Sensitive information contractually unprotected, says GAO


Even as contract workers have proliferated within federal agencies, those agencies may still lack contractual assurances that contractors won't divulge sensitive information, says the Government Accountability Office.

In one such recent breach, a Transportation Security Administration contractor allegedly gave a Boston couple the Social Security numbers of more than a dozen TSA workers at Boston Logan airport.

In a report dated Sept. 10, GAO auditors examined the contracting practices of three large federal agencies with particularly large contractor work forces: the departments of Defense, Homeland Security, and Health and Human Services.

Of those three, only DHS requires companies to sign standard contract provisions obligating contractors to follow best practices in safeguarding the sensitive information they access, according to the GAO.

Such standard contract provisions don't currently exist in the Federal Acquisition Regulation, but do exist in the DHS supplement to the FAR, the HSAR. Most federal agencies follow the FAR along with a local supplement.

The Defense Department's supplemental regulation, the DFARS, does mandate written approval from a civil servant before a contractor can disclose potentially sensitive information, but it lacks other measures that DHS requires, such as training contractor employees on the protection of sensitive information and having them sign nondisclosure agreements, the report states.

HHS once had a standard contract provision requiring vendors to obtain written consent from a civil servant before disclosing certain kinds of sensitive information, but HHS deleted that clause during a January 2010 revision of its supplement, the HHSAR.

HHS officials told GAO auditors that they deleted the clause because the FAR will likely include language about contractors divulging sensitive information, as undertaken by the FAR Council in FAR Case 2007-019.

The proposed rule would add provisions to FAR Parts 4, 12, 13, 14, 15 and 37 (along with Part 52, where the boilerplate contractual language is kept) requiring non-disclosure agreements and defining remedies for improper disclosure. The proposed rule has yet to be published in the Federal Register for public comment.

For more:
- download the report, GAO-10-693 (.pdf)
- download a list of all open FAR cases, as of Sept. 3, 2010
