GAO Finds That DoD Research Centers Are Failing to Follow All Data Protection Measures of New Pilot Program
On March 6, 2020, the Government Accountability Office (“GAO”) published a report evaluating a new Department of Defense (“DoD”) pilot program that provides a more streamlined process for Federally Funded Research and Development Centers (“FFRDCs”) to receive access to sensitive data of DoD contractors. Based on its review, GAO found that although there are indications that this streamlined access enabled the sampled FFRDCs to provide more rigorous analyses to DoD, there were several issues with DoD’s implementation of its procedures to protect sensitive contractor data. Thus, GAO made several recommendations, including that DoD take steps to improve its adherence to the pilot program’s required data protection measures.
The National Defense Authorization Act for Fiscal Year 2017 directed DoD to establish a pilot program aiming to streamline the process for FFRDCs to receive access to DoD contractor data, particularly from large data repositories. FFRDCs are partnerships between DoD and non-DoD parent organizations created through sponsoring agreements to complete work related to DoD objectives, such as financial analysis, policy development, acquisition planning, source selection, and contract management. In performing these functions, it often is useful for the FFRDCs to access DoD contractor information for review. Typically, FFRDCs access such data through DoD personnel, government databases, or directly from prime contractors, and the process involves the FFRDCs obtaining nondisclosure agreements with each data owner. However, this process can be time-consuming. Thus, the pilot program allows a select number of participating FFRDCs to more easily access information from large data repositories where DoD has compiled data from hundreds of contractors, such as the Cost Assessment Data Enterprise, thereby eliminating the requirement for FFRDCs to obtain nondisclosure agreements from each individual data owner.
In implementing the pilot program, DoD did establish procedures to protect this sensitive contractor data. The pilot program requires the participating FFRDCs and their parent organizations to follow certain protective measures in order to access the sensitive DoD contractor data under the new streamlined process. The protective measures, which incorporate some previous FFRDC practices, require that:
- FFRDCs maintain a financial disclosure program to ensure that FFRDC researchers do not work on matters that create a financial conflict of interest, with the parent organizations certifying and archiving annual reviews of financial disclosure forms by their researchers;
- Parent organizations have all personnel receiving sensitive data execute and abide by a nondisclosure agreement;
- FFRDC source-selection personnel notify contracting officers if they are contacted about employment with any entity whose proposal is being evaluated and immediately recuse themselves from that source-selection process;
- FFRDCs use pilot-accessed data only for purposes covered by their sponsoring agreement and not to compete against a third party or for use in other current or future research or technology development activities;
- Parent organizations implement a process for reporting unauthorized disclosures of pilot-accessed data that violate trade secrets laws; and
- FFRDCs provide training on the legal obligations of handling proprietary information.
GAO’s review of the participating FFRDCs’ implementation of these protective measures revealed mixed results. While most of the protective measures were included in the FFRDCs’ sponsoring agreements, some were missing. For example, GAO found that none of the sponsoring agreements reviewed included the instructions requiring that source-selection personnel notify contracting officers if contacted about employment with an entity whose proposal was being evaluated and to then recuse themselves accordingly. The sponsoring agreements also contained incomplete information on whom FFRDCs should notify upon any violations of trade secrets laws. And while the financial disclosure requirements were contained in sponsoring agreements, GAO found that not all FFRDC parent organizations were certifying review of, and archiving, the financial disclosure forms as required.
Under the pilot program, the participating FFRDCs and researchers should have addressed and implemented these protective measures before the Government provided them access to sensitive data. But GAO found that DoD did not have documented policies and procedures in place to ensure that such prerequisites were completed before allowing access to sensitive data. Instead, GAO learned that different individuals in different roles were only confirming whether some, but not all, of the prerequisites were implemented, while the FFRDCs and researchers were still granted access to sensitive data.
As a result of its findings, GAO made six recommendations, including that DoD take steps to ensure that the pilot program’s protective measures are incorporated into existing agreements, and that FFRDCs and parent organizations are implementing the protective measures for DoD contractors’ sensitive data. GAO also recommended that DoD establish a monitoring and oversight mechanism to ensure that other aspects of the pilot program are being followed, as well as processes to continually analyze and evaluate the pilot program. In a letter responding to the GAO report, DoD concurred with all of GAO’s recommendations.
What This Means For You
Contractors should be aware of these new ways that the Government is handling their sensitive data. Importantly, while GAO found issues with DoD’s implementation of the pilot program’s data protection measures, GAO did not uncover any mishandling or unauthorized use of such data. Thus, it is unclear how, if at all, DoD’s changes to its pilot program will impact DoD contractors. However, in order to assess the level of risk involved with their DoD contract data, contractors should both (1) review their contract documents to see what, if any, agreements they have that would allow data to be shared in the government data repositories that the pilot program allows FFRDCs to access; and (2) remain vigilant about marking all confidential and proprietary data to protect this information and to preserve their protection rights in the event such data is ever improperly released.
This information is provided by Vinson & Elkins LLP for educational and informational purposes only and is not intended, nor should it be construed, as legal advice.