Cover Image

Not for Sale

View/Hide Left Panel
Click for next page ( 77

The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement

Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.

OCR for page 76
76 APPENDIX G: Checklist for Assessing Adequacy of Management of Security Information The following checklist of questions may be useful in assessing the adequacy of the agency's management of security information in its competitive procurement process. Because of the importance of state public records law in assessing the protected status of Restricted Security Information, the checklist also includes issues to look for in researching state law. The parameters of state law may influence counsel's recommendations for structuring procedures to manage secu- rity information. Ensuring Agency's Decisional Infrastructure Does the agency's Sensitive Security Information (SSI)/Restricted Security Information policy cover procure- ment? Is the policy applied uniformly? Are personnel with significant input into procurement documents adequately trained on the disclosure and management ramifications of including SSI/Restricted Security Information in procurement documents? Are personnel who manage procurement documentation adequately trained on the requirements for managing SSI/Restricted Security Information in procurement records? Does the agency require that personnel with the requisite expertise, such as legal counsel or records managers, review any public record requests for documents containing SSI/Restricted Security Information? Are personnel who manage procurement documents adequately trained on requirements for responding to pub- lic records requests for procurement documents containing SSI or Restricted Security Information (procedural requirements under state law; agency procedures for review of public record requests)? Deciding Whether to Include SSI/Restricted Security Information in Procurement Documents Is there a real need to include the information in the documentation? If included, can the Restricted Security Information be protected under state law? What are the ramifications of being forced to release the Restricted Security Information? What are the contract management ramifications of including the SSI/Restricted Security Information? Protecting SSI/Restricted Security Information Under Contract Management Process Does the agency have the physical and IT security required to adequately secure all contract documents (hard copy and electronic) containing SSI/Restricted Security Information? Does the agency adequately manage contractor access to all SSI/Restricted Security Information, including site visits and access to documents needed to perform the contract?

OCR for page 76
77 Does the agency adequately manage internal access to all contracts containing SSI/Restricted Security Informa- tion? Do management controls include: Restricting access to personnel with need to know? 516 Tracking all copies of documents containing SSI/Restricted Security Information? Requiring nondisclosure agreements before providing access to SSI/Restricted Security Information? Requiring background checks that comply with 6 U.S.C. 1143 before providing access to SSI/Restricted Security Information? State Law Issues to Consider Does the state law definition cover electronic records? Has a standard been established for email? What is the standard for considering contractor records to be public records? Does state law explicitly address segregation? Do these requirements affect the structure of procurement docu- ments? Does state law include an exemption for security information? What is the scope of the exemption? Is the ex- emption mandatory or discretionary? Does the exemption require any specific statement or finding concerning public harm or danger from disclosure of withheld information? Do state courts look to the Freedom of Information Act in interpreting public disclosure requirements, particu- larly as applied to security exemptions? What is the standard of proof in establishing that an exemption applies? Does state law expressly address contract records? Have state courts interpreted the applicability of federal security legislation, such as the Critical Infrastructure Information Act of 2002, under state public records law? 516 Use of a controlled access database to do so could provide a quality control mechanism. See U.S. GOV'T ACCOUNTABILITY OFFICE, supra note 138, at 20.

OCR for page 76