Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.
76 APPENDIX G: Checklist for Assessing Adequacy of Management of Security Information The following checklist of questions may be useful in assessing the adequacy of the agencyâs management of security information in its competitive procurement process. Because of the importance of state public records law in assessing the protected status of Restricted Security Information, the checklist also includes issues to look for in researching state law. The parameters of state law may influence counselâs recommendations for structuring procedures to manage secu- rity information. Â Ensuring Agencyâs Decisional Infrastructure Does the agencyâs Sensitive Security Information (SSI)/Restricted Security Information policy cover procure- ment? Is the policy applied uniformly? Are personnel with significant input into procurement documents adequately trained on the disclosure and management ramifications of including SSI/Restricted Security Information in procurement documents? Are personnel who manage procurement documentation adequately trained on the requirements for managing SSI/Restricted Security Information in procurement records? Does the agency require that personnel with the requisite expertise, such as legal counsel or records managers, review any public record requests for documents containing SSI/Restricted Security Information? Are personnel who manage procurement documents adequately trained on requirements for responding to pub- lic records requests for procurement documents containing SSI or Restricted Security Information (procedural requirements under state law; agency procedures for review of public record requests)? Â Deciding Whether to Include SSI/Restricted Security Information in Procurement Documents Is there a real need to include the information in the documentation? If included, can the Restricted Security Information be protected under state law? What are the ramifications of being forced to release the Restricted Security Information? What are the contract management ramifications of including the SSI/Restricted Security Information? Â Protecting SSI/Restricted Security Information Under Contract Management Process Does the agency have the physical and IT security required to adequately secure all contract documents (hard copy and electronic) containing SSI/Restricted Security Information? Does the agency adequately manage contractor access to all SSI/Restricted Security Information, including site visits and access to documents needed to perform the contract?
77 Does the agency adequately manage internal access to all contracts containing SSI/Restricted Security Informa- tion? Do management controls include: Restricting access to personnel with need to know? Tracking all copies of documents containing SSI/Restricted Security Information?516 Requiring nondisclosure agreements before providing access to SSI/Restricted Security Information? Requiring background checks that comply with 6 U.S.C. § 1143 before providing access to SSI/Restricted Security Information?  State Law Issues to Consider Does the state law definition cover electronic records? Has a standard been established for email? What is the standard for considering contractor records to be public records? Does state law explicitly address segregation? Do these requirements affect the structure of procurement docu- ments? Does state law include an exemption for security information? What is the scope of the exemption? Is the ex- emption mandatory or discretionary? Does the exemption require any specific statement or finding concerning public harm or danger from disclosure of withheld information? Do state courts look to the Freedom of Information Act in interpreting public disclosure requirements, particu- larly as applied to security exemptions? What is the standard of proof in establishing that an exemption applies? Does state law expressly address contract records? Have state courts interpreted the applicability of federal security legislation, such as the Critical Infrastructure Information Act of 2002, under state public records law? 516 Use of a controlled access database to do so could provide a quality control mechanism. See U.S. GOVâT ACCOUNTABILITY OFFICE, supra note 138, at 20.