NASA Goddard Space Flight Center Code 210 All-Hand May 6, 2015 Handling Electronic Procurement...

Date post: 31-Dec-2015
Page 1: NASA Goddard Space Flight Center Code 210 All-Hand May 6, 2015 Handling Electronic Procurement Files.

NASA Goddard Space Flight Center

Code 210 All-Hand May 6, 2015

Handling Electronic Procurement Files

How Do We Use Electronic Files?

Electronic Files are released to the “public” in multiple ways:

o NAIS and FEDBIZOPPS
    • e.g., Solicitations, JOFOCs, Sources Sought/RFIs
o Procurement e-Libraries
o Source Selection Process
    • e.g., Debriefing Charts, Source Selection Statements
o Protest Litigation
    • e.g., Agency Record
o Day-to-Day Contract Administration
    • e.g., Contract Mods, Letters/Memos, Award Fee Letters, CPAR Assessments
o Center External/Publicly Accessible Websites
o FOIA Responses

Areas of Concern with Electronic Files

Visible Dangers

- Export Control Information
- Sensitive But Unclassified Information

Hidden Dangers

- Track Changes
- Metadata
- Embedded Documents
- Hidden Worksheets
- Hidden Text
- Comments
- Document Properties
- Off-Screen/Off-Slide Content

Visible Danger – Export Controlled Info.

Exports or transfers of export-controlled items, including technical data and software, shall not be made to any foreign entity under any NASA program unless such exports or transfers are in conformity with approved contracts or agreements (usually international agreements) and U.S. export control laws and regulations, as delineated in the EAR and ITAR.

o Export Administration Regulations (EAR) is the set of regulations that control the export of commercial and dual-use items that are designed for commercial use, but may have military use as well.
    • e.g., Items themselves or technical data related to propulsion systems, space vehicles, optics, cameras, lasers, radar.
o International Traffic in Arms Regulations (ITAR) is the set of regulations that control the export and temporary import of defense articles and services.
    • e.g., Items themselves or technical data related to launch vehicles, spacecraft and associated equipment.

Visible Danger – Export Controlled Info. (Cont’d)

Compliance with U.S. export-control laws and regulations is a requirement for every NASA employee and contractor.

Failure to comply could:
o Jeopardize NASA export privileges
o Cause program delays
o Result in criminal and/or civil penalties

Center Export Administrators:
o GSFC/WFF - Tom Weisz – 301-286-4541 – [email protected]
o HQ – David Flynn – 202-385-1792 – [email protected]

Visible Danger – Sensitive But Unclassified (SBU)

Sensitive But Unclassified (SBU) – Controlled Unclassified Information (CUI) - Material that does not contain national security information (and therefore cannot be classified) but that is information or material determined to have special protection requirements to preclude unauthorized disclosure to avoid compromises, risks to facilities, projects or programs, threat to the security and/or safety of the source of information, or to meet access restrictions established by laws, directives, or regulations.

Visible Danger – Sensitive But Unclassified (SBU) (Cont’d)

Examples of SBU:
o Business/Company Confidential
o Geological/Geophysical Information
o Intellectual Property
o Privileged/Proprietary Commercial or Financial Information
o Information Subject to Trade Secrets Act

Intellectual Property Questions:
o Bryan Geurts – 301-286-7352 – [email protected]

Proprietary/Trade Secrets Act Questions:
o GSFC Office of Chief Counsel

Hidden Danger - Metadata

“Metadata”
o Data about data.

• Structural metadata indicates how compound objects are put together, for example, how pages are ordered to form chapters.

• Descriptive metadata describes a resource for purposes such as discovery and identification. It can include elements such as title, abstract, author, and keywords.

• Administrative metadata provides information to help manage a resource, such as when and how it was created, file type and other technical information, and who can access it.

How is Metadata Created?

Whenever you create, open, or save a document in Microsoft Word, Excel, or PowerPoint, the document automatically stores information — known as metadata — that you had no intention of including or disclosing. Metadata can also be created by a user.

Metadata is also stored in PDF files, but unlike with the Microsoft Office Suite, someone has to intentionally put it there.

Examples of Metadata

Microsoft Office Applications each have 80+ fields of metadata including the following:

- Your name
- Your initials
- Your company or organization name
- The name of your computer
- Personalized views
- The name of the network server or hard disk where you saved the document
- Document revisions
- Document versions
- Template information

What is the Risk of Releasing Hidden Data and Metadata?

The risk of releasing hidden data or metadata ranges from embarrassing to having potentially severe implications.

Embarrassing:
o You send a model contract along with a draft SOW from your COR to your boss for review. You tell your boss you spent the past two weeks working on the model contract without help from anyone but CMM, but the metadata could reveal that you only worked on the model contract for a few minutes because you used an old contract to start from instead of generating it new from CMM, you collaborated with other people on what clause updates were needed, and the SOW was actually written by a contractor.

Potentially Severe Implications:
o In preparing a PowerPoint presentation for a pre-solicitation conference, the Resource Analyst inserts a graph from an Excel spreadsheet as an embedded object into the charts showing historical trends in spending over the life of the predecessor contract. Unbeknownst to the Resource Analyst, inserting the graph into the charts also created a copy of the entire Excel workbook from which the graph came, which also included historical labor rates, indirect rates, and the In House Government Estimate for the follow-on contract. Unknowingly, you as the CO post the charts in a procurement library for all potential offerors to see.

Hidden Dangers – Application Specific

Microsoft Word

- Track Changes
- Comments
- Hidden Text
- Non-Visible Portions of Embedded Object Linking and Embedding (OLE) Objects (e.g. Graphs/Charts)
- Header/Footer Information
- Watermark
- Document Properties

Microsoft Excel

- Hidden Worksheets
- Hidden Columns/Rows
- Comments
- Header/Footer Information
- Non-visible Portions of Embedded OLE Objects (e.g. Graphs/Charts)
- Track Changes
- File Properties

Microsoft PowerPoint

- Presenter Notes
- Hidden Slides
- Header/Footers
- Slide Master Formatting
- Non-visible portions of embedded OLE objects (e.g. Graphs/Charts)
- Comments
- File properties
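Several of the Word, Excel and PowerPoint items listed above, including the embedded workbook from the pre-solicitation charts scenario, can be checked for before a file is posted. The following is an added example, not part of the original presentation or any NASA tool: a Python pre-release check over the newer Office formats (.docx/.xlsx/.pptx). The function names, finding labels and the constructed sample package are assumptions for illustration.

```python
import io
import re
import zipfile

# .docx/.xlsx/.pptx are ZIP packages; hidden data is an extra part or a marker inside one.
PART_CHECKS = [
    (r"^(word|xl|ppt)/embeddings/", "embedded OLE object"),
    (r"^word/comments\.xml$|^xl/comments\d*\.xml$|^ppt/comments/", "comments"),
    (r"^ppt/notesSlides/", "presenter notes"),
]
CONTENT_CHECKS = [
    (r"^word/document\.xml$", rb"<w:(ins|del)[ >]", "tracked changes"),
    (r"^word/document\.xml$", rb"<w:vanish\b", "hidden text"),
    (r"^xl/workbook\.xml$", rb'state="(hidden|veryHidden)"', "hidden worksheet"),
    (r"^ppt/slides/slide\d+\.xml$", rb'<p:sld\b[^>]*\bshow="(0|false)"', "hidden slide"),
    (r"^docProps/core\.xml$", rb"<(dc:creator|cp:lastModifiedBy)>[^<]+", "author name in properties"),
]

def scan_ooxml(data: bytes) -> list[str]:
    """Return sorted 'label: part' findings for one Office file given as bytes."""
    findings = set()
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            for pattern, label in PART_CHECKS:
                if re.search(pattern, name):
                    findings.add(f"{label}: {name}")
            for pattern, marker, label in CONTENT_CHECKS:
                if re.search(pattern, name) and re.search(marker, pkg.read(name)):
                    findings.add(f"{label}: {name}")
    return sorted(findings)

def make_package(parts: dict[str, bytes]) -> bytes:  # hypothetical demo helper
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()

# Constructed sample parts (not a complete Office file): charts with an embedded workbook.
SAMPLE_PPTX = make_package({
    "ppt/slides/slide1.xml": b'<p:sld xmlns:p="x"><p:cSld/></p:sld>',
    "ppt/slides/slide2.xml": b'<p:sld xmlns:p="x" show="0"><p:cSld/></p:sld>',
    "ppt/notesSlides/notesSlide1.xml": b"<p:notes/>",
    "ppt/embeddings/Microsoft_Excel_Worksheet1.xlsx": b"PK-constructed",
    "docProps/core.xml": b"<cp:coreProperties><dc:creator>Analyst</dc:creator></cp:coreProperties>",
})

if __name__ == "__main__":
    print("\n".join(scan_ooxml(SAMPLE_PPTX)))
```

The check does not read legacy binary formats (.doc/.xls/.ppt) or PDF, and an empty result only means none of these specific markers were found.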

Adobe PDF

- Title/Subject/Author/Keyword
- File Attachments
- Annotations and Comments
- Form Field Information or Actions
- Optical Character Recognition (OCR) Text
- Hidden Layers
- Embedded Search Index
- Redacting Sensitive Information

Next Steps for Protecting Files

Expanding the use of PDF files being transmitted/posted for competitive and non-competitive procurement actions
o Center Director has mandated that all electronic files (including Excel spreadsheets) being transmitted by Procurement to a non-civil servant (e.g. contractors and potential offerors) be transmitted in PDF format.
    • Reminder: Files being routed for internal Procurement and/or Legal review should not be sent in PDF format to reviewers.

Working with Code 700 to ensure that hidden data and metadata removal steps are functioning as expected

Expand existing posting checklist to include non-competitive actions

Training coming to a staff meeting near you soon…
o Detailed steps for ensuring clean Microsoft Office files
o Detailed steps for converting Office files to PDF

Center-wide solution?

Questions

