DOD sponsors research and development activities at 10 Federally Funded Research and Development Centers that provide innovative solutions to national security threats.
These centers sometimes need to access sensitive DOD data (such as proprietary information from DOD’s contractors), which can be a long, time-consuming process. DOD began a pilot in 2017 to streamline these centers’ access to sensitive data.
The Government Accountability Office found that some centers reported easier access to sensitive data during the pilot. However, DOD has not consistently collected information on the pilot or developed a plan to evaluate it.
The Department of Defense (DOD) launched a 3-year pilot program in December 2017 to enable a streamlined process to share certain sensitive data, such as data collected from its contractors, with its Federally Funded Research and Development Centers (FFRDC). At times, FFRDCs need to access such data to support DOD. The pilot was intended to reduce the burden on FFRDCs to seek permission from hundreds of contractors to access information needed for their research. Six of DOD’s 10 FFRDCs have taken part in the pilot, enrolling a combined total of 33 projects, as shown in the table.
DOD officials and FFRDC representatives reported that the streamlined process made the use of sensitive data feasible. As a result, FFRDCs with completed projects in GAO’s sample indicated they were able to provide more robust analyses or insights to DOD.
DOD guidance for the pilot program established procedures to protect sensitive data. But GAO found that DOD did not incorporate all of the details of the required protections into its agreements with FFRDCs. Further, GAO found that not all FFRDCs were performing annual certification of financial disclosure forms, as required by its agreements with DOD. DOD does not have a process to ensure that all the protections pertaining to FFRDCs’ streamlined access to sensitive data are being followed. Without a process that defines roles and responsibilities, DOD cannot ensure that FFRDCs adhere to the protections.
DOD developed goals for the pilot program and outlined what information was to be obtained for each participating project, actions that are consistent with GAO’s leading practices for pilot design. However, DOD has not developed a plan for evaluating the program nor has it consistently collected information on about a third of the pilot projects. Leading practices for pilot design call for an evaluation plan, which should include an assessment methodology and identify responsibilities as to how the evaluation will be conducted. Without an evaluation plan and a mechanism to collect information on pilot projects, DOD will not be positioned to identify the effectiveness of the pilot program and benefit from lessons learned. Such information will be useful as Congress considers the path forward after the pilot ends in December 2020.
GAO is making six recommendations, including that DOD take steps to ensure data protections are in the agreements and followed, collect information on projects, and evaluate the pilot. DOD agreed with the recommendations.