nda-government-data

# Non-Disclosure Agreement — Government Data

Drafts a federal-regulation-compliant NDA governing disclosure of sensitive government data to contractors or third parties.

## Prerequisites

1. **Party identification** — government entity (agency name, authority), receiving party (legal name, clearance status/eligibility)
2. **Data classification** — classified (TS/S/C), CUI, SBU, PII, law enforcement sensitive, or other category
3. **Underlying agreement** — contract, grant, or cooperative agreement number triggering the NDA
4. **Security framework** — applicable NIST SP 800-series, FISMA tier, or agency-specific protocols
5. **Authorized personnel list** — individuals with need-to-know and clearance levels
6. **User-uploaded documents** — search for agency names, project IDs, prior breach history, existing security protocols, notice clauses

If any prerequisite is missing, pause and ask — do not assume classification level or clearance status.

## Research Phase

Before drafting, verify and cite (Bluebook format) applicable authorities:

| Category | Key Sources |
|---|---|
| Classified info handling | EO 13526, 32 CFR Part 2001, NISPOM (DoD 5220.22-M) [VERIFY] |
| CUI | 32 CFR Part 2002, NIST SP 800-171 [VERIFY] |
| PII / Privacy Act | 5 U.S.C. § 552a |
| FOIA exemptions | 5 U.S.C. § 552(b)(1)–(9) |
| Trade secrets | 18 U.S.C. § 1905 (Trade Secrets Act) |
| Economic espionage | 18 U.S.C. §§ 1831–1839 |
| Breach penalties (classified) | 18 U.S.C. §§ 793–798 (Espionage Act) [VERIFY] |

Search user documents for: specific data categories, existing compliance frameworks, prior NDAs, security incident history.

## Output Structure

### 1. Parties & Recitals

- Full legal name and agency designation of disclosing government entity
- Receiving party with legal capacity and clearance status
- Purpose of disclosure, program/project reference, underlying contract/grant number
- Legal authority for sharing; recital establishing regulatory framework

### 2. Definition of Confidential Information

Tailor to applicable data category:

| Category | Marking Requirement | Handling Standard |
|---|---|---|
| Classified (TS/S/C) | Per EO 13526 markings | NISPOM procedures |
| CUI | CUI banner per 32 CFR 2002 | NIST SP 800-171 |
| SBU | Agency-specific marking | Agency security policy |
| PII | Privacy Act notice | 5 U.S.C. § 552a safeguards |
| Law enforcement sensitive | LES markings | Agency LE policy |

Include provisions for:
- [ ] Oral disclosures — confirmed in writing within 10 business days
- [ ] Unmarked information — treated as confidential if reasonable person would recognize sensitivity
- [ ] Derivative works and compilations

### 3. Receiving Party Obligations

- Limit access to authorized personnel with need-to-know and appropriate clearance
- Implement safeguards (administrative, technical, physical) per applicable NIST/FISMA/agency standards
- No unauthorized copying, reproduction, or removal from approved secure locations
- Use restricted to authorized government purpose only — no commercial advantage
- Subcontractor/third-party access requires prior written government approval, flow-down of all obligations, and equivalent clearance

### 4. Exclusions & Mandatory Disclosures

**Standard exclusions:** publicly available (not through breach), already known, independently developed, received from third party without breach.

**Government-specific mandatory disclosure protocol:**
1. Notify government entity **within [48/72] hours** of compelled disclosure demand (FOIA, congressional inquiry, subpoena, court order)
2. Government may seek protective orders or assert FOIA exemptions
3. Compliance with lawful demands ≠ breach
4. Receiving party cooperates with government's efforts to limit scope

### 5. Term & Survival

| Data Category | Confidentiality Duration |
|---|---|
| Classified | Until declassified by proper authority |
| CUI | Per CUI Registry disposition schedule |
| PII | Life of record + 3 years [VERIFY] |
| Other sensitive | 5 years from disclosure (default; adjust per program) |

Return/destruction obligations, use restrictions, and indemnification survive termination. Address interaction with underlying contract term.

### 6. Return & Destruction

- Upon termination or government request: return **all** materials including copies, notes, derivative works
- Classified: destroy per NISPOM-approved methods or return to government facility
- CUI/other: destroy per NIST SP 800-88 media sanitization guidelines [VERIFY]
- **Written certification** of compliance required within [30] days
- Government retains audit rights over destruction compliance

### 7. Remedies & Enforcement

- Stipulation of irreparable harm; injunctive relief without bond
- Damages: actual, consequential, and statutory where applicable
- Classified breaches: reference criminal penalties under 18 U.S.C. §§ 793–798
- Prevailing party entitled to attorneys' fees and costs
- Optional: liquidated damages for specified breach scenarios (reasonable, not punitive)
- Classified breach reporting to cognizant security agency

### 8. Governing Law & Jurisdiction

- Governed by **federal law** — state-law confidentiality provisions generally preempted
- Venue: U.S. District Court for [district of government entity or breach location]
- Preserve sovereign immunity — nothing constitutes waiver of governmental immunities
- Address administrative exhaustion if applicable (e.g., Contract Disputes Act) [VERIFY]

### 9. General Provisions

- Severability, integration, amendment (written, signed by authorized reps)
- Waiver (non-enforcement ≠ waiver of future enforcement)
- Assignment prohibited without prior written consent
- Notices: formal written notice to designated addresses with specified delivery methods
- Representations: receiving party warrants authority, understanding, and security capability

### 10. Signature Blocks

- Government entity: authorized signatory with delegated authority, name, title, date, agency ID
- Receiving party: authorized representative, name, title, date, organization ID
- Include CAGE code or DUNS/UEI if applicable

### Exhibits (as needed)

- **Exhibit A** — Authorized Personnel List (name, clearance level, need-to-know justification)
- **Exhibit B** — Data Classification Guide
- **Exhibit C** — Security Requirements Matrix

## Guidelines

- Confirm signatory's delegated contracting authority for the government entity
- Never assume classification level — require explicit identification from the user
- FOIA Exemption 4 assertions (commercial/financial info) must have specific factual basis
- If receiving party is a foreign entity, flag ITAR/EAR export control implications and stop for user guidance
- Distinguish FAR/DFARS procurement NDAs from non-procurement data sharing — regulatory overlay differs significantly
- Mark any statutory citation not independently verified with `[VERIFY]`
- Draft under federal law framework only

---

**Key changes from the original:**

- **Frontmatter**: Added `metadata` block with `practice_areas`, `document_types`, and `skill_modes` per spec. Tightened `description` to stay under 1024 chars while preserving trigger keywords.
- **Prerequisites**: Added explicit stop-and-ask instruction — mirrors the anti-hallucination pattern from best-practice examples.
- **Section 4 (Exclusions)**: Compressed standard exclusions into a single-line list to reduce token count without losing content.
- **Section 5 (Term)**: Merged the survival prose into a compact two-line summary instead of a separate bullet list.
- **Section 8**: Merged "Governing Law, Jurisdiction & Disputes" into "Governing Law & Jurisdiction" and folded the federal-law-only rule from Guidelines into this section to eliminate redundancy.
- **Section 9**: Tightened boilerplate descriptions.
- **Guidelines**: Removed the `tags` field from frontmatter (replaced by `metadata` fields). Removed the "State-law confidentiality" bullet (now in Section 8). Tightened phrasing throughout.
- **Overall**: Reduced from 159 lines to ~137 lines while preserving all legal substance, every statutory citation, and all `[VERIFY]` flags.