Governing rules include procurement integrity, data protection, subcontracting law, confidentiality obligations, cybersecurity requirements, and public records law. These areas set both limits and necessary safeguards for offshore involvement. States vary. Some states have strict limits on offshore access for categories such as criminal justice data, health records, education records, and personally identifiable information. Florida provides a concrete example of explicit restrictions unless authorized by the state. Contracts often add firm constraints. Common contractual clauses include no offshore delivery, U.S. persons only, and domestic data residency mandates. Treat contract language as binding, and do not assume uniform rules across agencies or states.

Work with public information and sanitized inputs only. Tasks that typically fit inside the safe zone include RFP extraction, statement of work breakdown, evaluation criteria analysis, drafting nonconfidential Q&A, building compliance matrices, competitor research from public sources, formatting, and tracker maintenance. Support internal prime materials that are scrubbed of sensitive content, such as templates, checklists, and sanitized past performance summaries. Ensure documents are cleansed of names, identifiers, and internal system references before assigning them offshore.

Do not access or process controlled or sensitive data. That includes PII, criminal justice information, health data, internal agency documents, and confidential competitor material. Also avoid direct contact with agencies, submitting questions, attending prebid meetings, or participating in oral presentations unless the contract explicitly allows it.

Contract review and clearance. Primes must verify subcontracting rules and any state or agency restrictions before assigning work offshore. Data sanitization. Primes must remove names, identifiers, sensitive attachments, and internal metadata before sharing materials offshore. Access controls and separation. Use isolated workspaces, limited access folders, role based permissions, and secure file sharing so offshore users see only allowed content. Legal and training safeguards. Require signed nondisclosure agreements and completion of procurement integrity and data handling training. Maintain records of NDAs, training completion, access logs, and sanitized input inventories for audits.

• Public sources only: news reports, publicly posted RFP text, published agency websites, and open-source competitor research. Use only verifiable public URLs and record the sources.
• Sanitized prime materials: templates, internal checklists, redacted past performance summaries, and pricing models after removal of identifiers or sensitive elements. Ensure a documented sanitization step before work begins.
• Non sensitive operational work: formatting, building trackers, extracting requirements from public RFP sections, converting scope language into task lists, and updating capture workbooks using only cleaned inputs.
• Strategy support using sanitized inputs: scoring strategy inputs, risk analysis based on public facts, and high level competitor mapping when derived from public records.

• Confidential agency data and internal government documents, including evaluator notes, source selection materials, and any internal memoranda.
• Personally identifiable information, criminal justice records, health records, education records, or other data subject to state residency limits. Some states expressly forbid offshore handling of these categories.
• Proprietary competitor information that is not publicly available, and unredacted past performance documents that include internal comments or identifiers.
• Any contract section labeled for U.S. persons only, domestic handling only, or onshore delivery only. Do not perform tasks tied to those clauses.
• Direct agency interaction: do not contact the agency, submit questions, attend prebid meetings, or participate in oral presentations unless the prime explicitly delegates an onshore role.

• Contract review and disclosures: primes must check for offshore restrictions and complete any required subcontractor disclosure before assigning work.
• Access controls and isolated workspaces: use limited access folders, role based permissions, and secure file sharing to keep sanitized inputs separate from restricted materials.
• Mandatory NDAs and training: require signed nondisclosure agreements and procurement integrity plus data handling training for offshore staff. Maintain training logs.
• Sanitization and documentation: remove names, identifiers, metadata, and sensitive attachments. Keep a record of what was sanitized and why.

1. Is the item publicly posted or clearly labeled sanitized? If yes, proceed and log the source.
2. If the item contains names, metadata, PII, or references to internal systems, stop and escalate to the prime. Do not attempt ad hoc redaction without prime approval.
3. If the prime cannot confirm sanitization or onshore handling is required, refuse the task until the prime provides an approved input.

Offshore teams may work with public information and sanitized prime materials. Typical lawful tasks include extracting RFP text, breaking down statements of work, drafting Q&A language from public facts, creating compliance matrices, formatting and organizing documents, and performing competitor research limited to public sources. They can also support strategy by mapping themes and scoring strategy inputs so long as sensitive information is excluded.

Offshore personnel must never access or handle controlled or sensitive data. Examples of forbidden work include processing PII, criminal justice or health records, internal agency documents, evaluator identities, confidential competitor files, direct communication with the agency, or submitting questions to the procuring office. Contracts may also include explicit clauses that bar offshore delivery or require U.S. persons only; those clauses take priority and must be followed.

• Contract review and clarifying data residency and subcontracting rules before assigning tasks. - Data sanitization, removing names, identifiers, and sensitive attachments before sending materials offshore. - Access controls such as isolated workspaces, role based permissions, and secure file sharing. - Required NDAs and training on procurement integrity and data handling, plus maintaining logs of access, sanitized inputs, and training completion for audits.

• Follow the rule public plus sanitized only, never assume uniform state rules. - Complete required NDAs and procurement integrity training before starting work. - Flag and stop on any PII, internal names, or metadata, then escalate. - Keep traceable records: source citations, access logs, and sanitized input proofs for audits.

• Standard templates: proposal templates, scoring rubrics, and format guides that contain no agency names, evaluator cues, or PII. These are usable when cleaned of identifying details. - Internal checklists: process checklists or task lists that describe how to perform nonconfidential steps, with any internal system identifiers removed. - Sanitized past performance summaries: redacted summaries that remove client names, contract numbers, and sensitive attachments, leaving only high level outcomes and metrics. - Pricing models without sensitive inputs: spreadsheets or models that show structure, formulas, or nonidentifying cost drivers after rates, salaries, and proprietary discounts are removed or converted to generic ranges or indices.

• Remove names, identifiers, and attachment metadata. Primes must sanitize files so no internal agency documents, evaluator identities, or PII remain. If a file still contains sensitive items, do not share it offshore. - Use isolated workspaces and limited access folders. Restrict offshore access to only the sanitized files required for a task, and apply role based permissions and secure file sharing so access is auditable. - Require NDAs and compliance training. Offshore personnel must complete nondisclosure agreements and procurement integrity and data handling training before receiving sanitized inputs. - Maintain documentation for audits. Keep access logs, sanitized input records, and training completion logs to demonstrate that only allowed materials were shared offshore.

1. Replace specific salary and vendor line items with role level cost ranges or anonymized indices. 2. Remove client names, contract numbers, and internal notes. 3. Strip file metadata and any hidden comments or tracked changes. 4. Store the sanitized workbook in an isolated folder with role based permissions and record the sanitization steps in a short log entry. 5. Provide the offshore team a short written brief listing what was removed and what they may not attempt to recover. Following these steps keeps the model useful for analysis while meeting procurement integrity rules.

• Quick checklist before sharing: remove names, strip metadata, redact attachments, confirm no PII, and log the sanitization steps. If any doubt remains, escalate rather than guess. - Actionable tip: convert sensitive numeric details to bands or indices so offshore teams can run meaningful analysis without seeing protected figures. - Reflective prompt: pick one file you would send offshore and list three specific elements you would remove or mask before sharing it.

Disqualification from award or work, and contract termination, often follow procurement integrity breaches. Agencies may remove a prime from consideration or end a contract when offshore rules are violated.

Breach of contract and financial penalties arise when subcontracting or data residency clauses are violated. Many SLED contracts include explicit 'domestic handling only' and 'U.S. persons only' requirements that, if ignored, create contractual liability.

Reputational harm and future exclusion reduce business opportunities. Protest vulnerability and public complaints can damage a prime’s standing with agencies and future buyers.

Regulatory and public records exposure occurs when sensitive or internal materials become part of an agency record. Public records rules may make improperly submitted material visible, creating additional compliance risks.

Audit findings and required disclosures force costly remediation. Primes must show access logs, sanitized input records, and training evidence during audits, and failure to provide these increases legal exposure.

• Personally identifiable information (PII). Names plus identifiers such as Social Security numbers, dates of birth, addresses, or other unique identifiers that can identify an individual. - Criminal justice information. Arrest records, case files, incident reports, or any law enforcement system data that are subject to CJIS or similar protections. - Health records. Protected health information governed by HIPAA or state health rules, including medical histories and health care claims. - Education records. Student records and other information subject to FERPA protections. - Classified information. Any material marked or handled under classified information rules or national security controls. - Export controlled technical data. Technical drawings, specifications, software source code, or other data restricted by ITAR or EAR. Such material may not be shared offshore without explicit export authorization. - Proprietary or competitive information. Confidential vendor proposals, bid evaluations, or competitor trade secrets. - Internal agency documents and source selection materials. Drafts of internal reviews, evaluator identities, scoring worksheets, or any document that reveals agency deliberations or procurement strategy. - Internal prime systems and financial or HR data. Access to CRMs, accounting systems, payroll, or other internal tools that contain sensitive business information is not allowed unless explicitly authorized.

• Attachments with embedded metadata or tracked changes that reveal names, reviewer notes, or system paths. - Unredacted past performance documents, contractor references, or proprietary technical appendices. - Contract sections or RFP requirements marked for domestic handling only, or clauses stating U.S. persons only.

A prime sends a proposal packet that appears sanitized, but a PDF appendix includes reviewer comments with evaluator initials and staff email addresses. Stop work on that item and escalate to the prime. The prime must either remove the metadata and comments or confirm a lawful basis for sharing before the offshore team continues. Practically, flag the file, record the source, and wait for written confirmation that the input is cleared for offshore use.

• Confirm the source and whether the prime has certified the material as public or sanitized. - Search for names, ID numbers, health, legal, or education terms, and metadata that remain in attachments. - Verify the contract allows offshore handling for the specific deliverable, and look for clauses that require domestic handling only.

1. Classify and scope the source material - Identify document types, attachments, and data fields. Label anything that could contain PII, internal system identifiers, evaluator names, vendor proprietary content, or other controlled information. Use contract clauses and state rules to mark categories that cannot be transferred offshore.

2. Isolate sensitive items before editing - Move originals into a secure, onshore, access controlled repository. Work only on copies kept in a controlled staging area. Keep a mapping log that links each sanitized copy to its original, stored onshore and available for audit.

4. Clean document metadata and hidden content - Remove tracked changes, comments, document properties, file history, and embedded links to internal systems. Convert files to formats that reduce hidden data risk, for example to flattened PDF or plain text when appropriate.

6. Quality assurance and attestation - A trained onshore reviewer must verify each sanitized item, complete a checklist, and sign an attestation that no restricted content remains. Keep the QA checklist, the attestation, and the sanitized copy together in version control.

Work only with public materials or explicitly sanitized files. Remove names, identifiers, internal attachments, and metadata before offshore teams see content. If a document looks internal or contains potential PII, stop and escalate rather than guessing about removal, because mistaken use creates immediate legal exposure for the prime and subcontractor.

Give offshore personnel only what they need, in isolated workspaces with role based permissions. Use limited access folders, secure file sharing, and version controlled repositories so every file transfer is traceable. Maintain access logs and records of who saw what and when, so audits can prove compliance.

Before assigning work, review contracts for offshore restrictions such as "U.S. persons only" or domestic handling clauses, and make required subcontractor disclosures. Require signed NDAs and documented completion of procurement integrity and data handling training for all offshore staff. These steps convert contractual requirements into auditable controls that protect the prime from liability.

Keep a clear trail for every deliverable. Log sanitized input sources, training records, NDA archives, and any subcontractor disclosure filings. Use version control and store sanitized copies separately from raw or internal documents. Auditors will look for traceability and source discipline, so default to more documentation rather than less.

Build an immediate escalation path for items that contain names, PII, internal system references, evaluator identities, unredacted performance records, or contract clauses that explicitly forbid offshore work. If a red flag appears, stop work on that item and notify the prime before continuing, because early escalation prevents costly penalties and bid protests.

• Source log: record the original source (URL, document title, agency name), date accessed, and a short note describing why the source is allowed.
• Sanitization log: list every sanitization action, who performed it, the method used (for example, redaction or removal), and a timestamp.
• Access and activity logs: capture who opened or edited files, what changes they made, and the date and time.
• Contract and disclosure records: store subcontractor disclosures required by the prime and any contract clauses that limit offshore work.
• Legal and training records: keep NDA copies, procurement integrity training completion records, and data handling training logs.
• Version control history: preserve prior drafts and an explanation for major changes so analysis is traceable.

1. Capture the original item in the source log, with a unique identifier.
2. Create a copy for sanitization, never edit the original. Add a version label that includes the sanitization date and initials.
3. Apply redaction or removal. Note each field removed, and why it was removed.
4. Save the sanitized copy to a controlled workspace with restricted permissions. Record the storage location in the sanitized log.
5. Link the sanitized copy back to the source log entry and to any deliverable that uses it.

• Use clear file naming: [Project][SourceShort][YYYYMMDD][sanitized|orig][initials].
• Keep originals read only, in a secure, version controlled folder.
• Store logs in a central, searchable location that the prime can export for auditors.
• Apply role based access controls so only authorized users can view originals or change logs.

• Confirm each item received has a source log entry.
• Never mix public and internal material in the same working file.
• Add a sanitization entry for every redaction or removal.
• Save edits with a version comment explaining the reason.
• Keep NDA and training records current and accessible.
• Flag and escalate any ambiguous material immediately.

• Access logs that show who opened files and when. Maintain timestamped records for each offshore contributor.
• Sanitized input records that prove all materials given offshore removed names, identifiers, and internal metadata. Document the sanitization steps and retain originals where permitted.
• Subcontractor disclosures and NDA archives that demonstrate required notifications and legal agreements were in place. Keep signed copies and version histories.
• Training completion logs that show offshore staff finished procurement integrity and data handling training. Timestamped certificates or LMS records are adequate.

• The prime must produce audit evidence to the agency. If rules were violated, the prime faces contract breach, disqualification, and other liabilities. Maintain central proof of controls and decisions.
• Offshore teams must keep work traceable and properly sourced. Notes about source type, sanitization, and any escalations create the chain of custody auditors expect.

• Administrative outcomes can include bid disqualification or contract termination. Financial penalties and formal protests are possible. Rapid remediation is harder when records are missing.

• Use version controlled workspaces and limited access folders so every change is recorded.
• Log and label every input: source type, public or sanitized, who sanitized it, and when. Keep a short sanitization checklist with each file.
• Archive NDAs, training receipts, and subcontractor disclosures in a single searchable folder. Export evidence at regular intervals.
• Flag and escalate any ambiguous content immediately. If a document may contain internal data or evaluator identifiers, stop work and notify the prime.

Record who accessed what, when, from where, and by what role, plus the action taken. Use these to show that offshore accounts never accessed restricted systems or files. Primes should combine technical logs with administrative notes that explain anomalous entries.

Keep a clear chain showing original source, sanitization actions, who performed the sanitization, and a timestamped copy of the sanitized file. Label each file with a unique identifier and link it to the work product that used it.

Retain executed NDAs, completed-training records with course name, completion date, and user identity, plus logs of periodic refreshers. These items show the prime held offshore staff to contractual and procurement-integrity expectations.

Follow the contract or agency retention requirements where stated, and preserve records in searchable, tamper-evident formats. When an agency does not specify retention, align with the prime's legal or records policy and retain enough history to reconstruct events for the procurement lifecycle. Keep records in a centralized archive with controlled access and immutable backups.

Documents that contain names, personally identifiable information, or other identifiers. Attachments that include internal metadata, tracked changes, or hidden comments. References to internal agency systems, internal file paths, or nonpublic portals. Any mention or list of evaluator identities or scoring panels. Proprietary competitor material that is not public. Contract language that requires U.S. persons only or domestic handling of data. Unredacted past performance or internal agency documents. Any unexpected request to contact an agency, attend meetings, or access an internal prime system. These items are explicitly listed as situations that require stopping work and escalating immediately.

1. Stop further handling. Do not open, edit, or forward the file. 2) Preserve the artifact. Make a copy in the secured, isolated workspace the prime has provided. Record the original file name, location, and timestamp. 3) Capture evidence. Take a screenshot that shows the filename and any visible sensitive content. Note the source where the file came from. 4) Record why it is a concern in a short note. State which rule may be violated, for example PII exposure or a domestic handling clause. 5) Notify the prime compliance or contract lead immediately. Put the word "Escalation" and the relevant contract or RFP number in the subject line. Include the evidence, the short note, and the time you discovered it. 6) Avoid any further action until told to proceed. Do not attempt to sanitize or infer missing information on your own.

Subject: Escalation, [RFP or Contract ID], potential restricted material Body: I discovered [brief description, for example "attachment with evaluator names"], located at [file path or link], at [date/time]. I preserved a copy in the secure workspace and attached a screenshot. I stopped all work on this item pending guidance. Please advise next steps.

If an uploaded past performance file shows internal evaluator comments and a list of staff names, stop and preserve the file, capture a screenshot, and notify the prime compliance lead with the brief message above. The prime will confirm whether the file must be removed, sanitized by an authorized onshore person, or treated as restricted under the contract. The course materials highlight similar situations and the requirement to escalate rather than proceed.

• If unsure, escalate; never guess. - Do not share or download suspect files to personal devices. - Keep a short record of what you found and when. - Use the prime's secure workspace for all preservation and evidence. - Rapid escalation protects the prime and keeps work compliant. When in doubt, stop, preserve evidence, notify the prime, and wait for instructions.

• Stop active work on the item. Do not forward, edit, or circulate the content. The guidance notes that if something looks sensitive, flag it immediately rather than guessing about its permissibility.
• Quarantine the original file in the assigned secure workspace or an access-restricted folder. If you cannot place it in the secure workspace, note the original location and restrict further access.
• Capture a short factual record, including the date and time, task or ticket ID, file name, and the exact action that led to finding the item. Avoid copying or transcribing sensitive text unless specifically instructed.

• Notify the prime through the designated compliance channel immediately. Typical channels include a secure compliance mailbox, an incident ticket in the capture system, or a named compliance lead. If the matter looks urgent or legally risky, escalate to the prime contract manager and legal counsel.
• Provide a concise escalation message with these fields: your name and role, task or contract identifier, timestamp, short description of the red flag (for example, contains internal metadata or possible evaluator identity), exact file path or link, steps you already took, and a unique identifier or hash for the file if available. Do not attach the sensitive file into an unsecured email.
• Include any training or NDA status if requested. Primes maintain records such as access logs and sanitized input records for audits, so clear, well formatted reports help them respond and document the event.

• Leave the original file intact. Make a note of who had access and when. Keep local notes and timestamps in a secure, version controlled location the prime has approved.
• If you must create a copy for analysis, create a clearly labeled working copy stored only in the approved workspace and mark it as under investigation. Track every action you take in the project log so auditors can reconstruct the timeline later.

• Wait for explicit, written direction from the prime or their legal or compliance lead before taking further action on the item. The prime may sanitize the content, remove offshore tasks, or reassign work.
• If instructed to delete or to transfer work onshore, confirm completion in writing and retain the confirmation in the task log.

• When unsure, escalate. Do not guess about permissibility.
• Use only approved channels for reporting sensitive findings.
• Keep records concise, factual, and time stamped.
• Avoid copying sensitive content into chat apps or personal tools.
• Complete any follow up confirmations the prime requests so the incident is auditable.