Scott Kupor, Director
Office of Personnel Management
Re: Confidential Government Information Nondisclosure Agreement
Dear Director Kupor,
On behalf of the Niskanen Center, I am pleased to share comments on the Office of Personnel Management’s (OPM) request for feedback on a draft “Confidential Government Information Nondisclosure Agreement” posted on May 27, 2026 in the Federal Register.
Background
The Niskanen Center is a nonprofit public policy organization that advocates for a government that provides social insurance and essential public goods, fosters market competition and innovation, invests in state capacity, and does not impede productive enterprise. We are committed to the principles of liberal democracy and an open society that encourages engagement, cooperation, discussion, and learning.
An agile, accountable, and high-performing federal workforce is essential to our vision of a stronger government and better governing outcomes for all Americans. Our reform agenda for the federal workforce revolves around several core design principles:
- Fewer, Simpler Personnel Systems – Reduce the complexity of federal personnel systems to make them easier to understand, simpler to administer, and more flexible.
- Fast & Fair Accountability – Streamline and speed up the process for removing poor performers and those who engage in misconduct while maintaining constitutional guardrails against arbitrary partisan dismissals and unlawful discrimination.
- Market-Sensitivity – Prioritize the federal government’s ability to compete in the labor market through its approaches to compensation, hiring, and benefits administration, so the federal government can attract and retain the best talent on offer.
- Minimized HR Touches, Maximized Manager Flexibility – Devolve as much authority to agencies — and then on to line managers — as possible, recognizing that centralized HR functions are not accountable for mission outcomes and are generally unable to weigh tradeoffs in pursuit of those outcomes.
- Internal Capacity First – Invest in internal agency capacity before augmenting agency workforces with vendors which may have misaligned incentives and are more difficult to manage in the long-term, especially for core agency work not otherwise happening in the private sector.
Underpinning each of these principles is also a commitment to uphold nonpartisanship and observable merit as the foundation for all policy choices related to the federal workforce — without a bedrock commitment to administration free from partisan meddling and to the merit system,1 meaningful reform that addresses the root causes of state incapacity is impossible.
Summary of our view
In pursuit of an accountable and effective government, we appreciate OPM’s broadest stated goal in offering this proposal: protecting the government’s and the public’s information from unlawful and unauthorized disclosure.
Indeed, protection of sensitive information and good government go hand-in-hand. Ironically (given the circumstances of his resignation), President Nixon ably summed up this idea in 1974: “Many of the good things in life that Americans take for granted would be impossible, or impossibly high-priced, without data retrieval systems and computer technology. But until the day comes when science finds a way of installing a conscience in every computer, we must develop human, personal safeguards that prevent computers from becoming huge, mechanical, impersonal robots that deprive us of our essential liberties.” Over fifty years later, this is as true as ever. In an era of overwhelming data access, it is crucial that our government guards its people’s information with intense care as a precondition for those same citizens to empower the government to do much of anything.
That principle comes with a corollary OPM should not lose sight of: protecting information is not the government’s only obligation. The same agencies that must guard sensitive material also have to move information to the people who need it, coordinate across very different missions, and provide the public a window into the ordinary agency operations that their taxpayer dollars support. Governing well means balancing these imperatives. Strike that balance badly, and an effort to protect Americans’ information instead saps the productivity they are counting on and leaves employees unsure of what they may say or do. This careful weighing is precisely what Nixon was calling for in his address championing the work that eventually spawned the Privacy Act of 1974 (signed by his successor): go too far and the government can’t operate, not far enough and the public’s rights are infringed, threatening the government’s legitimacy.
Respectfully, we think that OPM has not gotten the balance quite right with this proposal and, in doing so, is needlessly polarizing an otherwise low-temperature topic without a commensurate benefit to the public or the federal government. Specifically, we have four main concerns with OPM’s proposed NDA as written:
- There are contradictions in the construction of the NDA as it now stands. OPM states, more than once, that this NDA “does not create new substantive restrictions on employee speech or disclosure rights,” and only documents the “obligations that already exist under law and regulation.” Yet the form OPM has drafted has provisions that clearly go beyond current law: it requires former employees to obtain written permission before speaking, assigns to the government any income from an unauthorized disclosure, and more. These are new and OPM should be forthright about that fact.
- The current text is overbroad and unwieldy for agencies, managers, and employees, introducing more rather than less confusion into the system.
- OPM has not articulated a compelling reason for introducing another procedure into the personnel system. Regardless of whether one reads this NDA to be creating net-new policy or not, we see it as introducing more paperwork into the system without any discernable benefit.
- We are concerned that this constellation of vague drafting, murkiness about penalty and enforceability, and introduction of extra procedure will contribute to a further culture of box-checking and fear-based compliance in the workforce. Even if that is not intended by OPM, experience has shown us that sloppy agency implementation has a way of translating good-natured policy initiatives into rigid rules as they cascade down from the center of government to agencies, units, and teams that are just trying to do their best. This problem is a feature of many large bureaucracies; OPM would do well to take it seriously.
In our view, OPM would be better off changing course. If OPM’s intention is that agencies use these NDAs to remind employees of their obligations, we believe that goal is better served by annual training (as is typical) rather than the introduction of a new form. We recommend that OPM invests the resources it currently expects to use in implementing this proposal into improved scenario-based training, awareness campaigns, and other means that are more fit to a good-faith approach to promoting existing privacy rules and procedures in the federal workforce.
We don’t disagree with OPM’s ultimate goal here — the protection of nonpublic information is important and agencies are right to remind employees periodically of their obligations — but we do think OPM needs to be more thoughtful about how to balance all the competing priorities it is responsible for: the protection of merit systems, the protection of information, the impact of its regulatory agenda on a workforce it needs to complete the President’s agenda, and the need for Congress to have its say in designing changes to the personnel system.
OPM’s proposal is unclear about whether or not it includes changes to employee rights
OPM assures the public that the proposed NDA “does not create new substantive restrictions on employee speech or disclosure rights,” and merely gives agencies a way for employees to acknowledge “obligations that already exist under law and regulation.” We take OPM at its word as to its intent because we think that’s a reasonable goal and well within OPM’s purview to promote: we do not think federal employees (or any employee) should disclose their employer’s confidential information without permission and we think the existing legal regime balances this interest with others reasonably well.
However, the proposed text contradicts this framing; the NDA in its current form clearly extends beyond current law and practice. In Section 2, OPM writes that “[u]pon leaving employment with the Agency, the Employee agrees not to disclose any Confidential Government Information absent written permission from an authorized agency official,” and in Section 7, OPM suggests that this requirement would be operative for five years after employment ends. This represents a significant new policy of prior restraint on speech for former federal employees who no longer have an employer-employee relationship with the government. Setting aside whether management prefers this constraint or not, this poses obvious Constitutional issues; federal employees do not check their Constitutional rights at the door when they enter into or depart from public service.
This is not to say that some restraints on speech are not warranted, but a form is not the appropriate venue for creating these restrictions without any other statutory or regulatory hook. Adverse actions under Chapter 75, debarments under 5 CFR 731, and other penalties for speech are the result of a careful balancing act by Congress and policymakers between the need to take action when employees fail to meet the expectations set for them and the legal reality that they retain the right to free speech and due process during (and especially after) their term of employment. This is the reason that neither OPM nor agencies can invent new adverse action procedures unilaterally; such solitary actions do not have legal or constitutional legitimacy. Preventing disclosure by former federal employees might be a reasonable goal — we already do it in the case of classified information, for which employees have an indefinite obligation to protect — but the right avenue to establish such a constraint is statutory.2
Section 4 includes a list of remedies that are also net-new policy. A breach — or even a “threatened breach” — is declared to cause “irreparable harm,” entitling the agency to “injunctive relief and specific performance,” a court order against disclosure, “without the necessity of posting a bond or proving actual damages.” And the employee “assigns to the United States Government all royalties, remunerations, and emoluments” flowing from any violating disclosure. Section 6 then provides that wherever this agreement and another obligation conflict, “the more restrictive or stringent provision shall govern.” These are not the features of a document that, in OPM’s telling, changes nothing and contemplates no new restrictions on speech.
Before proceeding with this initiative, OPM should answer these questions: does this NDA create any obligation, restraint, or remedy that does not already independently bind the employee? If the answer is no, the operative terms of Sections 2 and 4 should be struck, because they tell employees otherwise. If the answer is yes, the form should be withdrawn and the new authority pursued through rulemaking and legislation, where it can be debated and reviewed subject to the regular process. In doing so, due attention should be given to whether OPM has the authority to do this in the first place. What OPM should not do is publish a notice promising that nothing has changed while they circulate a form suggesting that a great deal has.
2. The proposal includes an overbroad, unwieldy definition of “Confidential Government Information”
Setting aside the question of whether or not the NDA implicates changes to employee rights, it would be difficult to administer in either case due to vague definitional drafting.
In the draft NDA, OPM defines “Confidential Government Information” as “non-public, confidential, or proprietary information, whether or not marked as such, which may include, but not be limited to, information related to internal agency operations, personnel matters, personally identifiable information (PII), personal health information (PHI), procurement processes, or any sensitive, pre-decisional or deliberative material that is not currently publicly available and should not be disclosed under applicable law, Federal regulation, or government-wide policy.”
This definition poses several practical challenges for agencies, employees, and supervisors who would be responsible for operationalizing this guidance:
- OPM is conflating several different types of information which sit under different (and sometimes no) regulatory or statutory regimes. For example, PHI has a very specific meaning derived from the Health Insurance Portability and Accountability Act (HIPAA) and clear penalties for disclosure.3 It is fairly simple for an employee to avoid running afoul of that rule because the boundaries of PHI are clear. But, on the other hand, “internal agency operations” has no definition that anyone could refer to. By being vague, OPM makes it very hard for agencies to police or even provide advice to employees about whether a given piece of information should be covered by the NDA (and therefore require pre-clearance).
- OPM’s definition includes many categories of information that are not inherently sensitive but are nonetheless “non-public” until such time as someone makes them public simply by saying them publicly. Without significant secondary, interpretive guidance to agencies and employees, it will be hard to sort out what is non-public by happenstance and what is non-public on purpose. For example: imagine a think tank were to host an event about improving the efficiency of grant administration in the federal government and a former grant officer spoke up to explain how they cut processing times from 100 to 10 days using new workflow technology. Is this an unauthorized disclosure? It certainly relates to internal agency operations, but also is precisely the type of innovative solution that probably should be shared among peers and policymakers who want to learn from one another.
- Because OPM also specifies that this list is non-exhaustive (“may include, but not be limited to”) and that confidential information may or may not be “marked as such,” it seems that there is practically no limiting factor on what information may not be included. This is arbitrary and simply not administrable: federal employees touch millions of pieces of information in the regular course of doing their jobs lawfully and faithfully, and it’s impossible to administer an NDA that has this level of specificity. Significant new agency resources would need to be devoted to providing case-by-case guidance to current and former employees on what they can disclose and when, as well as policing violations.
In effect, OPM has created a list that could contain virtually anything or nothing, which makes it so overbroad as to be meaningless to all parties. This stands in stark contrast to other efforts to promote better information management hygiene that hinge on standards as the path towards compliance. Most directly relevant, for example, EO 13556 established a government-wide program for managing “Controlled Unclassified Information” or CUI, that assigned the National Archives and Records Administration (NARA) responsibility for developing “an open and uniform program for managing information that requires safeguarding or dissemination controls.” Indeed, this program was actually designed to remedy confusion that resulted from inconsistently applied rules and regulations, as the EO describes:
At present, executive departments and agencies (agencies) employ ad hoc, agency-specific policies, procedures, and markings to safeguard and control this information, such as information that involves privacy, security, proprietary business interests, and law enforcement investigations. This inefficient, confusing patchwork has resulted in inconsistent marking and safeguarding of documents, led to unclear or unnecessarily restrictive dissemination policies, and created impediments to authorized information sharing. The fact that these agency-specific policies are often hidden from public view has only aggravated these issues.4
OPM’s proposal conflicts with this goal and with the still-ongoing effort to improve the government’s approach to CUI by creating a parallel list and new term (“Confidential Government Information”) without any of the care and consideration that has gone into the CUI effort. In fact, even that CUI effort, which is narrower and better defined, is still seen by some contractors as moving too quickly to be feasibly managed.5 We believe OPM launching a parallel system would be a mistake and, in fact, contribute to less effective control of non-public and non-disclosable information than is in practice today.
3. There is no compelling reason provided to introduce more paperwork into an already too-procedural personnel system
In the most favorable reading of the NDA — that the form adds nothing new — it’s still not clear that the effort is worth the benefit. A redundant form is not without consequence; there are direct (e.g., systems required to collect and maintain records) and indirect (e.g., hours spent by agency administrators, managers, and employees on compliance) costs to its administration. In this case, adopting this NDA as a government-wide standard adds new layers of paperwork and fears of compliance-related process fouls to an already slow-moving federal government.
Alternatively, if new disclosure penalties are created by this NDA that exceed OPM’s legal authority, agencies will scramble to implement policies that won’t survive legal challenges anyway. In either scenario, this is a recipe for further inefficiency, and a waste of the time and scarce resources agencies could spend on more value-add policy implementation. Speaking from our experience, it is hard enough to get agencies to implement management priorities like the President’s Management Agenda or pooled hiring efforts without adding more new and novel ones to the pile.
This alone would be a reason not to proceed — agencies have enough on their plates already — but we think this is particularly bad in the context of the rest of the federal personnel system. As we’ve written about extensively, the civil service system is already too procedural and filled with time-wasting paperwork that snarls agencies and federal employees in red tape and prevents them from doing their job. “Think of [the procedures] as barnacles on a boat, naturally occurring but in need of periodic removal. As administrators seek to apply the principles to ever-more detailed situations in routinized ways, they interpret and operationalize the principles in ways that result in outcomes inconsistent with the principles themselves.”6
We applaud OPM’s efforts to streamline the federal personnel system elsewhere, and we’d be remiss if we did not point out that this proposal does the opposite.
4. The proposal reinforces a fear-based culture of compliance
This constellation of issues — the inconsistent story on penalties, the vague drafting, and creeping proceduralism — is something of a perfect storm to degrade state capacity. In addition to exacerbating current mechanical issues that make it too hard to run the government, we are concerned this proposal will reinforce a culture of fear-based box-checking that we know has negative impacts on agency performance.
Indeed, as we’ve written, compliance regulations often risk going beyond their goals and end up preventing the federal workforce from succeeding at its core mission work:
All systems must strike a balance between “go energy” and “stop energy,” similar to a car’s gas pedal and brake. Of course we need government agencies to exercise “stop authority” to ensure good governance, but our teams charged with achieving mission goals, with hitting the gas to meet critical national needs, almost always feel outgunned by those whose jobs are to hit the brakes. “We were six people trying to deliver the product,” one staffer told us. “There were easily 60 people telling us everything we couldn’t do…”
But OPM’s role in improving the government workforce goes far beyond some calibration around these compliance issues. More than just getting out of agencies’ way to increase the velocity of the vehicle of government, OPM could and should take an active, strategic role in balancing the ratio of stop energy to go energy. Just as a company might look five years ahead at what roles it will most need to successfully compete in the marketplace, and plan to be able to fill those roles, so could OPM look at the needs of the federal government from a far more strategic perspective. As government works to right-size procedure through statutory, regulatory, practice, and culture changes, it must also actively plan for a workforce that can operate at the speed our nation needs it to. That will require a very different OPM than the one we have today.7
OPM’s proposed NDA introduces a lot more “stop energy” into the system without adding real value for taxpayers, agencies, or members of the public they serve. If agencies are to operate more efficiently and effectively, it doesn’t make sense to introduce more compliance that has federal employees second-guessing every public statement they make.
Suppose agencies, for example, lack the time, resources, or interest to develop a nuanced NDA program. Instead, they may require that federal employees contact their agency head or other similar official every time they wish to communicate with anyone outside of their smallest working circle. This obviously creates challenges in efficiently administering government programs, and impedes the good government work that Americans desire. And even if efficiency was not a priority here, and constant permission requests were a worthwhile cost of enforcement, OPM’s notice offers no assurance that permission from supervisors, up to and including the leading political appointee, could not be revoked after the fact. As a result, it’s easy to imagine federal employees searching for layers of redundant approval to protect themselves from accidentally tripping over any live wires, past or present, at the expense of doing their jobs.
Even if OPM does not intend for this to be the case, or suggests that the above nightmare scenario is an example of malicious compliance, we have good reason to believe that it will happen anyway. Because the government is so large and its work so diffuse, well-meaning and even reasonable policy often becomes interpreted rigidly as it travels further from originators at OPM, OMB, or in Congress. At Niskanen, we call this the cascade of rigidity, which “begins with high-level principles outlined in legislation and executive orders. As these principles descend through layers of bureaucracy, they are translated into more specific and prescriptive guidance. Each level of government, from agencies and sub agencies to individual bureaus and divisions, interprets and operationalizes the guidance in its own way. With each step down the ladder, the flexibility intended by the original framers is diminished, replaced by rigid interpretations and narrow, literal applications of rules.”8

Figure 1. Pahlka, “The How We Need Now,” 10.
This is one of the pathologies that, in our view, has gotten in the way of effective government. OPM’s proposal is in danger of becoming just another example of accreted procedure that neither provides any new value to agencies nor to the public they serve. Because agencies do not typically issue general-purpose NDAs to employees (given their legal redundancy or lack of authority discussed above) they are likely to resort to blunt, check-box approaches.
We see this pattern recur everywhere; even the best of intentions cannot prevent it. The only solution is to be much more thoughtful in the center of government about the ways in which policies are likely to be felt in the field.
The goals of this notice could be much better achieved with improved annual training requirements and awareness offerings
If OPM’s intention is simply to remind employees of their “obligations that already exist under law and regulation, while expressly preserving rights to make disclosures authorized by law, including protected whistleblower disclosures,” there are better ways to achieve that goal. Currently, OPM’s proposed NDA-based approach to nondisclosures seems focused on policing violations rather than preventing them in the first place, but that isn’t the only way to solve the problem. We recommend instead that OPM adopts a strategy that has less deleterious effects on the federal workforce to achieve this goal.
As OPM alludes to in their notice and questions, no written document could adequately cover every possible scenario and every individual requirement for any one agency such that all agencies can implement the same document. Instead, we think that the best strategy to remind employees about their obligations is the way the government does it today: annual trainings that use scenario-based learning to explain the do’s and don’ts in ways that enable employees to apply abstract rules to their own work and experiences.
The business literature gives us reason to believe that this is the case. A 2009 meta-analysis of studies on business ethics training, for example, found that “[c]ase-based learning is most effective, along with a variety of additional learning activities.”9 More recent meta-analytic work has gestured at similar findings: “programs emphasizing active trainee participation […] appeared to demonstrate slightly greater benefits to participants compared with programs where a more passive learning approach was employed” and “programs with an above average emphasis on case instruction appeared especially beneficial to participants.”10 Additionally, there is precedent for operationalizing this type of guidance in scenario-based training. For instance, 5 CFR 2635 discusses acceptance of gifts by federal employees from outside sources and provides guidance in the form of a scenario:
Example 1 to paragraph (b): An employee of the Federal Deposit Insurance Corporation (FDIC) has been dating an accountant employed by a member bank. As part of its “Work-Life Balance” program, the bank has given each employee in the accountant’s division two tickets to a professional basketball game and has urged each to invite a family member or friend to share the evening of entertainment. Under the circumstances, the FDIC employee may accept the invitation to attend the game. Even though the tickets were initially purchased by the member bank, they were given without reservation to the accountant to use as desired, and the invitation to the employee was motivated by their personal friendship.11
Agencies frequently follow up these scenario-based guidance documents with annual and just-in-time training to employees. These trainings usually involve scenario descriptions designed to help employees understand the intent of the regulations rather than only the letter of the law; this is because the rules cannot possibly accommodate every potential ethics situation that an employee could encounter but are rather intended to apply generally. Rather than having employees just sign one-and-done ethics rules, trainings are designed to give useful guidance that prevents ethical lapses before they occur.
Indeed, if OPM believes that significant work is needed to remind federal employees of their obligations, they are better off pursuing a strategy that looks more like annual ethics training than an NDA. In these trainings, agency leaders are able to:
- Tailor discussion to their relevant field. Supervisors and subordinates avoid extrapolating from blanket statements.
- Discuss nuances and complications. Exceptions like the Whistleblower Protection Act are harder to quickly explain in an NDA than they are in longer conversations.
- Answer questions. Instead of signing a document and moving on, employees are encouraged to test how fully they understand their responsibilities, and fill in gaps that can’t be resolved by a form.
Furthermore, as these trainings are already standard practice (e.g., in the context of existing CUI awareness programs), they can be improved more efficiently than creating an additional system that likely requires updates to agency training materials anyway.
Conclusion
OPM’s stated goal is to remind employees of their existing legal obligations. We recommend pursuing this goal through training rather than a one-size-fits-all form, to avoid complicating or confusing employees’ existing responsibilities with new, overbroad expectations. Agencies can individually train employees to handle their specific protected material as outlined by current law without worrying about covering those of other agencies or providing overbroad guidance. Simultaneously, reaffirming employees’ understandings would be much better accomplished when done through discussion. Instead of signing a document that may be misinterpreted, face-to-face training ensures that confusion can be sorted out on-site by supervisors. These changes should be done in conjunction with an understanding that careful balancing of information-sharing and information protection are both simultaneously necessary in order to have an efficient, people-serving government.
Regardless of OPM’s final decision on this topic, ultimate responsibility to structure the federal personnel system rests with Congress, and we continue to believe that durable reform is only possible through congressional action. If OPM believes that additional authorities are necessary for agencies to appropriately safeguard non-public information, Congress should be engaged as a governing partner to formulate, debate, and ultimately formalize those new authorities. We continue to advocate for the Executive Branch to thoughtfully engage their counterparts on the Hill and in civil society to re-think the civil service. We welcome the opportunity to work with all interested parties on such an effort.
Sincerely,
Gabe Menchaca
Senior Policy Analyst, State Capacity Initiative
Niskanen Center
Julia Murphy
Intern, State Capacity Initiative
Niskanen Center
1. Richard Nixon, Radio Address About the American Right of Privacy. Online by Gerhard Peters and John T. Woolley, The American Presidency Project, https://www.presidency.ucsb.edu/node/256379.
2. John Davis, “Retiring with a Clearance: Navigating Classified Information Obligations,” ClearanceJobs, Aug. 16 2023, https://news.clearancejobs.com/2023/08/16/retiring-with-a-clearance-navigating-classified-information-obligations/.
3. U.S. Department of Health and Human Services, “Summary of the HIPAA Privacy Rule,” https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html.
4. “Executive Order 13556 of November 4, 2010, Controlled Unclassified Information,” Code of Federal Regulations, title 3 (2010): 68675, https://www.govinfo.gov/content/pkg/FR-2010-11-09/pdf/2010-28360.pdf.
5. Justin Doubleday, “GSA’s CMMC-like rules raise concerns in industry,” Federal News Network, March 5, 2026, https://federalnewsnetwork.com/acquisition-policy/2026/03/gsas-cmmc-like-rules-raise-concerns-in-industry/.
6. Jennifer Pahlka and Andrew Greenway, “The How We Need Now: A Capacity Agenda for 2025 and Beyond,” Niskanen Center, December 20 2024, 19, https://www.niskanencenter.org/wp-content/uploads/2024/12/Niskanen-State-Capacity-Paper_-Jen-Pahlka-and-Andrew-Greenway-2.pdf.
7. Ibid, 21.
8. Ibid, 9.
9. Ethan P. Waples et al., “A Meta-Analytic Investigation of Business Ethics Instruction,” Journal of Business Ethics, 87(1), 146, https://doi.org/10.1007/s10551-008-9875-0.
10. Logan L. Watts et al., “Are Ethics Training Programs Improving? A Meta-Analytic Review of Past and Present Ethics Instruction in the Sciences,” Ethics & Behavior, 27(5), https://pmc.ncbi.nlm.nih.gov/articles/PMC6368181/.
11. 5 CFR 2635.204(b).