You may show this to your managers if you wish.
Before retirement, I worked at the Navy Enterprise Data Center New Orleans, one of a small number of Navy hosting sites. As we grew, we had 1200-1500 servers spread over 60-80 projects including some with either "Sensitive but Unclassified" (SBU) or Secret requirements. (It was not a Top Secret site, though.) ALL of our people had to have Secret clearances to even work on the in-house network, me included.
One of our biggest projects, data-wise, was from BUMED (U.S. Navy Bureau of Medicine), which used an Access Front End and an SQL Server back end. This project had to conform to both Privacy Act and HIPAA requirements - which it did. The FE files were on individual user machines in that environment. I estimate a user base of between 40 and 50 medical records clerks plus a couple of supervisors. Sorry, cannot legally tell you anything about the number of people or incidents that database actually tracked.
We were able to demonstrate that NO repeat NO sensitive data was ever stored in the FE files and that the ability of the user to print a report was a bigger risk than having an FE file on a workstation. The report ability was going to be a reality regardless of where the FE files were located.
It is an example of false security to force deployment of Access FE files in a way that risks damage to the back-end database. Stated another way, it is a violation of the principle of Operational Security to knowingly place a program in an at-risk environment if the risk includes damaging the data repository. The U.S. Navy saw fit to use a distributed Access front-end on sensitive personnel records subject to strict security requirements.