It's definitely something to raise a concern (which many already commented). Not knowing the full detail, I'd just ask you to consider this: How is this different from an external auditor (such as EY or PwC) came in and conduct security assessment of your system? What are your process when handling this kind of scenario/data? (someone already gave great example)
You said you are willing and offered to spend time with them to review security practices and results of other security assessments done before. But whoever saw that they can take notes, and then upload their notes to the repository. How is it different from you uploading the document to repository yourself?
I believe as CISO you are responsible for identifying and explaining the risk. But if management understand the risk and chose to accept it, you should document it and proceed. You can take further action to minimize the accepted risk. For example, encrypt or restrict access to the document uploaded with document management system. Or Improve security posture after the security assessment. As someone already commented, security assessment is a snapshot of how vulnerable you are at that point in time.
Bottom line @Picasso people do not change and government procurement is broken. Vulnerability assessments and pen tests are not worth the paper they are printed on because often "their scope" is not what you actually need tested. To succeed you need to bring real quantitative data to the debate.
You will be the first to go even if the risk acceptance is documented and approved by your management chain. Look of the bright side, this is a sign to move on to bigger and better things!