Task Order No. NRC-HQ-10-17-T-0002 Under Contract No. GS-06F-1101Z

ML17262B251
Person / Time
Issue date:	09/19/2017
From:	Heriberto Colon Acquisition Management Division
To:	Buford M 3Links Technologies
References
GS-06F-1101Z
Download: ML17262B251 (32)
v • d • e

Text

1. REQUISITION NUMBER PAGE OF SOLICITATION/CONTRACT/ORDER FOR COMMERCIAL ITEMS OFFEROR TO COMPLETE BLOCKS 12, 17, 23, 24, & 30 See Schedule 1 32

2. CONTRACT NO. 3. AWARD/ 4. ORDER NUMBER 5. SOLICITATION NUMBER 6. SOLICITATION GS-06F-1101Z EFFECTIVE DATE ISSUE DATE NRC-HQ-10-17-T-0002

7. FOR SOLICITATION a. NAME b. TELEPHONE NUMBER (No collect calls) 8. OFFER DUE DATE/LOCAL TIME INFORMATION CALL: BANU GOLDFEIZ

9. ISSUED BY CODE NRCHQ 10. THIS ACQUISITION IS X UNRESTRICTED OR SET ASIDE:  % FOR:

WOMEN-OWNED SMALL BUSINESS US NRC - HQ SMALL BUSINESS (WOSB) ELIGIBLE UNDER THE WOMEN-OWNED ACQUISITION MANAGEMENT DIVISION HUBZONE SMALL SMALL BUSINESS PROGRAM NAICS: 541513 BUSINESS EDWOSB MAIL STOP TWFN-8E06M SERVICE-DISABLED 8(A)

WASHINGTON DC 20555-0001 VETERAN-OWNED SIZE STANDARD: $27.50 SMALL BUSINESS

11. DELIVERY FOR FOB DESTINA- 12. DISCOUNT TERMS 13b. RATING TION UNLESS BLOCK IS 13a. THIS CONTRACT IS A MARKED 30 RATED ORDER UNDER

14. METHOD OF SOLICITATION SEE SCHEDULE 30 DPAS (15 CFR 700)

RFQ IFB RFP

15. DELIVER TO CODE NRCHQ 16. ADMINISTERED BY CODE NRCHQ NUCLEAR REGULATORY COMMISSION US NRC - HQ NUCLEAR REGULATORY COMMISSION ACQUISITION MANAGEMENT DIVISION WASHINGTON DC 20555-0001 MAIL STOP TWFN-8E06M WASHINGTON DC 20555-0001 17a. CONTRACTOR/ CODE 015229300 FACILITY CODE 18a. PAYMENT WILL BE MADE BY CODE NRC PAYMENTS 1 OFFEROR 3LINKS TECHNOLOGIES INC NRC PAYMENTS ATTN MELVIN BUFORD NRCPAYMENTSNRCGOV 8701 GEORGIA AVENUE SUITE 705 SILVER SPRING MD 20910 TELEPHONE NO. 3015888291 17b. CHECK IF REMITTANCE IS DIFFERENT AND PUT SUCH ADDRESS IN OFFER 18b. SUBMIT INVOICES TO ADDRESS SHOWN IN BLOCK 18a UNLESS BLOCK BELOW IS CHECKED SEE ADDENDUM

19. 20. 21. 22. 23. 24.

ITEM NO. SCHEDULE OF SUPPLIES/SERVICES QUANTITY UNIT UNIT PRICE AMOUNT Period of Performance: 01/31/2018 to 01/30/2019 00001 BASE PERIOD VTC O& M (FFP)

Requisition No: ADM-17-0167, OCIO-17-0372 Accounting Info:

2017-X0200-FEEBASED-40-40D099-6007-51-J-144-252A-5 1-J-144-6007 Funded:

Accounting Info:

Continued ...

(Use Reverse and/or Attach Additional Sheets as Necessary)

25. ACCOUNTING AND APPROPRIATION DATA 26. TOTAL AWARD AMOUNT (For Govt. Use Only)

See schedule $999,932.12 27a. SOLICITATION INCORPORATES BY REFERENCE FAR 52.212-1, 52.212-4. FAR 52.212-3 AND 52.212-5 ARE ATTACHED. ADDENDA ARE ARE NOT ATTACHED.

X 27b. CONTRACT/PURCHASE ORDER INCORPORATES BY REFERENCE FAR 52.212-4. FAR 52.212-5 IS ATTACHED. ADDENDA ARE X ARE NOT ATTACHED.

28. CONTRACTOR IS REQUIRED TO SIGN THIS DOCUMENT AND RETURN X 29. AWARD OF CONTRACT: REF. NRC-HQ-10-17-Q-004 OFFER COPIES TO ISSUING OFFICE. CONTRACTOR AGREES TO FURNISH AND DELIVER DATED 09/11/2017 . YOUR OFFER ON SOLICITATION (BLOCK 5),

ALL ITEMS SET FORTH OR OTHERWISE IDENTIFIED ABOVE AND ON ANY ADDITIONAL INCLUDING ANY ADDITIONS OR CHANGES WHICH ARE SET FORTH SHEETS SUBJECT TO THE TERMS AND CONDITIONS SPECIFIED. HEREIN, IS ACCEPTED AS TO ITEMS:

30a. SIGNATURE OF OFFEROR/CONTRACTOR 31a. UNITED STATES OF AMERICA (SIGNATURE OF CONTRACTING OFFICER) 30b. NAME AND TITLE OF SIGNER (Type or print) 30c. DATE SIGNED 31b. NAME OF CONTRACTING OFFICER (Type or print) 31c. DATE SIGNED HERIBERTO COLON 09/19/2017 AUTHORIZED FOR LOCAL REPRODUCTION STANDARD FORM 1449 (REV. 2/2012)

PREVIOUS EDITION IS NOT USABLE Prescribed by GSA - FAR (48 CFR) 53.212

2 of 32

19. 20. 21. 22. 23. 24.

ITEM NO. SCHEDULE OF SUPPLIES/SERVICES QUANTITY UNIT UNIT PRICE AMOUNT 2017-X0200-FEEBASED-10-10D011-6089-51-J-144-251A-5 1-J-144-6089 Funded:

00002 BASE PERIOD VTC ON-CALL (LH)

Requisition No: OCIO-17-0372 Accounting Info:

2017-X0200-FEEBASED-10-10D011-6089-51-J-144-251A-5 1-J-144-6089 Funded:

10001 OPTION PERIOD 1 - VTC O&M (FFP) 0.00 Amount: (Option Line Item)

Anticipated Exercise Date01/31/2019 10002 OPTION PERIOD 1 - VTC ON CALL (LH) 0.00 (Engineer/Service and Support)

Amount: Option Line Item)

Anticipated Exercise Date01/31/2019 20001 OPTION PERIOD 2 - VTC O&M (FFP) 0.00 Amount: Option Line Item)

Anticipated Exercise Date01/31/2020 20002 OPTION PERIOD 2 - VTC ON CALL (LH) 0.00 Continued ...

32a. QUANTITY IN COLUMN 21 HAS BEEN RECEIVED INSPECTED ACCEPTED, AND CONFORMS TO THE CONTRACT, EXCEPT AS NOTED:

32b. SIGNATURE OF AUTHORIZED GOVERNMENT REPRESENTATIVE 32c. DATE 32d. PRINTED NAME AND TITLE OF AUTHORIZED GOVERNMENT REPRESENTATIVE 32e. MAILING ADDRESS OF AUTHORIZED GOVERNMENT REPRESENTATIVE 32f. TELEPHONE NUMBER OF AUTHORIZED GOVERNMENT REPRESENTATIVE 32g. E-MAIL OF AUTHORIZED GOVERNMENT REPRESENTATIVE

33. SHIP NUMBER 34. VOUCHER NUMBER 35. AMOUNT VERIFIED 36. PAYMENT 37. CHECK NUMBER CORRECT FOR COMPLETE PARTIAL FINAL PARTIAL FINAL

38. S/R ACCOUNT NUMBER 39. S/R VOUCHER NUMBER 40. PAID BY 41a. I CERTIFY THIS ACCOUNT IS CORRECT AND PROPER FOR PAYMENT 42a. RECEIVED BY (Print) 41b. SIGNATURE AND TITLE OF CERTIFYING OFFICER 41c. DATE 42b. RECEIVED AT (Location) 42c. DATE REC'D (YY/MM/DD) 42d. TOTAL CONTAINERS STANDARD FORM 1449 (REV. 2/2012) BACK

REFERENCE NO. OF DOCUMENT BEING CONTINUED PAGE OF CONTINUATION SHEET GS-06F-1101Z/NRC-HQ-10-17-T-0002 3 32 NAME OF OFFEROR OR CONTRACTOR 3LINKS TECHNOLOGIES INC ITEM NO. SUPPLIES/SERVICES QUANTITY UNIT UNIT PRICE AMOUNT (A) (B) (C) (D) (E) (F)

(Engineer/Service and Support)

Amount: (Option Line Item)

Anticipated Exercise Date01/31/2019 The obligated amount of award: $338,415.00. The total for this award is shown in box 26.

NSN 7540-01-152-8067 OPTIONAL FORM 336 (4-86)

Sponsored by GSA FAR (48 CFR) 53.110

GS-06F-1101Z NRC0HQ-10-147-T-0002 Page 4 of 32 SECTION B - Supplies or Services/Prices B.1 PRICE SCHEDULE ITEM NO. DESCRIPTION CONTRACT OPTION QTY. UNIT UNIT PRICE FUNDED AMOUNT AMOUNT TYPE BASE PERIOD - (January 31, 2018 - January 30, 2019 )

000001AA VTC O&M FFP NO 12 MO 0 000001AB On-Call - VTC Engineer/Service LH NO 1 LOT and Support Subtotal $

On-Call Labor Category Hourly Rate VTC Engineer/Service and Support OPTION YEAR 1 - (January 31, 2019-January 30, 2020) )

10001 VTC O&M FFP YES 12 MO 10002 On-Call - VTC Engineer/Service LH YES 1 LOT $0.00 and Support Subtotal $0.00 Labor Category Hourly Rate VTC Engineer/Service and Support OPTION YEAR 2 - (January 31, 2020 - January 30, 2021) 20001 VTC O&M FFP YES 12 MO $0.00

GS-06F-1101Z NRC0HQ-10-147-T-0002 Page 5 of 32 20002 On-Call - VTC Engineer/Service LH YES 1 LOT $0.00 and Support Subtotal $0.00 Labor Category Hourly Rate VTC Engineer/Service and Support TOTAL $999,932.12

GS-06F-1101Z NRC0HQ-10-147-T-0002 Page 6 of 32 NRCB10 BRIEF PROJECT TITLE AND WORK DESCRIPTION (a) The title of this project is: VTC support services at the U.S. Nuclear Regulatory Commission.

(b) Summary work description:

The main objectives of this contract/order are to:

To provide the necessary technical services to transition from a manual to an automated VTC delivery system; and To obtain subject matter expertise and related technical services to assist with the upgrade from the ISDN to a VTCIP platform; To support day-to-day VTC operational services at the NRC.

See Attachment 1: Statement of Work (End of Clause)

NRCB080 CONSIDERATION AND OBLIGATION-FIRM-FIXED-PRICE The total amount of the Firm-Fixed-Price portion of this contract is and this amount is fully-funded.

(End of Clause)

NRCB084 CONSIDERATION AND OBLIGATION- LABOR-HOUR CONTRACT (a) The ceiling price to the Government for full performance under this contract is

$999,932.12.

(b) The contract includes direct labor hours at specified fixed hourly rates, inclusive of wages, fringe, overhead, general and administrative expenses, and profit.

(c) It is estimated that the amount currently obligated will cover performance through September 1, 2018.

(d) This is an incrementally-funded contract and FAR 52.232 Limitation of Funds applies.

(End of Clause)

NRCF30B PERIOD OF PERFORMANCE ALTERNATE This contract shall commence on January 31st, 2018 and will expire on January 30, 2019. The term of this contract may be extended at the option of the Government for an additional 2 years, from January 31, 2019 to January 30, 2021.

Base Period : January 31, 2018 - January 30, 2019 Option Period 1: January 31, 2019 - January 30, 2020 Option Period 2: January 31, 2020 - January 30, 202

GS-06F-1101Z NRC0HQ-10-147-T-0002 Page 7 of 32 SECTION C - Description/Specifications See Attachment 1: Statement of Work

GS-06F-1101Z NRC0HQ-10-147-T-0002 Page 8 of 32 SECTION D - Packaging and Marking NRCD010 PACKAGING AND MARKING (a) The Contractor shall package material for shipment to the NRC in such a manner that will ensure acceptance by common carrier and safe delivery at destination.

Containers and closures shall comply with the Surface Transportation Board, Uniform Freight Classification Rules, or regulations of other carriers as applicable to the mode of transportation.

(b) On the front of the package, the Contractor shall clearly identify the contract number under which the product is being provided.

(c) Additional packaging and/or marking requirements are as follows: N/A.

(End of Clause)

NRCD020 BRANDING The Contractor is required to use the statement below in any publications, presentations, articles, products, or materials funded under this contract/order, to the extent practical, in order to provide NRC with recognition for its involvement in and contribution to the project. If the work performed is funded entirely with NRC funds, then the contractor must acknowledge that information in its documentation/presentation.

Work Supported by the U.S. Nuclear Regulatory Commission (NRC), Office of Chief Information Officer (OCIO), under Contract/order number GS-06F-1101Z/NRC-HQ 17-T-0002 (End of Clause)

GS-06F-1101Z NRC0HQ-10-147-T-0002 Page 9 of 32 SECTION E - Inspection and Acceptance NRCE10 INSPECTION AND ACCEPTANCE BY THE NRC (SEP 2013)

Inspection and acceptance of the deliverable items to be furnished hereunder shall be made by the NRC Contracting Officers Representative (COR) at the destination, accordance with FAR 52.247 F.o.b. Destination.

Contract Deliverables:

1. See Attachment 1: Statement of Work

GS-06F-1101Z NRC0HQ-10-147-T-0002 Page 10 of 32 SECTION F - Deliveries or Performance NRCF010 PLACE OF DELIVERY-REPORTS The items to be furnished hereunder shall be delivered, with all charges paid by the Contractor, to:

Name: Roberto Figueroa, Contractor Officers Representative (COR) (1 electronic copy)

Email: Roberto.Figueroa@nrc.gov Name: Donald Lewis, Alternate Contractor Officers Representative (ACOR) (1 electronic copy)

Email: Donald.Lewis@nrc.gov Name: Banu Goldfeiz, Acquisition Business Specialist (1 electronic copy)

Email: Banu.Goldfeiz@nrc.gov 2052.215-71 PROJECT OFFICER AUTHORITY (OCT 1999)

(a) The contracting officer's authorized representative (COR) for this contract is:

Name: Roberto Figueroa Address: US Nuclear Regulatory Commission Rockville Pike, Rockville MD 20852 Telephone Number: 301-287-0781-Email: Roberto.Figueroa@nrc.gov Alternate Contractor Officers Representative (ACOR)

Name: Donald Lewis Address: US Nuclear Regulatory Commission Rockville Pike, Rockville MD 20852 Telephone Number: 301-287-0787-Email: Donald.Lewis@nrc.gov (b) Performance of the work under this contract is subject to the technical direction of the NRC project officer. The term technical direction is defined to include the following:

(1) Technical direction to the contractor which shifts work emphasis between areas of work or tasks, authorizes travel which was unanticipated in the Schedule (i.e., travel not contemplated in the Statement of Work or changes to specific travel identified in the Statement of Work), fills in details, or otherwise serves to accomplish the contractual statement of work.

(2) Provide advice and guidance to the contractor in the preparation of drawings, specifications, or technical portions of the work description.

GS-06F-1101Z NRC0HQ-10-147-T-0002 Page 11 of 32 (3) Review and, where required by the contract, approve technical reports, drawings, specifications, and technical information to be delivered by the contractor to the Government under the contract.

(c) Technical direction must be within the general statement of work stated in the contract. The project officer does not have the authority to and may not issue any technical direction which:

(1) Constitutes an assignment of work outside the general scope of the contract.

(2) Constitutes a change as defined in the "Changes" clause of this contract.

(3) In any way causes an increase or decrease in the total estimated contract cost, the fixed fee, if any, or the time required for contract performance.

(4) Changes any of the expressed terms, conditions, or specifications of the contract.

(5) Terminates the contract, settles any claim or dispute arising under the contract, or issues any unilateral directive whatever.

(d) All technical directions must be issued in writing by the COR or must be confirmed by the COR in writing within ten (10) working days after verbal issuance. A copy of the written direction must be furnished to the contracting officer. A copy of NRC Form 445, Request for Approval of Official Foreign Travel, which has received final approval from the NRC must be furnished to the contracting officer.

(e) The contractor shall proceed promptly with the performance of technical directions duly issued by the project officer in the manner prescribed by this clause and within the project officer's authority under the provisions of this clause.

(f) If, in the opinion of the contractor, any instruction or direction issued by the project officer is within one of the categories defined in paragraph (c) of this section, the contractor may not proceed but shall notify the contracting officer in writing within five (5) working days after the receipt of any instruction or direction and shall request that contracting officer to modify the contract accordingly. Upon receiving the notification from the contractor, the contracting officer shall issue an appropriate contract modification or advise the contractor in writing that, in the contracting officer's opinion, the technical direction is within the scope of this article and does not constitute a change under the "Changes" clause.

(g) Any unauthorized commitment or direction issued by the project officer may result in an unnecessary delay in the contractor's performance and may even result in the contractor expending funds for unallowable costs under the contract.

(h) A failure of the parties to agree upon the nature of the instruction or direction or upon the contract action to be taken with respect to the instruction or direction is subject to

§52.233 Disputes.

GS-06F-1101Z NRC0HQ-10-147-T-0002 Page 12 of 32 (i) In addition to providing technical direction as defined in paragraph (b) of the section, the project officer shall:

(1) Monitor the contractor's technical progress, including surveillance and assessment of performance, and recommend to the contracting officer changes in requirements.

(2) Assist the contractor in the resolution of technical problems encountered during performance.

(3) Review all costs requested for reimbursement by the contractor and submit to the contracting officer recommendations for approval, disapproval, or suspension of payment for supplies and services required under this contract.

2052.215-70 KEY PERSONNEL. (JAN 1993)

(a) The following individuals are considered to be essential to the successful performance of the work hereunder:

Thomas Dashiell - PM / VTC Engineer Damion Jackson - VTC Technician

• The contractor agrees that personnel may not be removed from the contract work or replaced without compliance with paragraphs (b) and (c) of this section.

(b) If one or more of the key personnel, for whatever reason, becomes, or is expected to become, unavailable for work under this contract for a continuous period exceeding 30 work days, or is expected to devote substantially less effort to the work than indicated in the proposal or initially anticipated, the contractor shall immediately notify the contracting officer and shall, subject to the concurrence of the contracting officer, promptly replace the personnel with personnel of at least substantially equal ability and qualifications.

(c) Each request for approval of substitutions must be in writing and contain a detailed explanation of the circumstances necessitating the proposed substitutions. The request must also contain a complete resume for the proposed substitute and other information requested or needed by the contracting officer to evaluate the proposed substitution.

The contracting officer and the project officer shall evaluate the contractor's request and the contracting officer shall promptly notify the contractor of his or her decision in writing.

(d) If the contracting officer determines that suitable and timely replacement of key personnel who have been reassigned, terminated, or have otherwise become unavailable for the contract work is not reasonably forthcoming, or that the resultant reduction of productive effort would be so substantial as to impair the successful completion of the contract or the service order, the contract may be terminated by the contracting officer for default or for the convenience of the Government, as appropriate.

If the contracting officer finds the contractor at fault for the condition, the contract price or fixed fee may be equitably adjusted downward to compensate the Government for any resultant delay, loss, or damage. (End of Clause)

GS-06F-1101Z NRC0HQ-10-147-T-0002 Page 13 of 32 SECTION G - Contract Administration Data NRCG030 ELECTRONIC PAYMENT (SEP 2014)

The Debt Collection Improvement Act of 1996 requires that all payments except IRS tax refunds be made by Electronic Funds Transfer. Payment shall be made in accordance with FAR 52.232-33, entitled Payment by Electronic Funds-Central Contractor Registration.

To receive payment, the contractor shall prepare invoices in accordance with NRCs Billing Instructions. Claims shall be submitted on the payees letterhead, invoice, or on the Governments Standard Form 1034, Public Voucher for Purchases and Services Other than Personal, and Standard Form 1035, Public Voucher for Purchases Other than Personal - Continuation Sheet. The preferred method of submitting invoices is electronically to: NRCPayments@nrc.gov.

(End of Clause)

NRCG020 REGISTRATION IN FEDCONNECT (JULY 2014)

The Nuclear Regulatory Commission (NRC) uses Compusearch Software Systems Secure and auditable two-way web portal, FedConnect, to communicate with vendors and contractors. FedConnect provides bi-directional communication between the vendor/contractor and the NRC throughout pre-award, award, and post-award acquisition phases. Therefore, in order to do business with the NRC, vendors and contractors must register to use FedConnect at https://www.fedconnect.net/FedConnect . The individual registering in FedConnect must have authority to bind the vendor/contractor. There is no charge for using FedConnect. Assistance with FedConnect is provided by Compusearch Software Systems, not the NRC. FedConnect contact and assistance information is provided on the FedConnect web site at https://www.fedconnect.net/FedConnect.

GS-06F-1101Z NRC0HQ-10-147-T-0002 Page 14 of 32 SECTION H - Special Contract Requirements 2052.204-70 SECURITY (OCT 1999)

(a) Security/Classification Requirements Form. The attached NRC Form 187 (See List of Attachments) furnishes the basis for providing security and classification requirements to prime contractors, subcontractors, or others (e.g., bidders) who have or may have an NRC contractual relationship that requires access to classified information or matter, access on a continuing basis (in excess of 90 or more days) to NRC Headquarters controlled buildings, or otherwise requires NRC photo identification or card-key badges.

(b) It is the contractor's duty to safeguard National Security Information, Restricted Data, and Formerly Restricted Data. The contractor shall, in accordance with the Commission's security regulations and requirements, be responsible for safeguarding National Security Information, Restricted Data, and Formerly Restricted Data, and for protecting against sabotage, espionage, loss, and theft, the classified documents and material in the contractor's possession in connection with the performance of work under this contract. Except as otherwise expressly provided in this contract, the contractor shall transmit to the Commission any classified matter in the possession of the contractor or any person under the contractor's control in connection with performance of this contract upon completion or termination of this contract.

(1) The contractor shall complete a certificate of possession to be furnished to the Commission specifying the classified matter to be retained if the retention is:

(i) Required after the completion or termination of the contract; and (ii) Approved by the contracting officer.

(2) The certification must identify the items and types or categories of matter retained, the conditions governing the retention of the matter and their period of retention, if known. If the retention is approved by the contracting officer, the security provisions of the contract continue to be applicable to the matter retained.

(c) In connection with the performance of the work under this contract, the contractor may be furnished, or may develop or acquire, proprietary data (trade secrets) or confidential or privileged technical, business, or financial information, including Commission plans, policies, reports, financial plans, internal data protected by the Privacy Act of 1974 (Pub. L.93-579), or other information which has not been released to the public or has been determined by the Commission to be otherwise exempt from disclosure to the public. The contractor agrees to hold the information in confidence and not to directly or indirectly duplicate, disseminate, or disclose the information, in whole or in part, to any other person or organization except as necessary to perform the work under this contract. The contractor agrees to return the information to the Commission or otherwise dispose of it at the direction of the contracting officer. Failure to comply with this clause is grounds for termination of this contract.

(d) Regulations. The contractor agrees to conform to all security regulations and requirements of the Commission which are subject to change as directed by the NRC Division of Facilities and Security and the Contracting Officer. These changes will be under the authority of the FAR Changes clause referenced in Section I of this document.

GS-06F-1101Z NRC0HQ-10-147-T-0002 Page 15 of 32 e) Definition of National Security Information. As used in this clause, the term National Security Information means information that has been determined pursuant to Executive Order 12958 or any predecessor order to require protection against unauthorized disclosure and that is so designated.

(f) Definition of Restricted Data. As used in this clause, the term Restricted Data means all data concerning design, manufacture, or utilization of atomic weapons; the production of special nuclear material; or the use of special nuclear material in the production of energy, but does not include data declassified or removed from the Restricted Data category under to Section 142 of the Atomic Energy Act of 1954, as amended.

(g) Definition of Formerly Restricted Data. As used in this clause the term Formerly Restricted Data means all data removed from the Restricted Data category under Section 142-d of the Atomic Energy Act of 1954, as amended.

(h) Security clearance personnel. The contractor may not permit any individual to have access to Restricted Data, Formerly Restricted Data, or other classified information, except in accordance with the Atomic Energy Act of 1954, as amended, and the Commission's regulations or requirements applicable to the particular type or category of classified information to which access is required. The contractor shall also execute a Standard Form 312, Classified Information Nondisclosure Agreement, when access to classified information is required.

(i) Criminal liabilities. Disclosure of National Security Information, Restricted Data, and Formerly Restricted Data relating to the work or services ordered hereunder to any person not entitled to receive it, or failure to safeguard any Restricted Data, Formerly Restricted Data, or any other classified matter that may come to the contractor or any person under the contractor's control in connection with work under this contract, may subject the contractor, its agents, employees, or subcontractors to criminal liability under the laws of the United States. (See the Atomic Energy Act of 1954, as amended, 42 U.S.C. 2011 et seq.; 18 U.S.C. 793 and 794; and Executive Order 12958.)

(j) Subcontracts and purchase orders. Except as otherwise authorized, in writing, by the contracting officer, the contractor shall insert provisions similar to the foregoing in all subcontracts and purchase orders under this contract.

(k) In performing contract work, the contractor shall classify all documents, material, and equipment originated or generated by the contractor in accordance with guidance issued by the Commission. Every subcontract and purchase order issued under the contract that involves originating or generating classified documents, material, and equipment must provide that the subcontractor or supplier assign the proper classification to all documents, material, and equipment in accordance with guidance furnished by the contractor NRC INFORMATION TECHNOLOGY SECURITY TRAINING (MAY 2016)

NRC contractors shall ensure that their employees, consultants, and subcontractors with access to the agency's information technology (IT) equipment and/or IT services complete NRC's online initial and refresher IT security training requirements to ensure that their knowledge of IT threats, vulnerabilities, and associated countermeasures remains current. Both the initial and refresher IT security training courses generally last an hour or less and can be taken during the employee's regularly scheduled work day.

GS-06F-1101Z NRC0HQ-10-147-T-0002 Page 16 of 32 Contractor employees, consultants, and subcontractors shall complete the NRC's online annual, "Computer Security Awareness" course on the same day that they receive access to the agency's IT equipment and/or services, as their first action using the equipment/service. For those contractor employees, consultants, and subcontractors who are already working under this contract, the on-line training must be completed in accordance with agency Network Announcements issued throughout the year, within three weeks of issuance of this modification.

Additional annual required online NRC training includes but is not limited to the following:

(1) Information Security (INFOSEC) Awareness (2) Continuity of Operations (COOP) Awareness (3) Defensive Counterintelligence and Insider Threat Awareness (4) No FEAR Act (5) Personally Identifiable Information (PII) and Privacy Act Responsibilities Awareness Contractor employees, consultants, and subcontractors who have been granted access to NRC information technology equipment and/or IT services must continue to take IT security refresher training offered online by the NRC throughout the term of the contract.

Contractor employees will receive notice of NRC's online IT security refresher training requirements through agency-wide notices.

Contractor Monthly Letter Status Reports (MLSR) must include the following information for all completed training:

(1) the name of the individual completing the course; (2) the course title; and (3) the course completion date.

The MLSR must also include the following information for those individuals who have not completed their required training:

(1) the name of the individual who has not yet completed the training; (2) the title of the course(s) which must still be completed; and (3) the anticipated course completion date(s).

The NRC reserves the right to deny or withdraw Contractor use or access to NRC IT equipment and/or services, and/or take other appropriate contract administrative actions (e.g., disallow costs, terminate for cause) should the Contractor violate the Contractor's responsibility under this clause.

(End of Clause) 2052.204-71 SITE ACCESS BADGE REGUIREMTNES (JAN 1993))

During the life of this contract, the rights of ingress and egress for contractor personnel must be made available as required. In this regard, all contractor personnel whose duties under this contract require their presence on-site shall be clearly identifiable by a distinctive badge furnished by the Government. The Project Officer shall assist the contractor in obtaining the badges for contractor personnel. It is the sole responsibility of the contractor to ensure that each employee has proper identification at all times. All prescribed identification must be immediately delivered to the Security Office for cancellation or disposition upon the termination of employment of any contractor personnel. Contractor personnel shall have this identification in their possession during on-site performance under this contract. It is the contractor's duty to assure that contractor personnel enter only those work areas necessary for performance of contract work and to assure the safeguarding of any Government records or data that contractor personnel may come into contact with. (End of Clause)

GS-06F-1101Z NRC0HQ-10-147-T-0002 Page 17 of 32 NRCH020 SECURITY REQUIREMENTS FOR BUILDING ACCESS APPROVAL (SEP 2013)

The Contractor shall ensure that all its employees, subcontractor employees or consultants who are assigned to perform the work herein for contract performance for periods of more than 30 calendar days at NRC facilities, are approved by the NRC for unescorted NRC building access.

The Contractor shall conduct a preliminary federal facilities security screening interview or review for each of its employees, subcontractor employees, and consultants and submit to the NRC only the names of candidates for contract performance that have a reasonable probability of obtaining approval necessary for access to NRC's federal facilities. The Contractor shall prescreen its applicants for the following:

(a) felony arrest in the last seven (7) years; (b) alcohol related arrest within the last five (5) years; (c) record of any military courts-martial convictions in the past ten (10) years; (d) illegal use of narcotics or other controlled substances possession in the past year, or illegal purchase, production, transfer, or distribution of narcotics or other controlled substances in the last seven (7) years; and (e) delinquency on any federal debts or bankruptcy in the last seven (7) years.

The Contractor shall make a written record of its pre-screening interview or review (including any information to mitigate the responses to items listed in (a) - (e)), and have the applicant verify the pre-screening record or review, sign and date it. Two (2) copies of the pre-screening signed record or review shall be supplied to the Division of Facilities and Security, Personnel Security Branch (DFS/PSB) with the Contractor employee's completed building access application package.

The Contractor shall further ensure that its employees, any subcontractor employees and consultants complete all building access security applications required by this clause within fourteen (14) calendar days of notification by DFS/PSB of initiation of the application process. Timely receipt of properly completed records of the Contractor's signed pre-screening record or review and building access security applications (submitted for candidates that have a reasonable probability of obtaining the level of access authorization necessary for access to NRC's facilities) is a contract requirement.

Failure of the Contractor to comply with this contract administration requirement may be a basis to cancel the award, or terminate the contract for default, or offset from the contract's invoiced cost or price the NRC's incurred costs or delays as a result of inadequate pre-screening by the Contractor. In the event of cancellation or termination, the NRC may select another firm for contract award.

A Contractor, subcontractor employee or consultant shall not have access to NRC facilities until he/she is approved by DFS/PSB. Temporary access may be approved based on a favorable NRC review and discretionary determination of their building access security forms. Final building access will be approved based on favorably adjudicated checks by the Government. However, temporary access approval will be revoked and the Contractor's employee may subsequently be denied access in the event the employee's investigation cannot be favorably determined by the NRC. Such employee will not be authorized to work under any NRC contract requiring building

GS-06F-1101Z NRC0HQ-10-147-T-0002 Page 18 of 32 access without the approval of DFS/PSB. When an individual receives final access, the individual will be subject to a review or reinvestigation every five (5) or ten (10) years, depending on their job responsibilities at the NRC.

The Government shall have and exercise full and complete control and discretion over granting, denying, withholding, or terminating building access approvals for individuals performing work under this contract. Individuals performing work under this contract at NRC facilities for a period of more than 30 calendar days shall be required to complete and submit to the Contractor representative an acceptable OPM Standard Form 85 (Questionnaire for Non-Sensitive Positions), and two (2) FD 258 (Fingerprint Charts).

Non-U.S. citizens must provide official documentation to the DFS/PSB, as proof of their legal residency. This documentation can be a Permanent Resident Card, Temporary Work Visa, Employment Authorization Card, or other official documentation issued by the U.S. Citizenship and Immigration Services. Any applicant with less than five (5) years residency in the U.S. will not be approved for building access. The Contractor shall submit the documents to the NRC Contracting Officer's Representative (COR) who will give them to DFS/PSB.

DFS/PSB may, among other things, grant or deny temporary unescorted building access approval to an individual based upon its review of the information contained in the OPM Standard Form 85 and the Contractor's pre-screening record. Also, in the exercise of its authority, the Government may, among other things, grant or deny permanent building access approval based on the results of its review or investigation. This submittal requirement also applies to the officers of the firm who, for any reason, may visit the NRC work sites for an extended period of time during the term of the contract. In the event that DFS/PSB are unable to grant a temporary or permanent building access approval, to any individual performing work under this contract, the Contractor is responsible for assigning another individual to perform the necessary function without any delay in the contract's performance schedule, or without adverse impact to any other terms or conditions of the contract. The Contractor is responsible for informing those affected by this procedure of the required building access approval process (i.e.,

temporary and permanent determinations), and the possibility that individuals may be required to wait until permanent building access approvals are granted before beginning work in NRC's buildings.

CANCELLATION OR TERMINATION OF BUILDING ACCESS/ REQUEST The Contractor shall immediately notify the COR when a Contractor or subcontractor employee or consultant's need for NRC building access approval is withdrawn or the need by the Contractor employee's for building access terminates. The COR will immediately notify DFS/PSB (via e-mail) when a Contractor employee no longer requires building access. The Contractor shall be required to return any NRC issued badges to the COR for return to DFS/FSB (Facilities Security Branch) within three (3) days after their termination.

(End of Clause)

NRCH030 SECURITY REQUIREMENTS FOR INFORMATION TECHNOLOGY LEVEL I OR LEVEL II ACCESS APPROVAL (JUL 2016)

GS-06F-1101Z NRC0HQ-10-147-T-0002 Page 19 of 32 The contractor must identify all individuals selected to work under this contract. The NRC Contracting Officers Representative (COR) shall make the final determination of the level, if any, of IT access approval required for all individuals working under this contract/order using the following guidance. The Government shall have full and complete control and discretion over granting, denying, withholding, or terminating IT access approvals for contractor personnel performing work under this contract/order.

The contractor shall conduct a preliminary security interview or review for each employee requiring IT level I or II access and submit to the Government only the names of candidates that have a reasonable probability of obtaining the level of IT access approval for which the employee has been proposed. The contractor shall pre-screen its applicants for the following:

(a) felony arrest in the last seven (7) years; (b) alcohol related arrest within the last five (5) years; (c) record of any military courts-martial convictions in the past ten (10) years; (d) illegal use of narcotics or other controlled substances possession in the past year, or illegal purchase, production, transfer, or distribution of narcotics or other controlled substances in the last seven (7) years; and (e) delinquency on any federal debts or bankruptcy in the last seven (7) years.

The contractor shall make a written record of its pre-screening interview or review (including any information to mitigate the responses to items listed in (a) - (e)), and have the employee verify the pre-screening record or review, sign and date it. The contractor shall supply two (2) copies of the signed contractor's pre-screening record or review to the NRC Contracting Officers Representative (COR), who will then provide them to the NRC Office of Administration, Division of Facilities and Security, Personnel Security Branch with the employees completed IT access application package.

The contractor shall further ensure that its personnel complete all IT access approval security applications required by this clause within fourteen (14) calendar days of notification by the NRC Contracting Officers Representative (COR) of initiation of the application process. Timely receipt of properly completed records of the pre-screening record and IT access approval applications (submitted for candidates that have a reasonable probability of obtaining the level of security assurance necessary for access to NRC's IT systems/data) is a requirement of this contract/order. Failure of the contractor to comply with this requirement may be a basis to terminate the contract/order for cause, or to offset from the contract's invoiced cost or price the NRC's incurred costs or delays as a result of inadequate pre-screening by the contractor.

SECURITY REQUIREMENTS FOR IT LEVEL I Performance under this contract/order will involve contractor personnel who perform services requiring direct access to or operation of agency sensitive information technology systems or data (IT Level I). The IT Level I involves responsibility for: (a) the planning, direction, and implementation of a computer security program; (b) major responsibility for the direction, planning, and design of a computer system, including hardware and software; (c) the capability to access a computer system during its operation or maintenance in such a way that could cause or that has a relatively high risk of causing grave damage; or (d) the capability to realize a significant personal gain from computer access.

Contractor personnel shall not have access to sensitive information technology systems or data until they are approved by DFS/PSB and they have been so informed in writing by the NRC Contracting Officers Representative (COR). Temporary IT access may be approved by DFS/PSB based on a favorable review or adjudication of their security forms and checks. Final IT access may be approved by DFS/PSB based on a favorably

GS-06F-1101Z NRC0HQ-10-147-T-0002 Page 20 of 32 review or adjudication of a completed background investigation. However, temporary access authorization approval will be revoked and the employee may subsequently be denied IT access in the event the employees investigation cannot be favorably adjudicated. Such an employee will not be authorized to work under any NRC contract/order requiring IT access without the approval of DFS/PSB, as communicated in writing to the contractor by the NRC Contracting Officers Representative (COR). Where temporary access authorization has been revoked or denied by DFS/PSB, the contractor shall assign another contractor employee to perform the necessary work under this contract/order without delay to the contract/order performance schedule, or without adverse impact to any other terms or conditions of the contract/order. When an individual receives final IT access approval from DFS/PSB, the individual will be subject to a reinvestigation every ten (10) years thereafter (assuming continuous performance under contracts/orders at NRC) or more frequently in the event of noncontinuous performance under contracts/orders at NRC.

CORs are responsible for submitting the completed access/clearance request package as well as other documentation that is necessary to DFS/PSB. The contractor shall submit a completed security forms packet, including the OPM Standard Form (SF) 86 (online Questionnaire for National Security Positions), two (2) copies of the Contractor's signed pre-screening record, and two (2) FD 258 fingerprint charts, to DFS/PSB for review and adjudication, prior to the individual being authorized to perform work under this contract/order requiring access to sensitive information technology systems or data.

Non-U.S. citizens must provide official documentation to the DFS/PSB, as proof of their legal residency. This documentation can be a Permanent Resident Card, Temporary Work Visa, Employment Authorization Card, or other official documentation issued by the U.S. Citizenship and Immigration Services. Any applicant with less than seven (7) years residency in the U.S. will not be approved for IT Level I access. The Contractor shall submit the documents to the NRC Contracting Officers Representative (COR) who will give them to DFS/PSB. The contractor shall ensure that all forms are accurate, complete, and legible. Based on DFS/PSB review of the contractor employees security forms and/or the receipt of adverse information by NRC, the contractor individual may be denied access to NRC facilities and sensitive information technology systems or data until a final determination is made by DFS/PSB. The contractor individuals clearance status will thereafter be communicated to the contractor by the NRC Contracting Officers Representative (COR) regarding the contractor persons eligibility.

In accordance with NRCAR 2052.204-70 "Security," IT Level I contractors shall be subject to the attached NRC Form 187 and SF-86. Together, these furnish the basis for providing security requirements to contractors that have or may have an NRC contractual relationship which requires access to or operation of agency sensitive information technology systems, remote development and/or analysis of sensitive information technology systems or data, or other access to such systems and data; access on a continuing basis (in excess more than 30 calendar days) to NRC buildings; or otherwise requires issuance of an unescorted NRC badge.

SECURITY REQUIREMENTS FOR IT LEVEL II Performance under this contract/order will involve contractor personnel that develop and/or analyze sensitive information technology systems or data or otherwise have access to such systems or data (IT Level II).

The IT Level II involves responsibility for the planning, design, operation, or maintenance of a computer system and all other computer or IT positions.

GS-06F-1101Z NRC0HQ-10-147-T-0002 Page 21 of 32 Contractor personnel shall not have access to sensitive information technology systems or data until they are approved by DFS/PSB and they have been so informed in writing by the NRC Contracting Officers Representative (COR). Temporary access may be approved by DFS/PSB based on a favorable review of their security forms and checks.

Final IT access may be approved by DFS/PSB based on a favorably adjudication.

However, temporary access authorization approval will be revoked and the contractor employee may subsequently be denied IT access in the event the employee's investigation cannot be favorably adjudicated. Such an employee will not be authorized to work under any NRC contract/order requiring IT access without the approval of DFS/PSB, as communicated in writing to the contractor by the NRC Contracting Officers Representative (COR). Where temporary access authorization has been revoked or denied by DFS/PSB, the contractor is responsible for assigning another contractor employee to perform the necessary work under this contract/order without delay to the contract/order performance schedule, or without adverse impact to any other terms or conditions of the contract/order. When a contractor employee receives final IT access approval from DFS/PSB, the individual will be subject to a review or reinvestigation every ten (10) years (assuming continuous performance under contract/order at NRC) or more frequently in the event of noncontinuous performance under contract/order at NRC.

CORs are responsible for submitting the completed access/clearance request package as well as other documentation that is necessary to DFS/PSB. The contractor shall submit a completed security forms packet, including the OPM Standard Form (SF) 86 (online Questionnaire for National Security Positions), two (2) copies of the Contractor's signed pre-screening record and two (2) FD 258 fingerprint charts, to DFS/PSB for review and adjudication, prior to the contractor employee being authorized to perform work under this contract/order. Non-U.S. citizens must provide official documentation to the DFS/PSB, as proof of their legal residency. This documentation can be a Permanent Resident Card, Temporary Work Visa, Employment Authorization Card, or other official documentation issued by the U.S. Citizenship and Immigration Services. Any applicant with less than seven (7) years residency in the U.S. will not be approved for IT Level II access. The Contractor shall submit the documents to the NRC Contracting Officers Representative (COR) who will give them to DFS/PSB. The contractor shall ensure that all forms are accurate, complete, and legible. Based on DFS/PSB review of the contractor employees security forms and/or the receipt of adverse information by NRC, the contractor employee may be denied access to NRC facilities, sensitive information technology systems or data until a final determination is made by DFS/PSB regarding the contractor persons eligibility.

In accordance with NRCAR 2052.204-70 "Security," IT Level II contractors shall be subject to the attached NRC Form 187, SF-86, and contractor's record of the pre-screening. Together, these furnish the basis for providing security requirements to contractors that have or may have an NRC contractual relationship which requires access to or operation of agency sensitive information technology systems, remote development and/or analysis of sensitive information technology systems or data, or other access to such systems or data; access on a continuing basis (in excess of more than 30 calendar days) to NRC buildings; or otherwise requires issuance of an unescorted NRC badge.

CANCELLATION OR TERMINATION OF IT ACCESS/REQUEST

GS-06F-1101Z NRC0HQ-10-147-T-0002 Page 22 of 32 When a request for IT access is to be withdrawn or canceled, the contractor shall immediately notify the NRC Contracting Officers Representative (COR) by telephone so that the access review may be promptly discontinued. The notification shall contain the full name of the contractor employee and the date of the request. Telephone notifications must be promptly confirmed by the contractor in writing to the NRC Contracting Officers Representative (COR), who will forward the confirmation to DFS/PSB. Additionally, the contractor shall immediately notify the NRC Contracting Officers Representative (COR) in writing, who will in turn notify DFS/PSB, when a contractor employee no longer requires access to NRC sensitive automated information technology systems or data, including the voluntary or involuntary separation of employment of a contractor employee who has been approved for or is being processed for IT access.

The contractor shall flow the requirements of this clause down into all subcontracts and agreements with consultants for work that requires them to access NRC IT resources.

(End of Clause)

NRCH034 INFORMATION TECHNOLOGY (IT) SECURITY REQUIREMENTS -

GENERAL (JUL 2016)

Basic Contract IT Security Requirements The contractor agrees to insert terms that conform substantially to the language of the IT security requirements, excluding any reference to the Changes clause of this contract, into all subcontracts under this contract. For unclassified information used for the effort, the contractor shall provide an information security categorization document indicating the sensitivity of the information processed as part of this contract if the information security categorization was not provided in the statement of work. The determination shall be made using National Institute of Standards and Technology (NIST) Special Publication (SP) 800-60 and must be approved by the Office of the Chief Information Officer (OCIO). The NRC contracting officer (CO) and Contracting Officers Representative (COR) shall be notified immediately before the contractor begins to process information at a higher sensitivity level. If the effort includes use or processing of classified information, the NRC CO and COR shall be notified before the contractor begins to process information at a more restrictive classification level.

All work under this contract shall comply with the latest version of policy, procedures and standards. Individual task orders will reference latest versions of standards or exceptions as necessary. These policy, procedures and standards include: NRC Management Directive (MD) volume 12, Security; Computer Security Office policies, procedures and standards; National Institute of Standards and Technology (NIST) guidance and Federal Information Processing Standards (FIPS); and Committee on National Security Systems (CNSS) policy, directives, instructions, and guidance. This information is available at the following links: NRC Policies, Procedures and Standards (OCIO/ISD - Director, Information Security Directorate, internal website):

http://www.internal.nrc.gov/CSO/policies.html All NRC Management Directives (public website):

http://www.nrc.gov/reading-rm/doc-collections/managementdirectives/

NIST SP and FIPS documentation is located at: http://csrc.nist.gov/

CNSS documents are located at: http://www.cnss.gov/

When e-mail is used, the contractors shall only use NRC provided e-mail accounts to send and receive sensitive information (information that is not releasable to the public) or mechanisms to protect the information during transmission to NRC that have been

GS-06F-1101Z NRC0HQ-10-147-T-0002 Page 23 of 32 approved by OCIO/ISD. All contractor employees must sign the NRC Agency-Wide Rules of Behavior for Authorized Computer Use prior to being granted access to NRC computing resources. The contractor shall adhere to following NRC policies, including but not limited to:

Must meet all federally mandated and NRC defined cybersecurity requirements.

• Management Directive 12.5, NRC Cybersecurity Program

• Computer Security Policy for Encryption of Sensitive Data When Outside of Agency facilities Policy for Copying, Scanning, Printing, and Faxing SGI & Classified Information

• Computer Security Information Protection Policy

• Remote Access Policy

• Laptop Security Policy

• Computer Security Incident Response Policy Contractor will adhere to NRCs use of personal devices to process and store NRC sensitive information. The NRCs BYOD program allows NRC employees and contractors to conduct official government business using supported personal smart phones and tablets. All work performed at non-NRC facilities shall be in facilities, networks, and computers that have been accredited by NRC for processing information at the sensitivity level of the information being processed.

Contract Performance and Closeout The contractor shall ensure that the NRC data processed during the performance of this contract shall be purged from all data storage components of the contractors computer facility, and the contractor will retain no NRC data within 30 calendar days after contract is completed. Until all data is purged, the contractor shall ensure that any NRC data remaining in any storage component will be protected to prevent unauthorized disclosure. When a contractor employee no longer requires access to an NRC system, the contractor shall notify the COR within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. Upon contract completion, the contractor shall provide a status list of all contractor employees who were users of NRC systems and shall note if any users still require access to the system to perform work if a follow-on contract or task order has been issued by NRC.

Control of Information and Data The contractor shall not publish or disclose in any manner, without the COs written consent, the details of any security controls or countermeasures either designed or developed by the contractor under this contract or otherwise provided by the NRC.

Any IT system used to process NRC sensitive information shall:

• Include a mechanism to require users to uniquely identify themselves to the system before beginning to perform any other actions that the system is expected to provide.

• Be able to authenticate data that includes information for verifying the claimed identity of individual users (e.g., passwords).

• Protect authentication data so that it cannot be accessed by any unauthorized user.

• Be able to enforce individual accountability by providing the capability to uniquely identify each individual computer system user.

• Report to appropriate security personnel when attempts are made to guess the authentication data whether inadvertently or deliberately.

Access Controls Any contractor system being used to process NRC data shall be able to define and enforce access privileges for individual users. The discretionary access controls mechanisms shall be configurable to protect objects (e.g., files, folders) from

GS-06F-1101Z NRC0HQ-10-147-T-0002 Page 24 of 32 unauthorized access. The contractor system being used to process NRC data shall provide only essential capabilities and specifically prohibit and/or restrict the use of functions, ports, protocols, and/or services, as specified in the contract/grant.

The contractors shall only use NRC approved methods to send and receive information considered sensitive or classified. Specifically,

• Classified Information - All NRC Classified data being transmitted over a network shall use NSA approved encryption and adhere to guidance in MD 12.2, NRC Classified Information Security Program; MD 12.5, NRC Cybersecurity Program; and any classified encryption guidance provided by the Committee on National Security Systems.

Classified processing shall be only within facilities, computers, and spaces that have been specifically approved for classified processing. All NRC personnel who have been or will be granted an account to access any system or network (to include a stand-alone system or network) on which classified information resides must be an NRC authorized classifier. Contractors must follow the above guidance and procedures when requiring access to or handling classified information. Only designated and authorized classifiers of the contractor may have access to classified information or systems.

• SGI Information - All SGI being transmitted over a network shall adhere to guidance in MD 12.7, NRC Safeguards Information Security Program; and MD 12.5, NRC Cybersecurity Program. SGI processing shall be only within facilities, computers, and spaces that have been specifically approved for SGI processing. Cryptographic modules provided as part of the system shall be validated under the Cryptographic Module Validation Program to conform to NIST FIPS 140-2 overall level 2 and must be operated in FIPS mode. The contractor shall provide the FIPS 140-2 cryptographic module certificate number and a brief description of the encryption module that includes the encryption algorithm(s) used, the key length, and the vendor of the product.

• All NRC personnel who have been or will be granted an account to access any system or network (to include a stand-alone system or network) on which SGI resides must be an NRC authorized classifier. The most restrictive set of rights/privileges or accesses needed by users (or processes acting on behalf of users) for the performance of specified tasks must be enforced by the system through assigned access authorizations.

Separation of duties for contractor systems used to process NRC information must be enforced by the system through assigned access authorizations. The mechanisms within the contractor system or application that enforces access control and other security features shall be continuously protected against tampering and/or unauthorized changes.

Configuration Standards All systems used to process NRC sensitive information shall meet NRC configuration standards available at: http://www.internal.nrc.gov/CSO/standards.html.

Information Security Training and Awareness Training Contractors shall ensure that their employees, consultants, and subcontractors that have significant IT responsibilities (e.g., IT administrators, developers, project leads) receive indepth IT security training in their area of responsibility. This training is at the employers expense. In compliance with OMB policy, individuals with significant cybersecurity responsibilities (e.g., ISSOs, System Administrators) must complete required role-based training before assuming the role. NRC contractors must ensure that their staff receives the requisite role-based cybersecurity training at the contractors expense.

Media Handling

GS-06F-1101Z NRC0HQ-10-147-T-0002 Page 25 of 32 All media used by the contractor to store or process NRC information shall be controlled in accordance with the sensitivity level. The contractor shall not perform sanitization or destruction of media approved for processing NRC information designated as SGI or Classified. The contractor must provide the media to NRC for destruction.

Vulnerability Management The Contractor must adhere to NRC patch management processes for all systems used to process NRC information. Patch Management reports will made available to the NRC upon request for following security categorizations and reporting timeframes:

• 5 calendar days after being requested for a high sensitivity system

• 10 calendar days after being requested for a moderate sensitivity system

• 15 calendar days after being requested for a low sensitivity system For any contractor system used to process NRC information, the contractor must ensure that information loaded into the system is scanned for viruses prior to posting; servers are scanned for malware, including viruses, adware, and spyware, on a regular basis; and virus signatures are updated at the following frequency:

• 1 calendar day for a high sensitivity system

• 3 calendar days for a moderate sensitivity system

• 7 calendar days for a low sensitivity system For any contractor deliverables or information loaded on external hard drives or other electronic devices, the contractor must ensure that, prior to delivery to the NRC, the device, including software and files, is free of malware, including computer viruses, worms, Trojan horses, ransomware, spyware, adware, scareware, browser hijacking software, mobile code, or other malicious code.

NRCH310 ANNUAL AND FINAL CONTRACTOR PERFORMANCE EVALUATIONS Annual and final evaluations of contractor performance under this contract will be prepared in accordance with FAR Subpart 42.15, "Contractor Performance Information,"

normally at or near the time the contractor is notified of the NRC's intent to exercise the contract option. If the multi-year contract does not have option years, then an annual evaluation will be prepared []. Final evaluations of contractor performance will be prepared at the expiration of the contract during the contract closeout process.

The Contracting Officer will transmit the NRC Contracting Officers Representatives (COR) annual and final contractor performance evaluations to the contractor's Project Manager, unless otherwise instructed by the contractor. The contractor will be permitted thirty days to review the document and submit comments, rebutting statements, or additional information.

Where a contractor concurs with, or takes no exception to an annual performance evaluation, the Contracting Officer will consider such evaluation final and releasable for source selection purposes. Disagreements between the parties regarding a performance evaluation will be referred to an individual one level above the Contracting Officer, whose decision will be final.

The Contracting Officer will send a copy of the completed evaluation report, marked "Source Selection Information, to the contractor's Project Manager for their records as soon as practicable after it has been finalized. The completed evaluation report also will be used as a tool to improve communications between the NRC and the contractor and to improve contract performance.

The completed annual performance evaluation will be used to support future award decisions in accordance with FAR 42.1502 and 42.1503. During the period the information is being used to provide source selection information, the completed annual

GS-06F-1101Z NRC0HQ-10-147-T-0002 Page 26 of 32 performance evaluation will be released to only two parties - the Federal government personnel performing the source selection evaluation and the contractor under evaluation if the contractor does not have a copy of the report already.

(End of Clause)

NRCH330 RULES OF BEHAVIOR FOR AUTHORIZED COMPUTER USE In accordance with Appendix III, "Security of Federal Automated Information Resources," to Office of Management and Budget (OMB) Circular A-130, "Management of Federal Information Resources," NRC has established rules of behavior for individual users who access all IT computing resources maintained and operated by the NRC or on behalf of the NRC. In response to the direction from OMB, NRC has issued the "Agency-wide Rules of Behavior for Authorized Computer Use" policy, hereafter referred to as the rules of behavior. The rules of behavior for authorized computer use will be provided to NRC computer users, including contractor personnel, as part of the annual computer security awareness course.

The rules of behavior apply to all NRC employees, contractors, vendors, and agents (users) who have access to any system operated by the NRC or by a contractor or outside entity on behalf of the NRC. This policy does not apply to licensees. The next revision of Management Directive 12.5, "NRC Automated Information Security Program,"

will include this policy. The rules of behavior can be viewed at http://www.internal.nrc.gov/CSO/documents/ROB.pdf or use NRCs external Web-based ADAMS at http://wba.nrc.gov:8080/ves/ (Under Advanced Search, type ML082190730 in the Query box).

The rules of behavior are effective immediately upon acknowledgement of them by the person who is informed of the requirements contained in those rules of behavior. All current contractor users are required to review and acknowledge the rules of behavior as part of the annual computer security awareness course completion. All new NRC contractor personnel will be required to acknowledge the rules of behavior within one week of commencing work under this contract and then acknowledge as current users thereafter. The acknowledgement statement can be viewed at http://www.internal.nrc.gov/CSO/documents/ROB_Ack.pdf or use NRCs external Web-based ADAMS at http://wba.nrc.gov:8080/ves/ (Under Advanced Search, type ML082190730 in the Query box).

The NRC Computer Security Office will review and update the rules of behavior annually beginning in FY 2011 by December 31st of each year. Contractors shall ensure that their personnel to which this requirement applies acknowledge the rules of behavior before beginning contract performance and, if the period of performance for the contract lasts more than one year, annually thereafter. Training on the meaning and purpose of the rules of behavior can be provided for contractors upon written request to the NRC Contracting Officers Representative (COR).

The contractor shall flow down this clause into all subcontracts and other agreements that relate to performance of this contract/order if such subcontracts/agreements will authorize access to NRC electronic and information technology (EIT) as that term is defined in FAR 2.101.

GS-06F-1101Z NRC0HQ-10-147-T-0002 Page 27 of 32 (End of Clause)

NRCH430 - DRUG FREE WORKPLACE TESTING: UNESCORTED ACCESS TO NUCLEAR FACILITIES, ACCESS TO CLASSIFIED INFORMATION OR SAFEGUARDS INFORMATION, OR PERFORMING IN SPECIALLY SENSITIVE POSITIONS (OCT 2014)

All contractor employees, subcontractor employees, applicants, and consultants proposed for performance or performing under this contract shall be subject to pre-assignment, random, reasonable suspicion, and post-accident drug testing applicable to:

(1) individuals who require unescorted access to nuclear power plants, (2) individuals who have access to classified or safeguards information, (3) individuals who are required to carry firearms in performing security services for the NRC, (4) individuals who are required to operate government vehicles or transport passengers for the NRC, (5) individuals who are required to operate hazardous equipment at NRC facilities, or (6) individuals who admit to recent illegal drug use or those who are found through other means to be using drugs illegally.

The NRC Drug Program Manager will schedule the drug testing for all contractor employees, subcontractor employees, applicants, and consultants who are subject to testing under this clause. The consequences of refusing to undergo drug testing or a refusal to cooperate in such testing, including not appearing at the scheduled appointment time, will result in the Agencys refusal of the contractor employee to work under any NRC contract. Any NRC contractor employee found to be using, distributing or possessing illegal drugs, or any contractor employee who fails to receive a verified negative drug test result under this program while in a duty status will immediately be removed from working under the NRC contract. The contractor's employer will be notified of the denial or revocation of the individual's authorization to have access to information and ability to perform under the contract. The individual may not work on any NRC contract for a period of not less than one year from the date of the failed, positive drug test and will not be considered for reinstatement unless evidence of rehabilitation, as determined by the NRC "drug testing contractor's" Medical Review Officer, is provided.

Contractor drug testing records are protected under the NRC Privacy Act Systems of Records, System 35, "Drug Testing Program Records - NRC" found at:

http://www.nrc.gov/reading-rm/foia/privacy-systems.html (End of Clause)

NRCH480 USE OF AUTOMATED CLEARING HOUSE (ACH) ELECTRONIC PAYMENT/REMITTANCE ADDRESS The Debt Collection Improvement Act of 1996 requires that all Federal payments except IRS tax refunds be made by Electronic Funds Transfer. lt is the policy of the Nuclear Regulatory Commission to pay government vendors by the Automated Clearing House (ACH) electronic funds transfer payment system. Item 15C of the Standard Form 33 may be disregarded.

(End of Clause)

GS-06F-1101Z NRC0HQ-10-147-T-0002 Page 28 of 32 NRCH490 - AWARD NOTIFICATION AND COMMITMENT OF PUBLIC FUNDS (a) All offerors will receive preaward and postaward notices in accordance with FAR 15.503.

(b) It is also brought to your attention that the contracting officer is the only individual who can legally obligate funds or commit the NRC to the expenditure of public funds in connection with this procurement. This means that unless provided in a contract document or specifically authorized by the contracting officer, NRC technical personnel may not issue contract modifications, give formal contractual commitments, or otherwise bind, commit, or obligate the NRC contractually. Informal unauthorized commitments, which do not obligate the NRC and do not entitle the contractor to payment, may include:

(1) Encouraging a potential contractor to incur costs prior to receiving a contract; (2) Requesting or requiring a contractor to make changes under a contract without formal contract modifications; (3) Encouraging a contractor to incur costs under a cost-reimbursable contract in excess of those costs contractually allowable; and (4) Committing the Government to a course of action with regard to a potential contract, contract change, claim, or dispute.

(End of Clause)

GS-06F-1101Z NRC0HQ-10-147-T-0002 Page 29 of 32 SECTION I - Contract Clauses NRCI010 NRC ACQUISTION REGULATION (NRCAR) PROVISIONS AND CLAUSES (AUG 2011)

Applicable NRCAR provisions and clauses located in 48 CFR Chapter 20 are hereby incorporated by reference into this contract/order. Also, the full text of a clause may be accessed electronically at this/these address:

https://www.nrc.gov/aboutnrc/contracting/48cfr-ch20.html (End of Clause)

NRCAR CLAUSES INCORPORATED BY REFERENCE 2052.222-70 NONDISCRIMINATION BECAUSE OF AGE. (JAN 1993) 2.252-2 FAR CLAUSES INCORPORATED BY REFERENCE. (FEB 1998)

This contract incorporates one or more clauses by reference, with the same force and effect as if they were given in full text. Upon request, the Contracting Officer will make their full text available. Also, the full text of a clause may be accessed electronically at this/these address(es): [Insert one or more Internet addresses]

https://www.acquisition.gov/?q=browsefar https://www.nrc.gov/about-nrc/contracting/48cfr-ch20.html (End of clause)

FAR CLAUSES INCORPORATED BY REFERENCE 52.203-12 LIMITATION ON PAYMENTS TO INFLUENCE CERTAIN FEDERAL TRANSACTIONS. (OCT 2010) 52.203-16 PREVENTING PERSONAL CONFLICTS OF INTEREST. (DEC 2011) 52.203-17 CONTRACTOR EMPLOYEE WHISTLEBLOWER RIGHTS AND REQUIREMENT TO INFORM EMPLOYEES OF WHISTLEBLOWER RIGHTS. (APR 2014) 52.204-2 SECURITY REQUIREMENTS. (AUG 1996) 52.204-9 PERSONAL IDENTITY VERIFICATION OF CONTRACTOR PERSONNEL.

(JAN 2011) 52.204-13 SYSTEM FOR AWARD MANAGEMENT MAINTENANCE. (OCT 2016) 52.223-6 DRUG-FREE WORKPLACE. (MAY 2001) 52.232-1 PAYMENTS. (APR 1984) 52.232-22 LIMITATION OF FUNDS (Apr 1984) 52.232-39 UNENFORCEABILITY OF UNAUTHORIZED OBLIGATIONS. (JUN 2013) 52.232-40 PROVIDING ACCELERATED PAYMENTS TO SMALL BUSINESS SUBCONTRACTORS. (DEC 2013) 52.242-13 BANKRUPTCY. (JUL 1995) 52.243-3 CHANGES - TIME-AND-MATERIALS OR LABOR-HOURS. (SEP 2000) 52.249-1 TERMINATION FOR CONVENIENCE OF THE GOVERNMENT (FIXED-PRICE) (SHORT FORM). (APR 1984) 52.249-4 TERMINATION FOR CONVENIENCE OF THE GOVERNMENT (SERVICES)

(SHORT FORM). (APR 1984)

GS-06F-1101Z NRC0HQ-10-147-T-0002 Page 30 of 32 52.249-8 DEFAULT (FIXED-PRICE SUPPLY AND SERVICE). (APR 1984)

FAR CLAUSES INCORPORATED BY FULL TEXT 52.217-8 OPTION TO EXTEND SERVICES. (NOV 1999)

The Government may require continued performance of any services within the limits and at the rates specified in the contract. These rates may be adjusted only as a result of revisions to prevailing labor rates provided by the Secretary of Labor. The option provision may be exercised more than once, but the total extension of performance hereunder shall not exceed 6 months. The Contracting Officer may exercise the option by written notice to the Contractor anytime prior to expiration of the contract (End of clause) 52.217-9 OPTION TO EXTEND THE TERM OF THE CONTRACT. (MAR 2000)

(a) The Government may extend the term of this contract by written notice to the Contractor anytime prior to expiration of the contract, provided that the Government gives the Contractor a preliminary written notice of its intent to extend anytime before the contract expires. The preliminary notice does not commit the Government to an extension.

(b) If the Government exercises this option, the extended contract shall be considered to include this option clause.

(c) The total duration of this contract, including the exercise of any options under this clause, shall not exceed 3 years and 6 months.

(End of clause)

NRC Local Clauses incorporated by Full Text NRCI020 COMPLIANCE WITH SECTION 508 OF THE REHABILITATION ACT OF 1973, AS AMENDED (SEP 2013)

In 1998, Congress amended the Rehabilitation Act of 1973 (29 U.S.C. §794d) as amended by the Workforce Investment Act of 1998 (P.L. 105 - 220), August 7, 1998 to require Federal agencies to make their electronic and information technology (EIT) accessible to people with disabilities. Inaccessible technology interferes with an ability to obtain and use information quickly and easily. Section 508 was enacted to eliminate barriers in information technology, open new opportunities for people with disabilities, and encourage development of technologies that will help achieve these goals. The law applies to all Federal agencies when they develop, procure, maintain, or use electronic and information technology. Under Section 508 (29 U.S.C. §794d), agencies must give disabled employees and members of the public access to information that is comparable to access available to others. Specifically, Section 508 of that Act requires that when Federal agencies develop, procure, maintain, or use EIT, Federal employees with disabilities have access to and use of information and data that is comparable to the access and use by Federal employees who are not individuals with disabilities, unless an undue burden would be imposed on the agency. (36 C.F.R. §1194 implements Section 508 of the Rehabilitation Act of 1973, as amended, and is viewable at:

http://www.accessboard.gov/sec508/standards.htm)

Exceptions.

GS-06F-1101Z NRC0HQ-10-147-T-0002 Page 31 of 32 All EIT that the government acquires by purchase or by lease/rental under this contract must meet the applicable accessibility standards at 36 C.F.R. Part 1194, unless one or more of the following exceptions at FAR 39.204 applies to this acquisition (applicable if checked):

[ ] The EIT is for a national security system.

[ ] The EIT is acquired by a contractor incidental to a contract.

repair or occasional monitoring of equipment.

[ ] Compliance with the applicable 36 C.F.R. Part 1194 provisions would impose an undue burden on the agency.

Applicable Standards.

The following accessibility standards from 36 C.F.R. Part 1194 have been determined to be applicable to this contract/order. See www.section508.gov for more information:

[X] 1194.21 Software applications and operating systems.

[X] 1194.22 Web-based intranet and internet information and applications. 16 rules.

[X] 1194.23 Telecommunications products.

[X] 1194.24 Video and multimedia products.

[ ] 1194.25 Self-contained, closed products.

[X ] 1194.26 Desktop and portable computers.

[ ] 1194.31 Functional performance criteria.

[X] 1194.41 Information, documentation, and support.

Note: Under the Exceptions paragraph, the Contracting Officer should check the boxes for any exceptions that apply. If no exceptions apply, then the Contracting Officer should, standards apply. See FAR Subpart 39.2 and www.section508.gov for additional guidance

GS-06F-1101Z NRC0HQ-10-147-T-0002 Page 32 of 32 SECTION J - List of Documents, Exhibits and Other Attachments J.1 List of Documents, Exhibits, and Other Attachments Attachment Number Title Statement of Work ` NRC VTC Assets List Billing instructions for Fixed Price Contract Billing instructions for T&M/Labor Hour Contracts Security form 187