ML18260A207

From kanterella
Jump to navigation Jump to search
Task Order No. 31310018F0102 Under Contract No. NRC-HQ-10-15-A-0005
ML18260A207
Person / Time
Issue date: 09/17/2018
From: Jessica Chu
Acquisition Management Division
To: Hyland M
AEGIS.net
References
NRC-HQ-10-15-A-0005
Download: ML18260A207 (25)
v  d  e


Text

NRC PAYMENTS 1 NRC@fiscal.treasury.gov NRC PAYMENTS 7038936020707 152858358 SEE ADDENDUM IS CHECKED CODE 18a. PAYMENT WILL BE MADE BY CODE FACILITY CODE 17b. CHECK IF REMITTANCE IS DIFFERENT AND PUT SUCH ADDRESS IN OFFER OFFEROR NRCHQ Washington DC 20555-0001 Mail Stop: TWFN-5E03 Acquisition Management Division U.S. NRC - HQ CODE

16. ADMINISTERED BY CODE X

541519 SIZE STANDARD:

% FOR:

SET ASIDE:

UNRESTRICTED OR NRCHQ RFP IFB

10. THIS ACQUISITION IS CODE RFQ
14. METHOD OF SOLICITATION 13b. RATING NAICS:

SMALL BUSINESS 06/04/2018 BANU GOLDFEIZ 31310018F0102 09/25/2018 (No collect calls)

INFORMATION CALL:

FOR SOLICITATION

8. OFFER DUE DATE/LOCAL TIME
b. TELEPHONE NUMBER
a. NAME
4. ORDER NUMBER
3. AWARD/
6. SOLICITATION 31310018Q0065
5. SOLICITATION NUMBER SOLICITATION/CONTRACT/ORDER FOR COMMERCIAL ITEMS
1. REQUISITION NUMBER PAGE OF 1

25 OCIO-18-0115 OFFEROR TO COMPLETE BLOCKS 12, 17, 23, 24, & 30 TELEPHONE NO.

MERRIFIELD VA 22116 P.O. BOX 3897 Attn: MARIO HYLAND AEGIS.NET INC 17a. CONTRACTOR/

Multiple Destinations

15. DELIVER TO Washington DC 20555-0001 Mail Stop: TWFN-07B20M Acquisition Management Division
9. ISSUED BY
7.

NRC-HQ-10-15-A-0005

2. CONTRACT NO.

EFFECTIVE DATE

$27.5 18b. SUBMIT INVOICES TO ADDRESS SHOWN IN BLOCK 18a UNLESS BLOCK BELOW ISSUE DATE DELIVERY FOR FOB DESTINA-TION UNLESS BLOCK IS MARKED

11.

SEE SCHEDULE

12. DISCOUNT TERMS 30 THIS CONTRACT IS A RATED ORDER UNDER DPAS (15 CFR 700) 13a.

SERVICE-DISABLED VETERAN-OWNED SMALL BUSINESS HUBZONE SMALL BUSINESS 8(A)

U.S. NRC - HQ WOMEN-OWNED SMALL BUSINESS (WOSB) ELIGIBLE UNDER THE WOMEN-OWNED SMALL BUSINESS PROGRAM EDWOSB 24.

AMOUNT 23.

UNIT PRICE 22.

UNIT

21.

QUANTITY 20.

SCHEDULE OF SUPPLIES/SERVICES 19.

ITEM NO.

GSA Contract #: GS-35F-0125S Accounting Info:

2018-X0200-FEEBASED-10-10D010-6142-51-J-145-2574-5 1-J-145-6142 Period of Performance: 09/25/2018 to 07/24/2019 00001 BASE Period - Senior IT Security Officer Support Services (SITSOSS) IV&V Line Item Ceiling:

Continued...

(Use Reverse and/or Attach Additional Sheets as Necessary)

$1,250,739.08 HEREIN, IS ACCEPTED AS TO ITEMS:

X X

DATED JESSICA CHU 09/17/2018

. YOUR OFFER ON SOLICITATION (BLOCK 5),

INCLUDING ANY ADDITIONS OR CHANGES WHICH ARE SET FORTH 31310018Q0065 1

COPIES TO ISSUING OFFICE. CONTRACTOR AGREES TO FURNISH AND DELIVER ARE ARE 31c. DATE SIGNED 27b. CONTRACT/PURCHASE ORDER INCORPORATES BY REFERENCE FAR 52.212-4. FAR 52.212-5 IS ATTACHED. ADDENDA FICER) 30c. DATE SIGNED ALL ITEMS SET FORTH OR OTHERWISE IDENTIFIED ABOVE AND ON ANY ADDITIONAL SHEETS SUBJECT TO THE TERMS AND CONDITIONS SPECIFIED.

27a. SOLICITATION INCORPORATES BY REFERENCE FAR 52.212-1, 52.212-4. FAR 52.212-3 AND 52.212-5 ARE ATTACHED. ADDENDA

26. TOTAL AWARD AMOUNT (For Govt. Use Only)

OFFER STANDARD FORM 1449 (REV. 2/2012)

Prescribed by GSA - FAR (48 CFR) 53.212 ARE NOT ATTACHED.

ARE NOT ATTACHED.

AUTHORIZED FOR LOCAL REPRODUCTION PREVIOUS EDITION IS NOT USABLE 30b. NAME AND TITLE OF SIGNER (Type or print) 30a. SIGNATURE OF OFFEROR/CONTRACTOR

28. CONTRACTOR IS REQUIRED TO SIGN THIS DOCUMENT AND RETURN
25. ACCOUNTING AND APPROPRIATION DATA See schedule 07/02/2018
29. AWARD OF CONTRACT: REF.

32e. MAILING ADDRESS OF AUTHORIZED GOVERNMENT REPRESENTATIVE 32c. DATE 32b. SIGNATURE OF AUTHORIZED GOVERNMENT REPRESENTATIVE ACCEPTED, AND CONFORMS TO THE CONTRACT, EXCEPT AS NOTED:

32a. QUANTITY IN COLUMN 21 HAS BEEN RECEIVED INSPECTED

40. PAID BY
39. S/R VOUCHER NUMBER
38. S/R ACCOUNT NUMBER
37. CHECK NUMBER FINAL PARTIAL
36. PAYMENT FINAL PARTIAL
35. AMOUNT VERIFIED CORRECT FOR
34. VOUCHER NUMBER
33. SHIP NUMBER COMPLETE 32g. E-MAIL OF AUTHORIZED GOVERNMENT REPRESENTATIVE 42d. TOTAL CONTAINERS 42c. DATE REC'D (YY/MM/DD) 42b. RECEIVED AT (Location) 42a. RECEIVED BY (Print) 41c. DATE 41b. SIGNATURE AND TITLE OF CERTIFYING OFFICER 41a. I CERTIFY THIS ACCOUNT IS CORRECT AND PROPER FOR PAYMENT STANDARD FORM 1449 (REV. 2/2012) BACK 24.

AMOUNT 23.

UNIT PRICE 22.

UNIT

21.

QUANTITY 20.

SCHEDULE OF SUPPLIES/SERVICES 19.

ITEM NO.

00002 OPTION PERIOD 1 - Senior IT Security Officer 0.00 Support Services (SITSOSS) IV&V Amount:

Anticipated Exercise Date07/24/2019 Period of Performance: 07/25/2019 to 07/24/2020 00003 OPTION PERIOD 2 - Senior IT Security Officer 0.00 Support Services (SITSOSS) IV&V Amount:

Anticipated Exercise Date07/24/2020 Period of Performance: 07/25/2020 to 07/24/2021 The obligated amount of award:

. The total for this award is shown in box 26.

32f. TELEPHONE NUMBER OF AUTHORIZED GOVERNMENT REPRESENTATIVE 32d. PRINTED NAME AND TITLE OF AUTHORIZED GOVERNMENT REPRESENTATIVE 25 2 of

NRC-HQ-10-15-A-0005/31310018F0102 Page 3 of 25 SECTION B - Supplies or Services/Prices B.1. BRIEF DESCRIPTION OF WORK (a) The title of this project is: Senior Information Technology Security Officer Support Services (SITSOSS) Independent Verification and Validation (IV&V)

(b) Summary work description: The Contractor shall provide support for specific activities related to system assessment and authorization, continuous monitoring, cybersecurity risk management, cybersecurity metrics development and presentation, and risk scoring, calculation and tracking (End of Clause)

B.2 CONSIDERATION AND OBLIGATION-LABOR-HOUR CONTRACT (a) The ceiling price to the Government for full performance under this contract is

$1,250,739.08.

(b) The contract includes direct labor hours at specified fixed hourly rates, inclusive of wages, fringe, overhead, general and administrative expenses, and profit.

(c) It is estimated that the current obligation in the amount of $

will cover performance through May 2019.

(d) This is an incrementally-funded contract and FAR 52.232 Limitation of Funds applies.

(End of Clause)

NRC-HQ-10-15-A-0005/31310018F0102 Page 4 of 25 SECTION C - Description/Specifications C.1 BACKGROUND The NRC Chief Information Officer (CIO) and Chief Information Security Officer (CISO) are responsible for planning, directing, and overseeing the implementation of a comprehensive, coordinated, integrated and cost-effective NRC Cybersecurity Program, consistent with applicable laws, regulations, management initiatives and policies, and Commission and Executive Director for Operations direction.

The NRC CISO ensures appropriate, effective, and efficient NRC-wide integration, direction and coordination of cybersecurity planning and performance within the framework of the NRC Cybersecurity Program and with related CIO activities. The CISO provides Agency-level liaison with external entities on mutual cybersecurity interests; formulates and oversees a cybersecurity program budget; proposes and successfully advocates appropriate Agency-level cybersecurity guidelines. Additionally, the CISO provides vision, leadership, and oversight in developing and promulgating an end-to-end, comprehensive cybersecurity architecture, which is integrated with NRC's enterprise architecture. The CISO provides credible, cogent, and timely advice and counsel to the Chairman, Commission, and NRC senior management on programmatic, infrastructure, and administrative aspects of cybersecurity. The CISO guides security process maturity within the NRC; advocates these concepts to NRC organizations; and makes necessary adjustments to components of the cybersecurity program to counter the evolving threat to information technology.

C.2. OBJECTIVE In alignment with National Institute of Standards and Technology (NIST) guidance, Office of Management and Budget (OMB) directives, the Federal Information Systems Management Act (FISMA), and Department of Homeland Security (DHS) policy, directives, instructions, and guidance, this BPA Call is intended to support the NRC CIO and CISO with support on: independent verification and validation of cybersecurity deliverables; formulating, monitoring and projecting system and agency-wide cybersecurity performance metrics such as ITIM-OCIO-77, AW-IT-01 and ITIM-OCIO-62 on an annual, quarterly, monthly and continuous basis for all NRC Office Directors and the Executive Director of Operations (EDO); performance of security assessments; analyses and recommendations based upon cybersecurity Continuous Monitoring metrics, as well as their formulation, supporting data collection, calculation and display; and to maintain the agency-wide Cybersecurity Risk Dashboard, which provides metrics to the Deputy Executive Director of Operations (DEDO)s, Chief Information Officer (CIO), Chief Information Security Officer (CISO), system owners, Information System Security Officer (ISSO)s and staff on how well NRC information systems are meeting federally mandated and NRC defined cybersecurity requirements.

C.3. SCOPE OF WORK Independent Verification and Validation Support Services

NRC-HQ-10-15-A-0005/31310018F0102 Page 5 of 25 The Contractor shall provide support for specific activities related to system assessment and authorization, continuous monitoring, cybersecurity risk management, cybersecurity metrics development and presentation, and risk scoring, calculation and tracking. If necessary, the Contractor shall support NRCs system security personnel and other contractors in understanding existing or proposed system architectures and other technological concerns. Contractor staff shall communicate with NRC subject matter experts and independent assessors to ensure common understanding and optimal outcomes. Support provided under this BPA Call may include, but may not be limited to:

Providing independent reviews, analyses, summaries and recommendations of Authorization packages and FISMA related continuous monitoring deliverables (e.g.,

Contingency Plans, Contingency Test Reports, Plans of Action & Milestones (POA&M) Reports, etc.) of unclassified systems according to Federal and NRC regulations, guidelines, and standards (http://fusion.nrc.gov/OCIO/team/CSO/isd/Cyber%20Security%20Issuances/Forms/All Items.aspx)

Identifying and updating cybersecurity risk metrics, investigating best practices of communicating this information to NRC executives and staff, performing daily tracking and updates of security metrics, and updating numerical models such as the NRC cybersecurity performance indicator and other quantitative cybersecurity risk scoring; Ranking risk according to severity of total impact and associated remediation resource costs, and generating reports to estimate the impact of exploited risks or events upon mission performance and NRC resources; Developing evaluation criteria, metrics, templates, checklists and procedures for approval to ensure that systems are evaluated in a similar manner from one review to the next; Providing daily continuous monitoring updates for the CIO daily situational awareness briefing, including updated statuses, displays, and graphical data representations of FISMA requirements and NRC compliance metrics; Performing independent reviews of cybersecurity risk indicators, quantifying, documenting and communicating their magnitude to the NRC CIO and CISO, Office Directors and staff by leveraging NRC productivity tools such as Excel, Internet Explorer and Sharepoint, and suggesting risk reduction strategies and appropriate weightings and distributions of risk across all NRC systems and offices; Monitoring, researching, and developing documentation and reports detailing what impact new Federal cybersecurity regulations, DHS guidance, and OMB requirements may have on the NRC, and providing recommendations on how to best implement these new externally mandated requirements; Updating the existing suite of Excel spreadsheets and Sharepoint graphical displays comprising the cybersecurity risk dashboard (CRDB) used to calculate the NRC Cyber Security Performance Index (CPI) upon any changes to the number of NRC FISMA systems or their organizational alignment, or changes in the CPI mathematical basis; Maintaining the CPI calculations (used in support of agency Quarterly Performance Reports), risk scoring, and continuous monitoring status spreadsheets and reports for all NRC FISMA systems and Offices;

NRC-HQ-10-15-A-0005/31310018F0102 Page 6 of 25 Providing continuous updates and IV&V of inputs to the CPI and CRDB for disparate security centralized data sets including: Phishing statistics; role-based training, computer security awareness training, cyber security incidents, and FISMA required continuous monitoring completion tracking and status determination; Providing analyses and recommendations based upon cybersecurity continuous monitoring metrics, as well as their formulation, supporting data collection, calculation and display; Providing documentation of calculations, processes, and data input/output from the CRDB.

Providing security artifact, risk assessment, and Plan of Action and Milestone (POA&M) support through the use of the agency's online POA&M data and/or tools; Providing recommendations on NRC cybersecurity processes, standards, templates, and procedures to ensure federal regulations, guidelines, and standards are being met; Assessing Business Area Risk Assessments (or their equivalents), quantitative estimation of risks in terms of resource metrics, tradeoff analyses of remediation and cyber defense options, and incorporating risk allocation amongst organizational entities and decision support for resource allocation and enhanced investment decisions; Reviewing system documentation supporting proposed system change authorizations and providing recommendations and support to the cybersecurity coordination process and related processes and standards; Assigning remediation costs to identified risks based on published data, historical data, and specific impact to NRC, allocating risk from a portfolio based on NRC-approved mathematical techniques amongst organizational entities in the NRC, and identifying and quantifying system specific and correlated inter-system risks; Analyzing and documenting recommended cybersecurity best practices and how they can be applied at NRC, and providing recommendations to BPA Call COR to be shared with CIO and CISO to better communicate and reduce cybersecurity risk to the NRC mission; Performing sampled IV&V testing (e.g., vulnerability scanning, hardening verification, etc.) based upon security best practices with NRC-approved tools and documenting the results in a formal report;

Providing recommendations to satisfy DHS data collection and reporting guidance to the BPA Call COR to be shared with CIO and CISO.

Analyzing new technologies, methods and dashboards to determine, quantify, communicate and mitigate risk in the context of the NRC Cybersecurity Program; Performing reviews of test plans to ensure that proposed assessment scope address security controls as specified in National Institute of Standards (NIST) Special Publications; Performing reviews of security categorizations as specified in National Institute of Standards (NIST) Special Publication 800-60, latest version.

NRC-HQ-10-15-A-0005/31310018F0102 Page 7 of 25 C.4. ESTIMATED LABOR CATEGORIES, KEY PERSONNEL AND LEVELS OF EFFORT C.4.1 Key Personnel and Qualification Requirements The Contractor shall provide key personnel with senior-level expertise, certifications and experience in the areas specified in the paragraph below. The Contractors key personnel shall have experience with the federal regulations, guidelines, and standards identified in section C. Experience with NRC-specific regulations, guidelines, and standards is not required, but is highly desirable. The Contractor shall provide two (2) key personnel to perform the tasks identified in section C.3.

At a minimum, the Contractors key personnel shall have experience with network security, information assurance principles as prescribed in the NIST 800 Special Publication series, DHS and OMB FISMA guidance, independent IT security system assessments, cybersecurity risk analyses, metrics development, operating systems, and the following: Microsoft Exchange and webserver technology; DHS Continuous Diagnostics and Mitigation; databases (e.g., Oracle, SQL, etc.); Active Directory; Citrix; Microsoft Excel (advanced data modeling/charting); AnyChart, Inc. graphing and charting tools; Microsoft SharePoint Servers and web parts; and quantitative risk analysis and modeling.

C.4.2 Estimated Levels of Effort (LOE)

Level-of-Effort (in hours). The estimated the number of hours required are as follows:

Base Period Option Period 1 Option Period 2 Total Hours Estimated Hours 3,145 3,096 3,026 9,267 C.5. PERFORMANCE STANDARDS 5.1 Reporting Requirements In addition to meeting the delivery schedule in the timely submission of any draft and final reports, summaries, data and documents that are created in the performance of this BPA Call, the Contractor shall comply with the directions of the NRC regarding the contents of the report, summaries, data and related documents to include correcting, deleting, editing, revising, modifying, formatting, and supplementing any of the information contained therein at no additional cost to the NRC. Performance under the BPA Call shall not be deemed accepted or completed until the Contractor complies with NRC's directions. Unless otherwise directed by the BPA Call COR, the reports, summaries, data and related documents shall be considered draft until approved by the

NRC-HQ-10-15-A-0005/31310018F0102 Page 8 of 25 NRC. The Contractor agrees that the direction, determinations, and decisions on approval or disapproval of reports, summaries, data and related documents created under this BPA Call remains solely within the discretion of the NRC.

5.1.1 Monthly Letter Status Report (MLSR)

The Contractor shall provide a Monthly Letter Status Report which consists of a technical progress report and financial status report. This report will be used by the Government to assess the adequacy of the resources proposed by the contractor to accomplish the work contained in this SOW and provide status of contractor progress in achieving activities and producing deliverables. The report shall include order summary information, work completed during the specified period, milestone schedule information, problem resolution, travel plans, and staff hour summary.

5.2 Deliverables and Delivery Schedule 100% of the tasks assigned shall be delivered (Draft and Final) to the NRC within the timeframes specified below. Compliance will be monitored by the BPA Call COR.

Examples of deliverables and their required timeframes may include, but not be limited to:

Section #/Deliverable Due Date Format Submit to 5.1.1 MLSR 15th calendar day of the following month Word Document CO/ BPA Call COR C.3 Authorization Evaluation packages of NRC IT Systems Within 10 business days of request Word Document BPA Call COR C.3 Authorization Evaluation packages of E-Government

/Contractor Systems Within 5 business days of request Word Document BPA Call COR C.3 CRDB Update Process Each Sept 30th, Dec 31st, Mar 30th, and Jun 30th Word Document BPA Call COR C.3 CRDB Requirements Document Each Sept 30th, Dec 31st, Mar 30th, and Jun 30th Word Document BPA Call COR C.3 Performing Cybersecurity Document Continuous Monitoring Reviews Within 3 business days of request Word Document BPA Call COR C.3 Performing IT Security Metrics updates Within 3 business days of request Word Document BPA Call COR Note: When evaluating Authorization packages determined to be for significantly complex systems, the BPA Call COR will specify the amount of time needed to complete the evaluation.

NRC-HQ-10-15-A-0005/31310018F0102 Page 9 of 25 Grammar and Mechanics: All documentation submitted by the Contractor shall conform to the Chicago Manual of Style, as amended by any applicable NRC format templates and requirements.

Deliverables: The Contractor shall provide all documentation to the BPA Call COR electronically from an NRC provided NRC electronic mail account in the following formats, except as specifically stated herein: latest installed NRC version of Microsoft Word, Microsoft Excel, Microsoft Project, Sharepoint and Adobe PDF. All electronic mail shall be transmitted from the Contractor's NRC electronic mail account. Personal and corporate electronic mail accounts shall not be used to transmit sensitive NRC information unless NRC CISO-approved mechanisms to protect the information during transmission are implemented.

Method of Surveillance for Draft and Final Submissions: All contract deliverables submitted to the NRC must conform to the standards referenced in this SOW and will be reviewed by the NRC. Unless otherwise directed by the BPA Call COR, all documentation shall be submitted in draft form for comment to the BPA Call COR.

The NRC will generate comments and submit them to the Contractor. Once the Contractor receives NRC's comments, the Contractor shall have three (3) business days to generate the final draft version of the document. Then, the final draft will be sent to the BPA Call COR for review and approval. Once the final draft has been accepted, the Contractor will be given one (1) business day to revise the document and resubmit as a final deliverable. This constitutes a revision cycle.

The first revision cycle for a deliverable shall be acceptable to the Government when the Contractor submits a revised deliverable incorporating any comments and suggestions made by the BPA Call COR.

C.6. APPLICABLE DOCUMENTS AND STANDARDS All work under this BPA Call shall comply with the latest version of all applicable guidance and standards. These standards include, but are not limited to, NRC Management Directive (MD) volume 12.5 Security, cybersecurity policies, including those issued via Yellow Announcements, National Institute of Standards and Technology (NIST) guidance and Federal Information Processing Standards (FIPS),

and Committee on National Security Systems (CNSS) policy, directives, instructions, and guidance. This information is available at the following links:

NRC Policies, Procedures and Standards (CSO internal website):

http://www.internaI.nrc.gov/CSO/policies.htmI

NRC Policy and Procedures for Handling, Marking and Protecting Sensitive Unclassified Non-Safeguards Information (SUNSI):

http://www.internal.nrc.gov/sunsi/pdf/SUNSI-Policy-Procedures.pdf

All NRC Management Directives (public website): http://www.nrc.gov/reading-rm/doc-collections/management-directives/

NIST Special Publications and Federal Information Processing Standards (FIPS) Publications documentation is located at: http://csrc.nist.gov/

NRC-HQ-10-15-A-0005/31310018F0102 Page 10 of 25

CNSS documents are located at: http://www.cnss.gov/

The Contractor shall ensure compliance with the latest version of NIST publications, OMB/DHS guidance, and FIPS standards available at contract issuance and continued compliance with the latest versions within one year of the release date.

Identification/ Marking of Sensitive and SAFEGUARDS Information: The decision, determination or direction by the NRC that information constitutes sensitive or SAFEGUARDS information remains exclusively a matter within the authority of the NRC to make. In performing the contract, the Contractor shall clearly mark sensitive unclassified non-SAFEGUARDS information (SUNSI), sensitive, and SAFEGUARDS information to include for example Official Use Only and SAFEGUARDS Information on any reports, documents, designs, data, materials and written information as directed by the NRC. In addition to marking the information as directed by the NRC, the Contractor shall use the applicable NRC cover sheet forms (e.g. NRC Form 461 SAFEGUARDS Information and NRC Form 190B Official Use Only) in maintaining these records and documents. The Contractor shall ensure that sensitive and SAFEGUARDS information is handled appropriately, maintained and protected from unauthorized disclosure. The Contractor shall comply with the requirements to mark, maintain and protect all information including documents, summaries, reports, data, designs, and materials in accordance with the provisions of Section 147 of the Atomic Energy Act of 1954 as amended, its implementing regulations (1 0 CFR 73.21 ), and NRC Management Directive and Handbook 12.6.

Publication of Results: Prior to any dissemination, display, publication or release of articles, reports, summaries, data or related documents developed under the contract, the Contractor shall submit for review and approval by the NRC the proposed articles, reports, summaries, data and related documents that the Contractor intends to release, disseminate or publish to other persons, the public or any other entities. The Contractor shall not release, disseminate, display or publish articles, reports, summaries, data, and related documents or the contents therein that have not been reviewed and approved by the NRC for release, display, dissemination or publication.

The Contractor agrees to conspicuously place any disclaimers, markings or notices directed by the NRC on any articles, reports, summaries, data and related documents that the Contractor intends to release, display, disseminate or publish to other persons, the public or any other entities. The Contractor agrees and grants a royalty free, nonexclusive, irrevocable world-wide license to the government to use, reproduce, modify, distribute, prepare derivative works, release, display or disclose the articles, reports, summaries, data and related documents developed under the contract, for any governmental purpose and to have or authorize others to do so.

Deliverable Reviews: Deliverable Reviews will be held to provide the Contractor with feedback related to improving the quality of deliverables, including feedback received from Customer Satisfaction Surveys. Such reviews will be coordinated by the BPA

NRC-HQ-10-15-A-0005/31310018F0102 Page 11 of 25 Call COR as required to supplement written comments provided on deliverable submissions. The written minutes of all deliverable review meetings shall be prepared by the Contractor upon request. Should the Government not concur with the minutes, the BPA Call COR shall so state any areas of non-concurrence in writing to the Contractor within ten calendar days of receipt of the minutes. Failure to correct and identify defects, and integrate NRC comments into the deliverable may result in the issuance of a Contract Discrepancy Report (CDR) by the Contracting Officer. Upon issuance of a CDR, a meeting will be held.

C.7.

Section 508 - Electronic and Information Technology Standards The following standards are applicable to this contract/order:

In December 2000, the Architectural and Transportation Barriers Compliance Board (Access Board), pursuant to Section 508(2)(A) of the Rehabilitation Act Amendments of 1998, established information technology accessibility standards for the federal government. Section 508(a)(1) requires that when federal departments or agencies develop, procure, maintain, or use Electronic and Information Technology (EIT), they shall ensure that the EIT allows federal employees with disabilities to have access to and use of information and data that is comparable to the access to and use of information and data by other Federal employees. The Section 508 requirement also applies to members of the public seeking information or services from a federal department or agency. Section 508 text is available at http://www.opm.gov/HTML/508-textOfLaw.htm or http://www.section508.gov/

Any Electronic and Information Technology (EIT), as defined at FAR 2.101, supplied under this contract/order must conform to the Architectural and Transportation Barriers Compliance Board Electronic and Information Technology Accessibility Standards (36 CFR Part 1194). The applicable standards are available at: http://www.access-board.gov/sec508/guide/index.htm The following standards are applicable to this task order:

Subpart B - Technical Standards Software Applications and Operating Systems (1194.21)

Web-based Intranet and Internet Information and Applications(1194.22)

Telecommunications Products (1194.23)

Video and Multimedia Products (1194.24)

Self-Contained, Closed Products (1194.25)

Desktop and Portable Computers (1194.26)

EIT purchased under this contract/order must be accessible to persons with disabilities, unless otherwise stipulated in the contract/order. Any product replacements contemplated under this contract/order must be equally as 508 compliant as (or more

NRC-HQ-10-15-A-0005/31310018F0102 Page 12 of 25 compliant than) the original product purchased. Also, the Government reserves the right to conduct hands-on testing to validate contractor 508 compliance claims.

A Voluntary Product Accessibility Template (VPAT) shall be provided along with EIT deliverables submitted to the Government, if available.

C.8. PLACE OF PERFORMANCE NRC does not require support staff be available on site. While the contractor may not rely on the availability of NRC office space, the NRC can accommodate IV&V staff on site on an ad-hoc and occasional basis. The contractor shall provide office space for proposed staff and ensure that they are readily available by telephone and NRC email during hours billed.

C.9. APPLICABLE PUBLICATIONS (Current Editions)

The Contractor shall adhere to following NRC policies:

1.

Management Directive 12.5, Automated Information Security Program 2.

NRC Sensitive Unclassified Non-Safeguards Information (SUNSI) 3.

Cybersecurity Policy for Encryption of Data at Rest When Outside of Agency Facilities 4.

Policy for Copying, Scanning, Printing, and Faxing SGI & Classified Information 5.

Cybersecurity Information Protection Policy 6.

Remote Access Policy 7.

Use of Commercial Wireless Devices, Services and Technologies Policy 8.

Laptop Security Policy 9.

Cybersecurity Incident Response Policy

10. Other NRC Security Policies, including but not limited to those issued via NRC Yellow Announcements.

C.10. SECURITY REQUIRMENTS The contractor shall be required to return NRC issued Personal Identification Verification (PIV) cards/badges to the COR at the end of the contract period of performance. If a contractor voluntarily leaves the company, the badge must be returned on the employees final day of employment. Once the badge is returned to the NRC, the contractor will no longer have access to NRC buildings, sensitive information technology systems or data. Additional information related to the returning of PIV badges can be found in Management Directive 12.1, Section 5.

No classified processing will be performed under this BPA Call. Additionally, the contractor shall not use non-NRC provided hardware or software to process any information related to this effort. If a requirement for using contractor hardware or software arises, it must be approved beforehand, in writing, by the BPA Call CO/COR Upon written permission of the BPA Call CO/COR, all electronic processing of NRC sensitive information shall be in facilities, networks, and computers that have been

NRC-HQ-10-15-A-0005/31310018F0102 Page 13 of 25 certified and accredited by NRC for processing information at the highest sensitivity of the information that is processed or will ultimately be processed.

When e-mail is used, the Contractor shall only use NRC provided e-mail accounts to send and receive sensitive information (information that is not releasable to the public) unless approved in writing beforehand by the BPA Call CO/COR.

All Contractor employees must sign the NRC Agency Rules of Behavior for Secure Computer Use prior to being granted access to NRC computing resources.

Contractor shall adhere to NRC's prohibition of use of personal devices to process and store NRC sensitive information.

The Contractor shall not publish or disclose in any manner, without the BPA Call CO/CORs written consent, the details of any NRC security controls, countermeasures or cyber security posture metrics or data.

All media used by the Contractor to store or process NRC information shall be controlled in accordance with the sensitivity level. The Contractor shall not perform sanitization or destruction of media approved for processing NRC information designated as SGI or Classified. The Contractor must provide the media to NRC for destruction.

NRC-HQ-10-15-A-0005/31310018F0102 Page 14 of 25 SECTION D - Packaging and Marking D.1 BRANDING The Contractor is required to use the statement below in any publications, presentations, articles, products, or materials funded under this contract/order, to the extent practical, in order to provide NRC with recognition for its involvement in and contribution to the project. If the work performed is funded entirely with NRC funds, then the contractor must acknowledge that information in its documentation/presentation.

Work Supported by the U.S. Nuclear Regulatory Commission (NRC), Office of the Chief Information Officer, under Contract/order number NRC-HQ-10-15A-0005/31310018F0102.

(End of Clause)

D.2 MARKING DELIVERABLES The Contractor shall include the BPA number and the BPA Call number on, or adjacent to, all exterior mailing or shipping labels of deliverable items called for by the BPA Call, except for reports. Mark deliverables for the BPA Call COR.

(End of Clause)

NRC-HQ-10-15-A-0005/31310018F0102 Page 15 of 25 SECTION E - Inspection and Acceptance E.1 INSPECTION AND ACCEPTANCE BY THE NRC (SEP 2013)

Inspection and acceptance of the deliverable items to be furnished hereunder shall be made by the NRC Contracting Officers Representative (BPA CALL COR) at the destination, accordance with FAR 52.247 F.o.b. Destination.

Contract Deliverables: See section C.5.2 of the Statement of Work.

(End of Clause)

NRC-HQ-10-15-A-0005/31310018F0102 Page 16 of 25 SECTION F - Deliveries or Performance F.1 PERIOD OF PERFORMANCE (SEP 2013)

This contract shall commence on September 25, 2018 and will expire on July 24, 2019.

There are also two one-year option periods.

Base Period: September 25, 2018 - July 24, 2019 Option Period 1: June, 25, 2019June 24, 2020 Option Period 2: June, 25, 2020June 24, 2021 (End of Clause F.2 PLACE OF DELIVERY REPORTS The items to be furnished hereunder shall be delivered, with all charges paid by the Contractor, to: BPA Call COR

NRC-HQ-10-15-A-0005/31310018F0102 Page 17 of 25 SECTION G - Contract Administration Data G.1 CONTRACTING OFFICER REPRESENTATIVE (a) The contracting officer's authorized representative, hereinafter referred to as the BPA Call COR, for this BPA Call is:

Name: Alan Sage.

Alternate COR Name: Bill Dabs (b) Performance of the work under this BPA Call is subject to the technical direction of the BPA Call COR. The term technical direction is defined to include the following:

(1) Technical direction to the contractor which shifts work emphasis between areas of work or tasks, authorizes travel which was unanticipated in the Schedule (i.e., travel not contemplated in the Performance Work Statement (PWS) or changes to specific travel identified in the PWS), fills in details, or otherwise serves to accomplish the BPA Call statement of work.

(2) Provide advice and guidance to the contractor in the preparation of drawings, specifications, or technical portions of the work description.

(3) Review and, where required by the BPA Call, approve technical reports, drawings, specifications, and technical information to be delivered by the contractor to the Government under the BPA Call.

(c) Technical direction must be within the general statement of work stated in the BPA Call. The BPA Call COR does not have the authority to and may not issue any technical direction which:

(1) Constitutes an assignment of work outside the general scope of the BPA Call.

(2) Constitutes a change as defined in the "Changes" clause of the Contractors GSA Federal Supply Schedule contract upon which the Contractors BPA and this BPA Call are based.

(3) In any way causes an increase or decrease in the total estimated BPA Call cost or the time required for BPA Call performance.

(4) Changes any of the expressed terms, conditions, or specifications of the BPA Call.

(5) Terminates the BPA Call, settles any claim or dispute arising under the BPA Call, or issues any unilateral directive whatever.

(d) All technical directions must be issued in writing by the BPA Call COR or must be confirmed by the BPA Call COR in writing within ten (10) working days after verbal issuance.

(e) The contractor shall proceed promptly with the performance of technical directions duly issued by the BPA Call COR in the manner prescribed by this clause and within the BPA Call COR's authority under the provisions of this clause.

NRC-HQ-10-15-A-0005/31310018F0102 Page 18 of 25 (f) If, in the opinion of the contractor, any instruction or direction issued by the BPA Call COR is within one of the categories defined in paragraph (c) of this section, the contractor may not proceed but shall notify the contracting officer in writing within five (5) working days after the receipt of any instruction or direction and shall request that contracting officer to modify the BPA Call accordingly. Upon receiving the notification from the contractor, the contracting officer shall issue an appropriate BPA Call modification or advise the contractor in writing that, in the contracting officer's opinion, the technical direction is within the scope of this article and does not constitute a change under the "Changes" clause.

(g) Any unauthorized commitment or direction issued by the BPA Call COR or others may result in an unnecessary delay in the contractor's performance and may even result in the contractor expending funds for unallowable costs under the BPA Call.

(h) A failure of the parties to agree upon the nature of the instruction or direction or upon the contract action to be taken with respect to the instruction or direction is subject to 52.233 Disputes.

(i) In addition to providing technical direction as defined in paragraph (b) of the section, the BPA Call COR shall:

(1) Monitor the contractor's technical progress, including surveillance and assessment of performance, and recommend to the contracting officer changes in requirements.

(2) Assist the contractor in the resolution of technical problems encountered during performance.

(3) Review all costs requested for reimbursement by the contractor and submit to the contracting officer recommendations for approval, disapproval, or suspension of payment for supplies and services required under this BPA Call.

NRC-HQ-10-15-A-0005/31310018F0102 Page 19 of 25 SECTION H - Special Contract Requirements H.1 GOVERNMENT FURNISHED EQUIPMENT/PROPERTY C.4.3 Government-Furnished Property (a) Offsite staff will be provided network access, email, and government laptops for secure remote access if deemed necessary by the BPA Call COR.

The following GFP may be provided to any offsite contractor staff:

GFP Item Quantity Date provided to contractor Method of Shipment NRC standard laptop 2

Upon BPA Call award Contractor to pick up from NRC (b) Only the equipment/property listed above in the quantities shown will be provided by the Government. The contractor shall be responsible and accountable for all Government property provided under this contract and shall comply with the provisions of the FAR Government Property Clause under this contract and FAR Subpart 45.5, as in effect on the date of this contract. The contractor shall investigate and provide written notification to the NRC Contracting Officer (CO) and the NRC Division of Facilities and Security, Physical Security Branch of all cases of loss, damage, or destruction of Government property in its possession or control not later than 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> after discovery.

The contractor must report stolen Government property to the local police and a copy of the police report must be provided to the CO and to the Division of Facilities and Security, Office of Administration.

(c) All other equipment/property required in performance of the contract shall be furnished by the Contractor.

(End of Clause)

H.2 AWARD NOTIFICATION AND COMMITMENT OF PUBLIC FUNDS (a) All offerors will receive preaward and postaward notices in accordance with FAR 15.503.

(b) It is also brought to your attention that the contracting officer is the only individual who can legally obligate funds or commit the NRC to the expenditure of public funds in connection with this procurement. This means that unless provided in a contract document or specifically authorized by the contracting officer, NRC technical personnel may not issue contract modifications, give formal contractual commitments, or otherwise bind, commit, or obligate the NRC contractually. Informal unauthorized commitments, which do not obligate the NRC and do not entitle the contractor to payment, may include:

(1) Encouraging a potential contractor to incur costs prior to receiving a contract;

NRC-HQ-10-15-A-0005/31310018F0102 Page 20 of 25 (2) Requesting or requiring a contractor to make changes under a contract without formal contract modifications; (3) Encouraging a contractor to incur costs under a cost-reimbursable contract in excess of those costs contractually allowable; and (4) Committing the Government to a course of action with regard to a potential contract, contract change, claim, or dispute.

(End of Clause)

NRC-HQ-10-15-A-0005/31310018F0102 Page 21 of 25 SECTION I - Contract Clauses I.1 52.217-8 OPTION TO EXTEND SERVICES. (NOV 1999)

The Government may require continued performance of any services within the limits and at the rates specified in the contract. These rates may be adjusted only as a result of revisions to prevailing labor rates provided by the Secretary of Labor. The option provision may be exercised more than once, but the total extension of performance hereunder shall not exceed 6 months. The Contracting Officer may exercise the option by written notice to the Contractor at any time prior to contract expiration.

(End of clause)

I.2 52.217-9 OPTION TO EXTEND THE TERM OF THE CONTRACT. (MAR 2000)

(a) The Government may extend the term of this contract by written notice to the Contractor at any time prior to contract expiration. The preliminary notice does not commit the Government to an extension.

(b) If the Government exercises this option, the extended contract shall be considered to include this option clause.

(c) The total duration of this contract, including the exercise of any options under this clause, shall not exceed 3.5 years.

(End of clause)

I.5 52.232-19 AVAILABILITY OF FUNDS FOR THE NEXT FISCAL YEAR. (APR 1984)

Funds are not presently available for performance under this contract beyond May 2019.. The Government's obligation for performance of this contract beyond that date is contingent upon the availability of appropriated funds from which payment for contract purposes can be made. No legal liability on the part of the Government for any payment may arise for performance under this contract beyond May 2019, until funds are made available to the Contracting Officer for performance and until the Contractor receives notice of availability, to be confirmed in writing by the Contracting Officer.

(End of clause)

I.6 52.232-22 LIMITATION OF FUNDS. (APR 1984)

(a) The parties estimate that performance of this contract will not cost the Government more than (1) the estimated cost specified in the Schedule or, (2) if this is a cost-sharing contract, the Governments share of the estimated cost specified in the Schedule. The Contractor agrees to use its best efforts to perform the work specified in the Schedule and all obligations under this contract within the estimated cost, which, if this is a cost-sharing contract, includes both the Governments and the Contractors share of the cost.

(b) The Schedule specifies the amount presently available for payment by the Government and allotted to this contract, the items covered, the Governments share of the cost if this is a cost-sharing contract, and the period of performance it is estimated the allotted amount will cover. The parties contemplate that the Government will allot

NRC-HQ-10-15-A-0005/31310018F0102 Page 22 of 25 additional funds incrementally to the contract up to the full estimated cost to the Government specified in the Schedule, exclusive of any fee. The Contractor agrees to perform, or have performed, work on the contract up to the point at which the total amount paid and payable by the Government under the contract approximates but does not exceed the total amount actually allotted by the Government to the contract.

(c) The Contractor shall notify the Contracting Officer in writing whenever it has reason to believe that the costs it expects to incur under this contract in the next 60 days, when added to all costs previously incurred, will exceed 75 percent of (1) the total amount so far allotted to the contract by the Government or, (2) if this is a cost-sharing contract, the amount then allotted to the contract by the Government plus the Contractors corresponding share. The notice shall state the estimated amount of additional funds required to continue performance for the period specified in the Schedule.

(d) Sixty days before the end of the period specified in the Schedule, the Contractor shall notify the Contracting Officer in writing of the estimated amount of additional funds, if any, required to continue timely performance under the contract or for any further period specified in the Schedule or otherwise agreed upon, and when the funds will be required.

(e) If, after notification, additional funds are not allotted by the end of the period specified in the Schedule or another agreed-upon date, upon the Contractors written request the Contracting Officer will terminate this contract on that date in accordance with the provisions of the Termination clause of this contract. If the Contractor estimates that the funds available will allow it to continue to discharge its obligations beyond that date, it may specify a later date in its request, and the Contracting Officer may terminate this contract on that later date.

(f) Except as required by other provisions of this contract, specifically citing and stated to be an exception to this clause (1) The Government is not obligated to reimburse the Contractor for costs incurred in excess of the total amount allotted by the Government to this contract; and (2) The Contractor is not obligated to continue performance under this contract (including actions under the Termination clause of this contract) or otherwise incur costs in excess of (i) The amount then allotted to the contract by the Government or; (ii) If this is a cost-sharing contract, the amount then allotted by the Government to the contract plus the Contractors corresponding share, until the Contracting Officer notifies the Contractor in writing that the amount allotted by the Government has been increased and specifies an increased amount, which shall then constitute the total amount allotted by the Government to this contract.

(g) The estimated cost shall be increased to the extent that (1) the amount allotted by the Government or, (2) if this is a cost-sharing contract, the amount then allotted by the Government to the contract plus the Contractors corresponding share, exceeds the estimated cost specified in the Schedule. If this is a cost-sharing contract, the increase shall be allocated in accordance with the formula specified in the Schedule.

(h) No notice, communication, or representation in any form other than that specified in paragraph (f)(2) of this clause, or from any person other than the Contracting Officer, shall affect the amount allotted by the Government to this contract. In the absence of the specified notice, the Government is not obligated to reimburse the Contractor for any costs in excess of the total amount allotted by the Government to this contract, whether incurred during the course of the contract or as a result of termination.

NRC-HQ-10-15-A-0005/31310018F0102 Page 23 of 25 (i) When and to the extent that the amount allotted by the Government to the contract is increased, any costs the Contractor incurs before the increase that are in excess of (1) The amount previously allotted by the Government or; (2) If this is a cost-sharing contract, the amount previously allotted by the Government to the contract plus the Contractors corresponding share, shall be allowable to the same extent as if incurred afterward, unless the Contracting Officer issues a termination or other notice and directs that the increase is solely to cover termination or other specified expenses.

(j) Change orders shall not be considered an authorization to exceed the amount allotted by the Government specified in the Schedule, unless they contain a statement increasing the amount allotted.

(k) Nothing in this clause shall affect the right of the Government to terminate this contract. If this contract is terminated, the Government and the Contractor shall negotiate an equitable distribution of all property produced or purchased under the contract, based upon the share of costs incurred by each.

(l) If the Government does not allot sufficient funds to allow completion of the work, the Contractor is entitled to a percentage of the fee specified in the Schedule equalling the percentage of completion of the work contemplated by this contract.

(End of clause)

I.7 2052.215-77 TRAVEL APPROVALS AND REIMBURSEMENT. (OCT 1999)

(a) All foreign travel must be approved in advance by the NRC on NRC Form 445, Request for Approval of Official Foreign Travel, and must be in compliance with FAR 52.247-63 Preference for U.S. Flag Air Carriers. The contractor shall submit NRC Form 445 to the BPA Call COR no later than 30 days before beginning travel.

(b) The contractor must receive written approval from the BPA Call COR before taking travel that was unanticipated in the Schedule (i.e., travel not contemplated in the SOW, or changes to specific travel identified in the SOW).

(c) The contractor will be reimbursed only for travel costs incurred that are directly related to this BPA CALL and are allowable subject to the limitations prescribed in FAR 31.205-46.

(d) It is the responsibility of the contractor to notify the contracting officer in accordance with the Limitations of Cost clause of this BPA Call when, at any time, the contractor learns that travel expenses will cause the contractor to exceed the estimated costs specified in the Schedule.

(e) Reasonable travel costs for research and related activities performed at State and nonprofit institutions, in accordance with Section 12 of Pub. L. 100-679, must be charged in accordance with the contractor's institutional policy to the degree that the limitations of Office of Management and Budget (OMB) guidance are not exceeded. Applicable guidance documents include OMB Circular A-87, Cost Principles for State and Local Governments; OMB Circular A-122, Cost Principles for Nonprofit Organizations; and OMB Circular A-21, Cost Principles for Educational Institutions.

(End of Clause)

I.8 52.252-2 Clauses Incorporated by Reference (FEB 1998)

This contract incorporates one or more clauses by reference, with the same force and effect as if they were given in full text. Upon request, the Contracting Officer will make

NRC-HQ-10-15-A-0005/31310018F0102 Page 24 of 25 their full text available. Also, the full text of a clause may be accessed electronically at this/these address(es): http://www.acquisition.gov/far 52.227-14 RIGHTS IN DATA--GENERAL AUG 1999 52.237-3 CONTINUITY OF SERVICES JAN 1991

NRC-HQ-10-15-A-0005/31310018F0102 Page 25 of 25 SECTION J - List of Documents, Exhibits and Other Attachments J.1 List of Documents, Exhibits, and Other Attachments Attachment Number Title Security Clauses Billing instructions for Time and Materials/Labor Hour Type Contracts SITSOSS IV&V Cost Price Spreadsheet

Retrieved from "https://kanterella.com/w/index.php?title=ML18260A207&oldid=4963009"