Text

Task Order No. 31310019F0037 Under Contract No. GS23F0038U - Redacted
	ML19114A287
Person / Time
Issue date:	04/24/2019
From:	Jessica Chu; Acquisition Management Division
To:	Castro T; Castro Co
References
	GS23F0038U
	Download: ML19114A287 (36)
	v • d • e

1. REQUISITION NUMBER PAGE OF SOLICITATION/CONTRACT/ORDER FOR COMMERCIAL ITEMS OFFEROR TO COMPLETE BLOCKS 12, 17, 23, 24, & 30 CFO-19-0001 1 36

2. CONTRACT NO. 3. AWARD/ 4. ORDER NUMBER 5. SOLICITATION NUMBER 6. SOLICITATION GS23F0038U EFFECTIVE DATE 31310019Q0015 ISSUE DATE 04/24/2019 31310019F0037 02/07/2019

7. FOR SOLICITATION a. NAME b. TELEPHONE NUMBER (No collect calls) 8. OFFER DUE DATE/LOCAL TIME INFORMATION CALL JESSICA CHU

9. ISSUED BY CODE NRCHQ 10. THIS ACQUISITION IS X UNRESTRICTED OR SET ASIDE: % FOR:

WOMEN-OWNED SMALL BUSINESS US NRC - HQ SMALL BUSINESS (WOSB) ELIGIBLE UNDER THE WOMEN-OWNED ACQUISITION MANAGEMENT DIVISION HUBZONE SMALL SMALL BUSINESS PROGRAM NAICS: 541211 BUSINESS EDWOSB MAIL STOP TWFN-07B20M SERVICE-DISABLED 8(A)

WASHINGTON DC 20555-0001 VETERAN-OWNED SIZE STANDARD: $20.5 SMALL BUSINESS

11. DELIVERY FOR FOB DESTINA- 12. DISCOUNT TERMS 13b. RATING TION UNLESS BLOCK IS 13a. THIS CONTRACT IS A MARKED 30 RATED ORDER UNDER

14. METHOD OF SOLICITATION SEE SCHEDULE DPAS (15 CFR 700)

RFQ IFB RFP

15. DELIVER TO CODE NRCHQ 16. ADMINISTERED BY CODE NRCHQ NUCLEAR REGULATORY COMMISSION US NRC - HQ NUCLEAR REGULATORY COMMISSION ACQUISITION MANAGEMENT DIVISION WASHINGTON DC 20555-0001 MAIL STOP TWFN-07B20M WASHINGTON DC 20555-0001 17a. CONTRACTOR/ CODE 619053411 FACILITY CODE 18a. PAYMENT WILL BE MADE BY CODE NRCPAYMENTS OFFEROR CASTRO COMPANY LLC FISCAL ACCOUNTING PROGRAM ATTN THOMAS CASTRO ADMIN TRAINING GROUP AVERY STREET A3-G 1737 KING ST STE 250 BUREAU OF THE FISCAL SERVICE ALEXANDRIA VA 223142760 PO BOX 1328 PARKERSBURG WV 26106-1328 TELEPHONE NO. 7032294440107 17b. CHECK IF REMITTANCE IS DIFFERENT AND PUT SUCH ADDRESS IN OFFER 18b. SUBMIT INVOICES TO ADDRESS SHOWN IN BLOCK 18a UNLESS BLOCK BELOW IS CHECKED SEE ADDENDUM

19. 20. 21. 22. 23. 24.

ITEM NO. SCHEDULE OF SUPPLIES/SERVICES QUANTITY UNIT UNIT PRICE AMOUNT Period of Performance: 04/24/2019 to 11/30/2019 00001 TASK 1 - Monitoring of Internal Control Corrective Actions 00002 TASK 2 - Risk Assessment and Internal Control Reviews Continued ...

(Use Reverse and/or Attach Additional Sheets as Necessary)

25. ACCOUNTING AND APPROPRIATION DATA 26. TOTAL AWARD AMOUNT (For Govt. Use Only) 2019-X0200-FEEBASED-7N-7ND001-N7234-51-G-153-252A-7N-N7234 $1,320,272.60 27a. SOLICITATION NCORPORATES BY REFERENCE FAR 52 212-1, 52.212-4. FAR 52.212-3 AND 52.212-5 ARE ATTACHED. ADDENDA ARE ARE NOT ATTACHED.

X 27b. CONTRACT/PURCHASE ORDER NCORPORATES BY REFERENCE FAR 52 212-4. FAR 52 212-5 IS ATTACHED. ADDENDA X ARE ARE NOT ATTACHED.

28. CONTRACTOR IS REQU RED TO SIGN THIS DOCUMENT AND RETURN X 29. AWARD OF CONTRACT: REF. OFFER COP ES TO ISSUING OFFICE. CONTRACTOR AGREES TO FURNISH AND DELIVER DATED . YOUR OFFER ON SOLICITATION (BLOCK 5),

ALL ITEMS SET FORTH OR OTHERWISE IDENTIFIED ABOVE AND ON ANY ADDITIONAL INCLUDING ANY ADDITIONS OR CHANGES WHICH ARE SET FORTH SHEETS SUBJECT TO THE TERMS AND CONDITIONS SPECIFIED. HEREIN, IS ACCEPTED AS TO ITEMS:

30a. SIGNATURE OF OFFEROR/CONTRACTOR 31a. UNITED STATES OF AMERICA (SIGNATURE OF CONTRACTING OFFICER) 30b. NAME AND TITLE OF SIGNER (Type or print) 30c. DATE SIGNED 31b. NAME OF CONTRACTING OFFICER (Type or print) 31c. DATE SIGNED JESSICA CHU 04/24/2019 AUTHORIZED FOR LOCAL REPRODUCTION STANDARD FORM 1449 (REV. 2/2012)

PREVIOUS EDITION IS NOT USABLE Prescribed by GSA - FAR (48 CFR) 53.212

2 of 36

19. 20. 21. 22. 23. 24.

ITEM NO. SCHEDULE OF SUPPLIES/SERVICES QUANTITY UNIT UNIT PRICE AMOUNT 00003 TASK 3 - Internal Control Documentation and Policy Guidance 00004 TASK 4 - Recommendations on Matters Relating to Internal Controls 00005 TASK 5 - Weekly and Monthly Status Meetings, Monthly Project Status Reports, and Final Report 10001 OPTION PERIOD 1 TASK 1 - Monitoring of Internal Control Corrective Actions Anticipated Exercise Date11/30/2019 10002 OPTION PERIOD 1 TASK 2 - Risk Assessment and Internal Control Reviews Anticipated Exercise Date11/30/2019 10003 OPTION PERIOD 1 TASK 3 - Internal Control Documentation and Policy Guidance Continued ...

32a. QUANTITY IN COLUMN 21 HAS BEEN RECEIVED INSPECTED ACCEPTED, AND CONFORMS TO THE CONTRACT, EXCEPT AS NOTED:

32b. SIGNATURE OF AUTHORIZED GOVERNMENT REPRESENTATIVE 32c. DATE 32d. PRINTED NAME AND TITLE OF AUTHORIZED GOVERNMENT REPRESENTATIVE 32e. MA LING ADDRESS OF AUTHORIZED GOVERNMENT REPRESENTATIVE 32f. TELEPHONE NUMBER OF AUTHORIZED GOVERNMENT REPRESENTATIVE 32g. E-MA L OF AUTHORIZED GOVERNMENT REPRESENTATIVE

33. SHIP NUMBER 34. VOUCHER NUMBER 35. AMOUNT VERIFIED 36. PAYMENT 37. CHECK NUMBER CORRECT FOR COMPLETE PARTIAL FINAL PARTIAL FINAL

38. S/R ACCOUNT NUMBER 39. S/R VOUCHER NUMBER 40. PAID BY 41a. I CERTIFY THIS ACCOUNT IS CORRECT AND PROPER FOR PAYMENT 42a. RECEIVED BY (Print) 41b. SIGNATURE AND TITLE OF CERTIFY NG OFFICER 41c. DATE 42b. RECEIVED AT (Location) 42c. DATE REC'D (YY/MM/DD) 42d. TOTAL CONTAINERS STANDARD FORM 1449 (REV. 2/2012) BACK

REFERENCE NO. OF DOCUMENT BEING CONTINUED PAGE OF CONTINUATION SHEET GS23F0038U/31310019F0037 3 36 NAME OF OFFEROR OR CONTRACTOR CASTRO COMPANY LLC ITEM NO. SUPPLIES/SERVICES QUANTITY UNIT UNIT PRICE AMOUNT (A) (B) (C) (D) (E) (F)

Anticipated Exercise Date11/30/2019 10004 OPTION PERIOD 1 TASK 4 - Recommendations on Matters Relating to Internal Controls Anticipated Exercise Date11/30/2019 10005 OPTION PERIOD 1 TASK 5 - Weekly and Monthly Status Meetings, Monthly Project Status Reports, and Final Report Anticipated Exercise Date11/30/2019 20001 OPTION PERIOD 2 TASK 1 - Monitoring of Internal Control Corrective Actions Anticipated Exercise Date11/30/2020 20002 OPTION PERIOD 2 TASK 2 - Risk Assessment and Internal Control Reviews Anticipated Exercise Date11/30/2020 20003 OPTION PERIOD 2 TASK 3 - Internal Control Documentation and Policy Guidance Anticipated Exercise Date11/30/2020 20004 OPTION PERIOD 2 TASK 4 - Recommendations on Matters Relating to Internal Controls Anticipated Exercise Date11/30/2020 20005 OPTION PERIOD 2 Continued ...

NSN 7540-01-152-8067 OPTIONAL FORM 336 (4-86)

References:

The COR shall provide direction on which reviews the Contractor shall perform. These reviews may require the Contractor to provide written recommendations to the COR for improvements to internal controls.

Task 3 - Internal Control Documentation and Policy Guidance Requirement: As gaps in documentation are identified, the Contractor shall prepare and update process narratives and flowcharts with input from the COR. Such documentation shall follow OMB Circular A-123 and shall conform to NRC Policies and Procedures. The preparation and updates to process narratives and flowcharts is to ensure NRC is in compliance with federal rules and regulations. The NRC Policies and Procedures for Enterprise Risk Management and Internal Control are primarily contained in Management Directive 4.4 and the associated Handbook. As part of performing the internal control reviews, the Contractor shall prepare and update process narratives and flowcharts and make appropriate written recommendations to the COR on appropriate revisions to NRC guidance and policies with regard to internal control, particularly internal control over financial reporting.

Deliverable(s): The Contractor shall update the process narratives and flowcharts and make written recommendations to the COR. The recommendations shall be provided to the COR at the weekly status update meetings. The recommendations shall be compiled into a brief document that explains the findings and recommended changes to policy or guidance documents within (5) business days of the CORs request.

Acceptance Criteria: The COR will have ten (10) business days to complete the review of the deliverable.

The COR will indicate their acceptance or rejection of the deliverable in writing. In the event of the rejection of the deliverable, the COR shall notify the Contractor in writing, giving the specific reason(s) for rejection. The Contractor shall have five (5) business days to correct the rejected deliverable and return it to the COR.

Meetings: Recommendations will be discussed at the weekly status meetings.

Task 4 - Recommendations on Matters Relating to Internal Controls Requirement: The Contractor shall analyze the effects of new and emerging issues on internal controls and provide recommendations to the NRC.

GS23F0038U/31310019F0037 Page 11 of 37 Deliverable(s): As part of performing the internal control reviews, the Contractor shall analyze emerging issues, as needed and provide recommendations. The recommendations shall be provided to the COR at the weekly status meetings. The Contractor shall prepare written recommendations on the issues, if needed, as part of the reporting process for internal control reviews. The recommendations shall be compiled into a document explaining the findings and recommended changes to policy or guidance documents. The written recommendations shall be provided to the COR no later than a week after the weekly status meeting.

Acceptance Criteria: The COR will have ten (10) business days to complete the review of the deliverable.

The COR will accept or reject the deliverable in writing. In the event of the rejection of the deliverable, the COR shall notify the Contractor in writing, giving the specific reason(s) for rejection. The Contractor shall have five (5) business days to correct the rejected deliverable and return it to the COR.

Meetings: Recommendations shall be provided to the COR at the weekly status meetings.

Task 5 - Weekly and Monthly Status Meetings, Monthly Project Status Reports, and Final Report Requirement:

Weekly Status Meetings: The Contractor shall meet with the COR on a weekly basis at NRC headquarters. The content of the meetings shall include the status of all corrective action plan monitoring, ongoing internal control reviews, policy findings, and other items relevant to internal controls.

Monthly Meetings and Reports: The Contractor shall attend monthly meetings with the COR to present the status of the above items. In addition, the Contractor shall provide written Monthly Project Status Reports to the COR on the progress and status of all internal control reviews, recommendations, monitoring of corrective action plans, or other activities. The monthly reports shall be provided to the COR (3) business days prior to the monthly meetings.

Final Report: The Contractor shall provide a final report summarizing the work performed and the results and conclusions under this order 30 calendar days prior to the expiration date of the order. The report shall include, at a minimum, a summary narrative of the assessment, the process narratives, test plans, and a findings matrix. The Contractor shall provide the report to the COR in a format that is readable by Microsoft Office software. Additionally, the Contractor shall provide its work documentation used in the test work and the final report to the COR in formats that are readable by Microsoft Office software at the conclusion of the assessment.

Deliverable(s):

(1) Weekly status meetings; (2) Monthly status meetings; and (3) Monthly Project Status Reports (4) Final Report Acceptance Criteria: The Contractor shall provide Monthly Project Status Report and Final Report in formats that are readable by Microsoft Office software. The Monthly Project Status Report shall provide the status of all corrective action plans, internal control reviews and other ongoing work. The Final Report shall include, at a minimum, a summary narrative of the assessment, the process narratives, test plans, and a findings matrix.

Meetings: Weekly meetings and monthly meetings will be held at NRC headquarters. Remote attendance may be allowed as coordinated and approved by the COR. The Contractor shall not be reimbursed for local travel when commuting from Contractor facility to NRC facility for these meetings.

No additional travel is anticipated.

C.4 Deliverables and Delivery Schedule

GS23F0038U/31310019F0037 Page 12 of 37 Task and Deliverable Due Date Task 1 - Monitoring of Internal Control Corrective Actions:

Deliverable: Status Updates and Written Monthly throughout task order period of Recommendations on Corrective Actions performance Deliverable: Written Recommendations on Additional Corrective Plan Issues Within ten (10) working days of COR Identified at Monthly Meetings request Task 2 - Internal Controls Reviews:

Deliverable: Review and Testing Plans Delivered in accordance with due date for Business Processes established in Project Plan (TBD)

Deliverable: Internal Controls Draft Report Within ten (10) workings days of completion of the reviews and testing Deliverable: Internal Controls Final Report Within ten (10) workings days of receipt of COR comments on the draft report Task 3 - Internal Control Documentation and policy Guidance:

Deliverable: Update Process Narratives Completed within (5) business days of and Provide Written Recommendations COR request and briefed at the weekly for the Process Narratives status meetings Task 4 - Recommendations on Matters Relating to Internal Controls:

Deliverable: Written Recommendations Within a week of the weekly status on Emerging Issues meeting Task 5 - Weekly and Monthly Status Meetings, Monthly Project Status Reports, and Final Report:

Deliverable: Weekly Status Meetings Weekly throughout the task order period of performance Deliverable: Monthly Meetings Monthly throughout the task order period of performance Deliverable: Monthly Project Status (3) business days prior to the monthly Report meetings Deliverable: Final Report 30 calendar days prior to the expiration date of the order C.6 Roles The Contractor shall utilize the following roles to perform the requirements of this task order, as appropriate:

A. Senior Manager - Key personnel Requires a high level of understanding of A-123 Assessments in the federal government and of federal government guidance and requirements. The senior manager leads the overall project, ensures that appropriate Contractor personnel are assigned to the project and reviews and approves the deliverables.

The senior manager provides recommendations to the COR on issues that arise and government wide best practices to the NRC.

B. Manager - Key personnel Requires a high level of understanding of A-123 Assessments in the federal government and of federal government guidance and requirements. The manager leads the project on a daily basis and develops the project plans in coordination with the COR. The manager monitors and reviews the auditors work and reviews and approves the deliverables. The manager provides regular status reports to the COR.

GS23F0038U/31310019F0037 Page 13 of 37 The manager provide recommendations to the COR on issues that arise and government wide best practices to the agency. The manager shall be a Certified Public Accountant (CPA).

C. IT Manager - Key personnel Requires a high level of understanding of the IT portion of A-123 Assessments in the federal government and of federal government IT guidance and requirements. The IT manager leads the IT portion of the project on a daily basis and develops the IT project plans in coordination with the COR. The IT manager monitors and reviews the IT auditors work and reviews and approves the deliverables. The IT manager provides status reports to the COR. The IT manager provides recommendations to the COR on IT issues that arise and government wide best practices to the agency. The IT manager shall be a Certified Information Systems Auditor (CISA).

D. Senior Auditor Requires an understanding of A-123 Assessments in the federal government and of federal government guidance and requirements. Conducts interviews, reviews documentation, updates procedures, tests controls, documents results and reports findings for the assessment.

E. Senior IT Auditor.

Requires an understanding of the IT portion of A-123 Assessments in the federal government and of federal government IT guidance and requirements. Conducts interviews, reviews documentation, updates procedures, tests controls, documents results and reports findings for the IT portion of the assessment.

F. Auditor Requires a basic understanding of A-123 Assessments in the federal government and of federal government guidance and requirements. Conducts interviews, reviews documentation, updates procedures, tests controls, documents results and reports findings for the assessment.

C.7 Applicable Documents and Standards The major guidance for this effort is OMB Circular A-123, specifically appendix A.

NRC Management Directive 4.4 and the associated Handbook (Attachment 3)

NRC Management Directive 12.1, Section 5 (Attachment 4)

Additional guidance includes, but is not limited to the following:

Prompt Payment Act

Anti-Deficiency Act

Pay and Allowance System for Civilian Employees

Budget Control Act of 2011 (Sequestration)

Chief Financial Officers Act of 1990

Consolidated and Further Continuing Appropriation Act of 2013 (Continuing Resolution)

Debt Collection Improvement Act of 1996 (Per OMB 07-04)

Federal Acquisition Regulations

Federal Employees Compensation Act

Federal Employees Group Life Insurance Act of 1980

Federal Employees Health Benefits Act of 1959

Federal Financial Management Improvement Act of 1996

Federal Information Security Management Act of 2002

Federal Managers Financial Integrity Act of 1982

Government Management and Reform Act of 1994

Improper Payments Elimination and Recovery Improvement Act of 2012

OMB Bulletin 17-03 and successor amendments, Audit Requirements for Federal Financial Statements

OMB Circular A-11, Preparation, Submission and Execution of the Budget

OMB Circular A-123, Management's Responsibility for Enterprise Risk Management and Internal Control

OMB Circular A-130, Management of Federal Information Resources

GS23F0038U/31310019F0037 Page 14 of 37

OMB Circular A-136, Financial Reporting Requirements

Single Audit Act C.8 Section 508 - Electronic and Information Technology Standards

1. Background

In December 2000, the Architectural and Transportation Barriers Compliance Board (Access Board),

pursuant to Section 508(2)(A) of the Rehabilitation Act Amendments of 1998, established electronic and information technology accessibility (Section 508) standards for the federal government. Section 508(a)(1) requires that when federal departments or agencies develop, procure, maintain, or use electronic and information technology they shall ensure that the EIT allows federal employees with disabilities to have access to and use of information and data that is comparable to the access to and use of information and data by other Federal employees. The Section 508 requirement also applies to members of the public seeking information or services from a federal department or agency.

The Section 508 standards (codified at 36 CFR § 1194) were revised by the Access Board and published on January 18, 2017 and minor corrections were made on January 22, 2018, effective March 23, 2018. The revised Section 508 standards have replaced the term EIT with information and communication technology (ICT). The text of the revised Section 508 standards can be found in 1194.1 and in Appendices A, C and D of Part 1194 (at https://www.ecfr.gov/cgi-bin/text-idx?SID=caeb8ddcea26ba5002c2eea047698e85&mc=true&tpl=/ecfrbrowse/Title36/36cfr1194 main 02.tpl).

2. General Requirements In order to help the NRC comply with Section 508 of the Rehabilitation Act of 1973, as amended (29 U.S.C. § 794d)(Section 508), the Contractor shall ensure that its electronic content deliverables under this acquisition are:

1) in conformance with, and

2) support the requirements of the Standards for Section 508 of the Rehabilitation Act, as set forth in 1194.1 and in Appendices A and C of 36 CFR § 1194.

The use of an alternative design or technology that results in substantially equivalent or greater accessibility and usability by individuals with disabilities than would be provided by conformance to one or more of the requirements in Chapters 4 and 5 of the Revised Section 508 Standards is permitted. The Contractor shall use the functional performance criteria in Chapter 3 of the Revised Section 508 Standards to determine whether substantially equivalent or greater accessibility and usability is provided to individuals with disabilities.

3. Applicable Section 508 Standards The following provisions of 36 CFR § 1194 are applicable to the Contractors electronic content deliverables:

Applicable?

(Yes/No Provision of 36 CFR Part 1194

/Maybe)

Appendix A to Part 1194 - Section 508 of the Rehabilitation Act: Application and Yes Scoping Requirements (Always applies) o Section 508 Chapter 1: Application and Administration - sets forth general Yes application and administration provisions (Always applies)

Yes E101 General (Always applies)

Yes E102 Referenced Standards (Always applies)

Yes E103 Definitions (Always applies)

GS23F0038U/31310019F0037 Page 15 of 37 Applicable?

(Yes/No Provision of 36 CFR Part 1194

/Maybe) o Section 508 Chapter 2: Scoping Requirements - containing scoping Yes requirements (which, in turn, prescribe which ICT - and, in some cases, how many - must comply with the technical specifications) (Always applies)

Yes E201 Application Yes E202 General Exceptions Yes E202.1 General No E202.2 Legacy ICT No E202.3 National Security Systems Yes E202.4 Federal Contracts No E202.5 ICT Functions Located in Maintenance or Monitoring Spaces No E202.6 Undue Burden or Fundamental Alteration No E202.7 Best Meets No E203 Access to Functionality No E203.1 General (Applies to NRC)

No E203.2 User Needs Yes E204 Functional Performance Criteria Yes E205 Electronic Content Yes E205.1 General (Always applies)

Yes E205.2 Public Facing (Always applies)

Maybe E205.3 Agency Official Communication No E206 Hardware No E207 Software No E208 Support Documentation and Services Appendix C to Part 1194 - Functional Performance Criteria and Technical Yes Requirements (Always applies) o Chapter 3: Functional Performance Criteria - applies to ICT where required by Yes 508 Chapter 2 (Scoping Requirements) and where otherwise referenced in any other chapter of the Revised 508 Standards (Always applies)

Yes 301 General (Always applies)

Yes 302 Functional Performance Criteria (Always applies)

No o Chapter 4: Hardware No 401 General No 402 Closed Functionality No 403 Biometrics No 404 Preservation of Information Provided for Accessibility No 405 Privacy No 406 Standard Connections No 407 Operable Parts No 408 Display screens No 409 Status Indicators No 410 Color Coding No 411 Audible Signals No 412 ICT with Two-Way Communication No 413 Closed Caption Processing Technologies No 414 Audio Description Processing Technologies No 415 User Controls for Captions and Audio Descriptions No o Chapter 5: Software No 501 General No 502 Interoperability with Assistive Technology No 503 Applications

GS23F0038U/31310019F0037 Page 16 of 37 Applicable?

(Yes/No Provision of 36 CFR Part 1194

/Maybe)

No 504 Authoring Tools (maybe) o Chapter 6: Support Documentation and Services (Always applies if Chapters 4 No or 5 apply)

No 601 General No 602 Support Documentation No 603 Support Services Yes o Chapter 7: Referenced Standards (Always applies)

Yes 701 General (Always applies)

Yes 702 Incorporation by Reference (Always applies)

No Appendix D to Part 1194Electronic and Information Technology Accessibility Standards as Originally Published on December 21, 2000 Refer to Chapter 2 (Scoping Requirements) first to confirm what provisions in Appendix C apply in a particular case.

4. Electronic Content Deliverables All formal and final versions of the following electronic content deliverables shall conform to section E205.4, unless the Contractor requests and obtains advance written approval from the COR for a specific deliverable.

Electronic content deliverables that are in Adobe Portable Document Format (PDF) shall conform to the requirement in E205.4 of the Revised 508 Standards and ISO 14289-1 (PDF/UA-1) unless the Contractor requests and obtains advance written approval from the COR for a specific deliverable.

5. Section 508 Inspection and Acceptance The COR reserves the right to conduct hands-on testing to validate the Contractors Section 508 conformance claims.

C.9 Place of Performance Work for this task order shall be performed primarily at the Contractors site. On occasion, the work will require the Contractor to be on site at NRC headquarters, 11555 Rockville Pike, Rockville, Maryland.

This shall include the periods of time when the Contractor gathers internal controls information from NRC, when testing internal controls, or when access to a particular IT system is necessary. For those requirements, the COR will provide access to the staff and IT systems necessary to complete the work.

The Contractor shall inform the COR via email (2) business days in advance when such requirements are going to occur.

In addition, the Contractor shall meet with the COR on a weekly basis and attend monthly status meetings on site at NRC headquarters.

C.12 Security Requirements The Contractor shall return NRC issued Personal Identification Verification (PIV) cards/badges to the COR at the end of the period of performance. If Contractor personnel are reassigned or are otherwise no longer available to work on this task order, the Contractor must return that persons badge to the COR on the persons final day of work on the task order. Once the badge is returned to the COR, that person will no longer have access to NRC buildings, sensitive information technology systems or data. Additional information related to the returning of PIV badges may be found in Management Directive 12.1, Section 5.

GS23F0038U/31310019F0037 Page 17 of 37 SECTION D - Packaging and Marking D.1 PACKAGING AND MARKING (a) The Contractor shall package material for shipment to the NRC in such a manner that will ensure acceptance by common carrier and safe delivery at destination. Containers and closures shall comply with the Surface Transportation Board, Uniform Freight Classification Rules, or regulations of other carriers as applicable to the mode of transportation.

(b) On the front of the package, the Contractor shall clearly identify the contract number under which the product is being provided.

D.2 BRANDING The Contractor is required to use the statement below in any publications, presentations, articles, products, or materials funded under this order, to the extent practical, in order to provide NRC with recognition for its involvement in and contribution to the project. If the work performed is funded entirely with NRC funds, then the contractor must acknowledge that information in its documentation/

presentation. Work Supported by the U.S. Nuclear Regulatory Commission (NRC), Office of the Chief Financial Officer under Contract/order number GS23F0038U/31310019F0037.

GS23F0038U/31310019F0037 Page 18 of 37 SECTION E - Inspection and Acceptance E.1 NRCE010 INSPECTION AND ACCEPTANCE BY THE NRC (SEP 2013)

Inspection and acceptance of the deliverable items to be furnished hereunder shall be made by the NRC Contracting Officers Representative (COR) at the destination, accordance with FAR 52.247 F.o.b.

Destination.

Contract Deliverables:

See deliverable section under C.5 in the Statement of Work

GS23F0038U/31310019F0037 Page 19 of 37 SECTION F - Deliveries or Performance F.1 PERIOD OF PERFORMANCE The base period of this task order shall commence on the date of award until November 30, 2019. The term of this contract may be extended at the option of the Government for four (4) one-year option periods. The periods of performance are:

Base Period: 4/24/2019 - 11/30/2019 Option Period 1: 12/01/2019 - 11/30/2020 Option Period 2: 12/01/2020 - 11/30/2021 Option Period 3: 12/01/2021 - 11/30/2022 Option Period 4: 12/01/2022 - 11/30/2023

GS23F0038U/31310019F0037 Page 20 of 37 SECTION G - Contract Administration Data G.1 ELECTRONIC PAYMENT (DEC 2017)

The Debt Collection Improvement Act of 1996 requires that all payments except IRS tax refunds be made by Electronic Funds Transfer. Payment shall be made in accordance with FAR 52.232-33, entitled Payment by Electronic Funds Transfer-System for Award Management. To receive payment, the contractor shall prepare invoices in accordance with NRCs Billing Instructions. Claims shall be submitted through the Invoice Processing Platform (IPP) (https://www.ipp.gov/). Back up documentation shall be included as required by the NRCs Billing Instructions.

GS23F0038U/31310019F0037 Page 21 of 37 SECTION H - Special Contract Requirements H.1 ANNUAL AND FINAL CONTRACTOR PERFORMANCE EVALUATIONS Annual and final evaluations of contractor performance under this contract will be prepared in accordance with FAR Subpart 42.15, "Contractor Performance Information," normally at or near the time the contractor is notified of the NRC's intent to exercise the contract option. If the multi-year contract does not have option years, then an annual evaluation will be prepared n/a. Final evaluations of contractor performance will be prepared at the expiration of the contract during the contract closeout process.

The Contracting Officer will transmit the NRC Contracting Officers Representatives (COR) annual and final contractor performance evaluations via CPARS. The Contractor will be permitted thirty days to review the document and submit comments, rebutting statements, or additional information.

Where a contractor concurs with, or takes no exception to an annual performance evaluation, the Contracting Officer will consider such evaluation final and releasable for source selection purposes.

Disagreements between the parties regarding a performance evaluation will be referred to an individual one level above the Contracting Officer, whose decision will be final.

The completed evaluation report also will be used as a tool to improve communications between the NRC and the contractor and to improve contract performance.

The completed annual performance evaluation will be used to support future award decisions in accordance with FAR 42.1502 and 42.1503. During the period the information is being used to provide source selection information, the completed annual performance evaluation will be released to only two parties - the Federal government personnel performing the source selection evaluation and the contractor under evaluation if the contractor does not have a copy of the report already.

H.2 AUTHORITY TO USE GOVERNMENT PROVIDED SPACE AT NRC HEADQUARTERS (SEP 2013)

Prior to occupying any Government provided space at NRC Headquarters in Rockville Maryland, the Contractor shall obtain written authorization to occupy specifically designated government space, via the NRC Contracting Officers Representative (COR), from the Chief, Space Design Branch, Office of Administration. Failure to obtain this prior authorization can result in one, or a combination, of the following remedies as deemed appropriate by the Contracting Officer.

(1) Rental charge for the space occupied will be deducted from the invoice amount due the Contractor (2) Removal from the space occupied (3) Contract Termination H.3 AWARD NOTIFICATION AND COMMITMENT OF PUBLIC FUNDS It is brought to your attention that the contracting officer is the only individual who can legally obligate funds or commit the NRC to the expenditure of public funds in connection with this procurement. This means that unless provided in a contract document or specifically authorized by the contracting officer, NRC technical personnel may not issue contract modifications, give formal contractual commitments, or otherwise bind, commit, or obligate the NRC contractually. Informal unauthorized commitments, which do not obligate the NRC and do not entitle the contractor to payment, may include:

(1) Encouraging a potential contractor to incur costs prior to receiving a contract; (2) Requesting or requiring a contractor to make changes under a contract without formal contract modifications; (3) Encouraging a contractor to incur costs under a cost-reimbursable contract in excess of those costs contractually allowable; and (4) Committing the Government to a course of action with regard to a potential contract, contract change, claim, or dispute.

GS23F0038U/31310019F0037 Page 22 of 37 H.4 COMPLIANCE WITH U.S. IMMIGRATION LAWS AND REGULATIONS NRC contractors are responsible to ensure that their alien personnel are not in violation of United States immigration laws and regulations, including employment authorization documents and visa requirements.

Each alien employee of the Contractor must be lawfully admitted for permanent residence as evidenced by Permanent Resident Form I-551 (Green Card), or must present other evidence from the U.S.

Department of Homeland Security/U.S. Citizenship and Immigration Services that employment will not affect his/her immigration status. The U.S. Citizenship and Immigration Services provides information to contractors to help them understand the employment eligibility verification process for non-US citizens.

This information can be found on their website, http://www.uscis.gov/portal/site/uscis.

The NRC reserves the right to deny or withdraw Contractor use or access to NRC facilities or its equipment/services, and/or take any number of contract administrative actions (e.g., disallow costs, terminate for cause) should the Contractor violate the Contractor's responsibility under this clause.

H.5 CONTRACTOR RESPONSIBILITY FOR PROTECTING PERSONALLY IDENTIFIABLE INFORMATION (PII)

In accordance with the Office of Management and Budget's guidance to Federal agencies and the Nuclear Regulatory Commission's (NRC) implementing policy and procedures, a contractor (including subcontractors and contractor employees), who performs work on behalf of the NRC, is responsible for protecting, from unauthorized access or disclosure, personally identifiable information (PII) that may be provided, developed, maintained, collected, used, or disseminated, whether in paper, electronic, or other format, during performance of this contract.

A contractor who has access to NRC owned or controlled PII, whether provided to the contractor by the NRC or developed, maintained, collected, used, or disseminated by the contractor during the course of contract performance, must comply with the following requirements:

(1) General. In addition to implementing the specific requirements set forth in this clause, the contractor must adhere to all other applicable NRC guidance, policy and requirements for the handling and protection of NRC owned or controlled PII. The contractor is responsible for making sure that it has an adequate understanding of such guidance, policy and requirements.

(2) Use, Ownership, and Nondisclosure. A contractor may use NRC owned or controlled PII solely for purposes of this contract, and may not collect or use such PII for any purpose outside the contract without the prior written approval of the NRC Contracting Officer. The contractor must restrict access to such information to only those contractor employees who need the information to perform work under this contract, and must ensure that each such contractor employee (including subcontractors' employees) signs a nondisclosure agreement, in a form suitable to the NRC Contracting Officer, prior to being granted access to the information. The NRC retains sole ownership and rights to its PII.

Unless the contract states otherwise, upon completion of the contract, the contractor must turn over all PII in its possession to the NRC, and must certify in writing that it has not retained any NRC owned or controlled PII except as otherwise authorized in writing by the NRC Contracting Officer.

(3) Security Plan. When applicable, and unless waived in writing by the NRC Contracting Officer, the contractor must work with the NRC to develop and implement a security plan setting forth adequate procedures for the protection of NRC owned or controlled PII as well as the procedures which the contractor must follow for notifying the NRC in the event of any security breach. The plan will be incorporated into the contract and must be implemented and followed by the contractor once it has been approved by the NRC Contracting Officer. If the contract does not include a security plan at the time of contract award, a plan must be submitted for the approval of the NRC Contracting Officer within 30 days after contract award.

(4) Breach Notification. The contractor must immediately notify the NRC Contracting Officer and the NRC Contracting Officers Representative (COR) upon discovery of any suspected or confirmed

GS23F0038U/31310019F0037 Page 23 of 37 breach in the security of NRC owned or controlled PII.

(5) Legal Demands for Information. If a legal demand is made for NRC owned or controlled PII (such as by subpoena), the contractor must immediately notify the NRC Contracting Officer and the NRC Contracting Officers Representative (COR). After notification, the NRC will determine whether and to what extent to comply with the legal demand. The Contracting Officer will then notify the contractor in writing of the determination and such notice will indicate the extent of disclosure authorized, if any.

The contractor may only release the information specifically demanded with the written permission of the NRC Contracting Officer.

(6) Audits. The NRC may audit the contractor's compliance with the requirements of this clause, including through the use of online compliance software.

(7) Flow-down. The prime contractor will flow this clause down to subcontractors that would be covered by any portion of this clause, as if they were the prime contractor.

(8) Remedies:

(a) The contractor is responsible for implementing and maintaining adequate security controls to prevent the loss of control or unauthorized disclosure of NRC owned or controlled PII in its possession. Furthermore, the contractor is responsible for reporting any known or suspected loss of control or unauthorized access to PII to the NRC in accordance with the provisions set forth in Article 4 above.

(b) Should the contractor fail to meet its responsibilities under this clause, the NRC reserves the right to take appropriate steps to mitigate the contractor's violation of this clause. This may include, at the sole discretion of the NRC, termination of the subject contract.

(9) Indemnification. Notwithstanding any other remedies available to the NRC, the contractor will indemnify the NRC against all liability (including costs and fees) for any damages arising out of violations of this clause.

H.6 GREEN PURCHASING (a) In furtherance of the sustainable acquisition goals of Executive Order (EO) 13693, "Planning for Federal Sustainability in the Next Decade," products and services provided under this contract/order shall be energy efficient (EnergyStar or Federal Energy Management Program - FEMP-designated products), water efficient, biobased, environmentally preferable (excluding EPEAT-registered products), non-ozone depleting, contain recycled content, or are non- or low toxic alternatives or hazardous constituents (e.g., non-VOC paint), where such products and services meet agency performance requirements. See: Executive Order (EO) 13693, "Planning for Federal Sustainability in the Next Decade."

(b) The NRC and contractor may negotiate during the contract term to permit the substitution or addition of designated recycled content products (i.e., Comprehensive Procurement Guidelines - CPG),

EPEAT-registered products, EnergyStar- and FEMP designated energy efficient products and appliances, USDA designated biobased products (Biopreferred program), environmentally preferable products, WaterSense and other water efficient products, products containing non- or lower-ozone depleting substances (i.e., SNAP), and products containing non- or low-toxic or hazardous constituents (e.g., non-VOC paint), when such products and services are readily available at a competitive cost and satisfy the NRCs performance needs.

(c) The contractor shall flow down this clause into all subcontracts and other agreements that relate to performance of this contract/order.

GS23F0038U/31310019F0037 Page 26 of 37 approved by the contracting officer, the security provisions of the contract continue to be applicable to the matter retained.

(c) In connection with the performance of the work under this order, the contractor may be furnished, or may develop or acquire, proprietary data (trade secrets) or confidential or privileged technical, business, or financial information, including Commission plans, policies, reports, financial plans, internal data protected by the Privacy Act of 1974 (Pub. L.93-579), or other information which has not been released to the public or has been determined by the Commission to be otherwise exempt from disclosure to the public. The contractor agrees to hold the information in confidence and not to directly or indirectly duplicate, disseminate, or disclose the information, in whole or in part, to any other person or organization except as necessary to perform the work under this order. The contractor agrees to return the information to the Commission or otherwise dispose of it at the direction of the contracting officer. Failure to comply with this clause is grounds for termination of this order.

(d) Regulations. The contractor agrees to conform to all security regulations and requirements of the Commission which are subject to change as directed by the NRC Division of Facilities and Security and the Contracting Officer. These changes will be under the authority of the FAR Changes clause referenced in Section I of this document.

(e) Definition of National Security Information. As used in this clause, the term National Security Information means information that has been determined pursuant to Executive Order 12958 or any predecessor order to require protection against unauthorized disclosure and that is so designated.

(f) Definition of Restricted Data. As used in this clause, the term Restricted Data means all data concerning design, manufacture, or utilization of atomic weapons; the production of special nuclear material; or the use of special nuclear material in the production of energy, but does not include data declassified or removed from the Restricted Data category under to Section 142 of the Atomic Energy Act of 1954, as amended.

(g) Definition of Formerly Restricted Data. As used in this clause the term Formerly Restricted Data means all data removed from the Restricted Data category under Section 142-d of the Atomic Energy Act of 1954, as amended.

(h) Security clearance personnel. The contractor may not permit any individual to have access to Restricted Data, Formerly Restricted Data, or other classified information, except in accordance with the Atomic Energy Act of 1954, as amended, and the Commission's regulations or requirements applicable to the particular type or category of classified information to which access is required. The contractor shall also execute a Standard Form 312, Classified Information Nondisclosure Agreement, when access to classified information is required.

(i) Criminal liabilities. Disclosure of National Security Information, Restricted Data, and Formerly Restricted Data relating to the work or services ordered hereunder to any person not entitled to receive it, or failure to safeguard any Restricted Data, Formerly Restricted Data, or any other classified matter that may come to the contractor or any person under the contractor's control in connection with work under this order, may subject the contractor, its agents, employees, or subcontractors to criminal liability under the laws of the United States. (See the Atomic Energy Act of 1954, as amended, 42 U.S.C. 2011 et seq.; 18 U.S.C. 793 and 794; and Executive Order 12958.)

(j) Subcontracts and purchase orders. Except as otherwise authorized, in writing, by the contracting officer, the contractor shall insert provisions similar to the foregoing in all subcontracts and purchase orders under this order.

(k) In performing contract work, the contractor shall classify all documents, material, and equipment originated or generated by the contractor in accordance with guidance issued by the Commission.

Every subcontract and purchase order issued under the contract that involves originating or generating classified documents, material, and equipment must provide that the subcontractor or supplier assign the proper classification to all documents, material, and equipment in accordance with guidance furnished by the contractor.

H.12 SECURITY REQUIREMENTS FOR BUILDING ACCESS APPROVAL (SEP 2013)

The Contractor shall ensure that all its employees, subcontractor employees or consultants who are assigned to perform the work herein for contract performance for periods of more than 30 calendar days at NRC facilities, are approved by the NRC for unescorted NRC building access.

GS23F0038U/31310019F0037 Page 27 of 37 The Contractor shall conduct a preliminary federal facilities security screening interview or review for each of its employees, subcontractor employees, and consultants and submit to the NRC only the names of candidates for contract performance that have a reasonable probability of obtaining approval necessary for access to NRC's federal facilities. The Contractor shall pre-screen its applicants for the following:

(a) felony arrest in the last seven (7) years; (b) alcohol related arrest within the last five (5) years; (c) record of any military courts-martial convictions in the past ten (10) years; (d) illegal use of narcotics or other controlled substances possession in the past year, or illegal purchase, production, transfer, or distribution of narcotics or other controlled substances in the last seven (7) years; and (e) delinquency on any federal debts or bankruptcy in the last seven (7) years.

The Contractor shall make a written record of its pre-screening interview or review (including any information to mitigate the responses to items listed in (a) - (e)), and have the applicant verify the pre-screening record or review, sign and date it. Two (2) copies of the pre-screening signed record or review shall be supplied to the Division of Facilities and Security, Personnel Security Branch (DFS/PSB) with the Contractor employee's completed building access application package.

The Contractor shall further ensure that its employees, any subcontractor employees and consultants complete all building access security applications required by this clause within fourteen (14) calendar days of notification by DFS/PSB of initiation of the application process. Timely receipt of properly completed records of the Contractor's signed pre-screening record or review and building access security applications (submitted for candidates that have a reasonable probability of obtaining the level of access authorization necessary for access to NRC's facilities) is a contract requirement. Failure of the Contractor to comply with this order administration requirement may be a basis to cancel the award, or terminate the contract for default, or offset from the contract's invoiced cost or price the NRC's incurred costs or delays as a result of inadequate pre-screening by the Contractor. In the event of cancellation or termination, the NRC may select another firm for contract award.

A Contractor, subcontractor employee or consultant shall not have access to NRC facilities until he/she is approved by DFS/PSB. Temporary access may be approved based on a favorable NRC review and discretionary determination of their building access security forms. Final building access will be approved based on favorably adjudicated checks by the Government. However, temporary access approval will be revoked and the Contractor's employee may subsequently be denied access in the event the employee's investigation cannot be favorably determined by the NRC. Such employee will not be authorized to work under any NRC contract requiring building access without the approval of DFS/PSB. When an individual receives final access, the individual will be subject to a review or reinvestigation every five (5) or ten (10) years, depending on their job responsibilities at the NRC.

The Government shall have and exercise full and complete control and discretion over granting, denying, withholding, or terminating building access approvals for individuals performing work under this order.

Individuals performing work under this order at NRC facilities for a period of more than 30 calendar days shall be required to complete and submit to the Contractor representative an acceptable OPM Standard Form 85 (Questionnaire for Non-Sensitive Positions), and two (2) FD 258 (Fingerprint Charts). Non-U.S.

citizens must provide official documentation to the DFS/PSB, as proof of their legal residency. This documentation can be a Permanent Resident Card, Temporary Work Visa, Employment Authorization Card, or other official documentation issued by the U.S. Citizenship and Immigration Services. Any applicant with less than five (5) years residency in the U.S. will not be approved for building access. The Contractor shall submit the documents to the NRC Contracting Officers Representative (COR) who will give them to DFS/PSB.

DFS/PSB may, among other things, grant or deny temporary unescorted building access approval to an individual based upon its review of the information contained in the OPM Standard Form 85 and the Contractor's pre-screening record. Also, in the exercise of its authority, the Government may, among other things, grant or deny permanent building access approval based on the results of its review or investigation. This submittal requirement also applies to the officers of the firm who, for any reason, may visit the NRC work sites for an extended period of time during the term of the contract. In the event that

GS23F0038U/31310019F0037 Page 28 of 37 DFS/PSB are unable to grant a temporary or permanent building access approval, to any individual performing work under this order, the Contractor is responsible for assigning another individual to perform the necessary function without any delay in the contract's performance schedule, or without adverse impact to any other terms or conditions of the contract. The Contractor is responsible for informing those affected by this procedure of the required building access approval process (i.e., temporary and permanent determinations), and the possibility that individuals may be required to wait until permanent building access approvals are granted before beginning work in NRC's buildings.

CANCELLATION OR TERMINATION OF BUILDING ACCESS/ REQUEST The Contractor shall immediately notify the COR when a Contractor or subcontractor employee or consultant's need for NRC building access approval is withdrawn or the need by the Contractor employee's for building access terminates. The COR will immediately notify DFS/PSB (via e-mail) when a Contractor employee no longer requires building access. The Contractor shall be required to return any NRC issued badges to the COR for return to DFS/FSB (Facilities Security Branch) within three (3) days after their termination.

H.13 SECURITY REQUIREMENTS FOR INFORMATION TECHNOLOGY LEVEL I OR LEVEL II ACCESS APPROVAL (JUL 2016)

The contractor must identify all individuals selected to work under this order. The NRC Contracting Officers Representative (COR) shall make the final determination of the level, if any, of IT access approval required for all individuals working under this order using the following guidance. The Government shall have full and complete control and discretion over granting, denying, withholding, or terminating IT access approvals for contractor personnel performing work under this order.

The contractor shall conduct a preliminary security interview or review for each employee requiring IT level I or II access and submit to the Government only the names of candidates that have a reasonable probability of obtaining the level of IT access approval for which the employee has been proposed. The contractor shall pre-screen its applicants for the following:

(a) felony arrest in the last seven (7) years; (b) alcohol related arrest within the last five (5) years; (c) record of any military courts-martial convictions in the past ten (10) years; (d) illegal use of narcotics or other controlled substances possession in the past year, or illegal purchase, production, transfer, or distribution of narcotics or other controlled substances in the last seven (7) years; and (e) delinquency on any federal debts or bankruptcy in the last seven (7) years.

The contractor shall make a written record of its pre-screening interview or review (including any information to mitigate the responses to items listed in (a) - (e)), and have the employee verify the pre-screening record or review, sign and date it. The contractor shall supply two (2) copies of the signed contractor's pre-screening record or review to the NRC Contracting Officers Representative (COR), who will then provide them to the NRC Office of Administration, Division of Facilities and Security, Personnel Security Branch with the employees completed IT access application package.

The contractor shall further ensure that its personnel complete all IT access approval security applications required by this clause within fourteen (14) calendar days of notification by the NRC Contracting Officers Representative (COR) of initiation of the application process. Timely receipt of properly completed records of the pre-screening record and IT access approval applications (submitted for candidates that have a reasonable probability of obtaining the level of security assurance necessary for access to NRC's IT systems/data) is a requirement of this order. Failure of the contractor to comply with this requirement may be a basis to terminate the order for cause, or to offset from the contract's invoiced cost or price the NRC's incurred costs or delays as a result of inadequate pre-screening by the contractor.

SECURITY REQUIREMENTS FOR IT LEVEL I Performance under this order will involve contractor personnel who perform services requiring direct access to or operation of agency sensitive information technology systems or data (IT Level I). The IT

GS23F0038U/31310019F0037 Page 29 of 37 Level I involves responsibility for: (a) the planning, direction, and implementation of a computer security program; (b) major responsibility for the direction, planning, and design of a computer system, including hardware and software; (c) the capability to access a computer system during its operation or maintenance in such a way that could cause or that has a relatively high risk of causing grave damage; or (d) the capability to realize a significant personal gain from computer access.

Contractor personnel shall not have access to sensitive information technology systems or data until they are approved by DFS/PSB and they have been so informed in writing by the NRC Contracting Officers Representative (COR). Temporary IT access may be approved by DFS/PSB based on a favorable review or adjudication of their security forms and checks. Final IT access may be approved by DFS/PSB based on a favorably review or adjudication of a completed background investigation. However, temporary access authorization approval will be revoked and the employee may subsequently be denied IT access in the event the employees investigation cannot be favorably adjudicated. Such an employee will not be authorized to work under any NRC contract/order requiring IT access without the approval of DFS/PSB, as communicated in writing to the contractor by the NRC Contracting Officers Representative (COR).

Where temporary access authorization has been revoked or denied by DFS/PSB, the contractor shall assign another contractor employee to perform the necessary work under this order without delay to the order performance schedule, or without adverse impact to any other terms or conditions of the order.

When an individual receives final IT access approval from DFS/PSB, the individual will be subject to a reinvestigation every ten (10) years thereafter (assuming continuous performance under contracts/orders at NRC) or more frequently in the event of noncontinuous performance under contracts/orders at NRC.

CORs are responsible for submitting the completed access/clearance request package as well as other documentation that is necessary to DFS/PSB. The contractor shall submit a completed security forms packet, including the OPM Standard Form (SF) 86 (online Questionnaire for National Security Positions),

two (2) copies of the Contractor's signed pre-screening record, and two (2) FD 258 fingerprint charts, to DFS/PSB for review and adjudication, prior to the individual being authorized to perform work under this order requiring access to sensitive information technology systems or data. Non-U.S. citizens must provide official documentation to the DFS/PSB, as proof of their legal residency. This documentation can be a Permanent Resident Card, Temporary Work Visa, Employment Authorization Card, or other official documentation issued by the U.S. Citizenship and Immigration Services. Any applicant with less than seven (7) years residency in the U.S. will not be approved for IT Level I access. The Contractor shall submit the documents to the NRC Contracting Officers Representative (COR) who will give them to DFS/PSB. The contractor shall ensure that all forms are accurate, complete, and legible. Based on DFS/PSB review of the contractor employees security forms and/or the receipt of adverse information by NRC, the contractor individual may be denied access to NRC facilities and sensitive information technology systems or data until a final determination is made by DFS/PSB. The contractor individuals clearance status will thereafter be communicated to the contractor by the NRC Contracting Officers Representative (COR) regarding the contractor persons eligibility.

In accordance with NRCAR 2052.204-70 "Security," IT Level I contractors shall be subject to the attached NRC Form 187 and SF-86. Together, these furnish the basis for providing security requirements to contractors that have or may have an NRC contractual relationship which requires access to or operation of agency sensitive information technology systems, remote development and/or analysis of sensitive information technology systems or data, or other access to such systems and data; access on a continuing basis (in excess more than 30 calendar days) to NRC buildings; or otherwise requires issuance of an unescorted NRC badge.

SECURITY REQUIREMENTS FOR IT LEVEL II Performance under this order will involve contractor personnel that develop and/or analyze sensitive information technology systems or data or otherwise have access to such systems or data (IT Level II).

The IT Level II involves responsibility for the planning, design, operation, or maintenance of a computer system and all other computer or IT positions.

GS23F0038U/31310019F0037 Page 30 of 37 Contractor personnel shall not have access to sensitive information technology systems or data until they are approved by DFS/PSB and they have been so informed in writing by the NRC Contracting Officers Representative (COR). Temporary access may be approved by DFS/PSB based on a favorable review of their security forms and checks. Final IT access may be approved by DFS/PSB based on a favorably adjudication. However, temporary access authorization approval will be revoked and the contractor employee may subsequently be denied IT access in the event the employee's investigation cannot be favorably adjudicated. Such an employee will not be authorized to work under any NRC contract/order requiring IT access without the approval of DFS/PSB, as communicated in writing to the contractor by the NRC Contracting Officers Representative (COR). Where temporary access authorization has been revoked or denied by DFS/PSB, the contractor is responsible for assigning another contractor employee to perform the necessary work under this order without delay to the order performance schedule, or without adverse impact to any other terms or conditions of the order. When a contractor employee receives final IT access approval from DFS/PSB, the individual will be subject to a review or reinvestigation every ten (10) years (assuming continuous performance under order at NRC) or more frequently in the event of noncontinuous performance under order at NRC.

CORs are responsible for submitting the completed access/clearance request package as well as other documentation that is necessary to DFS/PSB. The contractor shall submit a completed security forms packet, including the OPM Standard Form (SF) 86 (online Questionnaire for National Security Positions),

two (2) copies of the Contractor's signed pre-screening record and two (2) FD 258 fingerprint charts, to DFS/PSB for review and adjudication, prior to the contractor employee being authorized to perform work under this order. Non-U.S. citizens must provide official documentation to the DFS/PSB, as proof of their legal residency. This documentation can be a Permanent Resident Card, Temporary Work Visa, Employment Authorization Card, or other official documentation issued by the U.S. Citizenship and Immigration Services. Any applicant with less than seven (7) years residency in the U.S. will not be approved for IT Level II access. The Contractor shall submit the documents to the NRC Contracting Officers Representative (COR) who will give them to DFS/PSB. The contractor shall ensure that all forms are accurate, complete, and legible. Based on DFS/PSB review of the contractor employees security forms and/or the receipt of adverse information by NRC, the contractor employee may be denied access to NRC facilities, sensitive information technology systems or data until a final determination is made by DFS/PSB regarding the contractor persons eligibility.

In accordance with NRCAR 2052.204-70 "Security," IT Level II contractors shall be subject to the attached NRC Form 187, SF-86, and contractor's record of the pre-screening. Together, these furnish the basis for providing security requirements to contractors that have or may have an NRC contractual relationship which requires access to or operation of agency sensitive information technology systems, remote development and/or analysis of sensitive information technology systems or data, or other access to such systems or data; access on a continuing basis (in excess of more than 30 calendar days) to NRC buildings; or otherwise requires issuance of an unescorted NRC badge.

CANCELLATION OR TERMINATION OF IT ACCESS/REQUEST When a request for IT access is to be withdrawn or canceled, the contractor shall immediately notify the NRC Contracting Officers Representative (COR) by telephone so that the access review may be promptly discontinued. The notification shall contain the full name of the contractor employee and the date of the request. Telephone notifications must be promptly confirmed by the contractor in writing to the NRC Contracting Officers Representative (COR), who will forward the confirmation to DFS/PSB.

Additionally, the contractor shall immediately notify the NRC Contracting Officers Representative (COR) in writing, who will in turn notify DFS/PSB, when a contractor employee no longer requires access to NRC sensitive automated information technology systems or data, including the voluntary or involuntary separation of employment of a contractor employee who has been approved for or is being processed for IT access.

The contractor shall flow the requirements of this clause down into all subcontracts and agreements with consultants for work that requires them to access NRC IT resources.

GS23F0038U/31310019F0037 Page 31 of 37 H.14 SECURITY REQUIREMENTS RELATING TO THE PRODUCTION OF REPORT(S) OR THE PUBLICATION OF RESULTS UNDER CONTRACTS, AGREEMENTS, AND GRANTS Review and Approval of Reports (a) Reporting Requirements. The contractor/grantee shall comply with the terms and conditions of the contract/grant regarding the contents of the draft and final report, summaries, data, and related documents, to include correcting, deleting, editing, revising, modifying, formatting, and supplementing any of the information contained therein, at no additional cost to the NRC. Performance under the contract/grant will not be deemed accepted or completed until it complies with the NRCs directions.

The reports, summaries, data, and related documents will be considered draft until approved by the NRC. The contractor/grantee agrees that the direction, determinations, and decisions on approval or disapproval of reports, summaries, data, and related documents created under this contract/grant remain solely within the discretion of the NRC.

(b) Publication of Results. Prior to any dissemination, display, publication, or release of articles, reports, summaries, data, or related documents developed under the contract/grant, the contractor/grantee shall submit them to the NRC for review and approval. The contractor/ grantee shall not release, disseminate, display or publish articles, reports, summaries, data, and related documents, or the contents therein, that have not been reviewed and approved by the NRC for release, display, dissemination or publication. The contractor/grantee agrees to conspicuously place any disclaimers, markings or notices, directed by the NRC, on any articles, reports, summaries, data, and related documents that the contractor/grantee intends to release, display, disseminate or publish to other persons, the public, or any other entities. The contractor/grantee agrees, and grants, a royalty-free, nonexclusive, irrevocable worldwide license to the government, to use, reproduce, modify, distribute, prepare derivative works, release, display or disclose the articles, reports, summaries, data, and related documents developed under the contract/grant, for any governmental purpose and to have or authorize others to do so.

(c) Identification/Marking of Sensitive Unclassified Non-Safeguards Information (SUNSI) and Safeguards Information (SGI). The decision, determination, or direction by the NRC that information possessed, formulated or produced by the contractor/grantee constitutes SUNSI or SGI is solely within the authority and discretion of the NRC. In performing the contract/grant, the contractor/grantee shall clearly mark SUNSI and SGI, to include for example, OUO-Allegation Information or OUO-Security Related Information on any reports, documents, designs, data, materials, and written information, as directed by the NRC. In addition to marking the information as directed by the NRC, the contractor shall use the applicable NRC cover sheet (e.g., NRC Form 461 Safeguards Information) in maintaining these records and documents. The contractor/grantee shall ensure that SUNSI and SGI is handled, maintained and protected from unauthorized disclosure, consistent with NRC policies and directions. The contractor/grantee shall comply with the requirements to mark, maintain, and protect all information, including documents, summaries, reports, data, designs, and materials in accordance with the provisions of Section 147 of the Atomic Energy Act of 1954 as amended, its implementing regulations (10 CFR 73.21), Sensitive Unclassified Non-Safeguards and Safeguards Information policies, and NRC Management Directives and Handbooks 12.5, 12.6 and 12.7.

(d) Remedies. In addition to any civil, criminal, and contractual remedies available under the applicable laws and regulations, failure to comply with the above provisions, and/or NRC directions, may result in suspension, withholding, or offsetting of any payments invoiced or claimed by the contractor/grantee.

(e) Flowdown. If the contractor/grantee intends to enter into any subcontracts or other agreements to perform this contract/grant, the contractor/grantee shall include all of the above provisions in any subcontracts or agreements.

H.15 2052.204-71 SITE ACCESS BADGE REQUIREMENTS. (JAN 1993)

During the life of this order, the rights of ingress and egress for contractor personnel must be made available as required. In this regard, all contractor personnel whose duties under this order require their presence on-site shall be clearly identifiable by a distinctive badge furnished by the Government. The Project Officer shall assist the contractor in obtaining the badges for contractor personnel. It is the sole

GS23F0038U/31310019F0037 Page 32 of 37 responsibility of the contractor to ensure that each employee has proper identification at all times. All prescribed identification must be immediately delivered to the Security Office for cancellation or disposition upon the termination of employment of any contractor personnel. Contractor personnel shall have this identification in their possession during on-site performance under this order. It is the contractor's duty to assure that contractor personnel enter only those work areas necessary for performance of contract work and to assure the safeguarding of any Government records or data that contractor personnel may come into contact with.

H.16 USE OF AUTOMATED CLEARING HOUSE (ACH) ELECTRONIC PAYMENT/REMITTANCE ADDRESS The Debt Collection Improvement Act of 1996 requires that all Federal payments except IRS tax refunds be made by Electronic Funds Transfer. lt is the policy of the Nuclear Regulatory Commission to pay government vendors by the Automated Clearing House (ACH) electronic funds transfer payment system.

Item 15C of the Standard Form 33 may be disregarded.

GS23F0038U/31310019F0037 Page 33 of 37 SECTION I - Contract Clauses I.1 52.217-9 OPTION TO EXTEND THE TERM OF THE CONTRACT. (MAR 2000)

(a) The Government may extend the term of this contract by written notice to the Contractor within the period of performance; provided that the Government gives the Contractor a preliminary written notice of its intent to extend at any time before the contract expires. The preliminary notice does not commit the Government to an extension.

(b) If the Government exercises this option, the extended contract shall be considered to include this option clause.

(c) The total duration of this contract, including the exercise of any options under this clause, shall not exceed 5 years.

I.2 52.217-8 OPTION TO EXTEND SERVICES. (NOV 1999)

The Government may require continued performance of any services within the limits and at the rates specified in the contract. These rates may be adjusted only as a result of revisions to prevailing labor rates provided by the Secretary of Labor. The option provision may be exercised more than once, but the total extension of performance hereunder shall not exceed 6 months. The Contracting Officer may exercise the option by written notice to the Contractor within the period of performance.

I.3 52.227-14 RIGHTS IN DATA-GENERAL. (MAY 2014)

(a) Definitions. As used in this clause-Computer database or database means a collection of recorded information in a form capable of, and for the purpose of, being stored in, processed, and operated on by a computer. The term does not include computer software.

Computer software- (1) Means (i) Computer programs that comprise a series of instructions, rules, routines, or statements, regardless of the media in which recorded, that allow or cause a computer to perform a specific operation or series of operations; and (ii) Recorded information comprising source code listings, design details, algorithms, processes, flow charts, formulas, and related material that would enable the computer program to be produced, created, or compiled.

(2) Does not include computer databases or computer software documentation.

Computer software documentation means owner's manuals, user's manuals, installation instructions, operating instructions, and other similar items, regardless of storage medium, that explain the capabilities of the computer software or provide instructions for using the software.

Data means recorded information, regardless of form or the media on which it may be recorded. The term includes technical data and computer software. The term does not include information incidental to contract administration, such as financial, administrative, cost or pricing, or management information.

Form, fit, and function data means data relating to items, components, or processes that are sufficient to enable physical and functional interchangeability, and data identifying source, size, configuration, mating and attachment characteristics, functional characteristics, and performance requirements. For computer software it means data identifying source, functional characteristics, and performance requirements but specifically excludes the source code, algorithms, processes, formulas, and flow charts of the software.

Limited rights means the rights of the Government in limited rights data as set forth in the Limited

GS23F0038U/31310019F0037 Page 34 of 37 Rights Notice of paragraph (g)(3) if included in this clause.

Limited rights data means data, other than computer software, that embody trade secrets or are commercial or financial and confidential or privileged, to the extent that such data pertain to items, components, or processes developed at private expense, including minor modifications.

Restricted computer software means computer software developed at private expense and that is a trade secret, is commercial or financial and confidential or privileged, or is copyrighted computer software, including minor modifications of the computer software.

Restricted rights, as used in this clause, means the rights of the Government in restricted computer software, as set forth in a Restricted Rights Notice of paragraph (g) if included in this clause, or as otherwise may be provided in a collateral agreement incorporated in and made part of this contract, including minor modifications of such computer software.

Technical data, means recorded information (regardless of the form or method of the recording) of a scientific or technical nature (including computer databases and computer software documentation).

This term does not include computer software or financial, administrative, cost or pricing, or management data or other information incidental to contract administration. The term includes recorded information of a scientific or technical nature that is included in computer databases (See 41 U.S.C. 116).

Unlimited rights means the rights of the Government to use, disclose, reproduce, prepare derivative works, distribute copies to the public, and perform publicly and display publicly, in any manner and for any purpose, and to have or permit others to do so.

(b) Allocation of rights. (1) Except as provided in paragraph (c) of this clause, the Government shall have unlimited rights in-(i) Data first produced in the performance of this contract; (ii) Form, fit, and function data delivered under this contract; (iii) Data delivered under this contract (except for restricted computer software) that constitute manuals or instructional and training material for installation, operation, or routine maintenance and repair of items, components, or processes delivered or furnished for use under this contract; and (iv) All other data delivered under this contract unless provided otherwise for limited rights data or restricted computer software in accordance with paragraph (g) of this clause.

(2) The Contractor shall have the right to-(i) Assert copyright in data first produced in the performance of this contract to the extent provided in paragraph (c)(1) of this clause; (ii) Use, release to others, reproduce, distribute, or publish any data first produced or specifically used by the Contractor in the performance of this contract, unless provided otherwise in paragraph (d) of this clause; (iii) Substantiate the use of, add, or correct limited rights, restricted rights, or copyright notices and to take other appropriate action, in accordance with paragraphs (e) and (f) of this clause; and (iv) Protect from unauthorized disclosure and use those data that are limited rights data or restricted computer software to the extent provided in paragraph (g) of this clause.

(c) Copyright- (1) Data first produced in the performance of this contract. (i) Unless provided otherwise in paragraph (d) of this clause, the Contractor may, without prior approval of the Contracting Officer, assert copyright in scientific and technical articles based on or containing data first produced in the performance of this contract and published in academic, technical or professional journals, symposia proceedings, or similar works. The prior, express written permission of the Contracting Officer is required to assert copyright in all other data first produced in the performance of this contract.

(ii) When authorized to assert copyright to the data, the Contractor shall affix the applicable copyright notices of 17 U.S.C. 401 or 402, and an acknowledgment of Government sponsorship (including contract number).

GS23F0038U/31310019F0037 Page 35 of 37 (iii) For data other than computer software, the Contractor grants to the Government, and others acting on its behalf, a paid-up, nonexclusive, irrevocable, worldwide license in such copyrighted data to reproduce, prepare derivative works, distribute copies to the public, and perform publicly and display publicly by or on behalf of the Government. For computer software, the Contractor grants to the Government, and others acting on its behalf, a paid-up, nonexclusive, irrevocable, worldwide license in such copyrighted computer software to reproduce, prepare derivative works, and perform publicly and display publicly (but not to distribute copies to the public) by or on behalf of the Government.

(2) Data not first produced in the performance of this contract. The Contractor shall not, without the prior written permission of the Contracting Officer, incorporate in data delivered under this contract any data not first produced in the performance of this contract unless the Contractor-(i) Identifies the data; and (ii) Grants to the Government, or acquires on its behalf, a license of the same scope as set forth in paragraph (c)(1) of this clause or, if such data are restricted computer software, the Government shall acquire a copyright license as set forth in paragraph (g)(4) of this clause (if included in this contract) or as otherwise provided in a collateral agreement incorporated in or made part of this contract.

(3) Removal of copyright notices. The Government will not remove any authorized copyright notices placed on data pursuant to this paragraph (c), and will include such notices on all reproductions of the data.

(d) Release, publication, and use of data. The Contractor shall have the right to use, release to others, reproduce, distribute, or publish any data first produced or specifically used by the Contractor in the performance of this contract, except-(1) As prohibited by Federal law or regulation (e.g., export control or national security laws or regulations);

(2) As expressly set forth in this contract; or (3) If the Contractor receives or is given access to data necessary for the performance of this contract that contain restrictive markings, the Contractor shall treat the data in accordance with such markings unless specifically authorized otherwise in writing by the Contracting Officer.

(e) Unauthorized marking of data. (1) Notwithstanding any other provisions of this contract concerning inspection or acceptance, if any data delivered under this contract are marked with the notices specified in paragraph (g)(3) or (g) (4) if included in this clause, and use of the notices is not authorized by this clause, or if the data bears any other restrictive or limiting markings not authorized by this contract, the Contracting Officer may at any time either return the data to the Contractor, or cancel or ignore the markings. However, pursuant to 41 U.S.C. 4703, the following procedures shall apply prior to canceling or ignoring the markings.

(i) The Contracting Officer will make written inquiry to the Contractor affording the Contractor 60 days from receipt of the inquiry to provide written justification to substantiate the propriety of the markings; (ii) If the Contractor fails to respond or fails to provide written justification to substantiate the propriety of the markings within the 60-day period (or a longer time approved in writing by the Contracting Officer for good cause shown), the Government shall have the right to cancel or ignore the markings at any time after said period and the data will no longer be made subject to any disclosure prohibitions.

(iii) If the Contractor provides written justification to substantiate the propriety of the markings within the period set in paragraph (e)(1)(i) of this clause, the Contracting Officer will consider such written justification and determine whether or not the markings are to be cancelled or ignored. If the Contracting Officer determines that the markings are authorized, the Contractor will be so notified in writing. If the Contracting Officer determines, with concurrence of the head of the contracting activity, that the markings are not authorized, the Contracting Officer will furnish the Contractor a written determination, which determination will become the final agency decision regarding the appropriateness of the markings unless the Contractor files suit in a court of competent jurisdiction within 90 days of receipt of the Contracting Officer's decision. The Government will continue to abide by the markings under this paragraph (e)(1)(iii) until final resolution of the matter either by the Contracting Officer's determination becoming final (in which instance the Government will thereafter have the right

GS23F0038U/31310019F0037 Page 36 of 37 to cancel or ignore the markings at any time and the data will no longer be made subject to any disclosure prohibitions), or by final disposition of the matter by court decision if suit is filed.

(2) The time limits in the procedures set forth in paragraph (e)(1) of this clause may be modified in accordance with agency regulations implementing the Freedom of Information Act (5 U.S.C. 552) if necessary to respond to a request thereunder.

(3) Except to the extent the Government's action occurs as the result of final disposition of the matter by a court of competent jurisdiction, the Contractor is not precluded by paragraph (e) of the clause from bringing a claim, in accordance with the Disputes clause of this contract, that may arise as the result of the Government removing or ignoring authorized markings on data delivered under this contract.

(f) Omitted or incorrect markings. (1) Data delivered to the Government without any restrictive markings shall be deemed to have been furnished with unlimited rights. The Government is not liable for the disclosure, use, or reproduction of such data.

(2) If the unmarked data has not been disclosed without restriction outside the Government, the Contractor may request, within 6 months (or a longer time approved by the Contracting Officer in writing for good cause shown) after delivery of the data, permission to have authorized notices placed on the data at the Contractor's expense. The Contracting Officer may agree to do so if the Contractor-(i) Identifies the data to which the omitted notice is to be applied; (ii) Demonstrates that the omission of the notice was inadvertent; (iii) Establishes that the proposed notice is authorized; and (iv) Acknowledges that the Government has no liability for the disclosure, use, or reproduction of any data made prior to the addition of the notice or resulting from the omission of the notice.

(3) If data has been marked with an incorrect notice, the Contracting Officer may-(i) Permit correction of the notice at the Contractor's expense if the Contractor identifies the data and demonstrates that the correct notice is authorized; or (ii) Correct any incorrect notices.

(g) Protection of limited rights data and restricted computer software. (1) The Contractor may withhold from delivery qualifying limited rights data or restricted computer software that are not data identified in paragraphs (b)(1)(i), (ii), and (iii) of this clause. As a condition to this withholding, the Contractor shall-(i) Identify the data being withheld; and (ii) Furnish form, fit, and function data instead.

(2) Limited rights data that are formatted as a computer database for delivery to the Government shall be treated as limited rights data and not restricted computer software.

(3) (Reserved)

(h) Subcontracting. The Contractor shall obtain from its subcontractors all data and rights therein necessary to fulfill the Contractor's obligations to the Government under this contract. If a subcontractor refuses to accept terms affording the Government those rights, the Contractor shall promptly notify the Contracting Officer of the refusal and shall not proceed with the subcontract award without authorization in writing from the Contracting Officer.

(i) Relationship to patents or other rights. Nothing contained in this clause shall imply a license to the Government under any patent or be construed as affecting the scope of any license or other right otherwise granted to the Government.

I.4 52.252-2 CLAUSES INCORPORATED BY REFERENCE. (FEB 1998)

This contract incorporates one or more clauses by reference, with the same force and effect as if they were given in full text. Upon request, the Contracting Officer will make their full text available. Also, the full text of a clause may be accessed electronically at this/these address(es):

https://www.acquisition.gov/?q=browsefar https://www.nrc.gov/about-nrc/contracting/48cfr-ch20.html

GS23F0038U/31310019F0037 Page 37 of 37 SECTION J - ATTACHMENTS

1) Cost/Price Spreadsheet

2) NRC Form 187 Contract Security and/or Classification Requirements

3) NRC Management Directive 4.4

4) NRC Management Directive 12.1

5) IPP Billing Instructions for Fixed Price Contracts

ML19114A287

Text

References:

1. Background

Navigation menu

Search