ML19196A080

Task Order No. 31310019F0043 to Contract No. GS06F1018Z
ML19196A080
Person / Time
Issue date: 07/15/2019
From: Jessica Chu
Acquisition Management Division
To: Lyttle G
Technology Solutions Provider
References
GS06F1018Z
Download: ML19196A080 (49)


Text

NRCPAYMENTS ROCKVILLE MD 20852-2738 MAILSTOP T9-B07 11545 ROCKVILLE PIKE TWO WHITE FLINT NORTH US NUCLEAR REGULATORY COMMISSION 7038687790 104603696 SEE ADDENDUM IS CHECKED CODE 18a. PAYMENT WILL BE MADE BY CODE FACILITY CODE 17b. CHECK IF REMITTANCE IS DIFFERENT AND PUT SUCH ADDRESS IN OFFER OFFEROR NRCHQ WASHINGTON DC 20555-0001 MAIL STOP TWFN-07B20M ACQUISITION MANAGEMENT DIVISION US NRC - HQ NRCHQ CODE

16. ADMINISTERED BY CODE X

541512 SIZE STANDARD:

100.00

% FOR:

SET ASIDE:

UNRESTRICTED OR NRCHQ RFP IFB

10. THIS ACQUISITION IS CODE RFQ
14. METHOD OF SOLICITATION 13b. RATING NAICS:

SMALL BUSINESS JOHNNIE BAKER 31310019F0043 07/15/2019 (No collect calls)

INFORMATION CALL:

FOR SOLICITATION

8. OFFER DUE DATE/LOCAL TIME
b. TELEPHONE NUMBER
a. NAME
4. ORDER NUMBER
3. AWARD/
6. SOLICITATION
5. SOLICITATION NUMBER SOLICITATION/CONTRACT/ORDER FOR COMMERCIAL ITEMS
1. REQUISITION NUMBER PAGE OF 1

49 OGC-19-0008 OFFEROR TO COMPLETE BLOCKS 12, 17, 23, 24, & 30 TELEPHONE NO.

RESTON VA 201911557 11490 COMMERCE PARK DRIVE SUITE 200 ATTN GREG LYTTLE TECHNOLOGY SOLUTIONS PROVIDER INC 17a. CONTRACTOR/

ROCKVILLE MD 20852 4930 BOILING BROOK PARKWAY MAIL PROCESSING CENTER US NUCLEAR REGULATORY COMMISSION-

15. DELIVER TO WASHINGTON DC 20555-0001 MAIL STOP TWFN-07B20M ACQUISITION MANAGEMENT DIVISION
9. ISSUED BY
7.

GS06F1018Z

2. CONTRACT NO.

EFFECTIVE DATE

$27.50 18b. SUBMIT INVOICES TO ADDRESS SHOWN IN BLOCK 18a UNLESS BLOCK BELOW ISSUE DATE DELIVERY FOR FOB DESTINA-TION UNLESS BLOCK IS MARKED

11.

SEE SCHEDULE

12. DISCOUNT TERMS 30 THIS CONTRACT IS A RATED ORDER UNDER DPAS (15 CFR 700) 13a.

SERVICE-DISABLED VETERAN-OWNED SMALL BUSINESS HUBZONE SMALL BUSINESS 8(A)

US NRC - HQ WOMEN-OWNED SMALL BUSINESS (WOSB) ELIGIBLE UNDER THE WOMEN-OWNED SMALL BUSINESS PROGRAM EDWOSB X

24.

AMOUNT 23.

UNIT PRICE 22.

UNIT

21.

QUANTITY 20.

SCHEDULE OF SUPPLIES/SERVICES 19.

ITEM NO.

Accounting Info:

2019-X0200-FEEBASED-7C-7CD099-6047-51-L-156-252A-5 1-L-156-6047 Period of Performance: 07/15/2019 to 07/14/2020 00001 Base Period APPIAN Financial Disclosure System 255,650.60 for the Office of the General Counsel Continued...

(Use Reverse and/or Attach Additional Sheets as Necessary)

$576,026.45 HEREIN, IS ACCEPTED AS TO ITEMS:

X X

X DATED JESSICA CHU 07/15/2019

. YOUR OFFER ON SOLICITATION (BLOCK 5),

INCLUDING ANY ADDITIONS OR CHANGES WHICH ARE SET FORTH 1

COPIES TO ISSUING OFFICE. CONTRACTOR AGREES TO FURNISH AND DELIVER ARE ARE 31c. DATE SIGNED 27b. CONTRACT/PURCHASE ORDER INCORPORATES BY REFERENCE FAR 52.212-4. FAR 52.212-5 IS ATTACHED. ADDENDA 31a. UNITED STATES OF AMERICA (SIGNATURE OF CONTRACTING OFFICER) 30c. DATE SIGNED 31b. NAME OF CONTRACTING OFFICER (Type or print)

ALL ITEMS SET FORTH OR OTHERWISE IDENTIFIED ABOVE AND ON ANY ADDITIONAL SHEETS SUBJECT TO THE TERMS AND CONDITIONS SPECIFIED.

27a. SOLICITATION INCORPORATES BY REFERENCE FAR 52.212-1, 52.212-4. FAR 52.212-3 AND 52.212-5 ARE ATTACHED. ADDENDA

26. TOTAL AWARD AMOUNT (For Govt. Use Only)

OFFER STANDARD FORM 1449 (REV. 2/2012)

Prescribed by GSA - FAR (48 CFR) 53.212 ARE NOT ATTACHED.

ARE NOT ATTACHED.

AUTHORIZED FOR LOCAL REPRODUCTION PREVIOUS EDITION IS NOT USABLE 30b. NAME AND TITLE OF SIGNER (Type or print) 30a. SIGNATURE OF OFFEROR/CONTRACTOR

28. CONTRACTOR IS REQUIRED TO SIGN THIS DOCUMENT AND RETURN
25. ACCOUNTING AND APPROPRIATION DATA See schedule
29. AWARD OF CONTRACT: REF.

32e. MAILING ADDRESS OF AUTHORIZED GOVERNMENT REPRESENTATIVE 32c. DATE 32b. SIGNATURE OF AUTHORIZED GOVERNMENT REPRESENTATIVE ACCEPTED, AND CONFORMS TO THE CONTRACT, EXCEPT AS NOTED:

32a. QUANTITY IN COLUMN 21 HAS BEEN RECEIVED INSPECTED

40. PAID BY
39. S/R VOUCHER NUMBER
38. S/R ACCOUNT NUMBER
37. CHECK NUMBER FINAL PARTIAL
36. PAYMENT FINAL PARTIAL
35. AMOUNT VERIFIED CORRECT FOR
34. VOUCHER NUMBER
33. SHIP NUMBER COMPLETE 32g. E-MAIL OF AUTHORIZED GOVERNMENT REPRESENTATIVE 42d. TOTAL CONTAINERS 42c. DATE REC'D (YY/MM/DD) 42b. RECEIVED AT (Location) 42a. RECEIVED BY (Print) 41c. DATE 41b. SIGNATURE AND TITLE OF CERTIFYING OFFICER 41a. I CERTIFY THIS ACCOUNT IS CORRECT AND PROPER FOR PAYMENT STANDARD FORM 1449 (REV. 2/2012) BACK 24.

AMOUNT 23.

UNIT PRICE 22.

UNIT

21.

QUANTITY 20.

SCHEDULE OF SUPPLIES/SERVICES 19.

ITEM NO.

Includes:

Base Period (Phase I - Development)

Base Period (Phase II Operations and Maintenance)

Appian Licenses Ethics Management Accelerator (EMA) 10001 Option Period 1 APPIAN Licenses Renewal 0.00 Amount:

(Option Line Item)

Anticipated Exercise Date 07/14/2020 10002 Option Period 1 APPIAN O&M Optional Task 0.00 Amount:

(Option Line Item)

Anticipated Exercise Date 07/14/2020 20001 Option Period 2 APPIAN Licenses Renewal 0.00 Amount:

(Option Line Item)

Anticipated Exercise Date 07/14/2021 20002 Option Period 2 APPIAN O&M Optional Task 0.00 Continued...

32f. TELEPHONE NUMBER OF AUTHORIZED GOVERNMENT REPRESENTATIVE 32d. PRINTED NAME AND TITLE OF AUTHORIZED GOVERNMENT REPRESENTATIVE 49 2 of

ITEM NO.

SUPPLIES/SERVICES QUANTITY UNIT UNIT PRICE AMOUNT NAME OF OFFEROR OR CONTRACTOR 3

49 CONTINUATION SHEET REFERENCE NO. OF DOCUMENT BEING CONTINUED PAGE OF TECHNOLOGY SOLUTIONS PROVIDER INC (A)

(B)

(C)

(D)

(E)

(F)

GS06F1018Z/31310019F0043 Amount:

(Option Line Item)

Anticipated Exercise Date 07/14/2021 30001 Option Period 3 APPIAN Licenses Renewal 0.00 Amount:

(Option Line Item)

Anticipated Exercise Date 07/14/2022 30002 Option Period 3 APPIAN O&M Optional Task 0.00 Amount:

(Option Line Item)

Anticipated Exercise Date 07/14/2022 40001 Option Period 4 APPIAN Licenses Renewal 0.00 Amount:

(Option Line Item)

Anticipated Exercise Date 07/14/2023 40002 Option Period 4 APPIAN O&M Optional Task 0.00 Amount:

(Option Line Item)

Anticipated Exercise Date 07/14/2023

The obligated amount of award: $255,650.60. The total for this award is shown in box 26.

NSN 7540-01-152-8067 OPTIONAL FORM 336 (4-86)

Sponsored by GSA FAR (48 CFR) 53.110

DOTO GS06F1018Z/31310019F0043 Page 4 of 49

SECTION B - Supplies or Services/Prices

B.1 CONSIDERATION AND OBLIGATION-FIRM-FIXED-PRICE

The total amount of the Firm-Fixed-Price portion of this contract is $255,650.60, and this amount is fully-funded.

B.2 BRIEF DESCRIPTION OF WORK ALTERNATE I

(a) The title of this project is: APPIAN Financial Disclosure System for the Office of the General Counsel

(b) Summary work description: The NRC requires a cloud-based, automated Ethics Management (EM) system to replace the NRC's time-consuming manual processes with regard to the review and storage of Confidential Financial Disclosure Reports. The Contractor will provide a FEDRAMP-authorized solution with the most functional capabilities in EM automation.

(End of Clause)

SECTION C - Description/Specifications

Statement of Work (SOW)

Background

Federal statutes and regulations require Federal agencies, including the NRC, to maintain an ethics program. At the NRC, the Office of the General Counsel (OGC) has primary responsibility for the agency's ethics program, and the General Counsel is the Designated Agency Ethics Official (DAEO). One significant and mandatory component of the NRC's ethics program is a process or system for submitting, processing, and retaining Office of Government Ethics (OGE) Confidential Financial Disclosure Reports (the OGE 450 form). A second required component of the ethics program is a process or system for retaining ethics advice provided in response to requests for ethics guidance submitted by agency employees.

The OGE 450 is a form developed and maintained by OGE that is used government-wide for the purpose of conducting systematic review of the financial interests of both current and prospective employees to identify potential, and prevent actual, conflicts of interest. Employees in positions determined by the NRC to be subject to the OGE 450 filing requirement submit new entrant OGE 450 forms when they enter filing positions, and annual OGE 450 forms that are due between January 1 and February 15 of each calendar year. Deputy Ethics Counselors in OGC review and certify these OGE 450 reports, which must be retained in accordance with records-retention policies.

There are approximately 900 Filers, but this number fluctuates throughout the year. OGC may add another 200-300 in the next couple of years. Filers will access the system a few times during the filing season but should have access year-round. Legal reviewers will not be more than 10 users and require access to the system 7 days a week, 24 hours a day, 365 days a year (7x24x365). Administrators may be 3-5 staff members and require access to the system 7x24x365.

Through a Confidential Financial Disclosure and advice storage FEDRAMP Authorized PaaS solution, the NRC will be able to gain process efficiencies that will allow the NRC to use its resources more efficiently across the enterprise, thereby freeing up resources to provide additional focus on the mission of the NRC. A cloud-based solution will streamline costly and time-consuming Confidential Financial Disclosure Reports and ethics advice storage efforts.

The NRC requires a cloud-based, automated Ethics Management (EM) system to replace the NRC's time-consuming manual processes with regard to the review and storage of Confidential Financial Disclosure Reports. The Contractor shall provide a FEDRAMP-authorized solution with the most functional capabilities in EM automation.

Ethics Management (EM) System

The EM system shall enable the filing, review, and retention of OGE 450 forms and the searchable storage of ethics advice provided to NRC employees.

Objective

The Contractor shall provide the NRC with a FedRAMP authorized, cloud-based SaaS/PaaS EM Automation solution to satisfy the Office of Government Ethics (OGE) and the Office of Management and Budget (OMB) requirements. The Contractor shall be responsible for providing all development and configuration needs and support services to support the NRC EM system and functions.

As a Platform-as-a-Service (PaaS), the solution shall provide several benefits to the NRC such as:

Every object built shall be reusable, so building subsequent applications shall take less time than the last because less building shall be required.

As a single platform, the NRC shall only have to configure items like Single Sign-on (SSO) once. Every application deployed after the first shall be able to leverage those components.

There will be no need to have additional ATOs as the first deployment will take care of the enterprise based ATO for the PaaS.

From a future perspective, Appian will need to be connected to the NRC Enterprise Identity Hub (EIH) for user provisioning. EIH is the agency's ID management platform.

For OGC EM system, Federal Personnel Payroll System (FPPS) is sufficient as the users are only going to be federal employees.

Scope of Work

System Build

The Contractor shall:

a. Build and design the first application build on the PaaS with the concept of reusable components and a designed enterprise application governance process to maximize re-usability to get the most value out of the PaaS Application.

b. Deliver the system in production with thorough system testing and user acceptance testing by engaging the system owners for financial disclosure filing and review by 10/15/2019.

The EM system shall:

a. Have the capability to import and store historical data (e.g., OGE 450 forms and legal advice provided to employees) from the current NRC OGC system (based on SQL Server).

b. Be able to ingest a minimum of 6 years of historical forms and 6 years of historical advice. Estimate of about 6000 forms that will need to be migrated to the new system.

c. Be able to capture OGC advice that has been provided to agency employees that is currently housed in MS Outlook into the new system. Please note that we are storing data from emails in MS Outlook to build the advice function within the new system. We will possibly need data mining, modeling and migration.

c. Be able to provide the function of allowing submitters to submit questions to OGC staff while allowing OGC staff to respond to said questions.

d. Have the capability to store, in searchable form, ethics advice provided in response to requests for ethics guidance submitted by agency employees.

e. Provide an Employee Profile that shall populate through a nightly import from the FPPS (Federal Personnel Payroll System). The FPPS is owned and operated by the Interior Business Center (IBC), which is part of the Department of Interior (DOI).

i. The Employee Profile shall include the following data fields:

1. Last Name
2. First Name
3. Middle Name
4. Suffix
5. LAN ID
6. Filing status (yes/no radio button) - (the status shall indicate 450 Filer, 278 Filer, Not a Filer)
7. Grade
8. Pay Plan
9. NRC Office code
10. Email address
11. Position Title
12. Position Number
13. Appointment date
14. Termination date
15. Date for current position
16. Rotation date (enter manually, not override)
17. Special Government Employee (SGE) (yes/no radio button) - (All SGE at NRC are in Pay Plan EG, EE, or EI)
18. Employee ID number (this ID number originates in FPPS and is fed to iLearn and HRMS)

ii. Additionally, the Employee Profile shall include:

1. Date entered OGE 450 filing position; should allow for multiple entries to reflect that an employee may enter and leave filing positions on multiple occasions over time

2. Date exited OGE 450 filing position; should allow for multiple entries to reflect that an employee may enter and leave filing positions on multiple occasions over time; exit should turn off the employee's status as an annual filer

3. Compliance status (yes/no radio button that automatically selects when the assigned new entrant or annual report has been filed); for SGEs without LAN IDs, administrators shall be able to manually toggle the yes/no button

4. For SGEs, should include NRC 448, NRC for Appointment of Consultant, Expert or Member, received (yes/no radio button), date received (manual entry), spot to upload copy of NRC 448, assigned reviewer, days under review, date review complete

5. For SGEs without LAN IDs: OGE 450 received (yes/no radio button), date received (manual entry), spot to upload copy of OGE 450, assigned reviewer, days under review, date review complete

6. Prohibited Security rule applicability status (yes/no radio button)

7. Outside Employment approval (yes/no radio button); spot for uploading approval documents

8. A Notes section that allows legal reviewers and administrators to enter information regarding the employee

f. Provide an ethics waivers mechanism with the following:

i. 18 U.S.C. Section 208 waiver (yes/no radio button); spot for uploading and storing waiver documents

ii. Prohibited Securities waiver (yes/no radio button); spot for uploading and storing waiver documents

Automated OGE-450 form

The EM system shall:

a. Include an automated return form function that shall allow the legal reviewer to send a form back to the filer for corrections or more information. Corrections made by the filer shall not alter the original submission date of the form. After the filer corrects the form, the form shall return to the queue of the same reviewer who returned the form to the filer (If user has left the agency, the system shall automatically identify that filer, from the HR data load, and send back to the reviewer who can perform a re-assignment).

b. Have an editable drop-down list of securities that offers choices for completing an entry once the filer has entered the initial characters of the name of the security. The EM system shall include a functionality that flags for the legal reviewer securities included on the NRC's Prohibited Securities list that appear on an individual OGE 450 as submitted by the filer.

c. Allow the use of a digital signature by submitter and reviewer.

d. Have standard reports that can be modified by administrators with the ability to create new reports as needed. Reports shall be able to be filtered and sorted.

i. Under review report: lists name of employees who submitted forms by type (new entrant or annual), reporting year if annual, date submitted, number of days under review, and assigned reviewer, date review complete

ii. All users report, with columns showing: filer name, reporting status (annual/new entrant), compliance status, due date of assigned new entrant report or next annual report, email address, grade, office code, employee LAN ID

iii. Extension report: listing of all extensions granted by year, shall include filer name, organization, new due date, compliance status

iv. SGE report: SGE name, compliance status, email address, office code (For the Advisory Committee on the Medical Uses of Isotopes (ACMUI) (This would likely be an external email address. Alternatively, could have N/A for SGEs without LAN IDs.)

v. Prohibited Securities report, listing all employees subject to the Prohibited Securities rule

vi. Waiver report, listing waivers granted by type (18 U.S.C. Section 208 or Prohibited Securities), by year

vii. Outside employment report, listing outside employment approvals by year

e. Have automated, but not automatic, deletion of records over 6 years. The deletion of records function shall be initiated by an administrator and shall include an override feature that allows for the retention of specified records.

f. Have automated email notifications for new entrant filing, annual filing, subsequent reminders, extension due dates, return of forms, and certification of forms. The language for these emails should be standard text and can be modified by the administrators and administrators should have the ability to easily turn the email notification function on and off.

g. Be able to add new filers and remove filers through the year based on the nightly import from the Federal Personnel Payroll System (FPPS) NRC HR systems of current NRC Employees

h. Have automated event/audit log and monitoring.

i. OGE 450 form completion shall be intuitive from a filer's perspective, preferably with an interface that walks filers through each part of the form and reportable items. Examples and instructions for each part should be included throughout the form wizard for reference (to match the examples and instructions on the actual OGE 450). Drop down choices for different types of assets and income (e.g. stock, bond, mutual fund, real estate, etc.), to match all items required to be identified on the OGE 450 shall be included.

User Types

The EM system shall have separate account types for filers, legal reviewers, administrators. The defined functionality for each user type shall include:

a. Filers

i. Create new 450

ii. Edit saved 450 (before certification)

iii. View/print prior year(s) 450 forms

iv. Copy/import prior year data into new 450

v. Electronic certification

vi. Submit form

vii. Edit forms returned by legal reviewers

viii. Print 450 that populates the information entered in the form wizard into a PDF that mirrors the actual OGE 450

b. Legal Reviewers

i. Search employee data or forms

ii. View prior year(s) OGE 450 forms for all filers

iii. View employee's current year form side-by-side or in comparison with prior year form.

iv. View/approve current year OGE 450

v. Return OGE 450 to filer with comments/edit

vi. Edit forms if needed.

vii. Notate extensions in filer's profile

viii. Upload documents associated with individual employees

ix. Print forms as a printable PDF

x. A spot that allows legal reviewers and administrators to upload documents related to particular employee

c. Administrators

i. Assign forms (individually or by group)

ii. Assign submitted forms to legal reviewers, either individually or by batch based on submission date of the form.

iii. Add employees

iv. Delete records/forms

v. Run reports

vi. Notate extensions in filer's profile

vii. Upload documents associated with individual employees

viii. Manage designation of all account types

ix. Activate/deactivate email reminders

x. Edit email language, specify when emails should go out

xi. Turn email functionality on and off for end of the year changes and beginning of filing season.

xii. Specify dates for email reminders

xiii. Edit system preferences (e.g. session settings, login screen instructions)

xiv. View event and audit log.

xv. Administrator should have ability to make minor changes to the system when needed.

xvi. A Notes section that allows administrators to enter information regarding the employee.

xvii. A spot that allows legal reviewers and administrators to upload documents related to the particular employee

xviii. A feature that allows Administrators to edit any of the Employee Profile fields manually if needed.

xix. Administrator should be able to build ad-hoc reports from the submitted Form 450s.

Cloud Environment

The EM system shall:

a. Be FEDRAMP moderate Authorized (not just the data center, but also the software platform) cloud services.

b. Automate application promotion from lower environments such as development and test to higher environments such as production.

c. Provide high availability and a configuration that meets service and operation recovery point objective (RPO) of 8 hours at a minimum and a recovery time objective (RTO) of 8 hours at a minimum in the event of an unplanned service and application outage.

d. Be able to secure data at rest and in transit

e. Provide application performance monitoring and security.

f. Scalable from 30 - 60 concurrent users without compromising user experiences and solution performance

g. Flexible to provide access to NRC owned application data within 60 days after service termination

h. Flexible to migrate the application and application development platforms to the NRC on premise data center using industry standard migration tools and container technologies such as Docker

i. Comprehensive in providing a unified platform covering the following capabilities: interface, reports, rules, collaboration, process, cloud deployment, mobile, social, data, content, security, identity, accelerators, and integration.

j. Capable to provide a native mobile application for both iOS and Android that does not require additional coding and service procurement

k. Flexible to allow transfer or reassign of licenses between NRC users as needed

l. Flexible to reduce and increase user licenses any time based on the NRC demand for services

Technical Requirements

The Contractor shall develop and deploy applications that integrate with:

a.

b. SAML (Security Assertion Markup Language) based user authentication and authorization providers.

c.

The applications and application development cloud services shall:

a. Comply with the requirements in the Section 508 - Electronic and Information Technology Standards section, below.

b. Be compatible with Windows IE Browser, Google Chrome, updated versions of Apache HTTP Server, Microsoft SQL Server, Microsoft Windows Servers, Apache Tomcat, Java Runtime Environment, and Microsoft IIS (Internet Information Services) web server, if/when applicable as an essential component of the EM System.

c. Provide analytics, dashboards, and reporting

d. Support sequential workflow/process activities/tasks

e. Support human interactive workflow/process activities/tasks

f. Support concurrent routing of a case and/or concurrent workflow/process activities

g. Support time-out for workflow/process activities with the ability to save the filer's information so the filer does not have to start from scratch when logging in

h. Support delayed routing of workflow/process items/cases

i. Support data export to both machine and human readable formats. For example, CSV, Microsoft Excel formats

Maintenance and Technical Support Services

The Contractor shall provide the following maintenance and standard technical support:


a. Phone and email support
b. Software updates, new releases, upgrades (software, operating system, and supporting applications), hotfixes, and patches. At a minimum, updates/security patches shall be provided quarterly.

c. Standard support case severity/response times as delineated in the table below:

Priority Level | Severity Definition | Response Time

1 | The software is down in a production setting, and no workaround exists, or the workaround is not feasible to implement due to the impact on the customer's business. | <1 business hour.

2 | Users are unable to operate the core functionality on a production instance of the Cloud Offering using the user's then-current username and password. Core functionality means the ability to use the Cloud Offering to: (i) load a designer interface; (ii) publish a generic process; (iii) launch a generic process (including accepting a generic task and entering a generic form); (iv) access a generic dashboard or run a generic report. | <2 business hours.

3 | A production instance is negatively affected, but it is not a Priority 1 or Priority 2 issue. | <8 business hours.

4 | All other issues not outlined above. | <12 business hours.

d. The Contractor personnel assigned a case shall be able to raise a problem's priority level and the Government shall also be able to request that the priority level be raised based on importance of the issue or the length of time the case has remained open.

e. The solution shall provide a 98.99% uptime. If during the software subscription, availability is less than 98.99% of the time during a calendar month, the Contractor shall provide the following remedy delineated in the table below:

Priority Level | Monthly Available Percentage | Service Credits (% of Applicable Monthly License Fee)

Priority 1 | Less than 98.99% | 10%

Priority 2 | Less than 97.99% | 15%

f. The Contractor shall provide help desk support during the following business hours: 8:00 a.m. to 6:00 p.m., Eastern Standard Time (EST), Monday through Friday (except federally observed holidays).

Contractor Wide Responsibilities

a. Project Management - Throughout the EM Order Period of Performance, for reasons known (which are described in each support area of this Statement of Work, also known as the SOW) and currently unknown (e.g., introduction of new/upgraded End-User technologies resulting from unforeseen new OMB mandates, unforeseen new regulations, adapting to a rapidly changed nuclear power industry environment, and/or Contractor recommendations, etc.), the Contractor shall have Project Managers capable of beginning and completing the implementation of minor and major technical and/or operational changes. The technical and/or operational changes shall be completed according to the COR's or ACOR's approved schedule, quality standards, requirements, and budget. In addition, the Contractor shall:

i. Develop plans consistent with industry standard accepted project and change management practices (e.g. PMI's PMBOK) addressing the ten (10) Project Manager (PM) areas of knowledge unless stated otherwise

ii. Ensure coordination with related functions and stakeholders across the project lifecycle

iii. Follow the NRC OCIO IT Technical Control Review Framework (IT Governance)

b. Platform Training: The Contractor shall provide platform training (2-3 staff members of the NRC) either on premise or off premise.

c. Financial Management and Related Reporting

i. The Contractor shall provide ongoing visibility into the historical, current, and forecasted budget and execution status across all areas of the task.

ii. The Contractor shall maintain detailed cost tracking associated with specific service types, dimensions, and codes as provided by the NRC

iii. The Contractor shall provide detailed monthly financial data in summarized and raw structured (e.g. CSV) formats as defined and approved by the COR

d. Software Distribution Management

i. The Contractor shall distribute software licenses in accordance with the NRC's software license management policies and related platforms. Specifically, the Contractor shall:

ii. Ensure software licenses are only distributed once proper approval is received

iii. Collaborate with the Service Delivery Integration Team regarding license transfer, removal, and/or re-installation

e. Security Compliance

i. In the performance of its services under this contract, the Contractor shall address and comply with a range of security requirements across all Service Areas. These security requirements are critical to the success of the NRC. Compliance with these requirements is expected to be achieved within the respective Task Areas that they apply to.

Technical Security Compliance Requirements

Protection Non-Public Information Contractor Agreement

The Contractor shall:

a. Ensure strict confidentiality of all Classified Information, Safeguards Information (SGI), Sensitive Unclassified Non-Safeguards Information (SUNSI), and Controlled Unclassified Information (CUI) information/data that is provided by the Government during the performance of this contract.

b. Be responsible for coordinating with the COR or ACOR to ensure all applicable Federal privacy requirements are being met in accordance with NRC procedures.

c. Be responsible for coordinating with the COR or ACOR to ensure applicable federal security requirements are being met in accordance with Federal and NRC policies.

Position Sensitivity Description

The Contractor shall:

a. Identify its personnel, subcontractors and consultants requiring NRC access approval and propose the level of Information Technology (IT) approval for each, using the NRC guidance in paragraph H.5, SECURITY REQUIREMENTS FOR INFORMATION TECHNOLOGY LEVEL I OR LEVEL II ACCESS APPROVAL.

b. Ensure that its personnel, subcontractors and consultants who are assigned to perform the work herein for contract performance for periods of more than 30 calendar days at NRC facilities, are approved by the NRC for unescorted NRC building access using the guidance in paragraph H.6, SECURITY REQUIREMENTS FOR BUILDING ACCESS APPROVAL.

c.

Information Security Awareness and Role-Based Training

The Contractor shall:

a. Ensure that its personnel, subcontractors and consultants complete NRC-provided mandatory security and privacy training prior to gaining access to NRC information systems and provide their completion certificate number to the COR or ACOR. The training requirements are mandatory. Non-compliance may result in revocation of system access.

b. Ensure that its personnel, subcontractors and consultants complete annual security and privacy refresher training. NRC will provide notification and instructions on completing this training.

c. Maintain a listing by name and title of each contractor personnel, subcontractor and consultant working under this order that has completed the mandatory training. The list shall be provided to the COR or ACOR upon request.

d. Ensure that its personnel, subcontractors and consultants complete specialized IT security training based on the role-based requirements. The Contractor is required to report training completed to ensure competencies that address this training.

e. Ensure that training hours for its personnel, subcontractors and consultants to satisfy any training requirements are reported to the COR or ACOR in writing upon their completion of training.

Rules of Behavior The Contractor shall ensure that:

a.

Its personnel, subcontractor personnel, and consultants comply with the NRC Rules of Behavior (RoB).

b.

All its personnel, subcontractors and consultants, as users of NRC IT resources, read these rules and sign the accompanying acknowledgement form before accessing NRC data/information, systems and/or networks.

c.

The acknowledgement is signed annually by its personnel, subcontractor personnel, and consultants to reaffirm knowledge of, and agreement to adhere to the NRC RoB. These affirmations shall be provided to the COR or ACOR upon request.

d.

Ensure that its personnel, subcontractor personnel, and consultants with access to specific NRC systems sign additional Rules of Behavior specific to those systems.

Additionally, the OCIO will verify non-government furnished equipment to ensure that it meets the required standards as defined in the Rules of Behavior policy.

Information Security and Privacy The Contractor shall:

a.

Designate a specific person to be responsible for information security for Contractor personnel, subcontractor personnel, and consultants and have a segregated group with roles and responsibilities that will ensure compliance and oversight of IT security.

b.

Ensure its subcontractors, consultants and data transfer stakeholders (either internal or external to the Contractor firm) provide the same security and privacy protection where applicable. This requirement is important because in an age where business practices demand fast and easy transmission of information across borders - and the cloud - those very activities can easily run afoul of the laws, regulations, and restrictions governing data transfers, whether relating to consumer, customer, employee, vendor, or other data.

c.

As new Federal security requirements or updates to existing requirements are made, apply those that are pertinent to the systems and processes they use in support of the NRC.

d.

Properly protect and handle information in accordance with the type of the information.

e.

Only use NRC approved methods to send and receive information considered sensitive or classified.

Additionally, written approval is required from the COR or ACOR prior to the use or storage of NRC Sensitive Information or sharing of NRC Sensitive Information by the Contractor with any subcontractor, person, or entity other than NRC. Requests for approval shall be submitted to the COR.

Controlling System Access The Contractor shall:

a.

Track/control/prevent/correct secure access to critical assets (e.g., information, resources, systems, etc.) according to NRC's policy and the formal determination of which persons, computers, and applications have a need and right to access critical assets based on an approved classification.

b.

Use PIV credentials in accordance with NIST FIPS 201, Personal Identity Verification (PIV) of all Federal employees to provide user-based access to information systems.

c.

Ensure that all Contractor personnel, subcontractor personnel, and consultants accessing systems processing NRC's information have user-based PIV card access.

d.

Ensure the most restrictive set of rights/privileges or accesses needed by users (or processes acting on behalf of users) for the performance of specified tasks shall be enforced by the system through assigned access authorizations.

e.

Ensure separation of duties for Contractor systems used to process NRC information is enforced by the system through assigned access authorizations.

Security Incident Response Consistent with Federal Government Reporting requirements, all incidents must be reported to the United States Computer Emergency Readiness Team (US-CERT). To comply, the Contractor shall:

a.

Report any information security incident to the COR or ACOR within one (1) hour of discovery. NRC will report any information security incident that also becomes a privacy incident (when the incident involves the suspected or actual loss of PII) to the United States Computer Emergency Readiness Team (US-CERT) within 1 hour of discovery.

b.

Ensure any incident the US-CERT and/or NRC designates as a major incident shall be reported to the COR, who will then ensure it is reported to Congress within seven (7) days of discovery.

c.

Handle incidents per federal, department and NRC regulations. The Contractor shall complete incident reports to the COR or ACOR according to applicable regulations, and shall investigate, manage and report incidents internal to the contractor security boundaries.

d.

Facilitate and manage the processing of all security incidents for the NRC.

e.

Collaborate with other contractors, if necessary, for incidents that cross EM order boundaries.

f.

Notify the COR or ACOR in writing within 24 hours of the discovery or disclosure of successful exploits of the vulnerability, which can compromise the security of the Systems (including the confidentiality or integrity of its data and operations, or the availability of the system).

Security Standards Where applicable, the Contractor shall:

a.

Develop and apply appropriate security controls to meet NRC information security requirements, as defined in Attachment 4 - NRC Security Standards. The publicly available NRC standards can be accessed utilizing the accession numbers at http://www.nrc.gov/reading-rm/adams.html. Non-publicly available standards will be provided upon request.

b.

Coordinate with the COR or ACOR to assess and establish/update the NRC Security Standards within 30 days of order award or when a Significant Change has been made to its system, as defined by the NRC CIO.

c.

Coordinate with the COR or ACOR to assess alternative ways to improve NRC information security requirements as defined in NRC Security Standards.

System Security Requirements All information systems that input, store, process, and/or output Government information must be provided an Authority to Operate (ATO) signed by the CIO, or Designated Approving Authority.

Where applicable, the Contractor shall:

a.

Comply with NRC policies, procedures, and guidance for security Assessment and Authorization (A&A) activities.

b.

Provide access, when requested by the COR, to verify compliance with the requirements for an Information Technology security program. For systems not located on NRC premises, the Government reserves the right to conduct on-site inspections. The Contractor shall make appropriate personnel available for interviews and provide all necessary documentation during this review.

c.

Take an active role in the support of the Assessment and Authorization lifecycle for all systems the Contractor supports. This includes attendance at all appropriate meetings with the COR or ACOR (e.g., kickoff, findings), development of corrective action plans, remediation of findings, as well as providing reports to the COR.

d.

Support the NRC's continuous monitoring methodology based on NIST SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. Contractor shall continuously acquire, assess, and act on new information to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.

All Contractor systems shall participate in Information Security Continuous Monitoring (ISCM) and Reporting as defined in the NRC IT Policy.

Additionally, if the Contractor is developing an NRC information system, system component, or information system service, the Contractor shall also:

a.

Follow a documented development process that: (i) explicitly addresses security requirements; (ii) identifies the standards and tools used in the development process.

b.

Produce design specification and security architecture that is consistent with and supportive of NRC security architecture and accurately and completely describes the required security functionality, and the allocation of security controls among physical and logical components.

Interconnection Security Agreements Any Interconnection Security Agreements (ISA) between NRC and non-NRC information systems shall be established only through controlled interfaces and via approved service providers. The controlled interfaces shall be accredited at the highest security level of information on the network. Connections with other Federal agencies shall be documented based on interagency agreements, memoranda of understanding, service level agreements or interconnect service agreements.

System Authorization and Assessment Where applicable, the Contractor shall:

a.

Comply with Authority To Operate (ATO) requirements as mandated by Federal laws and policies, including making available any documentation, physical access, and logical access needed to support this requirement.

b.

Coordinate with the COR or ACOR to create, maintain, and update all applicable ATO documentation as defined by NRC Information Security procedures.

c.

Allow NRC employees (or NRC CISO-designated third-party contractors) to conduct Security Assessment activities to include control reviews in accordance with NIST SP 800-53/NIST SP 800-53A and NRC procedures and standards.

d.

Mitigate all applicable security risks found during the ATO process and continuous monitoring activities.

Prior to authorizing a system or application using public cloud services, the NRC will work with the Contractor to implement customer and shared responsibility controls and conduct a thorough review of the security assessment package to determine that it is complete, consistent, and compliant with FedRAMP requirements. To support this, the Contractor shall:

a.

Provide the COR or ACOR access to the Contractor's facilities, installations, operations, documentation, databases, IT systems, devices, and personnel used in performance of the contract, regardless of location.

b.

Submit Authorization and Assessment packages to the COR or ACOR at least 90 days before the ATO expiration date for security review and verification of security controls.

The 90-day security review process is independent of the system production date and therefore it is important to build the security review into project schedules. Security reviews may include onsite visits that involve physical or logical inspection of the Contractor environment to ensure controls are in place. ATO extensions will only be granted in extenuating circumstances.

Security Controls Compliance Assessment Where applicable, the Contractor shall:

a.

Not publish or disclose in any manner, without the CO's written consent, the details of any safeguards either designed or developed by the Contractor under this order or otherwise provided by the Government.

b.

The contractor shall turn over all the development done under this contract to NRC and NRC owns the application and all the data and configuration items that go in it.

c.

Afford the Government access to the Contractor's facilities, installations, technical capabilities, operations, documentation, records, and databases within 72 hours of notification. The program of inspection shall include, but is not limited to authenticated and unauthenticated:

i.

Operating system/network vulnerability scans,

ii.

Web application vulnerability scans,

iii.

Database application vulnerability scans

Automated scans can be performed by Government personnel, or personnel acting on behalf of the Government, using Government operated equipment, and Government specified tools.

Patching Where applicable, the Contractor shall:

a.

Consistent with Department of Homeland Security (DHS) Binding Operational Directive 15-01, Critical Vulnerability Mitigation Requirements for Federal Civilian Executive Branch Departments and Agencies Internet-Accessible Systems, patch all critical and high vulnerabilities immediately or, at a minimum, within 30 days of patch release. NRC currently utilizes regular maintenance windows. In addition, NRC patches are subject to NRC's change and configuration management processes. For critical and high vulnerability patching, the COR or ACOR reserves the right to request an "out of cycle" patch release.

b.

Apply patches to all systems, even systems that are properly air gapped or are physically isolated from unsecured networks.

c.

Develop and apply appropriate automated patching solution to meet NRC information security requirements where practical, as defined and approved by the NRC Chief Information Officer (CIO).

Tracking and Correcting Security Deficiencies Where applicable, the Contractor shall:

a.

Track and correct any applicable information security deficiencies, conditions, weaknesses, findings, and gaps identified by audits, reviews, security control assessments, and tests, including those identified in:

i.

Chief Financial Officer (CFO) audits

ii.

FISMA audits

iii.

NRC evaluations and tests

iv.

Inspector General (IG) audits and reviews

v.

A-123 audits

vi.

NRC Security Operations Center (SOC) continuous monitoring activities such as, but not limited to, vulnerability and compliance scanning of all the NRC information systems

vii.

Other applicable reviews and audits

b.

Mitigate critical, high-risk, and moderate-risk deficiencies within 30 days; low risk deficiencies within 120 days from the date deficiencies are formally identified.

Security Tools Implementation Where applicable, the Contractor shall coordinate with the COR or ACOR to understand their specified requirements in administering, managing, configuring, maintaining, acquiring, interfacing, integrating and/or tuning NRC's defined security tools devices and application systems, servers and sensors for systems/applications they host or maintain.

Return of NRC and NRC-Activity-Related Information The Contractor shall coordinate with the COR or ACOR to ensure return of all original (and at least one duplicate copy of those information types specified by NRC) of all NRC-provided and NRC-Activity-Related Information (including but not limited to all records, files, and metadata in electronic or hardcopy format), including but not limited to any of the following:

a.

Provided by NRC or obtained by the Contractor while conducting activities in accordance with the contract

b.

Distributed for any purpose by the Contractor to any other related organization and/or any other component or separate business entity

c.

Received from the Contractor by any other related organization and/or any other component or separate business entity.

Verified Secure Destruction of NRC and NRC-Activity-Related Information The Contractor shall coordinate with the COR or ACOR to execute secure destruction of all active and archived originals and/or copies of all NRC and NRC-activity-related files and information, (including but not limited to all records, files, and metadata in electronic or hardcopy format), by procedures approved by the COR or ACOR in advance. NRC and NRC-activity-related files includes but is not limited to:

a.

Provided by NRC or obtained by the Contractor while conducting activities in accordance with the contract

b.

Distributed for any purpose by the Contractor to any other related organization and/or any other component or separate business entity

c.

Received from the Contractor by any other related organization and/or any other component or separate business entity.

Delivery Related Service Level Requirements The Contractor shall meet or exceed the delivery related service level requirements while delivering the work described in this EM Call. These service level requirements are in addition to the other service level requirements.

Definition: Federal and NRC-Level Policy and Standards Compliance
Performance Standard: The Contractor shall comply with all applicable Federal and NRC-level policies and documented technical and process standards in the performance of its services.
Acceptable Quality Level (AQL): 100% Compliance
Method of Surveillance: Monthly EM Contract COR Report (NRC internal)

Definition: On-Time Project Milestone Completion
Performance Standard: For all in-scope projects managed by the Contractor, the Contractor shall achieve the agreed upon project milestones by the date agreed to by the COR.
Acceptable Quality Level (AQL): <5% Variation
Method of Surveillance: NRC Designated and Provided Repository

Definition: On-Time Submission of Recurring Reporting
Performance Standard: For all recurring reports, the Contractor shall submit reports and/or data as applicable on the days and intervals agreed to by the COR.
Acceptable Quality Level (AQL): <10% Variation
Method of Surveillance: Monthly EM Contract COR Report (NRC internal)

Definition: Financial and Resource Information Accuracy
Performance Standard: The Contractor shall provide accurate financial and resource reporting and data to the NRC.
Acceptable Quality Level (AQL): 100% Accuracy of Dollars, Hours, and Associated Category Assignments
Method of Surveillance: Reconciliation Error Rate (NRC internal)

Service Level Requirements (SLRs)

In accomplishing the above activities and other duties, the Contractor shall complete the activities in accordance with the service level requirements outlined in the sections below. Within the first month of award, the Contractor shall meet with the COR or ACOR to verify and validate the service level requirements outlined below. In addition, factors such as but not limited to hang-ups, business-hour/day rollovers, when a repair becomes a replace, etc. have been considered by NRC when coming up with these SLRs.

Security Service Level Requirements The Contractor shall provide its resources and services in a manner that enables achievement of the Service Level Requirements described below. These objectives are intended to convey the outcomes the NRC desires as a result of successful assistance from the Contractor.

All NRC systems and implementations must meet federally-mandated (e.g., FIPS, FISMA, Privacy Act, HSPD-12, TIC) and NRC-defined cybersecurity requirements. The NRC uses the NIST Special Publications (SP), as amended, to determine risk. These publications include, but are not limited to:

800-30 Guide for Conducting Risk Assessments https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final

800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final

800-37 Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final

800-60 Guide for Mapping Types of Information and Information Systems to Security Categories https://csrc.nist.gov/publications/detail/sp/800-60/vol-1-rev-1/final https://csrc.nist.gov/publications/detail/sp/800-60/vol-2-rev-1/final

800-63-3 Digital Identity Guidelines (IAL - identity assurance, AAL - authentication assurance, and FAL - federation assurance) https://csrc.nist.gov/publications/detail/sp/800-63/3/final

Please note, higher risk levels have shorter mitigation timeframes.

Area: Tracking and Correcting Security Deficiencies
Performance Standard and Acceptable Quality Level (AQL):
1. As defined by NIST 800-30, Critical/High severity and high-risk deficiencies mitigated within 30 days, from the date deficiencies are formally identified or within a specified time period previously defined and approved by NRC authorizing official. AQL: 100%
2. As defined by NIST 800-30, Moderate-risk deficiencies shall be mitigated within 30 days, from the date deficiencies are formally identified or within a specified time period previously defined and approved by NRC authorizing official. AQL: 95%
3. As defined by NIST 800-30, Low-risk deficiencies shall be mitigated within 120 days from the date deficiencies are formally identified or within a specified time period previously defined and approved by NRC authorizing official. AQL: 95%
Frequency: Monthly
Method of Surveillance: System Records; Plan of Actions and Milestones; Incident Records; NRC Security Audits and Assessments; EM Contract COR Oversight

Area: Common Security Configurations
Performance Standard: Percentage of system components that are in compliance with approved configuration standard or deviation
Acceptable Quality Level (AQL): 98%
Frequency: Monthly
Method of Surveillance: System Records; NRC Security Audits and Assessments; EM Contract COR Oversight

Area: Encryption Standards
Performance Standard: Percentage of required devices, components and interfaces compliant with NRC encryption standards
Acceptable Quality Level (AQL): 100%
Frequency: Monthly
Method of Surveillance: System Records; NRC Security Audit; EM Contract COR Oversight

Area: Controlling Access
Performance Standard: Percentage of Contractor personnel accessing NRC's systems with user-based PIV card access or NRC approved access mechanism.
Acceptable Quality Level (AQL): 100%
Frequency: Weekly
Method of Surveillance: System Records; NRC Security Audits and Assessments; EM Contract COR Oversight

Area: System Changes
Performance Standard: Ensure changes to systems are properly approved by the NRC Designated Approving Authority (DAA) or the configuration control board (CCB) before those changes are deployed to the NRC production environment, in accordance with NRC policy MD 12.5
Acceptable Quality Level (AQL): 100%
Frequency: Weekly
Method of Surveillance: System Records; Change Management System; Configuration Management System; NRC Security Audit

Help Desk Service Level Requirements The Contractor shall provide Help Desk Services in accordance with the Service Level Requirements described in the table below.

  • Note: Standing up an end-user help desk is not a requirement and is not needed. A technical support POC shall be available to answer and resolve reported issues from OGC ethics staff and COR/PM.

Definition Performance Standard Service Measure Acceptable Quality Level (AQL)

Method of Surveillance

Application/Solution Service Level Requirements The Contractor shall provide Service Levels in accordance with application/solution needs as systems are deployed. These requirements are in addition to the other Service Level Requirements mentioned in Section C.3.4 as a whole.

Definition: Speed to Answer Calls (NOTE: Hang-ups are factored into the End User Calls Abandonment Rate SLR below.)
Performance Standard: OGC ethics staff and COR Calls are answered within one minute or less.
Service Measure: Measure time a phone call enters the service desk queue to the time a live agent takes the call and works with user.
Acceptable Quality Level (AQL): At least 95% of calls shall be answered by a live agent within 1 minute or less. Formula: Number of calls answered within performance target ÷ Total number of calls answered during measurement interval = Service level attained
Method of Surveillance: TBD

Definition: End User Calls Abandonment Rate
Performance Standard: OGC ethics staff and COR Calls are answered in a timely fashion to ensure the end user does not hang up while waiting.
Service Measure: Number of calls that are abandoned.
Acceptable Quality Level (AQL): Abandonment Rate is less than or equal to 5% per business day. Formula: Number of Abandoned Calls / Total Number of Calls
Method of Surveillance: TBD

Definition: Average Speed to Answer E-mails
Performance Standard: OGC ethics staff and COR E-mails to the Help Desk are answered within four business hours.
Service Measure: Duration between when message was received and when it was addressed.
Acceptable Quality Level (AQL): 90% or greater of all e-mails to the Help Desk shall be answered within four business hours of the message entering the queue.
Method of Surveillance: Performance Monitoring and Statistics; Incident Records

Key Personnel The Contractor shall provide one (1) individual to be considered Key Personnel for this order as identified below. All Key Personnel shall successfully obtain an NRC IT-I clearance at a minimum. The COR or ACOR will identify during post-award if higher clearances are needed for specific roles. However, if the COR or ACOR identifies that a specific role needs to have an active clearance on Day 1, then charges for the person fulfilling that role cannot be made until the clearance is successfully adjudicated. While the Key Personnel heading contains the functional title as it applies to this specific contract, the Contractor may propose the labor category it deems most appropriate for this position.

The Contractor should provide Key Personnel whose resumes demonstrate that they meet or exceed the following education, certification and experience requirements:

1.

Project Manager or Equivalent

At least 10 years providing consulting level services to the federal government

At least 10 years of experience managing projects and contract engagements associated with Business Process Automation Services

Extensive knowledge of the Project Management Body of Knowledge (PMBOK)

Extensive knowledge of Agile Methodology and principles

Experienced in managing projects where the project team members and end users are dispersed over more than one location

Extensive knowledge and operations of the Ethics Management tool that is being proposed

Extensive knowledge of IT Governance Frameworks

Experience with business process design & re-engineering to support solution architecture development/management

Experience with UI/UX, Agile, Data, and Cloud services

Deliverables In meeting the requirements described in this SOW, the Contractor shall complete the deliverables identified in the table below.

Topic Area Deliverable Description Deliverable Due Date User accepted Ethics management software/

data and configuration items NRC accepted / usable ethics management system called out in this statement of work along with the configuration items and data.

09/30/2019 Participation in Integrated Operations Meeting with the COR To occur on a weekly basis during a time scheduled by the COR Weekly Status Report By COB Fridays Monthly Status Report By COB 5 business days after the end of the month Project Management NOTE: Project management practices shall stress continuous and open communication with NRC and other contractors. Coordination Meeting Agenda, Minutes, and Action Items

Agenda: Five (5) business days prior to a meeting

Minutes and Action Items: Three (3) business days after meetings shall be conducted on both a formal and informal basis.

Project Plans, Schedules, Communications Plans, Risk Management Plans and Issue Resolution Plans executed on the base year and provide maintenance in subsequent years.

Draft: 15 business days after initiation of the project in question

Final: 15 business days after receiving written comments from the COR Finalized Service Level Requirements

Within 30 calendar days of award Operational Reports (Performance, Utilization, Incident, etc. Summaries, Metrics, and Analyses)

As directed by the COR Operational Data (Raw data, logs, etc.)

As directed by the COR Delivery Management Operational SOP(s) describing the actions that the Contractor will consistently execute in delivering the services and meeting the requirements described in this PWS.

Draft: COB 60 business days after award

Final: 20 business days after receiving written comments from the COR

Updates and revisions made every six months Inspection and Acceptance of Deliverables The COR or ACOR will have five (5) business days to complete the review of each deliverable and accept or reject the deliverable by giving written notice. When the COR or ACOR fails to complete the review within the review period, the Contractor may deem the deliverable to have been accepted by the COR or ACOR unless an extension of the review period is requested by the COR or ACOR and mutually agreed upon with the Contractor.

In the event of COR or ACOR rejection of any deliverable, the Contractor shall be so notified in writing by the COR or ACOR and given the specific reason(s) for the rejection.

The Contractor shall have three (3) business days to correct the rejected deliverable and return it to the COR or ACOR for review.

Section 508 - Electronic and Information Technology Standards 508.1 Introduction

In December 2000, the Architectural and Transportation Barriers Compliance Board (Access Board) pursuant to Section 508(2)(A) of the Rehabilitation Act Amendments of 1998, established electronic and information technology (EIT) accessibility standards for the federal government.

The Standards for Section 508 of the Rehabilitation Act (codified at 36 CFR § 1194) were revised by the Access Board, published on January 18, 2017 and minor corrections were made on January 22, 2018, effective March 23, 2018.

The Revised 508 Standards have replaced the term EIT with information and communication technology (ICT). ICT is information technology (as defined in 40 U.S.C. 11101(6)) and other equipment, systems, technologies, or processes, for which the principal function is the creation, manipulation, storage, display, receipt, or transmission of electronic data and information, as well as any associated content. Examples of ICT include but are not limited to: Computers and peripheral equipment; information kiosks and transaction machines; telecommunications equipment; customer premises equipment; multifunction office machines; software; applications; Web sites; videos; and, electronic documents.

The text of the Revised 508 Standards can be found in 36 CFR § 1194.1 and in Appendices A, C and D of 36 CFR § 1194 (at https://www.ecfr.gov/cgi-bin/text-idx?SID=caeb8ddcea26ba5002c2eea047698e85&mc=true&tpl=/ecfrbrowse/Title36/36cfr1194_main_02.tpl).

508.2 General Requirements In order to help the NRC comply with Section 508 of the Rehabilitation Act of 1973, as amended (29 U.S.C. § 794d) (Section 508), the Contractor shall ensure that its deliverables (both products and services) within the scope of this order are

1.

in conformance with, and

2.

support the requirements of the Standards for Section 508 of the Rehabilitation Act, as set forth in Appendices A, C and D of 36 CFR § 1194.

508.3 Applicable Provisions of the Revised 508 Standards The following is an outline of the Revised 508 Standards that identifies what provisions are always applicable and which ones may be applicable. If "Maybe" is stated in the table below, then those provisions are applicable only if they are within the scope of this acquisition.

Applicable to the Contract/Order? | Provision of 36 CFR Part 1194

Yes | 1. Appendix A to Part 1194 - Section 508 of the Rehabilitation Act: Application and Scoping Requirements

Yes | o Section 508 Chapter 1: Application and Administration - sets forth general application and administration provisions

Yes | o Section 508 Chapter 2: Scoping Requirements - containing scoping requirements (which, in turn, prescribe which ICT - and, in some cases, how many - must comply with the technical specifications)

Maybe | 2. Appendix C to Part 1194 - Functional Performance Criteria and Technical Requirements

Maybe | o Chapter 3: Functional Performance Criteria - applies to ICT where required by 508 Chapter 2 (Scoping Requirements) and where otherwise referenced in any other chapter of the Revised 508 Standards

No | o Chapter 4: Hardware

Yes | o Chapter 5: Software

Yes | o Chapter 6: Support Documentation and Services (applicable to, but not limited to, help desks, call centers, training services, and automated self-service technical support) (Always applies if Chapters 4 or 5 apply)

Yes | o Chapter 7: Referenced Standards

No | 3. Appendix D to Part 1194 - Electronic and Information Technology Accessibility Standards as Originally Published on December 21, 2000

Refer to Chapter 2 (Scoping Requirements) first to confirm what provisions in Appendix C apply in a particular case.

Section E203.2 applies only to the NRC, except as specified below.

508.4 Exceptions

508.4.1 Legacy ICT

Unless a deliverable of this order is identified in this order as Legacy ICT, use by the Contractor of the Legacy ICT general exception (section E202.2 of 36 CFR § 1194) shall only be permitted on a case-by-case basis for applicable legacy ICT and with advance written approval from the COR.

508.4.2 Undue Burden

The Undue Burden general exception (section E202.6 of 36 CFR § 1194) is not expected to be applicable to work performed by the Contractor. If there are questions about potential application of this exception, please discuss with the CO.

508.4.3 Fundamental Alteration or Best Meets

If the Contractor wishes to use the Fundamental Alteration (section E202.6 of 36 CFR § 1194) or Best Meets (section E202.7 of 36 CFR § 1194) general exceptions, the Contractor shall do the following:

1. provide the COR or ACOR with information necessary to support the agency's documentation requirements, as identified in sections E202.6.2 and E202.7.1 of 36 CFR § 1194, respectively

2. request and obtain written approval from the COR or ACOR for development and/or use, as applicable to the scope of the contract/order, of an alternative means for providing individuals with disabilities access to and use of the information and data, as specified in sections E202.6.3 and E202.7.2 of 36 CFR § 1194, respectively.

508.4.4 National Security Systems

Not applicable.

508.4.5 ICT Functions Located in Maintenance or Monitoring Spaces

The Contractor shall confirm with the COR or ACOR that an ICT deliverable of this contract/order will be located in maintenance or monitoring spaces before assuming that the ICT Functions Located in Maintenance or Monitoring Spaces general exception (section E202.5 of 36 CFR § 1194) applies.

Note that this exception does not apply to features of the ICT (such as Web interfaces) that can be accessed remotely, outside the maintenance or monitoring space where the ICT is located.

508.5 Additional Requirements

508.5.1 Notification Due to Impact from NRC Policies, Procedures, Tools and/or ICT Infrastructure

If and when 1) the Contractor is dependent upon NRC policies, procedures, tools and/or ICT infrastructure for Revised-508-Standards-conformant delivery of any of the products or services under this acquisition, and 2) the Contractor is aware that conformance of products or services will be negatively impacted by capability gaps in NRC policies, procedures, tools and/or ICT infrastructure, the Contractor shall inform the COR or ACOR so that the NRC can both be aware and take corrective action.

508.5.2 Accessibility of Electronic Content

For electronic content (as defined in section E103 of 36 CFR § 1194) deliverables of this contract/order:

1. If a deliverable is in the form of an Adobe Portable Document Format (PDF) file and is either Public Facing or Agency Official Communication (as defined in sections E103 and E205.3 of 36 CFR § 1194, respectively) the Contractor shall ensure that it conforms to both section E205.4 of 36 CFR § 1194 and ISO 14289-1 (PDF/UA-1)

2. Unless the Contractor requests and obtains advance written approval from the COR or ACOR for a specific deliverable or class of deliverables, the contractor shall ensure that

a. deliverables that are not Public Facing and not Agency Official Communication (as defined in sections E103 and E205.3 of 36 CFR § 1194, respectively) shall conform to section E205.4 of 36 CFR § 1194

b. deliverables that are in the form of PDF files, are not Public Facing and are not Agency Official Communication (as defined in sections E103 and E205.3 of 36 CFR § 1194, respectively) shall conform to section E205.4 of 36 CFR § 1194 and ISO 14289-1 (PDF/UA-1).

508.5.3 Other

It is desirable that the Contractor address the applicable provisions of the Revised 508 Standards throughout product and service lifecycles rather than only performing a conformance check toward the end of a process.

If and when the Contractor provides custom ICT development services pursuant to this acquisition, the Contractor shall ensure the ICT products and services fully support the applicable provisions of the Revised 508 Standards prior to delivery and before final acceptance.

If and when the Contractor provides installation, configuration or integration services for ICT products (equipment and/or software) pursuant to this acquisition, the Contractor shall not install, configure or integrate the ICT equipment and software in a way that reduces the level of conformance with the applicable provisions of the Revised 508 Standards.

If and when the scope of this contract/order includes work by the Contractor to collect, directly from NRC employees or the Public, requirements for the procurement, development, maintenance or use of ICT the Contractor shall identify the needs of users with disabilities in conformance to section E203.2.

508.6 ICT Accessibility Deliverables

The Contractor shall provide the following ICT accessibility deliverables, when within the scope of this contract/order.

508.6.1 Accessibility Conformance Report (ACR)

This report shall be submitted for ICT products, systems or application deliverables. A written ACR shall be based on the Voluntary Product Accessibility Template (VPAT), as specified at https://www.itic.org/policy/accessibility/vpat or provide equivalent information.

The purpose of this report is to document the state of conformance to the Revised 508 Standards for the subject product, system or application.

508.6.2 Supplemental Accessibility Report (SAR)

This report shall be submitted for ICT products, systems or application deliverables that have been custom developed or integrated by the Contractor to meet contract/order requirements. A written SAR shall contain:

a) Description of evaluation methods used to produce the ACR, to demonstrate due diligence in supporting conformance claims;

b) Information on core functions that can't be used by persons with disabilities; and,

c) Information on how to configure and install the ICT item to support accessibility

508.6.3 ICT Support Documentation

This documentation shall be submitted for ICT products, systems or application deliverables. The support documentation shall include:

a) Documentation of features that help achieve accessibility and compatibility with assistive technology for persons with disabilities (as required by section 602 of 36 CFR § 1194);

b) For authoring tools that generate content (documents, reports, videos, multimedia, web content, etc.): Information on how the tool enables the creation of accessible electronic content that conforms to the Revised 508 Standards (see section 504 of 36 CFR § 1194), including the range of accessible user interface elements the tool can create;

c) For platform software (as defined in section E103.4 of 36 CFR § 1194) and software tools that are provided by a platform developer: Documentation on the set of accessibility services that support applications running on the platform to interoperate with assistive technology, as required by section 502.3 of 36 CFR § 1194.

508.6.4 ICT Support Documentation (Alternate Formats)

Upon request, alternate formats for non-electronic support documentation shall be provided (as required by section 602.4 of 36 CFR § 1194).

508.6.5 Document Accessibility Checklist

This checklist shall be submitted for ICT electronic content deliverables that are documents (as defined in section E103 of 36 CFR § 1194), if the requirement is specified elsewhere in this acquisition that testing be performed. A completed checklist summarising the subject document's state of conformance to the applicable WCAG 2.0 Level A and AA Success Criteria (as referenced in section E205.4 and 702.10 of 36 CFR § 1194) and, for PDF files, ISO 14289-1 (PDF/UA-1).

508.6.6 Communication to ICT Users

When the Contractor is providing ICT support services (including, but not limited to help desks, call centers, training services, and automated self-service technical support), any communication to ICT users shall accommodate the communication needs of individuals with disabilities (see section 603.3 of 36 CFR § 1194) and include information on accessibility and compatibility features (see 603.2 of 36 CFR § 1194).

Verification of the use of Incremental Development Methodology

According to OMB, incremental development is defined as a method of system development where the product is designed, developed, tested, and implemented incrementally (a little more is added each time). In order to accommodate the incremental development requirements for IT projects, the following items should be included and addressed in the procurement lifecycle (plan, conduct, control, and close procurement):

1. All new order SOW should include a definition of incremental development.

2. The contractor should indicate that they are using some form of incremental development methodology in their response to the bid.

3. The contractor should provide a quarterly report of whether the order fulfils the incremental development requirements. This includes verifying whether the investment is adequately implementing incremental development by delivering usable functionality to end users at least every six months.

Release and Ownership of Publications

Any documents generated by the Contractor shall not be released for publication or dissemination without prior Contract Officer (CO) and/or COR or ACOR written approval.

In addition, all documentation developed in support of Agency initiatives or projects is the property of the NRC.

SECTION D - Packaging and Marking

D.1 BRANDING

The Contractor is required to use the statement below in any publications, presentations, articles, products, or materials funded under this contract, to the extent practical, in order to provide NRC with recognition for its involvement in and contribution to the project. If the work performed is funded entirely with NRC funds, then the contractor must acknowledge that information in its documentation/presentation.

Work Supported by the U.S. Nuclear Regulatory Commission (NRC), Office of Chief Information Officer, under Order number GS06F1018Z/31310019F0043.

(End of Clause)

D.2 PACKAGING AND MARKING

(a) The Contractor shall package material for shipment to the NRC in such a manner that will ensure acceptance by common carrier and safe delivery at destination.

Containers and closures shall comply with the Surface Transportation Board, Uniform Freight Classification Rules, or regulations of other carriers as applicable to the mode of transportation.

(b) On the front of the package, the Contractor shall clearly identify the order number under which the product is being provided.

(c) Additional packaging and/or marking requirements are as follows: N/A.

(End of Clause)

SECTION E - Inspection and Acceptance

E.1 INSPECTION AND ACCEPTANCE BY THE NRC (SEP 2013)

Inspection and acceptance of the deliverable items to be furnished hereunder shall be made by the NRC Contracting Officer's Representative (COR) at the destination, in accordance with FAR 52.247 F.o.b. Destination.

Contract Deliverables: Refer to deliverable table in SECTION C

(End of Clause)

SECTION F - Deliveries or Performance

F.1 PERIOD OF PERFORMANCE

This order shall commence on July 15, 2019 and will expire on July 14, 2020. The term of this order may be extended at the option of the Government for an additional four years, from July 15, 2020 to July 14, 2024.

Base Period: July 15, 2019 to July 14, 2020
Option Period 1: July 15, 2020 to July 14, 2021
Option Period 2: July 15, 2021 to July 14, 2022
Option Period 3: July 15, 2022 to July 14, 2023
Option Period 4: July 15, 2023 to July 14, 2024

(End of Clause)

SECTION G - Contract Administration Data

G.1 2052.215-70 Key personnel.

(a) The following individuals are considered to be essential to the successful performance of the work hereunder:

  • The contractor agrees that personnel may not be removed from the contract work or replaced without compliance with paragraphs (b) and (c) of this section.

(b) If one or more of the key personnel, for whatever reason, becomes, or is expected to become, unavailable for work under this contract for a continuous period exceeding 30 work days, or is expected to devote substantially less effort to the work than indicated in the proposal or initially anticipated, the contractor shall immediately notify the contracting officer and shall, subject to the concurrence of the contracting officer, promptly replace the personnel with personnel of at least substantially equal ability and qualifications.

(c) Each request for approval of substitutions must be in writing and contain a detailed explanation of the circumstances necessitating the proposed substitutions. The request must also contain a complete resume for the proposed substitute and other information requested or needed by the contracting officer to evaluate the proposed substitution.

The contracting officer and the project officer shall evaluate the contractor's request and the contracting officer shall promptly notify the contractor of his or her decision in writing.

(d) If the contracting officer determines that suitable and timely replacement of key personnel who have been reassigned, terminated, or have otherwise become unavailable for the contract work is not reasonably forthcoming, or that the resultant reduction of productive effort would be so substantial as to impair the successful completion of the contract or the service order, the contract may be terminated by the contracting officer for default or for the convenience of the Government, as appropriate.

If the contracting officer finds the contractor at fault for the condition, the contract price or fixed fee may be equitably adjusted downward to compensate the Government for any resultant delay, loss, or damage.

(End of Clause)

G.2 2052.215-71 PROJECT OFFICER AUTHORITY. (OCT 1999) - ALTERNATE II (OCT 1999)

(a) The contracting officer's authorized representative, hereinafter referred to as the project officer, for this order is:

Name:

Address:

Telephone Number:

(b) The alternate contracting officer's authorized representative, hereinafter referred to as the alternate project officer, for this order is:

Name:

Address:

Telephone Number:

(c) The project officer/ alternate project officer shall:

(1) Monitor contractor performance and recommend changes in requirements to the contracting officer.

(2) Inspect and accept products/services provided under the contract.

(3) Review all contractor invoices/vouchers requesting payment for products/services provided under the order and make recommendations for approval, disapproval, or suspension.

(c) The project officer may not make changes to the express terms and conditions of this contract.

(End of Clause)

G.3 REGISTRATION IN FEDCONNECT (JULY 2014)

The Nuclear Regulatory Commission (NRC) uses Compusearch Software Systems' secure and auditable two-way web portal, FedConnect, to communicate with vendors and contractors. FedConnect provides bi-directional communication between the vendor/contractor and the NRC throughout pre-award, award, and post-award acquisition phases. Therefore, in order to do business with the NRC, vendors and contractors must register to use FedConnect at https://www.fedconnect.net/FedConnect. The individual registering in FedConnect must have authority to bind the vendor/contractor. There is no charge for using FedConnect. Assistance with FedConnect is provided by Compusearch Software Systems, not the NRC. FedConnect contact and assistance information is provided on the FedConnect web site at https://www.fedconnect.net/FedConnect.

G.4 ELECTRONIC PAYMENT (DEC 2017)

The Debt Collection Improvement Act of 1996 requires that all payments except IRS tax refunds be made by Electronic Funds Transfer. Payment shall be made in accordance with FAR 52.232-33, entitled Payment by Electronic Funds Transfer-System for Award Management.

To receive payment, the contractor shall prepare invoices in accordance with NRC's Billing Instructions. Claims shall be submitted through the Invoice Processing Platform (IPP) (https://www.ipp.gov/). Back up documentation shall be included as required by the NRC's Billing Instructions.

(End of Clause)

BILLING INSTRUCTIONS FOR FIXED-PRICE TYPE CONTRACTS (JULY 2017)

General: During performance and through final payment of this contract, the contractor is responsible for the accuracy and completeness of data within the System for Award Management (SAM) database and the Invoice Processing Platform (IPP) system and for any liability resulting from the Government's reliance on inaccurate or incomplete SAM and/or IPP data.

The contractor shall prepare invoices/vouchers for payment of deliverables identified in the contract, in the manner described herein. FAILURE TO SUBMIT INVOICES/VOUCHERS IN ACCORDANCE WITH THESE INSTRUCTIONS MAY RESULT IN REJECTION OF THE INVOICE/VOUCHER AS IMPROPER.

Electronic Invoice/Voucher Submissions: Invoices/vouchers shall be submitted electronically to the U.S. Nuclear Regulatory Commission (NRC) through the Invoice Processing Platform (IPP) at www.ipp.gov.

Purchase of Capital Property: ($50,000 or more with life of one year or longer)

Contractors must report to the Contracting Officer, electronically, any capital property acquired with contract funds having an initial cost of $50,000 or more, in accordance with procedures set forth in NRC Management Directive (MD) 11.1, NRC Acquisition of Supplies and Services.

Agency Payment Office: Payment will be made by the office designated in the contract in Block 12 of Standard Form 26, Block 25 of Standard Form 33, or Block 18a of Standard Form 1449, whichever is applicable.

Frequency: The contractor shall submit invoices/vouchers for payment once each month, unless otherwise authorized by the Contracting Officer.

Supporting Documentation: Any supporting documentation required to substantiate the amount billed shall be included as an attachment to the invoice created in IPP. If the necessary supporting documentation is not included, the invoice will be rejected.

Task Order Contracts: The contractor must submit a separate invoice/voucher for each individual task order with pricing information.

Final vouchers/invoices shall be marked "FINAL INVOICE" or "FINAL VOUCHER".

Currency: Invoices/Vouchers must be expressed in U.S. Dollars.

Supersession: These instructions supersede previous Billing Instructions for Fixed-Price Type Contracts (JAN 2015).

Does my company need to register in IPP?

If your company is currently registered in IPP and doing business with other Federal Agencies in IPP, you will not be required to re-register.

If your company is not currently registered in IPP, please note the following:

You will be receiving an invitation to register for IPP from IPP Customer Support, STLS.IPPHELPDESK@stls.frb.org.

IPP Customer Support will send you two emails: the first email will contain the initial administrative IPP User ID and the second email, sent within 24 hours of receipt of the first email, will contain a temporary password.

Please add the Customer Support email address (STLS.IPPHELPDESK@stls.frb.org) to your address book so you do not disregard these emails or mistake them for spam.

During registration, one initial administrative user account will be created for your company and this user will be responsible for setting up all other user accounts including other administrators.

Registration is complete when the initial administrative user logs into the IPP web site with the User ID and password provided by Treasury and accepts the rules of behavior.

What type of training is provided?

Vendor training materials, including a first time login tutorial, user guides, a quick reference guide, and frequently asked questions are available on Treasury's IPP website. Individuals within your company responsible for submitting invoices should review these materials before work begins on the contract.

How do I receive assistance with IPP?

Treasury's IPP Customer Support team provides vendor assistance related to the IPP application, and is also available to assist IPP users and to answer any questions related to accessing IPP or completing the registration process. IPP application support is also available via phone at (866) 973-3131, Monday through Friday from 8:00 am to 6:00 pm ET, and via email at IPPCustomerSupport@fiscal.treasury.gov.

Specific questions regarding your contract or task order should be directed to the appropriate NRC Contracting Officer.

SECTION H - Special Contract Requirements

H.1 AWARD NOTIFICATION AND COMMITMENT OF PUBLIC FUNDS

It is brought to your attention that the contracting officer is the only individual who can legally obligate funds or commit the NRC to the expenditure of public funds in connection with this procurement. This means that unless provided in a contract document or specifically authorized by the contracting officer, NRC technical personnel may not issue contract modifications, give formal contractual commitments, or otherwise bind, commit, or obligate the NRC contractually. Informal unauthorized commitments, which do not obligate the NRC and do not entitle the contractor to payment, may include:

(1) Encouraging a potential contractor to incur costs prior to receiving a contract;

(2) Requesting or requiring a contractor to make changes under a contract without formal contract modifications;

(3) Encouraging a contractor to incur costs under a cost-reimbursable contract in excess of those costs contractually allowable; and

(4) Committing the Government to a course of action with regard to a potential contract, contract change, claim, or dispute.

(End of Clause)

H.2 USE OF AUTOMATED CLEARING HOUSE (ACH) ELECTRONIC PAYMENT/REMITTANCE ADDRESS

The Debt Collection Improvement Act of 1996 requires that all Federal payments except IRS tax refunds be made by Electronic Funds Transfer. It is the policy of the Nuclear Regulatory Commission to pay government vendors by the Automated Clearing House (ACH) electronic funds transfer payment system. Item 15C of the Standard Form 33 may be disregarded.

(End of Clause)

H.3 GREEN PURCHASING (SEP 2015)

(a) In furtherance of the sustainable acquisition goals of Executive Order (EO) 13693, "Planning for Federal Sustainability in the Next Decade," products and services provided under this contract/order shall be energy efficient (EnergyStar or Federal Energy Management Program - FEMP-designated products), water efficient, biobased, environmentally preferable (excluding EPEAT-registered products), non-ozone depleting, contain recycled content, or are non-or low toxic alternatives or hazardous constituents (e.g., non-VOC paint), where such products and services meet agency performance requirements. See: Executive Order (EO) 13693, "Planning for Federal Sustainability in the Next Decade."

(b) The NRC and contractor may negotiate during the contract term to permit the substitution or addition of designated recycled content products (i.e., Comprehensive Procurement Guidelines - CPG), EPEAT-registered products, EnergyStar- and FEMP designated energy efficient products and appliances, USDA designated biobased products (Biopreferred program), environmentally preferable products, WaterSense and other water efficient products, products containing non- or lower-ozone depleting substances (i.e., SNAP), and products containing non- or low-toxic or hazardous constituents (e.g., non-VOC paint), when such products and services are readily available at a competitive cost and satisfy the NRC's performance needs.

(c) The contractor shall flow down this clause into all subcontracts and other agreements that relate to performance of this contract/order.

(End of Clause)

H.4 AUTHORITY TO USE GOVERNMENT PROVIDED SPACE AT NRC HEADQUARTERS (SEP 2013)

Prior to occupying any Government provided space at NRC Headquarters in Rockville, Maryland, the Contractor shall obtain written authorization to occupy specifically designated government space, via the NRC Contracting Officer's Representative (COR), from the Chief, Space Design Branch, Office of Administration. Failure to obtain this prior authorization can result in one, or a combination, of the following remedies as deemed appropriate by the Contracting Officer.

(1) Rental charge for the space occupied will be deducted from the invoice amount due the Contractor

(2) Removal from the space occupied

(3) Contract Termination

(End of Clause)

H.5 SECURITY REQUIREMENTS FOR INFORMATION TECHNOLOGY LEVEL I OR LEVEL II ACCESS APPROVAL (JUL 2016)

The contractor must identify all individuals selected to work under this contract. The NRC Contracting Officer's Representative (COR) shall make the final determination of the level, if any, of IT access approval required for all individuals working under this contract/order using the following guidance. The Government shall have full and complete control and discretion over granting, denying, withholding, or terminating IT access approvals for contractor personnel performing work under this contract/order.

The contractor shall conduct a preliminary security interview or review for each employee requiring IT level I or II access and submit to the Government only the names of candidates that have a reasonable probability of obtaining the level of IT access approval for which the employee has been proposed. The contractor shall pre-screen its applicants for the following:

(a) felony arrest in the last seven (7) years;

(b) alcohol related arrest within the last five (5) years;

(c) record of any military courts-martial convictions in the past ten (10) years;

(d) illegal use of narcotics or other controlled substances possession in the past year, or illegal purchase, production, transfer, or distribution of narcotics or other controlled substances in the last seven (7) years; and

(e) delinquency on any federal debts or bankruptcy in the last seven (7) years.

The contractor shall make a written record of its pre-screening interview or review (including any information to mitigate the responses to items listed in (a) - (e)), and have the employee verify the pre-screening record or review, sign and date it. The contractor shall supply two (2) copies of the signed contractor's pre-screening record or review to the NRC Contracting Officer's Representative (COR), who will then provide them to the NRC Office of Administration, Division of Facilities and Security, Personnel Security Branch with the employee's completed IT access application package.

H.6 SECURITY REQUIREMENTS FOR BUILDING ACCESS APPROVAL (SEP 2013)

The Contractor shall ensure that all its employees, subcontractor employees or consultants who are assigned to perform the work herein for contract performance for periods of more than 30 calendar days at NRC facilities, are approved by the NRC for unescorted NRC building access.

The Contractor shall conduct a preliminary federal facilities security screening interview or review for each of its employees, subcontractor employees, and consultants and submit to the NRC only the names of candidates for contract performance that have a reasonable probability of obtaining approval necessary for access to NRC's federal facilities. The Contractor shall pre-screen its applicants for the following:

(a) felony arrest in the last seven (7) years;

(b) alcohol related arrest within the last five (5) years;

(c) record of any military courts-martial convictions in the past ten (10) years;

(d) illegal use of narcotics or other controlled substances possession in the past year, or illegal purchase, production, transfer, or distribution of narcotics or other controlled substances in the last seven (7) years; and

(e) delinquency on any federal debts or bankruptcy in the last seven (7) years.

The Contractor shall make a written record of its pre-screening interview or review (including any information to mitigate the responses to items listed in (a) - (e)), and have the applicant verify the pre-screening record or review, sign and date it. Two (2) copies of the pre-screening signed record or review shall be supplied to the Division of Facilities and Security, Personnel Security Branch (DFS/PSB) with the Contractor employee's completed building access application package.

The Contractor shall further ensure that its employees, any subcontractor employees and consultants complete all building access security applications required by this clause within fourteen (14) calendar days of notification by DFS/PSB of initiation of the application process. Timely receipt of properly completed records of the Contractor's signed pre-screening record or review and building access security applications (submitted for candidates that have a reasonable probability of obtaining the level of access authorization necessary for access to NRC's facilities) is a contract requirement.

Failure of the Contractor to comply with this contract administration requirement may be a basis to cancel the award, or terminate the contract for default, or offset from the contract's invoiced cost or price the NRC's incurred costs or delays as a result of inadequate pre-screening by the Contractor. In the event of cancellation or termination, the NRC may select another firm for contract award.

A Contractor, subcontractor employee or consultant shall not have access to NRC facilities until he/she is approved by DFS/PSB. Temporary access may be approved based on a favorable NRC review and discretionary determination of their building access security forms. Final building access will be approved based on favorably adjudicated checks by the Government. However, temporary access approval will be revoked and the Contractor's employee may subsequently be denied access in the event the employee's investigation cannot be favorably determined by the NRC. Such employee will not be authorized to work under any NRC contract requiring building access without the approval of DFS/PSB. When an individual receives final access, the individual will be subject to a review or reinvestigation every five (5) or ten (10) years, depending on their job responsibilities at the NRC.

The Government shall have and exercise full and complete control and discretion over granting, denying, withholding, or terminating building access approvals for individuals performing work under this contract. Individuals performing work under this contract at NRC facilities for a period of more than 30 calendar days shall be required to complete and submit to the Contractor representative an acceptable OPM Standard Form 85 (Questionnaire for Non-Sensitive Positions), and two (2) FD 258 (Fingerprint Charts).

Non-U.S. citizens must provide official documentation to the DFS/PSB, as proof of their legal residency. This documentation can be a Permanent Resident Card, Temporary Work Visa, Employment Authorization Card, or other official documentation issued by the U.S. Citizenship and Immigration Services. Any applicant with less than five (5) years residency in the U.S. will not be approved for building access. The Contractor shall submit the documents to the NRC Contracting Officer's Representative (COR) who will give them to DFS/PSB.

DFS/PSB may, among other things, grant or deny temporary unescorted building access approval to an individual based upon its review of the information contained in the OPM Standard Form 85 and the Contractor's pre-screening record. Also, in the exercise of its authority, the Government may, among other things, grant or deny permanent building access approval based on the results of its review or investigation. This submittal requirement also applies to the officers of the firm who, for any reason, may visit the NRC work sites for an extended period of time during the term of the contract. In the event that DFS/PSB are unable to grant a temporary or permanent building access approval, to any individual performing work under this contract, the Contractor is responsible for assigning another individual to perform the necessary function without any delay in the contract's performance schedule, or without adverse impact to any other terms or conditions of the contract. The Contractor is responsible for informing those affected by this procedure of the required building access approval process (i.e., temporary and permanent determinations), and the possibility that individuals may be required to wait until permanent building access approvals are granted before beginning work in NRC's buildings.

CANCELLATION OR TERMINATION OF BUILDING ACCESS/REQUEST

The Contractor shall immediately notify the COR when a Contractor or subcontractor employee or consultant's need for NRC building access approval is withdrawn or the need by the Contractor employees for building access terminates. The COR will immediately notify DFS/PSB (via e-mail) when a Contractor employee no longer requires building access. The Contractor shall be required to return any NRC issued badges to the COR for return to DFS/FSB (Facilities Security Branch) within three (3) days after their termination.

(End of Clause)

SECTION I - Contract Clauses

I.1 FAR Clauses Incorporated By Reference

52.203-6 RESTRICTIONS ON SUBCONTRACTOR SALES TO THE GOVERNMENT. (SEP 2006) - ALTERNATE I (OCT 1995)
52.203-8 CANCELLATION, RESCISSION, AND RECOVERY OF FUNDS FOR ILLEGAL OR IMPROPER ACTIVITY. (MAY 2014)
52.203-10 PRICE OR FEE ADJUSTMENT FOR ILLEGAL OR IMPROPER ACTIVITY. (MAY 2014)
52.204-9 PERSONAL IDENTITY VERIFICATION OF CONTRACTOR PERSONNEL. (JAN 2011)
52.204-10 REPORTING EXECUTIVE COMPENSATION AND FIRST-TIER SUBCONTRACT AWARDS. (OCT 2018)
52.204-14 SERVICE CONTRACT REPORTING REQUIREMENTS. (OCT 2016)
52.204-19 INCORPORATION BY REFERENCE OF REPRESENTATIONS AND CERTIFICATIONS. (DEC 2014)
52.219-8 UTILIZATION OF SMALL BUSINESS CONCERNS. (OCT 2018)
52.222-3 CONVICT LABOR. (JUN 2003)
52.222-21 PROHIBITION OF SEGREGATED FACILITIES. (APR 2015)
52.222-26 EQUAL OPPORTUNITY. (SEP 2016)
52.222-37 EMPLOYMENT REPORTS ON VETERANS. (FEB 2016)
52.222-50 COMBATING TRAFFICKING IN PERSONS. (JAN 2019)
52.222-54 EMPLOYMENT ELIGIBILITY VERIFICATION. (OCT 2015)
52.224-3 PRIVACY TRAINING. (JAN 2017)
52.225-13 RESTRICTIONS ON CERTAIN FOREIGN PURCHASES. (JUN 2008)
52.232-33 PAYMENT BY ELECTRONIC FUNDS TRANSFER - SYSTEM FOR AWARD MANAGEMENT. (OCT 2018)
52.233-3 PROTEST AFTER AWARD. (AUG 1996)
52.233-4 APPLICABLE LAW FOR BREACH OF CONTRACT CLAIM. (OCT 2004)
52.239-1 PRIVACY OR SECURITY SAFEGUARDS. (AUG 1996)

I.2 NRCAR Clauses Incorporated By Reference

2052.215-73 AWARD NOTIFICATION AND COMMITMENT OF PUBLIC FUNDS (OCT 1999)
2052.222-70 NONDISCRIMINATION BECAUSE OF AGE. (JAN 1993)

I.3 FAR Clauses Incorporated By Full Text

52.217-7 Option for Increased Quantity-Separately Priced Line Item.

The Government may require the delivery of the numbered line item, identified in the Schedule as an optional task, in the quantity and at the price stated in the Schedule. The Contracting Officer may exercise the option by written notice to the Contractor at any time prior to the expiration of the contract. Delivery of added items shall continue at the same rate that like items are called for under the contract, unless the parties otherwise agree.

(End of clause)

52.217-8 Option to Extend Services.

The Government may require continued performance of any services within the limits and at the rates specified in the contract. These rates may be adjusted only as a result of revisions to prevailing labor rates provided by the Secretary of Labor. The option provision may be exercised more than once, but the total extension of performance hereunder shall not exceed 6 months. The Contracting Officer may exercise the option by written notice to the Contractor at any time prior to the expiration of the contract.

(End of clause)

52.217-9 Option to Extend the Term of the Contract.

(a) The Government may extend the term of this contract by written notice to the Contractor at any time prior to the expiration of the contract; provided that the Government gives the Contractor a preliminary written notice of its intent to extend at any time prior to the expiration of the contract. The preliminary notice does not commit the Government to an extension.

(b) If the Government exercises this option, the extended contract shall be considered to include this option clause.

(c) The total duration of this contract, including the exercise of any options under this clause, shall not exceed 60 months.

(End of clause)

52.219-11 SPECIAL 8(A) CONTRACT CONDITIONS. (JAN 2017)

The Small Business Administration (SBA) agrees to the following:

(a) To furnish the supplies or services set forth in this order according to the specifications and the terms and conditions hereof by subcontracting with an eligible concern pursuant to the provisions of section 8(a) of the Small Business Act, as amended (15 U.S.C. 637(a)).

(b) That in the event SBA does not award a subcontract for all or a part of the work hereunder, this order may be terminated either in whole or in part without cost to either party.

(c) Except for novation agreements, delegates to the NRC the responsibility for administering the subcontract to be awarded hereunder with complete authority to take any action on behalf of the Government under the terms and conditions of the subcontract; provided, however, that the NRC shall give advance notice to the SBA before it issues a final notice terminating the right of a subcontractor to proceed with further performance, either in whole or in part, under the subcontract for default or for the convenience of the Government.

(d) That payments to be made under any subcontract awarded under this order will be made directly to the subcontractor by the NRC.

(e) That the subcontractor awarded a subcontract hereunder shall have the right of appeal from decisions of the Contracting Officer cognizable under the Disputes clause of said subcontract.

(f) To notify the NRC Contracting Officer immediately upon notification by the subcontractor that the owner or owners upon whom 8(a) eligibility was based plan to relinquish ownership or control of the concern.

(End of clause)

52.219-12 SPECIAL 8(A) SUBCONTRACT CONDITIONS. (JAN 2017)

(a) The Small Business Administration (SBA) has entered into Order No. GS06F1018Z/31310019F0043 with the NRC to furnish the supplies or services as described therein. A copy of the order is attached hereto and made a part hereof.

(b) The Groundswell Consulting Group LLC, hereafter referred to as the subcontractor, agrees and acknowledges as follows:

(1) That it will, for and on behalf of the SBA, fulfill and perform all of the requirements of Order No. GS06F1018Z/31310019F0043 for the consideration stated therein and that it has read and is familiar with each and every part of the contract.

(2) That the SBA has delegated responsibility, except for novation agreements, for the administration of this subcontract to the NRC with complete authority to take any action on behalf of the Government under the conditions of this subcontract.

(3) That it will not subcontract the performance of any of the requirements of this subcontract to any lower tier subcontractor without the prior written approval of the SBA and the designated Contracting Officer of the NRC.

(4) That it will notify the NRC Contracting Officer in writing immediately upon entering an agreement (either oral or written) to transfer all or part of its stock or other ownership interest to any other party.

(c) Payments, including any progress payments under this subcontract, will be made directly to the subcontractor by the NRC.

(End of clause)

52.219-28 POST-AWARD SMALL BUSINESS PROGRAM REREPRESENTATION. (JUL 2013)

(a) Definitions. As used in this clause-

Long-term contract means a contract of more than five years in duration, including options. However, the term does not include contracts that exceed five years in duration because the period of performance has been extended for a cumulative period not to exceed six months under the clause at 52.217-8, Option to Extend Services, or other appropriate authority.

Small business concern means a concern, including its affiliates, that is independently owned and operated, not dominant in the field of operation in which it is bidding on Government contracts, and qualified as a small business under the criteria in 13 CFR part 121 and the size standard in paragraph (c) of this clause. Such a concern is "not dominant in its field of operation" when it does not exercise a controlling or major influence on a national basis in a kind of business activity in which a number of business concerns are primarily engaged.

In determining whether dominance exists, consideration shall be given to all appropriate factors, including volume of business, number of employees, financial resources, competitive status or position, ownership or control of materials, processes, patents, license agreements, facilities, sales territory, and nature of business activity.

(b) If the Contractor represented that it was a small business concern prior to award of this contract, the Contractor shall rerepresent its size status according to paragraph (e) of this clause or, if applicable, paragraph (g) of this clause, upon the occurrence of any of the following:

(1) Within 30 days after execution of a novation agreement or within 30 days after modification of the order to include this clause, if the novation agreement was executed prior to inclusion of this clause in the contract.

(2) Within 30 days after a merger or acquisition that does not require a novation or within 30 days after modification of the order to include this clause, if the merger or acquisition occurred prior to inclusion of this clause in the contract.

(3) For long-term contracts-

(i) Within 60 to 120 days prior to the end of the fifth year of the contract; and

(ii) Within 60 to 120 days prior to the date specified in the order for exercising any option thereafter.

(c) The Contractor shall rerepresent its size status in accordance with the size standard in effect at the time of this rerepresentation that corresponds to the North American Industry Classification System (NAICS) code assigned to this contract. The small business size standard corresponding to this NAICS code can be found at http://www.sba.gov/content/table-small-business-size-standards.

(d) The small business size standard for a Contractor providing a product which it does not manufacture itself, for a contract other than a construction or service contract, is 500 employees.

(e) Except as provided in paragraph (g) of this clause, the Contractor shall make the representation required by paragraph (b) of this clause by validating or updating all its representations in the Representations and Certifications section of the System for Award Management (SAM) and its other data in SAM, as necessary, to ensure that they reflect the Contractor's current status. The Contractor shall notify the contracting office in writing within the timeframes specified in paragraph (b) of this clause that the data have been validated or updated, and provide the date of the validation or update.

(f) If the Contractor represented that it was other than a small business concern prior to award of this contract, the Contractor may, but is not required to, take the actions required by paragraphs (e) or (g) of this clause.

(g) If the Contractor does not have representations and certifications in SAM, or does not have a representation in SAM for the NAICS code applicable to this contract, the Contractor is required to complete the following rerepresentation and submit it to the contracting office, along with the contract number and the date on which the rerepresentation was completed:

The Contractor represents that it [ ] is, [ ] is not a small business concern under NAICS Code [insert NAICS Code] assigned to order number [insert contract number]. (Contractor to sign and date and insert authorized signer's name and title).

(End of clause)

52.222-35 EQUAL OPPORTUNITY FOR VETERANS. (OCT 2015)

(a) Definitions. As used in this clause-

"Active duty wartime or campaign badge veteran," "Armed Forces service medal veteran," "disabled veteran," "protected veteran," "qualified disabled veteran," and "recently separated veteran" have the meanings given at FAR 22.1301.

(b) Equal opportunity clause. The Contractor shall abide by the requirements of the equal opportunity clause at 41 CFR 60-300.5(a), as of March 24, 2014. This clause prohibits discrimination against qualified protected veterans, and requires affirmative action by the Contractor to employ and advance in employment qualified protected veterans.

(c) Subcontracts. The Contractor shall insert the terms of this clause in subcontracts of $150,000 or more unless exempted by rules, regulations, or orders of the Secretary of Labor. The Contractor shall act as specified by the Director, Office of Federal Contract Compliance Programs, to enforce the terms, including action for noncompliance. Such necessary changes in language may be made as shall be appropriate to identify properly the parties and their undertakings.

(End of clause)

52.222-36 EQUAL OPPORTUNITY FOR WORKERS WITH DISABILITIES. (JUL 2014)

(a) Equal opportunity clause. The Contractor shall abide by the requirements of the equal opportunity clause at 41 CFR 60-741.5(a), as of March 24, 2014. This clause prohibits discrimination against qualified individuals on the basis of disability, and requires affirmative action by the Contractor to employ and advance in employment qualified individuals with disabilities.

(b) Subcontracts. The Contractor shall include the terms of this clause in every subcontract or purchase order in excess of $15,000 unless exempted by rules, regulations, or orders of the Secretary, so that such provisions will be binding upon each subcontractor or vendor. The Contractor shall act as specified by the Director, Office of Federal Contract Compliance Programs of the U.S. Department of Labor, to enforce the terms, including action for noncompliance. Such necessary changes in language may be made as shall be appropriate to identify properly the parties and their undertakings.

(End of clause)

SECTION J - List of Documents, Exhibits and Other Attachments

Attachment Number | Title | Date
1 | 8aSTARSIIContract | 05/08/2019