ML21272A105
| ML21272A105 | |
|---|---|
| Issue date: | 09/16/2021 |
| From: | Rasmey Robinson, Acquisition Management Division |
| To: | |
| References | 31310021C0024 |
AWARD/CONTRACT
STANDARD FORM 26 (Rev. 3/2013). Prescribed by GSA - FAR (48 CFR) 53.214(a). AUTHORIZED FOR LOCAL REPRODUCTION. Previous edition is NOT usable.
- 1. THIS CONTRACT IS A RATED ORDER UNDER DPAS (15 CFR 700); RATING; PAGE 1 OF 50 PAGES
- 2. CONTRACT (Proc. Inst. Ident.) NO.: 31310021C0024
- 3. EFFECTIVE DATE: See Block 20C
- 4. REQUISITION/PURCHASE REQUEST/PROJECT NO.: ADM-21-0125
- 5. ISSUED BY (CODE NRCHQ): US NRC - HQ, ACQUISITION MANAGEMENT DIVISION, MAIL STOP TWFN-07B20M, WASHINGTON DC 20555-0001
- 6. ADMINISTERED BY (If other than Item 5):
- 7. NAME AND ADDRESS OF CONTRACTOR (No., street, country, State and ZIP Code): CHAINBRIDGE SOLUTIONS INCORPORATED, ATTN AARTI SMITH, 12700 FAIR LAKES CIRCLE SUITE 230, FAIRFAX VA 220334905
- 8. DELIVERY: FOB ORIGIN / OTHER (See below): X
- 9. DISCOUNT FOR PROMPT PAYMENT
- 10. SUBMIT INVOICES (4 copies unless otherwise specified) TO THE ADDRESS SHOWN IN ITEM
- 11. SHIP TO/MARK FOR (CODE NRCHQ): NUCLEAR REGULATORY COMMISSION, NUCLEAR REGULATORY COMMISSION, WASHINGTON DC 20555-0001
- 12. PAYMENT WILL BE MADE BY: NRC PAYMENTS 1 NRC PAYMENTS NRCFISCALTREASURYGOV
- 13. AUTHORITY FOR USING OTHER THAN FULL AND OPEN COMPETITION: 10 U.S.C. 2304 (c) ( ); 41 U.S.C. 3304 (a) ( )
- 14. ACCOUNTING AND APPROPRIATION DATA: See Schedule
- 15A. ITEM NO; 15B. SUPPLIES/SERVICES; 15C. QUANTITY; 15D. UNIT; 15E. UNIT PRICE; 15F. AMOUNT: Continued
- 15G. TOTAL AMOUNT OF CONTRACT: $1,037,797.50
- 16. TABLE OF CONTENTS

| (X) | SEC. | DESCRIPTION | PAGE(S) |
|---|---|---|---|
| | | PART I - THE SCHEDULE | |
| | A | SOLICITATION/CONTRACT FORM | |
| X | B | SUPPLIES OR SERVICES AND PRICES/COSTS | 7 |
| X | C | DESCRIPTION/SPECS./WORK STATEMENT | 8 |
| X | D | PACKAGING AND MARKING | 9 |
| X | E | INSPECTION AND ACCEPTANCE | 10 |
| X | F | DELIVERIES OR PERFORMANCE | 11 |
| X | G | CONTRACT ADMINISTRATION DATA | 12 |
| X | H | SPECIAL CONTRACT REQUIREMENTS | 13 |
| | | PART II - CONTRACT CLAUSES | |
| X | I | CONTRACT CLAUSES | 42 |
| | | PART III - LIST OF DOCUMENTS, EXHIBITS AND OTHER ATTACH. | |
| X | J | LIST OF ATTACHMENTS | 50 |
| | | PART IV - REPRESENTATIONS AND INSTRUCTIONS | |
| | K | REPRESENTATIONS, CERTIFICATIONS AND OTHER STATEMENTS OF OFFERORS | |
| | L | INSTRS., CONDS., AND NOTICES TO OFFERORS | |
| | M | EVALUATION FACTORS FOR AWARD | |

CONTRACTING OFFICER WILL COMPLETE ITEM 17 (SEALED-BID OR NEGOTIATED PROCUREMENT) OR 18 (SEALED-BID PROCUREMENT) AS APPLICABLE: X
- 17. CONTRACTOR'S NEGOTIATED AGREEMENT (Contractor is required to sign this document and return copies to issuing office.) Contractor agrees to furnish and deliver all items or perform all the services set forth or otherwise identified above and on any continuation sheets for the consideration stated herein. The rights and obligations of the parties to this contract shall be subject to and governed by the following documents: (a) this award/contract, (b) the solicitation, if any, and (c) such provisions, representations, certifications, and specifications, as are attached or incorporated by reference herein. (Attachments are listed herein.)
- 18. SEALED-BID AWARD (Contractor is not required to sign this document.) Your bid on Solicitation Number, including the additions or changes made by you which additions or changes are set forth in full above, is hereby accepted as to the items listed above and on any continuation sheets. This award consummates the contract which consists of the following documents: (a) the Government's solicitation and your bid, and (b) this award/contract. No further contractual document is necessary. (Block 18 should be checked only when awarding a sealed-bid contract.)
- 19A. NAME AND TITLE OF SIGNER (Type or print)
- 19B. NAME OF CONTRACTOR: CHAINBRIDGE SOLUTIONS INCORPORATED; BY (Signature of person authorized to sign)
- 19C. DATE SIGNED
- 20A. NAME OF CONTRACTING OFFICER: RICHARD W. ROBINSON
- 20B. UNITED STATES OF AMERICA; BY (Signature of the Contracting Officer)
- 20C. DATE SIGNED: 09/16/2021
Unlabeled entries: 30; 791357200; SCD-C; 31310021R0066
B - Supplies or Services/Prices
- B.1 BRIEF PROJECT TITLE AND WORK DESCRIPTION
- B.2 CONSIDERATION AND OBLIGATION-FIRM-FIXED-PRICE
- B.3 CONSIDERATION AND OBLIGATION-LABOR-HOUR CONTRACT
C - Description/Specifications
- C.1 STATEMENT OF WORK
D - Packaging and Marking
- D.1 PACKAGING AND MARKING
- D.2 BRANDING
E - Inspection and Acceptance
- E.1 INSPECTION AND ACCEPTANCE BY THE NRC (SEP 2013)
F - Deliveries or Performance
- F.1 PLACE OF DELIVERY-REPORTS
- F.2 PERIOD OF PERFORMANCE ALTERNATE
- F.3 PLACE OF PERFORMANCE
G - Contract Administration Data
- G.1 REGISTRATION IN FEDCONNECT (MAY 2021)
- G.2 ELECTRONIC PAYMENT (DEC 2017)
H - Special Contract Requirements
- H.1 SECURITY REQUIREMENTS FOR BUILDING ACCESS APPROVAL (SEP 2013)
- H.2 SECURITY REQUIREMENTS FOR INFORMATION TECHNOLOGY LEVEL I OR LEVEL II ACCESS APPROVAL (JUL 2016)
- H.3 IT SECURITY REQUIREMENTS - DEVELOPMENT AND OPERATIONS AND MAINTENANCE REQUIREMENTS (APR 2014)
- H.4 IT SECURITY REQUIREMENTS - CERTIFICATION AND ACCREDITATION
- H.5 ANNUAL AND FINAL CONTRACTOR PERFORMANCE EVALUATIONS
- H.6 RULES OF BEHAVIOR FOR AUTHORIZED COMPUTER USE
- H.7 INTERNET
- H.8 NRC INFORMATION TECHNOLOGY SECURITY TRAINING (MAY 2016)
- H.9 SECURITY REQUIREMENTS RELATING TO THE PRODUCTION OF REPORTS OR THE PUBLICATION OF RESULTS UNDER CONTRACTS, AGREEMENTS, AND GRANTS (JUL 2016)
- H.10 WHISTLEBLOWER PROTECTION FOR NRC CONTRACTOR AND SUBCONTRACTOR EMPLOYEES
- H.11 DRUG FREE WORKPLACE TESTING: UNESCORTED ACCESS TO NUCLEAR FACILITIES, ACCESS TO CLASSIFIED INFORMATION OR SAFEGUARDS INFORMATION, OR PERFORMING IN SPECIALLY SENSITIVE POSITIONS (MARCH 2019)
- H.12 CONTRACTOR RESPONSIBILITY FOR PROTECTING PERSONALLY IDENTIFIABLE INFORMATION (PII)
- H.13 GREEN PURCHASING (SEP 2015)
- H.14 USE OF AUTOMATED CLEARING HOUSE (ACH) ELECTRONIC PAYMENT/REMITTANCE ADDRESS
- H.15 KEY PERSONNEL. (JAN 1993)
- H.16 2052.204-70 SECURITY. (OCT 1999)
- H.17 2052.204-71 SITE ACCESS BADGE REQUIREMENTS. (JAN 1993)
- H.18 2052.209-72 CONTRACTOR ORGANIZATIONAL CONFLICTS OF INTEREST. (JAN 1993)
- H.19 2052.215-71 CONTRACTING OFFICER REPRESENTATIVE AUTHORITY. (OCT 1999)
I - Contract Clauses
- I.10 52.204-21 BASIC SAFEGUARDING OF COVERED CONTRACTOR INFORMATION SYSTEMS. (JUN 2016)
- I.13 52.217-8 OPTION TO EXTEND SERVICES. (NOV 1999)
- I.14 52.217-9 OPTION TO EXTEND THE TERM OF THE CONTRACT. (MAR 2000)
- I.15 52.219-11 SPECIAL 8(A) CONTRACT CONDITIONS. (JAN 2017)
- I.16 52.219-12 SPECIAL 8(A) SUBCONTRACT CONDITIONS. (OCT 2019)
- I.17 52.219-14 LIMITATIONS ON SUBCONTRACTING. (MAR 2020)
- I.18 52.219-17 SECTION 8(A) AWARD. (OCT 2019)
- I.39 52.252-2 CLAUSES INCORPORATED BY REFERENCE. (FEB 1998)
J - List of Documents, Exhibits and Other Attachments
B - Supplies or Services/Prices
B.1 BRIEF PROJECT TITLE AND WORK DESCRIPTION
(a) The title of this project is: Procurement for Development and Maintenance of NRC Travel Tracker Software/SEAD 3 Software Solution
(b) Summary work description: The objective of this contract/purchase order is to provide the NRC with a secure software solution to track unofficial foreign travel. The contractor shall be familiar with Security Executive Agent Directive 3 (SEAD 3). The Minimum Viable Product (MVP) software solution must be approved and be in place by NLT Jan 6, 2022.
B.2 CONSIDERATION AND OBLIGATION-FIRM-FIXED-PRICE
The total amount of the Firm-Fixed-Price portion of this contract is $500,177.60 (Base and all Exercised Options) and this amount is fully funded.
B.3 CONSIDERATION AND OBLIGATION-LABOR-HOUR CONTRACT
(a) The ceiling price to the Government for full performance under this contract for Labor Hour Services is $537,619.90 (Base and All Options).
(b) The contract includes direct labor hours at specified fixed hourly rates, inclusive of wages, fringe, overhead, general and administrative expenses, and profit.
(c) It is estimated that the amount currently obligated to Labor Hour Line Items ($0) will cover performance through: No Labor Hour Line items have been exercised yet.
(d) This is an incrementally-funded contract and FAR 52.232 Limitation of Funds applies.
C - Description/Specifications
C.1 STATEMENT OF WORK
C. STATEMENT OF WORK
See Attachment 1 - Statement of Work
D - Packaging and Marking
D.1 PACKAGING AND MARKING
(a) The Contractor shall package material for shipment to the NRC in such a manner that will ensure acceptance by common carrier and safe delivery at destination. Containers and closures shall comply with the Surface Transportation Board, Uniform Freight Classification Rules, or regulations of other carriers as applicable to the mode of transportation.
(b) On the front of the package, the Contractor shall clearly identify the contract number under which the product is being provided.
(c) Additional packaging and/or marking requirements are as follows: N/A.
D.2 BRANDING
The Contractor is required to use the statement below in any publications, presentations, articles, products, or materials funded under this contract/order, to the extent practical, in order to provide NRC with recognition for its involvement in and contribution to the project. If the work performed is funded entirely with NRC funds, then the contractor must acknowledge that information in its documentation/presentation.
Work Supported by the U.S. Nuclear Regulatory Commission (NRC), Office of Administration, under Contract/order number 31310021C0024.
E - Inspection and Acceptance
E.1 INSPECTION AND ACCEPTANCE BY THE NRC (SEP 2013)
Inspection and acceptance of the deliverable items to be furnished hereunder shall be made by the NRC Contracting Officer's Representative (COR) at the destination, in accordance with FAR 52.247 F.o.b. Destination.
Contract Deliverables:
1. See Section C.5 of Attachment 1
E.2 52.246-4 INSPECTION OF SERVICES - FIXED-PRICE. (AUG 1996)
E.3 52.246-6 INSPECTION - TIME-AND-MATERIAL AND LABOR-HOUR. (MAY 2001)
F - Deliveries or Performance
F.1 PLACE OF DELIVERY-REPORTS
The items to be furnished hereunder shall be delivered electronically, with all applicable charges paid by the Contractor, to:
Michael England, Contracting Officer's Representative (COR), michael.england@nrc.gov; and
Rob Robinson, Contracting Officer, richard.robinson@nrc.gov
F.2 PERIOD OF PERFORMANCE ALTERNATE
This contract shall commence on 09/17/2021 and will expire on 03/16/2022. The term of this contract may be extended at the option of the Government for an additional 48 months, from 3/16/2022 to 3/16/2026.
Base Period: 9/17/2021 - 3/16/2022
Optional Task 1: 9/17/2021 - 3/16/2022
Option Period(s):
Option Period 1: 3/17/2022 - 3/16/2023
Option Period 2: 3/17/2023 - 3/16/2024
Option Period 3: 3/17/2024 - 3/16/2025
Option Period 4: 3/17/2025 - 3/16/2026
F.3 PLACE OF PERFORMANCE
The work to be performed under this contract/order will be primarily performed at the Contractor's site.
G - Contract Administration Data
G.1 REGISTRATION IN FEDCONNECT (MAY 2021)
The Nuclear Regulatory Commission (NRC) uses Unison Software Inc.'s secure and auditable two-way web portal, FedConnect, to communicate with vendors and contractors. FedConnect provides bi-directional communication between the vendor/contractor and the NRC throughout pre-award, award, and post-award acquisition phases.
Vendors/contractors shall use FedConnect for the submission of responses to solicitations, acknowledgment of receipt of award and modification documents; and may be required to submit monthly letter status reports and other deliverables through FedConnect as well.
Please see Section C of this award for details regarding submission of deliverables.
Therefore, in order to do business with the NRC, vendors and contractors shall register to use FedConnect at https://www.fedconnect.net/FedConnect. The individual registering in FedConnect shall have authority to bind the vendor/contractor. There is no charge for using FedConnect. Assistance with FedConnect is provided by Unison, not the NRC. FedConnect contact and assistance information is provided on the FedConnect web site.
G.2 ELECTRONIC PAYMENT (DEC 2017)
The Debt Collection Improvement Act of 1996 requires that all payments except IRS tax refunds be made by Electronic Funds Transfer. Payment shall be made in accordance with FAR 52.232-33, entitled Payment by Electronic Funds Transfer-System for Award Management.
To receive payment, the contractor shall prepare invoices in accordance with NRC's Billing Instructions. Claims shall be submitted through the Invoice Processing Platform (IPP) (https://www.ipp.gov/). Back up documentation shall be included as required by the NRC's Billing Instructions.
H - Special Contract Requirements
H.1 SECURITY REQUIREMENTS FOR BUILDING ACCESS APPROVAL (SEP 2013)
The Contractor shall ensure that all its employees, subcontractor employees or consultants who are assigned to perform the work herein for contract performance for periods of more than 30 calendar days at NRC facilities, are approved by the NRC for unescorted NRC building access.
The Contractor shall conduct a preliminary federal facilities security screening interview or review for each of its employees, subcontractor employees, and consultants and submit to the NRC only the names of candidates for contract performance that have a reasonable probability of obtaining approval necessary for access to NRC's federal facilities. The Contractor shall pre-screen its applicants for the following:
(a) felony arrest in the last seven (7) years;
(b) alcohol related arrest within the last five (5) years;
(c) record of any military courts-martial convictions in the past ten (10) years;
(d) illegal use of narcotics or other controlled substances possession in the past year, or illegal purchase, production, transfer, or distribution of narcotics or other controlled substances in the last seven (7) years; and
(e) delinquency on any federal debts or bankruptcy in the last seven (7) years.
The Contractor shall make a written record of its pre-screening interview or review (including any information to mitigate the responses to items listed in (a) - (e)), and have the applicant verify the pre-screening record or review, sign and date it. Two (2) copies of the pre-screening signed record or review shall be supplied to the Division of Facilities and Security, Personnel Security Branch (DFS/PSB) with the Contractor employee's completed building access application package.
The Contractor shall further ensure that its employees, any subcontractor employees and consultants complete all building access security applications required by this clause within fourteen (14) calendar days of notification by DFS/PSB of initiation of the application process.
Timely receipt of properly completed records of the Contractor's signed pre-screening record or review and building access security applications (submitted for candidates that have a reasonable probability of obtaining the level of access authorization necessary for access to NRC's facilities) is a contract requirement. Failure of the Contractor to comply with this contract administration requirement may be a basis to cancel the award, or terminate the contract for default, or offset from the contract's invoiced cost or price the NRC's incurred costs or delays as a result of inadequate pre-screening by the Contractor. In the event of cancellation or termination, the NRC may select another firm for contract award.
A Contractor, subcontractor employee or consultant shall not have access to NRC facilities until he/she is approved by DFS/PSB. Temporary access may be approved based on a favorable NRC review and discretionary determination of their building access security forms. Final building access will be approved based on favorably adjudicated checks by the Government.
However, temporary access approval will be revoked and the Contractor's employee may subsequently be denied access in the event the employee's investigation cannot be favorably determined by the NRC. Such employee will not be authorized to work under any NRC contract requiring building access without the approval of DFS/PSB. When an individual receives final access, the individual will be subject to a review or reinvestigation every five (5) or ten (10) years, depending on their job responsibilities at the NRC.
The Government shall have and exercise full and complete control and discretion over granting, denying, withholding, or terminating building access approvals for individuals performing work under this contract. Individuals performing work under this contract at NRC facilities for a period of more than 30 calendar days shall be required to complete and submit to the Contractor representative an acceptable OPM Standard Form 85 (Questionnaire for Non-Sensitive Positions), and two (2) FD 258 (Fingerprint Charts). Non-U.S. citizens must provide official documentation to the DFS/PSB, as proof of their legal residency. This documentation can be a Permanent Resident Card, Temporary Work Visa, Employment Authorization Card, or other official documentation issued by the U.S. Citizenship and Immigration Services. Any applicant with less than five (5) years residency in the U.S. will not be approved for building access. The Contractor shall submit the documents to the NRC Contracting Officer's Representative (COR) who will give them to DFS/PSB.
DFS/PSB may, among other things, grant or deny temporary unescorted building access approval to an individual based upon its review of the information contained in the OPM Standard Form 85 and the Contractor's pre-screening record. Also, in the exercise of its authority, the Government may, among other things, grant or deny permanent building access approval based on the results of its review or investigation. This submittal requirement also applies to the officers of the firm who, for any reason, may visit the NRC work sites for an extended period of time during the term of the contract. In the event that DFS/PSB is unable to grant a temporary or permanent building access approval to any individual performing work under this contract, the Contractor is responsible for assigning another individual to perform the necessary function without any delay in the contract's performance schedule, or without adverse impact to any other terms or conditions of the contract. The Contractor is responsible for informing those affected by this procedure of the required building access approval process (i.e., temporary and permanent determinations), and the possibility that individuals may be required to wait until permanent building access approvals are granted before beginning work in NRC's buildings.
CANCELLATION OR TERMINATION OF BUILDING ACCESS/REQUEST
The Contractor shall immediately notify the COR when a Contractor or subcontractor employee or consultant's need for NRC building access approval is withdrawn or the Contractor employee's need for building access terminates. The COR will immediately notify DFS/PSB (via e-mail) when a Contractor employee no longer requires building access. The Contractor shall be required to return any NRC-issued badges to the COR for return to DFS/FSB (Facilities Security Branch) within three (3) days after their termination.
H.2 SECURITY REQUIREMENTS FOR INFORMATION TECHNOLOGY LEVEL I OR LEVEL II ACCESS APPROVAL (JUL 2016)
The contractor must identify all individuals selected to work under this contract. The NRC Contracting Officer's Representative (COR) shall make the final determination of the level, if any, of IT access approval required for all individuals working under this contract/order using the following guidance. The Government shall have full and complete control and discretion over granting, denying, withholding, or terminating IT access approvals for contractor personnel performing work under this contract/order.
The contractor shall conduct a preliminary security interview or review for each employee requiring IT level I or II access and submit to the Government only the names of candidates that have a reasonable probability of obtaining the level of IT access approval for which the employee has been proposed. The contractor shall pre-screen its applicants for the following:
(a) felony arrest in the last seven (7) years;
(b) alcohol related arrest within the last five (5) years;
(c) record of any military courts-martial convictions in the past ten (10) years;
(d) illegal use of narcotics or other controlled substances possession in the past year, or illegal purchase, production, transfer, or distribution of narcotics or other controlled substances in the last seven (7) years; and
(e) delinquency on any federal debts or bankruptcy in the last seven (7) years.
The contractor shall make a written record of its pre-screening interview or review (including any information to mitigate the responses to items listed in (a) - (e)), and have the employee verify the pre-screening record or review, sign and date it. The contractor shall supply two (2) copies of the signed contractor's pre-screening record or review to the NRC Contracting Officer's Representative (COR), who will then provide them to the NRC Office of Administration, Division of Facilities and Security, Personnel Security Branch with the employee's completed IT access application package.
The contractor shall further ensure that its personnel complete all IT access approval security applications required by this clause within fourteen (14) calendar days of notification by the NRC Contracting Officer's Representative (COR) of initiation of the application process. Timely receipt of properly completed records of the pre-screening record and IT access approval applications (submitted for candidates that have a reasonable probability of obtaining the level of security assurance necessary for access to NRC's IT systems/data) is a requirement of this contract/order. Failure of the contractor to comply with this requirement may be a basis to terminate the contract/order for cause, or to offset from the contract's invoiced cost or price the NRC's incurred costs or delays as a result of inadequate pre-screening by the contractor.
SECURITY REQUIREMENTS FOR IT LEVEL I
Performance under this contract/order will involve contractor personnel who perform services requiring direct access to or operation of agency sensitive information technology systems or data (IT Level I). The IT Level I involves responsibility for: (a) the planning, direction, and implementation of a computer security program; (b) major responsibility for the direction, planning, and design of a computer system, including hardware and software; (c) the capability to access a computer system during its operation or maintenance in such a way that could cause or that has a relatively high risk of causing grave damage; or (d) the capability to realize a significant personal gain from computer access.
Contractor personnel shall not have access to sensitive information technology systems or data until they are approved by DFS/PSB and they have been so informed in writing by the NRC Contracting Officer's Representative (COR). Temporary IT access may be approved by DFS/PSB based on a favorable review or adjudication of their security forms and checks. Final IT access may be approved by DFS/PSB based on a favorable review or adjudication of a completed background investigation. However, temporary access authorization approval will be revoked and the employee may subsequently be denied IT access in the event the employee's investigation cannot be favorably adjudicated. Such an employee will not be authorized to work under any NRC contract/order requiring IT access without the approval of DFS/PSB, as communicated in writing to the contractor by the NRC Contracting Officer's Representative (COR). Where temporary access authorization has been revoked or denied by DFS/PSB, the contractor shall assign another contractor employee to perform the necessary work under this contract/order without delay to the contract/order performance schedule, or without adverse impact to any other terms or conditions of the contract/order. When an individual receives final IT access approval from DFS/PSB, the individual will be subject to a reinvestigation every ten (10) years thereafter (assuming continuous performance under contracts/orders at NRC) or more frequently in the event of noncontinuous performance under contracts/orders at NRC.
CORs are responsible for submitting the completed access/clearance request package as well as other documentation that is necessary to DFS/PSB. The contractor shall submit a completed security forms packet, including the OPM Standard Form (SF) 86 (online Questionnaire for National Security Positions), two (2) copies of the Contractor's signed pre-screening record, and two (2) FD 258 fingerprint charts, to DFS/PSB for review and adjudication, prior to the individual being authorized to perform work under this contract/order requiring access to sensitive information technology systems or data. Non-U.S. citizens must provide official documentation to the DFS/PSB, as proof of their legal residency. This documentation can be a Permanent Resident Card, Temporary Work Visa, Employment Authorization Card, or other official documentation issued by the U.S. Citizenship and Immigration Services. Any applicant with less than seven (7) years residency in the U.S. will not be approved for IT Level I access. The Contractor shall submit the documents to the NRC Contracting Officer's Representative (COR) who will give them to DFS/PSB. The contractor shall ensure that all forms are accurate, complete, and legible. Based on DFS/PSB review of the contractor employee's security forms and/or the receipt of adverse information by NRC, the contractor individual may be denied access to NRC facilities and sensitive information technology systems or data until a final determination is made by DFS/PSB. The contractor individual's clearance status will thereafter be communicated to the contractor by the NRC Contracting Officer's Representative (COR) regarding the contractor person's eligibility.
In accordance with NRCAR 2052.204-70 "Security," IT Level I contractors shall be subject to the attached NRC Form 187 and SF-86. Together, these furnish the basis for providing security requirements to contractors that have or may have an NRC contractual relationship which requires access to or operation of agency sensitive information technology systems, remote development and/or analysis of sensitive information technology systems or data, or other access to such systems and data; access on a continuing basis (in excess of 30 calendar days) to NRC buildings; or otherwise requires issuance of an unescorted NRC badge.
SECURITY REQUIREMENTS FOR IT LEVEL II
Performance under this contract/order will involve contractor personnel that develop and/or analyze sensitive information technology systems or data or otherwise have access to such systems or data (IT Level II).
The IT Level II involves responsibility for the planning, design, operation, or maintenance of a computer system and all other computer or IT positions.
Contractor personnel shall not have access to sensitive information technology systems or data until they are approved by DFS/PSB and they have been so informed in writing by the NRC Contracting Officers Representative (COR). Temporary access may be approved by DFS/PSB based on a favorable review of their security forms and checks. Final IT access may be approved by DFS/PSB based on a favorably adjudication. However, temporary access authorization approval will be revoked and the contractor employee may subsequently be denied IT access in the event the employee's investigation cannot be favorably adjudicated.
31310021R0066 Page 17 Such an employee will not be authorized to work under any NRC contract/order requiring IT access without the approval of DFS/PSB, as communicated in writing to the contractor by the NRC Contracting Officers Representative (COR). Where temporary access authorization has been revoked or denied by DFS/PSB, the contractor is responsible for assigning another contractor employee to perform the necessary work under this contract/order without delay to the contract/order performance schedule, or without adverse impact to any other terms or conditions of the contract/order. When a contractor employee receives final IT access approval from DFS/PSB, the individual will be subject to a review or reinvestigation every ten (10) years (assuming continuous performance under contract/order at NRC) or more frequently in the event of noncontinuous performance under contract/order at NRC.
CORs are responsible for submitting the completed access/clearance request package as well as other documentation that is necessary to DFS/PSB. The contractor shall submit a completed security forms packet, including the OPM Standard Form (SF) 86 (online Questionnaire for National Security Positions), two (2) copies of the Contractor's signed pre-screening record and two (2) FD 258 fingerprint charts, to DFS/PSB for review and adjudication, prior to the contractor employee being authorized to perform work under this contract/order. Non-U.S. citizens must provide official documentation to the DFS/PSB, as proof of their legal residency. This documentation can be a Permanent Resident Card, Temporary Work Visa, Employment Authorization Card, or other official documentation issued by the U.S. Citizenship and Immigration Services. Any applicant with less than seven (7) years residency in the U.S. will not be approved for IT Level II access. The Contractor shall submit the documents to the NRC Contracting Officer's Representative (COR) who will give them to DFS/PSB. The contractor shall ensure that all forms are accurate, complete, and legible. Based on DFS/PSB review of the contractor employee's security forms and/or the receipt of adverse information by NRC, the contractor employee may be denied access to NRC facilities, sensitive information technology systems or data until a final determination is made by DFS/PSB regarding the contractor person's eligibility.
In accordance with NRCAR 2052.204-70 "Security," IT Level II contractors shall be subject to the attached NRC Form 187, SF-86, and contractor's record of the pre-screening. Together, these furnish the basis for providing security requirements to contractors that have or may have an NRC contractual relationship which requires access to or operation of agency sensitive information technology systems, remote development and/or analysis of sensitive information technology systems or data, or other access to such systems or data; access on a continuing basis (in excess of more than 30 calendar days) to NRC buildings; or otherwise requires issuance of an unescorted NRC badge.
CANCELLATION OR TERMINATION OF IT ACCESS/REQUEST
When a request for IT access is to be withdrawn or canceled, the contractor shall immediately notify the NRC Contracting Officer's Representative (COR) by telephone so that the access review may be promptly discontinued. The notification shall contain the full name of the contractor employee and the date of the request. Telephone notifications must be promptly confirmed by the contractor in writing to the NRC Contracting Officer's Representative (COR), who will forward the confirmation to DFS/PSB. Additionally, the contractor shall immediately notify the NRC Contracting Officer's Representative (COR) in writing, who will in turn notify DFS/PSB, when a contractor employee no longer requires access to NRC sensitive automated information technology systems or data, including the voluntary or involuntary separation of employment of a contractor employee who has been approved for or is being processed for IT access.
The contractor shall flow the requirements of this clause down into all subcontracts and agreements with consultants for work that requires them to access NRC IT resources.
H.3 IT SECURITY REQUIREMENTS - DEVELOPMENT AND OPERATIONS AND MAINTENANCE REQUIREMENTS (APR 2014)
O&M Security Requirements
All system modifications to classified systems must comply with NRC security policies and procedures for classified systems, as well as federal laws, guidance, and standards to ensure Federal Information Security Management Act (FISMA) compliance.
The Contractor shall correct errors in contractor developed software and applicable documentation that are not commercial off-the-shelf which are discovered by the NRC or the contractor. Inability of the parties to determine the cause of software errors shall be resolved in accordance with the Disputes clause in Section I, FAR 52.233-1, incorporated by reference in the contract.
The Contractor shall adhere to the guidance outlined in NIST SP 800-53, FIPS 200 and NRC guidance for the identification and documentation of minimum security controls.
The contractor shall provide the system requirements traceability matrix at the end of the initiation phase, development/acquisition phase, implementation/assessment phase, operation & maintenance phase and disposal phase that provides the security requirements in a separate section so that they can be traced through the development life cycle. The contractor shall also provide the software and hardware designs and test plan documentation, and source code upon request to the NRC for review.
All development and testing of the systems shall be protected at their assigned system sensitivity level and shall be performed on a network separate and isolated from the NRC operational network.
All system computers must be properly configured and hardened according to NRC policies, guidance, and standards and comply with all NRC security policies and procedures as commensurate with the system security categorization.
All contractor provided deliverables identified in the project plan will be subject to the review and approval of NRC Management. The contractor will make the necessary modifications to project deliverables to resolve any identified issues. Project deliverables include but are not limited to: requirements, architectures, design documents, test plans, and test reports.
Access Controls
The contractor shall not hardcode any passwords into the software unless the password only appears on the server side (e.g. using server-side technology such as ASP, PHP, or JSP).
The contractor shall ensure that the software does not contain undocumented functions and undocumented methods for gaining access to the software or to the computer system on which it is installed. This includes, but is not limited to, master access keys, back doors, or trapdoors.
Cryptography
Cryptographic modules provided as part of the system shall be validated under the Cryptographic Module Validation Program to conform to NIST FIPS 140-2 and must be operated in FIPS mode. The contractor shall provide the FIPS 140-2 cryptographic module certificate number and a brief description of the encryption module that includes the encryption algorithm(s) used, the key length, and the vendor of the product.
Configuration Management and Control
The contractor must ensure that the system will be divided into configuration items (CIs). CIs are parts of a system that can be individually managed and versioned. The system shall be managed at the CI level.
The contractor must have a configuration management plan that includes all hardware and software that is part of the system and contains at minimum the following sections:
- a. Introduction
  - i. Purpose & Scope
  - ii. Definitions
  - iii. References
- b. Configuration Management
  - i. Organization
  - ii. Responsibilities
  - iii. Tools and Infrastructure
- c. Configuration Management Activities
  - i. Specification Identification
  - ii. Change control form identification
  - iii. Project baselines
- d. Configuration and Change Control
  - i. Change Request Processing and Approval
  - ii. Change Control Board
- e. Milestones
  - i. Define baselines, reviews, audits
  - ii. Training and Resources
The Information System Security Officer's (ISSO's) role in the change management process must be described. The ISSO is responsible for the security posture of the system. Any changes to the system security posture must be approved by the ISSO. The contractor should not have the ability to make changes to the system's security posture without the appropriate involvement and approval of the ISSO.
The contractor shall track and record information specific to proposed and approved changes that minimally include:
- a. Identified configuration change
- b. Testing of the configuration change
- c. Scheduled implementation of the configuration change
- d. Track system impact of the configuration change
- e. Track the implementation of the configuration change
- f. Recording & reporting of configuration change to the appropriate party
- g. Back out/Fall back plan
- h. Weekly Change Reports and meeting minutes
- i. Emergency change procedures
- j. List of team members from key functional areas
The contractor shall provide a list of software and hardware changes in advance of placing them into operation within the following timeframes:
- 30 calendar days for a classified, SGI, or high sensitivity system
- 20 calendar days for a moderate sensitivity system
- 10 calendar days for a low sensitivity system
The contractor must maintain all system documentation that is current to within:
- 10 calendar days for a classified, SGI, or high sensitivity system
- 20 calendar days for a moderate sensitivity system
- 30 calendar days for a low sensitivity system
Modified code, tests performed and test results, issue resolution documentation, and updated system documentation shall be deliverables on the contract.
Any proposed changes to the system must have written approval from the NRC Contracting Officer's Representative (COR).
The contractor shall maintain a list of hardware, firmware and software changes that is current to within:
- 15 calendar days for a classified, SGI or high sensitivity system
- 20 calendar days for a moderate sensitivity system
- 30 calendar days for a low sensitivity system
The contractor shall analyze proposed hardware and software configurations and modification as well as addressed security vulnerabilities in advance of NRC accepted operational deployment dates within:
- 15 calendar days for a classified, SGI, or high sensitivity system
- 20 calendar days for a moderate sensitivity system
- 30 calendar days for a low sensitivity system
The contractor shall provide the above analysis with the proposed hardware and software for NRC testing in advance of NRC accepted operational deployment dates within:
- 15 calendar days for a classified, SGI, or high sensitivity system
- 20 calendar days for a moderate sensitivity system
- 30 calendar days for a low sensitivity system
Control of Hardware and Software
The contractor shall demonstrate that all hardware and software meet security requirements prior to being placed into the NRC production environment.
The contractor shall ensure that the development environment is separated from the operational environment using NRC CSO approved controls.
The contractor shall only use licensed software and in-house developed authorized software (including NRC and contractor developed) on the system and for processing NRC information.
Public domain, shareware, or freeware shall only be installed after prior written approval is obtained from the NRC Chief Information Security Officer (CISO).
The contractor shall provide proof of valid software licensing upon request of the Contracting Officer, the NRC COR, a Senior Information Technology Security Officer (SITSO), or the Designated Approving Authorities (DAAs).
Information Security Training and Awareness Training
The contractor shall ensure that its employees, in performance of the contract, receive Information Technology (IT) security training in their role at the contractor's expense. The Contractor must provide the NRC written certification that training is complete, along with the title of the course and dates of training as a prerequisite to start of work on the contract.
The IT security role and associated type of training course and periodicity required to be completed are as follows:
| Role | Type of Training | Required Frequency of Training |
|---|---|---|
| Auditor | Vendor specific operating system and application security training, database security training | Prior to appointment and then every three years |
| IT Functional Manager | Vendor specific operating system and application security training, database security training | Prior to appointment and then every two years; additional system specific training upon a major system update/change |
| System Administrator | Vendor specific operating system and application security training | Prior to appointment and then every year: training in operating system security in the area of responsibility occurs every 2 years; training in application security in the area of responsibility occurs every 2 years |
| Information Systems Security Officer | ISSO role specific training (not awareness) provided by a government agency or by a vendor such as SANS; vendor specific operating system and application security training | Prior to appointment and then every year: training in the ISSO role occurs every 3 years; training in operating system security in the area of responsibility occurs every 3 years; training in application security in the area of responsibility occurs every 3 years |
| Database Administrator | Vendor specific database security training | Prior to appointment and then every 2 years: training in database security in the area of responsibility occurs every 2 years |
| Network Administrator | Network administrator role specific training (not awareness) provided by a government agency or by a vendor such as SANS; network specific security training | Prior to appointment and then every year: training in the Network administrator role occurs every 3 years; training in network security in the area of responsibility occurs every year where network administrator role training does not occur |
| IT Managers | Vendor specific operating system and application security training, database security training | Prior to appointment and then every two years; additional system specific training upon a major system update/change |
| IT System Developer | Vendor specific operating system and application security training, database security training | Prior to appointment and then every year: training with system-specific training (ISS LoB or commercial) upon assuming the role, to become biannual with NRC provided training every other year |
The contractor must ensure that required refresher training is accomplished in accordance with the required frequency specifically associated with the IT security role.
Auditing
The system shall be able to create, maintain and protect from modification or unauthorized access or destruction an audit trail of accesses to the objects it protects. The audit data shall be protected so that read access to it is limited to those who are authorized.
The system shall be able to record the following types of events: use of identification and authentication mechanisms, introduction of objects into a user's address space (e.g., file open, program initiation), deletion of objects, and actions taken by computer operators and system administrators or system security officers and other security relevant events. The system shall be able to audit any override of security controls.
The Contractor shall ensure auditing is implemented on the following:
- Operating System
- Application
- Web Server
- Web Services
- Network Devices
- Database
- Wireless
The contractor shall perform audit log reviews daily using automated analysis tools.
Contractor must log at least the following events on systems that process NRC information:
- Audit all failures
- Successful logon attempt
- Failure of logon attempt
- Permission Changes
- Unsuccessful File Access
- Creating users & objects
- Deletion & modification of system files
- Registry Key/Kernel changes
- Startup & shutdown
- Authentication
- Authorization/permission granting
- Actions by trusted users
- Process invocation
- Controlled access to data by individually authenticated user
- Unsuccessful data access attempt
- Data deletion
- Data transfer
- Application configuration change
- Application of confidentiality or integrity labels to data
- Override or modification of data labels or markings
- Output to removable media
- Output to a printer
H.4 IT SECURITY REQUIREMENTS - CERTIFICATION AND ACCREDITATION
SECURITY RISK ASSESSMENT
The contractor shall work with the NRC Contracting Officer's Representative (COR) in performing Risk Assessment activities according to NRC policy, standards, and guidance. The contractor shall perform Risk Assessment activities that include analyzing how the architecture implements the NRC documented security policy for the system, assessing how management, operational, and technical security control features are planned or implemented and how the system interconnects to other systems or networks while maintaining security.
SYSTEM SECURITY PLAN
The contractor shall develop the system security plan (SSP) according to NRC policy, standards, and guidance to define the implementation of IT security controls necessary to meet both the functional assurance and security requirements. The contractor will ensure that all controls required to be implemented are documented in the SSP.
ASSESSMENT PROCEDURES - SECURITY TEST & EVALUATION
The contractor shall follow NRC policy, standards, and guidance for execution of the test procedures. These procedures shall be supplemented and augmented by tailored test procedures based on the control objective as it applies to NRC. The contractor shall include verification and validation to ensure that appropriate corrective action was taken on identified security weaknesses.
The contractor shall perform ST&E activities, including but not limited to, coordinating the ST&E and developing the ST&E Plan, execution of ST&E test cases and documentation of test results.
The contractor shall prepare the Plan of Action and Milestones (POA&M) based on the ST&E results.
PLAN OF ACTION AND MILESTONES (POA&M) MAINTENANCE & REPORTING
The contractor shall provide a determination, in a written form agreed to by the NRC Contracting Officer's Representative (COR) and Computer Security Office, on whether the implemented corrective action was adequate to resolve the identified information security weaknesses and provide the reasons for any exceptions or risk-based decisions. The contractor shall document any vulnerabilities indicating which portions of the security control have not been implemented or applied.
The contractor shall develop and implement solutions that provide a means of planning and monitoring corrective actions; define roles and responsibilities for risk mitigation; assist in identifying security funding requirements; track and prioritize resources; and inform decision-makers of progress of open POA&M items.
The contractor shall perform verification of IT security weaknesses to ensure that all weaknesses identified through third party (e.g., OIG) audits are included in the POA&Ms, that the quarterly reporting to OMB is accurate, and that the reasons for any exceptions or risk-based decisions are reasonable and clearly documented. This verification process will be done in conjunction with the continuous monitoring activities.
CERTIFICATION & ACCREDITATION DOCUMENTATION
The contractor shall create, update, and maintain all Certification and Accreditation (C&A) documentation in accordance with the following NRC Certification and Accreditation procedures and guidance:
- C&A Non-SGI Unclassified Systems
- C&A SGI Unclassified Systems
- C&A Classified Systems
The Contractor must develop a contingency plan and ensure annual contingency testing is completed within one year of the previous test and provide an updated security plan and test report according to NRC's policy and procedure.
The Contractor must conduct annual security control testing according to NRC's policy and procedure and update POA&M, SSP, etc. to reflect any findings or changes to management, operational and technical controls.
H.5 ANNUAL AND FINAL CONTRACTOR PERFORMANCE EVALUATIONS
Annual and final evaluations of contractor performance under this contract will be prepared in accordance with FAR Subpart 42.15, "Contractor Performance Information," normally at or near the time the contractor is notified of the NRC's intent to exercise the contract option. If the multi-year contract does not have option years, then an annual evaluation will be prepared N/A (it will be prepared in conjunction with the exercise of options). Final evaluations of contractor performance will be prepared at the expiration of the contract during the contract closeout process.
The Contracting Officer will transmit the NRC Contracting Officer's Representative's (COR) annual and final contractor performance evaluations to the contractor's Project Manager, unless otherwise instructed by the contractor. The contractor will be permitted thirty days to review the document and submit comments, rebutting statements, or additional information.
Where a contractor concurs with, or takes no exception to an annual performance evaluation, the Contracting Officer will consider such evaluation final and releasable for source selection purposes. Disagreements between the parties regarding a performance evaluation will be referred to an individual one level above the Contracting Officer, whose decision will be final.
The Contracting Officer will send a copy of the completed evaluation report, marked "Source Selection Information," to the contractor's Project Manager for their records as soon as practicable after it has been finalized. The completed evaluation report also will be used as a tool to improve communications between the NRC and the contractor and to improve contract performance.
The completed annual performance evaluation will be used to support future award decisions in accordance with FAR 42.1502 and 42.1503. During the period the information is being used to provide source selection information, the completed annual performance evaluation will be released to only two parties - the Federal government personnel performing the source selection evaluation and the contractor under evaluation if the contractor does not have a copy of the report already.
H.6 RULES OF BEHAVIOR FOR AUTHORIZED COMPUTER USE
In accordance with Appendix III, "Security of Federal Automated Information Resources," to Office of Management and Budget (OMB) Circular A-130, "Management of Federal Information Resources," NRC has established rules of behavior for individual users who access all IT computing resources maintained and operated by the NRC or on behalf of the NRC. In response to the direction from OMB, NRC has issued the "Agency-wide Rules of Behavior for Authorized Computer Use" policy, hereafter referred to as the rules of behavior. The rules of behavior for authorized computer use will be provided to NRC computer users, including contractor personnel, as part of the annual computer security awareness course.
The rules of behavior apply to all NRC employees, contractors, vendors, and agents (users) who have access to any system operated by the NRC or by a contractor or outside entity on behalf of the NRC. This policy does not apply to licensees. The next revision of Management Directive 12.5, "NRC Automated Information Security Program," will include this policy. The rules of behavior can be viewed at https://www.nrc.gov/docs/ML1724/ML17244A084.pdf or use NRC's external Web-based ADAMS at https://www.nrc.gov/reading-rm/adams.html.
The rules of behavior are effective immediately upon acknowledgement of them by the person who is informed of the requirements contained in those rules of behavior. All current contractor users are required to review and acknowledge the rules of behavior as part of the annual computer security awareness course completion. All new NRC contractor personnel will be required to acknowledge the rules of behavior within one week of commencing work under this contract and then acknowledge as current users thereafter. The acknowledgement statement can be viewed at https://www.nrc.gov/docs/ML1724/ML17244A086.pdf or use NRC's external Web-based ADAMS at https://www.nrc.gov/reading-rm/adams.html.
The NRC Computer Security Office will review and update the rules of behavior annually beginning in FY 2011 by December 31st of each year. Contractors shall ensure that their personnel to which this requirement applies acknowledge the rules of behavior before beginning contract performance and, if the period of performance for the contract lasts more than one year, annually thereafter. Training on the meaning and purpose of the rules of behavior can be provided for contractors upon written request to the NRC Contracting Officer's Representative (COR).
The contractor shall flow down this clause into all subcontracts and other agreements that relate to performance of this contract/order if such subcontracts/agreements will authorize access to NRC electronic and information technology (EIT) as that term is defined in FAR 2.101.
H.7 INTERNET
Neither NRC nor its third party contractors that manage or develop the NRC web site shall send persistent cookies, place persistent cookies on users' computers, nor collect personally identifiable information from visitors to the NRC web site unless in addition to clear and conspicuous notice, each of the following conditions are met: there is a compelling need to gather the data on the site; there are appropriate and publicly disclosed privacy safeguards for handling of information derived from "cookies"; and personal approval is obtained from the head of the agency.
H.8 NRC INFORMATION TECHNOLOGY SECURITY TRAINING (MAY 2016)
NRC contractors shall ensure that their employees, consultants, and subcontractors with access to the agency's information technology (IT) equipment and/or IT services complete NRC's online initial and refresher IT security training requirements to ensure that their knowledge of IT threats, vulnerabilities, and associated countermeasures remains current. Both the initial and refresher IT security training courses generally last an hour or less and can be taken during the employee's regularly scheduled work day.
Contractor employees, consultants, and subcontractors shall complete the NRC's online annual, "Computer Security Awareness" course on the same day that they receive access to the agency's IT equipment and/or services, as their first action using the equipment/service. For those contractor employees, consultants, and subcontractors who are already working under this contract, the on-line training must be completed in accordance with agency Network Announcements issued throughout the year, within three weeks of issuance of this modification.
Additional annual required online NRC training includes but is not limited to the following:
(1) Information Security (INFOSEC) Awareness
(2) Continuity of Operations (COOP) Awareness
(3) Defensive Counterintelligence and Insider Threat Awareness
(4) No FEAR Act
(5) Personally Identifiable Information (PII) and Privacy Act Responsibilities Awareness
Contractor employees, consultants, and subcontractors who have been granted access to NRC information technology equipment and/or IT services must continue to take IT security refresher training offered online by the NRC throughout the term of the contract. Contractor employees will receive notice of NRC's online IT security refresher training requirements through agency-wide notices.
Contractor Monthly Letter Status Reports (MLSR) must include the following information for all completed training:
(1) the name of the individual completing the course; (2) the course title; and (3) the course completion date.
The MLSR must also include the following information for those individuals who have not completed their required training:
(1) the name of the individual who has not yet completed the training; (2) the title of the course(s) which must still be completed; and (3) the anticipated course completion date(s).
The NRC reserves the right to deny or withdraw Contractor use or access to NRC IT equipment and/or services, and/or take other appropriate contract administrative actions (e.g., disallow costs, terminate for cause) should the Contractor violate the Contractor's responsibility under this clause.
H.9 SECURITY REQUIREMENTS RELATING TO THE PRODUCTION OF REPORTS OR THE PUBLICATION OF RESULTS UNDER CONTRACTS, AGREEMENTS, AND GRANTS (JUL 2016)
Review and Approval of Reports
(a) Reporting Requirements. The contractor/grantee shall comply with the terms and conditions of the contract/grant regarding the contents of the draft and final report, summaries, data, and related documents, to include correcting, deleting, editing, revising, modifying, formatting, and supplementing any of the information contained therein, at no additional cost to the NRC.
Performance under the contract/grant will not be deemed accepted or completed until it complies with the NRC's directions, as applicable. The reports, summaries, data, and related documents will be considered draft until approved by the NRC. The contractor/grantee agrees that the direction, determinations, and decisions on approval or disapproval of reports, summaries, data, and related documents created under this contract/grant remain solely within the discretion of the NRC.
(b) Publication of Results. Prior to any dissemination, display, publication, or release of articles, reports, summaries, data, or related documents developed under the contract/grant, the contractor/grantee shall submit them to the NRC for review and approval. The contractor/grantee shall not release, disseminate, display or publish articles, reports, summaries, data, and related documents, or the contents therein, that have not been reviewed and approved by the NRC for release, display, dissemination or publication. The contractor/grantee agrees to conspicuously place any disclaimers, markings or notices, directed by the NRC, on any articles, reports, summaries, data, and related documents that the contractor/grantee intends to release, display, disseminate or publish to other persons, the public, or any other entities. The contractor/grantee agrees, and grants, a royalty-free, nonexclusive, irrevocable worldwide license to the government, to use, reproduce, modify, distribute, prepare derivative works, release, display or disclose the articles, reports, summaries, data, and related documents developed under the contract/grant, for any governmental purpose and to have or authorize others to do so.
(c) Identification/Marking of Sensitive Unclassified Non-Safeguards Information (SUNSI) and Safeguards Information (SGI). The decision, determination, or direction by the NRC that information possessed, formulated or produced by the contractor/grantee constitutes SUNSI or SGI is solely within the authority and discretion of the NRC. In performing the contract/grant, the contractor/grantee shall clearly mark SUNSI and SGI, to include for example, OUO-Allegation Information or OUO-Security Related Information on any reports, documents, designs, data, materials, and written information, as directed by the NRC. In addition to marking the information as directed by the NRC, the contractor shall use the applicable NRC cover sheet (e.g., NRC Form 461 Safeguards Information) in maintaining these records and documents. The contractor/grantee shall ensure that SUNSI and SGI is handled, maintained and protected from unauthorized disclosure, consistent with NRC policies and directions. The contractor/grantee shall comply with the requirements to mark, maintain, and protect all information, including documents, summaries, reports, data, designs, and materials in accordance with the provisions of Section 147 of the Atomic Energy Act of 1954 as amended, its implementing regulations (10 CFR 73.21), Sensitive Unclassified Non-Safeguards and Safeguards Information policies, and NRC Management Directives and Handbooks 12.5, 12.6 and 12.7.
(d) Remedies. In addition to any civil, criminal, and contractual remedies available under the applicable laws and regulations, failure to comply with the above provisions, and/or NRC directions, may result in suspension, withholding, or offsetting of any payments invoiced or claimed by the contractor/grantee.
(e) Flowdown. If the contractor/grantee intends to enter into any subcontracts or other agreements to perform this contract/grant, the contractor/grantee shall include all of the above provisions in any subcontracts or agreements.
H.10 WHISTLEBLOWER PROTECTION FOR NRC CONTRACTOR AND SUBCONTRACTOR EMPLOYEES
(a) The U.S. Nuclear Regulatory Commission (NRC) contractor and its subcontractor are subject to the Whistleblower Employee Protection public law provisions as codified at 42 U.S.C. 5851. NRC contractor(s) and subcontractor(s) shall comply with the requirements of this Whistleblower Employee Protection law, and the implementing regulations of the NRC and the Department of Labor (DOL). See, for example, DOL Procedures on Handling Complaints at 29 C.F.R. Part 24 concerning the employer obligations, prohibited acts, DOL procedures and the requirement for prominent posting of notice of Employee Rights at Appendix A to Part 24 entitled: Your Rights Under the Energy Reorganization Act.
(b) Under this Whistleblower Employee Protection law, as implemented by regulations, NRC contractor and subcontractor employees are protected from discharge, reprisal, threats, intimidation, coercion, blacklisting or other employment discrimination practices with respect to compensation, terms, conditions or privileges of their employment because the contractor or subcontractor employee(s) has provided notice to the employer, refused to engage in unlawful practices, assisted in proceedings or testified on activities concerning alleged violations of the Atomic Energy Act of 1954 (as amended) and the Energy Reorganization Act of 1974 (as amended).
(c) The contractor shall insert this or the substance of this clause in any subcontracts involving work performed under this contract.
H.11 DRUG FREE WORKPLACE TESTING: UNESCORTED ACCESS TO NUCLEAR FACILITIES, ACCESS TO CLASSIFIED INFORMATION OR SAFEGUARDS INFORMATION, OR PERFORMING IN SPECIALLY SENSITIVE POSITIONS (MARCH 2019)
The following Contractor employees, subcontractor personnel, and consultants proposed for performance or performing under this contract shall be subject to pre-assignment, random, reasonable suspicion, and post-accident drug testing: (1) individuals who have access to classified information (National Security Information and/or Restricted Data); (2) individuals who have access to Safeguards information (section 147 of the Atomic Energy Act of 1954, as amended); (3) individuals who are authorized to carry firearms while performing work under this contract; (4) individuals who are required to operate government vehicles or transport passengers for the NRC; (5) individuals who are required to operate hazardous equipment at NRC facilities; (6) individuals who administer the agency's drug program or who have Employee Assistance Program duties; (7) individuals who have unescorted access to vital or protected areas of Nuclear Power Plants, Category 1 Fuel Cycle Facilities, or Uranium Enrichment Facilities; or (8) incident/emergency response personnel (including on-call).
H.12 CONTRACTOR RESPONSIBILITY FOR PROTECTING PERSONALLY IDENTIFIABLE INFORMATION (PII)
In accordance with the Office of Management and Budget's guidance to Federal agencies and the Nuclear Regulatory Commission's (NRC) implementing policy and procedures, a contractor (including subcontractors and contractor employees), who performs work on behalf of the NRC, is responsible for protecting, from unauthorized access or disclosure, personally identifiable information (PII) that may be provided, developed, maintained, collected, used, or disseminated, whether in paper, electronic, or other format, during performance of this contract.
A contractor who has access to NRC owned or controlled PII, whether provided to the contractor by the NRC or developed, maintained, collected, used, or disseminated by the contractor during the course of contract performance, must comply with the following requirements:
(1) General. In addition to implementing the specific requirements set forth in this clause, the contractor must adhere to all other applicable NRC guidance, policy and requirements for the handling and protection of NRC owned or controlled PII. The contractor is responsible for making sure that it has an adequate understanding of such guidance, policy and requirements.
(2) Use, Ownership, and Nondisclosure. A contractor may use NRC owned or controlled PII solely for purposes of this contract, and may not collect or use such PII for any purpose outside the contract without the prior written approval of the NRC Contracting Officer. The contractor must restrict access to such information to only those contractor employees who need the information to perform work under this contract, and must ensure that each such contractor employee (including subcontractors' employees) signs a nondisclosure agreement, in a form suitable to the NRC Contracting Officer, prior to being granted access to the information. The NRC retains sole ownership and rights to its PII. Unless the contract states otherwise, upon completion of the contract, the contractor must turn over all PII in its possession to the NRC, and must certify in writing that it has not retained any NRC owned or controlled PII except as otherwise authorized in writing by the NRC Contracting Officer.
(3) Security Plan. When applicable, and unless waived in writing by the NRC Contracting Officer, the contractor must work with the NRC to develop and implement a security plan setting forth adequate procedures for the protection of NRC owned or controlled PII as well as the procedures which the contractor must follow for notifying the NRC in the event of any security breach. The plan will be incorporated into the contract and must be implemented and followed by the contractor once it has been approved by the NRC Contracting Officer. If the contract does not include a security plan at the time of contract award, a plan must be submitted for the approval of the NRC Contracting Officer within 30 days after contract award.
(4) Breach Notification. The contractor must immediately notify the NRC Contracting Officer and the NRC Contracting Officer's Representative (COR) upon discovery of any suspected or confirmed breach in the security of NRC owned or controlled PII.
(5) Legal Demands for Information. If a legal demand is made for NRC owned or controlled PII (such as by subpoena), the contractor must immediately notify the NRC Contracting Officer and the NRC Contracting Officer's Representative (COR). After notification, the NRC will determine whether and to what extent to comply with the legal demand. The Contracting Officer will then notify the contractor in writing of the determination and such notice will indicate the extent of disclosure authorized, if any. The contractor may only release the information specifically demanded with the written permission of the NRC Contracting Officer.
(6) Audits. The NRC may audit the contractor's compliance with the requirements of this clause, including through the use of online compliance software.
(7) Flow-down. The prime contractor will flow this clause down to subcontractors that would be covered by any portion of this clause, as if they were the prime contractor.
(8) Remedies:
(a) The contractor is responsible for implementing and maintaining adequate security controls to prevent the loss of control or unauthorized disclosure of NRC owned or controlled PII in its possession. Furthermore, the contractor is responsible for reporting any known or suspected loss of control or unauthorized access to PII to the NRC in accordance with the provisions set forth in Article 4 above.
(b) Should the contractor fail to meet its responsibilities under this clause, the NRC reserves the right to take appropriate steps to mitigate the contractor's violation of this clause. This may include, at the sole discretion of the NRC, termination of the subject contract.
(9) Indemnification. Notwithstanding any other remedies available to the NRC, the contractor will indemnify the NRC against all liability (including costs and fees) for any damages arising out of violations of this clause.
H.13 GREEN PURCHASING (SEP 2015)
(a) In furtherance of the sustainable acquisition goals of Executive Order (EO) 13693, "Planning for Federal Sustainability in the Next Decade," products and services provided under this contract/order shall be energy efficient (EnergyStar or Federal Energy Management Program - FEMP-designated products), water efficient, biobased, environmentally preferable (excluding EPEAT-registered products), non-ozone depleting, contain recycled content, or are non- or low toxic alternatives or hazardous constituents (e.g., non-VOC paint), where such products and services meet agency performance requirements. See: Executive Order (EO) 13693, "Planning for Federal Sustainability in the Next Decade."
(b) The NRC and contractor may negotiate during the contract term to permit the substitution or addition of designated recycled content products (i.e., Comprehensive Procurement Guidelines - CPG), EPEAT-registered products, EnergyStar- and FEMP designated energy efficient products and appliances, USDA designated biobased products (Biopreferred program), environmentally preferable products, WaterSense and other water efficient products, products containing non- or lower-ozone depleting substances (i.e., SNAP), and products containing non- or low-toxic or hazardous constituents (e.g., non-VOC paint), when such products and services are readily available at a competitive cost and satisfy the NRC's performance needs.
(c) The contractor shall flow down this clause into all subcontracts and other agreements that relate to performance of this contract/order.
H.14 USE OF AUTOMATED CLEARING HOUSE (ACH) ELECTRONIC PAYMENT/REMITTANCE ADDRESS
The Debt Collection Improvement Act of 1996 requires that all Federal payments except IRS tax refunds be made by Electronic Funds Transfer. It is the policy of the Nuclear Regulatory Commission to pay government vendors by the Automated Clearing House (ACH) electronic funds transfer payment system. Item 15C of the Standard Form 33 may be disregarded.
H.15 KEY PERSONNEL. (JAN 1993)
(a) The following individuals are considered to be essential to the successful performance of the work hereunder:
Project Manager -
Please note, these labor categories are intended to describe general roles envisioned as being necessary for the performance of the contract. Individuals possessing experience applicable to more than one of these categories can be considered as satisfying the conditions of more than one role.
- The contractor agrees that personnel may not be removed from the contract work or replaced without compliance with paragraphs (b) and (c) of this section.
(b) If one or more of the key personnel, for whatever reason, becomes, or is expected to become, unavailable for work under this contract for a continuous period exceeding 30 work days, or is expected to devote substantially less effort to the work than indicated in the proposal or initially anticipated, the contractor shall immediately notify the contracting officer and shall, subject to the concurrence of the contracting officer, promptly replace the personnel with personnel of at least substantially equal ability and qualifications.
(c) Each request for approval of substitutions must be in writing and contain a detailed explanation of the circumstances necessitating the proposed substitutions. The request must also contain a complete resume for the proposed substitute and other information requested or needed by the contracting officer to evaluate the proposed substitution. The contracting officer and the project officer shall evaluate the contractor's request and the contracting officer shall promptly notify the contractor of his or her decision in writing.
(d) If the contracting officer determines that suitable and timely replacement of key personnel who have been reassigned, terminated, or have otherwise become unavailable for the contract work is not reasonably forthcoming, or that the resultant reduction of productive effort would be so substantial as to impair the successful completion of the contract or the service order, the contract may be terminated by the contracting officer for default or for the convenience of the Government, as appropriate. If the contracting officer finds the contractor at fault for the condition, the contract price or fixed fee may be equitably adjusted downward to compensate the Government for any resultant delay, loss, or damage.
H.16 2052.204-70 SECURITY. (OCT 1999)
(a) Security/Classification Requirements Form. The attached NRC Form 187 (See List of Attachments) furnishes the basis for providing security and classification requirements to prime contractors, subcontractors, or others (e.g., bidders) who have or may have an NRC contractual relationship that requires access to classified information or matter, access on a continuing basis (in excess of 90 or more days) to NRC Headquarters controlled buildings, or otherwise requires NRC photo identification or card-key badges.
(b) It is the contractor's duty to safeguard National Security Information, Restricted Data, and Formerly Restricted Data. The contractor shall, in accordance with the Commission's security regulations and requirements, be responsible for safeguarding National Security Information, Restricted Data, and Formerly Restricted Data, and for protecting against sabotage, espionage, loss, and theft, the classified documents and material in the contractor's possession in connection with the performance of work under this contract. Except as otherwise expressly provided in this contract, the contractor shall transmit to the Commission any classified matter in the possession of the contractor or any person under the contractor's control in connection with performance of this contract upon completion or termination of this contract.
(1) The contractor shall complete a certificate of possession to be furnished to the Commission specifying the classified matter to be retained if the retention is:
(i) Required after the completion or termination of the contract; and
(ii) Approved by the contracting officer.
(2) The certification must identify the items and types or categories of matter retained, the conditions governing the retention of the matter and their period of retention, if known. If the retention is approved by the contracting officer, the security provisions of the contract continue to be applicable to the matter retained.
(c) In connection with the performance of the work under this contract, the contractor may be furnished, or may develop or acquire, proprietary data (trade secrets) or confidential or privileged technical, business, or financial information, including Commission plans, policies, reports, financial plans, internal data protected by the Privacy Act of 1974 (Pub. L. 93-579), or other information which has not been released to the public or has been determined by the Commission to be otherwise exempt from disclosure to the public. The contractor agrees to hold the information in confidence and not to directly or indirectly duplicate, disseminate, or disclose the information, in whole or in part, to any other person or organization except as necessary to perform the work under this contract. The contractor agrees to return the information to the Commission or otherwise dispose of it at the direction of the contracting officer. Failure to comply with this clause is grounds for termination of this contract.
(d) Regulations. The contractor agrees to conform to all security regulations and requirements of the Commission which are subject to change as directed by the NRC Division of Facilities and Security and the Contracting Officer. These changes will be under the authority of the FAR Changes clause referenced in Section I of this document.
(e) Definition of National Security Information. As used in this clause, the term National Security Information means information that has been determined pursuant to Executive Order 12958 or any predecessor order to require protection against unauthorized disclosure and that is so designated.
(f) Definition of Restricted Data. As used in this clause, the term Restricted Data means all data concerning design, manufacture, or utilization of atomic weapons; the production of special nuclear material; or the use of special nuclear material in the production of energy, but does not include data declassified or removed from the Restricted Data category under Section 142 of the Atomic Energy Act of 1954, as amended.
(g) Definition of Formerly Restricted Data. As used in this clause the term Formerly Restricted Data means all data removed from the Restricted Data category under Section 142-d of the Atomic Energy Act of 1954, as amended.
(h) Security clearance personnel. The contractor may not permit any individual to have access to Restricted Data, Formerly Restricted Data, or other classified information, except in accordance with the Atomic Energy Act of 1954, as amended, and the Commission's regulations or requirements applicable to the particular type or category of classified information to which access is required. The contractor shall also execute a Standard Form 312, Classified Information Nondisclosure Agreement, when access to classified information is required.
(i) Criminal liabilities. Disclosure of National Security Information, Restricted Data, and Formerly Restricted Data relating to the work or services ordered hereunder to any person not entitled to receive it, or failure to safeguard any Restricted Data, Formerly Restricted Data, or any other classified matter that may come to the contractor or any person under the contractor's control in connection with work under this contract, may subject the contractor, its agents, employees, or subcontractors to criminal liability under the laws of the United States. (See the Atomic Energy Act of 1954, as amended, 42 U.S.C. 2011 et seq.; 18 U.S.C. 793 and 794; and Executive Order 12958.)
(j) Subcontracts and purchase orders. Except as otherwise authorized, in writing, by the contracting officer, the contractor shall insert provisions similar to the foregoing in all subcontracts and purchase orders under this contract.
(k) In performing contract work, the contractor shall classify all documents, material, and equipment originated or generated by the contractor in accordance with guidance issued by the Commission. Every subcontract and purchase order issued under the contract that involves originating or generating classified documents, material, and equipment must provide that the subcontractor or supplier assign the proper classification to all documents, material, and equipment in accordance with guidance furnished by the contractor.
(End of Clause)
H.17 2052.204-71 SITE ACCESS BADGE REQUIREMENTS. (JAN 1993)
During the life of this contract, the rights of ingress and egress for contractor personnel must be made available as required. In this regard, all contractor personnel whose duties under this contract require their presence on-site shall be clearly identifiable by a distinctive badge furnished by the Government. The Project Officer shall assist the contractor in obtaining the badges for contractor personnel. It is the sole responsibility of the contractor to ensure that each employee has proper identification at all times. All prescribed identification must be immediately delivered to the Security Office for cancellation or disposition upon the termination of employment of any contractor personnel. Contractor personnel shall have this identification in their possession during on-site performance under this contract. It is the contractor's duty to assure that contractor personnel enter only those work areas necessary for performance of contract work and to assure the safeguarding of any Government records or data that contractor personnel may come into contact with.
(End of Clause)
H.18 2052.209-72 CONTRACTOR ORGANIZATIONAL CONFLICTS OF INTEREST. (JAN 1993)
(a) Purpose. The primary purpose of this clause is to aid in ensuring that the contractor:
(1) Is not placed in a conflicting role because of current or planned interests (financial, contractual, organizational, or otherwise) which relate to the work under this contract; and
(2) Does not obtain an unfair competitive advantage over other parties by virtue of its performance of this contract.
(b) Scope. The restrictions described apply to performance or participation by the contractor, as defined in 48 CFR 2009.570-2 in the activities covered by this clause.
(c) Work for others.
(1) Notwithstanding any other provision of this contract, during the term of this contract, the contractor agrees to forego entering into consulting or other contractual arrangements with any firm or organization the result of which may give rise to a conflict of interest with respect to the work being performed under this contract. The contractor shall ensure that all employees under this contract abide by the provision of this clause. If the contractor has reason to believe, with respect to itself or any employee, that any proposed consultant or other contractual arrangement with any firm or organization may involve a potential conflict of interest, the contractor shall obtain the written approval of the contracting officer before the execution of such contractual arrangement.
(2) The contractor may not represent, assist, or otherwise support an NRC licensee or applicant undergoing an NRC audit, inspection, or review where the activities that are the subject of the audit, inspection, or review are the same as or substantially similar to the services within the scope of this contract (or task order as appropriate) except where the NRC licensee or applicant requires the contractor's support to explain or defend the contractor's prior work for the utility or other entity which NRC questions.
(3) When the contractor performs work for the NRC under this contract at any NRC licensee or applicant site, the contractor shall neither solicit nor perform work in the same or similar technical area for that licensee or applicant organization for a period commencing with the award of the task order or beginning of work on the site (if not a task order contract) and ending one year after completion of all work under the associated task order, or last time at the site (if not a task order contract).
(4) When the contractor performs work for the NRC under this contract at any NRC licensee or applicant site,
(i) The contractor may not solicit work at that site for that licensee or applicant during the period of performance of the task order or the contract, as appropriate.
(ii) The contractor may not perform work at that site for that licensee or applicant during the period of performance of the task order or the contract, as appropriate, and for one year thereafter.
(iii) Notwithstanding the foregoing, the contracting officer may authorize the contractor to solicit or perform this type of work (except work in the same or similar technical area) if the contracting officer determines that the situation will not pose a potential for technical bias or unfair competitive advantage.
(d) Disclosure after award.
(1) The contractor warrants that to the best of its knowledge and belief, and except as otherwise set forth in this contract, that it does not have any organizational conflicts of interest as defined in 48 CFR 2009.570-2.
(2) The contractor agrees that if, after award, it discovers organizational conflicts of interest with respect to this contract, it shall make an immediate and full disclosure in writing to the contracting officer. This statement must include a description of the action which the contractor has taken or proposes to take to avoid or mitigate such conflicts. The NRC may, however, terminate the contract if termination is in the best interest of the Government.
(3) It is recognized that the scope of work of a task-order-type contract necessarily encompasses a broad spectrum of activities. Consequently, if this is a task-order-type contract, the contractor agrees that it will disclose all proposed new work involving NRC licensees or applicants which comes within the scope of work of the underlying contract. Further, if this contract involves work at a licensee or applicant site, the contractor agrees to exercise diligence to discover and disclose any new work at that licensee or applicant site. This disclosure must be made before the submission of a bid or proposal to the utility or other regulated entity and must be received by the NRC at least 15 days before the proposed award date in any event, unless a written justification demonstrating urgency and due diligence to discover and disclose is provided by the contractor and approved by the contracting officer. The disclosure must include the statement of work, the dollar value of the proposed contract, and any other documents that are needed to fully describe the proposed work for the regulated utility or other regulated entity. NRC may deny approval of the disclosed work only when the NRC has issued a task order which includes the technical area and, if site-specific, the site, or has plans to issue a task order which includes the technical area and, if site-specific, the site, or when the work violates paragraphs (c)(2), (c)(3) or (c)(4) of this section.
(e) Access to and use of information.
(1) If, in the performance of this contract, the contractor obtains access to information, such as NRC plans, policies, reports, studies, financial plans, internal data protected by the Privacy Act of 1974 (5 U.S.C. Section 552a (1988)), or the Freedom of Information Act (5 U.S.C. Section 552 (1986)), the contractor agrees not to:
(i) Use this information for any private purpose until the information has been released to the public;
(ii) Compete for work for the Commission based on the information for a period of six months after either the completion of this contract or the release of the information to the public, whichever is first;
(iii) Submit an unsolicited proposal to the Government based on the information until one year after the release of the information to the public; or
(iv) Release the information without prior written approval by the contracting officer unless the information has previously been released to the public by the NRC.
(2) In addition, the contractor agrees that, to the extent it receives or is given access to proprietary data, data protected by the Privacy Act of 1974 (5 U.S.C. Section 552a (1988)), or the Freedom of Information Act (5 U.S.C. Section 552 (1986)), or other confidential or privileged technical, business, or financial information under this contract, the contractor shall treat the information in accordance with restrictions placed on use of the information.
(3) Subject to patent and security provisions of this contract, the contractor shall have the right to use technical data it produces under this contract for private purposes provided that all requirements of this contract have been met.
(f) Subcontracts. Except as provided in 48 CFR 2009.570-2, the contractor shall include this clause, including this paragraph, in subcontracts of any tier. The terms contract, contractor, and contracting officer, must be appropriately modified to preserve the Government's rights.
(g) Remedies. For breach of any of the above restrictions, or for intentional nondisclosure or misrepresentation of any relevant interest required to be disclosed concerning this contract or for such erroneous representations that necessarily imply bad faith, the Government may terminate the contract for default, disqualify the contractor from subsequent contractual efforts, and pursue other remedies permitted by law or this contract.
(h) Waiver. A request for waiver under this clause must be directed in writing to the contracting officer in accordance with the procedures outlined in 48 CFR 2009.570-9.
(i) Follow-on effort. The contractor shall be ineligible to participate in NRC contracts, subcontracts, or proposals therefor (solicited or unsolicited) which stem directly from the contractor's performance of work under this contract. Furthermore, unless so directed in writing by the contracting officer, the contractor may not perform any technical consulting or management support services work or evaluation activities under this contract on any of its products or services or the products or services of another firm if the contractor has been substantially involved in the development or marketing of the products or services.
(1) If the contractor under this contract, prepares a complete or essentially complete statement of work or specifications, the contractor is not eligible to perform or participate in the initial contractual effort which is based on the statement of work or specifications. The contractor may not incorporate its products or services in the statement of work or specifications unless so directed in writing by the contracting officer, in which case the restrictions in this paragraph do not apply.
(2) Nothing in this paragraph precludes the contractor from offering or selling its standard commercial items to the Government.
(End of Clause)
H.19 2052.215-71 CONTRACTING OFFICER REPRESENTATIVE AUTHORITY. (OCT 1999)
(a) The contracting officer's authorized representative (hereinafter referred to as the COR) for this contract is:
(b) Performance of the work under this contract is subject to the technical direction of the NRC COR. The term "technical direction" is defined to include the following:
(1) Technical direction to the contractor which shifts work emphasis between areas of work or tasks, authorizes travel which was unanticipated in the Schedule (i.e., travel not contemplated in the Statement of Work (SOW) or changes to specific travel identified in the SOW), fills in details, or otherwise serves to accomplish the contractual SOW.
(2) Provide advice and guidance to the contractor in the preparation of drawings, specifications, or technical portions of the work description.
(3) Review and, where required by the contract, approval of technical reports, drawings, specifications, and technical information to be delivered by the contractor to the Government under the contract.
(c) Technical direction must be within the general statement of work stated in the contract. The COR does not have the authority to and may not issue any technical direction which:
(1) Constitutes an assignment of work outside the general scope of the contract.
(2) Constitutes a change as defined in the "Changes" clause of this contract.
(3) In any way causes an increase or decrease in the total estimated contract cost, the fixed fee, if any, or the time required for contract performance.
(4) Changes any of the expressed terms, conditions, or specifications of the contract.
(5) Terminates the contract, settles any claim or dispute arising under the contract, or issues any unilateral directive whatever.
(d) All technical directions must be issued in writing by the COR or must be confirmed by the COR in writing within ten (10) working days after verbal issuance. A copy of the written direction must be furnished to the contracting officer. A copy of NRC Form 445, Request for Approval of Official Foreign Travel, which has received final approval from the NRC must be furnished to the contracting officer.
(e) The contractor shall proceed promptly with the performance of technical directions duly issued by the COR in the manner prescribed by this clause and within the COR's authority under the provisions of this clause.
(f) If, in the opinion of the contractor, any instruction or direction issued by the COR is within one of the categories as defined in paragraph (c) of this section, the contractor may not proceed but shall notify the contracting officer in writing within five (5) working days after the receipt of any instruction or direction and shall request the contracting officer to modify the contract accordingly. Upon receiving the notification from the contractor, the contracting officer shall issue an appropriate contract modification or advise the contractor in writing that, in the contracting officer's opinion, the technical direction is within the scope of this article and does not constitute a change under the "Changes" clause.
(g) Any unauthorized commitment or direction issued by the COR may result in an unnecessary delay in the contractor's performance and may even result in the contractor expending funds for unallowable costs under the contract.
(h) A failure of the parties to agree upon the nature of the instruction or direction or upon the contract action to be taken with respect thereto is subject to 52.233 Disputes.
(i) In addition to providing technical direction as defined in paragraph (b) of the section, the COR shall:
(1) Monitor the contractor's technical progress, including surveillance and assessment of performance, and recommend to the contracting officer changes in requirements.
(2) Assist the contractor in the resolution of technical problems encountered during performance.
(3) Review all costs requested for reimbursement by the contractor and submit to the contracting officer recommendations for approval, disapproval, or suspension of payment for supplies and services required under this contract.
(4) Assist the contractor in obtaining the badges for the contractor personnel.
(5) Immediately notify the Security Branch, Division of Facilities and Security (SB/DFS) (via e-mail) when a contractor employee no longer requires access authorization and return of any NRC issued badge to SB/DFS within three days after their termination.
(6) Ensure that all contractor employees that require access to classified Restricted Data or National Security Information or matter, access to sensitive unclassified information (Safeguards, Official Use Only, and Proprietary information) access to sensitive IT systems or data, unescorted access to NRC controlled buildings/space, or unescorted access to protected and vital areas of nuclear power plants receive approval of SB/DFS prior to access in accordance with Management Directive and Handbook 12.3.
(7) For contracts for the design, development, maintenance or operation of Privacy Act Systems of Records, obtain from the contractor as part of closeout procedures, written certification that the contractor has returned to NRC, transferred to the successor contractor, or destroyed at the end of the contract in accordance with instructions provided by the NRC Systems Manager for Privacy Act Systems of Records, all records (electronic or paper) which were created, compiled, obtained or maintained under the contract.
(End of Clause)
I - Contract Clauses
I.1 52.202-1 DEFINITIONS. (JUN 2020)
I.2 52.203-5 COVENANT AGAINST CONTINGENT FEES. (MAY 2014)
I.3 52.203-7 ANTI-KICKBACK PROCEDURES. (JUN 2020)
I.4 52.203-8 CANCELLATION, RESCISSION, AND RECOVERY OF FUNDS FOR ILLEGAL OR IMPROPER ACTIVITY. (MAY 2014)
I.5 52.203-10 PRICE OR FEE ADJUSTMENT FOR ILLEGAL OR IMPROPER ACTIVITY. (MAY 2014)
I.6 52.203-17 CONTRACTOR EMPLOYEE WHISTLEBLOWER RIGHTS AND REQUIREMENT TO INFORM EMPLOYEES OF WHISTLEBLOWER RIGHTS. (JUN 2020)
I.7 52.204-13 SYSTEM FOR AWARD MANAGEMENT MAINTENANCE. (OCT 2018)
I.8 52.204-14 SERVICE CONTRACT REPORTING REQUIREMENTS. (OCT 2016)
I.9 52.204-19 INCORPORATION BY REFERENCE OF REPRESENTATIONS AND CERTIFICATIONS. (DEC 2014)
I.10 52.204-21 BASIC SAFEGUARDING OF COVERED CONTRACTOR INFORMATION SYSTEMS. (JUN 2016)
(a) Definitions. As used in this clause-
Covered contractor information system means an information system that is owned or operated by a contractor that processes, stores, or transmits Federal contract information.
Federal contract information means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public Web sites) or simple transactional information, such as necessary to process payments.
Information means any communication or representation of knowledge such as facts, data, or opinions, in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual (Committee on National Security Systems Instruction (CNSSI) 4009).
Information system means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information (44 U.S.C. 3502).
Safeguarding means measures or controls that are prescribed to protect information systems.
(b) Safeguarding requirements and procedures. (1) The Contractor shall apply the following basic safeguarding requirements and procedures to protect covered contractor information systems. Requirements and procedures for basic safeguarding of covered contractor information systems shall include, at a minimum, the following security controls:
(i) Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
(ii) Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
(iii) Verify and control/limit connections to and use of external information systems.
(iv) Control information posted or processed on publicly accessible information systems.
(v) Identify information system users, processes acting on behalf of users, or devices.
(vi) Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
(vii) Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
(viii) Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
(ix) Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.
(x) Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
(xi) Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
(xii) Identify, report, and correct information and information system flaws in a timely manner.
(xiii) Provide protection from malicious code at appropriate locations within organizational information systems.
(xiv) Update malicious code protection mechanisms when new releases are available.
(xv) Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
(2) Other requirements. This clause does not relieve the Contractor of any other specific safeguarding requirements specified by Federal agencies and departments relating to covered contractor information systems generally or other Federal safeguarding requirements for controlled unclassified information (CUI) as established by Executive Order 13556.
(c) Subcontracts. The Contractor shall include the substance of this clause, including this paragraph (c), in subcontracts under this contract (including subcontracts for the acquisition of commercial items, other than commercially available off-the-shelf items), in which the subcontractor may have Federal contract information residing in or transiting through its information system.
(End of clause)
I.11 52.204-23 PROHIBITION ON CONTRACTING FOR HARDWARE, SOFTWARE, AND SERVICES DEVELOPED OR PROVIDED BY KASPERSKY LAB AND OTHER COVERED ENTITIES. (JUL 2018)
I.12 52.204-25 PROHIBITION ON CONTRACTING FOR CERTAIN TELECOMMUNICATIONS AND VIDEO SURVEILLANCE SERVICES OR EQUIPMENT. (AUG 2020)
I.13 52.217-8 OPTION TO EXTEND SERVICES. (NOV 1999)
The Government may require continued performance of any services within the limits and at the rates specified in the contract. These rates may be adjusted only as a result of revisions to prevailing labor rates provided by the Secretary of Labor. The option provision may be exercised more than once, but the total extension of performance hereunder shall not exceed 6 months. The Contracting Officer may exercise the option by written notice to the Contractor within 1 day.
(End of clause)
I.14 52.217-9 OPTION TO EXTEND THE TERM OF THE CONTRACT. (MAR 2000)
(a) The Government may extend the term of this contract by written notice to the Contractor within the contract period of performance; provided that the Government gives the Contractor a preliminary written notice of its intent to extend at least 1 day before the contract expires. The preliminary notice does not commit the Government to an extension.
(b) If the Government exercises this option, the extended contract shall be considered to include this option clause.
(c) The total duration of this contract, including the exercise of any options under this clause, shall not exceed 4 years and 6 months.
(End of clause)
I.15 52.219-11 SPECIAL 8(A) CONTRACT CONDITIONS. (JAN 2017)
The Small Business Administration (SBA) agrees to the following:
(a) To furnish the supplies or services set forth in this contract according to the specifications and the terms and conditions hereof by subcontracting with an eligible concern pursuant to the provisions of section 8(a) of the Small Business Act, as amended (15 U.S.C. 637(a)).
(b) That in the event SBA does not award a subcontract for all or a part of the work hereunder, this contract may be terminated either in whole or in part without cost to either party.
(c) Except for novation agreements, delegates to the U.S. Nuclear Regulatory Commission the responsibility for administering the subcontract to be awarded hereunder with complete authority to take any action on behalf of the Government under the terms and conditions of the subcontract; provided, however, that the U.S. Nuclear Regulatory Commission shall give advance notice to the SBA before it issues a final notice terminating the right of a subcontractor to proceed with further performance, either in whole or in part, under the subcontract for default or for the convenience of the Government.
(d) That payments to be made under any subcontract awarded under this contract will be made directly to the subcontractor by the U.S. Nuclear Regulatory Commission.
(e) That the subcontractor awarded a subcontract hereunder shall have the right of appeal from decisions of the Contracting Officer cognizable under the Disputes clause of said subcontract.
(f) To notify the U.S. Nuclear Regulatory Commission Contracting Officer immediately upon notification by the subcontractor that the owner or owners upon whom 8(a) eligibility was based plan to relinquish ownership or control of the concern.
(End of clause)
I.16 52.219-12 SPECIAL 8(A) SUBCONTRACT CONDITIONS. (OCT 2019)
(a) The Small Business Administration (SBA) has entered into Contract No. 0353/21/3323 with the U.S. Nuclear Regulatory Commission to furnish the supplies or services as described therein. A copy of the contract is attached hereto and made a part hereof.
(b) The Chainbridge Solutions, Inc., hereafter referred to as the subcontractor, agrees and acknowledges as follows:
(1) That it will, for and on behalf of the SBA, fulfill and perform all of the requirements of Contract No. 31310021C0024 for the consideration stated therein and that it has read and is familiar with each and every part of the contract.
(2) That the SBA has delegated responsibility, except for novation agreements, for the administration of this subcontract to the U.S. Nuclear Regulatory Commission with complete authority to take any action on behalf of the Government under the conditions of this subcontract.
(3) That it will notify the U.S. Nuclear Regulatory Commission Contracting Officer in writing immediately upon entering an agreement (either oral or written) to transfer all or part of its stock or other ownership interest to any other party.
(c) Payments, including any progress payments under this subcontract, will be made directly to the subcontractor by the U.S. Nuclear Regulatory Commission.
(End of clause)
I.17 52.219-14 LIMITATIONS ON SUBCONTRACTING. (MAR 2020)
(a) This clause does not apply to the unrestricted portion of a partial set-aside.
(b) Applicability. This clause applies only to-
(1) Contracts that have been set aside for small business concerns or 8(a) participants;
(2) Part or parts of a multiple-award contract that have been set aside for small business concerns or 8(a) participants;
(3) Orders set aside for small business concerns or 8(a) participants under multiple-award contracts as described in 8.405-5 and 16.505(b)(2)(i)(F); and
(4) Orders issued directly to small business concerns or 8(a) participants under multiple-award contracts as described in 19.504(c)(1)(ii).
(c) Limitations on subcontracting. By submission of an offer and execution of a contract, the Contractor agrees that in performance of the contract in the case of a contract for-
(1) Services (except construction). At least 50 percent of the cost of contract performance incurred for personnel shall be expended for employees of the concern.
(2) Supplies (other than procurement from a non-manufacturer of such supplies). The concern shall perform work for at least 50 percent of the cost of manufacturing the supplies, not including the cost of materials.
(3) General construction. The concern will perform at least 15 percent of the cost of the contract, not including the cost of materials, with its own employees.
(4) Construction by special trade contractors. The concern will perform at least 25 percent of the cost of the contract, not including the cost of materials, with its own employees.
(d) The Contractor shall comply with the limitations on subcontracting as follows:
(1) For contracts, in accordance with paragraph (b)(1) and (2) of this clause- (Contracting Officer check as appropriate.)
[X] By the end of the base term of the contract and then by the end of each subsequent option period; or
[ ] By the end of the performance period for each order issued under the contract.
(2) For orders, in accordance with paragraphs (b)(3) and (4) of this clause, by the end of the performance period for the order.
(End of clause)
I.18 52.219-17 SECTION 8(A) AWARD. (OCT 2019)
(a) By execution of a contract, the Small Business Administration (SBA) agrees to the following:
(1) To furnish the supplies or services set forth in the contract according to the specifications and the terms and conditions by subcontracting with the Offeror who has been determined an eligible concern pursuant to the provisions of section 8(a) of the Small Business Act, as amended (15 U.S.C. 637(a)).
(2) Except for novation agreements, delegates to the U.S. Nuclear Regulatory Commission the responsibility for administering the contract with complete authority to take any action on behalf of the Government under the terms and conditions of the contract; provided, however that the contracting agency shall give advance notice to the SBA before it issues a final notice terminating the right of the subcontractor to proceed with further performance, either in whole or in part, under the contract.
(3) That payments to be made under the contract will be made directly to the subcontractor by the contracting activity.
(4) To notify the U.S. Nuclear Regulatory Commission Contracting Officer immediately upon notification by the subcontractor that the owner or owners upon whom 8(a) eligibility was based plan to relinquish ownership or control of the concern.
(5) That the subcontractor awarded a subcontract hereunder shall have the right of appeal from decisions of the cognizant Contracting Officer under the "Disputes" clause of the subcontract.
(b) The offeror/subcontractor agrees and acknowledges that it will, for and on behalf of the SBA, fulfill and perform all of the requirements of the contract.
(End of clause)
I.19 52.222-50 COMBATING TRAFFICKING IN PERSONS. (OCT 2020)
I.20 52.223-18 ENCOURAGING CONTRACTOR POLICIES TO BAN TEXT MESSAGING WHILE DRIVING. (JUN 2020)
I.21 52.224-2 PRIVACY ACT. (APR 1984)
I.22 52.224-3 PRIVACY TRAINING. (JAN 2017)
I.23 52.225-13 RESTRICTIONS ON CERTAIN FOREIGN PURCHASES. (FEB 2021)
I.24 52.227-14 RIGHTS IN DATA-GENERAL. (MAY 2014)
I.25 52.232-1 PAYMENTS. (APR 1984)
I.26 52.232-7 PAYMENTS UNDER TIME-AND-MATERIALS AND LABOR-HOUR CONTRACTS. (AUG 2012)
I.27 52.232-22 LIMITATION OF FUNDS. (APR 1984)
I.28 52.232-39 UNENFORCEABILITY OF UNAUTHORIZED OBLIGATIONS. (JUN 2013)
I.29 52.232-40 PROVIDING ACCELERATED PAYMENTS TO SMALL BUSINESS SUBCONTRACTORS. (DEC 2013)
I.30 52.233-4 APPLICABLE LAW FOR BREACH OF CONTRACT CLAIM. (OCT 2004)
I.31 52.239-1 PRIVACY OR SECURITY SAFEGUARDS. (AUG 1996)
I.32 52.243-1 CHANGES - FIXED-PRICE. (AUG 1987)
I.33 52.243-3 CHANGES - TIME-AND-MATERIALS OR LABOR-HOURS. (SEP 2000)
I.34 52.244-2 SUBCONTRACTS. (JUN 2020)
I.35 52.244-5 COMPETITION IN SUBCONTRACTING. (DEC 1996)
I.36 52.244-6 SUBCONTRACTS FOR COMMERCIAL ITEMS. (JUL 2021)
I.37 52.246-25 LIMITATION OF LIABILITY - SERVICES. (FEB 1997)
I.38 52.249-4 TERMINATION FOR CONVENIENCE OF THE GOVERNMENT (SERVICES) (SHORT FORM). (APR 1984)
I.39 52.252-2 CLAUSES INCORPORATED BY REFERENCE. (FEB 1998)
This contract incorporates one or more clauses by reference, with the same force and effect as if they were given in full text. Upon request, the Contracting Officer will make their full text available. Also, the full text of a clause may be accessed electronically at this/these address(es):
https://www.acquisition.gov/
https://www.nrc.gov/about-nrc/contracting/48cfr-ch20.html#_1_44
(End of clause)
J - List of Documents, Exhibits and Other Attachments
| Attachment Number | Title | Date |
|---|---|---|
| 1 | Statement of Work | 09/10/2021 |
| 2 | Price Schedule | 09/10/2021 |
| 3 | Instructions_ IPP Billing Instructions for Fixed Price Contracts (2) | 09/10/2021 |
| 4 | Instructions_ IPP Billing Instructions for Labor-Hour or Time-and-Materials Contracts | 09/10/2021 |
| 5 | NRC Form 187 | 09/10/2021 |
Version Control Date: November 2018
STATEMENT OF WORK (SOW) FOR NRC TRAVEL TRACKER SOFTWARE/SEAD 3 Software Solution
Contents
C.1 Background
C.2 Objective
C.3 Scope of Work
C.4 Reporting Requirements
C.5 Deliverables and Delivery Schedule
C.6 Applicable Documents and Standards
C.7 Section 508 - Information and Communication Technology Accessibility
C.8 Incremental Development for Software
C.9 Place of Performance
C.10 Contractor Travel
C.11 Applicable Publications (Current Editions)
C.12 Security Requirements
C.13 Data Rights
C.14 Anticipated Labor Categories
C.1 Background
The Security Executive Agent Directive 3 (SEAD 3) establishes reporting requirements for all covered individuals who have access to classified information or hold a sensitive position.
Under SEAD 3, U.S. Nuclear Regulatory Commission (NRC) covered personnel (employees, contractors, subcontractors, licensees, licensee contractors, and others) with access to classified information must report all unofficial foreign travel and receive agency approval prior to travel.
To fulfill these requirements, the NRC will need a secure software solution to track unofficial foreign travel and allow the disclosure of the planned itinerary and foreign contacts during unofficial foreign trips via a portal that NRC covered persons (travelers) can easily access.
C.2 Objective
The objective of this contract/purchase order is to provide the NRC with a secure software solution to track unofficial foreign travel. The contractor shall be familiar with Security Executive Agent Directive 3 (SEAD 3). The Minimum Viable Product (MVP) software solution must be approved and in place NLT Jan 6, 2022.
C.3 Scope of Work
Utilizing agile software development principles and methodologies, the contractor shall develop a section 508 conformant software solution that complies with all Federally-mandated and NRC-defined cybersecurity requirements. If the solution is going to be cloud based, it must be currently FedRAMP authorized. The following tasks identify the requirements and software solution capabilities/functionalities necessary to furnish an MVP software solution.
Task 1 - Database Design: The contractor shall use the same database infrastructure from PSATS to form the foundation of the SEAD3 database. Specifically, the contractor shall ensure data recall, security design and data export are similar to the PSATS database. Additionally, this database shall have local access rights capability. Additionally, the Contractor shall provide a Project Plan to include major products, milestones, activities, and resources required that represents the how and when this project's objectives are to be achieved. The Project Plan shall document planning assumptions and decisions and document approved scope, costs, and schedule baseline. The Contractor shall also provide a Project Schedule using Microsoft Project 2003 or higher. The Project Plan shall include a schedule for iterative agile sprints and biweekly customer feedback. The Contractor shall utilize a configuration management (CM) tool for all check-in/check-out of code, change requests, and documentation. The NRC uses Jira and BitBucket and will make it available via the NRC's network if the Contractor does not have a CM tool. The Contractor shall provide the NRC with an updated Entity-relationship diagram (ERD) whenever any fields or relationships change within entellitrak, SEAD3 or PSATS.
Task 2 - Design Data Input Model: The contractor shall develop a web-based form to serve as the user interface for the SEAD3 workflow. The NRC has provided a PDF Template (See ) which shall serve as the basis for the information the traveler is required to provide as part of their pre-travel trip report.
Task 3 - Create SEAD 3 Queue and Workflow
The contractor shall develop a workflow approval process. As a part of this process, the information should be routed through an approval process, with a final notification sent to the traveler, the Security Management and Operation Branch (SMOB) and any other identified personnel. The workflow model shall include an approver's workflow model for additional information to be entered into the database.
Task 4 - Post Travel Reporting Workflow (For the MVP)
Due to the near-term deadline of January 6, 2022 for the MVP deployment, the contractor intends to address this task with workarounds to provide interim functionality until a more detailed workflow can be designed under Option Task 2 - Maintenance, Modernization and Enhancement Services. The interim functionality is addressed by a Saved Search that will identify approved travel that was completed within a certain time window. SMOB can send those travelers emails with Post Travel Report forms for completion. When returned, they can be attached to the Travel Event.
Task 5 - Create Intranet/Internet Access Page and Site Connection
The contractor shall create a web-based form that can be electronically filled in by personnel who are external (i.e., licensee sites, contractor sites) as well as personnel who are internal to the NRC network. This form must use secure means to protect and transmit the captured information back to the NRC, using current NRC cybersecurity guidelines. For external users, outside of the NRC network, identity and authentication methods must be integrated with the NRC's Identity, Credential, and Access Management (ICAM) program, including the use of common authentication technologies such as Security Assertion Markup Language (SAML). For external users, existing credentials and credentialing process should be utilized to reduce burden on users and prevent the issuance of disparate authenticators. Any externally provided information will be secured using accepted industry and NRC security standards.
Task 6 - Create Reporting/Export Page (For the MVP)
Due to the near-term deadline of January 6, 2022 for the MVP deployment, the contractor intends to address this task with workarounds to provide interim functionality until a more detailed workflow can be designed under Option Task 2 - Maintenance, Modernization and Enhancement Services. The interim functionality is addressed by the built-in Advanced Search capabilities of Entellitrak. Chainbridge Solutions helps SMOB create a repeatable query that can be saved and shared, along with the desired output columns. Reports can be natively exported to standard file formats such as html or XLS.
Task 7 - Create/Configure Integration with DoS
This software solution must also have the ability to manually upload data from the Department of State and Center for Disease Control travel advisory information websites.
Task 8 - User Testing/Interface
In order to support the success of the agile development process and allow for an efficient user feedback loop, the contractor shall create and maintain a designated test site in the Contractor's IT environment for the SEAD3 system testing. This test site shall not contain any NRC personnel security data. Additionally, the Contractor shall provide comprehensive and detailed test plans and test scripts to the NRC for all system testing. The Contractor shall use the NRC's standard browser and configuration, currently Chrome and Microsoft Edge, to fully test all aspects of any code prior to releasing it to the NRC for user acceptance testing. The Contractor shall ensure that all SEAD3 releases are thoroughly tested before NRC testing takes place.
As a final step, the NRC will require a testing and corrections period prior to final software acceptance. This period will be used to correct deficiencies and conduct security testing.
OPTIONAL TASKS:
Optional Task 1 - Create/Configure Integration with Department of State
This software solution may also have the ability to automatically pull data from the Department of State and Center for Disease Control travel advisory information.
Optional Task 2 - Maintenance, Modernization and Enhancement Services
After the NRC Travel Tracking System has been developed and implemented for use, the contractor shall provide ongoing maintenance, modernization and security enhancement services necessary to comply with evolving Agency and/or Federal-wide security requirements (i.e., SEAD3 and Cybersecurity etc.). Maintenance shall also include service to the information database to ensure proper usage and upgrades needed for compatibility with the applicable NRC Microsoft server version. The Contractor shall assist the NRC System Administrator with applying updates to SEAD3 in the pre-production and production environment. The Contractor shall utilize a configuration management (CM) tool for all check-in/check-out of code, change requests, and documentation. The NRC uses Jira and BitBucket and will make it available via the NRC's network if the Contractor does not have a CM tool. The Contractor shall provide the NRC with an updated Entity-relationship diagram (ERD) whenever any fields or relationships change within entellitrak, SEAD3 or PSATS.
Examples of these types of requirements include but aren't limited to:
The Post Travel Reporting Workflow shall provide for a means to allow travelers to provide additional information to their trip report, post-travel. After returning from their trip, travelers will be required to provide the following information, as applicable:
a) Report behavior or activities of those around them that could compromise classified information, workplace safety, and/or our national security.
b) Unplanned contacts with foreign governments, companies, or citizens during foreign travel and reason for contact. Unusual or suspicious occurrences during travel, including those of possible security or counterintelligence significance. Any foreign legal or customs incidents encountered.
Create Reporting/Export Page
The SEAD3 database shall have reporting functionality which, at a minimum, shall have the capability to search/sort by the input fields identified in Task 2.
C.4 Vendor Reporting Requirements
- 1. Contractor shall conduct iterative agile sprints and provide appropriate updates on the progress every 15 days or sooner, if possible. Updates shall consist of written reports and software demonstrations. The software demonstration will illustrate changes and updates completed during the design process. Each software demonstration shall demonstrate the iterative changes as discussed by the NRC and its representatives.
- 2. Contractor shall provide the final software update on January 6, 2022. The contractor shall allow for another sixty (60) days, once the software is in use, to correct any issues or vulnerabilities.
C.5 Deliverables and Delivery Schedule
- 1. Utilizing the latest agile software development principles and methodologies, the contractor shall provide the following deliverables:
| Section # | Deliverable | Due Date | Format | Submit to |
|---|---|---|---|---|
| C.3 - Task One | Project Plan | within 10 days after Contract Award | Word or Excel Document. Virtual meetings for software demonstrations. | COR |
| C.3 - Task 1 | Update ERD | As needed whenever fields or relationships have changed within entellitrak, SEAD3, or PSATS | Word or Excel Document. | COR |
| C.4 - | Agile Sprints/ Bi-Weekly Customer Meetings | As proposed by contractor but no later than every 15 days | | COR |
| C.3 - Tasks 1-8 | Final Minimally Viable Product (MVP): Solution shall be section 508 conformant and FedRAMP authorized, if cloud based solution. Provide name of product, stock number or part number, software version number and version date as applicable | No later than January 6, 2022 | | |
| C.4 | Final adjustments to MVP | No later than March 6, 2022 | | |
| C.3 - Optional Tasks 1 and 2 | Maintenance, Modernization and Enhancement Services | When needed, as applicable - To be defined via issuance of work orders | | |
| C.7.4.6 | 508 general exceptions documentation | When needed, as applicable. | Word or Adobe PDF Document | CO/COR |
| C.7.6.1 | Accessibility Conformance Report (ACR) | When new or updated ICT products, systems or applications are delivered, as applicable. | Word or Adobe PDF Document | COR |
| C.7.6.2 | Supplemental Accessibility Report (SAR) | When new or updated ICT products, systems or applications are delivered, as applicable. | Word Document | COR |
| C.7.6.3 | ICT support documentation | When new or updated ICT products, systems or applications are delivered, as applicable. | Word or Adobe PDF Document | COR |

C.6 Applicable Documents and Standards
C.7.4.1 Legacy ICT
N/A
C.7.4.2 National Security Systems
Based on the definition at 40 U.S.C. 11103(a), the National Security Systems general exception (section E202.3 of 36 CFR § 1194) is not applicable to this contract/order.
C.7.4.3 Incidental ICT
ICT acquired by the Contractor incidental to this contract/order shall not be required to conform to the revised 508 standards.
Note: This only applies when the Contractor is procuring the ICT, only the Contractor personnel will access or use the ICT, and ownership of the ICT will remain with the Contractor upon completion of the contract/order.
C.7.4.4 ICT Functions Located in Maintenance or Monitoring Spaces
The Contractor shall confirm with the COR that an ICT deliverable of this contract/order will be located in maintenance or monitoring spaces before assuming that the ICT Functions Located in Maintenance or Monitoring Spaces general exception (section E202.5 of 36 CFR § 1194) applies.
Note that this exception does not apply to features of the ICT (such as Web interfaces) that can be accessed remotely, outside the maintenance or monitoring space where the ICT is located.
C.7.4.5 Undue Burden
N/A
C.7.4.6 Fundamental Alteration or Best Meets
If the Contractor wishes to use the Fundamental Alteration (section E202.6 of 36 CFR § 1194) or Best Meets (section E202.7 of 36 CFR § 1194) general exceptions, the Contractor shall do the following:
- 1. provide the COR with information necessary to support the agency's documentation requirements, as identified in sections E202.6.2 and E202.7.1 of 36 CFR § 1194, respectively
- 2. request and obtain written approval from the COR for development and/or use, as applicable to the scope of the contract/order, of an alternative means for providing individuals with disabilities access to and use of the information and data, as specified in sections E202.6.3 and E202.7.2 of 36 CFR § 1194, respectively.
C.7.5 Additional Accessibility Requirements
C.7.5.1 Notification Due to Impact from NRC Policies, Procedures, Tools and/or ICT Infrastructure
If and when 1) the Contractor is dependent upon NRC policies, procedures, tools and/or ICT infrastructure for standards-conformant delivery of any of the products or services under this acquisition, and 2) the Contractor is aware that conformance of products or services will be negatively impacted by capability gaps in NRC policies, procedures, tools and/or ICT infrastructure, the Contractor shall inform the COR so that the NRC can both be aware and take corrective action.
C.7.5.2 Accessibility of Electronic Content
For electronic content (as defined in section E103 of 36 CFR § 1194) deliverables of this contract/order:
- 1. If a deliverable is either Public Facing or Agency Official Communication (as defined in sections E103 and E205.3 of 36 CFR § 1194, respectively) and therefore required to be conformant with section E205.4 of 36 CFR § 1194 then
- a. The NRC may choose, for its own reasons, to take responsibility for the final conformance of the deliverable or its class of deliverables by explicitly identifying the deliverable or class of deliverables through one of the following means:
- i. Identified in this contract/order, or
- ii. Identified in writing to the Contractor by the COR, with a copy to the CO.
- 2. Otherwise, the NRC may still have a requirement that the deliverable be conformant with section E205.4 of 36 CFR § 1194, but only if the deliverable is explicitly identified in this contract/order as having that requirement.
C.7.5.3 Other
It is desirable that the Contractor address the applicable provisions of the Revised 508 Standards throughout product and service lifecycles rather than only performing a conformance check toward the end of a process.
If and when the Contractor provides custom ICT development services pursuant to this acquisition, the Contractor shall ensure the ICT products and services fully support the applicable provisions of the Revised 508 Standards prior to delivery and before final acceptance.
If and when the Contractor provides installation, configuration or integration services for ICT products (equipment and/or software) pursuant to this acquisition, the Contractor shall not install, configure or integrate the ICT equipment and software in a way that reduces the level of conformance with the applicable provisions of the Revised 508 Standards.
If and when the scope of this contract/order includes work by the Contractor to collect, directly from NRC employees or the Public, requirements for the procurement, development, maintenance or use of ICT, the Contractor shall identify the needs of users with disabilities in conformance to section E203.2.
C.7.6 ICT Accessibility Deliverables
The Contractor shall provide the following ICT accessibility deliverables, when within the scope of this contract/order.
C.7.6.1 Accessibility Conformance Report (ACR)
This report shall be submitted for ICT products, systems or application deliverables. A written ACR shall be based on the Voluntary Product Accessibility Template (VPAT), as specified at https://www.itic.org/policy/accessibility/vpat, or provide equivalent information. The purpose of this report is to document the state of conformance to the Revised 508 Standards for the subject product, system or application.
C.7.6.2 Supplemental Accessibility Report (SAR)
This report shall be submitted for ICT products, systems or application deliverables that have been custom developed or integrated by the Contractor to meet contract/order requirements. A written SAR shall contain:
a) Description of evaluation methods used to produce the ACR, to demonstrate due diligence in supporting conformance claims;
b) Information on core functions that can't be used by persons with disabilities; and,
c) Information on how to configure and install the ICT item to support accessibility
C.7.6.3 ICT Support Documentation
This documentation shall be submitted for ICT products, systems or application deliverables.
The support documentation shall include:
a) Documentation of features that help achieve accessibility and compatibility with assistive technology for persons with disabilities (as required by section 602 of 36 CFR § 1194);
b) For authoring tools that generate content (documents, reports, videos, multimedia, web content, etc.): Information on how the tool enables the creation of accessible electronic content that conforms to the Revised 508 Standards (see section 504 of 36 CFR § 1194), including the range of accessible user interface elements the tool can create;
c) For platform software (as defined in section E103.4 of 36 CFR § 1194) and software tools that are provided by a platform developer: Documentation on the set of accessibility services that support applications running on the platform to interoperate with assistive technology, as required by section 502.3 of 36 CFR § 1194.
C.7.6.4 ICT Support Documentation (Alternate Formats)
Upon request, alternate formats for non-electronic support documentation shall be provided (as required by section 602.4 of 36 CFR § 1194).
C.7.6.5 Electronic Content Accessibility Checklist
If the requirement is specified elsewhere in this acquisition that testing of electronic content be performed, the Contractor shall submit a completed accessibility checklist to document the conformance of the tested content. The checklist shall summarise the subject deliverable's state of conformance to the applicable WCAG 2.0 Level A and AA Success Criteria (as referenced in section E205.4 and 702.10 of 36 CFR § 1194).
C.7.6.6 Communication to ICT Users
When the Contractor is providing ICT support services (including, but not limited to help desks, call centers, training services, and automated self-service technical support), any communication to ICT users shall accommodate the communication needs of individuals with disabilities (see section 603.3 of 36 CFR § 1194) and include information on accessibility and compatibility features (see 603.2 of 36 CFR § 1194).
C.8 Incremental Development for Software
The Contractor shall use an incremental build model for software development. The Agency defines an incremental build model as a method of software development where the product is designed, implemented, and tested incrementally, with increasing functionality and/or capability added in each increment until the product is finished.
C.9 Place of Performance
The following NRC Facilities are the locations where work can be performed:
NRC Headquarters:
One White Flint North (OWFN): 11555 Rockville Pike, Rockville, MD 20852
Two White Flint North (TWFN): 11545 Rockville Pike, Rockville, MD 20852
Three White Flint North (3WFN): 11601 Landsdown Street, North Bethesda, MD 20852
NRC Warehouse: 4930 Boling Brook Parkway, Rockville MD 20852
NRC Region One:
2100 Renaissance Blvd. Suite 100, King of Prussia, PA 19406
NRC Region Two:
Marquis One Tower 245 Peachtree Center Ave. NE, Suite 1200, Atlanta, GA 30303
NRC Region Three:
2443 Warrenville Road, Suite 210, Lisle, IL 60532
NRC Region Four:
1600 East Lamar Blvd., Arlington, TX 76011
Additional Facilities:
Any additional or future NRC facilities as required.
C.10 Contractor Travel
All required Contractor travel will be in accordance with the FAR and pre-approved by the COR.
C.11 Applicable Publications (Current Editions)
N/A
C.12 Security Requirements
The contractor shall be required to return NRC issued Personal Identification Verification (PIV) cards/badges to the COR at the end of the contract period of performance. If a contractor voluntarily leaves the company, the badge must be returned on the employee's final day of employment. Once the badge is returned to the NRC, the contractor will no longer have access to NRC buildings, sensitive information technology systems or data. Additional information related to the returning of PIV badges can be found in Management Directive 12.1, Section 5.
C.13 Data Rights
The NRC shall have unlimited rights to and ownership of all deliverables provided under this contract/order, including reports, recommendations, briefings, work plans and all other deliverables. All documents and materials, to include the source codes of any software, produced under this contract/order are the property of the Government with all rights and privileges of ownership/copyright belonging exclusively to the Government. These documents and materials may not be used or sold by the contractor without written authorization from the CO. All materials supplied to the Government shall be the sole property of the Government and may not be used for any other purpose. This right does not abrogate any other Government rights. The definition of unlimited rights is contained in Federal Acquisition Regulation (FAR) 27.401, Definitions. FAR clause at FAR 52.227-14, Rights in Data-General, is hereby incorporated by reference and made a part of this contract/order.
C.14 Anticipated Labor Categories
The contractor shall ensure the requirements set forth in this statement of work are supported by personnel with the appropriate education, certifications, and/or experience in performing