ML21272A106

Task Order No. 31310021F0093 Under Contract No. NNG15SD26B - Redacted
ML21272A106
Person / Time
Issue date: 08/12/2021
From: Rasmey Robinson
Acquisition Management Division
To: Schlosser D
Thundercat Technology
References
NNG15SD26B
Download: ML21272A106 (37)


Text

1. REQUISITION NUMBER PAGE OF SOLICITATION/CONTRACT/ORDER FOR COMMERCIAL ITEMS OFFEROR TO COMPLETE BLOCKS 12, 17, 23, 24, & 30 OIG-21-0009 1 37

2. CONTRACT NO. 3. AWARD/ 4. ORDER NUMBER 5. SOLICITATION NUMBER 6. SOLICITATION NNG15SD26B EFFECTIVE DATE 31310021Q0102 ISSUE DATE 31310021F0093 07/06/2021
7. FOR SOLICITATION a. NAME b. TELEPHONE NUMBER (No collect calls) 8. OFFER DUE DATE/LOCAL TIME INFORMATION CALL: RICHARD ROBINSON 301-415-3689
9. ISSUED BY CODE NRCHQ 10. THIS ACQUISITION IS UNRESTRICTED OR X SET ASIDE: 100.00  % FOR:

WOMEN-OWNED SMALL BUSINESS US NRC - HQ X SMALL BUSINESS (WOSB) ELIGIBLE UNDER THE WOMEN-OWNED ACQUISITION MANAGEMENT DIVISION HUBZONE SMALL SMALL BUSINESS PROGRAM NAICS: 541519 BUSINESS EDWOSB MAIL STOP TWFN-07B20M SERVICE-DISABLED WASHINGTON DC 20555-0001 VETERAN-OWNED 8(A)

SIZE STANDARD: 150 SMALL BUSINESS

11. DELIVERY FOR FOB DESTINA- 12. DISCOUNT TERMS 13b. RATING TION UNLESS BLOCK IS 13a. THIS CONTRACT IS A MARKED 30 RATED ORDER UNDER
14. METHOD OF SOLICITATION SEE SCHEDULE DPAS (15 CFR 700)

RFQ IFB RFP

15. DELIVER TO CODE NRCHQ 16. ADMINISTERED BY CODE NRCHQ NUCLEAR REGULATORY COMMISSION US NRC - HQ NUCLEAR REGULATORY COMMISSION ACQUISITION MANAGEMENT DIVISION WASHINGTON DC 20555-0001 MAIL STOP TWFN-07B20M WASHINGTON DC 20555-0001 17a. CONTRACTOR/ CODE 809887164 FACILITY 18a. PAYMENT WILL BE MADE BY CODE NRCPAYMENTS OFFEROR CODE THUNDERCAT TECHNOLOGY LLC FISCAL ACCOUNTING PROGRAM ATTN DAVID SCHLOSSER ADMIN TRAINING GROUP AVERY STREET A3-G 1925 ISAAC NEWTON SQ STE 180 BUREAU OF THE FISCAL SERVICE RESTON VA 201905030 PO BOX 1328 PARKERSBURG WV 26106-1328 TELEPHONE NO. 7036740247 17b. CHECK IF REMITTANCE IS DIFFERENT AND PUT SUCH ADDRESS IN OFFER 18b. SUBMIT INVOICES TO ADDRESS SHOWN IN BLOCK 18a UNLESS BLOCK BELOW IS CHECKED SEE ADDENDUM
19. ITEM NO.   20. SCHEDULE OF SUPPLIES/SERVICES   21. QUANTITY   22. UNIT   23. UNIT PRICE   24. AMOUNT

The U.S. Nuclear Regulatory Commission (NRC) hereby issues a Delivery Order for the BRAND NAME OR EQUAL Software as a Service (SaaS) products listed in the Price Schedule of the attached documents.

Total Period of Performance (Base and All Options): 8/16/2021 - 8/15/2026

Period of Performance (Base and Exercised Options): 8/16/2021 - 8/15/2022

Total Order Ceiling (Base and All Options):

(Use Reverse and/or Attach Additional Sheets as Necessary)

25. ACCOUNTING AND APPROPRIATION DATA: See schedule

26. TOTAL AWARD AMOUNT (For Govt. Use Only): $776,218.09

27a. SOLICITATION INCORPORATES BY REFERENCE FAR 52.212-1, 52.212-4. FAR 52.212-3 AND 52.212-5 ARE ATTACHED. ADDENDA ARE / ARE NOT ATTACHED.

X 27b. CONTRACT/PURCHASE ORDER INCORPORATES BY REFERENCE FAR 52.212-4. FAR 52.212-5 IS ATTACHED. ADDENDA X ARE / ARE NOT ATTACHED.

28. CONTRACTOR IS REQUIRED TO SIGN THIS DOCUMENT AND RETURN COPIES TO ISSUING OFFICE. CONTRACTOR AGREES TO FURNISH AND DELIVER ALL ITEMS SET FORTH OR OTHERWISE IDENTIFIED ABOVE AND ON ANY ADDITIONAL SHEETS SUBJECT TO THE TERMS AND CONDITIONS SPECIFIED.

X 29. AWARD OF CONTRACT: REF. EK051027 v1 OFFER DATED 07/20/2021. YOUR OFFER ON SOLICITATION (BLOCK 5), INCLUDING ANY ADDITIONS OR CHANGES WHICH ARE SET FORTH HEREIN, IS ACCEPTED AS TO ITEMS:

30a. SIGNATURE OF OFFEROR/CONTRACTOR

30b. NAME AND TITLE OF SIGNER (Type or print)

30c. DATE SIGNED

31a. UNITED STATES OF AMERICA (SIGNATURE OF CONTRACTING OFFICER)

31b. NAME OF CONTRACTING OFFICER (Type or print): RICHARD W. ROBINSON

31c. DATE SIGNED: 08/12/2021

AUTHORIZED FOR LOCAL REPRODUCTION. PREVIOUS EDITION IS NOT USABLE.

STANDARD FORM 1449 (REV. 2/2012). Prescribed by GSA - FAR (48 CFR) 53.212

NNG15SD26B/31310021F0093

B - Continuation Pages
B.1 BRIEF PROJECT TITLE AND WORK DESCRIPTION
B.2 TYPE OF CONTRACT (JULY 2020)
B.3 CONSIDERATION AND OBLIGATION-FIRM-FIXED-PRICE

C - Contract Clauses
C.1 PACKAGING AND MARKING
C.2 BRANDING
C.3 INSPECTION AND ACCEPTANCE BY THE NRC (SEP 2013)
C.4 PERIOD OF PERFORMANCE ALTERNATE
C.5 REGISTRATION IN FEDCONNECT (MAY 2021)
C.6 ELECTRONIC PAYMENT (DEC 2017)
C.7 SECURITY REQUIREMENTS FOR INFORMATION TECHNOLOGY LEVEL I OR LEVEL II ACCESS APPROVAL (JUL 2016)
C.8 IT SECURITY REQUIREMENTS - DEVELOPMENT AND OPERATIONS AND MAINTENANCE REQUIREMENTS (APR 2014)
C.9 IT SECURITY REQUIREMENTS - NRC AND CONTRACTOR (NON-NRC) FACILITIES (APR 2014)
C.10 DRUG FREE WORKPLACE TESTING: UNESCORTED ACCESS TO NUCLEAR FACILITIES, ACCESS TO CLASSIFIED INFORMATION OR SAFEGUARDS INFORMATION, OR PERFORMING IN SPECIALLY SENSITIVE POSITIONS (MARCH 2019)
C.11 USE OF AUTOMATED CLEARING HOUSE (ACH) ELECTRONIC PAYMENT/REMITTANCE ADDRESS
C.12 2052.204-70 SECURITY. (OCT 1999)
C.13 2052.215-71 CONTRACTING OFFICER REPRESENTATIVE AUTHORITY. (OCT 1999) - ALTERNATE II (OCT 1999)
C.15 52.204-19 INCORPORATION BY REFERENCE OF REPRESENTATIONS AND CERTIFICATIONS. (DEC 2014)
C.16 52.212-5 CONTRACT TERMS AND CONDITIONS REQUIRED TO IMPLEMENT STATUTES OR EXECUTIVE ORDERS - COMMERCIAL ITEMS. (JUL 2021)
C.17 52.217-6 OPTION FOR INCREASED QUANTITY. (MAR 1989)
C.18 52.217-8 OPTION TO EXTEND SERVICES. (NOV 1999)
C.19 52.217-9 OPTION TO EXTEND THE TERM OF THE CONTRACT. (MAR 2000)

D - Contract Documents, Exhibits and Attachments

B - Continuation Pages

NRC Local Clauses

B.1 BRIEF PROJECT TITLE AND WORK DESCRIPTION

(a) The title of this project is: INVESTIGATIONS, CORRESPONDENCE AND AUDIT MANAGEMENT SYSTEM (ICAMS) FOR OFFICE OF THE INSPECTOR GENERAL (OIG)

(b) Summary work description: The objective of this acquisition is to procure a FedRAMP authorized, total Software-as-a-Service (SaaS) solution to provide an Investigation, Correspondence, and Audit Management System to support the U.S. Nuclear Regulatory Commission (NRC) OIG's mission of combating fraud, waste and abuse. The NRC intends to purchase software licenses and support on a BRAND NAME OR EQUAL basis from an authorized NASA SEWP V Contractor that sells AINS eCase software.

BRAND NAME OR EQUAL SPECIFICATIONS: The NRC requires BRAND NAME OR EQUAL for the software products and support services listed in the Price Schedule above.

Specifically the NRC requires a total SaaS solution to satisfy this requirement. The single SaaS solution must:

- be a Commercial-off-the-Shelf (COTS), out-of-the-box ICAMS product(s) that only requires the solution to be configured, as opposed to developed;

- meet the professional standards governing Inspector General audits and investigations, which are enumerated in Government Auditing Standards and Quality Standards for Investigations, in order to comply with the Council of the Inspectors General on Integrity and Efficiency (CIGIE) Peer Review program;

- be compliant with all FedRAMP Moderate requirements including, but not limited to, IT infrastructure, software maintenance, hardware maintenance, redundant systems, disaster recovery, backups, cybersecurity, continuous monitoring, change control, and incident response.

A single SaaS solution, meeting all of the ICAMS requirements, from a single software provider is preferred.

B.2 TYPE OF CONTRACT (JULY 2020)

The contract type for this award is Fixed Price.

B.3 CONSIDERATION AND OBLIGATION-FIRM-FIXED-PRICE

The total amount of the Firm-Fixed-Price portion of this contract is $290,658.66, and this amount is fully-funded.

C - Contract Clauses

NRC Local Clauses Incorporated by Full Text

C.1 PACKAGING AND MARKING

(a) The Contractor shall package material for shipment to the NRC in such a manner that will ensure acceptance by common carrier and safe delivery at destination. Containers and closures shall comply with the Surface Transportation Board, Uniform Freight Classification Rules, or regulations of other carriers as applicable to the mode of transportation.

(b) On the front of the package, the Contractor shall clearly identify the contract number under which the product is being provided.

(c) Additional packaging and/or marking requirements are as follows: N/A.

C.2 BRANDING

The Contractor is required to use the statement below in any publications, presentations, articles, products, or materials funded under this contract/order, to the extent practical, in order to provide NRC with recognition for its involvement in and contribution to the project. If the work performed is funded entirely with NRC funds, then the contractor must acknowledge that information in its documentation/presentation.

Work Supported by the U.S. Nuclear Regulatory Commission (NRC), Office of the Inspector General, under Contract/order number NNG15SD26B/31310021F0093.

C.3 INSPECTION AND ACCEPTANCE BY THE NRC (SEP 2013)

Inspection and acceptance of the deliverable items to be furnished hereunder shall be made by the NRC Contracting Officer's Representative (COR) at the destination, in accordance with FAR 52.247 F.o.b. Destination.

Contract Deliverables:

1. See Price Schedule.

C.4 PERIOD OF PERFORMANCE ALTERNATE

This contract shall commence on 08/16/2021 and will expire on 08/15/2022. The term of this contract may be extended at the option of the Government for an additional 4 years, from 08/15/2022 to 08/15/2026.

Base Period: 08/16/2021 to 08/15/2022

Option Period(s):

Option Period 1 - 08/16/2022 to 08/15/2023
Option Period 2 - 08/16/2023 to 08/15/2024
Option Period 3 - 08/16/2024 to 08/15/2025
Option Period 4 - 08/16/2025 to 08/15/2026

C.5 REGISTRATION IN FEDCONNECT (MAY 2021)

The Nuclear Regulatory Commission (NRC) uses Unison Software Inc.'s secure and auditable two-way web portal, FedConnect, to communicate with vendors and contractors. FedConnect provides bi-directional communication between the vendor/contractor and the NRC throughout pre-award, award, and post-award acquisition phases.

Vendors/contractors shall use FedConnect for the submission of responses to solicitations, acknowledgment of receipt of award and modification documents; and may be required to submit monthly letter status reports and other deliverables through FedConnect as well.

Please see Section C of this award for details regarding submission of deliverables.

Therefore, in order to do business with the NRC, vendors and contractors shall register to use FedConnect at https://www.fedconnect.net/FedConnect. The individual registering in FedConnect shall have authority to bind the vendor/contractor. There is no charge for using FedConnect. Assistance with FedConnect is provided by Unison, not the NRC. FedConnect contact and assistance information is provided on the FedConnect web site.

C.6 ELECTRONIC PAYMENT (DEC 2017)

The Debt Collection Improvement Act of 1996 requires that all payments except IRS tax refunds be made by Electronic Funds Transfer. Payment shall be made in accordance with FAR 52.232-33, entitled Payment by Electronic Funds Transfer-System for Award Management.

To receive payment, the contractor shall prepare invoices in accordance with NRC's Billing Instructions. Claims shall be submitted through the Invoice Processing Platform (IPP) (https://www.ipp.gov/). Back up documentation shall be included as required by the NRC's Billing Instructions.

C.7 SECURITY REQUIREMENTS FOR INFORMATION TECHNOLOGY LEVEL I OR LEVEL II ACCESS APPROVAL (JUL 2016)

The contractor must identify all individuals selected to work under this contract. The NRC Contracting Officer's Representative (COR) shall make the final determination of the level, if any, of IT access approval required for all individuals working under this contract/order using the following guidance. The Government shall have full and complete control and discretion over granting, denying, withholding, or terminating IT access approvals for contractor personnel performing work under this contract/order.

The contractor shall conduct a preliminary security interview or review for each employee requiring IT level I or II access and submit to the Government only the names of candidates that have a reasonable probability of obtaining the level of IT access approval for which the employee has been proposed. The contractor shall pre-screen its applicants for the following:

(a) felony arrest in the last seven (7) years;
(b) alcohol related arrest within the last five (5) years;
(c) record of any military courts-martial convictions in the past ten (10) years;
(d) illegal use of narcotics or other controlled substances possession in the past year, or illegal purchase, production, transfer, or distribution of narcotics or other controlled substances in the last seven (7) years; and
(e) delinquency on any federal debts or bankruptcy in the last seven (7) years.

The contractor shall make a written record of its pre-screening interview or review (including any information to mitigate the responses to items listed in (a) - (e)), and have the employee verify the pre-screening record or review, sign and date it. The contractor shall supply two (2) copies of the signed contractor's pre-screening record or review to the NRC Contracting Officer's Representative (COR), who will then provide them to the NRC Office of Administration, Division of Facilities and Security, Personnel Security Branch with the employee's completed IT access application package.

The contractor shall further ensure that its personnel complete all IT access approval security applications required by this clause within fourteen (14) calendar days of notification by the NRC Contracting Officer's Representative (COR) of initiation of the application process. Timely receipt of properly completed records of the pre-screening record and IT access approval applications (submitted for candidates that have a reasonable probability of obtaining the level of security assurance necessary for access to NRC's IT systems/data) is a requirement of this contract/order. Failure of the contractor to comply with this requirement may be a basis to terminate the contract/order for cause, or to offset from the contract's invoiced cost or price the NRC's incurred costs or delays as a result of inadequate pre-screening by the contractor.

SECURITY REQUIREMENTS FOR IT LEVEL I

Performance under this contract/order will involve contractor personnel who perform services requiring direct access to or operation of agency sensitive information technology systems or data (IT Level I). The IT Level I involves responsibility for: (a) the planning, direction, and implementation of a computer security program; (b) major responsibility for the direction, planning, and design of a computer system, including hardware and software; (c) the capability to access a computer system during its operation or maintenance in such a way that could cause or that has a relatively high risk of causing grave damage; or (d) the capability to realize a significant personal gain from computer access.

Contractor personnel shall not have access to sensitive information technology systems or data until they are approved by DFS/PSB and they have been so informed in writing by the NRC Contracting Officer's Representative (COR). Temporary IT access may be approved by DFS/PSB based on a favorable review or adjudication of their security forms and checks. Final IT access may be approved by DFS/PSB based on a favorable review or adjudication of a completed background investigation. However, temporary access authorization approval will be revoked and the employee may subsequently be denied IT access in the event the employee's investigation cannot be favorably adjudicated. Such an employee will not be authorized to work under any NRC contract/order requiring IT access without the approval of DFS/PSB, as communicated in writing to the contractor by the NRC Contracting Officer's Representative (COR). Where temporary access authorization has been revoked or denied by DFS/PSB, the contractor shall assign another contractor employee to perform the necessary work under this contract/order without delay to the contract/order performance schedule, or without adverse impact to any other terms or conditions of the contract/order. When an individual receives final IT access approval from DFS/PSB, the individual will be subject to a reinvestigation every ten (10) years thereafter (assuming continuous performance under contracts/orders at NRC) or more frequently in the event of noncontinuous performance under contracts/orders at NRC.

CORs are responsible for submitting the completed access/clearance request package as well as other documentation that is necessary to DFS/PSB. The contractor shall submit a completed security forms packet, including the OPM Standard Form (SF) 86 (online Questionnaire for National Security Positions), two (2) copies of the Contractor's signed pre-screening record, and two (2) FD 258 fingerprint charts, to DFS/PSB for review and adjudication, prior to the individual being authorized to perform work under this contract/order requiring access to sensitive information technology systems or data. Non-U.S. citizens must provide official documentation to the DFS/PSB, as proof of their legal residency. This documentation can be a Permanent Resident Card, Temporary Work Visa, Employment Authorization Card, or other official documentation issued by the U.S. Citizenship and Immigration Services. Any applicant with less than seven (7) years residency in the U.S. will not be approved for IT Level I access. The Contractor shall submit the documents to the NRC Contracting Officer's Representative (COR) who will give them to DFS/PSB. The contractor shall ensure that all forms are accurate, complete, and legible. Based on DFS/PSB review of the contractor employee's security forms and/or the receipt of adverse information by NRC, the contractor individual may be denied access to NRC facilities and sensitive information technology systems or data until a final determination is made by DFS/PSB. The contractor individual's clearance status will thereafter be communicated to the contractor by the NRC Contracting Officer's Representative (COR) regarding the contractor person's eligibility.

In accordance with NRCAR 2052.204-70 "Security," IT Level I contractors shall be subject to the attached NRC Form 187 and SF-86. Together, these furnish the basis for providing security requirements to contractors that have or may have an NRC contractual relationship which requires access to or operation of agency sensitive information technology systems, remote development and/or analysis of sensitive information technology systems or data, or other access to such systems and data; access on a continuing basis (in excess more than 30 calendar days) to NRC buildings; or otherwise requires issuance of an unescorted NRC badge.

SECURITY REQUIREMENTS FOR IT LEVEL II

Performance under this contract/order will involve contractor personnel that develop and/or analyze sensitive information technology systems or data or otherwise have access to such systems or data (IT Level II).

The IT Level II involves responsibility for the planning, design, operation, or maintenance of a computer system and all other computer or IT positions.

Contractor personnel shall not have access to sensitive information technology systems or data until they are approved by DFS/PSB and they have been so informed in writing by the NRC Contracting Officer's Representative (COR). Temporary access may be approved by DFS/PSB based on a favorable review of their security forms and checks. Final IT access may be approved by DFS/PSB based on a favorable adjudication. However, temporary access authorization approval will be revoked and the contractor employee may subsequently be denied IT access in the event the employee's investigation cannot be favorably adjudicated.

Such an employee will not be authorized to work under any NRC contract/order requiring IT access without the approval of DFS/PSB, as communicated in writing to the contractor by the NRC Contracting Officer's Representative (COR). Where temporary access authorization has been revoked or denied by DFS/PSB, the contractor is responsible for assigning another contractor employee to perform the necessary work under this contract/order without delay to the contract/order performance schedule, or without adverse impact to any other terms or conditions of the contract/order. When a contractor employee receives final IT access approval from DFS/PSB, the individual will be subject to a review or reinvestigation every ten (10) years (assuming continuous performance under contract/order at NRC) or more frequently in the event of noncontinuous performance under contract/order at NRC.

CORs are responsible for submitting the completed access/clearance request package as well as other documentation that is necessary to DFS/PSB. The contractor shall submit a completed security forms packet, including the OPM Standard Form (SF) 86 (online Questionnaire for National Security Positions), two (2) copies of the Contractor's signed pre-screening record and two (2) FD 258 fingerprint charts, to DFS/PSB for review and adjudication, prior to the contractor employee being authorized to perform work under this contract/order. Non-U.S. citizens must provide official documentation to the DFS/PSB, as proof of their legal residency. This documentation can be a Permanent Resident Card, Temporary Work Visa, Employment Authorization Card, or other official documentation issued by the U.S. Citizenship and Immigration Services. Any applicant with less than seven (7) years residency in the U.S. will not be approved for IT Level II access. The Contractor shall submit the documents to the NRC Contracting Officer's Representative (COR) who will give them to DFS/PSB. The contractor shall ensure that all forms are accurate, complete, and legible. Based on DFS/PSB review of the contractor employee's security forms and/or the receipt of adverse information by NRC, the contractor employee may be denied access to NRC facilities, sensitive information technology systems or data until a final determination is made by DFS/PSB regarding the contractor person's eligibility.

In accordance with NRCAR 2052.204-70 "Security," IT Level II contractors shall be subject to the attached NRC Form 187, SF-86, and contractor's record of the pre-screening. Together, these furnish the basis for providing security requirements to contractors that have or may have an NRC contractual relationship which requires access to or operation of agency sensitive information technology systems, remote development and/or analysis of sensitive information technology systems or data, or other access to such systems or data; access on a continuing basis (in excess of more than 30 calendar days) to NRC buildings; or otherwise requires issuance of an unescorted NRC badge.

CANCELLATION OR TERMINATION OF IT ACCESS/REQUEST

When a request for IT access is to be withdrawn or canceled, the contractor shall immediately notify the NRC Contracting Officer's Representative (COR) by telephone so that the access review may be promptly discontinued. The notification shall contain the full name of the contractor employee and the date of the request. Telephone notifications must be promptly confirmed by the contractor in writing to the NRC Contracting Officer's Representative (COR), who will forward the confirmation to DFS/PSB. Additionally, the contractor shall immediately notify the NRC Contracting Officer's Representative (COR) in writing, who will in turn notify DFS/PSB, when a contractor employee no longer requires access to NRC sensitive automated information technology systems or data, including the voluntary or involuntary separation of employment of a contractor employee who has been approved for or is being processed for IT access.

The contractor shall flow the requirements of this clause down into all subcontracts and agreements with consultants for work that requires them to access NRC IT resources.

C.8 IT SECURITY REQUIREMENTS - DEVELOPMENT AND OPERATIONS AND MAINTENANCE REQUIREMENTS (APR 2014)

O&M Security Requirements

All system modifications to classified systems must comply with NRC security policies and procedures for classified systems, as well as federal laws, guidance, and standards to ensure Federal Information Security Management Act (FISMA) compliance.

The Contractor shall correct errors in contractor developed software and applicable documentation that are not commercial off-the-shelf which are discovered by the NRC or the contractor. Inability of the parties to determine the cause of software errors shall be resolved in accordance with the Disputes clause in Section I, FAR 52.233-1, incorporated by reference in the contract.

The Contractor shall adhere to the guidance outlined in NIST, SP 800-53, FIPS 200 and NRC guidance for the identification and documentation of minimum security controls.

The contractor shall provide the system requirements traceability matrix at the end of the initiation phase, development/acquisition phase, implementation/assessment phase, operation & maintenance phase and disposal phase that provides the security requirements in a separate section so that they can be traced through the development life cycle. The contractor shall also provide the software and hardware designs and test plan documentation, and source code upon request to the NRC for review.

All development and testing of the systems shall be protected at their assigned system sensitivity level and shall be performed on a network separate and isolated from the NRC operational network.

All system computers must be properly configured and hardened according to NRC policies, guidance, and standards and comply with all NRC security policies and procedures as commensurate with the system security categorization.

All contractor provided deliverables identified in the project plan will be subject to the review and approval of NRC Management. The contractor will make the necessary modifications to project deliverables to resolve any identified issues. Project deliverables include but are not limited to: requirements, architectures, design documents, test plans, and test reports.

Access Controls

The contractor shall not hardcode any passwords into the software unless the password only appears on the server side (e.g. using server-side technology such as ASP, PHP, or JSP).

The contractor shall ensure that the software does not contain undocumented functions and undocumented methods for gaining access to the software or to the computer system on which it is installed. This includes, but is not limited to, master access keys, back doors, or trapdoors.

Cryptography

Cryptographic modules provided as part of the system shall be validated under the Cryptographic Module Validation Program to conform to NIST FIPS 140-2 and must be operated in FIPS mode. The contractor shall provide the FIPS 140-2 cryptographic module certificate number and a brief description of the encryption module that includes the encryption algorithm(s) used, the key length, and the vendor of the product.

Configuration Management and Control

The contractor must ensure that the system will be divided into configuration items (CIs). CIs are parts of a system that can be individually managed and versioned. The system shall be managed at the CI level.

The contractor must have a configuration management plan that includes all hardware and software that is part of the system and contains at minimum the following sections:

a. Introduction
   i. Purpose & Scope
   ii. Definitions
   iii. References
b. Configuration Management
   i. Organization
   ii. Responsibilities
   iii. Tools and Infrastructure
c. Configuration Management Activities
   i. Specification Identification
   ii. Change control form identification
   iii. Project baselines
d. Configuration and Change Control
   i. Change Request Processing and Approval
   ii. Change Control Board
e. Milestones
   i. Define baselines, reviews, audits
   ii. Training and Resources

The Information System Security Officer's (ISSO's) role in the change management process must be described. The ISSO is responsible for the security posture of the system. Any changes to the system security posture must be approved by the ISSO. The contractor should not have the ability to make changes to the system's security posture without the appropriate involvement and approval of the ISSO.

The contractor shall track and record information specific to proposed and approved changes that minimally include:

a. Identified configuration change
b. Testing of the configuration change
c. Scheduled implementation of the configuration change
d. Track system impact of the configuration change
e. Track the implementation of the configuration change
f. Recording & reporting of configuration change to the appropriate party
g. Back out/Fall back plan
h. Weekly Change Reports and meeting minutes
i. Emergency change procedures
j. List of team members from key functional areas

The contractor shall provide a list of software and hardware changes in advance of placing them into operation within the following timeframes:

  • 30 calendar days for a classified, SGI, or high sensitivity system
  • 20 calendar days for a moderate sensitivity system
  • 10 calendar days for a low sensitivity system

The contractor must maintain all system documentation that is current to within:

  • 10 calendar days for a classified, SGI, or high sensitivity system
  • 20 calendar days for a moderate sensitivity system
  • 30 calendar days for a low sensitivity system

Modified code, tests performed and test results, issue resolution documentation, and updated system documentation shall be deliverables on the contract.

Any proposed changes to the system must have written approval from the NRC Contracting Officer's Representative (COR).

The contractor shall maintain a list of hardware, firmware and software changes that is current to within:

  • 15 calendar days for a classified, SGI or high sensitivity system
  • 20 calendar days for a moderate sensitivity system
  • 30 calendar days for a low sensitivity system

The contractor shall analyze proposed hardware and software configurations and modification as well as addressed security vulnerabilities in advance of NRC accepted operational deployment dates within:
  • 15 calendar days for a classified, SGI, or high sensitivity system
  • 20 calendar days for a moderate sensitivity system
  • 30 calendar days for a low sensitivity system

The contractor shall provide the above analysis with the proposed hardware and software for NRC testing in advance of NRC accepted operational deployment dates within:
  • 15 calendar days for a classified, SGI, or high sensitivity system
  • 20 calendar days for a moderate sensitivity system
  • 30 calendar days for a low sensitivity system

Control of Hardware and Software

The contractor shall demonstrate that all hardware and software meet security requirements prior to being placed into the NRC production environment.

The contractor shall ensure that the development environment is separated from the operational environment using NRC CSO approved controls.

The contractor shall only use licensed software and in-house developed authorized software (including NRC and contractor developed) on the system and for processing NRC information.

Public domain, shareware, or freeware shall only be installed after prior written approval is obtained from the NRC Chief Information Security Officer (CISO).

The contractor shall provide proof of valid software licensing upon request of the Contracting Officer, the NRC COR, a Senior Information Technology Security Officer (SITSO), or the Designated Approving Authorities (DAAs).

Information Security Training and Awareness Training

The contractor shall ensure that its employees, in performance of the contract, receive Information Technology (IT) security training in their role at the contractor's expense. The Contractor must provide the NRC written certification that training is complete, along with the title of the course and dates of training as a prerequisite to start of work on the contract.

The IT security role and associated type of training course and periodicity required to be completed are as follows:

Role: Auditor
Type of Training: Vendor specific operating system and application security training, database security training
Required Frequency of Training: Prior to appointment and then every three years

Role: IT Functional Manager
Type of Training: Vendor specific operating system and application security training, database security training
Required Frequency of Training: Prior to appointment and then every two years
Additional system specific training upon a major system update/change

Role: System Administrator
Type of Training: Vendor specific operating system and application security training
Required Frequency of Training: Prior to appointment and then every year:
  • Training in operating system security in the area of responsibility occurs every 2 years
  • Training in application security in the area of responsibility occurs every 2 years

Role: Information Systems Security Officer
Type of Training: ISSO role specific training (not awareness) provided by a government agency or by a vendor such as SANS
Vendor specific operating system and application security training
Required Frequency of Training: Prior to appointment and then every year:
  • Training in the ISSO role occurs every 3 years
  • Training in operating system security in the area of responsibility occurs every 3 years
  • Training in application security in the area of responsibility occurs every 3 years

Role: Database Administrator
Type of Training: Vendor specific database security training
Required Frequency of Training: Prior to appointment and then every 2 years:
  • Training in database security in the area of responsibility occurs every 2 years

Role: Network Administrator
Type of Training: Network administrator role specific training (not awareness) provided by a government agency or by a vendor such as SANS
Network specific security training
Required Frequency of Training: Prior to appointment and then every year:
  • Training in the Network administrator role occurs every 3 years
  • Training in network security in the area of responsibility occurs every year where network administrator role training does not occur

Role: IT Managers
Type of Training: Vendor specific operating system and application security training, database security training.
Required Frequency of Training: Prior to appointment and then every two years
Additional system specific training upon a major system update/change

Role: IT System Developer
Type of Training: Vendor specific operating system and application security training, database security training
Required Frequency of Training: Prior to appointment and then every year

- training with system-specific training (ISS LoB or commercial) upon assuming the role, to become biannual with NRC provided training every other year.

The contractor must ensure that required refresher training is accomplished in accordance with the required frequency specifically associated with the IT security role.

Auditing

The system shall be able to create, maintain and protect from modification or unauthorized access or destruction an audit trail of accesses to the objects it protects. The audit data shall be protected so that read access to it is limited to those who are authorized.

The system shall be able to record the following types of events: use of identification and authentication mechanisms, introduction of objects into a user's address space (e.g., file open, program initiation), deletion of objects, and actions taken by computer operators and system administrators or system security officers and other security relevant events. The system shall be able to audit any override of security controls.

The Contractor shall ensure auditing is implemented on the following:

  • Operating System
  • Application
  • Web Server
  • Web Services
  • Network Devices
  • Database
  • Wireless

The contractor shall perform audit log reviews daily using automated analysis tools.

Contractor must log at least the following events on systems that process NRC information:

  • Audit all failures
  • Successful logon attempt
  • Failure of logon attempt
  • Permission Changes
  • Unsuccessful File Access
  • Creating users & objects
  • Deletion & modification of system files
  • Registry Key/Kernel changes
  • Startup & shutdown
  • Authentication
  • Authorization/permission granting
  • Actions by trusted users
  • Process invocation
  • Controlled access to data by individually authenticated user
  • Unsuccessful data access attempt
  • Data deletion
  • Data transfer
  • Application configuration change
  • Application of confidentiality or integrity labels to data
  • Override or modification of data labels or markings
  • Output to removable media
  • Output to a printer

C.9 IT SECURITY REQUIREMENTS - NRC AND CONTRACTOR (NON-NRC) FACILITIES (APR 2014)

Backups

The contractor shall ensure that backup media is created, encrypted (in accordance with information sensitivity) and verified to ensure that data can be retrieved and is restorable to NRC systems based on information sensitivity levels. Backups shall be executed to create readable media that allows successful file/data restoration at the following frequencies:

  • At least every 1 calendar day for a high sensitivity system
  • At least every 1 calendar day for a moderate sensitivity system
  • At least every 7 calendar days for a low sensitivity system

Perimeter Protection

The Contractor must employ perimeter protection mechanisms, such as firewalls and routers, to deny all communications unless explicitly allowed by exception.

The contractor must deploy and monitor intrusion detection capability and have an always deployed and actively engaged security monitoring capability in place for systems placed in operation for the NRC. Intrusion detection and monitoring reports will be made available to the NRC upon request for the following security categorizations and reporting timeframes:

  • 5 calendar days after being requested for a high sensitivity system
  • 10 calendar days after being requested for a moderate sensitivity system
  • 15 calendar days after being requested for a low sensitivity system

C.10 DRUG FREE WORKPLACE TESTING: UNESCORTED ACCESS TO NUCLEAR FACILITIES, ACCESS TO CLASSIFIED INFORMATION OR SAFEGUARDS INFORMATION, OR PERFORMING IN SPECIALLY SENSITIVE POSITIONS (MARCH 2019)

The following Contractor employees, subcontractor personnel, and consultants proposed for performance or performing under this contract shall be subject to pre-assignment, random, reasonable suspicion, and post-accident drug testing: (1) individuals who have access to classified information (National Security Information and/or Restricted Data); (2) individuals who have access to Safeguards information (section 147 of the Atomic Energy Act of 1954, as amended); (3) individuals who are authorized to carry firearms while performing work under this contract; (4) individuals who are required to operate government vehicles or transport passengers for the NRC; (5) individuals who are required to operate hazardous equipment at NRC facilities; (6) individuals who administer the agency's drug program or who have Employee Assistance Program duties; (7) individuals who have unescorted access to vital or protected areas of Nuclear Power Plants, Category 1 Fuel Cycle Facilities, or Uranium Enrichment Facilities; or (8) incident/emergency response personnel (including on-call).

C.11 USE OF AUTOMATED CLEARING HOUSE (ACH) ELECTRONIC PAYMENT/REMITTANCE ADDRESS

The Debt Collection Improvement Act of 1996 requires that all Federal payments except IRS tax refunds be made by Electronic Funds Transfer. It is the policy of the Nuclear Regulatory Commission to pay government vendors by the Automated Clearing House (ACH) electronic funds transfer payment system. Item 15C of the Standard Form 33 may be disregarded.

NRCAR Clauses Incorporated By Reference

NRCAR Clauses Incorporated By Full Text

C.12 2052.204-70 SECURITY. (OCT 1999)

(a) Security/Classification Requirements Form. The attached NRC Form 187 (See List of Attachments) furnishes the basis for providing security and classification requirements to prime contractors, subcontractors, or others (e.g., bidders) who have or may have an NRC contractual relationship that requires access to classified information or matter, access on a continuing basis (in excess of 90 or more days) to NRC Headquarters controlled buildings, or otherwise requires NRC photo identification or card-key badges.

(b) It is the contractor's duty to safeguard National Security Information, Restricted Data, and Formerly Restricted Data. The contractor shall, in accordance with the Commission's security regulations and requirements, be responsible for safeguarding National Security Information, Restricted Data, and Formerly Restricted Data, and for protecting against sabotage, espionage, loss, and theft, the classified documents and material in the contractor's possession in connection with the performance of work under this contract. Except as otherwise expressly provided in this contract, the contractor shall transmit to the Commission any classified matter in the possession of the contractor or any person under the contractor's control in connection with performance of this contract upon completion or termination of this contract.

(1) The contractor shall complete a certificate of possession to be furnished to the Commission specifying the classified matter to be retained if the retention is:

(i) Required after the completion or termination of the contract; and

(ii) Approved by the contracting officer.

(2) The certification must identify the items and types or categories of matter retained, the conditions governing the retention of the matter and their period of retention, if known. If the retention is approved by the contracting officer, the security provisions of the contract continue to be applicable to the matter retained.

(c) In connection with the performance of the work under this contract, the contractor may be furnished, or may develop or acquire, proprietary data (trade secrets) or confidential or privileged technical, business, or financial information, including Commission plans, policies, reports, financial plans, internal data protected by the Privacy Act of 1974 (Pub. L. 93-579), or other information which has not been released to the public or has been determined by the Commission to be otherwise exempt from disclosure to the public. The contractor agrees to hold the information in confidence and not to directly or indirectly duplicate, disseminate, or disclose the information, in whole or in part, to any other person or organization except as necessary to perform the work under this contract. The contractor agrees to return the information to the Commission or otherwise dispose of it at the direction of the contracting officer. Failure to comply with this clause is grounds for termination of this contract.

(d) Regulations. The contractor agrees to conform to all security regulations and requirements of the Commission which are subject to change as directed by the NRC Division of Facilities and Security and the Contracting Officer. These changes will be under the authority of the FAR Changes clause referenced in Section I of this document.

(e) Definition of National Security Information. As used in this clause, the term National Security Information means information that has been determined pursuant to Executive Order 12958 or any predecessor order to require protection against unauthorized disclosure and that is so designated.

(f) Definition of Restricted Data. As used in this clause, the term Restricted Data means all data concerning design, manufacture, or utilization of atomic weapons; the production of special nuclear material; or the use of special nuclear material in the production of energy, but does not include data declassified or removed from the Restricted Data category under Section 142 of the Atomic Energy Act of 1954, as amended.

(g) Definition of Formerly Restricted Data. As used in this clause the term Formerly Restricted Data means all data removed from the Restricted Data category under Section 142-d of the Atomic Energy Act of 1954, as amended.

(h) Security clearance personnel. The contractor may not permit any individual to have access to Restricted Data, Formerly Restricted Data, or other classified information, except in accordance with the Atomic Energy Act of 1954, as amended, and the Commission's regulations or requirements applicable to the particular type or category of classified information to which access is required. The contractor shall also execute a Standard Form 312, Classified Information Nondisclosure Agreement, when access to classified information is required.

(i) Criminal liabilities. Disclosure of National Security Information, Restricted Data, and Formerly Restricted Data relating to the work or services ordered hereunder to any person not entitled to receive it, or failure to safeguard any Restricted Data, Formerly Restricted Data, or any other classified matter that may come to the contractor or any person under the contractor's control in connection with work under this contract, may subject the contractor, its agents, employees, or subcontractors to criminal liability under the laws of the United States. (See the Atomic Energy Act of 1954, as amended, 42 U.S.C. 2011 et seq.; 18 U.S.C. 793 and 794; and Executive Order 12958.)

(j) Subcontracts and purchase orders. Except as otherwise authorized, in writing, by the contracting officer, the contractor shall insert provisions similar to the foregoing in all subcontracts and purchase orders under this contract.

(k) In performing contract work, the contractor shall classify all documents, material, and equipment originated or generated by the contractor in accordance with guidance issued by the Commission. Every subcontract and purchase order issued under the contract that involves originating or generating classified documents, material, and equipment must provide that the subcontractor or supplier assign the proper classification to all documents, material, and equipment in accordance with guidance furnished by the contractor.

(End of Clause)

C.13 2052.215-71 CONTRACTING OFFICER REPRESENTATIVE AUTHORITY. (OCT 1999) - ALTERNATE II (OCT 1999)

(a) The contracting officer's authorized representative, hereinafter referred to as the COR, for this contract is:

Name:

Email:

(b) The COR shall:

(1) Monitor contractor performance and recommend changes in requirements to the contracting officer.

(2) Inspect and accept products/services provided under the contract.

(3) Review all contractor invoices/vouchers requesting payment for products/services provided under the contract and make recommendations for approval, disapproval, or suspension.

(c) The COR may not make changes to the express terms and conditions of this contract.

  • To be incorporated into any resultant contract

(End of Clause)

FAR Clauses Incorporated By Reference

C.14 52.204-13 SYSTEM FOR AWARD MANAGEMENT MAINTENANCE. (OCT 2018)

FAR Clauses Incorporated By Full Text

C.15 52.204-19 INCORPORATION BY REFERENCE OF REPRESENTATIONS AND CERTIFICATIONS. (DEC 2014)

The Contractor's representations and certifications, including those completed electronically via the System for Award Management (SAM), are incorporated by reference into the contract.

(End of clause)

C.16 52.212-5 CONTRACT TERMS AND CONDITIONS REQUIRED TO IMPLEMENT STATUTES OR EXECUTIVE ORDERS - COMMERCIAL ITEMS. (JUL 2021)

(a) The Contractor shall comply with the following Federal Acquisition Regulation (FAR) clauses, which are incorporated in this contract by reference, to implement provisions of law or Executive orders applicable to acquisitions of commercial items:

(1) 52.203-19, Prohibition on Requiring Certain Internal Confidentiality Agreements or Statements (JAN 2017) (section 743 of Division E, Title VII, of the Consolidated and Further Continuing Appropriations Act, 2015 (Pub. L. 113-235) and its successor provisions in subsequent appropriations acts (and as extended in continuing resolutions)).

(2) 52.204-23, Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab and Other Covered Entities (JUL 2018) (Section 1634 of Pub. L. 115-91).

(3) 52.204-25, Prohibition on Contracting for Certain Telecommunications and Video Surveillance Services or Equipment. (AUG 2020) (Section 889(a)(1)(A) of Pub. L. 115-232).

(4) 52.209-10, Prohibition on Contracting with Inverted Domestic Corporations (NOV 2015).

(5) 52.233-3, Protest After Award (AUG 1996) (31 U.S.C. 3553).

(6) 52.233-4, Applicable Law for Breach of Contract Claim (OCT 2004) (Public Laws 108-77 and 108-78 (19 U.S.C. 3805 note)).

(b) The Contractor shall comply with the FAR clauses in this paragraph (b) that the Contracting Officer has indicated as being incorporated in this contract by reference to implement provisions of law or Executive orders applicable to acquisitions of commercial items: (Contracting Officer check as appropriate.)

[X] (1) 52.203-6, Restrictions on Subcontractor Sales to the Government (JUN 2020), with Alternate I (OCT 1995) (41 U.S.C. 4704 and 10 U.S.C. 2402).

[ ] (2) 52.203-13, Contractor Code of Business Ethics and Conduct (JUN 2020) (41 U.S.C. 3509).

[ ] (3) 52.203-15, Whistleblower Protections under the American Recovery and Reinvestment Act of 2009 (JUN 2010) (Section 1553 of Pub. L. 111-5). (Applies to contracts funded by the American Recovery and Reinvestment Act of 2009.)

[X] (4) 52.204-10, Reporting Executive Compensation and First-Tier Subcontract Awards (JUN 2020) (Pub. L. 109-282) (31 U.S.C. 6101 note).

(5) (Reserved)

[X] (6) 52.204-14, Service Contract Reporting Requirements (OCT 2016) (Pub. L. 111-117, section 743 of Div. C).

[ ] (7) 52.204-15, Service Contract Reporting Requirements for Indefinite-Delivery Contracts (OCT 2016) (Pub. L. 111-117, section 743 of Div. C).

[X] (8) 52.209-6, Protecting the Government's Interest When Subcontracting with Contractors Debarred, Suspended, or Proposed for Debarment. (JUN 2020) (31 U.S.C. 6101 note).

[X] (9) 52.209-9, Updates of Publicly Available Information Regarding Responsibility Matters (OCT 2018) (41 U.S.C. 2313).

[ ] (10) (Reserved)

[ ] (11)(i) 52.219-3, Notice of HUBZone Set-Aside or Sole Source Award (MAR 2020) (15 U.S.C. 657a).

[ ] (ii) Alternate I (MAR 2020) of 52.219-3.

[ ] (12)(i) 52.219-4, Notice of Price Evaluation Preference for HUBZone Small Business Concerns (MAR 2020) (if the offeror elects to waive the preference, it shall so indicate in its offer) (15 U.S.C. 657a).

[ ] (ii) Alternate I (MAR 2020) of 52.219-4.

[ ] (13) (Reserved)

[X] (14)(i) 52.219-6, Notice of Total Small Business Set-Aside (NOV 2020) (15 U.S.C. 644).

[ ] (ii) Alternate I (MAR 2020) of 52.219-6.

[ ] (15)(i) 52.219-7, Notice of Partial Small Business Set-Aside (NOV 2020) (15 U.S.C. 644).

[ ] (ii) Alternate I (MAR 2020) of 52.219-7.

[ ] (16) 52.219-8, Utilization of Small Business Concerns (OCT 2018) (15 U.S.C. 637(d)(2) and (3)).

[ ] (17)(i) 52.219-9, Small Business Subcontracting Plan (JUN 2020) (15 U.S.C. 637(d)(4)).

[ ] (ii) Alternate I (NOV 2016) of 52.219-9.

[ ] (iii) Alternate II (NOV 2016) of 52.219-9.

[ ] (iv) Alternate III (JUN 2020) of 52.219-9.

[ ] (v) Alternate IV (JUN 2020) of 52.219-9.

[ ] (18)(i) 52.219-13, Notice of Set-Aside of Orders (MAR 2020) (15 U.S.C. 644(r)).

[ ] (ii) Alternate I (MAR 2020) of 52.219-13.

[X] (19) 52.219-14, Limitations on Subcontracting (MAR 2020) (15 U.S.C. 637(a)(14)).

[ ] (20) 52.219-16, Liquidated Damages-Subcontracting Plan (JAN 1999) (15 U.S.C. 637(d)(4)(F)(i)).

[ ] (21) 52.219-27, Notice of Service-Disabled Veteran-Owned Small Business Set-Aside (MAR 2020) (15 U.S.C. 657f).

[X] (22)(i) 52.219-28, Post-Award Small Business Program Rerepresentation (NOV 2020) (15 U.S.C. 632(a)(2)).

[ ] (ii) Alternate I (MAR 2020) of 52.219-28.

[ ] (23) 52.219-29, Notice of Set-Aside for, or Sole Source Award to, Economically Disadvantaged Women-Owned Small Business (EDWOSB) Concerns (MAR 2020) (15 U.S.C. 637(m)).

[ ] (24) 52.219-30, Notice of Set-Aside for, or Sole Source Award to, Women-Owned Small Business Concerns Eligible Under the Women-Owned Small Business Program (MAR 2020) (15 U.S.C. 637(m)).

[ ] (25) 52.219-32, Orders Issued Directly Under Small Business Reserves (MAR 2020) (15 U.S.C. 644(r)).

[ ] (26) 52.219-33, Nonmanufacturer Rule (MAR 2020) (15 U.S.C. 637(a)(17)).

[X] (27) 52.222-3, Convict Labor (JUN 2003) (E.O. 11755).

[ ] (28) 52.222-19, Child Labor-Cooperation with Authorities and Remedies (JAN 2020) (E.O. 13126).

[X] (29) 52.222-21, Prohibition of Segregated Facilities (APR 2015).

[X] (30)(i) 52.222-26, Equal Opportunity (SEP 2016) (E.O. 11246).

[ ] (ii) Alternate I (FEB 1999) of 52.222-26.

[X] (31)(i) 52.222-35, Equal Opportunity for Veterans (JUN 2020) (38 U.S.C. 4212).

[ ] (ii) Alternate I (JUL 2014) of 52.222-35.

[X] (32)(i) 52.222-36, Equal Opportunity for Workers with Disabilities (JUN 2020) (29 U.S.C. 793).

[ ] (ii) Alternate I (JUL 2014) of 52.222-36.

[X] (33) 52.222-37, Employment Reports on Veterans (JUN 2020) (38 U.S.C. 4212).

[X] (34) 52.222-40, Notification of Employee Rights Under the National Labor Relations Act (DEC 2010) (E.O. 13496).

[X] (35)(i) 52.222-50, Combating Trafficking in Persons (OCT 2020) (22 U.S.C. chapter 78 and E.O. 13627).

[ ] (ii) Alternate I (MAR 2015) of 52.222-50 (22 U.S.C. chapter 78 and E.O. 13627).

[ ] (36) 52.222-54, Employment Eligibility Verification (OCT 2015). (E.O. 12989). (Not applicable to the acquisition of commercially available off-the-shelf items or certain other types of commercial items as prescribed in 22.1803.)

[ ] (37)(i) 52.223-9, Estimate of Percentage of Recovered Material Content for EPA-Designated Items (MAY 2008) (42 U.S.C. 6962(c)(3)(A)(ii)). (Not applicable to the acquisition of commercially available off-the-shelf items.)

[ ] (ii) Alternate I (MAY 2008) of 52.223-9 (42 U.S.C. 6962(i)(2)(C)). (Not applicable to the acquisition of commercially available off-the-shelf items.)

[ ] (38) 52.223-11, Ozone-Depleting Substances and High Global Warming Potential Hydrofluorocarbons (JUN 2016) (E.O. 13693).

[ ] (39) 52.223-12, Maintenance, Service, Repair, or Disposal of Refrigeration Equipment and Air Conditioners (JUN 2016) (E.O. 13693).

[ ] (40)(i) 52.223-13, Acquisition of EPEAT-Registered Imaging Equipment (JUN 2014) (E.O.s 13423 and 13514).

[ ] (ii) Alternate I (OCT 2015) of 52.223-13.

[ ] (41)(i) 52.223-14, Acquisition of EPEAT-Registered Televisions (JUN 2014) (E.O.s 13423 and 13514).

(ii) Alternate I (JUN 2014) of 52.223-14.

[ ] (42) 52.223-15, Energy Efficiency in Energy-Consuming Products (MAY 2020) (42 U.S.C. 8259b).

[ ] (43)(i) 52.223-16, Acquisition of EPEAT-Registered Personal Computer Products (OCT 2015) (E.O.s 13423 and 13514).

[ ] (ii) Alternate I (JUN 2014) of 52.223-16.

[X] (44) 52.223-18, Encouraging Contractor Policies to Ban Text Messaging While Driving (JUN 2020) (E.O. 13513).

[ ] (45) 52.223-20, Aerosols (JUN 2016) (E.O. 13693).

[ ] (46) 52.223-21, Foams (JUN 2016) (E.O. 13693).

[ ] (47)(i) 52.224-3, Privacy Training (JAN 2017) (5 U.S.C. 552a).

[ ] (ii) Alternate I (JAN 2017) of 52.224-3.

[ ] (48) 52.225-1, Buy American-Supplies (JAN 2021) (41 U.S.C. chapter 83).

[ ] (49)(i) 52.225-3, Buy American-Free Trade Agreements-Israeli Trade Act (JAN 2021) (41 U.S.C. chapter 83, 19 U.S.C. 3301 note, 19 U.S.C. 2112 note, 19 U.S.C. 3805 note, 19 U.S.C. 4001 note, Pub. L. 103-182, 108-77, 108-78, 108-286, 108-302, 109-53, 109-169, 109-283, 110-138, 112-41, 112-42, and 112-43.

[ ] (ii) Alternate I (JAN 2021) of 52.225-3.

[ ] (iii) Alternate II (JAN 2021) of 52.225-3.

[ ] (iv) Alternate III (JAN 2021) of 52.225-3.

[X] (50) 52.225-5, Trade Agreements (OCT 2019) (19 U.S.C. 2501, et seq., 19 U.S.C. 3301 note).

[X] (51) 52.225-13, Restrictions on Certain Foreign Purchases (FEB 2021) (E.O.'s, proclamations, and statutes administered by the Office of Foreign Assets Control of the Department of the Treasury).

[ ] (52) 52.225-26, Contractors Performing Private Security Functions Outside the United States (OCT 2016) (Section 862, as amended, of the National Defense Authorization Act for Fiscal Year 2008; 10 U.S.C. 2302 Note).

[ ] (53) 52.226-4, Notice of Disaster or Emergency Area Set-Aside (NOV 2007) (42 U.S.C. 5150).

[ ] (54) 52.226-5, Restrictions on Subcontracting Outside Disaster or Emergency Area (NOV 2007) (42 U.S.C. 5150).

[ ] (55) 52.229-12, Tax on Certain Foreign Procurements (FEB 2021).

[ ] (56) 52.232-29, Terms for Financing of Purchases of Commercial Items (FEB 2002) (41 U.S.C. 4505, 10 U.S.C. 2307(f)).

[ ] (57) 52.232-30, Installment Payments for Commercial Items (JAN 2017) (41 U.S.C. 4505, 10 U.S.C. 2307(f)).

[X] (58) 52.232-33, Payment by Electronic Funds Transfer-System for Award Management (OCT 2018) (31 U.S.C. 3332).

[ ] (59) 52.232-34, Payment by Electronic Funds Transfer - Other than System for Award Management (JUL 2013) (31 U.S.C. 3332).

[ ] (60) 52.232-36, Payment by Third Party (MAY 2014) (31 U.S.C. 3332).

[ ] (61) 52.239-1, Privacy or Security Safeguards (AUG 1996) (5 U.S.C. 552a).

[ ] (62) 52.242-5, Payments to Small Business Subcontractors (JAN 2017)(15 U.S.C. 637(d)(13)).

[ ] (63)(i) 52.247-64, Preference for Privately Owned U.S.-Flag Commercial Vessels (FEB 2006) (46 U.S.C. 55305) and 10 U.S.C. 2631).

[ ] (ii) Alternate I (APR 2003) of 52.247-64.

[ ] (iii) Alternate II (FEB 2006) of 52.247-64.

(c) The Contractor shall comply with the FAR clauses in this paragraph (c), applicable to commercial services, that the Contracting Officer has indicated as being incorporated in this contract by reference to implement provisions of law or Executive orders applicable to acquisitions of commercial items: (Contracting Officer check as appropriate.)

[ ] (1) 52.222-41, Service Contract Labor Standards (AUG 2018) (41 U.S.C. chapter 67).

[ ] (2) 52.222-42, Statement of Equivalent Rates for Federal Hires (MAY 2014) (29 U.S.C. 206 and 41 U.S.C. chapter 67).

[ ] (3) 52.222-43, Fair Labor Standards Act and Service Contract Labor Standards-Price Adjustment (Multiple Year and Option Contracts) (AUG 2018) (29 U.S.C. 206 and 41 U.S.C. chapter 67).

[ ] (4) 52.222-44, Fair Labor Standards Act and Service Contract Labor Standards-Price Adjustment (MAY 2014) (29 U.S.C 206 and 41 U.S.C. chapter 67).

[ ] (5) 52.222-51, Exemption from Application of the Service Contract Labor Standards to Contracts for Maintenance, Calibration, or Repair of Certain Equipment-Requirements (MAY 2014) (41 U.S.C. chapter 67).

[ ] (6) 52.222-53, Exemption from Application of the Service Contract Labor Standards to Contracts for Certain Services-Requirements (MAY 2014) (41 U.S.C. chapter 67).

[ ] (7) 52.222-55, Minimum Wages Under Executive Order 13658 (NOV 2020).

[ ] (8) 52.222-62, Paid Sick Leave Under Executive Order 13706 (JAN 2017) (E.O. 13706).

[ ] (9) 52.226-6, Promoting Excess Food Donation to Nonprofit Organizations (JUN 2020) (42 U.S.C. 1792).

(d) Comptroller General Examination of Record. The Contractor shall comply with the provisions of this paragraph (d) if this contract was awarded using other than sealed bid, is in excess of the simplified acquisition threshold, as defined in FAR 2.101, on the date of award of this contract, and does not contain the clause at 52.215-2, Audit and Records - Negotiation.

(1) The Comptroller General of the United States, or an authorized representative of the Comptroller General, shall have access to and right to examine any of the Contractor's directly pertinent records involving transactions related to this contract.

(2) The Contractor shall make available at its offices at all reasonable times the records, materials, and other evidence for examination, audit, or reproduction, until 3 years after final payment under this contract or for any shorter period specified in FAR Subpart 4.7, Contractor Records Retention, of the other clauses of this contract. If this contract is completely or partially terminated, the records relating to the work terminated shall be made available for 3 years after any resulting final termination settlement. Records relating to appeals under the disputes clause or to litigation or the settlement of claims arising under or relating to this contract shall be made available until such appeals, litigation, or claims are finally resolved.

(3) As used in this clause, records include books, documents, accounting procedures and practices, and other data, regardless of type and regardless of form. This does not require the Contractor to create or maintain any record that the Contractor does not maintain in the ordinary course of business or pursuant to a provision of law.

(e)(1) Notwithstanding the requirements of the clauses in paragraphs (a), (b), (c), and (d) of this clause, the Contractor is not required to flow down any FAR clause, other than those in this paragraph (e)(1) of this paragraph in a subcontract for commercial items. Unless otherwise indicated below, the extent of the flow down shall be as required by the clause-

(i) 52.203-13, Contractor Code of Business Ethics and Conduct (JUN 2020) (41 U.S.C. 3509).

(ii) 52.203-19, Prohibition on Requiring Certain Internal Confidentiality Agreements or Statements (JAN 2017) (section 743 of Division E, Title VII, of the Consolidated and Further Continuing Appropriations Act, 2015 (Pub. L. 113-235) and its successor provisions in subsequent appropriations acts (and as extended in continuing resolutions)).

(iii) 52.204-23, Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab and Other Covered Entities (JUL 2018) (Section 1634 of Pub. L. 115-91).

(iv) 52.204-25, Prohibition on Contracting for Certain Telecommunications and Video Surveillance Services or Equipment. (AUG 2020) (Section 889(a)(1)(A) of Pub. L. 115-232).

(v) 52.219-8, Utilization of Small Business Concerns (OCT 2018) (15 U.S.C. 637(d)(2) and (3)), in all subcontracts that offer further subcontracting opportunities. If the subcontract (except subcontracts to small business concerns) exceeds the applicable threshold specified in FAR 19.702(a) on the date of subcontract award, the subcontractor must include 52.219-8 in lower tier subcontracts that offer subcontracting opportunities.

(vi) 52.222-21, Prohibition of Segregated Facilities (APR 2015).

(vii) 52.222-26, Equal Opportunity (SEP 2016) (E.O. 11246).

(viii) 52.222-35, Equal Opportunity for Veterans (JUN 2020) (38 U.S.C. 4212).

(ix) 52.222-36, Equal Opportunity for Workers with Disabilities (JUN 2020) (29 U.S.C. 793).

(x) 52.222-37, Employment Reports on Veterans (JUN 2020) (38 U.S.C. 4212).

(xi) 52.222-40, Notification of Employee Rights Under the National Labor Relations Act (DEC 2010) (E.O. 13496). Flow down required in accordance with paragraph (f) of FAR clause 52.222-40.

(xii) 52.222-41, Service Contract Labor Standards (AUG 2018) (41 U.S.C. chapter 67).

(xiii) [ ] (A) 52.222-50, Combating Trafficking in Persons (OCT 2020) (22 U.S.C. chapter 78 and E.O. 13627).

[ ] (B) Alternate I (MAR 2015) of 52.222-50 (22 U.S.C. chapter 78 and E.O. 13627).

(xiv) 52.222-51, Exemption from Application of the Service Contract Labor Standards to Contracts for Maintenance, Calibration, or Repair of Certain Equipment-Requirements (MAY 2014) (41 U.S.C. chapter 67).

(xv) 52.222-53, Exemption from Application of the Service Contract Labor Standards to Contracts for Certain Services-Requirements (MAY 2014) (41 U.S.C. chapter 67).

(xvi) 52.222-54, Employment Eligibility Verification (OCT 2015) (E.O. 12989).

(xvii) 52.222-55, Minimum Wages Under Executive Order 13658 (NOV 2020).

(xviii) 52.222-62, Paid Sick Leave Under Executive Order 13706 (JAN 2017) (E.O. 13706).

(xix)(A) 52.224-3, Privacy Training (JAN 2017) (5 U.S.C. 552a).

(B) Alternate I (JAN 2017) of 52.224-3.

(xx) 52.225-26, Contractors Performing Private Security Functions Outside the United States (OCT 2016) (Section 862, as amended, of the National Defense Authorization Act for Fiscal Year 2008; 10 U.S.C. 2302 Note).

(xxi) 52.226-6, Promoting Excess Food Donation to Nonprofit Organizations (JUN 2020) (42 U.S.C. 1792). Flow down required in accordance with paragraph (e) of FAR clause 52.226-6.

(xxii) 52.247-64, Preference for Privately Owned U.S.-Flag Commercial Vessels (FEB 2006) (46 U.S.C. 55305 and 10 U.S.C. 2631). Flow down required in accordance with paragraph (d) of FAR clause 52.247-64.

(2) While not required, the Contractor may include in its subcontracts for commercial items a minimal number of additional clauses necessary to satisfy its contractual obligations.

(End of clause)

C.17 52.217-6 OPTION FOR INCREASED QUANTITY. (MAR 1989)

The Government may increase the quantity of supplies called for in the Schedule at the unit price specified. The Contracting Officer may exercise the option by written notice to the Contractor within the period of performance of the contract. Delivery of the added items shall continue at the same rate as the like items called for under the contract, unless the parties otherwise agree.

(End of clause)

C.18 52.217-8 OPTION TO EXTEND SERVICES. (NOV 1999)

The Government may require continued performance of any services within the limits and at the rates specified in the contract. These rates may be adjusted only as a result of revisions to prevailing labor rates provided by the Secretary of Labor. The option provision may be exercised more than once, but the total extension of performance hereunder shall not exceed 6 months. The Contracting Officer may exercise the option by written notice to the Contractor within anytime during the contract period of performance.

(End of clause)

C.19 52.217-9 OPTION TO EXTEND THE TERM OF THE CONTRACT. (MAR 2000)

(a) The Government may extend the term of this contract by written notice to the Contractor within any time during the contract period of performance; provided that the Government gives the Contractor a preliminary written notice of its intent to extend at least 1 days before the contract expires. The preliminary notice does not commit the Government to an extension.

(b) If the Government exercises this option, the extended contract shall be considered to include this option clause.

(c) The total duration of this contract, including the exercise of any options under this clause, shall not exceed 5 years.

(End of clause)

Other Clauses Incorporated by Reference

Other Clauses Incorporated By Full Text


D - Contract Documents, Exhibits and Attachments

| Attachment Number | Title | Date | Number of Pages |
|---|---|---|---|
| 1 | Attachment 1 - Instructions_ IPP Billing Instructions for Fixed Price Contracts | 08/10/2021 | 2 |
| 2 | Attachment 2 - SEWPVClauses_Oct 2020 | 08/10/2021 | 3 |
| 3 | Attachment 3 - Statement of Work | 08/10/2021 | 10 |