ML24214A005
| Person / Time | |
|---|---|
| Issue date: | 06/02/2025 |
| From: | Jeffrey Mitchell, Acquisition Management Division |
| References: | 31310024C0016 |
AWARD/CONTRACT (Standard Form 26), page 1 of 97
2. Contract (Procurement, Instruction, Identification) number: 31310024C0016
3. Effective date: See Block 20C
4. Requisition/purchase request/project number: RES-24-0174
5. Issued by (code NRCHQ): US NRC - HQ, ACQUISITION MANAGEMENT DIVISION, MAIL STOP TWFN-07B20M, WASHINGTON DC 20555-0001
7. Name and address of contractor: INFORMATION SYSTEMS LABORATORIES INC, 12900 BROOKPRINTER PLACE, SUITE 800, POWAY CA 92064
Other entries on the form: FREE ON BOARD (FOB) ORIGIN X; OTHER (See below); 30; CODE NRCHQ, NUCLEAR REGULATORY COMMISSION, 11555 ROCKVILLE PIKE, ROCKVILLE MD 20852-2738; See Schedule; VXDFH959NB65; SCD-C
15B. Supplies/services: Continued
15G. Total amount of contract: $1,110,310.83
16. TABLE OF CONTENTS
PART I - THE SCHEDULE
A - SOLICITATION/CONTRACT FORM
B - SUPPLIES OR SERVICES AND PRICES/COSTS
C - DESCRIPTION/SPECIFICATIONS/WORK STATEMENT
D - PACKAGING AND MARKING
E - INSPECTION AND ACCEPTANCE
F - DELIVERIES OR PERFORMANCE
G - CONTRACT ADMINISTRATION DATA
H - SPECIAL CONTRACT REQUIREMENTS
PART II - CONTRACT CLAUSES
I - CONTRACT CLAUSES
PART III - LIST OF DOCUMENTS, EXHIBITS AND OTHER ATTACHMENTS
J - LIST OF ATTACHMENTS
PART IV - REPRESENTATIONS AND INSTRUCTIONS
K - REPRESENTATIONS, CERTIFICATIONS AND OTHER STATEMENTS OF OFFERORS
L - INSTRUCTIONS, CONDITIONS, AND NOTICES TO OFFERORS
M - EVALUATION FACTORS FOR AWARD
CONTRACTING OFFICER WILL COMPLETE ITEM 17 (SEALED-BID OR NEGOTIATED PROCUREMENT) OR 18 (SEALED-BID PROCUREMENT) AS APPLICABLE
17. CONTRACTOR'S NEGOTIATED AGREEMENT (Contractor is required to sign this document and return copies to issuing office.) Contractor agrees to furnish and deliver all items or perform all the services set forth or otherwise identified above and on any continuation sheets for the consideration stated herein. The rights and obligations of the parties to this contract shall be subject to and governed by the following documents: (a) this award/contract, (b) the solicitation, if any, and (c) such provisions, representations, certifications, and specifications, as are attached or incorporated by reference herein. (Attachments are listed herein.)
18. SEALED-BID AWARD (Contractor is not required to sign this document.) Your bid on Solicitation Number 31310024R0026, including the additions or changes made by you which additions or changes are set forth in full above, is hereby accepted as to the items listed above and on any continuation sheets. This award consummates the contract which consists of the following documents: (a) the Government's solicitation and your bid, and (b) this award/contract. No further contractual document is necessary. (Block 18 should be checked only when awarding a sealed-bid contract.)
20A. Name of contracting officer: JEFFREY R. MITCHELL
STANDARD FORM 26 (Rev. 12/2022), prescribed by GSA - FAR (48 CFR) 53.214(a). AUTHORIZED FOR LOCAL REPRODUCTION. Previous edition is NOT usable.
CONTINUATION SHEET (Optional Form 336 (4-86), sponsored by GSA, FAR (48 CFR) 53.110), page 2 of 97
Reference no. of document being continued: 31310024C0016
Name of offeror or contractor: INFORMATION SYSTEMS LABORATORIES INC
Accounting Info: 2024-C0200-FEEBASED-60-60D001-60B107-1032-11-6-154-251D-11-6-154-1032-25.1
Period of Performance: 08/01/2024 to 07/31/2026
B - Supplies or Services/Prices
B.1 BRIEF PROJECT TITLE AND WORK DESCRIPTION (AUG 2023)
B.2 TYPE OF CONTRACT (AUG 2023)
B.3 CONSIDERATION AND OBLIGATION - COST-PLUS-FIXED-FEE ALTERNATE I (AUG 2023)
B.4 PRICE/COST SCHEDULE
B.5.1 LINE ITEM LIST
C - Description/Specifications
C.1 STATEMENT OF WORK
D - Packaging and Marking
D.1 PACKAGING AND MARKING (AUG 2023)
D.2 BRANDING (AUG 2023)
E - Inspection and Acceptance
E.1 INSPECTION AND ACCEPTANCE BY THE NRC (AUG 2023)
F - Deliveries or Performance
F.1 PLACE OF DELIVERY (AUG 2023)
F.2 PERIOD OF PERFORMANCE (AUG 2023)
G - Contract Administration Data
G.1 REGISTRATION IN FEDCONNECT (AUG 2023)
G.2 2052.215-77 TRAVEL APPROVALS AND REIMBURSEMENT. (OCT 1999)
G.3 2052.216-71 INDIRECT COST RATES. (JAN 1993)
H - Special Contract Requirements
H.1 SECURITY REQUIREMENTS FOR CONTRACTORS (AUG 2023)
H.2 INFORMATION TECHNOLOGY (IT) SECURITY REQUIREMENTS (AUG 2023)
H.3 INFORMATION TECHNOLOGY (IT) SECURITY REQUIREMENTS - GENERAL EXCEPTIONS (AUG 2023)
H.4 IT SECURITY REQUIREMENTS - DEVELOPMENT AND OPERATIONS AND MAINTENANCE REQUIREMENTS (AUG 2023)
H.5 IT SECURITY REQUIREMENTS - CERTIFICATION AND ACCREDITATION (AUG 2023)
H.6 IT SECURITY REQUIREMENTS - NRC AND CONTRACTOR (NON-NRC) FACILITIES (AUG 2023)
H.7 GOVERNMENT FURNISHED EQUIPMENT/PROPERTY (AUG 2023)
H.8 ANNUAL AND FINAL CONTRACTOR PERFORMANCE EVALUATIONS (AUG 2023)
H.9 CONTRACTOR CONDUCT (AUG 2023)
H.10 NRC INFORMATION TECHNOLOGY SECURITY TRAINING (AUG 2023)
H.11 SECURITY REQUIREMENTS RELATING TO THE PRODUCTION OF REPORTS OR THE PUBLICATION OF RESULTS UNDER CONTRACTS, AGREEMENTS, AND GRANTS (AUG 2023)
H.12 DRUG FREE WORKPLACE TESTING: UNESCORTED ACCESS TO NUCLEAR FACILITIES, ACCESS TO CLASSIFIED INFORMATION OR SAFEGUARDS INFORMATION, OR PERFORMING IN ESPECIALLY SENSITIVE POSITIONS (AUG 2023)
H.13 2052.204-70 SECURITY. (OCT 1999)
H.14 2052.204-71 SITE ACCESS BADGE REQUIREMENTS. (JAN 1993)
H.15 2052.215-70 KEY PERSONNEL. (JAN 1993)
H.16 2052.215-71 CONTRACTING OFFICER REPRESENTATIVE AUTHORITY. (OCT 1999)
H.17 2052.242-70 RESOLVING DIFFERING PROFESSIONAL VIEWS. (OCT 1999)
H.18 2052.242-71 PROCEDURES FOR RESOLVING DIFFERING PROFESSIONAL VIEWS. (OCT 1999)
H.19 52.204-27 PROHIBITION ON A BYTEDANCE COVERED APPLICATION. (JUN 2023)
I - Contract Clauses
I.1 2052.209-72 CONTRACTOR ORGANIZATIONAL CONFLICTS OF INTEREST. (JAN 1993)
I.2 2052.222-70 NONDISCRIMINATION BECAUSE OF AGE. (JAN 1993)
I.59 52.216-7 ALLOWABLE COST AND PAYMENT. (AUG 2018)
I.60 52.217-7 OPTION FOR INCREASED QUANTITY - SEPARATELY PRICED LINE ITEM. (MAR 1989)
I.61 52.217-8 OPTION TO EXTEND SERVICES. (NOV 1999)
I.62 52.217-9 OPTION TO EXTEND THE TERM OF THE CONTRACT. (MAR 2000)
I.63 52.219-14 LIMITATIONS ON SUBCONTRACTING. (OCT 2022)
I.64 52.244-2 SUBCONTRACTS. (JUN 2020) - ALTERNATE I (JUN 2020)
I.65 52.252-2 CLAUSES INCORPORATED BY REFERENCE. (FEB 1998)
J - List of Documents, Exhibits and Other Attachments
C - Description/Specifications
C.1 STATEMENT OF WORK
1 BACKGROUND
The U.S. Nuclear Regulatory Commission's (NRC's) Office of Nuclear Regulatory Research (RES) provides data, standards, tools, and methods to the NRC's regulatory offices to support their reviews of materials performance-related licensing submittals and safety issues. The confirmatory research on materials performance focuses on both the development of methods needed to support regulatory actions and the work supporting the technical bases for codes and standards development. A common theme in this work is a proactive approach to the management of age-related degradation due to mechanisms such as fatigue and stress-corrosion cracking.
Extremely Low Probability of Rupture (xLPR) is a safety code jointly developed and maintained by the RES and the Electric Power Research Institute (EPRI) since 2009. It is a feature-rich probabilistic fracture mechanics code that provides regulators, industry, researchers, and the public with quantitative capabilities to analyze the risks associated with nuclear facility components subject to active degradation mechanisms. Beyond NRC and EPRI, the xLPR code is currently being used by some 40 organizations domestically and internationally with public distribution facilitated through arrangements with EPRI. Quality assurance is integral to the xLPR code development and maintenance process and follows, in part, the NRC's requirements in Appendix B, Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants, to Title 10 of the Code of Federal Regulations, Part 50 [1], and American Society of Mechanical Engineers (ASME) standard NQA-1-2008, Quality Assurance Requirements for Nuclear Facility Applications [2] with the NQA-1a-2009 Addenda [3], as endorsed by the NRC in Regulatory Guide 1.28, Revision 4, Quality Assurance Program Criteria (Design and Construction) [4].
The latest major version of the xLPR code is summarized in NUREG-2247, Extremely Low Probability of Rupture Version 2 Probabilistic Fracture Mechanics Code [5]. As described in Section 2.1.3 of this report, the xLPR code has a modular architecture with a central Framework supported by a suite of physics-based modules. The physics-based modules implement the deterministic mathematical models used to represent various physical and assessment aspects of the relevant degradation processes and associated analytical calculations. These modules are written in Fortran and compiled into Dynamic Link Libraries that are called by the Framework. The Framework links the physics-based modules together, provides the logic for code execution, and houses the data generated during code execution. It also provides the interface between the user and the code for both inputs and outputs. Perhaps more importantly, the Framework implements the probabilistic features of the xLPR code by propagating uncertainties from the user-defined probability distributions through the physical models in accordance with the user-defined sampling strategy, uncertainty characterizations, and specified number of realizations. The Framework also performs postprocessing operations on the data generated from a simulation.
The xLPR Framework has three main components: (1) computational core, (2) input set, and (3) preprocessor. For reference, there are currently approximately 240 software requirements placed on the xLPR Framework. The computational core is primarily implemented in the GoldSim commercial off-the-shelf Monte Carlo simulation software [6]. As currently implemented in GoldSim, the computational core has the following numbers of element types: Script: 83, Status: 11, Container: 302, Time History Result: 208, Interrupt: 66, Lookup Table: 65, External: 34, Discrete Change: 63, DashBoard: 65, Previous Value: 48, Stochastic: 213, Selector: 177, Data: 492, Spreadsheet: 20, Triggered Event: 4, Array Result: 8, Information Delay: 53, Integrator: 21, Expression: 2291. More information on the various GoldSim element types is available from GoldSim Technology Group [7]. The preprocessor is currently implemented in the C# language and has nearly 2,400 lines of source code. It is an executable that retrieves certain data from the input set and generates lookup tables that the computational core interpolates values from during a simulation. The input set provides the structure for setting options and defining the inputs for an xLPR simulation. The input set is implemented in Microsoft Excel across 13 worksheets that support definition of over 13,000 simulation parameters.
The NRC's vision for the continuing evolution and use of the xLPR code is a high technology platform for nuclear systems and component integrity assessment. To fulfill this vision, the NRC has identified the need to pursue critical enhancements to the performance, scalability, and adaptability of the code. Such enhancements will position the NRC, EPRI, and other users to pursue advanced applications and harness recent technological advancements. However, several inherent design aspects of GoldSim, chiefly the fact that it is a 32-bit application and interpreter, are hindering implementation of the desired xLPR code enhancements. For this reason, and to exercise control over all aspects of the software, the NRC plans to transition the codebase for the xLPR Framework into a custom software solution implemented in a suitable third- or fourth-generation programming language (3GL/4GL).
Procedures for requesting a copy of the xLPR code are available on the NRC's public Web site:
https://www.youtube.com/watch?v=McVVFriy7wQ
Additionally, the NRC has hosted several public webinars about the code, which are available on YouTube as follows:
- NRC Public Release of the xLPR Probabilistic Fracture Mechanics Code
- xLPR Technical Seminar Series: Setting Up The Inputs
- xLPR Technical Seminar Series: Running the Simulation and Retrieving Results
- xLPR Technical Seminar Series: Advanced Methods
References:
[1] U.S. Code of Federal Regulations, Domestic Licensing of production and utilization facilities, Part 50, Chapter I, Title 10, Energy.
[2] ASME, NQA-1-2008, Quality Assurance Requirements for Nuclear Facility Applications, New York, NY, 2008.
[3] ASME, NQA-1a-2009, Quality Assurance Requirements for Nuclear Facility Applications, New York, NY, 2009.
[4] NRC, Regulatory Guide 1.28, Revision 4, Quality Assurance Program Criteria (Design and Construction), June 2010, NRC Agencywide Documents Access and Management System (ADAMS) Accession No. ML100160003.
[5] NRC, NUREG-2247, Extremely Low Probability of Rupture Version 2 Probabilistic Fracture Mechanics Code, August 2021, ADAMS Accession No. ML21225A736.
[6] GoldSim Technology Group, Monte Carlo Simulation Software - GoldSim [online]. Available: https://www.goldsim.com/web/home/. [Accessed January 22, 2024].
[7] GoldSim Technology Group, Overview of GoldSim Element Types [online]. Available: https://help.goldsim.com/index.html#!Modules/5/overviewofgoldsimelementtypes.htm. [Accessed January 22, 2024].
2 OBJECTIVE
The primary objective of this contract is to obtain expert technical assistance services to redesign and refactor the xLPR Framework to support increased capacity, performance, flexibility, and maintainability.
3 SCOPE OF WORK/TASKS
3.1 Task 1: Requirements Analysis, Architecture, and Design
The focus of Task 1 is to assess the current and projected future needs of the xLPR code and to plan for development of a new Framework to meet those needs.
Completion Date: Task 1 shall be completed no later than 90 calendar days from Contract award.
Expected Travel: For Task 1, two trips are expected for up to 4 Contractor personnel of up to 4 days duration from the Contractor's office(s) to NRC Headquarters or similar distance. (Total of 2 Trips)
3.1.1 Task 1a: Codebase Familiarization
The Contractor shall familiarize itself with the current operation and capabilities of the xLPR code. Materials to be used in this process include, but are not limited to, the following: executable files, source code files, user manual, training manuals, technical reports, and recorded presentations. The Contractor shall also become familiar with the current software quality assurance practices, configuration management systems, and baselined configuration items (e.g., software requirements descriptions, software design descriptions, software test plans, and software test results reports).
3.1.2 Task 1b: Requirements Gathering and Review
The Contractor shall lead and otherwise facilitate software requirements gathering and review activities. The purpose of these activities is to determine which of the existing software requirements should remain, be revised, or be eliminated to support redesign and refactoring of the xLPR Framework. New requirements will also be determined. The current maintenance backlog shall be considered in this process as well as the evaluation areas listed in Task 1c. As initiated by the COR, the Contractor will receive input from internal and external and other users of the code. The goal of this activity is to develop and prioritize the initial set of requirements that will be the focus for implementation under Task 3, while balancing the scope of the development effort with resource and schedule constraints. The Contractor shall prepare a draft set of new and revised software requirements for the COR to review. The Contractor shall address all comments provided and prepare a final set of new and revised software requirements.
Deliverables:
(1) Draft set of new and revised software requirements
(2) Final set of new and revised software requirements with comments incorporated
3.1.3 Task 1c: Implementation Language, Design, and Architecture Recommendations
Leveraging its expertise in 3GL/4GL, and taking input from Tasks 1a and 1b, the Contractor shall recommend the most appropriate coding language(s) for refactoring and redesigning the xLPR Framework. Specific areas that shall be evaluated by the Contractor to support its recommendations include, but are not limited to, the following:
- Translating the existing code into a custom software solution implemented in a 3GL/4GL, such as Python or C++. The relative advantages and disadvantages of the viable implementation languages shall be considered.
- Developing new code to replace inherent GoldSim software functions (e.g., functions for data storage, random number generation, probability distribution sampling, simulation control, error reporting, and results display)
- Coding language interoperability, including with existing software elements such as the physics-based Fortran modules
- Potential refactoring or redesign of the C# preprocessor or calling it directly as part of overall simulation execution without the need for user action
- Potential redesign or refactoring of the Excel-based input set
- Hardware requirements
- Development of a simple graphical user interface for basic simulation control, monitoring, and display of results
- Support for future enhanced user interface(s) and user experience
- Increasing computational performance (e.g., greater speed and more memory access) through parallel processing
- Use of current and future distributed computing resources (e.g., RESGC virtual machines)
- Potential support for a variety of operating environments
- Public licensing and distribution frameworks
- Incorporation of third-party software
- Improving maintainability
- Increasing flexibility to more easily support new features and applications
- Taking advantage of object-oriented design
- Potential for future interfaces with artificial intelligence and machine learning technologies
- Potential for future Webhosting
- Software quality assurance
- Software testing considerations
- Software and nuclear industry trends
- Potential future applications of the code
- Level of coding expertise in the current development team and of future developers
- User group support
- Consolidating redundant variables
- Design for extensibility
- Cybersecurity considerations
- Incorporating efficient data structures
To ensure compatibility, the Contractor shall also recommend whether changes, potentially including full refactoring and redesign, will be needed for the Preprocessor and input set. The Contractor shall also make recommendations on design approaches and software architecture changes. Some limited coding activities may be explored as part of this task as approved by the COR. The Contractor shall document its recommendations and associated rationale and present them for review. The Contractor shall address all comments and prepare a final set of recommendations to be approved by the COR.
Deliverables:
(1) Draft written recommendations for the new software implementation language(s), architecture, and strategies for refactoring and redesign
(2) Final written recommendations for the new software implementation language(s), architecture, and strategies for refactoring and redesign with comments incorporated
3.2 Task 2: Infrastructure Development
The focus of Task 2 is to prepare the infrastructure necessary to support implementation of the recommendations developed under Task 1.
Completion Date: Task 2 shall be completed no later than 120 calendar days from contract award.
Expected Travel: For Task 2, there is no expected travel.
The Contractor shall review the current xLPR software development infrastructure and make recommendations for changes or enhancements necessary to implement the recommendations developed under Task 1. This infrastructure includes, but is not limited to, the quality assurance plans, implementing procedures, coding standards and guidelines, training materials, and supporting software tools. To the extent possible, supporting software tools (e.g., dependencies such as libraries and compilers) should be free to obtain and open source. Software development shall be conducted using a process approved by the COR, such as Agile.
Under this task, the Contractor shall also prepare the software development environment(s).
The primary tools for configuration management will be the NRC GitHub repository(ies) and the EPRI Box repository. Should the Contractor identify the need for additional tools, then access to these tools shall be made available to the NRC staff and other developers as approved by the COR. Furthermore, the Contractor shall plan to transfer all data stored in these tools to the NRC at the end of the period of performance. The data transfer plan shall be approved by the COR.
As requested by the COR, the Contractor shall provide training to NRC and EPRI developers on the revised infrastructure. The Contractor shall meet all quality assurance program requirements.
Deliverables:
(1) draft software quality assurance plan and other software development infrastructure
(2) final software quality assurance plans and other development infrastructure with comments incorporated
3.3 Task 3: Software Development
The focus of Task 3 is to code, test, document, integrate and otherwise develop the new xLPR Framework following the recommendations prepared under Task 1, as may be revised. Task 3 shall not commence until Task 2 is complete, unless a deviation is allowed in writing by the COR.
Completion Date: Task 3 shall be considered complete when the COR has determined that a minimum viable product has been produced. Task 3 shall be completed no later than 24 months from Contract award.
Expected Travel: For Task 3, 2 trips are expected for up to 4 Contractor personnel of up to 4 days duration from the Contractor's office(s) to NRC Headquarters or similar distance. (Total of 2 trips)
Deliverables: The deliverables for Task 3 are the draft and final configuration items as specified in the approved software quality assurance plan.
All software development occurring under Task 3 shall be conducted in accordance with the approved software quality assurance plan and as directed by the COR. Following this plan and the recommendations from Task 1, the Contractor shall prepare draft and final document and software configuration items (e.g., software requirements descriptions, software design descriptions, software test plans, and software test results reports). The Contractor shall lead the software development efforts for the Framework. After configuration items are baselined, the Contractor shall maintain them in accordance with the software quality assurance plan.
In general, it is expected that all software necessary to meet xLPR requirements will be developed under this Contract. Any software developed by the Contractor outside the scope of this Contract or any third party-developed software proposed to be included in the xLPR code shall be approved in advance by the CO (Refer to 52.227-14 Rights in Data - General (May 2014)). Any such software will be evaluated to make sure that its use would not pose any undue risks to the program because of licensing, distribution, maintainability, availability, cost, or other factors.
3.4 Task 4: Technical Support and Training
The focus of Task 4 is to provide ad-hoc technical support and formal training sessions for users of the xLPR code.
Completion Date: Task 4 training shall be completed based upon scheduling of the training sessions as determined by the COR. Task 4 technical support may occur anytime.
Expected Travel: For Task 4, 2 trips are expected for up to 4 Contractor personnel of up to 4 days duration from the Contractor's office(s) to NRC Headquarters or similar distance. (Total of 2 trips)
The Contractor shall provide up to two formal training sessions for xLPR users on proper use of the xLPR code with the enhanced Framework prepared under Task 3. These training sessions shall be recorded for future reference and public viewing as determined by the COR. The COR shall identify the dates of the formal training sessions. The Contractor shall prepare the draft training materials, such as slide presentations and software files, and submit them to the COR for review no later than 30 calendar days before a first training session is scheduled. The Contractor shall incorporate comments on the draft training materials and submit the final training materials to the COR for approval no later than 10 calendar days before the first training session is scheduled. As directed by the COR, the Contractor shall improve the training materials based on feedback from the first training session and submit the revised materials to the COR for approval no later than 10 calendar days before a second training session is scheduled.
Additionally, the Contractor shall provide ad-hoc technical support, during normal business hours, as approved by the COR. This support may be provided to NRC and EPRI staff and contractors and public users of the code. The Contractor shall also maintain the software development infrastructure, as needed.
Deliverables:
(1) draft training materials
(2) final training materials with comments incorporated
(3) first training session
(4) improved training materials
(5) second training session
3.5 Task 5: Software Maintenance (Optional)
The focus of Task 5 is ongoing maintenance of the xLPR code.
Completion Date: At the discretion of the NRC, Task 5 may be optionally exercised on a yearly basis for up to 3 years following completion of Task 3.
Expected Travel: For Task 5, 1 trip per year is expected for up to 4 Contractor personnel of up to 4 days duration from the Contractor's office(s) to NRC Headquarters or similar distance. (Total of 3 trips)
Deliverables: The deliverables for Task 5 are the draft and final configuration items as specified in the approved software quality assurance plan.
The Contractor shall maintain the xLPR code following completion of Task 3. Maintenance will be conducted to correct identified problems, improve performance or maintainability, keep the products usable in a changed or changing environment, and detect and correct latent faults. All maintenance activities occurring under Task 5 shall be conducted in accordance with the approved software quality assurance plan. Following this plan, the Contractor shall prepare draft and final document and software configuration items (e.g., software requirements descriptions, software design descriptions, software test plans, and software test results reports). As directed by the COR, the Contractor shall also interface with other qualified software developers from the NRC staff, EPRI, or their contractors.
Additionally, the Contractor shall provide ad-hoc technical support, during normal business hours, as approved by the COR. This support may be provided to NRC and EPRI staff and contractors and public users of the code. The Contractor shall also maintain the software development infrastructure, as needed.
3.6 Task 6: Webhosting Feasibility Study (Optional)
The focus of Task 6 is to explore the potential for future Webhosting of the xLPR code.
Completion Date: At the discretion of the NRC, Task 6 may be optionally exercised. Task 6 shall be completed no later than 150 calendar days after exercising the task.
Expected Travel: For Task 6, there is no expected travel.
Deliverables: There are two deliverables for Task 6:
(1) draft technical letter report (TLR)
(2) final TLR with comments incorporated
The Contractor shall host the xLPR code, or portions thereof, on a Web server. The Contractor shall then demonstrate calling of the Webhosted software from an external source (e.g., a website or separate software application). This task is for exploratory purposes; therefore, software development for this task does not need to follow the approved software quality assurance plan.
Using data from this exercise and its own expertise, the Contractor shall prepare a draft TLR outlining the advantages and disadvantages of Webhosting the xLPR code, or portion(s) thereof. The TLR shall address topics including, but not limited to, server hardware and software requirements, cybersecurity, code performance, and effort and cost estimates. The TLR shall also explore the possibility of charging service fees to users for accessing Webhosted element(s) of the xLPR code, including the set-up efforts and costs to provide such services, a pricing model, and potential user revenue streams. The Contractor shall prepare a final TLR that incorporates all comments provided on the draft.
4 Estimated Labor Categories and Key Personnel
Labor Categories, Requirements and Key Personnel. Personnel working under this contract/order shall meet the minimum requirements for experience and education, as follows:
The proposed team of personnel must possess the minimum requirements below. The offeror may propose a single individual or multiple individuals to meet the minimum requirements for these labor categories. Each proposed personnel shall meet one or more of the experience and education requirements stated below.
Labor Category: Project Manager (Key Personnel: No)
Minimum qualification requirements:
- B.S. in engineering, science, or similar technical field
- Minimum 5 years of software development project management and oversight experience
Labor Category: Sr. Software Engineer (Key Personnel: Yes)
Minimum qualification requirements:
- B.S. in computer science, engineering, or similar technical field
- Minimum of 10 years of software development experience, with expert knowledge of a range of popular 3GL/4GL suitable for scientific applications, including Python and C++
- Working knowledge of modern Fortran (required of at least one member of the Key Personnel)
- Minimum of 3 years of experience leading Agile software development projects
- Demonstrated proficiency in object-oriented programming, parallel programming, and message passing interface
- Extensive experience in production level code verification, validation, testing, and version control
- Extensive experience with Git, GitHub, and other relevant software development tools
- Experience with software quality assurance standards
Skillsets that are not Required, but Desired for this Contract:
- Experience developing Monte Carlo simulation software
- Experience developing graphical user interfaces for software applications
- Experience with statistical sampling methods
- Experience in parallel programming
- Experience with ASME NQA-1 quality assurance standards
Labor Category: Software Engineer (Key Personnel: Yes)
- B.S. in computer science, engineering, or similar technical field
- Minimum of 5 years of software development experience, including Python and C++
- Minimum of 1 year of experience in Agile software development
- Demonstrated experience in object-oriented programming
- Experience in production level code verification, validation, testing, and version control
- Minimum of 1 year of experience in Git, GitHub, and other relevant software development tools
- Experience with software quality assurance standards
Skillsets that are not Required, but Desired for this Contract:
- Working knowledge of modern Fortran
- Experience developing Monte Carlo simulation software
- Experience developing graphical user interfaces for software applications
- Experience with statistical sampling methods
- Experience in parallel programming
See NRCAR 2052.215-70, Key Personnel
5 Certification and License Requirements
Not applicable.
6 Reporting Requirements
The Contractor shall provide a Monthly Letter Status Report (MLSR) which consists of a technical progress report and financial status report. This report will be used by the Government to assess the adequacy of the resources proposed by the Contractor to accomplish the work contained in this SOW and provide status of Contractor progress in achieving tasks and producing deliverables. The report shall include Contract summary information, work completed during the specified period, milestone schedule information, problem resolution, travel plans, and staff hours summary. The MLSR shall include a spend plan that is updated every month with a description of any significant deviations from the plan along with planned Contractor actions for managing the impact of any such deviations.
At the beginning of Task 3, the Contractor shall include in the MLSR the number of estimated logical source lines of code (SLOC) and the estimated number of function or story points, if applicable. This MLSR shall also include the estimated percentages of new, modified, and reused SLOC and estimated function or story points, if applicable. In addition, this MLSR shall include the estimated distribution of effort among design, coding, and integration and testing.
Upon completion of Task 3, the Contractor shall include in the MLSR the actual figures for these same measures along with the total effort in hours divided into the following categories: requirements analysis, architectural design, detailed design, construction, integration, qualification testing, and support processes.
7 List of Deliverables
The deliverables below shall be submitted to the COR. The COR will review all draft deliverables (and coordinate any internal and external NRC staff review, if needed) and provide comments back to the Contractor. The Contractor shall revise the draft deliverable based on the comments provided by the COR and then deliver a revised version of the deliverable, which will then be considered the Final Version. When mutually agreed upon between the Contractor and the COR, the contractor may submit preliminary or partial drafts to help gauge the Contractor's understanding of the particular work requirement. More than one round of drafts may be needed if the Contractor does not successfully incorporate the COR's comments on the previous draft.
The contractor shall develop (as necessary), maintain, and control data, files, information, and deliverables pursuant to this task order.
| Task No. | Deliverable | Due Date |
|---|---|---|
| 1b | Draft set of new and revised software requirements | 75 calendar days from contract award |
| 1b | Final set of new and revised software requirements with comments incorporated | 90 calendar days from contract award |
| 1c | Draft written recommendations for the new software implementation language(s), architecture, and refactoring and redesign strategies | 75 calendar days from contract award |
| 1c | Final written recommendations for the new software implementation language(s), architecture, and refactoring and redesign strategies with comments incorporated | 90 calendar days from contract award |
| 2 | Draft software quality assurance plan and other software development infrastructure | 105 calendar days from contract award |
| 2 | Final software quality assurance plans and other development infrastructure with comments incorporated | 120 calendar days from contract award |
| 3 | Draft and final configuration items as specified in the approved software quality assurance plan | Upon completion |
| 4 | Draft training materials | 30 calendar days before first COR-scheduled training session |
| 4 | Final training materials with comments incorporated | 10 calendar days before first COR-scheduled training session |
| 4 | First training session | To be determined by COR |
| 4 | Improved training materials | 10 calendar days before second COR-scheduled training session |
| 4 | Second training session | To be determined by COR |
| 5 (Optional) | Draft and final configuration items as specified in the approved software quality assurance plan | Upon completion |
| 6 (Optional) | Draft TLR | 120 calendar days from exercising the task |
| 6 (Optional) | Final TLR with comments incorporated | 150 calendar days from exercising the task |
8 Required Materials/Facilities
Required software to be provided by the Contractor (access for all Key Personnel) includes any compilers or other software needed to support development in the programming language(s) approved by the COR for xLPR code software development and maintenance.
9 Release of Publications
Any documents generated by the Contractor under this Contract shall not be released for publication or dissemination without COR prior written approval. The Contractor's investigator(s) may publish the results of this work in the open literature or may present papers at public or association meetings at interim stages of the work if the article or paper has been reviewed by the COR in draft form and agreement has been reached on the content. Submit the work in final form to the COR, accompanied by NRC Form 390A, "Release to Publish Unclassified NRC Contractor Speeches, Presentations, Papers, and Journal Articles." If agreement on the content has not been reached, NRC may also require that the paper include, in addition to the standard statement "Work Supported by the U.S. Nuclear Regulatory Commission," any caveats necessary to cover NRC objections. If NRC objections cannot be covered in this manner, NRC can refuse to authorize publication in the open literature and/or presentation of papers.
The Contractor shall place the following disclaimer on all published papers and articles:
This report was prepared as an account of work sponsored by an agency of the U.S. Government. Neither the U.S. Government nor any agency thereof, nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for any third party's use, or the results of such use, of any information, apparatus, product, or process disclosed in this report, or represents that its use by such third party would not infringe privately owned rights. The views expressed in this paper are not necessarily those of the U.S. Nuclear Regulatory Commission.
For additional information, see NRC Management Directive 3.9, NRC Staff and Contractor Speeches, Presentations, Papers, and Journal Articles on Regulatory and Technical Subjects.
10 Place of Performance
The work to be performed under this Contract shall be performed at the Contractor's facility except for travel.
11 Contractor Travel
The Contractor will be authorized travel expenses consistent with the Federal Travel Regulation (FTR) and the limitation of funds specified in the travel line item of this Contract. All travel requires prior written Government approval from the CO, unless otherwise delegated to the COR.
All travel is subject to the following conditions:
- Contractor attendance at a meeting may be in person or virtually, as approved by the COR.
- The number of trips, number of Contractor personnel, duration, and location, may be modified by the COR based on meeting circumstances and the need for Contractor support.
- The Contractor shall implement travel cost-sharing measures (e.g., sharing rental car) if possible.
- All travel conducted pursuant to this task order is billable at Federal per diem rates, in accordance with Federal Travel Regulations.
The following travel may occur under this Contract:
| Task No. | Trip Description | Location | Date | No. Trips | No. of Days/Trip | No. Attendees/Trip |
|---|---|---|---|---|---|---|
| 1 | Contract Kick-off and Support for Requirements Analysis, Architecture, and Design | To be determined | To be determined | 2 | 4 | 4 |
| 2 | No planned travel | | | | | |
| 3 | Support for Software Development | To be determined | To be determined | 2 | 4 | 4 |
| 4 | Formal Training Sessions | To be determined | To be determined | 2 | 4 | 4 |
| 5 | Support for Software Maintenance | To be determined | To be determined | 3 | 4 | 4 |
| 6 | No planned travel | | | | | |
12 Data Rights
The NRC shall have unlimited rights to and ownership of all deliverables provided under this Contract, including reports, recommendations, briefings, work plans, software source code and executables, and all other deliverables. All documents and materials, to include the source codes of any software, produced under this contract/order are the property of the Government with all rights and privileges of ownership/copyright belonging exclusively to the Government.
These documents and materials may not be used or sold by the contractor without written authorization from the CO. All materials supplied to the Government shall be the sole property of the Government and may not be used for any other purpose unless the contractor receives the prior, express written permission of the CO. This right does not abrogate any other Government rights. The definition of unlimited rights is contained in Federal Acquisition Regulation (FAR) 27.401, Definitions.
13 Security
The work will be UNCLASSIFIED, but requires IT Security Level II Access. Access is needed to test the new code in RES' virtual high performance AWS cloud computing platforms.
14 Section 508 - Information and Communication Technology Accessibility
14.1 Introduction
In December 2000, the Architectural and Transportation Barriers Compliance Board (Access Board) pursuant to Section 508(2)(A) of the Rehabilitation Act Amendments of 1998, established electronic and information technology (EIT) accessibility standards for the federal government.
The Standards for Section 508 of the Rehabilitation Act (codified at 36 CFR § 1194) were revised by the Access Board, published on January 18, 2017 and minor corrections were made on January 22, 2018, effective March 23, 2018.
The Revised 508 Standards have replaced the term EIT with information and communication technology (ICT). ICT is information technology (as defined in 40 U.S.C. 11101(6)) and other equipment, systems, technologies, or processes, for which the principal function is the creation, manipulation, storage, display, receipt, or transmission of electronic data and information, as well as any associated content. Examples of ICT include, but are not limited to: Computers and peripheral equipment; information kiosks and transaction machines; telecommunications equipment; customer premises equipment; multifunction office machines; software; applications; Web sites; videos; and, electronic documents.
The text of the Revised 508 Standards can be found in 36 CFR § 1194.1 and in Appendices A, C and D of 36 CFR § 1194 (at https://www.ecfr.gov/cgi-bin/text-idx?SID=caeb8ddcea26ba5002c2eea047698e85&mc=true&tpl=/ecfrbrowse/Title36/36cfr1194_main_02.tpl).
14.2 General Requirements
In order to help the NRC comply with Section 508 of the Rehabilitation Act of 1973, as amended (29 U.S.C. § 794d)(Section 508), the Contractor shall ensure that its deliverables (both products and services) within the scope of this contract/order are
1. in conformance with, and
2. support the requirements of the Standards for Section 508 of the Rehabilitation Act, as set forth in Appendices A, C and D of 36 CFR § 1194.
14.3 Applicable Provisions of the Revised 508 Standards
The following is an outline of the Revised 508 Standards that identifies what provisions are always applicable and which ones may be applicable. If "Maybe" is stated in the table below, then those provisions are applicable only if they are within the scope of this acquisition.
| Applicable to the Contract/Order? | Provision of 36 CFR Part 1194 |
|---|---|
| Yes | 1. Appendix A to Part 1194 - Section 508 of the Rehabilitation Act: Application and Scoping Requirements |
| Yes | Section 508 Chapter 1: Application and Administration - sets forth general application and administration provisions |
| Yes | Section 508 Chapter 2: Scoping Requirements - containing scoping requirements (which, in turn, prescribe which ICT - and, in some cases, how many - must comply with the technical specifications) |
| Maybe | 2. Appendix C to Part 1194 - Functional Performance Criteria and Technical Requirements |
| Maybe | Chapter 3: Functional Performance Criteria - applies to ICT where required by 508 Chapter 2 (Scoping Requirements) and where otherwise referenced in any other chapter of the Revised 508 Standards |
| Maybe | Chapter 4: Hardware |
| Maybe | Chapter 5: Software |
| Maybe | Chapter 6: Support Documentation and Services (applicable to, but not limited to, help desks, call centers, training services, and automated self-service technical support) (Always applies if Chapters 4 or 5 apply) |
| Yes | Chapter 7: Referenced Standards |
| Maybe | 3. Appendix D to Part 1194 - Electronic and Information Technology Accessibility Standards as Originally Published on December 21, 2000 |
Refer to Chapter 2 (Scoping Requirements) first to confirm what provisions in Appendix C apply in a particular case.
Section E203.2 applies only to the NRC, except as specified below.
14.4 Exceptions
14.4.1 Legacy ICT
Unless a deliverable of this contract/order is identified in this contract/order as Legacy ICT, use by the Contractor of the Legacy ICT general exception (section E202.2 of 36 CFR § 1194) shall only be permitted on a case-by-case basis for applicable legacy ICT and with advance written approval from the COR.
14.4.2 Undue Burden
The Undue Burden general exception (section E202.6 of 36 CFR § 1194) is not expected to be applicable to work performed by the Contractor. If there are questions about potential application of this exception, please discuss with the CO.
14.4.3 Fundamental Alteration or Best Meets
If the Contractor wishes to use the Fundamental Alteration (section E202.6 of 36 CFR § 1194) or Best Meets (section E202.7 of 36 CFR § 1194) general exceptions the Contractor shall do the following:
1. provide the COR with information necessary to support the agency's documentation requirements, as identified in sections E202.6.2 and E202.7.1 of 36 CFR § 1194, respectively
2. request and obtain written approval from the COR for development and/or use, as applicable to the scope of the contract/order, of an alternative means for providing individuals with disabilities access to and use of the information and data, as specified in sections E202.6.3 and E202.7.2 of 36 CFR § 1194, respectively.
14.4.4 National Security Systems
Based on the definition at 40 U.S.C. 11103(a), the National Security Systems general exception (section E202.3 of 36 CFR § 1194) is not applicable to this contract/order.
14.4.5 ICT Functions Located in Maintenance or Monitoring Spaces
The Contractor shall confirm with the COR that an ICT deliverable of this contract/order will be located in maintenance or monitoring spaces before assuming that the ICT Functions Located in Maintenance or Monitoring Spaces general exception (section E202.5 of 36 CFR § 1194) applies.
Note that this exception does not apply to features of the ICT (such as Web interfaces) that can be accessed remotely, outside the maintenance or monitoring space where the ICT is located.
14.5 Additional Requirements
14.5.1 Notification Due to Impact from NRC Policies, Procedures, Tools and/or ICT Infrastructure
If and when 1) the Contractor is dependent upon NRC policies, procedures, tools and/or ICT infrastructure for Revised-508-Standards-conformant delivery of any of the products or services under this acquisition, and 2) the Contractor is aware that conformance of products or services will be negatively impacted by capability gaps in NRC policies, procedures, tools and/or ICT infrastructure, the Contractor shall inform the COR so that the NRC can both be aware and take corrective action.
14.5.2 Accessibility of Electronic Content
For electronic content (as defined in section E103 of 36 CFR § 1194) deliverables of this contract/order:
1. If a deliverable is in the form of an Adobe Portable Document Format (PDF) file and is either Public Facing or Agency Official Communication (as defined in sections E103 and E205.3 of 36 CFR § 1194, respectively) the Contractor shall ensure that it conforms to both section E205.4 of 36 CFR § 1194 and ISO 14289-1 (PDF/UA-1)
2. Unless the Contractor requests and obtains advance written approval from the COR for a specific deliverable or class of deliverables, the contractor shall ensure that
   1. deliverables that are not Public Facing and not Agency Official Communication (as defined in sections E103 and E205.3 of 36 CFR § 1194, respectively) shall conform to section E205.4 of 36 CFR § 1194
   2. deliverables that are in the form of PDF files, are not Public Facing and are not Agency Official Communication (as defined in sections E103 and E205.3 of 36 CFR § 1194, respectively) shall conform to section E205.4 of 36 CFR § 1194 and ISO 14289-1 (PDF/UA-1).
14.5.3 Other
It is desirable that the Contractor address the applicable provisions of the Revised 508 Standards throughout product and service lifecycles rather than only performing a conformance check toward the end of a process.
If and when the Contractor provides custom ICT development services pursuant to this acquisition, the Contractor shall ensure the ICT products and services fully support the applicable provisions of the Revised 508 Standards prior to delivery and before final acceptance.
If and when the Contractor provides installation, configuration or integration services for ICT products (equipment and/or software) pursuant to this acquisition, the Contractor shall not install, configure or integrate the ICT equipment and software in a way that reduces the level of conformance with the applicable provisions of the Revised 508 Standards.
If and when the scope of this contract/order includes work by the Contractor to collect, directly from NRC employees or the Public, requirements for the procurement, development, maintenance or use of ICT the Contractor shall identify the needs of users with disabilities in conformance to section E203.2.
14.6 Accessibility Deliverables
The Contractor shall provide the following ICT accessibility deliverables, when within the scope of this contract/order.
14.6.1 Accessibility Conformance Report (ACR)
This report shall be submitted for ICT products, systems or application deliverables. A written ACR shall be based on the Voluntary Product Accessibility Template (VPAT), as specified at https://www.itic.org/policy/accessibility/vpat or provide equivalent information. This report has the purpose to document the state of conformance to the Revised 508 Standards for the subject product, system or application.
14.6.2 Supplemental Accessibility Report (SAR)
This report shall be submitted for ICT products, systems or application deliverables that have been custom developed or integrated by the Contractor to meet contract/order requirements. A written SAR shall contain:
a) Description of evaluation methods used to produce the ACR, to demonstrate due diligence in supporting conformance claims;
b) Information on core functions that can't be used by persons with disabilities; and,
c) Information on how to configure and install the ICT item to support accessibility
14.6.3 ICT Support Documentation
This documentation shall be submitted for ICT products, systems or application deliverables.
The support documentation shall include:
a) Documentation of features that help achieve accessibility and compatibility with assistive technology for persons with disabilities (as required by section 602 of 36 CFR § 1194);
b) For authoring tools that generate content (documents, reports, videos, multimedia, web content, etc.): Information on how the tool enables the creation of accessible electronic content that conforms to the Revised 508 Standards (see section 504 of 36 CFR § 1194), including the range of accessible user interface elements the tool can create;
c) For platform software (as defined in section E103.4 of 36 CFR § 1194) and software tools that are provided by a platform developer: Documentation on the set of accessibility services that support applications running on the platform to interoperate with assistive technology, as required by section 502.3 of 36 CFR § 1194.
14.6.4 ICT Support Documentation (Alternate Formats)
Upon request, alternate formats for non-electronic support documentation shall be provided (as required by section 602.4 of 36 CFR § 1194).
14.6.5 Document Accessibility Checklist
This checklist shall be submitted for ICT electronic content deliverables that are documents (as defined in section E103 of 36 CFR § 1194), if the requirement is specified elsewhere in this acquisition that testing be performed. A completed checklist summarizing the subject document's state of conformance to the applicable WCAG 2.0 Level A and AA Success Criteria (as referenced in section E205.4 and 702.10 of 36 CFR § 1194) and, for PDF files, ISO 14289-1 (PDF/UA-1).
14.6.6 Communication to ICT Users
When the Contractor is providing ICT support services (including, but not limited to help desks, call centers, training services, and automated self-service technical support), any communication to ICT users shall accommodate the communication needs of individuals with disabilities (see section 603.3 of 36 CFR § 1194) and include information on accessibility and compatibility features (see 603.2 of 36 CFR § 1194).
D - Packaging and Marking
D.1 PACKAGING AND MARKING (AUG 2023)
(a) The Contractor shall package material for shipment to the NRC in such a manner that will ensure acceptance by common carrier and safe delivery at destination. Containers and closures shall comply with the Surface Transportation Board, Uniform Freight Classification Rules, or regulations of other carriers as applicable to the mode of transportation.
(b) On the front of the package, the Contractor shall clearly identify the contract number under which the product is being provided.
(c) Additional packaging and/or marking requirements are as follows: N/A.
D.2 BRANDING (AUG 2023)
As directed by the COR, the Contractor shall use the statement below in any publications, presentations, articles, products, or materials provided under this contract/order if the work performed is funded entirely with NRC contract funds.
Work procured by the U.S. Nuclear Regulatory Commission (NRC), Office of Nuclear Regulatory Research, under Contract/order number 31310024C0016.
E - Inspection and Acceptance
E.1 INSPECTION AND ACCEPTANCE BY THE NRC (AUG 2023)
Unless otherwise specified, inspection and acceptance of the deliverable items to be furnished hereunder shall be made by the NRC Contracting Officer's Representative (COR) at the destination, in accordance with FAR 52.247 F.o.b. Destination.
Contract Deliverables:
Refer to the Statement of Work for deliverables.
E.2 52.246-5 INSPECTION OF SERVICES - COST-REIMBURSEMENT. (APR 1984)
G - Contract Administration Data
NRC Local Clauses Incorporated by Full Text
G.1 REGISTRATION IN FEDCONNECT (AUG 2023)
The Nuclear Regulatory Commission (NRC) uses Unison Software Inc.'s secure and auditable two-way web portal, FedConnect, to communicate with vendors and contractors.
FedConnect provides bi-directional communication between the vendor/contractor and the NRC throughout pre-award, award, and post-award acquisition phases. Vendors/contractors shall use FedConnect for the submission of responses to solicitations, acknowledgment of receipt of award and modification documents; and may be required to submit monthly letter status reports and other deliverables through FedConnect as well.
Therefore, in order to do business with the NRC, vendors and contractors shall register to use FedConnect at https://www.fedconnect.net/FedConnect. The individual registering in FedConnect shall have authority to bind the vendor/contractor. There is no charge for using FedConnect. Assistance with FedConnect is provided by Unison, not the NRC. FedConnect contact and assistance information is provided on the FedConnect web site.
NRCAR Clauses Incorporated By Reference
NRCAR Clauses Incorporated By Full Text
G.2 2052.215-77 TRAVEL APPROVALS AND REIMBURSEMENT. (OCT 1999)
(a) All foreign travel must be approved in advance by the NRC on NRC Form 445, Request for Approval of Official Foreign Travel, and must be in compliance with FAR 52.247-63 Preference for U.S. Flag Air Carriers. The contractor shall submit NRC Form 445 to the NRC no later than 30 days before beginning travel.
(b) The contractor must receive written approval from the NRC Project Officer before taking travel that was unanticipated in the Schedule (i.e., travel not contemplated in the Statement of Work, or changes to specific travel identified in the Statement of Work).
(c) The contractor will be reimbursed only for travel costs incurred that are directly related to this contract and are allowable subject to the limitations prescribed in FAR 31.205-46.
(d) It is the responsibility of the contractor to notify the contracting officer in accordance with the Limitations of Cost clause of this contract when, at any time, the contractor learns that travel expenses will cause the contractor to exceed the estimated costs specified in the Schedule.
(e) Reasonable travel costs for research and related activities performed at State and nonprofit institutions, in accordance with Section 12 of Pub. L. 100-679, must be charged in accordance with the contractor's institutional policy to the degree that the limitations of Office of Management and Budget (OMB) guidance are not exceeded. Applicable guidance documents include OMB Circular A-87, Cost Principles for State and Local
H - Special Contract Requirements
NRC Local Clauses Incorporated by Full Text
H.1 SECURITY REQUIREMENTS FOR CONTRACTORS (AUG 2023)
It has been determined that contractor personnel with access to information related to work on this contract/order are required to obtain IT-II access or L clearance.
The Contractor shall ensure that all its applicants (i.e. employees, subcontractor employees or consultants) who are assigned to perform the work herein for contract performance are approved by the NRC. The NRC Contracting Officer's Representative (COR) shall make the final determination of the Building Access (BA), level of Information Technology (IT) Access (Level I or Level II), or the national security clearance level (Q or L) required for all applicants working under this contract/task order using the following guidance. The Contractor should conduct a preliminary federal facilities security screening interview or prescreening review for each of its applicants and submit to the NRC only the names that have a reasonable probability of obtaining approval necessary for access to NRC's federal facilities.
The Contractor's pre-screening review, applicable to all access/clearance levels, should focus on the applicant's history regarding the following:
(a) felony arrest in the last seven (7) years;
(b) alcohol related arrest within the last five (5) years;
(c) record of any military court-martial convictions in the past ten (10) years;
(d) illegal use of narcotics or other controlled substances possession in the past year;
(e) illegal purchase, production, transfer, or distribution of narcotics or other controlled substances in the last seven (7) years;
(f) delinquency on any federal debts or bankruptcy in the last seven (7) years;
(g) applicants with less than five (5) years permanent residency in the U.S. will not be approved for Building Access, IT Access, or a national security clearance;
(h) non-U.S. citizens must provide official documentation to the DFS/PSB as proof of their permanent residency;
(i) foreign nationals (non-U.S. citizens) are not eligible for a national security clearance (Q or L)
SECURITY REQUIREMENTS FOR BUILDING ACCESS
This is applicable when an applicant will require unescorted Building Access (BA) and a HSPD-12 PIV card (NRC badge). Temporary Building Access may be approved by the NRC based on a favorable NRC review and discretionary determination of the applicant's Building Access security forms. Final Building Access will be approved by the NRC based on favorable adjudication of their background investigation completed by the Defense Counterintelligence and Security Agency (DCSA). Requires an OPM SF-85 (see https://www.opm.gov/forms/standard-forms/).
SECURITY REQUIREMENTS FOR IT LEVEL II (IT-II) ACCESS
An applicant will require IT-II Access if the applicant will need access to IT systems or Controlled Unclassified Information (CUI) regardless of physical work location, including an NRC Local Area Network (LAN) account. IT-II Access includes all the access and responsibilities included under Building Access. Temporary IT Access may be approved by the NRC based on a favorable NRC review and discretionary determination of the applicant's IT Access security forms. Final IT Access will be approved by the NRC based on favorable adjudication of their background investigation completed by the Defense Counterintelligence and Security Agency (DCSA). Requires an OPM SF-86 (see www.opm.gov/forms/standard-forms/).
SECURITY REQUIREMENTS FOR IT LEVEL I (IT-I) ACCESS
An applicant will require IT-I Access if the applicant will need access to IT systems or Controlled Unclassified Information (CUI) regardless of physical work location, including an NRC Local Area Network (LAN) account. IT-I Access involves responsibility for the planning, direction, and implementation of a computer security program, and will have major responsibility for the direction, planning, and design of a computer system, including its hardware and software. IT-I access also includes the need to access a computer system during its operation or maintenance in such a way that could cause or that has a relatively high risk of causing grave damage to the agency. IT-I access also includes the applicant's capability to realize a significant personal gain from computer access. IT-I Access includes all the access and responsibilities under IT-II Access and Building Access. Temporary IT Access may be approved by the NRC based on a favorable NRC review and discretionary determination of the applicant's IT Access security forms. Final IT Access will be approved by the NRC based on favorable adjudication of their background investigation completed by the Defense Counterintelligence and Security Agency (DCSA). Requires an OPM SF-86 (see https://www.opm.gov/forms/standard-forms/).
SECURITY REQUIREMENTS FOR L CLEARANCE
An applicant will be submitted for an L Clearance if the applicant is designated in a non-critical-sensitive position requiring access to, on a need-to-know basis, to Secret and Confidential National Security Information or Confidential Restricted Data (RD) not related to broad naval nuclear propulsion program policy or direction. A security orientation briefing must be given to the applicant by the NRC when the background investigation is completed and favorably adjudicated by the NRC. This briefing will normally be given by a representative of the NRC's Personnel Security Branch (PSB), or in a regional office by a regional security representative. Temporary IT-II Access may be approved based on a favorable NRC review and discretionary determination of the applicant's national security clearance security forms. A national security clearance will be granted by the NRC based on favorable adjudication of the applicant's background investigation completed by the Defense Counterintelligence and Security Agency (DCSA). Requires an OPM SF-86 (see https://www.opm.gov/forms/standard-forms/).
SECURITY REQUIREMENTS FOR Q CLEARANCE
An applicant will be submitted for a Q Clearance if the applicant is designated in a critical-sensitive position requiring access to, on a need-to-know basis, to Top Secret, Top Secret RD, Secret, Secret RD, Confidential, and Confidential RD. A security orientation briefing must be given to the applicant by the NRC requiring national security clearance when the background investigation is completed and favorably adjudicated by the NRC. This briefing will normally be given by a representative of PSB, or in a regional office by a regional security representative.
Temporary IT-II Access may be approved based on a favorable NRC review and discretionary determination of the applicant's national security clearance security forms. A national security clearance will be granted by the NRC based on favorable adjudication of their background investigation completed by the Defense Counterintelligence and Security Agency (DCSA).
Requires an OPM SF-86 (see https://www.opm.gov/forms/standard-forms/).
REMOVING AN APPLICANT FROM A CONTRACT AND/OR TASK ORDER
The Contractor shall immediately notify the COR when an applicant will no longer support this NRC contract/order.
H.2 INFORMATION TECHNOLOGY (IT) SECURITY REQUIREMENTS (AUG 2023)
All work under this contract and all devices used to store, process, or transmit NRC sensitive information shall comply with the current versions of the federally mandated and NRC defined policy, procedures, and standards, as applicable and as amended. This list includes but is not limited to the following:
National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS):
- FIPS PUB 140-3, SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC MODULES
- FIPS PUB 180-4, Secure Hash Standard (SHS)
- FIPS PUB 186-4, Digital Signature Standard (DSS)
- FIPS PUB 197, Advanced Encryption Standard
- FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems
- FIPS PUB 200, Minimum Security Requirements for Federal Information and Information Systems
- FIPS PUB 201-2, Personal Identity Verification (PIV) of Federal Employees and Contractors
- FIPS PUB 202, SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions
NIST Special Publications (SP):
- SP 800-171 Rev. 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
- SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information
- SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171
Committee on National Security Systems (CNSS) Policies:
- CNSSP 1, National Policy for Safeguarding and Control of COMSEC Material
- CNSSP 3, National Policy for Granting Access to U.S. Classified Cryptographic Information
- CNSSP 7, Policy on the use of Commercial Solutions to Protect National Security Systems
- CNSSP 8, Release and Transfer of USG Cryptologic NSS Tec Sec Mat'l, Info, and Techniques to Foreign Govts
- CNSSP 10, NATIONAL POLICY GOVERNING USE OF APPROVED SECURITY CONTAINERS IN INFORMATION SECURITY APPLICATIONS
- CNSSP 11, Acquisition of Information Assurance (IA) and IA-Enabled Information Technology (IT) Products
- CNSSP 14, Rel of IA Products and Services to Auth U.S. Persons or Activities Not a Part of Fed. Govt
- CNSSP 15, Use of Public Standards for Secure Information Sharing
- CNSSP 16, National Policy for the Destruction of COMSEC Paper Material
- CNSSP 17, Policy on Wireless Systems
- CNSSP 18, National Policy on Classified Information Spillage
- CNSSP 19, National Policy Governing the Use of High Assurance Internet Protocol Encryptor (HAIPE) Products
- CNSSP 21, National Cybersecurity Policy on Enterprise Architecture Frameworks for National Security Systems
- CNSSP 22, Cybersecurity Risk Management Policy
- CNSSP 24, Policy on Assured Information Sharing (AIS) for National Security Systems (NSS)
- CNSSP 25, National Policy for Public Key Infrastructure in National Security Systems
  CNSSP 25, National Policy for Public Key Infrastructure in National Security Systems provides for a National Security Systems (NSS) Public Key Infrastructure (PKI) on Secret networks.
- CNSSP 26, National Policy on Reducing the Risk of Removable Media for National Security Systems
- CNSSP 28, Cybersecurity of Unmanned National Security Systems
- CNSSP 29, National Secret Enclave Connection Policy
- CNSSP 30, Cryptographic Key Protection
- CNSSP 300, National Policy on Control of Compromising Emanations
- NSTISSP 5, National Policy for Incident Response and Vulnerability Reporting for National Security Systems
- NSTISSP 101, National Policy on Securing Voice Communications
- NSTISSP 200, National Policy on Controlled Access Protection
CNSS Protection Directives:
- CNSSD 504, Directive on Protecting National Security Systems from Insider Threat
- CNSSD 500, Information Assurance (IA) Education, Training, and Awareness
- NSTISSD 501, National Training Program for Information Systems Security (INFOSEC) Professionals
- CNSSD 502, National Directive On Security of National Security Systems
- CNSSD 505, Supply Chain Risk Management (SCRM)
- CNSSD 506, NATIONAL DIRECTIVE TO IMPLEMENT PUBLIC KEY INFRASTRUCTURE ON SECRET NETWORKS
- CNSSD 507, National Directive for Identity, Credential, and Access Mgmt. Capabilities on the U.S. Federal Secret Fabric
- CNSSD 510, Directive on the Use of Mobile Devices Within Secure Spaces
- CNSSD 520, The Use of Mobile Devices to Process National Security Information Outside of Secure Spaces
- NSTISSD 600, Communications Security Monitoring
- CNSSD 900, Governing Procedures of the Committee on National Security Systems (CNSS)
- CNSSD 901, National Security Telecommunications and Information Systems Security (CNSS) Issuance System
CNSS Instructions:
- CNSSI 1001, National Instruction On Classified Information Spillage
- CNSSI 1002, Management of Combined Secure Interoperability Requirements
- CNSSI 1010, Cyber Incident Response
- CNSSI 1011, Implementing Host-Based Security Capabilities on National Security Systems
- CNSSI 1013, Network Intrusion Detection Sys & Intrusion Prevention Sys (IDS/IPS) on NSS
- CNSSI 1015, Enterprise Audit Management Instruction for
- CNSSI 1100, Consistency and Synchronization During Classification and Declassification of Information Related to Cybersecurity of National Security Systems
- CNSSI 1200, Instruction for Space Systems Used to Support NSS
- CNSSI 1253, Security Categorization and Control Selection for National Security Systems
- CNSSI 1253F Attachment 1, Security Overlays Template
- CNSSI 1253F Attachment 2, Space Platform Overlay
- CNSSI 1253F Attachment 3, Cross Domain Solution Overlay
- CNSSI 1253F Attachment 4, Intelligence Overlay
- CNSSI 1253F Attachment 4.1, IC CIO Signed Memo for Intelligence Overlay
- CNSSI 1253F, Attachment 5, Classified Information Overlay
- CNSSI 1012, Instruction for Network Mapping of National Security Systems (NSS)
- CNSSI 1253F Attachment 6, Privacy Overlay
- CNSSI 1254, Risk Management Framework Documentation, Data Element Standards, and Reciprocity Process for National Security Systems
- CNSSI 1300, Instruction for National Security Systems Public Key Infrastructure X.509 Certificate Policy Under CNSS Policy No. 25
- CNSSI 3006, Operational Security Doctrine for Global Positioning System Precise Positioning Service User Equipment
- NTISSI 3013, Operational Security Doctrine for the Secure Telephone Unit III (STU-III) Type 1 Terminal
- NSTISSI 3019, Operational Security Doctrine for the FASTLANE (KG-75 and KG-75A)
- CNSS-18-19, FASTLANE KG-75 and KG-75A Operational Systems Security Doctrine
- CNSSI 3021, Operational Security Doctrine for the AN/CYZ-10/10A Data Transfer Device
- NSTISSI 3022, OPSEC Doctrine for TEDs KG-81, KG-94, KG-95, KG-194, and KIV-19 in Stand Alone Applications
- NSTISSI 3026, Operational Security Doctrine for the Motorola Network Encryption System (NES)
- NSTISSI 3028, Operational Security Doctrine for the FORTEZZA User PCMCIA Card
- CNSSI 3029, Operational Systems Security Doctrine for TACLANE (KG-175)
- CNSSI 3029 2004 Amendment, Operational Systems Security Doctrine for TACLANE (KG-175)
- CNSSI 3029 2006 Amendment, Operational Systems Security Doctrine for TACLANE (KG-175)
- NSTISSI 3030, OPSEC Security Doctrine for the FORTEZZA PLUS (KOV-14) and Cryptographic Card and Associated STE
- NSTISSI 3030 2006 Amendment, Amendment to NSTISSI-3030
- CNSSI 3031, Operation Systems Security Doctrine for the Sectera In-Line Network Encryptor (KG-235)
- CNSSI 3032, Operational Security Doctrine for the VIASAT Internet Protocol (VIP) Crypto Version 1 (KIV-21)
- CNSSI 3034, Operational Security Doctrine for the SECNET 11 Wireless Local Area Network Interface Card
- CNSSI 3035, OPERATIONAL SECURITY DOCTRINE FOR THE REDEAGLE KG-245 IN-LINE NETWORK ENCRYPTOR (INE)
- CNSSI 4000, Maintenance of Communications Security (COMSEC) Equipment
- CNSSI 4001, Controlled Cryptographic Items
- NSTISSI 4002
- NTISSI 4002 2009 Amendment, Pen and Ink Changes for NTISSI 4002
- NTISSI 4002 2004 Amendment, Pen and Ink Changes for NTISSI 4002 9 Jul 2004
- CNSSI 4003, Reporting and Evaluating Communications Security (COMSEC) Incidents
- CNSSI 4004.1, Destruction and Emergency Protection Procedures for COMSEC and Classified Material
- CNSSI 4005, Safeguarding COMSEC Facilities and Materials
- CNSSI 4005 Amendment This document is designated FOUO
- CNSS-008-14 Amendment to CNSSI 4005
- CNSSI 4006, Controlling Authorities for Traditional COMSEC Keying Material
- CNSSI 4007, Communications Security (COMSEC) Utility Program
- CNSS-19-19, COMSEC Utility Program Reissue Date Memo
- CNSSI 4008, Program for the Management and Use of National Reserve Information Assurance Security Equipment
- CNSS-20-19, Equipment Material Reissue Memo
- CNSSI 4009, Committee on National Security Systems (CNSS) Glossary
- NSTISSI 4010, Keying Material Management
- NSTISSI 4011, National Training Standard for Information Systems Security (INFOSEC) Professionals
- CNSSI 4012, National Information Assurance Training Standard for Senior Systems Managers
- CNSSI 4013, National Information Assurance Training Standard For System Administrators (SA)
- CNSSI 4014, Information Assurance Training Standard for Information Systems Security Officers
- NSTISSI 4015, National Training Standard for Systems Certifiers
- CNSSI 4016, National Information Assurance Training Standard For Risk Analysts
- CNSSI 4031, Cryptographic High Value Products (CHVP)
- CNSSI 4032, Management and Use of Secure Data Network Systems
- CNSSI 4033, Nomenclature for Communications Security Material
- CNSSI 5000, Voice Over Internet Protocol (VoIP) Telephony
- CNSSI 5000 ANNEX I, VOICE OVER SECURE INTERNET PROTOCOL (VoSIP)
- CNSSI 5000 Annex J, Softphone Security Requirements
- CNSSI 5001, Type-Acceptance Program for Voice Over Internet Protocol (VoIP) Telephones
- CNSSI 5002, Telephony Isolation Used for Unified Communications Implementations Within Physically Protected Spaces
- CNSSI 5006, National Instruction for Approved Telephone Equipment
- CNSSI 5007, Telephone and Security Equipment Submission and Evaluation Procedures
- NACSI 6002, National COMSEC Instruction
- CNSSI 7003, Protected Distribution Systems
Director of National Intelligence (DNI)
For guidance on processing and handling of information that falls under the purview of DNI, please consult the classified DNI network.
The NRC's Bring Your Own Device (BYOD) program allows NRC employees and contractor personnel to conduct official business using personally owned smart phones and tablets, as long as:
- The smart phone or tablet uses a containerized solution whereby the Contractor or NRC controls activation, deactivation, and remote wiping of the container, and the container is isolated from personal applications and data.
- NRC sensitive information is only stored or processed within the container and any stored information is encrypted.
- The operating system on the smart phone or tablet is current within 2 versions of the currently deployed operating system for the type of device.
The Contractor shall not connect personally owned devices (e.g., mobile phones, tablets, and thumb drives) to a system (e.g., desktop, mobile desktop) used to process NRC sensitive information. All work performed by the Contractor shall be in facilities and on networks and computing devices that have been authorized by the COR for processing information at the sensitivity level of the information being processed.
If the effort includes use or processing of classified information, the Contractor shall notify the NRC CO and COR in writing before the contractor begins to process classified information.
All Contractor and subcontractor personnel must acknowledge and abide by the NRC Agency-Wide Rules of Behavior for Authorized Computer Use prior to being granted access to NRC computing resources (available in NRC's Public Agencywide Documents Access and Management System (ADAMS), located at: https://adams.nrc.gov/wba/. Search for Accession Number ML2016A026).
1.1 Definitions
The following terms are defined through the reference sources below and are current as of the date of the clause. However, if those definitions are updated by those sources at a later date, the most recent definition applies.
Adequate security - As defined in Office of Management and Budget (OMB) Circular A-130.
Classified Information - As defined in Executive Order (E.O.) 13526 or any predecessor order
Cloud computing - As defined in NIST SP 800-145.
Compromise - As defined in NIST SP 800-32; CNSSI 4009.
Computing Device - Any electronic equipment that is controlled by a central processing unit (CPU). Examples include information systems, cellular phones, tablets, laptops, Fitbit, watches, and personal computers.
Cyber incident - As defined in CNSSI 4009.
Forensic analysis, or Forensics - As defined in CNSSI 4009.
Incident - As defined in FIPS Pub 200.
Information and Communications Technology (ICT) - As defined in CNSSI 4009.
Malware - As defined in CNSSI 4009, under Malicious Code.
Media - As defined in FIPS Pub 200.
Safeguards Information (CUI//SP-SGI) - As defined in 10 CFR § 73.2.
Supply Chain Risk - As defined in 10 U.S.C. 2339a.
1.2 Adequate security
The Contractor shall protect all information handled by, processed, stored, or transmitted by the Contractor in accordance with the sensitivity of the information as determined by the NRC. The Contractor shall provide adequate security on all covered Contractor devices and information systems. All cryptography used under this award shall use the current version of FIPS 140 validated cryptographic modules operated in FIPS mode. The Contractor shall ensure NRC sensitive information is removed from Contractor-owned system components prior to component disposal. A disposal plan will be submitted to the NRC and approved by the agency's Chief Information Security Officer (CISO) before the purging or disposal of NRC sensitive information commences.
1.2.1 Classified Information
The Contractor shall implement, at a minimum, the following information security protections to provide adequate security for classified information:
- 1. The Contractor shall only process and handle classified information at facilities that have NRC approval in writing for this type of information.
- 2. The Contractor shall follow CNSS direction and specific requirements determined by the information owner when processing, storing, or transmitting classified information.
- 3. The Contractor shall follow DNI policy, standards, and guidance when processing, storing or transmitting classified information that falls under the purview of the DNI.
- 4. The Contractor shall not process, transmit, or store classified information on an unclassified system or network.
- 5. The Contractor shall only store, process, or transmit classified information using systems that have been provided in writing an NRC authority to operate for classified information processing.
- 6. The Contractor shall not use copiers, scanners, printers, or fax machines that are connected to an unclassified network for processing classified information.
- 7. The Contractor shall constantly monitor scanning, printing, and faxing of classified information via an individual properly authorized for access to the information, and the Contractor shall continuously attend the machines via a properly authorized individual until completion of the process.
- 8. When transmitting classified information using voice telecommunications (e.g., telephone, radio, or video teleconferencing), the Contractor shall only transmit the classified information over protected systems.
- 9. The Contractor shall only use cryptographic modules approved by the National Security Agency (NSA) and operated as directed by NSA for protecting classified information.
- 10. The Contractor shall only use cryptographic modules approved by the DNI and operated as directed by the DNI for protecting Sensitive Compartmented Information (SCI) information.
- 11. Where not superseded by requirements in this section, the Contractor shall implement adequate security as defined in Section 1.2.3.
1.2.2 Safeguards Information (CUI//SP-SGI)
The Contractor shall implement, at a minimum, the following information security protections to provide adequate security for CUI//SP-SGI:
- 1. The Contractor shall only process and handle CUI//SP-SGI information at facilities that have NRC approval in writing for this type of information.
- 2. The Contractor shall only store, process, or transmit CUI//SP-SGI using systems that have been provided in writing an NRC authority to operate for CUI//SP-SGI processing.
- 3. The Contractor shall only connect CUI//SP-SGI systems to other CUI//SP-SGI systems, except where using NRC authorizing official approved (in writing) encrypted connections that permit transmission over lower-level networks. The COR will coordinate this approval with NRC's authorizing official.
- 4. The Contractor shall only connect CUI//SP-SGI laptops to CUI//SP-SGI systems using techniques and capabilities specifically approved by the NRC for connecting to the CUI//SP-SGI system.
- 5. The Contractor may not use copiers, scanners, printers, or fax machines that are connected to an unclassified, non-safeguards information network for processing CUI//SP-SGI.
- 6. The Contractor shall constantly monitor scanning, printing, and faxing of CUI//SP-SGI via an individual properly authorized for access to the information, and the Contractor shall continuously attend the machines via a properly authorized individual until completion of the process.
- 7. When transmitting CUI//SP-SGI using voice telecommunications (e.g., telephone, radio, or video teleconferencing), the Contractor shall only transmit the CUI//SP-SGI over protected systems.
- 8. The Contractor shall only use cryptographic modules that are operated in FIPS mode and are FIPS 140-2 validated to at least an overall level 2 with the validation subcategories of Roles, Services, and Authentication; electromagnetic interference/electromagnetic compatibility; and Design Assurance validated to at least level 3.
- 9. The Contractor shall provide all media that has been used to store or process CUI//SP-SGI to NRC COR for destruction.
- 10. Where not superseded by requirements in this section, the Contractor shall implement adequate security as defined in Section 1.2.3.
1.2.3 Sensitive Information that is Not Classified Information and Not CUI//SP-SGI
The Contractor shall implement, at a minimum, the following information security protections to provide adequate security for sensitive information:
- 1. The Contractor shall ensure any ICT used for sensitive information meets the requirements identified in NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations unless otherwise authorized by the Contracting Officer.
- 2. The Contractor shall submit requests to vary from NIST SP 800-171 in writing to the Contracting Officer, for their coordination with and consideration by the NRC Chief Information Officer (CIO). The Contractor need not implement any security requirement adjudicated by an authorized representative of the NRC CIO to be nonapplicable or to have an alternative, but equally effective, security measure that may be implemented in its place.
- 3. If the NRC CIO has previously adjudicated the Contractor's requests indicating that a requirement is not applicable or that an alternative security measure is equally effective, the Contractor shall provide a copy of that approval to the Contracting Officer when requesting its recognition under this contract.
- 4. If the Contractor's solution utilizes a third-party cloud service that deals with NRC sensitive information, those cloud offerings must be FedRAMP authorized at least at the moderate level.
If the cloud offering deals with non-sensitive information, the cloud offerings must be FedRAMP authorized. These cloud offerings can use any impact level that is deemed appropriate.
- 5. The Contractor shall apply other information system security measures when the Contractor reasonably determines that information system security measures, in addition to those identified in paragraphs in this clause, may be required to provide adequate security in a dynamic environment, to accommodate special circumstances (e.g., medical devices) and to address any individual, isolated, or temporary deficiencies based on an assessed risk or vulnerability.
The contractor must address these measures in a system security plan that is approved by the NRC CIO.
- 6. The Contractor shall only use FIPS 140 validated cryptographic modules and algorithms configured in accordance with the cryptographic modules security policy.
- 7. If the Contractor uses email to send and receive sensitive information, the Contractor shall use an NRC provided e-mail account. Otherwise, the Contractor shall transmit sensitive information using mechanisms to protect the information during transmission that have been approved by the NRC CIO.
1.3 Cyber Incident Reporting Requirement
When the Contractor discovers a cyber incident that affects Classified or Controlled Unclassified Information or that affects the Contractor's ability to perform the requirements of the contract, the Contractor shall:
- 1. Rapidly report potential or confirmed cyber incidents to the NRC CO.
- 2. Upon direction from the NRC COR, conduct a review for evidence of compromise of Classified or Controlled Unclassified Information, including, but not limited to, identifying compromised devices, computers, servers, specific data, and user accounts.
1.4 Subcontracting
The Contractor shall flow this clause down to all subcontracts.
1.5 Supply Chain Risk
In order to manage supply chain risk, the Government may consider information, public and non-public, including all-source intelligence, relating to an offeror/Contractor and its supply chain.
The Contractor shall complete and maintain a Supply Chain Risk Assessment (SCRA) using the SCRA for Offerors included as attachment [N/A] for each computing device and software used to store, process, or transmit NRC sensitive information and shall provide updates to the CO within 48 hours of any changes.
The Contractor shall ensure all hardware and software vendors used to support NRC implementations and solutions have a valid National Defense Authorization Act (NDAA) Section 889 attestation.
1.6 Award Performance and Closeout
The Contractor shall ensure that the NRC data processed during the performance of this award is purged from all data storage components of the Contractor's computing devices, and the Contractor shall not retain any NRC data within 30 calendar days after award is completed. Until the Contractor purges all of that data, the Contractor shall ensure that any NRC data remaining in any storage component is protected in accordance with its sensitivity to prevent unauthorized disclosure.
When a representative of the Contractor no longer requires access to an NRC system, the Contractor shall notify the COR in writing within 24 hours.
Upon contract completion, the Contractor shall provide a status list in writing to the COR of all Contractor personnel who were users of NRC systems and shall note if any users still require access to the system to perform work if a follow-on award is issued by the NRC.
Before the purging of NRC sensitive information can begin, a disposal plan will be submitted to the NRC and approved by the agency's CISO.
1.7 Control of Information and Data
The Contractor shall not publish or disclose in any manner, without the CO's prior written consent, the details of any security controls or countermeasures either designed or developed by the Contractor under this award or otherwise provided by the NRC to the Contractor.
Any computing device used by the Contractor to store, process, or transmit NRC sensitive information shall:
- Include a mechanism to require users to uniquely identify and authenticate themselves to the system before beginning to perform any other actions that the system is expected to provide.
- Be able to authenticate data that includes information for verifying the claimed identity of individual users (e.g., passwords).
- Protect authentication data so that it cannot be accessed by any unauthorized user.
- Be able to enforce individual accountability by providing the capability to uniquely identify each individual computing device user.
- Report to appropriate security personnel when attempts are made to guess the authentication data whether inadvertently or deliberately.
1.8 Access Controls
Any computing device used by the Contractor to store, process, or transmit NRC data shall be able to define and enforce access privileges for individual users. The discretionary access control mechanisms shall be configurable to protect objects (e.g., files, folders) from unauthorized access.
A computing device used by the Contractor to store, process, or transmit NRC data shall provide only essential capabilities and specifically prohibit and/or restrict the use of functions, ports, protocols, and/or services, as specified in the contract/grant.
Contractor personnel that access a computing device that processes, stores, or transmits NRC sensitive information must meet personnel security requirements identified by federal law, federal regulation, and federal government policy, as applicable, for the type of information.
The Contractor shall ensure that the most restrictive set of rights/privileges or accesses needed by users (or processes acting on behalf of users) for the performance of specified tasks is enforced by the system through assigned access authorizations.
The Contractor shall ensure separation of duties for Contractor systems used to process NRC information and enforce them by the system through assigned access authorizations.
The Contractor shall continuously protect mechanisms within the Contractor system or application that enforces access control and other security features against tampering and/or unauthorized changes.
1.9 Media Handling
The Contractor shall control all media used by the Contractor to store or process NRC information in accordance with the information sensitivity level.
The Contractor shall not sanitize or destroy media approved for processing NRC information designated as CUI//SP-SGI or Classified. The Contractor must provide the media to the COR for destruction.
1.10 Vulnerability Management
The Contractor shall install security-relevant software and firmware updates (e.g., patches, service packs, hot fixes) in accordance with the following:
- Within 14 calendar days for vulnerabilities that have been assigned Common Vulnerabilities and Exposures (CVE) ID after January 1, 2021 and added to the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities Catalog.
- Within 30 calendar days for vulnerabilities deemed to be Critical according to the Common Vulnerability Scoring System (CVSS), as described in NRC CSO-STD-0020, Organization-Defined Values for System Security and Privacy Controls (available in NRC's Public Agencywide Documents Access and Management System (ADAMS), located at: https://adams.nrc.gov/wba/. Search for Accession Number ML22101A241)
- Within 30 calendar days for vulnerabilities deemed to be High according to the CVSS
- Within 90 calendar days for vulnerabilities deemed to be Moderate according to the CVSS
- Within 120 calendar days for vulnerabilities deemed to be Low according to the CVSS If federally mandated requirements (e.g., CISA emergency directives) specify a shorter timeframe, then the contractor would be required to meet those timeframes. Examples include, but are not restricted to, CISA Emergency Directives, Binding Operational Directives and required patching/remediation for vulnerabilities within the CISA Known Exploited Vulnerabilities Catalog.
Bullets two through five are specified in NRC Computer Security Organization (CSO) Standard (STD) 0020 System Security and Privacy Controls Standard and are subject to change as the standard is amended.
The Contractor shall provide patch management reports to the COR upon Contractor receipt of a written request from the COR in accordance with the following reporting timeframes:
- 5 calendar days after being requested for a classified, CUI//SP-SGI, or high sensitivity system as determined using FIPS Pub 199
- 10 calendar days after being requested for a moderate sensitivity system as determined using FIPS Pub 199
- 15 calendar days after being requested for a low sensitivity system as determined using FIPS Pub 199
The Contractor shall incorporate anti-malware solutions into all systems used to process NRC information. For any Contractor system used to process NRC information, the Contractor must ensure that:
- All information is scanned for viruses prior to allowing the system to access the information
- Servers are scanned for malware, including viruses, adware, and spyware.
- Anti-malware information is updated at least at the following frequency:
  - 1 calendar day for a high sensitivity system
  - 3 calendar days for a moderate sensitivity system
  - 7 calendar days for a low sensitivity system
For any Contractor deliverables or information loaded on external hard drives or other electronic devices, the Contractor must ensure that, prior to delivery to the NRC, the device, including software and files, is free of malware, including computer viruses, worms, trojan horses, ransomware, spyware, adware, scareware, browser hijacking software, mobile code, or other malicious code.
H.3 INFORMATION TECHNOLOGY (IT) SECURITY REQUIREMENTS - GENERAL EXCEPTIONS (AUG 2023)
All purchases shall comply with the latest version of policy, procedures, and standards.
Individual task orders will reference latest versions of policy, procedures, standards, or exceptions as necessary. These policy, procedures and standards include: NRC Management Directive (MD) volume 12 Security, Information Security Directorate policies, NRC processes, NRC procedures, NRC guidance, and NRC standards, National Institute of Standards and Technology (NIST) guidance and Federal Information Processing Standards (FIPS), and Committee on National Security Systems (CNSS) policy, directives, instructions, and guidance.
The applicable management directives can be found on NRC's website here:
https://www.nrc.gov/reading-rm/doc-collections/management-directives/volumes/vol-12.html.
All procurements must be certified and accredited prior to being placed into an operational state.
All cloud services must be FedRAMP authorized. Deviations can only be approved by the NRC Chief Information Security Officer (CISO).
All electronic processing of NRC sensitive information, including all system development and operations and maintenance activities performed at non-NRC facilities shall be in facilities, networks, and computers that have been accredited by NRC for processing information at the highest sensitivity of the information that is processed, stored, or transmitted.
Exceptions to or deviations from MD 12.5 may be granted by the NRC Chief Information Officer (CIO), except for those areas in which the responsibility or authority is vested solely with the Executive Director of Operations (EDO) or Director, Office of Administration (ADM) and cannot be delegated, or for matters specifically required by law, Executive Order, or directive to be referred to other management officials.
For national security systems, nothing in MD 12.5 shall supersede any authority of the Director of National Intelligence (DNI), National Security Agency (NSA), Secretary of Defense, or other agency head, as authorized by law and as directed by the President, with regard to the operation, control, or management of national security systems. Nothing in this directive or handbook shall supersede any requirement made by or under the Atomic Energy Act of 1954.
Restricted data or formerly restricted data shall be handled, protected, classified, downgraded, and declassified in conformity with the Atomic Energy Act of 1954.
H.4 IT SECURITY REQUIREMENTS - DEVELOPMENT AND OPERATIONS AND MAINTENANCE REQUIREMENTS (AUG 2023)
Requirements in this clause supersede less restrictive requirements in NRCAR clause Information Technology (IT) Security Requirements (May 2022) https://www.nrc.gov/about-nrc/contracting/48cfr-ch20.html.
All work under this contract and all devices used to process NRC sensitive information shall comply with the following special publications (SP), management directives, standards, and processes, as amended:
National Institute of Standards and Technology (NIST) Special Publications (SP) as amended:
- SP 800-12 Rev. 1, An Introduction to Information Security
- SP 800-15, MISPC Minimum Interoperability Specification for PKI Components, Version 1
- SP 800-16, Information Technology Security Training Requirements: a Role- and Performance-Based Model
- SP 800-18 Rev. 1, Guide for Developing Security Plans for Federal Information Systems
- SP 800-22 Rev. 1a, A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications
- SP 800-25, Federal Agency Use of Public Key Technology for Digital Signatures and Authentication
- SP 800-28 Version 2, Guidelines on Active Content and Mobile Code
- SP 800-30 Rev. 1, Guide for Conducting Risk Assessments
- SP 800-32, Introduction to Public Key Technology and the Federal PKI Infrastructure
- SP 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems
- SP 800-35, Guide to Information Technology Security Services
- SP 800-37 Rev. 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
- SP 800-38A, Recommendation for Block Cipher Modes of Operation: Methods and Techniques
- SP 800-38A Addendum, Recommendation for Block Cipher Modes of Operation: Three Variants of Ciphertext Stealing for CBC Mode
- SP 800-38B, Recommendation for Block Cipher Modes of Operation: the CMAC Mode for Authentication
- SP 800-38C, Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality
- SP 800-38D, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC
- SP 800-38E, Recommendation for Block Cipher Modes of Operation: the XTS-AES Mode for Confidentiality on Storage Devices
- SP 800-38F, Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping
- SP 800-38G, Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption
- SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View
- SP 800-40 Rev. 3, Guide to Enterprise Patch Management Technologies
- SP 800-41 Rev. 1, Guidelines on Firewalls and Firewall Policy
- SP 800-44 Version 2, Guidelines on Securing Public Web Servers
- SP 800-45 Version 2, Guidelines on Electronic Mail Security
- SP 800-46 Rev. 2, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security
- SP 800-47, Security Guide for Interconnecting Information Technology Systems
- SP 800-49, Federal S/MIME V3 Client Profile
- SP 800-50, Building an Information Technology Security Awareness and Training Program
- SP 800-51 Rev. 1, Guide to Using Vulnerability Naming Schemes
- SP 800-52 Rev. 2, Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations
- SP 800-53 Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations
- SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations
- SP 800-53A Rev. 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans
- SP 800-53B, Control Baselines for Information Systems and Organizations
- SP 800-55 Rev. 1, Performance Measurement Guide for Information Security
- SP 800-56A Rev. 3, Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography
- SP 800-56B Rev. 2, Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography
- SP 800-56C Rev. 2, Recommendation for Key-Derivation Methods in Key-Establishment Schemes
- SP 800-57 Part 1 Rev. 5, Recommendation for Key Management: Part 1 - General
- SP 800-57 Part 2 Rev. 1, Recommendation for Key Management: Part 2 - Best Practices for Key Management Organizations
- SP 800-57 Part 3 Rev. 1, Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance
- SP 800-58, Security Considerations for Voice Over IP Systems
- SP 800-59, Guideline for Identifying an Information System as a National Security System
- SP 800-60 Vol. 1 Rev. 1, Guide for Mapping Types of Information and Information Systems to Security Categories
- SP 800-60 Vol. 2 Rev. 1, Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices
- SP 800-61 Rev. 2, Computer Security Incident Handling Guide
- SP 800-63-3, Digital Identity Guidelines
- SP 800-63A, Digital Identity Guidelines: Enrollment and Identity Proofing
- SP 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management
- SP 800-63C, Digital Identity Guidelines: Federation and Assertions
- SP 800-66 Rev. 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
- SP 800-67 Rev. 2, Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher
- SP 800-70 Rev. 4, National Checklist Program for IT Products: Guidelines for Checklist Users and Developers
- SP 800-72, Guidelines on PDA Forensics
- SP 800-73-4, Interfaces for Personal Identity Verification
- SP 800-76-2, Biometric Specifications for Personal Identity Verification
- SP 800-77 Rev. 1, Guide to IPsec VPNs
- SP 800-78-4, Cryptographic Algorithms and Key Sizes for Personal Identity Verification
- SP 800-79-2, Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI)
- SP 800-81-2, Secure Domain Name System (DNS) Deployment Guide
- SP 800-82 Rev. 2, Guide to Industrial Control Systems (ICS) Security
- SP 800-83 Rev. 1, Guide to Malware Incident Prevention and Handling for Desktops and Laptops
- SP 800-84, Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities
- SP 800-85A-4, PIV Card Application and Middleware Interface Test Guidelines (SP 800-73-4 Compliance)
- SP 800-85B, PIV Data Model Test Guidelines
- SP 800-86, Guide to Integrating Forensic Techniques into Incident Response
- SP 800-87 Rev. 2, Codes for Identification of Federal and Federally-Assisted Organizations
- SP 800-88 Rev. 1, Guidelines for Media Sanitization
- SP 800-89, Recommendation for Obtaining Assurances for Digital Signature Applications
- SP 800-90A Rev. 1, Recommendation for Random Number Generation Using Deterministic Random Bit Generators
- SP 800-90B, Recommendation for the Entropy Sources Used for Random Bit Generation
- SP 800-92, Guide to Computer Security Log Management
- SP 800-94, Guide to Intrusion Detection and Prevention Systems (IDPS)
- SP 800-95, Guide to Secure Web Services
- SP 800-96, PIV Card to Reader Interoperability Guidelines
- SP 800-97, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i
- SP 800-98, Guidelines for Securing Radio Frequency Identification (RFID) Systems
- SP 800-100, Information Security Handbook: A Guide for Managers
- SP 800-101 Rev. 1, Guidelines on Mobile Device Forensics
- SP 800-102, Recommendation for Digital Signature Timeliness
- SP 800-106, Randomized Hashing for Digital Signatures
- SP 800-107 Rev. 1, Recommendation for Applications Using Approved Hash Algorithms
- SP 800-108, Recommendation for Key Derivation Using Pseudorandom Functions (Revised)
- SP 800-111, Guide to Storage Encryption Technologies for End User Devices
- SP 800-113, Guide to SSL VPNs
- SP 800-114 Rev. 1, User's Guide to Telework and Bring Your Own Device (BYOD) Security
- SP 800-115, Technical Guide to Information Security Testing and Assessment
- SP 800-116 Rev. 1, Guidelines for the Use of PIV Credentials in Facility Access
- SP 800-119, Guidelines for the Secure Deployment of IPv6
- SP 800-121 Rev. 2, Guide to Bluetooth Security
- SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
- SP 800-123, Guide to General Server Security
- SP 800-124 Rev. 1, Guidelines for Managing the Security of Mobile Devices in the Enterprise
- SP 800-125, Guide to Security for Full Virtualization Technologies
- SP 800-125A Rev. 1, Security Recommendations for Server-based Hypervisor Platforms
- SP 800-125B, Secure Virtual Network Configuration for Virtual Machine (VM) Protection
- SP 800-126 Rev. 1, The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.1
- SP 800-126 Rev. 2, The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.2
- SP 800-126 Rev. 3, The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3
- SP 800-126A, SCAP 1.3 Component Specification Version Updates: An Annex to NIST Special Publication 800-126 Revision 3
- SP 800-128, Guide for Security-Focused Configuration Management of Information Systems
- SP 800-130, A Framework for Designing Cryptographic Key Management Systems
- SP 800-131A Rev. 2, Transitioning the Use of Cryptographic Algorithms and Key Lengths
- SP 800-132, Recommendation for Password-Based Key Derivation: Part 1: Storage Applications
- SP 800-133 Rev. 2, Recommendation for Cryptographic Key Generation
- SP 800-135 Rev. 1, Recommendation for Existing Application-Specific Key Derivation Functions
- SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations
- SP 800-137A, Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment
- SP 800-140, FIPS 140-3 Derived Test Requirements (DTR): CMVP Validation Authority Updates to ISO/IEC 24759
- SP 800-140A, CMVP Documentation Requirements: CMVP Validation Authority Updates to ISO/IEC 24759
- SP 800-140B, CMVP Security Policy Requirements: CMVP Validation Authority Updates to ISO/IEC 24759 and ISO/IEC 19790 Annex B
- SP 800-140C, CMVP Approved Security Functions: CMVP Validation Authority Updates to ISO/IEC 24759
- SP 800-140D, CMVP Approved Sensitive Parameter Generation and Establishment Methods: CMVP Validation Authority Updates to ISO/IEC 24759
- SP 800-140E, CMVP Approved Authentication Mechanisms: CMVP Validation Authority Requirements for ISO/IEC 19790 Annex E and ISO/IEC 24579 Section 6.17
- SP 800-140F, CMVP Approved Non-Invasive Attack Mitigation Test Metrics: CMVP Validation Authority Updates to ISO/IEC 24759
- SP 800-142, Practical Combinatorial Testing
- SP 800-144, Guidelines on Security and Privacy in Public Cloud Computing
- SP 800-145, The NIST Definition of Cloud Computing
- SP 800-146, Cloud Computing Synopsis and Recommendations
- SP 800-147, BIOS Protection Guidelines
- SP 800-147B, BIOS Protection Guidelines for Servers
- SP 800-150, Guide to Cyber Threat Information Sharing
- SP 800-152, A Profile for U.S. Federal Cryptographic Key Management Systems (CKMS)
- SP 800-153, Guidelines for Securing Wireless Local Area Networks (WLANs)
- SP 800-156, Representation of PIV Chain-of-Trust for Import and Export
- SP 800-160 Vol. 1, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems
- SP 800-160 Vol. 2, Developing Cyber Resilient Systems: A Systems Security Engineering Approach
- SP 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations
- SP 800-162, Guide to Attribute Based Access Control (ABAC) Definition and Considerations
- SP 800-163 Rev. 1, Vetting the Security of Mobile Applications
- SP 800-166, Derived PIV Application and Data Model Test Guidelines
- SP 800-167, Guide to Application Whitelisting
- SP 800-168, Approximate Matching: Definition and Terminology
- SP 800-175A, Guideline for Using Cryptographic Standards in the Federal Government: Directives, Mandates and Policies
- SP 800-175B Rev. 1, Guideline for Using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms
- SP 800-177 Rev. 1, Trustworthy Email
- SP 800-179, Guide to Securing Apple OS X 10.10 Systems for IT Professionals: A NIST Security Configuration Checklist
- SP 800-181 Rev. 1, Workforce Framework for Cybersecurity (NICE Framework)
- SP 800-183, Networks of 'Things'
- SP 800-184, Guide for Cybersecurity Event Recovery
- SP 800-185, SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash, and ParallelHash
- SP 800-187, Guide to LTE Security
- SP 800-189, Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation
- SP 800-190, Application Container Security Guide
- SP 800-192, Verification and Test Methods for Access Control Policies/Models
- SP 800-193, Platform Firmware Resiliency Guidelines
- SP 800-202, Quick Start Guide for Populating Mobile Test Devices
- SP 800-204, Security Strategies for Microservices-based Application Systems
- SP 800-204A, Building Secure Microservices-based Applications Using Service-Mesh Architecture
- SP 800-204B, Attribute-based Access Control for Microservices-based Applications using a Service Mesh
- SP 800-205, Attribute Considerations for Access Control Systems
- SP 800-207, Zero Trust Architecture
- SP 800-208, Recommendation for Stateful Hash-Based Signature Schemes
- SP 800-209, Security Guidelines for Storage Infrastructure
- SP 800-210, General Access Control Guidance for Cloud Systems
- SP 800-213, IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements
NRC Management Directives (MD) as amended:
- MD 12.0 - Glossary of Security Terms
- MD 12.1 - NRC Facility Security Program
- MD 12.2 - NRC Classified Information Security Program
- MD 12.3 - NRC Personnel Security Program
- MD 12.4 - NRC Communications Security (COMSEC) Program
- MD 12.5 - NRC Cybersecurity Program
- MD 12.6 - NRC Sensitive Unclassified Information Security Program
- MD 12.7 - NRC Safeguards Information Security Program
Cybersecurity Organization Issuances as amended:
Standards (available in NRC's Public Agencywide Documents Access and Management System (ADAMS), located at: https://adams.nrc.gov/wba/. Search for Accession Number ML22101A241)
- CSO-STD-0001 Strong Password Standard
- CSO-STD-0020 Organization-Defined Values for System Security and Privacy Controls
- CSO-STD-0021 Common and Hybrid Security Control Standard
- CSO-STD-0040 Warning Banner Standard
- CSO-STD-1002 NRC Classified Information Electronic Processing Security Standard
- CSO-STD-1003 NRC Safeguards Information Electronic Processing Security Standard
- CSO-STD-1004 General Laptop Configuration Standard
- CSO-STD-1108 Web Application Standard
- CSO-STD-2002 System Backup Standard
- CSO-STD-2004 Electronic Media Device Handling Standard
- CSO-STD-2005 System Monitoring Standard
- CSO-STD-2006 User Access Management Standard
- CSO-STD-2008 Network Ports, Protocols, and Services Enterprise Security Architecture Standard
- CSO-STD-2009 Cryptographic Control Standard
- CSO-STD-2105 NRC User Remote Access and International Travel Security Standard
- CSO-STD-2108 Endpoint Protection Security Standard
- CSO-STD-4000 Network Infrastructure Enterprise Security Architecture Standard
Processes (available in NRC's Public ADAMS, located at: https://adams.nrc.gov/wba/. Search for Accession Number ML22077A369)
- CSO-PROS-1323 Frequencies
- CSO-PROS-1323 Information Security Continuous Monitoring Process
- CSO-PROS-1324 Deviation Request Process
- CSO-PROS-1341 Short Term Authorization Process
- CSO-PROS-1401 Periodic System Scanning Process
- CSO-PROS-2001 System Security Categorization Process
- CSO-PROS-2016 Plan of Action and Milestones (POAM) Process
- CSO-PROS-2030 Risk Management Framework Process
- CSO-PROS-2101 NRC IT System/Subsystem/Service Decommissioning and/or Transfer Process
- CSO-PROS-2102 System Cybersecurity Assessment Process
- CSO-PROS-2108 800-79 Assessment Process
- CSO-PROS-7002 Security Control Tailoring Process
Exceptions to or deviations from NRC MD 12.5 may be granted by the NRC CIO in writing. For national security systems, nothing in MD 12.5 shall supersede any authority of the DNI, NSA, Secretary of Defense, or other agency head, as authorized by law and as directed by the President, with regard to the operation, control, or management of national security systems.
Restricted data or formerly restricted data shall be handled, protected, classified, downgraded, and declassified in conformity with the Atomic Energy Act of 1954 as amended.
All cloud offerings used to process, transmit, or store NRC sensitive information must be Federal Risk and Authorization Management Program (FedRAMP) authorized at least at the moderate level. When processing non-sensitive information, the cloud offering must be FedRAMP authorized. These cloud offerings can use any impact level that is deemed appropriate.
All Contractor systems shall comply with NRC security policies and procedures, as well as federal laws, guidance, and standards to ensure compliance with the Federal Information Security Modernization Act (FISMA) as amended.
All information provided by NRC to the Contractor shall not be used in any way other than required by the contract without the expressed consent of the Contracting Officer.
If the Contractor is providing, through sale or lease, a system or system components, the Contractor shall:
- 1. Provide a description of the functional properties of security and privacy controls functionality (i.e., security or privacy capability, functions, or mechanisms) visible at the interfaces of the controls and specifically exclude functionality and data structures internal to the operation of the controls.
- 2. Provide design and implementation information for the controls that includes security-relevant external system interfaces and implementation information. Implementation documentation shall include manufacturer, version, serial number, verification hash or signature, date of purchase or download, and the vendor or download source.
- 3. Deliver the system, component, or service with COR-approved security configurations implemented.
- 4. Use the configurations as the default for any subsequent system, component, or service reinstallation or upgrade.
- 5. Produce a plan for continuous monitoring of control effectiveness that is consistent with NRC CSO-PROS-1323, Information Security Continuous Monitoring Process.
- 6. Identify the functions, ports, protocols, and services intended for organizational use within the proposal or in the design phase at the latest.
- 7. Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within NRC systems.
- 8. Require subcontractors involved in the supply chain for the system, system component, or system service to provide the Contractor with notification of supply chain compromises and results of assessments or audits. The Contractor shall provide the COR the notifications and results within one (1) day of receipt of the information.
- 9. Implement a tamper protection program, including counterfeit detection, for the system, system component, or system service throughout the System Development Life Cycle (SDLC).
If the Contractor is developing a system or system components for or on behalf of the NRC, the Contractor shall also:
- 1. Provide high-level design, low-level design, source code, and hardware schematics. High-level design for the system means subsystems and the interfaces between subsystems. The low-level design for the system means modules and the interfaces between modules. Design and implementation documentation shall include manufacturer, version, serial number, verification hash signature, software libraries used, date of purchase or download, and the vendor or download source. Source code and hardware schematics mean the implementation representation of the system.
- 2. Demonstrate the use of a system development life cycle process that includes software development methods, systems engineering methods, systems security and privacy engineering methods, and quality control processes.
1.11 Information Security Training and Awareness Training
The Contractor shall ensure that its personnel that have significant cybersecurity responsibilities (e.g., Security Control Assessor, System Administrators) complete required role-based training before assuming the role and periodically thereafter in accordance with NRC requirements.
1.12 Development, Operations, and Maintenance
The Contractor shall correct errors in contractor-developed software and applicable documentation that are not commercial off-the-shelf that are discovered by NRC personnel or the Contractor.
The Contractor shall provide a system requirements traceability matrix at the completion of each of the following: requirements analysis, system design, system implementation/coding, system testing, and system deployment that provides the security requirements in a separate section so that they can be traced through the development life cycle. The Contractor shall also provide the software and hardware designs and test plan documentation and source code to the COR for review upon Contractor receipt of a written request from them.
The Contractor shall protect all development and testing of the systems at their assigned system sensitivity level and the Contractor shall perform them on a network that is separate and isolated from the NRC operational network.
The Contractor shall properly configure and harden all system computers according to NRC policies, guidance, and standards and comply with all NRC security policies and procedures as commensurate with the system security categorization.
All Contractor-provided deliverables identified in the project plan will be subject to the review and approval of NRC Management. The Contractor will make the necessary modifications to project deliverables to resolve any identified issues. Project deliverables include but are not limited to: requirements, architectures, design documents, test plans, and test reports.
1.12.1 Access Controls
The Contractor shall not hardcode any passwords or other authentication information into software provided under this contract unless the password only appears on the server side (e.g., using server-side technology such as ASP, PHP, or JSP).
The Contractor shall ensure that the software does not contain undocumented functions and undocumented methods for gaining access to the software or to the computer system on which it is installed. This includes, but is not limited to, master access keys, back doors, or trapdoors.
1.12.2 Configuration Management
The Contractor must ensure that the system is divided into configuration items (CIs). CIs are parts of a system that may be individually managed and versioned. The Contractor shall manage the system at the CI level.
The Contractor must submit a configuration management plan that includes all hardware and software that is part of the system and contains at minimum the following sections:
- a. Introduction
  - i. Purpose & Scope
  - ii. Definitions
  - iii. References
- b. Configuration Management
  - i. Organization
  - ii. Responsibilities
  - iii. Tools and Infrastructure
- c. Configuration Management Activities
  - i. Specification Identification
  - ii. Change control form identification
  - iii. Project baselines
- d. Configuration and Change Control
  - i. Change Request Processing and Approval
  - ii. Change Control Board
- e. Milestones
  - i. Define baselines, reviews, audits
  - ii. Training and Resources
The Contractor shall describe the Information System Security Officer's (ISSO's) role in the change management process. The ISSO is responsible for the security posture of the system.
Any changes to the system security posture must be approved by the ISSO. The Contractor shall not make changes to the system's security posture without the appropriate involvement and approval of the COR.
The Contractor shall track and record information specific to proposed and approved changes that minimally include:
- 1. Identified configuration change
- 2. Testing of the configuration change
- 3. Scheduled implementation of the configuration change
- 4. Track system impact of the configuration change
- 5. Track the implementation of the configuration change
- 6. Recording & reporting of configuration change to the appropriate party
- 7. Back out/Fall back plan
- 8. Weekly Change Reports and meeting minutes
- 9. Emergency change procedures
- 10. List of team members from key functional areas
The Contractor shall provide a list of software and hardware changes in advance of placing them into operation within the following timeframes:
- 30 calendar days for a classified, CUI//SP-SGI, or high sensitivity system
- 20 calendar days for a moderate sensitivity system
- 10 calendar days for a low sensitivity system
The Contractor must maintain all system documentation that is current to within:
- 10 calendar days for a classified, CUI//SP-SGI, or high sensitivity system
- 20 calendar days for a moderate sensitivity system
- 30 calendar days for a low sensitivity system
Modified code, tests performed and test results, issue resolution documentation, and updated system documentation shall be deliverables on the contract.
Any proposed changes to the system must have written approval from the NRC COR.
The Contractor shall complete analysis of proposed hardware and software configurations and modification as well as security vulnerabilities in advance of NRC accepted operational deployment dates and shall provide the documented analysis:
- 30 calendar days in advance of NRC accepted operational deployment date for a classified, CUI//SP-SGI, or high sensitivity system
- 20 calendar days in advance of NRC accepted operational deployment date for a moderate sensitivity system
- 10 calendar days in advance of NRC accepted operational deployment date for a low sensitivity system
1.12.3 Control of Hardware and Software
The Contractor shall demonstrate that all hardware and software meet security requirements prior to being placed into the NRC production environment.
The Contractor shall ensure that the development environment is separated from the operational environment using NRC CSO approved controls.
The Contractor shall only use licensed software and in-house developed authorized software (including NRC and contractor developed) on the system and for processing NRC information.
Public domain, shareware, or freeware shall only be installed after prior written approval is obtained from the NRC Chief Information Security Officer (CISO).
The Contractor shall provide proof of valid software licensing upon request of the Contracting Officer, the NRC COR, the NRC CISO, or the NRC Authorizing Official.
1.12.4 Auditing
The Contractor shall ensure that systems being developed, operated, or maintained under this contract create, maintain, and protect from modification or unauthorized access or destruction an audit trail of accesses to the objects they protect. The Contractor shall ensure that audit data is protected so that read access to it is limited to those who are authorized.
The Contractor shall ensure auditing is implemented on all system components in accordance with CSO-STD-0020, Organization-Defined Values for System Security and Privacy Controls.
The system shall be able to audit any override of security controls.
H.5 IT SECURITY REQUIREMENTS - CERTIFICATION AND ACCREDITATION (AUG 2023)
If the contractor develops, operates, or maintains NRC information technology resources, the contractor will be expected to patch, harden, and maintain these resources according to all Federally Mandated and NRC defined cybersecurity and privacy requirements. The contractor will have documented processes and procedures that describe how these information technology resources are configured and maintained.
The contractor will also document how the National Institute of Standards and Technology (NIST) Special Publications (SP) 800-53 security controls are implemented and how the security controls are monitored and maintained over time. All processes, procedures, and documentation supported by the contractor must be kept current when the information technology resources the contractor is supporting are re-configured, updated, modified, or changed.
All references to NIST special publications will be considered as amended. That means that as a publication is updated, the contractor will ensure all changes are addressed.
The following provides a description of a system authorization package and how an authorization is handled:
- Security Categorization documents (e.g., Security Categorization Report [SEC CAT], Business Impact Assessment [BIA], Privacy Threshold Analysis (PTA) / Privacy Impact Assessment (PIA), Digital Authentication Risk Assessment [DARA]).
- Security Categorization Assessment Reports (SCAR).
- System Security Plan (SSP).
- Assessment Documents (e.g., Security Assessment Plan [SAP], FTS, VAR, Security Assessment Report [SAR], Plan of Actions and Milestones [POA&M]).
- Supporting Documentation (e.g., System Inventory, System Architecture Document [SAD], System Diagrams, Contingency Plan [CP], Contingency Test Plan [CTP], Contingency Test Report [CTR], Disaster Recovery Procedures, Incident Response [IR] Plan, Configuration Management [CM] Plan, Deviation Requests [DR], Deviation Request Assessment Report [DRAR], Standard Operating Procedures [SOPs], Service Level Agreements [SLA], Memorandums of Understanding [MOU], Interconnection Security Agreements [ISA]).
The VAR, SAR, and CTR are delivered in a file format that cannot be changed (e.g., Portable Document Format [PDF]). The FTS, VAR, and SAR must be current within the last 3 months unless a waiver has been granted by the CISO. All high-risk findings should be mitigated before an authorization is requested.
The authorization package provides the information needed to develop the CISO recommendation. The CISO's recommendation summarizes the risks associated with the authorization decision, includes all attached supporting documentation associated with the recommendation (e.g., security categorization documents, SCAR, SSP, assessment, supporting documentation), and supports one of the following outcomes:
- Granting an authorization.
- Not granting an authorization.
- Request for more information from the system owner, ISSO, or assessors to clarify any discrepancies or issues found with the authorization package.
The authorization package and CISO recommendation are essential and provide the AO with the information needed to make a credible risk-based decision on whether to grant authorization.
For more information see (this is not a complete list):
NIST Special Publications (as amended):
- NIST FIPS 199, Standards for Security Categorization of Federal Information and Information Systems
- NIST FIPS 200, Minimum Security Requirements for Federal Information and Information Systems
- NIST FIPS 140, Security Requirements for Cryptographic Modules
- NIST SP 800-18, Guide for Developing System Security Plans for Federal Information Systems
- NIST SP 800-30, Guide for Conducting Risk Assessments
- NIST SP 800-34, Contingency Planning Guide for Federal Information Systems
- NIST SP 800-37, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
- NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations
- NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories vol 1
- NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories vol 2
- NIST SP 800-63, Digital Identity Guidelines
NRC Authorization Processes (as amended):
- CSO-PROS-2001 System Security Categorization Process
- CSO-PROS-1325 External IT Services Authorization Process
- CSO-PROS-2102 System Cybersecurity Assessment Process
- CSO-PROS-7002 Security Control Tailoring
H.6 IT SECURITY REQUIREMENTS - NRC AND CONTRACTOR (NON-NRC) FACILITIES (AUG 2023)
Backups
The contractor shall ensure that backup media is created, encrypted (in accordance with information sensitivity) and verified to ensure that data can be retrieved and is restorable to NRC systems based on information sensitivity levels. Backups shall be executed to create readable media that allows successful file/data restoration at the following frequencies:
- At least every 1 calendar day for a high sensitivity system
- At least every 1 calendar day for a moderate sensitivity system
- At least every 7 calendar days for a low sensitivity system
Perimeter Protection
The Contractor must employ perimeter protection mechanisms, such as firewalls and routers, to deny all communications unless explicitly allowed by exception.
The contractor must deploy and monitor intrusion detection capability and have an always deployed and actively engaged security monitoring capability in place for systems placed in operation for the NRC. Intrusion detection and monitoring reports will be made available to the NRC upon request for the following security categorizations and reporting timeframes:
- 5 calendar days after being requested for a high sensitivity system
- 10 calendar days after being requested for a moderate sensitivity system
- 15 calendar days after being requested for a low sensitivity system
H.7 GOVERNMENT FURNISHED EQUIPMENT/PROPERTY (AUG 2023)
(a) The NRC will provide the contractor with the following items for use under this contract:
- Access to results from previous NRC contracts, as needed for this project per the COR's determination, including past data, analyses, and reports.
- Access to Extremely Low Probability of Rupture (xLPR) source and executable code, user manual, data libraries, configuration control documents, and other reference files and documents pertinent to development and maintenance of the xLPR code, as needed for this project per the COR's determination.
- Access to the RESGC environment (NRC/RES high performance computing government cloud system).
- Access to NRC GitHub repositories.
(b) Only the equipment/property listed above in the quantities shown will be provided by the Government. The contractor shall be responsible and accountable for all Government property provided under this contract and shall comply with the provisions of the FAR Government Property Clause under this contract and FAR Subpart 45.5, as in effect on the date of this contract. The contractor shall investigate and provide written notification to the NRC Contracting Officer (CO) and the NRC Division of Facilities and Security, Physical Security Branch (PSB) of all cases of loss, damage, or destruction of Government property in its possession or control not later than 24 hours after discovery. The contractor must report stolen Government property to the local police and a copy of the police report must be provided to the CO and to the Division of Facilities and Security, Office of Administration.
(c) All other equipment/property required in performance of the contract shall be furnished by the Contractor.
H.8 ANNUAL AND FINAL CONTRACTOR PERFORMANCE EVALUATIONS (AUG 2023)
Annual and final evaluations of contractor performance under this contract will be prepared in accordance with FAR Subpart 42.15, "Contractor Performance Information," normally at or near the time the contractor is notified of the NRC's intent to exercise the contract option. If the multi-year contract does not have option years, then an annual evaluation will be prepared annually.
Final evaluations of contractor performance will be prepared at the expiration of the contract during the contract closeout process.
The Contracting Officer will transmit the NRC Contracting Officer's Representative's (COR) annual and final contractor performance evaluations to the contractor's Project Manager, unless otherwise instructed by the contractor. The contractor will be permitted thirty (30) calendar days to review the document and submit comments, rebutting statements, or additional information.
Where a contractor concurs with, or takes no exception to an annual performance evaluation, the Contracting Officer will consider such evaluation final and releasable for source selection purposes. Disagreements between the parties regarding a performance evaluation will be referred to an individual one level above the Contracting Officer, whose decision will be final.
The Contracting Officer will send a copy of the completed evaluation report, marked "Source Selection Information," to the contractor's Project Manager for their records as soon as practicable after it has been finalized. The completed evaluation report also will be used as a tool to improve communications between the NRC and the contractor and to improve contract performance.
The completed annual performance evaluation will be used to support future award decisions in accordance with FAR 42.1502 and 42.1503. During the period the information is being used to provide source selection information, the completed annual performance evaluation will be released to only two parties - the Federal government personnel performing the source selection evaluation and the contractor under evaluation if the contractor does not have a copy of the report already.
H.9 CONTRACTOR CONDUCT (AUG 2023)
The Contractor is responsible for ensuring that all Contractor staff receive anti-harassment training before being granted facility access. The Government reserves the right to deny or restrict facility access for any Contractor employee who engages in any conduct that the agency believes adversely affects the work place. The imposition of a restriction or prohibition shall not excuse the Contractor from performance of obligations under the contract.
H.10 NRC INFORMATION TECHNOLOGY SECURITY TRAINING (AUG 2023)
NRC contractors shall ensure that their employees, consultants, and subcontractors with access to the agency's information technology (IT) equipment and/or IT services complete NRC's online initial and refresher IT security training requirements to ensure that their knowledge of IT threats, vulnerabilities, and associated countermeasures remains current. Both the initial and refresher IT security training courses generally last an hour or less and can be taken during the employee's regularly scheduled workday.
Contractor employees, consultants, and subcontractors shall complete the NRC's online annual, "Computer Security Awareness" course on the same day that they receive access to the agency's IT equipment and/or services, as their first action using the equipment/service. For those contractor employees, consultants, and subcontractors who are already working under this contract, the on-line training must be completed in accordance with agency Network Announcements issued throughout the year, within three weeks of issuance of this modification.
Additional annual required online NRC training includes but is not limited to the following:
- 1. Allegations Intake and Routing (Initial)
- 2. Be riskSMART (Initial)
- 3. Classified Information Awareness (Initial and Annually)
- 4. Controlled Unclassified Information (CUI) Awareness (Initial and every 2 years beginning in 2023)
- 5. Cybersecurity Awareness Training (Initial and Annually)
- 6. Defensive Counterintelligence and Insider Threat Awareness (Initial and Annually)
- 7. Internal Control: A Path Forward to Accountability (Initial)
- 8. NRC Records Management Training (Initial and Annually)
- 9. Personally Identifiable Information (PII) and Privacy Act Responsibilities Awareness (Initial and Annually)
- 10. Safeguards Information Training for Staff (Initial)
Contractor employees, consultants, and subcontractors who have been granted access to NRC information technology equipment and/or IT services must continue to take IT security refresher training offered online by the NRC throughout the term of the contract. Contractor employees will receive notice of NRC's online IT security refresher training requirements through agency-wide notices.
Contractor Monthly Letter Status Reports (MLSR) must include the following information for all completed training:
(1) the name of the individual completing the course; (2) the course title; and (3) the course completion date.
The MLSR must also include the following information for those individuals who have not completed their required training:
(1) the name of the individual who has not yet completed the training; (2) the title of the course(s) which must still be completed; and (3) the anticipated course completion date(s).
The NRC reserves the right to deny or withdraw Contractor use or access to NRC IT equipment and/or services, and/or take other appropriate contract administrative actions (e.g., disallow costs, terminate for cause) should the Contractor violate the Contractor's responsibility under this clause.
H.11 SECURITY REQUIREMENTS RELATING TO THE PRODUCTION OF REPORTS OR THE PUBLICATION OF RESULTS UNDER CONTRACTS, AGREEMENTS, AND GRANTS (AUG 2023)
Review and Approval of Reports
(a) Reporting Requirements. The contractor/grantee shall comply with the terms and conditions of the contract/grant regarding the contents of the draft and final report, summaries, data, and related documents, to include correcting, deleting, editing, revising, modifying, formatting, and supplementing any of the information contained therein, at no additional cost to the NRC.
Performance under the contract/grant will not be deemed accepted or completed until it complies with the NRC's directions, as applicable. The reports, summaries, data, and related documents will be considered draft until approved by the NRC. The contractor/grantee agrees that the direction, determinations, and decisions on approval or disapproval of reports, summaries, data, and related documents created under this contract/grant remain solely within the discretion of the NRC.
(b) Publication of Results. Prior to any dissemination, display, publication, or release of articles, reports, summaries, data, or related documents developed under the contract/grant, the contractor/grantee shall submit them to the NRC for review and approval. The contractor/grantee shall not release, disseminate, display, or publish articles, reports, summaries, data, and related documents, or the contents therein, that have not been reviewed and approved by the NRC for release, display, dissemination, or publication. The contractor/grantee agrees to conspicuously place any disclaimers, markings, or notices, directed by the NRC, on any articles, reports, summaries, data, and related documents that the contractor/grantee intends to release, display, disseminate or publish to other persons, the public, or any other entities. The contractor/grantee agrees, and grants, a royalty-free, nonexclusive, irrevocable worldwide license to the government, to use, reproduce, modify, distribute, prepare derivative works, release, display or disclose the articles, reports, summaries, data, and related documents developed under the contract/grant, for any governmental purpose and to have or authorize others to do so.
(c) Identification/Marking of Sensitive Unclassified Non-Safeguards Information (SUNSI) and Safeguards Information (SGI). The decision, determination, or direction by the NRC that information possessed, formulated, or produced by the contractor/grantee constitutes SUNSI or SGI is solely within the authority and discretion of the NRC. In performing the contract/grant, the contractor/grantee shall clearly mark SUNSI and SGI, to include for example, OUO-Allegation Information or OUO-Security Related Information on any reports, documents, designs, data, materials, and written information, as directed by the NRC. In addition to marking the information as directed by the NRC, the contractor shall use the applicable NRC cover sheet (e.g., NRC Form 461 Safeguards Information) in maintaining these records and documents. The contractor/grantee shall ensure that SUNSI and SGI are handled, maintained, and protected from unauthorized disclosure, consistent with NRC policies and directions. The contractor/grantee shall comply with the requirements to mark, maintain, and protect all information, including documents, summaries, reports, data, designs, and materials in accordance with the provisions of Section 147 of the Atomic Energy Act of 1954 as amended, its implementing regulations (10 CFR 73.21), Sensitive Unclassified Non-Safeguards and Safeguards Information policies, and NRC Management Directives and Handbooks 12.5, 12.6 and 12.7.
(d) Remedies. In addition to any civil, criminal, and contractual remedies available under the applicable laws and regulations, failure to comply with the above provisions, and/or NRC directions, may result in suspension, withholding, or offsetting of any payments invoiced or claimed by the contractor/grantee.
(e) Flowdown. If the contractor/grantee intends to enter into any subcontracts or other agreements to perform this contract/grant, the contractor/grantee shall include all of the above provisions in any subcontracts or agreements.
H.12 DRUG FREE WORKPLACE TESTING: UNESCORTED ACCESS TO NUCLEAR FACILITIES, ACCESS TO CLASSIFIED INFORMATION OR SAFEGUARDS INFORMATION, OR PERFORMING IN ESPECIALLY SENSITIVE POSITIONS (AUG 2023)
The following Contractor employees, subcontractor personnel, and consultants proposed for performance or performing under this contract shall be subject to pre-assignment, random, reasonable suspicion, and post-accident drug testing: (1) individuals who have access to classified information (National Security Information and/or Restricted Data); (2) individuals who have access to Safeguards information (section 147 of the Atomic Energy Act of 1954, as amended); (3) individuals who are authorized to carry firearms while performing work under this contract; (4) individuals who are required to operate government vehicles or transport passengers for the NRC; (5) individuals who are required to operate hazardous equipment at NRC facilities; (6) individuals who administer the agency's drug program or who have Employee Assistance Program duties; (7) individuals who have unescorted access to vital or protected areas of Nuclear Power Plants, Category 1 Fuel Cycle Facilities, or Uranium Enrichment Facilities; or (8) incident/emergency response personnel (including on-call).
NRCAR Clauses Incorporated By Reference
NRCAR Clauses Incorporated By Full Text
H.13 2052.204-70 SECURITY. (OCT 1999)
(a) Security/Classification Requirements Form. The attached NRC Form 187 (See List of Attachments) furnishes the basis for providing security and classification requirements to prime contractors, subcontractors, or others (e.g., bidders) who have or may have an NRC contractual relationship that requires access to classified information or matter, access on a continuing basis (in excess of 90 or more days) to NRC Headquarters controlled buildings, or otherwise requires NRC photo identification or card-key badges.
(b) It is the contractor's duty to safeguard National Security Information, Restricted Data, and Formerly Restricted Data. The contractor shall, in accordance with the Commission's security regulations and requirements, be responsible for safeguarding National Security Information, Restricted Data, and Formerly Restricted Data, and for protecting against sabotage, espionage, loss, and theft, the classified documents and material in the contractor's possession in connection with the performance of work under this contract. Except as otherwise expressly provided in this contract, the contractor shall transmit to the Commission any classified matter in the possession of the contractor or any person under the contractor's control in connection with performance of this contract upon completion or termination of this contract.
(1) The contractor shall complete a certificate of possession to be furnished to the Commission specifying the classified matter to be retained if the retention is:
(i) Required after the completion or termination of the contract; and (ii) Approved by the contracting officer.
(2) The certification must identify the items and types or categories of matter retained, the conditions governing the retention of the matter and their period of retention, if known. If the retention is approved by the contracting officer, the security provisions of the contract continue to be applicable to the matter retained.
(c) In connection with the performance of the work under this contract, the contractor may be furnished, or may develop or acquire, proprietary data (trade secrets) or confidential or privileged technical, business, or financial information, including Commission plans, policies, reports, financial plans, internal data protected by the Privacy Act of 1974 (Pub. L. 93-579), or other information which has not been released to the public or has been determined by the Commission to be otherwise exempt from disclosure to the public. The contractor agrees to hold the information in confidence and not to directly or indirectly duplicate, disseminate, or disclose the information, in whole or in part, to any other person or organization except as necessary to perform the work under this contract. The contractor agrees to return the information to the Commission or otherwise dispose of it at the direction of the contracting officer. Failure to comply with this clause is grounds for termination of this contract.
(d) Regulations. The contractor agrees to conform to all security regulations and requirements of the Commission which are subject to change as directed by the NRC Division of Facilities and Security and the Contracting Officer. These changes will be under the authority of the FAR Changes clause referenced in Section I of this document.
(e) Definition of National Security Information. As used in this clause, the term National Security Information means information that has been determined pursuant to Executive Order 12958 or any predecessor order to require protection against unauthorized disclosure and that is so designated.
(f) Definition of Restricted Data. As used in this clause, the term Restricted Data means all data concerning design, manufacture, or utilization of atomic weapons; the production of special nuclear material; or the use of special nuclear material in the production of energy, but does not include data declassified or removed from the Restricted Data category under Section 142 of the Atomic Energy Act of 1954, as amended.
(g) Definition of Formerly Restricted Data. As used in this clause, the term Formerly Restricted Data means all data removed from the Restricted Data category under Section 142-d of the Atomic Energy Act of 1954, as amended.
(h) Security clearance personnel. The contractor may not permit any individual to have access to Restricted Data, Formerly Restricted Data, or other classified information, except in accordance with the Atomic Energy Act of 1954, as amended, and the Commission's regulations or requirements applicable to the particular type or category of classified information to which access is required. The contractor shall also execute a Standard Form 312, Classified Information Nondisclosure Agreement, when access to classified information is required.
(i) Criminal liabilities. Disclosure of National Security Information, Restricted Data, and Formerly Restricted Data relating to the work or services ordered hereunder to any person not entitled to receive it, or failure to safeguard any Restricted Data, Formerly Restricted Data, or any other classified matter that may come to the contractor or any person under the contractor's control in connection with work under this contract, may subject the contractor, its agents, employees, or subcontractors to criminal liability under the laws of the United States. (See the Atomic Energy Act of 1954, as amended, 42 U.S.C. 2011 et seq.; 18 U.S.C. 793 and 794; and Executive Order 12958.)
(j) Subcontracts and purchase orders. Except as otherwise authorized, in writing, by the contracting officer, the contractor shall insert provisions similar to the foregoing in all subcontracts and purchase orders under this contract.
(k) In performing contract work, the contractor shall classify all documents, material, and equipment originated or generated by the contractor in accordance with guidance issued by the Commission. Every subcontract and purchase order issued under the contract that involves originating or generating classified documents, material, and equipment must provide that the subcontractor or supplier assign the proper classification to all documents, material, and equipment in accordance with guidance furnished by the contractor.
(End of Clause)
H.14 2052.204-71 SITE ACCESS BADGE REQUIREMENTS. (JAN 1993)
During the life of this contract, the rights of ingress and egress for contractor personnel must be made available as required. In this regard, all contractor personnel whose duties under this contract require their presence on-site shall be clearly identifiable by a distinctive badge furnished by the Government. The Project Officer shall assist the contractor in obtaining the badges for contractor personnel. It is the sole responsibility of the contractor to ensure that each employee has proper identification at all times. All prescribed identification must be immediately delivered to the Security Office for cancellation or disposition upon the termination of employment of any contractor personnel. Contractor personnel shall have this identification in their possession during on-site performance under this contract. It is the contractor's duty to assure that contractor personnel enter only those work areas necessary for performance of contract work and to assure the safeguarding of any Government records or data that contractor personnel may come into contact with.
(d) All technical directions must be issued in writing by the COR or must be confirmed by the COR in writing within ten (10) working days after verbal issuance. A copy of the written direction must be furnished to the contracting officer. A copy of NRC Form 445, Request for Approval of Official Foreign Travel, which has received final approval from the NRC must be furnished to the contracting officer.
(e) The contractor shall proceed promptly with the performance of technical directions duly issued by the COR in the manner prescribed by this clause and within the COR's authority under the provisions of this clause.
(f) If, in the opinion of the contractor, any instruction or direction issued by the COR is within one of the categories as defined in paragraph (c) of this section, the contractor may not proceed but shall notify the contracting officer in writing within five (5) working days after the receipt of any instruction or direction and shall request the contracting officer to modify the contract accordingly. Upon receiving the notification from the contractor, the contracting officer shall issue an appropriate contract modification or advise the contractor in writing that, in the contracting officer's opinion, the technical direction is within the scope of this article and does not constitute a change under the "Changes" clause.
(g) Any unauthorized commitment or direction issued by the COR may result in an unnecessary delay in the contractor's performance and may even result in the contractor expending funds for unallowable costs under the contract.
(h) A failure of the parties to agree upon the nature of the instruction or direction or upon the contract action to be taken with respect thereto is subject to 52.233 Disputes.
(i) In addition to providing technical direction as defined in paragraph (b) of the section, the COR shall:
(1) Monitor the contractor's technical progress, including surveillance and assessment of performance, and recommend to the contracting officer changes in requirements.
(2) Assist the contractor in the resolution of technical problems encountered during performance.
(3) Review all costs requested for reimbursement by the contractor and submit to the contracting officer recommendations for approval, disapproval, or suspension of payment for supplies and services required under this contract.
(4) Assist the contractor in obtaining the badges for the contractor personnel.
(5) Immediately notify the Security Branch, Division of Facilities and Security (SB/DFS) (via e-mail) when a contractor employee no longer requires access authorization and return of any NRC issued badge to SB/DFS within three days after their termination.
(6) Ensure that all contractor employees that require access to classified Restricted Data or National Security Information or matter, access to sensitive unclassified information (Safeguards, Official Use Only, and Proprietary information), access to sensitive IT systems or data, unescorted access to NRC controlled buildings/space, or unescorted access to protected and vital areas of nuclear power plants receive approval of SB/DFS prior to access in accordance with Management Directive and Handbook 12.3.
(7) For contracts for the design, development, maintenance or operation of Privacy Act Systems of Records, obtain from the contractor as part of closeout procedures, written certification that the contractor has returned to NRC, transferred to the successor contractor, or destroyed at the end of the contract in accordance with instructions provided by the NRC Systems Manager for Privacy Act Systems of Records, all records (electronic or paper) which were created, compiled, obtained or maintained under the contract.
(End of Clause)
H.17 2052.242-70 RESOLVING DIFFERING PROFESSIONAL VIEWS. (OCT 1999)
(a) The Nuclear Regulatory Commission's (NRC) policy is to support the contractor's expression of professional health and safety related concerns associated with the contractor's work for NRC that may differ from a prevailing NRC staff view, disagree with an NRC decision or policy position, or take issue with proposed or established agency practices. An occasion may arise when an NRC contractor, contractor's personnel, or subcontractor personnel believes that a conscientious expression of a competent judgement is required to document such concerns on matters directly associated with its performance of the contract. The NRC's policy is to support these instances as Differing Professional Views (DPVs).
(b) The procedure that will be used provides for the expression and resolution of differing professional views (DPVs) of health and safety related concerns associated with the mission of the agency by NRC contractors, contractor personnel or subcontractor personnel on matters directly associated with its performance of the contract. This procedure may be found in Attachments to this document. The contractor shall provide a copy of the NRC DPV procedure to all of its employees performing under this contract and to all subcontractors who shall, in turn, provide a copy of the procedure to its employees. The prime contractor or subcontractor shall submit all DPV's received but need not endorse them.
(End of Clause)
H.18 2052.242-71 PROCEDURES FOR RESOLVING DIFFERING PROFESSIONAL VIEWS. (OCT 1999)
(a) The following procedure provides for the expression and resolution of differing professional views (DPVs) of health and safety related concerns of NRC contractors and contractor personnel on matters connected to the subject of the contract. Subcontractor DPVs must be submitted through the prime contractor. The prime contractor or subcontractor shall submit all DPV's received but need not endorse them.
(b) The NRC may authorize up to eight reimbursable hours for the contractor to document, in writing, a DPV by the contractor, the contractor's personnel, or subcontractor personnel. The contractor shall not be entitled to any compensation for effort on a DPV which exceeds the specified eight hour limit.
(c) Before incurring costs to document a DPV, the contractor shall first determine whether there are sufficient funds obligated under the contract which are available to cover the costs of writing a DPV. If there are insufficient obligated funds under the contract, the contractor shall first request the NRC contracting officer for additional funding to cover the costs of preparing the DPV and authorization to proceed.
(d) Contract funds shall not be authorized to document an allegation where the use of this NRC contractor DPV process is inappropriate. Examples of such instances are:
allegations of wrongdoing which should be addressed directly to the NRC Office of the Inspector General (OIG), issues submitted anonymously, or issues raised which have already been considered, addressed, or rejected, absent significant new information.
This procedure does not provide anonymity. Individuals desiring anonymity should contact the NRC OIG or submit the information under NRC's Allegation Program, as appropriate.
(e) When required, the contractor shall initiate the DPV process by submitting a written statement directly to the NRC Office Director or Regional Administrator responsible for the contract, with a copy to the Contracting Officer, Division of Contracts and Property Management, Office of Administration. Each DPV submitted will be evaluated on its own merits.
(f) The DPV, while being brief, must contain the following as it relates to the subject matter of the contract:
(1) A summary of the prevailing NRC view, existing NRC decision or stated position, or the proposed or established NRC practice.
(2) A description of the submitter's views and how they differ from any of the above items.
(3) The rationale for the submitter's views, including an assessment based on risk, safety and cost benefit considerations of the consequences should the submitter's position not be adopted by NRC.
(g) The Office Director or Regional Administrator will immediately forward the submittal to the NRC DPV Review Panel and acknowledge receipt of the DPV, ordinarily within five (5) calendar days of receipt.
(h) The panel will normally review the DPV within seven calendar days of receipt to determine whether enough information has been supplied to undertake a detailed review of the issue. Typically, within 30 calendar days of receipt of the necessary information to begin a review, the panel will provide a written report of its findings to the Office Director or Regional Administrator and to the Contracting Officer, which includes a recommended course of action.
(i) The Office Director or Regional Administrator will consider the DPV Review Panel's report, make a decision on the DPV and provide a written decision to the contractor and the Contracting Officer normally within seven calendar days after receipt of the panel's recommendation.
(j) Subsequent to the decision made regarding the DPV Review Panel's report, a summary of the issue and its disposition will be included in the NRC Weekly Information Report submitted by the Office Director. The DPV file will be retained in the Office or Region for a minimum of one year thereafter. For purposes of the contract, the DPV shall be considered a deliverable under the contract. Based upon the Office Director or Regional Administrator's report, the matter will be closed.
(End of Clause)
FAR Clauses Incorporated By Reference
FAR Clauses Incorporated By Full Text
H.19 52.204-27 PROHIBITION ON A BYTEDANCE COVERED APPLICATION. (JUN 2023)
(a) Definitions. As used in this clause-
Covered application means the social networking service TikTok or any successor application or service developed or provided by ByteDance Limited or an entity owned by ByteDance Limited.
Information technology, as defined in 40 U.S.C. 11101(6)-
(1) Means any equipment or interconnected system or subsystem of equipment, used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the executive agency, if the equipment is used by the executive agency directly or is used by a contractor under a contract with the executive agency that requires the use-
(i) Of that equipment; or
(ii) Of that equipment to a significant extent in the performance of a service or the furnishing of a product;
(2) Includes computers, ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services (including support services), and related resources; but
(3) Does not include any equipment acquired by a Federal contractor incidental to a Federal contract.
(b) Prohibition. Section 102 of Division R of the Consolidated Appropriations Act, 2023 (Pub. L. 117-328), the No TikTok on Government Devices Act, and its implementing guidance under Office of Management and Budget (OMB) Memorandum M-23-13, dated February 27, 2023, "No TikTok on Government Devices" Implementation Guidance, collectively prohibit the presence or use of a covered application on executive agency information technology, including certain equipment used by Federal contractors. The Contractor is prohibited from having or using a covered application on any information technology owned or managed by the Government, or on any information technology used or provided by the Contractor under this contract, including equipment provided by the Contractor's employees; however, this prohibition does not apply if the Contracting Officer provides written notification to the Contractor that an exception has been granted in accordance with OMB Memorandum M-23-13.
(c) Subcontracts. The Contractor shall insert the substance of this clause, including this paragraph (c), in all subcontracts, including subcontracts for the acquisition of commercial products or commercial services.
(End of clause)
Other Clauses Incorporated by Reference
Other Clauses Incorporated By Full Text
I - Contract Clauses
NRC Local Clauses Incorporated by Full Text
NRCAR Clauses Incorporated By Reference
NRCAR Clauses Incorporated By Full Text
I.1 2052.209-72 CONTRACTOR ORGANIZATIONAL CONFLICTS OF INTEREST. (JAN 1993)
(a) Purpose. The primary purpose of this clause is to aid in ensuring that the contractor:
(1) Is not placed in a conflicting role because of current or planned interests (financial, contractual, organizational, or otherwise) which relate to the work under this contract; and
(2) Does not obtain an unfair competitive advantage over other parties by virtue of its performance of this contract.
(b) Scope. The restrictions described apply to performance or participation by the contractor, as defined in 48 CFR 2009.570-2 in the activities covered by this clause.
(c) Work for others.
(1) Notwithstanding any other provision of this contract, during the term of this contract, the contractor agrees to forego entering into consulting or other contractual arrangements with any firm or organization the result of which may give rise to a conflict of interest with respect to the work being performed under this contract. The contractor shall ensure that all employees under this contract abide by the provision of this clause. If the contractor has reason to believe, with respect to itself or any employee, that any proposed consultant or other contractual arrangement with any firm or organization may involve a potential conflict of interest, the contractor shall obtain the written approval of the contracting officer before the execution of such contractual arrangement.
(2) The contractor may not represent, assist, or otherwise support an NRC licensee or applicant undergoing an NRC audit, inspection, or review where the activities that are the subject of the audit, inspection, or review are the same as or substantially similar to the services within the scope of this contract (or task order as appropriate) except where the NRC licensee or applicant requires the contractor's support to explain or defend the contractor's prior work for the utility or other entity which NRC questions.
(3) When the contractor performs work for the NRC under this contract at any NRC licensee or applicant site, the contractor shall neither solicit nor perform work in the same or similar technical area for that licensee or applicant organization for a period commencing with the award of the task order or beginning of work on the site (if not a task order contract) and ending one year after completion of all work under the associated task order, or last time at the site (if not a task order contract).
(4) When the contractor performs work for the NRC under this contract at any NRC licensee or applicant site,
(i) The contractor may not solicit work at that site for that licensee or applicant during the period of performance of the task order or the contract, as appropriate.
(ii) The contractor may not perform work at that site for that licensee or applicant during the period of performance of the task order or the contract, as appropriate, and for one year thereafter.
(iii) Notwithstanding the foregoing, the contracting officer may authorize the contractor to solicit or perform this type of work (except work in the same or similar technical area) if the contracting officer determines that the situation will not pose a potential for technical bias or unfair competitive advantage.
(d) Disclosure after award.
(1) The contractor warrants that to the best of its knowledge and belief, and except as otherwise set forth in this contract, that it does not have any organizational conflicts of interest as defined in 48 CFR 2009.570-2.
(2) The contractor agrees that if, after award, it discovers organizational conflicts of interest with respect to this contract, it shall make an immediate and full disclosure in writing to the contracting officer. This statement must include a description of the action which the contractor has taken or proposes to take to avoid or mitigate such conflicts. The NRC may, however, terminate the contract if termination is in the best interest of the Government.
(3) It is recognized that the scope of work of a task-order-type contract necessarily encompasses a broad spectrum of activities. Consequently, if this is a task-order-type contract, the contractor agrees that it will disclose all proposed new work involving NRC licensees or applicants which comes within the scope of work of the underlying contract. Further, if this contract involves work at a licensee or applicant site, the contractor agrees to exercise diligence to discover and disclose any new work at that licensee or applicant site. This disclosure must be made before the submission of a bid or proposal to the utility or other regulated entity and must be received by the NRC at least 15 days before the proposed award date in any event, unless a written justification demonstrating urgency and due diligence to discover and disclose is provided by the contractor and approved by the contracting officer. The disclosure must include the statement of work, the dollar value of the proposed contract, and any other documents that are needed to fully describe the proposed work for the regulated utility or other regulated entity. NRC may deny approval of the disclosed work only when the NRC has issued a task order which includes the technical area and, if site-specific, the site, or has plans to issue a task order which includes the technical area and, if site-specific, the site, or when the work violates paragraphs (c)(2), (c)(3) or (c)(4) of this section.
(e) Access to and use of information.
(1) If, in the performance of this contract, the contractor obtains access to information, such as NRC plans, policies, reports, studies, financial plans, internal data protected by the Privacy Act of 1974 (5 U.S.C. Section 552a (1988)), or the Freedom of Information Act (5 U.S.C. Section 552 (1986)), the contractor agrees not to:
(i) Use this information for any private purpose until the information has been released to the public;
(ii) Compete for work for the Commission based on the information for a period of six months after either the completion of this contract or the release of the information to the public, whichever is first;
(iii) Submit an unsolicited proposal to the Government based on the information until one year after the release of the information to the public; or
(iv) Release the information without prior written approval by the contracting officer unless the information has previously been released to the public by the NRC.
(2) In addition, the contractor agrees that, to the extent it receives or is given access to proprietary data, data protected by the Privacy Act of 1974 (5 U.S.C. Section 552a (1988)), or the Freedom of Information Act (5 U.S.C. Section 552 (1986)), or other confidential or privileged technical, business, or financial information under this contract, the contractor shall treat the information in accordance with restrictions placed on use of the information.
(3) Subject to patent and security provisions of this contract, the contractor shall have the right to use technical data it produces under this contract for private purposes provided that all requirements of this contract have been met.
(f) Subcontracts. Except as provided in 48 CFR 2009.570-2, the contractor shall include this clause, including this paragraph, in subcontracts of any tier. The terms contract, contractor, and contracting officer, must be appropriately modified to preserve the Government's rights.
(g) Remedies. For breach of any of the above restrictions, or for intentional nondisclosure or misrepresentation of any relevant interest required to be disclosed concerning this contract or for such erroneous representations that necessarily imply bad faith, the Government may terminate the contract for default, disqualify the contractor from subsequent contractual efforts, and pursue other remedies permitted by law or this contract.
(h) Waiver. A request for waiver under this clause must be directed in writing to the contracting officer in accordance with the procedures outlined in 48 CFR 2009.570-9.
(i) Follow-on effort. The contractor shall be ineligible to participate in NRC contracts, subcontracts, or proposals therefor (solicited or unsolicited) which stem directly from the contractor's performance of work under this contract. Furthermore, unless so directed in writing by the contracting officer, the contractor may not perform any technical consulting or management support services work or evaluation activities under this contract on any of its products or services or the products or services of another firm if the contractor has been substantially involved in the development or marketing of the products or services.
(1) If the contractor under this contract, prepares a complete or essentially complete statement of work or specifications, the contractor is not eligible to perform or participate in the initial contractual effort which is based on the statement of work or specifications. The contractor may not incorporate its products or services in the statement of work or specifications unless so directed in writing by the contracting officer, in which case the restrictions in this paragraph do not apply.
(2) Nothing in this paragraph precludes the contractor from offering or selling its standard commercial items to the Government.
(End of Clause)
I.2 2052.222-70 NONDISCRIMINATION BECAUSE OF AGE. (JAN 1993)
(a) Contractors and subcontractors engaged in the performance of Federal contracts may not, in connection with the employment, advancement, or discharge of employees or in connection with the terms, conditions, or privileges of their employment, discriminate against persons because of their age except upon the basis of a bona fide occupational qualification, retirement plan, or statutory requirement; and
(b) That contractors and subcontractors, or persons acting on their behalf, may not specify, in solicitations or advertisements for employees to work on Government contracts, a maximum age limit for employment unless the specified maximum age limit is based upon a bona fide occupational qualification, retirement plan, or statutory requirement.
(End of Provision)
FAR Clauses Incorporated By Reference
I.3 52.202-1 DEFINITIONS. (JUN 2020)
I.4 52.203-3 GRATUITIES. (APR 1984)
I.5 52.203-5 COVENANT AGAINST CONTINGENT FEES. (MAY 2014)
I.6 52.203-7 ANTI-KICKBACK PROCEDURES. (JUN 2020)
I.7 52.203-8 CANCELLATION, RESCISSION, AND RECOVERY OF FUNDS FOR ILLEGAL OR IMPROPER ACTIVITY. (MAY 2014)
I.8 52.203-10 PRICE OR FEE ADJUSTMENT FOR ILLEGAL OR IMPROPER ACTIVITY. (MAY 2014)
I.9 52.203-12 LIMITATION ON PAYMENTS TO INFLUENCE CERTAIN FEDERAL TRANSACTIONS. (JUN 2020)
I.10 52.203-13 CONTRACTOR CODE OF BUSINESS ETHICS AND CONDUCT. (NOV 2021)
I.11 52.204-4 RESERVED
I.12 52.204-9 PERSONAL IDENTITY VERIFICATION OF CONTRACTOR PERSONNEL. (JAN 2011)
I.13 52.204-10 REPORTING EXECUTIVE COMPENSATION AND FIRST-TIER SUBCONTRACT AWARDS. (JUN 2020)
I.14 52.204-13 SYSTEM FOR AWARD MANAGEMENT MAINTENANCE. (OCT 2018)
I.15 52.209-6 PROTECTING THE GOVERNMENT'S INTEREST WHEN SUBCONTRACTING WITH CONTRACTORS DEBARRED, SUSPENDED, OR PROPOSED FOR DEBARMENT. (NOV 2021)
I.16 52.209-9 UPDATES OF PUBLICLY AVAILABLE INFORMATION REGARDING RESPONSIBILITY MATTERS. (OCT 2018)
I.17 52.215-8 ORDER OF PRECEDENCE - UNIFORM CONTRACT FORMAT. (OCT 1997)
I.18 52.215-23 LIMITATIONS ON PASS-THROUGH CHARGES. (JUN 2020)
I.19 52.216-8 FIXED FEE. (JUN 2011)
I.20 52.216-26 PAYMENTS OF ALLOWABLE COSTS BEFORE DEFINITIZATION. (DEC 2002)
I.21 52.219-8 UTILIZATION OF SMALL BUSINESS CONCERNS. (FEB 2024)
I.22 52.219-9 SMALL BUSINESS SUBCONTRACTING PLAN. (SEP 2023)
I.23 52.219-16 LIQUIDATED DAMAGES - SUBCONTRACTING PLAN. (SEP 2021)
I.24 52.222-3 CONVICT LABOR. (JUN 2003)
I.25 52.222-21 PROHIBITION OF SEGREGATED FACILITIES. (APR 2015)
I.26 52.222-26 EQUAL OPPORTUNITY. (SEP 2016)
I.27 52.222-35 EQUAL OPPORTUNITY FOR VETERANS. (JUN 2020)
I.28 52.222-36 EQUAL OPPORTUNITY FOR WORKERS WITH DISABILITIES. (JUN 2020)
I.29 52.222-37 EMPLOYMENT REPORTS ON VETERANS. (JUN 2020)
I.30 52.222-40 NOTIFICATION OF EMPLOYEE RIGHTS UNDER THE NATIONAL LABOR RELATIONS ACT. (DEC 2010)
I.31 52.222-50 COMBATING TRAFFICKING IN PERSONS. (NOV 2021)
I.32 52.222-54 EMPLOYMENT ELIGIBILITY VERIFICATION. (MAY 2022)
I.33 52.223-6 DRUG-FREE WORKPLACE. (MAY 2001)
I.34 52.223-18 ENCOURAGING CONTRACTOR POLICIES TO BAN TEXT MESSAGING WHILE DRIVING. (JUN 2020)
I.35 52.225-13 RESTRICTIONS ON CERTAIN FOREIGN PURCHASES. (FEB 2021)
I.36 52.227-14 RIGHTS IN DATA-GENERAL. (MAY 2014)
I.37 52.228-7 INSURANCE - LIABILITY TO THIRD PERSONS. (MAR 1996)
I.38 52.232-17 INTEREST. (MAY 2014)
I.39 52.232-18 AVAILABILITY OF FUNDS. (APR 1984)
I.40 52.232-20 LIMITATION OF COST. (APR 1984)
I.41 52.232-22 LIMITATION OF FUNDS. (APR 1984)
I.42 52.232-23 ASSIGNMENT OF CLAIMS. (MAY 2014)
I.43 52.232-25 PROMPT PAYMENT. (JAN 2017)
I.44 52.232-33 PAYMENT BY ELECTRONIC FUNDS TRANSFER - SYSTEM FOR AWARD MANAGEMENT. (OCT 2018)
I.45 52.232-39 UNENFORCEABILITY OF UNAUTHORIZED OBLIGATIONS. (JUN 2013)
I.46 52.233-1 DISPUTES. (MAY 2014)
I.47 52.233-4 APPLICABLE LAW FOR BREACH OF CONTRACT CLAIM. (OCT 2004)
I.48 52.242-1 NOTICE OF INTENT TO DISALLOW COSTS. (APR 1984)
I.49 52.242-3 PENALTIES FOR UNALLOWABLE COSTS. (DEC 2022)
I.50 52.242-4 CERTIFICATION OF FINAL INDIRECT COSTS. (JAN 1997)
I.51 52.242-5 PAYMENTS TO SMALL BUSINESS SUBCONTRACTORS. (JAN 2017)
I.52 52.242-13 BANKRUPTCY. (JUL 1995)
I.53 52.244-6 SUBCONTRACTS FOR COMMERCIAL PRODUCTS AND COMMERCIAL SERVICES. (FEB 2024)
I.54 52.245-1 GOVERNMENT PROPERTY. (SEP 2021)
I.55 52.245-9 USE AND CHARGES. (APR 2012)
I.56 52.246-25 LIMITATION OF LIABILITY - SERVICES. (FEB 1997)
I.57 52.249-6 TERMINATION (COST-REIMBURSEMENT). (MAY 2004)
I.58 52.249-6 TERMINATION (COST-REIMBURSEMENT). (MAY 2004) - ALTERNATE IV (SEP 1996)
FAR Clauses Incorporated By Full Text
I.59 52.216-7 ALLOWABLE COST AND PAYMENT. (AUG 2018)
(a) Invoicing. (1) The Government will make payments to the Contractor when requested as work progresses, but (except for small business concerns) not more often than once every 2 weeks, in amounts determined to be allowable by the Contracting Officer in accordance with Federal Acquisition Regulation (FAR) subpart 31.2 in effect on the date of this contract and the terms of this contract. The Contractor may submit to an authorized representative of the Contracting Officer, in such form and reasonable detail as the representative may require, an invoice or voucher supported by a statement of the claimed allowable cost for performing this contract.
(2) Contract financing payments are not subject to the interest penalty provisions of the Prompt Payment Act. Interim payments made prior to the final payment under the contract are contract financing payments, except interim payments if this contract contains Alternate I to the clause at 52.232-25.
(3) The designated payment office will make interim payments for contract financing on the 30th day after the designated billing office receives a proper payment request.
In the event that the Government requires an audit or other review of a specific payment request to ensure compliance with the terms and conditions of the contract, the designated payment office is not compelled to make payment by the specified due date.
(b) Reimbursing costs. (1) For the purpose of reimbursing allowable costs (except as provided in paragraph (b)(2) of the clause, with respect to pension, deferred profit sharing, and employee stock ownership plan contributions), the term costs includes only-
(i) Those recorded costs that, at the time of the request for reimbursement, the Contractor has paid by cash, check, or other form of actual payment for items or services purchased directly for the contract;
(ii) When the Contractor is not delinquent in paying costs of contract performance in the ordinary course of business, costs incurred, but not necessarily paid, for-
(A) Supplies and services purchased directly for the contract and associated financing payments to subcontractors, provided payments determined due will be made-
(1) In accordance with the terms and conditions of a subcontract or invoice; and
(2) Ordinarily within 30 days of the submission of the Contractor's payment request to the Government;
(B) Materials issued from the Contractor's inventory and placed in the production process for use on the contract;
(C) Direct labor;
(D) Direct travel;
(E) Other direct in-house costs; and
(F) Properly allocable and allowable indirect costs, as shown in the records maintained by the Contractor for purposes of obtaining reimbursement under Government contracts; and
(iii) The amount of financing payments that have been paid by cash, check, or other forms of payment to subcontractors.
(2) Accrued costs of Contractor contributions under employee pension plans shall be excluded until actually paid unless-
(i) The Contractor's practice is to make contributions to the retirement fund quarterly or more frequently; and
(ii) The contribution does not remain unpaid 30 days after the end of the applicable quarter or shorter payment period (any contribution remaining unpaid shall be excluded from the Contractor's indirect costs for payment purposes).
(3) Notwithstanding the audit and adjustment of invoices or vouchers under paragraph (g) below, allowable indirect costs under this contract shall be obtained by applying indirect cost rates established in accordance with paragraph (d) below.
(4) Any statements in specifications or other documents incorporated in this contract by reference designating performance of services or furnishing of materials at the Contractor's expense or at no cost to the Government shall be disregarded for purposes of cost-reimbursement under this clause.
(c) Small business concerns. A small business concern may receive more frequent payments than every 2 weeks.
(d) Final indirect cost rates. (1) Final annual indirect cost rates and the appropriate bases shall be established in accordance with subpart 42.7 of the Federal Acquisition Regulation (FAR) in effect for the period covered by the indirect cost rate proposal.
(2)(i) The Contractor shall submit an adequate final indirect cost rate proposal to the Contracting Officer (or cognizant Federal agency official) and auditor within the 6-month period following the expiration of each of its fiscal years. Reasonable extensions, for exceptional circumstances only, may be requested in writing by the Contractor and granted in writing by the Contracting Officer. The Contractor shall support its proposal with adequate supporting data.
(ii) The proposed rates shall be based on the Contractor's actual cost experience for that period. The appropriate Government representative and the Contractor shall establish the final indirect cost rates as promptly as practical after receipt of the Contractor's proposal.
(iii) An adequate indirect cost rate proposal shall include the following data unless otherwise specified by the cognizant Federal agency official:
(A) Summary of all claimed indirect expense rates, including pool, base, and calculated indirect rate.
(B) General and Administrative expenses (final indirect cost pool). Schedule of claimed expenses by element of cost as identified in accounting records (Chart of Accounts).
(C) Overhead expenses (final indirect cost pool). Schedule of claimed expenses by element of cost as identified in accounting records (Chart of Accounts) for each final indirect cost pool.
(D) Occupancy expenses (intermediate indirect cost pool). Schedule of claimed expenses by element of cost as identified in accounting records (Chart of Accounts) and expense reallocation to final indirect cost pools.
(E) Claimed allocation bases, by element of cost, used to distribute indirect costs.
(F) Facilities capital cost of money factors computation.
(G) Reconciliation of books of account (i.e., General Ledger) and claimed direct costs by major cost element.
(H) Schedule of direct costs by contract and subcontract and indirect expense applied at claimed rates, as well as a subsidiary schedule of Government participation percentages in each of the allocation base amounts.
(I) Schedule of cumulative direct and indirect costs claimed and billed by contract and subcontract.
(J) Subcontract information. Listing of subcontracts awarded to companies for which the contractor is the prime or upper-tier contractor (include prime and subcontract numbers; subcontract value and award type; amount claimed during the fiscal year; and the subcontractor name, address, and point of contact information).
(K) Summary of each time-and-materials and labor-hour contract information, including labor categories, labor rates, hours, and amounts; direct materials; other direct costs; and, indirect expense applied at claimed rates.
(L) Reconciliation of total payroll per IRS form 941 to total labor costs distribution.
(M) Listing of decisions/agreements/approvals and description of accounting/organizational changes.
(N) Certificate of final indirect costs (see 52.242-4, Certification of Final Indirect Costs).
(O) Contract closing information for contracts physically completed in this fiscal year (include contract number, period of performance, contract ceiling amounts, contract fee computations, level of effort, and indicate if the contract is ready to close).
(iv) The following supplemental information is not required to determine if a proposal is adequate, but may be required during the audit process:
(A) Comparative analysis of indirect expense pools detailed by account to prior fiscal year and budgetary data.
(B) General organizational information and limitation on allowability of compensation for certain contractor personnel. See 31.205-6(p). Additional salary reference information is available at https://www.whitehouse.gov/wp-content/uploads/2017/11/ContractorCompensationCapContractsAwardedBeforeJune24.pdf and https://www.whitehouse.gov/wp-content/uploads/2017/11/ContractorCompensationCapContractsAwardedafterJune24.pdf.
(C) Identification of prime contracts under which the contractor performs as a subcontractor.
(D) Description of accounting system (excludes contractors required to submit a CAS Disclosure Statement or contractors where the description of the accounting system has not changed from the previous year's submission).
(E) Procedures for identifying and excluding unallowable costs from the costs claimed and billed (excludes contractors where the procedures have not changed from the previous year's submission).
(F) Certified financial statements and other financial data (e.g., trial balance, compilation, review, etc.).
(G) Management letter from outside CPAs concerning any internal control weaknesses.
(H) Actions that have been and/or will be implemented to correct the weaknesses described in the management letter from subparagraph (G) of this section.
(I) List of all internal audit reports issued since the last disclosure of internal audit reports to the Government.
(J) Annual internal audit plan of scheduled audits to be performed in the fiscal year when the final indirect cost rate submission is made.
(K) Federal and State income tax returns.
(L) Securities and Exchange Commission 10-K annual report.
(M) Minutes from board of directors meetings.
(N) Listing of delay claims and termination claims submitted which contain costs relating to the subject fiscal year.
(O) Contract briefings, which generally include a synopsis of all pertinent contract provisions, such as: Contract type, contract amount, product or service(s) to be provided, contract performance period, rate ceilings, advance approval requirements, pre-contract cost allowability limitations, and billing limitations.
(v) The Contractor shall update the billings on all contracts to reflect the final settled rates and update the schedule of cumulative direct and indirect costs claimed and billed, as required in paragraph (d)(2)(iii)(I) of this section, within 60 days after settlement of final indirect cost rates.
(3) The Contractor and the appropriate Government representative shall execute a written understanding setting forth the final indirect cost rates. The understanding shall specify (i) the agreed-upon final annual indirect cost rates, (ii) the bases to which the rates apply, (iii) the periods for which the rates apply, (iv) any specific indirect cost items treated as direct costs in the settlement, and (v) the affected contract and/or subcontract, identifying any with advance agreements or special terms and the applicable rates. The understanding shall not change any monetary ceiling, contract obligation, or specific cost allowance or disallowance provided for in this contract. The understanding is incorporated into this contract upon execution.
(4) Failure by the parties to agree on a final annual indirect cost rate shall be a dispute within the meaning of the Disputes clause.
(5) Within 120 days (or longer period if approved in writing by the Contracting Officer) after settlement of the final annual indirect cost rates for all years of a physically complete contract, the Contractor shall submit a completion invoice or voucher to reflect the settled amounts and rates. The completion invoice or voucher shall include settled subcontract amounts and rates. The prime contractor is responsible for settling subcontractor amounts and rates included in the completion invoice or voucher and providing status of subcontractor audits to the contracting officer upon request.
(6)(i) If the Contractor fails to submit a completion invoice or voucher within the time specified in paragraph (d)(5) of this clause, the Contracting Officer may-
(A) Determine the amounts due to the Contractor under the contract; and
(B) Record this determination in a unilateral modification to the contract.
(ii) This determination constitutes the final decision of the Contracting Officer in accordance with the Disputes clause.
(e) Billing rates. Until final annual indirect cost rates are established for any period, the Government shall reimburse the Contractor at billing rates established by the Contracting Officer or by an authorized representative (the cognizant auditor), subject to adjustment when the final rates are established. These billing rates-
(1) Shall be the anticipated final rates; and
(2) May be prospectively or retroactively revised by mutual agreement, at either party's request, to prevent substantial overpayment or underpayment.
(f) Quick-closeout procedures. Quick-closeout procedures are applicable when the conditions in FAR 42.708(a) are satisfied.
(g) Audit. At any time or times before final payment, the Contracting Officer may have the Contractor's invoices or vouchers and statements of cost audited. Any payment may be (1) reduced by amounts found by the Contracting Officer not to constitute allowable costs or (2) adjusted for prior overpayments or underpayments.
(h) Final payment. (1) Upon approval of a completion invoice or voucher submitted by the Contractor in accordance with paragraph (d)(5) of this clause, and upon the Contractor's compliance with all terms of this contract, the Government shall promptly pay any balance of allowable costs and that part of the fee (if any) not previously paid.
(2) The Contractor shall pay to the Government any refunds, rebates, credits, or other amounts (including interest, if any) accruing to or received by the Contractor or any assignee under this contract, to the extent that those amounts are properly allocable to costs for which the Contractor has been reimbursed by the Government. Reasonable expenses incurred by the Contractor for securing refunds, rebates, credits, or other amounts shall be allowable costs if approved by the Contracting Officer. Before final payment under this contract, the Contractor and each assignee whose assignment is in effect at the time of final payment shall execute and deliver-
(i) An assignment to the Government, in form and substance satisfactory to the Contracting Officer, of refunds, rebates, credits, or other amounts (including interest, if any) properly allocable to costs for which the Contractor has been reimbursed by the Government under this contract; and
(ii) A release discharging the Government, its officers, agents, and employees from all liabilities, obligations, and claims arising out of or under this contract, except-
(A) Specified claims stated in exact amounts, or in estimated amounts when the exact amounts are not known;
(B) Claims (including reasonable incidental expenses) based upon liabilities of the Contractor to third parties arising out of the performance of this contract; provided, that the claims are not known to the Contractor on the date of the execution of the release, and that the Contractor gives notice of the claims in writing to the Contracting Officer within 6 years following the release date or notice of final payment date, whichever is earlier; and
(C) Claims for reimbursement of costs, including reasonable incidental expenses, incurred by the Contractor under the patent clauses of this contract, excluding, however, any expenses arising from the Contractor's indemnification of the Government against patent liability.
(End of clause)
I.60 52.217-7 OPTION FOR INCREASED QUANTITY - SEPARATELY PRICED LINE ITEM. (MAR 1989)
The Government may require the delivery of the numbered line item, identified in the Schedule as an option item, in the quantity and at the price stated in the Schedule. The Contracting Officer may exercise the option by written notice to the Contractor within the period of performance. Delivery of added items shall continue at the same rate that like items are called for under the contract, unless the parties otherwise agree.
(End of clause)
I.61 52.217-8 OPTION TO EXTEND SERVICES. (NOV 1999)
The Government may require continued performance of any services within the limits and at the rates specified in the contract. These rates may be adjusted only as a result of revisions to prevailing labor rates provided by the Secretary of Labor. The option provision may be exercised more than once, but the total extension of performance hereunder shall not exceed 6 months. The Contracting Officer may exercise the option by written notice to the Contractor within the period of performance.
(End of clause)
I.62 52.217-9 OPTION TO EXTEND THE TERM OF THE CONTRACT. (MAR 2000)
(a) The Government may extend the term of this contract by written notice to the Contractor within 30 days from contract expiration; provided that the Government gives the Contractor a preliminary written notice of its intent to extend at least 30 days before the contract expires. The preliminary notice does not commit the Government to an extension.
(b) If the Government exercises this option, the extended contract shall be considered to include this option clause.
(c) The total duration of this contract, including the exercise of any options under this clause, shall not exceed 5 years.
(End of clause)
I.63 52.219-14 LIMITATIONS ON SUBCONTRACTING. (OCT 2022)
(a) This clause does not apply to the unrestricted portion of a partial set-aside.
(b) Definition. Similarly situated entity, as used in this clause, means a first-tier subcontractor, including an independent contractor, that-
(1) Has the same small business program status as that which qualified the prime contractor for the award (e.g., for a small business set-aside contract, any small business concern, without regard to its socioeconomic status); and
(2) Is considered small for the size standard under the North American Industry Classification System (NAICS) code the prime contractor assigned to the subcontract.
(c) Applicability. This clause applies only to-
(1) Contracts that have been set aside for any of the small business concerns identified in 19.000(a)(3);
(2) Part or parts of a multiple-award contract that have been set aside for any of the small business concerns identified in 19.000(a)(3);
(3) Contracts that have been awarded on a sole-source basis in accordance with subparts 19.8, 19.13, 19.14, and 19.15;
(4) Orders expected to exceed the simplified acquisition threshold and that are-
(i) Set aside for small business concerns under multiple-award contracts, as described in 8.405-5 and 16.505(b)(2)(i)(F); or
(ii) Issued directly to small business concerns under multiple-award contracts as described in 19.504(c)(1)(ii);
(5) Orders, regardless of dollar value, that are-
(i) Set aside in accordance with subparts 19.8, 19.13, 19.14, or 19.15 under multiple-award contracts, as described in 8.405-5 and 16.505(b)(2)(i)(F); or
(ii) Issued directly to concerns that qualify for the programs described in subparts 19.8, 19.13, 19.14, or 19.15 under multiple-award contracts, as described in 19.504(c)(1)(ii); and
(6) Contracts using the HUBZone price evaluation preference to award to a HUBZone small business concern unless the concern waived the evaluation preference.
(d) Independent contractors. An independent contractor shall be considered a subcontractor.
(e) Limitations on subcontracting. By submission of an offer and execution of a contract, the Contractor agrees that in performance of a contract assigned a North American Industry Classification System (NAICS) code for-
(1) Services (except construction), it will not pay more than 50 percent of the amount paid by the Government for contract performance to subcontractors that are not similarly situated entities. Any work that a similarly situated entity further subcontracts will count towards the prime contractor's 50 percent subcontract amount that cannot be exceeded. When a contract includes both services and supplies, the 50 percent limitation shall apply only to the service portion of the contract;
(2) Supplies (other than procurement from a nonmanufacturer of such supplies), it will not pay more than 50 percent of the amount paid by the Government for contract performance, excluding the cost of materials, to subcontractors that are not similarly situated entities. Any work that a similarly situated entity further subcontracts will count towards the prime contractor's 50 percent subcontract amount that cannot be exceeded. When a contract includes both supplies and services, the 50 percent limitation shall apply only to the supply portion of the contract;
(3) General construction, it will not pay more than 85 percent of the amount paid by the Government for contract performance, excluding the cost of materials, to subcontractors that are not similarly situated entities. Any work that a similarly situated entity further subcontracts will count towards the prime contractor's 85 percent subcontract amount that cannot be exceeded; or
(4) Construction by special trade contractors, it will not pay more than 75 percent of the amount paid by the Government for contract performance, excluding the cost of materials, to subcontractors that are not similarly situated entities. Any work that a similarly situated entity further subcontracts will count towards the prime contractor's 75 percent subcontract amount that cannot be exceeded.
(f) The Contractor shall comply with the limitations on subcontracting as follows:
(1) For contracts, in accordance with paragraphs (c)(1), (2), (3) and (6) of this clause-
[Contracting Officer check as appropriate.]
[X] By the end of the base term of the contract and then by the end of each subsequent option period; or
[ ] By the end of the performance period for each order issued under the contract.
(2) For orders, in accordance with paragraphs (c)(4) and (5) of this clause, by the end of the performance period for the order.
(g) A joint venture agrees that, in the performance of the contract, the applicable percentage specified in paragraph (e) of this clause will be performed by the aggregate of the joint venture participants.
(1) In a joint venture comprised of a small business protégé and its mentor approved by the Small Business Administration, the small business protégé shall perform at least 40 percent of the work performed by the joint venture. Work performed by the small business protégé in the joint venture must be more than administrative functions.
(2) In an 8(a) joint venture, the 8(a) participant(s) shall perform at least 40 percent of the work performed by the joint venture. Work performed by the 8(a) participants in the joint venture must be more than administrative functions.
(End of clause)
I.64 52.244-2 SUBCONTRACTS. (JUN 2020) - ALTERNATE I (JUN 2020)
(a) Definitions. As used in this clause-
Approved purchasing system means a Contractor's purchasing system that has been reviewed and approved in accordance with Part 44 of the Federal Acquisition Regulation (FAR).
Consent to subcontract means the Contracting Officer's written consent for the Contractor to enter into a particular subcontract.
Subcontract means any contract, as defined in FAR Subpart 2.1, entered into by a subcontractor to furnish supplies or services for performance of the prime contract or a subcontract. It includes, but is not limited to, purchase orders, and changes and modifications to purchase orders.
(b) When this clause is included in a fixed-price type contract, consent to subcontract is required only on unpriced contract actions (including unpriced modifications or unpriced delivery orders), and only if required in accordance with paragraph (c) or (d) of this clause.
(c) If the Contractor does not have an approved purchasing system, consent to subcontract is required for any subcontract that-
(1) Is of the cost-reimbursement, time-and-materials, or labor-hour type; or
(2) Is fixed-price and exceeds-
(i) For a contract awarded by the Department of Defense, the Coast Guard, or the National Aeronautics and Space Administration, the greater of the simplified acquisition threshold, as defined in FAR 2.101 on the date of subcontract award, or 5 percent of the total estimated cost of the contract; or
(ii) For a contract awarded by a civilian agency other than the Coast Guard and the National Aeronautics and Space Administration, either the simplified acquisition threshold, as defined in FAR 2.101 on the date of subcontract award, or 5 percent of the total estimated cost of the contract.
(d) If the Contractor has an approved purchasing system, the Contractor nevertheless shall obtain the Contracting Officer's written consent before placing the following subcontracts:
All Subcontractors
(e)(1) The Contractor shall notify the Contracting Officer reasonably in advance of placing any subcontract or modification thereof for which consent is required under paragraph (b), (c), or (d) of this clause, including the following information:
(i) A description of the supplies or services to be subcontracted.
(ii) Identification of the type of subcontract to be used.
(iii) Identification of the proposed subcontractor.
(iv) The proposed subcontract price.
(v) The subcontractor's current, complete, and accurate certified cost or pricing data and Certificate of Current Cost or Pricing Data, if required by other contract provisions.
(vi) The subcontractor's Disclosure Statement or Certificate relating to Cost Accounting Standards when such data are required by other provisions of this contract.
(vii) A negotiation memorandum reflecting-
(A) The principal elements of the subcontract price negotiations;
(B) The most significant considerations controlling establishment of initial or revised prices;
(C) The reason certified cost or pricing data were or were not required;
(D) The extent, if any, to which the Contractor did not rely on the subcontractor's certified cost or pricing data in determining the price objective and in negotiating the final price;
(E) The extent to which it was recognized in the negotiation that the subcontractor's certified cost or pricing data were not accurate, complete, or current; the action taken by the Contractor and the subcontractor; and the effect of any such defective data on the total price negotiated;
(F) The reasons for any significant difference between the Contractor's price objective and the price negotiated; and
(G) A complete explanation of the incentive fee or profit plan when incentives are used. The explanation shall identify each critical performance element, management decisions used to quantify each incentive element, reasons for the incentives, and a summary of all trade-off possibilities considered.
(2) If the Contractor has an approved purchasing system and consent is not required under paragraph (c) or (d) of this clause, the Contractor nevertheless shall notify the Contracting Officer reasonably in advance of entering into any (i) cost-plus-fixed-fee subcontract, or (ii) fixed-price subcontract that exceeds either the simplified acquisition threshold, as defined in FAR 2.101 on the date of subcontract award, or 5 percent of the total estimated cost of this contract. The notification shall include the information required by paragraphs (e)(1)(i) through (iv) of this clause.
(f) Unless the consent or approval specifically provides otherwise, neither consent by the Contracting Officer to any subcontract nor approval of the Contractor's purchasing system shall constitute a determination-
(1) Of the acceptability of any subcontract terms or conditions;
(2) Of the allowability of any cost under this contract; or
(3) To relieve the Contractor of any responsibility for performing this contract.
(g) No subcontract or modification thereof placed under this contract shall provide for payment on a cost-plus-a-percentage-of-cost basis, and any fee payable under cost-reimbursement type subcontracts shall not exceed the fee limitations in FAR 15.404-4(c)(4)(i).
(h) The Contractor shall give the Contracting Officer immediate written notice of any action or suit filed and prompt notice of any claim made against the Contractor by any subcontractor or vendor that, in the opinion of the Contractor, may result in litigation related in any way to this contract, with respect to which the Contractor may be entitled to reimbursement from the Government.
(i) The Government reserves the right to review the Contractor's purchasing system as set forth in FAR Subpart 44.3.
(j) Paragraphs (c) and (e) of this clause do not apply to the following subcontracts, which were evaluated during negotiations:
To be incorporated into resultant contract.
(End of clause)
I.65 52.252-2 CLAUSES INCORPORATED BY REFERENCE. (FEB 1998)
This contract incorporates one or more clauses by reference, with the same force and effect as if they were given in full text. Upon request, the Contracting Officer will make their full text available. Also, the full text of a clause may be accessed electronically at this/these address(es):
https://www.acquisition.gov/browse/index/far
https://www.nrc.gov/about-nrc/contracting/48cfr-ch20.html
(End of clause)
Other Clauses Incorporated by Reference
Other Clauses Incorporated By Full Text
J - List of Documents, Exhibits and Other Attachments

| Attachment Number | Title | Document Version | Date | Number of Pages |
|---|---|---|---|---|
| 1 | Attachment No. 1 _ 31310024C0016 _ Monthly Letter Status Report (MLSR) Instructions & Template | BASE | 07/18/2024 | 10 |
| 2 | Attachment No. 2 _ 31310024C0016 _ Organizational Conflicts of Interest | BASE | 07/18/2024 | 8 |
| 3 | Attachment No. 3 _ 31310024C0016 _ NRC Form 187 | BASE | 07/18/2024 | 4 |