ORDFR FOR SLIPPILIF:S OR SF:RVICFS. -' . IMFPORTAN C: Mark all packages and papers with contract and/or order numbers. ......... v jPAGE OF PAGES 1 20 r 1. DATE OF ORDER 2. CONTRACT NO. (If any) S. SHIP TO: 092/05 NRC-HQ-l0-l5-A-0005 a. NAME OF CONSIGNEE 3. ORDER NO. 14. REOUISITION/REFERENCE NO. NRC-HQ-7S-15-O-0001 JCSO-l5-00271 U.S. Nuclear Regulatory Commission- 5. ISSUING DFFICE (Address correspondence to) b. STREET ADDRESS U.S. NRC - HQ Mail Processing Center Acquisition Management Division 4930 Boiling Brook Parkway Mail Stop: TWFN-5E03 Washington DC 20555-0001 ______________ ___________ c. CITY d. STATE e. ZIP CODE Rockville MD 20852 7. TO: f. SHIP VIA a. NAME OF CONTRACTOR AEGI. NE INC8. TYPE OF ORDER b. COMPANY NAME ]aPUCAE[b.DLVR c. STREETADDRESS REFERENCE YOUR: 4 2 READS WAY QUOTE Except for billing instructions on the ______________________________________ reverse, this delivery order is subject to instructions contained on this side ______________________________________ only of this form and is issued Please furnish the following on the terms subject to the terms and conditions and conditions specitied on both sides of of the above-numbered contract. d. CITY ] . STATE If. ZP CODE this order and on the attached sheet, if any, NEW CASTLE DE R 197201649 including delivery as indicated. 9. ACCOUNTING AND APPROPRIATION DATA 10. REOUISITIONING OFFICE See Schedule Computer Security Office 11. BUSINESS CLASSIFICATION (Check appropriate box(es)) 12. F.O.B. POINT []a. SMALL H] b. OTHER THAN SMALL H] c, DISADVANTAGED G]d. WOMEN-OWNED [H e. HUBZone H] f. SERVICE-DISABLED H• g. WOMEN-OWNED SMALL BUSINESS (WOSBj [• h. EDWOSB VETERAN-OWNED ELIGIBLE UNDER THE WOSB PROGRAM 13. PLACE] OF 14. GOVERNMENT BJL NO. 15. DELIVER TO F.O.B. POINT 16. DISCOUNTTERMS a. INSPECTION b. ACCEPTANCEONRBERE(ae Destination Destination 17. SCHeDULE (See reverse for Rejections) QUANTITY UNIT OUANTITY ITEM NO. SUPPLIES OR SERVICES ORDERED UNIT PRICE AMOUNT ACCEPTED (a) (b) (c) (d) (a) (f) (g) GSA Contract #: GS-35F-0125S Accounting Info: 2015-X0200-FEEBASED-7S-7SD001-5l-J-i145-N7343 -252A Period of Performance: 09/25/2015 to 09/24/2016 I8. SHIPPING POINT 19. GROSS SHIPPING WEIGHT 20. INVOICE NO. 17(h) (Cont. pages) 21. MAIL INVOICE TO: , a. NAME $0. 00 4 U.S. Nuclear Regulatory Commission SEE aILLING INSTRUCTIONS b. STREETADDRESS One White Flint North ONREVECRSC (or P.O. Box) 11555 Rockville Pike 17(i) GRAND Mailstop 03-El7A TOTAL NRCPayment s@nrc. gov . e 200875 Rockville d.MD 20852-2738 22. UNITED STATES OF 09 / 23 / 2015 23. NAME (Typed) AMRCAB Sinlur) LADELIS M. RODRIGUEZ AUTHRIZDORLCAL REPRODUCTION r - ,lu - • (2._ 4%.fx•,,J4gta 5 •,• TITLE: CONTRACTINGIORDERING OFFICER PREVIOUS EDITION NOT USABLE OPTIONAL FORM 347 18ev. ,200121 Prescribed by GSN/FAR 48 CER 53.2131f) SUNSI REVIEW COMPLE OCT - 1 2015
Transcript
ORDFR FOR SLIPPILIF:S OR SF:RVICFS.-' . IMFPORTAN C: Mark all packages and papers with contract and/or order numbers.
......... v jPAGE OF PAGES1 20r
1. DATE OF ORDER 2. CONTRACT NO. (If any) S. SHIP TO:092/05 NRC-HQ-l0-l5-A-0005 a. NAME OF CONSIGNEE
3. ORDER NO. 14. REOUISITION/REFERENCE NO.
NRC-HQ-7S-15-O-0001 JCSO-l5-00271 U.S. Nuclear Regulatory Commission-
5. ISSUING DFFICE (Address correspondence to) b. STREET ADDRESS
U.S. NRC - HQ Mail Processing CenterAcquisition Management Division 4930 Boiling Brook Parkway
Mail Stop: TWFN-5E03
Washington DC 20555-0001 ______________ ___________c. CITY d. STATE e. ZIP CODE
Rockville MD 20852
7. TO: f. SHIP VIA
a. NAME OF CONTRACTOR
AEGI. NE INC8. TYPE OF ORDER
b. COMPANY NAME ]aPUCAE[b.DLVR
c. STREETADDRESS REFERENCE YOUR:4 2 READS WAY QUOTE Except for billing instructions on the
______________________________________ reverse, this delivery order is subjectto instructions contained on this side
______________________________________ only of this form and is issuedPlease furnish the following on the terms subject to the terms and conditionsand conditions specitied on both sides of of the above-numbered contract.
d. CITY ] . STATE If. ZP CODE this order and on the attached sheet, if any,NEW CASTLE DE R 197201649 including delivery as indicated.
9. ACCOUNTING AND APPROPRIATION DATA 10. REOUISITIONING OFFICE
See Schedule Computer Security Office11. BUSINESS CLASSIFICATION (Check appropriate box(es)) 12. F.O.B. POINT
[]a. SMALL H] b. OTHER THAN SMALL H] c, DISADVANTAGED G]d. WOMEN-OWNED [H e. HUBZone
H] f. SERVICE-DISABLED H• g. WOMEN-OWNED SMALL BUSINESS (WOSBj [• h. EDWOSBVETERAN-OWNED ELIGIBLE UNDER THE WOSB PROGRAM
13. PLACE] OF 14. GOVERNMENT BJL NO. 15. DELIVER TO F.O.B. POINT 16. DISCOUNTTERMS
a. INSPECTION b. ACCEPTANCEONRBERE(ae
Destination Destination17. SCHeDULE (See reverse for Rejections)
QUANTITY UNIT OUANTITYITEM NO. SUPPLIES OR SERVICES ORDERED UNIT PRICE AMOUNT ACCEPTED
(a) (b) (c) (d) (a) (f) (g)
GSA Contract #: GS-35F-0125SAccounting Info:2015-X0200-FEEBASED-7S-7SD001-5l-J-i145-N7343-252APeriod of Performance: 09/25/2015 to09/24/2016
ADDITIONAL TERMS AND CONDITIONS ................................................... 31. CONTRACTOR ACCEPTANCE OF TASK ORDER.................................... 32. NRCB010 BRIEF PROJECT TITLE AND WORK DESCRIPTION .................... 33. NRCB050 CONSIDERATION AND OBLIGATION-TASK ORDERS ................. 34. NRCFO3OB PERIOD OF PERFORMANCE ALTERNATE ............................. 55. NRCF01O PLACE OF DELIVERY-REPORTS... ........................................ 56. 2052.215-70 KEY PERSONNEL. (JAN 1993)........................................... 57. 2052.215-71 PROJECT OFFICER AUTHORITY. (OCT 1999)......................... 68. NRCH49O AWARD NOTIFICATION AND COMMITMENT OF PUBLIC FUNDS... 79. 52.21 7-9 OPTION TO EXTEND THE TERM OF THE CONTRACT................... 8TASK ORDER PERFORMANCE WORK STATEMENT (PWS)....Error! Bookmark notdefined.
Acceptance of this task order should be made by an official authorized to bind yourorganization. Please sign one copy of this document in the space provided and return itvia email to the Contracting Officer.
Accepted Task Order:
Printed Name & Title SgaueDat
2. NRCBOIO BRIEF PROJECT TITLE AND WORK DESCRIPTION
(a) The title of this project is: OSO Senior Information Technology Security OfficerInformation Technology Solutions - Independent Verification and Validation Support(ITS-IV&V)
(b) Summary work description: CSO reviews the security posture of all NRC systems andprovides findings, metrics, recommendations, and quantified risks to NRC executivesand the Designated Accrediting Authorities (DAAs) on all systems (internal and external)including those receiving an initial Authority to Operate (ATO) and those entering into orcurrently under an ongoing authorization. The expectation of this task order is to supportthe CSO in reducing risk the agency mission through the preparation of independentreviews of system security artifacts, and supporting the continuous monitoring and metricsdevelopment and presentation processes which qualitatively, visually, and empiricallyreflect the degree to which NRC systems meet federal and NRC security requirements.
3. NRCBO50 CONSIDERATION AND OBLIGATION-TASK ORDERS
(a) The ceiling of this order for services is $2,020,837.54.
(b) This order is subject to the minimum and maximum ordering requirements set forth inthe contract.
(c) The amount presently obligated with respect to this order is $145,000. The obligatedamount shall, at no time, exceed the order ceiling as specified in paragraph (a) above.When and if the amount(s) paid and payable to the Contractor hereunder shall equal theobligated amount, the Contractor shall not be obligated to continue performance of thework unless and until the Contracting Officer shall increase the amount obligated withrespect to this order, in accordance with FAR Part 43 - Modifications. Any workundertaken by the Contractor in excess of the obligated amount specified above is doneso at the Contractor's sole risk and may not be reimbursed by the Government.
(d) The Contractor shall comply with the provisions of FAR 52.232-22 - Limitation ofFunds, for incrementally-funded delivery orders or task orders.
3005 Intermediate Systems Analyst [_____Hours~Hours
3006 Senior Information AssuranceA n~Ilcf
3007 Intermediate Information Assurance Hours - •
Analyst_3008 Travel Unit •
_____Totals:] - Hours$857.91'
5. NRCF030B PERIOD OF PERFORMANCE ALTERNATE
This contract shall commence on award date and will expire one year after. The term ofthis contract may be extended at the option of the Government for an additional twoone-year optional periods.
6. NRCFO10 PLACE OF DELIVERY-REPORTS
The items to be furnished hereunder shall be delivered, electronically via email to:a. The Contracting Officer Representative (COR) (1 electronic copy)b. The Contracting Officer (00)
7. 2052.21 5-70 KEY PERSONNEL. (JAN 1993)
(a) The following individuals are considered to be essential to the successful performanceof the work hereunder:
TOM LOURENCO - PROGRAM MANAGERDOUG MEYER - PROJECT MANAGERPETE MEYERS - SENIOR MANAGEMENT ANALYSTJEFF HAVER - SENIOR SYSTEMS ANALYSTRUTH BRISCOQE - INTERMEDIATE SYSTEMS ANALYSTJOEL DUBOW - SENIOR INFORMATION ASSURANCE ANALYSTJOSH UNDERWOOD - INTERMEDIATE INFORMATION ASSURANCE ANALYST
*The contractor agrees that personnel may not be removed from the contract work orreplaced without compliance with paragraphs (b) and (c) of this section.
(b) If one or more of the key personnel, for whatever reason, becomes, or is expected tobecome, unavailable for work under this contract for a continuous period exceeding 30work days, or is expected to devote substantially less effort to the work than indicated inthe proposal or initially anticipated, the contractor shall immediately notify the contractingofficer and shall, subject to the concurrence of the contracting officer, promptly replace thepersonnel with personnel of at least substantially equal ability and qualifications.
(c) Each request for approval of substitutions must be in writing and contain a detailedexplanation of the circumstances necessitating the proposed substitutions. The request
must also contain a complete resume for the proposed substitute and other informationrequested or needed by the contracting officer to evaluate the proposed substitution. Thecontracting officer and the project officer shall evaluate the contractor's request and thecontracting officer shall promptly notify the contractor of his or her decision in writing.
(d) If the contracting officer determines that suitable and timely replacement of keypersonnel who have been reassigned, terminated, or have otherwise become unavailablefor the contract work is not reasonably forthcoming, or that the resultant reduction ofproductive effort would be so substantial as to impair the successful completion of thecontract or the service order, the contract may be terminated by the contracting officer fordefault or for the convenience of the Government, as appropriate. If the contracting officerfinds the contractor at fault for the condition, the contract price or fixed fee may beequitably adjusted downward to compensate the Government for any resultant delay,loss, or damage.
(a) The contracting officer's authorized representative hereinafter referred to as the projectofficer• for this contract is:
Name: Alan SageAddress: US NRC, Mail Stop: T2 C2, Washington DC 20555Email: alan.sacqe~nrc.QovTelephone Number: 301-415-7060
(b) Performance of the work under this contract is subject to the technical direction of theNRC project officer. The term technical direction is defined to include the following:
(1) Technical direction to the contractor which shifts work emphasis between areas ofwork or tasks, authorizes travel which was unanticipated in the Schedule (i.e., travel notcontemplated in the Statement of Work or changes to specific travel identified in theStatement of Work), fills in details, or otherwise serves to accomplish the contractualstatement of work.
(2) Provide advice and guidance to the contractor in the preparation of drawings,specifications, or technical portions of the work description.
(3) Review and, where required by the contract, approve technical reports, drawings,specifications, and technical information to be delivered by the contractor to theGovernment under the contract.
(c) Technical direction must be within the general statement of work stated in the contract.The project officer does not have the authority to and may not issue any technical directionwhich:
(1) Constitutes an assignment of work outside the general scope of the contract.
(2) Constitutes a change as defined in the "Changes" clause of this contract.
(3) In any way causes an increase or decrease in the total estimated contract cost, thefixed fee, if any, or the time required for contract performance.
(4) Changes any of the expressed terms, conditions, or specifications of the contract.
(5) Terminates the contract, settles any claim or dispute arising under the contract, orissues any unilateral directive whatever.
(d) All technical directions must be issued in writing by the project officer or must beconfirmed by the project officer in writing within ten (10) working days after verbalissuance. A copy of the written direction must be furnished to the contracting officer. Acopy of NRC Form 445, Request for Approval of Official Foreign Travel, which hasreceived final approval from the NRC must be furnished to the contracting officer.
(e) The contractor shall proceed promptly with the performance of technical directions dulyissued by the project officer in the manner prescribed by this clause and within the projectofficer's authority under the provisions of this clause.
(f) If, in the opinion of the contractor, any instruction or direction issued by the projectofficer is within one of the categories defined in paragraph (c) of this section, thecontractor may not proceed but shall notify the contracting officer in writing within five (5)working days after the receipt of any instruction or direction and shall request thatcontracting officer to modify the contract accordingly. Upon receiving the notification fromthe contractor, the contracting officer shall issue an appropriate contract modification oradvise the contractor in writing that, in the contracting officer's opinion, the technicaldirection is within the scope of this article and does not constitute a change under the"Changes" clause.
(g) Any unauthorized commitment or direction issued by the project officer may result in anunnecessary delay in the contractor's performance and may even result in the contractorexpending funds for unallowable costs under the contract.
(h) A failure of the parties to agree upon the nature of the instruction or direction or uponthe contract action to be taken with respect to the instruction or direction is subject to52.233-1 - Disputes.
(i) In addition to providing technical direction as defined in paragraph (b) of the section, theproject officer shall:
(1) Monitor the contractor's technical progress, including surveillance and assessment ofperformance, and recommend to the contracting officer changes in requirements.
(2) Assist the contractor in the resolution of technical problems encountered duringperformance.
(3) Review all costs requested for reimbursement by the contractor and submit to thecontracting officer recommendations for approval, disapproval, or suspension of paymentfor supplies and services required under this contract.
9. NRCH490 AWARD NOTIFICATION AND COMMITMENT OF PUBLIC FUNDS
(a) All offerors will receive preaward and postaward notices in accordance with FAR15.503.
(b) It is also brought to your attention that the contracting officer is the only individual whocan legally obligate funds or commit the NRC to the expenditure of public funds inconnection with this procurement. This means that unless provided in a contractdocument or specifically authorized by the contracting officer, NRC technical personnelmay not issue contract modifications, give formal contractual commitments, or otherwisebind, commit, or obligate the NRC contractually. 'Informal unauthorized commitments,which do not obligate the NRC and do not entitle the contractor to payment, may include:
(1). Encouraging a potential contractor to incur costs prior to receiving a contract;
(2) Requesting or requiring a contractor to make changes under a contract without formalcontract modifications;
(3) Encouraging a contractor to incur costs under a cost-reimbursable contract in excessof those costs contractually allowable; and
(4) Committing the Government to a course of action with regard to a potential contract,contract change, claim, or dispute.
10.52.217-9 OPTION TO EXTEND THE TERM OF THE CONTRACT.
As prescribed in 17.208(g), insert a clause substantially the same as the following:
Option to Extend the Term of the Contract (Mar 2000)
(a) The Government may extend the term of this contract by written notice to theContractor within 10 days; provided that the Government gives the Contractor apreliminary written notice of its intent to extend at least 10 days before the contractexpires. The preliminary notice does not commit the Government to an extension.
(b) If the Government exercises this option, the extended contract shall be considered toinclude this option clause.
(c) The total duration of this contract, including the exercise of any options under thisclause, shall not exceed September 24, 2018.
Support to NRC's Computer Security Office Senior Information Technology SecurityOfficer including independent verification and validation of cybersecurity deliverables,performance of security assessments, risk metrics development, and cybersecurityauthorizations in alignment with National Institute of Standards and Technology (NIST)guidance, Office of Management and Budget (0MB), the Federal Information SystemsManagement Act (FISMA), and the Department of Homeland Security (DHS) policy,directives, instructions, and guidance.
2. BACKGROUNDIINTRODUCTION
The Computer Security Office (CSO) is responsible for planning, directing, andoverseeing the implementation of a comprehensive, coordinated, integrated andcost-effective NRC Cybersecurity Program, consistent with applicable laws, regulations,Commission, Executive Director for Operations and Deputy Executive Director forInformation Services/Chief Information Officer direction, management initiatives andpolicies.
The Director, CSO functions as the NRC Chief Information Security Officer (CISO), andensures appropriate, effective, and efficient NRC-wide integration, direction andcoordination of cybersecurity planning and performance within the framework of the NRCProgram and with related Office of Information Services activities. The CSO providesAgency-level liaison with external entities on mutual cybersecurity interests; formulatesand oversees a cybersecurity program budget; proposes and successfully advocatesappropriate Agency-level cybersecurity guidelines. Additionally, the CISO provides vision,leadership, and oversight in developing and promulgating an end-to-end, comprehensivecybersecurity architecture, which is integrated with NRC's enterprise architecture. TheCISO provides credible, cogent, and timely advice and counsel to the Chairman,Commission, and NRC senior management on programmatic, infrastructure, andadministrative aspects of cybersecurity.-The CISO guides security process maturity withinthe NRC; advocates these concepts to NRC organizations; and makes necessaryadjustments to components of the cybersecurity program to counter the evolving threat toinformation technology.
3. SCOPE
CSO reviews the security posture of all NRC systems and provides findings, metrics,recommendations, and quantified risks to NRC executives and the DesignatedAccrediting Authorities (DAAs) on all systems (internal and external) including thosereceiving an initial Authority to Operate (ATO) and those entering into or currently underan ongoing authorization. The expectation of this task order is to support the CSO inreducing risk the agency mission through the preparation of independent reviews ofsystem security artifacts, and supporting the continuous monitoring and metricsdevelopment and presentation processes which qualitatively, visually, and empiricallyreflect the degree to which NRC systems meet federal and NRC security requirements.
Task 1- Independent Verification and Validation Support Services
The Contractor shall provide support for specific activities related to system assessmentand authorization, continuous monitoring, cybersecurity risk management, cybersecuritymetrics development and presentation, and risk scoring, calculation and tracking. Ifnecessary, the Contractor shall support NRC's system security personnel and othercontractors in understanding existing or proposed system architectures and othertechnological concerns. In all cases, it is expected that Contractor staff will communicatewith NRC subject matter experts and independent assessors to ensure commonunderstanding and optimal deliverables. Support provided under this task may include,but may not be limited to:
* Providing independent reviews and recommendations of Authorization packages andFISMA related deliverables (e.g., Contingency Plans, Contingency Test Reports, Plansof Action & Milestones (POA&M) Reports, etc.) of unclassified systems according toFederal and NRC regulations, guidelines, and standards;(http://fusion. nrc••qov/CSO/team/Cyber%20Securitv%20lssuances/Forms/Allltems~asp
* Developing evaluation criteria, metrics, templates, checklists and procedures forapproval to ensure that systems are evaluated in a similar manner from one review tothe next;
* Performing sampled IV&V testing (e.g., vulnerability scanning, hardening verification,etc.) based upon security best practices with NRC-approved tools and documenting theresults in a formal report;
* Performing independent reviews of cybersecurity risk indicators, quantifying,documenting and communicating their magnitude to the NRC DAA, Office Directorsand staff by leveraging NRC productivity tools such as Excel, Internet Explorer andSharepoint, and suggesting risk reduction strategies and appropriate weightings anddistributions of risk across all NRC systems and offices;
* Reviewing system documentation supporting proposed system change authorizationsand providing recommendations and support to the cybersecurity coordination processand related processes and standards;
* Providing documentation, assessment reports, and Plan of Action and Milestonesupport through the use of the agency's automated FISMA tool;
* Monitoring, researching, and developing documentation and reports detailing what.impact new Federal cybersecurity regulations, DHS Continuous Diagnostics andMitigation guidance, and 0MB requirements may have on the NRC, and providingrecommendations on how to best implement these new externally mandatedrequirements;
* Providing recommendations on NRC cybersecurity processes, standards, templates,and procedures to ensure federal regulations, guidelines, and standards are being met;
* Incorporating Business Area Risk Assessments, quantitative estimation of risks interms of resource metrics, tradeoff analyses of remediation and cyber defense options,and incorporating risk allocation amongst organizational entities and decision Supportfor resource allocation and enhanced investment decisions;
* Assigning remediation costs to identified risks based on published data, historical data,and specific impact to NRC, allocating risk from a portfolio based on NRC-approvedmathematical techniques amongst organizational entities in the NRC, and identifying
and quantifying system specific and correlated inter-system risks;* Analyzing and documenting recommended cybersecurity best practices and how they
can be applied at NRC, and assisting the Computer Security Office with realizing anyNRC-approved recommendations to better communicate and reduce cybersecurity riskto the NRC mission;
* Ranking risk according to severity of total impact and associated remediation resourcecosts, and generating reports to estimate the impact of exploited risks or events uponmission performance and NRC resources;
* Identifying and updating cybersecurity risk metrics, investigating best practices ofcommunicating this information to NRC executives and staff, performing daily trackingand updates of security metrics, and updating numerical models such as the NRCcybersecurity performance indicator and other quantitative cybersecurity risk scoring;
* Assisting the Computer Security Office with developing requirements that meet DHS0DM data collection and reporting guidance;
* Analyzing new technologies, methods and dashboards to determine, quantify,communicate and mitigate risk in the context of the NRC Cybersecurity Program;
* Performing reviews of test plans to ensure that all system modifications address thesecurity controls as specified, in National Institute of Standards (NIST) SpecialPublications;
* Performing reviews of security categorizations as specified in National Institute ofStandards (NIST) Special Publication 800-60, latest version;
5. PERFORMANCE STANDARDS
Performance standards establish the performance levels required by the Government.
5.1 Grammar and Mechanics: All documentation submitted by the Contractor shallconform to the Chicago Manual of Style, as amended by any applicable NRC formattemplates and requirements.
5.2 Deliverables: The Contractor shall provide all documentation to the NRC CORelectronically from an NRC provided NRC electronic mail account in the followingformats, except as specifically stated herein: latest installed NRC version of MicrosoftWord, Microsoft Excel, Microsoft Project, Sharepoint and Adobe PDF. All electronicmail shall be transmitted from the Contractor's NRC electronic mail account. Personaland corporate electronic mail accounts shall not be used to transmit sensitive NRCinformation unless NRC CSO-approved mechanisms to protect the informationduring transmission are implemented.
5.3 Method of Surveillance for Draft and Final Submissions: All contractdeliverables submitted to the NRC must conform to the standards referenced in thisSOW and will be reviewed by the NRC. Unless otherwise directed by the NRC COR,all documentation shall be submitted in draft form for comment to the CSO technicalmonitor. The NRC will generate comments and submit them to the Contractor. Oncethe Contractor receives NRC's comments, the Contractor shall have three (3)business days to generate the final draft version of the document. Then, the final draftwill be sent to the CSO technical monitor for review and approval. Once the final drafthas been accepted, the Contractor will be given one (1) business day to revise thedocument and resubmit as a final deliverable. This constitutes a revision cycle.
Any changes required after the first revision cycle shall be completed at no additionalcost to the Government. The first revision cycle for a deliverable shall be acceptableto the Government when the Contractor submits a revised deliverable incorporatingany comments and suggestions made by the NRC COR.
5.4 Reporting Requirements: In addition to meeting the delivery schedule in thetimely submission of any draft and final reports, summaries, data and documents thatare created in the performance of this contract, the Contractor shall comply with thedirections of the NRC regarding the contents of the report, summaries, data andrelated documents to include correcting, deleting, editing, revising, modifying,formatting, and supplementing any of the information contained therein at noadditional cost to the NRC. Performance under the contract shall not be deemedaccepted or completed until the Contractor complies with NRC's directions. Unlessotherwise directed by the COR, the reports, summaries, data and related documentsshall be considered draft until approved by the NRC. The Contractor agrees that thedirection, determinations, and decisions on approval or disapproval of reports,summaries, data and related documents created under this contract remains solelywithin the discretion of the NRC.
5.5 The Contractor shall adhere to following NRC policies:
* Management Directive 12.5, Automated Information Security Program* NRC Sensitive Unclassified Non-Safeguards Information (SUNSI)* Cybersecurity Policy for Encryption of Data at Rest When Outside of Agency
Facilities* Policy for Copying, Scanning, Printing, and Faxing SGI & Classified Information* Cybersecurity Information Protection Policy* Remote Access Policy* Use of Commercial Wireless Devices, Services and Technologies Policy* Laptop Security Policy• Cybersecurity Incident Response Policy* Other NRC Security Policies, including but not limited to those issued via NRC
Yellow Announcements.
All work under this contract shall comply with the latest version of all applicableguidance and standards. These standards include, but are not limited to, NRCManagement Directive (MD) volume 12 Security, cybersecurity policies, includingthose issued via Yellow Announcements, National Institute of Standards andTechnology (NIST) guidance and Federal Information Processing Standards (FIPS),and Committee on National Security Systems (CNSS) policy, directives, instructions,and guidance. This information is available at the following links:
* NRC Policies, Procedures and Standards (CSO internalwebsite): http://www, internal, n rc.qov/CSO/policies. html
* NRC Policy and Procedures for Handling, Marking and Protecting SensitiveUnclassified Non-Safeguards Information(SUNSI): http://www.internal. nrc.qiov/sunsi/pdf/SUNSt-Policy-Procedures.pdf
* All NRC Management Directives (publicwebsite): http://www. nrc.,qov/readinQ-rm/doc-collectionslmanaqement-directives/
• NIST Special Publications and Federal Information Processing Standards (FIPS)Publications documentation is located at: http:llcsrc.nist..qovl
* CNSS documents are located at: http://www.cnss.qov/
The Contractor shall ensure compliance with the latest version of CNSS publications,NIST guidance, and FIPS standards available at contract issuance and continuedcompliance with the latest versions within one year of the release date.
6.6 Identification/ Marking of Sensitive and SAFEGUARDS Information: Thedecision, determination or direction by the NRC that information constitutes sensitiveor SAFEGUARDS information remains exclusively a matter within the authority of theNRC to make: In performing the contract, the Contractor shall clearly mark sensitiveunclassified non-SAFEGUARDS information (SUNSI), sensitive, and SAFEGUARDSinformation to include for example Official Use Only and SAFEGUARDS Informationon any reports, documents, designs, data, materials and written information asdirected by the NRC. In addition to marking the information as directed by the NRC,the Contractor shall use the applicable NRC cover sheet forms (e.g. NRC Form 461SAFEGUARDS Information and NRC Form 190B Official Use Only) in maintainingthese records and documents. The Contractor shall ensure that sensitive andSAFEGUARDS information is handled appropriately, maintained and protected fromunauthorized disclosure. The Contractor shall comply with the requirements to mark,maintain and protect all information including documents, summaries, reports, data,designs, and materials in accordance with the provisions of Section 147 of the AtomicEnergy Act of 1954 as amended, its implementing regulations (1 0 CFR 73.21 ), andNRC Management Directive and Handbook 12.6.
5,7 Publication of Results: Prior to any dissemination, display, publication orrelease of articles, reports, summaries, data or related documents developed underthe contract, the Contractor shall submit for review and approval by the NRC theproposed articles, reports, summaries, data and related documents that theContractor intends to release, disseminate or publish to other persons, the public orany other entities. The Contractor shall not release, disseminate, display or publisharticles, reports, summaries, data, and related documents or the contents therein thathave not been reviewed and approved by the NRC for release, display, disseminationor publication. The Contractor agrees to conspicuously place any disclaimers,markings or notices directed by the NRC on any articles, reports, summaries, data andrelated documents that the Contractor intends to release, display, disseminate orpublish to other persons, the public or any other entities. The Contractor agrees andgrants a royalty free, nonexclusive, irrevocable world-wide license to the governmentto use, reproduce, modify, distribute, prepare derivative works, release, display ordisclose the articles, reports, summaries, data and related documents developedunder the contract, for any governmental purpose and to have or authorize others todo so.
5.8 Deliverable Reviews: Deliverable Reviews will be held to provide theContractor with feedback related to improving the quality of deliverables, includingfeedback received from Customer Satisfaction Surveys. Such reviews will becoordinated by the CSO technical monitor as required to supplement writtencomments provided on deliverable submissions. The written minutes of all deliverablereview meetings shall be prepared by the Contractor. Should the Government notconcur with the minutes, the CSO technical monitor shall so state any areas of
non-concurrence in writing to the Contractor within ten calendar days of receipt of theminutes. Failure to correct and identify defects, and integrate NRC comments into thedeliverable may result in the issuance of a Contract Discrepancy Report (CDR) by theContracting Officer. Upon issuance of a CDR, a meeting will be held.
6. DELIVERABLES AND DELIVERY SCHEDULE
After official notification by the CSO technical monitor, 100% of the tasks assigned shallbe delivered (Draft and Final) to the NRC within the timeframes specified below.Compliance will be monitored by the CSO technical monitor. Examples of deliverablesand their required timeframes may include, but not be limited to:
Task CompleteEvaluating Authorization packages of NRC IT 10 business daysSystemsEvaluating Authorization packages of 5 business daysE-Government /Contractor SystemsEvaluating Authorization packages of Stand Alone 2 business daysSystemsPerforming Cybersecurity Document Continuous 3 business daysMonitoring ReviewsPerforming Security Categorization Report Reviews 2 business daysPerforming IT Security Metrics updates 2 business days :Performing Deviation Request Reviews 2 business days
Note: When evaluating Authorization packages determined to be for significantly complexsystems, the CSO technical monitor will specify the amount of time needed to completethe evaluation.
7. GOVERNMENT-FURNISHED PROPERTY
The NRC will provide workspace, file storage, computer workstations, email and othercomputer network accounts to onsite staff. Offsite staff will be provided network access,email, and potentially also government laptops for secure remote access if deemednecessary by the NRC COR.
8. QUALITY CONTROL
The Contractor shall develop and maintain a complete Quality Control Plan (QOP) toensure that the requirements of the task order are performed in accordance with thisSOW. The QCP shall include the review of deliverables by qualified Quality Assurancestaff prior to delivery to the government. The QCP shall describe the methods foridentifying, preventing, and ensuring any defective services are corrected before the levelof performance becomes unacceptable. The Contractor's QCP shall address the tasks inthe section 4, Performance Requirements, of this SOW.
One copy of the Contractor's QCP shall be provided to the CO at the time its proposal issubmitted. After acceptance of the QCP the contractor shall receive the CO acceptancein writing of any proposed changes to its plan. An updated copy of the QCP must beprovided to the CO as changes occur during the performance of the contract.
CSO requires that support staff be available on~site at least 30% of the hours billed. Whilethe contractor may not rely on the availability of NRC office space, CSO can currentlyaccommodate up to three IV&V analysts on site. The contractor shall provide office spacefor any other staff and ensure that they are readily available by telephone and NRC emailduring hours billed. The contractor shall also ensure that all staff hours are workedbetween 7:00a.m. and 5:00 p.m. unless specifically approved by the NRC COR."
10. TRAVEL
Support under this task order may require local travel to offices of contractors providingsoftware development, maintenance and operational support for NRC systems.Additionally, occasional travel will be required to remote facilities supporting NRC systems(e.g., the Lockheed Martin facility in Richland, WA) as well as the NRC regional offices. Toensure consistent proposals, the contractor shall include in their proposal $5,000 in travelexpenses for each performance period.
11. SECURITY
No classified processing will be performed under this task. Additionally, the contractorshall not use non-NRC provided hardware or software to process any information relatedto this effort. If a requirement for using contractor hardware or software arises, it must beapproved beforehand,. in writing, by the Director, CSO. Upon written permission of theDirector, CSO, all electronic processing of NRC sensitive information, including systemdevelopment and operations and maintenance performed at non-NRC facilities shall be infacilities, networks, and computers that have been certified and accredited by NRC forprocessing information at the highest sensitivity of the information that is processed or willultimately be processed.
When e-mail is used, the Contractors shall only use NRC provided e-mail accounts tosend and receive sensitive information (information that is not releasable to the public)unless approved in writing beforehand by the Director, CSO.
All Contractor employees must sign the NRC Agency Rules of Behavior for SecureComputer Use prior to being granted access to NRC computing resources.
Contractor shall adhere to NRC's prohibition of use of personal devices to process andstore NRC sensitive information.
The Contractor shall not publish or disclose in any manner, without the Director, CSO'swritten consent, the details of any security controls or countermeasures either designed ordeveloped by the Contractor under this contract or otherwise provided by the NRC.
All media used by the Contractor to store or process NRC information shall be controlledin accordance with the sensitivity level. The Contractor shall not perform sanitization ordestruction of media approved for processing NRC information designated as SGI or.Classified. The Contractor must provide the media to NRC for destruction.
12. SPECIAL QUALIFICATIONS / KEY PERSONNEL REQUIREMENTS
CSO requires that the contractor designate a lead analyst as the primary point of contactfor each system under review. For major systems, the contractor shall designate a leadperson who is dedicated to IV&V support for the subject system.
12.1 Key PersonnelDue to the tight timeframes imposed by the DA~s and CSO customers, the limitednumber of staff anticipated in support of CSO on this task and the complex nature ofNRC systems and federal and NRC security requirements, a minimum of 2 contractorstaff will be considered Key Personnel and subject to all related conditions of the basecontract. In addition, the contractor should have resources available to supportsurge capabilities.
12.2 System -specific Contractor CapabilitiesThe contractor shall provide staff with senior-level expertise, certifications andexperience in the areas below. This level of support is required to avoid disruptionrelated to disputes over the technical accuracy of IV&V contractor assessments.The Contractor's personnel shall have experience with the federal regulations,guidelines, and standards identified in section 5. The contractor shall provide seniorinformation security specialists (also known as Senior Industry / Functional AreaSpecialists) and senior subject matter experts (also known as SME II) to perform thetasks identified in section 4.At a minimum, the Contractor's key personnel shall have experience with networksecurity, information assurance principles as prescribed in the NIST 800 SpecialPublication series, independent IT security system assessments, risk analyses,metrics development, operating systems, and the following: Microsoft Exchange andwebserver technology; DHS Continuous Diagnostics and Mitigation; Databases (e.g.,Oracle, SQL, etc.); Active Directory; Citrix, End Point Protection; SharePoint Serversand web parts, Quantitative Risk Analysis and Modeling; Public Key Infrastructure;and.
13. SECTION 508 - ELECTRONIC AND INFORMATION TECHNOLOGY STANDARDS
In December 2000, the Architectural and Transportation Barriers Compliance Board(Access Board), pursuant to Section 508(2)(A) of the Rehabilitation Act Amendments of1998, established information technology accessibility standards for the federalgovernment. Section 508(a)(1) requires that when federal departments or agenciesdevelop, procure, maintain, or use Electronic and Information Technology (EIT), they shallensure that the EIT allows federal employees with disabilities to have access to and use ofinformation and data that is comparable to the access to and use of information and databy other Federal employees. The Section 508 requirement also applies to members of thepublic seeking information or services from a federal department or agency. Section 508text is available at
All Electronic and Information Technology (EIT), as defined at FAR 2.101, supplied underthis contract/order must conform to the Architectural and Transportation BarriersCompliance Board Electronic and Information Technology Accessibility Standards (36.
CFR Part 1194). The applicable standards are available at:http:llwww. access-board.govlsec5081guidelindex. htm
The following standards are applicable to this contract/order:
* Software Applications and Operating Systems (1194.21)• Web-based Intranet and Internet Information and Applications(1 194.22)* Telecommunications Products (1194.23)* Video and Multimedia Products (1194.24)* Self-Contained, Closed Products (1194.25)* Desktop and Portable Computers (1194.26)
Page 18
NIRC FORM 187 C N R TSEU IYU.S. NUCLEAR REGULATORY COMMISSIONi
• ,.•CLASSIFICATION REQUIREMENTS
1. Type of Submission 3. Contractor Company Full Name and Complete Address (Prime Contractor)
2. Type of Contract
Coinmeiciall
4. Contract Number, IAA Number, or Job Code for DOE Projects 5. Contract Start Date 6. Contract End Date
ITB .... D 9/25/2015 ,[ 9/24/20t8
7. Is this contract a follow-on contract? If Yes, provide previous Contract Number, 8. Contractor Cage Code or DOE Facility Code
9. Contract Performance Requirements
A. Will the contract require access to classified matter F•1 Yes (continue) [7 No (if no, proceed to Block E)(information, systems, andlor material) (I.e., 32 CFR Part 2004 or MD 12.2)? L2 I
B. What is the highest lovel of classified matter the contractor will need to access to perform contract responsibilities?
C. To carry out requirements of the contract, will the contractor need to possess, r-- es (continue) [171 No (if no, proceed to Block S.generate, or store classified matter at the contractor facility location? LJe L
D. Choose all that apply: In regards to classified matter, the contractor will require:
--- 1) Access to Foreign Intelligence Information I• 2) Receipt and storage (i.e., safeguarding) of classified matter
3) Access to cryptographic material or 7] 4) Access to classified mailer or information processed by
other classified COMSEC information L~J another agency
5) Use of a classified information technology [] 6) Generation of classified at Contractor facility location
processing system LD 7) Generation of classified mailer at an NRC facility
E. Will the contractor require access to Safeguards Information or Safeguards Information - Modified Handling LII Ye NInformation (i.e., 10 CFR 73.21, 73.22, and/or 73.23)? ys N
F. Will the contractor possess, generate, or store SGI or SGI-M at the contractor facility? fiZ Yes f7•j No
G. Will thle contractor require access to any Sensitive Unclassified Non-Safeguards Information (SUNSI) or sensitive [7 rinformation technology (IT) Systems (i.e., MD 12.6)? Yes LINo
H. Willcotacothe contractOrfaiiypOssess, generate, or store SUNSI or have access to NRC sensitive IT systems at the ]Ys[ N
I. Was, "Yes"~ checked to Block 9.A., Block 9.C., Block 9.E., or Block 9.F.?[ [(If "Yes", then a Facility Clearance is required to be issued for the contractor and any known sub-contractors by the LJYes NoFacilities Security Branch before final contract award and before work can begin on the contract.)
J. Choose all that apply.
[I 1) Unescorted Access is required to Nuclear Power Plants. [1 5) Require operation of govcrnment vehicles or transport
LJ passengers for the NRC.
2) Access Is required to Unclassified Safeguards Information. [• 6) Will operate hazardous equipment at NRC facilities.
[• 3) Access is required to Sensitive IT Systems and Data. [I 7) Required to carry firearms.
W 4) Unescorted Access to NRC Headquarters Building. 5 ) Found to use or admit to use of illegal drugs.
NRC FORM 1B7 (01-2015) Page 1 of 4
11. Does this contract contain any subcontractors? U_ Y [ L NIf **No*", L~eave. area blank. (Note: It is the responsibility ot the COR to notify FSB if the contractor adds a subcontractor to the YsN
contract during the execution of the contract. The sub-contraclers may require a facility clearance before work can fbe allowed).
Subcontractor Company name, address and Defense Security_ Service cage code. (if applicable) __________________
12. Review of contractor/subcontractor reports, documents for classified, SGI, SGI-M, and/or SUNSI will be reviewed by:
Typed or Printed Name anrd Title of Authorized Classifier
No chlssi lied proccssing will occtr.
Typed or Printed Name and Title of Authorized Derivative Classifier (for Classified Information)
No classified proces•sin~g will oc~cur.
Typed or Printed Name and Title of a Qualified Designator for SGI, and SGI-M (I.e., person must be qualified per MD 12.4)
'4 ctlssiljicd or S(i! processing wvilt oc cur,
13. Required Distribution of NRC Form 187 for Review (Check all appropriate boxes)j--- 1) Originating NRC office or Division (item 14A.) [--- 3) Division of Contracts and Property Management (Item 14C.)
[J- 2) Division of Facilities and Security (Item 1413.)
• 14. Approvals
A. Typed or Printed Name of Director, Office or Division Signature' Date
••i ---- ("TyeorPrinted Name of Director,• Acquisitions Managementi/ "LDivision ': .Signature(/j t (,'••Ji•iDt•
