Loren Data's SAM Daily™

fbodaily.com
FBO DAILY - FEDBIZOPPS ISSUE OF JANUARY 28, 2016 FBO #5179
MODIFICATION

R -- NIH Child Care Subsidy Program

Notice Date
1/26/2016
 
Notice Type
Modification/Amendment
 
NAICS
541611 — Administrative Management and General Management Consulting Services
 
Contracting Office
Department of Health and Human Services, National Institutes of Health, Office of Research Facilities, 9000 Rockville Pike, Bldg. 13, Rm. 2E47, MSC 5738, Bethesda, Maryland, 20892-5738, United States
 
ZIP Code
20892-5738
 
Solicitation Number
NIH-OD3342016
 
Point of Contact
Tonia Ellen, Phone: 3014968413
 
E-Mail Address
tonia.ellen@nih.gov
 
Small Business Set-Aside
N/A
 
Description
This is a combined synopsis/solicitation for commercial items prepared in accordance with the format in Subpart 12.6 as supplemented with additional information included in this notice. This announcement constitutes the only solicitation; proposals are being requested and a written solicitation will not be issued. The solicitation number for this requirement is NIH-OD3342016 and this is a Request for Proposals (RFP). The official documents, and the submission of those proposals, should be in response to only those attachments that have "Amendment 2" in the title. The solicitation document and incorporated provisions and clauses are those in effect through Federal Acquisition Circular 2005-85 dated January 4, 2016. The NAICS code for this requirement is 541611 for $15.0M. The Statement of Work is attached. The Period of Performance will be April 1, 2016 through December 31, 2016 for the base year and four (4) 12-month option periods. FAR Pt. 52.212-1, Instructions to Offerors-Commercial, applies to this acquisition and a statement regarding any addenda to the provision. FAR Pt. 52.212-2, Evaluation-Commercial Items is applicable. Proposals will be evaluated on:

Evaluation Criteria

The government will be evaluating the proposals on a best value basis using Tradeoffs. The evaluation factors are listed below, with the weight of each factor attributed to each Non-Price Factor. Non-Price Factors, when combined, are significantly more important than the Price Factor.

Non-Price Factors:
35% Key Personnel qualifications and experience in administering similar programs
35%, Past Performance- Please submit the attached Past Performance Questionnaire to your relevant references, and have the reviewer return it directly to the contract specialist, in coordination with the instructions located inside the Questionnaire.
30%, Technical and Management Approach to implementation of tasks and deliverables stated

Price: Price will be rated only among those proposals that are deemed Technically Acceptable after review of their Non-Price Factors. The price will be evaluated based on the base period of performance, inclusive of all option periods.

Offerors shall include a completed copy of the provision at 52.212-3, Offerors Representations and Certifications-Commercial Items, with its offer or submit a printout to their Online Reps and Certs. The clause 52.212-5, Contract Terms and Conditions Required to Implement Statutes or Executive Orders-Commercial Items, applies to this acquisition. By submission of an offer, the offeror acknowledges the requirement that a prospective awardee shall be registered in SAM at www.sam.gov prior to award, during performance and through final payment of the Purchase Order. Requests for information and (or) questions concerning this requirement are to be submitted by Tuesday, January 19, 2016 by 3PM through e-mail ONLY. Offers must be submitted no later than 12:00 P.M. Eastern Daylight Time on Monday, February 1, 2016. For Delivery responses through the Postal Service, the address is National Institute of Health, Office of Logistics and Acquisition Operations, 6011 Executive Blvd. 5th Floor, Rockville, MD 20892. E-mail submissions are permitted to ellent@od.nih.gov. NO PHONE CALLS PLEASE

Added: Nov 24, 2015 1:57 pm
Modified: Jan 26, 2016 1:44 pm

NIH Child Care Subsidy Program Statement of Work (SOW)

1. Introduction and Overview
The intent of this Statement of Work (SOW) is to secure a contractor that will provide administrative services for the NIH Child Care Subsidy Program.

2. Background
The National Institutes of Health is soliciting proposals from qualified organizations to administer the Agency's child care tuition assistance program. On November 12, 2001, President George W. Bush signed H.R. 2590 into Public Law 107-67 which includes permanent legislation authorizing the use of appropriated funds by executive agencies to provide child care services for Federal civilian employees. This legislation permits Federal agencies to administer a program to assist their lower income Federal employees with the costs of child care. The contractor will administer the program on behalf of the agency for the period of April 1, 2016 through December 31, 2021, with four (one year) extensions. In FY2014, 142 NIH Federal Employees were served with 180 children to receive the tuition assistance from the NIH Child Care Subsidy program.

3. Scope
The goal is to assist lower income Federal employees with the cost of licensed child care services. Tuition assistance can reduce the amount of tuition parents pay for child care by providing subsidies directly to the licensed child care provider. By providing assistance with child care cost, the employee can obtain quality dependable child care.

4. Objectives
The National Institutes of Health (NIH) requires a contractor to demonstrate it has the ability to effectively manage the NIH Child Care Subsidy program. In responding to this request, a contractor must demonstrate its ability to perform the following services:
• Handle all administrative tasks associated with the NIH Child Care Subsidy program appropriately, effectively and in a timely manner.
• Maintain confidentiality of all the information contained in child care subsidy applications.
• Determine the eligibility of the NIH Federal Employee based on the guidelines given by the Agency.
• Determine the eligibility of the licensed/regulated child care provider to receive Federal funds.
• Notify the Federal employee and the approved licensed child care provider of the amount of the tuition assistance that each family will receive and the effective dates.
• Review monthly invoices for the tuition assistance amounts and provide payment to the approved child care provider in a timely manner.
• Provide to the NIH monthly reports.

5. Requirements/Tasks
The contractor is required to have experience doing work that required determining benefits eligibility
• The contractor will maintain an independent financial database to manage and distribute NIH Child Care Subsidy tuition assistance.
• The contractor will notify the NIH Federal Employee and approved child care provider of eligibility and amount of tuition assistance within 10 business days of receiving a completed application.
• The contractor will determine the eligibility of the applicant by requiring and reviewing the following documentation:
  o NIH Form #2897 NIH Child Care Subsidy Program Application
  o OPM Form 1643 Child Care Subsidy Applicant Form
  o OPM Form 1644 Child Care Provider Information for the Child Care Subsidy/ Program for Federal Employees
  o Form SF-50 (Verification of NIH Employment)
  o Two most recent pay statements for each parent, guardian or spouse.
  o A copy of the full time college registration documentation for a spouse or partner (if applicable).
  o A copy of the most recent Federal income tax returns for each parent, guardian, or partner.
  o A copy of the child care provider's current license or statement of compliance with State and/or local child care regulations
• The contractor will ensure the NIH Federal Employee understands that if, for whatever reason, he/she is no longer a NIH Federal employee, he/she must notify the contractor immediately to terminate participation in the subsidy program.
• The contractor will collect any reimbursements from the NIH Federal Employee if he/she fails to notify the contractor.
• The contractor will determine the eligibility of the child care provider to receive Federal funds (all must comply with all applicable licensing and/or other regulatory requirements) by:
  (1) Requiring each child care provider to submit a copy of current licenses and any statement of compliance from anybody charged with regulating that provider;
  (2) Requiring child care provider to submit their taxpayer identification numbers; and
  (3) Ensuring that licensed child care providers understand that if, for whatever reason, the provider is no longer licensed or subject to regulatory oversight or is not in compliance with applicable regulations, the provider will immediately notify the contractor and the Federal employee whose child is enrolled in the child care program. In such cases, the provider will no longer be permitted to receive the tuition subsidy.
• The contractor will review monthly invoices for the tuition assistance amounts from the approved child care providers, and provide payment if appropriate, based on the invoiced amount no later than 30 calendar days after the date of the invoice.
• The contractor will pay the tuition assistance directly to the approved child care provider, and not the NIH Federal Employee.
  (1) Ensure that the child care provider submits a written invoice on a monthly basis to the contractor.
  (2) Invoices that are submitted more than 60 days after the end of that month will not be eligible for payment.
  (3) Tuition assistance will be quoted as weekly amounts and the invoices must be prepared using full week amounts unless the child leaves the child care provider's program during a particular week.
• The contractor will notify the Project Officer 90 calendar days prior to the program going to a waitlist status.
• The contractor will provide on request the name and address of each approved child care provider that receives tuition assistance from the NIH Child Care Subsidy program.
• The contractor will provide the agency with monthly reports for tax purposes if payments do not qualify for the DCAP exclusion.
• The contractor will determine eligibility for the program on an annual basis. Employees who do not submit re-determination information by the annual May 1st deadline will be removed from the program and may be placed on the subsidy program waiting list or be required to re-apply for the program.
• The contractor will notify the employee 60 days in advance of reaching the reimbursement limit.
• The Contractor must provide the best value cost to NIH employees.
• The contractor must have appropriate safeguards established and in place to protect Personal Identifying Information that is obtained in the regular course of business.
• The contractor must comply with all NIH security requirements.
• The contractor must have personnel assigned to perform tasks for the duration of the contract.

Rules of Behavior
The Contractor shall ensure that all employees, including subcontractor employees, comply with the NIH Information Technology General Rules of Behavior, which are available at http://irtsectraining.nih.gov/CSA_2013/0301010_BehaviorRules.aspx.

Confidential Treatment of Sensitive Information
The Contractor shall guarantee strict confidentiality of the information/data that it is provided by the Government during the performance of this contract. The Government has determined that the information/data that the vendor will be provided during the performance of the task order is of a sensitive nature. Disclosure of the information/data, in whole or in part, by the vendor can only be made after the vendor receives prior written approval from the Contracting Officer. Whenever the vendor is uncertain with regard to the proper handling of information/data under the contract, the vendor shall obtain a written determination from the Child Care Program Manager.
• The contractor must have appropriate safeguards established and in place to protect Personal Identifying Information that is obtained in the regular course of business;
• The contractor must have personnel assigned to perform tasks through this SOW.
• 508 Compliance: Section 508 of the Rehabilitation Act requires that Federal agencies' electronic and information technology is accessible to people with disabilities. This courseware product must be Section 508 conformant. Specifically, the end product must be conformant with all applicable provisions, including:
  • 1194.21 Software Applications and Operating Systems
  • 1194.22 Web-based Intranet and Internet Information and Applications
  • 1194.31 Functional performance criteria
  • 1194.41 Information, documentation, and support
  These provisions can be found at http://www.hhs.gov/web/508/index.html.
• Quality Assurance Plan: The contractor must have an established quality assurance plan that meets the needs of the Government as outlined in the SOW. The contractor must provide a copy of the quality assurance plan to the Project Officer.

6. Deliverables
• The contractor will issue monthly reports to the NIH on the status of the NIH Child Care Subsidy program.
Reports will contain the following information, and will be due on the fifteenth day of the month following the reported month:
  (1) The Name, GS level and NIH Institute of the employee
  (2) The amount of tuition assistance disbursed in a given month
  (3) The number of children by age enrolled whose parents receive the tuition assistance
  (4) The number of NIH Federal Employees from the agency who qualified for a subsidy and who are receiving the subsidy
  (5) The total family income of each family that receives a tuition subsidy
  (6) The amount of the weekly tuition subsidy for each recipient
  (7) The remaining balance of the agency's funds
  (8) Fees paid to the contractor
• The contractor will issue quarterly reports which will contain the following information and be due the fifteenth day following the end of the month:
  (1) The number of total applications for the month
  (2) The number of applications in process
  (3) The number of new tuition assistance subsidies
  (4) The number of applicants who were ineligible
  (5) The number of applicants who were denied assistance and why
  (6) Names of NIH Federal employees who may reach the $5,000 maximum tuition reimbursement in the next quarter

7. Source
• http://olpa.od.nih.gov/actions/public/session1/pl107-67.asp
• http://childcare.ors.nih.gov
• http://www.ors.od.nih.gov/pes/dats/childcare/Pages/cc_subsidy.aspx
• http://oma1.od.nih.gov/manualchapters/management/1480/
• http://main.opm.gov/Employment_and_Benefits/WorkLife/FamilyCareIssues/ChildCare_Subsidy/index.asp
• http://opm.gov/Employment_and_Benefits/WorkLife/OfficialDocuments/HandbooksGuides/Childcare_Legislation/p-law.asp

8. Government-Furnished Property
Government will not provide any furnished property to the contractor. The contractor must provide a suitable location in order to perform the tasks listed above.

9. Security

Information Security Training
HHS policy requires contractors/subcontractors receive security training commensurate with their responsibilities for performing work under the terms and conditions of their contractual agreements. The contractor shall ensure that each contractor/subcontractor employee has completed the NIH Computer Security Awareness Training course at: http://irtsectraining.nih.gov/ prior to performing any task order work, and thereafter completing the NIH-specified fiscal year refresher course during the period of performance of the task order.

Contractor's Official Responsible for Information Security
The Contractor shall include in the "Information Security" part of its Technical Proposal the name and title of its official who will be responsible for all information security requirements should the vendor be selected for an award.

Personnel Security Responsibilities
1. The Contractor shall notify the Contracting Officer, Project Officer, and I/C ISSO within five working days before a new employee assumes a position that requires a suitability determination or when an employee with a suitability determination or security clearance stops working under this contract. The Government will initiate a background investigation on new employees requiring suitability determination and will stop pending background investigations for employees that no longer work under this acquisition.
2. The Contractor shall provide the Project Officer with the name, position title, e-mail address, and phone number of all new contract employees working under the contract and provide the name, position title and suitability determination level held by the former incumbent. If the employee is filling a new position, the Contractor shall provide a position description and the Government will determine the appropriate suitability level.
3. The Contractor shall provide the Project Officer with the name, position title, and suitability determination level held by or pending for departing employees. Perform and document the actions identified in the Contractor Employee Separation Checklist at https://ocio.nih.gov/aboutus/publicinfosecurity/acquisition/Documents/Emp-sep-checklist.pdf when a Contractor/subcontractor employee terminates work under this contract. All documentation shall be made available to the Project Officer and/or Contracting Officer upon request.

Information and Physical Access Security
The Contractor and all subcontractors performing under this acquisition shall comply with ARTICLE H.. NIH INFORMATION AND PHYSICAL ACCESS SECURITY (see appendix A).

10. Place of Performance
Contractor must be accessible to the Project Officer, Contract Officer, NIH Federal Employees, and the child care provider by postal mail, telephone, fax, and email. The Contractor must appear in person at the request of the Project Officer and/or Contract Officer.

11. Period of Performance
The contract will be a Firm-Fixed Contract with (1) base year and (4) option years.
Base: April 1, 2016 to December 31, 2016
Option 1: January 1, 2017 to December 31, 2017
Option 2: January 1, 2018 to December 31, 2018
Option 3: January 1, 2019 to December 31, 2019
Option 4: January 1, 2020 to December 31, 2020

12. Evaluation Criteria
The government will be evaluating the proposals on a best value basis using Tradeoffs. The evaluation factors are listed below, with the weight of each factor attributed to each Non-Price Factor. Non-Price Factors, when combined, are significantly more important than the Price Factor.
Non-Price Factors:
35% Key Personnel qualifications and experience in administering similar programs
35%, Past Performance- Please submit the attached Past Performance Questionnaire to your relevant references, and have the reviewer return it directly to the contract specialist, in coordination with the instructions located inside the Questionnaire.
30%, Technical and Management Approach to implementation of tasks and deliverables stated

Price: Price will be rated only among those proposals that are deemed Technically Acceptable after review of their Non-Price Factors. The price will be evaluated based on the base period of performance, inclusive of all option periods.

13. Contract Terms and Conditions

52.212-4 Contract Terms and Conditions - Commercial Items (May 2015)

Addendum to 52.212-4 Invoicing Guidance

Mail the original itemized invoice to:
National Institutes of Health
Office of Financial Management
Commercial Accounts
2115 East Jefferson Street, Room 4B-432, MSC 8500
Bethesda, MD 20892-8500

For inquiries regarding payment call: Chief, Accounts Payable Section, OFM (301) 496-6088

Additionally, please email a courtesy copy of the invoice to the Contract Specialist for the official contract file.

The following Invoice and Payment Terms are applicable to all purchase orders, task/delivery orders and BPA Calls:

I. Invoice Requirements
A. An invoice is the Vendor's bill or written request for payment under the contract for supplies delivered or services performed. A proper invoice is an "Original" which must include the items listed in bullets 1 through 12 below. If the invoice does not comply with these requirements, it can result in an invoice being considered improper and returned to the vendor.
1. Name and Address of the Vendor
2. Invoice date (Date Invoice Submitted)
3. Order number and where applicable, main agreement (e.g., BPA and Contract #)
4. Description, quantity, unit of measure, unit price, and extended price of supplies delivered or service performed
5. Shipping and payment terms (e.g., shipment number and date of shipment, prompt payment discount terms)
6. Name and complete mailing address where payment is to be sent per ACH information on record
7. Name (where practicable), title, telephone number and mailing address of person to be notified in the event of a defective invoice
8. DUNS number or DUNS+4, as registered in CCR
9. Vendor Identification Number (VIN)
10. NOTE: This only applies to new purchase orders, task/delivery orders and BPA Calls awarded on/after June 4, 2007. The VIN is a 7 digit number that appears after the vendor's name on the face page of the award document in the block where the contractor's name and address appear. Inclusion of the VIN on the invoice is not required if the invoice identifies the contractor's DUNS or DUNS+4
11. Any other information or documentation required by the order (e.g., evidence of shipment)
12. Unique Invoice Number which can only be used one time regardless of the number of contracts or orders held by an organization (or business unit identified by a separate DUNS or DUNS+4 number), regardless if the invoices are being issued out of separate locations
B. Shipping costs will be reimbursed only if authorized by the Contract/Purchase Order. If authorized, shipping costs must be itemized.

II. Invoice Payment
A. Except as indicated in paragraph B below, the due date for making invoice payments by the designated payment office shall be the later of the following two events:
1. The 30th day after the designated billing office has received a proper invoice
2. The 30th day after Government acceptance of supplies delivered or services performed
B. The due date for making invoice payments for meat and meat food products, perishable agricultural commodities, dairy products, and edible fats or oils, shall be in accordance with the Prompt Payment Act, as amended.
III. Interest Penalties
A. An interest penalty shall be paid automatically if payment is not made by the due date and the conditions listed below are met, if applicable
1. A proper invoice was received by the designated billing office;
2. A receiving report or other Government documentation authorizing payment was processed and there was no disagreement over quantity, quality, or contractor compliance with a term or condition;
3. In the case of a final invoice for any balance of funds due the contractor for supplies delivered or services performed, the amount was not subject to further settlement actions between the Government and the Contractor.
B. Determination of interest and penalties due will be made in accordance with the provisions of the Prompt Payment Act, as amended, the Contract Disputes Act, and regulations issued by the Office of Management and Budget.

52.212-5 Contract Terms and Conditions Required to Implement Statutes or Executive Orders-Commercial Items.

As prescribed in 12.301(b)(4), insert the following clause:

Contract Terms and Conditions Required to Implement Statutes or Executive Orders-Commercial Items (Jan 2016)

(a) The Contractor shall comply with the following Federal Acquisition Regulation (FAR) clauses, which are incorporated in this contract by reference, to implement provisions of law or Executive orders applicable to acquisitions of commercial items:
(1) 52.209-10, Prohibition on Contracting with Inverted Domestic Corporations (Dec 2014)
(2) 52.233-3, Protest After Award (Aug 1996) (31 U.S.C. 3553).
(3) 52.233-4, Applicable Law for Breach of Contract Claim (Oct 2004) (Public Laws 108-77 and 108-78 (19 U.S.C. 3805 note)).
(b) The Contractor shall comply with the FAR clauses in this paragraph (b) that the Contracting Officer has indicated as being incorporated in this contract by reference to implement provisions of law or Executive orders applicable to acquisitions of commercial items: _X_ (1) 52.203-6, Restrictions on Subcontractor Sales to the Government (Sept 2006), with Alternate I (Oct 1995) ( 41 U.S.C. 4704 and 10 U.S.C. 2402 ). __ (2) 52.203-13, Contractor Code of Business Ethics and Conduct (Oct 2015) ( 41 U.S.C. 3509 )). __ (3) 52.203-15, Whistleblower Protections under the American Recovery and Reinvestment Act of 2009 (June 2010) (Section 1553 of Pub. L. 111-5). (Applies to contracts funded by the American Recovery and Reinvestment Act of 2009.) _X_ (4) 52.204-10, Reporting Executive Compensation and First-Tier Subcontract Awards (Oct 2015) (Pub. L. 109-282) ( 31 U.S.C. 6101 note ). __ (5) [Reserved]. __ (6) 52.204-14, Service Contract Reporting Requirements (Jan 2014) (Pub. L. 111-117, section 743 of Div. C). __ (7) 52.204-15, Service Contract Reporting Requirements for Indefinite-Delivery Contracts (Jan 2014) (Pub. L. 111-117, section 743 of Div. C). _X_ (8) 52.209-6, Protecting the Government's Interest When Subcontracting with Contractors Debarred, Suspended, or Proposed for Debarment. (Oct 2015) (31 U.S.C. 6101 note). _X_ (9) 52.209-9, Updates of Publicly Available Information Regarding Responsibility Matters (Jul 2013) (41 U.S.C. 2313). __ (10) [Reserved]. _ _ (11)(i) 52.219-3, Notice of HUBZone Set-Aside or Sole-Source Award (Nov 2011) ( 15 U.S.C. 657a ). __ (ii) Alternate I (Nov 2011) of 52.219-3. __ (12)(i) 52.219-4, Notice of Price Evaluation Preference for HUBZone Small Business Concerns ( Oct 2014) (if the offeror elects to waive the preference, it shall so indicate in its offer) ( 15 U.S.C. 657a ). __ (ii) Alternate I ( Jan 2011) of 52.219-4. __ (13) [Reserved] __ (14)(i) 52.219-6, Notice of Total Small Business Set-Aside (Nov 2011) ( 15 U.S.C. 644 ). 
__ (ii) Alternate I (Nov 2011). __ (iii) Alternate II (Nov 2011). __ (15)(i) 52.219-7, Notice of Partial Small Business Set-Aside (June 2003) ( 15 U.S.C. 644 ). __ (ii) Alternate I (Oct 1995) of 52.219-7. __ (iii) Alternate II (Mar 2004) of 52.219-7. _X_ (16) 52.219-8, Utilization of Small Business Concerns (Oct 2014) ( 15 U.S.C. 637(d)(2) and (3)). _X_ (17)(i) 52.219-9, Small Business Subcontracting Plan (Oct 2015) ( 15 U.S.C. 637(d)(4) ). __ (ii) Alternate I (Oct 2001) of 52.219-9. __ (iii) Alternate II (Oct 2001) of 52.219-9. __ (iv) Alternate III (Oct 2015) of 52.219-9. __ (18) 52.219-13, Notice of Set-Aside of Orders (Nov 2011)( 15 U.S.C. 644(r) ). __ (19) 52.219-14, Limitations on Subcontracting (Nov 2011) ( 15 U.S.C. 637(a)(14) ). __ (20) 52.219-16, Liquidated Damages-Subcontracting Plan (Jan 1999) ( 15 U.S.C. 637(d)(4)(F)(i) ). __ (21) 52.219-27, Notice of Service-Disabled Veteran-Owned Small Business Set-Aside (Nov 2011) ( 15 U.S.C. 657 f ). _X_ (22) 52.219-28, Post Award Small Business Program Rerepresentation (Jul 2013) ( 15 U.S.C. 632(a)(2) ). __ (23) 52.219-29, Notice of Set-Aside for Economically Disadvantaged Women-Owned Small Business (EDWOSB) Concerns (Jul 2013) ( 15 U.S.C. 637(m) ). __ (24) 52.219-30, Notice of Set-Aside for Women-Owned Small Business (WOSB) Concerns Eligible Under the WOSB Program (Jul 2013) ( 15 U.S.C. 637(m) ). _X_ (25) 52.222-3, Convict Labor (June 2003) (E.O. 11755). _X_ (26) 52.222-19, Child Labor-Cooperation with Authorities and Remedies (Jan 2014) (E.O. 13126). _X_ (27) 52.222-21, Prohibition of Segregated Facilities (Apr 2015). _X_ (28) 52.222-26, Equal Opportunity (Apr 2015) (E.O. 11246). _X_ (29) 52.222-35, Equal Opportunity for Veterans (Oct 2015)( 38 U.S.C. 4212 ). _X_ (30) 52.222-36, Equal Opportunity for Workers with Disabilities (Jul 2014) ( 29 U.S.C. 793 ). _X_ (31) 52.222-37, Employment Reports on Veterans ( Oct 2015) (38 U.S.C. 4212). 
_X_ (32) 52.222-40, Notification of Employee Rights Under the National Labor Relations Act (Dec 2010) (E.O. 13496). _X _ (33)(i) 52.222-50, Combating Trafficking in Persons (Mar 2015) ( 22 U.S.C. chapter 78 and E.O. 13627). __ (ii) Alternate I (Mar 2015) of 52.222-50 ( 22 U.S.C. chapter 78 and E.O. 13627). _X_ (34) 52.222-54, Employment Eligibility Verification ( Oct 2015 ). (Executive Order 12989). (Not applicable to the acquisition of commercially available off-the-shelf items or certain other types of commercial items as prescribed in 22.1803.) _X_ (35)(i) 52.223-9, Estimate of Percentage of Recovered Material Content for EPA-Designated Items (May 2008) ( 42 U.S.C. 6962(c)(3)(A)(ii) ). (Not applicable to the acquisition of commercially available off-the-shelf items.) __ (ii) Alternate I (May 2008) of 52.223-9 ( 42 U.S.C. 6962(i)(2)(C) ). (Not applicable to the acquisition of commercially available off-the-shelf items.) __ (36)(i) 52.223-13, Acquisition of EPEAT®-Registered Imaging Equipment ( Jun 2014 ) (E.O. 13423 and 13514). __ (ii) Alternate I (Oct 2015) of 52.223-13. __ (37)(i) 52.223-14, Acquisition of EPEAT®-Registered Televisions (E.O. 13423 and 13514). __ (ii) Alternate I (Jun 2014) of 52.223-14. __ (38) 52.223-15, Energy Efficiency in Energy-Consuming Products ( Dec 2007 ) ( 42 U.S.C. 8259b ). __ (39)(i) 52.223-16, Acquisition of EPEAT®-Registered Personal Computer Products ( Oct 2015 ) (E.O. 13423 and 13514). __ (ii) Alternate I (Jun 2014) of 52.223-16. _X_ (40) 52.223-18, Encouraging Contractor Policies to Ban Text Messaging While Driving ( Aug 2011 ) (E.O. 13513). __ (41) 52.225-1, Buy American-Supplies (May 2014) ( 41 U.S.C. chapter 83 ). __ (42)(i) 52.225-3, Buy American-Free Trade Agreements-Israeli Trade Act (May 2014) ( 41 U.S.C. chapter 83, 19 U.S.C. 3301 note, 19 U.S.C. 2112 note, 19 U.S.C. 3805 note, 19 U.S.C. 4001 note, Pub. L. 103-182, 108-77, 108-78, 108-286, 108-302, 109-53, 109-169, 109-283, 110-138, 112-41, 112-42, and 112-43. 
__ (ii) Alternate I (May 2014) of 52.225-3. __ (iii) Alternate II (May 2014) of 52.225-3. __ (iv) Alternate III (May 2014) of 52.225-3. __ (43) 52.225-5, Trade Agreements ( Nov 2013 ) ( 19 U.S.C. 2501, et seq., 19 U.S.C. 3301 note). _X_ (44) 52.225-13, Restrictions on Certain Foreign Purchases (June 2008) (E.O.'s, proclamations, and statutes administered by the Office of Foreign Assets Control of the Department of the Treasury). __ (45) 52.225-26, Contractors Performing Private Security Functions Outside the United States (Jul 2013) (Section 862, as amended, of the National Defense Authorization Act for Fiscal Year 2008; 10 U.S.C. 2302 Note). __ (46) 52.226-4, Notice of Disaster or Emergency Area Set-Aside (Nov 2007) ( 42 U.S.C. 5150 ). __ (47) 52.226-5, Restrictions on Subcontracting Outside Disaster or Emergency Area (Nov 2007) ( 42 U.S.C. 5150 ). __ (48) 52.232-29, Terms for Financing of Purchases of Commercial Items (Feb 2002) ( 41 U.S.C. 4505, 10 U.S.C. 2307(f) ). __ (49) 52.232-30, Installment Payments for Commercial Items (Oct 1995) ( 41 U.S.C. 4505, 10 U.S.C. 2307(f) ). _X_ (50) 52.232-33, Payment by Electronic Funds Transfer-System for Award Management (Jul 2013) ( 31 U.S.C. 3332 ). __ (51) 52.232-34, Payment by Electronic Funds Transfer-Other than System for Award Management (Jul 2013) ( 31 U.S.C. 3332 ). __ (52) 52.232-36, Payment by Third Party (May 2014) ( 31 U.S.C. 3332 ). __ (53) 52.239-1, Privacy or Security Safeguards (Aug 1996) ( 5 U.S.C. 552a ). __ (54)(i) 52.247-64, Preference for Privately Owned U.S.-Flag Commercial Vessels (Feb 2006) ( 46 U.S.C. Appx. 1241(b) and 10 U.S.C. 2631 ). __ (ii) Alternate I (Apr 2003) of 52.247-64. 
(c) The Contractor shall comply with the FAR clauses in this paragraph (c), applicable to commercial services, that the Contracting Officer has indicated as being incorporated in this contract by reference to implement provisions of law or Executive orders applicable to acquisitions of commercial items: [ Contracting Officer check as appropriate. ] __ (1) 52.222-17, Nondisplacement of Qualified Workers (May 2014) (E.O.13495). __ (2) 52.222-41, Service Contract Labor Standards (May 2014) ( 41 U.S.C. chapter 67 ). __ (3) 52.222-42, Statement of Equivalent Rates for Federal Hires (May 2014) ( 29 U.S.C. 206 and 41 U.S.C. chapter 67 ). __ (4) 52.222-43, Fair Labor Standards Act and Service Contract Labor Standards-Price Adjustment (Multiple Year and Option Contracts) (May 2014) ( 29 U.S.C. 206 and 41 U.S.C. chapter 67 ). __ (5) 52.222-44, Fair Labor Standards Act and Service Contract Labor Standards-Price Adjustment (May 2014) ( 29 U.S.C. 206 and 41 U.S.C. chapter 67 ). __ (6) 52.222-51, Exemption from Application of the Service Contract Labor Standards to Contracts for Maintenance, Calibration, or Repair of Certain Equipment-Requirements (May 2014) ( 41 U.S.C. chapter 67 ). __ (7) 52.222-53, Exemption from Application of the Service Contract Labor Standards to Contracts for Certain Services-Requirements (May 2014) ( 41 U.S.C. chapter 67 ). __ (8) 52.222-55, Minimum Wages Under Executive Order 13658 (Dec 2014) (Executive Order 13658). __ (9) 52.226-6, Promoting Excess Food Donation to Nonprofit Organizations (May 2014) ( 42 U.S.C. 1792 ). __ (10) 52.237-11, Accepting and Dispensing of $1 Coin (Sept 2008) ( 31 U.S.C. 5112(p)(1) ). (d) Comptroller General Examination of Record. The Contractor shall comply with the provisions of this paragraph (d) if this contract was awarded using other than sealed bid, is in excess of the simplified acquisition threshold, and does not contain the clause at 52.215-2, Audit and Records-Negotiation. 
(1) The Comptroller General of the United States, or an authorized representative of the Comptroller General, shall have access to and right to examine any of the Contractor's directly pertinent records involving transactions related to this contract. (2) The Contractor shall make available at its offices at all reasonable times the records, materials, and other evidence for examination, audit, or reproduction, until 3 years after final payment under this contract or for any shorter period specified in FAR Subpart 4.7, Contractor Records Retention, of the other clauses of this contract. If this contract is completely or partially terminated, the records relating to the work terminated shall be made available for 3 years after any resulting final termination settlement. Records relating to appeals under the disputes clause or to litigation or the settlement of claims arising under or relating to this contract shall be made available until such appeals, litigation, or claims are finally resolved. (3) As used in this clause, records include books, documents, accounting procedures and practices, and other data, regardless of type and regardless of form. This does not require the Contractor to create or maintain any record that the Contractor does not maintain in the ordinary course of business or pursuant to a provision of law. (e)(1) Notwithstanding the requirements of the clauses in paragraphs (a), (b), (c), and (d) of this clause, the Contractor is not required to flow down any FAR clause, other than those in this paragraph (e)(1) in a subcontract for commercial items. Unless otherwise indicated below, the extent of the flow down shall be as required by the clause- (i) 52.203-13, Contractor Code of Business Ethics and Conduct (Oct 2015) ( 41 U.S.C. 3509 ). (ii) 52.219-8, Utilization of Small Business Concerns (Oct 2014) ( 15 U.S.C. 637(d)(2) and (3)), in all subcontracts that offer further subcontracting opportunities. 
If the subcontract (except subcontracts to small business concerns) exceeds $650,000 ($1.5 million for construction of any public facility), the subcontractor must include 52.219-8 in lower tier subcontracts that offer subcontracting opportunities. (iii) 52.222-17, Nondisplacement of Qualified Workers (May 2014) (E.O. 13495). Flow down required in accordance with paragraph (l) of FAR clause 52.222-17. (iv) 52.222-21, Prohibition of Segregated Facilities (Apr 2015) (v) 52.222-26, Equal Opportunity (Apr 2015) (E.O. 11246). (vi) 52.222-35, Equal Opportunity for Veterans (Oct 2015) ( 38 U.S.C. 4212 ). (vii) 52.222-36, Equal Opportunity for Workers with Disabilities (Jul 2014) ( 29 U.S.C. 793 ). (viii) 52.222-37, Employment Reports on Veterans (Oct 2015) ( 38 U.S.C. 4212 ) (ix) 52.222-40, Notification of Employee Rights Under the National Labor Relations Act (Dec 2010) (E.O. 13496). Flow down required in accordance with paragraph (f) of FAR clause 52.222-40. (x) 52.222-41, Service Contract Labor Standards (May 2014) ( 41 U.S.C. chapter 67 ). (xi) __(A) 52.222-50, Combating Trafficking in Persons (Mar 2015) ( 22 U.S.C. chapter 78 and E.O 13627). __(B) Alternate I (Mar 2015) of 52.222-50 ( 22 U.S.C. chapter 78 and E.O 13627 ). (xii) 52.222-51, Exemption from Application of the Service Contract Labor Standards to Contracts for Maintenance, Calibration, or Repair of Certain Equipment-Requirements (May 2014) ( 41 U.S.C. chapter 67 ). (xiii) 52.222-53, Exemption from Application of the Service Contract Labor Standards to Contracts for Certain Services-Requirements (May 2014) ( 41 U.S.C. chapter 67 ). (xiv) 52.222-54, Employment Eligibility Verification ( Oct 2015 ). (xv) 52.222-55, Minimum Wages Under Executive Order 13658 (Dec 2014) (Executive Order 13658). (xvi) 52.225-26, Contractors Performing Private Security Functions Outside the United States (Jul 2013) (Section 862, as amended, of the National Defense Authorization Act for Fiscal Year 2008; 10 U.S.C. 2302 Note). 
(xvii) 52.226-6, Promoting Excess Food Donation to Nonprofit Organizations (May 2014) ( 42 U.S.C. 1792 ). Flow down required in accordance with paragraph (e) of FAR clause 52.226-6. (xviii) 52.247-64, Preference for Privately Owned U.S.-Flag Commercial Vessels (Feb 2006) ( 46 U.S.C. Appx. 1241(b) and 10 U.S.C. 2631 ). Flow down required in accordance with paragraph (d) of FAR clause 52.247-64. (2) While not required, the contractor may include in its subcontracts for commercial items a minimal number of additional clauses necessary to satisfy its contractual obligations. (End of clause) 52.217-8 Option to Extend Services. As prescribed in 17.208 (f), insert a clause substantially the same as the following: Option to Extend Services (Nov 1999) The Government may require continued performance of any services within the limits and at the rates specified in the contract. These rates may be adjusted only as a result of revisions to prevailing labor rates provided by the Secretary of Labor. The option provision may be exercised more than once, but the total extension of performance hereunder shall not exceed 6 months. The Contracting Officer may exercise the option by written notice to the Contractor prior to the end of the period of performance. (End of clause) 52.217-9 Option to Extend the Term of the Contract. As prescribed in 17.208 (g), insert a clause substantially the same as the following: Option to Extend the Term of the Contract (Mar 2000) (a) The Government may extend the term of this contract by written notice to the Contractor prior to the end of the period of performance provided that the Government gives the Contractor a preliminary written notice of its intent to extend at least 30 days before the contract expires. The preliminary notice does not commit the Government to an extension. (b) If the Government exercises this option, the extended contract shall be considered to include this option clause. 
(c) The total duration of this contract, including the exercise of any options under this clause, shall not exceed 66 months.

Appendix A
NIH Information and Physical Access Security Acquisition/Solicitation Language Rev. -- 08/31/2010

ARTICLE H.. NIH INFORMATION AND PHYSICAL ACCESS SECURITY

This acquisition requires the Contractor to:
- develop, have the ability to access, or host and/or maintain Federal information and/or Federal information system(s).
- access, or use, Personally Identifiable Information (PII), including instances of remote access to or physical removal of such information beyond agency premises or control.
- have regular or prolonged physical access to a "Federally-controlled facility," as defined in FAR Subpart 2.1.

The Contractor and all subcontractors performing under this acquisition shall comply with the following requirements:

a. Information Type
[ ] Administrative, Management and Support Information: ______________________________ ______________________________ ______________________________
[X] Mission Based Information: ______________________________ ______________________________ ______________________________

b. Security Categories and Levels
Confidentiality Level: [ ] Low [X] Moderate [ ] High
Integrity Level: [ ] Low [X] Moderate [ ] High
Availability Level: [ ] Low [X] Moderate [ ] High
Overall Level: [ ] Low [X] Moderate [ ] High

c. Position Sensitivity Designations
The following sensitivity level(s), clearance type(s), and investigation requirements apply to this contract:
[ ] Level 6: Public Trust - High Risk. Contractor/subcontractor employees assigned to Level 6 positions shall undergo a Suitability Determination and Background Investigation (BI).
[X] Level 5: Public Trust - Moderate Risk.
Contractor/subcontractor employees assigned to Level 5 positions with no previous investigation and approval shall undergo a Suitability Determination and a Minimum Background Investigation (MBI), or a Limited Background Investigation (LBI). [ ] Level 1: Non-Sensitive Contractor/subcontractor employees assigned to Level 1 positions shall undergo a Suitability Determination and National Agency Check and Inquiry Investigation (NACI). The Contractor shall submit a roster by name, position, e-mail address, phone number and responsibility, of all staff (including subcontractor staff) working under this acquisition where the Contractor will develop, have the ability to access, or host and/or maintain a federal information system(s). The roster shall be submitted to the Project Officer, with a copy to the Contracting Officer, within 14 calendar days of the effective date of this contract. Any revisions to the roster as a result of staffing changes shall be submitted within 15 calendar days of the change. The Contracting Officer will notify the Contractor of the appropriate level of investigation required for each staff member. An electronic template, "Roster of Employees Requiring Suitability Investigations," is available for contractor use at http://ocio.nih.gov/docs/public/Suitability-roster.xls Suitability Investigations are required for contractors who will need access to NIH information systems and/or to NIH physical space. However, contractors who do not need access to NIH physical space will not need an NIH ID Badge. Each contract employee needing a suitability investigation will be contacted via email by the NIH Office of Personnel Security and Access Control (DPSAC) within 30 days. The DPSAC email message will contain instructions regarding fingerprinting as well as links to the electronic forms contract employees must complete. 
Additional information can be found at the following website: http://idbadge.nih.gov/background/index.asp

All contractor and subcontractor employees shall comply with the conditions established for their designated position sensitivity level prior to performing any work under this contract. Contractors may begin work after the fingerprint check has been completed.

d. Information Security Training

d.1 Mandatory Training
All employees having access to (1) Federal information or a Federal information system or (2) personally identifiable information, shall complete the NIH Information Security Awareness Training course at http://irtsectraining.nih.gov/ before performing any work under this contract. Thereafter, employees having access to the information identified above shall complete an annual NIH-specified refresher course during the life of this contract. The Contractor shall also ensure subcontractor compliance with this training requirement.

d.2 Role-based Training
HHS requires role-based training when responsibilities associated with a given role or position, could, upon execution, have the potential to adversely impact the security posture of one or more HHS systems. Read further guidance at: Secure One HHS Memorandum on Role-Based Training Requirement. For additional information see the following: http://ocio.nih.gov/security/security-communicating.htm#RoleBased

The Contractor shall maintain a list of all information security training completed by each contractor/subcontractor employee working under this contract. The list shall be provided to the Project Officer and/or Contracting Officer upon request.

e. Rules of Behavior
The Contractor shall ensure that all employees, including subcontractor employees, comply with the NIH Information Technology General Rules of Behavior, which are available at http://ocio.nih.gov/security/nihitrob.html.

f. Personnel Security Responsibilities
1.
The Contractor shall notify the Contracting Officer, Project Officer, and I/C ISSO within five working days before a new employee assumes a position that requires a suitability determination or when an employee with a suitability determination or security clearance stops working under this contract. The Government will initiate a background investigation on new employees requiring suitability determination and will stop pending background investigations for employees that no longer work under this acquisition. 2. The Contractor shall provide the Project Officer with the name, position title, e-mail address, and phone number of all new contract employees working under the contract and provide the name, position title and suitability determination level held by the former incumbent. If the employee is filling a new position, the Contractor shall provide a position description and the Government will determine the appropriate suitability level. 3. The Contractor shall provide the Project Officer with the name, position title, and suitability determination level held by or pending for departing employees. Perform and document the actions identified in the Contractor Employee Separation Checklist (attached) when a Contractor/subcontractor employee terminates work under this contract. All documentation shall be made available to the Project Officer and/or Contracting Officer upon request. g. Commitment to Protect Non-Public Departmental Information and Data 1. Contractor Agreement The Contractor, and any subcontractors performing under this contract, shall not release, publish, or disclose non-public Departmental information to unauthorized personnel, and shall protect such information in accordance with provisions of the following laws and any other pertinent laws and regulations governing the confidentiality of such information: - 18 U.S.C. 641 (Criminal Code: Public Money, Property or Records) - 18 U.S.C. 
1905 (Criminal Code: Disclosure of Confidential Information) - Public Law 96-511 (Paperwork Reduction Act) 2. Contractor Employee Non-Disclosure Agreement Each employee, including subcontractors, having access to non-public Department information under this acquisition shall complete the Commitment to Protect Non-Public Information - Contractor Employee Agreement A copy of each signed and witnessed Non-Disclosure agreement shall be submitted to the Project Officer prior to performing any work under this acquisition. h. NIST SP 800-53 Assessment This contract requires the Contractor to develop, host, and/or maintain a Federal information system at the Contractor's or any subcontractors' facility. The Contractor shall submit an annual information security assessment using NIST SP 800-53, Recommended Security Controls for Federal Information Systems. The assessments shall be due annually within 30 days after the anniversary date of the contract, with the final assessment due at contract completion. The assessments shall be based on the Federal IT Security Assessment Framework and NIST SP 800-53 at: NIST SP 800-53, Rev. 3 http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf Annex 1: Baseline Security Controls for Low-Impact Information Systems http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-annex1-updt.pdf Annex 2: Baseline Security Controls for Moderate-Impact Information Systems http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-annex2-updt.pdf Annex 3: Baseline Security Controls for High-Impact Information Systems http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-annex3-updt.pdf The Contractor shall ensure that all of its subcontractors (at all tiers), where applicable, comply with the above reporting requirements. i. 
Information System Security Plan (ISSP)
The Contractor shall update the acceptable ISSP submitted in their proposal every three years following the effective date of the contract or when a major modification has been made to its internal system. One copy each shall be submitted to the Project Officer and Contracting Officer.

j. Loss and/or Disclosure of Personally Identifiable Information (PII) - Notification of Data Breach
The Contractor shall report all suspected or confirmed incidents involving the loss and/or disclosure of PII in electronic or physical form. Notification shall be made to the NIH Incident Response Team via email ( IRT@mail.nih.gov ) within one hour of discovering the incident. The Contractor shall follow up with IRT by completing and submitting one of the following two forms within three (3) work days:
NIH PII Spillage Report [ http://ocio.nih.gov/docs/public/PII_Spillage_Report.doc ]
NIH Lost or Stolen Assets Report [ http://ocio.nih.gov/docs/public/Lost_or_Stolen.doc ]

k. Data Encryption
The following encryption requirements apply to all laptop computers containing HHS data at rest and/or HHS data in transit. The date by which the Contractor shall be in compliance will be set by the Project Officer; however, device encryption shall occur before any sensitive data is stored on the laptop computer/mobile device, or within 45 days of the start of the contract, whichever occurs first.
1. The Contractor shall secure all laptop computers used on behalf of the government using a Federal Information Processing Standard (FIPS) 140-2 compliant whole-disk encryption solution. The cryptographic module used by an encryption or other cryptographic product must be tested and validated under the Cryptographic Module Validation Program to confirm compliance with the requirements of FIPS PUB 140-2 (as amended). For additional information, refer to http://csrc.nist.gov/cryptval.
2.
The Contractor shall secure all mobile devices, including non-HHS laptops and portable media that contain sensitive HHS information by using a FIPS 140-2 compliant product. Data at rest includes all HHS data regardless of where it is stored. 3. The Contractor shall use a FIPS 140-2 compliant key recovery mechanism so that encrypted information can be decrypted and accessed by authorized personnel. Use of encryption keys which are not recoverable by authorized personnel is prohibited. Key recovery is required by " OMB Guidance to Federal Agencies on Data Availability and Encryption ", November 26, 2001, http://csrc.nist.gov/drivers/documents/ombencryption-guidance.pdf. Encryption key management shall comply with all HHS and NIH policies ( http://intranet.hhs.gov/infosec/docs/guidance/hhs_standard_2007.pdf ) and shall provide adequate protection to prevent unauthorized decryption of the information. All media used to store information shall be encrypted until it is sanitized or destroyed in accordance with NIH procedures. Contact the NIH Center for Information Technology for assistance ( http://cit.nih.gov/ProductsAndServices/ServiceCatalog/Services.htm?Service=Media+Sanitization+Service ). l. Physical Access Security In accordance with OMB Memorandum M-05-24, the Contractor shall ensure that background investigations are conducted for all contractor/subcontractor personnel who have (1) access to sensitive information, (2) access to Federal information systems, (3) regular or prolonged physical access to Federally-controlled facilities, or (4) any combination thereof. OMB Memorandum M-05-24 is available at http://www.whitehouse.gov/omb/memoranda/fy2005/m05-24.pdf. Agency personal identification verification policy and procedures are identified below: HHS Office of Security and Drug Testing, Personnel Security/Suitability Handbook (02-01-05): http://www.hhs.gov/oamp/policies/personnel_security_suitability_handbook.html m. 
Vulnerability Scanning Requirements
This acquisition requires the Contractor to host an NIH webpage or database. The Contractor shall conduct periodic and special vulnerability scans, and install software/hardware patches and upgrades to protect automated federal information assets. The minimum requirement shall be to protect against vulnerabilities identified on the SANS Top-20 Internet Security Attack Targets list ( http://www.sans.org/top20/?ref=3706#w1 ). The Contractor shall report the results of these scans to the Project Officer on a monthly basis, with reports due 10 calendar days following the end of each reporting period. The Contractor shall ensure that all of its subcontractors (at all tiers), where applicable, comply with the above requirements.

n. Using Secure Computers to Access Federal Information
1. The Contractor shall use an FDCC compliant computer when processing information on behalf of the Federal government.
2. The Contractor shall install computer virus detection software on all computers used to access information on behalf of the Federal government. Virus detection software and virus detection signatures shall be kept current.

o. Common Security Configurations
1. The Contractor shall ensure new systems are configured with the applicable Federal Desktop Core Configuration (FDCC) ( http://nvd.nist.gov/fdcc/download_fdcc.cfm ) and applicable configurations from http://checklists.nist.gov, as jointly identified by the Operating Division (OPDIV)/Staff Division (STAFFDIV) Contracting Officer's Technical Representative (COTR) and the Chief Information Security Officer (CISO).
2. The Contractor shall ensure hardware and software installation, operation, maintenance, update, and/or patching will not alter the configuration settings specified in: (a) the FDCC ( http://nvd.nist.gov/fdcc/index.cfm ); and (b) other applicable configuration checklists as referenced above.
3.
The Contractor shall ensure applications are fully functional and operate correctly on systems configured in accordance with the above configuration requirements.
4. The Contractor shall ensure applications designed for end users run in the standard user context without requiring elevated administrative privileges.
5. Federal Information Processing Standard 201 (FIPS-201)-compliant, Homeland Security Presidential Directive 12 (HSPD-12) card readers shall: (a) be included with the purchase of servers, desktops, and laptops; and (b) comply with FAR Subpart 4.13, Personal Identity Verification.
6. The Contractor shall ensure that all of its subcontractors (at all tiers) comply with the above requirements.

p. Special Information Security Requirements for Foreign Contractors/Subcontractors
When foreign contractors/subcontractors perform work under this acquisition at non-US Federal Government facilities, provisions of HSPD-12 do NOT apply.

q. REFERENCES: INFORMATION SECURITY INCLUDING PERSONALLY IDENTIFIABLE INFORMATION

r. REFERENCES: PHYSICAL ACCESS SECURITY
PERSONNEL WILL HAVE ACCESS TO, OR USE OF, PERSONALLY IDENTIFIABLE INFORMATION (PII), INCLUDING INSTANCES OF REMOTE ACCESS TO OR PHYSICAL REMOVAL OF SUCH INFORMATION BEYOND AGENCY PREMISES OR CONTROL. FOR ADDITIONAL INFORMATION, SEE:
OMB Memorandum M-06-15, Safeguarding Personally Identifiable Information (05-22-06): http://www.whitehouse.gov/omb/memoranda/fy2006/m-06-15.pdf.
OMB Memorandum M-06-16, Protection of Sensitive Agency Information (06-23-06): http://www.whitehouse.gov/OMB/memoranda/fy2006/m06-16.pdf.
OMB Memorandum M-06-19, Safeguarding Against and Responding to the Breach of Personally Identifiable Information: http://www.whitehouse.gov/omb/memoranda/fy2006/m06-19.pdf.
Guide for Identifying Sensitive Information, including Information in Identifiable Form, at the NIH: http://ocio.nih.gov/security/NIH_Sensitive_Info_Guide.pdf

****

__.
Personally Identifiable Information (PII) Security Plan The Offeror shall submit a PII Security Plan with its technical proposal that addresses each of the following items: 1. Verify the information categorization to ensure the identification of the PII requiring protection. 2. Verify the existing risk assessment. 3. Identify the Contractor's existing internal corporate policy that addresses the information protection requirements of the SOW. 4. Verify the adequacy of the Contractor's existing internal corporate policy that addresses the information protection requirements of the SOW. 5. Identify any revisions, or development, of an internal corporate policy to adequately address the information protection requirements of the SOW. 6. For PII to be physically transported to or stored at a remote site, verify that the security controls of NIST Special Publication 800-53 involving the encryption of transported information will be implemented. http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf 7. When applicable, verify how the NIST Special Publication 800-53 security controls requiring authentication, virtual private network (VPN) connections will be implemented. 8. When applicable, verify how the NIST Special Publication 800-53 security controls enforcing allowed downloading of PII will be implemented. 9. Identify measures to ensure subcontractor compliance with safeguarding PII. The details contained in the Offeror's PII Security Plan must be commensurate with the size and complexity of the contract requirements based on the System Categorization specified above in the subparagraph entitled Security Categories and Levels. The Offeror's PII Security Plan will be evaluated by the Government for appropriateness and adequacy. __. 
Information System Security Plan The Offeror shall submit an Information System Security Plan (ISSP) with its technical proposal using the current template in Appendix A of NIST SP 800-18, Guide to Developing Security Plans for Federal Information Systems ( http://csrc.nist.gov/publications/nistpubs/800-18-Rev1/sp800-18-Rev1-final.pdf ). The details contained in the ISSP must be commensurate with the size and complexity of the contract requirements based on the System Categorization determined above in the subparagraph entitled Security Categories and Levels. The Offeror shall also identify measures to ensure subcontractor compliance with the ISSP. The ISSP will be evaluated by the Government for appropriateness and adequacy. The Contractor will be required to update and resubmit its ISSP every three years following the effective date of the contract or when a major modification has been made to its internal system.
 
Web Link
FBO.gov Permalink
(https://www.fbo.gov/spg/HHS/NIH/OLAO/NIH-OD3342016/listing.html)
 
Place of Performance
Address: Maryland metropolitan area, Bethesda, Maryland, 20892, United States
Zip Code: 20892
 
Record
SN04001101-W 20160128/160126234324-85792ab028126894c3abe68c0c06e0d0 (fbodaily.com)
 
Source
FedBizOpps Link to This Notice
(may not be valid after Archive Date)
