Loren Data's SAM Daily™

FBO DAILY - FEDBIZOPPS ISSUE OF JULY 14, 2016 FBO #5347
SOLICITATION NOTICE

B -- Office of Personnel Management (OPM) Publicly Available Electronic Information (PAEI) Pilot - Pricing sheet - RFQ

Notice Date
7/12/2016
 
Notice Type
Combined Synopsis/Solicitation
 
NAICS
561611 — Investigation Services
 
Contracting Office
Office of Personnel Management, Office of Procurement Operations, Contracting, 1900 E Street, N.W., Room 1342, Washington, District of Columbia, 20415-7710, United States
 
ZIP Code
20415-7710
 
Solicitation Number
OPM1516T0005
 
Archive Date
8/2/2016
 
Point of Contact
Gabriel Lansberry, Fax: (724) 794-7199, Leslie L. Henderson, Fax: (724)794-7199
 
E-Mail Address
Gabriel.Lansberry@opm.gov, leslie.henderson@opm.gov
 
Small Business Set-Aside
N/A
 
Description
PAEI RFQ document
Pricing sheet

Title: Office of Personnel Management (OPM) Publicly Available Electronic Information (PAEI) Pilot
Expected Post Date: July 12, 2016
Expected Response Date: July 26, 2016
Classification Code: NAICS Code: 561611 Investigation Services
Procurement: Purchase Order for Commercial Services

Notice Information
Agency/Office: Office of Personnel Management (OPM) - Office of Procurement Operations (OPO) Contracting Group B (Boyers Group)
Location: Fort Meade, Maryland
Title: Office of Personnel Management (OPM) Publicly Available Electronic Information (PAEI) Pilot

Request for Proposals (RFP) Stipulations:

This is a combined synopsis/solicitation for a commercial service prepared in accordance with Federal Acquisition Regulation (FAR) in Subpart 12.6, as supplemented with additional information included in this notice. This announcement constitutes the only solicitation; proposals are being requested and a SF 1449 will not be issued, in accordance with FAR 12.603(b). The Solicitation number is: OPM1516T0005 and is issued as a Request for Proposals (RFP). This solicitation document incorporates all mandatory commercial item provisions and clauses that are in effect through Federal Acquisition Circular (FAC) 2005-88 dated May 16, 2016. The North American Industrial Classification System (NAICS) code is 561611 and the small business size standard is $20.5 million. This procurement is solicited on a full and open basis to all qualified vendors.

In support of its mission, the U.S. Office of Personnel Management (OPM) will issue a contract to the offeror that represents the best value to the government. The contractor(s) shall provide all accommodations listed in the Performance Work Statement (PWS) with this solicitation under the resulting contract, see PWS detailed below. The period of performance is defined below.
Offerors can e-mail requests for additional information and questions which will only be accepted by Gabriel.Lansberry@opm.gov and Leslie.Henderson@opm.gov through 4:00 pm Eastern Daylight Time (EDT) July 19, 2016 via email only. Offerors are invited to submit their proposals to gabriel.lansberry@opm.gov and Leslie.Henderson@opm.gov in response to this notice no later than 4:00 p.m. Eastern Standard Time (EST) on July 26, 2016, to the contracting office via email only. Proposals submitted in either Word or Adobe PDF response to this notice shall include the solicitation number in the subject line and be signed, dated and submitted via e-mail to Gabriel.Lansberry@opm.gov and Leslie.Henderson@opm.gov. Offerors are solely responsible for ensuring their offer is received at the designated place and time for receipt of offers.

NOTE: Communication with officials other than the contract specialist indicated above may compromise the competitiveness of this acquisition and result in the cancellation of the solicitation and/or exclusion of your proposal.

Statement of Work (SOW)

A. Description:
The Office of Personnel Management-Federal Investigative Services (OPM-FIS) conducts background investigations pertaining to Individual Subjects (Subjects) for the federal government. OPM-FIS is seeking a contract with a vendor for a pilot that will incorporate automated Publicly Available Electronic Information (PAEI) searches into the background investigation process. For the purposes of this pilot, PAEI is defined as any information that has been published or broadcast for public consumption, is available on request to the public, is accessible on-line or otherwise to the public, is available to the public by subscription or purchase, or is otherwise lawfully accessible to the public.

B. Background:
The U.S. Office of Personnel Management's (OPM) Federal Investigative Services (FIS) provides background investigation (BI) products/services to departments and agencies of the federal government. BIs are required to determine an individual Subject's eligibility for access to classified information, assignment to or retention in positions with sensitive duties, or other designated duties requiring such investigations. The investigations often involve personal and intimate details of the Subject's life and must be processed and conducted with tact and discretion. Information collected by the contractor, as part of the BIs, is protected under the Privacy Act of 1974.

C. Purpose and Scope
OPM-FIS conducts background investigations for the federal government. For the purposes of this pilot, PAEI is defined as any information that has been published or broadcast for public consumption, is available on request to the public, is accessible on-line or otherwise to the public, is available to the public by subscription or purchase or is otherwise lawfully accessible to the public. OPM-FIS is seeking to contract with a vendor who has documented experience in conducting automated PAEI checks for other federal government agencies to participate in a pilot that will incorporate PAEI searches into the background investigation process. The awarded contractor will have employees working on this pilot sign non-disclosure agreements.

D. Deliverables

1. DELIVERABLES
• 400 PAEI reports delivered electronically that are in .pdf or .tif format compliant with requirements of this statement of work.
• Metrics reports will be delivered at the end of each month.
• Case level metrics will include:
  o Percentage of 'no record' results
  o Percentage of results with no reportable information (e.g., a record exists, but no reportable information as it does not meet an adjudicative guideline)
  o Percentage of cases with reportable information based on adjudicative guidelines above
  o Percentage of reportable information found per each adjudicative guideline
  o Percentage of reportable information found per each website
• Issue level metrics will include:
  o Total number of issues found
  o Average number of issues found per investigation
• Timeliness metrics to include average time required for each PAEI search from vendor's receipt of OPM-supplied data to delivery of PAEI report to OPM.
• Contractor must provide customer with technical support ensuring successful exchanges of data files until all PAEI reports have been provided to OPM-FIS.
• Contractor will provide a list of all key personnel affiliated with the PAEI project, including their resumes. The vendor must immediately notify OPM-FIS upon any changes in key personnel.
• Signed non-disclosures in a format approved by OPM for all personnel working on the contract.

2. LABOR
The contractor shall provide all labor needed for the performance of this contract except as otherwise set forth in this statement of work (SOW).

3. GOVERNMENT PROPERTY - LIFE OF CONTRACT
The government shall provide appropriate data so the contractor can perform the searches.

4. MATERIALS
OPM-FIS will provide pertinent SF86 data to the PAEI vendor for processing via a secure automated interface provided by OPM with the files password protected. Data will be transmitted via secure, automated interface in the agreed upon format (e.g., .pdf, .tif, etc) on a mutually agreeable schedule. OPM-FIS will transmit the data, approximately 20-50 cases per week, for a period of up to one year. The vendor will transmit results of PAEI checks to OPM-FIS via a secure automated interface provided by OPM with the files password protected.

5. SECURE STORAGE FOR INVESTIGATIVE MATERIALS
All personally identifiable information (PII) on Subjects involved in this pilot will be handled and maintained in accordance with the Privacy Act and established System of Record Notices. PII will be exchanged with data providers only as necessary and in an approved secure manner. At no time will a commercial entity retain information used to conduct a check in association with this evaluation beyond the length of time required for billing purposes or by law. The contractor is required to maintain strict security measures in all its operations and provide secure storage for investigative materials. Contractor facilities must have been inspected and approved by OPM for the handling and storage of investigative material. The contractor shall consider investigative material sensitive, unclassified material subject to the Privacy Act of 1974, but the investigative material shall be handled in a manner appropriate for sensitive information. Contractor, subcontractor and consultant personnel will comply with all applicable provisions of the National Industrial Security Program Operating Manual (NISPOM) and any revisions to that manual. The contractor will delete or destroy all PII data and any data captured in PAEI reports upon receipt of the PAEI reports by OPM-FIS. The contractor will return the reports in a secure method outlined by OPM. All contractor personnel affiliated with the PAEI product must sign an OPM-FIS non-disclosure agreement.

6. GOVERNMENT QUALITY ASSURANCE SURVEILLANCE PLAN
The government retains the right to perform a quality assessment of the contractor provided reports for accuracy and compliance with the requirements set forth.

7. QUALITY
The contractor shall conduct a pre-submission quality review of all reports to assure compliance with this statement of work.

E. Deliveries or Performance
PAEI reports from the contractor must be provided to OPM-FIS within three business days of receipt of required identifying data on the Subjects from OPM-FIS.

F. Contract Administration Data

1. LIMITATION OF TECHNICAL DIRECTION FROM THE COR
a. Performance of work under this contract will be subject to the technical direction of the COR or a designated representative.
b. Technical direction must be within the scope of Section D of the contract. The COR does not have the authority to issue any technical direction which:
  (1) constitutes a change of assignment of additional work outside Section D;
  (2) constitutes a change as defined in FAR clause 52.212-4, Contract Terms and Conditions-Commercial Items;
  (3) in any manner causes an increase or decrease in the contract price or the time required for contract performance;
  (4) changes any of the terms, conditions or specifications of the contract; or
  (5) interferes with the contractor's right to perform under the terms and conditions of the contract.

2. CONTRACTOR'S INVOICES
The contractor can provide valid invoices monthly for work performed and accepted by the government for the duration of the pilot project. Invoices must be submitted following the procedures in OPM Clause 1752.232-70 (for large businesses) or 1752.232-73 (for small businesses).

3. CONTRACT TERMINATION
OPM agrees that if it exercises its right to terminate the contract pursuant to the provisions of FAR clause 52.212-4, Contract Terms and Conditions-Commercial Items, termination will not apply to scheduled work, which shall be completed no later than the due date of the case after the issuance of the Notice of Termination as specified at FAR clause 52.249-2(a).

G. Special Contract Requirements

1. CONTRACT TYPE
This contract is a firm fixed price contract, with 400 cases to be ordered for review under this pilot with an optional quantity of 400 additional cases.

2. NEGLIGENCE OR MISCONDUCT BY CONTRACTOR EMPLOYEES OR SUBCONTRACTORS
a. Because this contract is essential to the national security of the United States, all persons performing work under this contract are held to the highest ethical standard. The contractor shall exhibit high ethical and professional standards as set forth in pertinent OPM guidance in the performance of all fieldwork performed under this contract. At OPM's discretion, any contractor personnel may be immediately suspended or terminated from this contract for any cause deemed detrimental by OPM.
b. Contractor personnel are not government employees and do not represent a business concern or other organization owned in whole or in part by the government, or substantially owned by one or more government employees. At no time shall any contractor personnel represent themselves as a government employee. The government shall not be liable for actions of contractor personnel performing under this contract.
c. If any action or misconduct by a contractor employee or subcontractor that might adversely affect: (1) the integrity of an investigative product or OPM's automated system; (2) OPM's access to source information; (3) a Subject or source's privacy rights; (4) the security of investigative material or OPM equipment or facilities; (5) the individual's basic suitability to perform work under this contract; or (6) workplace safety, is of concern to OPM. is discovered by the contractor, the contractor shall immediately notify OPM of the adversarial individual's identity, the nature of the alleged negligence or misconduct and any investigations that may require review and/or reopening.
d. Each contractor personnel working on this contract must sign a non-disclosure agreement and provide it to the Contracting Officer prior to work on the contract.

3. REQUIRED INSURANCE
a. The contractor shall be solely responsible for procuring and maintaining all necessary insurance and any other licenses, bonds or approvals that may be required by State and local laws to perform the duties described under this contract if such licenses, bonds or approvals have been or would be found to be applicable by a court of competent jurisdiction.

4. RESPONSIBILITY FOR LOSS, PERSONAL INJURY OF CONTRACTOR PERSONNEL
a. The government will not be responsible or held liable for any loss, damage, personal injury or loss of life of contractor personnel, not caused by the fault, negligence or wrongful omission of the government, its agents or its employees, occurring at any time such personnel are entering, exiting, using or occupying government property or facilities in performance of this contract.
b. The contractor shall be liable and will indemnify and hold harmless the government, its agents and employees, against all actions or claims for damages to persons, property, including death not caused by the fault, negligence, wrongful act or wrongful omission of the government, its agents or employees. The contractor shall be liable and will indemnify and hold harmless the government, its agents and employees against all action or claims for all damages to persons or property, including death arising or resulting from the fault, negligence, wrongful act or wrongful omission of the contractor personnel in accordance with the Federal Tort Claim Act (28 U.S.C. 2671-2680).

5. ALL ITEMS TO BECOME PROPERTY OF THE GOVERNMENT
a. Title to all materials and work in process acquired or produced by the contractor for performance under this contract and chargeable thereto as well as title to all source data information and materials furnished to the government, together with all plans, systems analysis and design specifications and drawings, completed programs and documentation thereof, reports and listings, all tapes, disk files and all other items pertaining to the work and services to be performed pursuant to the agreement, including any copyright, are the property of the government during the performance period of the contract, and will remain with the government upon completion of the contract. The government will have the full right to use each of these for its purposes without compensation or approval on the part of the contractor.
b. All materials furnished to and/or maintained or developed by the contractor in connection with performing work under this contract, such as operational instructions, reference and training material, and investigative lead lists will be the property of OPM.
c. Nothing under this clause shall relieve the contractor or the government of any of their respective rights or obligations under this contract.

6. DISCLOSURE OF INFORMATION
a. Except as otherwise specifically provided, any information made available to the contractor by the government will be used only for the purpose of carrying out the provisions of this contract. It will not be divulged or made known in any manner to any persons except as may be necessary in the performance of the contract or other OPM approved system.
b. In performance of this contract, the contractor assumes responsibility for protection of the confidentiality of government records and will ensure that its subcontractors, employees and consultants will also protect the confidentiality of government records.

7. LIMITED DISTRIBUTION OF DATA AND INFORMATION
a. Performance of this contract may require the contractor to have access to or use data and information which may be considered restricted by other customers. Disseminating or using such data or information, other than in performing this contract, could be adverse to the interest of the government and others.
b. Contractor personnel shall not divulge or release data or information developed or obtained in connection with the performance of this contract to anyone other than authorized OPM personnel.
c. Except as otherwise agreed to with a data owner, the contractor shall not use, disclose or reproduce proprietary data belonging to other customers and which bears a restrictive legend, other than as specifically required in performing this contract. Nothing in this provision shall be construed as:
  1. precluding the use of any data independently acquired by the contractor without such limitation; and
  2. prohibiting an agreement, at no cost or other obligation to the government, between the contractor and the data owner providing for greater rights to the contractor.

8. CONFIDENTIALITY OF DATA
a. It is anticipated that the performance of this contract will require the contractor to have access to confidential data and information. In order to protect the interests of the parties with respect to such information and data, the contractor agrees:
  1. not to disclose the above types of information and data without the written consent of the Contracting Officer; and
  2. to abide by the restrictive legends contained on any such data.

9. ORGANIZATIONAL CONFLICTS OF INTEREST
a. The contractor warrants that, to the best of the contractor's knowledge and belief, there are no relevant facts or circumstances which could give rise to an organizational conflict of interest (OCI), as defined in FAR 9.5, Organizational and Consultants Conflicts of Interest, or that the contractor has disclosed all such relevant information.
b. The contractor agrees that if an actual or potential OCI is discovered after award, the contractor shall make a full disclosure in writing to the Contracting Officer. This disclosure must include a description of actions, which the contractor has taken or proposes to take, after consultation with the Contracting Officer, to avoid, mitigate or neutralize the actual or potential conflict.
c. The Contracting Officer may terminate this contract for the convenience, in whole or in part, if it deems such termination necessary to avoid an OCI. If the contractor was aware of a potential OCI prior to award or discovered an actual or potential conflict after award and did not disclose or misrepresented relevant information to the Contracting Office, the government may terminate the contract for default, debar the contractor from government contracting or pursue such other remedies as may be permitted by law or this contract.
d. The contractor must include this clause in all subcontracts and in lower tier subcontracts unless a waiver is requested from, and granted by, the Contracting Officer.
e. In the event that a requirement changes in such a way as to create a potential conflict of interest for the OPM will require the contractor and its employees to sign a non-disclosure form.

10. ACCESS TO CASE MATERIAL
a. OPM is responsible for the protection of its automated systems, the information processed by these systems and all investigative materials received, distributed or retained by FIS. To ensure fulfillment of this responsibility, OPM requires the contractor to adhere to all policies and procedures specified in the OPM-FIS Security Manual, NISPOM and OPM computer security policies.
b. The contractor must be in complete compliance with all security requirements prior to starting work under this contract and must maintain compliance throughout the life of the contract.
c. If at any time during contract performance a contractor employee commits a computer security violation, OPM will immediately terminate the contractor's system access pending investigation. OPM may require the contractor to remove individuals from work on this contract, at any time, as a result of individual security violations. If at any time during contract performance it is determined that the contractor is not in full compliance with the security requirements of this contract, the government may immediately suspend performance under this contract and require the immediate return of all case materials to the government at full contractor expense. Any work suspension resulting from a security lapse will not be subject to equitable adjustment; all costs incurred shall be borne by the contractor.

11. FREEDOM OF INFORMATION/PRIVACY ACT PROVISIONS
a. The contractor shall perform certain processes that must meet the requirements of OPM/Central 9 System of Records, "Personnel Investigation Records" (58 Fed. Reg. 19184 (1993)) to accomplish any agency function under the Privacy Act, see 5 U.S.C. 552a, 5 CFR Part 293. See also FAR Clauses 52.224-1 and 52.224-2. Violation of the Privacy Act may involve imposition of criminal penalties. These records are considered "agency records" subject to the Freedom of Information Act (FOIA). See 5 U.S.C. 552. These records may be released by OPM in accordance with applicable FOIA provisions.
b. Safeguarding Information - OPM regulations require safeguarding information about individuals (see 5 CFR 293.106(b) and 293.107). The contractor shall provide acceptable secured capability for investigative materials. All materials, including investigative notes and computer files, must be locked in a secured area when not under the direct supervision of contractor personnel.

H. Period of Performance
The period of performance is one (1) year.

I. Instructions to Offerors
The provision at 52.212-1, Instructions to Offerors - Commercial, applies to this acquisition.

Addenda to 52.212-1:

1. Proposal Response Due Date
Proposals shall be received no later than 4:00 PM Eastern Daylight Time (EDT), July 26, 2016. Proposals submitted in response to this notice shall include the solicitation number in the subject line and be signed, dated and submitted via email to gabriel.lansberry@opm.gov and leslie.henderson@opm.gov. Offerors are solely responsible for ensuring their proposals are received at the designated time and place for receipt of proposals.

2. Proposal Submission Instructions
Technical and Pricing proposals MUST be in two separate volumes - Each of the parts shall be separate and complete, so that evaluation of one may be accomplished independently of and concurrently with the evaluation of the others. If your technical and price proposal is not submitted in two separate files, your response to this solicitation will be considered non-responsive and withdrawn from consideration.

Responsiveness - Only those proposals that fully meet all the requirements as outlined in the PWS and that respond to the Instructions to Offerors will be considered responsive, which will receive further consideration and continue in this procurement action. All Non-Responsive offerors will not receive any further consideration and will be eliminated from this procurement action.

The submission shall be clearly indexed and logically assembled. Each volume shall be clearly identified and shall begin at the top of a page. All pages of each volume shall be appropriately numbered and identified by the complete company name, date and solicitation number in the header and/or footer. A Table of Contents should be created.
Files shall use the following Page Setup parameters:
Margins - Top, Bottom, Left, Right - 1"
Gutter - 0"
From Edge - Header, Footer - 0.5"
Page Size, Width - 8.5"
Page Size, Height - 11"

The following additional restrictions apply:
• Each paragraph shall be separated by at least one blank line.
• A standard, 11-point minimum font size applies.
• Tables and illustrations may use a reduced font size not less than 8-point and may be landscape.

Proposal page limits are as follows:
• Technical Proposal - 15 pages maximum
• Price Proposal - no page limit

Proposals that exceed the page limits above will be considered non-responsive and will not be given any further consideration. Page numbers, headers and footers may be within the page margins ONLY, and are not bound by the font requirements. Company logos are prohibited with the exception of the Title Page. The page limits are applicable to graphs, tables, drawings and any other attachments submitted with the proposals and not specifically excluded by the solicitation. Any index, table of contents, glossary, company brochures, etc. will not be included in the maximum page limitation.

The technical proposal shall consist of a written response to each of the technical evaluation factors identified in FAR 52.212-2:
- Factor 1: Past Performance
- Factor 2: Knowledge and Application of the Adjudicative Guidelines for Determining Eligibility for Access to Classified Information
- Factor 3: Demonstration that the vendor is compliant with the Fair Credit Reporting Act

The price proposal shall consist of the following:
- Submission of information as required per FAR 52.212-1(b)
- Completion of Attachment 2 - Pricing Sheet
- Completion of FAR 52.212-3, Offeror Representations and Certifications-Commercial Items

3. Communications and Questions
All communications and questions concerning this solicitation including requests for clarification shall be made in writing to gabriel.lansberry@opm.gov and leslie.henderson@opm.gov.
All questions and OPM's response will be answered and provided to all offerors via posting on www.fbo.gov. Same/similar questions will be grouped together for a single response. Responses to questions will not reference the inquiring interested vendor. The due date for communications and questions concerning this solicitation are due NO LATER THAN 4:00 P.M. Eastern Standard Time on July 19, 2016. Electronic submission of questions and comments shall be emailed to gabriel.lansberry@opm.gov and leslie.henderson@opm.gov. For submission of questions and comments, refer to the specific text of this solicitation. Use the following header in the email subject line.

Subject: RFP No. OPM1516T0005- Office of Personnel Management (OPM) Publicly Available Electronic Information.
Reference: RFP Section, Paragraph(s), Page(s).

As soon as an offeror is aware of any problem or ambiguity in the specifications, terms or conditions, instructions or evaluation criteria of this solicitation, they must notify the OPM Contracting Officer listed above.

Note: Communications with officials other than the OPM Contracting Officer / Contracting Specialist may compromise the competitiveness of this acquisition and result in the cancellation of the solicitation and/or exclusion of your proposal. All communications MUST be in writing and submitted via email to the Contracting Specialist listed above.

J. Evaluation Criteria
The provision at 52.212-2, Evaluation - Commercial Items, applies to this acquisition:

FAR 52.212-2 Evaluation -- Commercial Items (Oct 2014)

(a) The Government will award a contract resulting from this solicitation to the responsible offeror whose offer conforming to the solicitation will be most advantageous to the Government, price and other factors considered.
The following factors shall be used to evaluate offers:

Factor 1: Past Performance: demonstrates experience with other federal government agencies performing similar work within the last three years, to include samples of both a favorable and a non-favorable PAEI report that demonstrate requirements outlined in this document; demonstrates ability to accurately match Subjects with their on-line identity; demonstrates experience in providing secure receipt, retention and delivery of agency data resulting in securely delivered reports; and demonstrates the ability to protect the Subject's 1st amendment rights through proper reporting of the information per the requirements of this statement of work.

Factor 2: Knowledge and Application of the Adjudicative Guidelines for Determining Eligibility for Access to Classified Information: demonstrates knowledge of the adjudicative guidelines; demonstrates how the adjudicative guidelines are applied in the final report ensuring reports only include relevant information as defined by the adjudicative guidelines.

Factor 3: Demonstration that the vendor is compliant with the Fair Credit Reporting Act

Factor 4: Price: will be evaluated to determine if it is:
• Realistic for the work to be performed
• A reflection of a clear understanding of the requirements

Technical and past performance, when combined, are significantly more important than price.

(b) Options. The Government will evaluate offers for award purposes by adding the total price for all options to the total price for the basic requirement. The Government may determine that an offer is unacceptable if the option prices are significantly unbalanced. Evaluation of options shall not obligate the Government to exercise the option(s).

(c) A written notice of award or acceptance of an offer, mailed or otherwise furnished to the successful offeror within the time for acceptance specified in the offer, shall result in a binding contract without further action by either party.
Before the offer's specified expiration time, the Government may accept an offer (or part of an offer), whether or not there are negotiations after its receipt, unless a written notice of withdrawal is received before award.

K. Applicable FAR Provisions and Clauses:

52.252-2 -- Clauses Incorporated by Reference (Feb 1998)
This contract incorporates one or more clauses by reference, with the same force and effect as if they were given in full text. Upon request, the Contracting Officer will make their full text available. Also, the full text of a clause may be accessed electronically at this/these address(es):
http://farsite.hill.af.mil/vffara.htm
https://www.acquisition.gov/?q=browsefar

52.212-4, Contract Terms and Conditions-Commercial Items (MAY 2015) (Incorporated by Reference)

Provisions and Clauses Incorporated by Full Text:

52.204-19 Incorporation by Reference of Representations and Certifications (DEC 2014)
The Contractor's representations and certifications, including those completed electronically via the System for Award Management (SAM), are incorporated by reference into the contract.

52.212-3 Offeror Representations and Certifications-Commercial Items (April 2016)
The Offeror shall complete only paragraph (b) of this provision if the Offeror has completed the annual representations and certification electronically via the System for Award Management (SAM) website accessed through http://www.acquisition.gov. If the Offeror has not completed the annual representations and certifications electronically, the Offeror shall complete only paragraphs (c) through (r) of this provision.

(a) Definitions.
As used in this provision- "Economically disadvantaged women-owned small business (EDWOSB) concern" means a small business concern that is at least 51 percent directly and unconditionally owned by, and the management and daily business operations of which are controlled by, one or more women who are citizens of the United States and who are economically disadvantaged in accordance with 13 CFR part 127. It automatically qualifies as a women-owned small business eligible under the WOSB Program. "Forced or indentured child labor" means all work or service- (1) Exacted from any person under the age of 18 under the menace of any penalty for its nonperformance and for which the worker does not offer himself voluntarily; or (2) Performed by any person under the age of 18 pursuant to a contract the enforcement of which can be accomplished by process or penalties. "Highest-level owner" means the entity that owns or controls an immediate owner of the offeror, or that owns or controls one or more entities that control an immediate owner of the offeror. No entity owns or exercises control of the highest level owner. "Immediate owner" means an entity, other than the offeror, that has direct control of the offeror. Indicators of control include, but are not limited to, one or more of the following: ownership or interlocking management, identity of interests among family members, shared facilities and equipment, and the common use of employees. "Inverted domestic corporation", means a foreign incorporated entity that meets the definition of an inverted domestic corporation under 6 U.S.C. 395(b), applied in accordance with the rules and definitions of 6 U.S.C. 395(c). 
"Manufactured end product" means any end product in product and service codes (PSCs) 1000-9999, except- (1) PSC 5510, Lumber and Related Basic Wood Materials; (2) Product or Service Group (PSG) 87, Agricultural Supplies; (3) PSG 88, Live Animals; (4) PSG 89, Subsistence; (5) PSC 9410, Crude Grades of Plant Materials; (6) PSC 9430, Miscellaneous Crude Animal Products, Inedible; (7) PSC 9440, Miscellaneous Crude Agricultural and Forestry Products; (8) PSC 9610, Ores; (9) PSC 9620, Minerals, Natural and Synthetic; and (10) PSC 9630, Additive Metal Materials. "Place of manufacture" means the place where an end product is assembled out of components, or otherwise made or processed from raw materials into the finished product that is to be provided to the Government. If a product is disassembled and reassembled, the place of reassembly is not the place of manufacture. "Predecessor" means an entity that is replaced by a successor and includes any predecessors of the predecessor. "Restricted business operations" means business operations in Sudan that include power production activities, mineral extraction activities, oil-related activities, or the production of military equipment, as those terms are defined in the Sudan Accountability and Divestment Act of 2007 (Pub. L. 110-174). 
Restricted business operations do not include business operations that the person (as that term is defined in Section 2 of the Sudan Accountability and Divestment Act of 2007) conducting the business can demonstrate- (1) Are conducted under contract directly and exclusively with the regional government of southern Sudan; (2) Are conducted pursuant to specific authorization from the Office of Foreign Assets Control in the Department of the Treasury, or are expressly exempted under Federal law from the requirement to be conducted under such authorization; (3) Consist of providing goods or services to marginalized populations of Sudan; (4) Consist of providing goods or services to an internationally recognized peacekeeping force or humanitarian organization; (5) Consist of providing goods or services that are used only to promote health or education; or (6) Have been voluntarily suspended. "Sensitive technology"- (1) Means hardware, software, telecommunications equipment, or any other technology that is to be used specifically- (i) To restrict the free flow of unbiased information in Iran; or (ii) To disrupt, monitor, or otherwise restrict speech of the people of Iran; and (2) Does not include information or informational materials the export of which the President does not have the authority to regulate or prohibit pursuant to section 203(b)(3) of the International Emergency Economic Powers Act (50 U.S.C. 1702(b)(3)). 
"Service-disabled veteran-owned small business concern"- (1) Means a small business concern- (i) Not less than 51 percent of which is owned by one or more service-disabled veterans or, in the case of any publicly owned business, not less than 51 percent of the stock of which is owned by one or more service-disabled veterans; and (ii) The management and daily business operations of which are controlled by one or more service-disabled veterans or, in the case of a service-disabled veteran with permanent and severe disability, the spouse or permanent caregiver of such veteran. (2) Service-disabled veteran means a veteran, as defined in 38 U.S.C. 101(2), with a disability that is service-connected, as defined in 38 U.S.C. 101(16). "Small business concern" means a concern, including its affiliates, that is independently owned and operated, not dominant in the field of operation in which it is bidding on Government contracts, and qualified as a small business under the criteria in 13 CFR Part 121 and size standards in this solicitation. "Small disadvantaged business concern", consistent with 13 CFR 124.1002, means a small business concern under the size standard applicable to the acquisition, that- (1) Is at least 51 percent unconditionally and directly owned (as defined at 13 CFR 124.105) by- (i) One or more socially disadvantaged (as defined at 13 CFR 124.103) and economically disadvantaged (as defined at 13 CFR 124.104) individuals who are citizens of the United States; and (ii) Each individual claiming economic disadvantage has a net worth not exceeding $750,000 after taking into account the applicable exclusions set forth at 13 CFR 124.104(c)(2); and (2) The management and daily business operations of which are controlled (as defined at 13.CFR 124.106) by individuals, who meet the criteria in paragraphs (1)(i) and (ii) of this definition. 
"Subsidiary" means an entity in which more than 50 percent of the entity is owned- (1) Directly by a parent corporation; or (2) Through another subsidiary of a parent corporation. "Veteran-owned small business concern" means a small business concern- (1) Not less than 51 percent of which is owned by one or more veterans (as defined at 38 U.S.C. 101(2)) or, in the case of any publicly owned business, not less than 51 percent of the stock of which is owned by one or more veterans; and (2) The management and daily business operations of which are controlled by one or more veterans. "Successor" means an entity that has replaced a predecessor by acquiring the assets and carrying out the affairs of the predecessor under a new name (often through acquisition or merger). The term "successor" does not include new offices/divisions of the same company or a company that only changes its name. The extent of the responsibility of the successor for the liabilities of the predecessor may vary, depending on State law and specific circumstances. "Women-owned business concern" means a concern which is at least 51 percent owned by one or more women; or in the case of any publicly owned business, at least 51 percent of its stock is owned by one or more women; and whose management and daily business operations are controlled by one or more women. "Women-owned small business concern" means a small business concern- (1) That is at least 51 percent owned by one or more women; or, in the case of any publicly owned business, at least 51 percent of the stock of which is owned by one or more women; and (2) Whose management and daily business operations are controlled by one or more women. 
"Women-owned small business (WOSB) concern eligible under the WOSB Program" (in accordance with 13 CFR part 127), means a small business concern that is at least 51 percent directly and unconditionally owned by, and the management and daily business operations of which are controlled by, one or more women who are citizens of the United States. (b)(1) Annual Representations and Certifications. Any changes provided by the offeror in paragraph (b)(2) of this provision do not automatically change the representations and certifications posted on the SAM website. (2) The offeror has completed the annual representations and certifications electronically via the SAM website accessed through http://www.acquisition.gov. After reviewing the SAM database information, the offeror verifies by submission of this offer that the representations and certifications currently posted electronically at FAR 52.212-3, Offeror Representations and Certifications-Commercial Items, have been entered or updated in the last 12 months, are current, accurate, complete, and applicable to this solicitation (including the business size standard applicable to the NAICS code referenced for this solicitation), as of the date of this offer and are incorporated in this offer by reference (see FAR 4.1201), except for paragraphs ______________. [Offeror to identify the applicable paragraphs at (c) through (r) of this provision that the offeror has completed for the purposes of this solicitation only, if any. These amended representation(s) and/or certification(s) are also incorporated in this offer and are current, accurate, and complete as of the date of this offer. Any changes provided by the offeror are applicable to this solicitation only, and do not result in an update to the representations and certifications posted electronically on SAM.] (c) Offerors must complete the following representations when the resulting contract will be performed in the United States or its outlying areas. 
Check all that apply. (1) Small business concern. The offeror represents as part of its offer that it □ is, □ is not a small business concern. (2) Veteran-owned small business concern. [Complete only if the offeror represented itself as a small business concern in paragraph (c)(1) of this provision.] The offeror represents as part of its offer that it □ is, □ is not a veteran-owned small business concern. (3) Service-disabled veteran-owned small business concern. [Complete only if the offeror represented itself as a veteran-owned small business concern in paragraph (c)(2) of this provision.] The offeror represents as part of its offer that it □ is, □ is not a service-disabled veteran-owned small business concern. (4) Small disadvantaged business concern. [Complete only if the offeror represented itself as a small business concern in paragraph (c)(1) of this provision.] The offeror represents, that it □ is, □ is not a small disadvantaged business concern as defined in 13 CFR 124.1002. (5) Women-owned small business concern. [Complete only if the offeror represented itself as a small business concern in paragraph (c)(1) of this provision.] The offeror represents that it □ is, □ is not a women-owned small business concern. (6) WOSB concern eligible under the WOSB Program. [Complete only if the offeror represented itself as a women-owned small business concern in paragraph (c)(5) of this provision.] The offeror represents that- (i) It □ is, □ is not a WOSB concern eligible under the WOSB Program, has provided all the required documents to the WOSB Repository, and no change in circumstances or adverse decisions have been issued that affects its eligibility; and (ii) It □ is, □ is not a joint venture that complies with the requirements of 13 CFR part 127, and the representation in paragraph (c)(6)(i) of this provision is accurate for each WOSB concern eligible under the WOSB Program participating in the joint venture. 
[The offeror shall enter the name or names of the WOSB concern eligible under the WOSB Program and other small businesses that are participating in the joint venture: __________.] Each WOSB concern eligible under the WOSB Program participating in the joint venture shall submit a separate signed copy of the WOSB representation. (7) Economically disadvantaged women-owned small business (EDWOSB) concern. [Complete only if the offeror represented itself as a WOSB concern eligible under the WOSB Program in (c)(6) of this provision.] The offeror represents that- (i) It □ is, □ is not an EDWOSB concern, has provided all the required documents to the WOSB Repository, and no change in circumstances or adverse decisions have been issued that affects its eligibility; and (ii) It □ is, □ is not a joint venture that complies with the requirements of 13 CFR part 127, and the representation in paragraph (c)(7)(i) of this provision is accurate for each EDWOSB concern participating in the joint venture. [The offeror shall enter the name or names of the EDWOSB concern and other small businesses that are participating in the joint venture: __________.] Each EDWOSB concern participating in the joint venture shall submit a separate signed copy of the EDWOSB representation. Note: Complete paragraphs (c)(8) and (c)(9) only if this solicitation is expected to exceed the simplified acquisition threshold. (8) Women-owned business concern (other than small business concern). [Complete only if the offeror is a women-owned business concern and did not represent itself as a small business concern in paragraph (c)(1) of this provision.] The offeror represents that it □ is a women-owned business concern. (9) Tie bid priority for labor surplus area concerns. 
If this is an invitation for bid, small business offerors may identify the labor surplus areas in which costs to be incurred on account of manufacturing or production (by offeror or first-tier subcontractors) amount to more than 50 percent of the contract price:____________________________________ (10) HUBZone small business concern. [Complete only if the offeror represented itself as a small business concern in paragraph (c)(1) of this provision.] The offeror represents, as part of its offer, that- (i) It □ is, □ is not a HUBZone small business concern listed, on the date of this representation, on the List of Qualified HUBZone Small Business Concerns maintained by the Small Business Administration, and no material changes in ownership and control, principal office, or HUBZone employee percentage have occurred since it was certified in accordance with 13 CFR Part 126; and (ii) It □ is, □ is not a HUBZone joint venture that complies with the requirements of 13 CFR Part 126, and the representation in paragraph (c)(10)(i) of this provision is accurate for each HUBZone small business concern participating in the HUBZone joint venture. [The offeror shall enter the names of each of the HUBZone small business concerns participating in the HUBZone joint venture: __________.] Each HUBZone small business concern participating in the HUBZone joint venture shall submit a separate signed copy of the HUBZone representation. (d) Representations required to implement provisions of Executive Order 11246- (1) Previous contracts and compliance. The offeror represents that- (i) It □ has, □ has not participated in a previous contract or subcontract subject to the Equal Opportunity clause of this solicitation; and (ii) It □ has, □ has not filed all required compliance reports. (2) Affirmative Action Compliance. 
The offeror represents that- (i) It □ has developed and has on file, □ has not developed and does not have on file, at each establishment, affirmative action programs required by rules and regulations of the Secretary of Labor (41 CFR parts 60-1 and 60-2), or (ii) It □ has not previously had contracts subject to the written affirmative action programs requirement of the rules and regulations of the Secretary of Labor. (e) Certification Regarding Payments to Influence Federal Transactions (31 U.S.C. 1352). (Applies only if the contract is expected to exceed $150,000.) By submission of its offer, the offeror certifies to the best of its knowledge and belief that no Federal appropriated funds have been paid or will be paid to any person for influencing or attempting to influence an officer or employee of any agency, a Member of Congress, an officer or employee of Congress or an employee of a Member of Congress on his or her behalf in connection with the award of any resultant contract. If any registrants under the Lobbying Disclosure Act of 1995 have made a lobbying contact on behalf of the offeror with respect to this contract, the offeror shall complete and submit, with its offer, OMB Standard Form LLL, Disclosure of Lobbying Activities, to provide the name of the registrants. The offeror need not report regularly employed officers or employees of the offeror to whom payments of reasonable compensation were made. (f) Buy American Certificate. (Applies only if the clause at Federal Acquisition Regulation (FAR) 52.225-1, Buy American-Supplies, is included in this solicitation.) (1) The offeror certifies that each end product, except those listed in paragraph (f)(2) of this provision, is a domestic end product and that for other than COTS items, the offeror has considered components of unknown origin to have been mined, produced, or manufactured outside the United States. 
The offeror shall list as foreign end products those end products manufactured in the United States that do not qualify as domestic end products, i.e., an end product that is not a COTS item and does not meet the component test in paragraph (2) of the definition of "domestic end product." The terms "commercially available off-the-shelf (COTS) item" "component," "domestic end product," "end product," "foreign end product," and "United States" are defined in the clause of this solicitation entitled "Buy American-Supplies." (2) Foreign End Products: Line Item No. Country of Origin _______________________________ _______________________________ _______________________________ [List as necessary] (3) The Government will evaluate offers in accordance with the policies and procedures of FAR Part 25. (g)(1) Buy American-Free Trade Agreements-Israeli Trade Act Certificate. (Applies only if the clause at FAR 52.225-3, Buy American-Free Trade Agreements-Israeli Trade Act, is included in this solicitation.) (i) The offeror certifies that each end product, except those listed in paragraph (g)(1)(ii) or (g)(1)(iii) of this provision, is a domestic end product and that for other than COTS items, the offeror has considered components of unknown origin to have been mined, produced, or manufactured outside the United States. The terms "Bahrainian, Moroccan, Omani, Panamanian, or Peruvian end product," "commercially available off-the-shelf (COTS) item," "component," "domestic end product," "end product," "foreign end product," "Free Trade Agreement country," "Free Trade Agreement country end product," "Israeli end product," and "United States" are defined in the clause of this solicitation entitled "Buy American-Free Trade Agreements-Israeli Trade Act." 
(ii) The offeror certifies that the following supplies are Free Trade Agreement country end products (other than Bahrainian, Moroccan, Omani, Panamanian, or Peruvian end products) or Israeli end products as defined in the clause of this solicitation entitled "Buy American-Free Trade Agreements-Israeli Trade Act": Free Trade Agreement Country End Products (Other than Bahrainian, Moroccan, Omani, Panamanian, or Peruvian End Products) or Israeli End Products: Line Item No. Country of Origin _______________________________ _______________________________ _______________________________ [List as necessary] (iii) The offeror shall list those supplies that are foreign end products (other than those listed in paragraph (g)(1)(ii) of this provision) as defined in the clause of this solicitation entitled "Buy American-Free Trade Agreements-Israeli Trade Act." The offeror shall list as other foreign end products those end products manufactured in the United States that do not qualify as domestic end products, i.e., an end product that is not a COTS item and does not meet the component test in paragraph (2) of the definition of "domestic end product." Other Foreign End Products: Line Item No. Country of Origin _______________________________ _______________________________ _______________________________ [List as necessary] (iv) The Government will evaluate offers in accordance with the policies and procedures of FAR Part 25. (2) Buy American-Free Trade Agreements-Israeli Trade Act Certificate, Alternate I. If Alternate I to the clause at FAR 52.225-3 is included in this solicitation, substitute the following paragraph (g)(1)(ii) for paragraph (g)(1)(ii) of the basic provision: (g)(1)(ii) The offeror certifies that the following supplies are Canadian end products as defined in the clause of this solicitation entitled "Buy American-Free Trade Agreements-Israeli Trade Act": Canadian End Products: Line Item No. 
_______________________________________ _______________________________________ _______________________________________ [List as necessary] (3) Buy American-Free Trade Agreements-Israeli Trade Act Certificate, Alternate II. If Alternate II to the clause at FAR 52.225-3 is included in this solicitation, substitute the following paragraph (g)(1)(ii) for paragraph (g)(1)(ii) of the basic provision: (g)(1)(ii) The offeror certifies that the following supplies are Canadian end products or Israeli end products as defined in the clause of this solicitation entitled "Buy American-Free Trade Agreements-Israeli Trade Act": Canadian or Israeli End Products: Line Item No. Country of Origin _______________________________ _______________________________ _______________________________ [List as necessary] (4) Buy American-Free Trade Agreements-Israeli Trade Act Certificate, Alternate III. If Alternate III to the clause at 52.225-3 is included in this solicitation, substitute the following paragraph (g)(1)(ii) for paragraph (g)(1)(ii) of the basic provision: (g)(1)(ii) The offeror certifies that the following supplies are Free Trade Agreement country end products (other than Bahrainian, Korean, Moroccan, Omani, Panamanian, or Peruvian end products) or Israeli end products as defined in the clause of this solicitation entitled "Buy American-Free Trade Agreements-Israeli Trade Act": Free Trade Agreement Country End Products (Other than Bahrainian, Korean, Moroccan, Omani, Panamanian, or Peruvian End Products) or Israeli End Products: Line Item No. Country of Origin _______________________________ _______________________________ _______________________________ [List as necessary] (5) Trade Agreements Certificate. (Applies only if the clause at FAR 52.225-5, Trade Agreements, is included in this solicitation.) 
(i) The offeror certifies that each end product, except those listed in paragraph (g)(5)(ii) of this provision, is a U.S.-made or designated country end product, as defined in the clause of this solicitation entitled "Trade Agreements." (ii) The offeror shall list as other end products those end products that are not U.S.-made or designated country end products. Other End Products: Line Item No. Country of Origin _______________________________ _______________________________ _______________________________ [List as necessary] (iii) The Government will evaluate offers in accordance with the policies and procedures of FAR Part 25. For line items covered by the WTO GPA, the Government will evaluate offers of U.S.-made or designated country end products without regard to the restrictions of the Buy American statute. The Government will consider for award only offers of U.S.-made or designated country end products unless the Contracting Officer determines that there are no offers for such products or that the offers for such products are insufficient to fulfill the requirements of the solicitation. (h) Certification Regarding Responsibility Matters (Executive Order 12689). (Applies only if the contract value is expected to exceed the simplified acquisition threshold.) 
The offeror certifies, to the best of its knowledge and belief, that the offeror and/or any of its principals- (1) □ Are, □ are not presently debarred, suspended, proposed for debarment, or declared ineligible for the award of contracts by any Federal agency; (2) □ Have, □ have not, within a three-year period preceding this offer, been convicted of or had a civil judgment rendered against them for: commission of fraud or a criminal offense in connection with obtaining, attempting to obtain, or performing a Federal, state or local government contract or subcontract; violation of Federal or state antitrust statutes relating to the submission of offers; or commission of embezzlement, theft, forgery, bribery, falsification or destruction of records, making false statements, tax evasion, violating Federal criminal tax laws, or receiving stolen property; (3) □ Are, □ are not presently indicted for, or otherwise criminally or civilly charged by a Government entity with, commission of any of these offenses enumerated in paragraph (h)(2) of this clause; and (4) □ Have, □ have not, within a three-year period preceding this offer, been notified of any delinquent Federal taxes in an amount that exceeds $3,500 for which the liability remains unsatisfied. (i) Taxes are considered delinquent if both of the following criteria apply: (A) The tax liability is finally determined. The liability is finally determined if it has been assessed. A liability is not finally determined if there is a pending administrative or judicial challenge. In the case of a judicial challenge to the liability, the liability is not finally determined until all judicial appeal rights have been exhausted. (B) The taxpayer is delinquent in making payment. A taxpayer is delinquent if the taxpayer has failed to pay the tax liability when full payment was due and required. A taxpayer is not delinquent in cases where enforced collection action is precluded. (ii) Examples. 
(A) The taxpayer has received a statutory notice of deficiency, under I.R.C. §6212, which entitles the taxpayer to seek Tax Court review of a proposed tax deficiency. This is not a delinquent tax because it is not a final tax liability. Should the taxpayer seek Tax Court review, this will not be a final tax liability until the taxpayer has exercised all judicial appeal rights. (B) The IRS has filed a notice of Federal tax lien with respect to an assessed tax liability, and the taxpayer has been issued a notice under I.R.C. §6320 entitling the taxpayer to request a hearing with the IRS Office of Appeals contesting the lien filing, and to further appeal to the Tax Court if the IRS determines to sustain the lien filing. In the course of the hearing, the taxpayer is entitled to contest the underlying tax liability because the taxpayer has had no prior opportunity to contest the liability. This is not a delinquent tax because it is not a final tax liability. Should the taxpayer seek tax court review, this will not be a final tax liability until the taxpayer has exercised all judicial appeal rights. (C) The taxpayer has entered into an installment agreement pursuant to I.R.C. §6159. The taxpayer is making timely payments and is in full compliance with the agreement terms. The taxpayer is not delinquent because the taxpayer is not currently required to make full payment. (D) The taxpayer has filed for bankruptcy protection. The taxpayer is not delinquent because enforced collection action is stayed under 11 U.S.C. §362 (the Bankruptcy Code). (i) Certification Regarding Knowledge of Child Labor for Listed End Products (Executive Order 13126). [The Contracting Officer must list in paragraph (i)(1) any end products being acquired under this solicitation that are included in the List of Products Requiring Contractor Certification as to Forced or Indentured Child Labor, unless excluded at.] (1) Listed end products. 
Listed End Product; Listed Countries of Origin ______________________________________ ______________________________________ (2) Certification. [If the Contracting Officer has identified end products and countries of origin in paragraph (i)(1) of this provision, then the offeror must certify to either (i)(2)(i) or (i)(2)(ii) by checking the appropriate block.] □ (i) The offeror will not supply any end product listed in paragraph (i)(1) of this provision that was mined, produced, or manufactured in the corresponding country as listed for that product. □ (ii) The offeror may supply an end product listed in paragraph (i)(1) of this provision that was mined, produced, or manufactured in the corresponding country as listed for that product. The offeror certifies that it has made a good faith effort to determine whether forced or indentured child labor was used to mine, produce, or manufacture any such end product furnished under this contract. On the basis of those efforts, the offeror certifies that it is not aware of any such use of child labor. (j) Place of manufacture. (Does not apply unless the solicitation is predominantly for the acquisition of manufactured end products.) For statistical purposes only, the offeror shall indicate whether the place of manufacture of the end products it expects to provide in response to this solicitation is predominantly- (1) □ In the United States (Check this box if the total anticipated price of offered end products manufactured in the United States exceeds the total anticipated price of offered end products manufactured outside the United States); or (2) □ Outside the United States. (k) Certificates regarding exemptions from the application of the Service Contract Labor Standards (Certification by the offeror as to its compliance with respect to the contract also constitutes its certification as to compliance by its subcontractor if it subcontracts out the exempt services.) 
[The contracting officer is to check a box to indicate if paragraph (k)(1) or (k)(2) applies.] □ (1) Maintenance, calibration, or repair of certain equipment as described in FAR 22.1003-4(c)(1). The offeror □ does □ does not certify that- (i) The items of equipment to be serviced under this contract are used regularly for other than Governmental purposes and are sold or traded by the offeror (or subcontractor in the case of an exempt subcontract) in substantial quantities to the general public in the course of normal business operations; (ii) The services will be furnished at prices which are, or are based on, established catalog or market prices (see FAR 22.1003-4(c)(2)(ii)) for the maintenance, calibration, or repair of such equipment; and (iii) The compensation (wage and fringe benefits) plan for all service employees performing work under the contract will be the same as that used for these employees and equivalent employees servicing the same equipment of commercial customers. □ (2) Certain services as described in FAR 22.1003-4(d)(1). 
The offeror □ does □ does not certify that- (i) The services under the contract are offered and sold regularly to non-Governmental customers, and are provided by the offeror (or subcontractor in the case of an exempt subcontract) to the general public in substantial quantities in the course of normal business operations; (ii) The contract services will be furnished at prices that are, or are based on, established catalog or market prices (see FAR 22.1003-4(d)(2)(iii)); (iii) Each service employee who will perform the services under the contract will spend only a small portion of his or her time (a monthly average of less than 20 percent of the available hours on an annualized basis, or less than 20 percent of available hours during the contract period if the contract period is less than a month) servicing the Government contract; and (iv) The compensation (wage and fringe benefits) plan for all service employees performing work under the contract is the same as that used for these employees and equivalent employees servicing commercial customers. (3) If paragraph (k)(1) or (k)(2) of this clause applies- (i) If the offeror does not certify to the conditions in paragraph (k)(1) or (k)(2) and the Contracting Officer did not attach a Service Contract Labor Standards wage determination to the solicitation, the offeror shall notify the Contracting Officer as soon as possible; and (ii) The Contracting Officer may not make an award to the offeror if the offeror fails to execute the certification in paragraph (k)(1) or (k)(2) of this clause or to contact the Contracting Officer as required in paragraph (k)(3)(i) of this clause. (l) Taxpayer Identification Number (TIN) (26 U.S.C. 6109, 31 U.S.C. 7701). (Not applicable if the offeror is required to provide this information to the SAM database to be eligible for award.) 
(1) All offerors must submit the information required in paragraphs (l)(3) through (l)(5) of this provision to comply with debt collection requirements of 31 U.S.C. 7701(c) and 3325(d), reporting requirements of 26 U.S.C. 6041, 6041A, and 6050M, and implementing regulations issued by the Internal Revenue Service (IRS). (2) The TIN may be used by the Government to collect and report on any delinquent amounts arising out of the offeror's relationship with the Government (31 U.S.C. 7701(c)(3)). If the resulting contract is subject to the payment reporting requirements described in FAR 4.904, the TIN provided hereunder may be matched with IRS records to verify the accuracy of the offeror's TIN. (3) Taxpayer Identification Number (TIN). □ TIN: ________________________________. □ TIN has been applied for. □ TIN is not required because: □ Offeror is a nonresident alien, foreign corporation, or foreign partnership that does not have income effectively connected with the conduct of a trade or business in the United States and does not have an office or place of business or a fiscal paying agent in the United States; □ Offeror is an agency or instrumentality of a foreign government; □ Offeror is an agency or instrumentality of the Federal Government. (4) Type of organization. □ Sole proprietorship; □ Partnership; □ Corporate entity (not tax-exempt); □ Corporate entity (tax-exempt); □ Government entity (Federal, State, or local); □ Foreign government; □ International organization per 26 CFR 1.6049-4; □ Other ________________________________. (5) Common parent. □ Offeror is not owned or controlled by a common parent; □ Name and TIN of common parent: Name ________________________________. TIN _________________________________. (m) Restricted business operations in Sudan. By submission of its offer, the offeror certifies that the offeror does not conduct any restricted business operations in Sudan. (n) Prohibition on Contracting with Inverted Domestic Corporations. 
(1) Government agencies are not permitted to use appropriated (or otherwise made available) funds for contracts with either an inverted domestic corporation, or a subsidiary of an inverted domestic corporation, unless the exception at 9.108-2(b) applies or the requirement is waived in accordance with the procedures at 9.108-4. (2) Representation. The Offeror represents that- (i) It □ is, □ is not an inverted domestic corporation; and (ii) It □ is, □ is not a subsidiary of an inverted domestic corporation. (o) Prohibition on contracting with entities engaging in certain activities or transactions relating to Iran. (1) The offeror shall e-mail questions concerning sensitive technology to the Department of State at CISADA106@state.gov. (2) Representation and Certifications. Unless a waiver is granted or an exception applies as provided in paragraph (o)(3) of this provision, by submission of its offer, the offeror- (i) Represents, to the best of its knowledge and belief, that the offeror does not export any sensitive technology to the government of Iran or any entities or individuals owned or controlled by, or acting on behalf or at the direction of, the government of Iran; (ii) Certifies that the offeror, or any person owned or controlled by the offeror, does not engage in any activities for which sanctions may be imposed under section 5 of the Iran Sanctions Act; and (iii) Certifies that the offeror, and any person owned or controlled by the offeror, does not knowingly engage in any transaction that exceeds $3,500 with Iran's Revolutionary Guard Corps or any of its officials, agents, or affiliates, the property and interests in property of which are blocked pursuant to the International Emergency Economic Powers Act (50 U.S.C. 1701 et seq.) (see OFAC's Specially Designated Nationals and Blocked Persons List at http://www.treasury.gov/ofac/downloads/t11sdn.pdf). 
(3) The representation and certification requirements of paragraph (o)(2) of this provision do not apply if- (i) This solicitation includes a trade agreements certification (e.g., 52.212-3(g) or a comparable agency provision); and (ii) The offeror has certified that all the offered products to be supplied are designated country end products. (p) Ownership or Control of Offeror. (Applies in all solicitations when there is a requirement to be registered in SAM or a requirement to have a DUNS Number in the solicitation.) (1) The Offeror represents that it □ has or □ does not have an immediate owner. If the Offeror has more than one immediate owner (such as a joint venture), then the Offeror shall respond to paragraph (2) and if applicable, paragraph (3) of this provision for each participant in the joint venture. (2) If the Offeror indicates "has" in paragraph (p)(1) of this provision, enter the following information: Immediate owner CAGE code: ____________________. Immediate owner legal name: _____________________. (Do not use a "doing business as" name) Is the immediate owner owned or controlled by another entity: □ Yes or □ No. (3) If the Offeror indicates "yes" in paragraph (p)(2) of this provision, indicating that the immediate owner is owned or controlled by another entity, then enter the following information: Highest-level owner CAGE code: __________________. Highest-level owner legal name: ___________________. (Do not use a "doing business as" name) (q) Representation by Corporations Regarding Delinquent Tax Liability or a Felony Conviction under any Federal Law. (1) As required by sections 744 and 745 of Division E of the Consolidated and Further Continuing Appropriations Act, 2015 (Pub. L.
113-235), and similar provisions, if contained in subsequent appropriations acts, the Government will not enter into a contract with any corporation that- (i) Has any unpaid Federal tax liability that has been assessed, for which all judicial and administrative remedies have been exhausted or have lapsed, and that is not being paid in a timely manner pursuant to an agreement with the authority responsible for collecting the tax liability, where the awarding agency is aware of the unpaid tax liability, unless an agency has considered suspension or debarment of the corporation and made a determination that suspension or debarment is not necessary to protect the interests of the Government; or (ii) Was convicted of a felony criminal violation under any Federal law within the preceding 24 months, where the awarding agency is aware of the conviction, unless an agency has considered suspension or debarment of the corporation and made a determination that this action is not necessary to protect the interests of the Government. (2) The Offeror represents that- (i) It is □ is not □ a corporation that has any unpaid Federal tax liability that has been assessed, for which all judicial and administrative remedies have been exhausted or have lapsed, and that is not being paid in a timely manner pursuant to an agreement with the authority responsible for collecting the tax liability; and (ii) It is □ is not □ a corporation that was convicted of a felony criminal violation under a Federal law within the preceding 24 months. (r) Predecessor of Offeror. (Applies in all solicitations that include the provision at 52.204-16, Commercial and Government Entity Code Reporting.) (1) The Offeror represents that it □ is or □ is not a successor to a predecessor that held a Federal contract or grant within the last three years.
(2) If the Offeror has indicated "is" in paragraph (r)(1) of this provision, enter the following information for all predecessors that held a Federal contract or grant within the last three years (if more than one predecessor, list in reverse chronological order): Predecessor CAGE code: ________ (or mark "Unknown") Predecessor legal name: _________________________ (Do not use a "doing business as" name) 52.212-4 Contract Terms and Conditions-Commercial Items (May 2015). Incorporated by reference. 52.212-5 Contract Terms and Conditions Required to Implement Statutes or Executive Orders-Commercial Items. (March 2016) (a) The Contractor shall comply with the following Federal Acquisition Regulation (FAR) clauses, which are incorporated in this contract by reference, to implement provisions of law or Executive orders applicable to acquisitions of commercial items: (1) 52.209-10, Prohibition on Contracting with Inverted Domestic Corporations (Nov 2015) (2) 52.233-3, Protest After Award (AUG 1996) (31 U.S.C. 3553). (3) 52.233-4, Applicable Law for Breach of Contract Claim (OCT 2004) (Public Laws 108-77 and 108-78 (19 U.S.C. 3805 note)). (b) The Contractor shall comply with the FAR clauses in this paragraph (b) that the Contracting Officer has indicated as being incorporated in this contract by reference to implement provisions of law or Executive orders applicable to acquisitions of commercial items: [Contracting Officer check as appropriate.] _X_ (1) 52.203-6, Restrictions on Subcontractor Sales to the Government (Sept 2006), with Alternate I (Oct 1995) (41 U.S.C. 4704 and 10 U.S.C. 2402). _X_ (2) 52.203-13, Contractor Code of Business Ethics and Conduct (Oct 2015) (41 U.S.C. 3509). __ (3) 52.203-15, Whistleblower Protections under the American Recovery and Reinvestment Act of 2009 (June 2010) (Section 1553 of Pub. L. 111-5). (Applies to contracts funded by the American Recovery and Reinvestment Act of 2009.)
_X_ (4) 52.204-10, Reporting Executive Compensation and First-Tier Subcontract Awards (Oct 2015) (Pub. L. 109-282) (31 U.S.C. 6101 note). __ (5) [Reserved]. __ (6) 52.204-14, Service Contract Reporting Requirements (Jan 2014) (Pub. L. 111-117, section 743 of Div. C). __ (7) 52.204-15, Service Contract Reporting Requirements for Indefinite-Delivery Contracts (Jan 2014) (Pub. L. 111-117, section 743 of Div. C). _X_ (8) 52.209-6, Protecting the Government's Interest When Subcontracting with Contractors Debarred, Suspended, or Proposed for Debarment. (Oct 2015) (31 U.S.C. 6101 note). __ (9) 52.209-9, Updates of Publicly Available Information Regarding Responsibility Matters (Jul 2013) (41 U.S.C. 2313). __ (10) [Reserved]. __ (11)(i) 52.219-3, Notice of HUBZone Set-Aside or Sole-Source Award (Nov 2011) (15 U.S.C. 657a). __ (ii) Alternate I (Nov 2011) of 52.219-3. __ (12)(i) 52.219-4, Notice of Price Evaluation Preference for HUBZone Small Business Concerns (OCT 2014) (if the offeror elects to waive the preference, it shall so indicate in its offer) (15 U.S.C. 657a). __ (ii) Alternate I (JAN 2011) of 52.219-4. __ (13) [Reserved] __ (14)(i) 52.219-6, Notice of Total Small Business Set-Aside (Nov 2011) (15 U.S.C. 644). __ (ii) Alternate I (Nov 2011). __ (iii) Alternate II (Nov 2011). __ (15)(i) 52.219-7, Notice of Partial Small Business Set-Aside (June 2003) (15 U.S.C. 644). __ (ii) Alternate I (Oct 1995) of 52.219-7. __ (iii) Alternate II (Mar 2004) of 52.219-7. _X_ (16) 52.219-8, Utilization of Small Business Concerns (Oct 2014) (15 U.S.C. 637(d)(2) and (3)). __ (17)(i) 52.219-9, Small Business Subcontracting Plan (Oct 2015) (15 U.S.C. 637(d)(4)). __ (ii) Alternate I (Oct 2001) of 52.219-9. __ (iii) Alternate II (Oct 2001) of 52.219-9. __ (iv) Alternate III (Oct 2015) of 52.219-9. __ (18) 52.219-13, Notice of Set-Aside of Orders (Nov 2011) (15 U.S.C. 644(r)). __ (19) 52.219-14, Limitations on Subcontracting (Nov 2011) (15 U.S.C. 637(a)(14)).
__ (20) 52.219-16, Liquidated Damages-Subcontracting Plan (Jan 1999) (15 U.S.C. 637(d)(4)(F)(i)). __ (21) 52.219-27, Notice of Service-Disabled Veteran-Owned Small Business Set-Aside (Nov 2011) (15 U.S.C. 657 f). __ (22) 52.219-28, Post Award Small Business Program Representation (Jul 2013) (15 U.S.C. 632(a)(2)). __ (23) 52.219-29, Notice of Set-Aside for, or Sole Source Award to, Economically Disadvantaged Women-Owned Small Business Concerns (Dec 2015) (15 U.S.C. 637(m)). __ (24) 52.219-30, Notice of Set-Aside for, or Sole Source Award to, Women-Owned Small Business Concerns Eligible Under the Women-Owned Small Business Program (Dec 2015) (15 U.S.C. 637(m)). _X_ (25) 52.222-3, Convict Labor (June 2003) (E.O. 11755). _X_ (26) 52.222-19, Child Labor-Cooperation with Authorities and Remedies (Feb 2016) (E.O. 13126). _X_ (27) 52.222-21, Prohibition of Segregated Facilities (Apr 2015). _X_ (28) 52.222-26, Equal Opportunity (Apr 2015) (E.O. 11246). _X_ (29) 52.222-35, Equal Opportunity for Veterans (Oct 2015) (38 U.S.C. 4212). _X_ (30) 52.222-36, Equal Opportunity for Workers with Disabilities (Jul 2014) (29 U.S.C. 793). __ (31) 52.222-37, Employment Reports on Veterans (FEB 2016) (38 U.S.C. 4212). __ (32) 52.222-40, Notification of Employee Rights Under the National Labor Relations Act (Dec 2010) (E.O. 13496). __ (33)(i) 52.222-50, Combating Trafficking in Persons (Mar 2015) (22 U.S.C. chapter 78 and E.O. 13627). __ (ii) Alternate I (Mar 2015) of 52.222-50 (22 U.S.C. chapter 78 and E.O. 13627). __ (34) 52.222-54, Employment Eligibility Verification (OCT 2015). (Executive Order 12989). (Not applicable to the acquisition of commercially available off-the-shelf items or certain other types of commercial items as prescribed in 22.1803.) __ (35)(i) 52.223-9, Estimate of Percentage of Recovered Material Content for EPA-Designated Items (May 2008) (42 U.S.C. 6962(c)(3)(A)(ii)). (Not applicable to the acquisition of commercially available off-the-shelf items.)
__ (ii) Alternate I (May 2008) of 52.223-9 (42 U.S.C. 6962(i)(2)(C)). (Not applicable to the acquisition of commercially available off-the-shelf items.) __ (36)(i) 52.223-13, Acquisition of EPEAT®-Registered Imaging Equipment (JUN 2014) (E.O.s 13423 and 13514). __ (ii) Alternate I (Oct 2015) of 52.223-13. __ (37)(i) 52.223-14, Acquisition of EPEAT®-Registered Televisions (JUN 2014) (E.O.s 13423 and 13514). __ (ii) Alternate I (Jun 2014) of 52.223-14. __ (38) 52.223-15, Energy Efficiency in Energy-Consuming Products (DEC 2007) (42 U.S.C. 8259b). __ (39)(i) 52.223-16, Acquisition of EPEAT®-Registered Personal Computer Products (OCT 2015) (E.O.s 13423 and 13514). __ (ii) Alternate I (Jun 2014) of 52.223-16. _X_ (40) 52.223-18, Encouraging Contractor Policies to Ban Text Messaging While Driving (AUG 2011) (E.O. 13513). __ (41) 52.225-1, Buy American-Supplies (May 2014) (41 U.S.C. chapter 83). __ (42)(i) 52.225-3, Buy American-Free Trade Agreements-Israeli Trade Act (May 2014) (41 U.S.C. chapter 83, 19 U.S.C. 3301 note, 19 U.S.C. 2112 note, 19 U.S.C. 3805 note, 19 U.S.C. 4001 note, Pub. L. 103-182, 108-77, 108-78, 108-286, 108-302, 109-53, 109-169, 109-283, 110-138, 112-41, 112-42, and 112-43). __ (ii) Alternate I (May 2014) of 52.225-3. __ (iii) Alternate II (May 2014) of 52.225-3. __ (iv) Alternate III (May 2014) of 52.225-3. __ (43) 52.225-5, Trade Agreements (FEB 2016) (19 U.S.C. 2501, et seq., 19 U.S.C. 3301 note). _X_ (44) 52.225-13, Restrictions on Certain Foreign Purchases (June 2008) (E.O.'s, proclamations, and statutes administered by the Office of Foreign Assets Control of the Department of the Treasury). __ (45) 52.225-26, Contractors Performing Private Security Functions Outside the United States (Jul 2013) (Section 862, as amended, of the National Defense Authorization Act for Fiscal Year 2008; 10 U.S.C. 2302 Note). __ (46) 52.226-4, Notice of Disaster or Emergency Area Set-Aside (Nov 2007) (42 U.S.C. 5150).
__ (47) 52.226-5, Restrictions on Subcontracting Outside Disaster or Emergency Area (Nov 2007) (42 U.S.C. 5150). __ (48) 52.232-29, Terms for Financing of Purchases of Commercial Items (Feb 2002) (41 U.S.C. 4505, 10 U.S.C. 2307(f)). __ (49) 52.232-30, Installment Payments for Commercial Items (Oct 1995) (41 U.S.C. 4505, 10 U.S.C. 2307(f)). _X_ (50) 52.232-33, Payment by Electronic Funds Transfer-System for Award Management (Jul 2013) (31 U.S.C. 3332). __ (51) 52.232-34, Payment by Electronic Funds Transfer-Other than System for Award Management (Jul 2013) (31 U.S.C. 3332). __ (52) 52.232-36, Payment by Third Party (May 2014) (31 U.S.C. 3332). __ (53) 52.239-1, Privacy or Security Safeguards (Aug 1996) (5 U.S.C. 552a). __ (54)(i) 52.247-64, Preference for Privately Owned U.S.-Flag Commercial Vessels (Feb 2006) (46 U.S.C. Appx. 1241(b) and 10 U.S.C. 2631). __ (ii) Alternate I (Apr 2003) of 52.247-64. (c) The Contractor shall comply with the FAR clauses in this paragraph (c), applicable to commercial services, that the Contracting Officer has indicated as being incorporated in this contract by reference to implement provisions of law or Executive orders applicable to acquisitions of commercial items: [Contracting Officer check as appropriate.] __ (1) 52.222-17, Nondisplacement of Qualified Workers (May 2014)(E.O. 13495). __ (2) 52.222-41, Service Contract Labor Standards (May 2014) (41 U.S.C. chapter 67). __ (3) 52.222-42, Statement of Equivalent Rates for Federal Hires (May 2014) (29 U.S.C. 206 and 41 U.S.C. chapter 67). __ (4) 52.222-43, Fair Labor Standards Act and Service Contract Labor Standards-Price Adjustment (Multiple Year and Option Contracts) (May 2014) (29 U.S.C. 206 and 41 U.S.C. chapter 67). __ (5) 52.222-44, Fair Labor Standards Act and Service Contract Labor Standards-Price Adjustment (May 2014) (29 U.S.C. 206 and 41 U.S.C. chapter 67). 
__ (6) 52.222-51, Exemption from Application of the Service Contract Labor Standards to Contracts for Maintenance, Calibration, or Repair of Certain Equipment-Requirements (May 2014) (41 U.S.C. chapter 67). _X_ (7) 52.222-53, Exemption from Application of the Service Contract Labor Standards to Contracts for Certain Services-Requirements (May 2014) (41 U.S.C. chapter 67). __ (8) 52.222-55, Minimum Wages Under Executive Order 13658 (Mar 2016). __ (9) 52.226-6, Promoting Excess Food Donation to Nonprofit Organizations (May 2014) (42 U.S.C. 1792). __ (10) 52.237-11, Accepting and Dispensing of $1 Coin (Sept 2008) (31 U.S.C. 5112(p)(1)). (d) Comptroller General Examination of Record. The Contractor shall comply with the provisions of this paragraph (d) if this contract was awarded using other than sealed bid, is in excess of the simplified acquisition threshold, and does not contain the clause at 52.215-2, Audit and Records-Negotiation. (1) The Comptroller General of the United States, or an authorized representative of the Comptroller General, shall have access to and right to examine any of the Contractor's directly pertinent records involving transactions related to this contract. (2) The Contractor shall make available at its offices at all reasonable times the records, materials, and other evidence for examination, audit, or reproduction, until 3 years after final payment under this contract or for any shorter period specified in FAR Subpart 4.7, Contractor Records Retention, of the other clauses of this contract. If this contract is completely or partially terminated, the records relating to the work terminated shall be made available for 3 years after any resulting final termination settlement. Records relating to appeals under the disputes clause or to litigation or the settlement of claims arising under or relating to this contract shall be made available until such appeals, litigation, or claims are finally resolved. 
(3) As used in this clause, records include books, documents, accounting procedures and practices, and other data, regardless of type and regardless of form. This does not require the Contractor to create or maintain any record that the Contractor does not maintain in the ordinary course of business or pursuant to a provision of law. (e)(1) Notwithstanding the requirements of the clauses in paragraphs (a), (b), (c), and (d) of this clause, the Contractor is not required to flow down any FAR clause, other than those in this paragraph (e)(1) in a subcontract for commercial items. Unless otherwise indicated below, the extent of the flow down shall be as required by the clause- (i) 52.203-13, Contractor Code of Business Ethics and Conduct (Oct 2015) (41 U.S.C. 3509). (ii) 52.219-8, Utilization of Small Business Concerns (Oct 2014) (15 U.S.C. 637(d)(2) and (3)), in all subcontracts that offer further subcontracting opportunities. If the subcontract (except subcontracts to small business concerns) exceeds $700,000 ($1.5 million for construction of any public facility), the subcontractor must include 52.219-8 in lower tier subcontracts that offer subcontracting opportunities. (iii) 52.222-17, Nondisplacement of Qualified Workers (May 2014) (E.O. 13495). Flow down required in accordance with paragraph (l) of FAR clause 52.222-17. (iv) 52.222-21, Prohibition of Segregated Facilities (Apr 2015) (v) 52.222-26, Equal Opportunity (Apr 2015) (E.O. 11246). (vi) 52.222-35, Equal Opportunity for Veterans (Oct 2015) (38 U.S.C. 4212). (vii) 52.222-36, Equal Opportunity for Workers with Disabilities (Jul 2014) (29 U.S.C. 793). (viii) 52.222-37, Employment Reports on Veterans (Feb 2016) (38 U.S.C. 4212) (ix) 52.222-40, Notification of Employee Rights Under the National Labor Relations Act (Dec 2010) (E.O. 13496). Flow down required in accordance with paragraph (f) of FAR clause 52.222-40. (x) 52.222-41, Service Contract Labor Standards (May 2014) (41 U.S.C. chapter 67). 
(xi) __(A) 52.222-50, Combating Trafficking in Persons (Mar 2015) (22 U.S.C. chapter 78 and E.O. 13627). __(B) Alternate I (Mar 2015) of 52.222-50 (22 U.S.C. chapter 78 and E.O. 13627). (xii) 52.222-51, Exemption from Application of the Service Contract Labor Standards to Contracts for Maintenance, Calibration, or Repair of Certain Equipment-Requirements (May 2014) (41 U.S.C. chapter 67). (xiii) 52.222-53, Exemption from Application of the Service Contract Labor Standards to Contracts for Certain Services-Requirements (May 2014) (41 U.S.C. chapter 67). (xiv) 52.222-54, Employment Eligibility Verification (OCT 2015) (E.O. 12989). (xv) 52.222-55, Minimum Wages Under Executive Order 13658 (Mar 2016). (xvi) 52.225-26, Contractors Performing Private Security Functions Outside the United States (Jul 2013) (Section 862, as amended, of the National Defense Authorization Act for Fiscal Year 2008; 10 U.S.C. 2302 Note). (xvii) 52.226-6, Promoting Excess Food Donation to Nonprofit Organizations (May 2014) (42 U.S.C. 1792). Flow down required in accordance with paragraph (e) of FAR clause 52.226-6. (xviii) 52.247-64, Preference for Privately Owned U.S.-Flag Commercial Vessels (Feb 2006) (46 U.S.C. Appx. 1241(b) and 10 U.S.C. 2631). Flow down required in accordance with paragraph (d) of FAR clause 52.247-64. (2) While not required, the Contractor may include in its subcontracts for commercial items a minimal number of additional clauses necessary to satisfy its contractual obligations. L. Applicable OPM Specific Clauses Attachment 1 - OPM Specific Clauses 1752.205-70 Announcement of Contract Award (July 2006) OPM complies with FAR 5.3, Synopses of Contract Awards, in terms of synopsizing and publicly announcing contract awards. These actions take place at the time of, and not before, the contract is awarded. Contract award, in this case, means signature of the contractual document by the Contracting Officer and forwarding of the contractual document to the contract awardee.
If the contract awardee wishes to make a separate public announcement, the awardee must obtain the approval of the Contracting Officer prior to releasing the announcement, and must plan to make announcement only after the contract has been awarded. 1752.209-74 Organizational Conflicts of Interest (July 2005) (a) The Contractor warrants that, to the best of the Contractor's knowledge and belief, there are no relevant facts or circumstances which could give rise to an organizational conflict of interest (OCI), as defined in FAR 9.5, Organizational and Consultants Conflicts of Interest, or that the Contractor has disclosed all such relevant information. (b) The Contractor agrees that if an actual or potential OCI is discovered after award, the Contractor shall make a full disclosure in writing to the Contracting Officer. This disclosure must include a description of actions, which the Contractor has taken or proposes to take, after consultation with the Contracting Officer, to avoid, mitigate, or neutralize the actual or potential conflict. (c) The Contracting Officer may terminate this contract for convenience, in whole or in part, if it deems such termination necessary to avoid an OCI. If the Contractor was aware of a potential OCI prior to award or discovered an actual or potential conflict after award and did not disclose or misrepresented relevant information to the Contracting Office, the Government may terminate the contract for default, debar the Contractor from Government contracting, or pursue such other remedies as may be permitted by law or this contract. (d) The Contractor must include this clause in all subcontracts and in lower tier subcontracts unless a waiver is requested from, and granted by, the Contracting Officer.
(e) In the event that a requirement changes in such a way as to create a potential conflict of interest for the Contractor, the Contractor must: (1) Notify the Contracting Officer of a potential conflict, and; (2) Recommend to the Government an alternate approach which would avoid the potential conflict, or (3) Present for approval a conflict of interest mitigation plan that will: (i) Describe in detail the changed requirement that creates the potential conflict of interest; and (ii) Outline in detail the actions to be taken by the Contractor or the Government in the performance of the task to mitigate the conflict, division of subcontractor effort, and limited access to information, or other acceptable means. (4) The Contractor must not commence work on a changed requirement related to a potential conflict of interest until specifically notified by the Contracting Officer to proceed. (5) If the Contracting Officer determines that it is in the best interest of the Government to proceed with work, notwithstanding a conflict of interest, a request for waiver must be submitted in accordance with FAR 9.503. 1752.209-75 Reducing Text Messaging While Driving (Oct 2009) (a) In accordance with Section 4 of the Executive Order, "Federal Leadership on Reducing Text Messaging While Driving," dated October 1, 2009, you are hereby encouraged to: (1) Adopt and enforce policies that ban text messaging while driving company-owned or -rented vehicles or Government-owned, -leased or -rented vehicles, or while driving privately-owned vehicles when on official Government business or when performing any work for or on behalf of the Government; and (2) Consider new company rules and programs, and reevaluating existing programs to prohibit text messaging while driving, and conducting education, awareness, and other outreach for company employees about the safety risks associated with texting while driving.
These initiatives should encourage voluntary compliance with the company's text messaging policy while off duty. (b) For purposes of complying with the Executive Order: (1) "Texting" or "Text Messaging" means reading from or entering data into any handheld or other electronic device, including for the purpose of SMS texting, e-mailing, instant messaging, obtaining navigational information, or engaging in any other form of electronic data retrieval or electronic data communication. (2) "Driving" means operating a motor vehicle on an active roadway with the motor running, including while temporarily stationary because of traffic, a traffic light or stop sign, or otherwise. It does not include operating a motor vehicle with or without the motor running when one has pulled over to the side of, or off, an active roadway and has halted in a location where one can safely remain stationary. 1752.222-70 Notice of Requirement for Certification of Nonsegregated Facilities (July 2005) By signing this offer or contract, the contractor will be deemed to have signed and agreed to the provisions of Federal Acquisition Regulations (FAR) Clause 52.222-21, Certification of Nonsegregated Facilities, incorporated by reference in this solicitation/contract. The certification provides that the bidder or offeror does not maintain or provide for its employees, facilities which are segregated on a basis of race, color, religion, or national origin, whether such facilities are segregated by directive or on a de facto basis. The certification also provides that the bidder/offeror does not and will not permit its employees to perform their services at any location under its control where segregated facilities are maintained. FAR Clause 52.222-21 must be included in all subcontracts as well.
1752.222-71 Special Requirements for Employing Special Disabled Veterans, Veterans of the Vietnam Era, and Other Eligible Veterans (July 2005) (a) If this contract contains FAR Clause 52.222-35 (Equal Opportunity for Special Disabled Veterans, Veterans of the Vietnam Era, and Other Eligible Veterans), your company must comply with the requirements of this clause, including the listing of employment opportunities with the local office of the state employment service system. (b) If this contract contains FAR clauses 52.222-37 (Employment Reports on Special Disabled Veterans, Veterans of the Vietnam Era, and Other Eligible Veterans) or 52.222-38 (Compliance with Veterans' Employment Reporting Requirements), you are reminded that your company must comply with the special reporting requirements described in those clauses. Your company must submit information on several aspects of its employment and hiring of special disabled and Vietnam era veterans or other veterans who served on active duty during a war or in a campaign or expedition for which a campaign badge has been authorized. You must submit this information no later than September 30 of each year, in the "Federal Contractor Veterans' Employment Report" or VETS-100 Report. The U.S. Department of Labor has established a web site for submitting this report. The address is: http://www.vets100.cudenver.edu. 1752.223-71 Environmentally Preferable Products and Services (Feb 2013) (a) Executive Order 13423, Strengthening Federal Environmental, Energy, and Transportation Management, requires in agency acquisitions of goods and services (i) use of sustainable environmental practices, including acquisition of biobased, environmentally preferable, energy-efficient, water-efficient, and recycled-content products, and (ii) use of paper of at least 30 percent post-consumer fiber content.
(b) By signing this offer or contract, the contractor will be deemed to have signed and agreed that all goods and services provided under this contract will comply with the above requirements of Executive Order 13514. 1752.224-71 Freedom of Information Act Requests (Sep 2009) (a) Offerors are reminded that information furnished under this solicitation may be subject to disclosure under the Freedom of Information Act (FOIA). Therefore: (1) All items that are confidential to business, or contain trade secrets, proprietary, or personnel information must be clearly marked in all documents submitted to the U.S. Office of Personnel Management (OPM or The Government). Marking of items will not necessarily preclude disclosure when the OPM determines disclosure is warranted by FOIA. However, if such items are not marked, all information contained within the submitted documents will be deemed to be releasable. (2) No later than five (5) business days after award of a contract, blanket purchase agreement (BPA), or order, the Contractor must provide OPM a redacted copy of the contract/BPA/order in electronic format. This copy will be used to satisfy any requests for copies of the contract/BPA/order under the FOIA. If the Contracting Officer believes that any redacted information does not require protection from public release, the issue will be resolved in accordance with paragraph 3.104-4(d) of the Federal Acquisition Regulation. (b) Any information made available to the Contractor by the Government must be used only for the purpose of carrying out the provisions of this contract and must not be divulged or made known in any manner to any person except as may be necessary in the performance of the contract.
(c) In performance of this contract, the Contractor assumes responsibility for protection of the confidentiality of Government records and must ensure that all work performed by its subcontractors shall be under the supervision of the Contractor or the Contractor's responsible employees. (d) Each officer or employee of the Contractor or any of its subcontractors to whom any Government record may be made available or disclosed must be notified in writing by the Contractor that information disclosed to such officer or employee can be used only for a purpose and to the extent authorized herein, and that further disclosure of any such information, by any means, for a purpose or to an extent unauthorized herein, may subject the offender to criminal sanctions imposed by 19 U.S.C. 641. That section provides, in pertinent part, that whoever knowingly converts to their use or the use of another, or without authority, sells, conveys, or disposes of any record of the United States or whoever receives the same with intent to convert it to their use or gain, knowing it to have been converted, shall be guilty of a crime punishable by a fine of up to $10,000, or imprisoned up to ten years, or both. 1752.232-70 Invoice Requirements Large Business (Oct 2012) (a) A proper invoice must include the following items (except for interim payments on cost reimbursement contracts for services): (1) Name and address of the contractor. (2) Invoice date and invoice number. (Contractors should date invoices as close as possible to the date of transmission.) (3) Contract number or other authorization for supplies delivered or services performed (including order number and contract line item number). (4) Description, quantity, unit of measure, unit price, and extended price of supplies delivered or services performed. (5) Shipping and payment terms (e.g., shipment number and date of shipment, discount for prompt payment terms).
Bill of lading number and weight of shipment will be shown for shipments on Government bills of lading. (6) Name and address of contractor official to whom payment is to be sent (must be the same as that in the contract or in a proper notice of assignment). (7) Name (where practicable), title, phone number, and mailing address of person to notify in the event of a defective invoice. (8) Taxpayer Identification Number (TIN). The contractor must include its TIN on the invoice only if required by agency procedures. (See 4.9 TIN requirements.) (9) Electronic funds transfer (EFT) banking information. (i) The contractor shall have submitted correct EFT banking information in accordance with the applicable solicitation provision (e.g., 52.232-38, Submission of Electronic Funds Transfer Information with Offer), contract clause (e.g., 52.232-33, Payment by Electronic Funds Transfer-Central Contractor Registration, or 52.232-34, Payment by Electronic Funds Transfer-Other Than Central Contractor Registration), or applicable agency procedures. (ii) The last four digits of the contractor's bank account must be shown on each invoice submitted for payment. This information will be used as a cross-reference in situations where the EFT banking information in the Central Contract Registration is suspect. (iii) EFT banking information is not required if the Government waived the requirement to pay by EFT. (10) The vendor's certification that their EFT banking information in the Central Contractor Registration is current, accurate and complete as of the date of the invoice. (11) Any other information or documentation required by the contract (e.g., evidence of shipment). (b) Any invoice that does not contain all of the information listed in paragraph (a) above will be rejected as improper, and a new complete corrected invoice must be submitted. The payment due date for the corrected invoice will be calculated from the date it is received in the Prompt Pay e-mail box.
(c) ALL large business invoices-without exception-must have unique identifying numbers, and be submitted via e-mail to OPM's Prompt Pay e-mail box at: PromptPay@opm.gov. Please note that OPM cannot guarantee payment of invoices sent by any other means, such as regular mail or e-mail to other addresses. (d) Please attach only one invoice to each e-mail, and use the following format for the subject line of the e-mail: <Contractor name>&<Invoice no>&<Amount>&<Contract Number>/<Call or Order Number> Example: ABC Co&AB-1298433&10000.00&OPM00-00-X-0000/X0000 (e) Payment due dates will only be calculated from the date that invoices are received in the Prompt Pay e-mail box. (f) Inquiries regarding payment of invoices should be e-mailed to InvoiceInquiries@opm.gov. The relevant invoice must be attached to the inquiry e-mail, and the subject line of the e-mail must state "INQUIRY," followed by the information described in paragraph (d) above. Example: INQUIRY: ABC Co&AB-1298433&10000.00&OPM00-00-X-0000/X0000 Do NOT use the Prompt Pay e-mail box for inquiries. (g) If the supplies, services, technical or other reports are rejected for failure to conform to the technical requirements of the contract, or for damage in transit or otherwise, the invoice will be rejected and returned to the Contractor. 1752.232-71 Method of Payment (July 2005) (a) Payments under this contract will be made either by check or by wire transfer through the Treasury Financial Communications System at the option of the Government. (b) The Contractor must forward the following information in writing to the Contracting Officer not later than seven (7) days after receipt of notice of award: (1) Full Name (where practicable), title, telephone number, and complete mailing address of responsible official(s): (i) to whom check payments are to be sent, and (ii) who may be contacted concerning the bank account information requested below.
(2) The following bank account information required to accomplish wire transfers: (i) Name, address, and telegraphic abbreviation of the receiving financial institution. (ii) Receiving financial institution's 9-digit American Bankers Association (ABA) identifying number for routing transfer of funds. (Provide this number only if the receiving financial institution has access to the Federal Reserve Communications System.) (iii) Recipient's name and account number at the receiving financial institution to be credited with the funds. If the receiving financial institution does not have access to the Federal Reserve Communications System, provide the name of the correspondent financial institution through which the receiving institution receives electronic funds transfer messages. If a correspondent financial institution is specified, also provide: (A) Address and telegraphic abbreviation of the correspondent financial institution. (B) The correspondent financial institution's 9-digit ABA identifying number for routing transfer of funds. (c) Any changes to the information furnished under paragraph (b) of this clause shall be furnished to the Contracting Officer in writing at least 30 days before the effective date of the change. It is the Contractor's responsibility to furnish these changes promptly to avoid payments to erroneous addresses or bank accounts. (d) The document furnishing the information required in paragraphs (b) and (c) must be dated and contain the signature, title, and telephone number of the Contractor official authorized to provide it, as well as the Contractor's name and contract number. 1752.232-73 Small Business Invoice Requirements (October 2012) (a) A proper invoice must include the following items (except for interim payments on cost reimbursement contracts for services): (1) Name and address of the contractor. (2) Invoice date and invoice number. (Contractors should date invoices as close as possible to the date of transmission.)
(3) Contract number or other authorization for supplies delivered or services performed (including order number and contract line item number). (4) Description, quantity, unit of measure, unit price, and extended price of supplies delivered or services performed. (5) Shipping and payment terms (e.g., shipment number and date of shipment, discount for prompt payment terms). Bill of lading number and weight of shipment will be shown for shipments on Government bills of lading. (6) Name and address of contractor official to whom payment is to be sent (must be the same as that in the contract or in a proper notice of assignment). (7) Name (where practicable), title, phone number, and mailing address of person to notify in the event of a defective invoice. (8) Taxpayer Identification Number (TIN). The contractor must include its TIN on the invoice only if required by agency procedures. (See 4.9 TIN requirements.) (9) Electronic funds transfer (EFT) banking information. (i) The contractor shall have submitted correct EFT banking information in accordance with the applicable solicitation provision (e.g., 52.232-38, Submission of Electronic Funds Transfer Information with Offer), contract clause (e.g., 52.232-33, Payment by Electronic Funds Transfer-Central Contractor Registration, or 52.232-34, Payment by Electronic Funds Transfer-Other Than Central Contractor Registration), or applicable agency procedures. (ii) The last four digits of the contractor's bank account must be shown on each invoice submitted for payment. This information will be used as a cross-reference in situations where the EFT banking information in the Central Contract Registration is suspect. (iii) EFT banking information is not required if the Government waived the requirement to pay by EFT. (10) The vendor's certification that their EFT banking information in the Central Contractor Registration is current, accurate and complete as of the date of the invoice.
(11) Any other information or documentation required by the contract (e.g., evidence of shipment). (b) Any invoice that does not contain all of the information listed in paragraph (a) above will be rejected as improper, and a new complete corrected invoice must be submitted. The payment due date for the corrected invoice will be calculated from the date it is received in the Prompt Pay e-mail box. (c) ALL small business invoices-without exception-must have unique identifying numbers, and be submitted via e-mail to OPM's Small Business Invoice e-mail box at: SmallBusinessInvoices@opm.gov. Please note that OPM cannot guarantee payment of invoices sent by any other means, such as regular mail or e-mail to other addresses. (d) Please attach ONLY one invoice to each e-mail, and use the following format for the subject line of the e-mail: <Contractor name>&<Invoice no>&<Amount>&<Contract Number>/<Call or Order Number> Example: ABC Co&AB-1298433&10000.00&OPM00-00-X-0000/X0000 (e) Payment due dates will only be calculated from the date that invoices are received in the Small Business Invoice e-mail box. (f) Inquiries regarding payment of invoices should be e-mailed to InvoiceInquiries@opm.gov. The relevant invoice must be attached to the inquiry e-mail, and the subject line of the e-mail must state "INQUIRY," followed by the information described in paragraph (d) above. Example: INQUIRY: ABC Co&AB-1298433&10000.00&OPM00-00-X-0000/X0000 Do NOT use the Prompt Pay e-mail box for inquiries. (g) If the supplies, services, technical or other reports are rejected for failure to conform to the technical requirements of the contract, or for damage in transit or otherwise, the invoice will be rejected and returned to the Contractor. 1752.232-74 Providing Accelerated Payment to Small Business Subcontractors (Oct 2012) (a) This clause implements the temporary policy provided by OMB Policy Memorandum M-12-16, Providing Prompt Payment to Small Business Subcontractors, dated July 11, 2012.
(Note: OMB Policy Memorandum M-12-16 is accessible on line at: http://www.whitehouse.gov/sites/default/files/omb/memoranda/2012/m-12-16.pdf.) (b) Upon receipt of accelerated payments from the Government, the contractor is required to pay all small business subcontractors on an accelerated timetable to the maximum extent practicable after receipt of invoice and all proper documents. (c) Include the substance of this clause, including this paragraph (b), in all subcontracts with small business. 1752.233-70 OPM Protest Procedures [Applicable to Solicitations Only] (Dec 2010) (a) An interested party who files a protest with OPM has the option of requesting review and consideration of the protest by either the Contracting Officer (CO) or the Senior Procurement Executive (SPE). The protest must clearly indicate the official to whom it is directed. (b) If the protest is directed to the SPE, a copy of the protest must be sent to the Director of the Contracting Group at the same time the protest is filed with the CO in accordance with FAR 52.233-2. The address of the Director of the Contract Group is: Juan Arratia, Director Office of Procurement Operations U.S. Office of Personnel Management 1900 E Street N.W., Room 1342 Washington, DC 20415 (c) Review and consideration of a protest by the SPE is an alternative to review and consideration by the CO. 1752.237-70 Non-Personal Services (July 2005) (a) As stated in the Office of Federal Procurement Policy Letter 92-1, dated September 23, 1992, Inherently Governmental Functions, no personal services shall be performed under this contract. No Contractor employee will be directly supervised by the Government. All individual employee assignments, and daily work direction, shall be given by the applicable employee supervisor.
If the Contractor believes any Government action or communication has been given that would create a personal services relationship between the Government and any Contractor employee, the Contractor must promptly notify the Contracting Officer of this communication or action. (b) The Contractor must not perform any inherently Governmental actions under this contract. No Contractor employee shall hold him or herself out to be a Government employee, agent, or representative. No Contractor employee may state orally or in writing at any time that he or she is acting on behalf of the Government. In all communications with third parties in connection with the contract, Contractor employees must identify themselves as Contractor employees and specify the name of the company for which they work. In all communications with other Government Contractors in connection with this contract, the Contractor employee must state that they have no authority to in any way change the contract and that if the other Contractor believes this communication to be a direction to change their contract, they should notify the Contracting Officer for that contract and not carry out the direction until a clarification has been issued by the Contracting Officer. (c) The Contractor must insure that all of its employees working on this contract are informed of the substance of this clause. Nothing in this clause limits the Government's rights in any way under any other provision of the contract, including those related to the Government's right to inspect and accept the services to be performed under this contract. The substance of this clause must be included in all subcontracts at any tier.
1752.242-70 Contract Performance Information (July 2005) (a) Dissemination of Contract Performance Information The Contractor must not publish, permit to be published, or distribute for public consumption, any information, oral or written, concerning the results or conclusions made pursuant to the performance of this contract, without the prior written consent of the Contracting Officer. Two copies of any material proposed to be published or distributed must be submitted to the Contracting Officer for approval. (b) Contractor Testimony All requests for the testimony of the Contractor or its employees, and any intention to testify as an expert witness relating to: (a) any work required by, and or performed under, this contract: or (b) any information provided by any party to assist the Contractor in the performance of this contract, must be immediately reported to the Contracting Officer. Neither the Contractor nor its employees must testify on a matter related to work performed or information provided under this contract, either voluntarily or pursuant to a request, in any judicial or administrative proceeding unless approved by the Contracting Officer or required by a judge in a final court order. 1752.224-70 Definition of Terms (Dec 2015) The following definitions apply to this contract: a. Information: This term is synonymous with the term Data. Both terms refer to single or multiple instances of any recorded or communicated fact or opinion being stored or transferred in any digital or analog format or medium.
b. Controlled Unclassified Information (CUI): This term refers to that sub-category of Information where the loss, misuse, or unauthorized access or modification could adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled under 5 USC Section 552a (the Privacy Act) that has not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy. c. Personally Identifiable Information (PII): This term refers to that sub-category of CUI that can be used to distinguish or trace an individual's identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. d. Information System: This term refers to a system composed of people and equipment that processes or interprets Information. e. Information Technology (IT) System: This term refers to that sub-category of Information System composed of hardware, software, data, and networks that processes or interprets Information. f. Information Security Incident (ISI): This term refers to any event that includes the known, potential, or suspected exposure, loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or unauthorized access of any Contractor or Government Information or Information Systems. g. Record: (1) For the purpose of Records Management, this term refers to all recorded Information, regardless of form or characteristics, made or received by a Federal agency under Federal law or in connection with the transactions of public business and preserved or appropriate for preservation by that agency or its legitimate successor as evidence of the organization, functions, policies, decisions, procedures, operations, or other activities of the US Government or because of the informational value of the data in them.
(2) For the purpose of the Privacy Act, this term refers to any item, collection, or grouping of Information about an individual that is maintained by an agency, including, but not limited to, education, financial transactions, medical history, or criminal or employment history, and that contains the person's name, or the identifying number, symbol, or other identifier assigned to the individual, such as a fingerprint, voiceprint, or a photograph. h. System of Records on individuals: This term refers to a group of any Records from which Information is retrieved by the name of the individual or by some identifying number, symbol, or other identifier assigned to the individual. i. Operation of a System of Records: This term refers to the performance of any of the activities associated with maintaining the System of Records, including the collection, use, and dissemination of Records. j. Privileged User: This term refers to a user that is assigned an organization-defined privileged role that allows that individual to perform certain security-relevant functions that ordinary users are not authorized to perform. These privileged roles include, but are not limited to, IT system development, key management, account management, network and system administration, database administration, and web administration. 1752.224-72 Access to Contractor Information Technology (IT) Systems (Dec 2015) During the period of performance of the contract and throughout any contract close-out period, the Contractor must provide OPM, or its designate, with immediate access to all IT systems used by the Contractor to support the performance of the contract for the purpose of inspection and forensic analysis in the event of an Information Security Incident (ISI). 1752.224-73 Protecting Information (Dec 2015) a. Applicability (1) This clause applies to the Contractor, its subcontractors and teaming partners, and employees (hereafter referred to collectively as "Contractor").
(2) These requirements are applicable to all Information, regardless of medium, maintained by the Contractor for the performance of this contract. (3) These requirements are in addition to all applicable requirements established by the Privacy Act of 1974 (5 U.S.C. 552a); and to all other requirements established by various Federal statutes, mandates, and Executive Orders for the management and security of Information and Information Systems. The following additional requirements should not be construed to alter or diminish civil and/or criminal liabilities provided under the Privacy Act or any other applicable Federal statutes. b. Authorization to Handle Controlled Unclassified Information (CUI) (1) Prior to receiving, collecting, transmitting, storing, using, accessing, sharing, or removing CUI from any approved locations; the Contractor must receive approval in writing from the Chief Information Officer (CIO) through the Contracting Officer (CO) or Contracting Officer's Representative (COR). (2) If the Contractor should begin to receive, collect, transmit, store, use, access, or share CUI without appropriate approval, it should be reported as an Information Security Incident (ISI). (3) Prior to removing CUI from any approved location, electronic device, removable media, or storage container, approval must be received in writing from the CO or COR. c. Authorization to Use Information Technology (IT) Systems (1) Prior to designing, developing, operating, accessing, or using an IT system that will store or process Information other than general information necessary to manage the contract (such as billing), the Contractor must receive approval in writing from the CIO through the CO or COR. (2) The time required to obtain approval may be lengthy, and the Contractor should identify this requirement as soon as possible. (3) If the Contractor should begin to operate, access, or use an IT system without appropriate approval, it must be reported as an ISI.
d. Retention of Authorizing Documentation The Contractor must maintain a current and complete file of all documentation authorizing handling of CUI during the period of performance of the contract, unless otherwise instructed by the Contracting Officer. Documentation will be made accessible during inspections or upon written request by the CO or the COR. 1752.224-74 Privacy Act (Dec 2015) The following Federal Acquisition Regulation (FAR) clauses apply as prescribed within FAR 24.104 for solicitations and contracts, when the design, development, or operation of a system of records on individuals is required to accomplish an OPM function. Additionally, in instances where the Contractor is required to access a system of records on individuals to accomplish an OPM function, the contractor is subject to the Privacy Act, Privacy Act Notification, and applicable agency regulations. 52.224-1 Privacy Act Notification PRIVACY ACT NOTIFICATION (APR 1984) The Contractor will be required to design, develop, or operate a system of records on individuals, to accomplish an agency function subject to the Privacy Act of 1974, Public Law 93-579, December 31, 1974 (5 U.S.C. 552a) and applicable agency regulations. Violation of the Act may involve the imposition of criminal penalties.
52.224-2 Privacy Act PRIVACY ACT (APR 1984) (a) The Contractor agrees to- (1) Comply with the Privacy Act of 1974 (the Act) and the agency rules and regulations issued under the Act in the design, development, or operation of any system of records on individuals to accomplish an agency function when the contract specifically identifies- (i) The systems of records; and (ii) The design, development, or operation work that the contractor is to perform; (2) Include the Privacy Act notification contained in this contract in every solicitation and resulting subcontract and in every subcontract awarded without a solicitation, when the work statement in the proposed subcontract requires the redesign, development, or operation of a system of records on individuals that is subject to the Act; and (3) Include this clause, including this paragraph (3), in all subcontracts awarded under this contract which requires the design, development, or operation of such a system of records. (b) In the event of violations of the Act, a civil action may be brought against the agency involved when the violation concerns the design, development, or operation of a system of records on individuals to accomplish an agency function, and criminal penalties may be imposed upon the officers or employees of the agency when the violation concerns the operation of a system of records on individuals to accomplish an agency function. For purposes of the Act, when the contract is for the operation of a system of records on individuals to accomplish an agency function, the Contractor is considered to be an employee of the agency. (c)(1) "Operation of a system of records," as used in this clause, means performance of any of the activities associated with maintaining the system of records, including the collection, use, and dissemination of records. 
(2) "Record," as used in this clause, means any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and that contains the person's name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a fingerprint or voiceprint or a photograph. (3) "System of records on individuals," as used in this clause, means a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual. 1752.224-75 Information Protection Policies and Procedures (Dec 2015) The Contractor must ensure its policies and procedures address compliance with all information protection requirements of this contract. The policies and procedures must address the following: a. Proper identification, marking, control, storage, transmission, use, and handling of Controlled Unclassified Information (CUI), regardless of medium. b. Proper control, storage, and protection of mobile devices, portable data storage devices, and communication devices containing CUI. c. Proper use of FIPS 140-2 compliant encryption, redaction, and masking methods to protect CUI while at rest and in transit throughout contractor networks, and on host and client platforms. d. Proper use of FIPS 140-2 compliant encryption methods to protect CUI transmitted in email attachments, including policy that passwords must not be communicated in the same email as the attachment. e. Roles and responsibilities and proper actions to be taken during Information Security Incidents (ISIs). f. Proper procedures for obtaining authorized access to information technology (IT) systems. g. General IT security and protection training for all employees.
h. Specialized IT security and protection training for IT security staff. i. Information Systems policy compliance requirements and procedures. This is not an all-inclusive list and may include additional requirements which the contractor shall address during performance. 1752.224-76 Compliance with Information Protection Requirements (Dec 2015) The Chief Information Officer, through the Contracting Officer or Contracting Officer's Representative, reserves the right to verify compliance with information security requirements established by this contract. Verification may include, but is not limited to, onsite or offsite inspections, documentation reviews, process observation, network and IT system scanning. The Contractor will fully comply with all OPM-initiated inspections as permissible by law. 1752.224-77 Information Security Incidents (ISI) (Dec 2015) a. ISI Reporting Activities (1) Contractors must report any and all ISI involving OPM Information to the OPM Situation Room (SITRoom) at SITROOM@OPM.GOV, voice: 202-418-0111, fax: 202-606-0624. The SITRoom is available 24 hours per day, 365 days per year. (2) Contractors must report any and all ISI involving information technology (IT) systems and Controlled Unclassified Information (CUI) immediately upon becoming aware of the ISI but no later than 30 minutes after becoming aware of the ISI, regardless of day or time; regardless of internal investigation, evaluation, or confirmation of procedures or activities; and regardless of whether the ISI is suspected, known, or determined to involve IT systems operated in support of this contract. (3) Contractors reporting an ISI to the SITRoom by email, phone, or fax must copy the Contracting Officer (CO) or Contracting Officer's Representative (COR) if possible; but if not, must notify the CO or COR immediately after reporting to the SITRoom.
(4) When reporting an ISI to the SITRoom by email: (a) Do not include any CUI in the subject or body of any email; (b) Use FIPS 140-2 compliant encryption methods to protect CUI to be included as an email attachment, and do not include passwords in the same email as the encrypted attachment; and (c) Provide any supplementary information or reports related to a previously reported incident directly to the OPM SITRoom with the following text in the subject line of the email: "Supplementary Information / Report related to previously reported incident # [insert number]." b. ISI Review and Response Activities (1) The Contractor must provide full access and cooperation for all activities determined by CO or COR to be required to ensure an effective review and response to protect OPM's Information and Information Systems operated in support of this contract. (2) The Contractor must promptly respond to all requests by the CO or COR for ISI and system-related information, including but not limited to disk images, log files, event information, and any other information determined by OPM to be required for a rapid but comprehensive technical and forensic review. (3) OPM, at its sole discretion, may obtain the assistance of Federal agencies and/or third party firms to aid in ISI Review and Response activities. c. ISI Determination Activities (1) The Contractor must not make any determinations related to an ISI associated with Information Systems or Information maintained by the Contractor in support of the activities authorized by this contract, including determinations related to notification of affected individuals and/or Federal agencies (except reporting criminal activity to Law Enforcement Organizations) and offering of services, such as credit monitoring.
(2) The Contractor must not conduct any internal ISI-related review or response activities that could modify or eliminate any existing technical configuration or information or forensic technical evidence existing at the time of the ISI without approval from the OPM Chief Information Officer (CIO) through the CO or COR. (3) All determinations related to an ISI associated with Information Systems or Information maintained by the Contractor in support of the activities authorized by this contract will be made only by the OPM CIO through the CO or COR. (4) The Contractor must report criminal activity to Law Enforcement Organizations upon becoming aware of such activity. 1752.224-78 Information Security Inspections (Dec 2015) a. The Contractor must permit and cooperate with any mutually agreed upon pre-scheduled onsite or offsite information security inspections, such as: (1) Before initiation of the performance period; (2) As periodically scheduled for contract oversight and compliance purposes; (3) As determined by the OPM Chief Information Officer (CIO) through the Contracting Officer (CO) or Contracting Officer's Representative (COR) to be required for evaluation of or in response to any reported Information Security Incident (ISI); or (4) As determined by the OPM CIO through the CO or COR to be required to address any risk of non-compliance with the requirements of this contract. b. OPM will provide the Contractor with a Post-Inspection Report, which will state findings and specify the Contractor's requirement for remediating findings to maintain compliance with this contract. c. The Contractor must provide a formal response to the OPM Post-Inspection Report within fifteen (15) days of receipt of the report for critical/high risk findings and within thirty (30) days for all other findings.
1752.224-79 Suspension of Contract for Security Concerns (Dec 2015)
If at any time during Contract performance it is determined that the Contractor is not in full compliance with the security requirements of this Contract, the Government may immediately suspend performance under this Contract and require the immediate return of all Controlled Unclassified Information (CUI) materials and information to the Government at full Contractor expense. Any work suspension resulting from a security lapse will not be subject to equitable adjustment; all costs incurred will be borne by the Contractor.

1752.239-70 Internet Protocol Version 6 (IPV6) Compliance (Dec 2015)
All information technology (IT) functionality, capabilities, and features must be supported and operational in both a dual-stack IPv4/IPv6 environment and an IPv6 only environment. Furthermore, all management, user interfaces, configuration options, reports, and other administrative capabilities that support IPv4 functionality will support comparable IPv6 functionality. The Contractor is required to certify that its products have been tested to meet the requirements for both a dual-stack IPv4/IPv6 and IPv6 only environment. The Contracting Officer (CO) or Contracting Officer's Representative (COR) reserves the right to require the Contractor's products to be tested within an OPM or third party test facility to show compliance with this requirement. All costs and resource allocations required for this third party service must be the sole responsibility of the Contractor. Compliance certification shall be provided in writing to the CO or COR.

1752.239-72 Access to OPM Information Technology (IT) Systems (Dec 2015)
a. The Contractor must provide to the distribution list "System Access Control" (systemaccesscontrol@opm.gov) an initial and complete list of employee names that require access to OPM IT systems. This list will be provided at least five (5) days prior to required access.
b. The Contractor must send a staffing change report by the fifth day of each month after contract award to the Contracting Officer (CO), Contracting Officer's Representative (COR), and systemaccesscontrol@opm.gov. The report must contain the listing of all staff members who separated or were hired under this contract in the past 60 days. This form must be submitted even if no separations or hires have occurred during this period. Failure to submit a 'Contractor Staffing Change Report' each month may, at the Government's discretion, result in the suspension of all accounts associated with this contract.
c. Each contractor employee is required to utilize a Personal Identity Verification (PIV) card to access OPM IT systems and Controlled Unclassified Information (CUI), in accordance with the National Institutes of Standards and Technology (NIST) Federal Information Processing Standard (FIPS) 201. Using shared accounts to access OPM IT systems and CUI is strictly prohibited. OPM will disable accounts, and access to OPM IT systems will be revoked and denied if contractor employees share accounts. Users of the IT systems will be subject to periodic auditing to ensure compliance with OPM policies.
d. OPM, at its discretion, may suspend or terminate the access to any IT systems and/or facilities when an Information Security Incident (ISI) or other electronic access violation, use or misuse issue gives cause for such action. The suspension or termination may last until such time as the CO or COR determines that the situation has been corrected or no longer exists.
e. Upon request of the CO or COR, the Contractor must immediately return all Government Information, as well as any media type that houses or stores Government Information, regardless of potential violations of other contracts the contractor may have in place, including, but not limited to, data stored on recovery media, tape backups, and images.
f. The CO, COR and the OPM Helpdesk (helpdesk@opm.gov or 202-606-4927) must be notified at least five (5) days prior to a contractor employee being removed from a contract. For unplanned terminations or removals of contractor employees from the contractor organization, the CO, COR and OPM Helpdesk must be notified immediately. OPM PIV cards issued to Contractor employees must be returned to the COR within two (2) days of departure of a Contractor employee.

1752.239-73 Section 508 Standards (Dec 2015)
a. All information technology (IT) procured through this contract must meet the applicable accessibility standards at 36 CFR 1194, unless an OPM exception to this requirement exists. 36 CFR 1194 implements Section 508 of the Rehabilitation Act of 1973, as amended, and is viewable at http://www.access-board.gov/sec508/508standards.htm.
b. The following standards have been determined to be applicable to this contract:
(1) 1194.21. Software applications and operating systems
(2) 1194.22. Web-based intranet and Internet information and applications
(3) 1194.23 Telecommunications products
(4) 1194.24 Video and multimedia products
(5) 1194.25 Self Contained, closed products
(6) 1194.26 Desktop and portable computers
(7) 1194.31 Functional performance criteria
(8) 1194.41 Information, documentation, and support
c. OPM is required by Section 508 of the Rehabilitation Act of 1973, as amended (29 U.S.C. 794d), to offer access to IT for disabled individuals within its employment, and for disabled members of the public seeking information and services. This access must be comparable to that which is offered to similar individuals who do not have disabilities. Standards for complying with this law are prescribed by the Architectural and Transportation Barriers Compliance Board ("The Access Board").
d. The final work product must include documentation that the deliverable conforms to the Section 508 Standards promulgated by the US Access Board.
e. OPM's assessment of the Section 508 compliance will control. In the event that additional changes are needed to conform with OPM's assessment, the Contractor shall make these changes at no additional charge to OPM.

1752.239-75 Information System Security Requirements (Dec 2015)
a. The activities required by this contract necessitate the Contractor's access to Government Information, including Controlled Unclassified Information (CUI). Contractors are required to comply with current Federal regulations and guidance found in the Federal Information Security Modernization Act (FISMA); Privacy Act of 1974; E-Government Act of 2002, Section 208; National Institute of Standards and Technology (NIST); Federal Information Processing Standards (FIPS); Office of Management and Budget (OMB) memorandums; and other relevant Federal laws and regulations with which OPM must comply.
b. The Contractor shall comply with implementation of required security controls for protection of the Government Information based on the sensitivity of the data within the system as outlined by Federal regulatory requirements, including but not limited to, Health Insurance Portability and Accountability Act (HIPAA), IRS 1075 for federal tax information, Executive Order 13556 for Controlled Unclassified Information (CUI) and any additional regulatory requirements.
c. The Contractor shall implement and maintain an Information security program that is compliant with FISMA, NIST Special Publications, OMB guidelines, OPM security policies, and other applicable laws, throughout the performance of this contract.
d. The Contractor facilities and IT systems shall meet the security requirements for the same impact level or greater as defined by the FIPS 199 as required for the protection of Government Information. The OPM Chief Information Officer, through the Contracting Officer or Contracting Officer's Representative shall provide written approval of the FIPS 199 security categorization.
1752.239-76 Security Assessment and Authorization (SA&A) (Dec 2015)
a. This contract requires the Contractor to develop, deploy, and/or use information technology (IT) systems to access and/or store Government Information, including Controlled Unclassified Information (CUI).
b. All IT systems that input, store, process, and/or output Government Information must be provided an Authority to Operate (ATO) signed by the Contractor Chief Information Officer (CIO) or higher level executive prior to operation of the IT system. The Contractor must complete the SA&A process independently of OPM, including the selection and funding of an approved Federal Risk and Authorization Management Program (FEDRAMP) Third-Party Assessor Organization (3PAO) to validate the security and privacy controls in place for the systems and the overall accuracy of SA&A packages.
c. The Contractor must submit to the OPM Chief Information Officer (CIO), through the Contracting Officer (CO) or Contracting Officer's Representative (COR) the signed SA&A package, along with the security assessment report and supporting documentation such as system and configuration scans from the 3PAO at least sixty (60) days prior to operation of the IT system for review and authorization by the OPM Authorizing Officials (AOs), through the CO or COR. Should the AOs not consider the signed package to meet OPM SA&A requirements for any reason, the AOs retain the right to not issue an ATO for the system. Should the AOs consider it possible for the Contractor to improve the compliance of the A&A package, the CO or COR may provide general or detailed information to the Contractor for possible modification to the package to improve compliance and resubmission to the CO or COR after modification. The CO or COR reserves the right to limit the number of re-submissions of a modified package before a final determination that a resubmitted package will not receive an ATO and no further resubmissions will be accepted.
This may be grounds for contract termination. The OPM CIO is the final authority on the compliance of a submitted package with OPM SA&A requirements.
d. The Contractor Security Assessment and Authorization (SA&A) documentation package must be developed with the use of OPM Security Assessment and Authorization (SA&A) documentation templates in accordance with the OPM Security Assessment and Authorization policy based on the most current NIST Risk Management Framework (RMF), as adapted for Contractor IT systems supporting OPM. Templates are available for all required security documentation including, but not limited to, the System Security Plan, the Security Assessment Plan, the Security Assessment Report, Contingency Plan and Incident Response Plan. The SA&A process must be followed throughout the IT system lifecycle process to ensure proper oversight by OPM.
e. The IT systems must meet the security requirements for the same impact level or greater as defined by the Federal Information Process Standard (FIPS) 199 for the Information being accessed. The OPM CIO, through the CO or COR, must provide written approval of the FIPS 199 security categorization.
f. The Contractor shall complete a Privacy Threshold Analysis (PTA) for all systems as a requirement for an ATO. Based on the PTA, the OPM Chief Privacy Officer will determine whether a Privacy Impact Assessment (PIA) is required to be completed by the Contractor as part of the SA&A package.
g. The Contractor must submit an updated SA&A package, along with the 3PAO report, and supporting documentation to the CO or COR at least 90 days before the expiration of an existing ATO for security review and verification of security controls. Security reviews may include onsite visits that involve physical or logical inspection of the Contractor environment and IT systems.
h. The Contractor must ensure a plan of action and milestones (POA&M) is generated for each security finding and is remediated within a time frame commensurate with the level of risk, as follows, or as otherwise negotiated and approved in writing by the OPM CIO, through the CO or COR: (1) High Risk = 30 days; (2) Moderate Risk = 90 days; and (3) Low Risk = 120 days.

1752.239-77 Federal Reporting Requirements (Dec 2015)
The Contractor must comply with both OPM IT Security policies and OPM's continuous monitoring reporting requirements as required by the Federal Information Security Modernization Act (FISMA). The Contractor must provide OPM with the requested information within the timeframes provided for each request. Failure to do so may result in the loss of OPM's authorization to receive and process sensitive information or operate an IT system containing sensitive information. Reporting requirements may change each reporting period.

1752.239-78 Cloud Computing (Dec 2015)
a. Prior to using any commercial Cloud Service Provider (CSP), the Contractor shall obtain approval from the Chief Information Officer (CIO), through the Contracting Officer (CO) or Contracting Officer's Representative (COR).
b. Information stored in a cloud environment remains the sole property of OPM, not the Contractor or the CSP.
c. The CSP must provide all the protections levied on the Contractor, and must be held accountable for all other requirements for IT systems and CUI, unless waived in writing by the OPM CIO, through the CO or COR.
d. The CSP must allow the OPM CIO, through the CO or COR, access to OPM Information including data schemas, meta data, and other associated data artifacts that are required to ensure OPM can fully and appropriately retrieve OPM Information from the CSP.
e. The CSP, and any subcontractor or teaming partner CSPs, must be evaluated by a Federal Risk and Authorization Management Program (FEDRAMP) Third Party Assessment Organization (3PAO).
The contractor is responsible for the selection and funding of the 3PAO. The most current, and any subsequent, security assessment reports must be made available to the CIO, through the CO or COR, for consideration, including the CSP's Systems Security Plan, as part of the Contractor's Systems Security Plan.

1752.239-80 Information Technology (IT) Security and Privacy Awareness Training (Dec 2015)
a. The Contractor must ensure that all Contractor employees complete OPM-provided mandatory security and privacy training prior to gaining access to OPM IT systems and periodically thereafter based on OPM policy requirements. OPM will provide notification and instructions for completing this training. Non-compliance shall result in revocation of system access.
b. With written permission and justification from the Chief Information Officer, through the Contracting Officer or Contracting Officer's Representative, in lieu of the OPM-provided training, the Contractor may provide its own continuous training and awareness for Contract employees. All costs and resource allocations required must be the sole responsibility of the Contractor. Evidence of training for contractor employees shall be provided to OPM upon request.

1752.239-81 Specialized IT Security Awareness Training (Dec 2015)
a. Contractor personnel performing work related to IT security are required to complete specialized IT security training based on the role-based requirements listed below every fiscal year within the contract period of performance. The Contractor must certify to the Contracting Officer or Contracting Officer's Representative (COR) that IT security personnel have completed the requisite training hours satisfying the below training requirements.
IT Security Roles/Functions: Minimum Hours Required for Specialized Training
• Contractor System Manager\Owner: 5
• Information Security Specialist; Information System Security Officer (ISSO): 20
• Privacy Officer: 5
• System Administrator; Network Administrator; Database Administrator; Service Desk Personnel/Helpdesk; Programmer/Developer: 10
• Other IT Personnel with security responsibilities: 2
b. The Information System Security Officer (ISSO) and Information Security Specialists must be a Certified Information Systems Security Professional (CISSP) within 6 months of contract award and maintain certification throughout the period of performance, which will serve to fulfill the requirement for specialized training.

1752.239-82 HSPD-12 Compliance (Dec 2015)
a. All Contractor employees must consent to screening and sign an access agreement prior to being authorized access to Government IT systems or Controlled Unclassified Information (CUI); and rescreening according to change in position risk designation or other requirements according to HSPD-12 requirements.
b. The Contracting Officer (CO) or Contracting Officer's Representative (COR) approval is required prior to contractor personnel accessing OPM IT systems and CUI.
c. Procurements for services and products involving facility or system access control must be in accordance with HSPD-12 policy and other applicable Federal regulations.
d. All IT systems must enforce the use of Personal Identity Verification (PIV) credentials, in accordance with the National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS) 201. Development and test IT systems may be approved to use alternate 2-factor authentication, such as tokens, with the written approval of the OPM Chief Information Officer, through the CO or COR, prior to implementation.
1752.239-83 Secure Technical Implementation (Dec 2015)
a. The Contractor must certify applications are fully functional and operate correctly as intended on systems using the Federal Desktop Core Configuration (FDCC)\United States Government Configuration Baseline (USGCB).
b. The standard installation, operation, maintenance, updates, and/or patching of software must not alter the configuration settings from the approved FDCC\USGCB configuration.
c. Applications designed for normal end users must run in the standard user context without elevated system administration privileges.
d. The Contractor must apply due diligence at all times to ensure that the required level of security is always in place to protect OPM systems and information, such as using Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIG). The Contracting Officer or Contracting Officer's Representative (COR) reserves the right to verify compliance.

1752.239-84 Data Protection Requirements (Dec 2015)
a. Controlled Unclassified Information (CUI) shall be encrypted in transit and at rest using Federal Information Process Standard (FIPS) 140 and validated by the Cryptographic Module Validation Program (CMVP).
b. The Contractor must provide the validation certificate number to the Contracting Officer or Contracting Officer's Representative (COR) for verification. This shall occur prior to award and upon any changes to the cryptographic module. This shall only occur for the cryptographic modules.
c. The Contractor shall redact or mask all CUI that is not essential to users, including privileged users.

1752.239-85 Security Monitoring and Alerting Requirements (Dec 2015)
All contractor-operated systems that use or store OPM Information must meet or exceed OPM IT Security policy requirements pertaining to security monitoring and alerting.
The minimum requirements are listed further below:
a. System and Network Visibility and Policy Enforcement at the following levels: (1) Edge (2) Server / Host (3) Workstation / Laptop / Client (4) Network (5) Application (6) Database (7) Storage (8) User
b. Alerting and Monitoring
c. System, User, and Data Segmentation

1752.239-86 Contractor Information Technology (IT) System Oversight / Compliance (Dec 2015)
a. The Contractor must support OPM in its efforts to assess and monitor the IT systems and infrastructure used in support of the performance of this contract. The Contractor must provide logical and physical access to the Contractor's facilities, installations, technical capabilities, operations, documentation, records, devices, applications and databases used in performance of the contract, regardless of location, upon Agency request. The Contractor will be expected to perform automated scans and continuous monitoring activities which may include, but will not be limited to, authenticated and unauthenticated scans of networks, operating systems, applications, and databases and provide the results of the scans to the Contracting Officer's Representative (COR), or allow the COR to run the scans directly.
b. All Contractor systems must participate in the OPM Information Security Continuous Monitoring (ISCM) program utilizing the OPM Information Security Continuous Monitoring Plan for security control monitoring and must submit to the COR, the report on security control monitoring as required following the OPM Information Security Continuous Monitoring Reporting template as defined in the OPM IT Security Policy.
c. All Contractor systems must perform vulnerability scanning as defined by OPM IT Security continuous monitoring program and will provide requested vulnerability scanning reports to the COR in accordance with OPM's continuous monitoring program plan.
d. All Contractor systems must participate in the implementation of automated security controls testing mechanisms and provide automated test results in Security Compliant Automation Protocol (SCAP) compliant data to the COR in accordance with OPM's continuous monitoring program.

1752.242-71 Return of OPM and OPM-Activity-Related Information (Dec 2015)
a. Within thirty (30) days after the end of the contract performance period or after the contract is suspended or terminated by the Contracting Officer, unless otherwise instructed by the Contracting Officer, the Contractor must return all original OPM-provided and OPM-Activity-Related Information, such as records, files, and metadata in electronic or hardcopy format, including but not limited to the following: (1) provided by OPM; (2) obtained by the Contractor while conducting activities in accordance with the contract with OPM; (3) distributed for any purpose by the Contractor to any other related organization and/or any other component or separate business entity; or (4) received from the Contractor by any other related organization and/or any other component or separate business entity.
b. Within forty-five (45) days after the end of the contract performance period or after the contract is suspended or terminated by the Contracting Officer, unless otherwise instructed by the Contracting Officer, the Contractor must provide the Contracting Officer and COR with an associated Certification of Verified Return of all original OPM and OPM-Activity-Related Information, such as records, files, and metadata in electronic or hardcopy format, including but not limited to the following: (1) provided by OPM; (2) obtained by the Contractor while conducting activities in accordance with the contract with OPM; (3) distributed for any purpose by the Contractor to any other related organization and/or any other component or separate business entity; or (4) received from the Contractor by any other related organization and/or any other component or separate business entity.

1752.242-72 Secure Destruction of All OPM and OPM-Activity-Related Information (Dec 2015)
a. Within sixty (60) days after the end of the contract performance period or after the contract is suspended or terminated by the Contracting Officer, BUT ONLY after the Contracting Officer (CO) or Contracting Officer's Representative (COR) has accepted and approved the Contractor's compliance with the Certification of Verified Return, the Contractor must execute secure destruction of all copies of all OPM and OPM-activity-related files and information (including but not limited to all records, files, and metadata in electronic or hardcopy format) not returned to OPM and held in possession by the Contractor, by procedures approved by the CO or COR in advance and in accordance with applicable OPM IT Security Policy Requirements, including but not limited to the following: (1) provided by OPM; (2) obtained by the Contractor while conducting activities in accordance with the contract; (3) distributed for any purpose by the Contractor to any other related organization and/or any other component or separate business
entity; or (4) received from the Contractor by any other related organization and/or any other component or separate business entity.
b. Within seventy-five (75) days after the end of the contract performance period or after the contract is suspended or terminated by the CO, BUT ONLY after the CO or COR has accepted and approved the Contractor's compliance with the Certification of Verified Return, the Contractor must provide the CO or COR with Certification of Secure Destruction of all existing active and archived originals and/or copies of all OPM and OPM-activity-related files and information, (including but not limited to all records, files, and metadata in electronic or hardcopy format); by procedures approved by OPM in advance and in accordance with applicable OPM IT Security Policy Requirements; including but not limited to the following: (1) provided by OPM; (2) obtained by the Contractor while conducting activities in accordance with the contract; (3) distributed for any purpose by the Contractor to any other related organization and/or any other component or separate business entity; or (4) received from the Contractor by any other related organization and/or any other component or separate business entity.

1752.242-73 Mandatory Requirement for Contractor Return of all OPM-Owned and Leased Computing and Information Storage Equipment (Dec 2015)
a. Within sixty (60) days after the end of the contract performance period or after the contract is suspended or terminated by the Contracting Officer, or within a time period approved by the Contracting Officer or Contracting Officer's Representative (COR), the Contractor must return all OPM-owned and leased computing and information storage equipment.
b. Within seventy-five (75) days after the end of the contract performance period or after the contract is suspended or terminated by the Contracting Officer, the Contractor must provide OPM with Certified Verification of Return of all OPM-Owned and Leased Computing and Information Storage Equipment.

1752.224-70 Definition of Terms (Dec 2015)
The following definitions apply to this contract:
k. Information: This term is synonymous with the term Data. Both terms refer to single or multiple instances of any recorded or communicated fact or opinion being stored or transferred in any digital or analog format or medium.
l. Controlled Unclassified Information (CUI): This term refers to that sub-category of Information where the loss, misuse, or unauthorized access or modification could adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled under 5 USC Section 552a (the Privacy Act) that has not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.
m. Personally Identifiable Information (PII): This term refers to that sub-category of CUI that can be used to distinguish or trace an individual's identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.
n. Information System: This term refers to a system composed of people and equipment that processes or interprets Information.
o. Information Technology (IT) System: This term refers to that sub-category of Information System composed of hardware, software, data, and networks that processes or interprets Information.
p. Information Security Incident (ISI): This term refers to any event that includes the known, potential, or suspected exposure, loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or unauthorized access of any Contractor or Government Information or Information Systems.
q. Record: (1) For the purpose of Records Management, this term refers to all recorded Information, regardless of form or characteristics, made or received by a Federal agency under Federal law or in connection with the transactions of public business and preserved or appropriate for preservation by that agency or its legitimate successor as evidence of the organization, functions, policies, decisions, procedures, operations, or other activities of the US Government or because of the informational value of the data in them. (2) For the purpose of the Privacy Act, this term refers to any item, collection, or grouping of Information about an individual that is maintained by an agency, including, but not limited to, education, financial transactions, medical history, or criminal or employment history, and that contains the person's name, or the identifying number, symbol, or other identifier assigned to the individual, such as a fingerprint, voiceprint, or a photograph.
r. System of Records on individuals: This term refers to a group of any Records from which Information is retrieved by the name of the individual or by some identifying number, symbol, or other identifier assigned to the individual.
s. Operation of a System of Records: This term refers to the performance of any of the activities associated with maintaining the System of Records, including the collection, use, and dissemination of Records.
t. Privileged User: This term refers to a user that is assigned an organization-defined privileged role that allows that individual to perform certain security-relevant functions that ordinary users are not authorized to perform.
These privileged roles include, but are not limited to, IT system development, key management, account management, network and system administration, database administration, and web administration.

1752.224-72 Access to Contractor Information Technology (IT) Systems (Dec 2015)
During the period of performance of the contract and throughout any contract close-out period, the Contractor must provide OPM, or its designate, with immediate access to all IT systems used by the Contractor to support the performance of the contract for the purpose of inspection and forensic analysis in the event of an Information Security Incident (ISI).

1752.224-73 Protecting Information (Dec 2015)
c. Applicability
(4) This clause applies to the Contractor, its subcontractors and teaming partners, and employees (hereafter referred to collectively as "Contractor").
(5) These requirements are applicable to all Information, regardless of medium, maintained by the Contractor for the performance of this contract.
(6) These requirements are in addition to all applicable requirements established by the Privacy Act of 1974 (5 U.S.C. 552a); and to all other requirements established by various Federal statutes, mandates, and Executive Orders for the management and security of Information and Information Systems. The following additional requirements should not be construed to alter or diminish civil and/or criminal liabilities provided under the Privacy Act or any other applicable Federal statutes.
d. Authorization to Handle Controlled Unclassified Information (CUI)
(4) Prior to receiving, collecting, transmitting, storing, using, accessing, sharing, or removing CUI from any approved locations; the Contractor must receive approval in writing from the Chief Information Officer (CIO) through the Contracting Officer (CO) or Contracting Officer's Representative (COR).
(5) If the Contractor should begin to receive, collect, transmit, store, use, access, or share CUI without appropriate approval, it should be reported as an Information Security Incident (ISI).
(6) Prior to removing CUI from any approved location, electronic device, removable media, or storage container, approval must be received in writing from the CO or COR.
e. Authorization to Use Information Technology (IT) Systems
(4) Prior to designing, developing, operating, accessing, or using an IT system that will store or process Information other than general information necessary to manage the contract (such as billing), the Contractor must receive approval in writing from the CIO through the CO or COR.
(5) The time required to obtain approval may be lengthy, and the Contractor should identify this requirement as soon as possible.
(6) If the Contractor should begin to operate, access, or use an IT system without appropriate approval, it must be reported as an ISI.
f. Retention of Authorizing Documentation
The Contractor must maintain a current and complete file of all documentation authorizing handling of CUI during the period of performance of the contract, unless otherwise instructed by the Contracting Officer. Documentation will be made accessible during inspections or upon written request by the CO or the COR.

1752.224-74 Privacy Act (Dec 2015)
The following Federal Acquisition Regulation (FAR) clauses apply as prescribed within FAR 24.104 for solicitations and contracts, when the design, development, or operation of a system of records on individuals is required to accomplish an OPM function. Additionally, in instances where the Contractor is required to access a system of records on individuals to accomplish an OPM function, the contractor is subject to the Privacy Act, Privacy Act Notification, and applicable agency regulations.
52.224-1 Privacy Act Notification PRIVACY ACT NOTIFICATION (APR 1984) The Contractor will be required to design, develop, or operate a system of records on individuals, to accomplish an agency function subject to the Privacy Act of 1974, Public Law 93-579, December 31, 1974 (5 U.S.C. 552a) and applicable agency regulations. Violation of the Act may involve the imposition of criminal penalties. 52.224-2 Privacy Act PRIVACY ACT (APR 1984) (a) The Contractor agrees to- (1) Comply with the Privacy Act of 1974 (the Act) and the agency rules and regulations issued under the Act in the design, development, or operation of any system of records on individuals to accomplish an agency function when the contract specifically identifies- (i) The systems of records; and (ii) The design, development, or operation work that the contractor is to perform; (2) Include the Privacy Act notification contained in this contract in every solicitation and resulting subcontract and in every subcontract awarded without a solicitation, when the work statement in the proposed subcontract requires the redesign, development, or operation of a system of records on individuals that is subject to the Act; and (3) Include this clause, including this paragraph (3), in all subcontracts awarded under this contract which requires the design, development, or operation of such a system of records. (b) In the event of violations of the Act, a civil action may be brought against the agency involved when the violation concerns the design, development, or operation of a system of records on individuals to accomplish an agency function, and criminal penalties may be imposed upon the officers or employees of the agency when the violation concerns the operation of a system of records on individuals to accomplish an agency function. 
For purposes of the Act, when the contract is for the operation of a system of records on individuals to accomplish an agency function, the Contractor is considered to be an employee of the agency. (c)(1) "Operation of a system of records," as used in this clause, means performance of any of the activities associated with maintaining the system of records, including the collection, use, and dissemination of records. (2) "Record," as used in this clause, means any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and that contains the person's name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a fingerprint or voiceprint or a photograph. (3) "System of records on individuals," as used in this clause, means a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual. 1752.224-75 Information Protection Policies and Procedures (Dec 2015) The Contractor must ensure its policies and procedures address compliance with all information protection requirements of this contract. The policies and procedures must address the following: j. Proper identification, marking, control, storage, transmission, use, and handling of Controlled Unclassified Information (CUI), regardless of medium. k. Proper control, storage, and protection of mobile devices, portable data storage devices, and communication devices containing CUI. l. Proper use of FIPS 140-2 compliant encryption, redaction, and masking methods to protect CUI while at rest and in transit throughout contractor networks, and on host and client platforms.
m. Proper use of FIPS 140-2 compliant encryption methods to protect CUI transmitted in email attachments, including policy that passwords must not be communicated in the same email as the attachment. n. Roles and responsibilities and proper actions to be taken during Information Security Incidents (ISIs). o. Proper procedures for obtaining authorized access to information technology (IT) systems. p. General IT security and protection training for all employees. q. Specialized IT security and protection training for IT security staff. r. Information Systems policy compliance requirements and procedures. This is not an all-inclusive list and may include additional requirements which the contractor shall address during performance. 1752.224-76 Compliance with Information Protection Requirements (Dec 2015) The Chief Information Officer, through the Contracting Officer or Contracting Officer's Representative, reserves the right to verify compliance with information security requirements established by this contract. Verification may include, but is not limited to, onsite or offsite inspections, documentation reviews, process observation, network and IT system scanning. The Contractor will fully comply with all OPM-initiated inspections as permissible by law. 1752.224-77 Information Security Incidents (ISI) (Dec 2015) d. ISI Reporting Activities (5) Contractors must report any and all ISI involving OPM Information to the OPM Situation Room (SITRoom) at SITROOM@OPM.GOV, voice: 202-418-0111, fax: 202-606-0624. The SITRoom is available 24 hours per day, 365 days per year.
(6) Contractors must report any and all ISI involving information technology (IT) systems and Controlled Unclassified Information (CUI) immediately upon becoming aware of the ISI but no later than 30 minutes after becoming aware of the ISI, regardless of day or time; regardless of internal investigation, evaluation, or confirmation of procedures or activities; and regardless of whether the ISI is suspected, known, or determined to involve IT systems operated in support of this contract. (7) Contractors reporting an ISI to the SITRoom by email, phone, or fax must copy the Contracting Officer (CO) or Contracting Officer's Representative (COR) if possible; but if not, must notify the CO or COR immediately after reporting to the SITRoom. (8) When reporting an ISI to the SITRoom by email: (d) Do not include any CUI in the subject or body of any email; (e) Use FIPS 140-2 compliant encryption methods to protect CUI to be included as an email attachment, and do not include passwords in the same email as the encrypted attachment; and (f) Provide any supplementary information or reports related to a previously reported incident directly to the OPM SITRoom with the following text in the subject line of the email: "Supplementary Information / Report related to previously reported incident # [insert number]." e. ISI Review and Response Activities (4) The Contractor must provide full access and cooperation for all activities determined by CO or COR to be required to ensure an effective review and response to protect OPM's Information and Information Systems operated in support of this contract. (5) The Contractor must promptly respond to all requests by the CO or COR for ISI and system-related information, including but not limited to disk images, log files, event information, and any other information determined by OPM to be required for a rapid but comprehensive technical and forensic review.
(6) OPM, at its sole discretion, may obtain the assistance of Federal agencies and/or third party firms to aid in ISI Review and Response activities. f. ISI Determination Activities (5) The Contractor must not make any determinations related to an ISI associated with Information Systems or Information maintained by the Contractor in support of the activities authorized by this contract, including determinations related to notification of affected individuals and/or Federal agencies (except reporting criminal activity to Law Enforcement Organizations) and offering of services, such as credit monitoring. (6) The Contractor must not conduct any internal ISI-related review or response activities that could modify or eliminate any existing technical configuration or information or forensic technical evidence existing at the time of the ISI without approval from the OPM Chief Information Officer (CIO) through the CO or COR. (7) All determinations related to an ISI associated with Information Systems or Information maintained by the Contractor in support of the activities authorized by this contract will be made only by the OPM CIO through the CO or COR. (8) The Contractor must report criminal activity to Law Enforcement Organizations upon becoming aware of such activity.
1752.224-78 Information Security Inspections (Dec 2015) d. The Contractor must permit and cooperate with any mutually agreed upon pre-scheduled onsite or offsite information security inspections, such as: (1) Before initiation of the performance period; (2) As periodically scheduled for contract oversight and compliance purposes; (3) As determined by the OPM Chief Information Officer (CIO) through the Contracting Officer (CO) or Contracting Officer's Representative (COR) to be required for evaluation of or in response to any reported Information Security Incident (ISI); or (4) As determined by the OPM CIO through the CO or COR to be required to address any risk of non-compliance with the requirements of this contract. e. OPM will provide the Contractor with a Post-Inspection Report, which will state findings and specify the Contractor's requirement for remediating findings to maintain compliance with this contract. f. The Contractor must provide a formal response to the OPM Post-Inspection Report within fifteen (15) days of receipt of the report for critical/high risk findings and within thirty (30) days for all other findings. 1752.224-79 Suspension of Contract for Security Concerns (Dec 2015) If at any time during Contract performance it is determined that the Contractor is not in full compliance with the security requirements of this Contract, the Government may immediately suspend performance under this Contract and require the immediate return of all Controlled Unclassified Information (CUI) materials and information to the Government at full Contractor expense. Any work suspension resulting from a security lapse will not be subject to equitable adjustment; all costs incurred will be borne by the Contractor. 1752.239-70 Internet Protocol Version 6 (IPV6) Compliance (Dec 2015) All information technology (IT) functionality, capabilities, and features must be supported and operational in both a dual-stack IPv4/IPv6 environment and an IPv6 only environment.
Furthermore, all management, user interfaces, configuration options, reports, and other administrative capabilities that support IPv4 functionality will support comparable IPv6 functionality. The Contractor is required to certify that its products have been tested to meet the requirements for both a dual-stack IPv4/IPv6 and IPv6 only environment. The Contracting Officer (CO) or Contracting Officer's Representative (COR) reserves the right to require the Contractor's products to be tested within an OPM or third party test facility to show compliance with this requirement. All costs and resource allocations required for this third party service must be the sole responsibility of the Contractor. Compliance certification shall be provided in writing to the CO or COR. 1752.239-72 Access to OPM Information Technology (IT) Systems (Dec 2015) g. The Contractor must provide to the distribution list "System Access Control" (systemaccesscontrol@opm.gov) an initial and complete list of employee names that require access to OPM IT systems. This list will be provided at least five (5) days prior to required access. h. The Contractor must send a staffing change report by the fifth day of each month after contract award to the Contracting Officer (CO), Contracting Officer's Representative (COR), and systemaccesscontrol@opm.gov. The report must contain the listing of all staff members who separated or were hired under this contract in the past 60 days. This form must be submitted even if no separations or hires have occurred during this period. Failure to submit a 'Contractor Staffing Change Report' each month may, at the Government's discretion, result in the suspension of all accounts associated with this contract.
i. Each contractor employee is required to utilize a Personal Identity Verification (PIV) card to access OPM IT systems and Controlled Unclassified Information (CUI), in accordance with the National Institute of Standards and Technology (NIST) Federal Information Processing Standard (FIPS) 201. Using shared accounts to access OPM IT systems and CUI is strictly prohibited. OPM will disable accounts, and access to OPM IT systems will be revoked and denied if contractor employees share accounts. Users of the IT systems will be subject to periodic auditing to ensure compliance with OPM policies. j. OPM, at its discretion, may suspend or terminate the access to any IT systems and/or facilities when an Information Security Incident (ISI) or other electronic access violation, use or misuse issue gives cause for such action. The suspension or termination may last until such time as the CO or COR determines that the situation has been corrected or no longer exists. k. Upon request of the CO or COR, the Contractor must immediately return all Government Information, as well as any media type that houses or stores Government Information, regardless of potential violations of other contracts the contractor may have in place, including, but not limited to, data stored on recovery media, tape backups, and images. l. The CO, COR and the OPM Helpdesk (helpdesk@opm.gov or 202-606-4927) must be notified at least five (5) days prior to a contractor employee being removed from a contract. For unplanned terminations or removals of contractor employees from the contractor organization, the CO, COR and OPM Helpdesk must be notified immediately. OPM PIV cards issued to Contractor employees must be returned to the COR within two (2) days of departure of a Contractor employee.
1752.239-73 Section 508 Standards (Dec 2015) f. All information technology (IT) procured through this contract must meet the applicable accessibility standards at 36 CFR 1194, unless an OPM exception to this requirement exists. 36 CFR 1194 implements Section 508 of the Rehabilitation Act of 1973, as amended, and is viewable at http://www.access-board.gov/sec508/508standards.htm. g. The following standards have been determined to be applicable to this contract: (1) 1194.21 Software applications and operating systems (2) 1194.22 Web-based intranet and Internet information and applications (3) 1194.23 Telecommunications products (4) 1194.24 Video and multimedia products (5) 1194.25 Self Contained, closed products (6) 1194.26 Desktop and portable computers (7) 1194.31 Functional performance criteria (8) 1194.41 Information, documentation, and support h. OPM is required by Section 508 of the Rehabilitation Act of 1973, as amended (29 U.S.C. 794d), to offer access to IT for disabled individuals within its employment, and for disabled members of the public seeking information and services. This access must be comparable to that which is offered to similar individuals who do not have disabilities. Standards for complying with this law are prescribed by the Architectural and Transportation Barriers Compliance Board ("The Access Board"). i. The final work product must include documentation that the deliverable conforms to the Section 508 Standards promulgated by the US Access Board. j. OPM's assessment of the Section 508 compliance will control. In the event that additional changes are needed to conform with OPM's assessment, the Contractor shall make these changes at no additional charge to OPM. 1752.239-75 Information System Security Requirements (Dec 2015) e. The activities required by this contract necessitate the Contractor's access to Government Information, including Controlled Unclassified Information (CUI).
Contractors are required to comply with current Federal regulations and guidance found in the Federal Information Security Modernization Act (FISMA); Privacy Act of 1974; E-Government Act of 2002, Section 208; National Institute of Standards and Technology (NIST); Federal Information Processing Standards (FIPS); Office of Management and Budget (OMB) memorandums; and other relevant Federal laws and regulations with which OPM must comply. f. The Contractor shall comply with implementation of required security controls for protection of the Government Information based on the sensitivity of the data within the system as outlined by Federal regulatory requirements, including but not limited to, Health Insurance Portability and Accountability Act (HIPAA), IRS 1075 for federal tax information, Executive Order 13556 for Controlled Unclassified Information (CUI) and any additional regulatory requirements. g. The Contractor shall implement and maintain an Information security program that is compliant with FISMA, NIST Special Publications, OMB guidelines, OPM security policies, and other applicable laws, throughout the performance of this contract. h. The Contractor facilities and IT systems shall meet the security requirements for the same impact level or greater as defined by the FIPS 199 as required for the protection of Government Information. The OPM Chief Information Officer, through the Contracting Officer or Contracting Officer's Representative shall provide written approval of the FIPS 199 security categorization. 1752.239-76 Security Assessment and Authorization (SA&A) (Dec 2015) i. This contract requires the Contractor to develop, deploy, and/or use information technology (IT) systems to access and/or store Government Information, including Controlled Unclassified Information (CUI).
j. All IT systems that input, store, process, and/or output Government Information must be provided an Authority to Operate (ATO) signed by the Contractor Chief Information Officer (CIO) or higher level executive prior to operation of the IT system. The Contractor must complete the SA&A process independently of OPM, including the selection and funding of an approved Federal Risk and Authorization Management Program (FEDRAMP) Third-Party Assessor Organization (3PAO) to validate the security and privacy controls in place for the systems and the overall accuracy of SA&A packages. k. The Contractor must submit to the OPM Chief Information Officer (CIO), through the Contracting Officer (CO) or Contracting Officer's Representative (COR) the signed SA&A package, along with the security assessment report and supporting documentation such as system and configuration scans from the 3PAO at least sixty (60) days prior to operation of the IT system for review and authorization by the OPM Authorizing Officials (AOs), through the CO or COR. Should the AOs not consider the signed package to meet OPM SA&A requirements for any reason, the AOs retain the right to not issue an ATO for the system. Should the AOs consider it possible for the Contractor to improve the compliance of the A&A package, the CO or COR may provide general or detailed information to the Contractor for possible modification to the package to improve compliance and resubmission to the CO or COR after modification. The CO or COR reserves the right to limit the number of re-submissions of a modified package before a final determination that a resubmitted package will not receive an ATO and no further resubmissions will be accepted. This may be grounds for contract termination. The OPM CIO is the final authority on the compliance of a submitted package with OPM SA&A requirements.
l. The Contractor Security Assessment and Authorization (SA&A) documentation package must be developed with the use of OPM Security Assessment and Authorization (SA&A) documentation templates in accordance with the OPM Security Assessment and Authorization policy based on the most current NIST Risk Management Framework (RMF), as adapted for Contractor IT systems supporting OPM. Templates are available for all required security documentation including, but not limited to, the System Security Plan, the Security Assessment Plan, the Security Assessment Report, Contingency Plan and Incident Response Plan. The SA&A process must be followed throughout the IT system lifecycle process to ensure proper oversight by OPM. m. The IT systems must meet the security requirements for the same impact level or greater as defined by the Federal Information Processing Standard (FIPS) 199 for the Information being accessed. The OPM CIO, through the CO or COR, must provide written approval of the FIPS 199 security categorization. n. The Contractor shall complete a Privacy Threshold Analysis (PTA) for all systems as a requirement for an ATO. Based on the PTA, the OPM Chief Privacy Officer will determine whether a Privacy Impact Assessment (PIA) is required to be completed by the Contractor as part of the SA&A package. o. The Contractor must submit an updated SA&A package, along with the 3PAO report, and supporting documentation to the CO or COR at least 90 days before the expiration of an existing ATO for security review and verification of security controls. Security reviews may include onsite visits that involve physical or logical inspection of the Contractor environment and IT systems.
p. The Contractor must ensure a plan of action and milestones (POA&M) is generated for each security finding and is remediated within a time frame commensurate with the level of risk, as follows, or as otherwise negotiated and approved in writing by the OPM CIO, through the CO or COR: (4) High Risk = 30 days; (5) Moderate Risk = 90 days; and (6) Low Risk = 120 days. 1752.239-77 Federal Reporting Requirements (Dec 2015) The Contractor must comply with both OPM IT Security policies and OPM's continuous monitoring reporting requirements as required by the Federal Information Security Modernization Act (FISMA). The Contractor must provide OPM with the requested information within the timeframes provided for each request. Failure to do so may result in the loss of OPM's authorization to receive and process sensitive information or operate an IT system containing sensitive information. Reporting requirements may change each reporting period. 1752.239-79 Cloud Computing (Dec 2015) f. Prior to using any commercial Cloud Service Provider (CSP), the Contractor shall obtain approval from the Chief Information Officer (CIO), through the Contracting Officer (CO) or Contracting Officer's Representative (COR). g. Information stored in a cloud environment remains the sole property of OPM, not the Contractor or the CSP. h. The CSP must provide all the protections levied on the Contractor, and must be held accountable for all other requirements for IT systems and CUI, unless waived in writing by the OPM CIO, through the CO or COR. i. The CSP must allow the OPM CIO, through the CO or COR, access to OPM Information including data schemas, meta data, and other associated data artifacts that are required to ensure OPM can fully and appropriately retrieve OPM Information from the CSP. j. The CSP, and any subcontractor or teaming partner CSPs, must be evaluated by a Federal Risk and Authorization Management Program (FEDRAMP) Third Party Assessment Organization (3PAO).
The contractor is responsible for the selection and funding of the 3PAO. The most current, and any subsequent, security assessment reports must be made available to the CIO, through the CO or COR, for consideration, including the CSP's Systems Security Plan, as part of the Contractor's Systems Security Plan. 1752.239-80 Information Technology (IT) Security and Privacy Awareness Training (Dec 2015) c. The Contractor must ensure that all Contractor employees complete OPM-provided mandatory security and privacy training prior to gaining access to OPM IT systems and periodically thereafter based on OPM policy requirements. OPM will provide notification and instructions for completing this training. Non-compliance shall result in revocation of system access. d. With written permission and justification from the Chief Information Officer, through the Contracting Officer or Contracting Officer's Representative, in lieu of the OPM-provided training, the Contractor may provide its own continuous training and awareness for Contract employees. All costs and resource allocations required must be the sole responsibility of the Contractor. Evidence of training for contractor employees shall be provided to OPM upon request. 1752.239-81 Specialized IT Security Awareness Training (Dec 2015) c. Contractor personnel performing work related to IT security are required to complete specialized IT security training based on the role-based requirements listed below every fiscal year within the contract period of performance. The Contractor must certify to the Contracting Officer or Contracting Officer's Representative (COR) that IT security personnel have completed the requisite training hours satisfying the below training requirements.
IT Security Roles/Functions: Minimum Hours Required for Specialized Training
• Contractor System Manager\Owner: 5
• Information Security Specialist; Information System Security Officer (ISSO): 20
• Privacy Officer: 5
• System Administrator; Network Administrator; Database Administrator; Service Desk Personnel/Helpdesk; Programmer/Developer: 10
• Other IT Personnel with security responsibilities: 2
d. The Information System Security Officer (ISSO) and Information Security Specialists must be a Certified Information Systems Security Professional (CISSP) within 6 months of contract award and maintain certification throughout the period of performance, which will serve to fulfill the requirement for specialized training. 1752.239-82 HSPD-12 Compliance (Dec 2015) e. All Contractor employees must consent to screening and sign an access agreement prior to being authorized access to Government IT systems or Controlled Unclassified Information (CUI); and rescreening according to change in position risk designation or other requirements according to HSPD-12 requirements. f. The Contracting Officer (CO) or Contracting Officer's Representative (COR) approval is required prior to contractor personnel accessing OPM IT systems and CUI. g. Procurements for services and products involving facility or system access control must be in accordance with HSPD-12 policy and other applicable Federal regulations. h. All IT systems must enforce the use of Personal Identity Verification (PIV) credentials, in accordance with the National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS) 201. Development and test IT systems may be approved to use alternate 2-factor authentication, such as tokens, with the written approval of the OPM Chief Information Officer, through the CO or COR, prior to implementation.
1752.239-83 Secure Technical Implementation (Dec 2015) e. The Contractor must certify applications are fully functional and operate correctly as intended on systems using the Federal Desktop Core Configuration (FDCC)\United States Government Configuration Baseline (USGCB). f. The standard installation, operation, maintenance, updates, and/or patching of software must not alter the configuration settings from the approved FDCC\USGCB configuration. g. Applications designed for normal end users must run in the standard user context without elevated system administration privileges. h. The Contractor must apply due diligence at all times to ensure that the required level of security is always in place to protect OPM systems and information, such as using Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIG). The Contracting Officer or Contracting Officer's Representative (COR) reserves the right to verify compliance. 1752.239-84 Data Protection Requirements (Dec 2015) d. Controlled Unclassified Information (CUI) shall be encrypted in transit and at rest using Federal Information Processing Standard (FIPS) 140 and validated by the Cryptographic Module Validation Program (CMVP). e. The Contractor must provide the validation certificate number to the Contracting Officer or Contracting Officer's Representative (COR) for verification. This shall occur prior to award and upon any changes to the cryptographic module. This shall only occur for the cryptographic modules. f. The Contractor shall redact or mask all CUI that is not essential to users, including privileged users. 1752.239-85 Security Monitoring and Alerting Requirements (Dec 2015) All contractor-operated systems that use or store OPM Information must meet or exceed OPM IT Security policy requirements pertaining to security monitoring and alerting.
The minimum requirements are listed further below: d. System and Network Visibility and Policy Enforcement at the following levels: (9) Edge (10) Server / Host (11) Workstation / Laptop / Client (12) Network (13) Application (14) Database (15) Storage (16) User e. Alerting and Monitoring f. System, User, and Data Segmentation 1752.239-86 Contractor Information Technology (IT) System Oversight / Compliance (Dec 2015) e. The Contractor must support OPM in its efforts to assess and monitor the IT systems and infrastructure used in support of the performance of this contract. The Contractor must provide logical and physical access to the Contractor's facilities, installations, technical capabilities, operations, documentation, records, devices, applications and databases used in performance of the contract, regardless of location, upon Agency request. The Contractor will be expected to perform automated scans and continuous monitoring activities which may include, but will not be limited to, authenticated and unauthenticated scans of networks, operating systems, applications, and databases and provide the results of the scans to the Contracting Officer's Representative (COR), or allow the COR to run the scans directly. f. All Contractor systems must participate in the OPM Information Security Continuous Monitoring (ISCM) program utilizing the OPM Information Security Continuous Monitoring Plan for security control monitoring and must submit to the COR, the report on security control monitoring as required following the OPM Information Security Continuous Monitoring Reporting template as defined in the OPM IT Security Policy. g. All Contractor systems must perform vulnerability scanning as defined by OPM IT Security continuous monitoring program and will provide requested vulnerability scanning reports to the COR in accordance with OPM's continuous monitoring program plan.
h. All Contractor systems must participate in the implementation of automated security controls testing mechanisms and provide automated test results in Security Compliant Automation Protocol (SCAP) compliant data to the COR in accordance with OPM's continuous monitoring program. 1752.242-71 Return of OPM and OPM-Activity-Related Information (Dec 2015) c. Within thirty (30) days after the end of the contract performance period or after the contract is suspended or terminated by the Contracting Officer, unless otherwise instructed by the Contracting Officer, the Contractor must return all original OPM-provided and OPM-Activity-Related Information, such as records, files, and metadata in electronic or hardcopy format, including but not limited to the following: (5) provided by OPM; (6) obtained by the Contractor while conducting activities in accordance with the contract with OPM; (7) distributed for any purpose by the Contractor to any other related organization and/or any other component or separate business entity; or (8) received from the Contractor by any other related organization and/or any other component or separate business entity.
d. Within forty-five (45) days after the end of the contract performance period or after the contract is suspended or terminated by the Contracting Officer, unless otherwise instructed by the Contracting Officer, the Contractor must provide the Contracting Officer and COR with an associated Certification of Verified Return of all original OPM and OPM-Activity-Related Information, such as records, files, and metadata in electronic or hardcopy format, including but not limited to the following: (5) provided by OPM; (6) obtained by the Contractor while conducting activities in accordance with the contract with OPM; (7) distributed for any purpose by the Contractor to any other related organization and/or any other component or separate business entity; or (8) received from the Contractor by any other related organization and/or any other component or separate business entity. 1752.242-72 Secure Destruction of All OPM and OPM-Activity-Related Information (Dec 2015) c. Within sixty (60) days after the end of the contract performance period or after the contract is suspended or terminated by the Contracting Officer, BUT ONLY after the Contracting Officer (CO) or Contracting Officer's Representative (COR) has accepted and approved the Contractor's compliance with the Certification of Verified Return, the Contractor must execute secure destruction of all copies of all OPM and OPM-activity-related files and information (including but not limited to all records, files, and metadata in electronic or hardcopy format) not returned to OPM and held in possession by the Contractor, by procedures approved by the CO or COR in advance and in accordance with applicable OPM IT Security Policy Requirements, including but not limited to the following: (5) provided by OPM; (6) obtained by the Contractor while conducting activities in accordance with the contract; (7) distributed for any purpose by the Contractor to any other related organization and/or any other component or separate business entity; or (8) received from the Contractor by any other related organization and/or any other component or separate business entity. d. Within seventy-five (75) days after the end of the contract performance period or after the contract is suspended or terminated by the CO, BUT ONLY after the CO or COR has accepted and approved the Contractor's compliance with the Certification of Verified Return, the Contractor must provide the CO or COR with Certification of Secure Destruction of all existing active and archived originals and/or copies of all OPM and OPM-activity-related files and information, (including but not limited to all records, files, and metadata in electronic or hardcopy format); by procedures approved by OPM in advance and in accordance with applicable OPM IT Security Policy Requirements; including but not limited to the following: (5) provided by OPM; (6) obtained by the Contractor while conducting activities in accordance with the contract; (7) distributed for any purpose by the Contractor to any other related organization and/or any other component or separate business entity; or (8) received from the Contractor by any other related organization and/or any other component or separate business entity. 1752.242-73 Mandatory Requirement for Contractor Return of all OPM-Owned and Leased Computing and Information Storage Equipment (Dec 2015) c. Within sixty (60) days after the end of the contract performance period or after the contract is suspended or terminated by the Contracting Officer, or within a time period approved by the Contracting Officer or Contracting Officer's Representative (COR), the Contractor must return all OPM-owned and leased computing and information storage equipment.
d.Within seventy-five (75) days after the end of the contract performance period or after the contract is suspended or terminated by the Contracting Officer, the Contractor must provide OPM with Certified Verification of Return of all OPM-Owned and Leased Computing and Information Storage Equipment.
 
Web Link
FBO.gov Permalink
(https://www.fbo.gov/spg/OPM/OCAS/CD/OPM1516T0005/listing.html)
 
Place of Performance
Address: U.S. Office of Personnel Management, Federal Investigative Services, 601 10th Street, Fort Meade, Maryland, 20755, United States
Zip Code: 20755
 
Record
SN04180035-W 20160714/160712235546-19061858c343c971ad03434740519d8f (fbodaily.com)
 
Source
FedBizOpps Link to This Notice
(may not be valid after Archive Date)
