EFTA00127472.pdf

MCC NEW YORK 15BNYM18FTP120150 Page 1 of 15 SOLICITATION/CONTRACT/ORDER FOR COMMERCIAL ITEMS 1. REQUISITION NUMBER OFFEROR TO COMPLETE BLOCKS 12, 17, 23, 24 & 30 1064-18 2. CONTRACT NO. 3. AWARDEFFECTIVE 1. ORDER NUMBER S. SOLICITATION NUMBER 8. SOLICITATION ISSUE DATE DATE GS-07F-0322T 15BNYMI8FTP120150 09/21/2018 a. NAME b. TELEPHONE NUMBER (No eo.Nef ediS) 8. OFFER DUE DATE/LOCAL 7. FOR SOLICITATION TIME INFORMATION CALL: 9. ISSUED BY CODE I5BNYM 10. THE ACOUISMON IS x UNRESTRICTED OR SET ASIDE: % FOR Federal Bureau of Prisons SHALL BUSINESS WOMEN-011111E0 9.01.L BUSINESS kWOSIN MCC New York fl EuGIBLE uNDER THE wOKEROHNED • SMALL BUSNESSPRO3FLAM 150 Park Row HUOZONE SWILL talcs: 334512 alStAESS EOMS8 New York. NY 10007 O SERVICEZCSABLED SIZE STANDARD: Employees VETESIMOWICO SHILL BUSNESS 81.4 11. DELNERY FOR FOB DESTINATION 12 DISCOUNT TERMS 13b. RATING UNLESS BLOCK IS MARKED IS. THIS CONTRACT IS A SEE NET 30 ❑ RAT (RATED ORDER UNDER PAS 14. METHOD OF SOLICITATION CFR 7001 SCHEDULE 15. DELNER TO W. ADMINISTERED BY ❑ RFO ❑ IFB ❑ RFP CODE I5BNYM COOS I BNEF Federal Bureau of Prisons Federal Bureau of Prisons MCC New York NE Finance Center- FCI Fort Dix 150 Park Row NE FINANCE CENTER New York. NY 10007 BLDG 5756 HARTFORD ROAD Joint Base MDL, NJ 08640 17a. CONTRACTOR' CMEI42i578695 I FACILITY 171856222 18a. PAYMENT WILL BE MADE BY CODE BFTD OFFEROR CODE Federal Bureau of Prisons ATfN: NYM ACCOUNT. SIGNETTECHNOLOGIES. INC- 12300 KILN COURT FCI Fon Dix PAYABLE SUITE E P.O. Box 38 BELTSVILLE. MD 20705-1357 NER Finance Center - Acccounting DUNS: 17185/1222 Joint Base MDL. NJ 08640 TELEPHONE NO 18b. SUBMIT INVOICES TO ADDRESS SHCAVN IN BLOCK 1Ba UNLESS BLOCK BELOW IS MI 7b. CHECK IF REMITTANCE IS DIFFERENT AND PUT SUCH ADDRESS IN CHECKED OFFER ❑ SEE ADDENDUM 19. 20. 21. 22. 23. 24. ITEM NO. SCHEDULE OF SUPPLIES/SERVICES QUANTITY UNIT UNIT PRICE AMOUNT Delivery Date: 09/28/2018 MCC NEW YORK - CAMERA SYSTEM Provide services in accordance with the FSS. SOW and technical proposal. GSA: GS-07F-0322T See Continuation Sheet(s) Oaf.....(nota. Aiwa% Miasma, 3l.....\'... i 25. ACCOUNTING AND APPROPRIATION DATA 6 TOTAL AWARD AMOUNTTM: Gut Use OWN SA-2018-02-FP021452PI-29F-3100-2018 5698.108.99 ▪ 27a. SOLICITATION INCORPORATES BY REFERENCE FAR 52.212-1. 52.212-0. FAR 52.2123 AND 62.212-6 ARE ATTACHED. ADDENDA ARE DARE NOT ATTACHED ▪ 27b. CONTRACDPUROIASE ORDER INCORPORATES BY REFERENCE FAR 52.212-1. FAR 52.2125 IS ATTACHED. ADDENDA ARE D ARE NOT ATTACHED N 28. CONTRACTOR IS REQUIRED TO SIGN THIS DOCUMENT AND RETURN I COPIES TO ISSUING OFFICE. CONTRACTOR AGREES TO FURNISH AND DELIVER ALL ITEMS SET FORTH 9 29. AWARD OF CONTRACT: REF. DATED OFFER . YOUR OFFER ON SOLICITATION (MOCK 5) OR OTHERWISE IDENTIFIED ABOVE AND ON ANY ADDITIONAL SHEETS SUBJECT TO THE INCLUDING ANY ADDITIONS OR CHANGES WHICH ARE SET FORTH HEREIN. TERMS AND CONDITIONS SPECIFED IS ACCEPTED AS TO ITEMS: AUTHORIZED FOR LOCAL REPRODUCTION STANDARD FORM 1449 (REV. 212012) PREVIOUS EDITION IS NOT USABLE Presaited by GSA. FAR fa CFR) 53212 EFTA00127472  15BNYM18FTP120150 Page 2 of 15 20. 21. 22. 23. 24. ITEr: `.1,-; SCHEDULE OF SUPPLIESSERVICES OUANTITY UNIT UNIT PRICE AMOUNT 32a. OUANTITY IN COLUMN 21 HAS BEEN 0 RECEIVED 0 INSPECTED ❑ ACCEPTED, AND CONFORMS TO THE CONTRACT. EXCEPT AS NOTED: 32b. SIGNATURE OF AUTHORIZED GOVERNMENT 32c. DATE 32d. PRINTED NAME AND TITLE OF AUTHORIZED GOVERNMENT REPRESENTATIVE REPRESENTATIVE 32a. MAILING ADDRESS OF AUTHORIZED GOVERNMENT REPRESENTATIVE 32f. TELEPHONE NUMBER OF AUTHORIZED GOVERNMENT REPRESENTATIVE 32g. E-MAIL OF AUTHORIZED GOVERNMENT REPRESENTATIVE 33. SHIP NUMBER 34. VOUCHER NUMBER 35. AMOUNT VERIFIED 36. PAYMENT 37. CHECK NUMBER CORRECT FOR COMPLETE PARTIAL O FINAL PARTIAL I I FINAL 38. SR ACCOUNT NUMBER 39. SR VOUCHER NUMBER 40. PAID BY 41a. I CERTIFY THIS ACCOUNT IS CORRECT AND PROPER FOR PAYMENT 42a. RECEIVED BY (Print) 41b. SIGNATURE AND TITLE OF CERTIFYING OFFICER 41c. DATE 42b. RECEIVED AT (Location) 42c. DATE RECO (YWMAtliDO 42d. TOTAL CONTAINERS STANDARD FORM 1449 (REV. 02,2012) SACK EFTA00127473  15BNYM18FTP120150 Page 3 of 15 Table of Contents Section Description Pape Number Solicitation/Contract Form 2 Commodity or Services Schedule 4 3 Contract Clauses 6 52.21.603.70 Contracting Officer's Representative (COR) (June 2012) 6 2852.223.70 Unsafe Conditions Due to the Presence of Hazardous Material (June 1996) 6 52.24.403.70 Notice of Contractor Personnel Security Requirements (OCT 2005) 6 52.27.103.72 DOJ CONTRACTOR RESIDENCY REQUIREMENT BUREAU OF PRISONS (JUNE 2004) 8 DJAR-PGD-15.02.1B Contractor Internal Confidentiality Agreements or Statements Prohibiting or Restricting Reporting of Waste, Fraud, and Abuse - Solicitation - (DEVIATION 2015.02) (March 2015) 8 DJAR-PGD-15.03 Security of Department Information and Systems 8 BOP 2852.242-71 EVALUATION OF CONTRACTOR PERFORMANCE UTILIZING CPARS (APR 2011) 13 508 COMPLIANCE WITH SECTION 508 OF THE REHABILITATION ACT OF 1973, 1998 AMENDMENTS 13 DJAR-PGD-15.02.2A Corporate Representation Regarding Felony Conviction Under Any Federal Law or Unpaid Delinquent Tax Liability - Award (DEVIATION 2015.02) (March 2015) 13 4 List of Attachments 15 EFTA00127474  15BNYM18FTP120150 Page 4 of 15 Section 2 - Commodity or Services Schedule SCHEDULE OF SUPPLIES/SERVICES CONTINUATION SHEET ITEM NO. SUPPLIES/SERVICES QUANTITY UNIT UNIT PRICE AMOUNT 0001 NV-ENT-CH 350.000000 EA $239.4000 $83/90.00 Single License for Nice Vision Enterprise package video/audio channel 0002 NV-SVR9820-RIN6-RIN1-80TB 4.000000 EA $22,184.4000 $88.737.60 VISIONHUB SMART VIDEO RECORDER 9820. 2U WITH INTERNAL RAID6 + RAID 1 80TB NET STORAGE 0003 NV-ENT-RSVR-ICH 350.000000 OR $66.5000 $23.275.00 RECORDER REDUNDANCY LICENSE PER 1 CHANNEL 0004 NV-ENT-NUVUPG-NET2X NET31 1.000000 EA $0.0000 $0.00 ENTERPRISE SOFTWARE PACKAGE MAJOR VERSION UPGRADE FOR SITE. USERS AND CHANNELS FROM NET 2.X TO NET 3.1 0005 NV-NIVD5204 1.000000 EA 53.800.4800 53.800.48 NICEVISION DECODER 5204 SUPPORTING UP TO 4 VIDEO OUTPUTS (IU) 0006 SGT-AMS 1.000000 EA $4,389.0000 $4.389.00 AMS SERVER 0007 NV-NIVE-2016 22.000000 EA S2A93/500 554.862.50 NICEVISION H.264 ENCODER SUPPORTING 16 CAMERAS AT 30/25FPS IN 4CIF RESOLUTION. INCLUDES DUAL PS 0008 1OM62WR-89 135.000000 EA $517.3700 $69.844.95 IP CAMERA 0009 SIGNET LABOR 1.000000 EA $243.523.0000 $243.523.00 0010 NV-ED-RMK 11.000000 EA $119.7000 $1.316.70 NICE VISION ENCODER/DECODER RACK MOUNT KIT SUPPORTING 4 NVEJNVD 1002 (FOR NOT-XT-MODELS). OR 6 NVE/NVD 1002 POWER S 0011 17.000000 EA $2.500.0000 $42.500.00 OUTDOOR PTZ/1080P/X32/IP 0012 O8414LVS 75.000000 EA $1.050.0000 $78,750.00 CORNER /VANCAM/1.3MM 0013 17.000000 EA $8a0000 $1,394.00 WALL WALL MOUNT FOR O6055-E 0014 T98AI18-VE 8.000000 EA $240.7200 $1.925.76 MEDIACONVERTER CABINET FUNDING DETAILS: ITEM FUNDING LINE OBLIGATED AMOUNT ACCOUNTING CODES NO. NA I $698,108.99 SA-2018-02-FP021452P1-29F-3100-2018 TOTAL: $698,108.99 EFTA00127475  15BNYM18FTP120150 Page 5 of 15 Large Business EFTA00127476  15BNYM18FTP120150 Page 6 of 15 Section 3 - Contract Clauses Clauses By Full Text 52.21.603-70 Contracting Officer's Representative (COR) (June 2012) (a . MCC NEW YORK,JArea Code and Telephone Numberl, is hereby designated as the Contracting Officer's Representative (COR) under this contract. (b) The COR is responsible, as applicable, for: receiving all deliverables, inspecting and accepting the supplies or services provide hereunder in accordance with the terms and conditions of this contract; providing direction to the contractor which clarifies the con- tractor effort, fills in details or otherwise serves to accomplish the contractual Scope of Work; evaluating performance; and certifying all invoices/vouchers for acceptance of the supplies or services furnished for payment. (c) The COR does not have the authority to alter the contractor's obligations under the contract, and/or modify any of the expressed terms, conditions, specifications, or cost of the agreement. If as a result of technical discussions it is desirable to alter/change contrac- tual obligations or the Scope of Work, the Contracting Officer shall issue such changes. 2852.223-70 Unsafe Conditions Due to the Presence of Hazardous Material (June 1996) (a) "Unsafe condition" as used in this clause means the actual or potential exposure of contractor or Government employees to a haz- ardous material as defined in Federal Standard No. 313, and any revisions thereto during the term of this contract, or any other materi- al or working condition designated by the Contracting Officer's Technical Representative (COTR) as potentially hazardous and requir- ing safety controls. (b) The Occupational Safety and Health Administration (OSHA) is responsible for issuing and administering regulations that require contractors to apprise its employees of all hazards to which they may be exposed in the course of their employment; proper conditions and precautions for safe use and exposure; and related symptoms and emergency treatment in the event of exposure. (c) Prior to commencement of work, contractors are required to inspect for and report to the contracting officer or designee the pres- ence of, or suspected presence of, any unsafe condition including asbestos or other hazardous materials or working conditions in areas in which they will be working. (d) If during the performance of the work under this contract, the contractor or any of its employees, or subcontractor employees, dis- covers the existence of an unsafe condition, the contractor shall immediately notify the contracting officer, or designee, (with written notice provided not later than three (3) working days thereafter) of the existence of an unsafe condition. Such notice shall include the contractor's recommendations for the protection and the safety of Government, contractor and subcontractor personnel and property that may be exposed to the unsafe condition. (e) When the Government receives notice of an unsafe condition from the contractor, the parties will agree on a course of action to mitigate the effects of that condition and, if necessary, the contract will be amended. Failure to agree on a course of action will consti- tute a dispute under the Disputes clause of this contract. (f) Nothing contained in this clause shall relieve the contractor or subcontractors from complying with applicable Federal, State, and local laws, codes, ordinances and regulations (including the obtaining of licenses and permits) in connection with hazardous material including but not limited to the use, disturbance, or disposal of such material. (End of Clause) 52.24-403.70 Notice of Contractor Personnel Security Requirements (OCT 2005) Compliance with Homeland Security Presidential Directive-12 (HSPD-12) and Federal Information Processing Standard Publication 201 (FIPS 201) I entitled "Personal Identification Verification (PIV) for Federal Employees and Contractors," Phase I. 1. Long-Term Contractor Personnel: In order to be compliant with HSPD-12/PIV I, the following investigative requirements must be met for each new long-term 2 con- tractor employee whose background investigation (BI) process begins on or after October 27, 2005: a. Contractor Personnel must present two forms of identification in original form prior to badge issuance (acceptable documents are listed in Form I-9, OMB No. 1615.0047, "Employment Eligibility Verification: and at least one document must be a valid State or EFTA00127477  15BNYM18FTP120150 Page 7 of 15 Federal government-issued picture ID); b. Contractor Personnel must appear in person at least once before a DOJ official who is responsible for checking the identification documents. This identity proofing must be completed sometime during the clearance process but prior to badge issuance and must be documented by the DOJ official; c. Contractor Personnel must undergo a BI commensurate with the designated risk level associated with the duties of each position. Outlined below are the minimum BI requirements for each risk level: • High Risk - Background Investigation (5 year scope) • Moderate Risk - Limited Background Investigation (LBI) or Minimum Background Investigation (MBI) • Low Risk - National Agency Check with Inquiries (NACI) investigation d. The pre-appointment B1 waiver requirements for all position sensitivity levels are a: Favorable review of the security questionnaire form: 2) Favorable fingerprint results; 3) Favorable credit report, if required;3 4) Waiver request memorandum, including both the Office of Personnel Management schedule date and position sensitivity/risk level; and 5) Favorable review of the National Agency Check (NAC) 4 portion of the applicable BI that is determined by position sensitivity/risk level. A badge may be issued following approval of the above waiver requirements. If the NAC is not received within five days of OPM's scheduling date, the badge can be issued based on a favorable review of the Se- curity Questionnaire and the Federal Bureau of Investigation Criminal History Check (i.e., fingerprint check results). e. Badge re-validation will occur once the investigation is completed and favorably adjudicated. If the BI results so justify, badges is- sued under these procedures will be suspended or revoked. 2. Short-Term Contractor Personnel: It is the policy of the DOJ that short-term contractors having access to DOJ information systems and/or DOJ facilities or space for six months or fewer are subject to the identity proofing requirements listed in items la. and lb. above. The pre-appointment waiver re- quirements for short-term contractors are: a. Favorable review of the security questionnaire form; b. Favorable fingerprint results; c. Favorable credit report, if required;5 and d. Waiver request memorandum indicating both the position sensitivity/risk level and the duration of the appointment. The commen- surate BI does not need to be initiated. A badge may be issued following approval of the above waiver requirements and the badge will expire six months from the date of is- suance. This process can only be used once for a short-term contractor in a twelve month period. This will ensure that any consecutive short-term appointments are subject to the full PIV-I identity proofing process. For example, if a contractor employee requires daily access for a three or four-week period, this contractor would be cleared according to the above short-term requirements. However, if a second request is submitted for the same contractor employee within a twelve- month period for the purpose of extending the initial contract or for employment under a totally different contract for another three or four-week period, this contractor would now be considered "long-term" and must be cleared according to the long-term requirements as stated in this interim policy. 3. Intermittent Contractors: An exception to the above-mentioned short-term requirements would be intermittent contractors. a. For purposes of this policy, "intermittent" is defined as those contractor employees needing access to DOJ information systems and/ or DOJ facilities or space for a maximum of one day per week, regardless of the duration of the required intermittent access. For ex- ample, the water delivery contractor that delivers water one time each week and is working on a one-year contract. b. Contractors requiring intermittent access should follow the Department's escort policy. Please reference the August 11, 2004, and January 29, 2001, Department Security Officer policy memoranda that conveys the requirements for contractor facility escorted ac- cess. c. Due to extenuating circumstances, if a component requests unescorted access or DOJ IT system access for an intermittent contract- or, the same pre-employment background investigation waiver requirements that apply to short-term contractors are required. d. If an intermittent contractor is approved for unescorted access, the contractor will only be issued a daily badge. The daily badge will be issued upon entrance into a DOJ facility or space and must be returned upon exiting the same facility or space. e. If an intermittent contractor is approved for unescorted access, the approval will not exceed one year. If the intermittent contractor requires unescorted access beyond one year, the contractor will need to be re-approved each year. 4. An individual transferring from another department or agency shall not be re-adjudicated provided the individual has a current (within the last five years), favorably adjudicated III meeting HSPD-12 and DOJ's B1 requirements. 5. The DOJ's current escorted contractor policy remains unchanged by this acquisition notice. Notes: 1. FIPS 201 is available at: www.csrc.nist.govfpublicationsffips/fips201/FIPS-201-022505.pdf 2. Under HSPD-I 2, long-term contractors are contractors having access to DOJ information systems and/or DO] facilities or space for six months or longer. The PIV-I identity proofing process, including initiation and adjudication of the required background investiga- tion, is required for all new long-term contractors regardless of whether it is the current practice to issue a badge. The second phase of HSPD-I 2 implementation (PIV-II) requires badge issuance to all affected long-term contractors. 3. For contractors in position sensitivity/risk levels above level I, a favorable review of a credit check is required as part of the pre- appointment waiver package. EFTA00127478  15BNYM18FTP120150 Page 8 of 15 4. In order to avoid a delay in the hiring process, components should request an Advance NAC Report when initiating investigations to OPM. Per OPM ' s instructions, to obtain an Advance NAC Report, a Code " 3" must be placed in block " B " of the " Agency Use Only " section of the investigative form. This report is available for all case types. 5.For contractors in position sensitivity/risk levels above level 1. a favorable review of a credit check is required as part of the pre- appointment waiver package. [End of Clause] 52.27-103.72 DOI CONTRACTOR RESIDENCY REQUIREMENT BUREAU OF PRISONS (JUNE 2004) For three of the five years immediately prior to submission of an offer/bid/quote, or prior to performance under a contract or commit- ment, individuals or contractor employees providing services must have: 1. Legally resided in the United States (U.S.); 2. worked for the U.S. overseas in a Federal or military capacity; or 3. been a dependent of a Federal or military employee serving overseas. If the individual is not a U.S. citizen, they must be from a country allied with the U.S. The following website provides current inform- ation regarding allied countries: http://www.opm.gov/employ/htmlicilizen.htm By signing this contract or commitment document, or by commencing performance, the contractor agrees to this restriction. [End of Clause] DJAR-PGD-15.02-1B Contractor Internal Confidentiality Agreements or Statements Prohibiting or Restricting Reporting of Waste, Fraud, and Abuse - Solicitation - (DEVIATION 2015.02) (March 2015) None of the funds appropriated to the Department under its current Appropriations Act may be used to enter into a contract, grant, or cooperative agreement with an entity that requires employess or contractors of such entity that requires employees or contractors of such entity seeking to report fraud, waste, and abuse to sign internal confidentiality agreements or statements prohibiting or otherwise restricting such employees or contractors from lawfully reporting such waste, fraud, ora hose to a designated investigative or law en- forcement representative of a Federal department or agency authorized to receive such information. By submitting a response to this solicitation, the contractor certifies that it does not require employees or contractors of the contractor seeking to report fraud, waste, and abuse to sign internal confidentiality agreements or statements prohibiting or otherwise restricting such employees or contractors from lawfully reporting waste, fraud, and abuse to a designated investigative or law enforcement representative of a Federal depart- ment or agency authorized to receive such information. (End of Provision) DJAR-PGD-15.03 Security of Department Information and Systems I. Applicability to Contractors and Subcontractors This clause applies to all contractors and subcontractors, including cloud service providers ("CSPs"), and personnel of contractors, subcontractors, and CSPs (hereinafter collectively, "Contractor") that may access, collect, store, process, maintain, use, share, retrieve, disseminate, transmit, or dispose of DOJ Information. It establishes and implements specific DOJ requirements applicable to this Con- tract. The requirements established herein are in addition to those required by the Federal Acquisition Regulation ("FAR"), including FAR 11.002(g) and 52.239-I, the Privacy Act of 1974, and any other applicable laws, mandates, Procurement Guidance Documents, and Executive Orders pertaining to the development and operation of Information Systems and the protection of Government Informa- tion. This clause does not alter or diminish any existing rights, obligation or liability under any other civil and/or criminal law, rule, regulation or mandate. IL General Definitions The following general definitions apply to this clause. Specific definitions also apply as set forth in other paragraphs. A. infamafia' means any communication or representation of knowledge such as facts, data, or opinions, in any form or me- dium, including textual, numerical, graphic, cartographic, narrative, or audiovisual. Information includes information in an electronic format that allows it be stored, retrieved or transmitted, also referred to as "data," and "personally identifiable information" ("P11"), re- gardless of form. B. Personally Identifiable Information (or Pill means any information about an individual maintained by an agency, includ- ing, but not limited to. information related to education, financial transactions, medical history, and criminal or employment history and information, which can be used to distinguish or trace an individual's identity, such as his or her name, social security number, EFTA00127479  15BNYM18FTP120150 Page 9 of 15 date and place of birth, mother's maiden name, biometric records, etc., including any other personal information which is linked or linkable to an individual. C. DOJ Information means any Information that is owned, produced, controlled, protected by, or otherwise within the custody or responsibility of the DOI. including, without limitation, Information related to DOJ programs or personnel. It includes, without lim- itation. Information (I) provided by or generated for the DOJ, (2) managed or acquired by Contractor for the DOJ in connection with the performance of the contract, and/or (3) acquired in order to perform the contract. D. Information System means any resources, or set of resources organized for accessing, collecting, storing, processing, main- taining, using, sharing, retrieving, disseminating, transmitting, or disposing of (hereinafter collectively, "processing, storing, or trans- mitting") Information. E. Covered Information System means any information system used fir, involved with, or allowing, the processing, storing, or transmitting of DO1 Information. Confidentiality and Non-disclosure of DOJ Information A. Preliminary and final deliverables and all associated working papers and material generated by Contractor containing DOJ Information are the property of the U.S. Government and must be submitted to the Contracting Officer ("CO") or the CO's Represent- ative ("COR") at the conclusion of the contract. The U.S. Government has unlimited data rights to all such deliverables and associated working papers and materials in accordance with FAR 52.227-14. B. All documents produced in the performance of this contract containing DOJ Information are the property of the U.S. Gov- ernment and Contractor shall neither reproduce nor release to any third-party at any time, including during or at expiration or termina- tion of the contract without the prior written permission of the CO. C. Any DOJ information made available to Contractor under this contract shall be used only for the purpose of performance of this contract and shall not be divulged or made known in any manner to any persons except as may be necessary in the performance of this contract. In performance of this contract, Contractor assumes responsibility for the protection of the confidentiality of any and all DOJ Information processed. stored, or transmitted by the Contractor. When requested by the CO (typically no more than annually), Contractor shall provide a report to the CO identifying, to the best of Contractor's knowledge and belief, the type, amount, and level of sensitivity of the DOJ Information processed, stored, or transmitted under the Contract, including an estimate of the number of indi- viduals for whom PII has been processed, stored or transmitted under the Contract and whether such information includes social secur- ity numbers (in whole or in part). IV. Compliance with Information Technology Security Policies, Procedures and Requirements A. For all Covered Information Systems, Contractor shall comply with all security requirements, including but not limited to the regulations and guidance found in the Federal Information Security Management Act of 2014 ("FISMA"), Privacy Act of 1974, E- Government Act of 2002, National Institute of Standards and Technology ("NIST') Special Publications ("SF'), including NIST SP 800-37, 800.53, and 800.60 Volumes I and II, Federal Information Processing Standards ("FIPS") Publications 140.2, 199, and 200, OMB Memoranda, Federal Risk and Authorization Management Program ("FedRAMP"), DOJ IT Security Standards, including DOJ Order 2640.2, as amended. These requirements include but are not limited to: 1. Limiting access to DOJ Information and Covered Information Systems to authorized users and to transactions and functions that authorized users are permitted to exercise; 2. Providing security awareness training including, but not limited to, recognizing and reporting potential indicators of insider threats to users and managers of DOJ Information and Covered Information Systems; 3. Creating, protecting, and retaining Covered Information System audit records, reports. and supporting documentation to en- able reviewing, monitoring, analysis, investigation, reconstruction, and reporting of unlawful, unauthorized, or inappropriate activity related to such Covered Information Systems and/or DOJ Information; 4. Maintaining authorizations to operate any Covered Information System; 5. Performing continuous monitoring on all Covered Information Systems; 6. Establishing and maintaining baseline configurations and inventories of Covered Information Systems, including hardware, software, firmware, and documentation, throughout the Information System Development Lifecycle, and establishing and enforcing security configuration settings for IT products employed in Information Systems; 7. Ensuring appropriate contingency planning has been performed, including DOJ Information and Covered Information Sys- tem backups; EFTA00127480  15BNYM18FTP120150 Page 10 of 15 8. Identifying Covered Information System users, processes acting on behalf of users, or devices, and authenticating and veri- fying the identities of such users, processes, or devices, using multifactor authentication or HSPD-12 compliant authentication meth- ods where required; 9. Establishing an operational incident handling capability for Covered Information Systems that includes adequate prepara- tion, detection, analysis, containment, recovery, and user response activities, and tracking, documenting, and reporting incidents to ap- propriate officials and authorities within Contractor's organization and the DOJ; 10. Performing periodic and timely maintenance on Covered Information Systems, and providing effective controls on tools, techniques, mechanisms, and personnel used to conduct such maintenance; 12. Protecting Covered Information System media containing DOJ Information, including paper, digital and electronic media; limiting access to DOJ Information to authorized users; and sanitizing or destroying Covered Information System media containing DOJ Information before disposal, release or reuse of such media; 13. Limiting physical access to Covered Information Systems, equipment, and physical facilities housing such Covered Informa- tion Systems to authorized U.S. citizens unless a waiver has been granted by the Contracting Officer ("CO"), and protecting the phys- ical facilities and support infrastructure for such Information Systems; 14. Screening individuals prior to authorizing access to Covered Information Systems to ensure compliance with DOJ Security standards; 15. Assnsing the risk to DOJ Information in Covered Information Systems periodically, including scanning for vulnerabilities and remediating such vulnerabilities in accordance with DOJ policy and ensuring the timely removal of assets no longer supported by the Contractor; 16. Assa-csing the security controls of Covered Information Systems periodically to determine if the controls are effective in their application, developing and implementing plans of action designed to correct deficiencies and eliminate or reduce vulnerabilities in such Information Systems, and monitoring security controls on an ongoing basis to ensure the continued effectiveness of the controls; 17. Monitoring, controlling, and protecting information transmitted or received by Covered Information Systems at the external boundaries and key internal boundaries of such Information Systems, and employing architectural designs, software development techniques, and systems engineering principles that promote effective security; and 18. Identifying, reporting, and correcting Covered Information System security flaws in a timely manner, providing protection from malicious code at appropriate locations, monitoring security alerts and advisories and taking appropriate action in response. B. Contractor shall not process, store, or transmit DOJ Information using a Covered Information System without first obtaining an Authority to Operate ("ATO") for each Covered Information System. The ATO shall be signed by the Authorizing Official for the DOJ component responsible for maintaining the security, confidentiality, integrity, and availability of the DOJ Information under this contract. The DOJ standards and requirements for obtaining an ATO may be found at DOJ Order 2640.2, as amended. (For Cloud Computing Systems, see Section V, below.) C. Contractor shall ensure that no Non-U.S. citizen accesses or assists in the development, operation, management, or mainten- ance of any DOJ Information System, unless a waiver has been granted by the by the DOJ Component Head (or his or her designee) responsible for the DOJ Information System, the DOJ Chief Information Officer, and the DOJ Security Officer. D. When requested by the DOJ CO or COR, or other DOJ official as described below, in connection with DOJ's efforts to en- sure compliance with security requirements and to maintain and safeguard against threats and hazards to the security, confidentiality, integrity, and availability of DOJ Information, Contractor shall provide DOJ, including the Office of Inspector General ("OIG") and Federal law enforcement components, (I) access to any and all information and records, including electronic information, regarding a Covered Information System, and (2) physical access to Contractor's facilities, installations, systems, operations, documents, records, and databases. Such access may include independent validation testing of controls, system penetration testing, and FISMA data re- views by DOJ or agents acting on behalf of DOJ, and such access shall be provided within 72 hours of the request. Additionally, Con- tractor shall cooperate with DOJ's efforts to ensure, maintain, and safeguard the security, confidentiality, integrity, and availability of DOJ Information. E. The use of Contractor-owned laptops or other portable digital or electronic media to process or store DOJ Information covered by this clause is prohibited until Contractor provides a letter to the DOJ CO, and obtains the CO's approval, certifying com- pliance with the following requirements: 1. Media must be encrypted using a NIST FIPS 140-2 approved product; 2. Contractor must develop and implement a process to ensure that security and other applications software is kept up-to-date; EFTA00127481  15BNYM18FTP120150 Page 11 01 15 3. Where applicable, media must utilize antivirus software and a host-based firewall mechanism: 4. Contractor must log all computer-readable data extracts from databases holding DOJ Information and verify that each ex- tract including such data has been erased within 90 days of extraction or that its use is still required. All DOJ Information is sensitive information unless specifically designated as non-sensitive by the DOJ; and, 5. A Rules of Behavior ("ROB") form must be signed by users. These rules must address, at a minimum, authorized and offi- cial use, prohibition against unauthorized users and use, and the protection of DOJ Information. The form also must notify the user that he or she has no reasonable expectation of privacy regarding any communications transmitted through or data stored on Contract- or-owned laptops or other portable digital or electronic media. F. Contractor-owned removable media containing DOJ Information shall not be removed from DOJ facilities without prior ap- proval of the DOJ CO or COR. G. When no longer needed, all media must be processed (sanitized, degaussed, or destroyed) in accordance with DOJ security requirements. H. Contractor must keep an accurate inventory of digital or electronic media used in the performance of DOJ contracts. I. Contractor must remove all DOJ Information from Contractor media and return all such information to the DOJ within 15 days of the expiration or termination of the contract, unless otherwise extended by the CO, or waived (in part or whole) by the CO, and all such information shall be returned to the DOJ in a format and form acceptable to the DOJ. The removal and return of all DOJ Information must be accomplished in accordance with DOJ IT Security Standard requirements, and an official of the Contractor shall provide a written certification certifying the removal and return of all such information to the CO within 15 days of the removal and return of all DOJ Information. J. DOJ, at its discretion, may suspend Contractor's access to any DOJ Information, or terminate the contract, when DOJ sus- pects that Contractor has failed to comply with any security requirement, or in the event of an Information System Security Incident (see Section V.E. below), where the Department determines that either event gives cause for such action. The suspension of access to DOJ Information may last until such time as DOJ, in its sole discretion, determines that the situation giving rise to such action has been corrected or no longer exists. Contractor understands that any suspension or termination in accordance with this provision shall be at no cost to the DOJ, and that upon request by the CO, Contractor must immediately return all DOJ Information to DO], as well as any media upon which DOJ Information resides, at Contractor's expense. V. Cloud Computing A. Cloud Computing means an Information System having the essential characteristics described in NIST SP 800-145, The NIST Definition of Cloud Computing. For the sake of this provision and clause, Cloud Computing includes Software as a Service, Platform as a Service, and Infrastructure as a Service, and deployment in a Private Cloud, Community Cloud, Public Cloud, or Hybrid Cloud. B. Contractor may not utilize the Cloud system of any CSP unless: 1. The Cloud system and CSP have been evaluated and approved by a 3PAO certified under FedRAMP and Contractor has provided the most current Security Assessment Report ("SAR") to the DOJ CO for consideration as part of Contractor's overall Sys- tem Security Plan, and any subsequent SARs within 30 days of issuance, and has received an ATO from the Authorizing Official for the DOJ component responsible for maintaining the security confidentiality, integrity, and availability of the DOJ Information under contract; or, 2. If not certified under FedRAMP, the Cloud System and CSP have received an ATO signed by the Authorizing Official for the DOJ component responsible for maintaining the security, confidentiality, integrity, and availability of the DOJ Information under the contract. C. Contractor must ensure that the CSP allows DOJ to access and retrieve any DOJ Information processed, stored or transmit- ted in a Cloud system under this Contract within a reasonable time of any such request, but in no event less than 48 hours from the re- quest. To ensure that the DOJ can hilly and appropriately search and retrieve DOJ Information from the Cloud system, access shall in- clude any schemes, meta-data, and other associated data artifacts. VI. Information System Security Breach or Incident A. Definitions I. fonfirmed Security Breach (hereinafter, "Confirmed Breach") means any confirmed unauthorized exposure, loss of con- trol, compromise, exfiltration, manipulation, disclosure, acquisition, or accessing of any Covered Information System or any DOJ In- formation accessed by, retrievable from, processed by, stored on, or transmitted within, to or from any such system. EFTA00127482  15BNYM18FTP120150 Page 12 of 15 2. Potential Security Breach (hereinafter. "Potential Breach") means any suspected. but unconfirmed, Covered Information System Security Breach. 3. Security Incident means any Confirmed or Potential Covered Information System Security Breach. B. Confirmed Breach. Contractor shall immediately (and in no event later than within 1 hour of discovery) report any Con- firmed Breach to the DOJ CO and the CO's Representative ("CUR"). If the Confirmed Breach occurs outside of regular business hours and/or neither the DOJ CO nor