Epstein Files

EFTA00125313.pdf

dataset_9 pdf 2.7 MB Feb 3, 2026 15 pages
MCC NEW YORK 15BNYM18FTP120150 Page 1 of 15

SOLICITATION/CONTRACT/ORDER FOR COMMERCIAL ITEMS
(Standard Form 1449, Rev. 2/2012. Offeror to complete blocks 12, 17, 23, 24 & 30.)

Requisition Number: 1064-18
Contract No.: GS-07F-03221
Award/Effective Date: 09/21/2018
Order Number: 15BNYM18FTP120150
Issued By (Code 15BNYM): Federal Bureau of Prisons, MCC New York, 150 Park Row, New York, NY 10007
NAICS: 334512
Delivery: FOB Destination
Discount Terms: Net 30
Deliver To (Code 15BNYM): Federal Bureau of Prisons, MCC New York, 150 Park Row, New York, NY 10007
Administered By: Federal Bureau of Prisons, NE Finance Center - FCI Fort Dix, (0) NE FINANCE CENTER, BLDG 5756 HARTFORD ROAD, Joint Base MDL, NJ 08640
Contractor/Offeror: SIGNET TECHNOLOGIES, INC., 12300 KILN COURT, SUITE E, BELTSVILLE, MD 20705-1357, DUNS: 171103222
Payment Will Be Made By: Federal Bureau of Prisons, NER Finance Center - Accounting, FCI Fort Dix, ATTN: NYM ACCOUNTS PAYABLE, P.O. Box 38, Joint Base MDL, NJ 08640

Schedule of Supplies/Services: Delivery Date: 09/2X/201x. MCC NEW YORK - CAMERA SYSTEM. Provide services in accordance with the FSS, SOW and technical proposal. GSA: GS-07F-03221. See Continuation Sheet(s).

Accounting and Appropriation Data: SA-2018-02-FP021452P1-29F-3100-2018
Total Award Amount: $698,108.99
Date Signed: 09/21/2018

[Page 2 of 15: Standard Form 1449 (back), blocks 32a through 42d for receipt, acceptance and payment certification.]

Table of Contents

1 Solicitation/Contract Form
2 Commodity or Services Schedule
3 Contract Clauses
  52.21.603.70 Contracting Officer's Representative (COR) (June 2012)
  2852.223-70 Unsafe Conditions Due to the Presence of Hazardous Material (June 1996)
  52.24-403-70 Notice of Contractor Personnel Security Requirements (OCT 2005)
  52.27-103-72 DOJ CONTRACTOR RESIDENCY REQUIREMENT BUREAU OF PRISONS (JUNE 2004)
  DJAR-PGD-15-02-1B Contractor Internal Confidentiality Agreements or Statements Prohibiting or Restricting Reporting of Waste, Fraud, and Abuse - Solicitation - (DEVIATION 2015-02) (March 2015)
  DJAR-PGD-15-03 Security of Department Information and Systems
  BOP 2852.242-71 EVALUATION OF CONTRACTOR PERFORMANCE UTILIZING CPARS (APR 2011)
  508 COMPLIANCE WITH SECTION 508 OF THE REHABILITATION ACT OF 1973, 1998 AMENDMENTS
  DJAR-PGD-15-02-2A Corporate Representation Regarding Felony Conviction Under Any Federal Law or Unpaid Delinquent Tax Liability - Award (DEVIATION 2015-02) (March 2015)
4 List of Attachments

Section 2 - Commodity or Services Schedule

SCHEDULE OF SUPPLIES/SERVICES CONTINUATION SHEET

Each entry gives: item no., supplies/services, quantity, unit price, amount.

0001 NV-ENT-1CH. Single License for Vision Enterprise package video/mac channel. Quantity 350.000000; unit price $239.4000; amount $83,790.00
0002 NV-SVR9820-RIN6-RINI-60TB. VISIONHUB SMART VIDEO RECORDER 9820. 2U WITH INTERNAL RAID6 * RAID 1 80TB NET STORAGE. Quantity 4.000000; unit price $22,184.4000; amount $88,737.60
0003 NV-ENT-RSVR.TCH. RECORDER REDUNDANCY LICENSE PER 1 CHANNEL. Quantity 350.000000; unit price $66.5000; amount $23,275.00
0004 NV-ENT-MJVUPG-NET2X NET31. ENTERPRISE SOFTWARE PACKAGE MAJOR VERSION UPGRADE FOR SITE, USERS AND CHANNELS FROM NET 2.X TO NET 3.1. Quantity 1.000000; unit price $0.0000; amount $0.00
0005 NV-NVD-5204. c Ila aMI LITCODER 5204 SUPPORTING UP TO 4 VIDEO. Quantity 1.000000; unit price $3,800.4800; amount $3,800.48
0006 SGT-AMS. AMS SERVER. Quantity 1.000000; unit price $4,389.0000; amount $4,389.00
0007 NV-NVE-2016. 16 CAMERAS AT NICE5V FIIPPIP4 :Cir I RESOLUTION. INCLUDES DUAL. Quantity 22.000000; unit price $2,493.7500; amount $54,862.50
0008 101462WR-B9. P CAMERA. Quantity 135.000000; unit price $517.3700; amount $69,844.95
0009 SIGNET LABOR. Quantity 1.000000; unit price $243,523.0000; amount $243,523.00
0010 SIGN. IC VISION ENCODER/DECODER RACK MOUNT KIT SUPPORTING 4 NVE/NVD 1002 (FOR NOT-XI-MODELS), OR 6 NVE/NVD 1002 POWER S. Quantity 11.000000; unit price $119.7000; amount $1,316.70
0011 06055-E. OUTDOOR PTZ/1080P/X32/IP. Quantity 17.000000; unit price $2,500.0000; amount $42,500.00
0012 ggeggcsivANcAkviiiim. Quantity 75.000000; unit price $1,050.0000; amount $78,750.00
0013 61. W T9AL1LL MOUNT FOR 06055-E. Quantity 17.000000; unit price $82.0000; amount $1,394.00
0014 198A18-VE. MEDIA CONVERTER CABINET. Quantity 8.000000; unit price $240.7200; amount $1,925.76

TOTAL: $698,108.99

FUNDING DETAILS:
Item No.: N/A; Funding Line: 1; Obligated Amount: $698,108.99; Accounting Codes: SA-2018-02-FP021452P1-29F-3100-2018
TOTAL: $698,108.99

Large Business

Section 3 - Contract Clauses

Clauses By Full Text

52.21.603.70 Contracting Officer's Representative (COR) (June 2012)

(a) IM. FACILITIES MANAGER MCC NEW YORK [Area Code and Telephone Number] is hereby designated as the Contracting Officer's Representative (COR) under this contract.
(b) The COR is responsible, as applicable, for: receiving all deliverables, inspecting and accepting the supplies or services provided hereunder in accordance with the terms and conditions of this contract; providing direction to the contractor which clarifies the contractor effort, fills in details or otherwise serves to accomplish the contractual Scope of Work; evaluating performance; and certifying all invoices/vouchers for acceptance of the supplies or services furnished for payment.

(c) The COR does not have the authority to alter the contractor's obligations under the contract, and/or modify any of the expressed terms, conditions, specifications, or cost of the agreement. If as a result of technical discussions it is desirable to alter/change contractual obligations or the Scope of Work, the Contracting Officer shall issue such changes.

2852.223-70 Unsafe Conditions Due to the Presence of Hazardous Material (June 1996)

(a) "Unsafe condition" as used in this clause means the actual or potential exposure of contractor or Government employees to a hazardous material as defined in Federal Standard No. 313, and any revisions thereto during the term of this contract, or any other material or working condition designated by the Contracting Officer's Technical Representative (COTR) as potentially hazardous and requiring safety controls.

(b) The Occupational Safety and Health Administration (OSHA) is responsible for issuing and administering regulations that require contractors to apprise its employees of all hazards to which they may be exposed in the course of their employment; proper conditions and precautions for safe use and exposure; and related symptoms and emergency treatment in the event of exposure.
(c) Prior to commencement of work, contractors are required to inspect for and report to the contracting officer or designee the presence of, or suspected presence of, any unsafe condition including asbestos or other hazardous materials or working conditions in areas in which they will be working.

(d) If during the performance of the work under this contract, the contractor or any of its employees, or subcontractor employees, discovers the existence of an unsafe condition, the contractor shall immediately notify the contracting officer, or designee, (with written notice provided not later than three (3) working days thereafter) of the existence of an unsafe condition. Such notice shall include the contractor's recommendations for the protection and the safety of Government, contractor and subcontractor personnel and property that may be exposed to the unsafe condition.

(e) When the Government receives notice of an unsafe condition from the contractor, the parties will agree on a course of action to mitigate the effects of that condition and, if necessary, the contract will be amended. Failure to agree on a course of action will constitute a dispute under the Disputes clause of this contract.

(f) Nothing contained in this clause shall relieve the contractor or subcontractors from complying with applicable Federal, State, and local laws, codes, ordinances and regulations (including the obtaining of licenses and permits) in connection with hazardous material including but not limited to the use, disturbance, or disposal of such material.

(End of Clause)

52.24-403-70 Notice of Contractor Personnel Security Requirements (OCT 2005)

Compliance with Homeland Security Presidential Directive-12 (HSPD-12) and Federal Information Processing Standard Publication 201 (FIPS 201)¹ entitled "Personal Identification Verification (PIV) for Federal Employees and Contractors," Phase I.

1. Long-Term Contractor Personnel:

In order to be compliant with HSPD-12/PIV I, the following investigative requirements must be met for each new long-term² contractor employee whose background investigation (BI) process begins on or after October 27, 2005:

a. Contractor Personnel must present two forms of identification in original form prior to badge issuance (acceptable documents are listed in Form I-9, OMB No. 1615-0047, "Employment Eligibility Verification," and at least one document must be a valid State or Federal government-issued picture ID);

b. Contractor Personnel must appear in person at least once before a DOJ official who is responsible for checking the identification documents. This identity proofing must be completed sometime during the clearance process but prior to badge issuance and must be documented by the DOJ official;

c. Contractor Personnel must undergo a BI commensurate with the designated risk level associated with the duties of each position. Outlined below are the minimum BI requirements for each risk level:

• High Risk - Background Investigation (5 year scope)
• Moderate Risk - Limited Background Investigation (LBI) or Minimum Background Investigation (MBI)
• Low Risk - National Agency Check with Inquiries (NACI) investigation

d. The pre-appointment BI waiver requirements for all position sensitivity levels are:

1) Favorable review of the security questionnaire form;
2) Favorable fingerprint results;
3) Favorable credit report, if required;³
4) Waiver request memorandum, including both the Office of Personnel Management schedule date and position sensitivity/risk level; and
5) Favorable review of the National Agency Check (NAC)⁴ portion of the applicable BI that is determined by position sensitivity/risk level.

A badge may be issued following approval of the above waiver requirements.
If the NAC is not received within five days of OPM's scheduling date, the badge can be issued based on a favorable review of the Security Questionnaire and the Federal Bureau of Investigation Criminal History Check (i.e., fingerprint check results).

e. Badge re-validation will occur once the investigation is completed and favorably adjudicated. If the BI results so justify, badges issued under these procedures will be suspended or revoked.

2. Short-Term Contractor Personnel:

It is the policy of the DOJ that short-term contractors having access to DOJ information systems and/or DOJ facilities or space for six months or fewer are subject to the identity proofing requirements listed in items 1a. and 1b. above. The pre-appointment waiver requirements for short-term contractors are:

a. Favorable review of the security questionnaire form;
b. Favorable fingerprint results;
c. Favorable credit report, if required;⁵ and
d. Waiver request memorandum indicating both the position sensitivity/risk level and the duration of the appointment. The commensurate BI does not need to be initiated.

A badge may be issued following approval of the above waiver requirements and the badge will expire six months from the date of issuance. This process can only be used once for a short-term contractor in a twelve month period. This will ensure that any consecutive short-term appointments are subject to the full PIV-I identity proofing process.

For example, if a contractor employee requires daily access for a three or four-week period, this contractor would be cleared according to the above short-term requirements.
However, if a second request is submitted for the same contractor employee within a twelve-month period for the purpose of extending the initial contract or for employment under a totally different contract for another three or four-week period, this contractor would now be considered "long-term" and must be cleared according to the long-term requirements as stated in this interim policy.

3. Intermittent Contractors:

An exception to the above-mentioned short-term requirements would be intermittent contractors.

a. For purposes of this policy, "intermittent" is defined as those contractor employees needing access to DOJ information systems and/or DOJ facilities or space for a maximum of one day per week, regardless of the duration of the required intermittent access. For example, the water delivery contractor that delivers water one time each week and is working on a one-year contract.

b. Contractors requiring intermittent access should follow the Department's escort policy. Please reference the August 11, 2004, and January 29, 2001, Department Security Officer policy memoranda that conveys the requirements for contractor facility escorted access.

c. Due to extenuating circumstances, if a component requests unescorted access or DOJ IT system access for an intermittent contractor, the same pre-employment background investigation waiver requirements that apply to short-term contractors are required.

d. If an intermittent contractor is approved for unescorted access, the contractor will only be issued a daily badge. The daily badge will be issued upon entrance into a DOJ facility or space and must be returned upon exiting the same facility or space.

e. If an intermittent contractor is approved for unescorted access, the approval will not exceed one year. If the intermittent contractor requires unescorted access beyond one year, the contractor will need to be re-approved each year.

4. An individual transferring from another department or agency shall not be re-adjudicated provided the individual has a current (within the last five years), favorably adjudicated BI meeting HSPD-12 and DOJ's BI requirements.

5. The DOJ's current escorted contractor policy remains unchanged by this acquisition notice.

Notes:

1. FIPS 201 is available at: www.csrc.nist.gov/publications/fips/fips201/FIPS-201-022505.pdf

2. Under HSPD-12, long-term contractors are contractors having access to DOJ information systems and/or DOJ facilities or space for six months or longer. The PIV-I identity proofing process, including initiation and adjudication of the required background investigation, is required for all new long-term contractors regardless of whether it is the current practice to issue a badge. The second phase of HSPD-12 implementation (PIV-II) requires badge issuance to all affected long-term contractors.

3. For contractors in position sensitivity/risk levels above level 1, a favorable review of a credit check is required as part of the pre-appointment waiver package.

4. In order to avoid a delay in the hiring process, components should request an Advance NAC Report when initiating investigations to OPM. Per OPM's instructions, to obtain an Advance NAC Report, a Code "3" must be placed in block "B" of the "Agency Use Only" section of the investigative form. This report is available for all case types.

5. For contractors in position sensitivity/risk levels above level 1, a favorable review of a credit check is required as part of the pre-appointment waiver package.

[End of Clause]

52.27-103-72 DOJ CONTRACTOR RESIDENCY REQUIREMENT BUREAU OF PRISONS (JUNE 2004)

For three of the five years immediately prior to submission of an offer/bid/quote, or prior to performance under a contract or commitment, individuals or contractor employees providing services must have:

1. Legally resided in the United States (U.S.);
2. worked for the U.S. overseas in a Federal or military capacity; or
3. been a dependent of a Federal or military employee serving overseas.

If the individual is not a U.S. citizen, they must be from a country allied with the U.S. The following website provides current information regarding allied countries: http://www.opm.gov/employ/html/citizen.htm

By signing this contract or commitment document, or by commencing performance, the contractor agrees to this restriction.

[End of Clause]

DJAR-PGD-15-02-1B Contractor Internal Confidentiality Agreements or Statements Prohibiting or Restricting Reporting of Waste, Fraud, and Abuse - Solicitation - (DEVIATION 2015-02) (March 2015)

None of the funds appropriated to the Department under its current Appropriations Act may be used to enter into a contract, grant, or cooperative agreement with an entity that requires employees or contractors of such entity seeking to report fraud, waste, and abuse to sign internal confidentiality agreements or statements prohibiting or otherwise restricting such employees or contractors from lawfully reporting such waste, fraud, or abuse to a designated investigative or law enforcement representative of a Federal department or agency authorized to receive such information.

By submitting a response to this solicitation, the contractor certifies that it does not require employees or contractors of the contractor seeking to report fraud, waste, and abuse to sign internal confidentiality agreements or statements prohibiting or otherwise restricting such employees or contractors from lawfully reporting waste, fraud, and abuse to a designated investigative or law enforcement representative of a Federal department or agency authorized to receive such information.

(End of Provision)

DJAR-PGD-15-03 Security of Department Information and Systems

I. Applicability to Contractors and Subcontractors

This clause applies to all contractors and subcontractors, including cloud service providers ("CSPs"), and personnel of contractors, subcontractors, and CSPs (hereinafter collectively, "Contractor") that may access, collect, store, process, maintain, use, share, retrieve, disseminate, transmit, or dispose of DOJ Information. It establishes and implements specific DOJ requirements applicable to this Contract. The requirements established herein are in addition to those required by the Federal Acquisition Regulation ("FAR"), including FAR 11.002(g) and 52.239-1, the Privacy Act of 1974, and any other applicable laws, mandates, Procurement Guidance Documents, and Executive Orders pertaining to the development and operation of Information Systems and the protection of Government Information. This clause does not alter or diminish any existing rights, obligation or liability under any other civil and/or criminal law, rule, regulation or mandate.

II. General Definitions

The following general definitions apply to this clause. Specific definitions also apply as set forth in other paragraphs.

A. Information means any communication or representation of knowledge such as facts, data, or opinions, in any form or medium, including textual, numerical, graphic, cartographic, narrative, or audiovisual. Information includes information in an electronic format that allows it be stored, retrieved or transmitted, also referred to as "data," and "personally identifiable information" ("PII"), regardless of form.

B. Personally Identifiable Information (or PII) means any information about an individual maintained by an agency, including, but not limited to, information related to education, financial transactions, medical history, and criminal or employment history and information, which can be used to distinguish or trace an individual's identity, such as his or her name, social security number, date and place of birth, mother's maiden name, biometric records, etc., including any other personal information which is linked or linkable to an individual.

C. DOJ Information means any Information that is owned, produced, controlled, protected by, or otherwise within the custody or responsibility of the DOJ, including, without limitation, Information related to DOJ programs or personnel. It includes, without limitation, Information (1) provided by or generated for the DOJ, (2) managed or acquired by Contractor for the DOJ in connection with the performance of the contract, and/or (3) acquired in order to perform the contract.

D. Information System means any resources, or set of resources organized for accessing, collecting, storing, processing, maintaining, using, sharing, retrieving, disseminating, transmitting, or disposing of (hereinafter collectively, "processing, storing, or transmitting") Information.

E. Covered Information System means any information system used for, involved with, or allowing, the processing, storing, or transmitting of DOJ Information.

III. Confidentiality and Non-disclosure of DOJ Information

A. Preliminary and final deliverables and all associated working papers and material generated by Contractor containing DOJ Information are the property of the U.S. Government and must be submitted to the Contracting Officer ("CO") or the CO's Representative ("COR") at the conclusion of the contract. The U.S.
Government has unlimited data rights to all such deliverables and associated working papers and materials in accordance with FAR 52.227-14.

B. All documents produced in the performance of this contract containing DOJ Information are the property of the U.S. Government and Contractor shall neither reproduce nor release to any third-party at any time, including during or at expiration or termination of the contract without the prior written permission of the CO.

C. Any DOJ information made available to Contractor under this contract shall be used only for the purpose of performance of this contract and shall not be divulged or made known in any manner to any persons except as may be necessary in the performance of this contract. In performance of this contract, Contractor assumes responsibility for the protection of the confidentiality of any and all DOJ Information processed, stored, or transmitted by the Contractor. When requested by the CO (typically no more than annually), Contractor shall provide a report to the CO identifying, to the best of Contractor's knowledge and belief, the type, amount, and level of sensitivity of the DOJ Information processed, stored, or transmitted under the Contract, including an estimate of the number of individuals for whom PII has been processed, stored or transmitted under the Contract and whether such information includes social security numbers (in whole or in part).

IV. Compliance with Information Technology Security Policies, Procedures and Requirements

A. For all Covered Information Systems, Contractor shall comply with all security requirements, including but not limited to the regulations and guidance found in the Federal Information Security Management Act of 2014 ("FISMA"), Privacy Act of 1974, E-Government Act of 2002, National Institute of Standards and Technology ("NIST") Special Publications ("SP"), including NIST SP 800-37, 800-53, and 800-60 Volumes I and II, Federal Information Processing Standards ("FIPS") Publications 140-2, 199, and 200, OMB Memoranda, Federal Risk and Authorization Management Program ("FedRAMP"), DOJ IT Security Standards, including DOJ Order 2640.2, as amended. These requirements include but are not limited to:

1. Limiting access to DOJ Information and Covered Information Systems to authorized users and to transactions and functions that authorized users are permitted to exercise;

2. Providing security awareness training including, but not limited to, recognizing and reporting potential indicators of insider threats to users and managers of DOJ Information and Covered Information Systems;

3. Creating, protecting, and retaining Covered Information System audit records, reports, and supporting documentation to enable reviewing, monitoring, analysis, investigation, reconstruction, and reporting of unlawful, unauthorized, or inappropriate activity related to such Covered Information Systems and/or DOJ Information;

4. Maintaining authorizations to operate any Covered Information System;

5. Performing continuous monitoring on all Covered Information Systems;

6. Establishing and maintaining baseline configurations and inventories of Covered Information Systems, including hardware, software, firmware, and documentation, throughout the Information System Development Lifecycle, and establishing and enforcing security configuration settings for IT products employed in Information Systems;

7. Ensuring appropriate contingency planning has been performed, including DOJ Information and Covered Information System backups;

8. Identifying Covered Information System users, processes acting on behalf of users, or devices, and authenticating and verifying the identities of such users, processes, or devices, using multifactor authentication or HSPD-12 compliant authentication methods where required;

9. Establishing an operational incident handling capability for Covered Information Systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities, and tracking, documenting, and reporting incidents to appropriate officials and authorities within Contractor's organization and the DOJ;

10. Performing periodic and timely maintenance on Covered Information Systems, and providing effective controls on tools, techniques, mechanisms, and personnel used to conduct such maintenance;

12. Protecting Covered Information System media containing DOJ Information, including paper, digital and electronic media; limiting access to DOJ Information to authorized users; and sanitizing or destroying Covered Information System media containing DOJ Information before disposal, release or reuse of such media;

13. Limiting physical access to Covered Information Systems, equipment, and physical facilities housing such Covered Information Systems to authorized U.S. citizens unless a waiver has been granted by the Contracting Officer ("CO"), and protecting the physical facilities and support infrastructure for such Information Systems;

14. Screening individuals prior to authorizing access to Covered Information Systems to ensure compliance with DOJ Security standards;

15. Assessing the risk to DOJ Information in Covered Information Systems periodically, including scanning for vulnerabilities and remediating such vulnerabilities in accordance with DOJ policy and ensuring the timely removal of assets no longer supported by the Contractor;

16. Assessing the security controls of Covered Information Systems periodically to determine if the controls are effective in their application, developing and implementing plans of action designed to correct deficiencies and eliminate or reduce vulnerabilities in such Information Systems, and monitoring security controls on an ongoing basis to ensure the continued effectiveness of the controls;

17. Monitoring, controlling, and protecting information transmitted or received by Covered Information Systems at the external boundaries and key internal boundaries of such Information Systems, and employing architectural designs, software development techniques, and systems engineering principles that promote effective security; and

18. Identifying, reporting, and correcting Covered Information System security flaws in a timely manner, providing protection from malicious code at appropriate locations, monitoring security alerts and advisories and taking appropriate action in response.

B. Contractor shall not process, store, or transmit DOJ Information using a Covered Information System without first obtaining an Authority to Operate ("ATO") for each Covered Information System. The ATO shall be signed by the Authorizing Official for the DOJ component responsible for maintaining the security, confidentiality, integrity, and availability of the DOJ Information under this contract. The DOJ standards and requirements for obtaining an ATO may be found at DOJ Order 2640.2, as amended. (For Cloud Computing Systems, see Section V. below.)

C. Contractor shall ensure that no Non-U.S.
citizen accesses or assists in the development, operation, management, or maintenance of any DOJ Information System, unless a waiver has been granted by the DOJ Component Head (or his or her designee) responsible for the DOJ Information System, the DOJ Chief Information Officer, and the DOJ Security Officer.

D. When requested by the DOJ CO or COR, or other DOJ official as described below, in connection with DOJ's efforts to ensure compliance with security requirements and to maintain and safeguard against threats and hazards to the security, confidentiality, integrity, and availability of DOJ Information, Contractor shall provide DOJ, including the Office of Inspector General ("OIG") and Federal law enforcement components, (1) access to any and all information and records, including electronic information, regarding a Covered Information System, and (2) physical access to Contractor's facilities, installations, systems, operations, documents, records, and databases. Such access may include independent validation testing of controls, system penetration testing, and FISMA data reviews by DOJ or agents acting on behalf of DOJ, and such access shall be provided within 72 hours of the request. Additionally, Contractor shall cooperate with DOJ's efforts to ensure, maintain, and safeguard the security, confidentiality, integrity, and availability of DOJ Information.

E. The use of Contractor-owned laptops or other portable digital or electronic media to process or store DOJ Information covered by this clause is prohibited until Contractor provides a letter to the DOJ CO, and obtains the CO's approval, certifying compliance with the following requirements:

1. Media must be encrypted using a NIST FIPS 140-2 approved product;

2. Contractor must develop and implement a process to ensure that security and other applications software is kept up-to-date;

3. Where applicable, media must utilize antivirus software and a host-based firewall mechanism;

4. Contractor must log all computer-readable data extracts from databases holding DOJ Information and verify that each extract including such data has been erased within 90 days of extraction or that its use is still required. All DOJ Information is sensitive information unless specifically designated as non-sensitive by the DOJ; and,

5. A Rules of Behavior ("ROB") form must be signed by users. These rules must address, at a minimum, authorized and official use, prohibition against unauthorized users and use, and the protection of DOJ Information. The form also must notify the user that he or she has no reasonable expectation of privacy regarding any communications transmitted through or data stored on Contractor-owned laptops or other portable digital or electronic media.

F. Contractor-owned removable media containing DOJ Information shall not be removed from DOJ facilities without prior approval of the DOJ CO or COR.

G. When no longer needed, all media must be processed (sanitized, degaussed, or destroyed) in accordance with DOJ security requirements. Contractor must keep an accurate inventory of digital or electronic media used in the performance of DOJ contracts.

I. Contractor must remove all DOJ Information from Contractor media and return all such information to the DOJ within 15 days of the expiration or termination of the contract, unless otherwise extended by the CO, or waived (in part or whole) by the CO, and all such information shall be returned to the DOJ in a format and form acceptable to the DOJ. The removal and return of all DOJ Information must be accomplished in accordance with DOJ IT Security Standard requirements, and an official of the Contractor shall provide a written certification certifying the removal and return of all such information to the CO within 15 days of the removal and return of all DOJ Information.

J. DOJ, at its discretion, may suspend Contractor's access to any DOJ Information, or terminate the contract, when DOJ suspects that Contractor has failed to comply with any security requirement, or in the event of an Information System Security Incident (see Section V.E. below), where the Department determines that either event gives cause for such action. The suspension of access to DOJ Information may last until such time as DOJ, in its sole discretion, determines that the situation giving rise to such action has been corrected or no longer exists. Contractor understands that any suspension or termination in accordance with this provision shall be at no cost to the DOJ, and that upon request by the CO, Contractor must immediately return all DOJ Information to DOJ, as well as any media upon which DOJ Information resides, at Contractor's expense.

V. Cloud Computing

A. Cloud Computing means an Information System having the essential characteristics described in NIST SP 800-145, The NIST Definition of Cloud Computing. For the sake of this provision and clause, Cloud Computing includes Software as a Service, Platform as a Service, and Infrastructure as a Service, and deployment in a Private Cloud, Community Cloud, Public Cloud, or Hybrid Cloud.

B. Contractor may not utilize the Cloud system of any CSP unless:

1. The Cloud system and CSP have been evaluated and approved by a 3PAO certified under FedRAMP and Contractor has provided the most current Security Assessment Report ("SAR") to the DOJ CO for consideration as part of Contractor's overall System Security Plan, and any subsequent SARs within 30 days of issuance, and has received an ATO from the Authorizing Official for the DOJ component responsible for maintaining the security, confidentiality, integrity, and availability of the DOJ Information under contract; or,

2.
If not certified under FedRAMP, the Cloud System and CSP have received an ATo signed by the Authorizing Official for the DO) component responsible for maintaining the security, confidentiality, integrity, and availability of the Dal Information under the contract. C. Contractor must ensure that the CSP allows Dal to access and retrieve any DOS Information processed. stored or transmit- ted in a Cloud system under this Contract within a reasonable time of any such request, but in no event less than 48 hours from the re- quest. To ensure that the Dal can fully and appropriately search and retrieve DO1 Information from the Cloud system, access shall in

Document Metadata

Document ID: 4f59b2e3-fc45-4c30-82b6-2f4e48cc4e87
Storage Key: dataset_9/EFTA00125313.pdf
Content Hash: fa9094e5c98f8e285466d8d287d9b3c7
Created: Feb 3, 2026