EFTA00125313.pdf

MCC NEW YORK 15BNYM18FTP120150 Page 1 of 15 SOLICITATION/CONTRACT/ORDER FOR COMMERCIAL ITEMS OFFEROR TO COMPLETE BLOCKS 12, 17, 23, 24 tt 30 T REOURITION Nuys ER 1064-18 2. CONTRACT NO GS-07F-03221 2 AWARDEFFECTIVE DATE 09/21/2018 B. ORDER NUMBER 15BNYM18FTP120150 5. SOLICITATION tamBEH 6. SOUCITAIION ISSUE DATE 7. FOR SOLICITATION INFORMATION CALL: a NAME D. TELEPHONE NUMBER (1io PONT caTal I. OFFM DUE DATE (LOCAL THE 9. ISSUED BY CODE I Federal Bureau Prisons I SBNYM 10. • • THE ACOUISITION IS :,....".,..„,, vi 54.,is,;:40,4srssums u -m-Br WAKED Wit ll•JI-00410) SIOL. &ANUS 0 . . gm Ell UNRESTRICTED OR O SET AS % FOR wommosTwo situ omen aa1WO50) Sian IMAMS, POCCIV*I ED NATC3 334512 AESD sin STANDARD. Employees /CAI of MCC New York ISO Park Row New York, NY 10007 II MUSS CIELNERY FOR FOB DESTINATON BLOCK IS MARRED sip NET SOEOULE II OISCOUNT TERNS 30 K 13. TIES CONTRACT i S A MATZO OROCR UNDER CIPAS (15 CFR 700) 130. RAM O 4. METHOD OF SOLICITATION O RFO IFS 0RFP 15 OfJ.Naii 1G GCCE 15BNYM Federal Bureau of Prisons MCC New York 150 Perk Row (0) New York, NY 10007 I6.ADSENS1ERED BY CODE I BNEF Federal Bureau of Prisons NE Finance Caner- FCI Fon Dix NE FINANCE CENTER BLDG 5756 HARTFORD ROAD Joint Base MDL, NJ 08640 17B. CONTRA R CTOR/ 03M 1421578695 I OFFE R Fact" COOS 171856222 So PATIENT WILL SE kla BY cool I am Federal Bureau of Prisons ATTN: NYM ACCOUNTS FCI Fon Dix PAYABLE P.O. Box 38 NER Finance Center - Acccounting Joint Base MDL, NJ 08640 SIGNET TECHNOLOGIES. INC. 12300 KILN COURT SUITE E BELTSVILLE, MD 20705-1357 DUNS: 171103222 TELEPHONE NO. IJ- 125. CHECK IF REMITTANCE IS CHF ER ENT AND PUT S404 ADDRESS Ps lb. SUGAR*NON in ADDRESS SHOWN IN BLOCK IS. (LESS BLOCH BELOW IS CHECKED SEE ADOCNOUM 19. ITEM NO. 20. SCHEDULE OF SUPPUESISEFMCES 21. QUANTITY 22. UNIT 23. UNIT PRICE 24. ANOUFJi Delivery Date: 09/2X/201x MCC NEW YORK - CAMERA SYSTEM Provide services in accordance with the FSS. SOW and lechnical proposal. GSA: GS-07F-03221 Sec Continuation Sheet(s) (as /swot ailiams A AL44.malAine so Nam ZS ACCOUNTING ANDAPPROPRIATION DATA SA-2018-02-FP021452P1-29F-3100-2018 20. TOTAL AWARD ALCuNI (Foe C.N. un, rk.s,s 5698,11.99 8 27a. SOLICHATKIN INCORPORATES IT REFERENCE FM 52 2124. 62 2124. FM 622124 NC 622124 MI ATTACHED ADDENDA 274. CONIRACTAIRCHASE OMER INCORPORATES BY REFERENCE FAR S22124 FAR 522124 IS ATTACHED. ADZIENCA ARC ARE NOT ATTACHED ARE PRE NOT ATTACHED 29 CONTRACTORIS REWIRED TO SON TM DOCUMENT AND RETURN I COPIES TO AWARD Or CONTRACT (WIER isSIANO OFFICE. CONTRACTOR AORICS TO FURNISH AHD DEUVOR ALL ITIOA0 SET FORTH DATED YOUR OFFER ON SOLI TAtION (BOCK 5) OR OTHERVASE ICEMITIED MOVE AND ON AM ADOITIONAL SHEETS WILMOT TO HIE INCLUO NG ANY MINTIONS OR CHANGES YMICH ARE SET FORTH HEREIN. TERMS AND CON OTIONS STICH= TS ACCEPTED AS TO ITEMS lo. NAME Of THE CONTRACHRO OFFICER OW, OR PROM Scc(ion Chia. FAO 3Ie. DATE MOBBED 09/21/2018 AUTHORIZED FOR LOCAL REPRODUCTION PREVIOUS EDITION IS NOT USABLE STANDARD FORM 1449 (REV 2/2012) Pnow-orb IN GSA-FAR 01CFR) 53 212 EFTA00125313 15BNYM18FTP120150 Page 2 of 15 19 ITEM NO. 20. SCHEDULE OF SUPPLIES/SERVICES ... - QUANTITY 22 t, \ IT 23 UNIT PRICE 24 AMOUNT 323. QUANTITY IN COLUMN 21 HAS BEEN 0 RECEIVED O INSPECTED ID ACCEPTED. AND CONFORMS TO THE CONTRACT. EXCEPT AS NOTED: 320. SIGNATURE OF AUTHORIZED GOVERNMENT REPRESENTATIVE 32c DATE 326. PRINTED NAME AND TITLE OF AUTHORIZED GOVERNMENT REPRESENTATIVE 32e. MNLING ADDRESS OF AUTHORIZED GOVERNMENT REPRESENTATIVE 321. TELEPHONE NUMBER OF AUTHORIZED GOVERNMENT REPRESENTATIVE 322. EMAIL OF AUTHORIZED GOVERNMENT REPRESENTATIVE 33. SHIP NUMBER 34. VOUCHER NUMBER 35 AMOUNT VERIFED CORRECT FOR 36. PAYMENT COMPLETE PARTIAL 37. CHECK NUMBER mi FINAL I PARTIAL I [FINAL U. SIR ACCOUNT NUMBER 39. SIR VOUCHER NUMBER 40. PAID BY 41a. I CERTIFY THIS ACCOUNT IS CORRECT AND PROPER FOR PAYMENT 42a. RECEIVED BY (P4ra) 4th. SIGNATURE AND TITLE Of CERTIFYING OFFICER 4Ic. DATE 42b. RECEIVED AT (Location) 4k. DATE RECD (Y17144020) 420 TOTAL CONTAINERS STANDARD FORM 1449 inv. mem BACK EFTA00125314 15BNYM18FTP120150 Page 3 of 15 Table of Contents =in Description pace Number 1 Solicitation/Contract Form I 2 Commodity or Services Schedule 4 3 Contract Clauses 6 52.21.603.70 Contracting Officer's Representative (COR) (June 2012) 6 2852.223-70 Unsafe Conditions Due to the Presence of Hazardous Material (June 1996) 6 52.24-403-70 Notice of Contractor Personnel Security Requirements (OCT 2005) 6 52.27-103-72 DOT CONTRACTOR RESIDENCY REQUIREMENT BUREAU OF PRISONS (JUNE 2004) 8 DJAR-PGD-I5-02-1B Contractor Internal Confidentiality Agreements or Statements Prohibiting or Restricting Reporting of Waste, Fraud, and Abuse - Solicitation - (DEVIATION 2015-02) (March 2015) 8 WAR-PGD-I5-03 Security of Department Information and Systems 8 BOP 2852.242-71 EVALUATION OF CONTRACTOR PERFORMANCE UTILIZING CPARS (APR 2011) 13 508 COMPLIANCE WITH SECTION 508 OF THE REHABILITATION ACT OF 1973, 1998 AMENDMENTS 13 DJAR-PGD-15-02-2A Corporate Representation Regarding Felony Conviction Under Any Federal Law or Unpaid Delinquent Tax Liability - Award (DEVIATION 2015-02) (March 2015) 13 4 List of Attachments 15 EFTA00125315 15BNYM18FTP120150 Page 4 of 15 Section 2 - Commodity or Services Schedule SCHEDULE OF SUPPLIES/SERVICES CONTINUATION SHEET ITEM NO. SUPPLIESISERVICES QUANTITY UNIT UNIT PRICE AMOUNT 0001 NV-ENT-1CH 350.000000 V V V V VV V V V V V '2 V V 52394000 $83,790.00 Single License for Vision Enterprise package video/mac channel 0002 NV•SVR9820-RIN6-RINI-60TB 4.000000 522,184.4000 P18,737.60 VISIONHUB SMART VIDEO RECORDER 9820. 2U WITH INTERNAL RAID6 * RAID 1 80TB NET STORAGE 0003 NV-ENT-RSVR.TCH 350.000000 566.5000 $23.275.00 RECORDER REDUNDANCY LICENSE PER 1 CHANNEL 0004 NV-ENT-MJVUPG-NET2X NET31 1.000000 50.0000 50.00 ENTERPRISE SOFTWARE PACKAGE MAJOR VERSION UPGRADE FOR SITE, USERS AND CHANNELS FROM NET 2.X TO NET 3.1 0005 NV-NVD-5204 1.000000 518004800 53,800.48 Icla aMI LITCODER 5204 SUPPORTING UP TO 4 VIDEO 0006 SGT-AMS 1.000000 54389.0000 54.389.00 AMS SERVER 0007 NV-NVE-2016 22.000000 52.493.7500 $54,862.50 NICE5VFIPPIP4 I:Cir RESOLUTION. INCLUDES DUAL 16 CAMERAS AT 0006 101462WR-B9 135.000000 5517.3700 569,844.95 P CAMERA 0009 NET SIGN SIGNET LABOR 1.000000 5243,523.0000 5243,523.00 0010 IC VISION ENCODER/DECODER RACK MOUNT KIT 11.000000 5119.7000 51,316.70 SUPPORTING 4 NVEINVD 1002 (FOR NOT-XI-MODELS). OR 6 NVEJNVD 1002 POWER S 0011 06055-E OUTDOOR PT2/1080P/X32/IP 17.000000 52,500.0000 542,500.00 0012 ggeggcsivANcAkviiiim 75.000000 51,050.0000 S78,750.00 0013 T9AL1LL 61 17.000000 582.0000 51,394.00 W M OUNT FOR 06055-E 0014 198A18-VE 8.000000 5240.7200 51,925.76 MEDIA CONVERTER CABINET 101AL S698.108 99 FUNDING DETAILS: ITEM NO. FUNDING LINE OBLIGATED AMOUNT ACCOUNTING CODES NIA 1 5698,108 99 SA-2018-024P021452P1-29F-3100-2018 TOTAL: $698,10899 EFTA00125316 15BNYM1BFTP120150 Page 5 of 15 Large Business EFTA00125317 15BNYIA18FTP120150 Page 6 of 15 Section 3 - Contract Clauses Clauses By Fun Text 52.21.603.70 Contracting Officer's Representative (COR) (June 2012) (a)IM. FACILITES MANAGER MCC NEW YORKJArea Code and Telephone Numbed is hereby designated as the Contracting Officer's Representative (COR) under this contract. (b) The COR is responsible, as applicable, for: receiving all deliverables, inspecting and accepting the supplies or services provide hereunder in accordance with the terms and conditions of this contract; providing direction to the contractor which clarifies the con- tractor effort, fills in details or otherwise serves to accomplish the contractual Scope of Work; evaluating performance; and certifying all invoices/vouchers for acceptance of the supplies or services furnished for payment. (c) The COR does not have the authority to alter the contractor's obligations under the contract, and/or modify any of the expressed terms, conditions, specifications, or cost of the agreement. If as a result of technical discussions it is desirable to alterkhange contrac- tual obligations or the Scope of Work, the Contracting Officer shall issue such changes. 2852.223-70 Unsafe Conditions Due to the Presence of Hazardous Material (June 1996) (a) "Unsafe condition" as used in this clause means the actual or potential exposure of contractor or Government employees to a haz- ardous material as defined in Federal Standard No. 313, and any revisions thereto during the term of this contract, or any other materi- al or working condition designated by the Contracting Officer's Technical Representative (COTR) as potentially hazardous and requir- ing safety controls. (b) The Occupational Safety and Health Administration (OSHA) is responsible for issuing and administering regulations that require contractors to apprise its employees of all hazards to which they may be exposed in the course of their employment; proper conditions and precautions for safe use and exposure; and related symptoms and emergency treatment in the event of exposure. (c) Prior to commencement of work, contractors are required to inspect for and report to the contracting officer or designee the pres- ence of, or suspected presence of, any unsafe condition including asbestos or other hazardous materials or working conditions in areas in which they will be working. (d) If during the performance of the work under this contract, the contractor or any of its employees, or subcontractor employees, dis- covers the existence of an unsafe condition, the contractor shall immediately notify the contracting officer, or designee, (with written notice provided not later than three (3) working days thereafter) of the existence of an unsafe condition. Such notice shall include the contractor's recommendations for the protection and the safety of Government, contractor and subcontractor personnel and property that may be exposed to the unsafe condition. (e) When the Government receives notice of an unsafe condition from the contractor, the parties will agree on a course of action to mitigate the effects of that condition and, if necessary, the contract will be amended. Failure to agree on a course of action will consti- tute a dispute under the Disputes clause of this contract. (f) Nothing contained in this clause shall relieve the contractor or subcontractors from complying with applicable Federal, State. and local laws, codes, ordinances and regulations (including the obtaining of licenses and permits) in connection with hazardous material including but not limited to the use, disturbance, or disposal of such material. (End of Clause) 52.24-403-70 Notice of Contractor Personnel Security Requirements (OCT 2005) Compliance with Homeland Security Presidential Directive-12 (HSPD-12) and Federal Information Processing Standard Publication 201 (FIPS 201) r entitled "Personal Identification Verification (NV) for Federal Employees and Contractors," Phase I. I. Long-Tenn Contractor Personnel: In order to be compliant with HSPD-I2/PIV I, the following investigative requirements must be met for each new long-term' con- tractor employee whose background investigation (BI) process begins on or after October 27, 2005: a. Contractor Personnel must present two forms of identification in original form prior to badge issuance (acceptable documents are listed in Form 1-9, OMB No. 1615-0047, "Employment Eligibility Verification," and at least one document must be a valid State or EFTA00125318 158NYM18FTP120150 Page 7 of 15 Federal government-issued picture ID); b. Contractor Personnel must appear in person at least once before a DO) official who is responsible for checking the identification documents. This identity proofing must be completed sometime during the clearance process but prior to badge issuance and must be documented by the DOJ official; c. Contractor Personnel must undergo a BI commensurate with the designated risk level associated with the duties of each position. Outlined below are the minimum Eil requirements for each risk level: • High Risk - Background Investigation (5 yew scope) • Moderate Risk - Limited Background Investigation (LBI) or Minimum Background Investigation (MBI) • Low Risk - National Agency Check with Inquiries (NACI) investigation d. The pre-appointment B1 waiver requirements for all position sensitivity levels are a: I) Favorable review of the security questionnaire form; 2) Favorable fingerprint results; 3) Favorable credit report, if required :3 4) Waiver request memorandum, including both the Office of Personnel Management schedule date and position sensitivity/risk level; and 5) Favorable review of the National Agency Check (NAC) 4 portion of the applicable BI that is determined by position sensitivity/risk level. A badge may be issued following approval of the above waiver requirements. If the NAC is not received within five days of OPM's scheduling date, the badge can be issued based on a favorable review of the Se- curity Questionnaire and the Federal Bureau of Investigation Criminal I history Check (i.e., fingerprint check results). e. Badge re-validation will occur once the investigation is completed and favorably adjudicated. If the BI results so justify, badges is- sued under these procedures will be suspended or revoked. 2. Short-Term Contractor Personnel: It is the policy of the DOJ that short-term contractors having access to DO) information systems and/or DO) facilities or space for six months or fewer are subject to the identity proofing requirements listed in items Ia. and lb. above. The pre-appointment waiver re- quirements for short-term contractors are•. a. Favorable review of the security questionnaire form; b. Favorable fingerprint results; c. Favorable credit report, if requiree and d. Waiver request memorandum indicating both the position sensitivity/risk level and the duration of the appointment The commen- surate 81 does not need to be initiated. A badge may be issued following approval of the above waiver requirements and the badge will expire six months from the date of is- suance. This process can only be used once for a short-term contractor in a twelve month period. This will ensure that any consecutive short-term appointments are subject to the full PIV-I identity proofing process. For example, if a contractor employee requires daily access for a three or four-week period, this contractor would be cleared according to the above short-term requirements. llowever, if a second request is submitted for the same contractor employee within a twelve- month period for the purpose of extending the initial contract or for employment under a totally different contract for another three or four-week period, this contractor would now be considered gong-teen" and must be cleared according to the long-term requirements as stated in this interim policy. 3. Intermittent Contractors: An exception to the above-mentioned shod-term requirements would be intermittent contractors. a. For purposes of this policy, Intermittent" is defined as those contractor employees needing access to Dal information systems and/ or DO) facilities or space for a maximum of one day per week, regardless of the duration of the required intermittent access. For ex- ample. the water delivery contractor that delivers water one time each week and is working on a one-year contract. b. Contractors requiring intermittent access should follow the Department's escort policy. Please reference the August I I, 2004, and January 29, 2001, Department Security Officer policy memoranda that conveys the requirements for contractor facility escorted ac- cess. c. Due to extenuating circumstances, if a component requests unescorted access or Dal IT system access for an intermittent contract- or, the same pre-employment background investigation waiver requirements that apply to short-term contractors are required. d. If an intermittent contractor is approved for unescorted access, the contractor will only be issued a daily badge. The daily badge will be issued upon entrance into a Dal facility or space and must be returned upon exiting the same facility or space. e. If an intermittent contractor is approved for unescorted access, the approval will not exceed one year. If the intermittent contractor requires unescorted access beyond one year, the contractor will need to be re-approved each year. 4. An individual transferring from another department or agency shall not be re-adjudicated provided the individual has a current (within the last five years), favorably adjudicated BI meeting FISPD-12 and DOJ's BI requirements. 5. The DOJ's current escorted contractor policy remains unchanged by this acquisition notice. Notes: I. FIPS 201 is available at: www.csrc.nistgov/publications/fips/fips201/FIPS-201-022505.pdf 2. Under HSPD-12, long-term contractors are contractors having access to Dal information systems and/or DOJ facilities or space for six months or longer. The PIV-I identity proofing process, including initiation and adjudication of the required background investiga- tion, is required for all new long-term contractors regardless of whether it is the current practice to issue a badge. The second phase of 11SPD-12 implementation (Ply-II) requires badge issuance to all affected long-term contractors. 3. For contractors in position sensitivity/risk levels above level 1, a favorable review of a credit check is required as part of the pre- appointment waiver package. EFTA00125319 15BNYM18FTP120150 Page 8 of 15 4. In order to avoid a delay in the hiring process, components should request an Advance NAC Report when initiating investigations to OPM. Per OPM ' s instructions, to obtain an Advance NAC Report, a Code " 3" must be placed in block " B " of the " Agency Use Only " section of the investigative form. This report is available for all case types. 5.For contractors in position sensitivity/risk levels above level I, a favorable review of a credit check is required as part of the pre- appointment waiver package. [End of Clause] 52.27-103-72 Dal CONTRACTOR RESIDENCY REQUIREMENT BUREAU OF PRISONS (JUNE 2004) For three of the five years immediately prior to submission of an offer/bid/quote, or prior to performance under a contract or commit- ment, individuals or contractor employees providing services must have: I. Legally resided in the United States (U.S.): 2. worked for the U.S. overseas in a Federal or military capacity; or 3. been a dependent of a Federal or military employee serving overseas. If the individual is not a U.S. citizen, they must be from a country allied with the U.S. The following website provides current inform- ation regarding allied countries: http://www.opm.gov/employ/html/citizen.htm By signing this contract or commitment document, or by commencing performance, the contractor agrees to this restriction. [End of Clause] DJAR-POD-I 5-02-1B Contractor Internal Confidentiality Agreements or Statements Prohibiting or Restricting Reporting of Waste, Fraud, and Abuse - Solicitation - (DEVIATION 2015-02) (March 2015) None of the funds appropriated to the Department under its current Appropriations Act may be used to enter into a contract, grant. or cooperative agreement with an entity that requires employess or contractors of such entity that requires employees or contractors of such entity seeking to report fraud, waste, and abuse to sign internal confidentiality agreements or statements prohibiting or otherwise restricting such employees or contractors from lawfully reporting such waste, fraud, ora base to a designated investigative or law en- forcement representative of a Federal department or agency authorized to receive such information. By submitting a response to this solicitation, the contractor certifies that it does not require employees or contractors of the contractor seeking to report fraud, waste, and abuse to sign internal confidentiality agreements or statements prohibiting or otherwise restricting such employees or contractors from lawfully reporting waste, fraud, and abuse to a designated investigative or law enforcement representative of a Federal depart- ment or agency authorized to receive such information. (End of Provision) DJAR-PGD-15-03 Security of Department Information and Systems 1. Applicability to Contractors and Subcontractors This clause applies to all contractors and subcontractors, including cloud service providers ("CSPs"), and personnel of contractors, subcontractors, and CSPs (hereinafter collectively, "Contractor") that may access, collect, store, process, maintain, use, share, retrieve, disseminate, transmit, or dispose of Dal Information. It establishes and implements specific DOJ requirements applicable to this Con- tract. The requirements established herein are in addition to those required by the Federal Acquisition Regulation ("FAR"), including FAR 11.002(g) and 52.239-1, the Privacy Act of 1974, and any other applicable laws, mandates, Procurement Guidance Documents, and Executive Orders pertaining to the development and operation of Information Systems and the protection of Government Informa- tion. This clause does not alter or diminish any existing rights, obligation or liability under any other civil and/or criminal law, rule, regulation or mandate. 11. General Definitions The following general definitions apply to this clause. Specific definitions also apply as set forth in other paragraphs. A. Information means any communication or representation of knowledge such as facts, data, or opinions, in any form or me- dium, including textual, numerical, graphic, cartographic, narrative, or audiovisual. Information includes information in an electronic format that allows it be stored, retrieved or transmitted, also referred to as "data," and "personally identifiable information" ("PII"), re- gardless of form. B. personally Identifiable Information (or Pill means any information about an individual maintained by an agency, includ- ing, but not limited to, information related to education, financial transactions, medical history, and criminal or employment history and information, which can be used to distinguish or trace an individual's identity, such as his or her name, social security number, EFTA00125320 158 NYM18FTP120150 Page 9 of 15 date and place of birth, mother's maiden name, biometric records. etc., including any other personal information which is linked or linkable to an individual. C. DOJ Information means any Information that is owned, produced, controlled, protected by, or otherwise within the custody or responsibility of the Dal, including, without limitation, Information related to Dal programs or personnel. It includes, without lim- itation, Information (I) provided by or generated for the Dal, (2) managed or acquired by Contractor for the DO/ in connection with the performance of the contract, and/or (3) acquired in order to perform the contract. D. Information Svstem means any resources, or set of resources organized for accessing, collecting, storing, processing, main- taining, using, sharing, retrieving, disseminating, transmitting, or disposing of (hereinafter collectively. "processing, storing, or trans- mitting") Information. E. Covered Information Svsterrt means any information system used for, involved with, or allowing, the processing, storing, or transmitting of DOJ Information. 111. Confidentiality and Non-disclosure of 00.1 Information A. Preliminary and final deliverables and all associated working papers and material generated by Contractor containing Dal Information are the property of the U.S. Government and must be submitted to the Contracting Officer ("CO") or the CO's Represent- ative ("COR") at the conclusion of the contract. The U.S. Government has unlimited data rights to all such deliverables and associated working papers and materials in accordance with FAR 52.227-14. B. All documents produced in the performance of this contract containing Dal Information are the property of the U.S. Gov- ernment and Contractor shall neither reproduce nor release to any third-parry at any time, including during or nt expiration or termina- tion of the contract without the prior written permission of the CO. C. Any Dal information made available to Contractor under this contract shall be used only for the purpose of perfomiance of this contract and shall not be divulged or made known in any manner to any persons except as may be necessary in the performance of this contract. In performance of this contract, Contractor assumes responsibility for the protection of the confidentiality of any and all DOJ Information processed, stored, or transmitted by the Contractor. When requested by the CO (typically no more than annually), Contractor shall provide a report to the CO identifying, to the best of Contractor's knowledge and belief, the type, amount, and level of sensitivity of the Dal Information processed, stored, or transmitted under the Contract, including an estimate of the number of indi- viduals for whom P11 has been processed, stored or transmitted under the Contract and whether such information includes social secur- ity numbers (in whole or in pan). IV. Compliance with Information Technology Security Policies, Procedures and Requirements A. For all Covered Information Systems, Contractor shall comply with all security requirements, including but not limited to the regulations and guidance found in the Federal Information Security Management Act of 2014 ("FISMA"), Privacy Act of 1974, E- Government Act of 2002, National Institute of Standards and Technology ("NIST") Special Publications ("SP"), including NIST SP 800-37, 800.53, and 800-60 Volumes I and II, Federal Information Processing Standards ("FR'S") Publications 140-2, 199, and 200, O501B Memoranda, Federal Risk and Authorization Management Program ("FedRAMP"), Dal IT Security Standards, including DOJ Order 2640.2, as amended. These requirements include but arc not limited to: I. Limiting access to 001 Information and Covered Information Systems to authorized users and to transactions and functions that authorized users are permitted to exercise: 2. Providing security awareness training including, but not limited to, recognizing and reporting potential indicators of insider threats to users and managers of DO1 Information and Covered Information Systems: 3. Creating, protecting, and retaining Covered Information System audit records, reports, and supporting documentation to en- able reviewing, monitoring, analysis, investigation, reconstruction, and reporting of unlawful, unauthorized, or inappropriate activity related to such Covered Information Systems and/or Dal Information; 4. Maintaining authorizations to operate any Covered Information System; 5. Performing continuous monitoring on all Covered Information Systems; 6. Establishing and maintaining baseline configurations and inventories of Covered Information Systems, including hardware, software, firmware, and documentation, throughout the Information System Development Lifecycle, and establishing and enforcing security configuration settings for IT products employed in Information Systems. 7. Ensuring appropriate contingency planning has been performed, including DOJ Information and Covered Information Sys- tem backups: EFTA00125321 15BNY1A18FTP120150 Page 10 of 15 8. Identifying Covered Information System users, processes acting on behalf of users, or devices, and authenticating and veri- fying the identities of such users, processes, or devices, using multifactor authentication or HSPD-12 compliant authentication meth- ods where required; 9. Establishing an operational incident handling capability for Covered Information Systems that includes adequate prepara- tion, detection, analysis, containment, recovery, and user response activities, and tracking, documenting, and reporting incidents to ap- propriate officials and authorities within Contractor's organization and the DO); 10. Performing periodic and timely maintenance on Covered Information Systems, and providing effective controls on tools, techniques, mechanisms, and personnel used to conduct such maintenance; 12. Protecting Covered Information System media containing DOJ Information, including paper, digital and electronic media; limiting access to Dal Information to authorized users; and sanitizing or destroying Covered Information System media containing Dal Information before disposal, release or reuse of such media; 13. Limiting physical access to Covered Information Systems, equipment, and physical facilities housing such Covered Informa- tion Systems to authorized U.S. citizens unless a waiver has been granted by the Contracting Officer ("CO"), and protecting the phys- ical facilities and support infrastructure for such Information Systems; 14. Screening individuals prior to authorizing access to Covered Information Systems to ensure compliance with Dal Security standards; 15. Assessing the risk to DO) Information in Covered Information Systems periodically, including scanning for vulnerabilities and remediating such vulnerabilities in accordance with DOJ policy and ensuring the timely removal of assets no longer supported by the Contractor; 16. Assessing the security controls of Covered Information Systems periodically to determine if the controls are effective in their application, developing and implementing plans of action designed to correct deficiencies and eliminate or reduce vulnerabilities in such Information Systems, and monitoring security controls on an ongoing basis to ensure the continued effectiveness of the controls; 17. Monitoring, controlling, and protecting information transmitted or received by Covered Information Systems at the external boundaries and key internal boundaries of such Information Systems, and employing architectural designs, software development techniques, and systems engineering principles that promote effective security; and 18. Identifying, reporting, and correcting Covered Information System security flaws in a timely manner, providing protection from malicious code at appropriate locations, monitoring security alerts and advisories and taking appropriate action in response. B. Contractor shall not process, store, or transmit Dal Infomiation using a Covered Information System without first obtaining an Authority to Operate ("ATO") for each Covered Information System. The ATO shall be signed by the Authorizing Official for the Dal component responsible for maintaining the security, confidentiality, integrity, and availability of the Dal Information under this contract. The DO) standards and requirements for obtaining on ATO may be found at DO) Order 2640.2, as amended. (For Cloud Computing Systems, see Section V. below.) C. Contractor shall ensure that no Non-U.S. citizen accesses or assists in the development, operation, management, or mainten- ance of ony Dal Information System, unless a waiver has been granted by the by the DO) Component Head (or his or her designee) responsible for the Dal Information System, the Dal Chief Information Officer, and the DO) Security Officer. D. When requested by the Dal CO or COR, or other Dal official as described below, in connection with DO)'s efforts to en- sure compliance with security requirements and to maintain and safeguard against threats and hazards to the security, confidentiality, integrity, and availability of DO) Information, Contractor shall provide DOJ, including the Office of Inspector General ("OIG") and Federal law enforcement components, (1) access to any and all information and records, including electronic information, regarding a Covered Information System, and (2) physical access to Contractor's facilities, installations, systems, operations, documents, records, and databases. Such access may include independent validation testing of controls, system penetration testing, and FISMA data re- views by Dal or agents acting on behalf of DOJ, and such access shall be provided within 72 hours of the request. Additionally, Con- tractor shall cooperate with DOJ's efforts to ensure, maintain, and safeguard the security, confidentiality, integrity, and availability of DO) Information. E. The use of Contractor-owned laptops or other portable digital or electronic media to process or store DO) Information covered by this clause is prohibited until Contractor provides a letter to the Dal CO, and obtains the CO's approval, certifying com- pliance with the following requirements: 1. Media must be encrypted using a NIST Fl PS 140-2 approved product; 2. Contractor must develop and implement a process to ensure that security and other applications software is kept up-to-date; EFTA00125322 1SBNYM18FTP120150 Page 11 of 15 3. Where applicable, media must utilize antivirus software and a host-based firewall mechanism; 4. Contractor must log all computer-readable data extracts from databases holding Dal Information and verify that each ex- tract including such data has been erased within 90 days of extraction or that its use is still required. All DO1 Information is sensitive information unless specifically designated as non-sensitive by the DO); and, 5. A Rules of Behavior ("ROB") form must be signed by users. These rules must address, at a minimum, authorized and offi- cial use, prohibition against unauthorized users and use, and the protection of Dal Information. The form also must notify the user that he or she has no reasonable expectation of privacy regarding any communications transmitted through or data stored on Contract- or-owned laptops or other portable digital or electronic media. F. Contractor-owned removable media containing Dal Information shall not be removed from Dal facilities without prior ap- proval of the Dal CO or COR. G. When no longer needed, all media must be processed (sanitized, degaussed, or destroyed) in accordance with DOS security requirements. Contractor must keep an accurate inventory of digital or electronic media used in the performance of Dal contracts. 1. Contractor must remove all DO) Information from Contractor media and return all such information to the DO) within 15 days of the expiration or termination of the contract, unless otherwise extended by the CO, or waived (in part or whole) by the CO, and all such information shall be returned to the Dal in a format and form acceptable to the DO). The removal and return of all DO1 Information must be accomplished in accordance with Dal IT Security Standard requirements, and an official of the Contractor shall provide a written certification certifying the removal and return of all such information to the CO within 15 days of the removal and return of all DO) Information. J. DO1, at its discretion, may suspend Contractor's access to any DO1 Information, or terminate the contract, when Dal sus- pects that Contractor has failed to comply with any security requirement, or in the event of an Information System Security Incident (see Section V.E. below), where the Department determines that either event gives cause for such action. The suspension of access to DO1 Information may last until such time as DO), in its sole discretion, determines that the situation giving rise to such action has been corrected or no longer exists. Contractor understands that any suspension or termination in accordance with this provision shall be at no cost to the DO1, and that upon request by the CO, Contractor must immediately return all DO) Information to DO1, as well as any media upon which DO1 Information resides, at Contractor's expense. V. Cloud Computing A. Cloud Computing means an Information System having the essential characteristics described in NIST SP 800.145, The NIST Definition of Cloud Computing. For the sake of this provision and clause, Cloud Computing includes Software as a Service, Platform as a Service, and Infrastructure as a Service, and deployment in a Private Cloud, Community Cloud, Public Cloud, or I lybrid Cloud. B. Contractor may not utilize the Cloud system of any CSP unless: I. The Cloud system and CSP have been evaluated and approved by a 31'AO certified under FedRAMP and Contractor has provided the most current Security Assessment Report ("SAR") to the Dal CO for consideration as part of Contractor's overall Sys- tem Security Plan, and any subsequent SARs within 30 days of issuance, and has received un ATO from the Authorizing Official for the 130) component responsible for maintaining the security confidentiality, integrity, and availability of the DO) Information under contract; or, 2. If not certified under FedRAMP, the Cloud System and CSP have received an ATo signed by the Authorizing Official for the DO) component responsible for maintaining the security, confidentiality, integrity, and availability of the Dal Information under the contract. C. Contractor must ensure that the CSP allows Dal to access and retrieve any DOS Information processed. stored or transmit- ted in a Cloud system under this Contract within a reasonable time of any such request, but in no event less than 48 hours from the re- quest. To ensure that the Dal can fully and appropriately search and retrieve DO1 Information from the Cloud system, access shall in- clude any schemas, meta-data, and other associated data artifacts. VI. Information System Security Breach or Incident A. Definitions I. confirmed Security Breach (hereinafter, "Confirmed Breach") means any confirmed unauthorized exposure, loss of con- trol, compromise, exfiltration, manipulation, disclosure, acquisition, or accessing of any Covered Information System or any DO) In- formation accessed by. retrievable from, processed by, stored on, or transmitted within, to or from any such system. EFTA00125323 15BNYM18FTP1201S0 Page 12 of IS 2. Potential Security Breach (hereinafter, "Potential Breach") means any suspected, but unconfirmed, Covered Information System Security Breach. 3. Security Incident means any Confirmed or Potential Covered Information System Security Breach. B. Confirmed Breach. Contractor shall immediately (and in no event later than within I hour of discovery) report any Con- firmed Breach to the DOS CO and the CO's Representative ("COR"). If the Confirmed Breach occurs outside of regular business hours and/or neither the DO) CO nor the COR can be reached, Contractor must call DOJ-CERT at I-866-US4-CERT (1.866-874-2378) im- mediately (and in no event later than within 1 hour of discovery of the Confirmed Breach), and shall notify the CO and COR as soon as practicable. C. Potential Breach. 1. Contractor shall report any Potential Breach within 72 hours of detection to the DO) CO and the COR, unless Contractor has (a) completed its investigation of the Potential Breach in accordance with its own internal policies and procedures for identification, investigation and mitigation of Security Incidents and (b) determined that there has been no Confirmed Breach. 2. If Contractor has not made a determination within 72 hours of detection of the Potential Breach whether an Confirmed Breach has occurred. Contractor shall report the Potential Breach to the DO) CO and COR within one-hour (i.e., 73 hours from detec- tion of the Potential Breach). If the time by which to report the Potential Breach occurs outside of regular business hours and/or neither the DOS CO nor the COR can be reached, Contractor must call the DOS Computer Emergency Readiness Team (DOJ-CERT) at I -866-US4-CERT (1-866-874-2378) within one-hour (i.e., 73 hours from detection of the Potential Breach) and contact the DOS CO and COR as soon as practicable. D. Any report submitted in accordance with paragraphs (B) and (C), above, shall identify (I) both the Information Systems and DO1 Information involved or at risk, including the type, amount, and level of sensitivity of the DO1 Information and, if the DO) In- formation contains PII, the estimated number of unique instances of PI!, (2) all steps and processes being undertaken by Contractor to minimize, remedy, and/or investigate the Security Incident, (3) any and all other information as required by the US-CERT Federal In- cident Notification Guidelines, including the functional impact, information impact, impact to recoverability, threat vector, mitigation details, and all available incident details; and (4) any other information specifically requested by theDOJ. Contractor shall continue to provide written updates to the DOS CO regarding the status of the Security Incident at least every three (3) calendar days until in- formed otherwise by the DOS CO. E. All determinations regarding whether and when to notify individuals and/or federal agencies potentially affected by a Secur- ity Incident will be made by DOJ senior officials or the DO) Core Management Team at DOS's discretion. F. Upon notification of a Security Incident in accordance with this section, Contractor must provide to Dal full access to any affected or potentially affected facility and/or Information System, including access by the DOJ OIG and Federal law enforcement or- ganizations, and undertake any and all response actions DOS determines are required to ensure the protection of Dal Information, in- cluding providing all requested images, log files, and event information to facilitate rapid resolution of any Security Incident. G. DOS. at its sole discretion, may obtain, and Contractor will permit, the assistance of other federal agencies and/or third party contractors or firms to aid in response activities related to any Security Incident. Additionally, DOI, at its sole discretion, may require Contractor to retain, at Contractor's expense, a Third Party Assessing Organization (3PAO), acceptable to DO1, with expertise in in- cident response, compromise assessment, and federal security control requirements, to conduct a thorough vulnerability and security assessment of all affected Information Systems. It. Response activities related to any Security Incident undertaken by DOS, including activities undertaken by Contractor, other federal agencies, and any third-party contractors or firms at the request or direction of DOS, may include inspections, investigations, forensic reviews, data analyses and processing, and final determinations of responsibility for the Security Incident and/or liability for any additional response activities. Contractor shall be responsible for all costs and related resource allocations required for all such re- sponse activities related to any Security Incident, including the cost of any penetration testing. VII. Personally Identifiable Information Notification Requirement Contractor certifies that it has a security policy in place that contains procedures to promptly notify any individual whose Personally Identifiable Information ("PA") was, or is reasonably determined by Dal to have been, compromised. Any notification shall be co- ordinated with the DOS CO and shall not proceed until the DOS has made a determination that notification would not impede a law en- forcement investigation or jeopardize national security. The method and content of any notification by Contractor shall be coordinated with, and subject to the approval of, DO). Contractor shall be responsible for taking corrective action consistent with Dal Data Breach Notification Procedures and as directed by the DOJ CO, including all costs and expenses associated with such corrective ac- tion, which may include providing credit monitoring to any individuals whose Pit was actually or potentially compromised. VIII. Pass-through of Security Requirements to Subcontractors aid CSPs EFTA00125324 15BNYPA18FTP120150 Pogo 13 of 15 The requirements set forth in the preceding paragraphs of this clause apply to all subcontractors and CSPs who perform work in con- nection with this Contract, including any CSP providing services for any other CSP under this Contract, and Contractor shall flow down this clause to all subcontractors and CSPs performing under this contract. Any breach by any subcontractor or CS? of any of the provisions set forth in this clause will be attributed to Contractor. BOP 2852.242-71 EVALUATION OF CONTRACTOR PERFORMANCE UTILIZING CPARS (APR 2011) The services, although not directly supervised, shall be reviewed by Federal Bureau of Prisons (BOP) staff to ensure contract compli- ance. The contractor's performance will be evaluated in accordance with FAR 42.15. Contract monitoring reports will be prepared by the Contacting Officer's Representative (COR) and maintained in the contract file. In accordance with FAR 42.1502 and 42.1503, agencies shall prepare an evaluation of contractor performance and submit it to the Past Performance Information Retrieval System (PPIRS). The BOP utilizes the Department of Defense (DOD) web-based Contractor Performance Assessment Reporting System (CPARS) to provide contractor performance evaluations. The contractor shall provide and maintain a current e-mail address throughout the life of the contract. The contractor will receive an e-mail from the Focal Point thru the following website address webptsmhr@navy.milwhen the contract is registered in CPARS. The e-mail will contain a "user ID" and temporary password to register in the CPARS system. The contractor must be registered to arresa and review its evaluation and/or provide a response. If assistance is required when registering, please contact the Contracting Staff/Focal Point. (End of Clause) 508 COMPLIANCE WITH SECTION 508 OF THE REHABILITATION ACT OF 1973, 1998 AMENDMENTS All electronic and information technology (EIT) procured through this solicitation and any resulting contract, task order, delivery or- der, or purchase order must meet the applicable accessibility standards at 36 CFR 1194. 36 CFR implements Section 508 of the Re- habilitation Act of 1973, as amended, and viewable at http://www.section508.gov (See Standards-Part 1194). Part 1194.21 - Software applications and operating systems Part 1194.22 - Web-Based Intranet and Internet Information and Applications Part 1194.23 - Telecommunications Products Part 1194.24 - Video and Multimedia Products Part 1194.25 - Self-Contained, Closed Products Part 1194.26 - Desktop and Portable Computers Part 1194.31 - Functional Performance Criteria Part 1194.41 - Information, documentation, and Support The contractor shall indicate for each line item in the schedule of items whether each product is compliant or noncompliant with the accessibility standards at 36 CFR 1194. Further, the offer must indicate where full details of compliance can be found (e.g., with of- fer, vendor's website or other location). (End of Clause) DJAR-PGD-I 5-02-2A Corporate Representation Regarding Felony Conviction Under Any Federal Law or Unpaid Delinquent Tax Liability - Award (DEVIATION 2015-02) (March 2015) (a) Nonc of the funds made available by the Department's current Appropriations Act may be used to enter into a contract, memorandum of understanding, or cooperative agreement with a corporation - (1) convicted of a felony criminal violation under any Federal law within the preceding 24 months, where the awarding agency is aware of the conviction, unless an agency has considered suspension or debarment of the corporation and made a determination that this further action is not necessary to protect the interests of the Government, or (2) that has any unpaid Federal tax liability that has been assessed, for which all judicial and administrat- ive remedies have been exhausted or have lapsed, and that is not being paid in a timely manner pursuant to an agreement with the authority responsible for collecting the tax liability, where the awarding agency is aware of the unpaid tax liability , unless an agency has considered suspension or debarment of the corporation and made a determination that this further action is not necessary to protect the interests of the Government. (b) By acccpting this award or order, in writing or by performance, the offeror/contractor represents that- (I) the offcror is not a corporation convicted of a felony criminal violation under any Federal or State law EFTA00125325 158NYM18FTP120150 Page 14 of 15 within the preceding 24 months; and, (2) the offeror is not a corporation that has any unpaid Federal or State tax liability that has been assessed, for which all judicial and administrative remedies have been exhausted or have lapsed, and that is not being paid in a timely manner pursuant to an agreement with the authority responsible for collecting the tax liability. (End of Clause) EFTA00125326 15BNYMUIFTP120150 Page 15 of 15 Section 4 - List of Attachments This Section Is Intentionally Left Blank EFTA00125327