EFTA00127472.pdf

MCC NEW YORK 15BNYM18FTP120150 Page 1 of 15 SOLICITATION/CONTRACT/ORDER FOR COMMERCIAL ITEMS OFFEROR TO COMPLETE BLOCKS 12, 17, 23, 24 & 30 1. REQUISITION NUMBER 1064-18 2. CONTRACT NO. GS-07F-0322T 3. AWARDEFFECTIVE DATE 09/21/2018 1. ORDER NUMBER 15BNYMI8FTP120150 S. SOLICITATION NUMBER 8. SOLICITATION ISSUE DATE 7. FOR SOLICITATION INFORMATION CALL: a. NAME b. TELEPHONE NUMBER (No eo.Nef ediS) 8. OFFER DUE DATE/LOCAL TIME 9. ISSUED BY CODE Federal Bureau of Prisons I5BNYM 10. THE ACOUISMON IS x UNRESTRICTED OR SET ASIDE: % FOR MCC New York 150 Park Row New York. NY 10007 fl SHALL BUSINESS WOMEN-011111E0 9.01.L BUSINESS kWOSIN EuGIBLE uNDER THE wOKEROHNED SMALL BUSNESSPRO3FLAM • HUOZONE SWILL talcs: 334512 alStAESS EOMS8 O SERVICEZCSABLED SIZE STANDARD: Employees VETESIMOWICO SHILL BUSNESS 81.4 11. UNLESS DELNERY FOR FOB DESTINATION BLOCK IS MARKED EE S CHEDULE 12 DISCOUNT TERMS NET 30 K IS. THIS CONTRACT IS A (RATED RAT ORDER UNDER PAS CFR 7001 13b. RATING 14. METHOD OF SOLICITATION K S RFO K IFB K RFP 15. DELNER TO CODE I5BNYM W. ADMINISTERED BY COOS I BNEF Federal Bureau of Prisons MCC New York 150 Park Row New York. NY 10007 Federal Bureau of Prisons NE Finance Center- FCI Fort Dix NE FINANCE CENTER BLDG 5756 HARTFORD ROAD Joint Base MDL, NJ 08640 17a. CONTRACTOR' CMEI42i578695 I FACI CODE LITY 171856222 18a. PAYMENT WILL BE MADE BY CODE BFTD OFFEROR SIGNETTECHNOLOGIES. INC- 12300 KILN COURT SUITE E BELTSVILLE. MD 20705-1357 DUNS: 17185/1222 TELEPHONE NO Federal Bureau of Prisons ATfN: NYM ACCOUNT. FCI Fon Dix PAYABLE P.O. Box 38 NER Finance Center - Acccounting Joint Base MDL. NJ 08640 MI 7b. CHECK IF REMITTANCE IS DIFFERENT AND PUT SUCH ADDRESS IN 18b. SUBMIT INVOICES TO ADDRESS SHCAVN IN BLOCK 1Ba UNLESS BLOCK BELOW IS CHECKED K OFFER SEE ADDENDUM 19. ITEM NO. 20. SCHEDULE OF SUPPLIES/SERVICES 21. QUANTITY 22. UNIT 23. UNIT PRICE 24. AMOUNT Delivery Date: 09/28/2018 MCC NEW YORK - CAMERA SYSTEM Provide services in accordance with the FSS. SOW and technical proposal. GSA: GS-07F-0322T See Continuation Sheet(s) Oaf .....(nota. Aiwa% Miasma, 3l.....\'... i 25. ACCOUNTING AND APPROPRIATION DATA SA-2018-02-FP021452PI-29F-3100-2018 6 TOTAL AWARD AMOUNTTM: Gut Use OWN 5698.108.99 ▪ 27a. SOLICITATION INCORPORATES BY REFERENCE FAR 52.212-1. 52.212-0. FAR 52.2123 AND 62.212-6 ARE ATTACHED. ADDENDA ARE DARE NOT ATTACHED ▪ 27b. CONTRACDPUROIASE ORDER INCORPORATES BY REFERENCE FAR 52.212-1. FAR 52.2125 IS ATTACHED. ADDENDA N 28. CONTRACTOR IS REQUIRED TO SIGN THIS DOCUMENT AND RETURN I COPIES TO 29. AWARD OF CONTRACT: REF. OFFER ISSUING OFFICE. CONTRACTOR AGREES TO FURNISH AND DELIVER ALL ITEMS SET FORTH 9 DATED . YOUR OFFER ON SOLICITATION (MOCK 5) OR OTHERWISE IDENTIFIED ABOVE AND ON ANY ADDITIONAL SHEETS SUBJECT TO THE INCLUDING ANY ADDITIONS OR CHANGES WHICH ARE SET FORTH HEREIN. TERMS AND CONDITIONS SPECIFED IS ACCEPTED AS TO ITEMS: ARE D ARE NOT ATTACHED AUTHORIZED FOR LOCAL REPRODUCTION PREVIOUS EDITION IS NOT USABLE STANDARD FORM 1449 (REV. 212012) Presaited by GSA. FAR fa CFR) 53212 EFTA00127472 15BNYM18FTP120150 Page 2 of 15 ITEr: `.1,-; 20. SCHEDULE OF SUPPLIESSERVICES 21. OUANTITY 22. UNIT 23. UNIT PRICE 24. AMOUNT 32a. OUANTITY IN COLUMN 21 HAS BEEN 0 RECEIVED 0 INSPECTED K ACCEPTED, AND CONFORMS TO THE CONTRACT. EXCEPT AS NOTED: 32b. SIGNATURE OF AUTHORIZED GOVERNMENT REPRESENTATIVE 32c. DATE 32d. PRINTED NAME AND TITLE OF AUTHORIZED GOVERNMENT REPRESENTATIVE 32a. MAILING ADDRESS OF AUTHORIZED GOVERNMENT REPRESENTATIVE 32f. TELEPHONE NUMBER OF AUTHORIZED GOVERNMENT REPRESENTATIVE 32g. E-MAIL OF AUTHORIZED GOVERNMENT REPRESENTATIVE 33. SHIP NUMBER 34. VOUCHER NUMBER 35. AMOUNT VERIFIED CORRECT FOR 36. PAYMENT COMPLETE PARTIAL O FINAL 37. CHECK NUMBER PARTIAL I I FINAL 38. SR ACCOUNT NUMBER 39. SR VOUCHER NUMBER 40. PAID BY 41a. I CERTIFY THIS ACCOUNT IS CORRECT AND PROPER FOR PAYMENT 42a. RECEIVED BY (Print) 41b. SIGNATURE AND TITLE OF CERTIFYING OFFICER 41c. DATE 42b. RECEIVED AT (Location) 42c. DATE RECO (YWMAtliDO 42d. TOTAL CONTAINERS STANDARD FORM 1449 (REV. 02,2012) SACK EFTA00127473 15BNYM18FTP120150 Page 3 of 15 Table of Contents Section Description Pape Number Solicitation/Contract Form 2 Commodity or Services Schedule 4 3 Contract Clauses 6 52.21.603.70 Contracting Officer's Representative (COR) (June 2012) 6 2852.223.70 Unsafe Conditions Due to the Presence of Hazardous Material (June 1996) 6 52.24.403.70 Notice of Contractor Personnel Security Requirements (OCT 2005) 6 52.27.103.72 DOJ CONTRACTOR RESIDENCY REQUIREMENT BUREAU OF PRISONS (JUNE 2004) 8 DJAR-PGD-15.02.1B Contractor Internal Confidentiality Agreements or Statements Prohibiting or Restricting Reporting of Waste, Fraud, and Abuse - Solicitation - (DEVIATION 2015.02) (March 2015) 8 DJAR-PGD-15.03 Security of Department Information and Systems 8 BOP 2852.242-71 EVALUATION OF CONTRACTOR PERFORMANCE UTILIZING CPARS (APR 2011) 13 508 COMPLIANCE WITH SECTION 508 OF THE REHABILITATION ACT OF 1973, 1998 AMENDMENTS 13 DJAR-PGD-15.02.2A Corporate Representation Regarding Felony Conviction Under Any Federal Law or Unpaid Delinquent Tax Liability - Award (DEVIATION 2015.02) (March 2015) 13 4 List of Attachments 15 EFTA00127474 15BNYM18FTP120150 Page 4 of 15 Section 2 - Commodity or Services Schedule SCHEDULE OF SUPPLIES/SERVICES CONTINUATION SHEET ITEM NO. SUPPLIES/SERVICES QUANTITY UNIT UNIT PRICE AMOUNT 0001 NV-ENT-CH 350.000000 EA $239.4000 $83/90.00 for Nice Vision Ente Single License rprise package video/audio channel 0002 NV-SVR9820-RIN6-RIN1-80TB 4.000000 EA $22,184.4000 $88.737.60 VISIONHUB SMART VIDEO RECORDER 9820. 2U WITH INTERNAL RAID6 + RAID 1 80TB NET STORAGE 0003 NV-ENT-RSVR-ICH 350.000000 OR $66.5000 $23.275.00 RECORDER REDUNDANCY LICENSE PER 1 CHANNEL 0004 NV-ENT-NUVUPG-NET2X NET31 1.000000 EA $0.0000 $0.00 ENTERPRISE SOFTWARE PACKAGE MAJOR VERSION UPGRADE FOR SITE. USERS AND CHANNELS FROM NET 2.X TO NET 3.1 0005 NV-NIVD5204 1.000000 EA 53.800.4800 53.800.48 NICEVISION DECODER 5204 SUPPORTING UP TO 4 VIDEO OUTPUTS (IU) 0006 SGT-AMS 1.000000 EA $4,389.0000 $4.389.00 AMS SERVER 0007 NV-NIVE-2016 22.000000 EA S2A93/500 554.862.50 NICEVISION H.264 ENCODER SUPPORTING 16 CAMERAS AT 30/25FPS IN 4CIF RESOLUTION. INCLUDES DUAL PS 0008 1OM62WR-89 135.000000 EA $517.3700 $69.844.95 IP CAMERA 0009 SIGNET LABOR 1.000000 EA $243.523.0000 $243.523.00 0010 NV-ED-RMK 11.000000 EA $119.7000 $1.316.70 NICE VISION ENCODER/DECODER RACK MOUNT KIT SUPPORTING 4 NVEJNVD 1002 (FOR NOT-XT-MODELS). OR 6 NVE/NVD 1002 POWER S 0011 OUTDOOR PTZ/1080P/X32/IP 17.000000 EA $2.500.0000 $42.500.00 0012 O8414LVS 75.000000 EA $1.050.0000 $78,750.00 CORNER /VA NCAM/1.3MM 0013 WALL MOUNT 17.000000 EA $8a0000 $1,394.00 WALL FOR O6055-E 0014 T98AI18-VE ONVERTER MEDIA 8.000000 EA $240.7200 $1.925.76 C CABINET FUNDING DETAILS: ITEM NO. FUNDING LINE OBLIGATED AMOUNT ACCOUNTING CODES NA I $698,108.99 SA-2018-02-FP021452P1-29F-3100-2018 TOTAL: $698,108.99 EFTA00127475 15BNYM18FTP120150 Page 5 of 15 Large Business EFTA00127476 15BNYM18FTP120150 Page 6 of 15 Section 3 - Contract Clauses Clauses By Full Text 52.21.603-70 Contracting Officer's Representative (COR) (June 2012) (a . MCC NEW YORK,JArea Code and Telephone Numberl, is hereby designated as the Contracting Officer's Representative (COR) under this contract. (b) The COR is responsible, as applicable, for: receiving all deliverables, inspecting and accepting the supplies or services provide hereunder in accordance with the terms and conditions of this contract; providing direction to the contractor which clarifies the con- tractor effort, fills in details or otherwise serves to accomplish the contractual Scope of Work; evaluating performance; and certifying all invoices/vouchers for acceptance of the supplies or services furnished for payment. (c) The COR does not have the authority to alter the contractor's obligations under the contract, and/or modify any of the expressed terms, conditions, specifications, or cost of the agreement. If as a result of technical discussions it is desirable to alter/change contrac- tual obligations or the Scope of Work, the Contracting Officer shall issue such changes. 2852.223-70 Unsafe Conditions Due to the Presence of Hazardous Material (June 1996) (a) "Unsafe condition" as used in this clause means the actual or potential exposure of contractor or Government employees to a haz- ardous material as defined in Federal Standard No. 313, and any revisions thereto during the term of this contract, or any other materi- al or working condition designated by the Contracting Officer's Technical Representative (COTR) as potentially hazardous and requir- ing safety controls. (b) The Occupational Safety and Health Administration (OSHA) is responsible for issuing and administering regulations that require contractors to apprise its employees of all hazards to which they may be exposed in the course of their employment; proper conditions and precautions for safe use and exposure; and related symptoms and emergency treatment in the event of exposure. (c) Prior to commencement of work, contractors are required to inspect for and report to the contracting officer or designee the pres- ence of, or suspected presence of, any unsafe condition including asbestos or other hazardous materials or working conditions in areas in which they will be working. (d) If during the performance of the work under this contract, the contractor or any of its employees, or subcontractor employees, dis- covers the existence of an unsafe condition, the contractor shall immediately notify the contracting officer, or designee, (with written notice provided not later than three (3) working days thereafter) of the existence of an unsafe condition. Such notice shall include the contractor's recommendations for the protection and the safety of Government, contractor and subcontractor personnel and property that may be exposed to the unsafe condition. (e) When the Government receives notice of an unsafe condition from the contractor, the parties will agree on a course of action to mitigate the effects of that condition and, if necessary, the contract will be amended. Failure to agree on a course of action will consti- tute a dispute under the Disputes clause of this contract. (f) Nothing contained in this clause shall relieve the contractor or subcontractors from complying with applicable Federal, State, and local laws, codes, ordinances and regulations (including the obtaining of licenses and permits) in connection with hazardous material including but not limited to the use, disturbance, or disposal of such material. (End of Clause) 52.24-403.70 Notice of Contractor Personnel Security Requirements (OCT 2005) Compliance with Homeland Security Presidential Directive-12 (HSPD-12) and Federal Information Processing Standard Publication 201 (FIPS 201) I entitled "Personal Identification Verification (PIV) for Federal Employees and Contractors," Phase I. 1. Long-Term Contractor Personnel: In order to be compliant with HSPD-12/PIV I, the following investigative requirements must be met for each new long-term 2 con- tractor employee whose background investigation (BI) process begins on or after October 27, 2005: a. Contractor Personnel must present two forms of identification in original form prior to badge issuance (acceptable documents are listed in Form I-9, OMB No. 1615.0047, "Employment Eligibility Verification: and at least one document must be a valid State or EFTA00127477 15BNYM18FTP120150 Page 7 of 15 Federal government-issued picture ID); b. Contractor Personnel must appear in person at least once before a DOJ official who is responsible for checking the identification documents. This identity proofing must be completed sometime during the clearance process but prior to badge issuance and must be documented by the DOJ official; c. Contractor Personnel must undergo a BI commensurate with the designated risk level associated with the duties of each position. Outlined below are the minimum BI requirements for each risk level: • High Risk - Background Investigation (5 year scope) • Moderate Risk - Limited Background Investigation (LBI) or Minimum Background Investigation (MBI) • Low Risk - National Agency Check with Inquiries (NACI) investigation d. The pre-appointment B1 waiver requirements for all position sensitivity levels are a: Favorable review of the security questionnaire form: 2) Favorable fingerprint results; 3) Favorable credit report, if required;3 4) Waiver request memorandum, including both the Office of Personnel Management schedule date and position sensitivity/risk level; and 5) Favorable review of the National Agency Check (NAC) 4 portion of the applicable BI that is determined by position sensitivity/risk level. A badge may be issued following approval of the above waiver requirements. If the NAC is not received within five days of OPM's scheduling date, the badge can be issued based on a favorable review of the Se- curity Questionnaire and the Federal Bureau of Investigation Criminal History Check (i.e., fingerprint check results). e. Badge re-validation will occur once the investigation is completed and favorably adjudicated. If the BI results so justify, badges is- sued under these procedures will be suspended or revoked. 2. Short-Term Contractor Personnel: It is the policy of the DOJ that short-term contractors having access to DOJ information systems and/or DOJ facilities or space for six months or fewer are subject to the identity proofing requirements listed in items la. and lb. above. The pre-appointment waiver re- quirements for short-term contractors are: a. Favorable review of the security questionnaire form; b. Favorable fingerprint results; c. Favorable credit report, if required;5 and d. Waiver request memorandum indicating both the position sensitivity/risk level and the duration of the appointment. The commen- surate BI does not need to be initiated. A badge may be issued following approval of the above waiver requirements and the badge will expire six months from the date of is- suance. This process can only be used once for a short-term contractor in a twelve month period. This will ensure that any consecutive short-term appointments are subject to the full PIV-I identity proofing process. For example, if a contractor employee requires daily access for a three or four-week period, this contractor would be cleared according to the above short-term requirements. However, if a second request is submitted for the same contractor employee within a twelve- month period for the purpose of extending the initial contract or for employment under a totally different contract for another three or four-week period, this contractor would now be considered "long-term" and must be cleared according to the long-term requirements as stated in this interim policy. 3. Intermittent Contractors: An exception to the above-mentioned short-term requirements would be intermittent contractors. a. For purposes of this policy, "intermittent" is defined as those contractor employees needing access to DOJ information systems and/ or DOJ facilities or space for a maximum of one day per week, regardless of the duration of the required intermittent access. For ex- ample, the water delivery contractor that delivers water one time each week and is working on a one-year contract. b. Contractors requiring intermittent access should follow the Department's escort policy. Please reference the August 11, 2004, and January 29, 2001, Department Security Officer policy memoranda that conveys the requirements for contractor facility escorted ac- cess. c. Due to extenuating circumstances, if a component requests unescorted access or DOJ IT system access for an intermittent contract- or, the same pre-employment background investigation waiver requirements that apply to short-term contractors are required. d. If an intermittent contractor is approved for unescorted access, the contractor will only be issued a daily badge. The daily badge will be issued upon entrance into a DOJ facility or space and must be returned upon exiting the same facility or space. e. If an intermittent contractor is approved for unescorted access, the approval will not exceed one year. If the intermittent contractor requires unescorted access beyond one year, the contractor will need to be re-approved each year. 4. An individual transferring from another department or agency shall not be re-adjudicated provided the individual has a current (within the last five years), favorably adjudicated III meeting HSPD-12 and DOJ's B1 requirements. 5. The DOJ's current escorted contractor policy remains unchanged by this acquisition notice. Notes: 1. FIPS 201 is available at: www.csrc.nist.govfpublicationsffips/fips201/FIPS-201-022505.pdf 2. Under HSPD-I 2, long-term contractors are contractors having access to DOJ information systems and/or DO] facilities or space for six months or longer. The PIV-I identity proofing process, including initiation and adjudication of the required background investiga- tion, is required for all new long-term contractors regardless of whether it is the current practice to issue a badge. The second phase of HSPD-I 2 implementation (PIV-II) requires badge issuance to all affected long-term contractors. 3. For contractors in position sensitivity/risk levels above level I, a favorable review of a credit check is required as part of the pre- appointment waiver package. EFTA00127478 15BNYM18FTP120150 Page 8 of 15 4. In order to avoid a delay in the hiring process, components should request an Advance NAC Report when initiating investigations to OPM. Per OPM ' s instructions, to obtain an Advance NAC Report, a Code " 3" must be placed in block " B " of the " Agency Use Only " section of the investigative form. This report is available for all case types. 5.For contractors in position sensitivity/risk levels above level 1. a favorable review of a credit check is required as part of the pre- appointment waiver package. [End of Clause] 52.27-103.72 DOI CONTRACTOR RESIDENCY REQUIREMENT BUREAU OF PRISONS (JUNE 2004) For three of the five years immediately prior to submission of an offer/bid/quote, or prior to performance under a contract or commit- ment, individuals or contractor employees providing services must have: 1. Legally resided in the United States (U.S.); 2. worked for the U.S. overseas in a Federal or military capacity; or 3. been a dependent of a Federal or military employee serving overseas. If the individual is not a U.S. citizen, they must be from a country allied with the U.S. The following website provides current inform- ation regarding allied countries: http://www.opm.gov/employ/htmlicilizen.htm By signing this contract or commitment document, or by commencing performance, the contractor agrees to this restriction. [End of Clause] DJAR-PGD-15.02-1B Contractor Internal Confidentiality Agreements or Statements Prohibiting or Restricting Reporting of Waste, Fraud, and Abuse - Solicitation - (DEVIATION 2015.02) (March 2015) None of the funds appropriated to the Department under its current Appropriations Act may be used to enter into a contract, grant, or cooperative agreement with an entity that requires employess or contractors of such entity that requires employees or contractors of such entity seeking to report fraud, waste, and abuse to sign internal confidentiality agreements or statements prohibiting or otherwise restricting such employees or contractors from lawfully reporting such waste, fraud, ora hose to a designated investigative or law en- forcement representative of a Federal department or agency authorized to receive such information. By submitting a response to this solicitation, the contractor certifies that it does not require employees or contractors of the contractor seeking to report fraud, waste, and abuse to sign internal confidentiality agreements or statements prohibiting or otherwise restricting such employees or contractors from lawfully reporting waste, fraud, and abuse to a designated investigative or law enforcement representative of a Federal depart- ment or agency authorized to receive such information. (End of Provision) DJAR-PGD-15.03 Security of Department Information and Systems I. Applicability to Contractors and Subcontractors This clause applies to all contractors and subcontractors, including cloud service providers ("CSPs"), and personnel of contractors, subcontractors, and CSPs (hereinafter collectively, "Contractor") that may access, collect, store, process, maintain, use, share, retrieve, disseminate, transmit, or dispose of DOJ Information. It establishes and implements specific DOJ requirements applicable to this Con- tract. The requirements established herein are in addition to those required by the Federal Acquisition Regulation ("FAR"), including FAR 11.002(g) and 52.239-I, the Privacy Act of 1974, and any other applicable laws, mandates, Procurement Guidance Documents, and Executive Orders pertaining to the development and operation of Information Systems and the protection of Government Informa- tion. This clause does not alter or diminish any existing rights, obligation or liability under any other civil and/or criminal law, rule, regulation or mandate. IL General Definitions The following general definitions apply to this clause. Specific definitions also apply as set forth in other paragraphs. A. infamafia' means any communication or representation of knowledge such as facts, data, or opinions, in any form or me- dium, including textual, numerical, graphic, cartographic, narrative, or audiovisual. Information includes information in an electronic format that allows it be stored, retrieved or transmitted, also referred to as "data," and "personally identifiable information" ("P11"), re- gardless of form. B. Personally Identifiable Information (or Pill means any information about an individual maintained by an agency, includ- ing, but not limited to. information related to education, financial transactions, medical history, and criminal or employment history and information, which can be used to distinguish or trace an individual's identity, such as his or her name, social security number, EFTA00127479 15BNYM18FTP120150 Page 9 of 15 date and place of birth, mother's maiden name, biometric records, etc., including any other personal information which is linked or linkable to an individual. C. DOJ Information means any Information that is owned, produced, controlled, protected by, or otherwise within the custody or responsibility of the DOI. including, without limitation, Information related to DOJ programs or personnel. It includes, without lim- itation. Information (I) provided by or generated for the DOJ, (2) managed or acquired by Contractor for the DOJ in connection with the performance of the contract, and/or (3) acquired in order to perform the contract. D. Information System means any resources, or set of resources organized for accessing, collecting, storing, processing, main- taining, using, sharing, retrieving, disseminating, transmitting, or disposing of (hereinafter collectively, "processing, storing, or trans- mitting") Information. E. Covered Information System means any information system used fir, involved with, or allowing, the processing, storing, or transmitting of DO1 Information. Confidentiality and Non-disclosure of DOJ Information A. Preliminary and final deliverables and all associated working papers and material generated by Contractor containing DOJ Information are the property of the U.S. Government and must be submitted to the Contracting Officer ("CO") or the CO's Represent- ative ("COR") at the conclusion of the contract. The U.S. Government has unlimited data rights to all such deliverables and associated working papers and materials in accordance with FAR 52.227-14. B. All documents produced in the performance of this contract containing DOJ Information are the property of the U.S. Gov- ernment and Contractor shall neither reproduce nor release to any third-party at any time, including during or at expiration or termina- tion of the contract without the prior written permission of the CO. C. Any DOJ information made available to Contractor under this contract shall be used only for the purpose of performance of this contract and shall not be divulged or made known in any manner to any persons except as may be necessary in the performance of this contract. In performance of this contract, Contractor assumes responsibility for the protection of the confidentiality of any and all DOJ Information processed. stored, or transmitted by the Contractor. When requested by the CO (typically no more than annually), Contractor shall provide a report to the CO identifying, to the best of Contractor's knowledge and belief, the type, amount, and level of sensitivity of the DOJ Information processed, stored, or transmitted under the Contract, including an estimate of the number of indi- viduals for whom PII has been processed, stored or transmitted under the Contract and whether such information includes social secur- ity numbers (in whole or in part). IV. Compliance with Information Technology Security Policies, Procedures and Requirements A. For all Covered Information Systems, Contractor shall comply with all security requirements, including but not limited to the regulations and guidance found in the Federal Information Security Management Act of 2014 ("FISMA"), Privacy Act of 1974, E- Government Act of 2002, National Institute of Standards and Technology ("NIST') Special Publications ("SF'), including NIST SP 800-37, 800.53, and 800.60 Volumes I and II, Federal Information Processing Standards ("FIPS") Publications 140.2, 199, and 200, OMB Memoranda, Federal Risk and Authorization Management Program ("FedRAMP"), DOJ IT Security Standards, including DOJ Order 2640.2, as amended. These requirements include but are not limited to: 1. Limiting access to DOJ Information and Covered Information Systems to authorized users and to transactions and functions that authorized users are permitted to exercise; 2. Providing security awareness training including, but not limited to, recognizing and reporting potential indicators of insider threats to users and managers of DOJ Information and Covered Information Systems; 3. Creating, protecting, and retaining Covered Information System audit records, reports. and supporting documentation to en- able reviewing, monitoring, analysis, investigation, reconstruction, and reporting of unlawful, unauthorized, or inappropriate activity related to such Covered Information Systems and/or DOJ Information; 4. Maintaining authorizations to operate any Covered Information System; 5. Performing continuous monitoring on all Covered Information Systems; 6. Establishing and maintaining baseline configurations and inventories of Covered Information Systems, including hardware, software, firmware, and documentation, throughout the Information System Development Lifecycle, and establishing and enforcing security configuration settings for IT products employed in Information Systems; 7. Ensuring appropriate contingency planning has been performed, including DOJ Information and Covered Information Sys- tem backups; EFTA00127480 15BNYM18FTP120150 Page 10 of 15 8. Identifying Covered Information System users, processes acting on behalf of users, or devices, and authenticating and veri- fying the identities of such users, processes, or devices, using multifactor authentication or HSPD-12 compliant authentication meth- ods where required; 9. Establishing an operational incident handling capability for Covered Information Systems that includes adequate prepara- tion, detection, analysis, containment, recovery, and user response activities, and tracking, documenting, and reporting incidents to ap- propriate officials and authorities within Contractor's organization and the DOJ; 10. Performing periodic and timely maintenance on Covered Information Systems, and providing effective controls on tools, techniques, mechanisms, and personnel used to conduct such maintenance; 12. Protecting Covered Information System media containing DOJ Information, including paper, digital and electronic media; limiting access to DOJ Information to authorized users; and sanitizing or destroying Covered Information System media containing DOJ Information before disposal, release or reuse of such media; 13. Limiting physical access to Covered Information Systems, equipment, and physical facilities housing such Covered Informa- tion Systems to authorized U.S. citizens unless a waiver has been granted by the Contracting Officer ("CO"), and protecting the phys- ical facilities and support infrastructure for such Information Systems; 14. Screening individuals prior to authorizing access to Covered Information Systems to ensure compliance with DOJ Security standards; 15. Assnsing the risk to DOJ Information in Covered Information Systems periodically, including scanning for vulnerabilities and remediating such vulnerabilities in accordance with DOJ policy and ensuring the timely removal of assets no longer supported by the Contractor; 16. Assa-csing the security controls of Covered Information Systems periodically to determine if the controls are effective in their application, developing and implementing plans of action designed to correct deficiencies and eliminate or reduce vulnerabilities in such Information Systems, and monitoring security controls on an ongoing basis to ensure the continued effectiveness of the controls; 17. Monitoring, controlling, and protecting information transmitted or received by Covered Information Systems at the external boundaries and key internal boundaries of such Information Systems, and employing architectural designs, software development techniques, and systems engineering principles that promote effective security; and 18. Identifying, reporting, and correcting Covered Information System security flaws in a timely manner, providing protection from malicious code at appropriate locations, monitoring security alerts and advisories and taking appropriate action in response. B. Contractor shall not process, store, or transmit DOJ Information using a Covered Information System without first obtaining an Authority to Operate ("ATO") for each Covered Information System. The ATO shall be signed by the Authorizing Official for the DOJ component responsible for maintaining the security, confidentiality, integrity, and availability of the DOJ Information under this contract. The DOJ standards and requirements for obtaining an ATO may be found at DOJ Order 2640.2, as amended. (For Cloud Computing Systems, see Section V, below.) C. Contractor shall ensure that no Non-U.S. citizen accesses or assists in the development, operation, management, or mainten- ance of any DOJ Information System, unless a waiver has been granted by the by the DOJ Component Head (or his or her designee) responsible for the DOJ Information System, the DOJ Chief Information Officer, and the DOJ Security Officer. D. When requested by the DOJ CO or COR, or other DOJ official as described below, in connection with DOJ's efforts to en- sure compliance with security requirements and to maintain and safeguard against threats and hazards to the security, confidentiality, integrity, and availability of DOJ Information, Contractor shall provide DOJ, including the Office of Inspector General ("OIG") and Federal law enforcement components, (I) access to any and all information and records, including electronic information, regarding a Covered Information System, and (2) physical access to Contractor's facilities, installations, systems, operations, documents, records, and databases. Such access may include independent validation testing of controls, system penetration testing, and FISMA data re- views by DOJ or agents acting on behalf of DOJ, and such access shall be provided within 72 hours of the request. Additionally, Con- tractor shall cooperate with DOJ's efforts to ensure, maintain, and safeguard the security, confidentiality, integrity, and availability of DOJ Information. E. The use of Contractor-owned laptops or other portable digital or electronic media to process or store DOJ Information covered by this clause is prohibited until Contractor provides a letter to the DOJ CO, and obtains the CO's approval, certifying com- pliance with the following requirements: 1. Media must be encrypted using a NIST FIPS 140-2 approved product; 2. Contractor must develop and implement a process to ensure that security and other applications software is kept up-to-date; EFTA00127481 15BNYM18FTP120150 Page 11 01 15 3. Where applicable, media must utilize antivirus software and a host-based firewall mechanism: 4. Contractor must log all computer-readable data extracts from databases holding DOJ Information and verify that each ex- tract including such data has been erased within 90 days of extraction or that its use is still required. All DOJ Information is sensitive information unless specifically designated as non-sensitive by the DOJ; and, 5. A Rules of Behavior ("ROB") form must be signed by users. These rules must address, at a minimum, authorized and offi- cial use, prohibition against unauthorized users and use, and the protection of DOJ Information. The form also must notify the user that he or she has no reasonable expectation of privacy regarding any communications transmitted through or data stored on Contract- or-owned laptops or other portable digital or electronic media. F. Contractor-owned removable media containing DOJ Information shall not be removed from DOJ facilities without prior ap- proval of the DOJ CO or COR. G. When no longer needed, all media must be processed (sanitized, degaussed, or destroyed) in accordance with DOJ security requirements. H. Contractor must keep an accurate inventory of digital or electronic media used in the performance of DOJ contracts. I. Contractor must remove all DOJ Information from Contractor media and return all such information to the DOJ within 15 days of the expiration or termination of the contract, unless otherwise extended by the CO, or waived (in part or whole) by the CO, and all such information shall be returned to the DOJ in a format and form acceptable to the DOJ. The removal and return of all DOJ Information must be accomplished in accordance with DOJ IT Security Standard requirements, and an official of the Contractor shall provide a written certification certifying the removal and return of all such information to the CO within 15 days of the removal and return of all DOJ Information. J. DOJ, at its discretion, may suspend Contractor's access to any DOJ Information, or terminate the contract, when DOJ sus- pects that Contractor has failed to comply with any security requirement, or in the event of an Information System Security Incident (see Section V.E. below), where the Department determines that either event gives cause for such action. The suspension of access to DOJ Information may last until such time as DOJ, in its sole discretion, determines that the situation giving rise to such action has been corrected or no longer exists. Contractor understands that any suspension or termination in accordance with this provision shall be at no cost to the DOJ, and that upon request by the CO, Contractor must immediately return all DOJ Information to DO], as well as any media upon which DOJ Information resides, at Contractor's expense. V. Cloud Computing A. Cloud Computing means an Information System having the essential characteristics described in NIST SP 800-145, The NIST Definition of Cloud Computing. For the sake of this provision and clause, Cloud Computing includes Software as a Service, Platform as a Service, and Infrastructure as a Service, and deployment in a Private Cloud, Community Cloud, Public Cloud, or Hybrid Cloud. B. Contractor may not utilize the Cloud system of any CSP unless: 1. The Cloud system and CSP have been evaluated and approved by a 3PAO certified under FedRAMP and Contractor has provided the most current Security Assessment Report ("SAR") to the DOJ CO for consideration as part of Contractor's overall Sys- tem Security Plan, and any subsequent SARs within 30 days of issuance, and has received an ATO from the Authorizing Official for the DOJ component responsible for maintaining the security confidentiality, integrity, and availability of the DOJ Information under contract; or, 2. If not certified under FedRAMP, the Cloud System and CSP have received an ATO signed by the Authorizing Official for the DOJ component responsible for maintaining the security, confidentiality, integrity, and availability of the DOJ Information under the contract. C. Contractor must ensure that the CSP allows DOJ to access and retrieve any DOJ Information processed, stored or transmit- ted in a Cloud system under this Contract within a reasonable time of any such request, but in no event less than 48 hours from the re- quest. To ensure that the DOJ can hilly and appropriately search and retrieve DOJ Information from the Cloud system, access shall in- clude any schemes, meta-data, and other associated data artifacts. VI. Information System Security Breach or Incident A. Definitions I . fonfirmed Security Breach (hereinafter, "Confirmed Breach") means any confirmed unauthorized exposure, loss of con- trol, compromise, exfiltration, manipulation, disclosure, acquisition, or accessing of any Covered Information System or any DOJ In- formation accessed by, retrievable from, processed by, stored on, or transmitted within, to or from any such system. EFTA00127482 15BNYM18FTP120150 Page 12 of 15 2. Potential Security Breach (hereinafter. "Potential Breach") means any suspected. but unconfirmed, Covered Information System Security Breach. 3. Security Incident means any Confirmed or Potential Covered Information System Security Breach. B. Confirmed Breach. Contractor shall immediately (and in no event later than within 1 hour of discovery) report any Con- firmed Breach to the DOJ CO and the CO's Representative ("CUR"). If the Confirmed Breach occurs outside of regular business hours and/or neither the DOJ CO nor the COR can be reached, Contractor must call DOJ-CERT at l-866-US4-CERT (1.866.874.2378) im- mediately (and in no event later than within I hour of discovery of the Confirmed Breach), and shall notify the CO and COR as soon as practicable. C. Potential Breach. 1. Contractor shall report any Potential Breach within 72 hours of detection to the DOJ CO and the COR, unless Contractor has (a) completed its investigation of the Potential Breach in accordance with its own internal policies and procedures for identification, investigation and mitigation of Security Incidents and (b) determined that there has been no Confirmed Breach. 2. If Contractor has not made a determination within 72 hours of detection of the Potential Breach whether an Confirmed Breach has occurred, Contractor shall report the Potential Breach to the DOJ CO and COR within one-hour (i.e., 73 hours from detec- tion of the Potential Breach). If the time by which to report the Potential Breach occurs outside of regular business hours and/or neither the DOJ CO nor the COR can be reached, Contractor must call the DOJ Computer Emergency Readiness Team (DOJ-CERT) at I -866-US4-CERT (I.866.874-2378) within one-hour (i.e., 73 hours from detection of the Potential Breach) and contact the DOJ CO and COR as soon as practicable. D. Any report submitted in accordance with paragraphs (B) and (C), above, shall identify (1) both the Information Systems and DOJ Information involved or at risk, including the type, amount, and level of sensitivity of the DOJ Information and, if the DOJ In- formation contains PH, the estimated number of unique instances of PII, (2) all steps and processes being undertaken by Contractor to minimize, remedy, and/or investigate the Security Incident, (3) any and all other information as required by the US-CERT Federal In- cident Notification Guidelines, including the functional impact, information impact, impact to recoverability, threat vector, mitigation details, and all available incident details; and (4) any other information specifically requested by theDOJ. Contractor shall continue to provide written updates to the DOJ CO regarding the status of the Security Incident at least every three (3) calendar days until in- formed otherwise by the DOJ CO. E. All determinations regarding whether and when to notify individuals and/or federal agencies potentially affected by a Secur- ity Incident will be made by DOJ senior officials or the DOJ Core Management Team at DOJ's discretion. F. Upon notification of a Security Incident in accordance with this section, Contractor must provide to DOJ full access to any affected or potentially affected facility and/or Information System, including access by the DOJ OIG and Federal law enforcement or- ganizations, and undertake any and all response actions DOJ determines are required to ensure the protection of DOJ Information, in- cluding providing all requested images, log files, and event information to facilitate rapid resolution of any Security Incident. G. DOJ, at its sole discretion, may obtain, and Contractor will permit, the assistance of other federal agencies and/or third party contractors or firms to aid in response activities related to any Security Incident. Additionally, DO1, at its sole discretion, may require Contractor to retain, at Contractor's expense, a Third Party Assessing Organization (3PAO), acceptable to DOJ, with expertise in in- cident response, compromise assessment, and federal security control requirements, to conduct a thorough vulnerability and security assessment of all affected Information Systems. H. Response activities related to any Security Incident undertaken by DO.1, including activities undertaken by Contractor, other federal agencies, and any third-party contractors or firms at the request or direction of DOJ, may include inspections, investigations, forensic reviews, data analyses and processing, and final determinations of responsibility for the Security Incident and/or liability for any additional response activities. Contractor shall be responsible for all costs and related resource allocations required for all such re- sponse activities related to any Security Incident, including the cost of any penetration testing. VII. Personally Identifiable Information Notification Requirement Contractor certifies that it has a security policy in place that contains procedures to promptly notify any individual whose Personally Identifiable Information ("PH") was, or is reasonably determined by DOJ to have been, compromised. Any notification shall be co- ordinated with the DOJ CO and shall not proceed until the DOJ has made a determination that notification would not impede a law en- forcement investigation or jeopardize national security. The method and content of any notification by Contractor shall be coordinated with, and subject to the approval of, DOJ. Contractor shall be responsible for taking corrective action consistent with DOJ Data Breach Notification Procedures and as directed by the DOJ CO, including all costs and expenses associated with such corrective ac- tion, which may include providing credit monitoring to any individuals whose Pll was actually or potentially compromised. VIII. Pass-through of Security Requirements to Subcontractors and CSPs EFTA00127483 15BNYM18FTP120150 Page 13 of 15 The requirements set forth in the preceding paragraphs of this clause apply to all subcontractors and CSPs who perform work in con- nection with this Contract, including any CSP providing services for any other CSP under this Contract, and Contractor shall flow down this clause to all subcontractors and CSPs performing under this contract. Any breach by any subcontractor or CSP of any of the provisions set forth in this clause will be attributed to Contractor. BOP 2852.242-71 EVALUATION OF CONTRACTOR PERFORMANCE UTILIZING CPARS (APR 2011) The services, although not directly supervised, shall be reviewed by Federal Bureau of Prisons (BOP) staff to ensure contract compli- ance. The contractor's performance will be evaluated in accordance with FAR 42.15. Contract monitoring reports will be prepared by the Contacting Officer's Representative (COR) and maintained in the contract file. In accordance with FAR 42.1502 and 42.1503, agencies shall prepare an evaluation of contractor performance and submit it to the Past Performance Information Retrieval System (PPIRS). The BOP utilizes the Department of Defense (DOD) web-based Contractor Performance Assessment Reporting System (CPARS) to provide contractor performance evaluations. The contractor shall provide and maintain a current e-mail address throughout the life of the contract. The contractor will receive an e-mail from the Focal Point thru the following website address webptsmh@navy.milwhen the contract is registered in CPARS. The e-mail will contain a "user ID" and temporary password to register in the CPARS system. The contractor must be registered to access and review its evaluation and/or provide a response. If assistance is required when registering, please contact the Contracting Staff/Focal Point. (End of Clause) 508 COMPLIANCE WITH SECTION 508 OF THE REHABILITATION ACT OF 1973, 1998 AMENDMENTS All electronic and information technology (Eli) procured through this solicitation and any resulting contract, task order, delivery or- der, or purchase order must meet the applicable accessibility standards at 36 CFR 1194. 36 CFR implements Section 508 of the Re- habilitation Act of 1973, as amended, and viewable at http://www.section508.gov (See Standards-Part 1194). Part 1194.21 - Software applications and operating systems Part 1194.22 - Web-Based Intranet and Internet Information and Applications Part 1194.23 — Telecommunications Products Part 1194.24 — Video and Multimedia Products Part 1194.25 — Self-Contained, Closed Products Part 1194.26 — Desktop and Portable Computers Part 1194.31 - Functional Performance Criteria Part 1194.41 - Information, documentation, and Support The contractor shall indicate for each line item in the schedule of items whether each product is compliant or noncompliant with the accessibility standards at 36 CFR 1194. Further, the offer must indicate where full details of compliance can be found (e.g., with of- fer, vendor's website or other location). (End of Clause) DJAR-PGD-15.02-2A Corporate Representation Regarding Felony Conviction Under Any Federal Law or Unpaid Delinquent Tax Liability - Award (DEVIATION 2015.02) (March 2015) (a) None of the funds made available by the Department's current Appropriations Act may be used to enter into a contract, memorandum of understanding, or cooperative agreement with a corporation - (1) convicted of a felony criminal violation under any Federal law within the preceding 24 months, where the awardinc agency is aware of the conviction, unless an agency has considered suspension or debarment of the corporation and made a determination that this further action is not necessary to protect the interests of the Government, or (2) that has any unpaid Federal tax liability that has been assessed, for which all judicial and administrat- ive remedies have been exhausted or have lapsed, and that is not being paid in a timely manner pursuant to an agreement with the authority responsible for collecting the tax liability, where the awarding agency is aware of the unpaid tax liability , unless an agency has considered suspension or debarment of the corporation and made a determination that this further action is not necessary to protect the interests of the Government. (b) By accepting this award or order, in writing or by performance, the offeror/contractor represents that- (1) the offeror is not a corporation convicted of a felony criminal violation under any Federal or State law EFTA00127484 15BNYM18FTP120150 Page 14 0115 within the preceding 24 months; and, (2) the offeror is not a corporation that has any unpaid Federal or State tax liability that has been assessed, for which all judicial and administrative remedies have been exhausted or have lapsed, and that is not being paid in a timely manner pursuant to an agreement with the authority responsible for collecting the tax liability. (End of Clause) EFTA00127485 15BNYM18FTP120150 Page 15 of 15 Section 4 - List of Attachments This Section Is Intentionally Left Blank EFTA00127486