Task Order No. 001 to Control No. NRC-33-05-339 · 2012. 11. 21.


ORDER FOR SUPPLIES OR SERVICES (Optional Form 347)

[Most fields of this form are not legible in the scan. The recoverable entries follow.]

Issuing office: U.S. Nuclear Regulatory Commission, Div. of Contracts, Washington, DC 20555

Place of inspection and acceptance: Rockville, MD

Supplies or services ordered: The Contractor shall provide the U.S. Nuclear Regulatory Commission with NSIR Secure LAN/Electronic Safe (SLES) System support, in accordance with the attached Statement of Work, the terms and conditions of GSA Contract No. GS-25F-0068J, and the attached SCHEDULE.

Amount: 136,883.86

ATTACHMENTS:

2. Statement of Work

3. NRC Form 187

4. Billing Instructions

TOTAL: 136,683.86


NRC-33-05-339-001, Attachment #1

SCHEDULE

TASKS 1 - 13 (PERIOD OF PERFORMANCE: 07/13/2005 - 04/12/2006)

[Rate table, not legible in this scan. Column headings: Item No.; Order No.; GSA IT Category; Functional Title; Est. Hours, Rate and Price for each rate period; Total Est. Hours; Total Sum. Rows: labor items, ODCs (Estimated Travel Amount)*, TOTAL.]

TOTAL ESTIMATED (CEILING) AMOUNT: [not legible]

TASKS 14 (Optional) - (PERIOD OF PERFORMANCE: 9 Months)

[Rate table with the same column headings, not legible in this scan. Legible entries: Subtotal, Labor: 37,027.19 and $297,965.43; Total Price: $264,639.24 and $37,927.19.]

TOTAL ESTIMATED VALUE (if Option is exercised): [not legible]

NRC-33-05-339-001, ATTACHMENT #2

STATEMENT OF WORK

NSIR Secure LAN/Electronic Safe (SLES) System

Background

The Office of Nuclear Security and Incident Response (NSIR) identified needs to better manage Safeguards Information (SGI) and classified documents and to transmit such information between authorized NRC staff in the headquarters, in the regions, and in the states as well as to authorized Federal agencies. The Secure LAN/Electronic Safe (SLES) system will provide the agency increased effectiveness in processing, handling, and storing these types of documents among individuals with a need to know. The secure information transmission mechanism will provide the agency more efficiency in transmitting SGI information/documents between authorized users.

Early work will focus on SGI information, then the solution will be expanded to include classified records. A pilot project has been initiated to create a prototype electronic records repository system. It is based on the NRC ADAMS documentation repository that uses FileNet as its underlying implementation. Though supporting various analysis goals around repository functionality and usability, the prototype applies a minimal communications architecture that cannot appropriately support remote access. The prototype uses Windows Active Directory Services to form a peer-to-peer configuration while the target SLES solution will require something more sophisticated to allow accessibility from outside the currently closed prototype communications architecture.

This statement of work addresses the definition of a secure network architecture that applies best practices from other agencies and can be demonstrated to meet the current security needs of the SLES system. This architecture definition and the related deliverables will provide technical insight needed for business case approval for the system.

Scope

To define a Local Area Network/Metropolitan Area Network/Wide Area Network architecture (LAN/MAN/WAN, hereafter referred to as the network architecture) for the SLES repository; author the appropriate security and planning documentation for the architecture; prove the architecture in the NRC environment; and analyze the ability for the architecture to be extended in accessibility and security level.

Objective

The objective of this SOW is to identify and prove a secure network architecture that supports improvement in NSIR's management of its official documents and agency records. The contractor shall perform an analysis, demonstrate an approach that works within NRC security constraints, and document the approach for security verification and project planning. Having performed these tasks for an environment that can support SGI records, the contractor shall define an environment that can support classified data and provide appropriate security and planning documentation.

In keeping with the Office of Management and Budget (OMB's) President's Management Agenda (PMA), best practices from other agencies are to be applied. This initiative to apply cross-agency solutions leverages the analysis of other government agencies and reduces duplicative work and the cost of delivering services.

The results of this statement of work will flow into a requirements document and into the alternatives analysis portion of the business case.

Contractor Personnel Skill set Requirements

The contractor shall provide personnel who have the requisite experience and knowledge of Risk Assessments and of communications, computer, and network security.

The contractor shall have the communication skills required to take the necessary actions to contact, meet with, discuss, and otherwise obtain information required to accomplish the items described in this statement of work on his/her own initiative without supervision. For example, the contractor is expected to collaborate with security experts within the NRC Office of Information Services (OIS) to author a security plan and have it reviewed.

Tasks

Work performed, and any output produced under this order, shall incorporate and be in accordance with applicable NRC policies and processes.

Contractor support is required in the following areas:

1. Project Management Plan

The contractor shall develop a detailed project plan specifying at a minimum a contractor staffing plan, the milestones, start/end dates for each activity and their dependencies, and the deliverables, to fulfill the NRC's SGI processing requirements, and to fulfill NRC's classified information processing requirements.

2. Analyze Technical Needs and Constraints

Contractor shall review the results of prior interviews of previously identified stakeholders and examine existing requirements and relevant information to understand the technical needs and the constraints on a secure SGI architecture. This task will involve reaffirming the appropriate stakeholders within NSIR, OIS, and other parts of the organization. It will also pull information from

* Records Management Analysis (RMA) of business processes and requirements analysis;

* The existing IT System Security Plan and Physical Security Plan;

* The August 2004 Secure LAN/Electronic Safe IT Investment Screening Form; and

* Other appropriate documents identified in the course of performing this task.

3. Analyze Candidate Solutions

The contractor shall analyze and present candidate solutions for the network architecture for the SLES.

The contractor shall analyze and identify options for the network architecture solution that best match the SGI processing requirements of NRC. As a minimum standard for acceptance, the solutions must also be in compliance with NIST/FIPS standards and requirements. Security technology solutions or products that are in use at other Government agencies may also be considered as solutions. The purpose of this analysis will be to assess the technical features, strengths, and weaknesses of the options, and to verify that the products will work within the existing NRC infrastructure. As a minimum standard, the network architecture analysis will present the results of the analyses of the candidate secure network architectures, and will identify and recommend the one security solution that best matches NRC SGI processing requirements.

4. Perform Risk Assessment

The contractor shall perform a risk assessment on the recommended solution for the SLES system. The assessment of risk and the development of system security plans are two important activities in an agency's information security program that directly support security accreditation and are required by the Federal Information System Management Act (FISMA) and OMB Circular A-130, Appendix III. Risk assessments influence the development of the security controls for information systems and generate much of the information needed for the associated system security plans. The risk assessment shall characterize the information processed by SLES using Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories. The risk assessment shall follow NIST SP 800-37 "Guide for the Security Certification and Accreditation of Federal Information Systems," and include the following:

* Identification of the information types processed by the system associated with the appropriate NIST SP 800-60 information type; the appropriate information sensitivity for confidentiality, integrity, and availability; and the rationale for the sensitivity

* Identification of SLES user types and associated roles and responsibilities

* Identification of risk assessment team members and their associations

* A description of the risk assessment approach and techniques, where the techniques include documentation review, interviews, observation, and hands-on system assessment

* A description of the risk scale used, including at a minimum, the potential impact as defined in FIPS 199, and likelihood as defined in NIST SP 800-30, Risk Management Guide for Information Technology Systems

* A list of potential system vulnerabilities

* A list of potential threat-sources applicable to the system, including natural, human, and environmental threat-sources

* A table of vulnerability and threat-source pairs and observations about each

* Detailed findings for each vulnerability and threat-source pair discussing the possible outcome if the pair is exploited; existing controls to mitigate the pair; the likelihood determination as high, moderate, or low; the impact determination expressed as high, moderate, or low; the overall risk rating based upon the risk scale; and the recommended controls to mitigate the risk

* A summary that includes the number of high, moderate, and low findings and provides a list of prioritized action items based upon the findings.

The risk assessment shall be documented in a report that follows the NRC Template for Risk Assessment Report. The report shall be delivered in draft form and then in final form after NRC comments are incorporated. The NRC IT Security staff review of the draft is required to ensure compliance. The NRC Senior IT Security Officer must approve the final to enable system accreditation.

The contractor will track any residual risk in the plan of action and milestones (POA&M). The contractor shall document the results of the process. This shall include documenting the risk number, a description of each risk, the type of risk (i.e., impacting the confidentiality, integrity, or availability), the level of risk (i.e., low, moderate, or high), the associated controls, and the action(s) required or actually performed to eliminate or minimize each risk. The goal is for NRC and contractor personnel to remediate all high and moderate security findings, and track the remaining security findings in the POA&M.

5. Define SGI Secure Network Architecture

Contractor shall define a network architecture that supports the needs of the SLES system and adheres to all the appropriate NRC environmental and security specifications for the storage and transmission of electronic SGI information within the agency as well as to external regions, states, and federal agencies. The architecture will be organized as shown in Attachment 2 and must:

* Provide a secure network for the SLES repository (appearing in the diagram as the item numbered 1);

* Include an element such as a firewall, portal, etc. that allows appropriately secure external access to the records within the internal secure network from an external network and any other required hardware or software (appearing in the diagram as the item numbered 2); and

* Define a client workstation configuration that can co-exist with the existing NRC environment and access the secure data (appearing in the diagram as the item numbered 3). The current standard NRC desktop hardware configuration is an IBM compatible workstation with an Intel Pentium III processor or higher (500 MHz or greater). The standard workstations have 128Mb RAM, 10G hard drives and an Intel Pro 100Bt LAN card. The agency workstation standard is NT 4.0 and Windows XP. The agency standard O/S is Novell 6.0. It is acceptable for the defined SLES client workstation solution to use an alternate networking card on the existing NRC workstations, or a separate thin-client workstation, or other solution as long as the cost and impact to the user are minimized.

* Identify any additional elements not explicitly called out here such as biometric devices, intrusion detection devices, Keyboard Video Mouse (KVM) switches, or special-purpose software frameworks or products.

Contractor shall produce a rendering of the proposed architecture with graphics and text to communicate it to appropriate NRC stakeholders.

6. Pilot Simulated SGI Secure Network Architecture

The contractor shall pilot the secure network architecture for SGI at the NRC facility to prove feasibility. The pilot test will conduct a pilot to satisfy both internal/external access to NRC SGI from inside/outside of NRC headquarters. The pilot shall be done within an isolated physical space with the "external" client simulated as being outside on the NRC-wide network accessing the secure records through the selected firewall/portal solution.

As a minimum standard, a Pilot Test Report document will contain user feedback, the identification of technical issues that need to be resolved, lessons learned, and any recommended enhancements that could assist in improving the performance of the product in the pilot test. The Pilot Test Report will also identify the resources, recommend product lease/buy alternatives, or discuss any other issues that will need to be addressed in order to deploy the solution to a much larger community of users at NRC.

7. Develop System Security Plan

The contractor shall develop a System Security Plan (SSP) for the SLES that takes into account remote access from the NRC network. The SLES SSP shall be developed in accordance with NIST SP 800-53 "Recommended Security Controls for Federal Information Systems," NIST SP 800-37 "Guide for the Security Certification and Accreditation of Federal Information Systems," and the NRC IT Security Plan Template. The contractor shall identify within the SSP the necessary security controls required to protect SLES, citing the security controls that are in place, those that are planned, and those that are not applicable. Where the SLES relies upon a control that is provided by another system (e.g. the NRC LAN/MAN/WAN), the specific control being relied upon shall be noted along with the name of the system providing that control. The contractor shall trace the security controls to specific documented guidance, NRC policy (e.g., Management Directives), infrastructure policy or procedures, or SLES-specific policy or procedures.


The system security plan shall be documented in a report that follows the NRC Template for System Security Plan. The report shall be delivered in draft form and then in pre-System Security Test and Evaluation (ST&E) form after NRC comments are incorporated. The NRC IT Security staff review of the draft is required to ensure compliance. The contractor shall update the system security plan after completion of the ST&E test report to reflect validated in-place and planned controls. The NRC Senior Information Technology Security Officer (SITSO) must approve the final to enable system accreditation.

8. Update Physical Security Plan

The contractor shall ensure that the Physical Security Plan (PSP) for the SLES applies to the new architecture with remote access to the SGI records. A current SLES PSP covering the existing As-Is architecture has been authored and has passed review from the NRC security staff. If necessary, the contractor shall update the PSP and organize a review by the NRC Security staff to ensure acceptance. The contractor shall update the document based on review comments and recommendations until it passes review.

9. Develop Contingency Plan

The contractor shall develop a contingency plan for the SLES system. The SLES contingency plan shall be developed in accordance with NIST SP 800-34 "Contingency Planning Guide for Information Technology Systems," NIST SP 800-37 "Guide for the Security Certification and Accreditation of Federal Information Systems," and the NRC Contingency Plan (CP) Template. The contractor shall provide detailed procedures for the notification and activation phase, recovery operations, and return to normal operations. The procedures shall contain sufficient detail that a technically trained individual not familiar with the system can successfully follow the procedures. The system contingency plan shall also contain sufficient personnel contact information to enable contact at all times, vendor contact information to enable contact at all times, equipment (hardware and software) and specification information to enable reconstitution of the system from scratch, all service level agreements and memoranda of understanding, the IT standard operating procedures for the system, identification of any systems that this system is dependent upon along with references for the applicable contingency plans, references to the emergency management plan and occupant evacuation plan, and references to the appropriate continuity of operations plan.

The system contingency plan shall be documented in a report that follows the NRC Template for System Contingency Plan. The report shall be delivered in draft form and then in pre-Test form after NRC comments are incorporated. The NRC IT Security staff review of the draft is required to ensure compliance. The contractor shall update the system contingency plan after completion of the contingency plan test report to reflect validated information. The NRC Senior IT Security Officer must approve the final to enable system accreditation.


10. Develop System Security Test and Evaluation Plan

The contractor shall develop a Security Test and Evaluation Plan with tests for the secure network architecture IT security requirements for the SLES system. The Security Test and Evaluation Plan shall be documented in a report that follows the NRC template. The system STE Plan shall be developed in accordance with NIST SP 800-53 "Recommended Security Controls for Federal Information Systems," NIST SP 800-37 "Guide for the Security Certification and Accreditation of Federal Information Systems," and the NRC System Security Test and Evaluation Plan Template. The STE Plan shall include detailed test procedures to ensure all IT security functional and assurance requirements are fully tested. The procedures shall contain sufficient detail that a technically trained individual not familiar with the system can successfully follow the procedures.

Execution of the test is outside the scope of this SOW. System security test and evaluation must be performed by someone (certification agent) who is independent from the persons directly responsible for the development of the information system and the day-to-day operation of the system.

11. Develop Contingency Plan (CP) Test and Report

The contractor shall test the SLES against a System Contingency Plan (CP) that has been approved by the NRC Senior Information Technology Security Officer (SITSO). Testing shall follow the test procedures documented in the CP. The contractor shall document the testing in a System Contingency Test Report (CP Test Report) for the SLES system. The SLES CP Test Report shall be developed in accordance with NIST SP 800-34 "Contingency Planning Guide for Information Technology Systems," NIST SP 800-37 "Guide for the Security Certification and Accreditation of Federal Information Systems," and the NRC Contingency Test Report Template.

The CP Test shall be documented in a report that follows the NRC Template for NRC Contingency Test Report. The CP Test Report shall identify all testing assumptions, constraints, and dependencies as well as any anomalies, impromptu tests, and deviations encountered during testing. The CP Test Report shall include the actual testing schedule and detailed test results for each test procedure outlining specific errors encountered. The CP Test Report shall include a table of test findings incorporating any test issues and recommendations. The CP Test Report shall identify any problems encountered during testing and identify the resulting action items for the system. The CP Test Report shall be delivered in draft form and then in final form after NRC comments are incorporated. The NRC Senior Information Technology Security Officer (SITSO) must approve the final CP Test Report to enable system accreditation.

12. Provide Data for Alternatives Analysis

The contractor shall provide appropriate information to support an alternative analysis of the Business Case including:


* Resources required to install and maintain the architecture;

* Cost summaries for initial investment (Staff, Software, Hardware, Installation/Test, etc.);

* Recurring cost summaries (Staff, License Maintenance, Upgrades, Support, etc.);

* Tangible and non-tangible benefits (where non-tangible benefits can be expressed in terms of improved mission performance, improved decision making, more reliable or useful information, etc.);

* Risk level (in such areas as Schedule, Cost, Feasibility, Reliability, Security, etc.); and

* Technologies used.

This information will be included in the SLES Business Case. The authoring of the Business Case is outside the scope of this SOW.

13. Define Classified Network Architecture

Having designed and piloted a secure network architecture supporting SGI information, contractor shall define a secure network architecture for SLES that will support classified records. The classified information network will not be piloted and will not require as deep of an analysis. Contractor shall produce a rendering of the proposed classified information architecture with graphics and text to communicate it to appropriate NRC stakeholders as well as providing an estimation of cost for said architecture.

14. Pilot SGI Secure Network Architecture (Optional task)

This is an Optional Task. If the Government elects to exercise Optional Task 14, a written modification to the resultant order, if any, is required from the Contracting Officer (CO) prior to initiation of any work by the Contractor.

Depending on the results of the SGI simulated processing pilot test in the secure room, NRC management approval to proceed, and availability of funding, the contractor shall extend the in-room pilot, and pilot the secure network architecture for SGI outside of the secure room at the NRC facility to prove feasibility. The pilot test will conduct a pilot to satisfy internal/external access to NRC SGI from inside/outside of NRC headquarters. The pilot shall be done with the client accessing the secure records through the selected solution as an internal NRC client as well as a remote regional, state, or federal client. The NRC Project Officer and the Contractor will meet to discuss the Deliverables and agree on a Delivery Schedule for this Optional Task, if exercised.

As a minimum standard, a Pilot Test Report document shall contain user feedback, the identification of technical issues that need to be resolved, lessons learned, and any recommended enhancements that could assist in improving the performance of the product in the pilot test.

15. GOVERNMENT FURNISHED EQUIPMENT/PROPERTY

(a) Based on the contractor's recommended candidate solutions for the network architecture for the SLES under Task 3 above, the NRC will procure and provide the contractor with the Hardware and Software necessary for the SLES pilot test(s) under this contract.

(b) The contractor shall be responsible and accountable for all Government property provided under this contract and shall comply with the provisions of the FAR Government Property Clause under this contract and FAR Subpart 45.5, as in effect on the date of this contract. The contractor shall investigate and provide written notification to the NRC Contracting Officer (CO) and the NRC Division of Facilities and Security, Physical Security Branch of all cases of loss, damage, or destruction of Government property in its possession or control not later than 24 hours after discovery. The contractor must report stolen Government property to the local police and a copy of the police report must be provided to the CO and to the Division of Facilities and Security, Physical Security Branch.

(c) All other equipment/property required in performance of the contract shall be furnished by the Contractor.

Progress Reporting

The contractor shall provide weekly written progress reports to the Project Officer. The progress reports shall cover all work completed during the preceding week and shall present the work to be accomplished during the subsequent week. This report shall also identify any problems encountered or still outstanding with an explanation of cause and resolution to the problem or how the problem will be solved. The contractor shall summarize processes and procedures discussed and developed during project-related meetings. The meeting summaries shall be distributed in a documented format to NSIR Project Management for review and concurrence.

Security Requirements

Each contractor must possess an active and approved Information Technology (IT) Level I security authorization to have access to NRC's SGI information. Candidates may consult with the NRC Project Officer or the Division of Security to determine if IT Level I (or higher) classification can be issued based on existing secret/top secret, or IT Level I type clearances. Note that NRC usually must conduct or arrange for its own security clearance reviews and may not be able to provide the required final IT Level I clearance based on another clearance. It is also impractical to submit an original request for "0"l clearance without already having an equal or higher clearance as it takes one year minimum to process the request.

The contractor proposed staff shall each submit a completed security forms packet including the SF-86, Questionnaire for National Security Positions, and fingerprint cards for review and favorable adjudication, prior to performing work under this order.


Proprietary Information

All information and documents made available to the contractor during the course of this contract are deemed official use only as they provide information on system vulnerabilities, and shall be returned to the NRC upon completion of the contract.

Summary of Milestones and Deliverables

Deliverables and due dates are summarized below. Deliverable due dates are based on calendar days. The following Deliverables and Milestones do not include optional tasks.

For the following Milestones, in addition to the specific tasks, the contractor shall summarize processes and procedures discussed and developed during project-related meetings. The meeting summaries shall be distributed in a documented format to NSIR Project Management for review and concurrence.


Item No. | Deliverable Description | Estimated Deliverable Due Dates
1 | Kickoff Meeting | 5 days after award or earlier
2 | Deliver Project Management Plan | Award + 15 days
3 | Deliver Candidate Solution's Briefing | Award + 15 days
4 | Deliver Secure Network Architecture + Security Risk Assessment | Award + 30 days
5 | Complete Install of Secure Network Architecture Pilot | Award + 90 days
6 | Deliver Draft Security Documents (System Security Plan, Physical Security Plan (updated), Contingency Plan, System Security Test & Evaluation Plan) | Award + 90 days
7 | Deliver Final Security Documents (System Security Plan, Physical Security Plan (updated), Contingency Plan, System Security Test & Evaluation Plan) | Award + 120 days
8 | Contingency Plan Test & Report | Award + 180 days
9 | Alternatives Analysis Data | Award + 180 days
10 | Deliver SGI Pilot Report | Award + 210 days
11 | Deliver Classified Network Architecture | Award + 210 days

The contractor shall submit all deliverables in paper copy and in electronic format in either WP 10.0 or WinWord Version XP on 3.5" floppy diskette or CD-ROM. Deliverables will be reviewed and signed off by the Project Officer. Security deliverables will be reviewed and signed off by the appropriate NRC IT security staff.

The contractor shall provide all the hardware, software, equipment and related licenses necessary to demonstrate the network architecture. NRC shall be given the option to purchase elements of the architecture. NRC will not be obligated to purchase said materials.


Period of Performance (Tasks 1-13)

The period of performance for Tasks 1-13 is 9 months from the date of award.

Period of Performance (Optional Task 14)

The period of performance for Optional Task 14, if exercised, is 9 months.

Place of Performance

Deliverables may be prepared offsite at the contractor's site. The pilot will be deployed at the NRC Headquarters in the secure room at the NRC Headquarters facility in Rockville, MD.

Performance Requirements

The deliverables required under this order must conform to the standards contained, or referenced, in the statement of work.

Training and Travel (Tasks 1-13)

The contractor shall provide secure LAN User training as required. Training shall consist of up to two hours of training for up to ten (10) pilot users per training session at the NRC Headquarters (Rockville, MD). Training materials will be provided by the contractor for all training sessions provided.

It is anticipated that travel will be required for 1-2 days of requirements analysis at each of two Regional Offices (Atlanta, GA and Arlington, TX).

Training and Travel (Optional Task 14)

The contractor shall provide secure LAN User training as required. Training shall consist of up to two hours of training for up to ten (10) pilot users per training session at the NRC Headquarters (Rockville, MD). Training materials shall be provided by the contractor for all training sessions provided.

It is anticipated that travel will be required for 1-4 days of requirements analysis at each of two Regional Offices (Atlanta, GA and Arlington, TX).


Attachment 1 - Current SLES Network Architecture (As-is)

SLES Logical Network Diagram

[Figure not reproduced: as-is SLES logical network diagram; the only legible labels are Dell OptiPlex PCs.]


Attachment 2 - Logical Proposed Systems Architecture (To-Be)

SLES Logical Network Diagram (future)

[Figure not reproduced: proposed (to-be) SLES logical network diagram; the only legible labels are Dell OptiPlex PCs.]


GS35F0068J NRC-33-05-339-001

TASK ORDER TERMS AND CONDITIONS NOT SPECIFIED IN THE CONTRACT

A.1 NRC ACQUISITION CLAUSES - (NRCAR) 48 CFR CH. 20

A.2 OTHER APPLICABLE CLAUSES

[X] See Addendum for the following in full text (if checked)

[ ] 52.216-18, Ordering
[ ] 52.216-19, Order Limitations
[ ] 52.216-22, Indefinite Quantity
[ ] 52.217-6, Option for Increased Quantity
[ ] 52.217-7, Option for Increased Quantity Separately Priced Line Item
[ ] 52.217-8, Option to Extend Services
[X] 52.217-9, Option to Extend the Term of the Contract

A.3 CONSIDERATION AND OBLIGATION-DELIVERY ORDERS (JUN 1988)

(a) The total estimated amount of this contract (ceiling) for the products/services ordered, delivered, and accepted under this contract is $136,883.86.

(b) The amount presently obligated with respect to this contract is $136,883.86. This obligated amount may be unilaterally increased from time to time by the Contracting Officer by written modification to this contract. The obligated amount shall, at no time, exceed the contract ceiling as specified in paragraph a above. When and if the amount(s) paid and payable to the Contractor hereunder shall equal the obligated amount, the Contractor shall not be obligated to continue performance of the work unless and until the Contracting Officer shall increase the amount obligated with respect to this contract. Any work undertaken by the Contractor in excess of the obligated amount specified above is done so at the Contractor's sole risk.

A.4 SECURITY REQUIREMENTS FOR INFORMATION TECHNOLOGY ACCESS APPROVAL (FEB 2004)

The proposer/contractor must identify all individuals and propose the level of Information Technology (IT) approval for each, using the following guidance. The NRC sponsoring office shall make the final determination of the level, if any, of IT approval required for all individuals working under this contract.

The Government shall have and exercise full and complete control over granting, denying, withholding, or terminating building access approvals for individuals performing work under this contract.

SECURITY REQUIREMENTS FOR LEVEL I


Performance under this contract will involve prime contractor personnel, subcontractors or others who perform services requiring direct access to or operate agency sensitive information technology systems or data (IT Level I).

The IT Level I involves responsibility for the planning, direction, and implementation of a computer security program; major responsibility for the direction, planning, and design of a computer system, including hardware and software; or the capability to access a computer system during its operation or maintenance in such a way that could cause or that has a relatively high risk of causing grave damage; or the capability to realize a significant personal gain from computer access. Such contractor personnel shall be subject to the NRC contractor personnel security requirements of NRC Management Directive (MD) 12.3, Part I and will require a favorably adjudicated Limited Background Investigation (LBI).

A contractor employee shall not have access to sensitive information technology systems or data until he/she is approved by Security Branch, Division of Facilities and Security (SB/DFS). Temporary access may be approved based on a favorable adjudication of their security forms and checks. Final access will be approved based on a favorably adjudicated LBI in accordance with the procedures found in NRC MD 12.3, Part I. However, temporary access authorization approval will be revoked and the employee may subsequently be removed from the contract in the event the employee's investigation cannot be favorably adjudicated. Such employee will not be authorized to work under any NRC contract without the approval of SB/DFS. Timely receipt of properly completed security applications is a contract requirement. Failure of the contractor to comply with this condition within the ten work-day period may be a basis to void the notice of selection. In that event, the Government may select another firm for award. When an individual receives final access, the individual will be subject to a reinvestigation every 10 years.

The contractor shall submit a completed security forms packet, including the SF-86, "Questionnaire for National Security Positions," and fingerprint charts, through the Project Officer to SB/DFS for review and favorable adjudication, prior to the individual performing work under this contract. The contractor shall assure that all forms are accurate, complete, and legible (except for Part 2 of the questionnaire, which is required to be completed in private and submitted by the individual to the contractor in a sealed envelope), as set forth in MD 12.3 which is incorporated into this contract by reference as though fully set forth herein. Based on SB review of the applicant's security forms and/or the receipt of adverse information by NRC, the individual may be denied access to NRC facilities, sensitive information technology systems or data until a final determination is made of his/her eligibility under the provisions of MD 12.3. Any questions regarding the individual's eligibility for IT Level I approval will be resolved in accordance with the due process procedures set forth in MD 12.3 and E.O. 12968.

In accordance with NRCAR 2052.204.70 "Security," IT Level I contractors shall be subject to the attached NRC Form 187 (See Section J for List of Attachments) which furnishes the basis for providing security requirements to prime contractors, subcontractors or others (e.g., bidders) who have or may have an NRC contractual relationship which requires access to or operation of agency sensitive information technology systems or remote development and/or analysis of sensitive information technology systems or data or other access to such systems and data; access on a continuing basis (in excess of 30 days) to NRC Headquarters controlled buildings; or otherwise requires issuance of an NRC badge.

SECURITY REQUIREMENTS FOR LEVEL II

Performance under this contract will involve contractor personnel that develop and/or analyze sensitive information technology systems or data or otherwise have access to such systems or data (IT Level II).

The IT Level II involves responsibility for the planning, design, operation, or maintenance of a computer system and all other computer or IT positions. Such contractor personnel shall be subject to the NRC contractor personnel requirements of MD 12.3, Part I, which is hereby incorporated by reference and made a part of this contract as though fully set forth herein, and will require a favorably adjudicated Access National Agency Check with Inquiries (ANACI).


A contractor employee shall not have access to sensitive information technology systems or data until he/she is approved by SB/DFS. Temporary access may be approved based on a favorable review of their security forms and checks. Final access will be approved based on a favorably adjudicated ANACI in accordance with the procedures found in MD 12.3, Part I. However, temporary access authorization approval will be revoked and the employee may subsequently be removed from the contract in the event the employee's investigation cannot be favorably adjudicated. Such employee will not be authorized to work under any NRC contract without the approval of SB/DFS. Timely receipt of properly completed security applications is a contract requirement. Failure of the contractor to comply with this condition within the ten work-day period may be a basis to void the notice of selection. In that event, the Government may select another firm for award. When an individual receives final access, the individual will be subject to a reinvestigation every 10 years.

The contractor shall submit a completed security forms packet, including the SF-86, "Questionnaire for National Security Positions," and fingerprint charts, through the Project Officer to the NRC SB/DFS for review and favorable adjudication, prior to the individual performing work under this contract. The contractor shall assure that all forms are accurate, complete, and legible (except for Part 2 of the questionnaire, which is required to be completed in private and submitted by the individual to the contractor in a sealed envelope), as set forth in MD 12.3. Based on SB review of the applicant's security forms and/or the receipt of adverse information by NRC, the individual may be denied access to NRC facilities, sensitive information technology systems or data until a final determination is made of his/her eligibility under the provisions of MD 12.3. Any questions regarding the individual's eligibility for IT Level II approval will be resolved in accordance with the due process procedures set forth in MD 12.3 and E.O. 12968.

In accordance with NRCAR 2052.204.70 "Security," IT Level II contractors shall be subject to the attached NRC Form 187 (See Section J for List of Attachments) which furnishes the basis for providing security requirements to prime contractors, subcontractors or others (e.g. bidders) who have or may have an NRC contractual relationship which requires access to or operation of agency sensitive information technology systems or remote development and/or analysis of sensitive information technology systems or data or other access to such systems or data; access on a continuing basis (in excess of 30 days) to NRC Headquarters controlled buildings; or otherwise requires issuance of an NRC badge.

CANCELLATION OR TERMINATION OF IT ACCESS/REQUEST

When a request for investigation is to be withdrawn or canceled, the contractor shall immediately notify the Project Officer by telephone in order that he/she will immediately contact the SB/DFS so that the investigation may be promptly discontinued. The notification shall contain the full name of the individual, and the date of the request. Telephone notifications must be promptly confirmed in writing to the Project Officer who will forward the confirmation via email to the SB/DFS. Additionally, SB/DFS must be immediately notified when an individual no longer requires access to NRC sensitive automated information technology systems or data, including the voluntary or involuntary separation of employment of an individual who has been approved for or is being processed for access under the NRC "Personnel Security Program."

A.5 2052.204.70 SECURITY (MAR 2004)

(a) Contract Security and/or Classification Requirements (NRC Form 187). The policies, procedures, and criteria of the NRC Security Program; NRC Management Directive (MD) 12 (including MD 12.1, "NRC Facility Security Program;" MD 12.2, "NRC Classified Information Security Program;" MD 12.3, "NRC Personnel Security Program;" MD 12.4, "NRC Telecommunications Systems Security Program;" MD 12.5, "NRC Automated Information Systems Security Program;" and MD 12.6, "NRC Sensitive Unclassified Information Security Program"), apply to performance of this contract, subcontract or other activity. This MD is incorporated into this contract by reference as though fully set forth herein. The attached NRC Form 187 (See List of Attachments) furnishes the basis for providing security and classification requirements to prime contractors, subcontractors, or others (e.g., bidders) who have or may have an NRC contractual relationship that requires access to classified Restricted Data or National Security Information or matter, access to sensitive unclassified information (e.g., Safeguards), access to sensitive Information Technology (IT) systems or data, unescorted access to NRC controlled buildings/space, or unescorted access to protected and vital areas of nuclear power plants.

(b) It is the contractor's duty to protect National Security Information, Restricted Data, and Formerly Restricted Data. The contractor shall, in accordance with the Commission's security regulations and requirements, be responsible for protecting National Security Information, Restricted Data, and Formerly Restricted Data, and for protecting against sabotage, espionage, loss, and theft, the classified documents and material in the contractor's possession in connection with the performance of work under this contract. Except as otherwise expressly provided in this contract, the contractor shall, upon completion or termination of this contract, transmit to the Commission any classified matter in the possession of the contractor or any person under the contractor's control in connection with performance of this contract. If retention by the contractor of any classified matter is required after the completion or termination of the contract and the retention is approved by the contracting officer, the contractor shall complete a certificate of possession to be furnished to the Commission specifying the classified matter to be retained. The certification must identify the items and types or categories of matter retained, the conditions governing the retention of the matter and their period of retention, if known. If the retention is approved by the contracting officer, the security provisions of the contract continue to be applicable to the matter retained.

(c) In connection with the performance of the work under this contract, the contractor may be furnished, or may develop or acquire, safeguards information, or confidential or privileged technical, business, or financial information, including Commission plans, policies, reports, financial plans, internal data protected by the Privacy Act of 1974 (Pub. L. 93-579), or other information which has not been released to the public or has been determined by the Commission to be otherwise exempt from disclosure to the public. The contractor shall ensure that information protected from public disclosure is maintained as required by NRC regulations and policies, as cited in this contract or as otherwise provided by the NRC. The contractor will not directly or indirectly duplicate, disseminate, or disclose the information in whole or in part to any other person or organization except as may be necessary to perform the work under this contract. The contractor agrees to return the information to the Commission or otherwise dispose of it at the direction of the contracting officer. Failure to comply with this clause is grounds for termination of this contract.

(d) Regulations. The contractor agrees to conform to all security regulations and requirements of the Commission which are subject to change as directed by the NRC Division of Facilities and Security (DFS) and the Contracting Officer. These changes will be under the authority of the FAR Changes clause referenced in this document.

The contractor agrees to comply with the security requirements set forth in NRC Management Directive 12.1, NRC Facility Security Program which is incorporated into this contract by reference as though fully set forth herein. Attention is directed specifically to the section titled "Infractions and Violations," including "Administrative Actions" and "Reporting Infractions."

(e) Definition of National Security Information. The term National Security Information, as used in this clause, means information that has been determined pursuant to Executive Order 12958 or any predecessor order to require protection against unauthorized disclosure and that is so designated.

(f) Definition of Restricted Data. The term Restricted Data, as used in this clause, means all data concerning design, manufacture, or utilization of atomic weapons; the production of special nuclear material; or the use of special nuclear material in the production of energy, but does not include data declassified or removed from the Restricted Data category pursuant to Section 142 of the Atomic Energy Act of 1954, as amended.


(g) Definition of Formerly Restricted Data. The term Formerly Restricted Data, as used in this clause, means all data removed from the Restricted Data category under Section 142-d of the Atomic Energy Act of 1954, as amended.

(h) Definition of Safeguards Information. Sensitive unclassified information that specifically identifies the detailed security measures of a licensee or an applicant for the physical protection of special nuclear material; or security measures for the physical protection and location of certain plant equipment vital to the safety of production or utilization facilities. Protection of this information is required pursuant to Section 147 of the Atomic Energy Act of 1954, as amended.

(i) Security Clearance. The contractor may not permit any individual to have access to Restricted Data, Formerly Restricted Data, or other classified information, except in accordance with the Atomic Energy Act of 1954, as amended, and the Commission's regulations or requirements applicable to the particular type or category of classified information to which access is required. The contractor shall also execute a Standard Form 312, Classified Information Nondisclosure Agreement, when access to classified information is required.

(j) Criminal Liabilities. It is understood that disclosure of National Security Information, Restricted Data, and Formerly Restricted Data relating to the work or services ordered hereunder to any person not entitled to receive it, or failure to safeguard any Restricted Data, Formerly Restricted Data, or any other classified matter that may come to the contractor or any person under the contractor's control in connection with work under this contract, may subject the contractor, its agents, employees, or subcontractors to criminal liability under the laws of the United States. (See the Atomic Energy Act of 1954, as amended, 42 U.S.C. 2011 et seq.; 18 U.S.C. 793 and 794; and Executive Order 12958.)

(k) Subcontracts and Purchase Orders. Except as otherwise authorized in writing by the contracting officer, the contractor shall insert provisions similar to the foregoing in all subcontracts and purchase orders under this contract.

(l) In performing the contract work, the contractor shall classify all documents, material, and equipment originated or generated by the contractor in accordance with guidance issued by the Commission. Every subcontract and purchase order issued hereunder involving the origination or generation of classified documents, material, and equipment must provide that the subcontractor or supplier assign classification to all documents, material, and equipment in accordance with guidance furnished by the contractor.

A.6 BADGE REQUIREMENTS FOR UNESCORTED BUILDING ACCESS TO NRC FACILITIES (FEB 2004)

During the life of this contract, the rights of ingress and egress for contractor personnel must be made available, as required, provided that the individual has been approved for unescorted access after a favorable adjudication from the Security Branch, Division of Facilities and Security (SB/DFS). In this regard, all contractor personnel whose duties under this contract require their presence on-site shall be clearly identifiable by a distinctive badge furnished by the NRC. The Project Officer shall assist the contractor in obtaining the badges for the contractor personnel. It is the sole responsibility of the contractor to ensure that each employee has a proper NRC-issued identification/badge at all times. All photo-identification badges must be immediately (no later than three days) delivered to SB/DFS for cancellation or disposition upon the termination of employment of any contractor personnel. Contractor personnel must display any NRC issued badge in clear view at all times during on-site performance under this contract. It is the contractor's duty to assure that contractor personnel enter only those work areas necessary for performance of contract work, and to assure the protection of any Government records or data that contractor personnel may come into contact with.


A.7 2052.215-70 KEY PERSONNEL (JAN 1993)

(a) The following individuals are considered to be essential to the successful performance of the work hereunder:

The contractor agrees that personnel may not be removed from the contract work or replaced without compliance with paragraphs (b) and (c) of this section.

(b) If one or more of the key personnel, for whatever reason, becomes, or is expected to become, unavailable for work under this contract for a continuous period exceeding 30 work days, or is expected to devote substantially less effort to the work than indicated in the proposal or initially anticipated, the contractor shall immediately notify the contracting officer and shall, subject to the concurrence of the contracting officer, promptly replace the personnel with personnel of at least substantially equal ability and qualifications.

(c) Each request for approval of substitutions must be in writing and contain a detailed explanation of the circumstances necessitating the proposed substitutions. The request must also contain a complete resume for the proposed substitute and other information requested or needed by the contracting officer to evaluate the proposed substitution. The contracting officer and the project officer shall evaluate the contractor's request and the contracting officer shall promptly notify the contractor of his or her decision in writing.

(d) If the contracting officer determines that suitable and timely replacement of key personnel who have been reassigned, terminated, or have otherwise become unavailable for the contract work is not reasonably forthcoming, or that the resultant reduction of productive effort would be so substantial as to impair the successful completion of the contract or the service order, the contract may be terminated by the contracting officer for default or for the convenience of the Government, as appropriate. If the contracting officer finds the contractor at fault for the condition, the contract price or fixed fee may be equitably adjusted downward to compensate the Government for any resultant delay, loss, or damage.

A.8 PROJECT OFFICER AUTHORITY (FEB 2004)

(a) The contracting officer's authorized representative hereinafter referred to as the project officer for this contract is:

Name: Behrooz Sabet

Address: U.S. Nuclear Regulatory Commission
Mail Stop: T4-A57
Washington, DC 20555

Telephone Number: (301) 415-7107

(b) Performance of the work under this contract is subject to the technical direction of the NRC project officer. The term "technical direction" is defined to include the following:

(1) Technical direction to the contractor which shifts work emphasis between areas of work or tasks, authorizes travel which was unanticipated in the Schedule (i.e., travel not contemplated in the Statement of Work (SOW) or changes to specific travel identified in the SOW), fills in details, or otherwise serves to accomplish the contractual SOW.

(2) Provide advice and guidance to the contractor in the preparation of drawings, specifications, or technical portions of the work description.

(3) Review and, where required by the contract, approval of technical reports, drawings, specifications, and technical information to be delivered by the contractor to the Government under the contract.

(c) Technical direction must be within the general statement of work stated in the contract. The project officer does not have the authority to and may not issue any technical direction which:

(1) Constitutes an assignment of work outside the general scope of the contract.

(2) Constitutes a change as defined in the "Changes" clause of this contract.

(3) In any way causes an increase or decrease in the total estimated contract cost, the fixed fee, if any, or the time required for contract performance.

(4) Changes any of the expressed terms, conditions, or specifications of the contract.

(5) Terminates the contract, settles any claim or dispute arising under the contract, or issues any unilateral directive whatever.

(d) All technical directions must be issued in writing by the project officer or must be confirmed by the project officer in writing within ten (10) working days after verbal issuance. A copy of the written direction must be furnished to the contracting officer. A copy of NRC Form 445, Request for Approval of Official Foreign Travel, which has received final approval from the NRC must be furnished to the contracting officer.

(e) The contractor shall proceed promptly with the performance of technical directions duly issued by the project officer in the manner prescribed by this clause and within the project officer's authority under the provisions of this clause.

(f) If, in the opinion of the contractor, any instruction or direction issued by the project officer is within one of the categories as defined in paragraph (c) of this section, the contractor may not proceed but shall notify the contracting officer in writing within five (5) working days after the receipt of any instruction or direction and shall request the contracting officer to modify the contract accordingly. Upon receiving the notification from the contractor, the contracting officer shall issue an appropriate contract modification or advise the contractor in writing that, in the contracting officer's opinion, the technical direction is within the scope of this article and does not constitute a change under the "Changes" clause.

(g) Any unauthorized commitment or direction issued by the project officer may result in an unnecessary delay in the contractor's performance and may even result in the contractor expending funds for unallowable costs under the contract.

(h) A failure of the parties to agree upon the nature of the instruction or direction or upon the contract action to be taken with respect thereto is subject to 52.233-1 - Disputes.

(i) In addition to providing technical direction as defined in paragraph (b) of the section, the project officer shall:

(1) Monitor the contractor's technical progress, including surveillance and assessment of performance, and recommend to the contracting officer changes in requirements.

(2) Assist the contractor in the resolution of technical problems encountered during performance.

(3) Review all costs requested for reimbursement by the contractor and submit to the contracting officer recommendations for approval, disapproval, or suspension of payment for supplies and services required under this contract.

(4) Assist the contractor in obtaining the badges for the contractor personnel.

(5) Immediately notify the Security Branch, Division of Facilities and Security (SB/DFS) (via e-mail) when a contractor employee no longer requires access authorization and return of any NRC issued badge to SB/DFS within three days after their termination.

(6) Ensure that all contractor employees that require access to classified Restricted Data or National Security Information or matter, access to sensitive unclassified information (Safeguards, Official Use Only, and Proprietary information), access to sensitive IT systems or data, unescorted access to NRC controlled buildings/space, or unescorted access to protected and vital areas of nuclear power plants receive approval of SB/DFS prior to access in accordance with Management Directive and Handbook 12.3.

A.9 52.217-9 OPTION TO EXTEND THE TERM OF THE CONTRACT (MAR 2000)

(a) The Government may extend the term of this contract by written notice to the Contractor within 2 days; provided that the Government gives the Contractor a preliminary written notice of its intent to extend at least 30 days before the contract expires. The preliminary notice does not commit the Government to an extension.

(b) If the Government exercises this option, the extended contract shall be considered to include this option clause.

(c) The total duration of this contract, including the exercise of any options under this clause, shall not exceed 5 years.

A.10 SEAT BELTS

Contractors, subcontractors, and grantees are encouraged to adopt and enforce on-the-job seat belt policies and programs for their employees when operating company-owned, rented, or personally owned vehicles.

NRC FORM 187

U.S. NUCLEAR REGULATORY COMMISSION

CONTRACT SECURITY AND/OR CLASSIFICATION REQUIREMENTS

AUTHORITY: The policies, procedures, and criteria of the NRC Security Program, NRCMD 12, apply to performance of this contract, subcontract or other activity.

COMPLETE CLASSIFIED ITEMS BY SEPARATE CORRESPONDENCE

1. CONTRACTOR NAME AND ADDRESS

A. CONTRACT NUMBER FOR COMMERCIAL CONTRACTS OR JOB CODE FOR DOE PROJECTS

B. PROJECTED START DATE

C. PROJECTED COMPLETION DATE

2. TYPE OF SUBMISSION

A. ORIGINAL

B. REVISED

C. OTHER (Specify)

3. FOR FOLLOW-ON CONTRACT, ENTER PRECEDING CONTRACT NUMBER AND PROJECTED COMPLETION DATE

A. DOES NOT APPLY

CONTRACT NUMBER / DATE

4. PROJECT TITLE AND OTHER IDENTIFYING INFORMATION

Secure LAN Electronic Safe (SLES)

5. PERFORMANCE WILL REQUIRE

A. ACCESS TO CLASSIFIED MATTER OR CLASSIFIED INFORMATION: YES (If "YES," answer 1-7 below) / NO (If "NO," proceed to 5.C.)

Columns: NOT APPLICABLE; NATIONAL SECURITY (SECRET, CONFIDENTIAL); RESTRICTED DATA (SECRET, CONFIDENTIAL)

2. RECEIPT, STORAGE, OR OTHER SAFEGUARDING OF

3. GENERATION OF CLASSIFIED MATTER.

4. ACCESS TO CRYPTOGRAPHIC MATERIAL OR OTHER CLASSIFIED COMSEC INFORMATION.

5. ACCESS TO CLASSIFIED MATTER OR CLASSIFIED INFORMATION PROCESSED BY ANOTHER AGENCY.

6. CLASSIFIED USE OF AN INFORMATION TECHNOLOGY PROCESSING SYSTEM.

7. OTHER (Specify)

B. IS FACILITY CLEARANCE REQUIRED? YES / NO

C. UNESCORTED ACCESS IS REQUIRED TO PROTECTED AND VITAL AREAS OF NUCLEAR POWER PLANTS.

D. ACCESS IS REQUIRED TO UNCLASSIFIED SAFEGUARDS INFORMATION.

E. ACCESS IS REQUIRED TO SENSITIVE IT SYSTEMS AND DATA.

FOR PROCEDURES AND REQUIREMENTS ON PROVIDING TEMPORARY AND FINAL APPROVAL FOR UNESCORTED ACCESS, REFER TO NRCMD 12.

NRC FORM 187 (1-2000) PRINTED ON RECYCLED PAPER

6. INFORMATION PERTAINING TO THESE REQUIREMENTS OR THIS PROJECT, EVEN THOUGH SUCH INFORMATION IS CONSIDERED UNCLASSIFIED

NAME AND TITLE / SIGNATURE / DATE

7. CLASSIFICATION GUIDANCE

NATURE OF CLASSIFIED GUIDANCE / IDENTIFICATION OF CLASSIFICATION GUIDES

8. CLASSIFIED REVIEW OF CONTRACTOR / SUBCONTRACTOR REPORT(S) AND OTHER DOCUMENTS WILL BE CONDUCTED BY:

AUTHORIZED CLASSIFIER (Name and Title)

9. REQUIRED DISTRIBUTION OF NRC FORM 187 (Check appropriate box(es))

SPONSORING NRC OFFICE OR DIVISION (Item 10A)

DIVISION OF CONTRACTS AND PROPERTY MANAGEMENT

DIVISION OF FACILITIES AND SECURITY (Item 10B)

CONTRACTOR (Item 1)

10. APPROVALS

SECURITY/CLASSIFICATION REQUIREMENTS FOR SUBCONTRACTS RESULTING FROM THIS CONTRACT WILL BE APPROVED BY THE OFFICIALS NAMED IN ITEMS 10B AND 10C BELOW.

NAME (Print or type) / SIGNATURE / DATE

A. DIRECTOR, OFFICE OR DIVISION: Miriam Cohen

B. DIRECTOR, DIVISION OF FACILITIES AND SECURITY: Thomas Martin

C. [title illegible] (... DOE agreements): Scott [surname illegible]

BILLING INSTRUCTIONS FOR LABOR HOUR TYPE CONTRACTS

General: The contractor shall prepare vouchers/invoices for reimbursement of costs in the manner and format described herein or a similar format. FAILURE TO SUBMIT VOUCHERS/INVOICES IN ACCORDANCE WITH THESE INSTRUCTIONS WILL RESULT IN REJECTION OF THE VOUCHER/INVOICE AS IMPROPER.

Number of Copies: An original and three copies, including supporting documentation, shall be submitted. A copy of all supporting documents must be attached to each copy of your voucher/invoice. Failure to submit all the required copies will result in rejection of the voucher/invoice as improper.

Designated Agency Billing Office: Vouchers/invoices shall be submitted to the following address:

U.S. Nuclear Regulatory Commission
Division of Contracts
Mail Stop T-7-1-2
Washington, D.C. 20555

HAND DELIVERY OF VOUCHERS/INVOICES IS DISCOURAGED AND WILL NOT EXPEDITE PROCESSING BY NRC. However, should you choose to deliver vouchers/invoices by hand, including delivery by any express mail services or special delivery services which use a courier or other person to deliver the voucher/invoice in person to the NRC, such vouchers/invoices must be addressed to the above Designated Agency Billing Office and will only be accepted at the following location:

U.S. Nuclear Regulatory Commission
One White Flint North
11555 Rockville Pike - Mail Room
Rockville, MD 20852

HAND-CARRIED SUBMISSIONS WILL NOT BE ACCEPTED AT OTHER THAN THE ABOVE ADDRESS.

Note that the official receipt date for hand-delivered vouchers/invoices will be the date it is received by the official agency billing office in the Division of Contracts and Property Management.

Agency Payment Office: Payment will be made by the following office:

U.S. Nuclear Regulatory Commission
Mail Stop T-9-H4
Washington, DC 20555

Frequency: The contractor shall submit claims for reimbursement once each month, unless otherwise authorized by the Contracting Officer.

Format: Claims should be submitted in the format depicted on the attached sample form entitled "Voucher/Invoice for Purchases and Services Other Than Personal" (see Attachment) or a similar format. THE SAMPLE FORMAT IS PROVIDED FOR GUIDANCE ONLY AND IS NOT REQUIRED FOR SUBMISSION OF A VOUCHER/INVOICE. ALTERNATE FORMATS ARE PERMISSIBLE PROVIDED ALL REQUIREMENTS OF THE BILLING INSTRUCTIONS ARE ADDRESSED.

Billing of Costs After Expiration of Contract/Purchase Order: If the costs are incurred during the purchase order period and claimed after the purchase order has expired, the period during which these costs were incurred must be cited. To be considered a proper voucher/invoice, the contractor shall clearly mark it "EXPIRATION VOUCHER" OR "EXPIRATION INVOICE".

Currency: Billings may be expressed in the currency normally used by the contractor in maintaining his accounting records; payments will be made in that currency. However, the U.S. dollar equivalent for all vouchers/invoices paid under the purchase order may not exceed the total U.S. dollars authorized in the purchase order.

ATTACHMENT

INVOICE/VOUCHER FOR PURCHASES AND SERVICES OTHER THAN PERSONAL

(SAMPLE FORMAT - COVER SHEET)

Official Agency Billing Office
U.S. Nuclear Regulatory Commission
Division of Contracts and Property Management MS: T-7-12
Washington, DC 20555-0001

(a) Purchase Order No:

(b) Voucher/Invoice No:

(c) Date of Voucher/Invoice:

Payee's Name and Address

(d) Individual to Contact Regarding Voucher/Invoice
Name:
Telephone No:

(e) This voucher/invoice represents reimbursable costs for the billing period ______ to ______

Amount Billed: Current Period / Cumulative

(f) Direct Costs:

(1) Direct Labor*    $    $

(2) Travel*    $    $

Total Direct Costs:    $    $

* The contractor shall submit as an attachment to its invoice/voucher cover sheet a listing of labor categories, hours billed, fixed hourly rates, total dollars, and cumulative hours billed to date under each labor category, authorized under the purchase order for each of the three activities to be performed under the purchase order. In addition, the contractor shall include travel costs incurred with the required supporting documentation, as well as the cumulative total of travel costs billed to date by activity.