Task Order No. NRC-HQ-40-15-O-0001 Under Delivery Order No. … · 2015-10-09

ORDER FOR SUPPLIES OR SERVICES    PAGE 1 OF 25 PAGES

IMPORTANT: Mark all packages and papers with contract and/or order numbers.

1. DATE OF ORDER: 09/29/2015
2. CONTRACT NO. (If any): NRC-HQ-10-15-A-0005
3. ORDER NO.: NRC-HQ-40-15-O-0001
4. REQUISITION/REFERENCE NO.: ADM-15-0283
5. ISSUING OFFICE (Address correspondence to): U.S. NRC - HQ, Acquisition Management Division, Mail Stop: TWFN-5E03, Washington DC 20555-0001

6. SHIP TO:
a. NAME OF CONSIGNEE: U.S. Nuclear Regulatory Commission
b. STREET ADDRESS: Mail Processing Center, 4930 Boiling Brook Parkway
c. CITY: Rockville
d. STATE: MD
e. ZIP CODE: 20852
f. SHIP VIA:

7. TO:
a. NAME OF CONTRACTOR: AEGIS.NET INC
b. COMPANY NAME:
c. STREET ADDRESS: 42 READS WAY
d. CITY: NEW CASTLE
e. STATE: DE
f. ZIP CODE: 197201649

8. TYPE OF ORDER:
a. PURCHASE. REFERENCE YOUR: QUOTE. Please furnish the following on the terms and conditions specified on both sides of this order and on the attached sheet, if any, including delivery as indicated.
b. DELIVERY. Except for billing instructions on the reverse, this delivery order is subject to instructions contained on this side only of this form and is issued subject to the terms and conditions of the above-numbered contract.

9. ACCOUNTING AND APPROPRIATION DATA: See Schedule
10. REQUISITIONING OFFICE: Office of Information Services
11. BUSINESS CLASSIFICATION (Check appropriate box(es)): a. SMALL; b. OTHER THAN SMALL; c. DISADVANTAGED; d. WOMEN-OWNED; e. HUBZone; f. SERVICE-DISABLED VETERAN-OWNED; g. WOMEN-OWNED SMALL BUSINESS (WOSB) ELIGIBLE UNDER THE WOSB PROGRAM; h. EDWOSB
12. F.O.B. POINT:
13. PLACE OF a. INSPECTION: Destination; b. ACCEPTANCE: Destination
14. GOVERNMENT B/L NO.:
15. DELIVER TO F.O.B. POINT:
16. DISCOUNT TERMS:

17. SCHEDULE (See reverse for Rejections)
Columns: (a) ITEM NO.; (b) SUPPLIES OR SERVICES; (c) QUANTITY ORDERED; (d) UNIT; (e) UNIT PRICE; (f) AMOUNT; (g) QUANTITY ACCEPTED

GSA Contract #: GS-35F-0125S
Mark For: U.S. Nuclear Regulatory Commission, Office of Administration, Washington DC 20555-0002
Accounting Info: Continued ...

18. SHIPPING POINT:
19. GROSS SHIPPING WEIGHT:
20. INVOICE NO.:
17(h) TOTAL (Cont. pages): $0.00

21. MAIL INVOICE TO (SEE BILLING INSTRUCTIONS ON REVERSE):
a. NAME: U.S. Nuclear Regulatory Commission
b. STREET ADDRESS (or P.O. Box): One White Flint North, 11555 Rockville Pike, Mailstop O3-E17A
c. CITY: Rockville
d. STATE: MD
e. ZIP CODE: 20852-2738
17(i) GRAND TOTAL: $2,148,597.38

22. UNITED STATES OF AMERICA BY (Signature): 09/29/2015
23. NAME (Typed): [illegible]
TITLE: CONTRACTING/ORDERING OFFICER

AUTHORIZED FOR LOCAL REPRODUCTION. PREVIOUS EDITION NOT USABLE.
OPTIONAL FORM 347 (Rev. 2/2012), Prescribed by GSA/FAR 48 CFR 53.213(f)

SUNSI REVIEW COMPLETE OCT - 1 2015

ORDER FOR SUPPLIES OR SERVICES, SCHEDULE - CONTINUATION    PAGE NO. 2

IMPORTANT: Mark all packages and papers with contract and/or order numbers.

DATE OF ORDER: 09/29/2015
CONTRACT NO.: NRC-HQ-10-15-A-0005
ORDER NO.: NRC-HQ-40-15-O-0001

Columns: (a) ITEM NO.; (b) SUPPLIES/SERVICES; (c) QUANTITY ORDERED; (d) UNIT; (e) UNIT PRICE; (f) AMOUNT; (g) QUANTITY ACCEPTED

2015-X0200-FEEBASED-40-40D007-51-P-156-6031-252A
Period of Performance: 09/29/2015 to 09/28/2016

TOTAL CARRIED FORWARD TO 1ST PAGE (ITEM 17(H)): $0.00

PREVIOUS EDITION NOT USABLE. OPTIONAL FORM 348 (Rev. 4/2006), prescribed by GSA FAR (48 CFR) 53.213(f)

BPA NRC-HQ-10-15-A-0005
Task NRC-HQ-40-15-O-0001

ADDITIONAL TERMS AND CONDITIONS
1. CONTRACTOR ACCEPTANCE OF TASK ORDER
2. NRCB010 BRIEF PROJECT TITLE AND WORK DESCRIPTION
3. NRCB050 CONSIDERATION AND OBLIGATION-TASK ORDERS
4. PRICE SCHEDULE
5. NRCF030B PERIOD OF PERFORMANCE ALTERNATE
6. NRCF010 PLACE OF DELIVERY-REPORTS
7. 2052.215-70 KEY PERSONNEL. (JAN 1993)
8. 2052.215-71 PROJECT OFFICER AUTHORITY. (OCT 1999)
9. NRCH490 AWARD NOTIFICATION AND COMMITMENT OF PUBLIC FUNDS
10. 52.217-9 OPTION TO EXTEND THE TERM OF THE CONTRACT

ADDITIONAL TERMS AND CONDITIONS

1. CONTRACTOR ACCEPTANCE OF TASK ORDER

Acceptance of this task order should be made by an official authorized to bind your organization. Please sign one copy of this document in the space provided and return it via email to the Contracting Officer.

Accepted Task Order:

Printed Name & Title    Signature    Date

2. NRCB010 BRIEF PROJECT TITLE AND WORK DESCRIPTION

(a) The title of this project is: Independent Verification and Validation for the Strategic Acquisition System

(b) Summary work description: The U.S. Nuclear Regulatory Commission's Office of Administration, Acquisition Management Division is responsible for overseeing the agency's procurement activities. The Strategic Acquisition System (STAQS) provides the information technology that supports the procurement business process. STAQS interfaces in real-time with the agency's financial system, Financial Accounting and Information Management System (FAIMIS), using the Oracle Service Oriented Architecture suite to commit and obligate agency funds using commercial contracts, Financial Assistance Grants, DOE lab agreements, and Interagency Agreements (IAAs). The NRC needs independent verification and validation services to support operations and maintenance of STAQS and to ensure that STAQS and FAIMIS remain synchronized with respect to procurement data. The NRC also needs independent verification and validation services to support STAQS system security needs. Independent Verification and Validation (IV&V) services are necessary to the operations and maintenance of STAQS. The selected contractor shall provide services to support the Government with the review and validation of all deliverables developed by the system integrator, the system hosting provider, STAQS support staff, and FAIMIS support staff.

3. NRCB050 CONSIDERATION AND OBLIGATION-TASK ORDERS

(a) The ceiling of this order for services is $2,148,597.38.

(b) This order is subject to the minimum and maximum ordering requirements set forth in the contract.

(c) The amount presently obligated with respect to this order is $29,105.00. The obligated amount shall, at no time, exceed the order ceiling as specified in paragraph (a) above. When and if the amount(s) paid and payable to the Contractor hereunder shall equal the obligated amount, the Contractor shall not be obligated to continue performance of the work unless and until the Contracting Officer shall increase the amount obligated with respect to this order. Any work undertaken by the Contractor in excess of the obligated amount specified above is done so at the Contractor's sole risk and may not be reimbursed by the Government.

(d) The Contractor shall comply with the provisions of FAR 52.232-22 - Limitation of Funds, for incrementally-funded delivery orders or task orders.

4. PRICE SCHEDULE

[Price schedule table: line items by labor category, unit of measure "Hours". Quantities, unit prices and amounts are not legible in this copy.]

Program Manager
1002 Project Manager
1003 Senior Systems Analyst
1004 Intermediate Systems Analyst
1005 Senior Information Assurance Analyst
1006 Intermediate Information Assurance Analyst
Totals

Intermediate Information Assurance Analyst
Totals

Intermediate Systems Analyst

3005 Senior Information Assurance Analyst
3006 Intermediate Information Assurance Analyst
Totals

4002 Project Manager
4003 Senior Systems Analyst
4004 Intermediate Systems Analyst
4005 Senior Information Assurance Analyst
4006 Intermediate Information Assurance Analyst

Option Period 4

5002 Project Manager
5003 Senior Systems Analyst
5004 Intermediate Systems Analyst
5005 Senior Information Assurance Analyst
5006 Intermediate Information Assurance Analyst
Totals

5. NRCF030B PERIOD OF PERFORMANCE ALTERNATE

One base period of one year, four (4) additional option years. The last optional year may be shorter than 12 months, since it would end on August 9, 2020, which is the last day of the blanket purchase agreement.

6. NRCF010 PLACE OF DELIVERY-REPORTS

The items to be furnished hereunder shall be delivered electronically via email to:
a. The Contracting Officer Representative (COR) (1 electronic copy)
b. The Contracting Officer (CO)

7. 2052.215-70 KEY PERSONNEL. (JAN 1993)

(a) The following individuals are considered to be essential to the successful performance of the work hereunder:

TOM LOURENCO - PROGRAM MANAGER
AGI SEATON - PROJECT MANAGER
SUE DALY - SENIOR SYSTEMS ANALYST
SUMAN SUBHASH - INTERMEDIATE SYSTEMS ANALYST
CHRISTIAN PALMHEDE - SENIOR INFORMATION ASSURANCE ANALYST
JEFF HAVER - SENIOR INFORMATION ASSURANCE ANALYST
RUTH BRISCOE - INTERMEDIATE INFORMATION ASSURANCE ANALYST

*The contractor agrees that personnel may not be removed from the contract work or replaced without compliance with paragraphs (b) and (c) of this section.

(b) If one or more of the key personnel, for whatever reason, becomes, or is expected to become, unavailable for work under this contract for a continuous period exceeding 30 work days, or is expected to devote substantially less effort to the work than indicated in the proposal or initially anticipated, the contractor shall immediately notify the contracting officer and shall, subject to the concurrence of the contracting officer, promptly replace the personnel with personnel of at least substantially equal ability and qualifications.

(c) Each request for approval of substitutions must be in writing and contain a detailed explanation of the circumstances necessitating the proposed substitutions. The request must also contain a complete resume for the proposed substitute and other information requested or needed by the contracting officer to evaluate the proposed substitution. The contracting officer and the project officer shall evaluate the contractor's request and the contracting officer shall promptly notify the contractor of his or her decision in writing.

(d) If the contracting officer determines that suitable and timely replacement of key personnel who have been reassigned, terminated, or have otherwise become unavailable for the contract work is not reasonably forthcoming, or that the resultant reduction of productive effort would be so substantial as to impair the successful completion of the contract or the service order, the contract may be terminated by the contracting officer for default or for the convenience of the Government, as appropriate. If the contracting officer finds the contractor at fault for the condition, the contract price or fixed fee may be equitably adjusted downward to compensate the Government for any resultant delay, loss, or damage.

8. 2052.215-71 PROJECT OFFICER AUTHORITY. (OCT 1999)

(a) The contracting officer's authorized representative hereinafter referred to as the project officer for this contract is:

Name: Nandini Sharma
Address: US NRC, Mail Stop: T3 3 D18, Washington DC 20555
Email: alan.sagqe(nrc.pov
Telephone Number: 301-415-1586

(b) Performance of the work under this contract is subject to the technical direction of the NRC project officer. The term technical direction is defined to include the following:

(1) Technical direction to the contractor which shifts work emphasis between areas of work or tasks, authorizes travel which was unanticipated in the Schedule (i.e., travel not contemplated in the Statement of Work or changes to specific travel identified in the Statement of Work), fills in details, or otherwise serves to accomplish the contractual statement of work.

(2) Provide advice and guidance to the contractor in the preparation of drawings, specifications, or technical portions of the work description.

(3) Review and, where required by the contract, approve technical reports, drawings, specifications, and technical information to be delivered by the contractor to the Government under the contract.

(c) Technical direction must be within the general statement of work stated in the contract. The project officer does not have the authority to and may not issue any technical direction which:

(1) Constitutes an assignment of work outside the general scope of the contract.

(2) Constitutes a change as defined in the "Changes" clause of this contract.

(3) In any way causes an increase or decrease in the total estimated contract cost, the fixed fee, if any, or the time required for contract performance.

(4) Changes any of the expressed terms, conditions, or specifications of the contract.

(5) Terminates the contract, settles any claim or dispute arising under the contract, or issues any unilateral directive whatever.

(d) All technical directions must be issued in writing by the project officer or must be confirmed by the project officer in writing within ten (10) working days after verbal issuance. A copy of the written direction must be furnished to the contracting officer. A copy of NRC Form 445, Request for Approval of Official Foreign Travel, which has received final approval from the NRC must be furnished to the contracting officer.

(e) The contractor shall proceed promptly with the performance of technical directions duly issued by the project officer in the manner prescribed by this clause and within the project officer's authority under the provisions of this clause.

(f) If, in the opinion of the contractor, any instruction or direction issued by the project officer is within one of the categories defined in paragraph (c) of this section, the contractor may not proceed but shall notify the contracting officer in writing within five (5) working days after the receipt of any instruction or direction and shall request that contracting officer to modify the contract accordingly. Upon receiving the notification from the contractor, the contracting officer shall issue an appropriate contract modification or advise the contractor in writing that, in the contracting officer's opinion, the technical direction is within the scope of this article and does not constitute a change under the "Changes" clause.

(g) Any unauthorized commitment or direction issued by the project officer may result in an unnecessary delay in the contractor's performance and may even result in the contractor expending funds for unallowable costs under the contract.

(h) A failure of the parties to agree upon the nature of the instruction or direction or upon the contract action to be taken with respect to the instruction or direction is subject to 52.233-1 - Disputes.

(i) In addition to providing technical direction as defined in paragraph (b) of the section, the project officer shall:

(1) Monitor the contractor's technical progress, including surveillance and assessment of performance, and recommend to the contracting officer changes in requirements.

(2) Assist the contractor in the resolution of technical problems encountered during performance.

(3) Review all costs requested for reimbursement by the contractor and submit to the contracting officer recommendations for approval, disapproval, or suspension of payment for supplies and services required under this contract.

9. NRCH490 AWARD NOTIFICATION AND COMMITMENT OF PUBLIC FUNDS

(a) All offerors will receive preaward and postaward notices in accordance with FAR 15.503.

(b) It is also brought to your attention that the contracting officer is the only individual who can legally obligate funds or commit the NRC to the expenditure of public funds in connection with this procurement. This means that unless provided in a contract document or specifically authorized by the contracting officer, NRC technical personnel may not issue contract modifications, give formal contractual commitments, or otherwise bind, commit, or obligate the NRC contractually. Informal unauthorized commitments, which do not obligate the NRC and do not entitle the contractor to payment, may include:

(1) Encouraging a potential contractor to incur costs prior to receiving a contract;

(2) Requesting or requiring a contractor to make changes under a contract without formal contract modifications;

(3) Encouraging a contractor to incur costs under a cost-reimbursable contract in excess of those costs contractually allowable; and

(4) Committing the Government to a course of action with regard to a potential contract, contract change, claim, or dispute.

10. 52.217-9 OPTION TO EXTEND THE TERM OF THE CONTRACT.

As prescribed in 17.208(g), insert a clause substantially the same as the following:

Option to Extend the Term of the Contract (Mar 2000)

(a) The Government may extend the term of this contract by written notice to the Contractor within 10 days; provided that the Government gives the Contractor a preliminary written notice of its intent to extend at least 10 days before the contract expires. The preliminary notice does not commit the Government to an extension.

(b) If the Government exercises this option, the extended contract shall be considered to include this option clause.

(c) The total duration of this contract, including the exercise of any options under this clause, shall not exceed August 9, 2020.

(End of clause)

COVER PAGE ADDENDUM TO:

PERFORMANCE WORK STATEMENT

Information Technology Solutions - Independent Verification and Validation Support (ITS-IV&V)

Project Title: Independent Verification and Validation for the Strategic Acquisition System
Job Code or Funding Template: Cost Center = 2015-X0200-FEEBASED-40-40D007-51-P-156-6031-252A
Fee Recoverable: No.
TAC Code: N/A
NRC Requesting Office: Office of Administration, Acquisition Management Division

TASK ORDER PERFORMANCE WORK STATEMENT (PWS)

1. PROJECT TITLE

Support for the NRC's Strategic Acquisition System including quality assurance, validation of maintenance releases, and support for system security.

2. INTRODUCTION

The U.S. Nuclear Regulatory Commission's Office of Administration, Acquisition Management Division is responsible for overseeing the agency's procurement activities. The Strategic Acquisition System (STAQS) provides the information technology that supports the procurement business process. STAQS was deployed on October 11, 2013 and is an implementation of the PRISM Acquisition Software Suite by Compusearch, Inc. configured to meet the requirements of the NRC. STAQS interfaces in real-time with the agency's financial system, Financial Accounting and Information Management System (FAIMIS), using the Oracle Service Oriented Architecture suite to commit and obligate agency funds using commercial contracts, Financial Assistance Grants, DOE lab agreements, and Interagency Agreements (IAAs). The NRC needs independent verification and validation services to support operations and maintenance of STAQS and to ensure that STAQS and FAIMIS remain synchronized with respect to procurement data. The NRC also needs independent verification and validation services to support STAQS system security needs.

3. SCOPE

Independent Verification and Validation (IV&V) services are necessary to the operations and maintenance of STAQS. The selected contractor shall provide services to support the Government with the review and validation of all deliverables developed by the system integrator, the system hosting provider, STAQS support staff, and FAIMIS support staff. Specifically, the contractor shall perform the independent review and validation in order to assist the NRC by meeting the following objectives:

1. Review system configuration and design deliverables for accuracy and completeness based on the stated requirements.

2. Review additional contract deliverables. Additional contract deliverables include, but are not limited to, test plans and test scripts, system interface requirements, user training materials, Information Technology (IT) security continuous monitoring deliverables, and IT security documentation.

3. Provide on-going advice and assistance to the NRC Contracting Officer's Representative (COR) for actionable items identified during the operations and maintenance of STAQS, including, but not limited to: quality assurance that STAQS and FAIMIS remain synchronized with respect to acquisition data, support for financial systems and other NRC mandated audits, support for IT security documentation updates, support for emergent security items initiated through Federal initiatives and NRC CSO or OIS actions, and support for IT security Plans of Action and Milestones (POAMS).

4. Provide final reports of the findings and recommendations from the review of the contract deliverables.

5. Assist the NRC COR with tasks needed to successfully execute all testing of system maintenance releases for commercial contracts, financial assistance procurements, IAAs, DOE laboratory agreements, internal interfaces (FAIMIS, CRISP), and external interfaces (e.g., SAM, FPDS, FAADS).

6. Assist the NRC COR with tasks such as systems compliance reviews, quality assurance reviews, ITIM program and project reviews, feasibility studies, technology assessments, business case development support, system integration planning, and system and acceptance testing.

7. Assist the NRC COR with tasks supporting STAQS related efforts implementing key and required ITIM Federal statutes and policies such as the Clinger Cohen Act, Government Performance Results Act, Paperwork Reduction Act, Federal Information Security Management Act, OMB Circulars and in responding to requirements of various financial, security and OIG audits.

8. Assist the NRC COR in conducting independent third party assessments, studies, and reviews of information technology and information management (ITIM) products, projects, services, and systems.

9. Assist the NRC COR in supporting the work of other STAQS supporting organizations and vendors, such as the STAQS Change Control Board, STAQS Help Desk, STAQS Hosting Services Provider, Reporting Services providers and STAQS Application Vendor.

4. PERFORMANCE REQUIREMENTS

TASK 4.1 - REVIEW OF SYSTEM CONFIGURATION, DESIGN, AND IT SECURITY DELIVERABLES

The contractor shall perform reviews of the system configuration and design deliverables. These deliverables will include, but not be limited to, design documents, the quality assurance plan, the test plan, data conversion scripts, interface documentation, test result summaries, IT security continuous monitoring products, IT security documentation, and user training materials. In reviewing each deliverable, the contractor shall inform the NRC COR of any issues with accuracy or potential project risk.

For each deliverable review, the contractor shall assess compliance with NRC requirements, the approved design, applicable standards, and absence of techniques that may reduce maintainability or extensibility.

The contractor shall summarize the audit results in a written report delivered to the NRC COR within five (5) days after the completion of the audit or as directed by the NRC COR. An audit is required when change to the baseline product configuration occurs. As part of these reviews, the contractor shall ensure the system configuration complies with Section 508 of the Rehabilitation Act of 1973, as amended, and the applicable technical standards (36 CFR 1194).

TASK 4.2 - IT SECURITY

The contractor shall comply with all IT security requirements as stated in MD 12.5, as well as the following security management directives:

• MD 12.1 NRC Facility Security Program
• MD 12.2 NRC Classified Information Security Program
• MD 12.3 NRC Personnel Security Program
• MD 12.4 NRC Telecommunication System Security Program
• MD 12.5 NRC Automated Information Security Program
• MD 12.7 NRC Safeguard Information Security Program

All work under this task order shall comply with the latest version of all applicable guidanceand standards. These standards include, but are not limited to, NRC MD 12.5 AutomatedInformation Security Program, National Institute of Standards and Technology (NIST)guidance and Federal Information Processing Standards (FIPS), and Committee onNational Security Systems (CNSS) policy, policy, directives, instructions, and guidance.This information is available at the following URLs:

NRC Policies, Procedures and Standards (Computer Security Office (CSO) internalwebsite): http:Ilwww. internal.nrc.govlCSO/policies.html

All NRC Management Directives (public website):http://www.n rc.gov/reading-rm/doc-collections/management-di rectivesl

NIST Special Publications (SP) and FIPS documentation is located at:http://csrc.nist.gov/

CNSS documents are located at:http:llwww.cnss.govl

All studies must address NRC and federal security requirements from laws, standards,and guidelines. All work performed at non-NRC facilities shall be in facilities, on networks,and on computers that have been accredited by NRC for processing information at thesensitivity level of the information being processed.

The contractor shall ensure that its employees, in performance of the contract, receive ITsecurity training in their role at the contractor's expense. The contractor must provide theNRC with written certification that employee training is complete, along with the title of thecourse and dates of training, as a prerequisite to starting work on the contract.The contractor shall not publish or disclose in any manner, without the NRC CO's writtenconsent, the details of any protections either designed or developed by the contractorunder this contract or otherwise provided by the government. The System Security Planand other information system security documentation for this contract are consideredSensitive Unclassified Information. The contractor agrees to abide by NRC regulations forhandling sensitive unclassified information governed by the NRC's Sensitive UnclassifiedNon-Safeguards Information program (SUNSI) and NRC's Management Directive 12.5,"NRC AuCORated Information Security Program."

Any contract going into FY 2013 must account for the modifications taking place for Controlled Unclassified Information to replace SUNSI and Safeguards Information (SGI).

When e-mail is used, the contractors shall only use NRC provided e-mail accounts to send and receive sensitive information (information that is not releasable to the public) or use mechanisms to protect the information during transmission to NRC that have been approved by CSO. Separation of duties for the systems must be enforced by the system through assigned access authorizations. The information system shall provide only essential capabilities and specifically prohibit and/or restrict the use of specified functions, ports, protocols, and/or services. The most restrictive set of rights/privileges or accesses needed by users (or processes acting on behalf of users) for the performance of specified tasks must be enforced by the system through assigned access authorizations.

The contractor shall only use licensed software and in-house developed authorized code (including government and contractor developed) on the system and for processing government information. Public domain, shareware, or freeware shall only be installed after prior written approval is obtained from the NRC Designated Approving Authority (DAA). The contractor shall provide proof of licensing upon request of the NRC CO, the Contracting Officer's Technical Representative, the Senior IT Security Officer (SITSO), or the DAA.

All development and testing environments of the system shall be performed on a network separate and isolated from the NRC operational network and that is protected at the system sensitivity level. All system computers must be properly configured and hardened and comply with all NRC security policies and procedures based on the sensitivity of the system.

User accounts that have system-level or administrative privileges must have a unique password from all other accounts held by that user, and general user tasks must be performed from a general user account, not from the administrative account.

The contractor shall not hardcode any passwords into the software unless the password only appears on the server side (e.g., using server-side technology such as Active Server Pages, Hypertext Preprocessor, or JavaServer Pages).

All sensitive data transmitted over a network by the system shall use FIPS 140-2 validated encryption. The contractor shall provide the FIPS 140-2 cryptographic module certificate number and a brief description of the encryption module that includes the encryption algorithm(s) used, the key length, and the vendor of the product.

All media produced by the contractor must include appropriate markings to indicate the sensitivity of the information contained on the media, and the media shall be controlled according to that sensitivity. The contractor shall adhere to NRC policies, including but not limited to:

* NRC Sensitive Unclassified Non-Safeguards Information (SUNSI)
* Computer Security Policy for Encryption of Data at Rest When Outside of Agency Facilities
* Policy for Copying, Scanning, Printing, and Faxing SGI & Classified Information
* Computer Security Information Protection Policy
* Remote Access Policy
* Laptop Security Policy
* Computer Security Incident Response Policy

All systems used to process NRC sensitive information shall meet NRC configuration standards available at: http://www.internal.nrc.gov/CSO/standards.html. The contractor will adhere to NRC's prohibition of using personal devices to process and store NRC sensitive information.

Any IT system used to process NRC sensitive information shall:

* Include a mechanism to require users to uniquely identify themselves to the system before beginning to perform any other actions that the system is expected to provide.

* Be able to authenticate data that includes information for verifying the claimed identity of individual users (e.g., passwords)

* Protect authentication data so that it cannot be accessed by any unauthorized user

* Be able to enforce individual accountability by providing the capability to uniquely identify each individual computer system user

* Report to appropriate security personnel when attempts are made to guess the authentication data whether inadvertently or deliberately

Any contractor system being used to process NRC data shall be able to define and enforce access privileges for individual users. The discretionary access control mechanisms shall be configurable to protect objects (e.g., files, folders) from unauthorized access. The contractors shall only use NRC approved methods to send and receive information considered sensitive or classified. Specifically:

* Classified Information - All NRC classified data being transmitted over a network shall use NSA approved encryption and adhere to guidance in MD 12.2 NRC Classified Information Security Program, MD 12.5 NRC Automated Information Security Program and Committee on National Security Systems. Classified processing shall be only within facilities, computers, and spaces that have been specifically approved for classified processing.

* SGI Information - All SGI being transmitted over a network shall adhere to guidance in MD 12.7 NRC Safeguards Information Security Program and MD 12.5 NRC Automated Information Security Program. SGI processing shall be only within facilities, computers, and spaces that have been specifically approved for SGI processing. Information designated as SGI may only be transmitted using FIPS 140-2 validated encryption or encryption approved for classified processing.

For unclassified information used for the IV&V effort, the contractor shall provide an information security categorization document indicating the sensitivity of the information processed as part of this contract if the information security categorization was not provided in the statement of work. The determination shall be made using NIST SP 800-60 and must be approved by CSO. The NRC COR and NRC PM shall be notified immediately if the contractor begins to process information at a higher sensitivity level. If the effort includes use or processing of classified information, the NRC COR and NRC PM shall be notified immediately if the contractor begins to process information at a more restrictive classification level. The mechanisms within the contractor system or application that enforce access control and other security features shall be continuously protected against tampering and/or unauthorized changes.

* All contractor employees must acknowledge the NRC Agency-wide Rules of Behavior for Authorized Computer Use prior to being granted access to NRC computing resources.

* The contractor must ensure that required refresher training for their employees is accomplished in accordance with the required frequency specifically associated with their IT security role.

* If new or unanticipated threats or hazards are discovered by either the government or the contractor, or if existing protections have ceased to function, the discoverer shall immediately bring the situation to the attention of the other party.

* The contractor shall ensure that the NRC data processed during the performance of this contract shall be purged from all data storage components of the contractor's computer facility, and the contractor will retain no NRC data within 30 calendar days after contract completion. Until all data is purged, the contractor shall ensure that any NRC data remaining in any storage component will be protected to prevent unauthorized disclosure.

* When contractor employees no longer require access to an NRC system, the contractor shall notify the NRC PO within 24 hours.

* Upon contract completion, the contractor shall provide a status list of all NRC system users and shall note if any users still require access to the system to perform work if a follow-on contract or task order has been approved by NRC.

Task 4.2.1 - IT Security Support

The contractor shall provide limited technical assistance and support for specific activities related to the system IT security continuous monitoring process. The contractor shall support the NRC's OIS and other NRC security personnel and contractors in understanding the system architecture and technological concerns related to continuous monitoring.

The contractor shall support IT security continuous monitoring through reviewing all continuous monitoring deliverables and coordinating the distribution of these deliverables according to Agency policy and procedure to keep the NRC Computer Security Office (CSO) informed concerning system vulnerabilities and POAMS.

The contractor shall support financial system audits and other audits by providing the auditors documentation identified for each audit.

The contractor shall update STAQS security documentation as necessary to maintain currency.

All system modifications shall undergo a security engineering review commensurate with the Security Categorization of the system and the NRC SITSO/DAA-approved FIPS 199 security baseline for the system. The contractor shall perform reviews of system test plans to ensure that all system modifications address the security controls as specified in FIPS 200, and NIST SP 800-53 and 800-53A, or the then current publication.

Additionally, the contractor shall review the test results of all changes to ensure that any change to existing security controls or requirements for new security controls are implemented and tested by the system integrator. The criteria for testing and acceptance shall be based on the original content of the release together with the technical approach/design, as approved by the NRC task manager. The contractor shall support the NRC task manager in verifying that valid test cases are provided for all of the release's requirements. A "valid test case" is one that will fully exercise and verify the change requests (CR) requirements. The test plans shall also exercise the systems' security controls and security requirements and associated technical resolutions, risk mitigation, and implementations to confirm that the system and associated controls are operating as intended, and in accordance with FIPS 200, and NIST SP 800-53 and 800-53A, NIST SP 800-37 Guide for the Security Certification and Accreditation of Federal Information Systems, and the NRC System Security Test and Evaluation (ST&E) Plan Template. The contractor shall update the test plan after completion of the system security test and evaluation plan test report to reflect validated information. The NRC SITSO/DAA must approve the final system ST&E test report to enable system release deployment.

TASK 4.3 - QUALITY ASSURANCE


The contractor shall ensure the quality and integrity of acquisition data sent through the interfaces between STAQS and FAIMIS by performing a review and comparison of the data based on system requirements and design criteria. The contractor shall analyze all discrepancies and identify the actions needed to correct each discrepancy.

The contractor shall investigate reported system defects, confirming their existence, proposing a short-term work-around, defining relationships to stated system requirements, evaluating maintainer-proposed solutions, and providing recommendations to NRC staff.

Task 4.3.1 - System Change Control

The contractor shall review, for clarity and completeness, proposed system changes to STAQS under maintenance and provide recommendations to the NRC COR. The contractor shall verify that each CR specification was implemented.

The contractor shall serve as an expert advisor to the STAQS Change Control Board (CCB). In this capacity, the contractor shall explain the implications of each defect or proposed enhancement that is under consideration by the CCB. The contractor shall also advise the NRC PO and NRC COR during the evaluation of maintainer cost and schedule proposals.

The contractor shall support the NRC COR in managing and maintaining STAQS CCB documentation and artifacts. The contractor shall assist the NRC COR in the management and operation of the STAQS CCB.

TASK 4.4 - TESTING SUPPORT FOR STAQS MAINTENANCE RELEASES

The contractor shall provide comprehensive technical assistance and support for NRC with all stages of testing. The contractor shall review the system documentation and monitor the performance of the following testing phases for accuracy and performance:

* System Unit Testing
* System Interface Testing
* Performance Testing
* End-to-End Testing
* User Acceptance Testing

The contractor shall provide support with user acceptance testing (UAT). UAT testing should be in concert with the requirements established in the system requirements and design. This support shall include development of user support test plans, ensuring coverage of all requirements, and shall include development of test plans and test scripts for automated performance of acceptance testing. The contractor shall execute test scripts and supplement the NRC user role to the extent directed by the NRC COR. Test scripts shall be automated unless otherwise directed by the NRC COR. The contractor shall develop automated scripts in the IBM Rational Robot, Functional Tester, and Manual Test tools.

5. PERFORMANCE STANDARDS


Performance standards establish the performance levels required by the Government. All of these standards shall be captured and clearly displayed in a Quality Assurance Surveillance Plan (QASP).

The deliverables required under this order must conform to the standards contained, or referenced, in this statement of work. All deliverables required under this order must be delivered to the NRC in electronic format (in both Microsoft Word and ADOBE Acrobat Portable Document Format PDF). Submissions must follow NRC Guidance for Electronic Submissions; see http://www.nrc.gov/site-help/e-submittals/guide-electronic-subr5.pdf. At the same time, the contractor shall also provide with each deliverable any peripheral Microsoft files (e.g., Project or Excel), if applicable, to the NRC COR. The contractor shall deliver draft and final versions of all deliverables required under this order, addressing NRC comments and concerns prior to delivery of the final version of each product.

6. DELIVERABLES AND DELIVERY SCHEDULE

In fulfillment of this effort, the Contractor shall provide the following deliverables. All deliverables shall be submitted to the NRC COR, unless otherwise agreed upon. Unless otherwise specified, the Government will have a maximum of ten (10) working days from the day the draft deliverable is received to review the document, provide comments back to the Contractor, approve or disapprove the deliverable(s). The Contractor will also have a maximum of ten (10) working days from the day comments are received to incorporate all changes and submit the final deliverable to the Government. All days identified below are intended to be workdays unless otherwise specified.

6.1 PROJECT MANAGEMENT PLAN

The contractor shall prepare a Project Management Plan describing the technical approach, organizational resources and management controls to be employed to meet the cost, performance and schedule requirements for this effort. The Project Management Plan shall detail the products, methods for developing the products, allocation of staff and other resources necessary to produce the products and a revised timeline for producing the products, if necessary. The NRC COR shall receive the revised Project Management Plan in electronic form (Microsoft Word or PDF). Based on the Project Management Plan, the NRC COR will provide approval to move forward on planned activities. The contractor shall request prior approval on all activities not included in the plan or any modifications to the plan after approval has been given.

6.2 MONTHLY TECHNICAL STATUS REPORT

The contractor shall document the efforts performed in the completion of each task in a detailed Monthly Status Report due on the 30th of each month. The status report shall include, at a minimum:

a) Progress for the period: detailed progress report of findings, activities and accomplishments during the reporting period, and summary of work accomplished during the reporting period and percent complete.

b) Activities planned for the next reporting period: planned activities, as well as the status of any/all deliverables, including planned delivery date(s) and actual and/or anticipated delivery dates.

c) Problems encountered: identification of any problems, issues or delays and recommendations as to their resolution, and any corrective action that was taken to correct identified problems.

6.3 MONTHLY FINANCIAL STATUS REPORT

The contractor shall document the financial status of the task order in a detailed Monthly Status Report due on or before the 30th of each month. The status report shall include, at a minimum:

a) Financial Summary for the period, ceiling amount remaining and obligated amount remaining.

6.4 QUALITY CONTROL PLAN

The Contractor shall develop and maintain a complete Quality Control Plan (QCP) to ensure that the requirements of the task order are performed in accordance with this PWS. The QCP shall describe the methods for identifying, preventing, and ensuring any defective services are corrected before the level of performance becomes unacceptable. The Contractor's QCP shall address the tasks in section 4, Performance Requirements, of this PWS.

One copy of the Contractor's QCP shall be provided to the CO at the time its proposal is submitted. After acceptance of the QCP the contractor shall receive the CO acceptance in writing of any proposed changes to its plan. An updated copy of the QCP will be requested by the COR as changes occur during the performance of the contract.

Summary of deliverables and due dates:

Task | Service/Deliverable | Due Date
6.1 | Project Management Plan | Five (5) days after date of award
6.2 | Monthly Technical Status Report | Recurring
6.3 | Monthly Financial Status Report | Recurring
6.4 | Quality Control Plan | Recurring

7. GOVERNMENT-FURNISHED PROPERTY

The Government will not provide any property or equipment to the Contractor for performance of work under this delivery order.

8. PLACE OF PERFORMANCE

It is anticipated that the majority of the work under this task order will be performed for NRC's Headquarters in Rockville, Maryland. However, if space limitations exist which prevent the contractor from working on-site, the TO COR may authorize the Contractor to work at the contractor's facility.

9. TRAVEL


Only local travel is expected to take place to and from NRC headquarters; the contractor will not be reimbursed for expenses related to local travel.

10. SECURITY

Performance on this contract will not require access to classified information. The Contractor requires unescorted building access to NRC HQ as well as access to NRC IT systems. All contractors must meet the requirements for receiving this level of access before they can perform work on the contract.

11. SPECIAL QUALIFICATIONS / KEY PERSONNEL REQUIREMENTS

The Contractor shall provide personnel resumes for all individuals anticipated to perform this effort. Resumes should be directed to the specific needs of the order and not be general in nature. For example -

- Contractor personnel responding to testing requirements in the task should include information in their resume describing demonstrable professional qualifications, certifications, skillset, experience, knowledge of PRISM, and of testing processes and technologies relating to procurement systems, financial systems and financial interfaces.

- Contractor personnel responding to PRISM system security support in the task should include information in their resume describing demonstrable professional qualifications, certifications, skillset, experience, knowledge of PRISM, the NRC security and infrastructure environment, of security processes, and of mandated Federal technology and security related guidelines and requirements.

Resumes shall be included for all subcontractor/consultant/team partner personnel, if known. The Contractor shall provide firm written commitments from any subcontractor/consultant/team partner personnel. The Contractor shall identify relevant experience of key personnel proposed and organizational resources to be dedicated to the effort, including staffing at the task level. The plan shall identify the team members proposed for each task, their associated skill sets, and labor category title. The overall mix of labor and availability of key personnel with knowledge and experience to accomplish each task shall be discussed, as well as all proposed subcontract personnel or teaming arrangements in relation to the effort/task that they are proposed to perform.

12. SECTION 508 - ELECTRONIC AND INFORMATION TECHNOLOGY STANDARDS

In December 2000, the Architectural and Transportation Barriers Compliance Board (Access Board), pursuant to Section 508(2)(A) of the Rehabilitation Act Amendments of 1998, established information technology accessibility standards for the federal government. Section 508(a)(1) requires that when federal departments or agencies develop, procure, maintain, or use Electronic and Information Technology (EIT), they shall ensure that the EIT allows federal employees with disabilities to have access to and use of information and data that is comparable to the access to and use of information and data by other Federal employees. The Section 508 requirement also applies to members of the public seeking information or services from a federal department or agency. Section 508 text is available at http://www.opm.gov/HTML/508-textOfLaw.htm or http://www.section508.gov/

All Electronic and Information Technology (EIT), as defined at FAR 2.101, supplied under this contract/order must conform to the Architectural and Transportation Barriers Compliance Board Electronic and Information Technology Accessibility Standards (36 CFR Part 1194). The applicable standards are available at: http://www.access-board.gov/sec508/guide/index.htm

The following standards are applicable to this contract/order:

* Software Applications and Operating Systems (1194.21)
* Web-based Intranet and Internet Information and Applications (1194.22)
* Telecommunications Products (1194.23)
* Video and Multimedia Products (1194.24)
* Self-Contained, Closed Products (1194.25)
* Desktop and Portable Computers (1194.26)


Quality Assurance Plan

PWS Reference | Activity | Standard | Acceptable Performance Level (APL) | Measurement (Source) | Surveillance Method

6.1 | Project Management | Produce a monthly Project Status Report | Report shall identify all tasks, responsible individual, due date, and within 2 business days of receipt of the tasks. | Report shall contain accurate information. | Monthly Status report will be submitted on the 30th day of each month. | 100% COR review

6.1, 6.2 | Project Management | Accurate and complete project documents shall be delivered to the COR within 3 days | No more than 2 revisions will be allowed for each document. | Monthly Status report will be submitted on the 30th day of each month. | 100% COR review

6.1, 6.2 | Project Management | Accurately complete the tasks | Report shall contain no more than 5% inaccurate information | Monthly Status report will be submitted on the 30th day of each month. | 100% COR review

6.3 | Project Management | Accurately report monthly spending | Report shall contain 100% accurate information | Monthly Status report will be submitted on the 30th day of each month. | 100% COR review

6.4 | Application and Data integrity Quality Assurance | Application Support | Identify and resolve errors in the STAQS application and STAQS data; capture metrics, report test results | Processes and procedures for STAQS quality assurance activities | 100% COR review

4.1, 4.2 | Security review and documentation | Application Support | Resolve STAQS system security and accreditation requirements; complete security and audit related reviews and documentation drafts | Processes and procedures for STAQS security and audit activities | 100% COR review


NRC FORM 187 (12-2014)
U.S. NUCLEAR REGULATORY COMMISSION

CONTRACT SECURITY AND/OR CLASSIFICATION REQUIREMENTS

1. Type of Submission: New Requirement

2. Type of Contract

3. Contractor Company Full Name and Complete Address (Prime Contractor): RFQ ADM-15-0283 under IV&V BPA's NRC-HQ-10-15-A-0003, NRC-HQ-10-15-A00, and NRC-HQ-10-15-A-0005

4. Contract Number, IAA Number, or Job Code for DOE Projects

5. Contract Start Date

6. Contract End Date

7. Is this contract a follow-on contract? If Yes, provide previous Contract Number. Yes / No. NRC-DR-33-10-324 task 6

8. Contractor Cage Code or DOE Facility Code: TBD

9. Contract Performance Requirements

A. Will the contract require access to classified matter (information, systems, and/or material) (i.e., 32 CFR Part 2004 or MD 12.2)? Yes (continue) / No (if no, proceed to Block E)

B. What is the highest level of classified matter the contractor will need to access to perform contract responsibilities?

Select 1st Level of Classification / Select 2nd Level of Classification

C. To carry out requirements of the contract, will the contractor need to possess, generate, or store classified matter at the contractor facility location? Yes (continue) / No (if no, proceed to Block 9.E)

D. Choose all that apply: In regards to classified matter, the contractor will require:

1) Access to Foreign Intelligence Information
2) Receipt and storage (i.e., safeguarding) of classified matter
3) Access to cryptographic material or other classified COMSEC information
4) Access to classified matter or information processed by another agency
5) Use of a classified information technology
6) Generation of classified at Contractor facility location
7) Generation of classified matter at an NRC facility

E. Will the contractor require access to Safeguards Information or Safeguards Information - Modified Handling information (i.e., 10 CFR 73.21, 73.22, and/or 73.23)? Yes / No

F. Will the contractor possess, generate, or store SGI or SGI-M at the contractor facility? Yes / No

G. Will the contractor require access to Sensitive Unclassified Non-Safeguards Information (SUNSI) or sensitive information technology (IT) Systems (i.e., MD 12.6)? Yes / No

H. Will the contractor possess, generate, or store SUNSI or have access to NRC sensitive IT systems at the contractor facility? Yes / No

I. Was "Yes" checked to Block 9.A., Block 9.C., Block 9.E., or Block 9.H.? Yes / No
(If "Yes", then a Facility Clearance including a security plan is required to be issued for the contractor by the Facilities Security Branch before final award of the contract and before work can begin on the contract.)

J. Choose all that apply:

1) Unescorted Access is required to Nuclear Power Plants.
2) Access is required to Unclassified Safeguards Information.
3) Access is required to Sensitive IT Systems and Data.
4) Unescorted Access to NRC Headquarters Building.
5) Require operation of government vehicles or transport passengers for the NRC.
6) Will operate hazardous equipment at NRC facilities.
7) Required to carry firearms.
8) Found to use or admit to use of illegal drugs.

NRC FORM 187 (12-2014) Page 1 of 4


NRC FORM 187 (12-2014)
U.S. NUCLEAR REGULATORY COMMISSION

CONTRACT SECURITY AND/OR CLASSIFICATION REQUIREMENTS (Continued)

10. Classification Guidance (to be completed by the COR)

11. Does this contract contain any subcontractors? Yes / No
If "Yes", provide company name and address. If known, also provide Defense Security Service cage code. If more than one subcontractor, provide additional information to Facilities Security Branch. If "No", leave area blank. (Note: It is the responsibility of the COR to notify FSB if the contract adds a subcontractor).

Subcontractor Company name, address and Defense Security Service cage code (if applicable)

12. Review of contractor/subcontractor reports, documents for classified, SGI, SGI-M, and/or SUNSI will be reviewed by:

Typed or Printed Name and Title of Authorized Classifier

Typed or Printed Name and Title of Authorized Derivative Classifier (for Classified Information)

Typed or Printed Name and Title of a Qualified Designator for SGI, and SGI-M (i.e., person must be qualified per MD 12.4)

13. Required Distribution of NRC Form 187 for Review (Check all appropriate boxes)

1) Sponsoring NRC Office or Division (Item 14A.)
2) Division of Facilities and Security (Item 14B.)
3) Division of Contracts and Property Management (Item 14C.)

C. Typed or Printed Name of Director, Acquisition Management Division

James Corbett, Director, AMD/ADM    Date