AMENDMENT NOTICE: This is a combined synopsis/solicitation for commercial items prepared in accordance with the format in FAR Subpart 12.6, as supplemented with additional information included in this notice. The solicitation number is 70FBR924R00000001 and is issued as a Request for Quote (RFQ), unless otherwise indicated herein. The solicitation document and incorporated provisions and clauses are those in effect through Federal Acquisition Circular 2023-06. The associated North American Industrial Classification System (NAICS) code for this procurement is 611430 with a small business size standard of $15.00M.
This requirement is a Small Business Set-Aside and only qualified sellers may submit bids.
The solicitation pricing on https://marketplace.unisonglobal.com will start on the date this solicitation is posted, and, unless otherwise displayed at https://marketplace.unisonglobal.com, will end on: 2023-10-25 17:00:00.0 Eastern Time. This time supersedes the Offers Due Time listed above.
FOB Destination shall be in the Statement of Work.
The DHS Federal Emergency Management Agency requires the following items, Meet or Exceed, to the following:
LI 001: CLIN 0001 - The Contractor shall furnish all labor, tools, equipment, materials, consumable items, and supervision to complete Objectives 2.1, 2.2, 2.3, and 2.4 per the Statement of Work. Base Period - 2 Month Period of Performance, 2, MO;
LI 002: CLIN 0002 - The Contractor shall furnish all labor, tools, equipment, materials, consumable items, and supervision to complete Objective 2.5 per the Statement of Work. Base Period - 2 Month Period of Performance, 2, MO;
LI 003: CLIN 0003 - Travel Reimbursed per Federal Travel Guidelines. Base Period - 2 Month Period of Performance, 2, MO;
LI 004: CLIN 1001 - The Contractor shall furnish all labor, tools, equipment, materials, consumable items, and supervision to complete Objective 2.5 per the Statement of Work. Option Period 1 - 4 Month Period of Performance, 4, MO;
LI 005: CLIN 1002 - Travel Reimbursed per Federal Travel Guidelines. Option Period 1 - 4 Month Period of Performance, 4, MO;
***Question Submission: Interested Sellers must submit any questions concerning the solicitation at the earliest time possible to enable the Buyer to respond. Questions must be submitted by using the 'Submit a Question' feature at https://marketplace.unisonglobal.com. Questions not received within a reasonable time prior to close of the solicitation may not be considered.***
For this solicitation, DHS Federal Emergency Management Agency intends to conduct an online competitive reverse auction to be facilitated by the third-party reverse auction provider, Unison Marketplace. Unison Marketplace has developed an online, anonymous, browser based application to conduct the reverse auction. A Seller may submit a series of pricing bids, which descend in price during the specified period of time for the aforementioned reverse auction. DHS Federal Emergency Management Agency is taking this action in an effort to improve both vendor access and awareness of requests and the agency's ability to gather multiple, competed, real-time bids. All responsible Sellers that respond to this solicitation MUST submit the pricing portion of their bid using the online exchange located at https://marketplace.unisonglobal.com. There is no cost to register, review procurement data or make a bid on https://marketplace.unisonglobal.com. Sellers that are not currently registered to use https://marketplace.unisonglobal.com should proceed to https://marketplace.unisonglobal.com to complete their free registration. Sellers that require special considerations or assistance may contact Marketplace Support at 1.877.933.3243 or via email at marketplacesupport@unisonglobal.com. Sellers may not artificially manipulate the price of a transaction on https://marketplace.unisonglobal.com by any means. It is unacceptable to place bad faith bids, to use decoys in the https://marketplace.unisonglobal.com process or to collude with the intent or effect of hampering the competitive https://marketplace.unisonglobal.com process. Should Sellers require additional clarification, notify the point of contact or Marketplace Support at 1.877.933.3243 or marketplacesupport@unisonglobal.com.
Use of Unison Marketplace: Buyers and Sellers agree to conduct this transaction through Unison Marketplace in compliance with the Unison Marketplace Terms of Use. Failure to comply with the below terms and conditions may result in the offer being determined as non-responsive.
Unless the Buyer indicates otherwise within a particular line item description, each Seller shall include in its online Bid individual pricing for all required line items in order to be considered for award (i.e., do not use the "Included in another line item" function when pricing each line item). If a line item cannot be separately priced, you must notify the buyer through the Unison 'Submit a Question' feature regarding which line item(s) should be included in which other line item(s) and request reposting. Failure to comply with this term may result in the Bid being determined to be non-responsive.
Bid MUST be good for 30 calendar days after close of Buy.
This solicitation requires registration with the System for Award Management (SAM) at the time an offer is submitted or prior to award, excluding the exceptions outlined in FAR 4.1102(a). Registration information can be found at www.sam.gov.
The selected Offeror must comply with the following commercial item terms and conditions, which are incorporated herein by reference: FAR 52.212-1, Instructions to Offerors - Commercial Items, applies to this acquisition; FAR 52.212-3, Offeror Representations and Certifications - Commercial Items - the selected offeror must submit a completed copy of the listed representations and certifications; FAR 52.212-4, Contract Terms and Conditions - Commercial Items; FAR 52.212-5, Contract Terms and Conditions Required To Implement Statutes or Executive Orders-Commercial Items, paragraph (a) and the following clauses in paragraph (b): 52.222-21, 52.222-26, 52.222-35, 52.222-36, 52.222-37, 52.225-13, 52.232-34. The full text of the referenced FAR clauses may be accessed electronically at https://www.acquisition.gov/far/.
FAR 52.212-4, Contract Terms and Conditions - Commercial Items; FAR 52.212-5, Contract Terms and Conditions Required To Implement Statutes or Executive Orders-Commercial Items, paragraph (a) and the following clauses in paragraph (b): 52.222-21, 52.222-26, 52.222-35, 52.222-36, 52.222-37, 52.225-13, 52.232-34. The full text of the referenced FAR clauses may be accessed electronically at http://www.acqnet.gov/far.
Q&A - Please submit all questions by using the 'Submit a Question' button. This buy will then be reposted with Q&A based on the questions that come in (if applicable).
In addition to providing pricing at www.unisonmarketplace.com for this solicitation, each Offeror must provide any required, NON-PRICING responses (e.g. technical proposal, representations and certifications, etc.) so that they are received no later than the closing date and time for this solicitation. Submissions can be sent to marketplacesupport@unisonglobal.com. Technical Proposal not to exceed 15 pages, in 12 point Times New Roman, single spaced.
(a) Definitions. As used in this clause:
Covered article means any hardware, software, or service that:
(1) Is developed or provided by a covered entity;
(2) Includes any hardware, software, or service developed or provided in whole or in part by a covered entity; or
(3) Contains components using any hardware or software developed in whole or in part by a covered entity.
Covered entity means:
(1) Kaspersky Lab;
(2) Any successor entity to Kaspersky Lab;
(3) Any entity that controls, is controlled by, or is under common control with Kaspersky Lab; or
(4) Any entity of which Kaspersky Lab has a majority ownership.
(b) Prohibition. Section 1634 of Division A of the National Defense Authorization Act for Fiscal Year 2018 (Pub. L. 115-91) prohibits Government use of any covered article. The Contractor is prohibited from:
(1) Providing any covered article that the Government will use on or after October 1, 2018; and
(2) Using any covered article on or after October 1, 2018, in the development of data or deliverables first produced in the performance of the contract.
(c) Reporting requirement.
(1) In the event the Contractor identifies a covered article provided to the Government during contract performance, or the Contractor is notified of such by a subcontractor at any tier or by any other source, the Contractor shall report, in writing, via email, to the Contracting Officer, Contracting Officer's Representative, and the Enterprise Security Operations Center (SOC) at NDAA_Incidents@hq.dhs.gov, with required information in the body of the email. In the case of the Department of Defense, the Contractor shall report to the website at https://dibnet.dod.mil. For indefinite delivery contracts, the Contractor shall report to the Enterprise SOC, Contracting Officer for the indefinite delivery contract and the Contracting Officer(s) and Contracting Officer's Representative(s) for any affected order or, in the case of the Department of Defense, identify both the indefinite delivery contract and any affected orders in the report provided at https://dibnet.dod.mil.
(2) The Contractor shall report the following information pursuant to paragraph (c)(1) of this clause:
(i) Within 1 business day from the date of such identification or notification: the contract number; the order number(s), if applicable; supplier name; brand; model number (Original Equipment Manufacturer (OEM) number, manufacturer part number, or wholesaler number); item description; and any readily available information about mitigation actions undertaken or recommended.
(ii) Within 10 business days of submitting the report pursuant to paragraph (c)(1) of this clause: any further available information about mitigation actions undertaken or recommended. In addition, the Contractor shall describe the efforts it undertook to prevent use or submission of a covered article, any reasons that led to the use or submission of the covered article, and any additional efforts that will be incorporated to prevent future use or submission of covered articles.
(d) Subcontracts. The Contractor shall insert the substance of this clause, including this paragraph (d), in all subcontracts, including subcontracts for the acquisition of commercial items.
(End of clause)
52.204-24 Representation Regarding Certain Telecommunications and Video Surveillance Services or Equipment.
As prescribed in 4.2105(a), insert the following provision:
Representation Regarding Certain Telecommunications and Video Surveillance Services or Equipment (AUG 2020)
The Offeror shall not complete the representation at paragraph (d)(1) of this provision if the Offeror has represented that it does not provide covered telecommunications equipment or services as a part of its offered products or services to the Government in the performance of any contract, subcontract, or other contractual instrument in the provision at 52.204-26, Covered Telecommunications Equipment or Services-Representation, or in paragraph (v) of the provision at 52.212-3, Offeror Representations and Certifications - Commercial Items.
(a) Definitions. As used in this provision: Backhaul, covered telecommunications equipment or services, critical technology, interconnection arrangements, reasonable inquiry, roaming, and substantial or essential component have the meanings provided in the clause 52.204-25, Prohibition on Contracting for Certain Telecommunications and Video Surveillance Services or Equipment.
(b) Prohibition.
(1) Section 889(a)(1)(A) of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (Pub. L. 115-232) prohibits the head of an executive agency on or after August 13, 2019, from procuring or obtaining, or extending or renewing a contract to procure or obtain, any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system. Nothing in the prohibition shall be construed to: (i) Prohibit the head of an executive agency from procuring with an entity to provide a service that connects to the facilities of a third-party, such as backhaul, roaming, or interconnection arrangements; or (ii) Cover telecommunications equipment that cannot route or redirect user data traffic or cannot permit visibility into any user data or packets that such equipment transmits or otherwise handles.
(2) Section 889(a)(1)(B) of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (Pub. L. 115-232) prohibits the head of an executive agency on or after August 13, 2020, from entering into a contract or extending or renewing a contract with an entity that uses any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system. This prohibition applies to the use of covered telecommunications equipment or services, regardless of whether that use is in performance of work under a Federal contract. Nothing in the prohibition shall be construed to: (i) Prohibit the head of an executive agency from procuring with an entity to provide a service that connects to the facilities of a third-party, such as backhaul, roaming, or interconnection arrangements; or (ii) Cover telecommunications equipment that cannot route or redirect user data traffic or cannot permit visibility into any user data or packets that such equipment transmits or otherwise handles.
(c) Procedures. The Offeror shall review the list of excluded parties in the System for Award Management (SAM) (https://www.sam.gov) for entities excluded from receiving federal awards for covered telecommunications equipment or services.
(d) Representations. The Offeror represents that:
(1) It [ ] will, [ ] will not provide covered telecommunications equipment or services to the Government in the performance of any contract, subcontract or other contractual instrument resulting from this solicitation. The Offeror shall provide the additional disclosure information required at paragraph (e)(1) of this section if the Offeror responds "will" in paragraph (d)(1) of this section; and
(2) After conducting a reasonable inquiry, for purposes of this representation, the Offeror represents that: It [ ] does, [ ] does not use covered telecommunications equipment or services, or use any equipment, system, or service that uses covered telecommunications equipment or services. The Offeror shall provide the additional disclosure information required at paragraph (e)(2) of this section if the Offeror responds "does" in paragraph (d)(2) of this section.
(e) Disclosures.
(1) Disclosure for the representation in paragraph (d)(1) of this provision. If the Offeror has responded "will" in the representation in paragraph (d)(1) of this provision, the Offeror shall provide the following information as part of the offer:
(i) For covered equipment: (A) The entity that produced the covered telecommunications equipment (include entity name, unique entity identifier, CAGE code, and whether the entity was the original equipment manufacturer (OEM) or a distributor, if known); (B) A description of all covered telecommunications equipment offered (include brand; model number, such as OEM number, manufacturer part number, or wholesaler number; and item description, as applicable); and (C) Explanation of the proposed use of covered telecommunications equipment and any factors relevant to determining if such use would be permissible under the prohibition in paragraph (b)(1) of this provision.
(ii) For covered services: (A) If the service is related to item maintenance: A description of all covered telecommunications services offered (include on the item being maintained: Brand; model number, such as OEM number, manufacturer part number, or wholesaler number; and item description, as applicable); or (B) If not associated with maintenance, the Product Service Code (PSC) of the service being provided; and explanation of the proposed use of covered telecommunications services and any factors relevant to determining if such use would be permissible under the prohibition in paragraph (b)(1) of this provision.
(2) Disclosure for the representation in paragraph (d)(2) of this provision. If the Offeror has responded "does" in the representation in paragraph (d)(2) of this provision, the Offeror shall provide the following information as part of the offer:
(i) For covered equipment: (A) The entity that produced the covered telecommunications equipment (include entity name, unique entity identifier, CAGE code, and whether the entity was the OEM or a distributor, if known); (B) A description of all covered telecommunications equipment offered (include brand; model number, such as OEM number, manufacturer part number, or wholesaler number; and item description, as applicable); and (C) Explanation of the proposed use of covered telecommunications equipment and any factors relevant to determining if such use would be permissible under the prohibition in paragraph (b)(2) of this provision.
(ii) For covered services: (A) If the service is related to item maintenance: A description of all covered telecommunications services offered (include on the item being maintained: Brand; model number, such as OEM number, manufacturer part number, or wholesaler number; and item description, as applicable); or (B) If not associated with maintenance, the PSC of the service being provided; and explanation of the proposed use of covered telecommunications services and any factors relevant to determining if such use would be permissible under the prohibition in paragraph (b)(2) of this provision.
(a) Definitions. As used in this clause:
Backhaul means intermediate links between the core network, or backbone network, and the small subnetworks at the edge of the network (e.g., connecting cell phones/towers to the core telephone network). Backhaul can be wireless (e.g., microwave) or wired (e.g., fiber optic, coaxial cable, Ethernet).
Covered foreign country means The People's Republic of China.
Covered telecommunications equipment or services means:
(1) Telecommunications equipment produced by Huawei Technologies Company or ZTE Corporation (or any subsidiary or affiliate of such entities);
(2) For the purpose of public safety, security of Government facilities, physical security surveillance of critical infrastructure, and other national security purposes, video surveillance and telecommunications equipment produced by Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, or Dahua Technology Company (or any subsidiary or affiliate of such entities);
(3) Telecommunications or video surveillance services provided by such entities or using such equipment; or
(4) Telecommunications or video surveillance equipment or services produced or provided by an entity that the Secretary of Defense, in consultation with the Director of National Intelligence or the Director of the Federal Bureau of Investigation, reasonably believes to be an entity owned or controlled by, or otherwise connected to, the government of a covered foreign country.
Critical technology means:
(1) Defense articles or defense services included on the United States Munitions List set forth in the International Traffic in Arms Regulations under subchapter M of chapter I of title 22, Code of Federal Regulations;
(2) Items included on the Commerce Control List set forth in Supplement No. 1 to part 774 of the Export Administration Regulations under subchapter C of chapter VII of title 15, Code of Federal Regulations, and controlled: (i) Pursuant to multilateral regimes, including for reasons relating to national security, chemical and biological weapons proliferation, nuclear nonproliferation, or missile technology; or (ii) For reasons relating to regional stability or surreptitious listening;
(3) Specially designed and prepared nuclear equipment, parts and components, materials, software, and technology covered by part 810 of title 10, Code of Federal Regulations (relating to assistance to foreign atomic energy activities);
(4) Nuclear facilities, equipment, and material covered by part 110 of title 10, Code of Federal Regulations (relating to export and import of nuclear equipment and material);
(5) Select agents and toxins covered by part 331 of title 7, Code of Federal Regulations, part 121 of title 9 of such Code, or part 73 of title 42 of such Code; or
(6) Emerging and foundational technologies controlled pursuant to section 1758 of the Export Control Reform Act of 2018 (50 U.S.C. 4817).
Interconnection arrangements means arrangements governing the physical connection of two or more networks to allow the use of another's network to hand off traffic where it is ultimately delivered (e.g., connection of a customer of telephone provider A to a customer of telephone company B) or sharing data and other information resources.
Reasonable inquiry means an inquiry designed to uncover any information in the entity's possession about the identity of the producer or provider of covered telecommunications equipment or services used by the entity that excludes the need to include an internal or third-party audit.
Roaming means cellular communications services (e.g., voice, video, data) received from a visited network when unable to connect to the facilities of the home network either because signal coverage is too weak or because traffic is too high.
Substantial or essential component means any component necessary for the proper function or performance of a piece of equipment, system, or service.
(b) Prohibition.
(1) Section 889(a)(1)(A) of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (Pub. L. 115-232) prohibits the head of an executive agency on or after August 13, 2019, from procuring or obtaining, or extending or renewing a contract to procure or obtain, any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system. The Contractor is prohibited from providing to the Government any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system, unless an exception at paragraph (c) of this clause applies or the covered telecommunication equipment or services are covered by a waiver described in FAR 4.2104.
(2) Section 889(a)(1)(B) of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (Pub. L. 115-232) prohibits the head of an executive agency on or after August 13, 2020, from entering into a contract, or extending or renewing a contract, with an entity that uses any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system, unless an exception at paragraph (c) of this clause applies or the covered telecommunication equipment or services are covered by a waiver described in FAR 4.2104. This prohibition applies to the use of covered telecommunications equipment or services, regardless of whether that use is in performance of work under a Federal contract.
(c) Exceptions. This clause does not prohibit contractors from providing:
(1) A service that connects to the facilities of a third-party, such as backhaul, roaming, or interconnection arrangements; or
(2) Telecommunications equipment that cannot route or redirect user data traffic or permit visibility into any user data or packets that such equipment transmits or otherwise handles.
(d) Reporting requirement.
(1) In the event the Contractor identifies covered telecommunications equipment or services used as a substantial or essential component of any system, or as critical technology as part of any system, during contract performance, or the Contractor is notified of such by a subcontractor at any tier or by any other source, the Contractor shall report the information in paragraph (d)(2) of this clause in writing via email to the Contracting Officer, Contracting Officer's Representative, and the Enterprise Security Operations Center (SOC) at NDAA_Incidents@hq.dhs.gov, with required information in the body of the email. In the case of the Department of Defense, the Contractor shall report to the website at https://dibnet.dod.mil. For indefinite delivery contracts, the Contractor shall report to the Enterprise SOC, Contracting Officer for the indefinite delivery contract and the Contracting Officer(s) and Contracting Officer's Representative(s) for any affected order or, in the case of the Department of Defense, identify both the indefinite delivery contract and any affected orders in the report provided at https://dibnet.dod.mil.
(2) The Contractor shall report the following information pursuant to paragraph (d)(1) of this clause:
(i) Within one business day from the date of such identification or notification: the contract number; the order number(s), if applicable; supplier name; supplier unique entity identifier (if known); supplier Commercial and Government Entity (CAGE) code (if known); brand; model number (original equipment manufacturer number, manufacturer part number, or wholesaler number); item description; and any readily available information about mitigation actions undertaken or recommended.
(ii) Within 10 business days of submitting the information in paragraph (d)(2)(i) of this clause: any further available information about mitigation actions undertaken or recommended. In addition, the Contractor shall describe the efforts it undertook to prevent use or submission of covered telecommunications equipment or services, and any additional efforts that will be incorporated to prevent future use or submission of covered telecommunications equipment or services.
(e) Subcontracts. The Contractor shall insert the substance of this clause, including this paragraph (e), in all subcontracts and other contractual instruments, including subcontracts for the acquisition of commercial items.
As prescribed in 4.2105(c), insert the following provision:
COVERED TELECOMMUNICATIONS EQUIPMENT OR SERVICES-REPRESENTATION (DEC 2019)
(a) Definitions. As used in this provision, covered telecommunications equipment or services has the meaning provided in the clause 52.204-25, Prohibition on Contracting for Certain Telecommunications and Video Surveillance Services or Equipment.
(b) Procedures. The Offeror shall review the list of excluded parties in the System for Award Management (SAM) (https://www.sam.gov) for entities excluded from receiving federal awards for covered telecommunications equipment or services.
(c) Representation. The Offeror represents that it does, does not provide covered telecommunications equipment or services as a part of its offered products or services to the Government in the performance of any contract, subcontract, or other contractual instrument.
As prescribed in 17.208(f), insert a clause substantially the same as the following:
Option to Extend Services (Nov 1999)
The Government may require continued performance of any services within the limits and at the rates specified in the contract. These rates may be adjusted only as a result of revisions to prevailing labor rates provided by the Secretary of Labor. The option provision may be exercised more than once, but the total extension of performance hereunder shall not exceed 6 months. The Contracting Officer may exercise the option by written notice to the Contractor within 5 days of expiration.
(End of clause)
As prescribed in 17.208(g), insert a clause substantially the same as the following:
Option to Extend the Term of the Contract (Mar 2000)
(a) The Government may extend the term of this contract by written notice to the Contractor within 1 day prior to expiration; provided that the Government gives the Contractor a preliminary written notice of its intent to extend at least 5 days before the contract expires. The preliminary notice does not commit the Government to an extension.
(b) If the Government exercises this option, the extended contract shall be considered to include this option clause.
(c) The total duration of this contract, including the exercise of any options under this clause, shall not exceed 12 months.
(End of clause)
As prescribed in (HSAR) 48 CFR 3004.470-3(b), insert a clause substantially the same as follows with appropriate alternates:Contractor Employee Access (SEP 2012)(a)Sensitive Information, as used in this clause, means any information, which if lost, misused, disclosed, or, without authorization is accessed, or modified, could adversely affect the national or homeland security interest, the conduct of Federal programs, or the privacy to which individuals are entitled under section 552a of title 5, United States Code (the Privacy Act), but which has not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept secret in the interest of national defense, homeland security or foreign policy. This definition includes the following categories of information:(1)Protected Critical Infrastructure Information (PCII) as set out in the Critical Infrastructure Information Act of 2002 (Title II, Subtitle B, of the Homeland Security Act, Pub. L. 107-296, 196 Stat. 
2135), as amended, the implementing regulations thereto (Title 6, Code of Federal Regulations, part 29) as amended, the applicable PCII Procedures Manual, as amended, and any supplementary guidance officially communicated by an authorized official of the Department of Homeland Security (including the PCII Program Manager or his/her designee);(2)Sensitive Security Information (SSI), as defined in Title 49, Code of Federal Regulations, part 1520, as amended, Policies and Procedures of Safeguarding and Control of SSI, as amended, and any supplementary guidance officially communicated by an authorized official of the Department of Homeland Security (including the Assistant Secretary for the Transportation Security Administration or his/her designee);(3)Information designated as For Official Use Only, which is unclassified information of a sensitive nature and the unauthorized disclosure of which could adversely impact a person's privacy or welfare, the conduct of Federal programs, or other programs or operations essential to the national or homeland security interest; and(4)Any information that is designated sensitive or subject to other controls, safeguards or protections in accordance with subsequently adopted homeland security information handling procedures. (b)Information Technology Resources include, but are not limited to, computer equipment, networking equipment, telecommunications equipment, cabling, network drives, computer drives, network software, computer software, software programs, intranet sites, and internet sites.(c)Contractor employees working on this contract must complete such forms as may be necessary for security or other reasons, including the conduct of background investigations to determine suitability. Completed forms shall be submitted as directed by the Contracting Officer. Upon the Contracting Officer's request, the Contractor's employees shall be fingerprinted, or subject to other investigations as required. 
All Contractor employees requiring recurring access to Government facilities or access to sensitive information or IT resources are required to have a favorably adjudicated background investigation prior to commencing work on this contract unless this requirement is waived under Departmental procedures.(d)The Contracting Officer may require the Contractor to prohibit individuals from working on the contract if the Government deems their initial or continued employment contrary to the public interest for any reason, including, but not limited to, carelessness, insubordination, incompetence, or security concerns.(e)Work under this contract may involve access to sensitive information. Therefore, the Contractor shall not disclose, orally or in writing, any sensitive information to any person unless authorized in writing by the Contracting Officer. For those Contractor employees authorized access to sensitive information, the Contractor shall ensure that these persons receive training concerning the protection and disclosure of sensitive information both during and after contract performance.(f)The Contractor shall include the substance of this clause in all subcontracts at any tier where the subcontractor may have access to Government facilities, sensitive information, or resources.(End of clause)052.204-71 Contractor employee access.As prescribed in (HSAR) 48 CFR 3004.4704(a), insert the following clause with appropriate alternates:Contractor Employee Access (JUL 2023)(a)Controlled Unclassified Information (CUI) is any information the Government creates or possesses, or an entity creates or possesses for or on behalf of the Government (other than classified information) that a law, regulation, or Governmentwide policy requires or permits an agency to handle using safeguarding or dissemination controls. 
This definition includes the following CUI categories and subcategories of information:
(1) Chemical-terrorism Vulnerability Information (CVI) as defined in 6 CFR part 27, Chemical Facility Anti-Terrorism Standards, and as further described in supplementary guidance issued by an authorized official of the Department of Homeland Security (including the Revised Procedural Manual Safeguarding Information Designated as Chemical-Terrorism Vulnerability Information dated September 2008);
(2) Protected Critical Infrastructure Information (PCII) as set out in the Critical Infrastructure Information Act of 2002 (title XXII, subtitle B of the Homeland Security Act of 2002 as amended through Pub. L. 116-283), PCII's implementing regulations (6 CFR part 29), the PCII Program Procedures Manual, and any supplementary guidance officially communicated by an authorized official of the Department of Homeland Security, the PCII Program Manager, or a PCII Program Manager Designee;
(3) Sensitive Security Information (SSI) as defined in 49 CFR part 1520, Protection of Sensitive Security Information, as amended, and any supplementary guidance officially communicated by an authorized official of the Department of Homeland Security (including the Assistant Secretary for the Transportation Security Administration or designee), including Department of Homeland Security MD 11056.1, Sensitive Security Information (SSI) and, within the Transportation Security Administration, TSA MD 2810.1, SSI Program;
(4) Homeland Security Agreement Information means information the Department of Homeland Security receives pursuant to an agreement with State, local, Tribal, territorial, or private sector partners that is required to be protected by that agreement.
The Department receives this information in furtherance of the missions of the Department, including, but not limited to, support of the Fusion Center Initiative and activities for cyber information sharing consistent with the Cybersecurity Information Sharing Act of 2015;
(5) Homeland Security Enforcement Information means unclassified information of a sensitive nature lawfully created, possessed, or transmitted by the Department of Homeland Security in furtherance of its immigration, customs, and other civil and criminal enforcement missions, the unauthorized disclosure of which could adversely impact the mission of the Department;
(6) International Agreement Information means information the Department of Homeland Security receives that is required to be protected by an information sharing agreement or arrangement with a foreign government, an international organization of governments or any element thereof, an international or foreign public or judicial body, or an international or foreign private or non-governmental organization;
(7) Information Systems Vulnerability Information (ISVI) means:
(i) Department of Homeland Security information technology (IT) systems data revealing infrastructure used for servers, desktops, and networks; applications name, version, and release; switching, router, and gateway information; interconnections and access methods; and mission or business use/need. Examples of ISVI are systems inventories and enterprise architecture models.
Information pertaining to national security systems and eligible for classification under Executive Order 13526 will be classified as appropriate; and/or
(ii) Information regarding developing or current technology, the release of which could hinder the objectives of the Department, compromise a technological advantage or countermeasure, cause a denial of service, or provide an adversary with sufficient information to clone, counterfeit, or circumvent a process or system;
(8) Operations Security Information means Department of Homeland Security information that could be collected, analyzed, and exploited by a foreign adversary to identify intentions, capabilities, operations, and vulnerabilities that threaten operational security for the missions of the Department;
(9) Personnel Security Information means information that could result in physical risk to Department of Homeland Security personnel or other individuals whom the Department is responsible for protecting;
(10) Physical Security Information means reviews or reports illustrating or disclosing facility infrastructure or security vulnerabilities related to the protection of Federal buildings, grounds, or property. For example, threat assessments, system security plans, contingency plans, risk management plans, business impact analysis studies, and certification and accreditation documentation;
(11) Privacy Information includes both Personally Identifiable Information (PII) and Sensitive Personally Identifiable Information (SPII). PII refers to information that can be used to distinguish or trace an individual's identity, either alone, or when combined with other information that is linked or linkable to a specific individual; and SPII is a subset of PII that if lost, compromised, or disclosed without authorization could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual.
To determine whether information is PII, DHS will perform an assessment of the specific risk that an individual can be identified using the information with other information that is linked or linkable to the individual. In performing this assessment, it is important to recognize that information that is not PII can become PII whenever additional information becomes available, in any medium or from any source, that would make it possible to identify an individual. Certain data elements are particularly sensitive and may alone present an increased risk of harm to the individual.
(i) Examples of stand-alone PII that are particularly sensitive include: Social Security numbers (SSNs), driver's license or State identification numbers, Alien Registration Numbers (A-numbers), financial account numbers, and biometric identifiers.
(ii) Multiple pieces of information may present an increased risk of harm to the individual when combined, posing an increased risk of harm to the individual. SPII may also consist of any grouping of information that contains an individual's name or other unique identifier plus one or more of the following elements:
(A) Truncated SSN (such as last 4 digits);
(B) Date of birth (month, day, and year);
(C) Citizenship or immigration status;
(D) Ethnic or religious affiliation;
(E) Sexual orientation;
(F) Criminal history;
(G) Medical information; and
(H) System authentication information, such as mother's birth name, account passwords, or personal identification numbers (PINs).
(iii) Other PII that may present an increased risk of harm to the individual depending on its context, such as a list of employees and their performance ratings or an unlisted home address or phone number. The context includes the purpose for which the PII was collected, maintained, and used.
This assessment is critical because the same information in different contexts can reveal additional information about the impacted individual.
(b) Information Resources means information and related resources, such as personnel, equipment, funds, and information technology.
(c) Contractor employees working on this contract must complete such forms as may be necessary for security or other reasons, including the conduct of background investigations to determine suitability. Completed forms shall be submitted as directed by the Contracting Officer. Upon the Contracting Officer's request, the Contractor's employees shall be fingerprinted or subject to other investigations as required. All Contractor employees requiring recurring access to government facilities or access to CUI or information resources are required to have a favorably adjudicated background investigation prior to commencing work on this contract unless this requirement is waived under departmental procedures.
(d) The Contracting Officer may require the Contractor to prohibit individuals from working on the contract if the Government deems their initial or continued employment contrary to the public interest for any reason, including, but not limited to, carelessness, insubordination, incompetence, or security concerns.
(e) Work under this contract may involve access to CUI. The Contractor shall access and use CUI only for the purpose of furnishing advice or assistance directly to the Government in support of the Government's activities, and shall not disclose, orally or in writing, CUI for any other purpose to any person unless authorized in writing by the Contracting Officer. For those Contractor employees authorized to access CUI, the Contractor shall ensure that these persons receive initial and refresher training concerning the protection and disclosure of CUI.
Initial training shall be completed within 60 days of contract award and refresher training shall be completed every 2 years thereafter.
(f) The Contractor shall include this clause in all subcontracts at any tier where the subcontractor may have access to government facilities, CUI, or information resources.
(End of clause)
As prescribed in (HSAR) 48 CFR 3004.4704(b), insert the following clause:
Safeguarding of Controlled Unclassified Information (JUL 2023)
(a) Definitions. As used in this clause:
Adequate Security means security protections commensurate with the risk resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information. This includes ensuring that information hosted on behalf of an agency and information systems and applications used by the agency operate effectively and provide appropriate confidentiality, integrity, and availability protections through the application of cost-effective security controls.
Controlled Unclassified Information (CUI) is any information the Government creates or possesses, or an entity creates or possesses for or on behalf of the Government (other than classified information) that a law, regulation, or Governmentwide policy requires or permits an agency to handle using safeguarding or dissemination controls. This definition includes the following CUI categories and subcategories of information:
(1) Chemical-terrorism Vulnerability Information (CVI) as defined in 6 CFR part 27, Chemical Facility Anti-Terrorism Standards, and as further described in supplementary guidance issued by an authorized official of the Department of Homeland Security (including the Revised Procedural Manual Safeguarding Information Designated as Chemical-Terrorism Vulnerability Information dated September 2008);
(2) Protected Critical Infrastructure Information (PCII) as set out in the Critical Infrastructure Information Act of 2002 (title XXII, subtitle B of the Homeland Security Act of 2002 as amended through Public Law 116-283), PCII's implementing regulations (6 CFR part 29), the PCII Program Procedures Manual, and any supplementary guidance officially communicated by an authorized official of the Department of Homeland Security, the PCII Program Manager, or a PCII Program Manager Designee;
(3) Sensitive Security Information
(SSI) as defined in 49 CFR part 1520, Protection of Sensitive Security Information, as amended, and any supplementary guidance officially communicated by an authorized official of the Department of Homeland Security (including the Assistant Secretary for the Transportation Security Administration or designee), including Department of Homeland Security MD 11056.1, Sensitive Security Information (SSI) and, within the Transportation Security Administration, TSA MD 2810.1, SSI Program;
(4) Homeland Security Agreement Information means information the Department of Homeland Security receives pursuant to an agreement with State, local, Tribal, territorial, or private sector partners that is required to be protected by that agreement. The Department receives this information in furtherance of the missions of the Department, including, but not limited to, support of the Fusion Center Initiative and activities for cyber information sharing consistent with the Cybersecurity Information Sharing Act of 2015;
(5) Homeland Security Enforcement Information means unclassified information of a sensitive nature lawfully created, possessed, or transmitted by the Department of Homeland Security in furtherance of its immigration, customs, and other civil and criminal enforcement missions, the unauthorized disclosure of which could adversely impact the mission of the Department;
(6) International Agreement Information means information the Department of Homeland Security receives that is required to be protected by an information sharing agreement or arrangement with a foreign government, an international organization of governments or any element thereof, an international or foreign public or judicial body, or an international or foreign private or non-governmental organization;
(7) Information Systems Vulnerability Information (ISVI) means:
(i) Department of Homeland Security information technology (IT) systems data revealing infrastructure used for servers, desktops, and networks; applications
name, version, and release; switching, router, and gateway information; interconnections and access methods; and mission or business use/need. Examples of ISVI are systems inventories and enterprise architecture models. Information pertaining to national security systems and eligible for classification under Executive Order 13526 will be classified as appropriate; and/or
(ii) Information regarding developing or current technology, the release of which could hinder the objectives of the Department, compromise a technological advantage or countermeasure, cause a denial of service, or provide an adversary with sufficient information to clone, counterfeit, or circumvent a process or system;
(8) Operations Security Information means Department of Homeland Security information that could be collected, analyzed, and exploited by a foreign adversary to identify intentions, capabilities, operations, and vulnerabilities that threaten operational security for the missions of the Department;
(9) Personnel Security Information means information that could result in physical risk to Department of Homeland Security personnel or other individuals whom the Department is responsible for protecting;
(10) Physical Security Information means reviews or reports illustrating or disclosing facility infrastructure or security vulnerabilities related to the protection of Federal buildings, grounds, or property. For example, threat assessments, system security plans, contingency plans, risk management plans, business impact analysis studies, and certification and accreditation documentation;
(11) Privacy Information includes both Personally Identifiable Information (PII) and Sensitive Personally Identifiable Information (SPII).
PII refers to information that can be used to distinguish or trace an individual's identity, either alone, or when combined with other information that is linked or linkable to a specific individual; and SPII is a subset of PII that if lost, compromised, or disclosed without authorization could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual. To determine whether information is PII, the DHS will perform an assessment of the specific risk that an individual can be identified using the information with other information that is linked or linkable to the individual. In performing this assessment, it is important to recognize that information that is not PII can become PII whenever additional information becomes available, in any medium or from any source, that would make it possible to identify an individual. Certain data elements are particularly sensitive and may alone present an increased risk of harm to the individual.
(i) Examples of stand-alone PII that are particularly sensitive include: Social Security numbers (SSNs), driver's license or State identification numbers, Alien Registration Numbers (A-numbers), financial account numbers, and biometric identifiers.
(ii) Multiple pieces of information may present an increased risk of harm to the individual when combined, posing an increased risk of harm to the individual.
SPII may also consist of any grouping of information that contains an individual's name or other unique identifier plus one or more of the following elements:
(A) Truncated SSN (such as last 4 digits);
(B) Date of birth (month, day, and year);
(C) Citizenship or immigration status;
(D) Ethnic or religious affiliation;
(E) Sexual orientation;
(F) Criminal history;
(G) Medical information; and
(H) System authentication information, such as mother's birth name, account passwords, or personal identification numbers (PINs).
(iii) Other PII that may present an increased risk of harm to the individual depending on its context, such as a list of employees and their performance ratings or an unlisted home address or phone number. The context includes the purpose for which the PII was collected, maintained, and used. This assessment is critical because the same information in different contexts can reveal additional information about the impacted individual.
Federal information means information created, collected, processed, maintained, disseminated, disclosed, or disposed of by or for the Federal Government, in any medium or form.
Federal information system means an information system used or operated by an agency or by a Contractor of an agency or by another organization on behalf of an agency.
Handling means any use of controlled unclassified information, including but not limited to marking, safeguarding, transporting, disseminating, re-using, storing, capturing, and disposing of the information.
Incident means an occurrence that:
(1) Actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or
(2) Constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.
Information Resources means information and related resources, such as personnel, equipment, funds, and information technology.
Information Security means protecting information and
information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide:
(1) Integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity;
(2) Confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and
(3) Availability, which means ensuring timely and reliable access to and use of information.
Information System means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
(b) Handling of Controlled Unclassified Information. (1) Contractors and subcontractors must provide adequate security to protect CUI from unauthorized access and disclosure. Adequate security includes compliance with DHS policies and procedures in effect at the time of contract award. These policies and procedures are accessible at https://www.dhs.gov/dhs-security-and-training-requirements-contractors.
(2) The Contractor shall not use or redistribute any CUI handled, collected, processed, stored, or transmitted by the Contractor except as specified in the contract.
(3) The Contractor shall not maintain SPII in its invoicing, billing, and other recordkeeping systems maintained to support financial or other administrative functions. It is acceptable to maintain in these systems the names, titles, and contact information for the Contracting Officer's Representative (COR) or other government personnel associated with the administration of the contract, as needed.
(4) Any government data provided, developed, or obtained under the contract, or otherwise under the control of the Contractor, shall not become part of the bankruptcy estate in the event a Contractor and/or subcontractor enters bankruptcy proceedings.
(c) Incident Reporting Requirements.
(1) Contractors and subcontractors shall report all known or suspected incidents to the Component Security Operations Center (SOC) in accordance with Attachment F, Incident Response, to DHS Policy Directive 4300A Information Technology System Security Program, Sensitive Systems. If the Component SOC is not available, the Contractor shall report to the DHS Enterprise SOC. Contact information for the DHS Enterprise SOC is accessible at https://www.dhs.gov/dhs-security-and-training-requirements-contractors. Subcontractors are required to notify the prime Contractor that it has reported a known or suspected incident to the Department. Lower tier subcontractors are required to likewise notify their higher tier subcontractor, until the prime contractor is reached. The Contractor shall also notify the Contracting Officer and COR using the contact information identified in the contract. If the report is made by phone, or the email address for the Contracting Officer or COR is not immediately available, the Contractor shall contact the Contracting Officer and COR immediately after reporting to the Component or DHS Enterprise SOC.
(2) All known or suspected incidents involving PII or SPII shall be reported within 1 hour of discovery. All other incidents shall be reported within 8 hours of discovery.
(3) CUI transmitted via email shall be protected by encryption or transmitted within secure communications systems. CUI shall be transmitted using a FIPS 140-2/140-3 Security Requirements for Cryptographic Modules validated cryptographic module identified on https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules. When this is impractical or unavailable, for Federal information systems only, CUI may be transmitted over regular email channels. When using regular email channels, Contractors and subcontractors shall not include any CUI in the subject or body of any email.
The CUI shall be included as a password-protected attachment with the password provided under separate cover, including as a separate email. Recipients of CUI information will comply with any email restrictions imposed by the originator.
(4) An incident shall not, by itself, be interpreted as evidence that the Contractor or Subcontractor has failed to provide adequate information security safeguards for CUI or has otherwise failed to meet the requirements of the contract.
(5) If an incident involves PII or SPII, in addition to the incident reporting guidelines in Attachment F, Incident Response, to DHS Policy Directive 4300A Information Technology System Security Program, Sensitive Systems, Contractors shall also provide as many of the following data elements that are available at the time the incident is reported, with any remaining data elements provided within 24 hours of submission of the initial incident report:
(i) Unique Entity Identifier (UEI);
(ii) Contract numbers affected unless all contracts by the company are affected;
(iii) Facility CAGE code if the location of the event is different than the prime Contractor location;
(a) Definitions. Privacy Information includes both Personally Identifiable Information (PII) and Sensitive Personally Identifiable Information (SPII). PII refers to information that can be used to distinguish or trace an individual's identity, either alone, or when combined with other information that is linked or linkable to a specific individual; and SPII is a subset of PII that if lost, compromised, or disclosed without authorization could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual. To determine whether information is PII, the DHS will perform an assessment of the specific risk that an individual can be identified using the information with other information that is linked or linkable to the individual. In performing this assessment, it is important to recognize that information that is not PII can become PII whenever additional information becomes available, in any medium or from any source, that would make it possible to identify an individual. Certain data elements are particularly sensitive and may alone present an increased risk of harm to the individual.
(1) Examples of stand-alone PII that are particularly sensitive include: Social Security numbers (SSNs), driver's license or State identification numbers, Alien Registration Numbers (A-numbers), financial account numbers, and biometric identifiers.
(2) Multiple pieces of information may present an increased risk of harm to the individual when combined, posing an increased risk of harm to the individual.
SPII may also consist of any grouping of information that contains an individual's name or other unique identifier plus one or more of the following elements:
(i) Truncated SSN (such as last 4 digits);
(ii) Date of birth (month, day, and year);
(iii) Citizenship or immigration status;
(iv) Ethnic or religious affiliation;
(v) Sexual orientation;
(vi) Criminal history;
(vii) Medical information; and
(viii) System authentication information, such as mother's birth name, account passwords, or personal identification numbers (PINs).
(3) Other PII that may present an increased risk of harm to the individual depending on its context, such as a list of employees and their performance ratings or an unlisted home address or phone number. The context includes the purpose for which the PII was collected, maintained, and used. This assessment is critical because the same information in different contexts can reveal additional information about the impacted individual.
(b) PII and SPII Notification Requirements. (1) No later than 5 business days after being directed by the Contracting Officer, or as otherwise required by applicable law, the Contractor shall notify any individual whose PII or SPII was either under the control of the Contractor or resided in an information system under control of the Contractor at the time the incident occurred. The method and content of any notification by the Contractor shall be coordinated with, and subject to prior written approval by, the Contracting Officer.
The Contractor shall not proceed with notification unless directed in writing by the Contracting Officer.
(2) All determinations by the Department related to notifications to affected individuals and/or Federal agencies and related services (e.g., credit monitoring) will be made in writing by the Contracting Officer.
(3) Subject to government analysis of the incident and direction to the Contractor regarding any resulting notification, the notification method may consist of letters to affected individuals sent by first-class mail, electronic means, or general public notice, as approved by the Government. Notification may require the Contractor's use of address verification and/or address location services. At a minimum, the notification shall include:
(i) A brief description of the incident;
(ii) A description of the types of PII or SPII involved;
(iii) A statement as to whether the PII or SPII was encrypted or protected by other means;
(iv) Steps individuals may take to protect themselves;
(v) What the Contractor and/or the Government are doing to investigate the incident, mitigate the incident, and protect against any future incidents; and
(vi) Information identifying who individuals may contact for additional information.
(c) Credit Monitoring Requirements. The Contracting Officer may direct the Contractor to:
(1) Provide notification to affected individuals as described in paragraph (b).
(2) Provide credit monitoring services to individuals whose PII or SPII was under the control of the Contractor or resided in the information system at the time of the incident for a period beginning the date of the incident and extending not less than 18 months from the date the individual is notified. Credit monitoring services shall be provided from a company with which the Contractor has no affiliation.
At a minimum, credit monitoring services shall include:
(i) Triple credit bureau monitoring;
(ii) Daily customer service;
(iii) Alerts provided to the individual for changes and fraud; and
(iv) Assistance to the individual with enrollment in the services and the use of fraud alerts.
(3) Establish a dedicated call center. Call center services shall include:
(i) A dedicated telephone number to contact customer service within a fixed period;
(ii) Information necessary for registrants/enrollees to access credit reports and credit scores;
(iii) Weekly reports on call center volume, issue escalation (i.e., those calls that cannot be handled by call center staff and must be resolved by call center management or DHS, as appropriate), and other key metrics;
(iv) Escalation of calls that cannot be handled by call center staff to call center management or DHS, as appropriate;
(v) Customized Frequently Asked Questions, approved in writing by the Contracting Officer in coordination with the Component or Headquarters Privacy Officer; and
(vi) Information for registrants to contact customer service representatives and fraud resolution representatives for credit monitoring assistance.
(End of clause)