Exhibit 6.15

SOLICITATION/CONTRACT/ORDER FOR COMMERCIAL ITEMS

1. REQUISITION NUMBER

PAGE OF

OFFEROR TO COMPLETE BLOCKS 12. 17. 23. 24. & 30

See Schedule

1

64

2. CONTRACT NO.

3. AWARD/

4. ORDER NUMBER

5. SOLICITATION NUMBER

6. SOLICITATION

EFFECTIVE DATE

70CDCR21P00000056

ISSUE DATE

7.

FOR SOLICITATION

a. NAME

b. TELEPHONE NUMBER

(No collect calls)

8. OFFER DUE DATE/LOCAL TIME

INFORMATION CALL:

VALERIE LEONOVA

202-732-215

9. ISSUED BY

CODE

70CDCR

10. THIS ACQUISITION IS

x UNRESTRICTED OR

¨ SET ASIDE

% FOR:

WOMEN-OWNED SMALL BUSINESS

DETENTION COMPLIANCE AND REMOVALS

¨ SMALL BUSINESS

¨

¨    (WOSB) ELIGIBLE SMALL BUSINESS

U.S. Immigration and Customs Enforcement

¨ HUBZONE SMALL

SMALL BUSINESS PROGRAM

NAICS: 541511

Office of Acquisition Management

BUSINESS

¨

¨     EDWOSB

801 I ST NW, RM 900

¨ SERVICE-DISABLED

¨

¨     8(A)

SIZE STANDARD:

$30.0

WASHINGTON DC 20536

VETERAN-OWNED

SMALL BUSINESS

11. DELIVERY FOR FOB DESTINA

12. DISCOUNT TERMS

13b. RATING

T1ON UNLESS BLOCK IS

Net 30

¨ 13a.   THIS CONTRACT IS A

MARKED

RATED ORDER UNDER

14. METHOD OF SOLICITATION

x SEE SCHEDULE

DPAS (15 CFR 700)

¨RFQ

¨IFB

¨RFP

15. DELIVER TO

CODE

ICE-ATD

16. ADMINISTERED BY

CODE

ICE/DCR

ATTN: Joshua Jones

ICE/Detention Compliance & Removals

500 12TH ST. SW

Immigration and Customs Enforcement

Washington DC 20536

Office of Acquisition Management

801 I Street NW, suite 930

Washington DC 20536

17a. CONTRACTOR/

CODE

0806095210000

FACILITY

18a. PAYMENT WILL BE MADE BY

CODE

ICE-ERO-FHQ-DMD

OFFEROR

CODE

T STAMP INC

DHS, ICE

ATTN JOHN BRIDGE

Burlington Finance Center

3017 BOLING WAY NE STE 248

P.O. Box 1620

ATLANTA GA 303052205

Attn: ICE-ERO/DRO-FHQ-DMD

Williston VT 05495-1620

TELEPHONE NO.

7067515590

¨17b. CHECK IF REMITTANCE IS DIFFERENT AND PUT SUCH ADDRESS IN OFFER

18b. SUBMIT INVOICES TO ADDRESS SHOWN IN BLOCK 18a UNLESS BLOCK BELOW

IS CHECKED

¨ SEE ADDENDUM

19.

20.

21.

22.

23.

24.

ITEM NO.

SCHEDULE OF SUPPLIES/SERV1CES

QUANTITY

UNIT

UNIT PRICE

AMOUNT

DUNS Number: 080609521

---

This is a firm, fixed price purchase order for

field testing tools to facilitate rapid

processing and enrollments of noncitizens into

the ICE ERO Alternatives to Detention (ATD)

program through a facial confirmation

smartphone-based application. A total of 10,000

participants will be processed.

Contracting Officer Representative (COR):

(Use Reverse and/or Attach Additional Sheets as Necessary)

25. ACCOUNTING AND APPROPRIATION DATA

26. TOTAL AWARD AMOUNT (For Govt. Use Only)

See schedule

$3,920,764.00

¨ 27a. SOLICITATION INCORPORATES BY REFERENCE FAR 52.212-1, 52.212-4. FAR 52.212-3 AND 52.212-5 ARE ATTACHED. ADDENDA						¨ are	¨ ARE NOT ATTACHED.
x 27b. CONTRACT/PURCHASE ORDER INCORPORATES BY REFERENCE FAR 52.212-4. FAR 52.212-5 IS ATTACHED. ADDENDA						¨ are	x ARE NOT ATTACHED.
x 28 CONTRACTOR IS REQUIRED TO SIGN THIS DOCUMENT AND RETURN		1	¨	29. AWARD OF CONIRACT:				OFFER
COPIES TO ISSUING OFFICE. CONTRACTOR AGREES TO FURNISH AND DELIVER				DATED	.YOUR OFFER ON SOLICITATION (BLOCK 5),
ALL ITEMS SET FORTH OR OTHERWISE IDENTIFIED ABOVE AND ON ANY ADDITIONAL				INCLUDING ANY ADDITIONS OR CHANGES WHICH ARE SET FORTH
SHEETS SUBJECT TO THE TERMS AND CONDITIONS SPECIFIED.				HEREIN. IS ACCEPTED AS TO ITEMS:
30a. SIGNATURE OF OFFEROR/CONTRACTOR		31a. UNITED STATES OF AMERICA (SIGNATURE OF CONTRACTING OFFICER)
/s/ [ILLEGIBLE]
		SARAH A WEST			Digitally signed by SARAH A WEST
					Date: 2021.09.23 16:08:33 -04'00'
30b. NAME AND TITLE QF SIGNER (Type or print)	30c. DATE SIGNED	31b. NAME OF CONTRACTING OFFICER (Type or print)					31c. DATE SIGNED
JOHN BRIDGE EXECUTIVE VICE PRESIDENT	9/23/2021	SARAH WEST
AUTHORIZED FOR LOCAL REPRODUCTION					STANDARD FORM 1449 (REV. 2/2012)
PREVIOUS EDITION IS NOT USABLE					Prescribed by GSA – FAR (48 CFR) 53.212

					2 of 62
19.	20.	21.	22.	23.	24.
ITEM NO.	SCHEDULE OF SUPPLIES/SERVICES	QUANTITY	UNIT	UNIT PRICE	AMOUNT
	Roxann Dzur, (202) 590-2616,
	email: roxann.r.dzur@ice.dhs.gov
	Alternate COR:
	Joshua Jones, (202) 732-6160,
	email: joshua.a.jones@ice.dhs.gov
	Contracting Officer (CO):
	Sarah West, (202) 805-2856,
	email: sarah.a.west@ice.dhs.gov
	Contract Specialist (CS):
	Valerie Leonova, (202) 731-4703
	email: valerie.leonova@ice.dhs.gov
	---
	MissionCritical: Y
	Delivery: 03/26/2022
	Accounting Info:
	NONE000-000 E4 36-59-00-000
	18-06-0300-40-10-00-00 GE-25-76-00-
	000000
	Period of Performance: 09/27/2021 to 03/26/2022
0001	RAPID ALTERNATIVES TO DETENTION ENROLLMENTS				3,920,764.00
	THROUGH FACIAL CONFIRMATION APPLICATION
	Requisition No: 192121FHQCMDATD02,
	192121FHQCMDATD04
	Continued ...

32a. QUANTITY IN COLUMN 21 HAS BEEN
¨ RECEIVED		¨ INSPECTED		¨ ACCEPTED, AND CONFORMS TO THE CONTRACT, EXCEPT AS NOTED:							______________________
32b. SIGNATURE OF AUTHORIZED GOVERNMENT REPRESENTATIVE						32c. DATE	32d. PRINTED NAME AND TITLE OF AUTHORIZED GOVERNMENT REPRESENTATIVE
32e. MAILING ADDRESS OF AUTHORIZED GOVERNMENT REPRESENTATIVE							32f. TELEPHONE NUMBER OF AUTHORIZED GOVERNMENT REPRESENTATIVE
							32g. E-MAIL OF AUTHORIZED GOVERNMENT REPRESENTATIVE
33. SHIP NUMBER			34. VOUCHER NUMBER		35. AMOUNT VERIFIED		36. PAYMENT			37. CHECK NUMBER
					CORRECT FOR
							¨ COMPLETE	¨ PARTIAL	¨ FINAL
¨ PARTIAL	¨ FINAL
38. S/R ACCOUNT NUMBER			39. S/R VOUCHER NUMBER		40. PAID BY

41a. I CERTIFY THIS ACCOUNT IS CORRECT AND PROPER FOR PAYMENT		42a. RECEIVED BY (Print)
41b. SIGNATURE AND TITLE OF CERTIFYING OFFICER	41c. DATE
		42b. RECEIVED AT (Location)
		42c. DATE REC’D (YY/MM/DD)	42d. TOTAL CONTAINERS
				STANDARD FORM 1449 (REV. 2/2012) BACK

CONTINUATION SHEET		REFERENCE NO. OF DOCUMENT BEING CONTINUED			PAGE OF
		70CDCR21P00000056			3	62
NAME OF OFFEROR OR CONTRACTOR
T STAMP INC
ITEM NO.	SUPPLIES/SERVICES		QUANTITY	UNIT	UNIT PRICE	AMOUNT
(A)	(B)		(C)	(D)	(E)	(F)
	---
	Invoice Instructions:
	ICE - ERO Contracts
	Service Providers/Contractors shall use these
	procedures when submitting an invoice.
	1. Invoice Submission: Invoices shall be
	submitted in a “.pdf” format in accordance
	with the contract terms and conditions
	[Contract Specialist and Contracting
	Officer to disclose if on a monthly basis
	or other agreed to terms”] via email,
	United States Postal Service (USPS) or
	facsimile as follows:
	a) Email:
	· Invoice.Consolidation@ice.dhs.gov
	· Contracting Officer Representative (COR)
	or Government Point of Contact (GPOC)
	· Contract Specialist/Contracting Officer
	Each email shall contain only (1) invoice
	and the invoice number shall be indicated
	on the subject line of the email.
	b) USPS:
	DHS, ICE
	Financial Operations - Burlington
	P.O. Box 1620
	Williston, VT 05495-1620
	ATTN: ICE-ERO/FHQ-DMD
	The Contractors Data Universal Numbering
	System (DUNS) Number must be registered and
	active in the System for Award Management
	(SAM) at https://www.sam.gov prior to award
	and shall be notated on every invoice
	submitted to ensure prompt payment provisions are
	met. The ICE program office
	identified in the task order/contract shall
	also be notated on every invoice.
	c) Facsimile:
	Alternative Invoices shall be submitted to:
	(802)-288-7658
	Submissions by facsimile shall include a
	cover sheet, point of contact and the
	Continued ...
NSN 7540-01-152-8067						OPTIONAL FORM 336 (4-86)
						Sponsored by GSA
						FAR (48 CFR) 53.110

CONTINUATION SHEET		REFERENCE NO. OF DOCUMENT BEING CONTINUED					PAGE OF
		70CDCR21P00000056					4	63
NAME OF OFFEROR OR CONTRACTOR
T STAMP INC
ITEM NO.	SUPPLIES/SERVICES		QUANTITY	UNIT	UNIT PRICE	AMOUNT
(A)	(B)		(C)	(D)	(E)	(F)
	number of total pages.
	Note: the Service Providers or Contractors Dunn and Bradstreet (D&B) DUNS Number must be registered in the System for Award Management (SAM) at https://www.sam.gov prior to award and shall be notated on every invoice submitted to ensure prompt payment provisions are met. The ICE program office identified in the task order/contract shall also be notated on every invoice.
	2. Content of Invoices: Each invoice shall contain the following information in accordance with 52.212-4 (g), as applicable:
	(i). Name and address of the Service Provider/Contractor. Note: the name, address and DUNS number on the invoice MUST match the information in both the Contract/Agreement and the information in the SAM. If payment is remitted to another entity, the name, address and DUNS information of that entity must also be provided which will require Government verification before payment can be processed;
	(ii). Dunn and Bradstreet (D&B) DUNS Number;
	(iii). Invoice date and invoice number;
	(iv). Agreement/Contract number, contract line item number and, if applicable, the order number;
	(v). Description, quantity, unit of measure, unit price, extended price and period of performance of the items or services delivered;
	(vi). If applicable, shipping number and date of shipment, including the bill of lading number and weight of shipment if shipped on Government bill of lading; Continued ...

CONTINUATION SHEET		REFERENCE NO. OF DOCUMENT BEING CONTINUED					PAGE	OF
		70CDCR21P00000056					5	64
NAME OF OFFEROR OR CONTRACTOR
T STAMP INC
ITEM NO.	SUPPLIES/SERVICES		QUANTITY	UNIT	UNIT PRICE	AMOUNT
(A)	(B)		(C)	(D)	(E)	(F)
	(vii). Terms of any discount for prompt payment offered;
	(viii). Remit to Address;
	(ix). Name, title, and phone number of person to resolve invoicing issues;
	(x). ICE program office designated on order/contract/agreement and
	(xi). Mark invoice as “Interim” (Ongoing performance and additional billing expected) and “Final” (performance complete and no additional billing)
	(xii). Electronic Funds Transfer (EFT) banking information in accordance with 52.232-33 Payment by Electronic Funds Transfer – System for Award Management or 52-232-34, Payment by Electronic Funds Transfer – Other than System for Award Management.
	3. Invoice Supporting Documentation. To ensure payment, the vendor must submit supporting documentation which provides substantiation for the invoiced costs to the Contracting Officer Representative (COR) or Point of Contact (POC) identified in the contract. Invoice charges must align with the contract CLINs. Supporting documentation is required when guaranteed minimums are exceeded and when allowable costs are incurred. Details are as follows:
	(i). Guaranteed Minimums. If a guaranteed minimum is not exceeded on a CLIN(s) for the invoice period, no supporting documentation is required. When a guaranteed minimum is exceeded on a CLIN (s) for the invoice period, the Contractor is required to submit invoice supporting documentation for all detention services provided during the invoice period which provides the information described below: Continued ...

CONTINUATION SHEET		REFERENCE NO. OF DOCUMENT BEING CONTINUED					PAGE OF
		70CDCR21P00000056					6	62
NAME OF OFFEROR OR CONTRACTOR
T STAMP INC
ITEM NO.	SUPPLIES/SERVICES		QUANTITY	UNIT	UNIT PRICE	AMOUNT
(A)	(B)		(C)	(D)	(E)	(F)
	a. Detention Bed Space Services
	· Bed day rate;
	· Detainees check-in and check-out dates;
	· Number of bed days multiplied by the bed
	day rate;
	· Name of each detainee;
	· Detainees identification information
	(ii). Allowable Incurred Cost. Fixed Unit Price Items (items for allowable incurred costs, such as transportation services, stationary guard or escort services, transportation mileage or other Minor Charges such as sack lunches and detainee wages): shall be fully supported with documentation substantiating the costs and/or reflecting the established price in the contract and shall be submitted in .pdf format:
	a. Detention Bed Space Services. For detention bed space CLINs without a GM, the supporting documentation must include:
	· Bed day rate;
	· Detainees check-in and check-out dates;
	· Number of bed days multiplied by the bed day rate;
	· Name of each detainee;
	· Detainees identification information
	b. Transportation Services: For transportation CLINs without a GM, the supporting documentation must include:
	· Mileage rate being applied for that invoice;
	· Number of miles;
	· Transportation routes provided;
	· Locations serviced;
	· Names of detainees transported;
	· Itemized listing of all other charges; and,
	· for reimbursable expenses (e.g. travel expenses, special meals, etc.) copies of all receipts.
	Continued ...

CONTINUATION SHEET		REFERENCE NO. OF DOCUMENT BEING CONTINUED				PAGE OF
		70CDCR21P00000056				7		62
NAME OF OFFEROR OR CONTRACTOR
T STAMP INC
ITEM NO.	SUPPLIES/SERVICES		QUANTITY	UNIT	UNIT PRICE		AMOUNT
(A)	(B)		(C)	(D)	(E)		(F)
	c. Stationary Guard Services: The itemized monthly invoice shall state:
	· The location where the guard services were provided,
	· The employee guard names and number of hours being billed,
	· The employee guard names and duration of the billing (times and dates), and
	· for individual or detainee group escort services only, the name of the detainee(s) that was/were escorted.
	d. Other Direct Charges (e.g. VTC support, transportation meals/sack lunches, volunteer detainee wages, etc.):
	1) The invoice shall include appropriate supporting documentation for any direct charge billed for reimbursement. For charges for detainee support items (e.g. meals, wages, etc.), the supporting documentation should include the name of the detainee(s) supported and the date(s) and amount(s) of support.
	(iii) Firm Fixed-Price CLINs. Supporting documentation is not required for charges for FFP CLINs.
	4. Safeguarding Information: As a contractor or vendor conducting business with Immigration and Customs Enforcement (ICE), you are required to comply with DHS Policy regarding the safeguarding of Sensitive Personally Identifiable Information (PII). Sensitive PII is information that identifies an individual, including an alien, and could result in harm, embarrassment, inconvenience or unfairness. Examples of Sensitive PII include information such as: Social Security Numbers, Alien Registration Numbers (A-Numbers), or combinations of information such as the individuals name or other unique identifier and full date of birth, citizenship, or immigration status. As part of your obligation to safeguard information, the follow precautions are required: Continued ...

CONTINUATION SHEET		REFERENCE NO. OF DOCUMENT BEING CONTINUED					PAGE OF
		70CDCR21P00000056					8	62
NAME OF OFFEROR OR CONTRACTOR
T STAMP INC
ITEM NO.	SUPPLIES/SERVICES		QUANTITY	UNIT	UNIT PRICE	AMOUNT
(A)	(B)		(C)	(D)	(E)	(F)
	(i) Email supporting documents containing Sensitive PII in an encrypted attachment with password sent separately to the Contracting Officer Representative assigned to the contract.
	(ii) Never leave paper documents containing Sensitive PII unattended and unsecure. When not in use, these documents will be locked in drawers, cabinets, desks, etc. so the information is not accessible to those without a need to know.
	(iii) Use shredders when discarding paper documents containing Sensitive PII.
	(iv) Refer to the DHS Handbook for Safeguarding Sensitive Personally Identifiable Information (March 2012) found at http://www.dhs.gov/xlibrary/assets/privacy/d hs-privacy-safeguardingsensitivepiihandbookmarch2012. pdf for more information on and/or examples of Sensitive PII.
	5. Invoice Inquiries. If you have questions regarding payment, please contact ICE Financial Operations at 1-877-491-6521 or by e-mail at OCFO.CustomerService@ice.dhs.gov.
	---
	The total amount of award: $3,920,764.00. The obligation for this award is shown in box 26.

Acquisition Request (Statement of Work) For
Rapid Alternatives to Detention Enrollments Through Facial Confirmation Application

1.0 Purpose. The Department of Homeland Security (DHS), Immigration and Customs Enforcement (ICE), and the Headquarters Alternatives to Detention (HQ – ATD) is currently facing an unusual and compelling urgency caused by the number (over 170,000 per month) of individuals and families attempting to cross the southwest border. This has put substantial strain on Customs and Border Protection (CBP) and Immigration and Customs Enforcement (ICE) with regards to apprehension, processing, transportation, detention, and release. The purpose is to procure a technology solution that includes GPS tracking, facial confirmation software for biometric identification, and rapid enrollment of southwest border participants in five minutes or less.

2.0 Requirement. Alternatives to Detention (HQ – ATD) program increases compliance with release conditions by using a combination of case management and technology to ensure court appearances and final orders of removal. However, due to the extreme influx, current methods of enrollment in some forms can exceed 20 to 25 minutes per participant encountered. The Government intends to award a 6-month contract for the provision of southwest border supporting Alternative to Detention. This technology solution will enable ATD to rapidly (five minutes or less) enroll participants in a facial recognition-enhanced geolocation application with contractor provided smartphones. The facial confirmation will ensure that the participant is with the smartphone when the geolocation of the phone is captured. This ensures ATD’s ability to validate the location of the participant through repeated check-ins, the participant can be tracked from enrollment point to final destination city. Upon arrival and successful check-in at destination city, participant will be contacted to report for evaluation and enrollment into traditional ATD – ISAP.

3.0 Deliverables. The contractor will provide all personnel, equipment, and supplies. This requirement is to provide six (6) months, or 10,000 participants, whichever comes first, of enrollment and monitoring services. Tasks and deliverable listed below:

1. Smartphone application for use by participants during check ins

2. Information dashboard for officers overseeing this program

3. 10,000 preloaded smartphones with webcam and data plan.

4. Weekly progress reports

4.0 Task - Check in service. The contractor will rapidly enroll (five minutes or less) participants in a facial recognition-enhanced geolocation application with contractor provided smartphones. Participant will report using contractor provided phone and application once per day or determine by ICE. The contractor’s application will collect data points, locations, holds information for review. The facial confirmation shall ensure that the participant is with the smartphone when the geolocation of the phone is captured. This technology shall ensure the privacy of all participants by tokenizing a participant’s facial biometrics. Upon arrival and reporting, participants reach the destination city (as identified as an exclusion zone set around the city so any report is notified), the contractor will contact the participant to arrange for possible new date/time for reporting. The participant reports to given location, meet with an ICE assigned officer. The participant is then removed from pilot program, and the device is collected. The contractor will send the device to the appropriate location. Application will include:

1. The capability to create “geofencing”

2. Passive tracking of geolocation with points collected at the time of each check-in

3. Randomized and on-demand biometric check-in to validate participant and phone are in the same location

4. Case management dashboard with encrypted messaging

5. Ability to advise participants of required in-person meetings

6. Alerting when check-in process is not completed or when biometrics do not match.

4.1 Task - Check-in Failures. In the event biometric check in fails due to non-responsiveness or a failed verification, an alert will be sent to the Case Manager/Dashboard (3.2 Task). In the event the biometric authentication is attempted and continues to fail (with a recommended three attempts), the video of registration attempts will be saved for a time frame determined by ICE and an alert will be sent to the Case Manager/Dashboard. The Government must be able to receive immediate notifications immediately upon a complete failure to check-in whether due to three failed attempts or no attempts during a required time period. The video will allow the Case Manager to review the attempt and determine if it was erroneous or if someone is attempting to fraudulently authenticate on behalf of the participant.

4.2 Task - Information dashboard. The contractor shall provide an information dashboard system for administering and supervising all aspects of a participant’s involvement in the program. The system shall provide for monitoring and documenting a participant’s compliance from enrollment to termination from the program. The contractor shall be proactive in managing cases and use all appropriate tools and techniques available. The information dashboard will have the ability for ICE to see current location, three days location data, access to historical location data and status of the participant. The dashboard will also have an officer interface so ICE will know who all the participants are, have their basic information (as determined by ICE), be able to see each time they reported (time date stamp for each event), latitude /longitude /address for each report, have contact information to be able to call the contractor provided phone to call in the participant.

4.3 Task - Personnel. The contractor will provide personnel to assist ICE with registering and enrolling qualified participants at the southwest border. It is anticipated that enrollment into the program will take approximately five minutes or less by filling out a minimum set of data within the dashboard on a tablet. Enrollment will identify participants and ensure linkage between Check-In and the identity of the individual established by ICE. This on-site support will be eight to ten hours per day, with hours that may be adjusted to ensure the smoothest transition of participants out of processing facilities. The contractor will explain reporting requirements. This includes where the participant needs to report including time, date, location and ensure participants understand how the software package works, expectations for reporting. The contractor must be able to communicate in a language¹ the participant can understand.

4.4 Task Report - The contractor shall provide a weekly progress report identifying:

Number of active participants at the end of the reporting period, total number of participants over the week, year to date, and since program inception.

Number of terminations (program wide) with the corresponding percentage and roll-up for all offices.

5.0 Period of Performance. The period of performance shall be 6 months from date of award or 10,000 participants, whichever comes first, of enrollment and monitoring services.

6.0 Place of Performance. Southwest Border (4 locations). Address TBD

7.0 Shipping Address. Alternatives to Detention, 500 12TH ST. SW STOP 8065 Washington, DC. 20536

8.0 License Specification/Source. Not applicable to this requirement.

9.0 Compliance. Not applicable to this requirement.

10.0  Maintenance Consideration. Standard warranty.

11.0  Point of Contact. Point of contact for this acquisition request is Joshua Jones, MPA, Alternatives to Detention, HQ/ATD, Joshua.a.jones @ice.dhs.gov, 202-732-6160.

REQUIRED SECURITY LANGUAGE FOR 

SENSITIVE /BUT UNCLASSIFED (SBU) CONTRACTS

SECURITY REQUIREMENTS

GENERAL

The United States Immigration and Customs Enforcement (ICE) has determined that performance of the tasks as described in Contract               requires that the Contractor, subcontractor(s), vendor(s), etc. (herein known as Contractor) have access to sensitive DHS information, and that the Contractor will adhere to the following.

¹ For purposes of the pilot, the primary language spoken will be Spanish.

PRELIMINARY FITNESS DETERMINATION

ICE will exercise full control over granting, denying, withholding or terminating unescorted government facility and/or sensitive Government information access for contractor employees, based upon the results of a Fitness screening process. ICE may, as it deems appropriate, authorize and make a favorable expedited preliminary Fitness determination based on preliminary security checks. The preliminary Fitness determination will allow the contractor employee to commence work temporarily prior to the completion of a Full Field Background Investigation. The granting of a favorable preliminary Fitness shall not be considered as assurance that a favorable final Fitness determination will follow as a result thereof. The granting of preliminary Fitness or final Fitness shall in no way prevent, preclude, or bar the withdrawal or termination of any such access by ICE, at any time during the term of the contract. No employee of the Contractor shall be allowed to enter on duty and/or access sensitive information or systems without a favorable preliminary Fitness determination or final Fitness determination by the Office of Professional Responsibility (OPR), Personnel Security. No employee of the Contractor shall be allowed unescorted access to a Government facility without a favorable preliminary Fitness determination or final Fitness determination by OPR Personnel Security. Contract employees are processed under DHS Instruction 121-01-007-001 (Personnel Security, Suitability and Fitness Program), or successor thereto; those having direct contact with Detainees will also have 6 CFR § 115.117 considerations made as part of the Fitness screening process. (Sexual Abuse and Assault Prevention Standards) implemented pursuant to Public Law 108-79 (Prison Rape Elimination Act (PREA) of 2003)

BACKGROUND INVESTIGATIONS

Contractor employees (to include applicants, temporaries, part-time and replacement employees) under the contract, needing access to sensitive information and/or ICE Detainees, shall undergo a position sensitivity analysis based on the duties each individual will perform on the contract.

The results of the position sensitivity analysis shall identify the appropriate background investigation to be conducted. Background investigations will be processed through OPR Personnel Security. Contractor employees nominated by a Contracting Officer Representative for consideration to support this contract shall submit the following security vetting documentation to OPR Personnel Security, through the Contracting Officer Representative (COR), within 10 days of notification by OPR Personnel Security of nomination by the COR and initiation of an Electronic Questionnaire for Investigation Processing (e-QIP) in the Office of Personnel Management (OPM) automated on-line system.

1. Standard Form 85P (Standard Form 85PS (With supplement to 85P required for armed positions)), “Questionnaire for Public Trust Positions” Form completed on-line and archived by the contractor employee in their OPM e-QIP account.

2. Signature Release Forms (Three total) generated by OPM e-QIP upon completion of Questionnaire (e-signature recommended/acceptable – instructions provided to applicant by OPR Personnel Security). Completed on-line and archived by the contractor employee in their OPM e-QIP account.

3. Two (2) SF 87 (Rev. December 2017) Fingerprint Cards. (Two Original Cards sent via COR to OPR Personnel Security)

4. Foreign National Relatives or Associates Statement. (This document sent as an attachment in an e-mail to contractor employee from OPR Personnel Security – must be signed and archived into contractor employee’s OPM e-QIP account prior to electronic “Release” of data via on-line account)

5. DHS 11000-9, “Disclosure and Authorization Pertaining to Consumer Reports Pursuant to the Fair Credit Reporting Act” (This document sent as an attachment in an e-mail to contractor employee from OPR Personnel Security – must be signed and archived into contractor employee’s OPM e-QIP account prior to electronic “Release” of data via on-line account)

6. Optional Form 306 Declaration for Federal Employment (This document sent as an attachment in an e-mail to contractor employee from OPR Personnel Security – must be signed and archived into contractor employee’s OPM e-QIP account prior to electronic “Release” of data via on-line account)

7. If occupying PREA designated position: Questionnaire regarding conduct defined under 6 CFR § 115.117 (Sexual Abuse and Assault Prevention Standards) (This document sent as an attachment in an e-mail to contractor employee from OPR Personnel Security – must be signed and archived into contractor employee’s OPM e-QIP account prior to electronic “Release” of data via on-line account)

8. One additional document may be applicable if contractor employee was born abroad. If applicable, additional form and instructions will be provided to contractor employee. (If applicable, the document will be sent as an attachment in an e-mail to contractor employee from OPR Personnel Security – must be signed and archived into contractor employee’s OPM e-QIP account prior to electronic “Release” of data via on-line account)

Contractor employees who have an adequate, current investigation by another Federal Agency may not be required to submit complete security packages; the investigation may be accepted under reciprocity. The questionnaire related to 6 CFR § 115.117 listed above in item 7 will be required for positions designated under PREA.

An adequate and current investigation is one where the investigation is not more than five years old, meets the contract risk level requirement, and applicant has not had a break in service of more than two years. (Executive Order 13488 amended under Executive Order 13764/DHS Instruction 121-01-007-01)

Required information for submission of security packet will be provided by OPR Personnel Security at the time of award of the contract. Only complete packages will be accepted by the OPR Personnel Security as notified by the COR.

To ensure adequate background investigative coverage, contractor employees must currently reside in the United States or its Territories. Additionally, contractor employees are required to have resided within the Unites States or its Territories for three or more years out of the last five (ICE retains the right to deem a contractor employee ineligible due to insufficient background coverage). This time-line is assessed based on the signature date of the standard form questionnaire submitted for the applied position. Contractor employees falling under the following situations may be exempt from the residency requirement: 1) work or worked for the U.S. Government in foreign countries in federal civilian or military capacities; 2) were or are dependents accompanying a federal civilian or a military employee serving in foreign countries so long as they were or are authorized by the U.S. Government to accompany their federal civilian or military sponsor in the foreign location; 3) worked as a contractor employee, volunteer, consultant or intern on behalf of the federal government overseas, where stateside coverage can be obtained to complete the background investigation; 4) studied abroad at a U.S. affiliated college or university; or 5) have a current and adequate background investigation (commensurate with the position risk/sensitivity levels) completed for a federal or contractor employee position, barring any break in federal employment or federal sponsorship.

Only U.S. Citizens and Legal Permanent Residents are eligible for employment on contracts requiring access to DHS sensitive information unless an exception is granted as outlined under DHS Instruction 121-01-007-001. Per DHS Sensitive Systems Policy Directive 4300A, only U.S. citizens are eligible for positions requiring access to DHS Information Technology (IT) systems or positions that are involved in the development, operation, management, or maintenance of DHS IT systems, unless an exception is granted as outlined under DHS Instruction 121-01-007-001.

TRANSFERS FROM OTHER DHS CONTRACTS:

Contractor employees may be eligible for transfer from other DHS Component contracts provided they have an adequate and current investigation meeting the new assignment requirement. If the contractor employee does not meet the new assignment requirement a DHS 11000-25 with ICE supplemental page will be submitted to OPR Personnel Security to initiate a new investigation.

Transfers will be accomplished by submitting a DHS 11000-25 with ICE supplemental page indicating “Contract Change.” The questionnaire related to 6 CFR § 115.117 listed above in item 7 will be required for positions designated under PREA.

CONTINUED ELIGIBILITY

ICE reserves the right and prerogative to deny and/or restrict facility and information access of any contractor employee whose actions conflict with Fitness standards contained in DHS Instruction 121-01-007-01, Chapter 3, paragraph 6.B or who violate standards of conduct under 6 CFR § 115.117. The Contracting Officer or their representative can determine if a risk of compromising sensitive Government information exists or if the efficiency of service is at risk and may direct immediate removal of a contractor employee from contract support. The OPR Personnel Security will conduct periodic reinvestigations every 5 years, or when derogatory information is received, to evaluate continued Fitness of contractor employees.

REQUIRED REPORTS

The Contractor will notify OPR Personnel Security, via the COR, of all terminations/resignations of contractor employees under the contract within five days of occurrence. The Contractor will return any expired ICE issued identification cards and building passes of terminated/ resigned employees to the COR. If an identification card or building pass is not available to be returned, a report must be submitted to the COR referencing the pass or card number, name of individual to whom issued, the last known location and disposition of the pass or card. The COR will return the identification cards and building passes to the responsible ID Unit.

The Contractor will report any adverse information coming to their attention concerning contractor employees under the contract to the OPR Personnel Security, via the COR, as soon as possible. Reports based on rumor or innuendo should not be made. The subsequent termination of employment of an employee does not obviate the requirement to submit this report. The report shall include the contractor employees’ name and social security number, along with the adverse information being reported.

The Contractor will provide, through the COR a Quarterly Report containing the names of contractor employees who are active, pending hire, have departed within the quarter or have had a legal name change (Submitted with documentation). The list shall include the Name, Position and SSN (Last Four) and should be derived from system(s) used for contractor payroll/voucher processing to ensure accuracy.

CORs will submit reports to psu-industrial-security@ice.dhs.gov

Contractors, who are involved with management and/or use of information/data deemed “sensitive” to include ‘law enforcement sensitive” are required to complete the DHS Form 11000-6-Sensitive but Unclassified Information NDA for contractor access to sensitive information. The NDA will be administered by the COR to the all contract personnel within 10 calendar days of the entry on duty date. The completed form shall remain on file with the COR for purpose of administration and inspection.

Sensitive information as defined under the Computer Security Act of 1987, Public Law 100-235 is information not otherwise categorized by statute or regulation that if disclosed could have an adverse impact on the welfare or privacy of individuals or on the welfare or conduct of Federal programs or other programs or operations essential to the national interest. Examples of sensitive information include personal data such as Social Security numbers; trade secrets; system vulnerability information; pre-solicitation procurement documents, such as statements of work; and information pertaining to law enforcement investigative methods; similarly, detailed reports related to computer security deficiencies in internal controls are also sensitive information because of the potential damage that could be caused by the misuse of this information. All sensitive information must be protected from loss, misuse, modification, and unauthorized access in accordance with DHS Management Directive 11042.1, DHS Policy for Sensitive Information and ICE Policy 4003, Safeguarding Law Enforcement Sensitive Information.”

Any unauthorized disclosure of information should be reported to ICE.ADSEC@ICE.dhs.gov.

SECURITY MANAGEMENT

The Contractor shall appoint a senior official to act as the Corporate Security Officer. The individual will interface with the OPR Personnel Security through the COR on all security matters, to include physical, personnel, and protection of all Government information and data accessed by the Contractor.

The COR and the OPR Personnel Security shall have the right to inspect the procedures, methods, and facilities utilized by the Contractor in complying with the security requirements under this contract. Should the COR determine that the Contractor is not complying with the security requirements of this contract, the Contractor will be informed in writing by the Contracting Officer of the proper action to be taken in order to effect compliance with such requirements.

INFORMATION TECHNOLOGY SECURITY CLEARANCE

When sensitive government information is processed on Department telecommunications and automated information systems, the Contractor agrees to provide for the administrative control of sensitive data being processed and to adhere to the procedures governing such data as outlined in DHS MD 4300.1, Information Technology Systems Security. or its replacement. Contractor employees must have favorably adjudicated background investigations commensurate with the defined sensitivity level.

Contractor employees who fail to comply with Department security policy are subject to having their access to Department IT systems and facilities terminated, whether or not the failure results in criminal prosecution. Any person who improperly discloses sensitive information is subject to criminal and civil penalties and sanctions under a variety of laws (e.g., Privacy Act).

INFORMATION TECHNOLOGY SECURITY TRAINING AND OVERSIGHT

In accordance with Chief Information Office requirements and provisions, all contractor employees accessing Department IT systems or processing DHS sensitive data via an IT system will require an ICE issued/provisioned Personal Identity Verification (PIV) card. Additionally, Cybersecurity Awareness Training (CSAT) will be required upon initial access and annually thereafter. CSAT training will be provided by the appropriate component agency of DHS.

Contractor employees, who are involved with management, use, or operation of any IT systems that handle sensitive information within or under the supervision of the Department, shall receive periodic training at least annually in security awareness and accepted security practices, systems rules of behavior, to include Unauthorized Disclosure Training, available on PALMS or by contacting ICE.ADSEC@ICE.dhs.gov. Department contractor employees, with significant security responsibilities, shall receive specialized training specific to their security responsibilities annually. The level of training shall be commensurate with the individual’s duties and responsibilities and is intended to promote a consistent understanding of the principles and concepts of telecommunications and IT systems security.

All personnel who access Department information systems will be continually evaluated while performing these duties. System Administrators should be aware of any unusual or inappropriate behavior by personnel accessing systems. Any unauthorized access, sharing of passwords, or other questionable security procedures should be reported to the local Security Office or Information System Security Officer (ISSO).

PRIVACY REQUIREMENTS FOR CONTRACTOR AND PERSONNEL

In addition to FAR 52.224-1 Privacy Act Notification (APR 1984), 52.224-2 Privacy Act (APR 1984), FAR 52.224-3 Privacy Training (JAN 2017), and HSAR Clauses, the following instructions must be included in their entirety in all contracts.

Limiting Access to Privacy Act and Other Sensitive Information

In accordance with FAR 52.224-1 Privacy Act Notification (APR 1984), and FAR 52.224-2 Privacy Act (APR 1984), if this contract requires contractor personnel to have access to information protected by the Privacy Act of 1974, the contractor is advised that the relevant DHS system of records notices (SORNs) applicable to this Privacy Act information may be found at https://www.dhs.gov/system-records-notices-sorns. Applicable SORNS of other agencies may be accessed through the agencies’ websites or by searching GovInfo, available at https://www.govinfo.gov that replaced the FDsys website in December 2018. SORNs may be updated at any time.

Prohibition on Performing Work Outside a Government Facility/Network/Equipment

The Contractor shall perform all tasks on authorized Government networks, using Government-furnished IT and other equipment and/or Workplace as a Service (WaaS) if WaaS is authorized by the statement of work. Government information shall remain within the confines of authorized Government networks at all times. Except where telework is specifically authorized within this contract, the Contractor shall perform all tasks described in this document at authorized Government facilities; the Contractor is prohibited from performing these tasks at or removing Government-furnished information to any other facility; and Government information shall remain within the confines of authorized Government facilities at all times. Contractors may only access classified materials on government furnished equipment in authorized government owned facilities regardless of telework authorizations.

Prior Approval Required to Hire Subcontractors

The Contractor is required to obtain the Contracting Officer’s approval prior to engaging in any contractual relationship (Subcontractor) in support of this contract requiring the disclosure of information, documentary material and/or records generated under or relating to this contract. The Contractor (and any Subcontractor) is required to abide by Government and Agency guidance for protecting sensitive and proprietary information.

Separation Checklist for Contractor Employees

Contractor shall complete a separation checklist before any employee or Subcontractor employee terminates working on the contract. The separation checklist must verify: (1) return of any Government-furnished equipment; (2) return or proper disposal of sensitive personally identifiable information (PII), in paper or electronic form, in the custody of the employee or Subcontractor employee including the sanitization of data on any computer systems or media as appropriate; and (3) termination of any technological access to the Contractor’s facilities or systems that would permit the terminated employee’s access to sensitive PII.

In the event of adverse job actions resulting in the dismissal of an employee or Subcontractor employee, the Contractor shall notify the Contracting Officer’s Representative (COR) within 24 hours. For normal separations, the Contractor shall submit the checklist on the last day of employment or work on the contract.

As requested, contractors shall assist the ICE Point of Contact (ICE/POC), Contracting Officer, or COR with completing ICE Form 50-005/Contractor Employee Separation Clearance Checklist by returning all Government-furnished property including but not limited to computer equipment, media, credentials and passports, smart cards, mobile devices, PIV cards, calling cards, and keys and terminating access to all user accounts and systems.

Contractor’s Commercial License Agreement and Government Electronic Information Rights

Except as stated in the Performance Work Statement and, where applicable, the Contractor’s Commercial License Agreement, the Government Agency owns the rights to all electronic information (electronic data, electronic information systems or electronic databases) and all supporting documentation and associated metadata created as part of this contract. All deliverables (including all data and records) under the contract are the property of the U.S. Government and are considered federal records, for which the Agency shall have unlimited rights to use, dispose of, or disclose such data contained therein. The Contractor must deliver sufficient technical documentation with all data deliverables to permit the agency to use the data.

Privacy Lead Requirements

If the contract involves an IT system build or substantial development or changes to an IT system that may require privacy documentation, the Contractor shall assign or procure a Privacy Lead, to be listed under the SOW or PWS’s required Contractor Personnel section. The Privacy Lead shall be responsible for providing adequate support to DHS to ensure DHS can complete any required PTA, PIA, SORN, or other supporting documentation to support privacy compliance. The Privacy Lead shall work with personnel from the program office, the ICE Privacy Unit, the Office of the Chief Information Officer, and the Records and Data Management Unit to ensure that the privacy documentation is kept on schedule, that the answers to questions in the PIA are thorough and complete, and that questions asked by the ICE Privacy Unit and other offices are answered in a timely fashion.

The Privacy Lead:

· Must have excellent writing skills, the ability to explain technology clearly for a non-technical audience, and the ability to synthesize information from a variety of sources.

· Must have excellent verbal communication and organizational skills.

· Must have experience writing PIAs. Ideally the candidate would have experience writing PIAs for DHS.

· Must be knowledgeable about the Privacy Act of 1974 and the E-Government Act of 2002.

· Must be able to work well with others.

If a Privacy Lead is already in place with the program office and the contract involves IT system builds or substantial changes that may require privacy documentation, the requirement for a separate Private Lead specifically assigned under this contract may be waived provided the Contractor agrees to have the existing Privacy Lead coordinate with and support the ICE Privacy POC to ensure privacy concerns are proactively reviewed and so ICE can complete any required PTA, PIA, SORN, or other supporting documentation to support privacy compliance if required. The Contractor shall work with personnel from the program office, the ICE Office of Information Governance and Privacy, and the Office of the Chief Information Officer to ensure that the privacy documentation is kept on schedule, that the answers to questions in any privacy documents are thorough and complete, that all records management requirements are met, and that questions asked by the ICE Privacy Unit and other offices are answered in a timely fashion.

A.10 In accordance with HSAR Class Deviation 15-01, Special Clause, Safeguarding of Sensitive Information (MAR 2015)

The following clause should be incorporated into acquisition documents for High Risk Contracts, defined as contracts that consist of contractors or sub-contractors viewing ICE sensitive data, contracts that are performed off-site, and/or contracts that are performed out of the continental United States:

Safeguarding of Sensitive Information (MAR 2015)

a) Applicability. This clause applies to the Contractor, its subcontractors, and Contractor employees (hereafter referred to collectively as “Contractor”). The Contractor shall insert the substance of this clause in all subcontracts.

b) Definitions. As used in this clause—

“Personally Identifiable Information (PII)” means information that can be used to distinguish or trace an individual’s identity, such as name, social security number, or biometric records, either alone, or when combined with other personal or identifying information that is linked or linkable to a specific individual, such as date and place of birth, or mother’s maiden name. The definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified. In performing this assessment, it is important for an agency to recognize that non-personally identifiable information can become personally identifiable information whenever additional information is made publicly available—in any medium and from any source—that, combined with other available information, could be used to identify an individual.

PII is a subset of sensitive information. Examples of PII include, but are not limited to: name, date of birth, mailing address, telephone number, Social Security number (SSN), email address, zip code, account numbers, certificate/license numbers, vehicle identifiers including license plates, uniform resource locators (URLs), static Internet protocol addresses, biometric identifiers such as fingerprint, voiceprint, iris scan, photographic facial images, or any other unique identifying number or characteristic, and any information where it is reasonably foreseeable that the information will be linked with other information to identify the individual.

“Sensitive Information” is defined in HSAR clause 3052.204-71, Contractor Employee Access, as any information, which if lost, misused, disclosed, or, without authorization is accessed, or modified, could adversely affect the national or homeland security interest, the conduct of Federal programs, or the privacy to which individuals are entitled under section 552a of Title 5, United States Code (the Privacy Act), but which has not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept secret in the interest of national defense, homeland security or foreign policy. This definition includes the following categories of information:

(1) Protected Critical Infrastructure Information (PCII) as set out in the Critical Infrastructure Information Act of 2002 (Title II, Subtitle B, of the Homeland Security Act, Public Law 107-296, 196 Stat. 2135), as amended, the implementing regulations thereto (Title 6, Code of Federal Regulations, Part 29) as amended, the applicable PCII Procedures Manual, as amended, and any supplementary guidance officially communicated by an authorized official of the Department of Homeland Security (including the PCII Program Manager or his/her designee);

(2) Sensitive Security Information (SSI), as defined in Title 49, Code of Federal Regulations, Part 1520, as amended, “Policies and Procedures of Safeguarding and Control of SSI,” as amended, and any supplementary guidance officially communicated by an authorized official of the Department of Homeland Security (including the Assistant Secretary for the Transportation Security Administration or his/her designee);

(3) Information designated as “For Official Use Only,” which is unclassified information of a sensitive nature and the unauthorized disclosure of which could adversely impact a person’s privacy or welfare, the conduct of Federal programs, or other programs or operations essential to the national or homeland security interest; and

(4) Any information that is designated “sensitive” or subject to other controls, safeguards or protections in accordance with subsequently adopted homeland security information handling procedures.

“Sensitive Information Incident” is an incident that includes the known, potential, or suspected exposure, loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or unauthorized access or attempted access of any Government system, Contractor system, or sensitive information.

“Sensitive Personally Identifiable Information (SPII)” is a subset of PII, which if lost, compromised or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual. Some forms of PII are sensitive as stand-alone elements. Examples of such PII include: Social Security numbers (SSN), driver’s license or state identification number, Alien Registration Numbers (A-number), financial account number, and biometric identifiers such as fingerprint, voiceprint, or iris scan. Additional examples include any groupings of information that contain an individual’s name or other unique identifier plus one or more of the following elements:

(1) Truncated SSN (such as last 4 digits)

(2) Date of birth (month, day, and year)

(3) Citizenship or immigration status

(4) Ethnic or religious affiliation

(5) Sexual orientation

(6) Criminal History

(7) Medical Information

(8) System authentication information such as mother’s maiden name, account passwords or personal identification numbers (PIN)

Other PII may be “sensitive” depending on its context, such as a list of employees and their performance ratings or an unlisted home address or phone number. In contrast, a business card or public telephone directory of agency employees contains PII but is not sensitive.

c) Authorities. The Contractor shall follow all current versions of Government policies and guidance accessible at http://www.dhs.gov/dhs-security-and-training-requirements-contractors, or available upon request from the Contracting Officer, including but not limited to:

(1) DHS Management Directive 11042.1 Safeguarding Sensitive But Unclassified (for Official Use Only) Information

(2) DHS Sensitive Systems Policy Directive 4300A

(3) DHS 4300A Sensitive Systems Handbook and Attachments

(4) DHS Security Authorization Process Guide

(5) DHS Handbook for Safeguarding Sensitive Personally Identifiable Information

(6) DHS Instruction Handbook 121-01-007 Department of Homeland Security Personnel Suitability and Security Program

(7) DHS Information Security Performance Plan (current fiscal year)

(8) DHS Privacy Incident Handling Guidance

(9) Federal Information Processing Standard (FIPS) 140-2 Security Requirements for Cryptographic Modules accessible at http://csrc.nist.gov/ groups/STM/cmvp/standards.html

(10) National Institute of Standards and Technology (NIST) Special Publication 800-53 Security and Privacy Controls for Federal Information Systems and Organizations accessible at http://csrc.nist.gov/publications/PubsSPs.html

(11) NIST Special Publication 800-88 Guidelines for Media Sanitization accessible at http://csrc.nist.gov/publications/PubsSPs.html

d) Handling of Sensitive Information. Contractor compliance with this clause, as well as the policies and procedures described below, is required.

(1) Department of Homeland Security (DHS) policies and procedures on Contractor personnel security requirements are set forth in various Management Directives (MDs), Directives, and Instructions. MD 11042.1, Safeguarding Sensitive But Unclassified (For Official Use Only) Information describes how Contractors must handle sensitive but unclassified information. DHS uses the term “FOR OFFICIAL USE ONLY” to identify sensitive but unclassified information that is not otherwise categorized by statute or regulation. Examples of sensitive information that are categorized by statute or regulation are PCII, SSI, etc. The DHS Sensitive Systems Policy Directive 4300A and the DHS 4300A Sensitive Systems Handbook provide the policies and procedures on security for Information Technology (IT) resources. The DHS Handbook for Safeguarding Sensitive Personally Identifiable Information provides guidelines to help safeguard SPII in both paper and electronic form. DHS Instruction Handbook 121-01-007 Department of Homeland Security Personnel Suitability and Security Program establishes procedures, program responsibilities, minimum standards, and reporting protocols for the DHS Personnel Suitability and Security Program.

(2) The Contractor shall not use or redistribute any sensitive information processed, stored, and/or transmitted by the Contractor except as specified in the contract.

(3) All Contractor employees with access to sensitive information shall execute DHS Form 11000-6, Department of Homeland Security Non-Disclosure Agreement (NDA), as a condition of access to such information. The Contractor shall maintain signed copies of the NDA for all employees as a record of compliance. The Contractor shall provide copies of the signed NDA to the Contracting Officer’s Representative (COR) no later than two (2) days after execution of the form.

(4) The Contractor’s invoicing, billing, and other recordkeeping systems maintained to support financial or other administrative functions shall not maintain SPII. It is acceptable to maintain in these systems the names, titles and contact information for the COR or other Government personnel associated with the administration of the contract, as needed.

e) Authority to Operate. The Contractor shall not input, store, process, output, and/or transmit sensitive information within a Contractor IT system without an Authority to Operate (ATO) signed by the Headquarters or Component CIO, or designee, in consultation with the Headquarters or Component Privacy Officer. Unless otherwise specified in the ATO letter, the ATO is valid for three (3) years. The Contractor shall adhere to current Government policies, procedures, and guidance for the Security Authorization (SA) process as defined below.

(1) Complete the Security Authorization process. The SA process shall proceed according to the DHS Sensitive Systems Policy Directive 4300A (most current version), or any successor publication, DHS 4300A Sensitive Systems Handbook (most current version), or any successor publication, and the Security Authorization Process Guide including templates.

(i) Security Authorization Process Documentation. SA documentation shall be developed using the Government provided Requirements Traceability Matrix and Government security documentation templates. SA documentation consists of the following: Security Plan, Contingency Plan, Contingency Plan Test Results, Configuration Management Plan, Security Assessment Plan, Security Assessment Report, and Authorization to Operate Letter. Additional documents that may be required include a Plan(s) of Action and Milestones and Interconnection Security Agreement(s). During the development of SA documentation, the Contractor shall submit a signed SA package, validated by an independent third party, to the COR for acceptance by the Headquarters or Component CIO, or designee, at least thirty (30) days prior to the date of operation of the IT system. The Government is the final authority on the compliance of the SA package and may limit the number of resubmissions of a modified SA package. Once the ATO has been accepted by the Headquarters or Component CIO, or designee, the Contracting Officer shall incorporate the ATO into the contract as a compliance document. The Government’s acceptance of the ATO does not alleviate the Contractor’s responsibility to ensure the IT system controls are implemented and operating effectively.

(ii) Independent Assessment. Contractors shall have an independent third party validate the security and privacy controls in place for the system(s). The independent third party shall review and analyze the SA package, and report on technical, operational, and management level deficiencies as outlined in NIST Special Publication 800-53 Security and Privacy Controls for Federal Information Systems and Organizations. The Contractor shall address all deficiencies before submitting the SA package to the Government for acceptance.

(iii) Support the completion of the Privacy Threshold Analysis (PTA) as needed. As part of the SA process, the Contractor may be required to support the Government in the completion of the PTA. The requirement to complete a PTA is triggered by the creation, use, modification, upgrade, or disposition of a Contractor IT system that will store, maintain and use PII, and must be renewed at least every three (3) years. Upon review of the PTA, the DHS Privacy Office determines whether a Privacy Impact Assessment (PIA) and/or Privacy Act System of Records Notice (SORN), or modifications thereto, are required. The Contractor shall provide all support necessary to assist the Department in completing the PIA in a timely manner and shall ensure that project management plans and schedules include time for the completion of the PTA, PIA, and SORN (to the extent required) as milestones. Support in this context includes responding timely to requests for information from the Government about the use, access, storage, and maintenance of PII on the Contractor’s system, and providing timely review of relevant compliance documents for factual accuracy. Information on the DHS privacy compliance process, including PTAs, PIAs, and SORNs, is accessible at http://www.dhs.gov/privacy-compliance.

(2) Renewal of ATO. Unless otherwise specified in the ATO letter, the ATO shall be renewed every three (3) years. The Contractor is required to update its SA package as part of the ATO renewal process. The Contractor shall update its SA package by one of the following methods: (1) Updating the SA documentation in the DHS automated information assurance tool for acceptance by the Headquarters or Component CIO, or designee, at least 90 days before the ATO expiration date for review and verification of security controls; or (2) Submitting an updated SA package directly to the COR for approval by the Headquarters or Component CIO, or designee, at least 90 days before the ATO expiration date for review and verification of security controls. The 90 day review process is independent of the system production date and therefore it is important that the Contractor build the review into project schedules. The reviews may include onsite visits that involve physical or logical inspection of the Contractor environment to ensure controls are in place.

(3) Security Review. The Government may elect to conduct random periodic reviews to ensure that the security requirements contained in this contract are being implemented and enforced. The Contractor shall afford DHS, the Office of the Inspector General, and other Government organizations access to the Contractor’s facilities, installations, operations, documentation, databases and personnel used in the performance of this contract. The Contractor shall, through the Contracting Officer and COR, contact the Headquarters or Component CIO, or designee, to coordinate and participate in review and inspection activity by Government organizations external to the DHS. Access shall be provided, to the extent necessary as determined by the Government, for the Government to carry out a program of inspection, investigation, and audit to safeguard against threats and hazards to the integrity, availability and confidentiality of Government data or the function of computer systems used in performance of this contract and to preserve evidence of computer crime.

(4) Continuous Monitoring. All Contractor-operated systems that input, store, process, output, and/or transmit sensitive information shall meet or exceed the continuous monitoring requirements identified in the Fiscal Year 2014 DHS Information Security Performance Plan, or successor publication. The plan is updated on an annual basis. The Contractor shall also store monthly continuous monitoring data at its location for a period not less than one year from the date the data is created. The data shall be encrypted in accordance with FIPS 140-2 Security Requirements for Cryptographic Modules and shall not be stored on systems that are shared with other commercial or Government entities. The Government may elect to perform continuous monitoring and IT security scanning of Contractor systems from Government tools and infrastructure.

(5) Revocation of ATO. In the event of a sensitive information incident, the Government may suspend or revoke an existing ATO (either in part or in whole). If an ATO is suspended or revoked in accordance with this provision, the Contracting Officer may direct the Contractor to take additional security measures to secure sensitive information. These measures may include restricting access to sensitive information on the Contractor IT system under this contract. Restricting access may include disconnecting the system processing, storing, or transmitting the sensitive information from the Internet or other networks or applying additional security controls.

(6) Federal Reporting Requirements. Contractors operating information systems on behalf of the Government or operating systems containing sensitive information shall comply with Federal reporting requirements. Annual and quarterly data collection will be coordinated by the Government. Contractors shall provide the COR with requested information within three (3) business days of receipt of the request. Reporting requirements are determined by the Government and are defined in the Fiscal Year 2014 DHS Information Security Performance Plan, or successor publication. The Contractor shall provide the Government with all information to fully satisfy Federal reporting requirements for Contractor systems.

f)       Sensitive Information Incident Reporting Requirements.

(1) All known or suspected sensitive information incidents shall be reported to the Headquarters or Component Security Operations Center (SOC) within one hour of discovery in accordance with 4300A Sensitive Systems Handbook Incident Response and Reporting requirements. When notifying the Headquarters or Component SOC, the Contractor shall also notify the Contracting Officer, COR, Headquarters or Component Privacy Officer, and US-CERT using the contact information identified in the contract. If the incident is reported by phone or the Contracting Officer’s email address is not immediately available, the Contractor shall contact the Contracting Officer immediately after reporting the incident to the Headquarters or Component SOC. The Contractor shall not include any sensitive information in the subject or body of any e-mail. To transmit sensitive information, the Contractor shall use FIPS 140-2 Security Requirements for Cryptographic Modules compliant encryption methods to protect sensitive information in attachments to email. Passwords shall not be communicated in the same email as the attachment. A sensitive information incident shall not, by itself, be interpreted as evidence that the Contractor has failed to provide adequate information security safeguards for sensitive information, or has otherwise failed to meet the requirements of the contract.

(2) If a sensitive information incident involves PII or SPII, in addition to the reporting requirements in 4300A Sensitive Systems Handbook Incident Response and Reporting, Contractors shall also provide as many of the following data elements that are available at the time the incident is reported, with any remaining data elements provided within 24 hours of submission of the initial incident report:

(i) Data Universal Numbering System (DUNS);

(ii) Contract numbers affected unless all contracts by the company are affected;

(iii) Facility CAGE code if the location of the event is different than the prime contractor location;

(iv) Point of contact (POC) if different than the POC recorded in the System for Award Management (address, position, telephone, email);

(v) Contracting Officer POC (address, telephone, email);

(vi) Contract clearance level;

(vii) Name of subcontractor and CAGE code if this was an incident on a subcontractor network;

(viii) Government programs, platforms or systems involved;

(ix) Location(s) of incident;

(x) Date and time the incident was discovered;

(xi) Server names where sensitive information resided at the time of the incident, both at the Contractor and subcontractor level;

(xii) Description of the Government PII and/or SPII contained within the system;

(xiii) Number of people potentially affected and the estimate or actual number of records exposed and/or contained within the system; and

(xiv) Any additional information relevant to the incident.

g) Sensitive Information Incident Response Requirements.

(1) All determinations related to sensitive information incidents, including response activities, notifications to affected individuals and/or Federal agencies, and related services (e.g., credit monitoring) will be made in writing by the Contracting Officer in consultation with the Headquarters or Component CIO and Headquarters or Component Privacy Officer.

(2) The Contractor shall provide full access and cooperation for all activities determined by the Government to be required to ensure an effective incident response, including providing all requested images, log files, and event information to facilitate rapid resolution of sensitive information incidents.

(3) Incident response activities determined to be required by the Government may include, but are not limited to, the following:

(i)       Inspections,

(ii)       Investigations,

(iii)       Forensic reviews, and

(iv)       Data analyses and processing.

(4) The Government, at its sole discretion, may obtain the assistance from other Federal agencies and/or third-party firms to aid in incident response activities.

h) Additional PII and/or SPII Notification Requirements.

(1) The Contractor shall have in place procedures and the capability to notify any individual whose PII resided in the Contractor IT system at the time of the sensitive information incident not later than 5 business days after being directed to notify individuals, unless otherwise approved by the Contracting Officer. The method and content of any notification by the Contractor shall be coordinated with, and subject to prior written approval by the Contracting Officer, in consultation with the Headquarters or Component Privacy Officer, utilizing the DHS Privacy Incident Handling Guidance. The Contractor shall not proceed with notification unless the Contracting Officer, in consultation with the Headquarters or Component Privacy Officer, has determined in writing that notification is appropriate.

(2) Subject to Government analysis of the incident and the terms of its instructions to the Contractor regarding any resulting notification, the notification method may consist of letters to affected individuals sent by first class mail, electronic means, or general public notice, as approved by the Government. Notification may require the Contractor’s use of address verification and/or address location services. At a minimum, the notification shall include:

(i)       A brief description of the incident;

(ii)       A description of the types of PII and SPII involved;

(iii)       A statement as to whether the PII or SPII was encrypted or protected by other means;

(iv)       Steps individuals may take to protect themselves;

(v)       What the Contractor and/or the Government are doing to investigate the incident, to mitigate the incident, and to protect against any future incidents; and

(vi)       Information identifying who individuals may contact for additional information.

i) Credit Monitoring Requirements. In the event that a sensitive information incident involves PII or SPII, the Contractor may be required to, as directed by the Contracting Officer:

(1) Provide notification to affected individuals as described above; and/or

(2) Provide credit monitoring services to individuals whose data was under the control of the Contractor or resided in the Contractor IT system at the time of the sensitive information incident for a period beginning the date of the incident and extending not less than 18 months from the date the individual is notified. Credit monitoring services shall be provided from a company with which the Contractor has no affiliation. At a minimum, credit monitoring services shall include:

(i)       Triple credit bureau monitoring;

(ii)       Daily customer service;

(iii)       Alerts provided to the individual for changes and fraud; and

(iv)       Assistance to the individual with enrollment in the services and the use of fraud alerts; and/or

(3) Establish a dedicated call center. Call center services shall include:

(i)       A dedicated telephone number to contact customer service within a fixed period;

(ii)       Information necessary for registrants/enrollees to access credit reports and credit scores;

(iii)       Weekly reports on call center volume, issue escalation (i.e., those calls that cannot be handled by call center staff and must be resolved by call center management or DHS, as appropriate), and other key metrics;

(iv)       Escalation of calls that cannot be handled by call center staff to call center management or DHS, as appropriate;

(v)       Customized FAQs, approved in writing by the Contracting Officer in coordination with the Headquarters or Component Chief Privacy Officer; and

(vi)       Information for registrants to contact customer service representatives and fraud resolution representatives for credit monitoring assistance.

j) Certification of Sanitization of Government and Government-Activity-Related Files and Information. As part of contract closeout, the Contractor shall submit the certification to the COR and the Contracting Officer following the template provided in NIST Special Publication 800-88 Guidelines for Media Sanitization.

A.11 In accordance with HSAR Class Deviation 15-01, Special Clause, Information Technology Security and Privacy Training (MAR 2015)

The following clauses should be incorporated into acquisition documents for High Risk Contracts, defined as contracts that consist of contractors or sub-contractors viewing ICE sensitive data, contracts that are performed off-site, or contracts that are performed out of the continental United States:

Security Training Requirements.

(1) All users of Federal information systems are required by Title 5, Code of Federal Regulations, Part 930.301, Subpart C, as amended, to be exposed to security awareness materials annually or whenever system security changes occur, or when the user’s responsibilities change. The Department of Homeland Security (DHS) requires that Contractor employees take an annual Information Technology Security Awareness Training course before accessing sensitive information under the contract. Unless otherwise specified, the training shall be completed within thirty (30) days of contract award and be completed on an annual basis thereafter not later than October 31^st of each year. Any new Contractor employees assigned to the contract shall complete the training before accessing sensitive information under the contract. The training is accessible at http://www.dhs.gov/dhs-security-and-training-requirements-contractors. The Contractor shall maintain copies of training certificates for all Contractor and subcontractor employees as a record of compliance. Unless otherwise specified, initial training certificates for each Contractor and subcontractor employee shall be provided to the Contracting Officer’s Representative (COR) not later than thirty (30) days after contract award. Subsequent training certificates to satisfy the annual training requirement shall be submitted to the COR via e-mail notification not later than October 31^st of each year. The e-mail notification shall state the required training has been completed for all Contractor and subcontractor employees.

(2) The DHS Rules of Behavior apply to every DHS employee, Contractor and subcontractor that will have access to DHS systems and sensitive information. The DHS Rules of Behavior shall be signed before accessing DHS systems and sensitive information. The DHS Rules of Behavior is a document that informs users of their responsibilities when accessing DHS systems and holds users accountable for actions taken while accessing DHS systems and using DHS Information Technology resources capable of inputting, storing, processing, outputting, and/or transmitting sensitive information. The DHS Rules of Behavior is accessible at http://www.dhs.gov/dhs-security-and-training-requirements- contractors. Unless otherwise specified, the DHS Rules of Behavior shall be signed within thirty (30) days of contract award. Any new Contractor employees assigned to the contract shall also sign the DHS Rules of Behavior before accessing DHS systems and sensitive information. The Contractor shall maintain signed copies of the DHS Rules of Behavior for all Contractor and subcontractor employees as a record of compliance. Unless otherwise specified, the Contractor shall e-mail copies of the signed DHS Rules of Behavior to the COR not later than thirty (30) days after contract award for each employee. The DHS Rules of Behavior will be reviewed annually and the COR will provide notification when a review is required.

Privacy Training Requirements.

All Contractor and subcontractor employees that will have access to Personally Identifiable Information (PII) and/or Sensitive PII (SPII) are required to take Privacy at DHS: Protecting Personal Information before accessing PII and/or SPII. The training is accessible at http://www.dhs.gov/dhs-security-and-training-requirements-contractors. Training shall be completed within thirty (30) days of contract award and be completed on an annual basis thereafter not later than October 31^st of each year. Any new Contractor employees assigned to the contract shall also complete the training before accessing PII and/or SPII. The Contractor shall maintain copies of training certificates for all Contractor and subcontractor employees as a record of compliance. Initial training certificates for each Contractor and subcontractor employee shall be provided to the COR not later than thirty (30) days after contract award. Subsequent training certificates to satisfy the annual training requirement shall be submitted to the COR via e-mail notification not later than October 31^st of each year. The e-mail notification shall state the required training has been completed for all Contractor and subcontractor employees.

a. The Offeror understands and agrees that the Government retains the right to cancel or terminate the Contract, if the Government determines that continuing this solicitation presents an unacceptable risk to national security.

b. “Gray-Market” Equipment

i. The Offeror shall provide only new equipment unless otherwise expressly approved, in writing, by the DHS Contracting Officer. Offerors shall provide only Original Equipment Manufacturer (OEM) parts to the Government. In the event that a shipped OEM part fails, all replacement parts must be OEM parts.

ii. The Offeror shall be excused from using new OEM (i.e., “gray market”, “previously used”) components only with formal Government approval, in writing, from the DHS Contracting Officer. Such components shall be procured from their original source and shipped only from the manufacturer’s authorized shipment points.

iii. All equipment obtained by the Offeror on behalf of the Government will need to be provided to OIG OCIO for review to validate requirements and approved Contractors by DHS.

c. Hardware and Software Requests

i. The contractors supply the Government hardware and software will provide the manufacturer’s name, address, state, and/or domain of registration, and the DUNS number for all components comprising the hardware and software. If subcontractors or subcomponents are used, the name, address, state, and/or domain of registration and DUNS number of those suppliers must be provided.

ii. Subcontractors are subject to the same general requirements and standards as prime contractors. Contractors employing subcontractors will perform due diligence to ensure that these standards are met.

iii. The Government shall be notified when a new contractor/subcontractor/service provider is introduced to the supply chain, or when suppliers of parts or subcomponents are changed.

1. For software products, the Offeror shall provide all OEM software updates to correct defects for the life of the product (i.e., until the “End of Life (EoL)”). Software updates and patches shall be either: made available to the government for all products procured under this Contract, replaced upon End of Support (EoS) is reached, or formally waived (in writing) by the DHS Contracting Officer.

d.       Supply-Chain Transport

i. Offerors shall employ formal and accountable transit, storage, and delivery procedures (i.e., the possession of the component is documented at all times from initial shipping point to final destination, and every transfer of the component from one custodian to another is fully documented and accountable) for all shipments to fulfill Contract obligations with the Government.

ii. All records pertaining to the transit, storage, and delivery will be maintained and available for inspection for the lessor of the term of the Contract, the period of performance, or one calendar year from the date the activity occurred.

iii.       This transit process shall minimize the number of times in route components undergo a change of custody and make use of tamper-proof or tamper-evident packaging for all shipments. The supplier, at the Government’s request, shall be able to provide shipping status at any time during transit.

iv. All records pertaining to the transit, storage, and delivery shall be readily available for inspection by any agent designated by the U.S. Government as having the authority to examine them.

v. The Offeror is fully liable for all damage, deterioration, or losses incurred during shipping and handling, unless the damage, deterioration, or loss is due to the Government.

vi. The Offeror shall provide a packing slip which shall accompany each container or package with the information identifying this solicitation number, the order number, a description of the hardware/software enclosed (Manufacturer name, model number, serial number), and the customer point of contact.

vii. The Offeror shall send a shipping notification to the intended government recipient; with a copy transmitted via email to the Contracting Officer, or designated representative. This shipping notification shall be sent electronically and will state this solicitation number, the order number, a description of the hardware/software being ship (manufacturer name, model number, serial number), initial shipper, shipping date and identifying (tracking) number.

e.       Notifications

i. The Offeror shall notify DHS Contracting Officer, COR and the Office of the Chief Information Officer and the DHS component Chief Information Officer through the Enterprise Security Operations Center (ESOC) directly of any suspected or potential violations of Section 889 of the National Defense Authorization Act (NDAA) for Information Communications Technology (ICT) at NDAA_Incidents@hq.dhs.gov.

f.       Foreign Equities

The Offeror shall immediately notify the DHS Contracting Officer, COR that will report to the Office of the Chief Security Officer (OCSO) or cognizant component personnel security office regarding any changes to corporate foreign ownership, control, or influence.

Section 508 of the Rehabilitation Act (classified to 29 U.S.C. § 794d) requires that when Federal agencies develop, procure, maintain, or use information and communications technology (ICT), it shall be accessible to people with disabilities. Federal employees and members of the public with disabilities must be afforded access to and use of information and data comparable to that of Federal employees and members of the public without disabilities.

All products, platforms and services delivered as part of this work statement that, by definition, are deemed ICT shall conform to the revised regulatory implementation of Section 508 Standards, which are located at 36 C.F.R. § 1194.1 & Appendixes A, C & D, and available at https://www.ecfr.gov/cgi-bin/text- idx?SID=e1c6735e25593339a9db63534259d8ec&mc=true&node=pt36.3.1194&rgn=div5. In the revised regulation, ICT replaced the term electronic and information technology (EIT) used in the original 508 standards. ICT includes IT and other equipment.

Exceptions for this work statement have been determined by DHS and only the exceptions described herein may be applied. Any request for additional exceptions shall be sent to the Contracting Officer and a determination will be made according to DHS Directive 139-05, Office of Accessible Systems and Technology, dated November 12, 2018 and DHS Instruction 139-05-001, Managing the Accessible Systems and Technology Program, dated November 20, 2018, or any successor publication.

1.1 Section 508 Requirements for Technology Services (include in the SOW, PWS, or SOO)

1. When providing installation, configuration or integration services for ICT, the Contractor shall not reduce the original ICT item’s level of Section 508 conformance prior to the services being performed.

2. When developing or modifying ICT, the Contractor is required to validate ICT deliverables for conformance to the applicable Section 508 requirements. Validation shall occur on a frequency that ensures Section 508 requirements is evaluated within each iteration and release that contains user interface functionality.

3. When modifying, installing, configuring or integrating commercially available or government-owned ICT, the Contractor shall not reduce the original ICT Item’s level of Section 508 conformance.

4. When developing or modifying web based and electronic content components, except for electronic documents and non-fillable forms provided in a Microsoft Office or Adobe PDF format, the Contractor shall demonstrate conformance to the applicable Section 508 standards (including WCAG 2.0 Level A and AA Success Criteria) by conducting testing using the DHS Trusted Tester for Web Methodology Version 5.0 or successor versions, and shall ensure testing is conducted by individuals who are certified by DHS on version 5.0 or successor versions (e.g. “DHS Certified Trusted Testers”). The Contractor shall provide the Trusted Tester Certification IDs to DHS upon request. Information on the DHS Trusted Tester for Web Methodology Version 5.0, related test tools, test reporting, training, and tester certification requirements is published at https://www.dhs.gov/trusted-tester.

5. When developing or modifying electronic documents and forms provided in a Microsoft Office or Adobe PDF format, the Contractor shall demonstrate conformance to the applicable to the applicable Section 508 standards (including WCAG Level A and AA Level 2.0 Success Criteria) by conducting testing using the test methods published under “Accessibility Tests for Documents” at https://www.dhs.gov/compliance-test-processes.

6. When developing or modifying ICT deliverables that contain the ability to automatically generate electronic documents and forms in Microsoft Office and Adobe formats, or when the capability is provided to enable end users to design and author web based electronic content (i.e. surveys, dashboards, charts, data visualizations, etc.), the Contractor shall demonstrate the ability to ensure these outputs conform to the applicable Section 508 standards (including WCAG 2.0 Level A and AA Success Criteria). The Contractor shall demonstrate conformance by conducting testing and reporting test results based on representative sample outputs. For outputs produced as Microsoft Office and Adobe PDF file formats, the Contractor shall use the test methods published under “Accessibility Tests for Documents”, which are published at https://www.dhs.gov/compliance-test-processes. For outputs produced as web based electronic content, the Contractor shall use the DHS Trusted Tester for Web Methodology Version 5.0, or successor versions. This methodology is published at https://www.dhs.gov/trusted-tester

7. When developing or modifying software functions of ICT, the Contractor shall demonstrate conformance to the applicable Section 508 standards (including the requirements in Chapter 5 and WCAG 2.0 Level A and AA Success Criteria). When the requirements in Chapter 5 do not address one or more software functions, the Contractor shall demonstrate conformance to the Functional Performance Criteria specified in Chapter 3. The Contractor shall use a test process capable of validating conformance to all applicable Section 508 standards for software functionality delivered pursuant to this contract. The Contractor may utilize the DHS Trusted Tester Methodology for Web and Software Version 4.0 as a component of the overall test process used. This version of the test process provides partial test coverage of the Section 508 standards that apply to software. If the Contractor uses this test process, the Contractor shall address the test coverage gaps through additional test procedures. Information on the DHS Trusted Tester Methodology for Web and Software Version 4.0, including coverage against the applicable Section 508 standards for software as well as gaps that need to be addressed through other test methods, related test tools, and training is published at https://www.dhs.gov/trusted-tester.

8. Contractor personnel shall possess the knowledge, skills and abilities necessary to address the accessibility requirements in this work statement.

1.2 Section 508 Deliverables (include in the SOW, PWS, or SOO)

1. Section 508 Test Plans: When developing or modifying ICT pursuant to this contract, the Contractor shall provide a detailed Section 508 Conformance Test Plan. The Test Plan shall describe the scope of components that will be tested, an explanation of the test process that will be used, when testing will be conducted during the project development life cycle, who will conduct the testing, how test results will be reported, and any key assumptions.

2. Section 508 Test Results: When developing or modifying ICT pursuant to this contract, the Contractor shall provide test results in accordance with the Section 508 Requirements for Technology Services provided in this solicitation.

3. Section 508 Accessibility Conformance Reports: For each ICT item offered through this contract (including commercially available products, and solutions consisting of ICT that are developed or modified pursuant to this contract), the Offeror shall provide an Accessibility Conformance Report (ACR) to document conformance claims against the applicable Section 508 standards. The ACR shall be based on the Voluntary Product Accessibility Template Version 2.0 508 (or successor versions). The template can be found at https://www.itic.org/policy/accessibility/vpat. Each ACR shall be completed by following all of the instructions provided in the template, including an explanation of the validation method used as a basis for the conformance claims in the report.

4. Other Section 508 Documentation: The following documentation shall be provided upon request for ICT items offered through this contract:

 ● Documentation of features provided to help achieve accessibility and usability for people with disabilities.

 ● Documentation on how to configure and install the ICT Item to support accessibility.

 ● Documentation of core functions that cannot be accessed by persons with disabilities.

 ● Documentation of remediation plans to address non-conformance to the Section 508 standards

DHS Enterprise Architecture Compliance

All solutions and services shall meet DHS Enterprise Architecture policies, standards, and procedures. Specifically, the contractor shall comply with the following HLS EA requirements:

● All developed solutions and requirements shall be compliant with the HLS EA.

● All IT hardware and software shall be compliant with the HLS EA Technical Reference Model (TRM) Standards and Products Profile.

● Description information for all data assets, information exchanges and data standards, whether adopted or developed, shall be submitted to the Enterprise Architecture Division (EAD) for review, approval and insertion into the DHS Data Reference Model and Mobius.

● Development of data assets, information exchanges and data standards will comply with the DHS Data Management Policy MD 103-01 and all data-related artifacts will be developed and validated according to DHS data management architectural guidelines.

● Applicability of Internet Protocol Version 6 (IPv6) to DHS-related components (networks, infrastructure, and applications) specific to individual acquisitions shall be in accordance with the DHS Enterprise Architecture (per OMB Memorandum M-05-22, August 2, 2005) regardless of whether the acquisition is for modification, upgrade, or replacement. All EA-related component acquisitions shall be IPv6 compliant as defined in the U.S. Government Version 6 (USGv6) Profile (National Institute of Standards and Technology (NIST) Special Publication 500-267) and the corresponding declarations of conformance defined in the USGv6 Test Program.

Requires Geospatial Information System Compliance Language

All implementations including geospatial data, information, and services shall comply with the policies and requirements set forth in the DHS Geospatial Information Infrastructure (GII), including (but not limited to) the following:

· All data built to the GII, whether adopted or developed, shall be submitted to the government for review and insertion into the DHS Data Reference Model.

· All software built to the GII, whether adopted or developed, shall be submitted to the government for review and insertion into the DHS Technical Reference Model.

FEDERAL ACQUISITION REGUALATION (FAR) CLAUSES INCORPORATED BY REFERENCE

	FAR CLAUSES
52.204-13	System for Award Management Maintenance	Oct 2018
	Commercial and Government Entity Code
52.204-18	Maintenance	Aug 2020
52.204-23	Prohibition on Contracting for Hardware, Software, and	Jul 2018
	Services Developed or Provided by Kaspersky Lab and
	Other Covered Entities
52.212-4	Contract Terms and Conditions – Commercial Items	Oct 2018
52.232-8	Discounts for Prompt Payment	Feb 2002
	Providing Accelerated Payments to Small Business
52.232-40	Subcontractors	Dec 2013
52.233-4	Applicable Law for Breach Of Contract Claim	Oct 2004
52.242-17	Government Delay of Work	Apr 1984

FEDERAL ACQUISITION REGUALATION (FAR) CLAUSES IN FULL TEXT

52.204-23 Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab and Other Covered Entities (Jul 2018)

(a) Definitions. As used in this clause—

Covered article means any hardware, software, or service that–

(1) Is developed or provided by a covered entity;

(2) Includes any hardware, software, or service developed or provided in whole or in part by a covered entity; or

(3) Contains components using any hardware or software developed in whole or in part by a covered entity.

Covered entity means—

(1) Kaspersky Lab;

(2) Any successor entity to Kaspersky Lab;

(3) Any entity that controls, is controlled by, or is under common control with Kaspersky Lab; or

(4) Any entity of which Kaspersky Lab has a majority ownership.

(b) Prohibition. Section 1634 of Division A of the National Defense Authorization Act for Fiscal Year 2018 (Pub. L. 115-91) prohibits Government use of any covered article. The Contractor is prohibited from—

1

(1) Providing any covered article that the Government will use on or after October 1, 2018; and

(2) Using any covered article on or after October 1, 2018, in the development of data or deliverables first produced in the performance of the contract.

(c) Reporting requirement.

(1) In the event the Contractor identifies a covered article provided to the Government during contract performance, or the Contractor is notified of such by a subcontractor at any tier or any other source, the Contractor shall report, in writing, to the Contracting Officer or, in the case of the Department of Defense, to the website at https://dibnet.dod.mil. For indefinite delivery contracts, the Contractor shall report to the Contracting Officer for the indefinite delivery contract and the Contracting Officer(s) for any affected order or, in the case of the Department of Defense, identify both the indefinite delivery contract and any affected orders in the report provided at https://dibnet.dod.mil.

(2) The Contractor shall report the following information pursuant to paragraph (c)(1) of this clause:

(i) Within 1 business day from the date of such identification or notification: the contract number; the order number(s), if applicable; supplier name; brand; model number (Original Equipment Manufacturer (OEM) number, manufacturer part number, or wholesaler number); item description; and any readily available information about mitigation actions undertaken or recommended.

(ii) Within 10 business days of submitting the report pursuant to paragraph (c)(1) of this clause: any further available information about mitigation actions undertaken or recommended. In addition, the Contractor shall describe the efforts it undertook to prevent use or submission of a covered article, any reasons that led to the use or submission of the covered article, and any additional efforts that will be incorporated to prevent future use or submission of covered articles.

(d) Subcontracts. The Contractor shall insert the substance of this clause, including this paragraph (d), in all subcontracts, including subcontracts for the acquisition of commercial items.

(End of clause)

52.204-25 Prohibition on Contracting for Certain Telecommunications and Video Surveillance Services or Equipment (Aug 2020)

(a) Definitions. As used in this clause—

Backhaul means intermediate links between the core network, or backbone network, and the small subnetworks at the edge of the network (e.g., connecting cell phones/towers to the core telephone network). Backhaul can be wireless (e.g., microwave) or wired (e.g., fiber optic, coaxial cable, Ethernet).

Covered foreign country means The People’s Republic of China.

2

Covered telecommunications equipment or services means-

(1) Telecommunications equipment produced by Huawei Technologies Company or ZTE Corporation (or any subsidiary or affiliate of such entities);

(2) For the purpose of public safety, security of Government facilities, physical security surveillance of critical infrastructure, and other national security purposes, video surveillance and telecommunications equipment produced by Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, or Dahua Technology Company (or any subsidiary or affiliate of such entities);

(3) Telecommunications or video surveillance services provided by such entities or using such equipment; or

(4) Telecommunications or video surveillance equipment or services produced or provided by an entity that the Secretary of Defense, in consultation with the Director of National

3

Intelligence or the Director of the Federal Bureau of Investigation, reasonably believes to be an entity owned or controlled by, or otherwise connected to, the government of a covered foreign country.

Critical technology means-

(1) Defense articles or defense services included on the United States Munitions List set forth in the International Traffic in Arms Regulations under subchapter M of chapter I of title 22, Code of Federal Regulations;

(2) Items included on the Commerce Control List set forth in Supplement No. 1 to part 774 of the Export Administration Regulations under subchapter C of chapter VII of title 15, Code of Federal Regulations, and controlled-

(i) Pursuant to multilateral regimes, including for reasons relating to national security, chemical and biological weapons proliferation, nuclear nonproliferation, or missile technology; or

(ii) For reasons relating to regional stability or surreptitious listening;

(3) Specially designed and prepared nuclear equipment, parts and components, materials, software, and technology covered by part 810 of title 10, Code of Federal Regulations (relating to assistance to foreign atomic energy activities);

(4) Nuclear facilities, equipment, and material covered by part 110 of title 10, Code of Federal Regulations (relating to export and import of nuclear equipment and material);

(5) Select agents and toxins covered by part 331 of title 7, Code of Federal Regulations, part 121 of title 9 of such Code, or part 73 of title 42 of such Code; or

(6) Emerging and foundational technologies controlled pursuant to section 1758 of the Export Control Reform Act of 2018 (50 U.S.C. 4817).

Interconnection arrangements means arrangements governing the physical connection of two or more networks to allow the use of another’s network to hand off traffic where it is ultimately delivered (e.g., connection of a customer of telephone provider A to a customer of telephone company B) or sharing data and other information resources.

Reasonable inquiry means an inquiry designed to uncover any information in the entity’s possession about the identity of the producer or provider of covered telecommunications equipment or services used by the entity that excludes the need to include an internal or third- party audit.

Roaming means cellular communications services (e.g., voice, video, data) received from a visited network when unable to connect to the facilities of the home network either because signal coverage is too weak or because traffic is too high.

4

Substantial or essential component means any component necessary for the proper function or performance of a piece of equipment, system, or service.

(b) Prohibition.

(1) Section 889(a)(1)(A) of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (Pub. L. 115-232) prohibits the head of an executive agency on or after August 13, 2019, from procuring or obtaining, or extending or renewing a contract to procure or obtain, any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system. The Contractor is prohibited from providing to the Government any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system, unless an exception at paragraph (c) of this clause applies or the covered telecommunication equipment or services are covered by a waiver described in FAR 4.2104.

(2) Section 889(a)(1)(B) of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (Pub. L. 115-232) prohibits the head of an executive agency on or after August 13, 2020, from entering into a contract, or extending or renewing a contract, with an entity that uses any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system, unless an exception at paragraph (c) of this clause applies or the covered telecommunication equipment or services are covered by a waiver described in FAR 4.2104. This prohibition applies to the use of covered telecommunications equipment or services, regardless of whether that use is in performance of work under a Federal contract.

(c) Exceptions. This clause does not prohibit contractors from providing—

(1) A service that connects to the facilities of a third-party, such as backhaul, roaming, or interconnection arrangements; or

(2) Telecommunications equipment that cannot route or redirect user data traffic or permit visibility into any user data or packets that such equipment transmits or otherwise handles.

(d) Reporting requirement.

(1) In the event the Contractor identifies covered telecommunications equipment or services used as a substantial or essential component of any system, or as critical technology as part of any system, during contract performance, or the Contractor is notified of such by a subcontractor at any tier or by any other source, the Contractor shall report the information in paragraph (d)(2) of this clause to the Contracting Officer, unless elsewhere in this contract are established procedures for reporting the information; in the case of the Department of Defense, the Contractor shall report to the website at https://dibnet.dod.mil. For indefinite delivery contracts, the Contractor shall report to the Contracting Officer for the indefinite delivery contract and the Contracting Officer(s) for any affected order or, in the case of the Department of Defense, identify both the indefinite delivery contract and any affected orders in the report provided at https://dibnet.dod.mil.

5

(2) The Contractor shall report the following information pursuant to paragraph (d)(1) of this clause

(i) Within one business day from the date of such identification or notification: the contract number; the order number(s), if applicable; supplier name; supplier unique entity identifier (if known); supplier Commercial and Government Entity (CAGE) code (if known); brand; model number (original equipment manufacturer number, manufacturer part number, or wholesaler number); item description; and any readily available information about mitigation actions undertaken or recommended.

(ii) Within 10 business days of submitting the information in paragraph (d)(2)(i) of this clause: any further available information about mitigation actions undertaken or recommended. In addition, the Contractor shall describe the efforts it undertook to prevent use or submission of covered telecommunications equipment or services, and any additional efforts that will be incorporated to prevent future use or submission of covered telecommunications equipment or services.

(e) Subcontracts. The Contractor shall insert the substance of this clause, including this paragraph (e) and excluding paragraph (b)(2), in all subcontracts and other contractual instruments, including subcontracts for the acquisition of commercial items.

(End of clause)

52.212-5 CONTRACT TERMS AND CONDITIONS REQUIRED TO IMPLEMENT STATUES OR EXECUTIVE ORDERS – COMMERCIAL ITEMS (Sep 2021)

(a) The Contractor shall comply with the following Federal Acquisition Regulation (FAR) clauses, which are incorporated in this contract by reference, to implement provisions of law or Executive orders applicable to acquisitions of commercial items:

(1) 52.203-19, Prohibition on Requiring Certain Internal Confidentiality Agreements or Statements (Jan 2017) (section 743 of Division E, Title VII, of the Consolidated and Further Continuing Appropriations Act, 2015 (Pub. L. 113-235) and its successor provisions in subsequent appropriations acts (and as extended in continuing resolutions)).

(2) 52.204-23, Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab and Other Covered Entities (Jul 2018) (Section 1634 of Pub. L. 115-91).

(3) 52.204-25, Prohibition on Contracting for Certain Telecommunications and Video Surveillance Services or Equipment. (Aug 2020) (Section 889(a)(1)(A) of Pub. L. 115-232).

(4) 52.209-10, Prohibition on Contracting with Inverted Domestic Corporations (Nov 2015).

(5) 52.233-3, Protest After Award (Aug 1996) (31 U.S.C. 3553).

6

(6) 52.233-4, Applicable Law for Breach of Contract Claim (Oct 2004) (Public Laws 108-77 and 108-78 (19 U.S.C. 3805 note)).

(b) The Contractor shall comply with the FAR clauses in this paragraph (b) that the Contracting Officer has indicated as being incorporated in this contract by reference to implement provisions of law or Executive orders applicable to acquisitions of commercial items:

x (1) 52.203-6, Restrictions on Subcontractor Sales to the Government (June 2020), with Alternate I (Oct 1995) (41 U.S.C. 4704 and 10 U.S.C. 2402).

¨ (2) 52.203-13, Contractor Code of Business Ethics and Conduct (Jun 2020) (41 U.S.C. 3509)).

¨ (3) 52.203-15, Whistleblower Protections under the American Recovery and Reinvestment Act of 2009 (Jun 2010) (Section 1553 of Pub. L. 111-5). (Applies to contracts funded by the American Recovery and Reinvestment Act of 2009.)

¨ (4) 52.204-10, Reporting Executive Compensation and First-Tier Subcontract Awards (Jun 2020) (Pub. L. 109-282) ( 31 U.S.C. 6101 note).

¨ (5) [Reserved].

¨ (6) 52.204-14, Service Contract Reporting Requirements (Oct 2016) (Pub. L. 111-117, section 743 of Div. C).

¨ (7) 52.204-15, Service Contract Reporting Requirements for Indefinite-Delivery Contracts (Oct 2016) (Pub. L. 111-117, section 743 of Div. C).

x (8) 52.209-6, Protecting the Government’s Interest When Subcontracting with Contractors Debarred, Suspended, or Proposed for Debarment. (Jun 2020) (31 U.S.C. 6101 note).

¨ (9) 52.209-9, Updates of Publicly Available Information Regarding Responsibility Matters (Oct 2018) (41 U.S.C. 2313).

¨ (10) [Reserved].

¨ (11) (i) 52.219-3, Notice of HUBZone Set-Aside or Sole-Source Award (Mar 2020) (15 U.S.C. 657a).

¨ (ii) Alternate I (Mar 2020) of 52.219-3.

¨ (12) (i) 52.219-4, Notice of Price Evaluation Preference for HUBZone Small Business Concerns (Mar 2020) (if the offeror elects to waive the preference, it shall so indicate in its offer) (15 U.S.C. 657a).

¨ (ii) Alternate I (Mar 2020) of 52.219-4.

¨ (13) [Reserved]

¨ (14) (i) 52.219-6, Notice of Total Small Business Set-Aside (Nov 2020) (15 U.S.C. 644).

¨ (ii) Alternate I (Mar 2020) of 52.219-6.

7

¨ (15) (i) 52.219-7, Notice of Partial Small Business Set-Aside (Nov 2020) (15 U.S.C. 644).

¨ (ii) Alternate I (Mar 2020) of 52.219-7.

¨ (16) 52.219-8, Utilization of Small Business Concerns (Oct 2018) (15 U.S.C. 637(d)(2) and (3)).

¨ (17) (i) 52.219-9, Small Business Subcontracting Plan (Jun 2020) (15 U.S.C. 637(d)(4)).

¨ (ii) Alternate I (Nov 2016) of 52.219-9.

¨ (iii) Alternate II (Nov 2016) of 52.219-9.

¨ (iv) Alternate III (Jun 2020) of 52.219-9.

¨ (v) Alternate IV (Jun 2020) of 52.219-9

¨ (18) (i) 52.219-13, Notice of Set-Aside of Orders (Mar 2020) (15 U.S.C. 644(r)).

¨ (ii) Alternate I (Mar 2020) of 52.219-13.

¨ (19) 52.219-14, Limitations on Subcontracting (Mar 2020) (15 U.S.C. 637(a)(14)).

¨ (20) 52.219-16, Liquidated Damages-Subcontracting Plan (Jan 1999) (15 U.S.C. 637(d)(4)(F)(i)).

¨ (21) 52.219-27, Notice of Service-Disabled Veteran-Owned Small Business Set-Aside (Mar 2020) (15 U.S.C. 657f).

x (22) (i) 52.219-28, Post Award Small Business Program Rerepresentation (Nov 2020) (15 U.S.C. 632(a)(2)).

¨ (ii) Alternate I (MAR 2020) of 52.219-28.

¨ (23) 52.219-29, Notice of Set-Aside for, or Sole Source Award to, Economically Disadvantaged Women-Owned Small Business Concerns (Mar 2020) (15 U.S.C. 637(m)).

¨ (24) 52.219-30, Notice of Set-Aside for, or Sole Source Award to, Women-Owned Small Business Concerns Eligible Under the Women-Owned Small Business Program (Mar2020) (15 U.S.C. 637(m)).

¨ (25) 52.219-32, Orders Issued Directly Under Small Business Reserves (Mar 2020) (15 U.S.C. 644(r)).

¨ (26) 52.219-33, Nonmanufacturer Rule (Mar 2020) (15U.S.C. 637(a)(17)).

x (27) 52.222-3, Convict Labor (Jun 2003) (E.O.11755).

x (28) 52.222-19, Child Labor-Cooperation with Authorities and Remedies (Jan2020) (E.O.13126).

x (29) 52.222-21, Prohibition of Segregated Facilities (Apr 2015).

x (30) (i) 52.222-26, Equal Opportunity (Sep 2016) (E.O.11246).

¨ (ii) Alternate I (Feb 1999) of 52.222-26.

8

¨ (31) (i) 52.222-35, Equal Opportunity for Veterans (Jun 2020) (38 U.S.C. 4212).

¨ (ii) Alternate I (Jul 2014) of 52.222-35.

¨ (32) (i) 52.222-36, Equal Opportunity for Workers with Disabilities (Jun 2020) (29 U.S.C. 793).

¨ (ii) Alternate I (Jul 2014) of 52.222-36.

¨ (33) 52.222-37, Employment Reports on Veterans (Jun 2020) (38 U.S.C. 4212).

x (34) 52.222-40, Notification of Employee Rights Under the National Labor Relations Act (Dec 2010) (E.O. 13496).

x (35) (i) 52.222-50, Combating Trafficking in Persons (Oct 2020) (22 U.S.C. chapter 78 and E.O. 13627).

¨ (ii) Alternate I (Mar 2015) of 52.222-50 (22 U.S.C. chapter 78 and E.O. 13627).

¨ (36) 52.222-54, Employment Eligibility Verification (Oct 2015). (Executive Order 12989). (Not applicable to the acquisition of commercially available off-the-shelf items or certain other types of commercial items as prescribed in 22.1803.)

¨ (37) (i) 52.223-9, Estimate of Percentage of Recovered Material Content for EPA– Designated Items (May 2008) ( 42 U.S.C. 6962(c)(3)(A)(ii)). (Not applicable to the acquisition of commercially available off-the-shelf items.)

¨ (ii) Alternate I (May 2008) of 52.223-9 (42 U.S.C. 6962(i)(2)(C)). (Not applicable to the acquisition of commercially available off-the-shelf items.)

¨ (38) 52.223-11, Ozone-Depleting Substances and High Global Warming Potential Hydrofluorocarbons (Jun 2016) (E.O. 13693).

¨ (39) 52.223-12, Maintenance, Service, Repair, or Disposal of Refrigeration Equipment and Air Conditioners (Jun 2016) (E.O. 13693).

¨ (40) (i) 52.223-13, Acquisition of EPEAT®-Registered Imaging Equipment (Jun 2014) (E.O.s 13423 and 13514).

¨ (ii) Alternate I (Oct 2015) of 52.223-13.

¨ (41) (i) 52.223-14, Acquisition of EPEAT®-Registered Televisions (Jun 2014) (E.O.s 13423 and 13514).

¨ (ii) Alternate I (Jun2014) of 52.223-14.

¨ (42) 52.223-15, Energy Efficiency in Energy-Consuming Products (May 2020) (42 U.S.C. 8259b).

9

¨ (43) (i) 52.223-16, Acquisition of EPEAT®-Registered Personal Computer Products (Oct 2015) (E.O.s 13423 and 13514).

¨ (ii) Alternate I (Jun 2014) of 52.223-16.

x (44) 52.223-18, Encouraging Contractor Policies to Ban Text Messaging While Driving (Jun 2020) (E.O. 13513).

¨ (45) 52.223-20, Aerosols (Jun 2016) (E.O. 13693).

¨ (46) 52.223-21, Foams (Jun2016) (E.O. 13693).

¨ (47) (i) 52.224-3 Privacy Training (Jan 2017) (5 U.S.C. 552 a).

¨ (ii) Alternate I (Jan 2017) of 52.224-3.

¨ (48) 52.225-1, Buy American-Supplies (Jan2021) (41 U.S.C. chapter 83).

¨ (49) (i) 52.225-3, Buy American-Free Trade Agreements-Israeli Trade Act (Jan 2021)(41 U.S.C.chapter83, 19 U.S.C. 3301 note, 19 U.S.C. 2112 note, 19 U.S.C. 3805 note, 19 U.S.C. 4001 note, Pub. L. 103-182, 108-77, 108-78, 108-286, 108-302, 109-53, 109-169, 109-283, 110-138, 112-41, 112-42, and 112-43.

¨ (ii) Alternate I (Jan 2021) of 52.225-3.

¨ (iii) Alternate II (Jan 2021) of 52.225-3.

¨ (iv) Alternate III (Jan 2021) of 52.225-3.

¨ (50) 52.225-5, Trade Agreements (Oct 2019) (19 U.S.C. 2501, et seq., 19 U.S.C. 3301 note).

¨ (51) 52.225-13, Restrictions on Certain Foreign Purchases (Feb 2021) (E.O.’s, proclamations, and statutes administered by the Office of Foreign Assets Control of the Department of the Treasury).

¨ (52) 52.225-26, Contractors Performing Private Security Functions Outside the United States (Oct 2016) (Section 862, as amended, of the National Defense Authorization Act for Fiscal Year 2008; 10 U.S.C. 2302Note).

¨ (53) 52.226-4, Notice of Disaster or Emergency Area Set-Aside (Nov2007) (42 U.S.C. 5150).

¨ (54) 52.226-5, Restrictions on Subcontracting Outside Disaster or Emergency Area (Nov2007) (42 U.S.C. 5150).

¨ (55) 52.229-12, Tax on Certain Foreign Procurements (Feb 2021).

¨ (56) 52.232-29, Terms for Financing of Purchases of Commercial Items (Feb 2002) (41 U.S.C. 4505, 10 U.S.C. 2307(f)).

10

¨ (57) 52.232-30, Installment Payments for Commercial Items (Jan 2017) (41 U.S.C. 4505, 10 U.S.C. 2307(f)).

x (58) 52.232-33, Payment by Electronic Funds Transfer-System for Award Management (Oct2018) (31 U.S.C. 3332).

¨ (59) 52.232-34, Payment by Electronic Funds Transfer-Other than System for Award Management (Jul 2013) (31 U.S.C. 3332).

¨ (60) 52.232-36, Payment by Third Party (May 2014) (31 U.S.C. 3332).

¨ (61) 52.239-1, Privacy or Security Safeguards (Aug 1996) (5 U.S.C. 552a).

¨ (62) 52.242-5, Payments to Small Business Subcontractors (Jan 2017) (15 U.S.C. 637(d)(13)).

¨ (63) (i) 52.247-64, Preference for Privately Owned U.S.-Flag Commercial Vessels (Feb 2006) ( 46 U.S.C. 55305 and 10 U.S.C. 2631).

¨ (ii) Alternate I (Apr 2003) of 52.247-64.

¨ (iii) Alternate II (Feb 2006) of 52.247-64.

(c) The Contractor shall comply with the FAR clauses in this paragraph (c), applicable to commercial services, that the Contracting Officer has indicated as being incorporated in this contract by reference to implement provisions of law or Executive orders applicable to acquisitions of commercial items:

¨ (1) 52.222-41, Service Contract Labor Standards (Aug 2018) (41 U.S.C. chapter67).

¨ (2) 52.222-42, Statement of Equivalent Rates for Federal Hires (May 2014) (29 U.S.C. 206 and 41 U.S.C. chapter 67).

¨ (3) 52.222-43, Fair Labor Standards Act and Service Contract Labor Standards-Price Adjustment (Multiple Year and Option Contracts) (Aug 2018) (29 U.S.C. 206 and 41 U.S.C. chapter 67).

¨ (4) 52.222-44, Fair Labor Standards Act and Service Contract Labor Standards-Price Adjustment (May 2014) ( 29U.S.C.206 and 41 U.S.C. chapter 67).

¨ (5) 52.222-51, Exemption from Application of the Service Contract Labor Standards to Contracts for Maintenance, Calibration, or Repair of Certain Equipment-Requirements (May 2014) (41 U.S.C. chapter 67).

¨ (6) 52.222-53, Exemption from Application of the Service Contract Labor Standards to Contracts for Certain Services-Requirements (May 2014) (41 U.S.C. chapter 67).

¨ (7) 52.222-55, Minimum Wages Under Executive Order 13658 (Nov 2020).

11

¨ (8) 52.222-62, Paid Sick Leave Under Executive Order 13706 (Jan 2017) (E.O. 13706).

¨ (9) 52.226-6, Promoting Excess Food Donation to Nonprofit Organizations (Jun 2020) (42 U.S.C. 1792).

(d) Comptroller General Examination of Record. The Contractor shall comply with the provisions of this paragraph (d) if this contract was awarded using other than sealed bid, is in excess of the simplified acquisition threshold, as defined in FAR 2.101, on the date of award of this contract, and does not contain the clause at 52.215-2, Audit and Records-Negotiation.

(1) The Comptroller General of the United States, or an authorized representative of the Comptroller General, shall have access to and right to examine any of the Contractor’s directly pertinent records involving transactions related to this contract.

(2) The Contractor shall make available at its offices at all reasonable times the records, materials, and other evidence for examination, audit, or reproduction, until 3 years after final payment under this contract or for any shorter period specified in FAR subpart 4.7, Contractor Records Retention, of the other clauses of this contract. If this contract is completely or partially terminated, the records relating to the work terminated shall be made available for 3 years after any resulting final termination settlement. Records relating to appeals under the disputes clause or to litigation or the settlement of claims arising under or relating to this contract shall be made available until such appeals, litigation, or claims are finally resolved.

(3) As used in this clause, records include books, documents, accounting procedures and practices, and other data, regardless of type and regardless of form. This does not require the Contractor to create or maintain any record that the Contractor does not maintain in the ordinary course of business or pursuant to a provision of law.

(e) (1) Notwithstanding the requirements of the clauses in paragraphs (a), (b), (c), and (d) of this clause, the Contractor is not required to flow down any FAR clause, other than those in this paragraph (e)(1) in a subcontract for commercial items. Unless otherwise indicated below, the extent of the flow down shall be as required by the clause-

(i) 52.203-13, Contractor Code of Business Ethics and Conduct (Jun 2020) (41 U.S.C. 3509).

(ii) 52.203-19, Prohibition on Requiring Certain Internal Confidentiality Agreements or Statements (Jan 2017) (section 743 of Division E, Title VII, of the Consolidated and Further Continuing Appropriations Act, 2015 (Pub. L. 113-235) and its successor provisions in subsequent appropriations acts (and as extended in continuing resolutions)).

(iii) 52.204-23, Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab and Other Covered Entities (Jul 2018) (Section 1634 of Pub. L. 115-91).

(iv) 52.204-25, Prohibition on Contracting for Certain Telecommunications and Video Surveillance Services or Equipment. (Aug 2020) (Section 889(a)(1)(A) of Pub. L. 115-232).

(v) 52.219-8, Utilization of Small Business Concerns (Oct 2018) (15 U.S.C. 637(d)(2) and (3)), in all subcontracts that offer further subcontracting opportunities. If the subcontract (except subcontracts to small business concerns) exceeds the applicable threshold specified in FAR 19.702(a) on the date of subcontract award, the subcontractor must include 52.219-8 in lower tier subcontracts that offer subcontracting opportunities.

12

(vi) 52.222-21, Prohibition of Segregated Facilities (Apr 2015).

(vii) 52.222-26, Equal Opportunity (Sep 2015) (E.O.11246).

(viii) 52.222-35, Equal Opportunity for Veterans (Jun 2020) (38 U.S.C. 4212).

(ix) 52.222-36, Equal Opportunity for Workers with Disabilities (Jun 2020) (29 U.S.C. 793).

(x) 52.222-37, Employment Reports on Veterans (Jun 2020) (38 U.S.C. 4212).

(xi) 52.222-40, Notification of Employee Rights Under the National Labor Relations Act (Dec 2010) (E.O. 13496). Flow down required in accordance with paragraph (f) of FAR clause 52.222-40.

(xii) 52.222-41, Service Contract Labor Standards (Aug 2018) (41 U.S.C. chapter 67).

(xiii) (A) 52.222-50, Combating Trafficking in Persons (Oct 2020) (22 U.S.C. chapter 78 and E.O 13627).

(B) Alternate I (Mar 2015) of 52.222-50 (22 U.S.C. chapter 78 and E.O. 13627).

(xiv) 52.222-51, Exemption from Application of the Service Contract Labor Standards to Contracts for Maintenance, Calibration, or Repair of Certain Equipment-Requirements (May2014) (41 U.S.C. chapter 67).

(xv) 52.222-53, Exemption from Application of the Service Contract Labor Standards to Contracts for Certain Services-Requirements (May 2014) (41 U.S.C. chapter 67).

(xvi) 52.222-54, Employment Eligibility Verification (Oct 2015) (E.O. 12989).

(xvii) 52.222-55, Minimum Wages Under Executive Order 13658 (Nov 2020).

(xviii) 52.222-62, Paid Sick Leave Under Executive Order 13706 (Jan 2017) (E.O. 13706).

(xix) (A) 52.224-3, Privacy Training (Jan 2017) (5 U.S.C. 552a).

(B) Alternate I (Jan 2017) of 52.224-3.

(xx) 52.225-26, Contractors Performing Private Security Functions Outside the United States (Oct 2016) (Section 862, as amended, of the National Defense Authorization Act for Fiscal Year 2008; 10 U.S.C. 2302 Note).

(xxi) 52.226-6, Promoting Excess Food Donation to Nonprofit Organizations (Jun 2020) (42 U.S.C. 1792). Flow down required in accordance with paragraph (e) of FAR clause 52.226-6.

13

(xxii) 52.247-64, Preference for Privately Owned U.S.-Flag Commercial Vessels (Feb 2006) ( 46 U.S.C. 55305 and 10 U.S.C. 2631). Flow down required in accordance with paragraph (d) of FAR clause 52.247-64.

(2) While not required, the Contractor may include in its subcontracts for commercial items a minimal number of additional clauses necessary to satisfy its contractual obligations.

(End of clause)

52.227-14 Rights in Data-General (May 2014)

(a) Definitions. As used in this clause-

Computer database or “database means” a collection of recorded information in a form capable of, and for the purpose of, being stored in, processed, and operated on by a computer. The term does not include computer software.

Computer software-

(1) Means

(i) Computer programs that comprise a series of instructions, rules, routines, or statements, regardless of the media in which recorded, that allow or cause a computer to perform a specific operation or series of operations; and

(ii) Recorded information comprising source code listings, design details, algorithms, processes, flow charts, formulas, and related material that would enable the computer program to be produced, created, or compiled.

(2) Does not include computer databases or computer software documentation.

Computer software documentation means owner’s manuals, user’s manuals, installation instructions, operating instructions, and other similar items, regardless of storage medium, that explain the capabilities of the computer software or provide instructions for using the software.

Data means recorded information, regardless of form or the media on which it may be recorded. The term includes technical data and computer software. The term does not include information incidental to contract administration, such as financial, administrative, cost or pricing, or management information.

Form, fit, and function data means data relating to items, components, or processes that are sufficient to enable physical and functional interchangeability, and data identifying source, size, configuration, mating and attachment characteristics, functional characteristics, and performance requirements. For computer software it means data identifying source, functional characteristics, and performance requirements but specifically excludes the source code, algorithms, processes, formulas, and flow charts of the software.

Limited rights means the rights of the Government in limited rights data as set forth in the Limited Rights Notice of paragraph (g)(3) if included in this clause.

14

Limited rights data means data, other than computer software, that embody trade secrets or are commercial or financial and confidential or privileged, to the extent that such data pertain to items, components, or processes developed at private expense, including minor modifications.

Restricted computer software means computer software developed at private expense and that is a trade secret, is commercial or financial and confidential or privileged, or is copyrighted computer software, including minor modifications of the computer software.

Restricted rights, as used in this clause, means the rights of the Government in restricted computer software, as set forth in a Restricted Rights Notice of paragraph (g) if included in this clause, or as otherwise may be provided in a collateral agreement incorporated in and made part of this contract, including minor modifications of such computer software.

Technical data means recorded information (regardless of the form or method of the recording) of a scientific or technical nature (including computer databases and computer software documentation). This term does not include computer software or financial, administrative, cost or pricing, or management data or other information incidental to contract administration. The term includes recorded information of a scientific or technical nature that is included in computer databases (See 41 U.S.C. 116).

Unlimited rights means the rights of the Government to use, disclose, reproduce, prepare derivative works, distribute copies to the public, and perform publicly and display publicly, in any manner and for any purpose, and to have or permit others to do so.

(b) Allocation of rights.

(1) Except as provided in paragraph (c) of this clause, the Government shall have unlimited rights in-

(i) Data first produced in the performance of this contract;

(ii) Form, fit, and function data delivered under this contract;

(iii) Data delivered under this contract (except for restricted computer software) that constitute manuals or instructional and training material for installation, operation, or routine maintenance and repair of items, components, or processes delivered or furnished for use under this contract; and

(iv) All other data delivered under this contract unless provided otherwise for limited rights data or restricted computer software in accordance with paragraph (g) of this clause.

(2) The Contractor shall have the right to-

(i) Assert copyright in data first produced in the performance of this contract to the extent provided in paragraph (c)(1) of this clause;

(ii) Use, release to others, reproduce, distribute, or publish any data first produced or specifically used by the Contractor in the performance of this contract, unless provided otherwise in paragraph (d) of this clause;

15

(iii) Substantiate the use of, add, or correct limited rights, restricted rights, or copyright notices and to take other appropriate action, in accordance with paragraphs (e) and (f) of this clause; and

(iv) Protect from unauthorized disclosure and use those data that are limited rights data or restricted computer software to the extent provided in paragraph (g) of this clause.

(c) Copyright-

(1) Data first produced in the performance of this contract.

(i) Unless provided otherwise in paragraph (d) of this clause, the Contractor may, without prior approval of the Contracting Officer, assert copyright in scientific and technical articles based on or containing data first produced in the performance of this contract and published in academic, technical or professional journals, symposia proceedings, or similar works. The prior, express written permission of the Contracting Officer is required to assert copyright in all other data first produced in the performance of this contract.

(ii) When authorized to assert copyright to the data, the Contractor shall affix the applicable copyright notices of 17 U.S.C. 401 or 402, and an acknowledgment of Government sponsorship (including contract number).

(iii) For data other than computer software, the Contractor grants to the Government, and others acting on its behalf, a paid-up, nonexclusive, irrevocable, worldwide license in such copyrighted data to reproduce, prepare derivative works, distribute copies to the public, and perform publicly and display publicly by or on behalf of the Government. For computer software, the Contractor grants to the Government, and others acting on its behalf, a paid-up, nonexclusive, irrevocable, worldwide license in such copyrighted computer software to reproduce, prepare derivative works, and perform publicly and display publicly (but not to distribute copies to the public) by or on behalf of the Government.

(2) Data not first produced in the performance of this contract. The Contractor shall not, without the prior written permission of the Contracting Officer, incorporate in data delivered under this contract any data not first produced in the performance of this contract unless the Contractor-

(i) Identifies the data; and

(ii) Grants to the Government, or acquires on its behalf, a license of the same scope as set forth in paragraph (c)(1) of this clause or, if such data are restricted computer software, the Government shall acquire a copyright license as set forth in paragraph (g)(4) of this clause (if included in this contract) or as otherwise provided in a collateral agreement incorporated in or made part of this contract.

(3) Removal of copyright notices. The Government will not remove any authorized copyright notices placed on data pursuant to this paragraph (c), and will include such notices on all reproductions of the data.

(d) Release, publication, and use of data. The Contractor shall have the right to use, release to others, reproduce, distribute, or publish any data first produced or specifically used by the Contractor in the performance of this contract, except-

16

(1) As prohibited by Federal law or regulation (e.g., export control or national security laws or regulations);

(2) As expressly set forth in this contract; or

(3) If the Contractor receives or is given access to data necessary for the performance of this contract that contain restrictive markings, the Contractor shall treat the data in accordance with such markings unless specifically authorized otherwise in writing by the Contracting Officer.

(e) Unauthorized marking of data.

(1) Notwithstanding any other provisions of this contract concerning inspection or acceptance, if any data delivered under this contract are marked with the notices specified in paragraph (g)(3) or (g) (4) if included in this clause, and use of the notices is not authorized by this clause, or if the data bears any other restrictive or limiting markings not authorized by this contract, the Contracting Officer may at any time either return the data to the Contractor, or cancel or ignore the markings. However, pursuant to 41 U.S.C. 4703, the following procedures shall apply prior to canceling or ignoring the markings.

(i) The Contracting Officer will make written inquiry to the Contractor affording the Contractor 60 days from receipt of the inquiry to provide written justification to substantiate the propriety of the markings;

(ii) If the Contractor fails to respond or fails to provide written justification to substantiate the propriety of the markings within the 60-day period (or a longer time approved in writing by the Contracting Officer for good cause shown), the Government shall have the right to cancel or ignore the markings at any time after said period and the data will no longer be made subject to any disclosure prohibitions.

(iii) If the Contractor provides written justification to substantiate the propriety of the markings within the period set in paragraph (e)(1)(i) of this clause, the Contracting Officer will consider such written justification and determine whether or not the markings are to be cancelled or ignored. If the Contracting Officer determines that the markings are authorized, the Contractor will be so notified in writing. If the Contracting Officer determines, with concurrence of the head of the contracting activity, that the markings are not authorized, the Contracting Officer will furnish the Contractor a written determination, which determination will become the final agency decision regarding the appropriateness of the markings unless the Contractor files suit in a court of competent jurisdiction within 90 days of receipt of the Contracting Officer’s decision. The Government will continue to abide by the markings under this paragraph (e)(1)(iii) until final resolution of the matter either by the Contracting Officer’s determination becoming final (in which instance the Government will thereafter have the right to cancel or ignore the markings at any time and the data will no longer be made subject to any disclosure prohibitions), or by final disposition of the matter by court decision if suit is filed.

17

(2) The time limits in the procedures set forth in paragraph (e)(1) of this clause may be modified in accordance with agency regulations implementing the Freedom of Information Act ( 5 U.S.C. 552) if necessary to respond to a request thereunder.

(3) Except to the extent the Government’s action occurs as the result of final disposition of the matter by a court of competent jurisdiction, the Contractor is not precluded by paragraph (e) of the clause from bringing a claim, in accordance with the Disputes clause of this contract, that may arise as the result of the Government removing or ignoring authorized markings on data delivered under this contract.

(f) Omitted or incorrect markings.

(1) Data delivered to the Government without any restrictive markings shall be deemed to have been furnished with unlimited rights. The Government is not liable for the disclosure, use, or reproduction of such data.

(2) If the unmarked data has not been disclosed without restriction outside the Government, the Contractor may request, within 6 months (or a longer time approved by the Contracting Officer in writing for good cause shown) after delivery of the data, permission to have authorized notices placed on the data at the Contractor’s expense. The Contracting Officer may agree to do so if the Contractor-

(i) Identifies the data to which the omitted notice is to be applied;

(ii) Demonstrates that the omission of the notice was inadvertent;

(iii) Establishes that the proposed notice is authorized; and

(iv) Acknowledges that the Government has no liability for the disclosure, use, or reproduction of any data made prior to the addition of the notice or resulting from the omission of the notice.

(3) If data has been marked with an incorrect notice, the Contracting Officer may-

(i) Permit correction of the notice at the Contractor’s expense if the Contractor identifies the data and demonstrates that the correct notice is authorized; or

(ii) Correct any incorrect notices.

(g) Protection of limited rights data and restricted computer software.

18

(1) The Contractor may withhold from delivery qualifying limited rights data or restricted computer software that are not data identified in paragraphs (b)(1)(i), (ii), and (iii) of this clause. As a condition to this withholding, the Contractor shall-

(i) Identify the data being withheld; and

(ii) Furnish form, fit, and function data instead.

(2) Limited rights data that are formatted as a computer database for delivery to the Government shall be treated as limited rights data and not restricted computer software.

(3) [Reserved]

(h) Subcontracting. The Contractor shall obtain from its subcontractors all data and rights therein necessary to fulfill the Contractor’s obligations to the Government under this contract. If a subcontractor refuses to accept terms affording the Government those rights, the Contractor shall promptly notify the Contracting Officer of the refusal and shall not proceed with the subcontract award without authorization in writing from the Contracting Officer.

(i) Relationship to patents or other rights. Nothing contained in this clause shall imply a license to the Government under any patent or be construed as affecting the scope of any license or other right otherwise granted to the Government.

(End of clause)

19

52.227- 15 Representation of Limited Rights Data and Restricted Computer Software (Dec 2007)

(a) This solicitation sets forth the Government’s known delivery requirements for data (as defined in the clause at 52.227-14, Rights in Data-General). Any resulting contract may also provide the Government the option to order additional data under the Additional Data Requirements clause at 52.227-16, if included in the contract. Any data delivered under the resulting contract will be subject to the Rights in Data-General clause at 52.227-14 included in this contract. Under the latter clause, a Contractor may withhold from delivery data that qualify as limited rights data or restricted computer software, and deliver form, fit, and function data instead. The latter clause also may be used with its Alternates II and/or III to obtain delivery of limited rights data or restricted computer software, marked with limited rights or restricted rights notices, as appropriate. In addition, use of Alternate V with this latter clause provides the Government the right to inspect such data at the Contractor’s facility.

(b) By completing the remainder of this paragraph, the offeror represents that it has reviewed the requirements for the delivery of technical data or computer software and states [offeror check appropriate block]-

¨ None of the data proposed for fulfilling the data delivery requirements qualifies as limited rights data or restricted computer software; or

¨ Data proposed for fulfilling the data delivery requirements qualify as limited rights data or restricted computer software and are identified as follows:

________________

________________

________________

(c) Any identification of limited rights data or restricted computer software in the offeror’s response is not determinative of the status of the data should a contract be awarded to the offeror.

52.227-16 Additional Data Requirements (June 1987)

(a) In addition to the data (as defined in the clause at 52.227-14, Rights in Data-General clause or other equivalent included in this contract) specified elsewhere in this contract to be delivered, the Contracting Officer may, at any time during contract performance or within a period of 3 years after acceptance of all items to be delivered under this contract, order any data first produced or specifically used in the performance of this contract.

(b) The Rights in Data-General clause or other equivalent included in this contract is applicable to all data ordered under this Additional Data Requirements clause. Nothing contained in this clause shall require the Contractor to deliver any data the withholding of which is authorized by the Rights in Data-General or other equivalent clause of this contract, or data which are specifically identified in this contract as not subject to this clause.

(c) When data are to be delivered under this clause, the Contractor will be compensated for converting the data into the prescribed form, for reproduction, and for delivery.

(d) The Contracting Officer may release the Contractor from the requirements of this clause for specifically identified data items at any time during the 3-year period set forth in paragraph (a) of this clause.

20

(End of clause)

52.252-2 Clauses Incorporated by Reference (FEB 1998)

This contract incorporates one or more clauses by reference, with the same force and effect as if they were given in full text. Upon request, the Contracting Officer will make their full text available. Also, the full text of a clause may be accessed electronically at this/these address(es):

www.acquisition.gov

(End of Clause)

HSAR Clauses

3052.209-70 - Prohibition on Contracts with Corporate Expatriates (JUN 2006)

(a) Prohibitions.

Section 835 of the Homeland Security Act, 6 U.S.C. 395, prohibits the Department of Homeland Security from entering into any contract with a foreign incorporated entity which is treated as an inverted domestic corporation as defined in this clause, or with any subsidiary of such an entity. The Secretary shall waive the prohibition with respect to any specific contract if the Secretary determines that the waiver is required in the interest of national security.

(b) Definitions. As used in this clause:

Expanded Affiliated Group means an affiliated group as defined in section 1504(a) of the Internal Revenue Code of 1986 (without regard to section 1504(b) of such Code), except that section 1504 of such Code shall be applied by substituting ‘more than 50 percent’ for ‘at least 80 percent’ each place it appears.

Foreign Incorporated Entity means any entity which is, or but for subsection (b) of section 835 of the Homeland Security Act, 6 U.S.C. 395, would be, treated as a foreign corporation for purposes of the Internal Revenue Code of 1986.

Inverted Domestic Corporation. A foreign incorporated entity shall be treated as an inverted domestic corporation if, pursuant to a plan (or a series of related transactions)—

(1) The entity completes the direct or indirect acquisition of substantially all of the properties held directly or indirectly by a domestic corporation or substantially all of the properties constituting a trade or business of a domestic partnership;

(2) After the acquisition at least 80 percent of the stock (by vote or value) of the entity is held—

(i) In the case of an acquisition with respect to a domestic corporation, by former shareholders of the domestic corporation by reason of holding stock in the domestic corporation; or

(ii) In the case of an acquisition with respect to a domestic partnership, by former partners of the domestic partnership by reason of holding a capital or profits interest in the domestic partnership; and

(3) The expanded affiliated group which after the acquisition includes the entity does not have substantial business activities in the foreign country in which or under the law of which the entity is created or organized when compared to the total business activities of such expanded affiliated group. Person, domestic, and foreign have the meanings given such terms by paragraphs

21

(1), (4), and (5) of section 7701(a) of the Internal Revenue Code of 1986, respectively.

(c) Special rules. The following definitions and special rules shall apply when determining whether a foreign incorporated entity should be treated as an inverted domestic corporation.

(1) Certain stock disregarded. For the purpose of treating a foreign incorporated entity as an inverted domestic corporation these shall not be taken into account in determining ownership:

(i) Stock held by members of the expanded affiliated group which includes the foreign incorporated entity; or

(ii) Stock of such entity which is sold in a public offering related to an acquisition described in section 835(b)(1) of the Homeland Security Act, 6 U.S.C. 395(b)(1).

(2) Plan deemed in certain cases. If a foreign incorporated entity acquires directly or indirectly substantially all of the properties of a domestic corporation or partnership during the 4-year period beginning on the date which is 2 years before the ownership requirements of subsection (b)(2) are met, such actions shall be treated as pursuant to a plan.

(3) Certain transfers disregarded. The transfer of properties or liabilities (including by contribution or distribution) shall be disregarded if such transfers are part of a plan a principal purpose of which is to avoid the purposes of this section.

(d) Special rule for related partnerships. For purposes of applying section 835(b) of the Homeland Security Act, 6 U.S.C. 395(b) to the acquisition of a domestic partnership, except as provided in regulations, all domestic partnerships which are under common control (within the meaning of section 482 of the Internal Revenue Code of 1986) shall be treated as a partnership.

(e) Treatment of Certain Rights.

(1) Certain rights shall be treated as stocks to the extent necessary to reflect the present value of all equitable interests incident to the transaction, as follows:

(i) warrants;

(ii) options;

(iii) contracts to acquire stock;

(iv) convertible debt instruments; and

(v) others similar interests.

22

(2) Rights labeled as stocks shall not be treated as stocks whenever it is deemed appropriate to do so to reflect the present value of the transaction or to disregard transactions whose recognition would defeat the purpose of Section 835.

(f) Disclosure. The offeror under this solicitation represents that [Check one]:

¨ it is not a foreign incorporated entity that should be treated as an inverted domestic corporation pursuant to the criteria of (HSAR) 48 CFR 3009.108-7001 through 3009.108-7003;

¨ it is a foreign incorporated entity that should be treated as an inverted domestic corporation pursuant to the criteria of (HSAR) 48 CFR 3009.108-7001 through 3009.108-7003, but it has submitted a request for waiver pursuant to 3009.108-7004, which has not been denied; or

¨ it is a foreign incorporated entity that should be treated as an inverted domestic corporation pursuant to the criteria of (HSAR) 48 CFR 3009.108-7001 through 3009.108-7003, but it plans to submit a request for waiver pursuant to 3009.108-7004.

(g) A copy of the approved waiver, if a waiver has already been granted, or the waiver request, if a waiver has been applied for, shall be attached to the bid or proposal.

(End of clause)

23

3052.212-70 - Contract Terms & Conditions for DHS Acquisition of Commercial Items (SEP 2012)

The Contractor agrees to comply with any provision or clause that is incorporated herein by reference to implement agency policy applicable to acquisition of commercial items or components. The provision or clause in effect based on the applicable regulation cited on the date the solicitation is issued applies unless otherwise stated herein. The following provisions and clauses are incorporated by reference:

[The Contracting Officer should either check the provisions and clauses that apply or delete the provisions and clauses that do not apply from the list. The Contracting Officer may add the date of the provision or clause if desired for clarity.]

(a) Provisions.

 ¨ 3052.209-72 Organizational Conflicts of Interest.

 ¨ 3052.216-70 Evaluation of Offers Subject to An Economic Price Adjustment Clause.

 ¨ 3052.219-72 Evaluation of Prime Contractor Participation in the DHS Mentor Protégé Program.

(b) Clauses.

¨ 3052.203-70 Instructions for Contractor Disclosure of Violations.

¨ 3052.204-70 Security Requirements for Unclassified Information Technology Resources.

x 3052.204-71 Contractor Employee Access.

¨ Alternate I

¨ 3052.205-70 Advertisement, Publicizing Awards, and Releases.

¨ 3052.209-73 Limitation on Future Contracting.

¨ 3052.215-70 Key Personnel or Facilities.

¨ 3052.216-71 Determination of Award Fee.

¨ 3052.216-72 Performance Evaluation Plan.

¨ 3052.216-73 Distribution of Award Fee.

¨ 3052.217-91 Performance. (USCG)

¨ 3052.217-92 Inspection and Manner of Doing Work. (USCG)

¨ 3052.217-93 Subcontracts. (USCG)

¨ 3052.217-94 Lay Days. (USCG)

¨ 3052.217-95 Liability and Insurance. (USCG)

¨ 3052.217-96 Title. (USCG)

24

 ¨ 3052.217-97 Discharge of Liens. (USCG)

¨ 3052.217-98 Delays. (USCG)

¨ 3052.217-99 Department of Labor Safety and Health Regulations for Ship Repair. (USCG)

¨ 3052.217-100 Guarantee. (USCG)

¨ 3052.219-70 Small Business Subcontracting Plan Reporting.

¨ 3052.219-71 DHS Mentor Protégé Program.

¨ 3052.228-70 Insurance.

¨ 3052.228-90 Notification of Miller Act Payment Bond Protection. (USCG)

¨ 3052.228-91 Loss of or Damage to Leased Aircraft. (USCG)

¨ 3052.228-92 Fair Market Value of Aircraft. (USCG)

¨ 3052.228-93 Risk and Indemnities. (USCG)

¨ 3052.236-70 Special Provisions for Work at Operating Airports.

¨ 3052.242-72 Contracting Officer’s Technical Representative.

¨ 3052.247-70 F.o.B. Origin Information.

¨ Alternate I

¨ Alternate II

¨ 3052.247-71 F.o.B. Origin Only.

¨ 3052.247-72 F.o.B. Destination Only.

(End of clause)

25

3052.204-70 Security requirements for unclassified information technology resources. (Jun 2006)

(a) The Contractor shall be responsible for Information Technology (IT) security for all systems connected to a DHS network or operated by the Contractor for DHS, regardless of location. This clause applies to all or any part of the contract that includes information technology resources or services for which the Contractor must have physical or electronic access to sensitive information contained in DHS unclassified systems that directly support the agency’s mission.

(b) The Contractor shall provide, implement, and maintain an IT Security Plan. This plan shall describe the processes and procedures that will be followed to ensure appropriate security of IT resources that are developed, processed, or used under this contract.

(1) Within     [“insert number of days”] days after contract award, the contractor shall submit for approval its IT Security Plan, which shall be consistent with and further detail the approach contained in the offeror’s proposal. The plan, as approved by the Contracting Officer, shall be incorporated into the contract as a compliance document.

(2) The Contractor’s IT Security Plan shall comply with Federal laws that include, but are not limited to, the Computer Security Act of 1987 (40 U.S.C. 1441 et seq.); the Government Information Security Reform Act of 2000; and the Federal Information Security Management Act of 2002; and with Federal policies and procedures that include, but are not limited to, OMB Circular A-130.

(3) The securitplan shall specifically include instructions regarding handling and protecting sensitive information at the Contractor’s site (including any information stored, processed, or transmitted using the Contractor’s computer systems), and the secure management, operation, maintenance, programming, and system administration of computer systems, networks, and telecommunications systems.

(c) Examples of tasks that require security provisions include -

(1) Acquisition, transmission or analysis of data owned by DHS with significant replacement cost should the contractor’s copy be corrupted; and

(2) Access to DHS networks or computers at a level beyond that granted the general public (e.g., such as bypassing a firewall).

(d) At the expiration of the contract, the contractor shall return all sensitive DHS information and IT resources provided to the contractor during the contract, and certify that all non-public DHS information has been purged from any contractor-owned system. Components shall conduct reviews to ensure that the security requirements in the contract are implemented and enforced.

(e) Within 6 months after contract award, the contractor shall submit written proof of IT Security accreditation to DHS for approval by the DHS Contracting Officer. Accreditation will proceed according to the criteria of the DHS Sensitive System Policy Publication, 4300A (Version 2.1, July 26, 2004) or any replacement publication, which the Contracting Officer will provide upon request. This accreditation will include a final security plan, risk assessment, security test and evaluation, and disaster recovery plan/continuity of operations plan. This accreditation, when accepted by the Contracting Officer, shall be incorporated into the contract as a compliance document. The contractor shall comply with the approved accreditation documentation.

(End of clause)

26

3052.204-71 - Contractor Employee Access - Alt II (SEP 2012)

(a) Sensitive Information, as used in this clause, means any information, which if lost, misused, disclosed, or, without authorization is accessed, or modified, could adversely affect the national or homeland security interest, the conduct of Federal programs, or the privacy to which individuals are entitled under section 552a of title 5, United States Code (the Privacy Act), but which has not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept secret in the interest of national defense, homeland security or foreign policy. This definition includes the following categories of information:

(1) Protected Critical Infrastructure Information (PCII) as set out in the Critical Infrastructure Information Act of 2002 (Title II, Subtitle B, of the Homeland Security Act, Public Law 107-296, 196 Stat. 2135), as amended, the implementing regulations thereto (Title 6, Code of Federal Regulations, Part 29) as amended, the applicable PCII Procedures Manual, as amended, and any supplementary guidance officially communicated by an authorized official of the Department of Homeland Security (including the PCII Program Manager or his/her designee);

(2) Sensitive Security Information (SSI), as defined in Title 49, Code of Federal Regulations, Part 1520, as amended, “Policies and Procedures of Safeguarding and Control of SSI,” as amended, and any supplementary guidance officially communicated by an authorized official of the Department of Homeland Security (including the Assistant Secretary for the Transportation Security Administration or his/her designee);

(3) Information designated as “For Official Use Only,” which is unclassified information of a sensitive nature and the unauthorized disclosure of which could adversely impact a person’s privacy or welfare, the conduct of Federal programs, or other programs or operations essential to the national or homeland security interest; and

(4) Any information that is designated “sensitive” or subject to other controls, safeguards or protections in accordance with subsequently adopted homeland security information handling procedures.

(b) “Information Technology Resources” include, but are not limited to, computer equipment, networking equipment, telecommunications equipment, cabling, network drives, computer drives, network software, computer software, software programs, intranet sites, and internet sites.

(c) Contractor employees working on this contract must complete such forms as may be necessary for security or other reasons, including the conduct of background investigations to determine suitability. Completed forms shall be submitted as directed by the Contracting Officer. Upon the Contracting Officer’s request, the Contractor’s employees shall be fingerprinted, or subject to other investigations as required. All Contractor employees requiring recurring access to Government facilities or access to sensitive information or IT resources are required to have a favorably adjudicated background investigation prior to commencing work on this contract unless this requirement is waived under Departmental procedures.

(d) The Contracting Officer may require the Contractor to prohibit individuals from working on the contract if the Government deems their initial or continued employment contrary to the public interest for any reason, including, but not limited to, carelessness, insubordination, incompetence, or security concerns.

(e) Work under this contract may involve access to sensitive information. Therefore, the Contractor shall not disclose, orally or in writing, any sensitive information to any person unless authorized in writing by the Contracting Officer. For those Contractor employees authorized access to sensitive information, the Contractor shall ensure that these persons receive training concerning the protection and disclosure of sensitive information both during and after contract performance.

(f) The Contractor shall include the substance of this clause in all subcontracts at any tier where the subcontractor may have access to Government facilities, sensitive information, or resources.

(End of clause)

27

3052.222- 70 Strikes or Picketing Affecting Timely Completion of the Contract Work (DEC 2003)

Notwithstanding any other provision hereof, the Contractor is responsible for delays arising out of labor disputes, including but not limited to strikes, if such strikes are reasonably avoidable. A delay caused by a strike or by picketing which constitutes an unfair labor practice is not excusable unless the Contractor takes all reasonable and appropriate action to end such a strike or picketing, such as the filing of a charge with the National Labor Relations Board, the use of other available Government procedures, and the use of private boards or organizations for the settlement of disputes.

(End of clause)

3052.222- 71 Strikes or Picketing Affecting Access to a DHS Facility (DEC 2003)

If the Contracting Officer notifies the Contractor in writing that a strike or picketing: (a) is directed at the Contractor or subcontractor or any employee of either; and (b) impedes or threatens to impede access by any person to a DHS facility where the site of the work is located, the Contractor shall take all appropriate action to end such strike or picketing, including, if necessary, the filing of a charge of unfair labor practice with the National Labor Relations Board or the use of other available judicial or administrative remedies.

(End of clause)

28