
 

 

Exhibit 10.25

 

Certain identified information has been excluded from this exhibit because it is both not material and is the type of information that the registrant treats as private or confidential.

 

 

 


 

 

 

24361819Q0007

 

United States
Office of Personnel Management

 


 

Office of Procurement Operations

 

CREDIT MONITORING AND IDENTITY PROTECTION SERVICES

 

RFQ Number: 24361819Q0007

 

REVISED December 3, 2018

 

U.S. Office of Personnel Management
Office of Procurement Operations (OPO)
600 Arch St. Suite 3400
Philadelphia, Pa 19106

 

 

 


 

TABLE OF CONTENTS

1.0 INSTRUCTIONS, CONDITIONS, AND NOTICES TO QUOTERS
  1.1 Introduction
  1.2 Method of Acquisition
  1.3 Contract Type
  1.4 Acquisition Milestones
  1.5 Acceptance Period
  1.6 Period of Performance
  1.7 Commitment of Public Funds
  1.8 Communications Prior to Award
  1.9 Preparation Costs
  1.10 BPA Call Agreement Terms and Conditions
  1.11 Retainage

2.0 QUOTATION INSTRUCTIONS TO QUOTERS
  2.1 Quotation Submission Deadline
  2.2 Quotation Format and Content
  2.3 General Information
  2.4 Additional Instructions to Quoters
  2.5 Technical Quotation
  2.6 Pricing Quotation

3.0 EVALUATION CRITERIA
  3.1 Basis of Award
  3.2 Evaluation Factors

4.0 ATTACHMENTS
  Attachment 1 Performance Work Statement
  Attachment 2 FAR Clauses
  Attachment 3 OPM Specific Clauses
  Attachment 4 Quality Assurance Surveillance Plan
  Attachment 5 Pricing Schedule Worksheet
  Attachment 6 Past Project Form

 


 

Section 1.0 INSTRUCTIONS, CONDITIONS, AND NOTICES TO QUOTERS

 

1.1 INTRODUCTION

 

The U.S. Office of Personnel Management (OPM), through the Credit Monitoring and Identity Protection Services (CM IPS) Program, is responsible for providing credit monitoring and identity protection services to approximately 22.1 million current, former, and prospective Federal employees, contractors, and others in response to the 2015 personnel records and background investigation records cybersecurity incidents.

 

These services are required in order to comply with the Congressionally-mandated coverage extension provision of Consolidated Appropriations Act of 2017, Public Law 115-31, whereby OPM is mandated to continue to facilitate the provision of identity theft coverage to individuals impacted by the 2015 cybersecurity incidents for a period of not less than 10 years and includes not less than $5 million in identity theft insurance. The mandated coverage extension will cover individuals through Fiscal Year 2026.

 

1.2 METHOD OF ACQUISITION

 

The acquisition is being competed as authorized by FAR 8.405-3(c)(2). The solicitation will be issued against the General Services Administration (GSA) Federal Supply Schedule (FSS) Identity Monitoring Data Breach Response and Protection Services (IPS) Multiple Award Blanket Purchase Agreement (BPA) under Tier 1. The North American Industrial Classification (NAICS) that applies to the acquisition is NAICS Code 561450 - Administrative and Support Services for Credit Bureaus.

 

OPM will award a BPA Call resulting from this solicitation to the responsible Quoter whose quotation provides the best value to the Government while meeting all requirements through the evaluation of price and non-price factors considered as described in Section 2.0 (QUOTATION INSTRUCTIONS TO QUOTERS) and Section 3.0 (EVALUATION CRITERIA). The Government will use a tradeoff analysis between price and non-price factors to determine best value.

 

1.3 CONTRACT TYPE

 

OPM anticipates awarding a single firm fixed price BPA Call against the successful vendor’s BPA for Identity Monitoring Data Breach Response and Protection Services.

 

Below is the breakdown of BPA Call CLINs:

 

TRANSITION-IN
CLIN | TYPE
Six Month Transition-In Operations | FFP
Address Validation (Not to Exceed 3 million addresses) | T&M

BASE AND OPTION PERIODS
CLIN | TYPE
Twelve Months of Services for Base Period | FFP
Twelve Months of Services for Option Period I | FFP
Twelve Months of Services for Option Period II | FFP
Twelve Months of Services for Option Period III | FFP
Six Months of Services for Option Period VI | FFP

TRANSITION-OUT
Six Month Transition-Out Operations (Optional CLIN) | FFP

FAR 52.217-8: OPTION TO EXTEND PERIOD
Six Months of Option to Extend Period | FFP

 


 

1.4 ACQUISITION MILESTONES

 

The milestones (schedule) provided below are estimates and may be subject to change.

 

   
Milestone | Projected Date
Request for Quotation issued | November 8, 2018
Questions due to OPM | November 19, 2018
Anticipated Response Date for Questions | November 21, 2018
Revised RFQ Due Date (on or before) | December 4, 2018 at 2:00 PM EST
Anticipated Award Date | December 21, 2018
Anticipated Start of Performance Period | January 1, 2019

 

1.5 ACCEPTANCE PERIOD

 

Unless otherwise specified, the Contractor’s quote must be valid for at least (90) days from the solicitation due date.

 

1.6 PERIOD OF PERFORMANCE

 

The total Period of Performance (POP) for this acquisition is (5) years as outlined below. In addition, FAR 52.217-8 will be included, which shall allow for an additional period of up to (6) months of service.

 

   
Period | Period of Performance
Transition-In Period | January 1, 2019 to June 30, 2019
Base Period | July 1, 2019 to June 30, 2020
Option Period I | July 1, 2020 to June 30, 2021
Option Period II | July 1, 2021 to June 30, 2022
Option Period III | July 1, 2022 to June 30, 2023
Option Period IV | July 1, 2023 to December 31, 2023
Transition-Out Activities | Six Month Period
FAR 52.217-8: Option to Extend Period | January 1, 2024 to June 30, 2024

 


 

1.7 COMMITMENT OF PUBLIC FUNDS

 

The Contracting Officer is the only individual who can legally commit the Government to the expenditure of public funds in connection with the proposed acquisition. Any other commitment, either explicit or implied, is invalid.

 

1.8 COMMUNICATION PRIOR TO AWARD

 

All communications shall be directed, in writing (via email) to the attention of the Contracting Officer, Breean Jaroski, at Breean.Jaroski@opm.gov.

 

All questions must be submitted to the individual identified above via email no later than 5:00pm Eastern Time (ET) on November 19, 2018.

 

Communications with other officials may compromise the competitiveness of this acquisition and result in cancellation of the requirement.

 

1.9 PREPARATION COSTS

 

This RFQ does not commit the Government to pay for the preparation and submission of a quote.

 

1.10 BPA CALL AGREEMENT AND TERMS AND CONDITIONS

 

The BPA Call awarded as a result of this solicitation shall be subject to the terms and conditions of the Quoter’s BPA, this RFQ, and the attached FAR Clauses (Attachment 2) and OPM Specific Clauses (Attachment 3), which all will be incorporated into and made a part of any resulting award.

 

1.11 RETAINAGE

 

The Government will hold a Retainage until all restoration and insurance claims/cases have been officially closed. The Retainage will be 14% of the last month’s invoice.

 


 

Section 2.0 QUOTATION INSTRUCTIONS TO QUOTERS

 

2.1 Quotation Submission Deadline

 

Quotations must be submitted via email directly to the Contracting Officer listed below.

Revised Quotations are due no later than 2:00pm (Eastern) on December 4, 2018.

 

   
Name: Breean Jaroski
Title: Contracting Officer
Email: breean.jaroski@opm.gov

 

2.2 Quotation Format and Content

 

Quotations must be submitted in two separate volumes, Pricing and Technical. Each of the parts shall be separate and complete, so that evaluation of one may be accomplished independently from the other.

 

Format: Single spaced using 12 inch Times New Roman font within an 8.5 by 11 inches page size. A 10 inch font will be accepted for graphics ONLY (i.e. charts, graphs, tables, etc.). No hard copy or facsimile submissions will be accepted. Extraneous materials (brochures, etc.) will not be considered.

 

Volume I: Pricing

- Pricing Spreadsheet (provided by Government)

 

Volume II: Technical (37 page maximum per below breakdown)

- Cover Sheet/Executive Summary: maximum of (1) page
- Table of Contents: maximum of (1) page
- Technical Approach: maximum of (25) pages
- Past Performance: Past Project Forms have a maximum of (10) pages total for all projects

 

2.3 General Information

 

(1) The Quoter quotation (Cover Sheet) must show--

 

(i) The solicitation number;

 

(ii) Quoter’s (DUNS) number;

 

(iii) The name, address, telephone and e-mail address of the Quoter;

 

(iv) Socio-Economic status (e.g., Service Disabled Veteran Owned Small Business, 8(a) Business, Woman-Owned Small Business, HUBZone Business, Small Disadvantaged Business, or Small Business).

 


 

(v) A statement specifying the extent of agreement with all terms, conditions, and provisions included in the solicitation and agreement to furnish any or all items upon which prices are offered at the price set opposite each item;

 

(vi) Names, titles, telephone number and e-mail address of person(s) authorized to negotiate on the Quoter’s behalf with the Government in connection with this solicitation; and

 

(vii) Name, title, and signature of person authorized to sign the quote.

 

(viii) Verification of compliance with FAR 52.222-35, 52.222-37, or 52.222-38. Verification shall be in the form of information from Veterans Employment & Training Services (VETS) 4212 Service Desk.

 

(ix) In accordance with FAR Clause 52.212-3, contractor must show completion of reps and certs.

 

2.4 Additional Instructions to Quoters

 

(1) Unless otherwise permitted in the solicitation, quotations submitted must be on an all-or-none basis, e.g., quotations that propose to provide any item or combination of items shall be determined to be nonresponsive.

 

(2) Quotations submitted in response to this solicitation shall be in English and in U.S. dollars.

 

(3) Quoters may submit modifications to their quotations at any time before the solicitation closing date and time, and may submit modifications in response to an amendment, or to correct a mistake at any time before award.

 

(4) Quoters may submit revised quotations after award only if requested or allowed by the Contracting Officer.

 

(5) Quotations may be withdrawn at any time before award. Withdrawals are effective upon receipt of notice by the Contracting Officer.

 

(6) The Contracting Officer is the only individual who can legally commit the Government to the expenditure of public funds in connection with the proposed acquisition. Any other commitment, either explicit or implied, is invalid.

 

(7) The Government may determine that a quote is unacceptable if the prices proposed are materially unbalanced between line items. Unbalanced pricing exists when, despite an acceptable total evaluated price, the price of one or more line items is significantly overstated or understated as indicated by the application of cost or price analysis techniques. A quote may be rejected if the Contracting Officer determines that the lack of balance poses an unacceptable risk to the Government.

 


 

(8) Restriction on disclosure and use of data. Quoters that include in their quotes data that they do not want disclosed to the public for any purpose, or used by the Government except for evaluation purposes, shall:

 

(x) Mark the title page with the following legend: This quote includes data that shall not be disclosed outside the Government and shall not be duplicated, used or disclosed--in whole or in part--for any purpose other than to evaluate this quote. If, however, a purchase order is awarded to this Quoter as a result of--or in connection with-- the submission of this data, the Government shall have the right to duplicate, use, or disclose the data to the extent provided in the resulting purchase order. This restriction does not limit the Government’s right to use information contained in this data if it is obtained from another source without restriction. The data subject to this restriction are contained in sheets [insert numbers or other identification of sheets]; and

 

(xi) Mark each sheet of data it wishes to restrict with the following legend: Use or disclosure of data contained on this sheet is subject to the restriction on the title page of this quote.

 

2.5 Technical Quotation

 

The technical portion of the quotation shall be limited to (37) pages, not counting Contractor Teaming Arrangement (CTA) Agreements. Do not include cost/pricing information in your technical Volume.

 

The technical volume should be written so that management and technically oriented personnel can make a thorough evaluation and arrive at a sound determination as to whether the quotation meets the requirements of this solicitation. To this end, the technical quotation shall be so specific, detailed and complete as to clearly and fully demonstrate the Quoter’s capability to perform the technical requirements of this solicitation.

 

Statements such as “the Quoter understands,” “will comply with the Performance Work Statement,” “standard procedures will be employed,” “well known techniques will be used” and general paraphrasing of the PWS are considered inadequate.

 

Where contractor teaming arrangements are proposed, the Contractor must provide a copy of the CTA Agreement(s) as part of the Quote. The CTA Agreement must contain all of the elements GSA has identified as being typically of interest to the Government and as specifically represented within the GSA CTA Agreement template offered at https://www.gsa.gov/portal/content/202253 and clearly detail the distribution of effort (by type and percentage) between the parties in performance of the Government’s requirement. A copy of the CTA Agreement should be submitted with the technical volume. CTAs which are not in affirmative agreement with the above items are not in conformance with this solicitation and shall not be considered for award.

 


 

The technical volume of the quotation should include, at a minimum:

 

Factor 1: Technical Approach

 

The Technical Approach should include a description of the contractor’s knowledge and understanding of the requirements as outlined in the PWS which includes the methodologies, processes, and techniques used to successfully complete the PWS requirements. This factor considers the extent to which the contractor understands the requirements of the PWS, and the contractor’s technical approach to meeting those requirements.

 

A. Technical Approach to BPA Call Tasks -- The Government will assess the Quoter’s detailed technical approach to the tasks listed in the PWS. The evaluation will be based on expected ability to successfully execute all tasks in accordance with performance and quality standards, and ability to introduce innovations and process improvements. You should present your approach in sufficient detail to demonstrate your understanding of the requirements of the work to be performed. You may describe any methodologies that you believe would assist in successfully performing the work requirements. More specifically, the technical solution will be evaluated based on the degree to which, overall, the Quoter demonstrates an understanding and ability to meet the scope and work described in the PWS. This factor includes the quality of the understanding of the PWS as well as the suitability of the approach to meeting OPM’s objectives to include typical deliverable and methodology for performance of the work.

 

B. In support of the evaluation of the Technical Approach, each contractor must include, but is not limited to, the following:

 

Description/Narrative of the contractor’s knowledge and understanding of the requirements as outlined in the PWS.

The methodologies and techniques used to fulfill the PWS requirements including the management of the task.

Identification of specific skill categories with a description of specific duties each will perform. The contractor shall include a “crosswalk” between the labor categories identified in this PWS and their proposed labor categories based on their IPS BPA.

 

Factor 2: Past Performance

 

An evaluation of Past Performance allows the Government to evaluate the Quoter’s demonstrated record of performance on projects similar in scope, magnitude, and complexity in order to assess the degree of confidence the Government has in the Quoter’s ability to provide the services described in the solicitation.

 

The contractor shall demonstrate relevant past performance or affirmatively state that it possesses no relevant past performance. The Contractor shall submit a maximum of three (3) projects for evaluation. The Government’s evaluation will focus on recent and relevant experience in a performance-based environment of similar scope, magnitude, and complexity to this requirement. For a cited contract to be considered recent, the Quoter must have been actively working on it within the past (5) years. Your response should address your company’s expertise and accomplishments in areas directly relevant to the requested services described in the PWS.

 


 

The Government will determine the relevance of a past performance project/contract by analyzing the following and comparing it to the RFQ:

 

“Scope” by considering the type of service provided (i.e. is the project/contract similar to the major requirement areas of the PWS).

 

“Magnitude” by considering various measures such as, but not limited to, any or all of the following: number of hours per year, total dollar value, number of personnel in similar skill sets, and/or number of users supported.

 

“Complexity” by considering various measures such as, but not limited to, any or all of the following: type of personnel qualifications and certification requirements in performance of the effort; typical responsibilities required of the personnel; type of services required, etc.

 

The Quoter must use the Past Project Form (Attachment 6) provided in RFQ to submit contract information under this Factor for each project submitted.

 

While the Government seeks here to evaluate the past performance by the prime contractor it may also consider the past performance by subcontractors/teaming partners. In addition, the Government may consider the prime contractor’s past performance as a subcontractor. However, past performance as a prime contractor will be considered more relevant. The Government may consider the past performance information that it possesses of the offeror, or its subcontractors/teaming partners, on any contracts performed within the past (5) years. Greater weight shall be afforded to past performance by the prime contractor.

 

Where contractor teaming arrangements are proposed, an additional maximum of (3) projects for partner(s)/subcontractor(s) may be submitted. An evaluation of relevance will be done for no more than three (3) projects submitted by the Contractor for itself and for no more than three (3) projects submitted for a partner or each subcontractor. The Contractor is therefore cautioned to submit only its three (3) most relevant efforts and is cautioned to submit only the three (3) most relevant efforts of its partner or subcontractors. If the Contractor or its partner or subcontractors submit more than three (3) projects each for consideration, only three (3) per entity will be reviewed. The three (3) reviewed for each entity will be the first three (3) as displayed within the quotation from front to back.

 

The Government reserves the right to obtain information for use in the evaluation of past performance from any sources including, but not limited to the Contractor Performance Assessment Reporting system (CPARS), Past Performance Information Retrieval System (PPIRS), Federal Awardee Performance and Integrity Information System (FAPIIS), and Electronic Subcontract Reporting System (eSRS), or other databases/sources outside the Government, regardless of whether such information has been provided by the Quoter. References will be verified at OPM’s discretion.

 


 

Information provided in response to this factor will assist the Government in determining the degree of risk associated with award of this project to the Contractor in question based upon that Contractor’s past and present performance on other relevant projects.

 

2.6 Pricing Quotation

 

Quoters must use the Government provided Pricing Schedule Excel Worksheet (Attachment 5) found within the solicitation to submit all costs. A price must be provided for all line items listed on the Government’s Pricing Spreadsheet. If the vendor has no charge for a certain line item they must acknowledge that there is no cost associated with that task. In addition, they must explain why there is no additional cost and confirm that the task will still be completed. Quoters may submit additional supporting pricing data if desired, but evaluation will be based off of the Government provided pricing sheet.

 

Quoters shall submit a detailed breakdown of pricing by unit cost; in addition provide a total summary price for each potential performance period (i.e. the sum of all line items within that performance period). Quoters submitting partial pricing information shall be ineligible for award. The unit cost prevails if a discrepancy exists between the unit cost and the extended price.

 

All quoted services, equipment, labor categories and respective pricing must be included within the contractor’s current GSA Identity Protection Services (IPS) BPA. In the event the contractor’s proposed services, equipment, labor categories and respective pricing do not match the categories provided in the pricing schedule, the contractor shall provide a crosswalk which maps the categories to the corresponding vendor quoted categories from the contractor’s GSA IPS BPA. The contractor’s proposed rates and associated pricing shall be inclusive of all the contractor’s direct costs, indirect costs and profit and shall include all costs associated with providing the services described in the PWS and the contractor’s technical quotation.

 

Prices (for the base and additional ordering periods) will be evaluated to ensure that they are fair and reasonable for performance of the requirements established in the RFQ and as quoted in the technical submission. The contractor is cautioned that its quotation may be rejected if it is found to be materially unbalanced in the base period or any additional ordering periods. Unbalanced pricing exists when, despite an acceptable total evaluated price, the price of one or more line items is significantly overstated or understated.

 

It is fully expected that additional discounts off of the Quoter’s IPS BPA Price List will be provided to the Government in response to this RFQ. When offering discounts, quotes must clearly and succinctly identify both the schedule price and the discount price for each discounted labor rate.

 


 

Section 3.0 EVALUATION CRITERIA

 

3.1 Basis of Award:

 

This acquisition is being conducted in accordance with FAR 8.405-3. OPM will evaluate the quotations to determine the best value to the government.

 

The Government will make award to the responsible Quoter whose quotation conforms to the requirements of the solicitation and is evaluated as being the most advantageous to the Government, price and non-price factors considered. OPM will make that determination based on the contractor’s quote using the following evaluation criteria. The non-price factors of Technical Approach and Past Performance are listed below in their descending order of importance. For this solicitation, non-price factors, when combined, are more important than price. Award will not be automatically determined by numerical calculation or formula relationship between price and technical merit. The Government will utilize a tradeoff analysis process. This process allows for a tradeoff between non-price factors and price, and allows the Government to accept other than the lowest priced Quote or other than the highest technically rated Quote to achieve a best value BPA Call award.

 

3.2 Evaluation Factors

 

The Government will use the following factors to evaluate each Quoter’s quotation. The factors are presented in descending order of importance. All non-price factors, when combined, are more important than price.

 

FACTOR 1 – TECHNICAL APPROACH

 

FACTOR 2 – PAST PERFORMANCE

 

FACTOR 3 – PRICE

 

Technical Factors 1 through 2 are considered non-price factors and will be evaluated separately from Factor 3; the results of Factor 3 (Price) will be applied during the best value determination.

 

3.2.1 Technical Approach (Evaluation Factor 1)

 

The Government will evaluate each Quoter’s Technical Approach to determine their level of understanding of the technical requirements and challenges and a solid plan for successfully executing all of the tasks in the PWS.

 

3.2.2 Past Performance (Evaluation Factor 2)

 

The Government’s evaluation will focus on recent and relevant experience of similar scope, magnitude and complexity to this requirement. Past performance will be evaluated to determine the Quoter’s performance risk for this solicitation and will be evaluated on how well the Quoter performed on the contracts/work identified in the Quoter’s quotation in order to assess the degree of confidence the Government has in the Quoter’s ability to provide the services described in the solicitation.

 


 

3.2.3 Price (Evaluation Factor 3)

 

The evaluation of the quotation’s price will be measured on an aggregate basis, by adding the total evaluated price for the total period of performance including options for all line items. Price will not be given a specific rating, but will be evaluated and provided to the Contracting Officer as part of the best value determination. All proposed labor rates and costs must be at or below the Quoter’s IPS BPA Pricing.

 

OPM will be seeking additional discounts from the Quoter’s IPS BPA Price List. Price will be evaluated separate from all non-price elements of the quotation. A rating will not be assigned to the evaluation of price.

 

The Government shall evaluate quotations and may award based on initial quotes. Therefore, the Quoter’s initial quotation should contain the Quoter’s best terms/price.

 


 

Section 4.0 ATTACHMENTS

 

Attachment 1 – Performance Work Statement (PWS)
Attachment 2 – FAR Clauses
Attachment 3 – OPM Specific Clauses
Attachment 4 – Quality Assurance Surveillance Plan (QASP)
Attachment 5 – Pricing Schedule Worksheet
Attachment 6 – Past Project Form

 


 

Attachment 1 – Performance Work Statement (PWS)

 

PERFORMANCE WORK STATEMENT
U.S. OFFICE OF PERSONNEL MANAGEMENT (OPM)
CREDIT MONITORING AND IDENTITY PROTECTION SERVICES

 

1.0 INTRODUCTION

 

The U.S. Office of Personnel Management (OPM) is soliciting quotations for Credit Monitoring and Identity Protection Services, including: 1) Transition-In Services; 2) Project Management Services; 3) Notification Support Services; 4) Website Services; 5) Call Center Services; 6) Identity Support Services; 7) Identity Theft Insurance; 8) Identity Restoration Services; 9) Offline Mailed Alternative Services; and 10) Optional Transition-Out Services.

 

2.0 BACKGROUND

 

In 2015, OPM discovered two separate but related cybersecurity incidents that impacted the data of approximately 22.1 million current, former, and prospective Federal employees, contractors, and others. First, OPM discovered malicious cyber activity on its network that affected the personnel data of approximately 4.2 million current and former Federal government employees. Second, OPM discovered malicious cyber activity on its network that affected the background investigation records of approximately 21.5 million individuals, primarily current, former, and prospective Federal employees and contractors. All but approximately 600,000 individuals who were impacted by the personnel records incident were also impacted by the background investigation records incident. This means that approximately 3.6 million individuals who were impacted by the personnel records incident were also impacted by the background investigation records incident.

 

OPM offered credit monitoring and identity protection services to individuals impacted by both incidents. Currently OPM uses two award vehicles to provide credit monitoring and identity protection services; one award for those impacted by the background investigation incident (approximately 21.5 million individuals) and one award for those only impacted by the personnel records incident (approximately 600,000 individuals). Dependent minor children under the age of 18 years as of July 1, 2015 were eligible for service under both awards. The exact number of dependent minor children who may be eligible for services cannot be determined.

 

Services for the approximately 22.1 million individuals who were impacted by the 2015 cybersecurity incidents are set to expire on December 31, 2018. The services included notification; credit report access; credit monitoring; identity theft insurance and recovery; offline mailed alternative monitoring; and project management. In order to comply with the Congressionally-mandated coverage extension provision of Consolidated Appropriations Act of 2017, Public Law 115-31, OPM is mandated to continue to facilitate the provision of identity theft coverage to individuals impacted by the 2015 cybersecurity incidents for a period of not less than 10 years and includes not less than $5 million in identity theft insurance. The mandated coverage extension will cover individuals through Fiscal Year 2026.

 


 

3.0 PERIOD OF PERFORMANCE

The full period of performance is from January 1, 2019 to December 31, 2023.

 

Period | Period of Performance
Transition-In Period | January 1, 2019 to June 30, 2019
Base Period | July 1, 2019 to June 30, 2020
Option Period I | July 1, 2020 to June 30, 2021
Option Period II | July 1, 2021 to June 30, 2022
Option Period III | July 1, 2022 to June 30, 2023
Option Period IV and Transition Out Period | July 1, 2023 to December 31, 2023

 

4.0 DEFINITIONS

Approval and / or Direction by the Contracting Officer and the Government are used interchangeably in this document. Unless stated otherwise, approval by the Government should be interpreted as the Contracting Officer providing approval of deliverables and communicating decisions and / or preferences of the Government.
Credit Monitoring is defined as the process of monitoring credit history in order to detect any suspicious activity or changes.
Dependent Minor Children are defined as children of impacted individuals who are under the age of 18 as of July 1, 2015. When dependent minor children turn 18 years of age, they shall be eligible to establish their own accounts with the service provider. The exact number of dependent minor children who may be eligible for services cannot be determined.
Enrolled Individuals are defined as impacted individuals who have accepted some or all of the services (credit monitoring, credit reports, and identity monitoring) provided under this BPA Call. Note: Access to identity theft insurance and identity restoration services is to be provided to the impacted individuals regardless of their enrollment in credit monitoring or identity monitoring.
Identity Protection is defined as establishing appropriate administrative, technical, and physical safeguards to protect the security and confidentiality of records against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience or unfairness to any individual on whom information is maintained.
Impacted Individuals are defined as individuals whose sensitive information, including Social Security numbers, was compromised in the 2015 cybersecurity incidents involving personnel records and background investigation records. As dependent minor children are also eligible to receive services, references to impacted individuals shall also include minor children even if it is not explicitly stated.

 


 

Cybersecurity Incident / Cyber Incident are used interchangeably in this document. The term is defined as an occurrence that (1) actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of Information or an Information System; or (2) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.
Personally Identifiable Information (PII) as defined in the Office of Management and Budget (OMB) Circular No. A-130 and Memorandum M-17-12 as well as in any successor(s), means information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual. As noted in Appendix II of OMB Circular No. A-130, there are many different types of information that can be used to distinguish or trace an individual’s identity, and, therefore, the term PII is necessarily broad. In determining whether information is PII, an assessment of the specific risk that an individual can be identified using the information with other information that is linked or linkable to the individual must be undertaken. In performing this assessment, it is important to recognize that information that is not PII can become PII whenever additional information becomes available – in any medium and from any source – that would make it possible to identify an individual.
Protected Contractor Information System is defined as an information system that is owned or operated by or for a Contractor and that processes, stores, or transmits protected information.
Protected Information is defined as information provided to the contractor by or on behalf of the Government or provided by impacted individuals in connection with the performance of the BPA Call; or collected, received, transmitted, developed, used or stored by or on behalf of the Contractor in support of the performance of the BPA Call.

 

5.0 PERFORMANCE REQUIREMENTS


5.1 Transition-In Services

 

5.1.1 The Contractor shall identify and transition the required services for all impacted individuals. This is inclusive of both impacted individuals who previously enrolled for services with the previous vendor and those who did not. Refer to Section 5.3 for further information.

 

5.1.2 The Contractor shall allow for pre-enrollment during the Transition-In period prior to enrollment activation on July 1, 2019. Individuals in possession of their impact letter and 25-digit PIN code shall be allowed to establish an account via the Contractor’s online web portal by web or phone. Pre-enrollment shall allow for individuals to establish a username, password, and account preferences after providing their 25-digit PIN code so their account can be activated. The date on which pre-enrollment shall be effective shall be April 1, 2019. This is inclusive of both impacted individuals who previously enrolled for services with the previous vendor and those who did not. Refer to Section 5.3 for further information.

 


 

Performance Standards:

 

Call Center Agent Scripts and Frequently Asked Questions (FAQs) shall be formalized no later than Tuesday February 19, 2019.
Call Center Interactive Voice Response (IVR) script shall be formalized no later than Tuesday February 19, 2019.
Call Center shall be fully operational (with Call Center Agent Scripts, FAQs, and IVR script implemented) no later than Friday March 1, 2019.
Website shall be fully operational no later than Monday March 18, 2019.
Pre-enrollment availability shall be established no later than Monday April 1, 2019.
All credit monitoring and identity protection services shall be available no later than Monday July 1, 2019.

 

Deliverables:

 

Transition-in Plan furnished to the Government with a comprehensive timeline for transition-in activities no later than Thursday January 31, 2019, updated at the discretion of the Contracting Officer.
Transition-in Progress Reports every Wednesday for the length of the transition-in period.

 

5.2 Project Management Services

 

5.2.1 The Contractor shall develop a Project Management Plan (PMP) that includes, but is not limited to, a Work Plan, a Quality Control Plan, Risk Management / Mitigation Plan, Resource Management Plan, a Government Escalation Notification Plan, and a Test and Evaluation Plan.

 

The Contractor shall develop and maintain a detailed Project Management Plan (PMP) which sets forth the high level approach and procedures for managing, executing, and evaluating the tasks associated with executing the services listed within this document. The Contractor’s PMP is the means by which the Contractor tracks progress against the requirements of the BPA Call. The PMP shall identify and prioritize tasks for completion across all areas of support on an ongoing basis. For each task identified in the PMP, the Contractor shall design a detailed approach identifying key activities and milestones, develop processes and procedures, and execute the tasks according to plan to identify, prevent and mitigate against non-recurrence of defective services. The Contractor shall monitor progress, risks, and facilitate continuous improvement. The Contractor shall have regular status update meetings with the Government in which the Contractor and Government review milestone progress and / or interim deliverables.

 

Within the PMP are the following deliverables:

 

Work Plan: The Contractor shall maintain a Work Plan at the task-level that tracks milestones, activities and sub-activities. This Work Plan shall also identify owners, due dates, and dependencies. The Contractor shall also update this Work Plan on an on-going basis and provide to the Contracting Officer and Contracting Officer’s Representative as required.

 


 

Quality Control Plan: The Contractor shall maintain a Quality Control Plan that identifies how the Contractor shall determine and implement its quality policy. The Quality Control Plan shall incorporate inputs from the Quality Assurance Surveillance Plan (QASP) and document quality control, quality assurance, and quality improvement procedures. The Quality Control Plan shall evaluate performance and determine whether performance complies with quality standards and identify ways to eliminate unsatisfactory performance.
Risk Management / Mitigation Plan: The Contractor shall maintain a Risk Management / Mitigation Plan that documents the procedures used to identify and manage risk and the parties responsible for managing various areas of risk. This shall include procedures determining risk events that are likely to affect performance, executing risk identification and quantification, planning risk response, and documenting results and lessons learned.
Resource Management Plan: The Contractor shall maintain a Resource Management Plan that identifies how resource planning shall be carried out. The Resource Management Plan shall document the resources needed to accomplish work and performance, the process of determining the resources needed in specific quantities, and the specific timeframes in which the resources are needed to maintain performance.
Government Escalation Notification Plan: The Contractor shall maintain an Escalation Notification Plan that identifies which parameters / circumstances must be met before issues are escalated to the Program Office and Contracting Officer. The Government Escalation Notification Plan shall also include a list of contact names with their phone and email information. This document shall be reviewed every 6 months and updated as necessary.
Test and Evaluation Plan: The Contractor shall maintain a Test and Evaluation Plan that identifies the tasks, activities, and reviews that are required so that the Contractor’s systems can be adequately tested to ensure successful implementation.

 

The Contracting Officer may notify the Contractor of required modifications to the PMP during the period of performance. The Contractor shall then coordinate suggested modifications and obtain acceptance of the PMP from the Contracting Officer. Any modifications to the program during the period of performance shall be provided to the Contracting Officer for review no later than 10 calendar days prior to effective date of the change. The PMP shall be subject to the Government’s review and approval. The Government may find the PMP “unacceptable” whenever the Contractor’s procedures do not accomplish quality control objective(s). The Contractor shall revise the PMP within 10 calendar days from receipt of notice that PMP contents are deemed “unacceptable.”

 


 

Performance Standards:

 

Project Management Plan(s) include, but are not limited to, Work Plan, Quality Control Plan, Risk Management / Mitigation Plan, Resource Management Plan, Government Escalation Notification Plan, and Test and Evaluation Plan.

 

Deliverables:

 

Draft Project Management Plan furnished to the Government no later than Monday January 14, 2019, whereupon the Government will have 5 business days to review and provide feedback.
Finalized Project Management Plan furnished to the Government no later than 5 business days after receipt of Government feedback to Draft Project Management Plan.

 

5.3 Notification, Communication and Outreach, and Enrollment Support Services

5.3.1 The Government will provide the Contractor with information sufficient to enable multi-factor authentication for the purpose of enrollment.

 

The Government will provide the Contractor a random secret and a master list of 256-bit numbers (keyed-hash message authentication codes, also known as HMACs), one for each impacted individual. The impacted individuals will provide the Contractor a 25-digit PIN code (24 random digits + 1 digit of Luhn checksum) that was delivered to them by the Government and the last 4 digits of their SSN. The Contractor shall take these 2 pieces of information and the Government-provided random secret and generate a hash using the HMAC SHA3-256 algorithm. The output of the hash will be matched against the list of 256-bit numbers the Government provided to the Contractor. A match will indicate to the Contractor that the impacted individuals are eligible for the identity support services in Section 5.7.
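The eligibility check described in 5.3.1, as an added Python example (not part of the solicitation and not any vendor's code). This document does not give the byte layout of the HMAC input or the storage format of the master list; concatenating the PIN and SSN digits as ASCII, holding the list as raw 32-byte digests, and every function name and sample value below are assumptions.

```python
import hashlib
import hmac

PIN_LENGTH = 25  # 24 random digits + 1 Luhn check digit, per Section 5.3.1


def luhn_check_digit(payload: str) -> int:
    """Return the Luhn check digit for a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # the digit next to the check digit is doubled first
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def normalize_pin(raw: str) -> str:
    """Drop the spaces and hyphens people add when typing a long code."""
    return "".join(c for c in raw if c not in " -")


def is_decimal(s: str, length: int) -> bool:
    # isascii() rejects Unicode digits that isdigit() alone would accept.
    return len(s) == length and s.isascii() and s.isdigit()


def pin_is_well_formed(pin: str) -> bool:
    return is_decimal(pin, PIN_LENGTH) and luhn_check_digit(pin[:-1]) == int(pin[-1])


def enrollment_tag(secret: bytes, pin: str, ssn_last4: str) -> bytes:
    """HMAC-SHA3-256 over PIN || last-4-SSN (input layout is an assumption)."""
    message = (pin + ssn_last4).encode("ascii")
    return hmac.new(secret, message, hashlib.sha3_256).digest()


def check_eligibility(secret: bytes, master_list: frozenset,
                      raw_pin: str, ssn_last4: str) -> str:
    """Return 'eligible', 'no_match', 'malformed_pin' or 'malformed_ssn'.

    The Luhn check runs before the secret is used, so a mistyped PIN is
    reported as a typo instead of being confused with a non-match.
    """
    pin = normalize_pin(raw_pin)
    if not pin_is_well_formed(pin):
        return "malformed_pin"
    if not is_decimal(ssn_last4, 4):
        return "malformed_ssn"
    tag = enrollment_tag(secret, pin, ssn_last4)
    # The contractor never holds PINs or SSNs at rest, only these digests.
    return "eligible" if tag in master_list else "no_match"


# --- constructed sample data, not real values ---
DEMO_SECRET = bytes(range(32))
_payload = "123456789012345678901234"
DEMO_PIN = _payload + str(luhn_check_digit(_payload))
MASTER_LIST = frozenset({enrollment_tag(DEMO_SECRET, DEMO_PIN, "6789")})

if __name__ == "__main__":
    for pin, last4 in [(DEMO_PIN, "6789"), (DEMO_PIN, "0000"), ("9" + DEMO_PIN[1:], "6789")]:
        print(pin, last4, check_eligibility(DEMO_SECRET, MASTER_LIST, pin, last4))
```
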

 

5.3.2 The Government anticipates administering initial notifications over a 6 to 12 week period to impacted individuals who previously elected to enroll for services with the previous vendor, as well as individuals who previously submitted a verification request, commencing on March 1, 2019.

 

The Government has previously mailed impact notification letters via the United States Postal Service (USPS) to those impacted by the 2015 cybersecurity incidents. If there is a change in service providers, the Government reserves the right to mail service provider change notification letters to some or all of the impacted individual population. The mailed impact notification letters contain the 25-digit PIN code that will allow impacted individuals to enroll for services. Each impacted individual was previously assigned a 25-digit PIN code for the purpose of enrollment, and the Government does not anticipate the 25-digit PIN code to change throughout the life of the Congressional mandate.

 

In the event of a service provider change, the Government will work with the previous vendor to obtain the HMACs that have previously been used for the purpose of determining the individuals who require a service provider change notification letter. Thus, service provider change notification letters will be mailed to individuals who previously elected to enroll for services with the previous vendor, as well as to individuals who have previously submitted a verification request via the Verification Center for the purpose of receiving a verification letter. The population size the Government anticipates mailing service provider change notification letters is approximately 3 million individuals.

 


 

If the Government elects to mail service provider change notification letters, the Government expects to complete mailing the bulk of initial notifications prior to the start of pre-enrollment services availability. However, this is only an estimate, as the Government also recognizes the magnitude of validating current addresses for those who require a service provider change notification letter, as well as printing and mailing the notification letters. Allowing notification letters to be mailed throughout the duration of the Transition-In Period, commencing on March 1, 2019, will allow the Government to obtain valid addresses and mail notification letters to the impacted population within an appropriate amount of time. The Contractor shall be prepared to respond to queries and requests from the impacted population and the general public via call center services no later than March 1, 2019, and accept pre-enrollments no later than April 1, 2019.

 

5.3.3 The Government anticipates continuing to mail impact verification letters to impacted individuals throughout the period of performance of the BPA Call.

 

The Government recognizes that all individuals, including those not impacted by the 2015 cybersecurity incidents, require a means to determine their impact status at any time during the period of performance of the BPA Call. Therefore, the Government has established a Verification Center (https://opmverify.dmdc.osd.mil/) to assist individuals who previously received a letter notifying them that their data had been impacted by the 2015 cybersecurity incidents and would like to have a verification letter sent. The Verification Center also assists those who believe they may have been impacted by the incident, but have not received a letter.

 

The identity confirmation process used by the Verification Center has been developed to protect an individual’s personal information. After an individual submits their personal information, it is matched against information within a separate Government database. If an individual contacts the Verification Center and it is determined that their Social Security number and other personal information were included in 2015 cybersecurity incidents, the Government will mail an impact verification letter to the individual via USPS that will list their assigned 25-digit PIN code along with enrollment instructions. If an individual contacts the Verification Center and it is determined that their information was not included in the 2015 cybersecurity incidents, the Government will mail an impact verification letter to the individual via the U.S. Postal Service with that information.

 

The Government estimates that each individual submitting a verification request will receive a reply via the U.S. Postal Service within approximately four weeks of submitting a request. The four week period is an estimate, which may vary based on the quantity of requests received. The Government reserves the right to mail impact verification letters sooner than the four week estimate, as well as longer than the four week estimate, as required, depending on the volume of requests at a particular timeframe.

 


 

In conjunction with OPM, the Verification Center is managed and overseen by the Department of Defense. The management and oversight of the Verification Center, as well as the website location of the Verification Center, may change over the course of the period of performance.

 

5.3.4 The Contractor shall validate the identity of impacted individuals who desire to enroll using the data provided by the Government.

 

Once impacted individuals receive their 25-digit PIN code provided within their letter, they shall have the ability to enroll themselves by web via the Contractor’s website or phone via call center agents. For individuals calling to enroll by phone, they may be asked to enter the 25-digit PIN code before being advanced to a Call Center agent who will be able to assist the caller with the enrollment process. However, the Contractor shall have an Interactive Voice Response (IVR) that accommodates all callers with a Call Center Agent, including addressing instances in which individuals are not eligible for the services. Therefore, all callers, including those who have not previously enrolled, or are not eligible for services, or would like to determine their impact status, shall have the opportunity and ability to speak with a Call Center Agent at all times during regular call center hours throughout the period of performance, even if they do not presently have a 25-digit PIN code.

 

5.3.5 The Government anticipates periodic communication and outreach with individuals, stakeholder groups, and the general public throughout the performance period, as required.

 

The Government recognizes the need to communicate directly with individuals, stakeholder groups, and the general public through various means throughout the period of performance. The Government has established a Cybersecurity Resource Center (https://www.opm.gov/cybersecurity/) to provide information, changes, and updates on, including but not limited to, the 2015 cybersecurity incidents, enrollment and services, how to verify impact status, and answers to Frequently Asked Questions (FAQs). The website location of the Cybersecurity Resource Center may change over the course of the period of performance.

 

Periodically, at the sole discretion of the Government, the Government may refresh content on the Cybersecurity Resource Center. Additionally, as needed, the Government reserves the right to communicate and to perform outreach directly with individuals, stakeholder groups, and the general public by means of, including but not limited to, updates to the Cybersecurity Resource Center; Cybersecurity Resource Center Listserv Messages; Postmaster Communications distributed across federal agencies via Senior Accountable Officials (SAOs) for Privacy and Cybersecurity, and Human Capital Officers; as well as communications and conference calls with unions, federal worker and management groups, Contracting Associations, and the press.

 

5.4 The Contractor shall support Address Validation services, as needed

 

(OPTIONAL Time and Materials CLIN – Not to Exceed 3 million addresses)

 

If notification of impacted individuals is required, the Government plans on using address validation services to obtain the most reliable and up to date addresses for those impacted by the 2015 cybersecurity incidents. If exercised, the Government reserves the right to validate the addresses of approximately 3 million individuals who require service provider change notification letters, during the period of performance.

 


 

5.4.1 If exercised, the Government shall provide the Contractor a list of nine digit social security numbers (SSN) in a CSV text file (delimited by pipe (|)). The data may be broken into multiple batches. Each batch shall be encrypted and provided to the Contractor in a secure manner. The delivery of each batch may be done via uploading the data to a secure file transfer protocol (SFTP) site maintained by the Contractor, using a courier service, or using a different secure means agreed upon by the Government and the Contractor.

 

5.4.2 If exercised, the Contractor may receive multiple batches. The Government reserves the right to provide additional batches of records throughout the period of performance. If exercised, the Government anticipates mailing the initial batches of impacted notification letters during the Transition-In Period, and the Government reserves the right to provide additional batches of records as needed throughout the life of the period of performance. Encryption keys will be passed on to the vendor through an out-of-band process.

 

5.4.3 The Contractor shall process each batch separately. If the data is sent via SFTP, the Government prefers that the Contractor move each batch from the SFTP to the operational system, unencrypt it on the system, and then process it through their database. The results should be encrypted using a Government-provided passphrase (unique for each batch to be sent to the Government) and uploaded to the vendor SFTP site for retrieval. Data should be returned in the format specified below. All residual information from an individual batch should be deleted from the system once the Government confirms receipt of the data and quality assures its contents. This shall be repeated until all of the batches are processed. If the data is sent via a different means, the Contractor shall work with the Government to adopt a secure process for transmitting the data. Information from each batch shall be forwarded to the Government as soon as it is completed.

 

5.4.4 Wiping system requirements: The Contractor shall remove all copies of the data files provided to the Contractor by the Government upon completion. Once the Government has acknowledged receipt of the data files and quality has been assured of its contents, the Contractor shall remove all copies of the files / records that were returned to Government.

 

5.4.5 US addresses (includes APO / DPO / FPO and US territories serviced by the United States Postal Service) shall be returned in separate files per batch. If International addresses can be returned in the US address format (i.e., Canada with 2 digit Province codes), they may be in the US file, but International addresses should be complete if they are included with US addresses.

 

5.4.6 All data shall be encrypted using GNU Privacy Guard AES256 algorithm or a compatible encryption program that can be unencrypted using GNU Privacy Guard.

 

Performance Standard:

 

Data should be returned in a CSV text file using the pipe (|) as the delimiter with the following fields for the US addresses. Address provided should be the best address for a given name and SSN pairing. If there are multiple names associated with an SSN, provide all name and SSN pairings with the best address for each. Please make sure leading zeros in numeric fields (SSN, Zip code) are not dropped in the transfer.

 


 

Field                          Field Length
SSN                            9 Characters
First Name                     Contractor Determined
Middle Name                    Contractor Determined
Last Name                      Contractor Determined
Address Line 1                 Contractor Determined
Address Line 2                 Contractor Determined
City                           Contractor Determined
State                          2 Characters
Zip Code                       5 Characters
Date of Last Address Update    YYYY-MM-DD
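A pre-delivery check for the return file layout above, as an added Python example (not part of the solicitation). It reads every field as text so that leading zeros survive, and flags short SSN and Zip values as probable zero-stripping; the absence of a header row, the field order following the table, and all names and sample rows are assumptions.

```python
import csv
import io
import re
from datetime import datetime

FIELDS = ["SSN", "First Name", "Middle Name", "Last Name", "Address Line 1",
          "Address Line 2", "City", "State", "Zip Code",
          "Date of Last Address Update"]
DATE_SHAPE = re.compile(r"[0-9]{4}-[0-9]{2}-[0-9]{2}")


def _check_digits(name: str, value: str, width: int, errors: list) -> None:
    """Fixed-width numeric field: exact width, ASCII digits only."""
    if value.isascii() and value.isdigit():
        if len(value) < width:
            errors.append(f"{name} has {len(value)} digits, expected {width}: "
                          "leading zeros probably dropped")
        elif len(value) > width:
            errors.append(f"{name} has {len(value)} digits, expected {width}")
    else:
        errors.append(f"{name} is not {width} decimal digits")


def validate_return_row(row: list) -> list:
    """Return a list of problems found in one pipe-delimited record."""
    if len(row) != len(FIELDS):
        return [f"expected {len(FIELDS)} fields, got {len(row)}"]
    rec = dict(zip(FIELDS, row))
    errors = []
    _check_digits("SSN", rec["SSN"], 9, errors)
    _check_digits("Zip Code", rec["Zip Code"], 5, errors)
    if len(rec["State"]) != 2:
        errors.append("State is not 2 characters")
    date = rec["Date of Last Address Update"]
    if not DATE_SHAPE.fullmatch(date):
        # strptime alone would accept unpadded values such as 2018-9-5.
        errors.append("date is not in YYYY-MM-DD form")
    else:
        try:
            datetime.strptime(date, "%Y-%m-%d")
        except ValueError:
            errors.append("date is not a real calendar date")
    return errors


def validate_return_file(text: str) -> dict:
    """Map 1-based line number -> problems, for lines that have any."""
    # QUOTE_NONE: quote characters inside names or addresses are plain data.
    reader = csv.reader(io.StringIO(text), delimiter="|", quoting=csv.QUOTE_NONE)
    report = {}
    for line_no, row in enumerate(reader, start=1):
        if not row:
            continue
        problems = validate_return_row(row)
        if problems:
            report[line_no] = problems
    return report


# Constructed sample rows, not real data. Line 2 lost its leading zeros in a
# spreadsheet-style round trip; line 3 is missing two name/address fields.
SAMPLE = "\n".join([
    "001234567|ANA||DOE|1 MAIN ST||BOSTON|MA|02108|2018-11-30",
    "1234567|BO|Q|ROE|2 ELM ST|APT 3|HOLTSVILLE|NY|501|2018-9-5",
    "001234568|CY|ROE|3 OAK ST|SALEM|MA|01970|2018-10-01",
])

if __name__ == "__main__":
    for line_no, problems in validate_return_file(SAMPLE).items():
        print(line_no, problems)
```
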

 

5.5 Website Services

 

5.5.1 The Contractor shall establish and operate a dedicated and branded website for impacted individuals to access all services included in the BPA Call. The Government may require the website to link with a “.gov” website.

 

Performance Standards:

 

Website shall be 508 compliant.
Website shall be compliant with NIST-SP-800-171.
Website shall be accessible on major browsers for all versions that are currently supported.
Website shall be fully operational no later than Monday March 18, 2019.
Website shall be available 99.99% of the time, exclusive of reasonable maintenance periods to be determined in conjunction with the Government. The Contractor shall provide at least 12 hours advance notice prior to any maintenance periods.
Website shall utilize multi-factor authentication methods for impacted individuals.

 

Deliverable:

 

Report shall consist of the following measures: operational status of the website with number of times accessed, number of enrollments by website, number of enrollments for credit monitoring services, and number of enrollments for identity monitoring services. Refer to Section 11: Contractor Reporting for further information.
Report shall be provided monthly throughout the BPA Call.

 

5.6 Call Center Services

 

5.6.1 The Contractor shall establish and operate Call Center Services for impacted individuals to utilize for customer support. All callers, including those who have not previously enrolled, or are not eligible for services, or would like to determine their impact status, shall have the opportunity and ability to speak with a Call Center Agent at all times during regular call center hours during the period of performance of the BPA Call.

 


 

Performance Standards:

 

Call Center shall be 508 compliant and, at minimum, accommodate Teletypewriter (TTY) / Telecommunications Device for the Deaf (TDD), or other assistance for individuals with disabilities.
Call Center shall be located in the United States.
Call Center shall provide a dedicated U.S. toll-free telephone number.
Call Center shall provide international telephone access.
Call Center shall provide services in both English and Spanish.
Call Center shall be fully operational no later than Friday March 1, 2019.
Call Center shall be operational 12 hours a day, Monday through Saturday, from 9:00 AM ET – 9:00 PM ET, unless otherwise approved by the Contracting Officer.
Call Center shall be available 100.00% of the time, unless otherwise discussed and approved by the Government.
Call Center shall have wait times not to exceed 15 minutes before human assistance is rendered.
Call Center procedures shall allow the first call center agent an individual speaks with to perform routine functions (i.e. ability to unlock an account, reset a password, review an alert, etc.) without being transferred to a second call center agent.
Call Center shall have average wait times that shall not exceed 10 minutes.
Call Center shall establish and maintain daily call logs, which include a complete account of all incoming phone calls.
Call Center shall record all calls, and the Government reserves the right to audit call logs and recorded calls.

 

Deliverable:

 

Report shall consist of the following measures: operational status of the Call Center, number of calls received, number of calls abandoned or dropped, number of calls which resulted in the caller enrolling for services, number of calls transferred, average and maximum wait time, and average length of call. Refer to Section 11: Contractor Reporting for further information.
Report shall be provided monthly throughout the BPA Call.

 

5.6.2 The Contractor shall respond to queries, enrollments, and requests for use of provided services from impacted individuals based on scripts approved by the Government and assist impacted individuals in understanding and obtaining desired services. All callers, including those who have not previously enrolled, or are not eligible for services, or would like to determine their impact status, shall have the opportunity and ability to speak with a Call Center Agent at all times during regular call center hours throughout the period of performance, even if they do not presently have a 25-digit PIN code.

 

The Contractor shall provide call center services that support two functions: (1) responding to calls and answering questions about the incident, explaining the services being provided, and assisting individuals with support related to enrollment and other provided services; and (2) assisting individuals in submitting their information to the Government’s Verification Center website for the purpose of determining their impact status and eligibility to enroll.

 


 

The Government established a Verification Center to assist individuals who previously received a letter notifying them that their data had been impacted by the cyber incident and would like to have a copy of their letter resent. The Center also assists those who believe they may have been impacted by the incident, but have not received their letter.

 

For the Verification Center inquiries, the call center agents shall input the individual’s name, social security number, date of birth, address, and other requested information into the Government’s Verification Center website. The agent shall advise callers that they will receive responses from the Government within a specified time period that will indicate whether or not the caller was impacted by the 2015 cyber incidents. The agent shall also answer callers’ inquiries about the Verification Center process utilizing FAQs provided by the Government.

 

Performance Standards:

The Contractor shall ask call center agents to use scripts approved by the Government to answer questions about the incident, explain the services being provided, and assist individuals with support related to enrollment and other provided services. The Contractor shall draft scripts derived from FAQs provided by the Government. When the Government updates its FAQs, it will share them with the Contractor for the Contractor to update its scripts. The Contractor shall work in conjunction with the Government to further update / revise scripts as needed to reflect new / updated questions and answers, processes, or information. Call center agents shall use scripts that the Government has reviewed and approved.
The Contractor shall ask call center agents to use Verification Center scripts approved by the Government to help individuals submit their information to the Government’s Verification Center website and answer questions about the Verification Center process. The Contractor shall draft a Verification Center script derived from FAQs provided by the Government. When the Government updates its FAQs, it will share them with the Contractor for the Contractor to update its Verification Center script. The Contractor shall work in conjunction with the Government to further update / revise the script as needed to reflect new / updated information. Call center agents shall use the Verification Center script that the Government has reviewed and approved.

 

Deliverables:

Call center scripts and FAQs to answer frequently asked questions about the incident, explain the services being provided, and assist individuals with support related to enrollment and other provided services shall be established no later than Tuesday February 19, 2019. Following the Government’s review, the Contractor will update scripts to reflect the Government’s revisions. Call center scripts and FAQs shall be used once the call center is operational.
Verification Center scripts and FAQs to help individuals submit their information to the Government’s Verification Center website and answer questions about the Verification Center process shall be established no later than Tuesday February 19, 2019. Following the Government’s review, the Contractor will update the Verification Center script to reflect the Government’s revisions. Verification Center scripts and FAQs shall be used once the call center is operational.

 


 

5.6.3 The Contractor shall address special requests, issues, or inquiries provided by the Government.

 

The Government shall provide the Contractor with special requests, issues, or inquiries which may include, but are not limited to, those requests, issues, or inquiries from impacted individuals as well as members of the general public, Members of Congress and other governmental entities, stakeholder groups, and the press.

 

Performance Standard:

Call Center shall establish a tracking document no later than Tuesday February 19, 2019.

 

Deliverable:

Tracking document shall include the date the request was made, requestor’s information (name, phone number, and / or email address), summary of the issue or request, status of the request, summary of the resolution, and any recommended follow-up actions or lessons learned that either the Contractor or Government may adopt as a result of the inquiry.

 

5.6.4 The Contractor shall provide impacted individuals with the information needed to pursue Identity Theft Insurance and Identity Restoration Services.

 

All impacted individuals are eligible for Identity Theft Insurance and Identity Restoration Services, even if they do not enroll in other optional services (e.g., credit monitoring services or identity monitoring services). When identity restoration service information and / or identity theft insurance information are requested, the Contractor shall provide the requested information. If applicable, the Contractor shall connect impacted individuals with licensed fraud investigators.

 

Performance Standards:

 

Call center agent shall initiate process for impacted individual to pursue Identity Theft Insurance and / or Identity Restoration Services within 15 minutes of phone connection.

The Contractor shall provide services on an on-going basis until issue is resolved / closed.

 

5.7 Identity Support Services

The Contractor shall provide impacted individuals with credit monitoring and identity protection services. Impacted individuals may elect to enroll themselves to receive credit report access, credit monitoring services, and / or identity monitoring services at any time while the BPA Call is active; however, all impacted individuals (and their dependent minor children) are entitled to identity theft insurance and identity restoration services regardless of their status as an enrolled individual. The Contractor shall support impacted individuals requesting identity theft insurance and identity restoration services as long as their request was made on or prior to the end date of the BPA Call.

 


 

5.7.1 Credit Report Access.

 

The Contractor shall obtain, make available, and provide access to national credit reports for impacted individuals who enroll for credit monitoring-related services. All impacted individuals who enroll for credit monitoring-related services are eligible for online access to review their credit report at any time.

 

Performance Standards:

 

Contractor shall make available initial credit reports within 48 hours of enrollment into credit monitoring services. Subsequent reports shall be made available in accordance with the Fair Credit Reporting Act and in accordance with applicable federal and state laws.

Contractor shall make available updated credit reports to individuals who may have previously enrolled under prior identity protection services.

Contractor shall make available to enrolled individuals credit reports provided from all three national credit reporting agencies (e.g., Experian, Equifax, and TransUnion).

When dependent minor children turn 18 years of age, Contractor shall make available under their own account initial credit reports within 48 hours of enrollment into monitoring services upon request by the former dependent minor.

For the purpose of enrollment (or re-enrollment) for impacted individuals, the Contractor shall include relevant information in the Terms and Conditions (T&Cs) and Privacy Policy that acknowledges the personally identifiable information provided by the individual may be later provided to the Government for the purpose of providing a service provider change notification letter, in the event that the service provider changes prior to the end of the Congressional mandate period. Refer to Section 6.0: Transition-Out Activities for further information.

 

5.7.2 Credit Monitoring Services.

 

The Contractor shall actively monitor the Tri-Bureau Credit Reports from Experian, Equifax, and TransUnion on an on-going basis for impacted individuals upon enrollment and will alert financial institutions and impacted individuals of any suspicious or abnormal activities. The Contractor shall provide online access and monitoring alerts for impacted individuals to review at any time.

 

Performance Standards:

 

Contractor shall offer online credit monitoring services on an on-going basis 24 hours a day, 7 days a week, exclusive to reasonable maintenance periods to be determined in conjunction with the Government.

Contractor shall identify and notify impacted individuals of findings or changes no later than 24 hours after each occurrence.

Contractor shall actively monitor credit reports for impacted individuals (as well as their dependent minor children).

 


 

If available, when dependent minor children turn 18 years of age, Contractor shall make available under their own account credit monitoring services within 48 hours of enrollment into monitoring services upon request by the former dependent minor.

For the purpose of enrollment (or re-enrollment) for impacted individuals, the Contractor shall include relevant information in the Terms and Conditions (T&Cs) and Privacy Policy that acknowledges the personally identifiable information provided by the individual may be later provided to the Government for the purpose of providing a service provider change notification letter, in the event that the service provider changes prior to the end of the Congressional mandate period. Refer to Section 6.0: Transition-Out Activities for further information.

 

5.7.3 Identity Monitoring Services.

 

The Contractor shall obtain, make available, and provide identity monitoring services for impacted individuals who choose to have their identity monitored. Identity monitoring services include, but are not limited to, monitoring the Internet (“dark web”) and monitoring databases that track criminal records, arrest records, bookings, court records, pay day loans, bank accounts, sex offender lists, change of addresses, and Social Security number traces.

 

Performance Standards:

 

Contractor shall offer online identity monitoring services on an on-going basis 24 hours a day, 7 days a week.

Contractor shall identify and notify enrolled individuals of findings or changes no later than 24 hours after each occurrence.

Contractor shall offer identity monitoring services to impacted individuals (as well as their dependent minor children).

When dependent minor children turn 18 years of age, Contractor shall make available under their own account identity monitoring services within 48 hours of enrollment into monitoring services upon request by the former dependent minor.

For the purpose of enrollment (or re-enrollment) for impacted individuals, the Contractor shall include relevant information in the Terms and Conditions (T&Cs) and Privacy Policy that acknowledges the personally identifiable information provided by the individual may be later provided to the Government for the purpose of providing a service provider change notification letter, in the event that the service provider changes prior to the end of the Congressional mandate period. Refer to Section 6.0: Transition-Out Activities for further information.

 

5.8 Identity Theft Insurance.

The Contractor shall obtain, make available, and provide identity theft insurance to all impacted individuals, regardless of their enrollment status in other services.

 

The Contractor shall reimburse impacted individuals up to $5,000,000 for expenses associated with recovery services should the individual become the subject of identity theft or fraud as a result of the cyber incident involving personnel records. The scope of this coverage includes all claims submitted on or prior to the date of the expiration of the BPA Call, and may require the Contractor’s performance beyond the expiration of the BPA Call to restore the impacted individual’s identity to the pre-compromised state.

 


 

Performance Standard:

 

Contractor shall offer identity theft insurance on an on-going basis while the BPA Call is still active.

Contractor shall offer identity monitoring services in accordance with terms of the insurance agreement submitted with the General Services Administration’s Identity Protection Services (IPS) Multi Award Blanket Purchase Agreement (BPA).

Contractor shall offer coverage up to $5,000,000 per impacted individual, with no deductible. The benefits of this insurance shall include, at a minimum, coverage for: lost wages, travel expenses, elder care and child care, initial legal consultation, and any other expenses specifically tied to the identity restoration.

Contractor shall offer identity theft insurance to impacted individuals (as well as their dependent minor children).

When dependent minor children turn 18 years of age, Contractor shall make available identity theft insurance under their own account upon request by the former dependent minor.

 

5.9 Identity Restoration Services:

The Contractor shall obtain, make available, and provide identity restoration services to impacted individuals, regardless of their enrollment status in other services.

 

Any impacted individual shall have access to identity theft recovery experts (and licensed fraud investigators, if needed), should his / her identity be stolen during the period of performance for the services offered, until the impacted individual’s identity is restored to his / her pre-compromised state. The Contractor shall assign an individual case manager to work with the impacted individual requiring identity restoration services. The Contractor shall offer the option of working under the authority of a Limited Power of Attorney, when required. These services shall include, but not be limited to, counseling, investigating, and resolving identity theft issues. The scope of this coverage includes all claims submitted on or prior to the date of the expiration of the BPA Call, and may require performance beyond the expiration of the BPA Call to restore the impacted individual’s identity to the pre-compromised state.

 

Performance Standard:

 

Contractor shall offer identity theft insurance on an on-going basis while the BPA Call is still active.

Contractor shall assign a case manager who will contact the impacted individual within 1 business day of initiation of the identity restoration service process.

Contractor shall offer identity restoration services to impacted individuals (as well as their dependent minor children).

 


 

When dependent minor children turn 18 years of age, Contractor shall make available identity restoration services coverage upon request by the former dependent minor.

 

5.10 Offline Mailed Alternative Services

The Contractor shall provide impacted individuals an offline alternative to a comparable suite of identity protection and credit monitoring services.

 

Because timeliness is so important when attempting to prevent or limit credit or identity theft, the Government recommends that impacted individuals access their identity protection and credit monitoring services via the Contractor’s online dedicated, branded website portal, which is accessible 24 hours a day, 7 days a week. However, the Contractor shall provide an offline mailed alternative for those who indicate that they need a different means to access their information.

 

Performance Standard:

Contractor shall provide offline alternative in addition to the online access for those who have requested an offline means.

Upon enrollment in the offline mailed alternative, the Contractor shall obtain, make available and mail credit reports from all three national credit reporting agencies (i.e., Experian, Equifax, and TransUnion).

Offline mailed credit monitoring of credit reports from Experian, Equifax and TransUnion. The Contractor shall provide mailed credit monitoring of credit reports from all three national credit reporting agencies (i.e., Experian, Equifax, and TransUnion) and monitoring alerts for changes to credit reports. The Contractor shall identify changes in credit reports and notify via mail impacted individuals of findings or changes no later than 24 hours after occurrence (postmarked no later than 24 hours after occurrence).

Offline mailed identity monitoring services for enrolled individuals. Identity monitoring services include, but are not limited to, monitoring of the Internet and monitoring of database sources including criminal records, arrest records, court records, pay day loan, bank accounts, check databases, sex offender, change of address, and social security number trace. The Contractor shall identify changes and notify via mail impacted individuals of findings or changes after each occurrence. The Contractor may decide to exclude some of the identity monitoring database sources from offline mailed alternative notifications, and limit such monitoring to online website portal/email alerts only (i.e. sex offender monitoring). Additionally, rather than mailing identity monitoring findings or changes no later than 24 hours after occurrence, the Contractor may decide to batch and mail multiple identity monitoring changes in one mailing over a period of time (i.e. weekly, biweekly, monthly basis) provided Contractor shall identify changes and notify via mail impacted individuals of findings or changes no later than one month after occurrence. The Contractor shall state its assumptions when providing responses regarding the identity monitoring services included in the mailed alternative as well as the frequency of mailings.

 


 

Mailings shall not be required in months that an individual does not have credit or identity monitoring findings or changes.

Contractor may require the vendor to complete a Mailed Alternative Enrollment Form; however Contractor shall not require a public notary to enroll. If a completed Mailed Alternative Enrollment Form is required by the Contractor for enrollment, form will be mailed to those who indicate their preference for the offline mailed alternative at no cost to the individual. The Contractor may decide to batch and mail Mailed Alternative Enrollment Forms over a period of time (i.e. days, weekly, biweekly) provided Contractor shall mail forms to impacted individuals no later than two weeks after occurrence.

Offline mailed alternative will be made available in accordance with the Fair Credit Reporting Act and in accordance with Federal and applicable State Laws.

Contractor shall offer offline mailed alternative services to impacted individuals (as well as their dependent minor children).

When dependent minor children turn 18 years of age, Contractor shall make available offline mailed alternative services coverage upon request by the former dependent minor.

 

Deliverable:

Mailed alert templates (for credit reports, credit monitoring, and identity monitoring) for review and approval by Government no later than April 1, 2019.

Mailed Alternative Enrollment Form (if required by the Contractor) no later than April 1, 2019.

 

6.0 TRANSITION-OUT ACTIVITIES

 

6.1 Project Management Services and Transition-Out of Operations

 

6.1.1 The Contractor shall support a phase out or transition-out of services upon BPA Call completion and shall cooperate with the Government and / or any successor(s). All developed materials and data are property of the Government.

 

6.1.2 The Contractor shall submit a Transition-Out Plan to facilitate a smooth and orderly transition. This smooth and orderly transition includes the requirement that there can be no disruption of any services identified and described in this Performance Work Statement. To facilitate a smooth and orderly transition, the Contractor shall provide all developed materials and data to the Government and will maintain operations throughout the transition until directed by the Government.

 

Performance Standards:

Maintain operations throughout the transition until directed by the Government.

 

Deliverables:

Transition-Out Plan furnished to the Government with a comprehensive timeline for transition-out activities at a time agreed to after award.

 


 

Transition-Out Progress Reports every Wednesday for the length of the transition-in period with the successor, if applicable.

 

6.2 Transition-Out Activities During Transition-Out Period

 

6.2.1 For the purpose of providing previously enrolled individuals a service provider change notification letter, the Contractor shall be expected to provide the Government data on all hashes matched against the list of 256-bit numbers the Government provided to the Contractor.

 

6.2.1.1 The Contractor shall provide all hashes matched against the list of 256-bit numbers the Government provided to the Contractor within 5 business days at the start of the Transition-Out Period.

 

6.2.1.2 The Government reserves the right to request the Contractor to provide all hashes matched during the Transition-Out Period on up to 3 more occasions.

 

Performance Standards:

 

Contractor shall provide the Government with data during timeframes requested by the Government.

All data shall be encrypted using GNU Privacy Guard AES256 algorithm or a compatible encryption program that can be unencrypted using GNU Privacy Guard.

 

6.2.2 If requested by the Government, the Contractor shall also provide the Government the nine digit social security numbers (SSN) of individuals who have elected to enroll in services and have agreed to the Terms and Conditions (T&Cs) and Privacy Policy of the Contractor.

 

6.2.2.1 The Contractor shall provide the nine digit social security numbers of individuals who have enrolled within 5 business days at the start of the Transition-Out Period.

 

6.2.2.2 The Government reserves the right to request the Contractor to provide the matched during the Transition-Out Period on up to 3 more occasions.

 

Performance Standards:

 

Contractor shall provide the Government with data during timeframes requested by the Government.

Contractor shall provide the list of nine digit social security numbers (SSN) in a CSV text file (delimited by pipe (|)). The data may be broken into multiple batches. Each batch shall be encrypted and provided to the Contractor in a secure manner. The delivery of each batch may be done via uploading the data to a secure file transfer protocol (SFTP) site maintained by the Contractor, using a courier service, or using a different secure means agreed upon by the Government and the Contractor.

All data shall be encrypted using GNU Privacy Guard AES256 algorithm or a compatible encryption program that can be unencrypted using GNU Privacy Guard.

 

6.2.3 End of Service Notifications to Enrolled Individuals During Transition-Out Period

 

6.2.3.1 Upon direction by the Government, the Contractor shall send electronic service provider change notification alert emails to enrolled individuals notifying them of the end of their services on dates specified by the Government after the conclusion of the Transition-Out Period. The content of the electronic notification shall be provided by the Government. The Contractor shall refrain from sending communications not expressly approved by the Government.

 


 

6.2.3.1.1 The Contractor shall provide the Government electronic notification proof(s) for approval no later than 48 hours after receiving content provided by the Government. The Government shall approve email notification proof(s) within 24 hours to enable the Contractor to begin preparing the content for distribution.

 

6.2.3.2 The Contractor shall send mailed communications of the content that would have been shared electronically with enrolled individuals who have enrolled in the offline mailed alternative.

 

6.2.3.2.1 The Contractor shall provide the Government mailed notification proof(s) for approval no later than 48 hours after receiving content provided by the Government. The Government shall approve mailed notification proof(s) within 24 hours to enable the Contractor to begin preparing the content for distribution.

 

Performance Standards:

 

All enrolled individuals shall receive electronic alerts at timeframes specified by the Government.

All enrolled individuals who have enrolled in the offline mailed alternative to receive their alerts by mail shall be mailed notifications.

The email notifications and the mailed notifications shall coincide with the mailing of new service provider change letters sent by the Government.

 

6.2.4 Website Services During Transition-Out Period

 

6.2.4.1 The Contractor shall place a “banner” electronic notification on select web page(s) (to include, but not limited to log-in, landing, and validation pages such as) and any other website redirect, and any other website that references OPM and / or the cybersecurity incidents, commencing at the start of the Transition-Out Period, with content provided by the Government. The Contractor shall refrain from posting content not expressly approved by the Government.

 

6.2.4.2 The Contractor shall include select FAQs provided by the Government on select web pages, commencing at the start of the Transition-Out Period, with content provided by the Government. The Contractor shall refrain from posting content not expressly approved by the Government.

 

6.2.4.3 The Contractor shall provide the Government with the banner and FAQ proof(s) for approval no later than 48 hours after receiving content provided by the Government. The Government shall approve the banner and FAQ proofs within 24 hours to enable the Contractor to post the banner on its web portal page(s).

 

6.2.4.4 The Government reserves the right to edit and revise the content of the banner and FAQs at any time, and as many times as required during the Option to Extend services period.

 

Performance Standards:

 

Banner and FAQs will be posted onto select web page(s) within the timeframes specified by the Government.

 


 

6.2.5 Increased Call Center Support Services During Transition-Out Period

 

6.2.5.1 The Contractor shall support all call center inquiries and requests related to Transition-Out Activities.

 

6.2.5.2 All callers, including those not eligible for services in this BPA Call, shall be accommodated with the ability to speak with a live call center agent to discuss Transition-Out Activities.

 

Performance Standards:

 

The Contractor shall draft updated IVRs, scripts, and FAQs that support enrollment and verification support inquiries and requests related to Transition-Out Activities. The Contractor shall update existing IVRs, scripts and FAQs derived from FAQs provided by the Government. When the Government updates its Transition FAQs, it will be shared with the Contractor for the Contractor to update its scripts. The Contractor shall work in conjunction with the Government to further update / revise scripts as needed to reflect new / updated questions and answers, processes, or information. Call center agents shall use scripts that the Government has reviewed and approved.

 

Deliverables:

 

Call center IVRs, scripts and FAQs updated no later than 7 calendar days after the Government provides Transition FAQs. Following the Government’s review, the Contractor will update scripts to reflect the Government’s revisions. Call center scripts shall be used once the call center is operational.

 

6.3 Transition-Out Activities After Transition-Out Period

 

6.3.1 Website Services After Transition-Out Period

 

6.3.1.1 The Contractor shall maintain “static” web page(s) for up to 45 days after the end of web portal services. The content shall be provided by the Government.

 

6.3.1.1.1 The Contractor shall provide the Government with the content for the static web page(s), for approval no later than 48 hours after receiving the content provided by the Government. The Government shall approve the content proof within 24 hours to enable the Contractor to create the static web page(s). The static content page may contain up to three (3) click-through re-direct links at the Government’s request, but the page does not need to automatically redirect to another site. The Contractor shall refrain from posting content not expressly approved by the Government.

 

6.3.1.1.2 The Contractor shall provide the Government with proof(s) / mock-up(s) for content changes to select web page(s) that reference the services under the order. The Contractor shall provide the requested content changes for approval no later than 48 hours after receiving content provided by the Government. The Government shall approve the content proof(s) / mock-up(s) within 24 hours to enable the Contractor to implement web content changes. The Contractor shall refrain from posting content not expressly approved by the Government.

 

Performance Standards:

 

Website shall remain 508 compliant.

Website shall remain accessible on major browsers for all versions that are currently supported.

 


 

Website shall remain available 99.99% of the time, exclusive to reasonable maintenance periods to be determined in conjunction with the Government.

Banner will be posted onto select web page(s) within the timeframes specified by the Government.

 

6.3.2 Resolution of All Identity Theft Insurance Claims and Restoration Service Cases Reporting After Transition-Out Period

 

6.3.2.1 The Contractor shall provide the Government a monthly status report on the resolution of all cases opened prior to 11:59:59 PM Eastern Time on the last day of the Transition-Out Period.

 

Deliverables:

 

Monthly Progress Reports until the closure of all insurance claims and cases.

Monthly Progress Report shall include:

Identity Theft Insurance Claims

  Current Month Only:
    Number of Claims Paid and Total Value of Claims Paid
    Number of Claims Denied and Total Value of Claims Paid
    Number of Claims Pending/Open and Total Value of Claims Pending/Open

  Cumulative:
    Total Number of Claims Paid and Total Value of Claims Paid
    Total Number of Claims Denied and Total Value of Claims Paid
    Total Number of Claims Pending/Open and Total Value of Claims Pending/Open

Identity Theft Restoration Cases

  Current Month Only:
    Number of Open/Pending Cases
    Number of Closed Cases
    Open Restorations, Net

  Cumulative:
    Total number of Open/Pending Cases
    Total number of Closed Cases
    Open Restorations, Net

 

7.0 PERSONNEL REQUIREMENTS

The Contractor shall provide a proper skills mix and experience to perform the BPA Call objectives.

 


 

7.1 Key Personnel

Per OPM Specific Clause 1752.209-71: Contractor’s Key Personnel (July 2005), the key personnel specified in this BPA Call are considered to be essential to work performance. At least five (5) days prior to diverting any of the specified individuals to other programs or BPA Calls (or as soon as possible, if an individual must be replaced, for example, as a result of leaving employment with the Contractor), the Contractor shall notify the Contracting Officer and shall submit comprehensive justification for the diversion or replacement request (including proposed substitutions for key personnel and transition plan) to permit evaluation by the Government of the impact on performance under this BPA Call. The Contractor shall not divert or otherwise replace any key personnel without the written consent of the Contracting Officer and the Government’s designated program office. Identification of key personnel is subject to approval of the Government. The Government may modify the BPA Call to add or delete key personnel at the request of the Contractor or Government.

 

Prior to utilizing employees other than specified personnel, the Contractor shall notify the Government Contracting Officer and the COR. This notification must be no later than five (5) calendar days in advance of any proposed substitution and must include justification in sufficient detail to permit evaluation of the impact on BPA Call performance.

 

7.1.1 Project Manager: The Contractor shall provide a Project Manager who shall be responsible for all work performed by the Contractor under this effort. The Project Manager shall be a single point of contact for the Contracting Officer and the Contracting Officer’s Representative (COR). The name of the Project Manager and the name of any alternate who shall act for the Contractor in the absence of the Project Manager shall be provided to the Government as part of the Contractor’s quotation. The Project Manager is further designated as Key Personnel by the Government. During the Project Manager’s absence, only one alternate shall have full authority to act for the Contractor on all matters relating to work performed under this BPA Call. Additionally, the Contractor shall not replace the Project Manager without prior acknowledgment from the Contracting Officer.

 

7.2 Continuity of Support

The Contractor shall ensure that the contractually required level of support for this requirement is maintained at all required times. It is incumbent upon the Contractor to maintain all performance standards set forth under the awarded BPA Call. If, for any reason, the Contractor’s staffing levels are not maintained due to vacations, appointments, or other reasons, and replacement personnel will not be provided, the Contractor shall provide emailed notification to the Contracting Officer’s Representative prior to the employee’s absence. Otherwise, the Contractor shall provide a fully qualified replacement.

 

8.0 SECURITY REQUIREMENTS

 

8.1 The Contractor shall meet all Government Security Requirements at the time of submission.

 

8.1.1 The Contractor shall protect, secure, and encrypt protected information in accordance with:

 

a) NIST-SP-800-171;

b) NIST SP-800-53-REV4 Appendix J; and

c) In addition to the requirement in NIST SP 800-171, 3.5.3, to use multi-factor authentication for access to a protected contractor information system, the Contractor shall meet all requirements specified in NIST 800-63-2 to achieve Level of Assurance 3 of the protected contractor information system for protected contractor information system impacted individuals (and their dependent minor children, if this option is exercised). Use of single-factor authentication is only permitted in individual cases for impacted individuals and their dependent minor children who are not capable of supporting multi-factor authentication (i.e., does not have email, phone, or text message access).

 


 

8.1.2 The Contractor shall perform in accordance with the System Security Plan submitted within its submission under the General Services Administration’s Identity Protection Services (IPS) Multi Award Blanket Purchase Agreement (BPA). The Contractor shall update its System Security Plan, as required, with any needed security or technical corrections, or upon a security relevant change and provide the updated plan to the Government for review. The System Security Plan and any revisions shall meet the requirements of:

 

a) NIST-SP-800-171;

b) NIST-SP-800-53 REV4 (PL 2, PL 7, PL 8); and

c) NIST-SP-800-18.

 

8.1.3 The Contractor shall provide information security continuous monitoring data of its systems to the Government in accordance with NIST-SP-800-137, on a weekly basis through providing the Government with Continuous Monitoring Data.

 

8.1.4 The Contractor shall support onsite security inspections by the Government at any location where protected information is collected, stored or used. The Contractor shall provide the Government personnel network drops, conference room for briefings, most recent and historical network data (e.g., configuration, vulnerability scans) and appropriate network monitoring tools used by the Contractor. Appropriate Contractor personnel supporting the inspection shall be available at the Contractor’s worksite.

 

8.1.5 When the Contractor discovers any and all suspected or actual cyber incident that affects a protected contractor information system or the protected information residing therein, or that affects the Contractor’s ability to perform the requirements of the BPA Call, the Contractor shall:

 

a) Conduct a review for evidence of compromise of protected information, including, but not limited to, identifying compromised computers, servers, specific data, and user accounts. This review shall also include analyzing protected contractor information system(s) that were part of the cyber incident, as well as other information systems on the Contractor’s network(s), that may have been accessed as a result of the incident in order to identify compromised protected information, or that affect the Contractor’s ability to perform the requirements of the BPA Call.

b) Per OPM Specific Clause 1752.224-77: Information Security Incidents (ISI) (Dec 2015), the Contractor shall report, within 30 minutes of discovery, any and all suspected or actual cyber incidents to the OPM Security Monitoring Center (SMC) at CyberSolutions@opm.gov, 844-377-6109. The OPM SMC is available 24 hours per day, 365 days per year. OPM SMC personnel will initiate a Remedy Ticket, notify appropriate parties, and submit a US-CERT report with the Department of Homeland Security.

 


 

c) In addition to reporting to the OPM SMC, in consultation with OPM SMC personnel, the Contractor shall complete a cyber incident report to the Department of Defense (DoD) within one hour at http://dibnet.dod.mil. The cyber incident report shall include, at a minimum, the required elements located at http://dibnet.dod.mil.

d) Contractor shall also plan to set out their procedures regarding the discovery of a suspected or actual cyber incident in the Escalation Notification Plan (see Section 5.2).

e) Obtain a medium assurance certificate requirement. In order to report cyber incidents, the Contractor or Subcontractor shall have or acquire a DoD-approved medium assurance certificate to report cyber incidents. For information on obtaining a DoD-approved medium assurance certificate, see http://iase.disa.mil/pki/eca/Pages/certificate.aspx.

 

8.2 The Government reserves the right to inspect and validate Contractor’s facilities, protocols, and processes for compliance. If the Government determines that the Contractor does not meet security requirements, the Contractor shall provide a plan within three calendar days for the Government’s approval to achieve compliance.

 

9.0 PRIVACY REQUIREMENTS

 

9.1 The Contractor shall meet all Government Privacy Requirements at the time of submission.

 

9.1.1 The Contractor shall protect, secure, and encrypt protected information in accordance with:

 

a) NIST-SP-800-171;

b) NIST SP-800-53-REV4 Appendix J;

c) NIST SP-800-88 (Guidelines for Media Sanitization);

d) Federal OMB Privacy Policies and Guidance, see www.whitehouse.gov/omb/privacy_general

 

9.1.2 The Contractor shall only use protected information for the purpose for which it was provided. Protected information shall not:

 

a) Be shared with any other entity except for Subcontractors under the agreement, unless expressly authorized by the impacted individual;

b) Be sold or transferred unless approved in writing by the Contracting Officer;

c) Be used for marketing of any kind;

d) Be used in any speaking engagements, presentations, or materials unless approved in writing by the Contracting Officer; and

e) Be used to communicate and / or convey information about the services being offered and / or the performance measures that the Contractor must uphold unless approved in writing by the Contracting Officer

 

9.1.3 The Contractor shall limit access to protected information to only those employees requiring access to the information to perform the services within the BPA Call. Furthermore, the Contractor shall only provide protected information to those who completed training (e.g., privacy awareness training), received authorization by the Contractor, and / or were expressly authorized by the impacted individual. The Contractor shall also only provide protected information to Government employees with a documented, mission-related need-to-know purpose, or who were approved by the Contracting Officer.

 


 

9.1.4 The Contractor shall notify the Government in the event of any suspected or confirmed compromise of protected information within 1 hour of discovery of the incident.

 

9.1.5 Upon completion of the BPA Call, the Contractor shall conduct sanitization and destruction of all protected information, except for information needed for pending and on-going restoration claims or subject to a preservation obligation related to anticipated or ongoing litigation. Any sanitization or destruction of information shall be done in accordance with NIST-SP-800-171 and NIST 800-88. Within 30 calendar days after the end of the performance period, the Contractor shall provide notification to the Contracting Officer prior to undergoing any destruction of information. The notification shall include a description of the information that will be destroyed, as well as a description of the information required for the completion of pending and on-going restoration claims. The Contractor shall not destroy any information without written approval from the Contracting Officer. The Contractor shall certify to the destruction of all protected information no more than 30 days after receiving written approval from the Contracting Officer, with the exception of information needed for pending and on-going restoration claims or that should be preserved in relationship to litigation requirements.

 

9.2 The Government reserves the right to inspect and validate Contractor’s facilities, protocols, and processes for compliance. If the Government determines that the Contractor does not meet privacy requirements, Contractor shall provide a plan within 3 calendar days for the Government’s approval to achieve compliance.

 

9.3 The Contractor shall apply requirements of the OMB Circular No. A-130 (and any guidance that references or is a successor to OMB Circular No. A-130 guidance), and the Freedom of Information Act (5 U.S.C. 552, as amended).

 

9.3.1 Contractor shall protect, secure, and report on the status of information in accordance with:

a) Federal Acquisition Regulation, Subpart 24.1—Protection of Individual Privacy

b) Federal Acquisition Regulation, Subpart 24.2—Freedom of Information Act

 

10.0 SPECIAL REQUIREMENTS

This section describes special requirements for this effort. The following sub-sections provide details of various considerations for this effort.

 


 

10.1 Government Furnished Materials and Information

The Government will make available the following information for use by the Contractor in the performance of this BPA Call.

  

Initial and subsequent data sets of impacted individuals (See Section 5.3).

FAQs (initial and updated) for both the call center and website.

 

10.2 Section 508 Compliance

Section 508 of the Rehabilitation Act of 1973 (29 U.S.C. 794d), as well as any successor amendments, requires Federal agencies acquiring Electronic and Information Technology (EIT) to ensure that Federal employees and members of the public with disabilities have access to and use of information and data that is comparable to the access and use by Federal employees and members of the public who are not individuals with disabilities.

 

All EIT used, or procured as ancillary products or services, under this BPA Call must meet the following 36 CFR 1194 accessibility standards.

 

1194.21 - Software Applications and Operating Systems

1194.22 - Web Based Intranet and Internet Information and Application

1194.23 - Telecommunications Products

1194.24 - Video and Multimedia Products
1194.25 - Self-contained, Closed Products
1194.26 - Desktop and Portable Computers
1194.31 - Functional Performance Criteria

1194.32 – Information, Documentation, and Support

 

The full text of the accessibility standards is available at: http://www.access-board.gov/. The standards do not require the installation of specific accessibility-related software or the attachment of an assistive technology device(s), but merely require that the EIT be compatible with such software and device(s) so that it can be made accessible if so required in the future.

 

10.3 Data Safeguards and Disposal

Safely store and protect from unauthorized disclosure and destruction, either direct or as a result of negligence, data collected for the impacted individuals during the designated time frame. After the resolution of the last enrollee’s claim, purge all PII provided by the ordering agency to the Contractor, including any backed-up data and any other PII or PHI held by the Contractor pursuant to this agreement and in compliance with the appropriate disposition. Certify in writing the date the information was deleted and method used for deletion. All PII or PHI will be maintained, handled, disclosed, and disposed of in accordance with the Public Law 107-347 titled E-Government Act of 2002 and the Federal Records Act.

 

Contractors shall guarantee strict confidentiality of the information / data that is provided by the Government during the performance of this BPA Call and all orders or modifications under the BPA Call. Failure to comply with this requirement may result in legal and / or criminal infraction(s).

 

The Government has determined that the information / data that the Contractor will be receiving during the performance of this effort is of a sensitive nature and the Contractor is explicitly required to notify the agency of any subpoena, court order or other third party request for the Government’s records (i.e., any individual e-mail addresses or other nonpublic information that may have been given to or generated by the Contractor in performing work under the BPA Call). In addition, the Contractor may be under an independent legal obligation to preserve documents and information that may be potentially relevant to anticipated or ongoing litigation including, but not limited to, email and other electronically stored information.

 


 

The Contractor, in whole or in part, can only disclose or disseminate the information / data, after the Contractor receives prior written approval from the Contracting Officer. Whenever the Contractor is uncertain with regard to the proper handling of information / data under this effort, the Contractor shall obtain a written determination from the Contracting Officer.

 

Contractor personnel assigned to the performance work are required to certify that all employees hired for the resultant task have employment background checks in compliance with the Fair Credit Reporting Act (FCRA) 15 U.S.C. § 1681 dated September 2012, as well as any successor acts.

 

At any time during performance of this BPA Call, or orders awarded thereafter, the Contractor shall be responsible for the immediate removal of any personnel who are deemed a security risk from performance under the BPA Call. The Contractor shall be responsible for the replacement of acceptable personnel. The Contractor must immediately notify the Contracting Officer when personnel who are deemed a security risk are identified.

 

The Contractor agrees to assume responsibility for protecting the confidentiality of Government records, which are not public information. Each contractor, employee of the Contractor, or Contractor’s Subcontractor or partner to whom information may be made available or disclosed shall be notified in writing by the Contractor that such information may be disclosed or disseminated only for a purpose and to the extent authorized herein.

 

Any request for inter-agency sharing of information about individuals shall comply with OMB M-01-05, http://www.whitehouse.gov/omb/memoranda_m01-05/ as well as any subsequent or successor OMB guidance.

 

The Contractor shall keep protected information confidential and use appropriate safeguards to maintain its security in accordance with minimum Federal standards. The Contractor must also explain and certify that its Subcontractor(s) or partners will adhere to the same minimum Federal standards when working with sensitive data. Additionally, the Contractor shall not use the protected information for any purpose other than contacting the impacted individual. Any type of marketing, up-selling, after marketing, or soliciting of any individuals is prohibited.

 

Services provided shall be performed in accordance with applicable Federal laws and policies including the Identity Theft and Assumption Deterrence Act, as amended by Public Law 105-318, 112 Statute 3007 (Oct. 30, 1998), and implemented by 18 U.S.C. § 1028.

 

Contractors are required to adhere to all applicable OMB guidance, including any policies issued during the term of this BPA Call. This includes any updates to OMB M-07-16 and OMB M-06-19.

 


 

10.4 Threats

Any and all threats to the Government, including those that affect any Government building(s) and / or employee(s), should be directed immediately to the Government.

 

10.5 Disclosure of Contract and / or Programmatic Information, Data, or Statistics

The Contractor shall not release any information, data or statistics obtained under the auspices of the BPA Call, regardless of medium (e.g., film, tape, document, speaking engagement, marketing materials, press release, website, presentation) to anyone outside the Contractor’s organization unless given the express approval by the Contracting Officer, or if the information is otherwise in the public domain before the date of release. Anything that may be publicly disclosed by the Contractor related to this engagement shall be approved by the Contracting Officer before release.

 

In addition, the Contractor shall provide the Government 5 calendar days’ advance notice prior to any scheduled meeting with a Member of Congress or their staff, or any other Government stakeholders. Any disclosure of information or discussion related to the BPA Call shall require the Contractor to provide the Contracting Officer a written memorandum of the discussions within 2 calendar days of said meeting.

 

When approached for media requests, the Contractor shall coordinate responses with the Government.

 

10.6 Travel

Limited travel to Government facilities and / or other Contractor facilities may be required to accomplish the requirements. All travel costs must be included in the pricing of this BPA Call.

 

11.0 CONTRACTOR REPORTING

The Contractor shall provide the Government the following types of status reporting. Transition-In Reporting and Monthly Status Reporting can be combined and / or broken out by mutual agreement of the Government and the Contractor. The Contractor shall include a statement in all reports that certifies all documentation furnished is in accordance with applicable BPA Call requirements. Furthermore, the Contractor shall certify that all documentation is accurate, complete and true to the best of the Contractor’s knowledge.

 

1. Transition-In Reporting

Report to include the following sections; where possible, the Government prefers a graphical / visual representation of measures

 

Executive Summary

a. Number of total pre-enrollments (after pre-enrollment period established)

b. Select website measures (to be decided by the Contractor and the Government and may include all measures listed under the website reporting section below)

 


 

c. Select call center measures (to be decided by the Contractor and the Government and may include all measures listed under the call center reporting section below)

d. Explanation of any measures listed on the Executive Summary page

e. Remediation information to support any measures listed on the Executive Summary page

Contractor Website Reporting (after website operations established)

a. Operational Status of the website established for impacted individuals under this BPA Call summarized in percentage (reporting period and cumulative)

b. Number of times accessed (reporting period and cumulative)

c. Description of any events related to inoperability of website including remedy and plans to prevent future occurrence (reporting period only)

d. Customer feedback provided through website (reporting period only)

Contractor Call Center Reporting (after Call Center operations established)

a. Operational Status of the call center established for impacted individuals under this BPA Call expressed as a percentage (reporting period and cumulative)

b. Number of calls received per day (reporting period and cumulative)

c. Number of calls dropped per day (reporting period and cumulative)

d. Number of pre-enrollments by call center (reporting period and cumulative)

e. Number of transferred calls from one agent to a second agent (reporting period and cumulative)

f. Average and maximum wait time expressed in h:mm:ss format (reporting period and cumulative)

g. Average call length expressed in h:mm:ss format (reporting period and cumulative)

h. Breakdown by call type, if data is available (reporting period and cumulative)

i. Summary of performance against standards established for call center including remedy and plans to prevent future occurrence if standard is not met (reporting period only)

j. Customer feedback provided through call center (reporting period only)

k. Number of Verification inquiries submitted on the OPM website (reporting period and cumulative)

 

Performance Standard:

 

Contractor shall provide Transition-in Progress Reports on a weekly basis every Wednesday no later than 10:00 AM EST for the length of the transition-in period.

Contractor generated format, subject to approval and feedback of the Government.

Format shall be standard XML, XLS, CSV, or a format agreed upon by the Contractor and the Government.

 

Deliverable:

 

Transition-In Progress Report, on a weekly basis; see measures above.

 


 

2. Monthly Status Reporting

Report to include the following sections; where possible, the Government prefers a graphical / visual representation of measures

 

Executive Summary

a. Number of total enrollments

b. Number enrolled in credit monitoring

c. Number enrolled in identity monitoring

d. Enrollment rate (expressed as a percentage)

e. Number of Restoration Cases that are Open

f. Number of Restoration Cases that are Closed

g. Insurance claim amount paid to date (expressed as $)

h. Select website measures (to be decided by the Contractor and the Government and may include all measures listed under the website reporting section below)

i. Select call center measures (to be decided by the Contractor and the Government and may include all measures listed under the call center reporting section below)

j. Explanation of any measures listed on the Executive Summary page

k. Remediation information to support any measures listed on the Executive Summary page

Contractor Website Reporting

e. Operational Status of the website established for impacted individuals under this BPA Call summarized in percentage (reporting period and cumulative)

f. Number of times accessed (reporting period and cumulative)

g. Number of enrollments by website, and their dependent minor children, if this option is exercised (reporting period and cumulative)

h. Number of enrollments for credit monitoring services (reporting period and cumulative)

i. Number of enrollments for identity monitoring services (reporting period and cumulative)

j. Description of any events related to inoperability of website including remedy and plans to prevent future occurrence (reporting period only)

k. Customer feedback provided through website (reporting period only)

Contractor Call Center Reporting

l. Operational Status of the call center established for impacted individuals under this BPA Call expressed as a percentage (reporting period and cumulative)

m. Number of calls received per day (reporting period and cumulative)

n. Number of calls dropped per day (reporting period and cumulative)

o. Number of enrollments by call center (reporting period and cumulative)

p. Number of transferred calls from one agent to a second agent (reporting period and cumulative)

 


 

q. Average and maximum wait time expressed in h:mm:ss format (reporting period and cumulative)

r. Average call length expressed in h:mm:ss format (reporting period and cumulative)

s. Breakdown by call type, if data is available (reporting period and cumulative)

t. Summary of performance against standards established for call center including remedy and plans to prevent future occurrence if standard is not met (reporting period only)

u. Customer feedback provided through call center (reporting period only)

v. Number of Verification inquiries submitted on the OPM website (reporting period and cumulative)

Services Provided Summary (report period and cumulative):

Number of individuals (impacted and minor) who enrolled in services

i. Credit Monitoring

1. Number of impacted individuals enrolled (reporting period and cumulative)

ii. Identity Monitoring

1. Number of individuals (impacted and minor) enrolled

a. Number of activity alerts provided by alert (reporting period and cumulative)

iii. Identity Theft Insurance

1. Number of claims requesting identity theft insurance services submitted (reporting period and cumulative)

2. Status of claims submitted (reporting period and cumulative)

a. Number of open claims

b. Number of closed claims

c. Total value of insurance claims submitted by individuals

d. Total value of insurance expenses paid to individuals (both open / closed claims)

i. Total amount of insurance payments to individuals with closed claims

ii. Types of claims submitted (e.g., lost wages, travel expenses)

iv. Identity Restoration Services

1. Number of individuals (impacted and minor) requesting identity restoration services (reporting period and cumulative)

2. Status of claims submitted (reporting period and cumulative)

a. Number of open identity restoration cases

b. Number of closed identity restoration cases

c. Type and quantity of services rendered to restore identity

v. Offline Alternative Services

1. Number of impacted individuals enrolled

 


 

2. Number of individuals to whom credit reports have been mailed

3. Number of activity alerts provided by alert mailed (both credit monitoring and identity monitoring)

 

Performance Standard:

 

Contractor shall provide Status Report(s) starting in July 2019 on a monthly basis.
Contractor generated format, subject to approval and feedback of the Government
Format shall be standard XML, XLS, CSV, or a format agreed upon by the Contractor and the Government.

 

Deliverable:

 

Status Report(s); see measures above.

 

12.0 DELIVERABLE AND MILESTONE SCHEDULE

# | PWS Section | TYPE OF DELIVERABLE | FREQUENCY | DUE DATES
1 | 5.2 Project Management | Draft Project Management Plan (includes Work Plan, Quality Control Plan, Risk Management / Mitigation Plan, Resource Management Plan, Escalation Notification Plan, and Test and Evaluation Plan) | One Time | No later than Monday January 14, 2019
2 | 5.2 Project Management Plan | Finalized Project Management Plan (includes Work Plan, Quality Control Plan, Risk Management / Mitigation Plan, Resource Management Plan, Government Escalation Notification Plan, and Test and Evaluation Plan) | One Time, updated as needed | No later than 5 business days after receipt of Government feedback to Draft Project Management Plan
3 | 5.1 Transition-In | Transition-In Plan | One Time, updated as needed | No later than Thursday January 31, 2019
4 | 5.1 Transition-In | Transition-In Progress Reports | Weekly | Every Wednesday during Transition-In period
5 | 5.1 Transition-In / 5.5 Call Center Services | Call Center Scripts and FAQs | One Time, updated as needed | No later than Tuesday February 19, 2019
6 | 5.1 Transition-In / 5.5 Call Center Services | Call Center IVR Script | One Time, updated as needed | No later than Tuesday February 19, 2019
7 | 5.6 Call Center Services | Special Request Tracker | Weekly | Template no later than Tuesday February 19, 2019. Regular delivery at a time during working hours mutually agreed upon by Contractor and Contracting Officer
8 | 5.10 Offline Mailed Alternative | Mailed Alert Templates | One Time, updated as needed | No later than April 1, 2019
9 | 5.10 Offline Mailed Alternative | Mailed Alternative Enrollment Form (if required by Contractor) | One Time, updated as needed | No later than April 1, 2019
10 | 6.0 Transition-Out | Transition-Out Plan | One Time, updated as needed | Mutually Agreed upon by Contractor and Contracting Officer after BPA Call award
11 | 6.0 Transition-Out | Transition-Out Progress Reports | Weekly | Every Wednesday during Transition-Out period
12 | 7.0 Security Requirements / 8.0 Privacy Requirements | System Security Plan | One Time, updated as needed | Submitted with response
13 | 10. Contractor Reporting | Contractor Status Report(s) | Monthly | Monthly reports will be provided at a date and time mutually agreed upon by the Contractor and Contracting Officer

 

All Deliverables must meet professional standards and all requirements set forth in the BPA Call. The Contractor shall treat all deliverables as the property of the U.S. Government of which the Government and its designated officials have unlimited use. The Contractor shall not retain, use, sell, or disseminate copies of any deliverable without the permission of the Contracting Officer.

 

All deliverables will be inspected for content, completeness, accuracy, and conformance to requirements and objectives, goals, and outcomes specified in this document. Unless specifically noted and mutually agreed upon, the Government may take up to ten calendar days after receipt of the deliverable to inspect and review the deliverable, provide comments and feedback, and accept or reject the deliverable. If necessary, the Contractor may take up to five calendar days to address the comments or feedback provided by the Government, unless specifically noted and mutually agreed upon.

 

Unless specifically noted and mutually agreed upon, all BPA Call deliverables shall be submitted via email to the Contracting Officer’s Representative and Contracting Officer.

 


 

The Contracting Officer’s approval is required prior to engaging in any contractual relationship in support of any order requiring the disclosure of information, documentary material and / or records generated under, or relating to, work performed under this BPA Call. The Contractor (and its Sub-contractor, partners, etc.) is required to abide by Government and agency guidance for protecting sensitive and protected information.

 


 

Attachment 2 – FAR Clauses

 

The terms, conditions, and clauses of the Awardee’s IPS BPA and GSA Schedule Contract shall apply to the BPA Call as applicable to this procurement. Additional provisions and clauses are hereby incorporated into this Solicitation / Order:

 

52.252-2 Clauses Incorporated by Reference.

Clauses Incorporated By Reference (Feb 1998)

This contract incorporates one or more clauses by reference, with the same force and effect as if they were given in full text. Upon request, the Contracting Officer will make their full text available. Also, the full text of a clause may be accessed electronically at this/these address(es): https://www.acquisition.gov

 

52.204-21 Basic Safeguarding of Covered Contractor Information Systems (Jun 2016)

52.209-11: Representation by Corporations Regarding Delinquent Tax Liability or a Felony Conviction under any Federal Law (Feb 2016)

52.219-14 Limitations on Subcontracting (Jan 2017)

52.212-1 Instructions to Offerors – Commercial Items (Jan 2017)

 

52.209-7 Information Regarding Responsibility Matters. (Jul 2013)

As prescribed at 9.104-7(b), insert the following provision:

(a) Definitions. As used in this provision—

“Administrative proceeding” means a non-judicial process that is adjudicatory in nature in order to make a determination of fault or liability (e.g., Securities and Exchange Commission Administrative Proceedings, Civilian Board of Contract Appeals Proceedings, and Armed Services Board of Contract Appeals Proceedings). This includes administrative proceedings at the Federal and State level but only in connection with performance of a Federal contract or grant. It does not include agency actions such as contract audits, site visits, corrective plans, or inspection of deliverables.

“Federal contracts and grants with total value greater than $10,000,000” means—

(1) The total value of all current, active contracts and grants, including all priced options; and

(2) The total value of all current, active orders including all priced options under indefinite-delivery, indefinite-quantity, 8(a), or requirements contracts (including task and delivery and multiple-award Schedules).

“Principal” means an officer, director, owner, partner, or a person having primary management or supervisory responsibilities within a business entity (e.g., general manager; plant manager; head of a division or business segment; and similar positions).

(b) The offeror [ ] has [ ] does not have current active Federal contracts and grants with total value greater than $10,000,000.

   


 

(c) If the offeror checked “has” in paragraph (b) of this provision, the offeror represents, by submission of this offer, that the information it has entered in the Federal Awardee Performance and Integrity Information System (FAPIIS) is current, accurate, and complete as of the date of submission of this offer with regard to the following information:

(1) Whether the offeror, and/or any of its principals, has or has not, within the last five years, in connection with the award to or performance by the offeror of a Federal contract or grant, been the subject of a proceeding, at the Federal or State level that resulted in any of the following dispositions:

(i) In a criminal proceeding, a conviction.

(ii) In a civil proceeding, a finding of fault and liability that results in the payment of a monetary fine, penalty, reimbursement, restitution, or damages of $5,000 or more.

(iii) In an administrative proceeding, a finding of fault and liability that results in—

(A) The payment of a monetary fine or penalty of $5,000 or more; or

(B) The payment of a reimbursement, restitution, or damages in excess of $100,000.

(iv) In a criminal, civil, or administrative proceeding, a disposition of the matter by consent or compromise with an acknowledgment of fault by the Contractor if the proceeding could have led to any of the outcomes specified in paragraphs (c)(1)(i), (c)(1)(ii), or (c)(1)(iii) of this provision.

(2) If the offeror has been involved in the last five years in any of the occurrences listed in (c)(1) of this provision, whether the offeror has provided the requested information with regard to each occurrence.

(d) The offeror shall post the information in paragraphs (c)(1)(i) through (c)(1)(iv) of this provision in FAPIIS as required through maintaining an active registration in the System for Award Management database via https://www.acquisition.gov (see 52.204-7).

 

52.217-5 Evaluation of Options. (Jul 1990)

 

Except when it is determined in accordance with FAR 17.206(b) not to be in the Government’s best interests, the Government will evaluate offers for award purposes by adding the total price for all options to the total price for the basic requirement. Evaluation of options will not obligate the Government to exercise the option(s).

 

52.217-8 Option to Extend Services (Nov 1999)

 

The Government may require continued performance of any services within the limits and at the rates specified in the contract. These rates may be adjusted only as a result of revisions to prevailing labor rates provided by the Secretary of Labor. The option provision may be exercised more than once, but the total extension of performance hereunder shall not exceed 6 months. The Contracting Officer may exercise the option by written notice to the Contractor within 30 days.

 


 

52.217-9 Option to Extend the Term of the Contract. (Mar 2000)

  

As prescribed in 17.208(g), insert a clause substantially the same as the following:

 

(a) The Government may extend the term of this contract by written notice to the Contractor within 30 days; provided that the Government gives the Contractor a preliminary written notice of its intent to extend at least 60 days before the contract expires. The preliminary notice does not commit the Government to an extension.

 

(b) If the Government exercises this option, the extended contract shall be considered to include this option clause.

 

(c) The total duration of this contract, including the exercise of any options under this clause, shall not exceed 6 months.

 

52.237-3 Continuity of Services (JAN 1991)

 

(a) The Contractor recognizes that the services under this contract are vital to the Government and must be continued without interruption and that, upon contract expiration, a successor, either the Government or another contractor, may continue them. The Contractor agrees to—

(1) Furnish phase-in training; and

(2) Exercise its best efforts and cooperation to effect an orderly and efficient transition to a successor.

(b) The Contractor shall, upon the Contracting Officer’s written notice, (1) furnish phase-in, phase-out services for up to 90 days after this contract expires and (2) negotiate in good faith a plan with a successor to determine the nature and extent of phase-in, phase-out services required. The plan shall specify a training program and a date for transferring responsibilities for each division of work described in the plan, and shall be subject to the Contracting Officer’s approval. The Contractor shall provide sufficient experienced personnel during the phase-in, phase-out period to ensure that the services called for by this contract are maintained at the required level of proficiency.

(c) The Contractor shall allow as many personnel as practicable to remain on the job to help the successor maintain the continuity and consistency of the services required by this contract. The Contractor also shall disclose necessary personnel records and allow the successor to conduct on-site interviews with these employees. If selected employees are agreeable to the change, the Contractor shall release them at a mutually agreeable date and negotiate transfer of their earned fringe benefits to the successor.

(d) The Contractor shall be reimbursed for all reasonable phase-in, phase-out costs (i.e., costs incurred within the agreed period after contract expiration that result from phase-in, phase-out operations) and a fee (profit) not to exceed a pro rata portion of the fee (profit) under this contract.

 


 

Attachment 3 – OPM Clauses

 

1752.205-70            Announcement of Contract Award (July 2006)

 

OPM complies with FAR 5.3, Synopses of Contract Awards, in terms of synopsizing and publicly announcing contract awards. These actions take place at the time of, and not before, the contract is awarded. Contract award, in this case, means signature of the contractual document by the Contracting Officer and forwarding of the contractual document to the contract awardee. If the contract awardee wishes to make a separate public announcement, the awardee must obtain the approval of the Contracting Officer prior to releasing the announcement, and must plan to make announcement only after the contract has been awarded.

 

1752.209-74            Organizational Conflicts of Interest (July 2005)

 

(a)       The Contractor warrants that, to the best of the Contractor’s knowledge and belief, there are no relevant facts or circumstances which could give rise to an organizational conflict of interest (OCI), as defined in FAR 9.5, Organizational and Consultants Conflicts of Interest, or that the Contractor has disclosed all such relevant information.

 

(b)       The Contractor agrees that if an actual or potential OCI is discovered after award, the Contractor shall make a full disclosure in writing to the Contracting Officer. This disclosure must include a description of actions, which the Contractor has taken or proposes to take, after consultation with the Contracting Officer, to avoid, mitigate, or neutralize the actual or potential conflict.

 

(c)       The Contracting Officer may terminate this contract for convenience, in whole or in part, if it deems such termination necessary to avoid an OCI. If the Contractor was aware of a potential OCI prior to award or discovered an actual or potential conflict after award and did not disclose or misrepresented relevant information to the Contracting Office, the Government may terminate the contract for default, debar the Contractor from Government contracting, or pursue such other remedies as may be permitted by law or this contract.

 

(d)       The Contractor must include this clause in all subcontracts and in lower tier subcontracts unless a waiver is requested from, and granted by, the Contracting Officer.

 

(e)       In the event that a requirement changes in such a way as to create a potential conflict of interest for the Contractor, the Contractor must:

(1)      Notify the Contracting Officer of a potential conflict, and;

(2)      Recommend to the Government an alternate approach which would avoid the potential conflict, or

(3)      Present for approval a conflict of interest mitigation plan that will:

(i)         Describe in detail the changed requirement that creates the potential conflict of interest; and

  


 

(ii)        Outline in detail the actions to be taken by the Contractor or the Government in the performance of the task to mitigate the conflict, division of subcontractor effort, and limited access to information, or other acceptable means.

(4)      The Contractor must not commence work on a changed requirement related to a potential conflict of interest until specifically notified by the Contracting Officer to proceed.

(5)      If the Contracting Officer determines that it is in the best interest of the Government to proceed with work, notwithstanding a conflict of interest, a request for waiver must be submitted in accordance with FAR 9.503.

 

1752.209-75           Reducing Text Messaging While Driving (Oct 2009)

 

(a)      In accordance with Section 4 of the Executive Order, “Federal Leadership on Reducing Text Messaging While Driving,” dated October 1, 2009, you are hereby encouraged to:

 

(1)       Adopt and enforce policies that ban text messaging while driving company-owned or -rented vehicles or Government-owned, -leased or -rented vehicles, or while driving privately-owned vehicles when on official Government business or when performing any work for or on behalf of the Government; and

 

(2)       Consider new company rules and programs, and reevaluating existing programs to prohibit text messaging while driving, and conducting education, awareness, and other outreach for company employees about the safety risks associated with texting while driving. These initiatives should encourage voluntary compliance with the company’s text messaging policy while off duty.

 

(b)     For purposes of complying with the Executive Order:

 

(1)      “Texting” or “Text Messaging” means reading from or entering data into any handheld or other electronic device, including for the purpose of SMS texting, e-mailing, instant messaging, obtaining navigational information, or engaging in any other form of electronic data retrieval or electronic data communication.

 

(2)      “Driving” means operating a motor vehicle on an active roadway with the motor running, including while temporarily stationary because of traffic, a traffic light or stop sign, or otherwise. It does not include operating a motor vehicle with or without the motor running when one has pulled over to the side of, or off, an active roadway and has halted in a location where one can safely remain stationary.

 

1752.219-70            Small Business Subcontracting Plan (Feb 2013)

 

(a)      If your company is required to file a Small Business Subcontracting Plan in accordance with FAR 52.219-9, please use the Subcontracting Plan Template attached to this solicitation for that purpose.

 


 

(b)       The on-line Electronic Subcontracting Reporting System (eSRS) must now be used for input of the reports required by FAR 52.219-9(d)(10)(iii). To comply with this requirement, please do the following:

 

(1)       If your company does not yet have an eSRS account, then please sign up for one at www.esrs.gov. A user guide that explains how to use eSRS is available at: http://esrs.gov/documents/esrs_contractor_user_guide_1.7.pdf. If you notice that your company contact information or DUNS number in eSRS are not correct, then please make corrections through the System for Award Management (SAM) website at http://www.sam.gov/. That data will then flow from the SAM to the Federal Procurement Data System – Next Generation (FPDS-NG) and then finally into the eSRS system. Repopulation of your eSRS contact info can take two business days after you make corrections in the SAM. Please include the e-mail addresses of the contracting officer in eSRS for notification in block 13 of the report.

(2)       Starting with fiscal year 2005, submit your Summary Subcontracting Reports (SSRs – Old SF 295) and your Individual Subcontracting Reports (ISRs – Old SF 294) for contracts into the eSRS. Midyear reports are not required in eSRS for FY 2004 and 2005.

(3)       For fiscal year 2006 onward also submit your midyear (March) ISRs into eSRS.

(4)       If you have not yet submitted a final report for any contracts closed during FY 2004 onward, you should do so now using the eSRS.

(5)       Please continue to submit to the Contracting Officer paper prints of all the reports you input to eSRS, until further notice. (This continues to be a FAR requirement)

(6)       If you have a Blanket Purchase Agreement (BPA) with OPM, please submit your ISRs via paper. FPDS-NG, which provides data into eSRS, does not identify subcontracting plans resulting from BPAs and other types of orders.

 

1752.222-70            Notice of Requirement for Certification of Nonsegregated Facilities (July 2005)

 

By signing this offer or contract, the contractor will be deemed to have signed and agreed to the provisions of Federal Acquisition Regulations (FAR) Clause 52.222-21, Certification of Nonsegregated Facilities, incorporated by reference in this solicitation/contract. The certification provides that the bidder or offeror does not maintain or provide for its employees, facilities which are segregated on a basis of race, color, religion, or national origin, whether such facilities are segregated by directive or on a de facto basis. The certification also provides that the bidder/offeror does not and will not permit its employees to perform their services at any location under its control where segregated facilities are maintained. FAR Clause 52.222-21 must be included in all subcontracts as well.

 

1752.222-71            Special Requirements for Employing Special Disabled Veterans, Veterans of the Vietnam Era, and Other Eligible Veterans (July 2005)

 

(a)       If this contract contains FAR Clause 52.222-35 (Equal Opportunity for Special Disabled Veterans, Veterans of the Vietnam Era, and Other Eligible Veterans), your company must comply with the requirements of this clause, including the listing of employment opportunities with the local office of the state employment service system.

 

(b)       If this contract contains FAR clauses 52.222-37 (Employment Reports on Special Disabled Veterans, Veterans of the Vietnam Era, and Other Eligible Veterans) or 52.222-38  (Compliance with Veterans’ Employment Reporting Requirements), you are reminded that your company must comply with the special reporting requirements described in those clauses.

 


 

Your company must submit information on several aspects of its employment and hiring of special disabled and Vietnam era veterans or other veterans who served on active duty during a war or in a campaign or expedition for which a campaign badge has been authorized. You must submit this information no later than September 30 of each year, in the “Federal Contractor Veterans’ Employment Report” or VETS-100 Report. The U.S. Department of Labor has established a web site for submitting this report. The address is: http://www.vets100.cudenver.edu.

 

1752.223-71             Environmentally Preferable Products and Services (January 2017)

 

(a)        Executive Order 13693, Planning for Federal Sustainability in the Next Decade, requires in agency acquisitions of goods and services (i) use of sustainable environmental practices, including acquisition of biobased, environmentally preferable, energy-efficient, water-efficient, and recycled-content products, and (ii) use of paper of at least 30 percent post-consumer fiber content.

 

(b)        By signing this offer or contract, the contractor will be deemed to have signed and agreed that all goods and services provided under this contract will comply with the above requirements of Executive Order 13693.

 

1752.224-70             Definition of Terms (Dec 2015)

 

The following definitions apply to this contract:

 

a. Information: This term is synonymous with the term Data. Both terms refer to single or multiple instances of any recorded or communicated fact or opinion being stored or transferred in any digital or analog format or medium.

 

b. Controlled Unclassified Information (CUI): This term refers to that sub-category of Information where the loss, misuse, or unauthorized access or modification could adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled under 5 USC Section 552a (the Privacy Act) that has not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.

 

c. Personally Identifiable Information (PII): This term refers to that sub-category of CUI that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.

 

d. Information System: This term refers to a system composed of people and equipment that processes or interprets Information.

 

e. Information Technology (IT) System: This term refers to that sub-category of Information System composed of hardware, software, data, and networks that processes or interprets Information.

 


 

f. Information Security Incident (ISI): This term refers to any event that includes the known, potential, or suspected exposure, loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or unauthorized access of any Contractor or Government Information or Information Systems.

 

g. Record:

(1) For the purpose of Records Management, this term refers to all recorded Information, regardless of form or characteristics, made or received by a Federal agency under Federal law or in connection with the transactions of public business and preserved or appropriate for preservation by that agency or its legitimate successor as evidence of the organization, functions, policies, decisions, procedures, operations, or other activities of the US Government or because of the informational value of the data in them.

 

(2) For the purpose of the Privacy Act, this term refers to any item, collection, or grouping of Information about an individual that is maintained by an agency, including, but not limited to, education, financial transactions, medical history, or criminal or employment history, and that contains the person’s name, or the identifying number, symbol, or other identifier assigned to the individual, such as a fingerprint, voiceprint, or a photograph.

 

h. System of Records on individuals: This term refers to a group of any Records from which Information is retrieved by the name of the individual or by some identifying number, symbol, or other identifier assigned to the individual.

 

i. Operation of a System of Records: This term refers to the performance of any of the activities associated with maintaining the System of Records, including the collection, use, and dissemination of Records.

 

j. Privileged User: This term refers to a user that is assigned an organization-defined privileged role that allows that individual to perform certain security-relevant functions that ordinary users are not authorized to perform. These privileged roles include, but are not limited to, IT system development, key management, account management, network and system administration, database administration, and web administration.

 

1752.224-71             Freedom of Information Act Requests (Sep 2009)

 

(a)       Offerors are reminded that information furnished under this solicitation may be subject to disclosure under the Freedom of Information Act (FOIA). Therefore:

 

(1)       All items that are confidential to business, or contain trade secrets, proprietary, or personnel information must be clearly marked in all documents submitted to the U.S. Office of Personnel Management (OPM or The Government). Marking of items will not necessarily preclude disclosure when the OPM determines disclosure is warranted by FOIA. However, if such items are not marked, all information contained within the submitted documents will be deemed to be releasable.

 


 

(2)        No later than five (5) business days after award of a contract, blanket purchase agreement (BPA), or order, the Contractor must provide OPM a redacted copy of the contract/BPA/order in electronic format. This copy will be used to satisfy any requests for copies of the contract/BPA/order under the FOIA. If the Contracting Officer believes that any redacted information does not require protection from public release, the issue will be resolved in accordance with paragraph 3.104-4(d) of the Federal Acquisition Regulation.

 

(b)       Any information made available to the Contractor by the Government must be used only for the purpose of carrying out the provisions of this contract and must not be divulged or made known in any manner to any person except as may be necessary in the performance of the contract.

 

(c)       In performance of this contract, the Contractor assumes responsibility for protection of the confidentiality of Government records and must ensure that all work performed by its subcontractors shall be under the supervision of the Contractor or the Contractor’s responsible employees.

 

(d)       Each officer or employee of the Contractor or any of its subcontractors to whom any Government record may be made available or disclosed must be notified in writing by the Contractor that information disclosed to such officer or employee can be used only for a purpose and to the extent authorized herein, and that further disclosure of any such information, by any means, for a purpose or to an extent unauthorized herein, may subject the offender to criminal sanctions imposed by 19 U.S.C. 641. That section provides, in pertinent part, that whoever knowingly converts to their use or the use of another, or without authority, sells, conveys, or disposes of any record of the United States or whoever receives the same with intent to convert it to their use or gain, knowing it to have been converted, shall be guilty of a crime punishable by a fine of up to $10,000, or imprisoned up to ten years, or both.

 

1752.224-72 Access to Contractor Information Technology (IT) Systems (Dec 2015)

 

During the period of performance of the contract and throughout any contract close-out period, the Contractor must provide OPM, or its designate, with immediate access to all IT systems used by the Contractor to support the performance of the contract for the purpose of inspection and forensic analysis in the event of an Information Security Incident (ISI).

 

1752.224-73 Protecting Information (Dec 2015)

 

a. Applicability

 

(1) This clause applies to the Contractor, its subcontractors and teaming partners, and employees (hereafter referred to collectively as “Contractor”).

 

(2) These requirements are applicable to all Information, regardless of medium, maintained by the Contractor for the performance of this contract.

 

(3) These requirements are in addition to all applicable requirements established by the Privacy Act of 1974 (5 U.S.C. 552a); and to all other requirements established by various Federal statutes, mandates, and Executive Orders for the management and security of Information and Information Systems. The following additional requirements should not be construed to alter or diminish civil and/or criminal liabilities provided under the Privacy Act or any other applicable Federal statutes.

  


 

b. Authorization to Handle Controlled Unclassified Information (CUI)

 

(1) Prior to receiving, collecting, transmitting, storing, using, accessing, sharing, or removing CUI from any approved locations; the Contractor must receive approval in writing from the Chief Information Officer (CIO) through the Contracting Officer (CO) or Contracting Officer’s Representative (COR).

 

(2) If the Contractor should begin to receive, collect, transmit, store, use, access, or share CUI without appropriate approval, it should be reported as an Information Security Incident (ISI).

 

(3) Prior to removing CUI from any approved location, electronic device, removable media, or storage container, approval must be received in writing from the CO or COR.

 

c. Authorization to Use Information Technology (IT) Systems

 

(1) Prior to designing, developing, operating, accessing, or using an IT system that will store or process Information other than general information necessary to manage the contract (such as billing), the Contractor must receive approval in writing from the CIO through the CO or COR.

 

(2) The time required to obtain approval may be lengthy, and the Contractor should identify this requirement as soon as possible.

 

(3) If the Contractor should begin to operate, access, or use an IT system without appropriate approval, it must be reported as an ISI.

 

d. Retention of Authorizing Documentation

 

The Contractor must maintain a current and complete file of all documentation authorizing handling of CUI during the period of performance of the contract, unless otherwise instructed by the Contracting Officer. Documentation will be made accessible during inspections or upon written request by the CO or the COR.

 

1752.224-74             Privacy Act (Dec 2015)

 

The following Federal Acquisition Regulation (FAR) clauses apply as prescribed within FAR 24.104 for solicitations and contracts, when the design, development, or operation of a system of records on individuals is required to accomplish an OPM function.

 

  


 

Additionally, in instances where the Contractor is required to access a system of records on individuals to accomplish an OPM function, the contractor is subject to the Privacy Act, Privacy Act Notification, and applicable agency regulations.

 

 

 

52.224-1 Privacy Act Notification

 

Privacy Act Notification (Apr 1984)

 

The Contractor will be required to design, develop, or operate a system of records on individuals, to accomplish an agency function subject to the Privacy Act of 1974, Public Law 93-579, December 31, 1974 (5 U.S.C. 552a) and applicable agency regulations. Violation of the Act may involve the imposition of criminal penalties.

 

(End of clause)

 

52.224-2 Privacy Act

 

Privacy Act (Apr 1984)

 

(a) The Contractor agrees to—

(1) Comply with the Privacy Act of 1974 (the Act) and the agency rules and regulations issued under the Act in the design, development, or operation of any system of records on individuals to accomplish an agency function when the contract specifically identifies—

(i) The systems of records; and

(ii) The design, development, or operation work that the contractor is to perform;

(2) Include the Privacy Act notification contained in this contract in every solicitation and resulting subcontract and in every subcontract awarded without a solicitation, when the work statement in the proposed subcontract requires the redesign, development, or operation of a system of records on individuals that is subject to the Act; and

(3) Include this clause, including this paragraph (3), in all subcontracts awarded under this contract which requires the design, development, or operation of such a system of records.

(b) In the event of violations of the Act, a civil action may be brought against the agency involved when the violation concerns the design, development, or operation of a system of records on individuals to accomplish an agency function, and criminal penalties may be imposed upon the officers or employees of the agency when the violation concerns the operation of a system of records on individuals to accomplish an agency function. For purposes of the Act, when the contract is for the operation of a system of records on individuals to accomplish an agency function, the Contractor is considered to be an employee of the agency.

(c)(1) “Operation of a system of records,” as used in this clause, means performance of any of the activities associated with maintaining the system of records, including the collection, use, and dissemination of records.

(2) “Record,” as used in this clause, means any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and that contains the person’s name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a fingerprint or voiceprint or a photograph.

 


 

(3) “System of records on individuals,” as used in this clause, means a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.

 

1752.224-75             Information Protection Policies and Procedures (Dec 2015)

 

The Contractor must ensure its policies and procedures address compliance with all information protection requirements of this contract. The policies and procedures must address the following:

 

a. Proper identification, marking, control, storage, transmission, use, and handling of Controlled Unclassified Information (CUI), regardless of medium.

b. Proper control, storage, and protection of mobile devices, portable data storage devices, and communication devices containing CUI.

c. Proper use of FIPS 140-2 compliant encryption, redaction, and masking methods to protect CUI while at rest and in transit throughout contractor networks, and on host and client platforms.

d. Proper use of FIPS 140-2 compliant encryption methods to protect CUI transmitted in email attachments, including policy that passwords must not be communicated in the same email as the attachment.

e. Roles and responsibilities and proper actions to be taken during Information Security Incidents (ISIs).

f. Proper procedures for obtaining authorized access to information technology (IT) systems.

g. General IT security and protection training for all employees.

h. Specialized IT security and protection training for IT security staff.

i. Information Systems policy compliance requirements and procedures.

 

This is not an all-inclusive list and may include additional requirements which the contractor shall address during performance.

 

1752.224-76             Compliance with Information Protection Requirements (Dec 2015)

 

The Chief Information Officer, through the Contracting Officer or Contracting Officer’s Representative, reserves the right to verify compliance with information security requirements established by this contract. Verification may include, but is not limited to, onsite or offsite inspections, documentation reviews, process observation, network and IT system scanning. The Contractor will fully comply with all OPM-initiated inspections as permissible by law.

 

1752.224-77             Information Security Incidents (ISI) (Dec 2015)

 

a. ISI Reporting Activities

 

(1) Contractors must report any and all ISI involving OPM Information to the OPM Security Monitoring Center (SMC) at CyberSolutions@opm.gov, 844-377-6109. The SMC is available 24 hours per day, 365 days per year.

  


 

(2) Contractors must report any and all ISI involving information technology (IT) systems and Controlled Unclassified Information (CUI) immediately upon becoming aware of the ISI but no later than 30 minutes after becoming aware of the ISI, regardless of day or time; regardless of internal investigation, evaluation, or confirmation of procedures or activities; and regardless of whether the ISI is suspected, known, or determined to involve IT systems operated in support of this contract.

 

(3) Contractors reporting an ISI to the SMC by email or phone must copy the Contracting Officer (CO) or Contracting Officer’s Representative (COR) if possible; but if not, must notify the CO or COR immediately after reporting to the SMC.

 

(4) When reporting an ISI to the SMC by email:

 

(a) Do not include any CUI in the subject or body of any email;

 

(b) Use FIPS 140-2 compliant encryption methods to protect CUI to be included as an email attachment, and do not include passwords in the same email as the encrypted attachment; and

 

(c) Provide any supplementary information or reports related to a previously reported incident directly to the OPM SMC with the following text in the subject line of the email: “Supplementary Information / Report related to previously reported incident # [insert number].”

 

b. ISI Review and Response Activities

 

(1) The Contractor must provide full access and cooperation for all activities determined by CO or COR to be required to ensure an effective review and response to protect OPM’s Information and Information Systems operated in support of this contract.

 

(2) The Contractor must promptly respond to all requests by the CO or COR for ISI and system-related information, including but not limited to disk images, log files, event information, and any other information determined by OPM to be required for a rapid but comprehensive technical and forensic review.

 

(3) OPM, at its sole discretion, may obtain the assistance of Federal agencies and/or third party firms to aid in ISI Review and Response activities.

 

c. ISI Determination Activities

 

(1) The Contractor must not make any determinations related to an ISI associated with Information Systems or Information maintained by the Contractor in support of the activities authorized by this contract, including determinations related to notification of affected individuals and/or Federal agencies (except reporting criminal activity to Law Enforcement Organizations) and offering of services, such as credit monitoring.

 


 

(2) The Contractor must not conduct any internal ISI-related review or response activities that could modify or eliminate any existing technical configuration or information or forensic technical evidence existing at the time of the ISI without approval from the OPM Chief Information Officer (CIO) through the CO or COR.

 

(3) All determinations related to an ISI associated with Information Systems or Information maintained by the Contractor in support of the activities authorized by this contract will be made only by the OPM CIO through the CO or COR.

 

(4) The Contractor must report criminal activity to Law Enforcement Organizations upon becoming aware of such activity.

 

1752.224-78             Information Security Inspections (Dec 2015)

 

a. The Contractor must permit and cooperate with any mutually agreed upon pre-scheduled onsite or offsite information security inspections, such as:

 

(1) Before initiation of the performance period;

 

(2) As periodically scheduled for contract oversight and compliance purposes;

 

(3) As determined by the OPM Chief Information Officer (CIO) through the Contracting Officer (CO) or Contracting Officer’s Representative (COR) to be required for evaluation of or in response to any reported Information Security Incident (ISI); or

 

(4) As determined by the OPM CIO through the CO or COR to be required to address any risk of non-compliance with the requirements of this contract.

 

b. OPM will provide the Contractor with a Post-Inspection Report, which will state findings and specify the Contractor’s requirement for remediating findings to maintain compliance with this contract.

 

c. The Contractor must provide a formal response to the OPM Post-Inspection Report within fifteen (15) days of receipt of the report for critical/high risk findings and within thirty (30) days for all other findings.

 

1752.224-79             Suspension of Contract for Security Concerns (Dec 2015)

 

If at any time during Contract performance it is determined that the Contractor is not in full compliance with the security requirements of this Contract, the Government may immediately suspend performance under this Contract and require the immediate return of all Controlled Unclassified Information (CUI) materials and information to the Government at full Contractor expense. Any work suspension resulting from a security lapse will not be subject to equitable adjustment; all costs incurred will be borne by the Contractor.

 


 

1752.232-70             Invoice Requirements Large Business (Oct 2012)

 

(a)      A proper invoice must include the following items (except for interim payments on cost reimbursement contracts for services):

(1)       Name and address of the contractor.

(2)       Invoice date and invoice number. (Contractors should date invoices as close as possible to the date of transmission.)

(3)       Contract number or other authorization for supplies delivered or services performed (including order number and contract line item number).

(4)       Description, quantity, unit of measure, unit price, and extended price of supplies delivered or services performed.

(5)       Shipping and payment terms (e.g., shipment number and date of shipment, discount for prompt payment terms). Bill of lading number and weight of shipment will be shown for shipments on Government bills of lading.

(6)       Name and address of contractor official to whom payment is to be sent (must be the same as that in the contract or in a proper notice of assignment).

(7)       Name (where practicable), title, phone number, and mailing address of person to notify in the event of a defective invoice.

(8)       Taxpayer Identification Number (TIN). The contractor must include its TIN on the invoice only if required by agency procedures. (See 4.9 TIN requirements.)

(9)        Electronic funds transfer (EFT) banking information.

(i)        The contractor shall have submitted correct EFT banking information in accordance with the applicable solicitation provision (e.g., 52.232-38, Submission of Electronic Funds Transfer Information with Offer), contract clause (e.g., 52.232-33, Payment by Electronic Funds Transfer-Central Contractor Registration, or 52.232-34, Payment by Electronic Funds Transfer-Other Than Central Contractor Registration), or applicable agency procedures.

(ii)        The last four digits of the contractor’s bank account must be shown on each invoice submitted for payment. This information will be used as a cross-reference in situations where the EFT banking information in the Central Contract Registration is suspect.

(iii)       EFT banking information is not required if the Government waived the requirement to pay by EFT.

(10)     The vendor’s certification that their EFT banking information in the Central Contractor Registration is current, accurate and complete as of the date of the invoice.

(11)     Any other information or documentation required by the contract (e.g., evidence of shipment).

 

(b)      Any invoice that does not contain all of the information listed in paragraph (a) above will be rejected as improper, and a new complete corrected invoice must be submitted. The payment due date for the corrected invoice will be calculated from the date it is received in the Prompt Pay e-mail box.

 

(c)        ALL large business invoices—without exception—must have unique identifying numbers, and be submitted via e-mail to OPM’s Prompt Pay e-mail box at:

 

PromptPay@opm.gov

 

Please note that OPM cannot guarantee payment of invoices sent by any other means, such as regular mail or e-mail to other addresses.

  


 

(d)      Please attach only one invoice to each e-mail, and use the following format for the subject line of the e-mail:

 

<Contractor name>&<Invoice no>&<Amount>&<Contract Number>/<Call or Order Number>

 

Example:

ABC Co&AB-1298433&10000.00&OPM00-00-X-0000/X0000

 

(e)      Payment due dates will only be calculated from the date that invoices are received in the Prompt Pay e-mail box.

 

(f)       Inquiries regarding payment of invoices should be e-mailed to InvoiceInquiries@opm.gov. The relevant invoice must be attached to the inquiry e-mail, and the subject line of the e-mail must state “INQUIRY,” followed by the information described in paragraph (d) above.

 

Example: 

INQUIRY: ABC Co&AB-1298433&10000.00&OPM00-00-X-0000/X0000

 

Do NOT use the Prompt Pay e-mail box for inquiries.

 

(g)      If the supplies, services, technical or other reports are rejected for failure to conform to the technical requirements of the contract, or for damage in transit or otherwise, the invoice will be rejected and returned to the Contractor.

 

1752.232-71             Method of Payment (July 2005)

 

(a)        Payments under this contract will be made either by check or by wire transfer through the Treasury Financial Communications System at the option of the Government.

 

(b)       The Contractor must forward the following information in writing to the Contracting Officer not later than seven (7) days after receipt of notice of award:

(1)       Full Name (where practicable), title, telephone number, and complete mailing address of responsible official(s):

(i) to whom check payments are to be sent, and

(ii) who may be contacted concerning the bank account information requested below.

(2) The following bank account information required to accomplish wire transfers:

(i) Name, address, and telegraphic abbreviation of the receiving financial institution.

(ii)      Receiving financial institution’s 9-digit American Bankers Association (ABA) identifying number for routing transfer of funds. (Provide this number only if the receiving financial institution has access to the Federal Reserve Communications System.)

 


 

(iii)      Recipient’s name and account number at the receiving financial institution to be credited with the funds. If the receiving financial institution does not have access to the Federal Reserve Communications System, provide the name of the correspondent financial institution through which the receiving institution receives electronic funds transfer messages. If a correspondent financial institution is specified, also provide:

(A)       Address and telegraphic abbreviation of the correspondent financial institution.

(B)       The correspondent financial institution’s 9-digit ABA identifying number for routing transfer of funds.

 

(c)        Any changes to the information furnished under paragraph (b) of this clause shall be furnished to the Contracting Officer in writing at least 30 days before the effective date of the change. It is the Contractor’s responsibility to furnish these changes promptly to avoid payments to erroneous addresses or bank accounts.

 

(d)       The document furnishing the information required in paragraphs (b) and (c) must be dated and contain the signature, title, and telephone number of the Contractor official authorized to provide it, as well as the Contractor’s name and contract number.

 

1752.232-74             Providing Accelerated Payment to Small Business Subcontractors (Oct 2012)

 

(a) This clause implements the temporary policy provided by OMB Policy Memorandum M-12-16, Providing Prompt Payment to Small Business Subcontractors, dated July 11, 2012. (Note: OMB Policy Memorandum M-12-16 is accessible on line at: http://www.whitehouse.gov/sites/default/files/omb/memoranda/2012/m-12-16.pdf.)

 

(b) Upon receipt of accelerated payments from the Government, the contractor is required to pay all small business subcontractors on an accelerated timetable to the maximum extent practicable after receipt of invoice and all proper documents.

 

(c) Include the substance of this clause, including this paragraph (b), in all subcontracts with small business.

 

1752.233-70             OPM Protest Procedures [Applicable to Solicitations Only] (January 2017)

 

(a)        An interested party who files a protest with OPM has the option of requesting review and consideration of the protest by either the Contracting Officer (CO) or the Senior Procurement Executive (SPE). The protest must clearly indicate the official to whom it is directed.

 

(b)        If the protest is directed to the SPE, a copy of the protest must be sent to the Director of Contracts at the same time the protest is filed with the CO in accordance with FAR 52.233-2. The address of the Director of Contracts is:

 

Elijah Anderson

Director of Contracts, Office of Procurement Operations

U.S. Office of Personnel Management

1900 E Street N.W., Room 1342

Washington, DC 20415

 


 

(c)        Review and consideration of a protest by the SPE is an alternative to review and consideration by the CO.

 

1752.237-70             Non-Personal Services (July 2005)

 

(a)       As stated in the Office of Federal Procurement Policy Letter 92-1, dated September 23, 1992, Inherently Governmental Functions, no personal services shall be performed under this contract. No Contractor employee will be directly supervised by the Government. All individual employee assignments, and daily work direction, shall be given by the applicable employee supervisor. If the Contractor believes any Government action or communication has been given that would create a personal services relationship between the Government and any Contractor employee, the Contractor must promptly notify the Contracting Officer of this communication or action.

 

(b)       The Contractor must not perform any inherently Governmental actions under this contract. No Contractor employee shall hold him or herself out to be a Government employee, agent, or representative. No Contractor employee may state orally or in writing at any time that he or she is acting on behalf of the Government. In all communications with third parties in connection with the contract, Contractor employees must identify themselves as Contractor employees and specify the name of the company for which they work. In all communications with other Government Contractors in connection with this contract, the Contractor employee must state that they have no authority to in any way change the contract and that if the other Contractor believes this communication to be a direction to change their contract, they should notify the Contracting Officer for that contract and not carry out the direction until a clarification has been issued by the Contracting Officer.

 

(c)       The Contractor must ensure that all of its employees working on this contract are informed of the substance of this clause. Nothing in this clause limits the Government’s rights in any way under any other provision of the contract, including those related to the Government’s right to inspect and accept the services to be performed under this contract. The substance of this clause must be included in all subcontracts at any tier.

 

1752.239-75             Information System Security Requirements (Dec 2015)

 

a. The activities required by this contract necessitate the Contractor’s access to Government Information, including Controlled Unclassified Information (CUI). Contractors are required to comply with current Federal regulations and guidance found in the Federal Information Security Modernization Act (FISMA); Privacy Act of 1974; E-Government Act of 2002, Section 208; National Institute of Standards and Technology (NIST); Federal Information Processing Standards (FIPS); Office of Management and Budget (OMB) memorandums; and other relevant Federal laws and regulations with which OPM must comply.

 

b. The Contractor shall comply with implementation of required security controls for protection of the Government Information based on the sensitivity of the data within the system as outlined by Federal regulatory requirements, including but not limited to, Health Insurance Portability and Accountability Act (HIPAA), IRS 1075 for federal tax information, Executive Order 13556 for Controlled Unclassified Information (CUI) and any additional regulatory requirements.

 


 

c. The Contractor shall implement and maintain an Information security program that is compliant with FISMA, NIST Special Publications, OMB guidelines, OPM security policies, and other applicable laws, throughout the performance of this contract.

 

d. The Contractor facilities and IT systems shall meet the security requirements for the same impact level or greater as defined by the FIPS 199 as required for the protection of Government Information. The OPM Chief Information Officer, through the Contracting Officer or Contracting Officer’s Representative shall provide written approval of the FIPS 199 security categorization.

 

1752.239-77             Federal Reporting Requirements (Dec 2015)

 

The Contractor must comply with both OPM IT Security policies and OPM’s continuous monitoring reporting requirements as required by the Federal Information Security Modernization Act (FISMA). The Contractor must provide OPM with the requested information within the timeframes provided for each request. Failure to do so may result in the loss of OPM’s authorization to receive and process sensitive information or operate an IT system containing sensitive information. Reporting requirements may change each reporting period.

 

1752.239-80             Information Technology (IT) Security and Privacy Awareness Training (Dec 2015)

 

a. The Contractor must ensure that all Contractor employees complete OPM-provided mandatory security and privacy training prior to gaining access to OPM IT systems and periodically thereafter based on OPM policy requirements. OPM will provide notification and instructions for completing this training. Non-compliance shall result in revocation of system access.

 

b. With written permission and justification from the Chief Information Officer, through the Contracting Officer or Contracting Officer’s Representative, in lieu of the OPM-provided training, the Contractor may provide its own continuous training and awareness for Contract employees. All costs and resource allocations required must be the sole responsibility of the Contractor. Evidence of training for contractor employees shall be provided to OPM upon request.

 

1752.239-83             Secure Technical Implementation (Dec 2015)

 

a. The Contractor must certify applications are fully functional and operate correctly as intended on systems using the Federal Desktop Core Configuration (FDCC) / United States Government Configuration Baseline (USGCB).

 

b. The standard installation, operation, maintenance, updates, and/or patching of software must not alter the configuration settings from the approved FDCC / USGCB configuration.

 

c. Applications designed for normal end users must run in the standard user context without elevated system administration privileges.

 


 

d. The Contractor must apply due diligence at all times to ensure that the required level of security is always in place to protect OPM systems and information, such as using Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIG). The Contracting Officer or Contracting Officer’s Representative (COR) reserves the right to verify compliance.

 

1752.239-84             Data Protection Requirements (Dec 2015)

 

a. Controlled Unclassified Information (CUI) shall be encrypted in transit and at rest using Federal Information Processing Standard (FIPS) 140 and validated by the Cryptographic Module Validation Program (CMVP).

 

b. The Contractor must provide the validation certificate number to the Contracting Officer or Contracting Officer’s Representative (COR) for verification. This shall occur prior to award and upon any changes to the cryptographic module. This shall only occur for the cryptographic modules.

 

c. The Contractor shall redact or mask all CUI that is not essential to users, including privileged users.

 

1752.239-85             Security Monitoring and Alerting Requirements (Dec 2015)

 

All contractor-operated systems that use or store OPM Information must meet or exceed OPM IT Security policy requirements pertaining to security monitoring and alerting. The minimum requirements are listed further below:

 

a. System and Network Visibility and Policy Enforcement at the following levels:

 

(1) Edge

(2) Server / Host

(3) Workstation / Laptop / Client

(4) Network

(5) Application

(6) Database

(7) Storage

(8) User

 

b. Alerting and Monitoring

 

c. System, User, and Data Segmentation

 


 

1752.239-86             Contractor Information Technology (IT) System Oversight / Compliance (Dec 2015)

 

a. The Contractor must support OPM in its efforts to assess and monitor the IT systems and infrastructure used in support of the performance of this contract. The Contractor must provide logical and physical access to the Contractor’s facilities, installations, technical capabilities, operations, documentation, records, devices, applications and databases used in performance of the contract, regardless of location, upon Agency request. The Contractor will be expected to perform automated scans and continuous monitoring activities which may include, but will not be limited to, authenticated and unauthenticated scans of networks, operating systems, applications, and databases and provide the results of the scans to the Contracting Officer’s Representative (COR), or allow the COR to run the scans directly.

 

b. All Contractor systems must participate in the OPM Information Security Continuous Monitoring (ISCM) program utilizing the OPM Information Security Continuous Monitoring Plan for security control monitoring and must submit to the COR, the report on security control monitoring as required following the OPM Information Security Continuous Monitoring Reporting template as defined in the OPM IT Security Policy.

 

c. All Contractor systems must perform vulnerability scanning as defined by OPM IT Security continuous monitoring program and will provide requested vulnerability scanning reports to the COR in accordance with OPM’s continuous monitoring program plan.

 

d. All Contractor systems must participate in the implementation of automated security controls testing mechanisms and provide automated test results in Security Content Automation Protocol (SCAP) compliant data to the COR in accordance with OPM’s continuous monitoring program.

 

1752.242-71             Return of OPM and OPM-Activity-Related Information (Dec 2015)

 

Within thirty (30) days after the end of the contract performance period or after the contract is suspended or terminated by the Contracting Officer, unless otherwise instructed by the Contracting Officer, the Contractor must return all original OPM-provided and OPM-Activity-Related Information, such as records, files, and metadata in electronic or hardcopy format, including but not limited to the following:

 

(1) provided by OPM;

(2) obtained by the Contractor while conducting activities in accordance with the contract with OPM;

(3) distributed for any purpose by the Contractor to any other related organization and/or any other component or separate business entity; or

(4) received from the Contractor by any other related organization and/or any other component or separate business entity.

 


 

Within forty-five (45) days after the end of the contract performance period or after the contract is suspended or terminated by the Contracting Officer, unless otherwise instructed by the Contracting Officer, the Contractor must provide the Contracting Officer and COR with an associated Certification of Verified Return of all original OPM and OPM-Activity-Related Information, such as records, files, and metadata in electronic or hardcopy format, including but not limited to the following:

 

(1) provided by OPM;

(2) obtained by the Contractor while conducting activities in accordance with the contract with OPM;

(3) distributed for any purpose by the Contractor to any other related organization and/or any other component or separate business entity; or

(4) received from the Contractor by any other related organization and/or any other component or separate business entity.

 

1752.242-72             Secure Destruction of All OPM and OPM-Activity-Related Information (Dec 2015)

 

a. Within sixty (60) days after the end of the contract performance period or after the contract is suspended or terminated by the Contracting Officer, BUT ONLY after the Contracting Officer (CO) or Contracting Officer’s Representative (COR) has accepted and approved the Contractor’s compliance with the Certification of Verified Return, the Contractor must execute secure destruction of all copies of all OPM and OPM-activity-related files and information (including but not limited to all records, files, and metadata in electronic or hardcopy format) not returned to OPM and held in possession by the Contractor, by procedures approved by the CO or COR in advance and in accordance with applicable OPM IT Security Policy Requirements, including but not limited to the following:

 

(1) provided by OPM;

(2) obtained by the Contractor while conducting activities in accordance with the contract;

(3) distributed for any purpose by the Contractor to any other related organization and/or any other component or separate business entity; or

(4) received from the Contractor by any other related organization and/or any other component or separate business entity.

 

b. Within seventy-five (75) days after the end of the contract performance period or after the contract is suspended or terminated by the CO, BUT ONLY after the CO or COR has accepted and approved the Contractor’s compliance with the Certification of Verified Return, the Contractor must provide the CO or COR with Certification of Secure Destruction of all existing active and archived originals and/or copies of all OPM and OPM-activity-related files and information, (including but not limited to all records, files, and metadata in electronic or hardcopy format); by procedures approved by OPM in advance and in accordance with applicable OPM IT Security Policy Requirements; including but not limited to the following:

 

(1) provided by OPM;

(2) obtained by the Contractor while conducting activities in accordance with the contract;

 


 

(3) distributed for any purpose by the Contractor to any other related organization and/or any other component or separate business entity; or

(4) received from the Contractor by any other related organization and/or any other component or separate business entity.

 

1752.242-73             Mandatory Requirement for Contractor Return of all OPM-Owned and Leased Computing and Information Storage Equipment (Dec 2015)

 

a. Within sixty (60) days after the end of the contract performance period or after the contract is suspended or terminated by the Contracting Officer, or within a time period approved by the Contracting Officer or Contracting Officer’s Representative (COR), the Contractor must return all OPM-owned and leased computing and information storage equipment.

 

b. Within seventy-five (75) days after the end of the contract performance period or after the contract is suspended or terminated by the Contracting Officer, the Contractor must provide OPM with Certified Verification of Return of all OPM-Owned and Leased Computing and Information Storage Equipment.

 

1752.242-88             Contract Performance Information (July 2005)

 

(a)       Dissemination of Contract Performance Information

 

The Contractor must not publish, permit to be published, or distribute for public consumption, any information, oral or written, concerning the results or conclusions made pursuant to the performance of this contract, without the prior written consent of the Contracting Officer. Two copies of any material proposed to be published or distributed must be submitted to the Contracting Officer for approval.

 

(b)       Contractor Testimony

 

All requests for the testimony of the Contractor or its employees, and any intention to testify as an expert witness relating to: (a) any work required by, and/or performed under, this contract; or (b) any information provided by any party to assist the Contractor in the performance of this contract, must be immediately reported to the Contracting Officer. Neither the Contractor nor its employees must testify on a matter related to work performed or information provided under this contract, either voluntarily or pursuant to a request, in any judicial or administrative proceeding unless approved by the Contracting Officer or required by a judge in a final court order.

 


 

Attachment

 

Contractor Staffing Change Report

 

Contract/Order/Call Number:

 

Employees who left the BPA Call in the past 60 days:

 

(If no employees have left the BPA Call during this period, indicate “none” in the column labeled “last name.”)

 

Last Name | First | MI | Date Separated

 

Employees who joined the BPA Call in the past 60 days:

 

(If no employees have joined the BPA Call during this period, indicate “none” in the column labeled “last name.”)

 

Last Name | First | MI | Date Separated

 

Manager’s Certification:

 

Contract Number: | Company Name: | Project Manager (Please Print): | Date:

 



Project Manager’s Signature   Date  

 


 

Information Technology Contract Clause Deliverables

 

The below Deliverables Table shall be incorporated into the master deliverable table of the contract as applicable.

 

Deliverables associated with each contract clause are identified in the table below.

 

Contract Clause | Contract Clause Title | Deliverable(s)
1752.224-77 | Information Security Incidents (ISI) (Dec 2015) | The Contractor must report all security incidents to the SMC immediately upon becoming aware of the ISI but no later than thirty (30) minutes after becoming aware of the ISI.
1752.224-78 | Information Security Inspections (Dec 2015) | The Contractor must provide a formal response to the OPM Post-Inspection Report within fifteen (15) days of receipt of the report for critical/high risk findings and within thirty (30) days for all other findings.
1752.239-75 | Information System Security Requirements (Dec 2015) | The Contractor must complete a FIPS 199 for approval by the OPM CIO.
1752.239-77 | Federal Reporting Requirements (September 2014) | The Contractor must provide OPM with FISMA and OPM continuous monitoring information.
1752.239-83 | Secure Technical Implementation (Dec 2015) | The Contractor must certify applications are fully functional and operate as intended on systems using the Federal Desktop Core Configuration (FDCC) / US Government Configuration Baseline (USGCB).
1752.239-84 | Data Protection Requirements (Dec 2015) | The Contractor must provide the validation certificate number for FIPS 140 as validated by the Cryptographic Module Validation Program (CMVP).
1752.239-86 | Contractor Information Technology (IT) System Oversight / Compliance (Dec 2015) | All Contractor systems must perform vulnerability scanning as defined by OPM IT Security Policy and provide scanning reports to the OPM CIO (or designate). All Contractor systems must participate in the implementation of automated security controls testing mechanisms and provide automated test results in Security Content Automation Protocol (SCAP) compliant data to the OPM CIO (or designate).
1752.242-71 | Return of OPM and OPM-Activity-Related Information (Dec 2015) | Within forty-five (45) days after the end of the contract performance period or after the contract is terminated, the Contractor must provide OPM with an associated Certification of Verified Return of all original (and at least one duplicate copy of those information types specified by OPM) OPM and OPM-Activity-Related Information.
1752.242-72 | Secure Destruction of All OPM and OPM-Activity-Related Information (Dec 2015) | Within seventy-five (75) days after the end of the contract performance period or after the contract is terminated, the Contractor must provide OPM with Certification of Secure Destruction of all existing active and archived originals and/or copies of all OPM and OPM-activity-related files and information.
1752.242-73 | Mandatory Requirement for Contractor Return of all OPM-Owned and Leased Computing and Information Storage Equipment (Dec 2015) | Within seventy-five (75) days after the end of the contract performance period or after the contract is terminated, the Contractor must provide OPM with Certification of Verified Return of all OPM-Owned and Leased Computing and Information Storage Equipment.

 


 

Attachment 4 – Quality Assurance Surveillance Plan

 

QUALITY ASSURANCE SURVEILLANCE PLAN

U.S. OFFICE OF PERSONNEL MANAGEMENT (OPM)

CREDIT MONITORING AND IDENTITY PROTECTION SERVICES

 

INTRODUCTION

 

This quality assurance surveillance plan (QASP) is pursuant to the requirements listed in the Performance Work Statement (PWS). This plan sets forth the procedures and guidelines OPM will use in ensuring the required performance standards and service levels are achieved by the contractor.

 

Purpose

 

The purpose of the QASP is to describe the systematic methods used to monitor performance and to identify the required documentation and the resources to be employed. The QASP provides a means for evaluating whether the contractor is meeting the performance standards/quality levels identified in the PWS and the contractor’s quality control plan (QCP), and to ensure that the government pays only for the level of services received.

 

This QASP defines the roles and responsibilities of all members of the integrated project team (IPT), identifies the performance objectives, defines the methodologies used to monitor and evaluate the contractor’s performance, describes quality assurance documentation requirements, and describes the analysis of quality assurance monitoring results.

 

Performance Management Approach

 

The PWS structures the acquisition around “what” service or quality level is required, as opposed to “how” the contractor should perform the work (i.e., results, not compliance). This QASP will define the performance management approach taken by OPM to monitor and manage the contractor’s performance to ensure the expected outcomes or performance objectives communicated in the PWS are achieved. Performance management rests on developing a capability to review and analyze information generated through performance assessment. The ability to make decisions based on the analysis of performance data is the cornerstone of performance management; this analysis yields information that indicates whether expected outcomes for the project are being achieved by the contractor.

 

Performance management represents a significant shift from the more traditional quality assurance (QA) concepts in several ways. Performance management focuses on assessing whether outcomes are being achieved and to what extent. This approach migrates away from scrutiny of compliance with the processes and practices used to achieve the outcome. A performance-based approach enables the contractor to play a large role in how the work is performed, as long as the proposed processes are within the stated constraints. The only exceptions to process reviews are those required by law (federal, state, and local) and compelling business situations, such as safety and health. A “results” focus provides the contractor flexibility to continuously improve and innovate over the course of the BPA Call as long as the critical outcomes expected are being achieved and/or the desired performance levels are being met.

 


 

Performance Management Strategy

 

The contractor is responsible for the quality of all work performed. The contractor measures that quality through the contractor’s own quality control (QC) program. QC is work output, not workers, and therefore includes all work performed under this BPA Call regardless of whether the work is performed by contractor employees or by subcontractors. The contractor’s QCP will set forth the staffing and procedures for self-inspecting the quality, timeliness, responsiveness, customer satisfaction, and other performance requirements in the PWS. The contractor will develop and implement a performance management system with processes to assess and report its performance to the designated government representative. This QASP enables the government to take advantage of the contractor’s QC program.

 

The government representative(s) will monitor performance and review performance reports furnished by the contractor to determine how the contractor is performing against communicated performance objectives. The government will make a determination regarding incentives based on performance measurement metric data and notify the contractor of those decisions. The contractor will be responsible for making required changes in processes and practices to ensure performance is managed effectively.

 

ROLES AND RESPONSIBILITIES

 

The Contracting Officer

 

The Contracting Officer (CO) is responsible for monitoring BPA Call compliance, BPA Call administration, and cost control and for resolving any differences between the observations documented by the Contracting Officer’s Representative (COR) and the contractor. The CO will designate one full-time COR as the government authority for performance management. The number of additional representatives serving as technical inspectors depends on the complexity of the services measured, as well as the contractor’s performance, and must be identified and designated by the CO.

 

The Contracting Officer’s Representative

 

The Contracting Officer’s Representative (COR) is designated in writing by the CO to act as his or her authorized representative to assist in administering a BPA Call. COR limitations are contained in the written appointment letter. The COR is responsible for technical administration of the project and ensures proper government surveillance of the contractor’s performance. The COR is not empowered to make any contractual commitments or to authorize any contractual changes on the government’s behalf. Any changes that the contractor deems may affect BPA Call price, terms, or conditions shall be referred to the CO for action. The COR will have the responsibility for completing QA monitoring forms used to document the inspection and evaluation of the contractor’s work performance. Government surveillance may occur under the inspection of services clause for any service relating to the BPA Call.

 

IDENTIFICATION OF REQUIRED PERFORMANCE STANDARDS/QUALITY LEVELS

 

The required performance standards and/or quality levels are included in the PWS and in the attachment titled “Performance Requirements.” If the contractor meets the required service or performance level, it will be paid the monthly amount agreed on in the BPA Call. If the contractor exceeds the service or performance level, the CPARS will reflect an elevated performance level. Failure to meet the required service or performance level will result in the CPARS reflecting a negative evaluation of the contractor’s performance.

 


 

METHODOLOGIES TO MONITOR PERFORMANCE

 

Organization

 

The QASP is organized in accordance with the five bullets below and is in accordance with FAR 52.246-4, Inspection of Services – Fixed Price:

Column 1 – Performance Objective: Lists the performance objective that the Government will survey. The absence of any BPA Call requirement from the QASP shall not detract from its enforceability nor limit the rights or remedies of the Government under any other provisions of the BPA Call, including the clauses entitled “Inspection of Services” and “Default.”

Column 2 – Required Service: Defines the standard of performance for each listed objective.

Column 3 – Performance Standard: Sets forth the maximum allowable deviation from standard performance for that service that may occur before the Government will invoke the incentive / disincentive.

Column 4 – Method of Surveillance: Sets forth the surveillance methods the Government will use to evaluate the Contractor’s performance for the listed tasks. This column also establishes the period of the planned surveillance.

Column 5 – Incentive / Disincentive: Sets forth the performance evaluation incentive/disincentive that the listed BPA Call requirement represents.

 

Government Quality Assurance

 

Contractor performance will be surveyed to determine if it meets the BPA Call standards.

QUALITY ASSURANCE SURVEILLANCE PLAN

Performance Objective: 1. Quality of Service and Reports

Required Service: Quality of work conforms to BPA Call requirements and specifications at minimum 90% of time. Quality of work is accurate and of good workmanship at minimum 90% of time. Performance standards are met 100% of the time.

Performance Standard:
-No more than 10% of deliverables and data will fail to meet the specifications of the BPA Call.
-No more than 10% of deliverables and data will be inaccurate.
-No more than 0% of services will fail to meet the performance standards of the BPA Call.

Method of Surveillance: 100% Inspection:
-Submission Dates
-Management Reports
-Status Reviews
-Performance Standards
Period: Monthly

Incentive/Disincentive: Past Performance Incentive
-Incentive: If Contractor performs in accordance with performance standards, then favorable comments will be documented in CPARS.
-Reduction: If Contractor fails to perform in accordance with performance standard, then unfavorable comments will be documented on CPARS.

Performance Objective: 2. Schedule

Required Service: Timeliness of completion on deliverables with regards to delivery schedules, milestones, administrative requirements, and Government technical direction 100% of the time. Deliverables are submitted within the time frames stated in the BPA Call.

Performance Standard:
-No more than 0% of deliverables may be later than the specified time without prior Government consent.

Method of Surveillance: 100% Inspection:
-Submission dates
-Management reports
-Status reviews
Period: Monthly

Incentive/Disincentive: Past Performance Incentive
-Incentive: If Contractor performs in accordance with performance standards, then favorable comments will be documented in CPARS.
-Reduction: If Contractor fails to perform in accordance with performance standard, then unfavorable comments will be documented on CPARS.

Performance Objective: 3. Project Management

Required Service: Project activity with regards to integration and coordination conforms to requirements and specifications. Staff members shall respond to Government inquiries within 2 hours during normal business hours. BPA Call personnel and Subcontractors (if any) are managed effectively.

Performance Standard:
-No inquiry shall go unanswered for more than 2 hours during normal business hours.
-Staff turnover is minimal.
-Government technical direction required to solve problems surfacing during performance is minimal.

Method of Surveillance: 100% Inspection:
-COR will survey during phone calls, e-mails and meetings with the Contractor
Period: Daily

Incentive/Disincentive: Past Performance Incentive
-Incentive: If Contractor performs in accordance with performance standards, then favorable comments will be documented in CPARS.
-Reduction: If Contractor fails to perform in accordance with performance standard, then unfavorable comments will be documented on CPARS.

Performance Objective: 4. Cost Control

Required Service: Project activities stay within budget 100% of the time. Invoices submitted on a monthly basis for the Government to track burn rate, acceptance and approval in a timely fashion.

Performance Standard:
-Project activities stay within budget with no more than 0% overage in costs without prior Government consent.
-Invoices comply with BPA Call terms and conditions and are submitted no later than 10 calendar days following the close of the previous month.

Method of Surveillance: 100% Inspection:
-Submission Dates
-Burn rate tracked by COR
-Yearly accomplishment report
Period: Annually

Incentive/Disincentive: Past Performance Incentive
-Incentive: If Contractor performs in accordance with performance standards, then favorable comments will be documented in CPARS.
-Reduction: If Contractor fails to perform in accordance with performance standard, then unfavorable comments will be documented on CPARS.

 


 

Performance Evaluation

 

Performance of a service will be evaluated to determine whether or not it meets the performance requirements of the BPA Call. When the performance requirement is not met, the Contracting Officer will issue a Discrepancy Report (DR) to the Contractor. The Discrepancy Report is drafted by the COR, who forwards it to the Contracting Officer; this follows the program’s BPA Call monitoring procedures. The Contractor shall respond to the DR by completing the appropriate blocks of the form and returning it to the Contracting Officer within five calendar days of receipt. In the case of DRs issued as the result of other methods of surveillance, the Contracting Officer shall take appropriate measures according to the clause entitled “Inspection of Services.” Depending on the quality and timeliness of the response to the DR, incentives / disincentives will be provided by the Contracting Officer (CO) and Contracting Officer’s Representative (COR) in the Contractor Performance Assessment Reporting System (CPARS) database.

 

QUALITY ASSURANCE DOCUMENTATION

 

The Performance Management Feedback Loop

 

The performance management feedback loop begins with the communication of expected outcomes. Performance standards are expressed in the PWS and are assessed using the performance monitoring techniques.

 

Monitoring and Surveillance Documentation

 

The government’s QA surveillance, accomplished by the COR, will be reported using the attached monitoring forms. The forms, when completed, will document the government’s assessment of the contractor’s performance under the BPA Call to ensure that the required results of high quality products and services that meet the customers’ requirements are being achieved.

 

The COR will retain a copy of all completed QA monitoring and surveillance documentation.

 

ANALYSIS OF QUALITY ASSURANCE ASSESSMENT

 

Determining Performance

 

Government shall use the monitoring methods cited to determine whether the performance standards/service levels/AQLs have been met. If the contractor has not met the minimum requirements, it may be asked to develop a corrective action plan to show how and by what date it intends to bring performance up to the required levels. Failure to meet the AQL may result in the CPARS reflecting a negative evaluation of the contractor’s performance. Likewise, if the contractor exceeds the performance standards, the CPARS will reflect an elevated performance level.

 


 

Reporting

 

At the end of each month, if applicable and required by the Contracting Officer, the COR may prepare a written report summarizing the overall results of the quality assurance surveillance of the contractor’s performance. This written report, which includes the contractor’s submitted monthly report and the completed quality assurance monitoring forms, will become part of the QA documentation. If required by the Contracting Officer, this report will enable the government to demonstrate whether the contractor is meeting the stated objectives and/or performance standards, including cost/technical/scheduling objectives.

 

Reviews and Resolution

 

The COR may require the contractor’s project manager, or a designated alternate, to meet with the COR and other government IPT personnel, as deemed necessary, to discuss performance evaluation. The COR will define a frequency of in-depth reviews with the contractor, including appropriate self-assessments by the contractor; however, if the need arises, the contractor will meet with the COR as often as required or per the contractor’s request. The agenda of the reviews may include:

 

1. Monthly performance assessment data and trend analysis

 

2. Issues and concerns of both parties

 

3. Projected outlook for upcoming months and progress against expected trends, including a corrective action plan analysis

 

4. Recommendations for improved efficiency and/or effectiveness

 

5. Issues arising from the performance monitoring processes

 

The Government must coordinate and communicate with the contractor to resolve issues and concerns regarding marginal or unacceptable performance. The COR and contractor should jointly formulate tactical and long-term courses of action. Decisions regarding changes to metrics, thresholds, or service levels should be clearly documented. Changes to service levels, procedures, and metrics will be incorporated as a BPA Call modification at the convenience of the CO.

 


 

Attachment 5 – Pricing Schedule Worksheet

 

Please see provided Excel Worksheet.

 


 

Attachment 6 – Past Project Form

 

Please see provided Word Document.

 

 


 

 

 

 

UPDATED CLAUSE:

 

52.217-9 Option to Extend the Term of the Contract. (Mar 2000)

 

As prescribed in 17.208(g), insert a clause substantially the same as the following:

 

(a)   The Government may extend the term of this contract by written notice to the Contractor within 30 days; provided that the Government gives the Contractor a preliminary written notice of its intent to extend at least 60 days before the contract expires. The preliminary notice does not commit the Government to an extension.

 

(b)   If the Government exercises this option, the extended contract shall be considered to include this option clause.

 

(c)   The total duration of this contract, including the exercise of any options under this clause, shall not exceed 66 months.

 

 

 


 

 

 

24361819F0014_P00008 Page:     4

 

1752.232-72 Limitation of Government’s Obligation (May 2009)

 

(a)      Contract line item 20001 is incrementally funded. For these item(s), the sum of $68,884,750.00 of the total price is presently available for payment and allotted to this contract. An allotment schedule is set forth in paragraph (j) of this clause.

 

(b)      For item(s) identified in paragraph (a) of this clause, the Contractor agrees to perform up to the point at which the total amount payable by the Government, including reimbursement in the event of termination of those item(s) for the Government’s convenience, approximates the total amount currently allotted to the contract. The Contractor is not authorized to continue work on those item(s) beyond that point. The Government will not be obligated in any event to reimburse the Contractor in excess of the amount allotted to the contract for those item(s) regardless of anything to the contrary in the clause entitled “Termination for Convenience of the Government.” As used in this clause, the total amount payable by the Government in the event of termination of applicable contract line item(s) for convenience includes costs, profit, and estimated termination settlement costs for those item(s).

 

(c)      Notwithstanding the dates specified in the allotment schedule in paragraph (j) of this clause, the Contractor will notify the Contracting Officer in writing at least thirty days prior to the date when, in the Contractor’s best judgment, the work will reach the point at which the total amount payable by the Government, including any cost for termination for convenience, will approximate 85 percent of the total amount then allotted to the contract for performance of the applicable item(s). The notification will state (1) the estimated date when that point will be reached and (2) an estimate of additional funding, if any, needed to continue performance of applicable line items up to the next scheduled date for allotment of funds identified in paragraph (j) of this clause, or to a mutually agreed upon substitute date. The notification will also advise the Contracting Officer of the estimated amount of additional funds that will be required for the timely performance of the item(s) funded pursuant to this clause, for a subsequent period as may be specified in the allotment schedule in paragraph (j) of this clause or otherwise agreed to by the parties. If after such notification additional funds are not allotted by the date identified in the Contractor’s notification, or by an agreed substitute date, the Contracting Officer will terminate any item(s) for which additional funds have not been allotted, pursuant to the clause of this contract entitled “Termination for Convenience of the Government.”

 

(d)      When additional funds are allotted for continued performance of the contract line item(s) identified in paragraph (a) of this clause, the parties will agree as to the period of contract performance which will be covered by the funds. The provisions of paragraphs (b) through (d) of this clause will apply in like manner to the additional allotted funds and agreed substitute date, and the contract will be modified accordingly.

 

(e)      If, solely by reason of failure of the Government to allot additional funds, by the dates indicated below, in amounts sufficient for timely performance of the contract line item(s) identified in paragraph (a) of this clause, the Contractor incurs additional costs or is delayed in the performance of the work under this contract and if additional funds are allotted, an equitable adjustment will be made in the price or prices (including appropriate target, billing, and ceiling prices where applicable) of the item(s), or in the time of delivery, or both. Failure to agree to any such equitable adjustment hereunder will be a dispute concerning a question of fact within the meaning of the clause entitled “Disputes.”

 

 

 


 

(f)       The Government may at any time prior to termination allot additional funds for the performance of the contract line item(s) identified in paragraph (a) of this clause.

 

(g)      The termination provisions of this clause do not limit the rights of the Government under the clause entitled “Default.” The provisions of this clause are limited to the work and allotment of funds for the contract line item(s) set forth in paragraph (a) of this clause. This clause no longer applies once the contract is fully funded except with regard to the rights or obligations of the parties concerning equitable adjustments negotiated under paragraphs (d) and (e) of this clause.

 

(h)      Nothing in this clause affects the right of the Government to terminate this contract pursuant to the clause of this contract entitled “Termination for Convenience of the Government.”

 

(i)       Nothing in this clause shall be construed as authorization of voluntary services whose acceptance is otherwise prohibited under 31 U.S.C. 1342.

 

(j)       The parties contemplate that the Government will allot funds to this contract in accordance with the following schedule:

 

  On execution of Exercise of Option II $68,884,750.00  
       
  On or before 12/31/2021 $13,776,950.00