SOLICITATION NOTICE
R -- OPM Privacy Act Incident Services - OPM RFQ OPM3215T0019 - Pricing Sheet & PDF Version of RFQ
- Notice Date
- 5/28/2015
- Notice Type
- Combined Synopsis/Solicitation
- NAICS
- 541990 - All Other Professional, Scientific, and Technical Services
- Contracting Office
- Office of Personnel Management, Boyers Contracting Group, Boyers Contracting Group, 1137 Branchton Road, Boyers, Pennsylvania, 18018, United States
- ZIP Code
- 18018
- Solicitation Number
- OPM3215T0019
- Archive Date
- 6/14/2015
- Point of Contact
- James C. Thieme, Phone: (724) 794-7171, Leslie L. Henderson, Phone: (724) 794-7172
- E-Mail Address
- james.thieme@opm.gov, leslie.henderson@opm.gov
- Small Business Set-Aside
- N/A
- Description
- OPM RFQ OPM3215T0019 - Privacy Act Incident Services Pricing Sheet PDF Version of the RFQ

Blanket Purchase Agreement (BPA) Request for Quotation (RFQ) Procedures

RFQ Number: OPM3215T0019
RFQ Issuance Date: May 28, 2015
Project Title: OPM Privacy Act Incident Services

The U.S. Office of Personnel Management (OPM) is soliciting quotations for Privacy Act Incident Services as detailed in the attached Combined Synopsis/Solicitation and Statement of Work Documents.

COMBINED SYNOPSIS/SOLICITATION RFQ # OPM3215T0019

Contracting Office Address: The U.S. Office of Personnel Management ATTN: James C. Thieme 1137 Branchton Rd. Boyers, PA 16018

REQUIREMENT: This is a combined synopsis/solicitation for commercial items prepared in accordance with Federal Acquisition Regulation (FAR) Part 12.6, as supplemented with additional information included in this notice. This solicitation is issued as Request for Quotations (RFQ) number OPM3215T0019, and incorporates FAR provisions and clauses as amended in the currently applicable Federal Acquisition Circular (FAC 05-82 effective 07 May 2015). The North American Industrial Classification System (NAICS) code is: 541990 - All Other Professional, Scientific, and Technical Services. The small business size standard is $15 million. Competition is not limited solely to small business. OPM intends to award a Blanket Purchasing Agreement (BPA) with firm-fixed unit prices and to simultaneously issue the first Call against that BPA. The BPA will have a term of one year plus four additional one-year option periods.

Deliverables/Service Requirements:

Section A - BPA Setup

1. Background

The U.S. Office of Personnel Management (OPM) is soliciting quotations for Privacy Act Incident Services, including: 1) notification services, 2) credit report access services, 3) credit monitoring services, 4) identity theft insurance and recovery services, and 5) project management services.
These services will be offered, at the discretion of the Government, to individuals who may be at risk due to compromised Personally Identifiable Information (PII).

2. Scope

The Government has a requirement to notify and provide services to individuals when their PII may have been or is compromised due to a Privacy Act incident. The Government may select and award any combination of the following services in any quantity.

3. Services

The Contractor will provide the following services within 5 calendar days, excluding Sunday, of award of a Call against the BPA.

3.1 Notification Services

The Government will determine the notification method to be used for affected individuals and may use different methods for the same incident.

3.1.1 Electronic Mail (email) Notification

3.1.1.1 Government email Notification: The Government may use email to make notifications to affected individuals. The Contractor will provide any necessary information to assist and permit the Government to make email notifications, such as service information, call center information, website information, etc., within 48 hours of a Call against this BPA. This information and assistance will be provided at no cost to the Government.

3.1.1.2 Contractor email Notification: The Contractor will prepare and send email notifications to affected individuals using read receipts. Emails (or attachments) will appear on Government letterhead, will contain Government-approved language, and will contain the signature of the Government official(s). Emails may contain one or more attachments. Email notification proof(s) will be provided to the Government for approval not later than 48 hours after award of a Call against the BPA. The Government will approve the email notification within 24 hours to enable the Contractor to begin preparation for distribution. The Contractor will require, receive, track, and manage read receipts for email notifications.
3.1.2 Letter Notifications

3.1.2.1 Government Letter Notification: The Government may prepare, print, and mail notification letters to affected individuals. The Contractor will provide any necessary information to assist and permit the Government to make letter notifications, such as service information, call center information, website information, etc., within 48 hours of award of a Call against the BPA. This information and assistance will be provided at no cost to the Government.

3.1.2.2 Contractor Letter Notifications: The Contractor will prepare, print, and mail notification letters using first class US Postal Service (USPS) mail to individuals affected by Privacy Act incidents. Letters will be printed with Government letterhead, will contain Government-approved language, and will contain the signature of the Government official(s). Letters may contain one or more attachments. Letter proof(s) will be provided to the Government for approval, not later than award of a Call against the BPA. The Government will approve the letters within 48 hours to enable the Contractor to begin printing and preparation for mailing.

3.1.2.3 Return Receipt: The Contractor will provide return receipt for letter notifications. The Contractor will receive, track, and manage return receipts.

3.1.3 Return Notification Processing

The Contractor will track return notifications. For return letter notifications, the Contractor will use Address Research services to obtain valid address information, and re-send updated, re-dated notifications. For return email notifications, the Contractor will notify the Government and await further guidance. The Government may elect to use Address Research services for return email notifications. The Contractor will notify the Government of returned re-sent notifications on a weekly basis and await further guidance. Services for individuals receiving re-sent notifications will be offered for the full period of performance based on the re-dated notification.
If the Government provides the updated address for the re-sent notification, the Contractor will not charge Address Research fees.

3.1.4 Address Research

The Contractor will provide best-effort research to obtain valid email and mailing address information for notifications. The National Change of Address (NCOA) will be used for address cleansing services.

3.1.5 Call Center Support

The Contractor shall operate a U.S.-based call center at least 12 hours per day (preferably 8:00 am to 8:00 pm US Central Time), Monday through Saturday, for customer support using an expert response team to answer questions about the incident, explain the services being offered, and reassure the individuals that the Contractor will resolve any harm to the individuals. The call center support personnel will respond to questions by affected individuals based on materials approved by the Government and assist them in understanding and obtaining desired services as awarded by the Government. The Contractor will update the materials as needed to reflect new questions and responses, updated instructions for services, etc. Affected individuals will be connected to a licensed fraud investigator, as needed. The call center will be English language based. The Contractor will provide a dedicated U.S. toll-free telephone number. The Contractor shall record and present special requests or issues to the Government for further consideration.

3.1.6 Website Operations

The Contractor will establish and operate a website for customer support for each incident. The website will be available 99.99% of the time, exclusive of reasonable maintenance periods, to provide information to affected individuals, and permit individuals to subscribe to services, as appropriate.

3.2 Credit Report Access Services

The Contractor will provide online access for the affected individuals to review their credit reports at any time. The Government will determine which credit bureau(s) will be utilized.
3.3 Credit Monitoring Services

The Contractor will actively monitor the tri-bureau credit reports for affected individuals and will alert financial institutions and affected individuals of any suspicious or abnormal activities.

3.4 Identity Theft Insurance and Recovery Services

The Contractor will reimburse affected individuals up to $100 thousand, $500 thousand or $1 million for expenses associated with recovery services should the individual become the subject of identity theft or fraud as a result of this incident. The affected individuals will have unlimited access to fraud and identity theft recovery experts, should their identity be stolen during the period of performance for the services offered, until their identities are fully restored, even after the period of performance for the services expires.

3.5 Project Management Services

3.5.1 The Contractor will provide an expertly experienced project manager to manage all projects for this contract. The project manager will be considered Key Personnel for the BPA and the underlying Calls.

3.5.2 The Contractor will de-duplicate services (such as credit monitoring, credit report access, call center support, and identity theft insurance and recovery) for active projects to extend services for affected individuals based on the most recent incident. For active projects, the Contractor will provide updates to each Government customer. For de-duplicated services, the Contractor will prorate services to the highest month, and will charge incident #2 (the most recent incident) only for the extended services, as appropriate.

Example 1 (remaining service for incident #1 is greater than the service for incident #2, resulting in no charge for incident #2): Incident #1 provides 18 months of service. Incident #2 occurs 4 months after incident #1 (18-4=14 months remaining services for incident #1), and offers 12 months of service. Incident #1 will be charged for the full 18 months of services. Incident #2 will not be charged because 14 (remaining services months from incident #1) is greater than 12 (months of services for incident #2) so the service offering from incident #1 remains in effect.

Example 2 (remaining service for incident #1 is less than service for incident #2, resulting in reduced charge for incident #2): Incident #1 provides 12 months of service. Incident #2 occurs 8 months after incident #1 (12-8=4 months remaining services for incident #1), and offers 18 months of services. Incident #1 will be charged for the full 12 months of service. Incident #2 will be charged (18-4) = 14 months of service.

3.5.3 The Contractor will provide a daily summary report of the number of notifications sent and the period of performance for the services, the number of notifications returned as undeliverable, the number of support center calls, the number of website logons, and the number of services provisioned.

3.5.4 The Contractor will provide a weekly report tracking each affected individual, including notification method and date sent or re-sent; notification receipt, read, or return dates; support center call dates; website logon dates; service begin and end dates; and identity theft status and costs.

3.5.5 The Contractor will maintain a list of affected individuals for which the Government must take additional action, such as options for return notifications, requests for extended or additional services, or questions not previously answered in call center materials. The Contractor will review this list daily with the Government to ensure timely resolution of the issues.

4. BPA Unit Pricing

Offerors are instructed to provide unit prices for their offerings on the Excel Spreadsheet attached to this posting. Offerors must provide prices for the base year and each additional option year.

Section B - Call 1

Call 1 will require the following approximated services.

1. Contractor email Notification: 2,100,000 units
2. Contractor Letter Notification: 1,100,000 units
3. Return Receipt: 0 units
4. Return Notification Processing: As required
5. Address Research: As required for returned letter notifications and as requested for returned email notifications
6. Call Center Support: As required to support 3,200,000 notifications
7. Website Operations: 1 website
8. Credit Report Access: As approved by Government
9. Credit Monitoring Services: 3,200,000 units
10. Identity Theft and Recovery Services: 3,200,000 units
11. Project Management Services: As required to support 3,200,000 notifications

Section C - Terms & Conditions:

Quotations are due by 15:00 local time in Boyers, PA, Saturday May 29, 2015, via email referencing the RFQ number in subject line to: James.Thieme@opm.gov. Contractors shall include a separate technical quote and complete the attached excel spreadsheet for their pricing quote. In the technical portion of the quotation the contractor must provide an executive summary detailing their corporate capabilities and demonstrating that they have sufficient resources and capacity to meet OPM's needs. This section must also include a resume for the proposed project manager. Further, the contractor must provide a detailed listing of all the services that are provided under each of their contract line items (CLINS) with a narrative that clearly demonstrates how their offerings meet OPM's requirements as specified in the RFQ. Finally, the contractor must provide a minimum of three, but no more than five, past performance examples over the past three years of projects equal to or larger than the requirements of OPM's first Call.

Quotations shall also include the following information:

1. RFQ number.
2. Time specified for receipt of offers.
3. Name, address, and telephone number of offeror.
4. A technical description of the items being offered in sufficient detail to evaluate compliance with the requirements in the solicitation.
This may include product literature, or other documents, if necessary.
5. Price for each line item of the requirement in the solicitation and any discount terms for the base year and each of the four option years.
6. A completed copy of the representations and certifications at FAR 52.212-3 (see FAR 52.212-3(b) for those representations and certifications that the offeror shall complete electronically).
7. Prospective contractors must be registered in the Federal government's System for Award Management (SAM) database. Information regarding how to register or update your registration which SAM carried over from the Central Contractor Registration (CCR) may be obtained at: www.sam.gov.
8. The Offeror agrees to hold the prices in its offer firm for 30 calendar days from the date specified for receipt of offers, unless another time period is specified in an addendum to the RFP.
9. Any offer, modification, revision, or withdrawal of an offer received at the Government office designated in the solicitation after the exact time specified for receipt shall not be considered.
10. Award evaluation shall be in accordance with FAR 13.106-2 and shall be based on technical capability, past performance and price.
11. A decision to exercise an option under the awarded contract shall be managed in accordance with FAR 52.217-9 Option to Extend the Term of the Contract which is incorporated by reference. This solicitation will be posted on the www.FBO.gov website only. Offerors that fail to furnish the required information and representations, or those which reject the terms and conditions of the solicitation may be excluded from consideration.
12. The following clauses and provisions apply to this acquisition: Incorporated by reference are FAR 52.212-1, Instructions to Offerors-Commercial Items, and FAR 52.212-4, Contract Terms and Conditions-Commercial Items. FAR 52.212-3 Offeror Representations and Certifications-Commercial Items and FAR 52.212-5, Contract Terms and Conditions-Commercial Items Required to Implement Statutes or Executive Orders-Commercial Items are incorporated by full text. Additional FAR clauses apply.
13. Offeror Representations and Certifications-Commercial Items (Mar 2015)

The Offeror shall complete only paragraph (b) of this provision if the Offeror has completed the annual representations and certification electronically via the System for Award Management (SAM) website accessed through http://www.acquisition.gov. If the Offeror has not completed the annual representations and certifications electronically, the Offeror shall complete only paragraphs (c) through (p) of this provision.

PLEASE NOTE THAT PORTIONS OF THIS CLAUSE HAVE BEEN OMITTED DUE TO LENGTH. PARAGRAPHS (c) THROUGH (o) ARE AVAILABLE AT: https://acquisition.gov/far.

(b)(1) Annual Representations and Certifications. Any changes provided by the offeror in paragraph (b)(2) of this provision do not automatically change the representations and certifications posted on the SAM website.

(2) The offeror has completed the annual representations and certifications electronically via the SAM website accessed through http://www.acquisition.gov. After reviewing the SAM database information, the offeror verifies by submission of this offer that the representations and certifications currently posted electronically at FAR 52.212-3, Offeror Representations and Certifications-Commercial Items, have been entered or updated in the last 12 months, are current, accurate, complete, and applicable to this solicitation (including the business size standard applicable to the NAICS code referenced for this solicitation), as of the date of this offer and are incorporated in this offer by reference (see FAR 4.1201), except for paragraphs ______________.
[Offeror to identify the applicable paragraphs at (c) through (o) of this provision that the offeror has completed for the purposes of this solicitation only, if any. These amended representation(s) and/or certification(s) are also incorporated in this offer and are current, accurate, and complete as of the date of this offer. Any changes provided by the offeror are applicable to this solicitation only, and do not result in an update to the representations and certifications posted electronically on SAM.]

14. 52.212-5 Contract Terms and Conditions Required to Implement Statutes or Executive Orders-Commercial Items (May 2015)

CERTAIN PORTIONS OF THIS CLAUSE HAVE BEEN OMITTED DUE TO LENGTH RESTRICTIONS ON FBO. FULL TEXT OF THE CLAUSE IS AVAILABLE AT: https://acquisition.gov/far.

(a) The Contractor shall comply with the following Federal Acquisition Regulation (FAR) clauses, which are incorporated in this contract by reference, to implement provisions of law or Executive orders applicable to acquisitions of commercial items:
(1) 52.222-50, Combating Trafficking in Persons (Mar 2015) (22 U.S.C. Chapter 78 and E.O. 13496).
(2) 52.233-3, Protest After Award (Aug 1996) (31 U.S.C. 3553).
(3) 52.233-4, Applicable Law for Breach of Contract Claim (Oct 2004) (Pub. L. 108-77, 108-78).

(b) The Contractor shall comply with the FAR clauses in this paragraph (b) that the Contracting Officer has indicated as being incorporated in this contract by reference to implement provisions of law or Executive orders applicable to acquisitions of commercial items: [Contracting Officer check as appropriate.]
_X_ (1) 52.203-6, Restrictions on Subcontractor Sales to the Government (Sept 2006), with Alternate I (Oct 1995) (41 U.S.C. 4704 and 10 U.S.C. 2402).
_X_ (2) 52.203-13, Contractor Code of Business Ethics and Conduct (Apr 2010) (41 U.S.C. 3509).
_X_ (3) 52.203-15, Whistleblower Protections under the American Recovery and Reinvestment Act of 2009 (June 2010) (Section 1553 of Pub. L. 111-5). (Applies to contracts funded by the American Recovery and Reinvestment Act of 2009.)
_X_ (4) 52.204-10, Reporting Executive Compensation and First-Tier Subcontract Awards (Jul 2013) (Pub. L. 109-282) (31 U.S.C. 6101 note).
_X_ (6) 52.204-14, Service Contract Reporting Requirements (Jan 2014) (Pub. L. 111-117, section 743 of Div. C).
_X_ (8) 52.209-6, Protecting the Government's Interest When Subcontracting with Contractors Debarred, Suspended, or Proposed for Debarment. (Aug 2013) (31 U.S.C. 6101 note).
_X_ (9) 52.209-9, Updates of Publicly Available Information Regarding Responsibility Matters (Jul 2013) (41 U.S.C. 2313).
_X_ (16) 52.219-8, Utilization of Small Business Concerns (Oct 2014) (15 U.S.C. 637(d)(2) and (3)).
_X_ (19) 52.219-14, Limitations on Subcontracting (Nov 2011) (15 U.S.C. 637(a)(14)).
_X_ (25) 52.219-28, Post Award Small Business Program Representation (Jul 2013) (15 U.S.C. 632(a)(2)).
_X_ (28) 52.222-3, Convict Labor (June 2003) (E.O. 11755).
_X_ (29) 52.222-19, Child Labor-Cooperation with Authorities and Remedies (Jan 2014) (E.O. 13126).
_X_ (30) 52.222-21, Prohibition of Segregated Facilities (Apr 2015).
_X_ (31) 52.222-26, Equal Opportunity (Apr 2015) (E.O. 11246).
_X_ (32) 52.222-35, Equal Opportunity for Veterans (Jul 2014) (38 U.S.C. 4212).
_X_ (33) 52.222-36, Equal Opportunity for Workers with Disabilities (Jul 2014) (29 U.S.C. 793).
_X_ (34) 52.222-37, Employment Reports on Veterans (Jul 2014) (38 U.S.C. 4212).
_X_ (35) 52.222-40, Notification of Employee Rights Under the National Labor Relations Act (Dec 2010) (E.O. 13496).
_X_ (36) 52.222-54, Employment Eligibility Verification (Aug 2013). (Executive Order 12989). (Not applicable to the acquisition of commercially available off-the-shelf items or certain other types of commercial items as prescribed in 22.1803.)
_X_ (40) 52.223-18, Encouraging Contractor Policies to Ban Text Messaging While Driving (Aug 2011) (E.O. 13513).
_X_ (50) 52.232-33, Payment by Electronic Funds Transfer-System for Award Management (Jul 2013) (31 U.S.C. 3332).
_X_ (54)(i) 52.247-64, Preference for Privately Owned U.S.-Flag Commercial Vessels (Feb 2006) (46 U.S.C. Appx. 1241(b) and 10 U.S.C. 2631).

(c) The Contractor shall comply with the FAR clauses in this paragraph (c), applicable to commercial services, that the Contracting Officer has indicated as being incorporated in this contract by reference to implement provisions of law or Executive orders applicable to acquisitions of commercial items: [Contracting Officer check as appropriate.]
_X_ (1) 52.222-41, Service Contract Labor Standards (May 2014) (41 U.S.C. chapter 67).
_X_ (2) 52.222-42, Statement of Equivalent Rates for Federal Hires (May 2014) (29 U.S.C. 206 and 41 U.S.C. chapter 67).
_X_ Fair Labor Standards Act and Service Contract Labor Standards-Price Adjustment (Multiple Year and Option Contracts) (May 2014) (29 U.S.C. 206 and 41 U.S.C. chapter 67).
_X_ (7) 52.222-17, Nondisplacement of Qualified Workers (May 2014) (E.O. 13495).

15. OPM-Specific Clauses

15.1 1752.200-70 On-Site Working Conditions (July 2005)

(a) OPM facilities are smoking restricted workplaces. Due to the nature of the work, facilities, and requirements, contractor staff may only smoke outside in designated smoking areas.

(b) Normal operating hours are 7:00 am to 5:30 pm, Monday through Friday. Meeting task objectives within specific timeframes may require the working of extended/overtime hours. Any extended hours must be authorized in advance, and certified as worked by the task Government Project Manager(s).
(c) Government personnel observe the following days as holidays:
New Year's Day: January 1*
Martin Luther King's Birthday: Third Monday in January
President's Day: Third Monday in February
Memorial Day: Last Monday in May
Independence Day: July 4*
Labor Day: First Monday in September
Columbus Day: Second Monday in October
Veterans Day: November 11
Thanksgiving Day: Fourth Thursday in November
Christmas Day: December 25*
* If the date falls on a Saturday, the Government holiday is the preceding Friday. If the date falls on a Sunday, the Government holiday is the following Monday.

(d) In addition to the days designated as holidays, the Government observes the following days:
• Any other day designated by Federal Statute
• Any other day designated by Executive Order
• Presidential Inauguration Day
• Any other day designated by the President's Proclamation

(e) It is understood and agreed between the Government and the Contractor that observance of such days by Government personnel shall not otherwise be a reason for an additional period of performance, or entitlement of compensation except as set forth within the contract. In the event the Contractor's personnel work during the holiday, they may be reimbursed by the Contractor, however, no form of holiday or other premium compensation will be reimbursed either as a direct or indirect cost, other than their normal compensation for the time worked. This provision does not preclude reimbursement for authorized overtime work if applicable to this contract.

(f) When the Federal, State, Local or other Governmental entity grants excused absence to its employees, assigned Contractor personnel may also be dismissed. The Contractor agrees to continue to provide sufficient personnel to perform critical tasks already in operation or scheduled, and must be guided by the instructions issued by the CO or COR.
(g) If Government personnel are unavailable due to furlough or any other reason, the Contractor must contact the CO or the COR to receive direction. It is the Government's decision as to whether the contract price/cost will be affected. Generally, the following situations apply:
(1) Contractor personnel who are able to continue contract performance (either on-site or at a site other than their normal workstation), must continue to work and the contract price shall not be reduced or increased.
(2) Contractor personnel who are not able to continue contract performance (e.g., support functions) may be asked to cease their work effort. This may result in a reduction to the contract price.

15.2 1752.205-70 Announcement of Contract Award (July 2006)

OPM complies with FAR 5.3, Synopses of Contract Awards, in terms of synopsizing and publicly announcing contract awards. These actions take place at the time of, and not before, the contract is awarded. Contract award, in this case, means signature of the contractual document by the Contracting Officer and forwarding of the contractual document to the contract awardee. If the contract awardee wishes to make a separate public announcement, the awardee must obtain the approval of the Contracting Officer prior to releasing the announcement, and must plan to make announcement only after the contract has been awarded.

15.3 1752.209-70 Contractor Performance Capabilities (July 2005)

The Contractor must be capable of performing all the tasks described in the Statement of Work. The Government shall not be liable for any costs or other involvement in the purchase, repair, maintenance or replacement of Contractor items used to implement or comply with requirements of the contract. Likewise, the Government shall in no way be held accountable by the Contractor for the Contractor's inability to perform under this Contract due to Government technology implementations and or changes.
15.4 1752.209-71 Contractor's Key Personnel (July 2005)

(a) In order to ensure a smooth and orderly startup of work, it is essential that the key personnel specified in the Contractor's proposal be available on the effective date of the contract. If these personnel are not made available at that time, the Contractor must notify the Government Contracting Officer and show cause. If the Contractor does not show cause, the Contractor may be subject to default action.

(b) The Contractor shall not of its own will remove or replace any personnel designated as "key" personnel without the written concurrence of the cognizant Contracting Officer. Prior to utilizing employees other than specified personnel, the Contractor shall notify the Government Contracting Officer and the COR. This notification must be no later than five (5) calendar days in advance of any proposed substitution and must include justification (including resume(s) of proposed substitution(s)) in sufficient detail to permit evaluation of the impact on contract performance.

(c) Substitute personnel qualifications must be equal to, or greater than, those of the personnel being substituted. If the Government Contracting Officer and the COR determine that the proposed substitute personnel is unacceptable, or that the reduction of effort would be so substantial as to impair the successful performance of the work under the contract, the Contractor may be subject to default action. If deemed necessary by the Government, substitute personnel must be given a one-(1) day orientation by Contractor personnel at no additional cost to the Government and with no change in the delivery schedule.
(d) In the event that the performance of assigned Contractor personnel or any substitute(s) is determined by the Government to be unsatisfactory at any time during the life of the Contract, the Government reserves the right to request and receive satisfactory personnel replacement within five (5) calendar days of receipt by the Contractor of written notification. Notification will include the reason for requesting replacement personnel.

(e) The Contractor-supplied personnel are employees of the Contractor and under the administrative control and supervision of the Contractor. The Contractor, through its personnel, shall perform the tasks prescribed herein. The Contractor must select, supervise, and exercise control and direction over its employees (including subcontractors) under this Contract. The Government shall not exercise any supervision or control over the Contractor in its performance of contractual services under this contract. The Contractor is accountable to the Government for the action of its personnel.

(f) The Contractor is herewith notified that employee recruiting and employee retention practices shall be monitored on a regular basis.

15.5 1752.209-72 Qualifications of Contractor's Employees (July 2005)

The Contracting Officer may require dismissal from work of those employees which he/she deems incompetent, careless, insubordinate, unsuitable or otherwise objectionable, or whose continued employment he/she deems contrary to the public interest or inconsistent with the best interest of national security. The Contractor must fill out, and cause each of its employees on the contract work to fill out, for submission to the Government, such forms as may be necessary for security or other reasons. Upon request of the Contracting Officer, the Contractor's employees must be fingerprinted.
Each employee of the Contractor who works on this contract shall be a citizen of the United States of America, or an alien who has been lawfully admitted for permanent residence as evidenced by Alien Registration Receipt Card Form 1-151, or who presents other evidence from the Immigration and Naturalization Service that employment will not affect his/her immigration status.

15.6 1752.209-73 Standards of Conduct (June 2006)

(a) Personnel assigned by the contractor to the performance of work under this order must be acceptable to the Government in terms of personal and professional conduct. Contractor personnel shall conform to standards of conduct as follows:
(1) No contractor employees shall solicit new business while performing work under this order.
(2) The contractor and its employees shall not discuss with unauthorized persons any information obtained in the performance of work under this order.

(b) Should the continued assignment to work under this order of any person in the contractor's organization be deemed by the Contracting Officer to conflict with the interests of the Government, that person shall be removed immediately from assignment, and the reason for removal shall be fully documented in writing by the Contracting Officer. Employment and staffing difficulties shall not be justification for failure to meet established schedules, and if such difficulties impair performance, the contractor may be subject to default.

15.7 1752.209-74 Organizational Conflicts of Interest (Jan 2015)

(a) The Contractor warrants that, to the best of the Contractor's knowledge and belief, there are no relevant facts or circumstances which could give rise to an organizational conflict of interest (OCI), as defined in FAR 9.5, Organizational and Consultants Conflicts of Interest, or that the Contractor has disclosed all such relevant information.
(b) Disclosure of Organizational Conflict of Interest after Contract Award: If the Contractor identifies an actual or potential organizational conflict of interest that has not already been adequately disclosed and resolved (or waived in accordance with FAR 9.503), the Contractor shall make a prompt and full disclosure in writing to the Contracting Officer. This disclosure shall include a description of the action the Contractor has taken or proposes to take in order to resolve the conflict. This reporting requirement also includes subcontractors' actual or potential organizational conflicts of interest not adequately disclosed and resolved prior to award. (c) Mitigation plan. If there is a mitigation plan in the contract, the Contractor shall periodically update the plan, based on changes such as changes to the legal entity, the overall structure of the organization, subcontractor arrangements, contractor management, ownership, ownership relationships, or modification of the work scope. Further, all personnel must receive company sponsored OCI training within 30 days of joining this contract. (d) The Contracting Officer may terminate this contract for convenience, in whole or in part, if it deems such termination necessary to avoid an OCI. If the Contractor was aware of a potential OCI prior to award or discovered an actual or potential conflict after award and did not disclose or misrepresented relevant information to the Contracting Office, the Government may terminate the contract for default, debar the Contractor from Government contracting, or pursue such other remedies as may be permitted by law or this contract. (e) The Contractor must include this clause in all subcontracts and in lower tier subcontracts unless a waiver is requested from, and granted by, the Contracting Officer. (f) OPM may communicate with offerors at any time about its OCI plans and such exchanges do not constitute discussions. 
(g) In the event that a requirement changes in such a way as to create a potential conflict of interest for the Contractor, the Contractor must: (1) Notify the Contracting Officer of a potential conflict, and; (2) Recommend to the Government an alternate approach which would avoid the potential conflict, or (3) Present for approval a conflict of interest mitigation plan that will: (i) Describe in detail the changed requirement that creates the potential conflict of interest; and (ii) Outline in detail the actions to be taken by the Contractor or the Government in the performance of the task to mitigate the conflict, division of subcontractor effort, and limited access to information, or other acceptable means. (4) The Contractor must not commence work on a changed requirement related to a potential conflict of interest until specifically notified by the Contracting Officer to proceed. (5) If the Contracting Officer determines that it is in the best interest of the Government to proceed with work, notwithstanding a conflict of interest, a request for waiver must be submitted in accordance with FAR 9.503. (h) Limitation of Future Contracting (1) The Contracting Officer has determined that this acquisition may give rise to a potential organizational conflict of interest. Accordingly, the attention of prospective offerors is invited to FAR Subpart 9.5--Organizational Conflicts of Interest. (2) The nature of this conflict is: At this time, no organizational conflict of interest is identified. (3) The restrictions upon future contracting are as follows: (i) If the Contractor, under the terms of this contract, or through the performance of tasks pursuant to this contract, is required to develop specifications or statements of work that are to be incorporated into a solicitation, the Contractor shall be ineligible to perform the work described in that solicitation as a prime or first-tier subcontractor under an ensuing contract. 
This restriction shall remain in effect for a reasonable time, as agreed to by the Contracting Officer and the Contractor, sufficient to avoid unfair competitive advantage or potential bias (this time shall in no case be less than the duration of the initial production contract). The Government shall not unilaterally require the Contractor to prepare such specifications or statements of work under this contract. (ii) To the extent that the work under this contract requires access to proprietary, business confidential, or financial data of other companies, and as long as these data remain proprietary or confidential, the Contractor shall protect these data from unauthorized use and disclosure and agrees not to use them to compete with those other companies. 15.8 1752.209-75 Reducing Text Messaging While Driving (Oct 2009) (a) In accordance with Section 4 of the Executive Order, "Federal Leadership on Reducing Text Messaging While Driving," dated October 1, 2009, you are hereby encouraged to: (1) Adopt and enforce policies that ban text messaging while driving company-owned or -rented vehicles or Government-owned, -leased or -rented vehicles, or while driving privately-owned vehicles when on official Government business or when performing any work for or on behalf of the Government; and (2) Consider new company rules and programs, and reevaluating existing programs to prohibit text messaging while driving, and conducting education, awareness, and other outreach for company employees about the safety risks associated with texting while driving. These initiatives should encourage voluntary compliance with the company's text messaging policy while off duty. 
(b) For purposes of complying with the Executive Order: (1) "Texting" or "Text Messaging" means reading from or entering data into any handheld or other electronic device, including for the purpose of SMS texting, e-mailing, instant messaging, obtaining navigational information, or engaging in any other form of electronic data retrieval or electronic data communication. (2) "Driving" means operating a motor vehicle on an active roadway with the motor running, including while temporarily stationary because of traffic, a traffic light or stop sign, or otherwise. It does not include operating a motor vehicle with or without the motor running when one has pulled over to the side of, or off, an active roadway and has halted in a location where one can safely remain stationary. 15.9 1752.222-70 Notice of Requirement for Certification of Nonsegregated Facilities (July 2005) By signing this offer or contract, the contractor will be deemed to have signed and agreed to the provisions of Federal Acquisition Regulations (FAR) Clause 52.222-21, Certification of Nonsegregated Facilities, incorporated by reference in this solicitation/contract. The certification provides that the bidder or offeror does not maintain or provide for its employees, facilities which are segregated on a basis of race, color, religion, or national origin, whether such facilities are segregated by directive or on a de facto basis. The certification also provides that the bidder/offeror does not and will not permit its employees to perform their services at any location under its control where segregated facilities are maintained. FAR Clause 52.222-21 must be included in all subcontracts as well. 
15.10 1752.222-71 Special Requirements for Employing Veterans (May 2015) (a) If this contract contains FAR Clause 52.222-35 (Equal Opportunity for Veterans, Veterans), your company must comply with the requirements of this clause, including the listing of employment opportunities with the local office of the state employment service system. (b) If this contract contains FAR clauses 52.222-37 (Employment Reports on Veterans) or 52.222-38 (Compliance with Veterans' Employment Reporting Requirements), you are reminded that your company must comply with the special reporting requirements described in those clauses. Your company must submit information on several aspects of its employment and hiring of special disabled and Vietnam era veterans or other veterans who served on active duty during a war or in a campaign or expedition for which a campaign badge has been authorized. You must submit this information no later than September 30 of each year, in the "Federal Contractor Veterans' Employment Report" or VETS-100 Report. The U.S. Department of Labor has established a web site for submitting this report. The address is: http://www.vets100.cudenver.edu. 15.11 1752.223-71 Environmentally Preferable Products and Services (Feb 2013) (a) Executive Order 13423, Strengthening Federal Environmental, Energy, and Transportation Management, requires in agency acquisitions of goods and services (i) use of sustainable environmental practices, including acquisition of biobased, environmentally preferable, energy-efficient, water-efficient, and recycled-content products, and (ii) use of paper of at least 30 percent post-consumer fiber content. (b) By signing this offer or contract, the contractor will be deemed to have signed and agreed that all goods and services provided under this contract will comply with the above requirements of Executive Order 13514. 
15.12 1752.224-70 Protecting Sensitive Information (Sep 2014) (a) Applicability This clause applies to the Contractor, its subcontractors, and Contractor personnel (hereafter referred to collectively as "Contractor") and addresses specific OPM requirements in addition to those included in the Federal Acquisition Regulation (FAR), Privacy Act of 1974 (5 U.S.C. 552a - the Act), the Health Insurance Portability and Accountability Act of 1996 (HIPAA, Pub. L. 104-191, 110 Stat. 1936), the Sarbanes-Oxley Act of 2002 (SOX, Pub. L. 107-204, 116 Stat 745), and other laws, mandates, or executive orders pertaining to the development and operations of information systems and the protection of sensitive information and data. The following should not be construed to alter or diminish civil and/or criminal liabilities provided under various laws or mandates. (b) Authorization to Use, Store, or Share Sensitive Information (1) Written approval by the Chief Information Officer (CIO), or delegate, is required prior to the use or storage of OPM Sensitive Information or sharing of OPM Sensitive Information by the Contractor with any subcontractor, person, or entity other than OPM. (2) Contractor must not remove Sensitive Information from approved location(s), electronic device(s), or other container(s), without prior approval of the CIO, or designate. (c) Information Types The term Information is synonymous with Data, regardless of format or medium. Personally Identifiable Information (PII) is a subset of Sensitive Information. Sensitive PII is a subset of PII, and therefore a subset of Sensitive Information. All requirements for Sensitive Information apply to PII and Sensitive PII. All requirements for PII apply to Sensitive PII. (1) Sensitive Information is any information, which if lost, compromised, or disclosed, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual, the Government, or the Government's interests. 
Sensitive Information is subject to stricter handling requirements because of the increased risk if the data are compromised. Some categories of Sensitive Information include Financial, Medical or Health, Legal, Strategic and Business, Human Resources, Personally Identifiable Information (PII), and Sensitive PII. These categories of information require appropriate protection as stand-alone information and may require additional protection in aggregate. (2) Personally Identifiable Information (PII) PII, as defined in OMB Memorandum M-07-16, refers to information that can be used to distinguish or trace an individual's identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. The definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified. In performing this assessment, it is important to recognize that non-PII can become PII whenever additional information that is publicly available - in any medium and from any source - is or can be combined to identify an individual. As an example, PII includes a name and an address because it uniquely identifies an individual, but alone may not constitute Sensitive PII. (3) Sensitive PII Sensitive PII refers to information that can be used to target, harm, or coerce an individual or entity, assume or alter an individual's or entity's identity, or alter the outcome of an individual's or entity's activities. Sensitive PII requires stricter handling because of the increased risk to an individual or associates if the information is compromised. Some categories of Sensitive PII include stand-alone information, such as Social Security numbers (SSN) or biometric identifiers. 
Other information such as a financial account, date of birth, maiden names, citizenship status, or medical information, in conjunction with the identity of an individual (directly or indirectly inferred), are also considered Sensitive PII. In addition, the context of the information may determine whether it is sensitive, such as a list of employees with poor performance ratings or a list of employees who have filed a grievance or complaint. (d) Information Security Incidents (ISI) An ISI is an incident that includes the known, potential, or suspected exposure, loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or unauthorized access of any Contractor or Government systems or information, including, but not limited to, Sensitive Information. (1) ISI Reporting Requirements All ISIs must be reported in accordance with the requirements below; even if it is believed the Incident may be limited, small, or insignificant. OPM will determine when an Incident requires additional focus and attention. a. Contractor employees must report all ISIs to the OPM Situation Room immediately, but not later than 30 minutes, after becoming aware of the Incident, at: sitroom@opm.gov, (202) 418-0111, Fax (202) 606-0624, regardless of day or time. b. When notifying the OPM Situation Room, copy the Contracting Officer, FISFCResourceOversight@opm.gov, and FISITSST@opm.gov. If reporting by phone, e-mail the Contracting Officer, FISFCResourceOversight@opm.gov, and FISITSST@opm.gov immediately after reporting the incident to the Situation Room. c. If you have questions regarding these procedures, contact the Contracting Officer. d. Do NOT include any Sensitive Information in the subject or body of any e-mail. To transmit Sensitive Information, use FIPS 140-2 compliant encryption methods to protect Sensitive Information in attachments to email. Passwords must not be communicated in the same email as the attachment. e. 
Contractor employees must also provide any supplementary information or reports related to a previously reported incident directly to the OPM Situation Room; with the following text in the subject line of the email: "Supplementary Information/Report related to previously reported incident ## [insert number]." (2) ISI Response Requirements a. All determinations related to ISIs, including response activities, notifications to affected individuals and/or federal agencies, and related services (e.g., credit monitoring) will be made by authorized OPM officials at OPM's discretion. b. The Contractor and Contractor employees must provide full access and cooperation for all activities determined by OPM to be required to ensure an effective Incident Response, including providing all requested images, log files, and event information to facilitate rapid resolution of ISIs. c. Incident Response activities determined to be required by OPM may include but are not limited to, inspections; investigations; forensic reviews; data analyses and processing; and final determinations of responsibility for the Incident and/or liability for any additional Response activities. d. OPM, at its sole discretion, may obtain the assistance of federal agencies and/or third party firms to aid in Incident Response activities. e. The Contractor must accept responsibility and liability; financial and other for an ISI, including the costs for Reporting, Review and Response, Determination, and Resolution including notifications to and credit monitoring for affected individuals. (e) Contractor Policy Document for Protection of Sensitive Information The Contractor is responsible for the proper handling and protection of Sensitive Information to prevent unauthorized disclosure. The Contractor must produce policy documentation requiring approval by the CIO, or designate, regarding the protection and handling of Sensitive Information. 
The policy must address the following, at a minimum: (1) Proper marking, control, storage and handling of Sensitive Information residing on electronic media, including computers and removable media, and on paper documents. (2) Proper control and storage of mobile technology, portable data storage devices, and communication devices. (3) Proper use of FIPS 140-2 compliant encryption methods to protect Sensitive Information while at rest and in transit throughout OPM, Contractor, and/or subcontractor networks, and on host and client platforms. (4) Proper use of FIPS 140-2 compliant encryption methods to protect Sensitive Information in email attachments, including policy that passwords must not be communicated in the same email as the attachment. (5) ISIs. (6) Contractor Access to OPM IT Systems. (7) IT Security and Privacy Awareness Training. (8) Specialized IT Security Awareness Training for Security Staff. (9) Information Systems Policy Compliance requirements and procedures. (10) Contract Performance Information. 15.13 1752.224-71 Freedom of Information Act Requests (Sep 2009) (a) Offerors are reminded that information furnished under this solicitation may be subject to disclosure under the Freedom of Information Act (FOIA). Therefore: (1) All items that are confidential to business, or contain trade secrets, proprietary, or personnel information must be clearly marked in all documents submitted to the U.S. Office of Personnel Management (OPM or The Government). Marking of items will not necessarily preclude disclosure when the OPM determines disclosure is warranted by FOIA. However, if such items are not marked, all information contained within the submitted documents will be deemed to be releasable. (2) No later than five (5) business days after award of a contract, blanket purchase agreement (BPA), or order, the Contractor must provide OPM a redacted copy of the contract/BPA/order in electronic format. 
This copy will be used to satisfy any requests for copies of the contract/BPA/order under the FOIA. If the Contracting Officer believes that any redacted information does not require protection from public release, the issue will be resolved in accordance with paragraph 3.104-4(d) of the Federal Acquisition Regulation. (b) Any information made available to the Contractor by the Government must be used only for the purpose of carrying out the provisions of this contract and must not be divulged or made known in any manner to any person except as may be necessary in the performance of the contract. (c) In performance of this contract, the Contractor assumes responsibility for protection of the confidentiality of Government records and must ensure that all work performed by its subcontractors shall be under the supervision of the Contractor or the Contractor's responsible employees. (d) Each officer or employee of the Contractor or any of its subcontractors to whom any Government record may be made available or disclosed must be notified in writing by the Contractor that information disclosed to such officer or employee can be used only for a purpose and to the extent authorized herein, and that further disclosure of any such information, by any means, for a purpose or to an extent unauthorized herein, may subject the offender to criminal sanctions imposed by 19 U.S.C. 641. That section provides, in pertinent part, that whoever knowingly converts to their use or the use of another, or without authority, sells, conveys, or disposes of any record of the United States or whoever receives the same with intent to convert it to their use or gain, knowing it to have been converted, shall be guilty of a crime punishable by a fine of up to $10,000, or imprisoned up to ten years, or both. 
15.14 1752.232-71 Method of Payment (July 2005) (a) Payments under this contract will be made either by check or by wire transfer through the Treasury Financial Communications System at the option of the Government. (b) The Contractor must forward the following information in writing to the Contracting Officer not later than seven (7) days after receipt of notice of award: (1) Full Name (where practicable), title, telephone number, and complete mailing address of responsible official(s): (i) to whom check payments are to be sent, and (ii) who may be contacted concerning the bank account information requested below. (2) The following bank account information required to accomplish wire transfers: (i) Name, address, and telegraphic abbreviation of the receiving financial institution. (ii) Receiving financial institution's 9-digit American Bankers Association (ABA) identifying number for routing transfer of funds. (Provide this number only if the receiving financial institution has access to the Federal Reserve Communications System.) (iii) Recipient's name and account number at the receiving financial institution to be credited with the funds. If the receiving financial institution does not have access to the Federal Reserve Communications System, provide the name of the correspondent financial institution through which the receiving institution receives electronic funds transfer messages. If a correspondent financial institution is specified, also provide: (A) Address and telegraphic abbreviation of the correspondent financial institution. (B) The correspondent financial institution's 9-digit ABA identifying number for routing transfer of funds. (c) Any changes to the information furnished under paragraph (b) of this clause shall be furnished to the Contracting Officer in writing at least 30 days before the effective date of the change. It is the Contractor's responsibility to furnish these changes promptly to avoid payments to erroneous addresses or bank accounts. 
(d) The document furnishing the information required in paragraphs (b) and (c) must be dated and contain the signature, title, and telephone number of the Contractor official authorized to provide it, as well as the Contractor's name and contract number. 15.15 1752.232-73 Small Business Invoice Requirements (October 2012) (a) A proper invoice must include the following items (except for interim payments on cost reimbursement contracts for services): (1) Name and address of the contractor. (2) Invoice date and invoice number. (Contractors should date invoices as close as possible to the date of transmission.) (3) Contract number or other authorization for supplies delivered or services performed (including order number and contract line item number). (4) Description, quantity, unit of measure, unit price, and extended price of supplies delivered or services performed. (5) Shipping and payment terms (e.g., shipment number and date of shipment, discount for prompt payment terms). Bill of lading number and weight of shipment will be shown for shipments on Government bills of lading. (6) Name and address of contractor official to whom payment is to be sent (must be the same as that in the contract or in a proper notice of assignment). (7) Name (where practicable), title, phone number, and mailing address of person to notify in the event of a defective invoice. (8) Taxpayer Identification Number (TIN). The contractor must include its TIN on the invoice only if required by agency procedures. (See 4.9 TIN requirements.) (9) Electronic funds transfer (EFT) banking information. 
(i) The contractor shall have submitted correct EFT banking information in accordance with the applicable solicitation provision (e.g., 52.232-38, Submission of Electronic Funds Transfer Information with Offer), contract clause (e.g., 52.232-33, Payment by Electronic Funds Transfer-Central Contractor Registration, or 52.232-34, Payment by Electronic Funds Transfer-Other Than Central Contractor Registration), or applicable agency procedures. (ii) The last four digits of the contractor's bank account must be shown on each invoice submitted for payment. This information will be used as a cross-reference in situations where the EFT banking information in the Central Contract Registration is suspect. (iii) EFT banking information is not required if the Government waived the requirement to pay by EFT. (10) The vendor's certification that their EFT banking information in the Central Contractor Registration is current, accurate and complete as of the date of the invoice. (11) Any other information or documentation required by the contract (e.g., evidence of shipment). (b) Any invoice that does not contain all of the information listed in paragraph (a) above will be rejected as improper, and a new complete corrected invoice must be submitted. The payment due date for the corrected invoice will be calculated from the date it is received in the Prompt Pay e-mail box. (c) ALL small business invoices-without exception-must have unique identifying numbers, and be submitted via e-mail to OPM's Small Business Invoice e-mail box at: SmallBusinessInvoices@opm.gov Please note that OPM cannot guarantee payment of invoices sent by any other means, such as regular mail or e-mail to other addresses. 
(d) Please attach ONLY one invoice to each e-mail, and use the following format for the subject line of the e-mail: <Contractor name>&<Invoice no>&<Amount>&<Contract Number>/<Call or Order Number> Example: ABC Co&AB-1298433&10000.00&OPM00-00-X-0000/X0000 (e) Payment due dates will only be calculated from the date that invoices are received in the Small Business Invoice e-mail box. (f) Inquiries regarding payment of invoices should be e-mailed to InvoiceInquiries@opm.gov. The relevant invoice must be attached to the inquiry e-mail, and the subject line of the e-mail must state "INQUIRY," followed by the information described in paragraph (d) above. Example: INQUIRY: ABC Co&AB-1298433&10000.00&OPM00-00-X-0000/X0000 Do NOT use the Prompt Pay e-mail box for inquiries. (g) If the supplies, services, technical or other reports are rejected for failure to conform to the technical requirements of the contract, or for damage in transit or otherwise, the invoice will be rejected and returned to the Contractor. 15.16 1752.232-74 Providing Accelerated Payment to Small Business Subcontractors (Oct 2012) (a) This clause implements the temporary policy provided by OMB Policy Memorandum M-12-16, Providing Prompt Payment to Small Business Subcontractors, dated July 11, 2012. (Note: OMB Policy Memorandum M-12-16 is accessible on line at: http://www.whitehouse.gov/sites/default/files/omb/memoranda/2012/m-12-16.pdf.) (b) Upon receipt of accelerated payments from the Government, the contractor is required to pay all small business subcontractors on an accelerated timetable to the maximum extent practicable after receipt of invoice and all proper documents. (c) Include the substance of this clause, including this paragraph (b), in all subcontracts with small business. 
15.17 1752.233-70 OPM Protest Procedures [Applicable to Solicitations Only] (Dec 2010) (a) An interested party who files a protest with OPM has the option of requesting review and consideration of the protest by either the Contracting Officer (CO) or the Senior Procurement Executive (SPE). The protest must clearly indicate the official to whom it is directed. (b) If the protest is directed to the SPE, a copy of the protest must be sent to the Director of the Contracting Group at the same time the protest is filed with the CO in accordance with FAR 52.233-2. The address of the Director of the Contract Group is: Gregory F. Blaszko, Director Contracting Group, FSC U.S. Office of Personnel 600 Arch Street, Suite 3400 Philadelphia, PA 19106 (c) Review and consideration of a protest by the SPE is an alternative to review and consideration by the CO. 15.18 1752.237-70 Non-Personal Services (July 2005) (a) As stated in the Office of Federal Procurement Policy Letter 92-1, dated September 23, 1992, Inherently Governmental Functions, no personal services shall be performed under this contract. No Contractor employee will be directly supervised by the Government. All individual employee assignments, and daily work direction, shall be given by the applicable employee supervisor. If the Contractor believes any Government action or communication has been given that would create a personal services relationship between the Government and any Contractor employee, the Contractor must promptly notify the Contracting Officer of this communication or action. (b) The Contractor must not perform any inherently Governmental actions under this contract. No Contractor employee shall hold him or herself out to be a Government employee, agent, or representative. No Contractor employee may state orally or in writing at any time that he or she is acting on behalf of the Government. 
In all communications with third parties in connection with the contract, Contractor employees must identify themselves as Contractor employees and specify the name of the company for which they work. In all communications with other Government Contractors in connection with this contract, the Contractor employee must state that they have no authority to in any way change the contract and that if the other Contractor believes this communication to be a direction to change their contract, they should notify the Contracting Officer for that contract and not carry out the direction until a clarification has been issued by the Contracting Officer. (c) The Contractor must insure that all of its employees working on this contract are informed of the substance of this clause. Nothing in this clause limits the Government's rights in any way under any other provision of the contract, including those related to the Government's right to inspect and accept the services to be performed under this contract. The substance of this clause must be included in all subcontracts at any tier. 15.19 1752.239-70 Internet Protocol Version 6 (Ipv6) (Sep 2014) (a) In accordance with OPM Directives, this acquisition requires all functionality, capabilities and features to be supported and operational in both a dual-stack IPv4/IPv6 environment and an IPv6 only environment. Furthermore, all management, user interfaces, configuration options, reports and other administrative capabilities that support IPv4 functionality will support comparable IPv6 functionality. The Contractor is required to certify that its products have been tested to meet the requirements for both a dual-stack IPv4/IPv6 and IPv6 only environment. OPM reserves the right to require the Contractor's products to be tested within an OPM or third party test facility to show compliance with this requirement. 
(b) In accordance with FAR 11.002(g) and OPM Directives, this acquisition must comply with the NIST USGv6 Profile and IPv6 Test Program. The Contractor must fund and provide resources necessary to support these testing requirements. 15.20 1752.239-71 Information Technology Systems Security (Jul 2014) (a) The Contractor must implement, maintain, and use an Information security program that is compliant with FISMA, NIST, OMB guidelines, OPM security policies, and other applicable laws, throughout the performance of this Contract. (b) The Contractor facilities and IT systems must meet the security requirements for the same impact level or greater as defined by the FIPS 199 for the Information being accessed. The OPM CIO (or designate) must provide written approval of the FIPS 199 security categorization. 15.21 1752.239-73 Section 508 Standards (Sep 2014) (a) All electronic and information technology (EIT) procured through this Contract must meet the applicable accessibility standards at 36 CFR 1194, unless an OPM exception to this requirement exists. 36 CFR 1194 implements Section 508 of the Rehabilitation Act of 1973, as amended, and is viewable at http://www.access-board.gov/sec508/508standards.htm. (b) The following standards have been determined to be applicable to this Contract: (1) 1194.21. Software applications and operating systems (2) 1194.22. Web-based intranet and Internet information and applications (3) 1194.23 Telecommunications products (4) 1194.24 Video and multimedia products (5) 1194.25 Self-Contained, closed products (6) 1194.26 Desktop and portable computers (7) 1194.31 Functional performance criteria (8) 1194.41 Information, documentation, and support (c) OPM is required by Section 508 of the Rehabilitation Act of 1973, as amended (29 U.S.C. 794d), to offer access to electronic and information technology for disabled individuals within its employment, and for disabled members of the public seeking information and services. 
This access must be comparable to that which is offered to similar individuals who do not have disabilities. Standards for complying with this law are prescribed by the Architectural and Transportation Barriers Compliance Board ("The Access Board"). (d) Deliverable(s) must incorporate these standards as well as any OPM specific standards. The attached technical description contains further information on how this may be done. (e) The final work product must include documentation that the deliverable conforms with Section 508 Standards, promulgated by the US Access Board. (f) In the event of a dispute between the Contractor and OPM, OPM's assessment of the Section 508 compliance will control and the Contractor will make any additional changes needed to conform with OPM's assessment, at no additional charge to OPM. 15.22 1752.239-74 Compliance with Security IT Policies (Sep 2014) (a) Information systems and system services provided to OPM by the Contractor must comply with the current OPM IT, IT security, security and privacy policies and guidance. (b) Contractors are also required to comply with current federal regulations and guidance found in the Federal Information Security Management Act (FISMA), Privacy Act of 1974, E-Government Act of 2002, Section 208, National Institute of Standards and Technology (NIST), Federal Information Processing Standards (FIPS) and the 800-Series Special Publications (SP), Office of Management and Budget (OMB) memorandum, and other relevant federal laws and regulations that OPM must comply with. 
15.23 1752.239-75 Minimum Information System Security Requirements (Jul 2014) (a) Contractor and federal systems must adhere to minimum security requirements following the guidance provided in NIST's FIPS publication 200, Minimum Security Requirements for Federal Information and Information Systems and the corresponding security controls described in the most current version of NIST Special Publication 800-53, Recommended Security and Privacy Controls for Federal Information Systems and Organizations. (b) Federal Information Processing Standard (FIPS) publication 199 must be utilized to determine the security categorization (High, Moderate, or Low) for OPM and Contractor systems. OPM must determine the categorization for Contractor systems. The security categorization, as determined by OPM, must be utilized to identify the security control baseline requirements. The OPM CIO must provide written approval on the FIPS 199 security categorization and has the authority, working with the System Owner to approve or change the categorization rating. 15.24 1752.239-76 Security Assessment and Authorization (Sep 2014) (a) This Contract requires the Contractor to develop, deploy, and/or use information technology (IT) systems to access and/or store Government Information, including Controlled Unclassified Information (CUI). (b) All IT systems that input, store, process, and/or output Government Information must be provided an Authority to Operate (ATO) signed by the OPM CIO (or designate) and the OPM Executive Business Sponsor. (c) The IT systems must meet the security requirements for the same impact level or greater as defined by the Federal Information Processing Standard (FIPS) 199 for the Information being accessed. The OPM CIO (or designate) must provide written approval of the FIPS 199 security categorization. (d) A Privacy Threshold Analysis (PTA) must be completed for all systems. 
Based on the PTA, the OPM Chief Privacy Officer will determine whether a Privacy Impact Assessment (PIA) is required. (e) Security A&A documentation must be developed with the use of OPM security documentation templates, as adapted for Contractor IT systems. Templates are available for all security documentation including the System Security Plan, Security Assessment Report, Contingency Plan, Incident Response Plan, etc. The Security A&A process must be followed throughout the IT system lifecycle process to ensure proper oversight by OPM. (f) The Contractor must complete the A&A process independently of OPM, including the selection and funding of an approved Federal Risk and Authorization Management Program (FEDRAMP) Third-Party Assessor Organization (3PAO) to validate the security and privacy controls in place for the systems and the overall accuracy of A&A packages. The Contractor must submit to OPM a signed A&A package approved by the Contractor Chief Information Officer (CIO) or higher level executive, along with the report and supporting documentation such as system and configuration scans from the 3PAO at least ninety (90) days prior to operation of the IT system. Should OPM not consider the signed package to meet OPM A&A requirements for any reason, OPM retains the right to not issue an ATO for the system. Should OPM consider it possible for the Contractor to improve the compliance of the A&A package, OPM may provide general or detailed information to the Contractor for possible modification to the package to improve compliance and resubmission to OPM after modification. OPM reserves the right to not provide any information related to packages determined to be non-compliant; and to limit the number of re-submissions of a modified package before OPM makes a final determination that a resubmitted package will not receive an ATO and no further resubmissions will be accepted. 
OPM is the final authority on the compliance of a submitted package with OPM A&A requirements, and no appeals are available. (g) The Contractor must submit an updated A&A package, along with the 3PAO report, and supporting documentation to the OPM CIO at least 90 days before the expiration of existing ATO for security review and verification of security controls. Security reviews may include onsite visits that involve physical or logical inspection of the Contractor environment and IT systems. ATO extensions will only be granted in extenuating circumstances. (h) The Contractor must ensure a plan of action and milestones (POA&M) is generated for each security finding and is remediated within a time frame commensurate with the level of risk, as follows: (1) High Risk = 30 days; (2) Moderate Risk = 90 days; and (3) Low Risk = 120 days. 15.25 1752.239-77 Privacy Act Compliance (Nov 2012) (a) Contractors must comply with the Privacy Act of 1974 rules and regulations in the design, development, or operation of any system of records on individuals to accomplish an OPM function for a System of Records (SOR). (b) In the event of violations of the Act, a civil action may be brought against OPM involved when the violation concerns the design, development, or operation of a SOR on individuals to accomplish an OPM function, and criminal penalties may be imposed upon the officers or employees of OPM when the violation concerns the operation of a SOR on individuals to accomplish an OPM function. For purposes of the Act, when the contract is for the operation of a SOR on individuals to accomplish an OPM function, the contractor/subcontractor is considered to be an employee of the agency. 15.26 1752.239-78 Federal Reporting Requirements (Sep 2014) Contractors operating information systems on behalf of OPM must comply with Federal Information Security Management Act (FISMA) reporting requirements. Annual and quarterly data collection will be coordinated by OPM. 
Contractors must provide OPM with the requested information based on the timeframes provided with each request. Contractor systems must comply with monthly data feed requirements as coordinated by OPM. Reporting requirements are determined by the Office of Management and Budget (OMB), and may change each reporting period. The Contractor will provide OPM with all information to fully satisfy FISMA reporting requirements for Contractor systems. 15.27 1752.239-79 Cloud Computing (Sep 2014) (a) Prior to using any commercial Cloud Service Provider (CSP), the Contractor shall obtain approval from the OPM Chief Information Officer (CIO). (b) Information stored in a cloud environment remains the sole property of OPM, not the Contractor or the CSP. (c) The CSP must be held accountable for all the protections levied on the Contractor, and must be held accountable for all other requirements for IT systems and CUI, unless waived in writing by the OPM CIO. (d) The CSP must allow OPM access to OPM Information including data schemas, meta data, and other associated data artifacts that are required to ensure OPM can fully and appropriately retrieve OPM Information from the CSP. (e) The CSP must be evaluated by a Federal Risk and Authorization Management Program (FEDRAMP) Third Party Assessment Organization (3PAO). The most current, and any subsequent, security assessment reports must be made available to the Contracting Officer and CIO for consideration, including the CSP's Systems Security Plan, as part of the Contractor's Systems Security Plan. (f) The Contractor must require the CSP to follow cloud computing Contract best practices identified in "Creating Effective Cloud Computing Contracts for the Federal Government" produced by the Federal CIO Council and Federal Chief Acquisition Officers Council, and NIST guidance. 
15.28 1752.239-81 Specialized IT Security Awareness Training for Security Staff (Sep 2014) (a) Contractor IT security personnel are required to complete specialized IT security training based on the role-based requirements below. The Contractor is required to report training completed to ensure competencies that address this training. The Contractor must ensure training hours satisfying the below training requirements are submitted to the COR upon completion of training.
IT Security Roles/Functions | Minimum Hours Required for Specialized Training
Contractor System Manager\Owner | 5
Information Security Specialist; Information System Security Officer (ISSO) | 20
Privacy Officer | 5
System Administrator/Network Administrator/Database Administrator; Service Desk Personnel/Helpdesk/Programmer/Developer | 10
Other IT Personnel with security responsibilities | 2
(b) The Information Security Officer and Information Security Specialists must be a Certified Information Systems Security Professional (CISSP) within 6 months of Contract award and maintain their certification throughout the period of performance, which will serve to fulfill the requirement for specialized training. 15.29 1752.239-84 FIPS 140 Encryption Requirements (Jul 2014) Cryptographic modules used to protect OPM information must be compliant with the current FIPS 140 version and validated by the Cryptographic Module Validation Program (CMVP). The Contractor must provide the validation certificate number to OPM for verification. Encryption is required to protect federal and Contractor data when transmitting 15.30 1752.239-85 Security Monitoring and Alerting Requirements (Sep 2014) All Contractor-operated systems that use or store OPM information must meet or exceed OPM policy pertaining to security monitoring and alerting. 
These requirements include but are not limited to: (a) System and Network Visibility and Policy Enforcement at the following levels: (1) Edge (2) Server / Host (3) Workstation / Laptop / Client (4) Network (5) Application (6) Database (7) Storage (8) User (b) Alerting and Monitoring (c) System, User, and Data Segmentation 15.31 1752.239-86 Contractor System Oversight/Compliance (Sep 2014) (a) The Federal Government has the authority to conduct site reviews for compliance validation. Full cooperation by Contractor and third-party providers is required for audits and forensics. (b) The Contractor must support OPM in its efforts to assess and monitor the Contractor systems and infrastructure. The Contractor must provide logical and physical access to the Contractor's facilities, installations, technical capabilities, operations, documentation, records, and databases upon request. The Contractor will be expected to perform automated scans and continuous monitoring activities which may include, but will not be limited to, authenticated and unauthenticated scans of networks, operating systems, applications, and databases and provide the results of the scans to the OPM CIO, or designate, or allow OPM (or its designate) to run the scans directly. (c) All Contractor systems must participate in Information Security Continuous Monitoring (ISCM) and Reporting as defined in the OPM IT Policy. (d) All Contractor systems must perform vulnerability scanning as defined by OPM IT Security Policy and provide scanning reports to the OPM CIO, or designate, on a monthly basis. (e) All Contractor systems must participate in the implementation of automated security controls testing mechanisms and provide automated test results in Security Compliant Automation Protocol (SCAP) compliant data to the OPM CIO, or designate, on a monthly basis. 
15.32 1752.239-87 Additional Security Requirements (Sep 2014) (a) As prescribed in the FAR clause 24.104, if the Contract involves the design, development, or operation of a system of records on individuals, the Contractor must implement requirements in FAR clause 52.224-1, "Privacy Act Notification" and FAR clause 52.224-2, "Privacy Act" (see footnote 2). (b) Information technology acquisitions must use OPM established configuration settings, or utilize common security configurations available from the National Institute of Standards and Technology's website at http://checklists.nist.gov where OPM standards do not exist. (FAR part 39). 15.33 1752.242-70 Contract Performance Information (Sep 2014) (a) Dissemination of Contract Performance Information: The Contractor must not publish, permit to be published, or distribute for public consumption, any information, oral or written, concerning the results or conclusions made pursuant to the performance of this Contract, without the prior written consent of the Contracting Officer. Two copies of any material proposed to be published or distributed must be submitted to the Contracting Officer for approval. (b) Contractor Testimony: All requests for the testimony of the Contractor or its employees, and any intention to testify as an expert witness relating to: (i) any work required by, and or performed under, this Contract; or (ii) any information provided by any party to assist the Contractor in the performance of this Contract, must be immediately reported to the Contracting Officer. Neither the Contractor nor its employees must testify on a matter related to work performed or information provided under this Contract, either voluntarily or pursuant to a request, in any judicial or administrative proceeding unless approved by the Contracting Officer or required by a judge in a final court order. 
15.34 1752.242-71 Mandatory Requirement for Contractor Return of All OPM and OPM-Activity-Related Information, (Including But Not Limited to All Records, Files, and Metadata in Electronic or Hardcopy Format) (Sep 2014) (a) Within thirty (30) days after the end of the Contract performance period or after the Contract is suspended or terminated by OPM or by the Contractor for any reason, the Contractor must return all original (and at least one duplicate copy of those information types specified by OPM) of all OPM-provided and OPM-Activity-Related Information, (including but not limited to all records, files, and metadata in electronic or hardcopy format); including but not limited to the following: (1) Provided by OPM; or (2) Obtained by the Contractor while conducting activities in accordance with the Contract with OPM; or (3) Distributed for any purpose by the Contractor to any other related organization and/or any other component or separate business entity; or (4) Received from the Contractor by any other related organization and/or any other component or separate business entity. 
Footnote 2: Access to the Federal Acquisition Regulation (FAR) can be obtained on the web at http://farsite.hill.af.mil/farsite_alt.html, or by contacting the Contracting Officer/Contract Specialist.
(b) Within forty-five (45) days after the end of the Contract performance period or after the Contract is suspended or terminated by OPM or the Contractor for any reason, the Contractor must provide OPM with an associated Certification of Verified Return of all original (and at least one duplicate copy of those information types specified by OPM) of all OPM and OPM-Activity-Related Information, (including but not limited to all records, files, and metadata in electronic or hardcopy format); including but not limited to the following: (1) Provided by OPM; or (2) Obtained by the Contractor while conducting activities in accordance with the Contract with OPM; or (3) Distributed for any purpose by the Contractor to any other related organization and/or any other component or separate business entity; or (4) Or received from the Contractor by any other related organization and/or any other component or separate business entity. (c) This certification must be provided by a third party firm approved by OPM in advance. All costs and resource allocations required for this third party service must be the sole responsibility of the Contractor. 
15.35 1752.242-72 Mandatory Requirement for Verified Secure Destruction of All OPM and OPM-Activity-Related Information, (Including But Not Limited To All Records, Files, and Metadata in Electronic or Hardcopy Format) (Sep 2014) (a) Within sixty (60) days after the end of the Contract performance period or after the Contract is suspended or terminated by OPM or by the Contractor for any reason, BUT ONLY after OPM has accepted and approved the Contractor's compliance with the Certified Verification of Return of Information Requirement, the Contractor must execute secure destruction (either by the Contractor or third party firm approved in advance by OPM) of all existing active and archived originals and/or copies of all OPM and OPM-activity-related files and information, (including but not limited to all records, files, and metadata in electronic or hardcopy format); by procedures approved by OPM in advance and in accordance with applicable OPM IT Security Policy Requirements; including but not limited to the following: (1) Provided by OPM; or (2) Obtained by the Contractor while conducting activities in accordance with the Contract with OPM; or (3) Distributed for any purpose by the Contractor to any other related organization and/or any other component or separate business entity; or (4) Received from the Contractor by any other related organization and/or any other component or separate business entity. 
(b) Within seventy-five (75) days after the end of the Contract performance period or after the Contract is suspended or terminated by OPM or the Contractor for any reason, BUT ONLY after OPM has accepted and approved the Contractor's compliance with the Certified Verification of Return of Information Requirement, the Contractor must provide OPM with Certification of Secure Destruction of all existing active and archived originals and/or copies of all OPM and OPM-activity-related files and information, (including but not limited to all records, files, and metadata in electronic or hardcopy format); by procedures approved by OPM in advance and in accordance with applicable OPM IT Security Policy Requirements; including but not limited to the following: (1) Provided by OPM; or (2) Obtained by the Contractor while conducting activities in accordance with the Contract with OPM; or (3) Distributed for any purpose by the Contractor to any other related organization and/or any other component or separate business entity; or (4) Received from the Contractor by any other related organization and/or any other component or separate business entity. (c) This certification must be provided by a third party firm approved by OPM in advance. All costs and resource allocations required for this third party service must be the sole responsibility of the Contractor.
- Web Link
-
FBO.gov Permalink
(https://www.fbo.gov/notices/29baa069e82488c70e79320ba2130951)
- Place of Performance
- Address: US Office of Personnel Management, 1900 E Street, NW, Washington, District of Columbia, 20415, United States
- Zip Code: 20415
- Record
- SN03745566-W 20150530/150529040036-29baa069e82488c70e79320ba2130951 (fbodaily.com)