NSWC, DAHLGREN DIVISION DCMA Manassas C 17632 · PDF fileDepartment of Defense/Defense Information Systems Agency ... of a final network-based architecture where federated enclaves

2. AMENDMENT/MODIFICATION NO. 3. EFFECTIVE DATE 4. REQUISITION/PURCHASE REQ. NO. 5. PROJECT NO. (If applicable)

24 07-Jul-2017 See Section G N/A6. ISSUED BY CODE N00178 7. ADMINISTERED BY (If other than Item 6) CODE S2404A

NSWC, DAHLGREN DIVISION

17632 Dahlgren Road Suite 157

Dahlgren VA 22448-5110

[email protected] 540-653-7805

DCMA Manassas

14501 George Carter Way, 2nd Floor

Chantilly VA 20151

SCD: C

8. NAME AND ADDRESS OF CONTRACTOR (No., street, county, State, and Zip Code) 9A. AMENDMENT OF SOLICITATION NO.

SimVentions 11905 Bowman Drive, Suite 502 Fredericksburg VA 22408-7307 9B. DATED (SEE ITEM 11)

10A. MODIFICATION OF CONTRACT/ORDER NO.

[X] N00178-04-D-4124-0009

10B. DATED (SEE ITEM 13)

CAGECODE

1R5Z0 FACILITY CODE 15-Aug-2016

11. THIS ITEM ONLY APPLIES TO AMENDMENTS OF SOLICITATIONS

[ ]The above numbered solicitation is amended as set forth in Item 14. The hour and date specified for receipt of Offers [ ] is extended, [ ] is not extended.Offers must acknowledge receipt of this amendment prior to the hour and date specified in the solicitation or as amended, by one of the following methods: (a) By completing Items 8 and 15, and returning one (1) copy of the amendment; (b) By acknowledging receipt of this amendment on each copy of the offer submitted; or (c) Byseparate letter or telegram which includes a reference to the solicitation and amendment numbers. FAILURE OF YOUR ACKNOWLEDGEMENT TO BE RECEIVED AT THEPLACE DESIGNATED FOR THE RECEIPT OF OFFERS PRIOR TO THE HOUR AND DATE SPECIFIED MAY RESULT IN REJECTION OF YOUR OFFER. If by virtue of thisamendment you desire to change an offer already submitted, such change may be made by telegram or letter, provided each telegram or letter makes reference to the solicitationand this amendment, and is received prior to the opening hour and date specified.12. ACCOUNTING AND APPROPRIATION DATA (If required)

SEE SECTION G

13. THIS ITEM APPLIES ONLY TO MODIFICATIONS OF CONTRACTS/ORDERS,IT MODIFIES THE CONTRACT/ORDER NO. AS DESCRIBED IN ITEM 14.

(*) A. THIS CHANGE ORDER IS ISSUED PURSUANT TO: (Specify authority) THE CHANGES SET FORTH IN ITEM 14 ARE MADE IN THE CONTRACT ORDER NO. INITEM 10A.

[ ] [ ] B. THE ABOVE NUMBERED CONTRACT/ORDER IS MODIFIED TO REFLECT THE ADMINISTRATIVE CHANGES (such as changes in paying office, appropriation

date, etc.)SET FORTH IN ITEM 14, PURSUANT TO THE AUTHORITY OF FAR 43.103(b).

[ ] C. THIS SUPPLEMENTAL AGREEMENT IS ENTERED INTO PURSUANT TO AUTHORITY OF:

[X] D. OTHER (Specify type of modification and authority)Unilateral per FAR 52.232-22 Limitation of Funds

E. IMPORTANT: Contractor [ X ] is not, [ ] is required to sign this document and return copies to the issuing office.14. DESCRIPTION OF AMENDMENT/MODIFICATION (Organized by UCF section headings, including solicitation/contract subject matter where feasible.)

SEE PAGE 2

15A. NAME AND TITLE OF SIGNER (Type or print) 16A. NAME AND TITLE OF CONTRACTING OFFICER (Type or print)

Michelle L Briscoe, Contracting Officer

15B. CONTRACTOR/OFFEROR 15C. DATE SIGNED 16B. UNITED STATES OF AMERICA 16C. DATE SIGNED BY /s/Michelle L Briscoe 07-Jul-2017

(Signature of person authorized to sign) (Signature of Contracting Officer) NSN 7540-01-152-8070PREVIOUS EDITION UNUSABLE

30-105 STANDARD FORM 30 (Rev. 10-83)Prescribed by GSAFAR (48 CFR) 53.243

1. CONTRACT ID CODE PAGE OF PAGES

AMENDMENT OF SOLICITATION/MODIFICATION OF CONTRACT U 1 2

GENERAL INFORMATION

The purpose of this modification is to incrementally fund this contract. Accordingly, said Task Order is modified asfollows:

1. In Section G, the funding requisition number and accounting information is added;

2. In Section H, the clause NAVSEA 5252.232-9104 ALLOTMENT OF FUNDS is updated to reflect theincremental funding provided for this modification;

3. In Section H, the FUNDING PROFILE is updated to reflect the incremental funding provided for thismodification;

Except as provided herein, all terms and conditions of the contract remain unchanged and in full force and effect.

A conformed copy of this Task Order is attached to this modification for informational purposes only.

The Line of Accounting information is hereby changed as follows:

The total amount of funds obligated to the task is hereby

CLIN/SLIN Type Of Fund From ($) By ($) To ($)

7001BY RDT&E

7001CL RDT&E

7001EQ O&MN,N

The total value of the order is hereby

CLIN/SLIN From ($) To ($)

7001AA

By ($)

7001BY

7001CL

7001EQ

The Period of Performance of the following line items is hereby changed as follows:

CLIN/SLIN From To

7001EQ 7/7/2017 - 8/31/2017

CONTRACT NO.

N00178-04-D-4124 DELIVERY ORDER NO.

N00178-04-D-4124-0009 AMENDMENT/MODIFICATION NO.

24 PAGE

2 of 2 FINAL

SECTION C DESCRIPTIONS AND SPECIFICATIONS

CYBERSECURITY AND RISK MANAGEMENT

OF

UNITED STATES NAVY WARFARE SYSTEMS

C.l.0 SCOPE

The contractor shall provide Cybersecurity, Risk Management, Certification and Accreditation, InformationAssurance oversight, technical support and documentation, as specified in the DoD Instruction 8500.01 andSECNAV Instruction 5239.3B to the Naval Surface Warfare Center Dahlgren Division (NSWCDD) (which includesNSWC Dahlgren and the non-engineering support for Combat Direction Systems Activity (CDSA) Dam Neck). DoDI 8500.01 defines this policy to include Risk Management, Operational Resilience, Integration andInteroperability, Cyberspace Defense, DoD Information, Identity Assurance, Information Technology, CybersecurityWorkforce and Mission Partners. SECNAV Instruction 5239.3B, establishes the Information Assurance policy forthe Department of the Navy (DoN) consistent with national and Department of Defense (DoD) policies. Thecontractor shall be responsible for the support of Cybersecurity efforts and recommendation, documentation,evaluation, validation and risk management from inception to decommission per DoD Acquisition LifecycleManagement for multiple US Naval Warfare and Combat Systems, and the associated information technologyequipment including the AEGIS Ship Self Defense System (SSDS) and other existing and future systems. TheContractor shall also provide Information Assurance Officer (IAO) support, also known as Information SystemsSecurity Office (ISSO), and Certification and Accreditation package preparation, validation and sustainment forexisting and future US Navy systems.

C.2.0 APPLICABLE DOCUMENTS

For performance of the contract, a list of applicable documents is listed below. Any documents included asreferences in the below documents are also applicable.

OPNAVINST 5239.1C Navy Information Assurance (IA) Program, August 20, 2008

DoN CIO Memo 02-10: IA Policy Update for Platform Information Technology (PIT), April 26, 2010

NAVSEA CIO, PIT C&A Business Rules (Afloat), March 12, 2013

NAVSEA CIO, PIT C&A Business Rules (Non-Afloat), March 12, 2013

NAVSEAINST 9400.2, Implementation of Naval Sea Systems Command (NAVSEA) Afloat Information Assurance(IA) Governance and Guidance, August 18, 2010

NAVSEAINST 9400.2-M, NAVSEA Afloat IA Implementation Manual, April 2012

DoD 8570.01-M, or successor: Information Assurance Workforce Improvement Program, January 24, 2012

NIST SP 800-30 Rev 1, Guide for Conducting Risk Assessments, September 2012

NIST SP 800-34 Rev 1, Contingency Planning Guide for Federal Information Systems, May 2010

NIST SP 800-53 Rev 4, Security and Privacy Controls for Federal Information Systems and Organizations, April2013

Department of Defense/Defense Information Systems Agency (DISA) Security Technical Implementation Guides(STIGs), located at http://iase.disa.mil/stigs/Pages/index.aspx

DoDI 8500.01, Cybersecurity, March 14, 2014

DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), March 12, 2014

CONTRACT NO.



24 PAGE

15 of 123 FINAL

SPAWAR MEMO, Qualification Standards and Registration Procedures for Navy Validators, March 18, 2010

CJCSI 6510.01F, Information Assurance (IA) and Support to Computer Network Defense (CND), February 9, 2011

CNSS 1253, Security Categorization and Control Selection For National Security Systems, October 2009

DoDD 8140.01: Cyber Workforce Management, August 11, 2015

*Note: See Attachments, Exhibit B

REQUIREMENTS

C.3.0 CYBERSECURITY AND RISK MANAGEMENT

The contractor shall implement Cybersecurity and Risk Management as set forth below.

C.3.1 COMBAT SYSTEM ARCHITECTURE

The contractor shall support the development of the Combat System architecture, mapping requirements toarchitecture, documenting combat system policies and plans, and generation of new combat system baselines from afunctional perspective to address gaps discovered after the initial baseline development. Implementation andcertification of new requirements are based on allocated funding as to what can be fielded.

The Contractor will support translation of DoD lifecycle acquisition processes to cybersecurity requirements. Thecontractor will support development of a final network-based architecture where federated enclaves can develop, testand certify their systems in an environment to exchange data and services in a controlled manner using a ship-widenetwork. This ability allows information to be exchanged between units using the external communicationssystem. The contractor will develop enterprise combat system cybersecurity requirements based on: Mandatedrequirements (DoDI 8500.1), Threats (Common Attack Pattern Enumeration & Classification; CAPEC) and bestpractices (e.g. NIST). As part of the process an enterprise combat system cybersecurity architecture will bedeveloped, technical requirements will be mapped to architecture and non-technical requirements will be mapped topolicies and plans. Configuration and solutions follow design and implementation steps. Finally the system istested for compliance against threat penetration and solutions are mapped to requirements for the new architecture. The Contractor will utilize the Vitech Core COTS to support integrated requirements management to ensurecustomer needs are accurately captured, support identification of system functionality, complete system behavioranalysis, and simulation of system performance. The contractor will develop and trace system architecture fromsystem to subsystems and component levels. The Contractor will provide traceability from system design toValidation and Verification plans and procedures, and produce system design documentation directly from the designrepository for customer review of the design progress.

C.3.2 CYBERSECURITY CONCEPT OF OPERATIONS

The contractor shall author or supplement an existing Concept of Operations (CONOPS), for Government approval, to identify how the system is used, where the system is used and the mission criticality of the system, the system’srequired availability, required redundancy in the system’s design and the system’s users’ roles and responsibilitiesrelative to Cybersecurity. (CDRL A029)

C.3.3 CYBERSECURITY REQUIREMENTS

The contractor shall translate a system’s Concept of Operations (CONOPS) into Cybersecurity requirements for thesystem’s hardware, software, and human processes. The contractor shall map the system CONOPS to the SecurityControls per NIST 800-53 and it successors utilizing the Vitech Core Commercial off-the-shelf (COTS) product,provided by the Government. When applicable, the contractor shall author system security requirements forgovernment review and approval. The contractor shall map the Security Controls to system security requirementsthat may be authored by the contractor, Platform System Engineering Agent (PSEA) or government entity. (CDRLA030)

C.3.4 CYBERSECURITY BEST PRACTICES

The contractor shall implement Cybersecurity per the National Security Agency (NSA) and the Defense InformationSystems Agency (DISA) Security Technical Implementation Guides (STIGS) for all aspects of system architecturein the accreditation boundary including operating systems (OS) and network interconnects. The contractor shall

CONTRACT NO.



24 PAGE

16 of 123 FINAL

deliver a report recommending best security practices that exceed the DISA STIGS where applicable by Governmentdetermination. (CDRL A001) Best security practices shall include the implementation of:

Access Controls (Physical, Logical, and Administrative)

Access Control Lists (ACLs)

Anti-Virus Tools

Audit Logs

Certificates & Public Key Infrastructure (PKI)

Cross Domain Interfaces (CDI)

Demilitarized Zone (DMZ)

Encryption

File Integrity Tools

Firewalls

Linux Immutable Flag

Intrusion Prevention System (IPS)

Network Intrusion Detection Systems (NIDS)

Routers

Security-Enhanced Linux (SELinux)

System Information and Event Management (SIEM)

Switches

Data Backup and Restoration

Definitive separation of enclaves

Boundary defense (control point) capabilities

Authentication (network traffic and hardware)

Wireless security

802.x

C.3.5 DoD SECURITY CLASSIFICATION GUIDES

The contractor shall validate that system designs and the associated data in the system comply with applicable DoDSecurity Classification Guides (SCGs) and marking practices. These topics will be discussed at the monthlymeetings.

C.3.6 DoD SECURITY CLASSIFICATION DOMAINS

The contractor shall identify Cross Domain Interface (CDI) security issues and recommend solutions to resolvethem. The contractor shall support the Navy Cross Domain Solution Office (NCDSO) for approval of CDIsolutions. These topics will be discussed at the monthly meetings. (The Navy Cross Domain Solu ons Office is inthe Space and Naval Warfare (SPAWAR) Systems Center (SSC), Charleston, SC)

C.3.7 DoD SUPPLY CHAIN SECURITY

CONTRACT NO.



24 PAGE

17 of 123 FINAL

The government shall provide a Bill of Materials (BoM) for naval systems. The contractor shall validate that theBoM does not violate the General Services Administration (GSA) Excluded Parties List and has no ForeignOwnership Control or Influence (FOCI). The contractor shall diagram the Chain of Custody for the Bill of Materialsat the Lowest Replaceable Unit (LRU). The contactor shall support the government in researching, recommendingand documenting methods to monitor, detect and secure the supply chain from suspect and known infiltrations ofmodified and malicious hardware, software and firmware. The contractor shall provide a report documentingfindings. (CDRL A002)

C.3.8 COMPUTER NETWORK ATTACK

The contractor shall validate the system under "test is secure" by performing as a RED Team or a BLUE Team toperform “White Hat” ethical hacking and vulnerability assessment. The contractor shall perform penetration testingand provide a vulnerability report that includes the attack methods and points of entry into the system under testusing Assured Compliance Assessment Solution (ACAS), Secure Configuration Compliance Validation Initiative(SCCVI) tools and other ethical hacking techniques such as the Metasploit Framework, Core Impact and BackTracktool set. The contractor shall provide a report documenting findings. (CDRL A003)

C.3.9 CYBERSECURITY RESEARCH

The contractor shall produce technical reports and white papers to provide research into the appropriate solutions andthe latest Cybersecurity Technologies and Tactics, Techniques and Procedures (TTP) as applied to Combat SystemsAshore and Afloat. (CDRL A028) The contractor shall support the Government in conducting test and evaluation of Cybersecurity TTP as applied to Combat Systems Ashore and Afloat. Prior to testing the contractor will producea test plan. (CDRL A008) The contractor shall analyze the results of the testing and produce a report documentingresults. The report shall include descriptions of the test procedures, test results and analysis of data. (CDRL A009)

The contractor shall support the design, development, modification and documentation of secure software andscripts. (CDRL A032) The contractor shall support the Government in preparing secure software design documents,writing and compiling secure software code and preparing documentation describing the architecture, componentsand functions of secure software and scripts. The contractor shall provide source code (CDRL A033). The contractorshall provide object code (CDRL A034). The contractor shall provide executable code (CDRL A035). Thecontractor shall provide design environment/libraries (CDRL A036).

C.4.0 DoD INFORMATION TECHNOLOGY (IT) RISK MANAGEMENT SUPPORT FORLAND-BASED TEST SITES (LBTS)

The contractor shall support multiple DoD and DoN programs and projects as assigned in all aspects of theCertification and Accreditation and Risk Management process for site accreditations and testing at LBTS. Thecontractor shall support the programs in determining what type of Risk Management shall be used for a particularsystem or project. The contractor shall prepare documentation and artifacts and perform risk management testingand analysis in support of obtaining approvals from the appropriate Authorizing Official (AO). The contractor shallprovide Fully Qualified Navy and Marine Corps Validator support for Certification and Accreditation and RiskManagement processes. The Validator analyzes the findings and results of the vulnerability and certification testing.

Risk Management documents to be produced, delivered and reviewed include:

Cybersecurity Threat Analysis (CDRL A004)

Cybersecurity Strategy (CDRL A005)

PRA Checklist (CDRL A006)

PIT Determination Request Package (CDRL A007)

PIT Determination Request Letter (CDRL A023)

Risk Management Packages inclusive of ALL required artifacts (CDRL A019)

PIT Risk Approval (PRA) Request Package (CDRL A010)

Interim Authority to Test (IATT) Request (CDRL A011)

CONTRACT NO.



24 PAGE

18 of 123 FINAL

IA Vulnerability Management (IAVM) Plan (CDRL A012)

Incident Response Plan (CDRL A013)

Memorandum of Agreement (MOA) (CDRL A014)

Memorandum of Understanding (MOU) (CDRL A015)

Plan of Action & Milestones (POA&M) (CDRL A016)

Cybersecurity Test Plans (CDRL A017)

The contractor shall monitor changes in DoD and risk management guidance and identify updates to guidance forrequired procedures and documentation. Not all documents listed above will be applicable to all systems and therewill be instances where the documents may be combined under one cover (e.g. Incident Response and ContingencyPlans). In order for risk mitigation processes to provide an enterprise level approach for determination of highestrisk threats to combat and weapons system cyber defense requirements, and mitigation of those risks in the mostcost effective manner the contractor will support development of an enterprise level methodology to cyber defenserequirement definition, identify cyber threat vectors to those requirements, and evaluate and prioritize these threats,determining mitigations and associated costs, and finally generate Return on Investment (ROI) reports for cost vs.risks (CDRL A028).

C.4.1 RISK MANAGEMENT FRAMEWORK (RMF) FOR DoD INFORMATION TECHNOLOGY (IT)

The contractor shall provide support for RMF as described below and in the applicable documents.

Specific sections of a comprehensive RMF Package (CDRL A019) shall be researched, produced, and reviewedfollowing the DoDI 8510.01 - Risk Management Framework (RMF) for DoD Information Technology (IT), NISTSpecial Publication 800-37 (Guide for Applying the Risk Management Framework to Federal Information Systems)and other guidance as appropriate include:

NAVSEA Boundary Review Document

System Concept of Operations (CONOPS) Summary

Operating and Computing Environment

Physical Security Measures / Facilities

Threat Analysis

Threat Categories

Interconnection Threats

Threat Sources

System Architecture Description

System Architecture Diagram

Accreditation Boundary Diagram

External Interfaces and Data Flow Diagram

User Description and Clearances

Security Roles

Hardware/Software List

Ports, Protocols, and Services

Security Control Implementation Plan

CONTRACT NO.



24 PAGE

19 of 123 FINAL

Security Control Validation Plan and Procedures/Report

Cybersecurity IT Security Plan of Actions and Milestones (POA&M)

Change Control Board (CCB) Charter

System Cybersecurity Test Plan

Configuration Management Plan

Contingency Plan

Certification Determination

C.4.1.1 RMF STEP 1 - CATEGORIZE SYSTEM

The contractor shall provide support for the following activities:

(1) Categorize the system in accordance with the Committee on National Security Systems Instruction 1253,“Security Categorization and Control Selection for National Security Systems,” Reference (e) and document theresults in the security plan.

(2) Describe the system (including system boundary) and document the description in the security plan.

(3) Register the system with the Government Cybersecurity Program. See Government implementing policy fordetailed procedures for system registration.

(4) Assist the Government in assigning qualified personnel to RMF roles.

The contractor shall update the RMF process as system information becomes available and as the systemdevelopment continues. The contractor shall continually update the registration information contained within theCertification Authority database.

C.4.1.2 RMF STEP 2 – SELECT SECURITY CONTROLS

The contractor shall develop the necessary security test planning documents and conduct specified validationactivities in support of RMF Step 2 – Select Security Controls, and consequently, the contractor shall ensure thefollowing tasks are completed (CDRL A017).

(1) Common Control Identification. This task is the responsibility of the contractor to provide solutions forcommon controls. Common controls are selected as “common” and provided via the Knowledge Service (KS) basedin risk assessments conducted by the responsible entities at the Tier 1 and Tier 2 levels. The contractor shall assistin identifying the security controls that are provided by the organization as common solutions for IS and PITsystems, and helping to document the assessment and authorization of the controls in a security plan (or equivalentdocument); individual systems within those organizations can leverage these common controls through inheritance.

(2) Security Control Baseline and Overlay Selection. The contractor shall help identify the security control baselinefor the system and document security control applicability and justification in the security plan. In this step, theapplicable security controls baseline and relevant overlays for a system are assigned. The contractor shall follow thefollowing process:

(a) Assist in selecting the applicable initial security control baseline.

(b) Assist in identifying overlays that apply to the IS or PIT system due to information contained within thesystem or environment of operation.

(c) If necessary, the contractor will tailor (modify) a control set in response to increased risk from changes inthreats or vulnerabilities, or variations in risk tolerance.

(d) The contractor will document all identified controls on its respective category in the system security planand POA&M. (CDRL A018)

(e) The contractor will document any supplements to tailoring the baseline security control set, if necessary,

CONTRACT NO.



24 PAGE

20 of 123 FINAL

with additional controls or control enhancements that consider local conditions including environment of operation,organization-specific security requirements, specific threat information, cost-benefit analyses, or specialcircumstances, and are based on risk assessments consistent with NIST SP 800-30.

(f) The contractor will ensure that the resulting set of security controls is documented, along with thesupporting rationale for selection decisions and any system use restrictions, in the security plan. The security planmust identify all common controls inherited from external providers, and establish minimum assurance requirementsfor those controls.

(3) Monitoring Strategy. The contractor will develop and document, using a Test Plan, (CDRL A019) asystem-level strategy for the continuous monitoring of the effectiveness of security controls employed within orinherited by the system, and monitoring of any proposed or actual changes to the system and its environment ofoperation. The strategy must include the plan for annual assessments of a subset of implemented security controls,and the level of independence required of the assessor (e.g., ISSM or SCA).

(4) Security Plan and System-Level Continuous Monitoring Strategy Review and Approval. The contractor willassist in a System-Level Continuous Monitoring Strategy Review and Approval. The contractor will assist theGovernment in developing and implementing processes whereby the AO (or designee) reviews and approves thesecurity plan and system-level continuous monitoring strategy submitted by the ISO or PM/SM.

C.4.1.3 RMF STEP 3 - IMPLEMENT SECURITY CONTROLS

The contractor shall develop the necessary security test planning documents and conduct specified validationactivities in support of RMF Step 3 – IMPLEMENT SECURITY CONTROLS. The contractor shall ensure thefollowing tasks are completed:

(1) Assist as requested on the implementation of the security controls specified in the security plan in accordancewith applicable DoD implementation guidance.

(a) Ensure that products used within an IS or PIT system boundary will be configured in accordance withapplicable STIGs or SRGs where STIGs are not available.

(b) Ensure Security controls are implemented consistent with DoD and DoD Component IA architectures andstandards, employing system and software engineering methodologies, security engineering principles, and securecoding techniques.

(2) Assist with documenting the security control implementation in accordance with DoD implementation guidance,and the security plan, and assist in providing a description of the control implementation (including planned inputs,expected behavior, and expected outputs) if not in accordance with current guidance.

(3) Assist with identifying security controls that are available for inheritance (e.g. common controls) by IS and PITsystems and associating the compliance status provided by hosting or connected systems.

C.4.1.4 RMF STEP 4 - ASSESS SECURITY CONTROLS

The contractor shall provide RMF support for the following activities:

(1) Develop, and review a plan, for Government approval, to assess the security controls. Assist in the developmentof an assessment methodology consistent with current references. The contractor shall assist with the following:

(a) Assist and ensure the coordination of activities is documented in the security assessment plan and theprogram Test and Evaluation (T&E) documentation, to maximize effectiveness, reuse, and efficiency.

(2) Assess the security controls in accordance with the security assessment plan and DoD assessment procedures. Assessment procedures are used to verify that a security control has been properly implemented. SRG and STIGcompliance results will be documented and used as part of the overall security control assessment. Ensure actualresults are documented in the POA&M as part of the security authorization package, along with any artifactsproduced during the assessment (e.g., output from automated test tools or screen shots that depict aspects of systemconfiguration). Ensure that for inherited security controls, assessment test results and supporting documentation aremaintained by the providing system and are made available to Security Control Assessor (SCA) of receivingsystems.

CONTRACT NO.



24 PAGE

21 of 123 FINAL

(a) Record Security Control Compliance Status. If no vulnerabilities are found through the process ofexecuting the assessment procedures, the security control is recorded as compliant. If vulnerabilities are found, thecontrol is recorded as Non-Compliant (NC) in the POA&M, with sufficient explanation. Security controls that arenot technically or procedurally relevant to the system, as determined by the AO, will be recorded as not applicable(NA) in the POA&M, with sufficient justification. The status and results of all security control assessments in thecontrol set will be documented in the appropriate PRA documentations.

(b) Assign Vulnerability Severity Value for Security Controls based on applicable references.

(c) Determine Risk Level for Security Controls based on applicable references and consultations with SecurityControl Assessor (SCA).

(d) Assist in assessing and Characterizing Aggregate Level of Risk to the System.

(3) Prepare the Security Assessment Report (SAR) or appropriate PRA enclosure which documents the issues,findings, and recommendations from the security control assessment. The SAR documents the SCA’s findings ofcompliance with assigned security controls based on actual assessment results.

(4) Conduct remediation actions on NC security controls based on the findings and recommendations of the SARand reassess remediated control(s), as appropriate.

C.4.1.5 RMF STEP 5 - AUTHORIZE SYSTEM


(1) Prepare the POA&M based on the vulnerabilities identified during the security control assessment. ThePOA&M shall : (CDRL A016)

(a) Identify tasks that need to be accomplished to remediate or mitigate.

(b) Specify resources required to accomplish the elements of the plan.

(c) Include milestones for completing tasks and their scheduled completion dates.

(d) Once posted to the POA&M, vulnerabilities will be updated after correction or mitigation actions arecompleted, but not removed.

(e) Inherited vulnerabilities must be addressed on the POA&Ms.

(f) Assist the DoD Component with monitoring and tracking the overall execution of system-level POA&Msacross the entire Component until identified security vulnerabilities have been remediated and the RMFdocumentation is appropriately adjusted.

(2) Assemble the security authorization package and submit the package to the AO for Adjudication.

C.4.1.6 STEP 6 - MONITOR SECURITY CONTROLS


(1) Assist in determining the security impact of proposed or actual changes to the IS or PIT system and itsenvironment of operation.

(a) Continuously monitor the system or information environment for security relevant events and configurationchanges that negatively affect security posture.

(b) Periodically assess the quality of security controls implementation against performance indicators, such as:security incidents; feedback from external inspection agencies; exercises; and operational evaluations.

(2) Assess a subset of the security controls employed within and inherited by the IS or PIT system in accordancewith the AO-approved system-level continuous monitoring strategy.

(a) The results of the annual assessment must be documented in an SAR and the POA&M will also be

CONTRACT NO.



24 PAGE

22 of 123 FINAL

updated as appropriate. (CDRL A016)

(3) Assist in conducting remediation actions based on the results of ongoing monitoring activities, assessment ofrisk, and outstanding items in the POA&M.

(4) Assist the government in ensuring the security plan and POA&M are updated based on the results of thesystem-level continuous monitoring process.

(5) Report the security status of the system (including the effectiveness of security controls employed within andinherited by the system) to the AO and other appropriate organizational officials on an ongoing basis in accordancewith the monitoring strategy.

C.4.2 PLATFORM INFORMATION TECHNOLOGY (PIT) RISK APPROVAL (PRA)

Specific sections of the PRA Package (CDRL A010) shall be researched, produced and reviewed following theNAVSEAINST 9400.2-M, NAVSEA Afloat IA Implementation Manual and other guidance as appropriate, including:

PRA Request Letter

Enclosure 1 - Defense in Depth Architecture

System Hardware and Software Table

Shipboard Architecture Defense-In-Depth Diagram

System External Interface Diagram

Cross Domain Interface Table

NIST 800-53 Security Control Solutions or Implementation Table

Enclosure 2 - Test Events

Enclosure 3 – IA Risk Database

Cybersecurity Risk Management Database

Risk Cube and Summary Risk Statement

Enclosure 4 – PIT Determination Letter

Enclosure 5 - Acceptance of Non-applicable (N/A) Security Controls Letter

C.4.3 TEST PLANNING, EXECUTION, AND REPORTING

The contractor shall develop and execute Cybersecurity Test Plans (CDRL A017) to satisfy the risk managementrequirements of the RMF and PRA processes. The contractor shall analyze the results of the risk management testsand produce a report that supports the applicable risk management process (RMF/PRA). The report will include alist of vulnerabilities mapped to the appropriate Security Control with a risk assessment that includes likelihood andimpact statements in context of the system under test. The report will include recommended mediations andmitigations specific to the system under test. (CDRL A028)

The contractor shall execute test procedures using the following test tools and mechanisms. The list is notexhaustive and will change as directives and instructions are updated and better analysis tools become available:

8500.1 Security Control Review

DISA Security Technical Implementation Guide (STIG) reviews including the use of

DISA Security Requirements Guides (SRG)

CONTRACT NO.



24 PAGE

23 of 123 FINAL

Manual STIG reviews of operating systems, databases, network devices, security appliances, and applications

ACAS vulnerability assessments using the NESSUS scanner

Network Traffic Analysis tools (e.g., nmap, wireshark, tcpdump, pcap)

Identification and Characterization of Cross Domain Solutions and Interfaces

Compilation of Hardware/Software List specific to the system under test

Identification of Ports, Protocols, and Services List

Security Content Automation Protocol (SCAP) Benchmark Tools

C.4.4 SYSTEM SECURITY ADMINISTRATOR AND OPERATORS MANUAL (SSAOM)

The contractor shall develop the System Security Administrator and Operators Manual (SSAOM) (CDRL A021).The SSAOM is the shipboard cybersecurity “how to” document intended for Users and System Administrators.The Contractor shall conduct a verification of the SSAOM prior to delivery to the ship. This critical phase of theRMF/PRA will require additional support to develop the SSOAM and conduct the laboratory and shipboardverification surveys. The contractor shall use a Government template to author step-by-step procedures to operateshipboard products used in the crew’s performance of cybersecurity duties. The contractor shall author theprocedures with captioned screen captures such that Navy personnel can perform the required duties.

C.4.5 INTEGRATED PRODUCT TEAM (IPT) or WORKING GROUP (WG) MEETING

The contractor shall prepare responses, to include briefing materials (CDRL A031), and reports to action itemsassigned at Integrated Product Team/Working Group (IPT or WG) meetings. The contractor shall identifysignificant issues and risks with recommended solutions. (CDRL A028) The contractor shall attend SupportProgram Reviews, System Requirements Reviews (SRRs), and other design and requirement reviews to providesecurity and accreditation issue inputs.

C.4.6 IAVM AND IAVA TRACKING SUPPORT

The contractor shall provide Information Assurance Vulnerability Management (IAVM) and Information AssuranceVulnerability Alert (IAVA) tracking support. The contractor shall provide support for the execution of theInformation Assurance Vulnerability Management (IAVM) process for both the RMF and PIT Risk Managementprocesses, utilizing the DoD IAVM process and common implementation for both Afloat Combat Systems andsystems at Land-Based Test Sites (LBTS). The contractor shall provide and track Computer Security EngineeringDeficiency Reports (CDRL A020) as part of IAVM. The contractor shall prepare and submit an IAVM Plan (CDRLA012). The plan shall include monitoring the World Wide Web, trade papers, weblogs, Computer EmergencyResponse Team (CERT) Bulletins, and original equipment manufacturers (OEMs) of microprocessor chips andoperating systems used and contemplated for use in each US Naval Warfare System. For each US Naval WarfareSystem, the contractor shall prepare and submit a separate IAVM Report in electronic Microsoft Excel spreadsheetformat. The IAVM Report (CDRL A024) shall include and cross reference the following:

US Naval Warfare System security requirement

Known vulnerability

Reference source of known vulnerability

Recommended corrective action

Two part risk assessment against known vulnerability

Risk/Impact assessment as if corrective action is not taken

Risk/Impact assessment as if corrective action is taken

Trouble Report/Engineering Deficiency Report Data Base Identification

Priority assigned to Trouble/Deficiency Report by warfare systems group

CONTRACT NO.



24 PAGE

24 of 123 FINAL

Status of Trouble Report/Engineering Deficiency Report

The contractor shall assist in improving the cybersecurity posture of each warfare system by applying lessons learnedfrom the other warfare systems. For warfare system vulnerabilities related to chips, operating systems and genericservices and applications not identified by Government sponsored CERT websites, the contractor shall report thevulnerability to a Government-sponsored CERT website without disclosing the warfare system. This insures acoordinated community-wide effort so that the cybersecurity community stays informed through accepted state of thepractice channels. The contractor shall obtain the information required to perform IAVM on systems for which theymay or may not have direct access. The contract shall use best and common practices for obtaining this informationfor various Commercial off-the-shelf (COTS) products (e.g. Operating Systems, Switches/Routers, Software, etc.). The contractor shall obtain and review IAVA/B/T and determine applicability via the identified assets and/orreviewing of the actual system inventory utilizing the Government off-the-shelf (GOTS) product Cyber RiskEvaluation Vulnerability Integrated Collaborative Environment (CREVICE). The contractor shall follow theprograms process for tracking applicable IAVAs and reporting methods. The contractor shall work with the programin labeling the appropriate impact, likelihood, residual risk, applicable solutions, and cost associated with the IAVArisk remediation. The contractor shall work with the appropriate test teams in the implementation and testing ofapplicable IAVAs. This shall include helping with build packages, test plans (CDRL A017), execution, reports andthe update of the programs cybersecurity residual risk documents. The contractor shall support the compliancetracking and reporting during each phase of the IAVA implementation. Each program’s compliance reporting maybedifferent but the contractor shall use NAVY current practices (e.g. Vulnerability Remediation Asset Manager(VRAM)).

C.4.7 INFORMATION SYSTEM SECURITY OFFICERS (ISSO) / INFORMATION ASSURANCEOFFICERS (IAO) DUTIES

The contractor shall provide ISSO/IAO support in accordance with DoDI 8500.01 and as follows:

(1) Be a point of contract for all security matters related to assigned Information Systems (IS) for the life cycle ofthose systems

(2) Assist the ISSMs, Department Information Officer (DIO), Lead Department IAO, System Administrators, orany other Cyber Security Workforce or managerial Leadership in meeting their duties and responsibilities.

a. Assess system modifications for cybersecurity impacts

b. Participate in configuration management meetings

c. Support Inspections (local spot checks, IG, CSI, etc.)

d. Possess knowledge of current DoD, DoN, NAVSEA, and NIST cybersecurity requirements andprocesses

e. Possess working knowledge of DoD cybersecurity and RMF policy and guidance

f. Possess working knowledge of DoD security controls, DISA STIGS and vulnerability assessments

g. Possess working knowledge of Enterprise Mission Assurance Support Service (eMASS)

(3) Provide accountability for all assigned Risk Management or Certification and Accreditation packages andrelated artifacts.

a. Interface with C&A Leadership including local Corporate IA organization, Echelon IIRepresentatives, Navy Certification Authority (CA), Authorizing Official Designated Representative (AODR), NavyAuthorizing Official (NAO)

b. Research issued C&A and RMF processes and procedures and provide proper guidance toGovernment leadership and Sys Admin CSWF

c. Monitor and test for changes in ISs that might affect the security posture

d. Provide assistance as needed to enable users to obtain and maintain an authority to operate forassigned systems

CONTRACT NO.



24 PAGE

25 of 123 FINAL

e. Review Audit logs for their systems, spot check, and verify that System Administrator actions areauthorized

f. Oversee Annual Review requirements for C&A, DITPR-DoN, or other systems complianceaccountability

g. Attend technical meetings, IPRs, etc. with Technical Administrative Staff and Project POCs andProgram Directors.

h. Ensure conditions of ATO, IATO, IATTs, etc. are understood and met on time

i. Ensure POAMs are updated and submitted on necessary periodicity as defined by the accreditingauthorities

(4) Use appropriate designated automated and manual testing, tracking, and documentation tools in executingthe IAO role, C&A, and RMF processes as mandated by DoD or local policy and best practices (Examples: Retina, EMASS, NESSUS, DADMS, FMAT, IPA2, HBSS, Sharepoint, ILCN, etc.)

(5) Implement and enforce all DoD IS and PIT system cybersecurity policies and procedures as defined bycybersecurity-related documentation.

a. Monitor security vulnerability status

b. Perform annual cybersecurity risk assessments

c. Implement and complete firewall modifications and associated waivers

(6) Ensure that all users have the requisite security clearances and access authorization, and are aware of theircybersecurity responsibilities for DoD IS and PIT systems under their purview before being granted access to thosesystems.

(7) In coordination with the ISSM, initiate protective or corrective measures when a cybersecurity incident orvulnerability is discovered and ensure that a process is in place for authorized users to report all cybersecurity-relatedevents and potential threats and vulnerabilities to the ISSO.

a. Perform incident response and handling for electronic spillages

(8) Ensure that all DoD IS cybersecurity-related documentation is current and accessible to properly authorizedindividuals.

a. Perform and direct development of various cybersecurity packages and other supporting documents

b. Assist with information technology procurement documentation

C.4.8 VALIDATION SERVICES FOR RISK MANAGEMENT AND CERTIFICATION ANDACCREDITATION

The contractor shall support multiple DoD and DoN programs and projects in providing the Validation Service forRisk Management and Certification and Accreditation packages. The contractor shall serve as a trusted agent of andreport to the Certifying Authority (CA) as the CA representative for certification and accreditation purposes whileworking with the Program Manager and User Representative (UR). The contractor shall conduct validationprocedures to confirm or establish by testing, evaluation, examining, investigating, or competent evidence thatInformation System (IS) assigned Information Assurance Controls (IACs) are implemented correctly and are effectivein their application. The Validator shall provide the CA with an accurate technical evaluation of the application,system, or network, documenting the security posture, capabilities and vulnerabilities against relevant IACs anddrafting a certification determination (CD).

The contractor shall provide Validator support for the following activities, documentation, and artifacts in support ofobtaining certification and accreditation approvals from the appropriate Authorizing Official (AO):

Gather C&A and other information about the IT being certified

Document Site or System information in DoN DIACAP or RMF format

CONTRACT NO.



24 PAGE

26 of 123 FINAL

Develop the DIACAP or RMF Implementation Plan and Validation Procedures

Execute C&A Test Plans and Validation Procedures

Document C&A Test and Validation Procedure Results

Perform Risk Analysis

Develop Certification Determination

C.5.0 DoD INFORMATION TECHNOLOGY (IT) RISK MANAGEMENT SUPPORT FOR FLEETOPERATIONAL SYSTEMS

The contractor shall support multiple DoD and DoN programs and projects in all aspects of the Certification andAccreditation and Risk Management process for deployed systems. The contractor shall support the programs indetermining what type of Risk Management shall be utilized for a particular system or project. The contractor shallprepare documentation and artifacts and perform risk management testing and analysis in support of obtainingapprovals from the appropriate Authorizing Official (AO). The contractor shall provide Fully Qualified Navy andMarine Corps Validator support for Certification and Accreditation and Risk Management processes. The Validatoranalyzes the findings and results of the vulnerability and certification testing.

Risk Management documents to be produced, delivered and reviewed include:

Cybersecurity Threat Analysis (CDRL A004)

Cybersecurity Strategy (CDRL A005)

PRA Checklist (CDRL A006)

PIT Determination Request Package (CDRL A007)

PIT Determination Request Letter (CDRL A023)

Risk Management Packages inclusive of ALL required artifacts (CDRL A019)

PIT Risk Approval (PRA) Request Package (CDRL A010)

Interim Authority to Test (IATT) Request (CDRL A011)

IA Vulnerability Management (IAVM) Plan (CDRL A012)

Incident Response Plan (CDRL A013)

Memorandum of Agreement (MOA) (CDRL A014)

Memorandum of Understanding (MOU) (CDRL A015)

Plan of Action & Milestones (POA&M) (CDRL A016)

Cybersecurity Test Plans (CDRL A017)

The contractor should monitor changes in DoD and risk management guidance and identify any additionaldocumentation that shall or any updates to guidance for required procedures and documentation. Not all documentslisted above will be applicable to all systems and there will be instances where the documents may be combinedunder one cover (e.g. Incident Response and Contingency Plans). In order for risk mitigation processes to providean enterprise level approach for determination of highest risk threats to combat and weapons system cyber defenserequirements, and mitigation of those risks in the most cost effective manner the contractor will supportdevelopment of an enterprise level methodology to cyber defense requirement definition, identify cyber threat vectorsto those requirements, and evaluate and prioritize these threats, determining mitigations and associated costs, andfinally generate ROI reports for cost vs. risks.

C.5.1 RISK MANAGEMENT FRAMEWORK (RMF) FOR DoD INFORMATION TECHNOLOGY (IT)

CONTRACT NO.



24 PAGE

27 of 123 FINAL

The contractor shall provide support for RMF as described below and in the applicable documents.

Specific sections of a comprehensive RMF Package (CDRL A019) shall be researched, produced, and reviewedfollowing the DoDI 8510.01 - Risk Management Framework (RMF) for DoD Information Technology (IT), NISTSpecial Publication 800-37 (Guide for Applying the Risk Management Framework to Federal Information Systems)and other guidance as appropriate include:

NAVSEA Boundary Review Document

System Concept of Operations (CONOPS) Summary

Operating and Computing Environment

Physical Security Measures / Facilities

Threat Analysis

Threat Categories

Interconnection Threats

Threat Sources

System Architecture Description

System Architecture Diagram

Accreditation Boundary Diagram

External Interfaces and Data Flow Diagram

User Description and Clearances

Security Roles

Hardware/Software List

Ports, Protocols, and Services

Security Control Implementation Plan

Security Control Validation Plan and Procedures/Report

Cybersecurity IT Security Plan of Actions and Milestones (POA&M)

Change Control Board (CCB) Charter

System Cybersecurity Test Plan

Configuration Management Plan

Contingency Plan

Certification Determination

C.5.1.1 RMF STEP 1 - CATEGORIZE SYSTEM

The contractor shall provide support for the following activities:

(1) Categorize the system in accordance with the Committee on National Security Systems Instruction 1253,“Security Categorization and Control Selection for National Security Systems,” Reference (e) and document theresults in the security plan.

(2) Describe the system (including system boundary) and document the description in the security plan.

CONTRACT NO.



24 PAGE

28 of 123 FINAL

(3) Register the system with the DoD Component Cybersecurity Program. See Government implementing policy fordetailed procedures for system registration.

(4) Assist on assigning qualified personnel to RMF roles.

The contractor shall update the RMF process as system information becomes available and as the systemdevelopment continues. The contractor shall continually update the registration information contained within theCertification Authority database.

C.5.1.2 RMF STEP 2 – SELECT SECURITY CONTROLS

The contractor shall develop the necessary security test planning documents and conduct specified validationactivities in support of RMF Step 2 – Select Security Controls, and consequently, the contractor shall ensure thefollowing tasks are completed: (CDRL A017)

(1) Common Control Identification. This task is the responsibility of the contractor to provide solutions forcommon controls. Common controls are selected as “common” and provided via the Knowledge Service (KS) basedon risk assessments conducted by the responsible entities at the Tier 1 and Tier 2 levels. The contractor shall assiston identifying the security controls that are provided by the organization as common solutions for IS and PITsystems, and helping to document the assessment and authorization of the controls in a security plan (or equivalentdocument), individual systems within those organizations can leverage these common controls through inheritance.

(2) Security Control Baseline and Overlay Selection. The contractor shall help identify the security control baselinefor the system and document security control applicability and justification in the security plan. In this step, theapplicable security controls baseline and relevant overlays for a system are assigned. The contractor shall follow thefollowing process:

(a) Assist in selecting the applicable initial security control baseline.

(b) Assist in identifying overlays that apply to the IS or PIT system due to information contained within thesystem or environment of operation.

(c) If necessary, the contractor will tailor (modify) a control set in response to increased risk from changes inthreats or vulnerabilities, or variations in risk tolerance.

(d) The contractor will document all identified controls on its respective category in the system security planand POA&M. (CDRL A018)

(e) The contractor will document any supplements to tailoring the baseline security control set with additionalcontrols or control enhancements that consider local conditions including environment of operation, organization-specific security requirements, specific threat information, cost-benefit analyses, or special circumstances, and arebased on risk assessments consistent with NIST SP 800-30.

(f) The contractor will ensure that the resulting set of security controls is documented, along with thesupporting rationale for selection decisions and any system use restrictions, in the security plan. The security planmust identify all common controls inherited from external providers, and establish minimum assurance requirementsfor those controls.

(3) Monitoring Strategy. The contractor will develop and document, using a Test Plan (CDRL A019), asystem-level strategy for the continuous monitoring of the effectiveness of security controls employed within orinherited by the system, and monitoring of any proposed or actual changes to the system and its environment ofoperation. The strategy must include the plan for annual assessments of a subset of implemented security controls,and the level of independence required of the assessor (e.g., ISSM or SCA).

(4) Security Plan and System-Level Continuous Monitoring Strategy Review and Approval. The contractor willassist in a System-Level Continuous Monitoring Strategy Review and Approval. The contractor will assist theGovernment in developing and implementing processes whereby the AO (or designee) reviews and approves thesecurity plan and system-level continuous monitoring strategy submitted by the ISO or PM/SM.

C.5.1.3 RMF STEP 3 - IMPLEMENT SECURITY CONTROLS

The contractor shall develop the necessary security test planning documents and conduct specified validation

CONTRACT NO.



24 PAGE

29 of 123 FINAL

activities in support of RMF Step 3 – IMPLEMENT SECURITY CONTROLS. The contractor shall ensure thefollowing tasks are completed: (CDRL A017)

(1) Assist as requested on the implementation of the security controls specified in the security plan in accordancewith applicable DoD implementation guidance.

(a) Ensure that products used within an IS or PIT system boundary will be configured in accordance withapplicable STIGs or SRGs where STIGs are not available.

(b) Ensure Security controls are implemented consistent with DoD and DoD Component IA architectures andstandards, employing system and software engineering methodologies, security engineering principles, and securecoding techniques.

(2) Assists with documenting the security control implementation in accordance with DoD implementationguidance, and the security plan, and assist in providing a description of the control implementation (includingplanned inputs, expected behavior, and expected outputs) if not in accordance with current guidance.

(3) Assists with identifying security controls that are available for inheritance (e.g. common controls) by IS and PITsystems and associating the compliance status provided by hosting or connected systems.

C.5.1.4 RMF STEP 4 - ASSESS SECURITY CONTROLS


(1) Develop, review, and approve a plan to assess the security controls. Assist in the development of an assessmentmethodology consistent with current references. The contractor shall assist with the following: (CDRL A019)

(a) Assist and ensure the coordination of activities is documented in the security assessment plan and theprogram Test and Evaluation (T&E) documentation, to maximize effectiveness, reuse, and efficiency.

(2) Assess the security controls in accordance with the security assessment plan and DoD assessment procedures. Assessment procedures are used to verify that a security control has been properly implemented. SRG and STIGcompliance results will be documented and used as part of the overall security control assessment. Ensure actualresults are documented in the POA&M as part of the security authorization package, along with any artifactsproduced during the assessment (e.g., output from automated test tools or screen shots that depict aspects of systemconfiguration). Ensure that for inherited security controls, assessment test results and supporting documentation aremaintained by the providing system and are made available to SCAs of receiving systems on request.

(a) Record Security Control Compliance Status. If no vulnerabilities are found through the process ofexecuting the assessment procedures, the security control is recorded as compliant. If vulnerabilities are found, thecontrol is recorded as NC in the POA&M, with sufficient explanation. Security controls that are not technically orprocedurally relevant to the system, as determined by the AO, will be recorded as not applicable (NA) in thePOA&M, with sufficient justification. The status and results of all security control assessments in the control setwill be documented in the appropriate PRA documentations.

(b) Assign Vulnerability Severity Value for Security Controls based on applicable references.

(c) Determine Risk Level for Security Controls based on applicable references and consultations with SCA.

(d) Assist on assessing and Characterizing Aggregate Level of Risk to the System.

(3) Prepare the (Security Assessment Report) SAR or appropriate PRA enclosure which documents the issues,findings, and recommendations from the security control assessment. The SAR documents the SCA’s findings ofcompliance with assigned security controls based on actual assessment results.

(4) Conduct remediation actions on Non-Compliant (NC) security controls based on the findings andrecommendations of the SAR and reassess remediated control(s), as appropriate.

C.5.1.5 RMF STEP 5 - AUTHORIZE SYSTEM


(1) Prepare the POA&M based on the vulnerabilities identified during the security control assessment. The

CONTRACT NO.



24 PAGE

30 of 123 FINAL

POA&M shall specify: (CDRL A016)

(a) Identifies tasks that need to be accomplished to remediate or mitigate.

(b) Specifies resources required to accomplish the elements of the plan.

(c) Includes milestones for completing tasks and their scheduled completion dates.

(d) Once posted to the POA&M, vulnerabilities will be updated after correction or mitigation actions arecompleted, but not removed.

(e) Inherited vulnerabilities must be addressed on the POA&Ms.

(f) Assists the Government with monitoring and tracking the overall execution of system-level POA&Msacross the entire Component until identified security vulnerabilities have been remediated and the RMFdocumentation is appropriately adjusted.

(2) Assemble the security authorization package and submit the package to the AO for adjudication.

C.5.1.6 STEP 6 – RMF MONITOR SECURITY CONTROLS


(1) Assist in determining the security impact of proposed or actual changes to the IS or PIT system and itsenvironment of operation.

(a) Continuously monitors the system or information environment for security relevant events andconfiguration changes that negatively affect security posture.

(b) Periodically assesses the quality of security controls implementation against performance indicators, suchas: security incidents; feedback from external inspection agencies; exercises; and operational evaluations

(2) Assess a subset of the security controls employed within and inherited by the IS or PIT system in accordancewith the AO-approved system-level continuous monitoring strategy.

(a) The results of the annual assessment must be documented in an SAR and the POA&M will also beupdated.

(3) Assist in conducting remediation actions based on the results of ongoing monitoring activities, assessment ofrisk, and outstanding items in the POA&M.

(4) Assist the Government in ensuring the security plan and POA&M are updated based on the results of thesystem-level continuous monitoring process.

(5) Report the security status of the system (including the effectiveness of security controls employed within andinherited by the system) to the AO and other appropriate organizational officials on an ongoing basis in accordancewith the monitoring strategy.

C.5.2 PLATFORM INFORMATION TECHNOLOGY (PIT) RISK APPROVAL (PRA)

Specific sections of the PRA Package (CDRL A010) that are required to be researched, produced and reviewedfollowing the NAVSEAINST 9400.2-M, NAVSEA Afloat IA Implementation Manual and other guidance asappropriate include:

PRA Request Letter

Enclosure 1 - Defense in Depth Architecture

System Hardware and Software Table

Shipboard Architecture Defense-In-Depth Diagram

CONTRACT NO.



24 PAGE

31 of 123 FINAL

System External Interface Diagram

Cross Domain Interface Table

NIST 800-53 Security Control Solutions or Implementation Table

Enclosure 2 - Test Events

Enclosure 3 – IA Risk Database

Cybersecurity Risk Management Database Risk Cube and Summary Risk Statement

Enclosure 4 – PIT Determination Letter

Enclosure 5 - Acceptance of Non-applicable (N/A) Security Controls Letter

C.5.3 TEST PLANNING, EXECUTION, AND REPORTING

The contractor shall develop and execute Cybersecurity Test Plans (CDRL A017) to satisfy the risk managementrequirements of the RMF and PRA processes. The contractor shall analyze the results of the risk management testsand produce a report that supports the applicable risk management process (RMF/PRA). The report will include alist of vulnerabilities mapped to the appropriate Security Control with a risk assessment that includes likelihood andimpact statements in context of the system under test. The report will include recommended mediations/mitigationsspecific to the system under test.

The contractor shall execute test procedures using the following test tools and mechanisms. The list is notexhaustive and will change as directives and instructions are updated and better analysis tools become available:

8500.1 Security Control Review

DISA Security Technical Implementation Guide (STIG) reviews including the use of

DISA Security Requirements Guides (SRG)

Manual STIG reviews of operating systems, databases, network devices, security appliances, and applications

ACAS vulnerability assessments using the NESSUS scanner

Network Traffic Analysis tools (e.g., nmap, wireshark, tcpdump, pcap)

Identification and Characterization of Cross Domain Solutions and Interfaces

Compilation of Hardware/Software List specific to the system under test

Identification of Ports, Protocols, and Services List

Security Content Automation Protocol (SCAP) Benchmark Tools

C.5.4 SYSTEM SECURITY ADMINISTRATOR AND OPERATORS MANUAL (SSAOM)

The contractor shall develop the System Security Administrator and Operators Manual (SSAOM) (CDRL A021).The SSAOM is the shipboard cybersecurity “how to” documents intended for Users and System Administrators.The Contractor shall conduct a verification of the SSAOM prior to delivery to the ship. This critical phase of theRMF/PRA will require additional support to develop the SSOAM and conduct the laboratory and shipboardverification surveys. The contractor shall use a Government template to author step by step procedures to operateshipboard products used in the crew’s performance of cybersecurity duties. The contractor shall author theprocedures with captioned screen captures such that Navy personnel can perform the required duties.

C.5.5 INTEGRATED PRODUCT TEAM (IPT) or WORKING GROUP (WG) MEETING

The contractor shall prepare responses, to include briefing materials and reports (CDRL A028) to action items

CONTRACT NO.



24 PAGE

32 of 123 FINAL

assigned at Integrated Product Team or Working Group (IPT or WG) meetings. The contractor shall identifysignificant issues and risks with recommended solutions. The contractor shall attend Support Program Reviews,System Requirements Reviews (SRRs), and other design and requirement reviews as necessary to provide securityand accreditation issue inputs.

C.5.6 IAVM AND IAVA TRACKING SUPPORT

The contractor shall provide Information Assurance Vulnerability Management (IAVM) and Information AssuranceVulnerability Alert (IAVA) tracking support via the CREVICE methodology. The contractor shall provide supportfor the execution of the Information Assurance Vulnerability Management (IAVM) process for both the RMF andPIT Risk Management processes, utilizing the DoD IAVM process and common implementation for both AfloatCombat Systems and systems at Land-Based Test Sites (LBTS). The contractor shall provide and track ComputerSecurity Engineering Deficiency Reports (CDRL A020) as part of IAVM. The contractor shall prepare and submitan IAVM Plan (CDRL A012). The plan shall include monitoring the World Wide Web, trade papers, weblogs,Computer Emergency Response Team (CERT) Bulletins, and original equipment manufacturers (OEMs) ofmicroprocessor chips and operating systems used and contemplated for use in each US Naval Warfare Systemissuing a task order. For each US Naval Warfare System, the contractor shall prepare and submit a separate IAVMReport in CREVICE report format. The IAVM Report (CDRL A024) shall include and cross reference thefollowing:

US Naval Warfare System security requirement

Known vulnerability

Reference source of known vulnerability

Recommended corrective action

Two part risk assessment against known vulnerability

Risk/Impact assessment as if corrective action is not taken

Risk/Impact assessment as if corrective action is taken

Trouble Report/Engineering Deficiency Report Data Base Identification

Priority assigned to Trouble/Deficiency Report by warfare systems group

Status of Trouble Report/Engineering Deficiency Report

The contractor shall assist with improving the cybersecurity posture of each warfare system by applying lessonslearned from the other warfare systems. For warfare system vulnerabilities related to chips, operating systems andgeneric services and applications not identified by Government sponsored CERT websites, the contractor shallreport the vulnerability to a Government sponsored CERT website without disclosing the warfare system. Thisinsures a coordinated community-wide effort so that the cybersecurity community stays informed through acceptedstate of the practice channels. The contractor shall obtain the information required to perform IAVM on systems forwhich they may or may not have direct access. The contractor shall use best and common practices for obtainingthis information for various Commercial off-the-shelf (COTS) and Government off-the-shelf (GOTS) products (e.g.Operating Systems, Switches/Routers, Software, etc.). The contractor shall obtain and review IAVA/B/T anddetermine applicability via the identified assets and/or reviewing of the actual system inventory. The contractorshall follow the programs process for tracking applicable IAVAs and reporting methods. The contractor shall workwith the program in labeling the appropriate impact, likelihood, residual risk, and cost of recommended solutionassociated with the mitigation of the IAVA. The contractor shall work with the appropriate test teams in theimplementation and testing of applicable IAVAs. This shall include helping with build packages, test plans (CDRLA017), execution, reports and the update of the programs cybersecurity residual risk documents. The contractorshall support the compliance tracking and reporting during each phase of the IAVA implementation. Each program’scompliance reporting maybe different but the contractor shall use NAVY current practices (e.g. VulnerabilityRemediation Asset Manager (VRAM)).

C.5.7 VALIDATION SERVICES FOR RISK MANAGEMENT AND CERTIFICATION ANDACCREDITATION

CONTRACT NO.



24 PAGE

33 of 123 FINAL

The contractor shall support multiple DoD and DoN programs (such as Aegis, Ship Self Defense System, USMarine Corps, GATOR) and projects in providing the Validation Service for Risk Management and Certification andAccreditation packages. The contractor shall serve as a trusted agent of and report to the Certifying Authority (CA)as the CA representative for certification and accreditation purposes while working with the Program Manager andUser Representative (UR). The contractor shall conduct validation procedures to confirm or establish by testing,evaluation, examining, investigating, or competent evidence that Information System (IS) assigned InformationAssurance Controls (IACs) are implemented correctly and are effective in their application. The Validator shallprovide the CA with an accurate technical evaluation of the application, system, or network, documenting thesecurity posture, capabilities and vulnerabilities against relevant IACs and drafting a certification determination(CD).

The contractor shall provide Validator support for the following activities, documentation, and artifacts in support ofobtaining certification and accreditation approvals from the appropriate Authorizing Official (AO):

Gather C&A and other information about the IT being certified

Document Site or System information in DoN DIACAP or RMF format

Develop the DIACAP or RMF Implementation Plan and Validation Procedures

Execute C&A Test Plans and Validation Procedures

Document C&A Test and Validation Procedure Results

Perform Risk Analysis

Develop Certification Determination

C.6.0 OTHER DIRECT CHARGES

C.6.1 TRAVEL

The contractor will be reimbursed for travel to provide support at a Government site or other site (such CampPendleton, California, Wallops Island, Virginia, Washington, DC or Japan) as may be specified and approved bythe Contracting Officer’s Representative (COR) under this effort. The Contractor, prior to commencement of travel,shall receive approval from the COR for all travel. The contractor shall provide details and status of any open actionitems for which the contractor is responsible and/or quick-look test results following a field test. The contractor shallprovide a trip report (CDRL A025).

C.6.2 MATERIAL & OTHER DIRECT CHARGES

The costs of general purpose business expenses required for the conduct of normal business operations will not beconsidered allowable direct costs in the performance of the contract. General purpose business expenses include thecosts for items such as telephones (including cell phones) and telephone charges, copy machines, word processingequipment, personal computers, and other office equipment and supplies. The cost for purchase of Commercial ofThe Shelf (COTS) as approved by the Procuring Contracting Officer (PCO) shall be allowable as Direct Charges. Examples of allowable ODCs include:

a) CONSUMABLE ODCs - Consumable ODCs include material and supplies that are utilized in the execution ofSOW tasking and are not transferrable to the Government at the end of the task order. Anticipated consumablesinclude: IT, Security, Vendor-Specific, and Government directed training for emergent technology.

(b) ASSET ODCs - Asset ODCs include equipment and property procured in support of the execution of SOWtasking and are transferrable to the Government at the end of the task order. COR concurrence is required prior toContractor procurement of Asset ODCs. In the case of Information Technology assets, all government approvalprocesses must be completed prior to Contractor procurement. Assets procured during the execution of this taskorder shall be accounted for and reported in accordance with the Contractor property management tracking andaccountability. Anticipated Assets ODCs include: Equipment, Hardware, and Machined Items/ prototypes.

C.6.3 APPROVALS

Prior written approval from the Contracting Officer shall be required for all purchases of materials under the following

CONTRACT NO.



24 PAGE

34 of 123 FINAL

circumstances:

(1) A purchase of materials that are above per individual item purchase may be executed with COR review and

written approval. Advance PCO approval is not required.

(2) A purchase of materials that exceeds per individual purchase may NOT be executed unless the COR Reviews

the proposed purchase and the PCO issues written approval.

(3) Separate multiple purchases of amounts valued below those thresholds stated in this section shall not be

submitted to circumvent the COR and PCO review and approval procedure. Splitting purchase requirements to

defeat purchasing thresholds shall not be approved.

C.6.4 PROCEDURE FOR OBTAINING COR AND CO APPROVAL

To obtain COR and/or PCO approval, the contractor shall:

(a) Submit a written request for purchase of materials to the COR through e-mail. The COR shall review the

request. If it is in accordance with C.6.3 above and requires PCO approval, the COR shall submit the request via

the Contract Specialist to the PCO for review and approval.

(b) Minimum requirements for a written request for purchase are as follows

(1) Complete description of the material to be purchased

(2) Quantity

(3) Unit Cost and Total Cost

(4) Estimated Delivery/Freight charges

(5) Any associated service charges such as assembly, configuration, packing, etc.

(6) An explanation of the need for the material

(7) List the competitive quotes received from potential suppliers

(8) The basis for the selection of the selected supplier

(9) Explanation of the determination of price reasonableness regarding the selected supplier costs

(10) If the procurement is sole sourced to a particular supplier or manufacturer, include the rationale for limiting the

procurement to that supplier or manufacturer.

(11) The contractor may seek the assistance of the Contract Specialist for guidance on item 10 above.

(c) Once the COR and/or CO have reviewed the request, the Government shall notify the contractor of the outcome.

Issues or details may be discussed with the Contract Specialist acting on behalf of the CO until a final Government

determination is made as to whether to approve, modify, or reject the purchase.

(d)The contractor is required to possess and maintain an adequate Property Management System throughout

C.7.0 GOVERNMENT FURNISHED OFFICE SPACE

The principal place of performance shall be at the Contractor’s facilities with the exception of the following office

CONTRACT NO.



24 PAGE

35 of 123 FINAL

space that will be provided to the Contractor at task order start up:

At NSWC Dahlgren, VA-

LABOR CATEGORY NO. OF PERSONSSr. Security System Engineer 2Security Engineer 6

At CDSA Dam Neck, VA-

LABOR CATEGORY NO. OF PERSONSSr. Security System Engineer 1Security Engineer 4Jr. Security System Engineer 1Security Network Engineer 1

* At least one (1) Sr. Security Engineer and one (1) Security Engineer shall have Top Secret Clearance for each ofthe Dahlgren and Dam Neck locations (See Mandatory Requirement #3)

** At least one (1) Security Engineer must be SCI Eligible for the Dahlgren location. (See Mandatory Requirement#3)

At Marine Corps Base, Quantico, VA-

LABOR CATEGORY NO. OF PERSONSSecurity Engineer 1

C.8.0 PLAN OF ACTIONS AND MILESTONES (POA&M) REQUIREMENTS

As requested, the contractor shall develop a POA&M (CDRL A016) for each work area within the Statement ofWork (SOW). The signed POA&M shall be provided electronically to the Contract Specialist and the COR withintwenty one (21) calendar days after issuance of the order, Exercise of Option, POA&M issuance, and/orModifications to the POA&M or the order which affect the Level of Effort or Dollar Ceilings. While contractorformat is acceptable, with Government’s approval, the following information, as a minimum, shall appear in eachPOA&M.

Date POA&M prepared (and revision number if applicable)

Work Area (number and title)

Contract and Task Order Number

POA&M Period of Performance

Contractor Interfaces/Points of Contact (technical area)

Task Manager (name, phone number and email)

Others as appropriate

Government Interfaces/POC:

COR (name and code)

Signatures (each POA&M must be signed by a contractor representative and have the signature block for signatureby the COR)

Estimated work years for the period of the work area to include subcontractors identified by name and total cost(including fee)

Work summary (a brief description of work supported within this work area) to include a listing of planneddeliverables and due dates for each

CONTRACT NO.



24 PAGE

36 of 123 FINAL

Travel - total estimated cost; by destination show: number of people, number of days & number of trips.

Estimate of Cost

C.9.0 MANAGEMENT STATUS REPORTS

C.9.1 WEEKLY REPORT

The contractor shall provide a Weekly Activity Report (WAR) (CDRL A026) by Program including a summary ofactivities accomplished during the week, on-going activities, on-site support this week, upcoming plannedactivities, on-site (program) support next month, and hours worked for the week.

C.9.2 MONTHLY REPORT

The contractor shall submit a monthly Progress Report covering technical and financial data (CDRL A027). Thecutoff date of the report shall be the same as that used for invoicing purposes by the prime contractor. Any and allsubcontractor/consultant data shall be current through the “as of” date of the report. The monthly report in finalmonth of each contract period shall include a cumulative list of all deliverable items provided in that period. Thefollowing information shall be provided as a minimum:

C.9.2.1 Technical

Discuss efforts planned during the reporting period and upcoming planned activities and meetings.

Discuss the status of assigned deliverables, which include CDRL reference, deliverable title, date due and datedelivered.

Identify problems encountered (technical/schedule/cost) and resolutions.

Identify all unresolved problems/issues at the end of the reporting period.

Identify technical and program risks associated with the program and provide a risk mitigation plan.

Provide status of action items and planned activities.

C.9.2.2 Expenditure Data

Provide current and cumulative expenditures of both hours and dollars by Contract Line Item (CLIN), WorkElement, and Area.

Separately show expenditures by CLIN,Work Element, and Area (Show amount funded and compute a fundingbalance).

Provide line graphs showing expenditures of both hours and dollars. These graphs shall show contracted, planned,funded and incurred.

Provide the names of all personnel charging to the CLIN,Work Element, and Area. Organize these data by contractlabor category and show both current and cumulative hours charged for each person.

Total expenditures shall be compared to those invoiced for the same period and differences explained.

C.10.0 ANNUAL IN-PROGRESS REVIEWS (IPR)

The contractor shall prepare In-Progress Reviews to be held annually. The Contractor's In-Progress Reviewpresentation (CDRL A022) shall contain, at a minimum, the following written information in power point form:

Contract Number, Period of Performance, Total Value

An organization chart listing all personnel who are currently working under the contract. The chart shall show areasof responsibility and lines of control. The chart shall include and identify subcontractor personnel.

Description of each task completed or currently being performed, to include the SOW or Technical DirectionReference Number and a detailed description of technical efforts to date, schedules, progress made, problemsencountered and resolved, recommendations, and planned efforts.

CONTRACT NO.



24 PAGE

37 of 123 FINAL

Identification of any administrative problems encountered in performance of the contract.

A graphic depiction of expenditures and work hours.

The format for the IPR presentation shall be mutually agreed upon by the Contractor and COR. Agenda items shalladdress the status of action items from the previous IPR and pertinent issues. Emergent/future interest items andmeetings shall be discussed during the IPR. A listing of Action Items, Meeting Minutes with attached attendancelisting which reflects those attending; organization/code; telephone and e-mail address; shall be provided to theGovernment Representatives by the Contractor within 5 working days of the IPR.

C.11 SECURITY

C.11.1 Personnel

The Department of Defense Contract Security Classification Specification (DD Form 254) (Attachments J.1)provides the security classification requirements for this order.

All Personnel associated with this contract shall be required to have at a minimum a DoD SECRET clearance attime of award, interim clearances are acceptable. The contractor will have access to information and compartmentswith a “Secret” classification. In addition documentation with markings of ‘For Official Use Only’ (FOUO) will behandled. All deliverables associated with this contract are “unclassified” unless otherwise specified. Access toclassified spaces and material and generation of classified material shall be in accordance with the attached DD Form254. In the performance of this Task Order, personnel may be required to handle classified information at theOCONUS location of Okinawa, Japan.

C.11.2 The contractor shall require access to Communications Security (COMSEC), Non-SCI intelligence, NATO,FOUO, PII information and SIPRnet in the performance of this contract to support or in order to perform CyberSecurity Engineering, Information Assurance (IA) for Certification and Accreditation (C&A), technical support anddocumentation to the Naval Surface Warfare Center Dahlgren Division (NSWCDD), and Combat Direction SystemsActivity (CDSA) Dam Neck.

C.11.3 Facility

The Contractor’s facility is required to possess and maintain a TOP SECRET facility clearance as verified withinthe Industrial Security Facility Database (ISFD) with SECRET storage capability.

C.11.4 Physical

The Contractor shall be responsible for safeguarding all Government information or property provided for Contractoruse. At the end of each work period, Government information, facilities, equipment and materials shall be securedas specified by the National Industrial Security Program Operating Manual (NISPOM) and the NSWCDDCommand Security Manual. Secret storage is required at the contractor’s facility in order to meet requirements ofreceiving and generating classified material in accordance with this contract. Access to classified spaces and material,and generation of classified material, shall be in accordance with the attached DD254.

C.11.5 The Contractor shall assist in the development/maintenance of information/presentations and thedevelopment and update of strategies to implement cyber security systems engineering decisions. The contractorshall collect, analyze and manage data and assist in the development and presentation of status, information, anddecision briefings. To fully execute this requirement, the contractor requires access to Top Secret/SensitiveCompartmented Information TS/SCI (SI/TK/G/HCS) cyber-warfare information, incident reports, tools, techniquesand meetings related to combat systems ashore and afloat cyber-security and information assurance planning andsystems engineering. COMSEC is required to allow the Contractor to receive keying material to support STEphones at the contractor’s facility. Defense Courier Service is required to transport keying material. Secret InternetProtocol Router Network (SIPRNET) is necessary to complete analysis and deliverables. NATO access is requiredfor SIPRNET access. For Official Use Only (FOUO) and Personally Identifiable Information (PII) generated and/orprovided under this contract shall be safeguarded and marked as specified in DoD 5400.7-R Chapters 3 and 4.

C.11.6 Electronic Spillage

Electronic Spillages (ES) are unacceptable and pose a risk to national security. An electronic spillage is defined asclassified data placed on an Information System (IS), media or hardcopy document possessing insufficient security

CONTRACT NO.



24 PAGE

38 of 123 FINAL

controls to protect the data at the required classification level, thus posing a risk to national security (e.g., sensitivecompartmented information (SCI) onto collateral, Secret onto Unclassified, etc.) The contractor's performance as itrelates to ES will be evaluated by the Government. ES reflects on the overall security posture of NSWCDD and alack of attention to detail with regard to the handling of classified information of IS security discipline and will bereflected in the contractor's performance rating. In the event that a contractor is determined to be responsible for anES, all direct and indirect costs incurred by the Government for ES remediation will be charged to the contractor.

NSWCDD Security will continue to be responsible for the corrective action plan in accordance with the securityguidance reflected on the DoD Contract Security Classification Specification - DD-254. NSWCDD Security willidentify the contractor facility and contract number associated with all electronic spillages during the investigationthat involve contractor support. NSWCDD Security will notify the Contracts Division with the contractor facilityname and contract number, incident specifics and associated costs for cleanup. The Contracting Officer will beresponsible to work with the Contractor Facility to capture the costs incurred during the spillage clean up. TheContractor is also responsible for taking Information Security Awareness training annually, via their FacilitySecurity Officer (FSO), as part of the mandatory training requirements. If a spillage occurs additional training shallbe required to prevent recurrence.

C.11.7 Portable Electronic Devices (PEDs)

Non-government and/or personally owned portable electronic devices (PEDs) are prohibited in all NSWCDDbuildings with the exception of personally owned cell phones which are authorized for use in spaces up to andincluding Controlled Access Areas. The Contractor shall ensure the onsite personnel remain compliant with thisPED policy. NSWCDD instruction defines PEDs as the following: any electronic device designed to be easilytransported, with the capability to store, record, receive or transmit text, images, video, or audio data in any formatvia any transmission medium. PED’s include, but are not limited to, pagers, laptops, radios, compact discs andcassette players/recorders. In addition, this includes removable storage media such as flash memory, memory sticks,multimedia cards and secure digital cards, micro-drive modules, ZIP drives, ZIP disks, recordable CDs, DVDs,MP3 players, iPADs, digital picture frames, electronic book readers, kindle, nook, cameras, external hard dishdrives, and floppy diskettes.

PED’s belonging to an external organization shall not be connected to NSWCDD networks or infrastructure withoutprior approval from the NSWCDD Information Assurance and Compliance Branch. This approval will be grantedusing the Temporary Approval Request for Information System (TARIS) form and action tracker process.

Personally owned hardware or software shall not be connected or introduced to any NSWCDD hardware, network orinformation system infrastructure.

C.12 MANDATORY REQUIREMENTS

Contractors must meet the following mandatory requirements at time of proposal submission, or have an acceptableplan to meet the requirements by the start date of contract performance. In addition, mandatory requirements must bemaintained throughout the life of the Task Order. The mandatory requirements are as follows:

Requirement 1 – Facility Location – The Prime contractor's primary facility providing support to the task ordermust be located within 60 miles of NSWCDD. An additional site will be established within 60 miles of CDSA.

Requirement 2 – Facility Clearance – The Prime contractor’s primary facility providing support to this contract isrequired to have a Top Secret level clearance with Secret storage capability.

Requirement 3 - Personnel Security Clearances - All individuals performing technical support under this TaskOrder are required to have, as a minimum, a Secret security clearance. Two (2) persons from the Senior SecuritySystem Engineer labor category and two (2) persons from the Security Engineer labor category shall have a TopSecret Security clearance.

SCI Eligible: At least one (1) personnel from the Senior Security System Engineer labor category and at least one(1) Security Engineer must be SCI Eligible.

Single Scope Background Investigation (SSBI) – All persons performing as Privileged Users (Individuals who haveaccess to system control, monitoring, or administration functions (e.g., system administrator, IAO/ISSO, systemprogrammers, etc.)) are required to have and maintain a final adjudicated SSBI with an IT level-1 designation inJPAS. If it is associated with a TS or TS/SCI contract, the investigation will be at the expense of the contractor, iffor a SECRET contract it will be at the expense of the government.

CONTRACT NO.



24 PAGE

39 of 123 FINAL

Requirement 4 – Sensitive Compartmented Information (SCI) Clearance: Once sponsored, the Contractor shallobtain and maintain a SCI clearance throughout the period of performance of the contract.

Requirement 5 - Certification: Personnel performing CyberSecurity functions on DoD systems must meet thequalification requirements established in the DoD 8570.01-M, or successor/DoD 8140.01, and follow-on guidancefor the category and function level in which they are performing.

(1) All Senior Security Systems Engineer requires a DoD 8570.01-M, or successor/DoD 8140.01 InformationAssurance management (IAM) level II or level III certification or equivalent; when performing as an InformationAssurance Officer or Information Systems Security Officer, an IAM Level II certification or equivalent per DoD8570.01, or successor/DoD 8140.01 must be held and maintained.

(2) All Security Engineers require a DoD 8570.01-M, or successor/DoD 8140.01 Information Assurance Technical(IAT) level II or level III certification or equivalent ; when performing as an Information Assurance Officer orInformation Systems Security Officer, an IAM Level II certification or equivalent per DoD 8570.01, orsuccessor/DoD 8140.01 must be held and maintained.

(3) All Security Software Engineer, Cybersecurity Engineer, and the Security Network Engineer require anInformation Assurance Technical (IAT) level II certification or equivalent.

(4) All Junior Security Systems Engineer requires a DoD 8570.01-M, or successor/DoD 8140.01 InformationAssurance management (IAM) level II or Information Assurance Technical (IAT) level II certification or equivalent.

Requirement 6 - Appointments: Personnel proposed as Validators must possess a "Qualified Validator"appointment by the Navy or Marine Corps. Both Navy and Marine Corps Validation are required under this taskorder.

a) At least two (2) Personnel proposed in the Senior Security Systems Engineer Labor Category must beappointed as Fully Qualified [Navy or Marine Corps] Validator. (see Exhibit B.17)

b) At least two (2) Personnel proposed in the Security Engineer Labor Category must be appointment as anIntermediate [Navy or Marine Corps] Validator. (see Exhibit B.17)

C.13 ENTERPRISE-WIDE CONTRACTOR MANPOWER REPORTING APPLICATION (ECMRA)

The Contractor shall report Contractor labor hours (including subcontractor labor hours) required for performance ofservices provided under this contract for the Cyber Security and Risk Management via a secure data collection site.

Contracted services excluded from reporting are based on Product Service Codes (PSCs).

The excluded PSCs are:

(1) W, Lease or Rental of Equipment; (2) X, Lease or Rental of Facilities; (3) Y,

Construction of Structures and Facilities; (4) S, Utilities ONLY; (5) V,

Freight and Shipping ONLY.

The Contractor is required to completely fill in all required data fields using the following web address:https://doncmra.nmci.navy.mil.

Reporting inputs will be for the labor executed during the period of performance during each Government fiscalyear(FY), which runs October 1 through September 30. While inputs may be reported any time during the FY, alldata shall be reported no later than October 31 of each calendar year.

Contractors may direct questions to the help desk, linked at https://doncmra.nmci.navy.mil.

C.14 SKILLS AND TRAINING

The Contractor shall provide capable personnel with qualifications, experience levels, security clearances, andnecessary licenses, certifications, and training required by Federal, State, and Local laws and regulations.Cybersecurity functions require certifications specified in DoDD 8570.01, or successor/ DoD 8140.01 Information

CONTRACT NO.



24 PAGE

40 of 123 FINAL

https://doncmra.nmci.navy.mil/

Assurance Training, Certification, and Workforce Management, and DFARS 252.239- 7001 INFORMATIONASSURANCE CONTRACTOR TRAINING AND CERTIFICATION and follow-on guidance as well as FullyQualified Navy Validators and Fully Qualified Marine Corps Validators. Training necessary to ensure that personnelperforming under this task order maintain the knowledge and skills to successfully perform the required functions isthe responsibility of the Contractor. Training necessary to maintain professional certification is the responsibility ofthe Contractor.

C.15 SUBCONTRACTORS or CONSULTANTS

In addition to the information required by FAR 52.244-2 Alternate 1 (JUN 2007), the contractor shall include thefollowing information in requests to add subcontractors or consultants during performance, regardless of subcontracttype or pricing arrangement.

(1) Clearly present the business case for the addition of the subcontractor or consultant,

(2) If applicable, the impact on subcontracting goals, and

(3) Impact on providing support at the contracted value.

NOTE: Regarding FAR 52.244-2 Alternate 1 (JUN 2007) - Teaming arrangement with any firm not included in theContractor's basic MAC contract must be submitted to the MAC Contracting Officer for approval. Team member(Subcontract) additions after Task Order award must be approved by the Task Order Contracting Officer.

C.16 INFORMATION SECURITY AND COMPUTER SYSTEM USAGE

In accordance with U.S. Navy policy, any personnel, including the contractor, who utilizes DoD-owned systems,shall assume responsibility for adherence to restrictions regarding internet and e-mail usage. Navy policy prohibitsracist, sexist, threatening, pornographic, personal business, subversive or politically partisan communications. Allpersonnel, including the contractor, are accountable and must act accordingly. DoD computer systems are monitoredto ensure that the use is authorized, to facilitate protection against unauthorized access, and to verify securityprocedures, survivability and operational security. During monitoring, information may be examined, recorded,copied, and used for authorized purposes. All information, including personal information, placed on or sent over aDoD system may be monitored. Use of a DoD system constitutes consent to monitoring. Unauthorized use mayresult in criminal prosecution. Evidence of unauthorized use collected during monitoring may be used as a basis forrecommended administrative, criminal or adverse action.

C.17 USE OF INFORMATION SYSTEM (IS) RESOURCES

Contractor Provision of IS Resources:

Except in special circumstances explicitly detailed elsewhere in this document, the Contractor shall provide all ISresources needed in the performance of this contract. This includes, computers, software, networks, and addresses. Certain tasks may require that the information and data to be processed will be required to be on computers that arein a standalone configuration not connected to a network that is connected to the internet or any corporate networks.

Contractor Use of DoD and NSWCDD IS Resources:

In the event that the contractor shall need to have access to DoD and/or NSWCDD IS resources, the login nameused for access shall conform to the Navy Marine Corps Intranet (NMCI) login naming convention. If the contractorrequires access to applications/systems that utilize client certificates for authentication, the contractor is responsiblefor obtaining requisite certificates from a DoD or External Certificate Authority.

If this contract requires that the contractor be granted access and use of NSWCDD IS resources (at any site), the ISshall be accredited for contractor use in accordance with procedures specified by the IS Security Office.

C.18 DIGITAL DELIVERY OF DATA

(a) Delivery by the Contractor to the Government of certain technical data and other information is now frequentlyrequired to be made in digital form rather than in hardcopy form. The method of delivery of such data and/or otherinformation (i.e., in electronic, digital, paper hardcopy, or other form) shall not be deemed to affect in any way eitherthe identity of the information (i.e., as “technical data” or “computer software”) or the Government’s and theContractor’s respective rights therein.

CONTRACT NO.



24 PAGE

41 of 123 FINAL

(b) Whenever technical data and/or computer software deliverables required by this contract are to be delivered indigital form, any authorized, required, or permitted markings relating to the Government’s rights in and to suchtechnical data and/or computer software must also be digitally included as part of the deliverable and on or in thesame medium used to deliver the technical data and/or software. Such markings must be clearly associated with thecorresponding technical data and/or computer software to which the markings relate and must be included in such away that the marking(s) appear in human-readable form when the technical data and/or software is accessed and/orused. Such markings must also be applied in conspicuous human-readable form on a visible portion of any physicalmedium used to effect delivery of the technical data and/or computer software. Nothing in this paragraph shallreplace or relieve the Contractor’s obligations with respect to requirements for marking technical data and/orcomputer software that are imposed by other applicable clauses such as, where applicable and without limitation,DFARS 252.227-7013 and/or DFARS 252.227-7014.

(c) Digital delivery means (such as but not limited to Internet tools, websites, shared networks, and the like)sometimes require, as a condition for access to and/or use of the means, an agreement by a user to certain terms,agreements, or other restrictions such as but not limited to “Terms of Use,” licenses, or other restrictions intendedto be applicable to the information being delivered via the digital delivery means. The Contractor expresslyacknowledges that, with respect to deliverables made according to this contract, no such terms, agreements, or otherrestrictions shall be applicable to or enforceable with respect to such deliverables unless such terms, agreements, orother restrictions expressly have been accepted in writing by the Contracting Officer; otherwise, the Government’srights in and to such deliverables shall be governed exclusively by the terms of this contract.

C.19 IDENTIFICATION BADGES

The contractor shall be required to obtain identification badges from the Government for all contractor personnellocated on or requiring regular access to Government property. The identification badge shall be visible at all timeswhile employees are on Government property. The contractor shall furnish all requested information required tofacilitate issuance of identification badges and shall conform to applicable regulations concerning the use andpossession of the badges. The contractor shall be responsible for ensuring that all identification badges issued tocontractor employees are returned to the appropriate Security Office within 48 hours following completion of theTask Order, relocation or termination of an employee, and upon request by the Contracting Officer.

C.20 SENSITIVE, PROPRIETARY, AND PERSONAL INFORMATION

Work under this contact may require that personnel have access to Privacy Information. Contractor personnel shalladhere to the Privacy Act, Title 5 of the U.S. Code. Section 552a and applicable agency rules and regulations.Access to and preparation of sensitive information subject to privacy Act and Business Sensitive safeguarding anddestruction may be required in the execution of tasking associated with this contract. Administratively sensitiveinformation/data must not be shared outside of the specific work areas. All personnel with access to privacy act datain support of this contract must sign a privacy act certification.

C.21 NON-DISCLOSURE AGREEMENTS (NDAs)

NDAs may be utilized to allow for access to company sensitive or proprietary data. For tasks requiring NDAs thecontractor shall obtain appropriate agreements for all of their employees that are associated with the task requiringsuch an agreement.

Contractor personnel may be required, from time to time to sign non-disclosure statements as applicable to specificSOW tasking. The COR will notify the contractor of the number and type of personnel that will need to sign theNon-Disclosure Agreements. The signed Non-Disclosure Agreements shall be executed prior to accessing data orproviding support for information that must be safeguarded and shall be returned to the COR for endorsement andretention. Copies of all executed NDAs shall be provided to the COR.

C.22 NON-PERSONAL SERVICES and INHERENTLY GOVERNMENTAL FUNCTIONS

(a) The Government will neither supervise contractor employees nor control the method by which the contractorperforms the required tasks. The Government will not direct the hiring, dismissal or reassignment of contractorpersonnel. Under no circumstances shall the Government assign tasks to, or prepare work schedules for, individualcontractor employees. It shall be the responsibility of the contractor to manage its employees and to guard againstany actions that are of the nature of personal services or give the perception that personal services are being provided.If the contractor feels that any actions constitute, or are perceived to constitute personal services, it shall be thecontractor's responsibility to notify the Contracting Officer immediately in accordance with the clause 52.243-7.

CONTRACT NO.



24 PAGE

42 of 123 FINAL

(b) Inherently-Governmental functions are not within the scope of this Task Order. Decisions relative to programssupported by the contractor shall be the sole responsibility of the Government. The contractor may be required toattend technical meetings for the Government; however, they are not, under any circumstances, authorized torepresent the Government or give the appearance that they are doing so.

C.23 CONTROL OF CONTRACTOR PERSONNEL

The contractor shall comply with the requirements of NAVSEA, NSWCDD and Marine Corps instructionsregarding performance in Government facilities. All persons engaged in work while on Government property shall besubject to search of their persons (no bodily search) and vehicles at any time by the Government, and shall reportany known or suspected security violations to the appropriate Security Department. Assignment, transfer, andreassignment of contractor personnel shall be at the discretion of the contractor. However, when the Governmentdirects, the contractor shall remove from contract performance any person who endangers life, property, or nationalsecurity through improper conduct. All contractor personnel engaged in work while on Government property shallbe subject to the Standards of Conduct contained in SECNAVINST 5370.2J.

C.24 NOTIFICATION OF POTENTIAL ORGANIZATIONAL CONFLICT(S) OF INTEREST

Offerors are reminded that certain arrangements may preclude, restrict or limit participation, in whole or in part, aseither a subcontractor or as a prime contractor under this competitive procurement. Notwithstanding the existence ornon-existence of an OCI clause in the current contract, the offeror shall comply with FAR 9.5 and identify if an OCIexists at any tier or arises at any tier at any time during contract performance. The contractor shall provide noticewithin 14 days of receipt of any information that may indicate a Potential OCI and how they shall mitigate this.

C.25 ON-SITE ENVIRONMENTAL AWARENESS

C.25.1 The contractor shall strictly adhere to all Federal, State and local laws and regulations, Executive Orders,and Department of Defense and Navy policies.

C.25.2 The contractor shall ensure that each contractor employee who has been or will be issued a Common AccessCard (CAC) completes the annual NSWCDD Environmental Awareness Training (EAT) within 30 days ofcommencing contract performance and annually thereafter as directed by their NSWCDD training coordinator or theirCOR.

C.25.3 The contractor shall ensure that each contractor employee not required to complete the training described inpart (b) above (i.e., those who do not have and will not be issued a CAC) reads the NSWCDD EnvironmentalPolicy Statement within 30 days of commencing contract performance. This document will be available from theCOR, however, the policy is also provided on the publicly-available NSWCDD website,https://wwwdd.nmci.navy.mil/program/Safety_and_Environmental_Office.

C.25.4 Within 30 days of commencing contract performance, the contractor shall certify by e-mail to their COR thatthe requirements captured by (b) and (c) above have been met. The e-mail shall include each employee name andwork site and shall indicate which requirement—(b) or (c) above--each employee has satisfied.

C.25.5 Contractor copies of the records generated by the actions described in (b) and (c) above will be maintainedand disposed of by the contractor in accordance with SECNAVINST 5210.8D (http://doni.daps.dla.mil/Directives/05000%20General%20Management%20Security%20and%20Safety%20Services/05-200%20Management%20Program%20and%20Techniques%20Services/5210.8D.pdf).

C.26 ON-SITE SAFETY REQUIREMENTS

C.26.1 The contractor shall strictly adhere to Federal Occupational Safety and Health Agency (OSHA) Regulations,Environmental Protection Agency (EPA) Regulations, and all applicable state and local requirements.

C.26.2 The contractor shall ensure that each contractor employee reads the document entitled, "Occupational Safetyand Health (OSH) Policy Statement" within 30 days of commencing performance at NSWCDD. This document isavailable at: https://wwwdd.nmci.navy.mil/program/Safety_and_Environmental_Office/Safety/Safety.html

C.26.3 The contractor shall provide each contractor employee with the training required to do his/her job safely andin compliance with applicable regulations. The contractor shall document and provide, upon request, qualifications,certifications, and licenses as required.

CONTRACT NO.



24 PAGE

43 of 123 FINAL

https://wwwdd.nmci.navy.mil/program/Safety_and_Environmental_Office/Safety/Safety.html

C.26.4 The contractor shall provide each contractor employee with the personal protective equipment required to dotheir job safely and in compliance with all applicable regulations.

C.26.5 Contractors working with ionizing radiation (radioactive material or machine sources) must comply withNAVSEA S0420-AA-RAD-010 (latest revision)[provided upon request]. Prior to bringing radioactive materials ormachine sources on base, the contractor must notify the Command Radiation Safety Officer in the Safety &Environmental Office.

C.26.6 The contractor shall ensure that all hazardous materials (HAZMAT) procured for NSWCDD are procuredthrough or approved through the HAZMAT procurement process. HAZMAT brought into NSWCDD work spacesshall be reviewed and approved by the Safety & Environmental Office prior to use by submitting an Authorized UseList addition form and Safety Data Sheet that shall be routed through the government supervisor responsible for thespecific work area. The Authorized Use List addition form can be found at https://wwwdd.nmci.navy.mil/program/Safety_and_Environmental_Office/.

C.26.7 Upon request the contractor shall submit their OSHA 300 Logs (injury/illness rates) for review by the SafetyOffice. If a contractor's injury/illness rates are above the Bureau of Labor & Statistics industry standards, a safetyassessment will be performed by the Safety Office to determine if any administrative or engineering controls can beutilized to prevent further injuries/illnesses, or if any additional PPE or training will be required.

C.26.8 Applicable contractors shall submit Total Case Incident Rate (TCIR) and Days Away, Restricted andTransfer (DART) rates for the past three years upon request by the Safety Office. A contractor meets the definition ofapplicable if its employees worked 1,000 hours or more in any calendar quarter on site and where oversight is notdirectly provided in day to day activities by the command.

C26.9 The contractor shall report all work-related injuries/illnesses that occurred while working at NSWCDD to theSafety Office.

C.26.10 The contractor shall ensure that all on-site contractor work at NSWCDD is in accordance with theNSWCDDINST 5100.1D Occupational Safety and Health Instruction, available at: https://wwwdd.nmci.navy.mil/program/Safety_and_Environmental_Office/Safety/Safety.html

C.27 SHIPBOARD PROTOCOL

C.27.1 This tasking may involve platform engineering and fleet support onboard ship. As such, the offeror isreminded of his responsibility to assure that shipboard protocol is stringently followed. Specifically, visit clearancesmust be arranged through the Government sponsor and must be forwarded to the individual command being visitedas well as to all supporting commands, such as the base, squadron, tender, etc. that the visitor must pass through toget to the ship; the contractor is responsible for obtaining and maintaining specialized training (i.e. nuclearawareness, safety, quality control, etc.) and certification (i.e. SUBSAFE certificates etc.); personnel performing onboard US Navy Ships must have at least a Secret Security Clearance; if not led by a government representative thecontractor is responsible for briefing the ship command upon arrival; and the contractor is responsible for debriefingthe ship command upon departure to include operational status of the equipment.

C.27.2 The Contractor shall ensure its personnel adhere to these requirements when performing shipboard tasking.Compliance shall be reported in the trip report.

C.27.3 All assigned personnel must possess at least a SECRET Security Clearance.

C.27.4 All personnel, while shipboard, shall conform to the rules and regulations of the ship. It is the responsibilityof the Contractor to determine the proper rules, regulations, actions, policy and procedures.

C.27.5 Alarms - actual or drill shall be reported and procedures appropriately adhered.

C.27.6 Safety - hardhats, tag-outs, safety shoes, goggles, safety harnesses, etc., as appropriate shall be utilized.

C.27.7 Some shipboard tasking may require ascending and descending vertical ladders to and from the highestpoints of the ship both pier side and underway.

C.27.8 Must be able stand; walk; climb stairs; balance; stoop; kneel; crouch or crawl around and lift a maximum of50 lbs (single person) in the test environment.

CONTRACT NO.



24 PAGE

44 of 123 FINAL

https://wwwdd.nmci.navy.mil/program/Safety_and_Environmental_Office/Safety/Safety.html

C.27.9 HAZMAT - Bringing hazardous materials aboard, using hazardous materials is strictly prohibited.

C.27.10 The designated team lead shall, upon arrival, brief the Commanding Officer or his/her designatedrepresentative as to the purpose of the visit and expected duration.

C.27.11 The designated team lead shall, upon final departure, debrief the Commanding Officer or his/her designatedrepresentative as to the success of the tasking and the operational condition of affected equipment.

C.27.12 The Contractor shall comply with COMUSFLTFORCOM/COMPACFLT INSTRUCTION 6320.3B(http://www.public.navy.mil/surfor/IDCorpsmen_Docs/MEDICAL_SCREENING_FOR_US-GOVERNMENT_CIVILIAN_EMPLOYEES_CONTRACTORS_GUESTS_AND_VISITORS_PRIOR_TO_EMBARKING_FLEET_UNITS.pdf) regarding the medical and dental screening of all personnel that may embark aboardany U.S. Navy vessel.

C.27.13 The Contractor shall be ensure that repair and maintenance employees working aboard vessels, dry docksand piers shall have a valid 10 hour OSHA Maritime Shipyard Employment Course #7615 (https://www.osha.gov/dte/outreach/maritime/maritime_procedures.pdf) completion card within 60 days of employment, renewable every 5years from the date of the initial training.

TASK ORDER CLAUSES:

HQ C-1-0001 ITEM(S) A001- A036- DATA REQUIREMENTS (NAVSEA) (SEP 1992)

The data to be furnished hereunder shall be prepared in accordance with the Contract Data Requirements List, DDForm 1423, Exhibit(s) , attached hereto.

HQ C-2-0002 ACCESS TO PROPRIETARY DATA OR COMPUTER SOFTWARE (NAVSEA) (JUN 1994)

(a) Performance under this contract may require that the Contractor have access to technical data, computer software,or other sensitive data of another party who asserts that such data or software is proprietary. If access to such data orsoftware is required or to be provided, the Contractor shall enter into a written agreement with such party prior togaining access to such data or software. The agreement shall address, at a minimum, (1) access to, and use of, theproprietary data or software exclusively for the purposes of performance of the work required by this contract, and (2)safeguards to protect such data or software from unauthorized use or disclosure for so long as the data or softwareremains proprietary. In addition, the agreement shall not impose any limitation upon the Government or itsemployees with respect to such data or software. A copy of the executed agreement shall be provided to theContracting Officer. The Government may unilaterally modify the contract to list those third parties with which theContractor has agreement(s).

(b) The Contractor agrees to: (1) indoctrinate its personnel who will have access to the data or software as to therestrictions under which access is granted; (2) not disclose the data or software to another party or other Contractorpersonnel except as authorized by the Contracting Officer; (3) not engage in any other action, venture, oremployment wherein this information will be used, other than under this contract, in any manner inconsistent withthe spirit and intent of this requirement; (4) not disclose the data or software to any other party, including, but notlimited to, joint venturer, affiliate, successor, or assign of the Contractor; and (5) reproduce the restrictive stamp,marking, or legend on each use of the data or software whether in whole or in part.

(c) The restrictions on use and disclosure of the data and software described above also apply to such informationreceived from the Government through any means to which the Contractor has access in the performance of thiscontract that contains proprietary or other restrictive markings.

(d) The Contractor agrees that it will promptly notify the Contracting Officer of any attempt by an individual,company, or Government representative not directly involved in the effort to be performed under this contract to gainaccess to such proprietary information. Such notification shall include the name and organization of the individual,company, or Government representative seeking access to such information.

(e) The Contractor shall include this requirement in subcontracts of any tier which involve access to informationcovered by paragraph (a), substituting "subcontractor" for "Contractor" where appropriate.

(f) Compliance with this requirement is a material requirement of this contract.

HQ C-2-0011 COMPUTER SOFTWARE AND/OR COMPUTER DATABASE(S) DELIVERED TO

CONTRACT NO.



24 PAGE

45 of 123 FINAL

AND/OR RECEIVED FROM THE GOVERNMENT (NAVSEA) (APR 2004)

(a) The Contractor agrees to test for viruses all computer software and/or computer databases, as defined in the clauseentitled “RIGHTS IN NONCOMMERCIAL COMPUTER SOFTWARE AND NONCOMERCIAL COMPUTERSOFTWARE DOCUMENTATION” (DFARS 252.227-7014), before delivery of that computer software or computerdatabase in whatever media and on whatever system the software is delivered. The Contractor warrants that any suchcomputer software and/or computer database will be free of viruses when delivered.

(b) The Contractor agrees to test any computer software and/or computer database(s) received from the Governmentfor viruses prior to use under this contract.

(c) Unless otherwise agreed in writing, any license agreement governing the use of any computer software to bedelivered as a result of this contract must be paid-up and perpetual, or so nearly perpetual as to allow the use of thecomputer software or computer data base with the equipment for which it is obtained, or any replacement equipment,for so long as such equipment is used. Otherwise the computer software or computer database does not meet theminimum functional requirements of this contract. In the event that there is any routine to disable the computersoftware or computer database after the software is developed for or delivered to the Government, that routine shallnot disable the computer software or computer database until at least twenty-five calendar years after the delivery dateof the affected computer software or computer database to the Government.

(d) No copy protection devices or systems shall be used in any computer software or computer database deliveredunder this contract to restrict or limit the Government from making copies. This does not prohibit licenseagreements from specifying the maximum amount of copies that can be made.

(e) Delivery by the Contractor to the Government of certain technical data and other data is now frequently requiredin digital form rather than as hard copy. Such delivery may cause confusion between data rights and computersoftware rights. It is agreed that, to the extent that any such data is computer software by virtue of its delivery indigital form, the Government will be licensed to use that digital-form data with exactly the same rights andlimitations as if the data had been delivered as hard copy.

(f) Any limited rights legends or other allowed legends placed by a Contractor on technical data or other datadelivered in digital form shall be digitally include on the same media as the digital-form data and must be associatedwith the corresponding digital-form technical data to which the legends apply to the extent possible. Such legendsshall also be placed in human-readable form on a visible surface of the media carrying the digital-form data asdelivered, to the extent possible.

HQ C-2-0032 INFORMATION AND DATA FURNISHED BY THE GOVERNMENT - ALTERNATE II(NAVSEA) (SEP 2009)

(a) NAVSEA Form 4340/2 or Schedule C, as applicable, Government Furnished Information, attached hereto,incorporates by listing or specific reference, all the data or information which the Government has provided or willprovide to the Contractor except for

(1) The specifications set forth in Section C, and

(2) Government specifications, including drawings and other Government technical documentation which arereferenced directly or indirectly in the specifications set forth in Section C and which are applicable to this contractas specifications, and which are generally available and provided to Contractors or prospective Contractors uponproper request, such as Federal or Military Specifications, and Standard Drawings, etc.

(b) Except for the specifications referred to in subparagraphs (a)(1) and (2) above, the Government will not beobligated to provide to the Contractor any specification, drawing, technical documentation or other publicationwhich is not listed or specifically referenced in NAVSEA Form 4340/2 or Schedule C, as applicable,notwithstanding anything to the contrary in the specifications, the publications listed or specifically referenced inNAVSEA Form 4340/2 or Schedule C, as applicable, the clause entitled "GOVERNMENT PROPERTY" (FAR52.245-1) or "GOVERNMENT PROPERTY INSTALLATION OPERATION SERVICES " (FAR 52.245-2), asapplicable, or any other term or condition of this contract.

(c)(1) The Contracting Officer may at any time by written order:

(i) delete, supersede, or revise, in whole or in part, data listed or specifically referenced in NAVSEA Form4340/2 or Schedule C, as applicable; or

CONTRACT NO.



24 PAGE

46 of 123 FINAL

(ii) add items of data or information to NAVSEA Form 4340/2 or Schedule C, as applicable; or

(iii) establish or revise due dates for items of data or information in NAVSEA Form 4340/2 or Schedule C, asapplicable.

(2) If any action taken by the Contracting Officer pursuant to subparagraph (c)(1) immediately above causes anincrease or decrease in the costs of, or the time required for, performance of any part of the work under this contract,the contractor may be entitled to an equitable adjustment in the contract amount and delivery schedule in accordancewith the procedures provided for in the "CHANGES" clause of this contract.

HQ C-2-0037 ORGANIZATIONAL CONFLICT OF INTEREST (NAVSEA) (JUL 2000)

(a) "Organizational Conflict of Interest" means that because of other activities or relationships with other persons, aperson is unable or potentially unable to render impartial assistance or advice to the Government, or the person'sobjectivity in performing the contract work is or might be otherwise impaired, or a person has an unfair competitiveadvantage. "Person" as used herein includes Corporations, Partnerships, Joint Ventures, and other businessenterprises.

(b) The Contractor warrants that to the best of its knowledge and belief, and except as otherwise set forth in thecontract, the Contractor does not have any organizational conflict of interest(s) as defined in paragraph (a).

(c) It is recognized that the effort to be performed by the Contractor under this contract may create a potentialorganizational conflict of interest on the instant contract or on a future acquisition. In order to avoid this potentialconflict of interest, and at the same time to avoid prejudicing the best interest of the Government, the right of theContractor to participate in future procurement of equipment and/or services that are the subject of any work underthis contract shall be limited as described below in accordance with the requirements of FAR 9.5.

(d) (1) The Contractor agrees that it shall not release, disclose, or use in any way that would permit or result indisclosure to any party outside the Government any information provided to the Contractor by the Governmentduring or as a result of performance of this contract. Such information includes, but is not limited to, informationsubmitted to the Government on a confidential basis by other persons. Further, the prohibition against release ofGovernment provided information extends to cover such information whether or not in its original form, e.g., wherethe information has been included in Contractor generated work or where it is discernible from materialsincorporating or based upon such information. This prohibition shall not expire after a given period of time.

(2) The Contractor agrees that it shall not release, disclose, or use in any way that would permit or result indisclosure to any party outside the Government any information generated or derived during or as a result ofperformance of this contract. This prohibition shall expire after a period of three years after completion of performanceof this contract.

(3) The prohibitions contained in subparagraphs (d)(1) and (d)(2) shall apply with equal force to any affiliate ofthe Contractor, any subcontractor, consultant, or employee of the Contractor, any joint venture involving theContractor, any entity into or with which it may merge or affiliate, or any successor or assign of the Contractor. Theterms of paragraph (f) of this Special Contract Requirement relating to notification shall apply to any release ofinformation in contravention of this paragraph (d).

(e) The Contractor further agrees that, during the performance of this contract and for a period of three years aftercompletion of performance of this contract, the Contractor, any affiliate of the Contractor, any subcontractor,consultant, or employee of the Contractor, any joint venture involving the Contractor, any entity into or with whichit may subsequently merge or affiliate, or any other successor or assign of the Contractor, shall not furnish to theUnited States Government, either as a prime contractor or as a subcontractor, or as a consultant to a prime contractoror subcontractor, any system, component or services which is the subject of the work to be performed under thiscontract. This exclusion does not apply to any recompetition for those systems, components or services furnishedpursuant to this contract. As provided in FAR 9.505-2, if the Government procures the system, component, orservices on the basis of work statements growing out of the effort performed under this contract, from a source otherthan the contractor, subcontractor, affiliate, or assign of either, during the course of performance of this contract orbefore the three year period following completion of this contract has lapsed, the Contractor may, with theauthorization of the cognizant Contracting Officer, participate in a subsequent procurement for the same system,component, or service. In other words, the Contractor may be authorized to compete for procurement(s) for systems,components or services subsequent to an intervening procurement.

(f) The Contractor agrees that, if after award, it discovers an actual or potential organizational conflict of interest, it

CONTRACT NO.



24 PAGE

47 of 123 FINAL

shall make immediate and full disclosure in writing to the Contracting Officer. The notification shall include adescription of the actual or potential organizational conflict of interest, a description of the action which theContractor has taken or proposes to take to avoid, mitigate, or neutralize the conflict, and any other relevantinformation that would assist the Contracting Officer in making a determination on this matter. Notwithstandingthis notification, the Government may terminate the contract for the convenience of the Government if determined tobe in the best interest of the Government.

(g) Notwithstanding paragraph (f) above, if the Contractor was aware, or should have been aware, of an organizationalconflict of interest prior to the award of this contract or becomes, or should become, aware of an organizationalconflict of interest after award of this contract and does not make an immediate and full disclosure in writing to theContracting Officer, the Government may terminate this contract for default.

(h) If the Contractor takes any action prohibited by this requirement or fails to take action required by thisrequirement, the Government may terminate this contract for default.

(i) The Contracting Officer's decision as to the existence or nonexistence of an actual or potential organizationalconflict of interest shall be final.

(j) Nothing in this requirement is intended to prohibit or preclude the Contractor from marketing or selling to theUnited States Government its product lines in existence on the effective date of this contract; nor, shall thisrequirement preclude the Contractor from participating in any research and development or delivering any designdevelopment model or prototype of any such equipment. Additionally, sale of catalog or standard commercial itemsare exempt from this requirement.

(k) The Contractor shall promptly notify the Contracting Officer, in writing, if it has been tasked to evaluate oradvise the Government concerning its own products or activities or those of a competitor in order to ensure propersafeguards exist to guarantee objectivity and to protect the Government's interest.

(l) The Contractor shall include this requirement in subcontracts of any tier which involve access to information orsituations/conditions covered by the preceding paragraphs, substituting "subcontractor" for "contractor" whereappropriate.

(m) The rights and remedies described herein shall not be exclusive and are in addition to other rights and remediesprovided by law or elsewhere included in this contract.

(n) Compliance with this requirement is a material requirement of this contract.

HQ C-2-0051 SPECIFICATIONS AND STANDARDS (NAVSEA) (AUG 1994)

(a) Definitions.

(i) A "zero-tier reference" is a specification, standard, or drawing that is cited in the contract (including itsattachments).

(ii) A "first-tier reference" is either: (1) a specification, standard, or drawing cited in a zero-tier reference, or (2) aspecification cited in a first-tier drawing.

(b) Requirements.

All zero-tier and first-tier references, as defined above, are mandatory for use. All lower tier references shall be usedfor guidance only.

HQ C-2-0059 UPDATING SPECIFICATIONS AND STANDARDS (NAVSEA) (AUG 1994)

If, during the performance of this or any other contract, the contractor believes that any contract contains outdated ordifferent versions of any specifications or standards, the contractor may request that all of its contracts be updated toinclude the current version of the applicable specification or standard. Updating shall not affect the form, fit orfunction of any deliverable item or increase the cost/price of the item to the Government. The contractor shouldsubmit update requests to the Procuring Contracting Officer with copies to the Administrative Contracting Officerand cognizant program office representative for approval. The contractor shall perform the contract in accordance withthe existing specifications and standards until notified of approval/disapproval by the Procuring Contracting Officer.Any approved alternate specifications or standards will be incorporated into the contract.

CONTRACT NO.



24 PAGE

48 of 123 FINAL

Ddl-C30 HAZARDOUS MATERIALS USED ON GOVERNMENT SITE

(a) This clause applies if hazardous materials are utilized at any time during the performance of work on aGovernment site. Under this Task Order, Hazardous materials are defined in Federal Standard No. 313 and includeitems such as chemicals, paint, thinners, cleaning fluids, alcohol, epoxy, flammable solvents, or asbestos.

(b) The Contractor shall have an active Hazard Communication Program in place for all Contractor employees per29 C.F.R. 1910.1200. Before delivery of any hazardous materials onto Government property, the Contractor shallprovide the both the PCO and the Contracting Officer's Representative (COR) with an inventory and Material SafetyData Sheet (MSDS) for these materials.

Ddl-C41 TERMINATION OF EMPLOYEES WITH NSWCDD BASE ACCESS

(a) The Contractor shall insure that all employees who have a Common Access Card (CAC) turn in the CACimmediately upon termination of their employment under this order. The above requirement shall be made a part ofthe standard employee facility clearance procedures for all separated personnel. The Contractor shall adviseNSWCDD Physical Security of all changes in their contract personnel requiring NSWCDD base access.

(b) For involuntarily separated personnel and those separated under adverse circumstances, the Contractor shallnotify NSWCDD Physical Security in advance of the date, time and location where the NSWCDD representative may physically retrieve the CAC prior to the employee departing the Contractor’s facility. In the event the employeeis separated in his or her absence, the Contractor shall immediately notify NSWCDD Physical Security of theseparation and make arrangements between the former employee and NSWCDD Physical Security for the return ofthe CAC.

CONTRACT NO.



24 PAGE

49 of 123 FINAL

SECTION D PACKAGING AND MARKING

D.1 HQ-D-1-0001 DATA PACKAGING LANGUAGE

Data to be delivered by Integrated Digital Environment (IDE) or other electronic media shall be as specified in thecontract.

All unclassified data to be shipped shall be prepared for shipment in accordance with best commercial practices.

Classified reports, data, and documentation shall be prepared for shipment in accordance with National IndustrialSecurity Program Operating Manual (NISPOM), DOD 5220.22-M dated 28 February 2006.

D.2 HQ-D-2-0008 MARKING OF REPORTS (NAVSEA) (SEP 1990)

All reports delivered by the Contractor to the Government under this contract shall prominently show on the coverof the report:

(1) Name and business address of the Contractor

(2) Contract number

(3) Contract dollar amount

(4) Whether the contract was competitively or non-competitively awarded

(5) Sponsor:

________________________________________________________

(Name of Individual Sponsor)

________________________________________________________

(Name of Requiring Activity)

All Deliverables shall be packaged and marked IAW Best Commercial Practice.

CONTRACT NO.



24 PAGE

50 of 123 FINAL

SECTION E INSPECTION AND ACCEPTANCE

E.1 INSPECTION AND ACCEPTANCE

E.2 TASK ORDER REVIEW AND ACCEPTANCE PROCEDURES

(a) This Task order as defined in FAR 37.6. Contractor performance will be evaluated in accordance with the QualityAssurance Surveillance Plan (QASP) that is provided below.

(b) The QASP defines this evaluation and acceptance to be part of the annual Contractor Performance AssessmentReporting System (CPARS). The contractor may obtain more information regarding the CPARS process at thefollowing internet site: http://cpars.navy.mil

E.3 PERFORMANCE TASK ORDER REVIEW AND ACCEPTANCE PROCEDURES - THE QUALITYASSURANCE SURVEILLANCE PLAN (QASP)

E.3.1 The contractor’s performance in each of the task areas of Statement Of Work will be continually monitored inconjunction with the Contractor Performance Assessment Reporting System (CPARS) and the criteria set forthbelow. The results of this evaluation will factor into the Government’s Option Exercise determination and will beincluded in the contractor’s CPARs evaluation, which is accomplished on an annual basis. The evaluation will bebased on contractor performance during the previous period. The primary Government official responsible for theQASP evaluation is the Contracting Officers Representative (COR) for the contract. Other Government individualshaving information relevant to the quality of contractor performance may assist the COR, as necessary.

E.3.2 Contractor performance will be assessed on a continuing basis throughout the year based on review andassessment of products and deliverables (technical and management), by observation of personnel during technicalmeetings and task execution, by monthly progress and status reports for the Contractor, formal In-Progress Reviews,and general contacts with the contractor.

E.3.3 Contractor performance will be evaluated in five general areas. A rating of Exceptional, Very Good,Satisfactory, Marginal or Unsatisfactory (as defined in Table 42-1 @ FAR 42.1503) will be assigned to each area. These general areas are described below. The items identified under each area represent the types of considerationsto be addressed. They should not be considered an exclusive list. The degree of Government technical directionnecessary to solve problems that arise during performance will be a consideration for each area. Improvements madein an area during the evaluation period will also be considered as will degradation in the overall quality ofperformance.

E.3.3.1 Quality of Product or Service – Addresses the extent to which the contractor (a) met contract technicalrequirements, including the accuracy (information conveyed by products and services are factually accurate and,where applicable, annotated with supporting source) and completeness of reports/ data delivered (products arecomplete, well-coordinated with all related managers and personnel, and presented in concise and understandableformat); (b) employed methods and approaches to ensure fully successful performance; (c) consistently conveyed hisintended approach clearly and completely to ensure that there were no surprises; (d) was proactive and demonstratedinitiative; (e) remained flexible to internal or external changes; (f) was effective in developing and implementingprocess improvements to make the end product development more efficient and the end product display moreeffective and (g) Services are provided in a professional unbiased manner.

E.3.3.2 Schedule – Addresses the extent to which the contractor met contract schedules, including the need fordeadline extensions. Delivery of products and services are within deadlines identified by the COR or hisrepresentative.

E.3.3.3 Cost Control – Addresses the contractor’s overall effectiveness in controlling both direct, indirect costs, andother direct costs as well as the incidence of cost overruns.

E.3.3.4 Business Relations – Addresses the responsiveness of the contractor’s upper-level management toGovernment concerns and needs, the effectiveness of the contractor’s management interface with the Government, andthe overall cooperativeness and receptiveness of the contractor in dealing with the Government, and the overallcooperativeness and receptiveness of the contractor in dealing with the Government on both technical and

CONTRACT NO.



24 PAGE

51 of 123 FINAL

management issues.

E.3.3.5 Management of Key Personnel – Addresses the overall quality of the contractor’s team, including theireducation, relevant experience, skill levels and expertise as well as the degree of compliance with the terms of thecontract regarding Key Personnel. Also includes the effectiveness of the contractor’s efforts to retain or attractqualified personnel.

Contract Clauses:

HQ E-1-0001 INSPECTION AND ACCEPTANCE LANGUAGE FOR DATA

Inspection and acceptance of all data shall be as specified on the attached Contract Data Requirements List(s), DDForm 1423.

HQ E-1-0007 INSPECTION AND ACCEPTANCE LANGUAGE FOR LOE SERVICES

Item(s) 7000 – 7300 Inspection and Acceptance shall be made by the Contracting Officer’s Representative (COR) atNSWCDD, Dahlgren Virginia.

CONTRACT NO.



24 PAGE

52 of 123 FINAL

SECTION F DELIVERABLES OR PERFORMANCE

The periods of performance for the following Items are as follows:

7000 9/1/2016 - 8/31/2017

7001AA 9/1/2016 - 8/31/2017

7001AB 9/1/2016 - 8/31/2017

7001AC 9/1/2016 - 8/31/2017

7001AD 9/1/2016 - 8/31/2017

7001AE 9/1/2016 - 8/31/2017

7001AF 9/1/2016 - 8/31/2017

7001AG 9/1/2016 - 8/31/2017

7001AH 9/1/2016 - 8/31/2017

7001AJ 9/1/2016 - 8/31/2017

7001AK 9/1/2016 - 8/31/2017

7001AL 9/1/2016 - 8/31/2017

7001AM 9/1/2016 - 8/31/2017

7001AN 9/1/2016 - 8/31/2017

7001AP 9/1/2016 - 8/31/2017

7001AQ 9/1/2016 - 8/31/2017

7001AR 9/1/2016 - 8/31/2017

7001AS 9/1/2016 - 8/31/2017

7001AT 9/1/2016 - 8/31/2017

7001AU 9/1/2016 - 8/31/2017

7001AV 9/1/2016 - 8/31/2017

7001AW 9/1/2016 - 8/31/2017

7001AX 9/1/2016 - 8/31/2017

7001AY 9/1/2016 - 8/31/2017

7001AZ 9/1/2016 - 8/31/2017

7001BA 9/1/2016 - 8/31/2017

7001BB 9/1/2016 - 8/31/2017

7001BC 9/1/2016 - 8/31/2017

7001BD 9/27/2016 - 8/31/2017

7001BE 9/27/2016 - 8/31/2017

7001BF 9/27/2016 - 8/31/2017

7001BG 9/27/2016 - 8/31/2017

7001BH 9/27/2016 - 8/31/2017

7001BJ 9/27/2016 - 8/31/2017

7001BK 9/27/2016 - 8/31/2017

7001BL 9/27/2016 - 8/31/2017

7001BN 9/27/2016 - 8/31/2017

7001BP 9/27/2016 - 8/31/2017

7001BQ 9/28/2016 - 8/31/2017

7001BR 10/28/2016 - 8/31/2017

7001BS 10/28/2016 - 8/31/2017

CONTRACT NO.



24 PAGE

53 of 123 FINAL

7001BT 11/16/2016 - 8/31/2017

7001BU 11/16/2016 - 8/31/2017

7001BV 11/16/2016 - 8/31/2017

7001BW 11/16/2016 - 8/31/2017

7001BX 11/23/2016 - 8/31/2017

7001BY 11/23/2016 - 8/31/2017

7001BZ 12/9/2016 - 8/31/2017

7001CA 12/9/2016 - 8/31/2017

7001CB 12/9/2016 - 8/31/2017

7001CC 12/9/2016 - 8/31/2017

7001CD 12/9/2016 - 8/31/2017

7001CE 12/9/2016 - 8/31/2017

7001CF 12/9/2016 - 8/31/2017

7001CG 12/9/2016 - 8/31/2017

7001CH 12/28/2016 - 8/31/2017

7001CJ 12/28/2016 - 8/31/2017

7001CK 1/4/2017 - 8/31/2017

7001CL 1/4/2017 - 8/31/2017

7001CM 1/4/2017 - 8/31/2017

7001CN 2/3/2017 - 8/31/2017

7001CP 2/3/2017 - 8/31/2017

7001CQ 2/3/2017 - 8/31/2017

7001CR 2/3/2017 - 8/31/2017

7001CS 2/3/2017 - 8/31/2017

7001CT 2/3/2017 - 8/31/2017

7001CU 9/1/2016 - 8/31/2017

7001CV 9/1/2016 - 8/31/2017

7001CX 9/1/2016 - 8/31/2017

7001CY 9/1/2016 - 8/31/2017

7001CZ 9/1/2016 - 8/31/2017

7001DA 2/24/2017 - 8/31/2017

7001DB 2/24/2017 - 8/31/2017

7001DC 2/24/2017 - 8/31/2017

7001DD 2/24/2017 - 8/31/2017

7001DE 2/24/2017 - 8/31/2017

7001DF 2/24/2017 - 8/31/2017

7001DG 2/24/2017 - 8/31/2017

7001DH 2/24/2017 - 8/31/2017

7001DJ 3/10/2017 - 8/31/2017

7001DK 3/10/2017 - 8/31/2017

7001DL 3/10/2017 - 8/31/2017

7001DM 3/10/2017 - 8/31/2017

7001DN 3/10/2017 - 8/31/2017

7001DP 3/10/2017 - 8/31/2017

7001DQ 3/10/2017 - 8/31/2017

7001DR 3/10/2017 - 8/31/2017

CONTRACT NO.



24 PAGE

54 of 123 FINAL

7001DS 3/10/2017 - 8/31/2017

7001DT 3/10/2017 - 8/31/2017

7001DU 3/30/2017 - 8/31/2017

7001DV 3/30/2017 - 8/31/2017

7001DW 3/30/2017 - 8/31/2017

7001DX 3/30/2017 - 8/31/2017

7001DY 4/11/2017 - 8/31/2017

7001DZ 4/11/2017 - 8/31/2017

7001EA 4/11/2017 - 8/31/2017

7001EB 4/11/2017 - 8/31/2017

7001EC 4/21/2017 - 8/31/2017

7001ED 4/21/2017 - 8/31/2017

7001EE 4/21/2017 - 8/31/2017

7001EF 4/21/2017 - 8/31/2017

7001EG 5/11/2017 - 8/31/2017

7001EH 5/22/2017 - 8/31/2017

7001EJ 5/22/2017 - 8/31/2017

7001EK 5/21/2017 - 8/31/2017

7001EL 5/21/2017 - 8/31/2017

7001EM 6/2/2017 - 8/31/2017

7001EN 6/20/2017 - 8/31/2017

7001EP 6/20/2017 - 8/31/2017

7001EQ 7/7/2017 - 8/31/2017

9000 9/1/2016 - 8/31/2017

9001AA 9/1/2016 - 8/31/2017

9001AC 9/1/2016 - 8/31/2017

9001AD 9/1/2016 - 8/31/2017

9001AF 9/1/2016 - 8/31/2017

9001AG 9/1/2016 - 8/31/2017

9001AN 9/1/2016 - 8/31/2017

9001AQ 9/1/2016 - 8/31/2017

9001AW 9/1/2016 - 8/31/2017

9001AX 9/1/2016 - 8/31/2017

9001AY 9/1/2016 - 8/31/2017

9001AZ 9/28/2016 - 8/31/2017

9001BN 9/28/2016 - 8/31/2017

9001BQ 10/28/2016 - 8/31/2017

9001BT 11/16/2016 - 8/31/2017

9001BW 11/16/2016 - 8/31/2017

9001BY 11/23/2016 - 8/31/2017

9001CK 1/4/2017 - 8/31/2017

9001CV 9/1/2017 - 8/31/2018

9001CW 9/1/2016 - 8/31/2017

9001CX 9/1/2016 - 8/31/2017

9001CY 9/1/2016 - 8/31/2017

9001CZ 9/1/2016 - 8/31/2017

CONTRACT NO.



24 PAGE

55 of 123 FINAL

9001DG 2/24/2017 - 8/31/2017

9001DL 3/10/2017 - 8/31/2017

9001DM 3/10/2017 - 8/31/2017

9001DY 4/11/2017 - 8/31/2017

9001DZ 4/28/2017 - 8/31/2017

CLIN - DELIVERIES OR PERFORMANCE

The periods of performance for the following Items are as follows:

7000 9/1/2016 - 8/31/2017

7001AA 9/1/2016 - 8/31/2017

7001AB 9/1/2016 - 8/31/2017

7001AC 9/1/2016 - 8/31/2017

7001AD 9/1/2016 - 8/31/2017

7001AE 9/1/2016 - 8/31/2017

7001AF 9/1/2016 - 8/31/2017

7001AG 9/1/2016 - 8/31/2017

7001AH 9/1/2016 - 8/31/2017

7001AJ 9/1/2016 - 8/31/2017

7001AK 9/1/2016 - 8/31/2017

7001AL 9/1/2016 - 8/31/2017

7001AM 9/1/2016 - 8/31/2017

7001AN 9/1/2016 - 8/31/2017

7001AP 9/1/2016 - 8/31/2017

7001AQ 9/1/2016 - 8/31/2017

7001AR 9/1/2016 - 8/31/2017

7001AS 9/1/2016 - 8/31/2017

7001AT 9/1/2016 - 8/31/2017

7001AU 9/1/2016 - 8/31/2017

7001AV 9/1/2016 - 8/31/2017

7001AW 9/1/2016 - 8/31/2017

7001AX 9/1/2016 - 8/31/2017

7001AY 9/1/2016 - 8/31/2017

7001AZ 9/1/2016 - 8/31/2017

7001BA 9/1/2016 - 8/31/2017

7001BB 9/1/2016 - 8/31/2017

7001BC 9/1/2016 - 8/31/2017

7001BD 9/27/2016 - 8/31/2017

7001BE 9/27/2016 - 8/31/2017

7001BF 9/27/2016 - 8/31/2017

7001BG 9/27/2016 - 8/31/2017

7001BH 9/27/2016 - 8/31/2017

7001BJ 9/27/2016 - 8/31/2017

7001BK 9/27/2016 - 8/31/2017

CONTRACT NO.



24 PAGE

56 of 123 FINAL

7001BL 9/27/2016 - 8/31/2017

7001BN 9/27/2016 - 8/31/2017

7001BP 9/27/2016 - 8/31/2017

7001BQ 9/28/2016 - 8/31/2017

7001BR 10/28/2016 - 8/31/2017

7001BS 10/28/2016 - 8/31/2017

7001BT 11/16/2016 - 8/31/2017

7001BU 11/16/2016 - 8/31/2017

7001BV 11/16/2016 - 8/31/2017

7001BW 11/16/2016 - 8/31/2017

7001BX 11/23/2016 - 8/31/2017

7001BY 11/23/2016 - 8/31/2017

7001BZ 12/9/2016 - 8/31/2017

7001CA 12/9/2016 - 8/31/2017

7001CB 12/9/2016 - 8/31/2017

7001CC 12/9/2016 - 8/31/2017

7001CD 12/9/2016 - 8/31/2017

7001CE 12/9/2016 - 8/31/2017

7001CF 12/9/2016 - 8/31/2017

7001CG 12/9/2016 - 8/31/2017

7001CH 12/28/2016 - 8/31/2017

7001CJ 12/28/2016 - 8/31/2017

7001CK 1/4/2017 - 8/31/2017

7001CL 1/4/2017 - 8/31/2017

7001CM 1/4/2017 - 8/31/2017

7001CN 2/3/2017 - 8/31/2017

7001CP 2/3/2017 - 8/31/2017

7001CQ 2/3/2017 - 8/31/2017

7001CR 2/3/2017 - 8/31/2017

7001CS 2/3/2017 - 8/31/2017

7001CT 2/3/2017 - 8/31/2017

7001CU 9/1/2016 - 8/31/2017

7001CV 9/1/2016 - 8/31/2017

7001CX 9/1/2016 - 8/31/2017

7001CY 9/1/2016 - 8/31/2017

7001CZ 9/1/2016 - 8/31/2017

7001DA 2/24/2017 - 8/31/2017

7001DB 2/24/2017 - 8/31/2017

7001DC 2/24/2017 - 8/31/2017

7001DD 2/24/2017 - 8/31/2017

7001DE 2/24/2017 - 8/31/2017

7001DF 2/24/2017 - 8/31/2017

7001DG 2/24/2017 - 8/31/2017

7001DH 2/24/2017 - 8/31/2017

7001DJ 3/10/2017 - 8/31/2017

7001DK 3/10/2017 - 8/31/2017

CONTRACT NO.



24 PAGE

57 of 123 FINAL

7001DL 3/10/2017 - 8/31/2017

7001DM 3/10/2017 - 8/31/2017

7001DN 3/10/2017 - 8/31/2017

7001DP 3/10/2017 - 8/31/2017

7001DQ 3/10/2017 - 8/31/2017

7001DR 3/10/2017 - 8/31/2017

7001DS 3/10/2017 - 8/31/2017

7001DT 3/10/2017 - 8/31/2017

7001DU 3/30/2017 - 8/31/2017

7001DV 3/30/2017 - 8/31/2017

7001DW 3/30/2017 - 8/31/2017

7001DX 3/30/2017 - 8/31/2017

7001DY 4/11/2017 - 8/31/2017

7001DZ 4/11/2017 - 8/31/2017

7001EA 4/11/2017 - 8/31/2017

7001EB 4/11/2017 - 8/31/2017

7001EC 4/21/2017 - 8/31/2017

7001ED 4/21/2017 - 8/31/2017

7001EE 4/21/2017 - 8/31/2017

7001EF 4/21/2017 - 8/31/2017

7001EG 5/11/2017 - 8/31/2017

7001EH 5/22/2017 - 8/31/2017

7001EJ 5/22/2017 - 8/31/2017

7001EK 5/21/2017 - 8/31/2017

7001EL 5/21/2017 - 8/31/2017

7001EM 6/2/2017 - 8/31/2017

7001EN 6/20/2017 - 8/31/2017

7001EP 6/20/2017 - 8/31/2017

7001EQ 7/7/2017 - 8/31/2017

9000 9/1/2016 - 8/31/2017

9001AA 9/1/2016 - 8/31/2017

9001AC 9/1/2016 - 8/31/2017

9001AD 9/1/2016 - 8/31/2017

9001AF 9/1/2016 - 8/31/2017

9001AG 9/1/2016 - 8/31/2017

9001AN 9/1/2016 - 8/31/2017

9001AQ 9/1/2016 - 8/31/2017

9001AW 9/1/2016 - 8/31/2017

9001AX 9/1/2016 - 8/31/2017

9001AY 9/1/2016 - 8/31/2017

9001AZ 9/28/2016 - 8/31/2017

9001BN 9/28/2016 - 8/31/2017

9001BQ 10/28/2016 - 8/31/2017

9001BT 11/16/2016 - 8/31/2017

9001BW 11/16/2016 - 8/31/2017

9001BY 11/23/2016 - 8/31/2017

CONTRACT NO.



24 PAGE

58 of 123 FINAL

9001CK 1/4/2017 - 8/31/2017

9001CV 9/1/2017 - 8/31/2018

9001CW 9/1/2016 - 8/31/2017

9001CX 9/1/2016 - 8/31/2017

9001CY 9/1/2016 - 8/31/2017

9001CZ 9/1/2016 - 8/31/2017

9001DG 2/24/2017 - 8/31/2017

9001DL 3/10/2017 - 8/31/2017

9001DM 3/10/2017 - 8/31/2017

9001DY 4/11/2017 - 8/31/2017

9001DZ 4/28/2017 - 8/31/2017

The periods of performance for the following Option Items are as follows:

7100 9/1/2017 - 8/31/2018

7101AA 9/1/2017 - 8/31/2018

7200 9/1/2018 - 8/31/2019

7201AA 9/1/2018 - 8/31/2019

7300 9/1/2019 - 8/31/2020

7301AA 9/1/2019 - 8/31/2020

9100 9/1/2017 - 8/31/2018

9101AA 9/1/2017 - 8/31/2018

9200 9/1/2018 - 8/31/2019

9201AA 9/1/2018 - 8/31/2019

9300 9/1/2019 - 8/31/2020

9301AA 9/1/2019 - 8/31/2020

F.1 PLACE OF PERFORMANCE

Services to be performed hereunder will be provided at NSWCDD Dahlgren, VA., Quantico, VA, and Dam Neck,VA

HQ F-1-0003 PERFORMANCE LANGUAGE FOR LOE SERVICES

The Contractor shall perform the work described in SECTION C, at the level of effort specified in SECTION B, asfollows:

ITEM(S) FROM TO

7001 09/01/2016-08/31/20177101 09/01/2017-08/31/20187201 09/01/2018-08/31/20197301 09/01/2019-08/31/2020

CONTRACT NO.



24 PAGE

59 of 123 FINAL

HQ F-2-0003 DATA DELIVERY LANGUAGE FOR SERVICES ONLY PROCUREMENTS

All data to be furnished under this contract shall be delivered prepaid to the destination(s) and at the time(s)specified on the Contract Data Requirements List(s), DD Form 1423.

The periods of performance for the Data Items are as follows:

7900 09/01/2016-08/31/20177901 09/01/2017-08/31/20187902 09/01/2018-08/31/20197903 09/01/2019-08/31/2020

F.2 DELIVERY/PERFORMANCE/DATA RIGHTS

This is a task order for the provision of services by the contractor. In accordance with law and policy and with theprovisions of this task order, contractor personnel shall perform as required by this task order, and such work shallinclude working in cooperation and collaboration with Government personnel. Performance of this contract workshall require, among other things, the contractor to access and use Government-owned data such as software,documentation, technical data, process and report templates, and the like. Any and all software, documentation,technical data, and the like generated from such access and use shall also be and remain Government –owned dataand shall be included in an appropriate technical report or other deliverable. The contractor's use of and access toGovernment-owned data shall neither constitute nor create any contractor rights in or license to such data; the onlycontractor permissions to use and access the data shall be those necessarily required by the contractor to perform thework herein. On occasion and incidental to the provision of support services by the contractor, the contractor may betasked to independently create discrete new data products (e.g., a computer software program, drawings, etc.) that donot derive from existing data. Such products shall be specifically identified by the Government in writing and shallbe delivered pursuant to the appropriate Contract Data Requirements List (CDRL) document. Rights in suchproducts shall be governed by the appropriate task order clauses.

CONTRACT NO.



24 PAGE

60 of 123 FINAL

SECTION G CONTRACT ADMINISTRATION DATA

G.1 ACCOUNTING DATA

G.2 SPECIAL INVOICE INSTRUCTIONS

Each SLIN providing funding designates a specific project area/work area/work breakdown structure (WBS) item.Tracking and reporting shall be accomplished at the project/work area/WBS item level. Each identified project/workarea/WBS shall be invoiced by its associated CLIN and ACRN. If multiple ACRNs are associated with a singleproject/work area/WBS, the contractor shall consult with the Contracting Officer Representative for additionalinvoicing instructions.

G.3 PAYMENT INSTRUCTION

In accordance with (DFARS) PGI 204.7108 "Line item specific: Single Funding"(d) (1) INVOICING ANDPAYMENT INSTRUCTIONS FOR MULTIPLE ACCOUNTING CLASSIFICATION CITATIONS The followingpayment instructions apply to this task order:

252.204-0001 Line Item Specific: Single Funding. (SEP 2009) The payment office shall make payment using theACRN funding of the line item being billed.

Note: The Government may change the Payment Instruction.

G.4 Ddl-G10 GOVERNMENT CONTRACT ADMINISTRATION POINTS-OF-CONTACT ANDRESPONSIBILITIES

Procuring Contracting Officer (PCO):

(a) Name: Michelle L. Briscoe Code: 0242Address: Naval Surface Warfare Center, Dahlgren Division

17632 Dahlgren Road, Suite 157 Dahlgren, Virginia 22448-5100

Phone: 540-653-0028E-mail: [email protected]

(b) PCO responsibilities are outlined in FAR 1.602-2. The PCO is the only person authorized to approve changesin any of the requirements of this Task Order, notwithstanding provisions contained elsewhere in this contract, thesaid authority remains solely the PCO’s. The contractor shall not comply with any order, direction or request ofGovernment personnel unless it is issued in writing and signed by the Contracting Officer or is pursuant to specificauthority otherwise included as part of this contract. In the event the contractor effects any change at the direction ofany person other than the PCO, the change will be considered to be unauthorized.

Contract Specialist:

(a) Name: Daniel Belcher Code: 0242Address: Naval Surface Warfare Center, Dahlgren Division

17632 Dahlgren Road, Suite 157 Dahlgren, Virginia 22448-5100

Phone: 540-653-7805E-mail: [email protected]

CONTRACT NO.



24 PAGE

61 of 123 FINAL

mailto:[email protected]


(b) The Contract Specialist is the representative of the Contracting Officer for all contractual

matters.

Administrative Contracting Officer (ACO)

(a) Name: DCMA Hampton - Team EVSAA

Juanita Clarke

Address: 2000 Enterprise Parkway, Suite 200

Hampton, VA 23666

Phone: (757) 251-6141

E-mail: [email protected]

(b) The Administrative Contracting Officer (ACO) of the cognizant Defense Contract Management Agency (DCMA)is designated as the authorized representative of the Contracting Officer for purposes of administering this Task Orderin accordance with FAR 42.3. However, in view of the technical nature of the supplies and services to be furnished,technical cognizance is retained by the Naval Surface Warfare Center, Dahlgren Division.

Contracting Officer Representative (COR):

(a) Name:

(1) Primary COR:

Kimberly Bissett

Code: A03

Address: 5443 Bronson Rd, Ste 110, Dahlgren, VA 22448-5100

Phone: 540-653-8320


(2) Secondary COR:

Janet Bohlmann

Code: A40

Address: 18372 Frontage Road, Suite 318, Dahlgren, VA 22448-5160

Phone: (540) 653-7457


(b) The COR is the PCO’s appointed representative for technical matters. The COR is not a contracting officer anddoes not have the authority to direct the accomplishment of effort which is beyond the scope of the Task Order or tootherwise change any Task Order requirements. An informational copy of the COR appointment letter whichprovides a delineation of COR authority and responsibilities is provided as an attachment to this Task Order.

Alternate Contracting Officer Representative (ACOR):

(a) Name: Jeena Brabant

Code: V03

Address:

CONTRACT NO.



24 PAGE

62 of 123 FINAL


Phone: (540) 653-4970


(b) The ACOR is responsible for COR responsibilities and functions in the event that the COR is unavailable dueto leave, illness, or other official business. The ACOR is appointed by the PCO; a copy of the ACOR appointmentis provided as an attachment to this Task Order.

Government Subject Matter Expert (SME)

The Government SME is the COR's subject matter expert (SME) for specific work areas.

G.5 Ddl-G11 CONSENT TO SUBCONTRACT

For subcontracts and consulting agreements for services, where the prime contractor anticipates that hours deliveredwill be counted against the hours in the Level of Effort clause below, Consent to Subcontract authority is retained bythe Procuring Contracting Officer.

The following subcontractors are approved on this order:

*Booz Allen Hamilton

*Cask Technologies

*Cyber Security Engineering Associates (CSEA)

*Cybrex, LLC

*DCS

*Smartronix, Inc.

*System Technology Forum Limited

*N-FOSEC Consulting, LLC

G.6 252.232-7006 WIDE AREA WORKFLOW PAYMENT INSTRUCTIONS (MAY 2013)

(a) Definitions. As used in this clause—

"Department of Defense Activity Address Code (DoDAAC)" is a six position code that uniquely identifies a unit,activity, or organization.

"Document type" means the type of payment request or receiving report available for creation in Wide AreaWorkFlow (WAWF).

"Local processing office (LPO)" is the office responsible for payment certification when payment certification is doneexternal to the entitlement system.

(b) Electronic invoicing. The WAWF system is the method to electronically process vendor payment requests andreceiving reports, as authorized by DFARS 252.232-7003, Electronic Submission of Payment Requests andReceiving Reports.

(c) WAWF access. To access WAWF, the Contractor shall—

(1) Have a designated electronic business point of contact in the System for Award Management athttps://www.acquisition.gov; and

(2) Be registered to use WAWF at https://wawf.eb.mil/ following the step-by-step procedures for self-registrationavailable at this web site.

(d) WAWF training. The Contractor should follow the training instructions of the WAWF Web-Based TrainingCourse and use the Practice Training Site before submitting payment requests through WAWF. Both can be

CONTRACT NO.



24 PAGE

63 of 123 FINAL


accessed by selecting the "Web Based Training" link on the WAWF home page at https://wawf.eb.mil/

(e) WAWF methods of document submission. Document submissions may be via web entry, Electronic DataInterchange, or File Transfer Protocol.

(f) WAWF payment instructions. The Contractor must use the following information when submittingpayment requests and receiving reports in WAWF for this contract/order:

(1) Document type. The Contractor shall use the following document type(s).

Cost Voucher

(2) Inspection/acceptance location. The Contractor shall select the following inspection/acceptance location(s) inWAWF, as specified by the contracting officer.

Destination (N00178)

(3) Document routing. The Contractor shall use the information in the Routing Data Table below only to fill inapplicable fields in WAWF when creating payment requests and receiving reports in the system.

Routing Data Table

Field Name in WAWF Data to be entered in WAWFPay Official DoDAAC HQ0338

Issue by DoDAAC N00178Admin DoDAAC S5111A

Inspect By DoDAAC Not ApplicableShip to Code Not ApplicableShip From Code Not ApplicableMark for Code Not ApplicableService Approver(DoDAAC) N00178

Service Acceptor (DoDAAC) Not ApplicableAccept at Other DoDAAC Not ApplicableLPO DoDAAC Not ApplicableDCAA Auditor DoDAAC HAA47B

Other DoDAAC(s) Not Applicable

(4) Payment request and supporting documentation. The Contractor shall ensure a payment request includesappropriate contract line item and subline item descriptions of the work performed or supplies delivered, unitprice/cost per unit, fee (if applicable), and all relevant back-up documentation, as defined in DFARS Appendix F,(e.g. timesheets) in support of each payment request.

(5) WAWF email notifications. The Contractor shall enter the e-mail address identified below in the "SendAdditional Email Notifications" field of WAWF once a document is submitted in the system.

[email protected]

[email protected]

(g) WAWF point of contact.

(1) The Contractor may obtain clarification regarding invoicing in WAWF from the following contracting activity’sWAWF point of contact: [email protected].

(2) For technical WAWF help, contact the WAWF helpdesk at 866-618-5988.

G.7 HQ G-2-0009 SUPPLEMENTAL INSTRUCTIONS REGARDING INVOICING (NAVSEA) (APR 2015)

CONTRACT NO.



24 PAGE

64 of 123 FINAL

(a) For other than firm fixed priced contract line item numbers (CLINs), the Contractor agrees to segregate costsincurred under this contract/task order (TO), as applicable, at the lowest level of performance, either at the technicalinstruction (TI), sub line item number (SLIN), or contract line item number (CLIN) level, rather than on a totalcontract/TO basis, and to submit invoices reflecting costs incurred at that level. Supporting documentation in WideArea Workflow (WAWF) for invoices shall include summaries of work charged during the period covered as well asoverall cumulative summaries by individual labor categories, rates, and hours (both straight time and overtime)invoiced; as well as, a cost breakdown of other direct costs (ODCs), materials, and travel, by TI, SLIN, or CLINlevel. For other than firm fixed price subcontractors, subcontractors are also required to provide labor categories,rates, and hours (both straight time and overtime) invoiced; as well as, a cost breakdown of ODCs, materials, andtravel invoiced. Supporting documentation may be encrypted before submission to the prime contractor for WAWFinvoice submittal. Subcontractors may email encryption code information directly to the Contracting Officer (CO)and Contracting Officer Representative (COR). Should the subcontractor lack encryption capability, thesubcontractor may also email detailed supporting cost information directly to the CO and COR; or other method asagreed to by the CO.

(b) Contractors submitting payment requests and receiving reports to WAWF using either Electronic DataInterchange (EDI) or Secure File Transfer Protocol (SFTP) shall separately send an email notification to the CORand CO on the same date they submit the invoice in WAWF. No payments shall be due if the contractor does notprovide the COR and CO email notification as required herein.

G.8 EARLY DISMISSAL AND CLOSURE OF GOVERNMENT FACILITIES

When a Government facility is closed and/or early dismissal of Federal employees is directed due to severe weather,security threat, or a facility related problem that prevents personnel from working, onsite Contractor personnelregularly assigned to work at that facility should follow the same reporting and/or departure directions given toGovernment personnel. The Contractor shall not direct charge to the contract for time off, but shall follow parentcompany policies regarding taking leave (administrative or other). Non-essential Contractor personnel, who are notrequired to remain at or report to the facility, shall follow their parent company policy regarding whether they shouldgo/stay home or report to another company facility. Subsequent to an early dismissal and during periods ofinclement weather, on-site Contractors should monitor radio and television announcements before departing for workto determine if the facility is closed or operating on a delayed arrival basis.

When Federal employees are excused from work due to a holiday or a special event (that is unrelated to severeweather, a security threat, or a facility related problem), on-site Contractors will continue working established workhours or take leave in accordance with parent company policy. Those Contractors who take leave shall not directcharge the non-working hours to the task order. Contractors are responsible for predetermining and disclosing theircharging practices for early dismissal, delayed openings, or closings in accordance with the FAR, applicable costaccounting standards, and company policy. Contractors shall follow their disclosed charging practices during thetask order period of performance, and shall not follow any verbal directions to the contrary. The Contracting Officerwill make the determination of cost allowability for time lost due to facility closure in accordance with FAR,applicable Cost Accounting Standards, and the Contractor's established accounting policy.

Accounting Data

SLINID PR Number Amount -------- -------------------------------------------------- ---------------------7001AB

Standard Number: N0002416WX00633-AA Award - Incremental Funding to support WE 003 - Cyber Support for SSDS MK2 in Service Engineering Support. 10 USC 2410a authority is being invoked

LLA : AB 1761106 1A2A 251 67854 067443 2D M95450 6RCAEM5111CH Standard Number: M954516RCAEM51-AA Award - funding in support of Cyber Security WE-009.

CONTRACT NO.



24 PAGE

65 of 123 FINAL

LLA : AC 1761319 T7AC 251 67854 067443 2D C9C890 6RCR6FF7173V

LLA : AD 1761804 8B2B 251 WS010 0 050120 2D 000000 A00003548680

10 USC 2410(a) Authority is invoked.

7001AF 130058432600001 LLA : AE 1761804 8C1C 251 24VCS 0 050120 2D 000000 A00003531149

7001AG 130058433000001 LLA : AF 1761804 8D3D 251 240V0 0 050120 2D 000000 A00003531196

7001AH 130059026100001 LLA : AG 97X4930 NH1E 257 77777 0 050120 2F 000000 A00003569895

7001AJ 130058976900001 LLA : AH 1761319 A5XB 251 WS010 0 050120 2D 000000 A00003567727

7001AK 130058982300001 LLA : AJ 1761319 A4EC 251 WS060 0 050120 2D 000000 A00003567655

7001AL 130058672600001 LLA : AK 1761319 A5XB 251 WS010 0 050120 2D 000000 A00003548350

7001AM 130058976800001 LLA : AL 1761804 8B2B 251 WS010 0 050120 2D 000000 A00003567520

7001AN 130058458300001

CONTRACT NO.



24 PAGE

66 of 123 FINAL

LLA : AM 1761804 8C1C 251 24VCS 0 050120 2D 000000 A00003533071

7001AP 130058672300001 LLA : AQ 1731611 1224 251 SH400 0 050120 2D 000000 A00003548281

7001AQ 130058427700003 LLA : AP 1761319 64PF 251 CV378 0 050120 2D 000000 A00003530833

7001AR 130058994200001 LLA : AN 1761804 8B2B 251 WS010 0 050120 2D 000000 A00003568186

9001AC 130058750600002 LLA : AB 1761106 1A2A 251 67854 067443 2D M95450 6RCAEM5111CH

9001AD 130058595100001 LLA : AC 1761319 T7AC 251 67854 067443 2D C9C890 6RCR6FF7173V

9001AF 130058432600002 LLA : AE 1761804 8C1C 251 24VCS 0 050120 2D 000000 A00003531149

9001AG 130058433000002 LLA : AF 1761804 8D3D 251 240V0 0 050120 2D 000000 A00003531196

9001AN 130058458300002 LLA : AM 1761804 8C1C 251 24VCS 0 050120 2D 000000 A00003533071

9001AQ 130058427700004 LLA : AP 1761319 64PF 251 CV378 0 050120 2D 000000 A00003530833

MOD 01

7001AS 130059220900001 LLA : AR 1761804 8B2B 251 WS010 0 050120 2D 000000 A00003581315

CONTRACT NO.



24 PAGE

67 of 123 FINAL

7001AT 130058977000001 LLA : AS 1761319 A5XB 251 WS010 0 050120 2D 000000 A00003567889

7001AU 130058673300001 LLA : AT 1761319 A5DR 251 WS020 0 050120 2D 000000 A00003548534

MOD 02

7001AV 130059497100001

7001AW 130059235100001 LLA : AV 1761804 8C1C 251 24VCS 0 050120 2D 000000 A00003582174

7001AX 130059351800003 LLA : AW 1761804 8D3D 251 240V0 0 050120 2D 000000 A10003589338

7001AY 130059229300001 LLA : AX 1761804 8C1C 251 24VCS 0 050120 2D 000000 A00003581800

7001AZ 130059273500002 LLA : AY 1751319 64PF 251 CV378 0 050120 2D 000000 A10003584691

7001BA 130059641300001

7001BB 130059581600001 LLA : BA 1761804 8B5B 251 24VCS 0 050120 2D 000000 A00003605319

7001BC 130059662900001 LLA : BB 97X4930 NH1E 251 77777 0 050120 2F 000000 A00003611590

9001AW 130059235100002 LLA : AV 1761804 8C1C 251 24VCS 0 050120 2D 000000 A00003582174

CONTRACT NO.



24 PAGE

68 of 123 FINAL

10 USC 2410(A) AUTHORITY IS INVOKED.

9001AX 130059351800004 LLA : AW 1761804 8D3D 251 240V0 0 050120 2D 000000 A10003589338

9001AY 130059229300002 LLA : AX 1761804 8C1C 251 24VCS 0 050120 2D 000000 A00003581800

MOD 03

7001AH 130059026100001 LLA : AG 97X4930 NH1E 257 77777 0 050120 2F 000000 A00003569895

7001AS 130059220900001 LLA : AR 1761804 8B2B 251 WS010 0 050120 2D 000000 A00003581315

7001BD 130059008600001 LLA : BC 1761804 8B2B 251 WS010 0 050120 2D 000000 A00003569211

7001BE 130059351100001 LLA : BD 1761804 8D3D 251 240V0 0 050120 2D 000000 A00003589276

7001BF 130059220300001 LLA : BE 1731611 1224 251 SH400 0 050120 2D 000000 A00003581242

7001BG 130059220900001 LLA : AR 1761804 8B2B 251 WS010 0 050120 2D 000000 A00003581315

7001BH 130059220900001 LLA : AR 1761804 8B2B 251 WS010 0 050120 2D 000000 A00003581315

7001BJ 130059220900001 LLA : AR 1761804 8B2B 251 WS010 0 050120 2D 000000 A00003581315

7001BK 130059220900001

CONTRACT NO.



24 PAGE

69 of 123 FINAL

LLA : AR 1761804 8B2B 251 WS010 0 050120 2D 000000 A00003581315

7001BL 130059220900001 LLA : AR 1761804 8B2B 251 WS010 0 050120 2D 000000 A00003581315

7001BN 130060034400001 LLA : BN 1751611 C281 251 24VCS 0 050120 2D 000000 A00003638496

7001BP 130060034400002 LLA : BN 1751611 C281 251 24VCS 0 050120 2D 000000 A10003638496

MOD 04

7001BQ 130060114300001 LLA : BP 1761319 A5XZ 251 WS100 0 050120 2D 000000 A00003644451 Mod 03- Incremental Funding in support of WE 026

9001AZ 130060007500001 LLA : BM 97X4930 NH1E 251 77777 0 050120 2F 000000 A00003637530 Mod 04 - Incremental funding in support of WE 018

9001BN 130060034400003 LLA : BN 1751611 C281 251 24VCS 0 050120 2D 000000 A10003638496 Mod 04 - Incremental Funding for WE 005

MOD 05

7001BQ 130060114300001 LLA : BP 1761319 A5XZ 251 WS100 0 050120 2D 000000 A00003644451

7001BR 130058994700001 LLA : BQ 1711611 1224 251 SH400 0 050120 2D 000000 A00003568238

7001BS 130060390400001 LLA : BR 97X4930 NH1E 254 77777 0 050120 2F 000000 A00003673612

9001BQ 130060114300001 LLA : BP 1761319 A5XZ 251 WS100 0 050120 2D 000000 A00003644451

CONTRACT NO.



24 PAGE

70 of 123 FINAL

MOD 06

7001BT 130060695100001 LLA : BS 1731611 1227 251 SH500 0 050120 2D 000000 A00003700699

7001BU 130058663300001 LLA : BT 1761810 84TE 251 VUS00 0 050120 2D 000000 A00003547994

7001BV 130060566800001 LLA : BU 1761810 A4UU 253 WS030 0 050120 2D 000000 A00003691892 Mod 06- Incremental Funding to support WE-022

7001BW 130060647800001 LLA : BV 97X4930 NH1E 251 77777 0 050120 2F 000000 A00003697570

9001BT 130060695100001 LLA : BS 1731611 1227 251 SH500 0 050120 2D 000000 A00003700699 Mod 06- Incremental Funding in support of 7001BT

9001BW 130060647800002 LLA : BV 97X4930 NH1E 251 77777 0 050120 2F 000000 A10003697570

MOD 07

7001BX 130060951300001 LLA : BW 97X4930 NH1E 251 77777 0 050120 2F 000000 A00003721984 Mod 07- Incremental Funding in support of WE 200.

7001BY 130060833800003 LLA : BX 1771319 64PF 251 CV378 0 050120 2D 000000 A00003713348 Mod 07- Incremental Funding in support of WE 004

9001BY 130060833800004 LLA : BX 1771319 64PF 251 CV378 0 050120 2D 000000 A00003713348 Mod 07- Incremental Funding in support of SLIN 7001By

MOD 08

7001BZ 130061232400001 LLA : BY 97X4930 NH1E 255 77777 0 050120 2F 000000 A00003744290 Mod 08- Incremental Funding to support WE-200

7001CA 130061232600001 LLA : BZ 97X4930 NH1E 255 77777 0 050120 2F 000000 A00003744403

CONTRACT NO.



24 PAGE

71 of 123 FINAL

7001CB 130061145900001 LLA : CA 1761810 84TE 251 VUS00 0 050120 2D 000000 A00003738146

7001CC 130061275700001 LLA : CB 97X4930 NH1E 255 77777 0 050120 2F 000000 A00003746907

7001CD 130061275800001 LLA : CC 97X4930 NH1E 255 77777 0 050120 2F 000000 A00003746911

7001CE 130061275900001 LLA : CD 97X4930 NH1E 255 77777 0 050120 2F 000000 A00003747139

7001CF 130061300200001 LLA : CE 97X4930 NH1E 255 77777 0 050120 2F 000000 A00003748995

7001CG 130061311500001 LLA : CF 97X4930 NH1E 255 77777 0 050120 2F 000000 A00003750673

MOD 09

7001CH 130061340200001 LLA : CG 1721611 1317 251 SH317 0 050120 2D 000000 A00003752545

7001CJ 130061275500001 LLA : CH 1731611 1224 251 SH400 0 050120 2D 000000 A00003746721

MOD 10

7001CK 130061536100001 LLA : CJ 1771611 1227 251 SH500 0 050120 2D 000000 A00003766898

7001CL 130061583100001 LLA : CK 1771319 T7AC 251 67854 067443 2D C9C890 7RCR7AV2173V

7001CM 130061275300001 LLA : CL 1731611 1224 251 SH400 0 050120 2D 000000 A00003746718

CONTRACT NO.



24 PAGE

72 of 123 FINAL

9001CK 130061536100001 LLA : CJ 1771611 1227 251 SH500 0 050120 2D 000000 A00003766898

MOD 11

7001BY 130060833800005 LLA : BX 1771319 64PF 251 CV378 0 050120 2D 000000 A00003713348


7001CN 130062040700001 LLA : CM 1771804 8B5B 251 CV312 0 050120 2D 000000 A00003808525

7001CP 130061996700001 LLA : CN 97X4930 NH1K 253 77777 0 050120 2F 000000 A00003805244

7001CQ 130061996800001 LLA : CP 97X4930 NH1K 253 77777 0 050120 2F 000000 A00003805245

7001CR 130061959500001 LLA : CQ 1771319 A5XB 251 WS010 0 050120 2D 000000 A00003802698

7001CS 130061989100001 LLA : CR 1771804 8B2B 251 WS010 0 050120 2D 000000 A00003804311

7001CT 130062080900001 LLA : CS 1771319 M7KC 251 67854 067443 2D C22740 7RCR7AG3113M

MOD 12

7001CU 130062378600001 LLA :

CONTRACT NO.



24 PAGE

73 of 123 FINAL

CT 97X4930 NH1E 255 77777 0 050120 2F 000000 A00003833482

9001CV 130062354000001 LLA : CU 97X4930 NH1E 253 77777 0 050120 2F 000000 A00003833069

MOD 13

7001CV 130062057500001 LLA : CV 1761611 C281 251 24VCS 0 050120 2D 000000 A00003809402

7001CX 130062498500001 LLA : CW 97X4930 NH1E 251 77777 0 050120 2F 000000 A00003845295

7001CY 130062510100001 LLA : CX 1771106 1A2A 257 67854 067443 2D M95450 7RCCU54917QM

7001CZ 130062500000001 LLA : CY 1771106 1A2A 251 67854 067443 2D M95450 7RCDXA0517LY

9001CW 130062057500001 LLA : CV 1761611 C281 251 24VCS 0 050120 2D 000000 A00003809402

9001CX 130062498500002 LLA : CW 97X4930 NH1E 251 77777 0 050120 2F 000000 A00003845295

9001CY 130062510100001 LLA : CX 1771106 1A2A 257 67854 067443 2D M95450 7RCCU54917QM

9001CZ 130062500000001 LLA : CY 1771106 1A2A 251 67854 067443 2D M95450 7RCDXA0517LY

MOD 14


7001DA 130062060200001 LLA : CZ 1761611 C281 251 24VCS 0 050120 2D 000000 A00003809544

7001DB 130062060200002 LLA : DA 1761611 C281 251 24VCS 0 050120 2D 000000 A10003809544

7001DC 130061919000001

CONTRACT NO.



24 PAGE

74 of 123 FINAL

LLA : DB 1771319 A501 251 WS010 0 050120 2D 000000 A00003800794

7001DD 130061964900001 LLA : DC 1771319 A501 251 WS010 0 050120 2D 000000 A00003802587

7001DE 130062270200001 LLA : DD 97X4930 NH1E 255 77777 0 050120 2F 000000 A00003825569

7001DF 130062340000001 LLA : DE 97X4930 NH1E 257 77777 0 050120 2F 000000 A00003830854

7001DG 130062211600001 LLA : DF 1761611 C281 251 24VCS 0 050120 2D 000000 A00003821020

7001DH 130062368700001 LLA : DG 97X4930 NH1E 257 77777 0 050120 2F 000000 A00003833130

9001DG 130062211600001 LLA : DF 1761611 C281 251 24VCS 0 050120 2D 000000 A00003821020

MOD 15

7001DJ 130062866900001 LLA : DH 97X4930 NH1E 257 77777 0 050120 2F 000000 A00003880535

7001DK 130062835400001 LLA : DJ 97X4930 NH1E 257 77777 0 050120 2F 000000 A00003877795

7001DL 130062630700001 LLA : DK 97X4930 NH1E 251 77777 0 050120 2F 000000 A00003859426

7001DM 130062817200001 LLA : DL 97X4930 NH1E 257 77777 0 050120 2F 000000 A00003875735

7001DN 130062742800001

CONTRACT NO.



24 PAGE

75 of 123 FINAL

LLA : DM 97X4930 NH1E 251 77777 0 050120 2F 000000 A00003868642

7001DP 130062696000001 LLA : DN 97X4930 NH1E 255 77777 0 050120 2F 000000 A00003864614

7001DQ 130062712500001 LLA : DP 97X4930 NH1E 257 77777 0 050120 2F 000000 A00003866143

7001DR 130062810900001 LLA : DQ 97X4930 NH1E 255 77777 0 050120 2F 000000 A00003875305

7001DS 130062745300001

7001DT 130063026800001 LLA : DS 1771106 1A2A 251 67854 067443 2D M95450 7RCA5B2211PR

9001DL 130062630700002 LLA : DK 97X4930 NH1E 251 77777 0 050120 2F 000000 A00003859426

9001DM 130062817200001 LLA : DL 97X4930 NH1E 257 77777 0 050120 2F 000000 A00003875735

MOD 16

7001CN 130062040700002 LLA : CM 1771804 8B5B 251 CV312 0 050120 2D 000000 A00003808525

7001DU 130062709000001 LLA : DT 97X4930 NH1E 255 77777 0 050120 2F 000000 A00003865825

7001DV 130063244000001 LLA : DU 97X4930 NH1E 251 77777 0 050120 2F 000000 A00003910329

CONTRACT NO.



24 PAGE

76 of 123 FINAL

7001DW 130062869200001 LLA : DV 1761810 84TE 257 VUS00 0 050120 2D 000000 A00003880760

7001DX 130062869400001 LLA : DW 1771611 1227 257 SH500 0 050120 2D 000000 A00003880829

MOD 17

7001DY 130063580400001 LLA : DX 1771106 1A2A 257 67854 067443 2D M95450 7RCDY68117LY

7001DZ 130063580500001 LLA : DY 1771319 T7AE 255 67854 067443 2D C33730 7RCR7CE8175G

7001EA 130063402200001 LLA : DZ 1771804 8C2C 257 WS100 0 050120 2D 000000 A00003921049

7001EB 130063373300001 LLA : EA 1771507 A4E5 251 WS030 0 050120 2D 000000 A00003917990


MOD 18

7001EC 130063519800001 LLA : EB 1771611 1227 251 SH500 0 050120 2D 000000 A00003931256

7001ED 130063578600001 LLA : EC 1771319 C4FD 251 24VCS 0 050120 2D 000000 A00003936124

CONTRACT NO.



24 PAGE

77 of 123 FINAL

FED: 9/30/2018

7001EE 130063686200001 LLA : ED 1771804 8D3D 251 240V0 0 050120 2D 000000 A00003943993

7001EF 130063738600001 LLA : EE 1771319 A5XZ 251 WS100 0 050120 2D 000000 A00003948443

MOD 19

7001AR 130058994200001 LLA : AN 1761804 8B2B 251 WS010 0 050120 2D 000000 A00003568186

7001BJ 130059220900001 LLA : AR 1761804 8B2B 251 WS010 0 050120 2D 000000 A00003581315

7001BK 130059220900001 LLA : AR 1761804 8B2B 251 WS010 0 050120 2D 000000 A00003581315

7001DP 130062696000001 LLA : DN 97X4930 NH1E 255 77777 0 050120 2F 000000 A00003864614

9001AG 130058433000002 LLA : AF 1761804 8D3D 251 240V0 0 050120 2D 000000 A00003531196

9001AQ 130058427700004 LLA : AP 1761319 64PF 251 CV378 0 050120 2D 000000 A00003530833

9001AX 130059351800004 LLA : AW 1761804 8D3D 251 240V0 0 050120 2D 000000 A10003589338

9001BN 130060034400003 LLA : BN 1751611 C281 251 24VCS 0 050120 2D 000000 A10003638496

9001BY 130060833800004 LLA : BX 1771319 64PF 251 CV378 0 050120 2D 000000 A00003713348

CONTRACT NO.



24 PAGE

78 of 123 FINAL

9001CX 130062498500002 LLA : CW 97X4930 NH1E 251 77777 0 050120 2F 000000 A00003845295


9001DZ 130063855600001 LLA : DY 1771319 T7AE 255 67854 067443 2D C33730 7RCR7CE8175G

MOD 20

7001EG 130063817400001 LLA : EF 1761810 81CC 251 VU021 0 050120 2D 000000 A00003954730

9001DL 130062630700002 LLA : DK 97X4930 NH1E 251 77777 0 050120 2F 000000 A00003859426

MOD 21

7001BL 130059220900001 LLA : AR 1761804 8B2B 251 WS010 0 050120 2D 000000 A00003581315

7001EH 130064212800001 LLA : EG 97X4930 NH1E 257 77777 0 050120 2F 000000 A00003986527

7001EJ 130064212800001 LLA : EG 97X4930 NH1E 257 77777 0 050120 2F 000000 A00003986527

7001EK 130064208000001 LLA : EH 1771804 8C1C 251 24VCS 0 050120 2D 000000 A00003986265

7001EL 130064324100001 LLA :

CONTRACT NO.



24 PAGE

79 of 123 FINAL

EJ 1721611 1224 251 SH400 0 050120 2D 000000 A00003994927

MOD 22

7001EM 130064475400001 LLA : EK 1761810 A4UU 251 WS030 0 050120 2D 000000 A00004006264

MOD 23

7001EN 130064985400001 LLA : EL 1771804 8C2C 257 WS100 0 050120 2D 000000 A00004041807

7001EP 130064753200001 LLA : EM 97X4930 NH1E 257 77777 0 050120 2F 000000 A00004025546

MOD 24


7001EQ 130065417900001 LLA : EN 1771106 1A2A 251 67854 067443 2D M95450 7RCDXE2017LY

CONTRACT NO.



24 PAGE

80 of 123 FINAL

donald.galbraith

Highlight

SECTION H SPECIAL CONTRACT REQUIREMENTS

H.1 TASK ORDER LABOR CATEGORY QUALIFICATIONS

Ddl-H14 KEY PERSONNEL – DESIRED QUALIFICATIONS

To perform the requirements of the Statement of Work (SOW), the Government desires personnel with theappropriate experience and professional qualifications. Key Personnel qualification levels are considered to bedesired for those individuals whose resumes are submitted for evaluation with the proposal. Resumes for anyreplacement personnel that are submitted following award shall be equal to or better than the individuals initiallyproposed as required by the clause 5252.237-9106, SUBSTITUTION OF PERSONNEL (SEP 1990), incorporatedunder Section H. Following award, the qualification levels are considered to be minimums for any growth beyondthose individuals initially proposed or in labor categories where no resumes were required for proposal purposes.The applicable labor categories and associated qualifications are listed in Sections H.1 and H.2.

In addition to the specific experience listed below, general experience in information assurance, computer systemcertification and accreditation, information system vulnerability management, information security and securityengineering, information system architecture development, cybersecurity engineering and cybersecurity research anddevelopment apply to the accomplishment of the technical objectives of the SOW will be favorably considered(although it may not be used to meet the minimum requirements), as will experience utilizing automated systems,including personal computers/workstations and basic software applications such as word processors, spreadsheets,graphics/presentation packages, databases, and e-mail. Importantly, substitution of relevant academic degree(s) forqualifying experience may be considered on a case-by-case basis.

(a) Experience – The desired experience for each Key Labor Category must be directly related to the tasks andprograms listed in the SOW. Key labor categories are listed by title. Additionally, qualifications for certain Keylabor categories cite requirements for general tactical experience and/or Aegis-specific experience, as described below:

(1) Cybersecurity and Information Assurance Experience – General Cybersecurity experience refers to prior experiencein any of the following: information assurance, computer system certification and accreditation, information systemvulnerability management, information security and security engineering, information system architecturedevelopment, cybersecurity engineering and cybersecurity research and development.

(2) Specific Experience – Specific experience is defined as those experiences defined in the SOW and specifically inthe labor category descriptions below.

(b) Professional Development - Professional development includes honors, degrees, publications, professionallicenses and certifications and similar evidence of professional accomplishments that directly impact the offerorsability to perform the order. The years of experience listed below are in addition to appropriate professionaldevelopment. It is incumbent upon the offer or to demonstrate that the proposed personnel have appropriatecredentials to perform the work.

(c) Accumulation of Qualifying Experience -All categories of experience may be accumulated concurrently. Forexample, if the candidate worked while going to school, the work and education time may be credited concurrently.One exception is in the area of specific experience and general combat system experience. Specific experience maycount as general cybersecurity experience, but general cybersecurity experience may not count as specificexperience. All experience must be clearly supported by the resume or it will be discounted during the evaluation.Non-Key Personnel are the non-resumed personnel proposed to provide hours on this requirement. Post Award:Based on the Key Labor Category Desired Qualifications listed below and the SOW, the contractor will elect andmanage the workforce supporting this contract. While government approval is required only for the Resumed KeyPersonnel, the entire workforce will be evaluated based on the contractor’s performance of the SOW in accordancewith the QASP.

* Note: See Mandatory Requirements for Certifications needed for Key and Non-Key Personnel.

H.2 KEY LABOR CATEGORY DESIRED QUALIFICATIONS

Program Manager:

CONTRACT NO.



24 PAGE

81 of 123 FINAL

(a) Five years’ experience in Program Management (PM) in DoD systems and five years of leadership experienceand responsibility in DoD contract management, to include management of a major technical support contract (Navypreferred) and a thorough knowledge of the Navy’s contractual process.

(b) Experience demonstrating a thorough understanding of the Cybersecurity mission, engineering and researchand development, as well as experience with management of a major technical information support contract (Navypreferred).

(c) Experience in understanding of computer security, DoD IA policies and the ability to communicate clearly andsuccinctly in written and oral presentations.

(d) Possesses the ability to manage a technical team, develop cost estimates and schedules, prepare status reportsand prepare budget reports.

(e) Understanding of acquisition and logistics support, and change control.

(f) Experience working with customers to identify and coordinate new cybersecurity and Information Technology(IT) system and developments and/or enhancements.

(g) Identify cybersecurity design alternatives, researches existing cybersecurity systems in the marketplace andrecommends viable cybersecurity solutions.

(h) Maintain effective communication and working relationships with customers and project team members.

(i) Identify, track, monitor and communicate project-related issues, scope changes, variances and contingenciesthat may arise during the implementation and maintenance of cybersecurity projects.

(j) Experience in managing subcontractors (if subcontracting is proposed).

Senior Security Systems Engineer:

(a) 5 years’ experience in engineering and securing DoD systems and be certified as IAM Level II or Level III perDoD 8570.01, or successor.

(b) When performing as an Information Assurance Office or Information Systems Security Officer, an IAM Level IIor Level III certification per DoD 8570.01, or successor, must be held and maintained. If performing as a PrivilegedUser (Individuals who have access to system control, monitoring, or administration functions (e.g., systemadministrator, IAO/ISSO, system programmers, etc.)) a final adjudicated Single Scope Background Investigation(SSBI) with an IT level-1 designation in JPAS must be achieved and maintained.

(c) At least two (2) Senior Security Systems Engineer shall have a Top Secret Security Clearances; and at least one(1) Senior Security Systems Engineer shall be SCI eligible. (See Mandatory Requirements C.12.0);

(d) Fully Qualified Navy Validator. (See Mandatory Requirements C.12.0)

(e) At least two Senior Security Systems Engineers shall be a Fully Qualified Marine Corps Validator. (SeeMandatory Requirements C.12.0)

(f) Possess an in-depth understanding of computer security, military system specifications, DoD IA policies, and theability to communicate clearly and succinctly in written and oral presentations.

(g) Experience executing all aspects of the Systems Engineering Technical Review (SETR) Process.

(h) Possess an in-depth understanding and experience in DoD Information Assurance Certification and AccreditationProcess (DIACAP), Platform IT (PIT), and the implementation of Cyber Security and IA boundary defensetechniques and various IA-enabled appliances. Examples of these appliances and applications are Firewalls, IDS,IPS, Switch/Routers, Cross Domain Solutions (CDS) and Host Based Security Systems (HBSS).

CONTRACT NO.



24 PAGE

82 of 123 FINAL

(i) Possess the ability to:

1. Author DoD IA Certification and Accreditation (C&A) artifacts.

2. Document a system from an IA perspective using Microsoft Office including MS Word, MS Excel, MSVisio and other appropriate tools.

3. Derive, document and/or identify system CONOPS for Mission Assurance Categorization per DoDI8500.2.

4. Lead the research, recommend and document logical and physical solutions that prevent, detect and correctthe system to be certified and accredited.

5. Research and apply DISA Security Technical Implementation Guides (STIGs) and NSA recommendations.

6. Lead the identification of disagreements between as built specifications, security requirements and DoDsecurity policies and design implementations to bring the system into compliance.

7. Plan, Develop, execute and document results of security test procedures.

8. Lead the analysis and testing of a designated US Naval warfare system against known vulnerabilities basedupon security approaches and known hacker techniques and exploits.

9. Lead and perform as Information Assurance Officer to be focal point for all security matters related to specificsets of information systems.

10. Lead the preparation and execution an Information Assurance Vulnerability Management (IAVM) Plan.

11. Lead the preparation and production of a System Security Administrator and Operators Manual(SSAOM).

12. Lead obtaining Authorization To Operate (ATO) and resolve issues in the event a US Naval warfaresystem is issued an Interim Authorization To Operate (IATO).

13. Lead the technical support effort in identifying and specifying requirements and performing riskassessments.

Senior Cybersecurity Engineer

(a) Five (5) years’ experience in cybersecurity requirements development, cyber threat analysis, cyber systemsengineering, cyber systems architecture development or cybersecurity policy development experience.

(b) Five (5) years’ experience working with Navy combat systems such as AEGIS, Ship Self Defense System,Cooperative Engagement Capability, Ground/Air Task Oriented Radar, Solid State Laser, Railgun or other combatsystems.

(c) Minimum certification as IAT Level II per DoD 8570.01, or successor. If performing as a Privileged User(Individuals who have access to system control, monitoring, or administration functions (e.g., system administrator,IAO/ISSO, system programmers, etc.)) a final adjudicated Single Scope Background Investigation (SSBI) with anIT level-1 designation in JPAS must be achieved and maintained. (See Mandatory Requirements C.12.0)

(d) Possess an understanding of cybersecurity, military system specifications, DoD IA policies and the ability tocommunicate clearly and succinctly in written and oral presentations.

(e) Possess the ability to:

1. Develop cybersecurity requirements, policy standards, best practices, guidance and procedures forcombat systems.

2. Conduct cybersecurity related research, analysis and coordination activities in support of DOD cyber

CONTRACT NO.



24 PAGE

83 of 123 FINAL

https://marinecorpsconceptsandprograms.com/programs/aviation/antps-80-groundair-task-oriented-radar-gator

assurance and policy efforts are multiple classification levels.

3. Lead working groups to develop cybersecurity strategies to meet emerging threats.

4. Perform analysis of cybersecurity, intelligence and information technology policy gaps for combatsystems.

5. Perform cybersecurity system engineering design, analysis and documentation of combat systems.

6. Develop cybersecurity risk assessment analysis and risk mitigation plans for combat systems.

7. Develop documentation of cybersecurity requirements, gap analysis, threat analysis, systemengineering, risk assessment and mitigation for combat systems.

H.3 NON-KEY PERSONNEL – MINIMUM REQUIRED QUALIFICATIONS

In order to provide additional clarification to the Statement of Work, minimum qualifications are provided fornon-key personnel. The contractor shall provide non-key personnel who meet or exceed the minimum qualificationsprovided below. Prior to charging non-key personnel labor to this order, the contractor shall provide writtencertification stating the individual's name, labor category, and certification that the individual meets or exceeds theminimum qualifications of the labor category. This written certification shall be made by email to the ContractSpecialist and the COR.

Security Engineer

(a) 5 years’ experience in analyzing and securing DoD or Information Technology systems for compliance withspecifications, requirements and policies.

(b) Certified as IAT Level II or Level III per DoD 8570.01, or successor. When performing as an InformationAssurance Officer or Information System Security Officer, an IAM Level II certification per DoD 8570.01, orsuccessor, must be held and maintained.

(c) If performing as a Privileged User (Individuals who have access to system control, monitoring, oradministration functions (e.g., system administrator, IAO/ISSO, system programmers, etc.)) a final adjudicatedSingle Scope Background Investigation (SSBI) with an IT level-1 designation in JPAS must be achieved andmaintained.

(d) Two (2) Intermediate Navy Validator. (see Mandatory Requirement C.12.0)

(e) Understanding of computer security, military system specifications, DoD IA policies and the ability tocommunicate clearly and succinctly in written and oral presentations.

(f) Two (2) Security Engineer shall have Top Secret Clearances.

(g) Possess the ability to:

1. Author DoD IA Certification and Accreditation artifacts.

2. Document a system from an IA perspective using Microsoft Office including MS Word, MS Excel and MSVisio and other appropriate tools.


4. Research and recommend logical and physical solutions that prevent, detect and correct the system to becertified and accredited.

5. Apply DISA Security Technical Implementation Guides (STIGs) and NSA recommendations.

6. Identify disagreements between as built specifications, security requirements and DoD security policies andrecommend approaches to bring the system into compliance.

CONTRACT NO.



24 PAGE

84 of 123 FINAL

7. Author and revise system requirements and specifications to meet DoD security policies.

8. Perform vulnerability tests as Red Team and Blue Team using manual techniques, Assured ComplianceAssessment Solution (ACAS) and other similar and appropriate IA and security tools.

9. Plan, execute and document risk assessments against known vulnerabilities based upon security approachesand known hacker techniques and exploits.

10. Identify and perform security analysis of connectivity relationships between the subject US Naval warfaresystem and the equipment to which it interfaces, both physically and virtually.

11. Lead and perform as Information Assurance Officer to be focal point for all security matters related tospecific sets of information systems.

12. Define an Information Assurance Vulnerability Management (IAVM) Plan.

13. Plan, execute and document results of security tests.

Security Software Engineer

(a) Five ( 5) years’ experience in software engineering applied to program development; modeling and simulationapplied to DoD or Information Technology systems.

(b) Minimum certification as IAT Level II per DoD 8570.01, or successor.

(c) Minimum certification as penetration tester and possess one of the following certificates: Global InformationAssurance Certification (GIAC) Penetration Tester (GPEN), Offensive Security Certified Professional (OSCP),License Penetration Tester (LPT) and Certified Penetration Tester (CPT). (See Mandatory Requirements C.12.0)

(d) At least two of the SSE shall possess one of the following certificates: GIAC Exploit Researcher andAdvanced Penetration Tester (GXPN), Offensive Security Certified Expert (OFCE), Certified Expert PenetrationTester (CEPT), Offensive Security Exploitation Expert (OSEE).

(e) If performing as a Privileged User (Individuals who have access to system control, monitoring, oradministration functions (e.g., system administrator, IAO/ISSO, system programmers, etc.)) a final adjudicatedSingle Scope Background Investigation (SSBI) with an IT level-1 designation in JPAS must be achieved andmaintained.

(f) Understanding of computer security, military system specifications, DoD IA policies and the ability tocommunicate clearly and succinctly in written and oral presentations.

(g) Possess the ability to:


2. Debug and reverse engineer software.

3. Analyze Windows Events and Linux syslog’s, boot logs and dmesg logs

4. Program and debug Web 2.0, Java, Perl, Ada, C++, Tool Command Language (tcl/tk) scripts andgraphical user interfaces (GUIs) using Microsoft Visual tcl and Rational ClearCase for software configurationmanagement.

5. Recommend software modifications to systems to mitigate known vulnerabilities.

6. Operate and administrate computer systems running HP-UX, UNIX, Solaris, Linux and MicrosoftWindows.

7. Identify security flaws in compiled and human readable source code.

8. Understand code utilizing real-time VxWorks and Lynx OS operating systems, Common Object Resource

CONTRACT NO.



24 PAGE

85 of 123 FINAL

Broker Architecture (CORBA), firewalls and networking protocols.

9. Understand how to implement NSA approved encryption technologies and devices.

10. Apply DISA Security Technical Implementation Guides (STIGs).

11. Apply virtual hosting and server technology in system architectures.

12. Understand and apply the concept of deceptive technology such as honey pots in system architectures.

13. Participate in Code Reviews.

14. Perform Static Source Code Analysis.

15. Author recommendations for improving software and code design.

16. Contribute to a System Security Administrator and Operators Manual (SSAOM)

Junior Security Systems Engineer

(a) Three (3) years’ experience in engineering and securing DoD or Information Technology systems. The JSSEshall be certified as IAM Level II or IAT Level II per DoD 8570.01, or successor. If performing as a PrivilegedUser (Individuals who have access to system control, monitoring, or administration functions (e.g., systemadministrator, IAO/ISSO, system programmers, etc.)) a final adjudicated Single Scope Background Investigation(SSBI) with an IT level-1 designation in JPAS must be achieved and maintained.

(b) Possesses an understanding of computer security, military system specifications, DoD IA policies, DIACAP,PIT and the ability to communicate clearly and succinctly in written and oral presentations.

(c) The JSSE shall have an understanding and Experience with Cyber Security and IA boundary defensetechniques and various IA-enabled appliances. Examples of these appliances and applications are Firewalls, IDS,IPS, Switch/Routers, Cross Domain Solutions (CDS) and Host Based Security Systems (HBSS). The individualshould have an understanding of the SETR Process.

(d) Possess the ability to:

1. Assist in the authoring of DoD IA Certification and Accreditation artifacts.



4. Research and recommend logical and physical solutions that prevent, detect and correct the system to becertified and accredited.

5. Research and apply DISA Security Technical Implementation Guides (STIGs) and NSA recommendations.

6. Assist in the identifying disagreements between as built specifications, security requirements and DoDsecurity policies and design implementations to bring the system into compliance.

7. Develop, execute and document results of security test procedures.

8. Assist in the analysis and testing a designated US Naval warfare system against known vulnerabilitiesbased upon security approaches and known hacker techniques and exploits.

9. Assist in the creation and execution of an Information Assurance Vulnerability Management (IAVM) Plan.

10. Assist in the preparation and production of a System Security Administrator and Operators Manual(SSAOM).

CONTRACT NO.



24 PAGE

86 of 123 FINAL

11. Assist in preparations for obtaining Authority To Operate (ATO) and resolve issues in the event a USNaval warfare system is issued an Interim Authority To Operate (IATO).

12. In addition, provide technical support in identifying and specifying requirements and performing riskassessments.

Security Network Engineer

(a) Three ( 3) years’ experience in network engineering applied to program development, modeling and/orsimulation applied to DOD or Information Technology systems.

(b) The SNE must have a Minimum certification as IAT Level II per DoD 8570.01, or successor. The SNE shallpossess an understanding of computer security, military system specifications, DOD IA policies and the ability tocommunicate clearly and succinctly in written and oral presentations.

(c) Possesses the ability to:

1. Apply the TCP/IP protocols including multicast, UDP and TCP.

2. Implement a Demilitarized Zone (DMZ).

3. Apply and configure firewalls and switches to system architectures to define and protect enclaves.

4. Analyze Windows Events and Linux syslogs, boot logs and dmesg logs.

5. Recommend network modifications to systems to mitigate known vulnerabilities.

6. Operate and administrate computer systems running HP-UX, UNIX, Solaris, Linux and MicrosoftWindows.

7. Understand how to implement NSA approved encryption technologies, Virtual Private Networks (VPNs)and resolve Cross Domain issues.

8. Apply DISA Security Technical Implementation Guides (STIGs).

9. Apply virtual hosting and server technology in system architectures.

10. Understand and apply the concept of deceptive technology such as honeypots in system architectures.

11. Participate in Design Reviews.

12. Author recommendations for improving network and code design.

13. Contribute to a System Security Administrator and Operators Manual (SSAOM).

Technical Writer/Editor

(a) Five ( 5) years’ experience in technical writing and authoring presentations.

(b) Ability to communicate clearly and succinctly in written and oral presentations.

(c) Possess the ability to:

1. Author and edit documents in Microsoft Word including the ability to format and number.

2. Contribute to the SSAOM as a proofreader and an editor.

3. Contribute to the authoring of IA artifacts.

4. Author presentations in Microsoft Power Point including the ability to design content including clip art;format images, tables, outlines, styles, themes; embed objects including video and spreadsheets; and animatepresentation graphics.

CONTRACT NO.



24 PAGE

87 of 123 FINAL

5. Knowledge Engineering to make complex concepts understandable.

H .4 5252.237-9106 SUBSTITUTION OF PERSONNEL (Sep 1990)

(a) The Contractor agrees that a partial basis for award of this contract is the list of key personnel proposed.Accordingly, the Contractor agrees to assign to this contract those key persons whose resumes were submitted withthe proposal necessary to fulfill the requirements of the contract. No substitution shall be made without priornotification to and concurrence of the Contracting Officer in accordance with this requirement. (b) All proposedsubstitutes shall have qualifications equal to or higher than the qualifications of the person to be replaced. TheContracting Officer shall be notified in writing of any proposed substitution at least forty-five (45) days, or ninety(90) days if a security clearance is to be obtained, in advance of the proposed substitution. Such notification shallinclude: (1) an explanation of the circumstances necessitating the substitution; (2) a complete resume of the proposedsubstitute; and (3) any other information requested by the Contracting Officer to enable him/her to judge whether ornot the Contractor is maintaining the same high quality of personnel that provided the partial basis for award.

H.5 POST AWARD CONTRACTOR PERSONNEL APPROVAL

(a) Requests for post award approval of additional and/or replacement Resumed Key Personnel shall be submittedvia e-mail. E-mail submissions shall be made simultaneously to the Contract Specialist, COR, and the AlternateCOR. Electronic notification via e-mail from the Contracting Officer will serve as written approval/disapproval. Thisapproval is required before an individual may begin charging to the Task Order.

(b) Resumes shall be submitted in the format required. However, in order to expedite contract administration,contractor format may be used providing sufficient information is submitted for an independent comparison of theindividual’s qualifications with labor category requirements.

(c) If the employee is not a current employee of the contractor (or a subcontractor), a copy of the accepted offer letter(which identifies a projected start date and the agreed to annual salary) shall be provided.

(d) TRIPWIRE NOTIFICATION. If the employee is a current employee of the contractor (or a subcontractor), thefully burdened hourly rate that will be invoiced under the Task Order shall be provided. If the labor rate to beinvoiced for the individual will exceed any Navy labor rate tripwire for service contracts in effect at time of therequest for approval, the Contractor shall fully justify why the proposed individual is required for contractperformance and the specific benefit to be derived from the individual’s addition to the Task Order.

H.6 RESUME FORMAT AND CONTENT REQUIREMENTS

In order to facilitate evaluation, all resumes shall contain the following minimum information :

H.6.1 Complete Name

H.6.2 Task Order Labor Category

H.6.3 Contractor Labor Category

H.6.4 Percentage of time to be allocated to this effort

H.6.5 Current level of security clearance level per JPAS (identify if interim or final)

H.6.6 Current work location and planned work location upon award of this Task Order

H.6.7 Note if the individual is key on another contract with a period of performance that will overlap thisrequirement. Note plans to satisfy both contracts if the Offeror is selected for award.

H.6.8 Chronological Work History / Experience – Show experience and date(s) as follows:

(a) Employer: Dates (month/year); Title(s) held

(b) Work experience shall be presented separately for each employer, clearly marked with proper category ofexperience (i.e, Relevant Experience; Non-Relevant Experience.). If relevant and non-relevant experience wereobtained while at the same employer, separate time periods shall be noted for each assignment. (This is necessary toprevent an offeror from describing relevant experience obtained in a six month assignment for Company A asapplicable to the entire 10-year employment with that firm and to ensure offerors' proposals are evaluated on an equal

CONTRACT NO.



24 PAGE

88 of 123 FINAL

basis). Responsibilities shall be discussed in sufficient detail for each assignment so as to permit comparison withdesired experience levels in Section H. Specific examples of work assignments, accomplishments, and products shallbe provided.

(c) Phrases such as "assisted with", "participated in", or "supported" are UNACCEPTABLE except as introductoryto a detailed description of the actual work performed. If no such description is provided, the sentence or bulletedinformation will NOT be considered in the resume evaluation process. This is because evaluators would not be ableto identify the specific technical work contributions made by the individual.

(d) Resume information is encouraged to be presented in bullet format. This will allow evaluators to focus onrelevant information.

(e) Offerors shall note that the lack of specific definition in job responsibilities, services performed or productsproduced may be viewed as a lack of understanding of the Government’s overall technical requirements.

(f) All relevant military experience claimed shall be described such that each relevant tour is treated as a separateemployer. Time frames/titles/responsibilities shall be provided in accordance with the level of detail prescribedabove. Military experience not documented in this manner will not be considered.

(g) Gaps in experience shall be explained.

(h) The cut-off date for any experience claimed shall be the closing date of the solicitation.

(i) PROFESSIONAL DEVELOPMENT – Show any honors, degrees, publications, professional licenses,certifications and other evidence of professional accomplishments that are directly relevant and impact the offeror’sability to perform under the Task Order. For education and training, the following format is preferred:

Academic: Degree(s); Date(s); Institution; Major/Minor

Non-Academic: Course title, date(s), approximate length

Professional licenses and certifications.

*Note: The date obtained for each, as well as the date when each license/certification requires renewal.

Offeror. The employee certification shall include the following statement: CERTIFICATION: "I certify that theexperience and professional development described herein are complete and accurate in all respects. I consent to thedisclosure of my resume for NSWCDD Contract No. N00178-04-D-4124-0009 by SimVentions and intend to makemyself available to work under any resultant contract to the extent proposed."

________________________________ _____________________________

Employee Signature and Date Offeror Signature andDate

Resumes without this certification will be unacceptable and will not be considered. The employee certification shallnot be dated earlier than the issue date of this solicitation.

(j) If the employee is not a current employee of the offeror (or a proposed subcontractor), a copy of the accepted offerletter shall be provided. The letter shall identify the projected start date. The Cost Proposal shall includedocumentation that identifies the agreed-to salary amount.

H.7 5252.202-9101 ADDITIONAL DEFINITIONS (MAY 1993)

As used throughout this contract, the following terms shall have the meanings set forth below:

(a) DEPARTMENT - means the Department of the Navy.

(b) REFERENCES TO THE FEDERAL ACQUISITION REGULATION (FAR) - All references to the FAR in thiscontract shall be deemed to also reference the appropriate sections of the Defense FAR Supplement (DFARS), unlessclearly indicated otherwise.

CONTRACT NO.



24 PAGE

89 of 123 FINAL

(c) REFERENCES TO ARMED SERVICES PROCUREMENT REGULATION OR DEFENSE ACQUISITIONREGULATION – All references in this document to either the Armed Services Procurement Regulation (ASPR) orthe Defense Acquisition Regulation (DAR) shall be deemed to be references to the appropriate sections of theFAR/DFARs.

H.8 NAVSEA 5252.242-9115 TECHNICAL INSTRUCTIONS (APR 2015)

(a) Performance of the work hereunder may be subject to written technical instructions signed by the ContractingOfficer and the Contracting Officer's Representative specified in Section G of this contract. As used herein, technicalinstructions are defined to include the following:

(1) Directions to the Contractor which suggest pursuit of certain lines of inquiry, shift work emphasis, fill indetails or otherwise serve to accomplish the contractual statement of work.

(2) Guidelines to the Contractor which assist in the interpretation of drawings, specifications or technical portionsof work description.

(b) Technical instructions must be within the general scope of work stated in the contract. Technical instructionsmay not be used to: (1) assign additional work under the contract; (2) direct a change as defined in the "CHANGES"clause of this contract; (3) increase or decrease the contract price or estimated contract amount (including fee), asapplicable, the level of effort, or the time required for contract performance; or (4) change any of the terms, conditionsor specifications of the contract.

(c) If, in the opinion of the Contractor, any technical instruction calls for effort outside the scope of the contract or isinconsistent with this requirement, the Contractor shall notify the Contracting Officer in writing within ten (10)working days after the receipt of any such instruction. The Contractor shall not proceed with the work affected by thetechnical instruction unless and until the Contractor is notified by the Contracting Officer that the technicalinstruction is within the scope of this contract.

(d) Nothing in the foregoing paragraph shall be construed to excuse the Contractor from performing that portion ofthe contractual work statement which is not affected by the disputed technical instruction.

H.9 FUNDING PROFILE

It is estimated that these incremental funds will provide for the number of hours of labor stated below. The followingdetails funding to date:

H.10 5252.216-9122 LEVEL OF EFFORT – ALTERNATE 1 (MAY 2010)

(a) The Contractor agrees to provide the total level of effort specified below in performance of the work described inSections B and C of this task order. The total level of effort for the performance of this task order shall be man-hoursof direct labor, including subcontractor direct labor for those subcontractors specifically identified in the Contractor'sproposal as having hours included in the proposed level of effort. The table below and information for blanks inparagraph (b) and (d) are to be completed by the Offeror.

CONTRACT NO.



24 PAGE

90 of 123 FINAL

(b) Of the total man-hours of direct labor set forth above, it is estimated that 2,164 man-hours are uncompensatedeffort. Uncompensated effort is defined as hours provided by personnel in excess of 40 hours per week withoutadditional compensation for such excess work. Total Times Accounting (TTA) efforts are included in this definition.All other effort is defined as compensated effort. If no effort is indicated in the first sentence of this paragraph,uncompensated effort performed by the Contractor shall not be counted in fulfillment of the level of effort obligationsunder this contract.

(c) Effort performed in fulfilling the total level of effort obligations specified above shall only include effort performedin direct support of this contract and shall not include time and effort expended on such things as (local travel to andfrom an employee's usual work location), uncompensated effort while on travel status, truncated lunch periods, work(actual or inferred) at an employee's residence or other non-work locations (except as provided in paragraph (i)below), or other time and effort which does not have a specific and direct contribution to the tasks described inSections B and C.

(d) The level of effort for this contract shall be expended at an average rate of approximately 3,208 hours per week. Itis understood and agreed that the rate of man-hours per month may fluctuate in pursuit of the technical objective,provided such fluctuation does not result in the use of the total man-hours of effort prior to the expiration of the termhereof, except as provided in the following paragraph.

(e) If, during the term hereof, the Contractor finds it necessary to accelerate the expenditure of direct labor to such anextent that the total man-hours of effort specified above would be used prior to the expiration of the term, theContractor shall notify the Contracting Officer in writing setting forth the acceleration required, the probable benefitswhich would result, and an offer to undertake the acceleration at no increase in the estimated cost or fee together withan offer, setting forth a proposed level of effort, cost breakdown, and proposed fee, for continuation of the work untilexpiration of the term hereof. The offer shall provide that the work proposed will be subject to the terms andconditions of this contract and any additions or changes required by then current law, regulations, or directives, andthat the offer, with a written notice of acceptance by the Contracting Officer, shall constitute a binding contract. TheContractor shall not accelerate any effort until receipt of such written approval by the Contracting Officer. Anyagreement to accelerate will be formalized by contract modification.

(f) The Contracting Officer may, by written order, direct the Contractor to accelerate the expenditure of direct laborsuch that the total man-hours of effort specified in paragraph (a) above would be used prior to the expiration of theterm. This order shall specify the acceleration required and the resulting revised term. The Contractor shallacknowledge this order within five days of receipt.

(g) The Contractor shall provide and maintain an accounting system, acceptable to the Administrative ContractingOfficer and the Defense Contract Audit Agency (DCAA), which collects costs incurred and effort (compensated anduncompensated, if any) provided in fulfillment of the level of effort obligations of this contract. The Contractor shallindicate on each invoice the total level of effort claimed during the period covered by the invoice, separatelyidentifying compensated effort and uncompensated effort, if any.

(h) Within 45 days after completion of the work under each separately identified period of performance hereunder, theContractor shall submit the following information in writing to the Contracting Officer with copies to the cognizantContract Administration Office and to the DCAA office to which vouchers are submitted: (1) the total number ofman-hours of direct labor expended during the applicable period; (2) a breakdown of this total showing the numberof man-hours expended in each direct labor classification and associated direct and indirect costs; (3) a breakdown ofother costs incurred; and (4) the Contractor's estimate of the total allowable cost incurred under the contract for theperiod. Within 45 days after completion of the work under the contract, the Contractor shall submit, in addition, inthe case of a cost underrun; (5) the amount by which the estimated cost of this contract may be reduced to recoverexcess funds. All submissions shall include subcontractor information.

(i) Unless the Contracting Officer determines that alternative worksite arrangements are detrimental to contractperformance, the Contractor may perform up to 10% of the hours at an alternative worksite, provided the Contractorhas a company-approved alternative worksite plan. The primary worksite is the traditional "main office" worksite.

CONTRACT NO.



24 PAGE

91 of 123 FINAL

An alternative worksite means an employee’s residence or a telecommuting center. A telecommuting center is ageographically convenient office setting as an alternative to an employee’s main office. The Government reserves theright to review the Contractor’s alternative worksite plan. In the event performance becomes unacceptable, theContractor will be prohibited from counting the hours performed at the alternative worksite in fulfilling the totallevel of effort obligations of the contract. Regardless of work location, all contract terms and conditions, includingsecurity requirements and labor laws, remain in effect. The Government shall not incur any additional cost norprovide additional equipment for contract performance as a result of the Contractor’s election to implement analternative worksite plan.

(j) Notwithstanding any of the provisions in the above paragraphs and subject to the LIMITATION OF FUNDS orLIMITATION OF COST clauses, as applicable, the period of performance may be extended and the estimated costmay be increased in order to permit the Contractor to provide all of the man-hours listed in paragraph (a) above. Thecontractor shall continue to be paid fee for each man-hour performed in accordance with the terms of the contract.

H.11 NAVSEA 5252.232-9104 ALLOTMENT OF FUNDS (JAN 2008)

(a) This contract is incrementally funded with respect to both cost and fee. The amount(s) presently available andallotted to this contract for payment of fee for incrementally funded contract line item number/contract subline itemnumber (CLIN/SLIN), subject to the clause entitled "FIXED FEE" (FAR 52.216-8) or "INCENTIVE FEE" (FAR52.216-10), as appropriate, is specified below. The amount(s) presently available and allotted to this contract forpayment of cost for incrementally funded CLINs/SLINs is set forth below. As provided in the clause of this contractentitled "LIMITATION OF FUNDS" (FAR 52.232-22), the CLINs/SLINs covered thereby, and the period ofperformance for which it is estimated the allotted amount(s) will cover are as follows:

(b) The parties contemplate that the Government will allot additional amounts to this contract from time to time forthe incrementally funded CLINs/SLINs by unilateral contract modification, and any such modification shall stateseparately the amount(s) allotted for cost, the amount(s) allotted for fee, the CLINs/SLINs covered thereby, and theperiod of performance which the amount(s) are expected to cover.

(c) CLINs/SLINs are fully funded and performance under these CLINs/SLINs is subject to the clause of this contractentitled "LIMITATION OF COST" (FAR 52.232-20).

(d) The Contractor shall segregate costs for the performance of incrementally funded CLINs/SLINs from the costs ofperformance of fully funded CLINs/SLINs.

H.12 SAVINGS INITIATIVES

CONTRACT NO.



24 PAGE

92 of 123 FINAL

H.13 LABOR TRIPWIRE JUSTIFICATIONS

(a) The Contractor shall advise the COR and the Contract Specialist, by email, if the pending addition of anyindividual (Key or non-Key) will be at a fully loaded (through target fee) labor rate that exceeds the labor tripwireamount in a contract labor category with no previous tripwire approval. If the contract labor category has not beenapproved, the Contractor may not proceed with the addition until he is advised by the Contract Specialist that therequest has been approved.

(b) The Contractor’s request shall include: the proposed individual’s resume, labor hourly rate build-up, labor hoursper work year, detailed justification for the addition of the particular individual based on his/her technical expertiseand projected technical impact on the Task Order/Technical Instruction. If the individual is a Subcontractor orconsultant, the rate build-up shall include the Prime Contractor’s pass through rate.

(c) Currently, the labor tripwire is regardless of the number of labor hours the proposed individual will work. The Contractor will be advised of any changes to this tripwire level that occur during performance.

H.14 252.239-7001 INFORMATION ASSURANCE CONTRACTOR TRAINING AND CERTIFICATION(JAN 2008)

(a) The Contractor shall ensure that personnel accessing information systems have the proper and current informationassurance certification to perform information assurance functions in accordance with DoD 8570.01-M, or successor,Information Assurance Workforce Improvement Program. The Contractor shall meet the applicable informationassurance certification requirements, including—

(1) DoD-approved information assurance workforce certifications appropriate for each category and level as listedin the current version of DoD 8570.01-M, or successor; and

(2) Appropriate operating system certification for information assurance technical positions as required by DoD8570.01-M, or successor.

(b) Upon request by the Government, the Contractor shall provide documentation supporting the informationassurance certification status of personnel performing information assurance functions.

(c) Contractor personnel who do not have proper and current certifications shall be denied access to DoD informationsystems for the purpose of performing information assurance functions.

H.15 5252.227-9113 GOVERNMENT-INDUSTRY DATA EXCHANGE PROGRAM (APR 2015)

(a) The Contractor shall participate in the appropriate interchange of the Government-Industry Data ExchangeProgram (GIDEP) in accordance with GIDEP PUBLICATION 1 dated April 2008. Data entered is retained by theprogram and provided to qualified participants. Compliance with this requirement shall not relieve the Contractorfrom complying with any other requirement of the contract.

(b) The Contractor agrees to insert paragraph (a) of this requirement in any subcontract hereunder exceeding When so inserted, the word "Contractor" shall be changed to "Subcontractor".

(c) GIDEP materials, software and information are available without charge from:

GIDEP Operations Center

P.O. Box 8000

Corona, CA 92878-8000

CONTRACT NO.



24 PAGE

93 of 123 FINAL

Phone: (951) 898-3207

FAX: (951) 898-3250

Internet: http://www.gidep.org

CONTRACT NO.



24 PAGE

94 of 123 FINAL

SECTION I CONTRACT CLAUSES

CLAUSES INCORPORATED BY REFERENCE

52.224-2 Privacy Act APR 1984

52.232-40Providing Accelerated Payments to Small BusinessSubcontractors

Dec 2013

52.237-3 Continuity of Services Jan 1991

252.203-7003 Agency Office of the Inspector General Dec 2012

252.204-7000 Disclosure of Information Aug 2013

252.204-7005 Oral Attestation of Security Responsibilities Nov 2001

252.204-7009Limitations on the Use or Disclosure of Third-Party ContractorReported Cyber Incident Information

Aug 2015

252.239-7009 Representation on Use of Cloud Computing Aug 2015

252.239-7010 Cloud Computing Services Aug 2015

*All clauses in the offerors MAC contract apply to this Task Order, except for the following:52.216-1652.216-1752.219-352.219-452.227-352.227-13

Note: Regarding 52.244-2 -- SUBCONTRACTS (OCT 2010) - ALTERNATE I (JUNE 2007), Teamingarrangement with any firm not included in the Contractor's basic MAC contract must be submitted to the basicMAC Contracting Officer for approval. Team member (subcontract) additions after Task Order award must beapproved by the Task Order Contracting Officer.

CLAUSES INCORPORATED BY FULL TEXT

52.217-9 OPTION TO EXTEND THE TERM OF THE CONTRACT (MAR 2000) (NAVSEA VARIATION)(APR 2015)

(a) The Government may extend the term of this contract by written notice(s) to the Contractor within the periodsspecified below. If more than one option exists the Government has the right to unilaterally exercise any such optionwhether or not it has exercised other options.

ITEMS LATEST OPTION EXERCISE DATA7100, 7901, 9100 No later than 12 months after the Task Order Award

date7200, 7902, 9200 No later than 24 months after the Task Order Award

date7300, 7903, 9300 No later than 36 months after the Task Order Award

date

(b) If the Government exercises this option, the extended contract shall be considered to include this option clause.

(c) The total duration of this contract, including the exercise of any option(s) under this clause, shall not exceed five(5) years, however, in accordance with paragraph (j) of the requirement of this contract entitled "LEVEL OFEFFORT – ALTERNATE 1", (NAVSEA 5252.216-9122), if the total manhours delineated in paragraph (a) of the

CONTRACT NO.



24 PAGE

95 of 123 FINAL

LEVEL OF EFFORT requirement, have not been expended within the period specified above, the Government mayrequire the Contractor to continue to perform the work until the total number of manhours specified in paragraph (a)of the aforementioned requirement have been expended.

52.219-6 -Notice of Total Small Business Set-Aside (Nov 2011)

(a) Definition. “Small business concern,” as used in this clause, means a concern, including its affiliates, that isindependently owned and operated, not dominant in the field of operation in which it is bidding on Governmentcontracts, and qualified as a small business under the size standards in this solicitation.

(b) Applicability. This clause applies only to--

(1) Contracts that have been totally set aside or reserved for small business concerns; and

(2) Orders set aside for small business concerns under multiple-award contracts as described in 8.405-5 and16.505(b)(2)(i)(F).*

(c) General.

(1) Offers are solicited only from small business concerns. Offers received from concerns that are not smallbusiness concerns shall be considered nonresponsive and will be rejected.

(2) Any award resulting from this solicitation will be made to a small business concern.

(d) Agreement. A small business concern submitting an offer in its own name shall furnish, in performing the contract, only end items manufactured or produced by small business concerns in the United States or its outlying areas. If this procurement is processed under simplified acquisition procedures and the total amount of this contract does not exceed , a small business concern may furnish the product of any domestic firm. This paragraph does not apply to construction or service contracts.

52.243-7 NOTIFICATION OF CHANGES (APR 1984)

(a) Definitions. "Contracting Officer," as used in this clause, does not include any representative of the ContractingOfficer.

"Specifically Authorized Representative (SAR)," as used in this clause, means any person the Contracting Officer hasso designated by written notice (a copy of which shall be provided to the Contractor) which shall refer to thissubparagraph and shall be issued to the designated representative before the SAR exercises such authority.

(b) Notice. The primary purpose of this clause is to obtain prompt reporting of Government conduct that theContractor considers to constitute a change to this contract. Except for changes identified as such in writing andsigned by the Contracting Officer, the Contractor shall notify the Administrative Contracting Officer in writingpromptly, within ____ (to be negotiated) calendar days from the date that the Contractor identifies any Governmentconduct (including actions, inactions, and written or oral communications) that the Contractor regards as a change tothe contract terms and conditions. On the basis of the most accurate information available to the Contractor, thenotice shall state --

(1) The date, nature, and circumstances of the conduct regarded as a change;

(2) The name, function, and activity of each Government individual and Contractor official or employee involved inor knowledgeable about such conduct;

(3) The identification of any documents and the substance of any oral communication involved in such conduct;

(4) In the instance of alleged acceleration of scheduled performance or delivery, the basis upon which it arose;

(5) The particular elements of contract performance for which the Contractor may seek an equitable adjustment underthis clause, including --

(i) What contract line items have been or may be affected by the alleged change;

(ii) What labor or materials or both have been or may be added, deleted, or wasted by the alleged change;

CONTRACT NO.



24 PAGE

96 of 123 FINAL

(iii) To the extent practicable, what delay and disruption in the manner and sequence of performance and effect oncontinued performance have been or may be caused by the alleged change;

(iv) What adjustments to contract price, delivery schedule, and other provisions affected by the alleged change areestimated; and

(6) The Contractor’s estimate of the time by which the Government must respond to the Contractor’s notice tominimize cost, delay or disruption of performance.

(c) Continued performance. Following submission of the notice required by paragraph (b) of this clause, theContractor shall diligently continue performance of this contract to the maximum extent possible in accordance withits terms and conditions as construed by the Contractor, unless the notice reports a direction of the ContractingOfficer or a communication from a SAR of the Contracting Officer, in either of which events the Contractor shallcontinue performance; provided, however, that if the Contractor regards the direction or communication as a changeas described in paragraph (b) of this clause, notice shall be given in the manner provided. All directions,communications, interpretations, orders and similar actions of the SAR shall be reduced to writing promptly andcopies furnished to the Contractor and to the Contracting Officer. The Contracting Officer shall promptlycountermand any action which exceeds the authority of the SAR.

(d) Government response. The Contracting Officer shall promptly, within _____ (to be negotiated) calendar daysafter receipt of notice, respond to the notice in writing. In responding, the Contracting Officer shall either --

(1) Confirm that the conduct of which the Contractor gave notice constitutes a change and when necessary direct themode of further performance;

(2) Countermand any communication regarded as a change;

(3) Deny that the conduct of which the Contractor gave notice constitutes a change and when necessary direct themode of further performance; or

(4) In the event the Contractor’s notice information is inadequate to make a decision under subparagraphs (d)(1), (2),or (3) of this clause, advise the Contractor what additional information is required, and establish the date by which itshould be furnished and the date thereafter by which the Government will respond.

(e) Equitable adjustments.

(1) If the Contracting Officer confirms that Government conduct effected a change as alleged by the Contractor, andthe conduct causes an increase or decrease in the Contractor’s cost of, or the time required for, performance of anypart of the work under this contract, whether changed or not changed by such conduct, an equitable adjustment shallbe made --

(i) In the contract price or delivery schedule or both; and

(ii) In such other provisions of the contract as may be affected.

(2) The contract shall be modified in writing accordingly. In the case of drawings, designs or specifications whichare defective and for which the Government is responsible, the equitable adjustment shall include the cost and timeextension for delay reasonably incurred by the Contractor in attempting to comply with the defective drawings,designs or specifications before the Contractor identified, or reasonably should have identified, such defect. When thecost of property made obsolete or excess as a result of a change confirmed by the Contracting Officer under thisclause is included in the equitable adjustment, the Contracting Officer shall have the right to prescribe the manner ofdisposition of the property. The equitable adjustment shall not include increased costs or time extensions for delayresulting from the Contractor’s failure to provide notice or to continue performance as provided, respectively, inparagraphs (b) and (c) of this clause.

NOTE: The phrases "contract price" and "cost" wherever they appear in the clause, may be appropriately modified toapply to cost-reimbursement or incentive contracts, or to combinations thereof.

252.203-7999 PROHIBITION ON CONTRACTING WITH ENTITIES THAT REQUIRE CERTAININTERNAL CONFIDENTIALITY AGREEMENTS (DEVIATION 2015-O0010)(FEB 2015)

CONTRACT NO.



24 PAGE

97 of 123 FINAL

(a) The Contractor shall not require employees or subcontractors seeking to report fraud, waste, or abuse to sign orcomply with internal confidentiality agreements or statements prohibiting or otherwise restricting such employees orcontactors from lawfully reporting such waste, fraud, or abuse to a designated investigative or law enforcementrepresentative of a Federal department or agency authorized to receive such information.

(b) The Contractor shall notify employees that the prohibitions and restrictions of any internal confidentialityagreements covered by this clause are no longer in effect.

(c) The prohibition in paragraph (a) of this clause does not contravene requirements applicable to Standard Form312, Form 4414, or any other form issued by a Federal department or agency governing the nondisclosure ofclassified information.

(d) (1) In accordance with section 743 of Division E, Title VIII, of the Consolidated and Further ContinuingResolution Appropriations Act, 2015, (Pub. L. 113-235), use of funds appropriated (or otherwise made available)under that or any other Act may be prohibited, if the Government determines that the Contractor is not incompliance with the provisions of this clause.

(2) The Government may seek any available remedies in the event the Contractor fails to perform in accordwith the terms and conditions of the contract as a result of Government action under this clause.

252.204-7008 COMPLIANCE WITH SAFEGUARDING COVERED DEFENSE INFORMATIONCONTROLS (DEC 2015)

(a) Definitions. As used in this provision—

“Controlled technical information,” “covered contractor information system,” and “covered defense information” aredefined in clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.

(b) The security requirements required by contract clause 252.204-7012, Covered Defense Information and CyberIncident Reporting, shall be implemented for all covered defense information on all covered contractor informationsystems that support the performance of this contract.

(c) For covered contractor information systems that are not part of an information technology (IT) service or systemoperated on behalf of the Government (see 252.204-7012(b)(1)(ii))—

(1) By submission of this offer, the Offeror represents that it will implement the security requirements specifiedby National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “ProtectingControlled Unclassified Information in Nonfederal Information Systems and Organizations” (see http://dx.doi.org/10.6028/NIST.SP.800-171), not later than December 31, 2017.

(2)(i) If the Offeror proposes to vary from any of the security requirements specified by NIST SP 800-171 that isin effect at the time the solicitation is issued or as authorized by the Contracting Officer, the Offeror shall submit tothe Contracting Officer, for consideration by the DoD Chief Information Officer (CIO), a written explanation of—

(A) Why a particular security requirement is not applicable; or

(B) How an alternative but equally effective, security measure is used to compensate for the inability tosatisfy a particular requirement and achieve equivalent protection.

(ii) An authorized representative of the DoD CIO will adjudicate offeror requests to vary from NIST SP800-171 requirements in writing prior to contract award. Any accepted variance from NIST SP 800-171 shall beincorporated into the resulting contract.

252.204-7012 SAFEGUARDING COVERED DEFENSE INFORMATION AND CYBER INCIDENTREPORTING (DEC 2015)


“Adequate security” means protective measures that are commensurate with the consequences and probability ofloss, misuse, or unauthorized access to, or modification of information.

CONTRACT NO.



24 PAGE

98 of 123 FINAL

http://dx.doi.org/10.6028/NIST.SP.800-171

“Compromise” means disclosure of information to unauthorized persons, or a violation of the security policy of asystem, in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of anobject, or the copying of information to unauthorized media may have occurred.

“Contractor attributional/proprietary information” means information that identifies the contractor(s), whetherdirectly or indirectly, by the grouping of information that can be traced back to the contractor(s) (e.g., programdescription, facility locations), personally identifiable information, as well as trade secrets, commercial or financialinformation, or other commercially sensitive information that is not customarily shared outside of the company.

“Contractor information system” means an information system belonging to, or operated by or for, the Contractor.

“Controlled technical information” means technical information with military or space application that is subject tocontrols on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.Controlled technical information would meet the criteria, if disseminated, for distribution statements B through Fusing the criteria set forth in DoD Instruction 5230.24, Distribution Statements on Technical Documents. The termdoes not include information that is lawfully publicly available without restrictions.

“Covered contractor information system” means an information system that is owned, or operated by or for, acontractor and that processes, stores, or transmits covered defense information.

“Covered defense information” means unclassified information that—

(i) Is—

(A) Provided to the contractor by or on behalf of DoD in connection with the performance of the contract; or

(B) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support ofthe performance of the contract; and

(ii) Falls in any of the following categories:

(A) Controlled technical information.

(B) Critical information (operations security). Specific facts identified through the Operations Security processabout friendly intentions, capabilities, and activities vitally needed by adversaries for them to plan and act effectivelyso as to guarantee failure or unacceptable consequences for friendly mission accomplishment (part of OperationsSecurity process).

(C) Export control. Unclassified information concerning certain items, commodities, technology, software, orother information whose export could reasonably be expected to adversely affect the United States national securityand nonproliferation objectives. To include dual use items; items identified in export administration regulations,international traffic in arms regulations and munitions list; license applications; and sensitive nuclear technologyinformation.

(D) Any other information, marked or otherwise identified in the contract, that requires safeguarding ordissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies (e.g.,privacy, proprietary business information).

“Cyber incident” means actions taken through the use of computer networks that result in a compromise or an actualor potentially adverse effect on an information system and/or the information residing therein.

“Forensic analysis” means the practice of gathering, retaining, and analyzing computer-related data for investigativepurposes in a manner that maintains the integrity of the data.

“Malicious software” means computer software or firmware intended to perform an unauthorized process that willhave adverse impact on the confidentiality, integrity, or availability of an information system. This definitionincludes a virus, worm, Trojan horse, or other code-based entity that infects a host, as well as spyware and someforms of adware.

“Media” means physical devices or writing surfaces including, but is not limited to, magnetic tapes, optical disks,

CONTRACT NO.



24 PAGE

99 of 123 FINAL

magnetic disks, large-scale integration memory chips, and printouts onto which information is recorded, stored, orprinted within an information system.

‘‘Operationally critical support’’ means supplies or services designated by the Government as critical for airlift,sealift, intermodal transportation services, or logistical support that is essential to the mobilization, deployment, orsustainment of the Armed Forces in a contingency operation.

“Rapid(ly) report(ing)” means within 72 hours of discovery of any cyber incident.

“Technical information” means technical data or computer software, as those terms are defined in the clause atDFARS 252.227-7013, Rights in Technical Data-Non Commercial Items, regardless of whether or not the clause isincorporated in this solicitation or contract. Examples of technical information include research and engineering data,engineering drawings, and associated lists, specifications, standards, process sheets, manuals, technical reports,technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computersoftware executable code and source code.

(b) Adequate security. The Contractor shall provide adequate security for all covered defense information on allcovered contractor information systems that support the performance of work under this contract. To provideadequate security, the Contractor shall—

(1) Implement information systems security protections on all covered contractor information systemsincluding, at a minimum—

(i) For covered contractor information systems that are part of an Information Technology (IT) service orsystem operated on behalf of the Government—

(A) Cloud computing services shall be subject to the security requirements specified in the clause252.239-7010, Cloud Computing Services, of this contract; and

(B) Any other such IT service or system (i.e., other than cloud computing) shall be subject to thesecurity requirements specified elsewhere in this contract; or

(ii) For covered contractor information systems that are not part of an IT service or system operated on behalf of theGovernment and therefore are not subject to the security requirement specified at paragraph (b)(1)(i) of this clause—

(A) The security requirements in National Institute of Standards and Technology (NIST) SpecialPublication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems andOrganizations,” http://dx.doi.org/10.6028/NIST.SP.800-171 that is in effect at the time the solicitation is issuedor as authorized by the Contracting Officer, as soon as practical, but not later than December 31, 2017. TheContractor shall notify the DoD CIO, via email at [email protected], within 30 days of contract award, of anysecurity requirements specified by NIST SP 800-171 not implemented at the time of contract award; or

(B) Alternative but equally effective security measures used to compensate for the inability to satisfy aparticular requirement and achieve equivalent protection accepted in writing by an authorized representative of theDoD CIO; and

(2) Apply other information systems security measures when the Contractor easonably determines thatinformation systems security measures, in addition to those identified in paragraph (b)(1) of this clause, may berequired to provide adequate security in a dynamic environment based on an assessed risk or vulnerability.

(c) Cyber incident reporting requirement.

(1) When the Contractor discovers a cyber incident that affects a covered contractor information system or thecovered defense information residing therein, or that affects the contractor’s ability to perform the requirements of thecontract that are designated as operationally critical support, the Contractor shall—

(i) Conduct a review for evidence of compromise of covered defense information, including, but not limitedto, identifying compromised computers, servers, specific data, and user accounts. This review shall also includeanalyzing covered contractor information system(s) that were part of the cyber incident, as well as other informationsystems on the Contractor’s network(s), that may have been accessed as a result of the incident in order to identify

CONTRACT NO.



24 PAGE

100 of 123 FINAL

http://dx.doi.org/10.6028/NIST.SP.800-171


compromised covered defense information, or that affect the Contractor’s ability to provide operationally criticalsupport; and

(ii) Rapidly report cyber incidents to DoD at http://dibnet.dod.mil.

(2) Cyber incident report. The cyber incident report shall be treated as information created by or for DoD andshall include, at a minimum, the required elements at http://dibnet.dod.mil.

(3) Medium assurance certificate requirement. In order to report cyber incidents in accordance with this clause, theContractor or subcontractor shall have or acquire a DoD-approved medium assurance certificate to report cyberincidents. For information on obtaining a DoD-approved medium assurance certificate, see http://iase.disa.mil/pki/eca/Pages/index.aspx.

(d) Malicious software. The Contractor or subcontractors that discover and isolate malicious software inconnection with a reported cyber incident shall submit the malicious software in accordance with instructionsprovided by the Contracting Officer.

(e) Media preservation and protection. When a Contractor discovers a cyber incident has occurred, theContractor shall preserve and protect images of all known affected information systems identified in paragraph(c)(1)(i) of this clause and all relevant monitoring/packet capture data for at least 90 days from the submission of thecyber incident report to allow DoD to request the media or decline interest.

(f) Access to additional information or equipment necessary for forensic analysis. Upon request by DoD, theContractor shall provide DoD with access to additional information or equipment that is necessary to conduct aforensic analysis.

(g) Cyber incident damage assessment activities. If DoD elects to conduct a damage assessment, theContracting Officer will request that the Contractor provide all of the damage assessment information gathered inaccordance with paragraph (e) of this clause.

(h) DoD safeguarding and use of contractor attributional/proprietary information. The Government shallprotect against the unauthorized use or release of information obtained from the contractor (or derived frominformation obtained from the contractor) under this clause that includes contractor attributional/proprietaryinformation, including such information submitted in accordance with paragraph (c). To the maximum extentpracticable, the Contractor shall identify and mark attributional/proprietary information. In making an authorizedrelease of such information, the Government will implement appropriate procedures to minimize the contractorattributional/proprietary information that is included in such authorized release, seeking to include only thatinformation that is necessary for the authorized purpose(s) for which the information is being released.

(i) Use and release of contractor attributional/proprietary information not created by or for DoD. Information thatis obtained from the contractor (or derived from information obtained from the contractor) under this clause that isnot created by or for DoD is authorized to be released outside of DoD—

(1) To entities with missions that may be affected by such information;

(2) To entities that may be called upon to assist in the diagnosis, detection, or mitigation of cyber incidents;

(3) To Government entities that conduct counterintelligence or law enforcement investigations;

(4) For national security purposes, including cyber situational awareness and defense purposes (including withDefense Industrial Base (DIB) participants in the program at 32 CFR part 236); or

(5) To a support services contractor (“recipient”) that is directly supporting Government activities under acontract that includes the clause at 252.204-7009, Limitations on the Use or Disclosure of Third-Party ContractorReported Cyber Incident Information.

(j) Use and release of contractor attributional/proprietary information created by or for DoD. Information that isobtained from the contractor (or derived from information obtained from the contractor) under this clause that iscreated by or for DoD (including the information submitted pursuant to paragraph (c) of this clause) is authorized tobe used and released outside of DoD for purposes and activities authorized by paragraph (i) of this clause, and for any

CONTRACT NO.



24 PAGE

101 of 123 FINAL

http://dibnet.dod.mil/


http://iase.disa.mil/pki/eca/Pages/index.aspx

other lawful Government purpose or activity, subject to all applicable statutory, regulatory, and policy basedrestrictions on the Government’s use and release of such information.

(k) The Contractor shall conduct activities under this clause in accordance with applicable laws and regulationson the interception, monitoring, access, use, and disclosure of electronic communications and data.

(l) Other safeguarding or reporting requirements. The safeguarding and cyber incident reporting required by thisclause in no way abrogates the Contractor’s responsibility for other safeguarding or cyber incident reportingpertaining to its unclassified information systems as required by other applicable clauses of this contract, or as aresult of other applicable U.S. Government statutory or regulatory requirements.

(m) Subcontracts. The Contractor shall—

(1) Include this clause, including this paragraph (m), in subcontracts, or similar contractual instruments, foroperationally critical support, or for which subcontract performance will involve a covered contractor informationsystem, including subcontracts for commercial items, without alteration, except to identify the parties; and

(2) When this clause is included in a subcontract, require subcontractors to rapidly report cyber incidentsdirectly to DoD at http://dibnet.dod.mil and the prime Contractor. This includes providing the incident reportnumber, automatically assigned by DoD, to the prime Contractor (or next higher-tier subcontractor) as soon aspracticable

252.227-7013 RIGHTS IN TECHNICAL DATA--NONCOMMERCIAL ITEMS (FEB 2014)


(1) “Computer data base” means a collection of data recorded in a form capable of being processed by a computer.The term does not include computer software.

(2) “Computer program” means a set of instructions, rules, or routines recorded in a form that is capable ofcausing a computer to perform a specific operation or series of operations.

(3) “Computer software” means computer programs, source code, source code listings, object code listings,design details, algorithms, processes, flow charts, formulae and related material that would enable the software to bereproduced, recreated, or recompiled. Computer software does not include computer data bases or computer softwaredocumentation.

(4) “Computer software documentation” means owner's manuals, user's manuals, installation instructions,operating instructions, and other similar items, regardless of storage medium, that explain the capabilities of thecomputer software or provide instructions for using the software.

(5) "Covered Government support contractor" means a contractor (other than a litigation support contractorcovered by 252.204-7014) under a contract, the primary purpose of which is to furnish independent and impartialadvice or technical assistance directly to the Government in support of the Government’s management and oversightof a program or effort (rather than to directly furnish an end item or service to accomplish a program or effort),provided that the contractor—

(i) Is not affiliated with the prime contractor or a first-tier subcontractor on the program or effort, or with anydirect competitor of such prime contractor or any such first-tier subcontractor in furnishing end items or services ofthe type developed or produced on the program or effort; and

(ii) Receives access to technical data or computer software for performance of a Government contract thatcontains the clause at 252.227-7025, Limitations on the Use or Disclosure of Government-Furnished InformationMarked with Restrictive Legends.

(6) “Detailed manufacturing or process data” means technical data that describe the steps, sequences, andconditions of manufacturing, processing or assembly used by the manufacturer to produce an item or component orto perform a process.

(7) “Developed” means that an item, component, or process exists and is workable. Thus, the item orcomponent must have been constructed or the process practiced. Workability is generally established when the item,component, or process has been analyzed or tested sufficiently to demonstrate to reasonable people skilled in the

CONTRACT NO.



24 PAGE

102 of 123 FINAL


http://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm


applicable art that there is a high probability that it will operate as intended. Whether, how much, and what type ofanalysis or testing is required to establish workability depends on the nature of the item, component, or process, andthe state of the art. To be considered “developed,” the item, component, or process need not be at the stage where itcould be offered for sale or sold on the commercial market, nor must the item, component, or process be actuallyreduced to practice within the meaning of Title 35 of the United States Code.

(8) “Developed exclusively at private expense” means development was accomplished entirely with costs chargedto indirect cost pools, costs not allocated to a government contract, or any combination thereof.

(i) Private expense determinations should be made at the lowest practicable level.

(ii) Under fixed-price contracts, when total costs are greater than the firm-fixed-price or ceiling price of thecontract, the additional development costs necessary to complete development shall not be considered whendetermining whether development was at government, private, or mixed expense.

(9) “Developed exclusively with government funds” means development was not accomplished exclusively orpartially at private expense.

(10) “Developed with mixed funding” means development was accomplished partially with costs charged toindirect cost pools and/or costs not allocated to a government contract, and partially with costs charged directly to agovernment contract.

(11) “Form, fit, and function data” means technical data that describes the required overall physical, functional,and performance characteristics (along with the qualification requirements, if applicable) of an item, component, orprocess to the extent necessary to permit identification of physically and functionally interchangeable items.

(12) “Government purpose” means any activity in which the United States Government is a party, includingcooperative agreements with international or multi-national defense organizations, or sales or transfers by the UnitedStates Government to foreign governments or international organizations. Government purposes include competitiveprocurement, but do not include the rights to use, modify, reproduce, release, perform, display, or disclose technicaldata for commercial purposes or authorize others to do so.

(13) “Government purpose rights” means the rights to—

(i) Use, modify, reproduce, release, perform, display, or disclose technical data within the Government withoutrestriction; and

(ii) Release or disclose technical data outside the Government and authorize persons to whom release ordisclosure has been made to use, modify, reproduce, release, perform, display, or disclose that data for United Statesgovernment purposes.

(14) “Limited rights” means the rights to use, modify, reproduce, release, perform, display, or disclose technicaldata, in whole or in part, within the Government. The Government may not, without the written permission of theparty asserting limited rights, release or disclose the technical data outside the Government, use the technical datafor manufacture, or authorize the technical data to be used by another party, except that the Government mayreproduce, release, or disclose such data or authorize the use or reproduction of the data by persons outside theGovernment if—

(i) The reproduction, release, disclosure, or use is—

(A) Necessary for emergency repair and overhaul; or

(B) A release or disclosure to—

(1) A covered Government support contractor in performance of its covered Government support contract for use,modification, reproduction, performance, display, or release or disclosure to a person authorized to receive limitedrights technical data; or

(2) A foreign government, of technical data other than detailed manufacturing or process data, when use of suchdata by the foreign government is in the interest of the Government and is required for evaluational or informationalpurposes;

(ii) The recipient of the technical data is subject to a prohibition on the further reproduction, release,

CONTRACT NO.



24 PAGE

103 of 123 FINAL

disclosure, or use of the technical data; and

(iii) The contractor or subcontractor asserting the restriction is notified of such reproduction, release,disclosure, or use.

(15) “Technical data” means recorded information, regardless of the form or method of the recording, of ascientific or technical nature (including computer software documentation). The term does not include computersoftware or data incidental to contract administration, such as financial and/or management information.

(16) “Unlimited rights” means rights to use, modify, reproduce, perform, display, release, or disclose technicaldata in whole or in part, in any manner, and for any purpose whatsoever, and to have or authorize others to do so.

(b) Rights in technical data. The Contractor grants or shall obtain for the Government the following royalty free,world-wide, nonexclusive, irrevocable license rights in technical data other than computer software documentation(see the Rights in Noncommercial Computer Software and Noncommercial Computer Software Documentationclause of this contract for rights in computer software documentation):

(1) Unlimited rights. The Government shall have unlimited rights in technical data that are—

(i) Data pertaining to an item, component, or process which has been or will be developed exclusively withGovernment funds;

(ii) Studies, analyses, test data, or similar data produced for this contract, when the study, analysis, test, orsimilar work was specified as an element of performance;

(iii) Created exclusively with Government funds in the performance of a contract that does not require thedevelopment, manufacture, construction, or production of items, components, or processes;

(iv) Form, fit, and function data;

(v) Necessary for installation, operation, maintenance, or training purposes (other than detailed manufacturingor process data);

(vi) Corrections or changes to technical data furnished to the Contractor by the Government;

(vii) Otherwise publicly available or have been released or disclosed by the Contractor or subcontractorwithout restrictions on further use, release or disclosure, other than a release or disclosure resulting from the sale,transfer, or other assignment of interest in the technical data to another party or the sale or transfer of some or all of abusiness entity or its assets to another party;

(viii) Data in which the Government has obtained unlimited rights under another Government contract or as aresult of negotiations; or

(ix) Data furnished to the Government, under this or any other Government contract or subcontractthereunder, with—

(A) Government purpose license rights or limited rights and the restrictive condition(s) has/have expired; or

(B) Government purpose rights and the Contractor's exclusive right to use such data for commercialpurposes has expired.

(2) Government purpose rights.

(i) The Government shall have government purpose rights for a five-year period, or such other period as maybe negotiated, in technical data—

(A) That pertain to items, components, or processes developed with mixed funding except when theGovernment is entitled to unlimited rights in such data

as provided in paragraphs (b)(1)(ii) and (b)(1)(iv) through (b)(1)(ix) of this clause; or

(B) Created with mixed funding in the performance of a contract that does not require the development,manufacture, construction, or production of items, components, or processes.

CONTRACT NO.



24 PAGE

104 of 123 FINAL

(ii) The five-year period, or such other period as may have been negotiated, shall commence upon execution ofthe contract, subcontract, letter contract (or similar contractual instrument), contract modification, or option exercisethat required development of the items, components, or processes or creation of the data described in paragraph (b)(2)(i)(B) of this clause. Upon expiration of the five-year or other negotiated period, the Government shall haveunlimited rights in the technical data.

(iii) The Government shall not release or disclose technical data in which it has government purpose rightsunless—

(A) Prior to release or disclosure, the intended recipient is subject to the non-disclosure agreement at227.7103-7 of the Defense Federal Acquisition Regulation Supplement (DFARS); or

(B) The recipient is a Government contractor receiving access to the data for performance of a Governmentcontract that contains the clause at DFARS 252.227-7025, Limitations on the Use or Disclosure of Government-Furnished Information Marked with Restrictive Legends.

(iv) The Contractor has the exclusive right, including the right to license others, to use technical data inwhich the Government has obtained government purpose rights under this contract for any commercial purposeduring the time period specified in the government purpose rights legend prescribed in paragraph (f)(2) of this clause.

(3) Limited rights.

(i) Except as provided in paragraphs (b)(1)(ii) and (b)(1)(iv) through (b)(1)(ix) of this clause, the Governmentshall have limited rights in technical data—

(A) Pertaining to items, components, or processes developed exclusively at private expense and marked withthe limited rights legend prescribed in paragraph (f) of this clause; or

(B) Created exclusively at private expense in the performance of a contract that does not require thedevelopment, manufacture, construction, or production of items, components, or processes.

(ii) The Government shall require a recipient of limited rights data for emergency repair or overhaul to destroy thedata and all copies in its possession promptly following completion of the emergency repair/overhaul and to notifythe Contractor that the data have been destroyed.

(iii) The Contractor, its subcontractors, and suppliers are not required to provide the Government additionalrights to use, modify, reproduce, release, perform, display, or disclose technical data furnished to the Governmentwith limited rights. However, if the Government desires to obtain additional rights in technical data in which it haslimited rights, the Contractor agrees to promptly enter into negotiations with the Contracting Officer to determinewhether there are acceptable terms for transferring such rights. All technical data in which the Contractor has grantedthe Government additional rights shall be listed or described in a license agreement made part of the contract. Thelicense shall enumerate the additional rights granted the Government in such data.

(iv) The Contractor acknowledges that—

(A) Limited rights data are authorized to be released or disclosed to covered Government support contractors;

(B) The Contractor will be notified of such release or disclosure;

(C) The Contractor (or the party asserting restrictions as identified in the limited rights legend) may requireeach such covered Government support contractor to enter into a non-disclosure agreement directly with theContractor (or the party asserting restrictions) regarding the covered Government support contractor’s use of suchdata, or alternatively, that the Contractor (or party asserting restrictions) may waive in writing the requirement for anon-disclosure agreement; and

(D) Any such non-disclosure agreement shall address the restrictions on the covered Government supportcontractor's use of the limited rights data as set forth in the clause at 252.227-7025, Limitations on the Use orDisclosure of Government-Furnished Information Marked with Restrictive Legends. The non-disclosure agreementshall not include any additional terms and conditions unless mutually agreed to by the parties to the non-disclosureagreement.

(4) Specifically negotiated license rights. The standard license rights granted to the Government under paragraphs

CONTRACT NO.



24 PAGE

105 of 123 FINAL

http://www.acq.osd.mil/dpap/dars/dfars/html/current/227_71.htm



(b)(1) through (b)(3) of this clause, including the period during which the Government shall have governmentpurpose rights in technical data, may be modified by mutual agreement to provide such rights as the parties considerappropriate but shall not provide the Government lesser rights than are enumerated in paragraph (a)(14) of thisclause. Any rights so negotiated shall be identified in a license agreement made part of this contract.

(5) Prior government rights. Technical data that will be delivered, furnished, or otherwise provided to theGovernment under this contract, in which the Government has previously obtained rights shall be delivered,furnished, or provided with the pre-existing rights, unless—

(i) The parties have agreed otherwise; or

(ii) Any restrictions on the Government's rights to use, modify, reproduce, release, perform, display, or disclosethe data have expired or no longer apply.

(6) Release from liability. The Contractor agrees to release the Government from liability for any release ordisclosure of technical data made in accordance with paragraph (a)(14) or (b)(2)(iii) of this clause, in accordance withthe terms of a license negotiated under paragraph (b)(4) of this clause, or by others to whom the recipient hasreleased or disclosed the data and to seek relief solely from the party who has improperly used, modified,reproduced, released, performed, displayed, or disclosed Contractor data marked with restrictive legends.

(c) Contractor rights in technical data. All rights not granted to the Government are retained by the Contractor.

(d) Third party copyrighted data. The Contractor shall not, without the written approval of the Contracting Officer,incorporate any copyrighted data in the technical data to be delivered under this contract unless the Contractor is thecopyright owner or has obtained for the Government the license rights necessary to perfect a license or licenses in thedeliverable data of the appropriate scope set forth in paragraph (b) of this clause, and has affixed a statement of thelicense or licenses obtained on behalf of the Government and other persons to the data transmittal document.

(e) Identification and delivery of data to be furnished with restrictions on use, release, or disclosure.

(1) This paragraph does not apply to restrictions based solely on copyright.

(2) Except as provided in paragraph (e)(3) of this clause, technical data that the Contractor asserts should befurnished to the Government with restrictions on use, release, or disclosure are identified in an attachment to thiscontract (the Attachment). The Contractor shall not deliver any data with restrictive markings unless the data arelisted on the Attachment.

(3) In addition to the assertions made in the Attachment, other assertions may be identified after award when basedon new information or inadvertent omissions unless the inadvertent omissions would have materially affected thesource selection decision. Such identification and assertion shall be submitted to the Contracting Officer as soon aspracticable prior to the scheduled date for delivery of the data, in the following format, and signed by an officialauthorized to contractually obligate the Contractor:

Identification and Assertion of Restrictions on the Government's Use, Release, or Disclosure of Technical Data.

The Contractor asserts for itself, or the persons identified below, that the Government's rights to use, release, ordisclose the following technical data should be restricted—

Technical Data Name of Person

to be Furnished Basis for Asserted Rights Asserting

With Restrictions* Assertion** Category*** Restrictions****

(LIST) (LIST) (LIST) (LIST)

*If the assertion is applicable to items, components, or processes developed at private expense, identify both the dataand each such item, component, or process.

**Generally, the development of an item, component, or process at private expense, either exclusively or partially, isthe only basis for asserting restrictions on the Government's rights to use, release, or disclose technical datapertaining to such items, components, or processes. Indicate whether development was exclusively or partially atprivate expense. If development was not at private expense, enter the specific reason for asserting that theGovernment's rights should be restricted.

CONTRACT NO.



24 PAGE

106 of 123 FINAL

***Enter asserted rights category (e.g., government purpose license rights from a prior contract, rights in SBIR datagenerated under another contract, limited or government purpose rights under this or a prior contract, or specificallynegotiated licenses).

****Corporation, individual, or other person, as appropriate.

Date _________________________________

Printed Name and Title _________________________________

_________________________________

Signature _________________________________

(End of identification and assertion)

(4) When requested by the Contracting Officer, the Contractor shall provide sufficient information to enable theContracting Officer to evaluate the Contractor's assertions. The Contracting Officer reserves the right to add theContractor's assertions to the Attachment and validate any listed assertion, at a later date, in accordance with theprocedures of the Validation of Restrictive Markings on Technical Data clause of this contract.

(f) Marking requirements. The Contractor, and its subcontractors or suppliers, may only assert restrictions on theGovernment's rights to use, modify, reproduce, release, perform, display, or disclose technical data to be deliveredunder this contract by marking the deliverable data subject to restriction. Except as provided in paragraph (f)(5) ofthis clause, only the following legends are authorized under this contract: the government purpose rights legend atparagraph (f)(2) of this clause; the limited rights legend at paragraph (f)(3) of this clause; or the special license rightslegend at paragraph (f)(4) of this clause; and/or a notice of copyright as prescribed under 17 U.S.C. 401 or 402.

(1) General marking instructions. The Contractor, or its subcontractors or suppliers, shall conspicuously andlegibly mark the appropriate legend on all technical data that qualify for such markings. The authorized legends shallbe placed on the transmittal document or storage container and, for printed material, each page of the printed materialcontaining technical data for which restrictions are asserted. When only portions of a page of printed material aresubject to the asserted restrictions, such portions shall be identified by circling, underscoring, with a note, or otherappropriate identifier. Technical data transmitted directly from one computer or computer terminal to another shallcontain a notice of asserted restrictions. Reproductions of technical data or any portions thereof subject to assertedrestrictions shall also reproduce the asserted restrictions.

(2) Government purpose rights markings. Data delivered or otherwise furnished to the Government withgovernment purpose rights shall be marked as follows:

GOVERNMENT PURPOSE RIGHTS

Contract No.

Contractor Name

Contractor Address

Expiration Date

The Government's rights to use, modify, reproduce, release, perform, display, or disclose these technical data arerestricted by paragraph (b)(2) of the Rights in Technical Data—Noncommercial Items clause contained in the aboveidentified contract. No restrictions apply after the expiration date shown above. Any reproduction of technical data orportions thereof marked with this legend must also reproduce the markings.

(End of legend)

(3) Limited rights markings. Data delivered or otherwise furnished to the Government with limited rights shall bemarked with the following legend:

LIMITED RIGHTS

Contract No.

CONTRACT NO.



24 PAGE

107 of 123 FINAL

Contractor Name

Contractor Address

The Government's rights to use, modify, reproduce, release, perform, display, or disclose these technical data arerestricted by paragraph (b)(3) of the Rights in Technical Data--Noncommercial Items clause contained in the aboveidentified contract. Any reproduction of technical data or portions thereof marked with this legend must alsoreproduce the markings. Any person, other than the Government, who has been provided access to such data mustpromptly notify the above named Contractor.

(End of legend)

(4) Special license rights markings.

(i) Data in which the Government's rights stem from a specifically negotiated license shall be marked with thefollowing legend:

SPECIAL LICENSE RIGHTS

The Government's rights to use, modify, reproduce, release, perform, display, ordisclose these data are restricted by Contract No. _____(Insert contractnumber)____, License No. ____(Insert license identifier)____. Any reproductionof technical data or portions thereof marked with this legend must also reproducethe markings.

(End of legend)

(ii) For purposes of this clause, special licenses do not include government purpose license rights acquired undera prior contract (see paragraph (b)(5) of this clause).

(5) Pre-existing data markings. If the terms of a prior contract or license permitted the Contractor to restrict theGovernment's rights to use, modify, reproduce, release, perform, display, or disclose technical data deliverable underthis contract, and those restrictions are still applicable, the Contractor may mark such data with the appropriaterestrictive legend for which the data qualified under the prior contract or license. The marking procedures inparagraph (f)(1) of this clause shall be followed.

(g) Contractor procedures and records. Throughout performance of this contract, the Contractor and itssubcontractors or suppliers that will deliver technical data with other than unlimited rights, shall—

(1) Have, maintain, and follow written procedures sufficient to assure that restrictive markings are used only whenauthorized by the terms of this clause; and

(2) Maintain records sufficient to justify the validity of any restrictive markings on technical data delivered underthis contract.

(h) Removal of unjustified and nonconforming markings.

(1) Unjustified technical data markings. The rights and obligations of the parties regarding the validation ofrestrictive markings on technical data furnished or to be furnished under this contract are contained in the Validationof Restrictive Markings on Technical Data clause of this contract. Notwithstanding any provision of this contractconcerning inspection and acceptance, the Government may ignore or, at the Contractor's expense, correct or strike amarking if, in accordance with the procedures in the Validation of Restrictive Markings on Technical Data clause ofthis contract, a restrictive marking is determined to be unjustified.

(2) Nonconforming technical data markings. A nonconforming marking is a marking placed on technical datadelivered or otherwise furnished to the Government under this contract that is not in the format authorized by thiscontract. Correction of nonconforming markings is not subject to the Validation of Restrictive Markings onTechnical Data clause of this contract. If the Contracting Officer notifies the Contractor of a nonconforming markingand the Contractor fails to remove or correct such marking within sixty (60) days, the Government may ignore or, atthe Contractor's expense, remove or correct any nonconforming marking.

CONTRACT NO.



24 PAGE

108 of 123 FINAL

(i) Relation to patents. Nothing contained in this clause shall imply a license to the Government under anypatent or be construed as affecting the scope of any license or other right otherwise granted to the Government underany patent.

(j) Limitation on charges for rights in technical data.

(1) The Contractor shall not charge to this contract any cost, including, but not limited to, license fees, royalties,or similar charges, for rights in technical data to be delivered under this contract when—

(i) The Government has acquired, by any means, the same or greater rights in the data; or

(ii) The data are available to the public without restrictions.

(2) The limitation in paragraph (j)(1) of this clause—

(i) Includes costs charged by a subcontractor or supplier, at any tier, or costs incurred by the Contractor toacquire rights in subcontractor or supplier technical data, if the subcontractor or supplier has been paid for suchrights under any other Government contract or under a license conveying the rights to the Government; and

(ii) Does not include the reasonable costs of reproducing, handling, or mailing the documents or other mediain which the technical data will be delivered.

(k) Applicability to subcontractors or suppliers.

(1) The Contractor shall ensure that the rights afforded its subcontractors and suppliers under 10 U.S.C. 2320, 10U.S.C. 2321, and the identification, assertion, and delivery processes of paragraph (e) of this clause are recognizedand protected.

(2) Whenever any technical data for noncommercial items, or for commercial items developed in any part atGovernment expense, is to be obtained from a subcontractor or supplier for delivery to the Government under thiscontract, the Contractor shall use this same clause in the subcontract or other contractual instrument, includingsubcontracts or other contractual instruments for commercial items, and require its subcontractors or suppliers to doso, without alteration, except to identify the parties. This clause will govern the technical data pertaining tononcommercial items or to any portion of a commercial item that was developed in any part at Government expense,and the clause at 252.227-7015 will govern the technical data pertaining to any portion of a commercial item thatwas developed exclusively at private expense. No other clause shall be used to enlarge or diminish theGovernment's, the Contractor's, or a higher-tier subcontractor's or supplier's rights in a subcontractor's or supplier'stechnical data.

(3) Technical data required to be delivered by a subcontractor or supplier shall normally be delivered to the nexthigher-tier contractor, subcontractor, or supplier. However, when there is a requirement in the prime contract for datawhich may be submitted with other than unlimited rights by a subcontractor or supplier, then said subcontractor orsupplier may fulfill its requirement by submitting such data directly to the Government, rather than through ahigher-tier contractor, subcontractor, or supplier.

(4) The Contractor and higher-tier subcontractors or suppliers shall not use their power to award contracts aseconomic leverage to obtain rights in technical data from their subcontractors or suppliers.

(5) In no event shall the Contractor use its obligation to recognize and protect subcontractor or supplier rights intechnical data as an excuse for failing to satisfy its contractual obligation to the Government.

(End of clause)

ALTERNATE I (JUN 1995) add the following paragraph (l) to the basic clause:

(l) Publication for sale.

(1) This paragraph only applies to technical data in which the Government has obtained unlimited rights or a licenseto make an unrestricted release of technical data.

(2) The Government shall not publish a deliverable technical data item or items identified in this contract as beingsubject to paragraph (l) of this clause or authorize others to publish such data on its behalf if, prior to publication forsale by the Government and within twenty-four (24) months following the date specified in this contract for delivery

CONTRACT NO.



24 PAGE

109 of 123 FINAL


of such data or the removal of any national security or export control restrictions, whichever is later, the Contractorpublishes that item or items for sale and promptly notifies the Contracting Officer of such publication(s). Any suchpublication shall include a notice identifying the number of this contract and the Government's rights in thepublished data.

(3) This limitation on the Government's right to publish for sale shall continue as long as the data are reasonablyavailable to the public for purchase.

ALTERNATE II (MAR 2011) add the following paragraphs (a)(17) and (b)(7) to the basic clause:

(a)(17) "Vessel design" means the design of a vessel, boat, or craft, and its

components, including the hull, decks, superstructure, and the exterior surface

shape of all external shipboard equipment and systems. The term includes designs covered by 10 U.S.C. 7317, anddesigns protectable under 17 U.S.C. 1301, et seq.

(b)(7) Vessel designs. For a vessel design (including a vessel design embodied in a useful article) that is developedor delivered under this contract, the Government shall have the right to make and have made any useful article thatembodies the vessel design, to import the article, to sell the article, and to distribute the article for sale or to use thearticle in trade, to the same extent that the Government is granted rights in the technical data pertaining to the vesseldesign

252.227-7014 RIGHTS IN NONCOMMERCIAL COMPUTER SOFTWARE AND NONCOMMERCIALCOMPUTER SOFTWARE DOCUMENTATION (FEB 2014)


(1) “Commercial computer software” means software developed or regularly used for non-governmental purposeswhich—

(i) Has been sold, leased, or licensed to the public;

(ii) Has been offered for sale, lease, or license to the public;

(iii) Has not been offered, sold, leased, or licensed to the public but will be available for commercial sale, lease,or license in time to satisfy the delivery requirements of this contract; or

(iv) Satisfies a criterion expressed in paragraph (a)(1)(i), (ii), or (iii) of this clause and would require only minormodification to meet the requirements of this contract.

(2) “Computer database” means a collection of recorded data in a form capable of being processed by a computer.The term does not include computer software.

(3) “Computer program” means a set of instructions, rules, or routines, recorded in a form that is capable of causinga computer to perform a specific operation or series of operations.

(4) “Computer software” means computer programs, source code, source code listings, object code listings, designdetails, algorithms, processes, flow charts, formulae, and related material that would enable the software to bereproduced, recreated, or recompiled. Computer software does not include computer databases or computer softwaredocumentation.

(5) “Computer software documentation” means owner's manuals, user's manuals, installation instructions, operatinginstructions, and other similar items, regardless of storage medium, that explain the capabilities of the computersoftware or provide instructions for using the software.

(6) "Covered Government support contractor" means a contractor (other than a litigation support contractor coveredby 252.204-7014) under a contract, the primary purpose of which is to furnish independent and impartial advice ortechnical assistance directly to the Government in support of the Government’s management and oversight of aprogram or effort (rather than to directly furnish an end item or service to accomplish a program or effort), providedthat the contractor—

(i) Is not affiliated with the prime contractor or a first-tier subcontractor on the program or effort, or with any

CONTRACT NO.



24 PAGE

110 of 123 FINAL


direct competitor of such prime contractor or any such first-tier subcontractor in furnishing end items or services ofthe type developed or produced on the program or effort; and

(ii) Receives access to technical data or computer software for performance of a Government contract that containsthe clause at 252.227-7025, Limitations on the Use or Disclosure of Government-Furnished Information Markedwith Restrictive Legends.

(7) “Developed” means that—

(i) A computer program has been successfully operated in a computer and tested to the extent sufficient todemonstrate to reasonable persons skilled in the art that the program can reasonably be expected to perform itsintended purpose;

(ii) Computer software, other than computer programs, has been tested or analyzed to the extent sufficient todemonstrate to reasonable persons skilled in the art that the software can reasonably be expected to perform itsintended purpose; or

(iii) Computer software documentation required to be delivered under a contract has been written, in any medium,in sufficient detail to comply with requirements under that contract.

(8) “Developed exclusively at private expense” means development was accomplished entirely with costs charged toindirect cost pools, costs not allocated to a government contract, or any combination thereof.

(i) Private expense determinations should be made at the lowest practicable level.

(ii) Under fixed-price contracts, when total costs are greater than the firm-fixed-price or ceiling price of thecontract, the additional development costs necessary to complete development shall not be considered whendetermining whether development was at government, private, or mixed expense.

(9) “Developed exclusively with government funds” means development was not accomplished exclusively orpartially at private expense.

(10) “Developed with mixed funding” means development was accomplished partially with costs charged to indirectcost pools and/or costs not allocated to a government contract, and partially with costs charged directly to agovernment contract.

(11) “Government purpose” means any activity in which the United States Government is a party, includingcooperative agreements with international or multi-national defense organizations or sales or transfers by the UnitedStates Government to foreign governments or international organizations. Government purposes include competitiveprocurement, but do not include the rights to use, modify, reproduce, release, perform, display, or disclose computersoftware or computer software documentation for commercial purposes or authorize others to do so.

(12) “Government purpose rights” means the rights to—

(i) Use, modify, reproduce, release, perform, display, or disclose computer software or computer softwaredocumentation within the Government without restriction; and

(ii) Release or disclose computer software or computer software documentation outside the Government andauthorize persons to whom release or disclosure has been made to use, modify, reproduce, release, perform, display,or disclose the software or documentation for United States government purposes.

(13) “Minor modification” means a modification that does not significantly alter the nongovernmental function orpurpose of the software or is of the type customarily provided in the commercial marketplace.

(14) “Noncommercial computer software” means software that does not qualify as commercial computer softwareunder paragraph (a)(1) of this clause.

(15) “Restricted rights” apply only to noncommercial computer software and mean the Government's rights to—

(i) Use a computer program with one computer at one time. The program may not be accessed by more than oneterminal or central processing unit or time shared unless otherwise permitted by this contract;

(ii) Transfer a computer program to another Government agency without the further permission of the Contractor

CONTRACT NO.



24 PAGE

111 of 123 FINAL


if the transferor destroys all copies of the program and related computer software documentation in its possession andnotifies the licensor of the transfer. Transferred programs remain subject to the provisions of this clause;

(iii) Make the minimum number of copies of the computer software required for safekeeping (archive), backup, ormodification purposes;

(iv) Modify computer software provided that the Government may—

(A) Use the modified software only as provided in paragraphs (a)(15)(i) and (iii) of this clause; and

(B) Not release or disclose the modified software except as provided in paragraphs (a)(15)(ii), (v), (vi) and (vii)of this clause;

(v) Permit contractors or subcontractors performing service contracts (see 37.101 of the Federal AcquisitionRegulation) in support of this or a related contract to use computer software to diagnose and correct deficiencies in acomputer program, to modify computer software to enable a computer program to be combined with, adapted to, ormerged with other computer programs or when necessary to respond to urgent tactical situations, provided that—

(A) The Government notifies the party which has granted restricted rights that a release or disclosure toparticular contractors or subcontractors was made;

(B) Such contractors or subcontractors are subject to the use and non-disclosure agreement at 227.7103-7 ofthe Defense Federal Acquisition Regulation Supplement (DFARS) or are Government contractors receiving access tothe software for performance of a Government contract that contains the clause at DFARS 252.227-7025, Limitationson the Use or Disclosure of Government-Furnished Information Marked with Restrictive Legends;

(C) The Government shall not permit the recipient to decompile, disassemble, or reverse engineer thesoftware, or use software decompiled, disassembled, or reverse engineered by the Government pursuant to paragraph(a)(15)(iv) of this clause, for any other purpose; and

(D) Such use is subject to the limitations in paragraphs (a)(15)(i) through (iii) of this clause;

(vi) Permit contractors or subcontractors performing emergency repairs or overhaul of items or components ofitems procured under this or a related contract to use the computer software when necessary to perform the repairs oroverhaul, or to modify the computer software to reflect the repairs or overhaul made, provided that—

(A) The intended recipient is subject to the use and non-disclosure agreement at DFARS 227.7103-7 oris a Government contractor receiving access to the software for performance of a Government contract that containsthe clause at DFARS 252.227-7025, Limitations on the Use or Disclosure of Government-Furnished InformationMarked with Restrictive Legends;

(B) The Government shall not permit the recipient to decompile, disassemble, or reverse engineer thesoftware, or use software decompiled, disassembled, or reverse engineered by the Government pursuant to paragraph(a)(15)(iv) of this clause, for any other purpose; and

(C) Such use is subject to the limitations in paragraphs (a)(15)(i) through (iii) of this clause; and

(vii) Permit covered Government support contractors in the performance of covered Government support contractsthat contain the clause at 252.227-7025, Limitations on the Use or Disclosure of Government-Furnished InformationMarked with Restrictive Legends, to use, modify, reproduce, perform, display, or release or disclose the computersoftware to a person authorized to receive restricted rights computer software, provided that—

(A) The Government shall not permit the covered Government support contractor to decompile, disassemble,or reverse engineer the software, or use software decompiled, disassembled, or reverse engineered by the Governmentpursuant to paragraph (a)(15)(iv) of this clause, for any other purpose; and

(B) Such use is subject to the limitations in paragraphs (a)(15)(i) through (iv) of this clause.

(16) “Unlimited rights” means rights to use, modify, reproduce, release, perform, display, or disclose computersoftware or computer software documentation in whole or in part, in any manner and for any purpose whatsoever,and to have or authorize others to do so.

(b) Rights in computer software or computer software documentation. The Contractor grants or shall obtain for the

CONTRACT NO.



24 PAGE

112 of 123 FINAL






Government the following royalty free, world-wide, nonexclusive, irrevocable license rights in noncommercialcomputer software or computer software documentation. All rights not granted to the Government are retained by theContractor.

(1) Unlimited rights. The Government shall have unlimited rights in—

(i) Computer software developed exclusively with Government funds;

(ii) Computer software documentation required to be delivered under this contract;

(iii) Corrections or changes to computer software or computer software documentation furnished to the Contractorby the Government;

(iv) Computer software or computer software documentation that is otherwise publicly available or has beenreleased or disclosed by the Contractor or subcontractor without restriction on further use, release or disclosure, otherthan a release or disclosure resulting from the sale, transfer, or other assignment of interest in the software to anotherparty or the sale or transfer of some or all of a business entity or its assets to another party;

(v) Computer software or computer software documentation obtained with unlimited rights under anotherGovernment contract or as a result of negotiations; or

(vi) Computer software or computer software documentation furnished to the Government, under this or any otherGovernment contract or subcontract thereunder with—

(A) Restricted rights in computer software, limited rights in technical data, or government purpose license rights andthe restrictive conditions have expired; or

(B) Government purpose rights and the Contractor's exclusive right to use such software or documentation forcommercial purposes has expired.

(2) Government purpose rights.

(i) Except as provided in paragraph (b)(1) of this clause, the Government shall have government purpose rights incomputer software developed with mixed funding.

(ii) Government purpose rights shall remain in effect for a period of five years unless a different period has beennegotiated. Upon expiration of the five-year or other negotiated period, the Government shall have unlimited rightsin the computer software or computer software documentation. The government purpose rights period shallcommence upon execution of the contract, subcontract, letter contract (or similar contractual instrument), contractmodification, or option exercise that required development of the computer software.

(iii) The Government shall not release or disclose computer software in which it has government purpose rights toany other person unless—

(A) Prior to release or disclosure, the intended recipient is subject to the use and non-disclosure agreement atDFARS 227.7103-7; or

(B) The recipient is a Government contractor receiving access to the software or documentation for performance of aGovernment contract that contains the clause at DFARS 252.227-7025, Limitations on the Use or Disclosure ofGovernment Furnished Information Marked with Restrictive Legends.

(3) Restricted rights.

(i) The Government shall have restricted rights in noncommercial computer software required to be delivered orotherwise provided to the Government under this contract that were developed exclusively at private expense.

(ii) The Contractor, its subcontractors, or suppliers are not required to provide the Government additional rightsin noncommercial computer software delivered or otherwise provided to the Government with restricted rights.However, if the Government desires to obtain additional rights in such software, the Contractor agrees to promptlyenter into negotiations with the Contracting Officer to determine whether there are acceptable terms for transferringsuch rights. All noncommercial computer software in which the Contractor has granted the Government additionalrights shall be listed or described in a license agreement made part of the contract (see paragraph (b)(4) of thisclause). The license shall enumerate the additional rights granted the Government.

CONTRACT NO.



24 PAGE

113 of 123 FINAL



(iii) The Contractor acknowledges that—

(A) Restricted rights computer software is authorized to be released or disclosed to covered Government supportcontractors;

(B) The Contractor will be notified of such release or disclosure;

(C) The Contractor (or the party asserting restrictions, as identified in the restricted rights legend) may require eachsuch covered Government support contractor to enter into a non-disclosure agreement directly with the Contractor(or the party asserting restrictions) regarding the covered Government support contractor’s use of such software, oralternatively, that the Contractor (or party asserting restrictions) may waive in writing the requirement for anon-disclosure agreement; and

(D) Any such non-disclosure agreement shall address the restrictions on the covered Government support contractor'suse of the restricted rights software as set forth in the clause at 252.227-7025, Limitations on the Use or Disclosureof Government-Furnished Information Marked with Restrictive Legends. The non-disclosure agreement shall notinclude any additional terms and conditions unless mutually agreed to by the parties to the non-disclosureagreement.

(4) Specifically negotiated license rights.

(i) The standard license rights granted to the Government under paragraphs (b)(1) through (b)(3) of this clause,including the period during which the Government shall have government purpose rights in computer software, maybe modified by mutual agreement to provide such rights as the parties consider appropriate but shall not provide theGovernment lesser rights in computer software than are enumerated in paragraph (a)(15) of this clause or lesser rightsin computer software documentation than are enumerated in paragraph (a)(14) of the Rights in Technical Data--Noncommercial Items clause of this contract.

(ii) Any rights so negotiated shall be identified in a license agreement made part of this contract.

(5) Prior government rights. Computer software or computer software documentation that will be delivered,furnished, or otherwise provided to the Government under this contract, in which the Government has previouslyobtained rights shall be delivered, furnished, or provided with the pre-existing rights, unless—

(i) The parties have agreed otherwise; or

(ii) Any restrictions on the Government's rights to use, modify, reproduce, release, perform, display, or disclosethe data have expired or no longer apply.

(6) Release from liability. The Contractor agrees to release the Government from liability for any release ordisclosure of computer software made in accordance with paragraph (a)(15) or (b)(2)(iii) of this clause, in accordancewith the terms of a license negotiated under paragraph (b)(4) of this clause, or by others to whom the recipient hasreleased or disclosed the software, and to seek relief solely from the party who has improperly used, modified,reproduced, released, performed, displayed, or disclosed Contractor software marked with restrictive legends.

(c) Rights in derivative computer software or computer software documentation. The Government shall retain itsrights in the unchanged portions of any computer software or computer software documentation delivered under thiscontract that the Contractor uses to prepare, or includes in, derivative computer software or computer softwaredocumentation.

(d) Third party copyrighted computer software or computer software documentation. The Contractor shall not,without the written approval of the Contracting Officer, incorporate any copyrighted computer software or computersoftware documentation in the software or documentation to be delivered under this contract unless the Contractor isthe copyright owner or has obtained for the Government the license rights necessary to perfect a license or licenses inthe deliverable software or documentation of the appropriate scope set forth in paragraph (b) of this clause, and priorto delivery of such—

(1) Computer software, has provided a statement of the license rights obtained in a form acceptable to theContracting Officer; or (2) Computer software documentation, has affixed to the transmittal document a statement ofthe license rights obtained.

(e) Identification and delivery of computer software and computer software documentation to be furnished with

CONTRACT NO.



24 PAGE

114 of 123 FINAL


restrictions on use, release, or disclosure.

(1) This paragraph does not apply to restrictions based solely on copyright.

(2) Except as provided in paragraph (e)(3) of this clause, computer software that the Contractor asserts should befurnished to the Government with restrictions on use, release, or disclosure is identified in an attachment to thiscontract (the Attachment). The Contractor shall not deliver any software with restrictive markings unless thesoftware is listed on the Attachment.

(3) In addition to the assertions made in the Attachment, other assertions may be identified after award when basedon new information or inadvertent omissions unless the inadvertent omissions would have materially affected thesource selection decision. Such identification and assertion shall be submitted to the Contracting Officer as soon aspracticable prior to the scheduled date for delivery of the software, in the following format, and signed by an officialauthorized to contractually obligate the Contractor:

Identification and Assertion of Restrictions on the Government's Use, Release, or Disclosure of Computer Software.

The Contractor asserts for itself, or the persons identified below, that the Government's rights to use, release, ordisclose the following computer software should be restricted:

Computer Software Name of Person

to be Furnished Basis for Asserted Rights Asserting

With Restrictions* Assertion** Category*** Restrictions****

(LIST) (LIST) (LIST) (LIST)

*Generally, development at private expense, either exclusively or partially, is the only basis for asserting restrictionson the Government's rights to use, release, or disclose computer software.

**Indicate whether development was exclusively or partially at private expense. If development was not at privateexpense, enter the specific reason for asserting that the Government's rights should be restricted.

***Enter asserted rights category (e.g., restricted or government purpose rights in computer software, governmentpurpose license rights from a prior contract, rights in SBIR software generated under another contract, or specificallynegotiated licenses).

****Corporation, individual, or other person, as appropriate.

Date ______________________________

Printed Name and Title ______________________________

______________________________

Signature ______________________________

(End of identification and assertion)

(4) When requested by the Contracting Officer, the Contractor shall provide sufficient information to enable theContracting Officer to evaluate the Contractor's assertions. The Contracting Officer reserves the right to add theContractor's assertions to the Attachment and validate any listed assertion, at a later date, in accordance with theprocedures of the Validation of Asserted Restrictions—Computer Software clause of this contract.

(f) Marking requirements. The Contractor, and its subcontractors or suppliers, may only assert restrictions on theGovernment's rights to use, modify, reproduce, release, perform, display, or disclose computer software by markingthe deliverable software or documentation subject to restriction. Except as provided in paragraph (f)(5) of this clause,only the following legends are authorized under this contract: the government purpose rights legend at paragraph(f)(2) of this clause; the restricted rights legend at paragraph (f)(3) of this clause; or the special license rights legend atparagraph (f)(4) of this clause; and/or a notice of copyright as prescribed under 17 U.S.C. 401 or 402.

(1) General marking instructions. The Contractor, or its subcontractors or suppliers, shall conspicuously andlegibly mark the appropriate legend on all computer software that qualify for such markings. The authorized legendsshall be placed on the transmittal document or software storage container and each page, or portions thereof, of

CONTRACT NO.



24 PAGE

115 of 123 FINAL

printed material containing computer software for which restrictions are asserted. Computer software transmitteddirectly from one computer or computer terminal to another shall contain a notice of asserted restrictions. However,instructions that interfere with or delay the operation of computer software in order to display a restrictive rightslegend or other license statement at any time prior to or during use of the computer software, or otherwise cause suchinterference or delay, shall not be inserted in software that will or might be used in combat or situations thatsimulate combat conditions, unless the Contracting Officer's written permission to deliver such software has beenobtained prior to delivery. Reproductions of computer software or any portions thereof subject to assertedrestrictions, shall also reproduce the asserted restrictions.

(2) Government purpose rights markings. Computer software delivered or otherwise furnished to the Governmentwith government purpose rights shall be marked as follows:

GOVERNMENT PURPOSE RIGHTS

Contract No.

Contractor Name

Contractor Address

Expiration Date

The Government's rights to use, modify, reproduce, release, perform, display, or disclose this software are restrictedby paragraph (b)(2) of the Rights in Noncommercial Computer Software and Noncommercial Computer SoftwareDocumentation clause contained in the above identified contract. No restrictions apply after the expiration dateshown above. Any reproduction of the software or portions thereof marked with this legend must also reproduce themarkings.

(End of legend)

(3) Restricted rights markings. Software delivered or otherwise furnished to the Government with restricted rightsshall be marked with the following legend:

RESTRICTED RIGHTS

Contract No.

Contractor Name

Contractor Address

The Government's rights to use, modify, reproduce, release, perform, display, or disclose this software are restrictedby paragraph (b)(3) of the Rights in Noncommercial Computer Software and Noncommercial Computer SoftwareDocumentation clause contained in the above identified contract. Any reproduction of computer software or portionsthereof marked with this legend must also reproduce the markings. Any person, other than the Government, who hasbeen provided access to such software must promptly notify the above named Contractor.

(End of legend)

(4) Special license rights markings.

(i) Computer software or computer software documentation in which the Government's rights stem from aspecifically negotiated license shall be marked with the following legend:

SPECIAL LICENSE RIGHTS

The Government's rights to use, modify, reproduce, release, perform, display, ordisclose these data are restricted by Contract No. _____(Insert contractnumber)____, License No. ____(Insert license identifier)____. Any reproduction ofcomputer software, computer software documentation, or portions thereof markedwith this legend must also reproduce the markings.

CONTRACT NO.



24 PAGE

116 of 123 FINAL

(End of legend)

(ii) For purposes of this clause, special licenses do not include government purpose license rights acquired undera prior contract (see paragraph (b)(5) of this clause).

(5) Pre-existing markings. If the terms of a prior contract or license permitted the Contractor to restrict theGovernment's rights to use, modify, release, perform, display, or disclose computer software or computer softwaredocumentation and those restrictions are still applicable, the Contractor may mark such software or documentationwith the appropriate restrictive legend for which the software qualified under the prior contract or license. Themarking procedures in paragraph (f)(1) of this clause shall be followed.

(g) Contractor procedures and records. Throughout performance of this contract, the Contractor and itssubcontractors or suppliers that will deliver computer software or computer software documentation with other thanunlimited rights, shall—

(1) Have, maintain, and follow written procedures sufficient to assure that restrictive markings are used only whenauthorized by the terms of this clause; and

(2) Maintain records sufficient to justify the validity of any restrictive markings on computer software or computersoftware documentation delivered under this contract.

(h) Removal of unjustified and nonconforming markings.

(1) Unjustified computer software or computer software documentation markings. The rights and obligations of theparties regarding the validation of restrictive markings on computer software or computer software documentationfurnished or to be furnished under this contract are contained in the Validation of Asserted Restrictions--ComputerSoftware and the Validation of Restrictive Markings on Technical Data clauses of this contract, respectively.Notwithstanding any provision of this contract concerning inspection and acceptance, the Government may ignoreor, at the Contractor's expense, correct or strike a marking if, in accordance with the procedures of those clauses, arestrictive marking is determined to be unjustified.

(2) Nonconforming computer software or computer software documentation markings. A nonconforming markingis a marking placed on computer software or computer software documentation delivered or otherwise furnished tothe Government under this contract that is not in the format authorized by this contract. Correction ofnonconforming markings is not subject to the Validation of Asserted Restrictions--Computer Software or theValidation of Restrictive Markings on Technical Data clause of this contract. If the Contracting Officer notifies theContractor of a nonconforming marking or markings and the Contractor fails to remove or correct such markingswithin sixty (60) days, the Government may ignore or, at the Contractor's expense, remove or correct anynonconforming markings.

(i) Relation to patents. Nothing contained in this clause shall imply a license to the Government under any patentor be construed as affecting the scope of any license or other right otherwise granted to the Government under anypatent.

(j) Limitation on charges for rights in computer software or computer software documentation.

(1) The Contractor shall not charge to this contract any cost, including but not limited to license fees, royalties, orsimilar charges, for rights in computer software or computer software documentation to be delivered under thiscontract when—

(i) The Government has acquired, by any means, the same or greater rights in the software or documentation; or

(ii) The software or documentation are available to the public without restrictions.

(2) The limitation in paragraph (j)(1) of this clause—

(i) Includes costs charged by a subcontractor or supplier, at any tier, or costs incurred by the Contractor to acquirerights in subcontractor or supplier computer software or computer software documentation, if the subcontractor orsupplier has been paid for such rights under any other Government contract or under a license conveying the rightsto the Government; and

(ii) Does not include the reasonable costs of reproducing, handling, or mailing the documents or other media in

CONTRACT NO.



24 PAGE

117 of 123 FINAL

which the software or documentation will be delivered.

(k) Applicability to subcontractors or suppliers.

(1) Whenever any noncommercial computer software or computer software documentation is to be obtained from asubcontractor or supplier for delivery to the Government under this contract, the Contractor shall use this sameclause in its subcontracts or other contractual instruments, and require its subcontractors or suppliers to do so,without alteration, except to identify the parties. No other clause shall be used to enlarge or diminish theGovernment's, the Contractor's, or a higher tier subcontractor's or supplier's rights in a subcontractor's or supplier'scomputer software or computer software documentation.

(2) The Contractor and higher tier subcontractors or suppliers shall not use their power to award contracts aseconomic leverage to obtain rights in computer software or computer software documentation from theirsubcontractors or suppliers.

(3) The Contractor shall ensure that subcontractor or supplier rights are recognized and protected in theidentification, assertion, and delivery processes required by paragraph (e) of this clause.

(4) In no event shall the Contractor use its obligation to recognize and protect subcontractor or supplier rights incomputer software or computer software documentation as an excuse for failing to satisfy its contractual obligation tothe Government.

(End of clause)

ALTERNATE I (JUN 1995) add the following paragraph (l) to the basic clause:

(l) Publication for sale.

(1) This paragraph only applies to computer software or computer software documentation in which the Governmenthas obtained unlimited rights or a license to make an unrestricted release of the software or documentation.

(2) The Government shall not publish a deliverable item or items of computer software or computer softwaredocumentation identified in this contract as being subject to paragraph (l) of this clause or authorize others topublish such software or documentation on its behalf if, prior to publication for sale by the Government and withintwenty-four (24) months following the date specified in this contract for delivery of such software or documentation,or the removal of any national security or export control restrictions, whichever is later, the Contractor publishesthat item or items for sale and promptly notifies the Contracting Officer of such publication(s). Any such publicationshall include a notice identifying the number of this contract and the Government's rights in the published softwareor documentation.

(3) This limitation on the Government's right to publish for sale shall continue as long as the software ordocumentation are reasonably available to the public for purchase.

252.239-7000 PROTECTION AGAINST COMPROMISING EMANATIONS (JUN 2004)

(a) The Contractor shall provide or use only information technology, as specified by the Government, that has beenaccredited to meet the appropriate information assurance requirements of—

(1) The National Security Agency National TEMPEST Standards (NACSEM No. 5100 or NACSEM No.5100A, Compromising Emanations Laboratory Test Standard, Electromagnetics (U)); or

(2) Other standards specified by this contract, including the date through which the required accreditation iscurrent or valid for the contract.

(b) Upon request of the Contracting Officer, the Contractor shall provide documentation supporting the accreditation.

(c) The Government may, as part of its inspection and acceptance, conduct additional tests to ensure that informationtechnology delivered under this contract satisfies the information assurance standards specified. The Governmentmay conduct additional tests—

CONTRACT NO.



24 PAGE

118 of 123 FINAL

(1) At the installation site or contractor's facility; and

(2) Notwithstanding the existence of valid accreditations of information technology prior to the award of thiscontract.

(d) Unless otherwise provided in this contract under the Warranty of Supplies or Warranty of Systems andEquipment clause, the Contractor shall correct or replace accepted information technology found to be deficientwithin 1 year after proper installations.

(1) The correction or replacement shall be at no cost to the Government.

(2) Should a modification to the delivered information technology be made by the Contractor, the 1-year periodapplies to the modification upon its proper installation.

(3) This paragraph (d) applies regardless of f.o.b. point or the point of acceptance of the deficient informationtechnology.

CONTRACT NO.



24 PAGE

119 of 123 FINAL

SECTION J LIST OF ATTACHMENTS

Exhibit B OPNAVIST 5239.1C Navy Information Assurance (IA) Program

Exhibit B DoN CIO Memo 02-10: IA Policy Update for Platform Information Technology (PIT)

Exhibit B NAVSEA CIO, PIT C&A Business Rules (Afloat)

Exhibit B NAVSEA CIO, PIT C&A Business Rules (Non-Afloat)

Exhibit B NAVSEAINST 9400.2 Implementation of NAVSEA Afloat Information Assurance

Exhibit B NAVSEAINST 9400.2-M NAVSEA Afloat IA Implementation Manual

Exhibit B DoD 8570.01-M, or successor : IA Workforce Improvement Program

Exhibit B NIST SP 800-30 REV 1, Guide for Conducting Risk Assessments

Exhibit B NIST SP 800-34 Rev 1, Contingency Planning Guide for Federal Information Systems

Exhibit B NIST SP 800-53 Rev 4, Security and Privacy Controls for Federal Information Systems andOrganizations

Exhibit B DoDI 8500.01, Cybersecurity

Exhibit B DoDI 8510.01, Risk Managment Framework (RFM) for DoD IT

Exhibit B SPAWAR Memo, Qualification Standards and Registration Procedures for Navy Validators

Exhibit B CJCSI 6510.01F, Information Assurance (IA) and Support to Computer Network Defense (CND)

Exhibit B CNSS 1253, Security Categorization and Control Selection for National Security Systems

Exhibit B PIT RISK Approval Supplemental Guidance V.2..1

Exhibit B Navy Qualified Validator Program

Exhibit B 8140.01 Cyber: Cyber Workforce Management

Attachment J.2: ACOR

Exhibit A - signed CDRLs

Attachment J.3 - COR Appointment Letter

Attachment J.4 - COR Appointment Letter_K. Bissett

Attachment J.1: DD254 Rev. 1 - Updated 5/19/17

Attachment J.1.1: DD254-SCI updated 8/12/16

HQ J-2-0002 STANDARD LANGUAGE FOR CONTRACTS

The following document(s), exhibit(s), and other attachment(s) form a part of this contract:

Attachment J.1 DD254

CONTRACT NO.



24 PAGE

120 of 123 FINAL

Attachment J.2: ACOR Appointment Letter

Attachment J.3: COR Appointment Letter

Attachment J.4: COR Appointment Letter - K. Bissett

Exhibit A CDRLs A001





























CONTRACT NO.



24 PAGE

121 of 123 FINAL








Exhibit B OPNAVIST 5239.1C Navy Information Assurance (IA) Program

Exhibit B DoN CIO Memo 02-10: IA Policy Update for Platform Information Technology (PIT)

Exhibit B NAVSEA CIO, PIT C&A Business Rules (Afloat)

Exhibit B NAVSEA CIO, PIT C&A Business Rules (Non-Afloat)

Exhibit B NAVSEAINST 9400.2 Implementation of NAVSEA Afloat Information Assurance

Exhibit B NAVSEAINST 9400.2-M NAVSEA Afloat IA Implementation Manual

Exhibit B DoD 8570.01-M, or successor : IA Workforce Improvement Program

Exhibit B NIST SP 800-30 REV 1, Guide for Conducting Risk Assessments

Exhibit B NIST SP 800-34 Rev 1, Contingency Planning Guide for Federal Information Systems

Exhibit B NIST SP 800-53 Rev 4, Security and Privacy Controls for Federal Information Systems and

Organizations

Exhibit B DoDI 8500.01, Cybersecurity

Exhibit B DoDI 8510.01, Risk Managment Framework (RFM) for DoD IT

Exhibit B SPAWAR Memo, Qualification Standards and Registration Procedures for Navy Validators

Exhibit B CJCSI 6510.01F, Information Assurance (IA) and Support to Computer Network Defense (CND)

Exhibit B CNSS 1253, Security Categorization and Control Selection for National Security Systems

Exhibit B PIT RISK Approval Supplemental Guidance V.2..1

Exhibit B Navy Qualified Validator Program

Exhibit B 8140.01 Cyber: Cyber Workforce Management

Distro List:

[email protected]

[email protected]

[email protected]

[email protected] - CLIN/SLIN: 7001/DS

CONTRACT NO.



24 PAGE

122 of 123 FINAL





[email protected] - CLIN/SLIN: 7001/DT

[email protected] - CLIN/SLIN: 7001/DZ

CONTRACT NO.



24 PAGE

123 of 123 FINAL

