On Site Secured Document Shredding
Department of the Army, Army Contracting Command | Published April 8, 2016 - Deadline April 10, 2016
(42) (i) 52.225-3, Buy American--Free Trade Agreements--Israeli Trade Act (May 2014) (41U.S.C. chapter 83, 19 U.S.C. 3301 note, 19 U.S.C. 2112 note, 19 U.S.C. 3805 note, 19 U.S.C. 4001 note, Pub. L. 103-182, 108-77, 108-78, 108-286, 108-302, 109-53, 109-169, 109-283, 110- 138, 112-41, 112-42, and 112-43).
(ii) Alternate I (May 2014) of 52.225-3.
(iii) Alternate II (May 2014) of 52.225-3.
(iv) Alternate III (May 2014) of 52.225-3.
(43) 52.225-5, Trade Agreements (Nov 2013) (19 U.S.C. 2501, et seq., 19 U.S.C. 3301 note).
_X (44) 52.225-13, Restrictions on Certain Foreign Purchases (Jun 2008) (E.O.'s, proclamations, and statutes administered by the Office of Foreign Assets Control of the Department of the Treasury).
(45) 52.225-26, Contractors Performing Private Security Functions Outside the United States (Jul 2013) (Section 862, as amended, of the National Defense Authorization Act for Fiscal Year 2008; 10 U.S.C. 2302 Note).
(46) 52.226-4, Notice of Disaster or Emergency Area Set-Aside (Nov 2007) (42 U.S.C. 5150).
(47) 52.226-5, Restrictions on Subcontracting Outside Disaster or Emergency Area (Nov 2007) (42 U.S.C. 5150).
(48) 52.232-29, Terms for Financing of Purchases of Commercial Items (Feb 2002) (41 U.S.C. 4505), 10 U.S.C. 2307(f)).
(49) 52.232-30, Installment Payments for Commercial Items (Oct 1995) (41 U.S.C. 4505, 10U.S.C. 2307(f)).
_X (50) 52.232-33, Payment by Electronic Funds Transfer- System for Award Management (Jul 2013) (31 U.S.C. 3332).
(51) 52.232-34, Payment by Electronic Funds Transfer-Other Than System for Award Management (Jul 2013) (31 U.S.C. 3332).
(52) 52.232-36, Payment by Third Party (May 2014) (31 U.S.C. 3332).
(53) 52.239-1, Privacy or Security Safeguards (Aug 1996) (5 U.S.C. 552a).
(54) (i) 52.247-64, Preference for Privately Owned U.S.-Flag Commercial Vessels (Feb 2006) (46 U.S.C. Appx 1241(b) and 10 U.S.C. 2631).
(ii) Alternate I (Apr 2003) of 52.247-64.
(c) The Contractor shall comply with the FAR clauses in this paragraph (c), applicable to commercial services, that the Contracting Officer has indicated as being incorporated in this contract by reference to implement provisions of law or executive orders applicable to acquisitions of commercial items:
[Contracting Officer check as appropriate.]
(1) 52.222-17, Nondisplacement of Qualified Workers (May 2014) (E.O. 13495)
_X (2) 52.222-41, Service Contract Labor Standards (May 2014) (41 U.S.C. chapter 67.).
_X (3) 52.222-42, Statement of Equivalent Rates for Federal Hires (May 2014) (29 U.S.C. 206 and 41 U.S.C. chapter 67).
_X (4) 52.222-43, Fair Labor Standards Act and Service Contract Labor Standards -- Price Adjustment (Multiple Year and Option Contracts) (May 2014) (29 U.S.C.206 and 41 U.S.C. chapter 67).
_X (5) 52.222-44, Fair Labor Standards Act and Service Contract Labor Standards -- Price Adjustment (May 2014) (29 U.S.C. 206 and 41 U.S.C. chapter 67).
(6) 52.222-51, Exemption from Application of the Service Contract Labor Standards to Contracts for Maintenance, Calibration, or Repair of Certain Equipment--Requirements (May 2014) (41 U.S.C. chapter 67).
(7) 52.222-53, Exemption from Application of the Service Contract Labor Standards to Contracts for Certain Services--Requirements (May 2014) (41 U.S.C. chapter 67).
_X (8) 52.222-55, Minimum Wages Under Executive Order 13658 (Dec 2014) (E.O. 13658).
(9) 52.226-6, Promoting Excess Food Donation to Nonprofit Organizations. (May 2014) (42U.S.C. 1792).
(10) 52.237-11, Accepting and Dispensing of $1 Coin (Sep 2008) (31 U.S.C. 5112(p)(1)).
(d) Comptroller General Examination of Record The Contractor shall comply with the provisions of this paragraph (d) if this contract was awarded using other than sealed bid, is in excess of the simplified acquisition threshold, and does not contain the clause at 52.215-2, Audit and Records -- Negotiation.
(1) The Comptroller General of the United States, or an authorized representative of the Comptroller General, shall have access to and right to examine any of the Contractor's directly pertinent records involving transactions related to this contract.
(2) The Contractor shall make available at its offices at all reasonable times the records, materials, and other evidence for examination, audit, or reproduction, until 3 years after final payment under this contract or for any shorter period specified in FAR Subpart 4.7, Contractor Records Retention, of the other clauses of this contract. If this contract is completely or partially terminated, the records relating to the work terminated shall be made available for 3 years after any resulting final termination settlement. Records relating to appeals under the disputes clause or to litigation or the settlement of claims arising under or relating to this contract shall be made available until such appeals, litigation, or claims are finally resolved.
(3) As used in this clause, records include books, documents, accounting procedures and practices, and other data, regardless of type and regardless of form. This does not require the Contractor to create or maintain any record that the Contractor does not maintain in the ordinary course of business or pursuant to a provision of law.
(e)(1) Notwithstanding the requirements of the clauses in paragraphs (a), (b), (c) and (d) of this clause, the Contractor is not required to flow down any FAR clause, other than those in this paragraph (e)(1) in a subcontract for commercial items. Unless otherwise indicated below, the extent of the flow down shall be as required by the clause-
(i) 52.203-13, Contractor Code of Business Ethics and Conduct (Apr 2010) (41 U.S.C. 3509).
(ii) 52.219-8, Utilization of Small Business Concerns (Oct 2014) (15 U.S.C. 637(d)(2) and (3)), in all subcontracts that offer further subcontracting opportunities. If the subcontract (except subcontracts to small business concerns) exceeds $650,000 ($1.5 million for construction of any public facility), the subcontractor must include 52.219-8 in lower tier subcontracts that offer subcontracting opportunities.
(iii) 52.222-17, Nondisplacement of Qualified Workers (May 2014) (E.O. 13495). Flow down required in accordance with paragraph (1) of FAR clause 52.222-17.
(iv) 52.222-21, Prohibition of Segregated Facilities (Apr 2015). (v) 52.222-26, Equal Opportunity (Apr 2015) (E.O. 11246).
(vi) 52.222-35, Equal Opportunity for Veterans (Jul 2014) (38 U.S.C. 4212).
(vii) 52.222-36, Equal Opportunity for Workers with Disabilities (Jul 2014) (29 U.S.C. 793).
(viii) 52.222-37, Employment Reports on Veterans (Jul 2014) (38 U.S.C. 4212).
(ix) 52.222-40, Notification of Employee Rights Under the National Labor Relations Act (Dec 2010) (E.O. 13496). Flow down required in accordance with paragraph (f) of FAR clause 52.222-40.
(x) 52.222-41, Service Contract Labor Standards (May 2014), (41 U.S.C. chapter 67).
(xi) (A) 52.222-50, Combating Trafficking in Persons (Mar 2015) (22 U.S.C. chapter 78 and E.O. 13627).
(B) Alternate I (Mar 2015) of 52.222-50 (22 U.S.C. chapter 78 E.O. 13627).
(xii) 52.222-51, Exemption from Application of the Service Contract Labor Standards to Contracts for Maintenance, Calibration, or Repair of Certain Equipment--Requirements (May 2014) (41 U.S.C. chapter 67.)
(xiii) 52.222-53, Exemption from Application of the Service Contract Labor Standards to Contracts for Certain Services--Requirements (May 2014) (41 U.S.C. chapter 67)
(xiv) 52.222-54, Employment Eligibility Verification (Aug 2013).
(xv) 52.222-55, Minimum Wages Under Executive Order 13658 (Dec 2014) (E.O. 13658).
(xvi) 52.225-26, Contractors Performing Private Security Functions Outside the United States (Jul 2013) (Section 862, as amended, of the National Defense Authorization Act for Fiscal Year 2008; 10 U.S.C. 2302 Note).
(xvii) 52.226-6, Promoting Excess Food Donation to Nonprofit Organizations. (May 2014) (42 U.S.C. 1792). Flow down required in accordance with paragraph (e) of FAR clause 52.226-6.
(xviii) 52.247-64, Preference for Privately-Owned U.S. Flag Commercial Vessels (Feb 2006) (46 U.S.C. Appx 1241(b) and 10 U.S.C. 2631). Flow down required in accordance with paragraph (d) of FAR clause 52.247-64.
(2) While not required, the contractor may include in its subcontracts for commercial items a minimal number of additional clauses necessary to satisfy its contractual obligations.
(End of Clause)
52.217-8 -- Option to Extend Services.
As prescribed in 17.208(f), insert a clause substantially the same as the following:
Option to Extend Services (Nov 1999)
The Government may require continued performance of any services within the limits and at the rates specified in the contract. These rates may be adjusted only as a result of revisions to prevailing labor rates provided by the Secretary of Labor. The option provision may be exercised more than once, but the total extension of performance hereunder shall not exceed 6 months. The Contracting Officer may exercise the option by written notice to the Contractor within 30 days.
(End of Clause)
52.217-9 -- Option to Extend the Term of the Contract.
As prescribed in 17.208(g), insert a clause substantially the same as the following:
Option to Extend the Term of the Contract (Mar 2000)
(a) The Government may extend the term of this contract by written notice to the Contractor within 30 days; provided that the Government gives the Contractor a preliminary written notice of its intent to extend at least 60 days before the contract expires. The preliminary notice does not commit the Government to an extension.
(b) If the Government exercises this option, the extended contract shall be considered to include this option clause.
(c) The total duration of this contract, including the exercise of any options under this clause, shall not exceed 3 years.
(End of Clause)
52.252-2 -- Clauses Incorporated by Reference.
As prescribed in 52.107(b), insert the following clause:
Clauses Incorporated by Reference (Feb 1998)
This contract incorporates one or more clauses by reference, with the same force and effect as if they were given in full text. Upon request, the Contracting Officer will make their full text available. Also, the full text of a clause may be accessed electronically at this/these address(es):http://farsite.hill.af.mil
(End of Clause)
252.201-7000 Contracting Officer's Representative.
As prescribed in 201.602-70, use the following clause:
CONTRACTING OFFICER'S REPRESENTATIVE (DEC 1991)
(a) Definition."Contracting officer's representative" means an individual designated in accordance with subsection 201.602-2 of the Defense Federal Acquisition Regulation Supplement and authorized in writing by the contracting officer to perform specific technical or administrative functions.
(b) If the Contracting Officer designates a contracting officer's representative (COR), the Contractor will receive a copy of the written designation. It will specify the extent of the COR's authority to act on behalf of the contracting officer. The COR is not authorized to make any commitments or changes that will affect price, quality, quantity, delivery, or any other term or condition of the contract.
(End of clause)
52.201-4000 (TACOM) Army Contracting Command - Warren (DTA) Ombudsperson (APR 2011)
Information regarding the TACOM-Warren Ombudsperson is located at the website http://contracting.tacom.army.mil/acqinfo/ombudsperson.htm
[End of Provision]
52.204-4005 (TACOM) Required Use of Electronic Contracting (AUG 2012)
(a) All contract awards, modifications and delivery orders issued by TACOM will be issued electronically. The contractor has the option to receive these actions either via the Worldwide Web (WWW) or Electronic Data Interchange (EDI). Many provisions/clauses that appear "by reference", meaning only clause titles and regulation site are listed; their full texts can be found at the website: http://farsite.hill.af.mil/
(b) In order to be eligible to receive an award under this solicitation, the successful offeror must be registered with the Department of Defense (DOD) System for Award Management (SAM). The SAM registration process may be done electronically at the World Wide Web (WWW) site: https://www.sam.gov/portal/public/SAM. (In order to be registered to use EDI, you must use the long form for registration. Certification information, including information on the EDI 838 TPP, must be furnished to the Contracting Officer within 60 calendar days after contract award to complete networking requirements within the Government.)
(c) Worldwide Web Distribution. The contractor will receive an electronic Notice of the Award, Modification, or Delivery Order via e-mail. If you choose the WWW option, you must download the file from the appropriate TACOM webpage:
Warren: http://contracting.tacom.army.mil/CFDATA/AWARDS/AWARD_RPT01.cfm Rock Island - JMTC: https://acquistion.army.mil/asfi/Red River Army Depot: https://www.redriver.army.mil/ Anniston Army Depot: https://acquistion.army.mil/asfi/
(d) Electronic Data Interchange. If you choose to receive contract awards, modifications and delivery orders through EDI, they will be delivered electronically via the Federal Acquisition Network (FACNET). Federal Standard Version 3050 of Standard X12 from the American National Standards Institute (ANSI) will be used as the format for these electronic transactions.
(1) You must complete the EDI 838 Trading Partner Profile, and must agree (i) to subcontract with a DoD certified VAN or Value Added Service (VAS) provider, or (ii) to become DoD certified as a Value Added Network (VAN). The EDI 838 Training Partner Profile is contained in the basic SAM registration form and includes portions of the registration form which are titled "Optional".
(2) You must select a VAN from the official DoD approved list. DoD Certified VANs are listed at http://www.acq.osd.mil/dpap/ebiz/VANs.htm . If your VAN is later removed from the official list, or if you voluntarily drop your initially selected VAN, then you must switch to a VAN that remains on the official DoD approved list. You must maintain an active account on a DoD approved VAN for the entire duration of the contract, beginning no later than the 60th day after award.
(e) Unless otherwise specified elsewhere in the contract, all data items you are required to provide under this contract must be submitted electronically. Please go to the following webpage for http://contracting.tacom.army.mil/acqinfo/ebidnotice.htm
(f) Additional information can be obtained by sending a message to: usarmy.detroit.acc.mbx.wrn-web- firstname.lastname@example.org or by calling (586) 282-7059.
[End of Clause]
52.204-4009 (TACOM) Mandatory Use of contractor To Government Electronic Communication (MAR 2005)
(a) All references in the contract to the submission of written documentation shall mean electronic submission. All electronic submissions shall be in the formats and media described in the website: http://contracting.tacom.army.mil/acqinfo/ebidnotice.htm
(b) This shall include all written unclassified communications between the Government and the Contractor except contract awards and contract modifications which shall be posted on the internet. Return receipt shall be used if a commercial application is available. Classified information shall be handled in full accordance with the appropriate security requirements.
(c) In order to be contractually binding, all Government communications requiring a Contracting Officer signature must be sent from the Contracting Officer's e-mail address. The Contractor shall designate the personnel with signature authority who can contractually bind the contractor. All binding contractor communication shall be sent from this contractor e-mail address(es).
(d) Upon award, the Contractor shall provide the Contracting Officer with a list of e-mail addresses for all administrative and technical personnel assigned to this contract.
(e) Unless exempted by the Procuring Contracting Officer in writing, all unclassified written communication after contract award shall be transmitted electronically.
[End of Clause]
52.209-4020 (TACOM) Anti-Terrorism (AT) Level I Training Requirement (JUL 2014)
All contractor employees, including subcontractor employees, requiring access to Army installations, facilities, or controlled access areas shall complete AT Level I awareness training within 60 calendar days after contract start date or effective date of incorporation of this requirement into the contract, whichever applies. The contractor shall submit certificates of completion for each contractor employee and subcontractor employee requiring access to Army installations, facilities, or controlled access areas to the COR (or to the contracting officer, if a COR is not assigned) within 60 calendar days after completion of training. AT Level I awareness training is available at https://jkodirect.jten.mil Course #JS-US007-14.
[End of Clause]
52.209-4025 MAR 2013
Notice of Training Opportunities at the Detroit Arsenal
The contractor is notified that in accordance with training requirements required in the performance of this solicitation, and subsequent contract, that the G2 Office of TACOM LCMC can provide the following training upon request to contracting personnel. This opportunity is extended to all contractor personnel performing at the Detroit Arsenal and TACOM LCMC Organizations, including Selfridge Air National Guard Base.
Training is available for AT/OPSEC requirements including but not limited to: iWatch Training, Annual Security Training, and OPSEC Training as part of Annual Security training.
Contractors should make requests for training to the buyer listed on this solicitation and contract.
(End of Notice)
52.232-4000 (TACOM) Contracting Officer's Authority (APR 2006)
The Contracting Officer is the only person authorized to approve additions or changes in any of the requirements under any contract, resulting from this solicitation, notwithstanding any provisions contained elsewhere in this contract, the said authority remains solely in the Contracting Officer. In the event that the contractor effects any change at the direction of any person other than the Contracting Officer, such change shall be solely at the risk of the contractor. (See General Provision, entitled: "Notification of Changes,: FAR 52.243-7 or paragraph C of FAR 52.212-4).
[End of Clause]
52.242-4007 (TACOM) Wide Area Workflow (WAWF), Codes and Designated Acceptors (AUG 2012)
The contractor shall use WAWF to electronically process invoices for payment and receiving reports. The contractor shall register to use WAWF and take the Web-based training at https://wawf.eb.mil. Direct any questions relating to the system and vendor training to the Ogden Help Desk at 866-618-5988.
To properly route an invoice and receiving report through WAWF, the contractor shall indicate the following when prompted:
1. Select the appropriate type of invoice as indicated below. It is imperative that contractors select the proper type of invoice. Improper selection of an invoice type will result in the delay of a payment or the rejection of an invoice submittal.
Invoice and Receiving Report Combo (Supplies)Use for contracts that are entirely for supply requirements or for contracts that are predominantly for supply requirements but also includes minimal service line items.
X Invoice 2-in-1 (Services)Use for contracts that are entirely for service requirements.
2. Use the following DoDAAC (Department of Defense Activity Address Code) codes when prompted:
• Your firm's CAGE Code: (found in Block 15A of SF 33; Block 17a of SF 1449; Block 14 of SF 1442; Block 7 of SF 26) (Indicate)• Issue and Admin DoDAAC Code: (found in Block 7 of SF 33; Block 9 of SF 1449; Block 7 of SF 1442; Block 5 of SF 26) (Indicate)• Ship-To DoDAAC Code: (if deliverables are involved) (found in Section B of the contract where SF 33, SF 1442, or SF 26 is the cover page; Block 15 of SF 1449) (Indicate)• Accept-By DoDAAC Code: (Indicate)• Payment DoDAAC Code: (found in Block 25 of SF 33; Block 18a of SF 1449; Block 27 of SF 1442; Block 12 of SF 26) (Indicate)
3. Include the Purchase Request Number as specified in each Contract Line Item Number (CLIN). This number can be found at the bottom of the extended description of each CLIN. NOTE: The purchase request number may be different for each CLIN.
4. Indicate the proper Unit of Measure as specified in each CLIN. Failure to indicate the proper Unit of Measure will lead to vendor pay issues.
5. Indicate the following Acceptor, Alternate Acceptor, and Contract Specialist when the WAWF system prompts for "additional e-mail submission" after clicking "Signature".• Primary Acceptor Name: (Indicate)• Primary Acceptor e-mail: (Indicate)
• Alternate Acceptor Name: (Indicate)• Alternate Acceptor e-mail: (Indicate)
• Contract Specialist Name: (Indicate)• Contract Specialist e-mail: (Indicate)
To track the status of an invoice, in WAWF click on the link, "Pay Status" (myInvoice-External link) found under the tab named "Lookup" or by going to https://myinvoice.csd.disa.mil/index.html. If the payment office indicated in the contract is Columbus, direct any payment related questions to the Defense Finance Accounting Services (DFAS) Columbus at 800-756-4571. If the payment office is other than Columbus, contact the contract administrator for the customer service phone/fax numbers.
[End of clause]
52.237-4000 (TACOM) Contractor Manpower Reporting (CMR) (MAY 2013)
The Office of the Assistant Secretary of the Army (Manpower & Reserve Affairs) operates and maintains a secure Army data collection site where the contractor will report ALL contractor labor hours (including subcontractor labor hours) required for performance of services provided under this contract via secure data
collection site. The contractor is required to completely fill in all required data fields in the format using the following web address: https://cmra.army.mil . The required information includes the following:
(1) Contracting Office, Contracting Officer, Contracting Officer's Technical Representative;
(2) Contract number, including task and delivery order number;
(3) Beginning and ending dates covered by reporting period;
(4) Contractor name, address, phone number, e-mail address, identity of contractor employee entering data;
(5) Direct labor hours (including sub-contractors);
(6) Direct labor dollars paid this reporting period (including sub-contractors);
(7) Total payments (including sub-contractors);
(8) Predominant Federal Service Code (FSC) reflecting services provided by contractor (and separate predominant FSC for each sub-contractor if different);
(9) Data collection cost;
(10) Organizational title associated with the Unit Identification Code (UIC) for the Army Requiring Activity (the Army Requiring Activity is responsible for providing the contractor with its UIC for the purposes of reporting this information);
(11) Locations where contractor and sub-contractors perform the work (specified by zip code in the United States and nearest city, country, when in an overseas location, using standardized nomenclature provided on website);
(12) Presence of deployment or contingency contract language; and
(13) Number of contractor and sub-contractor employees deployed in theater this reporting period (by country).
Reporting inputs will be for the labor executed during the period of performance during each Government fiscal year (FY), which runs October 1 through September30. While inputs may be reported any time during the FY, all data shall be reported no later than October 31 of each calendar year, beginning with 2013. Contractors may direct questions to the help desk at : https://cmra.army.mil and clicking on the "Send an Email" link which is located under the Help Resources ribbon on the right hand side of the login page.
[End of Clause]
52.242-4016 (TACOM) Communications (FEB 2013)
Communications on technical matters pertaining to the contract shall be direct between the contractor and the Contracting Officer Representative (COR). Communications for the COR shall be addressed to:Name: -1-E-mail: -2-
The Administrative Contracting Officer's (ACO) name and email address are also provided if known at this time:
ACO: -3-E-mail: -4-Please see the appointment letters prepared at time of contract award for functions the Technical Representative and ACO will perform on this contract.
[End of Clause]
52.246-4009 (TACOM) Inspection and Acceptance Points: Destination (FEB 1995)
Inspection and acceptance of supplies offered under this purchase order shall take place as specified here. Inspection: DESTINATION.
[End of Clause]
252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting.
As prescribed in 204.7304(c), use the following clause:
SAFEGUARDING COVERED DEFENSE INFORMATION AND CYBER INCIDENT REPORTING (AUG 2015)
(a) Definitions. As used in this clause-
"Adequate security" means protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information.
"Compromise" means disclosure of information to unauthorized persons, or a violation of the security policy of a system, in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object, or the copying of information to unauthorized media may have occurred.
"Contractor attributional/proprietary information" means information that identifies the contractor(s), whether directly or indirectly, by the grouping of information that can be traced back to the contractor(s) (e.g., program description, facility locations), personally identifiable information, as well as trade secrets, commercial or financial information, or other commercially sensitive information that is not customarily shared outside of the company.
"Contractor information system" means an information system belonging to, or operated by or for, the Contractor.
"Controlled technical information" means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information would meet the criteria, if disseminated, for distribution statements B through F using the criteria set forth in DoD Instruction 5230.24, Distribution Statements on Technical Documents. The term does not include information that is lawfully publicly available without restrictions.
"Covered contractor information system" means an information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits covered defense information.
"Covered defense information" means unclassified information that-
(A) Provided to the contractor by or on behalf of DoD in connection with the performance of the contract; or
(B) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract; and
(ii) Falls in any of the following categories:
(A) Controlled technical information.
(B) Critical information (operations security). Specific facts identified through the Operations Security process about friendly intentions, capabilities, and activities vitally needed by adversaries for them to plan and act effectively so as to guarantee failure or unacceptable consequences for friendly mission accomplishment (part of Operations Security process).
(C) Export control. Unclassified information concerning certain items, commodities, technology, software, or other information whose export could reasonably be expected to adversely affect the United States national security and nonproliferation objectives. To include dual use items; items identified in export administration regulations, international traffic in arms regulations and munitions list; license applications; and sensitive nuclear technology information.
(D) Any other information, marked or otherwise identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies (e.g., privacy, proprietary business information).
"Cyber incident" means actions taken through the use of computer networks that result in an actual or potentially adverse effect on an information system and/or the information residing therein.
"Forensic analysis" means the practice of gathering, retaining, and analyzing computer-related data for investigative purposes in a manner that maintains the integrity of the data.
"Malicious software" means computer software or firmware intended to perform an unauthorized process that will have adverse impact on the confidentiality, integrity, or availability of an information system. This definition includes a virus, worm, Trojan horse, or other code-based entity that infects a host, as well as spyware and some forms of adware.
"Media" means physical devices or writing surfaces including, but is not limited to, magnetic tapes, optical disks, magnetic disks, large-scale integration memory chips, and printouts onto which information is recorded, stored, or printed within an information system.
‘‘Operationally critical support'' means supplies or services designated by the Government as critical for airlift, sealift, intermodal transportation services, or logistical support that is essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation.
"Rapid(ly) report(ing)" means within 72 hours of discovery of any cyber incident.
"Technical information" means technical data or computer software, as those terms are defined in theclause at DFARS 252.227-7013, Rights in Technical Data-Non Commercial Items, regardless of whether or not the clause is incorporated in this solicitation or contract. Examples of technical information include research and engineering data, engineering drawings, and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer software executable code and source code.
(b) Adequate security. The Contractor shall provide adequate security for all covered defense information on all covered contractor information systems that support the performance of work under this contract. To provide adequate security, the Contractor shall-
(1) Implement information systems security protections on all covered contractor information systems including, at a minimum-
(i) For covered contractor information systems that are part of an Information Technology (IT) service or system operated on behalf of the Government-
(A) Cloud computing services shall be subject to the security requirements specified in the clause 252.239- 7010, Cloud Computing Services, of this contract; and
(B) Any other such IT service or system (i.e., other than cloud computing) shall be subject to the security requirements specified elsewhere in this contract; or
(ii) For covered contractor information systems that are not part of an IT service of system operated on behalf of the Government and therefore are not subject to the security requirement specified at paragraph (b)(1)(i) of this clause-
(A) The security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, http://dx.doi.org/10.6028/NIST.SP.800-171 that is in effect at the time the solicitation is issued or as authorized by the Contracting Officer; or
(B) Alternative but equally effective security measures used to compensate for the inability to satisfy a particular requirement and achieve equivalent protection approved in writing by an authorized representative of the DoD CIO prior to contract award; and
(2) Apply other information systems security measures when the Contractor
reasonably determines that information systems security measures, in addition to those identified in paragraph (b)(1) of this clause, may be required to provide adequate security in a dynamic environment based on an assessed risk or vulnerability.
(c) Cyber incident reporting requirement.
(1) When the Contractor discovers a cyber incident that affects a covered contractor information system or the covered defense information residing therein, or that affects the contractor's ability to perform the requirements of the contract that are designated as operationally critical support, the Contractor shall-
(i) Conduct a review for evidence of compromise of covered defense information, including, but not limited to, identifying compromised computers, servers, specific data, and user accounts. This review shall also include analyzing covered contractor information system(s) that were part of the cyber incident, as well as other information systems on the
Contractor's network(s), that may have been accessed as a result of the incident in order to identify compromised covered defense information, or that affect the Contractor's ability to provide operationally critical support; and
(ii) Rapidly report cyber incidents to DoD at http://dibnet.dod.mil.
(2) Cyber incident report. The cyber incident report shall be treated as information created by or for DoD and shall include, at a minimum, the required elements at http://dibnet.dod.mil.
(3) Medium assurance certificate requirement. In order to report cyber incidents in accordance with this clause, the Contractor or subcontractor shall have or acquire a DoD-approved medium assurance certificate to report cyber incidents. For information on obtaining a DoD-approved medium assurance certificate, see http://iase.disa.mil/pki/eca/certificate.html.
(d) Malicious software. The Contractor or subcontractors that discover and isolate malicious software in connection with a reported cyber incident shall submit the malicious software in accordance with instructions provided by the Contracting Officer.
(e) Media preservation and protection. When a Contractor discovers a cyber incident has occurred, the Contractor shall preserve and protect images of all known affected information systems identified in paragraph (c)(1)(i) of this clause and all relevant monitoring/packet capture data for at least 90 days from the submission of the cyber incident report to allow DoD to request the media or decline interest.
(f) Access to additional information or equipment necessary for forensic analysis. Upon request by DoD, the Contractor shall provide DoD with access to additional information or equipment that is necessary to conduct a forensic analysis.
(g) Cyber incident damage assessment activities. If DoD elects to conduct a damage assessment, the Contracting Officer will request that the Contractor provide all of the damage assessment information gathered in accordance with paragraph (e) of this clause.
(h) DoD safeguarding and use of contractor attributional/proprietary information. The Government shall protect against the unauthorized use or release of information obtained from the contractor (or derived from information obtained from the contractor) under this clause that includes contractor attributional/proprietary information, including such information submitted in accordance with paragraph (c). To the maximum extent practicable, the Contractor shall identify and mark attributional/proprietary information. In making an authorized release of such information, the Government will implement appropriate procedures to minimize the contractor attributional/proprietary
information that is included in such authorized release, seeking to include only that information that is necessary for the authorized purpose(s) for which the information is being released.
(i) Use and release of contractor attributional/proprietary information not created by or for DoD. Information that is obtained from the contractor (or derived from information obtained from the contractor) under this clause that is not created by or for DoD is authorized to be released outside of DoD-
(1) To entities with missions that may be affected by such information;
(2) To entities that may be called upon to assist in the diagnosis, detection, or mitigation of cyber incidents;
(3) To Government entities that conduct counterintelligence or law enforcement investigations;
(4) For national security purposes, including cyber situational awareness and defense purposes (including with Defense Industrial Base (DIB) participants in the program at 32CFR 236); or
(5) To a support services contractor ("recipient") that is directly supporting Government activities under a contract that includes the clause at 252.204-7009, Limitations on the Use or Disclosure of Third-Party Contractor Reported Cyber Incident Information.
(j) Use and release of contractor attributional/proprietary information created by or for DoD. Information that is obtained from the contractor (or derived from information obtained from the contractor) under this clause that is created by or for DoD (including the information submitted pursuant to paragraph (c) of this clause) is authorized to be used and released outside of DoD for purposes and activities authorized by paragraph (i) of this clause, and for any other lawful Government purpose or activity, subject to all applicable statutory, regulatory, and policy based restrictions on the Government's use and release of such information.
(k) The Contractor shall conduct activities under this clause in accordance with applicable laws and regulations on the interception, monitoring, access, use, and disclosure of electronic communications and data.
(l) Other safeguarding or reporting requirements. The safeguarding and cyber incident reporting required by this clause in no way abrogates the Contractor's responsibility for other safeguarding or cyber incident reporting pertaining to its unclassified information systems as required by other applicable clauses of this contract, or as a result of other applicable U.S. Government statutory or regulatory requirements.
(m) Subcontracts. The Contractor shall-
(1) Include the substance of this clause, including this paragraph (m), in all subcontracts, including subcontracts for commercial items; and(2) Require subcontractors to rapidly report cyber incidents directly to DoD at http://dibnet.dod.mil and the prime Contractor. This includes providing the incident report number, automatically assigned by DoD, to the prime Contractor (or next higher-tier subcontractor) as soon as practicable.(End of clause)