V ORDER FOR SUPPLIES OR SERVICES PAGE OF PAGES

IMPORTANT: Ma.k all packages and papers with contract and/or order numbers. 1 83

1. DATE OF ORDER 2. CONTRACT NO. (ffany) 6. SHIP TO:

09/29/2014 a. NAME OF CONSIGNEE

3. ORDER NO. 4. REQUISITIONIREFERENCE NO.

NRC-HQ-|l-14-T-0002 NSIR-14-0128 US NUCLEAR REGULATORY COMMISSION-

5. ISSUING OFFICE (Address correspondence to) b. STREETADDRESS

US NRC - HQ MAIL PROCESSING CENTERACQUISITION MANAGEMENT DIVISION 4930 BOILING BROOK PARKWAY

MAIL STOP 3WFN-05-C64MPWASHINGTON DC 20555-0001

c. CITY d. STATE a. ZIP CODE

ROCKVILLE MD 208,52

7. TO: DANIEL HACKENBERG f. SHIP VIAa. NAME OF CONTRACTOR

MAR INCORPORATED B. TYPE OF ORDER

b. COMPANY NAME Wa. PURCHASE [] b. DELIVERY

c. STREET ADDRESS REFERENCE YOUR:1803 RESEARCH BOULEVARD Except for billing instructions on the

reverse, this delivery order is subjectSUITE 204 to instructions contained on this side

only of this form and is issued

Please furnish the following on the terms subject to the terms and conditions

and conditions specified on both sides of of the above-numbered contract

d. CITY e. STATE If ZIP CODE this order and on the attached sheet if any,ROCKVILLE MD 208506106 including delivery as indicated.

9. ACCOUNTING AND APPROPRIATION DATA 10. REQUISITIONING OFFICE

See Schedule OFFICE OF NUCLEAR SECURITY11. BUSINESS CLASSIFICATION (Check appropriate box(es)) 12. F.O.B. POINT

5] a. SMALL. [] b. OTHER THAN SMALL K] c. DISADVANTAGED [l]d. WOMEN-OWNED K] e. HUBZone

f] f. SERVICE-DISABLED 0 g. WOMEN-OWNED SMALL BUSINESS (WOSB) K] h. EDWOSBVETERAN-OWNED ELIGIBLE UNDER THE WOSB PROGRAM

13. PLACE OF 14. GOVERNMENT BIL NO. 15. DELIVER TO FOB. (POINT 16. DISCOUNT TERMS

ON OR BEFORE (Date)a. INSPECTION b. ACCEPTANCE MultipleDestination Destination

17. SCHEDULE (See reverse for Rejections)

QUANTITY UNIT QUANTITYITEM NO. SUPPLIES OR SERVICES ORDERED UNIT PRICE AMOUNT ACCEPTED

(a) (b) (c) (d) (e) (f) (g)

NSIR Cyber Security Regulatory ProgramDevelopment and Support (CSRPDS)

Continued ...

18. SHIPPING POINT 19. GROSS SHIPPING WEIGHT 20. INVOICE NO. 17(h)TOTAL(Cont

pages)21: MAIL INVOICE TO:

a. NAME N$2,451,833.32 4US NUCLEAR REGULATORY COMMISSION

SEE BILLINGINSTRUCTIONS b. STREETADDRESS ONE WHITE FLINT NORTH

ONREVERSýE (orPO. Box) 11555 ROCKVILLE PIKE 17(i)

iGRANDMAILSTOP 03-EI7A TOTAL

c. CITY i. STATE '. ZIP CODE $12,069,298.33 4ROCKVILLE IMD 20852-2738

22. UNITED STATES OF 09/29/2014 23. NAME (Typed)AMERICA BY (Signature) L JOSEPH L. WIDDUP

r JA l' ý ~TITLE: CONTRACTINGIORDERING OFFICERAUTHORIZED FOR LOCAL REPRODUCTIONPREVIOUS EDITION NOT USABLE

ITPLA7PUR - A DM0

OPTIONAL FORM 347 (Re-. 2r20l2)Prescribed by GSA/FAR 48 CFR 53.213(f)

SUNSI REVIEW COMPLETE OCT 0 3 2014 R10G

ORDER FOR SUPPLIES OR SERVICES PAGE NO

SCHEDULE- CONTINUATION 2

IMPORTANT: Mark all packages and papers with contract and/or order numbers.

DATE OF ORDER 1CONTRACT NO. ORDER NO.

09/29/2014 1GS35F0229K NRC-HQ-11-14-T-0002

ITEM NO. SUPPLIESISERVICES QUANTITYfUNITJ UNIT AMOUNT QUANTITYORDERED PRICE ACCEPTED

(a) (b) (c) (d) (e) (f (g)

00001

00002

10001

20001

30001

40001

Base YearFirm-Fixed-Price Services - see Attachment2 for breakdown.Line Item Ceiling$1,134,719.40Incrementally Funded Amount: $140,000.00

Accounting Info:

2014-X0200-FEEBASED-11-11D005-11-5-186-1004-252AFunded: $140,000.00

NSIR Cyber Security Regulatory Program and

Development Support

Base YearLabor-Hour Services, Travel Costs, and

Training Costs - see Attachment 2 for

breakdown.Line Item Ceiling$1,317,113.92Incrementally Funded Amount: $190,500.00

Accounting Info:2014-X0200-FEEBASED-11-11D005-17-5-186

-1004-252AFunded: $190,500.00

Option Year 1

(Option Line Item)Anticipated Exercise DatelO/01/2015Line Item Ceiling$2,354,851.00

Option Year 2(Option Line Item)Anticipated Exercise DatelO/01/2016

Line Item Ceiling$2,387,531.68

Option Year 3

(Option Line Item)Anticipated Exercise DatelO/01/2017Line Item Ceiling$2,420,704.88

Option Year 4(Option Line Item)

Continued ...

1,134,719.40

1,317,113.92

0.00

0.00

0.00

0.00

TOTAL CARRIED FORWARD TO 1ST PAGE (ITEM 17(H)) $2,451,833.32AUTHRIOUSED TON LNOTL KEPUSULE INPREVIOUS EDITION NOT USABLE

OPTIOUNAL FORG M FA (R- 4t2036)Praefibed by GSA FAR (48 CFR) 53.213(f)

,i ORDER FOR SUPPLIES OR SERVICES PAGE NOSSCHEDULE CONTINUATION 3

IMPORTANT: Mark all packages and papers with contract and/or order numbers.

DATE OF ORDER ICONTRACT NO. ORDER NO.

09/29/2014 IGS35F0229K NRC-HQ-11-14-T-0002

ITEM NO. SUPPLIESISERVICES QUANTITY UNIT UNIT AMOUNT QUANTITYORDERED PRICE ACCEPTED

(a) (b) (c) (d) (e) 1 (1) 1 -- (g)

Anticipated Exercise DatelO/01/2018Line Item Ceiling$2,454,377.45

The obligated amount of award: $330,500.00.The total for this award is shown in box17(i).

TOTAL CARRIED FORWARD TO 1ST PAGE (ITEM 17(H)) 0U.UUAUHOr- MR.i

.~w fO(eV TUV

PREVIOUS EDITION NOT USABLEUP"IONbe RM S •48 A R ev. 48 82o)

Prescrbed by GSA FAR (48 CFR ) 53.213(f)

Contents

SECTION B - SUPPLIES OR SERVICES/PRICES ......................................... 3B.2 CONSIDERATION AND OBLIGATION ............................................................. 3SECTION C - DESCRIPTION/SPECIFICATIONS/WORK STATEMENT ...... 3SECTION D - PACKAGING AND MARKING .................................................. 3D.1 BRANDING .............................................. 3SECTION E - INSPECTION AND ACCEPTANCE .......................................... 3E.1 INSPECTION AND ACCEPTANCE BY THE NRC (SEP 2013) ................ 3SECTION F - DELIVERIES OR PERFORMANCE .......................................... 4F.1 TASK/DELIVERY ORDER PERIOD OF PERFORMANCE (SEP 2013) ........ 4F.2 PLACE OF DELIVERY-REPORTS ........................................................... 4SECTION G - CONTRACT ADMINISTRATION DATA .................................. 4G.1 ELECTRONIC PAYMENT (SEP 2013) .......................................................... 4SECTION H - SPECIAL CONTRACT REQUIREMENTS ................................ 4H.1 2052.215-77 TRAVEL APPROVALS AND REIMBURSEMENT (OCT 1999) ........ 4H.2 2052.222-70 NONDISCRIMINATION BECAUSE OF AGE (JAN 1993) ............. 5H.3 52.237-2 PROTECTION OF GOVERNMENT BUILDINGS, EQUIPMENT,AND VEGETATION (APR 1984) .............................................................................. 5H.4 52.244-2 SUBCONTRACTS (OCT 2010) ........................................................... 5H.5 52.244-5 COMPETITION IN SUBCONTRACTING (DEC 1996) ....................... 8H.6 SEAT BELTS ...................................................................................................... 8H.7 2052.204.70 SECURITY (MAR 2004) ............................................................... 8H.8 SECURITY REQUIREMENTS FOR INFORMATION TECHNOLOGYLEVEL I OR LEVEL II ACCESS APPROVAL (AUG 2011) ....................................... 10H.10 SAFETY OF ON-SITE CONTRACTOR PERSONNEL ................................... 15H.11 NRC INFORMATION TECHNOLOGY SECURITY TRAINING (AUG 2011) ...... 15H.12 CONTRACTING OFFICER REPRESENTATIVE ............................................. 16H.13 DENIAL OF FEDERAL BENEFITS TO INDIVIDUALS CONVICTED OFDRUG TRAFFICKING OR POSSESSION (AUG 2011) ........................................... 18H.14 COMPENSATION FOR ON-SITE CONTRACTOR PERSONNEL (AUG2011) ALTERNATE I (AUG 2011) ............................................................................ 18H.15 PERSONNEL REQUIREMENTS ............................ 19H.16 2052.204-71 SITE ACCESS BADGE REQUIREMENTS (JAN 1993) ....... 19H.17 AWARD NOTIFICATION AND COMMITMENT OF PUBLIC FUNDS ....... 19H.18 USE OF AUTOMATED CLEARING HOUSE (ACH) ELECTRONICPAYMENT/REMITTANCE ADDRESS ........................................................... 20H.19 GREEN PURCHASING (SEP 2013) .................................................... 20H.20 CONTRACTOR RESPONSIBILITY FOR PROTECTING PERSONALLYIDENTIFIABLE INFORMATION (PII) ............................................................. 20H.21 DRUG FREE WORKPLACE TESTING: UNESCORTED ACCESS TONUCLEAR FACILITIES, ACCESS TO CLASSIFIED INFORMATION ORSAFEGUARDS INFORMATION, OR PERFORMING IN SPECIALLYS ENSITIVE PO SITIO NS ................................................................................ 22H.22 AUTHORITY TO USE GOVERNMENT PROVIDED SPACE AT NRCHEADQUARTERS (SEP 2013) ...................................................................... 23H.23 WHISTLEBLOWER PROTECTION FOR NRC CONTRACTOR AND

1

SUBCONTRACTOR EMPLOYEES ............................................................... 23H.24 SECURITY REQUIREMENTS RELATING TO THE PRODUCTION OFREPORT(S) OR THE PUBLICATION OF RESULTS UNDER CONTRACTS,AGREEMENTS, AND GRANTS ................................................................... 23H.25 NRC INFORMATION TECHNOLOGY SECURITY ............................... 25H.26 COMPLIANCE WITH U.S. IMMIGRATION LAWS AND REGULATIONS 25H.27 ANNUAL AND FINAL CONTRACTOR PERFORMANCE EVALUATIONS

........................................................................................................................... 2 5H.28 IT SECURITY REQUIREMENTS - NRC AND CONTRACTOR (NON-NRC)FA C ILITIES (A PR 2014) ................................................................................. 26H.29 IT SECURITY REQUIREMENTS - CERTIFICATION ANDA C C R ED ITATIO N ....................................................................................... . 27H.30 INFORMATION TECHNOLOGY (IT) SECURITY REQUIREMENTS -GENERAL (APR 2014) ............................... ... 28H.31 IT SECURITY REQUIREMENTS - DEVELOPMENT AND OPERATIONSAND MAINTENANCE REQUIREMENTS (APR 2014) .................................. 32SECTION I - CONTRACT CLAUSES .......................................................... 381.1 52.217-9 OPTION TO EXTEND THE TERM OF THE CONTRACT. (MAR2 0 0 0 ) .................................................................................................................. 3 81.2 52.227-17 RIGHTS IN DATA--SPECIAL WORKS. (DEC 2007) ............... 38SECTION J - LIST OF ATTACHMENTS ...................................................... 401 STATEMENT OF W ORK .............................................................................. 402 PRICE SCHEDULE ..................................................................................... 403 BILLING INSTRUCTIONS FIXED PRICE .................................................... 404 BILLING INSTRUCTIONS LABOR HOUR .................................................. 40

2

.r a

SECTION B - SUPPLIES OR SERVICES/PRICES

B.1 SCHEDULE OF SUPPLIES OR SERVICES - See Attachment 2

B.2 CONSIDERATION AND OBLIGATION

The amount of funds obligated in this task order may be unilaterally increased from timeto time by the Contracting Officer by written modification to this order. When and if theamount(s) paid and payable to the contractor hereunder is equal to the obligatedamount, the contractor shall not be obligated to continue performance of the work unlessand until the Contracting Officer increases the amount obligated on this contract bywritten modification. Any work undertaken by the contractor in excess of the obligatedamount specified above is at the contractor's sole risk.

SECTION C - DESCRIPTION/SPECIFICATIONS/WORK STATEMENT

See Attachment 1 - Statement of Work

SECTION D - PACKAGING AND MARKING

D.1 BRANDING

The Contractor is required to use the statement below in any publications, presentations,articles, products, or materials funded under this contract/order, to the extent practical, inorder to provide NRC with recognition for its involvement in and contribution to theproject. If the work performed is funded entirely with NRC funds, then the contractormust acknowledge that information in its documentation/presentation.

Work Supported by the U.S. Nuclear Regulatory Commission (NRC), Office of NuclearSecurity and Incident Response, under Contract/order number (see page 1 of thisorder).

SECTION E - INSPECTION AND ACCEPTANCE

E.1 INSPECTION AND ACCEPTANCE BY THE NRC (SEP 2013)

Inspection and acceptance of the deliverable items to be furnished hereunder shall bemade by the NRC Contracting Officer's Representative (COR) at the destination,accordance with FAR 52.247-34 - F.o.b. Destination.

Contract Deliverables:

1. See Attachment 1 - Statement of Work

3

SECTION F - DELIVERIES OR PERFORMANCE

F.1 TASK/DELIVERY ORDER PERIOD OF PERFORMANCE (SEP 2013)

This order shall commence on November 1, 2014 and will expire on October 31, 2015.

Option Year 1 (if exercised) will be November 1, 2015 through October 31, 2016.

Option Year 2 (if exercised) will be November 1, 2016 through October 31, 2017.

Option Year 3 (if exercised) will be November 1, 2017 through October 31, 2018.

Option Year 4 (if exercised) will be November 1, 2018 through October 31, 2019.

F.2 PLACE OF DELIVERY-REPORTS

The items to be furnished hereunder shall be delivered, with all charges paid by theContractor, to the Primary and Alternate Contracting Officer's Representatives (COR)(hardcopy or email as directed). See names and addresses in Section H.13.

SECTION G - CONTRACT ADMINISTRATION DATA

G.1 ELECTRONIC PAYMENT (SEP 2013)

The Debt Collection Improvement Act of 1996 requires that all payments except IRS taxrefunds be made by Electronic Funds Transfer. Payment shall be made in accordancewith FAR 52.232-33, entitled "Payment by Electronic Funds Transfer-System AwardManagement".

To receive payment, the contractor shall prepare invoices in accordance with NRC'sBilling Instructions. Claims shall be submitted on the payee's letterhead, invoice, or onthe Government's Standard Form 1034, "Public Voucher for Purchases and ServicesOther than Personal," and Standard Form 1035, "Public Voucher for Purchases Otherthan Personal - Continuation Sheet." The preferred method of submitting invoices iselectronically to: OCFO ObligationsResource@nrc.gov.

SECTION H - SPECIAL CONTRACT REQUIREMENTS

H.1 2052.215-77 TRAVEL APPROVALS AND REIMBURSEMENT (OCT 1999)

(a) All foreign travel must be approved in advance by the NRC on NRC Form 445,Request for Approval of Official Foreign Travel, and must be in compliance with FAR52.247-63 Preference for U.S. Flag Air Carriers. The contractor shall submit NRC Form445 to the NRC no later than 30 days before beginning travel.

(b) The contractor must receive written approval from the NRC Contracting Officer'sRepresentative (COR) before taking travel that was unanticipated in the Schedule (i.e.,travel not contemplated in the Statement of Work, or changes to specific travel identifiedin the Statement of Work).

4

(c) The contractor will be reimbursed only for those travel costs incurred that aredirectly related to this contract and are allowable subject to the limitations prescribed inFAR 31.205-46.

(d) It is the responsibility of the contractor to notify the contracting officer inaccordance with the Limitations of Cost clause of this contract when, at any time, thecontractor learns that travel expenses will cause the contractor to exceed the estimatedcosts specified in the Schedule.

(e) Reasonable travel costs for research and related activities performed at State andnonprofit institutions, in accordance with Section 12 of Pub. L. 100-679, shall be chargedin accordance with the contractor's institutional policy to the degree that the limitations ofOffice of Management and Budget (OMB) guidance are not exceeded. Applicableguidance documents include OMB Circular A-87, Cost Principles for State and LocalGovernments; OMB Circular A-122, Cost Principles for Nonprofit Organizations; andOMB Circular A-21, Cost Principles for Educational Institutions.

H.2 2052.222-70 NONDISCRIMINATION BECAUSE OF AGE (JAN 1993)

It is the policy of the Executive Branch of the Government that:

(a) Contractors and subcontractors engaged in the performance of Federal contractsmay not, in connection with the employment, advancement, or discharge of employeesor in connection with the terms, conditions, or privileges of their employment,discriminate against persons because of their age except upon the basis of a bona fideoccupational qualification, retirement plan, or statutory requirements; and

(b) That contractors and subcontractors, or persons acting on their behalf, may notspecify, in solicitations or advertisements for employees to work on Governmentcontracts, a maximum age limit for employment unless the specified maximum age limitis based upon a bona fide occupational qualification, retirement plan, or statutoryrequirement.

H.3 52.237-2 PROTECTION OF GOVERNMENT BUILDINGS, EQUIPMENT, ANDVEGETATION (APR 1984)

The Contractor shall use reasonable care to avoid damaging existing buildings,equipment, and vegetation on the Government installation. If the Contractor's failure touse reasonable care causes damage to any of this property, the Contractor shall replaceor repair the damage at no expense to the Government as the Contracting Officerdirects. If the Contractor fails or refuses to make such repair or replacement, theContractor shall be liable for the cost, which may be deducted from the contract price.

H.4 52.244-2 SUBCONTRACTS (OCT 2010)

(a) Definitions. As used in this clause--

"Approved purchasing system" means a Contractor's purchasing system that hasbeen reviewed and approved in accordance with Part 44 of the Federal AcquisitionRegulation (FAR).

5

A

"Consent to subcontract" means the Contracting Officer's written consent for theContractor to enter into a particular subcontract.

"Subcontract" means any contract, as defined in FAR Subpart 2.1, entered into by asubcontractor to furnish supplies or services for performance of the prime contract or asubcontract. It includes, but is not limited to, purchase orders, and changes andmodifications to purchase orders.

(b) When this clause is included in a fixed-price type contract, consent to subcontractis required only on unpriced contract actions (including unpriced modifications orunpriced delivery orders), and only if required in accordance with paragraph (c) or (d) ofthis clause.

(c) If the Contractor does not have an approved purchasing system, consent to

subcontract is required for any subcontract that--

(1) Is of the cost-reimbursement, time-and-materials, or labor- hour type; or

(2) Is fixed-price and exceeds--

(i) For a contract awarded by the Department of Defense, the Coast Guard, or theNational Aeronautics and Space Administration, the greater of the simplified acquisitionthreshold or 5 percent of the total estimated cost of the contract; or

(ii) For a contract awarded by a civilian agency other than the Coast Guard and theNational Aeronautics and Space Administration, either the simplified acquisitionthreshold or 5 percent of the total estimated cost of the contract.

(d) If the Contractor has an approved purchasing system, the Contractor neverthelessshall obtain the Contracting Officer's written consent before placing the followingsubcontracts: None

(e)(1) The Contractor shall notify the Contracting Officer reasonably in advance ofplacing any subcontract or modification thereof for which consent is required underparagraph (b), (c), or (d) of this clause, including the following information:

(i) A description of the supplies or services to be subcontracted.

(ii) Identification of the type of subcontract to be used.

(iii) Identification of the proposed subcontractor.

(iv) The proposed subcontract price.

(v) The subcontractor's current, complete, and accurate certified cost or pricing dataand Certificate of Current Cost or Pricing Data, if required by other contract provisions.

(vi) The subcontractor's Disclosure Statement or Certificate relating to CostAccounting Standards when such data are required by other provisions of this contract.

6

(vii) A negotiation memorandum reflecting--

(A) The principal elements of the subcontract price negotiations;

(B) The most significant considerations controlling establishment of initial orrevised prices;

(C) The reason certified cost or pricing data were or were not required;

(D) The extent, if any, to which the Contractor did not rely on the subcontractor'scertified cost or pricing data in determining the price objective and in negotiating the finalprice;

(E) The extent to which it was recognized in the negotiation that thesubcontractor's certified cost or pricing data were not accurate, complete, or current; theaction taken by the Contractor and the subcontractor; and the effect of any suchdefective data on the total price negotiated;

(F) The reasons for any significant difference between the Contractor's priceobjective and the price negotiated; and

(G) A complete explanation of the incentive fee or profit plan when incentives areused. The explanation shall identify each critical performance element, managementdecisions used to quantify each incentive element, reasons for the incentives, and asummary of all trade-off possibilities considered.

(2) The Contractor is not required to notify the Contracting Officer in advance ofentering into any subcontract for which consent is not required under paragraph (b), (c),or (d) of this clause.

(f) Unless the consent or approval specifically provides otherwise, neither consent bythe Contracting Officer to any subcontract nor approval of the Contractor's purchasingsystem shall constitute a determination--

(1) Of the acceptability of any subcontract terms or conditions;

(2) Of the allowability of any cost under this contract; or

(3) To relieve the Contractor of any responsibility for performing this contract.

(g) No subcontract or modification thereof placed under this contract shall provide forpayment on a cost-plus-a-percentage-of- cost basis, and any fee payable under cost-reimbursement type subcontracts shall not exceed the fee limitations in FAR 15.404-4(c)(4)(i).

(h) The Contractor shall give the Contracting Officer immediate written notice of anyaction or suit filed and prompt notice of any claim made against the Contractor by anysubcontractor or vendor that, in the opinion of the Contractor, may result in litigationrelated in any way to this contract, with respect to which the Contractor may be entitledto reimbursement from the Government.

7

(i) The Government reserves the right to review the Contractor's purchasing system asset forth in FAR Subpart 44.3.

(j) Paragraphs (c) and (e) of this clause do not apply to the following subcontracts,which were evaluated during negotiations: All

H.5 52.244-5 COMPETITION IN SUBCONTRACTING (DEC 1996)

(a) The Contractor shall select subcontractors (including suppliers) on a competitivebasis to the maximum practical extent consistent with the objectives and requirements ofthe contract.

(b) If the Contractor is an approved mentor under the Department of Defense PilotMentor-Protege Program (Pub. L. 101 -510, section 831 as amended), the Contractormay award subcontracts under this contract on a noncompetitive basis to its protbges.

H.6 SEAT BELTS

Contractors, subcontractors, and grantees, are encouraged to adopt and enforce on-the-job seat belt policies and programs for their employees when operating company-owned, rented, or personally owned vehicles.

H.7 2052.204.70 SECURITY (MAR 2004)

(a) Contract Security and/or Classification Requirements (NRC Form 187). Thepolicies, procedures, and criteria of the NRC Security Program, NRC ManagementDirective (MD) 12 (including MD 12.1, "NRC Facility Security Program;" MD 12.2, "NRCClassified Information Security Program;" MD 12.3, "NRC Personnel Security Program;"MD 12.4, "NRC Telecommunications Systems Security Program;" MD 12.5, "NRCAutomated Information Systems Security Program;" and MD 12.6, "NRC SensitiveUnclassified Information Security Program"), apply to performance of this contract,subcontract or other activity. This MD is incorporated into this contract by reference asthough fully set forth herein. The attached NRC Form 187 (See List of Attachments)furnishes the basis for providing security and classification requirements to primecontractors, subcontractors, or others (e.g., bidders) who have or may have an NRCcontractual relationship that requires access to classified Restricted Data or NationalSecurity Information or matter, access to sensitive unclassified information (e.g.,Safeguards), access to sensitive Information Technology (IT) systems or data,unescorted access to NRC controlled buildings/space, or unescorted access toprotected and vital areas of nuclear power plants.

(b) It is the contractor's duty to protect National Security Information, Restricted Data,and Formerly Restricted Data. The contractor shall, in accordance with theCommission's security regulations and requirements, be responsible for protectingNational Security Information, Restricted Data, and Formerly Restricted Data, and forprotecting against sabotage, espionage, loss, and theft, the classified documents andmaterial in the contractor's possession in connection with the performance of work underthis contract. Except as otherwise expressly provided in this contract, the contractorshall, upon completion or termination of this contract, transmit to the Commission anyclassified matter in the possession of the contractor or any person under the contractor's

8

control in connection with performance of this contract. If retention by the contractor ofany classified matter is required after the completion or termination of the contract andthe retention is approved by the contracting officer, the contractor shall complete acertificate of possession to be furnished to the Commission specifying the classifiedmatter to be retained. The certification must identify the items and types or categories ofmatter retained, the conditions governing the retention of the matter and their period ofretention, if known. If the retention is approved by the contracting officer, the securityprovisions of the contract continue to be applicable to the matter retained.

(c) In connection with the performance of the work under this contract, the contractormay be furnished, or may develop or acquire, safeguards information, or confidential orprivileged technical, business, or financial information, including Commission plans,policies, reports, financial plans, internal data protected by the Privacy Act of 1974 (Pub.L. 93.579), or other information which has not been released to the public or has beendetermined by the Commission to be otherwise exempt from disclosure to the public.The contractor shall ensure that information protected from public disclosure ismaintained as required by NRC regulations and policies, as cited in this contract or asotherwise provided by the NRC. The contractor will not directly or indirectly duplicate,disseminate, or disclose the information in whole or in part to any other person ororganization except as may be necessary to perform the work under this contract. Thecontractor agrees to return the information to the Commission or otherwise dispose of itat the direction of the contracting officer. Failure to comply with this clause is groundsfor termination of this contract.

(d) Regulations. The contractor agrees to conform to all security regulations andrequirements of the Commission which are subject to change as directed by the NRCDivision of Facilities and Security (DFS) and the Contracting Officer. These changes willbe under the authority of the FAR Changes clause referenced in this document.

The contractor agrees to comply with the security requirements set forth in NRCManagement Directive 12.1, NRC Facility Security Program which is incorporated intothis contract by reference as though fully set forth herein. Attention is directedspecifically to the section titled "Infractions and Violations," including "AdministrativeActions" and "Reporting Infractions."

(e) Definition of National Security Information. The term National Security Information,as used in this clause, means information that has been determined pursuant toExecutive Order 12958 or any predecessor order to require protection againstunauthorized disclosure and that is so designated.

(f) Definition of Restricted Data. The term Restricted Data, as used in this clause,means all data concerning design, manufacture, or utilization of atomic weapons; theproduction of special nuclear material; or the use of special nuclear material in theproduction of energy, but does not include data declassified or removed from theRestricted Data category pursuant to Section 142 of the Atomic Energy Act of 1954, asamended.

(g) Definition of Formerly Restricted Data. The term Formerly Restricted Data, as usedin this clause, means all data removed from the Restricted Data category under Section142-d of the Atomic Energy Act of 1954, as amended.

9

(h) Definition of Safeguards Information. Sensitive unclassified information thatspecifically identifies the detailed security measures of a licensee or an applicant for thephysical protection of special nuclear material; or security measures for the physicalprotection and location of certain plant equipment vital to the safety of production ofutilization facilities. Protection of this information is required pursuant to Section 147 ofthe Atomic Energy Act of 1954, as amended.

(i) Security Clearance. The contractor may not permit any individual to have access toRestricted Data, Formerly Restricted Data, or other classified information, except inaccordance with the Atomic Energy Act of 1954, as amended, and the Commission'sregulations or requirements applicable to the particular type or category of classifiedinformation to which access is required. The contractor shall also execute a StandardForm 312, Classified Information Nondisclosure Agreement, when access to classifiedinformation is required.

(j) Criminal Liabilities. It is understood that disclosure of National Security Information,Restricted Data, and Formerly Restricted Data relating to the work or services orderedhereunder to any person not entitled to receive it, or failure to safeguard any RestrictedData, Formerly Restricted Data, or any other classified matter that may come to thecontractor or any person under the contractor's control in connection with work underthis contract, may subject the contractor, its agents, employees, or subcontractors tocriminal liability under the laws of the United States. (See the Atomic Energy Act of1954, as amended, 42 U.S.C. 2011 et seq.; 18 U.S.C. 793 and 794; and ExecutiveOrder 12958.)

(k) Subcontracts and Purchase Orders. Except as otherwise authorized in writing bythe contracting officer, the contractor shall insert provisions similar to the foregoing in allsubcontracts and purchase orders under this contract.

(I) In performing the contract work, the contractor shall classify all documents, material,and equipment originated or generated by the contractor in accordance with guidanceissued by the Commission. Every subcontract and purchase order issued hereunderinvolving the origination or generation of classified documents, material, and equipmentmust provide that the subcontractor or supplier assign classification to all documents,material, and equipment in accordance with guidance furnished by the contractor.

H.8 SECURITY REQUIREMENTS FOR INFORMATION TECHNOLOGY LEVEL I ORLEVEL II ACCESS APPROVAL (AUG 2011)

The contractor must identify all individuals selected to work under this contract. TheNRC Contracting Officer's Representative (COR) shall make the final determination ofthe level, if any, of IT access approval required for all individuals working under thiscontract/order using the following guidance. The Government shall have full andcomplete control and discretion over granting, denying, withholding, or terminating ITaccess approvals for contractor personnel performing work under this contract/order.

The contractor shall conduct a preliminary security interview or review for eachemployee requiring IT level I or II access and submit to the Government only the namesof candidates that have a reasonable probability of obtaining the level of IT accessapproval for which the employee has been proposed. The contractor shall pre-screen itsapplicants for the following:

10

(a) felony arrest in the last seven (7) years; (b) alcohol related arrest within the last five(5) years; (c) record of any military courts-martial convictions in the past ten (10) years;(d) illegal use of narcotics or other controlled substances possession in the past year, orillegal purchase, production, transfer, or distribution of narcotics or other controlledsubstances in the last seven (7) years; and (e) delinquency on any federal debts orbankruptcy in the last seven (7) years.

The contractor shall make a written record of its pre-screening interview or review(including any information to mitigate the responses to items listed in (a) - (e)), and havethe employee verify the pre-screening record or review, sign and date it. The contractorshall supply two (2) copies of the signed contractor's pre-screening record or review tothe NRC Contracting Officer's Representative (COR), who will then provide them to theNRC Office of Administration, Division of Facilities and Security, Personnel SecurityBranch with the employee's completed IT access application package.

The contractor shall further ensure that its personnel complete all IT access approvalsecurity applications required by this clause within fourteen (14) calendar days ofnotification by the NRC Contracting Officer's Representative (COR) of initiation of theapplication process. Timely receipt of properly completed records of the pre-screeningrecord and IT access approval applications (submitted for candidates that have areasonable probability of obtaining the level of security assurance necessary for accessto NRC's IT systems/data) is a requirement of this contract/order. Failure of thecontractor to comply with this requirement may be a basis to terminate the contract/orderfor cause, or offset from the contract's invoiced cost or price the NRC's incurred costs ordelays as a result of inadequate pre-screening by the contractor.

SECURITY REQUIREMENTS FOR IT LEVEL I

Performance under this contract/order will involve contractor personnel who performservices requiring direct access to or operate agency sensitive information technologysystems or data (IT Level I). The IT Level I involves responsibility for the planning,direction, and implementation of a computer security program; major responsibility forthe direction, planning, and design of a computer system, including hardware andsoftware; or the capability to access a computer system during its operation ormaintenance in such a way that could cause or that has a relatively high risk of causinggrave damage; or the capability to realize a significant personal gain from computeraccess.

Contractor personnel shall not have access to sensitive information technologysystems or data until they are approved by DFS/PSB and they have been so informed inwriting by the NRC Contracting Officer's Representative (COR). Temporary IT accessmay be approved by DFS/PSB based on a favorable review or adjudication of theirsecurity forms and checks. Final IT access may be approved by DFS/PSB based on afavorably review or adjudication of a completed background investigation. However,temporary access authorization approval will be revoked and the employee maysubsequently be denied IT access in the event the employee's investigation cannot befavorably adjudicated. Such an employee will not be authorized to work under any NRCcontract/order requiring IT access without the approval of DFS/PSB, as communicated inwriting to the contractor by the NRC Contracting Officer's Representative (COR). Wheretemporary access authorization has been revoked or denied by DFS/PSB, the contractor

11

shall assign another contractor employee to perform the necessary work under thiscontract/ order without delay to the contract/order performance schedule, or withoutadverse impact to any other terms or conditions of the contract/order. When anindividual receives final IT access approval from DFS/PSB, the individual will be subjectto a reinvestigation every ten (10) years thereafter (assuming continuous performanceunder contract/order at NRC) or more frequently in the event of noncontinuousperformance under contract/order at NRC.

The contractor shall submit a completed security forms packet, including the OPMStandard Form (SF) 86 (Questionnaire for National Security Positions), two (2) copies ofthe Contractor's signed pre-screening record and two (2) FD 258 fingerprint charts, tothe NRC PO who will then provide them to DFS/PSB for review and adjudication, prior tothe individual being authorized to perform work under this contract/order requiringaccess to sensitive information technology systems or data. Non-U.S. citizens mustprovide official documentation to the DFS/PSB, as proof of their legal residency. Thisdocumentation can be a Permanent Resident Card, Temporary Work Visa, EmploymentAuthorization Card, or other official documentation issued by the U.S. Citizenship andImmigration Services. Any applicant with less than seven (7) years residency in the U.S.will not be approved for IT Level I access. The Contractor shall submit the documents tothe NRC Contracting Officer's Representative (COR) who will give them to DFS/PSB.The contractor shall ensure that all forms are accurate, complete, and legible. Based onDFS/PSB review of the contractor employee's security forms and/or the receipt ofadverse information by NRC, the contractor individual may be denied access to NRCfacilities and sensitive information technology systems or data until a final determinationis made by DFS/PSB and thereafter communicated to the contractor by the NRCContracting Officer's Representative (COR) regarding the contractor person's eligibility.

In accordance with NRCAR 2052.204-70 "Security," IT Level I contractors shall besubject to the attached NRC Form 187 and SF-86 which furnishes the basis for providingsecurity requirements to contractors that have or may have an NRC contractualrelationship which requires access to or operation of agency sensitive informationtechnology systems or remote development and/or analysis of sensitive informationtechnology systems or data or other access to such systems and data; access on acontinuing basis (in excess more than 30 calendar days) to NRC buildings; or otherwiserequires issuance of an unescorted NRC badge.

SECURITY REQUIREMENTS FOR IT LEVEL II

Performance under this contract/order will involve contractor personnel that developand/or analyze sensitive information technology systems or data or otherwise haveaccess to such systems or data (IT Level II).

The IT Level II involves responsibility for the planning, design, operation, ormaintenance of a computer system and all other computer or IT positions.

Contractor personnel shall not have access to sensitive information technologysystems or data until they are approved by DFS/PSB and they have been so informed inwriting by the NRC Contracting Officer's Representative (COR). Temporary access maybe approved by DFS/PSB based on a favorable review of their security forms andchecks. Final IT access may be approved by DFS/PSB based on a favorablyadjudication. However, temporary access authorization approval will be revoked and the

12

contractor employee may subsequently be denied IT access in the event the employee'sinvestigation cannot be favorably adjudicated. Such an employee will not be authorizedto work under any NRC contract/order requiring IT access without the approval ofDFS/PSB, as communicated in writing to the contractor by the NRC Contracting Officer'sRepresentative (COR). Where temporary access authorization has been revoked ordenied by DFS/PSB, the contractor is responsible for assigning another contractoremployee to perform the necessary work under this contract/order without delay to thecontract/order performance schedule, or without adverse impact to any other terms orconditions of the contract/order. When a contractor employee receives final IT accessapproval from DFS/PSB, the individual will be subject to a review or reinvestigationevery ten (10) years (assuming continuous performance under contract/order at NRC) ormore frequently in the event of noncontinuous performance under contract/order atNRC.

The contractor shall submit a completed security forms packet, including the OPMStandard Form (SF) 86 (Questionnaire for National Security Positions), two (2) copies ofthe Contractor's signed pre-screening record and two (2) FD 258 fingerprint charts,through the NRC Contracting Officer's Representative (COR) to DFS/PSB for review andadjudication, prior to the contractor employee being authorized to perform work underthis contract/order. Non-U.S. citizens must provide official documentation to theDFS/PSB, as proof of their legal residency. This documentation can be a PermanentResident Card, Temporary Work Visa, Employment Authorization Card, or other officialdocumentation issued by the U.S. Citizenship and Immigration Services. Any applicantwith less than seven (7) years residency in the U.S. will not be approved for IT Level IIaccess. The Contractor shall submit the documents to the NRC Contracting Officer'sRepresentative (COR) who will give them to DFS/PSB. The contractor shall ensure thatall forms are accurate, complete, and legible. Based on DFS/ PSB review of thecontractor employee's security forms and/or the receipt of adverse information by NRC,the contractor employee may be denied access to NRC facilities, sensitive informationtechnology systems or data until a final determination is made by DFS/PSB regardingthe contractor person's eligibility.

In accordance with NRCAR 2052.204-70 "Security," IT Level II contractors shall besubject to the attached NRC Form 187, SF-86, and contractor's record of the pre-screening which furnishes the basis for providing security requirements to contractorsthat have or may have an NRC contractual relationship which requires access to oroperation of agency sensitive information technology systems or remote developmentand/or analysis of sensitive information technology systems or data or other access tosuch systems or data; access on a continuing basis ( in excess of more than 30 calendardays) to NRC buildings; or otherwise requires issuance of an unescorted NRC badge.

CANCELLATION OR TERMINATION OF IT ACCESS/REQUEST

When a request for IT access is to be withdrawn or canceled, the contractor shallimmediately notify the NRC Contracting Officer's Representative (COR) by telephone sothat the access review may be promptly discontinued. The notification shall contain thefull name of the contractor employee and the date of the request. Telephonenotifications must be promptly confirmed by the contractor in writing to the NRCContracting Officer's Representative (COR), who will forward the confirmation toDFS/PSB. Additionally, the contractor shall immediately notify the NRC ContractingOfficer's Representative (COR) in writing, who will in turn notify DFS/PSB, when a

13

contractor employee no longer requires access to NRC sensitive automated informationtechnology systems or data, including the voluntary or involuntary separation ofemployment of a contractor employee who has been approved for or is being processedfor IT access.

The contractor shall flow the requirements of this clause down into all subcontractsand agreements with consultants for work that requires them to access NRC ITresources.

H.9 RULES OF BEHAVIOR FOR AUTHORIZED COMPUTER USE (MAR 2011)

In accordance with Appendix III, "Security of Federal Automated InformationResources," to Office of Management and Budget (OMB) Circular A-130, "Managementof Federal Information Resources," NRC has established rules of behavior for individualusers who access all IT computing resources maintained and operated by the NRC oron behalf of the NRC. In response to the direction from OMB, NRC has issued the"Agency-wide Rules of Behavior for Authorized Computer Use" policy, hereafter referredto as the rules of behavior. The rules of behavior for authorized computer use will beprovided to NRC computer users, including contractor personnel, as part of the annualcomputer security awareness course.

The rules of behavior apply to all NRC employees, contractors, vendors, and agents(users) who have access to any system operated by the NRC or by a contractor oroutside entity on behalf of the NRC. This policy does not apply to licensees. The nextrevision of Management Directive 12.5, "NRC Automated Information Security Program,"will include this policy. The rules of behavior can be viewed athttp://www.internal.nrc.gov/CSO/documents/ROB.pdf or use NRC's external Web-basedADAMS at http://wba.nrc.gov:8080/ves/ (Under Advanced Search, type ML082190730 inthe Query box).

The rules of behavior are effective immediately upon acknowledgement of them by theperson who is informed of the requirements contained in those rules of behavior. Allcurrent contractor users are required to review and acknowledge the rules of behavior aspart of the annual computer security awareness course completion. All new NRCcontractor personnel will be required to acknowledge the rules of behavior within oneweek of commencing work under this contract and then acknowledge as current usersthereafter. The acknowledgement statement can be viewed athttp://www.internal.nrc.gov/CSO/documents/ROBAck.pdf or use NRC's external Web-based ADAMS at http://wba.nrc.gov:8080/ves/ (Under Advanced Search, typeML082190730 in the Query box).

The NRC Computer Security Office will review and update the rules of behaviorannually beginning in FY 2011 by December 31st of each year. Contractors shallensure that their personnel to which this requirement applies acknowledge the rules ofbehavior before beginning contract performance and, if the period of performance for thecontract lasts more than one year, annually thereafter. Training on the meaning andpurpose of the rules of behavior can be provided for contractors upon written request tothe NRC Contracting Officer's Representative (COR).

The contractor shall flow down this clause into all subcontracts and other agreementsthat relate to performance of this contract/order if such subcontracts/agreements will

14

authorize access to NRC electronic and information technology (EIT) as that term isdefined in FAR 2.101.

H.10 SAFETY OF ON-SITE CONTRACTOR PERSONNEL

Ensuring the safety of occupants of Federal buildings is a responsibility shared by theprofessionals implementing our security and safety programs and the persons beingprotected. The NRC's Office of Administration (ADM) Division of Facilities and Security(DFS) has coordinated an Occupant Emergency Plan (OEP) for NRC Headquartersbuildings with local authorities. The OEP has been approved by the MontgomeryCounty Fire and Rescue Service. It is designed to improve building occupants' chancesof survival, minimize damage to property, and promptly account for building occupantswhen necessary.

The contractor's Project Director shall ensure that all personnel working full time on-siteat NRC Headquarters read the NRC's OEP, provided electronically on the NRC Intranetat http://www.internal.nrc.gov/ADM/OEP.pdf The contractor's Project Director also shallemphasize to each staff member that they are to be familiar with and guided by theOEP, as well as by instructions given by emergency response personnel in situationswhich pose an immediate health or safety threat to building occupants.

The NRC COR shall ensure that the contractor's Project Director has communicated therequirement for on-site contractor staff to follow the guidance in the OEP. The NRCCOR also will assist in accounting for on-site contract persons in the event of a majoremergency (e.g., explosion occurs and casualties or injuries are suspected) duringwhich a full evacuation will be required, including the assembly and accountability ofoccupants. The NRC DFS will conduct drills periodically to train occupants and assessthese procedures.

H.11 NRC INFORMATION TECHNOLOGY SECURITY TRAINING (AUG 2011)

NRC contractors shall ensure that their employees, consultants, and subcontractorswith access to the agency's information technology (IT) equipment and/or IT servicescomplete NRC's online initial and refresher IT security training requirements to ensurethat their knowledge of IT threats, vulnerabilities, and associated countermeasuresremains current. Both the initial and refresher IT security training courses generally lastan hour or less and can be taken during the employee's regularly scheduled work day.

Contractor employees, consultants, and subcontractors shall complete the NRC'sonline annual, "Computer Security Awareness" course on the same day that theyreceive access to the agency's IT equipment and/or services, as their first action usingthe equipment/service. For those contractor employees, consultants,and subcontractorswho are already working under this contract, the on-line training must be completed inaccordance with agency Network Announcements issued throughout the year, withinthree weeks of issuance of this modification.

Contractor employees, consultants, and subcontractors who have been grantedaccess to NRC information technology equipment and/or IT services must continue totake IT security refresher training offered online by the NRC throughout the term of thecontract. Contractor employees will receive notice of NRC's online IT security refreshertraining requirements through agency-wide notices.

15

The NRC reserves the right to deny or withdraw Contractor use or access to NRC ITequipment and/or services, and/or take other appropriate contract administrative actions(e.g., disallow costs, terminate for cause) should the Contractor violate the Contractor'sresponsibility under this clause.

H.12 CONTRACTING OFFICER REPRESENTATIVE

(a) The contracting officer's authorized representative (hereinafter referred to as theCOR) for this task order ("contract") is:

Primary Contracting Officer's Representative:

Name:Address:

Telephone Number:Email:

Mario FernandezThree White Flint North, Mail Stop: 3WFN/8 C7011601 Landsdown StreetNorth Bethesda, MD 20852301-251-3687mario.fernandez @ nrc.gov

Alternate Contracting Officer's Representative (authority for SOW Section C.7.7,Develop and Present Cyber Security Training):

Name:Address:

Telephone Number:Email:

Andrea TrueNRC Technical Training CenterOsborne Office Center5746 Marlin Road, Suite 200Chattanooga, TN 37411-5677423-855-6675andrea.true @ nrc.qov

(b) Performance of the work under this contract is subject to the technical direction ofthe NRC COR. The term "technical direction" is defined to include the following:

(1) Technical direction to the contractor which shifts work emphasis between areas ofwork or tasks, authorizes travel which was unanticipated in the Schedule (i.e., travel notcontemplated in the Statement of Work (SOW) or changes to specific travel identified inthe SOW), fills in details, or otherwise serves to accomplish the contractual SOW.

(2) Provide advice and guidance to the contractor in the preparation of drawings,specifications, or technical portions of the work description.

(3) Review and, where required by the contract, approval of technical reports,drawings, specifications, and technical information to be delivered by the contractor tothe Government under the contract.

(c) Technical direction must be within the general statement of work stated in thecontract. The COR does not have the authority to and may not issue any technicaldirection which:

(1) Constitutes an assignment of work outside the general scope of the contract.

16

(2) Constitutes a change as defined in the "Changes" clause of this contract.

(3) In any way causes an increase or decrease in the total estimated contract cost,the fixed fee, if any, or the time required for contract performance.

(4) Changes any of the expressed terms, conditions, or specifications of the contract.

(5) Terminates the contract, settles any claim or dispute arising under the contract, orissues any unilateral directive whatever.

(d) All technical directions must be issued in writing by the COR or must be confirmedby the COR in writing within ten (10) working days after verbal issuance. A copy of thewritten direction must be furnished to the contracting officer. A copy of NRC Form 445,Request for Approval of Official Foreign Travel, which has received final approval fromthe NRC must be furnished to the contracting officer.

(e) The contractor shall proceed promptly with the performance of technical directionsduly issued by the COR in the manner prescribed by this clause and within the COR'sauthority under the provisions of this clause.

(f) If, in the opinion of the contractor, any instruction or direction issued by the COR iswithin one of the categories as defined in paragraph (c) of this section, the contractormay not proceed but shall notify the contracting officer in writing within five (5) workingdays after the receipt of any instruction or direction and shall request the contractingofficer to modify the contract accordingly. Upon receiving the notification from thecontractor, the contracting officer shall issue an appropriate contract modification oradvise the contractor in writing that, in the contracting officer's opinion, the technicaldirection is within the scope of this article and does not constitute a change under the"Changes" clause.

(g) Any unauthorized commitment or direction issued by the COR may result in anunnecessary delay in the contractor's performance and may even result in the contractorexpending funds for unallowable costs under the contract.

(h) A failure of the parties to agree upon the nature of the instruction or direction orupon the contract action to be taken with respect thereto is subject to 52.233-1 -Disputes.

(i) In addition to providing technical direction as defined in paragraph (b) of the section,the COR shall:

(1) Monitor the contractor's technical progress, including surveillance andassessment of performance, and recommend to the contracting officer changes inrequirements.

(2) Assist the contractor in the resolution of technical problems encountered duringperformance.

17

(3) Review all costs requested for reimbursement by the contractor and submit to thecontracting officer recommendations for approval, disapproval, or suspension ofpayment for supplies and services required under this contract.

(4) Assist the contractor in obtaining the badges for the contractor personnel.

(5) Immediately notify the Security Branch, Division of Facilities and Security(SB/DFS) (via e-mail) when a contractor employee no longer requires accessauthorization and return of any NRC issued badge to SB/DFS within three days aftertheir termination.

(6) Ensure that all contractor employees that require access to classified RestrictedData or National Security Information or matter, access to sensitive unclassifiedinformation (Safeguards, Official Use Only, and Proprietary information) access tosensitive IT systems or data, unescorted access to NRC controlled buildings/space, orunescorted access to protected and vital areas of nuclear power plants receive approvalof SB/DFS prior to access in accordance with Management Directive and Handbook12.3.

(7) For contracts for the design, development, maintenance or operation of PrivacyAct Systems of Records, obtain from the contractor as part of closeout procedures,written certification that the contractor has returned to NRC, transferred to the successorcontractor, or destroyed at the end of the contract in accordance with instructionsprovided by the NRC Systems Manager for Privacy Act Systems of Records, all records(electronic or paper) which were created, compiled, obtained or maintained under thecontract.

H.13 DENIAL OF FEDERAL BENEFITS TO INDIVIDUALS CONVICTED OF DRUGTRAFFICKING OR POSSESSION (AUG 2011)

In the event that an award is made to an individual, Section 5301 of the Anti-DrugAbuse Act of 1988 (P.L. 100-690), codified at 21 U.S.C. 862, authorizes denial ofFederal benefits such as grants, contracts, purchase orders, financial aid, and businessand professional licenses to individuals convicted of drug trafficking or possession.

H.14 COMPENSATION FOR ON-SITE CONTRACTOR PERSONNEL (AUG 2011)ALTERNATE I (AUG 2011)

(a) NRC facilities may not be available due to (1) designated federal holiday, any otherday designated by federal statute, Executive Order, or by Presidential Proclamation; (2)early dismissal of NRC employees during working hours (e.g., special holidays oremergency situations); or (3) occurrence of emergency conditions during nonworkinghours (e.g., inclement weather).

(b) When NRC facilities are unavailable, the compensation and deduction policy statedbelow shall be followed for contractor employees performing work on-site at the NRCfacility:

(c) The contractor shall not charge the NRC for work performed by on- site contractoremployees who were reassigned to perform other duties off site during the time the NRCfacility was closed.

18

(d) On-site contractor staff shall be guided by the instructions given by a third party(e.g., Montgomery County personnel, in the case of a water emergency) in situationswhich pose an immediate health or safety threat to employees.

(e) The contractor's Project Director shall first consult the NRC Officer'sRepresentative (COR) before releasing on-site personnel in situations which do notimpose an immediate safety or health threat to employees (e.g., special holidays). Thatsame day, the contractor must then alert the Contracting Officer of the NRC ContractingOfficer's Representative's (COR) direction. The contractor shall continue to providesufficient personnel to perform the requirements of essential tasks as defined in theStatement of Work which already are in operation or are scheduled.

H.15 PERSONNEL REQUIREMENTS

This task order requires work with classified and unclassified information and systems.Some Contractor personnel may require an "L" or a "Q" clearance. All Contractorpersonnel with access to NRC information systems or NRC sensitive information musthave an IT Level I or II approved access in accordance with Management Directive 12.3,NRC Personnel Security Program.

H.16 2052.204-71 SITE ACCESS BADGE REQUIREMENTS (JAN 1993)

During the life of this contract, the rights of ingress and egress for contractor personnelmust be made available as required. In this regard, all contractor personnel whoseduties under this contract require their presence on-site shall be clearly identifiable by adistinctive badge furnished by the Government. The COR shall assist the contractor inobtaining the badges for contractor personnel. It is the sole responsibility of thecontractor to ensure that each employee has proper identification at all times. Allprescribed identification must be immediately delivered to the Security Office forcancellation or disposition upon the termination of employment of any contractorpersonnel. Contractor personnel shall have this identification in their possession duringon-site performance under this contract. It is the contractor's duty to assure thatcontractor personnel enter only those work areas necessary for performance of contractwork and to assure the safeguarding of any Government records or data that contractorpersonnel may come into contact with.

H.17 AWARD NOTIFICATION AND COMMITMENT OF PUBLIC FUNDS

(a) All offerors will receive preaward and postaward notices in accordance with FAR15.503.

(b) It is also brought to your attention that the contracting officer is the only individualwho can legally obligate funds or commit the NRC to the expenditure of public funds inconnection with this procurement. This means that unless provided in a contractdocument or specifically authorized by the contracting officer, NRC technical personnelmay not issue contract modifications, give formal contractual commitments, or otherwisebind, commit, or obligate the NRC contractually. Informal unauthorized commitments,which do not obligate the NRC and do not entitle the contractor to payment, may include:

(1) Encouraging a potential contractor to incur costs prior to receiving a contract;

19

(2) Requesting or requiring a contractor to make changes under a contract withoutformal contract modifications;

(3) Encouraging a contractor to incur costs under a cost-reimbursable contract in excessof those costs contractually allowable; and

(4) Committing the Government to a course of action with regard to a potential contract,contract change, claim, or dispute.

H.18 USE OF AUTOMATED CLEARING HOUSE (ACH) ELECTRONICPAYMENT/REMITTANCE ADDRESS

The Debt Collection Improvement Act of 1996 requires that all Federal payments exceptIRS tax refunds be made by Electronic Funds Transfer. It is the policy of the NuclearRegulatory Commission to pay government vendors by the Automated Clearing House(ACH) electronic funds transfer payment system. Item 15C of the Standard Form 33may be disregarded.

H.19 GREEN PURCHASING (SEP 2013)

(a) In furtherance of the sustainable acquisition goals included in Executive Order13514, "Federal Leadership in Environmental, Energy, and Economic Performance,"products and services acquired under this contract/order shall be energy-efficient(Energy Star or Federal Energy Management Program (FEMP) designated), water-efficient, biobased, environmentally preferable (e.g., Electronic Product EnvironmentalAssessment Tool (EPEAT) certified), non-ozone depleting, recycled content, and non-toxic or less toxic alternatives, to the maximum extent practicable in meeting NRCcontractual requirements.

(b) See NRC's Green Purchasing Plan (GPP) at:http://pbadupws.nrc.gov/docs/ML1219//ML12191 Al 30.pdf and the General ServiceAdministration's (GSA) Green Procurement Compilation at:http://www.gsa.gov/portal/content/198257.

(c) The contractor shall flow down this clause into all subcontracts and other agreementsthat relate to performance of this contract/order.

H.20 CONTRACTOR RESPONSIBILITY FOR PROTECTING PERSONALLYIDENTIFIABLE INFORMATION (P11)

In accordance with the Office of Management and Budget's guidance to Federalagencies and the Nuclear Regulatory Commission's (NRC) implementing policy andprocedures, a contractor (including subcontractors and contractor employees), whoperforms work on behalf of the NRC, is responsible for protecting, from unauthorizedaccess or disclosure, personally identifiable information (PII) that may be provided,developed, maintained, collected, used, or disseminated, whether in paper, electronic, orother format, during performance of this contract.

A contractor who has access to NRC owned or controlled P11, whether provided to thecontractor by the NRC or developed, maintained, collected, used, or disseminated by the

20

contractor during the course of contract performance, must comply with the followingrequirements:

(1) General. In addition to implementing the specific requirements set forth in thisclause, the contractor must adhere to all other applicable NRC guidance, policy andrequirements for the handling and protection of NRC owned or controlled PII. Thecontractor is responsible for making sure that it has an adequate understanding of suchguidance, policy and requirements.

(2) Use, Ownership, and Nondisclosure. A contractor may use NRC owned orcontrolled PII solely for purposes of this contract, and may not collect or use such PII forany purpose outside the contract without the prior written approval of the NRCContracting Officer. The contractor must restrict access to such information to onlythose contractor employees who need the information to perform work under thiscontract, and must ensure that each such contractor employee (including subcontractors'employees) signs a nondisclosure agreement, in a form suitable to the NRC ContractingOfficer, prior to being granted access to the information. The NRC retains soleownership and rights to its P11. Unless the contract states otherwise, upon completion ofthe contract, the contractor must turn over all PIH in its possession to the NRC, and mustcertify in writing that it has not retained any NRC owned or controlled PII except asotherwise authorized in writing by the NRC Contracting Officer.

(3) Security Plan. When applicable, and unless waived in writing by the NRCContracting Officer, the contractor must work with the NRC to develop and implement asecurity plan setting forth adequate procedures for the protection of NRC owned orcontrolled PII as well as the procedures which the contractor must follow for notifying theNRC in the event of any security breach. The plan will be incorporated into the contractand must be implemented and followed by the contractor once it has been approved bythe NRC Contracting Officer. If the contract does not include a security plan at the timeof contract award, a plan must be submitted for the approval of the NRC ContractingOfficer within 30 days after contract award.

(4) Breach Notification. The contractor must immediately notify the NRC ContractingOfficer and the NRC Contracting Officer's Representative (COR) upon discovery of anysuspected or confirmed breach in the security of NRC owned or controlled P11.

(5) Legal Demands for Information. If a legal demand is made for NRC owned orcontrolled PIH (such as by subpoena), the contractor must immediately notify the NRCContracting Officer and the NRC Contracting Officer's Representative (COR). Afternotification, the NRC will determine whether and to what extent to comply with the legaldemand. The Contracting Officer will then notify the contractor in writing of thedetermination and such notice will indicate the extent of disclosure authorized, if any.The contractor may only release the information specifically demanded with the writtenpermission of the NRC Contracting Officer.

(6) Audits. The NRC may audit the contractor's compliance with the requirements ofthis clause, including through the use of online compliance software.

(7) Flow-down. The prime contractor will flow this clause down to subcontractors thatwould be covered by any portion of this clause, as if they were the prime contractor.

21

(8) Remedies:

(a) The contractor is responsible for implementing and maintaining adequate securitycontrols to prevent the loss of control or unauthorized disclosure of NRC owned orcontrolled PHI in its possession. Furthermore, the contractor is responsible for reportingany known or suspected loss of control or unauthorized access to PH1 to the NRC inaccordance with the provisions set forth in Article 4 above.

(b) Should the contractor fail to meet its responsibilities under this clause, the NRCreserves the right to take appropriate steps to mitigate the contractor's violation of thisclause. This may include, at the sole discretion of the NRC, termination of the subjectcontract.

(9) Indemnification. Notwithstanding any other remedies available to the NRC, thecontractor will indemnify the NRC against all liability (including costs and fees) for anydamages arising out of violations of this clause.

H.21 DRUG FREE WORKPLACE TESTING: UNESCORTED ACCESS TO NUCLEARFACILITIES, ACCESS TO CLASSIFIED INFORMATION OR SAFEGUARDSINFORMATION, OR PERFORMING IN SPECIALLY SENSITIVE POSITIONS

All contractor employees, subcontractor employees, and consultants proposed forperformance or performing under this contract shall be subject to pre-assignment,random, reasonable suspicion, and post-accident drug testing applicable to: (1)individuals who require unescorted access to nuclear power plants, (2) individuals whohave access to classified or safeguards information, (3) individuals who are required tocarry firearms in performing security services for the NRC, (4) individuals who arerequired to operate government vehicles or transport passengers for the NRC, (5)individuals who are required to operate hazardous equipment at NRC facilities, or (6)individuals who admit to recent illegal drug use or those who are found through othermeans to be using drugs illegally. The Plan includes a contractor's employees and theirsubcontractors are subject to the procedures and terms of their employment agreementswith their employer.

The NRC Drug Program Manager will schedule the drug testing for all contractoremployees, subcontractor employees, and consultants who are subject to testing underthis clause. Any NRC contractor found to be using, selling, or possessing illegal drugs,or any contractor with a verified positive drug test result under this program while in aduty status will immediately be removed from working under the NRC contract. Thecontractor's employer will be notified of the denial or revocation of the individual'sauthorization to have access to information and ability to perform under the contract. Theindividual may not work on any NRC contract for a period of not less than one year fromthe date of the failed drug test and will not be considered for reinstatement unlessevidence of rehabilitation, as determined by the NRC "drug testing contractor's" MedicalReview Officer, is provided.

Contractor drug testing records are protected under the NRC Privacy Act Systems ofRecords, System 35, "Drug Testing Program Records - NRC" found at:http://www.nrc.gov/reading-rm/foia/privacy-systems.html

22

H.22 AUTHORITY TO USE GOVERNMENT PROVIDED SPACE AT NRCHEADQUARTERS (SEP 2013)

Prior to occupying any Government provided space at NRC Headquarters in RockvilleMaryland, the Contractor shall obtain written authorization to occupy specificallydesignated government space, via the NRC Contracting Officer's Representative (COR),from the Chief, Space Design Branch, Office of Administration. Failure to obtain thisprior authorization can result in one, or a combination, of the following remedies asdeemed appropriate by the Contracting Officer.

(1) Rental charge for the space occupied will be deducted from the invoice amount duethe Contractor

(2) Removal from the space occupied

(3) Contract Termination

H.23 WHISTLEBLOWER PROTECTION FOR NRC CONTRACTOR ANDSUBCONTRACTOR EMPLOYEES

(a) The U.S. Nuclear Regulatory Commission (NRC) contractor and its subcontractor aresubject to the Whistleblower Employee Protection public law provisions as codified at 42U.S.C. 5851. NRC contractor(s) and subcontractor(s) shall comply with therequirements of this Whistleblower Employee Protection law, and the implementingregulations of the NRC and the Department of Labor (DOL). See, for example, DOLProcedures on Handling Complaints at 29 C.F.R. Part 24 concerning the employerobligations, prohibited acts, DOL procedures and the requirement for prominent postingof notice of Employee Rights at Appendix A to Part 24 entitled: "Your Rights Under theEnergy Reorganization Act".

(b) Under this Whistleblower Employee Protection law, as implemented by regulations,NRC contractor and subcontractor employees are protected from discharge, reprisal,threats, intimidation, coercion, blacklisting or other employment discrimination practiceswith respect to compensation, terms, conditions or privileges of their employmentbecause the contractor or subcontractor employee(s) has provided notice to theemployer, refused to engage in unlawful practices, assisted in proceedings or testifiedon activities concerning alleged violations of the Atomic Energy Act of 1954 (asamended) and the Energy Reorganization Act of 1974 (as amended).

(c) The contractor shall insert this or the substance of this clause in any subcontractsinvolving work performed under this contract.

H.24 SECURITY REQUIREMENTS RELATING TO THE PRODUCTION OFREPORT(S) OR THE PUBLICATION OF RESULTS UNDER CONTRACTS,AGREEMENTS, AND GRANTS

Review and Approval of Reports

(a) Reporting Requirements. The contractor/grantee shall comply with the terms andconditions of the contract/grant regarding the contents of the draft and final report,summaries, data, and related documents, to include correcting, deleting, editing,

23

revising, modifying, formatting, and supplementing any of the information containedtherein, at no additional cost to the NRC. Performance under the contract/grant will notbe deemed accepted or completed until it complies with the NRC's directions. Thereports, summaries, data, and related documents will be considered draft until approvedby the NRC. The contractor/grantee agrees that the direction, determinations, anddecisions on approval or disapproval of reports, summaries, data, and relateddocuments created under this contract/grant remain solely within the discretion of theNRC.

(b) Publication of Results. Prior to any dissemination, display, publication, or release ofarticles, reports, summaries, data, or related documents developed under thecontract/grant, the contractor/grantee shall submit them to the NRC for review andapproval. The contractor/ grantee shall not release, disseminate, display or publisharticles, reports, summaries, data, and related documents, or the contents therein, thathave not been reviewed and approved by the NRC for release, display, dissemination orpublication. The contractor/grantee agrees to conspicuously place any disclaimers,markings or notices, directed by the NRC, on any articles, reports, summaries, data, andrelated documents that the contractor/grantee intends to release, display, disseminate orpublish to other persons, the public, or any other entities. The contractor/grantee agrees,and grants, a royalty-free, nonexclusive, irrevocable worldwide license to thegovernment, to use, reproduce, modify, distribute, prepare derivative works, release,display or disclose the articles, reports, summaries, data, and related documentsdeveloped under the contract/grant, for any governmental purpose and to have orauthorize others to do so.

(c) Identification/Marking of Sensitive Unclassified Non-Safeguards Information (SUNSI)and Safeguards Information (SGI). The decision, determination, or direction by the NRCthat information possessed, formulated or produced by the contractor/granteeconstitutes SUNSI or SGI is solely within the authority and discretion of the NRC. Inperforming the contract/grant, the contractor/grantee shall clearly mark SUNSI and SGI,to include for example, OUO-Allegation Information or OUO-Security RelatedInformation on any reports, documents, designs, data, materials, and written information,as directed by the NRC. In addition to marking the information as directed by the NRC,the contractor shall use the applicable NRC cover sheet (e.g., NRC Form 461Safeguards Information) in maintaining these records and documents. Thecontractor/grantee shall ensure that SUNSI and SGI is handled, maintained andprotected from unauthorized disclosure, consistent with NRC policies and directions. Thecontractor/grantee shall comply with the requirements to mark, maintain, and protect allinformation, including documents, summaries, reports, data, designs, and materials inaccordance with the provisions of Section 147 of the Atomic Energy Act of 1954 asamended, its implementing regulations (10 CFR 73.21), Sensitive Unclassified Non-Safeguards and Safeguards Information policies, and NRC Management Directives andHandbooks 12.5, 12.6 and 12.7.

(d) Remedies. In addition to any civil, criminal, and contractual remedies available underthe applicable laws and regulations, failure to comply with the above provisions, and/orNRC directions, may result in suspension, withholding, or offsetting of any paymentsinvoiced or claimed by the contractor/grantee.

(e) Flowdown. If the contractor/grantee intends to enter into any subcontracts or otheragreements to perform this contract/grant, the contractor/grantee shall include all of the

24

above provisions in any subcontracts or agreements.

H.25 NRC INFORMATION TECHNOLOGY SECURITY

NRC contractors shall ensure that their employees, consultants, and subcontractors withaccess to the agency's information technology (IT) equipment and/or IT servicescomplete NRC's online initial and refresher IT security training requirements to ensurethat their knowledge of IT threats, vulnerabilities, and associated countermeasuresremains current. Both the initial and refresher IT security training courses generally lastan hour or less and can be taken during the employee's regularly scheduled work day.

Contractor employees, consultants, and subcontractors shall complete the NRC's onlineannual, "Computer Security Awareness" course on the same day that they receiveaccess to the agency's IT equipment and/or services, as their first action using theequipment/service. For those contractor employees, consultants, and subcontractorswho are already working under this contract, the on-line training must be completed inaccordance with agency Network Announcements issued throughout the year, withinthree weeks of issuance of this modification.

Contractor employees, consultants, and subcontractors who have been granted accessto NRC information technology equipment and/or IT services must continue to take ITsecurity refresher training offered online by the NRC throughout the term of the contract.Contractor employees will receive notice of NRC's online IT security refresher trainingrequirements through agency-wide notices.

The NRC reserves the right to deny or withdraw Contractor use or access to NRC ITequipment and/or services, and/or take other appropriate contract administrative actions(e.g., disallow costs, terminate for cause) should the Contractor violate the Contractor'sresponsibility under this clause.

H.26 COMPLIANCE WITH U.S. IMMIGRATION LAWS AND REGULATIONS

NRC contractors are responsible to ensure that their alien personnel are not in violationof United States immigration laws and regulations, including employment authorizationdocuments and visa requirements. Each alien employee of the Contractor must belawfully admitted for permanent residence as evidenced by Permanent Resident Form I-551 (Green Card), or must present other evidence from the U.S. Department ofHomeland Security/U.S. Citizenship and Immigration Services that employment will notaffect his/her immigration status. The U.S. Citizenship and Immigration Servicesprovides information to contractors to help them understand the employment eligibilityverification process for non-US citizens. This information can be found on their website,http://www.uscis.gov/portal/site/uscis.

The NRC reserves the right to deny or withdraw Contractor use or access to NRCfacilities or its equipment/services, and/or take any number of contract administrativeactions (e.g., disallow costs, terminate for cause) should the Contractor violate theContractor's responsibility under this clause.

H.27 ANNUAL AND FINAL CONTRACTOR PERFORMANCE EVALUATIONS

Annual and final evaluations of contractor performance under this contract will be

25

prepared in accordance with FAR Subpart 42.15, "Contractor Performance Information,"normally at or near the time the contractor is notified of the NRC's intent to exercise thecontract option. Final evaluations of contractor performance will be prepared at theexpiration of the contract during the contract closeout process.

The Contracting Officer will transmit the NRC Contracting Officer's Representative's(COR) annual and final contractor performance evaluations to the contractor's ProjectManager, unless otherwise instructed by the contractor. The contractor will be permittedthirty days to review the document and submit comments, rebutting statements, oradditional information.

Where a contractor concurs with, or takes no exception to an annual performanceevaluation, the Contracting Officer will consider such evaluation final and releasable forsource selection purposes. Disagreements between the parties regarding a performanceevaluation will be referred to an individual one level above the Contracting Officer,whose decision will be final.

The Contracting Officer will send a copy of the completed evaluation report, marked"Source Selection Information", to the contractor's Project Manager for their records assoon as practicable after it has been finalized. The completed evaluation report also willbe used as a tool to improve communications between the NRC and the contractor andto improve contract performance.

The completed annual performance evaluation will be used to support future awarddecisions in accordance with FAR 42.1502 and 42.1503. During the period theinformation is being used to provide source selection information, the completed annualperformance evaluation will be released to only two parties - the Federal governmentpersonnel performing the source selection evaluation and the contractor underevaluation if the contractor does not have a copy of the report already.

H.28 IT SECURITY REQUIREMENTS - NRC AND CONTRACTOR (NON-NRC)FACILITIES (APR 2014)

Backups

The contractor shall ensure that backup media is created, encrypted (in accordance withinformation sensitivity) and verified to ensure that data can be retrieved and is restorableto NRC systems based on information sensitivity levels. Backups shall be executed tocreate readable media that allows successful file/data restoration at the followingfrequencies:

• At least every 1 calendar day for a high sensitivity system* At least every 1 calendar day for a moderate sensitivity system• At least every 7 calendar days for a low sensitivity system

Perimeter Protection

The Contractor must employ perimeter protection mechanisms, such as firewalls androuters, to deny all communications unless explicitly allowed by exception.

The contractor must deploy and monitor intrusion detection capability and have an

26

always deployed and actively engaged security monitoring capability in place forsystems placed in operation for the NRC. Intrusion detection and monitoring reports willmade available to the NRC upon request for following security categorizations andreporting timeframes:

* 5 calendar days after being requested for a high sensitivity system* 10 calendar days after being requested for a moderate sensitivity system* 15 calendar days after being requested for a low sensitivity system

H.29 IT SECURITY REQUIREMENTS - CERTIFICATION AND ACCREDITATION

SECURITY RISK ASSESSMENT

The contractor shall work with the NRC Contracting Officer's Representative (COR) inperforming Risk Assessment activities according to NRC policy, standards, andguidance. The contractor shall perform Risk Assessment activities that include analyzinghow the architecture implements the NRC documented security policy for the system,assessing how management, operational, and technical security control features areplanned or implemented and how the system interconnects to other systems or networkswhile maintaining security.

SYSTEM SECURITY PLAN

The contractor shall develop the system security plan (SSP) according to NRC policy,standards, and guidance to define the implementation of IT security controls necessaryto meet both the functional assurance and security requirements. The contractor willensure that all controls required to be implemented are documented in the SSP.

ASSESSMENT PROCEDURES - SECURITY TEST & EVALUATION

The contractor shall follow NRC policy, standards, and guidance for execution of the testprocedures. These procedures shall be supplemented and augmented by tailored testprocedures based on the control objective as it applies to NRC. The contractor shallinclude verification and validation to ensure that appropriate corrective action was takenon identified security weaknesses.

The contractor shall perform ST&E activities, including but not limited to, coordinatingthe ST&E and developing the ST&E Plan, execution ST&E test cases anddocumentation of test results. The contractor shall prepare the Plan of Action andMilestones (POA&M) based on the ST&E results.

PLAN OF ACTION AND MILESTONES (POA&M) MAINTENANCE & REPORTING

The contractor shall provide a determination, in a written form agreed to by the NRCContracting Officer's Representative (COR) and Computer Security Office, on whetherthe implemented corrective action was adequate to resolve the identified informationsecurity weaknesses and provide the reasons for any exceptions or risked-baseddecisions. The contractor shall document any vulnerabilities indicating which portions ofthe security control have not been implemented or applied.

The contractor shall develop and implement solutions that provide a means of planning

27

and monitoring corrective actions; define roles and responsibilities for risk mitigation;assist in identifying security funding requirements; track and prioritize resources; andinform decision-makers of progress of open POA&M items.

The contractor shall perform verification of IT security weaknesses to ensure that allweaknesses identified through third party (e.g., OIG) audits are included in the POA&Msthat the quarterly reporting to OMB is accurate, and the reasons for any exceptions orrisked-based decisions are reasonable and clearly documented. This verificationprocess will be done in conjunction with the continuous monitoring activities.

CERTIFICATION & ACCREDITATION DOCUMENTATION

The contractor shall create, update maintain all Certification and Accreditation (C&A)documentation in accordance with the following NRC Certification and Accreditationprocedures and guidance:

-C&A Non-SGI Unclassified Systems-C&A SGI Unclassified Systems-C&A Classified Systems

The Contractor must develop contingency plan and ensure annual contingency testing iscompleted within one year of previous test and provide an updated security plan and testreport according to NRC's policy and procedure.

The Contractor must conduct annual security control testing according to NRC's policyand procedure and update POA&M, SSP, etc. to reflect any findings or changes tomanagement, operational and technical controls.

H.30 INFORMATION TECHNOLOGY (IT) SECURITY REQUIREMENTS - GENERAL(APR 2014)

Basic Contract IT Security Requirements

The contractor agrees to insert terms that conform substantially to the language of the ITsecurity requirements, excluding any reference to the Changes clause of this contract,all subcontracts under this contract.

For unclassified information used for the effort, the contractor shall provide aninformation security categorization document indicating the sensitivity of the informationprocessed as part of this contract if the information security categorization was notprovided in the statement of work. The determination shall be made using NationalInstitute of Standards and Technology (NIST) Special Publication (SP) 800-60 and mustbe approved by CSO. The NRC contracting officer and Contracting Officer'sRepresentative (COR) shall be notified immediately before the contractor begins toprocess information at a higher sensitivity level.

If the effort includes use or processing of classified information, the NRC contractingofficer and Contracting Officer's Representative (COR) shall be notified before thecontractor begins to process information at a more restrictive classification level.

All work under this contract shall comply with the latest version of policy, procedures and

28

standards. Individ