U.S. Department of Health & Human Services
Email Updates 
Font Size 
Print 
Download Reader 
Part 352--Solicitation Provisions and Contract Clauses, continuedHHS Acquisition Regulation (HHSAR)Sections on this page:
Authority: 5 U.S.C. 301; 40 U.S.C. 121(c)(2). [Changed by APM 2010-01] [Changed by FAC 2005-45] [Technical Correction 09-2010] 352.231-70 Salary rate limitation.As prescribed in 331.101-70(b), the Contracting Officer shall insert the following clause: Salary Rate Limitation (January 2010) (a) Pursuant to the current and applicable prior HHS appropriations acts, the Contractor shall not use contract funds to pay the direct salary of an individual at a rate in excess of the federal Executive Schedule Level I in effect on the date an expense is incurred. (b) For purposes of the salary rate limitation, the terms ‘‘direct salary,’’ ‘‘salary,’’ and ‘‘institutional base salary’’ have the same meaning and are collectively referred to as ‘‘direct salary’’ in this clause. An individual’s direct salary is the annual compensation that the Contractor pays for an individual’s direct effort (costs) under the contract. Direct salary excludes any income that an individual may be permitted to earn outside of duties to the Contractor. Direct salary also excludes fringe benefits, overhead, and general and administrative expenses (also referred to as indirect costs or facilities and administrative [F&A] costs). (NOTE: The salary rate limitation does not restrict the salary that an organization may pay an individual working under an HHS contract or order; it merely limits the portion of that salary that may be paid with federal funds.) (c) The salary rate limitation also applies to individuals under subcontracts. If this is a multiple-year contract or order, it may be subject to unilateral modification by the Contracting Officer to ensure that an individual is not paid at a rate that exceeds the salary rate limitation provision established in the HHS appropriations act in effect when the expense is incurred regardless of the rate initially used to establish contract or order funding. (d) See the salaries and wages pay tables on the U.S. Office of Personnel Management website for federal Executive Schedule salary levels that apply to the current and prior periods. (End of clause) 352.231-71 Pricing of adjustments.As prescribed in 331.102-70, the Contracting Officer shall insert the following clause: Pricing of Adjustments (January 2001) When costs are a factor in determination of a contract price adjustment pursuant to the "Changes" clause or any provision of this contract, the applicable cost principles and procedures set forth below shall form the basis for determining such costs:
(End of clause) 352.232-70 Incremental funding.As prescribed in 332.705-2(b)(1), the Contracting Officer shall insert the provision provided below in all solicitations when a cost-reimbursement contract for severable services using incremental funding is contemplated. Incremental Funding (June 2010) The Government intends to negotiate and award a cost-reimbursement contract using incremental funding as described in the clauses at FAR 52.232–22, “Limitation of Funds,” and 352.232-71, “Estimated Cost – Incrementally Funded Contract.” The initial obligation of funds under the contract is expected to cover [insert the appropriate period or increment of performance]. The Government intends to obligate additional funds up to and including the full estimated cost of the contract for the remaining years of performance by unilateral contract modification. However, the Government is not required to reimburse the Contractor for costs incurred in excess of the total amount obligated, nor is the Contractor required to perform beyond the level supported by the total amount obligated. (End of provision) 352.232-71 Estimated cost - incrementally funded contract.As prescribed in 332.705-2(b)(2), the Contracting Officer shall insert the clause provided below in “Section B: Supplies or Services and Prices/Costs” in all cost-reimbursement contracts for severable services using incremental funding. The Contracting Officer must insert applicable information as shown below, including information about the planned periods or other increments of performance and their associated funding. The Contracting Officer also may revise the language to reflect the specific type of cost-reimbursement contract awarded (e.g., cost-plus-fixed-fee, cost-plus-award-fee). Estimated Cost - Incrementally Funded Contract (June 2010) (a) The total estimated cost to the Government for full performance of this contract, including all allowable direct and indirect costs, is $______[insert full amount]. (b) The following represents the schedule* by which the Government expects to allot funds to this contract:
* To be inserted after negotiation (c) Total funds currently obligated and available for payment under this contract are $______[insert amount funded to date]. (d) The Contracting Officer may issue unilateral modifications to obligate additional funds to the contract and make related changes to paragraphs (b) and/or (c) above. (e) Until this contract is fully funded, the requirements of the clause at FAR 52.232–22, Limitation of Funds, shall govern. Once the contract is fully funded, the requirements of the clause at FAR 52.232-20, Limitation of Cost, govern. (End of clause) 352.232-72 Limitation of Government’s obligation.As prescribed in 332.705-2(b)(3), insert the following clause in solicitations and resultant incrementally funded fixed-price, time and materials or labor-hour contracts for severable services: Limitation of Government’s Obligation (June 2010) (a) Contract line items * through * are incrementally funded. For these items, the sum of $ * of the total price is the amount currently obligated, available for payment, and allotted to this contract. A projected allotment schedule is set forth in paragraph (i) of this clause. However, the Government may at any time allot additional funds for the performance of these contract line items. (b) For items identified in paragraph (a) of this clause, the Contractor agrees to perform up to the point at which the total amount payable by the Government, including reimbursement in the event of termination of those item(s) for the Government’s convenience, approximates, but does not exceed, the total amount currently allotted to the contract. The Contractor is not required to continue work on those items beyond that point. The Government shall not be required in any event to pay the Contractor in excess of the amount allotted to the contract for those items notwithstanding anything to the contrary in the clause entitled “Termination for Convenience of the Government.” As used in this clause, the total amount payable by the Government in the event of such termination of the contract line item(s) identified in paragraph (a) above includes costs, profit, and estimated/negotiated termination settlement costs for those item(s). (c) Notwithstanding the dates specified in the allotment schedule in paragraph (i) of this clause, the Contractor shall notify the Contracting Officer in writing at least 90 days prior to the date when, in the Contractor’s best judgment, the work will reach the point at which the total amount payable by the Government, including any cost for termination for convenience, will approximate 85 percent of the total amount then allotted to the contract for performance of the applicable items. The Contractor notification shall provide: (1) the estimated date when that point will be reached; and (2) an estimate of additional funding, if any, needed to continue performance of applicable line items up to the next scheduled date for allotment of funds identified in paragraph (i) of this clause, or up to a mutually agreed upon substitute date. The notification shall also advise the Contracting Officer of the estimated amount of additional funds that will be required for the timely performance of the items funded pursuant to this clause, for a subsequent period as may be specified in the allotment schedule in paragraph (i) of this clause or otherwise agreed to by the parties. If, after such notification, additional funds are not allotted by the date identified in the Contractor’s notification, or by a mutually agreed substitute date, the Contracting Officer will terminate any item(s) for which additional funds have not been allotted, pursuant to the clause of this contract entitled “Termination for Convenience of the Government.” (d) When additional funds are allotted for continued performance of the contract line items identified in paragraph (a) of this clause, the parties will agree to the period of contract performance which will be covered by the funds. The provisions of paragraphs (b) and (c) of this clause will apply in like manner to the additional allotted funds and mutually agreed date, and the contract will be modified accordingly. (e) If, solely by reason of failure of the Government to allot additional funds by the dates indicated below in amounts sufficient for timely performance of the contract line items identified in paragraph (a) of this clause, the Contractor incurs additional costs or is delayed in the performance of the work under this contract and if additional funds are subsequently allotted, an equitable adjustment will be made in the price or prices (including appropriate target, billing, and ceiling prices where applicable) of the items, or in the time of delivery, or both. Failure to agree to any such equitable adjustment hereunder will be a dispute concerning a question of fact under the clause entitled “Disputes.” (f) The termination provisions of this clause do not limit the rights of the Government under the clause entitled “Default.” This clause no longer applies once the contract is fully funded except with regard to the rights or obligations of the parties concerning equitable adjustments negotiated under paragraphs (d) and (e) of this clause. (g) Nothing in this clause affects the right of the Government to terminate this contract pursuant to the clause of this contract entitled “Termination for the Convenience of the Government.” Furthermore, in the event of a termination for convenience of the contract, for line item(s) identified in paragraph (a) of this clause, the Government’s liability is limited to the total amount allotted and obligated for those line item(s) as of the date of such termination. (h) Nothing in this clause shall be construed as authorization of voluntary services whose acceptance is prohibited under 31 U.S.C. 1342. (i) The following represents the mutually-agreed schedule* by which the Government will allot funds to this contract. [The illustrated schedule may be revised as necessary to suit the specific circumstances of the contract.]
* To be inserted after negotiation. (End of clause) Alternate I (June 2010) If only one contract line item will be incrementally funded, substitute the following paragraph (a) for paragraph (a) of the basic clause: (a) Contract line item ___*___ is incrementally funded. For this item, the sum of $ * of the total price is currently available for payment and allotted to this contract. A projected allotment schedule is set forth in paragraph (i) of this clause. However, the Government may at any time allot additional funds for the performance of this contract line item. * To be inserted after negotiation.
352.233-70 Choice of law (overseas)As prescribed in 333.215-70(a), the Contracting Officer shall insert the following clause: Choice of Law (Overseas) (January 2010) This contract shall be construed in accordance with the substantive laws of the United States of America. By the execution of this contract, the Contractor expressly agrees to waive any rights to invoke the jurisdiction of local national courts where this contract is performed and agrees to accept the exclusive jurisdiction of the Civilian Board of Contract Appeals and the United States Court of Federal Claims for hearing and determination of any and all disputes that may arise under the Disputes clause of this contract. (End of clause) 352.233-71 Litigation and claims.As prescribed in 333.215-70(b), the Contracting Officer shall insert the following clause: Litigation and Claims (January 2006) (a) The Contractor shall provide written notification immediately to the Contracting Officer of any action, including any proceeding before an administrative agency, filed against the Contractor arising out of the performance of this contract, including, but not limited to the performance of any subcontract hereunder; and any claim against the Contractor the cost and expense of which is allowable under the clause entitled ‘‘Allowable Cost and Payment.’’ (b) Except as otherwise directed by the Contracting Officer, the Contractor shall furnish immediately to the Contracting Officer copies of all pertinent papers received by the Contractor with respect to such action or claim. To the extent not in conflict with any applicable policy of insurance, the Contractor may, with the Contracting Officer’s approval, settle any such action or claim. If required by the Contracting Officer, the Contractor shall effect an assignment and subrogation in favor of the Government of all the Contractor’s rights and claims (except those against the Government) arising out of any such action or claim against the Contractor; and authorize representatives of the Government to settle or defend any such action or claim and to represent the Contractor in, or to take charge of, any action. (c) If the Government undertakes a settlement or defense of an action or claim, the Contractor shall furnish all reasonable assistance in effecting a settlement or asserting a defense. Where an action against the Contractor is not covered by a policy of insurance, the Contractor shall, with the approval of the Contracting Officer, proceed with the defense of the action in good faith. The Government shall not be liable for the expense of defending any action or for any costs resulting from the loss thereof to the extent that the Contractor would have been compensated by insurance which was required by law or regulation or by written direction of the Contracting Officer, but which the Contractor failed to secure through its own fault or negligence. In any event, unless otherwise expressly provided in this contract, the Government shall not reimburse or indemnify the Contractor for any liability loss, cost, or expense, which the Contractor may incur or be subject to by reason of any loss, injury or damage, to the person or to real or personal property of any third parties as may accrue during, or arise from, the performance of this contract. (End of clause) 352.234-1 Notice of earned value management system – pre-award Integrated Baseline Review.As prescribed in 334.203-70(a), the Contracting Officer shall insert the following provision: Notice of Earned Value Management System – The offeror shall provide documentation that its proposed Earned Value Management System (EVMS) complies with the EVMS guidelines in ANSI/EIA Standard-748 (current version at time of solicitation).
(1) The plan shall— (i) Describe the EVMS the offeror intends to use in performance of the contract; (ii) Distinguish between the offeror’s existing management system and modifications proposed to meet the guidelines; (iii) Describe the management system and its application in terms of the EVMS guidelines; (iv) Describe the proposed procedure for application of the EVMS requirements to subcontractors; (v) Provide documentation describing the process and results, including Government participation if applicable, of any third-party evaluation or self-evaluation of the system’s compliance with the EVMS guidelines; and (vi) Provide a schedule of events leading up to formal validation and Government acceptance of the offeror’s EVMS, if the value of the offeror’s proposal, including options, is $25 million or more. (2) The offeror shall provide information and assistance, as required by the Contracting Officer, to support review of the plan. (3) The Contracting Officer will review the offeror’s EVMS implementation plan prior to contract award. (4) The offeror’s EVMS plan must provide milestones indicating when the offeror anticipates that the EVMS will be compliant with the ANSI/EIS Standard-748 guidelines.
(End of provision)
352.234-2 Notice of earned value management system – post-award Integrated Baseline Review.As prescribed in 334.203-70(b), the Contracting Officer shall insert the following provision: Notice of Earned Value Management System –
(a) The offeror shall provide documentation that its proposed Earned Value Management System (EVMS) complies with the EVMS guidelines in ANSI/EIA Standard-748 (current version in effect at time of solicitation). (b) If the offeror proposes to use a system that currently does not meet the requirements of paragraph (a) of this provision, the offeror shall submit a comprehensive plan for compliance with the guidelines. (1) The plan shall— (i) Describe the EVMS the offeror intends to use in performance of the contract; (ii) Distinguish between the offeror’s existing management system and modifications proposed to meet the guidelines; (iii) Describe the management system and its application in terms of the EVMS guidelines; (iv) Describe the proposed procedure for application of the EVMS requirements to subcontractors; (v) Provide documentation describing the process and results, including Government participation if applicable, of any third-party evaluation or self-evaluation of the system’s compliance with the EVMS guidelines; and (vi) Provide a schedule of events leading up to formal validation and Government acceptance of the offeror’s EVMS, if the value of the offeror’s proposal, including options, is $25 million or more. (2) The offeror shall provide information and assistance, as required by the Contracting Officer, to support review of the plan. (3) The Contracting Officer will review the offeror’s EVMS implementation plan prior to contract award. (4) The offeror’s EVMS plan must provide milestones indicating when the offeror anticipates that the EVM system will be compliant with the ANSI/EIA Standard-748 guidelines. (c) The offeror shall identify in its offer the subcontractors, or subcontracted effort if subcontractors have not been identified, to which the requirements of EVMS will be applied. Prior to contract award, the offeror and HHS shall agree on the subcontractors, or subcontracted effort, subject to the EVMS requirement. (d) HHS will conduct an Integrated Baseline Review after contract award. (End of provision) 352.234-3 Full earned value management system.As prescribed in 334.203-70(c), the Contracting Officer shall insert the following clause: Full Earned Value Management System (October 2008)
(1) Apply the current system to the contract; and (2) Take necessary and timely actions to meet the milestones in the Contractor’s EVMS plan approved by the Contracting Officer.
(f) The Contractor shall provide access to all pertinent records and data requested by the Contracting Officer or a duly authorized representative as necessary to permit Government surveillance to ensure that the EVMS conforms, and continues to conform, with the requirements referenced in paragraph (a) of this clause. (g) The Contractor shall require the subcontractors specified below to comply with the requirements of the clause: (Insert list of applicable subcontractors.) (End of clause) Alternate I (October 2008) As prescribed in 334.203-70(d), the Contracting Officer shall substitute the following paragraphs (a), (b), and (c) for paragraphs (a), (b), and (c) of the basic clause and delete paragraph (e) of the basic clause: (a) The Contractor shall use an Earned Value Management System (EVMS) that is compliant with the schedule-related guidelines in ANSI/EIA Standard-748 (current version at the time of award) to manage this contract. If the Contractor’s current EVMS is not compliant at the time of award, see paragraph (b) of this clause. The Contractor shall submit EVM reports in accordance with the requirements of this contract. (b) If, at the time of award, the Contractor’s schedule-related EVM system is not in compliance with the schedule-related EVMS guidelines in ANSI/EIA Standard-748 (current version at time of award), or the Contractor does not have an existing schedule control system that is compliant with such guidelines, the Contractor shall— (1) Apply the current system to the contract; and (2) Take necessary and timely actions to meet the milestones in the Contractor’s EVMS plan approved by the Contracting Officer. (c) HHS will not formally validate or accept the Contractor’s schedule-related EVMS with respect to this contract. The use of the Contractor’s EVMS for this contract does not imply HHS acceptance of the Contractor’s EVMS for application to future contracts. The Contracting Officer or designee will conduct a Compliance Review to assess the Contractor’s compliance with its approved plan. If the Contractor does not follow the approved implementation schedule or correct all resulting system deficiencies noted during the Compliance Review within a reasonable time, the Contracting Officer may take remedial action that may include, but is not limited to, suspension of or reduction in progress payments, or a reduction in fee. 352.237-70 Pro-Children Act.As prescribed in 337.103-70(a), the Contracting Officer shall insert the following clause: Pro-Children Act (January 2006) (a) Public Law 103–227, Title X, Part C, also known as the Pro-Children Act of 1994 (Act), 20 U.S.C. 7183, imposes restrictions on smoking in facilities where certain federally funded children’s services are provided. The Act prohibits smoking within any indoor facility (or portion thereof), whether owned, leased, or contracted for, that is used for the routine or regular provision of (i) kindergarten, elementary, or secondary education or library services or (ii) health or day care services that are provided to children under the age of 18. The statutory prohibition also applies to indoor facilities that are constructed, operated, or maintained with Federal funds. (b) By acceptance of this contract or order, the Contractor agrees to comply with the requirements of the Act. The Act also applies to all subcontracts awarded under this contract for the specified children’s services. Accordingly, the Contractor shall ensure that each of its employees, and any subcontractor staff, is made aware of, understand, and comply with the provisions of the Act. Failure to comply with the Act may result in the imposition of a civil monetary penalty in an amount not to exceed $1,000 for each violation and/or the imposition of an administrative compliance order on the responsible entity. Each day a violation continues constitutes a separate violation. (End of clause) 352.237-71 Crime Control Act—reporting of child abuse.As prescribed in 337.103-70(b), the Contracting Officer shall insert the following clause: Crime Control Act of 1990—Reporting of Child Abuse (January 2006) (a) Public Law 101–647, also known as the Crime Control Act of 1990 (Act), imposes responsibilities on certain individuals who, while engaged in a professional capacity or activity, as defined in the Act, on federal land or in a federally-operated (or contracted) facility, learn of facts that give the individual reason to suspect that a child has suffered an incident of child abuse. (b) The Act designates ‘‘covered professionals’’ as those persons engaged in professions and activities in eight different categories including, but not limited to, physicians, dentists, medical residents or interns, hospital personnel and administrators, nurses, health care practitioners, chiropractors, osteopaths, pharmacists, optometrists, podiatrists, emergency medical technicians, ambulance drivers, alcohol or drug treatment personnel, psychologists, psychiatrists, mental health professionals, child care workers and administrators, and commercial film and photo processors. The Act defines the term ‘‘child abuse’’ as the physical or mental injury, sexual abuse or exploitation, or negligent treatment of a child. (c) Accordingly, any person engaged in a covered profession or activity under an HHS contract or subcontract, regardless of the purpose of the contract or subcontract, shall immediately report a suspected child abuse incident in accordance with the provisions of the Act. If a child is suspected of being harmed, the appropriate State Child Abuse Hotline, local child protective services (CPS), or law enforcement agency shall be contacted. For more information about where and how to file a report, the Childhelp USA, National Child Abuse Hotline (1–800–4–A–CHILD) shall be called. Any covered professional failing to make a timely report of such incident shall be guilty of a Class B misdemeanor. (d) By acceptance of this contract or order, the Contractor agrees to comply with the requirements of the Act. The Act also applies to all applicable subcontracts awarded under this contract. Accordingly, the Contractor shall ensure that each of its employees, and any subcontractor staff, is made aware of, understand, and comply with the provisions of the Act. (End of clause) 352.237-72 Crime Control Act—requirement for background checks.As prescribed in 337.103-70(c), the Contracting Officer shall insert the following clause: Crime Control Act of 1990—Requirement for Background Checks
(a) Public Law 101–647, also known as the Crime Control Act of 1990 (Act), requires that all individuals involved with the provision of child care services to children under the age of 18 undergo a criminal background check. ‘‘Child care services’’ include, but are not limited to, social services, health and mental health care, child (day) care, education (whether or not directly involved in teaching), and rehabilitative programs. Any conviction for a sex crime, an offense involving a child victim, or a drug felony, may be grounds for denying employment or for dismissal of an employee providing any of the services listed above. (b) The Contracting Officer will provide the necessary information to the Contractor regarding the process for obtaining the background check. The Contractor may hire a staff person provisionally prior to the completion of a background check, if at all times prior to the receipt of the background check during which children are in the care of the newly-hired person, the person is within the sight and under the supervision of a previously investigated staff person. (c) By acceptance of this contract or order, the Contractor agrees to comply with the requirements of the Act. The Act also applies to all applicable subcontracts awarded under this contract. Accordingly, the Contractor shall ensure that each of its employees, and any subcontractor staff, is made aware of, understand, and comply with the provisions of the Act. (End of clause) 352.239-70 Standard for security configurations.As prescribed in 339.101(d)(1), the Contracting Officer shall insert the following clause: Standard for Security Configurations (January 2010) (a) The Contractor shall configure its computers that contain HHS data with the applicable Federal Desktop Core Configuration (FDCC) (see http://nvd.nist.gov/fdcc/index.cfm) and ensure that its computers have and maintain the latest operating system patch level and anti-virus software level. (Note: FDCC is applicable to all computing systems using Windows XP™ and Windows Vista™, including desktops and laptops—regardless of function—but not including servers.) (b) The Contractor shall apply approved security configurations to information technology (IT) that is used to process information on behalf of HHS. The following security configuration requirements apply: (NOTE: The Contracting Officer shall specify applicable security configuration requirements in solicitations and contracts based on information provided by the Project Officer, who shall consult with the OPDIV/STAFFDIV Chief Information Security Officer.) (c) The Contractor shall ensure IT applications operated on behalf of HHS are fully functional and operate correctly on systems configured in accordance with the above configuration requirements. The Contractor shall use Security Content Automation Protocol (SCAP)-validated tools with FDCC Scanner capability to ensure its products operate correctly with FDCC configurations and do not alter FDCC settings – see http://scap.nist.gov/validation/. The Contractor shall test applicable product versions with all relevant and current updates and patches installed. The Contractor shall ensure currently supported versions of information technology products meet the latest FDCC major version and subsequent major versions. (d) The Contractor shall ensure IT applications designed for end users run in the standard user context without requiring elevated administrative privileges. (e) The Contractor shall ensure hardware and software installation, operation, maintenance, update, and patching will not alter the configuration settings or requirements specified above. (f) The Contractor shall (1) include Federal Information Processing Standard (FIPS) 201-compliant (see http://csrc.nist.gov/publications/fips/fips201-1/FIPS-201-1-chng1.pdf), Homeland Security Presidential Directive 12 (HSPD-12) card readers with the purchase of servers, desktops, and laptops; and (2) comply with FAR Subpart 4.13, Personal Identity Verification. (g) The Contractor shall ensure that its subcontractors (at all tiers) which perform work under this contract comply with the requirements contained in this clause. (End of clause) 352.239-71 Standard for encryption language.As prescribed in 339.101(d)(2), the Contracting Officer shall insert the following clause: Standard for Encryption Language (January 2010) (a) The Contractor shall use Federal Information Processing Standard (FIPS) 140-2-(PDF) compliant encryption (Security Requirements for Cryptographic Module, as amended) to protect all instances of HHS sensitive information during storage and transmission. (Note: The Government has determined that HHS information under this contract is considered “sensitive” in accordance with FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, dated February 2004.) (b) The Contractor shall verify that the selected encryption product has been validated under the Cryptographic Module Validation Program (see http://csrc.nist.gov/cryptval/) to confirm compliance with FIPS 140-2 (as amended). The Contractor shall provide a written copy of the validation documentation to the Contracting Officer and the Contracting Officer’s Technical Representative. (c) The Contractor shall use the Key Management Key (see FIPS 201, Chapter 4, as amended) on the HHS personal identification verification (PIV) card; or alternatively, the Contractor shall establish and use a key recovery mechanism to ensure the ability for authorized personnel to decrypt and recover all encrypted information (see http://csrc.nist.gov/drivers/documents/ombencryption-guidance.pdf). The Contractor shall notify the Contracting Officer and the Contracting Officer’s Technical Representative of personnel authorized to decrypt and recover all encrypted information. (d) The Contractor shall securely generate and manage encryption keys to prevent unauthorized decryption of information in accordance with FIPS 140-2 (as amended). (e) The Contractor shall ensure that this standard is incorporated into the Contractor’s property management/control system or establish a separate procedure to account for all laptop computers, desktop computers, and other mobile devices and portable media that store or process sensitive HHS information. (f) The Contractor shall ensure that its subcontractors (at all tiers) which perform work under this contract comply with the requirements contained in this clause. (End of clause) 352.239-72 Security requirements for federal information technology resources.As prescribed in 339.7103, the Contracting Officer shall insert the following clause: Security Requirements for Federal Information Technology Resources
(a) Applicability. This clause applies whether the entire contract or order (hereafter “contract”), or portion thereof, includes information technology resources or services in which the Contractor has physical or logical (electronic) access to, or operates a Department of Health and Human Services (HHS) system containing, information that directly supports HHS’ mission. The term “information technology (IT)”, as used in this clause, includes computers, ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services (including support services) and related resources. This clause does not apply to national security systems as defined in FISMA. (b) Contractor responsibilities. The Contractor is responsible for the following: (1) Protecting federal information and federal information systems in order to ensure their— (i) Integrity, which means guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity; (ii) Confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and. (iii) Availability, which means ensuring timely and reliable access to and use of information. (2) Providing security of any Contractor systems, and information contained therein, connected to an HHS network or operated by the Contractor, regardless of location, on behalf of HHS. (3) Adopting, and implementing, at a minimum, the policies, procedures, controls, and standards of the HHS Information Security Program to ensure the integrity, confidentiality, and availability of federal information and federal information systems for which the Contractor is responsible under this contract or to which it may otherwise have access under this contract. The HHS Information Security Program is outlined in the HHS Information Security Program Policy, which is available on the HHS Office of the Chief Information Officer’s (OCIO) website. (c) Contractor security deliverables. In accordance with the timeframes specified, the Contractor shall prepare and submit the following security documents to the Contracting Officer for review, comment, and acceptance: (1) IT Security Plan (IT-SP) – due within 30 days after contract award. The IT-SP shall be consistent with, and further detail the approach to, IT security contained in the Contractor’s bid or proposal that resulted in the award of this contract. The IT-SP shall describe the processes and procedures that the Contractor will follow to ensure appropriate security of IT resources that are developed, processed, or used under this contract. If the IT-SP only applies to a portion of the contract, the Contractor shall specify those parts of the contract to which the IT-SP applies. (i) The Contractor’s IT-SP shall comply with applicable federal laws that include, but are not limited to, the Federal Information Security Management Act (FISMA) of 2002 (PDF) (Title III of the E-Government Act of 2002, Public Law 107-347), and the following federal and HHS policies and procedures: (A) Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources. (B) National Institute of Standards and Technology (NIST) Special Publication (SP) 800-18 (PDF), Guide for Developing Security Plans for Federal Information Systems, in form and content, and with any pertinent contract Statement of Work/Performance Work Statement (SOW/PWS) requirements. The IT-SP shall identify and document appropriate IT security controls consistent with the sensitivity of the information and the requirements of Federal Information Processing Standard (FIPS) 200, Recommended Security Controls for Federal Information Systems. The Contractor shall review and update the IT-SP in accordance with NIST SP 800-26, Security Self-Assessment Guide for Information Technology Systems and FIPS 200, on an annual basis. (C) HHS-OCIO Information Systems Security and Privacy Policy. (ii) After resolution of any comments provided by the Government on the draft IT-SP, the Contracting Officer shall accept the IT-SP and incorporate the Contractor’s final version into the contract for Contractor implementation and maintenance. On an annual basis, the Contractor shall provide to the Contracting Officer verification that the IT-SP remains valid. (2) IT Risk Assessment (IT-RA) – due within 30 days after contract award. The IT-RA shall be consistent, in form and content, with NIST SP 800-30, Risk Management Guide for Information Technology Systems, and any additions or augmentations described in the HHS-OCIO Information Systems Security and Privacy Policy. After resolution of any comments provided by the Government on the draft IT-RA, the Contracting Officer shall accept the IT-RA and incorporate the Contractor’s final version into the contract for Contractor implementation and maintenance. The Contractor shall update the IT-RA on an annual basis. (3) FIPS 199 Standards for Security Categorization of Federal Information and Information Systems Assessment (FIPS 199 Assessment) – due within 30 days after contract award. The FIPS 199 Assessment shall be consistent with the cited NIST standard. After resolution of any comments by the Government on the draft FIPS 199 Assessment, the Contracting Officer shall accept the FIPS 199 Assessment and incorporate the Contractor’s final version into the contract. (4) IT Security Certification and Accreditation (IT-SC&A) – due within 3 months after contract award. The Contractor shall submit written proof to the Contracting Officer that an IT-SC&A was performed for applicable information systems – see paragraph (a) of this clause. The Contractor shall perform the IT-SC&A in accordance with the HHS Chief Information Security Officer’s Certification and Accreditation Checklist; NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems; and NIST SP 800-53, Recommended Security Controls for Federal Information Systems. An authorized senior management official shall sign the draft IT-SC&A and provide it to the Contracting Officer for review, comment, and acceptance. (i) After resolution of any comments provided by the Government on the draft IT-SC&A, the Contracting Officer shall accept the IT-SC&A and incorporate the Contractor’s final version into the contract as a compliance requirement. (ii) The Contractor shall also perform an annual security control assessment and provide to the Contracting Officer verification that the IT-SC&A remains valid. Evidence of a valid system accreditation includes written results of (A) annual testing of the system contingency plan and (B) the performance of security control testing and evaluation. (d) Personal identity verification. The Contractor shall identify its employees with access to systems operated by the Contractor for HHS or connected to HHS systems and networks. The Contracting Officer’s Technical Representative (COTR) shall identify, for those identified employees, position sensitivity levels that are commensurate with the responsibilities and risks associated with their assigned positions. The Contractor shall comply with the HSPD-12 requirements contained in “HHS-Controlled Facilities and Information Systems Security” requirements specified in the SOW/PWS of this contract. (e) Contractor and subcontractor employee training. The Contractor shall ensure that its employees, and those of its subcontractors, performing under this contract complete HHS-furnished initial and refresher security and privacy education and awareness training before being granted access to systems operated by the Contractor on behalf of HHS or access to HHS systems and networks. The Contractor shall provide documentation to the COTR evidencing that Contractor employees have completed the required training. (f) Government access for IT inspection. The Contractor shall afford the Government access to the Contractor’s and subcontractors’ facilities, installations, operations, documentation, databases, and personnel used in performance of this contract to the extent required to carry out a program of IT inspection (to include vulnerability testing), investigation, and audit to safeguard against threats and hazards to the integrity, confidentiality, and availability, of HHS data or to the protection of information systems operated on behalf of HHS. (g) Subcontracts. The Contractor shall incorporate the substance of this clause in all subcontracts that require protection of federal information and federal information systems as described in paragraph (a) of this clause, including those subcontracts that— (1) Have physical or electronic access to HHS' computer systems, networks, or IT infrastructure; or (2) Use information systems to generate, store, process, or exchange data with HHS or on behalf of HHS, regardless of whether the data resides on a HHS or the Contractor's information system. (h) Contractor employment notice. The Contractor shall immediately notify the Contracting Officer when an employee either begins or terminates employment (or is no longer assigned to the HHS project under this contract), if that employee has, or had, access to HHS information systems or data. (i) Document information. The Contractor shall contact the Contracting Officer for any documents, information, or forms necessary to comply with the requirements of this clause. (j) Contractor responsibilities upon physical completion of the contract. The Contractor shall return all HHS information and IT resources provided to the Contractor during contract performance and certify that all HHS information has been purged from Contractor-owned systems used in contract performance . (k) Failure to comply. Failure on the part of the Contractor or its subcontractors to comply with the terms of this clause shall be grounds for the Contracting Officer to terminate this contract. (End of clause) 352.239-73 Electronic information and technology accessibility.(a) As prescribed in 339.201–70(a), the Contracting Officer shall insert the following provision: Electronic and Information Technology Accessibility (January 2010) (a) Section 508 of the Rehabilitation Act of 1973 (29 U.S.C. 794d), as amended by the Workforce Investment Act of 1998, and the Architectural and Transportation Barriers Compliance Board Electronic and Information (EIT) Accessibility Standards (36 CFR Part 1194), require that, unless an exception applies, all EIT products and services developed, acquired, maintained, or used by any federal department or agency permit— (1) Federal employees with disabilities to have access to and use information and data that is comparable to the access and use of information and data by federal employees who are not individuals with disabilities; and (2) Members of the public with disabilities seeking information or services from a federal agency to have access to and use of information and data that is comparable to the access and use of information and data by members of the public who are not individuals with disabilities. (b) Accordingly, any vendor submitting a proposal/quotation/bid in response to this solicitation must demonstrate compliance with the established EIT accessibility standards. Information about Section 508 is available at http://www.section508.gov/. The complete text of Section 508 Final Provisions can be accessed at http://www.access-board.gov/sec508/standards.htm. (c) The Section 508 accessibility standards applicable to this solicitation are identified in the Statement of Work/Specification/Performance Work Statement. In order to facilitate the Government’s evaluation to determine whether EIT products and services proposed meet applicable Section 508 accessibility standards, offerors must prepare an HHS Section 508 Product Assessment Template, in accordance with its completion instructions, and provide a binding statement of conformance. The purpose of the template is to assist HHS acquisition and program officials in determining that EIT products and services proposed support applicable Section 508 accessibility standards. The template allows vendors or developers to self-evaluate their products or services and document in detail how they do or do not conform to a specific Section 508 accessibility standard. Instructions for preparing the HHS Section 508 Evaluation Template may be found under Section 508 policy on the HHS Office on Disability website (http://www.hhs.gov/od/). (d) Respondents to this solicitation must also provide any additional detailed information necessary for determining applicable Section 508 accessibility standards conformance, as well as for documenting EIT products or services that are incidental to the project, which would constitute an exception to Section 508 requirements. If a vendor claims its products or services, including EIT deliverables such as electronic documents and reports, meet applicable Section 508 accessibility standards in its completed HHS Section 508 Product Assessment Template, and it is later determined by the Government – i.e., after award of a contract/order, that products or services delivered do not conform to the described accessibility standards in the Product Assessment Template, remediation of the products or services to the level of conformance specified in the vendor’s Product Assessment Template will be the responsibility of the Contractor and at its expense. (End of provision) (b) As prescribed in 339.201–70(b), the Contracting Officer shall insert the following clause: Electronic and Information Technology Accessibility (January 2010) (a) Pursuant to Section 508 of the Rehabilitation Act of 1973 (29 U.S.C. 794d), as amended by the Workforce Investment Act of 1998, all electronic and information technology (EIT) products and services developed, acquired, maintained, or used under this contract/order must comply with the “Electronic and Information Technology Accessibility Provisions” set forth by the Architectural and Transportation Barriers Compliance Board (also referred to as the “Access Board”) in 36 CFR Part 1194. Information about Section 508 is available at http://www.section508.gov/. The complete text of Section 508 Final Provisions can be accessed at http://www.access-board.gov/sec508/standards.htm. (b) The Section 508 accessibility standards applicable to this contract/order are identified in the Statement of Work/Specification/Performance Work Statement. The Contractor must provide a written Section 508 conformance certification due at the end of each contract/order exceeding $150,000 when the contract/order duration is one year or less. If it is determined by the Government that EIT products and services provided by the Contractor do not conform to the described accessibility standards in the Product Assessment Template, remediation of the products or services to the level of conformance specified in the Contractor’s Product Assessment Template will be the responsibility of the Contractor at its own expense. (c) In the event of a modification(s) to this contract/order, which adds new EIT products or services or revises the type of, or specifications for, products or services the Contractor is to provide, including EIT deliverables such as electronic documents and reports, the Contracting Officer may require that the contractor submit a completed HHS Section 508 Product Assessment Template to assist the Government in determining that the EIT products or services support Section 508 accessibility standards. Instructions for documenting accessibility via the HHS Section 508 Product Assessment Template may be found under Section 508 policy on the HHS Office on Disability website (http://www.hhs.gov/od/). (c) As prescribed in 339.201–70(c), the Contracting Officer shall add the following paragraph to the end of clause 352.239-73(b): Prior to the Contracting Officer exercising an option for a subsequent performance period/additional quantity or adding funding for a subsequent performance period under this contract, as applicable, the Contractor must provide a Section 508 Annual Report to the Contracting Officer and Project Officer. Unless otherwise directed by the Contracting Officer in writing, the Contractor shall provide the cited report in accordance with the following schedule. Instructions for completing the report are available in the Section 508 policy on the HHS Office on Disability website under the heading Vendor Information and Documents. The Contractor’s failure to submit a timely and properly completed report may jeopardize the Contracting Officer’s exercising an option or adding funding, as applicable. Schedule for Contractor Submission of Section 508 Annual Report (to be completed by the Contracting Officer at time of contract/order award) Go to
|