task order no. 012 under delivery order no. nrc-03-10-081. · 2012. 12. 6. · nrc-03-10-081...


Page 1: Task Order No. 012 Under Delivery Order No. NRC-03-10-081. · 2012. 12. 6. · NRC-03-10-081 NRC-T012 DELIVERY ORDER TERMS AND CONDITIONS NOT SPECIFIED IN THE CONTRACT A.1 BRIEF DESCRIPTION

ORDER FOR SUPPLIES OR SERVICES PAGE 1 OF 21 PAGES

IMPORTANT: Mark all packages and papers with contract and/or order numbers. BPA NO.

1. DATE OF ORDER

2. CONTRACT NO. (if any): NRC-03-10-081

3. ORDER NO.: NRC-T012 MODIFICATION NO.

4. REQUISITION/REFERENCE NO.: NRR-12-001

5. ISSUING OFFICE (Address correspondence to): U.S. Nuclear Regulatory Commission, Div. of Contracts, Att: Stp:r-EOlSO, Mail Stop: TKB-01-BlOX, Washington, DC 20555

6. SHIP TO:

a. NAME OF CONSIGNEE: U.S. Nuclear Regulatory Commission

b. STREET ADDRESS: Linda Yee, Mail Stop OWFN 13E24

c. CITY, d. STATE, e. ZIP CODE: Washington DC 20555

f. SHIP VIA

7. TO:

a. NAME OF CONTRACTOR: SOUTHWEST RESEARCH INSTITUTE INC

b. COMPANY NAME

c. STREET ADDRESS: 6220 CULEBRA RD

d. CITY: SAN ANTONIO e. STATE: TX f. ZIP CODE: 782385166

8. TYPE OF ORDER

a. PURCHASE. REFERENCE YOUR: Please furnish the following on the terms and conditions specified on both sides of this order and on the attached sheet, if any, including delivery as indicated.

b. DELIVERY. Except for billing instructions on the reverse, this delivery order is subject to instructions contained on this side only of this form and is issued subject to the terms and conditions of the above-numbered contract.

9. ACCOUNTING AND APPROPRIATION DATA 10. REQUISITIONING OFFICE N

RFPA: NRR-12-001, FAIMIS: 120063, B&R: 2012-x0200-20-11-4-151, Job Code: J4663, BOC: 252A, Approp. No.: 31x0200.220, Obl: $94,408, DUNS: 007936842

11. BUSINESS CLASSIFICATION (Check appropriate box(es)) 12. F.O.B. POINT

a. SMALL [X] b. OTHER THAN SMALL c. DISADVANTAGED d. WOMEN-OWNED e. HUBZone

f. SERVICE-DISABLED VETERAN-OWNED g. WOMEN-OWNED SMALL BUSINESS (WOSB) ELIGIBLE UNDER THE WOMEN-OWNED SMALL BUSINESS PROGRAM h. ECONOMICALLY DISADVANTAGED WOMEN-OWNED SMALL BUSINESS

13. PLACE OF a. INSPECTION b. ACCEPTANCE

14. GOVERNMENT B/L NO. 15. DELIVER TO F.O.B. POINT ON OR BEFORE (Date) 16. DISCOUNT TERMS

17. SCHEDULE (See reverse for Rejections)

ITEM NO. (a) | SUPPLIES OR SERVICES (b) | QUANTITY ORDERED (c) | UNIT (d) | UNIT PRICE (e) | AMOUNT (f) | QUANTITY ACCEPTED (g)

The Contractor shall provide services in accordance with the attached Statement of Work entitled: "Diablo Canyon Power Plant Seismic Hazard Review."

Total CPFF Amount: $94,408

Total Obligated Amount: $94,408

Period of Performance: 10-13-2011 through 12-31-2011

NRC COR: Linda Yee 301-415-3072

Technical Monitor: James Polickoski 301-415-5430

Statement of Work Attached

TOTAL TASK ORDER CEILING: $94,408

DUNS: 007936842 NAICS: 541.690 PSC: R499

ACCEPTED:

Signature:

Print Name/Title: L.B•. Kal uiach, Executive Director, Contracts

18. SHIPPING POINT 19. GROSS SHIPPING WEIGHT

21. MAIL INVOICE TO (SEE BILLING INSTRUCTIONS ON REVERSE)

a. NAME: Department of Interior / NBC, NRCPayments_NBCDenver@nbc.gov

b. STREET ADDRESS (or P.O. Box): Attn: Fiscal Services Branch - D2770, 7301 W. Mansfield Avenue

11.ADTAL

Steve Pool

Branch Chief, MSA

TITLE CONTRACTIN

AUTHORIZED FOR LOCAL REPRODUCTION

PREVIOUS EDITION NOT USABLE

OPTIONAL FORM 347 (PREV. •'• t )

PRESCRIBED BY GSA/FAR 48 CFR . 3.213(M

fSUNSI REVIEW O1

TEMPLATE-ADMUO0 00%,


NRC-03-10-081 NRC-T012

Table of Contents

DELIVERY ORDER TERMS AND CONDITIONS NOT SPECIFIED IN THE CONTRACT

A.1 BRIEF DESCRIPTION OF WORK (MAR 1987)

A.2 CONSIDERATION AND OBLIGATION-COST PLUS FIXED FEE (JUN 1988) ALTERNATE I (JUN 1991)

A.3 BUDGET

A.4 DURATION OF CONTRACT PERIOD (MAR 1987)

A.5 2052.215-70 KEY PERSONNEL (JAN 1993)

A.6 2052.215-71 PROJECT OFFICER AUTHORITY (NOVEMBER 2006)

A.7 2052.215-78 TRAVEL APPROVALS AND REIMBURSEMENT - ALTERNATE 1 (OCT 1999)

A.8 SECURITY REQUIREMENTS FOR INFORMATION TECHNOLOGY LEVEL I OR LEVEL II ACCESS APPROVAL (JUL 2007)

A.9 SEAT BELTS

A.10 APPROPRIATE USE OF GOVERNMENT FURNISHED INFORMATION TECHNOLOGY (IT) EQUIPMENT AND/OR IT SERVICES/ACCESS (MARCH 2002)

A.11 NRC INFORMATION TECHNOLOGY SECURITY TRAINING (AUG 2003)

A.12 WHISTLEBLOWER PROTECTION FOR NRC CONTRACTOR AND SUBCONTRACTOR EMPLOYEES (JULY 2008)

A.13 PROHIBITION OF FUNDING TO ACORN (NOV 2009)

A.14 REDUCING TEXT MESSAGING WHILE DRIVING (OCT 2009)

A.15 GREEN PURCHASING (JUN 2011)

ATTACHMENT A: IT SECURITY REQUIREMENTS - CERTIFICATION AND ACCREDITATION (MAR 2011)

ATTACHMENT B: INFORMATION TECHNOLOGY (IT) SECURITY REQUIREMENTS - GENERAL (JULY 2011)

ATTACHMENT C: IT SECURITY REQUIREMENTS - NRC AND CONTRACTOR (NON-NRC) FACILITIES (MAR 2011)

ATTACHMENT D: STATEMENT OF WORK


DELIVERY ORDER TERMS AND CONDITIONS NOT SPECIFIED IN THE CONTRACT

A.1 BRIEF DESCRIPTION OF WORK (MAR 1987)

The objective of this task order is to obtain contractor support to assist the NRC seismic hazard analysis team in the review and analysis of the PG&E Shoreline Fault Zone Analysis Report and the additional seismic hazard concern related to DCPP.

A.2 CONSIDERATION AND OBLIGATION-COST PLUS FIXED FEE (JUN 1988) ALTERNATE I (JUN 1991)

(a) The total estimated cost to the Government for full performance of this contract is $94,408.00, of which the sum of $87,443 represents the estimated reimbursable costs, and of which $6,964 represents the fixed fee.

(b) There shall be no adjustment in the amount of the Contractor's fixed fee by reason of differences between any estimate of cost for performance of the work under this contract and the actual cost for performance of that work.

(c) The amount currently obligated by the Government with respect to this contract is $94,408, of which the sum of $84,443 represents the estimated reimbursable costs, and of which $6,964 represents the fixed fee.

(d) It is estimated that the amount currently allotted will cover performance through December 31, 2011.

A.3 BUDGET

Cost Elemen

Total Estimated Cost-Plus-Fixed-Fee: $94,408

A.4 DURATION OF CONTRACT PERIOD (MAR 1987)

This contract shall commence on October 13, 2011 (effective date) and will expire December 31, 2011.


A.5 2052.215-70 KEY PERSONNEL (JAN 1993)

(a) The following individuals are considered to be essential to the successful performance of the work hereunder:

Larry Anderson

James McCalpin

The contractor agrees that personnel may not be removed from the contract work or replaced without compliance with paragraphs (b) and (c) of this section.

(b) If one or more of the key personnel, for whatever reason, becomes, or is expected to become, unavailable for work under this contract for a continuous period exceeding 30 work days, or is expected to devote substantially less effort to the work than indicated in the proposal or initially anticipated, the contractor shall immediately notify the contracting officer and shall, subject to the concurrence of the contracting officer, promptly replace the personnel with personnel of at least substantially equal ability and qualifications.

(c) Each request for approval of substitutions must be in writing and contain a detailed explanation of the circumstances necessitating the proposed substitutions. The request must also contain a complete resume for the proposed substitute and other information requested or needed by the contracting officer to evaluate the proposed substitution. The contracting officer and the project officer shall evaluate the contractor's request and the contracting officer shall promptly notify the contractor of his or her decision in writing.

(d) If the contracting officer determines that suitable and timely replacement of key personnel who have been reassigned, terminated, or have otherwise become unavailable for the contract work is not reasonably forthcoming, or that the resultant reduction of productive effort would be so substantial as to impair the successful completion of the contract or the service order, the contract may be terminated by the contracting officer for default or for the convenience of the Government, as appropriate. If the contracting officer finds the contractor at fault for the condition, the contract price or fixed fee may be equitably adjusted downward to compensate the Government for any resultant delay, loss, or damage.

A.6 2052.215-71 PROJECT OFFICER AUTHORITY (NOVEMBER 2006)

(a) The contracting officer's authorized representative (hereinafter referred to as the project officer) for this contract is:

Name: Linda Yee

Address: Mail Stop OWFN 13E24, Washington, DC 20555

Telephone Number: 301-415-2945

(b) Performance of the work under this contract is subject to the technical direction of the NRC project officer. The term "technical direction" is defined to include the following:


(1) Technical direction to the contractor which shifts work emphasis between areas of work or tasks, authorizes travel which was unanticipated in the Schedule (i.e., travel not contemplated in the Statement of Work (SOW) or changes to specific travel identified in the SOW), fills in details, or otherwise serves to accomplish the contractual SOW.

(2) Provide advice and guidance to the contractor in the preparation of drawings, specifications, or technical portions of the work description.

(3) Review and, where required by the contract, approval of technical reports, drawings, specifications, and technical information to be delivered by the contractor to the Government under the contract.

(c) Technical direction must be within the general statement of work stated in the contract. The project officer does not have the authority to and may not issue any technical direction which:

(1) Constitutes an assignment of work outside the general scope of the contract.

(2) Constitutes a change as defined in the "Changes" clause of this contract.

(3) In any way causes an increase or decrease in the total estimated contract cost, the fixed fee, if any, or the time required for contract performance.

(4) Changes any of the expressed terms, conditions, or specifications of the contract.

(5) Terminates the contract, settles any claim or dispute arising under the contract, or issues any unilateral directive whatever.

(d) All technical directions must be issued in writing by the project officer or must be confirmed by the project officer in writing within ten (10) working days after verbal issuance. A copy of the written direction must be furnished to the contracting officer. A copy of NRC Form 445, Request for Approval of Official Foreign Travel, which has received final approval from the NRC must be furnished to the contracting officer.

(e) The contractor shall proceed promptly with the performance of technical directions duly issued by the project officer in the manner prescribed by this clause and within the project officer's authority under the provisions of this clause.

(f) If, in the opinion of the contractor, any instruction or direction issued by the project officer is within one of the categories as defined in paragraph (c) of this section, the contractor may not proceed but shall notify the contracting officer in writing within five (5) working days after the receipt of any instruction or direction and shall request the contracting officer to modify the contract accordingly. Upon receiving the notification from the contractor, the contracting officer shall issue an appropriate contract modification or advise the contractor in writing that, in the contracting officer's opinion, the technical direction is within the scope of this article and does not constitute a change under the "Changes" clause.

(g) Any unauthorized commitment or direction issued by the project officer may result in an unnecessary delay in the contractor's performance and may even result in the contractor expending funds for unallowable costs under the contract.

(h) A failure of the parties to agree upon the nature of the instruction or direction or upon the contract action to be taken with respect thereto is subject to 52.233-1 - Disputes.

(i) In addition to providing technical direction as defined in paragraph (b) of the section, the project officer shall:


(1) Monitor the contractor's technical progress, including surveillance and assessment of performance, and recommend to the contracting officer changes in requirements.

(2) Assist the contractor in the resolution of technical problems encountered during performance.

(3) Review all costs requested for reimbursement by the contractor and submit to the contracting officer recommendations for approval, disapproval, or suspension of payment for supplies and services required under this contract.

(4) Assist the contractor in obtaining the badges for the contractor personnel.

(5) Immediately notify the Security Branch, Division of Facilities and Security (SB/DFS) (via e-mail) when a contractor employee no longer requires access authorization and return of any NRC issued badge to SB/DFS within three days after their termination.

(6) Ensure that all contractor employees that require access to classified Restricted Data or National Security Information or matter, access to sensitive unclassified information (Safeguards, Official Use Only, and Proprietary information) access to sensitive IT systems or data, unescorted access to NRC controlled buildings/space, or unescorted access to protected and vital areas of nuclear power plants receive approval of SB/DFS prior to access in accordance with Management Directive and Handbook 12.3.

(7) For contracts for the design, development, maintenance or operation of Privacy Act Systems of Records, obtain from the contractor as part of closeout procedures, written certification that the contractor has returned to NRC, transferred to the successor contractor, or destroyed at the end of the contract in accordance with instructions provided by the NRC Systems Manager for Privacy Act Systems of Records, all records (electronic or paper) which were created, compiled, obtained or maintained under the contract.

A.7 2052.215-78 TRAVEL APPROVALS AND REIMBURSEMENT - ALTERNATE 1 (OCT 1999)

(a) Total expenditure for travel may not exceed $10,085 without the prior approval of the contracting officer.

(b) All foreign travel must be approved in advance by the NRC on NRC Form 445, Request for Approval of Official Foreign Travel, and must be in compliance with FAR 52.247-63 Preference for U.S. Flag Air Carriers. The contractor shall submit NRC Form 445 to the NRC no later than 30 days prior to the commencement of travel.

(c) The contractor will be reimbursed only for those travel costs incurred that are directly related to this contract and which are allowable subject to the limitations prescribed in FAR 31.205-46.

(d) It is the responsibility of the contractor to notify the contracting officer in accordance with the FAR Limitations of Cost clause of this contract when, at any time, the contractor learns that travel expenses will cause the contractor to exceed the travel ceiling amount identified in paragraph (a) of this clause.

(e) Reasonable travel costs for research and related activities performed at State and nonprofit institutions, in accordance with Section 12 of Pub. L. 100-679, shall be charged in accordance with the contractor's institutional policy to the degree that the limitations of Office of Management and Budget (OMB) guidance are not exceeded. Applicable guidance documents include OMB Circular A-87, Cost Principles for State and Local Governments; OMB Circular A-122, Cost Principles for Nonprofit Organizations; and OMB Circular A-21, Cost Principles for Educational Institutions.


A.8 SECURITY REQUIREMENTS FOR INFORMATION TECHNOLOGY LEVEL I OR LEVEL II ACCESS APPROVAL (JUL 2007)

The proposer/Contractor must identify all individuals and propose the level of Information Technology (IT) approval for each, using the following guidance. The NRC sponsoring office shall make the final determination of the level, if any, of IT approval required for all individuals working under this contract. The Government shall have and exercise full and complete control and discretion over granting, denying, withholding, or terminating IT access approvals for individuals performing work under this contract.

The Contractor shall conduct a preliminary security interview or review for each IT level I or II access approval Contractor applicant and submit to the Government only the names of candidates that have a reasonable probability of obtaining the level of IT security access for which the candidate has been proposed. The Contractor will pre-screen its applicants for the following:

(a) felony arrest in the last seven years; (b) alcohol related arrest within the last five years; (c) record of any military courts-martial convictions in the past ten years; (d) illegal use of narcotics or other controlled substances possession in the past year, or illegal purchase, production, transfer, or distribution of narcotics or other controlled substances in the last seven years; (e) delinquency on any federal debts or bankruptcy in the last seven years.

The Contractor shall make a written record of its pre-screening interview or review (including any information to mitigate the responses to items listed in (a) - (e)), and have the applicant verify the pre-screening record or review, sign and date it. Two copies of the signed Contractor's pre-screening record or review will be supplied to FSB/DFS with the Contractor employee's completed building access application package.

The Contractor shall further ensure that its employees, any subcontractor employees and consultants complete all IT access security applications required by this clause within ten business days of notification by FSB/DFS of initiation of the application process. Timely receipt of properly completed records of the pre-screening record and IT access security applications (submitted for candidates that have a reasonable probability of obtaining the level of security assurance necessary for access to NRC's facilities) is a contract requirement. Failure of the Contractor to comply with this contract administration requirement may be a basis to cancel the award, or terminate the contract for default, or offset from the contract's invoiced cost or price the NRC's incurred costs or delays as a result of inadequate pre-screening by the Contractor. In the event of cancellation or termination, the NRC may select another firm for contract award.

SECURITY REQUIREMENTS FOR IT LEVEL I

Performance under this contract will involve prime Contractor personnel, subcontractors or others who perform services requiring direct access to or operate agency sensitive information technology systems or data (IT Level I). The IT Level I involves responsibility for the planning, direction, and implementation of a computer security program; major responsibility for the direction, planning, and design of a computer system, including hardware and software; or the capability to access a computer system during its operation or maintenance in such a way that could cause or that has a relatively high risk of causing grave damage; or the capability to realize a significant personal gain from computer access.

A Contractor employee shall not have access to sensitive information technology systems or data until he/she is approved by FSB/DFS. Temporary IT access may be approved based on a favorable review or adjudication of their security forms and checks. Final IT access may be approved based on a favorable review or adjudication. However, temporary access authorization approval will be revoked and the employee may subsequently be denied IT access in the event the employee's investigation cannot be favorably adjudicated. Such an employee will not be authorized to work under any NRC contract requiring IT access without the approval of FSB/DFS. Where temporary access authorization has been revoked or denied, the Contractor is responsible for assigning another individual to perform the necessary work under this contract without delay to the contract's performance schedule, or without adverse impact to any other terms or conditions of the contract. When an individual receives final IT access, the individual will be subject to a reinvestigation every ten years.

The Contractor shall submit a completed security forms packet, including the OPM Standard Form (SF) 85P (Questionnaire for Public Trust Positions), two copies of the Contractor's signed pre-screening record and two FD 258 fingerprint charts, through the PO to FSB/DFS for review and favorable adjudication, prior to the individual performing work under this contract. The Contractor shall assure that all forms are accurate, complete, and legible. Based on FSB/DFS review of the Contractor applicant's security forms and/or the receipt of adverse information by NRC, the individual may be denied access to NRC facilities, sensitive information technology systems or data until a final determination is made of his/her eligibility.

In accordance with NRCAR 2052.204-70 "Security," IT Level I Contractors shall be subject to the attached NRC Form 187 (See Section J for List of Attachments) and SF-85P which furnishes the basis for providing security requirements to prime Contractors, subcontractors or others (e.g., bidders) who have or may have an NRC contractual relationship which requires access to or operation of agency sensitive information technology systems or remote development and/or analysis of sensitive information technology systems or data or other access to such systems and data; access on a continuing basis (in excess more than 30 calendar days) to NRC buildings; or otherwise requires issuance of an unescorted NRC badge.

SECURITY REQUIREMENTS FOR IT LEVEL II

Performance under this contract will involve Contractor personnel that develop and/or analyze sensitive information technology systems or data or otherwise have access to such systems or data (IT Level II).

The IT Level II involves responsibility for the planning, design, operation, or maintenance of a computer system and all other computer or IT positions.

A Contractor employee shall not have access to sensitive information technology systems or data until he/she is approved by FSB/DFS. Temporary access may be approved based on a favorable review of their security forms and checks. Final IT access may be approved based on a favorable adjudication. However, temporary access authorization approval will be revoked and the employee may subsequently be denied IT access in the event the employee's investigation cannot be favorably adjudicated. Such an employee will not be authorized to work under any NRC contract requiring IT access without the approval of FSB/DFS. Where temporary access authorization has been revoked or denied, the Contractor is responsible for assigning another individual to perform the necessary work under this contract without delay to the contract's performance schedule, or without adverse impact to any other terms or conditions of the contract. When an individual receives final IT access, the individual will be subject to a review or reinvestigation every ten years.

The Contractor shall submit a completed security forms packet, including the OPM Standard Form (SF) 85P (Questionnaire for Public Trust Positions), two copies of the Contractor's signed pre-screening record and two FD 258 fingerprint charts, through the PO to FSB/DFS for review and favorable adjudication, prior to the individual performing work under this contract. The Contractor shall assure that all forms are accurate, complete, and legible. Based on FSB/DFS review of the Contractor applicant's security forms and/or the receipt of adverse information by NRC, the individual may be denied access to NRC facilities, sensitive information technology systems or data until a final determination is made of his/her eligibility.

In accordance with NRCAR 2052.204-70 "Security," IT Level II Contractors shall be subject to the attached NRC Form 187 (See Section J for List of Attachments), SF-85P, and Contractor's record of the pre-screening which furnishes the basis for providing security requirements to prime Contractors, subcontractors or others (e.g. bidders) who have or may have an NRC contractual relationship which requires access to or operation of agency sensitive information technology systems or remote development and/or analysis of sensitive information technology systems or data or other access to such systems or data; access on a continuing basis (in excess of more than 30 calendar days) to NRC buildings; or otherwise requires issuance of an unescorted NRC badge.

CANCELLATION OR TERMINATION OF IT ACCESS/REQUEST

When a request for IT access is to be withdrawn or canceled, the Contractor shall immediately notify the PO by telephone in order that he/she will immediately contact FSB/DFS so that the access review may be promptly discontinued. The notification shall contain the full name of the individual, and the date of the request. Telephone notifications must be promptly confirmed by the Contractor in writing to the PO who will forward the confirmation via email to FSB/DFS. Additionally, FSB/DFS must be immediately notified in writing when an individual no longer requires access to NRC sensitive automated information technology systems or data, including the voluntary or involuntary separation of employment of an individual who has been approved for or is being processed for IT access.

(End of Clause)

A.9 SEAT BELTS

Contractors, subcontractors, and grantees, are encouraged to adopt and enforce on-the-job seat belt policies and programs for their employees when operating company-owned, rented, or personally owned vehicles.

A.10 APPROPRIATE USE OF GOVERNMENT FURNISHED INFORMATION TECHNOLOGY (IT) EQUIPMENT AND/OR IT SERVICES/ACCESS (MARCH 2002)

As part of contract performance the NRC may provide the contractor with information technology (IT) equipment and IT services or IT access as identified in the solicitation or subsequently as identified in the contract or delivery order. Government furnished IT equipment, or IT services, or IT access may include but is not limited to computers, copiers, facsimile machines, printers, pagers, software, phones, Internet access and use, and email access and use. The contractor (including the contractor's employees, consultants and subcontractors) shall use the government furnished IT equipment, and/or IT provided services, and/or IT access solely to perform the necessary efforts required under the contract. The contractor (including the contractor's employees, consultants and subcontractors) are prohibited from engaging or using the government IT equipment and government provided IT services or IT access for any personal use, misuse, abuses or any other unauthorized usage.

The contractor is responsible for monitoring its employees, consultants and subcontractors to ensure that government furnished IT equipment and/or IT services, and/or IT access are not being used for personal use, misused or abused. The government reserves the right to withdraw or suspend the use of its government furnished IT equipment, IT services and/or IT access arising from contractor personal usage, or misuse or abuse; and/or to disallow any payments associated with contractor (including the contractor's employees, consultants and subcontractors) personal usage, misuses or abuses of IT equipment, IT services and/or IT access; and/or to terminate for cause the contract or delivery order arising from violation of this provision.

A.11 NRC INFORMATION TECHNOLOGY SECURITY TRAINING (AUG 2003)

NRC contractors shall ensure that their employees, consultants, and subcontractors with access to the agency's information technology (IT) equipment and/or IT services complete NRC's online initial and refresher IT security training requirements to ensure that their knowledge of IT threats, vulnerabilities, and associated countermeasures remains current. Both the initial and refresher IT security training courses generally last an hour or less and can be taken during the employee's regularly scheduled work day.

Contractor employees, consultants, and subcontractors shall complete the NRC's online "Computer Security Awareness" course on the same day that they receive access to the agency's IT equipment and/or services, as their first action using the equipment/service. For those contractor employees, consultants, and subcontractors who are already working under this contract, the on-line training must be completed in accordance with agency Network Announcements issued throughout the year 2003 within three weeks of issuance of this modification.

Contractor employees, consultants, and subcontractors who have been granted access to NRC information technology equipment and/or IT services must continue to take IT security refresher training offered online by the NRC throughout the term of the contract. Contractor employees will receive notice of NRC's online IT security refresher training requirements through agency-wide notices.

The NRC reserves the right to deny or withdraw Contractor use or access to NRC IT equipment and/or services, and/or take other appropriate contract administrative actions (e.g., disallow costs, terminate for cause) should the Contractor violate the Contractor's responsibility under this clause.

A.12 WHISTLEBLOWER PROTECTION FOR NRC CONTRACTOR AND SUBCONTRACTOR EMPLOYEES (JULY 2006)

(a) The U.S. Nuclear Regulatory Commission (NRC) contractor and its subcontractor are subject to the Whistleblower Employee Protection public law provisions as codified at 42 U.S.C. 5851. NRC contractor(s) and subcontractor(s) shall comply with the requirements of this Whistleblower Employee Protection law, and the implementing regulations of the NRC and the Department of Labor (DOL). See, for example, DOL Procedures on Handling Complaints at 29 C.F.R. Part 24 concerning the employer obligations, prohibited acts, DOL procedures and the requirement for prominent posting of notice of Employee Rights at Appendix A to Part 24.

(b) Under this Whistleblower Employee Protection law, as implemented by regulations, NRC contractor and subcontractor employees are protected from discharge, reprisal, threats, intimidation, coercion, blacklisting or other employment discrimination practices with respect to compensation, terms, conditions or privileges of their employment because the contractor or subcontractor employee(s) has provided notice to the employer, refused to engage in unlawful practices, assisted in proceedings or testified on activities concerning alleged violations of the Atomic Energy Act of 1954 (as amended) and the Energy Reorganization Act of 1974 (as amended).

(c) The contractor shall insert this or the substance of this clause in any subcontracts involving work performed under this contract.

A.13 PROHIBITION OF FUNDING TO ACORN (NOV 2009)

In accordance with section 163 of the Continuing Appropriations Resolution, 2010, Division B of Public Law No. 111-68 (CR), until further notice, no federal funds may be provided to the Association of Community Organizations for Reform Now (ACORN), or any of its affiliates, subsidiaries, or allied organizations. Additional information can be found at http://www.whitehouse.gov/omb/assets/memoranda_2010/m10-02.pdf

A.14 REDUCING TEXT MESSAGING WHILE DRIVING (OCT 2009)

(a) In accordance with Section 4 of Executive Order 13513, "Federal Leadership on Reducing Text Messaging While Driving," (October 1, 2009), the Contractor or Recipient is encouraged to:

(1) Adopt and enforce policies that ban text messaging while driving company-owned or rented vehicles or Government-owned vehicles, or while driving privately-owned vehicles when on official Government business or when performing any work for or on behalf of the Government; and


(2) Consider new rules and programs to further the policies described in (a)(1), reevaluate existing programs to prohibit text messaging while driving, and conduct education, awareness, and other outreach programs for employees about the safety risks associated with text messaging while driving. These initiatives should encourage voluntary compliance with the text messaging policy while off duty.

(b) For purposes of complying with the Executive Order:

(1) "Texting" or "Text Messaging" means reading from or entering data into any handheld or other electronic device, including for the purpose of SMS texting, e-mailing, instant messaging, obtaining navigational information, or engaging in any other form of electronic data retrieval or electronic data communication.

(2) "Driving" means operating a motor vehicle on an active roadway with the motor running, including while temporarily stationary because of traffic, a traffic light or stop sign, or otherwise. It does not include operating a motor vehicle with or without the motor running when one has pulled over to the side of, or off, an active roadway and has halted in a location where one can safely remain stationary.

(c) The Contractor or Recipient shall encourage its subcontractor(s) or sub-recipient(s) to adopt and enforce the policies and initiatives described in this clause.

A.15 GREEN PURCHASING (JUN 2011)

(a) In furtherance of the sustainable acquisition goals of Executive Order 13514, "Federal Leadership in Environmental, Energy, and Economic Performance," products and services provided under this contract/order shall be energy-efficient (Energy Star or Federal Energy Management Program (FEMP) designated), water-efficient, biobased, environmentally preferable (e.g., Electronic Product Environmental Assessment Tool (EPEAT) certified), non-ozone depleting, contain recycled content, or are non-toxic or less toxic alternatives, where such products and services meet agency performance requirements. http://www.fedcenter.gov/programs/eo13514/

(b) The contractor shall flow down this clause into all subcontracts and other agreements that relate to performance of this contract/order.


ATTACHMENT A

IT SECURITY REQUIREMENTS - CERTIFICATION AND ACCREDITATION

SECURITY RISK ASSESSMENT

The contractor shall work with the NRC project officer in performing Risk Assessment activities according to NRC policy, standards, and guidance. The contractor shall perform Risk Assessment activities that include analyzing how the architecture implements the NRC documented security policy for the system, assessing how management, operational, and technical security control features are planned or implemented and how the system interconnects to other systems or networks while maintaining security.

SYSTEM SECURITY PLAN

The contractor shall develop the system security plan (SSP) according to NRC policy, standards, and guidance to define the implementation of IT security controls necessary to meet both the functional assurance and security requirements. The contractor will ensure that all controls required to be implemented are documented in the SSP.

ASSESSMENT PROCEDURES - SECURITY TEST & EVALUATION

The contractor shall follow NRC policy, standards, and guidance for execution of the test procedures. These procedures shall be supplemented and augmented by tailored test procedures based on the control objective as it applies to NRC. The contractor shall include verification and validation to ensure that appropriate corrective action was taken on identified security weaknesses.

The contractor shall perform ST&E activities, including but not limited to, coordinating the ST&E and developing the ST&E Plan, execution of ST&E test cases and documentation of test results. The contractor shall prepare the Plan of Action and Milestones (POA&M) based on the ST&E results.

PLAN OF ACTION AND MILESTONES (POA&M) MAINTENANCE & REPORTING

The contractor shall provide a determination, in a written form agreed to by the NRC project officer and Computer Security Office, on whether the implemented corrective action was adequate to resolve the identified information security weaknesses and provide the reasons for any exceptions or risk-based decisions. The contractor shall document any vulnerabilities indicating which portions of the security control have not been implemented or applied.

The contractor shall develop and implement solutions that provide a means of planning and monitoring corrective actions; define roles and responsibilities for risk mitigation; assist in identifying security funding requirements; track and prioritize resources; and inform decision-makers of progress of open POA&M items.

The contractor shall perform verification of IT security weaknesses to ensure that all weaknesses identified through third party (e.g., OIG) audits are included in the POA&Ms, that the quarterly reporting to OMB is accurate, and the reasons for any exceptions or risk-based decisions are reasonable and clearly documented. This verification process will be done in conjunction with the continuous monitoring activities.

CERTIFICATION & ACCREDITATION DOCUMENTATION

The contractor shall create, update, and maintain all Certification and Accreditation (C&A) documentation in accordance with the following NRC Certification and Accreditation procedures and guidance:

* C&A Non-SGI Unclassified Systems
* C&A SGI Unclassified Systems
* C&A Classified Systems

The Contractor must develop a contingency plan and ensure annual contingency testing is completed within one year of previous test and provide an updated security plan and test report according to NRC's policy and procedure.


The Contractor must conduct annual security control testing according to NRC's policy and procedure and update POA&M, SSP, etc. to reflect any findings or changes to management, operational and technical controls.

-End of Clause-


ATTACHMENT B

INFORMATION TECHNOLOGY (IT) SECURITY REQUIREMENTS - GENERAL (JULY 20[illegible])

Basic Contract IT Security Requirements

For unclassified information used for the effort, the contractor shall provide an information security categorization document indicating the sensitivity of the information processed as part of this contract if the information security categorization was not provided in the statement of work. The determination shall be made using National Institute of Standards and Technology (NIST) Special Publication (SP) 800-60 and must be approved by CSO. The NRC contracting officer and project officer shall be notified immediately before the contractor begins to process information at a higher sensitivity level.

If the effort includes use or processing of classified information, the NRC contracting officer and project officer shall be notified before the contractor begins to process information at a more restrictive classification level.

All work under this contract shall comply with the latest version of policy, procedures and standards. Individual task orders will reference latest versions of standards or exceptions as necessary. These policy, procedures and standards include: NRC Management Directive (MD) volume 12 Security, Computer Security Office policies, procedures and standards, National Institute of Standards and Technology (NIST) guidance and Federal Information Processing Standards (FIPS), and Committee on National Security Systems (CNSS) policy, directives, instructions, and guidance. This information is available at the following links:

NRC Policies, Procedures and Standards (CSO internal website): http://www.internal.nrc.gov/CSO/policies.html

NRC Policy and Procedures For Handling, Marking and Protecting Sensitive Unclassified Non-Safeguards Information (SUNSI):

All NRC Management Directives (public website): http://www.nrc.gov/reading-rm/doc-collections/management-directives/

NIST SP and FIPS documentation is located at:

CNSS documents are located at: http://www.cnss.gov/

The Contractor shall ensure compliance with the latest version of NIST guidance and FIPS standards available at contract issuance and continued compliance with the latest versions within one year of the release date.

When e-mail is used, the Contractors shall only use NRC provided e-mail accounts to send and receive sensitive information (information that is not releasable to the public) or mechanisms to protect the information during transmission to NRC that have been approved by CSO.

All Contractor employees must sign the NRC Agency-Wide Rules of Behavior for Authorized Computer Use prior to being granted access to NRC computing resources.

The Contractor shall adhere to the following NRC policies:


1. Management Directive 12.5, Automated Information Security Program
2. NRC Sensitive Unclassified Non-Safeguards Information (SUNSI)
3. Computer Security Policy for Encryption of Data at Rest When Outside of Agency Facilities
4. Policy for Copying, Scanning, Printing, and Faxing SGI & Classified Information
5. Computer Security Information Protection Policy
6. Remote Access Policy
7. Use of Commercial Wireless Devices, Services and Technologies Policy
8. Laptop Security Policy
9. Computer Security Incident Response Policy

Contractor will adhere to NRC's prohibition of use of personal devices to process and store NRC sensitive information.

All electronic process of NRC sensitive information, including system development and operations and maintenance performed at non-NRC facilities shall be in facilities, networks, and computers that have been accredited by NRC for processing information at the highest sensitivity of the information that is processed or will ultimately be processed.

Contract Performance And Closeout

The contractor shall ensure that the NRC data processed during the performance of this contract shall be purged from all data storage components of the contractor's computer facility. Tools used to perform data purging shall be approved by the CISO. The contractor shall provide written certification to the NRC contracting officer that the contractor does not retain any NRC data within 30 calendar days after contract completion. Until all data is purged, the contractor shall ensure that any NRC data remaining in any storage component will be protected to prevent unauthorized disclosure.

When contractor employees no longer require access to an NRC system, the contractor shall notify the project officer within 24 hours.

Upon contract completion, the contractor shall provide a status list of all contractor employees who were users of NRC systems and shall note if any users still require access to the system to perform work if a follow-on contract or task order has been issued by NRC.

Control Of Information And Data

The contractor shall not publish or disclose in any manner, without the contracting officer's written consent, the details of any security controls or countermeasures either designed or developed by the contractor under this contract or otherwise provided by the NRC.

Any IT system used to process NRC sensitive information shall:

1. Include a mechanism to require users to uniquely identify themselves to the system before beginning to perform any other actions that the system is expected to provide.
2. Be able to authenticate data that includes information for verifying the claimed identity of individual users (e.g., passwords).
3. Protect authentication data so that it cannot be accessed by any unauthorized user.
4. Be able to enforce individual accountability by providing the capability to uniquely identify each individual computer system user.
5. Report to appropriate security personnel when attempts are made to guess the authentication data whether inadvertently or deliberately.

Access Controls

Any contractor system being used to process NRC data shall be able to define and enforce access privileges for individual users. The discretionary access controls mechanisms shall be configurable to protect objects (e.g., files, folders) from unauthorized access.


The contractor system being used to process NRC data shall provide only essential capabilities and specifically prohibit and/or restrict the use of specified functions, ports, protocols, and/or services.

The contractors shall only use NRC approved methods to send and receive information considered sensitive or classified. Specifically,

1. Classified Information - All NRC Classified data being transmitted over a network shall use NSA approved encryption and adhere to guidance in MD 12.2 NRC Classified Information Security Program, MD 12.5 NRC Automated Information Security Program and Committee on National Security Systems. Classified processing shall be only within facilities, computers, and spaces that have been specifically approved for classified processing.

2. SGI Information - All SGI being transmitted over a network shall adhere to guidance in MD 12.7 NRC Safeguards Information Security Program and MD 12.5 NRC Automated Information Security Program. SGI processing shall be only within facilities, computers, and spaces that have been specifically approved for SGI processing. Cryptographic modules provided as part of the system shall be validated under the Cryptographic Module Validation Program to conform to NIST FIPS 140-2 overall level 2 and must be operated in FIPS mode. The contractor shall provide the FIPS 140-2 cryptographic module certificate number and a brief description of the encryption module that includes the encryption algorithm(s) used, the key length, and the vendor of the product.

The most restrictive set of rights/privileges or accesses needed by users (or processes acting on behalf of users) for the performance of specified tasks must be enforced by the system through assigned access authorizations.

Separation of duties for contractor systems used to process NRC information must be enforced by the system through assigned access authorizations.

The mechanisms within the contractor system or application that enforce access control and other security features shall be continuously protected against tampering and/or unauthorized changes.

Configuration Standards

All systems used to process NRC sensitive information shall meet NRC configuration standards available at: http://www.internal.nrc.gov/CSO/standards.html

Media Handling

All media used by the contractor to store or process NRC information shall be controlled in accordance with the sensitivity level.

The contractor shall not perform sanitization or destruction of media approved for processing NRC information designated as SGI or Classified. The contractor must provide the media to NRC for destruction.

Vulnerability Management

The Contractor must adhere to NRC patch management processes for all systems used to process NRC information. Patch Management reports will be made available to the NRC upon request for the following security categorizations and reporting timeframes:

* 5 calendar days after being requested for a high sensitivity system
* 10 calendar days after being requested for a moderate sensitivity system
* 15 calendar days after being requested for a low sensitivity system

For any contractor system used to process NRC information, the contractor must ensure that information loaded into the system is scanned for viruses prior to posting; servers are scanned for viruses, adware, and spyware on a regular basis; and virus signatures are updated at the following frequency:


* 1 calendar day for a high sensitivity system
* 3 calendar days for a moderate sensitivity system
* 7 calendar days for a low sensitivity system

-End of Clause-


ATTACHMENT C

IT SECURITY REQUIREMENTS - NRC AND CONTRACTOR (NON-NRC) FACILITIES

BACKUPS

The contractor shall ensure that backup media is created, encrypted (in accordance with information sensitivity) and verified to ensure that data can be retrieved and is restorable to NRC systems based on information sensitivity levels. Backups shall be executed to create readable media that allows successful file/data restoration at the following frequencies:

* At least every 1 calendar day for a high sensitivity system
* At least every 1 calendar day for a moderate sensitivity system
* At least every Z calendar days for a low sensitivity system

PERIMETER PROTECTION

The Contractor must employ perimeter protection mechanisms, such as firewalls and routers, to deny all communications unless explicitly allowed by exception.

The contractor must deploy and monitor intrusion detection capability and have an always deployed and actively engaged security monitoring capability in place for systems placed in operation for the NRC. Intrusion detection and monitoring reports will be made available to the NRC upon request for the following security categorizations and reporting timeframes:

* 5 calendar days after being requested for a high sensitivity system
* 10 calendar days after being requested for a moderate sensitivity system
* 15 calendar days after being requested for a low sensitivity system

CONTRACTOR FACILITY REVIEW AND APPROVAL PROCESS

The contractor shall complete a security survey of the proposed facility in accordance with MD 12.1 in order for NRC to determine the adequacy and effectiveness of the administration of the security program and the protection afforded NRC information, employees, and assets before the facility is used for any NRC effort that includes IT.

Upon facility approval per MD 12.1, the contractor shall perform a full certification and obtain accreditation of the facility and computing systems that will be used by the contractor as part of the NRC effort that includes IT prior to commencing the effort. The certification shall be performed at the level of the highest sensitivity of the data that is used at the facility or will ultimately be used by the product of the effort.

-End of Clause-


STATEMENT OF WORK

Project Title: Central Coastal California Region Seismic Hazard Review for Diablo Canyon Power Plant

Job Code: J-4663

Task Area: Seismic Hazard Review

Task Order #: Twelve (12) - Diablo Canyon Power Plant, Units 1 and 2

Budget Structure Code: 2012-x0200-20-11-4-151

NRC Issuing Office: Office of Nuclear Reactor Regulation

NRC Project Officer: Linda Yee, 301-415-3072, LindaYe@u.,

NRC Technical Monitor: James Polickoski, 301-415-5430, James.Polickos1dd@mg.,

Fee Recoverable: No

TAC Numbers: Diablo Canyon Power Plant, Unit 1 - ME5306; Diablo Canyon Power Plant, Unit 2 - ME5307

Performing Organization: Center for Nuclear Waste Regulatory Analyses

1.0 BACKGROUND

The U.S. Nuclear Regulatory Commission (NRC) is currently performing an independent, confirmatory analysis of Pacific Gas and Electric's (PG&E's) January 2011 Report on the Analysis of the Shoreline Fault Zone following discovery of the Shoreline Fault close to the intake structure of the Diablo Canyon Power Plant (DCPP) 3 years ago.

The NRC is also reviewing an additional concern that references similar data as discussed in the above PG&E Shoreline Fault Zone Analysis Report, data from original licensing, and other data requiring further review.

2.0 TASK ORDER OBJECTIVE

The objective of the task order is to obtain contractor support to assist the NRC seismic hazard analysis team in the review and analysis of the PG&E Shoreline Fault Zone Analysis Report and the additional seismic hazard concern related to DCPP.

3.0 SCOPE OF WORK

The contractor shall provide three seismic hazard scientists and/or engineers to the Technical Monitor (TM) during the performance of the PG&E Shoreline Fault Zone Analysis Report review and additional concern review.


The following documents will be provided for this requested analysis support:

a. DCL-11-005, "Report on the Analysis of the Shoreline Fault Zone, Central Coastal California, Report to the U.S. Nuclear Regulatory Commission," January 2011

b. Research Information Letter (RIL) 09-001, "Preliminary Deterministic Analysis of Seismic Hazard at Diablo Canyon NPP from Newly Identified 'Shoreline Fault,'" April 8, 2009

c. Documentation related to the additional concern

The TM may issue technical direction during the duration of the task order. Technical direction must be within the general statement of work (SOW) stated in the task order, and shall not constitute new assignments of work or changes of such nature as to justify an adjustment in cost or period of performance. The contractor shall refer to the basic contract for further information and guidance on any technical directions issued under this task order.

Any modifications to the scope of work, cost, or period of performance of the task order must be issued by the Contracting Officer and will be coordinated with the Project Officer.

4.0 SPECIFIC TASKS

The below four specific tasks should be performed, and shall be performed in accordance with the requirements, standards, deliverables, and completion timeframes specified in the base contract's Statement of Work.

4.1 Task 1 - DCPP Site visit

Site visit planned for week of October 17, 2011

4.2 Task 2 - Shoreline Fault Zone Analysis Report Review

Weeks of October 24, 2011 through December 2, 2011

4.3 Task 3 - Additional Concern Review

Weeks of October 24, 2011 through December 2, 2011

4.4 Task 4 - Documentation of Analysis Review Results

Feeder to RIL 09-001 due December 16, 2011

5.0 TECHNICAL REPORTING REQUIREMENTS FOR SEISMIC HAZARD ANALYSIS REVIEW

The contractor shall provide written feeder input to the update to the NRC Research Information Letter (RIL) 09-001, and will provide analysis and review conclusion documentation for the discussed concern. The input shall be provided in Microsoft Word format and in an electronic format acceptable to the TM.


6.0 PERSONNEL REQUIREMENTS

These seismic hazard scientists/engineers shall have the following competencies:

a. Central Coastal California regional seismic expertise [illegible] review

b. Paleoseismic expertise to analyze Central Coastal California geology

c. Motion/rate analysis expertise of Central Coastal California geologic features

It shall be the responsibility of the contractor to assign qualified technical staff, employees, and subcontractors, who have the required educational background, experience, or combination thereof, to meet both the technical and regulatory objectives of the work specified in this SOW. The NRC will rely on representation made by the contractor concerning the qualifications of the personnel proposed for assignment to this task order including assurance that all information contained in the technical and cost proposals, including resumes and conflict of interest disclosures, is accurate and truthful.

7.0 MEETINGS AND TRAVEL

One 3-day trip to plant site located in San Luis Obispo, California.

One 2-day trip to NRC headquarters located in Rockville, Maryland to review and discuss technical findings.

Contractor shall coordinate all travel arrangements in advance with the TM. Off-normal travel time may be required to ensure timely arrival at the site, as scheduled by the TM.
