[Federal Register Volume 84, Number 55 (Thursday, March 21, 2019)]
[Proposed Rules]
[Pages 10469-10475]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-04654]
=======================================================================
-----------------------------------------------------------------------
AGENCY FOR INTERNATIONAL DEVELOPMENT
48 CFR Parts 739 and 752
[0412-AA87]
United States Agency for International Development Acquisition
Regulation (AIDAR): Security and Information Technology Requirements
AGENCY: U.S. Agency for International Development.
ACTION: Proposed rule.
-----------------------------------------------------------------------
SUMMARY: The U.S. Agency for International Development (USAID) seeks
public comment on a proposed rule that would amend the USAID
Acquisition Regulation (AIDAR) to incorporate a revised definition of
information technology and other requirements relating to information
security and information technology approvals. The Federal Information
Technology Acquisition Reform Act requires improved management of the
acquisition of Information technology resources. This proposed rule
revising the AIDAR, if adopted, would provide increased oversight of
contractor acquisition and use of information technology resources.
DATES: Comments must be received no later than May 20, 2019.
ADDRESSES: Address all comments concerning this notice to Carol
Ketrick, Bureau for Management, Office of Acquisition and Assistance,
Policy
[[Page 10470]]
Division (M/OAA/P), Room 867F, SA-44, Washington, DC 20523-2052. Submit
comments, identified by title of the action and Regulatory Information
Number (RIN) by any of the following methods:
1. Through the Federal eRulemaking Portal at http://www.regulations.gov by following the instructions for submitting
comments.
2. By Mail addressed to: USAID, Bureau for Management, Office of
Acquisition & Assistance, Policy Division, Room 867-F, SA-44,
Washington, DC 20523-2052.
Comments on the information collection request under Section E,
Paperwork Reduction Act must be submitted to both USAID and OMB/OIRA as
follows:
USAID--Carol Ketrick at [email protected].
OMB/OIRA--email to [email protected], fax to (202) 395-
6974, or mail to the Office of Information and Regulatory Affairs,
Office of Management and Budget, 725 17th Street NW, Washington, DC
20503.
FOR FURTHER INFORMATION CONTACT: Carol Ketrick, Telephone: 202-567-4676
or email: [email protected].
SUPPLEMENTARY INFORMATION:
A. Instructions
All comments must be in writing and submitted through one of the
methods specified in the Addresses section above. All submissions (and
attachments) must include the title of the action and RIN for this
rulemaking. Please include your name, title, organization, postal
address, telephone number, and email address in the text of the
message.
Please note that USAID recommends sending all comments to the
Federal eRulemaking Portal because security screening precautions have
slowed the delivery and dependability of surface mail to USAID/
Washington.
All comments will be made available at http://www.regulations.gov
for public review without change, including any personal information
provided. We recommend that you do not submit information that you
consider Confidential Business Information (CBI) or any information
that is otherwise protected from disclosure by statute.
USAID will only address comments that explain why this proposed
rule would be inappropriate, ineffective, or unacceptable without a
change. Comments that are insubstantial or outside the scope of the
rule may not be considered.
B. Background
On September 5, 2014, the Office of Management and Budget (OMB) and
the National Security Council (NSC) convened a President's Management
Council, with one of the focus areas being improvement of cybersecurity
in Federal acquisitions, in particular, accountability of contractors
providing IT systems and services to the Federal government.
Accordingly, USAID is taking steps to address information security
for information and information systems that support the operations and
assets of the agency, including those managed by contractors. The new
requirements will strengthen protections of Agency information systems/
facilities.
Following the cybersecurity review directed by OMB ``Follow-Up to
President's Management Council Cybersecurity Meeting, September 5,
2014'', which was completed by the agency Office of the Chief of
Information Officer (CIO) in October 2014, a revised clause 752.204-72
Access to USAID facilities and USAID's Information Systems (now titled
Homeland Security Presidential Directive-12 (HSPD-12) and Personal
Identity Verification (PIV)), and new special contract requirements
were developed and implemented on an interim basis under USAID
Acquisition and Assistance Policy Directive (AAPD) 16-02 SPECIAL
CONTRACT REQUIREMENTS FOR INFORMATION TECHNOLOGY (IT) on May 3, 2016.
The requirements in the AAPD were updated and reissued as AAPD 16-02
(Revised) on May 1, 2018. The policy published in the AAPD 16-02
(Revised) provides a new definition of information technology, and
includes various requirements applicable to information and system
security, as well as requirements for Electronic and Information
Technology Accessibility, software licenses, and prior agency approval
of IT purchases.
This AIDAR proposed rule, when finalized and effective, will
establish the new definition, the revised AIDAR clause 752.204-72
Homeland Security Presidential Directive-12 (HSPD-12) and Personal
Identity Verification (PIV), and AIDAR clauses based on some of the
special contract requirements from the AAPD 16-02 (Revised). The
remaining special contract requirements regarding information and
system security in AAPD 16-02 (Revised) that are not included in this
proposed rule will be assessed after finalization of the currently open
FAR cases on Controlled Unclassified Information (CUI) and Breaches of
Personally Identifiable Information (PII). In addition to the contract
requirements originating from the AAPD 16-02 (Revised), a proposed
clause providing requirements for development and/or maintenance of
third-party USAID-financed websites is included in the rule.
Accordingly, USAID is proposing to amend the U.S. Agency for
International Development (USAID) Acquisition Regulation (AIDAR) to
revise various sections that will implement policy and procedures for
contracts and orders for, or include a requirement for, information
technology (IT) supplies, services and/or systems. These requirements
will ensure that contractors comply with the current Agency IT
policies. The requirements in this proposed rule would implement the
requirements under the following authorities: The E-Government Act of
2002; Federal Information Technology Acquisition Reform ACT (FITARA)
(Section 831 of the National Defense Authorization Act for Fiscal Year
2015, Pub. L. 113-291) and; Section 508 of the Rehabilitation Act of
1973, as amended (29 U.S.C. 794d) (``Section 508''); Privacy Act of
1974 (5 U.S.C. 552a--the Act); Federal Information Security Management
Act (FISMA) of 2002 (FISMA, Pub. L. 107-347. 44 U.S.C. 3531-3536);
National Institute of Standards and Technology (NIST) Special
Publication 800-53 revision 4 or the current version; and Office of
Management and Budget (OMB) Circular A-130.
USAID proposes to add AIDAR subpart 739, revise AIDAR 752.204-72,
and include new clauses as follows:
FAR subpart 739 provides the Agency definition of
``information technology'' as issued in AAPD 16-02 (Revised). As part
of the AAPD 16-02 (Revised), a Class Deviation to FAR Part 2.101(b)
definition of ``information technology'' was approved by the head of
the contracting activity. This new definition broadens and clarifies
the definition to include services such as cloud services; it is
derived from the definition set forth in the Office of Management and
Budget's (OMB's) guidance at OMB Memo M-15-14, Management Oversight of
Federal Information Technology dated June 10, 2015. AIDAR 739.2 adds
this definition, which also appears at 752.239-XX Use of Information
Technology Approval and 752.239-XX Limitation on Use of Information
Technology.
AIDAR Clause 752.204-72 Access to USAID Facilities and
USAID's Information Systems is being replaced in its entirety with a
new title Homeland Security Presidential Directive-12 (HSPD-12) and
Personal
[[Page 10471]]
Identity Verification (PIV) and significant changes to reflect
additional restrictions and reporting to better implement Homeland
Security Presidential Directive-12 (HSPD-12) (August 27, 2004) and PIV
procedures.
The revision improves requirements for contractor personnel
provided access to agency facilities and information systems, as well
as timely monitoring of such access when the employee's employment is
terminated. The revised clause requires submission of staff reports
listing employees that require access to USAID facilities or
information systems, and also specifies the Agency's authority to
suspend or terminate the access to any systems and/or facilities if an
Information Security Incident or other electronic access violation,
use, or misuse incident gives cause for such action.
AIDAR 752.204-XX USAID-Financed Third-party websites
requires that Contractors adhere to certain requirements when
developing, launching, and maintaining a third-party website funded by
USAID for the purpose of meeting the project implementation goals. This
applies to sites hosted on environments external to USAID boundaries
and not directly controlled by USAID policies and staff. The clause
requires adherence to Agency branding requirements and limits the
contractor to collecting only the amount of information necessary to
complete the specific business need as required by statute, regulation,
or Executive Order.
AIDAR 752.239-XX Limitation on Information Technology
prohibits the acquisition of information technology under an award as
defined in the clause unless prior approval is obtained from the
contracting officer.
The clause ensures that only information technology approved by the
Agency Chief Information officer (CIO) is acquired, pursuant to the
Federal Information Technology Acquisition Reform ACT (FITARA)(Section
831 of the National Defense Authorization Act for Fiscal Year 2015,
Pub. L. 113-291). All agency IT investment decisions, including
software and IT equipment, must be made consistent with the agency's
enterprise architecture. USAID must consider the total cost of
ownership including the costs associated with risk issues, including
security and privacy of data, and the costs of ensuring security of the
IT system itself.
This clause is consistent with the guidance promulgated by OMB in
support of the Federal Information Technology Acquisition Reform Act
(FITARA) and related information technology (IT) management practices
in OMB Memo M-15-14 Management Oversight of Federal Information
Technology.
AIDAR 752.239-XX Software License addresses the need to
ensure that acquired software is aligned with the agency's enterprise
architecture; it will also enable the Agency to consolidate licenses
when appropriate in alignment with OMB Category Management Policy 16-1.
The clause clarifies that renewal of software licenses may only
occur in accordance with the mutual agreement of the parties; or an
option renewal clause allowing the Government to unilaterally exercise
one or more options to extend the term of the award. Since renewal of a
software license would require the obligation of funds by the Federal
Government, renewal must not be automatic.
Commercial off the shelf software solutions are offered to the
public under standard agreements that may take a variety of forms,
including license agreements, terms of service (TOS), terms of sale or
purchase, and similar agreements. Customarily, these standard
agreements contain terms and conditions that are appropriate when the
purchaser is a private party but are inappropriate when the purchaser
is the Federal Government.
AIDAR 752.239-XX Information and Communication Technology
(ICT) Accessibility requires contractors to implement Section 508 of
the Rehabilitation Act of 1973, as amended (29 U.S.C. 794d) (``Section
508''). This clause applies to all development, procurement,
maintenance, and information communication technology for use by USAID
and members of the U.S. public.
AIDAR 752.239-XX Information Technology Approval requires
that contractors acquire only the information technology specified in
the contract, and specifies a process to request approval if the
Contractor determines that acquisition of information technology is
necessary to meet the Government's requirements under the award. The
clause ensures that only information technology approved by the Agency
Chief Information Officer (CIO) is acquired, pursuant to the Federal
Information Technology Acquisition Reform ACT (FITARA)(Section 831 of
the National Defense Authorization Act for Fiscal Year 2015, Pub. L.
113-291). All agency IT investment decisions, including software and IT
equipment, must be made consistent with the agency's enterprise
architecture. USAID must consider the total cost of ownership including
the costs associated with risk issues, including security and privacy
of data, and the costs of ensuring security of the IT system itself.
This clause is consistent with the guidance promulgated by OMB in
support of the Federal Information Technology Acquisition Reform Act
(FITARA) and related information technology (IT) management practices
in OMB Memo M-15-14 Management Oversight of Federal Information
Technology.
AIDAR 752.239-XX Skills and Certification Requirements for
Privacy and Security Staff requires that Contractor personnel
performing the roles of Information System Security Officer and
Information Security Specialists possess a Certified Information
Systems Security Professional (CISSP) certification. All USAID
contractors who have significant information security responsibilities
as defined by OPM 5 CFR part 930 must complete specialized IT security
training.
Additionally, contractor personnel filling the role of Privacy
Analysts must possess a Certified Information Privacy Professional
(CIPP) credential with a CIPP/US to ensure that Privacy Analysts have
the expertise required to implement U.S. government privacy laws,
regulations and policies specific to government practice.
C. Regulatory Planning and Review
This proposed rule has been determined to be ``nonsignificant''
under Executive Order 12866, Regulatory Planning and Review, dated
September 30, 1993 and, therefore, is not subject to review.
This proposed rule is not a major rule under 5 U.S.C. 804.
D. Regulatory Flexibility Act
The proposed rule does not have a significant economic impact on a
substantial number of small entities within the meaning of the
Regulatory Flexibility Act, 5 U.S.C. 601, et seq. Therefore, an Initial
Regulatory Flexibility Analysis has not been performed.
E. Paperwork Reduction Act
The Paperwork Reduction Act (44 U.S.C. chapter 35) applies. The
proposed rule contains an information collection requirement.
Accordingly, USAID has submitted a request to the Office of Management
and Budget for approval of a new information collection requirement
concerning ``Access to USAID Facilities and USAID's Information
Systems'' and the
[[Page 10472]]
monthly reports of employees requiring access.
Access to USAID Facilities and USAID's Information Systems
Public reporting burden for this collection of information is
estimated to average initially eight hours immediately after contract
award to develop the list of employee's requiring access, then 2 hours
per month to update such a list, including the time for reviewing
instructions, gathering/maintaining the employee names, and forwarding
the list to the agency for processing. The recordkeeping requirements
are minor. While a contractor is required to identify and submit the
list of its employees who require access, there is no requirement to
collect this information in a particular format for submission to the
agency.
The annual reporting burden is estimated as follows:
Total number of respondents and the amount of time estimated for an
average respondent to respond: 138 contractors; eight hours for the
initial report, 24 hours annually thereafter for submission of the
monthly reports.
Total public burden (in hours) associated with the collection:
1,104 hours initially, and 3,312 hours annually thereafter.
Total public burden (in cost) associated with the collection:
Initial submission, $54,537, then $163,613 annually thereafter.
When submitting comments on these information collections, your
comments should address one or more of the following four points:
(1) Evaluate whether the proposed collection of information is
necessary for the proper performance of the functions of the agency,
including whether the information will have practical utility;
(2) Evaluate the accuracy of the agency's estimate of the burden of
the proposed collection of information, including the validity of the
methodology and assumptions used;
(3) Ways to enhance the quality, utility, and clarity of the
information to be collected; and
(4) Ways which USAID can minimize the burden of the collection of
information on those who are to respond, including through the use of
appropriate automated, electronic, mechanical, or other technological
collection techniques or other forms of information technology, e.g.,
permitting electronic submission of responses.
List of Subjects in 48 CFR parts 739 and 752
Government procurement.
For the reasons discussed in the preamble, USAID proposes to amend
48 CFR Parts 739 and 752 as set forth below:
0
1. Add part 739 to read as follows:
PART 739--Acquisition of Information Technology
Sec.
739.002 Definitions
739.003 [Reserved]
Authority: Sec. 621, Pub. L. 87-195, 75 Stat. 445, (22 U.S.C.
2381) as amended; E.O. 12163, Sept. 29, 1979, 44 FR 56673; and 3 CFR
1979 Comp., p. 435.
739.002 Definitions.
As used in this part--
Information Technology means
(1) Any services or equipment, or interconnected system(s) or
subsystem(s) of equipment, that are used in the automatic acquisition,
storage, analysis, evaluation, manipulation, management, movement,
control, display, switching, interchange, transmission, or reception of
data or information by the agency; where
(2) Such services or equipment are ``used by an agency'' if used by
the agency directly or if used by a contractor under a contract with
the agency that requires either use of the services or equipment or
requires use of the services or equipment to a significant extent in
the performance of a service or the furnishing of a product.
(3) The term ``information technology'' includes computers,
ancillary equipment (including imaging peripherals, input, output, and
storage devices necessary for security and surveillance), peripheral
equipment designed to be controlled by the central processing unit of a
computer, software, firmware and similar procedures, services
(including provisioned services such as cloud computing and support
services that support any point of the lifecycle of the equipment or
service), and related resources.
(4) The term ``information technology'' does not include any
equipment that is acquired by a contractor incidental to a contract
that does not require use of the equipment.
739.003 [Reserved]
PART 752--SOLICITATION PROVISIONS AND CONTRACT CLAUSES
0
2. The authority for part 752 continues to read as follows:
Authority: Sec. 621, Pub. L. 87-195, 75 Stat. 445, (22 U.S.C.
2381) as amended; E.O. 12163, Sept. 29, 1979, 44 FR 56673; and 3 CFR
1979 Comp., p. 435.
0
3. Amend section 752.204-72 by revising the section heading and the
clause to read as follows:
752.204-72 Homeland Security Presidential Directive-12 (HSPD-12) and
Personal Identity Verification (PIV).
* * * * *
Homeland Security Presidential Directive-12 (HSPD-12) and Personal
Identity Verification (PIV) (Date)
(a) Individuals engaged in the performance of this award as
employees, consultants, or volunteers of the contractor must comply
with all applicable HSPD-12 and PIV procedures, as described below,
and any subsequent USAID or Government-wide HSPD-12 and PIV
procedures/policies.
(b) A U.S. citizen or resident alien engaged in the performance
of this award as an employee, consultant, or volunteer of a U.S firm
may obtain access to USAID facilities or logical access to USAID's
information systems only when and to the extent necessary to carry
out this award and in accordance with this clause. The contractor's
employees, consultants, or volunteers who are not U.S. citizens or
resident aliens as well as employees, consultants, or volunteers of
non-U.S. firms, irrespective of their citizenship, will not be
granted logical access to U.S. Government information technology
systems (such as Phoenix, GLAAS, etc.) and must be escorted to use
U.S. Government facilities (such as office space).
(c) (1) No later than five business days after award, the
Contractor must provide to the Contracting Officer's Representative
(COR) a complete list of employees that require access to USAID
facilities or information systems.
(2) Before a contractor (or a contractor employee, consultant,
or volunteer) or subcontractor at any tier may obtain a USAID ID
(new or replacement) authorizing the individual routine access to
USAID facilities in the United States, or logical access to USAID's
information systems, the individual must provide two forms of
identity source documents in original form to the Enrollment Office
personnel when undergoing processing. One identity source document
must be a valid Federal or State Government-issued picture ID.
Contractors may contact the USAID Security Office to obtain the list
of acceptable forms of documentation. Submission of these documents,
to include documentation of security background investigations, is
mandatory in order for the contractor to receive a PIV or PIV-
Alternative (PIV-A)/Facilities Access Card (FAC) card and be granted
access to any of USAID's information systems. All such individuals
must physically present these two source documents for identity
proofing at their enrollment.
(d) The Contractor must send a staffing report to the COR by the
fifth day of each month. The report must contain the listing of
[[Page 10473]]
all staff members with access who were separated or hired under this
contract in the past sixty (60) calendar days. This report must be
submitted even if no separations or hiring occurred during the
reporting period. Failure to submit the `Contractor Staffing Change
Report' each month may, at USAID's discretion, result in the
suspension of all logical access to USAID information systems and/or
facilities access associated with this contract. USAID will provide
the contractor the format for this report.
(e) Contractor employees are strictly prohibited from sharing
logical access to USAID information systems and Sensitive
Information. USAID will disable accounts and revoke logical access
to USAID IT systems if Contractor employees share accounts.
(f) USAID, at its discretion, may suspend or terminate the
access to any systems and/or facilities when an Information Security
Incident or electronic access violation, use, or misuse incident
gives cause for such action. The suspension or termination may last
until such time as USAID determines that the situation has been
corrected or no longer exists.
(g) The Contractor must notify the COR and the USAID Service
Desk at least five business days prior to the Contractor employee's
removal from the contract. For unplanned terminations of Contractor
employees, the Contractor must immediately notify the COR and the
USAID Service Desk ([email protected] or (202) 712-1234). The
Contractor or its Facilities Security Officer must return USAID PIV/
FAC cards and remote authentication tokens issued to Contractor
employees to the COR prior to departure of the employee or upon
completion or termination of the contract, whichever occurs first.
(h) The contractor is required to insert this clause (including
this paragraph (h) in any subcontracts that require the
subcontractor, subcontractor employee, or consultant to have routine
physical access to USAID space or logical access to USAID's
information systems.
(End of Clause)
0
4. Add section 752.204-XX to read as follows:
752.204-XX USAID-Financed Third-Party Websites.
Insert the following clause in USAID-funded solicitations and
contracts that require development and/or maintenance of a third-party
website to achieve project implementation goals.
USAID-Financed Third-Party Websites (Date)
(a) Definitions: ``Third-party websites''
Websites hosted on environments external to USAID boundaries and
not directly controlled by USAID policies and staff, except through
the terms and conditions of a contract. Third-party websites include
project websites.
(b) The contractor must adhere to the following requirements
when developing, launching, and maintaining a third-party website
funded by USAID for the purpose of meeting the project
implementation goals:
(1) Prior to website development, the Contractor must provide
information as required in Section C-Statement of Work of the
contract (including a copy of their Contractor's privacy policy) to
the Contracting Officer's Representative (COR), for USAID's Bureau
for Legislative and Public Affairs (LPA) evaluation and approval.
The Contractor must notify the COR of the website URL as far in
advance of the site's launch as possible and must not launch the
website until USAID's approval has been provided through the COR.
The Contractor must provide the COR any changes to the Contractor's
privacy policy for the duration of the contract.
(2) The Contractor must collect only the amount of information
necessary to complete the specific business need as required by
statute, regulation, or Executive Order.
(3) The Contractor must comply with Agency branding and marking
requirements comprised of the USAID logo and brandmark with the
tagline ``from the American people,'' located on the USAID website
at www.usaid.gov/branding, and USAID Graphics Standards manual at
http://www.usaid.gov.
(4) The website must be marked on the index page of the site and
every major entry point to the website with a disclaimer that
states:
``The information provided on this website is not official U.S.
Government information and does not represent the views or positions
of the U.S. Agency for International Development or the U.S.
Government.''
(5) The website must provide persons with disabilities access to
information that is comparable to the access available to others. As
such, all site content must be compliant with the requirements of
the Section 508 of the Rehabilitation Act, as amended (29 U.S.C.
794d) (``Section 508'') and other terms and conditions of the
contract.
(6) The Contractor must identify and provide to the COR, in
writing, the contact information for the Contractor's information
security point of contact. The contractor is responsible for
updating the contact information whenever there is a change in
personnel assigned to this role.
(7) The Contractor must provide adequate protection from
unauthorized access, alteration, disclosure, or misuse of
information processed, stored, or transmitted on the websites. To
minimize security risks and ensure the integrity and availability of
information, the Contractor must use sound: System/software
management; engineering and development; and secure-coding practices
consistent with USAID standards and information security best
practices. Rigorous security safeguards, including but not limited
to, virus protection; network intrusion detection and prevention
programs; and vulnerability management systems must be implemented
and critical security issues must be resolved as quickly as possible
or within 30 calendar days. Contact the USAID Chief Information
Security Officer (CISO) at [email protected] for specific standards and
guidance.
(8) The Contractor must conduct periodic vulnerability scans,
mitigate all security risks identified during such scans, and report
subsequent remediation actions to CISO at [email protected] and COR
within 30 calendar days from the date vulnerabilities are
identified. The report must include disclosure of the tools used to
conduct the scans. Alternatively, the contractor may authorize USAID
CISO at [email protected] to conduct periodic vulnerability scans via
its Web-scanning program. The sole purpose of USAID scanning will be
to minimize security risks. The Contractor will be responsible for
taking the necessary remediation action and reporting to USAID as
specified above.
(c) For general information, agency graphics, metadata, privacy
policy, and Section 508 compliance requirements, refer to http://www.usaid.gov.
(End of Clause)
0
5. Add section 752.239-XX to read as follows:
752.239-XX Limitation on Acquisition of Information Technology.
Insert the following clause in all solicitations and contracts
unless the special contract requirement Information Technology Approval
is included.
Limitation on Acquisition of Information Technology (Date)
(a) Definitions. As used in this contract:
Information Technology means
(1) Any services or equipment, or interconnected system(s) or
subsystem(s) of equipment, that are used in the automatic
acquisition, storage, analysis, evaluation, manipulation,
management, movement, control, display, switching, interchange,
transmission, or reception of data or information by the agency;
where
(2) such services or equipment are ``used by an agency'' if used
by the agency directly or if used by a contractor under a contract
with the agency that requires either use of the services or
equipment or requires use of the services or equipment to a
significant extent in the performance of a service or the furnishing
of a product.
(3) The term ``information technology'' includes computers,
ancillary equipment (including imaging peripherals, input, output,
and storage devices necessary for security and surveillance),
peripheral equipment designed to be controlled by the central
processing unit of a computer, software, firmware and similar
procedures, services (including provisioned services such as cloud
computing and support services that support any point of the
lifecycle of the equipment or service), and related resources.
(4) The term ``information technology'' does not include any
equipment that is acquired by a contractor incidental to a contract
that does not require use of the equipment.
(b) The Federal Information Technology Acquisition Reform Act
(FITARA) requires Agency Chief Information Officer (CIO) review and
approval of contracts that include information technology or
information technology services.
[[Page 10474]]
(c) The Contractor must not acquire information technology as
defined in this clause without the prior written approval by the
contracting officer as specified in this clause.
(d) Request for Approval Requirements:
(1) If the Contractor determines that any information technology
will be necessary to meet the Government's requirements or to
facilitate activities in the Government's statement of work, the
Contractor must request prior written approval from the Contracting
Officer.
(2) As part of the request, the Contractor must provide the
Contracting Officer a description and an estimate of the total cost
of the information technology equipment, software, or services to be
procured under this contract. The Contractor must simultaneously
notify the Contracting Officer's Representative (COR) and the Office
of the Chief Information Office at [email protected].
(e) The Contracting Officer will provide written approval to the
Contractor through modification to the contract expressly specifying
the information technology equipment, software, or services approved
for purchase by the COR and the Agency CIO. The Contracting Officer
will include the applicable clauses and any special contract
requirements in the modification.
(f) Except as specified in the contracting officer's written
approval, the Government is not obligated to reimburse the
Contractor for any costs incurred for information technology as
defined in this clause. Such approval does not relieve the
Contractor from the responsibility to maintain current compliance at
all times--including through any updates or modifications to the
information technology--with all terms and conditions of the
contract, as well as relevant statutes and regulations.
(g) The Contractor must insert the substance of this clause,
including this paragraph (g), in all subcontracts.
(End of Clause)
0
6. Add section 752.239-XX to read as follows:
752.239-XX Software License.
Insert the following clause in solicitations and contracts for new
software licenses or to renew existing licenses, and in solicitations
and contracts which may include a requirement for new software licenses
or renewal of existing licenses.
Software License Addendum (Date)
(a) This clause incorporates certain terms and conditions
relating to Federal procurement actions. The terms and conditions of
this Addendum take precedence over the terms and conditions
contained in any license agreement or other contract documents
entered into between the parties.
(b) Governing Law: Federal procurement law and regulations,
including the Contract Disputes Act, 41 U.S.C. 601 et seq., and the
Federal Acquisition Regulation (FAR), govern the agreement between
the parties. Litigation arising out of this contract may be filed
only in those fora that have jurisdiction over Federal procurement
matters.
(c) Attorney's Fees: Attorney's fees are payable by the Federal
government in any action arising under this contract only pursuant
to the Equal Access in Justice Act, 5 U.S.C. 504.
(d) No Indemnification: The Federal government will not be
liable for any claim for indemnification; such payments may violate
the Anti-Deficiency Act, 31 U.S.C. 1341(a).
(e) Assignment: Payments may only be assigned in accordance with
the Assignment of Claims Act, 31 U.S.C. 3727, and FAR Subpart 32.8,
``Assignment of Claims.''
(f) Patent and Copyright Infringement: Patent or copyright
infringement suits brought against the United States as a party may
only be defended by the U.S. Department of Justice (28 U.S.C. 516).
(g) Renewal of Support after Expiration of this Award: Service
will not automatically renew after expiration of the initial term of
award.
(h) Renewal may only occur in accord with (1) the mutual
agreement of the parties; or (2) an option renewal clause allowing
the Government to unilaterally exercise one or more options to
extend the term of the award.
(End of Clause)
0
7. Add section 752.239-72 to read as follows:
752.239-72 Information and Communication Technology Accessibility.
Insert the following clause in solicitations and contracts that
include acquisition of Information and Communication Technology (ICT)
supplies and/or services for use by Federal employees or U.S. members
of the public.
Information and Communication Technology Accessibility
(Date)
(a) Federal agencies are required by Section 508 of the
Rehabilitation Act of 1973, as amended (29 U.S.C. 794d), to offer
access to information and communication technology for disabled
individuals within its employment, and for disabled members of the
public seeking information and services. This access must be
comparable to that which is offered to similar individuals who do
not have disabilities. Standards for complying with this law are
prescribed by the Architectural and Transportation Barriers
Compliance Board (``The Access Board'') in 36 CFR part 1194, which
implements Section 508 of the Rehabilitation Act of 1973, as
amended, and is viewable at http://www.access-board.gov/sec508/508standards.htm. The contractor must comply with any future updates
of standards by the Access Board.
(b) Except as indicated elsewhere in the contract, all ICT
procured through this contract must meet the applicable
accessibility standards at 36 CFR part 1194 as follows:
(1) Section 1194.21 Software applications and operating systems
(2) 1194.22 Web-based intranet and internet information and
applications;
(3) Section 1194.23 Telecommunications products;
(4) Section 1194.24 Video and multimedia products;
(5) Section 1194.25 Self-contained, closed products;
(6) Section 1194.26 Desktop and portable computers;
(7) Section 1194.31 Functional performance criteria; and
(8) Section 1194.41 Information, documentation, and support.
(c) Deliverable(s) must incorporate these standards as well.
(d) The final work product must include documentation that the
deliverable conforms with the Section 508 Standards promulgated by
the US Access Board.
(End of Clause)
0
8. Add section 752.239-XX to read as follows:
752.239-XX Use of Information Technology Approval.
Insert the following clause in all USAID solicitations and
contracts for Information Technology (IT) services or supplies or
include a requirement for the contractor to provide IT services or
supplies.
Use of Information Technology Notification (Date)
(a) Definitions. As used in this contract:
Information Technology means
(1) Any services or equipment, or interconnected system(s) or
subsystem(s) of equipment, that are used in the automatic
acquisition, storage, analysis, evaluation, manipulation,
management, movement, control, display, switching, interchange,
transmission, or reception of data or information by the agency;
where
(2) Such services or equipment are ``used by an agency'' if used
by the agency directly or if used by a contractor under a contract
with the agency that requires either use of the services or
equipment or requires use of the services or equipment to a
significant extent in the performance of a service or the furnishing
of a product.
(3) The term ``information technology'' includes computers,
ancillary equipment (including imaging peripherals, input, output,
and storage devices necessary for security and surveillance),
peripheral equipment designed to be controlled by the central
processing unit of a computer, software, firmware and similar
procedures, services (including provisioned services such as cloud
computing and support services that support any point of the
lifecycle of the equipment or service), and related resources.
(4) The term ``information technology'' does not include any
equipment that is acquired by a contractor incidental to a contract
that does not require use of the equipment. (OMB M-15-14)
(b) The Federal Information Technology Acquisition Reform Act
(FITARA) requires
[[Page 10475]]
Agency Chief Information Officer (CIO) review and approval of
contracts or interagency agreements for information technology or
information technology services.
(c) The approved information technology and/or information
technology services are specified in the Schedule of this contract.
The Contractor must not acquire additional information technology
without the prior written approval of the Contracting Officer as
specified in this clause.
(d) Request for Approval Requirements:
(1) If the Contractor determines that any information technology
in addition to that information technology specified in the Schedule
will be necessary to meet the Government's requirements or to
facilitate activities in the Government's statement of work, the
Contractor must request prior written approval from the Contracting
Officer.
(2) As part of the request, the Contractor must provide the
Contracting Officer a description and an estimate of the total cost
of the information technology equipment, software, or services to be
procured under this contract. The Contractor must simultaneously
notify the Contracting Officer's Representative (COR) and the Office
of the Chief Information Officer at [email protected].
(e) The Contracting Officer will provide written approval to the
Contractor expressly specifying the information technology
equipment, software, or services approved for purchase by the COR
and the Agency CIO. Additional clauses or special contract
requirements may be applicable and will be incorporated by the
Contracting Officer through a modification to the contract.
(f) Except as specified in the Contracting Officer's written
approval, the Government is not obligated to reimburse the
Contractor for costs incurred in excess of the information
technology equipment, software or services specified in the
Schedule. Such approval does not relieve the Contractor from the
responsibility to maintain current compliance at all times--
including through any updates or modifications to the information
technology--with meeting all terms and conditions of the contract,
as well as relevant statutes and regulations.
(d) The Contractor must insert the substance of this clause,
including this paragraph (g), in all subcontracts.
(End of Clause)
0
9. Add section 752.239-XX to read as follows:
752.239-XX Skills and Certification Requirements for Privacy and
Security Staff.
Insert the following clause in solicitations and contracts for
Information Technology (IT) services and in solicitations and contracts
that include a component for IT services.
Skills and Certification Requirements for Privacy and Security Staff
(Date)
(a) Applicability: This clause applies to the Contractor, its
subcontractors and personnel providing support under this contract
and addresses the Privacy Act of 1974 (5 U.S.C. 552a--the Act) and
Federal Information Security Management Act (FISMA) of 2002 (FISMA,
Pub. L. 107-347. 44 U.S.C. 3531-3536).
(b) Contractor personnel filling the role of Information System
Security Officer and Information Security Specialists must possess a
Certified Information Systems Security Professional (CISSP)
certification at time of contract award and maintain their
certification throughout the period of performance. This will
fulfill the requirements for specialized training due to the
continuing education requirements for the certification. Contractor
personnel must provide proof of their certification status upon
request.
(c) Contractor personnel filling the role of Privacy Analysts
must possess a Certified Information Privacy Professional (CIPP)
credential with a CIPP/USat the time of the contract award and must
maintain the credential throughout the period of performance. This
will fulfill the requirements for specialized training due to the
continuing education requirements for the certification. Contractor
personnel must provide proof of their certification status upon
request.
(End of Clause)
Mark Walther,
Chief Acquisition Officer, Acting.
[FR Doc. 2019-04654 Filed 3-20-19; 8:45 am]
BILLING CODE 6116-02-P