Department of Homeland Security
Customs & Border Protection (CBP)
Provisions Statement for Third Party Software Licenses and Maintenance

1.0

GENERAL INFORMATION AND SCOPE

U.S. Customs and Border Protection (CBP), Office of Information and Technology (OIT)
requires the renewal of Google Maps Platform software. This is in support of the
Automated Targeting System (ATS). Google Maps Platform is required for visualization
of maps and geocoding services within CBP OIT applications.
The purpose of this firm-fixed price contract is for the contractor to provide the following
license renewal for support and maintenance:
Item Description
Google Maps Platform (12 month license/support term)

*In accordance with the attached Bill of Materials

The Contractor shall provide technical support, codes for fixes, access to product
documentation and any updates.
1.1 Period of Performance

The period of performance will be 3/17/20-3/16/21.

1.2 Place of Performance

Place of performance will be at government facilities.
2.0

TYPE OF CONTRACT

Customs and Border Protection will award a firm fixed price contract.
3.0

PERSONALLY IDENTIFIABLE INFORMATION (PM

When a contractor, on the behalf of CBP, handles Sensitive PII data, stores and transmits,
the contractor will Accredit (ATO) this information system to the HHM FIPS level.

Page 1 of 32

 4.0

INVOICING AND PAYMENT

ELECTRONIC INVOICING AND PAYMENT REQUIREMENTS - INVOICE
PROCESSING PLATFORM (IPP) (JAN 2016)
Beginning April 11, 2016, payment requests for all new awards must be submitted
electronically through the U. S. Department of the Treasury's Invoice Processing
Platform System (IPP). Payment terms for existing contracts and orders awarded prior to
April 11, 2016 remain the same. The Contractor must use IPP for contracts and orders
awarded April 11, 2016 or later, and must use the non-IPP invoicing process for those
contracts and orders awarded prior to April 11, 2016.
"Payment request" means any request for contract financing payment or invoice
payment by the Contractor. To constitute a proper invoice, the payment request must
comply with the requirements identified in FAR 32.905(b), "Payment documentation and
process" and the applicable Prompt Payment clause included in this contract. The HT
website address is: https://www.ipp.gov.
The IPP was designed and developed for Contractors to enroll, access and use IPP
for submitting requests for payment. Contractor assistance with enrollment can be
obtained by contacting IPPCustomerSupport@fins.treas.gov or phone (866) 973-3131.
If the Contractor is unable to comply with the requirement to use IPP for submitting
invoices for payment, the Contractor must submit a waiver request in writing to the
contracting officer.
(b) In accordance with FAR 32.904(b), the CO, in conjunction with the COR and
NFC, will determine whether the invoice is proper or improper within seven (7) days of
receipt. Improper invoices will be returned to the contractor within seven (7) days of
receipt.
REVIEW AND APPROVAL REQUIREMENTS
(a) To constitute a proper invoice, invoices shall include, at a minimum, all the items
required in FAR 32.905.
The minimum requirements are:
Name and address of the contractor.
Invoice date and invoice number.
Contract number or other authorization for supplies delivered or services performed
(including order number and contract line item number.
Description, quantity, unit of measure, unit price, and extended price of supplies
delivered or services performed.
Shipping and payment terms (e.g. shipment number and date of shipment, discount
for prompt payment terms). Bill of lading number and weight of shipment will be shown
for shipments on Government bills of lading.
Name and address of contractor official to whom payment is to be sent (must be the
same as that in the contract or in a proper notice of assignment).

Page 2 of 32

 Name (where practicable), title, phone number, and mailing address of person to
notify in the event of a defective invoice.
Taxpayer identification number (TIN).
Electronic funds transfer (EFT) banking information.
Any other information or documentation required by the contract (e.g. evidence of
shipment).
(b) Supplemental documentation required for review and approval of invoices, at the
written direction of the contracting officer, may be submitted directly to either the
contracting officer, or the contracting officer's representative. Contractors shall submit
all supplemental invoice documentation along with the original invoice.
(c) Invoices that fail to provide the information required by the Prompt Payment clause
(FAR 52.232-25) may be rejected by the Government and returned to the contractor.

5.0

POINT OF CONTACT

(b)(6); (b)(7)(C)

Page 3 of 32

 6.0

DHS CLAUSES

Enterprise Architecture (EA) Compliance

The Offeror shall ensure that the design conforms to the Department of Homeland
Security (DHS) and Customs and Border Protection (CBP) Enterprise Architecture (EA),
the DHS and CBP Technical Reference Models (TRM), and all DHS and CBP policies
and guidelines (such as the CBP Information Technology Enterprise Principles and the
DHS Service Oriented Architecture - Technical Framework), as promulgated by the DHS
and CBP Chief Information Officers (CIO), Chief Technology Officers (CTO) and Chief
Architects (CA).
The Offeror shall conform to the Federal Enterprise Architecture (FEA) model and the
DHS and CBP versions of the FEA model, as described in their respective EAs. All
models will be submitted using Business Process Modeling Notation (BPMN 1.1 or
BPMN 2.0 when available) and the CBP Architectural Modeling Standards. Universal
Modeling Language (UML2) may be used for infrastructure only. Data semantics shall be
in conformance with the National Information Exchange Model (NIEM). Development
solutions will also ensure compliance with the current version of the DHS and CBP target
architectures.
Where possible, the Offeror shall use DHS/CBP approved products, standards, services,
and profiles, as reflected by the hardware, software, application, and infrastructure
components of the DHS/CBP TRM/standards profile. If new hardware, software, or
infrastructure components are required to develop, test, or implement the program, these
products will be coordinated through the DHS and CBP formal Technology Insertion (TI)
process (to include a trade study with no less than four alternatives, one of which
reflecting the status quo and another reflecting multi-agency collaboration). The
DHS/CBP TRM/standards profile will be updated as TIs are resolved.
All developed solutions shall be compliant with the Homeland Security (HLS) EA.
All IT hardware and software shall be compliant with the HLS EA.
Compliance with the HLS EA shall be derived from and aligned through the CBP EA.
Description information for all data assets, information exchanges and data standards,
whether adopted or developed, shall be submitted to the Enterprise Data Management
Office (EDMO) for review, approval, and insertion into the DHS Data Reference Model
and Enterprise Architecture Information Repository.
Development of data assets, information exchanges, and data standards will comply with
the DHS Data Management Policy MD 103-01. All data-related artifacts will be
developed and validated according to DHS Data Management Architectural Guidelines.
Applicability of Internet Protocol version 6 (IPv6) to DHS-related components
(networks, infrastructure, and applications) specific to individual acquisitions shall be in
accordance with the DHS EA (per OMB Memorandum M-05-22, August 2, 2005),
regardless of whether the acquisition is for modification, upgrade, or replacement. All EA

Page 4 of 32

 related component acquisitions shall be IPv6 compliant, as defined in the USGv6 Profile
(NIST Special Publication 500-267) and the corresponding declarations of conformance,
defined in the USGv6 Test Program.
Encryption Compliance
If encryption is required, the following methods are acceptable for encrypting sensitive
information:
1. FIPS 197 (Advanced Encryption Standard (AES)) 256 algorithm and
cryptographic modules that have been validated under FIPS 140-2.
2. National Security Agency (NSA) Type 2 or Type 1 encryption.
3. Public Key Infrastructure (PKI) (see paragraph 5.5.2.1 of the Department of
Homeland Security (DHS) IT Security Program Handbook (DHS Management
Directive (MD) 4300A) for Sensitive Systems).
DHS Enterprise Architecture Compliance
All solutions and services shall meet DHS Enterprise Architecture policies, standards,
and procedures. Specifically, the contractor shall comply with the following HLS EA
requirements:
4. All developed solutions and requirements shall be compliant with the HLS EA.
5. All IT hardware and software shall be compliant with the HLS EA Technical
Reference Model (TRM) Standards and Products Profile.
6. Description information for all data assets, information exchanges and data
standards, whether adopted or developed, shall be submitted to the Enterprise
Data Management Office (EDMO) for review, approval and insertion into the
DHS Data Reference Model and Enterprise Architecture Information Repository.
7. Development of data assets, information exchanges and data standards will
comply with the DHS Data Management Policy MD 103-01 and all data-related
artifacts will be developed and validated according to DHS data management
architectural guidelines.
8. Applicability of Internet Protocol Version 6 (IPv6) to DHS-related components
(networks, infrastructure, and applications) specific to individual acquisitions
shall be in accordance with the DHS Enterprise Architecture (per OMB
Memorandum M-05-22, August 2, 2005) regardless of whether the acquisition is
for modification, upgrade, or replacement. All EA-related component acquisitions
shall be IPv6 compliant as defined in the U.S. Government Version 6 (USGv6)
Profile National Institute of Standards and Technology (NIST) Special
Publication 500-267) and the corresponding declarations of conformance defined
in the USGv6 Test Program.

Page 5 of 32

 Security Review Requirement
The following requirements should be included in all acquisition documents.
Security Review

The Government may elect to conduct periodic reviews to ensure that the security
requirements contained in this contract are being implemented and enforced. The
Contractor shall afford DHS, including the organization of the DHS Office of the Chief
Information Officer, the Office of the Inspector General, authorized Contracting Officer's
Technical Representative (COTR), and other government oversight organizations, access
to the Contractor's facilities, installations, operations, documentation, databases and
personnel used in the performance of this contract. The Contractor will contact the DHS
Chief Information Security Officer to coordinate and participate in the review and
inspection activity of government oversight organizations external to the DHS. Access
shall be provided to the extent necessary for the government to carry out a program of
inspection, investigation, and audit to safeguard against threats and hazards to the
integrity, availability and confidentiality of DHS data or the function of computer systems
operated on behalf of DHS, and to preserve evidence of computer crime.
Interconnection Security Agreement (ISA)
The following requirements should be included in the acquisition document if the service
being supplied requires a connection to a non-DHS, Contractor system, or DHS system of
different sensitivity.
Interconnection Security Agreement Requirements

Interconnections between DHS and non-DHS IT systems shall be established only
through controlled interfaces and via approved service providers. Connections with other
Federal agencies shall be documented based on interagency agreements; memoranda of
understanding, service level agreements or interconnect service agreements.

Required Protections for DHS Systems Hosted in Non-DHS Data Centers
Security Authorization
A Security Authorization of any infrastructure directly in support of the DHS information
system shall be performed as a general support system (GSS) prior to DHS occupancy to
characterize the network, identify threats, identify vulnerabilities, analyze existing and
planned security controls, determine likelihood of threat, analyze impact, determine risk,
recommend controls, perform remediation on identified deficiencies, and document the
results. The Security Authorization shall be performed in accordance with the DHS
Security Policy and the controls provided by the hosting provider shall be equal to or
stronger than the FIPS 199 security categorization of the DHS information system.

Page 6 of 32

 At the beginning of the contract, and annually thereafter, the contractor shall provide the
results of an independent assessment and verification of security controls. The
independent assessment and verification shall apply the same standards that DHS applies
in the Security Authorization Process of its information systems. Any deficiencies noted
during this assessment shall be provided to the COTR for entry into the DHS' Plan of
Action and Milestone (POA&M) Management Process. The contractor shall use the
DHS' POA&M process to document planned remedial actions to address any deficiencies
in information security policies, procedures, and practices, and the completion of those
activities. Security deficiencies shall be corrected within the timeframes dictated by the
DHS POA&M Management Process. Contractor procedures shall be subject to periodic,
unannounced assessments by DHS officials. The physical aspects associated with
contractor activities shall also be subject to such assessments.
On a periodic basis, the DHS and its Components, including the DHS Office of Inspector
General, may choose to evaluate any or all of the security controls implemented by the
contractor under these clauses. Evaluation could include, but it not limited to
vulnerability scanning. The DHS and its Components reserve the right to conduct audits
at their discretion. With ten working days' notice, at the request of the Government, the
contractor shall fully cooperate and facilitate in a Government-sponsored security control
assessment at each location wherein DHS information is processed or stored, or
information systems are developed, operated, maintained, or used on behalf of DHS,
including those initiated by the Office of the Inspector General. The government may
conduct a security control assessment on shorter notice (to include unannounced
assessments) determined by DHS in the event of a security incident.
Enterprise Security Architecture
The contractor shall utilize and adhere to the DHS Enterprise Security Architecture to the
best of its ability and to the satisfaction of the DHS COTR. Areas of consideration could
include:
1)Use of multi-tier design (separating web, application and data base) with policy
enforcement between tiers
2) Compliance to DHS Identity Credential Access Management (ICAM)
3) Security reporting to DHS central control points (i.e. the DHS Security Operations
Center (SOC) and integration into DHS Security Incident Response
4) Integration into DHS Change Management (for example, the Infrastructure Change
Control Board (ICCB) process)
5) Performance of activities per continuous monitoring requirements
Continuous Monitoring
The contractor shall participate in DHS' Continuous Monitoring Strategy and methods or
shall provide a Continuous Monitoring capability that the DHS determines acceptable.
The DHS Chief Information Security Officer (C ISO) issues annual updates to its

Page 7 of 32

 Continuous Monitoring requirements via the Annual Information Security Performance
Plan. At a minimum, the contractor shall implement the following processes:
1.Asset Management
2. Vulnerability Management
3. Configuration Management
4. Malware Management
5. Log Integration
6. Security Information Event Management (SIEM) Integration
7. Patch Management
8. Providing near-real-time security status information to the DHS SOC
Specific Protections
Specific protections that shall be provided by the contractor include, but are not limited to
the following:
Security Operations
The Contractor shall operate a SOC to provide the security services described below. The
Contractor shall support regular reviews with the DHS Information Security Office to
coordinate and synchronize the security posture of the contractor hosting facility with that
of the DHS Data Centers. The SOC personnel shall provide 24x7x365 staff to monitor
the network and all of its devices. The contractor staff shall also analyze the information
generated by the devices for security events, respond to real-time events, correlate
security device events, and perform continuous monitoring. It is recommended that the
contractor staff shall also maintain a trouble ticket system in which incidents and outages
are recorded. In the event of an incident, the contractor facility SOC shall adhere to the
incident response plan.
Computer Incident Response Services
The Contractor shall provide Computer Incident Response Team (CIRT) services. The
contractor shall adhere to the standard Incident Reporting process as determined by the
Component and is defined by a DHS-specific incident response plan that adheres to DHS
policy and procedure for reporting incidents. The contractor shall conduct Incident
Response Exercises to ensure all personnel are familiar with the plan. The contractor
shall notify the DHS SOC of any incident in accordance with the Incident Response Plan
and work with DHS throughout the incident duration.
Firewall Management and Monitoring
The Contractor shall provide firewall management services that include the design,
configuration, implementation, maintenance, and operation of all firewalls within the
hosted DHS infrastructure in accordance with DHS architecture and security policy. The
contractor shall provide all maintenance to include configuration, patching, rule

Page 8 of 32

 maintenance (add, modify, delete), and comply with DHS' configuration management /
release management requirements when changes are required. Firewalls shall operate
24x7x365. Analysis of the firewall logs shall be reported to DHS COTR in weekly status
reports. If an abnormality or anomaly is identified, the contractor shall notify the
appropriate DHS point of contact in accordance with the incident response plan.
Intrusion Detection Systems and Monitoring
The Contractor shall provide the design, configuration, implementation, and maintenance
of the sensors and hardware that are required to support the NIDS solution. The
contractor is responsible for creating and maintaining the NIDS rule sets. The NIDS
solution should provide real-time alerts. These alerts and other relevant information shall
be located in a central repository. The NIDS shall operate 24x7x365. A summary of alerts
shall be reported to DHS COTR in weekly status reports. If an abnormality or anomaly is
identified, the contractor shall notify the appropriate DHS point of contact in accordance
with the incident response plan.
Physical and Information Security and Monitoring
The Contractor shall provide a facility using appropriate protective measures to provide
for physical security. The facility will be located within the United States and its
territories. The contractor shall maintain a process to control physical access to DHS IT
assets. DHS IT Assets shall be monitored 24x7x365. A summary of unauthorized access
attempts shall be reported to the appropriate DHS security office.
Vulnerability Assessments
The Contractor shall provide all information from any managed device to DHS, as
requested, and shall assist, as needed, to perform periodic vulnerability assessments of
the network, operating systems, and applications to identify vulnerabilities and propose
mitigations. Vulnerability assessments shall be included as part of compliance with the
continuous monitoring of the system.
Anti-malware (e.g., virus, spam)
The Contractor shall design, implement, monitor and manage to provide comprehensive
anti-malware service. The contractor shall provide all maintenance for the system
providing the anti-malware capabilities to include configuration, definition updates, and
comply with DHS' configuration management / release management requirements when
changes are required. A summary of alerts shall be reported to DHS COTR in weekly
status reports. If an abnormality or anomaly is identified, the contractor shall notify the
appropriate DHS point of contact in accordance with the incident response plan.
Patch Management

Page 9 of 32

 The Contractor shall perform provide patch management services. The contractor shall
push patches that are required by vendors and the DHS system owner. This is to ensure
that the infrastructure and applications that directly support the DHS information system
are current in their release and that all security patches are applied. The contractor shall
be informed by DHS which patches that are required by DHS through the Information
Security Vulnerability Management bulletins and advisories. Core applications, the ones
DHS utilizes to fulfill their mission, shall be tested by DHS. However, the contractor
shall be responsible for deploying patches as directed by DHS. It is recommended that all
other applications (host-based intrusion detection system (HIDS), network intrusion
detection system (NIDS), Anti-malware, and Firewall) shall be tested by the contractor
prior to deployment in a test environment.
Log Retention
Log files for all infrastructure devices, physical access, and anti-malware should be
retained online for 180 days and offline for three years.
Personal Identification Verification (PIV) Credential Compliance
Authorities:
HSPD-12 —Policies for a Common Identification Standard for Federal Employees and
Contractorsil
OMB M-11-11 "Continued Implementation of Homeland Security Presidential Directive
(HSPD) 12— Policy for a Common Identification Standard for Federal Employees and
Contractors"
OMB M-06-16 —Acquisition of Products and Services for Implementation of HSPD-121
NIST FIPS 201 —Personal Identity Verification (PIV) of Federal Employees and
Contractorsil
NIST SP 800-63 —Electronic Authentication Guideline!
OMB M-10-15 —FY 2010 Reporting Instructions for the Federal Information Security
Management Act and Agency Privacy Managementll
Procurements for products, systems, services, hardware, or software involving controlled
facility or information system shall be PIV-enabled by accepting HSPD-12 PIV
credentials as a method of identity verification and authentication.
Procurements for software products or software developments shall be PIV-enabled by
accepting HSPD-12 PIV credentials as a method of identity verification and
authentication.
Procurements for software products or software developments shall be compliant by PIV
by accepting PIV credentials as the common means of authentication for access for
federal employees and contractors.

Page 10 of 32

 PIV-enabled information systems must demonstrate that they can correctly work with
PIV credentials by responding to the cryptographic challenge in the authentication
protocol before granting access.
If a system is identified to be non-compliant with HSPD-12 for PIV credential
enablement, a remediation plan for achieving HSPD-12 compliance shall be required for
review, evaluation, and approval by the CISO.
OAST (Office on Accessible Systems and Technology) Compliance
Accessibility Requirements (Section 508)
Section 508 Requirements
Section 508 of the Rehabilitation Act, as amended by the Workforce Investment Act of
1998 (P.L. 105-220) (codified at 29 U.S.C. § 794d) requires that when Federal agencies
develop, procure, maintain, or use information and communications technology (ICT), it
shall be accessible to people with disabilities. Federal employees and members of the
public with disabilities must be afforded access to and use of information and data
comparable to that of Federal employees and members of the public without disabilities.
1. All products, platforms and services delivered as part of this work statement that,
by definition, are deemed ICT or that contain ICT shall conform to the revised
regulatory implementation of Section 508 Standards, which are located at
36 C.F.R. § 1194.1 & Apps. A, C & D, and available at
https://www.gpo.gov/fdsys/pkg/CFR-2017-tit1e36-v013/pdeCFR-2017-tit1e36vo13-part1194.pdf. In the revised regulation, ICT replaced the term electronic and
information technology (EIT) used in the original 508 standards.
Item that contains Information and Communications Technology
(ICT): Visualization Software
Applicable Exception: National Security
CBP-20091030-001

Authorization #:

2. Exceptions for this work statement have been determined by DHS and only the
exceptions described herein may be applied. Any request for additional
exceptions shall be sent to the Contracting Officer and a determination will be
made according to DHS Directive 139-05, Office of Accessible Systems and
Technology, dated January 29, 2016 and DHS Instruction 139-05-001, Managing
the Accessible Systems and Technology Program, dated January 11, 2017.

ISO (Information Security) COMPLIANCE
•

Information Security Clause:

Page 11 of 32

 "All services provided under this task order must be compliant with DHS Information
Security Policy, identified in MD4300.1, Information Technology Systems Security
Program and 4300A Sensitive Systems Handbook."
"All hardware, software, and services provided under this task order must be compliant
with DHS 4300A DHS Sensitive System Policy and the DHS 4300A Sensitive Systems
Handbook."
•

Interconnection Security Agreements

Interconnections between DHS and non-DHS IT systems shall be established only
through controlled interfaces and via approved service providers. The controlled
interfaces shall be accredited at the highest security level of information on the network.
Connections with other Federal agencies shall be documented based on interagency
agreements; memoranda of understanding, service level agreements or interconnect
service agreements.
HSAR Clauses
3052.204-70 Security Requirements for Unclassified Information Technology
Resources (JUN 2006)
(a) The Contractor shall be responsible for Information Technology (IT) security for all
systems connected to a DHS network or operated by the Contractor for DHS, regardless
of location. This clause applies to all or any part of the contract that includes information
technology resources or services for which the Contractor must have physical or
electronic access to sensitive information contained in DHS unclassified systems that
directly support the agency's mission.
(b) The Contractor shall provide, implement, and maintain an IT Security Plan. This plan
shall describe the processes and procedures that will be followed to ensure appropriate
security of IT resources that are developed, processed, or used under this contract.
(1) Within 15 days after contract award, the contractor shall submit for approval its IT
Security Plan, which shall be consistent with and further detail the approach contained in
the offeror's proposal. The plan, as approved by the Contracting Officer, shall be
incorporated into the contract as a compliance document.
(2) The Contractor's IT Security Plan shall comply with Federal laws that include, but are
not limited to, the Computer Security Act of 1987 (40 U.S.C. 1441 et seq.); the
Government Information Security Reform Act of 2000; and the Federal Information
Security Management Act of 2002; and with Federal policies and procedures that include,
but are not limited to, OMB Circular A-130.
(3) The security plan shall specifically include instructions regarding handling and
protecting sensitive information at the Contractor's site (including any information
stored, processed, or transmitted using the Contractor's computer systems), and the
secure management, operation, maintenance, programming, and system administration of
computer systems, networks, and telecommunications systems.

Page 12 of 32

 (c) Examples of tasks that require security provisions include-(1) Acquisition, transmission or analysis of data owned by DHS with significant
replacement cost should the contractor's copy be corrupted; and
(2) Access to DHS networks or computers at a level beyond that granted the general
public (e.g., such as bypassing a firewall).
(d) At the expiration of the contract, the contractor shall return all sensitive DHS
information and IT resources provided to the contractor during the contract, and certify
that all non-public DHS information has been purged from any contractor-owned system.
Components shall conduct reviews to ensure that the security requirements in the contract
are implemented and enforced.
(e) Within 6 months after contract award, the contractor shall submit written proof of IT
Security accreditation to DHS for approval by the DHS Contracting Officer.
Accreditation will proceed according to the criteria of the DHS Sensitive System Policy
Publication, 4300A (Version 8.0, March 14, 2011) or any replacement publication, which
the Contracting Officer will provide upon request. This accreditation will include a final
security plan, risk assessment, security test and evaluation, and disaster recovery
plan/continuity of operations plan. This accreditation, when accepted by the Contracting
Officer, shall be incorporated into the contract as a compliance document. The contractor
shall comply with the approved accreditation documentation.
Security Review
The Government may elect to conduct periodic reviews to ensure that the security
requirements contained in this contract are being implemented and enforced. The
Contractor shall afford DHS, including the organization of the DHS Office of the Chief
Information Officer, the Office of the Inspector General, authorized Contracting Officer's
Technical Representative (COTR), and other government oversight organizations, access
to the Contractor's facilities, installations, operations, documentation, databases and
personnel used in the performance of this contract. The Contractor will contact the DHS
Chief Information Security Officer to coordinate and participate in the review and
inspection activity of government oversight organizations external to the DHS. Access
shall be provided to the extent necessary for the government to carry out a program of
inspection, investigation, and audit to safeguard against threats and hazards to the
integrity, availability and confidentiality of DHS data or the function of computer
systems operated on behalf of DHS, and to preserve evidence of computer crime.
SAFEGUARDING OF SENSITIVE INFORMATION (MAR 2015)
(a) Applicability. This clause applies to the Contractor, its subcontractors, and
Contractor employees (hereafter referred to collectively as "Contractor"). The Contractor
shall insert the substance of this clause in all subcontracts.
(b) Definitions. As used in this clause—
"Personally Identifiable Information (P11)" means information that can be used to
distinguish or trace an individual's identity, such as name, social security number, or
biometric records, either alone, or when combined with other personal or identifying
information that is linked or linkable to a specific individual, such as date and place of

Page 13 o132

 birth, or mother's maiden name. The definition of Pll is not anchored to any single
category of information or technology. Rather, it requires a case-by-case assessment of
the specific risk that an individual can be identified. In performing this assessment, it is
important for an agency to recognize that non-personally identifiable information can
become personally identifiable information whenever additional information is made
publicly available—in any medium and from any source—that, combined with other
available information, could be used to identify an individual.
Pll is a subset of sensitive information. Examples of Pll include, but are not limited to:
name, date of birth, mailing address, telephone number, Social Security number (SSN),
email address, zip code, account numbers, certificate/license numbers, vehicle
identifiers including license plates, uniform resource locators (URLs), static Internet
protocol addresses, biometric identifiers such as fingerprint, voiceprint, iris scan,
photographic facial images, or any other unique identifying number or characteristic, and
any information where it is reasonably foreseeable that the information will be linked with
other information to identify the individual.
"Sensitive Information" is defined in HSAR clause 3052.204-71, Contractor Employee
Access, as any information, which if lost, misused, disclosed, or, without authorization is
accessed, or modified, could adversely affect the national or homeland security interest,
the conduct of Federal programs, or the privacy to which individuals are entitled under
section 552a of Title 5, United States Code (the Privacy Act), but which has not been
specifically authorized under criteria established by an Executive Order or an Act of
Congress to be kept secret in the interest of national defense, homeland security or
foreign policy. This definition includes the following categories of information:
(1) Protected Critical Infrastructure Information (PCII) as set out in the Critical
Infrastructure Information Act of 2002 (Title II, Subtitle B, of the Homeland Security Act,
Public Law 107-296, 196 Stat. 2135), as amended, the implementing regulations thereto
(Title 6, Code of Federal Regulations, Part 29) as amended, the applicable PCII
Procedures Manual, as amended, and any supplementary guidance officially
communicated by an authorized official of the Department of Homeland Security
(including the PCII Program Manager or his/her designee);
(2) Sensitive Security Information (SSI), as defined in Title 49, Code of Federal
Regulations, Part 1520, as amended, "Policies and Procedures of Safeguarding and
Control of SSI," as amended, and any supplementary guidance officially communicated
by an authorized official of the Department of Homeland Security (including the Assistant
Secretary for the Transportation Security Administration or his/her designee);
(3) Information designated as "For Official Use Only," which is unclassified information of
a sensitive nature and the unauthorized disclosure of which could adversely impact a
person's privacy or welfare, the conduct of Federal programs, or other programs or
operations essential to the national or homeland security interest; and
(4) Any information that is designated "sensitive" or subject to other controls, safeguards
or protections in accordance with subsequently adopted homeland security information
handling procedures.
"Sensitive Information Incident" is an incident that includes the known, potential, or
suspected exposure, loss of control, compromise, unauthorized disclosure, unauthorized

Page 14 of 32

 acquisition, or unauthorized access or attempted access of any Government system,
Contractor system, or sensitive information.
"Sensitive Personally Identifiable Information (SPII)" is a subset of PII, which if lost,
compromised or disclosed without authorization, could result in substantial harm,
embarrassment, inconvenience, or unfairness to an individual. Some forms of Pll are
sensitive as stand-alone elements. Examples of such Pll include: Social Security
numbers (SSN), driver's license or state identification number, Alien Registration
Numbers (A-number), financial account number, and biometric identifiers such as
fingerprint, voiceprint, or iris scan. Additional examples include any groupings of
information that contain an individual's name or other unique identifier plus one or more
of the following elements:
(1)
Truncated SSN (such as last 4 digits)
(2)
Date of birth (month, day, and year)
(3)
Citizenship or immigration status
(4)
Ethnic or religious affiliation
(5)
Sexual orientation
(6)
Criminal History
(7)
Medical Information
(8)
System authentication information such as mother's maiden name, account
passwords or personal identification numbers (PIN)
Other Pll may be "sensitive" depending on its context, such as a list of employees and
their performance ratings or an unlisted home address or phone number. In contrast, a
business card or public telephone directory of agency employees contains Pll but is not
sensitive.
(c) Authorities. The Contractor shall follow all current versions of Government policies
and guidance accessible at http://www.dhs.gov/dhs-security-and-training-requirementscontractors, or available upon request from the Contracting Officer, including but not
limited to:
(1) DHS Management Directive 11042.1 Safeguarding Sensitive But Unclassified (for
Official Use Only) Information
(2) DHS Sensitive Systems Policy Directive 4300A
(3) DHS 4300A Sensitive Systems Handbook and Attachments
(4) DHS Security Authorization Process Guide
(5) DHS Handbook for Safeguarding Sensitive Personally Identifiable Information
(6) DHS Instruction Handbook 121-01-007 Department of Homeland Security Personnel
Suitability and Security Program
(7) DHS Information Security Performance Plan (current fiscal year)
(8) DHS Privacy Incident Handling Guidance
(9) Federal Information Processing Standard (FIPS) 140-2 Security Requirements for
Cryptographic Modules accessible at
http://csrc.nist.gov/groups/STM/cmvp/standards.html
(10) National Institute of Standards and Technology (NIST) Special Publication 800-53
Security and Privacy Controls for Federal Information Systems and Organizations
accessible at http://csrc.nist.gov/publications/PubsSPs.html
(11) NIST Special Publication 800-88 Guidelines for Media Sanitization accessible at
http://csrc.nist.gov/publications/PubsSPs.html

Page 15 of 32

 (d) Handling of Sensitive Information. Contractor compliance with this clause, as well as
the policies and procedures described below, is required.
(1) Department of Homeland Security (DHS) policies and procedures on Contractor
personnel security requirements are set forth in various Management Directives (MDs),
Directives, and Instructions. MD 11042.1, Safeguarding Sensitive But Unclassified (For
Official Use Only) Information describes how Contractors must handle sensitive but
unclassified information. DHS uses the term "FOR OFFICIAL USE ONLY" to identify
sensitive but unclassified information that is not otherwise categorized by statute or
regulation. Examples of sensitive information that are categorized by statute or
regulation are PCII, SSI, etc. The DHS Sensitive Systems Policy Directive 4300A and
the OHS 4300A Sensitive Systems Handbook provide the policies and procedures on
security for Information Technology (IT) resources. The DHS Handbook for
Safeguarding Sensitive Personally Identifiable Information provides guidelines to help
safeguard SPII in both paper and electronic form. DHS Instruction Handbook 121-01007 Department of Homeland Security Personnel Suitability and Security Program
establishes procedures, program responsibilities, minimum standards, and reporting
protocols for the DHS Personnel Suitability and Security Program.
(2) The Contractor shall not use or redistribute any sensitive information processed,
stored, and/or transmitted by the Contractor except as specified in the contract.
(3) All Contractor employees with access to sensitive information shall execute DHS
Form 11000-6, Department of Homeland Security Non-Disclosure Agreement (NDA), as
a condition of access to such information. The Contractor shall maintain signed copies
of the NDA for all employees as a record of compliance. The Contractor shall provide
copies of the signed NDA to the Contracting Officer's Representative (COR) no later
than two (2) days after execution of the form.
(4) The Contractor's invoicing, billing, and other recordkeeping systems maintained to
support financial or other administrative functions shall not maintain SPII. It is
acceptable to maintain in these systems the names, titles and contact information for the
COR or other Government personnel associated with the administration of the contract,
as needed.
(e) Authority to Operate. The Contractor shall not input, store, process, output, and/or
transmit sensitive information within a Contractor IT system without an Authority to
Operate (ATO) signed by the Headquarters or Component CIO, or designee, in
consultation with the Headquarters or Component Privacy Officer. Unless otherwise
specified in the ATO letter, the ATO is valid for three (3) years. The Contractor shall
adhere to current Government policies, procedures, and guidance for the Security
Authorization (SA) process as defined below.
(1) Complete the Security Authorization process. The SA process shall proceed
according to the DHS Sensitive Systems Policy Directive 4300A (Version 11.0, April 30,
2014), or any successor publication, OHS 4300A Sensitive Systems Handbook (Version
9.1, July 24, 2012), or any successor publication, and the Security Authorization Process
Guide including templates.

Page 16 of 32

 (i) Security Authorization Process Documentation. SA documentation shall
be developed using the Government provided Requirements
Traceability Matrix and Government security documentation
templates. SA documentation consists of the following: Security
Plan, Contingency Plan, Contingency Plan Test Results,
Configuration Management Plan, Security Assessment Plan, Security
Assessment Report, and Authorization to Operate Letter. Additional
documents that may be required include a Plan(s) of Action and
Milestones and Interconnection Security Agreement(s). During the
development of SA documentation, the Contractor shall submit a
signed SA package, validated by an independent third party, to the
COR for acceptance by the Headquarters or Component CIO, or
designee, at least thirty (30) days prior to the date of operation of the
IT system. The Government is the final authority on the compliance of
the SA package and may limit the number of resubmissions of a
modified SA package. Once the ATO has been accepted by the
Headquarters or Component CIO, or designee, the Contracting Officer
shall incorporate the ATO into the contract as a compliance
document. The Government's acceptance of the ATO does not
alleviate the Contractor's responsibility to ensure the IT system
controls are implemented and operating effectively.
(ii) Independent Assessment. Contractors shall have an independent third
party validate the security and privacy controls in place for the
system(s). The independent third party shall review and analyze the
SA package, and report on technical, operational, and management
level deficiencies as outlined in NIST Special Publication 800-53
Security and Privacy Controls for Federal Information Systems and
Organizations. The Contractor shall address all deficiencies before
submitting the SA package to the Government for acceptance.
(iii) Support the completion of the Privacy Threshold Analysis (PTA) as
needed. As part of the SA process, the Contractor may be required to
support the Government in the completion of the PTA. The
requirement to complete a PTA is triggered by the creation, use,
modification, upgrade, or disposition of a Contractor IT system that
will store, maintain and use P11, and must be renewed at least every
three (3) years. Upon review of the PTA, the DHS Privacy Office
determines whether a Privacy Impact Assessment (PIA) and/or
Privacy Act System of Records Notice (SORN), or modifications
thereto, are required. The Contractor shall provide all support
necessary to assist the Department in completing the PIA in a timely
manner and shall ensure that project management plans and
schedules include time for the completion of the PTA, PIA, and SORN
(to the extent required) as milestones. Support in this context
includes responding timely to requests for information from the
Government about the use, access, storage, and maintenance of Pll
on the Contractor's system, and providing timely review of relevant
compliance documents for factual accuracy. Information on the DHS
privacy compliance process, including PTAs, PIAs, and SORNs, is
accessible at http://www.dhs.gov/privacy-compliance.

Page 17 of 32

 (2) Renewal of A TO. Unless otherwise specified in the ATO letter, the ATO shall be
renewed every three (3) years. The Contractor is required to update its SA package as
part of the ATO renewal process. The Contractor shall update its SA package by one of
the following methods: (1) Updating the SA documentation in the DHS automated
information assurance tool for acceptance by the Headquarters or Component CIO, or
designee, at least 90 days before the ATO expiration date for review and verification of
security controls; or (2) Submitting an updated SA package directly to the COR for
approval by the Headquarters or Component CIO, or designee, at least 90 days before
the ATO expiration date for review and verification of security controls. The 90 day
review process is independent of the system production date and therefore it is
important that the Contractor build the review into project schedules. The reviews may
include onsite visits that involve physical or logical inspection of the Contractor
environment to ensure controls are in place.
(3) Security Review. The Government may elect to conduct random periodic reviews to
ensure that the security requirements contained in this contract are being implemented
and enforced. The Contractor shall afford DHS, the Office of the Inspector General, and
other Government organizations access to the Contractor's facilities, installations,
operations, documentation, databases and personnel used in the performance of this
contract. The Contractor shall, through the Contracting Officer and COR, contact the
Headquarters or Component CIO, or designee, to coordinate and participate in review
and inspection activity by Government organizations external to the DHS. Access shall
be provided, to the extent necessary as determined by the Government, for the
Government to carry out a program of inspection, investigation, and audit to safeguard
against threats and hazards to the integrity, availability and confidentiality of Government
data or the function of computer systems used in performance of this contract and to
preserve evidence of computer crime.
(4) Continuous Monitoring. All Contractor-operated systems that input, store, process,
output, and/or transmit sensitive information shall meet or exceed the continuous
monitoring requirements identified in the Fiscal Year 2014 DHS Information Security
Performance Plan, or successor publication. The plan is updated on an annual basis.
The Contractor shall also store monthly continuous monitoring data at its location for a
period not less than one year from the date the data is created. The data shall be
encrypted in accordance with FIPS 140-2 Security Requirements for Cryptographic
Modules and shall not be stored on systems that are shared with other commercial or
Government entities. The Government may elect to perform continuous monitoring and
IT security scanning of Contractor systems from Government tools and infrastructure.
(5) Revocation of A TO. In the event of a sensitive information incident, the Government
may suspend or revoke an existing ATO (either in part or in whole). If an ATO is
suspended or revoked in accordance with this provision, the Contracting Officer may
direct the Contractor to take additional security measures to secure sensitive
information. These measures may include restricting access to sensitive information on
the Contractor IT system under this contract. Restricting access may include
disconnecting the system processing, storing, or transmitting the sensitive information
from the Internet or other networks or applying additional security controls.
(6) Federal Reporting Requirements. Contractors operating information systems on
behalf of the Government or operating systems containing sensitive information shall

Page 18 of 32

 comply with Federal reporting requirements. Annual and quarterly data collection will be
coordinated by the Government. Contractors shall provide the COR with requested
information within three (3) business days of receipt of the request. Reporting
requirements are determined by the Government and are defined in the Fiscal Year
2014 DHS Information Security Performance Plan, or successor publication. The
Contractor shall provide the Government with all information to fully satisfy Federal
reporting requirements for Contractor systems.
(f) Sensitive Information Incident Reporting Requirements.
(1) All known or suspected sensitive information incidents shall be reported to the
Headquarters or Component Security Operations Center (SOC) within one hour of
discovery in accordance with 4300A Sensitive Systems Handbook Incident Response
and Reporting requirements. When notifying the Headquarters or Component SOC, the
Contractor shall also notify the Contracting Officer, COR, Headquarters or Component
Privacy Officer, and US-CERT using the contact information identified in the contract. If
the incident is reported by phone or the Contracting Officer's email address is not
immediately available, the Contractor shall contact the Contracting Officer immediately
after reporting the incident to the Headquarters or Component SOC. The Contractor
shall not include any sensitive information in the subject or body of any e-mail. To
transmit sensitive information, the Contractor shall use FIPS 140-2 Security
Requirements for Cryptographic Modules compliant encryption methods to protect
sensitive information in attachments to email. Passwords shall not be communicated in
the same email as the attachment. A sensitive information incident shall not, by itself, be
interpreted as evidence that the Contractor has failed to provide adequate information
security safeguards for sensitive information, or has otherwise failed to meet the
requirements of the contract.
(2) If a sensitive information incident involves Pll or SPII, in addition to the reporting
requirements in 4300A Sensitive Systems Handbook Incident Response and Reporting,
Contractors shall also provide as many of the following data elements that are available
at the time the incident is reported, with any remaining data elements provided within 24
hours of submission of the initial incident report:
(i) Data Universal Numbering System (DUNS);
(ii) Contract numbers affected unless all contracts by the company are
affected;
(iii) Facility CAGE code if the location of the event is different than the prime
contractor location;
(iv)Point of contact (POC) if different than the POC recorded in the System
for Award Management (address, position, telephone, email);
(v) Contracting Officer POC (address, telephone, email);
(vi) Contract clearance level;
(vii)Name of subcontractor and CAGE code if this was an incident on a
subcontractor network;
(viii) Government programs, platforms or systems involved;
(ix)Location(s) of incident;
(x) Date and time the incident was discovered;
(xi) Server names where sensitive information resided at the time of the
incident, both at the Contractor and subcontractor level;

Page 19 of 32

 (xii)Description of the Government Pll and/or SPII contained within the
system;
(xiii) Number of people potentially affected and the estimate or actual
number of records exposed and/or contained within the system; and
(xiv) Any additional information relevant to the incident.
(g) Sensitive Information Incident Response Requirements.
(1) All determinations related to sensitive information incidents, including
response activities, notifications to affected individuals and/or Federal
agencies, and related services (e.g., credit monitoring) will be made in
writing by the Contracting Officer in consultation with the Headquarters or
Component CIO and Headquarters or Component Privacy Officer.
(2) The Contractor shall provide full access and cooperation for all activities
determined by the Government to be required to ensure an effective incident
response, including providing all requested images, log files, and event
information to facilitate rapid resolution of sensitive information incidents.
(3) Incident response activities determined to be required by the Government
may include, but are not limited to, the following:
(1) Inspections,
(ii) Investigations,
(iii) Forensic reviews, and
(iv) Data analyses and processing.
(4) The Government, at its sole discretion, may obtain the assistance from other
Federal agencies and/or third-party firms to aid in incident response
activities.
(h) Additional Pll and/or SPII Notification Requirements.
(1) The Contractor shall have in place procedures and the capability to notify any
individual whose Pll resided in the Contractor IT system at the time of the sensitive
information incident not later than 5 business days after being directed to notify
individuals, unless otherwise approved by the Contracting Officer. The method and
content of any notification by the Contractor shall be coordinated with, and subject to
prior written approval by the Contracting Officer, in consultation with the Headquarters or
Component Privacy Officer, utilizing the DHS Privacy Incident Handling Guidance. The
Contractor shall not proceed with notification unless the Contracting Officer, in
consultation with the Headquarters or Component Privacy Officer, has determined in
writing that notification is appropriate.
(2) Subject to Government analysis of the incident and the terms of its instructions to
the Contractor regarding any resulting notification, the notification method may
consist of letters to affected individuals sent by first class mail, electronic means,
or general public notice, as approved by the Government. Notification may
require the Contractor's use of address verification and/or address location
services. At a minimum, the notification shall include:

Page 20 of 32

 (i) A brief description of the incident;
(ii) A description of the types of Pll and SPII involved;
(iii)A statement as to whether the P11 or SPII was encrypted or protected
by other means;
(iv) Steps individuals may take to protect themselves;
(v) What the Contractor and/or the Government are doing to investigate
the incident, to mitigate the incident, and to protect against any future
incidents; and
(vi) Information identifying who individuals may contact for additional
information.
(i) Credit Monitoring Requirements. In the event that a sensitive information incident
involves Pll or SPII, the Contractor may be required to, as directed by the Contracting
Officer:
(1) Provide notification to affected individuals as described
above; and/or
(2) Provide credit monitoring services to individuals whose
data was under the control of the Contractor or resided in
the Contractor IT system at the time of the sensitive
information incident for a period beginning the date of the
incident and extending not less than 18 months from the
date the individual is notified. Credit monitoring services
shall be provided from a company with which the
Contractor has no affiliation. At a minimum, credit
monitoring services shall include:
(i) Triple credit bureau monitoring;
(ii) Daily customer service;
(iii)Alerts provided to the individual for changes and fraud; and
(iv) Assistance to the individual with enrollment in the services and the use of
fraud alerts; and/or
(3) Establish a dedicated call center. Call center services
shall include:
(i) A dedicated telephone number to contact customer service within a fixed
period;
(ii) Information necessary for registrants/enrollees to access credit reports
and credit scores;
(iii)Weekly reports on call center volume, issue escalation (i.e., those calls
that cannot be handled by call center staff and must be resolved by call
center management or DHS, as appropriate), and other key metrics;
(iv) Escalation of calls that cannot be handled by call center staff to call
center management or DHS, as appropriate;
(v) Customized FAQs, approved in writing by the Contracting Officer in
coordination with the Headquarters or Component Chief Privacy Officer;
and
(vi) Information for registrants to contact customer service representatives
and fraud resolution representatives for credit monitoring assistance.

Page 21 of 32

 (j) Certification of Sanitization of Government and Government-Activity-Related Files and
Information. As part of contract closeout, the Contractor shall submit the certification to
the COR and the Contracting Officer following the template provided in NIST Special
Publication 800-88 Guidelines for Media Sanitization.

INFORMATION TECHNOLOGY SECURITY AND PRIVACY TRAINING
(MAR 2015)

(a)Applicability. This clause applies to the Contractor, its subcontractors, and Contractor
employees (hereafter referred to collectively as "Contractor"). The Contractor shall
insert the substance of this clause in all subcontracts.
(b)Security Training Requirements.
(1) All users of Federal information systems are required by Title 5, Code of Federal
Regulations, Part 930.301, Subpart C, as amended, to be exposed to security awareness
materials annually or whenever system security changes occur, or when the user's
responsibilities change. The Department of Homeland Security (DHS) requires that
Contractor employees take an annual Information Technology Security Awareness
Training course before accessing sensitive information under the contract. Unless
otherwise specified, the training shall be completed within thirty (30) days of contract
award and be completed on an annual basis thereafter not later than October 31st of each
year. Any new Contractor employees assigned to the contract shall complete the training
before accessing sensitive information under the contract. The training is accessible at
http://www.dhs.gov/dhs-security-and-training-requirements-contractors. The Contractor
shall maintain copies of training certificates for all Contractor and subcontractor
employees as a record of compliance. Unless otherwise specified, initial training
certificates for each Contractor and subcontractor employee shall be provided to the
Contracting Officer's Representative (COR) not later than thirty (30) days after contract
award. Subsequent training certificates to satisfy the annual training requirement shall be
submitted to the COR via e-mail notification not later than October 31st of each year.
The e-mail notification shall state the required training has been completed for all
Contractor and subcontractor employees.
(2) The DHS Rules of Behavior apply to every DHS employee, Contractor and
subcontractor that will have access to DHS systems and sensitive information. The DHS
Rules of Behavior shall be signed before accessing DHS systems and sensitive
information. The DHS Rules of Behavior is a document that informs users of their
responsibilities when accessing DHS systems and holds users accountable for actions
taken while accessing DHS systems and using DHS Information Technology resources
capable of inputting, storing, processing, outputting, and/or transmitting sensitive
information. The DHS Rules of Behavior is accessible at http://www.dhs.gov/dhssecurity-and-training-requirements-contractors. Unless otherwise specified, the DHS
Rules of Behavior shall be signed within thirty (30) days of contract award. Any new
Contractor employees assigned to the contract shall also sign the DHS Rules of Behavior
before accessing DHS systems and sensitive information. The Contractor shall maintain

Page 22 of 32

 signed copies of the DHS Rules of Behavior for all Contractor and subcontractor
employees as a record of compliance. Unless otherwise specified, the Contractor shall email copies of the signed DHS Rules of Behavior to the COR not later than thirty (30)
days after contract award for each employee. The DHS Rules of Behavior will be
reviewed annually and the COR will provide notification when a review is required.
(c) Privacy Training Requirements. All Contractor and subcontractor employees that will
have access to Personally Identifiable Information (PII) and/or Sensitive PII (SPII) are
required to take Privacy at DHS: Protecting Personal Information before accessing PII
and/or SPII. The training is accessible at http://www.dhs.gov/dhs-security-and-trainingrequirements-contractors. Training shall be completed within thirty (30) days of contract
award and be completed on an annual basis thereafter not later than October 31st of each
year. Any new Contractor employees assigned to the contract shall also complete the
training before accessing PII and/or SPII. The Contractor shall maintain copies of
training certificates for all Contractor and subcontractor employees as a record of
compliance. Initial training certificates for each Contractor and subcontractor employee
shall be provided to the COR not later than thirty (30) days after contract award.
Subsequent training certificates to satisfy the annual training requirement shall be
submitted to the COR via e-mail notification not later than October 31st of each year.
The e-mail notification shall state the required training has been completed for all
Contractor and subcontractor employees.

Interconnection Security Agreement (ISA)
INTERCONNECTION SECURITY AGREEMENTS TERMS AND CONDITIONS
Interconnections between DHS and non-DHS IT systems shall be established only
through controlled interfaces and via approved service providers. The controlled
interfaces shall be accredited at the highest security level of information on the network.
Connections with other Federal agencies shall be documented based on interagency
agreements; memoranda of understanding, service level agreements or interconnect
service agreements.
Required Protections for DHS Systems Hosted in Non-DHS Data Centers
SECURITY AUTHORIZATION
A Security Authorization of any infrastructure directly in support of the DHS information
system shall be performed as a general support system (GSS) prior to DHS occupancy to
characterize the network, identify threats, identify vulnerabilities, analyze existing and
planned security controls, determine likelihood of threat, analyze impact, determine risk,
recommend controls, perform remediation on identified deficiencies, and document the
results. The Security Authorization shall be performed in accordance with the DHS
Security Policy and the controls provided by the hosting provider shall be equal to or
stronger than the FIPS 199 security categorization of the DHS information system.

Page 23 of 32

 At the beginning of the contract, and annually thereafter, the contractor shall provide the
results of an independent assessment and verification of security controls. The
independent assessment and verification shall apply the same standards that DHS applies
in the Security Authorization Process of its information systems. Any deficiencies noted
during this assessment shall be provided to the COTR for entry into the DHS' Plan of
Action and Milestone (POA&M) Management Process. The contractor shall use the
DHS' POA&M process to document planned remedial actions to address any deficiencies
in information security policies, procedures, and practices, and the completion of those
activities. Security deficiencies shall be corrected within the timeframes dictated by the
DHS POA&M Management Process. Contractor procedures shall be subject to periodic,
unannounced assessments by DHS officials. The physical aspects associated with
contractor activities shall also be subject to such assessments.
On a periodic basis, the DHS and its Components, including the DHS Office of Inspector
General, may choose to evaluate any or all of the security controls implemented by the
contractor under these clauses. Evaluation could include, but it is not limited to
vulnerability scanning. The DHS and its Components reserve the right to conduct audits
at their discretion. With ten working days notice, at the request of the Government, the
contractor shall fully cooperate and facilitate in a Government-sponsored security control
assessment at each location wherein DHS information is processed or stored, or
information systems are developed, operated, maintained, or used on behalf of DHS,
including those initiated by the Office of the Inspector General. The government may
conduct a security control assessment on shorter notice (to include unannounced
assessments) determined by DHS in the event of a security incident.
ENTERPRISE SECURITY ARCHITECTURE TERMS AND CONDITIONS
The contractor shall utilize and adhere to the DHS Enterprise Security Architecture to the
best of
its ability and to the satisfaction of the DHS COTR. Areas of consideration could include:
1. Use of multi-tier design (separating web, application and data base) with policy
enforcement between tiers
2. Compliance to DHS Identity Credential Access Management (ICAM)
3. Security reporting to DHS central control points (i.e. the DHS Security Operations
Center (SOC) and integration into DHS Security Incident Response
4. Integration into DHS Change Management (for example, the Infrastructure Change
Control Board (ICCB) process)
5. Performance of activities per continuous monitoring requirements

3052.204-71 CONTRACTOR EMPLOYEE ACCESS (SEP 2012)
Sensitive Information, as used in this clause, means any information, which if lost,
misused, disclosed, or, without authorization is accessed, or modified, could adversely

Page 24 of 32

 affect the national or homeland security interest, the conduct of Federal programs, or the
privacy to which individuals are entitled under section 552a of title 5, United States Code
(the Privacy Act), but which has not been specifically authorized under criteria
established by an Executive Order or an Act of Congress to be kept secret in the interest
of national defense, homeland security or foreign policy. This definition includes the
following categories of information:
(1) Protected Critical Infrastructure Information (PCII) as set out in the Critical
Infrastructure Information Act of 2002 (Title II, Subtitle B, of the Homeland Security
Act, Public Law 107-296, 196 Stat. 2135), as amended, the implementing regulations
thereto (Title 6, Code of Federal Regulations, Part 29) as amended, the applicable PCII
Procedures Manual, as amended, and any supplementary guidance officially
communicated by an authorized official of the Department of Homeland Security
(including the PCII Program Manager or his/her designee);
(2) Sensitive Security Information (SSI), as defined in Title 49, Code of Federal
Regulations, Part 1520, as amended, "Policies and Procedures of Safeguarding and
Control of SSI," as amended, and any supplementary guidance officially communicated
by an authorized official of the Department of Homeland Security (including the
Assistant Secretary for the Transportation Security Administration or his/her designee);
(3) Information designated as "For Official Use Only," which is unclassified information
of a sensitive nature and the unauthorized disclosure of which could adversely impact a
person's privacy or welfare, the conduct of Federal programs, or other programs or
operations essential to the national or homeland security interest; and
(4) Any information that is designated "sensitive" or subject to other controls, safeguards
or protections in accordance with subsequently adopted homeland security information
handling procedures.
(b) "Information Technology Resources" include, but are not limited to, computer
equipment, networking equipment, telecommunications equipment, cabling, network
drives, computer drives, network software, computer software, software programs,
intranet sites, and internet sites.
(c) Contractor employees working on this contract must complete such forms as may be
necessary for security or other reasons, including the conduct of background
investigations to determine suitability. Completed forms shall be submitted as directed by
the Contracting Officer. Upon the Contracting Officer's request, the Contractor's
employees shall be fingerprinted, or subject to other investigations as required. All
Contractor employees requiring recurring access to Government facilities or access to
sensitive information or IT resources are required to have a favorably adjudicated
background investigation prior to commencing work on this contract unless this
requirement is waived under Departmental procedures.
(d) The Contracting Officer may require the Contractor to prohibit individuals from
working on the contract if the Government deems their initial or continued employment
contrary to the public interest for any reason, including, but not limited to, carelessness,
and insubordination, incompetence, or security concerns.
(e) Work under this contract may involve access to sensitive information. Therefore, the
Contractor shall not disclose, orally or in writing, any sensitive information to any person
unless authorized in writing by the Contracting Officer. For those Contractor employees

Page 25 of 32

 authorized access to sensitive information, the Contractor shall ensure that these persons
receive training concerning the protection and disclosure of sensitive information both
during and after contract performance.
(f) The Contractor shall include the substance of this clause in all subcontracts at any tier
where the subcontractor may have access to Government facilities, sensitive information,
or resources.
(g) Before receiving access to IT resources under this contract the individual must receive
a security briefing, which the Contracting Officer's Technical Representative (COTR)
will arrange, and complete any nondisclosure agreement furnished by DHS.
(h) The Contractor shall have access only to those areas of DHS information technology
resources explicitly stated in this contract or approved by the COTR in writing as
necessary for performance of the work under this contract. Any attempts by Contractor
personnel to gain access to any information technology resources not expressly
authorized by the statement of work, other terms and conditions in this contract, or as
approved in writing by the COTR, is strictly prohibited. In the event of violation of this
provision, DHS will take appropriate actions with regard to the contract and the
individual(s) involved.
(i) Contractor access to DHS networks from a remote location is a temporary privilege
for mutual convenience while the Contractor performs business for the DHS Component.
It is not a right, a guarantee of access, a condition of the contract, or Government
Furnished Equipment (GFE).
(j) Contractor access will be terminated for unauthorized use. The Contractor agrees to
hold and save DHS harmless from any unauthorized use and agrees not to request
additional time or money under the contract for any delays resulting from unauthorized
use or access.
(k) Non-U.S. citizens shall not be authorized to access or assist in the development,
operation, management or maintenance of Department IT systems under the contract,
unless a waiver has been granted by the Head of the Component or designee, with the
concurrence of both the Department's Chief Security Officer (CSO) and the Chief
Information Officer (CIO) or their designees. Within DHS Headquarters, the waiver may
be granted only with the approval of both the CSO and the CIO or their designees. In
order for a waiver to be granted:
(1) There must be a compelling reason for using this individual as opposed to a U. S.
citizen; and
(2) The waiver must be in the best interest of the Government.
(1) Contractors shall identify in their proposals the names and citizenship of all non-U.S.
citizens proposed to work under the contract. Any additions or deletions of non-U.S.
citizens after contract award shall also be reported to the contracting officer.
•

System Security documentation appropriate for the SEI,C status

Security Certification/Accreditation
CBP Program Offices shall provide personnel (System Owner and Information System
Security Officers) with the appropriate clearance levels to support the security
certification/accreditation processes under this Agreement in accordance with the current

Page 26 of 32

 version of the DHS MD 4300A, DHS Sensitive Systems Policy and Handbook, CBP
Information Systems Security Policies and Procedures Handbook HB-1400-05, and all
applicable National Institute of Standards and Technology (NIST) Special Publications
(800 Series). During all SELC phases of CBP systems, CBP personnel shall develop
documentation and provide any required information for all levels of classification in
support of the certification/accreditation process. In addition, all security
certification/accreditation will be performed using the DHS certification/accreditation
process, methodology and tools. An ISSO performs security actions for an information
system. There is only one ISSO designated to a system, but multiple Alternate ISSOs
may be designated to assist the ISSO. While the ISSO performs security functions, the
System Owner is always responsible for information system security (4300A). System
owners shall include information security requirements in their capital planning and
investment control (CPIC) business cases for the current budget year and for the Future
Years Homeland Security Program (FYHSP) for each DHS information system. System
owners or AOs shall ensure that information security requirements and POA&Ms are
adequately funded, resourced and documented in accordance with current OMB
budgetary guidance.
Disaster Recovery Planning & Testing — Hardware
If the system owner requires a robust DR solution (full redundancy and failover
capabilities (for near zero downtime) then the funded DR solution must match the
production environment like-for-like. This solution would also include additional
software licenses, hardware, firmware and storage for the DR environment.
The system owner or program office must also include travel, per diem and
approximately 16 over the core hours for travel to recovery facilities twice per fiscal year
for system administrators, DBA's, end users or testers
If the system owner requires a moderate DR solution that would provide a working
environment that is capable of handling their mission essential functions then they can
fund a scaled down solution which should still take into consideration additional
hardware, software licenses, and storage for the DR environment.
The system owner or program office is still responsible for the costs associated with
testing their DR solution; however, for a scaled down solution, it may be possible to
leverage or share staff already designated to participate in DR activities.
If the system owner only requires a low DR solution then the system owner or program
office can use internal resources to perform a table-top exercise, which generally does not
require travel, additional hardware or software licenses.
•

Monitoring/reviewing contractor security requirements clause

Security Review and Reporting
(a) The Contractor shall include security as an integral element in the management of
this contract. The Contractor shall conduct reviews and report the status of the
implementation and enforcement of the security requirements contained in this contract
and identified references.

Page 27 of 32

 (b) The Government may elect to conduct periodic reviews to ensure that the security
requirements contained in this contract are being implemented and enforced. The
Contractor shall afford DHS including the organization of the DHS Office of the Chief
Information Officer, Office of Inspector General, the CBP Chief Information Security
Officer, authorized Contracting Officer's Technical Representative (COTR), and other
government oversight organizations, access to the Contractor's and subcontractors'
facilities, installations, operations, documentation, databases, and personnel used in the
performance of this contract. The Contractor will contact the DHS Chief Information
Security Officer to coordinate and participate in the review and inspection activity of
government oversight organizations external to the DHS. Access shall be provided to the
extent necessary for the government to carry out a program of inspection, investigation,
and audit to safeguard against threats and hazards to the integrity, availability, and
confidentiality of DHS/CBP data or the function of computer systems operated on behalf
of DHS/CBP, and to preserve evidence of computer crime.
•

Access to Unclassified Facilities, Information Technology Resources, and
Sensitive Information

The assurance of the security of unclassified facilities, Information Technology (IT)
resources, and sensitive information during the acquisition process and contract
performance are essential to the DHS mission. DHS Management Directive (MD)
11042.1 Safeguarding Sensitive But Unclassified (For Official Use Only) Information,
describes how contractors must handle sensitive but unclassified information. DHS MD
4300.1 Information Technology Systems Security and the DHS Sensitive Systems
Handbook prescribe policies and procedures on security for IT resources. Contractors
shall comply with these policies and procedures, any replacement publications, or any
other current or future DHS policies and procedures covering contractors specifically for
all Task Orders that require access to DHS facilities, IT resources or sensitive
information. Contractors shall not use or redistribute any DHS information processed,
stored, or transmitted by the contractor except as specified in the task order.
OMB-M-07-18 FDCC
In acquiring information technology, agencies shall include the appropriate information
technology security policies and requirements, including use of common security
configurations available from the National Institute of Standards and Technology's
website at http://checklists.nist.gov. Agency contracting officers should consult with the
requiring official to ensure the appropriate standards are incorporated.
Engineering Platforms
•

Common Enterprise Services (CES) — Deliver the systems, infrastructure, and
operational capabilities to fully implement the three service levels defined as part
of the DHS/CBP Common Enterprise Services and support DHS Component use
of those services. This includes the build out and integration of all required
services and infrastructure, which must include the Single Sign-on Portal and

Page 28 of 32

 CBP Enterprise Services Bus (ESB), required for the CES. Capabilities shall be
designed to the DHS standard operating architecture (SOA), transportable
between DHS data centers (CBP National Data Center, Stennis, and DHS 2nd data
center).
•

Single Sign-on Portal — Design, build, and operate a single sign-on Portal consistent with DHS' enterprise portal solution (for which ICE is the steward) - to
provide a common point of access, with a single sign-on capability to existing
applications and to provide the infrastructure for integrating diverse internal
and/or external information and transactional resources. This includes the
migration of the current ACE Portal to the Single Sign-on Portal as rapidly as
feasible.

ITP (Infrastructure Transformation Program) COMPLIANCE
All back-end system hardware and software shall be hosted in the DHS Enterprise Data
Center unless Component provides a migration plan or obtains an approved waiver from
DHS CIO.
All DHS Wide Area Network circuits must be part of the OneNet architecture unless a
waiver is approved by DHS CIO.

•

Help Desk and Operations Support

The contractor shall provide third tier reporting for trouble calls received from the Help
Desk, the DHS Task Manager, or the users. The Contractor shall respond to the initiators
of trouble calls as by receiving telephonic notifications of problems, resolving them, or
directing them to the proper technical personnel for resolution. Problems that cannot be
resolved immediately or with the requirements of the performance standards are to be
brought to the attention of the DHS Task Manager. The Contractor shall document
notification and resolution of problems in Remedy.
•

Interfacing

As requested by the COTR, assistance in consolidating all systems with the DHS
Consolidated Data Center. Resources to be consolidated with the DHS Consolidated
Data Center, for each system will be determined by the COTR.
DHS GEOSPATIAL INFORMATION SYSTEM COMPLIANCE
All geospatial implementations shall comply with the policies and requirements set forth
for the DHS Geospatial Information Infrastructure (GII). This shall include submission
to the Enterprise Architecture Board, or their designee, for review and approval of
insertion of hardware, software, services, appliances, and/or structural metadata into the
Homeland Security Enterprise Architecture (HLS EA).

Page 29 of 32

 TRANSITION PLAN
The DHS CIO has established portfolio targets for the IT infrastructure that include
production system consolidation at a DHS data center, and transition to OneNet. The
contractor must be prepared to support CBP government leads, within the purview of this
task order, to provide any required transition planning or program execution, associated
with meeting the agreed to transition timeline, as directed by Government personnel.
This includes the following types of tasking's:
•
•
•
•
•
•

•
•

Coordination with Government representatives
Review, evaluation and transition of current support services
Transition of historic data to new contractor system
Government-approved training and certification process
Transfer of all necessary business and/or technical documentation
Orientation phase and program to introduce Government personnel, programs,
and users to the Contractor's team, tools, methodologies, and business
processes, equipment, furniture, phone lines, computer equipment, etc.
Transfer of Government Furnished Equipment (GFE) and Government
Furnished Information (GFI), and GFE inventory management assistance
Applicable debriefing and personnel out-processing procedures

Portfolio Review
Screening/Watchlist/Credentialing
Includes all activities that support the tracking and monitoring of travelers, conveyances
and cargo crossing U.S. borders, traffic pattern analysis, database (Federal, State, and
Local) linking and querying, managing status verification and tracking systems.
Different investments and systems may support distinct screening and watchlist activities
for people, cargo, and tangible goods. Credentialing encompasses all activities that
determine a person's eligibility for a particular license, privilege, or status, from
application for the credential through issuance, use, and potential revocation of the issued
credential.

Supply Chain Risk Management
Supply Chain Risks result from adversarial exploitation of the organizations,
people, activities, information, resources, or facilities that provide hardware,
software, or services. These risks can result in a loss of confidentiality, integrity, or
availability of information or information systems. A compromise to even minor
system components can lead to adverse impacts to organizational operations
(including mission, functions, image, or reputation), organizational assets,
individuals, other organizations, and the Nation.

Page 30 of 32

 The following should be included in all hardware and software requests to ensure
the confidentiality, integrity, and availability of government information:
Supply Chain Risk Management Terms and Conditions:
The Contractors supplying the Government hardware and software shall provide the
manufacture's name, address, state and/or domain of registration, and the Data
Universal Numbering System (DUNS) number for all components comprising the
hardware and software. If subcontractors or subcomponents are used, the name, address,
state and/or domain of registration and DUNs number of those suppliers must also be
provided.

Subcontractors are subject to the same general requirements and standards as prime
contractors. Contractors employing subcontractors shall perform due diligence to ensure
that these standards are met.
The Government shall be notified when a new contractor/subcontractor/service provider
is introduced to the supply chain, or when suppliers of parts or subcomponents are
changed.
Contractors shall provide, implement, and maintain a Supply Chain Risk Management
Plan that addresses internal and external practices and controls employed to minimize
the risk posed by counterfeits and vulnerabilities in systems, components, and software.
The Plan shall describe the processes and procedures that will be followed to ensure
appropriate supply chain protection of information system resources developed,
processed, or used under this contract.
The Supply Chain Risk Management Plan shall address the following elements:
I. How risks from the supply chain will be identified,
2. What processes and security measures will be adopted to manage these risks to
the system or system components, and
3.How the risks and associated security measures will be updated and monitored.
The Supply Chain Risk Management Plan shall remain current through the life of the
contract or period of peiformance. The Supply Chain Risk Management Plan shall be
provided to the Contracting Officer Technical Representative (COTR) 30 days post
award.
The Contractor acknowledges the Government's requirement to assess the Contractors
Supply Chain Risk posture. The Contractor understands and agrees that the Government
retains the right to cancel or terminate the contract, if the Government determines that
continuing the contract presents an unacceptable risk to national security.
The Contractor shall disclose, and the Government will consider, relevant industry
standards certifications, recognitions and awards, and acknowledgments.
The Contractor shall provide only new equipment unless otherwise expressly approved,
in writing, by the Contracting Officer (CO). Contractors shall only provide Original
Equipment Manufacturers (OEM) parts to the Government. In the event that a shipped
OEM part fails, all replacement parts must be OEM parts.
The Contractor shall be excused from using new OEM (i.e. "grey market," previously
used) components only with formal Government approval. Such components shall be
procured from their original genuine source and have the components shipped only from
manufacturers authorized shipment points.

Page 31 of 32

 For software products, the contractor shall provide all OEM software updates to correct
defects for the lffe of the product (i.e. until the "end of life.'). Software updates and
patches must be made available to the government for all products procured under this
contract.
Contractors shall employ formal and accountable transit, storage, and delivery
procedures (i.e., the possession of the component is documented at all times from initial
shipping point to final destination, and every transfer of the component from one
custodian to another is fully documented and accountable) for all shipments to fulfill
contract obligations with the Government.
All records pertaining to the transit, storage, and delivery will be maintained and
available for inspection for the lessor of the term of the contract, the period of
performance, or one calendar year from the date the activity occurred.
These records must be readily available for inspection by any agent designated by the US
Government as having the authority to examine them.
This transit process shall minimize the number of times en route components undergo a
change of custody and make use tamper-proof or tamper-evident packaging for all
shipments. The supplier, at the Government's request, shall be able to provide shipping
status at any time during transit.
The Contractor is fully liable for all damage, deterioration, or losses incurred during
shipment and handling, unless the damage, deterioration, or loss is due to the
Government. The Contractor shall provide a packing slip which shall accompany each
container or package with the information identOling the contract number, the order
number, a description of the hardware/software enclosed (Manufacturer name, model
number, serial number), and the customer point of contact. The contractor shall send a
shipping notification to the intended government recipient or contracting officer. This
shipping notification shall be sent electronically and will state the contract number, the
order number, a description of the hardware/software being shipped (manufacturer
name, model number, serial number), initial shipper, shipping date and identifring
(tracking) number.
Product Assurance
Information Assurance (IA) is considered a requirement for all systems used to input, process,
store, display, or transmit sensitive or national security information. IA is achieved through the
acquisition and appropriate implementation of evaluated or validated commercial-off-the-shelf
(COTS) IA and IA-enabled Information Technology (IT) products. These products provide for the
availabffity of systems. The products also ensure the integrity and confidentiality of information
and the authentication and nonrepudiation of parties in electronic transactions.
Strong preference is given to the acquisition of COTS IA and IA-enabled IT products (to be used
on systems entering, processing, storing, displaying, or transmitting sensitive information) that
have been evaluated and validated by authorized commercial laboratories or by NIST, as
appropriate, in accordance with the following:
- The National Institute of Standards and Technology (NIST) FIPS validation program
- The NSA/NIST National Information Assurance Partnership (NIAP) Evaluation and Validation
Program
- The International Common Criteria for Information Security Technology Evaluation Mutual
Recognition Agreement

Page 32 of 32