Defense Federal Acquisition Regulation Supplement
Part 252—Solicitation Provisions and Contract Clauses
(Revised November 18, 2013)
252.204-7000 Disclosure of Information.
As prescribed in 204.404-70(a), use the following clause:
DISCLOSURE OF INFORMATION (AUG 2013)
(a) The Contractor shall not release to anyone outside the Contractor's organization any unclassified information, regardless of medium (e.g., film, tape, document), pertaining to any part of this contract or any program related to this contract, unless—
(1) The Contracting Officer has given prior written approval;
(2) The information is otherwise in the public domain before the date of release; or
(3) The information results from or arises during the performance of a project that has been scoped and negotiated by the contracting activity with the contractor and research performer and determined in writing by the contracting officer to be fundamental research in accordance with National Security Decision Directive 189, National Policy on the Transfer of Scientific, Technical and Engineering Information, in effect on the date of contract award and the USD (AT&L) memoranda on Fundamental Research, dated May 24, 2010, and on Contracted Fundamental Research, dated June 26, 2008, (available at DFARS PGI 204.4).
(b) Requests for approval under paragraph (a)(1) shall identify the specific
information to be released, the medium to be used, and the purpose for the release.
The Contractor shall submit its request to the Contracting Officer at least 10 business
days before the proposed date for release.
(c) The Contractor agrees to include a similar requirement, including this paragraph (c), in each subcontract under this contract. Subcontractors shall submit
requests for authorization to release through the prime contractor to the Contracting Officer.
(End of clause)
252.204-7001 Commercial and Government Entity (CAGE) Code Reporting.
As prescribed in 204.7207, use the following provision:
Commercial and Government Entity (CAGE) Code Reporting
(AUG 1999)
(a) The offeror is requested to enter its CAGE code on its offer in the block with its name and address. The CAGE code entered must be for that name and address. Enter “CAGE” before the number.
(b) If the offeror does not have a CAGE code, it may ask the Contracting Officer to request one from the Defense Logistics Information Service (DLIS). The Contracting Officer will—
(1) Ask the Contractor to complete section B of a DD Form 2051, Request for Assignment of a Commercial and Government Entity (CAGE) Code;
(2) Complete section A and forward the form to DLIS; and
(3) Notify the Contractor of its assigned CAGE code.
(c) Do not delay submission of the offer pending receipt of a CAGE code.
(End of provision)
252.204-7002 Payment for Subline Items Not Separately Priced.
As prescribed in 204.7104-1(b)(3)(iv), use the following clause:
Payment for Subline Items Not Separately Priced (DEC 1991)
(a) If the schedule in this contract contains any contract subline items or exhibit subline items identified as not separately priced (NSP), it means that the unit price for that subline item is included in the unit price of another, related line or subline item.
(b) The Contractor shall not invoice the Government for any portion of a contract line item or exhibit line item which contains an NSP until—
(1) The Contractor has delivered the total quantity of all related contract subline items or exhibit subline items; and
(2) The Government has accepted them.
(c) This clause does not apply to technical data.
(End of clause)
252.204-7003 Control of Government Personnel Work Product.
As prescribed in 204.404-70(b), use the following clause:
CONTROL OF GOVERNMENT PERSONNEL WORK PRODUCT (APR 1992)
The Contractor’s procedures for protecting against unauthorized disclosure of information shall not require Department of Defense employees or members of the Armed Forces to relinquish control of their work products, whether classified or not, to the Contractor.
(End of clause)
252.204-7004 Alternate A, System for Award Management.
ALTERNATE A, SYSTEM FOR AWARD MANAGEMENT (MAY 2013)
As prescribed in 204.1105, substitute the following paragraph (a) for paragraph (a) of the provision at FAR 52.204-7:
(a) Definitions. As used in this clause--
“System for Award Management (SAM) database” means the primary Government repository for contractor information required for the conduct of business with the Government.
“Commercial and Government Entity (CAGE) code” means—
(1) A code assigned by the Defense Logistics Information Service (DLIS) to identify a commercial or Government entity; or
(2) A code assigned by a member of the North Atlantic Treaty Organization that DLIS records and maintains in the CAGE master file. This type of code is known as an “NCAGE code.”
“Data Universal Numbering System (DUNS) number” means the 9-digit number assigned by Dun and Bradstreet, Inc. (D&B) to identify unique business entities.
“Data Universal Numbering System +4 (DUNS+4) number” means the DUNS number assigned by D&B plus a 4-character suffix that may be assigned by a business concern. (D&B has no affiliation with this 4-character suffix.) This 4-character suffix may be assigned at the discretion of the business concern to establish additional SAM records for identifying alternative Electronic Funds Transfer (EFT) accounts (see FAR 32.11) for the same parent concern.
“Registered in the System for Award Management (SAM) database” means that—
(1) The contractor has entered all mandatory information, including the DUNS
number or the DUNS+4 number, and Contractor and Government Entity (CAGE) code into the SAM database; and
(2) The contractor has completed the Core Data, Assertions, Representations and Certifications, and Points of Contact sections of the registration in the SAM database;
(3) The Government has validated all mandatory data fields, to include validation of the Taxpayer Identification Number (TIN) with the Internal Revenue
Service (IRS). The Contractor will be required to provide consent for TIN validation to the Government as part of the SAM registration process; and
(4) The Government has marked the record “Active.”
252.204-7005 Oral Attestation of Security Responsibilities.
As prescribed in 204.404-70(c), use the following clause:
ORAL ATTESTATION OF SECURITY RESPONSIBILITIES (NOV 2001)
(a) Contractor employees cleared for access to Top Secret (TS), Special Access Program (SAP), or Sensitive Compartmented Information (SCI) shall attest orally that they will conform to the conditions and responsibilities imposed by law or regulation on those granted access. Reading aloud the first paragraph of Standard Form 312, Classified Information Nondisclosure Agreement, in the presence of a person designated by the Contractor for this purpose, and a witness, will satisfy this requirement. Contractor employees currently cleared for access to TS, SAP, or SCI may attest orally to their security responsibilities when being briefed into a new program or during their annual refresher briefing. There is no requirement to retain a separate record of the oral attestation.
(b) If an employee refuses to attest orally to security responsibilities, the Contractor shall deny the employee access to classified information and shall submit a report to the Contractor’s security activity.
(End of clause)
252.204-7006 Billing Instructions.
As prescribed in 204.7109, use the following clause:
BILLING INSTRUCTIONS (OCT 2005)
When submitting a request for payment, the Contractor shall—
(a) Identify the contract line item(s) on the payment request that reasonably reflect contract work performance; and
(b) Separately identify a payment amount for each contract line item included in the payment request.
(End of clause)
252.204-7007 Alternate A, Annual Representations and Certifications.
As prescribed in 204.1202, use the following provision:
ALTERNATE A, ANNUAL REPRESENTATIONS AND CERTIFICATIONS
(MAY 2013)
Substitute the following paragraphs (d) and (e) for paragraph (d) of the provision at FAR 52.204-8:
(d)(1) The following representations or certifications in the System for Award Management (SAM) database are applicable to this solicitation as indicated:
(i) 252.209-7001, Disclosure of Ownership or Control by the Government of a Terrorist Country. Applies to all solicitations expected to result in contracts of $150,000 or more.
(ii) 252.209-7003, Reserve Officer Training Corps and Military Recruiting on Campus—Representation. Applies to all solicitations with institutions of higher education.
(iii) 252.216-7008, Economic Price Adjustment—Wage Rates or Material Prices Controlled by a Foreign Government. Applies to solicitations for fixed-price supply and service contracts when the contract is to be performed wholly or in part in a foreign country, and a foreign government controls wage rates or material prices and may during contract performance impose a mandatory change in wages or prices of materials.
(iv) 252.225-7042, Authorization to Perform. Applies to all solicitations when performance will be wholly or in part in a foreign country.
(v) 252.229-7012, Tax Exemptions (Italy)—Representation. Applies to solicitations and contracts when contract performance will be in Italy.
(vi) 252.229-7013, Tax Exemptions (Spain)—Representation. Applies to solicitations and contracts when contract performance will be in Spain.
(vii) 252.247-7022, Representation of Extent of Transportation by Sea. Applies to all solicitations except those for direct purchase of ocean transportation services or those with an anticipated value at or below the simplified acquisition threshold.
(2) The following representations or certifications in SAM are
applicable to this solicitation as indicated by the Contracting Officer: [Contracting Officer check as appropriate.]
___ (i) 252.209-7002, Disclosure of Ownership or Control by a Foreign Government.
___ (ii) 252.225-7000, Buy American—Balance of Payments
Program Certificate.
___ (iii) 252.225-7020, Trade Agreements Certificate.
___ Use with Alternate I.
____(iv) 252.225-7022, Trade Agreements Certificate—Inclusion of Iraqi End Products.
___ (v) 252.225-7031, Secondary Arab Boycott of Israel.
___ (vi) 252.225-7035, Buy American—Free Trade
Agreements—Balance of Payments Program Certificate.
___ Use with Alternate I.
___ Use with Alternate II.
___ Use with Alternate III.
___Use with Alternate IV.
___ Use with Alternate V.
(e) The offeror has completed the annual representations and certifications electronically via the SAM website at https://www.acquisition.gov/. After reviewing the SAM database information, the offeror verifies by submission of the offer that the representations and certifications currently posted electronically that apply to this solicitation as indicated in FAR 52.204-8(c) and paragraph (d) of this provision have been entered or updated within the last 12 months, are current, accurate, complete, and applicable to this solicitation (including the business size standard applicable to the NAICS code referenced for this solicitation), as of the date of this offer, and are incorporated in this offer by reference (see FAR 4.1201); except for the changes identified below [offeror to insert changes, identifying change by provision number, title, date]. These amended representation(s) and/or certification(s) are also incorporated in this offer and are current, accurate, and complete as of the date of this offer.
FAR/DFARS Provision # |
Title |
Date |
Change |
|
|
|
|
Any changes provided by the offeror are applicable to this solicitation only, and do not result in an update to the representations and certifications located in the SAM database.
(End of provision)
252.204-7008 Reserved.
252.204-7009 Reserved.
252.204-7010 Requirement for Contractor to Notify DoD if the Contractor’s Activities are Subject to Reporting Under the U.S.-International Atomic Energy Agency Additional Protocol.
As prescribed in 204.470-3, use the following clause:
REQUIREMENT FOR CONTRACTOR TO NOTIFY DOD IF THE CONTRACTOR’S ACTIVITIES ARE SUBJECT TO REPORTING UNDER THE U.S.-INTERNATIONAL ATOMIC ENERGY AGENCY ADDITIONAL PROTOCOL (JAN 2009)
(a) If the Contractor is required to report any of its activities in accordance with Department of Commerce regulations (15 CFR Part 781 et seq.) or Nuclear Regulatory Commission regulations (10 CFR Part 75) in order to implement the declarations required by the U.S.-International Atomic Energy Agency Additional Protocol (U.S.-IAEA AP), the Contractor shall—
(1) Immediately provide written notification to the following DoD Program Manager:
[Contracting Officer to insert Program Manager’s name, mailing address, e-mail address, telephone number, and facsimile number];
(2) Include in the notification—
(i) Where DoD contract activities or information are located relative to the activities or information to be declared to the Department of Commerce or the Nuclear Regulatory Commission; and
(ii) If or when any current or former DoD contract activities and the activities to be declared to the Department of Commerce or the Nuclear Regulatory Commission have been or will be co-located or located near enough to one another to result in disclosure of the DoD activities during an IAEA inspection or visit; and
(3) Provide a copy of the notification to the Contracting Officer.
(b) After receipt of a notification submitted in accordance with paragraph (a) of this clause, the DoD Program Manager will—
(1) Conduct a security assessment to determine if and by what means access may be granted to the IAEA; or
(2) Provide written justification to the component or agency treaty office for a national security exclusion, in accordance with DoD Instruction 2060.03, Application of the National Security Exclusion to the Agreements Between the United States of America and the International Atomic Energy Agency for the Application of Safeguards in the United States of America. DoD will notify the Contractor if a national security exclusion is applied at the Contractor’s location to prohibit access by the IAEA.
(c) If the DoD Program Manager determines that a security assessment is required—
(1) DoD will, at a minimum—
(i) Notify the Contractor that DoD officials intend to conduct an assessment of vulnerabilities to IAEA inspections or visits;
(ii) Notify the Contractor of the time at which the assessment will be conducted, at least 30 days prior to the assessment;
(iii) Provide the Contractor with advance notice of the credentials of the DoD officials who will conduct the assessment; and
(iv) To the maximum extent practicable, conduct the assessment in a manner that does not impede or delay operations at the Contractor’s facility; and
(2) The Contractor shall provide access to the site and shall cooperate with DoD officials in the assessment of vulnerabilities to IAEA inspections or visits.
(d) Following a security assessment of the Contractor’s facility, DoD officials will notify the Contractor as to—
(1) Whether the Contractor’s facility has any vulnerabilities where potentially declarable activities under the U.S.-IAEA AP are taking place;
(2) Whether additional security measures are needed; and
(3) Whether DoD will apply a national security exclusion.
(e) If DoD applies a national security exclusion, the Contractor shall not grant access to IAEA inspectors.
(f) If DoD does not apply a national security exclusion, the Contractor shall apply managed access to prevent disclosure of program activities, locations, or information in the U.S. declaration.
(g) The Contractor shall not delay submission of any reports required by the Department of Commerce or the Nuclear Regulatory Commission while awaiting a DoD response to a notification provided in accordance with this clause.
(h) The Contractor shall incorporate the substance of this clause, including this paragraph (h), in all subcontracts that are subject to the provisions of the U.S.-IAEA AP.
(End of clause)
252.204-7011 Alternative Line Item Structure.
As prescribed in 204.7109(b), insert the following provision:
ALTERNATIVE LINE ITEM STRUCTURE (SEP 2011)
(a) Line items are the basic structural elements in a solicitation or contract that provide for the organization of contract requirements to facilitate pricing, delivery, inspection, acceptance and payment. Line items are organized into contract line items, subline items, and exhibit line items. Separate line items should be established to account for separate pricing, identification (see section 211.274 of the Defense Federal Acquisition Regulation Supplement), deliveries, or funding. The Government recognizes that the line item structure in this solicitation may not conform to every offeror’s practices. Failure to correct these issues can result in difficulties in accounting for deliveries and processing payments. Therefore, offerors are invited to propose an alternative line item structure for items on which bids, proposals, or quotes are requested in this solicitation to ensure that the resulting contract structure is economically and administratively advantageous to the Government and the Contractor.
(b) If an alternative line item structure is proposed, the structure must be consistent with subpart 204.71 of the Defense Federal Acquisition Regulation Supplement and PGI 204.71. A sample line item structure and a proposed alternative structure are as follows:
Solicitation:
ITEM NO. |
SUPPLIES/SERVICE |
QUANTITY |
UNIT |
UNIT PRICE |
AMOUNT |
0001 |
Computer, Desktop with CPU, Monitor, Keyboard and Mouse |
20 |
EA |
|
|
|
|
|
|
|
|
Alternative line item structure offer where monitors are shipped separately:
ITEM NO. |
SUPPLIES/SERVICE |
QUANTITY |
UNIT |
UNIT PRICE |
AMOUNT |
0001 |
Computer, Desktop with CPU, Keyboard and Mouse |
20 |
EA |
|
|
0002 |
Monitor |
20 |
EA |
|
|
|
|
|
|
|
|
(End of provision)
252.204-7012 Safeguarding of Unclassified Controlled Technical Information.
As prescribed in 204.7303, use the following clause:
SAFEGUARDING OF UNCLASSIFIED CONTROLLED TECHNICAL INFORMATION (NOV 2013)
(a) Definitions. As used in this clause—
“Adequate security” means protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information.
“Attribution information” means information that identifies the Contractor, whether directly or indirectly, by the grouping of information that can be traced back to the Contractor (e.g., program description or facility locations).
“Compromise” means disclosure of information to unauthorized persons, or a violation of the security policy of a system, in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object, or the copying of information to unauthorized media may have occurred.
“Contractor information system” means an information system belonging to, or operated by or for, the Contractor.
“Controlled technical information” means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information is to be marked with one of the distribution statements B-through-F, in accordance with DoD Instruction 5230.24, Distribution Statements on Technical Documents. The term does not include information that is lawfully publicly available without restrictions.
“Cyber incident” means actions taken through the use of computer networks that result in an actual or potentially adverse effect on an information system and/or the information residing therein.
“Exfiltration” means any unauthorized release of data from within an information system. This includes copying the data through covert network channels or the copying of data to unauthorized media.
“Media” means physical devices or writing surfaces including, but is not limited to, magnetic tapes, optical disks, magnetic disks, large-scale integration memory chips, and printouts onto which information is recorded, stored, or printed within an information system.
“Technical information” means technical data or computer software, as those terms are defined in the clause at DFARS 252.227-7013, Rights in Technical Data-Non Commercial Items, regardless of whether or not the clause is incorporated in this solicitation or contract. Examples of technical information include research and engineering data, engineering drawings, and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer software executable code and source code.
(b) Safeguarding requirements and procedures for unclassified controlled technical information. The Contractor shall provide adequate security to safeguard unclassified controlled technical information from compromise. To provide adequate security, the Contractor shall—
(1) Implement information systems security in its project, enterprise, or company-wide unclassified information technology system(s) that may have unclassified controlled technical information resident on or transiting through them. The information systems security program shall implement, at a minimum—
(i) The specified National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 security controls identified in the following table; or
(ii) If a NIST control is not implemented, the Contractor shall submit to the Contracting Officer a written explanation of how—
(A) The required security control identified in the following table is not applicable; or
(B) An alternative control or protective measure is used to achieve equivalent protection.
(2) Apply other information systems security requirements when the Contractor reasonably determines that information systems security measures, in addition to those identified in paragraph (b)(1) of this clause, may be required to provide adequate security in a dynamic environment based on an assessed risk or vulnerability.
Table 1 -- Minimum Security Controls for Safeguarding
Minimum required security controls for unclassified controlled technical information requiring safeguarding in accordance with paragraph (d) of this clause. (A description of the security controls is in the NIST SP 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations” (http://csrc.nist.gov/publications/PubsSPs.html).)
Access Control |
Audit & Accountability |
Identification and Authentication |
Media Protection |
System & Comm Protection |
AC-2 |
AU-2 |
IA-2 |
MP-4 |
SC-2 |
AC-3(4) |
AU-3 |
IA-4 |
MP-6 |
SC-4 |
AC-4 |
AU-6(1) |
IA-5(1) |
|
SC-7 |
AC-6 |
AU-7 |
|
Physical and Environmental Protection |
SC-8(1) |
AC-7 |
AU-8 |
Incident Response |
PE-2 |
SC-13 |
AC-11(1) |
AU-9 |
IR-2 |
PE-3 |
|
AC-17(2) |
|
IR-4 |
PE-5 |
SC-15 |
AC-18(1) |
Configuration Management |
IR-5 |
|
SC-28 |
AC-19 |
CM-2 |
IR-6 |
Program Management |
|
AC-20(1) |
CM-6 |
|
PM-10 |
System & Information Integrity |
AC-20(2) |
CM-7 |
Maintenance |
|
SI-2 |
AC-22 |
CM-8 |
MA-4(6) |
Risk Assessment |
SI-3 |
|
|
MA-5 |
RA-5 |
SI-4 |
Awareness & Training |
Contingency Planning |
MA-6 |
|
|
AT-2 |
CP-9 |
|
|
|
Legend:
AC: Access Control MA: Maintenance
AT: Awareness and Training MP: Media Protection
AU: Auditing and Accountability PE: Physical & Environmental Protection
CM: Configuration Management PM: Program Management
CP: Contingency Planning RA: Risk Assessment
IA: Identification and Authentication SC: System & Communications Protection
IR: Incident Response SI: System & Information Integrity
(c) Other requirements. This clause does not relieve the Contractor of the requirements specified by applicable statutes or other Federal and DoD safeguarding requirements for Controlled Unclassified Information (CUI) as established by Executive Order 13556, as well as regulations and guidance established pursuant thereto.
(d) Cyber incident and compromise reporting.
(1) Reporting requirement. The Contractor shall report as much of the following information as can be obtained to the Department of Defense via (http://dibnet.dod.mil/) within 72 hours of discovery of any cyber incident, as described in paragraph (d)(2) of this clause, that affects unclassified controlled technical information resident on or transiting through the Contractor’s unclassified information systems:
(i) Data Universal Numbering System (DUNS).
(ii) Contract numbers affected unless all contracts by the company are affected.
(iii) Facility CAGE code if the location of the event is different than the prime Contractor location.
(iv) Point of contact if different than the POC recorded in the System for Award Management (address, position, telephone, email).
(v) Contracting Officer point of contact (address, position, telephone, email).
(vi) Contract clearance level.
(vii) Name of subcontractor and CAGE code if this was an incident on a Sub-contractor network.
(viii) DoD programs, platforms or systems involved.
(ix) Location(s) of compromise.
(x) Date incident discovered.
(xi) Type of compromise (e.g., unauthorized access, inadvertent release, other).
(xii) Description of technical information compromised.
(xiii) Any additional information relevant to the information compromise.
(2) Reportable cyber incidents. Reportable cyber incidents include the following:
(i) A cyber incident involving possible exfiltration, manipulation, or other loss or compromise of any unclassified controlled technical information resident on or transiting through Contractor’s, or its subcontractors’, unclassified information systems.
(ii) Any other activities not included in paragraph (d)(2)(i) of this clause that allow unauthorized access to the Contractor’s unclassified information system on which unclassified controlled technical information is resident on or transiting.
(3) Other reporting requirements. This reporting in no way abrogates the Contractor’s responsibility for additional safeguarding and cyber incident reporting requirements pertaining to its unclassified information systems under other clauses that may apply to its contract, or as a result of other U.S. Government legislative and regulatory requirements that may apply (e.g., as cited in paragraph (c) of this clause).
(4) Contractor actions to support DoD damage assessment. In response to the reported cyber incident, the Contractor shall—
(i) Conduct further review of its unclassified network for evidence of compromise resulting from a cyber incident to include, but is not limited to, identifying compromised computers, servers, specific data and users accounts. This includes analyzing information systems that were part of the compromise, as well as other information systems on the network that were accessed as a result of the compromise;
(ii) Review the data accessed during the cyber incident to identify specific unclassified controlled technical information associated with DoD programs, systems or contracts, including military programs, systems and technology; and
(iii) Preserve and protect images of known affected information systems and all relevant monitoring/packet capture data for at least 90 days from the cyber incident to allow DoD to request information or decline interest.
(5) DoD damage assessment activities. If DoD elects to conduct a damage assessment, the Contracting Officer will request that the Contractor point of contact identified in the incident report at (d)(1) of this clause provide all of the damage assessment information gathered in accordance with paragraph (d)(4) of this clause. The Contractor shall comply with damage assessment information requests. The requirement to share files and images exists unless there are legal restrictions that limit a company's ability to share digital media. The Contractor shall inform the Contracting Officer of the source, nature, and prescription of such limitations and the authority responsible.
(e) Protection of reported information. Except to the extent that such information is lawfully publicly available without restrictions, the Government will protect information reported or otherwise provided to DoD under this clause in accordance with applicable statutes, regulations, and policies. The Contractor shall identify and mark attribution information reported or otherwise provided to the DoD. The Government may use information, including attribution information and disclose it only to authorized persons for purposes and activities consistent with this clause.
(f) Nothing in this clause limits the Government’s ability to conduct law enforcement or counterintelligence activities, or other lawful activities in the interest of homeland security and national security. The results of the activities described in this clause may be used to support an investigation and prosecution of any person or entity, including those attempting to infiltrate or compromise information on a contractor information system in violation of any statute.
(g) Subcontracts. The Contractor shall include the substance of this clause, including this paragraph (g), in all subcontracts, including subcontracts for commercial items.
(End of clause)
1998
EDITION 252.204-
| File Type | application/msword |
| File Modified | 2013-11-19 |
| File Created | 2013-11-19 |