
ITEM NO. | SCHEDULE OF SUPPLIES/SERVICES | QUANTITY | UNIT | UNIT PRICE | AMOUNT

Funded: $702,432.93 (Accounting Info:)

Funded: $40,981.86 (Accounting Info:)

Funded: $347,917.46

10001 Option Period 1 Ceiling Price 0.00 (Option Line Item)
See Attachment 1 for Authorized Labor Categories and Fixed Hourly Rates
Amount: $1,059,977.13
Anticipated Exercise Date: 09/30/2020
Period of Performance: 10/01/2020 to 09/30/2021

20001 Option Period 2 Ceiling Price 0.00 (Option Line Item)
See Attachment 1 for Authorized Labor Categories and Fixed Hourly Rates
Amount: $847,176.84
Anticipated Exercise Date: 09/30/2021
Period of Performance: 10/01/2021 to 09/30/2022

The obligated amount of award: $1,091,332.25. The total for this award is shown in box 26.


STANDARD FORM 1449 (REV. 2/2012) BACK GS35F192BA 31310019F0149 3

BRIEF DESCRIPTION OF WORK ALTERNATE I

The title of this project is: Mission Application Portal Phase 1 Project for Data Analytics

CONSIDERATION AND OBLIGATION-Labor Hour Contract

(a) The ceiling price to the Government for full performance under this task order for the base year is $1,091,332.25 and for the base and all option years is $2,998,486.22.

(b) The task order includes direct labor hours at specified fixed hourly rates, inclusive of wages, fringe, overhead, general and administrative expenses, and profit.

(c) The amount currently obligated is $1,091,332.25.

(d) If this is an incrementally-funded task order, FAR 52.232-22 “Limitation of Funds” applies.

PERIOD OF PERFORMANCE

Base Period: 10/01/2019 – 09/30/2020
Option Period 1: 10/01/2020 – 09/30/2021
Option Period 2: 10/01/2021 – 09/30/2022

INSPECTION AND ACCEPTANCE BY THE NRC (SEP 2013)

Inspection and acceptance of the deliverable items to be furnished hereunder shall be made by the NRC Contracting Officer’s Representative (COR) at the destination, in accordance with FAR 52.247-34 - F.o.b. Destination.

BRANDING

The Contractor is required to use the statement below in any publications, presentations, articles, products, or materials funded under this contract/order, to the extent practical, in order to provide NRC with recognition for its involvement in and contribution to the project. If the work performed is funded entirely with NRC funds, then the contractor must acknowledge that information in its documentation/presentation.

Work Supported by the U.S. Nuclear Regulatory Commission (NRC), Office of Chief Information Officer under Contract Number GS35F192BA, Order Number 31310019F0149.

NRCAR Clauses Incorporated By Reference

2052.209-72 CONTRACTOR ORGANIZATIONAL CONFLICTS OF INTEREST. (JAN 1993)
2052.215-73 AWARD NOTIFICATION AND COMMITMENT OF PUBLIC FUNDS (OCT 1999)
2052.222-70 NONDISCRIMINATION BECAUSE OF AGE. (JAN 1993)

52.217-8 OPTION TO EXTEND SERVICES. (NOV 1999)

The Government may require continued performance of any services within the limits and at the rates specified in the contract. These rates may be adjusted only as a result of revisions to prevailing labor rates provided by the Secretary of Labor. The option provision may be exercised more than once, but the total extension of performance hereunder shall not exceed 6 months. The Contracting Officer may exercise the option by written notice to the Contractor anytime before the contract expires.

52.217-9 OPTION TO EXTEND THE TERM OF THE CONTRACT. (MAR 2000)

(a) The Government may extend the term of this contract by written notice to the Contractor within the then-current contract period; provided that the Government gives the Contractor a preliminary written notice of its intent to extend at least 10 days before the contract expires. The preliminary notice does not commit the Government to an extension.

(b) If the Government exercises this option, the extended contract shall be considered to include this option clause.

(c) The total duration of this contract, including the exercise of any options under this clause, shall not exceed 3 years.

52.227-17 Rights in Data-Special Works.

As prescribed in 27.409(e), insert the following clause:

Rights in Data-Special Works (Dec 2007)

(a) Definitions. As used in this clause-

“Data” means recorded information, regardless of form or the media on which it may be recorded. The term includes technical data and computer . The term does not include information incidental to contract administration, such as financial, administrative, cost or pricing, or management information.

“Unlimited rights” means the rights of the Government to use, disclose, reproduce, prepare derivative works, distribute copies to the public, and perform publicly and display publicly, in any manner and for any purpose, and to have or permit others to do so.

(b) Allocation of Rights.

(1) The Government shall have-

(i) Unlimited rights in all data delivered under this contract, and in all data first produced in the performance of this contract, except as provided in paragraph (c) of this clause.

(ii) The right to limit assertion of copyright in data first produced in the performance of this contract, and to obtain assignment of copyright in that data, in accordance with paragraph (c)(1) of this clause.

(iii) The right to limit the release and use of certain data in accordance with paragraph (d) of this clause.

(2) The Contractor shall have, to the extent permission is granted in accordance with paragraph (c)(1) of this clause, the right to assert claim to copyright subsisting in data first produced in the performance of this contract.

(c) Copyright-

(1) Data first produced in the performance of this contract.

(i) The Contractor shall not assert or authorize others to assert any claim to copyright subsisting in any data first produced in the performance of this contract without prior written permission of the Contracting Officer. When copyright is asserted, the Contractor shall affix the appropriate copyright notice of 17 U.S.C. 401 or 402 and acknowledgment of Government sponsorship (including contract number) to the data when delivered to the Government, as well as when the data are published or deposited for registration as a published work in the U.S. Copyright Office. The Contractor grants to the Government, and others acting on its behalf, a paid-up, nonexclusive, irrevocable, worldwide license for all delivered data to reproduce, prepare derivative works, distribute copies to the public, and perform publicly and display publicly, by or on behalf of the Government.

(ii) If the Government desires to obtain copyright in data first produced in the performance of this contract and permission has not been granted as set forth in paragraph (c)(1)(i) of this clause, the Contracting Officer shall direct the Contractor to assign (with or without registration), or obtain the assignment of, the copyright to the Government or its designated assignee.

(2) Data not first produced in the performance of this contract. The Contractor shall not, without prior written permission of the Contracting Officer, incorporate in data delivered under this contract any data not first produced in the performance of this contract and that contain the copyright notice of 17 U.S.C. 401 or 402, unless the Contractor identifies such data and grants to the Government, or acquires on its behalf, a license of the same scope as set forth in paragraph (c)(1) of this clause.

(d) Release and use restrictions. Except as otherwise specifically provided for in this contract, the Contractor shall not use, release, reproduce, distribute, or publish any data first produced in the performance of this contract, nor authorize others to do so, without written permission of the Contracting Officer.

(e) Indemnity. The Contractor shall indemnify the Government and its officers, agents, and employees acting for the Government against any liability, including costs and expenses, incurred as the result of the violation of trade secrets, copyrights, or right of privacy or publicity, arising out of the creation, delivery, publication, or use of any data furnished under this contract; or any libelous or other unlawful matter contained in such data. The provisions of this paragraph do not apply unless the Government provides notice to the Contractor as soon as practicable of any claim or suit, affords the Contractor an opportunity under applicable laws, rules, or regulations to participate in the defense of the claim or suit, and obtains the Contractor’s consent to the settlement of any claim or suit other than as required by final decree of a court of competent jurisdiction; and these provisions do not apply to material furnished to the Contractor by the Government and incorporated in data to which this clause applies.

52.252-2 CLAUSES INCORPORATED BY REFERENCE. (FEB 1998)

This contract incorporates one or more clauses by reference, with the same force and effect as if they were given in full text. Upon request, the Contracting Officer will make their full text available. Also, the full text of a clause may be accessed electronically at this/these addresses:

http://www.acquisition.gov/far
https://www.nrc.gov/about-nrc/contracting/48cfr-ch20.html

CONTRACTING OFFICER’S REPRESENTATIVE

(a) The contracting officer's representative, hereinafter referred to as the COR, for this order is:

COR:
Name: Gayathri Sastry
Address: 11555 Rockville Pike, Rockville MD, 28052
Telephone Number: 301-415-8344
Email: [email protected]

Alternate COR:
Name: Melissa Ash
Address: 11555 Rockville Pike, Rockville MD, 28052
Telephone Number: 301-415-7251
Email: [email protected]

(b) The COR shall:

(1) Monitor contractor performance and recommend changes in requirements to the contracting officer.

(2) Inspect and accept products/services provided under the order.

(3) Review all contractor invoices requesting payment for products/services provided under the order and make recommendations for approval, disapproval, or suspension.

(c) The COR may not make changes to the express terms and conditions of this order.

REGISTRATION IN FEDCONNECT® (JULY 2014)

The Nuclear Regulatory Commission (NRC) uses Compusearch Software Systems’ secure and auditable two-way web portal, FedConnect®, to communicate with vendors and contractors. FedConnect® provides bi-directional communication between the vendor/contractor and the NRC throughout pre-award, award, and post-award acquisition phases. Therefore, in order to do business with the NRC, vendors and contractors must register to use FedConnect® at https://www.fedconnect.net/FedConnect. The individual registering in FedConnect® must have authority to bind the vendor/contractor. There is no charge for using FedConnect®. Assistance with FedConnect® is provided by Compusearch Software Systems, not the NRC. FedConnect® contact and assistance information is provided on the FedConnect® web site at https://www.fedconnect.net/FedConnect.

GREEN PURCHASING (JUL 2016)

The schedule contractor’s cost proposal or proposal shall include the following information to identify the major category(ies) of environmental products and/or services included in the proposal, as applicable. The schedule contractor shall list planned use of the following sustainable (green) acquisition categories from the list below.

Green Purchasing Categories:

EPA Designated Product Category –
  • Comprehensive Procurement Guidelines (CPG) designated products containing recovered materials (also known as recycled-content products)

Recovered Materials/Sustainability Product Categories –
  • Energy efficient products
    o ENERGY STAR® products
    o Federal Energy Management Program (FEMP)-designated products
  • Biobased products (USDA BioPreferred products)
  • Environmentally preferable products
    o Electronic Product Environmental Assessment Tool (EPEAT)-registered products
    o Water-efficient products (e.g., EPA WaterSense)
    o Non-toxic/less toxic products
    o EPA Significant New Alternatives Policy Program (SNAP)-listed products
    o Other Environmentally Preferable

(End of Provision)

2052.215-70 KEY PERSONNEL. (JAN 1993)

(a) The following roles are considered to be essential to the successful performance of the work hereunder:

  • Project Manager (PM)
  • Technical Lead

(b) If one or more of the key personnel, for whatever reason, becomes, or is expected to become, unavailable for work under this contract for a continuous period exceeding 30 work days, or is expected to devote substantially less effort to the work than indicated in the proposal or initially anticipated, the Contractor shall immediately notify the contracting officer and shall, subject to the concurrence of the contracting officer, promptly replace the personnel with personnel of at least substantially equal ability and qualifications.

(c) Each request for approval of substitutions must be in writing and contain a detailed explanation of the circumstances necessitating the proposed substitutions. The request must also contain a complete resume for the proposed substitute and other information requested or needed by the contracting officer to evaluate the proposed substitution. The contracting officer and the project officer shall evaluate the Contractor's request and the contracting officer shall promptly notify the Contractor of his or her decision in writing.

(d) If the contracting officer determines that suitable and timely replacement of key personnel who have been reassigned, terminated, or have otherwise become unavailable for the contract work is not reasonably forthcoming, or that the resultant reduction of productive effort would be so substantial as to impair the successful completion of the contract or the service order, the contract may be terminated by the contracting officer for default or for the convenience of the Government, as appropriate. If the contracting officer finds the Contractor at fault for the condition, the contract price or fixed fee may be equitably adjusted downward to compensate the Government for any resultant delay, loss, or damage.

COMPLIANCE WITH SECTION 508 OF THE REHABILITATION ACT OF 1973, AS AMENDED

In December 2000, the Architectural and Transportation Barriers Compliance Board (Access Board) pursuant to Section 508(2)(A) of the Rehabilitation Act Amendments of 1998, established electronic and information technology (EIT) accessibility standards for the federal government.

The Standards for Section 508 of the Rehabilitation Act (codified at 36 CFR § 1194) were revised by the Access Board, published on January 18, 2017 and minor corrections were made on January 22, 2018, effective March 23, 2018.

The Revised 508 Standards have replaced the term EIT with information and communication technology (ICT). ICT is information technology (as defined in 40 U.S.C. 11101(6)) and other equipment, systems, technologies, or processes, for which the principal function is the creation, manipulation, storage, display, receipt, or transmission of electronic data and information, as well as any associated content. Examples of ICT include, but are not limited to: computers and peripheral equipment; information kiosks and transaction machines; telecommunications equipment; customer premises equipment; multifunction office machines; software; applications; Web sites; videos; and electronic documents. The text of the Revised 508 Standards can be found in 36 CFR § 1194.1 and in Appendices A, C and D of 36 CFR § 1194 (at https://www.ecfr.gov/cgi-bin/text-idx?SID=caeb8ddcea26ba5002c2eea047698e85&mc=true&tpl=/ecfrbrowse/Title36/36cfr1194_main_02.tpl).

In order to help the NRC comply with Section 508 of the Rehabilitation Act of 1973, as amended (29 U.S.C. § 794d) (Section 508), the Contractor shall ensure that its deliverables (both products and services) within the scope of this contract/order are:

1. in conformance with, and
2. support the requirements of

the Standards for Section 508 of the Rehabilitation Act, as set forth in Appendices A, C and D of 36 CFR § 1194.

The following is an outline of the Revised 508 Standards that identifies what provisions are always applicable and which ones may be applicable. If “Maybe” is stated in the table below, then those provisions are applicable only if they are within the scope of this acquisition.

Provision of 36 CFR Part 1194 — Applicable to the Order?

1. Appendix A to Part 1194 – Section 508 of the Rehabilitation Act: Application and Scoping Requirements: Maybe
   o Section 508 Chapter 1: Application and Administration - sets forth general application and administration provisions: Maybe
   o Section 508 Chapter 2: Scoping Requirements - containing scoping requirements (which, in turn, prescribe which ICT – and, in some cases, how many – must comply with the technical specifications): Maybe

2. Appendix C to Part 1194 – Functional Performance Criteria and Technical Requirements: Maybe
   o Chapter 3: Functional Performance Criteria – applies to ICT where required by 508 Chapter 2 (Scoping Requirements) and where otherwise referenced in any other chapter of the Revised 508 Standards: Maybe
   o Chapter 4: Hardware: No
   o Chapter 5: Software: Maybe
   o Chapter 6: Support Documentation and Services (applicable to, but not limited to, help desks, call centers, training services, and automated self-service technical support) (Always applies if Chapters 4 or 5 apply): Maybe
   o Chapter 7: Referenced Standards: Maybe

3. Appendix D to Part 1194 – Electronic and Information Technology Accessibility Standards as Originally Published on December 21, 2000: Maybe

TRAVEL APPROVALS AND REIMBURSEMENT (OCT 1999) - ALTERNATE I (OCT 1999)

(a) Total expenditure for travel may not exceed $0 without the prior approval of the contracting officer.

(b) All foreign travel must be approved in advance by the NRC on NRC Form 445, Request for Approval of Official Foreign Travel, and must be in compliance with FAR 52.247-63 Preference for U.S. Flag Air Carriers. The contractor shall submit NRC Form 445 to the NRC no later than 30 days prior to the commencement of travel.

(c) The contractor will be reimbursed only for travel costs incurred that are directly related to this contract and are allowable subject to the limitations prescribed in FAR 31.205-46.

(d) It is the responsibility of the contractor to notify the contracting officer in accordance with the FAR Limitations of Cost clause of this contract when, at any time, the contractor learns that travel expenses will cause the contractor to exceed the travel ceiling amount identified in paragraph (a) of this clause.

(e) Reasonable travel costs for research and related activities performed at State and nonprofit institutions, in accordance with Section 12 of Pub. L. 100-679, must be charged in accordance with the contractor's institutional policy to the degree that the limitations of Office of Management and Budget (OMB) guidance are not exceeded. Applicable guidance documents include OMB Circular A-87, Cost Principles for State and Local Governments; OMB Circular A-122, Cost Principles for Nonprofit Organizations; and OMB Circular A-21, Cost Principles for Educational Institutions.

2052.204-70 SECURITY. (OCT 1999)

(a) Security/Classification Requirements Form. The attached NRC Form 187 (See List of Attachments) furnishes the basis for providing security and classification requirements to prime Contractors, subcontractors, or others (e.g., bidders) who have or may have an NRC contractual relationship that requires access to classified information or matter, access on a continuing basis (in excess of 90 or more days) to NRC Headquarters controlled buildings, or otherwise requires NRC photo identification or card-key badges.

(b) It is the Contractor's duty to safeguard National Security Information, Restricted Data, and Formerly Restricted Data. The Contractor shall, in accordance with the Commission's security regulations and requirements, be responsible for safeguarding National Security Information, Restricted Data, and Formerly Restricted Data, and for protecting against sabotage, espionage, loss, and theft, the classified documents and material in the Contractor's possession in connection with the performance of work under this contract. Except as otherwise expressly provided in this contract, the Contractor shall transmit to the Commission any classified matter in the possession of the Contractor or any person under the Contractor's control in connection with performance of this contract upon completion or termination of this contract.

(1) The Contractor shall complete a certificate of possession to be furnished to the Commission specifying the classified matter to be retained if the retention is: (i) Required after the completion or termination of the contract; and (ii) Approved by the contracting officer.

(2) The certification must identify the items and types or categories of matter retained, the conditions governing the retention of the matter and their period of retention, if known. If the retention is approved by the contracting officer, the security provisions of the contract continue to be applicable to the matter retained.

(c) In connection with the performance of the work under this contract, the Contractor may be furnished, or may develop or acquire, proprietary data (trade secrets) or confidential or privileged technical, business, or financial information, including Commission plans, policies, reports, financial plans, internal data protected by the Privacy Act of 1974 (Pub. L. 93-579), or other information which has not been released to the public or has been determined by the Commission to be otherwise exempt from disclosure to the public. The Contractor agrees to hold the information in confidence and not to directly or indirectly duplicate, disseminate, or disclose the information, in whole or in part, to any other person or organization except as necessary to perform the work under this contract. The Contractor agrees to return the information to the Commission or otherwise dispose of it at the direction of the contracting officer. Failure to comply with this clause is grounds for termination of this contract.

(d) Regulations. The Contractor agrees to conform to all security regulations and requirements of the Commission which are subject to change as directed by the NRC Division of Facilities and Security and the Contracting Officer. These changes will be under the authority of the FAR Changes clause referenced in Section I of this document.

(e) Definition of National Security Information. As used in this clause, the term National Security Information means information that has been determined pursuant to Executive Order 12958 or any predecessor order to require protection against unauthorized disclosure and that is so designated.

(f) Definition of Restricted Data. As used in this clause, the term Restricted Data means all data concerning design, manufacture, or utilization of atomic weapons; the production of special nuclear material; or the use of special nuclear material in the production of energy, but does not include data declassified or removed from the Restricted Data category under Section 142 of the Atomic Energy Act of 1954, as amended.

(g) Definition of Formerly Restricted Data. As used in this clause the term Formerly Restricted Data means all data removed from the Restricted Data category under Section 142-d of the Atomic Energy Act of 1954, as amended.

(h) Security clearance personnel. The Contractor may not permit any individual to have access to Restricted Data, Formerly Restricted Data, or other classified information, except in accordance with the Atomic Energy Act of 1954, as amended, and the Commission's regulations or requirements applicable to the particular type or category of classified information to which access is required. The Contractor shall also execute a Standard Form 312, Classified Information Nondisclosure Agreement, when access to classified information is required.

(i) Criminal liabilities. Disclosure of National Security Information, Restricted Data, and Formerly Restricted Data relating to the work or services ordered hereunder to any person not entitled to receive it, or failure to safeguard any Restricted Data, Formerly Restricted Data, or any other classified matter that may come to the Contractor or any person under the Contractor's control in connection with work under this contract, may subject the Contractor, its agents, employees, or subcontractors to criminal liability under the laws of the United States. (See the Atomic Energy Act of 1954, as amended, 42 U.S.C. 2011 et seq.; 18 U.S.C. 793 and 794; and Executive Order 12958.)

(j) Subcontracts and purchase orders. Except as otherwise authorized, in writing, by the contracting officer, the Contractor shall insert provisions similar to the foregoing in all subcontracts and purchase orders under this contract.

(k) In performing contract work, the Contractor shall classify all documents, material, and equipment originated or generated by the Contractor in accordance with guidance issued by the Commission. Every subcontract and purchase order issued under the contract that involves originating or generating classified documents, material, and equipment must provide that the subcontractor or supplier assign the proper classification to all documents, material, and equipment in accordance with guidance furnished by the Contractor.

2052.204-71 SITE ACCESS BADGE REQUIREMENTS. (JAN 1993)

During the life of this contract, the rights of ingress and egress for Contractor personnel must be made available as required. In this regard, all Contractor personnel whose duties under this contract require their presence on-site shall be clearly identifiable by a distinctive badge furnished by the Government. The Project Officer shall assist the Contractor in obtaining the badges for Contractor personnel. It is the sole responsibility of the Contractor to ensure that each employee has proper identification at all times. All prescribed identification must be immediately delivered to the Security Office for cancellation or disposition upon the termination of employment of any Contractor personnel. Contractor personnel shall have this identification in their possession during on-site performance under this contract. It is the Contractor's duty to assure that Contractor personnel enter only those work areas necessary for performance of contract work and to assure the safeguarding of any Government records or data that Contractor personnel may come into contact with.

SECURITY REQUIREMENTS RELATING TO THE PRODUCTION OF REPORTS OR THE PUBLICATION OF RESULTS UNDER CONTRACTS, AGREEMENTS, AND GRANTS (JUL 2016)

(a) Reporting Requirements. The Contractor/grantee shall comply with the terms and conditions of the contract/grant regarding the contents of the draft and final report, summaries, data, and related documents, to include correcting, deleting, editing, revising, modifying, formatting, and supplementing any of the information contained therein, at no additional cost to the NRC. Performance under the contract/grant will not be deemed accepted or completed until it complies with the NRC’s directions, as applicable. The reports, summaries, data, and related documents will be considered draft until approved by the NRC. The Contractor/grantee agrees that the direction, determinations, and decisions on approval or disapproval of reports, summaries, data, and related documents created under this contract/grant remain solely within the discretion of the NRC.

(b) Publication of Results. Prior to any dissemination, display, publication, or release of articles, reports, summaries, data, or related documents developed under the contract/grant, the Contractor/grantee shall submit them to the NRC for review and approval. The Contractor/ grantee shall not release, disseminate, display or publish articles, reports, summaries, data, and related documents, or the contents therein, that have not been reviewed and approved by the NRC for release, display, dissemination or publication. The Contractor/grantee agrees to conspicuously place any disclaimers, markings or notices, directed by the NRC, on any articles, reports, summaries, data, and related documents that the Contractor/grantee intends to release, display, disseminate or publish to other persons, the public, or any other entities. The Contractor/grantee agrees, and grants, a royalty-free, nonexclusive, irrevocable worldwide license to the government, to use, reproduce, modify, distribute, prepare derivative works, release, display or disclose the articles, reports, summaries, data, and related documents developed under the contract/grant, for any governmental purpose and to have or authorize others to do so.

(c) Identification/Marking of Sensitive Unclassified Non-Safeguards Information (SUNSI) and Safeguards Information (SGI). The decision, determination, or direction by the NRC that information possessed, formulated or produced by the Contractor/grantee constitutes SUNSI or SGI is solely within the authority and discretion of the NRC. In performing the contract/grant, the Contractor/grantee shall clearly mark SUNSI and SGI, to include for example, OUO-Allegation Information or OUO-Security Related Information on any reports, documents, designs, data, materials, and written information, as directed by the NRC. In addition to marking the information as directed by the NRC, the Contractor shall use the applicable NRC cover sheet (e.g., NRC Form 461 Safeguards Information) in maintaining these records and documents. The Contractor/grantee shall ensure that SUNSI and SGI is handled, maintained and protected from unauthorized disclosure, consistent with NRC policies and directions. The Contractor shall comply with the requirements to mark, maintain, and protect all information, including documents, summaries, reports, data, designs, and materials in accordance with the provisions of Section 147 of the Atomic Energy Act of 1954 as amended, its implementing regulations (10 CFR 73.21), Sensitive Unclassified Non-Safeguards and Safeguards Information policies, and NRC Management Directives and Handbooks 12.5, 12.6 and 12.7.

(d) Remedies. In addition to any civil, criminal, and contractual remedies available under the applicable laws and regulations, failure to comply with the above provisions, and/or NRC directions, may result in suspension, withholding, or offsetting of any payments invoiced or claimed by the Contractor.

(e) Flowdown. If the Contractor intends to enter into any subcontracts or other agreements to perform this contract/grant, the Contractor shall include all of the above provisions in any subcontracts or agreements.

NRC INFORMATION TECHNOLOGY SECURITY TRAINING (MAY 2016)

NRC Contractor shall ensure that its employees, consultants, and subcontractors with access to the agency's information technology (IT) equipment and/or IT services complete NRC's online initial and refresher IT security training requirements to ensure that their knowledge of IT threats, vulnerabilities, and associated countermeasures remains current. Both the initial and refresher IT security training courses generally last an hour or less and can be taken during the employee's regularly scheduled work day. Contractor employees, consultants, and subcontractors shall complete the NRC's online annual "Computer Security Awareness" course on the same day that they receive access to the agency's IT equipment and/or services, as their first action using the equipment/service. For those Contractor personnel, consultants, and subcontractors who are already working under this contract, the on-line training must be completed in accordance with agency Network Announcements issued throughout the year, within three weeks of issuance of this modification.

Additional annual required online NRC training includes but is not limited to the following:

(1) Information Security (INFOSEC) Awareness
(2) Continuity of Operations (COOP) Awareness
(3) Defensive Counterintelligence and Insider Threat Awareness
(4) No FEAR Act
(5) Personally Identifiable Information (PII) and Privacy Act Responsibilities Awareness

Contractor employees, consultants, and subcontractors who have been granted access to NRC information technology equipment and/or IT services must continue to take IT security refresher training offered online by the NRC throughout the term of the contract. Contractor employees will receive notice of NRC's online IT security refresher training requirements through agency-wide notices.

The NRC reserves the right to deny or withdraw Contractor use or access to NRC IT equipment and/or services, and/or take other appropriate contract administrative actions (e.g., disallow costs, terminate for cause) should the Contractor violate the Contractor's responsibility under this clause.

SECURITY REQUIREMENTS FOR ACCESS TO CLASSIFIED MATTER OR INFORMATION (SEP 2013)

Performance under this contract will require access to classified matter or information (National Security Information or Restricted Data) in accordance with the attached NRC Form 187 (See List of Attachments). Prime Contractor personnel, subcontractors or others performing work under this contract shall require a "Q" security clearance (allows access to Top Secret, Secret, and Confidential National Security Information and Restricted Data) or an "L" security clearance (allows access to Secret and Confidential National Security Information and/or Confidential Restricted Data).

The Contractor must identify all individuals to work under this contract. The NRC sponsoring office shall make the final determination of the type of security clearance required for all individuals working under this contract.

The Contractor shall conduct a preliminary security interview or review for each of its employees, subcontractor employees and consultants, and submit to the Government only the names of candidates that have a reasonable probability of obtaining the level of security clearance for which the candidate has been proposed. The Contractor will pre- screen applicants for the following:

(a) pending criminal charges or proceedings; (b) felony arrest records, including alcohol related arrest, within the last seven (7) years; (c) record of any military courts-martial charges and proceedings in the last seven (7) years and courts-martial convictions in the last ten (10) years; (d) any involvement in hate crimes; (e) involvement in any group or organization that espouses extra-legal violence as a legitimate means to an end; (f) dual or multiple citizenship, including the issuance of a foreign passport in the last seven (7) years; (g) illegal use, possession, or distribution of narcotics or other controlled substances within the last seven (7) years; (h) financial issues regarding delinquent debts, liens, garnishments, bankruptcy and civil court actions in the last seven (7) years.

The Contractor shall make a written record of their pre-screening interview or review (including any information to mitigate the responses to items listed in (a) - (h)), and have the candidate verify the record, sign and date it. Two (2) copies of the signed interview record or review will be supplied to DFS/PSB with the applicant's completed security application package.

The Contractor shall further ensure that all Contractor employees, subcontractor personnel and consultants for classified information access approval complete all security applications required by this clause within fourteen (14) calendar days of notification by DFS/PSB of initiation of the application process. Timely receipt of properly completed security applications (submitted for candidates that have a reasonable probability of obtaining the level of security clearance for which the candidate has been proposed) is a contract requirement. Failure of the Contractor to comply with this condition may be a basis to cancel the award, or terminate the contract for default, or offset from the contract's invoiced cost or price the NRC's incurred costs or delays as a result of inadequate pre-screening by the Contractor. In the event of termination or cancellation, the Government may select another firm for contract award.

Such Contractor personnel shall be subject to the NRC Contractor personnel security requirements of NRC Management Directive (MD) 12.3, Part I and 10 CFR Part 10.11, which is hereby incorporated by reference and made a part of this contract as though fully set forth herein, and will require a favorably adjudicated Single Scope Background Investigation (SSBI) for "Q" clearances or a favorably adjudicated Access National Agency Check and Inquiries (ANACI), or higher level investigation depending on the position the individual will occupy, for "L" clearances.

Contractor personnel shall not have access to classified information until he/she is granted a security clearance by DFS/PSB, based on a favorably adjudicated investigation. In the event the Contractor person's investigation cannot be favorably adjudicated, any interim access approval could possibly be revoked and the individual could be subsequently removed from performing under the contract. If interim approval access is revoked or denied, the Contractor is responsible for assigning another individual to perform the necessary work under this contract without delay to the contract's performance schedule, or without adverse impact to any other terms or conditions of the contract. The individual will be subject to a reinvestigation every five (5) years for "Q" clearances and every ten (10) years for "L" clearances.

CORs are responsible for submitting the completed access/clearance request package, as well as any other necessary documentation, to DFS/PSB. The Contractor shall submit a completed security forms packet, including the OPM Standard Form (SF) 86 (online Questionnaire for National Security Positions), two (2) copies of the Contractor's signed pre-screening record and two (2) FD 258 fingerprint charts, to DFS/PSB for review and adjudication, prior to submission to the Office of Personnel Management for investigation. The individual may start working under this contract before a final clearance is granted if a temporary access determination can be made by DFS/PSB after the review of the security package. If the individual is granted a temporary access authorization, the individual may not have access to classified information under this contract until DFS/PSB has granted them the appropriate security clearance, and the Contractor has read, understood, and signed the SF 312, "Classified Information Nondisclosure Agreement." The Contractor shall assure that all forms are accurate, complete, and legible (except for Part 2 of the questionnaire, which is required to be completed in private and submitted by the individual to the Contractor in a sealed envelope), as set forth in NRC MD 12.3. Based on DFS/PSB review of the applicant's investigation, the individual may be denied his/her security clearance in accordance with the due process procedures set forth in MD 12.3, E.O. 12968, and 10 CFR Part 10.11. In accordance with NRCAR 2052.204-70, cleared Contractors shall be subject to the attached NRC Form 187 (See Section J for List of Attachments), MD 12.3, SF-86 and the Contractor's signed record or review of the pre-screening, which together furnish the basis for providing security requirements to prime Contractors, subcontractors or others who have or may have an NRC contractual relationship which requires access to classified information.

CANCELLATION OR TERMINATION OF SECURITY CLEARANCE ACCESS/ REQUEST

When a request for clearance investigation is to be withdrawn or canceled, the Contractor shall immediately notify the COR by telephone so that the investigation may be promptly discontinued. The notification shall contain the full name of the individual, and the date of the request. Telephone notifications must be promptly confirmed in writing by the Contractor to the COR who will forward the confirmation via email to DFS/PSB. Additionally, DFS/PSB must be immediately notified in writing when an individual no longer requires access to Government classified information, including the voluntary or involuntary separation of employment of an individual who has been approved for or is being processed for access under the NRC "Personnel Security Program."

SAFETY OF ON-SITE CONTRACTOR PERSONNEL

Ensuring the safety of occupants of Federal buildings is a responsibility shared by the professionals implementing our security and safety programs and the persons being protected. The NRC's Office of Administration (ADM) Division of Facilities and Security (DFS) has coordinated an Occupant Emergency Plan (OEP) for NRC Headquarters buildings with local authorities. The OEP has been approved by the Montgomery County Fire and Rescue Service. It is designed to improve building occupants' chances of survival, minimize damage to property, and promptly account for building occupants when necessary.

The Contractor shall ensure that all personnel working full time on-site at NRC Headquarters read the NRC's OEP, provided electronically on the NRC Intranet at http://www.internal.nrc.gov/ADM/OEP.pdf. The Contractor also shall emphasize to each staff member that they are to be familiar with and guided by the OEP, as well as by instructions given by emergency response personnel in situations which pose an immediate health or safety threat to building occupants.

The COR shall ensure that the Contractor has communicated the requirement for on-site Contractor staff to follow the guidance in the OEP. The COR also will assist in accounting for on-site contract persons in the event of a major emergency (e.g., explosion occurs and casualties or injuries are suspected) during which a full evacuation will be required, including the assembly and accountability of occupants. The NRC DFS will conduct drills periodically to train occupants and assess these procedures.

SECURITY REQUIREMENTS FOR INFORMATION TECHNOLOGY LEVEL I OR LEVEL II ACCESS APPROVAL (JUL 2016)

The Contractor must identify all individuals selected to work under this contract. The COR shall make the final determination of the level, if any, of IT access approval required for all individuals working under this contract/order using the following guidance. The Government shall have full and complete control and discretion over granting, denying, withholding, or terminating IT access approvals for Contractor personnel performing work under this contract/order.

The Contractor shall conduct a preliminary security interview or review for each employee requiring IT level I or II access and submit to the Government only the names of candidates that have a reasonable probability of obtaining the level of IT access approval for which the employee has been proposed. The Contractor shall pre-screen its applicants for the following:

(a) felony arrest in the last seven (7) years; (b) alcohol related arrest within the last five (5) years; (c) record of any military courts-martial convictions in the past ten (10) years; (d) illegal use or possession of narcotics or other controlled substances in the past year, or illegal purchase, production, transfer, or distribution of narcotics or other controlled substances in the last seven (7) years; and (e) delinquency on any federal debts or bankruptcy in the last seven (7) years.

The Contractor shall make a written record of its pre-screening interview or review (including any information to mitigate the responses to items listed in (a) - (e)), and have the employee verify the pre-screening record or review, sign and date it. The Contractor shall supply two (2) copies of the signed Contractor's pre-screening record or review to the COR, who will then provide them to the NRC Office of Administration, Division of Facilities and Security, Personnel Security Branch with the employee’s completed IT access application package.

The Contractor shall further ensure that its personnel complete all IT access approval security applications required by this clause within fourteen (14) calendar days of notification by the COR of initiation of the application process. Timely receipt of the properly completed pre-screening record and IT access approval applications (submitted for candidates that have a reasonable probability of obtaining the level of security assurance necessary for access to NRC's IT systems/data) is a requirement of this contract/order. Failure of the Contractor to comply with this requirement may be a basis to terminate the contract/order for cause, or to offset from the contract's invoiced cost or price the NRC's incurred costs or delays as a result of inadequate pre-screening by the Contractor.

SECURITY REQUIREMENTS FOR IT LEVEL I

Performance under this contract will involve Contractor personnel who perform services requiring direct access to or operation of agency sensitive information technology systems or data (IT Level I). The IT Level I involves responsibility for: (a) the planning, direction, and implementation of a computer security program; (b) major responsibility for the direction, planning, and design of a computer system, including hardware and software; (c) the capability to access a computer system during its operation or maintenance in such a way that could cause or that has a relatively high risk of causing grave damage; or (d) the capability to realize a significant personal gain from computer access.

Contractor personnel shall not have access to sensitive information technology systems or data until they are approved by DFS/PSB and they have been so informed in writing by the COR. Temporary IT access may be approved by DFS/PSB based on a favorable review or adjudication of their security forms and checks. Final IT access may be approved by DFS/PSB based on a favorable review or adjudication of a completed background investigation. However, temporary access authorization approval will be revoked and the employee may subsequently be denied IT access in the event the employee's investigation cannot be favorably adjudicated. Such an employee will not be authorized to work under any NRC contract/order requiring IT access without the approval of DFS/PSB, as communicated in writing to the Contractor by the COR. Where temporary access authorization has been revoked or denied by DFS/PSB, the Contractor shall assign another Contractor person to perform the necessary work under this contract/order without delay to the contract/order performance schedule, or without adverse impact to any other terms or conditions of the contract/order. When an individual receives final IT access approval from DFS/PSB, the individual will be subject to a reinvestigation every ten (10) years thereafter (assuming continuous performance under contracts/orders at NRC) or more frequently in the event of noncontinuous performance under contracts/orders at NRC.

CORs are responsible for submitting the completed access/clearance request package, as well as any other necessary documentation, to DFS/PSB. The Contractor shall submit a completed security forms packet, including the OPM Standard Form (SF) 86 (online Questionnaire for National Security Positions), two (2) copies of the Contractor's signed pre-screening record, and two (2) FD 258 fingerprint charts, to DFS/PSB for review and adjudication, prior to the individual being authorized to perform work under this contract/order requiring access to sensitive information technology systems or data. Non-U.S. citizens must provide official documentation to the DFS/PSB, as proof of their legal residency. This documentation can be a Permanent Resident Card, Temporary Work Visa, Employment Authorization Card, or other official documentation issued by the U.S. Citizenship and Immigration Services. Any applicant with less than seven (7) years residency in the U.S. will not be approved for IT Level I access. The Contractor shall submit the documents to the COR who will give them to DFS/PSB. The Contractor shall ensure that all forms are accurate, complete, and legible. Based on DFS/PSB review of the Contractor person's security forms and/or the receipt of adverse information by NRC, the Contractor individual may be denied access to NRC facilities and sensitive information technology systems or data until a final determination is made by DFS/PSB. The COR will thereafter communicate DFS/PSB's determination of the Contractor person's eligibility to the Contractor.

In accordance with NRCAR 2052.204-70 "Security," IT Level I Contractors shall be subject to the attached NRC Form 187 and SF-86. Together, these furnish the basis for providing security requirements to Contractors that have or may have an NRC contractual relationship which requires access to or operation of agency sensitive information technology systems, remote development and/or analysis of sensitive information technology systems or data, or other access to such systems and data; access on a continuing basis (in excess of 30 calendar days) to NRC buildings; or otherwise requires issuance of an unescorted NRC badge.

SECURITY REQUIREMENTS FOR IT LEVEL II

Performance under this contract will involve Contractor personnel that develop and/or analyze sensitive information technology systems or data or otherwise have access to such systems or data (IT Level II).

The IT Level II involves responsibility for the planning, design, operation, or maintenance of a computer system and all other computer or IT positions.

Contractor personnel shall not have access to sensitive information technology systems or data until they are approved by DFS/PSB and they have been so informed in writing by the COR. Temporary access may be approved by DFS/PSB based on a favorable review of their security forms and checks. Final IT access may be approved by DFS/PSB based on a favorable adjudication. However, temporary access authorization approval will be revoked and the Contractor employee may subsequently be denied IT access in the event the employee's investigation cannot be favorably adjudicated. Such an employee will not be authorized to work under any NRC contract/order requiring IT access without the approval of DFS/PSB, as communicated in writing to the Contractor by the COR. Where temporary access authorization has been revoked or denied by DFS/PSB, the Contractor is responsible for assigning another Contractor person to perform the necessary work under this contract/order without delay to the contract/order performance schedule, or without adverse impact to any other terms or conditions of the contract/order. When a Contractor person receives final IT access approval from DFS/PSB, the individual will be subject to a review or reinvestigation every ten (10) years (assuming continuous performance under contract/order at NRC) or more frequently in the event of noncontinuous performance under contract/order at NRC.

CORs are responsible for submitting the completed access/clearance request package, as well as any other necessary documentation, to DFS/PSB. The Contractor shall submit a completed security forms packet, including the OPM Standard Form (SF) 86 (online Questionnaire for National Security Positions), two (2) copies of the Contractor's signed pre-screening record and two (2) FD 258 fingerprint charts, to DFS/PSB for review and adjudication, prior to the Contractor person being authorized to perform work under this contract/order. Non-U.S. citizens must provide official documentation to the DFS/PSB, as proof of their legal residency. This documentation can be a Permanent Resident Card, Temporary Work Visa, Employment Authorization Card, or other official documentation issued by the U.S. Citizenship and Immigration Services. Any applicant with less than seven (7) years residency in the U.S. will not be approved for IT Level II access. The Contractor shall submit the documents to the NRC Contracting Officer's Representative (COR) who will give them to DFS/PSB. The Contractor shall ensure that all forms are accurate, complete, and legible. Based on DFS/PSB review of the Contractor personnel security forms and/or the receipt of adverse information by NRC, the Contractor employee may be denied access to NRC facilities, sensitive information technology systems or data until a final determination is made by DFS/PSB regarding the Contractor person's eligibility.

In accordance with NRCAR 2052.204-70 "Security," IT Level II Contractors shall be subject to the attached NRC Form 187, SF-86, and Contractor's record of the pre-screening. Together, these furnish the basis for providing security requirements to Contractors that have or may have an NRC contractual relationship which requires access to or operation of agency sensitive information technology systems, remote development and/or analysis of sensitive information technology systems or data, or other access to such systems or data; access on a continuing basis (in excess of 30 calendar days) to NRC buildings; or otherwise requires issuance of an unescorted NRC badge.

CANCELLATION OR TERMINATION OF IT ACCESS/REQUEST

When a request for IT access is to be withdrawn or canceled, the Contractor shall immediately notify the COR by telephone so that the access review may be promptly discontinued. The notification shall contain the full name of the Contractor employee and the date of the request. Telephone notifications must be promptly confirmed by the Contractor in writing to the COR, who will forward the confirmation to DFS/PSB. Additionally, the Contractor shall immediately notify the COR in writing, who will in turn notify DFS/PSB, when a Contractor person no longer requires access to NRC sensitive automated information technology systems or data, including the voluntary or involuntary separation of employment of a Contractor person who has been approved for or is being processed for IT access.

The Contractor shall flow the requirements of this clause down into all subcontracts and agreements with consultants for work that requires them to access NRC IT resources.

SECURITY REQUIREMENTS FOR BUILDING ACCESS APPROVAL (SEP 2013)

The Contractor shall ensure that all its employees, subcontractor employees or consultants who are assigned to perform the work herein for contract performance for periods of more than 30 calendar days at NRC facilities, are approved by the NRC for unescorted NRC building access.

The Contractor shall conduct a preliminary federal facilities security screening interview or review for each of its personnel, subcontractor personnel, and consultants and submit to the NRC only the names of candidates for contract performance that have a reasonable probability of obtaining approval necessary for access to NRC's federal facilities. The Contractor shall pre-screen its applicants for the following:

(a) felony arrest in the last seven (7) years; (b) alcohol related arrest within the last five (5) years; (c) record of any military courts-martial convictions in the past ten (10) years; (d) illegal use or possession of narcotics or other controlled substances in the past year, or illegal purchase, production, transfer, or distribution of narcotics or other controlled substances in the last seven (7) years; and (e) delinquency on any federal debts or bankruptcy in the last seven (7) years.

The Contractor shall make a written record of its pre-screening interview or review (including any information to mitigate the responses to items listed in (a) - (e)), and have the applicant verify the pre-screening record or review, sign and date it. Two (2) copies of the pre-screening signed record or review shall be supplied to the Division of Facilities and Security, Personnel Security Branch (DFS/PSB) with the Contractor employee's completed building access application package.

The Contractor shall further ensure that its personnel, any subcontractor personnel and consultants complete all building access security applications required by this clause within fourteen (14) calendar days of notification by DFS/PSB of initiation of the application process. Timely receipt of the properly completed and signed pre-screening record or review and building access security applications (submitted for candidates that have a reasonable probability of obtaining the level of access authorization necessary for access to NRC's facilities) is a contract requirement. Failure of the Contractor to comply with this contract administration requirement may be a basis to cancel the award, or terminate the contract for default, or offset from the contract's invoiced cost or price the NRC's incurred costs or delays as a result of inadequate pre-screening by the Contractor. In the event of cancellation or termination, the NRC may select another firm for contract award.

A Contractor person, subcontractor person or consultant shall not have access to NRC facilities until he/she is approved by DFS/PSB. Temporary access may be approved based on a favorable NRC review and discretionary determination of their building access security forms. Final building access will be approved based on favorably adjudicated checks by the Government. However, temporary access approval will be revoked and the Contractor's employee may subsequently be denied access in the event the employee's investigation cannot be favorably determined by the NRC. Such an employee will not be authorized to work under any NRC contract requiring building access without the approval of DFS/PSB. When an individual receives final access, the individual will be subject to a review or reinvestigation every five (5) or ten (10) years, depending on their job responsibilities at the NRC.

The Government shall have and exercise full and complete control and discretion over granting, denying, withholding, or terminating building access approvals for individuals performing work under this contract. Individuals performing work under this contract at NRC facilities for a period of more than 30 calendar days shall be required to complete and submit to the Contractor representative an acceptable OPM Standard Form 85 (Questionnaire for Non-Sensitive Positions), and two (2) FD 258 (Fingerprint Charts). Non-U.S. citizens must provide official documentation to the DFS/PSB, as proof of their legal residency. This documentation can be a Permanent Resident Card, Temporary Work Visa, Employment Authorization Card, or other official documentation issued by the U.S. Citizenship and Immigration Services. Any applicant with less than five (5) years residency in the U.S. will not be approved for building access. The Contractor shall submit the documents to the COR who will give them to DFS/PSB.

DFS/PSB may, among other things, grant or deny temporary unescorted building access approval to an individual based upon its review of the information contained in the OPM Standard Form 85 and the Contractor's pre-screening record. Also, in the exercise of its authority, the Government may, among other things, grant or deny permanent building access approval based on the results of its review or investigation. This submittal requirement also applies to the officers of the firm who, for any reason, may visit the NRC work sites for an extended period of time during the term of the contract. In the event that DFS/PSB is unable to grant a temporary or permanent building access approval to any individual performing work under this contract, the Contractor is responsible for assigning another individual to perform the necessary function without any delay in the contract's performance schedule, or without adverse impact to any other terms or conditions of the contract. The Contractor is responsible for informing those affected by this procedure of the required building access approval process (i.e., temporary and permanent determinations), and the possibility that individuals may be required to wait until permanent building access approvals are granted before beginning work in NRC's buildings.

CANCELLATION OR TERMINATION OF BUILDING ACCESS/ REQUEST

The Contractor shall immediately notify the COR when a Contractor or subcontractor person's or consultant's need for NRC building access approval is withdrawn or when a Contractor employee's need for building access terminates. The COR will immediately notify DFS/PSB (via e-mail) when a Contractor person no longer requires building access. The Contractor shall be required to return any NRC issued badges to the COR for return to DFS/FSB (Facilities Security Branch) within three (3) days after their termination.

USE OF AUTOMATED CLEARING HOUSE (ACH) ELECTRONIC PAYMENT/ REMITTANCE ADDRESS

The Debt Collection Improvement Act of 1996 requires that all Federal payments except IRS tax refunds be made by Electronic Funds Transfer. It is the policy of the Nuclear Regulatory Commission to pay government vendors by the Automated Clearing House (ACH) electronic funds transfer payment system. (End of Clause)

NRC ACQUISITION REGULATION (NRCAR) PROVISIONS AND CLAUSES (AUG 2011)

Applicable NRCAR provisions and clauses located in 48 CFR Chapter 20 are hereby incorporated by reference into this contract/order. (End of Clause)

ELECTRONIC PAYMENT (DEC 2017)

The Debt Collection Improvement Act of 1996 requires that all payments except IRS tax refunds be made by Electronic Funds Transfer. Payment shall be made in accordance with FAR 52.232-33, entitled “Payment by Electronic Funds Transfer-System for Award Management.” To receive payment, the contractor shall prepare invoices in accordance with NRC’s Billing Instructions. Claims shall be submitted through the Invoice Processing Platform (IPP) (https://www.ipp.gov/). Back up documentation shall be included as required by the NRC’s Billing Instructions. (End of Clause)

BILLING INSTRUCTIONS FOR TIME-AND-MATERIALS/LABOR-HOUR TYPE CONTRACTS (AUG 2017)

General: During performance and through final payment of this contract, the contractor is responsible for the accuracy and completeness of data within the System for Award Management (SAM) database and the Invoice Processing Platform (IPP) system and for any liability resulting from the Government’s reliance on inaccurate or incomplete SAM and/or IPP data.

The contractor shall prepare invoices/vouchers for payment of deliverables identified in the contract, in the manner described herein. FAILURE TO SUBMIT INVOICES IN ACCORDANCE WITH THESE INSTRUCTIONS MAY RESULT IN REJECTION OF THE INVOICE AS IMPROPER.

Electronic Invoice/Voucher Submissions: Invoices/vouchers shall be submitted electronically to the U.S. Nuclear Regulatory Commission (NRC) through the Invoice Processing Platform (IPP) at www.ipp.gov.

Agency Payment Office: Payment will be made by the office designated in the contract in Block 12 of the Standard Form 26, or Block 25 of the Standard Form 33, whichever is applicable.

Frequency: The contractor shall submit invoices at least once each month.

Supporting Documentation: Any supporting documentation required to substantiate the amount billed shall be included as an attachment to the invoice created in IPP. If the necessary supporting documentation is not included, the invoice will be rejected.

Billing of Costs after Expiration of Task Order: If costs are incurred during the contract period and claimed after the contract has expired, you must cite the period during which these costs were incurred. To be considered a proper expiration invoice/voucher, the contractor shall clearly mark it "EXPIRATION INVOICE" or “EXPIRATION VOUCHER".

Final invoices/vouchers shall be marked "FINAL INVOICE" or "FINAL VOUCHER".

Currency: Invoices/Vouchers must be expressed in U.S. Dollars.

Does my company need to register in IPP?

If your company is currently registered in IPP and doing business with other Federal Agencies in IPP, you will not be required to re-register.

If your company is not currently registered in IPP, please note the following:

● You will be receiving an invitation to register for IPP from IPP Customer Support, [email protected].

● IPP Customer Support will send you two emails: the first email will contain the initial administrative IPP User ID and the second email, sent within 24 hours of receipt of the first email, will contain a temporary password.

● Please add the Customer Support email address ([email protected]) to your address book so you do not disregard these emails or mistake them for spam.

● During registration, one initial administrative user account will be created for your company and this user will be responsible for setting up all other user accounts including other administrators.

● Registration is complete when the initial administrative user logs into the IPP web site with the User ID and password provided by Treasury and accepts the rules of behavior.

What type of training is provided?

Vendor training materials, including a first time login tutorial, user guides, a quick reference guide, and frequently asked questions are available on Treasury’s IPP website. Individuals within your company responsible for submitting invoices should review these materials before work begins on the contract.

How do I receive assistance with IPP?

Treasury’s IPP Customer Support team provides vendor assistance related to the IPP application, and is also available to assist IPP users and to answer any questions related to accessing IPP or completing the registration process. IPP application support is also available via phone at (866) 973-3131, Monday through Friday from 8:00 am to 6:00 pm ET, and via email at [email protected].

Specific questions regarding your contract or task order should be directed to the appropriate NRC Contracting Officer.

INVOICE/VOUCHER FOR PURCHASES AND SERVICES OTHER THAN PERSONAL (SAMPLE FORMAT – INVOICE ATTACHMENT)

a. Billing period. Insert the beginning and ending dates (day, month, year) of the period during which costs were incurred and for which reimbursement is requested.

b. Labor Hours Expended. Provide a general summary description of the services performed and associated labor hours utilized during the invoice period. Specify the Contract Line Item Number (CLIN) or SubCLIN, as applicable, and information pertaining to the contract’s labor categories/positions, and corresponding authorized hours.

c. Direct Costs. Insert the amount billed for the following cost elements, adjustments, suspensions, and total amounts, for both the current billing period and for the cumulative period (from contract inception to end date of this billing period).

1. Direct (Burdened) Labor. This consists of salaries and wages paid (or accrued) for direct performance of the contract itemized, including a burden (or load) for indirect costs (i.e., fringe, overhead, General and Administrative, as applicable), and profit component, as follows:

Labor Category | Hours Billed | Burdened Hourly Rate | Total | Cumulative Hours Billed

2. Travel. Total costs associated with each trip must be shown in the following format:

Start Date (From / To) | Destination (From / To) | Costs ($)

(Must include separate detailed costs for airfare, per diem, and other transportation expenses. All costs must be adequately supported by copies of receipts or other documentation.)

d. Total Amount Billed. Insert columns for total amounts for the current and cumulative periods.

e. Adjustments. Insert columns for any adjustments, including outstanding suspensions for unsupported or unauthorized hours or costs, for the current and cumulative periods.

f. Grand Totals.

3. Sample Invoice/Voucher Information (to be included as an attachment)

Sample Invoice/Voucher Information (Supporting Documentation must be attached)

This invoice/voucher represents reimbursable costs for the billing period from ________ through ________.

Amount Billed | Current Period | Cumulative

(a) Direct Costs

(1) Direct burdened labor $______$______

(2) Travel $______$______

Total Direct Costs: $______$______

(b) Total Amount Billed $______$______

(c) Adjustments (+/-) $______$______

(d) Grand Total $______$______

(The invoice/voucher format provided above must include information similar to that included below in the following to ensure accuracy and completeness.)

SAMPLE SUPPORTING INFORMATION

The budget information provided below is for format purposes only and is illustrative.

Cost Elements:

1) Direct Burdened Labor - $4,800

Labor Category | Hours Billed | Burdened Rate | Total | Cumulative Hours Billed
Senior Engineer I | 100 | $28.00 | $2,800 | 975
Engineer | 50 | $20.00 | $1,000 | 465
Computer Analyst | 100 | $10.00 | $1,000 | 320
Total | | | $4,800 | 1,760 hrs.

Burdened labor rates must come directly from the contract.

2) Travel - $2,640

(i) Airfare: (2 Roundtrip trips for 1 person @ $300 per r/t ticket)

Start Date | End Date | Days | From | To | Cost
4/1/2011 | 4/7/2011 | 7 | Philadelphia, PA | Wash, D.C. | $300
7/1/2011 | 7/8/2011 | 8 | Philadelphia, PA | Wash, D.C. | $300

(ii) Per Diem: $136/day x 15 days = $2,040

Total Amount Billed $99,580

Adjustments (+/-) - 0

Grand Total $99,580

ATTACHMENTS:

ATTACHMENT 1 – Price/Cost Schedule

ATTACHMENT 2 – MAP QASP

ATTACHMENT 3 – Application Lifecycle Management (ALM)

ATTACHMENT 4 – Performance Work Statement (PWS)

ATTACHMENT 5 – Master Data Management (MDM) Integrated System Diagram

ATTACHMENT 6 – SF187

ATTACHMENT 1: Price/Cost Schedule

Base Period

Item No. | Description | Fixed Hourly Rate
00001 | Product Manager/Scrum Master |
00002 | Business Analyst |
00003 | User Researcher |
00004 | UX Lead/Visual Designer |
00005 | Data Scientist/Technical Lead |
00006 | BI Engineer |
00007 | Data Engineer |
00008 | DevOps Engineer |

Base Period Ceiling Price $1,091,332.25

Option Period 1

Item No. | Description | Fixed Hourly Rate
10001 | Product Manager/Scrum Master |
10002 | Business Analyst |
10003 | User Researcher |
10004 | UX Lead/Visual Designer |
10005 | Data Scientist/Technical Lead |
10006 | BI Engineer |
10007 | Data Engineer |
10008 | DevOps Engineer |

Option Period 1 Ceiling Price $1,059,997.13

Option Period 2

CLIN | Project Title | Fixed Hourly Rate
20001 | Product Manager/Scrum Master |
20002 | Business Analyst |
20003 | User Researcher |
20004 | UX Lead/Visual Designer |
20005 | Data Scientist/Technical Lead |
20006 | BI Engineer |
20007 | Data Engineer |
20008 | DevOps Engineer |

Option Period 2 Ceiling Price $847,176.84

Total Ceiling Price for Base Period and Option Periods: $2,998,486.22

Attachment 2 Mission Analytics Portal (MAP) Deliverables with Quality Assurance Surveillance Plan (QASP)

The following chart sets forth the performance standards and quality levels that the code and documentation delivered by the contractor shall meet, and the methods the NRC may use to assess the standard and quality level of that code and documentation.

Deliverable | Performance Standard(s) | Acceptable Quality Level | Method of Assessment

Deliverable: Tested Code
Performance Standard(s): Code delivered under the order must have substantial test coverage. Version-controlled Agency Git / Bitbucket repository of code that comprises the product, which will remain in the government domain.
Acceptable Quality Level: Minimum of 90% test coverage of all code. All areas of code written are meaningfully tested.
Method of Assessment: Combination of manual review and automated testing; written feedback to the contractor by the COR after the assessment is completed.

Deliverable: Properly Styled Code
Performance Standard(s): GSA 18F Front-End Guide.
Acceptable Quality Level: 0 linting errors and 0 warnings.
Method of Assessment: Combination of manual review and automated testing; written feedback to the contractor by the COR after the assessment is completed.

Deliverable: Accessible
Performance Standard(s): Web Content Accessibility Guidelines 2.1 AA standards.
Acceptable Quality Level: 0 errors reported using an automated scanner and 0 errors reported in manual testing.
Method of Assessment: https://github.com/pa11y/pa11y; written feedback to the contractor by the COR after the assessment is completed.

Deliverable: Deployed
Performance Standard(s): Code must successfully build and deploy into the staging environment.
Acceptable Quality Level: Successful build with a single command.
Method of Assessment: Combination of manual review and automated testing; written feedback to the contractor by the COR after the assessment is completed.

Deliverable: Documented
Performance Standard(s): All dependencies are listed, and the licenses are documented. Major functionality in the software/source code is documented. Individual methods are documented inline in a format that permits the use of tools such as JSDoc. System diagram is provided.
Acceptable Quality Level: Combination of manual review and automated testing, if available.
Method of Assessment: Manual review; written feedback to the contractor by the COR after the assessment is completed.

Deliverable: Secure
Performance Standard(s): OWASP Application Security Verification Standard 3.0.
Acceptable Quality Level: Code submitted must be free of medium- and high-level static and dynamic security vulnerabilities.
Method of Assessment: Clean tests from a testing SaaS (such as Veracode), along with documentation explaining any false positives; written feedback to the contractor by the COR after the assessment is completed.

Deliverable: User research
Performance Standard(s): Usability testing and other user research methods must be conducted at regular intervals throughout the development process (not just at the beginning or end).
Acceptable Quality Level: Research plans and artifacts from usability testing and/or other research methods with end users are available at the end of every applicable sprint.
Method of Assessment: The NRC will manually evaluate the artifacts based on a research plan provided by the vendor at the end of the second sprint and every applicable sprint thereafter; written feedback to the contractor by the COR after the assessment is completed.

[Figure: Master Data Management (MDM) Integrated System Diagram. Providers (NRR, NMSS, OCHCO, OCIO, OCFO, NRO, NSIR, OE, OI) and subscribers (OCFO, RRPS, CACS, HRMS, Time & Labor, Payroll, FAIMIS, EPM, ADAMS, HOODB, EATS, PMNS, CMS, AMS) exchange data through MDMS interfaces: create/update/request of EPIDs (via API), Dockets (30, 40, 50, 52, 70, 99), CACs reference data, fee categories and fee billing, employee and organization data (HRMS, FPPS, EDMS, EIH), employee assignments and approving officials, pay period information, labor hour reporting and labor costing strings, a view of labor data, BL/PL/Product data, reporting data, and General Ledger. Non-MDMS interfaces are also shown.]

NRC Application Lifecycle Management (ALM) Tools Overview

[Figure: ALM tools overview]

1. Track & Plan: Jira
2. Source Control Management: Bitbucket/Git
3. Build: Bamboo
4. Deploy (CI/CD Pipeline): Octopus Deploy
5. Functional Test: Selenium / Ranorex

Phased Implementation Approach

Phase 1: Jira, Bitbucket, Bamboo, Octopus Deploy

Phase 2: JMeter, Selenium, Ranorex

Phase 3: Confluence

Descriptions of the Network Environments

DEV (EDTE)

• Development environment for applications and systems, as well as evaluation environment of new technologies or technology upgrades.
• Isolated behind the firewall with limited connectivity to the Production network.
• Starting point for the development of new code with developers working both remotely and on the network.
• Application Changes “does not” require a CRQ.

Integration

• Test Environment where new applications and updates to existing applications are assessed via , , system testing, etc.
• Access is restricted to developers and application administrators.
• Minor modifications to custom code or changes to OS configuration are made here to ensure the software functions as expected before deploying to UAT.
• Application changes require a “Standard” CRQ.

UAT

• Formerly known as Pre-Prod; used for user acceptance testing of new or updated application releases.
• Access is opened to developers, application administrators and selected NRC users.
• Monthly security patch deployments are first evaluated on servers in this environment before implementation on NRC Production network servers.
• Application Changes require a “Normal” CRQ.

Production

• New custom or existing software releases that have successfully completed user acceptance testing in the UAT environment are deployed on Production network servers.
• Application Changes require a “Normal” CRQ.

Performance Work Statement

C.1. Background

The reactor safety program has an intensely manual workload management and data retrieval process, resulting from too many disparate systems. This limits data analysis, performance management, and stakeholders’ access to consistent, timely information. This is rooted in uncoordinated business processes that can only produce static, custom reports on an ad hoc basis. The current Office of Nuclear Reactor Regulation (NRR) and the Office of New Reactors (NRO) will be re-merging in October 2019. This reorganization will enable the re-formed NRR to improve workload management, data analytics, and decision-making information service delivery for employees, customers, and stakeholders that relies on a consistent approach that unifies analytics framework, tools, and methodologies.

The NRC has established a Master Data Management (MDM) program to ensure that the agency mission critical systems and staff have timely access to data collected, stored, and processed across the enterprise. The implementation of the MDM System (MDMS) helped reduce ambiguous sources and eliminate the storage of duplicate information. The system provides controls to improve the completeness and quality of the data, including the establishment of stewards for key data; and provides an enterprise- wide foundation for information sharing and exchange.

C.2. Objective

The objective of this acquisition is to acquire Contractor services to improve reactor safety program data analytics and decision support to better serve internal and external stakeholders in a way that is harmonized across the mission area.

C.3. Scope of Work

The scope of this action is to improve reactor safety program data analytics and decision support to better serve internal and external stakeholders in a way that is harmonized across the mission area. The agency plans to continue to iterate, adding subsequent mission areas, based on the outcome of this initial focus area.

The scope of the resulting contract will include all deliverables and due dates necessary to achieve the desired outcomes of the contract. The contractor is required to provide all required services (e.g., personnel, equipment, materials) to complete deliverables and ensure successful contract implementation and ultimate attainment of the objective(s). The quality assurance surveillance plan (QASP) is included as an attachment to this task order.

The following summarizes key areas of requirements:

● Master Data Management (MDM): there are numerous data types and data sources that cover a complex data workflow, which must be managed through an appropriate governance framework and technical architecture.

● Data Retrieval and Consolidation: data should be combined into a centralized reporting data warehouse as real-time as possible to include historical and planned/forecasted data. Furthermore, the data is highly distributed across various plants and fleets, necessitating an appropriate data consolidation architecture.

● Automated Reports: there are a wide range of personas and needs for reports, which should be fast, automated, and convenient. Ideally, these should be accessible through the Web but be able to be exported to file so the reports can be shared, printed, and used in off-line workflows. They should include numerous rollups and support general trend analysis.

● Custom Reports: a number of users require the ability to build and access a broad range of data elements through custom reports. The goal is that these reports be actionable - they should meet a specific operational or decision-point need and allow users to act on the information. In fact, they should support the ability to address emerging and unknown needs. Ideally the data is available through a dashboard that allows drill-down and is supported by a report builder.

● Search: data is distributed across disparate data sources requiring linking, aggregation, deduplication, and reconciliation. This process should work with coded data elements and be real-time and flexible.

The contractor shall refine this understanding through a comprehensive approach to human-centered design where we will seek to understand user needs and pain points through user research.

C.3.1. Tasks/Services

The contractor shall provide all the resources necessary (personnel, equipment and material) to accomplish the tasks and deliverables described in this Performance Work Statement (PWS).

C.3.1.1. Human-centered Design Approach

Our approach will be to follow a systematic process to user research, interaction design, and visual design. This aligns closely with the USDS playbook, which dedicates the first three plays to this: (1) understand what people need, (2) address the whole experience from start to finish, and (3) make it simple and intuitive.

User Research: In alignment with USDS Playbook play number 1, we must first “understand what people need” and “continually test the products we build with real people.” At the project’s onset, we will partner closely with the COR and their designees and review all the user research that has been done to date. NRC has already identified a core set of personas and user needs, and the contractor shall work from those. To ensure a successful engagement, the contractor shall work in close collaboration with the COR and their designees to understand and document the needs for users across these personas. The contractor shall:

1. Create a User Research Plan, which outlines the general scope/problem it is trying to understand, the user research team, the stakeholders and users that it will interview, and the general schedule for this.

2. Draft a Discussion Guide, which outlines the questions that will be asked of the users, such as the goals they are trying to achieve, how the current systems and data are not sufficient, the types of reports and visualizations they would find most useful, and how they would use that information to accomplish work.

3. Perform the User Interviews following the discussion guide, which are recorded so that the contractor can refer to them.

4. Present Insights that provide key direction on how the reports and dashboards should be designed and what data should be collected into the central data warehouse. The contractor shall also seek to understand the nature of the data, how frequently it changes, whether there are quality issues, etc.

5. Create Wireframes, Mockups, and Clickable Prototypes to translate the insights into tangible visualizations that are presented to stakeholders and users for further feedback.

The contractor shall iterate on user interviews, insights, and wireframes/mockups/prototypes until we have gathered enough information to begin implementation. At this point, the contractor shall continue the user research approach in parallel with implementation, feeding the backlog and ensuring we begin to continuously deliver the solution.

Development of User Personas: The contractor starts the user-centered design approach by creating personas representing users. NRC has already identified numerous core personas: Division Director, Fee Policy Analyst, Budget Analyst, Office Director, Manager, Chief Financial Officer, Project Manager, Reactor Engineer, Technical Reviewer, Division Director, Branch Chief, Technical Branch Chief, Technical Assistant, Regional Project Engineer, Operating Experience Engineer, Regional Inspector/Manager, Inspector Lead, NRC Employee, and Fee Validator. The contractor shall continue to develop these personas to guide decisions about product features, navigation, interactions, and visual design. From interviews with real people, the contractor shall capture each persona as a one to two-page description that includes behavior patterns, goals, skills, attitudes and environment, with a few fictional personal details to bring the persona to life. The contractor shall find personas useful to help create a common shared understanding of the user group around which the contractor builds the design process. In addition, the contractor shall use personas to prioritize design considerations through the context of what the user needs and what functions are simply nice to have. Finally, personas provide us a human face and existence to a diversified and scattered user group. The contractor shall further elaborate these personas as part of this work.

Usability Sessions: Usability sessions can take different forms depending on the maturity of the designs and goals of the sessions. For designs that are in early stages (wireframes, mockups), the research and design team will meet with users and/or stakeholders and present the draft designs for initial impressions and feedback. The contractor shall ask prompting questions about the usability of the system, such as “What do you think this button will do?” and “How do you think you would achieve XYZ?” Usability successes and issues will be documented in meeting notes and incorporated into the props as quickly as possible. For designs that are in the later stages (prototypes, implemented application), the contractor shall provide the prop to the users and/or stakeholders and ask them to achieve some functional goal within the system. The contractor shall observe and identify/document usability successes and issues (e.g., when the user seems stumped on how to proceed, when the user is hunting, or when the user asks our research and design team to explain some aspect of the system).

Analytics and Reporting HCD Delivery: The following key steps apply:

(1) Gather requirements: The contractor shall gather requirements from users in alignment with USDS Play 1 “Understand what people need”. This includes information types, ideas on visualization, and key data elements. We keep in mind that data is produced and used outside of the NRC systems in alignment with USDS Play 2 “Address the whole experience, from start to finish”.

(2) Investigate data sources: The contractor shall explore the source data to understand the volume and nature of the underlying data, creating an initial data element dictionary.

(3) Design and implement data warehouse and data marts: Based on the requirements and the source data, the contractor shall design the data warehouse and if necessary additional data marts.

(4) Implement ELT: The contractor shall build scripts in Airflow that load data from the source into the data lake and then from the data lake into the data warehouse/marts. These scripts shall be automated.

(5) Implement BI Dashboards/Reports: The contractor shall build BI dashboards and reports as soon as the requirements are well understood in alignment with USDS Play 3 “Make it simple and intuitive”.

(6) Implement Custom Dashboard/Reports: For a subset of dashboards and reports, the stakeholders may want a custom, polished interface. The contractor is engaged for building the application.

C.3.1.2. High-level Technical Design

The contractor shall follow an iterative and incremental approach to designing and implementing the MAP, whereby it utilizes user research and government Product Owner prioritization to drive our development work and focus on delivering working software that provides real value to users at the end of each increment. Following are the primary technology components that cover the initial set of stories and that the contractor shall deliver according to the required timeline.

● Amazon Web Services (AWS): The contractor shall establish a secure, private network within AWS to host MAP.

● Tableau

● Amazon Aurora Serverless

● Apache Airflow

● Apache Superset and DKAN

● Amazon Redshift (w/ Spectrum)

● Amazon Elastic Map Reduce (EMR)

The following image depicts the architecture that the contractor shall implement.

Note: The contractor may adjust to accommodate the true state of the infrastructure and any applicable NRC policies. The primary features of the architecture include the following.

● Browser: Viewers and Explorers access dashboards and reports via their browser.

● Tableau Desktop: Creators author dashboards and reports with the Tableau Desktop tool. They then publish these to Tableau Server where they can be accessed by Viewers and Explorers.

● Tableau Server: This server hosts dashboards and reports. Viewers interact with these components through their browsers. In general, all dashboards and reports will be directly backed by data that has been cached as extracts in the Tableau Server data repository and that is refreshed according to the rate of change in source data.

● NRC Data Warehouse: This will serve as the primary data source for Tableau. The contractor assumes that the MAP data engineering team will be responsible for enhancing this data warehouse, designing and building new data marts in alignment with the MDM plan, as described below.

● Aurora: The contractor intends to use this to host data marts that are not available or sufficiently optimized (yet) in the NRC data warehouse and/or are not appropriately addressed by Tableau’s extract/caching capabilities. Data Engineers will construct and populate these data marts using ETL pipelines that run in Airflow.

● Airflow: Data Engineers implement ETL logic in Python. They orchestrate this logic using Airflow DAGs. The Airflow component is dynamically created (using AWS Lambda functions, a serverless technology) only when required; how often depends on the frequency at which each data mart needs to be refreshed.

● MAP AWS Accounts and CI/CD: The diagram above depicts two AWS accounts, MAP PROD and MAP DEV. The former contains the production environment, while the latter contains non-production (i.e. development) environments. As part of our development process, we establish an automated continuous integration/continuous deployment (CI/CD) pipeline, which is responsible for provisioning immutable infrastructure and deploying components to it. The SemanticBits development team works in the MAP DEV account to develop and test changes to infrastructure and pipelines in an environment that mirrors production (see details in the DevSecOps Approach section below). Once validated, those components are deployed to the MAP PROD account via the CI/CD pipeline. All resources in the MAP DEV environment are turned off/destroyed when not in use in order to minimize costs. Separating the two accounts allows administrator-level access to the PROD environment to be strictly limited.

● Availability/Scalability: In order to achieve automated scaling and failover, we will deploy Tableau Server to Linux EC2 instances in a high-availability (HA) configuration. This involves deploying a Tableau Server node in each of three availability zones (AZs) behind a load balancer. The load balancer distributes traffic across the three Tableau Server instances. If one instance goes down, the load balancer automatically directs traffic to the remaining instances. The auto scaling rules ensure that at least one instance is running in each AZ; if an instance goes down, AWS will automatically deploy another. Each availability zone is in a separate physical data center, so an outage in one data center will not affect another. All data will be backed up so as to minimize loss and downtime, according to NRC disaster recovery policies (recovery point and recovery time objectives). We will utilize Aurora Postgres RDS, which handles failover and backup automatically.

● Security: Tableau users will be authenticated against the NRC SAML Identity Provider using Microsoft’s ADFS technology. Authorization policy will be managed within Tableau Server. We assume that all NRC data is categorized at the FIPS 199 “moderate” level. Therefore, we will implement the appropriate security controls for that level, e.g. data encryption in transit and at rest; audit logging, monitoring, and alerting; and use of a hardened baseline operating system image (AMI), including virus scanning and intrusion detection.

● Access to Government Data or IT Systems: The contractor shall require access to 1) the NRC SAML Identity Provider, 2) the NRC Data Warehouse, and 3) any source systems/data sets that the MAP team is responsible for integrating. The way in which MAP components access NRC data sources and systems will depend on NRC network security policies. We have depicted two approaches in the diagram above. In one scenario, MAP components directly access NRC data sources via an IPsec VPN tunnel from the MAP AWS network to the NRC network. (This IPsec approach would also apply if NRC data sources and systems were hosted in another, non-AWS cloud.) In the other scenario, NRC systems periodically push data to the Ingress S3 bucket. Another scenario (not depicted) would be to use Amazon Direct Connect, in which traffic would travel over a dedicated 802.1q VLAN rather than the Internet. Finally, if NRC systems are hosted in another AWS account, we would establish peering connections between VPCs, similar to what is depicted for the MAP DEV environment. The contractor shall work with the NRC networking and security team to select the right approach.

The following paragraphs describe how the above solution addresses the user stories in the SOO.

Master Data Management (MDM): The contractor shall build on NRC’s MDM effort to establish a strong data governance process, which will ensure that all data flows, formats, and related business processes are well documented and that changes to those flows are managed in a coordinated fashion. A key aspect of the data governance effort is to define key terms and business rules in a manner that is consistent across the enterprise.
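The Security bullet above commits the contractor to the FIPS 199 "moderate" baseline controls: encryption in transit and at rest, restricted access, and audit logging, monitoring and alerting. A COR assessing the "Secure" deliverable would want a repeatable check that the MAP PROD and MAP DEV accounts actually carry those settings rather than a statement of intent. The script below is an added example, not part of the task order or of SemanticBits' deliverable; the inventory dictionary layout, the resource names (map-ingress, map-dev-scratch, map-prod-aurora, map-dev-aurora, map-org-trail) and the control labels are assumptions constructed for the example. In practice the dictionaries would be populated from the AWS describe-*/get-* APIs, which this example does not call.

```python
"""Baseline-control check for a MAP-style AWS inventory (added example).

Evaluates S3 buckets, Aurora/RDS clusters and CloudTrail trails against the
controls named in the task order's Security bullet: encryption at rest,
encryption in transit, restricted access and audit logging.  The inventory
format is an assumption made for this example; the dictionaries would
normally be filled from boto3 describe-*/get-* calls, which are not made here.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    resource: str  # resource name or id
    control: str   # which baseline control is not met
    detail: str    # what was observed


def _denies_insecure_transport(policy: dict) -> bool:
    """True if the bucket policy has a Deny statement on aws:SecureTransport == false.

    This is the standard way to force TLS for S3; the dict mirrors IAM policy JSON.
    """
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        bool_cond = stmt.get("Condition", {}).get("Bool", {})
        if str(bool_cond.get("aws:SecureTransport", "")).lower() == "false":
            return True
    return False


def check_s3(bucket: dict) -> list[Finding]:
    """At rest: default SSE.  In transit: TLS-only policy.  Access: public block on."""
    name, findings = bucket["name"], []
    if bucket.get("sse_algorithm") not in ("AES256", "aws:kms"):
        findings.append(Finding(name, "encryption-at-rest", "no default server-side encryption"))
    if not _denies_insecure_transport(bucket.get("policy", {})):
        findings.append(Finding(name, "encryption-in-transit", "policy does not deny non-TLS requests"))
    if bucket.get("public_access_block") is not True:
        findings.append(Finding(name, "access-restriction", "public access block is not enabled"))
    return findings


def check_rds(cluster: dict) -> list[Finding]:
    """At rest: StorageEncrypted.  In transit: TLS enforced (e.g. rds.force_ssl).  Not public."""
    cid, findings = cluster["id"], []
    if not cluster.get("storage_encrypted"):
        findings.append(Finding(cid, "encryption-at-rest", "StorageEncrypted is false"))
    if not cluster.get("require_tls"):
        findings.append(Finding(cid, "encryption-in-transit", "TLS is not enforced on connections"))
    if cluster.get("publicly_accessible"):
        findings.append(Finding(cid, "access-restriction", "cluster is publicly accessible"))
    return findings


def check_cloudtrail(trail: dict) -> list[Finding]:
    """Audit logging must be on, tamper-evident (digest validation) and cover all regions."""
    name, findings = trail["name"], []
    if not trail.get("is_logging"):
        findings.append(Finding(name, "audit-logging", "trail is not logging"))
    if not trail.get("log_file_validation"):
        findings.append(Finding(name, "audit-logging", "log file integrity validation is off"))
    if not trail.get("is_multi_region"):
        findings.append(Finding(name, "audit-logging", "trail does not cover all regions"))
    return findings


def evaluate(inventory: dict) -> list[Finding]:
    """Run every check over the inventory and return all findings (empty means compliant)."""
    findings: list[Finding] = []
    for bucket in inventory.get("s3_buckets", []):
        findings.extend(check_s3(bucket))
    for cluster in inventory.get("rds_clusters", []):
        findings.extend(check_rds(cluster))
    for trail in inventory.get("cloudtrail_trails", []):
        findings.extend(check_cloudtrail(trail))
    return findings


def is_compliant(inventory: dict) -> bool:
    return not evaluate(inventory)


# Constructed sample inventory (placeholder names, not real NRC/MAP resources):
# one compliant and one deficient resource of each type, plus a trail with
# validation switched off.
TLS_ONLY_POLICY = {"Statement": [{
    "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": ["arn:aws:s3:::map-ingress", "arn:aws:s3:::map-ingress/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}

SAMPLE_INVENTORY = {
    "s3_buckets": [
        {"name": "map-ingress", "sse_algorithm": "aws:kms", "policy": TLS_ONLY_POLICY,
         "public_access_block": True},
        {"name": "map-dev-scratch", "sse_algorithm": None, "policy": {},
         "public_access_block": False},
    ],
    "rds_clusters": [
        {"id": "map-prod-aurora", "storage_encrypted": True, "require_tls": True,
         "publicly_accessible": False},
        {"id": "map-dev-aurora", "storage_encrypted": False, "require_tls": False,
         "publicly_accessible": False},
    ],
    "cloudtrail_trails": [
        {"name": "map-org-trail", "is_logging": True, "log_file_validation": False,
         "is_multi_region": True},
    ],
}

if __name__ == "__main__":
    for f in evaluate(SAMPLE_INVENTORY):
        print(f"{f.resource:16} {f.control:22} {f.detail}")
```

Run as a script it lists six findings for the constructed inventory, all on the development-side resources and the trail; the same checks applied to both accounts would make the "Separating the two accounts" claim above verifiable, since a finding on a PROD resource is a baseline deviation rather than a cost-saving shortcut.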
These terms provide the basis for data warehouse dimensions and measures and ensure that the data warehouse provides consistent numbers across all dashboards and reports. We will implement automated data pipelines that support/replace the currently manual processes so that MAP users have the right data, when they needed. Data Retrieval and Consolidation: Through the MDM and data governance process, the contractors data engineering team will enhance the NRC data warehouse to consolidate and integrate all NCR data sets so that they can be queried in a unified and consistent fashion across the enterprise. Our access to specific datasets and IT systems will be driven largely by user research and could include any or all of those listed in the SOO (i.e. RRPS, EPM, CIPIMS, etc.). Traditional data warehouses have suffered from latency issues - preventing “real-time” or “up-to-date” data retrieval. The solution described above will utilize data pipelines to ingest from source systems and update data marts according to the rate of change for each data set. In the future, if required, the contractor could enable query of truly real-time data streams (e.g. event logs, sensors, etc.) using Spark and AWS Kinesis to stream data to the MAP S3 bucket, where it could be queried via Redshift Spectrum. However, the contractor expects that most of the MAP needs for up-to-date data may be addressed through pipelines that run daily or hourly. The Airflow component will be dynamically created on an as-needed/scheduled basis to execute these pipelines, thereby optimizing resource utilization and minimizing cost, while meeting the needs of MAP users for access to up-to-date data. Automated Reports: The contractor understands that MAP users will need access to a range of automated reports that include performance metrics, roll-ups, trend analysis, and forecasting. These reports should be easily accessible through a Web interface and be able to be exported to file (e.g. PDF) and/or printed. 
MAP users in the Viewer role will be able to find and interact with custom reports (e.g. through visual components such as filter controls, drill-downs, etc.) that have been created by users in the Explorer or Creator role. Viewers will access these reports through their desktop or mobile device browsers and use the Tableau Server navigation features to find the reports that are of interest to them. Creators/Explorers are able to design sites within Tableau Server that have full-feature web content and a high degree of usability. This will enable Viewers to efficiently find their reports and save them to file or print them, as needed. Tableau itself provides sophisticated features which Creators/Explorers can use to calculate roll-ups, trend analysis, and forecasting. For scenarios that require more sophisticated machine learning techniques, Data Engineers can utilize Python machine learning libraries (e.g. scikit-learn) within ETL pipelines and expose this information in the data warehouse, where it is available to Tableau.

Custom Reports: MAP users in the Explorer role will be able to use the Tableau Server Web interface to create custom reports from data sources that have been published by Creators. These reports are organized into Workbooks and Sheets that can be shared with other users of the system, including Viewers, according to the authorization policy that has been defined for the Tableau Server. The Tableau “Web Authoring” feature provides a rich, Web-based graphical interface for building custom reports. The drag-and-drop authoring tool allows users to explore the data sources and construct sophisticated visualizations. These visualizations can be organized into sheets and workbooks, or composed onto dashboards and data stories, which provide a narrative that guides the user through multiple visualizations.
In this way, Explorers will be able to address emerging or unknown questions and needs, and have broad access to a unified, integrated view of all NRC data, which they can use to create actionable, custom reports in a timely fashion.

Search: The MAP data warehouse will integrate all the currently disparate NRC data sources into a unified view of real-time/up-to-date data. This will allow users to search and filter the data through the Tableau Web-based interface using uniform, validated identifiers and codes, such as Enterprise Project Identifiers (EPIDs) and Cost Activity Codes (CACs). MAP users in the Viewer and Explorer roles will be able to search and filter the data using visual controls, such as auto-complete boxes, sliders, single- and multi-select drop-down lists, geographical maps, and many more. Users can also define “data alerts”, which will send an alert to the user when some data value in a report passes a given threshold. For example, an NRC Project Manager could be notified when a contractor’s hours in some category exceed a given limit. In addition to searching/filtering the data itself, Tableau provides search and filter capability for the web content that is created within a site by Explorers and Creators, i.e. dashboards, workbooks, and data stories. This allows users to quickly navigate to find the reports they need.

Data Warehouse Design and Implementation

The contractor shall design the data warehouse to include the following logical layers.

● Source Layer: Represents a fully validated, aligned, unified view of all NRC historical data from source systems of record, at the finest level of granularity, and following third normal form. This includes all reference datasets, such as terminologies/taxonomies and lookup tables. Typically, only advanced users and data scientists (i.e. Creators) have live access to this layer, while data engineers are responsible for building the ETL pipelines that populate this layer.
● Data Marts Layer: Most users will have access to specific data marts, which are higher-level views of NRC data that have been optimized for a specific analytical or reporting purpose. They are a critical part of the data governance process in that they encapsulate the validation and business logic that is involved in calculating key performance indicators. The data marts are constructed from more finely grained data in the source layer.

The contractor shall follow a standard, repeatable, iterative process for integrating each new dataset. This process includes the following high-level steps:

Step 1: Business Analysis: The contractor's first step is to understand the most important business processes and key performance indicators. This involves several highly interactive meetings with the product owner and subject matter experts. We model this process using workflow and data flow diagrams and record important business rules. This step also includes working with data providers, such as RRPS, EPM, CIPIMS, etc., to do high-level feasibility analysis for data access (i.e., what are the institutional or technological barriers to accessing the data?) and data profiling (i.e., what is the volume, velocity, variability, and veracity of the data?). Finally, we identify requirements for security and regulatory compliance (e.g., what data use agreements are necessary? what is the retention period? what roles have access to these data?).

Step 2: Dimensional Modeling: In this step we begin to define the key components of data marts that will support specific reporting and analytical functions. For each function, we identify the following:
● Business Process: produces data that we want to measure (e.g. inspections)
● Granularity: the finest level of granularity at which data will be collected (e.g. a single inspection, site, licensee, region)
● Dimensions: determine how the data will be filtered and aggregated; dimensions provide the context around the data (e.g., the who, what, where, when, and why)
● Measurements: identify the facts that are used to generate the key performance indicators (e.g. regional differences for assigned inspection procedures)

As part of the data governance process (described below), the contractor creates artifacts that capture this modeling—such as business process workflows and star schema relational models—and a data dictionary, which captures definitions of data elements and business rules. Key parts of this modeling process include identifying strategies for:
● Slowly changing dimensions (SCDs): This strategy allows us to deal with changes in dimensional data over time in order to support asking “as-is” (current) versus “as-was” (historical) questions. We recommend a hybrid approach which supports representing both current and historical data in the same dimension tables.
● Partitioning: In order to support performance engineering of the data warehouse, we identify how the data can be logically and physically partitioned (e.g., by time, geographic region, organization) during dimensional modeling.
● Extension: As the model is iteratively defined, we will need to add new facts/measurements, dimensions and attributes, or change the granularity of facts. There are strategies for making such changes without breaking existing reporting or analytical applications (e.g., adding new columns to existing dimension tables).

Step 3: Data Governance: A data governance process is necessary to ensure that we are providing meaningful and reliable insights from the data that we are collecting. This process includes defining:
● Standard vocabulary to ensure that data elements with the same name mean the same thing and consolidating aliases/synonyms.
This is necessary to create “conformed dimensions”, which ensure that data from different data marts/reports can be compared in valid and meaningful ways. This includes using standard codes, lookup tables, and terminologies (e.g. Enterprise Project Identifiers (EPIDs) and Cost Activity Codes (CACs)).
● Standard facts ensure that data is collected at a common level of granularity and that measurement names are consistent. This is necessary to create “conformed facts”, ensuring data can be combined in valid ways.
● Validation rules are business rules that must hold true for the dataset to be valid. These go beyond basic validation of individual source datasets (e.g. format, value types, etc.) and include evaluation of global business rules, value ranges, and distributions. We include these validations in the automated ETL pipelines to ensure that invalid data is never included in published data marts.
● Provenance rules identify what metadata is necessary to understand how data was collected and transformed and could include flags to indicate the status of data (e.g., does it represent intermediate or final results?).

Step 4: Data Warehouse Modeling: In order to support data governance and dimensional modeling, we create a data warehouse model. This model presents a unified view of all data that is important to the NRC business processes. The model is fully aligned with the data governance process, and data marts produced from this model have the highest degree of veracity. For example, data included in the data warehouse has satisfied all validation and provenance rules.

Step 5: Data Engineering: This process typically involves the following.
● Data access: Establishing connectivity with the data source and a data transfer mechanism. This often involves overcoming institutional or technology barriers. There are usually myriad source technologies and formats, so the platform needs to be able to accommodate this heterogeneity.
The contractor will identify a “preferred” secure data transfer channel, as described in the “Access to Government Data or IT Systems” section above.
● Data profiling: Here the contractor shall identify the volume (How large is the data?), velocity (How quickly is it produced or changed? Is it a periodic batch, transactional, or streaming?), variability (What are the data formats? How do they change over time?), and veracity (How do we identify and address erroneous/incomplete data? For example, defining expected dispersion and central tendency so as to identify outliers).
● ELT: As described above, the contractor will implement automated pipelines that extract data from the source systems, validate it, publish it to the Source Layer, and then construct materialized views in the Data Mart layer.

Step 6: Refinement: The contractor shall use an Agile approach to iteratively build the data warehouse platform. In this approach, we work with the product owner and stakeholders to identify and prioritize business processes and datasets for integration into the platform. We then refine the dimensional model, data warehouse model, data governance process, and data engineering processes to demonstrate value at the end of each iteration, rather than requiring a lengthy analysis and modeling process up front. This approach requires effective application of the modeling techniques described above, such as slowly changing dimensions, partitioning, and extensions.

C.3.1.3. DevSecOps Approach

SemanticBits has a proven track record of meeting aggressive timelines with the scope required to meet the business needs. The contractor shall achieve a high level of delivery in part through their DevSecOps approach, which includes a fully automated CI/CD pipeline built with Jenkins to support continuous and frequent deployment. Jenkins detects commits to Git, builds and runs automated unit, integration, code quality, and security tests, and then packages and deploys.
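The security tests that run in this pipeline can include a policy-as-code check of the infrastructure plan against the Defense-in-Depth controls enumerated below under “Security through DevSecOps” (encryption at rest, TLS-only listeners on 443, S3 buckets that reject unencrypted transport, one VPC per environment, whitelist security groups, public-key SSH). The following is an added Python example of such a check; it is not the contractor's or the project's Terraform or Jenkins code. The plan structure and its field names are a simplified, constructed representation rather than real Terraform plan JSON, the sample resources are constructed, and the allowance for port 443 being open to the world on the public web tier is an assumption made for this illustration.

```python
"""Added example, not the contractor's Terraform: policy-as-code checks for the
Defense-in-Depth controls, run as a CI/CD stage over a rendered infrastructure plan.
The plan below is a deliberately simplified, constructed dictionary (not real
Terraform plan JSON); its field names are assumptions for this illustration."""
from typing import Dict, List

# Constructed sample plan with one compliant and one drifting instance of most resource types.
SAMPLE_PLAN = {
    "environments": {"DEV": "vpc-dev", "IMPL": "vpc-dev", "PROD": "vpc-prod"},
    "ebs_volumes": [{"name": "app-data", "encrypted": True},
                    {"name": "scratch", "encrypted": False}],
    "databases": [{"name": "warehouse", "storage_encrypted": True, "require_ssl": True}],
    "load_balancers": [{"name": "web", "listeners": [{"port": 443, "protocol": "HTTPS"},
                                                      {"port": 80, "protocol": "HTTP"}]}],
    "s3_buckets": [
        {"name": "map-data", "sse_algorithm": "AES256",
         "policy": {"Statement": [{"Effect": "Deny", "Action": "s3:*", "Resource": "*",
                                   "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}},
        {"name": "map-logs", "sse_algorithm": None, "policy": {"Statement": []}},
    ],
    "security_groups": [
        {"name": "bastion", "ingress": [{"port": 22, "cidr": "10.20.0.0/16"}]},
        {"name": "web", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"},
                                    {"port": 22, "cidr": "0.0.0.0/0"}]},
    ],
    "hosts": [{"name": "bastion", "ssh_password_auth": False},
              {"name": "etl-worker", "ssh_password_auth": True}],
}


def denies_insecure_transport(policy: dict) -> bool:
    """True if a Deny statement is conditioned on aws:SecureTransport being false (no TLS)."""
    for stmt in policy.get("Statement", []):
        cond = stmt.get("Condition", {}).get("Bool", {})
        if stmt.get("Effect") == "Deny" and str(cond.get("aws:SecureTransport")).lower() == "false":
            return True
    return False


def check_plan(plan: dict) -> List[str]:
    """Return one finding per control violation; an empty list means the plan passes."""
    findings: List[str] = []
    # VPC: each environment gets its own VPC.
    by_vpc: Dict[str, List[str]] = {}
    for env, vpc in plan["environments"].items():
        by_vpc.setdefault(vpc, []).append(env)
    for vpc, envs in by_vpc.items():
        if len(envs) > 1:
            findings.append(f"VPC: {vpc} is shared by {', '.join(envs)}")
    # Encryption at rest: EBS volumes and database storage.
    for vol in plan["ebs_volumes"]:
        if not vol["encrypted"]:
            findings.append(f"EBS: volume {vol['name']} is not encrypted")
    for db in plan["databases"]:
        if not db["storage_encrypted"]:
            findings.append(f"DB: {db['name']} storage is not encrypted")
        if not db["require_ssl"]:
            findings.append(f"DB: {db['name']} does not require SSL connections")
    # Encryption in transit: load balancers listen only on 443 with TLS.
    for lb in plan["load_balancers"]:
        for listener in lb["listeners"]:
            if listener["port"] != 443 or listener["protocol"] not in ("HTTPS", "TLS"):
                findings.append(f"LB: {lb['name']} listener {listener['protocol']}:{listener['port']} is not TLS on 443")
    # S3: AES-256 server-side encryption and rejection of non-TLS requests.
    for bucket in plan["s3_buckets"]:
        if bucket["sse_algorithm"] != "AES256":
            findings.append(f"S3: bucket {bucket['name']} lacks AES-256 server-side encryption")
        if not denies_insecure_transport(bucket["policy"]):
            findings.append(f"S3: bucket {bucket['name']} does not reject unencrypted transport")
    # Firewalls: whitelist approach; assumption here: only 443 may be open to 0.0.0.0/0.
    for sg in plan["security_groups"]:
        for rule in sg["ingress"]:
            if rule["cidr"] == "0.0.0.0/0" and rule["port"] != 443:
                findings.append(f"SG: {sg['name']} opens port {rule['port']} to 0.0.0.0/0")
    # PKI authentication: SSH password logins disabled on every host.
    for host in plan["hosts"]:
        if host["ssh_password_auth"]:
            findings.append(f"SSH: {host['name']} allows password authentication")
    return findings


def gate(plan: dict) -> bool:
    """Pipeline stage: return False (fail the build) when any control is violated."""
    return not check_plan(plan)


if __name__ == "__main__":
    for finding in check_plan(SAMPLE_PLAN):
        print("FAIL", finding)
    print("gate passed" if gate(SAMPLE_PLAN) else "gate failed")
```

Because the checks read the rendered plan rather than the live account, a violation is caught before `terraform apply` runs and the pull request fails with a named finding; the same functions can later be pointed at an export of the deployed state to detect drift.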
Our DevOps engineers implement:
● Infrastructure-as-a-Service (IaaS): All components are deployed to AWS FedRAMP’ed infrastructure, provisioned by us as needed through reusable, testable Infrastructure-as-Code (IaC) written in Terraform.
● Continuous Integration (CI): The system is tested via Jenkins for every code change.
● Continuous Deployment (CD) to Production: Our projects deploy more than 50 times per Sprint and are able to push hotfixes to production multiple times a day.
● Zero-Downtime Deployment (ZDD): Redeployment does not impact a single user actively interacting with the system, via a blue-green rolling deployment strategy that leverages IaC and IaaS on AWS.
● Continuous Security (CS): The contractor will utilize automated, continuous static secure code scanning with SonarQube on every pull request, dynamic application scanning with OWASP ZAP, penetration testing, and threat modeling.
● Environment Parity: All aspects of each environment (DEV, IMPL, PROD, etc.) are virtually the same (except in scale) for early detection of environmental issues. In the diagram above, the PROD VPC is created in the MAP PROD AWS account, while the DEV and IMPL VPCs are created in the MAP DEV AWS account.
● Stateless Services: All backend microservices are disposable, meaning they can be terminated at any time or suddenly die without affecting end users.
● Continuous Monitoring: All aspects are logged and monitored centrally (e.g. via Splunk) and alerting is configured for important events, such as high resource utilization or security violations (e.g. via PagerDuty).

Performing Releases: A Release Runbook, drafted and executed by the DevOps Engineer, provides the steps necessary to complete a release and always includes detailed steps on how to “undo” a release, ensuring:
● Backup: Snapshots are created for databases and file systems. S3 buckets are backed up into Glacier.
● Reversion: Each database migration is accompanied by an “undo” step that rolls it back.
Reverting migrations is the option preferred by DevOps Engineers.
● Redeploy: The Release Runbook describes the steps required to deploy the previous release, which typically means entering the previous release number in Jenkins and kicking off a build.

Security through DevSecOps: The contractor shall implement an automated, autonomous, and robust security approach that integrates into development and operations. The contractor uses a series of controls to design a Defense-in-Depth architecture that follows NIST and CIS recommended guidelines in alignment with US Digital Services (USDS) Play 11 “Manage security and privacy through reusable processes”:
● Encryption at Rest: Each file system (EBS) volume is encrypted; the database volumes are configured to be encrypted at rest; and S3 buckets are encrypted using server-side AES-256.
● Encryption in Transit: Each load balancer listens only on port 443 and uses TLS. All database connections require SSL.
● S3: Each S3 bucket is encrypted with AES-256 and rejects unencrypted communication.
● VPC: Each environment is deployed into its own virtual private cloud (VPC), providing logical network segregation to protect against and minimize cross-network/environment access.
● VPN: Lower tiers are restricted to access from within the agency AWS VPN, if available, or via an SSH tunnel and bastion server.
● PKI Authentication: SSH requires users to authenticate by public key.
● Firewalls: Each node has Security Groups assigned following a whitelist approach.

Our team integrates a wide range of modern security practices into our DevSecOps processes:
● Infrastructure-as-Code: All of the above physical security measures are implemented as verifiable, reusable, and repeatable peer-reviewed code.
● Static Secure Code Scanning: Code is scanned for bugs and vulnerabilities using SonarQube.
● Code Review: Every code check-in (pull request) must follow a template including checklist items related to security, PII handling, logging, etc., as defined by a code review checklist.
● Dynamic Application Scanning: Upon every automated deployment, all live application endpoints are scanned for vulnerabilities using OWASP ZAP.
● Continuous Monitoring: All infrastructure/software is monitored to the level of line of code via Sensu in alignment with USDS Play 12 “Use data to drive decisions”.
● Penetration Testing: The contractor shall apply modern red-team practices to periodically perform penetration and vulnerability testing, which helps us discover security vulnerabilities.
● Threat Modeling: The contractor shall identify the highest-risk aspects of the system and develop lightweight models of the landscape, assumptions, threats, actions, and validations.

Data-driven Decision Making: The contractor shall apply a data-driven decision-making process in all aspects of their work. The contractor shall monitor and collect information at all levels of the system, starting with user research on needs, through information about our code such as test coverage and static security analysis, and including data on actual system usage such as user load and query performance. The following are some representative examples:
● User research about the needs of users to drive feature prioritization and interaction/UI design.
● Information about legacy systems to drive modernization design decisions, such as database size, average/peak transaction throughput, user count, etc.
● Web tracking data to drive enhancements, such as site usage reports.
● Monitoring and logging data to identify performance bottlenecks, such as query time and CPU usage.

Test-Driven Development (TDD): TDD is central to the contractor’s development process. All code written must be testable in an automated fashion using an appropriate suite of testing frameworks, such as unittest for Python, Postman for APIs, Cypress (based on Selenium) for end-to-end UI, and Artillery for load tests.
When starting any new coding task, the first question the contractor shall ask is: how will this be tested? The contractor shall start by ensuring that the story being implemented has clear acceptance criteria and implement tests against those in a test-a-little, code-a-little approach. The relevant SonarQube metrics include:
● Code Coverage: How much of the codebase has been exercised with tests?
● Tests Success Density: (# of tests - (# of test errors + # of test failures)) / # of tests * 100
● Security Rating: A = 0 Vulnerabilities; B = at least 1 Minor Vulnerability; C = at least 1 Major Vulnerability; D = at least 1 Critical Vulnerability; E = at least 1 Blocker Vulnerability

C.3.2. Deliverables

The deliverables are those items that the contractor plans to provide to the NRC in addition to deliverables described in the QASP.

Deliverable | Due Date | Format | Submit To
Codebase | Every Sprint | Github repository | TBD
HCD artifacts (discussion guides, user research recordings, wireframes, mockups, prototypes, etc.) | Every Sprint | Confluence or similar | TBD
Deployed Software | Every Sprint | AWS or similar | TBD
Deployed and Populated Data Warehouse | Every Sprint | AWS or similar | TBD
Product and Sprint Backlogs | Every Sprint | Jira or similar | TBD
Automated Test Results | Every Sprint | Jenkins Builds | TBD
Manual Test Results | Every Sprint | Jira or similar | TBD
Manual Accessibility Test Results | Quarterly | Confluence or similar | TBD
Authority to Operate | Annually | Confluence or similar | TBD

C.3.3. Performance Standards

See QASP that is attached to the task order.

Ensure the Highest Levels of Quality: Our quality approach for NRC MAP is focused on ensuring:
● Quality in Security: sensitive information remains private and protected at all times
● Quality in Production: the production system is run correctly and efficiently with 0 downtime
● Quality in Software: new software enhancements and products have minimum defects
● Quality in Data: data in production is validated continuously as correct
● Quality in Schedule: work is completed on time and meets the definition of done
● Quality in Process: work is executed correctly and efficiently per our Agile approach

Our Quality Control (QC) and performance management approach, founded on our CMMI ML3 and ISO 9001:2015 processes and procedures, is focused on delivering high quality while minimizing risk and continuously improving over time. Our QC and performance management is built into our processes through our DevSecOps and Agile methodologies, which leverage techniques such as automated testing, continuous code integration (CI), metric generation, and data-driven decisions. Our approach provides a comprehensive, verifiable, and transparent framework for continuous monitoring, control, reporting, and improvements to quality.

Ensure Quality in Data: When data is the product, we must ensure that the data we report on accurately reflects the source of the data (validation), and further that this data is, to the best of our knowledge, real, logically consistent within the dataset, logically consistent with other datasets, consistent with business definitions, and consistent over time (data quality). We must take a proactive approach to ensuring the quality of data, so that we can identify, triage, and resolve data issues before they are provided to a user or utilized in analysis. This involves assuring the quality of data grain (uniqueness), columns/fields, expected counts and other metrics, enforced relationships, and deviations over time. All checks of data quality will be run automatically, either on a regular schedule (e.g. nightly) or after a load of a certain dataset. If data is loaded or reloaded via a batch process, all data quality checks for the new/reloaded data should pass before it is exposed to end users.

C.4. Reporting Requirements

The contractor shall provide all of the reports identified in the QASP and the deliverables table on a continuous basis wherever practical and automated.
For example, automated test results are available in real time in Jenkins, HCD artifacts are available in Confluence as soon as they are created, etc. In addition, the contractor treats data as an asset in every single project we undertake. This means that:
● Architectural design addresses the data needs from the beginning, such as size, complexity, integration, etc.
● Quality assurance plans detail approaches for data verification in an automated, continuous fashion
● Data security is of paramount importance and data security controls are completely automated
● Continuous backup and restore is in place from day one and regularly tested
● Monitoring and logging information is treated as data and accessible for data-driven decision making
● Datasets across systems are aligned on semantically equivalent identifiers
● Rich datasets are built for testing where de-identified data cannot be used in lower tiers

The contractor works closely with the government to determine useful data quality reports to track data issues.

C.5. Incremental Development for Software

The Contractor shall use a human-centered design and incremental or agile build model for development. The Agency defines an incremental build model as a method where the product is designed, implemented, and tested incrementally, with increasing functionality and/or capability added in each increment until the product is finished. The contractor’s HCD approach is described at the beginning of this proposal in section C.3.1.1. because it is the process that drives our development from the beginning. In this section, we describe our incremental development process.

One-team Attitude and Coordination: The contractor shall work in a collaborative, Agile way with NRC and other contractors, as demonstrated by our work at other government agencies, such as the CMS Quality Payment Program project.
The contractor facilitates and encourages a one-team attitude at all levels and with all stakeholders:
● Work in the Open: The contractor prefers all of our work to be performed transparently, including open Scrum ceremonies, Jira boards/backlogs, Confluence documentation, Git source code, etc.
● Work Collaboratively: The contractor understands that other teams and individuals bring unique expertise and experience to the overall project. The digital services we build will be part of a larger ecosystem.
● Work Real-time: As part of our process, we prefer to share live prototypes, draft meeting notes directly on shared Confluence pages, update backlogs during planning meetings, etc.

Scrum-based Agile Process: Our Agile SDLC, depicted below, is based on Scrum and has been adapted over time to work ideally for federal digital services delivery. It is an iterative, incremental process that focuses on stakeholder involvement early and often. Work is subdivided into blocks of time called Sprints; we use 2-week Sprints. At the end of each Sprint a working, executable code product is built and demonstrated to stakeholders, and feedback is incorporated into subsequent Sprints (this is called the Sprint Review meeting). The process is driven by a Product Backlog that lists all of the functionality for the system, which is incrementally moved into Sprint Backlogs prior to each Sprint. We will use Jira to manage backlogs and tasking. Continuous improvement is facilitated by Sprint Retrospectives where every team member discusses what did or did not go well. The overall process, including implementing improvements, is governed by a Scrum Manager, who continuously grooms the backlogs, leads Sprint Planning meetings with the team to kick off each Sprint, leads daily Scrum meetings, and helps keep the team focused while removing barriers to success.

Scrumban-based O&M: Once a system goes into production, O&M needs to be performed to support the system. We perform this work using a Scrumban-based approach. Scrumban supports the case where extremely high-priority tasks, such as a blocker in production or leadership needing a data report, must take priority over existing work. The Business Analyst and Product Owner negotiate on whether these injected tasks are released immediately or as part of the Sprint, as well as which items must be deprioritized back into the Product Backlog.

Approach to Overcoming Potential Obstacles: A key to our quality control process is effective risk management. Early risk identification significantly improves our ability to minimize and mitigate risks. Our use of daily Scrum meetings to execute projects inherently supports early risk identification and minimization, as it provides a dedicated forum for voicing risks.

Risk Identification: Risks raised during the daily Scrum or through other identification methods (e.g., document review, root cause analysis, etc.) are immediately logged into the risk register (JIRA), where a unique identifier and risk owner are assigned. Initial assessments of the likelihood of risk occurrence and potential impact to the project are typically made during the initial risk registration to help prioritize further risk analysis.

Risk Evaluation: All identified risks are analyzed to assess their potential impact on the program and project deliverables and their likelihood of occurrence. We make qualitative and quantitative assessments to score risks by likelihood and potential impact.

Risk Mitigation: Risk prioritization is guided by the risk impact and likelihood, with the most impactful and most likely risks being prioritized the highest for mitigation. Ultimate prioritization of risks, similar to any other item in the Backlog, is the authority of the Product Owner.
The risk response plans will be documented

Risk Monitoring: The Scrum will be the primary forum for obtaining risk updates from the risk owner. During the Scrum the risk registry (in JIRA) is updated in real time and is immediately transparent to all stakeholders. As part of the weekly, bi-weekly, and/or monthly status updates, the risk registry is reviewed and prioritized
