System Integration PWS 11.22.22 v1.2 RFI


Federal Emergency Management Agency (FEMA)
Grants Technical Division (GTD) Grants Management Modernization (GMM) System Integration
Performance Work Statement
November 12, 2022
Version 1.1
Performance Work Statement
System Integration

I. Background

The Federal Emergency Management Agency (FEMA) has begun an effort to transform the way
it manages grants. The Grants Management Modernization (GMM) Program is an initiative
which seeks to simplify and coordinate business management approaches across all the Agency’s
40+ grants programs. GMM is establishing a common grants life cycle and platform for users
with the new system called FEMA Grants Outcomes (FEMA GO).

The GMM Program is a user-centered, business-driven approach which engages with
stakeholders to fully capture modernization needs, gaps, and transformation opportunities.
Streamlined grants processes will be derived from common business processes to achieve a
unified technology platform. The GMM cross-agency and integrated approach will improve the
oversight and monitoring of funding allocations and support integrated data analytics across the
program areas for improved efficiencies.

GMM will consolidate FEMA’s ten legacy grants IT systems into a single grants management IT
platform. The program will also consolidate FEMA’s grants operations, establishing a common
grants management lifecycle and unifying business processes across grant programs where
possible. These changes will improve the efficiency and effectiveness of FEMA’s grants
operations, thereby strengthening the Agency’s ability to carry out its mission.

II. Purpose

The purpose of this Performance Work Statement (PWS) is to acquire technical services needed
to continue the development efforts of the FEMA GO system. The Contractor shall provide the
necessary resources to implement and manage software integrations critical to Grants
Technology Division (GTD) product delivery and sustained operations. The Contractor shall
ensure all services are provided efficiently and economically, while providing quality products
and services meeting customer requirements. The performance metrics utilized shall ensure all
standards are met as summarized in the Performance Requirements Summary (PRS) in
section VII of this PWS.

III. Scope
The Contractor shall provide the multi-vendor management, technical governance, and expertise
necessary to sustain and deliver FEMA GO to the GTD’s customers. The Contractor shall utilize
and oversee the FEMA accredited DevSecOps CI/CD pipeline which supports FEMA GO. The
Contractor shall also oversee sustainment and delivery of the legacy systems and their transition
to Agile DevSecOps approaches in an iterative and collaborative fashion. The scope of work
supports FEMA’s goals of secure by design, continuous delivery, deployment on demand,
continuous monitoring, health analytics, and rapid fault remediation, and drives continuous
improvement in the GTD legacy system portfolio over time. The Contractor shall be able to
provide resources that meet the minimum qualifications, knowledge, and capabilities for the
following twelve roles, all of which must be provided:

• Senior Software Developer (Minimum of 5)
• Mid-Level Program/Project Manager
• High-Level Program Manager
• DevOps Engineer
• Data Architect/Engineer
• Cloud Engineer
• Consultant
• Software Architect
• Quality Assurance Engineer
• Development Operations Engineer
• Technical Writer
• Security Engineer

IV. Performance Tasks and Objectives

4.1 Task 1: Transition In

The Contractor shall:
a. Attend knowledge transfer sessions with the incumbent vendor and FEMA, scheduled by
the government in order to gain a complete understanding of the existing processes, tools
and procedures being used for product delivery.

b. Gain a comprehensive understanding of the environments and discuss with Grants
Technology Division (GTD) leadership possible changes or improvements that might be
made to the product delivery pipeline. See Appendix A – Legacy System Environments
as well as the current FEMA GO Systems.

c. Review existing documentation for the FEMA GO delivery process specifically focusing
on the integration component of the process and related governance opportunities.
Present proposed modifications and improvements, especially relevant to the scope of
work, to GTD leadership.

4.2 Task 2: Project Management Services

The Contractor shall:
a. Manage the Contractor’s own operations and team, as well as the various other vendor
teams involved in the FEMA GO delivery process.

b. Provide timely reporting on management, schedule, and technical progress as well as
comprehensive reporting to the GTD leadership and the COR/CO that can be
understood and modified as needed.

c. Conduct meetings with GTD personnel to provide a brief overview of tasks
performed, to include critical accomplishments and upcoming activities, important
risk issues, risks, and dependencies along with milestones, status changes and overall
project status.

d. Develop and deliver to GTD leadership a detailed multi-vendor management strategy
inclusive of roles, functions and work-related artifacts in support of the delivery of
new system capabilities and to the maintenance of the system.

e. Develop and share with GTD leadership the guiding principles, priorities, best
practices, coding standards that ensure maintainability and supportability for the
expected life of FEMA GO and the general governance guidelines that will be applied
to all development and sustainment vendor teams regarding production deliverable
artifacts. These principles and guidelines must be well documented and periodically
reviewed, updated, and shared with the vendor teams to ensure compliance and the
smooth delivery of artifacts from the vendor teams.

f. Participate in Agile activities and ceremonies, such as demos, and development and
test meetings, with representatives from the Grants Management Modernization
(GMM) Program Management Office (PMO) to demonstrate progress and any current
schedule or technical issues.

g. Conduct Agile research regarding platform technologies and best practices as it
relates to product delivery streams and their integration. Additionally, submit
recommendations including technical and cost trades analysis reports.

h. Provide architectural guidance and alignment to the existing grants management
systems and FEMA GO as it relates to all product delivery streams and their
integration. The Contractor shall advise on the selection of appropriate tools,
frameworks, software, code development and delivery of best practices and other IT
principles to achieve GTD program objectives.

i. Develop, modify, and maintain the LGMS Integrated Master Schedule (IMS) that
displays and tracks the following information through weekly status reports from the
LGMS System Owners:
• System Releases - Tracking the durations of Operations and Maintenance
(O&M) and Amazon Web Services (AWS) activities
• Systems Migrating to the Cloud
• Track dependencies and updates to system activities
• Authority to Operate (ATO) and Authority to Proceed (ATP) expiration dates
and milestones
j. Provide weekly and monthly project status reports to the COR/CO and GTD
personnel. Deliver comprehensive reports as required by GTD, at the cadence GTD
specifies, to include but not limited to:
• Weekly Project Status Reports
• Monthly Project Status Reports
• Weekly Integrated Master Schedule (IMS)Timeline
• Manage its operations and teams.

4.3 Task 3: System Integration support to all FEMA Grants Management Systems

The Contractor shall:

a. Provide software integration, development/integration oversight, and delivery
management to support FEMA GO and FEMA’s Legacy Grants Management Systems
(LGMS) in accordance with the Performance Work Statement (PWS). This oversight and
management of the FEMA GO delivery pipeline and process should be through the
application of all guidelines, principles, best practices, multi-vendor management
strategies and governance approaches as discussed and approved by GTD leadership.

b. Coordinate with GTD personnel to develop a Government Integration Status Tracker to
track the status of the FEMA GO delivery pipeline. Provide a folder structure in SharePoint
for the development and management of task order related artifacts, including but not
limited to process documents.

c. Frequently review and revise as needed the FEMA GO Systems Integration Plan (SIP) to
ensure that current and targeted system-to-system integrations are properly documented.

d. Develop Integration Standard Operating Procedures (SOP) to document current
integration artifacts to include but not limited to the Government integration dashboard,
Work Breakdown Structure (WBS), and the LGMS Integrated Master Schedule (IMS).

e. Meet regularly with designated GTD team representatives, in accordance with agile best
practices, to present and discuss all aspects of the System Integrator role. This should
include tasks, blockers, issues, risks, and accomplishments. To support this, the System
Integrator should develop comprehensive reports and charts that capture this information.

f. Perform a gap analysis of all current GTD documentation related to integrations. Based
on the outcome of the gap analysis, make recommendations for improving continuity of
operations.

g. Provide support in drafting comprehensive documentation to include but not limited to
Architectural documentation, Security Operations, Operations and Maintenance (O&M),
Integration, Quality Assurance, Testing and Legacy systems, and Continuity of
Operations.

h. Perform market research on new and emerging technologies to improve efficiencies and
cost and present recommendations to government leadership.

4.4 Task 4: Governance and Code review Support

The System Integrator shall provide recommendations for the coordination of the contract
development release schedule, as well as other relevant information for the contract developers, to
a designated government representative, at which time the material will be reviewed, approved,
and communicated to the contract developers through the government representative.
Additionally, the Contractor shall:

a. Define and implement a framework to be adopted for GTD integrations automation where
possible.
b. Define the entire product delivery process to be conveyed to the development and
Operations and Maintenance (O&M) teams that ensures that these teams have a thorough
understanding of the code creation, testing and delivery process.
c. Conduct code reviews for any code to be released to ensure all code is compliant with
FEMA standards and best practices and GTD coding conventions. Additionally, enforce
all aspects of the product delivery and system-to-system integration processes to ensure
efficiency, quality of delivery, data integrity, and existing integrations remain intact and
security policies are strictly followed.
d. Conduct code reviews to assess and document interface/integration impacts, coding
compliance (FEMA/Industry best practices), test/validation of system functionality and
data correctness and integrity.
e. Perform code analysis using standard tools such as but not limited to Nessus, Fortify,
SonarQube, WebInspect and Twistlock.
f. Perform manual code review to augment the automated code analysis.
g. Propose ways to improve code quality and how to reduce tech debt.
h. Detect violations of coding rules, including security-specific guidelines. Guidelines
include the following:
• NIST 853
• DHS 4300A
• FEMA Policy and SOPs
• GTD SOPs
i. Use tools including but not limited to SonarQube and Fortify that scan source code and
provide detailed assessment reports that include at a minimum the following:
• Code quality issues
• Security issues
• Code compliance issues
j. Contribute to the maintenance of system documentation to ensure it is current and an
accurate reflection of the system.

4.5 Task 5: Transition out

The Contractor shall support transition out as follows:

During the remaining 60 days of the outgoing vendor contract, FEMA will facilitate knowledge
transfer meetings between the incoming and outgoing vendors. The outgoing vendor will use the
meetings to transition knowledge and responsibilities for all areas that the outgoing vendor is
accountable for, to include but not limited to:
• Oversight and integration of all coding streams for the delivery of FEMA GO
• Review and update all relevant transition documents and artifacts
• Identify the location of technical and program transition related documents in the
appropriate electronic libraries
• Platform operations and maintenance
• Information assurance and security
• Maintenance and optimization of the CI/CD pipeline
• Review all PMO required reports and product delivery roadmaps

V. DELIVERABLES AND DELIVERY SCHEDULE:

No. | Task | Deliverable | Frequency and/or Due Date | Format
1 | | Post Award Kick-Off Meeting | Within 5 work-days after award | In person or virtually
2 | 4.1 | Transition In Plan | Within 15 Days of Contract award date | Electronic
3 | 4.2b, 4.2j | Updates to Project Management that incorporates Quality Control Plan, reporting on management, schedule, and technical progress | Once a month or as needed and communicated by the COR | Virtual/Electronic
4 | 4.2j, 4.3e | Project status reports: Brief overview of tasks performed, to include critical accomplishments and upcoming activities, important risk issues, risks, and dependencies along with milestones, status changes and overall project status | Weekly | Virtual/Electronic
5 | 4.2i, 4.2j | Integrated Master Schedule (IMS) Timeline | Weekly | Virtual/Electronic
6 | 4.5 a | Transition Out Plan | During the remaining 60 days of the outgoing vendor contract | Electronic
7 | | Quality Control Plan | Within 30 days of contract award date | Electronic

VI. QUALITY CONTROL PLAN


The Contractor shall provide a QCP in response to the PWS. The QCP shall identify the
Offeror’s approach for maintaining a quality control system that is integrated into the overall
project management plan and meets requirements of the PWS. The Contractor’s QCP shall
address the associated metrics. The Contractor’s QCP shall be linked to the PWS’ Performance
Requirements Summary (PRS). The Contractor shall be solely responsible for the quality of
services provided. The Contractor shall also be liable for Contractor employee negligence and
any fraud, waste, or abuse.

The Government shall provide a copy of its draft QASP to the Contractor as part of the
solicitation documents. Following approval of the Contractor’s QCP and making award, if the
Government determines that updates to its QASP are necessary based on the approved QCP, the
Government shall provide an updated copy of its QASP to the Contractor within 30 days of the
award. If the Government determines that no updates or changes to the QASP are necessary at
that time, the Government shall inform the Contractor.

The Contractor shall maintain the QCP throughout the life of the contract. The QCP shall
outline the processes and activities the Contractor will implement to ensure that all services are
provided in accordance with the goals and requirements of this PWS. QC applies to work output, not
to workers, and therefore includes all work performed under this contract regardless of whether
the work is performed by Contractor employees or by subcontractors. The Contractor’s QCP
will set forth the staffing and procedures for self-inspecting the quality, timeliness,
responsiveness, customer satisfaction, and other performance requirements in the PWS. The
QCP shall fulfill the following requirements:

i. Establish an internal quality control, inspection and feedback system for all
services required by the contract.

ii. Provide the means to identify deficiencies in services and procedures to correct
deficiencies and prevent recurrence.

The QCP shall include, but not be limited to, the following elements:

i. Methods to track timeliness and performance with respect to established standards
for responsiveness and quality of service.

ii. Methods to measure the effectiveness of the Contractor's quality control actions.

iii. The individuals within the Contractor's organization with oversight authority over
quality initiatives.
The Contractor’s QCP shall address how to handle Inspection and Acceptance Criteria, Delivery
and Timing, the Collaboration Environment, any Service Level Agreements, the draft Quality
Assurance Surveillance Plan (QASP), and Quality Controls related to, but not limited to:
i. Contract Deliverables
ii. Cybersecurity Corrections
iii. Audit/Evaluation Corrections
iv. Corrective Actions Plans and Validations
v. Software Defects or Issues, Priority of Critical/Moderate/Low
vi. Error Detection in Production, Rate and Count
vii. Deployment to Production, Failed vs First Time Success
viii. Attrition and Recruiting
ix. Team Velocity and burn down
x. Availability and Website Uptime
xi. U.S. Web Design Standards / 21st Century Integrated Digital Experience Act
(P.L. 115-336§3(e))

These should also include the Definition, Acceptable Quality Level / Performance Standard,
Actual Measurement, Reporting Frequency, Method of Surveillance, etc.

VII. PERFORMANCE REQUIREMENTS SUMMARY

The table below specifies performance metrics with corresponding performance standards,
surveillance methods, and incentives. These metrics apply to all work performed within each of
the work areas. The COR of this contract will document high quality performance to ensure it
becomes part of the Contractor’s past performance record, which will be entered at least annually
into the Contractor Performance Assessment Reporting System (CPARS).

Incentive: The COR will document high quality/high performance and ensure it becomes part of
the Contractor’s past performance record which will be entered at least annually into CPARS.

Disincentive: The COR will document low quality/poor performance and ensure it becomes
part of the Contractor’s past performance record which will be entered at least annually into
CPARS.

Each row of the PRS table is given below with its columns labelled: Category (Task), Required Services / Output, Performance Standard / Threshold, Acceptable Quality Level (AQL), Monitoring Method, and AQL Formula.

Category (Task): Invoices
Required Services / Output: Submission of timely and accurate invoices
Performance Standard / Threshold: Accurate and complete invoice reports by the 10th business day of the end of the calendar. Measurement will be calculated based on twelve (12) months or the end of the Period of Performance.
Acceptable Quality Level (AQL): 85%
Monitoring Method: COR monitors and reviews invoices (Monthly)
AQL Formula: AQL = (Correct # of Invoices) / (Total # of Invoices)

Category (Task): Meetings
Required Services / Output: Organized and productive meeting facilitation; attendance of GTD Program Meetings
Performance Standard / Threshold: Measurement will be calculated based on twelve (12) months or the end of the Period of Performance. Meetings facilitated by the Contractor: Meetings as well as scheduled technical discussions and touchpoints are properly coordinated. Planning incorporates necessary meeting materials to include an agenda articulating a purpose and outcome(s) published in advance of the meeting. Meeting time is well managed, and the purpose and outcome(s) are achieved. Attendance in demos and development and test meetings with representatives from the GTD PMO to demonstrate progress and any current schedule or technical issues. Weekly attendance of Legacy Grants Management Systems and System Owner meetings to document status updates in the Dashboard, Integrated Master Schedule (IMS), and reports. Weekly and bi-weekly touchpoint meetings to discuss business objectives are productive and efficient.
Acceptable Quality Level (AQL): 85%
Monitoring Method: GTD PMO will provide performance feedback to the COR and/or CO regarding meeting experience (As scheduled)
AQL Formula: AQL = (Acceptable # of Meetings) / (Total # of Meetings)

Category (Task): Quality of Written Deliverables and Reporting
Required Services / Output: Effective, clear, and concise writing and reporting.
Performance Standard / Threshold: Measurement will be calculated based on twelve (12) months or the end of the Period of Performance. Deliverables do not include mistakes or require significant rework before being accepted by the Government.
Acceptable Quality Level (AQL): 85%
Monitoring Method: GTD Task Manager, COR, and/or CO review submitted deliverables and reporting (As received)
AQL Formula: AQL = (Correct # of Deliverables) / (Total # of Deliverables)

Category (Task): Timeliness of Written Deliverables and other written contract deliverables
Required Services / Output: Submission of timely and complete reports and deliverables
Performance Standard / Threshold: Measurement will be calculated based on twelve (12) months or the end of the Period of Performance. Complete and accurate Weekly Reports submitted every Friday. Monthly Status Reports submitted by the 5th business day of the month (e.g., includes a summary of key accomplishments, schedule milestones, issues, risks, dependencies, and the overall project status). Timely submission of the System Integration Standard Operating Procedures (SOP). Timely and accurate updates to the GTD FEMA GO System Integration Plan (SIP). Timely and complete integration dashboard training materials. Timely and accurate compilation of meeting minutes devoid of errors that do not require rewrites. Timely submission of updated integration project plans. Timely submission of a strategic, enterprise-level approach to data migration and data archival/record retention solutions that can be applied across multiple systems/environments. Timely submission of Agile best practices and recommendations, and technical and cost trade analysis.
Acceptable Quality Level (AQL): 85%
Monitoring Method: COR monitors due dates and notes when deliverables are submitted/completed (Per Schedule of Deliverables). GTD Task Manager, COR, and/or CO review submitted deliverables and reporting (As received)
AQL Formula: AQL = (Complete & Accurate Monthly Status Reports) / (Total Monthly Status Reports)

Category (Task): Dashboard Integration
Required Services / Output: Develop Dashboard
Performance Standard / Threshold: Measurement will be calculated based on twelve (12) months or the end of the Period of Performance. Implementation and maintenance of the integration dashboard. Regular tracking of the compliance status of security documents and system integrations as scheduled/agreed. Align the dashboard with the Product Roadmap.
Acceptable Quality Level (AQL): Acceptable/Unacceptable
Monitoring Method: GTD Task Manager monitors the Dashboard and provides performance feedback to the COR and/or CO regarding the dashboard management (As received)
AQL Formula: No formula will be utilized

Category (Task): Dashboard Updates
Required Services / Output: Timely updates of system status and updates to Dashboard
Performance Standard / Threshold: Measurement will be calculated based on twelve (12) months or the end of the Period of Performance. All updates are made weekly or as outlined per the schedule of deliverables.
Acceptable Quality Level (AQL): 85%
Monitoring Method: GTD Task Manager monitors status updates to the Dashboard (Per Schedule of Deliverables)
AQL Formula: AQL = Total # of timely updates to dashboard / Total # of timely updates

Category (Task): Integrated Master Schedule (IMS)
Required Services / Output: Develop Integrated Master Schedule (IMS)
Performance Standard / Threshold: Measurement will be calculated based on twelve (12) months or the end of the Period of Performance. Implementation and maintenance of the Integrated Master Schedule (IMS). Regular tracking of the Authority to Operate (ATO) status and milestones for each of the target programs for the Legacy Grants Management Systems.
Acceptable Quality Level (AQL): Acceptable/Unacceptable
Monitoring Method: GTD Task Manager monitors the Integrated Master Schedule (IMS). Included in Weekly and Monthly reports
AQL Formula: No formula will be utilized

Category (Task): Integrated Master Schedule (IMS) Updates
Required Services / Output: Timely updates of system status and updates to the Integrated Master Schedule (IMS)
Performance Standard / Threshold: Measurement will be calculated based on twelve (12) months or the end of the Period of Performance. All updates are made weekly.
Acceptable Quality Level (AQL): 85%
Monitoring Method: GTD Task Manager monitors the updates to the Integrated Master Schedule (IMS) (Per Schedule of Deliverables)
AQL Formula: AQL = Total # of on time updates to the IMS schedule / Total # of updates

Category (Task): Work Breakdown Structure (WBS)
Required Services / Output: Update the Integration Work Breakdown Structure (WBS) to reflect current tasks, roles, and responsibilities
Performance Standard / Threshold: Measurement will be calculated based on twelve (12) months or the end of the Period of Performance. All updates are made as scheduled.
Acceptable Quality Level (AQL): 85%
Monitoring Method: GTD Task Manager monitors the updates to the Work Breakdown Structure (Per Schedule of Deliverables)
AQL Formula: AQL = Total # of timely updates to the Work Breakdown Structure / Total # of timely updates

Category (Task): Documents Management
Required Services / Output: Provide a System Integration folder in the Grants Technology Division (GTD) SharePoint site
Performance Standard / Threshold: Develop, create, and manage task order related artifacts
Acceptable Quality Level (AQL): Acceptable/Unacceptable
Monitoring Method: Included in Weekly and Monthly Reports
AQL Formula: No formula will be utilized

Category (Task): Review Processes and Procedures
Required Services / Output: Review current processes and procedures
Performance Standard / Threshold: Review all processes and procedure documentation and artifacts related to product delivery and report out to GTD on the findings. Correct deficiencies or weaknesses after receiving concurrence from GTD.
Acceptable Quality Level (AQL): Acceptable/Unacceptable
Monitoring Method: GTD Task Manager, COR, and/or CO review submitted deliverables and reporting (As received)
AQL Formula: No formula will be utilized

Category (Task): Code Review – New Code and/or Modified Code
Required Services / Output: Review any code prior to production release
Performance Standard / Threshold: Review code to be released to ensure all code is compliant with FEMA standards and best practices and GTD coding conventions
Acceptable Quality Level (AQL): Acceptable/Unacceptable
Monitoring Method: GTD Task Manager, COR, and/or CO review submitted deliverables and reporting (As received)
AQL Formula: No formula will be utilized

Category (Task): Requirements Review
Required Services / Output: Review IV&V outcomes as they relate to user requirements
Performance Standard / Threshold: Validate requirements with SMEs and stakeholders; assess acceptance criteria against requirements and IV&V test results
Acceptable Quality Level (AQL): Acceptable/Unacceptable
Monitoring Method: GTD Task Manager, COR, and/or CO review submitted deliverables and reporting (As received)
AQL Formula: No formula will be utilized

Category (Task): Code Scanned Results Review
Required Services / Output: Review code quality and vulnerability scan results
Performance Standard / Threshold: Assess report output from various code quality and vulnerability assessment tools
Acceptable Quality Level (AQL): Acceptable/Unacceptable
Monitoring Method: GTD Task Manager, COR, and/or CO review submitted deliverables and reporting (As received)
AQL Formula: No formula will be utilized

Category (Task): Manual Code Review
Required Services / Output: Perform periodic code review to augment the automated code analysis
Performance Standard / Threshold: Manually review code periodically focusing on integration points (evaluate impact to external interfaces) and submit code review reports to include but not limited to adherence to best practices, coding conventions and related GTD standards. A review of code samples to ensure all code is compliant with FEMA best practices and GTD coding conventions.
Acceptable Quality Level (AQL): Acceptable/Unacceptable
Monitoring Method: GTD Task Manager, COR, and/or CO review submitted deliverables and reporting (As received)
AQL Formula: No formula will be utilized

VIII. Key Personnel

The Contractor shall identify key personnel and provide statements of qualifications for these
individuals. FEMA will review the statements of qualifications provided for Key Personnel to
ensure they meet the Government’s standards and provide confirmation of such assessment in
writing from the Contracting Officer (CO). If the performance of Key Personnel does not meet
or exceed the expected performance of an individual with the supplied statement of
qualifications, the Government will request, and the contractor will submit a FEMA approved
replacement for fitness/security screening to FEMA security within 30 days. Any such request
will be made at the discretion of the Government, and in writing by the Contracting Officer
(CO).

The contractor shall not replace any Key Personnel without prior approval by the Government.
The contractor shall provide any request to replace any Key Personnel in writing to the
Contracting Officer (CO) and Contracting Officer’s Representative (COR) no less than two
weeks (10 business days) prior to the departure of the key person. The request shall indicate the
proposed transition period and identify the replacement Key Personnel including a summary of
qualifications. The government will provide written approval or disapproval from the
Contracting Officer within one week (5 business days) of receipt of the request. If the request is
disapproved, the Contracting Officer shall indicate in writing the reason for disapproval. The
contractor shall not be bound by this requirement if the Key Person is terminated for cause,
resigns, or is medically incapacitated. Documentation of these exceptions shall be provided to
the Government.

IX. Travel
Travel is not part of the work. The scope of work does not include reimbursable travel, and
travel expenses subject to cost reimbursement are not anticipated.

X. Invoice Requirements

a. Period of Invoices

Monthly invoices shall be submitted for all costs accrued during the monthly reporting period.
The monthly reporting period may be a calendar month, or any other period used by the
Contractor as a billing cycle, providing that this billing cycle has no fewer than 28 days and
no more than 31 days in it.

b. Invoice Submission Method

The Government prefers that a soft copy of the invoice and backup documentation be submitted to
FEMA-Finance at the email address below, as well as to the designated COR and CO:
1. FEMA Invoices: [email protected]

c. Timeliness

Invoices shall be submitted within three (3) working days of the end of each calendar month
or the Contractor’s accounting cycle.

Appendix A

System | Future Systems Integration Method
Allison Payment Systems | TBD
Assistance to Firefighters Grants System (AFG) | AWS DMS CDC JDBC
Assistance to Firefighters Grants System Cloud (AFGC) | AWS DMS CDC JDBC
Automated Construction Estimator (ACE) | TBD
Community Information System (CIS) | AWS DMS
Contact Call Center Management Program (C3MP) | TBD
CoreLogic | TBD
Deployment Tracking System (DTS) | TBD
Disaster Assistance Improvement Program (DAIP) | TBD
Emergency Coordination (NEMIS – EC) | TBD
Emergency Management Mission Integrated Environment (EMMIE) | AWS DMS CDC
FEMA Application Center Tracker (FAC-Trax) | TBD
FEMA Enterprise Identity Management System (FEIMS) | SAML
FEMA Financial System Modernization | TBD
FEMA Lifecycle Process Management Services (LPMS) | TBD
FEMADex | TBD
Field Assessment and Collection Tools (FACT) | AWS DMS CDC
Grants Reporting Tool Cloud (GRTC) | AWS DMS CDC
Grants.gov | SOAP/WSDL
Hazard Mitigation Grants Program (HMGP) | AWS DMS CDC
Housing and Urban Development (HUD) | TBD
IBM Maximo (SaaS) | TBD
LexisNexis | TBD
Mitigation Electronic Grants System (MT-eGrants) | AWS DMS CDC
National Flood Insurance Program (NFIP) | TBD
Non-Disaster Grants (NDG) | AWS DMS CDC
Non-Disaster Grants Cloud (NDGC) | AWS DMS CDC
OMB / MAXTrax | TBD
RSMeans | TBD
Small Business Administration | SOAP/WSDL
System for Award Management (SAM.GOV) | SOAP/WSDL

XI. Contract Clauses

SECTION 508 REQUIREMENTS:

Section 508 of the Rehabilitation Act (classified to 29 U.S.C. § 794d) requires that when Federal
agencies develop, procure, maintain, or use information and communications technology (ICT),
it shall be accessible to people with disabilities. Federal employees and members of the public
with disabilities must be afforded access to and use of information and data comparable to that of
Federal employees and members of the public without disabilities.

All products, platforms and services delivered as part of this work statement that, by definition,
are deemed ICT shall conform to the revised regulatory implementation of Section 508
Standards, which are located at 36 C.F.R. § 1194.1 & Appendixes A, C & D, and available
at https://www.ecfr.gov/cgi-bin/text-idx?SID=e1c6735e25593339a9db63534259d8ec&mc=true&node=pt36.3.1194&rgn=div5. In the
revised regulation, ICT replaced the term electronic and information technology (EIT) used in
the original 508 standards. ICT includes IT and other equipment.

Exceptions for this work statement have been determined by DHS and only the exceptions
described herein may be applied. Any request for additional exceptions shall be sent to the
Contracting Officer and a determination will be made according to DHS Directive 139-05,
Office of Accessible Systems and Technology, dated November 12, 2018 and DHS Instruction
139-05-001, Managing the Accessible Systems and Technology Program, dated November 20,
2018, or any successor publication.

1.1 Section 508 Requirements for Technology Products (include in the SOW, PWS, or SOO)

Section 508 applicability to Information and Communications Technology (ICT): Software Development

Applicable Exception: Authorization #: N/A

Applicable Functional Performance Criteria: Does not apply

Applicable 508 requirements for electronic content features and components: Does
not apply

Applicable 508 requirements for software features and components: Does not
apply

Applicable 508 requirements for hardware features and components: Does not
apply

Applicable 508 requirements for support services and documentation
requirements: Does not apply

1.2 Section 508 Requirements for Technology Services (include in the SOW, PWS, or SOO)

1. When providing installation, configuration or integration services for ICT, the Contractor
shall not reduce the original ICT item's level of Section 508 conformance prior to the
services being performed.

2. When providing maintenance upgrades, substitutions, and replacements to ICT, the
contractor shall not reduce the original ICT’s level of Section 508 conformance prior to
upgrade, substitution or replacement. The agency reserves the right to request an
Accessibility Conformance Report (ACR) for proposed upgrades, substitutions and
replacements prior to acceptance. The ACR should be created using the Voluntary
Product Accessibility Template Version 2.2 508 (or successor versions). The template
can be located at https://www.itic.org/policy/accessibility/vpat

3. When developing or modifying ICT, the Contractor is required to validate ICT
deliverables for conformance to the applicable Section 508 requirements. Validation shall
occur on a frequency that ensures Section 508 requirements are evaluated within each
iteration and release that contains user interface functionality.

4. When modifying, installing, configuring or integrating commercially available or
government-owned ICT, the Contractor shall not reduce the original ICT Item’s level of
Section 508 conformance.

5. When developing or modifying web based and electronic content components, except for
electronic documents and non-fillable forms provided in a Microsoft Office or Adobe
PDF format, the Contractor shall demonstrate conformance to the applicable Section 508
standards (including WCAG 2.0 Level A and AA Success Criteria) by conducting testing
using the DHS Trusted Tester for Web Methodology Version 5.0 or successor versions,
and shall ensure testing is conducted by individuals who are certified by DHS on version
5.0 or successor versions (e.g. “DHS Certified Trusted Testers”). The Contractor shall
provide the Trusted Tester Certification IDs to DHS upon request. Information on the
DHS Trusted Tester for Web Methodology Version 5.0, related test tools, test reporting,
training, and tester certification requirements is published at https://www.dhs.gov/trusted-tester.

6. When developing or modifying electronic documents and forms provided in a Microsoft
Office or Adobe PDF format, the Contractor shall demonstrate conformance to the
applicable Section 508 standards (including WCAG 2.0 Level A and AA Success
Criteria) by conducting testing using the test methods published under
“Accessibility Tests for Documents” at https://www.dhs.gov/compliance-test-processes.

7. When developing or modifying ICT deliverables that contain the ability to automatically
generate electronic documents and forms in Microsoft Office and Adobe formats, or
when the capability is provided to enable end users to design and author web based
electronic content (i.e. surveys, dashboards, charts, data visualizations, etc.), the
Contractor shall demonstrate the ability to ensure these outputs conform to the applicable
Section 508 standards (including WCAG 2.0 Level A and AA Success Criteria). The
Contractor shall demonstrate conformance by conducting testing and reporting test results
based on representative sample outputs. For outputs produced as Microsoft Office and
Adobe PDF file formats, the Contractor shall use the test methods published under
“Accessibility Tests for Documents”, which are published
at https://www.dhs.gov/compliance-test-processes. For outputs produced as web based
electronic content, the Contractor shall use the DHS Trusted Tester for Web
Methodology Version 5.0, or successor versions. This methodology is published
at https://www.dhs.gov/trusted-tester

8. When developing or modifying software functions of ICT, the Contractor shall
demonstrate conformance to the applicable Section 508 standards (including the
requirements in Chapter 5 and WCAG 2.0 Level A and AA Success Criteria). When the
requirements in Chapter 5 do not address one or more software functions, the Contractor
shall demonstrate conformance to the Functional Performance Criteria specified in
Chapter 3. The Contractor shall use a test process capable of validating conformance to
all applicable Section 508 standards for software functionality delivered pursuant to this
contract. The Contractor may utilize the DHS Trusted Tester Methodology for Web and
Software Version 4.0 as a component of the overall test process used. This version of the
test process provides partial test coverage of the Section 508 standards that apply to
software. If the Contractor uses this test process, the Contractor shall address the test
coverage gaps through additional test procedures. Information on the DHS Trusted Tester
Methodology for Web and Software Version 4.0, including coverage against the
applicable Section 508 standards for software as well as gaps that need to be addressed
through other test methods, related test tools, and training is published
at https://www.dhs.gov/trusted-tester.

9. Contractor personnel shall possess the knowledge, skills and abilities necessary to
address the accessibility requirements in this work statement.

1.3 Section 508 Deliverables (include in the SOW, PWS, or SOO)

1. Section 508 Test Plans: When developing or modifying ICT pursuant to this contract,
the Contractor shall provide a detailed Section 508 Conformance Test Plan. The Test
Plan shall describe the scope of components that will be tested, an explanation of the test
process that will be used, when testing will be conducted during the project development
life cycle, who will conduct the testing, how test results will be reported, and any key
assumptions.

2. Section 508 Test Results: When developing or modifying ICT pursuant to this contract,
the Contractor shall provide test results in accordance with the Section 508 Requirements
for Technology Services provided in this solicitation.

3. Section 508 Accessibility Conformance Reports: For each ICT item offered through
this contract (including commercially available products, and solutions consisting of ICT
that are developed or modified pursuant to this contract), the Offeror shall provide an
Accessibility Conformance Report (ACR) to document conformance claims against the
applicable Section 508 standards. The ACR shall be based on the Voluntary Product
Accessibility Template Version 2.0 508 (or successor versions). The template can be
found at https://www.itic.org/policy/accessibility/vpat. Each ACR shall be completed by
following all of the instructions provided in the template, including an explanation of the
validation method used as a basis for the conformance claims in the report.

4. Other Section 508 Documentation: The following documentation shall be provided
upon request for ICT items offered through this contract:

o Documentation of features provided to help achieve accessibility and usability for
people with disabilities.
o Documentation on how to configure and install the ICT Item to support
accessibility.
o Documentation of core functions that cannot be accessed by persons with
disabilities.
o Documentation of remediation plans to address non-conformance to the Section
508 standards.

XII. DHS ENTERPRISE ARCHITECTURE COMPLIANCE:

All solutions and services shall meet DHS Enterprise Architecture policies, standards, and
procedures. Specifically, the Contractor shall comply with the following Homeland Security
Enterprise Architecture (HLS EA) requirements:
(a) All developed solutions and requirements shall be compliant with the HLS/FEMA EA.
(b) All IT hardware and/or software shall be compliant with the HLS/FEMA EA Technical
Reference Model (TRM) Standards and Products Profile.
(c) Description information for all data assets, information exchanges and data standards,
whether adopted or developed, shall be submitted to the Enterprise Data Management Office
(EDMO) for review, approval and insertion into the DHS Data Reference Model and Enterprise
Architecture Information Repository.
(d) Development of data assets, information exchanges and data standards will comply with the
DHS Data Management Policy MD 103-01[1] and all data-related artifacts will be developed and
validated according to DHS data management architectural guidelines.
(e) Applicability of IPv6 to DHS-related components (networks, infrastructure, and applications)
specific to individual acquisitions shall be in accordance with the DHS Enterprise Architecture
(per OMB Memorandum M-05-22, August 2, 2005) regardless of whether the acquisition is for
modification, upgrade, or replacement. All EA related component acquisitions shall be IPv6
compliant as defined in the USGv6 Profile (NIST Special Publication 500-267) and the
corresponding declarations of conformance defined in the USGv6 Test Program.

[1] Department of Homeland Security (DHS) Directives System, Enterprise Data Management Policy, 2008.
https://www.dhs.gov/sites/default/files/publications/mgmt_directive_103_01_enterprise_data_management_policy.pdf

XV. RECORDS MANAGEMENT OBLIGATIONS:

A. Applicability

This clause applies to all Contractors whose employees create, work with, or otherwise handle
Federal records, as defined in Section B, regardless of the medium in which the record exists.
B. Definitions
“Federal record” as defined in 44 U.S.C. § 3301, includes all recorded information, regardless of
form or characteristics, made or received by a Federal agency under Federal law or in connection
with the transaction of public business and preserved or appropriate for preservation by that
agency or its legitimate successor as evidence of the organization, functions, policies, decisions,
procedures, operations, or other activities of the United States Government or because of the
informational value of data in them.
The term Federal record:

1. includes FEMA records.
2. does not include personal materials.
3. applies to records created, received, or maintained by Contractors pursuant to their
FEMA contract.
4. may include deliverables and documentation associated with deliverables.

C. Requirements

1. Contractor shall comply with all applicable records management laws and regulations, as
well as National Archives and Records Administration (NARA) records policies,
including but not limited to the Federal Records Act (44 U.S.C. chs. 21, 29, 31, 33),
NARA regulations at 36 CFR Chapter XII Subchapter B, and those policies associated
with the safeguarding of records covered by the Privacy Act of 1974 (5 U.S.C. 552a).
These policies include the preservation of all records, regardless of form or
characteristics, mode of transmission, or state of completion.
2. In accordance with 36 CFR 1222.32, all data created for Government use and delivered
to, or falling under the legal control of, the Government are Federal records subject to the
provisions of 44 U.S.C. chapters 21, 29, 31, and 33, the Freedom of Information Act
(FOIA) (5 U.S.C. 552), as amended, and the Privacy Act of 1974 (5 U.S.C. 552a), as
amended and must be managed and scheduled for disposition only as permitted by statute
or regulation.
3. In accordance with 36 CFR 1222.32, Contractor shall maintain all records created for
Government use or created in the course of performing the contract and/or delivered to,
or under the legal control of the Government and must be managed in accordance with
Federal law. Electronic records and associated metadata must be accompanied by
sufficient technical documentation to permit understanding and use of the records and
data.
4. FEMA and its contractors are responsible for preventing the alienation or unauthorized
destruction of records, including all forms of mutilation. Records may not be removed
from the legal custody of FEMA or destroyed except for in accordance with the
provisions of the agency records schedules and with the written concurrence of the Head
of the Contracting Activity. Willful and unlawful destruction, damage or alienation of
Federal records is subject to the fines and penalties imposed by 18 U.S.C. 2701. In the
event of any unlawful or accidental removal, defacing, alteration, or destruction of
records, Contractor must report to FEMA. The agency must report promptly to NARA in
accordance with 36 CFR 1230.
5. The Contractor shall immediately notify the appropriate Contracting Officer upon
discovery of any inadvertent or unauthorized disclosures of information, data,
documentary materials, records or equipment. Disclosure of non-public information is
limited to authorized personnel with a need-to-know as described in the [contract
vehicle]. The Contractor shall ensure that the appropriate personnel, administrative,
technical, and physical safeguards are established to ensure the security and
confidentiality of this information, data, documentary material, records and/or equipment
is properly protected. The Contractor shall not remove material from Government
facilities or systems, or facilities or systems operated or maintained on the Government’s
behalf, without the express written permission of the Head of the Contracting Activity.
When information, data, documentary material, records and/or equipment is no longer
required, it shall be returned to FEMA control or the Contractor must hold it until
otherwise directed. Items returned to the Government shall be hand carried, mailed,
emailed, or securely electronically transmitted to the Contracting Officer or address
prescribed in the PWS. Destruction of records is EXPRESSLY PROHIBITED unless in
accordance with Paragraph (4).
6. The Contractor is required to obtain the Contracting Officer's approval prior to engaging
in any contractual relationship (sub-Contractor) in support of this contract requiring the
disclosure of information, documentary material and/or records generated under, or
relating to, contracts. The Contractor (and any sub-Contractor) is required to abide by
Government and FEMA guidance for protecting sensitive, proprietary information,
classified, and controlled unclassified information.
7. The Contractor shall only use Government IT equipment for purposes specifically tied to
or authorized by the contract and in accordance with FEMA policy.
8. The Contractor shall not create or maintain any records containing any non-public FEMA
information that are not specifically tied to or authorized by the contract.
9. The Contractor shall not retain, use, sell, or disseminate copies of any deliverable that
contains information covered by the Privacy Act of 1974 or that which is generally
protected from public disclosure by an exemption to the Freedom of Information Act.
10. FEMA owns the rights to all data and records produced as part of this contract. All
deliverables under the contract are the property of the U.S. Government for which FEMA
shall have unlimited rights to use, dispose of, or disclose such data contained therein as it
determines to be in the public interest. Any Contractor rights in the data or deliverables
must be identified as required by FAR 52.227-11 through FAR 52.227-20.
11. Training. All Contractor employees assigned to this contract who create, work with, or
otherwise handle records are required to take FEMA-provided records management
training. The Contractor is responsible for confirming training has been completed
according to agency policies, including initial training and any annual or refresher
training.

XVI. SECURITY REQUIREMENTS:

All personnel require access to information up to the sensitive but unclassified, For Official Use
Only (FOUO) level. The Contractor must ensure contractor employees receive a favorably
adjudicated public trust suitability determination prior to entry on duty (EOD). All individuals
will be U.S. citizens. The contractor shall follow the standards established within DHS and FEMA
policy.

Unauthorized Disclosure of Classified or Unclassified Information:

Contractors and Subcontractors who are working on this contract shall receive Unauthorized
Disclosure of Classified or Unclassified Information training.

Access to the training can be obtained at: Unauthorized Disclosure of Classified Information and
Controlled Unclassified Information (usalearning.gov)

Send the certificate of completion to the FEMA Contracting Officer Representative no later than
30 calendar days after awarded contract. New employees entering the contract must receive the
briefing within ten (10) business days of joining the contract.

OPSEC Training:
Contractors and Subcontractors who are working on this contract shall receive the OPSEC
Awareness Brief.

Access to the briefing can be obtained at OPSEC Awareness for Military Members, DOD
Employees and Contractors (usalearning.gov)

Send the certificate of completion to the FEMA Contracting Officer Representative no later than
30 calendar days after awarded contract. New employees entering the contract must receive the
briefing within ten (10) business days of joining the contract.

Insider Threat Training:

Insider Threat training for Contractors can be found at: Insider Threat Awareness
(usalearning.gov)

Certificate of training is required for all cleared contractor employees who are working with
classified or unclassified information. All certificates must be sent to the assigned FEMA
Contracting Officer Representative, before the Contractor or Subcontractor is granted access to
classified or unclassified information but no later than 30 calendar days after awarded
contract. All cleared contractor personnel are required to recertify Insider Threat training
annually thereafter. New employees entering the contract must receive the briefing within ten
(10) business days of joining the contract.

For Official Use Only (FOUO) Information:
In accordance with DHS Management Directive 11042.1 contractors, consultants and others to
whom access is granted will abide by 11042.1; DHS policy regarding the identification and
safeguarding of sensitive but unclassified information originated within DHS. It also applies to
other sensitive but unclassified information received by DHS from other government and non-
governmental activities.

The contractor will:

1. Be aware of and comply with the safeguarding requirements for “For Official Use Only”
(FOUO) information as outlined in this directive.
2. Participate in formal classroom or computer-based training sessions presented to
communicate the requirements for safeguarding FOUO and other sensitive but unclassified
information.
3. Be aware that divulging information without proper authority could result in administrative
or disciplinary action.

Contractors and Consultants shall execute a DHS Form 11000-6, Sensitive but Unclassified
Information Non Disclosure Agreement (NDA), as a condition of access to such information.
Other individuals not assigned to or contractually obligated to DHS, but to whom access to
information will be granted, may be requested to execute an NDA as determined by the
applicable program manager. Execution of the NDA shall be effective upon date of the DHS
Policy and not applied retroactively.

Foreign Travel and Government-Issued Equipment

Per DHS and FEMA IT policy, FEMA employees and contractors are not authorized to take
government-issued equipment, including cell phones, computers, or tablets such as iPads, outside
of the United States regardless of the reason for travel. If government-issued equipment is
required for official foreign travel, FEMA government employees may request a temporary
loaner device through the Office of the Chief Information Officer Mobility Service Center for
the duration of their trip. FEMA contractors must contact their contracting officer’s
representative (COR) for further guidance.

If your device is detected as operating outside of the United States and its territories it will be
disabled, and your information will be forwarded to the Office of Professional Responsibility for
review.

Background Investigations
All contractor personnel who require access to DHS or FEMA information systems, routine
access to DHS or FEMA facilities, or access to sensitive information, including but not limited to
Personally Identifiable Information (PII), shall be subject to a full background investigation
commensurate with the level of the risk associated with the job function or work being
performed. FEMA’s Personnel Security Division (PSD) will determine the risk designation for
each contractor position by comparing the functions and duties of the position against those of a
same or similar federal position, applying the same standard for evaluating the associated
potential for impact on the integrity and efficiency of federal service.

Low Risk without Information System Access

Contractor personnel occupying positions or performing functions with a Low Risk designation
and who do not require access to DHS or FEMA information systems may undergo a Tier 1
investigation with a credit check and must receive a favorable adjudication thereof from FEMA
PSD prior to performing work under this contract. (also reference Facility Access).

Low Risk with Information System Access

Contractor personnel occupying positions or performing functions with a Low Risk designation
and who require access to DHS or FEMA information systems shall undergo a Tier 2 Suitability
Background Investigation (T2) and must receive a favorable adjudication thereof from FEMA
PSD prior to performing work under this contract.

Moderate Risk
Contractor personnel occupying positions or performing functions with a Moderate Risk
designation shall undergo a Tier 2 Suitability Background Investigation (T2) and must receive a
favorable adjudication thereof from FEMA PSD prior to performing work under this contract.

High Risk
Contractor personnel occupying positions or performing functions with a High Risk designation
shall undergo a Tier 4 Suitability Background Investigation (T4) and must receive a favorable
adjudication thereof from FEMA PSD prior to performing work under this contract.

Background Investigation Process

To initiate the request to process contractor personnel, the Contractor shall provide the FEMA
Contracting Officer’s Representative (COR) with all required information and comply with all
necessary instructions to complete Section II of the FEMA Form 121-3-1-6, “Contract
Fitness/Security Screening Request.” The FEMA COR shall ensure that all other applicable
sections of the FEMA Form 121-3-1-6 are complete prior to submitting the form to FEMA PSD
for processing. The Contractor shall also provide the FEMA COR with completed OF 306,
“Declaration for Federal Employment,” forms for all contractor personnel.

Contractor personnel who already have a favorably adjudicated background investigation, may
be eligible to perform work under this contract without further processing by FEMA PSD if:

▪ the investigation was completed within the last five years,

▪ it meets or exceeds the minimum requirement for the position they will occupy or functions
they will perform on this contract,

▪ the contractor personnel have not had a break in employment since the prior favorable
adjudication, and,

▪ FEMA PSD has verified the investigation and confirmed that no new derogatory information
has been disclosed which may require a reinvestigation.

FEMA PSD will notify the COR of the names of the contractor personnel eligible to work based
on prior, favorable adjudication. The COR will, in turn, notify the Contractor of the names of
the favorably adjudicated contractor personnel, at which time the favorably adjudicated
contractor personnel will be eligible to begin work under this contract.

For those contractor personnel who do not have an acceptable, prior, favorable adjudication or
who otherwise require reinvestigation, FEMA PSD will issue an electronic notification via email
directly to the contractor applicant/personnel that contains the following documents, which are
incorporated into this contract by reference, along with a link to the Office of Personnel
Management’s (OPM) Electronic Questionnaires for Investigation Processing (e-QIP) system
and instructions for submitting the necessary information:

▪ Standard Form 85P, “Questionnaire for Public Trust Positions”

▪ Optional Form 306, “Declaration for Federal Employment”

▪ SF 87, “Fingerprint Card” (2 copies)

▪ DHS Form 11000-6, “Non-Disclosure Agreement”

▪ DHS Form 11000-9, “Disclosure and Authorization Pertaining to Consumer Reports
Pursuant to the Fair Credit Reporting Act”

FEMA PSD will only accept complete packages consisting of all of the above documents and
Standard Form 85P, which must be completed electronically through the Office of Personnel
Management’s e-QIP system. The Contractor is responsible for ensuring that all contractor
personnel timely and properly submit all required background information.

Once contractor personnel have properly submitted the complete package of all required
background information, FEMA’s Personnel Security Division, at its sole discretion, may grant
contractor personnel temporary eligibility to perform work under this contract prior to
completion of the full background investigation if the Personnel Security Division’s initial
review of the contractor personnel’s background information reveals no issues of concern. In
such cases, FEMA’s Personnel Security Division will provide notice of such temporary
eligibility to the COR who will then notify the Prime Contractor, at which time the identified
contractor personnel will be temporarily eligible to begin work under this contract. Neither the
Prime Contractor nor the contractor personnel has any right to such a grant of temporary
eligibility. The grant of such temporary eligibility shall not be considered as assurance that the
contractor personnel will remain eligible to perform work under this contract upon completion of
and final adjudication of the full background investigation.

Upon favorable adjudication of the full background investigation, FEMA’s Personnel Security
Division will update the contractor personnel’s security file and take no further action. In any
instance where the final adjudication results in an unfavorable determination FEMA’s Personnel
Security Division will notify the contractor personnel directly, in writing, of the decision and will
provide the COR with the name(s) of the contractor personnel whose adjudication was
unfavorable. The COR will then forward that information to the Contractor. Contractor
personnel who receive an unfavorable adjudication shall be ineligible to perform work under this
contract. Unfavorable adjudications are final and not subject to review or appeal.

Continued Eligibility and Reinvestigation

Eligibility determinations based on a Low Risk T1, Moderate Risk T2S or High Risk T4 are
valid for five years from the date that the investigation was completed and closed. Contractor
personnel required to undergo a background investigation to perform work under this contract
shall be ineligible to perform work under this contract upon the expiration of the background
investigation unless and until the contractor personnel have undergone a reinvestigation and
FEMA’s Personnel Security Division has renewed their eligibility to perform work under this
contract.

Exclusion by Contracting Officer

The Contracting Officer, independent of FEMA’s Personnel Security Division, may direct the
Contractor be excluded from working on this contract. Any contractor found or deemed to be
unfit or whose continued employment on the contract is deemed contrary to the public interest or
inconsistent with the best interest of the agency may be removed.

FACILITY ACCESS
The Contractor shall comply with FEMA Directive 121-1 “FEMA Personal Identity Verification
Guidance,” FEMA Directive 121-3 “Facility Access,” and FEMA Manual 121-3-1 “FEMA
Credentialing Access Manual,” to arrange for contractor personnel’s access to FEMA facilities,
which includes, but is not limited to, arrangements to obtain any necessary identity badges for
contractor personnel.

Contractor personnel working within any FEMA facility who do not require access to DHS or
FEMA IT systems and do not qualify for a PIV Card may be issued a Facility Access Card
(FAC). FACs cannot exceed 180 days; all contractors requiring access greater than 180 days will
need to qualify for and receive a PIV card before being allowed facility access beyond 180 days.
Contractor personnel shall not receive a FAC until they have submitted a SF 87, “Fingerprint
Card,” and an OF306, Declaration for Federal Employment, and receive approval from FEMA
PSD. Contractor personnel using a FAC for access to FEMA facilities must be escorted in
Critical Infrastructure areas (i.e., server rooms, weapons rooms, mechanical rooms, etc.) at all
times.

FEMA may deny facility access to any contractor personnel whom FEMA’s Office of the Chief
Security Officer has determined to be a potential security threat.

SEPARATION FROM CONTRACT

The Contractor shall notify the FEMA COR of all terminations/resignations within five calendar
days of occurrence. The Contractor must account for all forms of Government-provided
identification issued to contractor employees under a contract (i.e., PIV cards or other similar
badges) and must return such identification to FEMA as soon as any of the following occurs:
• When no longer needed for contract performance.
• Upon completion of a contractor employee’s employment.
• Upon contract completion or termination.

If an identification card or building pass is not available to be returned, the Contractor shall
submit a report to the FEMA COR, referencing the pass or card number, name of the individual
to whom it was issued, and the last known location and disposition of the pass or card.

The Contractor or contractor personnel’s failure to return all DHS- or FEMA-issued
identification cards and building passes upon expiration, upon the contractor personnel’s removal
from the contract, or upon demand by DHS or FEMA may subject the contractor personnel and
the Contractor to civil and criminal liability.

XVII. CYBER HYGIENE AND PRIVACY CLAUSES

Clauses
1) Safeguarding of Sensitive Information (MAR 2015)
2) Information Technology Security and Privacy Training (MAR 2015)
3) HSAR 48 CFR 3052.204-71 Contractor Employee Access
4) 52.204-9 Personal Identity Verification Of Contractor Personnel (JAN 2011)
5) 52.224-1 Privacy Act Notification (APR 1984)
6) 52.224-2 Privacy Act (APR 1984)
7) FAR 52.224-3 Privacy Training

SAFEGUARDING OF SENSITIVE INFORMATION (MAR 2015)
(a) Applicability. This clause applies to the Contractor, its subcontractors, and Contractor
employees (hereafter referred to collectively as “Contractor”). The Contractor shall insert the
substance of this clause in all subcontracts.

(b) Definitions. As used in this clause—

“Personally Identifiable Information (PII)” means information that can be used to distinguish or
trace an individual's identity, such as name, social security number, or biometric records, either
alone, or when combined with other personal or identifying information that is linked or linkable
to a specific individual, such as date and place of birth, or mother’s maiden name. The definition
of PII is not anchored to any single category of information or technology. Rather, it requires a
case-by-case assessment of the specific risk that an individual can be identified. In performing
this assessment, it is important for an agency to recognize that non-personally identifiable
information can become personally identifiable information whenever additional information is
made publicly available—in any medium and from any source—that, combined with other
available information, could be used to identify an individual.

PII is a subset of sensitive information. Examples of PII include, but are not limited to: name,
date of birth, mailing address, telephone number, Social Security number (SSN), email address,
zip code, account numbers, certificate/license numbers, vehicle identifiers including license
plates, uniform resource locators (URLs), static Internet protocol addresses, biometric identifiers
such as fingerprint, voiceprint, iris scan, photographic facial images, or any other unique
identifying number or characteristic, and any information where it is reasonably foreseeable that
the information will be linked with other information to identify the individual.

“Sensitive Information” is defined in HSAR clause 3052.204-71, Contractor Employee Access, as
any information, which if lost, misused, disclosed, or, without authorization is accessed, or
modified, could adversely affect the national or homeland security interest, the conduct of Federal
programs, or the privacy to which individuals are entitled under section 552a of Title 5, United
States Code (the Privacy Act), but which has not been specifically authorized under criteria
established by an Executive Order or an Act of Congress to be kept secret in the interest of
national defense, homeland security or foreign policy. This definition includes the following
categories of information:

(1) Protected Critical Infrastructure Information (PCII) as set out in the Critical Infrastructure
Information Act of 2002 (Title II, Subtitle B, of the Homeland Security Act, Public Law 107-296,
116 Stat. 2135), as amended, the implementing regulations thereto (Title 6, Code of Federal
Regulations, Part 29) as amended, the applicable PCII Procedures Manual, as amended, and any
supplementary guidance officially communicated by an authorized official of the Department of
Homeland Security (including the PCII Program Manager or his/her designee);

(2) Sensitive Security Information (SSI), as defined in Title 49, Code of Federal Regulations, Part
1520, as amended, “Policies and Procedures of Safeguarding and Control of SSI,” as amended,
and any supplementary guidance officially communicated by an authorized official of the
Department of Homeland Security (including the Assistant Secretary for the Transportation
Security Administration or his/her designee);

(3) Information designated as “For Official Use Only,” which is unclassified information of a
sensitive nature and the unauthorized disclosure of which could adversely impact a person’s
privacy or welfare, the conduct of Federal programs, or other programs or operations essential to
the national or homeland security interest; and

(4) Any information that is designated “sensitive” or subject to other controls, safeguards or
protections in accordance with subsequently adopted homeland security information handling
procedures.

“Sensitive Information Incident” is an incident that includes the known, potential, or suspected
exposure, loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or
unauthorized access or attempted access of any Government system, Contractor system, or
sensitive information.

“Sensitive Personally Identifiable Information (SPII)” is a subset of PII, which if lost,
compromised or disclosed without authorization, could result in substantial harm, embarrassment,
inconvenience, or unfairness to an individual. Some forms of PII are sensitive as stand-alone
elements. Examples of such PII include: Social Security numbers (SSN), driver’s license or state
identification number, Alien Registration Numbers (A-number), financial account number, and
biometric identifiers such as fingerprint, voiceprint, or iris scan. Additional examples include any
groupings of information that contain an individual’s name or other unique identifier plus one or
more of the following elements:

(1) Truncated SSN (such as last 4 digits)
(2) Date of birth (month, day, and year)
(3) Citizenship or immigration status
(4) Ethnic or religious affiliation
(5) Sexual orientation
(6) Criminal History
(7) Medical Information
(8) System authentication information such as mother’s maiden name, account passwords or
personal identification numbers (PIN)

Other PII may be “sensitive” depending on its context, such as a list of employees and their
performance ratings or an unlisted home address or phone number. In contrast, a business card or
public telephone directory of agency employees contains PII but is not sensitive.
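As an added illustration of how the two SPII rules above combine (the stand-alone elements, and a name or other unique identifier paired with one of elements (1) through (8)), the following Python classifies a record as SPII, PII or neither, and also scans free-text fields for a full SSN, which is stand-alone SPII wherever it appears. This is example code written for this page, not FEMA GO, SPARTA or DHS code; the field names are assumptions chosen for illustration and are not the schema of any FEMA system, and the sample records at the bottom are constructed.

```python
"""Record classifier for the PII / SPII definitions in paragraph (b).

Added example for this page; it is not FEMA GO, SPARTA or DHS code.
The field names below are assumptions chosen for illustration, not the
schema of any FEMA system. Everything runs on the standard library.
"""
import re
from typing import Dict, Iterable, Set

# Elements the clause calls sensitive as stand-alone items.
STANDALONE_SPII: Set[str] = {
    "ssn", "drivers_license", "state_id_number", "a_number",
    "financial_account", "fingerprint", "voiceprint", "iris_scan",
}

# Elements (1)-(8) that become SPII only when paired with a name or
# other unique identifier.
PAIRED_SPII: Set[str] = {
    "ssn_last4", "date_of_birth", "citizenship_status",
    "ethnic_or_religious_affiliation", "sexual_orientation",
    "criminal_history", "medical_information",
    "mothers_maiden_name", "password", "pin",
}

# Fields that act as the "name or other unique identifier" half of a pair.
IDENTIFIERS: Set[str] = {
    "name", "first_name", "last_name", "applicant_id", "employee_id",
}

# Non-sensitive PII examples taken from the PII definition.
OTHER_PII: Set[str] = {
    "email", "phone", "mailing_address", "zip_code", "license_plate",
    "static_ip", "url",
}

# A full SSN is stand-alone SPII wherever it appears, including free
# text such as notes or e-mail subject lines, so those are scanned too.
# The negative lookaheads exclude area, group and serial values that the
# SSA never issues, which cuts false positives on other 3-2-4 numbers.
FULL_SSN = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
FREE_TEXT_FIELDS = ("notes", "subject", "body")


def populated(record: Dict[str, object]) -> Set[str]:
    """Keys whose value is neither None nor blank; an empty DOB field
    does not make a record SPII."""
    return {k for k, v in record.items() if v is not None and str(v).strip()}


def ssns_in_free_text(record: Dict[str, object],
                      fields: Iterable[str] = FREE_TEXT_FIELDS) -> Set[str]:
    """Full SSNs found in the free-text fields of the record."""
    found: Set[str] = set()
    for f in fields:
        found.update(FULL_SSN.findall(str(record.get(f, "") or "")))
    return found


def classify(record: Dict[str, object]) -> str:
    """Return "SPII", "PII" or "NONE" for one record.

    Order matters: stand-alone elements win outright, then the
    identifier-plus-element rule, then anything that is merely PII.
    A truncated SSN with no identifier is treated as plain PII here,
    which is a conservative design choice, not something the clause
    states.
    """
    fields = populated(record)
    if fields & STANDALONE_SPII or ssns_in_free_text(record):
        return "SPII"
    if fields & IDENTIFIERS and fields & PAIRED_SPII:
        return "SPII"
    if fields & (IDENTIFIERS | PAIRED_SPII | OTHER_PII):
        return "PII"
    return "NONE"


def main() -> None:
    # Constructed sample records, not real data.
    samples = [
        {"name": "Jane Roe", "ssn_last4": "6789"},
        {"name": "Jane Roe", "email": "jane.roe@example.com"},
        {"subject": "re: applicant 123-45-6789 budget question"},
        {"name": "Jane Roe", "date_of_birth": "   "},
        {"award_amount": 125000, "award_year": 2022},
    ]
    for rec in samples:
        print(f"{classify(rec):5} {rec}")


if __name__ == "__main__":
    main()
```

The classifier only encodes the examples the clause enumerates; the definition itself says the PII determination is case-by-case and context-dependent (the employee-ratings and unlisted-address examples above), so a field-name match is a floor, not a ceiling, and a record tagged PII here may still be sensitive in context.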

(c) Authorities. The Contractor shall follow all current versions of Government policies and
guidance accessible at http://www.dhs.gov/dhs-security-and-training-requirements-contractors, or
available upon request from the Contracting Officer, including but not limited to:

(1) DHS Management Directive 11042.1 Safeguarding Sensitive But Unclassified (for
Official Use Only) Information
(2) DHS Sensitive Systems Policy Directive 4300A
(3) DHS 4300A Sensitive Systems Handbook and Attachments
(4) DHS Security Authorization Process Guide
(5) DHS Handbook for Safeguarding Sensitive Personally Identifiable Information

(6) DHS Instruction Handbook 121-01-007 Department of Homeland Security Personnel
Suitability and Security Program
(7) DHS Information Security Performance Plan (current fiscal year)
(8) DHS Privacy Incident Handling Guidance
(9) Federal Information Processing Standard (FIPS) 140-2 Security Requirements for
Cryptographic Modules accessible at http://csrc.nist.gov/groups/STM/cmvp/standards.html
(10) National Institute of Standards and Technology (NIST) Special Publication 800-53
Security and Privacy Controls for Federal Information Systems and Organizations accessible at
http://csrc.nist.gov/publications/PubsSPs.html
(11) NIST Special Publication 800-88 Guidelines for Media Sanitization accessible at
http://csrc.nist.gov/publications/PubsSPs.html

(d) Handling of Sensitive Information. Contractor compliance with this clause, as well as the
policies and procedures described below, is required.

(1) Department of Homeland Security (DHS) policies and procedures on Contractor
personnel security requirements are set forth in various Management Directives (MDs),
Directives, and Instructions. MD 11042.1, Safeguarding Sensitive But Unclassified (For Official
Use Only) Information describes how Contractors must handle sensitive but unclassified
information. DHS uses the term “FOR OFFICIAL USE ONLY” to identify sensitive but
unclassified information that is not otherwise categorized by statute or regulation. Examples of
sensitive information that are categorized by statute or regulation are PCII, SSI, etc. The DHS
Sensitive Systems Policy Directive 4300A and the DHS 4300A Sensitive Systems Handbook
provide the policies and procedures on security for Information Technology (IT) resources. The
DHS Handbook for Safeguarding Sensitive Personally Identifiable Information provides
guidelines to help safeguard SPII in both paper and electronic form. DHS Instruction Handbook
121-01-007 Department of Homeland Security Personnel Suitability and Security Program
establishes procedures, program responsibilities, minimum standards, and reporting protocols for
the DHS Personnel Suitability and Security Program.

(2) The Contractor shall not use or redistribute any sensitive information processed, stored,
and/or transmitted by the Contractor except as specified in the contract.

(3) All Contractor employees with access to sensitive information shall execute DHS Form
11000-6, Department of Homeland Security Non-Disclosure Agreement (NDA), as a condition of
access to such information. The Contractor shall maintain signed copies of the NDA for all
employees as a record of compliance. The Contractor shall provide copies of the signed NDA to
the Contracting Officer’s Representative (COR) no later than two (2) days after execution of the
form.

(4) The Contractor’s invoicing, billing, and other recordkeeping systems maintained to
support financial or other administrative functions shall not maintain SPII. It is acceptable to
maintain in these systems the names, titles and contact information for the COR or other
Government personnel associated with the administration of the contract, as needed.

(e) Authority to Operate. The Contractor shall not input, store, process, output, and/or
transmit sensitive information within a Contractor IT system without an Authority to Operate
(ATO) signed by the Headquarters or Component CIO, or designee, in consultation with the

Headquarters or Component Privacy Officer. Unless otherwise specified in the ATO letter, the
ATO is valid for three (3) years. The Contractor shall adhere to current Government policies,
procedures, and guidance for the Security Authorization (SA) process as defined below.

(1) Complete the Security Authorization process. The SA process shall proceed according to
the DHS Sensitive Systems Policy Directive 4300A (Version 11.0, April 30, 2014), or any
successor publication, DHS 4300A Sensitive Systems Handbook (Version 9.1, July 24, 2012), or
any successor publication, and the Security Authorization Process Guide including templates.

(i) Security Authorization Process Documentation. SA documentation shall be developed
using the Government provided Requirements Traceability Matrix and Government security
documentation templates. SA documentation consists of the following: Security Plan,
Contingency Plan, Contingency Plan Test Results, Configuration Management Plan, Security
Assessment Plan, Security Assessment Report, and Authorization to Operate Letter. Additional
documents that may be required include a Plan(s) of Action and Milestones and Interconnection
Security Agreement(s). During the development of SA documentation, the Contractor shall
submit a signed SA package, validated by an independent third party, to the COR for acceptance
by the Headquarters or Component CIO, or designee, at least thirty (30) days prior to the date of
operation of the IT system. The Government is the final authority on the compliance of the SA
package and may limit the number of resubmissions of a modified SA package. Once the ATO
has been accepted by the Headquarters or Component CIO, or designee, the Contracting Officer
shall incorporate the ATO into the contract as a compliance document. The Government’s
acceptance of the ATO does not alleviate the Contractor’s responsibility to ensure the IT system
controls are implemented and operating effectively.

(ii) Independent Assessment. Contractors shall have an independent third party validate the
security and privacy controls in place for the system(s). The independent third party shall review
and analyze the SA package, and report on technical, operational, and management level
deficiencies as outlined in NIST Special Publication 800-53 Security and Privacy Controls for
Federal Information Systems and Organizations. The Contractor shall address all deficiencies
before submitting the SA package to the Government for acceptance.

(iii) Support the completion of the Privacy Threshold Analysis (PTA) as needed. As part of the SA
process, the Contractor may be required to support the Government in the completion of the PTA.
The requirement to complete a PTA is triggered by the creation, use, modification, upgrade, or
disposition of a Contractor IT system that will store, maintain and use PII, and must be renewed
at least every three (3) years. Upon review of the PTA, the DHS Privacy Office determines
whether a Privacy Impact Assessment (PIA) and/or Privacy Act System of Records Notice
(SORN), or modifications thereto, are required. The Contractor shall provide all support
necessary to assist the Department in completing the PIA in a timely manner and shall ensure that
project management plans and schedules include time for the completion of the PTA, PIA, and
SORN (to the extent required) as milestones. Support in this context includes responding timely
to requests for information from the Government about the use, access, storage, and maintenance
of PII on the Contractor’s system, and providing timely review of relevant compliance documents
for factual accuracy. Information on the DHS privacy compliance process, including PTAs, PIAs,
and SORNs, is accessible at http://www.dhs.gov/privacy-compliance.

(2) Renewal of ATO. Unless otherwise specified in the ATO letter, the ATO shall be
renewed every three (3) years. The Contractor is required to update its SA package as part of the
ATO renewal process. The Contractor shall update its SA package by one of the following
methods:

(i) Updating the SA documentation in the DHS automated information assurance tool for
acceptance by the Headquarters or Component CIO, or designee, at least 90 days before the ATO
expiration date for review and verification of security controls; or

(ii) Submitting an updated SA package directly to the COR for approval by the Headquarters or
Component CIO, or designee, at least 90 days before the ATO expiration date for review and
verification of security controls.

The 90-day review process is independent of the system production date, and therefore it is
important that the Contractor build the review into project schedules. The reviews may include
onsite visits that involve physical or logical inspection of the Contractor environment to ensure
controls are in place.

(3) Security Review. The Government may elect to conduct random periodic reviews to
ensure that the security requirements contained in this contract are being implemented and
enforced. The Contractor shall afford DHS, the Office of the Inspector General, and other
Government organizations access to the Contractor’s facilities, installations, operations,
documentation, databases and personnel used in the performance of this contract. The Contractor
shall, through the Contracting Officer and COR, contact the Headquarters or Component CIO, or
designee, to coordinate and participate in review and inspection activity by Government
organizations external to the DHS. Access shall be provided, to the extent necessary as
determined by the Government, for the Government to carry out a program of inspection,
investigation, and audit to safeguard against threats and hazards to the integrity, availability and
confidentiality of Government data or the function of computer systems used in performance of
this contract and to preserve evidence of computer crime.

(4) Continuous Monitoring. All Contractor-operated systems that input, store, process,
output, and/or transmit sensitive information shall meet or exceed the continuous monitoring
requirements identified in the Fiscal Year 2014 DHS Information Security Performance Plan, or
successor publication. The plan is updated on an annual basis. The Contractor shall also store
monthly continuous monitoring data at its location for a period not less than one year from the
date the data is created. The data shall be encrypted in accordance with FIPS 140-2 Security
Requirements for Cryptographic Modules and shall not be stored on systems that are shared with
other commercial or Government entities. The Government may elect to perform continuous
monitoring and IT security scanning of Contractor systems from Government tools and
infrastructure.

(5) Revocation of ATO. In the event of a sensitive information incident, the Government
may suspend or revoke an existing ATO (either in part or in whole). If an ATO is suspended or
revoked in accordance with this provision, the Contracting Officer may direct the Contractor to
take additional security measures to secure sensitive information. These measures may include
restricting access to sensitive information on the Contractor IT system under this
contract. Restricting access may include disconnecting the system processing, storing, or
transmitting the sensitive information from the Internet or other networks or applying additional
security controls.

(6) Federal Reporting Requirements. Contractors operating information systems on behalf of
the Government or operating systems containing sensitive information shall comply with Federal
reporting requirements. Annual and quarterly data collection will be coordinated by the
Government. Contractors shall provide the COR with requested information within three (3)
business days of receipt of the request. Reporting requirements are determined by the
Government and are defined in the Fiscal Year 2014 DHS Information Security Performance
Plan, or successor publication. The Contractor shall provide the Government with all information
to fully satisfy Federal reporting requirements for Contractor systems.

(f) Sensitive Information Incident Reporting Requirements.

(1) All known or suspected sensitive information incidents shall be reported to the
Headquarters or Component Security Operations Center (SOC) within one hour of discovery in
accordance with 4300A Sensitive Systems Handbook Incident Response and Reporting
requirements. When notifying the Headquarters or Component SOC, the Contractor shall also
notify the Contracting Officer, COR, Headquarters or Component Privacy Officer, and US-CERT
using the contact information identified in the contract. If the incident is reported by phone or the
Contracting Officer’s email address is not immediately available, the Contractor shall contact the
Contracting Officer immediately after reporting the incident to the Headquarters or Component
SOC. The Contractor shall not include any sensitive information in the subject or body of any e-
mail. To transmit sensitive information, the Contractor shall use FIPS 140-2 Security
Requirements for Cryptographic Modules compliant encryption methods to protect sensitive
information in attachments to email. Passwords shall not be communicated in the same email as
the attachment. A sensitive information incident shall not, by itself, be interpreted as evidence
that the Contractor has failed to provide adequate information security safeguards for sensitive
information, or has otherwise failed to meet the requirements of the contract.

(2) If a sensitive information incident involves PII or SPII, in addition to the reporting
requirements in 4300A Sensitive Systems Handbook Incident Response and Reporting,
Contractors shall also provide as many of the following data elements that are available at the
time the incident is reported, with any remaining data elements provided within 24 hours of
submission of the initial incident report:

(i) Data Universal Numbering System (DUNS);
(ii) Contract numbers affected unless all contracts by the company are affected;
(iii) Facility CAGE code if the location of the event is different than the prime Contractor
location;
(iv) Point of contact (POC) if different than the POC recorded in the System for Award
Management (address, position, telephone, email);
(v) Contracting Officer POC (address, telephone, email);
(vi) Contract clearance level;
(vii) Name of subcontractor and CAGE code if this was an incident on a subcontractor
network;
(viii) Government programs, platforms or systems involved;
(ix) Location(s) of incident;
(x) Date and time the incident was discovered;
(xi) Server names where sensitive information resided at the time of the incident, both at the
Contractor and subcontractor level;

(xii) Description of the Government PII and/or SPII contained within the system;
(xiii) Number of people potentially affected and the estimate or actual number of records
exposed and/or contained within the system; and
(xiv) Any additional information relevant to the incident.

(g) Sensitive Information Incident Response Requirements.

(1) All determinations related to sensitive information incidents, including response
activities, notifications to affected individuals and/or Federal agencies, and related services (e.g.,
credit monitoring) will be made in writing by the Contracting Officer in consultation with the
Headquarters or Component CIO and Headquarters or Component Privacy Officer.

(2) The Contractor shall provide full access and cooperation for all activities determined by
the Government to be required to ensure an effective incident response, including providing all
requested images, log files, and event information to facilitate rapid resolution of sensitive
information incidents.

(3) Incident response activities determined to be required by the Government may include,
but are not limited to, the following:

(i) Inspections,
(ii) Investigations,
(iii) Forensic reviews, and
(iv) Data analyses and processing.

(4) The Government, at its sole discretion, may obtain the assistance from other Federal
agencies and/or third-party firms to aid in incident response activities.

(h) Additional PII and/or SPII Notification Requirements.

(1) The Contractor shall have in place procedures and the capability to notify any individual
whose PII resided in the Contractor IT system at the time of the sensitive information incident not
later than 5 business days after being directed to notify individuals, unless otherwise approved by
the Contracting Officer. The method and content of any notification by the Contractor shall be
coordinated with, and subject to prior written approval by the Contracting
Officer, in consultation with the Headquarters or Component Privacy Officer, utilizing the DHS
Privacy Incident Handling Guidance. The Contractor shall not proceed with notification unless
the Contracting Officer, in consultation with the Headquarters or Component Privacy Officer, has
determined in writing that notification is appropriate.

(2) Subject to Government analysis of the incident and the terms of its instructions to the
Contractor regarding any resulting notification, the notification method may consist of letters to
affected individuals sent by first class mail, electronic means, or general public notice, as
approved by the Government. Notification may require the Contractor’s use of address
verification and/or address location services. At a minimum, the notification shall include:

(i) A brief description of the incident;
(ii) A description of the types of PII and SPII involved;
(iii) A statement as to whether the PII or SPII was encrypted or protected by other means;
(iv) Steps individuals may take to protect themselves;
(v) What the Contractor and/or the Government are doing to investigate the incident, to
mitigate the incident, and to protect against any future incidents; and
(vi) Information identifying who individuals may contact for additional information.

(i) Credit Monitoring Requirements. In the event that a sensitive information incident
involves PII or SPII, the Contractor may be required to, as directed by the Contracting Officer:

(1) Provide notification to affected individuals as described above; and/or

(2) Provide credit monitoring services to individuals whose data was under the control of the
Contractor or resided in the Contractor IT system at the time of the sensitive information incident
for a period beginning the date of the incident and extending not less than 18 months from the
date the individual is notified. Credit monitoring services shall be provided from a company with
which the Contractor has no affiliation. At a minimum, credit monitoring services shall include:

(i) Triple credit bureau monitoring;
(ii) Daily customer service;
(iii) Alerts provided to the individual for changes and fraud; and
(iv) Assistance to the individual with enrollment in the services and the use of fraud alerts;
and/or

(3) Establish a dedicated call center. Call center services shall include:

(i) A dedicated telephone number to contact customer service within a fixed period;
(ii) Information necessary for registrants/enrollees to access credit reports and credit scores;
(iii) Weekly reports on call center volume, issue escalation (i.e., those calls that cannot be
handled by call center staff and must be resolved by call center management or DHS, as
appropriate), and other key metrics;
(iv) Escalation of calls that cannot be handled by call center staff to call center management
or DHS, as appropriate;
(v) Customized FAQs, approved in writing by the Contracting Officer in coordination with
the Headquarters or Component Chief Privacy Officer; and
(vi) Information for registrants to contact customer service representatives and fraud
resolution representatives for credit monitoring assistance.

(j) Certification of Sanitization of Government and Government-Activity-Related Files and
Information. As part of contract closeout, the Contractor shall submit the certification to the COR
and the Contracting Officer following the template provided in NIST Special Publication 800-88
Guidelines for Media Sanitization.

XVIII. INFORMATION TECHNOLOGY SECURITY AND PRIVACY TRAINING (MAR 2015)

Applicability. This clause applies to the Contractor, its subcontractors, and Contractor employees
(hereafter referred to collectively as “Contractor”). The Contractor shall insert the substance of
this clause in all subcontracts.

Security Training Requirements.

All users of Federal information systems are required by Title 5, Code of Federal Regulations,
Part 930.301, Subpart C, as amended, to be exposed to security awareness materials annually or
whenever system security changes occur, or when the user’s responsibilities change. The
Department of Homeland Security (DHS) requires that Contractor employees take an annual
Information Technology Security Awareness Training course before accessing sensitive
information under the contract. Unless otherwise specified, the training shall be completed within
thirty (30) days of contract award and be completed on an annual basis thereafter not later than
October 31st of each year. Any new Contractor employees assigned to the contract shall
complete the training before accessing sensitive information under the contract. The training is
accessible at http://www.dhs.gov/dhs-security-and-training-requirements-contractors. The
Contractor shall maintain copies of training certificates for all Contractor and subcontractor
employees as a record of compliance. Unless otherwise specified, initial training certificates for
each Contractor and subcontractor employee shall be provided to the Contracting Officer’s
Representative (COR) not later than thirty (30) days after contract award. Subsequent training
certificates to satisfy the annual training requirement shall be submitted to the COR via e-mail
notification not later than October 31st of each year. The e-mail notification shall state the
required training has been completed for all Contractor and subcontractor employees.

The DHS Rules of Behavior apply to every DHS employee, Contractor and subcontractor that
will have access to DHS systems and sensitive information. The DHS Rules of Behavior shall be
signed before accessing DHS systems and sensitive information. The DHS Rules of Behavior is a
document that informs users of their responsibilities when accessing DHS systems and holds
users accountable for actions taken while accessing DHS systems and using DHS Information
Technology resources capable of inputting, storing, processing, outputting, and/or transmitting
sensitive information. The DHS Rules of Behavior is accessible at http://www.dhs.gov/dhs-
security-and-training-requirements-contractors. Unless otherwise specified, the DHS Rules of
Behavior shall be signed within thirty (30) days of contract award. Any new Contractor
employees assigned to the contract shall also sign the DHS Rules of Behavior before accessing
DHS systems and sensitive information. The Contractor shall maintain signed copies of the DHS
Rules of Behavior for all Contractor and subcontractor employees as a record of compliance.
Unless otherwise specified, the Contractor shall e-mail copies of the signed DHS Rules of
Behavior to the COR not later than thirty (30) days after contract award for each employee. The
DHS Rules of Behavior will be reviewed annually and the COR will provide notification when a
review is required.

Privacy Training Requirements. All Contractor and subcontractor employees that will have access
to Personally Identifiable Information (PII) and/or Sensitive PII (SPII) are required to take
Privacy at DHS: Protecting Personal Information before accessing PII and/or SPII. The training
is accessible at http://www.dhs.gov/dhs-security-and-training-requirements-contractors.
Training shall be completed within thirty (30) days of contract award and be completed on an
annual basis thereafter not later than October 31st of each year. Any new Contractor employees
assigned to the contract shall also complete the training before accessing PII and/or SPII. The
Contractor shall maintain copies of training certificates for all Contractor and subcontractor
employees as a record of compliance. Initial training certificates for each Contractor and
subcontractor employee shall be provided to the COR not later than thirty (30) days after contract
award. Subsequent training certificates to satisfy the annual training requirement shall be
submitted to the COR via e-mail notification not later than October 31st of each year. The e-mail
notification shall state the required training has been completed for all Contractor and
subcontractor employees.

XIX. PRIVACY REQUIREMENTS RESPONSIBILITIES

To accomplish the tasks outlined in this contract, FEMA will provide the contractor access to the
Grants Technology Division Streamlined Platform for Agile Release and Transformation
Acceleration (SPARTA) and all of the PII/SPII that is contained within SPARTA.

The information sharing outlined in this contract is authorized by the following System of
Records Notice(s) and Routine Use(s):

DHS/FEMA-004 Non-Disaster Grant Management Information Files March 13, 2015, 80 FR
13404; covers the collection of non-disaster grant information; Routine Use F.

DHS/FEMA-008 Disaster Recovery Assistance Files April 30, 2013, 78 FR 25282; covers the
collection of IA disaster survivor information. All these SORNs collect information for the
purpose of registering, tracking, and administering FEMA grant programs, Routine Use F.

DHS/FEMA-009 Hazard Mitigation Disaster Public Assistance and Disaster Loan Programs
March 24, 2014, 79 FR 16015, SORN covers disaster-related grants and loans; Routine Use F.

DHS/ALL-004 General Information Technology Access Account Records System (GITAARS)
November 27, 2012, 77 FR 70792; SORN covers user information collected to grant access to
the IT systems supporting FEMA’s disaster grant programs; Routine Use F.

DHS/ALL-026 Department of Homeland Security Personal Identity Verification Management
System June 25, 2009, 74 FR 30301; Routine Use F.

The information sharing outlined in this contract is authorized by the following Privacy Impact
Assessments:

DHS/FEMA/PIA-052 Grants Management Modernization (GMM). FEMA Privacy recommends
coverage under this PIA since changes to the PTA are mostly administrative and do not affect the
privacy risks of the system.

The contractors will also have access to the PII (first name, last name, email address, and work
phone number) of FEMA employees via the Global Address List (GAL) by way of FEMA laptop
use. This information sharing is authorized by Routine Use F of DHS/ALL-014 Department of
Homeland Security Personnel Contact Information, March 16, 2018, 83 FR 11780. The
information sharing is also covered by the following Privacy Impact Assessments:
DHS/ALL/PIA-015 Web Portal and DHS/ALL/PIA-059 Employee Collaboration Tool.

Responsibilities – “Need to Know” Access to PII

The contractor will limit access to the PII provided by FEMA under this contract only to the
contractor’s authorized personnel who need to know the information to accomplish the tasks
outlined in this contract.

Responsibilities – Prohibition on Computer Matching
The contractor shall ensure no computer matching, as that term is defined in 5 U.S.C. § 552a(o),
will occur for the purpose of establishing or verifying eligibility or compliance as it relates to
cash or in-kind assistance or payments under federal benefit programs.

Recipient Requirement
If at any time during the term of this contract any part of FEMA PII, in any form, that the
contractor obtains from FEMA ceases to be required by the contractor for the performance of the
contract, or upon termination of the contract, whichever occurs first, the contractor shall, within
fourteen (14) days thereafter, promptly notify FEMA and securely return PII to FEMA, or, at
FEMA’s written request destroy, un-install and/or remove all copies of such PII in the
contractor’s possession or control, and certify in writing to FEMA that such tasks have been
completed.

Authorities
The information sharing outlined in this contract is authorized by the Robert T. Stafford
Disaster Relief and Emergency Assistance Act, as amended, 42 U.S.C. §§ 5121-5206 (2013); the
Debt Collection Improvement Act of 1996 (31 U.S.C. § 7701(c)(2)); the Homeland Security Act
of 2002, Pub. L. No. 107-296, Title V (2002) (codified as amended at 6 U.S.C. §§ 311-321n); the
Privacy Act of 1974 as amended (2012), 5 U.S.C. § 552a et seq. (Privacy Act).

(End of PERFORMANCE WORK STATEMENT)
