Exhibit 2200: Heat Treat Flowdown Requirements

The following paragraphs are taken from Bestweld Inc.’s Quality Manual. Exhibit 2200: Flowdown requirements and purchase order supplemental requirements for Heat Treat

ORDER OF PRECEDENCE. Any inconsistencies in this Purchase Order shall be resolved in the following order: (i) Purchase Order exclusive of appendices, drawings, specifications and other plans or documents, (ii) appendices, (iii) drawings and specifications, (iv) other plans or documents referenced in the Purchase Order. Seller shall immediately bring any inconsistencies to the attention of the Purchaser in writing.

Purpose: In support of Bestweld Quality System, the following are flow down requirements for U.S. Naval Shipbuilding and Ship Repair

MERCURY – All goods delivered under this Purchase Order shall not contain or have come in direct contact with mercury, mercury compounds or with any mercury containing device employing a single boundary of containment. Mercury contamination will be cause for rejection of the goods.

LIMITATIONS ON SULPHUR CONTENT – Gas or oil-fired furnaces used to heat-treat Cu-Ni, Nickel-Chromium-Iron (Ni-Cr-Fe) Alloy 600, and Nickel-Copper (Ni-Cu) pressure boundary parts shall have the following limitations on Sulfur content:

  • Gas: 30 grains per 100 cubic foot
  • Oil: 0.5 percent by weight

POLYCHLORINATED BIPHENYLS PROHIBITION – Seller shall not tender for delivery Products that are known or suspected of containing polychlorinated biphenyls.

COMPLIANCE WITH LAWS AND WORKSITE SAFETY. In performing work under this Purchase Order, Seller shall comply with all applicable foreign or domestic laws, ordinances and regulations to include but not limited to the Occupational Safety and Health and Toxic Substance Control Acts.

DELIVERY OF SELLER DATA

All drawings, procedures, manuals, forms, test reports, software (including software documentation) and other data that is required to be delivered under this Order (“Seller Data”) shall comply with the terms of this Order. Seller Data shall be delivered to Buyer on or before the time specified in this Order, or if no time is specified, 45 days after receipt of this Order. Seller shall submit Seller Data to the Buyer address shown on the first page of this Order unless otherwise specified in this Order. If no delivery information is specified or Seller is unsure of where to send the Seller Data, Seller shall contact Buyer’s authorized purchasing representative for further instructions. Buyer may withhold payment if Seller fails to deliver any Seller Data in accordance with the terms of this Order. When furnished with the shipment, Seller shall enclose all required Seller Data in the first box of the shipment and mark, CERTIFICATES AND/OR TEST REPORTS ENCLOSED.

The use of yellow tape, wrapping and plastic pipe caps is strictly prohibited.

Bestweld, Inc. – PO Supplemental Requirements for Heat Treat

Flow down of Customer Requirements to Suppliers and Subcontractors – These Clauses shall be imposed as required for specific orders by agreement between the Bestweld buyer and seller.

DOD RATED ORDER.

  1. This Order supports Buyer’s work under a Prime Contract with the U.S. Government. Applicable priority rating defaults to “DO,” unless otherwise stated on the face of this Order. This is a rated Order certified for national defense use. Seller is required to follow the requirements of the defense priorities and allocation system regulation (15 CFR Part 700) and all other applicable regulations for obtaining controlled Products and other Products and Services needed to fill this Order.
  2. Seller shall include the substance of this provision in all subcontracts Seller places in support of this Order.

INSPECTION.

  1. Except as otherwise provided in this Order, Seller shall maintain an inspection and quality control system acceptable to Buyer to be performed on Products delivered under this Order. As part of the system, Seller shall prepare records evidencing all inspections made under the system and the outcome. Buyer or Buyer’s customer shall have the right to perform reviews and evaluations as reasonably necessary to ascertain Seller compliance with an inspection or quality control system that is acceptable. The right of review, whether exercised or not, does not relieve Seller of its obligations under this Order.
  2. Buyer or Buyer’s customer has the right to inspect and test all Products to the extent practicable, at all places and times, including the period of manufacture, and in any event before acceptance. Buyer assumes no contractual obligation to perform any inspection and test for the benefit of Seller. If Buyer or Buyer’s customer performs an inspection or test on the premises of Seller or a subcontractor of Seller, Seller shall furnish, and shall require its subcontractors to furnish, at no increase in Order price, all reasonable facilities and assistance for the safe and convenient performance of such inspection and test. Buyer reserves the right to charge to Seller any additional cost of inspection or test by Buyer or Buyer’s customer when (1) Products are not ready at the time such inspection or test is required by this Order or has been otherwise scheduled by mutual agreement of the parties, or (2) reinspection or retest of the Products is necessitated by prior rejection
  3. Buyer has the right either to reject or to require correction of nonconforming Products. Products are nonconforming when they are defective in material or workmanship or are otherwise not in conformity with requirements of this Order. Buyer may reject nonconforming supplies with or without disposition instructions.
  4. Seller shall remove Products rejected or required to be corrected; however, Buyer may require or permit correction in place, promptly after notice, by and at the expense of Seller. Seller shall not tender for acceptance corrected or rejected supplies without disclosing the former rejection or requirement for correction, and, when required, shall disclose the corrective action taken.

Bestweld, Inc. – PO Supplemental Requirements for Heat Treat

Flow down of Customer Requirements to Suppliers and Subcontractors – These Clauses shall be imposed as required for specific orders by agreement between the Bestweld buyer and seller.

  • Seller, at its own expense, shall promptly rectify any defects discovered during any inspection or test.
  • If Seller fails to promptly remove, replace, or correct rejected Products that are required to be removed or to be replaced or corrected, Buyer may either:

(i) Remove, replace, or correct the Product(s) and charge the cost to Seller; or

(ii) Terminate this Order for default.

If Buyer elects to correct the deficiencies in the Product(s), then the parties agree that Seller will pay Buyer’s actual costs and Buyer’s labor at Buyer’s fully-burdened hourly rates (as appropriate) utilizing the then-current Government-approved rate set authorized for change-order activity. If Seller fails to correct or replace the Product(s) within the delivery schedule, Buyer may require their delivery with an equitable price reduction. Failure to agree to a price reduction shall be a dispute.

  • Products that have been reworked or repaired by Seller after having been rejected by Buyer shall be identified as “Resubmitted.” Seller shall annotate the packing slip with the words “Resubmitted Material,” the reason for the previous rejection, and the Buyer Inspection Report, Discrepancy Report, or Quality Notification Number if known. If the Products were inspected at source and rejected, such information shall also be annotated on the packing slip.
  • Seller shall flow down the substance of this provision to all of its suppliers engaged for performance under this Order.
  • Neither Buyer’s in-process inspection nor Buyer’s approval of any of Seller’s drawings, procedures or other submittals shall: (i) constitute acceptance of any work; or (ii) relieve Seller of complying fully with all of the requirements of this Order.

SUSPECT/COUNTERFEIT PARTS. (back to top)

  1. “Suspect/counterfeit parts” are parts that may be of new manufacture, but are misleadingly labeled to provide the impression they are of a different class or quality or from a different source than is actually the case. The term “suspect/counterfeit parts” also includes refurbished parts, with or without false labeling, that are represented as new parts or any parts that are designated as suspect by the U.S. Government, including but not limited to parts listed in alerts published by the Defense Contract Management Agency under the Government-Industry Data Exchange Program (GIDEP).
  2. Seller will ensure that suspect/counterfeit parts are not incorporated into any Products. The intentional or unintentional use, incorporation, or delivery of suspect/counterfeit parts is strictly prohibited. This includes a suspect/counterfeit part being provided either as an end item deliverable or as a component or subcomponent of an end item deliverable under this Order.

Bestweld, Inc. – PO Supplemental Requirements for Heat Treat

Flow down of Customer Requirements to Suppliers and Subcontractors – These Clauses shall be imposed as required for specific orders by agreement between the Bestweld buyer and seller.

  • Seller represents and warrants that it has policies and

procedures in place to ensure that none of the Products furnished to Buyer under this Order are or contain “suspect/counterfeit parts.” Seller further certifies, to the

best of its knowledge and belief, that no “suspect/counterfeit parts” have been or will be furnished to Buyer by Seller under this Order.

D.    If Seller becomes aware or suspects that it has furnished suspect/counterfeit parts or if Buyer determines, including as a result of alerts from the U.S. Government, that Seller has supplied suspect/counterfeit parts to Buyer and so notifies Seller, Seller shall immediately replace the suspect/counterfeit parts with parts acceptable to Buyer and conforming to the requirements of this Order. Notwithstanding any other provision of this Order, Seller shall be liable for all costs incurred by Buyer to remove and replace the suspect/counterfeit parts, including without limitation all costs incurred by Buyer relating to the removal of such suspect/counterfeit parts, the reinsertion of replacement parts and any testing necessitated by the reinstallation of Seller’s Products after suspect/counterfeit parts have been exchanged. The parties agree that Seller will pay Buyer’s actual costs and Buyer’s labor at Buyer’s fully-burdened hourly rates (as appropriate) utilizing the then-current Government-approved rate set authorized for change-order activity. All such costs shall be deemed direct damages.

E.    Buyer may, at its discretion:

(i) Remove and or retain or both all Products supplied by Seller that are suspected of being or containing suspect/counterfeit parts pending reporting to the appropriate law enforcement authorities and final disposition of the Products by them. Seller shall be liable for all costs relating to Buyer’s removal and retention of the suspect/counterfeit parts.

(ii) Turn over to the appropriate authorities (e.g., without limitation, the Defense Criminal Investigative Service, Naval Criminal Investigative Service, Federal Bureau of Investigation, Offices of the Inspector General, etc.) any Products suspected of being or containing suspect/counterfeit parts and reserves the right to withhold payment for the Products pending the results of any investigation or proceedings related to the matter.

F.    Seller’s warranty against suspect/counterfeit parts shall survive any termination or expiration of this Order.

G.    Seller shall insert a clause containing all of the terms of this provision in all subcontracts under this Order.

Bestweld, Inc. – PO Supplemental Requirements for Heat Treat

Flow down of Customer Requirements to Suppliers and Subcontractors – These Clauses shall be imposed as required for specific orders by agreement between the Bestweld buyer and seller

FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems.

Basic Safeguarding of Covered Contractor Information Systems (Jun 2016)

(a) Definitions. As used in this clause–

“Covered contractor information system” means an information system that is owned or operated by a contractor that processes, stores, or transmits Federal contract information.

“Federal contract information” means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.

“Information” means any communication or representation of knowledge such as facts, data, or opinions, in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual (Committee on National Security Systems Instruction (CNSSI) 4009).

“Information system” means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information (44 U.S.C. 3502).

“Safeguarding” means measures or controls that are prescribed to protect information systems.

(b) Safeguarding requirements and procedures.

    (1) The Contractor shall apply the following basic safeguarding requirements and procedures to protect covered contractor information systems. Requirements and procedures for basic safeguarding of covered contractor information systems shall include, at a minimum, the following security controls:

       (i) Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

       (ii) Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

       (iii) Verify and control/limit connections to and use of external information systems.

       (iv) Control information posted or processed on publicly accessible information systems.

       (v) Identify information system users, processes acting on behalf of users, or devices.

       (vi) Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

       (vii) Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.

       (viii) Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.

       (ix) Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.

       (x) Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

       (xi) Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

       (xii) Identify, report, and correct information and information system flaws in a timely manner.

       (xiii) Provide protection from malicious code at appropriate locations within organizational information systems.

       (xiv) Update malicious code protection mechanisms when new releases are available.

       (xv) Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

    (2) Other requirements. This clause does not relieve the Contractor of any other specific safeguarding requirements specified by Federal agencies and departments relating to covered contractor information systems generally or other Federal safeguarding requirements for controlled unclassified information (CUI) as established by Executive Order 13556.

(c) Subcontracts. The Contractor shall include the substance of this clause, including this paragraph (c), in subcontracts under this contract (including subcontracts for the acquisition of commercial items, other than commercially available off-the-shelf items), in which the subcontractor may have Federal contract information residing in or transiting through its information system.

(End of Clause)

FAR 52.204-23 Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab and Other Covered Entities.

Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab and Other Covered Entities (Jul 2018)

(a) Definitions. As used in this clause–

“Covered article” means any hardware, software, or service that–

    (1) Is developed or provided by a covered entity;

    (2) Includes any hardware, software, or service developed or provided in whole or in part by a covered entity; or

    (3) Contains components using any hardware or software developed in whole or in part by a covered entity.

“Covered entity” means–

    (1) Kaspersky Lab;

    (2) Any successor entity to Kaspersky Lab;

    (3) Any entity that controls, is controlled by, or is under common control with Kaspersky Lab; or

    (4) Any entity of which Kaspersky Lab has a majority ownership.

(b) Prohibition. Section 1634 of Division A of the National Defense Authorization Act for Fiscal Year 2018 (Pub. L. 115-91) prohibits Government use of any covered article. The Contractor is prohibited from–

    (1) Providing any covered article that the Government will use on or after October 1, 2018; and

    (2) Using any covered article on or after October 1, 2018, in the development of data or deliverables first produced in the performance of the contract.

(c) Reporting requirement.

    (1) In the event the Contractor identifies a covered article provided to the Government during contract performance, or the Contractor is notified of such by a subcontractor at any tier or any other source, the Contractor shall report, in writing, to the Contracting Officer or, in the case of the Department of Defense, to the website at https://dibnet.dod.mil. For indefinite delivery contracts, the Contractor shall report to the Contracting Officer for the indefinite delivery contract and the Contracting Officer(s) for any affected order or, in the case of the Department of Defense, identify both the indefinite delivery contract and any affected orders in the report provided at https://dibnet.dod.mil.

    (2) The Contractor shall report the following information pursuant to paragraph (c)(1) of this clause:

        (i) Within 1 business day from the date of such identification or notification: the contract number; the order number(s), if applicable; supplier name; brand; model number (Original Equipment Manufacturer (OEM) number, manufacturer part number, or wholesaler number); item description; and any readily available information about mitigation actions undertaken or recommended.

        (ii) Within 10 business days of submitting the report pursuant to paragraph (c)(1) of this clause: any further available information about mitigation actions undertaken or recommended. In addition, the Contractor shall describe the efforts it undertook to prevent use or submission of a covered article, any reasons that led to the use or submission of the covered article, and any additional efforts that will be incorporated to prevent future use or submission of covered articles.

(d) Subcontracts. The Contractor shall insert the substance of this clause, including this paragraph (d), in all subcontracts, including subcontracts for the acquisition of commercial items.

(End of clause)

52.204-25 Prohibition on Contracting for Certain Telecommunications and Video Surveillance Services or Equipment.

As prescribed in 4.2105(b), insert the following clause:

Prohibition on Contracting for Certain Telecommunications and Video Surveillance Services or Equipment (Aug 2020)

      (a) Definitions. As used in this clause—

      Backhaul means intermediate links between the core network, or backbone network, and the small subnetworks at the edge of the network (e.g., connecting cell phones/towers to the core telephone network). Backhaul can be wireless (e.g., microwave) or wired (e.g., fiber optic, coaxial cable, Ethernet).

      Covered foreign country means The People’s Republic of China.

      Covered telecommunications equipment or services means–

           (1) Telecommunications equipment produced by Huawei Technologies Company or ZTE Corporation (or any subsidiary or affiliate of such entities);

           (2) For the purpose of public safety, security of Government facilities, physical security surveillance of critical infrastructure, and other national security purposes, video surveillance and telecommunications equipment produced by Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, or Dahua Technology Company (or any subsidiary or affiliate of such entities);

           (3) Telecommunications or video surveillance services provided by such entities or using such equipment; or

           (4) Telecommunications or video surveillance equipment or services produced or provided by an entity that the Secretary of Defense, in consultation with the Director of National Intelligence or the Director of the Federal Bureau of Investigation, reasonably believes to be an entity owned or controlled by, or otherwise connected to, the government of a covered foreign country.

      Critical technology means–

           (1) Defense articles or defense services included on the United States Munitions List set forth in the International Traffic in Arms Regulations under subchapter M of chapter I of title 22, Code of Federal Regulations;

           (2) Items included on the Commerce Control List set forth in Supplement No. 1 to part 774 of the Export Administration Regulations under subchapter C of chapter VII of title 15, Code of Federal Regulations, and controlled-

                (i) Pursuant to multilateral regimes, including for reasons relating to national security, chemical and biological weapons proliferation, nuclear nonproliferation, or missile technology; or

                (ii) For reasons relating to regional stability or surreptitious listening;

           (3) Specially designed and prepared nuclear equipment, parts and components, materials, software, and technology covered by part 810 of title 10, Code of Federal Regulations (relating to assistance to foreign atomic energy activities);

           (4) Nuclear facilities, equipment, and material covered by part 110 of title 10, Code of Federal Regulations (relating to export and import of nuclear equipment and material);

           (5) Select agents and toxins covered by part 331 of title 7, Code of Federal Regulations, part 121 of title 9 of such Code, or part 73 of title 42 of such Code; or

           (6) Emerging and foundational technologies controlled pursuant to section 1758 of the Export Control Reform Act of 2018 (50 U.S.C. 4817).

      Interconnection arrangements means arrangements governing the physical connection of two or more networks to allow the use of another’s network to hand off traffic where it is ultimately delivered (e.g., connection of a customer of telephone provider A to a customer of telephone company B) or sharing data and other information resources.

      Reasonable inquiry means an inquiry designed to uncover any information in the entity’s possession about the identity of the producer or provider of covered telecommunications equipment or services used by the entity that excludes the need to include an internal or third-party audit.

      Roaming means cellular communications services (e.g., voice, video, data) received from a visited network when unable to connect to the facilities of the home network either because signal coverage is too weak or because traffic is too high.

      Substantial or essential component means any component necessary for the proper function or performance of a piece of equipment, system, or service.

      (b) Prohibition.   (1) Section 889(a)(1)(A) of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (Pub. L. 115-232) prohibits the head of an executive agency on or after August 13, 2019, from procuring or obtaining, or extending or renewing a contract to procure or obtain, any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system. The Contractor is prohibited from providing to the Government any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system, unless an exception at paragraph (c) of this clause applies or the covered telecommunication equipment or services are covered by a waiver described in FAR 4.2104.

           (2) Section 889(a)(1)(B) of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (Pub. L. 115-232) prohibits the head of an executive agency on or after August 13, 2020, from entering into a contract, or extending or renewing a contract, with an entity that uses any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system, unless an exception at paragraph (c) of this clause applies or the covered telecommunication equipment or services are covered by a waiver described in FAR 4.2104. This prohibition applies to the use of covered telecommunications equipment or services, regardless of whether that use is in performance of work under a Federal contract.

      (c) Exceptions. This clause does not prohibit contractors from providing—

           (1) A service that connects to the facilities of a third-party, such as backhaul, roaming, or interconnection arrangements; or

           (2) Telecommunications equipment that cannot route or redirect user data traffic or permit visibility into any user data or packets that such equipment transmits or otherwise handles.

      (d) Reporting requirement. (1) In the event the Contractor identifies covered telecommunications equipment or services used as a substantial or essential component of any system, or as critical technology as part of any system, during contract performance, or the Contractor is notified of such by a subcontractor at any tier or by any other source, the Contractor shall report the information in paragraph (d)(2) of this clause to the Contracting Officer, unless elsewhere in this contract are established procedures for reporting the information; in the case of the Department of Defense, the Contractor shall report to the website at https://dibnet.dod.mil. For indefinite delivery contracts, the Contractor shall report to the Contracting Officer for the indefinite delivery contract and the Contracting Officer(s) for any affected order or, in the case of the Department of Defense, identify both the indefinite delivery contract and any affected orders in the report provided at https://dibnet.dod.mil.

           (2) The Contractor shall report the following information pursuant to paragraph (d)(1) of this clause

                (i) Within one business day from the date of such identification or notification: the contract number; the order number(s), if applicable; supplier name; supplier unique entity identifier (if known); supplier Commercial and Government Entity (CAGE) code (if known); brand; model number (original equipment manufacturer number, manufacturer part number, or wholesaler number); item description; and any readily available information about mitigation actions undertaken or recommended.

                (ii) Within 10 business days of submitting the information in paragraph (d)(2)(i) of this clause: any further available information about mitigation actions undertaken or recommended. In addition, the Contractor shall describe the efforts it undertook to prevent use or submission of covered telecommunications equipment or services, and any additional efforts that will be incorporated to prevent future use or submission of covered telecommunications equipment or services.

      (e) Subcontracts. The Contractor shall insert the substance of this clause, including this paragraph (e) and excluding paragraph (b)(2), in all subcontracts and other contractual instruments, including subcontracts for the acquisition of commercial items.

(End of clause)

252.204-7000 Disclosure of information

Disclosure of Information (OCT 2016)

(a) The Contractor shall not release to anyone outside the Contractor’s organization any unclassified information, regardless of medium (e.g., film, tape, document), pertaining to any part of this contract or any program related to this contract, unless –

(1) The Contracting Officer has given prior written approval;

(2) The information is otherwise in the public domain before the date of release; or

(3) The information results from or arises during the performance of a project that involves no covered defense information (as defined in the clause at DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting) and has been scoped and negotiated by the contracting activity with the contractor and research performer and determined in writing by the contracting officer to be fundamental research (which by definition cannot involve any covered defense information), in accordance with National Security Decision Directive 189, National Policy on the Transfer of Scientific, Technical and Engineering Information, in effect on the date of contract award and the Under Secretary of Defense (Acquisition, Technology, and Logistics) memoranda on Fundamental Research, dated May 24, 2010, and on Contracted Fundamental Research, dated June 26, 2008 (available at DFARS PGI 204.4).

(b) Requests for approval under paragraph (a)(1) shall identify the specific information to be released, the medium to be used, and the purpose for the release. The Contractor shall submit its request to the Contracting Officer at least 10 business days before the proposed date for release.

(c) The Contractor agrees to include a similar requirement, including this paragraph (c), in each subcontract under this contract. Subcontractors shall submit requests for authorization to release through the prime contractor to the Contracting Officer.

(End of clause)

252.204-7008 Compliance with Safeguarding Covered Defense Information Controls.

As prescribed in 204.7304(a), use the following provision:

COMPLIANCE WITH SAFEGUARDING COVERED DEFENSE INFORMATION CONTROLS (OCT 2016)

(a)        Definitions. As used in this provision—

“Controlled technical information,” “covered contractor information system,” “covered defense information,” “cyber incident,” “information system,” and “technical information” are defined in clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.

(b)        The security requirements required by contract clause 252.204-7012, shall be implemented for all covered defense information on all covered contractor information systems that support the performance of this contract.

(c)        For covered contractor information systems that are not part of an information technology service or system operated on behalf of the Government (see

252.204-7012(b)(2)—

(1)        By submission of this offer, the Offeror represents that it will implement the security requirements specified by National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” (see http://dx.doi.org/10.6028/NIST.SP.800-171) that are in effect at the time the solicitation is issued or as authorized by the contracting officer not later than December 31, 2017.

(2)(i) If the Offeror proposes to vary from any of the security requirements specified by NIST SP 800-171 that are in effect at the time the solicitation is issued or as authorized by the Contracting Officer, the Offeror shall submit to the Contracting Officer, for consideration by the DoD Chief Information Officer (CIO), a written explanation of—

(A)       Why a particular security requirement is not applicable; or

(B)       How an alternative but equally effective, security measure is used to compensate for the inability to satisfy a particular requirement and achieve equivalent protection.

(ii) An authorized representative of the DoD CIO will adjudicate offeror requests to vary from NIST SP 800-171 requirements in writing prior to contract award. Any accepted variance from NIST SP 800-171 shall be incorporated into the resulting contract.

(End of provision)

252.204-7009 Limitations on the use or disclosure of third-party contractor reported cyber incident information.

LIMITATIONS ON THE USE OR DISCLOSURE OF THIRD-PARTY CONTRACTOR REPORTED CYBER INCIDENT INFORMATION (OCT 2016)

(a) Definitions. As used in this clause –

Compromise means disclosure of information to unauthorized persons, or a violation of the security policy of a system, in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object, or the copying of information to unauthorized media may have occurred.

Controlled technical information means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information would meet the criteria, if disseminated, for distribution statements B through F using the criteria set forth in DoD Instruction 5230.24, Distribution Statements on Technical Documents. The term does not include information that is lawfully publicly available without restrictions.

Covered defense information means unclassified controlled technical information or other information (as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html) that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies, and is –

(1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or

(2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.

Cyber incident means actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.

Information system means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.

Media means physical devices or writing surfaces including, but is not limited to, magnetic tapes, optical disks, magnetic disks, large-scale integration memory chips, and printouts onto which covered defense information is recorded, stored, or printed within a covered contractor information system.

Technical information means technical data or computer software, as those terms are defined in the clause at DFARS 252.227-7013, Rights in Technical Data – Noncommercial Items, regardless of whether or not the clause is incorporated in this solicitation or contract. Examples of technical information include research and engineering data, engineering drawings, and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer software executable code and source code.

(b) Restrictions. The Contractor agrees that the following conditions apply to any information it receives or creates in the performance of this contract that is information obtained from a third-party’s reporting of a cyber incident pursuant to DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (or derived from such information obtained under that clause):

(1) The Contractor shall access and use the information only for the purpose of furnishing advice or technical assistance directly to the Government in support of the Government’s activities related to clause 252.204-7012, and shall not be used for any other purpose.

(2) The Contractor shall protect the information against unauthorized release or disclosure.

(3) The Contractor shall ensure that its employees are subject to use and non-disclosure obligations consistent with this clause prior to the employees being provided access to or use of the information.

(4) The third-party contractor that reported the cyber incident is a third-party beneficiary of the non-disclosure agreement between the Government and Contractor, as required by paragraph (b)(3) of this clause.

(5) A breach of these obligations or restrictions may subject the Contractor to –

(i) Criminal, civil, administrative, and contractual actions in law and equity for penalties, damages, and other appropriate remedies by the United States; and

(ii) Civil actions for damages and other appropriate remedies by the third party that reported the cyber incident, as a third party beneficiary of this clause.

(c) Subcontracts. The Contractor shall include this clause, including this paragraph (c), in subcontracts, or similar contractual instruments, for services that include support for the Government’s activities related to safeguarding covered defense information and cyber incident reporting, including subcontracts for commercial items, without alteration, except to identify the parties.

(End of clause)

252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting.

As prescribed in 204.7304(c), use the following clause:

SAFEGUARDING COVERED DEFENSE INFORMATION AND CYBER INCIDENT REPORTING (OCT 2016)

(a)        Definitions. As used in this clause—

“Adequate security” means protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information.

“Compromise” means disclosure of information to unauthorized persons, or a violation of the security policy of a system, in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object, or the copying of information to unauthorized media may have occurred.

“Contractor attributional/proprietary information” means information that identifies the contractor(s), whether directly or indirectly, by the grouping of information that can be traced back to the contractor(s) (e.g., program description, facility locations), personally identifiable information, as well as trade secrets, commercial or financial information, or other commercially sensitive information that is not customarily shared outside of the company.

“Controlled technical information” means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information would meet the criteria, if disseminated, for distribution statements B through F using the criteria set forth in DoD Instruction 5230.24, Distribution Statements on Technical Documents. The term does not include information that is lawfully publicly available without restrictions.

“Covered contractor information system” means an unclassified information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits covered defense information.

“Covered defense information” means unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies, and is—

(1)        Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or

(2)        Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.

“Cyber incident” means actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.

“Forensic analysis” means the practice of gathering, retaining, and analyzing computer-related data for investigative purposes in a manner that maintains the integrity of the data.

“Information system” means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.

“Malicious software” means computer software or firmware intended to perform an unauthorized process that will have adverse impact on the confidentiality, integrity, or availability of an information system. This definition includes a virus, worm, Trojan horse, or other code-based entity that infects a host, as well as spyware and some forms of adware.

“Media” means physical devices or writing surfaces including, but is not limited to, magnetic tapes, optical disks, magnetic disks, large-scale integration memory chips, and printouts onto which covered defense information is recorded, stored, or printed within a covered contractor information system.

‘‘Operationally critical support’’ means supplies or services designated by the Government as critical for airlift, sealift, intermodal transportation services, or logistical support that is essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation.

“Rapidly report” means within 72 hours of discovery of any cyber incident.

“Technical information” means technical data or computer software, as those terms are defined in the clause at DFARS 252.227-7013, Rights in Technical Data—

Noncommercial Items, regardless of whether or not the clause is incorporated in this solicitation or contract. Examples of technical information include research and engineering data, engineering drawings, and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer software executable code and source code.

(b)        Adequate security. The Contractor shall provide adequate security on all covered contractor information systems. To provide adequate security, the Contractor shall implement, at a minimum, the following information security protections:

(1)        For covered contractor information systems that are part of an Information Technology (IT) service or system operated on behalf of the Government, the following security requirements apply:

(i)         Cloud computing services shall be subject to the security requirements specified in the clause 252.239-7010, Cloud Computing Services, of this contract.

(ii)        Any other such IT service or system (i.e., other than cloud computing) shall be subject to the security requirements specified elsewhere in this contract.

(2)        For covered contractor information systems that are not part of an IT service or system operated on behalf of the Government and therefore are not subject to the security requirement specified at paragraph (b)(1) of this clause, the following security requirements apply:

(i)         Except as provided in paragraph (b)(2)(ii) of this clause, the covered contractor information system shall be subject to the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” (available via the internet at http://dx.doi.org/10.6028/NIST.SP.800-171) in effect at the time the solicitation is issued or as authorized by the Contracting Officer.

(ii)(A) The Contractor shall implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017. For all contracts awarded prior to October 1, 2017, the Contractor shall notify the DoD Chief Information Officer (CIO), via email at [email protected], within 30 days of contract award, of any security requirements specified by NIST SP 800-171 not implemented at the time of contract award.

(B)       The Contractor shall submit requests to vary from NIST SP 800-171 in writing to the Contracting Officer, for consideration by the DoD CIO. The Contractor need not implement any security requirement adjudicated by an authorized representative of the DoD CIO to be nonapplicable or to have an alternative, but equally effective, security measure that may be implemented in its place.

(C)       If the DoD CIO has previously adjudicated the contractor’s requests indicating that a requirement is not applicable or that an alternative security measure is equally effective, a copy of that approval shall be provided to the Contracting Officer when requesting its recognition under this contract.

(D)       If the Contractor intends to use an external cloud service provider to store, process, or transmit any covered defense information in performance of this contract, the Contractor shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline (https://www.fedramp.gov/resources/documents/) and that the cloud service provider complies with requirements in paragraphs (c) through (g) of this clause for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment.

(3)        Apply other information systems security measures when the Contractor reasonably determines that information systems security measures, in addition to those identified in paragraphs (b)(1) and (2) of this clause, may be required to provide adequate security in a dynamic environment or to accommodate special circumstances (e.g., medical devices) and any individual, isolated, or temporary deficiencies based on an assessed risk or vulnerability. These measures may be addressed in a system security plan.

(c)        Cyber incident reporting requirement.

(1)        When the Contractor discovers a cyber incident that affects a covered contractor information system or the covered defense information residing therein, or that affects the contractor’s ability to perform the requirements of the contract that are designated as operationally critical support and identified in the contract, the Contractor shall—

(i)         Conduct a review for evidence of compromise of covered defense information, including, but not limited to, identifying compromised computers, servers, specific data, and user accounts. This review shall also include analyzing covered contractor information system(s) that were part of the cyber incident, as well as other information systems on the Contractor’s network(s), that may have been accessed as a result of the incident in order to identify compromised covered defense information, or that affect the Contractor’s ability to provide operationally critical support; and

(ii)        Rapidly report cyber incidents to DoD at http://dibnet.dod.mil.

(2)        Cyber incident report. The cyber incident report shall be treated as information created by or for DoD and shall include, at a minimum, the required elements at http://dibnet.dod.mil.

(3)        Medium assurance certificate requirement. In order to report cyber incidents in accordance with this clause, the Contractor or subcontractor shall have or acquire a DoD-approved medium assurance certificate to report cyber incidents. For information on obtaining a DoD-approved medium assurance certificate, see

http://iase.disa.mil/pki/eca/Pages/index.aspx.

(d)       Malicious software. When the Contractor or subcontractors discover and isolate malicious software in connection with a reported cyber incident, submit the malicious software to DoD Cyber Crime Center (DC3) in accordance with instructions provided by DC3 or the Contracting Officer. Do not send the malicious software to the Contracting Officer.

(e)        Media preservation and protection. When a Contractor discovers a cyber incident has occurred, the Contractor shall preserve and protect images of all known affected information systems identified in paragraph (c)(1)(i) of this clause and all relevant monitoring/packet capture data for at least 90 days from the submission of the cyber incident report to allow DoD to request the media or decline interest.

(f)        Access to additional information or equipment necessary for forensic analysis. Upon request by DoD, the Contractor shall provide DoD with access to additional information or equipment that is necessary to conduct a forensic analysis.

(g)        Cyber incident damage assessment activities. If DoD elects to conduct a damage assessment, the Contracting Officer will request that the Contractor provide all of the damage assessment information gathered in accordance with paragraph (e) of this clause.

(h)        DoD safeguarding and use of contractor attributional/proprietary information. The Government shall protect against the unauthorized use or release of information obtained from the contractor (or derived from information obtained from the contractor) under this clause that includes contractor attributional/proprietary information, including such information submitted in accordance with paragraph (c). To the maximum extent practicable, the Contractor shall identify and mark attributional/proprietary information. In making an authorized release of such information, the Government will implement appropriate procedures to minimize the contractor attributional/proprietary information that is included in such authorized release, seeking to include only that information that is necessary for the authorized purpose(s) for which the information is being released.

(i)         Use and release of contractor attributional/proprietary information not created by or for DoD. Information that is obtained from the contractor (or derived from information obtained from the contractor) under this clause that is not created by or for DoD is authorized to be released outside of DoD—

(1)        To entities with missions that may be affected by such information;

(2)        To entities that may be called upon to assist in the diagnosis, detection, or mitigation of cyber incidents;

(3)        To Government entities that conduct counterintelligence or law enforcement investigations;

(4)        For national security purposes, including cyber situational awareness and defense purposes (including with Defense Industrial Base (DIB) participants in the program at 32 CFR part 236); or

(5)        To a support services contractor (“recipient”) that is directly supporting Government activities under a contract that includes the clause at 252.204-7009, Limitations on the Use or Disclosure of Third-Party Contractor Reported Cyber Incident Information.

(j)         Use and release of contractor attributional/proprietary information created by or for DoD. Information that is obtained from the contractor (or derived from information obtained from the contractor) under this clause that is created by or for DoD (including the information submitted pursuant to paragraph (c) of this clause) is authorized to be used and released outside of DoD for purposes and activities authorized by paragraph (i) of this clause, and for any other lawful Government purpose or activity, subject to all applicable statutory, regulatory, and policy based restrictions on the Government’s use and release of such information.

(k)        The Contractor shall conduct activities under this clause in accordance with applicable laws and regulations on the interception, monitoring, access, use, and disclosure of electronic communications and data.

(l)         Other safeguarding or reporting requirements. The safeguarding and cyber incident reporting required by this clause in no way abrogates the Contractor’s responsibility for other safeguarding or cyber incident reporting pertaining to its unclassified information systems as required by other applicable clauses of this contract, or as a result of other applicable U.S. Government statutory or regulatory requirements.

(m)       Subcontracts. The Contractor shall—

(1)        Include this clause, including this paragraph (m), in subcontracts, or similar contractual instruments, for operationally critical support, or for which subcontract performance will involve covered defense information, including subcontracts for commercial items, without alteration, except to identify the parties. The Contractor shall determine if the information required for subcontractor performance retains its identity as covered defense information and will require protection under this clause, and, if necessary, consult with the Contracting Officer; and

(2)        Require subcontractors to—

(i)         Notify the prime Contractor (or next higher-tier subcontractor) when submitting a request to vary from a NIST SP 800-171 security requirement to the Contracting Officer, in accordance with paragraph (b)(2)(ii)(B) of this clause; and

(ii)        Provide the incident report number, automatically assigned by DoD, to the prime Contractor (or next higher-tier subcontractor) as soon as practicable, when reporting a cyber incident to DoD as required in paragraph (c) of this clause.

(End of clause)

252.204-7015 Notice of Authorized Disclosure of Information for Litigation Support.

As prescribed in 204.7403(b), use the following clause:

NOTICE OF AUTHORIZED DISCLOSURE OF INFORMATION FOR LITIGATION SUPPORT (MAY 2016)

(a) Definitions. As used in this clause –

Computer software means computer programs, source code, source code listings, object code listings, design details, algorithms, processes, flow charts, formulae, and related material that would enable the software to be reproduced, recreated, or recompiled. Computer software does not include computer data bases or computer software documentation.

Litigation support means administrative, technical, or professional services provided in support of the Government during or in anticipation of litigation.

Litigation support contractor means a contractor (including its experts, technical consultants, subcontractors, and suppliers) providing litigation support under a contract that contains the clause at 252.204-7014, Limitations on the Use or Disclosure of Information by Litigation Support Contractors.

Sensitive information means controlled unclassified information of a commercial, financial, proprietary, or privileged nature. The term includes technical data and computer software, but does not include information that is lawfully, publicly available without restriction.

Technical data means recorded information, regardless of the form or method of the recording, of a scientific or technical nature (including computer software documentation). The term does not include computer software or data incidental to contract administration, such as financial and/or management information.

(b) Notice of authorized disclosures Notwithstanding any other provision of this solicitation or contract, the Government may disclose to a litigation support contractor, for the sole purpose of litigation support activities, any information, including sensitive information, received –

(1) Within or in connection with a quotation or offer; or

(2) In the performance of or in connection with a contract.

(c) Flowdown. Include the substance of this clause, including this paragraph (c), in all subcontracts, including subcontracts for commercial items.

(End of clause)

252.204-7018 Prohibition on the Acquisition of Covered Defense Telecommunications Equipment or Services.

As prescribed in 204.2105(c), use the following clause:

PROHIBITION ON THE ACQUISITION OF COVERED DEFENSE TELECOMMUNICATIONS EQUIPMENT OR SERVICES (JAN 2021)

(a) Definitions. As used in this clause –

Covered defense telecommunications equipment or services means –

(1) Telecommunications equipment produced by Huawei Technologies Company or ZTE Corporation, or any subsidiary or affiliate of such entities;

(2) Telecommunications services provided by such entities or using such equipment; or

(3) Telecommunications equipment or services produced or provided by an entity that the Secretary of Defense reasonably believes to be an entity owned or controlled by, or otherwise connected to, the government of a covered foreign country.

Covered foreign country means –

(1) The People’s Republic of China; or

(2) The Russian Federation.

Covered missions means –

(1) The nuclear deterrence mission of DoD, including with respect to nuclear command, control, and communications, integrated tactical warning and attack assessment, and continuity of Government; or

(2) The homeland defense mission of DoD, including with respect to ballistic missile defense.

“Critical technology” means –

(1) Defense articles or defense services included on the United States Munitions List set forth in the International Traffic in Arms Regulations under subchapter M of chapter I of title 22, Code of Federal Regulations;

(2) Items included on the Commerce Control List set forth in Supplement No. 1 to part 774 of the Export Administration Regulations under subchapter C of chapter VII of title 15, Code of Federal Regulations, and controlled –

(i) Pursuant to multilateral regimes, including for reasons relating to national security, chemical and biological weapons proliferation, nuclear nonproliferation, or missile technology; or

(ii) For reasons relating to regional stability or surreptitious listening;

(3) Specially designed and prepared nuclear equipment, parts and components, materials, software, and technology covered by part 810 of title 10, Code of Federal Regulations (relating to assistance to foreign atomic energy activities);

(4) Nuclear facilities, equipment, and material covered by part 110 of title 10, Code of Federal Regulations (relating to export and import of nuclear equipment and material);

(5) Select agents and toxins covered by part 331 of title 7, Code of Federal Regulations, part 121 of title 9 of such Code, or part 73 of title 42 of such Code; or

(6) Emerging and foundational technologies controlled pursuant to section 1758 of the Export Control Reform Act of 2018 (50 U.S.C. 4817).

Substantial or essential component means any component necessary for the proper function or performance of a piece of equipment, system, or service.

(b) Prohibition. In accordance with section 1656 of the National Defense Authorization Act for Fiscal Year 2018 (Pub. L. 115-91), the contractor shall not provide to the Government any equipment, system, or service to carry out covered missions that uses covered defense telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system, unless the covered defense telecommunication equipment or services are covered by a waiver described in Defense Federal Acquisition Regulation Supplement 204.2104.

(c) Procedures. The Contractor shall review the list of excluded parties in the System for Award Management (SAM) at https://www.sam.gov for entities that are excluded when providing any equipment, system, or service, to carry out covered missions, that uses covered defense telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system, unless a waiver is granted.

(d) Reporting.

(1) In the event the Contractor identifies covered defense telecommunications equipment or services used as a substantial or essential component of any system, or as critical technology as part of any system, during contract performance, the Contractor shall report at https://dibnet.dod.mil the information in paragraph (d)(2) of this clause.

(2) The Contractor shall report the following information pursuant to paragraph (d)(1) of this clause:

(i) Within 3 business days from the date of such identification or notification: The contract number; the order number(s), if applicable; supplier name; brand; model number (original equipment manufacturer number, manufacturer part number, or wholesaler number); item description; and any readily available information about mitigation actions undertaken or recommended.

(ii) Within 30 business days of submitting the information in paragraph (d)(2)(i) of this clause: Any further available information about mitigation actions undertaken or recommended. In addition, the Contractor shall describe the efforts it undertook to prevent use or submission of a covered defense telecommunications equipment or services, and any additional efforts that will be incorporated to prevent future use or submission of covered telecommunications equipment or services.

(e) Subcontracts. The Contractor shall insert the substance of this clause, including this paragraph (e), in all subcontracts and other contractual instruments, including subcontracts for the acquisition of commercial items.

(End of clause)

252.204-7020 NIST SP 800-171 DoD Assessment Requirements.

NIST SP 800-171 DOD ASSESSMENT REQUIREMENTS (NOV 2020)

(a) Definitions.

Basic Assessment” means a contractor’s self-assessment of the contractor’s implementation of NIST SP 800-171 that—

(1) Is based on the Contractor’s review of their system security plan(s) associated with covered contractor information system(s);

(2) Is conducted in accordance with the NIST SP 800-171 DoD Assessment Methodology; and

(3) Results in a confidence level of “Low” in the resulting score, because it is a self-generated score.

“Covered contractor information system” has the meaning given in the clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, of this contract.

“High Assessment” means an assessment that is conducted by Government personnel using NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information that—

(1) Consists of—

(i) A review of a contractor’s Basic Assessment;

(ii) A thorough document review;

(iii) Verification, examination, and demonstration of a Contractor’s system security plan to validate that NIST SP 800-171 security requirements have been implemented as described in the contractor’s system security plan; and

(iv) Discussions with the contractor to obtain additional information or clarification, as needed; and

(2) Results in a confidence level of “High” in the resulting score.

“Medium Assessment” means an assessment conducted by the Government that—

(1) Consists of—

(i) A review of a contractor’s Basic Assessment;

(ii) A thorough document review; and

(iii) Discussions with the contractor to obtain additional information or clarification, as needed; and

(2) Results in a confidence level of “Medium” in the resulting score.

(b) Applicability. This clause applies to covered contractor information systems that are required to comply with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, in accordance with Defense Federal Acquisition Regulation System (DFARS) clause at 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, of this contract.

(c) Requirements. The Contractor shall provide access to its facilities, systems, and personnel necessary for the Government to conduct a Medium or High NIST SP 800-171 DoD Assessment, as described in NIST SP 800-171 DoD Assessment Methodology at https://www.acq.osd.mil/dpap/pdi/cyber/strategically_assessing_contractor_implementation_of_NIST_SP_800-171.html, if necessary.

(d) Procedures. Summary level scores for all assessments will be posted in the Supplier Performance Risk System (SPRS) (https://www.sprs.csd.disa.mil/) to provide DoD Components visibility into the summary level scores of strategic assessments.

(1) Basic Assessments. A contractor may submit, via encrypted email, summary level scores of Basic Assessments conducted in accordance with the NIST SP 800-171 DoD Assessment Methodology to mailto:[email protected] for posting to SPRS.

(i) The email shall include the following information:

(A) Version of NIST SP 800-171 against which the assessment was conducted.

(B) Organization conducting the assessment (e.g., Contractor self-assessment).

(C) For each system security plan (security requirement 3.12.4) supporting the performance of a DoD contract—

(1) All industry Commercial and Government Entity (CAGE) code(s) associated with the information system(s) addressed by the system security plan; and

(2) A brief description of the system security plan architecture, if more than one plan exists.

(D) Date the assessment was completed.

(E) Summary level score (e.g., 95 out of 110, NOT the individual value for each requirement).

(F) Date that all requirements are expected to be implemented (i.e., a score of 110 is expected to be achieved) based on information gathered from associated plan(s) of action developed in accordance with NIST SP 800-171.

(ii) If multiple system security plans are addressed in the email described at paragraph (b)(1)(i) of this section, the Contractor shall use the following format for the report:

System Security PlanCAGE Codes supported by this planBrief description of the plan architectureDate of assessmentTotal ScoreDate score of 110 will achieved

(2) Medium and High Assessments. DoD will post the following Medium and/or High Assessment summary level scores to SPRS for each system security plan assessed:

(i) The standard assessed (e.g., NIST SP 800-171 Rev 1).

(ii) Organization conducting the assessment, e.g., DCMA, or a specific organization (identified by Department of Defense Activity Address Code (DoDAAC)).

(iii) All industry CAGE code(s) associated with the information system(s) addressed by the system security plan.

(iv) A brief description of the system security plan architecture, if more than one system security plan exists.

(v) Date and level of the assessment, i.e., medium or high.

(vi) Summary level score (e.g., 105 out of 110, not the individual value assigned for each requirement).

(vii) Date that all requirements are expected to be implemented (i.e., a score of 110 is expected to be achieved) based on information gathered from associated plan(s) of action developed in accordance with NIST SP 800-171.

(e) Rebuttals.

(1) DoD will provide Medium and High Assessment summary level scores to the Contractor and offer the opportunity for rebuttal and adjudication of assessment summary level scores prior to posting the summary level scores to SPRS (see SPRS User’s Guide https://www.sprs.csd.disa.mil/pdf/SPRS_Awardee.pdf).

(2) Upon completion of each assessment, the contractor has 14 business days to provide additional information to demonstrate that they meet any security requirements not observed by the assessment team or to rebut the findings that may be of question.

(f) Accessibility.

(1) Assessment summary level scores posted in SPRS are available to DoD personnel, and are protected, in accordance with the standards set forth in DoD Instruction 5000.79, Defense-wide Sharing and Use of Supplier and Product Performance Information (PI).

(2) Authorized representatives of the Contractor for which the assessment was conducted may access SPRS to view their own summary level scores, in accordance with the SPRS Software User’s Guide for Awardees/Contractors available at https://www.sprs.csd.disa.mil/pdf/SPRS_Awardee.pdf.

(3) A High NIST SP 800-171 DoD Assessment may result in documentation in addition to that listed in this clause. DoD will retain and protect any such documentation as “Controlled Unclassified Information (CUI)” and intended for internal DoD use only. The information will be protected against unauthorized use and release, including through the exercise of applicable exemptions under the Freedom of Information Act (e.g., Exemption 4 covers trade secrets and commercial or financial information obtained from a contractor that is privileged or confidential).

(g) Subcontracts.

(1) The Contractor shall insert the substance of this clause, including this paragraph (g), in all subcontracts and other contractual instruments, including subcontracts for the acquisition of commercial items (excluding COTS items).

(2) The Contractor shall not award a subcontract or other contractual instrument, that is subject to the implementation of NIST SP 800-171 security requirements, in accordance with DFARS clause 252.204-7012 of this contract, unless the subcontractor has completed, within the last 3 years, at least a Basic NIST SP 800-171 DoD Assessment, as described in https://www.acq.osd.mil/dpap/pdi/cyber/strategically_assessing_contractor_implementation_of_NIST_SP_800-171.html, for all covered contractor information systems relevant to its offer that are not part of an information technology service or system operated on behalf of the Government.

(3) If a subcontractor does not have summary level scores of a current NIST SP 800-171 DoD Assessment (i.e., not more than 3 years old unless a lesser time is specified in the solicitation) posted in SPRS, the subcontractor may conduct and submit a Basic Assessment, in accordance with the NIST SP 800-171 DoD Assessment Methodology, to mailto:[email protected] for posting to SPRS along with the information required by paragraph (d) of this clause.

Where Quality is Tradition Since 1981 Contact Bestweld