Attached files
TIRNO-09-C-00019 MOD# 0008
IR1052.204-9003 - IRS Security Awareness Training Requirements
Include the following clause in solicitations, contracts, task/delivery/purchase orders, interagency agreements, and BPAs that require contractors and contractor employees to have staff-like access to IRS SBU information (electronic or paper-based) or information systems at an IRS facility or a contractor-owned/managed facility.
IRS SECURITY AWARENESS TRAINING REQUIREMENTS (AUG 2010)
|
(a)
|
The Federal Information Security Management Act of 2002 (FISMA) requires each federal agency to provide periodic information security awareness training to all employees, including contractors, involved in the management, use, or operation of Federal information and information systems. In addition, IRS contractors and their employees are subject to the Taxpayer Browsing Protection Act of 1997, which prohibits willful unauthorized inspection of returns and return information. Violation of the Act could result in civil and criminal penalties.
|
|
(b)
|
Contractors and their employees who require staff-like access to IRS information or information systems at an IRS facility or a contractor-owned/managed facility shall complete IRS security awareness training annually, as specified in the contract.1
|
NOTE: "IRS information" means Sensitive But Unclassified (SBU) information, as defined in Internal Revenue Manual 10.8.1 - Policy and Guidance. SBU may be categorized in one or more of the following groups—
o Returns and Return Information
o Sensitive Law Enforcement Information
o Employee Information
o Personally Identifiable Information
o Other Protected Information
|
(c)
|
The contractor shall ensure all contractor employees who require staff-like access to IRS owned or controlled facilities, or IRS information or information systems, regardless of their physical location, complete one or more Information Protection briefings on computer security, disclosure, privacy, physical security, and/or UNAX, as specified by CSLP. Individually
|
1 As used in this clause, the term "contract" includes contracts, task/delivery/purchase orders, interagency agreements, and Blanket Purchase Agreements (BPAs).
Page - 2
TIRNO-09-C-00019 MOD# 0008
|
|
and collectively, these briefings make up the IRS Security Awareness Training (SAT) requirements for the Service's information assets. |
Personnel required to complete SAT include, but are not necessarily limited to, contractor employees involved in any of the following activities:
| o | Manage, program or maintain IRS information in a production environment; |
| o | Operate an information system on behalf of the IRS; |
| o | Conduct testing or development of information or information systems on behalf of the IRS; or |
| o | Provide advisory and assistance (consulting) services, or administrative support. |
Unless otherwise provided under the terms of the immediate contract/order, contractor employees in the following service categories with facilities access only who do not have access to IRS workspace, or who work in buildings where a clean desk policy is in place for all IRS employees, are not required to complete SAT -with the exception of Physical Security Training.:
| o | Medical; |
| o | Cafeteria; |
| o | Landscaping; |
| o | Janitorial and cleaning (daylight operations); |
| o | Building maintenance; or |
| o | Other maintenance and repair. |
|
(d)
|
All new contractor employees shall receive a system security orientation within the first ten (10) business days following initial assignment to any IRS contract/order, and IT security awareness training (commensurate with the individual's duties and responsibilities) within five (5) business days of being granted access to an IRS IT system.
|
|
(e)
|
For each contractor employee assigned to this contract/order, the contractor shall submit confirmation of completed SAT (using the form at the Mandatory Briefing web site or upon email request to CSLP at CSLP@irs.gov), via email, to the Contracting Officer's Technical Representative (COTR) and the Contractor Security Lifecycle Program (CSLP) upon completion, but not later than ten (10) business days of starting work on this contract/task order.
|
|
(f)
|
Thereafter, each contractor employee assigned to this contract/order shall complete SAT annually not later than April 30th of each year in which there is an ongoing period of performance (in either the base period or any exercised option period). The contractor shall submit confirmation of
|
Page - 3
TIRNO-09-C-00019 MOD# 0008
|
|
completed annual SAT on all contractor employees assigned to this contract/order, via email, to the CO, COTR, and the Contractor Security Lifecycle Program (CSLP) upon completion, or not later than May 12th of the then current calendar year or as requested by CSLP (whichever date is earlier). |
|
(g)
|
Contractors shall verify in writing within 30 days of award, and by May 12, of each year thereafter or as requested by CSLP (whichever date is earlier), that all of their affected employees have successfully completed the specified training. Verification reports shall be signed by an official with the authority to legally bind the Contractor.
|
|
(h)
|
SAT is available on the Mandatory Briefing web site or if this site is not accessible, SAT materials will be made available by CSLP upon request via email to CSLP@irs.gov).
|
|
(i)
|
Contractor employees who fail to comply with IRS security policy (to include completion and certification of SAT requirements within the timeframe specified) may be subject to having their access to IRS IT systems and facilities suspended, revoked or terminated (termporarily or permanently).
|
[End of clause]
Alternate 1 (AUG 2010)
Substitute the following paragraph (g) for paragraphs (g) of the basic clause when an existing contract, task/delivery/purchase order, interagency agreement, or BPA is being modified.
|
(g)
|
Contractors shall verify in writing within 30 days of contract modification, and by May 12, of each year thereafter, that all of their affected employees have successfully completed the specified SAT. Verification reports shall be signed by an official with the authority to legally bind the Contractor.
|
Page - 4
TIRNO-09-C-00019 MOD# 0008
IR1052.204.9005 - Submission of Security Forms and Related Materials
Include the following clause in all new solicitations, contracts, interagency agreements, task/delivery/purchase orders, and BPAs, including simplified acquisitions, and existing contracts and orders as prescribed in P&P No. 39.1(C) - Managing Contractor Access to IRS Owned or Controlled Facilities, Information Systems, or Sensitive But Unclassified (SBU) Information
SUBMISSION OF SECURITY FORMS AND RELATED MATERIALS
(AUG 2010)
|
(a)
|
Contractor personnel hired for work within the United States or its territories and possessions and who require access, wherever the location, to IRS owned or controlled facilities or work on contracts that involve the design, operation, repair, or maintenance of information systems, and/or require access to sensitive but unclassified information, security items or products, must meet the following three eligibility criteria before a full background investigation will be initiated:
|
|
(1)
|
Must be Federal tax compliant, both timely filed and timely payment of any taxes due;
|
|
(2)
|
Shall either be at a minimum a U.S. citizen for high risk access, or have lawful permanent resident status for low and moderate risk (3 years of US residency required for moderate risk); and
|
|
(3)
|
For all males born after 1959, must be registered with Selective Service.
|
|
(b)
|
All contractor personnel performing under the contract that require either escorted or unescorted access to IRS facilities, SBU information or information systems are subject to (and must receive a favorable adjudication or affirmative results with respect to) the following suitability pre-screening criteria, as applicable:
|
|
(1)
|
Credit report results (moderate and high risk investigations only); and/or
|
(2) Federal Bureau of Investigation fingerprint results.
|
(c)
|
Each contract employee assigned to work under this contract/order shall undergo investigative processing appropriate to the position sensitivity and risk level designation associated with the work to be performed, as described in TD P 15-71, Chapter I, Section 1. In support of this
|
Page - 5
TIRNO-09-C-00019 MOD# 0008
|
|
undertaking, the contractor shall furnish the following electronic documents to the Contractor Security Lifecycle Program (CSLP), per the instructions available on the publicly accessible website for IRS Procurement, within 10 business days of assigning (or reassigning) a contractor employee to this contract/order and prior to the contract employee performing any work there under: |
| o | The IRS provided Risk Assessment Checklist (RAC), and |
| o | All required security forms (for new contractor employees), are available through the publicly accessible website for IRS Procurement. |
(Note: These documents (the RAC and security forms) are also available upon request from CSLP via email at CSLP@irs.gov)
|
(d)
|
Concurrent with submission of the above-referenced materials to CSLP, the contractor shall email the Contracting Officer (CO), and the Contracting Officer's Technical Representative (COTR) to confirm this requirement has been completed. The notice shall identify the subject contractor employee by name and relevant contract/task order number(s), and list the materials submitted.
|
|
(e)
|
Contractor personnel whose duration of employment exceeds 180 days must be eligible for access, per certification of tax compliance, and shall undergo, at a minimum a National Agency Check and Inquiries as a condition of work under the government contract. If the duration of employment is less than 180 days or access is infrequent (e.g., 2-3 days per month) and the contractor requires unescorted access, the contractor employee must be eligible for access, per certification of tax compliance, and require at a minimum a fingerprint check (Special Agreement Check). No background investigation or tax check is completed if the duration of employment is less than 180 days or access is infrequent when there is escort provided by an IRS employee or an approved contractor employee at the same or higher position risk level.
|
|
(f)
|
The contractor employee may commence work only upon notice of an interim or final approval for staff-like access, revalidation of access for contractor employee transfers from one IRS contract/order to another, or approved escorted access.
|
(End of Clauses)
IR1052.204.9006 - Notification of Change in Contractor Employee Employment Status, Assignment, or Standing
Page - 6
TIRNO-09-C-00019 MOD# 0008
Include the following clause in all new solicitations, contracts, interagency agreements, task/delivery/purchase orders, and BPAs, including simplified acquisitions, and existing contracts and orders as prescribed in P&P No. 39.1(C) - Managing Contractor Access to IRS Owned or Controlled Facilities, Information Systems, or Sensitive But Unclassified (SBU) Information
NOTIFICATION OF CHANGE IN CONTRACTOR EMPLOYEE EMPLOYMENT STATUS, ASSIGNMENT, OR STANDING (AUG 2010)
(a) The contractor shall notify the Contracting Officer's Technical Representative (COTR) and the Contractor Security Lifecycle Program (CSLP), via email, within one (1) business day of the contractor becoming aware of any change in the employment status, assignment, or standing of a contractor employee to this contract/order -to include, but not limited to, the following conditions:
| o | Receipt of the employee's notice of intent to separate from employment or discontinue work under this IRS contract/task order; |
| o | Knowledge of the employee's voluntary separation from employment or performance on this contract/task order (if no prior notice was given); |
| o | Transfer or reassignment of the employee and performance of duties under this contract/task order, in whole or in part, to another IRS contract/task order (and identify the gaining contract and representative duties/responsibilities to allow for an assessment of suitability based on position sensitivity/risk level designation); |
| o | Separation, furlough or release from employment; |
| o | Anticipated extended absence of more than 45 days; |
| o | Change of legal name; |
| o | Change to citizenship or lawful permanent resident status, or employment eligibility; |
| o | Change in gender or other distinction when physical attributes figure prominently in the biography of an individual; |
| o | Actual or perceived conflict of interest in continued performance under this contract/task order (provide explanation); |
| o | Death. |
Page - 7
TIRNO-09-C-00019 MOD# 0008
(b) The notice shall include the following minimum information:
| o | Name of contractor employee |
| o | Nature of the change in status, assignment or standing (i.e., provide a brief non-personal, broad-based explanation) |
| o | Affected contract/task order number(s) |
| o | Actual or anticipated date of departure or separation |
| o | When applicable, the name of the IRS facility(s) this individual routinely works from or has access to when performing work under this contract/order |
| o | Identificaon of any Government Furnished Property (GFP), Government Furnished Equipment (GFE), or Government Furnished Information (GFI) (to include Personal Identity Verification (PIV) credentials or badges) provided to the contractor employee and its whereabouts or status. |
|
(c)
|
In the event the subject contractor employee is working on multiple contracts/orders, notification shall be combined, and the cognizant COTR for each affected contract/order shall be included in the joint notification along with the CSLP.
|
|
(d)
|
As a general rule, the change in the employment status, assignment, or standing of a contractor employee to this contract/order would not form the basis for an excusable delay for failure to perform this contract under its terms.
|
(End of Clause)
IR1052.239-9007 - Access, Use or Operation of IRS Information Technology (IT) Systems by Contractors
As prescribed in 1039.9201, include the following clause in all solicitations, contracts, interagency agreements, task/delivery/purchase orders, and BPAs, including simplified acquisitions, when contractor employees will access, use or operate IRS information technology systems, equipment or resources.
ACCESS, USE OR OPERATION OF IRS INFORMATION TECHNOLOGY (IT) SYSTEMS BY CONTRACTORS (AUG 2010)
In performance of this contract, the contractor agrees to comply with the following requirements and assumes responsibility for compliance by his/her employees:
1. IRS Information Technology Security Policy and Guidance.
Page - 8
TIRNO-09-C-00019 MOD# 0008
All current and new IRS contractor employees authorized staff-like (unescorted) access to Treasury/IRS owned or controlled facilities and information systems, or work, wherever located, on those contracts which involve the design, operation, repair or maintenance of information systems and access to sensitive but unclassified information shall comply with the IRS Information Technology Security Policy and Guidance. Internal Revenue Manual (IRM) 10.8.1 . A copy of IRM 10.8.1 may be requested from the Contracting Officer or Contracting Officer's Technical Representative (COTR) or obtained from the publicly available portions of the IRM at http://www.irs.gov/irm/.
2. Access Request and Authorization.
Within (10) business days after contract award, issuance of a task order or other award notice, or acceptance of new or substitute contractor employees by the COTR, the contractor shall provide the COTR and the Contractor Security Lifecycle Program, (CSLP) a list of names of all applicable contractor employees and the IRS location(s) identified in the contract for which access is requested. A security screening, if determined appropriate by the IRS and in accordance with IRM 10.23.2. Contractor Investigations , and Department of the Treasury Security Manual (TD P) 15-71. Chapter II. Section 2 , will be conducted by the IRS for each contractor employee requiring access to IRS' IT systems, or as otherwise deemed appropriate by the COTR. The Government reserves the right to determine the fitness or suitability of a contractor employee to receive or be assigned staff-like access under a contract, and whether the employee shall be permitted to perform or continue performance under the contract. Security screenings of contractor employees which reveal the following may be grounds for declining staff-like access under a contract: conviction of a felony, a crime of violence or a serious misdemeanor, a record of arrests for continuing offenses, or failure to file or pay Federal income tax. (Note: This is not an inclusive list.) Upon notification from Personnel Security of an acceptable (favorably adjudicated) contractor employee security screening, the COTR will complete an Online 5081 (OL5081), Automated Information System (AIS) User Registration/Change Request, for each prime or subcontractor employee and require an electronic signature from each employee indicating the contractor employee has read and fully understands the security requirements governing access to the Service's IT systems. IRS approval of the OL5081 is required before a contractor employee is granted access to, use or operation of IRS IT systems. IRM 10.8.1 includes more detailed information on the OL 5081.
3. Contractor Acknowledgement.
The contractor also acknowledges and agrees that he or she understands that all contract employees must comply with all laws, IRS system security rules, IRS security policies, standards, and procedures. The contractor also acknowledges
Page - 9
TIRNO-09-C-00019 MOD# 0008
that a contract employee's unsanctioned, negligent, or willful violation of the laws, IRS system security rules, IRS security policies, standards, and procedures may result in the revocation of access to IRS information technology systems, immediate removal from IRS premises and the contract, and for violations of Federal statute or state laws, the contract employee may be subject to arrest by Federal law enforcement agents.
4. Limited Personal Use of Government IT Resources.
|
a.
|
Contractors, like employees, have no inherent right to use Government IT resources, and this policy does not create the right to use Government IT resources for nongovernmental purposes. However, as a courtesy, the privileges (and restrictions) established by IRM 10.8.27. IRS Policy On Limited Personal Use of Government Information Technology Resources for employees, are extended to contractors.
|
|
b.
|
Contractors, like employees, have the privilege to use Government IT resources for nongovernmental purposes when such use:
|
| o | involves minimal additional expense to the Government; |
| o | occurs during non-work hours for reasonable duration and frequency; |
| o | does not violate the Codes of Ethical Conduct; |
| o | does not overburden any of the IRS' IT resources; |
| o | does not adversely affect the performance of official duties; |
| o | does not interfere with the mission or operations of the IRS; and |
| o | complies with existing Federal Government, Department of the Treasury, and IRS policies for, but not limited to—ethics, security, disclosure, and privacy. |
|
c.
|
Contractors, like employees, are specifically prohibited from inappropriate Internet usage such as participation in: gambling, pornography, personal communication on social networking sites, peer-to-peer (P2P) file sharing, downloading unauthorized programs or software, and other activities that open IRS information or information systems to security risks. Specific examples are referenced in IRM 10.8.27. Exhibit 10.8.27-1. Prohibited Uses of Government IT Resources.
|
|
d.
|
Contractors, like employees, are specifically prohibited from the pursuit of private commercial business activities or profit-making ventures using the Government's IT resources. The ban also includes the use of the Government's IT resources to assist relatives, friends, or other persons in such activities.
|
|
e.
|
Contractors, like employees, are specifically prohibited from engaging in any political fundraising activity, endorsing any product or service,
|
Page - 10
TIRNO-09-C-00019 MOD# 0008
|
|
participating in any lobbying activity, or engaging in any prohibited partisan political activity, in accordance with, Title 5 - Code of Federal Regulations (CFR) - Part 735, Office of Personnel Management, Employee Responsibilities and Conduct. |
|
f.
|
Contractors, like employees, should have no expectation of privacy, while using any Government IT resources at any time, including (but not limited to) accessing the Internet or using e-mail.
|
Any unauthorized use may be reported to the Contracting Officer's Technical Representative (COTR), the Contracting Officer, and the Computer Security Incident Response Center (CSIRC) (for subsequent referral to the Department of Treasury Inspector General for Tax Administration (TIGTA) and/or the Personnel Security, Centralized Adjudication Group (CAG), as appropriate).
5. Replacement Personnel.
The contractor acknowledges that in the event of an alleged violation of the policies and rules on access, use or operation of IRS' IT resources, the IRS, at its discretion, may immediately withdraw access privileges of the contractor employee alleged to have violated said policies and rules, and request suspension of that employee from performance under this or any IRS contract pending the conclusion of its investigation of the matter. At the conclusion of the its investigation, if the IRS determines that extended or permanent revocation of access to IRS' IT resources computer systems and/or facilities, or other disciplinary action is warranted or in its best interest, the contractor agrees to remove the contractor employee that was the subject of the investigation within one day of official notification by the IRS of its access eligibility determination, and provide a replacement within five days. Replacement personnel must be acceptable to the IRS. The proposed replacement personnel must have a substantive amount of experience in the job position in which they will be performing; including equal or greater qualifications as the individual being replaced. In evaluating proposed replacement personnel, the IRS reserves the right to make an assessment on the technical and/or professional qualifications of the proposed substituting individual(s). The Contracting Officer (on the advice and recommendation of the COTR) has the right to disallow the proposed substituting individual(s) from performing under the subject contract, when the technical and/or professional qualifications of the proposed replacement personnel are determined (1) not to be substantially equivalent to the technical and/or professional qualifications of the personnel they are to replace, or (2) not sufficient to reasonably insure successful performance, or (3) otherwise endanger contract performance, progression, or completion. New hires or replacement personnel are subject to and must receive an acceptable (favorably adjudicated) contractor employee security screening conducted by Personnel Security.
Page - 11
TIRNO-09-C-00019 MOD# 0008
6. Monitoring Notification.
IRS management retains the right to monitor both the content and the level of access of contractor employees' use of IRS IT systems. Contractor employees do not have a right, nor should they have an expectation, of privacy while using any IRS information technology system at any time, including accessing the Internet or using e-mail. Data maintained on government office equipment may be subject to discovery and Freedom of Information Act requests. By using government information technology systems, consent to monitoring and recording is implied with or without cause, including (but not limited to) accessing the Internet or using e-mail or the telephone. Any use of government information technology systems is made with the understanding that such use is generally not secure, is not private and is not anonymous.
7. Subcontracts.
The Contractor shall incorporate this clause in all subcontracts, subcontract task or delivery orders or other subcontract performance instrument where the subcontractor employees will require access, use or operation of IRS information technology systems.
[End of clause]
Page - 12
TIRNO-09-C-00019 MOD# 0008
Page - 13