48 C.F.R. §§ 2452.239-70

Current through September 30, 2024
Section 2452.239-70 - Access to HUD systems

As prescribed in 2439.107(a), insert the following clause:

ACCESS TO HUD SYSTEMS (APR 2019)

(a)Definitions. As used in this clause-

Access means the ability to obtain, view, read, modify, delete, and/or otherwise make use of information resources.

Application means the use of information resources (information and information technology) to satisfy a specific set of user requirements (see Office of Management and Budget (OMB) Circular A-130).

Contract means any authorized contractual instrument, including, but not restricted to, task orders, purchase orders, Blanket Purchase Agreement calls, etc.

Contractor employee means an employee of the prime contractor or of any subcontractor, affiliate, partner, joint venture, or team members with which the Contractor is associated. It also includes consultants engaged by any of those entities.

Mission-critical system means an information technology or telecommunications system used or operated by HUD or by a HUD contractor, or organization on behalf of HUD, that processes any information, the loss, misuse, disclosure, or unauthorized access to, or modification of which would have a debilitating impact on the mission of the agency.

NACI means a National Agency Check with Inquiries, the minimum background investigation prescribed by the Office of Personnel Management (OPM).

PIV Card means the Personal Identity Verification (PIV) Card, the Federal Government-issued identification credential (i.e., identification badge).

Sensitive information means any information of which the loss, misuse, or unauthorized access to, or modification of, could adversely affect the national interest, the conduct of Federal programs, or the privacy to which individuals are entitled under section 552a of title 5, United States Code (the Privacy Act), but which has not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept secret in the interest of national defense or foreign policy.

System means an interconnected set of information resources under the same direct management control, which shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people (see OMB Circular A-130). System includes any system owned by HUD or owned and operated on HUD's behalf by another party.

(b)General.
(1) The performance of this contract requires contractor employees to have access to a HUD system or systems. All such employees who do not already possess a current PIV Card acceptable to HUD shall be required to provide personal background information, undergo a background investigation (NACI or other OPM-required or approved investigation), including an FBI National Criminal History Fingerprint Check, and obtain a PIV Card prior to being permitted access to any such system in performance of this contract. HUD may accept a PIV Card issued by another Federal Government agency but shall not be required to do so. No contractor employee will be permitted access to any HUD system without a PIV Card.
(2) All contractor employees who require access to mission-critical systems or sensitive information contained within a HUD system or application(s) are required to have a more extensive background investigation. The investigation shall be commensurate with the risk and security controls involved in managing, using, or operating the system or applications(s).
(c)Citizenship-related requirements. Each affected contractor employee as described in paragraph (b) of this clause shall be:
(1) A United States (U.S.) citizen; or,
(2) A national of the United States (see 8 U.S.C. 1408 ); or,
(3) An alien lawfully admitted into, and lawfully permitted to be employed in the United States, provided that for any such individual, the Government is able to obtain sufficient background information to complete the investigation as required by this clause. Failure on the part of the contractor to provide sufficient information to perform a required investigation or the inability of the Government to verify information provided for affected contractor employees will result in denial of their access.
(d)Background investigation process.
(1) The Contracting Officer's Representative (COR) shall notify the Contractor of those contractor employee positions requiring background investigations.
(i) For each contractor employee requiring access to HUD information systems, the Contractor shall submit the following properly completed forms: Electronic Standard Form (SF) 85, "Questionnaire for Non-sensitive Positions" via e-QIP, completed USAccess enrollment (electronic fingerprinting) and Optional Form (OF) 306 (Items 1 through 17). The SF-85 and OF-306 are available from the OPM website, http://www.opm.gov. The electronic questionnaire is available on OPM's e-QIP site, https://www.opm.gov/investigations/e-qip-application/.
(ii) For each contractor employee requiring access to mission-critical systems and/or sensitive information contained within a HUD system and/or application(s), the Contractor shall submit the following properly completed forms: Electronic SF-85P, "Questionnaire for Public Trust Positions" via e-QIP;" Electronic Standard Form (SF) 85, "Questionnaire for Non-sensitive Positions via e-QIP," completed USAccess enrollment (electronic fingerprinting) and Optional Form (OF) 306 (Items 1 through 17). The SF-85 and OF-306 are available from the OPM website, http://www.opm.gov. The Electronic questionnaire is available on OPM's e-QIP site, https://www.opm.gov/investigations/e-qip-application/; and a Fair Credit Reporting Act form (authorization for the credit-check portion of the investigation). Contractor employees shall complete the Medical Release behind the SF-85P.
(iii) The electronic questionnaires (e-QIP) SF-85, 85P, and OF-306 are available from OPM's websites https://www.opm.gov/investigations/e-qip-application/ and http://www.opm.gov. The COR will provide all other forms that are not obtainable via the internet.
(2) The Contractor shall deliver the forms and information required in paragraph (d)(1) of this clause to the COR as securely as possible.
(3) Affected contractor employees who have had a Federal background investigation without a subsequent break in Federal employment or Federal contract service exceeding 2 years may be exempt from the investigation requirements of this clause, subject to verification of the previous investigation. For each such employee, the Contractor shall submit the following information in lieu of the forms and information listed in paragraph (d)(1) of this clause: PIV and Pre-Security Form.
(4) The investigation process shall consist of a range of personal background inquiries and contacts (written and personal) and verification of the information provided on the investigative forms described in paragraph (d)(1) of this clause.
(5) Upon completion of the investigation process, the COR will notify the Contractor if any contractor employee is determined to be unsuitable to have access to the system(s), application(s), or information. Such an employee may not be given access to those resources. If any such employee has already been given access pending the results of the background investigation, the Contractor shall ensure that the employee's access is revoked immediately upon receipt of the COR's notification.
(6) Failure of the COR to notify the Contractor (see paragraph (d)(1) of this clause) of any employee who should be subject to the requirements of this clause and is known, or should reasonably be known, by the Contractor to be subject to the requirements of this clause, shall not excuse the Contractor from making such employee(s) known to the COR. Any such employee who is identified and is working under the contract, without having had the appropriate background investigation or furnished the required forms for the investigation, shall cease to perform such work immediately and shall not be given access to the system(s)/application(s) described in paragraph (b) of this clause until the Contractor has provided the investigative forms to the COR for the employee, as required in paragraph (d)(1) of this clause.
(7) The Contractor shall notify the COR in writing whenever a contractor employee for whom a background investigation package was required and submitted to HUD, or for whom a background investigation was completed, terminates employment with the Contractor, or otherwise is no longer performing work under this contract that requires access to the system(s), application(s), or information. The Contractor shall provide a copy of the written notice to the Contracting Officer.
(e)PIV Cards.
(1) HUD will issue a PIV Card to each contractor employee who is to be given access to HUD systems and does not already possess a PIV Card acceptable to HUD (see paragraph (b) of this clause). HUD will not issue the PIV Card until the contractor employee has (1) successfully cleared an FBI National Criminal History Fingerprint Check, (2) HUD has initiated the background investigation for the contractor employee, and (3) a Security Approval Notice from HUD PSD via PSDContractorIn-box@hud.gov has been received. Initiation is defined to mean that all background information required in paragraph (d)(1) of this clause has been delivered to HUD. The employee may not be given access prior to those three events. HUD may issue a PIV Card and grant access pending the completion of the background investigation. HUD will revoke the PIV Card and the employee's access if the background investigation process for the employee, including adjudication of the investigation results, has not been completed within 6 months after the issuance of the PIV Card.
(2) PIV Cards shall identify individuals as contractor employees. Contractor employees shall display their PIV Cards on their persons at all times while working in a HUD facility, and shall present cards for inspection upon request by HUD officials or HUD security personnel.
(3) The Contractor shall be responsible for all PIV Cards issued to the Contractor's employees and shall immediately notify the COR if any PIV Card(s) cannot be accounted for. The Contractor shall promptly return PIV Cards to HUD as required by the FAR clause at 52.204-9. The Contractor shall notify the COR immediately whenever any contractor employee no longer has a need for his/her HUD-issued PIV Card (e.g., the employee terminates employment with the Contractor, the employee's duties no longer require access to HUD systems). The COR will instruct the Contractor as to how to return the PIV Card. Upon expiration of this contract, the COR will instruct the Contractor as to how to return all HUD-issued PIV Cards not previously returned. Unless otherwise directed by the Contracting Officer, the Contractor shall not return PIV Cards to any person other than the COR.
(4) The Contractor shall submit a report to the Contracting Officer and COR no later than five (5) calendar days after the end of each calendar quarter that provides the status of each employee who is required to work in a HUD facility during the performance of the contract. At a minimum, the report shall identify the Contractor and the contract number, and list for each employee the following information:
(i) Employee name;
(ii) Name of HUD facility where employee works;
(iii) Date background check submitted;
(iv) Date PIV Card issued;
(v) PIV card number;
(vi) Date employee no longer has need of the HUD PIV Card;
(vii) Date Contracting Officer and COR were notified that employee no longer has need of the HUD PIV Card; and
(viii) Date PIV Card returned to COR.
(f)Control of access. HUD shall have and exercise full and complete control over granting, denying, withholding, and terminating access of contractor employees to HUD systems. The COR will notify the Contractor immediately when HUD has determined that an employee is unsuitable or unfit to be permitted access to a HUD system. The Contractor shall immediately notify such employee that he/she no longer has access to any HUD system, physically retrieve the employee's PIV Card from the employee, and provide a suitable replacement employee in accordance with the requirements of this clause.
(g)Incident response notification. An incident is defined as an event, either accidental or deliberate, that results in unauthorized access, loss, disclosure, modification, or destruction of information technology systems, applications, or data. The Contractor shall immediately notify the COR and the Contracting Officer of any known or suspected incident, or any unauthorized disclosure of the information contained in the system(s) to which the Contractor has access.
(h)Nondisclosure of information.
(1) Neither the Contractor nor any of its employees shall divulge or release data or information developed or obtained during performance of this contract, except to authorized Government personnel with an established need to know, or upon written approval of the Contracting Officer. Information contained in all source documents and other media provided by HUD is the sole property of HUD.
(2) The Contractor shall require that all employees who may have access to the system(s)/applications(s) identified in paragraph (b) of this clause sign a pledge of nondisclosure of information. The employees shall sign these pledges before they are permitted to perform work under this contract. The Contractor shall maintain the signed pledges for a period of 3 years after final payment under this contract. The Contractor shall provide a copy of these pledges to the COR.
(i)Security procedures.
(1) The Contractor shall comply with applicable Federal and HUD statutes, regulations, policies, and procedures governing the security of the system(s) to which the Contractor's employees have access including, but not limited to:
(i) The Federal Information Security Management Act (FISMA);
(ii) Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources;
(iii) HUD Handbook 2400.25, Information Technology Security Policy;
(iv) HUD Handbook 732.3, Personnel Security/Suitability;
(v) Federal Information Processing Standards 201 (FIPS 201), Sections 2.1 and 2.2;
(vi) Homeland Security Presidential Directive 12 (HSPD-12); and
(vii) OMB Memorandum M-05-24, Implementing Guidance for HSPD-12.

The HUD Handbooks are available online at: http://www.hud.gov/offices/adm/hudclips/ or from the COR.

(2) The Contractor shall develop and maintain a compliance matrix that lists each requirement set forth in paragraphs (b), (c), (d), (e), (f), (g), (h), (i)(1), and (m) of this clause with specific actions taken, and/or procedures implemented, to satisfy each requirement. The Contractor shall identify an accountable person for each requirement, the date upon which actions/procedures were initiated/completed, and certify that information contained in this compliance matrix is correct. The Contractor shall ensure that information in this compliance matrix is complete, accurate, and up-to-date at all times for the duration of this contract. Upon request, the Contractor shall provide copies of the current matrix to HUD.
(3) The Contractor shall ensure that its employees, in performance of the contract, receive annual training (or once if the contract is for less than one year) in HUD information technology security policies, procedures, computer ethics, and best practices in accordance with HUD Handbook 2400.25.
(j)Access to Contractor's systems. The Contractor shall afford HUD, including the Office of Inspector General, access to the Contractor's facilities, installations, operations, documentation (including the compliance matrix required under paragraph (i)(2) of this clause), databases, and personnel used in performance of the contract. Access shall be provided to the extent required to carry out, but not limited to, any information security program activities, investigation, and audit to safeguard against threats and hazards to the integrity, availability, and confidentiality of HUD data and systems, or to the function of information systems operated on behalf of HUD, and to preserve evidence of computer crime.
(k)Contractor compliance with this clause. Failure on the part of the Contractor to comply with the terms of this clause may result in termination of this contract for default.
(l)Physical access to Federal Government facilities. The Contractor and any subcontractor(s) shall also comply with the requirements of HUDAR clause 2452.237-75 when the Contractor's or subcontractor's employees will perform any work under this contract on site in a HUD or other Federal Government facility.
(m)Subcontracts. The Contractor shall incorporate this clause in all subcontracts where the requirements specified in paragraph (b) of this clause are applicable to performance of the subcontract.

(End of clause)

48 C.F.R. §§2452.239-70

84 FR 15134, Apr. 15, 2019
81 FR 13755, 3/15/2016; 84 FR 15134, 5/15/2019