Exhibit 10.13

 

New Microsoft Word Document_executed alclearllc_page001.jpg  ;rz.fi _,i Sccurlf)' ' 'e.Yi' ¥ Adm1nis11· 1.lon IOTA NUMllllR-OTHER TltANSACTION AGREE MENT REOUISITION NUMBER 70T020209NTOIA00921192090IA079 I lSSlJf,O TO]ISSUED BY Nu.int; &. Addr s!-.;Ak:lear. LLCNunu; & Addrc!is: 65 b.lSl 55•h Street, 17''1 l'loor·fr;l11$f >ol'lation Sccu1·ity Atl111iu• tr;1tlon Nt>w York, NY L002270 I S 12"' Str<-.:1 t:.IN:7.7· 1733•t25/\rlingl on, V/\ 20598 DIJNS:962·10948:1En1ai1: (ik1r ia.Uria( t$.1.d h:o...1nil I .l)C;tliorl of Eo1i1y. N YC (HadquarlCr.s) --· l'mgrdm 1'SA PRE./® Al'l'LICATION E::XPA:llSIO:'>i l'criod of Per fclnn11rtc1:: 0 1 20 2020 100 I 19 2030 (01\P, lhfee. }'l'!ilr b;,\$e-r1eriOll, lwO, lw<i -re r optiOI! l't:I iolh, t'l d lhn•t'> UllC' }'t'il.f OpllOll . PSC R499 I FISCAL DATA A<: ounting I.inc: Obligated : lPURPOSE Th\.: purpOf>C of this .AgtC\:lllCnt is to i;; tablisli the tusks uc•:t>s ury tn <l·vclt)p, d<:lhrcr. n{l d deploy hio1nctrit· vc11ing apphca1ic1n ;cnpnhilili cs 10 cx.p;nld' th.p11l1tic '!=. cnrolllnenl oppor111ni1jes {Or 'J'SA Prc/Q.(1 ;\pplicntion Pros,t'ittn 11 n:ttuircd under the TS.I\ Moderoizmio111\ct of201&. Section t•>37(d). 11.R. 302. j AU'rHORIZl•:DSICNAl'URf,;.<;-1d1tL\ u(;z,-<1 t/..U;.,01-011-2020 ... --·Date ·--i-th:i11 n1's Sign<l1ure Oah: 1g OfTtccr's Signiiturc yC·\.D. 1J-TYrEO NAME ANO TITLETYf'EO NAME AND TITLf ···. --····--·

 

 

 

New Microsoft Word Document_executed alclearllc_page002.jpg ARTICLE I -PARTIES This Other Transaction Agreement (hereinafter referred to as "Agreement" or "OTA"} is entered into between the United States of America (hereinafter referred to as the ''Government'') Transportation Security Administration (hereinafter referred to as "TSA") and Alclcar, LLC. The TSA and Alclear, LLC agree to cooperate in good faith and to perform their respective obl igations using their cooperative good faith efforts i n executing the purpose of this Agreement. ARTICLE II -AUTHORITY TSA and Alclear, LLC enter into this Agreement under the authority of the Aviation and Transportation Security Act, Pub. L. 107-71, 115 Stat. 597,specifically 49 U.S.C. l 14(m), and l 06(1) and (m), which authorizes agreements and other transactions on such terms and conditions as the Administrato r determines necessary. ARTICLE Ill -SCOPE The purpose of this Agreement is to establish the tasks necessary to develop, del iver, and deploy biometric vetting application capabi lities to expand the public 's enrollment opportun ities for TSA Pre./® Application Program as required under the TSA Modern ization Act of 2018, Section 1937(d), H.R. 302. This includes the ability to offer convenient and accessible enrollment options, reliably perfonn identity validation and verification as well as vet the applicant by means of the applicant's biometric data by conducting a criminal history records check through the Federa l Bureau of Investigation (FBI}. At a minimum , Alclear, LLC must del iver the following: l. the ability to offer start-to-finish on line or mobile enrollment capability; reliably perfonn identity validation and verification at standards comparable to NIST 800-63A as indicated in the Statement of Work; protect privacy and data security including any persona ll y identifiab l e information in a manner consistent with section 552a of the Privacy Act of 1974 (5 U.S.C. 552) and vet the applicant by mean s of the applicant's biometric data by conduct ing a criminal history records check through the FBJ. To accomplish these general requirements, Alclear, LLC must meet the specific requirements found in the following attachments: Attachment #01 -Statemen t of Work (SOW) Attachment #02 -TSA Pre./ ® Expansion Requirements Matrix Attachment #03 -Site Survey Attachment #04 -Enroll ment Locations Attachment #05 -Fee Coll ecti on Requirements

 

 

 

New Microsoft Word Document_executed alclearllc_page003.jpg Attachment #06 -TSA Pre../ ® Licens i ng Agreement Attachment #07 -TSA Pre../ ® Creative Toolkit Attachment #08 -Privacy Act and Paperwork Reduction Statement Attachment #09 -Name Entry Policy Attachment# 10 -Required Enrollment Documentation Attachment # 1 l -TSA MD 3700.4, FINAL, 08 1209v.4 Attachment # 12-TSA MD 1400.3, FINAL, 140408 Attachment # 13-TSA-MD-2800-71 Attachment # 14 - l I 042. l Safeguarding Sensitive Bui Unclass ified (For Official Use Only) Information Attachment # 15 -4300A Sensitive Systems Policy Attachment# 16 -43008.000 OHS National Security Systems Policy Cover page Attachment# 17 -4300B.OOO_Table of Contents Attachment# 18 -43008. l 00 -National Security Systems Policy Attachment #19-4300B .101 - Risk Management Framework Attachment #20 -43008. 102 -National Security Systems Security Control Guidance Attachment #2 1 -43008 .103-l - System Securi ty Plans FINAL Attachment #22 -4300B. 103.2 - Risk Assessment Repo11s Attachment #23 -43008. l03-3 - Security Assessment Reports Attachment #24-4300B .103-4 - Plans of Action and Milestones Attachment #25 -43008. 106 - User Minimum Requirements Attachment #26 -43008. l 07 - Decommi ssion ing Strategy Attachment #27 -4300B .108-I - NSS References Attachment #28 -43008. 108.2 - NSS Po licy Change Request Attachment #29 -43008.200 COMSEC Attachment #30 -TSA Prev'® Expansion -Volume 3 Element Matrix Attachment #3 1 -Outsourcing Rap8ack Guide Attachment #32 -Outsourcing Agreement_ V l .O ARTICLE IV - RESPONSIBILITIES The parties agree to cooperate, act in good faith, and to meet their respect ive obligations in furtherance of the purposes of this OTA and TSA Prev'® Application Expansion Statement of Work (SOW) and SOW Attachments and other relevant documents, which are incorporated by reference by this article. ARTICLE V-EFFECTIVE DATE AND TERM The effective date of this Agreement is the date on wh ich it is signed by the TSA or Alclear, LLC, wh i chever is later. This agreement will conti nue in effect for a three (3)-year base period, with two (2), two-year options and three (3), one-year options for a potential total period of

 

 

 

New Microsoft Word Document_executed alclearllc_page004.jpg performance of Ten Years (10) from the effective date, unless earlier term i nated by the parties as provided herein . A lclcar, LLC agrees to meet the following timcl incs : No later than 90 days from OTA award, the Entity must be ready to begin integration/interface testing with TSA and TSA-required systems (to include TSA and pay.gov testing) as referenced in SOW Section 4.7. 1 No later than 270 days from OTA award, the Entity must achieve Authority to Operate (ATO) from TSA as referenced in SOW Section 4.7.I. *No later than 270 days from OTA award, the Entity must achieve approval to begin enrolling applicants (i.e., launch operations) from TSA. In order to receive approval to launch operations, the Entity must provide evidence that all operations and technology are established and meeting the requirements described in SOW Section 4.7. ARTICL E V.1-EFFECTIVE DATE ANO TERM OPTIONS The Government wi ll provide the Entity a written notice of exercise of an option at least 30 days before the OTA expires. lfthe Government extends, then the extended OTA shall be considered to include all extension periods. The total duration of this OTA, includ i ng the exercise of any options under this tenn, shall not exceed 120 months. ARTICLE VI -ACCEPTANCE AND TESTING A lclcar, LLC will perform in accordance to the Statement of Work (SOW), SOW attachments, and related attachments. ARTICLE VII - FUNDING AND LIMITATIONS The Entity shall collect and remit fee payment to TSA, pursuant to 6 U.S.C. 469, for each application that it submits. The Entity shall remit fees to TSA in form and manner consistent with SOW Attachment #05 - Fee Collection Requirements, describing requi rements for the collection of government funds. ARTICLE VIU -BILLING PROCEDURE AN D PAYMENT This Agreement docs not involve any payments from the Government to Alclcar, LLC -rather, the Entity shall remi t the specified fees amounts to TSA in accordance with Articl e VII of this agreement, as paym ent for TSA to complete process ing of each subm itted appl ication . A lclear, LLC is also required to provide a fee to the FBI for conducting a criminal history records check.

 

 

 

New Microsoft Word Document_executed alclearllc_page005.jpg No appropriated or other Government funding wi ll be obligated under th i s Agreement. A lclear, LLC agrees to provide these enrollment capabilities, throughout the life of this agreement , at no cost to the government. Beyond the TSA and FBI fees, Alclear, LLC is encouraged to establish novel business models and pricing mechani sms to recover the costs of its efforts and continue to expand enrollments. Add itionally, TSA docs not provide for any government reimbursement of any cost incurred in making necessary sn1dies or designs for the preparation of the systems or i ncurred in obtaining services or supplies. ARTICLE IX - AUDITS TSA shall have the right to examine or audit relevant financial records for each Alclear, LLC facil ity, whi le this Agreement, or any part thereof, rema ins in force and effect, and for a period of three years after expi ration or termination of the tenns of this Agreement. For each facility, A lclcar, LLC shall mainta in: proj ect records, technology maintenance records, and data associated with this TSA Pre./® Appl ication Expansion while this Agreement, or any pan thereof, remains in force and effect, and for a per i od or three years afler any resulting final termination settlement. Ifthis Agreement is completely or partially tenninated, the records relating to the work terminated shall be made avai lable for three years after any resulting final termination settlement. Records relating to appeals under the "Disputes" provision in Article XII regarding this Agreement shall be made avai lable unt il such appeals arc finally resolved. As used in this prov ision, "records" i ncludes books, documents and other data, rega rdless or type and regardless of whether such items are in written fonn, in the form of computer or other electronic data, or in any other form that relate to this TSA Pre,; ® Application Expansion for each facility. Alclear, LLC shall also main tain all records and other evidence sufficient to reflect fees collected from the public, and fees forward to TSA as payment for TSA vetting and program maintenance, in accordance with Attachment 4in the conduct ofTSA Pre./® Application Expansion. The Contracting Officer, Contracting Officer's Representative, or the authorized representat ives of these officers shall have the right to examine and audit those records at any time. This right of examination shall include inspection at all reasonable times at Alclear, LLC's offices directly responsi ble for managing the TSA Pre./® Application Expansion. The Comptroller General of the United States shall also have access to, and the right to examine, any records invo lving transactions related to this Agreemen t. This a1iicle shall not be construed to require Alclear, LLC, or its contractors or subcontractors who are associated with or engaged in activities relating to this OTA, to create or maintain any record that they do not maintain in the ordinary course of business pursuant to a prov ision of law, provided that those entities maintain records which conform to generally accepted account ing procedures. ARTICLE X - AUTHORIZED REPRESENTATIVES

 

 

 

New Microsoft Word Document_executed alclearllc_page006.jpg TSA Contacts: G loria Uria, OTA Contracting Officer E-ma il :G loria.Uria@tsa.dhs.gov Telephone : 571-227-2429 Megan Kesler OTA Contract Specialist E-ma il: Megan .Kesler@tsa.dhs.gov Telephone: 571-227-2007 Pablo Landrau, COR E-mai l: Pablo.Landrau@L a.dhs .gov Telephone: 571-227-3140 Alclear, LLC Contacts (Please include telephone numbers and emai l addresses.) The COR is responsible for the techn ical adm in istration and liaison of this Agreement. The COR i s not authorized to change the scope of work, to make any comm itment or otherwise obl igate the TSA,or authorize any changes which affect the liability of the TSA. Alclear, LLC will infonn the Contracting Officer in the event that the COR takes any action which is interpreted by A lclear, LLC as a change in scope or liability to either pa1ty. ARTICLE XI - LIMITATIONS ON LIABILITY Subject to the provisions of Federal law, including the Federal Torts Claims Act, each party expressly agrees without exception or reservation that it shall be solely and exclusively l iable for the acts or omissions of its own agents and/or employees and that neither party looks to the other to save or hold it ha1mlcss for the consequences of any act or omission on the pa1t of one or more of its own agents or employees, subject to the same cond itions provided above. Alclear, LLC has the aftirmative duty to notify the TSA Contracting Officer in the event that Alclear, LLC believes that any act or om ission of a TSA agent or employee would increase A lclear, LLC costs and cause Alckar, LLC to seek compensation from TSA beyond TSA's liability as stated in Article IV (Responsibilities), or Article VI (Funding And Li mitations). Claims against either party for damages of any natu re whatsoever pursued under this Agreement shall be limited to direct damages not to exceed the aggregate outstan ding amount of funding obligated under this Agreement at the time the dispute arises.IfAlclear, LLC receives any communication which it interprets as instructions to change the work encompassed in this Agreement, or to incur costs not covered by fund ing obligated at that ti me, Alclear, LLC must not act on that communicat ion, and must contact the Contracting Officer verbally and in writing immediately. In no event, beyond the Entity's liabilities under the Protection of Information (Article XVIII), shall either party be liable to the other for consequential, punitive, specia l and incidental damages, clai ms for lost profi ts, or other indirect damages.

 

 

 

New Microsoft Word Document_executed alclearllc_page007.jpg No third pa1iy shall assert any rights under this Agreement unless expressly provided herein. ARTICLE XII - DISPUTES Where possible, disputes shall be resolved by in forma l discussion between the Contracting Officer for TSA and an authorized representative of Alclear, LLC. All disputes arising under or related to this Agreement shall be resolved under this Article. Disputes, as used in this Agreement, mean a written demand or written assertion by one of the parties seeking, as a matter of right, the adjustment or interpretation of Agreement terms,or other relief arising under this Agreement.The dispute shall be made in writing and signed by a duly authorized representative of Alclear, LLC or the TSA Contracting Officer. At a minimum, a dispute under this Agreement shall i nclude a statement of facts, adequate supporting data, and a request for relief. In the event the parties are unable to resolve any disagreement through good faith negotiations, Alclear, LLC may submit the d ispute to the Deputy Assistant Administrator for Contracting and Procurement. Ifthe decision of the Deputy Assistant Administrator for Contracting and Procurement is unsatisfactory, the decision may be appealed to the TSA Assistant Administrator for Contracting and Procurement. The part ies agree that the TSA Assistant Administrator/Head of the Contracting Activity for Contracti ng and Procurement's decision shall be final and not subject to further jud icial or administrative review and shall be enforceable and binding upon the parties. ARTICLE XIII -TERM INATION In add ition to any other tenn ination rights provided by th is Agreement, either party may terminate th i s Agreement at an y time prior LO its expiration date, with or without cause, by giving the other party at least thirty (30) days' prior written notice of termination. Upon receipt ofa notice of tennination, the receiving party shall take immediate steps to stop the accrual of any additional obligations that might require payment. IfAlclear, LLC exercises its right to withdraw voluntarily from the project, Alclear, LLC agrees to reimburse the United States Government for all monies disbursed to it under this Agreement. ARTICLE XIV-SUSPENSION In add ition to any other termination rights provided by th is Agreement, the Government reserves the right to suspend work of the provider until the performance flaw is corrected and confirmed by the Government. This suspension will be at no cost to the Government. If performance issues continue to occur and are not corrected in a timely manner, the Government will proceed wi th the termination in accordance with Article XIII. ARTICLE XV - CHANGES AND/OR MODIFICATIONS Changes or modifications to this Agreement shall be in writing and signed by the TSA Contracting Officer and the authorized representative of Alclear, LLC. The modification shall

 

 

 

New Microsoft Word Document_executed alclearllc_page008.jpg cite the subject provision to this Agreement and shall state the exact nature of the modif ication . No oral statement by any person shall be interpreted as modifying or otherwise affecting the terms of this Agreement. Reasonable administrative mod ifications such as changes in address changes, Key Personnel, name of the TSA Contracti ng Officer, etc. may be issued unilaterally by TSA. A ll changes or mod ification to this Agreement will be at no cost to the Government . The Contracting Officer may at any ti me, by wri llen order, unilaterall y direct changes within the general scope of this agreement in order to correct a security weakness, revise the schedule for specific activity, change operational parameters, adapt to new threats, or provide for more efficient operations,and shall mod ify the contract accord ingly. I f any such change cannot be accommod ated by the performer within the time allowed by the Contracting Officer, the Governmen t may suspend the performer's right to conduct any operations under this agreemen t, until the change can be implemented, for a fixed period, or permanen tly. A RTICLE XVI -NEW OR U PGRA DED TECH NOLOGIES, SOLUTIONS, AND PROVIDERS The Government encow·ages Alclear, LLC to continuously propose to TSA technological and process i mprovements to further enhance TSA Pre./® enrollments . To that end, the Government reserves the right to modify th is and other OTAs to incorporate these improvements, if in the best interest of the government . All changes or modification to th is Agreement will be at no cost to the Government . ARTICLE XVII - CONSTRUCTION OF THE AGREEMENT This Agreement is issued pursuant to the authority of the Aviation and Transportation Security Act, Pub. L. 107-71, 1 15 Stat. 597, specifically 49 O.S.C. l 14(m), and 106(1) and (m) and is not a procu rement contract, grant,cooperative agreement, or other financial assistance. I t is not i ntended to be, nor shall it be construed as a partnership, corporatio n, or other business organization. Both parties agree to provide their best efforts to achieve the objectives of this Agreement. The Agreement constitutes the entire a1:,JTeement behveen the parties with respect to the subject matter and supersedes all prior agreements, understandi ng, negotiations and discussions whether oral or written of the parties. Each pa11y acknowledges that there arc no exceptions taken or reserved under this Agreement . A RTICLE XVIII - PROTECTION OF IN FORMATION/EMPLOYEE ACCESS/SAFEGUARDING SENSITIVE INFORMATION Applicability. This article applies to Alclear, LLC, its subcontractors, and Entity employees (hereafter referred to collectively as "OTA Entity"). The OTA Entity shall insert the substance of th is article in all subcontracts.

 

 

 

New Microsoft Word Document_executed alclearllc_page009.jpg Definitions Sensitive Information, as used in this a1ticle, means any information, the loss, misuse, disclosure,or unautho rized access to or modification of which could adversely affect the national or homeland security interest, or the conduct of Federa l programs, or the pr ivacy to which individuals are entitled under section 552a of title 5, United States Code (the Privacy Act), but which has not been specifically authori zed under criteria established by an Execut ive Order or an Act of Congress to be kept secret in the interest of nationa l defense, homeland security or foreign pol icy. This definition includes the following categories of infonn ation: )"Personally Identifiab l e Information (Pll)" means i nfonnat ion that can be used to distinguish or trace an individual's identity, such as name, social security num ber, or biometric records, either alone, or when combined with other personal or identifying information that is linked or linkable to a specific individual, such as date and place of birth, or mother's maiden name. The definition of PII is not anchored to any singl e category of infonnat ion or technology. Rather, it requires a case-by-case assessment of the specific risk that an individua l can be identified . In perfonning this assessment, it is important for an agency to recognize that non-personally identifiable information can become personally identifiable information whenever additional information is made publ icly avai lable-in any medium and from any source-that, combined with other available information, could be used to identify an individual. Pll is a subset of sensitive i nfonnat ion. Examples of Pll incl ude, but are not l imited to: name, date of birth, mailing address, telephone number, Social Security number (SSN), email address, zip code, account numbers, certificate/license numbers, vehicle identifiers including license plates, uniform resource locators (URLs), static Internet protocol addresses, biometr ic identifiers such as fingerprint, vo iceprint, iris scan, photograph ic facial images, or any other un ique identifying number or characteristi c,and any in fonnation where it is reasonably foreseeable that the info1mation will be linked with other information to identify the individual. Protected Critical Infrastructure Information (PCII) as set out in the Critical Infrastructure Information Act of2002 (Title II, Subtitle B, of the Homeland Security Act, Public Law 107-296, 196 Stat. 2 135), as amended, the implementing regulations thereto (Title 6. Code of Federa l Regulations, Part 29) as amended, the applicable PCll Procedures Manual,as amended , and any supplementary guidance officially communicated by an authorized official of the Department of Homeland Security (including the PCII Program Manager or his/her designee); Sensitive Security Information (SSI), as defined in Title 49. Code of Federal Regulations. Pait 1520,as amended, "Policies and Procedures of Safeguarding and Contro l of SSI," as amended, and any supplementary guidance officially commun icated by an authorized omcial or the Department of Homeland Security (including the Assistant Secretary for the Transportation Security Administration or his/her designee); Information designated as ''For Official Use Only," which is unclassified information ofa sensitive nature and the unauthorized disclosure of which could adversely impact a

 

 

 

New Microsoft Word Document_executed alclearllc_page010.jpg person's privacy or wel fare, the conduct of Federa l programs, or other programs or operations essential to the national or homeland securit y interest; and Any information that is designated "sensitive" or subject to other controls, safe1:,'Uards or protections in accordance with subsequently adopted homeland security information handling procedures . "Sensitive lnfom1ation Incident" is an incident that includes the known, potential , or suspected exposure,loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or unautl1orized access or attempted access of any Govenunent system, OTA Enti ty system, or sensitive infonnation. Sensitive Persona lly Identifiable lnfonnation (SPll)" is a subset of Pll, wh ich if lost, comprom ised or discl osed without authorization, could result in substantial harm, embarrassment , inconvenience, or unfairness lo an indiv idual. Some fonns of PII are sensitive as stand-alone elements. Examples of such PU include: Social Security numbers (SSN), driver's license or state identification number, Alien Registration Num bers (A-number), financia l account number, and biometr ic identifiers such as fingerprint, voiceprint, or iris scan. Add itiona l examples include any groupings of infonnation that contain an individua l 's name or other unique identifier plus one or more of the following elements: (I) (2) (3) (4) (5) (6) (7) Truncated SSN (such as last 4 digits) Date of birth (month, day, and ye.ar) Citizensh ip or immigration status Ethnic or religious affi liation Sexual orientation Criminal History Medical Information System authentication informa tion such as mother's maiden name,account passwords or persona l identification numbers (PIN) Other PII may be "sensitive" depending on its context,such as a l ist of empl oyees and their perfonnance ratings or an unlisted home address or phone number. In contrast,a business card or public telephone directory of agency employees contains Pil but is not sensitive. "Information Technology Resources" include, but are not l imited to,computer equ ipment, networking equipment,telecommunications equipment, cabl ing, network dri ves, computer drives, network software, computer software, software programs, intranet sites, and internet sites. PROTECTION OF INFORMATION The parties agree that they shall take appropriate measures to protec t proprie tary, pri vileged , or otherwise confidential infonnat i on that may come into their possession as a result of this Agreement. Records and Release of Information

 

 

 

New Microsoft Word Document_executed alclearllc_page011.jpg Pursuant to 49 U.S .C. § I l4(r), Sensitive Securi ty lnfonnation and Nondisclosure of Security Activities, Sensitive Security Infonnation (SSI) is a category of sensitive but unclassified (SBU) infonnation that must be protected because it is information that, if publicly released, would be detrimental to the security of transportation. Under 49 Code of Federa l Regulations Part I520.5(a), the SSI Regulation also prov ides additional reasons for protecting information as SS! beyond the cond ition that the release of the information wou ld be detrimental to the security of transportation. SSI may not be disclosed except in accordance with the provisions or that rule. Title 49 of the Code of Federal Regulations, Part 1520 defines the scope, categorization, handling requirements and disposition of info1mation deemed SSI is the 49 C.F.R.Part 1520 (http://ecfr.gpoaccess.gov/) .All members assigned to work under th is Agreement are subj ect to the provisions of 49 CFR Part I520, Protection of Sensitive Security Information, and shall safeguard and handle any SSI in accordance with the pol icies and procedures outlined in 49 Part 1520, as well as the DHS and TSA policies and procedures for handling and safeguarding SSL A ll members assigned to work under this Agreement must complete the TSA mandated SSI Awareness Training course prior to accessing SSI, and on an annual basis for the duration of the OTA or for the duration of the requester's need for access to SS!, whichever is later. The Agreement Holder shall place this requi rement in all contracts, sub-contracts, joint venture agreements, and teaming agreements related to the perfonnance of this agreement.For purposes of this OTA, the OTA Agreemen t ho l der (OTA Entity) wou ld fall under the provis ion of 49 CFR § I520.7(k): Each person employed by, contracted to, or actingfor a covered person, including a grantee of DHS or DOT. and including a person formerly in such position . Pursuant to 49 C.F.R. Part !520.9(a)(3), the Agreement Holder must contact SSI@tsa.dhs .gov for gu idance on handling requests to access to SSI (before using SS! materials) for any other purpose besides activities falling within the scope of the agreement by other persons, including requests from expe1ts, consultants, and legal counsel ("requesters") hired by the Agreement Holder. The Agreement Holder shall include the Contracting Officer (CO) and Contracting Officer Representative (COR) as a carbon copy "cc" recipient of its contact to SSl@tsa.dhs.gov. The TSA SSI office must first make a determination as to whether the requesters are a "covered person" with a "need to know" under 49 C.F.R. Parts 1520.7 and I520. I I.Further recipients of SSI shall be provided NDAs, in accordance with these contract provisions, and with a copy of the SS/ Quick Reference Guide/or DHS Employees and Contrac/ors. (Non-Disclosure Agreements (N DAs). The Contracting Officer will provide the non-disclosure Conn (DHS Fonn 1 1000-6), as necessary, to the Agreement hol der when circumstances warrant. NDAs are required to be signed by all OTA personnel when access to SSI is necessary for perfonnance of the a1:,1feement. By sign ing the NOA, the recipient certifies in writing that they will take the necessary steps to prevent the unauthorized disclosure and use of information. Bre.ach. In accordance wi th 49 C.F.R . Part l 520.9(c), the Agreement holder agrees that in the event of any actual or suspected breach of SSI (i.e., loss of control,compromise, unauthorized disclosure, access for an unau thorized purpose, or other unautho rized access, whether physical or electronic), the Agreement hol der shall immediatel y, and in no event later than one hour of discovery, report the breach to the Contracting Officer and the COR. The Agreement holder is responsi ble for positively verifying that notification is received and acknowledged by at least one of the foregoing Government officials.

 

 

 

New Microsoft Word Document_executed alclearllc_page012.jpg Background. Members assigned to work under th is Agreement must obtai n speci fi e authorization in order to obtain SSL SSI will not be available or otherwise provided or disclosed to any person not specifically authorized to receive it. As part of this OTA, SSI may only be accessed by ind ividuals which have successfu lly passed a Security Threat Assessment. This assessment may include a criminal h isto1y records check (CHRC) and/or a check against terrorism databases. In fonnation Requirements. Cons i stent with the criteria release described above, the Agreement Holder shall provide the appropriate infonnation to the TSA COR as identified below. Note that this requirement applies likewise to all contracts, sub-contracts, joint venture agreements,and teaming agreements related to the performance of th is agreement. This information wi ll be hand led in accord ance with the applicable Privacy Act system of records notice (SORN), Transportation Security Threat Assessmen t System (T-STAS) noted below . The Agreement Holder shall provide the following information for all employees who require access to SSI in a single password protected Microsoft Excel spreadsheet emai led to the COR. The password for the password protected spreadsheet shall be sent to the COR in a separate emai l,at the same time. Employee Full Name Employee Gender: (i.e., Male or Fema le) Employee Birth Date Employee Citizenship Social Security Num ber (for U .S. Citizens and Legal Permanent Residents only) Known Traveler Number (KTN), if available Privacy Act Statement. TSA will use the information provided to conduct a security threat assessment on individua ls who seek access to Sensitive Security Information (SSI). The informat ion will be shared with in OHS with personnel who need the inform ation to perform their officia l duties. Additionally, OHS may share the informat ion wi th law enforcement, i ntelligence, or other governmen t agenci es as necessa ry to identi fy and respond to potential or actual threats to transportation security in accordance with the routine uses identified in the appl icable Privacy Act system of records notice (SORN), DHS!fSA 002, Transportation Security Threat Assessment System (T-STAS). This SORN was last publ ished in the Federa l Register on August I I , 20 14,and can be found at 79 FR 46862-46866. Authority: 49 USC 114. Furnish ing this information is voluntary. However, fai lure to furnish the requested i nfonnat ion may delay or prevent the completion of your securi ty threat assessment, wi thout which you may not be granted access to the SSL fV.Notificat ion of Assessment. Individuals who receive a successfu l Security Threat Assessment will be eligible to receive SSL If it is determined that covered individuals arc not eligible to receive access to part icular SS!based on the threat assessment,the TSA Contacting Officer or COR wi ll prov ide the company po i nt of contact with noti fication that the indi vi dual does not qualify to receive SSL Appeal of the determina tion will not be pennitted due to the time sensitive nature of the acquisition process, however, the potential OTA Entity may nom inate

 

 

 

New Microsoft Word Document_executed alclearllc_page013.jpg another individual to receive SSI access . In the event thal an indi vidua l is determined to be a security threat and the individual believes that the results of the screening are inaccurate , he or she may request access to their records by submitting a Privacy Act Request through TSA's Freedom oflnformation Act (FOIA) internet site at: hnps://www.tsa.gov/foia/reguests. However, due to the demanding acquisition schedule, TSA wi ll not delay an acquis ition to resolve these issues. Publicity and Dissemination of Agreement Information The Agreement holder shall not publish , permit to be published, or distribute for public consumption, any information, oral or written, concerning the results or conclusions made pursuant to the performance of this Agreement without the prior written consent of the Contracting Officer. The Agreement holder shall submit any request for public release at least ten (I0) business days in advance of the planned release. Under no circumstances shall the Agreement holder release any requested submi ttal prior to TSA approval. Any material proposed lo be published or distributed shall be submi tted v ia emai l to lhe Contracting Officer. The Contracting Officer will follow the procedu res in Management Directives 1700.3 and 1700.4. The Office of the Administra tor retains the authority to deny publication authorization. Any conditions on the approval for release will be clearly described. Notice of disapproval will be accompanied by an explanation of the basis or bases for disapproval. Any contact with or by a Media firm or personnel related to this Agreement and in accordance wilh the terms of this Agreement shall be referred to lhe Contracting Officer. OTA ENTITY EMPLOYEE ACCESS OTA Entity employees working on this contract must complete such forms as may be necessary for security or other reasons, including the conduct of background investigations to determine suitability. Completed forms shall be submitted as directed by the Contracting Officer. Upon the Contracting Officer's request, the OTA entity's employees shall be fingerprinted, or subj ect to other in vestigations as required . All OTA entity employees requiring recurring access to Government facilities or access to sensitive infonnation or IT resources are required to have a favorably adjudicated background investigation prior to commencing work on th is contract unless this requirement is wa ived under Departmental procedures. The Contracting Officer may require the OTA Entity to prohib it individuals from working on the contract if the government deems their initial or continued employmen t contrary to the public interest for any reason, including, but not limited to, carelessness, insubordination , incompetence, or security concerns. Work under this contract may involve access to sensitive information. Therefore, the OTA Entity shall not disclose, orally or in wri ting, any sensitive information to any person un less authorized i n writing by the Contracting Officer. For those OTA Entity employees authorized access to sensitive infonnation, the OTA Entity shall ensure that these persons receive training concerning the protection and disclosure of sensitive information both during and after contract

 

 

 

New Microsoft Word Document_executed alclearllc_page014.jpg perfonnance. The OTA Entity shall include the substance of this article in all subcontracts at any tier where the subcontractor may have access to Government facil ities, sensitive information, or rcsomccs. Before receiving access to IT resources under this OTA the individual m ust receive a security briefing, which the Contracting Officer's Technical Representative (COR) will arrange, and complete any nondisclosure agreement furnished by DHS. The OTA Entity shall have access only to those areas of OHS information technology resources expl icitly stated in this contract or approved by the COR in writing as necessary for perfonnance or the work under th is contract. Any attempts by OTA Entity personnel to gain access to any information technology resources not expressly authorized by the statement of work,other terms and conditions in this contract, or as approved in writing by the COR, is strictly prohibited. In the event of violation of this provision, DHS will take appropriate actions with regard to the contract and the individua l(s) involved. OTA Entity access to OHS networks from a remote location is a temporary privilege for mutual convenience wh ile the OTA Entity perfonns business for the OHS Componen t. It is not a ri ght, a guarantee of access, a condition of the contract, or Government Furnished Equipment (GFE).OTA Entity access will be termina ted for unauthorized use. The OTA Entity agrees to hold and save OHS hannless from any unautho rized use and agrees not to request additional time or money under the contract for any delays resu lting from unauthorized use or access. Non -U .S. citizens shall not be authorized to access or assist in the development,operation, management or maintenance ofOepartment IT systems under the contract, unless a waiver has been granted by the Head of the Component or designee, with the concunence of both the Depaitment's Chief Security Officer (CSO) and the Chieflnformation Officer (CIO) or their designces. Within OHS Headq uarters, the waiver may be granted only with the approval of both the CSO and the CIO or their designees. In order for a waiver to be granted: ) The individual must be a legal permanent resident of the U.S. or a citizen of Ireland, Israel, the Republic of the Philippines,or any nation on the Allied Nations List main tained by the Depaltment of State; There must be a compelling reason for using this ind ividual as opposed to a U.S. citizen; and The waiver must be in the best interest of the Governmen t. OTA Entity's shall identify in their proposals the names and citizenship of all non-U.S . citizens proposed to work under the contract. Any additions or deletions ofnon-U.S. citizens after contract award sha ll also be reported to the contracting officer. Applicability. This article applies to Alclear, LLC, its subcontractors, and Entity employees (hereafter referred to collectively as "OTA Entity"). The OTA Entity shall insert the substance of this article i n all subcontracts. 3.Safeguarding of Sensitive Information

 

 

 

New Microsoft Word Document_executed alclearllc_page015.jpg Authorities . The OTA Entity shall follow all current versions of Government policies and guidance accessible at http://www.d bs.gov/dhs-securi ty-and-trainin g-req uirements-contractors, or available upon request from the Contracting Officer, includ ing but not l imited to: ( l ) OHS Management Directive 1 1042.l Safeguarding Sensitive But Unclass ified (for Official Use Only) Information DHS Sensitive Systems Policy Directive 4300A DHS 4300A Sensitive Systems Handbook and Attachmen ts DHS Security Authorization Process Guide DHS Handbook for Safeguarding Sensitive Persona lly Identifiable Information OHS Instmction Handbook 121-0 1-007 Department of Homelan d Security Personnel Suitabi lity and Security Program DHS lnfonnation Securi ty Perfonnance Plan (current fi scal year) DHS Privacy Incident Handling Guidance Federal Information Processing Standard (FIPS) 140-2 Security Requirements for Cryptogra ph ic Modu les accessible at http://csrc.nist.gov/groups/STM/cmvp/standards.html National Institute of Standards and Technology (N IST) Special Publication 800-53 Securi ty and Privacy Controls for Federal Information Systems and Organizat i ons accessible at btto ://csrc.ni st.gov/publ i cati ons/PubsSPs.html NIST Special Publication 800-88 Gu idelines for Media Sanitization accessible at http ://csrc.nist.gov/pub!ications/PubsSPs.htmI Handling of Sensitive Information. OTA Entity compliance with the po licies and procedures descri bed below, is required . Department of Homeland Security (DHS) policies and procedures on OTA Entity personnel security requirements are set forth in var ious Management Directives (MDs), Directives, and lnstmctions. MD I 1042.I , Safeguarding Sensitive But Unclassified (For Official Use Only) Information describes how OTA Entity must handle sensitive but uncl assi fied informat i on. DHS uses the tenn "FOR OFFICIAL USE ONLY" to identify sensitive but unclassified information that is not otherwise categorized by statute or regula tion. Examples of sensitive information that are categorized by statute or regula tion are PCII, SSI, etc. The DHS Sensitive Systems Policy Directive 4300A and the DHS 4300A Sensitive Systems Handbook provide the policies and procedures on security for Information Technology (IT) resources. The DHS Handbook for Safeguarding Sensitive Personally Identifiable Inf ormation provides guidel ines to help safeguard SPll in both paper and electronic form. DHS Instruction Handbook J 21-01-007 Department of Homeland Security Personnel Suitability and Security Program establ ishes procedu res, program responsibi lities, minimum standards, and reporting protocols for the DHS Personnel Suitability and Security Program. The OTA Entity shall not use or redistribute any sensitive in formation processed, stored, and/or transm itted by the OTA Entity except as specifi ed in the contract. All OTA Entity employees with access to sensitive infonnation shall execute DHS Form 11000-6, Department ofHom.e/and Security Non-Disclosure Agreement (NDA). as

 

 

 

New Microsoft Word Document_executed alclearllc_page016.jpg a condition of access to such in formation . The OTA Entity shall maintain signed copies of the NDA for all employees as a record of compliance. The OTA Entity shall provide copies of the signed NDA to the Contracting Officer's Representative (COR) no later than two (2) days after execution of the form. The OTA Entity's invoicing, bi ll ing, and other recordkeeping systems main tained to support financial or other administrative functions shall not main tain SPll. It is acceptable to maintain in these systems the names, titles and contact information for the COR or other Government personnel associated with the administration of the contract, as needed. Au thority to Operate. The OTA Entity shall not input, store, process, output, and/or transm it sensi tive information within an OTA Entity IT system wi thout an Authori ty to Operate (ATO) signed by the Headq ua1iers or Component CIO, or designee, in consultation with the Headqua1iers or Component Privacy Officer. Un less otherwise specified in the ATO letter, the ATO is valid for three (3) years. The OTA Entity shall adhere to current Government policies , procedures, and gu idance for the Security Authorization (SA) process as defined below. ) Complete the Securi ty Authorizati on process. The SA process shall proceed according to the DHS Sensitive Systems Policy Directive 4300A (Version 11.0, April 30, 2014), or any successor publication, DHS 4300A Sensitive Systems Handbook (Version 9.1, Ju ly 24, 2012), or any successor publ ication, and the Security Awhorization. Process Guide including templates. Security Authorization Process Documentation. SA documentation shall be developed using the Government provided Requirements Traceability Matrix and Goverrunent security documentation templates. SA documentation consists of the following: Security Plan, Contingency Plan, Contingency Plan Test Results, Configuration Management Plan, Security Assessment Plan, Security Assessment Report, and Author ization to Operate Letter. Addit ional documen ts that may be required include a Plan(s) or Action and Mi lestones and lntercoru1ec tion Security Agreement(s) . During the development of SA documentation, the OTA Entity shall submit a signed SA package, validated by an independent third party, to the COR for acceptance by the Headquarters or Component CIO, or dcsignee, at least thi1ty (30) days prior to the date of operation of the IT system. The Government is the final authori ty on the compliance of the SA package and may limit the number of resubmissions of a modified SA package. Once the ATO has been accepted by the Headquarters or Component CIO, or designee, the Contracting Officer shall incorporate the ATO into the contract as a compliance document. The Government's acceptance of the ATO does not alleviate the OTA Entity's responsibi lity to ensure the IT system controls are implemented and operating effectivel y. Independent Assessmen t. OTA Entities shall have an independent th ird pa1ty validate the security and privacy controls in place for the system(s). The independent th ird party shall review and analyze the

 

 

 

New Microsoft Word Document_executed alclearllc_page017.jpg SA package, and report on technical, operationa l, and management level deficiencies as outlined in NIST Special Publication 800-53 Security and Privacy Controlsfor Federal Infonnation Systems and Organizations. TSA reserves the right to serve as the independent party to review and analyze security and pr ivacy controls. The OTA Entity shall address all deficiencies before subm itting the SA package to the Government for acceptance. Support the completion of the Privacy Threshold Analysis (PTA) as needed. As part of the SA process, the OTA Entity may be required to support the Government in the completion of the PTA. The requirement to complete a PTA is triggered by the creation, use, modification, upgrade, or disposition of a OTA Entity IT system that will store, maintain and use Pll,and must be renewed at l east every three (3) years. Upon review of the PTA, the DHS Privacy Office determines whether a Privacy Impact Assessment (PIA) and/or Privacy Act System of Records Notice (SORN), or modifications thereto, are required . The OTA Entity shall provide all support necessary to assist the Department in completing the PIA in a timely manner and shall ensure that project management plans and schedules include time for the completion of the PTA, PIA, and SORN (to the extent required) as milestones . Support in this context includes responding timely to requests for information from the Government about the use, access, storage, and maintenance of Pll on the OTA Entity's system, and providing timely review of relevant compliance documents for factual accuracy . Information on the DHS privacy compl iance process, including PTAs, PIAs, and SORNs, is accessible at http://www.dhs .gov/privacy-compliance. Renewal of ATO. Unless otherwise specified in the ATO letter, the ATO shall be renewed every three (3) years. The OTA Entity is required to update its SA package as part of the ATO renewa l process. The OTA Enti ty shall update its SA package by one of the following methods: (1) Updating the SA documentation in the DHS automated infonnation assurance tool for acceptance by the Headqua1ters or Component CIO, or designee, at least 90 days before the ATO expiration date for review and ver ification of security controls; or (2) Submitting an updated SA package directly to the COR for approval by the Headquarters or Component CIO, or designee, at least 90 days before the ATO expiration date for review and verification of security controls. The 90-day review process is independent of the system production date and therefore it is important that the OTA Entity build the review into project schedules. The reviews may include onsite visits that involve physical or logical inspection of the OTA Entity environment to ensure controls arc in place. Security Review. The Government may elect to conduct random period ic reviews to ensure that the security requi rements contained in this contract are being implemented and enforced. The OTA Entity shall afford DHS, the Office of the Inspector General, and other Government organizations access to the OTA Entity's facilities, installations, operations, documentation, databases and personnel used in the performance of this

 

 

 

New Microsoft Word Document_executed alclearllc_page018.jpg contract. The OTA Enti ty shall, th rough the Contracting Officer and COR, contact the Headqua1iers or Component CIO, or designee, to coordinate and pa1iicipate in review and inspection activity by Government organizations external to the OHS. Access shall be provided, to the extent necessary as determ ined by the Government, for the Government to carry out a program of inspection, investigation, and audit to safeguard against threats and haza rds to the integrity, availabil ity and confiden tiality of Government data or the function of computer systems used in perfonnance of this contract and to preserve evidence of computer crime. Continuous Monitoring. All OTA Entity-operated systems that input,store, process, output, and/or transm it sensitive infonnat ion sha ll meet or exceed the continuous monitoring requi rements identified in the Fiscal Year 2014 DHS Information Security Pe1formance Plan, or successor publ ication . The plan is updated on an ann ual basis. The OTA Entity shall also store monthly continuous monitoring data at its location for a period not less than one year from the date the data is created. The data shall be encrypted in accordance with FfPS 140-2 Security Requirements.for Ciyptographic Modules and shall not be stored on systems that arc shared with other commercial or Governmen t entities. The Government may elect to perform continuous mon itoring and IT securi ty scanning of OTA Entity systems from Government tools and in frastructure. Revocation of ATO. In the event of a sensitive informat ion inciden t, the Governmen t may suspend or revoke an ex isting ATO (either in part or in whole). Ifan ATO is suspended or revoked in accordance with this provision, the Contracting Officer may direct the OTA Entity to take add itiona l security measures to se.cure sensitive i nfonnat ion. These measu res may i nclude restricting access to sensi ti ve infonnation on the OTA Entity IT system under this contract. Restricting access may include disconnecting the system processing, storing, or transmitting the sensitive information from the Internet or other networks or applying additional security controls. Federal Reporting Requirements. OTA Entity's operating infonn ation systems on behal f or the Government or operating systems contai n i ng sensitive in fonnation shall comply with Federal reporting requirements. Annual and qua1ierly data collection will be coordinated by the Gove1mnent. OTA Entity's shall provide the COR with requested information wi thin three (3) business days of recei pt of the request. Report ing requirements arc determined by the Government and arc defined in the Fiscal Year 2014 DHS hiformation Security Pe1formance Plan, or successor publication. The OTA Entity shall prov ide the Government wi th all in fonnation to full y satisfy Federal reporting requirements for OTA Entity systems. Sensitive Informa tion Incident Reporting Requirements. All known or suspected sensitive infonnation incidents shall be repo1ied to the Headqua1iers or Component Security Operations Center (SOC) within one hour of discovery in accordance with 4300A Sensitive Systems Handbook !11.cide11t Response and

 

 

 

New Microsoft Word Document_executed alclearllc_page019.jpg Reporting requirements . When notifying the Headquarters or Component SOC, the OTA Entity shall also notify the Contracting Officer, COR, Headqua1iers or Component Privacy Officer,and US-CERT using the contact information identified in the contract. Ifthe incident is reported by phone or the Contracting Officer's email address is not immediately avai lable, the OTA Entity sha ll contact the Contracting Officer immediately after reporting the incident to the Headquarte rs or Component SOC. The OTA Entity shall not includ e any sensitive information i n the subject or body of any e-mail. To transmit sensitive info1mation, the OTA Entity shall useFJPS 140-2 Security Requireme ntsfor Cryptographic lvfodules compliant encryption methods to protect sensitive information in attachments to email. Passwords shall not be communicated in the same emai l as the attachment. A sensitive information incident shall not, by itself, be interpreted as evidence that the OTA Entity has failed to provide adequate informat ion securi ty safeguards for sensitive information,or has otherw ise failed to meet the requirements of the contract. If a sensitive informa tion incident involves PI! or SPII, in addition to the reporting requirements in 4300A Sensitive Systems Handbook Incident Response an.d Reporting, OTA Entity's shall also provide as many of the following data clements that arc ava ilable at the time the incident is reported, with any rema ining data elements provided with in 24 hours of subm ission of the i n i tial incident report : Data Universal Numbering System (DUNS); Contract numbers affected unless all contracts by the company are affected; (iii)Facil ity CAGE code if the location of the event is different than the prime OTA Entity location; (iv) (v) (vi) (vii) Point of contact (POC) if d ifferent than the POC recorded in the System for Awa rd Management (address,position, telephone, email); Contracting Officer POC (address, telephone,email); Contract clearance level; Name of subcon tractor and CAGE code if this was an incident on a subcontractor network; Governmen t programs, platfonns or systems involved; Location(s) of incident; Date and time the incident was discovered ; Server names where sensitive informa tion resided at the time of the incident, both at the OTA Entity and subcontractor level; )Description of the Government PIT and/or SPII contained within the system; )Number of peopl e potent ially affected and the estimate or actual number of records exposed and/or contain ed with in the system; and Any additional information relevant to the incident. Sensitive Information incident Response Requirements . (I) All determ inations related to sensitive information incidents, including response activities, notification s to affected individuals and/or Federal agencies, and related services (e.g., credit monitori ng) will be mad e in wri ting by the Contract ing Officer in consultation with the Headquarters or Component CIO and Headquarters or Component Privacy Officer.

 

 

 

New Microsoft Word Document_executed alclearllc_page020.jpg The OTA Entity shall prov ide full access and coopera ti on for all activities determined by the Government to be required to ensure an effective incident respon se, including providing all requested images, log files, and event information to facilitate rapid resolution of sensitive information incidents. Incident response activities determined to be required by the Government may includ e, but are not limited to, the following: Inspecti ons, Investigations, (iii)Forensic review s, and (iv)Data analyses and processing. The Government, at its sole discretion, may obtain the assistance from other Federal agencies and/or third-party firms to aid in incident response activities. Add itional Pl! and/or SP!! Notificat ion Requirements . ( l) The OTA Entity shall have in place procedures and the capabi lity to notify any individual whose Pll resided in the OTA Entity IT system at the time of the sensitive information incident not later than 5 business days after being directed to notify i ndividua l s, un less otherwise approved by the Contract i ng Oflicer. The method and content of any notification by the OTA Entity shall be coordinated with, and subject to prior written approval by the Contracting Officer, in consultation with the Headquarters or Component Privacy Officer, utilizing the DHS Privacy incident Handling Guidance. The OTA Entity shall not proceed with notification unless the Contracting Officer, in consultat ion with the Headquarters or Component Privacy Officer, has determined in writing that notification is appropriate. Subj ect to Government analysis of the incident and the tenns of its instructions to the OTA Entity regarding any resulting notification, the notification method may consist of letters to affected individuals sent by first class mail,electronic means, or general public notice, as approved by the Government. Notification may require the OTA Entity's use of address verification and/or address location services. At a minimum, the notification shall incl ude: A brief description of the incident; A description of the types of PI! and SPII involved; (iii)A statement as to whether the PII or SPll was encrypted or protected by other means; Steps individuals may take to protect themse lves; What the OTA Entity and/or the Government are doi ng to investigate the incident, to mitigate the incident, and to protect against any future incidents; and Information identifying who individuals may contact for additional info1mation. Credit Monitoring Requir ements. In the event that a sensitive information incident involves Pl! or SPII, the OTA Enti ty may be requ i red to,as directed by the Contracting Officer: (I)Provide notification to affected individuals as described above; and/or Provide credit monitoring services to individual s whose data was under the control of the OTA Entity or resided in the OTA Entity IT system at the time of the

 

 

 

New Microsoft Word Document_executed alclearllc_page021.jpg sensitive information inciden t for a period begi nn ing the date of the incident and extending not less than 18 months from the date the individual is notified . Credit monitoring services shall be provided from a company with which the OTA Entity has no affi liation. At a minimum, credit monitoring services shall include: Triple credit bureau monitoring ; (ii)Dai ly customer service; A lerts prov ided to the individua l for changes and fraud; and Assistance to the individual with eru-ollment in the services and the use of fraud alerts; and/or Establish a dedicated call center. Call center services shall include: A dedicated telephone number to contact customer service within a fixed period; lnfonnation necessa ry for registrants/enrollees to access credit reports and credit scores; Weekly reports on call center volume, issue escalation (i.e., those calls that cannot be handled by call center staff and must be resolved by call center management or OHS, as appropriate),and other key metrics; Escalation of calls that cannot be handled by call center staff to call center managemen t or OHS, as appropriate; Customized FAQs, approved in writing by the Contracting Officer in coordination with the Headquarters or Component Chief Privacy Officer; and Information for registrants to contact customer service representat ives and fraud reso lution representat ives for credit monitoring assistance. Certification of Sanitization of Government and Government-Activity-Re lated Files and Jnfonnation. As part of contract closeout, the OTA Entity shall submit the certification to the COR and the Contracting Officer following the template provided in NIST Special Publication 800-88 Guidelinesfor Media Sanitization. (End of clause) The parties agree that they shall take appropriate measures to protect proprietary, privil eged,or otherwise confidential information that may come into their possession as a result of this Agreement. ARTICLE XIX-RIGHTS IN DATA The Government espouses no ownership rights in data or software, created or produced by performers under this agreement, including tools provided to the Government. Applicant data is not data created or produced under the OTA; applicant data wi ll be considered TSA data. The Government reserves the right to order access to or del ivery of, and license to review all Entity data or software produced or uti lized under the OTA for purposes of audi t and compl iance. Such l icense shall provide a right of use, solel y for the purposes of this OTA . ARTICLE XX PRIVA CY ACT

 

 

 

New Microsoft Word Document_executed alclearllc_page022.jpg The Entity agrees to-Comply with the Privacy Act of 1974 (the Act) and the agency rules and regulations issued under the Act in the design, developmen t, or operation of any system of records on individuals to accompl ish an agency function when the contract specifically identifies-The systems of records; and The design, development, or operation work that the Entity is to perform; Include the Privacy Act notification contained in this contract in every solicitation and resulting subcontract and in every subcontract awarded without a solicitation, when the work statement i n the proposed subcontract requires the redesign, developm ent,or operation or a system of records on individuals that is subject to the Act; and Include this clause, including th is paragraph (3), in all subcontracts awarded under th is contract which requ ires the design, development, or operation of such a system of records. In the event of violations of the Act, a civi l action may be brought against the agency involved when the violation concerns the design, development, or operation of a system of records on individuals to accomplish an agency function, and criminal penalties may be imposed upon the officers or employees of the agency when the violation concerns the operation of a system of record s on individuals to accompl ish an agency function. For purposes of the Act, when the contract is for the operation of a system of records on individuals to accomplish an agency function, the Entity is considered to be an employee of the agency. (c)(l) "Operation ofa system of records," as used in this clause,means performance of any of the activities associated with maintaining the system of records, including the collection, use, and dissemina tion ofrecords. "Record," as used in this clause, means any item, collection, or grouping of information about an i ndividua l that i s maintained by an agency, incl udin g, but not l imited to, educati on, fmancial transactions, medical history, and criminal or employmen t history and that contains the person's name, or the identifying number, symbol,or other identifying particular assigned to the individual, such as a fingerprint or voiceprint or a photograph. "System of records on individuals," as used in this clause, means a group of any records under the contro l of any agency from which information i s retrieved by the name of the individual or by some identifying number, symbol, or other identifying pait icular assigned to the individual. PRIVACY ACT NOTIFICATION The Entity wi ll be required to design, develop, or operate a system of re.cords on individuals, to accomplish an agency function subject to the Privacy Act of 1974, Pub l ic Law 93-579, December 31, 1974 (5 U.S.C.552a) and applicable agency regulations. Violation of the Act may involve the imposition of criminal pen alties.

 

 

 

New Microsoft Word Document_executed alclearllc_page023.jpg ARTICLE XX.I -DATA STORAGE AND USAGE All appl icant data collected and stored by the Entity for the purpose of applying for TSA Prev'® must be held in a separate database that can follow TSA prescribed data reten tion requirements. Data received and collected for the benefit of the Government shall be maintained in accordance with National Archives and Record s Adm in istration (NARA) guidelines. The Entity shall not use data collected from TSA applicants for any purpose other than subm ission to TSA unless the Entity obtains express perm i ssion from TSA as well as from each individua l appl icant after complet ion of the enrollment process for TSA Prev'®. The Entity must clearl y distinguish the completion of the enro llment process for TSA Prev'® before requesting permission from applicants to continue communication regarding any other marketing opportunities not affiliated with TSA Prev'®. Any such marketing communications would require the appl icants to affirmatively opt-in to such additional marketing. Entities are prohibited from us i ng, in any capacity, infonnat ion pertai n i ng to an appl icant's eligibi lity determ ination for TSA Prev'®. All prohibitions must be cl early stated in Terms and Conditions which are presented to applicants at the beginning of the enrollment process prior to the collection of information. TSA recognizes that the Entity may perform other functions for appl icants that rely on uti lizing the same applicant data clements. All concepts that require us ing appl icant data for purposes outside of submission to TSA require written approval from TSA. Additionally, the Entity must obtain and store wri tten authorization from each appl i cant to use the appl icant's biographic or biometric data for any purposes beyond those d irectly related to TSA Prev'® and must segregate TSA data from other data that the Entity may maintain on the same applicant even where the same data element (e.g., name) appears. The Entity shall operate a "system of records" wi thin the Privacy Act of I 974, 5 U.S.C. 552a, that limits the authorized disclosure and use ofTSA data. ARTICLE XX.II - INTERRELAT IONSHIPS OF ENTITY The Government has entered into other contractua l relationships in order to provide technical support services in the conduct of studies, analyses and engineering activities separate from the work to be performed under th is Agreement, yet having links and interfaces to them. Furth er, the Governmen t may extend these ex isting relationships or enter into new relationships. The Performer may be required to coordinate with such other Entiry(s) through the Program Manager in providing suitable, non-conflicting technical interfaces and in avoidance of duplication of effort. By suitable tasking, such other Entity(s) may be requested to assist the Government in the technical review of the Performer's technical efforts. Information on reports provided under this SOW and related documents may, at the discretion of the Government, be provided to such other Entity(s) for the purpose of such review. A Non-Disclosure Agreement (NDA),DHS Fonn 11000-6, shall be signed by all Entity employees assigned to perform services und er this OTA prior to any work.

 

 

 

New Microsoft Word Document_executed alclearllc_page024.jpg ARTICLE XXI II - LIMITATION OF ASSIGNMENT Alclear, LLC may not assi!:,'11 its rights or obligations under this Agreement to any other entity or person without the prior written consent of the TSA. ARTICLE XXIV - PUBLICITY All publicity or public affairs activities related to the subject matter of this Agreement must be coordinated with the TSA Office of Strategic Communication and Public Affairs. ARTICLE XXV -THE LICENSING OF THE TSA PRE./®TRADEMARK l . The TSA Pre./® trademark constitutes OHS-owned intellectual property, and is used in connection with the Department's effo1is to facilitate expedited security screening experiences for selected travelers of participating airlines. DHS hereby confers to the OTA Entity a nonexclusive, nontransferable, royalty free use of the TSA Pre./® trademark, including the right to copy, display and distribute, for the sole and exclusive purpose of including the trademark on materials authorized by OHS as part of OTA Entity's marketing to prospective TSA Pre./® Program members. The OTA Entity shall be allowed to use the DHS "TSA Pre./®" trademark for advertising and promotional purposes in support of the TSA Pre./® Application Program and prospective members. Such use of this trademark shall include,but is not limited to : customer communications, advertising and marketing efforts and materials, interna l materia ls, lega l disclosures,customer statement marketing (e.g. statement message, statement ad, statement insert, etc.), d irect mail, letters, emails, flyers,postcards, online webpages, online secure session pages, interna l communication, training tools/reference materia ls, account agreements, terms and conditions disclosures, Guide to Benefits, or other uses as specifically authorized in writing by TSA. Any partnership marketing efforts or promotiona l tie-ins i nvolving the TSA Pre./® Application Program must be reviewed and approved by TSA prior to implementation . Market ing messaging must maintain the integrity of the product (expedited a irpo1t security screening) and product extensions or enhancements that infer an association with security screening services or expedi ted screening for a purpose other than aviation security will not be allowed (e.g., expedited screen ing or entry services where TSA Pre./® enrollment or status is used in place of or to expedite a non-aviation security screening. For example, TSA Pre./® "fast lanes" or "TSA Pre./® VIP lanes" at large events, stadiums, etc.). Inaddition, the OTA Entity shall provide to TSA all marketing and advertis ing plans for review and approval prior to launch to ensure acceptab le positioning/p lacement of the TSA Pre./® brand within the media marketplace and for max imum synergy with TSA -led efforts . To maintai n the legal protections associated with the trademark,TSA on beha l f of OHS must control the use of the trademark. OTA Entity agrees that no modifications to DHS Materials, if provided, will be published without TSA review and prior written approval from TSA (email communication is sufficient) other than the inclusion of Alclear, LLC's logos and other necessary data. OTA Entity also agrees that it shall not use the trademark in a manner or context that reflects unfa vorably upon any component of OHS or which will diminish or damage the goodwill associated with the TSA Pre./® trademark. Accordingly, such marketing materials

 

 

 

New Microsoft Word Document_executed alclearllc_page025.jpg shall be "non-controversial ," mean ing the advertisements wi ll be consistent with normal standards for mainstream public advertising, as well as DHS and TSA media policy. In addition, the term precludes any political advertising, including but not limited to those pertaining to candidates, issues, parties, campaign comm ittees, specific elections, etc., or any other advertising that may create a sense of sponsorship or imply endorsement by the government. Add itionally, to protect and ensure the Governments interest against dilution of the TSA Pre./® trademark, i.e., dil ution by "blurring"and/or diluti on by "tarnishment", for Material s created by OTA Entity rega rding participation in the TSA Pre./® Program, OTA Entity agrees to release the Materials only after obtaining TSA's prior written approval (email communication is sufficient). TSA prior approva l is not needed for each individual item, provided that the use is substantially the same as pr ior approved materials. TSA will provide approva l for classes of items associated with advertising. 2. OTA Entity will represent itself as an independent entity,and not as an affiliate of the TSA or OHS. Any use of the TSA Pre./® trademark on OTA En ti ty Materials shall incl ude the following or sim ilar cred it, as appropriate: "OTA Entity is not a government entity or affi liated with the Federal government. OTA Entity provides pre-enrollment services for the Transportation Security Adm in istration's TSA Pre./® Risk Based Screening Program. The TSA Pre./® trademark is used under l icense wi th the permission of the U.S . Department of Homeland Security."(The notice must be displayed in a type font of legible size). The OTA Entity is authorized by TSA to sub-license the TSA Pre./® trademark to other organizations or agencies. OTA Entity will provide the TSA POC below with b i-annual reports listing all organizations with whom the OTA Entity has partnered to market the TSA Pre./® Program. The OTA Entity acknowledges that use of the Mark docs not constitute an endorsement by OHS. TSA or the U.S. Government of OTA Entity and that OTA Entity wi ll not state or imply that TSA , OHS or any entity or the U .S. Government endorses the OTA Enti ty or the goods and services associated with OTA Entity. OTA Entity shall abide by the TSA Pre./® License agreement. (See SOW attachment # 6). ARTICLE XXVI - SURVIVAL OF PROVISIONS In the event of the completion of the performance of the scope of work of the OTA, or the termination of th is OTA, wh ichever event occurs first, the following prov isions shall remain in full force and effect : A rticle I-Parti es; Article IV Respon sibil ities; Article VII -Fund ing and Limitations; Article - Audits; Aiticle XII - Disputes ; Article XI-Limitation of Liability; Aiticle XVII - Protection of Informat ion; A11icle XX-Privacy Act; A11icle XXV-Publicity; A11icle

 

 

 

New Microsoft Word Document_executed alclearllc_page026.jpg XXV I -The Licensing of the TSA Pre./® Tradem ark; Article XXIX -Requ ired Federal Procurement Provisions; and Article XXVII -Survival of Provisions . ARTICLE XXVII - FL0\\1DO\\'N PROVISIONS A ll clauses within the Statement of Work (SOW), SOW attachments, and related documents !low down in the provisions of the OTA . A ll SOW,SOW Attachments, and related documents flow down to subcontractors,suppliers, and all partners and affiliates, etc., of Alclear, LLC. ARTI CLE XXVIII - INSURAN CE Alclear, LLC must arrange insurance or otherwise for the foll protect ion of Alclear, LLC from and against all liabil ity to the th ird parties out of, or rel ated to, it's performance or this OTA . The Department of Homeland Security (OHS) has not determ ined at th is point that the TSA Pre./® Application Expansion initiative satisfies the technical criteria for SAFETY Act Designation and presumptively satisfies the criteria for SAFETY Act Certification. ARTICLE XXIX - SECTION 504 COMPLIANCE (APR 2017) Alclear, LLC shall comply fully with Section 504 of the Rehabil itation Act of 1973, as amended, which prohibits discrimination against q ua lified individuals wi th disabil ities. No otherwise q ua lified individu al with a disabi lity shall, solely by reason of his or her disability, be excluded from part icipat ion in, be den ied the benefits ot or be subjected to discrimination under any program or activity for which the En ti ty/Provider is awarded a contract and/or receives Federal fmancial assistance from the Transportation Security Administration. This includes, but is not limited to, providing reasona ble accommoda tions and effective commun ication to persons with d isabilities and ensuring physical accessibi lity to all part icipants. The Entity/Prov ider shall ensure this requirement flows to all affected subcontracts. ARTICLE XXX - INFORMATION TECHNOLOGY SECURITY AND PRIVACY TRAINING Applicabil ity. This clause applies to the OTA Entity, its subcontractors, and OTA Entity employees (hereafter referred to collectively as "OTA Entity"). The OTA Entity shall inse1t the substance of this article in all subcontracts. Security Training Requ i rements. All users of Federal information systems are required by Title 5, Code of Federal Regu lations, Part 930.30 I, Subpa1t C, as amended, to be exposed to security awareness materials annually or whenever system security changes occur, or when the user's responsibil ities change. The Department of Homeland Security (OHS) requires that OTA Entity empl oyees take an annual Information Technology Securi ty Awareness Train ing course before accessing sensi ti ve infonnation under the contract. Unless otherwise specified, the training shall be completed within thirty (30) days of contract award and be completed on an annual basis thereafter not later

 

 

 

New Microsoft Word Document_executed alclearllc_page027.jpg than October 31st of each yea r. Any new OTA En ti ly employees assigned lo the contract shall complete the training before accessing sensitive infonnation wider the contract. The training is accessible at http://www.dhs.gov/dhs-security-and-training-reguiremen ts-contractors. The OTA Entity shall maintain copies of training certificates for all Entity and subcontractor employees as a record of compliance. Un less otherwise specified, initial training certificates for each OTA Entity and subcontractor employee shall be provided to the Contracting Officer's Representative (COR) not l ater lhan thirly (30) days alter contract award. Subsequent train i ng cerlilicales to satisfy the annual training requirement shall be submitted to the COR via e-mail notification not later than October 31st of each year. The e-mail notification shall state the required training has been completed for all Enti ty and subcontractor employees. (2) The OHS Rules of Behavior apply to every OHS employee, OTA Entity and subcontractor that will have access to OHS systems and sensitive i nfonnalion. The OHS Rules of Behavior shall be signed before accessing OHS systems and sensitive info1mation . The OHS Rules of Behavior is a document that informs users of their respon sibilities when accessing OHS systems and holds users accountable for actions taken wh ile accessing OHS systems and using OHS Information Technology resources capable of inputting, storing, processing, outputting, and/or transm itting sensitive information. The OHS Rules of Behavior is access ible at hllp://www .dhs.go v/dhs-security-and -lrain i ng -requi remen ts-conl raclors. Unless otherwise specified, the OHS Rules of Behavior shall be signed within thirty (30) days of contract award. Any new OTA Entity employees assigned to the contract shall also si!:,'11 the OHS Rules of Behavior before accessing OHS systems and sensitive information. The OTA Entity shall maintain signed copies of the OHS Rules of Behavior for all Entity and subcontractor employees as a record of compliance. Un l ess otherw ise speci fied, the OTA Entity shall e-mai l copies of the signed OHS Rules of Behavior to lhe COR not later than thirty (30) days aner con tract award for each employee. The OHS Rules of Behavior will be reviewed annually and the COR will provide notification when a review is required. Privacy Training Requirements. All OTA Entity and subcontractor employees that wi ll have access to Personally Identifiabl e Information (Pll) and/or Sensitive Pll (SPll) are required to take Pri vacy at OHS: Protecting Personal Jnfom1at i on before accessing Pll and/or SPll. The train ing is accessible at http ://www.dbs.gov/dhs-securi ty-aad-trainin !!-rea uiremeats-contractors. Training shall be completed within thirty (30) days of contract award and be completed on an annual basis thereafter not later than October 31st of each year. Any new OTA Entity employees assigned to the contract shall a lso complete the trainin g before accessing Piland/or SPII. The OTA Entity shall maintain copies of training certificates for all OTA Entity and subcontractor employees as a record or complian ce. I nitial training certi ficates for each OTA Enlity and subcontractor employee shall be provided to the COR not later than thirty (30) days after contract award. Subsequent training certificates to satisfy the annual training requirement shall be submitted to the COR via e-mai l notification not later than October 31st of each year. Thee mai l notification shall state the required training has been completed for all OTA Entity and subcontractor employees . ARTICLE XXXI - EMPLOYMENT ELIGIBILITY VERIFICATION

 

 

 

New Microsoft Word Document_executed alclearllc_page028.jpg The OTA Entity is required to enro ll in the E-Veri fy program within 30 days of OTA award, i f not enrolled at the time of award.For each employee assigned to the OTA, the OTA Entity shall in itiate verification with in 90 calendar days after date of OTA award or within 30 calendar days of the employee's assignment to the OTA, wh ichever date is later. ARTICLE XXXII REQUIRED FEDERAL PROCUREMENT PROVISIONS The Entity and its subcontractors shall comply with the following: 1.0 Title VI of the Civi l Rights Act of 1964 relating to nondiscrimination in Federa lly assisted program. 2.0 Contracts awarded by the Provider of this Proj ect must compl y with all prov isions established by laws and statutes.