USAID 752.204-72 Access to USAID facilities and USAID's information systems. Basic (May 2024) (Current)

As prescribed in AIDAR 704.1303, when contract performance requires the contractor—including its employees, volunteers, or subcontractor employees at any tier—to have routine physical access to USAID-controlled facilities or logical access to USAID’s information systems, the contracting officer must insert the clause found at FAR 52.204–9 and AIDAR 752.204–72 (‘‘Access to USAID Facilities and USAID’s Information Systems’’) in the solicitation and contract.
 

Access to USAID Facilities and USAID's Information Systems. (MAY 2024)

(a) The Contractor must ensure that individuals engaged in the performance of this award as employees or volunteers of the Contractor, or as subcontractors or subcontractor employees at any tier, comply with all applicable personal identity verification (PIV) and Homeland Security Presidential Directive-12 (HSPD-12) procedures, including those summarized below, and any subsequent USAID or Government-wide procedures and policies related to PIV or HSPD-12.

(b) An individual engaged in the performance of this award may obtain access to USAID facilities or logical access to USAID's information systems only when and to the extent necessary to carry out this award. USAID issues various types of credentials to users who require physical access to Agency facilities and/or logical access to Agency information systems, in accordance with USAID's Automated Directives System (ADS) 542, available at https://www.usaid.gov/about-us/agency-policy/series-500/542.

(c) (1) No later than five (5) business days after award, unless the Contracting Officer authorizes a longer time period, the Contractor must provide to the Contracting Officer's Representative a complete list of individuals that require access to USAID facilities or information systems under this contract.

(2) Before an individual may obtain a USAID credential (new or replacement) authorizing the individual routine access to USAID facilities, or logical access to USAID's information systems, the individual must physically present two forms of identity source documents in original form to the Enrollment Office personnel when undergoing processing. To obtain a PIV card, one identity source document must be a valid Federal or State Government-issued picture ID from the I-9 list available at https://www.uscis.gov/i-9-central/form-i-9-acceptable-documents. For other types of credentials the Contractor can obtain the list of acceptable forms from the Contracting Officer's Representative. Submission of these documents, as well as documentation of any applicable security background investigation, is mandatory in order for the individual to receive a credential granting facilities and/or logical access.

(d) (1) No later than the 5th day of each month, the Contractor must provide the Contracting Officer's Representative with the following:

(i) a list of individuals with access who were separated in the past sixty (60) calendar days, and

(ii) a list of individuals hired in the past sixty (60) calendar days who require access under this contract.

(2) This information must be submitted even if no separations or hiring occurred during the past sixty (60) calendar days.

(3) Failure to comply with the requirements in paragraph (d)(1) may result in the suspension of all facilities and/or logical access associated with this contract.

(e) The Contractor must ensure that individuals do not share logical access to USAID information systems and sensitive information.

(f) USAID may suspend or terminate the access to any systems and/or facilities in the event of any violation, abuse, or misuse. The suspension or termination may last until the situation has been corrected or no longer exists.

(g) The Contractor must notify the Contracting Officer's Representative and the USAID Service Desk (CIO-HELPDESK@usaid.gov or 202-712-1234) at least five (5) business days prior to the removal of any individuals with credentials from the contract. For unplanned terminations, the Contractor must immediately notify the Contracting Officer's Representative and the USAID Service Desk. Unless otherwise instructed by the Contracting Officer, the Contractor must return all credentials and remote authentication tokens to the Contracting Officer's Representative prior to departure of the individual or upon completion or termination of the contract, whichever occurs first.

(h) The Contractor must insert this clause, including this paragraph (h), in any subcontracts that require the subcontractor or a subcontractor employee to have routine physical access to USAID facilities or logical access to USAID's information systems. The Contractor is responsible for providing the Contracting Officer's Representative with the information required under paragraphs (c)(1) and (d)(1) of this clause for any applicable subcontractor or subcontractor employee.

(End of clause)

 

(e) The contractor is required to insert this clause in any subcontracts that require the subcontractor, subcontractor employee, or consultant to have routine physical access to USAID space or logical access to USAID's information systems.

Mandatory (Exception);
(Applies if the subcontractor will have routine physical access to USAID space or logical access to USAID's information systems.)

52.204-21 Basic Safeguarding of Covered Contractor Information Systems.

52.204-23 Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab and Other Covered Entities.

52.204-23 Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab and Other Covered Entities.

252.204-7019 Notice of NIST SP 800-171 DoD Assessment Requirements.

252.204-7020 NIST SP 800-171 DoD Assessment Requirements.

252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting.

252.204-7018 Prohibition on the Acquisition of Covered Defense Telecommunications Equipment or Services.

252.204-7017 Prohibition on the Acquisition of Covered Defense Telecommunications Equipment or Services-Representation.

252.204-7019 Notice of NIST SP 800-171 DoD Assessment Requirements.

252.204-7020 NIST SP 800-171 DoD Assessment Requirements.

252.239-7010 Cloud Computing Services.

252.239-7017 Notice of Supply Chain Risk.

252.239-7018 Supply Chain Risk.

252.239-7010 Cloud Computing Services.

252.204-7009 Limitations on the Use or Disclosure of Third-Party Contractor Reported Cyber Incident Information.

252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting.

252.204-7018 Prohibition on the Acquisition of Covered Defense Telecommunications Equipment or Services

252.204-7020 NIST SP 800-171 DoD Assessment Requirements.

252.204-7021 Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement.

252.246-7007 Contractor Counterfeit Electronic Part Detection and Avoidance System.

3052.204-70 Security requirements for unclassified information technology resources.

3052.204-71 Contractor employee access.

3052.204-71 Contractor employee access.

552.204-9 Personal Identity Verification Requirements.

552.204-9 Personal Identity Verification Requirements.

552.238-110 Commercial Satellite Communication (COMSATCOM) Services.

552.204-9 Personal Identity Verification Requirements.

952.204-77 Computer security.

952.223-76 Conditional payment of fee or profit-safeguarding restricted data and other classified information and protection of worker safety and health.

970.5203-1 Management controls.

970.5204-1 Counterintelligence.

970.5204-3 Access to and ownership of records.

52.204-21 Basic Safeguarding of Covered Contractor Information Systems.

52.204-23 Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab Covered Entities.

52.204-28 Federal Acquisition Supply Chain Security Act Orders-Federal Supply Schedules, Governmentwide Acquisition Contracts, and Multi-Agency Contracts.

52.204-29 Federal Acquisition Supply Chain Security Act Orders-Representation and Disclosures.

52.204-30 Federal Acquisition Supply Chain Security Act Orders-Prohibition.

52.204-27 Prohibition on a ByteDance Covered Application.

252.204-7016 Covered Defense Telecommunications Equipment or Services-Representation.

252.204-7017 Prohibition on the Acquisition of Covered Defense Telecommunications Equipment or Services—Representation.

252.204-7018 Prohibition on the Acquisition of Covered Defense Telecommunications Equipment or Services.

252.204-7019 Notice of NIST SP 800-171 DoD Assessment Requirements.

252.204-7020 NIST SP 800-171 DoD Assessment Requirements.

252.204-7021 Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement.

252.204-7000 Disclosure of Information.

252.204-7008 Compliance with Safeguarding Covered Defense Information Controls.

252.204-7009 Limitations on the Use or Disclosure of Third-Party Contractor Reported Cyber Incident Information.

252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting.

252.239-7000 Protection Against Compromising Emanations.

252.239-7009 Representation of Use of Cloud Computing.

252.239-7010 Cloud Computing Services.

252.239-7017 Notice of Supply Chain Risk.

252.239-7018 Supply Chain Risk.

252.245-7000 Government-Furnished Mapping, Charting, and Geodesy Property.

252.246-7007 Contractor Counterfeit Electronic Part Detection and Avoidance System.

1852.246-74 Contractor Counterfeit Electronic Part Detection and Avoidance

3052.204-72 Safeguarding of Controlled Unclassified Information.

3052.204-73 Notification and Credit Monitoring Requirements for Personally Identifiable Information Incidents.

3052.204-71 Contractor employee access.

552.204-9 Personal Identity Verification Requirements.

552.239-70 Information Technology Security Plan and Security Authorization.

552.239-71 Security Requirements for Unclassified Information Technology Resources.

552.238-110 Commercial Satellite Communication (COMSATCOM) Services.

652.239-70 Information Technology Security Plan and Accreditation.

652.239-71 Security Requirements for Unclassified Information Technology Resources.

752.239-70 Information Technology Authorization.

752.239-72 USAID-Financed Project Websites.

752.227-71 Planning, Collection, and Submission of Digital Information to USAID.

952.204-78 DOE Directives.

970.5203-1 Management controls.

970.5204-3 Access to and ownership of records.

952.204-77 Computer security.

Working with a set of FAR clauses from an RFP or contract?

Try pasting them into our tool to instantly generate a risk profile, including the basic flow down recommendation.

Info

Works best with Chrome and Edge browsers!