Modification No. 04 to Undefinitized Project Agreement No. 01, entered into December 23, 2020, between the Company and Advanced Technology International
EX-10.43 11 exhibit1043.htm EX-10.43 exhibit1043
Exhibit 10.43 CERTAIN INFORMATION IDENTIFIED WITH [***] HAS BEEN EXCLUDED FROM THIS EXHIBIT BECAUSE IT IS BOTH (i) NOT MATERIAL AND (ii) WOULD BE COMPETITIVELY HARMFUL IF PUBLICLY DISCLOSED. Applied Technologies Center 315 Sigma Drive Summerville, SC 29486 www.ati.org 92634891_7 PROJECT AGREEMENT NO.: 01 Modification No. 04 to Project Agreement No. 01; MCDC2011-001 serves to definitize Project Agreement No. 01 as indicated below. MCDC BASE AGREEMENT NO.: 2020-530 PROJECT TITLE: MCDC2011-001; Rapid Advanced Development to Large Scale Manufacturing of NVX-CoV-2373 PARTIES: Advanced Technology International (“MCDC CMF”) and Novavax, Inc. (“Project Agreement Holder”) This Project Agreement is awarded under the authority of MCDC Base Agreement No. 2020-530, and herein incorporates all the terms and conditions thereof. 1. PAYMENT METHOD The Payment Method for this Project Agreement is Cost Plus Fixed Fee with a not to exceed ceiling. In accordance with 10 U.S.C. 2306(a) and 41 U.S. Code 3905(a), the usage of a cost-plus- percentage-of-cost contract is prohibited. 2. TERM OF THE PROJECT AGREEMENT The period of performance for this Project Agreement is from July 06, 2020 through December 31, 2021. 3. OBLIGATION The MCDC CMF’s liability to make payments to the Project Agreement Holder is limited to only those funds obligated under this Project Agreement or by modification to the Project Agreement. MCDC CMF may incrementally fund this Project Agreement. 4. ESTIMATED COST AND FIXED FEE The total estimated cost and fixed fee for the services to be provided by the Project Agreement Holder is as follows: ESTIMATED COST Estimated Cost $1,618,230,860 Fixed Fee $ 129,458,468 Total Cost $1,747,689,328 5. INCREMENTAL FUNDING
92634891_7 The total amount of funding currently available for payment and allotted to this Project Agreement is $1,600,339,523. The amount specified, or as such amount may be increased from time to time, shall apply irrespective of any other provisions of this Project Agreement and any work performed in excess thereof shall be at the Project Agreement Holder’s risk. This amount covers all allowable direct and indirect costs as well as the associated fixed fee. If at any time the Project Agreement Holder has reason to believe that the Total Estimated Cost which will accrue in the performance of this Project Agreement in the next succeeding [***], when added to all other payments previously accrued, will exceed [***] of the then current total authorized funding, the Project Agreement Holder shall notify the MCDC CMF to that effect, advising the estimate of additional funds required for the period specified. The Project Agreement Holder is not obligated to continue performance under this Project Agreement (including actions under the Termination clause of the MCDC Base Agreement) or otherwise incur costs in excess of the amount allotted to the Project Agreement by the MCDC CMF. 6. MILESTONE PAYMENT SCHEDULE The Project Agreement Holder shall segregate and track all Project Agreement costs separately and shall document the accomplishments of each Project Payable Milestone under each Project Agreement. Acceptance of Milestones shall be contingent upon approval from the Government Agreements Officer Representative (AOR) detailed in Clause No. 10, Technical and Administrative Representatives. Milestone payments will be paid in the amount indicated in the attached Milestone Payment Schedule (Attachment A) and are adjustable based on actual expenditures. Indirect costs shall be represented in the form of rates, which shall be applied to their appropriate allocation bases. Provisional rates shall be used for interim billing purposes to estimate the amount of indirect costs to be paid. At the conclusion of the award, the Project Agreement Holder shall recalculate final indirect cost rates for each respective fiscal period and invoice MCDC CMF the difference between actual indirect costs incurred and billed. 7. PAYMENT OF FIXED FEE The fixed fee amount specified herein is established by the mutual acceptance of this agreement and, subject to any adjustments required by other provisions of this Project Agreement, will be paid in installments at the time of each provisional payment on account of the allowable costs. The amount of fixed fee paid for interim billings will be based upon the ratio that the Project Agreement Holder’s incurred allowable costs bear to the total estimated cost, up to the fixed fee ceiling. In the event the work cannot be completed within the estimated cost, the MCDC CMF may increase the estimated cost without increasing the fixed fee. Upon completion of the award, the Project Agreement Holder shall invoice MCDC CMF the balance of any unpaid portion of the fixed fee amount. 8. APPROACH TO MEETING THE OTHER TRANSACTION AUTHORITY In accordance with provision contained in 10 U.S.C. 2371(b) governing the use Other Transaction Agreements each MCDC Member Organization must meet at least one of the following conditions: have at least one nontraditional defense contractor or nonprofit research institution participating to a significant extent in the performance of an awarded Project Agreement; all significant participants in the Project Agreement other than the Federal Government are small businesses (including small businesses participating in a program described under section 9 of the Small Business Act (15 U.S.C. 638)) or nontraditional defense contractors; or provide a cost share of no less than one third of the value of the Project Agreement awarded to the Member Organization. The Project Agreement Holder’s approach to meeting the Other Transaction Authority requirement is identified below. Throughout the period of performance of any Project Agreement, the CMF and the Government will actively monitor the award to ensure compliance with this provision in accordance with implementation guidance from Headquarters - Department of the Army (HQDA) and/or Office of the Secretary of Defense (OSD). The Project Agreement Holder will be given the opportunity to
92634891_7 become compliant with the guidance should they be found non-compliant. Failure to comply may result in termination. The signed certifications submitted as part of the proposal are hereby incorporated into this Project Agreement. The Project Agreement Holder was proposed as a nontraditional defense contractor and determined to be providing a significant contribution. 9. STATEMENT OF WORK The Statement of Work, Attachment A, provides a detailed description of the work to be accomplished and reports and deliverables required by this Project Agreement. All changes to Attachment A must be incorporated via written modification to this Project Agreement. Additional guidance on report requirements is in Attachment B, Report Requirements. 10. TECHNICAL AND ADMINISTRATIVE REPRESENTATIVES The following technical and contractual representatives of the Parties are hereby designated for this Project Agreement. Either party may change their designated representatives by written notification to the other. MCDC CMF Contractual Representative: MCDC Contracts Advanced Technology International 315 Sigma Drive Summerville, SC 29486 Email: [***] Phone: [***] Government Technical Representatives: Agreements Officer Representative (AOR): [***] Email: [***] Phone: [***] Project Agreement Holder’s Representatives Technical Representative: Contractual Representative: [***] [***] 21 Firstfield Road 21 Firstfield Road Gaithersburg, MD 20878 Gaithersburg, MD 20878 Email: [***] Email: [***] Phone: [***] Phone: [***] 11. MARKING OF DELIVERABLES Any Data delivered under this Project Agreement, by the Project Agreement Holder, shall be marked with a suitable notice or legend.
92634891_7 12. SECURITY ADMINISTRATION The security level for this project is UNCLASSIFIED. 13. ATTACHMENTS Attachments listed herein are hereby incorporated by reference into this Project Agreement. A. Statement of Work, “Rapid Advanced Development to Large Scale Manufacturing of NVX- CoV-2373” B. Report Requirements C. Prohibition on Contracting for Certain Telecommunications and Video Surveillance Services or Equipment D. Clause for MCDC Consortium Other Transaction Authority Agreements Standard Language OWS for Consortium OTA 14. GOVERNMENT FURNISHED PROPERTY At this time, Government Furnished Property is not provided for use under this Project Agreement. 15. DATA RIGHTS Please reference Section 8 of Attachment A, Statement of Work. 16. FOLLOW-ON PRODUCTION PROVISION In accordance with 10.U.S.C. 2371b(f), and upon a determination that this competitively awarded prototype project has been successfully completed, this prototype project may result in the award of a follow-on production contract or transaction without the use of competitive procedures. 17. SECURITY & OPSEC The below language shall be used as Paragraph 6 of Article XVII in the Project Agreement Holder’s Base Agreement: Access and General Protection/Security Policy and Procedures. This standard language text is applicable to ALL Project Agreement Holder employees working on critical program information or covered defense information related to Operation Warp Speed (OWS), and to those with an area of performance within an Army controlled installation, facility or area. Project Agreement Holder employees shall comply with applicable installation, facility and area commander installation/facility access and local security policies and procedures (provided by government representative). The Project Agreement Holder also shall provide all information required for background checks necessary to access critical program information or covered defense information related to OWS, and to meet installation access requirements to be accomplished by installation Provost Marshal Office, Director of Emergency Services or Security Office. The Project Agreement Holder workforce must comply with all personal identity verification requirements as directed by DOD, HQDA and/or local policy. In addition to the changes otherwise authorized by the changes clause of this agreement, should the Force Protection Condition (FPCON) at any individual facility or installation change, the Government may require changes in Project Agreement Holder security matters or processes. 18. ENTIRE AGREEMENT This Project Agreement and the MCDC Base Agreement under which it is issued constitute the entire understanding and agreement between the parties with respect to the subject matter hereof.
92634891_7 Except as provided herein, all Terms and Conditions of the MCDC Base Agreement and its modifications remain unchanged and in full force and effect. The Project Agreement Holder is required to sign this document and return to Advanced Technology International to finalize this action. Novavax, Inc. Advanced Technology International By: /s/ John A. Herrmann III By: /s/ [***] Name: John A. Herrmann III Name: [***] Title: EVP, Chief Legal Officer Title: Director – Contracts & Procurement Date: 22 December 2020 Date: Dec 23 2020
92634891_7 Attachment A Statement of Work This page intentionally left blank. See separate document for Attachment A.
92634891_7 Attachment A Statement of Work (Incorporated as of Modification No. 04; changes to Sections 1, 3, 4, and 5 are indicated in bold italics. Enclosure 3 has been superseded.) For Rapid (WF10) Advanced Research & Development to Large Scale Manufacturing of NVX-CoV- 2373 as a Vaccine for SARS-CoV-2 Coronavirus RPP #: 20-11 Project Identifier: MCDC2011-001 Consortium Member: Novavax, Inc. Title of Proposal: Rapid (WF10) Advanced Research & Development to Large Scale Manufacturing of NVX-CoV-2373 as a Vaccine for SARS-CoV-2 Coronavirus Requiring Activity: Joint Mission between the Department of Health and Human Services and Department of Defense to Combat COVID-19 1.0 INTRODUCTION, SCOPE, AND OBJECTIVES 1.1 Introduction To meet the needs of the Coronavirus Disease 2019 (COVID-19) pandemic, the United States Government (USG) is identifying and will support development and at-scale manufacturing of selected vaccine candidates, to ensure timely availability to the US population when needed. This is the primary focus of the mission being executed by the Department of Health and Human Services (HHS) and Department of Defense (DoD), in support of Operation Warp Speed (OWS). The USG is interested in pursuing prototype vaccines that are in an advanced stage of development, and will support companies that can, in parallel with nonclinical, clinical and regulatory development, rapidly establish the manufacturing capacity required to meet the USG’s objective of supplying a safe and effective Severe Acute Respiratory Syndrome Coronavirus 2 (SARS-CoV-2) vaccine to the entire US population. The USG is tasked with marshaling the efforts of the US biotechnology industry to achieve this goal. 1.2 Definition of the Prototype Project Consistent with USG objectives, the “prototype project” under this agreement is defined as the manufacture and delivery of 100M doses of a SARS-CoV-2 vaccine, NVX-CoV2373, which is suitable for use in humans under a sufficiently informed deployment strategy, and the advanced positioning of a stockpile of critical long lead raw materials for the Matrix-M adjuvant. As such, the “prototype project” will effectively demonstrate Novavax’s ability to rapidly stand up large scale manufacturing and seamlessly transition into ongoing production. The NVX-CoV-2373 vaccine is comprised of the Matrix-M™ adjuvant, and antigen (SARS-CoV-2 spike protein). The vaccine is filled into a multi-dose vial ([***]) and is stored at refrigerated temperature (2-8oC). Successful development of the prototype will demonstrate Novavax’s ability to rapidly stand up large scale manufacturing and seamlessly transition into ongoing production capability, in order to rapidly manufacture
92634891_7 to meet surge requirements with little advance notification, and demonstrate capability to stockpile and distribute large quantities of the vaccine to respond when needed, including in order to supply use in clinical studies, under an Emergency Use Authorization (EUA), or pursuant to other clearance from the U.S. Food and Drug Administration (FDA). Successful completion of the prototype will require three coordinated and integrated lines of effort: a) Large scale manufacturing, compliant with 21 CFR Parts 210 and 211, and the Drug Supply Chain Security Act (DSCA), to the extent applicable at the time of manufacturing by statute and FDA interpretive guidance thereof. b) Parallel nonclinical and clinical studies required to determine if the vaccine is safe and effective. c) Compliance with all applicable U.S. regulatory requirements. It is important to note that while results of nonclinical and clinical studies are critical to develop use case scenarios and, in turn, inform the USG’s deployment strategy as it relates to product manufactured under this agreement, successful development of the prototype is dependent only on the validity of data from these studies. The degree to which the data are “positive” or “negative” is not a factor in demonstration of the prototype. 1.3 Follow-on Activity This prototype project includes unpriced options for follow-on production/procurement. During the performance of the prototype, the USG and Novavax will negotiate the scope and price of production/procurement. If the prototype project is successful, the USG may then enter into follow-on production/procurement by executing these options through a separate stand-alone production/procurement agreement, to be negotiated in terms of scope and price as described in the following paragraph. In accordance with 10.U.S.C. 2371b(f), and upon demonstration of the prototype, or at the accomplishment of particularly favorable or unexpected results that would justify transitioning to production/procurement, EUA, or Biologics License Application (BLA) approved by the FDA, the USG and Novavax may enter into a non-competitive production/procurement follow-on agreement or contract for additional production/procurement, to partially or completely meet the USG objective of supplying a safe and effective SARS-CoV-2 vaccine to vaccinate up to 300M people in the targeted population (≈560M additional doses). 1.4 Scope Novavax has defined a scope of activities in order to successfully develop the prototype, as defined above. The scope is based on the following assumptions regarding manufacturing and clinical dose: o Manufacturing Assumptions and Clinical Dose The NVX-CoV-2373 vaccine is comprised of the Matrix-M™ adjuvant, and antigen (SARS- CoV-2 spike protein). A dose range of 5-25 µg of antigen is under clinical study. The anticipated dose based on clinical data obtained to date is [***]µg of antigen with [***]µg of Matrix-M adjuvant. For planning purposes, the [***] ([***]µg antigen/dose) has been used and the calculations in this scope of work have been based on this dose. The antigen production is the rate-limiting step in vaccine production. The Matrix-M adjuvant will be available prior to antigen production. Dose production has been calculated based on the
92634891_7 availability of antigen. Novavax is planning on a batch-by-batch rapid fill/finish once antigen is manufactured and available. The estimated production schedule based on the [***]µg antigen/dose (base case) and [***] µg antigen /dose (anticipated case) is in the table below: Estimated Schedule of Cumulative Doses Manufactured by Month Dosage Oct 2020 Nov 2020 Dec 2020 Jan 2021 Feb 2021 [***] µg/dose (base case) [***] [***] [***] [***] [***]** [***] µg/dose (anticipated case) [***] [***] 100,000,000* *Actual cumulative projected production at [***] µg/dose is [***] in December 2020. Some doses may be in progress at the end of December 2020. **Actual cumulative projected production at [***] µg/dose is [***] in February 2021. The scope includes the following activities: o Manufacturing Manufacturing of 100M doses (at [***]µg/dose, ≈[***]) of NVX-CoV-2373 vaccine in 2020 for distribution to the Government upon EUA under section 564 of the Food, Drug, and Cosmetic (FD&C) Act or a biologics licensure granted under Section 351(a) of the Public Health Service Act by the U.S. FDA. Establishment of large-scale current Good Manufacturing Practice (cGMP) manufacturing capacity compliant with 21 CFR Parts 210 and 211, and the DSCA to the extent applicable at the time of manufacturing by statute and FDA interpretive guidance thereof. Comparability among clinical vaccine lots and commercial lots using a comparability protocol linked to the product associated with the Phase 1 clinical study. For adjuvant components, the same raw material lot(s) will be used for the current and new Contract Manufacturing Organization (CMO) processes for the comparability protocol, and the same test lab will be used to ensure only process differences are being evaluated. Validation of manufacturing processes will be performed to cGMP standards. o Clinical Phase 3 pivotal clinical trial harmonized with USG clinical strategies. A Phase 3 clinical trial in pediatric populations (<18 years). Phase 2 studies in at-risk subpopulations (co-morbidities, [***], immunocompromised), as well as studies to support manufacturing site comparability. o Non-clinical Studies to support EUA and regulatory approval (BLA). o Regulatory EUA submission when data supports it, while maintaining progress toward eventual BLA submission.
92634891_7 BLA submission when appropriate. Regulatory support activities (Investigational New Drug (IND) submissions) for manufacturing, clinical, non-clinical studies. Meetings as-needed with regulators. o Project Management Mandatory reporting requirements, as described in the Base Agreement. Submission of Quarterly Progress Reports. Format will be agreed on by the contractor and Agreements Officer’s Representative (AOR), and will include both technical and financial status and expenditure forecast. Facilitation of biweekly teleconferences with Novavax and USG Subject Matter Experts. Final prototype project report and applicable patents report(s). Work Breakdown Structure (WBS) and Integrated Master Schedule (IMS). All Regulatory correspondence relevant to the scope of work proposed, including communications with the FDA, and all submissions. 1.4.1 Novavax Project Plan This is Novavax’s plan as of the date of the submission. Novavax desires to move quickly to large scale development as rapidly as possible, in order to meet the objectives of this proposal. As the COVID-19 pandemic is an evolving situation, Novavax may need to adapt its plan in response to FDA guidance, opportunities for manufacturing efficiencies, and clinical trial data. 1.5 Resolution of Conflicting Language If there is a conflict between the Project Agreement (of which this Statement of Work is part) and the Base Agreement (Medical CBRN Consortium (MCDC) Base Agreement No.: 2020-530), the Project Agreement language will supersede and control the relationship of the parties. 2.0 APPLICABLE REFERENCES N/A 3.0 REQUIREMENTS 3.1 Major Task: cGMP Manufacturing of NVX-CoV-2373 compliant with 21 CFR 210 and 211 3.1.1 Subtask: Raw Materials – Obtain Critical Starting Materials for Adjuvant Manufacturing Sufficient Saponin to manufacture up to 100M vaccine doses will be purchased (Desert King, headquartered in San Diego, CA, facilities in Chile). Long-lead, critical, and limited-supply materials ([***]) will be purchased for the additional 560M vaccine doses to meet the contact requirement, in order to ensure capability to rapidly manufacture to meet surge requirements with little advance notification and demonstrate capability to stockpile and distribute large quantities of the vaccine to respond when needed.
92634891_7 3.1.2 Subtask: Raw Materials – Obtain Critical Starting Materials for Antigen and Fill/Finish Manufacturing Sufficient materials (vials, stoppers, other consumables) to manufacture up to 100M vaccine doses will be purchased (sources TBD). 3.1.3 Subtask: Raw Materials – [***] Intermediates to Produce Matrix-M Adjuvant Matrix-M Adjuvant [***] to supply large-scale manufacturing of vaccine doses will be manufactured at [***] and PolyPeptide (Torrance, CA & Malmö, Sweden). Technology transfer and start-up of the PolyPeptide facility in Torrance, CA will be completed. Long lead, critical, and limited supply materials will be purchased in order to achieve the goal of large-scale production. 3.1.4 Subtask: Matrix-M Adjuvant Manufacturing to Supply 100M Vaccine Doses Matrix-M Adjuvant bulk components will be manufactured at ACG Biologics (Seattle, WA) to supply 100M vaccine doses. Technology transfer and start-up of the AGC Bio facility in Seattle will be completed. An analytical comparability manufacturing study and validation studies will be performed as part of the tech transfer to each manufacturing site. 3.1.5 Subtask: Antigen Manufacturing to Supply 100M Vaccine Doses Antigen will be manufactured at Fuji (2 sites – College Station, TX and Research Triangle Park, NC) to supply 100M vaccine doses. Technology transfer and scale-up activities will be completed. An analytical comparability manufacturing study and validation studies will be performed as part of the tech transfer to each manufacturing site. 3.1.6 Subtask: Fill/Finish of 100M Vaccine Doses 100M doses of finished vaccine in [***] vials will be manufactured at Baxter (Bloomington, IN, USA). This will include secondary packaging. Technology transfer and scale-up activities will be completed. An analytical comparability manufacturing study and validation studies will be performed as part of the tech transfer to each manufacturing site. 3.1.7 Subtask: Shipping and Storage Novavax assumes that it will maintain a Vendor Managed Inventory (VMI) system for a period of 12 months, with shipments to 10 geographic zones in the USA. Novavax will perform activities to establish compliance with DSCA to the extent applicable at the time of manufacturing, by statute and FDA interpretive guidance thereof. 3.2 Major Task: Clinical Studies Novavax will perform these clinical trials and deliver the results in an interim Clinical Study Report (CSR) at the completion of enrollment, and the final CSR when available. These trials will be conducted using a Clinical Research Organization (CRO) that is to be determined. 3.2.1 Subtask: Phase 3 Global Efficacy Study, Adults ≥ 18 and < 75 years Study: Phase 3 – Global Efficacy Study (to be harmonized with other USG studies), 2019nCoV-301. Population: Adults ≥ 18 years, inclusive of subjects with more severe co-morbid conditions. Locations: North America, Europe; may include Africa, Asia, Oceania, South America. Primary Objectives: Clinical efficacy, safety, immunogenicity. Design: Randomized, observer-blinded, placebo-controlled.
92634891_7 Test Product(s); Dose Regimen; Route of Administration: Vaccine + Matrix-M – dose determined by Phase 2 dose confirmation study, Placebo; ~0.5 mL dose Intramuscular (IM) injection, up to 2 doses at Day 0 and Day 21. Enrollment: TOTAL N: ~30,000 (adjusted for expected endpoint incidence). [***] 3.2.2 Subtask: Phase 2 Efficacy Expansion (US), Adults ≥ 18 and < 75 years Study: Phase 2 - Part 3 efficacy expansion (US), 2019nCoV-204. Population: Adults ≥ 18 and < 75 years. Locations: USA. Primary Objectives: Clinical efficacy, safety, immunogenicity. Design: Randomized, observer-blinded, placebo-controlled. Test Product(s); Dose Regimen; Route of Administration: Vaccine + Matrix-M – [***]; not greater than 25 µg antigen + 50 µg adjuvant, [***] to allow for rapid initiation. Placebo. ~0.5 mL dose IM injection, up to 2 doses at Day 0 and Day 21. Enrollment: TOTAL: [***]. [***]. Adjusted for expected event occurrence. Event driven analysis. Initiation of study gated on completion of Phase 1 study, dose-selection and regulatory approval. 3.2.3 Subtask: Phase 2 Study in Immunocompromised Persons (HIV-positive adult subjects) (Africa) Study: Phase 2 study in immunocompromised persons (HIV-positive adult subjects) (Africa). Population: Adults ≥ 18 and < 65 years. Locations: Republic of South Africa (RSA) Primary Objectives: Safety, immunogenicity (serum and cellular). Design: Randomized, observer-blinded, placebo-controlled. Test Product(s); Dose Regimen; Route of Administration: Vaccine + Matrix-M; Placebo, 0.5 mL dose IM injection, up to 2 doses at Day 0 and Day 21. Enrollment: Total N = 2,640 – 2,880 (with n=240 - 480 HIV+); 1:1 Vaccine to placebo. Initiation gated on completion of Phase 1 study, dose selection, and regulatory approval. 3.2.4 Subtask: [***] Study: [***]. Population: [***] Locations: [***]. Primary Objectives: [***]. Design: Randomized, observer-blinded, placebo-controlled. Test Product(s); Dose Regimen; Route of Administration: Vaccine + Matrix-M [***]. Enrollment: [***]. Initiation gated on benefit:risk assessment (derived from Task 2.3.1 and/or 2.3.2 and/or other Phase 2 studies) and regulatory approval to conduct studies in this vulnerable population. 3.2.5 Subtask: Phase 2 Manufacturing Site Lot Consistency/Comparability Study (US or other) Study: Phase 2 manufacturing site lot consistency/comparability study (US or other), 2019nCoV-201. Population: Adults ≥ 18 to < 50 years. Locations: USA.
92634891_7 Primary Objectives: Safety, immunogenicity. Design: Randomized, observer-blinded, placebo-controlled. Test Product(s); Dose Regimen; Route of Administration: Vaccine + Matrix-M; [***]. Enrollment: ~600 per cohort, each cohort having [***]. Study size may be adjusted to allow non-inferiority testing. 3.2.6 Subtask: [***] Study: [***]. Population: [***]. Locations: [***]. Primary Objectives: [***]. Design: Randomized, observer-blinded, placebo-controlled. Test Product(s); Dose Regimen; Route of Administration: Vaccine + Matrix-M; [***]. Enrollment: Total = 800 mothers + baby. Initiation gated on benefit:risk assessment (derived from Task 2.3.1 and/or 2.3.2 and/or other Phase 2 studies) and regulatory approval to conduct studies in this vulnerable population. 3.2.7 Subtask: Pharmacovigilance; Establishment of Registration Safety Database A registration safety database will be established to comply with FDA requirements for product safety and licensure. 3.2.8 Subtask: [***] Study: [***]. Population: [***]. Location: [***]. Primary Objective: [***]. Design: Randomized, observer-blinded, placebo (or active vaccine) control. Test Product(s); Dose Regimen; Route of Administration: Vaccine + Matrix-M – [***]. Enrollment: TOTAL: N ~12,500 (based on agreed VE, power, and LBCI). [***]. Adjusted for expected event occurrence if robust demonstration of clinical efficacy is required by the FDA. Event driven analysis for study termination. 3.3 Major Task: Non-Clinical Studies Novavax will perform these non-clinical studies and deliver the results in a study report at completion. 3.3.1 Mouse Study, Immunogenicity Study 702-100. [***] in mice for vaccine efficacy profile to comply with FDA guidelines. 3.3.2 Rhesus Study, Immunogenicity Study 702-099. [***] in rhesus monkeys for vaccine efficacy profile to comply with FDA guidelines. 3.3.3 Hamster Study, Immunogenicity Study 702-102. Immunogenicity/challenge study in hamster [***] for vaccine efficacy profile to comply with FDA guidelines.
92634891_7 3.3.4 Mouse Study, T-Cell Immunogenicity Study 702-103. T-cell immunogenicity/challenge study in mice [***] for vaccine efficacy profile to comply with FDA guidelines. 3.3.5 Hamster Study, T-Cell Immunogenicity Study 702-105. Immunogenicity/challenge study in hamster [***] for vaccine efficacy profile to comply with FDA guidelines. 3.3.6 Mouse Study, T-Cell Immunogenicity Study 702-104. Immunogenicity/challenge study in hamster [***] for vaccine efficacy profile to comply with FDA guidelines. 3.3.7 Non-Clinical Studies: Collaboration with Univ. of Maryland School of Medicine Three studies to study enhancement/inhibition and neutralization, and virus challenge of vaccinated mice: 1. Validation of Spike nanoparticles in cell inhibition studies: In vitro inhibition studies on cell line permissive to r2019-nCoV, readout TBD. 2. Neutralization studies with virus against bleeds from mice, In vitro microneutralization studies on cell line permissive to r2019-nCoV, TCID50 or fluorescence readout (TBD). 3. Virus challenge of vaccinated mice (mice vaccinated outside and shipped to UM for challenge), Challenge of vaccinated mice (shipped in for infection from Novavax), Lung pathology, Titer, viral Ribonucleic Acid (RNA) quantitation, pathology scoring and reports. 3.3.8 Structural Study of COVID-19 Spike Protein and its Complex with Host Receptor (cooperation with Baylor College of Medicine) Study to determine the structures of recombinant COVID-19. Spike protein in nanoparticles used in Novavax’s human vaccine and in complex with its host receptor ACE2. Will obtain a high-resolution cryoEM structure of full-length COVID-19 Spike protein and a high-resolution cryoEM structure of full- length COVID-19 Spike protein in complex with human receptor ACE2. 3.3.9 Neutralizing Assay Histopathology for On-going [***] Histopathology readings for current neutralization studies in [***]. This will support the safety profile of the vaccine for FDA approval. 3.3.10 Mouse Study, Immunogenicity [***] Studies Individual immunogenicity studies [***] in mice for vaccine efficacy profile in different sub-populations to comply with FDA guidelines. 3.3.11 Durability of NVX-CoV2373 Vaccine Immunity and SARS-CoV-2 Protection at [***] in Rhesus Macaques Study 702-110. This study is designed to evaluate the long-term immunogenicity and protective efficacy of NVX-CoV2373 nanoparticle vaccine when administered with Matrix-MTM by IM injections on Study Days 0 and 21, to Non-Human Primates (NHP). Each study group will contain [***] NHPs ([***] per sex). Blood samples will be collected prior to vaccination and at multiple time points following vaccination as outlined below. Samples will be shipped to Novavax Inc. for performance of assays to determine the vaccine immunogenicity. Animals from placebo and active treatment groups will be challenged with SARS-CoV-2 virus at [***] following last treatment and monitored for clinical illness, viral RNA and sgRNA (nasal swabs, BAL) to assess the protective efficacy of the vaccine. 3.3.12 Immunogenicity and Protective Efficacy of Sub-Protective Doses of NVX-CoV2373 in Rhesus Macaques Study 702-111. This study is designed to evaluate the immunogenicity and protective efficacy of sub- optimal doses of NVX-CoV2373 nanoparticle vaccine administered with a fixed dose of Matrix-MTM by
92634891_7 IM injections on Study Days 0 and 21, to NHPs. Each study group will contain [***] NHPs ([***] per sex). Blood samples will be collected prior to vaccination and at various time points following vaccination as outlined below. Samples will be shipped to Novavax Inc. for performance of assays to determine the vaccine immunogenicity. Animals from placebo and active treatment groups will be challenged with SARS-CoV-2 virus at [***] following last treatment and monitored for clinical illness, viral RNA and sgRNA (nasal swabs, BAL) to assess the protective efficacy of the vaccine. 3.4 Major Task: Regulatory Affairs Novavax will conduct the regulatory activities below, including BLA prep and submission, and provide the meeting minutes and applications to the USG. 3.4.1 Subtask: EUA Submission and Supporting Meetings and Regulatory Filings An EUA will be submitted to the FDA upon obtaining sufficient clinical data. EUA, FDA meetings to support EUA, submission planning support for the Chemistry, Manufacturing, and Controls (CMC) team, EUA strategy and meeting support, and submission preparation support activities, will all be completed. 3.4.2 Subtask: IND Submission Updates and FDA Meetings This task will include submissions to the IND and possible FDA meetings that will be required prior to the BLA submission. 3.4.3 Subtask: BLA Submission A BLA will be submitted to the FDA upon obtaining sufficient clinical data, FDA meetings to support BLA, submission planning support for the CMC team, BLA strategy and meeting support, and submission preparation support activities, will all be completed. 3.5 Major Task: Project Management and Reporting 3.5.1 Subtask: Kick-Off Meeting and Initial Baseline Review of IMS Novavax shall conduct a Kick-Off Meeting and an initial review with the USG of the IMS, upon initiation of the program. 3.5.2 Subtask: Biweekly Meetings with OWS Novavax shall submit the agenda in advance. Any technical updates shall be provided in advance for the Government team to review. Minutes shall be submitted after the biweekly meeting to the USG. 3.5.3 Subtask: Written Quarterly Reports Novavax shall submit quarterly reports to the USG. 3.5.4 Subtask: Written Annual Reports Novavax shall submit the annual reports to the USG. 3.5.5 Subtask: Written Final Report Novavax shall submit the final report to the USG. 3.6 Optional Task: Follow-On Production Follow-on production of finished doses of vaccine up to 560M doses. 4.0 DELIVERABLES Del. # Deliverable Description Due Date Milestone Reference SOW Reference Government Role Data Type/Data Rights Manufacturing
92634891_7 Del. # Deliverable Description Due Date Milestone Reference SOW Reference Government Role Data Type/Data Rights 4.1 [***] [***] 5.1 3.1.1 Reviewer [***] 4.2 [***] [***] 5.2 3.1.2 Reviewer [***] 4.3 [***] [***] 5.3 3.1.3 Reviewer [***] 4.4 [***] [***] 5.4 3.1.4 Reviewer [***] 4.5 [***] [***] 5.5 3.1.5 Reviewer [***] 4.6 [***] [***] 5.6 3.1.6 Reviewer [***] 4.7 [***] [***] 5.7 3.1.7 Reviewer [***] Clinical 4.8 [***] [***] 5.8 3.2.1 Reviewer [***] 4.9 [***] [***] 5.9 3.2.2 Reviewer [***] 4.10 [***] [***] 5.10 3.2.3 Reviewer [***] 4.11 [***] [***] 5.11 3.2.4 Reviewer [***] 4.12 [***] [***] 5.12 3.2.5 Reviewer [***] 4.13 [***] [***] 5.13 3.2.6 Reviewer [***] 4.14 [***] [***] 5.14 3.2.7 Reviewer [***] 4.15 [***] [***] 5.15 3.2.8 Reviewer [***] Non- Clinical 4.16 [***] [***] 5.16 3.3.1 Reviewer [***] 4.17 [***] [***] 5.17 3.3.2 Reviewer [***] 4.18 [***] [***] 5.18 3.3.3 Reviewer [***] 4.19 [***] [***] 5.19 3.3.4 Reviewer [***] 4.20 [***] [***] 5.20 3.3.5 Reviewer [***] 4.21 [***] [***] 5.21 3.3.6 Reviewer [***] 4.22 [***] [***] 5.22 3.3.7 Reviewer [***] 4.23 [***] [***] 5.23 3.3.8 Reviewer [***] 4.24 [***] [***] 5.24 3.3.9 Reviewer [***] 4.25 [***] [***] 5.25 3.3.10 Reviewer [***] 4.26 [***] [***] 5.26 3.3.11 Reviewer [***] 4.27 [***] [***] 5.27 3.3.12 Reviewer [***] Regulatory Affairs 4.28 [***] [***] 5.28 3.4.1 Reviewer [***] 4.29 [***] [***] 5.29 3.4.2 Reviewer [***] 4.30 [***] [***] 5.30 3.4.3 Reviewer [***] Project Management 4.31 [***] [***] 5.31 3.5 Reviewer [***] 4.32 [***] [***] 5.32 3.5.1 Reviewer [***] 4.33 [***] [***] 5.33 3.5.2 Reviewer [***] 4.34 [***] [***] 5.34 3.5.3 Reviewer [***]
92634891_7 Del. # Deliverable Description Due Date Milestone Reference SOW Reference Government Role Data Type/Data Rights 4.35 [***] [***] 5.35 3.5.4 Reviewer [***] 4.36 [***] [***] 5.36 3.5.4 Reviewer [***] 4.37 [***] [***] 5.37 3.5.5 Reviewer [***] 4.38 [***] [***] 5.35 N/A Reviewer [***] TBD [***] [***] Option 1 3.6 Reviewer [***] Note: Attachment D of the Project Agreement shall be referenced for supplemental security requirements associated with deliverables under this project. 5.0 MILESTONE PAYMENT SCHEDULE The milestones below are for reference and costs for the project will be invoiced monthly on a cost reimbursable basis as the work progresses. Milestone # Milestone Description (Deliverable Reference) Due Date Total Program Funds Manufacturing [***] 5.1 [***] [***] [***] 5.2 [***] [***] [***] 5.3 [***] [***] [***] 5.4 [***] [***] [***] 5.5 [***] [***] [***] 5.6 [***] [***] [***] 5.7 [***] [***] [***] Clinical [***] 5.8 [***] [***] [***] 5.9 [***] [***] [***] 5.10 [***] [***] [***] 5.11 [***] [***] [***] 5.12 [***] [***] [***] 5.13 [***] [***] [***] 5.14 [***] [***] [***] 5.15 [***] [***] [***] Non- Clinical [***] 5.16 [***] [***] [***] 5.17 [***] [***] [***] 5.18 [***] [***] [***] 5.19 [***] [***] [***] 5.20 [***] [***] [***] 5.21 [***] [***] [***]
92634891_7 Milestone # Milestone Description (Deliverable Reference) Due Date Total Program Funds 5.22 [***] [***] [***] 5.23 [***] [***] [***] 5.24 [***] [***] [***] 5.25 [***] [***] [***] 5.26 [***] [***] [***] 5.27 [***] [***] [***] Regulatory Affairs [***] 5.28 [***] [***] [***] 5.29 [***] [***] [***] 5.30 [***] [***] [***] Project Management [***] 5.31 [***] [***] [***] 5.32 [***] [***] [***] 5.33 [***] [***] [***] 5.34 [***] [***] [***] 5.35 [***] [***] [***] 5.36 [***] [***] [***] 5.37 [***] [***] [***] 5.38 [***] [***] [***] Reservation Fees 5.39 [***] [***] [***] 5.40 [***] [***] [***] 5.41 [***] [***] [***] Total (Cost Plus Fixed Fee) $1,747,689,328 Period of Performance (July 6, 2020 – December 31, 2021) 18 Months (Base) Option 1: Follow-On Production Cost: [***] 6.0 SHIPPING PROVISIONS The shipment of physical deliverables shall be coordinated with the AOR. Data deliverables shall be provided in accordance with the agreement, and in coordination with the AOR. 7.0 INTELLECTUAL PROPERTY, DATA RIGHTS, AND COPYRIGHTS 7.1 BACKGROUND IP (a) Ownership. Prior to June 8, 2020, Novavax had funded the development of NVX-CoV2373, and other antecedent vaccine programs relevant to Novavax’ proprietary position in the development of NVX- CoV2373, as well as its sf9/baculovirus manufacturing platform, (all “Background IP”) through private
92634891_7 funding or in collaboration with a funding partner other than the U.S. Government. Such private and non- governmental funding has continued since June 8, 2020 and is expected to continue during the performance of the Project Agreement. A list of all patents and patent applications included in the Background IP is provided below as Enclosure 4. Background IP also consists of (a) manufacturing know-how, including, without limitation, the NVAX-Cov2373 manufacturing process definitions, process development/characterization reports, laboratory scale process procedures, manufacturing records, analytical test methods, product quality target ranges/specifications, quality target product profile, critical quality attributes (collectively “Background Know-How”), (b) data from pre-clinical and clinical research studies, analytical and process development research, and data related to, or generated using, the Background Know-How (collectively, “Background Data”), and (c) proprietary manufacturing materials, including, without limitation, sf9 cell banks (master and working), baculovirus virus stock (master and working), product standards, reference standards, and critical reagents (“Background Materials”). On June 8, 2020, Novavax and the U.S. Department of Defense entered into a Letter Contract for specified U.S.-based clinical and manufacturing development of NVX-CoV2373 which acknowledged Background IP and made no explicit U.S. Government claims to Background IP or subsequent data arising therefrom. The U.S. Government hereby acknowledges such Background IP in full and further acknowledges that it has no ownership rights to Novavax Background IP under this Project Agreement. (b) Background IP Limited License to Government. Subject to the terms of the Project Agreement, Novavax grants the U.S. Government a nonexclusive, worldwide, nontransferable, non-sublicenseable license to use the Background IP to the limited extent necessary for the U.S. Government to review and use the Deliverables tendered by Novavax under this Agreement identified in Section 4.0 above, and for no other purpose; provided that the U.S. Government agrees that it may not disclose the Background IP to third parties, or allow third parties to have access to, use, practice or have practiced the Background IP, without Novavax’s prior written consent. To the extent that a Deliverable with Foreground IP incorporates or uses Background IP, the Deliverable shall be deemed and considered to comprise Background IP and shall be used by the U.S. Government in accordance with this Background IP Limited License. (c) Background IP License to Novavax. Subject to the terms of the Project Agreement, the U.S. Government grants to Novavax a nonexclusive, worldwide, nontransferable, irrevocable, paid-up license to any intellectual property (including patents and patent applications) to which the U.S. Government has rights thereto, provided that such license is limited to such intellectual property rights necessary to perform Novavax’s obligations under the Project Agreement. 7.2 FOREGROUND IP (a) Ownership. Notwithstanding anything in the Base Agreement to the contrary, Novavax owns all rights, title and interest in and to any development, modification, discovery, invention or improvement, whether or not patentable, conceived, made, reduced to practice, or created in connection with activities funded under the Project Agreement, including, without limitation, all data and inventions, and intellectual property rights in any of the foregoing (“Foreground IP”). (b) Foreground IP Special License. Subject to the terms of the Project Agreement, Novavax grants the U.S. Government a nonexclusive, worldwide, nontransferable, irrevocable, paid-up license to practice or have practiced the Foreground IP for or on behalf of the U.S. Government (“Foreground IP Special License”). 8.0 DATA RIGHTS
92634891_7 Article XI, §11.03 of the Base Agreement is hereby amended, consistent with the “Specifically Negotiated License Rights” capability at Article XI, §§11.01(12) and 11.03(4), as follows: 8.1 Data Ownership. Novavax owns all rights, title and interest to all Data (as defined in Article XI, Section 11.01(7) of the Base Agreement) generated as a result of the work performed under this Project Agreement, including Subject Data. 8.2 Rights to Data. (a) Subject Data. Subject to the terms of the Project Agreement, Novavax grants to the U.S. Government a Government purpose rights license to Subject Data that will convert to an unlimited rights license (as the term is defined in Article XI, Section 11.01(14) of the Base Agreement)1 after three (3) years from the date of delivery. As used herein, “Subject Data” shall mean Technical Data under Article XI, §11.01(13) of the Base Agreement Deliverables that are considered Subject Data are identified in the Deliverable Table set forth in Section 4.0 above. (b) Transfer of Data. Each party, upon written request to the other party, shall have the right to review and to request delivery of Subject Data, and delivery of such Data shall be made to the requesting party within two weeks of the request, except to the extent that such Data are subject to a claim of confidentiality or privilege by a third party. (c) Background IP Limited License. To the extent that Subject Data incorporates or uses Background IP, the data shall be deemed and considered to comprise Background IP and shall be used by the U.S. Government in accordance with the Background IP Limited License set forth in Section 7.3 above. 8.3 Background Technical Data Rights Assertions. Novavax asserts background technical data rights as follows: The Background Data, as defined in Section 7.1 above, was developed through private funding or in collaboration with a funding partner other than the U.S. Government. Such funding is expected to continue; accordingly, Novavax asserts Background Data as Category A Data pursuant to section 11.02(1) of the Base Agreement and the U.S. Government shall have no rights therein. 9.0 REGULATORY RIGHTS This agreement includes research with an investigational drug, biologic or medical device that is regulated by the U.S. Food and Drug Administration (FDA) and requires FDA pre-market approval or clearance before commercial marketing may begin. It is expected that this agreement will result in the FDA authorization, clearance and commercialization of NVX-CoV-2373 as a Vaccine for SARS-CoV-2 Coronavirus (the “Technology”). Novavax is the Sponsor of the Regulatory Application (an investigational new drug application (IND), investigational device exemption (IDE), emergency use authorization (EUA), new drug application (NDA), biologics license application (BLA), premarket approval application (PMA), or 510(k) 1 As used herein, “Government Use” as used “Purpose Rights“ has the meaning set forth in this Section 4.0 means Government purpose rights as defined in the Base Agreement, Article XI, Section 11.01(9).) of the Base Agreement, as modified by Section 8.2(b) below.
92634891_7 pre-market notification filing (510(k)) or another regulatory filing submitted to the FDA) that controls research under this contract. As the Sponsor of the Regulatory Application to the FDA (as the terms “sponsor” and “applicant” are defined or used in at 21 CFR §§3.2(c), 312.5, 600.3(t), 812.2(b), 812 Subpart C, or 814.20), Novavax has certain standing before the FDA that entitles it to exclusive communications related to the Regulatory Application. This clause protects the return on research and development investment made by the U.S. Government in the event of certain regulatory product development failures related to the Technology. Novavax agrees to the following: a. Communications. Novavax will provide the U.S. Government with all communications and summaries thereof, both formal and informal, to or from FDA regarding the Technology and ensure that the U.S. Government representatives are invited to participate in any formal or informal Sponsor meetings with FDA; b. Rights of Reference. The U.S. Government is hereby granted a right of reference as that term is defined in 21 C.F.R. § 314.3(b) (or any successor rule or analogous applicable law recognized outside of the U.S.) to any Regulatory Application submitted in support of the statement of work for the Project Agreement. When it desires to exercise this right, the U.S. Government agrees to notify Novavax in writing describing the request along with sufficient details for Novavax to generate a letter of cross-reference for the U.S. Government to file with the appropriate FDA office. The U.S. Government agrees that such letters of cross- reference may contain reporting requirements to enable Novavax to comply with its own pharmacovigilance reporting obligations to the FDA and other regulatory agencies. Nothing in this paragraph reduces the U.S. Government’s data rights as articulated in other provisions of the Project Agreement. c. DoD Medical Product Priority. PL-115-92 allows the DoD to request, and FDA to provide, assistance to expedite development and the FDA’s review of products to diagnose, treat, or prevent serious or life- threatening diseases or conditions facing American military personnel. Novavax recognizes that only the DoD can utilize PL 115-92. As such, Novavax will work proactively with the DoD to leverage this this law to its maximal potential under this Project Agreement. Novavax shall submit a mutually agreed upon Public Law 115-92 Sponsor Authorization Letter to the U.S. Government within 30 days of award. 10.0 ENSURING SUFFICIENT SUPPLY OF THE PRODUCT a. In recognition of the Government’s significant funding for the development and manufacturing of the product in this Project Agreement and the Government’s need to provide sufficient quantities of a safe and effective COVID-19 vaccine to protect the United States population, the Government shall have the remedy described in this section to ensure sufficient supply of the product to meet the needs of the public health or national security. This remedy is not available to the Government unless and until both of the following conditions are met: i. Novavax gives written notice, required to be submitted to the Government no later than 15 business days, of: a. any formal management decision to terminate manufacturing of the NVX-CoV- 2373 vaccine prior to delivery of 100 million doses to USG; b. any formal management decision to discontinue sale of the NVX-CoV-2373 vaccine to the Government prior to delivery of 100 million doses to USG; or c. any filing that anticipates Federal bankruptcy protection; and
92634891_7 ii. Novavax has submitted an Emergency Use Authorization under §564 of the FD&C Act or a biologics license application provisions of §351(a) of the Public Health Service Act (PHSA). b. If both conditions listed in section (a) occur, Novavax, upon the request of the Government, shall provide the following items necessary for the Government to pursue manufacturing of the NVX-CoV-2373 vaccine with a third party for exclusive sale to the U.S. Government: i. a writing evidencing a non-exclusive, nontransferable, irrevocable (except for cause), royalty-free paid-up license to practice or have practiced for or on behalf of the U.S. Government any Background IP as defined in clause 7.1 necessary to manufacture or have manufactured the NVX-CoV2373 vaccine; ii. necessary FDA regulatory filings or authorizations owned or controlled by Novavax related to NVX-Cov2373 and any confirmatory instrument pertaining thereto; and iii. any outstanding Deliverables contemplated or materials purchased under this Project Agreement. c. This Article shall be incorporated into any contract for follow-on activities for the Government to acquire and use additional doses of the product. Per section 1.3, the estimated quantity for follow-on production/procurement is approximately 560 million doses. d. This Article will survive the acquisition or merger of the Contractor by or with a third party. This Article will survive the expiration of this agreement. 11. SECURITY The security classification level for this effort is UNCLASSIFIED. Attachment D of the Project Agreement shall be referenced for supplemental security requirements associated with the execution of this project. 12.0 MISCELLANEOUS REQUIREMENTS (SAFETY, ENVIRONMENTAL, ETC.) N/A 13.0 GOVERNMENT FURNISHED PROPERTY/MATERIAL/INFORMATION 14.0 AGREEMENTS OFFICER’S REPRESENTATIVE (AOR) AND ALTERNATE AOR CONTACT INFORMATION AOR NAME: [***] EMAIL: [***] PHONE: [***] AGENCY NAME/DIVISION/SECTION: Joint Program Executive Office, Joint Program Lead-Enabling Biotechnologies Alternate AOR
92634891_7 NAME: TBD MAILING ADDRESS: EMAIL: PHONE: AGENCY NAME/DIVISION/SECTION: HHS/ASPR/BARDA
92634891_7 ENCLOSURE 3: (SUPERSEDED) N/A – this enclosure has been superseded from the original and is no longer applicable.
92634891_7 ENCLOSURE 4: PATENT LISTING [Pursuant to Regulation S-K, Item 601(a)(5), this enclosure setting forth the patent listing has not been filed. The Registrant agrees to furnish supplementally a copy of any omitted exhibits to the Securities and Exchange Commission upon request; provided, however, that the Registrant may request confidential treatment of omitted items.]
92634891_7 Attachment B Report Requirements This page intentionally left blank. See separate document for Attachment B.
92634891_7 REPORT REQUIREMENTS If classified information is required to be submitted under this Agreement, it must be submitted to the addresses specified in the SOW or DD254. No classified information should be submitted directly to ATI. Any applicable Contract Data Requirements Lists (CDRLs), Data Item Descriptions (DIDs) or other report guidance for this Project may be included at the end of this attachment. ATI, in addition to the AOR, must receive a copy of the Quarterly Status Reports and the Final Status Report. Quarterly Status Reports, Annual Status Reports, and Final Status Reports should be submitted to [***]. All other deliverables shall be submitted to the AOR only, but ATI must be notified that the deliverable has been submitted to the AOR. The AOR will provide ATI a completed Sign- off Memorandum as evidence the milestone deliverable was received and deemed acceptable. If you would like a copy of the Report Requirements template in MS Word, please email [***] A. QUARTERLY STATUS REPORT The Recipient shall submit or otherwise provide a Quarterly Status Report in the format as shown in this attachment on the last day of the month of the calendar quarter (i.e., March 31, June 30, and December 31). A sample template is provided. I. The Recipient’s Technical Status Report will, at a minimum, address the following: Comments on Technical/Cost/Schedule Performance, Project Quad Chart, Milestone Status, Non-Traditional Defense Contractor Participation and Plans for the Next Quarter. B. PAYABLE MILESTONES/DELIVERABLES The Recipient shall submit to the Agreements Officer Representative and MCDC CMF Representative documentation describing the extent of accomplishment of Payable Milestones and Deliverables. I. Submission of Payable Milestones/Deliverables. The Recipient is required to submit all deliverables identified as Payable Milestones, as shown in the Payable Milestone Schedule, as well as any other deliverables/reports listed in the Statement of Work. II. Sign-off Memorandum. The Sign-off Memorandum as shown in this attachment shall accompany all submissions indicated in section B.I. The Agreements Officer Representative shall provide written approval using the Sign-off Memorandum to the MCDC Consortium Management Firm. The Sign-off Memorandum will be used to verify that all submissions are technically acceptable. It will also be used to substantiate invoice payment for firm fixed price agreements. C. ANNUAL STATUS REPORTING I. The Project Agreement Holder shall submit an Annual Status Report on September 30 each year (same format as Quarterly Status Report for one year period) for all projects whose periods of performances are greater than
92634891_7 one year in accordance with the terms and conditions of the MCDC Base Agreement. The Annual Status Report must also include the following: i. [***]. ii. [***]. iii. [***]. iv. [***]. v. [***]. vi. [***].
92634891_7 Quarterly Status Report for <Project Agreement Holder Name> Project No. MCDC-XX-XX-XXX Reporting Period: DATE - DATE Project Agreement Holder <Project Lead> <Other Project Team Member(s)> Project Team Technical POC Name Company Street Address City, State Zip Code Phone Number Email address Submitted: <date>
92634891_7 1. Comments on Technical/Cost/Schedule Performance The purpose of this section is to bring project stakeholders up to speed on current project status. It is not intended to be a line-by-line account of the quarter’s activities; details of that nature are reserved for the latter section of this report. Rather, this section should highlight technical, cost, and schedule performance for the quarter, and report overall progress towards successful technology transition and implementation – an executive summary-like synopsis. This section should also be used to cite project- related concerns. Properly crafted, this section is typically about one-half page in length. 2. Project Quad Chart Quad charts are used for many purposes, including high level briefings. Therefore, it is imperative that information be current and accurate, especially in regards to the lower quadrants. The text - where populated - in the quad chart below is for sample purposes only. < Project Agreement Title> Goals & Objectives Project Information Briefly describe the goals of the project; include the technical objectives and the implementation targets. Project Lead: Team Members: Period of Performance: Funding: Cumulative Amt Invoiced: Total Cost Share Reported: Milestones & Technical Achievements Implementation & Payoff Apr 16: Kickoff Meeting Schedule: Target date for implementation. Status: Current status towards implementation event. Jun 16: Design Analysis complete Jul 16: Materials/Equipment Rec’d Oct 16: Prototype construction complete Briefly describe what benefits will accrue from this project’s successful completion and implementation. Be quantitative to the greatest extent possible. May 17: Initial testing complete Oct 17: Production units implemented in shipyard processes Current Status: Technical = Green/Yellow/Red (delta) Schedule = Green/Yellow/Red (delta) Cost = Green/Yellow/Red (delta) Current Status Legend: Green = Good/On Budget Yellow = Minor Weakness/Known Risk Red = Major Weakness/Critical Delta: = upgrade from last assessment; = downgrade from last assessment; = no change
92634891_7 3. Supplemental Information In order to improve the usefulness of the quad charts and provide sufficient project information, the Quarterly Status Report must be supplemented with data described below. 3.1 Milestone Status: No. Milestone Due Date Percent Complete This Period Cumulative Percent Complete 1 2 3 3.2 Non-Traditional Defense Contractor Participation Name of Nontraditional* Planned Start Date Actual Start Date Reason for Deviation from Plan 3.3 Plans for Next Quarter Major achievements planned for the next quarter MEMORANDUM: Agreements Officer Representative Sign-Off To: Agreements Officer Representative (AOR) From: Date: Reference: (a) MCDC Base Agreement between ATI and Agreement No. (b) Project Agreement No. Subject: Milestone Approval The following deliverable(s) associated with the Milestone(s) listed below have been completed: MS# Deliverable XX It is requested that verification of these accomplishments be provided to the MCDC Consortium Management Firm. To: MCDC Consortium Management Firm
92634891_7 CERTIFICATION BY AGREEMENTS OFFICER REPRESENTATIVE: The Project Agreement Holder has made satisfactory progress and provided the required deliverables associated with this milestone. I certify the work performed is in accordance with the approved Statement of Work (SOW) included in the agreement. Other comments or concerns regarding this or future milestones: [Note: For any non-satisfactory areas include a discussion of what was not acceptable, references to previous correspondence on the issue, and what corrective actions are needed to effect payment.] Agreements Officer Representative Date:
92634891_7 Attachment C Prohibition on Contracting for Certain Telecommunications and Video Surveillance Services or Equipment This page intentionally left blank. See separate document for Attachment C.
92634891_7 Attachment C Prohibition on the Use of Certain Telecommunications and Video Surveillance Services or Equipment. This Article is to ensure compliance with Section 889 of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (Pub. L. 115-232). Based on the information provided below, the Government may be unable to enter into a new project agreement, exercise an option under an existing project, bilaterally modify a project agreement to extend the term of a project, execute an additional phase, or incrementally fund an existing project with the Member. A. Definitions Backhaul means intermediate links between the core network, or backbone network, and the small subnetworks at the edge of the network (e.g., connecting cell phones/towers to the core telephone network). Backhaul can be wireless (e.g., microwave) or wired (e.g., fiber optic, coaxial cable, Ethernet). Covered foreign country means The People’s Republic of China. Covered telecommunications equipment or services means– (1) Telecommunications equipment produced by Huawei Technologies Company or ZTE Corporation (or any subsidiary or affiliate of such entities); (2) For the purpose of public safety, security of Government facilities, physical security surveillance of critical infrastructure, and other national security purposes, video surveillance and telecommunications equipment produced by Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, or Dahua Technology Company (or any subsidiary or affiliate of such entities); (3) Telecommunications or video surveillance services provided by such entities or using such equipment; or (4) Telecommunications or video surveillance equipment or services produced or provided by an entity that the Secretary of Defense, in consultation with the Director of National Intelligence or the Director of the Federal Bureau of Investigation, reasonably believes to be an entity owned or controlled by, or otherwise connected to, the Government of a covered foreign country. Critical technology means– (1) Defense articles or defense services included on the United States Munitions List set forth in the International Traffic in Arms Regulations under subchapter M of chapter I of title 22, Code of Federal Regulations; (2) Items included on the Commerce Control List set forth in Supplement No. 1 to part 774 of the Export Administration Regulations under subchapter C of chapter VII of title 15, Code of Federal Regulations, and controlled- (i) Pursuant to multilateral regimes, including for reasons relating to national security, chemical and biological weapons proliferation, nuclear nonproliferation, or missile technology; or (ii) For reasons relating to regional stability or surreptitious listening; (3) Specially designed and prepared nuclear equipment, parts and components, materials, software, and technology covered by part 810 of title 10, Code of Federal Regulations (relating to assistance to foreign atomic energy activities); (4) Nuclear facilities, equipment, and material covered by part 110 of title 10, Code of Federal Regulations (relating to export and import of nuclear equipment and material); (5) Select agents and toxins covered by part 331 of title 7, Code of Federal Regulations, part 121 of title 9 of such Code, or part 73 of title 42 of such Code; or
92634891_7 (6) Emerging and foundational technologies controlled pursuant to section 1758 of the Export Control Reform Act of 2018 (50 U.S.C. 4817). Interconnection arrangements means arrangements governing the physical connection of two or more networks to allow the use of another's network to hand off traffic where it is ultimately delivered (e.g., connection of a customer of telephone provider A to a customer of telephone company B) or sharing data and other information resources. Reasonable inquiry means an inquiry designed to uncover any information in the entity's possession about the identity of the producer or provider of covered telecommunications equipment or services used by the entity that excludes the need to include an internal or third-party audit. Roaming means cellular communications services (e.g., voice, video, data) received from a visited network when unable to connect to the facilities of the home network either because signal coverage is too weak or because traffic is too high. Substantial or essential component means any component necessary for the proper function or performance of a piece of equipment, system, or service. B. Prohibition (1) The Member is prohibited from providing to the Government any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system, unless the Member is providing (i) a service that connects to the facilities of a third-party, such as backhaul, roaming, or interconnection arrangements; or (ii) telecommunications equipment that cannot route or redirect user data traffic or permit visibility into any user data or packets that such equipment transmits or otherwise handles, or the covered telecommunication equipment or services. A waiver, for a period not exceeding August 13, 2021, may be requested. (2) The Member acknowledges and accepts that the Government is prohibited from entering into a new project agreement, exercising an option under an existing project, bilaterally modifying the project agreement to extend the term of a project, executing an additional phase, incrementally funding an existing project with the member or with an entity that uses any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system, unless an exception at paragraph (b)(1) of this article applies, regardless of whether that use is in performance of work under a Federal contract or agreement. C. Certification (to be completed upon Agreements Officer Request) The Member shall review the list of excluded parties in the System for Award Management (SAM) (https://www.sam.gov) for entities excluded from receiving federal awards for “covered telecommunications equipment or services.” Based on that review: (1) □ The Member certifies that it does □ does not □ provide covered telecommunications equipment or services as a part of its offered products or services to the Government in the performance of any contract, subcontract, other transaction agreement, or other contractual instrument. (2) If the Member does provide covered telecommunications equipment or services as a part of its offered products or services to the Government in the performance of any contract, subcontract, other transaction agreement, or other contractual instrument as described in paragraph (c)(1), the Member certifies that it will □ will not □ provide covered telecommunications equipment or services to the Government in the performance of any contract, subcontract, other transaction agreement, or other contractual instrument resulting from this solicitation. If the Member will provide covered telecommunications equipment or services to the Government in the performance of any contract, subcontract, other transaction agreement, or other contractual instrument resulting from this solicitation (C)(2), the Member shall provide the additional disclosure information required at paragraph (D)(1) of this Article. (3) The Member certifies, after conducting a reasonable inquiry, for purposes of this certification, that it does □ does not □ use covered telecommunications equipment or services, or use any equipment, system, or service that uses covered telecommunications equipment or services. If the Member does use covered telecommunications equipment or services, or use any equipment, system, or service that uses covered telecommunications equipment or services as
92634891_7 described under this paragraph (C)(3), the Member shall provide the additional disclosure information required at paragraph (D)(2) of this Article. D. Disclosures (1) Disclosure for the certification in paragraph (C)(2) of this Article. If the Member does provide covered telecommunications equipment or services to the Government in the performance of any contract, subcontract, other transaction agreement, or other contractual instrument in in paragraph (C)(2) of this provision, the Member shall provide the following information: (i) For covered equipment— a) The entity that produced the covered telecommunications equipment (include entity name, unique entity identifier, Commercial and Government Entity (CAGE) code, and whether the entity was the Original Equipment Manufacturer (OEM) or a distributor, if known); b) A description of all covered telecommunications equipment offered (include brand; model number, such as OEM number, manufacturer part number, or wholesaler number; and item description, as applicable); and c) Explanation of the proposed use of covered telecommunications equipment and any factors relevant to determining if such use would be permissible under the prohibition in paragraph (B)(1) of this Article. (ii) For covered services— a) If the service is related to item maintenance: A description of all covered telecommunications services offered (include on the item being maintained: Brand; model number, such as OEM number, manufacturer part number, or wholesaler number; and item description, as applicable); or b) If not associated with maintenance, the Product Service Code (PSC) of the service being provided; and explanation of the proposed use of covered telecommunications services and any factors relevant to determining if such use would be permissible under the prohibition in paragraph (B)(1) of this Article. (2) If the Member does use covered telecommunications equipment or services, or use any equipment, system, or service that uses covered telecommunications equipment or services in in paragraph (C)(3) of this Article, the Member shall provide the following information: (i) For covered equipment— a) The entity that produced the covered telecommunications equipment (include entity name, unique entity identifier, CAGE code, and whether the entity was the OEM or a distributor, if known); b) A description of all covered telecommunications equipment offered (include brand; model number, such as OEM number, manufacturer part number, or wholesaler number; and item description, as applicable); and c) Explanation of the proposed use of covered telecommunications equipment and any factors relevant to determining if such use would be permissible under the prohibition in paragraph (B)(2) of this Article. (ii) For covered services— a) If the service is related to item maintenance: A description of all covered telecommunications services offered (include on the item being maintained: Brand; model number, such as OEM number, manufacturer part number, or wholesaler number; and item description, as applicable); or b) If not associated with maintenance, the PSC of the service being provided; and explanation of the proposed use of covered telecommunications services and any factors relevant to determining if such use would be permissible under the prohibition in paragraph (B)(2) of this Article. E. Reporting Requirement (1) In the event the Member identifies covered telecommunications equipment or services used as a substantial or essential component of any system, or as critical technology as part of any system, during agreement performance, or the Member is notified of such by a subcontractor at any tier or by any other source, the Member shall report the information in paragraph (E)(2) of this Article to the Agreements Officer and to the Department of Defense website at https://dibnet.dod.mil. The Member must notify the CMF that a report has been made. (2) The Member shall report the following information pursuant to paragraph (E)(1) of this clause:
92634891_7 (i) Within one (1) business day from the date of such identification or notification: the agreement number; the order number(s), if applicable; supplier name; supplier unique entity identifier (if known); supplier CAGE code (if known); brand; model number (original equipment manufacturer number, manufacturer part number, or wholesaler number); item description; and any readily available information about mitigation actions undertaken or recommended. (ii) Within ten (10) business days of submitting the information in paragraph (E)(2)(i) of this clause: any further available information about mitigation actions undertaken or recommended. In addition, the Member shall describe the efforts it undertook to prevent use or submission of covered telecommunications equipment or services, and any additional efforts that will be incorporated to prevent future use or submission of covered telecommunications equipment or services. F. Subcontracts The Member shall insert the substance of this article, including this paragraph (F) and excluding paragraph (B)(2), in all subcontracts and other contractual instruments, including subcontracts for the acquisition of commercial items.
92634891_7 Attachment D Clause for MCDC Consortium Other Transaction Authority Agreements Standard Language OWS for Consortium OTA This page intentionally left blank. See separate document for Attachment D.
92634891_7 Attachment D Clause for MCDC Consortium Other Transaction Authority Agreements Standard Language OWS for Consortium OTA (Incorporated as of Modification No. 04) Required MCDC Base Agreement Modifications The Medical CBRN Consortium (MCDC) Base Agreement, Article XVII, SECURITY & OPSEC shall apply to this Project Agreement. In addition, the below language shall replace Paragraph 6 of Article XVII of the MCDC Base Agreement, in regard to this Project Agreement. (6) Access and General Protection/Security Policy and Procedures. This standard language text is applicable to ALL PAH employees working on critical program information or covered defense information related to Operation Warp Speed (OWS), and to those with an area of performance within an Army controlled installation, facility or area. PAH employees shall comply with applicable installation, facility and area commander installation/facility access and local security policies and procedures (provided by government representative). The PAH also shall provide all information required for background checks necessary to access critical program information or covered defense information related to OWS, and to meet installation access requirements to be accomplished by installation Provost Marshal Office, Director of Emergency Services or Security Office. The PAH workforce must comply with all personal identity verification requirements as directed by DOD, HQDA and/or local policy. In addition to the changes otherwise authorized by the changes clause of this agreement, should the Force Protection Condition (FPCON) at any individual facility or installation change, the Government may require changes in PAH security matters or processes. Required SOW Language for Deliverables (in body of SOW or Deliverables Section) Information Security Classification guidance for Operation Warp Speed - The security level for this agreement is UNCLASSIFIED. “Controlled technical information,” “covered contractor information system,” “covered defense information,” “cyber incident,” “information system,” and “technical information” are defined in DFARS Clause ###-###-####, Safeguarding Covered Defense Information and Cyber Incident Reporting. Personnel Security In addition to the industry standards for employment background checks, Novavax must be willing to have key individuals, in exceptionally sensitive positions, identified for additional vetting by the United States Government. Supply Chain Resiliency Plan Novavax shall develop and submit within [***] after execution of Modification [#3], a comprehensive Supply Chain Resiliency Program that provides identification and reporting of critical components associated with the secure supply of drug substance, drug product, and work-in-process through to finished goods. a) A critical component is defined as any material that is essential to the product or the manufacturing process associated with that product. Included in the definition are consumables and disposables associated with manufacturing. NOT included in the definition are facility and capital equipment. Consideration of critical components includes the evaluation and potential impact of raw materials, excipients, active ingredients, substances, pieces, parts, software, firmware, labeling, assembly, testing, analytical and environmental componentry, reagents, or utility materials which are used in the manufacturing of a drug, cell banks, seed stocks, devices and key processing components and equipment. A clear example of a critical component is one where a sole supplier is utilized. Novavax shall identify key equipment suppliers, their locations, local resources, and the associated control processes at the time of award. This document shall address planning and scheduling for active pharmaceutical ingredients, upstream, downstream, component assembly, finished drug product and delivery events as necessary for the delivery of product.
92634891_7 a) Communication for these requirements shall be updated as part of an annual review, or as necessary, as part of regular contractual communications. b) For upstream and downstream processing, both single-use and re-usable in-place processing equipment, and manufacturing disposables also shall be addressed. For finished goods, the inspection, labeling, packaging, and associated machinery shall be addressed taking into account capacity capabilities. c) The focus on the aspects of resiliency shall be on critical components and aspects of complying with the contractual delivery schedule. Delivery methods shall be addressed, inclusive of items that are foreign-sourced, both high and low volume, which would significantly affect throughput and adherence to the contractually agreed deliveries. Novavax shall articulate in the plan, the methodology for inventory control, production planning, scheduling processes and ordering mechanisms, as part of those agreed deliveries. a) Production rates and lead times shall be understood and communicated to the Contracting/Agreement Officer or the Contracting/Agreement Officer's Representative as necessary. b) Production throughput critical constraints should be well understood by activity and by design, and communicated to contractual personnel. As necessary, communication should focus on identification, exploitation, elevation, and secondary constraints of throughput, as appropriate. Reports for critical items should include the following information: a) Critical Material b) Vendor c) Supplier, Manufacturing / Distribution Location d) Supplier Lead Time e) Shelf Life f) Transportation / Shipping restrictions The CO and COR reserve the right to request un-redacted copies of technical documents, during the period of performance, for distribution within the Government. Documents shall be provided within [***] after CO issues the request in writing. Novavax may arrange for additional time if deemed necessary, and agreed to by the CO. Manufacturing Data Requirements: Novavax shall submit within [***] after execution of Modification [#3], detailed data regarding project materials, sources, and manufacturing sites, including but not limited to: physical locations of sources of raw and processed material by type of material; location and nature of work performed at manufacturing, processing, and fill/finish sites; and location and nature of non-clinical and clinical studies sites. The Government may provide a table in tabular format for Novavax, to be used to submit such data which would include but not be limited to the following: Storage/inventory of ancillary materials (vials, needles, syringes, etc.) Shipment of ancillary materials (vials, needles, syringes, etc.) Disposal of ancillary materials (vials, needles, syringes, etc.) Seed development or other starting material manufacturing Bulk drug substance and/or adjuvant production Fill, finish, and release of product or adjuvant Storage/inventory of starting materials, bulk substance, or filled/final product or adjuvant Stability information of bulk substance and/or finished product Shipment of bulk substance of final product Disposal of bulk substance or final product Product Development Source Material and Manufacturing Reports and Projections: Novavax shall submit a detailed spreadsheet regarding critical project materials that are sourced from a location other than the United States, sources, and manufacturing sites, including but not limited to: physical locations of sources of raw and processed material by type of material; location and nature of work performed at manufacturing sites; and location and nature of non-clinical and clinical study sites. Novavax will provide manufacturing reports and manufacturing dose tracking projections/actuals utilizing the “COVID-19 Dose Tracking Templates”, on any contract/agreement that is manufacturing product Novavax will submit Product Development Source Material Report
92634891_7 o Within [***] of execution of Modification [#3] o Within [***] of substantive changes are made to sources and/or materials o Or on the [***] contract anniversary. Novavax will update the Dose Tracking Template [***] during manufacturing campaigns and daily during response operations (where a Public Health Emergency has been declared) and COVID-19 response, with the first deliverable submission within [***] of Modification [#3]. Updates to be provided weekly in advance of commercial-scale manufacturing and daily once material for use in response operations begins manufacture The Government will provide written comments to the Product Development Source Material and Manufacturing Report within [***] after the submission If corrective action is recommended, Novavax must address all concerns raised by the Government in writing Novavax Locations: Novavax shall submit detailed data regarding locations where work will be performed under this contract, including addresses, points of contact, and work performed per location, to include sub-contractors. Contractor will submit Work Locations Report: Within [***] of execution of Modification [#3] Within [***] after a substantive location or capabilities change Within [***] of a substantive change if the work performed supports medical countermeasure development that addresses a threat that has been declared a Public Health Emergency by the HHS Secretary or a Public Health Emergency of International Concern (PHEIC) by the WHO Required SOW Language for Security Section This project requires an OPSEC Plan and a Security Plan. Novavax shall develop a comprehensive security program that provides overall protection of personnel, information, data, and facilities associated with fulfilling the Government requirement. This plan shall establish security practices and procedures that demonstrate how Novavax will meet and adhere to the security requirements outlined below prior to the commencement of product manufacturing, and shall be delivered to the Government within [***] of execution of Modification[#3]. Novavax shall provide a Risk Assessment to evaluate which subcontractors, consultants, researchers, etc. performing work on behalf of this effort, are required to comply with all Operation Warp Speed and Project Agreement security requirements and prime contractor security plans. a) The Government will review the plan and Risk Assessment in detail and submit comments within [***] to the Contracting Officer (CO) to be forwarded to Novavax. Novavax shall review the Draft Security Plan comments, and, submit a Final Security Plan to the U.S. Government within [***] after receipt of the comments. b) The Security Plan shall include a timeline for compliance of all the required security measures outlined by the Government. c) Upon completion of initiating all security measures, Novavax shall supply to the Contracting Officer a letter certifying compliance to the elements outlined in the Final Security Plan. d) The OPSEC plan will include identifying the critical information related to this contract, why it needs to be protected, where it is located, who is responsible for it, and how to protect it. At a minimum, the Final Security Plan shall address the following items: Security Requirements: 1. Facility Security Plan Description: As part of the partner facility’s overall security program, Novavax shall submit a written security plan with their proposal to the Agreement Officer for review and approval by Operation Warp Speed security subject matter experts. The performance of work under the Project Agreement will be in accordance with the approved security plan. The security plan will include the following processes and procedures at a minimum: Security Administration organization chart and responsibilities written security risk assessment for site
92634891_7 threat levels with identification matrix (High, Medium, or Low) enhanced security procedures during elevated threats liaison procedures with law enforcement annual employee security education and training program Personnel Security policies and procedures candidate recruitment process background investigations process employment suitability policy employee access determination rules of behavior/ conduct termination procedures non-disclosure agreements Physical Security Policies and Procedures internal/external access control protective services identification/badging employee and visitor access controls parking areas and access control perimeter fencing/barriers product shipping, receiving and transport security procedures facility security lighting restricted areas signage intrusion detection systems alarm monitoring/response closed circuit television product storage security other control measures as identified Information Security identification and marking of sensitive information access control storage of information document control procedures retention/ destruction requirements Information Technology/Cyber Security Policies and Procedures intrusion detection and prevention systems threat identification employee training (initial and annual) encryption systems identification of sensitive information/media password policy (max days 90) lock screen time out policy (minimum time 20 minutes) removable media policy laptop policy removal of IT assets for domestic/foreign travel access control and determination VPN procedures WiFi and Bluetooth disabled when not in use system document control system backup system disaster recovery incident response system audit procedures property accountability 2. Site Security Master Plan Description: The partner facility shall provide a site schematic for security systems which includes: main access points; security cameras; electronic access points; IT Server Room; Product Storage Freezer/Room; and bio- containment laboratories.
92634891_7 3. Site Threat / Vulnerability / Risk Assessment Description: The partner facility shall provide a written risk assessment for the facility addressing: criminal threat, including crime data; foreign/domestic terrorist threat; industrial espionage; insider threats; natural disasters; and potential loss of critical infrastructure (power/water/natural gas, etc.) This assessment shall include recent data obtained from local law enforcement agencies. The assessment should be updated annually. 4. Physical Security Description: Closed Circuit Television (CCTV) Monitoring a) Layered (internal/external) CCTV coverage with time-lapse video recording for buildings and areas where critical assets are processed or stored. b) CCTV coverage must include entry and exits to critical facilities, perimeters, and areas within the facility deemed critical to the execution of the contract. c) Video recordings must be maintained for a minimum of 30 days. d) CCTV surveillance system must be on emergency power backup. e) CCTV coverage must include entry and exits to critical facilities, perimeters, and areas within the facility deemed critical to the execution of the contract. f) Video recordings must be maintained for a minimum of 30 days. g) CCTV surveillance system must be on emergency power backup. Facility Lighting a) Lighting must cover facility perimeter, parking areas, critical infrastructure, and entrances and exits to buildings. b) Lighting must have emergency power backup. c) Lighting must be sufficient for the effective operation of the CCTV surveillance system during hours of darkness. Shipping and Receiving a) Must have CCTV coverage and an electronic access control system. b) Must have procedures in place to control access and movement of drivers picking up or delivering shipments. c) Must identify drivers picking up Government products by government issued photo identification. Access Control a) Must have an electronic intrusion detection system with centralized monitoring. b) Responses to alarms must be immediate and documented in writing. c) Employ an electronic system (i.e., card key) to control access to areas where assets critical to the contract are located (facilities, laboratories, clean rooms, production facilities, warehouses, server rooms, records storage, etc.). d) The electronic access control should signal an alarm notification of unauthorized attempts to access restricted areas. e) Must have a system that provides a historical log of all key access transactions and kept on record for a minimum of12 months. f) Must have procedures in place to track issuance of access cards to employees and the ability to deactivate cards when they are lost or an employee leaves the company. g) Response to electronic access control alarms must be immediate and documented in writing and kept on record for a minimum of 12 months. h) Should have written procedures to prevent employee piggybacking access i) to critical infrastructure (generators, air handlers, fuel storage, etc.) should be controlled and limited to those with a legitimate need for access. j) Must have a written manual key accountability and inventory process. k) Physical access controls should present a layered approach to critical assets within the facility. Employee/Visitor Identification a) Should issue company photo identification to all employees. b) Photo identification should be displayed above the waist anytime the employee is on company property.
92634891_7 c) Visitors should be sponsored by an employee and must present government issued photo identification to enter the property. d) Visitors should be logged in and out of the facility and should be escorted by an employee while on the premises at all times. Security Fencing Requirements for security fencing will be determined by the criticality of the program, review of the security plan, threat assessment, and onsite security assessment. Protective Security Forces Requirements for security officers will be determined by the criticality of the program, review of the security plan, threat assessment, and onsite security assessment. Protective Security Forces Operations a) Must have in-service training program. b) Must have Use of Force Continuum. c) Must have communication systems available (i.e., landline on post, cell phones, handheld radio, and desktop computer). d) Must have Standing Post Orders. e) Must wear distinct uniform identifying them as security officers. 5. Security Operations Description: Information Sharing a) Establish formal liaison with law enforcement. b) Meet in person at a minimum annually. Document meeting notes and keep them on file for a, minimum of 12 months. POC information for LE Officer that attended the meeting must be documented. c) Implement procedures for receiving and disseminating threat information. Training a) Conduct new employee security awareness training. b) Conduct and maintain records of annual security awareness training. Security Management a) Designate a knowledgeable security professional to manage the security of the facility. b) Ensure subcontractor compliance with all Government security requirements. 6. Personnel Security Description: Records Checks Verification of social security number, date of birth, citizenship, education credentials, five-year previous employment history, five-year previous residence history, FDA disbarment, sex offender registry, credit check based upon position within the company; motor vehicle records check as appropriate; and local/national criminal history search. Hiring and Retention Standards a) Detailed policies and procedures concerning hiring and retention of employees, employee conduct, and off boarding procedures. b) Off Boarding procedures should be accomplished within 24 hour of employee leaving the company. This includes termination of all network access. 7. Information Security Description: Physical Document Control a) Applicable documents shall be identified and marked as procurement sensitive, proprietary, or with appropriate government markings. b) Sensitive, proprietary, and government documents should be maintained in a lockable filing cabinet/desk or other storage device and not be left unattended. c) Access to sensitive information should be restricted to those with a need to know. Document Destruction Documents must be destroyed using approved destruction measures (i.e, shredders/approved third party vendors / pulverizing / incinerating). 8. Information Technology & Cybersecurity Description: Identity Management a) Physical devices and systems within the organization are inventoried and accounted for annually. b) Organizational cybersecurity policy is established and communicated.
92634891_7 c) Asset vulnerabilities are identified and documented. d) Cyber threat intelligence is received from information sharing forums and sources. e) Threats, vulnerabilities, likelihoods, and impacts are used to determine risk. f) Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes. g) Users, devices, and other assets are authenticated (e.g., single-factor, multifactor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks) Access Control a) Limit information system access to authorized users. b) Identify information system users, processes acting on behalf of users, or devices and authenticate identities before allowing access. c) Limit physical access to information systems, equipment, and server rooms with electronic access controls. d) Limit access to/ verify access to use of external information systems. Training a) Ensure that personnel are trained and are made aware of the security risks associated with their activities and of the applicable laws, policies, standards, regulations, or procedures related to information technology systems. Audit and Accountability a) Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate system activity. Records must be kept for minimum must be kept for 12 months. b) Ensure the actions of individual information system users can be uniquely traced to those users. c) Update malicious code mechanisms when new releases are available. d) Perform periodic scans of the information system and real time scans of files from external sources as files are downloaded, opened, or executed. Configuration Management a) Establish and enforce security configuration settings. b) Implement sub networks for publically accessible system components that are physically or logically separated from internal networks. Contingency Planning a) Establish, implement, and maintain plans for emergency response, backup operations, and post-disaster recovery for information systems to ensure the availability of critical information resources at all times. Incident Response a) Establish an operational incident handling capability for information systems that includes adequate preparation, detection, analysis, containment, and recovery of cybersecurity incidents. Exercise this capability annually. Media and Information Protection a) Protect information system media, both paper and digital. b) Limit access to information on information systems media to authorized users. c) Sanitize and destroy media no longer in use. d) Control the use of removable media through technology or policy. Physical and Environmental Protection a) Limit access to information systems, equipment, and the respective operating environments to authorized individuals. b) Intrusion detection and prevention system employed on IT networks. c) Protect the physical and support infrastructure for all information systems. d) Protect information systems against environmental hazards. e) Escort visitors and monitor visitor activity. Network Protection Employ intrusion prevention and detection technology with immediate analysis capabilities. 9. Transportation Security Description: Adequate security controls must be implemented to protect materials while in transit from theft, destruction, manipulation, or damage.
92634891_7 Drivers a) Drivers must be vetted in accordance with the Government Personnel Security Requirements. b) Drivers must be trained on specific security and emergency procedures. c) Drivers must be equipped with backup communications. d) Driver identity must be 100 percent confirmed before the pick-up of any Government product. e) Drivers must never leave Government products unattended, and two drivers may be required for longer transport routes or critical products during times of emergency. f) Truck pickup and deliveries must be logged and kept on record for a minimum of 12 months. Transport Routes a) Transport routes should be pre-planned and never deviated from except when approved or in the event of an emergency. b) Transport routes should be continuously evaluated based upon new threats, significant planned events, weather, and other situations that may delay or disrupt transport. Product Security a) Government products must be secured with tamper resistant seals during transport, and the transport trailer must be locked and sealed. Tamper resistant seals must be verified as “secure” after the product is placed in the transport vehicle. b) Government products should be continually monitored by GPS technology while in transport, and any deviations from planned routes should be investigated and documented. c) Contingency plans should be in place to keep the product secure during emergencies such as accidents and transport vehicle breakdowns. 10. Security Reporting Requirements Description: The partner facility shall notify the Agreement Officer within 24 hours of any activity or incident that is in violation of established security standards or indicates the loss or theft of government products. The facts and circumstances associated with these incidents will be documented in writing for government review. 11. Security Audits Description: The partner facility agrees to formal security audits conducted at the discretion of the government. Security audits may include both prime and subcontractor.