SOLICITATION NOTICE
U -- Online Radiologic Technologists Courses
- Notice Date
- 4/23/2010
- Notice Type
- Combined Synopsis/Solicitation
- NAICS
- 611430
— Professional and Management Development Training
- Contracting Office
- Department of Veteran Affairs;Employee Education System (EES);Attn: Contracting Office BLDG 50;#1 Jefferson Barracks Dr;Saint Louis MO 63125
- ZIP Code
- 63125
- Solicitation Number
- VA-777-10-RP-0145
- Response Due
- 5/10/2010
- Archive Date
- 6/9/2010
- Point of Contact
- George CurtnerContract Specialist
- E-Mail Address
-
Contract Specialist
(tom.curtner@va.gov)
- Small Business Set-Aside
- N/A
- Description
- STATEMENT OF WORK Online Radiology Courses for VHA Radiologic Technologists Little Rock Employee Education System 10.LR.ONLINERADCOURSE.A 1. SCOPE a.Background The Department of Veterans Affairs has approximately 2500 radiologic technologist and radiologic technologist (therapeutic) staff. The American Registry of Radiologic Technology (ARRT) requires that to maintain certification, all RTR and RTT must achieve 24 hours of continuous education (CE). This education can be category A or B. The distinction between Category A and Category B activities is not based on the nature of the activity itself, but rather is based upon whether the activity has been reviewed and approved by a Recognized Continuing Education Evaluation Mechanism (RCEEM). A RCEEM is a quality control mechanism for CE activities. One option for satisfying the CE requirements is to earn 24 credits of continuing education during the biennium. A minimum of 12 credits must be from Category A activities. The other 12 credits may be from Category A or Category B activities. A maximum of 12 Category B credits may be claimed in a biennium. A maximum of 12 CE credits per biennium may be claimed for tumor boards. Directed readings, home study courses, or Internet activities reported in a biennium may not be repeated for credit in the same or any subsequent biennium. The CE requirements are linked to a two-year cycle (biennium) that is defined in relation to a registrant's birth month. The biennium begins on the first day of the registrant's birth month. The biennium extends for two years on the last day of the month that precedes the registrant's birth month. Each registrant's biennium dates are identified in the lower left corner of the annual Application for Renewal of Registration and are printed on the carrier they receive with their pocket credential card after renewal of registration is complete. Biennium dates may also be verified by accessing the RT Directory on the ARRT Web Page (www.arrt.org) or through the automated phone system by selecting option 5, CE Information. All CE credits must be completed between these dates. The renewal of registration will continue on an annual basis, with the CE requirements being reported every other year. The two-year CE cycle was selected to allow flexibility in fulfilling the requirements (i.e., if no CE can be earned in the first year, the second year is still available to complete the credits). The completion of one biennium will mark the beginning of the next biennium. Credits earned in one biennium cannot be carried forward into the next biennium. The continuing education requirement is not dependent on the number of ARRT certificates held by an individual. For example, a technologist certified in both radiography and mammography need earn only 24 credits per biennium for the ARRT. For ARRT, the credits do not have to be specific to radiography or mammography but must be relevant to the radiologic sciences and/or patient care. All technologists should select CE topics that are related to their area of practice and that will address the needs of the patient and the Registered Technologist. NOTE: This does not address the CE requirement for the Mammography Quality Standards Act (MQSA) of the Food and Drug Administration (FDA). All activities applied toward the CE requirements must meet the ARRT's definition of a continuing education activity. The definition states that a learning activity must be planned, organized and administered to enhance the knowledge and skills underlying the professional performance that a technologist uses to provide services to patients, the public or the medical profession. Activities meeting this definition may qualify as either Category A or Category B credit, depending upon whether they have been approved by a RCEEM. The RCEEM acts as a quality control mechanism for the CE activities. The individual participating in the CE activity does not submit the activity to a RCEEM for approval. Instead, the individual is responsible for selecting activities that the sponsor has already submitted to a RCEEM for Category A credit. There are a number of activities that do not require submission to a RCEEM to qualify for Category A credit. They include: (1) Activities meeting ARRT's definition of an Approved Academic Course; (2) CPR certification through the Heart Association, Red Cross or American Safety and Health Institute; and (3) Activities relevant to the radiologic sciences and/or patient care that have been approved by the American Medical Association (AMA Category 1) or the American Nurses Association (ANA) through the American Nurses Credentialing Center (ANCC). All other CE activities must be approved by a RCEEM in order to be assigned Category A credits. The ARRT recognizes that some states have legislation requiring CE credits to maintain a state license to practice in the profession. An ARRT registrant who completes CE activities in the state in which he or she is licensed as part of his or her state's licensing requirements may count the CE credit as Category A if the state regulatory agency is mandated by law to evaluate CE activities for licensing purposes and has approved the activity for CE credit. The state licensing agencies currently approved as meeting ARRT criteria are Florida, Illinois, Iowa, Kentucky, Massachusetts, New Mexico, Oregon and Texas. Activities that an individual intends to use for Category B credit must satisfy the ARRT's definition as a continuing education activity even though they have not been submitted to a RCEEM for approval. The activity must be a legitimate continuing education activity regardless of whether it is or is not reviewed by a RCEEM. Category A activities are awarded the number of CE credits assigned by the evaluation mechanism (i.e., RCEEM, state licensing agency). Activities not submitted to a RCEEM for approval, but which meet the ARRT's definition of a CE activity, will be awarded one CE credit for each contact hour. A contact hour is defined as being equal to 50 to 60 minutes. Activities longer than one hour should be assigned whole or partial CE credit based on the 50-minute hour. Educational activities of 30 to 49 minutes in duration will be awarded one-half CE credit. An activity that lasts less than 30 minutes will receive no credit. The technologist is responsible for keeping the original documents for one full year after the end of the reporting cycle. b.Objectives 1.Provide a minimum of 50 online training courses accredited by the American Registry of Radiologic Technology (ARRT) for radiologic technologist of Category A online Continuing Education (CE) for a time period of one year from the date of award with an option to renew for four one-year periods. 2.Provide specific courses to VA employees that are listed below. 3.Provide the administrative support necessary for radiologic technologists working through host VAMCs to access the online courses via the VA Learning Management System (LMS) from the date of contract award for a period of one year. 4.Provide the Employee Education System (EES) with all necessary training history learner data to support such courses as part of the EES/VA LMS system. 5.Provide monthly activity reports to responsible VA managers including the COTR and the Office of Patient Care Services. 2. CONTRACTING OFFICER'S TECHNICAL REPRESENTATIVE (COTR) Odas Parsons Ed.D. Project Manager Little Rock Employee Education Resource Center 2200 Ft. Roots Drive, 138-E Building 11 North Little Rock, AR 72114 Phone 501.257.4197 FAX 501.257.4190 E-mail: Odas.Parsons@va.gov 3. Specific TASKS a.Online Content. The vendor providing the ARRT-accredited online courses will continue to provide access to previously allocated CEs per eligible VA employee for radiologic technology courses for a period of one year from the date of contract award. The module courses shall be Category A approved by the American Registry of Radiologic Technology. The authors of these CE shall be higher education faculty or qualified practitioners, with extensive academic and professional experience. A self assessment and final exam shall be provided with each CE. A 75% minimum success rate is required on the final exam. Upon successful completion of the course, an electronic certificate notification will be emailed to each learner completing the course. b.Content Requirements. The content provided by the vendor shall constitute Section 508 compatible, web-based courses that can be accessed from the VA LMS. In order to provide sufficient content breadth to the VA employees, the vendor shall deliver access to a minimum of 50 online courses. The VA requires specific courses to be delivered as part of the 50 total online courses. The vendor shall deliver the following courses to VA employees as part of the overall fifty courses: a.Radiation Biology b.Accelerated Partial Breast Irradiation: A New Paradigm for Treatment of Breast Cancer c.Advance Directives: Implications for Radiology d.Biological Effects of Ionizing Radiation e.Breast Imaging: The Use of MRI as a Diagnostic Adjunct f.Cardiovascular Disease g.Communication h.Computed Tomography: Adrenal Gland Imaging i.Computer Applications in Radiology j.CT Simulation and Immobilization of the Pediatric Patient k.Digital Imaging in Radiogrpahy: Image Quality Control l.Digital Imaging in Radiography: The Basics m.Dosimetry Calculations: Basic Monitor Unit Determination n.Ergonomics for Radiologic Technologists: Posture o.Ergonomics for Radiologic Technologists: Moving and Lifting p.HIPAA: Overview and Patient Confidentiality q.HIPAA: Security Standards for Health Care Records r.HIPAA: Management of Patient Health Care Records s.IMRT: Introduction to Intensity Modulated Radiation Therapy t.Mammographic Equipment: Generators, Tub and Photon Production u.Medical Charting and Documentation v.Pharmacology for Radiologic Technologists w.Professionalism: Ethics and the Law x.Quality Assurance in Radiation Oncology y.Radiologic Physics z.Mammography: Accommodating Positioning Challenges aa.Iodinated Contrast Media c.Provision of Content to VA Radiologic Technologists. The educational institution shall provide quality Radiologic Technology Web-based on-line module continuing education (CE) credits for approximately 2,500 staff. These employees are located within the 163 medical systems in the Department of Veterans Affairs, (VA) Veterans Health Administration (VHA), across the United States and territories. To locate the stations, please review www.va.gov, access health icon and review VHA General Information. This provides an opportunity for staff to complete professional education requirements at times and locations that enable ultimate successful completion. CE credits shall be accessible 24 hours per day, 7 days a week and accessed via home computers or at work. d.Course Sessions. The vendor shall provide the equivalent of 7,000 CE sessions available to eligible VA radiologic technologists until the expiration of the contract or until all 7,000 CE sessions have been used. The intent of this provision is to insure that as many of the 7,000 course "opportunities" provided by the vendor are used by eligible VA employees. Specifically, the vendor will allow unused CE to be used by other VAMCs - so as to give every eligible employee a full opportunity to complete the subject courses. It is understood, that some employees may elect to satisfy CE requirements in other ways - resulting in less than a full utilization of their original allotment. The vendor, in collaboration with the VA, will share in the responsibility for assuring that all potential training opportunities are made available and eligible program mangers are fully informed, so that unused CE can be used by other eligible VA employees. The vendor shall make available a minimum of 50 online courses for VA employees. The vendor will provide notice to the VA when 80% of the total 7,000 course opportunities have been reached so that the VA can plan for amending the contract. e.Help Desk Support. The vendor shall provide help desk support to VA employees taking subject courses. The help desk hours will be normal business hours excluding federal holidays. f.Provide Digital Data Report. The vendor shall provide digital data reporting and linkages as required by EES. The educational institutional shall provide a managerial report of module completion activity and employee participation. This report shall be forwarded to the COTR and the VHA National Radiology Program Office. This shall occur by the 15th of the new month for previous month activity. g.Management Reports. The vendor shall provide management reports to the COTR and the Office of Diagnostic Services and all participating VA Medical Centers as required. h.Evaluation of Program Effectiveness. The vendor shall work with the participating VAMCs, EES, and the VHA National Radiology Program Office to evaluate the effectiveness of the program and develop appropriate recommendations for follow up work. Specifically, in addition to enrollment and usage data, the vendor is to offer a survey questionnaire to employees completing subject courses for the purpose of obtaining and reporting employee responses. A report is to be submitted to the EES PROGRAM MANAGER of this contract by November 30, 2010 to allow sufficient time for the VA to plan appropriately for program continuation. 4. PERIOD OF PERFORMANCE The period of performance will commence on the date of contract award and end one year later or when all 7000 CE sessions have been used whichever occurs first. VA retains the option to renew the contract for a period of one year following the completion of this contract. Optional periods are on one year increments for four years. 5. DELIVERABLES DeliverableSchedule Allocate 7000 ARRT Category A approved CEsUpon contract award to one year after award. Provide a minimum of 50 courses available to VA employeesUpon contract award to one year after award. Provide the specific courses listed in the Statement of workUpon contract award to one year after award. Provide help desk support for VA employees taking subject coursesUpon contract award to one year after award. Provide digital data reportsReports should be received by the 15th of each month for the previous month's activity. Management ReportsAs requested by the COTR Section 508 ComplianceUpon contract award Program EvaluationNovember 30, 2010 6. EVALUATION FACTORS FactorsCriterionInfo to be Submitted ARRT Category A Approved CEsOnly vendors with ARRT Accredited courses will be considered.The vendor shall provide evidence that courses submitted to the VA will be accredited by ARRT. Provide a minimum of 50 courses accredited by ARRT available to VA employeesVendors with less than 50 courses will not be considered.The vendor shall communicate the number of courses that will be provided to the VA. Provide the specific courses to the VA as outlined within the SOWAll the required courses shall be provided to the VA. Only those vendors that can provide the specific courses listed in the SOW will be considered.The vendor shall provide a list of proposed courses to the VA and specifically state which of the required courses they could not immediately deliver. Provide a help desk for VA employees taking subject coursesOnly vendors that demonstrate the ability to set-up and administer a help desk for the courses will be considered.The vendor shall provide evidence that a help desks exists and can adequately handle the volume for VA Employees. Data and Managerial ReportsOnly vendors that can deliver timely and accurate usage and management reports will be considered.The vendor shall provide sample usage reports to the Contracting Officer outlining the type of information given to clients. 7. SECURITY REQUIREMENTS Information System Security The contractor shall ensure adequate LAN/Internet, data, information, and system security in accordance with VA standard operating procedures and standard contract language, conditions laws, and regulations. The contractor's firewall and web server shall meet or exceed the government minimum requirements for security. Per VA Handbook 6500, contractor access to the VA Intranet using non-VA owned Other Equipment (OE) will be provided via approved VA Virtual Private Network (VPN) access protocols, currently Remote Enterprise Security Compliance Update Environment (RESCUE), which will offer access to a limited set of VA applications and services. All government data shall be protected behind an approved firewall. Any security violations or attempted violations shall be reported to the VA project manager and VA Information Security Officer as soon as possible. The contractor shall follow all applicable VA policies and procedures governing information security, especially those that pertain to certification accreditation. Security Training All contractor employees and subcontractors under this contract or order are required to complete the VA's on-line Information Security Awareness Training Course and the Privacy Policy Training Course annually at external link https://www.ees-learning.net/librix/loginhtml.asp?v=librix or if an LMS account is provided at https://www.lms.va.gov/plateau/user/login.jsp. The Privacy Policy Training requirement may be fulfilled under additional privacy awareness training options, based on the prerogative of the Contracting Officer (CO), pending assigned VA duties of the contractor employees and subcontractors under this contract. Contractors must provide signed certifications of completion to the CO during each year of the contract. This requirement is in addition to any other training that may be required of the contractor and subcontractor(s). Rules of Behavior Requirement All contractor employees and subcontractors under this contract will sign a VA National Rules of Behavior agreement annually and be given a copy for their records. Contractor Personnel Security All contractor employees who require access to the Department of Veterans Affairs' computer systems or VA information shall be the subject of a background investigation and must receive a favorable adjudication from the VA Security and Investigations Center (07C). This requirement is applicable to all subcontractor personnel requiring the same access. If the security clearance investigation is not completed prior to the start date of the contract, the employee may work on the contract while the security clearance is being processed, but the contractor will be responsible for the actions of those individuals they provide to perform work for the VA. 1. Background Investigation The position sensitivity for this effort has been designated as low risk level and no background investigation is necessary at this time as the contractor employees do not require access to Department of Veterans Affairs' computer systems or VA information. 2. Contractor Responsibilities a. The contractor shall bear the expense of obtaining background investigations. If the investigation is conducted by the Office of Personnel Management (OPM) through the VA, the contractor shall reimburse the VA within 30 days. b. Background investigations from investigating agencies other than OPM are permitted if the agencies possess an OPM and Defense Security Service certification. The Vendor Cage Code number must be provided to the Security and Investigations Center (07C), which will verify the information and advise the contracting officer whether access to the computer systems can be authorized. c. The contractor shall prescreen all personnel requiring access to the computer systems to ensure they maintain a U.S. citizenship and are able to read, write, speak and understand the English language. d. After contract award and prior to contract performance, the contractor shall provide the following information to the CO: (1) List of names of contractor personnel. (2) Social Security Number of contractor personnel. (3) Home address of contractor personnel or the contractor's address. e. The contractor, when notified of an unfavorable determination by the Government, shall withdraw the employee from consideration from working under the contract. f. Failure to comply with the contractor personnel security requirements may result in termination of the contract for default. 3. Government Responsibilities a. The VA Security and Investigations Center (07C) will provide the necessary forms to the contractor or to the contractor's employees after receiving a list of names and addresses. b. Upon receipt, the VA Security and Investigations Center (07C) will review the completed forms for accuracy and forward the forms to OPM to conduct the background investigation. c. The VA facility will pay for investigations conducted by the OPM in advance. In these instances, the contractor will reimburse the VA facility within 30 days. d. The VA Security and Investigations Center (07C) will notify the contracting officer and contractor after adjudicating the results of the background investigations received from OPM. 13. Eletronic and Information Technology Standards INTERNET/INTRANET The contractor shall comply with Department of Veterans Affairs (VA) Directive 6102 and VA Handbook 6102 (Internet/Intranet Services). VA Directive 6102 sets forth policies and responsibilities for the planning, design, maintenance support, and any other functions related to the administration of a VA Internet/Intranet Service Site or related service (hereinafter referred to as Internet). This directive applies to all organizational elements in the Department. This policy applies to all individuals designing and/or maintaining VA Internet Service Sites; including but not limited to full time and part time employees, contractors, interns, and volunteers. This policy applies to all VA Internet/Intranet domains and servers that utilize VA resources. This includes but is not limited to va.gov and other extensions such as, ".com,.edu,.mil,.net,.org," and personal Internet service pages managed from individual workstations. VA Handbook 6102 establishes Department-wide procedures for managing, maintaining, establishing, and presenting VA Internet/Intranet Service Sites or related services (hereafter referred to as "Internet"). The handbook implements the policies contained in VA Directive 6102, Internet/Intranet Services. This includes, but is not limited to, File Transfer Protocol (FTP), Hypertext Markup Language (HTML), Simple Mail Transfer Protocol (SMTP), Web pages, Active Server Pages (ASP), e-mail forums, and list servers. VA Directive 6102 and VA Handbook 6102 are available at: Internet/Intranet Services Directive 6102 http://www.va.gov/pubs/directives/Information-Resources-Management-(IRM)/6102d.doc Internet/Intranet Services Handbook 6102 http://www.va.gov/pubs/handbooks/Information-Resources-Management-(IRM)/6102h.doc Internet/Intranet Services Handbook 6102 Change 1 - updates VA's cookie use policy, Section 508 guidelines, guidance on posting of Hot Topics, approved warning notices, and minor editorial errors. http://www.va.gov/pubs/handbooks/Information-Resources-Management-(IRM)/61021h.doc In addition, any technologies that enable a Network Delivered Application (NDA) to access or modify resources of the local machine that are outside of the browser's "sand box" are strictly prohibited. Specifically, this prohibition includes signed-applets or any ActiveX controls delivered through a browser's session. ActiveX is expressly forbidden within the VA while.NET is allowed only when granted a waiver by the VA CIO *PRIOR* to use. JavaScript is the preferred language standard for developing relatively simple interactions (i.e., forms validation, interactive menus, etc.) and Applets (J2SE APIs and Java Language) for complex network delivered applications. 14. Confidentiality and Nondisclosure It is agreed that: 1. The preliminary and final deliverables and all associated working papers, application source code, and other material deemed relevant by the VA which has been generated by the contractor in the performance of this task order are the exclusive property of the U.S. Government and shall be submitted to the CO at the conclusion of the task order. 2. The CO will be the sole authorized official to release verbally or in writing, any data, the draft deliverables, the final deliverables, or any other written or printed materials pertaining to this task order. No information shall be released by the contractor. Any request for information relating to this task order presented to the contractor shall be submitted to the CO for response. 3. Press releases, marketing material or any other printed or electronic documentation related to this project, shall not be publicized without the written approval of the CO. VAAR 852-273-75 - Contracting Officer will place this statement on all contracts Attached clause VAAR 852.273-75) VAAR 852.273-75 SECURITY REQUIREMENTS FOR UNCLASSIFIED INFORMATION TECHNOLOGY RESOURCES (Interim - October 2008)(a) The contractor and their personnel shall be subject to the same Federal laws, regulations, standards and VA policies as VA personnel, regarding information and information system security. These include, but are not limited to Federal Information Security Management Act (FISMA), Appendix III of OMB Circular A-130, and guidance and standards, available from the Department of Commerce's National Institute of Standards and Technology (NIST). This also includes the use of common security configurations available from NIST's Web site at: http://checklists.nist.gov (b) To ensure that appropriate security controls are in place, Contractors must follow the procedures set forth in "VA Information and Information System Security/Privacy Requirements for IT Contracts" located at the following Web site: http://www.iprm.oit.va.gov (End of Clause) R. If System Platform Certification and Accreditation Apply: If the contractor maintains personally identifiable demographic data (such as names, Social Security Numbers, etc.) about persons authorized by the VA to take their courses for the purpose of tracking course completion or accrediting information or for other purposes, then the contractor's servers must be certified and accredited according to National Institute of Standards and Technology (NIST) security standards. These requirements are located here: NIST Std 800-37 Guide for the Security Accreditation and Certification of Federal Systems. http://csrc.nist.gov/publications/nistpubs/800-37/SP800-37-final.pdf NIST Std 800-53 Recommended Security Controls for Federal Systems. http://csrc.nist.gov/publications/nistpubs/800-53/SP800-53.pdf FIPS Pub 200 Minimum Security Requirements for Federal Information and Information Systems. http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf FIPS Pub 199 Standards for Security Categorization of Federal Information and Information Systems. http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf NOTE: According to guidance received from VHA Security folks, if the database stores the SSN, the system is automatically categorized as Moderate. VHA Dir 2004-002 Use of Commercial or External Web Hosting Services for VHA Websites, states: "Effective management controls have been established and maintained Administration-wide for the creation and use of externally-hosted data to protect the integrity and security of sensitive data (such as patient data, employee data, and identifiable-quality assurance data); therefore, it is VHA policy that contractors who host sensitive data for any VHA entity must establish Business Associate Agreements, as defined under the Health Insurance Portability and Accountability Act, for the protection of individually-identifiable health information used or disclosed by business associates." http://vaww1.va.gov/vhapublications/ViewPublication.asp?pub_ID=298 NOTE: In this Directive, they mention VA Dir 6214 as the guidance for Cyber-Security. VA Dir 6214 was replaced with the NIST Standards mentioned above. If the courses are hosted on the awarded contractor(s)' servers, the employee training history data must be transmitted to either the VA LMS or the VCampus Enterprise Knowledge Platform (EKP). The required data fields are listed above in the section Technical Requirements, Data Transmission. Reporting employee training data must be provided to the VA or VCampus EKP daily. An alternative to the contractor delivering the courses from their servers is to provide the courses to the VA so they will be hosted by a VA designated system. If this is done all employee data tracking and reporting will be handled by the VA designated system and the contractor's servers need not be certified and accredited as long as the contractor does not retain any personally identifiable demographic data about people who are authorized by the VA to take courses provided under this contract. VA Information and Information System Security/Privacy Requirements for IT Contracts, August 2008 Please review weblink http://www.iprm.oit.va.gov/ and within this link select: http://www.iprm.oit.va.gov/docs/Security_and_Privacy_Requirements_for_IT_Contracts_Attachment.pdf to review VA Information and Information System Security/Privacy Requirements for IT Contracts, August 2008. Some of the requirements include: VA Information Custodial Requirements Information made available to the contractor by VA for the performance or administration of this contract or information developed by the contractor in performance or administration of the contract shall be used only for those purposes and shall not be used in any other way without the prior written agreement of the contracting officer. This clause expressly limits the contractor's rights to use data as described in Rights in Data - General, FAR 52.227-14(d)(1). Information generated by a Contractor as a part of the contractor's normal business operations, such as medical records created in the course of providing treatment, is subject to a review by the Office of General Counsel (OGC) to determine if the information is the property of VA and subject to VA policy. If the information is determined by OGC to not be the property of VA, the restrictions required for VA information will not apply. VA information will not be co-mingled with any other data on the contractors/subcontractors information systems/media storage systems in order to ensure VA requirements related to data protection and media sanitization can be met. VA also reserves the right to conduct IT resource inspections to ensure data separation and on-site inspection of information destruction/media sanitization procedures to ensure they are in compliance with VA policy requirements. Prior to termination or completion of this contract, contractor will not destroy information received from VA or gathered or created by the contractor in the course of performing this contract without prior written approval by the VA contracting officer. Any data destruction done on behalf of VA by a contractor must be done in accordance with National Archives and Records Administration (NARA) requirements as outlined in VA Directive 6300, Records and Information Management and its Handbook 6300.1 Records Management Procedures, and applicable VA Records Control Schedules. The contractor will receive, gather, store, back up, maintain, use, disclose and dispose of VA information only in compliance with the terms of the contract and applicable Federal and VA information confidentiality and security laws, regulations and policies. Applicable Federal information security regulations include all Federal Information Processing Standards (FIPS) and Special Publications (SP) issued by the National Institute of Standards and Technology (NIST). If Federal or VA information confidentiality and security laws, regulations and policies become applicable to the VA information or information systems after execution of the contract, or if NIST issues or updates applicable FIPS after execution of this contract, the parties agree to negotiate in good faith to implement the information confidentiality and security laws, regulations and policies, including FIPS or SP, in this contract. Contractors collecting, storing, or disseminating personal identifiable information (PII) or protected health information (PHI) data must conform to all pertinent regulations, laws, and VA directives related to privacy. Contractors must provide access for VA privacy reviews and assessments and provide appropriate documentation as directed. The contractor shall not make copies of VA information except as necessary to perform the terms of the agreement or to preserve electronic information stored on contractor electronic storage media for restoration in case any electronic equipment or data used by the contractor needs to be restored to an operating state. If VA determines that the contractor has violated any of the information confidentiality, privacy, and security provisions of the contract, it shall be sufficient grounds for VA to terminate the contract for default or terminate for cause under Federal Acquisition Regulation ("FAR") part 12. If a VHA contract is terminated for cause, the associated business associate agreement (BAA) will also be terminated and appropriate actions taken in accordance with VHA Handbook 1600.01 Business Associates. Contractor will store, transport or transmit VA sensitive information in an encrypted form, using a VA-approved encryption application that meets the requirements of NIST's FIPS 140-2 standard. The contractor's firewall and Web services security controls, if applicable, shall meet or exceed VA's minimum requirements. VA directives are available on the VA directives Web site at http://wwwl Nagovivapubsf. Except for uses and disclosures of VA information authorized by this contract for performance of the contract, the contractor may use and disclose VA information only in two other situations: (i) in response to a qualifying order of a court of competent jurisdiction, or (ii) with VA's prior written approval. The contractor will refer all requests for, demands for production of, or inquiries about, VA information and information systems to the VA contracting officer for response. Notwithstanding the provision above, the contractor shall not release medical quality assurance records protected by 38 U.S.C. 5705 or records pertaining to drug addiction, sickle cell anemia, alcoholism or alcohol abuse, or infection with human immunodeficiency virus protected under 38 U.S.C. 7332 under any circumstances, including in response to a court order, and shall immediately refer such court orders or other inquiries to the VA contracting officer for response. The contractor will not use technologies banned in VA in meeting the requirements of the contract (e.g., Bluetooth enabled devices). Except for uses and disclosures of VA information authorized by this contract for performance of the contract, the contractor may use and disclose VA information only in two other situations: (i) in response to a qualifying order of a court of competent jurisdiction, or (ii) with VA's prior written approval. The contractor will refer all requests for, demands for production of, or inquiries about, VA information and information systems to the VA contracting officer for response. Notwithstanding the provision above, the contractor shall not release medical quality assurance records protected by 38 U.S.C. 5705 or records pertaining to drug addiction, sickle cell anemia, alcoholism or alcohol abuse, or infection with human immunodeficiency virus protected under 38 U.S.C. 7332 under any circumstances, including in response to a court order, and shall immediately refer such court orders or other inquiries to the VA contracting officer for response. The contractor will not use technologies banned in VA in meeting the requirements of the contract (e.g., Bluetooth enabled devices). Information System Hosting, Operation, Maintenance or Use For information systems that are hosted, operated, maintained, or used on behalf of VA at non-VA facilities, contractors are fully responsible and accountable for ensuring compliance with all HIPAA, Privacy Act, FISMA, NIST, FIPS, and VA security and privacy directives and handbooks. The contractor security control procedures must be identical, not equivalent, to those procedures used to secure VA systems. A privacy impact assessment (PIA) must also be provided to the COTR and approved by VA Privacy Service prior to operational approval. All external Internet connections involving VA information must be reviewed and approved by VA prior to implementation. Adequate security controls for collecting, processing, transmitting, and storing of personally identifiable information, as determined by the VA Privacy Service, must be in place, tested, and approved by VA prior to hosting, operation, maintenance, or use of the information system, or systems by or on behalf of VA. These security controls need to be stated within the PIA and supported by a risk assessment. If these controls are determined not to be in place, or inadequate, a Plan of Action and Milestones (POA&M) must be submitted and approved prior to the collection of PII. Outsourcing (contractor facility/contractor equipment/contractor staff) of systems or network operations, telecommunications services, or other managed services requires certification and accreditation (C&A) of the contractor's systems in accordance with NIST Special Publication 800-37 and VA Handbook 6500 and a privacy impact assessment of the contractor's systems prior to operation of the systems. Government-owned (government facility/government equipment) contractor-operated systems, third party or business partner networks require a system interconnection agreement and a memorandum of understanding (MOU) which detail what data types will be shared, who will have access, and the appropriate level of security controls for all systems connected to VA networks. The contractor must adhere to all FISMA, FIPS, and NIST standards related to the annual FISMA security controls assessment and review and update the PIA. Any deficiencies noted during this assessment must be provided to the VA contracting officer and the information security officer (ISO) for entry into VA's Plan of Action and Milestone (POA&M) management process. The contractor will use VA's POA&M process to document planned remedial actions to address any deficiencies in information security policies, procedures, and practices, and the completion of those activities. Security deficiencies must be corrected within the timeframes approved by the Government. Contractor procedures will be subject to periodic, unannounced assessments by VA officials. The physical security aspects associated with contractor activities will also be subject to such assessments. As updates to the system occur, an updated PIA must be submitted to the VA Privacy Service through the COTR for approval. All electronic storage media used on non-VA leased or owned IT equipment that is used to store, process, or access VA sensitive information must have all VA sensitive information removed, cleared, sanitized, or destroyed in accordance with VA policies and procedures upon: (1) completion or termination of the contract or (2) disposal or return of the IT equipment by the contractor or any person acting on behalf of the contractor, whichever is earlier. All electronic storage media used on non-VA leased or owned IT equipment that is used to store, process, or access VA sensitive information must have all VA sensitive information removed, cleared, sanitized, or destroyed in accordance with VA policies and procedures upon: (1) completion or termination of the contract or (2) disposal or return of the IT equipment by the contractor or any person acting on behalf of the contractor, whichever is earlier. 8. REHABILITATION ACT, SECTION 508 COMPLIANCE Courseware and the site must be compliant with section 508 of the Rehabilitation Act as validated by the VHA Section 508 Office. All federal agencies, when they develop, procure, maintain, or use electronic and information technology, are required to give disabled employees and members of the public access to information that is comparable to the access available to others. A good Section 508 website can be found at http://www.section508.gov. Since Section 508 requirements can be vague, we suggest adhering to the Web Accessibility Initiative (WAI), which is a World Wide Web Consortium Standard. We suggest that all content vendors adhere to Conformance Level "A" requirements. Pertinent sections for compliance are sections 21, 22, 24, and 31. Information on this standard can be found at http://www.w3c.org/wai, specifically, in the document "Web Content Accessibility Guidelines 1.0". Also, a checklist has been added as an appendix to ensure compliance. Vendors are encouraged to complete the checklist to determine if online courses meet the section 508 standards. 9. VA DIRECTIVE 6102 COMPLIANCE This directive establishes policy for the Department of Veterans Affairs (VA) employees in managing, maintaining, establishing, and presenting information on VA's Internet/Intranet Service Sites and use of related Internet services. The VA 6102 Handbook implements the policies contained in VA Directive 6102, Internet/Intranet Services. This includes but is not limited to File Transfer Protocol (FTP), Hypertext Markup Language (HTML), Simple Mail Transfer Protocol (SMTP), Web pages, Active Server Pages (ASP), e-mail forums, and list servers. The VA 6102 Handbook is available at: http://www.va.gov/pubs/handbooks/Information-Resources-Management-(IRM)/6102h.pdf (End Statement of Work) Appendix VHA Section 508 Office (19F) Health Data & Informatics (HD&I) Section 508 Checklist for Web-based Internet Information and Applications For assistance completing this document, contact your HDI representative or contact the VHA OI HDI Section 508 mail group. Application Name/Version #Project Manager Name/Signature508 Compliance Name/SignatureDate 1194.22CheckpointYesNoN/AComments (a)A text equivalent for every non-text element shall be provided (e.g., via "alt", "longdesc", or in element content). a.1Are ALT attributes provided for all images?**** a. Are ALT attributes provided for image-type buttons in forms?**** b. Are complex images (such as charts or graphs) accompanied by a "longdesc" attribute?**** c. Are ALT attributes provided for area elements of client-side image maps?**** a.2Does the alternative text concisely convey the meaning and/or intent of the image it accompanies?**** a. Are empty ALT attributes ("") provided for images used as list bullets?**** b. Are empty ALT attributes ("") provided for images used as spacers?**** c. Are empty ALT attributes ("") provided for images that are decorative in nature and not required for the content of the page?**** d. Do tree and outline components provide textual name, type, state and level information?**** a.3Are text equivalents provided for background, animated and interactive content?**** a. Is alternative text provided for progress bars and progress images?**** b. Do CSS background images that convey meaning have textual equivalents?**** c. Are ALT attributes provided for animated images?**** d. Is a non-animated equivalent or method to step through animated content available?**** e. Does screen transition animation settle within 5 seconds?**** f. Are there text equivalents for audio information (including transcripts of spoken information)?**** g. Do video files have audio equivalents or full-text descriptions?**** h. Are ALT attributes provided for applets?**** i. Are electronic files (such as.pdf,.doc, and.ppt) accessible or do they have text equivalents?**** (b)Equivalent alternatives for any multimedia presentation shall be synchronized with the presentation. b.1Is synchronized captioning provided for audio content in the video?**** b.2Are clear and meaningful audio descriptions of visual content provided and synchronized in the video?**** 1194.22CheckpointYesNoN/AComments (c)Web pages shall be designed so that all information conveyed with color is also available without color, for example from context or markup. c.1Where color is used to convey meaning, are text, icons or symbols provided to convey the same meaning? For example: " Task 1 " Task 2 (*IMPORTANT*) " Task 3**** c.2Does the page avoid using color alone to convey non-textual information?**** a. Is a text or symbolic indicator provided along with color to show whether an item or control is selected?**** c.3Is information, that has been conveyed with color, available if someone could not see the screen or had to change display colors and contrast?**** c.4Where instructions are given, are actions or controls described in terms other than color? ("Press green Start button" rather than "Press green button".)**** (d)Documents shall be organized so they are readable without requiring an associated style sheet. d.1Is the reading order of content and elements correct when viewed without style sheets or when read with assistive technology?**** d.2With style sheets turned off is dynamic content rendered inline with controls that change it?**** (e)Redundant text links shall be provided for each active region of a server-side image map.**** e.1If the page uses a server-side image map, is there a separate set of links that duplicates the functionality provided by activating regions of that image map?**** (f)Client-side image maps shall be provided instead of server-side image maps except where the regions cannot be defined with an available geometric shape. f.1Are client-side image maps being used instead of server-side except where the clickable region cannot be defined by a circle, rectangle, or polygon?**** (g)Row and column headers shall be identified for data tables. g.1Are the header elements for a data table provided in the same table as the content?**** g.2Are all row and column header cells identified with a
- Web Link
-
FBO.gov Permalink
(https://www.fbo.gov/spg/VA/VAAAC/VAAAC/VA-777-10-RP-0145/listing.html)
- Record
- SN02130504-W 20100425/100423235031-e390b463ea37bbb0412b12da08d0aeb8 (fbodaily.com)
- Source
-
FedBizOpps Link to This Notice
(may not be valid after Archive Date)
| FSG Index | This Issue's Index | Today's FBO Daily Index Page |