SOLICITATION NOTICE
Q -- DNA Extraction - NIH Human Biospecimen Guidelines
- Notice Date
- 5/5/2011
- Notice Type
- Combined Synopsis/Solicitation
- NAICS
- 622110
— General Medical and Surgical Hospitals
- Contracting Office
- Department of Health and Human Services, National Institutes of Health, National Heart, Lung and Blood Institute, Rockledge Dr. Bethesda, MD, Office of Acquisitions, 6701 Rockledge Dr RKL2/6100 MSC 7902, Bethesda, Maryland, 20892-7902
- ZIP Code
- 20892-7902
- Solicitation Number
- NHLBI-CSB-(HG)-2011-107-DLM
- Archive Date
- 5/31/2011
- Point of Contact
- Dorothy Maxwell, Phone: 301-435-0352
- E-Mail Address
-
maxwelld@mail.nih.gov
- Small Business Set-Aside
- N/A
- Description
- Attached is the required NIH Human Biospecimen Guidelines. This is a combined synopsis/solicitation for commercial items prepared in accordance with the format in FAR 12.6 as supplemented with additional information included in this notice. This announcement constitutes the only solicitation and a separate written solicitation will not be issued. The solicitation number is NHLBI-CSB-(HG)-2011-107-DLM and is issued as a Request for Quotation (RFQ). The solicitation/contract will include all applicable provisions and clauses in effect through Federal Acquisition Circular 2005-51, May 2, 2011. Period of Performance: The proposed period of performance for this service will consist of one (12) month basic contract period, four (4) options to renew for a twelve month period each. This requirement will be set-aside for those quotations in the Washington D.C./Maryland/Virginia Metropolitan area. The North American Industry Classification (NAICS) Code is 622110 and the business size standard is $34.5M. This acquisition is being conducted using Simplified Acquisition Procedures in accordance with FAR Part 13. The Contractor must adhere to NIH Information and Physical Access Security Requirements Security Information. (See Article "H" for Requirements.) Statement of Work Background: The National Institutes of Health (NIH) is the nation's leading medical research agency and the primary Federal agency conducting and supporting making medical discoveries that improve people's health and save lives. Investigators in the Division of Intramural Research for the National Human Genome Research Institute at NIH manage diverse IRB-approved human clinical protocols for a variety of rare genetic disorders that involve DNA-based molecular research analysis. 
As required by the IRB, any result(s) of a DNA-based molecular research study that originates from the research laboratory must be validated on human samples handled for genomic DNA extraction in a CLIA-approved (licensed) laboratory to be reportable to the patient. Inbound/outbound transportation with future & timely access to high quality genomic DNA for an estimated 200 samples per year is required. More can be added based on the customer need and the reagents/kits available for DNA extraction, that optimize quality, management, tracking and long-term storage as requested by NHGRI. Purpose: NHGRI/NIH investigators require future and timely access to high quality genomic DNA extracted under CLIA-approved licensed laboratory conditions that includes the capacity for long-term storage. DNA extraction from whole blood EDTA and/or buccal cell samples must be performed by standard laboratory methods/kit that optimize purity and total yield to produce high-quality genomic DNA for an estimated 200 human samples per year. The final DNA product must be prepared for long-term storage in a cryotube to withstand storage at minus 80-degree centigrade freezer conditions for minimum one or more years until requested/required by NIH/NHGRI investigator(s) for future diagnostic/validation assay(s). REQUIRED ELEMENTS: • CLIA licensed laboratory setting (valid license)-MANDATORY CRITERIA • State-of-the-art laboratory facility located within the Washington, DC, Maryland, Virginia Metropolitan area to provide specimen handling (human samples), processing and repository management for NIH/NHGRI investigators. • The laboratory will produce high-quality genomic DNA under valid CLIA-approved license as part of this contract. 
• Timely access to inventory of NIH/NHGRI sample(s) that can be "pulled" upon request for transport back to primary investigator/NHGRI • Capacity for long-term frozen storage maintenance for at least 1 year but capable of extending this to 5 or more years, depending on NHGRI/NIH requirements. Contractor Requirements: The Contracted laboratory shall provide for the following: 1. Inbound/outbound transportation to laboratory (located in the Washington DC, Maryland and Virginia Metropolitan area) from NIH and/or offsite setting where sample received. Samples may be drawn at NIH-CC or obtained and shipped from offsite setting (coordinated by investigator) and transported to laboratory for DNA extraction. Upon request of NIH/NHGRI investigator, stored DNA sample(s) may be pulled for transport back to primary investigator at NHGRI/NIH and/or shipped directly to a designated testing laboratory. 2. DNA extraction: Methodology used should apply standard laboratory procedures required in a CLIA-approved setting that optimize and meet NIH/NHGRI requirements for high quality DNA extraction and long-term frozen storage. The respondent must receive whole blood in EDTA vacutainers or equivalent and/or buccal cell specimens and prepare them for DNA extraction. All reagents/DNA extraction kits, storage tubes used must optimize for purity, total yield and long-term storage. From one mL of whole blood with a normal white cell count (range of 5-10 million WBC/mL blood), the expected yield range is 15-50 ug DNA. A standard DNA extraction kit (e.g., Gentra Puregene DNA Extraction Kit) can be used for DNA extraction from whole blood EDTA and/or buccal cheek swab samples. Hydrated DNA should be assayed for purity and yield (ug) by spectrophotometry, with report available for investigator/NHGRI. The final DNA product should be prepared for long-term storage in a cryotube to withstand long-term storage in a -80 degree centigrade freezer. 
For 10-mL EDTA tube with normal WBC, the expected total DNA yield is approximately 150-500 ug of DNA with purity range expected 1.6-2.0. 3. Adherence to best practices that follow NIH Guidelines for Human Biospecimen Storage and Tracking within the NIH Intramural Research Program (Approved by NIH Steering Committee July 2008) is required. (SEE ATTACHED REQUIRED GUIDELINES). 4. A sample tracking mechanism for NIH/NHGRI samples should incorporate NHGRI/NIH sample accession number and/or patient information as specified per protocol (protocol #, subject study ID, NIH medical record number, sample date) and outcome variables of DNA extraction (sample type, sample date, DNA concentration/total yield, freeze/thaw #), etc. as required by NHGRI/NIH investigator. 5. Adherence to NIH Information and Physical Access Security Requirements. (See Article "H") Government Responsibilities: • Package/ship human samples in compliance with human biological specimens and paperwork used for standard sample request. Reporting Requirements and Deliverables • Access to Inventory list of processed/stored samples with a report of sample date/type, DNA concentration, volume and total yield (ug) should be made available to NHGRI/NIH. • For each sample, minimum 1 Cryotube of DNA stored long-term (-80 degree centigrade) until requested for return. • Upon request of the NHGRI/NIH Principal Investigator or his/her designee, DNA aliquots should be returned to NIH with appropriate documentation (protocol #, sample name, accession number, sample date/type, DNA concentration, volume and total yield (ug), freeze/thaw #). Program Management and Control Requirements: • Management of human samples must be in compliance with CLIA and adhere to NIH Information and Physical Access Security requirements (Article H) regarding Personally Identifiable Information (PII). 
Inspection and Acceptance Requirements: • Upon arrival of sample DNA extracts/aliquots to destination, the package and contents must be undamaged. • Upon arrival of sample DNA extracts/aliquots to destination, the package and contents must be at proper temperature and include proper sample paperwork. Technical Evaluation Criteria: 1. Understanding of the Requirement and Adequacy of the Proposed Approach of Tasks (40 points) 1. The offeror must clearly describe the proposed process for performing the work requested (as opposed to repeating the requirements). The evaluation will focus on the offeror's demonstrated technical approach, scientific capabilities, and experience in handling, processing and repository of human specimens. (SEE ATTACHED REQUIRED GUIDELINES). The proposal itself will be considered a work sample. 2. Qualifications of Personnel & Laboratory Facility (30 points) Supporting materials should include description concerning the suitability of laboratory facilities and resources and capabilities in molecular biology and management activities similar to those solicited. Qualifications, availability, and experience of proposed professional/technical staff. 3. Past Performance of the Company (20 points) Experience of the organization as described and past performance of the company's similar projects as documented in Contractor Performance Reports (CPARS). 4. Documentation of valid/current CLIA certification and relevant medical laboratory permits. (10 points) Price is not a weighted evaluation factor. A basic analysis of the proposed cost or price of the work will be performed to determine the relative merits of the offeror's proposal and in selecting the offeror whose proposal is considered to offer the best value to the Government. The cost proposal shall include the amounts of the basic elements of the proposed cost or price. 
These elements may include, as applicable, study management, transportation (courier)/shipping, supplies, and per sample extraction & storage costs. FAR Provisions which apply to this acquisition are: 1) FAR Clause 52.212-1 Instructions to Offerors Commercial Items (JUN 2008); 2) As stated in FAR Clause 52.212-2 (a), the Government will award a contract resulting from this solicitation to the responsible Offeror whose offer conforming to the solicitation will be most advantageous to the Government, price and other factors considered; 3) FAR Clause 52.212-4, Contract Terms and Conditions Required To Implement Statutes or Executive Orders Commercial Items, Contract Terms and Conditions Commercial Items; and 4) FAR Clause 52.212-5, Contract Terms and Conditions Required to Implement Statutes or Executive Orders Commercial Items Deviation for Simplified Acquisitions. The Offeror must include in their quotation the hourly rate, unit price, total cost per year, the price list, shipping and handling costs, the delivery period after contract award, the prompt payment discount terms, the F.O.B. Point (Destination or Origin), the Dun & Bradstreet Number (DUNS), the Taxpayer Identification Number (TIN), and the certification of business size. Note: In order to receive an award, offerors must have a valid registration in the Central Contractor Registration (CCR) www.ccr.gov and Online Representations and Certifications Application (ORCA) www.bpn.gov. The clauses are available in full text at http://www.arnet.gov/far. Interested parties capable of furnishing the Government with the item specified in this synopsis should submit their quotation to the below address. Quotations will be due ten (10) calendar days from the publication date of this synopsis or May 16, 2011 7:30 a.m., Eastern Standard Time. The quotation must reference Solicitation number NHLBI-CSB-(HG)-2011-107-DLM. 
All responsible sources may submit a quotation, which if timely received, shall be considered by the agency. Quotations must be submitted in writing to the National Heart, Lung, and Blood Institute, 6701 Rockledge Blvd., Room 6149, Bethesda, Maryland 20892, Attention: Dorothy Maxwell. Responses may be submitted electronically to maxwelld@mail.nih.gov. Responses will only be accepted if dated and signed by an authorized company representative. ARTICLE H. NIH INFORMATION AND PHYSICAL ACCESS SECURITY Information Security is applicable to this acquisition. This acquisition requires the Contractor to • develop, have the ability to access, or host and/or maintain Federal information and/or Federal information system(s). • access, or use, Personally Identifiable Information (PII), including instances of remote access to or physical removal of such information beyond agency premises or control. The Contractor and all subcontractors performing under this acquisition shall comply with the following requirements: a. Information Type: [X] Administrative, Management and Support Information: Personal Identity and Authentication Information Information Type ______________________________ ______________________________ [X] Mission Based Information: Health Care Research and Practitioner Education Information Type Research and Development Information Type ______________________________ b. Security Categories and Levels: Confidentiality Level: [ ] Low [X] Moderate [ ] High Integrity Level: [ ] Low [X] Moderate [ ] High Availability Level: [ ] Low [X] Moderate [ ] High Overall Level: [ ] Low [X] Moderate [ ] High c. Position Sensitivity Designations: The following sensitivity level(s), clearance type(s), and investigation requirements apply to this contract: [ ] Level 6: Public Trust - High Risk. Contractor/subcontractor employees assigned to Level 6 positions shall undergo a Suitability Determination and Background Investigation (BI). [X ] Level 5: Public Trust - Moderate Risk. 
Contractor/subcontractor employees assigned to Level 5 positions with no previous investigation and approval shall undergo a Suitability Determination and a Minimum Background Investigation (MBI), or a Limited Background Investigation (LBI). [ ] Level 1: Non-Sensitive Contractor/subcontractor employees assigned to Level 1 positions shall undergo a Suitability Determination and National Agency Check and Inquiry Investigation (NACI). The Contractor shall submit a roster by name, position, e-mail address, phone number and responsibility, of all staff (including subcontractor staff) working under this acquisition where the Contractor will develop, have the ability to access, or host and/or maintain a federal information system(s). The roster shall be submitted to the Project Officer, with a copy to the Contracting Officer, within 14 calendar days of the effective date of this contract. Any revisions to the roster as a result of staffing changes shall be submitted within 15 calendar days of the change. The Contracting Officer will notify the Contractor of the appropriate level of investigation required for each staff member. An electronic template, "Roster of Employees Requiring Suitability Investigations," is available for contractor use at http://ocio.nih.gov/docs/public/Suitability-roster.xls Suitability Investigations are required for contractors who will need access to NIH information systems and/or to NIH physical space. However, contractors who do not need access to NIH physical space will not need an NIH ID Badge. Each contract employee needing a suitability investigation will be contacted via email by the NIH Office of Personnel Security and Access Control (DPSAC) within 30 days. The DPSAC email message will contain instructions regarding fingerprinting as well as links to the electronic forms contract employees must complete. 
Additional information can be found at the following website: http://idbadge.nih.gov/background/index.asp All contractor and subcontractor employees shall comply with the conditions established for their designated position sensitivity level prior to performing any work under this contract. Contractors may begin work after the fingerprint check has been completed. d. Information Security Training d.1 Mandatory Training All employees having access to (1) Federal information or a Federal information system or (2) personally identifiable information, shall complete the NIH Information Security Awareness Training course at http://irtsectraining.nih.gov/ before performing any work under this contract. Thereafter, employees having access to the information identified above shall complete an annual NIH-specified refresher course during the life of this contract. The Contractor shall also ensure subcontractor compliance with this training requirement. d.2 Role-based Training HHS requires role-based training when responsibilities associated with a given role or position, could, upon execution, have the potential to adversely impact the security posture of one or more HHS systems. Read further guidance at: "Secure One HHS Memorandum on Role-Based Training Requirement". For additional information see the following: http://ocio.nih.gov/security/security-communicating.htm#RoleBased The Contractor shall maintain a list of all information security training completed by each contractor/subcontractor employee working under this contract. The list shall be provided to the Project Officer and/or Contracting Officer upon request. e. Rules of Behavior The Contractor shall ensure that all employees, including subcontractor employees, comply with the NIH Information Technology General Rules of Behavior, which are available at http://ocio.nih.gov/security/nihitrob.html. f. Personnel Security Responsibilities 1. 
The Contractor shall notify the Contracting Officer, Project Officer, and I/C ISSO within five working days before a new employee assumes a position that requires a suitability determination or when an employee with a suitability determination or security clearance stops working under this contract. The Government will initiate a background investigation on new employees requiring suitability determination and will stop pending background investigations for employees that no longer work under this acquisition. 2. The Contractor shall provide the Project Officer with the name, position title, e-mail address, and phone number of all new contract employees working under the contract and provide the name, position title and suitability determination level held by the former incumbent. If the employee is filling a new position, the Contractor shall provide a position description and the Government will determine the appropriate suitability level. 3. The Contractor shall provide the Project Officer with the name, position title, and suitability determination level held by or pending for departing employees. Perform and document the actions identified in the Contractor Employee Separation Checklist (attached) when a Contractor/subcontractor employee terminates work under this contract. All documentation shall be made available to the Project Officer and/or Contracting Officer upon request. g. Commitment to Protect Non-Public Departmental Information and Data 1. Contractor Agreement The Contractor, and any subcontractors performing under this contract, shall not release, publish, or disclose non-public Departmental information to unauthorized personnel, and shall protect such information in accordance with provisions of the following laws and any other pertinent laws and regulations governing the confidentiality of such information: - 18 U.S.C. 641 (Criminal Code: Public Money, Property or Records) - 18 U.S.C. 
1905 (Criminal Code: Disclosure of Confidential Information) - Public Law 96-511 (Paperwork Reduction Act) 2. Contractor Employee Non-Disclosure Agreement Each employee, including subcontractors, having access to non-public Department information under this acquisition shall complete the Commitment to Protect Non-Public Information - Contractor Employee Agreement A copy of each signed and witnessed Non-Disclosure agreement shall be submitted to the Project Officer prior to performing any work under this acquisition. h. NIST SP 800-53 Assessment This contract requires the Contractor to develop, host, and/or maintain a Federal information system at the Contractor's or any subcontractors' facility. The Contractor shall submit an annual information security assessment using NIST SP 800-53, Recommended Security Controls for Federal Information Systems. The assessments shall be due annually within 30 days after the anniversary date of the contract, with the final assessment due at contract completion. The assessments shall be based on the Federal IT Security Assessment Framework and NIST SP 800-53 at: NIST SP 800-53, Rev. 3 http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf Annex 1: Baseline Security Controls for Low-Impact Information Systems http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-annex1-updt.pdf Annex 2: Baseline Security Controls for Moderate-Impact Information Systems http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-annex2-updt.pdf Annex 3: Baseline Security Controls for High-Impact Information Systems http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-annex3-updt.pdf The Contractor shall ensure that all of its subcontractors (at all tiers), where applicable, comply with the above reporting requirements. i. 
Information System Security Plan (ISSP) The Contractor shall update the acceptable ISSP submitted in their proposal every three years following the effective date of the contract or when a major modification has been made to its internal system. One copy each shall be submitted to the Project Officer and Contracting Officer. j. Data Encryption The following encryption requirements apply to all laptop computers containing HHS data at rest and/or HHS data in transit. The date by which the Contractor shall be in compliance will be set by the Project Officer, however, device encryption shall occur before any sensitive data is stored on the laptop computer/mobile device, or within 45 days of the start of the contract, whichever occurs first. 1. The Contractor shall secure all laptop computers used on behalf of the government using a Federal Information Processing Standard (FIPS) 140-2 compliant whole-disk encryption solution. The cryptographic module used by an encryption or other cryptographic product must be tested and validated under the Cryptographic Module Validation Program to confirm compliance with the requirements of FIPS PUB 140-2 (as amended). For additional information, refer to http://csrc.nist.gov/cryptval. 2. The Contractor shall secure all mobile devices, including non-HHS laptops and portable media that contain sensitive HHS information by using a FIPS 140-2 compliant product. Data at rest includes all HHS data regardless of where it is stored. 3. The Contractor shall use a FIPS 140-2 compliant key recovery mechanism so that encrypted information can be decrypted and accessed by authorized personnel. Use of encryption keys which are not recoverable by authorized personnel is prohibited. Key recovery is required by "OMB Guidance to Federal Agencies on Data Availability and Encryption", November 26, 2001, http://csrc.nist.gov/drivers/documents/ombencryption-guidance.pdf. 
Encryption key management shall comply with all HHS and NIH policies (http://intranet.hhs.gov/infosec/docs/guidance/hhs_standard_2007.pdf) and shall provide adequate protection to prevent unauthorized decryption of the information. All media used to store information shall be encrypted until it is sanitized or destroyed in accordance with NIH procedures. Contact the NIH Center for Information Technology for assistance (http://cit.nih.gov/ProductsAndServices/ServiceCatalog/Services.htm?Service=Media+Sanitization+Service). k. Loss and/or Disclosure of Personally Identifiable Information (PII) - Notification of Data Breach The Contractor shall report all suspected or confirmed incidents involving the loss and/or disclosure of PII in electronic or physical form. Notification shall be made to the NIH Incident Response Team via email (IRT@mail.nih.gov) within one hour of discovering the incident. The Contractor shall follow-up with IRT by completing and submitting one of the following two forms within three (3) work days: NIH PII Spillage Report [ http://ocio.nih.gov/docs/public/PII_Spillage_Report.doc ] NIH Lost or Stolen Assets Report [ http://ocio.nih.gov/docs/public/Lost_or_Stolen.doc ] l. Using Secure Computers to Access Federal Information 1. The Contractor shall use an FDCC compliant computer when processing information on behalf of the Federal government. 2. The Contractor shall install computer virus detection software on all computers used to access information on behalf of the Federal government. Virus detection software and virus detection signatures shall be kept current. m. Special Information Security Requirements for Foreign Contractors/Subcontractors When foreign contractors/subcontractors perform work under this acquisition at non-US Federal Government facilities, provisions of HSPD-12 do NOT apply. n. REFERENCES: INFORMATION SECURITY INCLUDING PERSONALLY IDENTIFIABLE INFORMATION 1. 
Federal Information Security Management Act of 2002 (FISMA), Title III, E-Government Act of 2002, Pub. L. No. 107-347 (Dec. 17, 2002); http://csrc.nist.gov/drivers/documents/FISMA-final.pdf 2. DHHS Personnel Security/Suitability Handbook: http://www.dhhs.gov/oamp/policies/personnel_security_suitability_handbook.html 3. NIH Computer Security Awareness Training Course: http://irtsectraining.nih.gov/ 4. NIST Special Publication 800-16, Information Technology Security Training Requirements: http://csrc.nist.gov/publications/nistpubs/800-16/800-16.pdf Appendix A-D: http://csrc.nist.gov/publications/nistpubs/800-16/AppendixA-D.pdf 5. NIST SP 800-18, Guide for Developing Security Plans for Information Technology Systems: http://csrc.nist.gov/publications/nistpubs/800-18-Rev1/sp800-18-Rev1-final.pdf 6. NIST SP 800-53, Revision 1, Recommended Security Controls for Federal Information Systems: http://csrc.nist.gov/publications/nistpubs/800-53-Rev2/sp800-53-rev2-final.pdf 7. NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, Volume I: http://csrc.nist.gov/publications/nistpubs/800-60-rev1/SP800-60_Vol1-Rev1.pdf; Volume II, Appendices to Guide For Mapping Types of Information and Information Systems To Security Categories, Appendix C at: http://csrc.nist.gov/publications/nistpubs/800-60-rev1/SP800-60_Vol2-Rev1.pdf and Appendix D at: http://csrc.nist.gov/publications/nistpubs/800-60-rev1/SP800-60_Vol2-Rev1.pdf. 8. NIST SP 800-64, Security Considerations in the Information System Development Life Cycle: http://csrc.nist.gov/publications/nistpubs/800-64-Rev2/SP800-64-Revision2.pdf 9. FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems: http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf 10. FIPS PUB 200, Minimum Security Requirements for Federal Information and Information Systems: http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf 11. 
OMB Memorandum M-06-15, Safeguarding Personally Identifiable Information (05-22-06): http://www.whitehouse.gov/omb/memoranda/fy2006/m-06-15.pdf 12. OMB Memorandum M-06-16, Protection of Sensitive Agency Information (06-23-06): http://www.whitehouse.gov/OMB/memoranda/fy2006/m06-16.pdf 13. OMB Memorandum M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments (07-12-06) http://www.whitehouse.gov/omb/memoranda/fy2006/m-06-19.pdf 14. OMB Memorandum, Recommendations for Identity Theft Related Data Breach Notification (09-20-06) http://www.whitehouse.gov/omb/memoranda/fy2006/task_force_theft_memo.pdf 15. OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information (05-22-07) http://www.whitehouse.gov/omb/memoranda/fy2007/m07-16.pdf 16. OMB Memorandum M-07-18, Ensuring New Acquisitions Include Common Security Configurations (06-01-07) http://www.whitehouse.gov/omb/memoranda/fy2007/m07-18.pdf 17. Guide for Identifying Sensitive Information, including Information in Identifiable Form, at the NIH (Draft: 10-04-06) (Available from the ISSO) 18. HHS OCIO Policies http://www.hhs.gov/ocio/policy/index.html#Security o. Personally Identifiable Information (PII) Security Plan The Offeror shall submit a PII Security Plan with its technical proposal that addresses each of the following items: 1. Verify the information categorization to ensure the identification of the PII requiring protection. 2. Verify the existing risk assessment. 3. Identify the Contractor's existing internal corporate policy that addresses the information protection requirements of the SOW. 4. Verify the adequacy of the Contractor's existing internal corporate policy that addresses the information protection requirements of the SOW. 5. 
Identify any revisions, or development, of an internal corporate policy to adequately address the information protection requirements of the SOW. 6. For PII to be physically transported to or stored at a remote site, verify that the security controls of NIST Special Publication 800-53 involving the encryption of transported information will be implemented. http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf 7. When applicable, verify how the NIST Special Publication 800-53 security controls requiring authentication, virtual private network (VPN) connections will be implemented. 8. When applicable, verify how the NIST Special Publication 800-53 security controls enforcing allowed downloading of PII will be implemented. 9. Identify measures to ensure subcontractor compliance with safeguarding PII. The details contained in the Offeror's PII Security Plan must be commensurate with the size and complexity of the contract requirements based on the System Categorization specified above in the subparagraph entitled Security Categories and Levels. The Offeror's PII Security Plan will be evaluated by the Government for appropriateness and adequacy. p. Information System Security Plan The Offeror shall submit an Information System Security Plan (ISSP) with its technical proposal using the current template in Appendix A of NIST SP 800-18, Guide to Developing Security Plans for Federal Information Systems (http://csrc.nist.gov/publications/nistpubs/800-18-Rev1/sp800-18-Rev1-final.pdf). The details contained in the ISSP must be commensurate with the size and complexity of the contract requirements based on the System Categorization determined above in the subparagraph entitled Security Categories and Levels. The Offeror shall also identify measures to ensure subcontractor compliance with the ISSP. The ISSP will be evaluated by the Government for appropriateness and adequacy. 
The Contractor will be required to update and resubmit its ISSP every three years following the effective date of the contract or when a major modification has been made to its internal system.
- Web Link
-
FBO.gov Permalink
(https://www.fbo.gov/spg/HHS/NIH/NHLBI/NHLBI-CSB-(HG)-2011-107-DLM/listing.html)
- Place of Performance
- Address: NIH, Bethesda, Maryland, 20892, United States
- Zip Code: 20892
- Record
- SN02440867-W 20110507/110505234549-a40375e62ac2f02302015568e9e2cc5b (fbodaily.com)