Loren Data's SAM Daily™

fbodaily.com
FBO DAILY ISSUE OF JUNE 02, 2011 FBO #3477
SOLICITATION NOTICE

J -- dRIS Hardware and Software Maintenance

Notice Date
5/31/2011
 
Notice Type
Combined Synopsis/Solicitation
 
NAICS
541519 — Other Computer Related Services
 
Contracting Office
Department of Health and Human Services, National Institutes of Health, Clinical Center/Office of Purchasing & Contracts, 6707 Democracy Blvd, Suite 106, MSC 5480, Bethesda, Maryland, 20892-5480
 
ZIP Code
20892-5480
 
Solicitation Number
11-002973
 
Archive Date
6/25/2011
 
Point of Contact
Gail Akinbinu, Phone: 301-496-0692
 
E-Mail Address
gakinbinu@cc.nih.gov
 
Small Business Set-Aside
N/A
 
Description
Background

The mission of the National Institutes of Health (NIH) is to uncover new knowledge that will lead to better health for everyone. The NIH accomplishes that mission by conducting research in its own laboratories; supporting the research of non-Federal scientists in universities, medical schools, hospitals, and research institutions throughout the country and abroad; helping in the training of research investigators; and fostering communication of biomedical information.

The NIH Clinical Center (CC) is a 234-bed federally funded, biomedical research hospital located on the NIH campus in Bethesda, Maryland. The Clinical Center is the delivery setting for all NIH intramural clinical research protocols. The hospital complex consists of two main facilities that are connected to each other by “bridges”. The original 14-story building is 2.5 million square feet and continues to house the clinical laboratories, imaging sciences, surgical suites, and several outpatient clinics. The new 870,000 square foot facility houses inpatient units and day hospitals. The Clinical Center accounts for about half of all NIH-funded clinical research beds in the United States and accommodates about 7,000 inpatient and 70,000 outpatient visits a year. Patients are admitted to the NIH Clinical Center from all over the world for the sole purpose of participating in a clinical research protocol.

The Department of Radiology and Imaging Sciences (RAD&IS) provides imaging services to the CC patients who participate in research protocols conducted by the various NIH institutes. Imaging services include X-rays, fluoroscopy, mammography, ultrasound, magnetic resonance imaging (MRI) scans, computed tomography (CT) scans and interventional radiology (special procedures). Diagnostic services in ultrasound, digital mammography, positron emission tomography/computed tomography (PET/CT), and nuclear medicine are also provided.

All these diagnostic modalities generate clinical diagnostic images that are sent to and archived on the RAD&IS’s Picture Archiving and Communication System (PACS). The departmental radiologists review the diagnostic images and dictate clinical findings using a Voice Recognition System (VRS). The findings are saved in reports which are stored in the RAD&IS’s Radiology Information System (RIS) and forwarded to the Clinical Research Information System or the Clinical Center’s Hospital Information System (CRIS).

Purpose

This request is for the renewal of the maintenance contract with Cerner Corp. for its Radiology Information System (RIS). The Cerner RIS is a proprietary system in daily use by the RAD&IS for critical patient care. The current contract expires May 31, 2011. A renewal of the existing contract is needed to provide support for the RIS until it is replaced. The replacement date is tentatively set for December 2011 (Contract Number HHSN269301000204P). The renewal should be executed in four-month periods, as a full year of service will probably not be needed.

Scope

To continue service of the existing RIS system for the Department of Radiology and Imaging Science in the Clinical Center. The Cerner RIS is a critical patient care system in daily use within the Clinical Center in support of care of diagnostic and research studies for patients in clinical protocols and the NIH Clinical Center mission of providing quality patient care.

1. Provide 24x7 Monday to Sunday Immediate Response Center Support on hardware and software critical issues that severely impact patient care and require immediate resolution.
2. Provide 24x7 Monday to Sunday support on IBM hardware and software, with a 4-hour response time on hardware.
3. Provide 24x7 Monday to Sunday software maintenance for AIX, MQ Series, and the Oracle database.
4. Provide updates and software patches for the Cerner Millennium application software for the radiology information system.
5. Provide remote troubleshooting on any reported issue.
6. Provide remote application support and Immediate Answer Center (IAC) during Monday – Friday, 9am – 6pm EST.
7. Provide comprehensive electronic support solution options via Cerner.com.
8. Provide subscription to Cerner’s architecture, troubleshooting, and issue management.
9. Provide access to the knowledgebase and tools from Cerner.com.
10. Provide software patch releases from Cerner.com.
11. Provide access to Cerner Knowledge Management (CKM).
12. Provide access to Cerner.com for software updates and upgrades to keep our system current, and secure access to the RIS system.

Equipment Maintenance

 #  Item No.  Vendor  Model     Description                Serial No.  Qty  Coverage
 1  232883    IBM     1812-81A  DS4000 EXP810 EXPANSION    0013206V1   1    24x7 M-Su
 2  232882    IBM     1814-72A  DS4700 EXPRESS MODEL 7     00139885D   1    24x7 M-
 3  232884    IBM     3576-E9U  TS3310 Tape Expansion Mod  71467       1    24x7 M-Su
 4  232885    IBM     3576-L5B  TS3310 TAPE LIBRARY        11843       1    24x7 M-Su
 5  232886    IBM     7014-T42  RS/6000 System Rack        00005C55C   1    24x7 M-Su
 6  232881    IBM     9133-55A  SYSTEM P5                  00007145H   1    24x7 M-Su

Software Maintenance

 #  Item No.  Vendor     Part No.      Description                   Serial/Ref.  Qty  Coverage
 1  232887    IBM        5771-SWM      Software Maintenance for AIX  00007145H    4    24x7 Phone Support
 2  223451    MQ Series  E0256LL       MQ Series for AIX             03-01519     200  24x7 M-Su Phone Support
 3  86808     Oracle     QC-OR0200-U2  Oracle RT US: EE w/PSO,Pa     -            1    24x7 M-Su Phone Support

Period of Performance

Period 1: June 1, 2011 – September 30, 2011
Period 2: October 1, 2011 – January 31, 2012
Period 3: February 1, 2012 – May 31, 2012

Delivery Location, Schedule, and Instructions

National Institutes of Health Clinical Center, Building 10, Radiology & Imaging Sciences

Security Provisions

See attached security clauses: NIH/CC SECURITY – CONTRACT PROVISION, September 29, 2009 (rev 12/22/2009)

NIH INFORMATION SECURITY

THE FOLLOWING MATERIAL IS APPLICABLE TO DEPARTMENT OF HEALTH AND HUMAN SERVICES (HHS) TASK ORDERS FOR WHICH CONTRACTOR/SUBCONTRACTOR PERSONNEL WILL (1) DEVELOP, (2) HAVE THE ABILITY TO ACCESS, OR (3) HOST AND/OR MAINTAIN A FEDERAL INFORMATION SYSTEM(S).
For more information, see the HHS Information Security Program Policy at: http://www.hhs.gov/ocio/policy/2004-0002.001.html#intro.

IMPORTANT NOTE TO OFFERORS: The requirements in this section shall be addressed in a separate section of the Technical Proposal entitled “INFORMATION SECURITY”.

This Statement of Work (SOW) requires the Contractor to perform one or more of the following:

(1) Develop, (2) have the ability to access, or (3) host and/or maintain a Federal Information system(s).
(2) Include when contractor/subcontractor personnel will have access to, or use of, Personally Identifiable Information (PII), including instances of remote access to or physical removal of such information beyond agency premises or control.
(3) Include when contractor/subcontractor personnel will have regular or prolonged physical access to a Federally-controlled facility.

If the SOW requires hardware, the following must be included:

(4) IT equipment procurement requests (servers, desktops, laptops, Blackberries, PDAs, data storage devices, and all information processing equipment). For more information see:
• All IT equipment procurement requests (servers, desktops, laptops, Blackberries, PDAs, data storage devices, and all information processing equipment) must be reviewed by the IC CIO or designee to ensure that they conform to HHS, NIH, and Institute and Center (IC) standards before procurement approval is granted. NIH Initial Security Configuration Policy: http://irm.cit.nih.gov/security/sec_policy.html#Acq

Pursuant to Federal and HHS Information Security Program Policies, the contractor and any subcontractor performing under this task order shall comply with the following requirements:

a. Federal Information Security Management Act of 2002 (FISMA), Title III, E-Government Act of 2002, Pub. L. No. 107-347 (Dec. 17, 2002); http://csrc.nist.gov/drivers/documents/FISMA-final.pdf
b. OMB Memorandum M-06-15, Safeguarding Personally Identifiable Information (05-22-06): http://www.whitehouse.gov/omb/memoranda/fy2006/m-06-15.pdf
c. OMB Memorandum M-06-16, Protection of Sensitive Agency Information (06-23-06): http://www.whitehouse.gov/OMB/memoranda/fy2006/m06-16.pdf
d. OMB Memorandum M-06-19, Safeguarding Against and Responding to the Breach of Personally Identifiable Information: http://www.whitehouse.gov/omb/memoranda/fy2006/m06-19.pdf
e. Guide for Identifying Sensitive Information, including Information in Identifiable Form: http://ocio.nih.gov/security/NIH_Sensitive_Info_Guide.doc
f. OMB Memorandum M-07-16, Protection of Sensitive Agency Information: http://www.whitehouse.gov/omb/assets/omb/memoranda/fy2007/m07-16.pdf
g. Homeland Security Presidential Directive/HSPD-12, Policy for a Common Identification Standard for Federal Employees and Contractors (08-27-04): http://www.whitehouse.gov/news/releases/2004/08/print/20040827-8.html
h. OMB Memorandum M-05-24, Implementation of Homeland Security Presidential Directive (HSPD) 12 – Policy for a Common Identification Standard for Federal Employees and Contractors (08-05-05): http://www.whitehouse.gov/omb/memoranda/fy2005/m05-24.pdf
i. Federal Information Processing Standards Publication (FIPS PUB) 201-1 (Updated June 26, 2006): http://csrc.nist.gov/publications/fips/fips201-1/FIPS-201-1-chng1.pdf
j. HHS Interim Policy: Contractual Implementation of Homeland Security Presidential Directive (HSPD) 12, Policy for a Common Identification Standard for Federal Employees and Contractors [Draft]

Include Sections A through G in all contracts.

A. INFORMATION TYPE

**** (NOTE: Based on information provided by the ISSO, PO, and Privacy Officer, select the appropriate general information type(s) below, and provide the specific type of information.) ****

[ ] Administrative, Management and Support Information:
**** (NOTE: If the above box is checked, the specific type(s) of information from NIST SP 800-60, Volume II: Appendices to Guide for Mapping Types of Information and Information Systems To Security Categories, APPENDIX C, Table 3, at http://csrc.nist.gov/publications/nistpubs/800-60/SP800-60V2-final.pdf must be inserted here. This information will be provided by the IC ISSO and/or Project Officer.) ****

[ X ] Mission Based Information:
**** (NOTE: If the above box is checked, the specific type(s) of information from NIST SP 800-60, Volume II: Appendices to Guide For Mapping Types Of Information and Information Systems To Security Categories, APPENDIX D, Table 5, at http://csrc.nist.gov/publications/nistpubs/800-60/SP800-60V2-final.pdf must be inserted here.) ****

D.14.5 Health Care Research and Practitioner Education Information Type: Health Care Research and Practitioner Education fosters advancement in health discovery and knowledge. This includes developing new strategies to handle diseases; promoting health knowledge advancement; identifying new means for delivery of services, methods, decision models and practices; making strides in quality improvement; managing clinical trials and research quality; and providing for practitioner education.

B. SECURITY CATEGORIES AND LEVELS

**** (NOTE: Based on information provided by the ISSO and Project Officer, select the Security Level for each Security Category. Select the Overall Security Level, which is the highest level of the three factors (Confidentiality, Integrity and Availability). NIST SP 800-60, Volume II: Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories, Appendices C and D contain suggested Security Levels for each Information Type at http://csrc.nist.gov/publications/nistpubs/800-60/SP800-60V2-final.pdf. For additional information and assistance for completion of this item, see Table 1, Security Categorization of Federal Information and Information Systems at: http://irm.cit.nih.gov/security/table1.htm) ****

Confidentiality Level: [ X ] Low  [ ] Moderate   [ ] High
Integrity Level:       [ ] Low    [ X ] Moderate [ ] High
Availability Level:    [ X ] Low  [ ] Moderate   [ ] High
Overall Level:         [ ] Low    [ X ] Moderate [ ] High

C. INFORMATION SECURITY and PRIVACY TRAINING

HHS Policy requires contractors/subcontractors to receive security and privacy training commensurate with their responsibilities for performing work under the terms and conditions of their contractual agreements. The Contractor shall ensure that each contractor/subcontractor employee has completed the NIH Computer Security Awareness Training and the NIH Privacy Awareness course at http://irtsectraining.nih.gov/ or an equivalent training course specified by NIH prior to performing any work under this acquisition, and thereafter completes the NIH-specified fiscal year refresher course during the period of performance of this acquisition.

The Contractor shall maintain a list by name and title of each Contractor/Subcontractor employee working under this acquisition who has completed the NIH required training. The list (along with any subsequent updates to the list) shall be provided to the Project Officer. Any additional security training completed by Contractor/Subcontractor staff shall be included on this list. [The list of completed training shall be included in the first technical progress report (see Article C.2, Reporting Requirements). Any revisions to this list as a result of staffing changes shall be submitted with the next required technical progress report.]

Additional security training requirements commensurate with the position may be required as defined in NIST Special Publication 800-16, Information Technology Security Training Requirements (http://csrc.nist.gov/publications/nistpubs/800-16/800-16.pdf). This document provides information about information security training that may be useful to the Contractor.

Contractor/subcontractor staff shall be required to complete the following additional training prior to performing any work under this acquisition:
**** [List the required training courses here] **** This would be for HHS/NIH required Role Based Training or other department required training.

D. RULES OF BEHAVIOR

The Contractor/subcontractor employees shall be required to comply with and sign the NIH Information Technology General Rules of Behavior at: http://irm.cit.nih.gov/security/nihitrob.html

E. PERSONNEL SECURITY RESPONSIBILITIES

The Contractor shall perform and document the following actions:

Contractor Notification of New and Departing Employees Requiring Background Investigations

(1) The Contractor shall notify the Contracting Officer, the Project Officer, and the Security Investigation Reviewer within five working days before a new employee assumes a position that requires a suitability determination or when an employee with a security clearance stops working under the contract. The Government will initiate a background investigation on new employees requiring security clearances and will stop pending background investigations for employees that no longer work under the contract.
(2) New employees: Provide the name, position title, e-mail address, and phone number of the new employee. Provide the name, position title and suitability level held by the former incumbent. If the employee is filling a new position, provide a description of the position and the Government will determine the appropriate security level.
(3) Departing employees:
• Provide the name, position title, and security clearance level held by or pending for the individual.
• Perform and document the actions identified in the "Employee Separation Checklist" (http://ais.nci.nih.gov/forms/ITsecurity-seperation-checklist.rtf) when a Contractor/Subcontractor employee terminates work under this contract.

All documentation shall be made available to the Project Officer and/or Contracting Officer upon request.

F. COMMITMENT TO PROTECT NON-PUBLIC DEPARTMENTAL INFORMATION SYSTEMS AND DATA

1. Contractor Agreement

The Contractor and its subcontractors performing under this SOW shall not release, publish, or disclose non-public Departmental information to unauthorized personnel, and shall protect such information in accordance with provisions of the following laws and any other pertinent laws and regulations governing the confidentiality of such information:
• 18 U.S.C. 641 (Criminal Code: Public Money, Property or Records)
• 18 U.S.C. 1905 (Criminal Code: Disclosure of Confidential Information)
• Public Law 96-511 (Paperwork Reduction Act)

2. Contractor Employee Non-Disclosure Agreement

Each Contractor/subcontractor employee who may have access to non-public Department information under this acquisition shall complete the Commitment to Protect Non-Public Information – Contractor Employee Agreement: http://ocio/docs/public/Nondisclosure.pdf. A copy of each signed and witnessed Non-Disclosure Agreement shall be submitted to the Project Officer prior to performing any work under this acquisition.
3. System Interconnection Security Agreement (ISA) and Memorandum of Understanding (MOU)

Systems that interconnect, exchange or share sensitive information need to meet the OMB A-130 requirement that "written management authorization (often in the form of a Memorandum of Understanding or Agreement) be obtained prior to connecting with other systems and/or sharing sensitive data/information. The written authorization shall detail the rules of behavior and controls that must be maintained by the interconnecting systems." To meet this requirement, a System Interconnection Security Agreement (ISA) and Memorandum of Understanding (MOU) focused on protecting the data exchanged are required. An MOU and/or ISA will be required for any remote vendor access to the NIHnet in order to ensure adequate security and the protection of the NIHnet.

NIH ISA Template
NIH MOU Template

G. NIH PHYSICAL ACCESS SECURITY

In accordance with OMB Memorandum M-05-24, background investigations must be completed for all contractor/subcontractor personnel who have (1) access to sensitive information, (2) access to Federal information systems, (3) regular or prolonged physical access to Federally-controlled facilities, or (4) any combination thereof. [Reference: Definition of “Federally-controlled facilities” at Federal Acquisition Regulation (FAR) Subpart 2.1, Definitions]

The Statement of Work (SOW) requires the Contractor to have regular or prolonged physical access to a Federally-controlled facility, thereby requiring compliance with the following regulations/policies:
• Homeland Security Presidential Directive/HSPD-12, Policy for a Common Identification Standard for Federal Employees and Contractors (08-27-04): http://www.whitehouse.gov/news/releases/2004/08/print/20040827-8.html
• OMB Memorandum M-05-24, Implementation of Homeland Security Presidential Directive (HSPD) 12 – Policy for a Common Identification Standard for Federal Employees and Contractors (08-05-05): http://www.whitehouse.gov/omb/memoranda/fy2005/m05-24.pdf
• HHS Interim Policy: Contractual Implementation of Homeland Security Presidential Directive (HSPD) 12, Policy for a Common Identification Standard for Federal Employees and Contractors [Draft]
• HHS Office of Security and Drug Testing, Personnel Security/Suitability Handbook (02-01-05): http://www.knownet.hhs.gov/acquisition/pssh.pdf

INCLUDE SECTION L AND M WHEN CONTRACTOR/SUBCONTRACTOR PERSONNEL WILL HAVE ACCESS TO, OR USE OF, PERSONALLY IDENTIFIABLE INFORMATION (PII), INCLUDING INSTANCES OF REMOTE ACCESS TO OR PHYSICAL REMOVAL OF SUCH INFORMATION BEYOND AGENCY PREMISES OR CONTROL. FOR ADDITIONAL INFORMATION, SEE:
• OMB Memorandum M-06-15, Safeguarding Personally Identifiable Information (05-22-06): http://www.whitehouse.gov/omb/memoranda/fy2006/m-06-15.pdf
• OMB Memorandum M-06-16, Protection of Sensitive Agency Information (06-23-06): http://www.whitehouse.gov/OMB/memoranda/fy2006/m06-16.pdf
• OMB Memorandum M-06-19, Safeguarding Against and Responding to the Breach of Personally Identifiable Information: http://www.whitehouse.gov/omb/memoranda/fy2006/m06-19.pdf
• Guide for Identifying Sensitive Information, including Information in Identifiable Form, at the NIH: http://irm.cit.nih.gov/security/NIH_Sensitive_Info_Guide.doc

H. Personally Identifiable Information (PII) Security Plan

1) Security and Privacy Clause for Personally Identifiable Information

Information security and privacy, including the protection of sensitive/confidential information whether in verbal, written or electronic form, are a high priority of the National Institutes of Health (NIH). Therefore, all contractors and subcontractors who may have access to any personally identifiable information are subject to the rules, regulations and procedures established by the Privacy Act of 1974 (PA) and implementing regulations, as well as the Health Insurance Portability and Accountability Act of 1996 (HIPAA). As such, all contractors and subcontractors shall only collect, maintain and use sensitive/confidential, personally identifiable information as necessary within the scope of the services to be provided to the NIH. In addition, all contractor staff shall use sensitive/confidential information only in the performance of their assigned duties as related to the delivery of those services. Information provided by the NIH may not be shared with any third party without the express written permission of the Project and Contract Officers and may not be used for any purpose other than for the delivery of specific services to be provided to the NIH. The unauthorized disclosure of any information protected by the PA or HIPAA may be punishable by administrative sanction or by fine, and purposeful disclosure may result in criminal charges. The contractor and subcontractors are required to submit a company security/confidentiality policy and related procedures, which are to include the requirement for a signed employee confidentiality agreement.

Link to the NIH NDA: http://irm.cit.nih.gov/docs/public/Nondisclosure.pdf

The Offeror shall submit a PII Security Plan with its technical proposal that addresses each of the following items:

1. Verify the information categorization to ensure the identification of the PII requiring protection.
2. Verify the existing risk assessment.
3. Identify the Contractor’s existing internal corporate policy that addresses the information protection requirements of the SOW.
4. Verify the adequacy of the Contractor’s existing internal corporate policy that addresses the information protection requirements of the SOW.
5. Identify any revisions, or development, of an internal corporate policy to adequately address the information protection requirements of the SOW.
6. For PII to be physically transported to or stored at a remote site, verify that the security controls of NIST Special Publication 800-53 involving the encryption of transported information will be implemented. [http://csrc.nist.gov/publications/nistpubs/800-53-Rev2/sp800-53-rev2-final.pdf]
7. When applicable, verify how the NIST Special Publication 800-53 security controls requiring authentication and virtual private network (VPN) connections will be implemented.
8. When applicable, verify how the NIST Special Publication 800-53 security controls enforcing allowed downloading of PII will be implemented.
9. Identify measures to ensure subcontractor compliance with safeguarding PII.

The details contained in the Offeror’s PII Security Plan must be commensurate with the size and complexity of the contract requirements based on the System Categorization specified above in the subparagraph entitled Security Categories and Levels. The Offeror’s PII Security Plan will be evaluated by the Government for appropriateness and adequacy.

I. LOSS AND/OR DISCLOSURE OF PERSONALLY IDENTIFIABLE INFORMATION (PII) – NOTIFICATION OF DATA BREACH

The Contractor shall be responsible for reporting all incidents involving the loss and/or disclosure of PII in electronic or physical form. Notification shall be made to the NIH Incident Response Team (IRT@mail.nih.gov) via email within one hour of discovering the incident. The contractor shall follow up with the IRT by completing and submitting one of the following two forms:
• NIH PII Spillage Report: http://irm.cit.nih.gov/security/PII_Spillage_Report.doc
• NIH Lost or Stolen Assets Report: http://irm.cit.nih.gov/security/Lost_or_Stolen.doc

The notification requirements do not distinguish between suspected and confirmed breaches.

NIH Breach Notification

Remote storage of CC data is applicable to this acquisition. In accordance with the Interim Final Rule on Breach Notification for Unsecured Protected Health Information in Section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act, published in the Federal Register on or about August 13, 2009:

1) The Clinical Center requires that all contractors/subcontractors with access to unsecured protected health information from CC Information Systems provide notice of a breach to the Clinical Center without unreasonable delay and in no case later than 60 days following the discovery of a breach.
2) In the event of a breach, the Clinical Center requires that all contractors/subcontractors, to the extent possible, provide the Clinical Center with the identification of each individual whose unsecured protected health information has been, or is reasonably believed to have been, breached and any other information related to the breach. The required information must be provided when available but without unreasonable delay and within 60 days in order for the Government to provide notice to affected individuals.
J.SPECIAL INFORMATION SECURITY REQUIREMENTS FOR FOREIGN CONTRACTORS/SUBCONTRACTORS When foreign contractors/subcontractors perform work under this acquisition at non-US Federal Government facilities, provisions of HSPD-12 do NOT apply. K.REFERENCES: INFORMATION SECURITY INCLUDING PERSONALLY IDENTIFIABLE INFORMATION (1)Federal Information Security Management Act of 2002 (FISMA), Title III, E-Government Act of 2002, Pub. L. No. 107-347 (Dec. 17, 2002); http://csrc.nist.gov/drivers/documents/FISMA-final.pdf (2)DHHS Personnel Security/Suitability Handbook: http://www.knownet.hhs.gov/acquisition/pssh.pdf (3)NIH Computer Security Awareness Course: http://irtsectraining.nih.gov/ (4)NIST Special Publication 800-16, Information Technology Security TrainingRequirements: http://csrc.nist.gov/publications/nistpubs/800-16/800-16.pdf Appendix A-D: http://csrc.nist.gov/publications/nistpubs/800-16/AppendixA-D.pdf (5)NIST SP 800-18, Guide for Developing Security Plans for Information Technology Systems: http://csrc.nist.gov/publications/nistpubs/800-18-Rev1/sp800-18-Rev1-final.pdf (6)NIST SP 800-53, Revision 1, Recommended Security Controls for Federal Information Systems: http://www.csrc.nist.gov/publications/drafts/800-53-rev1-ipd-clean.pdf (7)NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, Volume I: http://csrc.nist.gov/publications/nistpubs/800-60/SP800-60V1-final.pdf; Volume II, Appendices to Guide For Mapping Types of Information and Information Systems To Security Categories, Appendix C at: http://csrc.nist.gov/publications/nistpubs/800-60/SP800-60V2-final.pdf and Appendix D at: http://csrc.nist.gov/publications/nistpubs/800-60/SP800-60V2-final.pdf. 
(8)NIST SP 800-64, Security Considerations in the Information System Development Life Cycle: http://csrc.nist.gov/publications/nistpubs/800-64/NIST-SP800-64.pdf (9)FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems: http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf (10)FIPS PUB 200, Minimum Security Requirements for Federal Information and Information Systems: http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf (11)OMB Memorandum M-06-15, Safeguarding Personally Identifiable Information (05-22-06): http://www.whitehouse.gov/omb/memoranda/fy2006/m-06-15.pdf (12)OMB Memorandum M-06-16, Protection of Sensitive Agency Information (06-23-06): http://www.whitehouse.gov/OMB/memoranda/fy2006/m06-16.pdf (13)OMB Memorandum M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments (07-12-06) http://www.whitehouse.gov/omb/memoranda/fy2006/m-06-19.pdf (14)OMB Memorandum, Recommendations for Identity Theft Related Data Breach Notification (09-20-06) http://www.whitehouse.gov/omb/memoranda/fy2006/task_force_theft_memo.pdf (15)OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information (05-22-07) http://www.whitehouse.gov/omb/memoranda/fy2007/m07-16.pdf (16)OMB Memorandum M-07-18, Ensuring New Acquisitions Include Common Security Configurations (06-01-07) http://www.whitehouse.gov/omb/memoranda/fy2007/m07-18.pdf (17)Guide for Identifying Sensitive Information, including Information in Identifiable Form, at the NIH ( 04-18-2008) (http://irm.cit.nih.gov/security/NIH_Sensitive_Info_Guide.doc (18)HHS OCIO Policies http://www.hhs.gov/ocio/policy/index.html#Security (19)NIH Privacy Awareness Course: http://irtsectraining.nih.gov/ L.REFERENCES: PHYSICAL ACCESS SECURITY (1)HHS Information Security Program Policy: 
http://intranet.hhs.gov/infosec/docs/policies_guides/ISPP/Information_Security_Program_Policy.pdf (2) Homeland Security Presidential Directive/HSPD-12, Policy for a Common Identification Standard for Federal Employees and Contractors (08-27-04): http://www.whitehouse.gov/news/releases/2004/08/print/20040827-8.html (3)OMB Memorandum M-05-24, Implementation of Homeland Security Presidential Directive (HSPD) 12 – Policy for a Common Identification Standard for Federal Employees and Contractors (08-05-05): http://www.whitehouse.gov/omb/memoranda/fy2005/m05-24.pdf (4)OMB Memorandum M-07-06, Validating and Monitoring Agency Issuance of Personal Identity Verification Credentials (01-11-07): http://www.whitehouse.gov/omb/memoranda/fy2007/m07-06.pdf (5)Federal Information Processing Standards Publication (FIPS PUB) 201-1 (Updated June 26, 2006): http://csrc.nist.gov/publications/fips/fips201-1/FIPS-201-1-chng1.pdf (6)HHS Interim Policy: Contractual Implementation of Homeland Security Presidential Directive (HSPD) 12, Policy for a Common Identification Standard for Federal Employees and Contractors [Draft] http://www.hhs.gov/oamp/policies/hspd12contractguide.doc (7)HHS Office of Security and Drug Testing, Personnel Security/Suitability Handbook (02-01-05): http://www.hhs.gov/oamp/policies/personnel_security_suitability_handbook.html (8)HHSAR 307.7106, Statement of Work (SOW); HHSAR 307.7108 in new coverage as of 02-01-07: http://knownet.hhs.gov/acquisition/hhsar/Default.htm (9)Federal Acquisition Regulation (FAR) 37.602, Performance Work Statement (PWS): http://acquisition.gov/far/current/html/Subpart%2037_6.html#wp1074648 (10)FAR Subpart 4.13, Personal Identity Verification of Contractor Personnel: http://acquisition.gov/far/current/html/Subpart%204_13.html#wp1074125 (11)FAR 52.204-9, Personal Identity Verification of Contractor Personnel [clause]: http://acquisition.gov/far/current/html/52_200_206.html#wp1139617 DHHS customers must include this subsection if the services 
required include configuration of any systems or applications for which there exist Agency Configuration Standards or NIST Security Checklist Standards. IF THIS IS NOT APPLICABLE TO THE TASK ORDER, DELETE THIS SUBSECTION M.System Configuration Security If the services required include configuration of any systems or applications for which there exist Agency Configuration Standards or NIST Security Checklist Standards, then the SOW must require that these configurations conform to the Agency or NIST standard. N.Federal Desktop Core Configuration (FDCC) and Federal Information Processing 201 Security Requirements • The Contractor shall ensure new systems are configured with the applicable Federal Desktop Core Configuration (FDCC) (http://nvd.nist.gov/fdcc/download_fdcc.cfm)[1][1] and applicable configurations from http://checklists.nist.gov, as jointly identified by the OPDIV/STAFFDIV Contracting Officer’s Technical Representative (COTR) and the CISO. • The Contractor shall ensure hardware and software installation, operation, maintenance, update, and/or patching will not alter the configuration settings specified in: (a) the FDCC (http://nvd.nist.gov/fdcc/index.cfm); and (b) other applicable configuration checklists as referenced above. • The Contractor shall ensure applications are fully functional and operate correctly on systems configured in accordance with the above configuration requirements. • The Contractor shall ensure applications designed for end users run in the standard user context without requiring elevated administrative privileges. • FIPS 201-compliant, Homeland Security Presidential Directive 12 (HSPD-12) card readers shall: (a) be included with the purchase of servers, desktops, and laptops; and (b) comply with FAR Subpart 4.13, Personal Identity Verification. 
In accordance with HHS-OCIO-2008-0004.001S “Standard Security Language Configuration in HHS Contracts”, all NIH purchases of servers, desktops, and laptops shall include a Federal Information Processing Standard 201 (FIPS-201)-compliant smartcard reader. A list of approved FIPS-201 compliant devices may be found at http://www.idmanagement.gov/drilldown.cfm?action=gov_app_products. As standards-compliant smartcard readers may not be available from all sources, or may be more cheaply acquired and provisioned separately, IC information technology staff must review the status of emerging NIH standards for compliant peripheral devices (keyboards, card readers, etc.) before making purchases. By 01/01/2011, all systems joined to the NIH network or otherwise brought into production use must be provisioned with a FIPS-201 compliant PIV card reader.
• The Contractor shall ensure that all of its subcontractors (at all tiers) comply with the above requirements.

O. Data and System Interoperability Compliance Standards
Executive Order 13410, Promoting Quality and Efficient Health Care in Federal Government Administered or Sponsored Health Care Programs (http://www.whitehouse.gov/news/releases/2006/08/20060822.html), requires that any system that is used in patient care or in the patient care setting must comply with CCHIT certification; those standards are located at http://www.cchit.org.

P. ELECTRONIC AND INFORMATION TECHNOLOGY ACCESSIBILITY (January 2008)
Pursuant to Section 508 of the Rehabilitation Act of 1973 (29 U.S.C. 794d), as amended by the Workforce Investment Act of 1998, all electronic and information technology (EIT) products and services developed, acquired, maintained, and/or used under this contract/order must comply with the "Electronic and Information Technology Accessibility Provisions" set forth by the Architectural and Transportation Barriers Compliance Board (also referred to as the "Access Board") in 36 CFR part 1194.
Information about Section 508 provisions is available at http://www.section508.gov. The complete text of the Section 508 Final provisions can be accessed at http://www.accessboard.gov/sec508/provisions.htm. The Section 508 standards applicable to this contract/order are identified in the Statement of Work. The Contractor must provide a written Section 508 conformance certification due at the end of each order/contract exceeding $100,000 when the order/contract duration is one year or less. If it is determined by the Government that EIT products and services provided by the Contractor do not conform to the described accessibility in the Product Assessment Template, remediation of the products and/or services to the level of conformance specified in the vendor's Product Assessment Template will be the responsibility of the Contractor at its own expense. In the event of a modification(s) to the contract/order which adds new EIT products and services or revises the type of, or specifications for, products and services the Contractor is to provide, including EIT deliverables such as electronic documents and reports, the Contracting Officer may require that the Contractor submit a completed HHS Section 508 Product Assessment Template to assist the Government in determining that the EIT products and services support Section 508 accessibility requirements. Instructions for documenting accessibility via the HHS Section 508 Product Assessment Template may be found at http://508.hhs.gov. [End of HHSAR 352.270-19(b)]

Prior to the Contracting Officer exercising an option for a subsequent performance period/additional quantity or adding incremental funding for a subsequent performance period under this contract, as applicable, the Contractor must provide a Section 508 Annual Report to the Contracting Officer and Contracting Officer's Technical Representative (also known as Project Officer or Contracting Officer's Representative).
Unless otherwise directed by the Contracting Officer in writing, the Contractor shall provide the cited report in accordance with the following schedule. Instructions for completing the report are available at http://508.hhs.gov under the heading Vendor Information and Documents. The Contractor's failure to submit a timely and properly completed report may jeopardize the Contracting Officer's exercising an option or adding incremental funding, as applicable. Schedule for Contractor Submission of Section 508 Annual Report: [End of HHSAR 352.270-19(c)]

2) PRIVACY ACT
FAR 52.224-1 Privacy Act Notification (Apr 1984)
The Contractor will be required to design, develop, or operate a system of records on individuals, to accomplish an agency function subject to the Privacy Act of 1974, Public Law 93-579, December 31, 1974 (5 U.S.C. 552a) and applicable agency regulations. Violation of the Act may involve the imposition of criminal penalties.

FAR 52.224-2 Privacy Act (April 1984)
(a) The Contractor agrees to—
(1) Comply with the Privacy Act of 1974 (the Act) and the agency rules and regulations issued under the Act in the design, development, or operation of any system of records on individuals to accomplish an agency function when the contract specifically identifies— (i) The systems of records; and (ii) The design, development, or operation work that the contractor is to perform;
(2) Include the Privacy Act notification contained in this contract in every solicitation and resulting subcontract and in every subcontract awarded without a solicitation, when the work statement in the proposed subcontract requires the redesign, development, or operation of a system of records on individuals that is subject to the Act; and
(3) Include this clause, including this paragraph (3), in all subcontracts awarded under this contract which require the design, development, or operation of such a system of records.
(b) In the event of violations of the Act, a civil action may be brought against the agency involved when the violation concerns the design, development, or operation of a system of records on individuals to accomplish an agency function, and criminal penalties may be imposed upon the officers or employees of the agency when the violation concerns the operation of a system of records on individuals to accomplish an agency function. For purposes of the Act, when the contract is for the operation of a system of records on individuals to accomplish an agency function, the Contractor is considered to be an employee of the agency.
(c)(1) “Operation of a system of records,” as used in this clause, means performance of any of the activities associated with maintaining the system of records, including the collection, use, and dissemination of records.
(2) “Record,” as used in this clause, means any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and that contains the person’s name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a fingerprint or voiceprint or a photograph.
(3) “System of records on individuals,” as used in this clause, means a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.

3) Personal Identity Verification of Contractor Personnel
FAR 52.204-9 (SEPT 2007)
(a) The Contractor shall comply with agency personal identity verification procedures identified in the contract that implement Homeland Security Presidential Directive-12 (HSPD-12), Office of Management and Budget (OMB) guidance M-05-24 and Federal Information Processing Standards Publication (FIPS PUB) Number 201.
(b) The Contractor shall insert this clause in all subcontracts when the subcontractor is required to have routine physical access to a Federally-controlled facility and/or routine access to a Federally-controlled information system.

4) EMPLOYMENT ELIGIBILITY VERIFICATION
FAR 52.222-54 (JAN 2009)
(a) Definitions. As used in this clause—
“Commercially available off-the-shelf (COTS) item”—
(1) Means any item of supply that is— (i) A commercial item (as defined in paragraph (1) of the definition at 2.101); (ii) Sold in substantial quantities in the commercial marketplace; and (iii) Offered to the Government, without modification, in the same form in which it is sold in the commercial marketplace; and
(2) Does not include bulk cargo, as defined in section 3 of the Shipping Act of 1984 (46 U.S.C. App. 1702), such as agricultural products and petroleum products. Per 46 CFR 525.1 (c)(2), “bulk cargo” means cargo that is loaded and carried in bulk onboard ship without mark or count, in a loose unpackaged form, having homogenous characteristics. Bulk cargo loaded into intermodal equipment, except LASH or Seabee barges, is subject to mark and count and, therefore, ceases to be bulk cargo.
“Employee assigned to the contract” means an employee who was hired after November 6, 1986, who is directly performing work, in the United States, under a contract that is required to include the clause prescribed at 22.1803. An employee is not considered to be directly performing work under a contract if the employee— (1) Normally performs support work, such as indirect or overhead functions; and (2) Does not perform any substantial duties applicable to the contract.
“Subcontract” means any contract, as defined in 2.101, entered into by a subcontractor to furnish supplies or services for performance of a prime contract or a subcontract. It includes but is not limited to purchase orders, and changes and modifications to purchase orders.
“Subcontractor” means any supplier, distributor, vendor, or firm that furnishes supplies or services to or for a prime Contractor or another subcontractor.
“United States”, as defined in 8 U.S.C. 1101(a)(38), means the 50 States, the District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands.
(b) Enrollment and verification requirements.
(1) If the Contractor is not enrolled as a Federal Contractor in E-Verify at time of contract award, the Contractor shall—
(i) Enroll. Enroll as a Federal Contractor in the E-Verify program within 30 calendar days of contract award;
(ii) Verify all new employees. Within 90 calendar days of enrollment in the E-Verify program, begin to use E-Verify to initiate verification of employment eligibility of all new hires of the Contractor, who are working in the United States, whether or not assigned to the contract, within 3 business days after the date of hire (but see paragraph (b)(3) of this section); and
(iii) Verify employees assigned to the contract. For each employee assigned to the contract, initiate verification within 90 calendar days after date of enrollment or within 30 calendar days of the employee’s assignment to the contract, whichever date is later (but see paragraph (b)(4) of this section).
(2) If the Contractor is enrolled as a Federal Contractor in E-Verify at time of contract award, the Contractor shall use E-Verify to initiate verification of employment eligibility of—
(i) All new employees. (A) Enrolled 90 calendar days or more. The Contractor shall initiate verification of all new hires of the Contractor, who are working in the United States, whether or not assigned to the contract, within 3 business days after the date of hire (but see paragraph (b)(3) of this section); or (B) Enrolled less than 90 calendar days.
Within 90 calendar days after enrollment as a Federal Contractor in E-Verify, the Contractor shall initiate verification of all new hires of the Contractor, who are working in the United States, whether or not assigned to the contract, within 3 business days after the date of hire (but see paragraph (b)(3) of this section); or
(ii) Employees assigned to the contract. For each employee assigned to the contract, the Contractor shall initiate verification within 90 calendar days after date of contract award or within 30 days after assignment to the contract, whichever date is later (but see paragraph (b)(4) of this section).
(3) If the Contractor is an institution of higher education (as defined at 20 U.S.C. 1001(a)); a State or local government or the government of a Federally recognized Indian tribe; or a surety performing under a takeover agreement entered into with a Federal agency pursuant to a performance bond, the Contractor may choose to verify only employees assigned to the contract, whether existing employees or new hires. The Contractor shall follow the applicable verification requirements at (b)(1) or (b)(2) respectively, except that any requirement for verification of new employees applies only to new employees assigned to the contract.
(4) Option to verify employment eligibility of all employees. The Contractor may elect to verify all existing employees hired after November 6, 1986, rather than just those employees assigned to the contract. The Contractor shall initiate verification for each existing employee working in the United States who was hired after November 6, 1986, within 180 calendar days of— (i) Enrollment in the E-Verify program; or (ii) Notification to E-Verify Operations of the Contractor’s decision to exercise this option, using the contact information provided in the E-Verify program Memorandum of Understanding (MOU).
(5) The Contractor shall comply, for the period of performance of this contract, with the requirements of the E-Verify program MOU.
(i) The Department of Homeland Security (DHS) or the Social Security Administration (SSA) may terminate the Contractor’s MOU and deny access to the E-Verify system in accordance with the terms of the MOU. In such case, the Contractor will be referred to a suspension or debarment official.
(ii) During the period between termination of the MOU and a decision by the suspension or debarment official whether to suspend or debar, the Contractor is excused from its obligations under paragraph (b) of this clause. If the suspension or debarment official determines not to suspend or debar the Contractor, then the Contractor must reenroll in E-Verify.
(c) Web site. Information on registration for and use of the E-Verify program can be obtained via the Internet at the Department of Homeland Security Web site: http://www.dhs.gov/E-Verify.
(d) Individuals previously verified. The Contractor is not required by this clause to perform additional employment verification using E-Verify for any employee—
(1) Whose employment eligibility was previously verified by the Contractor through the E-Verify program;
(2) Who has been granted and holds an active U.S. Government security clearance for access to confidential, secret, or top secret information in accordance with the National Industrial Security Program Operating Manual; or
(3) Who has undergone a completed background investigation and been issued credentials pursuant to Homeland Security Presidential Directive (HSPD)-12, Policy for a Common Identification Standard for Federal Employees and Contractors.
(e) Subcontracts.
The Contractor shall include the requirements of this clause, including this paragraph (e) (appropriately modified for identification of the parties), in each subcontract that—
(1) Is for— (i) Commercial or noncommercial services (except for commercial services that are part of the purchase of a COTS item (or an item that would be a COTS item, but for minor modifications), performed by the COTS provider, and are normally provided for that COTS item); or (ii) Construction;
(2) Has a value of more than $3,000; and
(3) Includes work performed in the United States.

Government Furnished Equipment (GFE)
There are no government furnished equipment requirements for this order.

Inspection and Acceptance Criteria
Services are provided on an as-needed basis.

EVALUATION CRITERIA:
1. Must be able to provide support 24X7X365 for listed equipment and software.
2. Must be able to provide original equipment manufacturer hardware replacement parts.
3. Must provide Cerner RIS software updates and maintenance services.
4. Must provide support for the custom integration implementation at NIH of the Cerner RIS, the NIH CRISe and the Carestream PACS.
 
Web Link
FBO.gov Permalink
(https://www.fbo.gov/spg/HHS/NIH/CCOPC/11-002973/listing.html)
 
Place of Performance
Address: 9000 Rockville Pike, Radiology & Imaging Sciences, Bethesda, Maryland, 20892, United States
Zip Code: 20892
 
Record
SN02460422-W 20110602/110531234553-0adad3bb062b0a100ac83b0faf2b3147 (fbodaily.com)
 