Loren Data's SAM Daily™

FBO DAILY ISSUE OF SEPTEMBER 02, 2012 FBO #3935
SOLICITATION NOTICE

R -- Information Rx National Program Fulfillment and Storage - Statement of Work

Notice Date
8/31/2012
 
Notice Type
Combined Synopsis/Solicitation
 
NAICS
561431 — Private Mail Centers
 
Contracting Office
Department of Health and Human Services, National Institutes of Health, National Library of Medicine, 6707 Democracy Blvd., Suite 105, Bethesda, Maryland, 20894, United States
 
ZIP Code
20894
 
Solicitation Number
RFQ-NIH-NLM-2012-427-SRE
 
Archive Date
9/29/2012
 
Point of Contact
Sheila R. Edmonds, Phone: 3014966546
 
E-Mail Address
sheila.edmonds@nih.gov
 
Small Business Set-Aside
N/A
 
Description
Statement of Work
Information Rx National Program Fulfillment and Storage

This is a combined synopsis/solicitation for commercial items prepared in accordance with the format in Subpart 12.6, as supplemented with additional information included in this notice. This announcement constitutes the only solicitation; proposals are being requested and a written solicitation will not be issued. This solicitation is being issued as Request for Quotations (RFQ) NIH-NLM-2012-427/SRE. The resultant order will be a firm-fixed price purchase order. In accordance with FAR Parts 12 and 13, the National Institutes of Health (NIH) National Library of Medicine (NLM) intends to procure professional services to assist in its goal to provide order fulfillment for the NLM in all components of its InformationRx outreach program. This acquisition is a 100% total small business set aside. The North American Industry Classification System (NAICS) Code is 561431-Private Mail Centers with a small business size standard of $7.0 million.

Background: The Outreach Initiative charged to the National Library of Medicine (NLM) by the Board of Regents is to raise public awareness about the services and programs of the NLM. In furtherance of that mission, the NLM developed the "Information Prescription Project," a free outreach program offered by the NLM to physicians and health professionals to refer their patients to MedlinePlus.gov - a trusted and reliable consumer health information resource. The goal is to have MedlinePlus be the website your doctor prescribes. This national health information resource outreach program was launched in 2004 as a collaborative effort between the NLM and the American College of Physicians (ACP) Foundation as one possible answer to the health literacy challenge that affects nearly half of all American adults.
Since its launch in 2004, the NLM has expanded its collaborative effort to include the American Osteopathic Association, the National Medical Association, and the American Association of Physician Assistants.

Purpose/Objective: Physicians and health professionals can use InformationRx health information outreach resources to direct their patients to MedlinePlus content, in English or Spanish. The physician's objective may be to help a patient prevent a debilitating illness, understand a new diagnosis, become comfortable with a new treatment plan, or simply learn to better manage a chronic condition. Participating physicians tell NLM that an information prescription helps improve patient communication, encourages compliance, and reduces the number of poor quality internet searches that patients sometimes do on their own. In other words, the InformationRx project can save valuable time, empower patients, and enhance the quality and outcome of an interaction - during an office visit and after a patient returns home. The InformationRx program is a rigorous outreach and evaluation project that seeks to increase public and health professional awareness of NLM services and programs. To accomplish the identified objectives, the NLM is seeking the services of a Contractor to assist in its goal to provide order fulfillment for the NLM in all components of its InformationRx outreach program.
Tasks/Deliverables: Specifically, the Contractor shall:
● Be the fulfillment house for a variety of different Information Rx health information outreach resource materials and shall coordinate inventory with the NLM
● Receive data daily from web shopping cart page attached to www.informationrx.org website
● Receive fax orders from customers on the Contractor-provided toll free fax number (data to include name and ship to address, product, order quantity); and NLM will have access to inventory and order information through the Contractor's Pro-Mail software
● Enter manual orders into the fulfillment system as needed as a data entry cost. Order fulfillment shall include generation of package label/packing slip to include distribution center information; pick, pack and ship product
● Provide and host a website, www.informationrx.org, for interested partners to place orders. The Contractor shall fulfill website orders and provide account management and promail access.

There will be no sharing of the data collected with anyone other than the National Library of Medicine.

Period of Performance: The period of performance will be twelve (12) months from date of award, with four (4) additional 12-month option periods.

Payment: Partial payments will be made. Monthly invoices are required.

Evaluation Criteria
Technical factors are of paramount consideration in the award of the purchase order; however, price is also important to the overall award decision. All evaluation factors other than price, when combined, are significantly more important than price. The Government can make tradeoffs among price and technical factors in determining which Quoter offers the best value by awarding to other than the lowest price Quoter or other than the highest technically rated Quoter. Quoters are advised that award will be made to that Quoter whose quote provides the best overall value to the Government.
Technical Evaluation Criteria
In determining which quote represents the best value and results in the lowest overall price alternative (considering price, special features, administrative costs, etc.) to meet the Government's needs, the Government shall evaluate quotes using the following technical evaluation criteria, which are listed in the order of relative importance with weights assigned for evaluation processes:

Evaluation Criteria
The following technical evaluation criteria below are listed in relative importance with weights assigned for evaluation purposes.

1. Understanding the Requirements/Technical Approach (50 Points)
• Quality and clarity of the methodological approach involved in accomplishing the objectives of the statement of work to coordinate the overall project and assist in providing order fulfillment.
• Evidence of ability to accomplish the specific tasks described in the statement of work.
• Understanding of the Government's intent for this procurement and the feasibility of approach to address its overall goals.
• Soundness of approach to incorporate Government input on the project.

2. Personnel/Staff Qualifications (25 Points)
• Demonstrated qualifications, experience and availability of all proposed personnel, including any consultants and/or subcontractors, and evidence of relevant past work.
• Provide resumes of all proposed project personnel that document previous pertinent experience and references
• Evidence that proposed team can accomplish tasks in specified timeframe.

3. Organizational Capabilities, Experience and Commitment (25 Points)
• Evidence of corporate capability to organize and manage resources and personnel effectively to successfully complete the projects.
• Familiarity with the NIH and NLM structure or an organization of similar size and structure and subject matter
• For any subcontractor(s) proposed, effectiveness and timeliness of management plan in specifying responsibilities allocated to each organization and how these entities shall interact.
• Adequacy of mechanisms in place to hire technically qualified staff on a quick turnaround basis, as needed, and to ensure that personnel assigned to a project are retained during the entire project.
• Organizational commitment to quality of product and deployment of necessary resources to meet the project requirements.

ARTICLE H-NIH INFORMATION AND PHYSICAL ACCESS SECURITY

This acquisition requires the Contractor to:
[X] develop, have the ability to access, or host and/or maintain Federal information and/or Federal information system(s).
[X] access, or use, Personally Identifiable Information (PII), including instances of remote access to or physical removal of such information beyond agency premises or control.
[ ] have regular or prolonged physical access to a "Federally-controlled facility," as defined in FAR Subpart 2.1.

The Contractor and all subcontractors performing under this acquisition shall comply with the following requirements:

1. Information Type
[X] Administrative, Management and Support Information: The Contractor will provide professional services to assist the National Library of Medicine (NLM) to assist in its goal to provide order fulfillment for the NLM in all components of its Information Rx outreach program.
[ ] Mission Based Information: ______________________________ ______________________________ ______________________________

2. Security Categories and Levels
Confidentiality Level: [ X ] Low [ ] Moderate [ ] High
Integrity Level: [ X ] Low [ ] Moderate [ ] High
Availability Level: [ X ] Low [ ] Moderate [ ] High
Overall Level: [ X ] Low [ ] Moderate [ ] High

3.
Position Sensitivity Designations
The following sensitivity level(s), clearance type(s), and investigation requirements apply to this contract:
[ ] Level 6: Public Trust - High Risk. Contractor/subcontractor employees assigned to Level 6 positions shall undergo a Suitability Determination and Background Investigation (BI).
[ ] Level 5: Public Trust - Moderate Risk. Contractor/subcontractor employees assigned to Level 5 positions with no previous investigation and approval shall undergo a Suitability Determination and a Minimum Background Investigation (MBI), or a Limited Background Investigation (LBI).
[ X ] Level 1: Non-Sensitive. Contractor/subcontractor employees assigned to Level 1 positions shall undergo a Suitability Determination and National Agency Check and Inquiry Investigation (NACI).

The Contractor shall submit a roster by name, position, e-mail address, phone number and responsibility, of all staff (including subcontractor staff) working under this acquisition where the Contractor will develop, have the ability to access, or host and/or maintain a federal information system(s). The roster shall be submitted to the Project Officer, with a copy to the Contracting Officer, within 14 calendar days of the effective date of this contract. Any revisions to the roster as a result of staffing changes shall be submitted within 15 calendar days of the change. The Contracting Officer will notify the Contractor of the appropriate level of investigation required for each staff member. An electronic template, "Roster of Employees Requiring Suitability Investigations," is available for contractor use at http://ocio.nih.gov/docs/public/Suitability-roster.xls.

Suitability Investigations are required for contractors who will need access to NIH information systems and/or to NIH physical space. However, contractors who do not need access to NIH physical space will not need an NIH ID Badge.
Each contract employee needing a suitability investigation will be contacted via email by the NIH Office of Personnel Security and Access Control (DPSAC) within 30 days. The DPSAC email message will contain instructions regarding fingerprinting as well as links to the electronic forms contract employees must complete. Additional information can be found at the following website: http://idbadge.nih.gov/background/index.asp.

All contractor and subcontractor employees shall comply with the conditions established for their designated position sensitivity level prior to performing any work under this contract. Contractors may begin work after the fingerprint check has been completed.

4. Information Security Training
a. Mandatory Training
All employees having access to (1) Federal information or a Federal information system or (2) personally identifiable information, shall complete the NIH Information Security Awareness Training course at http://irtsectraining.nih.gov/ before performing any work under this contract. Thereafter, employees having access to the information identified above shall complete an annual NIH-specified refresher course during the life of this contract. The Contractor shall also ensure subcontractor compliance with this training requirement.
b. Role-based Training
HHS requires role-based training when responsibilities associated with a given role or position, could, upon execution, have the potential to adversely impact the security posture of one or more HHS systems. Read further guidance at: "Secure One HHS Memorandum on Role-Based Training Requirement". For additional information see the following: http://ocio.nih.gov/security/security-communicating.htm#RoleBased

The Contractor shall maintain a list of all information security training completed by each contractor/subcontractor employee working under this contract. The list shall be provided to the Project Officer and/or Contracting Officer upon request.

5.
Rules of Behavior
The Contractor shall ensure that all employees, including subcontractor employees, comply with the NIH Information Technology General Rules of Behavior, which are available at http://ocio.nih.gov/security/nihitrob.html.

6. Personnel Security Responsibilities
a. The Contractor shall notify the Contracting Officer, Project Officer, and I/C ISSO within five working days before a new employee assumes a position that requires a suitability determination or when an employee with a suitability determination or security clearance stops working under this contract. The Government will initiate a background investigation on new employees requiring suitability determination and will stop pending background investigations for employees that no longer work under this acquisition.
b. The Contractor shall provide the Project Officer with the name, position title, e-mail address, and phone number of all new contract employees working under the contract and provide the name, position title and suitability determination level held by the former incumbent. If the employee is filling a new position, the Contractor shall provide a position description and the Government will determine the appropriate suitability level.
c. The Contractor shall provide the Project Officer with the name, position title, and suitability determination level held by or pending for departing employees. Perform and document the actions identified in the Contractor Employee Separation Checklist (attached) when a Contractor/subcontractor employee terminates work under this contract. All documentation shall be made available to the Project Officer and/or Contracting Officer upon request.

7. Commitment to Protect Non-Public Departmental Information and Data
a.
Contractor Agreement
The Contractor, and any subcontractors performing under this contract, shall not release, publish, or disclose non-public Departmental information to unauthorized personnel, and shall protect such information in accordance with provisions of the following laws and any other pertinent laws and regulations governing the confidentiality of such information:
- 18 U.S.C. 641 (Criminal Code: Public Money, Property or Records)
- 18 U.S.C. 1905 (Criminal Code: Disclosure of Confidential Information)
- Public Law 96-511 (Paperwork Reduction Act)
b. Contractor Employee Non-Disclosure Agreement
Each employee, including subcontractors, having access to non-public Department information under this acquisition shall complete the Commitment to Protect Non-Public Information - Contractor Employee Agreement. A copy of each signed and witnessed Non-Disclosure agreement shall be submitted to the Project Officer prior to performing any work under this acquisition.

8. NIST SP 800-53 Assessment
This contract requires the Contractor to develop, host, and/or maintain a Federal information system at the Contractor's or any subcontractors' facility. The Contractor shall submit an annual information security assessment using NIST SP 800-53, Recommended Security Controls for Federal Information Systems. The assessments shall be due annually within 30 days after the anniversary date of the contract, with the final assessment due at contract completion. The assessments shall be based on the Federal IT Security Assessment Framework and NIST SP 800-53 at:
NIST SP 800-53, Rev.
3 http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf
Annex 1: Baseline Security Controls for Low-Impact Information Systems http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-annex1-updt.pdf
Annex 2: Baseline Security Controls for Moderate-Impact Information Systems http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-annex2-updt.pdf
Annex 3: Baseline Security Controls for High-Impact Information Systems http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-annex3-updt.pdf
The Contractor shall ensure that all of its subcontractors (at all tiers), where applicable, comply with the above reporting requirements.

9. Information System Security Plan (ISSP)
The Contractor shall update the acceptable ISSP submitted in their proposal every three years following the effective date of the contract or when a major modification has been made to its internal system. One copy each shall be submitted to the Project Officer and Contracting Officer.

10. Loss and/or Disclosure of Personally Identifiable Information (PII) - Notification of Data Breach
The Contractor shall report all suspected or confirmed incidents involving the loss and/or disclosure of PII in electronic or physical form. Notification shall be made to the NIH Incident Response Team via email (IRT@mail.nih.gov) within one hour of discovering the incident. The Contractor shall follow up with IRT by completing and submitting one of the following two forms within three (3) work days:
NIH PII Spillage Report [ http://ocio.nih.gov/docs/public/PII_Spillage_Report.doc ]
NIH Lost or Stolen Assets Report [ http://ocio.nih.gov/docs/public/Lost_or_Stolen.doc ]

11. Data Encryption
The following encryption requirements apply to all laptop computers containing HHS data at rest and/or HHS data in transit.
The date by which the Contractor shall be in compliance will be set by the Project Officer; however, device encryption shall occur before any sensitive data is stored on the laptop computer/mobile device, or within 45 days of the start of the contract, whichever occurs first.
a. The Contractor shall secure all laptop computers used on behalf of the government using a Federal Information Processing Standard (FIPS) 140-2 compliant whole-disk encryption solution. The cryptographic module used by an encryption or other cryptographic product must be tested and validated under the Cryptographic Module Validation Program to confirm compliance with the requirements of FIPS PUB 140-2 (as amended). For additional information, refer to http://csrc.nist.gov/cryptval.
b. The Contractor shall secure all mobile devices, including non-HHS laptops and portable media that contain sensitive HHS information by using a FIPS 140-2 compliant product. Data at rest includes all HHS data regardless of where it is stored.
c. The Contractor shall use a FIPS 140-2 compliant key recovery mechanism so that encrypted information can be decrypted and accessed by authorized personnel. Use of encryption keys which are not recoverable by authorized personnel is prohibited.

Key recovery is required by "OMB Guidance to Federal Agencies on Data Availability and Encryption", November 26, 2001, http://csrc.nist.gov/drivers/documents/ombencryption-guidance.pdf.

Encryption key management shall comply with all HHS and NIH policies (http://intranet.hhs.gov/infosec/docs/guidance/hhs_standard_2007.pdf) and shall provide adequate protection to prevent unauthorized decryption of the information.

All media used to store information shall be encrypted until it is sanitized or destroyed in accordance with NIH procedures. Contact the NIH Center for Information Technology for assistance (http://cit.nih.gov/ProductsAndServices/ServiceCatalog/Services.htm?Service=Media+Sanitization+Service).

12.
Vulnerability Scanning Requirements
This acquisition requires the Contractor to host an NIH webpage or database. The Contractor shall conduct periodic and special vulnerability scans, and install software/hardware patches. The Contractor shall report the results of these scans to the Project Officer and the OD Information Systems Security Officer on a monthly basis, with reports due 10 calendar days following the end of each reporting period. The Contractor shall ensure that all of its subcontractors (at all tiers), where applicable, comply with the above requirements.

13. Using Secure Computers to Access Federal Information
a. The Contractor shall use an FDCC compliant computer when processing information on behalf of the Federal government.
b. The Contractor shall install computer virus detection software on all computers used to access information on behalf of the Federal government. Virus detection software and virus detection signatures shall be kept current.

14. Special Information Security Requirements for Foreign Contractors/Subcontractors
When foreign contractors/subcontractors perform work under this acquisition at non-US Federal Government facilities, provisions of HSPD-12 do NOT apply.

15. REFERENCES: INFORMATION SECURITY INCLUDING PERSONALLY IDENTIFIABLE INFORMATION
http://ocio.nih.gov/docs/public/references_information_security.html

16. Personally Identifiable Information (PII) Security Plan
The Offeror shall submit a PII Security Plan with its technical proposal that addresses each of the following items:
a. Verify the information categorization to ensure the identification of the PII requiring protection.
b. Verify the existing risk assessment.
c. Identify the Contractor's existing internal corporate policy that addresses the information protection requirements of the SOW.
d. Verify the adequacy of the Contractor's existing internal corporate policy that addresses the information protection requirements of the SOW.
e.
Identify any revisions, or development, of an internal corporate policy to adequately address the information protection requirements of the SOW.
f. For PII to be physically transported to or stored at a remote site, verify that the security controls of NIST Special Publication 800-53 involving the encryption of transported information will be implemented. http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf
g. When applicable, verify how the NIST Special Publication 800-53 security controls requiring authentication, virtual private network (VPN) connections will be implemented.
h. When applicable, verify how the NIST Special Publication 800-53 security controls enforcing allowed downloading of PII will be implemented.
i. Identify measures to ensure subcontractor compliance with safeguarding PII.

The details contained in the Offeror's PII Security Plan must be commensurate with the size and complexity of the contract requirements based on the System Categorization specified above in the subparagraph entitled Security Categories and Levels. The Offeror's PII Security Plan will be evaluated by the Government for appropriateness and adequacy.

17. Information System Security Plan
The Offeror shall submit an Information System Security Plan (ISSP) with its technical proposal using the current template in Appendix A of NIST SP 800-18, Guide to Developing Security Plans for Federal Information Systems (http://csrc.nist.gov/publications/nistpubs/800-18-Rev1/sp800-18-Rev1-final.pdf). The details contained in the ISSP must be commensurate with the size and complexity of the contract requirements based on the System Categorization determined above in the subparagraph entitled Security Categories and Levels. The Offeror shall also identify measures to ensure subcontractor compliance with the ISSP. The ISSP will be evaluated by the Government for appropriateness and adequacy.
The Contractor shall update the acceptable ISSP submitted in their proposal every three years following the effective date of the contract or when a major modification has been made to its internal system. One copy each shall be submitted to the Project Officer and Contracting Officer.

FEDERAL ACQUISITION REGULATION (FAR) CLAUSES
The following provisions and clauses apply to this acquisition and are incorporated by reference. Full text may be found at https://www.acquisition.gov/Far
FAR 52.212-1 Instructions to Offerors-Commercial Items
FAR 52.212-2 Evaluation-Commercial Items
FAR 52.212-3 Offeror Representations and Certifications-Commercial Items
FAR 52.212-4 Contract Terms and Conditions-Commercial Items
FAR 52.212-5 Contract Terms and Conditions Required to Implement Statutes and Executive orders
FAR 52.224-1 Privacy Act Notification
FAR 52.224-2 Privacy Act

All interested parties shall submit electronic responses to Sheila Edmonds at sheila.edmonds@nih.gov. Responses must be received no later than 12:00 NOON EST on Friday, September 14, 2012, and shall not exceed 10 single-sided pages in length, exclusive of the cover page and letter, table of contents, appendices, and resumes. Please reference solicitation number RFQ-NIH-NLM-2012-427/SRE on all correspondence to this notice.

Inquiries regarding this notice shall be submitted electronically to sheila.edmonds@nih.gov and shall be received by 12:00 NOON EST on Friday, September 7, 2012.
 
Web Link
FBO.gov Permalink
(https://www.fbo.gov/spg/HHS/NIH/OAM/RFQ-NIH-NLM-2012-427-SRE/listing.html)
 
Record
SN02865134-W 20120902/120901000641-53a8da1154a59520d4b203199ec8d5d4 (fbodaily.com)
 
Source
FedBizOpps Link to This Notice
(may not be valid after Archive Date)
