Loren Data's SAM Daily™

fbodaily.com
FBO DAILY - FEDBIZOPPS ISSUE OF FEBRUARY 26, 2015 FBO #4842
DOCUMENT

D -- Offsite Data Storage - Attachment

Notice Date
2/24/2015
 
Notice Type
Attachment
 
NAICS
541614 — Process, Physical Distribution, and Logistics Consulting Services
 
Contracting Office
Department of Veterans Affairs;Acquisition & Materiel Management;Michael E. DeBakey VA Medical Center;2002 Holcombe BLVD;Houston TX 77030 4298
 
Solicitation Number
VA25615N0407
 
Response Due
2/26/2015
 
Archive Date
3/1/2015
 
Point of Contact
Corey L Labbe
 
E-Mail Address
4-7427
 
Small Business Set-Aside
N/A
 
Description
This is a Sources Sought notice for information only. This is not a solicitation for proposals and no contract will be awarded from this announcement. In preparation for future procurement, the Michael E. DeBakey VA Medical Center in Houston, Texas is performing market research to gain knowledge of potential sources and their size classification (service disabled veteran owned small business, veteran owned small business, hub zone, 8(a), small disadvantaged business, woman-owned small business, small business, or large business) relative to NAICS 541614 that can offer the services listed below. Interested companies should submit an electronic statement outlining their company's capability and capacity to provide these services to Houston, TX 77459. Also firms shall provide their business size status in accordance with the small business administration website (www.sba.gov) for the above referenced NAICS code that fall within. Please submit statements of capabilities electronically to corey.labbe2@va.gov no later than Wednesday February 26, 2015 @ 1000 CST. Phone inquiries will not be accepted. Please reference announcement number VA256-13-N-0407 in the subject line of your e-mail.

Vendor Checklist for this announcement.
Vendor name
Address
Email and phone number
Cage Code & DUNS Number
Business size
FSS Contract Number
Capabilities Statement

PERFORMANCE WORK STATEMENT (PWS)
DEPARTMENT OF VETERANS AFFAIRS
Office of Information & Technology
Michael E. DeBakey VA Medical Center
FY 15 Off Site Data Storage
Date: August 19, 2014
580-15-1-2305-XXXX
PWS Version Number: 2.0
Contents
1.0 BACKGROUND
2.0 APPLICABLE DOCUMENTS
3.0 SCOPE OF WORK
4.0 PERFORMANCE DETAILS
4.1 PERFORMANCE PERIOD
4.2 PLACE OF PERFORMANCE
4.3 TRAVEL
5.0 SPECIFIC TASKS AND DELIVERABLES
5.1 PROJECT MANAGEMENT
5.1.1 CONTRACTOR PROJECT MANAGEMENT PLAN
5.1.2 REPORTING REQUIREMENTS
5.2
6.0 GENERAL REQUIREMENTS
6.1 ENTERPRISE AND IT FRAMEWORK
6.2 POSITION/TASK RISK DESIGNATION LEVEL(S) AND CONTRACTOR PERSONNEL SECURITY REQUIREMENTS
6.2.1 POSITION/TASK RISK DESIGNATION LEVEL(S)
6.2.2 CONTRACTOR PERSONNEL SECURITY REQUIREMENTS
6.3 METHOD AND DISTRIBUTION OF DELIVERABLES
6.4 PERFORMANCE METRICS
6.5 FACILITY/RESOURCE PROVISIONS
6.6 GOVERNMENT FURNISHED PROPERTY
ADDENDUM A
ADDENDUM B

1.0 BACKGROUND
The mission of the Department of Veterans Affairs (VA), Office of Information & Technology (O&IT), Michael E. DeBakey VA Medical Center (MEDVAMC), Houston, Texas is to provide benefits and services to Veterans of the United States. In meeting these goals, O&IT strives to provide high quality, effective, and efficient Information Technology (IT) services to those responsible for providing care to the Veterans at the point-of-care as well as throughout all the points of the Veterans' health care in an effective, timely and compassionate manner. VA depends on Information Management/Information Technology (IM/IT) systems to meet mission goals. OI&T has the overall business and management responsibilities for all off-site data storage services. This contract and any option years is to ensure that Michael E. DeBakey VA Medical Center has off-site data storage services to include all of the proposed services as indicated in the full annual statement of work for contract award. The contractor must possess the expertise, security, support desk functions, and knowledge of the VA infrastructure and architecture.

VA Handbook 6500 states: each site will identify and initiate a MOU for storage of the site's backup information.
For commercial entities, if contract is required. Backups are to be stored in a secured location away from the facility in order to avoid loss in the event of an accident or malicious incident. The information will be labeled and packed by the VA and transported to the off-site storage facility securely by the contractor. The priority with which the facility can obtain its backups in the event of a catastrophic emergency will be considered. The storage facility will have controlled access, proper environmental controls, and reinforced concrete or steel beam construction that has been earthquake proofed. Access control to the VA information stored at this location will be stringently controlled and periodically tested. Locks and personnel will be used to control the off-site storage to prevent unauthorized access.

VA Handbook 6500 also states: OI&T Chief is responsible for establishing, maintaining, and executing written procedures for backup and restoration of production system.

The MEDVAMC OI&T seeks a solution to enable MEDVAMC to continue computer processing in case of an unplanned event that would prevent MEDVAMC from using its primary location for its intended computer processing and related purposes. In order to assure that MEDVAMC is able to recover its critical systems in a timely fashion, there is a need to acquire the services of a contractor who can provide Offsite Tape Storage services to MEDVAMC that meets the requirements outlined in this Performance Work Statement (PWS). The contractor shall provide a point of contact (POC) that shall be the liaison between the contractor and the MEDVAMC Contracting Officer's Representative (COR). The Government seeks a full off-site data storage service provider to furnish all personnel, equipment, tools, materials, transportation, management supervision, and other items and services necessary to provide the MEDVAMC with off-site data storage of media at the MEDVAMC.
2.0 APPLICABLE DOCUMENTS
In the performance of the tasks associated with this Performance Work Statement, the Contractor shall comply with the following:
1. 44 U.S.C. § 3541, "Federal Information Security Management Act (FISMA) of 2002"
2. 5 U.S.C. § 552a, as amended, "The Privacy Act of 1974"
3. 42 U.S.C. § 2000d "Title VI of the Civil Rights Act of 1964"
4. Department of Veterans Affairs (VA) Directive 0710, "Personnel Suitability and Security Program," May 18, 2007
5. 36 C.F.R. Part 1194 "Electronic and Information Technology Accessibility Standards," July 1, 2003
6. OMB Circular A-130, "Management of Federal Information Resources," November 28, 2000
7. 32 C.F.R. Part 199, "Civilian Health and Medical Program of the Uniformed Services (CHAMPUS)"
8. VA Directive 6500, "Managing Information Security Risk: VA Information Security Program," September 20, 2012
9. VA Handbook 6500, "Risk Management Framework for VA Information Systems - Tier 3: VA Information Security Program," September 20, 2012
10. VA Handbook 6500.1, "Electronic Media Sanitization," March 22, 2010
11. VA Handbook 6500.2, "Management of Data Breaches Involving Sensitive Personal Information (SPI)", January 6, 2012
12. VA Handbook 6500.3, "Certification and Accreditation of VA Information Systems," November 24, 2008
13. VA Handbook, 6500.5, "Incorporating Security and Privacy in System Development Lifecycle" March 22, 2010
14. VA Handbook 6500.6, "Contract Security," March 12, 2010
15. VA Directive 6508, VA Privacy Impact Assessment, October 3, 2008
16. VA Directive 6300, Records and Information Management, February 26, 2009
17. VA Handbook, 6300.1, Records Management Procedures, March 24, 2010
18. 36 CFR 1234, Facility Standards For Records Storage Facilities

3.0 SCOPE OF WORK
The Michael E. DeBakey Veterans Affairs Medical Center Office of Information and Technology requires offsite storage and retrieval services for computer media (e.g.
cassettes, CD-ROM, diskettes, and cartridge tapes), media shipping containers and locks. The Contractor shall provide all resources necessary to accomplish the deliverables described in the Performance Work Statement (PWS), except as may otherwise be specified. Service shall include pick-up and delivery for the MEDVAMC, 2002 Holcombe Blvd, Room # BC-237, Houston, TX 77030 to meet the offsite storage requirements. The contractor will pick up tapes and platters daily, Monday through Friday, except Federal Holidays (refer to Section 4.5 for holidays), from the 2002 Holcombe Blvd, Houston, TX 77030. The data tapes and platters will be stored offsite.

4.0 PERFORMANCE DETAILS
MEDVAMC OI&T operates a twenty-four (24) hours a day, seven (7) days a week data center and is tasked with providing all information technology services for MEDVAMC main campus and 17 satellite locations. OI&T is responsible for the delivery and technical support of various software and hardware platforms. OI&T implements VA's information technology vision, standards, architecture, and planning processing, along with providing internal data, information, and communications services to our clients. OI&T performs nightly backups of its data to be prepared for pickup and storage at an offsite facility for Disaster Recovery (DR) purposes.

4.1 ROLES AND RESPONSIBILITIES

4.1.1 Contractor shall provide all labor, personnel, equipment, supplies, containers, locks, license/certification, insurance, transportation and supervision necessary to provide an environmentally-controlled facility for the purpose of commercial off-site data storage.

4.1.2 Upon commencement of contract the contractor shall provide requisite containers and locks for media storage. COR will coordinate pick up of packed containers.

4.1.3 The contractor's storage facility will have controlled access, proper environmental controls, and reinforced concrete or steel beam construction that has been earthquake proofed.
The facility must meet, and continue to maintain building standards in accordance with the National Archives and Records Administration (NARA) standards issued in 36 CFR 1234 pertaining to facilities that store Federal records (previously numbered 36 CFR 1228 Subpart K, number for standards was changed in Nov 2009). The contractor will ensure access control to the VA information stored at this location will be stringently controlled and periodically tested. Locks and personnel will be used to control the off-site storage to prevent unauthorized access. Contractor provided locks and personnel will be used to control the off-site storage to prevent unauthorized access. Secure storage shall be provided for tapes in a location where conditions and access are controlled according to standard commercial practices and procedures for the safety and preservation of data. The Government shall have access to the tapes 24 hours a day 7 days a week.

4.1.4 The storage site must be physically located sufficiently distant from MEDVAMC to ensure the safety of archived materials in the event of a disaster in or near MEDVAMC. However, the storage site must be of adequate distance to provide emergency deliveries within two (2) hours of the Government's notification.

4.1.5 The contractor manager shall act as the POC liaison between the OI&T COR and contractor offsite tape storage service provider. The contractor manager shall handle scheduling of all necessary meetings and conference calls and shall provide the COR with a list of any action items resulting from those meetings or calls.

4.1.6 The contractor offsite tape services provider has the responsibility to provide support in all technical aspects of the OI&T requirements in accordance with performance work statement.

4.1.7 The contractor shall provide MEDVAMC with containers and locks to be used for securely transporting media at no additional cost.
Upon termination of this contract or at the end of the contract period, the contractor shall return all media to the facility in the locked containers; these containers and locks will then be emptied and returned to the contractor. Normal wear and tear will be acceptable. Access control to the VA information stored at this location will be stringently controlled.

4.1.8 OI&T COR will coordinate all pickup / delivery and testing schedules with the contractor through the contractor's POC. Any questions or concerns will be handled through the POC also. The names of staff authorized to request recall of tapes and the required forms for recall are kept on file with the offsite contractor and with the IT Staff and Facility Information Security Officer.

4.2 TECHNICAL REQUIREMENTS

4.2.1 The contractor shall provide the use of a site, delivery and pickup of media that will assure MEDVAMC OI&T has the ability to restore its systems if the need arises and to provide a safe and secure location to store the backup media generated at the MEDVAMC OI&T on a nightly basis. Note the Media Pickup and Delivery Schedule - refer to Section 5.1.2 for business hours.

4.2.2 The MEDVAMC OI&T has business requirements that require it has an offsite storage contract that provides for closed container storage. Closed Container - Media in closed containers is treated as a single unit and when it is returned, all of the media that was sent is returned in the same single locked container. Closed containers are locked when sent off site and remain locked until returned to the MEDVAMC OI&T. OI&T personnel only access containers when media is stored in container and when media is retrieved when container is returned.

4.2.3 All pickup and deliveries shall take place at the MEDVAMC, 2002 Holcombe Blvd, Room # BC-237, Houston, TX.

4.2.4 The quantities represented in the chart below are the total number of tapes stored or handled for the month. Transport containers are used by the contractor on a daily basis.
Closed containers are transported as requested.

4.2.5 Media Pickup and Delivery

1. Temporary Storage
Day of Week | Type Tape | Size | Quantity Stored | Estimated Recall per month | Estimated Added per month
Daily | LTO/SDLT | 4.5" x 4.5" x 1.0" | 9942
Daily | UDO media platters | 5.25" x 6.0" x 0.5" | 505600

2. Permanent Storage
Day of Week | Type Tape | Size | Quantity Stored | Estimated Recall per month | Estimated Added per month
Daily | LTO/SDLT | 4.5" x 4.5" x 1.0" | 28310

4.3 FUNCTIONAL REQUIREMENTS
In addition to meeting the technical requirements the contractor shall:

4.3.1 Provide electronic means for the MEDVAMC to manage and view the inventory of media containers that is located at the contractor's offsite location.

4.3.2 The contractor's facility shall meet the 36 CFR 1234 storage standards.

4.3.3 Ensure its storage facility provides security for its media delivery vehicles for both exiting and entering the facility. Tapes are to be securely transported under lockdown, using TO Contractor's own fleet of GPS-tracked vehicles, specially adapted to transport media. At key points, tapes are scanned for tracking and to document the workflow.

4.3.4 Provide the contractor's policies and describe the procedures for the MEDVAMC OI&T to follow in the event of a disaster alert and declaration; mitigation of simultaneous and frivolous declarations.

4.3.5 Provide a "closed container" program meaning that OI&T can have closed media containers that are picked up and stored "as is" without being opened.

4.3.6 Provide for one daily special emergency - request outside of the regularly scheduled service date and time, to be picked up and delivered within two hours, 24/7 365 days a year (as needed). A list of Government employees authorized to submit emergency requests by telephone or fax will be furnished to the Contractor at the time of award.

4.3.7 Provide a unique security number for the OI&T account; this number will be used instead of our company name when we interact with the potential contractor.
Additionally, the contractor shall provide unique assigned security numbers for OI&T personnel for the purpose of service interaction; also provide our authorized personnel a unique card bearing this number.

4.3.8 OI&T reserves the right to reject/inspect the storage facility based on the criteria contained in this performance work statement prior to acceptance.

4.4 LIABILITY INSURANCE REQUIREMENTS:
Contractor will be required by FAR 52.228-10 Vehicular and General Public Liability Insurance to carry the following types and amount of insurance as a minimum through the contract period:
Workers' Compensation and Employer's Liability: $100,000
General Liability: $500,000 per occurrence
Automobile Liability:
Bodily Injury: $200,000 per person, $500,000 per occurrence
Property Damage: $20,000 per occurrence

4.5 PERFORMANCE PERIOD
The period of performance shall include one (1) base period and one (1) year option periods. Exercise of option periods is at the sole discretion of the Government and contingent upon availability of funds. Work at the government site shall not take place on Federal holidays or weekends unless directed by the Contracting Officer (CO).
1. Base Year: January 1, 2015 - September 30, 2015
2. Option Year 1: October 1, 2015 - September 30, 2016

There are ten (10) Federal holidays set by law (USC Title 5 Section 6103) that VA follows:

Under current definitions, four are set by date:
New Year's Day: January 1
Independence Day: July 4
Veterans Day: November 11
Christmas Day: December 25

If any of the above falls on a Saturday, then Friday shall be observed as a holiday. Similarly, if one falls on a Sunday, then Monday shall be observed as a holiday.
The other six are set by a day of the week and month:
Martin Luther King's Birthday: Third Monday in January
Washington's Birthday: Third Monday in February
Memorial Day: Last Monday in May
Labor Day: First Monday in September
Columbus Day: Second Monday in October
Thanksgiving: Fourth Thursday in November

4.6 PLACE OF PERFORMANCE
Pick-up and/or delivery tasks under this PWS shall be performed in VA facilities located in Michael E. DeBakey VA Medical Center, at 2002 Holcombe Blvd, Room BC-237, Houston, TX, 77030.

4.7 STORAGE TASKS UNDER THIS PWS SHALL BE PERFORMED AT CONTRACTOR FACILITIES.

TRAVEL
Travel shall be in accordance with individual task order requirements.

5.0 SPECIFIC TASKS AND DELIVERABLES
The Contractor shall perform the following:

1. Specific Mandatory Tasks and Associated Deliverables:
Description of Tasks and Associated Deliverables: The contractor shall provide the specific deliverables described below within the performance period.

Task One: The contractor will provide lockable slotted containers and locks to the VA for all data tapes. The VA will load data tapes into the lockable containers, and the contractor will be responsible for transporting data tapes to a secure location for Michael E. DeBakey Veterans Affairs Medical Center to meet the offsite storage requirements. The contractor shall not open the containers. (see paragraph B7 Liquidated Damages For Data Breach)
Deliverable One: The contractor will perform normal (non-emergency) pickup and delivery of media Monday through Friday between 08:00 am and 3:00 p.m. daily, except Federal Holidays, from the 2002 Holcombe Blvd, Room # BC-237, Houston, TX. The media will be stored offsite.
Task Two: IT Security Contract Documentation
Deliverable Two: One (1) completed and signed copy of VA Privacy and Information Security Awareness and Rules of Behavior Training

Task Three: Unique security for ITCD account
Deliverable Three: Provide unique security code for the MEDVAMC OI&T account to distinguish between OI&T tapes and other tapes stored at facility and updated policies and procedures in MS Word document with owner information and steps at start of task order agreement.

Task Four: One emergency pickup / delivery within 2 hours of receiving the request daily.
Deliverable Four: Provide for one emergency pickup / delivery within 2 hours of receiving the request daily Monday through Friday.

Task Five: Pickup/Delivery Logs
Deliverable Five: Provide a continuous paper log that includes location, pickup time, pickup date and delivery.

5.1 SERVICE LEVEL AGREEMENT

5.1.1 The contractor shall provide a toll free telephone number to be used by OI&T for placing service calls.

5.1.2 The contractor shall provide live-voice response to the call center's calls as depicted in the Service Level Agreement. The contractor shall have access via pager and/or cell phone to its technical support and field personnel so that the required technical support personnel may be contacted regardless of location. The delivery and pick up of the OI&T data is done Monday through Friday, between the hours of 8:00am and 3:00pm.

Type | Service Level | Comment
Routine/Daily Pickup | Pickup and delivery within 24 hours | Tapes to be picked up by 3:00 PM
Emergency Pickup | Pickup and delivery within 2 hours | None

6.0 PAYMENT
Payment will be made monthly in arrears and at the rates identified in 2.2 "Schedule of Price/Cost".

7.0 CONTRACT MONITORING PROCEDURES
At the time of contract award the Contracting Officer will appoint a Contracting Officer Representative (COR) to assist with the contract monitoring requirements.
The COR will be responsible for handling service related documentation such as, pick-up and delivery logs, and service tickets that verify services called for under the contract have been received by the VA Medical Center. The appointed COR will notify the Contracting Officer of any contract non-compliance immediately upon gaining knowledge of any such incident. Further, the COR will maintain copies of all the above-mentioned documentation. Upon invoicing the COR shall certify that services identified within the billing period have been performed. Once certification has been made, the invoice will be forwarded through the proper billing channels and payment shall be made to the contractor.

8.0 CHANGES TO STATEMENT OF WORK
Any changes to this SOW shall be authorized and approved only through written correspondence from the CO. Costs incurred by the contractor through the actions of parties other than the CO shall be borne by the contractor.

9.0 GOVERNMENT RESPONSIBILITIES
MEDVAMC will provide access to the specified areas and other resources as required to perform the services. Technicians will be escorted into equipment areas by MEDVAMC staff on an as needed basis. A MEDVAMC Contracting Officer Representative (COR) will be assigned as a primary POC, and to provide information and resources in a manner to maintain project momentum. Additionally, this person will receive deliverables as a result of this project.

10.0 GENERAL REQUIREMENTS

10.1 POSITION/TASK RISK DESIGNATION LEVEL(S) AND CONTRACTOR PERSONNEL SECURITY REQUIREMENTS

10.1.1 The contractor, their personnel, and their subcontractors shall be subject to the Federal laws, regulations, standards, and VA Directives and Handbooks regarding information and information system security as delineated in this contract.

10.1.2 Position Sensitivity - The position sensitivity/risk level has been designated as Nonsensitive/Low Risk.
10.1.3 Background investigation - The level of background investigation commensurate with the required level of access is Minimum.

10.2 CONTRACTOR EXPERIENCE REQUIREMENTS - KEY PERSONNEL:
These skilled experienced professional and/or technical personnel are essential for successful contractor accomplishment of the work to be performed under this contract and subsequent task orders and option. These are defined as key personnel and are those persons whose resumes were submitted. The contractor agrees that the key personnel shall not be removed, diverted, or replaced from work without approval of the CO and COTR. Any personnel the contractor offers as substitutes shall have the ability and qualifications equal to or better than the key personnel being replaced. Requests to substitute personnel shall be approved by the COTR and the CO. All requests for approval of substitutions in personnel shall be submitted to the COTR and the CO within 30 calendar days prior to making any change in key personnel. The request shall be written and provide a detailed explanation of the circumstances necessitating the proposed substitution. The contractor shall submit a complete resume for the proposed substitute, any changes to the rate specified in the order (as applicable) and any other information requested by the CO needed to approve or disapprove the proposed substitution. The CO will evaluate such requests and promptly notify the contractor of approval or disapproval thereof in writing.

1. The contractor shall bear the expense of obtaining background investigation commensurate with the required level of access is Minimum.
2. The contractor shall prescreen all personnel requiring access to the computer systems to ensure they maintain a U.S. citizenship and are able to read, write, speak and understand the English language.
3. After award, the contractor shall submit information required on the Contractor Background Information Request Form (see Attachment #2) of their employees that will be providing services under this contract.
4. The contractor, when notified of an unfavorable determination by the Government, shall withdraw the employee from consideration from working under the contract.
5. Failure to comply with contractor personnel security requirements may result in termination of the contract for default.

ADDENDUM A

A1.0 Physical Security & Safety Requirements:
The Contractor and their personnel shall follow all VA policies, standard operating procedures, applicable laws and regulations while on VA property. Violations of VA regulations and policies may result in citation and disciplinary measures for persons violating the law.
1. The Contractor and their personnel shall wear visible identification at all times while they are on the premises.
2. VA does not provide parking spaces at the work site; the Contractor must obtain parking at the work site if needed. It is the responsibility of the Contractor to park in the appropriate designated parking areas. VA will not invalidate or make reimbursement for parking violations of the Contractor under any conditions.
3. Smoking is prohibited inside/outside any building other than the designated smoking areas.
4. Possession of weapons is prohibited.
5. The Contractor shall obtain all necessary licenses and/or permits required to perform the work, with the exception of software licenses that need to be procured from a Contractor or contractor in accordance with the requirements document. The Contractor shall take all reasonable precautions necessary to protect persons and property from injury or damage during the performance of this contract.
A2.0 Confidentiality and Non-Disclosure
The Contractor shall follow all VA rules and regulations regarding information security to prevent disclosure of sensitive information to unauthorized individuals or organizations. The Contractor may have access to Protected Health Information (PHI) and Electronic Protected Health Information (EPHI) that is subject to protection under the regulations issued by the Department of Health and Human Services, as mandated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA); 45 CFR Parts 160 and 164, Subparts A and E, the Standards for Privacy of Individually Identifiable Health Information ("Privacy Rule"); and 45 CFR Parts 160 and 164, Subparts A and C, the Security Standard ("Security Rule"). Pursuant to the Privacy and Security Rules, the Contractor must agree in writing to certain mandatory provisions regarding the use and disclosure of PHI and EPHI.
1. The Contractor will have access to some privileged and confidential materials of VA. These printed and electronic documents are for internal use only, are not to be copied or released without permission, and remain the sole property of VA. Some of these materials are protected by the Privacy Act of 1974 (revised by PL 93-5791) and Title 38. Unauthorized disclosure of Privacy Act or Title 38 covered materials is a criminal offense.
2. The VA Contracting Officer will be the sole authorized official to release in writing, any data, draft deliverables, final deliverables, or any other written or printed materials pertaining to this contract. The Contractor shall release no information. Any request for information relating to this contract presented to the Contractor shall be submitted to the VA Contracting Officer for response.
3. Contractor personnel recognize that in the performance of this effort, Contractor personnel may receive or have access to sensitive information, including information provided on a proprietary basis by carriers, equipment manufacturers and other private or public entities. Contractor personnel agree to safeguard such information and use the information exclusively in the performance of this contract. Contractor shall follow all VA rules and regulations regarding information security to prevent disclosure of sensitive information to unauthorized individuals or organizations as enumerated in this section and elsewhere in this Contract and its subparts and appendices.
4. Contractor shall limit access to the minimum number of personnel necessary for contract performance for all information considered sensitive or proprietary in nature. If the Contractor is uncertain of the sensitivity of any information obtained during the performance of this contract, the Contractor has a responsibility to ask the VA Contracting Officer.
5. Contractor shall train all of their employees involved in the performance of this contract on their roles and responsibilities for proper handling and nondisclosure of sensitive VA or proprietary information. Contractor personnel shall not engage in any other action, venture or employment wherein sensitive information shall be used for the profit of any party other than those furnishing the information. The sensitive information transferred, generated, transmitted, or stored herein is for VA benefit and ownership alone.
6. Contractor shall maintain physical security at all facilities housing the activities performed under this contract, including any Contractor facilities according to VA-approved guidelines and directives.
The Contractor shall ensure that security procedures are defined and enforced to ensure all personnel who are provided access to patient data must comply with published procedures to protect the privacy and confidentiality of such information as required by VA.
7. Contractor must adhere to the following:
a. The use of "thumb drives" or any other medium for transport of information is expressly prohibited.
b. Controlled access to system and security software and documentation.
c. Recording, monitoring, and control of passwords and privileges.
d. All terminated personnel are denied physical and electronic access to all data, program listings, data processing equipment and systems.
e. VA, as well as any Contractor (or Subcontractor) systems used to support development, provide the capability to cancel immediately all access privileges and authorizations upon employee termination.
f. Contractor PM and VA PM are informed within twenty-four (24) hours of any employee termination.
g. Acquisition sensitive information shall be marked "Acquisition Sensitive" and shall be handled as "For Official Use Only (FOUO)".
h. Contractor does not require access to classified data.
8. Regulatory standard of conduct governs all personnel directly and indirectly involved in procurements. All personnel engaged in procurement and related activities shall conduct business in a manner above reproach and, except as authorized by statute or regulation, with complete impartiality and with preferential treatment for none. The general rule is to strictly avoid any conflict of interest or even the appearance of a conflict of interest in VA/Contractor relationships.
9. VA Form 0752 shall be completed by all Contractor employees working on this contract, and shall be provided to the CO before any work is performed. In the case that Contractor personnel are replaced in the future, their replacements shall complete VA Form 0752 prior to beginning work.

ADDENDUM B
THE VA INFORMATION AND INFORMATION SYSTEM SECURITY/PRIVACY LANGUAGE, VA HANDBOOK 6500.6, APPENDIX C, MARCH 12, 2010

B1. GENERAL
Contractors, Contractor personnel, Subcontractors, and Subcontractor personnel shall be subject to the same Federal laws, regulations, standards, and VA Directives and Handbooks as VA and VA personnel regarding information and information system security.

B2. ACCESS TO VA INFORMATION AND VA INFORMATION SYSTEMS
a. A Contractor/Subcontractor shall request logical (technical) or physical access to VA information and VA information systems for their employees, Subcontractors, and affiliates only to the extent necessary to perform the services specified in the contract, agreement, or task order.
b. All Contractors, Subcontractors, and third-party servicers and associates working with VA information are subject to the same investigative requirements as those of VA appointees or employees who have access to the same types of information. The level and process of background security investigations for Contractors must be in accordance with VA Directive and Handbook 0710, Personnel Suitability and Security Program. The Office for Operations, Security, and Preparedness is responsible for these policies and procedures.
c. Contract personnel who require access to national security programs must have a valid security clearance. National Industrial Security Program (NISP) was established by Executive Order 12829 to ensure that cleared U.S. defense industry contract personnel safeguard the classified information in their possession while performing work on contracts, programs, bids, or research and development efforts. The Department of Veterans Affairs does not have a Memorandum of Agreement with Defense Security Service (DSS). Verification of a Security Clearance must be processed through the Special Security Officer located in the Planning and National Security Service within the Office of Operations, Security, and Preparedness.
d. Custom software development and outsourced operations must be located in the U.S. to the maximum extent practical. If such services are proposed to be performed abroad and are not disallowed by other VA policy or mandates, the Contractor/Subcontractor must state where all non-U.S. services are provided and detail a security plan, deemed to be acceptable by VA, specifically to address mitigation of the resulting problems of communication, control, data protection, and so forth. Location within the U.S. may be an evaluation factor.
e. The Contractor or Subcontractor must notify the Contracting Officer immediately when an employee working on a VA system or with access to VA information is reassigned or leaves the Contractor or Subcontractor's employ. The Contracting Officer must also be notified immediately by the Contractor or Subcontractor prior to an unfriendly termination.

B3. VA INFORMATION CUSTODIAL LANGUAGE
1. Information made available to the Contractor or Subcontractor by VA for the performance or administration of this contract or information developed by the Contractor/Subcontractor in performance or administration of the contract shall be used only for those purposes and shall not be used in any other way without the prior written agreement of VA. This clause expressly limits the Contractor/Subcontractor's rights to use data as described in Rights in Data - General, FAR 52.227-14(d)(1).
2. VA information should not be co-mingled, if possible, with any other data on the Contractors/Subcontractor's information systems or media storage systems in order to ensure VA requirements related to data protection and media sanitization can be met. If co-mingling must be allowed to meet the requirements of the business need, the Contractor must ensure that VA information is returned to VA or destroyed in accordance with VA's sanitization requirements.
VA reserves the right to conduct on site inspections of Contractor and Subcontractor IT resources to ensure data security controls, separation of data and job duties, and destruction/media sanitization procedures are in compliance with VA directive requirements.
3. Prior to termination or completion of this contract, Contractor/Subcontractor must not destroy information received from VA, or gathered/created by the Contractor in the course of performing this contract without prior written approval by VA. Any data destruction done on behalf of VA by a Contractor/Subcontractor must be done in accordance with National Archives and Records Administration (NARA) requirements as outlined in VA Directive 6300, Records and Information Management and its Handbook 6300.1 Records Management Procedures, applicable VA Records Control Schedules, and VA Handbook 6500.1, Electronic Media Sanitization. Self-certification by the Contractor that the data destruction requirements above have been met must be sent to the VA Contracting Officer within 30 days of termination of the contract.
4. The Contractor/Subcontractor must receive, gather, store, back up, maintain, use, disclose and dispose of VA information only in compliance with the terms of the contract and applicable Federal and VA information confidentiality and security laws, regulations and policies. If Federal or VA information confidentiality and security laws, regulations and policies become applicable to VA information or information systems after execution of the contract, or if NIST issues or updates applicable FIPS or Special Publications (SP) after execution of this contract, the parties agree to negotiate in good faith to implement the information confidentiality and security laws, regulations and policies in this contract.
5. The Contractor/Subcontractor shall not make copies of VA information except as authorized and necessary to perform the terms of the agreement or to preserve electronic information stored on Contractor/Subcontractor electronic storage media for restoration in case any electronic equipment or data used by the Contractor/Subcontractor needs to be restored to an operating state. If copies are made for restoration purposes, after the restoration is complete, the copies must be appropriately destroyed.
6. If VA determines that the Contractor has violated any of the information confidentiality, privacy, and security provisions of the contract, it shall be sufficient grounds for VA to withhold payment to the Contractor or third party or terminate the contract for default or terminate for cause under Federal Acquisition Regulation (FAR) part 12.
7. If a VHA contract is terminated for cause, the associated Business Associate Agreement (BAA) must also be terminated and appropriate actions taken in accordance with VHA Handbook 1600.01, Business Associate Agreements. Absent an agreement to use or disclose protected health information, there is no business associate relationship.
8. The Contractor/Subcontractor must store, transport, or transmit VA sensitive information in an encrypted form, using VA-approved encryption tools that are, at a minimum, FIPS 140-2 validated.
9. The Contractor/Subcontractor's firewall and Web services security controls, if applicable, shall meet or exceed VA minimum requirements. VA Configuration Guidelines are available upon request.
10. Except for uses and disclosures of VA information authorized by this contract for performance of the contract, the Contractor/Subcontractor may use and disclose VA information only in two other situations: (i) in response to a qualifying order of a court of competent jurisdiction, or (ii) with VA prior written approval.
The Contractor/Subcontractor must refer all requests for, demands for production of, or inquiries about, VA information and information systems to the VA contracting officer for response.
11. Notwithstanding the provision above, the Contractor/Subcontractor shall not release VA records protected by Title 38 U.S.C. 5705, confidentiality of medical quality assurance records and/or Title 38 U.S.C. 7332, confidentiality of certain health records pertaining to drug addiction, sickle cell anemia, alcoholism or alcohol abuse, or infection with human immunodeficiency virus. If the Contractor/Subcontractor is in receipt of a court order or other requests for the above mentioned information, that Contractor/Subcontractor shall immediately refer such court orders or other requests to the VA contracting officer for response.
12. For service that involves the storage, generating, transmitting, or exchanging of VA sensitive information but does not require C&A or a Memorandum of Understanding-Interconnection Service Agreement (MOU-ISA) for system interconnection, the Contractor/Subcontractor must complete a Contractor Security Control Assessment (CSCA) on a yearly basis and provide it to the COR.

B4. SECURITY INCIDENT INVESTIGATION
a. The term "security incident" means an event that has, or could have, resulted in unauthorized access to, loss or damage to VA assets, or sensitive information, or an action that breaches VA security procedures. The Contractor/Subcontractor shall immediately notify the COR and simultaneously, the designated ISO and Privacy Officer for the contract of any known or suspected security/privacy incidents, or any unauthorized disclosure of sensitive information, including that contained in system(s) to which the Contractor/Subcontractor has access.
b. To the extent known by the Contractor/Subcontractor, the Contractor/Subcontractor's notice to VA shall identify the information involved, the circumstances surrounding the incident (including to whom, how, when, and where the VA information or assets were placed at risk or compromised), and any other information that the Contractor/Subcontractor considers relevant.
c. With respect to unsecured protected health information, the business associate is deemed to have discovered a data breach when the business associate knew or should have known of a breach of such information. Upon discovery, the business associate must notify the covered entity of the breach. Notifications need to be made in accordance with the executed business associate agreement.
d. In instances of theft or break-in or other criminal activity, the Contractor/Subcontractor must concurrently report the incident to the appropriate law enforcement entity (or entities) of jurisdiction, including the VA OIG and Security and Law Enforcement. The Contractor, its employees, and its Subcontractors and their employees shall cooperate with VA and any law enforcement authority responsible for the investigation and prosecution of any possible criminal law violation(s) associated with any incident. The Contractor/Subcontractor shall cooperate with VA in any civil litigation to recover VA information, obtain monetary or other compensation from a third party for damages arising from any incident, or obtain injunctive relief against any third party arising from, or related to, the incident.

B5. LIQUIDATED DAMAGES FOR DATA BREACH
a. Consistent with the requirements of 38 U.S.C. §5725, a contract may require access to sensitive personal information. If so, the Contractor is liable to VA for liquidated damages in the event of a data breach or privacy incident involving any SPI the Contractor/Subcontractor processes or maintains under this contract.
b. The Contractor/Subcontractor shall provide notice to VA of a "security incident" as set forth in the Security Incident Investigation section above. Upon such notification, VA must secure from a non-Department entity or the VA Office of Inspector General an independent risk analysis of the data breach to determine the level of risk associated with the data breach for the potential misuse of any sensitive personal information involved in the data breach. The term 'data breach' means the loss, theft, or other unauthorized access, or any access other than that incidental to the scope of employment, to data containing sensitive personal information, in electronic or printed form, that results in the potential compromise of the confidentiality or integrity of the data. Contractor shall fully cooperate with the entity performing the risk analysis. Failure to cooperate may be deemed a material breach and grounds for contract termination.
c. Each risk analysis shall address all relevant information concerning the data breach, including the following:
   1) Nature of the event (loss, theft, unauthorized access);
   2) Description of the event, including:
      a) date of occurrence;
      b) data elements involved, including any PII, such as full name, social security number, date of birth, home address, account number, disability code;
   3) Number of individuals affected or potentially affected;
   4) Names of individuals or groups affected or potentially affected;
   5) Ease of logical data access to the lost, stolen or improperly accessed data in light of the degree of protection for the data, e.g., unencrypted, plain text;
   6) Amount of time the data has been out of VA control;
   7) The likelihood that the sensitive personal information will be or has been compromised (made accessible to and usable by unauthorized persons);
   8) Known misuses of data containing sensitive personal information, if any;
   9) Assessment of the potential harm to the affected individuals;
   10) Data breach analysis as outlined in 6500.2 Handbook, Management of Security and Privacy Incidents, as appropriate; and
   11) Whether credit protection services may assist record subjects in avoiding or mitigating the results of identity theft based on the sensitive personal information that may have been compromised.
d. Based on the determinations of the independent risk analysis, the Contractor shall be responsible for paying to VA liquidated damages in the amount of $37.50 per affected individual to cover the cost of providing credit protection services to affected individuals consisting of the following:
   1) Notification;
   2) One year of credit monitoring services consisting of automatic daily monitoring of at least 3 relevant credit bureau reports;
   3) Data breach analysis;
   4) Fraud resolution services, including writing dispute letters, initiating fraud alerts and credit freezes, to assist affected individuals to bring matters to resolution;
   5) One year of identity theft insurance with $20,000.00 coverage at $0 deductible; and
   6) Necessary legal expenses the subjects may incur to repair falsified or damaged credit records, histories, or financial affairs.

B6. SECURITY CONTROLS COMPLIANCE TESTING
On a periodic basis, VA, including the Office of Inspector General, reserves the right to evaluate any or all of the security controls and privacy practices implemented by the Contractor under the clauses contained within the contract. With 10 working days' notice, at the request of the Government, the Contractor must fully cooperate and assist in a Government-sponsored security controls assessment at each location wherein VA information is processed or stored, or information systems are developed, operated, maintained, or used on behalf of VA, including those initiated by the Office of Inspector General. The Government may conduct a security control assessment on shorter notice (to include unannounced assessments) as determined by VA in the event of a security incident or at any other time.

B7. Contractor Rules Of Behavior:
Before being granted access to VA information or information systems, all contractor employees and subcontractor employees requiring such access shall sign on an annual basis an acknowledgement that they have read, understand, and agree to abide by VA's contractor rules of behavior which is included in the training outlined in paragraph 16 (security training). If the contractor anticipates that the services under the contract will be performed by 10 or more individuals, the contractor rules of behavior may be signed by the contractor's designated representative. By signing the rules of behavior on behalf of the contractor, the designated representative agrees to ensure that all such individuals review and understand the contractor rules of behavior when accessing VA's information and information systems.

B8. TRAINING
a. All Contractor employees and Subcontractor employees requiring access to VA information and VA information systems shall complete the following before being granted access to VA information and its systems:
   1) Sign and acknowledge (either manually or electronically) understanding of and responsibilities for compliance with the Contractor Rules of Behavior, Appendix D relating to access to VA information and information systems;
   2) Successfully complete the VA Privacy and Information Security Awareness and Rules of Behavior training and annually complete required security training;
   3) Successfully complete Privacy and HIPAA Training if Contractor will have access to PHI;
   4) Successfully complete the appropriate VA privacy training and annually complete required privacy training; and
   5) Successfully complete any additional cyber security or privacy training, as required for VA personnel with equivalent information system access.
b. The Contractor shall provide to the contracting officer and/or the COR a copy of the training certificates and certification of signing the Contractor Rules of Behavior for each applicable employee within 1 week of the initiation of the contract and annually thereafter, as required.
c. Failure to complete the mandatory annual training and sign the Rules of Behavior annually, within the timeframe required, is grounds for suspension or termination of all physical or electronic access privileges and removal from work on the contract until such time as the training and documents are complete.

B9. Contractor Personnel Security
a. All contractor employees who require access to the Department of Veterans Affairs' computer systems shall be the subject of a background investigation and must receive a favorable adjudication from the VA Security and Investigations Center (07C). The level of background security investigation will be in accordance with VA Directive 0710 dated September 10, 2004 and is available at: http://www.va.gov/pubs/asp/edsdirec.asp
Appropriate Background Investigation (BI) forms will be provided upon contract (or task order) award, and are to be completed and returned to the VA Security and Investigations Center (07C) within 30 days for processing. Contractors will be notified by 07C when the BI has been completed and adjudicated. These requirements are applicable to all subcontractor personnel requiring the same access. If the security clearance investigation is not completed prior to the start date of the contract, the employee may work on the contract while the security clearance is being processed, but the contractor will be responsible for the actions of those individuals they provide to perform work for the VA. In the event that damage arises from work performed by contractor personnel, under the auspices of the contract, the contractor will be responsible for resources necessary to remedy the incident.
b. The investigative history for contractor personnel working under this contract must be maintained in the databases of either the Office of Personnel Management (OPM) or the Defense Industrial Security Clearance Organization (DISCO).
Should the contractor use a contractor other than OPM or Defense Security Service (DSS) to conduct investigations, the investigative company must be certified by OPM/DSS to conduct contractor investigations.
1) Background Investigation
   The contractor position sensitivity for the effort has been designated as Major Risk and the Background Investigation has been designated as Background Investigation.
2) Contractor Responsibilities
   i. The contractor shall bear the expense of obtaining background investigations. If the investigation is conducted by the Office of Personnel Management (OPM) through the VA, the contractor shall reimburse the VA within 30 days.
   ii. Background investigations from investigating agencies other than OPM are permitted if the agencies possess an OPM and Defense Security Service certification. The Contractor Cage Code number must be provided to the Security and Investigations Center (07C), which will verify the information and advise the contracting officer whether access to the computer systems can be authorized.
   iii. The contractor shall prescreen all personnel requiring access to the computer systems to ensure they maintain a U.S. citizenship and are able to read, write, speak and understand the English language.
      1. Failure to comply with the contractor personnel security requirements may result in termination of the contract for default.
      2. Further, the contractor will be responsible for the actions of all individuals provided to work for the VA under this contract. In the event that damages arise from work performed by contractor provided personnel, under the auspices of this contract, the contractor will be responsible for all resources necessary to remedy the incident.
      3. Contractor is required to have Business Associate Agreement on file (Nationally with VA) or locally completed as part of the contract file.
3) Government Responsibilities
   i. The VA Security and Investigations Center (07C) will provide the necessary forms to the contractor or to the contractor's employees after receiving a list of names and addresses.
   ii. Upon receipt, the VA Security and Investigations Center (07C) will review the completed forms for accuracy and forward the forms to OPM to conduct the background investigation.
   iii. The VA facility will pay for investigations conducted by the OPM in advance. In these instances, the contractor will reimburse the VA facility within 30 days.
   iv. The VA Security and Investigations Center (07C) will notify the contracting officer and contractor after adjudicating the results of the background investigations received from OPM.
   v. The contracting officer will ensure that the contractor provides evidence that investigations have been completed or are in the process of being requested.
 
Web Link
FBO.gov Permalink
(https://www.fbo.gov/spg/VA/HoVAMC/VAMCCO80220/VA25615N0407/listing.html)
 
Document(s)
Attachment
 
File Name: VA256-15-N-0407 VA256-15-N-0407.docx (https://www.vendorportal.ecms.va.gov/FBODocumentServer/DocumentServer.aspx?DocumentId=1882301&FileName=VA256-15-N-0407-000.docx)
Link: https://www.vendorportal.ecms.va.gov/FBODocumentServer/DocumentServer.aspx?DocumentId=1882301&FileName=VA256-15-N-0407-000.docx

 
Note: If links are broken, refer to Point of Contact above or contact the FBO Help Desk at 877-472-3779.
 
Place of Performance
Address: Michael E DeBakey VAMC;2002 Holcombe Blvd;Houston, TX 77030
Zip Code: 77030
 
Record
SN03650441-W 20150226/150224235429-6082fbac98fea7959528d97794f62971 (fbodaily.com)
 
Source
FedBizOpps Link to This Notice
(may not be valid after Archive Date)
