DOCUMENT
D -- VA Centralized Adjudication & Background Investigation System (VA-CABS) - Attachment
- Notice Date
- 10/6/2016
- Notice Type
- Attachment
- NAICS
- 541512 — Computer Systems Design Services
- Contracting Office
- Department of Veterans Affairs;Technology Acquisition Center;23 Christopher Way;Eatontown NJ 07724
- ZIP Code
- 07724
- Solicitation Number
- VA11817N1748
- Response Due
- 10/17/2016
- Archive Date
- 1/24/2017
- Point of Contact
- CARA DINOCERA
- Small Business Set-Aside
- N/A
- Description
- Request for Information (RFI)

DEPARTMENT OF VETERANS AFFAIRS
Personnel Security & Suitability Program Management Office
Veterans Affairs - Centralized Adjudication & Background Investigation System (VA-CABS)
Date: October 6, 2016

THIS IS A REQUEST FOR INFORMATION (RFI) ONLY
VA - Centralized Adjudication & Background Investigation System (VA-CABS)

1.0 PURPOSE

The Department of Veterans Affairs (VA) is requesting information from industry in order to assess the viability of procuring, deploying, hosting, and sustaining a commercial off-the-shelf (COTS) product that meets the requirements. VA may opt to include product demonstrations during the market research phase, and/or as part of the solicitation process, if a procurement action is initiated. At this point in time VA is only trying to determine the availability of a COTS product that meets the functionality described below. At this time, any incidental services that may be required for the implementation of a COTS solution are to be determined (TBD) and may be the subject of a future RFI if VA determines a procurement action is viable.

2.0 RESPONSE INSTRUCTIONS

a. Provide the following: 1.) Brief summary describing your technical approach to meet the requirements and 2.) Responses to "Industry Questions" outlined in Section 3.0 below. The entire file (which includes the technical approach and Industry Q&A) shall not exceed 20 pages. Offerors shall be aware that the file size for email submissions is 5MB. Respondents shall include the following in their submissions:
- Name of Company:
- Cage Code and DUNS Number:
- Address:
- Point of Contact /Company Representative:
- Phone Number:
- Fax Numbers:
- Email Address:
- Any applicable schedules (General Services Administration (GSA), Mission Oriented Business Integrated Services (MOBIS), Veterans Technology Services (VETS) Government wide Acquisition Contract (GWAC), etc.);
- The NAICS code applicable to this acquisition is 541512.
The Small Business Size Standard for this NAICS code is $27.5M. Please indicate your company's size and socio-economic status under this NAICS.

b. Submit your response via email to the Contract Specialist, Cara DiNocera at cara.dinocera@va.gov by the due date and time specified;

c. Submit your response no later than 12:00 P.M. Eastern Time on October 17, 2016;

d. If there are any vendor questions regarding the requirement, the Contracting Office will coordinate a comprehensive response and post to Federal Business Opportunities Page (FedBizOps).

e. Mark your response as "Proprietary Information" if the information included is considered to be business sensitive and/or includes trade secrets.

f. Any Service Disabled Veteran Owned Small Businesses (SDVOSB) or Veteran Owned Small Businesses responding, provide the intent and ability to meet set-aside requirement for performance of this effort which requires at least 50% of the cost of labor planned to be expended for prime employees or employees of eligible SDVOSB/VOSB firms, which must include the prime planned percentage and if under 50%, the names of the potential team members that may be used to fulfill the 50% SDVOSB/VOSB requirement.

Road Ahead: Responses to this RFI by interested parties will be used as part of market research. In accordance with FAR 15.201(E), responses to this notice are not offers and cannot be accepted by the Government to form a binding contract. Any contract that might be awarded based on information received or derived from this RFI will be the outcome of a competitive process. This announcement is based upon the best information available, is subject to future modification, is not a request for proposal, and in no way commits the Government to award of a contract. The product description provided below should not be construed as a draft Performance Work Statement (PWS) but an overview description of the functions and capabilities required of the COTS product.
Additional requirements, descriptions and/or documentation are not yet available for release under this RFI. The VA will not be responsible for any costs incurred by responding to this RFI.

Organizational Conflict of Interest (OCI) Notification

Be advised that the Contracting Officer has determined that Exeter Government Services, 9841 Washingtonian Blvd, STE 400, Gaithersburg, MD 20878, Engineering Services Network (ESN), 2450 Crystal Drive, STE 1015, Arlington, VA 22202 and ACC, 8470 Tyco Rd, Vienna, VA 22182 and Deloitte Consulting LLP, 1919 N. Lynn Street, Arlington, VA 22209, as an Organizational Conflict of Interest under this effort in accordance with Federal Acquisition Regulations 9.505-2, "Preparing specifications and work statements."

3.0 INDUSTRY QUESTIONS

3.1 CURRENT PRODUCT DEPLOYMENT

1. Is your COTS product currently being used as an Enterprise Background Investigation Case Management System by other Government agencies? If so:
a. Provide the name(s) of the Government agency and agency point of contact (POC);
b. Describe architecture associated with your product deployment;
c. If your product interfaces to any external systems within the architecture, identify the external system(s) and how the interfaces to these system(s) were developed.

3.2 SECURITY

1. Describe which security requirements described herein, cannot be provided in a standard, "out of the box" version of your product;
2. Does your product store and transmit sensitive information using security mechanisms that meet Federal Information Processing Standard (FIPS) 140-2 criteria?
3. Does your product support two factor authentication, including compatibility with Personal Identification Verification (PIV) authentication? If not, would significant development be needed to make it 2FA compliant?
4. Does your product support "PIV enforced" authentication, where "PIV enforced" is defined as authentication to the application is only accomplished through the PIV card chip and PIV PIN.
Describe how the hosting location and environment affect your product's ability to support "PIV enforced" authentication.
5. Does your product encrypt data at rest and in transit using accepted encryption protocols, such as HTTPS?
6. Does your product support secure / encrypt data received from or passed to integrating systems in motion utilizing secure data transfer protocols, such as Transport Layer Security (TLS)?
7. What version of Transport Layer Security (TLS) does your product support out of the box?
8. Does your product use SMTP service for end-user email notifications?
9. Does your product have the ability to be installed and configured in FIPS mode?
10. What other security requirements can you suggest as best practice? At a minimum, include how you protect the data, a disaster contingency plan, and network protection. If a cloud offering is anticipated, provide details on your data center, network security and proposed cloud topology, and if it is FedRAMP Compliant?

3.3 INTERFACES

1. Describe your product's ability to meet the Identity, Credential, and Access Management (ICAM) Onboarding Solution interface requirements listed in Table 1, and interface to the Computer Associates Identity Management product. Are there any specific requirements that your product cannot meet with a standard, "out of the box" version of your product? Is there an existing interface between your product and the ICAM Onboarding Solution?
2. Does your product employ DirectConnect "out of the box" to download Background Investigation files (*.dif) from OPM using eDelivery?

3.4 SECTION 508 COMPLIANCE

1. Has your product been certified as 508 Compliant by a Government Agency, or a commercial vendor? If so, please provide the Agency/vendor, Agency/vendor POC, and date of the certification. Are the certifications test results releasable to VA?

3.5 SYSTEM REQUIREMENTS

1. Define the minimum system requirements or hardware specification for the implementation and hosting of your product to fulfill business, security, reporting, performance and capacity requirements for VA-CABS (servers, storage devices, etc.);
2. Provide a system design and/or architecture diagram for a typical implementation;
3. Describe your definition of 'typical' in your response;
4. Describe the user-friendliness of the product Graphical User Interface (GUI) in terms of the configuration of the screens, access to screens, and effective navigation through the product. Describe your product's search function and the ability for users to execute customized searches;
a. Elaborate how vulnerabilities with Personal Identifiable Information (PII) will be treated throughout system build, test, and implementation.
5. Describe the extent to which your GUI is configurable by users in terms of:
b. Screen Customization
c. Report customization
d. Dashboard Customization
6. Does your product enable searches for the VA Subject profile using a combination of first name, last name, middle initial, and SEC ID for the purposes of capturing and storing fingerprints?
7. Can your product fulfill the VA-CABS Performance (SLR, Availability) and Capacity (Data Storage) requirements as mentioned below?
8. Does your product have capacity limitations, in terms of quantity of data and/or number of users?
9. How are users access created, managed, and updated? What are the different user roles that are involved in the user creation process? How does your product achieve separation of duties in the user creation process?
10. How are user licenses allocated? Is an enterprise license available, and if so, are there a minimum or maximum number of users required? Does it allow simultaneous access to all the licensed users? What is the fee structure for the user licensing?
11. Do you have experience of deploying similar or larger enterprise solutions?

3.6 SYSTEM HOSTING

1. Can you provide hosting services for your product and the VA data? If so,
a. Is your hosting environment certified to at least FEDRAMP Moderate?
b. What is the out year support fee structure for hosting services?
c. How does the out year support fee structure scale depending on the amount of data hosted?
d. Can the stored data be transferred in case the hosting contract expires and VA-CABS needs to be hosted with another provider?
e. Describe the security requirements and provisions associated with the hosting environment.
f. Describe the Disaster Recovery and failover provisions and timeframes for your hosted environment.
2. Do you offer Software as a Service implementations of your product?

3.7 REPORTS

1. Describe the ability of your product to allow users to create customized reports.
2. Does your product allow regularly scheduled reports and ad-hoc reports?
3. Does your product allow reports to be saved in the following file format (provide any version compatibility requirements):
a. Microsoft Excel
b. Portable Document Format (pdf)
c. Extensible Markup Language
d. Comma Separated Values (CSV)

4.0 BACKGROUND

4.1 PROBLEM STATEMENT

VA has identified a lack of standardization in processes and quality practices for background investigation and reinvestigation initiation and adjudication.
Challenges in these activities have resulted in:
- Lack of centralized automated system of record;
- Lack of enterprise business processes for investigations and re-investigations;
- Inconsistent storage and safeguarding of sensitive data (e.g., Microsoft Excel files on local and shared drives);
- Extended investigation processing times, leading to prolonged onboarding process;
- Lack of insight into status of investigations and reinvestigations;
- Lack of quality standards for adjudication processes and decisions;
- Untimely identification and processing for reinvestigations;
- Weakened security posture across the enterprise, putting the VA at risk for data breaches and other security threats;
- Systemic material weakness discovered through Office of the Inspector General audits (described below) hinders VA in achieving specific requirements and controls;
- Favorable adjudicative decisions may be made in cases where further analysis may reflect that an applicant investigation or reinvestigation could be deemed unfavorable; and
- VA Subjects maintaining favorable suitability status without proper verification after the initial investigation expires.

4.2 PROJECT BACKGROUND

The mission of the Personnel Security and Suitability (PSS) Program Management Office (PMO) is to aid VA in suitability and fitness determinations that are properly made for VA Subjects (Employees, Contractors, Trainees, Volunteers, and Affiliates) for the performance of duties in the service of Veterans and to safeguard VA Subjects and Veteran data. This mission also includes issuance of department-wide personnel security and suitability program policy, oversight, and training that supports the safety and security of our nation's Veterans, visitors, staff, and facilities.
In order to necessitate the fulfillment of this mission and determine that the desired resources are on-boarded, the PSS PMO is seeking to improve the background investigation and onboarding process by instituting a centralized case management system, VA-CABS, and standardizing processes across the VA enterprise.

The need for VA-CABS was established by the PSS PMO through participation in several VA initiatives, including: the remediation of Continuous Readiness in Information Security Program (CRISP) material weakness (recommendations 2006-03 and 2006-04), Centralized Adjudication Facility (CAF) Working Group, and the MyVA Security & Preparedness Support Services Quick Wins. In addition, the PSS PMO evaluated the current business processes to determine that there were variations across VA for investigations and adjudication practices, processes, tools/systems, and responsibilities between user groups. These discoveries and variations also contribute to the CRISP findings, related to material weaknesses in the investigations and reinvestigations for the VA workforce.

Due to these variations and stated VA initiatives, the PSS PMO recommended implementing an enterprise case management system, VA-CABS. The recommended solution shall help the VA enterprise with streamlined background investigation and reinvestigation processes. This solution shall modify processes while improving the quality, transparency, and accountability for adjudications, as well as help remediate the material weaknesses. Overall, the implementation of the solution and concurrent initiatives (e.g., compliance and oversight, training) will have a positive impact on Veterans through allowing quicker and more efficient onboarding of personnel that serve Veterans.

VA-CABS is required to resolve the existing inefficiencies in the current background investigation and adjudication process by increasing communication between user groups and streamlining the exchange of information between systems.
Additional benefits shall include:
- Deployment of an Enterprise Solution - Provide PSS stakeholders with one system/solution and utilizes standardized processes and workflows for adjudication.
- More Efficient Investigation and Reinvestigation Processing - Provide PSS stakeholders with more clearly defined workflows for a case.
- Improved Audit Results - Allow PSS stakeholders to more efficiently remediate CRISP audit findings for investigations as well identify reinvestigations prior to future audits.
- Standardization of Adjudication Processes - Provide a more standardized framework for processing and recording adjudications with governance and incorporation of the oversight and compliance and training programs.

Current State: Security personnel manually conduct fingerprinting and entry of Subject data attributes into a fingerprint-capture system. Personnel access Office of Personnel Management's (OPM) systems (PIPS/CVS) manually to pull and review data relating to fingerprint results, verify background investigations and adjudications. Personnel push or enter an adjudicative decision into PIPS/CVS and initiate e-QIP. Individual HR stations maintain separate mechanisms, such as spreadsheets, to track background investigation status and reinvestigation monitoring. Required documents are manually maintained through scanning or hard file management. Action letters are drafted and emailed/mailed by security specialists.

4.3 SYSTEM OVERVIEW

VA-CABS shall provide an automated solution to manage background investigation data across the VA enterprise for VA Subjects as an authoritative data source for background investigation case information. The system shall integrate with both internal (e.g., Identity, Credential, and Access Management (ICAM) Onboarding solution) and external systems (e.g., Office of Personnel Management [OPM]).
VA-CABS shall provide the following capabilities:
- Receive identity data for VA Subjects from ICAM Onboarding solution and utilize it to establish a VA Subject profile within VA-CABS. The currently deployed ICAM Onboarding solution is the Computer Associates Identity Management product.
- Assign prescreening tasks and background investigation cases to appropriate security personnel to perform investigative and adjudicative duties.
- Facilitate and trigger associated processes for prescreening, background investigation initiation, and / or adjudication in VA-CABS.
- Integration with OPM to automatically receive VA Subject's data in VA-CABS.

The figure below depicts proposed integration points and functions at a high level between VA-CABS, integrating systems, data sources, and users as a part of the Concept of Operations (CONOPS).

Figure 1: VA-CABS To-Be Concept of Operations
OPM = Office of Personnel Management
PIPS = Personnel Investigations Processing System
CVS = Central Verification System
e-QIP = Electronic Questionnaires for Investigations Processing
ICAM = Identity, Credential, and Access Management

The table below provides existing and/or future interfaces as envisioned for the target state of VA-CABS. The below may not be a full listing of the required interfaces because new interfaces may be identified in the future. The solution's ability to be adaptable, scalable, and to integrate new system interfaces after deployment is also of interest.

Table 1: VA-CABS Interfaces
Columns: Interface, Description, Data Flow, Data Sent by VA-CABS, Data Received by VA-CABS

Interface: ICAM Onboarding solution
Description: The ICAM Onboarding solution will assist with VA Subject onboarding and serve as the authoritative data source for identity data for VA-CABS. The solution is integrated with HR-Smart to provide employee data and will be the authoritative source for contractor data, whereas eCMS is used for Contract data.
In addition, the ICAM Onboarding solution will integrate with the HSPD-12 system for PIV Card issuance. The solution will be integrated with VA-CABS at IOC.
Data Flow: Bi-directional
Data Sent by VA-CABS: VA-CABS shall send status and date information for the following workflows: Special Agreement Check (SAC), e-QIP, background investigation, and suitability adjudicative determination. VA-CABS shall send VA Subject's physical identity attributes required for PIV issuance.
Data Received by VA-CABS: VA-CABS shall receive the identity attributes that VA-CABS requires to create or update a profile for a VA Subject.

Interface: OPM
Description: The OPM conducts background investigations for VA Subjects and provides a report of investigation (ROI) to the VA. The solution will be integrated with VA-CABS at IOC.
Data Flow: Bi-directional
Data Sent by VA-CABS: In a Future State, VA-CABS shall send suitability adjudicative determination data to be recorded in CVS and PIPS.
Data Received by VA-CABS: VA-CABS shall receive SAC results, background investigation statuses, and Reports of Investigation (ROI) upon OPM's scheduled document transfers.

4.4 PROCESS OVERVIEW

The table and workflow outlined in Table 2 summarizes the high-level process for a VA Subject to be deemed suitable / fit to work for or on behalf of VA along with the associated timeline. With automated processes, VA subjects will have the required suitability determination by entry on duty. This determination will then facilitate creation of system accounts and issuance of VA credentials (such as PIV). The process flow also depicts on-going monitoring of VA Subject investigations for reinvestigation.
The process steps listed below in the table are based on the following assumptions:
- A VA Subject has accepted a tentative offer and / or has been assigned to the appropriate contract with VA to initiate security and suitability processes;
- The required user identity attributes have been sent to VA-CABS by the ICAM Onboarding solution;
- The VA Subject has received a notification for the fingerprinting process at their local facility;
- An investigation is scheduled prior to/or close to entry on duty (EOD) or beginning of work performance.

Note: The proposed timelines start when a VA Subject visits a VA facility to be fingerprinted. In addition, some of these tasks may occur simultaneously.

Table 2: VA-CABS Workflow for a VA Subject
Timeline (Business Days): Description

Day 1: The VA Subject visits a VA facility to provide fingerprints. A Security Assistant logs into VA-CABS, searches for appropriate VA Subject, captures the VA Subject fingerprints and submits them to OPM for a Special Agreement Check (SAC). The fingerprints are stored within VA-CABS and attached to the VA Subject Profile.
Day 2: OPM sends results back to VA-CABS using the eDelivery capability.
Days 3 - 5: A Security Specialist adjudicates the VA Subject's SAC.
Day 5: VA-CABS sends the SAC adjudication result to ICAM Onboarding solution.
Day 6: A Security Assistant/Security Specialist evaluates the VA Subject for reciprocity or debarment. If VA Subject is not eligible for reciprocity and has no bars, the Security Assistant/Specialist initiates e-QIP for the VA Subject.
Days 7 - 12: VA Subject completes and submits e-QIP.
Day 12: A Security Assistant/Security Specialist reviews the e-QIP and releases it to OPM.
Days 13 - 15: OPM receives e-QIP and schedules the investigation and sends the investigation type and date to VA-CABS.
Day 16: VA-CABS receives notice that investigation has been scheduled by OPM via eDelivery.
Note: VA Subject is now ready to begin work and have a PIV card issued.
Day 16 - 106: OPM performs investigation on the VA Subject and sends investigation data to VA-CABS. A Security Specialist reviews data to render an adjudicative determination for the VA Subject as favorable or unfavorable (Goal of completion within 90 days).

4.5 VA-CABS TO-BE FUNCTIONS AND CAPABILITIES

VA-CABS shall provide the VA an enterprise solution that will serve as the System of Record (SOR) for investigation-related data. The system will provide the following functions and capabilities to the VA enterprise facilitating personnel security, suitability, and background investigation processes.

Table 3: VA-CABS Functions and Capabilities
Function/Capability: Description

VA Subject Profile Creation: A profile that contains primary identity data about a VA Subject who will be fingerprinted and / or requires background investigation.
Fingerprinting (Prescreening): The process of performing pre-screening checks (e.g., review of the OF306 and resume) for a VA Subject as a part of the on-boarding process; the process of capturing, submitting, and storing fingerprints that are taken for a Special Agreement Check (SAC) during VA Subject onboarding.
Background Investigation Initiation/ Adjudication: The process of initiating, executing, and adjudicating background investigation and reinvestigation for VA Subjects in accordance with applicable policies and procedures.
eDelivery: The process of receiving investigation data between OPM and VA-CABS via an electronic connection.
User Interface: An easy to navigate interface that security personnel can open, view, and perform job duties related to background investigations.
Notifications: Prompts within the system and / or via email that alert the security personnel that there is a required action for a specific case.
Automated Process: The process of performing investigation and adjudication functions using automated workflows to prompt various role holders to perform specific actions.
Consolidated View: The process of viewing a role holder's actions within VA-CABS in a consolidated, summary view.
Reinvestigation Monitoring: The process of monitoring reinvestigation for current VA employees, contractors, and affiliates that is needed due to five years of employment.

4.6 ROLE HOLDER MATRIX

This section describes the functionality required of VA-CABS for the roles and responsibilities of the security personnel that will interface with VA-CABS. The table below (Table 4) provides the following for security personnel roles and responsibilities:
- Actor - the role each security personnel assumes when interfacing with VA-CABS.
- Description - a description of the actor and why this individual requires use of VA-CABS.
- Scope of Control - the core activities an actor shall be able to perform with the use of VA-CABS. Scope of control does not represent an exhaustive list of activities that an actor may perform under circumstances via VA-CABS.

Note: The word jurisdiction is used below and throughout the document to designate a population of VA Subjects for which the actor has the official power to make decisions and perform role holder responsibilities. Jurisdiction is based on the role holder Submitting Office Number (SON).

Table 4: VA-CABS Roles and Responsibilities
Columns: Actor, Description, Scope of Control

Actor: VA Subject
Description: A VA Employee, Contractor, Trainee, Volunteer, or Affiliate who is the subject of fingerprint SAC or an OPM background investigation.
Note: VA-CABS is dependent on ICAM Onboarding solution (which gathers employee data from HR-Smart and contractor data directly from the Contracting Officer's Representative (COR)) to provide VA Subject identity data.
Scope of Control:
- Completes fingerprinting
- Completes investigation questionnaire via e-QIP
- Provides updates on incomplete information and / or provides additional details
- Responds to adjudicative actions

Actor: Security Assistant
Description: A VA Employee responsible for assisting in the execution of personnel security-related functions as they relate to VA Subjects.
Note: Proper training has been taken by the role holder to perform required job functions.
Scope of Control: Within a determined jurisdiction:
- Receives OF-306 and resume and attaches to VA Subject profile
- Captures fingerprints
- Reviews cases for reciprocity and debarment
- Initiates e-QIP for VA Subject
- Views and processes e-QIP
- Approves and releases e-QIP

Actor: Security Specialist
Description: A VA Employee responsible for the execution of personnel security related-functions as they relate to VA Subjects.
Note: Proper training has been taken by the role holder to perform required job functions.
Scope of Control: Within a determined jurisdiction:
- Determines that the SAC is complete, makes adjudicative determination, and reports adjudicative determination
- Performs adjudications for background investigations

Actor: Senior Security Specialist
Description: A VA Employee at the Submitting Office Number (SON) level responsible for administration of personnel security related-functions as they relate to VA Subjects.
Note: Proper training has been taken by the role holder to perform required job functions.
Scope of Control: Within a determined jurisdiction:
- Performs adjudications for background investigations
- Authorized to reassign cases within the SON for adjudication
- Runs reports on cases within the SON for compliance and governance reporting
- Performs second-level review of cases for quality assurance

Actor: Case Manager
Description: A VA Employee at an organization level (e.g., the Veterans Integrated Service Network (VISN) or Regional Office (RO) level) responsible for overseeing the administration of cases across SONs within that organization.
Note: This role is an assigned position by the PSS PMO based on seniority and experience. This should be a limited population (such as 2 case managers per level).
Scope of Control: Within a determined jurisdiction:
- Reviews cases for quality assurance (in-process and adjudicated cases)
- Authorized to reassign cases within the SON and between SONs for adjudication
- Authorized to reopen cases that have been adjudicated for additional information
- Runs reports on cases within the VISN compliance and governance reporting

Actor: Compliance Specialist
Description: A VA Employee with the responsibility for oversight to evaluate compliance on how personnel security is administered via VA-CABS.
Note: Compliance specialist should not perform duties related to VA-CABS acting in another capacity (i.e., actor).
Scope of Control:
- Authorized to pull and create reports on a SON, VISN, and VA enterprise level
- Conducts governance checks of adjudicated cases
- Authorized to review case documents for adjudicated cases

Actor: Read-Only Reviewer
Description: A VA Employee with read-only privileges for VA Subject profiles within VA-CABS.
Note: Security Specialist is unaware of read-only reviews.
Permissions assigned only by System Owner and after training requirements are met.
Scope of Control:
- Views details of closed cases on a need-to-know basis
- Authorized to review case documents for adjudicated cases on a need-to-know basis
- Authorized to run report on cases on a need-to-know basis

Actor: Insider Threat Reviewer
Description: A VA Employee that can review and edit certain records of VA Subjects in VA-CABS based on insider threat concerns.
Note: Security specialist is unaware of reviews. Permissions assigned only by System Owner.
Scope of Control:
- Authorized to view cases in VA-CABS.
- Authorized to upload attachments (e.g., SF312, SCI NDA Form 4414) to cases of VA Subjects
- Authorized to make free text annotations on cases that (1) the System Owner has granted the reviewer permission for, or (2) adjudicators have marked for insider threat indicators.
- Authorized to request access to specific cases to make post adjudication modification

Actor: System Owner
Description: A VA employee that has elevated privileges to make changes within VA-CABS.
Note: Systems Owner will be a limited user group.
Scope of Control:
- Authorized to pull and create reports on a SON, VISN, and enterprise level
- Authorized to review case documents for adjudicated cases
- Authorized to reassign cases within the SON and between SONs for adjudication

5.0 BUSINESS AND TECHNICAL REQUIREMENTS

5.1 ENTERPRISE VA-CABS HIGH-LEVEL FEATURES

This section elaborates on enterprise business features for VA-CABS as applicable to the VA Subject and associated security personnel interacting with the system. The enterprise features are applicable for VA-CABS, irrespective of the integrating systems and / or specific VA Administrations / facilities. This section provides the common framework features for the multiple processes. This is a high level representation of the business requirements and more detailed business functional requirements will be made available during the solicitation process.
Note: In addition to the features provided in this section, Section 9.0 provides an overview of VA-CABS business processes.

5.1.1 High-Level Assignment Features

VA-CABS shall possess the following functionality:
1. Ability to create a VA Subject profile based on the attributes from the ICAM Onboarding solution
2. Ability to communicate Profile creation status to ICAM;
3. Provide support to a GUI for attaching different document types;
4. Assign cases;
5. Send notifications to users;
6. Maintain audit logs.

5.1.2 High-Level Prescreening Features:

VA-CABS shall possess the following functionality:
1. Allow searching of VA profiles;
2. Capture and retain Fingerprint images;
3. Capture and retain demographic information;
4. Allow entry of Background Investigation dates and other related information;
5. Receive SAC Adjudication dates, documents and other related information from OPM;
6. Provide SAC Adjudication notifications to users.

5.1.3 High-Level Background Investigation Processing Features:

VA-CABS shall possess the following functionality:
1. Record the VA Subject's investigation attributes in the VA Subject's profile;
2. Automatically update VA Subject's investigation tier from ICAM Onboarding solution;
3. Automatically push information regarding background investigation attributes, statuses, and dates to the ICAM Onboarding solution;
4. Allow users to record e-QIP related attributes;
5. Parse and record Background Investigation schedule attributes from notices received from OPM;
6. Receive the Report Of Investigation (ROI) electronically from OPM and automatically attach the ROI to a VA Subject's profile;
7. Record Suitability Adjudicative Determination automatically based on Issue Code received from OPM;
8. Allow users to record Background investigation and reinvestigation related attributes.
9. Prompt users to record Insider Threat attributes as determined from the background investigation results;
10. Ability to push Adjudicative Determination and date information to ICAM Onboarding solution;
11. Allow users to record Adjudicative Determination in OPM.

5.1.4 High-Level Monitoring Features
VA-CABS shall possess the following functionality:
1. Provide a reporting capability for both scheduled and ad-hoc reports;
2. Allow for reports to be saved and exported into standard formats including but not limited to:
   - Microsoft Excel;
   - Portable Document Format (PDF);
   - Extensible Markup Language (XML);
   - Comma Separated Values (CSV);
3. Provide an approval workflow for the System Owner to make decisions on Insider Threat Reviewer access requests;
4. Notifications

5.1.5 High-Level Governance Features
VA-CABS shall possess the following functionality:
1. Provide a case reassignment option;
2. Send notifications related to a reassignment;
3. Provide a "delegate" option;
4. Send notifications related to delegation;
5. Provide a "post-adjudication review" list option;
6. Provide an "open case" and "cancel case" list option;
7. Notifications

5.1.6 High-Level Enterprise Features
VA-CABS shall possess the following functionality:
1. Send notifications via email, based upon case management workflow actions and approvals.

5.1.7 High-Level Integration Features
VA-CABS shall integrate with ICAM and OPM in accordance with the interface requirements outlined in Table 1.
5.1.8 High-Level Data Features
VA-CABS shall possess the following functionality:
1. Provide the ability to associate multiple contracts with a single VA Contractor within the system;
2. Allow role holders the ability to filter data based on existing data elements;
3. Perform various calculations, generate history and audit logs, and ad-hoc reports for users for selected events and actions captured in the VA-CABS;
4. Store VA Subject profile data in a centralized store with appropriate security requirements;
5. Encrypt data at rest and in transit using accepted protocols.

6.0 ENTERPRISE VA-CABS HIGH-LEVEL TECHNICAL REQUIREMENTS
This section elaborates on high-level technical requirements for VA-CABS as applicable to VA Subjects and associated security personnel interacting with the system. This section provides the common framework requirements for the multiple processes. This is a high level representation of the technical requirements and more detailed technical requirements will be made available during the solicitation process.

6.1 HIGH-LEVEL SECURITY REQUIREMENTS
This section provides high-level security requirements to be followed by VA-CABS during design and implementation including infrastructure of VA-CABS.
VA-CABS shall:
1. Comply with The Privacy Act of 1974;
2. Comply with VA Handbook 6500;
3. Comply with NIST 800-53 rev.4;
4. Comply with NIST SP 800-30 rev.4;
5. Comply with NIST 800-37;
6. Comply with OPM Agency Delivery R2.4 Technical Paper (pg. 14);
7. Comply with FIPS 140-2;
8. Implement security control measures to manage, reduce, and / or decrease risks and vulnerabilities to a reasonable and appropriate level of risk, in compliance with federal security statutes;
9. Maintain a separation of duties methodology such that a single individual cannot subvert a critical process;
10. Only store and transmit VA sensitive information with proper security mechanisms that meet FIPS 140-2 criteria;
11. Mask PII (such as SSN) and save it in an encrypted manner in the GUI.
6.2 HIGH-LEVEL DATA HANDLING REQUIREMENTS (INPUT, CORRELATIVE)
This section defines the high-level data handling requirements of VA-CABS, including required data to be available for VA-CABS and how it is correlated.
VA-CABS shall:
1. Store data in the solution's primary data store;
2. Ensure data replication between primary and secondary data stores, with the sensitive data encrypted at rest;
3. Utilize only secure data transfer protocols that secure or encrypt data exchanged with integrating systems;
4. Only exchange required data attributes with integrating systems;
5. Utilize attribute data mapping to develop GUIs within VA-CABS;
6. Leverage the Onboarding solution to receive updates to attributes and distribute updated attributes across other integrating systems based on defined rules.

7.0 HIGH-LEVEL PERFORMANCE, CAPACITY, AND AVAILABILITY REQUIREMENTS
This section defines the overall VA-CABS requirements around availability, load requirements, ability to scale in future, and integration capabilities with systems such as ICAM Onboarding solution and OPM.

7.1 PERFORMANCE
This section includes high level requirements for VA-CABS performance, such as speeds for transactions and alerts.
VA-CABS shall:
1. Return search results in less than five (5) seconds after a request is submitted;
2. Fully load GUIs less than three (3) seconds after a request is submitted;
3. Ability to submit information to system endpoints via secured transfer protocols in less than eight (8) seconds after the request is submitted to the system.
4. Ability to synchronize data in near real time with the ICAM Onboarding solution;
5. Ability to detect and alert changes in VA Subject statuses and data attributes in near real time;
6. Comply with existing VA and federal information system performance requirements.

7.2 CAPACITY
This section includes high-level capacity requirements for VA-CABS, such as the number of records and users that can be in the system.
VA-CABS shall:
1. Support the current and future (forecasted) user base of relying applications and systems. The system is expected to support a minimum of 2 million VA Subject profiles;
2. Support at least 1,000 concurrent role holder sessions;
3. Support an average of at least 20,000 VA Subject profile creations on a monthly basis;
4. Support at least a 15% increase in the number of VA Subject profiles annually, at a minimum;
5. Support peak traffic time for internal facing services. The peak traffic time is from 8:00am to 9:00pm ET in the continental United States (CONUS), during normal work weeks (Monday through Friday), excluding federal holidays.

7.3 AVAILABILITY
This section includes high level availability requirements for VA-CABS, such as system downtime and back-ups.
VA-CABS shall:
1. Support continuous operations;
2. Be highly available with no single point of failure;
3. Provide 99.5% uptime, with a maximum downtime of 216 minutes per month (includes scheduled downtime);
4. Utilize replication with the master information store to support performance, failover, and high availability;
5. Use various methods for continuous availability such as load balancing, redundancy, backups, continuity, and disaster recovery plans.

7.4 BUSINESS CONTINUITY
This section includes high level business continuity requirements for VA-CABS for circumstances such as a disaster.
VA-CABS shall:
1. Integrate with VA aligned data center business continuity plan;
2. Align for continuity and recovery services at a level equal to or greater than the most demanding application or service, which it relies upon for operation with ICAM Onboarding solution, PSSS, and/or OPM.
3. Back up directories and databases (user store and provisioning store) periodically during off-peak hours resulting in no more than two (2) hours of data loss.
8.0 SERVICE LEVEL REQUIREMENTS
This section includes requirements for service level agreements for VA-CABS, including specific criteria and outputs for availability, capacity & performance, and interfaces & security.

8.1 AVAILABILITY, CAPACITY, & PERFORMANCE

Table 5: Availability, Capacity, & Performance Requirements

- SLR Question: How many role holders will be on the system hourly?
  SLR Criteria: 101-1000
- SLR Question: How many transactions will each average role holder perform each hour?
  SLR Criteria: >10
  Description: Transaction number may change once a solution is identified.
- SLR Question: What are the anticipated peak role holder times during the day?
  SLR Criteria: Business Day (8:00 AM - 8:00 PM Eastern Standard Time)
- SLR Question: What is the anticipated peak transaction load (when do you think that there will be the most transactions being performed on the system) during the day?
  SLR Criteria: Business Day (8:00 AM - 8:00 PM Eastern Standard Time)
- SLR Question: How many new role holders will be added in one year?
  SLR Criteria: 0-500
- SLR Question: How many more (if any) transactions will be added in one year?
  SLR Criteria: >10
  Description: Transaction number may change once a solution is identified.
- SLR Question: What kind of information will be stored (specify average of each kind per month)?
  SLR Criteria: Small documents (PDF, Word file); Forms (OF 306); Media (Biometrics - fingerprints)
  Description: Averages will be added once the system is deployed.
- SLR Question: What kind of search capacity is required?
  SLR Criteria: High (4000-5000 per hour)
- SLR Question: What type of system(s) is/are required?
  SLR Criteria: Intranet (All VA)
- SLR Question: Is there a need for heavy application reporting? If yes, when?
  SLR Criteria: End of week with an aggregate report at the end of the month

9.0 USE CASE LIST
This section provides a listing of the Use Cases for VA-CABS. The detailed Use Case Flow Diagrams will be provided upon solicitation.
The following high-level preconditions were made during the development of these use cases:
- VA-CABS will have an existing connection with the ICAM Onboarding solution for exchange of data;
- VA-CABS will have an existing connection with OPM for exchange of data;
- Identified role holders will be granted the system roles mentioned in the use case;
- Role holders are logged into VA-CABS to perform their respective duties; however, specific instances of system log in are also noted in the use cases.

The VA-CABS Use Cases are as follows:

Table 6: VA-CABS Use Cases

UC01: VA Subject Profile Creation
- Description: This Use Case describes the creation of a VA Subject's profile in VA-CABS leveraging information from the ICAM Onboarding solution, that receives data from HR Smart and eCMS.
- Actors: ICAM Onboarding solution; VA-CABS
- Pre-Conditions: The VA Subject (employee) accepts the tentative offer and completes the OF-306. The VA Subject (contractors, trainees, and affiliates) becomes affiliated with the VA.
- Post-Conditions: VA-CABS creates a profile for the VA Subject populated with additional case data through the fingerprinting and background investigation processes.

UC02: Fingerprint Submission
- Description: This Use Case describes the fingerprint submission process for a VA Subject
- Actors: Security Assistant; VA-CABS; ICAM Onboarding solution; OPM
- Pre-Conditions: The VA Subject profile is in VA-CABS. The VA Subject received fingerprinting instructions from HR Smart or ICAM Onboarding solution.
- Post-Conditions: The VA Subject's fingerprint is submitted to OPM.

UC03: Subject Assignment
- Description: This Use Case describes the process of assigning the VA Subject profile to the appropriate Security Assistant and / or Security Specialist
- Actors: Security Assistant; Security Specialist; Sr. Security Specialist; ICAM Onboarding solution; VA-CABS
- Pre-Conditions: The Security Assistant has already obtained the OF-306 and resume through manual / offline processes. The ICAM Onboarding solution has passed VA Subject data attributes and a VA Subject profile has been created within VA-CABS. The VA Subject's fingerprints have been captured.
- Post-Conditions: The VA Subject profile is assigned to the appropriate security personnel based on facility SON.

UC04: Fingerprint Special Agreement Check (SAC) Adjudication
- Description: This Use Case describes the SAC Adjudication process for a VA Subject
- Actors: Security Specialist; VA-CABS; OPM; ICAM Onboarding solution
- Pre-Conditions: The VA Subject's fingerprints have been submitted to OPM. The VA Subject profile is assigned to security personnel based on the workflow in VA-CABS-UC03.
- Post-Conditions: The SAC adjudication result is made for the VA Subject and captured in VA-CABS. The ICAM Onboarding solution receives the VA Subject's SAC adjudication results and date from VA-CABS.

UC05: Background Investigation Initiation
- Description: This Use Case describes the process for the initiation of a background investigation for a new VA Subject, or a current VA Subject who has a change to their Position Designation Record (PDR) because of promotion, demotion, or reassignment, or the risk level of the employee's position is changed to a higher level.
- Actors: ICAM Onboarding solution; VA-CABS; Security Assistant; VA Subject; OPM
- Pre-Conditions: There is a favorable fingerprint SAC adjudication attached to the profile. (Note: Background investigation is initiated for favorable SAC adjudication only) The Security Assistant determines there is no appropriate investigation level scheduled or closed for the VA Subject (Reciprocity).
- Post-Conditions: OPM schedules the background investigation. VA-CABS receives confirmation that OPM scheduled the background investigation and updates status of background investigation. The ICAM Onboarding solution receives updated background investigation status and date.

UC06: Background Investigation Adjudication
- Description: This Use Case describes the process for adjudication of a background investigation for a VA Subject.
- Actors: VA-CABS; Security Specialist; Senior Security Specialist; OPM; VA Subject; Case Manager
- Pre-Conditions: The VA Subject's background investigation case status has been marked as "Closed Complete" in VA-CABS.
- Post-Conditions: The background investigation is adjudicated. The Adjudicative determination is recorded in VA-CABS. VA-CABS transmits adjudicative determination to the ICAM Onboarding solution.

UC07: Reinvestigation
- Description: This Use Case describes the process for the initiation of a reinvestigation for a current VA Subject
- Actors: VA-CABS; ICAM Onboarding solution; Security Assistant; VA Subject; OPM
- Pre-Conditions: The VA Subject is an incumbent to a position that is public trust or sensitive, and has a requirement for a reinvestigation (as reflected in the PDR). VA-CABS tracks the closed date of the initial investigation and subsequent investigations.
- Post-Conditions: OPM schedules the background investigation. VA-CABS receives confirmation that OPM scheduled the background investigation and updates status of background investigation. The ICAM Onboarding solution receives updated background investigation status and date.

UC08: Reports
- Description: This Use Case describes the process by which the reporting capability is used within VA-CABS
- Actors: Role holder: Read-Only Reviewer; Case Manager; Insider Threat Reviewer; System Owner; Compliance Specialist; VA-CABS
- Pre-Conditions: VA-CABS generates and stores logs of system transactions, VA Subject profile data, and user activity.
- Post-Conditions: A report is generated and the appropriate next steps are taken by a role holder.

UC09: Insider Threat Review and Update
- Description: This Use Case describes the process by which an Insider Threat Reviewer can access VA-CABS to perform insider threat monitoring duties.
- Actors: Insider Threat Reviewer; System Owner; VA-CABS
- Pre-Conditions: Case has been designated as having insider threat attributes (refer to VA-CABS-UC07) in the adjudication process.
- Post-Conditions: Additional details have been added to cases within VA-CABS for the purposes of insider threat mitigation. The Insider Threat Reviewer annotates and uploads documents for cases that have been identified as needing modification for insider threat monitoring purposes. Note: Only unclassified Insider Threat data and / or documentation will be stored in VA-CABS

UC10: Second Level Review
- Description: This Use Case describes the process for a second-level review of a case
- Actors: VA-CABS; Security Specialist; Senior Security Specialist
- Pre-Conditions: A case has been assigned and is in the process of being adjudicated by a Security Specialist. A case's background investigation status from OPM is "Closed Complete." Security Specialist has completed initial assessment and determines a second-level review is required. A second-level review is mandatory based on OPM/PSS policy, or should receive a second-level review based on business processes.
- Post-Conditions: Background investigation is adjudicated and adjudicative determination is recorded in VA-CABS. VA-CABS sends adjudicative determination to ICAM Onboarding solution.

UC11: Delegation Of Caseload
- Description: This Use Case describes the process for the delegation of a Security Assistant /Specialist's full caseload within VA-CABS.
- Actors: VA-CABS; Security Assistant; Security Specialist; Case Manager; Senior Security Specialist
- Pre-Conditions: A Security Assistant/Specialist is unavailable to perform job duties for a period of time, and requires the delegation of their caseload to another person. There are other Security Assistants/Specialists available within the same SON or VISN that can perform the Security Assistant/Specialist's duties.
- Post-Conditions: VA Subject caseload is delegated from one Security Assistant/Specialist to another.

UC12: Post-Adjudication Review
- Description: This Use Case describes the process for reviewing and editing a case that has an Adjudicative Determination recorded.
- Actors: VA-CABS; Case Manager; Senior Security Specialist; System Owner
- Pre-Conditions: A VA Subject's case exists in VA-CABS. A VA Subject's case has an Adjudicative Determination recorded. A VA Subject's case is listed as "Closed."
- Post-Conditions: A VA Subject's case attributes can now be edited and updated.

UC13: Cancel Cases
- Description: This Use Case describes the process for canceling a case that was in the process of being investigated or adjudicated due to a VA Subject who is no longer pursuing a position at the VA
- Actors: VA-CABS; Security Specialist; Case Manager; Senior Security Specialist
- Pre-Conditions: A VA Subject's case exists in VA-CABS. A VA Subject is no longer pursuing employment with the VA. A VA Subject's case does not have an Adjudicative Determination. A VA Subject's case has not been closed.
- Post-Conditions: The VA Subject's case no longer requires action. The VA Subject's case has a "Canceled" or listed as "Closed" attribute recorded.
- Web Link
-
FBO.gov Permalink
(https://www.fbo.gov/notices/ee0035fe85c548ade44f0530a04f551c)
- Document(s)
- Attachment
- File Name: VA118-17-N-1748 VA118-17-N-1748.docx (https://www.vendorportal.ecms.va.gov/FBODocumentServer/DocumentServer.aspx?DocumentId=3044729&FileName=VA118-17-N-1748-000.docx)
- Link: https://www.vendorportal.ecms.va.gov/FBODocumentServer/DocumentServer.aspx?DocumentId=3044729&FileName=VA118-17-N-1748-000.docx
- File Name: VA118-17-N-1748 VA-CABS RFI _final_10062016 02.docx (https://www.vendorportal.ecms.va.gov/FBODocumentServer/DocumentServer.aspx?DocumentId=3044730&FileName=VA118-17-N-1748-001.docx)
- Link: https://www.vendorportal.ecms.va.gov/FBODocumentServer/DocumentServer.aspx?DocumentId=3044730&FileName=VA118-17-N-1748-001.docx
- Note: If links are broken, refer to Point of Contact above or contact the FBO Help Desk at 877-472-3779.
- Record
- SN04299484-W 20161008/161006234117-ee0035fe85c548ade44f0530a04f551c (fbodaily.com)
- Source
-
FedBizOpps Link to This Notice
(may not be valid after Archive Date)