R -- PowerStart Implementation. This is a Request for Information only. Responses are due by 2:00 p.m. EST April 3, 2017 - Attachment
- Notice Date
- 3/30/2017
- Notice Type
- Attachment
- NAICS
- 541511 — Custom Computer Programming Services
- Contracting Office
- Department of Veteran Affairs;SAO East;PCAE STL Contracting Officer;11152 South Towne Square;Saint Louis MO 63123
- ZIP Code
- 63123
- Solicitation Number
- VA77717N0050
- Response Due
- 3/24/2017
- Archive Date
- 3/29/2017
- Point of Contact
- John Schiffhauer
- E-Mail Address
- John.Schiffhauer@va.gov
- Small Business Set-Aside
- N/A
- Description
- DISCLAIMER

This Request for Information (RFI) is issued solely for information and planning purposes only and does not constitute a solicitation. All information received in response to this RFI that is marked as proprietary will be handled accordingly. In accordance with FAR 15.201(e), responses to this notice are not offers and cannot be accepted by the Government to form a binding contract. Responders are solely responsible for all expenses associated with responding to this RFI.

Offeror's Submittal of Interest: Interested and capable firms are requested to provide the following data/information to the attention of the Contracting Officer identified herein.

a) Company's name:
b) Company's address:
c) Company's point of contact name:
d) Company's phone, fax, and email address:
e) Company's Tax ID Number:
f) Company's DUNS number and Cage Code:
g) Type of business, e.g. Small Service Disabled Veteran Owned Small Business, Veteran Owned Small Business, SBA Certified 8(a) Firm, SBA Certified HUBZone Firm, Women Owned Small Business, SBA Certified Small Disadvantaged Business, Small Business, or Other than Small Business, relative to NAICS code 541511
h) Federal Supply Schedule number (if applicable):
i) Statement of Capability that demonstrates the offeror's capability and past performance in providing and meeting the type of service requirement; to include the data and information stated herein.

E-mail submissions will be acceptable at John.Schiffhauer@va.gov. Submissions should be submitted no later than 2:00 p.m., Central Standard Time (CST) on April 3, 2017. NO FAX/FACSIMILE SUBMISSIONS WILL BE ACCEPTED.

Questions: Requests for clarification and/or information regarding this RFI must be submitted to the Contracting Officer in writing (email) ONLY. Any interested Offeror desiring an explanation or interpretation of the anticipated solicitation specifications must request it in writing. No phone responses will be accepted.
NOTE: All responses must reference the RFI # and Description of the project in the Header or Opening Statement.

Notice to Potential Offerors: All Offerors who provide goods or services to the United States Federal Government MUST be registered in the System for Award Management (SAM) website, located at www.sam.gov. It is desirable that Offerors complete their business Online Representations and Certifications Application (ORCA). Additionally, all Service Disabled Veteran Owned Small Businesses or Veteran Owned Small Businesses who respond to a solicitation must be registered with the Department of Veterans Affairs Center for Veterans Enterprise VetBiz Registry located at http://vip.vetbiz.gov.

Disclaimer: The purpose of this RFI is to gain knowledge of potential qualified sources and their business size classification, and is issued solely for information and planning purposes only and does not constitute a solicitation. In accordance with FAR 15.201(e), responses to this notice are not offers and cannot be accepted by the Government to form a binding contract. This notice shall not be construed as a commitment by the Government to issue a solicitation or ultimately award a contract, nor does it restrict the Government to a particular acquisition approach. All information received in response to this RFI that is marked as proprietary will be handled accordingly. Responders are solely responsible for all expenses associated with responding to this RFI. The Government is not obligated to nor will it pay for or reimburse respondent parties for any costs associated with responding to this Sources Sought Synopsis Announcement.

NOTE: No proprietary, classified, confidential, or sensitive information should be included in your response to this Sources Sought Announcement.
The Government reserves the right to use any information provided by respondents for any purpose deemed necessary and legally appropriate, including using technical information provided by respondents in any resultant solicitation. Also, please be advised that Neopost USA, and its authorized resellers, are the only authorized sales, supplies, parts and servicing providers for Neopost-manufactured Mailing Systems.

At this time no solicitation exists; therefore, do not request a copy of the Solicitation. After a review of the responses received, a Pre-Solicitation Notice and Solicitation may be published on Federal Business Opportunities (FedBizOpps) website or GSA E-buy. It is the potential Offeror's responsibility to monitor FedBizOpps and E-buy for release of any future solicitation that may result from this Sources Sought Announcement. However, responses to this Sources Sought Announcement will not be considered adequate responses to any resultant solicitation.

Comments/Concerns: Please provide the Contracting Officer, under company/firm's letterhead, any comments and/or concerns you may have regarding this Sources Sought Announcement.

John Schiffhauer
Contract Specialist
Department of Veterans Affairs
Program Contract Activity Central (PCAC) - St. Louis, MO
314-894-6656 x 65111
John.Schiffhauer@va.gov

STATEMENT OF WORK

GENERAL OBJECTIVES AND REQUIREMENTS

Title

Lean Six Sigma Project and General Project Management Update

Contract Scope

The contractor shall provide all resources necessary to accomplish the deliverables described in the Statement of Work (SOW), except as may otherwise be specified. Modification of a hosted project management proprietary software program, GS-35F-0265X. Contractor will provide a developer support package(s) that provides assistance in the build-out of Power Steering reporting capabilities. Platform modifications will be compatible with current VA security settings and Internet Explorer versions.
Platform will continue to provide sufficient security of data entered into the hosted platform repository. Data will be related to process improvement projects and not contain any protected PHI/PII.

Expected Outputs: 2 packages of 10 day (80 hours) subject matter expert support in modifying the proprietary PowerSteering tool to allow assigned VA employees to develop enhanced reporting capabilities emphasizing Return on Investment through program costs and expected benefits through monthly, quarterly, and FY intervals by CPAC and RO as a program. Additionally, SME assistance will support VA employees with the build-out of graphic dashboards for executive leaders to access real time reporting data on program status.

Background and Program Overview

CPAC (Consolidated Patient Account Center) is a congressionally mandated program that will consolidate traditional VHA business office functions into seven regional centers over the next few years. This initiative will transform VHA billing and collections activities, and more closely align VHA with industry practices through the implementation of standardized improvement projects management.

Contract Type

Firm-Fixed-Price

Purpose

This proposed solicitation will improve the alignment with current CPAC strategic guidance to incorporate business process improvement strategies and technological improvements into business operations programs which allows for greater efficiency that provides a more effective and less costly service to veterans. Successful implementation of the elements in this solicitation will allow for significant improvements in key business metrics such as cycle time, return on investment, individual productivity, efficiency, and employee satisfaction over the next ten years while reducing waste and overall costs within the CPAC organization.
Objectives

This is planned as a one-time contract that includes 20 days of build-out support that provides assistance with the building out of reporting capabilities; efforts will include building on the enhancement features of a standardized project management platform (PowerSteering) accessible to key CPAC staff nationwide.

General Requirements

1. For every task, the contractor shall identify in writing all necessary subtasks (if any), associated costs by tasks together with associated sub-milestone dates. The contractor's subtask structure shall be reflected in the technical proposal and detailed project management plan (PMP) if required.
2. All written deliverables will be phrased in layperson language. Statistical and other technical terminology will not be used without providing a glossary of terms.
3. Where a written milestone deliverable is required in draft form, the CPAC PMO will complete their review of the draft deliverable within _10_ calendar days from date of receipt. The contractor shall have _5_ calendar days to deliver the final deliverable from date of receipt of the government's comments.

Description of Tasks and Associated Deliverables:

The contractor shall provide the specific deliverables described below within the performance period stated in Section 14 of this SOW.

Task 1: Contractor will provide developer support package(s) that provides assistance in the build-out of Power Steering software reporting capabilities. Each package will consist of a specific number of consulting days, based on an 8 hour workday, and will provide advice, consulting, and training on the use and configuration of administrative and reporting applications/widgets contained within the proprietary project management platform, Powersteering.
Deliverable 1: There will be two periods of performance provided by the contractor.

Period 1 will begin NLT May 1, 2017 and conclude NLT June 30, 2017; the contractor will provide 10 days (80 hours) of consultative support to Revenue Operations process improvement staff to facilitate the development of reporting framework in the Power Steering Project Management Tool. Activities such as consulting on the design of dashboards, user interfaces, manipulation of administrative functions and properties, cumulating data, work tree modifications, report template modifications, project details screen edits, and other administrator level functionality will be supported.

Period 2 will begin NLT July 1, 2017 and conclude NLT September 30, 2017; the contractor will provide 10 days (80 hours) of consultative support to Revenue Operations process improvement staff to facilitate the development of Return on Investment framework in the Power Steering Project Management Tool. Activities such as consulting on the design of dashboards, construction of pages and templates within the ROI template, manipulation of administrative functions and properties, work tree modifications, project details screen edits, and other administrator level functionality specific to ROI will be supported.

Deliverables:

- Enhanced reporting capabilities emphasizing Return on Investment through program costs and expected benefits through monthly, quarterly, and FY intervals by CPAC and RO as a program.
- Build-out of graphic dashboards for executive leaders to access real time reporting data on program status.

Schedule for Deliverables

Task             Start no later than    Complete no later than
Deliverable 1    May 1, 2017            June 30, 2017
Deliverable 2    July 1, 2017           September 30, 2017

1. Unless otherwise specified, the number of draft copies and the number of final copies shall be the same.
2.
If for any reason the scheduled time for a deliverable cannot be met, the contractor is required to explain why (include the original deliverable due date) in writing to the CO, including a firm commitment of when the work shall be completed. This notice to the CO shall cite the reasons for the delay, and the impact on the overall project. The CO will then review the facts and issue a response in accordance with applicable regulations.

Changes to Statement of Work

Any changes to this contract shall be authorized and approved only through written correspondence from the CO. A copy of each change will be kept in a project folder along with all other products of the project. Costs incurred by the contractor through the actions of parties other than the CO shall be borne by the contractor.

9.0 Reporting Requirements

1. The contractor shall provide the COTR with monthly reports on utilization of support hours until all hours are utilized or the conclusion of the period of performance, whichever comes first. This report will document the starting number of hours, hours used, date used, and purpose of utilized hours.

10.0 Contract Kick-off

The contractor shall not commence performance on the tasks in this SOW until the CO has conducted a kick off meeting or has advised the contractor that a kick off meeting is waived.

11.0 Period of Performance (POP)

Period of Performance would be May 1, 2017 through September 30, 2017. Any work, if required, that occurs at the government site shall not take place on Federal holidays or weekends unless directed by the Contracting Officer (CO), Chief Information Officer (CIO), and Contracting Officer Representative (COR).

12.0 Place of Performance

Services being requested by this statement of work are virtual in nature, will not be located at a government facility, and are provided through secure internet platforms across the World Wide Web.
The contractor is responsible for providing working stations, access, and all necessary support of contractor assigned personnel.

13.0 Travel

Travel is not required by this SOW.

14.0 Government Responsibilities

Government will provide access to facility rooms needed to prepare staff if needed in accordance with overall project schedule. There will not be any direct connection to VA networks or systems conducted by the contractor during the full period of performance for this contract. All platform interactions will be accomplished through portal access on the World Wide Web.

15.0 Contractor Experience Requirements

Key Personnel

These skilled, experienced professional and/or technical personnel are essential for successful contractor accomplishment of the work to be performed under this contract and subsequent task orders and option. The contractor agrees that the key personnel shall not be removed, diverted, or replaced from work without approval of the CO and TOPM. Any personnel the contractor offers as substitutes shall have the ability and qualifications equal to or better than the key personnel being replaced, specifically, subject matter expertise in the design and administration of the PowerSteering project management platform. Requests to substitute personnel shall be approved by the TOPM and the CO. All requests for approval of substitutions in personnel shall be submitted to the TOPM and the CO within 30 calendar days prior to making any change in key personnel. The request shall be written and provide a detailed explanation of the circumstances necessitating the proposed substitution. The contractor shall submit a complete resume for the proposed substitute, any changes to the rate specified in the order (as applicable) and any other information requested by the CO needed to approve or disapprove the proposed substitution. The CO will evaluate such requests and promptly notify the contractor of approval or disapproval thereof in writing.
16.0 Contract Administration

After award of Contract, all inquiries and correspondence relative to the administration of the Contract shall be addressed to the attention of the Contracting Officer.

Contracting Officer:
Telephone Number:
Fax Number:
Email:

Contracting Officer's Representative (COTR):
Name:
Telephone Number:
Fax Number:
Email:

INVOICING REQUIREMENTS AND ACCEPTANCE:

The contractor shall submit an original copy of all invoices to the Austin Financial Services Center with a copy sent by electronic mail to the assigned COTR on the Task Order.

Regular Mail:
VA Austin Finance Service Center (VAFSC)
VAFSC FOS Region 1 Team
P. O. Box 149971
Austin, TX 78714
Phone # 512-460-5544
Email: www.fsc.va.gov
FAX: 512-460-5540

All invoices submitted must contain the following information:

- Contract Number
- Dates of Service
- Names of Employees
- Tour of duties worked.

C. SECURITY

The C&A requirements do not apply and a Security Accreditation Package is not required as per VA HB 6500.6 appendix A. Protected health information will not be disclosed or accessed as part of this contract solicitation.

VA ACQUISITION REGULATION SOLICITATION PROVISION AND CONTRACT CLAUSE

NOTE: This clause will undergo official rule making by the Office of Acquisitions and Logistics. The below language will be submitted for public review through the Federal Register. The final wording of the clause may be changed from what is outlined below based on public review and comment. Once approved, the final language in the clause can be obtained from the Office of Acquisitions and Logistics Programs and Policy.
Security Clauses by Reference:

- SUBPART 839.2 INFORMATION AND INFORMATION TECHNOLOGY SECURITY REQUIREMENTS
- 852.273-75 - SECURITY REQUIREMENTS FOR UNCLASSIFIED INFORMATION TECHNOLOGY RESOURCES (INTERIM - OCTOBER 2008)

SECURITY PRIVACY REQUIREMENTS

General - All contractors and contractor personnel shall be subject to the same Federal laws, regulations, standards, and VA policies as VA, and VA personnel, regarding information and information system security. Contractors must follow policies and procedures outlined in VA Directive 6500, Information Security Program and its handbooks to ensure appropriate security controls are in place.

Access to VA Information and VA Information Systems

A contractor shall request logical (technical) and/or physical access to VA information and VA information systems for employees, subcontractors, and affiliates only to the extent necessary: (1) to perform the services specified in the contract, (2) to perform necessary maintenance functions for electronic storage or transmission media necessary for performance of the contract, and (3) for individuals who first satisfy the same conditions, requirements and restrictions that comparable VA employees must meet in order to have access to the same type of VA information.

All contractors and subcontractors working with VA Sensitive Information are subject to the same investigative requirements as those of regular VA appointees or employees who have access to the same types of information. The level of background security investigation will be in accordance with VA Directive 0710, Handbook 0710, which are available at: http://www1.va.gov/vapubs/ and VHA Directive 0710 and implementing Handbook 0710.01 which are available at: http://www1.va.gov/vhapublications/index.cfm. Contractors are responsible for screening their employees.
The following are VA's approved policy exceptions for meeting VA's background screenings/investigative requirements for certain types of contractors:

- Contract personnel not accessing VA information resources such as personnel hired to maintain the medical facility grounds, construction contracts, utility system contractors, etc.
- Contract personnel with limited and intermittent access to equipment connected to facility networks on which no VA sensitive information is available, including contractors who install, maintain, and repair networked building equipment such as fire alarm; heating, ventilation, and air conditioning equipment; elevator control systems, etc. If equipment to be repaired is located within sensitive areas (e.g. computer room/communications closets), VA IT staff must escort contractors while on site.
- Contract personnel with limited and intermittent access to equipment connected to facility networks on which limited VA sensitive information may reside, including medical equipment contractors who install, maintain, and repair networked medical equipment such as CT scanners, EKG systems, ICU monitoring, etc. In this case, Veterans Health Administration facilities must have a duly executed VA business associate agreement (BAA) in place with the vendor in accordance with VHA Handbook 1600.01, Business Associates, to assure compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in addition to the contract. Contract personnel, if on site, should be escorted by VA IT staff.

Contract personnel who require access to national security programs must have a valid security clearance. National Industrial Security Program (NISP) was established by Executive Order 12829 to ensure that cleared U.S. defense industry safeguards the classified information in their possession while performing work on contracts, programs, bids, or research and development efforts.
Defense Security Service (DSS) administers the NISP on behalf of the Department of Defense and 23 other federal agencies within the Executive Branch. VA will verify clearance through DSS.

VA Information Custodial Requirements

Information made available to the contractor by VA for the performance or administration of this contract or information developed by the contractor in performance or administration of the contract shall be used only for those purposes and shall not be used in any other way without the prior written agreement of the contracting officer. This clause expressly limits the contractor's rights to use data as described in Rights in Data - General, FAR 52.227-14(d)(1).

Information generated by a Contractor as a part of the contractor's normal business operations, such as medical records created in the course of providing treatment, is subject to a review by the Office of General Counsel (OGC) to determine if the information is the property of VA and subject to VA policy. If the information is determined by OGC to not be the property of VA, the restrictions required for VA information will not apply.

VA information will not be co-mingled with any other data on the contractors/subcontractors information systems/media storage systems in order to ensure VA requirements related to data protection and media sanitization can be met. VA also reserves the right to conduct IT resource inspections to ensure data separation and on-site inspection of information destruction/media sanitization procedures to ensure they are in compliance with VA policy requirements.

Prior to termination or completion of this contract, contractor will not destroy information received from VA or gathered or created by the contractor in the course of performing this contract without prior written approval by the VA contracting officer.
Any data destruction done on behalf of VA by a contractor must be done in accordance with National Archives and Records Administration (NARA) requirements as outlined in VA Directive 6300, Records and Information Management and its Handbook 6300.1 Records Management Procedures, and applicable VA Records Control Schedules. The contractor will receive, gather, store, back up, maintain, use, disclose and dispose of VA information only in compliance with the terms of the contract and applicable Federal and VA information confidentiality and security laws, regulations and policies. Applicable Federal information security regulations include all Federal Information Processing Standards (FIPS) and Special Publications (SP) issued by the National Institute of Standards and Technology (NIST). If Federal or VA information confidentiality and security laws, regulations and policies become applicable to the VA information or information systems after execution of the contract, or if NIST issues or updates applicable FIPS after execution of this contract, the parties agree to negotiate in good faith to implement the information confidentiality and security laws, regulations and policies, including FIPS or SP, in this contract. Contractors collecting, storing, or disseminating personal identifiable information (PII) or protected health information (PHI) data must conform to all pertinent regulations, laws, and VA directives related to privacy. Contractors must provide access for VA privacy reviews and assessments and provide appropriate documentation as directed. The contractor shall not make copies of VA information except as necessary to perform the terms of the agreement or to preserve electronic information stored on contractor electronic storage media for restoration in case any electronic equipment or data used by the contractor needs to be restored to an operating state. 
If VA determines that the contractor has violated any of the information confidentiality, privacy, and security provisions of the contract, it shall be sufficient grounds for VA to terminate the contract for default or terminate for cause under Federal Acquisition Regulation (FAR) part 12. If a VHA contract is terminated for cause, the associated business associate agreement (BAA) will also be terminated and appropriate actions taken in accordance with VHA Handbook 1600.01 Business Associates.

Contractor will store, transport, or transmit VA sensitive information in an encrypted form, using a VA-approved encryption application that meets the requirements of NIST's FIPS 140-2 standard.

The contractor's firewall and Web services security controls, if applicable, shall meet or exceed VA's minimum requirements. VA directives are available on the VA directives Web site at http://www1.va.gov/vapubs/.

Except for uses and disclosures of VA information authorized by this contract for performance of the contract, the contractor may use and disclose VA information only in two other situations: (i) in response to a qualifying order of a court of competent jurisdiction, or (ii) with VA's prior written approval. The contractor will refer all requests for, demands for production of, or inquiries about, VA information and information systems to the VA contracting officer for response.

Notwithstanding the provision above, the contractor shall not release medical quality assurance records protected by 38 U.S.C. 5705 or records pertaining to drug addiction, sickle cell anemia, alcoholism or alcohol abuse, or infection with human immunodeficiency virus protected under 38 U.S.C. 7332 under any circumstances, including in response to a court order, and shall immediately refer such court orders or other inquiries to the VA contracting officer for response.
The contractor will not use technologies banned in VA in meeting the requirements of the contract (e.g., Bluetooth enabled devices).

Information System Design and Development

Information systems that are designed or developed for or on behalf of VA at non-VA facilities shall comply with all VA policies developed in accordance with Federal Information Security Management Act (FISMA), Health Insurance Portability and Accountability Act (HIPAA), NIST, and related VA security and privacy control requirements for Federal information systems. This includes standards for the protection of electronic PHI, outlined in 45 C.F.R. Part 164, Subpart C, information and system security categorization level designations in accordance with FIPS 199 and FIPS 200 with implementation of all baseline security controls commensurate with the FIPS 199 system security categorization (reference Appendix D of VA Handbook 6500, VA Information Security Program). During the development cycle, a privacy impact assessment will be completed, provided to the COTR, and approved by the VA Privacy Service in accordance with VA Privacy Impact Assessment Handbook 6500.3.

The security controls must be designed, developed, approved by VA, and implemented in accordance with the provisions of VA security system development life cycle as outlined in NIST Special Publication 800-37 and VA Handbook 6500.

The contractor will be required to design, develop, or operate a System of Records on individuals to accomplish an agency function subject to the Privacy Act of 1974, (as amended), Public Law 93-579, December 31, 1974 (5 U.S.C. 552a) and applicable agency regulations. Violation of the Privacy Act may involve the imposition of criminal and civil penalties.
The contractor agrees to - Comply with the Privacy Act of 1974 (the Act) and the agency rules and regulations issued under the Act in the design, development, or operation of any system of records on individuals to accomplish an agency function when the contract specifically identifies -- The systems of records; and The design, development, or operation work that the contractor is to perform; Include the Privacy Act notification contained in this contract in every solicitation and resulting subcontract and in every subcontract awarded without a solicitation, when the work statement in the proposed subcontract requires the redesign, development, or operation of a system of records on individuals that is subject to the Act; and, Include this Privacy Act clause, including this subparagraph (3), in all subcontracts awarded under this contract which requires the design, development, or operation of such a system of records. In the event of violations of the Act, a civil action may be brought against the agency involved when the violation concerns the design, development, or operation of a system of records on individuals to accomplish an agency function, and criminal penalties may be imposed upon the officers or employees of the agency when the violation concerns the operation of a system of records on individuals to accomplish an agency function. For purposes of the Act, when the contract is for the operation of a system of records on individuals to accomplish an agency function, the contractor is considered to be an employee of the agency. Operation of a system of records means performance of any of the activities associated with maintaining the system of records, including the collection, use, and dissemination of records. 
Record means any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and contains the person's name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a fingerprint or voiceprint, or a photograph. System of records on individuals means a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.

Information System Hosting, Operation, Maintenance or Use

For information systems that are hosted, operated, maintained, or used on behalf of VA at non-VA facilities, contractors are fully responsible and accountable for ensuring compliance with all HIPAA, Privacy Act, FISMA, NIST, FIPS, and VA security and privacy directives and handbooks. The contractor security control procedures must be identical, not equivalent, to those procedures used to secure VA systems. A privacy impact assessment (PIA) must also be provided to the COTR and approved by VA Privacy Service prior to operational approval. All external Internet connections involving VA information must be reviewed and approved by VA prior to implementation.

Adequate security controls for collecting, processing, transmitting, and storing of personally identifiable information, as determined by the VA Privacy Service, must be in place, tested, and approved by VA prior to hosting, operation, maintenance, or use of the information system, or systems by or on behalf of VA. These security controls need to be stated within the PIA and supported by a risk assessment. If these controls are determined not to be in place, or inadequate, a Plan of Action and Milestones (POA&M) must be submitted and approved prior to the collection of PII.
Outsourcing (contractor facility/contractor equipment/contractor staff) of systems or network operations, telecommunications services, or other managed services requires certification and accreditation (C&A) of the contractor's systems in accordance with NIST Special Publication 800-37 and VA Handbook 6500 and a privacy impact assessment of the contractor's systems prior to operation of the systems. Government-owned (government facility/government equipment) contractor-operated systems, third party or business partner networks require a system interconnection agreement and a memorandum of understanding (MOU) which detail what data types will be shared, who will have access, and the appropriate level of security controls for all systems connected to VA networks. The contractor must adhere to all FISMA, FIPS, and NIST standards related to the annual FISMA security controls assessment and review and update the PIA. Any deficiencies noted during this assessment must be provided to the VA contracting officer and the information security officer (ISO) for entry into VA's Plan of Action and Milestone (POA&M) management process. The contractor will use VA's POA&M process to document planned remedial actions to address any deficiencies in information security policies, procedures, and practices, and the completion of those activities. Security deficiencies must be corrected within the timeframes approved by the Government. Contractor procedures will be subject to periodic, unannounced assessments by VA officials. The physical security aspects associated with contractor activities will also be subject to such assessments. As updates to the system occur, an updated PIA must be submitted to the VA Privacy Service through the COTR for approval.
All electronic storage media used on non-VA leased or owned IT equipment that is used to store, process, or access VA sensitive information must have all VA sensitive information removed, cleared, sanitized, or destroyed in accordance with VA policies and procedures upon: (1) completion or termination of the contract or (2) disposal or return of the IT equipment by the contractor or any person acting on behalf of the contractor, whichever is earlier. Information System Security The contractor shall ensure adequate LAN/Internet, data, information, and system security in accordance with VA standard operating procedures and standard contract language, conditions, laws, and regulations. The contractor's firewall and web server shall meet or exceed the government minimum requirements for security. All government data shall be protected behind an approved firewall. Any security violations or attempted violations shall be reported to the VA project manager and the VBA Headquarters Information Security Officer as soon as possible. The contractor shall follow all applicable VA policies and procedures governing information security, especially those that pertain to certification accreditation. See VAAR clause 852.273-75 included in this contract. Security Incident Investigation The term security incident means an event that has, or could have, resulted in unauthorized access to, loss or damage to VA assets, or sensitive information, or an action that breaches VA security procedures. The contractor shall immediately notify the Contracting Officer Technical Representative (COTR) and simultaneously, the designated ISO/Privacy Officer for the contract of any known or suspected security/privacy incidents, or any unauthorized disclosure of sensitive information, including that contained in system(s) to which the contractor has access.
To the extent known by the contractor, the contractor's notice to VA will identify the information involved, the circumstances surrounding the incident (including to whom, how, when, and where the VA information/assets were placed at risk or compromised), and any other information that the contractor considers relevant. The contractor will simultaneously report the incident to the appropriate law enforcement entity(ies) of jurisdiction, including the VA Offices of the Inspector General and Security and Law Enforcement, in instances of theft or break-in or other criminal activity. The contractor, its employees, and its subcontractors and their employees will cooperate with VA and any law enforcement authority responsible for the investigation and prosecution of any possible criminal law violation(s) associated with any incident. The contractor will cooperate with VA in any civil litigation to recover VA information, obtain monetary or other compensation from a third party for damages arising from any incident, or obtain injunctive relief against any third party arising from, or related to, the incident. To the extent practicable, the contractor shall mitigate any harmful effects on individuals whose VA information was accessed or disclosed in a security incident. In the event of a data breach with respect to any VA Sensitive Information processed or maintained by the contractor or subcontractor under the contract, the contractor is responsible for liquidated damages to be paid to VA. Security Controls Compliance Testing On a periodic basis, VA, including the Office of Inspector General, reserves the right to evaluate any or all of the security controls and privacy practices implemented by the contractor under the clauses contained within the contract.
With 10 working days' notice, at the request of the Government, the contractor will fully cooperate and assist in a Government-sponsored security controls assessment at each location wherein VA information is processed or stored, or information systems are developed, operated, maintained, or used on behalf of VA, including those initiated by the Office of Inspector General. The Government may conduct a security control assessment on shorter notice (to include unannounced assessments) determined by VA in the event of a security incident or at any other time. Security Training All Contractor employees and Sub-Contractor employees requiring access to VA sensitive information and/or VA information systems shall complete the following before being granted access to VA networks or sensitive information: Sign and acknowledge understanding of and responsibilities for compliance with the attached National Rules of Behavior relating to access to VA information and information systems; Successfully complete VA Cyber Security Awareness training and annual refresher training as required; Successfully complete VA General Privacy training and annual refresher training as required; and Successfully complete any additional cyber security or privacy training, as required for VA personnel with equivalent information system access [to be defined by the VA program official and provided to the contracting officer for inclusion in the solicitation document e.g., any role-based information security training required in accordance with NIST Special Publication 800-16, Information Technology Security Training Requirements.] The Contractor shall provide to the contracting officer a copy of the training certificates for each applicable employee within 1 week of the initiation of the contract and annually thereafter, as required. These online courses are located at the following web site: https://www.ees-learning.net/.
Failure to complete this mandatory training within the timeframe required will be grounds for suspension or termination of all physical and/or electronic access privileges and removal from work on the contract until such time as the training is completed. Contractor Personnel Security All Contractor employees who require access to the Department of Veterans Affairs' computer systems shall be the subject of a background investigation and must receive a favorable adjudication from the VA Security and Investigations Center (07C). The level of background security investigation shall be in accordance with VA Directive 0710 dated September 10, 2004 and is available at: http://www.va.gov/pubs/asp/edsdirec.asp (VA Handbook 0710, Appendix A, Tables 1 - 3). Appropriate Background Investigation (BI) forms shall be provided upon contract (or task order) award and are to be completed and returned to the VA Security and Investigations Center (07C) within 3 days for processing. Contractors shall be notified by 07C when the BI has been completed and adjudicated. These requirements are applicable to all Sub-Contractor personnel requiring the same access. If the security clearance investigation is not completed prior to the start date of the contract, the employee shall not work on the contract while the security clearance is being processed. Work will commence as soon as the Contractor and Contractor employee receive an email message that states the following: We show that background investigation request on the individual listed below has been completed and the case has been initiated by the Security Investigations Center. When the case is completed, all adjudicative paperwork will be returned to the requesting office. You can provide this email to the Station ISO as proof the investigation has been initiated and access can be granted. This notice does not ensure completion of VetPro or other required security training.
Those individuals that require VetPro Credentialing or additional security training must receive those completion notifications from the proper authority prior to start date. The investigative history for Contractor personnel working under this contract must be maintained in the databases of either the Office of Personnel Management (OPM) or the Defense Industrial Security Clearance Organization (DISCO). Should the Contractor use a vendor other than OPM or Defense Security Service (DSS) to conduct investigations, the investigative company must be certified by OPM/DSS to conduct Contractor investigations. Contractor Responsibilities The Contractor shall bear the expense of obtaining background investigations. If the investigation is conducted by the Office of Personnel Management (OPM) through the VA, the Contractor shall reimburse the VA within 30 days. Background investigations from investigating agencies other than OPM are permitted if the agencies possess an OPM and Defense Security Service certification. The Vendor Cage Code number must be provided to the Security and Investigations Center (07C), which shall verify the information and advise the contracting officer whether access to the computer systems can be authorized. The Contractor shall prescreen all personnel requiring access to the computer systems to ensure they maintain a U.S. citizenship and are able to read, write, speak, and understand the English language. After contract award and prior to contract performance, the Contractor shall provide the information, in Attachment C, to the CO. The Contractor, when notified of an unfavorable determination by the Government, shall withdraw the employee from consideration from working under the contract. Failure to comply with the Contractor personnel security requirements may result in termination of the contract for default. Further, the Contractor shall be responsible for the actions of all individuals provided to work for the VA under this contract. 
In the event that damages arise from work performed by Contractor provided personnel, under the auspices of this contract, the Contractor shall be responsible for all resources necessary to remedy the incident. Government Responsibilities The VA Security and Investigations Center (07C) shall provide the necessary forms to the Contractor or to the Contractor's employees after receiving a list of names and addresses. Upon receipt, the VA Security and Investigations Center (07C) shall review the completed forms for accuracy and forward the forms to OPM to conduct the background investigation. The VA facility shall pay for investigations conducted by the OPM in advance. In these instances, the Contractor shall reimburse the VA facility within 30 days. The VA Security and Investigations Center (07C) shall notify the contracting officer and Contractor after adjudicating the results of the background investigations received from OPM. The COTR will ensure that the Contractor provides evidence that investigations have been completed or are in the process of being requested. ELECTRONIC AND INFORMATION TECHNOLOGY STANDARDS INTERNET/INTRANET The Contractor shall comply with Department of Veterans Affairs (VA) Directive 6102 and VA Handbook 6102 (Internet/Intranet Services). VA Directive 6102 sets forth policies and responsibilities for the planning, design, maintenance support, and any other functions related to the administration of a VA Internet/Intranet Service Site or related service (hereinafter referred to as Internet). This directive applies to all organizational elements in the Department. This policy applies to all individuals designing and/or maintaining VA Internet Service Sites; including but not limited to full time and part time employees, Contractors, interns, and volunteers. This policy applies to all VA Internet/Intranet domains and servers that utilize VA resources. 
This includes but is not limited to va.gov and other extensions such as .com, .edu, .mil, .net, .org, and personal Internet service pages managed from individual workstations. VA Handbook 6102 establishes Department-wide procedures for managing, maintaining, establishing, and presenting VA Internet/Intranet Service Sites or related services (hereafter referred to as Internet). The handbook implements the policies contained in VA Directive 6102, Internet/Intranet Services. This includes, but is not limited to, File Transfer Protocol (FTP), Hypertext Markup Language (HTML), Simple Mail Transfer Protocol (SMTP), Web pages, Active Server Pages (ASP), e-mail forums, and list servers. VA Directive 6102 and VA Handbook 6102 are available at: Internet/Intranet Services Directive 6102 http://www.va.gov/pubs/directives/Information-Resources-Management-(IRM)/6102d.doc Internet/Intranet Services Handbook 6102 http://www.va.gov/pubs/handbooks/Information-Resources-Management-(IRM)/6102h.doc Internet/Intranet Services Handbook 6102 Change 1 updates VA's cookie use policy, Section 508 guidelines, guidance on posting of Hot Topics, approved warning notices, and minor editorial errors. http://www.va.gov/pubs/handbooks/Information-Resources-Management-(IRM)/61021h.doc In addition, any technologies that enable a Network Delivered Application (NDA) to access or modify resources of the local machine that are outside of the browser's "sand box" are strictly prohibited. Specifically, this prohibition includes signed-applets or any ActiveX controls delivered through a browser's session. ActiveX is expressly forbidden within the VA while .NET is allowed only when granted a waiver by the VA CIO *PRIOR* to use. JavaScript is the preferred language standard for developing relatively simple interactions (i.e., forms validation, interactive menus, etc.) and Applets (J2SE APIs and Java Language) for complex network delivered applications.
SECTION 508 COMPLIANCE The Contractor shall comply with Section 508 of the Rehabilitation Act (29 U.S.C. § 794d), as amended by the Workforce Investment Act of 1998 (P.L. 105-220), August 7, 1998. In December 2000, the Architectural and Transportation Barriers Compliance Board (Access Board), pursuant to Section 508(2) (A) of the Rehabilitation Act Amendments of 1998, established Information Technology accessibility standards for the Federal Government. Section 508(a)(1) requires that when Federal departments or agencies develop, procure, maintain, or use Electronic and Information Technology (EIT), they shall ensure that the EIT allows Federal employees with disabilities to have access to and use of information and data that is comparable to the access to and use of information and data by other Federal employees. The Section 508 requirement also applies to members of the public seeking information or services from a Federal department or agency. Section 508 text is available at: http://www.opm.gov/HTML/508-textOfLaw.htm http://www.section508.gov/index.cfm?FuseAction=Content&ID=14 CONFIDENTIALITY AND NONDISCLOSURE The preliminary and final deliverables and all associated working papers, application source code, and other material deemed relevant by the VA which has been generated by the contractor in the performance of this task order are the exclusive property of the U.S. Government and shall be submitted to the CO at the conclusion of the task order. The CO will be the sole authorized official to release verbally or in writing, any data, the draft deliverables, the final deliverables, or any other written or printed materials pertaining to this task order. No information shall be released by the contractor. Any request for information relating to this task order presented to the contractor shall be submitted to the CO for response. 
Press releases, marketing material or any other printed or electronic documentation related to this project, shall not be publicized without the written approval of the CO.
- Web Link
-
FBO.gov Permalink
(https://www.fbo.gov/spg/VA/VAAAC/VAAAC/VA77717N0050/listing.html)
- Document(s)
- Attachment
- File Name: VA777-17-N-0050 VA777-17-N-0050_1.docx (https://www.vendorportal.ecms.va.gov/FBODocumentServer/DocumentServer.aspx?DocumentId=3381111&FileName=VA777-17-N-0050-002.docx)
- Link: https://www.vendorportal.ecms.va.gov/FBODocumentServer/DocumentServer.aspx?DocumentId=3381111&FileName=VA777-17-N-0050-002.docx
- Note: If links are broken, refer to Point of Contact above or contact the FBO Help Desk at 877-472-3779.
- Record
- SN04453471-W 20170401/170330234949-8f41941267bb3f4149368d0a64dcf57e (fbodaily.com)