DOCUMENT
Q -- NETWORK ASSESSMENT - Attachment
- Notice Date
- 8/7/2017
- Notice Type
- Attachment
- NAICS
- 541511
— Custom Computer Programming Services
- Contracting Office
- Department of Veterans Affairs;W.J.B. Dorn VA Medical Center;6439 Garners Ferry Road;Columbia SC 29209-1639
- ZIP Code
- 29209-1639
- Solicitation Number
- VA24717Q0924
- Archive Date
- 10/6/2017
- Point of Contact
- JOSEPH LOCKE
- E-Mail Address
- joseph.locke@va.gov
- Small Business Set-Aside
- N/A
- Description
- The Dorn VA Medical Center, 6439 Garners Ferry Road, Columbia, SC 29209 intends to purchase a Unify/Atos OpenScape brand-name proprietary network assessment that is required before the Atos/Unify OpenScape Branch telephone system can be installed to replace the existing Unify 3000 PBX (a private telephone network used within an enterprise) currently installed at the Dorn VAMC and its associated CBOCs located in Florence, SC, Sumter, SC and Anderson, SC. The requirement is for the network to be evaluated for jitter and overall QoS. The total estimated price of this proposed action is $12,059.62, with no options. Interested persons may identify their interest and capability to respond to the requirement or submit proposals. This notice of intent is not a request for competitive proposals or a solicitation for offers. However, parties interested in responding to this notice shall submit technical data, including cost, sufficient to determine capability in providing the same product to Joseph M. Locke, Contract Specialist, at joseph.locke@va.gov, phone 803-776-4000, Ext. 7814, by August 11, 2017, no later than 2pm EST. All capability statements received by the closing date of this synopsis will be considered by the Government. Information received will normally be considered solely for determining whether to conduct a competitive procurement. This acquisition is being conducted under FAR Part 12 commercial procedures. There are no set-aside restrictions for this requirement. The intended procurement will be classified under North American Industry Classification System (NAICS) 541511, Custom Computer Programming Services. This is for informational purposes only and is not to be considered a commitment by the Government. Any information submitted in response to this notice of intent is voluntary.
STATEMENT OF WORK: Network Assessment

GENERAL: The WJB Dorn VA Medical Center requires a top-down assessment of its network to determine whether its performance characteristics are suitable to support planned Voice over IP (VoIP) project(s).

2. DESCRIPTION OF WORK:
2.1 The Contractor shall conduct a current-state (as-is) on-site analysis that identifies potential problem areas and includes the specific action steps necessary to mitigate or eliminate those problems.
2.2 The Contractor shall utilize state-of-the-art technologies to simulate voice traffic and perform comprehensive measurements that indicate the effect of the coexistence of that voice traffic with the traffic regularly traversing the network.
2.3 The analysis shall begin with an in-depth review of the network to be evaluated. One or more Consultants shall travel to each site, study the network and perform the analysis described above. The analysis shall conclude with a detailed written report of the findings, a conference call to review the findings, and a report detailing the specific action steps required to remedy the problem areas identified in the assessment.
2.4 Primary data collection and analysis will be performed at the following sites: remote assessments to include the Anderson CBOC, Sumter CBOC and Florence CBOC.
2.5 The C&A requirements do not apply, and a Security Accreditation Package is not required.

PLACE OF PERFORMANCE: VA - Columbia will require the following sites to be re-assessed:
Community Based Outpatient Center, 3030 North Highway 81, Anderson, SC 29621
Community Based Outpatient Center, 407 North Salem Avenue, Sumter, SC 29150
Community Based Outpatient Center, 1822 Sally Hill Farms Road, Florence, SC 29501

PERIOD OF PERFORMANCE: 30 days after date of award.

HOURS OF PERFORMANCE: Monday through Friday, 8:00 a.m. to 4:00 p.m., excluding holidays.
5.2 GOVERNMENT HOLIDAYS: The ten holidays observed by the Federal Government are: New Year's Day, Martin Luther King's Birthday, Presidents' Day, Memorial Day, Independence Day, Labor Day, Columbus Day, Veterans Day, Thanksgiving, Christmas, and any other day specifically declared by the President of the United States to be a national holiday.

6. SPECIFIC TASKS:
6.1 Remote Assessment:
6.1.1 In some circumstances, the VAMC/CBOCs may be eligible for a remote assessment. The primary advantages of doing so include reduced costs (saving travel expenses) and increased flexibility. Remote assessments require that the VAMC/CBOCs grant the contractor remote access to their network.
[X] YES: VA - Columbia would like to discuss the option of a remote assessment. Note that remote assessment eligibility requires approval of the Network Integration Services Practice Manager.
[ ] NO: An on-site assessment is a better option in this environment.
6.2 Process:
6.3 Scope of Services:
- Gather existing data network documentation and review it with the VA - Columbia technical contact for accuracy and completeness.
- Review key network device configurations as well as the Wide Area Network (WAN), where applicable.
- Gather existing voice network documentation and review it with the VA - Columbia technical contact for accuracy and completeness. The voice network review will be limited to the information required for the planned converged network.
- Review the network router and/or switch configurations and associated network connectivity for each device that is in the voice critical path.
- Identify and document single points of failure in the voice critical path in the LAN and/or WAN in the links connecting the sites identified in the site table above.
- Perform a traffic utilization analysis on the VoIP voice path segments using state-of-the-art diagnostic tools.
- Perform further evaluation of any potential network bottlenecks and traffic patterns.
- Perform RTP traffic load testing across the network utilizing customer-provided call patterns.
- Develop and document recommended configuration changes to be implemented as a result of the findings of this Readiness Assessment.
6.4 Services Not In Scope (additional fees may apply):
- Modifications to network infrastructure electronics, including switches and routers.
- Design and/or implementation of Quality of Service (QoS) or other traffic prioritization strategies.
6.5 Deliverables:
6.5.1 The Contractor shall conduct a follow-up conference call in which they detail the results of the analysis. Written documentation, in electronic format, will be provided prior to that meeting. This documentation is considered work-for-hire and becomes the property of VA - Columbia effective upon receipt of payment for these services.
6.5.2 Deliverables include:
- An updated network topology map of the key LAN and/or WAN network components that are along the voice path. Connections to remote sites are shown on the drawings, but details at the core sites are limited to the information collected or provided during the on-site assessment. This assessment report will be provided in PDF format and delivered electronically before the debrief session.
- Identification of any single points of failure along the voice path of the existing network.
- Network Traffic Analysis reports for all analyzed LAN and/or WAN segments.
- Recommended network design enhancements, which may include one or more of the following: network equipment upgrade recommendations; network software and configuration recommendations; network bandwidth expansion recommendations.
6.6 Network Performance Requirements: This section is to be used as a general guideline only, to provide information as to the minimum performance characteristics the network must demonstrate in order to support basic VoIP traffic. More information can be found in the VoIP Customer Requirements Guide.
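As an added worked example (it is not part of the solicitation and not any vendor's assessment tooling), the following Python computes the three figures the 6.6 guideline grades a voice-path segment on, end-to-end latency, peak jitter and packet loss, from an RTP probe capture and checks them against the 6.6 limits. It assumes G.711 at an 8 kHz RTP clock with 20 ms packets, synchronised sender and receiver clocks for one-way latency, in-order delivery, and treats the whole capture as standing in for the SOW's five-minute loss window; both captures in it are constructed, not measured. Jitter is the RFC 3550 section 6.4.1 interarrival estimator, with "peak" taken as the highest value the estimator reaches; the SOW does not say how its peak figure is to be measured, so that is a choice made here.

```python
"""Added example, not part of the solicitation: grade an RTP probe capture
against the SOW 6.6 guideline figures for latency, peak jitter and loss.

Assumptions (mine, not the page's): G.711 at an 8 kHz RTP clock with 20 ms
packets, sender/receiver clocks synchronised (needed for one-way latency),
in-order delivery, and the whole capture standing in for the SOW's five-minute
loss window. Both captures below are constructed, not measured."""
from dataclasses import dataclass
from statistics import mean

# Limits copied from the SOW section 6.6 guideline.
LIMITS = {
    "lan": {"latency_ms": 10.0, "peak_jitter_ms": 10.0},
    "wan": {"latency_ms": 100.0, "peak_jitter_ms": 30.0},
}
LOSS_LIMIT_PCT = 1.0            # packet loss less than 1% peak over 5 minutes
TOTAL_LATENCY_LIMIT_MS = 250.0  # total end-to-end latency < 250 ms


@dataclass(frozen=True)
class RtpPacket:
    seq: int        # 16-bit RTP sequence number as carried on the wire
    ts: int         # 32-bit RTP timestamp in sample-clock ticks
    send_ms: float  # sender wall clock when the packet left (probe-supplied)
    recv_ms: float  # receiver wall clock at arrival


def extend_sequence(seqs):
    """Unwrap 16-bit sequence numbers (RFC 3550 A.1, simplified): a backwards
    jump of more than half the space is a wrap; a forward jump is loss."""
    cycles, prev, out = 0, None, []
    for s in seqs:
        if prev is not None and s < prev and prev - s > 0x8000:
            cycles += 1 << 16
        out.append(cycles + s)
        prev = s
    return out


def loss_pct(packets):
    """Packets expected over the extended sequence span minus packets seen."""
    ext = extend_sequence([p.seq for p in packets])
    expected = ext[-1] - ext[0] + 1
    return 100.0 * (expected - len(packets)) / expected


def jitter_stats(packets, clock_hz=8000):
    """RFC 3550 6.4.1 interarrival jitter: D = (Rj - Ri) - (Sj - Si), with S
    taken from the RTP timestamps, and J += (|D| - J) / 16. Returns the final
    estimate, the peak the estimate reached, and the largest single |D|."""
    j = peak = max_d = 0.0
    prev = None
    for p in packets:
        if prev is not None:
            ts_delta_ms = ((p.ts - prev.ts) & 0xFFFFFFFF) * 1000.0 / clock_hz
            d = abs((p.recv_ms - prev.recv_ms) - ts_delta_ms)
            max_d = max(max_d, d)
            j += (d - j) / 16.0
            peak = max(peak, j)
        prev = p
    return {"jitter_ms": j, "peak_jitter_ms": peak, "max_delta_ms": max_d}


def assess(packets, segment, clock_hz=8000):
    """Grade one LAN or WAN voice-path segment. Returns (metrics, failed checks)."""
    lim = LIMITS[segment]
    one_way = [p.recv_ms - p.send_ms for p in packets]
    m = {"mean_latency_ms": mean(one_way), "max_latency_ms": max(one_way),
         "loss_pct": loss_pct(packets), **jitter_stats(packets, clock_hz)}
    checks = [
        ("latency", m["mean_latency_ms"] < lim["latency_ms"]),
        ("total_latency", m["max_latency_ms"] < TOTAL_LATENCY_LIMIT_MS),
        ("jitter", m["peak_jitter_ms"] < lim["peak_jitter_ms"]),
        ("loss", m["loss_pct"] < LOSS_LIMIT_PCT),
    ]
    return m, [name for name, ok in checks if not ok]


def constructed_capture(wobble, drop, n=200, start_seq=65500, ptime_ms=20,
                        clock_hz=8000, base_delay_ms=42.0):
    """Synthetic in-order stream. Sequence numbers start near 65535 so the
    wrap is exercised; `wobble` is a repeating per-packet delay pattern (ms)
    and `drop` the unwrapped sequence numbers that never arrive."""
    pkts = []
    for i in range(n):
        if start_seq + i in drop:
            continue
        send = float(i * ptime_ms)
        pkts.append(RtpPacket(seq=(start_seq + i) & 0xFFFF,
                              ts=(i * ptime_ms * clock_hz // 1000) & 0xFFFFFFFF,
                              send_ms=send,
                              recv_ms=send + base_delay_ms + wobble[i % len(wobble)]))
    return pkts


# Constructed data: a quiet path (small delay variation, 1 of 200 packets lost)
# and a troubled WAN path (40 ms delay swings, 3 of 200 packets lost).
QUIET = constructed_capture(wobble=(0.0, 1.5, -1.0, 3.0, 0.5), drop={65510})
NOISY = constructed_capture(wobble=(0.0, 40.0), drop={65510, 65600, 65650})

if __name__ == "__main__":
    for label, cap, seg in (("quiet path graded as WAN", QUIET, "wan"),
                            ("quiet path graded as LAN", QUIET, "lan"),
                            ("noisy path graded as WAN", NOISY, "wan")):
        metrics, failed = assess(cap, seg)
        print(label, {k: round(v, 2) for k, v in metrics.items()},
              "FAIL: " + ", ".join(failed) if failed else "PASS")
```

Run as a script, it grades the quiet capture as passing on the WAN limits but failing on the LAN latency limit (its 42 ms one-way delay is well over the 10 ms LAN figure), and the noisy capture as failing on both jitter and loss. The same capture therefore has to be graded against the limit for the segment it was taken on, which is why assess() takes the segment as an argument. The sequence numbers deliberately start at 65500 so that the 16-bit wrap falls inside the capture; a loss counter that subtracts raw sequence numbers would report a huge negative gap there instead of one lost packet.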
Broadcast traffic:
- Minimize broadcast domains (suggested 100 devices if possible)
- Broadcast/multicast traffic < 10%
Latency:
- End-to-end LAN/MAN latency < 10 ms
- End-to-end WAN latency < 100 ms
- Total end-to-end latency < 250 ms
Jitter:
- End-to-end WAN jitter < 30 ms peak
- End-to-end LAN jitter < 10 ms peak
Loss:
- Packet loss < 1% peak over a 5 minute period
Bandwidth:
- Frame Relay: minimum 256KB CIR
- Peak link usage on the LAN trunks < 75%
- Peak link usage on the WAN < 75%
- All switches should be manageable

7. GOVERNMENT RESPONSIBILITIES:
7.1 Contract Administration/Performance Monitoring: After award of contract, all inquiries and correspondence relative to the administration of the contract shall be addressed to:
7.2. CO/CS RESPONSIBILITIES: The Contracting Officer is the only person authorized to approve changes or modify any of the requirements of this contract. The Contractor shall communicate with the Contracting Officer on all matters pertaining to contract administration. Only the Contracting Officer is authorized to make commitments or issue any modification, including (but not limited to) terms affecting price, quantity or quality of performance of this contract.
7.2.1. The Contracting Officer shall resolve complaints concerning Contractor relations with Government employees or patients. The Contracting Officer is the final authority on validating complaints. In the event the Contractor effects any such change at the direction of any person other than the Contracting Officer without authority, no adjustment shall be made in the contract price to cover an increase in costs incurred as a result thereof.
7.2.2.
In the event that contracted services do not meet quality and/or safety expectations, the best remedy will be implemented, to include but not be limited to: a targeted and time-limited performance improvement plan; increased monitoring of the contracted services; consultation or training for Contractor personnel, to be provided by the VA; replacement of the contract personnel; and/or renegotiation of the contract terms or termination of the contract.
7.3 VA - Columbia shall prepare the site and provide the contractor with the information described below. Network diagrams and configuration information shall be provided at least 10 days prior to the scheduled engagement to allow the contractor enough time to study the network and prepare for the assessment.
7.4 VA - Columbia agrees to:
7.4.1 Provide the contractor with a full network diagram of all switches and routers that will transport VoIP traffic. This information must be provided at least one week prior to the scheduled on-site activities and must include:
- Routers and switches in the voice path, including all port IDs
- Data circuits, indicating type and speed (with CIR if applicable)
- LAN wiring information: media type and cable grade
7.4.2 Provide the contractor with SNMP read-only access to all voice-path networking equipment at all locations within the scope of this assessment.
7.4.3 Provide the contractor with complete router and switch configurations, including:
- Router and switch configuration information
- SNMP read community strings for the voice-path networking equipment
- IP addresses for each router and switch (loopback interface when available)
- Software (IOS) versions
7.4.4 Provide on-site technical resources who are knowledgeable about the network, have full access to all locations where online network electronics are housed, and can support other miscellaneous activities.
7.4.5 Complete the VoIP Customer Requirements ver 2.0 (or later) at least one week prior to the on-site visit.
7.4.6 Install endpoints for testing RTP traffic flows. Endpoints must be installed at each remote location or on each LAN segment and remain running throughout the duration of the analysis. Complete instructions for endpoint installation and configuration will be provided in a separate document. Minimum configuration for the endpoint PCs: VA is responsible for providing an appropriate laptop/PC with software that meets the vendor's specification for the assessment.
7.4.7 Provide the contractor with the endpoint IP addresses.
7.4.8 Place endpoints on the appropriate VLAN if you intend to run voice traffic on a separate VLAN (recommended).
7.4.9 Enable RTP header compression, if applicable.
7.4.10 Implement QoS/DiffServ or other traffic prioritization technologies prior to the assessment, if applicable.
7.4.11 Provide the contractor with three (3) IP addresses for each site that the Consultant(s) will visit in person.
7.4.12 Provide the contractor with three (3) switch ports in a secure area to install network monitoring devices at each site that the Consultant(s) will visit in person.
7.4.13 Provide real or estimated call traffic requirements between each site, in each direction:
- Number of site-to-site calls at each peak hour
- Average duration of site-to-site calls

DESTRUCTION OF GOVERNMENT PROPERTY: Subject to the terms of the contract and the circumstances surrounding the particular case, the contractor may be liable for shortages, loss, damage, or destruction of Government property. The contractor may also be liable when the use or consumption of Government property unreasonably exceeds the allowances provided for by the task order, the bill of material or other appropriate criteria. The contractor shall investigate and report to management at the VA Medical Center all cases of loss, damage or destruction of Government property in its possession or control as soon as the facts become known or when requested by the property administrator at the VA Medical Center.
A report shall also be furnished when completed and accepted products or end items are lost, damaged, or destroyed while in the contractor's possession or control. The contractor shall require any of its subcontractors possessing or controlling Government property accountable under the contract to investigate and report all instances of loss, damage, or destruction of such property.

INVOICES:
9.1 Payment will be made upon receipt of a properly prepared, detailed invoice, prepared by the Contractor and submitted through Tungsten Network (formerly known as OB10), http://www.tungsten-network.com/us/en/. A properly prepared invoice shall contain:
- Invoice number and date
- Contractor's name and address
- Accurate purchase order number
- Supply or service provided
- Period the supply or service was provided
- Total amount due
9.1.2 Please begin submitting your electronic invoices through the Tungsten Network for payment processing, free of charge.
9.1.3 If you have questions about the e-invoicing program or Tungsten Network, contact information is as follows:
Tungsten e-Invoice setup information: 1-877-489-6135
Tungsten e-Invoice email: VA.Registration@Tungsten-Network.com
FSC e-Invoice contact information: 1-877-353-9791
FSC e-Invoice email: vafsccshd@va.gov
9.1.4 Web address: HTTP://WWW.FSC.VA.GOV/EINVOICE.ASP
9.2 Performance Deductions: If the contractor fails to meet the Acceptable Quality Level on any performance measure that references a deduction as a disincentive, the following method for calculating and applying the deduction shall be employed:
9.3 Method of calculation: The COR will prepare a contract discrepancy report (CDR) and will notify the CO in the event the contractor failed to report to work. The CO will provide the contractor with the CDR and documentation (as appropriate) supporting the Government's intent to apply the deduction in the following manner: hourly rate of the VA provider who covered the shift times the number of hours in the shift.
The contractor has thirty (30) days to respond if the contractor wishes to provide evidence that the Government's action or inaction prevented the Contractor from providing services. The Contracting Officer shall make the final determination regarding the deduction after reviewing the contractor's response.

MONITORING: Documentation of services performed shall be reviewed prior to certifying payment. The COR will perform periodic spot checks and document them with the using service to ensure reports are monitored. The VAMC will pay only for services actually performed and in strict accordance with the schedule of prices/costs. Contract monitoring and record-keeping procedures shall be sufficient to ensure proper payment and to allow audit verification that services were provided.

11. QUALITY ASSURANCE SURVEILLANCE PLAN (QASP):
Columns: Performance Objective | Performance Standard | Ref PWS | Method of Assessment | Incentive/Disincentive for Meeting or Not Meeting the Performance Standard
(1) Performance Objective: Coordinate with the site to ensure the laptop is in place
    Performance Standard: Successful VPN dial-in
    Ref PWS: Par 2
    Method of Assessment: Remote dial-in
    Disincentive: 5% of the total invoice amount shall be deducted when the performance standard is missed.
(2) Performance Objective: Dial into the laptops installed at the remote locations
    Performance Standard: Successful diagnostic and data capture
    Ref PWS: Par 3
    Method of Assessment: Coordination with the Cisco NW technician at VAMC Columbia
    Disincentive: 5% of the total invoice amount shall be deducted when the performance standard is missed.
(3) Performance Objective: Perform the diagnostics for the designated place once the laptops have been installed; provide statistics for each aspect of the network, i.e. phone, data
    Performance Standard: Written notification received within 5 days of the completed network scan
    Ref PWS: Par 3
    Method of Assessment: Notification received on time
    Disincentive: 5% of the total invoice amount shall be deducted when the performance standard is missed.

TERMINATION FOR CONVENIENCE: Subject to a 14 day advance notice, the Government reserves the right to terminate this contract for convenience if the need for this service changes or is no longer required.
VA INFORMATION AND INFORMATION SYSTEM SECURITY/PRIVACY LANGUAGE: Contractor Security Requirements (Handbook 6500.6)
All Contractors and Contractor personnel shall be subject to the same Federal laws, regulations, standards and VA policies as VA and VA personnel regarding information and information system security. The Contractor must follow the policies and procedures outlined in VA Directive 6500, Information Security Program, and its handbooks to ensure appropriate security controls are in place.
http://www.iprm.oit.va.gov/docs/VA_Handbook_6500_6_Contract_Security_030210_Final.pdf

14. ACCESS TO VA INFORMATION AND VA INFORMATION SYSTEMS:
14.1. A contractor/subcontractor shall request logical (technical) or physical access to VA information and VA information systems for their employees, subcontractors, and affiliates only to the extent necessary to perform the services specified in the contract, agreement, or task order.
14.2. All contractors, subcontractors, and third-party servicers and associates working with VA information are subject to the same investigative requirements as those of VA appointees or employees who have access to the same types of information. The level and process of background security investigations for contractors must be in accordance with VA Directive and Handbook 0710, Personnel Suitability and Security Program. The Office for Operations, Security, and Preparedness is responsible for these policies and procedures.
14.3. Contract personnel who require access to national security programs must have a valid security clearance. The National Industrial Security Program (NISP) was established by Executive Order 12829 to ensure that cleared U.S. defense industry contract personnel safeguard the classified information in their possession while performing work on contracts, programs, bids, or research and development efforts. The Department of Veterans Affairs does not have a Memorandum of Agreement with the Defense Security Service (DSS).
Verification of a security clearance must be processed through the Special Security Officer located in the Planning and National Security Service within the Office of Operations, Security, and Preparedness.
14.4. Custom software development and outsourced operations must be located in the U.S. to the maximum extent practical. If such services are proposed to be performed abroad and are not disallowed by other VA policy or mandates, the contractor/subcontractor must state where all non-U.S. services are provided and detail a security plan, deemed acceptable by VA, specifically to address mitigation of the resulting problems of communication, control, data protection, and so forth. Location within the U.S. may be an evaluation factor.
14.5. The contractor or subcontractor must notify the Contracting Officer immediately when an employee working on a VA system or with access to VA information is reassigned or leaves the contractor's or subcontractor's employ. The Contracting Officer must also be notified immediately by the contractor or subcontractor prior to an unfriendly termination.

15. VA INFORMATION CUSTODIAL LANGUAGE:
15.1. Information made available to the contractor or subcontractor by VA for the performance or administration of this contract, or information developed by the contractor/subcontractor in performance or administration of the contract, shall be used only for those purposes and shall not be used in any other way without the prior written agreement of the VA.
15.2. VA information should not be co-mingled, if possible, with any other data on the contractor's/subcontractor's information systems or media storage systems, in order to ensure VA requirements related to data protection and media sanitization can be met. If co-mingling must be allowed to meet the requirements of the business need, the contractor must ensure that VA's information is returned to the VA or destroyed in accordance with VA's sanitization requirements.
VA reserves the right to conduct onsite inspections of contractor and subcontractor IT resources to ensure data security controls, separation of data and job duties, and destruction/media sanitization procedures are in compliance with VA directive requirements.
15.3. Prior to termination or completion of this contract, the contractor/subcontractor must not destroy information received from VA, or gathered/created by the contractor in the course of performing this contract, without prior written approval by the VA. Any data destruction done on behalf of VA by a contractor/subcontractor must be done in accordance with National Archives and Records Administration (NARA) requirements as outlined in VA Directive 6300, Records and Information Management, and its Handbook 6300.1, Records Management Procedures, applicable VA Records Control Schedules, and VA Handbook 6500.1, Electronic Media Sanitization. Self-certification by the contractor that the data destruction requirements above have been met must be sent to the VA Contracting Officer within 30 days of termination of the contract.
15.4. The contractor/subcontractor must receive, gather, store, back up, maintain, use, disclose and dispose of VA information only in compliance with the terms of the contract and applicable Federal and VA information confidentiality and security laws, regulations and policies. If Federal or VA information confidentiality and security laws, regulations and policies become applicable to the VA information or information systems after execution of the contract, or if NIST issues or updates applicable FIPS or Special Publications (SP) after execution of this contract, the parties agree to negotiate in good faith to implement the information confidentiality and security laws, regulations and policies in this contract.
15.5.
The contractor/subcontractor shall not make copies of VA patients' sensitive information except as authorized and necessary to perform the terms of the agreement or to preserve electronic information stored on contractor/subcontractor electronic storage media for restoration in case any electronic equipment or data used by the contractor/subcontractor needs to be restored to an operating state. If copies are made for restoration purposes, after the restoration is complete the copies must be appropriately destroyed.
15.6. If VA determines that the contractor has violated any of the information confidentiality, privacy, and security provisions of the contract, it shall be sufficient grounds for VA to withhold payment to the contractor or third party, or to terminate the contract for default or terminate for cause under Federal Acquisition Regulation (FAR) Part 12.
15.7. If a VHA contract is terminated for cause, the associated BAA must also be terminated and appropriate actions taken in accordance with VHA Handbook 1600.01, Business Associate Agreements. Absent an agreement to use or disclose protected health information, there is no business associate relationship.
15.8. The contractor/subcontractor must store, transport, or transmit VA sensitive information in an encrypted form, using VA-approved encryption tools that are, at a minimum, FIPS 140-2 validated.
15.9. The contractor's/subcontractor's firewall and Web services security controls, if applicable, shall meet or exceed VA's minimum requirements. VA Configuration Guidelines are available upon request.
15.10. Except for uses and disclosures of VA information authorized by this contract for performance of the contract, the contractor/subcontractor may use and disclose VA information only in two other situations: (i) in response to a qualifying order of a court of competent jurisdiction, or (ii) with VA's prior written approval.
The contractor/subcontractor must refer all requests for, demands for production of, or inquiries about VA information and information systems to the VA Contracting Officer for response.
15.11. Notwithstanding the provision above, the contractor/subcontractor shall not release VA records protected by Title 38 U.S.C. 5705, confidentiality of medical quality assurance records, and/or Title 38 U.S.C. 7332, confidentiality of certain health records pertaining to drug addiction, sickle cell anemia, alcoholism or alcohol abuse, or infection with human immunodeficiency virus. If the contractor/subcontractor is in receipt of a court order or other request for the above-mentioned information, that contractor/subcontractor shall immediately refer such court orders or other requests to the VA Contracting Officer for response.
15.12. For services that involve the storage, generating, transmitting, or exchanging of VA sensitive information but do not require C&A or an MOU-ISA for system interconnection, the contractor/subcontractor must complete a Contractor Security Control Assessment (CSCA) on a yearly basis and provide it to the COR.

16. LIQUIDATED DAMAGES FOR DATA BREACH:
16.1. Consistent with the requirements of 38 U.S.C. §5725, a contract may require access to sensitive personal information. If so, the contractor is liable to VA for liquidated damages in the event of a data breach or privacy incident involving any SPI the contractor/subcontractor processes or maintains under this contract.
16.2. The contractor/subcontractor shall provide notice to VA of a security incident as set forth in the Security Incident Investigation section above. Upon such notification, VA must secure from a non-Department entity or the VA Office of Inspector General an independent risk analysis of the data breach to determine the level of risk associated with the data breach for the potential misuse of any sensitive personal information involved in the data breach.
The term 'data breach' means the loss, theft, or other unauthorized access, or any access other than that incidental to the scope of employment, to data containing sensitive personal information, in electronic or printed form, that results in the potential compromise of the confidentiality or integrity of the data. The Contractor shall fully cooperate with the entity performing the risk analysis. Failure to cooperate may be deemed a material breach and grounds for contract termination.
16.3. Each risk analysis shall address all relevant information concerning the data breach, including the following:
- Nature of the event (loss, theft, unauthorized access);
- Description of the event, including: date of occurrence; data elements involved, including any PII, such as full name, social security number, date of birth, home address, account number, disability code;
- Number of individuals affected or potentially affected;
- Names of individuals or groups affected or potentially affected;
- Ease of logical data access to the lost, stolen or improperly accessed data in light of the degree of protection for the data, e.g., unencrypted, plain text;
- Amount of time the data has been out of VA control;
- The likelihood that the sensitive personal information will be or has been compromised (made accessible to and usable by unauthorized persons);
- Known misuses of data containing sensitive personal information, if any;
- Assessment of the potential harm to the affected individuals;
- Data breach analysis as outlined in Handbook 6500.2, Management of Security and Privacy Incidents, as appropriate; and
- Whether credit protection services may assist record subjects in avoiding or mitigating the results of identity theft based on the sensitive personal information that may have been compromised.
16.4.
Based on the determinations of the independent risk analysis, the contractor shall be responsible for paying to the VA liquidated damages in the amount of $37.50 per affected individual to cover the cost of providing credit protection services to affected individuals, consisting of the following:
16.4.1
- Notification;
- One year of credit monitoring services consisting of automatic daily monitoring of at least 3 relevant credit bureau reports;
- Data breach analysis;
- Fraud resolution services, including writing dispute letters, initiating fraud alerts and credit freezes, to assist affected individuals to bring matters to resolution;
- One year of identity theft insurance with $20,000.00 coverage at $0 deductible; and
16.4.2 Necessary legal expenses the subjects of an SPI data breach may incur to repair falsified or damaged credit are not included in the liquidated damages amount and will be handled as actual damages, which the contractor should anticipate as among the costs of doing business and should consider in developing its cost estimates.

17. SECURITY CONTROLS COMPLIANCE TESTING: On a periodic basis, VA, including the Office of Inspector General, reserves the right to evaluate any or all of the security controls and privacy practices implemented by the contractor under the clauses contained within the contract. With 10 working days' notice, at the request of the Government, the contractor must fully cooperate and assist in a Government-sponsored security controls assessment at each location wherein VA information is processed or stored, or information systems are developed, operated, maintained, or used on behalf of VA, including those initiated by the Office of Inspector General. The Government may conduct a security control assessment on shorter notice (to include unannounced assessments) as determined by VA in the event of a security incident or at any other time.
18.
SECURE FAX: This fax is intended only for the use of the person or office to which it is addressed and may contain information that is privileged, confidential, or protected by law. All others are hereby notified that the receipt of this fax does not waive any applicable privilege or exemption for disclosure and that any dissemination, distribution, or copying of this communication is prohibited. If you have received this fax in error, please notify this office immediately at the telephone number listed on the front page of the facsimile cover page.
19. BADGES: The Contractor is required to wear an I.D. badge during the entire time he/she is on VAMC grounds. I.D. badges MUST have an identification picture and shall be issued by the VAMC.
20. NO SMOKING POLICY: Except in designated areas, smoking is strictly prohibited.
21. DATA SECURITY - INFORMATION GATHERED OR CREATED IN PERFORMANCE OF SERVICES:
21.1. Information, including, but not limited to, veteran individually-identifiable information (III) and personal healthcare information (PHI), gathered or created by the Contractor in the performance of this contract is the exclusive property of VA and must be received, gathered, stored, backed up, maintained, used, disclosed and disposed of in accordance with the terms of this contract and applicable Federal and VA information confidentiality and security laws, regulations and policies, including VA Directive and Handbook 6500.
21.2. The Contractor shall provide access to VA information to employees, subcontractors, and affiliates only: (1) to the extent necessary to perform the services specified in this contract, (2) to perform necessary maintenance functions for electronic storage or transmission media necessary for performance of this contract, and (3) to individuals who first satisfy the same conditions, requirements and restrictions that comparable VA employees must meet in order to have access to the same VA information.
These restrictions include the same level of background investigations, where applicable. 21.3. ALL VA III AND PHI INFORMATION STORED ON BOTH VA AND NON-VA EQUIPMENT MUST BE ENCRYPTED IN ACCORDANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA). Federal standards established by U.S. Department of Commerce apply, including Federal Information Processing Standard 200 (FIPS200), and National Institute of Standards and Technology Special Publication 800-37, Guide for the Security, Certification and Accreditation. Contractors and subcontractors shall document compliance and make the document available upon request of the Contracting Officer or COR. Contractor and subcontractors shall allow physical inspection by VA personnel to assess its physical and environmental security controls. 21.4. Contractor and its subcontractors must ensure that VA III and PHI is secure at all times and will ensure proper security is used on contractor or subcontractor computers with VA III or PHI information is stored. To avoid risk of loss or theft, VA III and PHI shall NOT be transferred by contractor or its subcontractors to paper, diskettes, CDs, DVDs, USB flash drives, external computer drives, computer notebooks, home computers or any other medium, and shall NOT be removed from the contractor for subcontractor site under any circumstances without specific written authorization of the VA Information Security Officer. The authorized VA III or PHI recipient shall back up files to protect their loss. Back-ups shall be locked and secured. VA III and PHI shall NOT be transferred between contractor or subcontractor computer unless permission is granted by VA for such transfer of data and secure encrypted transmission methods approved by the VA Information Security Officer are utilized. Contractor employees shall be required to sign VA National Rules of Behavior before they can be authorized access to VA information systems. 21.5. 
The Contractor shall immediately (on the date of discovery of the incident) report any incident of theft, loss or comprise of VA sensitive information to the Contracting Officer, the Contracting Officer s Technical Representative and any other VA Official designated by the Contracting Officer. This report shall be in writing and contain the fullest explanation possible and all the details of the incident available to the contractor. VA must receive notice from the contractor on the date contractor discovers incident. Per review of VA Handbook 6500.6, Contract Security, Appendix A- Information Security and Privacy Checklist: (i) The C&A requirements do not apply and a Security Accreditation Package is not required. (ii) Vendor has a National Business Associate Agreement with Dept. of Veterans Affairs (iii) Acquisition of this service does not involve the storage, generating, transmitting, or exchanging of VA sensitive information to the vendor (iv) There may exist exposure to VA sensitive information, in particular to sensitive personal information (SPI) while implementing contractual services Per VA Maintenance/Installation(Warranty) Contracts (VAIQ 7068822) (v) Minimum Statutory Requirements a. Prohibition on unauthorized disclosure: Information made available to the contractor or subcontractor by VA for the performance or administration of this contract or information developed by the contractor/subcontractor in performance or administration of the contract shall be used only for those purposes and shall not be used in any other way without the prior written agreement of the VA. This clause expressly limits the contractor/subcontractor's rights to use data as described in Rights in Data - General, FAR 52.227-14(d) (1). See VA Handbook 6500.6, Appendix C, paragraph 3.a. b. 
Requirement for data breach notification: Upon discovery of any known or suspected security/privacy incidents, or any unauthorized disclosure of sensitive information, including that contained in system(s) to which the contractor/subcontractor has access, the contractor/subcontractor shall immediately and simultaneously notify the COTR, the designated ISO, and Privacy Officer for the contract. The term security incident means an event that has, or could have, resulted in unauthorized access to, loss or damage to VA assets, or sensitive information, or an action that breaches VA security procedures. See VA Handbook 6500.6, Appendix C, paragraph 6.a c. Requirement to pay liquidated damages in the event of a data breach: Consistent with the requirements of 38 U.S.C. §5725, a contract may require access to sensitive personal information. If so, the contractor is liable to VA for liquidated damages in the event of a data breach or privacy incident involving any SPI the contractor/subcontractor processes or maintains under this contract. The contractor/subcontractor shall provide notice to VA of a security incident as set forth in the Security Incident Investigation section above. Upon such notification, VA must secure from a non-Department entity or the VA Office of Inspector General an independent risk analysis of the data breach to determine the level of risk associated with the data breach for the potential misuse of any sensitive personal information involved in the data breach. The term 'data breach' means the loss, theft, or other unauthorized access, or any access other than that incidental to the scope of employment, to data containing sensitive personal information, in electronic or printed form, that results in the potential compromise of the confidentiality or integrity of the data. Contractor shall fully cooperate with the entity performing the risk analysis. Failure to cooperate may be deemed a material breach and grounds for contract termination. 
Each risk analysis shall address all relevant information concerning the data breach, including the following: (1) NATURE OF THE EVENT (LOSS, THEFT, UNAUTHORIZED ACCESS); (2) DESCRIPTION OF THE EVENT, INCLUDING: (A) DATE OF OCCURRENCE; (B) DATA ELEMENTS INVOLVED, INCLUDING ANY PII, SUCH AS FULL NAME, SOCIAL SECURITY NUMBER, DATE OF BIRTH, HOME ADDRESS, ACCOUNT NUMBER, DISABILITY CODE; (3) NUMBER OF INDIVIDUALS AFFECTED OR POTENTIALLY AFFECTED (4) NAMES OF INDIVIDUALS OR GROUPS AFFECTED OR POTENTIALLY AFFECTED; (5) EASE OF LOGICAL DATA ACCESS TO THE LOST, STOLEN OR IMPROPERLY ACCESSED DATA IN LIGHT OF THE DEGREE OF PROTECTION FOR THE DATA, E.G., UNENCRYPTED, PLAIN TEXT; (6) AMOUNT OF TIME THE DATA HAS BEEN OUT OF VA CONTROL; (7) THE LIKELIHOOD THAT THE SENSITIVE PERSONAL INFORMATION WILL OR HAS BEEN COMPROMISED (MADE ACCESSIBLE TO AND USABLE BY UNAUTHORIZED PERSONS); (8) KNOWN MISUSES OF DATA CONTAINING SENSITIVE PERSONAL INFORMATION, IF ANY; (9) ASSESSMENT OF THE POTENTIAL HARM TO THE AFFECTED INDIVIDUALS; (10) DATA BREACH ANALYSIS AS OUTLINED IN 6500.2 HANDBOOK, MANAGEMENT OF SECURITY AND PRIVACY INCIDENTS, AS APPROPRIATE; AND (11) WHETHER CREDIT PROTECTION SERVICES MAY ASSIST RECORD SUBJECTS IN AVOIDING OR MITIGATING THE RESULTS OF IDENTITY THEFT BASED ON THE SENSITIVE PERSONAL INFORMATION THAT MAY HAVE BEEN COMPROMISED. 
Based on the determinations of the independent risk analysis, the contractor shall be responsible for paying to the VA liquidated damages in the amount of $37.50 per affected individual to cover the cost of providing credit protection services to affected individuals consisting of the following: (1) NOTIFICATION; (2) ONE YEAR OF CREDIT MONITORING SERVICES CONSISTING OF AUTOMATIC DAILY MONITORING OF AT LEAST 3 RELEVANT CREDIT BUREAU REPORTS; (3) DATA BREACH ANALYSIS; (4) FRAUD RESOLUTION SERVICES, INCLUDING WRITING DISPUTE LETTERS, INITIATING FRAUD ALERTS AND CREDIT FREEZES, TO ASSIST AFFECTED INDIVIDUALS TO BRING MATTERS TO RESOLUTION; (5) ONE YEAR OF IDENTITY THEFT INSURANCE WITH $20,000.00 COVERAGE AT $0 DEDUCTIBLE; AND (6) NECESSARY LEGAL EXPENSES THE SUBJECTS MAY INCUR TO REPAIR FALSIFIED OR DAMAGED CREDIT RECORDS, HISTORIES, OR FINANCIAL AFFAIRS (See VA Handbook 6500.6, Appendix C, paragraph 7.a, 7.d) d. Requirement for annual security/privacy awareness training: Before being granted access to VA information or information systems, all contractor employees and subcontractor employees requiring such access shall complete on an annual basis either: (i) the VA security/privacy awareness training (contains VA s security/privacy requirements) within one week of the initiation of the contract, or (ii) security awareness training provided or arranged by the contractor that conforms to VA s security/privacy requirements as delineated in the hard copy of the VA security awareness training provided to the contractor. If the contractor provides their own training that conforms to VA s requirements, the will provide the COTR or CO, a yearly report (due annually on the date of the contract initiation) stating that all applicable employees involved in VA s contract have received their annual security/privacy training that meets VA s requirements and the total number of employees trained. See VA Handbook 6500.6, Appendix C, paragraph 9. 
Requirement to sign VA s Rules of Behavior: Before being granted access to VA information or information systems, all contractor employee and subcontractor employees requiring such access shall sign on an annual basis an acknowledgement that they have read, understand, and agree to abide by VA s Contractor Rules of Behavior which is attached to this contract. See VA Handbook 6500.6, Appendix C, paragraph 9, Appendix D. Note: If a medical device vendor anticipates that the services under the contract will be performed by 10 or more individuals, the Contractor Rules of Behavior may be signed by the vendor s designated representative. The contract must reflect by signing the Rules of Behavior on behalf of the vendor that the designated representative agrees to ensure that all such individuals review and understand the Contractor Rules of Behavior when accessing VA s information and/or information systems. 22. HHS/OIG: To ensure that the individuals providing services under this contract have not engaged in fraud or abuse regarding Sections 1128 and 1128A of the Social Security Act regarding federal health care programs, the contractor is required to check the Health and Human Service Office of Inspector General, List of excluded individuals/entities on the OIG Website (www.hhs.gov/oig) for each person providing services under this contract. Further the contractor is required to certify in its proposal that all persons listed in the contractor s proposal have been compared against the OIG list and are not listed. During the performance of this contract the Contractor is prohibited from using any individual or business listed on the List of Excluded Individuals/Entities. 23. HIPPA COMPLIANCE: The Contractor must adhere to the provisions of Public Law 104-191, Health Insurance Portability and Accountability Act (HIPAA) of 1996 and the National Standards to Protect the Privacy and Security of Protected Health Information (PHI). 
A business associate agreement is not required in this case. 24. LIABILITY: VA beneficiaries shall not under any circumstances be charged nor their insurance companies charged for services rendered by the contractor even if VA does not pay for those services. This provision shall survive the termination or ending of the contract. 25. MEDICAL RECORDS: Contractor shall provide health care to patients seeking such care from or through VA. As such, contractor is considered part of the Department health activity for purposes of the following statues and the VA regulations implementing these statues: the Privacy Act, 5.U.S.C. § 552a, and 38 U.S.C. §s 5701, 7705 and 7332. Contractor and its employees may have access to VA patient medical records to the extent necessary for the contract or to perform this contract. Notwithstanding any other provision of this contract, contractor and its employees may disclose patient treatment records only pursuant to explicit disclosure authority from VA. Contractor and its employees are subject to the penalties and liabilities provided statutes and regulations for unauthorized disclosures of such records and their contents. Records created by the contractor in the course of treating VA patients under this agreement are the property of the VA and shall not be accessed, released, transferred or destroyed except in accordance with applicable federal law and regulations. Upon the expiration of this contract or termination of the contract, the contractor will promptly provide the VA with the individually identified VA patient treatment records. 26. ACCESS AUTOMATED DATA PROCESSING FILES: In performance of official duties, the Contractor s employee(s) have regular access to printed and electronic files containing sensitive data, which must be protected under the provisions of the Privacy Act of 1974 (5 USC 552a), and other applicable laws, Federal Regulations, Veterans Affairs statutes and policies. 
The Contractor s employee(s) are responsible for (1) protecting that data from unauthorized release or from loss, alteration, or unauthorized deletion and (2) following all applicable regulations and instructions regarding access to computerized files, release of access codes, etc., as set out in a computer access agreement which the Contractor s employee(s) sign. 27. CONTRACT ADMINISTRATION DATA: The Contracting Officer is the only person authorized to approve changes or modify any of the requirements under this contract. The Contractor shall communicate with the Contracting Officer on all matters pertaining to contract administration. Only the Contracting Officer is authorized to make commitments or issue changes which will affect price, quantity, or quality of performance of this contract. In the event the Contractor effects any such change at the direction of any person other than the Contracting Officer, the change will be considered to have been made without authority and no adjustment will be made in the contract price to cover any increase in costs incurred as a result thereof. 28. DESIGNATION OF CONTRACTING OFFICER S REPRESENTATIVE (COR): A VA Medical Center representative of the Contracting Officer shall be designated to represent the Contracting Officer in furnishing technical guidance and advice regarding the work being performed under this task order. The foregoing is to be construed as authorization to interpret or furnish advice or information to the Contractor relative to the financial or legal aspects of the task order. Enforcement of these segments is vested and is the sole responsibility of the WJB Dorn Contracting Officer. 29. KEY PERSONNEL AND TEMPORARY EMERGENCY SUBSTITUTIONS: 29.1. The Contractor shall assign to this task order key personnel that will perform under this contract. 29.2. It is the responsibility of the contractor to ensure all vacancies are staffed within a 30-day time frame. 
The contractor shall provide a written quality control plan regarding staffing this requirement continuously throughout the life of this task order to include, personnel substitutions and temporary emergency substitutions. All contracted physicians performing under this task order must be credentialed by the Department of Veterans Affairs prior to performance. The credentialing will be verified by the COR and the WJB Dorn VAMC Credentialing Department. 30. SECURITY INCIDENT INVESTIGATION: 30.1. The term security incident means an event that has, or could have, resulted in unauthorized access to, loss or damage to VA assets, or sensitive information, or an action that breaches VA security procedures. The contractor/subcontractor shall immediately notify the COR and simultaneously, the designated ISO and Privacy Officer for the contract of any known or suspected security/privacy incidents, or any unauthorized disclosure of sensitive information, including that contained in system(s) to which the contractor/subcontractor has access. 30.2. To the extent known by the contractor/subcontractor, the contractor/subcontractor s notice to VA shall identify the information involved, the circumstances surrounding the incident (including to whom, how, when, and where the VA information or assets were placed at risk or compromised), and any other information that the contractor/subcontractor considers relevant. 30.3. With respect to unsecured protected health information, the business associate is deemed to have discovered a data breach when the business associate knew or should have known of a breach of such information. Upon discovery, the business associate must notify the covered entity of the breach. Notifications need to be made in accordance with the executed business associate agreement. 30.4. 
In instances of theft or break-in or other criminal activity, the contractor/subcontractor must concurrently report the incident to the appropriate law enforcement entity (or entities) of jurisdiction, including the VA OIG and Security and Law Enforcement. The contractor, its employees, and its subcontractors and their employees shall cooperate with VA and any law enforcement authority responsible for the investigation and prosecution of any possible criminal law violation(s) associated with any incident. The contractor/subcontractor shall cooperate with VA in any civil litigation to recover VA information, obtain monetary or other compensation from a third party for damages arising from any incident, or obtain injunctive relief against any third party arising from, or related to, the incident. 31. RECORDS MANAGEMENT LANGUAGE FOR CONTRACTS: The following standard items relate to records generated in executing the contract and should be included in a typical Electronic Information Systems (EIS) procurement contract: 31.1. Citations to pertinent laws, codes and regulations such as 44 U.S.C chapters 21, 29, 31 and 33; Freedom of Information Act (5 U.S.C. 552); Privacy Act (5 U.S.C. 552a); 36 CFR Part 1222 and Part 1228. 31.2. Contractor shall treat all deliverables under the contract as the property of the U.S. Government for which the Government Agency shall have unlimited rights to use, dispose of, or disclose such data contained therein as it determines to be in the public interest. 31.3. Contractor shall not create or maintain any records that are not specifically tied to or authorized by the contract using Government IT equipment and/or Government records. 31.4. Contractor shall not retain, use, sell, or disseminate copies of any deliverable that contains information covered by the Privacy Act of 1974 or that which is generally protected by the Freedom of Information Act. 31.5. 
Contractor shall not create or maintain any records containing any Government Agency records that are not specifically tied to or authorized by the contract. 31.6. The Government Agency owns the rights to all data/records produced as part of this contract. 31.7. The Government Agency owns the rights to all electronic information (electronic data, electronic information systems, electronic databases, etc.) and all supporting documentation created as part of this contract. Contractor must deliver sufficient technical documentation with all data deliverables to permit the agency to use the data. 31.8. Contractor agrees to comply with Federal and Agency records management policies, including those policies associated with the safeguarding of records covered by the Privacy Act of 1974. These policies include the preservation of all records created or received regardless of format [paper, electronic, etc.] or mode of transmission [e-mail, fax, etc.] or state of completion [draft, final, etc.]. 31.9. No disposition of documents will be allowed without the prior written consent of the Contracting Officer. The Agency and its contractors are responsible for preventing the alienation or unauthorized destruction of records, including all forms of mutilation. Willful and unlawful destruction, damage or alienation of Federal records is subject to the fines and penalties imposed by 18 U.S.C. 2701. Records may not be removed from the legal custody of the Agency or destroyed without regard to the provisions of the agency records schedules.
- Web Link
- FBO.gov Permalink (https://www.fbo.gov/spg/VA/CSCVAMC/WJBDDVAMC/VA24717Q0924/listing.html)
- Document(s)
- Attachment
- File Name: VA247-17-Q-0924 VA247-17-Q-0924.docx (https://www.vendorportal.ecms.va.gov/FBODocumentServer/DocumentServer.aspx?DocumentId=3715114&FileName=VA247-17-Q-0924-000.docx)
- Link: https://www.vendorportal.ecms.va.gov/FBODocumentServer/DocumentServer.aspx?DocumentId=3715114&FileName=VA247-17-Q-0924-000.docx
- Note: If links are broken, refer to Point of Contact above or contact the FBO Help Desk at 877-472-3779.
- Record
- SN04616116-W 20170809/170807231900-5bad2da26271ed01eaf29c6244280bae (fbodaily.com)
- Source
- FedBizOpps Link to This Notice (may not be valid after Archive Date)