A -- Interconnected Factors that Influence Health, Experiences and Needs (IF THEN) Survey of 10,000 vets - Attachment
- Notice Date
- 11/6/2017
- Notice Type
- Attachment
- NAICS
- 541611 (Administrative Management and General Management Consulting Services)
- Contracting Office
- US Department of Veterans Affairs;Veterans Health Administration;Service Area Office (SAO) East;323 North Shore Drive, Suite 500;Pittsburgh PA 15212-5319
- ZIP Code
- 15212-5319
- Solicitation Number
- 36C24E18Q0013
- Response Due
- 11/13/2017
- Archive Date
- 11/13/2017
- Point of Contact
- Elaine F DiBucci
- E-Mail Address
- elaine.dibucci@va.gov
- 822-3432
- Small Business Set-Aside
- N/A
- Description
- VA Office of Research and Development (ORD), Durham VA, has a requirement to purchase services in support of Interconnected Factors that Influence Health, Experiences and Needs. These services include conducting a nationally representative survey of 10,000 high-risk Veterans to capture social, behavioral, and health-related constructs unavailable in VA claims or EHR data. Collection of self-reported measures related to patient complexity and linking them to VA claims data can serve to identify risk factors that may improve prediction of hospital admission and identify risk factors that could improve patient selection for Patient Aligned Care Teams (PACT) High-Risk Roadmap interventions and specialized programs. A temporary authority to operate (TATO) or authority to operate (ATO) with the Department of Veterans Affairs will be necessary to complete this requirement. This requirement is detailed in the attached Statement of Work.

The purpose of this synopsis is to gain knowledge of potential qualified sources and their size classification (large business, small business, 8(a), SDVOSB, etc.), relative to NAICS code 541611. Responses to this synopsis will be used by the Government to make appropriate acquisition decisions. Based on responses to this synopsis, the Government may issue an RFQ on FBO or GSA.

Performance Period: Date of award, plus one year.
Type of Contract: Firm Fixed Price

This notice is not a request for competitive proposals; however, any responsible source who believes it is capable of meeting the requirement may submit a capability statement to the contracting office no later than Monday, November 13, 2017, 16:00 EST. Interest/capability statements may be sent to Elaine DiBucci at elaine.dibucci@va.gov and should include company name, address, point of contact, business size, and product information. No telephone responses will be accepted. This notice is to assist the Government in determining sources only.
A solicitation is not currently available. If a solicitation is issued, all interested parties must respond to that solicitation announcement separately from the responses to this announcement.

Department of Veterans Affairs
Office of Research & Development
Survey Administration and Management
Interconnected Factors that Influence Health, Experiences and Needs (IF-THEN Survey)
Statement of Work (SOW)

A. GENERAL INFORMATION

Title of Project: Interconnected Factors that Influence Health, Experiences and Needs (IF-THEN)

Background: We will conduct a nationally representative survey of 10,000 high-risk Veterans to capture social, behavioral, and health-related constructs unavailable in VA claims or EHR data. Collection of self-reported measures related to patient complexity and linking them to VA claims data can serve to identify risk factors that may improve prediction of hospital admission and identify risk factors that could improve patient selection for Patient Aligned Care Teams (PACT) High-Risk Roadmap interventions and specialized programs.

Authority to Operate: A temporary authority to operate (TATO) or authority to operate (ATO) with the Department of Veterans Affairs will be necessary. Authorities to operate and temporary authorities to operate are obtained and managed through the directions outlined in VA Handbook 6500.3: http://www1.va.gov/vapubs/viewPublication.asp?Pub_ID=733&FType=2.

Non-VA Personnel: Contractors, contractor personnel, subcontractors, and subcontractor personnel shall be subject to the same Federal laws, regulations, standards, and VA Directives and Handbooks as VA and VA personnel regarding information and information system security.

Scope of Work: The purpose of this SOW is to outline the tasks and responsibilities of the successful vendor to complete data collection. The Contractor will develop and maintain a survey tracking database for 10,000 Veterans, to reside on a FISMA 140-2 High compliant server.
The Contractor will conduct survey administration tasks, including:

5.1. Provide a project manager with survey collection experience for this data collection effort. The project manager will update the study team PI (Matthew Maciejewski) on the status of the project and provide quarterly updates on work progress via phone or email.

5.2. The vendor will be responsible for hiring and training all personnel needed to complete the tasks and will ensure all personnel have received training in data security, privacy, and the protection of the participants.

5.3. Develop a Survey Management System for tracking opt-outs, survey mailings and survey returns. Generate a draft survey 2-4 weeks prior to the initial mailing, to be reviewed by the Durham study team prior to mailing so that any necessary edits can be made. The vendor will review, prepare, proof, and print mail survey packets after feedback from the Durham study team.

5.4. Establish a toll-free number for Veterans to call who would like to opt out of the survey.

5.5. Mail 10,000 Pre-Notification/Opt-Out Postcards (card stock, color, merged with unique ID) that inform participants of the option to opt out and include the toll-free number to call to opt out. The postcard will also inform participants that the survey will be mailed to them if they do not opt out.

5.6. Receive and record respondent opt-out notifications in the Survey Management System to ensure participants who opted out are not mailed a survey.

5.7. Mail the 1st survey packet to Veterans who have not opted out, including:
  - Survey cover letter with VA logo (B/W)
  - 6-8 survey booklet (2-sided, color)
  - Windowed envelope
  - Postage-paid US Postal Service First Class mail return envelope (B/W)
  - Incentive (4 Forever Stamps)

5.8. Survey booklets will be in a scannable format, include a unique identifier for linking to the data file of 10,000 Veterans, and include a field for the patient to enter when he/she completed the survey.
Purchase participant incentives: 4 Forever stamps with a military theme for inclusion in each survey packet initially mailed to all Veterans who do not opt out.

5.9. Mail 2nd survey packets to Veterans who did not return the 1st survey packet, including:
  - Survey cover letter with VA logo (B/W)
  - 6-8 survey booklet (2-sided, color)
  - Windowed envelope (2-sided, color)
  - Postage-paid US Postal Service First Class mail return envelope (B/W)

5.10. Scan or double data-entry of returned surveys.

5.11. Within 2 weeks of the closure of the Wave 2 survey window, provide VA with a SAS dataset of the data file of 10,000 Veterans indicating date of opt-out if applicable, date of response to the Wave 1 survey if applicable, and date of response to the Wave 2 survey if applicable, to support comparison of survey respondents and non-respondents.

5.12. Document all data verification procedures (e.g., algorithms for handling ambiguous and/or conflicting responses).

5.13. Provide VA with a SAS dataset of all survey responses at the completion of the survey field period. For the subset of the 10,000 Veterans that did not opt out and were sent a survey, the dataset will include the following dates:
  - Date that the Wave 1 survey was mailed out
  - Date that the patient completed the Wave 1 survey (as indicated on the returned survey)
  - Date that the Wave 1 survey was entered/scanned
  - Date that the Wave 2 survey was mailed out to Wave 1 non-respondents
  - Date that the patient completed the Wave 2 survey (as indicated on the returned survey)
  - Date that the Wave 2 survey was entered/scanned

5.14. Maintain patient contact/tracking information and survey responses on a FISMA 140-2 High compliant server.

5.15. Deliver hard copies of returned surveys to VA by a trackable US Postal Service method.

Period of Performance: The period of performance (POP) shall be 12 months. Office of Management and Budget (OMB) approval has been obtained.
Type of Contract: Requirements

Payment Method: Send electronic invoicing through the Department of Veterans Affairs Financial Service Center, Austin, TX. Direct Deposit as set up through Austin; payment will be requested by the individual according to the schedule of their work completion, either bi-weekly or monthly.

Place of Performance: The Contractor shall support this effort at approved Contractor facilities as defined by the vendor's ATO/TATO and FISMA High certification.

B. GENERAL REQUIREMENTS

The contractor will present a plan for project organization and staffing that demonstrates a knowledge of effective organizational structure, management, and how best to utilize key and other personnel. The contractor will have the personnel, equipment, material, supplies, forms, and systems of computer programs to manage this study and process the data collected for this study, unless otherwise stated in a specific contract.

C. SPECIFIC MANDATORY TASKS AND ASSOCIATED DELIVERABLES

Task 1: Select Personnel

The contractor will designate personnel considered essential to the work being performed under this contract. If any essential personnel are to be removed from the contract, whether planned or unplanned, the contractor will notify the VA COR and submit written justification, including the names and curriculum vitae of proposed substitutions, in sufficient detail. This will occur within 30 days before departure of the personnel or as soon as possible if, for example, it is a result of the personnel ending employment with the contractor. The VA COR must concur with the diversion of personnel and approve the replacement. Also, the VA may modify the contract to add or delete key personnel at the request of the contractor. The contractor will designate a main contact for prompt administration during this contract.
Personnel working on this contract should have experience in areas including research involving survey sampling design; large-scale, nationwide health surveys; survey research involving Veterans; survey data collection, data entry/scanning and management; techniques for maximizing response rates; programming; statistical analysis; and report writing.

Deliverable 1: Notify VA with justifications and details of essential personnel
Deliverable 2: Designate an administrative contact

Task 2: Regular Communication/Meetings and Recording Decisions

The contractor and the VA study team will have an initial meeting within 2 weeks of the contract award to discuss and review the activities of the contract. Topics will include the overall project management plan and schedule. A draft agenda will be prepared by the contractor and approved by the VA study team 3 business days before the meeting. This meeting will be held in the Durham, NC metropolitan area or by telephone. The contractor must communicate weekly with the VA study team or its designees within VA offices in Durham, NC. At the discretion of the VA study team, the weekly communications will take place in person or over the telephone. The contractor will brief the VA study team and/or designees and survey research staff as to the status of the project, quality control findings, a description of any problems anticipated or encountered and their resolution or non-resolution, and milestones obtained or missed. During active data collection, the contractor will report the number and percent of responses and compare the progress in the current survey cycle with that of the previous cycle. The contractor will keep a written log of decisions made during the course of the study and provide the VA COR with an updated log of any new decisions made following the weekly meeting within 7 business days following each meeting.
After review of the written decision log, the VA COR will provide any necessary corrections to the decision log, which then will be revised.

Deliverable 3: Attend weekly meetings with the VA study team and keep minutes of discussions.

Task 3: Project Plan and Procedures

The contractor will develop an initial project plan that will describe the procedures to be used to locate and send questionnaires to the maximum number of study participants selected for the study. These procedures must include how the contractor will provide an accounting of all potential participants selected but who did not receive a mailed package. The project plan will include all of the following elements:
  - Procedures to be employed in the training of supervisors, database construction and entry staff, questionnaire mailing staff, and other staff necessary for the project;
  - Quality control measures to ensure that all aspects of contract work are accurate;
  - The databases to be used for the project.

Recommendations by the contractor for changes in the approved procedures will be submitted to the VA project staff. Any recommended changes will be incorporated into the project plans only with the written approval of the VA.

Deliverable 4: Develop a project plan and procedures within 1 month of contract award and update as necessary.

Task 4: Quality Assurance

The contractor will develop a quality control plan that covers all aspects of the work to be performed under this contract. The quality control plan will include the following:

The contractor will have a management system that identifies potential problems early, ensures high-quality data and adherence to schedules, controls project costs, and maintains close communication with the VA. Project operations will include frequent conversations concerning progress and challenges, meetings to discuss and resolve problems, and regular reporting between the contractor and the VA.
As mentioned previously, the contractor will provide training to supervisors, database construction and entry staff, survey mailing staff, and other staff necessary for the project. This training will include study procedures, problem identification, and protection of the rights of human subjects. All people who will collect or handle data must have a certificate in human subjects research protection and Health Insurance Portability and Accountability Act (HIPAA) training, obtained before beginning work on this study and renewed once each year. All contractor personnel will satisfy VA training requirements in privacy, information security, and any additional training related to research and information security as required.

The contractor will perform a visual edit of all questionnaire data (i.e., ensuring that a response recorded on the paper survey is formatted such that a value can be captured when scanned). All data that are entered manually will be subject to 100% verification (double-data entry). The contractor will conduct logic and range edit checks on all data, and correct all errors that are resolvable using available information.

A tracking system will be designed to identify the Veterans who have not been successfully contacted to complete a questionnaire, or who have not responded to a questionnaire and have not received a follow-up mailing, within a designated time. The contractor will develop and implement a data management system to track the status of any participants selected for the study at any time and at any point in the search, location, questionnaire, or record retrieval process. The contractor will submit raw questionnaire data to compare with final edited data. VA staff will make announced and unannounced visits to monitor contractor operations on-site.

Deliverable 5: Develop a quality control plan within 1 month of contract award and update as necessary.
Deliverable 6: Develop a data management system to track progress of mailings and to facilitate routine reporting

Task 5: Submit a Confidentiality Plan and Data Security Procedures

Storage and Access to Data

Participant responses from the completed mail survey will be scanned into separate, dated electronic databases on a weekly basis, and the VA Project Coordinator and/or VA designees will be notified when complete. Any partially completed questionnaires will be scanned and their responses will be entered into the database. The VA shall have electronic access to all databases. A cumulative file of all respondent records should be created and maintained by the contractor.

Data Security

The contractor will ensure the highest degree of security to protect personal and confidential data of Veterans from intentional or unintentional release, loss, or destruction. Prior to receipt of any data files from the VA, the contractor will submit a confidentiality plan and data security procedures for approval by the VA CO and revise it per the VA CO's instructions. Contractors, contractor personnel, subcontractors, and subcontractor personnel shall be subject to the same Federal laws, regulations, standards, and VA Directives and Handbooks as VA and VA personnel regarding information and information system security. The following conditions will be met:
  - A Contractor Security Control Assessment (CSCA) is completed within 30 days of contract approval and yearly on the renewal date of the contract.
  - Ensure that the CSCA is sent to the ISO and the OCS Certification Program Office for review to ensure that appropriate security controls are being implemented in service contracts.
  - A copy of the CSCA is maintained in the Security Management and Reporting Tool (SMART) database. The COTR will provide a copy of the completed CSCA to the ISO for uploading into the SMART database.
Data will be transferred, retained, utilized, and destroyed in accordance with VA and VHA policy, including the following: VA Handbook 5011/5, Chapter 4 (Alternative Workplace Arrangements); VA Directive and Handbook 6500, Information Security Program; VA Directive and Handbook 6502, Privacy Program; and VHA Directive 1605, VHA Handbook 1605.1 and 1605.2.

Deliverable 7: Submit a confidentiality plan and data security procedures.

Task 6: Submit a final dataset with data dictionary and documentation of all data verification procedures.

D. SCHEDULE OF DELIVERABLES

See Attachment A

E. INSPECTION AND ACCEPTANCE CRITERIA

Final inspection and acceptance of all work performed, reports and deliverables will occur at the place of delivery designated by the VA Project team. Final approval and acceptance of documentation required herein shall be by letter of approval and acceptance by the VA project team and/or COR. The Contractor shall not construe any letter of acknowledgment of receipt of material as a waiver of review, or as an acknowledgment that the material is in conformance with this SOW.

Performance requirements by task (columns: Task; Deliverable; Standard; Acceptable Quality Level; Method(s) of Surveillance):

- Task 1: Select Personnel
  - Deliverable 1: Notify VA with justifications and details of essential personnel
  - Standard: Qualified staff that have completed all specified VA training will be required for this contract.
  - Acceptable Quality Level: Timeliness: All staff will have completed specified VA training within 1 month of contract start. Quality Indicator: Staff meet VHA standards for handling PHI from VHA data.
  - Method(s) of Surveillance: The PI will review all components of task requirements and provide written and/or oral approval to the Contractor.
- Task 1: Select Personnel
  - Deliverable 2: Designate an administrative contact
  - Standard: An administrative contact is identified within 2 weeks of award of contract.
  - Acceptable Quality Level: Timeliness: Appointed within 2 weeks of contract. Quality Indicator: PI approval.
  - Method(s) of Surveillance: The PI will review task requirements and provide written and/or oral approval to the Contractor.
- Task 2: Regular Communication/Meetings and Recording Decisions
  - Deliverable 3: Attend weekly meetings with the VA study team and keep minutes of discussions
  - Standard: Scheduled meetings will be attended by necessary personnel. Meeting minutes will be recorded by the vendor and distributed after the meeting.
  - Acceptable Quality Level: Timeliness: Minutes will be distributed within 1 week of the meeting for revision if necessary. Quality Indicator: PI approval.
  - Method(s) of Surveillance: Action and deliverable required as described in the Task will meet approval of the PI.
- Task 3: Project Plan and Procedures
  - Deliverable 4: Develop a project plan and procedures and update to within 1 month of contract award
  - Standard: The Project Management Plan (PMP) is comprehensive, is responsive to the SOW, and addresses all SOW tasks as communicated in the Contractor's technical proposal; risks are identified and quantified and include a mitigation plan; the contract schedule presents a work breakdown structure including associated activities with start and finish dates; the communication plan addresses internal and external customers and stakeholders; and quality assurance demonstrates adherence to the PRS. Updates are provided in a timely manner and are thorough and complete.
  - Acceptable Quality Level: Timeliness: As stated in Deliverable 4. Quality Indicator: PI approval.
  - Method(s) of Surveillance: Deliverable required as described in the Task will meet approval of the PI.
- Task 4: Quality Assurance
  - Deliverable 5: Develop a quality control plan and update to within 1 month of contract award
  - Standard: The Quality Control Plan is comprehensive, is responsive to the SOW, and addresses all SOW tasks as communicated in the Contractor's technical proposal. Updates are provided in a timely manner and are thorough and complete.
  - Acceptable Quality Level: Timeliness: As stated in Deliverable 4. Quality Indicator: PI approval.
  - Method(s) of Surveillance: Deliverable required as described in the Task will meet approval of the PI.
- Task 4: Quality Assurance
  - Deliverable 6: Develop a data management system to track progress of mailings and to facilitate routine reporting
  - Standard: The plan is provided in a timely manner and is thorough and complete.
  - Acceptable Quality Level: Timeliness: Should be operational within 1 month of contract award. Quality Indicator: PI approval.
  - Method(s) of Surveillance: Deliverable required as described in the Task will meet approval of the PI.
- Task 5: Submit a Confidentiality Plan and Data Security Procedures
  - Deliverable 7: Submit a confidentiality plan and data security procedures
  - Standard: The plan is provided within 30 days of contract approval and is thorough and complete.
  - Acceptable Quality Level: Timeliness: As stated in Deliverable 5. Quality Indicator: PI approval.
  - Method(s) of Surveillance: Contractor-reported data to the PI for review, feedback and approval.
- Task 6: Submit a final dataset with data dictionary and documentation of all data verification procedures
  - Deliverable 8: Submit a final dataset with data dictionary and documentation of all data verification procedures
  - Standard: The data and documentation are complete.
  - Acceptable Quality Level: Timeliness: As stated in Deliverable 6. Quality Indicator: PI approval.
  - Method(s) of Surveillance: Contractor-reported data to the PI for review, feedback and approval.

The Government will monitor performance and review deliverables utilizing solicited and unsolicited feedback from all applicable resources as follows:

F. CHANGES TO STATEMENT OF WORK

Any changes to this SOW shall be authorized and approved only through written correspondence from the CO. A copy of each change will be kept in a project folder along with all other products of the project. Costs incurred by the contractor through the actions of parties other than the CO shall be borne by the contractor.

G. GOVERNMENT RESPONSIBILITIES

The government shall assure that the contractor has access to VA toll-free telephone numbers for Veterans as appropriate.

H. KEY PERSONNEL

The Contractor shall be responsible for managing and overseeing the activities of all Contractor personnel, as well as subcontractor efforts used in performance of this effort.
The Contractor's management responsibilities shall include all activities necessary to ensure the accomplishment of timely and effective support, performed in accordance with the requirements contained in the statement of work. The Contracting Officer may notify the Contractor and request immediate removal of any personnel assigned to the task order by the Contractor who are deemed to have a conflict of interest with the government or whose performance is deemed to be unsatisfactory. The reason for removal will be documented and replacement personnel shall be identified within three business days of the notification. Employment and staffing difficulties shall not be justification for failure to meet established schedules.

1. Key Personnel: Certain skilled, experienced professional and/or technical personnel are essential for accomplishing the work to be performed. These individuals are defined as "Key Personnel" and are those persons whose resumes were submitted and marked by the vendor as "Key Personnel". Substitutions shall only be accepted if in compliance with the "Substitution of Key Personnel" provision identified below.

Name / Title

2. Substitution of Key Personnel: All Contractor requests for approval of substitutions hereunder shall be submitted in writing to the COR and the Contracting Officer at least thirty (30) calendar days in advance of the effective date, whenever possible, and shall provide a detailed explanation of the circumstances necessitating the proposed substitution, a complete resume for the proposed substitute, and any other information requested by the Contracting Officer necessary to approve or disapprove the proposed substitution. New personnel shall not commence work until all necessary security requirements, as defined in Section J, have been fulfilled and resumes provided and accepted. The COR and the Contracting Officer will evaluate such requests and promptly notify the Contractor of approval or disapproval in writing.
PERSONNEL QUALIFICATIONS: The successful contractor shall have personnel with a proven track record of providing full-service survey management to Federal clients. The Contractor will utilize personnel with the privacy and security training required for access to VHA data. The Contractor shall document that the qualifications of the professional, technical and administrative staff proposed are adequate for full performance of tasks. Curriculum Vitae (CVs) or detailed bios are provided for each proposed staff member. The Contractor shall identify the key roles and specific responsibilities for each key role of the professional, technical and administrative staff proposed. The Contractor shall ensure that proposed program managers and senior-level professionals are qualified and available for consultation with VA from 8 am EST to 6 pm PST.

Project Manager: Must have 5 to 10 years of experience in managing similar large-scale surveys.
IT Manager: Must have, as a minimum, 5 years of experience in development of software for similar systems.

Contractor Personnel Security

All contractor employees who require access to the Department of Veterans Affairs' computer systems shall be the subject of a background investigation and must receive a favorable adjudication from the VA Security and Investigations Center (07C). The level of background security investigation will be in accordance with VA Directive 0710 dated September 10, 2004 and is available at: http://www.va.gov/pubs/asp/edsdirec.asp (VA Handbook 0710, Appendix A, Tables 1-3). Appropriate Background Investigation (BI) forms will be provided upon contract (or task order) award, and are to be completed and returned to the VA Security and Investigations Center (07C) within 30 days for processing. Contractors will be notified by 07C when the BI has been completed and adjudicated. These requirements are applicable to all subcontractor personnel requiring the same access.
If the security clearance investigation is not completed prior to the start date of the contract, the employee may work on the contract while the security clearance is being processed, but the contractor will be responsible for the actions of those individuals they provide to perform work for the VA. In the event that damage arises from work performed by contractor personnel, under the auspices of the contract, the contractor will be responsible for resources necessary to remedy the incident.

J. SECURITY

Information System Security

Access to VA Information and VA Information Systems:

a. A contractor/sub-contractor shall request logical (technical) or physical access to VA information and VA information systems for their employees, subcontractors, and affiliates only to the extent necessary to perform the services specified in the contract, agreement, or task order.

b. All contractors, subcontractors, and third-party servicers and associates working with VA information are subject to the same investigative requirements as those of VA appointees or employees who have access to the same types of information. The level and process of background security investigations for contractors must be in accordance with VA Directive and Handbook 0710, Personnel Suitability and Security Program. The Office for Operations, Security, and Preparedness is responsible for these policies and procedures.

c. Contract personnel who require access to national security programs must have a valid security clearance. The National Industrial Security Program (NISP) was established by Executive Order 12829 to ensure that cleared U.S. defense industry contract personnel safeguard the classified information in their possession while performing work on contracts, programs, bids, or research and development efforts. The Department of Veterans Affairs does not have a Memorandum of Agreement with the Defense Security Service (DSS).
Verification of a Security Clearance must be processed through the Special Security Officer located in the Planning and National Security Service within the Office of Operations, Security, and Preparedness.

d. Custom software development and outsourced operations must be located in the U.S. to the maximum extent practical. If such services are proposed to be performed abroad and are not disallowed by other VA policy or mandates, the contractor/subcontractor must state where all non-U.S. services are provided and detail a security plan, deemed to be acceptable by VA, specifically to address mitigation of the resulting problems of communication, control, data protection, and so forth. Location within the U.S. may be an evaluation factor.

e. The contractor or subcontractor must notify the Contracting Officer immediately when an employee working on a VA system or with access to VA information is reassigned or leaves the contractor's or subcontractor's employ. The Contracting Officer must also be notified immediately by the contractor or subcontractor prior to an unfriendly termination.

Information System Hosting, Operation, Maintenance, or Use

For information systems that are hosted, operated, maintained, or used on behalf of VA at non-VA facilities, contractors/subcontractors are fully responsible and accountable for ensuring compliance with all HIPAA, Privacy Act, FISMA, NIST, FIPS, and VA security and privacy directives and handbooks. This includes conducting compliant risk assessments, routine vulnerability scanning, system patching and change management procedures, and the completion of an acceptable contingency plan for each system. The contractor's security control procedures must be equivalent to those procedures used to secure VA systems. A Privacy Impact Assessment (PIA) must also be provided to the COTR and approved by VA Privacy Service prior to operational approval.
All external Internet connections to VA's network involving VA information must be reviewed and approved by VA prior to implementation. Adequate security controls for collecting, processing, transmitting, and storing of Personally Identifiable Information (PII), as determined by the VA Privacy Service, must be in place, tested, and approved by VA prior to hosting, operation, maintenance, or use of the information system or systems by or on behalf of VA. These security controls are to be assessed and stated within the PIA, and if these controls are determined not to be in place, or inadequate, a Plan of Action and Milestones (POA&M) must be submitted and approved prior to the collection of PII.

Outsourcing (contractor facility, contractor equipment or contractor staff) of systems or network operations, telecommunications services, or other managed services requires certification and accreditation (authorization) (C&A) of the contractor's systems in accordance with VA Handbook 6500.3, Certification and Accreditation, and/or the VA OCS Certification Program Office. Government-owned (government facility or government equipment) contractor-operated systems, third-party or business partner networks require memorandums of understanding and interconnection security agreements (MOU-ISA) which detail what data types are shared, who has access, and the appropriate level of security controls for all systems connected to VA networks.

The contractor/subcontractor's system must adhere to all FISMA, FIPS, and NIST standards related to the annual FISMA security controls assessment and review and update the PIA. Any deficiencies noted during this assessment must be provided to the VA contracting officer and the ISO for entry into VA's POA&M management process. The contractor/subcontractor must use VA's POA&M process to document planned remedial actions to address any deficiencies in information security policies, procedures, and practices, and the completion of those activities.
Security deficiencies must be corrected within the timeframes approved by the government. Contractor/subcontractor procedures are subject to periodic, unannounced assessments by VA officials, including the VA Office of Inspector General. The physical security aspects associated with contractor/subcontractor activities must also be subject to such assessments. If major changes to the system occur that may affect the privacy or security of the data or the system, the C&A of the system may need to be reviewed, retested and re-authorized per VA Handbook 6500.3. This may require reviewing and updating all of the documentation (PIA, System Security Plan, Contingency Plan). The Certification Program Office can provide guidance on whether a new C&A would be necessary.

The contractor/subcontractor must conduct an annual self-assessment on all systems and outsourced services as required. Both hard copy and electronic copies of the assessment must be provided to the COTR. The government reserves the right to conduct such an assessment using government personnel or another contractor/subcontractor. The contractor/subcontractor must take appropriate and timely action (this can be specified in the contract) to correct or mitigate any weaknesses discovered during such testing, generally at no additional cost.

VA prohibits the installation and use of personally-owned or contractor/subcontractor-owned equipment or software on VA's network. If non-VA owned equipment must be used to fulfill the requirements of a contract, it must be stated in the service agreement, SOW or contract. All of the security controls required for government furnished equipment (GFE) must be utilized in approved other equipment (OE) and must be funded by the owner of the equipment. All remote systems must be equipped with, and use, VA-approved antivirus (AV) software and a personal (host-based or enclave based) firewall that is configured with a VA approved configuration.
Software must be kept current, including all critical updates and patches. Owners of approved OE are responsible for providing and maintaining the anti-viral software and the firewall on the non-VA owned OE.

All electronic storage media used on non-VA leased or non-VA owned IT equipment that is used to store, process, or access VA information must be handled in adherence with VA Handbook 6500.1, Electronic Media Sanitization upon: (i) completion or termination of the contract or (ii) disposal or return of the IT equipment by the contractor/subcontractor or any person acting on behalf of the contractor/subcontractor, whichever is earlier. Media (hard drives, optical disks, CDs, back-up tapes, etc.) used by the contractors/subcontractors that contain VA information must be returned to the VA for sanitization or destruction or the contractor/subcontractor must self-certify that the media has been disposed of per 6500.1 requirements. This must be completed within 30 days of termination of the contract.

Bio-Medical devices and other equipment or systems containing media (hard drives, optical disks, etc.) with VA sensitive information must not be returned to the vendor at the end of lease, for trade-in, or other purposes. The options are:
- Vendor must accept the system without the drive;
- VA's initial medical device purchase includes a spare drive which must be installed in place of the original drive at time of turn-in; or
- VA must reimburse the company for media at a reasonable open market replacement cost at time of purchase.
Due to the highly specialized and sometimes proprietary hardware and software associated with medical equipment/systems, if it is not possible for the VA to retain the hard drive, then:
(a) The equipment vendor must have an existing BAA if the device being traded in has sensitive information stored on it and hard drive(s) from the system are being returned physically intact; and
(b) Any fixed hard drive on the device must be non-destructively sanitized to the greatest extent possible without negatively impacting system operation. Selective clearing down to patient data folder level is recommended using VA approved and validated overwriting technologies/methods/tools. Applicable media sanitization specifications need to be preapproved and described in the purchase order or contract.
(c) A statement needs to be signed by the Director (System Owner) that states that the drive could not be removed and that (a) and (b) controls above are in place and completed. The ISO needs to maintain the documentation.

Security Incident Investigation

The term security incident means an event that has, or could have, resulted in unauthorized access to, loss or damage to VA assets, or sensitive information, or an action that breaches VA security procedures. The contractor/subcontractor shall immediately notify the COTR and simultaneously, the designated ISO and Privacy Officer for the contract of any known or suspected security/privacy incidents, or any unauthorized disclosure of sensitive information, including that contained in system(s) to which the contractor/subcontractor has access. To the extent known by the contractor/subcontractor, the contractor/subcontractor's notice to VA shall identify the information involved, the circumstances surrounding the incident (including to whom, how, when, and where the VA information or assets were placed at risk or compromised), and any other information that the contractor/subcontractor considers relevant.
With respect to unsecured protected health information, the business associate is deemed to have discovered a data breach when the business associate knew or should have known of a breach of such information. Upon discovery, the business associate must notify the covered entity of the breach. Notifications need to be made in accordance with the executed business associate agreement.

In instances of theft or break-in or other criminal activity, the contractor/subcontractor must concurrently report the incident to the appropriate law enforcement entity (or entities) of jurisdiction, including the VA OIG and Security and Law Enforcement. The contractor, its employees, and its subcontractors and their employees shall cooperate with VA and any law enforcement authority responsible for the investigation and prosecution of any possible criminal law violation(s) associated with any incident. The contractor/subcontractor shall cooperate with VA in any civil litigation to recover VA information, obtain monetary or other compensation from a third party for damages arising from any incident, or obtain injunctive relief against any third party arising from, or related to, the incident.

Liquidated damages for data breach

a. Consistent with the requirements of 38 U.S.C. §5725, a contract may require access to sensitive personal information. If so, the contractor is liable to VA for liquidated damages in the event of a data breach or privacy incident involving any SPI the contractor/subcontractor processes or maintains under this contract.

b. The contractor/subcontractor shall provide notice to VA of a security incident as set forth in the Security Incident Investigation section above.
Upon such notification, VA must secure from a non-Department entity or the VA Office of Inspector General an independent risk analysis of the data breach to determine the level of risk associated with the data breach for the potential misuse of any sensitive personal information involved in the data breach. The term 'data breach' means the loss, theft, or other unauthorized access, or any access other than that incidental to the scope of employment, to data containing sensitive personal information, in electronic or printed form, that results in the potential compromise of the confidentiality or integrity of the data. Contractor shall fully cooperate with the entity performing the risk analysis. Failure to cooperate may be deemed a material breach and grounds for contract termination.

c. Each risk analysis shall address all relevant information concerning the data breach, including the following:
(1) Nature of the event (loss, theft, unauthorized access);
(2) Description of the event, including:
    (a) date of occurrence;
    (b) data elements involved, including any PII, such as full name, social security number, date of birth, home address, account number, disability code;
(3) Number of individuals affected or potentially affected;
(4) Names of individuals or groups affected or potentially affected;
(5) Ease of logical data access to the lost, stolen or improperly accessed data in light of the degree of protection for the data, e.g., unencrypted, plain text;
(6) Amount of time the data has been out of VA control;
(7) The likelihood that the sensitive personal information will or has been compromised (made accessible to and usable by unauthorized persons);
(8) Known misuses of data containing sensitive personal information, if any;
(9) Assessment of the potential harm to the affected individuals;
(10) Data breach analysis as outlined in 6500.2 Handbook, Management of Security and Privacy Incidents, as appropriate; and
(11) Whether credit protection services may assist record subjects in avoiding or mitigating the results of identity theft based on the sensitive personal information that may have been compromised.

d. Based on the determinations of the independent risk analysis, the contractor shall be responsible for paying to the VA liquidated damages in the amount of $_37.50_____ Does anyone know what $ value to enter here? per affected individual to cover the cost of providing credit protection services to affected individuals consisting of the following:
(1) Notification;
(2) One year of credit monitoring services consisting of automatic daily monitoring of at least 3 relevant credit bureau reports;
(3) Data breach analysis;
(4) Fraud resolution services, including writing dispute letters, initiating fraud alerts and credit freezes, to assist affected individuals to bring matters to resolution;
(5) One year of identity theft insurance with $20,000.00 coverage at $0 deductible; and
(6) Necessary legal expenses the subjects may incur to repair falsified or damaged credit records, histories, or financial affairs.

Security controls compliance testing

On a periodic basis, VA, including the Office of Inspector General, reserves the right to evaluate any or all of the security controls and privacy practices implemented by the contractor under the clauses contained within the contract. With 10 working days' notice, at the request of the government, the contractor must fully cooperate and assist in a government-sponsored security controls assessment at each location wherein VA information is processed or stored, or information systems are developed, operated, maintained, or used on behalf of VA, including those initiated by the Office of Inspector General. The government may conduct a security control assessment on shorter notice (to include unannounced assessments) as determined by VA in the event of a security incident or at any other time.
Training

All contractor employees and subcontractor employees requiring access to VA information and VA information systems shall complete the following before being granted access to VA information and its systems:
(1) Sign and acknowledge (either manually or electronically) understanding of and responsibilities for compliance with the Contractor Rules of Behavior, Appendix E relating to access to VA information and information systems;
(2) Successfully complete the VA Cyber Security Awareness and Rules of Behavior training and annually complete required security training;
(3) Successfully complete the appropriate VA privacy training and annually complete required privacy training; and
(4) Successfully complete any additional cyber security or privacy training, as required for VA personnel with equivalent information system access [to be defined by the VA program official and provided to the contracting officer for inclusion in the solicitation document, e.g., any role-based information security training required in accordance with NIST Special Publication 800-16, Information Technology Security Training Requirements.]

The contractor shall provide to the contracting officer and/or the COTR a copy of the training certificates and certification of signing the Contractor Rules of Behavior for each applicable employee within 1 week of the initiation of the contract and annually thereafter, as required. Failure to complete the mandatory annual training and sign the Rules of Behavior annually, within the timeframe required, is grounds for suspension or termination of all physical or electronic access privileges and removal from work on the contract until such time as the training and documents are complete.

M. SECTION 508

The contractor shall comply with Section 508 of the Rehabilitation Act (29 U.S.C. § 794d), as amended by the Workforce Investment Act of 1998 (P.L. 105-220), August 7, 1998.
In December 2000, the Architectural and Transportation Barriers Compliance Board (Access Board), pursuant to Section 508(2)(A) of the Rehabilitation Act Amendments of 1998, established Information Technology accessibility standards for the Federal Government. Section 508(a)(1) requires that when Federal departments or agencies develop, procure, maintain, or use Electronic and Information Technology (EIT), they shall ensure that the EIT allows Federal employees with disabilities to have access to and use of information and data that is comparable to the access to and use of information and data by other Federal employees. The Section 508 requirement also applies to members of the public seeking information or services from a Federal department or agency. Section 508 text is available at:
http://www.opm.gov/HTML/508-textOfLaw.htm
http://www.section508.gov/index.cfm?FuseAction=Content&ID=14

N. CONFIDENTIALITY AND NONDISCLOSURE

It is agreed that: The preliminary and final deliverables and all associated working papers, application source code, and other materials deemed relevant by the VA which have been generated by the contractor in the performance of this task order are the exclusive property of the U.S. Government and shall be submitted to the CO at the conclusion of the task order. The CO will be the sole authorized official to release verbally or in writing, any data, the draft deliverables, the final deliverables, or any other written or printed materials pertaining to this task order. No information shall be released by the contractor. Any request for information relating to this task order presented to the contractor shall be submitted in writing to the CO for response. Press releases, marketing material or any other printed or electronic documentation related to this project, shall not be publicized without the written approval of the CO. The Contractor will sign a National Business Associate Agreement with the VA, in accordance with the mandated guidelines.
O. RIGHTS IN DATA

Performance of this effort may require the contractor to access and use data and information proprietary to a Government agency or Government contractor which is of such a nature that its dissemination or use, other than in performance of this effort, would be adverse to the interests of the Government and/or others. Contractor and/or contractor personnel shall not divulge or release data or information developed or obtained in performance of this effort, until made public by the Government, except to authorized Government personnel or upon written approval of the Contracting Officer (CO). The contractor shall not use, disclose, or reproduce proprietary data that bears a restrictive legend, other than as required in the performance of this effort. Nothing herein shall preclude the use of any data independently acquired by the contractor without such limitations or prohibit an agreement at no cost to the Government between the contractor and the data owner which provides for greater rights to the contractor.

The Department of Veterans Affairs shall have unlimited rights to and ownership of all deliverables provided under this effort, including reports, recommendations, briefings, work plans and all other deliverables. This includes the deliverables provided under the basic award as well as any optional task deliverables that are exercised by the Contracting Officer. The definition of unlimited rights is contained in Federal Acquisition Regulation (FAR) 27.401, Definitions.

P. TASK ORDER TERMINATION

VA has the right to terminate (in whole or in part) this task order at any time in accordance with the termination clauses of the governing GSA Schedule Contract. The Contractor will be paid only for the services rendered up to the point of receiving the termination notice, and then only to the extent that those services meet the requirements of this SOW.

Q. CONTRACT ADMINISTRATION

Notwithstanding the Contractor's responsibility for total management during the performance of this contract, the administration of the contract will require maximum coordination between the Government and the Contractor. The following individuals will be the Government's points of contact during the performance of this contract:
1. Contracting Officer: TBD
   Contract Specialist: TBD
2. Contracting Officer's Technical Representative (COR): To be designated at time of contract award.

The COR shall be designated on the authority of the Contracting Officer at the time of contract award to monitor all technical aspects of the contract. In no event is the COR empowered to change any of the terms and conditions of the contract. Changes in any section of this contract shall be made only by the Contracting Officer pursuant to a properly executed modification. The types of actions within the purview of the COR's authority are to ensure that the Contractor performs the technical requirements of the contract, and to notify both the Contractor and the Contracting Officer of any deficiencies observed. A memorandum of designation shall be issued to the COR and a copy shall be sent to the Contractor at the time of contract award setting forth in full the responsibilities and limitations of the COR.

Attachment A: Anticipated Schedule of Deliverables

DELIVERABLE NUMBER | ITEM | QUANTITY | DELIVERY DATE
1 | Task 1: Notify VA with justifications and details of essential personnel | 1 report | Within 7 days of contract award
2 | Task 1: Designate an administrative contact | 1 individual | Within 7 days of contract award
3 | Task 2: Attend weekly meetings with the VA Project Team and keep a written log of discussions | 1 per week | Weekly during the life of the contract (or as indicated)
4 | Task 3: Develop a project plan and procedures | 1 | Within 1 month of contract award
5 | Task 4: Develop a quality control plan | 1 | Within 1 month of contract award to the completion of the contract
6 | Task 4: Develop a data management system | 1 | Within 1 month of contract award
7 | Task 5: Submit a confidentiality plan and data security procedures for approval | 1 ea | Within 1 month of contract award
8 | Task 6: Submit a final dataset with data dictionary and documentation of all data verification procedures | 1 | TBD
- Web Link
-
FBO.gov Permalink
(https://www.fbo.gov/notices/f97c22f72a5c2310b6e1b39be5de8a69)
- Document(s)
- Attachment
- File Name: 36C24E18Q0013 36C24E18Q0013.docx (https://www.vendorportal.ecms.va.gov/FBODocumentServer/DocumentServer.aspx?DocumentId=3892480&FileName=36C24E18Q0013-000.docx)
- Link: https://www.vendorportal.ecms.va.gov/FBODocumentServer/DocumentServer.aspx?DocumentId=3892480&FileName=36C24E18Q0013-000.docx
- Note: If links are broken, refer to Point of Contact above or contact the FBO Help Desk at 877-472-3779.
- Record
- SN04732811-W 20171108/171106231301-f97c22f72a5c2310b6e1b39be5de8a69 (fbodaily.com)