Loren Data's SAM Daily™

FBO DAILY - FEDBIZOPPS ISSUE OF MARCH 16, 2018 FBO #5957
SOLICITATION NOTICE

65 -- automated blood gas analyzers

Notice Date
3/14/2018
 
Notice Type
Combined Synopsis/Solicitation
 
NAICS
325413 — In-Vitro Diagnostic Substance Manufacturing
 
Contracting Office
Department of the Army, U.S. Army Medical Command, MEDCOM, North Atlantic Regional Contracting Office, 8901 Rockville Pike, Bldg 54, Bethesda, Maryland, 20889, United States
 
ZIP Code
20889
 
Solicitation Number
W91YTZ-18-T-0182
 
Archive Date
4/10/2018
 
Point of Contact
Linda M. Spindler, Phone: 7067872378
 
E-Mail Address
linda.m.spindler.civ@mail.mil
 
Small Business Set-Aside
N/A
 
Description
This is a combined synopsis/solicitation for commercial items prepared in accordance with the format in Subpart 12.6 and FAR 13, as supplemented with additional information included in this notice. This announcement constitutes the only solicitation; proposals are being requested and a written solicitation will not be issued. It is expected to result in the award of a firm-fixed price requirement type contract. The resulting award will be made on SF 1449, for commercial supplies and services. Solicitation number W91YTZ-18-T-0182 is issued as a request for quote (RFQ). The solicitation document and incorporated provisions and clauses are those in effect through Federal Acquisition Circular 2005-96 and DPN 20161222 current as of 7 November 2017. This acquisition is UNRESTRICTED, under size standard 1,250 and NAICS code 325413. The Government anticipates awarding a single award for 2 each blood gas analyzer systems, which includes analyzers, reagents, supplies and services. Location of this requirement is Martin Army Community Hospital, Fort Benning, Georgia 31905. This requirement is for a base period and 1 option year. All responsible Small Business offerors may submit a quotation, which will be considered by the agency.

Item No. 0001: BLOOD GAS ANALYZER, 1 Job
The contractor shall provide Martin Army Community Hospital (BMACH), USAMEDDAC Fort Benning, Georgia laboratory with 2 each automated blood gas analyzers, in accordance with the statement of work. Each analyzer shall perform over 400 tests per month. Must provide Owner's and Operator's Manual(s). Billing shall occur monthly. Ordering Period: 1 year from Date of Award.
Total Base period: ______________________

Option Year 1
Item No. 1001: BLOOD GAS ANALYZER, 1 Job
The contractor shall provide Martin Army Community Hospital (BMACH), USAMEDDAC Fort Benning, Georgia laboratory with 2 each automated blood gas analyzers, in accordance with the statement of work. Each analyzer shall perform over 400 tests per month.
Billing shall occur monthly. Ordering Period: 1 year after base period ends.
Total Option Year One period: ______________________

The following FAR Clauses and Provisions in their latest editions apply to this solicitation.

52.212-1 Instructions to Offerors - Commercial Items JAN 2017

Addendum to FAR 52.212-1 Instructions to Offerors-Commercial Items
FAR 52.212-1 is hereby amended to reflect the changes shown below:

Para (b) Submission of offers
All offerors must be registered in the System for Award Management (SAM) prior to award, and lack of registration shall make an offer ineligible for award. Offerors may obtain information on registration on the Internet at https://www.sam.gov or from the SAM Help desk at https://www.fsd.gov.

THE SOLICITATION MUST BE QUOTED ALL OR NONE.

To be delivered FOB Destination to: Martin Army Community Hospital, 6600 Van Aalst Boulevard, Fort Benning, Georgia 31905.

All questions shall be submitted via email no later than 1:30PM EST March 23, 2018 to linda.m.spindler.civ@mail.mil and frederick.m.kmiecik.civ@mail.mil. Responses will be posted to the Federal Business Opportunities website.

Proposals are being accepted via email only. All responsible sources should submit proposals to Linda M. Spindler via e-mail: linda.m.spindler.civ@mail.mil by March 26, 2018 12:00 PM EST.

(n) The non-FAR Part 12 discretionary FAR, DFARS, AFARS and MEDCOM provisions included herein are incorporated into this solicitation either by reference or in full text. If incorporated by reference, see provision 52.252-1 for locations where full text can be obtained.

Cover email shall include: Data Universal Numbering System (DUNS) / CAGE Code, and point of contact for the individual authorized to enter into discussions, to include phone and email. All offerors must request verification by email to Linda M. Spindler (linda.m.spindler.civ@mail.mil) to confirm that their proposal was received by the time specified in the solicitation.
The Government will not be responsible for any failure of transmission or receipt of the offer, or any failure of the offeror to verify receipt of the emailed offer.

Instructions for the Preparation of Proposals

Written Documentation. The technical information required for evaluation purposes shall not exceed 20 pages. Each page should be numbered. Technical information may be a brochure or promotional documents, but shall cover salient characteristics, responses to SOW specific tasking, meeting the SOW Information Technology Connectivity, ease of use, training and special features. RFQ shall provide sufficient detail for the Government to determine whether the proposal meets the requirements of the solicitation.

Price reasonableness will be based on comparison to market prices and competition. Each offeror shall submit proposed pricing for all contract Line Item Numbers (CLINs) identified in the Request for Quote, unless otherwise noted. Pricing shall include individual pricing as listed above for a base period plus one (1) option year.
CLAUSES INCORPORATED BY REFERENCE
52.203-2 Certificate of Independent Price Determination APR 1985
52.203-11 Certification and Disclosure Regarding Payment To Influence Certain Federal Transactions SEP 2007
52.204-16 Commercial and Government Entity Code Reporting JUL 2016
52.222-22 Previous Contracts And Compliance Reports FEB 1999
52.222-46 Evaluation of Compensation for Professional Employees FEB 1993
52.223-1 Bio Based Product Certification MAY 2012
52.225-25 Prohibition on Contracting with Entities Engaging In Certain Activities or Transactions Relating to Iran-Representation and Certification OCT 2015

Incorporated by Full Text
52.209-2 Prohibition on Contracting with Inverted Domestic Corporations-Representations NOV 2015
52.209-7 Information Regarding Responsibility Matters JUL 2013
52.209-11 Representation by Corporations Regarding Delinquent Tax Liability or A Felony Conviction Under Any Federal Law FEB 2016
52.215-20 Requirements For Certified Cost or Pricing Data and Data Other Than Certified Cost or Pricing Data (OCT 2010) Alternative IV (OCT 2010)
52.216-1 Type of Contract: Firm Fixed Price APR 1984
52.222-25 Affirmative Action Compliance APR 1984
52.233-2 Service of Protest SEP 2006

52.252-1 (FEB 1998), Solicitation Provisions Incorporated by Reference: The full text of a solicitation provision may be accessed electronically at this/these address (es): www.farsite.hill.af.mil or www.arnet.gov/far.

52.252-5, Authorized Deviations in Provisions (APR 1984): (b) The use in this solicitation or contract of any DoD FAR Supplement (48 CFR Chapter 2) provision with an authorized deviation is indicated by the addition of "(DEVIATION)" after the name of the regulation.
252.203-7005 Representation Relating to Compensation of Former DOD Officials NOV 2011
252.204-7008 Compliance With Safeguarding Covered Defense Information Controls OCT 2016
252.204-7011 Alternate Line-Item Structure SEP 2011
252.213-7000 Notice to Prospective Suppliers on Use of Past Performance Information Retrieval System-Statistical Reporting in Past Performance Evaluations JUN 2015
252.215-7007 Notice of Intent to Resolicit JUN 2012
252.215-7008 Only One Offer OCT 2013
252.222-7007 Representation Regarding Combating Trafficking in Persons JAN 2015
252.225-7020 Trade Agreements Certificate NOV 2014
252.225-7035 Buy American Free Trade Agreements-Balance of Payments Program Certificate-Basic NOV 2014
252.225-7050 Disclosure of Ownership or Control By the Government of A Country That is A State Sponsor of Terrorism OCT 2015
252.247-7022 Representation of Extent of Transportation By Sea AUG 1992

52.212-2 Evaluation -Commercial Items OCT 2014

Evaluation -- Commercial Items (Oct 2014)

(a) The Government will award a Firm Fixed Price contract resulting from this solicitation to the responsible offeror whose offer conforming to the solicitation will be most advantageous to the Government, price and other factors considered. The following factors shall be used to evaluate offers:

(i) Technical capability of the item(s) offered to meet the Government requirement. Offeror compliance with meeting or exceeding salient characteristics, responses to SOW specific tasks, meeting the SOW Information Technology Connectivity, ease of use, training and special features that represents the best value to the Government. During the evaluation of quotes, offeror must be determined to be acceptable by meeting minimum salient characteristics before other technical factors shall be considered.

Minimum salient characteristics:
1. Analyzers shall be FDA approved, 100-240V +/- 10%, use FDA approved software for FDA approved testing reagents.
2. Reagent kits must be FDA approved for use in clinical testing with expiration dates no less than 6 months of delivery date that function properly and pass lot to lot testing as required.
3. Operating system must be compatible with Windows 10 or higher.
4. Automated QC cartridge with three levels (low, medium and high) controls.
5. Traditional external QC with three levels (low, medium and high) controls.
6. Electrodes, gas, and reagents are self-contained as one unit.
7. Random access, continuous operation, remote access and STAT test capability.
8. Barcode Reader and disk drive with read and write and USB port for loading and downloading data.
9. Laboratory Information System (LIS) interface with CHCS for 2-way communication with broadcast download and host.
10. Must be able to provide results from samples in both syringe and capillary collection devices.
11. Wash/waste is a closed, self-contained disposable unit.
12. No direct plumb or modification of facility for water source for operation or waste drain.
13. Must interface with the DoD Electronic Health Record system.

(ii) Price: Will be evaluated separately from Technical and will be evaluated for fairness and price reasonableness. The offeror shall complete the CLIN structure with a total price covering a base period and one option year developed based upon the annual testing requirement.

Technical factors, when combined, are significantly more important than price when compared.

(b) Options. The Government will evaluate offers for award purposes by adding the total price for all options to the total price for the basic requirement. The Government may determine that an offer is unacceptable if the option prices are significantly unbalanced. Evaluation of options shall not obligate the Government to exercise the option(s).
(c) A written notice of award or acceptance of an offer, mailed or otherwise furnished to the successful offeror within the time for acceptance specified in the offer, shall result in a binding contract without further action by either party. Before the offer's specified expiration time, the Government may accept an offer (or part of an offer), whether or not there are negotiations after its receipt, unless a written notice of withdrawal is received before award.

Award may be made without discussions with offerors (except communications conducted for the purpose of minor clarification). Therefore, each initial offer should contain the offeror's best terms from a technical and price standpoint. However, the Government reserves the right to conduct discussions if it is later determined by the contracting officer to be necessary.

52.212-3 Offeror Representations and Certifications--Commercial Items (JAN 2017) Alternate I OCT 2014

CLAUSES INCORPORATED BY REFERENCE
52.212-4 Contract Terms and Conditions--Commercial Items JAN 2017

52.212-4 ADDENDUM
(w) The non-FAR Part 12 discretionary FAR, DFARS, AFARS, and Local clauses herein are incorporated into this contract either by reference or in full text. If incorporated by reference, see clause 52.252-2 for locations where full text can be found.
CLAUSES INCORPORATED BY REFERENCE
52.203-3 Gratuities APR 1984
52.203-6 Restrictions on Subcontractor Sales to the Government-Alternate I SEP 2006
52.203-12 Limitation on Payments to Influence Certain Federal Transactions OCT 2010
52.203-17 Contractor Employee Whistleblower Rights and Requirement to Inform Employees of Whistleblower Rights APR 2014
52.204-4 Printed or Copied on Double-sided Post Consumer Fiber Content Paper MAY 2011
52.204-10 Reporting Executive Compensation and First-Tier Subcontract Awards OCT 2016
52.204-18 Commercial and Government Entity Code Maintenance JUL 2016
52.209-6 Protecting the Government's Interest When Subcontracting With Contractors Debarred, Suspended, or Proposed for Debarment OCT 2015
52.209-9 Updates of Publicly Available Information Regarding Responsibility Matters JUL 2013
52.219-9 Small Business Subcontracting Plan JAN 1999
52.222-3 Convict Labor JUN 2003
52.222-19 Child Labor-Cooperation With Authorities and Remedies JAN 2014
52.222-21 Prohibition Of Segregated Facilities APR 2015
52.222-26 Equal Opportunity SEP 2016
52.222-35 Equal Opportunity For Veterans OCT 2015
52.222-36 Equal Opportunity for Workers with Disabilities JUL 2014
52.222-37 Employment Reports on Veterans OCT 2015
52.222-50 Combating Trafficking in Persons MAR 2015
52.222-54 Employment Verification OCT 2015
52.223-2 Affirmative Procurement of Bio based Products Under Service and Construction Contracts SEP 2013
52.223-3 Hazardous Material Identification and Material Safety Data JAN 1997
52.223-5 Pollution Prevention and Right-to-Know Information MAY 2011
52.223-18 Encouraging Contractor Policies To Ban Text Messaging While Driving AUG 2011
52.224-1 Privacy Act Notification APR 1984
52.224-2 Privacy Act APR 1984
52.225-13 Restrictions on Certain Foreign Purchases JUN 2008
52.228-5 Insurance-Work on A Government Installation JAN 1997
52.232-33 Payment by Electronic Funds Transfer--System for Award Management JUL 2013
52.232-39 Unenforceability of Unauthorized Obligations JUN 2013
52.232-40 Providing Accelerated Payments to Small Business Subcontractors DEC 2013
52.233-3 Protest After Award AUG 1996
52.233-4 Applicable Law for Breach of Contract Claim OCT 2004
52.237-2 Protection Of Government Buildings, Equipment, And Vegetation APR 1984
52.242-5 Payment to Small Business Subcontractors JAN 2017
52.242-13 Bankruptcy JUL 1995
252.203-7000 Requirements Relating to Compensation of Former DoD Officials SEP 2011
252.203-7002 Requirement to Inform Employees of Whistleblower Rights SEP 2013
252.204-7003 Control Of Government Personnel Work Product APR 1992
252.209-7004 Subcontracting With Firms That Are Owned Or Controlled By the Government of A Country That is A State Sponsor of Terrorism OCT 2015
252.219-7003 Small Business Subcontracting Plan (DOD Contracts) MAR 2016
252.225-7002 Qualifying Country Sources as Subcontractors AUG 2016
252.225-7012 Preference for Certain Domestic Commodities FEB 2013
252.225-7021 Trade Agreements SEP 2016
252.225-7048 Export-Controlled Items JUN 2013
252.226-7001 Utilization of Indian Organizations, Indian-Owned Economic Enterprises, And Native Hawaiian Small Business Concerns SEP 2004
252.232-7003 Electronic Submission of Payment Requests and Receiving Reports JUN 2012
252.232-7006 Wide Area Workflow Payment Instructions MAY 2013
252.232-7010 Levies on Contract Payments DEC 2006
252.243-7001 Pricing of Contract Modifications DEC 1991
252.243-7002 Requests for Equitable Adjustments DEC 2012

Incorporated in Full Text

52.209-10 Prohibition On Contracting With Inverted Domestic Corporations NOV 2015
(End of clause)

52.217-9 OPTION TO EXTEND THE TERM OF THE CONTRACT (MAR 2000)
(a) The Government may extend the term of this contract by written notice to the Contractor within 30 days (insert the period of time within which the Contracting Officer may exercise the option); provided that the Government gives the Contractor a preliminary written notice of its intent to extend at least 60 days before the contract expires. The preliminary notice does not commit the Government to an extension.
(b) If the Government exercises this option, the extended contract shall be considered to include this option clause.
(c) The total duration of this contract, including the exercise of any options under this clause, shall not exceed 24 months.
(End of clause)

52.219-28 Post Award Small Business Program Representation JUL 2013
52.222-40 Notification of Employee Rights Under the National Labor Relations Act DEC 2010

52.252-2 CLAUSES INCORPORATED BY REFERENCE (FEB 1998)
This contract incorporates one or more clauses by reference, with the same force and effect as if they were given in full text. Upon request, the Contracting Officer will make their full text available. Also, the full text of a clause may be accessed electronically at this/these address (es): www.farsite.hill.af.mil.
(End of clause)

52.252-6 AUTHORIZED DEVIATIONS IN CLAUSES (APR 1984)
(a) The use in this solicitation or contract of any Federal Acquisition Regulation (48 CFR Chapter 1) clause with an authorized deviation is indicated by the addition of "(DEVIATION)" after the date of the clause.
(b) The use in this solicitation or contract of any DoD FAR Supplement (48 CFR Chapter 2) clause with an authorized deviation is indicated by the addition of "(DEVIATION)" after the name of the regulation.
(End of clause)

252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting OCT 2016
252.204-7015 Disclosure of Information to Litigation Support Contractors MAY 2016
252.244-7000 Subcontracts for Commercial Items and Commercial Components JUN 2013
252.247-7023 Transportation of Supplies by Sea-Basic APR 2014
252.247-7024 Notification of Transportation of Supplies By Sea MAR 2000
End of Additional FAR and DFARS clauses

Incorporated in Full Text
52.212-5 Contract Terms and Conditions Required to Implement Statutes or Executive Orders-Commercial Items (Deviation 2013-O0019) JAN 2017
IRAPT- Invoice, Receiving, Acceptance and Property Transfer-formerly known as WAWF
HIPAA-Health Insurance Portability and Accountability Act (7 July 2014)
TFMC-Tobacco Free Medical Campus
LEIE (October 2015)

STATEMENT OF WORK (SOW)

1. Specific Tasks:
1.1. The contractor shall provide Martin Army Community Hospital (BMACH), USAMEDDAC Fort Benning, Georgia laboratory with 2 each automated blood gas analyzers for the period of 1 April 2018, or date of award, for a one-year base period, plus 1 option year. The vendor is responsible for delivery of reagents, supplies, maintenance of contractor owned equipment and analyzer removal at the end of the contract. This equipment will be located in the Chemistry section of the laboratory under the management of the Department of Pathology.
1.2. Contractor shall provide on-site technical support for installation of analyzers to bring to and maintain a fully operational status.
1.3. Contractor shall ensure the analyzer does not require a water purification/filtration system or modification of the facility's plumbing for a water supply.
1.4. The contractor shall ensure proper packaging of reagents, supplies, and equipment are shipped at proper refrigerated or frozen temperatures according to manufacturer specifications.
1.5. Contractor shall ensure all shipments arrive Monday through Friday between the hours of 8:00am and 3:00pm EST; excluding Federal holidays and weekends.
1.6. The contractor shall respond to phone calls regarding shipment discrepancies the same day of notification and discrepancy will be corrected within 24 hours.
1.7. Contractor shall provide customer notification of updates on any reagents in writing within 5 business days and ensure continuity of services and availability of reagents during reagent revision when required.
1.8. Reagents must meet quality control guidelines set forth by manufacturer.
1.9. The contractor shall provide all software upgrades at no additional cost.
1.10. The contractor shall notify the laboratory if there is a recall on any reagents or equipment within 24 hours.
1.11. Contractor shall respond to service calls within four hours when one analyzer is not working or the morning of the next duty day if after 5:00pm Monday through Friday and correct deficiencies within 24 hours after arrival on-site.
1.12. Contractor shall respond to service calls within two hours when both analyzers are not working or the morning of the next duty day if after 5:00pm Monday through Friday and correct deficiencies on at least one analyzer immediately and all deficiencies within 36 hours after arrival on-site.
1.13. Contractor shall perform all on-site scheduled service as specified by the manufacturer's published maintenance manual as necessary to keep system in good condition including lubrications, cleaning (other than those performed at the operator's level), calibrations, and diagnostics, during the lease period at no additional cost.
1.14. The contractor shall provide 24 hour telephonic troubleshooting.
1.15. The equipment must be capable of performing analysis of all of the following tests: pH, pCO2, pO2, Na, K, Ca, Cl, Glu, tHb, FO2, MetHb, COHb, HCO3, and ionized calcium on arterial blood, venous blood, capillary blood and mixed venous blood.

2. On-Site Maintenance.
2.1. Contractor shall ensure personnel report to the Equipment Management Suite located in room GC-122 on the ground floor to sign in and obtain a temporary vendor security badge PRIOR to commencing all on-site visits, preventive maintenance service, support or repairs to equipment in the laboratory and any BMACH outlying site that has equipment installed under this contract.
2.2. The contractor shall ensure that repair technicians have been trained on the specific analyzers under contract and have enough experience in order to maintain and repair the analyzers under contract.
2.3. Contractor shall ensure that employees that perform work on this contract do not pose a potential threat to the health, safety, security, general well-being or operational mission of the installation and its population.
2.4. Contractor shall ensure employees present a neat appearance and can be easily recognized as a contractor employee by a distinguishable uniform or badge on the exterior of their clothing while performing any service at this facility.
2.5. Contractor shall not employ any person who is an employee of the US Government or Department of Defense, either military or civilian, unless such person seeks and receives approval according to DOD 5500.7R, "Joint Ethics Regulation" or if such employment would be contrary to local policies.
2.6. Contractor personnel or any representative of the contractor entering Fort Benning shall abide by all security regulations and shall be subject to security checks. Contractor and all associated sub-contractors' employees shall comply with applicable installation/facility access and local security policies and procedures (provided by Government representative as needed). The contractor shall also provide all information required to meet installation access requirements if required including background checks to be accomplished by installation Provost Marshall Office, Director of Emergency Services or Security Office.
Contractor workforce must comply with all personal identity verification requirements (FAR clause 52.204-9 (Personal Identity Verification of Contractor Personnel)) as directed by DOD, HQDA and/or local policy. In addition to the changes otherwise authorized by the changes clause of this contract, should the Force Protection Condition (FPCON) at any individual facility or installation change, the Government may require changes in Contractor security matters or processes.
2.7. Contractor shall ensure that any requirement to remove, exchange, or add contractor's equipment during the performance of this contract is coordinated through the Contract Officer's Representative (COR) and must also include the site OIC/NCOIC, Chief EMB and the Property Book Officer.
2.8. The contractor shall furnish all materials required to perform maintenance, repairs, or service. Any costs associated with travel, lodging or meals to conduct services or preventive maintenance will be at the cost of the contractor.
2.9. Completion of Service. Upon completion of services, a written service report shall be provided to the Biomedical Maintenance / Clinical Engineering Manager. The service report shall be completely filled out, provide detailed information regarding the cause of equipment malfunction and corrective action taken, to include the time required to complete the work, price of labor (hourly rate), and a list of parts replaced with a price for each part. In the event all information is not available to contractor's representative when services are performed, the initial service report shall include all information stated above except for price. Contractor shall provide the balance of the required information in writing to the Biomedical Maintenance Branch, Ms. Pamela Francis at pamela.t.francis.civ@mail.mil, within ten days after the services are completed.
2.10. Contractor shall provide new and/or refurbished parts that are certified and documented to meet Original Equipment Manufacturers (OEM) specifications on all manufacturers' mandatory modifications and apply recalls by FDA.
2.11. Contractor shall provide new or updated user manuals when changes are made at no additional cost.
2.12. Contractor shall furnish all applicable MSDS for reagents, equipment and supplies utilized under this contract at no additional cost.

3. INFORMATION TECHNOLOGY (IT) CONNECTIVITY.

3.1. TELECOMMUNICATION.
3.1.1. All contractor systems that will communicate with DoD systems will interconnect through the established MHS B2B gateway. For all Web applications, contractors will connect to a DISA-established Web DMZ.
3.1.2. In accordance with contract requirements, MCS contractors will connect to the B2B gateway via a contractor procured Internet Service Provider (ISP) connection. Contractors will assume all responsibility for establishing and maintaining their connectivity to the B2B gateway. This will include acquiring and maintaining the circuit to the B2B gateway and acquiring a Virtual Private Network (VPN) device compatible with the MHS VPN device.
3.1.3. Contractors shall comply with DoD guidance regarding allowable ports, protocols and risk mitigation strategies.
3.1.4. All costs for VPN hardware and software will be incurred by the contractor.

3.2. U.S. Army Cybersecurity/Risk Management Framework (RMF) Requirements.

3.2.1. System Security Requirements.
3.2.1.1. The vendor shall submit to the Government, included in the quote, the blue section of the Medical Device Cybersecurity Assessment (Questionnaire) provided by government and Nessus Scans. Nessus scanner is to be procured by the vendor, at their own cost, in order to comply with RMF requirements.
3.2.1.2. Vendor agrees to comply with security regulations and guidance listed in attached Appendix A and all Risk Management Framework (RMF) requirements.
3.2.1.3. Failure to meet the requirements may result in termination of the delivery order for cause, in accordance with FAR 52.212-4(m).
3.2.1.4. The vendor device or system shall pass pre-validation screening (Vulnerability scans utilizing Nessus and SCAP scans), administered within six (6) months of contract award that will be conducted by Government, and must meet criteria listed below:
a. No unmitigated Very High or High Severity/Category I (CAT I) vulnerabilities as described in the appropriate Defense Information System Agency (DISA) Security Technical Implementation Guides (STIGs) located on http://iase.disa.mil/stigs/Pages/index.aspx
b. No unmitigated Moderate Severity/Category II (CAT II) vulnerabilities as described in the appropriate Defense Information System Agency (DISA) Security Technical Implementation Guides (STIGs) located on http://iase.disa.mil/stigs/Pages/index.aspx
c. No unmitigated Very High or High Severity/Category I (CAT I) vulnerabilities from Nessus vulnerability scans.
d. No unmitigated Moderate Severity/Category II (CAT II) vulnerabilities from Nessus vulnerability scans.
3.2.1.5. The vendor shall mitigate all Very High, High, and Moderate Severity/CAT I and CAT II vulnerabilities discovered during the Assessment and Authorization (A&A) process according to a schedule published by Government.
3.2.1.6. The vendor shall appoint a vendor point of contact responsible for the cybersecurity of the vendor device or system throughout the lifecycle of the system. The vendor shall provide Subject Matter Experts (SMEs) to support all assessments of contracted products and materials, and meet required deliverable timelines.
3.2.1.7. The vendor shall obtain a recommendation of Authority to Operate (ATO) as determined by a Government appointed third party validator within twelve (12) months of contract award.
3.2.1.8. The vendor shall not make any delivery and shall not receive payment for the system until the ATO is granted.
Receiving the ATO document from the U.S. Army shall constitute permission to perform on the order and to proceed with delivery. All delivery dates shall be reset in accordance with contract and in days after the date the ATO is communicated in writing to the vendor. Delivery may take place prior to ATO only if written permission is provided by the DLA Contracting Officer.
3.2.1.9. Pursuant to subsequent warranty period and Service Maintenance Agreements (SMA), the vendor shall, after the award of an ATO, ensure that the vendor's device or system maintains its ATO for as long as the equipment is operated by Government.
3.2.1.10. The vendor shall establish appropriate administrative and technical safeguards to ensure the confidentiality, integrity, and availability of Government data under their control.
3.2.1.11. The vendor shall notify the Information Owner and Contracting Officer POCs in writing with any inabilities to comply with DoD security requirements. Vendor will provide anticipated costs and timelines required to address vulnerabilities in question.
3.2.1.12. The vendor shall contact the IA/RMF Office Representative, no later than 5 days after delivery order selection or contract award, to start the process. Failure to do so would be considered a vendor caused delay.

3.2.2. RMF Timeframes. The following table provides an overview of the entire Process to obtain approval under Army Cybersecurity requirements. Vendor actions must start as cited in the number of days after date of order column noted below and be completed in the number of days listed below in the Duration column.

ID | Step Name (Action or Deliverable) | Duration (Days) | Number of Days After Date of Award | Responsible Party
1 | 1. Categorization | 22 Total Days | |
2 | 1.1 Vendor RMF Kickoff Meeting (Vendor must contact the RMF Office Rep) | 1 | 5 | GOVERNMENT
3 | 1.2 EDMS Paperwork and Account Creation | 10 | 5 | GOVERNMENT
4 | 1.3 EDMS Functionality Briefing | 1 | 5 | GOVERNMENT
5 | 1.4 Documentation Templates to Vendor | 1 | 1 | GOVERNMENT
6 | 1.5 Hardware/Software Document Production | 5 | 5 | VENDOR
7 | 1.6 STIG Review | 2 | 10 | GOVERNMENT
8 | 1.7 System Categorization | 2 | 12 | GOVERNMENT
9 | 1.8 Categorization Memo Approval | 5 | 17 | GOVERNMENT
10 | 1.9 Security Assessment Plan Creation | 3 | 12 | GOVERNMENT
11 | 1.10 SAP Sent to Vendor | 0 | 15 | GOVERNMENT
12 | 1.11 Contact 3rd Party IV & V | 0 | 15 | GOVERNMENT
13 | 2. Control Selection | 6 Total Days | |
14 | 2.1 System eMASS Registration | 1 | 12 | GOVERNMENT
15 | 2.2 eMASS Control Selection | 1 | 12 | GOVERNMENT
16 | 2.3 Implementation Plan Completion | 5 | 17 | GOVERNMENT
17 | 3. Implementation | 130 Total Days | |
18 | 3.1 Documentation Creation and Review | | | GOVERNMENT
19 | 3.1.1 Vendor Control and Artifact Documentation | 90 | 5 | VENDOR
20 | 3.1.2 PMO Control Documentation | 55 | 40 | GOVERNMENT
21 | 3.1.3 Documentation 100% Complete (Confirm IV and V) | 0 | 95 | GOVERNMENT
22 | 3.2 Scanning | 120 | 16 | VENDOR
23 | 3.2.1 Vendor Initial Scan | 10 | 16 | VENDOR
24 | 3.2.2 ICS Review of Scans and Vulnerability Report | 2 | 26 | GOVERNMENT
25 | 3.2.3 Vendor Technical Remediation | 110 | 27 | VENDOR
26 | 3.3 DHA Registration | 60 | 77 | GOVERNMENT
27 | 3.3.1 DHA A&A Request | 1 | 77 | GOVERNMENT
28 | 3.3.2 Submit Security Plan for Approval | 10 | 77 | GOVERNMENT
29 | 3.4 Submission to IV and V Team; Submit IV and V Request Through Portal | 0 | 137 | GOVERNMENT
30 | 4. Assess | 65 Total Days | |
31 | 4.1 Packet Review by IV and V Team | 29 | 138 | GOVERNMENT
32 | 4.2 Coordination Meeting | 0 | 165 | GOVERNMENT
33 | 4.3 Onsite I&V | 5 | 168 | GOVERNMENT
34 | 4.4 SCA-V Packet Review | 30 | 173 | GOVERNMENT
35 | 4.5 SCA-V SAR Issuance | 0 | 203 | GOVERNMENT
36 | 5. Packet Authorization | 60 Total Days | |
37 | 5.1 Vendor Remediation | 30 | 173 | VENDOR
38 | 5.1.1 SAR Review/Concurrence | 10 | 203 | GOVERNMENT
39 | 5.2 Submit to SCAR | 10 | 213 | GOVERNMENT
40 | 5.3 Submit to SCA | 5 | 223 | GOVERNMENT
41 | 5.4 Submit to AO | 5 | 228 | GOVERNMENT
42 | 5.5 AO Signature | 0 | 233 | GOVERNMENT

3.2.3. Assessment and Authorization (A&A).
3.2.3.1. The vendor shall submit all RMF required documentation, as specified by Government Reps for review and approval, no later than four (4) months after request by the Government.
3.2.3.2. The vendor shall obtain approval from the Government for any vendor developed policies, plans, and procedures prior to implementation.
3.2.3.3. The vendor shall provide any additional documentation required by the Government for completion of the A&A process within thirty (30) business days of request by the Government.
3.2.3.4. The vendor shall provide technical scans within one (1) month of the A&A kickoff meeting.
3.2.3.5. The vendor shall provide updated technical scans on a monthly basis, on the 10th day of each month until an ATO is granted.
3.2.3.6. The vendor shall ensure that the vendor device or system is capable of supporting the use of DISA approved intrusion detection and prevention, antivirus, and antimalware applications. The vendor shall provide technical specifications that clearly demonstrate whether the proposed solution can integrate and support either the full security suite or the individual components (e.g. DLP, IPS, Antivirus, etc.) without performance degradation of the medical system/device. In cases where the operation of security applications is not technically achievable, the vendor shall provide detailed justification and a Plan of Actions and Milestones (POA&M) describing steps towards compliance with this requirement.
3.2.3.7. The vendor shall ensure that the vendor device or system is configured in such a way that allows the updating of malware definition signatures on a scheduled basis.
Scanning shall encompass the entire system (file system, operating system, real-time processes) by default. In cases where scanning of the entire system may negatively affect its operation, the vendor shall provide a detailed list of exclusions with justifications. 3.2.4 Privileged User Training and Certification Requirements. If a vendor requires a B2B, access, etc. to government networks to maintain, analyze, etc., their products, they must adhere to the following requirements: 3.2.4.1 Information Assurance Contractor Training and Certification. Contractors requiring a privileged-level account for administrative/maintenance support of systems/applications on the Army network will meet Army requirements for a privileged-level account before being granted a network account. Requirements include: 3.2.4.2 Cyber (Information assurance (IA)/information technology (IT)) certification. Per DoD 8570.01-M, DFARS 252.239.7001 and AR 25-2, the contractor employees supporting Cyber (IA/IT) functions shall be appropriately certified upon contract award. Contractors will be defined at Information Assurance Technical level I (IAT - II) and be required to meet minimum Professional Baseline certifications at the time of contract award. Contractors will be given six (6) months to meet Computer Environment (CE) and Cyber Security Fundamental training requirements. Not meeting the requirements in accordance with DoD 8570.01-M will result in the contractor account and access being ‘Disabled' or ‘Deleted' until such time as the conditions of this contract are met. 3.2.4.3 Background Investigation. NACI or above is required. Vendors should email: usarmy.jbsa.medcom.list.medcom-information-assurance@mail.mil to obtain guidance on the process 3.2.4.4. Professional Baseline Certification. The minimum Professional Baseline certification for IAT-II is CompTIA Security+. Higher certifications (GSCL, CISM, CISSP, etc.) will satisfy this requirement. 3.2.4.5. 
Computer Environment (CE) Certification. Computer Environment (CE) certifications are determined by the role of the contractor and must be met within six months of delivery order issuance. Contractors working on servers are encouraged to have a Microsoft 2008 Server or 2012 Server certification. Contractors working on End-User devices are encouraged to have a professional certification that coincides with the technology inherent in the system (i.e. MCSE, CCNA, RHCSE, etc.). The CompTIA A+ certification will also satisfy the CE certification requirement. 3.2.4.6. IA Training Requirements. Contractors will meet minimum training requirements within six months of contract award. Contractors will be required to complete Cyber Security Fundamentals located at URL: https://ia.signal.army.mil/IAF/ 3.2.4.7. Training. DoD Cyber Awareness Challenge Training must be completed by all contractor employees and associated sub-contractor employees prior to issuance of network access and annually thereafter. DoD Cyber Awareness Challenge Training is available at the following website: https://ia.signal.army.mil/DoDIAA/ 3.2.4.8. Two-Factor Authentication. Contractors will authenticate using two-factor authentication. The preferred method for authenticating is the Common Access Card (CAC). 3.2.4.9. Army Training Certification Tracking System (ATCTS). Contractors with a need for elevated privileged-level access will be defined to ATCTS. https://atc.us.army.mil/iastar/regulations.php 3.2.4.10. Network Account Request Package (Authorized & Privileged). The contractor will submit a request package through either the ITC One-Stop Shop for contractors requiring on-site access or through the Information Assurance/Cyber Security Branch for contractors requiring remote access to an Army network. Remote access must be through a Defense Health Agency (DHA) Business-To-Business (B2B) solution. 
Vendors should email: usarmy.jbsa.medcom.list.medcom-information-assurance@mail.mil to obtain remote access through DHA, for Army requirements. 3.2.4.11. Acceptable Use Policy (AUP). All vendors/contractors will sign/acknowledge the Army Standard Acceptable Use Policy (AUP) prior to being granted an Army network account. The Army Standard AUP is available at the following website: https://atc.us.army.mil/iastar/docs/aup.pdf 3.2.5. Warranty and Post-Warranty Service Maintenance Agreement Cybersecurity Requirements. 3.2.5.1 Continuous Risk Management a. The vendor shall maintain a duplicate of the fielded device, system, or group of configurations falling under one authorization; for testing in a vendor supplied lab environment at vendor location for as long as the system is operated by the Government. b. The vendor shall maintain the duplicate system or device in operational condition with the latest security patches installed. 3.2.5.2. The vendor shall update all ATO required supporting documentation in the event of a system policy, procedural, logical or technical changes to the system. 3.2.5.3. The vendor shall maintain the authorized security configuration and notify the government within forty eight (48) hours of any major changes for review. A major upgrade such as major software or hardware revision must be reassessed for ATO. Vendor shall support reauthorizations due to major upgrades. 3.2.5.4. The vendor shall ensure the vendor's device or system is in compliance with the Department of Defense (DoD) Information Assurance Vulnerability Management (IAVM) program upon each deployment. 3.2.5.5. The vendor shall ensure any new deployment (including rebuilds) deploy with a fully patched, accredited version maintained in a lab environment. 3.2.5.6. The vendor shall make the duplicate device or system available for periodic security reviews, within forty five (45) business days of notification by Government. 
The vendor shall perform monthly vulnerability scans using the most recent and updated version of approved DoD scan tools. 3.2.5.7. Vendor shall maintain system and update to comply with updated STIGS as made available by the Government within three (3) months of notification by the Government. 3.2.5.8. The vendor shall provide vulnerability scan and SCAP scan results to Government on a monthly basis. Vendor shall provide raw scan results and administrative reports no later than the 10th calendar day of each month. 3.2.5.9. The vendor shall close all discovered vulnerabilities within three (3) months of discovery. 3.2.5.10. The vendor shall submit to Government detailed explanations for the inability to close discovered vulnerabilities. 3.2.5.11. The vendor shall submit to Government for approval of any mitigation that addresses any open vulnerabilities. 3.2.5.12. The vendor shall review all required policies, plans, and procedures documentation on an annual basis and submit changes to Government for approval. 3.2.5.13. The vendor shall use the Government approved method for remote access administration (DISA B2B) of system or device. 3.2.6. Appendix A: Cybersecurity Regulations and Guidance. 3.2.6.1 Cybersecurity Regulations and Guidance. The vendor shall use and comply with the most recent published versions as of the date of contractual agreement of the following references as well as all regulations or guidance referenced within those publications: a. United States Law i. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) ii. The Federal Information Security Management Act (FISMA) iii. The E-Government Act of 2002 b. Office of Management and Budget (OMB) i. The following publications are located at https://www.whitehouse.gov/omb/agency/default ii. Circular A-130 iii. Guidance M-05-24, Implementation of Homeland Security Presidential Directive (HSPD) 12-Policy for a Common Identification Standard for Federal Employees and Vendors c. 
National Institute of Standards and Technology (NIST) i. The following publications are located at http://www.nist.gov/publication-portal.cfm ii. NIST Special Publication (SP) 800-37 - Guide for Applying the Risk Management Framework (RMF) to Federal Information Systems iii. NIST SP 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations d. Federal Information Processing Standards (FIPS) i. The following publications are located at http://www.nist.gov/itl/fipscurrent.cfm ii. FIPS Publication (FIPS PUB) 140-2, Security Requirements for Cryptographic Modules iii. FIPS PUB 199 - Standards for Security Categorization of Federal Information and Information Systems iv. FIPS PUB 201-2, Personal Identity Verification of Federal Employees and Vendors e. Department of Defense (DoD) i. The following publications are located at http://www.dtic.mil/whs/directives/ ii. DoD Instruction 5200.2, DoD Personnel Security Program (PSP) iii. DoD Instruction 8500.1, Cybersecurity iv. DoD Instruction 8520.02, Public Key Infrastructure (PKI) and Public Key (PK) Enabling v. DoD Instruction 8510.01, Risk Management Framework Process (RMF) vi. DoD Instruction 8551.1, Ports, Protocols, and Services Management (PPSM) vii. DoD Instruction 8580.02, Security of Individually Identifiable Health Information in DoD Health Care Programs viii. DoD Instruction 6025.18, Privacy of Individually Identifiable Health Information in DoD Health Care Programs ix. DoD Directive 5400.11, DoD Privacy Program x. DoD Manual 5400.11-R, Department of Defense Privacy Program 3.4. BUSINESS to BUSINESS (B2B) REQUIREMENTS for CONTRACTOR. 3.4.1. General Security Requirements. 3.4.1.1. The Contractor shall establish appropriate administrative, technical, and physical safeguards to protect any and all Government data, to ensure the confidentiality, integrity, and availability of government data. 
As a minimum, this shall include provisions for personnel security, electronic security and physical security as listed in the sections that follow. 3.4.2. Personnel Security. 3.4.2.1. The contractor shall comply with DoD Directive 8500.1, "Information Assurance (IA)," DoD Instruction 8500.2, "Information Assurance (IA) Implementation," DoD Directive 5400.11, "DoD Privacy Program," DoD 6025.18-R, "DoD Health Information Privacy Regulation," DoD 5200.2-R, "Personnel Security Program Requirements," AR25-1, "Army Knowledge Management and Information Technology," AR 25-2, "Information Assurance," and local regulations as deemed appropriate by the activity Information Assurance personnel. 3.4.2.2. Contractor responsibilities for ensuring personnel security include, but are not limited to, meeting the following requirements: a. Follow the Army guidelines for submittal of Automated Data Processor/Information Technology (ADP/IT) background investigations and ensure all contractor personnel are designated as ADP/IT-I, ADP/IT-II, or ADP/IT-III where their duties meet the criteria of the position sensitivity designations outlined in AR25-2. b. Initiate, maintain, and document personnel security investigations appropriate to the individual's responsibilities and required access to Information Systems within the logical boundaries of the facility LAN. c. Immediately report to the Martin Army Community Hospital Personnel Security Manager Travis Butler at 762-408-0308 and deny access to any automated information system (AIS), network, or information if a contractor employee filling a sensitive position receives an unfavorable adjudication, if information that would result in an unfavorable adjudication becomes available, or if directed to do so by the appropriate government representative for any reason. d. Ensure that all contractor personnel receive information assurance (IA) training before being granted access to DoD AISs/networks and information. 3.4.3. Electronic Security. 
3.4.3.1. Contractor Information Systems (IS)/networks that are involved in the operation of systems in support of BMACH shall operate in accordance with controlling laws, regulations, DoD, Army, and local policy. 3.4.3.2. Certification & Accreditation (C&A) requirements apply to all DoD and contractor's IS/networks that receive, process, display, store or transmit DoD information. The contractor shall comply with the C&A process for safeguarding IS. Certification is the determination of the appropriate level of protection required for IS/networks. Certification also includes a comprehensive evaluation of the technical and non-technical security features and countermeasures required for each system/network. 3.4.3.3. Accreditation is the formal approval by the government to operate the contractor's IS/networks in a particular security mode using a prescribed set of safeguards at an acceptable level of risk. In addition, accreditation allows IS/networks to operate within the given operational environment with stated interconnections; and with appropriate level of protection for the specified period. 3.4.3.4. The contractor shall comply with C&A requirements, as specified by the government that meet appropriate DoD Information Assurance requirements. The C&A requirements shall be met before the contractor's system is authorized to access DoD data or interconnect with any DoD IS/network that receives, processes, stores, displays or transmits DoD data. The contractor shall ensure the proper contractor support staff is available to participate in all phases of the C&A process. They include, but are not limited to: a. Attending and supporting C&A meetings with the government. b. Supporting/conducting the vulnerability mitigation process. c. Supporting the C&A Team during system security testing. 3.4.3.5. Contractors must confirm that their IS/networks are locked down prior to initiating testing. a. 
Confirmation of system lock down shall be agreed upon during the definition of the C&A boundary and be signed and documented as part of the System Security Authorization Agreement (SSAA). b. Locking down the system means that there shall be no changes made to the configuration of the system (within the C&A boundary) during the C&A process. 3.4.3.6. Any re-configuration or change in the system during the C&A testing process will require a re-baselining of the system and documentation of system changes. 3.4.3.7. Mitigation strategies include security updates, service packs, and changes to operating procedures as physical and cyber vulnerabilities are detected. Operating system, routers, servers, development platforms and the application being delivered to the government shall be in compliance with all known applicable Department of Defense Computer Emergency Response Team (DoD-CERT) Alert, Bulletin, and Technical Advisory Notices published during the past 36 months. 3.4.3.8. Disposing of Electronic Media. Vendors shall follow the DoD standards, procedures, and use approved products to dispose of unclassified hard drives and other electronic media, as appropriate, in accordance with DoD Memorandum "Disposition of Unclassified Computer Hard Drives," June 4, 2001. Vendors are required to also follow DoD guidance on sanitization of other internal and external media components in DODI 8500.2 "Information Assurance (IA) Implementation," 6 Feb 2003 (see PECS-1 in enclosure 4 Attachment 5) and DoD 5220.22-M "Industrial Security Program Operating Manual (NISPOM)," (Chapter 8). 3.4.3.9. Information Assurance Vulnerability Management (IAVM) The contractor shall implement an information assurance vulnerability management program for all AIS and corresponding subnets that are connected to or intermittently connect to Army networks. 
The program shall meet the scope and intent of AR25-2 and Martin Army Community Hospital IA policies to provide protection against known threats and vulnerabilities. Compliance with Army IAVM alerts and bulletins is required for these systems, and shall be completed within the specified timeframe. 3.4.4. Information Systems (IS)/Networks Physical Security. 3.4.4.1. The contractor shall employ physical security safeguards for IS/Networks involved in processing or storage of Government Data to prevent the unauthorized access, disclosure, modification, destruction, use, etc., and to otherwise protect the confidentiality and ensure use conforms with DoD regulations. In addition, the contractor will support a Physical Security Audit performed by the Government of the contractor's internal information management infrastructure. The MHS Physical Security Audit Matrix is available at: http://www.tricare.osd.mil/tmis_new/Policy/PSA_Matrix_%20012304%200930%20clean%20version.xls. The contractor shall correct any deficiencies identified by the Government in the contractor's physical security posture. 3.4.5. Special Requirements for Protected Health Information. Whenever a contract is awarded that requires the vendor to collect, use, copy, access or store Protected Health Information (PHI) in commercial office space, the contractors must: 3.4.5.1. Notify the Martin Army Community Hospital HIPAA Security Manager, Ms. Beverly Simmons at 762-408-0032. 3.4.5.2. Follow all DUA and DoD requirements for secure disposal, destruction, and/or sanitization of all equipment that contained PHI. 3.4.6. Information Assurance Contractor Training and Certification. Contractors requiring a privileged-level account for administrative/maintenance support of systems/applications on the Army/BMACH network will meet Army requirements for a privileged-level account before being granted a BMACH network account. Requirements include - 3.4.6.1. 
Cyber (Information assurance (IA)/information technology (IT)) certification. Per DoD 8570.01-M, DFARS 252.239.7001 and AR 25-2, the contractor employees supporting Cyber (IA/IT) functions shall be appropriately certified upon contract award. Contractors will be defined at Information Assurance Technical level I (IAT - II) and be required to meet minimum Professional Baseline certifications at the time of contract award. Contractors will be given six (6) months to meet Computer Environment (CE) and Cyber Security Fundamental training requirements. Not meeting the requirements in accordance with DoD 8570.01-M will result in the contractor account and access being ‘Disabled' or ‘Deleted' until such time as the conditions of this contract are met. 3.4.6.2. Background Investigation. NACI or above is required.
 
Web Link
FBO.gov Permalink
(https://www.fbo.gov/spg/USA/MEDCOM/DADA15/W91YTZ-18-T-0182/listing.html)
 
Place of Performance
Address: Martin Army Community Hospital, 6600 Van Aalst Boulevard, Fort Benning, Georgia, 31905, United States
Zip Code: 31905
 
Record
SN04854797-W 20180316/180314231750-791dfbfa1b6700cd482c2c11d078d1fa (fbodaily.com)
 