Loren Data's SAM Daily™

FBO DAILY - FEDBIZOPPS ISSUE OF APRIL 28, 2018 FBO #6000
MODIFICATION

65 -- Analyzer Leasing and Reagent Services

Notice Date
4/26/2018
 
Notice Type
Modification/Amendment
 
NAICS
334516 — Analytical Laboratory Instrument Manufacturing
 
Contracting Office
Department of the Army, U.S. Army Medical Command, MEDCOM, North Atlantic Regional Contracting Office, 8901 Rockville Pike, Bldg 54, Bethesda, Maryland, 20889, United States
 
ZIP Code
20889
 
Solicitation Number
W91YTZ18Q0004
 
Archive Date
5/15/2018
 
Point of Contact
Johnnie Huffin, Phone: 7067877944
 
E-Mail Address
johnnie.huffin.civ@mail.mil
 
Small Business Set-Aside
N/A
 
Description
This is a combined synopsis/solicitation for commercial items prepared in accordance with the format in FAR Subpart 12.6, as supplemented with additional information included in this notice. This announcement constitutes the only solicitation: quotes are being requested and a written solicitation will not be issued. Solicitation number W91YTZ18Q0004 is issued as a Request for Quotation (RFQ). The solicitation document and incorporated provisions and clauses are those in effect through Federal Acquisition Circular FAC 2005-95 and Defense Federal Acquisition Supplement Publication (DPN) 20161222. This acquisition is issued on an UNRESTRICTED FULL AND OPEN COMPETITION basis under NAICS CODE: 334516 and Size Standard is 1,000. The Government anticipates awarding a single award issued as Firm Fixed Price. The requirement of this solicitation is for Analyzer leasing and Reagent Services, for Martin Army Community Hospital, Fort Benning, GA 31905. This requirement is for a base period and 2 option periods. All responsible Small Businesses offers may submit a quotation which will be considered by the agency. Quotes are due by 26 April 2018 at 12:00 pm EST. Questions must be submitted via email no later than 23 April 2018. Quotes and questions shall be submitted via email to johnnie.huffin.civ@mail.mil. Please provide a delivery date along with Quote. This is a BRAND NAME OR EQUAL SOLICITATION. The Brand Name is Hologic Cassette Readers and Reagents. If submitting an "or equal" quote, the offer must comply with the Addendum to FAR 52.212-1 and FAR 52.211-6, Brand Name or Equal. 
CLIN/ITEM schedule. Columns: ITEM NO, SUPPLIES/SERVICE, QUANTITY, UNIT, UNIT PRICE, AMOUNT (NET AMT).

Base Period
RAPID fFN Reagents # 01200; 3 EA; Period of Performance: 1 April 2018 - 30 September 2018
RAPID fFN CONTROLS #01166; 2 EA; Period of Performance: 1 April 2018 - 30 September 2018
SPECIMEN COLLECT # 71738-001; 3 EA; Period of Performance: 1 April 2018 - 30 September 2018
LABELS #52660-001; 2 EA; Period of Performance: 1 April 2018 - 30 September 2018
CASSETTE READER #01202; 2 EA; Period of Performance: 1 April 2018 - 30 September 2018
Shipping Charges 200
Total Base Period $

OY 1
RAPID fFN Reagents # 01200; 6 EA; Period of Performance: 1 October 2018-30 September 2019
RAPID fFN CONTROLS #01166; 4 EA; Period of Performance: 1 April 2018 - 30 September 2018
SPECIMEN COLLECT # 71738-001; 6 EA; Period of Performance: 1 April 2018 - 30 September 2018
LABELS #52660-001; 4 EA; Period of Performance: 1 April 2018 - 30 September 2018
CASSETTE READER #01202; 2 EA; Period of Performance: 1 April 2018 - 30 September 2018
Shipping Charges 382
Total OY 1 $

OY 2
RAPID fFN Reagents # 01200; 6 EA; Period of Performance: 1 October 2019-30 September 2020
RAPID fFN CONTROLS #01166; 4 EA; Period of Performance: 1 April 2018 - 30 September 2018
SPECIMEN COLLECT # 71738-001; 6 EA; Period of Performance: 1 April 2018 - 30 September 2018
LABELS #52660-001; 4 EA; Period of Performance: 1 April 2018 - 30 September 2018
CASSETTE READER #01202; 2 EA; Period of Performance: 1 April 2018 - 30 September 2018
Shipping Charges 382
Total OY 2 $

Total Base Period Plus 2 Option Periods $

Delivery Address: Martin Army Community New Hospital Martin Army Community Hospital 6600 Van AALST Boulevard Fort Benning, GA 31905

The following provisions in their latest edition apply to this solicitation. FAR Clauses and provisions can be viewed at https://farsite.hil.af.mil.

SOLICITATION PROVISIONS 52.212-1 -- INSTRUCTIONS TO OFFERORS -- COMMERCIAL ITEMS (JAN 2017) Addendum to 52.212-1 Para (b) Submission of Offers: The following supplements this paragraph with respect to the information and documents required for submission in response to this solicitation. All responsible offerors must submit:
- Technical Description of items being offered (see note)
- CLIN/ITEM Number Pricing (filled out)
- Company's Dun & Bradstreet number (DUNS)
- CAGE code
- Delivery Time
- Company Contact Information, for evaluation purposes.
Fill out and return 52.212-3 Alt I (Registration in SAM can be substituted for FAR 52.212-3 Alt I). The information in SAM must be current and complete before an award can be made. Contractor shall not have any Active Exclusion Record in SAM. NOTE: If providing an "equal" item(s), comply with FAR Provision 52.211-6, Brand Name or Equal.
Explain in detail how the proposed items will meet the salient characteristics of the items as specified here in the solicitation. Offerors shall demonstrate that the product proposed complies with the technical requirements described in the salient characteristics via the submission of a written capability statement, product literature, or other materials, with their offer. Offerors shall cross-reference their product to its "equal" in the solicitation via the use of part numbers or another methodology that clearly identifies what the submitted product is "equal" to. Offerors shall ensure their proposed quantities result in the same number of items required, as identified in the solicitation. (m) The non-FAR Part 12 discretionary FAR, DFARS, AFARS, and MEDCOM provisions included herein are incorporated into this solicitation either by reference or in full text. If incorporated by reference, see provision 52.252-1 for locations where full text can be obtained. (End of Provision) 52.204-16 - COMMERCIAL AND GOVERNMENT ENTITY CODE REPORTING (JUL 2016) 52.211-6 -- BRAND NAME OR EQUAL (AUG 1999) 52.214-34 - SUBMISSION OF OFFERS IN THE ENGLISH LANGUAGE (APR 1991) 52.225-25 -- PROHIBITION ON ENGAGING IN SANCTIONED ACTIVITIES RELATING TO IRAN- CERTIFICATION (OCT 2015) 52.222-48-EXEMPTION FROM APPLICATION OF THE SERVICE CONTRACT ACT TO CONTRACTS FOR MAINTENANCE, CALIBRATION, OR REPAIR OF CERTAIN EQUIPMENT CERTIFICATION (MAY 2014) 52.209-2 -- PROHIBITION ON CONTRACTING WITH INVERTED DOMESTIC CORPORATIONS - REPRESENTATIONS (NOV 2015) 52.209-11 - REPRESENTATION BY CORPORATIONS REGARDING DELINQUENT TAX LIABILITY OR A FELONY CONVICTION UNDER ANY FEDERAL LAW (FEB 2016) 52.252-1 -- SOLICITATION PROVISIONS INCORPORATED BY REFERENCE (FEB 1998); http://farsite.hill.af.mil/ (Fill-in Text) 52.252-5 -- AUTHORIZED DEVIATIONS IN PROVISIONS (APR 1984) ( "DoD FAR Supplement (48 CFR Chapter 2)" in paragraph (b)) (Filled-in Text) 252.203-7005 -- REPRESENTATION RELATING TO COMPENSATION OF 
FORMER DOD OFFICIALS (NOV 2011) 252.204-7008 - COMPLIANCE WITH SAFEGUARDING COVERED DEFENSE INFORMATION CONTROLS (OCT 2016) 252.204-7011 -- ALTERNATIVE LINE-ITEM STRUCTURE (SEP 2011) (See CLINS) 252.225-7000 - BUY AMERICAN - BALANCE OF PAYMENTS PROGRAM CERTIFICATE - BASIC (NOV 2014) (End of Addendum to 52.212-1) 52.212-2 -- EVALUATION -- COMMERCIAL ITEMS (OCT 2014) Addendum to 52.212-2 The Government will award a contract resulting from this solicitation to the responsible offeror whose offer conforming to the solicitation will be most advantageous to the Government, price and other factors considered. The following factors shall be used to evaluate offers: Lowest Price Technically Accepted (LPTA). Award may be made without discussions with offerors (except communications conducted for the purpose of minor clarification). Therefore, each initial offer should contain the offeror's best terms from a technical and price standpoint. However, the Government reserves the right to conduct discussions if it is later determined by the contracting officer to be necessary. Paragraph (a) is hereby replaced with the following: (a). The Government will award a Firm-Fixed-Price contract resulting from this solicitation, to the responsible offer conforming to the solicitation that is lowest price technical acceptability. The following factors shall be used to evaluate offers: 1. In Accordance with Brand Name or Equal FAR 52.211-6. Hologic Cassette Readers and Reagents to be considered for award, offers of "equal" products, including "equal" products of the brand name manufacturer, must - a. Meet the salient physical, functional, or performance characteristic specified below and in this solicitation; b. Clearly identify the item by- (i) Brand name, if any; and (ii) Make or model number c. 
Include descriptive literature such as illustrations, drawings, or a clear reference to previous furnished descriptive data or information available to the Contracting Officer; and clearly describe any modification the offeror plans to make in a product to make it conform to the solicitation requirements. Mark any descriptive material to clearly show the modification. d. Product Quality: Provide evidence for the quality of product. e. Warranty for product detailing length of service coverage, parts covered must be included. f. Price will be evaluated for fairness and reasonability in terms of: (i) That the prices are consistent with and reflect the proposed requirement. (ii) Pricing will be evaluated for fair and reasonable in terms of the Government's requirements. The Government is interested in proposals that meet the requirements with acceptable risk, at the lowest price technically acceptable. g. Quoters shall submit quotes to Gordon Health Contracting Cell Office to arrive no later than 12:00 PM eastern standard time on 26 April, 2018. Quotes can be submitted via email to johnnie.huffin.civ@mail.mil. Mailed and faxed submissions are not acceptable. h. Evaluation Process: All quotes will be evaluated on overall product quality, warranty, service repair and price. Must meet the functional characteristics referenced. (End of Addendum to 52.212-2) 52.212-3 -- OFFEROR REPRESENTATIONS AND CERTIFICATIONS -- COMMERCIAL ITEMS (JAN 2017) ALTERNATE I (OCT 2014) CONTRACT CLAUSES 52.212-4 -- CONTRACT TERMS AND CONDITIONS -- COMMERCIAL ITEMS (JAN 2017) Addendum to 52.212-4 (v) The non-FAR Part 12 discretionary FAR, DFARS, AFARS, and LOCAL clauses included herein are incorporated into this contract either by reference or in full text. If incorporated by reference, see clause 52.252-2 for locations where full text can be found.
Also, the full text of a clause may be accessed electronically at this/these address(es): http://farsite.hill.af.mil/ https://acquisition.gov/far/index.html 52.204-21 - BASIC SAFEGUARDING OF COVERED CONTRACTOR INFORMATION SYSTEMS (JUN 2016) 52.219-4 -- NOTICE OF PRICE EVALUATION PREFERENCE FOR HUBZONE SMALL BUSINESS CONCERNS (OCT 2014) 52.222-3-CONVICT LABOR (JUN 2003) 52.222-19 -- CHILD LABOR-COOPERATION WITH AUTHORITIES AND REMEDIES (JAN 2014) 52.222-36-EQUAL OPPORTUNITY FOR WORKERS WITH DISABILITIES (JUL 2014) 52.222-50 -- COMBATING TRAFFICKING IN PERSONS (MAR 2015) 52.223-3 - HAZARDOUS MATERIAL IDENTIFICATION AND MATERIAL SAFETY DATA (JAN 1997) 52.223-5 -- POLLUTION PREVENTION AND RIGHT-TO-KNOW INFORMATION (MAY 2011) 52.223-18 -- ENCOURAGING CONTRACTOR POLICIES TO BAN TEXT MESSAGING WHILE DRIVING (AUG 2011) 52.225-13 -- RESTRICTIONS ON CERTAIN FOREIGN PURCHASES (JUN 2008) 52.232-33 -- PAYMENT BY ELECTRONIC FUNDS TRANSFER-SYSTEM FOR AWARD MANAGEMENT (JUL 2013) 52.232-39 -- UNENFORCEABILITY OF UNAUTHORIZED OBLIGATIONS (JUN 2013) 52.232-40 -- PROVIDING ACCELERATED PAYMENTS TO SMALL BUSINESS SUBCONTRACTORS (DEC 2013) 52.233-3 -- PROTEST AFTER AWARD (AUG 1996) 52.233-4 -- APPLICABLE LAW FOR BREACH OF CONTRACT CLAIM (OCT 2004) 52.237-2 -- PROTECTION OF GOVERNMENT BUILDINGS, EQUIPMENT, AND VEGETATION (APR 1984) 52.242-5-PAYMENT TO SMALL BUSINESS SUBCONTRACTORS (JAN 2017) 252.203-7000 -- REQUIREMENTS RELATING TO COMPENSATION OF FORMER DOD OFFICIALS (SEP 2011) 252.203-7002 -- REQUIREMENT TO INFORM EMPLOYEES OF WHISTLEBLOWER RIGHTS (SEP 2013) 252.204-7003 -- CONTROL OF GOVERNMENT PERSONNEL WORK PRODUCT (APR 1992) 252.219-7003-SMALL BUSINESS SUBCONTRACTING PLAN (DOD CONTRACTS) (MAR 2016) 252.225-7036 - BUY AMERICAN-FREE TRADE AGREEMENTS-BALANCE OF PAYMENTS PROGRAM (AUG 2016) 252.225-7001 - BUY AMERICAN AND BALANCE OF PAYMENTS PROGRAM (AUG 2016) 252.225-7002-QUALIFYING COUNTRY SOURCES AS SUBCONTRACTORS (AUG 2016) 252.225-7048 -- EXPORT CONTROLLED ITEMS (JUN 2013)
252.232-7003 -- ELECTRONIC SUBMISSION OF PAYMENT REQUESTS AND RECEIVING REPORTS (JUN 2012) 252.232-7006 -- WIDE AREA WORKFLOW PAYMENT INSTRUCTIONS (MAY 2013) 252.232-7010 -- LEVIES ON CONTRACT PAYMENTS (DEC 2006) 252.243-7001--PRICING OF CONTRACT MODIFICATIONS (DEC 1991) 252.243-7002-REQUESTS FOR EQUITABLE ADJUSTMENTS 52.209-10 -- PROHIBITION ON CONTRACTING WITH INVERTED DOMESTIC CORPORATIONS (DEC 2014) 52.217-8 OPTION TO EXTEND SERVICES (NOV 1999): The Government may require continued performance of any services within the limits and at the rates specified in the contract. These rates may be adjusted only as a result of revisions to prevailing labor rates provided by the Secretary of Labor. The option provision may be exercised more than once, but the total extension of performance hereunder shall not exceed 6 months. The Contracting Officer may exercise the option by written notice to the Contractor within 30 days before contract expires. 52.217-9 OPTION TO EXTEND THE TERM OF THE CONTRACT (MAR 2000) (a) The Government may extend the term of this contract by written notice to the Contractor within 30 days provided that the Government gives the Contractor a preliminary written notice of its intent to extend at least 60 days before the contract expires. The preliminary notice does not commit the Government to an extension. (b) If the Government exercises this option, the extended contract shall be considered to include this option clause. (c) The total duration of this contract, including the exercise of any options under this clause, shall not exceed 36 months. 
52.219-28 -- POST-AWARD SMALL BUSINESS PROGRAM REREPRESENTATION (JUL 2013) (NAICS: 339113) Filled-in text 52.252-2 -- CLAUSES INCORPORATED BY REFERENCE (FEB 1998) http://farsite.hill.af.mil and https://acquistion.gov/far/index.html (Filled-in text) 52.252-6 -- AUTHORIZED DEVIATIONS IN CLAUSES (APR 1984) ("DoD FAR Supplement (48 CFR Chapter 2)" in paragraph (b)) Filled-in text 252.204-7012 -- SAFEGUARDING OF UNCLASSIFIED CONTROLLED TECHNICAL INFORMATION (OCT 2016) 252.204-7015 - DISCLOSURE OF INFORMATION TO LITIGATION SUPPORT CONTRACTORS (MAY 2016) 252.211-7003 -- ITEM UNIQUE IDENTIFICATION AND VALUATION (DEC 2013) Filled-in text 252.244-7000 -- SUBCONTRACTS FOR COMMERCIAL ITEMS (JUN 2013) 252.247-7023 - TRANSPORTATION OF SUPPLIES BY SEA - BASIC (APR 2014) 52.212-5 -- CONTRACT TERMS AND CONDITIONS REQUIRED TO IMPLEMENT STATUTES OR EXECUTIVE ORDERS -- COMMERCIAL ITEMS (OCT 2016) (DEVIATION 2013-O0019) iRAPT Invoicing, Receipt, Acceptance and Property Transfer (iRAPT) - formerly known as WAWF. iRAPT is the authorized method to electronically process vendor request for payment. This application allows DOD vendors to submit and track Invoices and Receipt/Acceptance documents electronically. Contractor shall (i) register to use iRAPT at https://wawf.eb.mil and (ii) ensure an electronic business point of contact (POC) is designated in the System for Award Management at https://www.sam.gov within ten (10) calendar days after award of this contract/order. iRAPT Instructions: Questions concerning payments should be directed to the Defense Finance and Accounting Service (DFAS) location listed in Block 18a of your purchase order/contract. Please have your purchase order/contract number ready when calling about payments. You can easily access payment and receipt information using the DFAS web site at http://www.dfas.mil/money/vendor. Your purchase order/contract number or invoice number will be required to inquire status of your payment.
The following codes and information will be required to assure successful flow of iRAPT documents. Foreign Vendors will submit banking information in the Comments Tab of the iRAPT invoice. TYPE OF DOCUMENT [X the appropriate block] Invoice (Contractor Only) _X Invoice and Receiving Report (COMBO) Invoice as 2-in-1 (Services Only) Receiving Report (Government Only) CAGE CODE: ISSUE BY DODAAC: W91YTZ ADMIN BY DODAAC: W91YTZ INSPECT BY DODAAC: W33XTL ACCEPT BY DODAAC: W33XTL SHIP TO DODAAC: W33XTL PAYMENT OFFICE FISCAL STATION CODE: HQ0490 EMAIL POINTS OF CONTACT LISTING: (Use Group e-mail accounts if applicable) INSPECTOR Primary: Alternate: ACCEPTOR Primary: Alternate: RECEIVING OFFICE POC: Primary: Alternate: CONTRACT ADMINISTRATOR/ SPECIALIST: Johnnie Huffin, johnnie.huffin.civ@mail.mil, DSN: 773 Comm: (706)787-7944 - Fax: CONTRACTING OFFICER: Gloria F. Brogsdale, Contracting Officer, (706) 787-7696, Gloria.f.brogsdale.civ@mail.mil. ADDITIONAL CONTACT: Gordon Health Contracting Cell 43 Central Hospital Court, Bldg 332 Fort Gordon, GA 30905 Any modification requests must be in writing and submitted to: ADMIN DODAAC. HIPAA Non-Defense Health Agency (Non-DHA) Health Insurance Portability and Accountability Act (HIPAA) Business Associate Agreement (BAA) (7 July 2014) Introduction In accordance with 45 CFR 164.502(e)(2) and 164.504(e) and paragraph C.3.4.1.3 of DoD 6025.18-R, "DoD Health Information Privacy Regulation," January 24, 2003, this document serves as a BAA between the signatory parties for purposes of the HIPAA and the "HITECH Act" amendments thereof, as implemented by the HIPAA Rules and DoD HIPAA Issuances (both defined below). The parties are a DoD Military Health System (MHS) component, acting as a HIPAA covered entity, and a DoD contractor, acting as a HIPAA business associate. The HIPAA Rules require BAAs between covered entities and business associates.
Implementing this BAA requirement, the applicable DoD HIPAA Issuance (DoD 6025.18-R, paragraph C3.4.1.3) provides that requirements applicable to business associates must be incorporated (or incorporated by reference) into the contract or agreement between the parties. (a) Catchall Definition. Except as provided otherwise in this BAA, the following terms used in this BAA shall have the same meaning as those terms in the DoD HIPAA Rules: Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices (NoPP), Protected Health Information (PHI), Required By Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use. -Breach means actual or possible loss of control, unauthorized disclosure of or unauthorized access to PHI or other PII (which may include, but is not limited to PHI), where persons other than authorized users gain access or potential access to such information for any purpose other than authorized purposes, where one or more individuals will be adversely affected. The foregoing definition is based on the definition of breach in DoD Privacy Act Issuances as defined herein. -Business Associate shall generally have the same meaning as the term "business associate" in the DoD HIPAA Issuances, and in reference to this BAA, shall mean [insert name of Business Associate signatory to this BAA]. -Agreement means this BAA together with the documents and/or other arrangements under which the Business Associate signatory performs services involving access to PHI on behalf of the MHS component signatory to this BAA. -Covered Entity shall generally have the same meaning as the term "covered entity" in the DoD HIPAA Issuances, and in reference to this BAA, shall mean [insert name of MHS component signatory to this BAA]. -DHA Privacy Office means the DHA Privacy and Civil Liberties Office. 
The DHA Privacy Office Director is the HIPAA Privacy and Security Officer for DHA, including the National Capital Region Medical Directorate (NCRMD). -DoD HIPAA Issuances means the DoD issuances implementing the HIPAA Rules in the DoD Military Health System (MHS). These issuances are DoD 6025.18-R (2003), DoDI 6025.18 (2009), and DoD 8580.02-R (2007). -DoD Privacy Act Issuances means the DoD issuances implementing the Privacy Act, which are DoDD 5400.11 (2007) and DoD 5400.11-R (2007). -HHS Breach means a breach that satisfies the HIPAA Breach Rule definition of breach in 45 CFR 164.402. -HIPAA Rules means, collectively, the HIPAA Privacy, Security, Breach and Enforcement Rules, issued by the U.S. Department of Health and Human Services (HHS) and codified at 45 CFR Part 160 and Part 164, Subpart E (Privacy), Subpart C (Security), Subpart D (Breach) and Part 160, Subparts C-D (Enforcement), as amended by the 2013 modifications to those Rules, implementing the "HITECH Act" provisions of Pub. L. 111-5. See 78 FR 5566-5702 (Jan. 25, 2013) (with corrections at 78 FR 32464 (June 7, 2013)). Additional HIPAA rules regarding electronic transactions and code sets (45 CFR Part 162) are not addressed in this BAA and are not included in the term HIPAA Rules. -Service-Level Privacy Office means one or more offices within the military services (Army, Navy, or Air Force) with oversight authority over Privacy Act and HIPAA privacy compliance. I. Obligations and Activities of Business Associate (a) The Business Associate shall not use or disclose PHI other than as permitted or required by the Agreement or as required by law. (b) The Business Associate shall use appropriate safeguards, and comply with the DoD HIPAA Rules with respect to electronic PHI, to prevent use or disclosure of PHI other than as provided for by the Agreement.
(c) The Business Associate shall report to Covered Entity any Breach of which it becomes aware, and shall proceed with breach response steps as required by Part V of this BAA. With respect to electronic PHI, the Business Associate shall also respond to any security incident of which it becomes aware in accordance with any Information Assurance provisions of the Agreement. If at any point the Business Associate becomes aware that a security incident involves a Breach, the Business Associate shall immediately initiate breach response as required by part V of this BAA. (d) In accordance with 45 CFR 164.502(e)(1)(ii)) and 164.308(b)(2), respectively), as applicable, the Business Associate shall ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the Business Associate agree to the same restrictions, conditions, and requirements that apply to the Business Associate with respect to such PHI. (e) The Business Associate shall make available PHI in a Designated Record Set, to the Covered Entity or, as directed by the Covered Entity, to an Individual, as necessary to satisfy the Covered Entity obligations under 45 CFR 164.524. (f) The Business Associate shall make any amendment(s) to PHI in a Designated Record Set as directed or agreed to by the Covered Entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Covered Entity's obligations under 45 CFR 164.526. (g) The Business Associate shall maintain and make available the information required to provide an accounting of disclosures to the Covered Entity or an individual as necessary to satisfy the Covered Entity's obligations under 45 CFR 164.528. 
(h) To the extent the Business Associate is to carry out one or more of Covered Entity's obligation(s) under the HIPAA Privacy Rule, the Business Associate shall comply with the requirements of HIPAA Privacy Rule that apply to the Covered Entity in the performance of such obligation(s); and (i) The Business Associate shall make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules. II. Permitted Uses and Disclosures by Business Associate (a) The Business Associate may only use or disclose PHI as necessary to perform the services set forth in the Agreement or as required by law. The Business Associate is not permitted to de-identify PHI under DoD HIPAA issuances or the corresponding 45 CFR 164.514(a)-(c), nor is it permitted to use or disclose de-identified PHI, except as provided by the Agreement or directed by the Covered Entity. (b) The Business Associate agrees to use, disclose and request PHI only in accordance with the HIPAA Privacy Rule "minimum necessary" standard and corresponding DHA policies and procedures as stated in the DoD HIPAA Issuances. (c) The Business Associate shall not use or disclose PHI in a manner that would violate the DoD HIPAA Issuances or HIPAA Privacy Rules if done by the Covered Entity, except uses and disclosures for the Business Associate's own management and administration and legal responsibilities or for data aggregation services as set forth in the following three paragraphs. (d) Except as otherwise limited in the Agreement, the Business Associate may use PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate. The foregoing authority to use PHI does not apply to disclosure of PHI, which is covered in the next paragraph.
(e) Except as otherwise limited in the Agreement, the Business Associate may disclose PHI for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate, provided that disclosures are required by law, or the Business Associate obtains reasonable assurances from the person to whom the PHI is disclosed that it will remain confidential and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached. (f) Except as otherwise limited in the Agreement, the Business Associate may use PHI to provide Data Aggregation services relating to the Covered Entity's health care operations. III. Provisions for Covered Entity to Inform Business Associate of Privacy Practices and Restrictions (a) The Covered Entity shall provide the Business Associate with the notice of privacy practices that the Covered Entity produces in accordance with 45 CFR 164.520 and the corresponding provision of the DoD HIPAA Issuances. (b) The Covered Entity shall notify the Business Associate of any changes in, or revocation of, the permission by an Individual to use or disclose his or her PHI, to the extent that such changes affect the Business Associate's use or disclosure of PHI. (c) The Covered Entity shall notify the Business Associate of any restriction on the use or disclosure of PHI that the Covered Entity has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such changes may affect the Business Associate's use or disclosure of PHI. IV. 
Permissible Requests by Covered Entity The Covered Entity shall not request the Business Associate to use or disclose PHI in any manner that would not be permissible under the HIPAA Privacy Rule or any applicable Government regulations (including without limitation, DoD HIPAA Issuances) if done by the Covered Entity, except for providing Data Aggregation services to the Covered Entity and for management and administrative activities of the Business Associate as otherwise permitted by this BAA. V. Breach Response (a) In general. In the event of a breach of PII/PHI held by the Business Associate, the Business Associate shall follow the breach response requirements set forth in this Part V, which is designed to satisfy both the Privacy Act and HIPAA as applicable. If a breach involves PII without PHI, then the Business Associate shall comply with DoD Privacy Act Issuance breach response requirements only; if a breach involves PHI (a subset of PII), then the Business Associate shall comply with both Privacy Act and HIPAA breach response requirements. A breach involving PHI may or may not constitute an HHS Breach. If a breach is not an HHS Breach, then the Business Associate has no HIPAA breach response obligations. In such cases, the Business Associate must still comply with breach response requirements under the DoD Privacy Act Issuances. If the DHA Privacy Office determines that a breach is an HHS Breach, then the Business Associate shall comply with both the HIPAA Breach Rule and DoD Privacy Act Issuances, as directed by the DHA Privacy Office, regardless of whether the breach occurs at DHA or at one of the Service components. If the DHA Privacy Office determines that the breach does not constitute an HHS Breach, then the Business Associate shall comply with DoD Privacy Act Issuances, as directed by the applicable Service-Level Privacy Office. The Business Associate shall contact the Covered Entity for guidance when the incident is not an HHS Breach. 
This Part V is designed to satisfy the DoD Privacy Act Issuances and the HIPAA Breach Rule as implemented by the DoD HIPAA Issuances. In general, for breach response, the Business Associate shall report the breach to the Covered Entity, assess the breach incident, notify affected individuals, and take mitigation actions as applicable. Because DoD defines "breach" to include possible (suspected) as well as actual (confirmed) breaches, the Business Associate shall implement these breach response requirements immediately upon the Business Associate's discovery of a possible breach. (b) Government Reporting Provisions The Business Associate shall report the breach within one hour of discovery to the Covered Entity and to the US Computer Emergency Readiness Team (US CERT) -the other parties as deemed appropriate by the Covered Entity. The Business Associate is deemed to have discovered a breach as of the time a breach (suspected or confirmed) is known, or by exercising reasonable diligence would have been known, to any person (other than the person committing it) who is an employee, officer or other agent of the Business Associate. The Business Associate shall submit the US-CERT report using the online form at https://forms.us-cert.gov/report/. Before submission to US-CERT, the Business Associate shall save a copy of the on-line report. After submission, the Business Associate shall record the US-CERT Reporting Number. Although only limited information about the breach may be available as of the one hour deadline for submission, the Business Associate shall submit the US-CERT report by the deadline. The Business Associate shall e-mail updated information as it is obtained, following the instructions at http://www.us-cert.gov/pgp/email.html. The Business Associate shall provide a copy of the initial or updated US-CERT report to the Covered Entity and the applicable Service-Level Privacy Office, if requested by either.
Business Associate questions about US-CERT reporting shall be directed to the Covered Entity or Service-Level Privacy Office, not the US-CERT office. The additional US Army and the US Army Medical Command (MEDCOM) reporting requirements are addressed in the PII Breach Reporting and Notification Policy. The latest version of this policy can be obtained from the Covered Entity or the MEDCOM Privacy Act/Freedom of Information Act (FOIA) Office at: usarmy.jbsa.medcom.list.medcom-foia-users@mail.mil. If multiple beneficiaries are affected by a single event or related set of events, then a single reportable breach may be deemed to have occurred, depending on the circumstances. The Business Associate shall inform the Covered Entity as soon as possible if it believes that "single event" breach response is appropriate; the Covered Entity will determine how the Business Associate shall proceed and, if appropriate, consolidate separately reported breaches for purposes of Business Associate report updates, beneficiary notification, and mitigation. When a Breach Report initially submitted is incomplete or incorrect due to unavailable information, or when significant developments require an update, the Business Associate shall submit a revised form or forms, stating the updated status and previous report date(s) and showing any revisions or additions in red text. Examples of updated information the Business Associate shall report include, but are not limited to: confirmation on the exact data elements involved, the root cause of the incident, and any mitigation actions to include, sanctions, training, incident containment, follow-up, etc. The Business Associate shall submit these report updates promptly after the new information becomes available. Prompt reporting of updates is required to allow the Covered Entity to make timely final determinations on any subsequent notifications or reports.
The Business Associate shall provide updates to the same parties as required for the initial Breach Report. The Business Associate is responsible for reporting all information needed by the Covered Entity to make timely and accurate determinations on reports to HHS as required by the HHS Breach Rule and reports to the Defense Privacy and Civil Liberties Office as required by DoD Privacy Act Issuances. In the event the Business Associate is uncertain on how to apply the above requirements, the Business Associate shall consult with the Covered Entity (or the Service-Level Privacy Office, which will consult with the DHA Privacy Office as appropriate) when determinations on applying the above requirements are needed. (c) Individual Notification Provisions If the DHA Privacy Office determines that individual notification is required, the Business Associate shall provide written notification to individuals affected by the breach as soon as possible, but no later than 10 working days after the breach is discovered and the identities of the individuals are ascertained. The 10 day period begins when the Business Associate is able to determine the identities (including addresses) of the individuals whose records were impacted. The Business Associate's proposed notification to be issued to the affected individuals shall be submitted to the parties to which reports are submitted under paragraph V (a) for their review, and for approval by the DHA Privacy Office. Upon request, the Business Associate shall provide the DHA Privacy Office with the final text of the notification letter sent to the affected individuals. If different groups of affected individuals receive different notification letters, then the Business Associate shall provide the text of the letter for each group. (PII shall not be included with the text of the letter(s) provided.) Copies of further correspondence with affected individuals need not be provided unless requested by the Privacy Office. 
The Business Associate's notification to the individuals, at a minimum, shall include the following: -The individual(s) must be advised of what specific data was involved. It is insufficient to simply state that PII has been lost. Where names, Social Security Numbers (SSNs) or truncated SSNs, and Dates of Birth (DOBs) are involved, it is critical to advise the individual that these data elements potentially have been breached. -The individual(s) must be informed of the facts and circumstances surrounding the breach. The description should be sufficiently detailed so that the individual clearly understands how the breach occurred. -The individual(s) must be informed of what protective actions the Business Associate is taking or the individual can take to mitigate against potential future harm. The notice must refer the individual to the current Federal Trade Commission (FTC) web site pages on identity theft and the FTC's Identity Theft Hotline, toll-free: 1-877-ID-THEFT (438-4338); TTY: 1-866-653-4261. -The individual(s) must also be informed of any mitigation support services (e.g., one year of free credit monitoring, identification of fraud expense coverage for affected individuals, provision of credit freezes, etc.) that the Business Associate may offer affected individuals, the process to follow to obtain those services and the period of time the services will be made available, and contact information (including a phone number, either direct or toll-free, e-mail address and postal address) for obtaining more information. Business Associates shall ensure any envelope containing written notifications to affected individuals are clearly labeled to alert the recipient to the importance of its contents, e.g., "Data Breach Information Enclosed," and that the envelope is marked with the identity of the Business Associate and/or subcontractor organization that suffered the breach. 
The letter must also include contact information for a designated POC to include, phone number, email address, and postal address. If the Business Associate determines that it cannot readily identify, or will be unable to reach, some affected individuals within the 10 day period after discovering the breach, the Business Associate shall so indicate in the initial or updated Breach Report. Within the 10 day period, the Business Associate shall provide the approved notification to those individuals who can be reached. Other individuals must be notified within 10 days after their identities and addresses are ascertained. The Business Associate shall consult with the DHA Privacy Office, which will determine which media notice is most likely to reach the population not otherwise identified or reached. The Business Associate shall issue a generalized media notice(s) to that population in accordance with Privacy Office approval. The Business Associate shall, at no cost to the government, bear any costs associated with a breach of PII/PHI that the Business Associate has caused or is otherwise responsible for addressing. Breaches are not to be confused with security incidents (often referred to as cyber security incidents when electronic information is involved), which may or may not involve a breach of PII/PHI. In the event of a security incident not involving a PII/PHI breach, the Business Associate shall follow applicable DoD Information Assurance requirements under its Agreement. If at any point the Business Associate finds that a cyber security incident involves a PII/PHI breach (suspected or confirmed), the Business Associate shall immediately initiate the breach response procedures set forth here. The Business Associate shall also continue to follow any required cyber security incident response procedures to the extent needed to address security issues, as determined by DoD/DHA. VI. Termination (a) Termination. 
Noncompliance by the Business Associate (or any of its staff, agents, or subcontractors) with any requirement in this BAA may subject the Business Associate to termination under any applicable default or other termination provision of the Agreement. (b) Effect of Termination. (1) If the Agreement has records management requirements, the Business Associate shall handle such records in accordance with the records management requirements. If the Agreement does not have records management requirements, the records should be handled in accordance with paragraphs (2) and (3) below. If the Agreement has provisions for transfer of records and PII/PHI to a successor Business Associate, or if DHA gives directions for such transfer, the Business Associate shall handle such records and information in accordance with such Agreement provisions or DHA direction. (2) If the Agreement does not have records management requirements, except as provided in the following paragraph (3), upon termination of the Agreement, for any reason, the Business Associate shall return or destroy all PHI received from the Covered Entity, or created or received by the Business Associate on behalf of the Covered Entity that the Business Associate still maintains in any form. This provision shall apply to PHI that is in the possession of subcontractors or agents of the Business Associate. The Business Associate shall retain no copies of the PHI. (3) If the Agreement does not have records management provisions and the Business Associate determines that returning or destroying the PHI is infeasible, the Business Associate shall provide to the Covered Entity notification of the conditions that make return or destruction infeasible. 
Upon mutual agreement of the Covered Entity and the Business Associate that return or destruction of PHI is infeasible, the Business Associate shall extend the protections of the Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as the Business Associate maintains such PHI. VII. Miscellaneous (a) Survival. The obligations of Business Associate under the "Effect of Termination" provision of this BAA shall survive the termination of the Agreement. (b) Interpretation. Any ambiguity in the Agreement shall be resolved in favor of a meaning that permits the Covered Entity and the Business Associate to comply with the HIPAA Rules and the DoD HIPAA Rules. TOBACCO FREE MEDICAL CAMPUS (TFMC) In accordance with Army Regulation 600-63, paragraph 7-3, 14 April 2015; Operations Order 15-48 (Army Medical Command (MEDCOM) Tobacco Free Living - USAMEDCOM), 8 May 2015; and any Operations Order, regulation or other instruction implementing, defining or otherwise addressing the Tobacco Free Medical Campus (TFMC) on any military installation or DoD-controlled location, Contractor personnel are prohibited from using any tobacco product on or within any TFMC while performing under this contract. 
TFMCs are established at each installation or DoD-controlled location and include: (1) any property or non-residential building that is operated, maintained or assigned to support medical activities, including but not limited to, hospitals, medical laboratories, outpatient clinics (including medical, dental, and veterinary facilities), or aid stations operating for the primary purpose of delivering medical care and services for DOD eligible beneficiaries and/or meeting the mission of the Army Medical Command; (2) all other facilities in which medical activities or administration take place, to include HQ MEDCOM and Defense Health Headquarters; (3) all internal roadways, sidewalks and parking lots; and (4) all sidewalks, parking lots and grounds external but adjacent to the building or related to the migratory corridors surrounding the medical facility. The Contractor shall obtain from the COR any orders, regulations, instructions or other documents implementing, defining or otherwise addressing the TFMC for any given installation or DoD-controlled location where Contractor personnel may perform under this contract and shall instruct Contractor personnel on the TFMC limitations for installations or DoD-controlled locations where they may perform under this contract. Exclusion from Participation in Federal Health Care Programs (October 2015) 1. The Contractor shall not employ or contract with any individual or entity (hereinafter collectively referred to as "person") to provide items or services that will be included in invoices submitted to the Government under this contract if such person is listed on the Department of Health and Human Services (HHS) Office of the Inspector General (OIG) List of Excluded Individuals and Entities (LEIE) or the TRICARE Sanctioned Provider List. The Government is legally prohibited from paying for provision of items or services by such persons. 
The prohibition extends to services beyond direct patient care, such as services of persons in executive or leadership roles and administrative and management services, whether or not such services are billed separately. The LEIE may be found at http://oig.hhs.gov/fraud/exclusions.asp, and the TRICARE Sanctioned Provider list at http://www.health.mil/Military-Health-Topics/Access-Cost-Quality-and-Safety/Quality-And-Safety-of-Healthcare/Program-Integrity/Sanctioned-Providers. The LEIE and TRICARE Sanctioned Provider List are hereinafter collectively referred to as "the Lists." 2. Prior to start of contract performance, the Contractor shall (a) query the Lists to determine whether the name of any person the Contractor employs or contracts with to provide services or items for which payment may be made under this contract appears on the Lists, and (b) certify to the Contracting Officer that the Contractor has queried the Lists and no such names appear on either of the Lists. 3. During performance of the contract, and prior to persons other than those whose names were queried in accordance with paragraph 2, above, (hereinafter "new persons") providing services or items under the contract, the Contractor shall (a) query the Lists as in paragraph 2, and (b) certify to the Contracting Officer that the names of such new persons do not appear on either of the Lists. 4. The Contractor is advised that during performance of the contract, MTF personnel will perform a recurrent recheck of the names of contractor personnel working in the MTF against the Lists, as specified in OTSG/MEDCOM Policy Memo 15-037. The Government will notify the Contractor in the event any contractor personnel working in the MTF appear on either of the Lists. 5. 
Should any person providing items or services under the contract appear on either of the Lists at any time during contract performance, the Contractor shall (a) in cases where the Contractor identified the person, notify the Contracting Officer, and (b) promptly remove that person from the contract. 6. Violation of any aspect of the above paragraphs shall be considered a material breach of the contract and may result in termination of the contract. 7. The Contractor is further advised that, in accordance with Civil Monetary Penalties Law [CMP] (codified at 42 USC § 1320a-7a): a. There are steep civil monetary penalties associated with billing the Government for providing items or services by a person on either of the Lists, and with failing to return to the Government any overpayments received for provision of such items or services. b. Billing under the contract for provision of items or services by a person on either List may also result in exclusion of the person that employs or contracts with such person. 8. HHS OIG has issued a Special Advisory Bulletin on the Effect of Exclusion from Participation in Federal Health Care Programs with additional information on the CMP. The Special Advisory Bulletin may be found at http://oig.hhs.gov/exclusions/files/sab-05092013.pdf. (End of Addendum to 52.212-4) PERFORMANCE WORK STATEMENT (PWS) 1. GENERAL. 1.1. The contractor shall provide Martin Army Community Hospital (BMACH), USAMEDDAC Fort Benning, Georgia laboratory with fetal fibronectin cassette readers on a reagent rental basis for the period of April 2018, or date of award, through 30 September 2018 plus 2 option years. This acquisition is a no charge placement. Equipment previously installed with ownership retained by Hologic Inc. would remain for the new period of performance. The vendor is responsible for delivery reagents, supplies, service, preventive maintenance and analyzer removal at the end of the contract. 
This equipment will be located in the Hematology section of the laboratory under the management of the Department of Pathology. Funding will be allocated annually subject to the availability of funds. 1.2. PERSONNEL. 1.2.1. The contractor shall ensure that repair technicians have been trained on the specific analyzers under contract and have enough experience in order to maintain and repair the analyzers under contract. 1.2.2. Contractor shall ensure that employees that perform work on this contract do not pose a potential threat to the health, safety, security, general well-being or operational mission of the installation and its population. 1.2.3. Contractor shall ensure employees present a neat appearance and can be easily recognized as a contractor employee by a distinguishable uniform or badge on the exterior of their clothing while performing any service at this facility. 1.2.4. Contractor shall not employ any person who is an employee of the US Government or Department of Defense, either military or civilian, unless such person seeks and receives approval according to DOD 5500.7R, "Joint Ethics Regulation" or if such employment would be contrary to local policies. 1.3. PHYSICAL SECURITY. 1.3.1. Contractor personnel or any representative of the contractor entering Fort Benning shall abide by all security regulations and shall be subject to security checks. Contractor and all associated sub-contractors' employees shall comply with applicable installation/facility access and local security policies and procedures (provided by Government representative as needed). The contractor shall also provide all information required to meet installation access requirements if required including background checks to be accomplished by installation Provost Marshal Office, Director of Emergency Services or Security Office. 
Contractor workforce must comply with all personal identity verification requirements (FAR clause 52.204-9 (Personal Identity Verification of Contractor Personnel)) as directed by DOD, HQDA and/or local policy. In addition to the changes otherwise authorized by the changes clause of this contract, should the Force Protection Condition (FPCON) at any individual facility or installation change, the Government may require changes in Contractor security matters or processes. 1.3.2. Contractor and all associated sub-contractors shall brief all employees on the local iWATCH program (training standards provided by the requiring activity ATO). This locally developed training will be used to inform employees of the types of behavior to watch for and instruct employees to report suspicious activity to the COR. This training shall be completed within 30 calendar days of contract award and within 05 calendar days of new employees commencing performance with the results reported to the COR NLT 30 calendar days after award of contract. 1.3.3. Contractor shall ensure personnel report to the Equipment Management Suite located in room GC-122 on the ground floor to sign in and obtain a temporary vendor security badge PRIOR to commencing all on-site visits, preventive maintenance service, support or repairs to equipment in the laboratory and any BMACH outlying site that has equipment installed under this contract. 1.3.4. Contractor shall ensure that any requirement to remove, exchange, or add contractor's equipment during the performance of this contract is coordinated through the Contract Officer's Representative (COR) and must also include the site OIC/NCOIC, Chief EMB and the Property Book Officer. 1.4. QUALITY CONTROL. 1.4.1. The contractor shall be responsible to ensure that the quality of service and materials provided under this contract meet or exceed the performance work statement and Quality Assurance Surveillance Plan (QASP). 1.5. PERFORMANCE ASSESSMENT. 1.5.1. 
The government will evaluate the contractor's performance under this contract using the method of surveillance specified in Technical Exhibit 1, Quality Assurance Surveillance Plan (QASP), for acceptable quality levels (AQL). When an observation indicates defective performance, the Contracting Officer's Representative (COR) will notify the Contracting Officer (KO) immediately so that appropriate actions may be taken to correct the deficiency. 1.6. HOURS OF OPERATION. 1.6.1. Normal Hours. Normal hours of operation are 8:00am to 3:00pm EST, Monday through Friday. 1.6.2. Recognized Holidays. Facility observes all federal holidays. Federal Holidays are as follows:
1 Jan: New Year's Day
3rd Monday in Jan: Martin Luther King Jr. Birthday
3rd Monday in February: President's Day
Last Monday in May: Memorial Day
4th July: Independence Day
1st Monday in Sep: Labor Day
2nd Monday in Oct: Columbus Day
11 Nov: Veteran's Day
4th Thursday in Nov: Thanksgiving Day
25 Dec: Christmas Day
NOTE: When any of the above holidays fall on a Saturday it will be observed on the preceding Friday; holidays that fall on a Sunday will be observed on the following Monday. Any holidays declared by Presidential Executive Order shall be observed in the same manner as the holidays listed above. 2. DEFINITIONS. 2.1. STANDARD DEFINITIONS. 2.1.1. Contracting Officer (KO). A person duly appointed with the authority to enter into and administer contracts on behalf of the U.S. Government. 2.1.2. Contracting Officer Representative (COR). An individual designated by the contracting officer to act as his representative to assist in administering a contract. The source and authority for a COR are contained in the written letter of designation. 2.1.3. Customer Complaint. A means of documenting certain kinds of contract service problems. A government program that is explained to every organization that receives service under this contract which is used to evaluate contractor's performance. 2.1.4. Defective Service. 
A service output that does not meet the standard of performance associated with 2.1.5. Performance Assessment (PA). Those actions taken by the government to assure services meet the requirements of the Performance Work Statement (PWS) and all other service outputs. 2.1.6. Quality Assurance Surveillance Plan (QASP). An organized written document used for the quality assurance surveillance. The document contains specific methods to perform surveillance of the contractor. 2.1.7. Quality Control. Those actions taken by a contractor to control the performance of services so that they meet the requirements of the PWS. 2.2. TECHNICAL DEFINITIONS. 2.2.1. Material Safety Data Sheets (MSDS). A document that contains information on the potential health effects of exposure to chemicals, other potentially dangerous substances, and on safe working measures when handling chemical or hazardous substances. 2.2.2. Preventive Maintenance Checks and Services (PMCS). Those actions taken by the contractor in order to maintain equipment in this contract in a "like new" operational condition in accordance with the manufacturer's specifications. Accomplished by providing systematic inspections, Calibration Verification Certification (CVC), detection and correction of incipient failures before they occur or before they develop into a major defect, replacement of cracked or worn buttons, covers, etc. Cleaning and lubrication will be included as needed on all internal parts as well as external cleaning after services are performed. 2.2.3. Service Call. Those actions taken by the government to initiate services for repairs that require a representative of the contractor to visit the laboratory to perform service, repairs, or maintenance by the contractor in order to restore the equipment under contract to operational. 2.2.4. Troubleshooting. 
Those actions taken by the contractor to assist the government equipment operator in resolving any technical deficiencies with the equipment under the contract to maintain or restore the equipment to operational. 3. GOVERNMENT FURNISHED PROPERTY AND SERVICES. N/A 4. CONTRACTOR FURNISHED ITEMS AND SERVICES. 4.1. The contractor will furnish all materials required to perform maintenance, repairs, or service. Any costs associated with travel, lodging or meals to conduct services or preventive maintenance will be at the cost of the contractor. 4.2. Completion of Service. Upon completion of services, a written service report will be provided to the Biomedical Maintenance / Clinical Engineering Manager. The service report shall be completely filled out, provide detailed information regarding the cause of equipment malfunction and corrective action taken, to include the time required to complete the work, price of labor (hourly rate), and a list of parts replaced with a price for each part. In the event all information is not available to contractor's representative when services are performed, the initial service report shall include all information stated above except for price. Contractor shall provide the balance of the required information in writing to the Biomedical Maintenance Branch, Ms. Pamela Francis at pamela.t.francis.civ@mail.mil, within ten days after the services are completed. 4.3. Contractor will report all contractor manpower, including subcontractor manpower, required for performance of this contract. The contractor is required to completely fill in the information in the format provided at the following web address: https://cmra.army.mil. This requirement is mandatory and required by the assistant secretary of the army, Manpower & Reserve Affairs. This is an Army data collection site operated and maintained by this office. Reports are to be completed by 31 October annually. 4.4. 
Contractor will provide new and/or refurbished parts that are certified and documented to meet Original Equipment Manufacturers (OEM) specifications on all manufacturers' mandatory modifications and apply recalls by FDA. 4.5. Contractor will provide new or updated user manuals when changes are made at no additional cost. 4.6. Contractor shall furnish all applicable MSDS for reagents, equipment and supplies utilized under this contract at no additional cost. 4.7. Contractor will deliver 2 automated rapid cassette readers including the following Components per System: Command Center Reading Unit On Board Computer with Printer Software Operator's Manual Maintenance Manual 5. SPECIFIC TASKS. 5.1. Contractor will provide on-site technical support for installation of analyzers to bring to and maintain a fully operational status. 5.2. Contractor will ensure the analyzer does not require a water purification/ filtration system or modification of the facility's plumbing for a water supply. 5.3. The contractor will ensure proper packaging of reagents, supplies, and equipment and that they are shipped at proper refrigerated or frozen temperatures according to manufacturer specifications. 5.4. Contractor will ensure all shipments arrive Monday through Friday between the hours of 8:00am and 3:00pm EST; excluding holidays and weekends according to paragraph 1.6.2 above. 5.5. The contractor shall respond to phone calls regarding shipment discrepancies the same day of notification and discrepancy will be corrected within 24 hours. 5.6. Contractor will provide customer notification of updates on any reagents in writing within 5 business days and ensure continuity of services and availability of reagents during reagent revision when required. 5.7. Reagents must meet quality control guidelines set forth by manufacturer. 5.8. The contractor will provide all software upgrades at no additional cost. 5.9. 
The contractor will notify the laboratory if there is a recall on any reagents or equipment within 24 hours. 5.10. Contractor will respond to service calls within four hours when one analyzer is not working or the morning of the next duty day if after 5:00pm Monday through Friday and correct deficiencies within 24 hours after arrival on-site. 5.11. Contractor will respond to service calls within two hours when both analyzers are not working or the morning of the next duty day if after 5:00pm Monday through Friday and correct deficiencies on at least one analyzer immediately and all deficiencies within 36 hours after arrival on-site. 5.12. Contractor will perform all on-site scheduled service as specified by the manufacturer's published maintenance manual as necessary to keep system in good condition including lubrications, cleaning (other than those performed at the operator's level), calibrations, and diagnostics, during the lease period at no additional cost. 5.13. The contractor will provide 24 hour telephonic troubleshooting. 5.14. The equipment must be capable of performing rapid analysis on single use dry chemistry reagent cassettes that detect fetal fibronectin protein from cervicovaginal specimen. 6. INFORMATION TECHNOLOGY (IT) CONNECTIVITY. 6.1. TELECOMMUNICATION. 6.1.1. All contractor systems that will communicate with DOD systems will interconnect through the established MHS B2B gateway. For all Web applications, contractors will connect to a DISA-established Web DMZ. 6.1.2. In accordance with contract requirements, MCS contractors will connect to the B2B gateway via a contractor procured Internet Service Provider (ISP) connection. Contractors will assume all responsibility for establishing and maintaining their connectivity to the B2B gateway. This will include acquiring and maintaining the circuit to the B2B gateway and acquiring a Virtual Private Network (VPN) device compatible with the MHS VPN device. 6.1.3. 
Contractors will comply with DoD guidance regarding allowable ports, protocols and risk mitigation strategies. 6.1.4. All costs for VPN hardware and software will be incurred by the contractor. 6.2. U.S. Army Cybersecurity/Risk Management Framework (RMF) Requirements. 6.2.1. System Security Requirements. 6.2.1.1. The vendor shall submit to the Government, included in the quote, the blue section of the Medical Device Cybersecurity Assessment (Questionnaire) provided by government and Nessus Scans. Nessus scanner is to be procured by the vendor, at their own cost, in order to comply with RMF requirements. 6.2.1.2. Vendor agrees to comply with security regulations and guidance listed in attached Appendix A and all Risk Management Framework (RMF) requirements. 6.2.1.3. Failure to meet the requirements may result in termination of the delivery order for cause, in accordance with FAR 52.212-4(m). 6.2.1.4. The vendor device or system shall pass pre-validation screening (Vulnerability scans utilizing Nessus and SCAP scans), administered within six (6) months of contract award that will be conducted by Government, and must meet criteria listed below: a. No unmitigated Very High or High Severity/ Category I (CAT I), vulnerabilities as described in the appropriate Defense Information System Agency (DISA) Security Technical Implementation Guides (STIGs) located on http://iase.disa.mil/stigs/Pages/index.aspx b. No unmitigated Moderate Severity/Category II (CAT II), vulnerabilities as described in the appropriate Defense Information System Agency (DISA) Security Technical Implementation Guides (STIGs) located on http://iase.disa.mil/stigs/Pages/index.aspx c. No unmitigated Very High or High Severity/ Category I (CAT I) vulnerabilities from Nessus vulnerability scans. d. No unmitigated Moderate Severity/ Category II (CAT II) vulnerabilities from Nessus vulnerability scans. 
6.2.1.5 The vendor shall mitigate all Very High, High, and Moderate Severity/CAT I and CAT II vulnerabilities discovered during the Assessment and Authorization (A&A) process according to a schedule published by Government. 6.2.1.6. The vendor shall appoint a vendor point of contact responsible for the cybersecurity of the vendor device or system throughout the lifecycle of the system. The vendor shall provide Subject Matter Experts (SMEs) to support all assessments of contracted products and materials, and meet required deliverable timelines. 6.2.1.7. The vendor shall obtain a recommendation of Authority to Operate (ATO) as determined by a Government appointed third party validator within twelve (12) months of contract award. 6.2.1.8. The vendor shall not make any delivery and shall not receive payment for the system until the ATO is granted. Receiving the ATO document from the U.S. Army shall constitute permission to perform on the order and to proceed with delivery. All delivery dates shall be reset in accordance to contract and in days after the date the ATO is communicated in writing to the vendor. Delivery may take place prior to ATO only if written permission is provided by the DLA Contracting Officer. 6.2.1.9. Pursuant to subsequent warranty period and Service Maintenance Agreements (SMA), the vendor shall, after the award of an ATO, ensure that the vendor's device or system maintains its ATO for as long as the equipment is operated by Government. 6.2.1.10. The vendor shall establish appropriate administrative and technical safeguards to ensure the confidentiality, integrity, and availability of Government data under their control. 6.2.1.11. The vendor shall notify the Information Owner and Contracting Officer POCs in writing with any inabilities to comply with DOD security requirements. Vendor will provide anticipated costs and timelines required to address vulnerabilities in question. 6.2.1.12. 
The vendor shall contact the IA/RMF Office Representative, no later than 5 days after delivery order selection or contract award, to start the process. Failure to do so would be considered a vendor caused delay. 6.2.2. RMF Timeframes. The following table provides an overview of the entire Process to obtain approval under Army Cybersecurity requirements. Vendor actions must start as cited in the number of days after date of order column noted below and be completed in the number of days listed below in the Duration column.

ID | Step Name (Action or Deliverable) | Duration (Days) | Number of Days After Date of Award | Responsible Party
1 | 1. Categorization | 22 Total Days | |
2 | 1.1 Vendor RMF Kickoff Meeting (Vendor must contact the RMF Office Rep) | 1 | 5 | GOVERNMENT
3 | 1.2 EDMS Paperwork and Account Creation | 10 | 5 | GOVERNMENT
4 | 1.3 EDMS Functionality Briefing | 1 | 5 | GOVERNMENT
5 | 1.4 Documentation Templates to Vendor | 1 | 1 | GOVERNMENT
6 | 1.5 Hardware/Software Document Production | 5 | 5 | VENDOR
7 | 1.6 STIG Review | 2 | 10 | GOVERNMENT
8 | 1.7 System Categorization | 2 | 12 | GOVERNMENT
9 | 1.8 Categorization Memo Approval | 5 | 17 | GOVERNMENT
10 | 1.9 Security Assessment Plan Creation | 3 | 12 | GOVERNMENT
11 | 1.10 SAP Sent to Vendor | 0 | 15 | GOVERNMENT
12 | 1.11 Contact 3rd Party IV & V | 0 | 15 | GOVERNMENT
13 | 2. Control Selection | 6 Total Days | |
14 | 2.1 System eMASS Registration | 1 | 12 | GOVERNMENT
15 | 2.2 eMASS Control Selection | 1 | 12 | GOVERNMENT
16 | 2.3 Implementation Plan Completion | 5 | 17 | GOVERNMENT
17 | 3. Implementation | 130 Total Days | |
18 | 3.1 Documentation Creation and Review | | | GOVERNMENT
19 | 3.1.1 Vendor Control and Artifact Documentation | 90 | 5 | VENDOR
20 | 3.1.2 PMO Control Documentation | 55 | 40 | GOVERNMENT
21 | 3.1.3 Documentation 100% Complete (Confirm iV and V) | 0 | 95 | GOVERNMENT
22 | 3.2 Scanning | 120 | 16 | VENDOR
23 | 3.2.1 Vendor Initial Scan | 10 | 16 | VENDOR
24 | 3.2.2 ICS Review of Scans and Vulnerability Report | 2 | 26 | GOVERNMENT
25 | 3.2.3 Vendor Technical Remediation | 110 | 27 | VENDOR
26 | 3.3 DHA Registration | 60 | 77 | GOVERNMENT
27 | 3.3.1 DHA A&A Request | 1 | 77 | GOVERNMENT
28 | 3.3.2 Submit Security Plan for Approval | 10 | 77 | GOVERNMENT
29 | 3.4 Submission to IV and V Team; Submit IV and V Request Through Portal | 0 | 137 | GOVERNMENT
30 | 4. Assess | 65 Total Days | |
31 | 4.1 Packet Review by IV and V Team | 29 | 138 | GOVERNMENT
32 | 4.2 Coordination Meeting | 0 | 165 | GOVERNMENT
33 | 4.3 Onsite I&V | 5 | 168 | GOVERNMENT
34 | 4.4 SCA-V Packet Review | 30 | 173 | GOVERNMENT
35 | 4.5 SCA-V SAR Issuance | 0 | 203 | GOVERNMENT
36 | 5. Packet Authorization | 60 Total Days | |
37 | 5.1 Vendor Remediation | 30 | 173 | VENDOR
38 | 5.1.1 SAR Review/ Concurrence | 10 | 203 | GOVERNMENT
39 | 5.2 Submit to SCAR | 10 | 213 | GOVERNMENT
40 | 5.3 Submit to SCA | 5 | 223 | GOVERNMENT
41 | 5.4 Submit to AO | 5 | 228 | GOVERNMENT
42 | 5.5 AO Signature | 0 | 233 | GOVERNMENT

6.2.3. Assessment and Authorization (A&A). 6.2.3.1 The vendor shall submit all RMF required documentation, as specified by Government Reps for review and approval, no later than four (4) months after request by the Government. 6.2.3.2 The vendor shall obtain approval from the Government, any vendor developed policies, plans, and procedures prior to implementation. 6.2.3.3 The vendor shall provide any additional documentation required by the Government for completion of the A&A process within thirty (30) business days of request by the Government. 6.2.3.4 The vendor shall provide technical scans within one (1) month of the A&A kickoff meeting. 
6.2.3.5 The vendor shall provide updated technical scans on a monthly basis, on the 10th day of each month until an ATO is granted. 6.2.3.6 The vendor shall ensure that the vendor device or system is capable of supporting the use of DISA approved intrusion detection and prevention, antivirus, and antimalware applications. The vendor shall provide technical specifications that clearly demonstrate whether the proposed solution can integrate and support either the full security suite or the individual components (e.g. DLP, IPS, Antivirus, etc.) without performance degradation of the medical system/device. In cases where the operation of security applications is not technically achievable, the vendor shall provide detailed justification and a Plan of Actions and Milestones (POA&M) describing steps towards compliance with this requirement. 6.2.3.7 The vendor shall ensure that the vendor device or system is configured in such a way that allows the updating of malware definition signatures on a scheduled basis. Scanning shall encompass the entire system (file system, operating system, real-time processes) by default. In cases where scanning of the entire system may negatively affect its operation, the vendor shall provide a detailed list of exclusions with justifications. 6.2.4 Privileged User Training and Certification Requirements. If a vendor requires a B2B, access, etc. to government networks to maintain, analyze, etc. their products, they must adhere to the following requirements: 6.2.4.1 Information Assurance Contractor Training and Certification. Contractors requiring a privileged-level account for administrative/maintenance support of systems/applications on the Army network will meet Army requirements for a privileged-level account before being granted a network account. Requirements include: 6.2.4.2 Cyber (Information assurance (IA)/information technology (IT)) certification. 
Per DoD 8570.01-M, DFARS 252.239.7001 and AR 25-2, the contractor employees supporting Cyber (IA/IT) functions shall be appropriately certified upon contract award. Contractors will be defined at Information Assurance Technical level I (IAT - II) and be required to meet minimum Professional Baseline certifications at the time of contract award. Contractors will be given six (6) months to meet Computer Environment (CE) and Cyber Security Fundamental training requirements. Not meeting the requirements in accordance with DoD 8570.01-M will result in the contractor account and access being 'Disabled' or 'Deleted' until such time as the conditions of this contract are met. 6.2.4.3 Background Investigation. NACI or above is required. Vendors should email: usarmy.jbsa.medcom.list.medcom-information-assurance@mail.mil to obtain guidance on the process. 6.2.4.4. Professional Baseline Certification. The minimum Professional Baseline certification for IAT-II is CompTIA Security+. Higher certifications (GSLC, CISM, CISSP, etc.) will satisfy this requirement. 6.2.4.5. Computer Environment (CE) Certification. Computer Environment (CE) certifications are determined by the role of the contractor and must be met within six months of delivery order issuance. Contractors working on servers are encouraged to have a Microsoft 2008 Server or 2012 Server certification. Contractors working on End-User devices are encouraged to have a professional certification that coincides with the technology inherent in the system (i.e. MCSE, CCNA, RHCSE, etc.). The CompTIA A+ certification will also satisfy the CE certification requirement. 6.2.4.6. IA Training Requirements. Contractors will meet minimum training requirements within six months of contract award. Contractors will be required to complete Cyber Security Fundamentals located at URL: https://ia.signal.army.mil/IAF/ 6.2.4.7. Training. 
DoD Cyber Awareness Challenge Training must be completed by all contractor employees and associated sub-contractor employees prior to issuance of network access and annually thereafter. DoD Cyber Awareness Challenge Training is available at the following website: https://ia.signal.army.mil/DoDIAA/ 6.2.4.8. Two-Factor Authentication. Contractors will authenticate using two-factor authentication. The preferred method for authenticating is the Common Access Card (CAC). 6.2.4.9. Army Training Certification Tracking System (ATCTS). Contractors with a need for elevated privileged-level access will be defined to ATCTS. https://atc.us.army.mil/iastar/regulations.php 6.2.4.10. Network Account Request Package (Authorized & Privileged). The contractor will submit a request package through either the ITC One-Stop Shop for contractors requiring on-site access or through the Information Assurance/Cyber Security Branch for contractors requiring remote access to an Army network. Remote access must be through a Defense Health Agency (DHA) Business-To-Business (B2B) solution. Vendors should email: usarmy.jbsa.medcom.list.medcom-information-assurance@mail.mil to obtain remote access through DHA, for Army requirements. 6.2.4.11. Acceptable Use Policy (AUP). All vendors/contractors will sign/acknowledge the Army Standard Acceptable Use Policy (AUP) prior to being granted an Army network account. The Army Standard AUP is available at the following website: https://atc.us.army.mil/iastar/docs/aup.pdf 6.2.5. Warranty and Post-Warranty Service Maintenance Agreement Cybersecurity Requirements. 6.2.5.1 Continuous Risk Management a. The vendor shall maintain a duplicate of the fielded device, system, or group of configurations falling under one authorization, for testing in a vendor supplied lab environment at vendor location for as long as the system is operated by the Government. b. 
The vendor shall maintain the duplicate system or device in operational condition with the latest security patches installed. 6.2.5.2. The vendor shall update all ATO required supporting documentation in the event of a system policy, procedural, logical or technical changes to the system. 6.2.5.3. The vendor shall maintain the authorized security configuration and notify the government within forty eight (48) hours of any major changes for review. A major upgrade such as major software or hardware revision must be reassessed for ATO. Vendor shall support reauthorizations due to major upgrades. 6.2.5.4. The vendor shall ensure the vendor's device or system is in compliance with the Department of Defense (DOD) Information Assurance Vulnerability Management (IAVM) program upon each deployment. 6.2.5.5. The vendor shall ensure any new deployment (including rebuilds) deploy with a fully patched, accredited version maintained in a lab environment. 6.2.5.6. The vendor shall make the duplicate device or system available for periodic security reviews, within forty five (45) business days of notification by Government. The vendor shall perform monthly vulnerability scans using the most recent and updated version of approved DOD scan tools. 6.2.5.7. Vendor shall maintain system and update to comply with updated STIGS as made available by the Government within three (3) months of notification by the Government. 6.2.5.8. The vendor shall provide vulnerability scan and SCAP scan results to Government on a monthly basis. Vendor shall provide raw scan results and administrative reports no later than the 10th calendar day of each month. 6.2.5.9. The vendor shall close all discovered vulnerabilities within three (3) months of discovery. 6.2.5.10. The vendor shall submit to Government detailed explanations for the inability to close discovered vulnerabilities. 6.2.5.11. The vendor shall submit to Government for approval of any mitigation that addresses any open vulnerabilities. 
6.2.5.12. The vendor shall review all required policies, plans, and procedures documentation on an annual basis and submit changes to Government for approval. 6.2.5.13. The vendor shall use the Government approved method for remote access administration (DISA B2B) of system or device. 6.2.6. Appendix A: Cybersecurity Regulations and Guidance. 6.2.6.1 Cybersecurity Regulations and Guidance. The vendor shall use and comply with the most recent published versions as of the date of contractual agreement of the following references as well as all regulations or guidance referenced within those publications: a. United States Law i. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) ii. The Federal Information Security Management Act (FISMA) iii. The E-Government Act of 2002 b. Office of Management and Budget (OMB) i. The following publications are located at https://www.whitehouse.gov/omb/agency/default ii. Circular A-130 iii. Guidance M-05-24, Implementation of Homeland Security Presidential Directive (HSPD) 12-Policy for a Common Identification Standard for Federal Employees and Vendors c. National Institute of Standards and Technology (NIST) i. The following publications are located at http://www.nist.gov/publication-portal.cfm ii. NIST Special Publication (SP) 800-37 - Guide for Applying the Risk Management Framework (RMF) to Federal Information Systems iii. NIST SP 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations d. Federal Information Processing Standards (FIPS) i. The following publications are located at http://www.nist.gov/itl/fipscurrent.cfm ii. FIPS Publication (FIPS PUB) 140-2, Security Requirements for Cryptographic Modules iii. FIPS PUB 199 - Standards for Security Categorization of Federal Information and Information Systems iv. FIPS PUB 201-2, Personal Identity Verification of Federal Employees and Vendors e. Department of Defense (DoD) i. 
The following publications are located at http://www.dtic.mil/whs/directives/ ii. DoD Instruction 5200.2, DoD Personnel Security Program (PSP) iii. DoD Instruction 8500.1, Cybersecurity iv. DoD Instruction 8520.02, Public Key Infrastructure (PKI) and Public Key (PK) Enabling v. DoD Instruction 8510.01, Risk Management Framework Process (RMF) vi. DoD Instruction 8551.1, Ports, Protocols, and Services Management (PPSM) vii. DoD Instruction 8580.02, Security of Individually Identifiable Health Information in DoD Health Care Programs viii. DoD Instruction 6025.18, Privacy of Individually Identifiable Health Information in DoD Health Care Programs ix. DoD Directive 5400.11, DoD Privacy Program x. DoD Manual 5400.11-R, Department of Defense Privacy Program 6.3. SECURITY CLEARANCES. 6.3.1. Personnel to be assigned to an ADP/IT position must undergo a successful security screening before being provided access to DoD information technology resources. Prior to an employee being granted interim access to DoD sensitive information, Martin Army Community Hospital must receive notification that the Office of Personnel Management (OPM) has scheduled the employee's investigation. This requirement must be met by contractors, subcontractors and others who have access to information systems containing information protected by the Privacy Act of 1974 and protected health information under HIPAA. Background checks are required for all ADP/IT personnel who receive, store, display, or transmit sensitive information. Employees must have at a minimum an ADP Sensitivity Designation of Level II to access the DoD Network. 6.3.2. All contractors that use the DoD gateways to access government systems must submit a DISA Form 41 or equivalent in accordance with Contracting Officer guidance. In addition, Form 41s are required for each system administrator responsible for each host-to-host interface. 
Contractors shall complete and submit to TMA one Form 41 for their organization, attached to which shall be a listing of those individuals for whom background checks have been completed, submitted to the Office of Personnel Management (OPM), and acknowledgements have been received from OPM that the applications are complete and are pending action by OPM. The request must clearly delineate the ports and protocols used for each IP address. The contractor shall complete the form and submit to the government for final processing. 6.3.3. All costs for the background investigations are the responsibility of the contractor. 6.4. BUSINESS to BUSINESS (B2B) REQUIREMENTS for CONTRACTOR. 6.4.1. General Security Requirements. 6.4.1.1. The Contractor shall establish appropriate administrative, technical, and physical safeguards to protect any and all Government data, to ensure the confidentiality, integrity, and availability of government data. As a minimum, this shall include provisions for personnel security, electronic security and physical security as listed in the sections that follow. 6.4.2. Personnel Security. 6.4.2.1. The contractor shall comply with DoD Directive 8500.1, "Information Assurance (IA)," DoD Instruction 8500.2, "Information Assurance (IA) Implementation," DoD Directive 5400.11, "DoD Privacy Program," DoD 6025.18-R, "DoD Health Information Privacy Regulation," DoD 5200.2-R, "Personnel Security Program Requirements," AR25-1, "Army Knowledge Management and Information Technology," AR 25-2, "Information Assurance," and local regulations as deemed appropriate by the activity Information Assurance personnel. 6.4.2.2. Contractor responsibilities for ensuring personnel security include, but are not limited to, meeting the following requirements: a. 
Follow the Army guidelines for submittal of Automated Data Processor/Information Technology (ADP/IT) background investigations and ensure all contractor personnel are designated as ADP/IT-I, ADP/IT-II, or ADP/IT-III where their duties meet the criteria of the position sensitivity designations outlined in AR25-2. b. Initiate, maintain, and document personnel security investigations appropriate to the individual's responsibilities and required access to Information Systems within the logical boundaries of the facility LAN. c. Immediately report to the Martin Army Community Hospital Personnel Security Manager Travis Butler at 762-408-0308 and deny access to any automated information system (AIS), network, or information if a contractor employee filling a sensitive position receives an unfavorable adjudication, if information that would result in an unfavorable adjudication becomes available, or if directed to do so by the appropriate government representative for any reason. d. Ensure that all contractor personnel receive information assurance (IA) training before being granted access to DoD AISs/networks and information. 6.4.3. Electronic Security. 6.4.3.1. Contractor Information Systems (IS)/networks that are involved in the operation of systems in support of BMACH shall operate in accordance with controlling laws, regulations, DoD, Army, and local policy. 6.4.3.2. Certification & Accreditation (C&A) requirements apply to all DoD and contractor's IS/networks that receive, process, display, store, or transmit DoD information. The contractor shall comply with the C&A process for safeguarding IS. Certification is the determination of the appropriate level of protection required for IS/networks. Certification also includes a comprehensive evaluation of the technical and non-technical security features and countermeasures required for each system/network. 6.4.3.3. 
Accreditation is the formal approval by the government to operate the contractor's IS/networks in a particular security mode using a prescribed set of safeguards at an acceptable level of risk. In addition, accreditation allows IS/networks to operate within the given operational environment with stated interconnections; and with appropriate level of protection for the specified period. 6.4.3.4. The contractor shall comply with C&A requirements, as specified by the government that meet appropriate DoD Information Assurance requirements. The C&A requirements shall be met before the contractor's system is authorized to access DoD data or interconnect with any DoD IS/network that receives, processes, stores, displays or transmits DoD data. The contractor shall ensure the proper contractor support staff is available to participate in all phases of the C&A process. They include, but are not limited to: a. Attending and supporting C&A meetings with the government. b. Supporting/conducting the vulnerability mitigation process. c. Supporting the C&A Team during system security testing. 6.4.3.5. Contractors must confirm that their IS/networks are locked down prior to initiating testing. a. Confirmation of system lock down shall be agreed upon during the definition of the C&A boundary and be signed and documented as part of the System Security Authorization Agreement (SSAA). b. Locking down the system means that there shall be no changes made to the configuration of the system (within the C&A boundary) during the C&A process. 6.4.3.6. Any re-configuration or change in the system during the C&A testing process will require a re-baselining of the system and documentation of system changes. 6.4.3.7. Mitigation strategies include security updates, service packs, and changes to operating procedures as physical and cyber vulnerabilities are detected. 
Operating system, routers, servers, development platforms and the application being delivered to the government shall be in compliance with all known applicable Department of Defense Computer Emergency Response Team (DoD-CERT) Alert, Bulletin, and Technical Advisory Notices published during the past 36 months. 6.4.3.8. Disposing of Electronic Media. Vendors shall follow the DoD standards, procedures, and use approved products to dispose of unclassified hard drives and other electronic media, as appropriate, in accordance with DoD Memorandum "Disposition of Unclassified Computer Hard Drives," June 4, 2001. Vendors are required to also follow DoD guidance on sanitization of other internal and external media components in DODI 8500.2 "Information Assurance (IA) Implementation," 6 Feb 2003 (see PECS-1 in enclosure 4 Attachment 5) and DoD 5220.22-M "Industrial Security Program Operating Manual (NISPOM)," (Chapter 8). 6.4.3.9. Information Assurance Vulnerability Management (IAVM). The contractor shall implement an information assurance vulnerability management program for all AIS and corresponding subnets that are connected to or intermittently connect to Army networks. The program shall meet the scope and intent of AR25-2 and Martin Army Community Hospital IA policies to provide protection against known threats and vulnerabilities. Compliance with Army IAVM alerts and bulletins is required for these systems, and shall be completed within the specified timeframe. 6.4.4. Information Systems (IS)/Networks Physical Security. 6.4.4.1. The contractor shall employ physical security safeguards for IS/Networks involved in processing or storage of Government Data to prevent the unauthorized access, disclosure, modification, destruction, use, etc., and to otherwise protect the confidentiality and ensure use conforms with DoD regulations. 
In addition, the contractor will support a Physical Security Audit performed by the Government of the contractor's internal information management infrastructure. The MHS Physical Security Audit Matrix is available at: http://www.tricare.osd.mil/tmis_new/Policy/PSA_Matrix_%20012304%200930%20clean%20version.xls. The contractor shall correct any deficiencies identified by the Government of the contractor's physical security posture. 6.4.5. Special Requirements for Protected Health Information. Whenever a contract is awarded that requires the vendor to collect, use, copy, access or store Protected Health Information (PHI) in commercial office space, the contractors must: 6.4.5.1. Notify the Martin Army Community Hospital HIPAA Security Manager, Ms. Beverly Simmons at 762-408-0032. 6.4.5.2. Follow all DUA and DoD requirements for secure disposal, destruction, and/or sanitization of all equipment that contained PHI. 6.4.6. Information Assurance Contractor Training and Certification. Contractors requiring a privileged-level account for administrative/maintenance support of systems/applications on the Army/BMACH network will meet Army requirements for a privileged-level account before being granted a BMACH network account. Requirements include - 6.4.6.1. Cyber (Information assurance (IA)/information technology (IT)) certification. Per DoD 8570.01-M, DFARS 252.239.7001 and AR 25-2, the contractor employees supporting Cyber (IA/IT) functions shall be appropriately certified upon contract award. Contractors will be defined at Information Assurance Technical level I (IAT - II) and be required to meet minimum Professional Baseline certifications at the time of contract award. Contractors will be given six (6) months to meet Computer Environment (CE) and Cyber Security Fundamental training requirements. 
Not meeting the requirements in accordance with DoD 8570.01-M will result in the contractor account and access being 'Disabled' or 'Deleted' until such time as the conditions of this contract are met. 6.4.6.2. Background Investigation. NACI or above is required. See paragraph 2a. 6.5. Information Assurance 6.5.1. Professional Baseline Certification. The minimum Professional Baseline certification for IAT-II is CompTIA Security+. Higher certifications (GSLC, CISM, CISSP, etc.) will satisfy this requirement. 6.5.2. Computer Environment (CE) Certification. Computer Environment (CE) certifications are determined by the role of the contractor and must be met within six months of contract award. Contractors working on servers are encouraged to have a Microsoft 2008 Server or 2012 Server certification. Contractors working on End-User devices are encouraged to have a Microsoft Windows 7 or Microsoft Windows 10 certification. The CompTIA A+ certification will also satisfy the CE certification requirement. 6.5.3. IA Training Requirements. Contractors will meet minimum training requirements within six months of contract award. Contractors will be required to complete Cyber Security Fundamentals located at URL: https://ia.signal.army.mil/IAF/ 6.5.4. Two-Factor Authentication. Contractors will authenticate using two-factor authentication. The preferred method for authenticating is the Common Access Card (CAC). See paragraph 2a. 6.5.5. Army Training Certification Tracking System (ATCTS). Contractors with a need for elevated privileged-level access will be defined to ATCTS. https://atc.us.army.mil/iastar/regulations.php 6.5.6. BMACH Network Account Request Package (Authorized & Privileged). The contractor will submit a request package through either the ITC One-Stop Shop for contractors requiring on-site access or through the Information Assurance/Cyber Security Branch for contractors requiring remote access to the BMACH network. 
Remote access must be through a Defense Health Agency (DHA) Business-To-Business (B2B) solution. The package includes - 6.5.7. DD Form 2875 - System Authorization Access Request (SAAR). All contractors requiring a BMACH network account will complete the DD Form 2875 to include validation of a Security Background Investigation (9.9.1.1). Information Assurance Branch will be the sponsor for all contractors requiring elevated privileged-level access. The department chief will sign the DD2875 as the contractor supervisor. Note: contractors requiring a 'Privileged' account will check 'Box 14.' on the form. The DD2875 SAAR Form is available at the following website: https://atc.us.army.mil/iastar/docs/DD_Form_2875_System_Access_Agreement_Request.pdf 6.5.8. IA Training. DoD Cyber Awareness Challenge Training must be completed by all contractor employees and associated sub-contractor employees prior to issuance of network access and annually thereafter. DoD Cyber Awareness Challenge Training is available at the following website: https://ia.signal.army.mil/DoDIAA/ 6.5.9. Acceptable Use Policy (AUP). All vendors/contractors will sign/acknowledge the Army Standard Acceptable Use Policy (AUP) prior to being granted a BMACH network account. The Army Standard AUP is available at the following website: https://atc.us.army.mil/iastar/docs/aup.pdf 6.6. Anti-Terrorism and OPSEC 6.6.1. AT Level I training. This standard language is for contractor employees with an area of performance within an Army controlled installation, facility or area. All contractor employees, to include subcontractor employees, requiring access to Army installations, facilities and controlled access areas shall complete AT Level I awareness training within 30 calendar days after contract start date or effective date of incorporation of this requirement into the contract, whichever is applicable and annually thereafter. 
The contractor shall submit certificates of completion for each affected contractor employee and subcontractor employee, to the COR or to the contracting officer, if a COR is not assigned, within 05 calendar days after completion of training by all employees and subcontractor personnel. AT level I awareness training is available at the following website: http://jko.jten.mil 6.6.2. Access and general protection/security policy and procedures. This standard language is for contractor employees with an area of performance within Army controlled installation, facility, or area. Contractor and all associated sub-contractors employees shall provide all information required for background checks to meet installation access requirements to be accomplished by installation Provost Marshal Office, Director of Emergency Services or Security Office. Contractor workforce must comply with all personal identity verification requirements (FAR clause 52.204-9, Personal Identity Verification of Contractor Personnel) as directed by DOD, HQDA and/or local policy. In addition to the changes otherwise authorized by the changes clause of this contract, should the Force Protection Condition (FPCON) at any individual facility or installation change, the Government may require changes in contractor security matters or processes. 6.6.2.1. For contractors requiring Common Access Card (CAC). Before CAC issuance, the contractor employee requires, at a minimum, a favorably adjudicated National Agency Check with Inquiries (NACI) or an equivalent or higher investigation in accordance with Army Directive 2014-05. 
The contractor employee will be issued a CAC only if duties involve one of the following: (1) Both physical access to a DoD facility and access, via logon, to DoD networks on-site or remotely; (2) Remote access, via logon, to a DoD network using DoD-approved remote access procedures; or (3) Physical access to multiple DoD facilities or multiple non-DoD federally controlled facilities on behalf of the DoD on a recurring basis for a period of 6 months or more. At the discretion of the sponsoring activity, an initial CAC may be issued based on a favorable review of the FBI fingerprint check and a successfully scheduled NACI at the Office of Personnel Management. 6.6.2.2. For contractors that do not require CAC, but require access to a DoD facility or installation. Contractor and all associated sub-contractors employees shall comply with adjudication standards and procedures using the National Crime Information Center Interstate Identification Index (NCIC-III) and Terrorist Screening Database (TSDB) (Army Directive 2014-05/AR 190-13), applicable installation, facility and area commander installation/facility access and local security policies and procedures (provided by government representative), or, at OCONUS locations, in accordance with status of forces agreements and other theater regulations. 6.6.3. AT Awareness Training for Contractor Personnel Traveling Overseas. This standard language requires US based contractor employees and associated sub-contractor employees to make available and to receive government provided area of responsibility (AOR) specific AT awareness training as directed by AR 525-13. Specific AOR training content is directed by the combatant commander with the unit ATO being the local point of contact. 6.6.4. iWATCH Training. This standard language is for contractor employees with an area of performance within an Army controlled installation, facility or area. 
The contractor and all associated sub-contractors shall brief all employees on the local iWATCH program (training standards provided by the requiring activity ATO). This locally developed training will be used to inform employees of the types of behavior to watch for and instruct employees to report suspicious activity to the COR. This training shall be completed within 30 calendar days of contract award and within 05 calendar days of new employees commencing performance with the results reported to the COR NLT 30 calendar days after contract award. 6.6.5. Army Training Certification Tracking System (ATCTS) registration for contractor employees who require access to government information systems. All contractor employees with access to government information systems must be registered in the ATCTS (Army Training Certification Tracking System) at commencement of services, and must successfully complete the DOD Information Assurance Awareness prior to access to the IS and then annually thereafter. 6.6.6. For contracts that require a formal OPSEC program. The contractor shall develop an OPSEC Standing Operating Procedure (SOP)/Plan within 90 calendar days of contract award, to be reviewed and approved by the responsible Government OPSEC officer. This plan will include a process to identify critical information, where it is located, who is responsible for it, how to protect it and why it needs to be protected. The contractor shall implement OPSEC measures as ordered by the commander. In addition, the contractor shall have an identified certified Level II OPSEC coordinator per AR 530-1. 6.6.7. For contracts that require OPSEC Training. Per AR 530-1 Operations Security, the contractor employees must complete Level I OPSEC Awareness training. New employees must be trained within 30 calendar days of their reporting for duty and annually thereafter. 
OPSEC Awareness for Military Members, DoD Employees and Contractors is available at the following website: http://cdsetrain.dtic.mil/opsec/index.htm 6.6.9. For Cyber (Information assurance (IA)/information technology (IT)) certification. Per DoD 8570.01-M, DFARS 252.239.7001 and AR 25-2, the contractor employees supporting Cyber (IA/IT) functions shall be appropriately certified upon contract award. 6.6.10. For contractors authorized to accompany the force. DFARS Clause 252.225-7040, Contractor Personnel Authorized to Accompany U.S. Armed Forces Deployed Outside the United States. The clause shall be used in solicitations and contracts that authorize contractor personnel to accompany US Armed Forces deployed outside the US in contingency operations; humanitarian or peacekeeping operations; or other military operations or exercises, when designated by the combatant commander. The clause discusses the following AT/OPSEC related topics: required compliance with laws and regulations, pre-deployment requirements, required training (per combatant command guidance), and personnel data required. 6.6.11. For Contract Requiring Performance or Delivery in a Foreign Country, DFARS Clause 252.225-7043, Antiterrorism/Force Protection for Defense Contractors Outside the US. The clause shall be used in solicitations and contracts that require performance or delivery in a foreign country. This clause applies to both contingency and non-contingency support. The key AT requirement is for non-local national contractor personnel to comply with theater clearance requirements and allows the combatant commander to exercise oversight to ensure the contractor's compliance with combatant commander and subordinate task force commander policies and directives. 6.6.12. For contracts that require handling or access to classified information. Contractor shall comply with FAR 52.204-2, Security Requirements. 
This clause involves access to information classified "Confidential," "Secret," or "Top Secret" and requires contractors to comply with: (1) the Security Agreement (DD Form 441), including the National Industrial Security Program Operating Manual (DoD 5220.22-M); (2) any revisions to DOD 5220.22-M, notice of which has been furnished to the contractor.
6.6.13. Threat Awareness Reporting Program. For all contractors with security clearances. Per AR 381-12 Threat Awareness and Reporting Program (TARP), contractor employees must receive annual TARP training by a CI agent or other trainer as specified in 2-4b of AR 381-12.
6.6.14. For contracts that require delivery of food and water. This standard language is for contractor employees with an area of performance delivering food and water within an Army-controlled installation, facility or area. The supplies delivered under this contract shall be transported in delivery conveyances maintained to prevent tampering with and/or adulteration or contamination of the supplies, and if applicable, equipped to maintain a prescribed temperature. All delivery vehicles will also be subject to inspection at all times and all places by the Contracting Officer's Representative, Post Veterinarian, and/or Law Enforcement Officials. When the sanitary conditions of the delivery conveyance have led, or may lead, to product contamination or adulteration or constitute a health hazard, when the delivery conveyance is not equipped to maintain prescribed temperatures, or when the transport results in product "unfit for intended purpose", supplies tendered for acceptance may be rejected without further inspection. As the holder of a contract with the Department of Defense, it is incumbent upon the awardee to ensure that all products and/or packaging have not been tampered with or contaminated. Delivery conveyances will be locked or sealed at all times, except when actively loading or unloading. Unsecured vehicles will not be left unattended.
All incoming truck drivers will provide adequate identification upon request. In the event of an identified threat to an installation, or a heightened force protection/Homeland Security threat level, the contractor may be required to adjust delivery routes to minimize vulnerability risks and enable direct delivery to DOD facilities.
7. PAYMENTS.
7.1. Contractor will create a combo invoice document using the government's Wide Area Work Flow (WAWF) electronic internet-based system. WAWF is required. The website is https://wawf.eb.mil. Contractor shall invoice in accordance with DFARS 252.232-7003.
7.2. Contractor shall ensure that, when it is necessary to resubmit an invoice for payment, the same invoice number listed on the original document is used with a letter after the number, and that a new invoice number is not generated for a previous shipment. (Example: Invoice # 100473, 100473A, 100473B, etc.).
7.3. Contractor will submit invoices in WAWF within 7 days of shipping date but no later than 30 days of shipping date.
8. APPLICABLE PUBLICATIONS AND FORMS.
8.1. Quality Assurance Surveillance Plan in Technical Exhibit 1.
8.2. Delivery Schedule in Technical Exhibit 2.
 
Web Link
FBO.gov Permalink
(https://www.fbo.gov/spg/USA/MEDCOM/DADA15/W91YTZ18Q0004/listing.html)
 
Place of Performance
Address: Martin Army Community Hospital, Fort Benning, Georgia, 31905, United States
Zip Code: 31905
 
Record
SN04902038-W 20180428/180426230845-9caa371d65dcda24bda2316cf58f3a05 (fbodaily.com)
 
Source
FedBizOpps Link to This Notice
(may not be valid after Archive Date)
