SOLICITATION NOTICE
D -- Adverse Event Reporting System - Web Based COTS - Technical Evaluation Factors - DRAFT PWS - Combined Synopsis/Solicitation attachment
- Notice Date
- 5/31/2018
- Notice Type
- Combined Synopsis/Solicitation
- NAICS
- 511210
— Software Publishers
- Contracting Office
- Department of Health and Human Services, Indian Health Service, Division of Acquisition Policy, 5600 Fishers Lane, Rockville, Maryland, 20857, United States
- ZIP Code
- 20857
- Solicitation Number
- 18-236-SOL-00026
- Archive Date
- 7/3/2018
- Point of Contact
- Daniel Rosenstengel, Paul B. Premoe
- E-Mail Address
- Daniel.Rosenstengel@ihs.gov, paul.premoe@ihs.gov
- Small Business Set-Aside
- N/A
- Description
- Combined Synopsis/Solicitation attachment: DRAFT Performance Work Statement for COTS Adverse Event Reporting System; Technical Evaluation Factors attachment.

Base Notice: Indian Health Service Agency-wide Adverse Event Reporting System (Patient and Occupational Safety), 18-236-SOL-00026

Note: Intent is to procure a commercially available off-the-shelf (COTS) software solution that has verifiable and relevant past performance references within Government or Commercial Medical Facilities.

Notice Type: Combined Synopsis/Solicitation
Posted Date: May 31, 2018
Last Date to submit questions: June 11, 2018 12:00 pm Eastern
Response Date: June 18, 2018 2:00 pm Eastern
Archiving Policy: Automatic, 15 days after response date
Archive Date: July 3, 2018
Classification Code: D - Information Technology and Telecommunications
NAICS Code: 737: Computer Programming, Data Processing, And Other Computer Related Services; 511210 - Software Publishers

NOTICE INFORMATION
Solicitation: 18-236-SOL-00026
Agency/Office: Indian Health Service
Location: Division of Acquisition Policy
Title: Indian Health Service Agency-wide Adverse Event Reporting System (Patient and Occupational Safety)

Description(s):
(i) This is a combined synopsis/solicitation for commercial items prepared in accordance with the format in FAR Subpart 12.6, as supplemented with additional information included in this notice. This announcement constitutes the only solicitation that will be issued; proposals are hereby requested.
(ii) Solicitation number 18-236-SOL-00026 applies and is issued as a request for proposal (RFP).
(iii) The solicitation document and incorporated provisions and clauses are those in effect through Federal Acquisition Circular 2005-95.
(iv) The North American Industry Classification System (NAICS) code is 511210 and the business size standard is $38.5 Million.
This acquisition is being conducted under FAR Part 12, Acquisition of Commercial Items. The Indian Health Service intends to award a firm fixed-price contract.
(v) CLIN 0001: Implementation of Adverse Event Reporting System. All implementation is anticipated to be completed during the base year. CLIN 0002: Software License and support for the base year. CLIN 1002: Software License and support for Option Year One. CLIN 2002: Software License and support for Option Year Two. CLIN 3002: Software License and support for Option Year Three. CLIN 4002: Software License and support for Option Year Four.
(vi) See attached Performance Work Statement - Attachment 1: Adverse Event Reporting System PWS.
(vii) 5600 Fishers Lane, Mail Stop: 09E70, Rockville, MD 20857
(viii) The following FAR clauses apply to this solicitation. Offerors may obtain full text versions of these clauses electronically at http://www.arnet.gov/far. FAR 52.212-1 Instructions to Offerors-Commercial Items (JAN 2017). 1. Parties responding to this solicitation may submit their offer in accordance with their standard commercial practices (e.g., on company letterhead, formal quote form, etc.) but must include the following information: 1) the company's complete mailing and remittance addresses, 2) discounts for prompt payment, if applicable, 3) CAGE code, 4) Dun & Bradstreet (DUNS) number, 5) Taxpayer ID number, and 6) pricing and verification that the offeror can meet the location requirements in accordance with FAR 52.212-2, Evaluation-Commercial Items, paragraph (ix) below.
(ix) FAR 52.212-2 Evaluation-Commercial Items (OCT 2014). This is a best value decision and award may be made to other than the lowest priced offeror. (a) The Government intends to award a firm fixed-price contract resulting from this solicitation to the responsible offeror whose offer, conforming to the solicitation, will be most advantageous to the Government, price and other factors considered.
The following factors will be used to evaluate offers: (1) Technical Capability, (2) Management Approach/Key Personnel, (3) Relevant Past Performance, and (4) Price.
All proposals are to be submitted electronically following the instructions below. Electronic submission of Proposals: Proposals shall be submitted electronically by email to Daniel.Rosenstengel@ihs.gov. The submitter should confirm receipt of email submissions. Please provide pricing for the base year as well as the four (4) one-year option years separately from the technical proposal documents.
(x) FAR 52.212-3 Offeror Representations and Certifications-Commercial Items (JAN 2017). An offeror shall complete only paragraph (b) of this provision if the offeror has completed the annual representations and certifications electronically via https://www.acquisition.gov. If an offeror has not completed the annual representations and certifications electronically at the System for Award Management (SAM) website, the offeror shall complete only paragraphs (c) through (p) of this provision and return it with their offer.
(xi) FAR 52.212-4 Contract Terms and Conditions-Commercial Items (JAN 2017) applies to this acquisition.
(xii) FAR 52.212-5 Contract Terms and Conditions Required to Implement Statutes or Executive Orders, Commercial Items (JAN 2017), to include the following clauses listed at paragraph (b): 52.204-10, Reporting Executive Compensation and First-Tier Subcontract Awards; 52.209-6, Protecting the Government's Interest When Subcontracting with Contractors Debarred, Suspended, or Proposed for Debarment; 52.217-8, Option to Extend Services - The Government may require continued performance of any services within the limits and at the rates specified in the contract. These rates may be adjusted only as a result of revisions to prevailing labor rates provided by the Secretary of Labor. The option provision may be exercised more than once, but the total extension of performance hereunder shall not exceed 6 months.
The Contracting Officer may exercise the option by written notice to the Contractor within 30 days from the date of contract expiration. 52.217-9, Option to Extend the Term of the Contract (MAR 2000): (a) The Government may extend the term of this contract by written notice to the Contractor within 15 days; provided that the Government gives the Contractor a preliminary written notice of its intent to extend at least 60 days before the contract expires. The preliminary notice does not commit the Government to an extension. (b) If the Government exercises this option, the extended contract shall be considered to include this option clause. (c) The total duration of this contract, including the exercise of any options under this clause, shall not exceed 66 months. 52.222-3, Convict Labor; 52.222-21, Prohibition of Segregated Facilities; 52.222-26, Equal Opportunity (E.O. 11246); 52.222-36, Equal Opportunity for Workers with Disabilities; 52.222-50, Combating Trafficking in Persons; 52.223-18, Encouraging Contractor Policies to Ban Text Messaging While Driving; 52.225-13, Restrictions on Certain Foreign Purchases; 52.232-33, Payment by Electronic Funds Transfer - System for Award Management; 52.222-53, Exemption from Application of the Service Contract Labor Standards to Contracts for Certain Services - Requirements (MAY 2014); FAR 52.227-14, Rights in Data - General (MAY 2014).
FAR 12.505, Applicability of certain laws to contracts for the acquisition of COTS items. COTS items are a subset of commercial items. Therefore, any laws listed in sections 12.503 and 12.504 are also inapplicable or modified in their applicability to contracts or subcontracts for the acquisition of COTS items. In addition, the following laws are not applicable to contracts for the acquisition of COTS items: (a)(1) The portion of 41 U.S.C.
8302(a)(1), that reads "substantially all from articles, materials, or supplies mined, produced, or manufactured in the United States," Buy American - Supplies, component test (see 52.225-1 and 52.225-3). (2) The portion of 41 U.S.C. 8303(a)(2), that reads "substantially all from articles, materials, or supplies mined, produced, or manufactured in the United States," Buy American - Construction Materials, component test (see 52.225-9 and 52.225-11). (b) 42 U.S.C. 6962(c)(3)(A), Certification and Estimate of Percentage of Recovered Material. (c) Compliance Plan and Certification Requirement, section 1703 of the National Defense Authorization Act for Fiscal Year 2013 (Pub. L. 112-239), Title XVII, Ending Trafficking in Government Contracting (see 52.222-50(h) and 52.222-56).
(xiii) n/a
(xiv) n/a
(xv) Due date for submissions is June 18, 2018 2:00 p.m. Eastern (the Response Date stated above). Due to possible email transmission problems it is the contractor's responsibility to verify receipt of the proposal.
(xvi) IHS Point of Contact: Contract Specialist, Daniel.Rosenstengel@ihs.gov, 301-443-0234.
Department of Health and Human Services Acquisition Regulation (HHSAR) (48 CFR Chapter 3) Clauses (Incorporated by Reference): http://farsite.hill.af.mil/vfhhsara.htm

NUMBER / TITLE / DATE
352.202-1 Definitions (JAN 2006)
352.222-70 Contractor Cooperation in Equal Opportunity Investigations (JAN 2010)
352.223-70 Safety and Health (JAN 2006)
352.224-70 Privacy Act (JAN 2006)
352.227-70 Publications and Publicity (JAN 2006)
352.237-70 Pro-Children Act (JAN 2006)
352.237-71 Crime Control Act - Reporting of Child Abuse (JAN 2006)
352.237-72 Crime Control Act - Requirement for Background Checks (JAN 2006)
352.242-71 Tobacco-Free Facilities (JAN 2006)

HHSAR 352.239-73 ELECTRONIC INFORMATION AND TECHNOLOGY ACCESSIBILITY NOTICE (DEC 2015)
(a) Section 508 of the Rehabilitation Act of 1973 (29 U.S.C. 794d), as amended by the Workforce Investment Act of 1998, and the Architectural and Transportation Barriers Compliance Board Electronic and Information Technology (EIT) Accessibility Standards (36 CFR part 1194), require that when Federal agencies develop, procure, maintain, or use electronic and information technology, Federal employees with disabilities have access to and use of information and data that is comparable to the access and use by Federal employees who are not individuals with disabilities, unless an undue burden would be imposed on the agency. Section 508 also requires that individuals with disabilities, who are members of the public seeking information or services from a Federal agency, have access to and use of information and data that is comparable to that provided to the public who are not individuals with disabilities, unless an undue burden would be imposed on the agency.
(b) Accordingly, any offeror responding to this solicitation must comply with established HHS EIT accessibility standards.
Information about Section 508 is available at http://www.hhs.gov/web/508. The complete text of the Section 508 Final Provisions can be accessed at http://www.access-board.gov/guidelines-and-standards/communications-and-it/about-the-section-508-standards.
(c) The Section 508 accessibility standards applicable to this solicitation are stated in the clause at 352.239-74, Electronic and Information Technology Accessibility. In order to facilitate the Government's determination whether proposed EIT supplies meet applicable Section 508 accessibility standards, offerors must submit an HHS Section 508 Product Assessment Template, in accordance with its completion instructions. The purpose of the template is to assist HHS acquisition and program officials in determining whether proposed EIT supplies conform to applicable Section 508 accessibility standards. The template allows offerors or developers to self-evaluate their supplies and document, in detail, whether they conform to a specific Section 508 accessibility standard, and any underway remediation efforts addressing conformance issues. Instructions for preparing the HHS Section 508 Evaluation Template are available under Section 508 policy on the HHS Web site http://www.hhs.gov/web/508. In order to facilitate the Government's determination whether proposed EIT services meet applicable Section 508 accessibility standards, offerors must provide enough information to assist the Government in determining that the EIT services conform to Section 508 accessibility standards, including any underway remediation efforts addressing conformance issues.
(d) Respondents to this solicitation must identify any exception to Section 508 requirements.
If an offeror claims its supplies or services meet applicable Section 508 accessibility standards, and it is later determined by the Government, i.e., after award of a contract or order, that supplies or services delivered do not conform to the described accessibility standards, remediation of the supplies or services to the level of conformance specified in the contract will be the responsibility of the Contractor at its expense. (End of provision)

Element 12. IAW HHSAR 352.239-73(b) ELECTRONIC INFORMATION AND TECHNOLOGY ACCESSIBILITY NOTICE (DEC 2015), the offeror shall submit its methodology to meet the Section 508 requirement. Offers shall not be considered acceptable without addressing and meeting this requirement.

C.1.1 Accessibility by Individuals with Disabilities
Section 508 of the Rehabilitation Act of 1973 (29 U.S.C. 794d), as amended by P.L. 105-220 under Title IV (Rehabilitation Act Amendments of 1998), and the Architectural and Transportation Barriers Compliance Board Electronic and Information Technology (EIT) Accessibility Standards (36 CFR part 1194) require that all EIT acquired must ensure that:
• Federal employees with disabilities have access to and use of information and data that is comparable to the access and use by Federal employees who are not individuals with disabilities; and
• Members of the public with disabilities seeking information or services from an agency have access to and use of information and data that is comparable to the access to and use of information and data by members of the public who are not individuals with disabilities.
This requirement includes the development, procurement, maintenance, and/or use of EIT products/services. Therefore, any proposal submitted in response to this solicitation must demonstrate compliance with the established EIT Accessibility Standards. Further information about Section 508 is available via the Internet at http://www.section508.gov.

A. Indian Health Service (IHS) Federal Risk and Authorization Management Program (FedRAMP) Privacy and Security Requirements
The Contractor (and/or any subcontractor) will be responsible for the following privacy and security requirements:
1) FedRAMP Compliant Authority to Operate (ATO). Comply with FedRAMP Security Assessment and Authorization (SA&A) requirements and ensure the information system/service under this contract has a valid FedRAMP compliant (approved) ATO in accordance with the Federal Information Processing Standard (FIPS) Publication 199 defined security categorization. If a FedRAMP compliant ATO has not been granted, the Contractor must submit a plan to obtain a FedRAMP compliant ATO within 30 days of the contract-award date.
a. Implement applicable FedRAMP baseline controls commensurate with the IHS-defined security categorization and the applicable FedRAMP security control baseline (www.FedRAMP.gov). The US Department of Health and Human Services (HHS) Information Security and Privacy Policy (IS2P) and the HHS Cloud Computing and Federal Risk and Authorization Management Program (FedRAMP) Guidance further define the baseline policies as well as roles and responsibilities. The Contractor will also implement a set of additional controls identified by the agency when applicable.
b. A security control assessment must be conducted by a FedRAMP third-party assessment organization (3PAO) for the initial ATO and annually thereafter, or whenever there is a significant change to the system's security posture, in accordance with the FedRAMP Continuous Monitoring Plan.
2) Data Jurisdiction. The Contractor must store all information within the security authorization boundary, including data at rest and data backups, within the United States (US).
3) Service Level Agreements. The Contractor must understand the terms of the service agreements that define the legal relationships between cloud customers and cloud providers and work with IHS to develop and maintain an SLA.
4) Interconnection/Information Sharing Agreements. The Contractor must establish and maintain Interconnection Agreements/Information Sharing Agreements in accordance with IHS and HHS policies.

B. Protection of Information in a Cloud Environment
1) If contractor (and/or any subcontractor) personnel must remove any information from the primary work area, they must protect it to the same extent they would proprietary data and/or company trade secrets and in accordance with IHS/HHS policies.
2) IHS will retain unrestricted rights to federal data handled under this contract. Specifically, IHS retains ownership of any user created/loaded data and applications collected, maintained, used, or operated on behalf of IHS and hosted on the contractor's infrastructure, and maintains the right to request full copies of these at any time. If requested, data must be available to IHS within one (1) business day from the request date. In addition, the data must be provided at no additional cost to IHS.
3) The Contractor (and/or any subcontractor) must ensure that the facilities that house the network infrastructure are physically and logically secure in accordance with FedRAMP requirements and IHS and HHS policies.
4) The Contractor must support a system of records in accordance with National Archives and Records Administration (NARA) approved records schedule(s) and protection requirements for federal agencies to manage their electronic records in accordance with 36 CFR § 1236.20 & 1236.22 (ref. a), including but not limited to the following:
a. Maintenance of links between records and metadata, and
b. Categorization of records to manage retention and disposal, either through transfer of permanent records to NARA or deletion of temporary records in accordance with NARA-approved retention schedules.
5) The disposition of all IHS data will be at the written direction of IHS. This may include documents returned to IHS control, destroyed, or held as specified until otherwise directed. Items returned to the Government must be hand carried or sent by certified mail to the Contracting Officer's Representative (COR).
6) If the system involves the design, development, or operation of a system of records on individuals, the Contractor must comply with Privacy Act requirements.

C. Security Assessment and Authorization (SA&A) Process
1) The Contractor (and/or any subcontractor) must comply with IHS/HHS and FedRAMP requirements as mandated by federal laws, regulations, and IHS/HHS policies, including making available any documentation, physical access, and logical access needed to support the SA&A requirement. The level of effort for the SA&A is based on the system's FIPS 199 security categorization and IHS/HHS security policies. The Contractor must obtain a FedRAMP certification within 30 days of the contract-award date.
a. In addition to FedRAMP certification, the Contractor must develop and complete an agency SA&A package to obtain an agency ATO prior to system deployment/service implementation. The agency ATO must be approved by the IHS Authorizing Official (AO) prior to implementation of the system and/or service being acquired.
b. CSP systems must leverage a FedRAMP accredited third-party assessment organization (3PAO).
c. For all acquired cloud services, the SA&A package must contain the following documentation (IHS SA&A deliverables): System Security Plan (SSP), Security Assessment Plan (SAP), Plan of Action and Milestones (POA&M), Security Test and Evaluation (ST&E), and Security Assessment Report (SAR). Following the initial ATO, the Contractor must review and maintain the ATO in accordance with IHS/HHS policies. The Contractor must use IHS-provided templates.
2) IHS reserves the right to perform penetration testing on all systems operated on behalf of the agency.
If IHS exercises this right, the Contractor (and/or any subcontractor) must allow IHS employees (and/or designated third parties) to conduct Security Assessment activities, including control reviews, in accordance with IHS requirements. Review activities include, but are not limited to, vulnerability scanning of operating systems, web applications, wireless networks, network devices (routers, switches, firewalls, and IDS/IPS), databases, and other applicable systems, including the general support structure, that support the processing, transportation, storage, or security of Government information.
3) The Contractor must identify any gaps between the required FedRAMP Security Control Baseline/Continuous Monitoring controls and the Contractor's implementation status as documented in the Security Assessment Report and related Continuous Monitoring artifacts. All gaps must be documented and tracked by the Contractor for mitigation in a POA&M document. Depending on the severity of the risks, IHS may require remediation at the Contractor's expense before issuing an ATO.
4) The Contractor (and/or any subcontractor) must mitigate security risks for which they are responsible, including those identified during SA&A and continuous monitoring activities. All vulnerabilities and other risk findings must be remediated within the prescribed timelines from discovery: (1) critical vulnerabilities no later than thirty (30) days and (2) high, medium and low vulnerabilities no later than sixty (60) days. In the event a vulnerability or other risk finding cannot be mitigated within the prescribed timelines above, it must be added to the designated POA&M and mitigated within IHS-designated timelines. IHS will determine the risk rating of vulnerabilities.
5) Revocation of a Cloud Service. IHS has the right to take action in response to the CSP's lack of compliance and/or increased level of risk. In the event the CSP fails to meet IHS and FedRAMP security and privacy requirements and/or there is an incident involving sensitive information, IHS may suspend or revoke an existing agency ATO (either in part or in whole) and/or cease operations. If an ATO is suspended or revoked in accordance with this provision, the CO and/or COR may direct the CSP to take additional security measures to secure sensitive information. These measures may include restricting access to sensitive information on the Contractor information system under this contract. Restricting access may include disconnecting the system processing, storing, or transmitting the sensitive information from the Internet or other networks, or applying additional security controls.

D. Reporting and Continuous Monitoring
Following the initial IHS ATO, the Contractor (and/or any subcontractor) must perform the minimum ongoing continuous monitoring activities specified below, submit required deliverables by the specified due dates, and meet with the system/service owner and other relevant stakeholders to discuss the ongoing continuous monitoring activities, findings, and other relevant matters. The CSP will work with the agency to schedule ongoing continuous monitoring activities. Continuous Monitoring activities should be in alignment with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-137 and the FedRAMP Continuous Monitoring Strategy Guide.
1) At a minimum, the Contractor must provide the following artifacts/deliverables on a monthly basis:
a. Operating system, database, web application, and network vulnerability scan results;
b. Updated POA&Ms;
c. Any updated authorization package documentation as required by the annual attestation/assessment/review or as requested by the IHS System Owner or AO; and
d. Notification prior to any configuration changes to the system and/or system components or the CSP's cloud environment that may impact IHS's security posture.
Changes to the configuration of the system, its components, or environment that may impact the security posture of the system under this contract must be IHS approved.

E. Configuration Baseline
1) The Contractor must certify that applications are fully functional and operate correctly as intended on systems using the Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs) configuration baseline. The standard installation, operation, maintenance, updates, and/or patching of software must not alter the configuration settings from the approved IHS configuration baseline.
2) The Contractor must use Security Content Automation Protocol (SCAP)-validated tools with configuration baseline scanner capability to certify that their products operate correctly with IHS-defined configurations and do not alter these settings.

F. Incident Reporting
The Contractor (and/or any subcontractor) must respond to all alerts/Indicators of Compromise (IOCs) provided by the HHS Computer Security Incident Response Center (CSIRC)/IHS CSIRT teams within 24 hours, whether the response is positive or negative. FISMA defines an incident as "an occurrence that (1) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or (2) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies." The HHS Policy for IT Security and Privacy Incident Reporting and Response further defines incidents as events involving cybersecurity and privacy threats, such as viruses, malicious user activity, loss of, unauthorized disclosure or destruction of data, and so on.
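In practice, answering an IOC request under section F means sweeping the provider's own logs for every indicator the CSIRC/CSIRT supplied and returning an explicit positive or negative finding for each one inside the 24-hour window. The Python below is an added example written for this page, not code from IHS, HHS, FedRAMP or any offeror. The indicators, hosts, hashes and log lines are constructed, and the key=value field names it parses (host=, query=, sha256=) are an assumed log format, not one the solicitation specifies.

```python
"""IOC sweep for a CSIRC/CSIRT indicator request (section F).

Added example for this page, not code from IHS, HHS, FedRAMP or any offeror.
Every indicator gets an explicit positive/negative answer, and an indicator the
sweep cannot evaluate is reported as "unsupported" rather than as a silent
negative. The indicators, hosts, hashes and log lines are constructed; the
key=value field names (host=, query=, sha256=) are an assumed log format.
"""
import hashlib
import ipaddress
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

RESPONSE_WINDOW = timedelta(hours=24)  # section F: respond within 24 hours

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
HOST_RE = re.compile(r"\b(?:host|query|dst_host)=([A-Za-z0-9.-]+)")

# Constructed sample: the hash of a file that never existed.
SAMPLE_SHA256 = hashlib.sha256(b"constructed-sample").hexdigest()

# Constructed indicator set; the alert time starts the 24-hour clock.
IOC_RECEIVED_AT = datetime(2018, 6, 1, 9, 0, tzinfo=timezone.utc)
IOCS = [
    {"type": "ipv4", "value": "203.0.113.45"},        # TEST-NET-3 address
    {"type": "domain", "value": "update.example.net"},
    {"type": "sha256", "value": SAMPLE_SHA256},
    {"type": "ipv4", "value": "198.51.100.0/24"},     # a CIDR indicator
    {"type": "email", "value": "x@example.net"},      # type this sweep cannot check
]

# Constructed proxy/DNS/EDR log lines; no real hosts or hashes.
LOG_LINES = [
    "2018-06-01T10:15:02Z proxy src=10.20.30.40 dst=203.0.113.45 host=cdn.example.org status=200",
    "2018-06-01T10:16:44Z dns client=10.20.30.41 query=update.example.net rcode=NOERROR",
    "2018-06-01T10:17:09Z edr host=app01 file=C:\\tmp\\x.exe sha256=" + SAMPLE_SHA256,
    "2018-06-01T10:18:30Z proxy src=10.20.30.42 dst=192.0.2.7 host=intranet.local status=304",
]


@dataclass
class IocResult:
    ioc_type: str
    value: str
    result: str                 # "positive", "negative" or "unsupported"
    hits: list = field(default_factory=list)


def _match_ipv4(value, line):
    """A host or CIDR indicator matches any address in the line that falls inside it."""
    net = ipaddress.ip_network(value, strict=False)
    for ip in IP_RE.findall(line):
        try:
            if ipaddress.ip_address(ip) in net:
                return True
        except ValueError:      # e.g. 999.1.1.1 passes the regex but is not an address
            continue
    return False


def _match_domain(value, line):
    """Exact host or any subdomain of it, case-insensitive, trailing dot ignored."""
    want = value.lower().rstrip(".")
    for host in HOST_RE.findall(line):
        h = host.lower().rstrip(".")
        if h == want or h.endswith("." + want):
            return True
    return False


def _match_sha256(value, line):
    return value.lower() in (m.lower() for m in SHA256_RE.findall(line))


MATCHERS = {"ipv4": _match_ipv4, "domain": _match_domain, "sha256": _match_sha256}


def sweep(iocs, lines):
    """Return one IocResult per indicator, in the order the indicators arrived."""
    results = []
    for ioc in iocs:
        matcher = MATCHERS.get(ioc["type"])
        if matcher is None:
            # Never answer "negative" for an indicator we could not actually check.
            results.append(IocResult(ioc["type"], ioc["value"], "unsupported"))
            continue
        hits = [ln for ln in lines if matcher(ioc["value"], ln)]
        results.append(IocResult(ioc["type"], ioc["value"],
                                 "positive" if hits else "negative", hits))
    return results


def response_deadline(received_at):
    return received_at + RESPONSE_WINDOW


def summarize(results):
    """Counts only: nothing here is sensitive, so it can go in a reporting e-mail body."""
    counts = {"positive": 0, "negative": 0, "unsupported": 0}
    for r in results:
        counts[r.result] += 1
    return counts


if __name__ == "__main__":
    results = sweep(IOCS, LOG_LINES)
    print("respond by", response_deadline(IOC_RECEIVED_AT).isoformat())
    for r in results:
        print(f"{r.result:11s} {r.ioc_type:7s} {r.value}  ({len(r.hits)} hit(s))")
    print(summarize(results))
```

Two design points follow from the clause itself: an indicator type the sweep has no matcher for is reported as "unsupported" rather than "negative", because a silent negative is a false assurance to the CSIRT, and the summary carries only counts, so it can be placed in the body of a reporting e-mail while the matching log lines travel as an encrypted attachment, as item 3(b) and 3(c) later in this section require.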
A privacy breach is a type of incident and is defined in OMB Memorandum M-17-12 (the breach definition used under the Federal Information Security Modernization Act (FISMA)) as the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where (1) a person other than an authorized user accesses or potentially accesses personally identifiable information or (2) an authorized user accesses or potentially accesses personally identifiable information for an other than authorized purpose. The HHS Policy for IT Security and Privacy Incident Reporting and Response further defines a breach as "a suspected or confirmed incident involving Personally Identifiable Information (PII)."

In the event of a suspected or confirmed incident or breach, the Contractor (and/or any subcontractor) must:
1) Protect all sensitive information, including any PII created, stored, or transmitted in the performance of this contract, using FIPS 140-2 validated encryption, so as to avoid a secondary sensitive information incident.
2) NOT notify affected individuals unless so instructed by the CO or designated representative. If so instructed by the CO or representative, the Contractor must send IHS approved notifications to affected individuals in accordance with IHS-specific timelines, processes, and formats.
3) Report all suspected and confirmed information security and privacy incidents and breaches, including incidents involving PII/Protected Health Information (PHI) in any medium or form (paper, oral, or electronic), to the IHS Cybersecurity Incident Response Team (CSIRT), COR, Contracting Officer (CO), IHS Senior Official for Privacy (SOP) (or his or her designee), and other stakeholders, as soon as possible and without unreasonable delay, no later than one (1) hour, and consistent with the applicable IHS and HHS policy and procedures, NIST standards and guidelines, as well as US-CERT notification guidelines.
The types of information required in an incident report must include at a minimum: company and point of contact information, contract information, impact classifications/threat vector, and the type of information compromised. In addition, the Contractor must:
a. cooperate and exchange any information, as determined by the Agency, necessary to effectively manage or mitigate a suspected or confirmed breach;
b. not include any sensitive information in the subject or body of any reporting e-mail; and
c. encrypt sensitive information in attachments to email, media, etc.
4) Comply with OMB M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, and IHS/HHS incident response policies when handling PII breaches.
5) Provide full access and cooperate on all activities as determined by the Government to ensure an effective incident response, including providing all requested images, log files, and event information to facilitate rapid resolution of sensitive information incidents. This may involve disconnecting the system processing, storing, or transmitting the sensitive information from the Internet or other networks, or applying additional security controls. This may also involve physical access to contractor facilities during a breach/incident investigation, within an IHS-specified timeline, if required.
6) The Contractor (and/or any subcontractor) must provide an Incident Response Plan (IRP) in accordance with IHS, OMB, and US-CERT requirements and obtain IHS approval. In addition, the Contractor must follow the incident response and US-CERT reporting guidance contained in the FedRAMP Incident Communications Procedures. The Contractor must include the IHS CSIRT, COR, and system Information System Security Officer (ISSO) in any communications with US-CERT.
7) The Contractor (and/or any subcontractor) must implement a program of inspection to safeguard against threats and hazards to the security, confidentiality, integrity, and availability of federal data, and afford IHS access to its facilities, installations, technical capabilities, operations, documentation, records, and databases within two business days of notification. The program of inspection will include, but is not limited to:
a. Conducting authenticated and unauthenticated operating system/network/database/Web application vulnerability scans. IHS/HHS personnel, or agents acting on behalf of IHS/HHS, can perform automated scans using IHS-operated equipment and/or specified tools. The Contractor may choose to run its own automated scans or audits provided the scanning tools and configuration settings are compliant with NIST Security Content Automation Protocol (SCAP) standards and have been approved by the IHS CISO. IHS may request the Contractor's scanning results and, at IHS's discretion, accept those in lieu of IHS-performed vulnerability scans.
b. In the event an incident involving sensitive information occurs, cooperating on all required activities determined by the agency to ensure an effective incident or breach response and providing all requested images, log files, and event information to facilitate rapid resolution of sensitive information incidents. In addition, the Contractor must follow the agency reporting procedures, document the steps it takes to contain and eradicate the incident and recover from it, and provide a post-incident report that includes at a minimum the following:
• Company and point of contact name;
• Contract information;
• Impact classifications/threat vector;
• Type of information compromised;
• A summary of lessons learned; and
• Explanation of the mitigation steps for exploited vulnerabilities to prevent similar incidents in the future.

G. Media Transport
1) The Contractor and its employees will be accountable for, and must document, all activities associated with the transport of government information, devices, and media outside controlled areas and/or facilities. These include information stored on digital and non-digital media (e.g., CD-ROM, tapes, etc.) and mobile/portable devices (e.g., USB flash drives, external hard drives, and SD cards).
2) All information, devices, and media must be encrypted with IHS-approved encryption mechanisms to protect the confidentiality, integrity, and availability of all government information transported outside of controlled facilities.

H. Boundary Protection
1) The Contractor must ensure that restricted government information being transmitted from federal government entities to external entities using cloud services is inspected by a Trusted Internet Connection (TIC) or other IHS-approved equivalent process.
2) The Contractor must route all external connections through a TIC or other IHS-approved equivalent process.
3) Non-Repudiation. The Contractor must provide a system that implements FIPS 140-2 validated cryptography providing origin authentication, data integrity, and signer non-repudiation (in practice, digital signatures; encryption alone provides confidentiality but not non-repudiation).

This contract incorporates one or more clauses by reference, with the same force and effect as if they were given in full text.
The full text of a clause may be accessed electronically at this address: http://farsite.hill.af.mil/VFFARa.htm
(End of clause)
Primary Point of Contact: Daniel Rosenstengel, Contract Specialist, Daniel.Rosenstengel@ihs.gov
Secondary Point of Contact: Paul Premoe, Contracting Officer, Paul.Premoe@ihs.gov
Contracting Office Address: 5600 Fishers Lane, Mail Stop: 09E70, Rockville, Maryland 20857, United States
Place of Contract Performance: 5600 Fishers Lane, Rockville, Maryland 20857, United States
Allow Vendors To Add/Remove From Interested Vendors: Yes
Allow Vendors To View Interested Vendors List: No
Recovery and Reinvestment Act Action: No
TECHNICAL EVALUATION CRITERIA
GENERAL
The major evaluation factors for this solicitation include Technical Capability, Management Approach/Key Personnel, Relevant Past Performance, and Price. Although technical, management, and past performance factors are of paramount consideration in the award of the contract, price is also important to the overall contract award decision. All evaluation factors other than price, when combined, are more important than price. In any case, the Government reserves the right to make award to that offeror whose proposal provides the best overall value to the Government. The evaluation will be based on the demonstrated capabilities of the prospective Contractors in relation to the needs of the project as set forth in the RFP. The merits of each proposal will be evaluated carefully. Each proposal must document the feasibility of successful implementation of the requirements of the RFP. Offerors must submit information sufficient to evaluate their proposals based on the detailed criteria below.
TECHNICAL EVALUATION CRITERIA
I. Technical Capability
1. Offerors shall submit a corporate resume that evidences the company's prior experience with demonstrable past performance in the following areas:
a. development,
b. marketing,
c. implementing,
d. supporting a COTS solution for adverse event reporting, and
e. experience with customer Change Control Boards
2. The system must already be a developed Commercially Available Off-the-Shelf (COTS) product requiring no more than 10% customization. Offerors shall provide their methodology to best meet the agency's customization needs in the most efficient and cost-effective manner.
3. The offer must show how the product will support patient, visitor, and staff adverse event reporting in compliance with AHRQ Common Formats and OSHA requirements.
4. The offer must delineate how the product can support the range of account holders and distributed locations with incident type permission limitations.
5. The offer shall clearly describe the product's enhanced capability for analytics and ease of report generation (beyond use of pivot tables), such as:
a. facility/service unit incident history by month
b. ability for facilities to customize reports
6. Describe the product's automated user management feature, covering not only password renewal but also changes to user management accounts.
7. Offerors shall provide examples of past achievements that reflect their timely primary, specialty, and emergency care capability through lower-cost settings.
8. The Offeror's demonstrated and documented examples of quality assurance, quality control, data protection, and user account management.
9. Degree of learning curve that the COTS system and contractor-provided documentation/instruction require, and system usability for end-users.
10. Describe the plan to become FedRAMP compliant for the IHS environment.
11. IAW HHSAR 352.239-73(b) ELECTRONIC INFORMATION AND TECHNOLOGY ACCESSIBILITY NOTICE (DEC 2015), the offeror shall submit its methodology to meet Section 508 requirements. Offers shall not be considered acceptable without addressing and meeting this requirement.
12. Transition Plan to make the COTS software fully operational for all IHS Areas.
13. An in-person software demonstration at IHS Headquarters in Rockville, MD will be requested.
The Technical Capability Section above is limited to 25 pages.
II. Management Approach/Key Personnel
1. The Vendor must have dedicated permanent staff to facilitate implementation and support of the product over its lifetime. The Offeror shall submit resumes for all Key Personnel to be utilized in the performance of these requirements. The contractor is to determine and provide a list of 4 to 8 key personnel and their proposed roles leading significant areas of the operation. The Offeror shall clearly note which requirements section each proposed individual would work in. Also, the Offeror shall certify that the information submitted on each key person is true and complete. Each resume shall be limited to three (3) pages.
2. Management Approach/Enhanced support - Ability of the contractor to provide enhanced support using key methods, techniques, processes, procedures, etc. to provide additional support to monitor and measure complex processes, identify and mitigate potential risks, ensure the accuracy and timeliness of critical data and reports, and communicate effectively to meet the needs of the IHS customers and users.
This Section, except resumes for Key Personnel, is limited to 7 pages.
III. Relevant Past Performance
Offerors will be evaluated on performance under existing contracts and performance on prior contracts. Offerors should note the difference between past performance and past experience. Past performance relates to quality and how well a Contractor performed, while past experience is about the type and amount of work previously performed by a Contractor. The Offeror will be evaluated to assess the demonstrated quality of performance on similar work, to include the ability to control the quality and cost of work, timeliness of performance, and effectiveness at accomplishing the goals of previous work.
Offerors are required to provide evidence of three (3) contracts, performed during the past seven years or currently in process, for services relevant to those being solicited under this solicitation. Relevant contracts are those contracts that are of similar scope, magnitude, nature, and work. A representative of IHS may contact the offeror's previous customer(s) for a phone interview to help rate the offeror's performance. The Federal Government uses the Contractor Performance Assessment Reporting System (CPARS) to document contractor performance information that is required by Federal Regulations. Past performance information entered into CPARS is available to federal agencies through a separate system called the Past Performance Information Retrieval System (PPIRS) for source selection purposes. The Government may supplement the information offerors provide with performance information it may obtain from any source, including its own experience with the offeror.
1. The Past Performance Volume shall include the following information for each contract:
• Points of contact (Contracting Officer, Contracting Officer's Representative and any other pertinent officials that can verify performance) - name, agency/company, address, phone number and email address
• Contract title
• Contract number (and task order number when applicable)
• Total original, present and/or final contract dollar value
• Project description and size information
• Relevancy to the SOW for the subject solicitation
• Did the contract include small business subcontract goals and monetary targets for small disadvantaged business (SDB) participation? If so, were the goals and/or targets met?
• Provide an explanation of problems, delays, cost overruns and corrective actions taken
• Contract holder status (prime or sub-contractor)
2. All Concerns shall submit a short narrative that describes their experience in working with communities and organizations that represent a broad range of American Indian and Alaska Native People. Also, the offeror shall demonstrate its understanding of the IHS mission, goals and customers. This submission shall be limited to 10 pages, excluding the questionnaires.
COST/PRICE FACTORS
Offerors' cost/price proposals will be evaluated for reasonableness. For a price to be reasonable, it must represent a price to the Government that a prudent person would pay when consideration is given to prices in the market. Normally, price reasonableness is established through adequate price competition, but it may also be determined through cost and price analysis techniques as described in FAR 15.404.
EVALUATION OF OPTIONS
It is anticipated that any contract awarded from this solicitation will contain option provision(s) and period(s). In accordance with FAR clause 52.217-5, Evaluation of Options (July 1990), the Government will evaluate offers for award purposes by adding the total price for all options to the total price of the basic requirement, except when it is determined in accordance with FAR 17.206(b) not to be in the Government's best interests. Evaluation of options will not obligate the Government to exercise the option(s).
- Web Link
-
FBO.gov Permalink
(https://www.fbo.gov/spg/HHS/IHS/AMB/18-236-SOL-00026/listing.html)
- Place of Performance
- Address: 5600 Fishers Lane, Rockville, Maryland, 20857, United States
- Zip Code: 20857
- Record
- SN04938354-W 20180602/180531230906-61f8aec7ed164041b4f993d658763679 (fbodaily.com)
- Source
-
FedBizOpps Link to This Notice
(may not be valid after Archive Date)