SOURCES SOUGHT
C -- 589A7-19-406 Conduct Physical Security Assessment
- Notice Date
- 6/6/2019
- Notice Type
- Synopsis
- NAICS
- 541990 — All Other Professional, Scientific, and Technical Services
- Contracting Office
- Department of Veterans Affairs;Network Contracting Office (NCO) 15;3450 S 4th Street Trafficway;Leavenworth KS 66048
- ZIP Code
- 66048
- Solicitation Number
- 36C25519R0098
- Archive Date
- 7/6/2019
- Point of Contact
- 913-946-1126
- Small Business Set-Aside
- Service-Disabled Veteran-Owned Small Business
- Description
- Synopsis: CONTRACT INFORMATION This A-E Services requirement is being procured in accordance with the Brooks Act (Public Law (PL0582) and implemented in accordance with the Federal Acquisition Regulation (FAR) Subpart 36. Firms will be selected based on demonstrated competence and qualifications for the required work. This procurement is restricted to Service Disabled Veteran Owned Small Business (SDVOSB) firms. This requirement is being procured in accordance with the VAAR 836.606-73 as implemented in FAR Subpart 36.6. This is not a Request for Proposal and an award will not be made with this announcement. This announcement is a request for SF 330s from qualified contractors that meet the professional requirements. The selection criteria for this acquisition will be in accordance with FAR 36.602-1 and VAAR 836.602-1 and are listed below in descending order of importance. The completed SF 330 will be evaluated by the Wichita VA Health Care System Evaluation Board in accordance with FAR 36.602-5(a) and the selection report shall serve as the final selection list, which will be provided directly to the Contracting Officer. The Government will not pay nor reimburse any costs associated with responding to this request. The Government is under no obligation to award a contract as a result of this announcement. Award of any resultant contract is contingent upon the availability of funds. No solicitation document is available and no other information pertaining to project scope, etc. is available at this time. Any request for assistance with submission or other procedural matters shall be submitted via email only to Sean.Jackson@va.gov and Jennifer.Sotomayor@va.gov. Personal visits to discuss this announcement will not be allowed. Site visits will not be allowed. The NAICS code for this procurement is 541990, All Other Professional, Scientific and Technical Services, with a small business size standard of $15.0M.
Award of a Firm Fixed Price contract is anticipated. Anticipated time for completion of design is approximately 180 calendar days including time for VA reviews.

DATABASE REGISTRATION INFORMATION: VERIFICATION OF STATUS OF APPARENTLY SUCCESSFUL OFFEROR THIS ACQUISITION IS 100% SET-ASIDE FOR QUALIFIED SERVICE DISABLED VETERAN OWNED SMALL BUSINESS AE FIRMS IN COMPLIANCE WITH VAAR 852.219-10. ONLY BUSINESSES VERIFIED AND LISTED IN THE VENDOR INFORMATION PAGES DATABASE, (http://www.Vetbiz.gov), SHALL BE CONSIDERED.

SYSTEM FOR AWARD MANAGEMENT (SAM): Federal Acquisition Registrations require that federal contractors register in the System for Award Management (SAM) database at www.sam.gov and enter all mandatory information into the system. Award cannot be made until the contractor has registered. Offerors are encouraged to ensure that they are registered in SAM prior to submitting their qualifications package.

THE EXCLUDED PARTIES LIST SYSTEM (EPLS): To ensure that the individuals providing services under the contract have not engaged in fraud or abuse regarding Sections 1128 and 1128A of the Social Security Act regarding federal health care programs, the contractor is required to check the Excluded Parties List System (EPLS) located at www.sam.gov for each person providing services under this contract. Further the contractor is required to certify that all persons listed in the qualifications package have been compared against the EPLS list and are NOT listed. During the performance of this contract the Contractor is prohibited from using any individual or business listed on the List of Excluded Individuals/Entities.

E-VERIFY SYSTEM: Companies awarded a contract with the federal government shall be required to enroll in E-Verify within 30 days of the contract award date.
They shall also need to begin using the E-Verify system to confirm that all of their new hires and their employees directly working on federal contracts are authorized to legally work in the United States. E-Verify is an Internet-based system that allows an employer, using information reported on an employee's Form I-9, to determine the eligibility of that employee to work in the United States. There is no charge to employers to use E-Verify. (FAR 52.222-54)

A-E firms are required to respond if interested by submitting one (1) completed Standard Form 330 qualification package Parts I and II to include all consultants (form available on-line at: http://www.gsa.gov/portal/forms/download/116486). Must include in Part I Section H an organizational chart of the firm (excludes consultants) and a design quality management plan. Submission information incorporated by reference is not allowed. All submissions shall be made electronically. Completed package shall be delivered electronically on or before Thursday 27, 2019 at 2:00PM Central Standard Time to the NCO 15 Contracting Office, Attn: Sean Jackson, Contracting Officer: Sean.Jackson@va.gov and Jennifer Sotomayor, Contracting Officer: Jennifer.Sotomayor@va.gov.

A/E CONTRACT SUPPLEMENT B PROJECT NUMBER: 589A7-19-406 PROJECT TITLE: Conduct Physical Security Assessment of Facilities Owned and Leased by the Robert J. Dole VA Medical Center, Wichita, Kansas

B1 SCHEDULE OF SERVICES: INTRODUCTION The mission of the Department of Veterans Affairs is to provide the highest quality health care to our nation's veterans. In order to accomplish this mission, we must protect the health and safety of patients, employees, and visitors. All VA facilities must follow the Mission Critical and Life Safety Physical Security Design Manuals (PSDMs) for security design guidelines. In addition, the VA Office of Construction & Facilities Management (OCFM) has published recent updated guidance on security requirements for leased facilities.
The Veterans Health Administration (VHA) physical security design manuals are located at:
Mission Critical Facilities: https://www.cfm.va.gov/til/PhysicalSecurity/dmPhySecMC.pdf
Life Safety Protected Facilities: https://www.cfm.va.gov/til/PhysicalSecurity/dmPhySecLS.pdf
The summary of changes to the PSDMs in the Technical Information Library (TIL) dated January 2015 and all relevant appendices as well as the Security System Application Matrix below.
http://www.cfm.va.gov/til/PhysicalSecurity/dmPhySecAppB.xlsx
Real Property Policy Memorandum 2018-02 Physical Security Standards for Leased Facilities are attached.

GENERAL SCOPE OF WORK The PSDMs contain the physical security standards for improving the protection of mission critical and life safety facilities of the U.S. Department of Veterans Affairs (VA). Mission Critical facilities are those required to continue operation during a natural or manmade extreme event. Life-safety protected facilities shall include all VA facilities designated as not mission critical. Guidance found on Real Property Policy Memorandum 2018-02 applies to all leased facilities. This assessment will include both owned and leased facilities of the Robert J. Dole Veterans Administration Medical Center as identified on Attachment A, List of VA Leased/Licensed Facilities and Attachment B, List of VA Owned Buildings. The physical security of facilities requires the use of concentric levels of control and protection to provide progressively enhanced levels of security to deter, prevent, detect, delay, and respond to threats in the protection of assets. The concept of concentric levels of control is to protect the central asset behind layers of security measures such that it is least exposed to the threats. Where a single line of defense might be easily breached, the concentric levels approach offers redundancy in lines of defense that is less likely to be breached.
VA also follows the principles of Crime Prevention Through Environmental Design (CPTED, see www.cpted.net). CPTED strategies include elements of natural surveillance, natural access control, and natural territorial reinforcement. CPTED strategies are to be considered by the contractor in the development of recommendations tasked below to create and enhance the concentric circles or layers of security protection. The SOW for this task order organizes the VA PSDM concepts for existing campus/buildings into 3 tasks based on the Point of Control level and applicable PSDM concept chapters 3-10 for existing buildings.

General Scope Tasks:

Task 1 PSDM Point of Control levels 1 and 2: The first objective of the physical security assessment is to compare and develop a gap analysis of existing building and site conditions as they relate to the VA's PSDM's first and second level points of control. The assessment will be made through document review and data gathering, owner interviews, and guided walkthrough non-invasive visual inspections addressing each of the applicable PSDM concepts. The document review will be based on VA provided Facilities Condition Assessments (FCAs), existing building data, past security assessments, current Capital Plans (SCIP and Master Plans), existing as-built building drawings, Site Plans, and Google Earth building visual analyses. Interviews will be scheduled and coordinated with required VA staff to obtain compliance knowledge prior to visual inspections. The contractor's visual inspection team will be accompanied by appropriate VA staff such as engineering and police. This task will apply to both owned and leased facilities identified in Attachment A & B.

Task 2 PSDM Point of Control levels 3-5: The second objective of the physical security assessment is to compare and develop a gap analysis of existing building conditions as they relate to the VA's PSDM's third through fifth points of control.
This assessment will be conducted through document review, data gathering, and owner interviews. A physical inspection is not required for these PSDM concepts. The document review will be based on VA provided Facilities Condition Assessments (FCAs), existing building data, past security assessments, current Capital Plans (SCIP and Master Plans), existing as-built building drawings, Site Plans, and Google Earth building visual analyses. Interviews will be scheduled and coordinated with required VA staff to obtain compliance knowledge. If, as part of the document review and interview process, it is determined sufficient information does not exist to determine a gap with the PSDM concepts, the contractor will flag the applicable PSDM concept for the need of a future assessment. This task will apply only to owned buildings identified in Attachment B.

Task 3 Structural Analysis: There are sections of the VA PSDM requiring certain existing building or site components meet specified test levels, blast and/or structural calculations. The VA is not requesting anti-ram testing, deflection calculations or testing, blast load calculations, or any other required structural system calculations. Where such items are specified in the VA PSDM, the risk assessments specified under Task 1 and Task 2 above will be based on a desk top audit of any related VA provided information; and the limits of the non-invasive visual walkthrough specified under Task 1. Structural Analysis by a qualified structural engineer will be limited to providing high level input into the recommendations associated with Task 1 only which focuses on protection of the building exteriors from blast and vehicular ramming threats. The PSDM has been interpreted such that Progressive Collapse review is not required for existing buildings.
To address potential risk associated with the VA's PSDM Progressive Collapse requirements, analysis to be performed under Task 3 of this SOW will be limited to the development of a list of high risk owned and leased buildings based on a VA provided list of buildings that are more than one floor. The contractor will develop a list of these buildings and develop recommendations in the summary report limited to those that would enhance building perimeter protection.

Specific Scope Tasks:

Members of the A/E Analysis Team: The contractor shall form a project team to work with VA representatives to create the VA/A-E Analysis Team, which shall include, at a minimum, Risk Analyst, Architect, Physical Security expert, and VA Police, Planning and Engineering representatives. The Plan shall include their titles, roles, and contact information.

Gap Analysis and Recommendations: In support of Task 1 and 2 above, Contractor shall record and identify gaps and vulnerabilities between existing conditions and the PSDM concepts. The contractor shall establish corrective action recommendations to be taken when buildings are deemed to be at risk or non-compliant with current PSDMs.

Risk Analysis Summaries: Contractor shall develop a Risk Analysis Summary integrating assessment findings that includes building numbers, risk elements related to the specified PSDM concepts, and the corrective action recommendations to alleviate the risks for each building analyzed. The summaries shall also indicate whether the contractor team judges the risk to be significant and briefly state the basis for that decision. The risk summaries and preferred corrective recommendations shall be organized into a spreadsheet report that can also be placed as a legend on the campus site diagram.
Develop Rough Order of Magnitude Budget Estimates and Service Implications: Contractor shall develop high level cost and budget estimates, on a rough order of magnitude, to implement the recommended corrective actions for each building and portray the implications of the recommendations in terms of costs and interruption of services.

Campus Site Diagram: The contractor will develop a campus based site diagram to identify out of compliance deficiencies. The site diagram shall provide call-out symbols for each identified Task 1 and Task 2 deficiency placed at or near the location of the deficiency, cross-referenced to a summary legend placed on the diagram. The diagram should also include a graphical representation of non-compliant facility standoff distances to roads and parking. The diagram will color code mission critical and life safety buildings. To accommodate the data to be placed on the diagram, a standard 30X42 drawing size is acceptable. Review shall include proposed parking and road changes for the main campus.

Assessment Schedules: Contractor shall review Scope of Work, and then develop a work plan/process (work breakdown structure - WBS) as well as a schedule of facility and building survey/analyses to be submitted to the Contracting Officer (CO) and Contracting Officer Representative (COR) for approval prior to start of the assessments. Contractor shall ensure the schedules include the dates, hours, and tasks to be applied to the assessments.

Master Plan Updates: Contractor shall create an Annex to the facility Master Plan incorporating the findings of the risk assessment into the plan. The Contractor shall compare all recommended corrective actions to the most recent SCIP Action plan and existing Master Plan and develop a report demonstrating additional projects that need to be added in SCIP Master Plans. The facility will be responsible for entering any needed projects into their Master Plans and SCIP plans.
The annex will be a hard copy binder that includes the Campus Site Diagram, risk assessment findings, Task 3 high risk list of buildings for Progressive Collapse, recommended corrective actions, summary report, and list of projects to be added into the SCIP action plan. The A/E shall make recommendations to the VA representatives as to which deficiencies should be corrected through capital initiatives and which should be submitted for a waiver or exception. The A/E shall be solely responsible for the Task Order management, including all associated labor, equipment, materials, mailing costs, and inspections, to meet the requirements of the study project. The A/E shall further provide meeting minutes for all meetings held under this study project.

Data Gathering and Kickoff Meetings: The VA Contracting Officer (CO), VA Contracting Officer Representative (COR), and Contractor shall conduct a post award Kickoff meeting at the facility to discuss and develop a process and checklist for data gathering, collection of existing materials, and drawings. The statement of work will be reviewed and the Contractor shall identify any questions or other issues which need to be addressed in the Task Order before contractor begins the study. The Facility Team shall work collaboratively with the Contractor to provide data required with sufficient detail, in an appropriate format, and in a timely manner to complete the studies, surveys, and analyses. The Contractor will be expected to collect any additional data and information, as available, from both VA corporate and local VA sources that would enhance the survey.

SPECIFIC WORK PROCESS The work processes for the data analyses, buildings assessments, corrective recommendations, Master Plan implementation of recommendations, and risk reviews shall be in accordance with the general schedule below. Period of performance shall not exceed 180 calendar days.
Facility Requirements: The following shall be provided by the facility to Contractor: The facility shall determine who will make key decisions in support of the discrepancies, risk areas, and corrective action plans. These team members shall participate in the kickoff meeting before the onsite risk assessments and the final review summary. At a minimum this team shall include representation from Facility leadership, Engineering, Planning, Police, and Emergency Management & Safety. Each facility shall provide a knowledgeable site engineer, familiar with the existing buildings and structures, to accompany the contractor during any onsite risk assessment site reviews of main and leased facilities. Available architectural schematic drawings to review existing buildings on facilities as well as any other visual photos, schemata, and drawings necessary to ascertain risk assessments for at risk buildings.

EVALUATION FACTORS: Selection Criteria are in accordance with Federal Acquisition Regulation (FAR) Part 36.602-5 and VA Acquisition Regulation (VAAR) Part 836.602-1. Prospective firms are required to address all selection criteria within submitted SF330 packages using additional pages as necessary. SF 330 submissions including any additional pages are not to exceed fifty (50) pages. Each page cannot exceed 8 1/2 x 11 in size. Qualifications (SF330) submitted by each firm for Project #589A7-19-406 for the Wichita VA Medical Center will be reviewed and evaluated based on the following evaluation criteria listed below in descending order of importance:

(1) PROFESSIONAL QUALIFICATIONS: The qualifications of the individuals which will be used for these services will be examined for experience and education and their record of working together as a team.
A&E firms shall have licensed professional architects/engineers currently registered in the state of Kansas or in a state of which Missouri has recognized the engineering license. The specific disciplines which will be evaluated are Risk Analyst, Architect, Physical Security expert, Civil Engineer, Structural Engineer, Estimator, CAD operator, and Project Manager.

(2) SPECIALIZED EXPERIENCE AND TECHNICAL COMPETENCE: Specific experience and technical skill in the type and scope of work required to conduct a Physical Security Assessment for existing medical facilities and leased facilities, including, where appropriate, experience in conducting Physical Security Assessments in accordance with the Physical Security Design Manual (PSDM) which includes gap analysis, risk analysis, budget estimates, site diagrams, and structural analysis, will be examined. Experience and qualifications of personnel proposed for assignment to the project and their record of working together as a team.

(3) CAPACITY TO ACCOMPLISH WORK: The general work load and staffing capacity of the design office which will be responsible for the majority of the design and the ability to accomplish the work in the required time. In accordance with VAAR 852.219-10(c)(1), prime contractors shall clearly demonstrate how they will meet the requirement that at least 50 percent of the design work be accomplished by employees of the concern or employees of eligible service-disabled veteran owned small business subcontractor/consultant.
(4) PAST PERFORMANCE: The VA will consider at a minimum three past performance projects related to the Physical Security Assessments and/or design and construction that has met the current Physical Security Design Manual requirements that are complete and that the firm has completed relevant in scope to the advertised project that were accomplished with the Department of Veterans Affairs, other Government agencies, and private industry in terms of cost control, quality of work, and compliance with performance schedules will be examined. Project past performances that are older than 3 years will receive a lesser score than those references for projects accomplished within the past 3 years.

(5) CLAIMS AND TERMINATIONS: Provide documentation of significant claims against the firm or terminated contracts because of improper or incomplete architectural and engineering services. They will be examined.

B2 INDUSTRIAL HYGIENE SERVICES: NA

B3 GOVERNMENT FURNISHED DESIGN CRITERIA: NA

B4 DESIGN DELIVERABLES: A single tabbed binder to include the Campus diagram, final Building Assessment Analyses, Recommended Corrective Actions, Cost Estimates Reports. The binders shall be comprised of both written and electronic documentation (CDs): 2 complete copies for the medical center, one CD copy for the Contracting Officer (no binder), and one copy (binder and CD) for the CAM office. The CD for the Contracting Officer shall be mailed directly to Sean Jackson, Contracting Officer, 3450 S. 4th Street, Leavenworth, Kansas 66048.

B5 DESIGN REVIEW AND COMPLETION SCHEDULE: The A/E shall perform the work required by this contract within 180 calendar days reflective of schedule below.
The A/E shall provide Professional Architects and Engineers as directed by the Contracting Officer or designee who are familiar with the work to attend the Design Reviews on the following days:

Milestones: Timeline
Kickoff Meeting/NTP: Within 20 days of Notice to Proceed (NTP); Contractor presents Draft Plan for facility analyses and draft survey schedules
VA Review of Draft facility survey schedules: Within 10 calendar days of receipt of Contractor's schedule plan
Contractor submits Final work plan and schedule plan for Approval: Within 10 calendar days after receiving VA comments
Complete onsite building risk assessments: Within 90 days of approved survey schedule for all applicable sites and locations
VA and Contractor meeting to verify recommended corrective strategies identified in plans/reports, as well as recommendations for waiver requests for each facility: Within 30 days of assessments
Submit Draft Final Report and Deliverables: Within 30 days of recommended corrective strategies meeting
VA and Contractor joint review of draft report (teleconference): Within 15 days of draft report
Submit Final Report Deliverables and presentation: Within 20 days of teleconference joint review

The Contracting Officer (CO) may schedule additional Design Reviews as necessary when it is determined by the CO that such reviews are required for satisfactory completion of A/E contract requirements. The A/E will be reimbursed for additional review meetings in accordance with the rate sheet, unless it is solely determined by the CO that such additional reviews were requested by the A/E or were required due to the A/E's failure to meet contract requirements. The A/E is responsible for recording the minutes of all meetings. The format of the meeting minutes shall be subject to prior approval from the VA COR.
The draft meeting minutes shall be distributed for review and comment within one working day to the CO and COR following the meeting to the COR, who will in turn distribute the same to each invited VA-attendee as required. Notification by email to the CO and COR that the draft documents are available on an A/E or as an attachment, is the preferred method. The VA shall have two working days upon receipt of the meeting draft documents to make any additional comments or corrections. The final meeting minutes shall be issued within three working days after the meeting to the VA CO and the COR. Milestone review minutes shall comply with the requirements for meeting minutes, except that two days shall be added to each response period. In addition, the submitted milestone review drawing mark-ups by the VA and any review meeting comments shall be described in a tabular form with the comment (listed by discipline), comment originator, party responsible for responding to comment, and a column indicating whether comment was incorporated into design documents. If comment was not incorporated or only partially incorporated, provide an explanation for the action.

The interim and final documents from this Task Order will be subject to review and approval (by signature) of all members of an Integrated Project Team (IPT) consisting of Medical Center personnel. These individuals will be identified by the COR by the first design review meeting. The A/E shall prepare a title sheet for each submission and phase as appropriate to receive approval signatures from members of the IPT. The COR will provide A/E with a copy of the Memorandum identifying IPT members. A complete and final copy of the documents shall be provided by the A/E directly to the Contracting Officer located in Leavenworth, Kansas and the COR located in Wichita, Kansas before final payment will be approved. See B4 Design Deliverables above.
B7 ATTENDANCE AT CONFERENCES: Attendance at Construction Pre-Bid conference IS NOT required with regard to this task order.

B8 STRUCTURAL ECONOMIC ANALYSIS: A structural economic analysis IS NOT required with regard to this task order.

B9 STRUCTURAL/SEISMIC ANALYSIS: A structural/seismic analysis IS NOT required with regard to this task order.

B10 CONSTRUCTION PERIOD SERVICES: NA

B11 SITE VISITS: See Schedule above.

VA INFORMATION CUSTODIAL LANGUAGE Information made available to the contractor or subcontractor by VA for the performance or administration of this contract or information developed by the contractor/subcontractor in performance or administration of the contract shall be used only for those purposes and shall not be used in any other way without the prior written agreement of the VA. This clause expressly limits the contractor/subcontractor's rights to use data as described in Rights in Data - General, FAR 52.227-14(d)(1). VA information should not be co-mingled, if possible, with any other data on the contractors/subcontractor's information systems or media storage systems in order to ensure VA requirements related to data protection and media sanitization can be met. If co-mingling must be allowed to meet the requirements of the business need, the contractor must ensure that VA's information is returned to the VA or destroyed in accordance with VA's sanitization requirements. VA reserves the right to conduct on-site inspections of contractor and subcontractor IT resources to ensure data security controls, separation of data and job duties, and destruction/media sanitization procedures are in compliance with VA directive requirements. Prior to termination or completion of this contract, contractor/subcontractor must not destroy information received from VA, or gathered/created by the contractor in the course of performing this contract without prior written approval by the VA.
Any data destruction done on behalf of VA by a contractor/subcontractor must be done in accordance with National Archives and Records Administration (NARA) requirements as outlined in VA Directive 6300, Records and Information Management and its Handbook 6300.1 Records Management Procedures, applicable VA Records Control Schedules, and VA Handbook 6500.1, Electronic Media Sanitization, attachments found in Section D. Self-certification by the contractor that the data destruction requirements above have been met must be sent to the VA Contracting Officer within 30 days of termination of the contract. The contractor/subcontractor must receive, gather, store, back up, maintain, use, disclose and dispose of VA information only in compliance with the terms of the contract and applicable Federal and VA information confidentiality and security laws, regulations and policies. If Federal or VA information confidentiality and security laws, regulations and policies become applicable to the VA information or information systems after execution of the contract, or if NIST issues or updates applicable FIPS or Special Publications (SP) after execution of this contract, the parties agree to negotiate in good faith to implement the information confidentiality and security laws, regulations and policies in this contract. The contractor/subcontractor shall not make copies of VA information except as authorized and necessary to perform the terms of the agreement or to preserve electronic information stored on contractor/subcontractor electronic storage media for restoration in case any electronic equipment or data used by the contractor/subcontractor needs to be restored to an operating state. If copies are made for restoration purposes, after the restoration is complete, the copies must be appropriately destroyed. 
If VA determines that the contractor has violated any of the information confidentiality, privacy, and security provisions of the contract, it shall be sufficient grounds for VA to withhold payment to the contractor or third party or terminate the contract for default or terminate for cause under Federal Acquisition Regulation (FAR) part 12. If a VHA contract is terminated for cause, the associated BAA must also be terminated and appropriate actions taken in accordance with VHA Handbook 1605.05, Business Associate Agreements. Absent an agreement to use or disclose protected health information, there is no business associate relationship. The contractor/subcontractor must store, transport, or transmit VA sensitive information in an encrypted form, using VA-approved encryption tools that are, at a minimum, FIPS 140-2 validated. i. The contractor/subcontractor's firewall and Web services security controls, if applicable, shall meet or exceed VA's minimum requirements. VA Configuration Guidelines are available upon request. Except for uses and disclosures of VA information authorized by this contract for performance of the contract, the contractor/subcontractor may use and disclose VA information only in two other situations: (i) in response to a qualifying order of a court of competent jurisdiction, or (ii) with VA's prior written approval. The damages in the event of a data breach or privacy incident involving any SPI the contractor/subcontractor processes or maintains under this contract. The contractor/subcontractor shall provide notice to VA of a security incident as set forth in the Security Incident Investigation section above. Upon such notification, VA must secure from a non-Department entity or the VA Office of Inspector General an independent risk analysis of the data breach to determine the level of risk associated with the data breach for the potential misuse of any sensitive personal information involved in the data breach.
The term data breach means the loss, theft, or other unauthorized access, or any access other than that incidental to the scope of employment, to data containing sensitive personal information, in electronic or printed form, that results in the potential compromise of the confidentiality or integrity of the data. Contractor shall fully cooperate with the entity performing the risk analysis. Failure to cooperate may be deemed a material breach and grounds for contract termination. Each risk analysis shall address all relevant information concerning the data breach, including the following: Nature of the event (loss, theft, unauthorized access); Description of the event, including: Date of occurrence; Data elements involved, including any PH, such as full name, social security number, date of birth, home address, account number, disability code; Number of individuals affected or potentially affected; Names of individuals or groups affected or potentially affected; Ease of logical data access to the lost, stolen or improperly accessed data in light of the degree of protection for the data, e.g., unencrypted, plain text; Amount of time the data has been out of VA control; The likelihood that the sensitive personal information will or has been compromised (made accessible to and usable by unauthorized persons); Known misuses of data containing sensitive personal information, if any; Assessment of the potential harm to the affected individuals; Data breach analysis as outlined in 6500.2 Handbook, Management of Security and Privacy Incidents, as appropriate; and Whether credit protection services may assist record subjects in avoiding or mitigating the results of identity theft based on the sensitive personal information that may have been compromised. 
Based on the determinations of the independent risk analysis, the contractor shall be responsible for paying to the VA liquidated damages in the amount of $37.50 per affected individual to cover the cost of providing credit protection services to affected individuals consisting of the following: Notification; One year of credit monitoring services consisting of automatic daily monitoring of at least 3 relevant credit bureau reports; Data breach analysis; Fraud resolution services, including writing dispute letters, initiating fraud alerts and credit freezes, to assist affected individuals to bring matters to resolution; One year of identity theft insurance with $20,000.00 coverage at $0 deductible; and Necessary legal expenses the subjects may incur to repair falsified or damaged credit records, histories, or financial affairs.

Attachment A - List of VA Leased/Licensed Facilities
Attachment B - List of VA Owned Buildings

Station 589A7 5500 East Kellogg, Wichita, KS, 67218

NOTE: THIS NOTICE WAS NOT POSTED TO FEDBIZOPPS ON THE DATE INDICATED IN THE NOTICE ITSELF (06-JUN-2019); HOWEVER, IT DID APPEAR IN THE FEDBIZOPPS FTP FEED ON THIS DATE. PLEASE CONTACT 877-472-3779 or fbo.support@gsa.gov REGARDING THIS ISSUE.
- Web Link
- Link To Document (https://www.fbo.gov/spg/VA/LeVAMC/VAMCKS/36C25519R0098/listing.html)
- Record
- SN05333364-F 20190608/190606230023 (fbodaily.com)