SOURCES SOUGHT
65 -- Cardiopulmonary Stress Test (VA-22-00020245)
- Notice Date
- 12/9/2021 9:51:17 AM
- Notice Type
- Sources Sought
- NAICS
- 334510
— Electromedical and Electrotherapeutic Apparatus Manufacturing
- Contracting Office
- 257-NETWORK CONTRACT OFFICE 17 (36C257) ARLINGTON TX 76006 USA
- ZIP Code
- 76006
- Solicitation Number
- 36C25722Q0135
- Response Due
- 12/15/2021 2:00:00 PM
- Archive Date
- 12/30/2021
- Point of Contact
- Alexander Koshy, Contract Specialist, Phone: 972-708-0899
- E-Mail Address
-
Alexander.Koshy@va.gov
(Alexander.Koshy@va.gov)
- Awardee
- null
- Description
- Cardiopulmonary Exercise Test (CPX) B.1 Statement of Work (SOW) General: This statement of work defines the effort required for VA North Texas Healthcare System (VANTHCS), Cardiology Section of Medicine Service to procure Cardiopulmonary Exercise Test (CPX). Contractor shall provide equipment as well as training personnel. Description of Work: Justification: Cardiopulmonary Exercise Test machine needed to replace end of life machine currently in use in Cardiology. Hours of Performance: Work shall occur Monday Friday during normal duty hours unless authorized by Cardiology. Check in Requirements: The Vendor Rep must report to the Biomedical Engineering Department to obtain a badge and sign in with the Biomedical Engineering Service before work begins. Upon completion of work, the Rep must report to the Biomedical Engineering Service to sign out. Period of Performance: Period of performance shall be done in a reasonable time frame (no longer than one 90 days after receipt of order) unless unseen circumstances arise which need to be discussed with Biomed representative. Place of Performance: Dallas VA Medical Center at 4500 S. Lancaster Rd. Dallas TX 75216. Documentation: Contractor shall furnish a detailed field service report upon completion of work to Cardiology Staff. Payment will not be processed until a properly completed service report is received. The service report shall contain, at a minimum, the following information: Date and time of contractor s arrival on station Type, model and serial number (s) of all equipment on which maintenance was performed Total time spent performing maintenance and travel time Detailed narrative description of the services required Copies of all test reports Complete list of parts replaced Date and time the repair was completed Cost Estimate of all labor (including travel), parts/supplies, and shipping charges The service report shall itemize every item in the specification. Each item shall state the ""as found"" condition or values, the ""calibrated to"" or ""adjusted to"" values, the factory design tolerances, and a complete description of all work performed concerning the items Contracting Officer Technical Representatives: All work coordination shall be made through the Purchasing agent. The Contractor shall be provided a copy of the letter of delegation authorizing the purchasing agent at the commencement of the term of the contract. No other person shall be authorized to act in such capacity unless appointed in writing by the Contracting Officer. Information technology security requirements: The contractor, their personnel, and their subcontractors shall be subject to the Federal laws, regulations, standards, and VA Directives and Handbooks regarding information and information system security as delineated in this contract. The contractor shall comply with all Federal laws and regulations the VA has developed when VA sensitive information is accessed, used, stored, generated, transmitted, or exchanged by and between VA and a contractor. The information made available to the contractor by VA for the performance of this contract will be used only for the purposes of performance under this contract. The certification and accreditation requirements do not apply to this requirement and a security accreditation package is not required. As prescribed in 839.201, insert the following clause: The contractor, their personnel, and their subcontractors shall be subject to the Federal laws, regulations, standards, and VA Directives and Handbooks regarding information and information system security as delineated in this contract. 1. GENERAL Contractors, contractor personnel, subcontractors, and subcontractor personnel shall be subject to the same Federal laws, regulations, standards, and VA Directives and Handbooks as VA and VA personnel regarding information and information system security. 2. ACCESS TO VA INFORMATION AND VA INFORMATION SYSTEMS Information Technology Security & Privacy Requirements. a. A contractor/subcontractor shall request logical (technical) or physical access to VA information and VA information systems for their employees, subcontractors, and affiliates only to the extent necessary to perform the services specified in the contract, agreement, or task order. b. All contractors, subcontractors, and third-party servicers and associates working with VA information are subject to the same investigative requirements as those of VA appointees or employees who have access to the same types of information. The level and process of background security investigations for contractors must be in accordance with VA Directive and Handbook 0710, Personnel Suitability and Security Program. The Office for Operations, Security, and Preparedness is responsible for these policies and procedures. c. Contract personnel who require access to national security programs must have a valid security clearance. National Industrial Security Program (NISP) was established by Executive Order 12829 to ensure that cleared U.S. defense industry contract personnel safeguard the classified information in their possession while performing work on contracts, programs, bids, or research and development efforts. The Department of Veterans Affairs does not have a Memorandum of Agreement with Defense Security Service (DSS). Verification of a Security Clearance must be processed through the Special Security Officer located in the Planning and National Security Service within the Office of Operations, Security, and Preparedness. d. Custom software development and outsourced operations must be located in the U.S. to the maximum extent practical. If such services are proposed to be performed abroad and are not disallowed by other VA policy or mandates, the contractor/subcontractor must state where all non-U.S. services are provided and detail a security plan, deemed to be acceptable by VA, specifically to address mitigation of the resulting problems of communication, control, data protection, and so forth. Location within the U.S. may be an evaluation factor. e. The contractor or subcontractor must notify the Contracting Officer immediately when an employee working on a VA system or with access to VA information is reassigned or leaves the contractor or subcontractor s employ. The Contracting Officer must also be notified immediately by the contractor or subcontractor prior to an unfriendly termination. 3. VA INFORMATION CUSTODIAL LANGUAGE a. Information made available to the contractor or subcontractor by VA for the performance or administration of this contract or information developed by the contractor/subcontractor in performance or administration of the contract shall be used only for those purposes and shall not be used in any other way without the prior written agreement of the VA. This clause expressly limits the contractor/subcontractor's rights to use data as described in Rights in Data- General, FAR 52.227-14(d) (1). b. VA information should not be co-mingled, if possible, with any other data on the contractors/subcontractor s information systems or media storage systems in order to ensure VA requirements related to data protection and media sanitization can be met. If co-mingling must be allowed to meet the requirements of the business need, the contractor must ensure that VA s information is returned to the VA or destroyed in accordance with VA s sanitization requirements. VA reserves the right to conduct onsite inspections of contractor and subcontractor IT resources to ensure data security controls, separation of data and job duties, and destruction/media sanitization procedures are in compliance with VA directive requirements. c. Prior to termination or completion of this contract, contractor/subcontractor must not destroy information received from VA, or gathered/created by the contractor in the course of performing this contract without prior written approval by the VA. Any data destruction done on behalf of VA by a contractor/subcontractor must be done in accordance with National Archives and Records Administration (NARA) requirements as outlined in VA Directive 6300, Records and Information Management and its Handbook 6300.1 Records Management Procedures, applicable VA Records Control Schedules, and VA Handbook 6500.1, Electronic Media Sanitization. Self-certification by the contractor that the data destruction requirements above have been met must be sent to the VA Contracting Officer within 30 days of termination of the contract. d. The contractor/subcontractor must receive, gather, store, back up, maintain, use, disclose and dispose of VA information only in compliance with the terms of the contract and applicable Federal and VA information confidentiality and security laws, regulations and policies. If Federal or VA information confidentiality and security laws, regulations and policies become applicable to the VA information or information systems after execution of the contract, or if NIST issues or updates applicable FIPS or Special Publications (SP) after execution of this contract, the parties agree to negotiate in good faith to implement the information confidentiality and security laws, regulations and policies in this contract. e. The contractor/subcontractor shall not make copies of VA information except as authorized and necessary to perform the terms of the agreement or to preserve electronic information stored on contractor/subcontractor electronic storage media for restoration in case any electronic equipment or data used by the contractor/subcontractor needs to be restored to an operating state. If copies are made for restoration purposes, after the restoration is complete, the copies must be appropriately destroyed. f. If VA determines that the contractor has violated any of the information confidentiality, privacy, and security provisions of the contract, it shall be sufficient grounds for VA to withhold payment to the contractor or third party or terminate the contract for default or terminate for cause under Federal Acquisition Regulation (FAR) part 12. g. If a VHA contract is terminated for cause, the associated BAA must also be terminated and appropriate actions taken in accordance with VHA Handbook 1600.01, Business Associate Agreements. Absent an agreement to use or disclose protected health information, there is no business associate relationship. h. The contractor/subcontractor must store, transport, or transmit VA sensitive information in an encrypted form, using VA-approved encryption tools that are, at a minimum, FIPS 140-2 validated. i. The contractor/subcontractor s firewall and Web services security controls, if applicable, shall meet or exceed VA s minimum requirements. VA Configuration Guidelines are available upon request. j. Except for uses and disclosures of VA information authorized by this contract for performance of the contract, the contractor/subcontractor may use and disclose VA information only in two other situations: (i) in response to a qualifying order of a court of competent jurisdiction, or (ii) with VA s prior written approval. The contractor/subcontractor must refer all requests for, demands for production of, or inquiries about, VA information and information systems to the VA contracting officer for response. k. Notwithstanding the provision above, the contractor/subcontractor shall not release VA records protected by Title 38 U.S.C. 5705, confidentiality of medical quality assurance records and/or Title 38 U.S.C. 7332, confidentiality of certain health records pertaining to drug addiction, sickle cell anemia, alcoholism or alcohol abuse, or infection with human immunodeficiency virus. If the contractor/subcontractor is in receipt of a court order or other requests for the above-mentioned information, that contractor/subcontractor shall immediately refer such court orders or other requests to the VA contracting officer for response. l. For service that involves the storage, generating, transmitting, or exchanging of VA sensitive information but does not require C&A or an MOU-ISA for system interconnection, the contractor/subcontractor must complete a Contractor Security Control Assessment (CSCA) on a yearly basis and provide it to the COTR. GENERAL RULES OF BEHAVIOR a. Rules of Behavior are part of a comprehensive program to provide complete information security. These rules establish standards of behavior in recognition of the fact that knowledgeable users are the foundation of a successful security program. Users must understand that taking personal responsibility for the security of their computer and the information it contains is an essential part of their job. b. The following rules apply to all VA contractors. I agree to: (1) Follow established procedures for requesting, accessing, and closing user accounts and access. I will not request or obtain access beyond what is normally granted to users or by what is outlined in the contract. (2) Use only systems, software, databases, and data which I am authorized to use, including any copyright restrictions. (3) I will not use other equipment (OE) (non-contractor owned) for the storage, transfer, or processing of VA sensitive information without a VA CIO approved waiver, unless it has been reviewed and approved by local management and is included in the language of the contract. If authorized to use OE IT equipment, I must ensure that the system meets all applicable 6500 Handbook requirements for OE. (4) Not use my position of trust and access rights to exploit system controls or access information for any reason other than in the performance of the contract. (5) Not attempt to override or disable security, technical, or management controls unless expressly permitted to do so as an explicit requirement under the contract or at the direction of the COTR or ISO. If I am allowed or required to have a local administrator account on a government-owned computer, that local administrative account does not confer me unrestricted access or use, nor the authority to bypass security or other controls except as expressly permitted by the VA CIO or CIO's designee. (6) Contractors use of systems, information, or sites is strictly limited to fulfill the terms of the contract. I understand no personal use is authorized. I will only use other Federal government information systems as expressly authorized by the terms of those systems. I accept that the restrictions under ethics regulations and criminal law still apply. (7) Grant access to systems and information only to those who have an official need to know. (8) Protect passwords from access by other individuals. (9) Create and change passwords in accordance with VA Handbook 6500 on systems and any devices protecting VA information as well as the rules of behavior and security settings for the particular system in question. (10) Protect information and systems from unauthorized disclosure, use, modification, or destruction. I will only use encryption that is FIPS 140-2 validated to safeguard VA sensitive information, both safeguarding VA sensitive information in storage and in transit regarding my access to and use of any information assets or resources associated with my performance of services under the contract terms with the VA. (11) Follow VA Handbook 6500.1, Electronic Media Sanitization to protect VA information. I will contact the COTR for policies and guidance on complying with this requirement and will follow the COTR's orders. (12) Ensure that the COTR has previously approved VA information for public dissemination, including e-mail communications outside of the VA as appropriate. I will not make any unauthorized disclosure of any VA sensitive information through the use of any means of communication including but not limited to e-mail, instant messaging, online chat, and web bulletin boards or logs. (13) Not host, set up, administer, or run an Internet server related to my access to and use of any information assets or resources associated with my performance of services under the contract terms with the VA unless explicitly authorized under the contract or in writing by the COTR. (14) Protect government property from theft, destruction, or misuse. I will follow VA directives and handbooks on handling Federal government IT equipment, information, and systems. I will not take VA sensitive information from the workplace without authorization from the COTR. (15) Only use anti-virus software, antispyware, and firewall/intrusion detection software authorized by VA. I will contact the COTR for policies and guidance on complying with this requirement and will follow the COTR's orders regarding my access to and use of any information assets or resources associated with my performance of services under the contract terms with VA. (16) Not disable or degrade the standard anti-virus software, antispyware, and/or firewall/intrusion detection software on the computer I use to access and use information assets or resources associated with my performance of services under the contract terms with VA. I will report anti-virus, antispyware, firewall or intrusion detection software errors, or significant alert messages to the COTR. (17) Understand that restoration of service of any VA system is a concern of all users of the system. (18) Complete required information security and privacy training, and complete required training for the particular systems to which I require access. Security Statement: The CO and the Contractor will assure that- No other information except what is in this contract will be shared with the contractor in any follow up communication. Biomedical Engineering shall perform virus scans on all removable media prior to use on VA medical equipment. This includes all types of removable media, including media (e.g., USB devices, CDs, dongles, etc.) that has been issued by VA, media not issued by VA, and media brought in by Contractors or independent service organizations. Within accordance of VA Directive 6500, Information Security Program, September 2007 Sensitive VA information is contained within the systems covered by this contract. The Contractor will not transfer any VA information to a location outside the VA and only to VA locations determined by the VA System Administrator. The information in these systems may be covered by the Privacy Act 1974 which contains criminal penalties of abuse of information. During onsite service, the Contractor shall be chaperoned by VA Personnel. However, the Contractor shall not be issued a User ID/Password. Non-volatile memory devices, working or non-working, shall NOT be re-deployed until data has been destroyed according NIST SP 800-88 guidelines. For magnetic devices and media, the data destruction will be by degaussing. Other forms of cleansing will be used for non-magnetic media. All PHI can be downloaded at the request of the Facility for records keeping and archival purposes. Vendor will perform product patch, bug fix, service pack installation and upgrades to the current installed version through remote access to complete the repair(s) and preventive maintenance. The COR is responsible for the actions of the Contractor during the repair. Because the Contractor is chaperoned, the Contractor does not need to take VA Privacy or Information Security training. A background investigation is not required. The Contractor and all VA employees are required to immediately report any security violations to the Information Security Officer (214-857-0512). No other security statements are required. NARA Records Management Language for Contracts (May 2017): Contractor shall comply with all applicable records management laws and regulations, as well as National Archives and Records Administration (NARA) records policies, including but not limited to the Federal Records Act (44 U.S.C. chs. 21, 29, 31, 33), NARA regulations at 36 CFR Chapter XII Subchapter B, and those policies associated with the safeguarding of records covered by the Privacy Act of 1974 (5 U.S.C. 552a). These policies include the preservation of all records, regardless of form or characteristics, mode of transmission, or state of completion. In accordance with 36 CFR 1222.32, all data created for Government use and delivered to, or falling under the legal control of, the Government are Federal records subject to the provisions of 44 U.S.C. chapters 21, 29, 31, and 33, the Freedom of Information Act (FOIA) (5 U.S.C. 552), as amended, and the Privacy Act of 1974 (5 U.S.C. 552a), as amended and must be managed and scheduled for disposition only as permitted by statute or regulation. In accordance with 36 CFR 1222.32, Contractor shall maintain all records created for Government use or created in the course of performing the contract and/or delivered to, or under the legal control of the Government and must be managed in accordance with Federal law. Electronic records and associated metadata must be accompanied by sufficient technical documentation to permit understanding and use of the records and data. Facility and its contractors are responsible for preventing the alienation or unauthorized destruction of records, including all forms of mutilation. Records may not be removed from the legal custody of Facility or destroyed except for in accordance with the provisions of the agency records schedules and with the written concurrence of the Head of the Contracting Activity. Willful and unlawful destruction, damage or alienation of Federal records is subject to the fines and penalties imposed by 18 U.S.C. 2701. In the event of any unlawful or accidental removal, defacing, alteration, or destruction of records, Contractor must report to Facility. The agency must report promptly to NARA in accordance with 36 CFR 1230. The Contractor shall immediately notify the appropriate Contracting Officer upon discovery of any inadvertent or unauthorized disclosures of information, data, documentary materials, records or equipment. Disclosure of non-public information is limited to authorized personnel with a need-to-know as described in the [contract vehicle]. The Contractor shall ensure that the appropriate personnel, administrative, technical, and physical safeguards are established to ensure the security and confidentiality of this information, data, documentary material, records and/or equipment is properly protected. The Contractor shall not remove material from Government facilities or systems, or facilities or systems operated or maintained on the Government s behalf, without the express written permission of the Head of the Contracting Activity. When information, data, documentary material, records and/or equipment is no longer required, it shall be returned to Facility control or the Contractor must hold it until otherwise directed. Items returned to the Government shall be hand carried, mailed, emailed, or securely electronically transmitted to the Contracting Officer or address prescribed in the [contract vehicle]. Destruction of records is EXPRESSLY PROHIBITED unless in accordance with Paragraph (4). The Contractor is required to obtain the Contracting Officer's approval prior to engaging in any contractual relationship (sub-contractor) in support of this contract requiring the disclosure of information, documentary material and/or records generated under, or relating to, contracts. The Contractor (and any sub-contractor) is required to abide by Government and Facility guidance for protecting sensitive, proprietary information, classified, and controlled unclassified information. The Contractor shall only use Government IT equipment for purposes specifically tied to or authorized by the contract and in accordance with Facility policy. The Contractor shall not create or maintain any records containing any non-public Facility information that are not specifically tied to or authorized by the contract. The Contractor shall not retain, use, sell, or disseminate copies of any deliverable that contains information covered by the Privacy Act of 1974 or that which is generally protected from public disclosure by an exemption to the Freedom of Information Act. The Facility owns the rights to all data and records produced as part of this contract. All deliverables under the contract are the property of the U.S. Government for which Facility shall have unlimited rights to use, dispose of, or disclose such data contained therein as it determines to be in the public interest. Any Contractor rights in the data or deliverables must be identified as required by FAR 52.227-11 through FAR 52.227-20. Training. All Contractor employees assigned to this contract who create, work with, or otherwise handle records are required to take VHA-provided records management training, Talent Management System (TMS) Item #3873736, Records Management for Records Officers and Liaisons. The Contractor is responsible for confirming training has been completed according to agency policies, including initial training and any annual or refresher training. Safety Requirements: In the performance of this contract, the Contractor shall take such safety precautions as the Contracting Officer may determine to be reasonably necessary to protect the lives and health of occupants of the building. The Contracting Officer Representative shall notify the Contractor of any safety issues and the action necessary to correct these issues. Such notice, when served to the Contractor or his representative at the work site shall be deemed sufficient for the corrective actions to be taken. If the Contractor fails or refuses to comply promptly, the Contracting Officer may issue an order stopping all or part of the work and hold the Contractor in default. Invoicing: Payment to be made monthly in arrears by certified invoices and must contain the contract number in addition to the requirements detailed in 52.212-4 (G) to be considered valid. All invoices shall be submitted to the VA Financial Service Center and emailed to the CO. All invoices will reference the purchase order number assigned to the contract. Billing address: VA FSC, PO Box 149971, Austin, TX 78714
- Web Link
-
SAM.gov Permalink
(https://beta.sam.gov/opp/5d08969931964db59fd76bbfe8b0f0df/view)
- Place of Performance
- Address: North Texas Veterans Health Care Center 4500 S. Lancaster Road, Dallas 75216
- Zip Code: 75216
- Zip Code: 75216
- Record
- SN06195394-F 20211211/211210201447 (samdaily.us)
- Source
-
SAM.gov Link to This Notice
(may not be valid after Archive Date)
| FSG Index | This Issue's Index | Today's SAM Daily Index Page |