SOURCES SOUGHT
65 -- Copy of ScriptPro Maintenance FY22 - Dallas
- Notice Date
- 12/29/2021 11:25:25 AM
- Notice Type
- Sources Sought
- NAICS
- 339112
— Surgical and Medical Instrument Manufacturing
- Contracting Office
- 257-NETWORK CONTRACT OFFICE 17 (36C257) ARLINGTON TX 76006 USA
- ZIP Code
- 76006
- Solicitation Number
- 36C25722Q0193
- Response Due
- 12/30/2021 9:00:00 AM
- Archive Date
- 01/14/2022
- Point of Contact
- David Simmons, Contract Specialist, Phone: 210-694-6344
- E-Mail Address
-
david.simmons@va.gov
(david.simmons@va.gov)
- Awardee
- null
- Description
- Statement of Work (SOW) GENERAL The contractor shall comply with Federal, State, local laws and regulations applicable to the performance of this contract. ScriptPro shall provide remote support via VPN connection. This support is to assist with any user questions, or issues that are software in nature. ScriptPro shall also offer hardware support for physical equipment. This shall include repair and maintenance, and shall require a qualified technician to be on site. The contractor shall provide all labor, equipment, supervision and expertise, to provide maintenance services for the equipment list within the Statement of Work. DESCRIPTION OF WORK The contractor shall provide all required service and parts for the VA equipment in accordance with the original equipment manufacturer specifications. Reference below for equipment type and the required service. Equipment: ScriptPro Prescription Dispensing System Equipment Manufacturer: ScriptPro Equipment Model: Model SP 200/CCC (12 slots) Location: Dallas VA Medical Center 2.1 Maintenance of the ScriptPro Robot is on an as needed basis. There is no required maintenance monthly, annually or semi-annually. Because we are a 24 hour/7 day per week operation, we are always covered for maintenance. Reference below for equipment type and the required service. Maintenance is needed outside of business hours due to equipment repairs that are unexpected. 2.2 The Contractor is expected to respond with 24 hours of the maintenance call. No reports or documentation is required to be submitted after repairs. WORK HOURS: 1. Normal Work Hours: The service schedule shall be developed between the contractor and Contractor s Representative (COR) prior to any service being performed. The following is a list of U.S. Government holidays. If the holiday falls on a Saturday, the proceeding Friday is observed as the holiday; if the holiday falls on a Sunday, the following Monday is observed as the holiday and any other day specifically declared by the President of the United States to be a national holiday. HOLIDAY DATE New Year s Day Jan 1 Martin Luther King s Birthday 3rd Monday in Jan President s Day 3rd Monday in Feb Memorial Day Last Monday in May Independence Day July 4 Labor Day 1st Monday in Sep Columbus Day 2nd Monday in Oct Veterans Day Nov 11 Thanksgiving Day 4th Thursday in November Christmas Day December 25 PERSONNEL Program Manager. The contractor shall provide in writing the name and phone number of a Program Manager within (10) ten calendar days of the award of the contract. The Program Manager shall be a qualified and experienced manager to oversee the personnel assigned to perform the installation and maintenance services. The contractor s Program Manager shall correspond with the COR on a regular basis to discuss any problems that the contractor or contractor s personnel may be experiencing during the performance of this contract. Unresolved problems shall be referred to the Contracting Officer for resolution. Contractor Service Personnel (CSP). All subcontractors performing work for primary contractor shall meet all specifications and standards that apply to CSP under this agreement. CSP shall maintain clean and neat appearance and shall wear an identification badge at all times when performing services at the Government site. Identification badges shall be worn in a clearly visible area of the outer garment. The COR shall furnish this badge. Due to conflict of interest, the contractor shall not employ a current DOD employee, military or civilian to provide services under this contract. Government point of contact (POC). The COR shall be the Government s POC. If required, the COR shall be designated in writing to the Contractor and the scope of authority shall be set forth therein. Contractor shall respond only to calls from COR or a designated representative from the Medical Center. 3.4 SPECIFICATIONS: ScriptPro shall provide remote support via VPN connection. This support is to assist with any user questions, or issues that are software in nature. ScriptPro shall also offer hardware support for physical equipment. This shall include repair and maintenance, and shall require a qualified technician to be on site. The contractor shall provide all labor, equipment, supervision and expertise, to provide maintenance services for the equipment list within the Statement of Work. 3.5 SECURITY STATEMENT: The Vendor shall not transfer any VA information to a location outside the VA and only to VA locations determined by the VA System Administrator. The information in these systems may be covered by the Privacy Act 1974 which contains criminal penalties of abuse of information. The vendor shall have remove access to this system. The vendor shall have remote Access to the system. This is a continuation of a contract already in place the vendor has complied with all the necessary requirements to gain access. During onsite service, the Vendor shall be chaperoned by a VA System Administrator. The vendor shall not be issued a UserID/Password. The chaperon shall log the vendor onto the system and be accountable for the actions of the vendor. The Vendor shall not enter or shall immediately leave the computer room if the chaperon is not in the computer room. Non-volatile memory devices, working or non-working, shall NOT be removed from the VA facility until the ISO has certified that the data has been destroyed. For magnetic devices and media, the data destruction shall be by degaussing. Other forms of cleansing shall be used for non-magnetic media. For Remote access the vendor shall not be issued a userID/Password to the systems covered under this contract. A VA IT system administrator shall initiate a collaborative software utility (for example Net Meetings) and invite the vendor to join. The VA system administrator shall log into the systems using their credentials and allow vendor to watch the results as the system administrator follows the directions of the vendor. In some situations, the system administrator may give control of the system administrator s desktop to the vendor. The system administrator shall supervise and BE RESPONSIBLE for the actions of the vendor. The COTR is responsible for the actions of the system administrator. The Vendor and all VA employees are required to immediately report any security violations to the Information Security Officer. No other security statements are required. ACRONYMS AND DEFINITIONS Contracting Officer (CO). A person duly appointed with the authority to enter into and administer contracts on behalf of the U.S. Government. Contracting Officer s Representative (COR). An individual designated in writing by the Contracting Officer to act as an authorized representative of the Contracting Officer to perform specific contract administrative functions within the scope and limitations as defined by the Contracting Officer. EQUIPMENT OWNERSHIP. Title to equipment shall remain with the contractor until installed and established. After completion, a satisfactory inventory and inspection is completed by Contractor, COR and Maintenance personnel. Upon approved inspection, title, equipment, accessories and ownership shall be released to VA North Texas Healthcare system (VANTHCS). LIMITED WARRANTY. All equipment listed on Schedule B and pursuant to the attached quote, shall be fit and sufficient for the purpose intended as set forth in the user manuals; and merchantable, of good quality and free from defects in materials or workmanship; for a period of one (1) year from the date of the first invoice under this agreement. 6.2 All records (administrative and program specific) created during the period of the contract belong to VA North Texas Health Care System (VANTXHCS) and shall be returned to VANTXHCS at the end of the contract or destroyed in accordance to the VHA Record Control Schedule (RCS)10-1. 6.3 All records (administrative and program specific) created during the period of the contract belong to VA North Texas Health Care System (VANTXHCS) and must be returned to VANTXHCS at the end of the contract or destroyed in accordance to the VHA Record Control Schedule (RCS)10-1. PRIVACY STATEMENT Contractors and any subcontractors must adhere to the provisions of Public Law 104-191, Health Insurance Portability and Accountability Act (HIPAA) of 1996. This includes both the Privacy and Security Rules published by the Department of Health and Human Services (HHS). As required by HIPAA, HHS has promulgated rules governing the use and disclosure of protected health information by covered entities, Veterans Health Administration (VHA). In accordance with HIPAA, the contractor may be required to enter into a Business Associate Agreement (BAA) with VHA. Business associates must follow VHA privacy policies and practices when applicable. All contractors and business associates must receive privacy training annually. For contractors and business associates who do not have access to VHA computer systems, this requirement is met by completing VHA National Privacy Policy training, other VHA approved privacy training or contractor furnished training that meets the requirements of the HHS Standards for Privacy of Individually Identifiable Health Information as determined by VHA. For contractors and business associates who are granted access to VHA computer systems, this requirement is met by completing VHA National Privacy Policy training or other VHA approved privacy training. Proof of training is required upon request. Information Technology Security requirements section As prescribed in 839.201, insert the following clause: The contractor, their personnel, and their subcontractors shall be subject to the Federal laws, regulations, standards, and VA Directives and Handbooks regarding information and information system security as delineated in this contract. GENERAL Contractors, contractor personnel, subcontractors, and subcontractor personnel shall be subject to the same Federal laws, regulations, standards, and VA Directives and Handbooks as VA and VA personnel regarding information and information system security. 2. ACCESS TO VA INFORMATION AND VA INFORMATION SYSTEMS a. A contractor/subcontractor shall request logical (technical) or physical access to VA information and VA information systems for their employees, subcontractors, and affiliates only to the extent necessary to perform the services specified in the contract, agreement, or task order. b. All contractors, subcontractors, and third-party servicers and associates working with VA information are subject to the same investigative requirements as those of VA appointees or employees who have access to the same types of information. The level and process of background security investigations for contractors must be in accordance with VA Directive and Handbook 0710, Personnel Suitability and Security Program. The Office for Operations, Security, and Preparedness is responsible for these policies and procedures. c. Contract personnel who require access to national security programs must have a valid security clearance. National Industrial Security Program (NISP) was established by Executive Order 12829 to ensure that cleared U.S. defense industry contract personnel safeguard the classified information in their possession while performing work on contracts, programs, bids, or research and development efforts. The Department of Veterans Affairs does not have a Memorandum of Agreement with Defense Security Service (DSS). Verification of a Security Clearance must be processed through the Special Security Officer located in the Planning and National Security Service within the Office of Operations, Security, and Preparedness. d. Custom software development and outsourced operations must be located in the U.S. to the maximum extent practical. If such services are proposed to be performed abroad and are not disallowed by other VA policy or mandates, the contractor/ subcontractor must state where all non-U.S. services are provided and detail a security plan, deemed to be acceptable by VA, specifically to address mitigation of the resulting problems of communication, control, data protection, and so forth. Location within the U.S. may be an evaluation factor. e. The contractor or subcontractor must notify the Contracting Officer immediately when an employee working on a VA system or with access to VA information is reassigned or leaves the contractor or subcontractor s employ. The Contracting Officer must also be notified immediately by the contractor or subcontractor prior to an unfriendly termination. 3. VA INFORMATION CUSTODIAL LANGUAGE a.Information made available to the contractor or subcontractor by VA for the performance or administration of this contract or information developed by the contractor/subcontractor in performance or administration of the contract shall be used only for those purposes and shall not be used in any other way without the prior written agreement of the VA. This clause expressly limits the contractor/subcontractor's rights to use data as described in Rights in Data - General, FAR 52.227-14(d) (1). b. VA information should not be co-mingled, if possible, with any other data on the contractors/subcontractor s information systems or media storage systems in order to ensure VA requirements related to data protection and media sanitization can be met. If co-mingling must be allowed to meet the requirements of the business need, the contractor must ensure that VA s information is returned to the VA or destroyed in accordance with VA s sanitization requirements. VA reserves the right to conduct on site inspections of contractor and subcontractor IT resources to ensure data security controls, separation of data and job duties, and destruction/media sanitization procedures are in compliance with VA directive requirements. c. Prior to termination or completion of this contract, contractor/subcontractor must not destroy information received from VA, or gathered/created by the contractor in the course of performing this contract without prior written approval by the VA. Any data destruction done on behalf of VA by a contractor/subcontractor must be done in accordance with National Archives and Records Administration (NARA) requirements as outlined in VA Directive 6300, Records and Information Management and its Handbook 6300.1 Records Management Procedures, applicable VA Records Control Schedules, and VA Handbook 6500.1, Electronic Media Sanitization. Self-certification by the contractor that the data destruction requirements above have been met must be sent to the VA Contracting Officer within 30 days of termination of the contract. d. The contractor/subcontractor must receive, gather, store, back up, maintain, use, disclose and dispose of VA information only in compliance with the terms of the contract and applicable Federal and VA information confidentiality and security laws, regulations and policies. If Federal or VA information confidentiality and security laws, regulations and policies become applicable to the VA information or information systems after execution of the contract, or if NIST issues or updates applicable FIPS or Special Publications (SP) after execution of this contract, the parties agree to negotiate in good faith to implement the information confidentiality and security laws, regulations and policies in this contract. e. The contractor/subcontractor shall not make copies of VA information except as authorized and necessary to perform the terms of the agreement or to preserve electronic information stored on contractor/subcontractor electronic storage media for restoration in case any electronic equipment or data used by the contractor/subcontractor needs to be restored to an operating state. If copies are made for restoration purposes, after the restoration is complete, the copies must be appropriately destroyed. f. If VA determines that the contractor has violated any of the information confidentiality, privacy, and security provisions of the contract, it shall be sufficient grounds for VA to withhold payment to the contractor or third party or terminate the contract for default or terminate for cause under Federal Acquisition Regulation (FAR) part 12. g. If a VHA contract is terminated for cause, the associated BAA must also be terminated and appropriate actions taken in accordance with VHA Handbook 1600.01, Business Associate Agreements. Absent an agreement to use or disclose protected health information, there is no business associate relationship. h. The contractor/subcontractor must store, transport, or transmit VA sensitive information in an encrypted form, using VA-approved encryption tools that are, at a minimum, FIPS 140-2 validated. i. The contractor/subcontractor s firewall and Web services security controls, if applicable, shall meet or exceed VA s minimum requirements. VA Configuration Guidelines are available upon request. j. Except for uses and disclosures of VA information authorized by this contract for performance of the contract, the contractor/subcontractor may use and disclose VA information only in two other situations: (i) in response to a qualifying order of a court of competent jurisdiction, or (ii) with VA s prior written approval. The contractor/ subcontractor must refer all requests for, demands for production of, or inquiries about, VA information and information systems to the VA contracting officer for response. k. Notwithstanding the provision above, the contractor/subcontractor shall not release VA records protected by Title 38 U.S.C. 5705, confidentiality of medical quality assurance records and/or Title 38 U.S.C. 7332, confidentiality of certain health records pertaining to drug addiction, sickle cell anemia, alcoholism or alcohol abuse, or infection with human immunodeficiency virus. If the contractor/subcontractor is in receipt of a court order or other requests for the above mentioned information, that contractor/subcontractor shall immediately refer such court orders or other requests to the VA contracting officer for response. l. For service that involves the storage, generating, transmitting, or exchanging of VA sensitive information but does not require C&A or an MOU-ISA for system interconnection, the contractor/subcontractor must complete a Contractor Security Control Assessment (CSCA) on a yearly basis and provide it to the COTR. GENERAL RULES OF BEHAVIOR a. Rules of Behavior are part of a comprehensive program to provide complete information security. These rules establish standards of behavior in recognition of the fact that knowledgeable users are the foundation of a successful security program. Users must understand that taking personal responsibility for the security of their computer and the information it contains is an essential part of their job. b. The following rules apply to all VA contractors. I agree to: (1) Follow established procedures for requesting, accessing, and closing user accounts and access. I will not request or obtain access beyond what is normally granted to users or by what is outlined in the contract. (2) Use only systems, software, databases, and data which I am authorized to use, including any copyright restrictions. (3) I will not use other equipment (OE) (non-contractor owned) for the storage, transfer, or processing of VA sensitive information without a VA CIO approved waiver, unless it has been reviewed and approved by local management and is included in the language of the contract. If authorized to use OE IT equipment, I must ensure that the system meets all applicable 6500 Handbook requirements for OE. (4) Not use my position of trust and access rights to exploit system controls or access information for any reason other than in the performance of the contract. (5) Not attempt to override or disable security, technical, or management controls unless expressly permitted to do so as an explicit requirement under the contract or at the direction of the COTR or ISO. If I am allowed or required to have a local administrator account on a government-owned computer, that local administrative account does not confer me unrestricted access or use, nor the authority to bypass security or other controls except as expressly permitted by the VA CIO or CIO's designee. (6) Contractors use of systems, information, or sites is strictly limited to fulfill the terms of the contract. I understand no personal use is authorized. I will only use other Federal government information systems as expressly authorized by the terms of those systems. I accept that the restrictions under ethics regulations and criminal law still apply. (7) Grant access to systems and information only to those who have an official need to know. (8) Protect passwords from access by other individuals. (9) Create and change passwords in accordance with VA Handbook 6500 on systems and any devices protecting VA information as well as the rules of behavior and security settings for the particular system in question. (10) Protect information and systems from unauthorized disclosure, use, modification, or destruction. I will only use encryption that is FIPS 140-2 validated to safeguard VA sensitive information, both safeguarding VA sensitive information in storage and in transit regarding my access to and use of any information assets or resources associated with my performance of services under the contract terms with the VA. (11) Follow VA Handbook 6500.1, Electronic Media Sanitization to protect VA information. I will contact the COTR for policies and guidance on complying with this requirement and will follow the COTR's orders. (12) Ensure that the COTR has previously approved VA information for public dissemination, including e-mail communications outside of the VA as appropriate. I will not make any unauthorized disclosure of any VA sensitive information through the use of any means of communication including but not limited to e-mail, instant messaging, online chat, and web bulletin boards or logs. (13) Not host, set up, administer, or run an Internet server related to my access to and use of any information assets or resources associated with my performance of services under the contract terms with the VA unless explicitly authorized under the contract or in writing by the COTR. (14) Protect government property from theft, destruction, or misuse. I will follow VA directives and handbooks on handling Federal government IT equipment, information, and systems. I will not take VA sensitive information from the workplace without authorization from the COTR. (15) Only use anti-virus software, antispyware, and firewall/intrusion detection software authorized by VA. I will contact the COTR for policies and guidance on complying with this requirement and will follow the COTR's orders regarding my access to and use of any information assets or resources associated with my performance of services under the contract terms with VA. (16) Not disable or degrade the standard anti-virus software, antispyware, and/or firewall/intrusion detection software on the computer I use to access and use information assets or resources associated with my performance of services under the contract terms with VA. I will report anti-virus, antispyware, firewall or intrusion detection software errors, or significant alert messages to the COTR. (17) Understand that restoration of service of any VA system is a concern of all users of the system. (18) Complete required information security and privacy training, and complete required training for the particular systems to which I require access. NARA Records Management Language for Contracts (May 2017) 1. Contractor shall comply with all applicable records management laws and regulations, as well as National Archives and Records Administration (NARA) records policies, including but not limited to the Federal Records Act (44 U.S.C. chs. 21, 29, 31, 33), NARA regulations at 36 CFR Chapter XII Subchapter B, and those policies associated with the safeguarding of records covered by the Privacy Act of 1974 (5 U.S.C. 552a). These policies include the preservation of all records, regardless of form or characteristics, mode of transmission, or state of completion. 2. In accordance with 36 CFR 1222.32, all data created for Government use and delivered to, or falling under the legal control of, the Government are Federal records subject to the provisions of 44 U.S.C. chapters 21, 29, 31, and 33, the Freedom of Information Act (FOIA) (5 U.S.C. 552), as amended, and the Privacy Act of 1974 (5 U.S.C. 552a), as amended and must be managed and scheduled for disposition only as permitted by statute or regulation. 3. In accordance with 36 CFR 1222.32, Contractor shall maintain all records created for Government use or created in the course of performing the contract and/or delivered to, or under the legal control of the Government and must be managed in accordance with Federal law. Electronic records and associated metadata must be accompanied by sufficient technical documentation to permit understanding and use of the records and data. 4. Dallas and its contractors are responsible for preventing the alienation or unauthorized destruction of records, including all forms of mutilation. Records may not be removed from the legal custody of Dallas or destroyed except for in accordance with the provisions of the agency records schedules and with the written concurrence of the Head of the Contracting Activity. Willful and unlawful destruction, damage or alienation of Federal records is subject to the fines and penalties imposed by 18 U.S.C. 2701. In the event of any unlawful or accidental removal, defacing, alteration, or destruction of records, Contractor must report to Dallas. The agency must report promptly to NARA in accordance with 36 CFR 1230. 5. The Contractor shall immediately notify the appropriate Contracting Officer upon discovery of any inadvertent or unauthorized disclosures of information, data, documentary materials, records or equipment. Disclosure of non-public information is limited to authorized personnel with a need-to-know as described in the [contract vehicle]. The Contractor shall ensure that the appropriate personnel, administrative, technical, and physical safeguards are established to ensure the security and confidentiality of this information, data, documentary material, records and/or equipment is properly protected. The Contractor shall not remove material from Government facilities or systems, or facilities or systems operated or maintained on the Government s behalf, without the express written permission of the Head of the Contracting Activity. When information, data, documentary material, records and/or equipment is no longer required, it shall be returned to Dallas control or the Contractor must hold it until otherwise directed. Items returned to the Government shall be hand carried, mailed, emailed, or securely electronically transmitted to the Contracting Officer or address prescribed in the [contract vehicle]. Destruction of records is EXPRESSLY PROHIBITED unless in accordance with Paragraph (4). 6. The Contractor is required to obtain the Contracting Officer's approval prior to engaging in any contractual relationship (sub-contractor) in support of this contract requiring the disclosure of information, documentary material and/or records generated under, or relating to, contracts. The Contractor (and any sub-contractor) is required to abide by Government and Dallas guidance for protecting sensitive, proprietary information, classified, and controlled unclassified information. 7. The Contractor shall only use Government IT equipment for purposes specifically tied to or authorized by the contract and in accordance with Dallas policy. 8. The Contractor shall not create or maintain any records containing any non-public Dallas information that are not specifically tied to or authorized by the contract. 9. The Contractor shall not retain, use, sell, or disseminate copies of any deliverable that contains information covered by the Privacy Act of 1974 or that which is generally protected from public disclosure by an exemption to the Freedom of Information Act. 10. The Dallas owns the rights to all data and records produced as part of this contract. All deliverables under the contract are the property of the U.S. Government for which Dallas shall have unlimited rights to use, dispose of, or disclose such data contained therein as it determines to be in the public interest. Any Contractor rights in the data or deliverables must be identified as required by FAR 52.227-11 through FAR 52.227-20. 11. Training. All Contractor employees assigned to this contract who create, work with, or otherwise handle records are required to take VHA-provided records management training, Talent Management System (TMS) Item #3873736, Records Management for Records Officers and Liaisons. The Contractor is responsible for confirming training has been completed according to agency policies, including initial training and any annual or refresher training. TERMINATION The Agreement is terminated at the completion of the inspection and satisfactory evaluation.
- Web Link
-
SAM.gov Permalink
(https://sam.gov/opp/7ded956b0c3247d8bcb3e0c2795d432b/view)
- Place of Performance
- Address: DEPARTMENT OF VETERANS AFFAIRS Dallas VA Medical Center Attn: ENGINEERING,BIOMED 4500 S. Lancaster Rd, Dallas TX
- Zip Code: TX
- Zip Code: TX
- Record
- SN06206700-F 20211231/211229230110 (samdaily.us)
- Source
-
SAM.gov Link to This Notice
(may not be valid after Archive Date)
| FSG Index | This Issue's Index | Today's SAM Daily Index Page |