R -- PRIVACY EXPERTS

Notice Date

August 29, 2001

Contracting Office

Social Security Administration, Office of Acquisition and Grants, 1710 Gwynn Oak Avenue, Baltimore, MD 21207

ZIP Code

21207

Solicitation Number

SSA-RFQ-01-0447

Response Due

September 4, 2001

Point of Contact

Dawn Caracci 410-965-9465

E-Mail Address

contract specialist (dawn.caracci@ssa.gov)

Description

The Social Security Administration (SSA) has a need for Privacy Expert services. This is a combined synopsis/solicitation for commercial items (FAR 2.101) prepared in accordance with the format in FAR Subpart 12.6, and supplemented with additional information included in this notice. This Request for Quotation (RFQ) SSA-RFQ-01-0447, constitutes the only solicitation. A separate request for quotation (RFQ) will not be issued. This acquisition is subject to FAR Subpart 13.5 regarding the application of simplified acquisition procedures. The provisions and clauses incorporated herein are those in effect through the latest Federal Acquisition Circular. Proposals shall be submitted by 11:00 a.m. local prevailing time, September 4, 2001. The government intends to make multiple awards. This is an Indefinite Delivery/Indefinite Quantity (IDIQ) Labor Hour type purchase order. The minimum number of hours to be procured is 24 and the maximum is 56 for the base year. Additional hours beyond the maximum may be procured through the exercise of option years one and two. BACKGROUND: In order to process claims for disability, SSA solicits medical information from doctors and other health care providers. SSA has legal and regulatory requirements to share payment and eligibility information with other federal, state and local agencies. SSA's records are subject to the rules of confidentiality of the Federal Privacy Act. Many of these records are sensitive in nature. In spite of the safeguards for personal data guaranteed by the Privacy Act and other statutes, public concern for the security of personal data continues. As a result, SSA has developed Internet services as an alternate service delivery channel. Further legal drivers such as the Government Paperwork Elimination Act has made it necessary to offer services electronically as well. Such Internet services magnify the issues of confidentiality and privacy. OBJECTIVE: Development of the Internet as an alternate service delivery channel raises challenges regarding how SSA will continue to shape and affect privacy and disclosure policy to ensure that it continues to make sound decisions regarding the Agency's internal and external electronic business applications that have privacy and disclosure policy implications, and reflects a continued commitment to the public trust SSA holds as unique guardians of highly sensitive and personal information. Several issues must be resolved in order to effectively offer Internet services to the public: 1) Authentication: many of the electronic transactions being developed will allow access to personal information found in SSA records (e.g. access to MBR information in the Check Your Social Security Benefit service). These records are protected by the Privacy Act, which requires written consent for disclosure. SSA must ensure that it has built in effective user authentication to safeguard users from potential harm due to improper disclosure; 2) Program Integrity: other transactions will allow users direct access to SSA records which will result in changes that could redirect payments (e.g., COA service, Direct Deposit service) or post-entitlement reports that could change the amount of payments. Authentication is key in this area as well, as SSA needs to ensure that it controls risk and prevents loss of program dollars or liability for furnishing incorrect data; and 3) Image: SSA has earned the reputation for protecting the confidentiality of the information it collects and for providing efficient, accurate service to the public. As such, it is therefore necessary for SSA to consult with experts in the field of privacy to ensure that it is taking all privacy issues into consideration. STATEMENT OF WORK: The contractor shall have knowledge of Privacy Act rules and regulations and shall be in touch with current privacy matters as well as ideas, movements, and trends so that he/she can help SSA develop its thinking in the following privacy related areas. These are not all-inclusive: 1) SSA's Identity Database and our Potential Role as Authenticator: Although SSA collects and retains much unique information that could be used in a general authentication scheme, it is aware of the public's intolerance to any type of national identity system and has therefore resisted many attempts to use such data in this manner. SSA seeks continuous input from experts as it monitors public reactions in this area; 2) Conversion of Agency Paper Business Processes to Electronic Platforms: While individual applications often share common authentication issues, it has been SSA's experience that each also raises unique concerns about privacy protections. SSA seeks input from experts about these unique concerns; 3) Data Sharing: In order to streamline the development of program requirements, SSA seeks to establish online data access to information maintained by other federal, state and local agencies. This results in similar requests for access to the information SSA holds. As such, SSA needs to cautiously consider the ramifications of data sharing and seeks input from experts in this area; 4) Employee Privacy: Monitoring of employee use of Internet, voice mail, email, etc. creates implications about systems of records for collection of personal data and public notice of these records. SSA seeks expert opinion of these issues; 5) Medical Privacy: The HIPAA Privacy Regulations established certain privacy standards that impact on the agency's collaboration with the medical industry towards adjudicating disability applications. Even though SSA is not a covered entity under the privacy regulations, it is obligated to ensure the integrity and privacy of the medical information that is transmitted electronically to it to achieve program goals. SSA seeks expert opinion on this topic as we move forward; 6) Privatization/Personal Savings Accounts: Although SSA does not know at this time what form such a modification would take, it believes that there will be a need to set up a public/private sector partnership for the exchange of financial information in an investment process. SSA seeks expert opinion in the financial privacy community to ensure that it address the new categories of personal information created and how the Privacy Act applies; 7) Consent Based Release to Third Parties: SSA is facing increasing demands by third parties for beneficiaries' personal information from its program records. (Examples: insurance companies, pension plans, etc.). As such, SSA needs to anticipate the political and business pressure that may surface as this type of demand increases, and seeks expert opinion to assist in developing the best strategies; and 8) Collection, Maintenance and Use of Biometric Identifying Information: Some individuals believe that the only sure method of authentication is based on biometric identifiers such as fingerprints or retinal imaging. If SSA were to undertake this type of data collection and storage, it would need to address all the issues inherent in this process. SSA seeks expert opinion about this subject area. All of the issues above challenge SSA to anticipate how and where the public's privacy concerns will develop in the next few years so that it can position itself to respond to the American public in an acceptable manner. Specifically, the contractor shall provide advice and consultation on an as needed basis. SSA will initiate contact when issues need to be considered. Most of this contact will be in the form of a conference call, with some face-to-face meetings. Background material will be sent out in advance to allow preparation for the discussion. The contractor will provide its thoughts and guidance based on this material during the conference call or meeting. The frequency of these discussions cannot be fully predicted at this time, as it depends on what issues surface as we develop Internet services. However, it is expected that conference calls or meetings would be held no more than once per quarter and only when a specific set of concerns need to be addressed. The contractor will be notified prior to the conference call or meeting if a written record of the discussions is needed. Occasionally SSA may send a document to the contractor requesting a written opinion. SSA will explain the issues involved and provide a due date for the response. The contractor will review the areas of concern outlined in the document and prepare a written analysis. If the contractor thinks there are additional items to be addressed beyond what is included it this document, the contractor shall submit them to the Project Officer for pre-approval. PERIOD OF PERFORMANCE: One year from date of award with 2 one-year option periods. TERMS AND CONDITIONS: The provisions of FAR 52.212-4 Contract Terms and Conditions -- Commercial Items (May 2001) and FAR 52.212-5 Contract Terms and Conditions Required to Implement Statues or Executive Orders -- Commercial Items (MAY 2001) are incorporated by reference. FAR clause 52.217-9 Option to Extend the Term of the Contract (MAR 2000) is also applicable to this solicitation. Special attention is directed to the following paragraphs: (a) 12 months; 30 days; and (c) 36 months. A Key Personnel clause will be inserted into a resulting award, which states in part that no personnel substitutions will be permitted without prior approval of the contracting officer. INSTRUCTIONS FOR SUBMITTING OFFERS: Proposals must be limited to no more than 25 pages. Offerors shall submit the following: SF 1449; pricing page; representations and certifications; experience, and past performance information, as specified herein. Offers which fail to include all required information may be rejected without further consideration. The provisions at FAR 52.212-1 Instructions to Offerors -- Commercial Items (Oct 2000) are incorporated by reference. Offerors shall follow the instructions set forth therein. Special attention is directed to the following paragraphs: (b)(4) a technical description/approach is not required; however, the offeror should include all relevant information in accordance with the Evaluation Criteria below; (b)(6) pricing should include loaded hourly labor rates, which include such items as overhead, fringe benefits, general and administration (G&A), or any other elements of cost. The offeror should NOT budget for travel; a $2,000 ceiling amount will be included in the purchase order; (b)(10) All information required by this paragraph shall be submitted. Experience and Past performance information should be limited to current projects and/or projects completed within the past 3 years; (b)(11) All information required by this paragraph MUST be submitted; paragraphs (e), (h), and( i) do not apply; and (j) The information required by this paragraph shall be submitted. Completed Representations and Certifications as required by FAR 52.212-3 Offeror Representations and Certifications -- Commercial Items (Jan 2001) Alternate III (October 2000) shall be submitted with the offer. The offeror should submit its proposal in 3 parts: I. Pricing Page, Representations and Certifications, Experience, and Past Performance documentation; II. Response to mandatory evaluation criteria; and III. Response to non-mandatory evaluation criteria. EVALUATION CRITERIA: The following are mandatory evaluation factors for award. If the offeror does not meet these requirements, its proposal will not be evaluated any further: Demonstrated recognition as an expert, renowned by others in the privacy field, as shown by: (a) Providing testimony to Congressional committees or presentations to high level decision-making or policy-determining bodies; (b) Serving on or consulting with governmental committees and/or task forces developing privacy policies and related topics; (c) Publication on topics concerning privacy, disclosure and authentication in respected journals (such as law reviews, scientific journals, public policy journals, etc.); and (d) Speaker at symposia studying privacy issues for policy recommendation to governmental bodies. The offeror must provide proof of these factors in the form of copies of such testimony or publications within the last 3 years; proof of appointment to government committee or task force; proof of prior appointment as consultant to a Federal agency. If the offeror meets the above mandatory criteria, it will then be evaluated on the following other evaluation factors for award: (a) Knowledge of Federal laws and regulations concerning privacy, systems security, management of information technology, including the Privacy Act, the Paperwork Reduction Act, the Government Paperwork Elimination Act, the Computer Security Act, and OMB Circular A-130; (b) Knowledge of SSA's systems' security practices for Internet customer services accessible via ssa.gov; (c) Knowledge of electronic user authentication methods, including digital signatures, digitized signatures, biometrics, smart cards, public key infrastructure, PINs and passwords, etc.; (d) Knowledge of and affiliation with leading organizations, educational institutions and/or councils engaged in legal and policy discussions and proceedings on the topic of privacy rights and responsibilities; (e) Being quoted in major newspapers and journals, such as The Washington Post, NY Times, Wall Street Journal; and (f) Author of book on topic of privacy and/or authentication. The offeror will be evaluated on its demonstrated experience (above) and past performance (how well relevant experience was performed). Experience is more important is more important than past performance; however, price is also important. Award will be made to the offeror who offers the best value to the government, price and other factors considered. AWARD: Awardees will be notified immediately and shall result in a binding agreement without further action by either party. ATTACHMENTS: SF 1449, Pricing page, and Representations and Certifications. All are available at www.fedbizopps.gov. If you are reading this in the CBD, you must download the attachments from fedbizopps.gov.

Web Link

FedBizOpps website for solicitation and attachments (www.fedbizopps.gov)

Record

Loren Data Corp. 20010831/RSOL004.HTM (W-241 SN50W1Z2)