Loren Data's SAM Daily™

FBO DAILY ISSUE OF OCTOBER 19, 2011 FBO #3616
SOURCES SOUGHT

D -- Telephone Service for St. John Parish Outpatient Clinic

Notice Date
10/17/2011
 
Notice Type
Sources Sought
 
NAICS
561421 — Telephone Answering Services
 
Contracting Office
Department of Veterans Affairs;Southeast Louisiana Veterans HCS;1555 Poydras Street;New Orleans LA 70114
 
ZIP Code
70114
 
Solicitation Number
VA25612Q0066
 
Response Due
10/20/2011
 
Archive Date
12/19/2011
 
Point of Contact
Winston Graber
 
Small Business Set-Aside
N/A
 
Description
STATEMENT OF WORK TEMPLATE
A. GENERAL INFORMATION Title of Project: FY12 Telecommunication Recurring Voice and Data Services 1. Scope of Work: The contractor shall provide all resources necessary to accomplish (voice and data lines as appropriate to include local, ISDN, PRI services) the deliverables described in the Statement of Work (SOW), except as may otherwise be specified. Contractor to provide services to perform (Oct 1, 2011 - Sept 30, 2012). Telephone service accounts listed below: 2. Company / Act # / Area VOICE. LOCAL: RTC 985-479-6700 St. John CBOC 985-479-2850 The C&A requirements do not apply, and a Security Accreditation Package is not required. VA Staff will be onsite and monitoring the contractor's performance and ensure that VA sensitive information is protected. Services include 24/7 and 2 - 4 hour response time. Contractor's work and performance will be monitored and evaluated for compliance while onsite. 3. Background: This contract (Oct, 2011 - Sept, 2012) is to ensure that SLVHCS has recurring voice and data services to include all of the proposed services as indicated in the full annual statement of work for contract award. The contractor must possess the expertise, security, support desk functions, and knowledge of the VA infrastructure and architecture. The need for a prompt response for recurring voice and data services due to an outage or scheduled activation is critical to support quality patient care. 4. Performance Period: The period of performance for this SOW is 10/1/11 - 09/30/12. Work at the government site shall not take place on Federal holidays or weekends unless directed by the Contracting Officer (CO).
5. Type of Contract: Firm-Fixed-Price 6. Place of Performance: The service area of the Southeast Louisiana Healthcare System, includes the following locations: St. John Community Based Outpatient Clinic 247 Veterans Blvd. Reserve, LA 70084 7. Performance Based Contract: N/A This contract requires the application of an Earned Value Management System that is compliant with the American National Standards Institute/Electronics Industries Alliance (ANSI/EIA) Standard-748, Earned Value Management Systems. [See paragraph Q.] N/A
B. CONTRACT AWARD MEETING The contractor shall not commence performance on the tasks in this SOW until the CO has conducted a kick off meeting or has advised the contractor that a kick off meeting is waived.
C. GENERAL REQUIREMENTS 1. For every task, the contractor shall identify in writing all necessary subtasks (if any), associated costs by task, together with associated submilestone dates. The contractor's subtask structure shall be reflected in the technical proposal and detailed project management plan (PMP). 2. All written deliverables will be phrased in layperson language. Statistical and other technical terminology will not be used without providing a glossary of terms. 3. Where a written milestone deliverable is required in draft form, SLVHCS will complete their review of the draft deliverable within 10 calendar days from date of receipt. The contractor shall have 30 calendar days to deliver the final deliverable from date of receipt of the government's comments.
D. SPECIFIC MANDATORY TASKS AND ASSOCIATED DELIVERABLES Description of Tasks and Associated Deliverables: The contractor shall provide the specific deliverables described below within the performance period stated in Section A.4 of this SOW.
Task One: Voice and Data Telecom Services Overview This Statement of Work (SOW) sets forth the roles and responsibilities of the Parties for the Voice and Data telecommunications services ("Voice and Data Services") provided under as part of the Services. Voice and Data Telecom Services are the Services and activities, as further detailed in this SOW, required to provide and support the Southeast Louisiana Veterans Health Care System (SLVHCS) and all supported tenant areas. Contractor is responsible for the full provisioning, engineering, operations and administration of current and emerging Voice and Data Telecom Services including existing contracts, but not limited to the following Services:
- Voice Network:
- Local Service (dial tone)
- Long Distance Data (e.g. private line, public switched)
1. Service Objectives The following are the key high-level Service objectives Contractor shall ensure the SLVHCS and all supported tenant areas achieves through Voice and Data Telecom Services:
- Meet SLVHCS and all supported tenant areas business needs for highly available, scalable, reliable, and secure Voice and Data Telecom Services
- Provide Voice Telecom Services with features and functions that meet End-User needs and meet SLVHCS and all supported tenant areas business requirements
- Provide Services that can leverage operational scale and best practices to achieve optimum commercial price performance
- Provide administrative, operational and management support
2. Scope of the Infrastructure to be Supported This paragraph describes the scope of Services. This includes assets, facilities and locations, personnel, policies and procedures, licenses and agreements and work-in-process. Schedules and attachments are associated with each section to allow for quarterly updates and changes. The following sub-sections and related SOW Addenda further describe and scope a number of Voice and Data Telecom Services elements to be supported and/or with which Contractor shall comply.
Service Environment Addenda are to be maintained by Contractor, reviewed with CO, updated by Contractor and made available to CO on a quarterly basis. Deliverable One: A monthly detailed listing of all work performed.
Task Two: IT Security Contract Documentation Deliverable Two: One (1) completed and signed copy of VA Privacy and Information Security Awareness and Rules of Behavior Training
E. SCHEDULE FOR DELIVERABLES 1. The contractor shall complete the Delivery Date column in Attachment A for each deliverable specified. 2. Unless otherwise specified, the number of draft copies and the number of final copies shall be the same. 3. If for any reason the scheduled time for a deliverable cannot be met, the contractor is required to explain why (include the original deliverable due date) in writing to the CO, including a firm commitment of when the work shall be completed. This notice to the CO shall cite the reasons for the delay, and the impact on the overall project. The CO will then review the facts and issue a response in accordance with applicable regulations.
F. CHANGES TO STATEMENT OF WORK Any changes to this SOW shall be authorized and approved only through written correspondence from the CO. A copy of each change will be kept in a project folder along with all other products of the project. Costs incurred by the contractor through the actions of parties other than the CO shall be borne by the contractor.
G. TRAVEL Travel and per diem shall be reimbursed and included in the contractor's proposal. Travel may be required to any of the locations listed in the place of performance. Round trip travel to any of these locations can be easily made within one duty day. Travel required beyond the initial pricing schedule must be pre-approved by the COTR.
J. GOVERNMENT RESPONSIBILITIES SLVHCS will provide controlled access to the areas and other resources as required to perform the services. Technicians will be escorted into areas by SLVHCS staff on an as needed basis.
A SLVHCS CIMIIT Project Manager will be assigned as a primary POC, and to provide information and resources in a manner to maintain contract continuity. Additionally, this person will receive deliverables as a result of this contract.
K. CONTRACTOR EXPERIENCE REQUIREMENTS -- KEY PERSONNEL These skilled experienced professional and/or technical personnel are essential for successful contractor accomplishment of the work to be performed under this contract and subsequent task orders and option. These are defined as key personnel and are those persons whose resumes were submitted. The contractor agrees that the key personnel shall not be removed, diverted, or replaced from work without approval of the CO and COTR. Any personnel the contractor offers as substitutes shall have the ability and qualifications equal to or better than the key personnel being replaced. Requests to substitute personnel shall be approved by the COTR and the CO. All requests for approval of substitutions in personnel shall be submitted to the COTR and the CO within 30 calendar days prior to making any change in key personnel. The request shall be written and provide a detailed explanation of the circumstances necessitating the proposed substitution. The contractor shall submit a complete resume for the proposed substitute, any changes to the rate specified in the order (as applicable) and any other information requested by the CO needed to approve or disapprove the proposed substitution. The CO will evaluate such requests and promptly notify the contractor of approval or disapproval thereof in writing.
L. CAPABILITY MATURITY MODEL FOR SOFTWARE INTEGRATION [If applicable] N/A The organizational entity, within the contractor organization, that will be performing the work required by the SOW shall have been assessed at CMMI Level 2 or higher by an external assessment team led by a Software Engineering Institute (SEI) certified Lead Assessor.
The Level 2 Key Process Areas of the S-CMMI are: *Requirements Management, *Software Project Planning, *Software Project Tracking and Oversight, *Software Subcontract Management, *Software Quality Assurance, and *Software Configuration Management.
M. ARCHITECTURAL GUIDELINES The contractor shall develop all desktop and MS 2003 Server software deliverables to be functional on both the current VHA client/server environment and a Windows XP client environment. Specifically, software shall be developed to be operational on the Windows 2003 Enterprise Server.
N. SECURITY 1. INFORMATION SYSTEM SECURITY The contractor shall ensure adequate LAN/Internet, data, information, and system security in accordance with VA standard operating procedures and standard contract language, conditions, laws, and regulations. The contractor's firewall and web server shall meet or exceed the government minimum requirements for security. All government data shall be protected behind an approved firewall. Any security violations or attempted violations shall be reported to the VA Project Manager, COTR, Contracting Officer and the Information Security Officer as soon as possible. The contractor shall follow all applicable VA policies and procedures governing information security, especially those that pertain to certification accreditation. The Veterans Affairs Acquisition Regulation (VAAR) security clause (cited below) must be included in all contracts: VAAR-852.273-75 "SECURITY REQUIREMENTS FOR UNCLASSIFIED INFORMATION TECHNOLOGY RESOURCES" http://checklists.nist.gov (b) To ensure that appropriate security controls are in place, Contractors must follow the procedures set forth in "VA Information and Information System Security/Privacy Requirements for IT Contracts" located at the following Web site: http://www.iprm.oit.va.gov." 2.
TRAINING a. All contractor employees and subcontractor employees requiring access to VA information and VA information systems shall complete the following before being granted access to VA information and its systems: 1. Successfully complete the VA Privacy and Information Security Awareness and Rules of Behavior training and annually complete required security training; 2. Successfully complete any additional cyber security or privacy training, as required for VA personnel with equivalent information system access [to be defined by the VA program official and provided to the contracting officer for inclusion in the solicitation document - e.g., any role-based information security training required in accordance with NIST Special Publication 800-16, Information Technology Security Training Requirements.] b. The contractor shall provide to the contracting officer and/or the COTR a copy of the training certificates for each applicable employee within 1 week of the initiation of the contract and annually thereafter, as required. c. Failure to complete the mandatory annual training within the timeframe required is grounds for suspension or termination of all physical or electronic access privileges and removal from work on the contract until such time as the training and documents are complete. d. VA training site is located at https://www.ees-learning.net There is only one course the contractor needs to complete and print the certificate at the end. A copy of the completed certificate must be submitted before work begins.
Instructions to get to the Courses in External EES https://www.ees-learning.net "My Courses". Search for your course by typing in "FY11" and click "Search" button. You will be taken to the search results page.
Click on the "Sign Me Up" link on the right side of the screen and you will be taken back to the "My Courses" screen, where your new course will now be listed. Click on your course name link to go to the course. VA Learning University (VALU) Help Desk: 1-866-496-0463 valmshelp@va.gov
[Example screenshot: EES Course Catalog search, Keyword = FY11, listing the course "VA Privacy and Information Security Awareness and Rules of Behavior FY11".]
3. CONTRACTOR PERSONNEL SECURITY All contractor employees who require access to the Department of Veterans Affairs' computer systems shall be the subject of a background investigation and must receive a favorable adjudication from the VA Security and Investigations Center (07C). The level of background security investigation will be in accordance with VA Directive 0710 dated September 10, 2004 and is available at: http://www.va.gov/pubs/asp/edsdirec.asp (VA Handbook 0710, Appendix A, Tables 1 - 3). Appropriate Background Investigation (BI) forms will be provided upon contract (or task order) award, and are to be completed and returned to the VA Security and Investigations Center (07C) within 30 days for processing. Contractors will be notified by 07C when the BI has been completed and adjudicated. These requirements are applicable to all subcontractor personnel requiring the same access.
If the security clearance investigation is not completed prior to the start date of the contract, the employee may work on the contract while the security clearance is being processed, but the contractor will be responsible for the actions of those individuals they provide to perform work for the VA. In the event that damage arises from work performed by contractor personnel, under the auspices of the contract, the contractor will be responsible for resources necessary to remedy the incident. The investigative history for contractor personnel working under this contract must be maintained in the databases of either the Office of Personnel Management (OPM) or the Defense Industrial Security Clearance Organization (DISCO). Should the contractor use a vendor other than OPM or Defense Security Service (DSS) to conduct investigations, the investigative company must be certified by OPM/DSS to conduct contractor investigations. 1. Background Investigation The position sensitivity impact for this effort has been designated as [Low] Risk and the level of background investigation is [NACI]. 2. Contractor Responsibilities a. The contractor shall bear the expense of obtaining background investigations. If the investigation is conducted by the Office of Personnel Management (OPM) through the VA, the contractor shall reimburse the VA within 30 days. b. Background investigations from investigating agencies other than OPM are permitted if the agencies possess an OPM and Defense Security Service certification. The Vendor Cage Code number must be provided to the Security and Investigations Center (07C), which will verify the information and advise the contracting officer whether access to the computer systems can be authorized. c. The contractor shall prescreen all personnel requiring access to the computer systems to ensure they maintain a U.S. citizenship and are able to read, write, speak and understand the English language. d.
After contract award and prior to contract performance, the contractor shall provide the following information, using Attachment B, to the CO: (1) List of names of contractor personnel. (2) Social Security Number of contractor personnel. (3) Home address of contractor personnel or the contractor's address. e. The contractor, when notified of an unfavorable determination by the Government, shall withdraw the employee from consideration from working under the contract. f. Failure to comply with the contractor personnel security requirements may result in termination of the contract for default. g. Further, the contractor will be responsible for the actions of all individuals provided to work for the VA under this contract. In the event that damages arise from work performed by contractor provided personnel, under the auspices of this contract, the contractor will be responsible for all resources necessary to remedy the incident. 3. Government Responsibilities a. The VA Security and Investigations Center (07C) will provide the necessary forms to the contractor or to the contractor's employees after receiving a list of names and addresses. b. Upon receipt, the VA Security and Investigations Center (07C) will review the completed forms for accuracy and forward the forms to OPM to conduct the background investigation. c. The VA facility will pay for investigations conducted by the OPM in advance. In these instances, the contractor will reimburse the VA facility within 30 days. d. The VA Security and Investigations Center (07C) will notify the contracting officer and contractor after adjudicating the results of the background investigations received from OPM. e. The contracting officer will ensure that the contractor provides evidence that investigations have been completed or are in the process of being requested.
O.
ELECTRONIC AND INFORMATION TECHNOLOGY STANDARDS INTERNET/INTRANET The contractor shall comply with Department of Veterans Affairs (VA) Directive 6102 and VA Handbook 6102 (Internet/Intranet Services). VA Directive 6102 sets forth policies and responsibilities for the planning, design, maintenance support, and any other functions related to the administration of a VA Internet/Intranet Service Site or related service (hereinafter referred to as Internet). This directive applies to all organizational elements in the Department. This policy applies to all individuals designing and/or maintaining VA Internet Service Sites; including but not limited to full time and part time employees, contractors, interns, and volunteers. This policy applies to all VA Internet/Intranet domains and servers that utilize VA resources. This includes but is not limited to va.gov and other extensions such as ".com, .edu, .mil, .net, .org," and personal Internet service pages managed from individual workstations. VA Handbook 6102 establishes Department-wide procedures for managing, maintaining, establishing, and presenting VA Internet/Intranet Service Sites or related services (hereafter referred to as "Internet"). The handbook implements the policies contained in VA Directive 6102, Internet/Intranet Services. This includes, but is not limited to, File Transfer Protocol (FTP), Hypertext Markup Language (HTML), Simple Mail Transfer Protocol (SMTP), Web pages, Active Server Pages (ASP), e-mail forums, and list servers.
VA Directive 6102 and VA Handbook 6102 are available at: Internet/Intranet Services Directive 6102 http://www.va.gov/pubs/directives/Information-Resources-Management-(IRM)/6102d.doc Internet/Intranet Services Handbook 6102 http://www.va.gov/pubs/handbooks/Information-Resources-Management-(IRM)/6102h.doc Internet/Intranet Services Handbook 6102 Change 1 - updates VA's cookie use policy, Section 508 guidelines, guidance on posting of Hot Topics, approved warning notices, and minor editorial errors. http://www.va.gov/pubs/handbooks/Information-Resources-Management-(IRM)/61021 h.doc In addition, any technologies that enable a Network Delivered Application (NDA) to access or modify resources of the local machine that are outside of the browser's "sand box" are strictly prohibited. Specifically, this prohibition includes signed-applets or any ActiveX controls delivered through a browser's session. ActiveX is expressly forbidden within the VA while .NET is allowed only when granted a waiver by the VA CIO *PRIOR* to use. JavaScript is the preferred language standard for developing relatively simple interactions (i.e., forms validation, interactive menus, etc.) and Applets (J2SE APIs and Java Language) for complex network delivered applications. SECTION 508 The contractor shall comply with Section 508 of the Rehabilitation Act (29 U.S.C. § 794d), as amended by the Workforce Investment Act of 1998 (P.L. 105-220), August 7, 1998. In December 2000, the Architectural and Transportation Barriers Compliance Board (Access Board), pursuant to Section 508(2)(A) of the Rehabilitation Act Amendments of 1998, established Information Technology accessibility standards for the Federal Government.
Section 508(a)(1) requires that when Federal departments or agencies develop, procure, maintain, or use Electronic and Information Technology (EIT), they shall ensure that the EIT allows Federal employees with disabilities to have access to and use of information and data that is comparable to the access to and use of information and data by other Federal employees. The Section 508 requirement also applies to members of the public seeking information or services from a Federal department or agency. Section 508 text is available at: http://www.opm.gov/HTML/508-textOfLaw.htm http://www.section508.gov/index.cfm?FuseAction=Content&ID=14
P. CONFIDENTIALITY AND NONDISCLOSURE It is agreed that: 1. The preliminary and final deliverables and all associated working papers, application source code, and other material deemed relevant by the VA which have been generated by the contractor in the performance of this task order are the exclusive property of the U.S. Government and shall be submitted to the CO at the conclusion of the task order. 2. The CO will be the sole authorized official to release verbally or in writing, any data, the draft deliverables, the final deliverables, or any other written or printed materials pertaining to this task order. No information shall be released by the contractor. Any request for information relating to this task order presented to the contractor shall be submitted to the CO for response. 3. Press releases, marketing material or any other printed or electronic documentation related to this project, shall not be publicized without the written approval of the CO.
Q. Earned Value Management System - N/A 1. An Earned Value Management System (EVMS) is required for major acquisitions for development, in accordance with OMB Circular A-11. The Government may also require an EVMS for other acquisitions, in accordance with agency policy contained in VA Directive 6061.
Contractors that are required to have their own EVMS shall follow procedures contained in the VA EVMS Application Guide. 2. The following paragraphs reflect EVMS requirements and may be modified as necessary for selected use. a. Contractor Independent Deliverables. This contract requires the contractor to operate as a distinct entity to produce a deliverable(s). The contractor is required to have its own compliant EVMS, per VA Directive 6061, Table B-1, and provide EVM reports to the VA. (1). Non-Compliant EVMS. If the offeror proposes to use a system that has not been determined to be in compliance with the American National Standards Institute/Electronics Industries Alliance (ANSI/EIA) Standard-748, Earned Value Management Systems, the offeror shall submit a comprehensive plan for compliance with these EVMS standards. Offerors shall not be eliminated from consideration for contract award because they do not have an EVMS that complies with these standards. (2). EVMS Reports. As a minimum, contracting officers shall require contractors to submit EVMS monthly reports for those contracts for which an EVMS applies. (3). Subcontractors. EVMS requirements will be applied to subcontractors using the same rules as applied to the prime contractor. VA will decide the flow down of the EVM requirement to subcontractors. In all cases, the prime contractor is responsible for reporting EVM data. (4). EVMS Plan. When an offeror is required to provide an EVMS plan as part of its proposal, the contracting officer will determine the adequacy of the proposed EVMS plan prior to contract award. (5). Performance Measurement Baseline. Contractors are required to resource load schedules in order to set a performance measurement baseline. Resources do not have to be specifically named. (6). Program Management Reviews. The Contractor shall conduct Program Management Review (PMR) meetings at mutually agreed upon dates and locations.
During these reviews, the contractor shall present integrated cost, schedule, and technical performance status. Government Integrated Product Team (IPT) leads or functional managers shall include cost information in discussions of schedule status, technical performance, and risk using earned value as an integrating tool. The following shall be addressed: Cost/schedule trends, significant cost/schedule/technical variances, projected impacts, quantified risk assessments, and corrective action plans. (7). Contractor Earned Value Management. The Cost Performance Report Description (VA-DI-MGMT-81466A), and Integrated Master Schedule Description (VA-DI-MGMT-81650) shall be developed, maintained, updated/statused and reported on a monthly basis per deliverable requirements, respectively. The contractor shall establish, maintain, and use in the performance of this contract, an integrated management system compliant with the Industry Guidelines for Earned Value Management Systems (EVMS) ANSI/EIA-748 as determined by the Government. An EVMS that has been formally validated and accepted by the cognizant contracting officer is required for all (fixed price, cost, or incentive) contracts, subcontracts, and other agreements valued at or greater than $50 million in then-year dollars. The application of these concepts shall provide for early indicators of contract cost and schedule problems. For contracts valued at or greater than $20 million but less than $50 million then-year dollars, the following statement applies: The contractor is required to have an Earned Value Management System that complies with ANSI/EIA-748; however, the government will not formally validate/accept the contractor's management system (no formal review). The contractor will submit an EVMS description and proof of prior certification with its bid. (8). Integrated Baseline Review (IBR).
The contractor shall review its performance measurement baseline plan with the Government within six months of contract award or initiation of an Undefinitized Contract Action, and subsequently, when required, following major changes to the baseline. The Government will verify during the IBR, and follow-on IBRs when required, that the contractor has established and maintains a reliable performance measurement baseline. The contractor will ensure that the baseline includes the entire contract technical scope of work consistent with contract schedule requirements, and has adequate resources assigned. The contractor will assure the Government that effective earned value methodologies are used to accurately measure work accomplished and determine contract cost, schedule, and technical performance. The IBR will be used to achieve a mutual understanding of the baseline plan, cost and schedule risk, and the underlying management processes used for planning and controlling the project. (9). Subcontract Cost/Schedule Management and Reporting. Subcontracts exceeding $20M in then-year dollars will apply the requirements of the Integrated Master Schedule Description (VA-DI-MGMT-81650) and the Cost Performance Report Description (VA-DI-MGMT-81466). For contracts valued at or greater than $20 million but less than $50 million, the following statement applies: The contractor is required to have an Earned Value Management System that complies with ANSI/EIA-748; however, the Government will not formally validate/accept the contractor's management system (no formal review). EVMS flow down to contracts of less than $20M in then-year dollars or Firm Fixed Price contracts that exceed 12 months duration is a risk-based decision and will be as mutually agreed between the contractor and the Government. (10). Contract Work Breakdown Structure (CWBS). The contractor shall develop and maintain the CWBS and CWBS dictionary. (11). Over Target Baseline (OTB)/Restructure.
The contractor may conclude the baseline no longer represents a realistic plan in terms of budget/schedule execution. In the event the contractor determines an OTB/Restructuring action is necessary, the contractor must obtain Government approval prior to implementing an OTB/Restructuring action. The request should also include detailed implementation procedures as well as an implementation timeframe. The contractor will not implement the OTB/Restructuring prior to receiving written approval from the Contracting Officer. (12). Award Fee Criteria. For contracts that include an award fee, the contractor will demonstrate the use of Earned Value Management (EVM) as a tool for cost and schedule control and as a basis for communicating with the Government. The Government will determine the eligibility for and amount of any award fee granted. In addition to demonstrating the use of EVM, award fee criteria for the contractor will include the following: (a). Maintain timely detail planning as far in advance as practical; (b). Ensure the system provides accurate cost/schedule performance status, reliable and timely cost/schedule projections, and quantified risk assessments; (c). Provide clear and comprehensive explanations of performance problems and associated impacts, and establish and carry out effective recovery plans; (d). Control and minimize changes to the baseline particularly in the near term; (e). Ensure all subcontractor-authorized effort is detail planned into measurable objective work packages to the extent possible; (f). Provide program-level Estimate at Completion (EAC) assessments that include consideration of potential risks and cost containment plans; and (g). Demonstrate responsiveness regarding management system and cost/schedule performance questions and issues/concerns raised by the Government.
VA INFORMATION AND INFORMATION SYSTEM SECURITY/PRIVACY LANGUAGE FOR INCLUSION INTO CONTRACTS, AS APPROPRIATE 1. GENERAL Contractors, contractor personnel, subcontractors, and subcontractor personnel shall be subject to the same Federal laws, regulations, standards, and VA Directives and Handbooks as VA and VA personnel regarding information and information system security. 2. ACCESS TO VA INFORMATION AND VA INFORMATION SYSTEMS e. A contractor/subcontractor shall request logical (technical) or physical access to VA information and VA information systems for their employees, subcontractors, and affiliates only to the extent necessary to perform the services specified in the contract, agreement, or task order. f. All contractors, subcontractors, and third-party servicers and associates working with VA information are subject to the same investigative requirements as those of VA appointees or employees who have access to the same types of information. The level and process of background security investigations for contractors must be in accordance with VA Directive and Handbook 0710, Personnel Suitability and Security Program. The Office for Operations, Security, and Preparedness is responsible for these policies and procedures. g. Contract personnel who require access to national security programs must have a valid security clearance. National Industrial Security Program (NISP) was established by Executive Order 12829 to ensure that cleared U.S. defense industry contract personnel safeguard the classified information in their possession while performing work on contracts, programs, bids, or research and development efforts. The Department of Veterans Affairs does not have a Memorandum of Agreement with Defense Security Service (DSS). Verification of a Security Clearance must be processed through the Special Security Officer located in the Planning and National Security Service within the Office of Operations, Security, and Preparedness.
h. Custom software development and outsourced operations must be located in the U.S. to the maximum extent practical. If such services are proposed to be performed abroad and are not disallowed by other VA policy or mandates, the contractor/subcontractor must state where all non-U.S. services are provided and detail a security plan, deemed to be acceptable by VA, specifically to address mitigation of the resulting problems of communication, control, data protection, and so forth. Location within the U.S. may be an evaluation factor. i. The contractor or subcontractor must notify the Contracting Officer immediately when an employee working on a VA system or with access to VA information is reassigned or leaves the contractor or subcontractor's employ. The Contracting Officer must also be notified immediately by the contractor or subcontractor prior to an unfriendly termination. 3. VA INFORMATION CUSTODIAL LANGUAGE j. Information made available to the contractor or subcontractor by VA for the performance or administration of this contract or information developed by the contractor/subcontractor in performance or administration of the contract shall be used only for those purposes and shall not be used in any other way without the prior written agreement of the VA. This clause expressly limits the contractor/subcontractor's rights to use data as described in Rights in Data - General, FAR 52.227-14(d)(1). k. VA information should not be co-mingled, if possible, with any other data on the contractor/subcontractor's information systems or media storage systems in order to ensure VA requirements related to data protection and media sanitization can be met. If co-mingling must be allowed to meet the requirements of the business need, the contractor must ensure that VA's information is returned to the VA or destroyed in accordance with VA's sanitization requirements.
VA reserves the right to conduct on-site inspections of contractor and subcontractor IT resources to ensure data security controls, separation of data and job duties, and destruction/media sanitization procedures are in compliance with VA directive requirements. l. Prior to termination or completion of this contract, contractor/subcontractor must not destroy information received from VA, or gathered/created by the contractor in the course of performing this contract without prior written approval by the VA. Any data destruction done on behalf of VA by a contractor/subcontractor must be done in accordance with National Archives and Records Administration (NARA) requirements as outlined in VA Directive 6300, Records and Information Management and its Handbook 6300.1 Records Management Procedures, applicable VA Records Control Schedules, and VA Handbook 6500.1, Electronic Media Sanitization. Self-certification by the contractor that the data destruction requirements above have been met must be sent to the VA Contracting Officer within 30 days of termination of the contract. m. The contractor/subcontractor must receive, gather, store, back up, maintain, use, disclose and dispose of VA information only in compliance with the terms of the contract and applicable Federal and VA information confidentiality and security laws, regulations and policies. If Federal or VA information confidentiality and security laws, regulations and policies become applicable to the VA information or information systems after execution of the contract, or if NIST issues or updates applicable FIPS or Special Publications (SP) after execution of this contract, the parties agree to negotiate in good faith to implement the information confidentiality and security laws, regulations and policies in this contract.
n. The contractor/subcontractor shall not make copies of VA information except as authorized and necessary to perform the terms of the agreement or to preserve electronic information stored on contractor/subcontractor electronic storage media for restoration in case any electronic equipment or data used by the contractor/subcontractor needs to be restored to an operating state. If copies are made for restoration purposes, after the restoration is complete, the copies must be appropriately destroyed. o. If VA determines that the contractor has violated any of the information confidentiality, privacy, and security provisions of the contract, it shall be sufficient grounds for VA to withhold payment to the contractor or third party or terminate the contract for default or terminate for cause under Federal Acquisition Regulation (FAR) part 12. p. If a VHA contract is terminated for cause, the associated BAA must also be terminated and appropriate actions taken in accordance with VHA Handbook 1600.01, Business Associate Agreements. Absent an agreement to use or disclose protected health information, there is no business associate relationship. q. The contractor/subcontractor must store, transport, or transmit VA sensitive information in an encrypted form, using VA-approved encryption tools that are, at a minimum, FIPS 140-2 validated. r. The contractor/subcontractor's firewall and Web services security controls, if applicable, shall meet or exceed VA's minimum requirements. VA Configuration Guidelines are available upon request. s. Except for uses and disclosures of VA information authorized by this contract for performance of the contract, the contractor/subcontractor may use and disclose VA information only in two other situations: (i) in response to a qualifying order of a court of competent jurisdiction, or (ii) with VA's prior written approval.
The contractor/subcontractor must refer all requests for, demands for production of, or inquiries about, VA information and information systems to the VA contracting officer for response. t. Notwithstanding the provision above, the contractor/subcontractor shall not release VA records protected by Title 38 U.S.C. 5705, confidentiality of medical quality assurance records and/or Title 38 U.S.C. 7332, confidentiality of certain health records pertaining to drug addiction, sickle cell anemia, alcoholism or alcohol abuse, or infection with human immunodeficiency virus. If the contractor/subcontractor is in receipt of a court order or other requests for the above mentioned information, that contractor/subcontractor shall immediately refer such court orders or other requests to the VA contracting officer for response. u. For service that involves the storage, generating, transmitting, or exchanging of VA sensitive information but does not require C&A or an MOU-ISA for system interconnection, the contractor/subcontractor must complete a Contractor Security Control Assessment (CSCA) on a yearly basis and provide it to the COTR. v. The C&A requirements do not apply, and a Security Accreditation Package is not required. 4. SECURITY INCIDENT INVESTIGATION w. The term "security incident" means an event that has, or could have, resulted in unauthorized access to, loss or damage to VA assets, or sensitive information, or an action that breaches VA security procedures. The contractor/subcontractor shall immediately notify the COTR and simultaneously, the designated ISO and Privacy Officer for the contract of any known or suspected security/privacy incidents, or any unauthorized disclosure of sensitive information, including that contained in system(s) to which the contractor/subcontractor has access.
x. To the extent known by the contractor/subcontractor, the contractor/subcontractor's notice to VA shall identify the information involved, the circumstances surrounding the incident (including to whom, how, when, and where the VA information or assets were placed at risk or compromised), and any other information that the contractor/subcontractor considers relevant. y. With respect to unsecured protected health information, the business associate is deemed to have discovered a data breach when the business associate knew or should have known of a breach of such information. Upon discovery, the business associate must notify the covered entity of the breach. Notifications need to be made in accordance with the executed business associate agreement. z. In instances of theft or break-in or other criminal activity, the contractor/subcontractor must concurrently report the incident to the appropriate law enforcement entity (or entities) of jurisdiction, including the VA OIG and Security and Law Enforcement. The contractor, its employees, and its subcontractors and their employees shall cooperate with VA and any law enforcement authority responsible for the investigation and prosecution of any possible criminal law violation(s) associated with any incident. The contractor/subcontractor shall cooperate with VA in any civil litigation to recover VA information, obtain monetary or other compensation from a third party for damages arising from any incident, or obtain injunctive relief against any third party arising from, or related to, the incident. 5. LIQUIDATED DAMAGES FOR DATA BREACH aa. Consistent with the requirements of 38 U.S.C. §5725, a contract may require access to sensitive personal information. If so, the contractor is liable to VA for liquidated damages in the event of a data breach or privacy incident involving any SPI the contractor/subcontractor processes or maintains under this contract. bb.
The contractor/subcontractor shall provide notice to VA of a "security incident" as set forth in the Security Incident Investigation section above. Upon such notification, VA must secure from a non-Department entity or the VA Office of Inspector General an independent risk analysis of the data breach to determine the level of risk associated with the data breach for the potential misuse of any sensitive personal information involved in the data breach. The term 'data breach' means the loss, theft, or other unauthorized access, or any access other than that incidental to the scope of employment, to data containing sensitive personal information, in electronic or printed form, that results in the potential compromise of the confidentiality or integrity of the data. Contractor shall fully cooperate with the entity performing the risk analysis. Failure to cooperate may be deemed a material breach and grounds for contract termination. cc. Each risk analysis shall address all relevant information concerning the data breach, including the following: (1) Nature of the event (loss, theft, unauthorized access); (2) Description of the event, including: (a) date of occurrence; (b) data elements involved, including any PII, such as full name, social security number, date of birth, home address, account number, disability code; (3) Number of individuals affected or potentially affected; (4) Names of individuals or groups affected or potentially affected; (5) Ease of logical data access to the lost, stolen or improperly accessed data in light of the degree of protection for the data, e.g., unencrypted, plain text; (6) Amount of time the data has been out of VA control; (7) The likelihood that the sensitive personal information will or has been compromised (made accessible to and usable by unauthorized persons); (8) Known misuses of data containing sensitive personal information, if any; (9) Assessment of the potential harm to the affected individuals; (10) Data breach analysis as outlined in
6500.2 Handbook, Management of Security and Privacy Incidents, as appropriate; and (11) Whether credit protection services may assist record subjects in avoiding or mitigating the results of identity theft based on the sensitive personal information that may have been compromised. dd. Based on the determinations of the independent risk analysis, the contractor shall be responsible for paying to the VA liquidated damages in the amount of $_TBD per affected individual to cover the cost of providing credit protection services to affected individuals consisting of the following: (1) Notification; (2) One year of credit monitoring services consisting of automatic daily monitoring of at least 3 relevant credit bureau reports; (3) Data breach analysis; (4) Fraud resolution services, including writing dispute letters, initiating fraud alerts and credit freezes, to assist affected individuals to bring matters to resolution; (5) One year of identity theft insurance with $20,000.00 coverage at $0 deductible; and (6) Necessary legal expenses the subjects may incur to repair falsified or damaged credit records, histories, or financial affairs. 6. SECURITY CONTROLS COMPLIANCE TESTING On a periodic basis, VA, including the Office of Inspector General, reserves the right to evaluate any or all of the security controls and privacy practices implemented by the contractor under the clauses contained within the contract. With 10 working days' notice, at the request of the government, the contractor must fully cooperate and assist in a government-sponsored security controls assessment at each location wherein VA information is processed or stored, or information systems are developed, operated, maintained, or used on behalf of VA, including those initiated by the Office of Inspector General. The government may conduct a security control assessment on shorter notice (to include unannounced assessments) as determined by VA in the event of a security incident or at any other time.
Attachment A
Schedule of Deliverables

Deliverable No. | Item | Quantity | Delivery Date
One | A monthly detailed listing of all work performed | One | Upon completion
Two | One (1) completed and signed copy of VA Privacy and Information Security Awareness and Rules of Behavior Training | One | Within _5 calendar days after award

Attachment B
SECURITY BACKGROUND INVESTIGATION INFORMATION (Submit after award and prior to contract performance)
Complete this form after contract award if contractor employee does not possess a NACI clearance. The completed form must be sent directly to the Contracting Officer within ten days of award.
Vendor Name:
Cage Code No.
Address:
City, State, and Zip Code:
1. Was the employee prescreened? yes or no
2. Is the employee a U.S. Citizen? yes or no
3. Can the employee read, write, speak and understand English language? yes or no
Information From Employee Requiring a Clearance (Do not complete SSN, Contact Contracting Officer)
Name | Social Security No. | Address | City | State | Zip Code
 
Web Link
FBO.gov Permalink
(https://www.fbo.gov/spg/VA/NOrVAMC/VAMCCO80220/VA25612Q0066/listing.html)
 
Place of Performance
Address: 247 Veterans Blvd.;Reserve, LA.70084
Zip Code: 70084
 
Record
SN02608214-W 20111019/111017234054-7a3438aaf73c3c6b3c912a602d107c02 (fbodaily.com)
 
Source
FedBizOpps Link to This Notice
(may not be valid after Archive Date)
