COMBINED SYNOPSIS SOLICITATION

This is a combined synopsis/solicitation for commercial items prepared in accordance with the format in Subpart 12.6, as supplemented with additional information included in this notice. This announcement constitutes the only solicitation; proposals are being requested and a written solicitation will not be issued.

36C10E22Q0161

The solicitation incorporates provisions and clauses in effect through Federal Acquisition Circular 2022-07, dated 08-10-2022. This solicitation is set-aside exclusively for Service-Disabled Veteran-Owned Small Business concerns. To be considered for award, prospective offerors must be registered and active in the System for Award Management (SAM) and a verified SDVOB concern in the VA Center for Verification and Evaluation (CVE) Veteran Information Pages (VIP) at the date and time set for receipt of offers. An Offeror who is not SAM registered or a VIP verified SDVOB concern at the date and time set for receipt of offers will have their offer rejected as non-responsive and will not be considered for award. The applicable NAICS Code for this solicitation is 561621, Small Business Size Standard $22M. Applicable wage determination 2015-4572 Revision 19 dated 29 July 2022 is incorporated.

Contractor shall provide quote to replace ES3 PACS System.

ITEM NO.: 0001
DESCRIPTION: Replacement of and configuration of the existing PACS system currently installed at the Department of Veterans Affairs, VARO317, Electronic Security Surveillance System (ES3), St. Petersburg, Florida. The contractor shall provide all required supervision, labor, transportation, tools, parts, diagnostics, inspection and testing to ensure system installed is fully functional and operating. See enclosed SOW. Estimated Period of Performance: 120 Days ARO
QTY: 1
UNIT: JB
Monthly Job: $___________
Total Job: $___________

Description of Requirement: Migration and configuration of the St.
Petersburg Regional Office Electronic Security Surveillance System (ES3)

Scope Of Work (SOW)
Electronic Security Surveillance System (ES3)
08/15/2022

Introduction: In accordance with VA Directive 0730 (12 December 2012) the Bay Pines Veterans Administration Regional Office is responsible for protecting the lives and property within VA's jurisdiction, which includes the safety and security of its employees and visitors as well as the security and access of the facility, equipment, supplies, and personal service records within the Bay Pines Regional Office. Bay Pines Regional Office is therefore requesting an upgrade to its existing Personnel Access Control System (PACS), Security camera monitoring and recording system, Duress and Alarm system to an Electronic Security Surveillance System (ES3).

Background: Homeland Security Presidential Directive 12 (HSPD-12) requires federal agencies to issue secure and reliable identification to all employees and contractors. Federal Information Processing Standards (FIPS) Publication 201-1, Personal Identity Verification (PIV) of Federal Employees and Contractors, issued by the National Institute of Standards and Technology (NIST), establishes the technical specifications for the smart cards that respond to this requirement. HSPD-12 requires Federal agencies to provide a common identity (ID) credential system for all federal employees and contractors. PIV badges are electronically verifiable and protected by digital certificates, biometric data, and a Personal Identification Number (PIN) code. These credentials are issued, tracked, and revoked from a central management system and require applicant background checks. On February 3, 2011, the Office of Management and Budget (OMB) released Memorandum 11-11, Continued Identification of HSPD 12, that requires all federal agency systems be enabled to use PIV credentials in accordance with NIST guidelines.
OMB directs agencies to use PIV badges in daily operations and integrate centrally managed PIV badge systems with Physical Access Control Systems (PACS). PACS readers must, at a minimum, extract unique token identifier information from the PIV badge and, by FY 2022, existing federal physical and logical access control systems must be upgraded to use PIV credentials.

In accordance with VA Directive 0730 (12 December 2012) the Bay Pines Veterans Administration Regional Office (VARO) is responsible for protecting the lives and property within VA's jurisdiction, which includes the safety and security of its employees and visitors as well as the security and access to the facility, equipment, supplies, and personal service records within the Bay Pines VA Regional Office. Bay Pines VARO therefore has a requirement for a Physical Access Control System. The PACS will encompass an electronic employee identification system that will assign identity, monitor, and grant or restrict access to all offices and parking throughout the VARO facility by use of a PIV badge that will open approved exterior, interior, elevator, and stairwell doors. The Graphical User Interface software system will integrate the currently installed HID Readers, surveillance security cameras, physical and duress buttons, servers, and current and archived data sets.

Objective: The objective of this Statement of Work is to specify the deliverables the contractor is required to accomplish to replace the PACS, surveillance, and duress systems at the Bay Pines VARO to bring the Bay Pines VARO into compliance with the guidelines and regulations annotated above. The contractor will identify the equipment, software, surveillance security cameras, camera software, and data requirements that are required to install a replacement PACS software, duress monitoring/reporting system, and a security camera system or equivalent that carries all required licensing and that meets all requirements stated herein.
Currently the Bay Pines VARO's PACS Ethernet devices are physically connected to the VA network and also logically separated by a Virtual Local Area Network (VLAN) (designated as VBABADGE 1 and VBACAMERA for the Bay Pines Regional Office). This has enabled circumvention of secure baseline configurations and has made the current PACS devices susceptible to vulnerability attacks. Having the PACS on the VLAN network does not meet VA security requirements and hampers necessary mitigations of security risks to the Bay Pines VARO Network. The contractor will alleviate this issue by ensuring the Electronic Security Surveillance System (ES3) Server is implemented and configured on its own closed network utilizing up-to-date industry security standards. The contractor will ensure the server is a standalone system with accompanying training and support. The contractor will install non-proprietary software that monitors and controls all aspects of the system under a single Graphical User Interface (GUI). The contractor will determine and submit a detailed report of all necessary equipment to be acquired or upgraded, with justifications, prior to implementation. The contractor will use existing equipment and materials when able. All additions, repairs or upgrades to equipment and material must be documented and a justification provided to the CO and COR via a standardized template.

Scope: Contractor will be responsible for providing all tools, supplies, equipment, transportation, and labor to migrate the existing Electronic Security Surveillance System (ES3) onto a stand-alone network, which includes but is not limited to i-star control panels, switches, nonproprietary software, cameras, electronic door locking systems, gates, data migration, HID PIV integration software and electronic PIV recognition devices (wall mounts outside office spaces) required at the Bay Pines VA Regional Office.
Software will seamlessly import PIV data from active PIV cards to create or update security profiles via PIV and PIN authentication. The Software will be in a single graphical user interface that integrates administration, monitoring, cameras, recording, alarms, duress, and security information. Software will have automated diagnostic capabilities that identify and report malfunctioning devices. The existent servers will be removed from the VBA network and be set up as a stand-alone network.

The Contractor shall provide all supervision, labor, administrative support, materials, tools, parts, supplies, equipment, software, hardware, and transportation necessary to fulfill all the requirements of this Statement of Work (SOW) effectively and efficiently. The migration will preserve the current remote monitoring stations at the Police Services desk and the remote monitoring stations in the Support Services Division and Director's office, or include the ability to securely remote access all monitoring and administration functions. All stations shall be configured with Windows 10 Enterprise or equivalent. Migration and configuration to operational functionality will be completed within 45 days of the Notice to Proceed. Contractor will provide initial familiarization training in the week preceding the go-live date as well as a quarterly refresher for all users.

The scope of services includes standard warranty service to the entire ES3 including all Camera and Duress system components, i.e., control panel, electronic door locks, cameras, and electronic PIV recognition devices (wall mounted card readers) etc., within the Regional Office; immediate response to service calls; system administrative functions; and software installation to include maintaining current updates to the new software system. Initial training and online training resources along with on-call technical support are to be available by both telephone and/or email request.
The contractor that receives the award will conduct a complete site validation assessment within 10 days of the Notice to Proceed to confirm the quantities and types of readers (contactless, contactless plus keypad, etc.), servers, surveillance security cameras, network video recorder (NVR), Server Software and System Boards called for in the System Detail Document as well as the reader mounts (mullion, gang box, outdoor, etc.) and their locations. Two (2) workdays are allotted for site validation assessments at the facilities and must not interfere with normal facility operations. The site validation assessment will also cover the working rules, site access, equipment staging, special access area requirements, and other facility specific conditions under which the removal and replacement of readers, switches, server, server software and system boards will be performed. A planned date for commencement of necessary PACS system components change outs will also be established with the facility during the visit.

1. General Requirements: This section describes the general requirements for this effort. The following sub-sections provide details of various considerations on this effort.

Non-Personal Services: The Government shall neither supervise contractor employees nor control the method by which the contractor performs the required tasks. Under no circumstances shall the Government assign tasks to, or prepare work schedules for, individual contractor employees. It shall be the responsibility of the contractor to manage its employees and to guard against any actions that are of the nature of personal services or give the perception of personal services. If the contractor believes that any actions constitute, or are perceived to constitute, personal services, it shall be the contractor's responsibility to notify the Contracting Officer (CO) immediately.
1.2 Business Relations
The contractor shall successfully integrate and coordinate all activity needed to execute the requirement. The contractor shall manage the timeliness, completeness, and quality of problem identification. The contractor shall provide corrective action plans, proposal submittals, timely identification of issues, and effective management of subcontractors. The contractor shall seek to ensure customer satisfaction and professional and ethical behavior of all contractor personnel. Contractor will ensure daily/weekly communication with the project manager or COR (if one is available and/or appointed by the Contracting Officer).

1.3 Contract Administration and Management
The following subsections specify requirements for contract, management, and personnel administration.

1.4 Subcontract Management
Accomplishment of the results contained in this SOW requires work at the Bay Pines VA Regional Office, 9500 Bay Pines Blvd, Bay Pines FL, 33744. Normal workdays for the contractor will be Monday through Friday except US Federal Holidays from 6am until 6pm. Weekend and overnight work is expected in all cases where work may interfere with daily operations.

1.5 Location and Hours of Work:
Accomplishment of the results contained in this SOW requires work at the Bay Pines VA Regional Office, 9500 Bay Pines Blvd, Bay Pines FL, 33744. Normal workdays for the contractor will be Monday through Friday except US Federal Holidays from 6am until 6pm. Weekend and overnight work is expected in all cases where work may interfere with daily operations.

1.6 Business and Professional Aesthetic Appearance:
The contractor shall be responsible for always maintaining the business professional appearance of the facility. Any area visible to the public or regularly visible to employees will be returned to a business professional appearance prior to the end of work each day.

2. Requirements: The following section specifies the deliverables for the contract.
2.1 The contractor will conduct a full site validation and document existing hardware and capabilities within 10 days of the Notice to Proceed.
2.2 The contractor will provide a written report of the results of the site validation.
2.2.3 Details of any additional readers, servers, NVR, server software and system boards and/or systems discovered by location, type, and form factor, including a justification for review.
2.2.4 Initial schedule for execution of readers, server, server software and system boards change out work.
2.2.5 Listing of surveillance security cameras, camera software and NVR.
2.2.6 This report will be submitted electronically to the Contracting Officer (CO), project and station project manager. System will be maintained during the warranty period and updated as needed with service tickets during warranty period. A separate contract after the warranty expires will be solicited for maintenance and repair services.
2.2.7 This report will be included in the Post Change Out Report.
2.3 Remove physical server from VBA Network and implement stand-alone network within 45 days of acceptance of the site validation and schedule.
2.4 Server will remain physically located in its current location.
2.5 Confirm data integrity and access of all monitoring stations on stand-alone network.
2.6 Confirm connectivity to all hardware, cameras, physical duress buttons, gates, doors, elevators, and all other component devices.
2.7 Configure diagnostic reports and set schedule for periodic maintenance checks.
2.8 Replace VBA network linked equipment with stand-alone equipment.
2.9 Software implementation and configuration of single Graphical User Interface with:
2.9.1 Access to migrated data and current connectivity that meets or exceeds current capabilities, within 60 days of the Notice to Proceed.
2.9.2 All labor required to install, implement, train, and demonstrate functionality to stakeholders.
Contractor will be responsible for procuring support from existent service providers or manufacturers.
2.9.3 Technical Service Desk Support: Unlimited, Monday - Sunday, 6:00 am - 6:00 pm EST.
2.9.4 Priority support service: 4 business hour service technician response.
2.10 The contractor shall ensure and demonstrate all current capabilities and functionalities are improved or maintained without exception. The Contractor will conduct any required preventative maintenance checks and diagnostic reports with corrective actions during the warranty period after final inspection and acceptance of this system replacement project.
2.11 The contractor will maintain current device inventory and a spare parts inventory onsite with sufficient inventory for standard repair requirements to keep the system continuously operating. The contractor will verify and notify the project manager, with cc to the assigned contracting officer, of any changes during the warranty period in both inventories, as well as supply chain delays and interruptions in parts availability, if applicable.

3. Special Requirements
This section describes the special requirements for this effort. The following sub-sections provide details of various considerations on this effort.

3.1 Security and Safety
3.1.1 SECURITY - The Contractor is required to enter and exit through the front entrance. Entering or exiting the building through any other door will require VARO approval and an escort will be required. Upon entering the building, the contractor and/or contractor employees will be required to show proof of identity (must have a valid photo ID) as well as pass through a security screening. Contractor will maintain positive control over every employee and/or subcontractor onsite and provide a daily report of their names and roles to the COR via email. Any area that is not public access will require an escort.
3.1.2 SAFETY - The Contractor shall comply with all applicable Federal, State, and local legal requirements regarding workers' health and safety. The requirements include, but are not limited to, those found in Federal and State Occupational Safety and Health Act (OSHA) statutes and regulations, such as applicable provisions of Title 29, Code of Federal Regulations (CFR) Parts 1910 and 1926. Contractor is solely responsible for determining the legal requirements that apply to activities and shall ensure safe and healthful working conditions for its employees. Contractor shall comply with all applicable codes, laws, rules, regulations, and safety requirements. Erect safety barriers, signs, flagging, and devices as appropriate to warn and protect the workmen and the public. Protect the existing site and other property. Remove all demolished materials, debris, waste, and scraps. The waste materials will be disposed of in accordance with the environmental guidelines and standards of Florida. No construction materials, to include packaging materials, will be left on site.

3.2 Government Furnished Materials
The government will provide access to the CCURE 9000 PACS, Avigilon camera system, and Lynx Duress system to all contracted employees once a Non-Disclosure Agreement is in place. The government shall provide at no cost parking space and access to the VARO loading docks as necessary.

3.3 Quality
This section describes the Quality Control components for this effort. The following sub-sections provide details of various considerations on this effort.
3.3.1 The Contractor shall be responsible during the testing, diagnostic, reporting, and troubleshooting of the new system to ensure services are performed in accordance with the resultant contract from this RFQ. The Contractor shall develop and implement procedures to identify, prevent, and ensure non-recurrence of defective services.
The Contractor's responsibility includes the assurance that all work complies with the requirements of the contract.

4. VA information and information system security/privacy
VA Handbook 6500.6 Appendix A Checklist

4.1 General: Contractors, contractor personnel, subcontractors, and subcontractor personnel shall be subject to the same Federal laws, regulations, standards, and VA Directives and Handbooks as VA and VA personnel regarding information and information system security.

4.2. Access to VA information and VA information Systems

4.2.1. Technical Physical Access
A contractor/subcontractor shall request logical (technical) or physical access to VA information and VA information systems for their employees, subcontractors, and affiliates only to the extent necessary to perform the services specified in the contract.

4.2.2. Contractors, Subcontractors and Third-Party Servicers
All contractors, subcontractors, and third-party servicers and associates working with VA information are subject to the same investigative requirements as those of VA appointees or employees who have access to the same types of information. The level and process of background security investigations for contractors must be in accordance with VA Directive and Handbook 0710, Personnel Suitability and Security Program. The Office for Operations, Security, and Preparedness is responsible for these policies and procedures.

4.2.3. Security Clearance
Contract personnel who require access to national security programs must have a valid security clearance. The National Industrial Security Program (NISP) was established by Executive Order 12829 to ensure that cleared U.S. defense industry contract personnel safeguard the classified information in their possession while performing work on contracts, programs, bids, or research and development efforts. The Department of Veterans Affairs does not have a Memorandum of Agreement with Defense Security Service (DSS).
Verification of a Security Clearance must be processed through the Special Security Officer located in the Planning and National Security Service within the Office of Operations, Security, and Preparedness.

4.2.4 CONUS and UNCONUS Software:
Custom software development and outsourced operations must be located in the U.S. to the maximum extent practical. If such services are proposed to be performed abroad and are not disallowed by other VA policy or mandates, the contractor/subcontractor must state where all non-U.S. services are provided and detail a security plan, deemed to be acceptable by VA, specifically to address mitigation of the resulting problems of communication, control, data protection, and so forth. Location within the U.S. may be an evaluation factor.

4.2.5 Contractor Employee Notifications
The contractor or subcontractor must notify the Contracting Officer immediately when an employee working on a VA system or with access to VA information is reassigned or leaves the contractor's or subcontractor's employ. The Contracting Officer must also be notified immediately by the contractor or subcontractor prior to an unfriendly termination.

4.3. VA information custodial language

4.3.1 Limits
Information made available to the contractor or subcontractor by VA for the performance or administration of this contract or information developed by the Contractor/subcontractor in performance or administration of the contract shall be used only for those purposes and shall not be used in any other way without the prior written agreement of the VA. This clause expressly limits the contractor/subcontractor's rights to use data as described in Rights in Data - General, FAR 52.227-14(d)(1).

4.3.2. Information Lifecycle
VA information should not be co-mingled, if possible, with any other data on the contractor's/subcontractor's information systems or media storage systems in order to ensure VA requirements related to data protection and media sanitization can be met.
If co-mingling must be allowed to meet the requirements of the business need, the contractor must ensure that VA's information is returned to the VA or destroyed in accordance with VA's sanitization requirements. VA reserves the right to conduct onsite inspections of contractor and subcontractor IT resources to ensure data security controls, separation of data and job duties, and destruction/media sanitization procedures are in compliance with VA directive requirements.

4.3.3. Close-out
Prior to termination or completion of this contract, contractor/subcontractor must not destroy information received from VA, or gathered/created by the contractor in the course of performing this contract, without prior written approval by the VA. Any data destruction done on behalf of VA by a contractor/subcontractor must be done in accordance with National Archives and Records Administration (NARA) requirements as outlined in VA Directive 6300, Records and Information Management, and its Handbook 6300.1, Records Management Procedures, applicable VA Records Control Schedules, and VA Handbook 6500.1, Electronic Media Sanitization. Self-certification by the contractor that the data destruction requirements above have been met must be sent to the VA Contracting Officer within 30 days of termination of the contract.

4.3.4. Storage
The contractor/subcontractor must receive, gather, store, back up, maintain, use, disclose and dispose of VA information only in compliance with the terms of the contract and applicable Federal and VA information confidentiality and security laws, regulations, and policies.
If Federal or VA information confidentiality and security laws, regulations and policies become applicable to the VA information or information systems after execution of the contract, or if NIST issues or updates applicable FIPS or Special Publications (SP) after execution of this contract, the parties agree to negotiate in good faith to implement the information confidentiality and security laws, regulations, and policies in this contract.

4.3.5. Replication
The contractor/subcontractor shall not make copies of VA information except as authorized and necessary to perform the terms of the agreement or to preserve electronic information stored on contractor/subcontractor electronic storage media for restoration in case any electronic equipment or data used by the contractor/subcontractor needs to be restored to an operating state. If copies are made for restoration purposes, after the restoration is complete, the copies must be appropriately destroyed.

4.3.6. Violation
If VA determines that the contractor has violated any of the information confidentiality, privacy, and security provisions of the contract, it shall be sufficient grounds for VA to withhold payment to the contractor or third party or terminate the contract for default or terminate for cause under Federal Acquisition Regulation (FAR) part 12. If a VHA contract is terminated for cause, the associated BAA must also be terminated and appropriate actions taken in accordance with VHA Handbook 1600.01, Business Associate Agreements. Absent an agreement to use or disclose protected health information, there is no business associate relationship.

4.3.7. FIPS 140-2
The contractor/subcontractor must store, transport, or transmit VA sensitive information in an encrypted form, using VA-approved encryption tools that are, at a minimum, FIPS 140-2 validated.

4.3.8.
Minimum requirements
The contractor's/subcontractor's firewall and Web services security controls, if applicable, shall meet or exceed VA's minimum requirements. VA Configuration Guidelines are available upon request.

4.3.9. Authorizations
Except for uses and disclosures of VA information authorized by this contract for performance of the contract, the contractor/subcontractor may use and disclose VA information only in two other situations:
4.3.9.1. In response to a qualifying order of a court of competent jurisdiction, or
4.3.9.2. With VA's prior written approval.
The contractor/subcontractor must refer all requests for, demands for production of, or inquiries about, VA information and information systems to the VA contracting officer for response.

4.3.10. Title 38
Notwithstanding the provision above, the contractor/subcontractor shall not release VA records protected by Title 38 U.S.C. 5705, confidentiality of medical quality assurance records, and/or Title 38 U.S.C. 7332, confidentiality of certain health records pertaining to drug addiction, sickle cell anemia, alcoholism or alcohol abuse, or infection with human immunodeficiency virus. If the contractor/subcontractor is in receipt of a court order or other requests for the above-mentioned information, that contractor/subcontractor shall immediately refer such court orders or other requests to the VA contracting officer for response.

4.3.11 For service that involves the storage, generating, transmitting, or exchanging of VA sensitive information but does not require C&A or an MOU-ISA for system interconnection, the contractor/subcontractor must complete a Contractor Security Control Assessment (CSCA) on a yearly basis and provide it to the Contracting Officer and project manager/Representative (COR).

5.
Information system hosting, operation, maintenance, or use VA Handbook

5.1 Information Systems
For information systems that are hosted, operated, maintained, or used on behalf of VA at non-VA facilities, contractors/subcontractors are fully responsible and accountable for ensuring compliance with all HIPAA, Privacy Act, FISMA, NIST, FIPS, and VA security and privacy directives and handbooks. This includes conducting compliant risk assessments, routine vulnerability scanning, system patching and change management procedures, and the completion of an acceptable contingency plan for each system. The contractor's security control procedures must be equivalent to those procedures used to secure VA systems. A Privacy Impact Assessment (PIA) must also be provided to the COR and approved by VA Privacy Service prior to operational approval. All external Internet connections to VA's network involving VA information must be reviewed and approved by VA prior to implementation.

5.2 Adequate security controls for collecting, processing, transmitting, and storing of Personally Identifiable Information (PII), as determined by the VA Privacy Service, must be in place, tested, and approved by VA prior to hosting, operation, maintenance, or use of the information system, or systems by or on behalf of VA. These security controls are to be assessed and stated within the PIA and if these controls are determined not to be in place, or inadequate, a Plan of Action and Milestones (POA&M) must be submitted and approved prior to the collection of PII.

5.3 Outsourcing
Outsourcing (contractor facility, contractor equipment or contractor staff) of systems or network operations, telecommunications services, or other managed services requires certification and accreditation (authorization) (C&A) of the contractor's systems in accordance with VA Handbook 6500.3, Certification and Accreditation, and/or the VA OCS Certification Program Office.
Government-owned (government facility or government equipment) contractor-operated systems, third party or business partner networks require memorandums of understanding and interconnection agreements (MOU-ISA) which detail what data types are shared, who has access, and the appropriate level of security controls for all systems connected to VA networks.

5.4. The contractor's/subcontractor's system must adhere to all FISMA, FIPS, and NIST standards related to the annual FISMA security controls assessment and review and update the PIA. Any deficiencies noted during this assessment must be provided to the VA contracting officer and the ISO for entry into VA's POA&M management process. The contractor/subcontractor must use VA's POA&M process to document planned remedial actions to address any deficiencies in information security policies, procedures, and practices, and the completion of those activities. Security deficiencies must be corrected within the timeframes approved by the government. Contractor/subcontractor procedures are subject to periodic, unannounced assessments by VA officials, including the VA Office of Inspector General. The physical security aspects associated with contractor/subcontractor activities must also be subject to such assessments. If major changes to the system occur that may affect the privacy or security of the data or the system, the C&A of the system may need to be reviewed, retested and re-authorized per VA Handbook 6500.3. This may require reviewing and updating all of the documentation (PIA, System Security Plan, Contingency Plan). The Certification Program Office can provide guidance on whether a new C&A would be necessary.

5.5 The contractor/subcontractor must conduct a self-assessment on all systems and outsourced services as required. Both hard copy and electronic copies of the assessment must be provided to the COR.
The government reserves the right to conduct such an assessment using government personnel or another contractor/subcontractor. The contractor/subcontractor must take appropriate and timely action (this can be specified in the contract) to correct or mitigate any weaknesses discovered during such testing, generally at no additional cost.

5.6 VA prohibits the installation and use of personally owned or contractor/subcontractor owned equipment or software on VA's network. If non-VA owned equipment must be used to fulfill the requirements of a contract, it must be stated in the service agreement, SOW, or contract. All the security controls required for government furnished equipment (GFE) must be utilized in approved other equipment (OE) and must be funded by the owner of the equipment. All remote systems must be equipped with, and use, a VA-approved antivirus (AV) software and a personal (host-based or enclave based) firewall that is configured with a VA approved configuration. Software must be kept current, including all critical updates and patches.
Owners of approved OE are responsible for providing and maintaining the anti-viral software and the firewall on the non-VA owned OE.

5.7 All electronic storage media used on non-VA leased or non-VA owned IT equipment that is used to store, process, or access VA information must be handled in adherence with VA Handbook 6500.1, Electronic Media Sanitization upon: (i) completion or termination of the contract or (ii) disposal or return of the IT equipment by the contractor/subcontractor or any person acting on behalf of the contractor/subcontractor, whichever is earlier. Media (hard drives, optical disks, CDs, back-up tapes, etc.) used by the contractors/subcontractors that contain VA information must be returned to the VA for sanitization or destruction or the contractor/subcontractor must self-certify that the media has been disposed of per 6500.1 requirements. This must be completed within 30 days of termination of the contract.

6. Security incident investigation VA Handbook 6500.6 Appendix A Checklist

6.1. The term "security incident" means an event that has, or could have, resulted in unauthorized access to, loss or damage to VA assets, or sensitive information, or an action that breaches VA security procedures. The contractor/subcontractor shall immediately notify the COR and simultaneously, the designated ISO and Privacy Officer for the contract of any known or suspected security/privacy incidents, or any unauthorized disclosure of sensitive information, including that contained in system(s) to which the contractor/subcontractor has access.

6.2 To the extent known by the contractor/subcontractor, the contractor/subcontractor's notice to VA shall identify the information involved, the circumstances surrounding the incident (including to whom, how, when, and where the VA information or assets were placed at risk or compromised), and any other information that the contractor/subcontractor considers relevant.
6.3 With respect to unsecured protected health information, the business associate is deemed to have discovered a data breach when the business associate knew or should have known of a breach of such information. Upon discovery, the business associate must notify the covered entity of the breach. Notifications need to be made in accordance with the executed business associate agreement.

6.4 In instances of theft or break-in or other criminal activity, the contractor/subcontractor must concurrently report the incident to the appropriate law enforcement entity (or entities) of jurisdiction, including the VA OIG and Security and Law Enforcement. The contractor, its employees, and its subcontractors and their employees shall cooperate with VA and any law enforcement authority responsible for the investigation and prosecution of any possible criminal law violation(s) associated with any incident. The contractor/subcontractor shall cooperate with VA in any civil litigation to recover VA information, obtain monetary or other compensation from a third party for damages arising from any incident, or obtain injunctive relief against any third party arising from, or related to, the incident.

7. Liquidated Damages for data breach

7.1. Consistent with the requirements of 38 U.S.C. 5725, a contract may require access to sensitive personal information. If so, the contractor is liable to VA for liquidated damages in the event of a data breach or privacy incident involving any SPI the contractor/subcontractor processes or maintains under this contract.

7.2 The contractor/subcontractor shall provide notice to VA of a "security incident" as set forth in the Security Incident Investigation section above.
Upon such notification, VA must secure from a non-Department entity or the VA Office of Inspector General an independent risk analysis of the data breach to determine the level of risk associated with the data breach for the potential misuse of any sensitive personal information involved in the data breach. The term 'data breach' means the loss, theft, or other unauthorized access, or any access other than that incidental to the scope of employment, to data containing sensitive personal information, in electronic or printed form, that results in the potential compromise of the confidentiality or integrity of the data. Contractor shall fully cooperate with the entity performing the risk analysis. Failure to cooperate may be deemed a material breach and grounds for contract termination.

7.3 Each risk analysis shall address all relevant information concerning the data breach, including the following:
7.3.1. Nature of the event (loss, theft, unauthorized access)
7.3.2. Description of the event, including:
7.3.2.1. date of occurrence;
7.3.2.2. data elements involved, including any PII, such as full name, social security number, date of birth, home address, account number, disability code;
7.3.3. Number of individuals affected or potentially affected;
7.3.4. Names of individuals or groups affected or potentially affected;
7.3.5. Ease of logical data access to the lost, stolen or improperly accessed data in light of the degree of protection for the data, e.g., unencrypted, plain text;
7.3.6. Amount of time the data has been out of VA control;
7.3.7. The likelihood that the sensitive personal information will or has been compromised (made accessible to and usable by unauthorized persons);
7.3.8. Known misuses of data containing sensitive personal information, if any;
7.3.9. Assessment of the potential harm to the affected individuals.
7.3.10. Data breach analysis as outlined in 6500.2 Handbook, Management of Security and Privacy Incidents, as appropriate;
7.3.11.
Whether credit protection services may assist record subjects in avoiding or mitigating the results of identity theft based on the sensitive personal information that may have been compromised.

7.4 Based on the determinations of the independent risk analysis, the contractor shall be responsible for paying to the VA liquidated damages in the amount of $37.50 per affected individual to cover the cost of providing credit protection services to affected individuals consisting of the following:
7.4.1. Notification.
7.4.2. One year of credit monitoring services consisting of automatic daily monitoring of at least 3 relevant credit bureau reports;
7.4.3. Data breach analysis;
7.4.4. Fraud resolution services, including writing dispute letters, initiating fraud alerts and credit freezes, to assist affected individuals to bring matters to resolution;
7.4.5. One year of identity theft insurance with $20,000.00 coverage at $0 deductible;
7.4.6. Necessary legal expenses the subjects may incur to repair falsified or damaged credit records, histories or financial

8. SECURITY CONTROLS COMPLIANCE TESTING On a periodic basis, VA, including the Office of Inspector General, reserves the right to evaluate any or all of the security controls and privacy practices implemented by the contractor under the clauses contained within the contract. With 10 working-days' notice, at the request of the government, the contractor must fully cooperate and assist in a government-sponsored security controls assessment at each location wherein VA information is processed or stored, or information systems are developed, operated, maintained, or used on behalf of VA, including those initiated by the Office of Inspector General. The government may conduct a security control assessment on shorter notice (to include unannounced assessments) as determined by VA in the event of a security incident or at any other time.

Period of Performance: 120 Days ARO. FOB Destination.
FAR 52.212-1, Instructions to Offerors Commercial Items (NOV 2021), applies to this solicitation. The following provisions and clauses are added as addenda: FAR 52.252-1 Solicitation Provisions Incorporated By Reference (FEB 1998)

FAR 52.212-2 Evaluation Commercial Items (NOV 2021), applies to this solicitation. Offers will be evaluated on 1. Technical 2. Past Performance 3. Price. Technical & Past Performance when combined is more important than price.

FAR 52.212-3 Offeror Representations and Certifications Commercial Items (MAY 2022) applies to this solicitation. Offerors shall submit a completed copy of FAR 52.212-3 with its Offer.

FAR 52.212-4, Contract Terms and Conditions Commercial Items (NOV 2021) applies to this solicitation. The following provisions and clauses are added as addenda:

FAR 52.252-2, Clauses Incorporated By Reference (FEB 1998) This contract incorporates one or more clauses by reference, with the same force and effect as if they were given in full text. Upon request, the Contracting Officer will make their full text available. Also, the full text of a clause may be accessed electronically at this/these address(es):
https://www.acquisition.gov/browse/index/far
https://www.va.gov/oal/library/vaam/index.asp

52.204-9 Personal Identity Verification of Contractor Personnel (JAN 2011)
52.204-13 SYSTEM FOR AWARD MANAGEMENT MAINTENANCE (OCT 2018)
52.209-6 Protecting the Government's Interest When Subcontracting with Contractors Debarred, Suspended, or Proposed for Debarment (NOV 2021)
52.222-19 Child Labor-Cooperation with Authorities & Remedies (JAN 2022)

The Government will take no action to enforce the clause implementing requirements of Executive Order 14042, absent further written notice from the contracting officer, where the place of performance identified in the contract is in a U.S.
state or outlying area subject to a court order prohibiting the application of requirements pursuant to the Executive Order (hereinafter, "Excluded State or Outlying Area"). In all other circumstances, the Government will enforce the clause, except for contractor employees who perform substantial work on or in connection with a covered contract in an Excluded State or Outlying Area, or in a covered contractor workplace located in an Excluded State or Outlying Area. A current list of such Excluded States and Outlying Areas is maintained at Safer Federal Workforce for Federal Contractors.

52.225-3 Buy American-Free Trade agreements-Israeli Trade Act Alternate II (NOV 2021)

52.228-5 Insurance Work on a Government Installation (JAN 1997)

(a) The Contractor shall, at its own expense, provide and maintain during the entire performance of this contract, at least the kinds and minimum amounts of insurance required in the Schedule or elsewhere in the contract.

(b) Before commencing work under this contract, the Contractor shall notify the Contracting Officer in writing that the required insurance has been obtained. The policies evidencing required insurance shall contain an endorsement to the effect that any cancellation or any material change adversely affecting the Government's interest shall not be effective-
(1) For such period as the laws of the State in which this contract is to be performed prescribe; or
(2) Until 30 days after the insurer or the Contractor gives written notice to the Contracting Officer, whichever period is longer.
(c) The Contractor shall insert the substance of this clause, including this paragraph (c), in subcontracts under this contract that require work on a Government installation and shall require subcontractors to provide and maintain the insurance required in the Schedule or elsewhere in the contract. The Contractor shall maintain a copy of all subcontractors' proofs of required insurance, and shall make copies available to the Contracting Officer upon request. (End of clause)

52.232-18 Availability of Funds (APR 1984)
52.232-23 Assignment of Claims (MAY 2014)
52.232-39 Unenforceability of Unauthorized Obligations (JUN 2013)
52.232-40 Providing Accelerated Payments to Small Business Subcontractors (NOV 2021)
52.233-1 Disputes (MAY 2014)
52.233-4 Applicable Law for Breach of Contract Claims (OCT 2004)
52.237-2 Protection of Government Buildings, Equipment and Vegetation (APR 1984)

VAAR 852.212-70 Provisions and Clauses Applicable to VA Acquisition of Commercial Items (APR 2020)

(a) The Contractor agrees to comply with any provision or clause that is incorporated herein by reference to implement agency policy applicable to acquisition of commercial items or components. The following provisions and clauses that have been checked by the Contracting Officer are incorporated by reference.
_X_ 852.203-70, Commercial Advertising.
___ 852.209-70, Organizational Conflicts of Interest.
_X_ 852.211-70, Equipment Operation and Maintenance Manuals.
___ 852.214-71, Restrictions on Alternate Item(s).
___ 852.214-72, Alternate Item(s). [Note: this is a fillable clause.]
___ 852.214-73, Alternate Packaging and Packing.
___ 852.214-74, Marking of Bid Samples.
___ 852.215-70, Service-Disabled Veteran-Owned and Veteran-Owned Small Business Evaluation Factors.
___ 852.215-71, Evaluation Factor Commitments.
___ 852.216-71, Economic Price Adjustment of Contract Price(s) Based on a Price Index.
___ 852.216-72, Proportional Economic Price Adjustment of Contract Price(s) Based on a Price Index.
___ 852.216-73, Economic Price Adjustment State Nursing Home Care for Veterans.
___ 852.216-74, Economic Price Adjustment Medicaid Labor Rates.
___ 852.216-75, Economic Price Adjustment Fuel Surcharge.
___ 852.219-9, VA Small Business Subcontracting Plan Minimum Requirements.
_X_ 852.219-10, VA Notice of Total Service-Disabled Veteran-Owned Small Business Set-Aside.
___ 852.219-11, VA Notice of Total Veteran-Owned Small Business Set-Aside.
_X_ 852.219-77, VA Notice of Limitation on Subcontracting- Certificate of Compliance for Services and Construction (SEP 2021) (Deviation)
___ 852.222-70, Contract Work Hours and Safety Standards Nursing Home Care for Veterans.
___ 852.228-70, Bond Premium Adjustment.
___ 852.228-71, Indemnification and Insurance.
___ 852.228-72, Assisting Service-Disabled Veteran-Owned and Veteran-Owned Small Businesses in Obtaining Bonds.
_X_ 852.232-72, Electronic Submission of Payment Requests.
___ 852.233-70, Protest Content/Alternative Dispute Resolution.
___ 852.233-71, Alternate Protest Procedure.
___ 852.237-70, Indemnification and Medical Liability Insurance.
___ 852.246-71, Rejected Goods.
___ 852.246-72, Frozen Processed Foods.
___ 852.246-73, Noncompliance with Packaging, Packing, and/or Marking Requirements.
_X_ 852.270-1, Representatives of Contracting Officers.
___ 852.271-72, Time Spent by Counselee in Counseling Process.
___ 852.271-73, Use and Publication of Counseling Results.
___ 852.271-74, Inspection.
___ 852.271-75, Extension of Contract Period.
___ 852.273-70, Late Offers.
___ 852.273-71, Alternative Negotiation Techniques.
___ 852.273-72, Alternative Evaluation.
___ 852.273-73, Evaluation Health-Care Resources.
_X_ 852.273-74, Award without Exchanges.
(End of clause)

VAAR 852.273-74 Award Without Exchanges (NOV 2021) The Government intends to evaluate proposals and award a contract without exchanges with offerors. Therefore, each initial offer should contain the offeror's best terms from a cost or price and technical standpoint. However, the Government reserves the right to conduct exchanges if later determined by the contracting officer to be necessary. (End of provision)

VAAR 852.219-74 Limitations on Subcontracting (JUL 2018) (DEVIATION) This solicitation includes VAAR 852.219-10 VA Notice of Total Service-Disabled Veteran-Owned Small Business Set-Aside

(b) Accordingly, any contract resulting from this solicitation is subject to the limitation on subcontracting requirements in 13 CFR 125.6. The Contractor is advised that in performing contract administration functions, the Contracting Officer may use the services of a support contractor(s) retained by VA to assist in assessing the Contractor's compliance with the limitations on subcontracting or percentage of work performance requirements specified in the clause. To that end, the support contractor(s) may require access to Contractor's offices where the Contractor's business records, or other proprietary data are retained and to review such business records regarding the Contractor's compliance with this requirement.

(c) All support contractors conducting this review on behalf of VA will be required to sign an Information Protection and Non-Disclosure and Disclosure of Conflicts of Interest Agreement to ensure the Contractor's business records or other proprietary data reviewed or obtained in the course of assisting the Contracting Officer in assessing the Contractor for compliance are protected to ensure information or data is not improperly disclosed or other impropriety occurs.
(d) Furthermore, if VA determines any services the support contractor(s) will perform in assessing compliance are advisory and assistance services as defined in FAR 2.101, Definitions, the support contractor(s) must also enter into an agreement with the Contractor to protect proprietary information as required by FAR 9.505-4, Obtaining access to proprietary information, paragraph (b). The Contractor is required to cooperate fully and make available any records as may be required to enable the Contracting Officer to assess the Contractor's compliance with the limitations on subcontracting or percentage of work performance requirement. (End of clause)

VAAR 852.219-77 VA NOTICE OF LIMITATIONS ON SUBCONTRACTING CERTIFICATE OF COMPLIANCE FOR SERVICES AND CONSTRUCTION (SEP 2021) (DEVIATION)

(a) Pursuant to 38 U.S.C. 8127(k)(2), the offeror certifies that

(1) If awarded a contract (see FAR 2.101 definition), it will comply with the limitations on subcontracting requirement as provided in the solicitation and the resultant contract, as follows: [Contracting Officer check the appropriate box below based on the predominant NAICS code assigned to the instant acquisition as set forth in FAR 19.102.]

(i) [ ] Services. In the case of a contract for services (except construction), the contractor will not pay more than 50% of the amount paid by the government to it to firms that are not VIP-listed SDVOSBs as set forth in 852.219-10 or VOSBs as set forth in 852.219-11. Any work that a similarly situated VIP-listed subcontractor further subcontracts will count towards the 50% subcontract amount that cannot be exceeded. Other direct costs may be excluded to the extent they are not the principal purpose of the acquisition and small business concerns do not provide the service as set forth in 13 CFR 125.6.

(ii) [ ] General construction.
In the case of a contract for general construction, the contractor will not pay more than 85% of the amount paid by the government to it to firms that are not VIP-listed SDVOSBs as set forth in 852.219-10 or VOSBs as set forth in 852.219-11. Any work that a similarly situated VIP-listed subcontractor further subcontracts will count towards the 85% subcontract amount that cannot be exceeded. Cost of materials are excluded and not considered to be subcontracted.

(iii) Special trade construction contractors. In the case of a contract for special trade contractors, the contractor will not pay more than 75% of the amount paid by the government to it to firms that are not VIP-listed SDVOSBs as set forth in 852.219-10 or VOSBs as set forth in 852.219-11. Any work that a similarly situated subcontractor further subcontracts will count towards the 75% subcontract amount that cannot be exceeded. Cost of materials are excluded and not considered to be subcontracted.

(2) The offeror acknowledges that this certification concerns a matter within the jurisdiction of an Agency of the United States. The offeror further acknowledges that this certification is subject to Title 18, United States Code, Section 1001, and, as such, a false, fictitious, or fraudulent certification may render the offeror subject to criminal, civil, or administrative penalties, including prosecution.

(3) If VA determines that an SDVOSB/VOSB awarded a contract pursuant to 38 U.S.C. 8127 did not act in good faith, such SDVOSB/VOSB shall be subject to any or all of the following:
(i) Referral to the VA Suspension and Debarment Committee;
(ii) A fine under section 16(g)(1) of the Small Business Act (15 U.S.C. 645(g)(1)); and
(iii) Prosecution for violating section 1001 of title 18.
(b) The offeror represents and understands that by submission of its offer and award of a contract it may be required to provide copies of documents or records to VA that VA may review to determine whether the offeror complied with the limitations on subcontracting requirement specified in the contract. The Contracting Officer may, at their discretion, require the Contractor to demonstrate its compliance with the limitations on subcontracting at any time during performance and upon completion of a contract if the information regarding such compliance is not already available to the Contracting Officer. Evidence of compliance includes, but is not limited to, invoices, copies of subcontracts, or a list of the value of tasks performed.

(c) The offeror further agrees to cooperate fully and make available any documents or records as may be required to enable VA to determine compliance with the limitations on subcontracting requirement. The offeror understands that failure to provide documents as requested by VA may result in remedial action as the Government deems appropriate.

(d) Offeror completed certification/fill-in required. The formal certification must be completed, signed, and returned with the offeror's bid, quotation, or proposal. The Government will not consider offers for award from offerors that do not provide the certification, and all such responses will be deemed ineligible for evaluation and award.

Certification: I hereby certify that if awarded the contract, [insert name of offeror] will comply with the limitations on subcontracting specified in this clause and in the resultant contract. I further certify that I am authorized to execute this certification on behalf of [insert name of offeror].
Printed Name of Signee: _________________________________
Printed Title of Signee: ________________________________
Signature: ______________________________________________
Date: ___________________________________________________
Company Name and Address: _______________________________
_________________________________________________________
(End of clause)

52.212-5, Terms and Conditions Required to Implement Executive Orders Commercial Items (MAY 2022), applies to this solicitation. The following provisions and clauses are selected as appropriate to this solicitation:

Paragraph b clauses applicable:
(4) 52.204-10 Reporting Executive Compensation & First Tier Subcontracting Awards (JUN 2020)
(8) 52.209-6 Protecting the Government's Interest When Subcontracting With Contractors Debarred, Suspended, or Proposed for Debarment (NOV 2021) (31 USC 6101)
(9) 52.209-9 Update of Publicly Available Information Regarding Responsibility Matters (OCT 2018) (41 USC 2313)
(22) 52.219-28 Post-Award Small Business Program Representation (SEP 2021)
(27) 52.222-3 Convict Labor (JUN 2003) (E.O. 11755)
(28) 52.222-19 Child Labor-Cooperation with Authorities & Remedies (JAN 2022)
(29) 52.222-21 Prohibition of Segregated Facilities (APR 2015)
(30) 52.222-26 Equal Opportunity (SEP 2016) (E.O.
11246)
(32) 52.222-36 Equal Opportunity for Workers with Disabilities (JUN 2020)
(35) 52.222-50 Combating Trafficking in Persons (NOV 2021)
(44) 52.223-18 Encouraging Contractor Policies to Ban Text Messaging While Driving (JUN 2020)
(51) 52.225-13 Restrictions on Certain Foreign Purchases (JUN 2008)
(58) 52.232-33 Payment by Electronic Funds Transfer System for Award Management (OCT 2018)
(1) 52.222-41 Service Contract Labor Standards (AUG 2018)
(2) 52.222-42 Statement of Equivalent Rates for Federal Hires (MAY 2014) (THIS IS NOT A WAGE DETERMINATION)

EMPLOYEE CLASS                      WAGE + FRINGE BENEFITS
23160 Electrician maintenance       $23.05
23370 General Maintenance Worker    $17.91

(8) 52.222-55 Minimum Wages Under Executive Order 13658 (JAN 2022)
(9) 52.222-62 Paid Sick Leave Under Executive Order 13706 (JAN 2022)
N/A N/A

Offers are due not later than 16 September 2022 5:00 PM Eastern. Offers must be submitted electronically (email) to raymond.tracey@va.gov. For additional information, please contact the Contracting Officer, Raymond S. Tracey, by e-mail to raymond.tracey@va.gov.