This Sources Sought Notice is for planning purposes only and shall not be considered as an invitation for bid, request for quotation, request for proposal, or as an obligation on the part of the Government to acquire any products or services. Your response to this Sources Sought Notice will be treated as information only. No entitlement to payment of direct or indirect costs or charges by the Government will arise because of contractor submission of responses to this announcement or the Government use of such information. This request does not constitute a solicitation for proposals or the authority to enter negotiations to award a contract. No funds have been authorized, appropriated, or received for this effort. The information provided may be used by the Department of Veterans Affairs in developing its acquisition approach, statement of work/statement of objectives and performance specifications. Interested parties are responsible for adequately marking proprietary or competition sensitive information contained in their response. The Government does not intend to award a contract based on this Sources Sought Notice or to otherwise pay for the information submitted in response to this Sources Sought Notice. The purpose of this sources sought announcement is for market research to make appropriate acquisition decisions and to gain knowledge of potential qualified Service-Disabled Veteran Owned Small Businesses, Veteran Owned Small Businesses, 8(a), HubZone and other Small Businesses interested and capable of providing the services described below. Documentation of technical expertise must be presented in sufficient detail for the Government to determine that your company possesses the necessary functional area expertise and experience to compete for this acquisition. Responses to this notice shall include the following responses for all the questions or requests (a) thru (s) in order to be considered for this acquisition: (a) Company Name _______________________________________________ (b) Address_______________________________________________________ (c) Point of Contact ________________________________________________ (d) Phone, Fax, and Email____________________________________________ (e) UEI number ____________________________________________________ (f) Cage Code_________________________________________________________ (g) Tax ID Number ________________________________________________________ (h) Please indicate the size status and representations of your business, such as but not limited to: Service-Disabled Veteran Owned Small Business (SDVOSB)_____________________ Veteran Owned Small Business (VOSB)_______________________ Hubzone________________________________ Woman Owned Small Business (WOSB)___________________________ Large Business___________________________________ Is your company considered small under the NAICS code identified under this SSN/RFI? Yes______ No________ (j) Are you the manufacturer, distributor, or an equivalent solution to the items being referenced above? Yes______ No________ (k) If you are a large business, do you have any designated distributors? If so, please provide their company name, telephone, point of contact. Designated Distributors Company POC Phone Email (l) If you re a small business and you are an authorized distributor/reseller for the items identified above or an equivalent solution, do you alter; assemble; modify; the items requested in any way? Yes______ No________ If you do, state how and what is altered; assembled; modified? Response:_____________________________________________________________________ (m) If you intend to subcontract any work on this contract, what portion of the total cost will be self-performed/will be performed by your organization? Subcontract Yes______ No________ Portion of Total Cost:_______________________ Please provide estimated detailed percentage breakdowns related to subcontracted work. Response:_________________________________________________________________ __________________________________________________________________________ (n) Does your company have an FSS contract with GSA or the NAC or are you a contract holder with NASA SEWP or any other federal contract? If so, please provide the contract number. Yes______ No________ Contract #_________________________________ (o) If you are an FSS GSA/NAC or NASA SEWP contract holder or other federal contract holder, are the items/solution you are providing information for available on your schedule/contract? Yes______ No________ (p) Please provide general pricing of your products/service for market research purposes. Product/Service Unit Unit Price Amount Important (s) Must provide a statement of capability that clearly addresses the organization s qualifications and ability to perform as a contractor for the work described below. STATEMENT OF WORK VISN 15 Lenalidomide Procurement December 2025 REQUIREMENT The VA Heartland Health Care Network (VISN15) VAMC facilities listed below require procurement of generic Lenalidomide. This medication is necessary to provide treatments to Veterans diagnosed with specific medical conditions. This contract will be a firm-fixed price, Indefinite Delivery Indefinite Quantity (IDIQ) contract. BACKGROUND: The VISN 15 facilities pharmacies requires services for procurement of generic lenalidomide manufactured by Exelan and dispensed by Biologics by McKesson. Lenalidomide is an antineoplastic agent commonly used to treat types of leukemia, lymphoma, and myeloma. Additionally, lenalidomide is part of the Risk Evaluation and Mitigation Strategies (REMS) drug safety program due to the embryo-fetal risk associated with its use. Due to the nature of use of lenalidomide and requirements of the REMS program, the medication is generally dispensed monthly as prescribed for each patient s 28-day treatment cycle by a REMS certified specialty pharmacy. Therefore, management of monthly therapy is a closely monitored collaborative effort between the VISN 15 facilities Oncology teams and Pharmacies Procurement teams who currently manage around 55-97 patients per month. Previously, VISN 15 patients received brand name lenalidomide (Revlimid) therapy through McKesson s specialty pharmacy, CoverMyMeds, as part of the VA specialty distribution medication process. Specifically, the specialty distribution medication process allowed for treatment management and prescribing by the VISN 15 Oncology teams, but REMS requirements and medication dispensing were completed by the REMS certified specialty pharmacy, CoverMyMeds. Additionally, billing for each prescription occurred through each facilities McKesson Specialty Distribution Accounts and McKesson Fast Pay system. However, the branded product, Revlimid, dispensed by CoverMyMeds, will no longer be billed through the McKesson Fast Pay system at some point during January 2026, although the exact date is unknown. Additionally, the use of Exelan s generic lenalidomide was expanded for use to all VISNs effective 10/1/25 for dispensing by Biologics by McKesson, a different REMS certified specialty pharmacy. Exelan is the only supplier of the more cost-effective generic version of the medication. PERIOD OF PERFORMANCE This contract is an emergent request for a one base year. The period of performance shall begin January 1, 2026 and continue until December 31, 2026 with no option years. PLACES OF PERFORMANCE Facility Name Address VISN 15 589 Kansas City, MO 4801 E. Linwood Blvd. Kansas City, MO 64128 VISN 15 589A4 Columbia, MO 800 Hospital Drive Columbia, MO 65201 VISN 15 589A5 Topeka, KS 2200 SW Gage Blvd. Topeka, KS 66622 VISN 15 589A6 Leavenworth, KS 4101 4th St. Trafficway Leavenworth, KS 66048 VISN 15 589A7 Wichita, KS 5500 E. Kellogg Drive Wichita, KS 67218 VISN 15 657 St. Louis, MO J. Cochran 915 N. Grand Blvd. St. Louis, MO 63106 VISN 15 657A0 St. Louis, MO J. Barracks 1 Jefferson Barracks Dr. St. Louis, MO 63125 VISN 15 657A4 Poplar Bluff, MO 1500 N. Westwood Blvd. Poplar Bluff, MO 63901 VISN 15 657GH Cape Girardeau, MO 711 S. Mount Auburn Rd. Cape Girardeau, MO 63701 VISN 15 657A5 Marion, IL 2401 West Main Street Marion, IL 62959 VISN 15 657GJ Evansville IN 6211 East Waterford Blvd. Evansville, IN 47715 PERFORMANCE REQUIREMENTS: The VA Heartland Health Care Network (VISN 15) requires a VISN-wide IDIQ contract for procurement of generic lenalidomide. All orders will be supplied by a REMS certified specialty clinic and based on patient specific orders, in accordance with federal, state and local laws and any regulatory and accrediting bodies. Additionally, the vendor shall provide all delivery and handling of materials and supplies to ensure appropriate storage conditions are maintained during shipment. Vendor shall provide lenalidomide therapy per prescription, manage all REMS requirements as the authorized specialty pharmacy, and dispense the medication directly to the patient or the VISN 15 facility pharmacy as requested on the prescription on a patient-to-patient basis. PRESCRIPTION ORDERS: VA Prescription orders and REMS documentation will be submitted via secure network or encrypted fax. Once submitted, VA staff will confirm receipt of order with vendor by phone or email. Each order will include the following patient information: Patient name Patient address Patient phone number Patient email address Patient preferred language Gender Date of birth Diagnosis Allergies Current medications Check box for direct delivery to patient (preferred). If unable to ship to patient, product will be shipped to the VA Pharmacy. Each order will include the following VA pharmacy information: Pharmacy name Purchase order number Address DEA number VISN number Method of payments Primary clinical contact name and contact information Secondary clinical contact name and contact information Primary purchasing contact name and contact information Secondary purchasing contact name and contact information Each order will include the following prescriber information: Prescriber name Prescriber s license number Prescriber s NPI number Supervising physician s name (if applicable) Supervising physician s license number (if applicable) Supervising physician s NPI number (if applicable) Address Each order will include the following Patient Type From the Patient-Physician Agreement Form (PPAF): Check box for Adult Female Not of Reproductive Potential Check box for Female Child Not of Reproductive Potential Check box for Adult Female Reproductive Potential Check box for Female Child Reproductive Potential Check box for Adult Male Check box for Male Child Each order will include the following prescription information: Check box for strength of lenalidomide capsule (i.e., 2.5mg, 5mg, 10mg, 15mg, 20mg, or 25mg) Directions for use (i.e., Sig), which must include frequency (e.g., once daily, every other day, etc.) and complete cycle (e.g., 21 day on, 7 days off OR days 1-21 for a 28-day cycle) Quantity (i.e., number of capsules to be dispensed) Max quantity 28 day supply No refills permitted Authorization number Date Prescriber signature (dispense as written) with date OR Prescriber signature (substitution permissible) with date Revlimid cannot be written and signed as dispense as written (DAW) or else the pharmacy cannot dispense generic lenalidomide. Completed VA Patient Prescription Forms for Lenalidomide (Exelan Pharma Product Only) will be sent by VISN 15 facilities Oncology Nurse Navigators or Outpatient Pharmacy Staff (i.e., for community care authorized patients) to VISN 15 Pharmacy Procurement teams by encrypted email or Pharmacy Leaf Request. Once submitted, Vendor will contact the patient and schedule delivery. VA Pharmacy Staff will receive confirmation of shipping from the Vendor via encrypted fax. VA Pharmacy Procurement Staff will release the prescription in VISTA upon receipt of patient delivery. DELIVERY Standard orders submitted by the facilities by 3:00pm CST will be delivered by the vendor within 3 business days. Urgent or emergent orders will be delivered within 2 business days. The vendor will ensure appropriate storage conditions are maintained during shipment for all materials and supplies. Orders shall be transported via Courier, expedited mail service, or any other means necessary to ensure receipt by established timeframes. Orders specifying delivery to VISN 15 facilities pharmacies will be delivered to the following locations. Pharmacy Room # Address VISN 15 589 Kansas City, MO V1-726 4801 E. Linwood Blvd. Kansas City, MO 64128 VISN 15 589A4 Columbia, MO E001 800 Hospital Drive Columbia, MO 65201 VISN 15 589A5 Topeka, KS sent IM 1- A10 2200 SW Gage Blvd. Topeka, KS 66622 VISN 15 589A6 Leavenworth, KS sent IM B237 4101 4th St. Trafficway Leavenworth, KS 66048 VISN 15 589A7 Wichita, KS 001-3 5500 E. Kellogg Drive Wichita, KS 67218 VISN 15 657 St. Louis, MO J. Cochran sent IM Bldg 1, 4th Floor B405 915 N. Grand Blvd. St. Louis, MO 63106 VISN 15 657A0 St. Louis, MO J. Barracks sent IM JB 55 1st Floor,1c100 1 Jefferson Barracks Dr. St. Louis, MO 63125 VISN 15 657A4 Poplar Bluff, MO Bldg 1 Ground Floor, GB-007 1500 N. Westwood Blvd. Poplar Bluff, MO 63901 VISN 15 657GH Cape Girardeau, MO Rm 1106 711 S. Mount Auburn Rd. Cape Girardeau, MO 63701 VISN 15 657A5 Marion, IL Rm D109 2401 West Main Street Marion, IL 62959 VISN 15 657GJ Evansville IN Rm 1110.1 6211 East Waterford Blvd. Evansville, IN 47715 TECHNICAL INDUSTRY STANDARDS The Contractor shall conform to the standards established by Federal Drug Administration for Risk Evaluation and Mitigation Strategies (REMS). The Contractor shall submit proof of conformance to the standard by providing a copy of their certification and copy of the employee training log. DESCRIPTION OF WORK: The VA Heartland Health Care Network (VISN 15) requires a VISN-wide IDIQ contract for procurement of generic lenalidomide. All orders will be supplied by a REMS certified specialty clinic and based on patient specific orders, in accordance with federal, state and local laws and any regulatory and accrediting bodies. Additionally, the vendor shall provide all delivery and handling of materials and supplies to ensure appropriate storage conditions are maintained during shipment. Vendor shall provide lenalidomide therapy per prescription, manage all REMS requirements as the authorized specialty pharmacy, and dispense the medication directly to the patient or the VISN 15 facility pharmacy as requested on the prescription on a patient-to-patient basis. DELIVERABLES: The vendor shall furnish all necessary materials, supplies, equipment and personnel to complete required tasks. CONTRACTOR FURNISHED MATERIALS. The vendor will provide the tracking information and be based on Drug Supply Chain Security Act (DSCSA) and federal law. All lenalidomide doses and supplies are to be supplied by the Contractor. Vendor shall email or encrypted fax proof of delivery documentation to ordering VISN 15 pharmacy within 3 business days of delivery. Contractor shall invoice for billable units for the amount of medication utilized for each individual patient. Contractor shall provide current and past certification reports. In the case of any failures, contractor shall provide action plans for corrections of deficiencies and testing results showing the failures have been corrected. All reports shall be submitted to facilities within 5 days of result/receipt. Reports will be submitted to VHAV15PharmacyInventoryProcurementCOP@va.gov Shipping fees are included with the order and there is no additional cost for any items delivered for the weekend. All shipments for weekend delivery will be arranged as needed to ensure delivery can be successfully completed. Contractor shall invoice the billable units for the amount of medication utilized for each individual patient to Tungsten Network (OB10). b. GOVERNMENT FURNISHED MATERIALS AND SERVICES. The Government will include all patient information listed above with each order. The Government will submit all orders via secure network or encrypted fax. The Government will confirm receipt of order with vendor by phone or email. VISN 15 facilities Fiscal departments will match the invoice processed by the Vendor to the purchase order in the Invoice Payment Processing System (IPPS). WORK HOURS Facility Name Work Hours VISN 15 589 Kansas City, MO Rm V1-726 is open to receive medications 8:00a-4:30p Rm V2-710 is open to receive medication after hours VISN 15 589A4 Columbia, MO Rm E001 is open to receive medications 24/7 VISN 15 589A5 Topeka, KS Rm 1, Basement A10 is open to receive medications 8:00a-3:30p VISN 15 589A6 Leavenworth, KS Bldg 89, Floor 2, B237 is open to receive medications 8:00a-3:30p VISN 15 589A7 Wichita, KS Rm 001-3 is open to receive medications 24/7 VISN 15 657 St. Louis, MO J. Cochran Bldg 1, 4th Floor, Rm. B405 is open to receive medications 24/7 VISN 15 657A0 St. Louis, MO J. Barracks JB 55, 1st Floor, Rm 1c-100 is open to receive medications 24/7 (however, the building has restricted access after business hours) VISN 15 657A4 Poplar Bluff, MO Bldg 1, Ground Floor, Rm GB-007 is open to receive medications M-F 0800-1800 and Sat, Sun & holidays 0800-1630 VISN 15 657GH Cape Girardeau, MO Rm. 1106 is open to receive medications M-F 0730-1630 VISN 15 657A5 Marion, IL Bldg 42, Room D109 is open to receive medications 24/7 VISN 15 657GJ Evansville IN 1st Floor Pharmacy Room 1110.1 is open to receive medications M-F 0800-1630 CONTIGENCY PLANNING: The Vendor shall have a contingency backup plan in the event that REMS specialty pharmacy facility is affected by any certification discrepancies, equipment malfunctions, natural disasters, or other matters affecting performance of the contract. Contingency locations must meet the same criteria as stated herein. VISN 15 facilities must be notified prior to dispensing any medications from contingency location, and daily until contingency is no longer required. COMPLIANCE WITH APPLICABLE LAWS AND REGULATIONS: The Vendor will ensure that services provided to the Government under this contract comply with all REMS requirements and other applicable laws, statutes, regulations and guidelines for fulfillment of generic lenalidomide. The Vendor shall also ensure that all services provided under this contract comply with all Government mandated procedures, standards, and requirements. QUALITY ASSURANCE SURVEILLANCE PROGRAM The Government will monitor the Vendor s performance under this contract with these performance objectives. REMS certifications will be submitted to VHAV15PharmacyInventoryProcurementCOP@va.gov. Proof of delivery documentation will be submitted to the ordering pharmacy s POC within 3 business days of delivery. Task ID Indicator Standard Acceptable Quality Level Method of Surveillance Incentive General 1 Orders processed accurately Contractor shall ensure all orders are processed per prescription order 100% Review of invoicing documents Positive Past Performance 2 Orders received by patients or VISN 15 pharmacies within 3 business days of submission Contractor shall comply with all REMS safety requirements 100% Review of faxed or emailed shipping confirmation Positive Past Performance 3 Contractor maintains certifications required for REMS specialty pharmacies, Contractor shall furnish copies of REMS certifications, proof of delivery (POD) and invoice documents 100% Validated receipt of certificates and/or documents Positive Past Performance SECURITY REQUIREMENTS Information Systems Officer, Information Protection: The contractor will not have access to VA desktop or laptop computers, nor will they have access to online resources belonging to the government while conducting services or providing products. If removal of equipment from the VA is required, any memory storage devices, such as hard drives, solid state drives and non-volatile memory units will remain in VA control and will not be removed from VA custody. PRIVACY OFFICER: The contractor will have access to protected Patient Health Information (PHI), but it will not have the capability of accessing patient information during the services provided to the VA. Any questions from either party about the medication order will use two patient identifiers to confirm the correct patient for that medication prior to any conversation taking place. If removal of equipment from the VA is required, any memory storage devices, such as hard drives, solid state drives and non-volatile memory units will remain in VA control and will not be removed from VA custody. All research data available for Contractor analyses is de-identified. INVOICES: Payment will be made upon receipt of a properly prepared detailed invoice, prepared by the Contractor and submitted through Tungsten Network (formerly known as OB10) http://www.tungsten-network.com/us/en/. A properly prepared invoice shall contain: Invoice Number and Date Contractor s Name and Address Accurate Purchase Order Number Supply or Service provided (including billable units for the amount of medication utilized for each individual patient) Period Supply or Service Provided Total Amount Due Please begin submitting your electronic invoices through the Tungsten Network for payment processing, free of charge. If you have questions about the e-invoicing program or Tungsten Network, contact information is as follows: Tungsten e-Invoice Setup Information: 1-877-489-6135 Tungsten e-Invoice email: VA.Registration@Tungsten-Network.com FSC e-Invoice Contact Information: 1-877-353-9791 FSC e-invoice email: vafsccshd@va.gov Web Address: HTTP://WWW.FSC.VA.GOV/EINVOICE.ASP Payment will be completed by invoicing from each facility by assigned PO# on awarded DO for base year and every exercised option year. TERMINATION FOR CONVENIENCE In accordance with FAR 52.212-4 (l) The Government reserves the right to terminate this contract, or any part hereof, for its sole convenience. 11. RECORDS MANAGEMENT LANGUAGE FOR CONTRACTS The following standard items relate to records generated in executing the contract and should be included in a typical Electronic Information Systems (EIS) procurement contract: Citations to pertinent laws, codes and regulations such as 44 U.S.C chapters 21, 29, 31 and 33; Freedom of Information Act (5 U.S.C. 552); Privacy Act (5 U.S.C. 552a); 36 CFR Part 1222 and Part 1228. Contractor shall treat all deliverables under the contract as the property of the U.S. Government for which the Government Agency shall have unlimited rights to use, dispose of, or disclose such data contained therein as it determines to be in the public interest. Contractor shall not create or maintain any records that are not specifically tied to or authorized by the contract using Government IT equipment and/or Government records. Contractor shall not retain, use, sell, or disseminate copies of any deliverable that contains information covered by the Privacy Act of 1974 or that which is generally protected by the Freedom of Information Act. Contractor shall not create or maintain any records containing any Government Agency records that are not specifically tied to or authorized by the contract. The Government Agency owns the rights to all data/records produced as part of this contract. The Government Agency owns the rights to all electronic information (electronic data, electronic information systems, electronic databases, etc.) and all supporting documentation created as part of this contract. Contractor must deliver sufficient technical documentation with all data deliverables to permit the agency to use the data. Contractor agrees to comply with Federal and Agency records management policies, including those policies associated with the safeguarding of records covered by the Privacy Act of 1974. These policies include the preservation of all records created or received regardless of format [paper, electronic, etc.] or mode of transmission [e-mail, fax, etc.] or state of completion [draft, final, etc.]. No disposition of documents will be allowed without the prior written consent of the Contracting Officer. The Agency and its Contractors are responsible for preventing the alienation or unauthorized destruction of records, including all forms of mutilation. Willful and unlawful destruction, damage or alienation of Federal records is subject to the fines and penalties imposed by 18 U.S.C. 2701. Records may not be removed from the legal custody of the Agency or destroyed without regard to the provisions of the agency records schedules. GENERAL ADMINISTRATION POINTS OF CONTACT (POCs). The vendor will contact the POC to schedule delivery of medication identified for delivery to a VISN 15 facility pharmacy; upon arrival, the vendor will contact the POC. The vendor will send proof of delivery to the ordering pharmacy s POC listed below within 3 business days of delivery. Facility Name POC E-Mail Address VISN 15 589 Kansas City, MO VHAKANPHARMPROCUREMENT@VA.GOV VISN 15 589A4 Columbia, MO Jennifer.Luebbering@va.gov VISN 15 589A5 Topeka, KS Cody.Pierce@va.gov Taylor.Lee1@va.gov VISN 15 589A6 Leavenworth, KS Danielle.Bullock@va.gov Heather.Kermashek@va.gov VISN 15 589A7 Wichita, KS Beonca.Young@va.gov VISN 15 657 St. Louis, MO J. Cochran Jeffrey.Baumann2@va.gov VISN 15 657 St. Louis, MO J. Barracks Bailey.Weber@va.gov VISN 15 657A4 Poplar Bluff, MO Alicia.Heuiser@va.gov Ashley.Cochran5@va.gov VISN 15 657GH Cape Girardeau, MO Alicia.Heuiser@va.gov Ashley.Cochran5@va.gov VISN 15 657A5 Marion, IL Timothy.Barton2@va.gov John.Hays@va.gov Karlie.Williams1@va.gov VISN 15 657GJ Evansville IN Timothy.Barton2@va.gov John.Hays@va.gov Sharon.Lamb@va.gov CONTRACTING OFFICERS OF RECORD (CORs). Facility Name COR E-Mail Address VISN 15 589 Kansas City, MO Stephen.LaCerte@va.gov VISN 15 589A4 Columbia, MO Carlton.Foust@va.gov VISN 15 589A5 Topeka, KS sent IM Gregory.Burger@va.gov VISN 15 589A6 Leavenworth, KS sent IM Gregory.Burger@va.gov VISN 15 589A7 Wichita, KS Anna.Johnson1@va.gov VISN 15 657 St. Louis, MO J. Cochran Jerry.Flowers1@va.gov VISN 15 657A0 St. Louis, MO J. Barracks Jerry.Flowers1@va.gov VISN 15 657A4 Poplar Bluff, MO Jeanne.Schoonover@va.gov VISN 15 657GH Cape Girardeau, MO Jeanne.Schoonover@va.gov VISN 15 657A5 Marion, IL Timothy.Barton2@va.gov VISN 15 657GJ Evansville IN Timothy.Barton2@va.gov CONTRACT ADMINISTRATION DATA. All contract administration functions will be retained by the Department of Veterans Affairs. The Contracting Officer will be the only person authorized to approve changes or modify any of the requirements under this contract. The Contractor shall communicate with the Contracting Officer on all matters pertaining to contract administration. Only the Contracting Officer will be authorized to make commitments or issue changes that affect price, or quality of performance of this contract. In the event the Contractor effects any such change at the direction of any person other than the Contracting Officer, the change shall be considered unauthorized and no adjustment will be made in the contract price to cover any increase in costs incurred as a result thereof. NON-PERSONAL SERVICES. This is a non-personal services contract. Personnel rendering services under this contract are not subject either by the contract s terms or by the manner of its administration, to the supervision and control usually prevailing in relationships between the government and its employees. The Government shall not exercise any supervision or control over the contract service providers performing services herein. Such contract service providers shall be accountable solely to the Contractor who, in turn, is responsible to the Government. HOURS OF OPERATIONS. Business hours: Monday through Friday, 8:00 a.m. 4:30 p.m. National Holidays: The holidays observed by the Federal Government are: New Year s Day; Martin Luther King s Birthday; Presidents Day; Memorial Day; Juneteenth National Independence Day; Independence Day; Labor Day; Columbus Day; Veterans Day; Thanksgiving; Christmas; and Any other observed Federal holiday. CONTRACT PERFORMANCE MONITORING. The COR(s) and Subject Matter Experts (SMEs) may perform surveillance of services by any of the methods listed below: Observing actual performance Inspecting the services to determine whether the performance meets the performance standards Review of any other appropriate records When unacceptable performance occurs, the POC shall inform the Contractor and the Contracting Officer. This will normally be in writing unless circumstances necessitate verbal communication. In any case, the POC shall document the discussion and place it in the POC file. When the POC determines that formal written communication is required, the POC shall prepare a Contract Discrepancy Report (CDR) and present it to the contractor program manager. The Contractor shall acknowledge receipt of the CDR in writing. The CDR will specify if the Contractor is required to prepare a corrective action plan to document how the Contractor shall correct the unacceptable performance and avoid a recurrence. The CDR will also state how long after receipt the Contractor must present this corrective action plan to the POC. The Government shall review the Contractor corrective action plan to determine acceptability. Any CDRs may become a part of the supporting documentation for any contractual action deemed necessary by the Contracting Officer. Pursuant to VAAR Provision 852.270-1, Representatives of Contracting Officer representative(s); The Government shall periodically evaluate the Contractor performance by appointing a POC to monitor performance to ensure services are received. The Government representative(s) shall evaluate the Contractor performance through inspections of observations, inspection of services or any other form of documentation and all complaints from VA personnel. The Government may inspect as each task is completed or increase the number of quality assurance inspections if deemed appropriate because of repeated failures or because of repeated customer complaints. Likewise, the Government may decrease the number of quality assurance inspections if performance dictates. The Government Contracting Officer shall make final determination of the validity of customer complaint(s). If any of the services do not conform to contract requirements, the Government may require the Contractor to perform the services again in conformity with contract requirements, at no increase in contract amount. When the defects in services cannot be corrected by re-performance, the Government may require the Contractor to take necessary action to ensure that future performance conforms to contract requirements at no additional cost to the Government. Require the Contractor to take necessary action to ensure that future performance conforms to contract requirements at no additional cost to the Government. CONTRACT SECURITY. Contractors are limited in their request for logical or physical access to VA information or VA information systems for their employees, subcontractors, third parties and business associates to the extent necessary to perform the services or provide the goods as specified in the contracts, agreements, task, delivery or purchase orders. All Contractors, subcontractors, third parties, and business associates working with VA information are subject to the same investigative requirements as those of VA appointees or employees who have access to the same types of information. The level and process of background security investigations for contractors to access VA information and VA information systems shall be in accordance with VA Directive and Handbook 0710, Personnel Security and Suitability Program. Contractors, subcontractors, third parties, and business associates who require access to national security programs must have a valid security clearance. HIPAA Business Associate Agreement requirement. Contractors shall enter into a Business Associate Agreement (BAA) with VHA, VA s Covered Entity, when contract requirements and access to protected health information is required and when requested by the Contracting Officer, or the Contracting Officer s Representative (COR) (see VAAR 824.103 70). Under the HIPAA Privacy and Security Rules, a Covered Entity (VHA) must have a satisfactory assurance that its PHI will be safeguarded from misuse. To do so, a Covered Entity enters into a BAA with a contractor (now the business associate), which obligates the Business associate to only use the Covered Entity s PHI for the purposes for which it was engaged, provide the same protections and safeguards as is required from the Covered Entity, and agree to the same disclosure restrictions to PHI that is required of the Covered Entity in situations where a contractor Creates, receives, maintains, or transmits VHA PHI or that will store, generate, access, exchange, process, or utilize such PHI in order to perform certain health care operations activities or functions on behalf of the Covered Entity; or Provides one or more of the services specified in the Privacy Rule to or for the Covered Entity. Contractors or entities required to execute BAAs for contracts and other agreements Become VHA business associates. BAAs are issued by VHA or may be issued by other VA programs in support of VHA. The HIPAA Privacy Rule requires VHA to execute compliant BAAs with persons or entities that create, receive, maintain, or transmit VHA PHI or that will store, generate, access, exchange, process, or utilize such PHI in order to perform certain activities, functions or services to, for, or on behalf of VHA. There may be other VA components or staff offices which also provide certain services and support to VHA and must receive PHI in order to do so. If these components award contracts or enter into other agreements, purchase/delivery orders, modifications and issue governmentwide purchase card transactions to help in the delivery of these services to VHA, they will also fall within the requirement to obtain a satisfactory assurance from these contractors by executing a BAA. BAA requirement flow down to subcontractors. A prime Contractor required to execute a BAA shall also obtain a satisfactory assurance, in the form of a BAA, that any of its subcontractors who will also create, receive, maintain, or transmit VHA PHI or that will store, generate, access, exchange, process, or utilize such PHI will comply with HIPAA requirements to the same degree as the Contractor. Contractors employing a Subcontractor who creates, receives, maintains, or transmits VHA PHI or that will store, generate, access, exchange, process, or utilize such VHA PHI under a contract or agreement is required to execute a BAA with each of its subcontractors which also obligates the subcontractor (i.e., also a business associate) to provide the same protections and safeguards and agree to the same disclosure restrictions to VHA s PHI that is required of the Covered Entity and the prime Contractor. Contractor operations are required to be in the United States. Custom software development and outsourced operations must be located in the U.S. to the maximum extent practicable. If such services are proposed to be performed outside the continental United States, and are not otherwise disallowed by other Federal law, regulations or policy, or other VA policy or other mandates as stated in the contract, specifications, statement of work or performance work statement (including applicable Business Associate Agreements), the Contractor/subcontractor must state in its proposal where all non-U.S. services are provided. At a minimum, the Contractor/ subcontractor must include a detailed Information Technology Security Plan, for review and approval by the Contracting Officer, specifically to address mitigation of the resulting problems of communication, control, and data protection. Contractor/subcontractor employee reassignment and termination notification. Contractors and subcontractors shall provide written notification to the Contracting Officer and Contracting Officer s Representative (COR) immediately, and not later than four (4) hours, when an employee working on a VA information system or with access to VA information is reassigned or leaves the Contractor or subcontractor s employment on the cognizant VA contract. The Contracting Officer and COR must also be notified immediately by the Contractor or subcontractor prior to an unfriendly termination. VA information custodial requirements. Release, publication, and use of data. Information made available to a Contractor or subcontractor by VA for the performance or administration of a contract or information developed by the Contractor/subcontractor in performance or administration of a contract shall be used only for the stated contract purpose and shall not be used in any other way without VA s prior written approval. This clause expressly limits the Contractor s/ subcontractor s rights to use data as described in Rights in Data General, FAR 52.227 14(d). Media sanitization. VA information shall not be co-mingled with any other data on the Contractors/subcontractor s information systems or media storage systems in order to ensure federal and VA requirements related to data protection, information segregation, classification requirements, and media sanitization can be met (see VA Directive 6500, VA Cybersecurity Program). VA reserves the right to conduct scheduled or unscheduled on-site inspections, assessments, or audits of Contractor and subcontractor IT resources, information systems and assets to ensure data security and privacy controls, separation of data and job duties, and destruction/media sanitization procedures are in compliance with Federal and VA requirements. The Contractor and subcontractor will provide all necessary access and support to VA and/or GAO staff during periodic control assessments or audits. Data retention, destruction, and contractor self-certification. The Contactor and its subcontractors are responsible for collecting and destroying any VA data provided, created, or stored under the terms of this contract, to a point where VA data or materials are no longer readable or reconstructable to any degree, in accordance with VA Directive 6371, Destruction of Temporary Paper Records, or subsequent issue. Prior to termination or completion of this contract, the Contractor/subcontractor must provide its plan for destruction of all VA data in its possession according to VA Handbook 6500, and VA Cybersecurity Program, including compliance with National Institute of Standards and Technology (NIST) 800 88, Guidelines for Media Sanitization, for the purposes of media sanitization on all IT equipment. The Contractor must certify in writing to the Contracting Officer within 30 days of termination of the contract that the data destruction requirements in this paragraph have been met. Return of VA data and information. When information, data, documentary material, records and/or equipment is no longer required, it shall be returned to the VA (as stipulated by the Contracting Officer or the COR) or the Contractor/subcontractor must hold it until otherwise directed. Items returned will be hand carried, securely mailed, emailed, or securely electronically transmitted to the Contracting Officer or to the address as provided in the contract or by the assigned COR, and/or accompanying BAA. Depending on the method of return, Contractor/subcontractor must store, transport, or transmit VA sensitive information, when permitted by the contract using VA-approved encryption tools that are, at a minimum, validated under Federal Information Processing Standards (FIPS) 140 3 (or its successor). If mailed, Contractor/subcontractor must send via a trackable method (USPS, UPS, Federal Express, etc.) and immediately provide the Contracting Officer with the tracking information. No information, data, documentary material, records or equipment will be destroyed unless done in accordance with the terms of this contract and the VHA Records Control Schedule 10 1. Use of VA data and information. The Contractor/subcontractor must receive, gather, store, back up, maintain, use, disclose and dispose of VA information only in compliance with the terms of the contract and applicable Federal and VA information confidentiality and security laws, regulations and policies. If Federal or VA information confidentiality and security laws, regulations and policies become applicable to the VA information or information systems after execution of the contract, or if the National NIST issues or updates applicable FIPS or Special Publications (SP) after execution of this contract, the parties agree to negotiate in good faith to implement the information confidentiality and security laws, regulations and policies for this contract as a result of any updates, if required. Copying VA data or information. The Contractor/subcontractor shall not make copies of VA information except as authorized and necessary to perform the terms of the contract or to preserve electronic information stored on Contractor/ subcontractor electronic storage media for restoration in case any electronic equipment or data used by the Contractor/subcontractor needs to be restored to an operating state. If copies are made for restoration purposes, after the restoration is complete, the copies must be appropriately destroyed. Violation of information custodial requirements. If VA determines that the Contractor has violated any of VA s information confidentiality, privacy, or security provisions, it shall be sufficient grounds for VA to withhold payment to the Contractor or third-party or terminate the contract for default in accordance with FAR part 49 or terminate for cause in accordance with FAR 12.403. Encryption. The Contractor/ subcontractor must store, transport, or transmit VA sensitive information, when permitted by the contract, using cryptography, and VA-approved encryption tools that are, at a minimum, validated under FIPS 140 3 (or its successor). Firewall and web services security controls. The Contractor/subcontractor s firewall and web services security controls, if applicable, shall meet or exceed VA s minimum requirements. VA Configuration Guidelines are available upon request. Disclosure of VA data and information. Except for uses and disclosures of VA information authorized in a cognizant contract for performance of the contract, the Contractor/subcontractor may use and disclose VA information only in two other situations: subject to paragraph (f)(10) of this section, in response to a court order from a court of competent jurisdiction, or with VA s prior written approval. The Contractor/ subcontractor must refer all requests for, demands for production of, or inquiries about, VA information and information systems to the Contracting Officer for response. If the contractor/subcontractor is in receipt of a court order or other request or believes it has a legal requirement to disclose VA information, that Contractor/subcontractor shall immediately refer such court order or other request to the Contracting Officer for response. If the Contractor or subcontractor discloses information on behalf of VHA, the Contractor and/or subcontractor must maintain an accounting of disclosures. Accounting of Disclosures documentation maintained by the Contractor/subcontractor will include the name of the individual to whom the information pertains, the date of each disclosure, the nature or description of the information disclosed, a brief statement of the purpose of each disclosure or, in lieu of such statement, a copy of a written request for a disclosure, and the name and address of the person or agency to whom the disclosure was made. The Contractor/subcontractor will provide its Accounting of Disclosures upon request and within 15 calendar days to the assigned COR and Privacy Officer. Accounting of disclosures should be provided electronically via encrypted email to the COR and designated VA facility Privacy Officer as provided in the contract, BAA, or by the Contracting Officer. If providing the Accounting of Disclosures electronically cannot be done securely, the Contractor/subcontractor will provide copies via trackable methods (UPS, USPS, Federal Express, etc.) immediately, providing the designated COR and Privacy Officer with the tracking information. Compliance with privacy statutes and applicable regulations. The vendor and/or subcontractor shall not disclose VA information protected by any of VA s privacy statutes or applicable regulations including but not limited to: the Privacy Act of 1974, 38 U.S.C. 5701, confidential nature of claims, 38 U.S.C. 5705, confidentiality of medical quality assurance records and/or 38 U.S.C. 7332, confidentiality of certain health records pertaining to drug addiction, sickle cell anemia, alcoholism or alcohol abuse, or infection with human immunodeficiency virus or the HIPAA Privacy Rule. If the Contractor/subcontractor is in receipt of a court order or other requests for VA information or has questions if it can disclose information protected under the abovementioned confidentiality statutes because it is required by law, that Contractor/subcontractor shall immediately refer such court order or other request to the Contracting Officer for response. Report of known or suspected security/ privacy incident. The Contractor, subcontractor, third-party affiliate or business associate, and its employees shall notify VA immediately via the Contracting Officer and the COR or within one (1) hour of an incident which is an occurrence (including the discovery or disclosure of successful exploits of system vulnerability) that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or the availability of its data and operations, or of its information or information system(s); or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies. The initial notification may first be made verbally but must be followed up in writing within one (1) hour. See VA Data Breach Response Service at https://www.oprm.va.gov/dbrs/ about_dbrs.aspx. Report all actual or suspected security/privacy incidents and report the information to the Contracting Officer and the COR as identified in the contract or as directed in the contract, within one hour of discovery or suspicion. Such issues shall be remediated as quickly as is practical, but in no event longer than 1 day. The Contractor shall notify the Contracting Officer in writing. When the security fixes involve installing third party patches (e.g., Microsoft OS patches or Adobe Acrobat), the Contractor will provide written notice to VA that the patch has been validated as not affecting the systems within 10 working days. When the Contractor is responsible for operations or maintenance of the systems, they shall apply the security fixes within 1 day. All other vulnerabilities shall be remediated in a timely manner based on risk, but within 60 days of discovery or disclosure. Contractors shall notify the Contracting Officer, and COR within 2 business days after remediation of the identified vulnerability. Exceptions to this paragraph (e.g., for the convenience of VA) must be requested by the Contractor through the COR and shall only be granted with approval of the Contracting Officer and the VA Assistant Secretary for Office of Information and Technology. These exceptions will be tracked by the Contractor in concert with the Government in accordance with VA Directive 6500.6 and related VA Handbooks. vii. Security and privacy incident investigation. The term privacy incident means the unauthorized disclosure or use of VA information protected under a confidentiality statute or regulation. The term security incident means an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information systems; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable policies. The Contractor/subcontractor shall immediately notify the Contracting Officer and COR for the contract of any known or suspected security or privacy incident, or any other unauthorized disclosure of sensitive information, including that contained in system(s) to which the Contractor/subcontractor has access. To the extent known by the Contractor/ subcontractor, the contractor/subcontractor s notice to VA shall identify the information involved, the circumstances surrounding the incident (including to whom, how, when, and where the VA information or assets were placed at risk or compromised), and any other information that the Contractor/subcontractor considers relevant. With respect to unsecured PHI, the Business Associate is deemed to have discovered a security incident as defined above when the Business Associate either knew, or by exercising reasonable diligence should have been known to an employee of the Business Associate. Upon discovery, the Business Associate must notify VHA of the security incident immediately within one hour of discovery or suspicion as agreed to in the BAA. In instances of theft or break-in or other criminal activity, the contractor/subcontractor must concurrently report the incident to the appropriate law enforcement entity (or entities) of jurisdiction, including the VA OIG and the VA Office of Security and Law Enforcement. The Contractor, its employees, and its subcontractors and their employees shall cooperate with VA and any law enforcement authority responsible for the investigation and prosecution of any possible criminal law violation(s) associated with any incident. The Contractor/subcontractor shall cooperate with VA in any civil litigation to recover VA information, obtain monetary or other compensation from a third party for damages arising from any incident, or obtain injunctive relief against any third party arising from, or related to, the incident. viii. Data breach notification requirements. This contract may require access to sensitive personal information. If so, the Contractor is liable to VA for liquidated damages in the event of a data breach involving any VA sensitive personal information the Contractor/Subcontractor processes or maintains under the contract as set forth in clause 852.211 76, Liquidated Damages Reimbursement for Data Breach Costs. The Contractor/subcontractor shall provide notice to VA of a privacy or security incident as set forth in the Security and Privacy Incident Investigation section of this clause. The term data breach means the loss, theft, or other unauthorized access, or any access other than that incidental to the scope of employment, to data containing sensitive personal information, in electronic or printed form, that results in the potential compromise of the confidentiality or integrity of the data. The Contractor shall fully cooperate with VA or third-party entity performing an independent risk analysis on behalf of VA. Failure to cooperate may be deemed a material breach and grounds for contract termination. The Contractor/subcontractor shall fully cooperate with VA or any Government agency conducting an analysis regarding any notice of a data breach or potential data breach or security incident which may require the Contractor to provide information to the Government or third-party performing a risk analysis for VA, and shall address all relevant information concerning the data breach, including the following: Nature of the event (loss, theft, unauthorized access). Description of the event, including Date of occurrence; Date of incident detection; Data elements involved, including any PII, such as full name, social security number, date of birth, home address, account number, disability code. Number of individuals affected or potentially affected. Names of individuals or groups affected or potentially affected. Ease of logical data access to the lost, stolen or improperly accessed data in light of the degree of protection for the data, e.g., unencrypted, plain text. Amount of time the data has been out of VA control. The likelihood that the sensitive personal information will or has been compromised (made accessible to and usable by unauthorized persons). Known misuses of data containing sensitive personal information, if any. Assessment of the potential harm to the affected individuals. Data breach analysis as outlined in 6500.2 Handbook, Management of Breaches Involving Sensitive Personal Information, as appropriate. Whether credit protection services may assist record subjects in avoiding or mitigating the results of identity theft based on the sensitive personal information that may have been compromised. Steps taken in response to mitigate or prevent a repetition of the incident. ix. Training. All Contractor employees and subcontractor employees requiring access to VA information or VA information systems shall complete the following before being granted access to VA information and its systems: On an annual basis, successfully complete the VA Privacy and Information Security Awareness and VA Information Security Rules of Behavior training. On an annual basis, sign and acknowledge (either manually or electronically) understanding of and responsibilities for compliance with the VA Information Security Rules of Behavior for Organizational Users, relating to access to VA information and information systems. Successfully complete any additional cyber security or privacy training, as required for VA personnel with equivalent information system access. The Contractor shall provide to the Contracting Officer and/or the COR a copy of the training certificates and affirmation that VA Information Security Rules of Behavior for Organizational Users signed by each applicable employee have been completed and submitted within five (5) days of the initiation of the contract and annually thereafter, as required. Failure to complete the mandatory annual training and acknowledgement of the VA Information Security Rules of Behavior, within the timeframe required, is grounds for suspension or termination of all physical or electronic access privileges and removal from work on the contract until such time as the training and documents are complete. x. Subcontract flow down. The Contractor shall include the substance of this clause, including this paragraph (k), in subcontracts, third-party agreements, and BAAs, of any amount and in which subcontractor employees, third-party servicers/employees, and business associates will perform functions where they will have access to VA information (including VA sensitive information, i.e., sensitive personal information and protected health information), information systems, information technology (IT) or providing and accessing information technology-related contract services, support services, and related resources (see VAAR 802.101 definition of information technology-related contracts). h. LIQUIDATED DAMAGES REMIBURSEMENT FOR DATA BREACH COSTS Definition. As used in this clause, contract means any contract, agreement, order or other instrument and encompasses the definition set forth in FAR 2.101. Non-disclosure requirements. As a condition of performance under a contract, order, agreement, or other instrument that requires access to sensitive personal information as defined in VAAR 802.101, the following is expressly required The Contractor, subcontractor, their employees or business associates shall not, directly or through an affiliate or employee of the Contractor, subcontractor, or business associate, disclose sensitive personal information to any other person unless the disclosure is lawful and is expressly permitted under the contract; and The Contractor, subcontractor, their employees or business associates shall immediately notify the Contracting Officer and the Contracting Officer s Representative (COR) of any security incident that occurs involving sensitive personal information. Liquidated damages. If the Contractor or any of its agents fails to protect VA sensitive personal information or otherwise engages in conduct which results in a data breach, the Contractor shall, in place of actual damages, pay to the Government liquidated damages of [$37.50] per affected individual in order to cover costs related to the notification, data breach analysis and credit monitoring. In the event the Contractor provides payment of actual damages in an amount determined to be adequate by the Contracting Officer, the Contracting Officer may forgo collection of liquidated damages. Purpose of liquidated damages. Based on the results from VA s determination that there was a data breach caused by Contractor s or any of its agents failure to protect or otherwise engaging in conduct to cause a data breach of VA sensitive personal information, and as directed by the Contracting Officer, the Contractor shall be responsible for paying to the VA liquidated damages in the amount of [$37.50] per affected individual to cover the cost of the following: Notification related costs. Credit monitoring reports. Data breach analysis and impact. Fraud alerts. Identity theft insurance. Relationship to termination clause, if applicable. If the Government terminates this contract in whole or in part under the Termination for cause paragraph, FAR 52.212 4(m), Contract Terms and Conditions Commercial Products and Commercial Services, the Contractor is liable for damages accruing until the Government reasonably obtains delivery or performance of similar supplies or services. These damages are in addition to costs of repurchase as may be required under the Termination clause. Important information: The Government is not obligated to, nor will it pay for or reimburse any costs associated with responding to this source sought synopsis request. This notice shall not be construed as a commitment by the Government to issue a solicitation or ultimately award a contract, nor does it restrict the Government to an acquisition approach. The Government will in no way be bound to this information if any solicitation is issued. Currently a total set-aside for Service-Disabled Veteran Owned Small Business firms is anticipated based on the Veterans Administration requirement with Public Law 109-461, Section 8127 Veterans Benefit Act. However, if response by Service-Disabled Veteran Owned Small Business firms proves inadequate, an alternate set-aside or full and open. Any response to this source selection from Interested parties must be received NLT 12/23/2025, 1500 PM CST. Attention: Michael Murphy, Contracting Specialist. Email: Michael.murphy7@va.gov Offerors shall reference 36C25526Q0127 Lenalidomide in the subject line of all emails. Please provide your Unique Entity ID so that your organization can be identified in SAM.GOV and VetBiz if organization is claiming SDVOSB preference. Only organizations with an active SAM.GOV account can be considered. Utilize this link to either start a new registration or to renew the organization s registration. https://sam.gov/content/home
