Request for Information (RFI)
Pharmacy OneSource Simplifi w/ Academy (VA-26-00015198)
36C10B26Q0039

1. Introduction

This RFI is for planning purposes only and shall not be considered an Invitation for Bid, Request for Quotation, or a Request for Proposal. DO NOT SUBMIT A PROPOSAL. Additionally, there is no obligation on the part of the Government to acquire any products or services described in this RFI. Your response to this RFI will be treated only as information for the Government to consider. You will not be entitled to payment for direct or indirect costs that you incur in responding to this RFI. This request does not constitute a solicitation for proposals or the authority to enter into negotiations to award a contract. No funds have been authorized, appropriated, or received for this effort. Interested parties are responsible for adequately marking proprietary, restricted, or competition-sensitive information contained in their response. The Government does not intend to pay for the information submitted in response to this RFI. Be advised that set-aside decisions may be made based on the information provided in response to this RFI. Responses shall be as complete and informative as possible.

The North American Industry Classification System (NAICS) code being contemplated for this requirement is 513210, "Software Publishers." Please ensure your response indicates your size status under this NAICS code.

2. Submittal Information

All responsible sources may submit a response in accordance with the information below. There is a page limitation for this RFI of 12 pages, and responses shall be in 12-point Arial font. The Government will not review any other information or attachments included that are in excess of the 12-page limit. NO MARKETING MATERIALS ARE ALLOWED AS PART OF THIS RFI. Generic capability statements will not be accepted or reviewed.
Your response must address capabilities specific to the item required in the attached PD and must include the following:

A. Interested Vendors shall, at a minimum, provide the following information in the initial paragraph of the submission:
- Name of Company
- Address
- Point of Contact
- Phone Number
- Fax Number
- Email address
- NAICS code(s)
- Company Business Size and Status
- For VOSBs and SDVOSBs, proof of verification in VIP
- Socioeconomic data
- Unique Equipment Identifier (UEI) Number
- Existing Contractual Vehicles (GWAC, FSS, or MAC)

B. Provide a summary of your capability to meet the requirements contained within the draft PD for the following areas:
1. Provide a summary of your technical capability to meet the PD requirements.
2. Provide an explanation of any additional technologies and/or best practices that should be considered for inclusion within the PD, and why.
3. What additional information would be beneficial in creating a proposal for this statement of work?
4. Are there any sections in the PD where the intent of the Government is unclear?

C. Corporate experience or expertise in performing these services, and specific examples or references. Specific examples or references provided must include the agency, point of contact, dollar value, and contract number.

D. Small Businesses should also include information as to your company's intent and ability to meet the set-aside requirement in accordance with VAAR 852.219-73 (JAN 2023) (DEVIATION) VA Notice of Total Set-Aside For Certified SDVOSBs and 13 CFR §125.6, which states the contractor will not pay more than 50% of the amount paid by the Government to the prime for contract performance to firms that are not certified SDVOSBs listed in the SBA certification database (excluding direct costs to the extent they are not the principal purpose of the acquisition and the SDVOSB/VOSB does not provide the service, such as airline travel, cloud computing services, or mass media purchases).
When a contract includes both services and supplies, the 50 percent limitation shall apply only to the service portion of the contract. Your response shall include information as to available personnel and financial resources; full names of proposed team members and the PD requirements planned to be subcontracted to them, which must include the prime's planned percentage or the names of the potential team members that may be used to fulfill the set-aside requirement.

Has the draft PD provided sufficient detail to describe the technical requirements that encompass the software development and production operations support services to be performed under this effort? _____________ (if No, answer question c)

If NO, please provide your technical comments/recommendations on elements of the draft PD that may contribute to a more accurate proposal submission and an efficient, cost-effective effort.

Responses are due no later than October 30, 2025 at 12:00 AM EST, via email to Contract Specialist Harold Nice at Harold.Nice@va.gov. Please note Sources Sought # 36C10B26Q0039, Pharmacy OneSource Simplifi Software Licenses and Maintenance Support, in the subject line of your response. Mark your response as Proprietary Information if the information is considered business sensitive. The email file size shall not exceed 5 MB.

See attached document: Product Description (PD), Pharmacy OneSource Simplifi Software Licenses and Maintenance Support, Draft PD Version Number: 1.0

PRODUCT DESCRIPTION (PD)
DEPARTMENT OF VETERANS AFFAIRS
Office of Information & Technology
VA VISN 17 Heart of Texas Healthcare Network
Pharmacy OneSource Simplifi 797 w/ Sole Source Academy
Date: October 17, 2025
VA-26-00015198
PD Version Number: 1.0

1.0 PRODUCT REQUIREMENTS

The Department of Veterans Affairs (VA), Office of Information & Technology (OIT), VA Veterans Integrated Services Network (VISN) 17, Heart of Texas Healthcare Network, has a brand name requirement for Pharmacy OneSource Simplifi 797 w/ Sole Source Academy (with add-on modules United States Pharmacopeia (USP) 800 & 795, Compounding Module), for renewal of eight (5) sites:
- (CTX) Central TX Veterans Healthcare System-Olin E. Teague Veterans Center, 1901 Veterans Memorial Dr, Temple, TX 76504;
- (STX) Audie L. Murphy Memorial Veterans Hospital, 7400 Merton Minter, San Antonio, TX 78229;
- (NTX) VA North Texas Health Care System-Dallas VAMC, 4500 S Lancaster Rd, Dallas, TX 75216;
- (WTX) West Texas VA Health Care System-George H. O'Brian, Jr. VAMC, 300 Veterans Blvd, Big Spring, TX 79720;
- (WTX) Amarillo VA Health Care System-Thomas E. Creek VAMC, 6010 Amarillo Blvd West, Amarillo, TX 79106.

Simplifi 797 is a turnkey, web-based quality management system that simplifies and automates ongoing compliance with essential USP Chapter 797 (with add-on modules, to include 800 & 795) requirements for safety and risk mitigation, including comprehensive policies, procedures, staff training, competency evaluations, risk management, and quality assurance practices necessary for a safe and efficient sterile compounding environment. The Compounding module in Simplifi 797 allows for digital storage of master formulation records for sterile and non-sterile preparations. It also provides an integrated workflow for both compounding and pharmacy checks and approvals, along with a robust activity tracker. In addition, labels can be easily printed from any network printer.
Additional features include:
- facility ad hoc report generation;
- access for all staff involved in compounding sterile products and facility staff as designated, using unique usernames and passwords;
- ability to follow up continuously on reports and findings as needed;
- capability of sending e-mail notifications to staff when desired actions are not taken by specified timelines;
- ability to attach files to the documentation forms in the system so that they can be opened and reviewed by other system users;
- e-mail notification feature that will send e-mail copies of documentation to those requesting the notification;
- Standard Operating Procedures and policy templates which are in compliance with USP 797, 795, and 800 standards; and
- incorporation of USP 797, 795, and 800 standards in Standard Operating Procedures and training modules.

The system shall be capable of integrating with gravimetric compounding tools, such as Omnicell IVX. Simplifi also provides Sole Source Academy-Pharmacy Compounding Collection, USP 800 & 795, Compounding Module training for staff, including ACPE-accredited Continuing Education for staff after the training is completed. The Contractor shall provide full-service setup and ongoing support throughout the period of performance. The period of performance for the base requirement is from December 14, 2025, through December 13, 2026. This effort includes four (4) 12-month option periods for continued access to the Simplifi web-based portal.
1.1 TECHNICAL SUPPORT AND SUPPORT SERVICES

The Contractor shall provide a Customizable Pharmacy Sterile Compounding Electronic Quality Management System with:
- Customizable report values and parameters
- Ad hoc report generation
- Customizable user access with unique usernames and passwords
- Continuous report follow-up with email notifications
- File attachment and review capability in documentation forms
- Email notification feature for documentation
- Standard Operating Procedures (SOP) and policy templates in compliance with USP standards
- Sole Source Academy-Pharmacy Compounding Collection, USP 800 & 795, Compounding Module training for competency evaluations
- ACPE-accredited Continuing Education after training
- Scheduling of ACPE CE courses for staff, integrated into the system
- Integration with gravimetric compounding tools
- Full-service setup and ongoing support

2.0 NOTICE OF THE FEDERAL ACCESSIBILITY LAW AFFECTING ALL INFORMATION AND COMMUNICATION TECHNOLOGY (ICT) PROCUREMENTS (SECTION 508)

On January 18, 2017, the Access Board issued a final rule that updated accessibility requirements covered by Section 508 and refreshed guidelines for telecommunications equipment subject to Section 255 of the Communications Act. The final rule went into effect on January 18, 2018. The revisions and updates to the Section 508-based standards and Section 255-based guidelines are intended to ensure that information and communication technology (ICT) covered by the respective statutes is accessible to and usable by individuals with disabilities.

2.1 SECTION 508 INFORMATION AND COMMUNICATION TECHNOLOGY (ICT) STANDARDS

The Section 508 standards established by the Access Board are incorporated into, and made part of, all VA orders, solicitations, and purchase orders developed to procure ICT. These standards are found in their entirety at: Revised 508 Standards and 255 Guidelines (access-board.gov).
A single PDF file version of the Revised Section 508 Standards and 255 Guidelines will be supplied upon request, or can be obtained from the Access Board website. Federal agencies must comply with the Rehabilitation Act of 1973, as amended. The Contractor shall comply with 508 Chapter 2: Scoping Requirements for all electronic ICT and content delivered under this contract. Specifically, as appropriate for the technology and its functionality, the Contractor shall comply with the technical standards marked here:
- E205 Electronic Content (Accessibility Standard - WCAG 2.0 Level A and AA Guidelines)
- E204 Functional Performance Criteria
- E206 Hardware Requirements
- E207 Software Requirements
- E208 Support Documentation and Services Requirements

2.2 COMPATIBILITY WITH ASSISTIVE TECHNOLOGY

The standards do not require installation of specific accessibility-related software or attachment of an assistive technology device. Section 508 requires that ICT be compatible with such software and devices so that ICT can be accessible to and usable by individuals using assistive technology, including but not limited to screen readers, screen magnifiers, and speech recognition software.

2.3 ACCEPTANCE AND ACCEPTANCE TESTING

Deliverables resulting from this solicitation will be accepted based in part on satisfaction of the Section 508 Chapter 2: Scoping Requirements standards identified above. The Government reserves the right to test for Section 508 compliance before delivery. The Contractor shall be able to demonstrate Section 508 compliance upon delivery.
3.0 SHIPMENT OF SOFTWARE

Inspection: Destination
Acceptance: Destination
Free on Board (FOB): Destination

All licenses and maintenance shall be provided through: https://apps.pharmacyonesource.com/

Ship To:
Name:
Address:
Voice:
Email:

Mark For:
Name:
Address:
Voice:
Email:

POINTS OF CONTACT

VA Program Manager:
Name:
Email:

Contracting Officer's Representative:
Name:
Email:

Contracting Officer:
Name: Kimberly Geran
Email: Kimberly.Geran@va.gov

Contract Specialist:
Name: Harold Nice
Email: Harold.nice@va.gov

5.0 INFORMATION SECURITY CONSIDERATIONS

The Assessment and Authorization (A&A) requirements do not apply, and a Security Accreditation Package is not required. All VA sensitive information shall be protected at all times in accordance with local security field office System Security Plans (SSPs) and Authorities to Operate (ATOs) for all systems/LANs accessed while performing the tasks detailed in this Product Description.

A prohibition on unauthorized disclosure: Information made available to the Contractor or Subcontractor by VA for the performance or administration of this contract, or information developed by the Contractor/Subcontractor in performance or administration of the contract, shall be used only for those purposes and shall not be used in any other way without the prior written agreement of the VA. This clause expressly limits the Contractor/Subcontractor's rights to use data as described in Rights in Data - General, FAR 52.227-14(d)(1).

A requirement for data breach notification: Upon discovery of any known or suspected security/privacy incidents, or any unauthorized disclosure of sensitive information, including that contained in system(s) to which the Contractor/Subcontractor has access, the Contractor/Subcontractor shall immediately notify the COR and, simultaneously, the designated ISO and Privacy Officer for the contract.
The term "security incident" means an event that has, or could have, resulted in unauthorized access to, loss of, or damage to VA assets or sensitive information, or an action that breaches VA security procedures. See VA Handbook 6500.6, Appendix C, paragraph 6.a.

A requirement to pay liquidated damages in the event of a data breach: In the event of a data breach or privacy incident involving SPI the Contractor processes or maintains under this contract, the Contractor shall be liable to VA for liquidated damages for a specified amount per affected individual to cover the cost of providing credit protection services to those individuals. However, it is the policy of VA to forgo collection of liquidated damages in the event the Contractor provides payment of actual damages in an amount determined to be adequate by the agency. Based on the determinations of the independent risk analysis, the Contractor shall be responsible for paying to VA liquidated damages in the amount of $37.50 per affected individual to cover the cost of providing credit protection services to affected individuals, consisting of the following:
- Notification;
- One year of credit monitoring services consisting of automatic daily monitoring of at least 3 relevant credit bureau reports;
- Data breach analysis;
- Fraud resolution services, including writing dispute letters, initiating fraud alerts and credit freezes, to assist affected individuals to bring matters to resolution;
- One year of identity theft insurance with $20,000.00 coverage at $0 deductible; and
- Necessary legal expenses the subjects may incur to repair falsified or damaged credit records, histories, or financial affairs.

A requirement for annual security/privacy awareness training: Before being granted access to VA information or information systems, all Contractor employees and Subcontractor employees requiring such access shall complete on an annual basis either: (i) the VA security/privacy awareness training (contains VA security/privacy requirements) within 1 week of the initiation of the contract, or (ii) security awareness training provided or arranged by the Contractor that conforms to VA's security/privacy requirements as delineated in the hard copy of the VA security awareness training provided to the Contractor. If the Contractor provides their own training that conforms to VA's requirements, they will provide the COR or CO a yearly report (due annually on the date of the contract initiation) stating that all applicable employees involved in VA's contract have received their annual security/privacy training that meets VA's requirements, and the total number of employees trained. See VA Handbook 6500.6, Appendix C, paragraph 9.

A requirement to sign VA's Rules of Behavior: Before being granted access to VA information or information systems, all Contractor employees and Subcontractor employees requiring such access shall sign on an annual basis an acknowledgement that they have read, understand, and agree to abide by VA's Contractor Rules of Behavior, which is attached to this contract. See VA Handbook 6500.6, Appendix C, paragraph 9, and Appendix D.
Note: If a medical device vendor anticipates that the services under the contract will be performed by 10 or more individuals, the Contractor Rules of Behavior may be signed by the vendor's designated representative. The contract must reflect, by signing the Rules of Behavior on behalf of the vendor, that the designated representative agrees to ensure that all such individuals review and understand the Contractor Rules of Behavior when accessing VA's information and information systems.

5.1 GENERAL REQUIREMENTS

5.2 VA TECHNICAL REFERENCE MODEL

The Contractor shall comply with the VA OIT Technical Reference Model (VA TRM). Compliance with the VA TRM is achieved by using only technologies and standards that are listed as approved for use in the VA TRM. The Contractor shall provide all necessary information requested by VA to ensure TRM approval is obtained prior to use on VA's network.

5.3 ZERO TRUST VA CRITICAL SECURITY CONTROLS

VA has established minimum mandatory security requirements and requires that any network-connected software system or service must meet the VA Critical Security Controls as outlined in the VA Memorandum, "VA Security Controls," https://www.voa.va.gov/DocumentView.aspx?DocumentID=5010. VA Critical Security Controls identify the minimum mandatory requirements that must be implemented across all VA enterprise infrastructure, cloud computing environments, information systems, networks, and specialized devices (medical devices/systems, special-purpose systems, and research scientific computing devices) that process, store, and/or transmit VA data. Effective July 1, 2025, the Contractor shall implement these VA Critical Security Controls within any network-connected software system or service prior to its being authorized for use in the VA. This functional requirement is not negotiable, and a Plan of Action & Milestones (POAM) will not be accepted in the event these controls cannot be implemented for new systems.
Critical Security Controls are intended to increase VA's security posture and provide security and privacy risk visibility into the VA network, and are not a new requirement. The Contractor's failure to maintain these VA Critical Controls after implementation will result in VA discontinuing the use of the system.

5.4 SOCIAL SECURITY NUMBER (SSN) REDUCTION

The Contractor solution shall support the Social Security Number (SSN) Fraud Prevention Act (FPA) of 2017, which prohibits the inclusion of SSNs on any document sent by mail. The Contractor support shall also be performed in accordance with Section 240 of the Consolidated Appropriations Act (CAA) 2018, enacted March 23, 2018, which mandates VA to discontinue using SSNs to identify individuals in all VA information systems as the Primary Identifier. The Contractor shall ensure that any new IT solution discontinues the use of the SSN as the Primary Identifier and replaces the SSN with the Integrated Control Number (ICN) in all VA information systems for all individuals. The Contractor shall ensure that all Contractor-delivered applications and systems integrate with the VA Master Person Index (MPI) for identity traits, to include the use of the ICN as the Primary Identifier. The Contractor solution may only use a Social Security Number to identify an individual in an information system if and only if the use of such number is required to obtain information VA requires from an information system that is not under the jurisdiction of VA.

5.5 INTERNET PROTOCOL VERSION 6 (IPV6)

The Contractor solution shall support IPv6-Only based upon the memo issued by the Office of Management and Budget (OMB) on November 19, 2020 (https://www.whitehouse.gov/wp-content/uploads/2020/11/M-21-07.pdf), which defines IPv6-only as the state of an operational system or service when IPv4 protocol functions (addressing, packet forwarding) are not in use.
The NIST USGv6 profile defines technical requirements for a product to be capable of operating in IPv6-Only environments. IPv6-Only technology compliance, in accordance with the USGv6 Program (https://www.nist.gov/programs-projects/usgv6-program/usgv6-revision-1), NIST Special Publication (SP) 500-267B Revision 1, USGv6 Profile (https://doi.org/10.6028/NIST.SP.500-267Br1), and NIST SP 800-119, Guidelines for the Secure Deployment of IPv6 (https://doi.org/10.6028/NIST.SP.800-119), shall be included in all IT infrastructures, application designs, application development, operational systems and sub-systems, and their integration. In addition to the above requirements, all devices, applications, and systems shall support all applicable functionality on native IPv6-Only as well as dual stack (IPv6 / IPv4) connectivity without additional memory or other resources being provided by the Government, so that they can function in a mixed environment. All public/external-facing servers and services (e.g., web, email, DNS, ISP services, etc.) shall support native IPv6-Only and dual stack (IPv6 / IPv4) users, and all internal infrastructure and applications shall support using native IPv6-Only and dual stack (IPv6 / IPv4) for all functionality and operations.

SOFTWARE AND LICENSING REQUIREMENTS

The Contractor shall be responsible for the provision of all software licenses and any associated licensing maintenance required for any development, delivery, integration, operation, and/or maintenance associated with its proposed application(s), software products, software solution, and/or system, including, but not limited to, any and all application(s), software, and/or software products that comprise, are a part of, or integrate with the Contractor's proposed application(s), software products, software solution, and/or system for the life of any resulting contract.
5.6 TRUSTED INTERNET CONNECTION (TIC)

The Contractor solution shall meet the requirements outlined in Office of Management and Budget Memorandum M-19-26, Update to the Trusted Internet Connections (TIC) Initiative (https://www.whitehouse.gov/wp-content/uploads/2019/09/M-19-26.pdf), and VA Directive 6513, "Secure External Connections," and shall comply with the TIC 3.0 Core Guidance Documents, including all Volumes and TIC Use Cases, found at the Cybersecurity & Infrastructure Security Agency (CISA) (https://www.cisa.gov/publication/tic-30-core-guidance-documents).

6.0 ADDENDUM B - VA INFORMATION AND INFORMATION SYSTEM SECURITY/PRIVACY LANGUAGE

APPLICABLE SECTIONS FROM: VA NOTICE 24-12, APRIL 22, 2024, UPDATE TO VA HANDBOOK 6500.6, CONTRACT SECURITY, APPENDIX C, VA INFORMATION AND INFORMATION SYSTEM SECURITY/PRIVACY LANGUAGE, FOR INCLUSION INTO CONTRACTS, AS APPROPRIATE

GENERAL

This entire section applies to all acquisitions requiring any Information Security and Privacy language. Contractors, contractor personnel, Subcontractors, and subcontractor personnel will be subject to the same federal laws, regulations, standards, VA directives, and handbooks as VA personnel regarding information and information system security and privacy.

PRODUCT INTEGRITY, AUTHENTICITY, PROVENANCE, ANTI-COUNTERFEIT AND ANTI-TAMPERING

The Contractor shall comply with Code of Federal Regulations (CFR) Title 15 Part 7, "Securing the Information and Communications Technology and Services (ICTS) Supply Chain," which prohibits ICTS Transactions from foreign adversaries. ICTS Transactions are defined as any acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology or service, including ongoing activities such as managed services, data transmission, software updates, repairs, or the platforming or data hosting of applications for consumer download.
When contracting terms require the Contractor to procure equipment, the Contractor shall purchase or acquire the equipment from an Original Equipment Manufacturer (OEM) or an authorized reseller of the OEM. The Contractor shall attest that equipment procured from an OEM or authorized reseller or distributor is authentic. If procurement is unavailable from an OEM or authorized reseller, the Contractor shall submit in writing details of the circumstances prohibiting this from happening and procure a product waiver from the VA COR/CO.

All Contractors shall establish, implement, and provide documentation for risk management practices for supply chain delivery of hardware, software (to include patches), and firmware provided under this agreement. Documentation will include chain-of-custody practices, an inventory management program, information protection practices, an integrity management program for sub-supplier-provided components, and replacement parts requests. The Contractor shall make spare parts available.

All Contractor(s) shall specify how digital delivery for procured products, including patches, will be validated and monitored to ensure consistent delivery. The Contractor shall apply encryption technology to protect procured products throughout the delivery process. If a Contractor provides software or patches to VA, the Contractor shall publish or provide a hash conforming to the FIPS Security Requirements for Cryptographic Modules (FIPS 140-2 or successor). The Contractor shall provide a software bill of materials (SBOM) for procured products (to include licensed products), consisting of a list of components and associated metadata which make up the product. SBOMs must be generated in one of the data formats defined in the National Telecommunications and Information Administration (NTIA) report "The Minimum Elements for a Software Bill of Materials (SBOM)."

Contractors shall use or arrange for the use of trusted channels to ship procured products, such as U.S. registered mail and/or tamper-evident packaging for physical deliveries. Throughout the delivery process, the Contractor shall demonstrate a capability for detecting unauthorized access (tampering). The Contractor shall demonstrate chain-of-custody documentation for procured products and require tamper-evident packaging for the delivery of this hardware.

VIRUSES, FIRMWARE, AND MALWARE

The Contractor shall execute due diligence to ensure all provided software and patches, including third-party patches, are free of viruses and/or malware before releasing them to or installing them on VA information systems. The Contractor warrants it has no knowledge of, and did not insert, any malicious virus and/or malware code into any software or patches provided to VA which could potentially harm or disrupt VA information systems. The Contractor shall use due diligence, if supplying third-party software or patches, to ensure the third party has not inserted any malicious code and/or virus which could damage or disrupt VA information systems. The Contractor shall provide or arrange for the provision of technical justification as to why any false-positive hit has taken place, to ensure their code's supply chain has not been compromised. Justification may be required, but is not limited to, when install files, scripts, firmware, or other Contractor-delivered software solutions (including third-party install files, scripts, firmware, or other software) are flagged as malicious, infected, or suspicious by an anti-virus vendor. The Contractor shall not upload (intentionally or negligently) any virus, worm, malware, or any harmful or malicious content, component, and/or corrupted data/source code (hereinafter "virus or other malware") onto VA computer and information systems and/or networks.
If introduced (and this clause is violated), upon written request from the VA CO, the Contractor shall:
- Take all necessary action to correct the incident, to include any and all assistance to VA to eliminate the virus or other malware throughout VA's information networks, computer systems, and information systems; and
- Use commercially reasonable efforts to restore operational efficiency and remediate damages due to data loss or data integrity damage, if the virus or other malware causes a loss of operational efficiency, data loss, or damage to data integrity.

LIQUIDATED DAMAGES FOR DATA BREACH

Consistent with the requirements of 38 U.S.C. §5725, a contract may require access to sensitive personal information. If so, the Contractor is liable to VA for liquidated damages in the event of a data breach or privacy incident involving any SPI the Contractor/Subcontractor processes or maintains under this contract. However, it is the policy of VA to forgo collection of liquidated damages in the event the Contractor provides payment of actual damages in an amount determined to be adequate by the agency.

The Contractor/Subcontractor shall provide notice to VA of a security incident as set forth in the Security Incident Investigation section above. Upon such notification, VA must secure from a non-Department entity or the VA Office of Inspector General an independent risk analysis of the data breach to determine the level of risk associated with the data breach for the potential misuse of any sensitive personal information involved in the data breach. The term "data breach" means the loss, theft, or other unauthorized access, or any access other than that incidental to the scope of employment, to data containing sensitive personal information, in electronic or printed form, that results in the potential compromise of the confidentiality or integrity of the data. The Contractor shall fully cooperate with the entity performing the risk analysis.
Failure to cooperate may be deemed a material breach and grounds for contract termination. Each risk analysis shall address all relevant information concerning the data breach, including the following:
- Nature of the event (loss, theft, unauthorized access);
- Description of the event, including: date of occurrence; data elements involved, including any PII, such as full name, social security number, date of birth, home address, account number, disability code;
- Number of individuals affected or potentially affected;
- Names of individuals or groups affected or potentially affected;
- Ease of logical data access to the lost, stolen, or improperly accessed data in light of the degree of protection for the data, e.g., unencrypted, plain text;
- Amount of time the data has been out of VA control;
- The likelihood that the sensitive personal information will be or has been compromised (made accessible to and usable by unauthorized persons);
- Known misuses of data containing sensitive personal information, if any;
- Assessment of the potential harm to the affected individuals;
- Data breach analysis as outlined in VA Handbook 6500.2, Management of Breaches Involving Sensitive Personal Information, as appropriate; and
- Whether credit protection services may assist record subjects in avoiding or mitigating the results of identity theft based on the sensitive personal information that may have been compromised.
Based on the determinations of the independent risk analysis, the Contractor shall be responsible for paying to VA liquidated damages in the amount of $37.50 per affected individual to cover the cost of providing credit protection services to affected individuals, consisting of the following:
- Notification;
- One year of credit monitoring services consisting of automatic daily monitoring of at least 3 relevant credit bureau reports;
- Data breach analysis;
- Fraud resolution services, including writing dispute letters, initiating fraud alerts and credit freezes, to assist affected individuals to bring matters to resolution;
- One year of identity theft insurance with $20,000.00 coverage at $0 deductible; and
- Necessary legal expenses the subjects may incur to repair falsified or damaged credit records, histories, or financial affairs.

SECURITY CONTROLS COMPLIANCE TESTING

On a periodic basis, VA, including the Office of Inspector General, reserves the right to evaluate any or all of the security controls and privacy practices implemented by the Contractor under the clauses contained within the contract. With 10 working days' notice, at the request of the Government, the Contractor must fully cooperate and assist in a Government-sponsored security controls assessment at each location wherein VA information is processed or stored, or information systems are developed, operated, maintained, or used on behalf of VA, including those initiated by the Office of Inspector General. The Government may conduct a security control assessment on shorter notice (to include unannounced assessments) as determined by VA in the event of a security incident or at any other time.
TRAINING

All Contractor employees and Subcontractor employees requiring access to VA information and VA information systems shall complete the following before being granted access to VA information and its systems:
- Sign and acknowledge (either manually or electronically) understanding of and responsibilities for compliance with the Information Security Rules of Behavior, updated version located at https://www.voa.va.gov/DocumentView.aspx?DocumentID=4848, relating to access to VA information and information systems;
- Successfully complete the VA Privacy and Information Security Awareness and Rules of Behavior course (TMS #10176), and complete this required privacy and information security training annually;
- Successfully complete any additional cyber security or privacy training, as required for VA personnel with equivalent information system access [to be defined by the VA program official and provided to the CO for inclusion in the solicitation document, e.g., any role-based information security training required in accordance with NIST Special Publication 800-16, Information Technology Security Training Requirements].

The Contractor shall provide to the CO and/or the COR a copy of the training certificates and certification of signing the Contractor Rules of Behavior for each applicable employee within 2 days of the initiation of the contract and annually thereafter, as required.

It has been determined that protected health information (PHI) may be used, disclosed, accessed, transmitted, created, stored/maintained, and/or destroyed (providing appropriate proof of destruction in compliance with VA Directive 6371) by the Contractor, and a signed Business Associate Agreement (BAA) shall be required. The Contractor shall adhere to the requirements set forth within the BAA, referenced in the solicitation, and shall comply with all applicable VA/VHA Directives.
Once awarded, Contractor and Contracting Officer will collaborate with the appropriate Facility Privacy Officer or the VHA Privacy Office BAA team (VHABAAIssues@va.gov) to implement the appropriate BA