SOURCES SOUGHT This is a Sources Sought Synopsis (SSS) ONLY. The U.S. Government is conducting market research only to determine the availability of qualified sources capable of providing Food Service Software. Potential Contractors are invited to provide a response via e-mail to Contract Specialist at ross.byrne@va.gov by Nov 30, 2021 12:00 pm (PT). Responses will be used to determine the appropriate strategy for a potential acquisition. Please clearly identify any information your company considers sensitive or proprietary. This notice is issued solely for information and planning purposes - it does not constitute a Request for Quotation (RFQ), or a promise to issue an RFQ in the future. This notice does not commit the U.S. Government to contract for any supply or service. Further, the U.S. Government is not seeking quotes, or proposals at this time and will not accept unsolicited quotes in response to this sources sought synopsis. The U.S. Government will not pay for any information or administrative costs incurred in response to this notice. Submittals will not be returned to the responder. Not responding to this notice does not preclude participation in any future RFQ, if any is issued. BACKGROUND: The VA Puget Sound Healthcare System, Seattle Washington, has a requirement for a Contractor to provide Housing Placement Services. Please see draft Performance Work Statement for requirements. NAICS: 511210 Interested potential Contractors please provide the following. 1) Company Name, address, point of contact, phone number, email address, and DUNS Please indicate business size: Small Disadvantage Business (SDB)____ 8(a)____ Historically Underutilized Business Zone (HUBZone)____ Service-Disabled Veteran-Owned Small Business (SDVOSB)____ Veteran-Owned Small Business (VOSB)_____ Economically Disadvantaged Women-Owned Small Business (EDWOSB)_____ Women-Owned Small Business concerns (WOSB)_____ Small Business_____ Large Business_____ Federal Supply Schedule______ 2) Please submit a brief capability statement (maximum three (3) pages) with enough information to demonstrate to the Veterans Affairs that you have the resources, personnel, software, and qualifications as required in the Draft Performance Work Statement to provide the required food services software. **Draft Performance Work Statement PERFORMANCE WORK STATEMENT (PWS) DEPARTMENT OF VETERANS AFFAIRS VISN 20 Nutrition and Food Services VISN 20 Food Services Software Date: 11/2/2021 PWS Version Number: 2.0 Contents 1.0 BACKGROUND 3 2.0 APPLICABLE DOCUMENTS 3 3.0 SCOPE OF WORK 4 4.0 PERFORMANCE DETAILS 5 4.1 PERFORMANCE PERIOD 5 4.2 PLACE OF PERFORMANCE 5 4.3 SPECIFIC TASKS AND DELIVERABLES 5 5.0 SECURITY REQUIREMENTS 7 5.1 ENTERPRISE AND IT FRAMEWORK 7 5.1.1 VA TECHNICAL REFERENCE MODEL 7 5.1.2 FEDERAL IDENTITY, CREDENTIAL, AND ACCESS MANAGEMENT (FICAM) 8 5.1.3 INTERNET PROTOCOL VERSION 6 (IPV6) 9 5.1.4 TRUSTED INTERNET CONNECTION (TIC) 10 5.1.5 STANDARD COMPUTER CONFIGURATION 10 5.1.6 VETERAN FOCUSED INTEGRATION PROCESS (VIP) 10 5.1.7 PROCESS ASSET LIBRARY (PAL) 11 5.2 METHOD AND DISTRIBUTION OF DELIVERABLES 11 5.3 FACILITY/RESOURCE PROVISIONS 11 5.4 GOVERNMENT FURNISHED PROPERTY 12 6.0 PERFORMANCE METRICS 13 ADDENDUM A ADDITIONAL VA REQUIREMENTS, CONSOLIDATED 14 ADDENDUM B VA INFORMATION AND INFORMATION SYSTEM SECURITY/PRIVACY LANGUAGE 19 BACKGROUND Food services software is used for the efficient management of inventory, man-power, costs, menus, ticket generation, and nutrition tracking. There is an operational need for food services software at multiple facilities in VISN 20. APPLICABLE DOCUMENTS In the performance of the tasks associated with this Performance Work Statement, the Contractor shall comply with the following as required by this contract: 44 U.S.C. § 3541-3549, Federal Information Security Management Act (FISMA) of 2002 Federal Information Security Modernization Act of 2014 Federal Information Processing Standards (FIPS) Publication 140-2, Security Requirements For Cryptographic Modules FIPS Pub 199. Standards for Security Categorization of Federal Information and Information Systems, February 2004 FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2016 FIPS Pub 201-2, Personal Identity Verification of Federal Employees and Contractors, August 2013 VA Directive 0710, Personnel Security and Suitability Program, June 4, 2010, https://www.va.gov/vapubs/index.cfm VA Handbook 0710, Personnel Security and Suitability Program, May 2, 2016, https://www.va.gov/vapubs/index.cfm VA Directive and Handbook 6102, Internet/Intranet Services, August 5, 2019 36 C.F.R. Part 1194 Information and Communication Technology Standards and Guidelines, January 18, 2017 Office of Management and Budget (OMB) Circular A-130, Managing Federal Information as a Strategic Resource, July 28, 2016 32 C.F.R. Part 199, Civilian Health and Medical Program of the Uniformed Services (CHAMPUS) NIST SP 800-66 Rev. 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, October 2008 VA Directive 6500, VA Cybersecurity Program, January 24, 2019 VA Handbook 6500, Risk Management Framework for VA Information Systems Tier 3: VA Information Security Program, March 10, 2015 VA Handbook 6500.2, Management of Breaches Involving Sensitive Personal Information (SPI) , July 28, 2016 VA Handbook 6500.3, Assessment, Authorization, And Continuous Monitoring Of VA Information Systems, February 3, 2014 VA Handbook 6500.5, Incorporating Security and Privacy into the System Development Lifecycle , March 22, 2010 VA Handbook 6500.6, Contract Security, March 12, 2010 VA Handbook 6500.8, Information System Contingency Planning , April 6, 2011 VA Handbook 6500.11, VA Firewall Configuration , August 22, 2017 OI&T Process Asset Library (PAL), https://www.va.gov/process/ . Reference Process Maps at https://www.va.gov/process/maps.asp and Artifact templates at https://www.va.gov/process/artifacts.asp One-VA Technical Reference Model (TRM) (reference at https://www.va.gov/trm/TRMHomePage.aspx) VA Directive 6508, Implementation of Privacy Threshold Analysis and Privacy Impact Assessment, October 15, 2014 VA Handbook 6508.1, Procedures for Privacy Threshold Analysis and Privacy Impact Assessment, July 30, 2015 VA Handbook 6510, VA Identity and Access Management , January 15, 2016 VA Directive 6300, Records and Information Management, September 21, 2018 VA Handbook, 6300.1, Records Management Procedures, March 24, 2010 NIST SP 800-37 Rev 1, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, December 2018 NIST SP 800-53 Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations, January 22, 2015 SCOPE OF WORK The Contractor shall supply off the shelf Nutrition and Food Services Software for the medical centers within VISN 20. VISN 20 currently needs ongoing user-friendly software program to meet the needs of the Nutrition and Food Services Departments. The contractor shall provide both food service and clinical nutrition software using HL7 interface to connect to the CP3S system already in use within VISN 20, using Oracle database users and an application server to be centrally located. The database server accommodates multiple VISN 20 sites along with full autonomy of standardized data among several sites. If connection to the VA Network is required, it must first meet the approval of VISN 20 technical staff and be compliant with national VA regulations. This includes wireless equipment. Wireless equipment connecting to the VA Network must also be compatible with existing facility wireless technology. All wireless equipment and technology must be tested for security of information and interference with existing VA wireless systems. Set up activities as well as support services will be provided by Contractor initially and as needed for an annual fee. The Contractor subject matter expert (SME) will serve as a trusted advisor and an extension to the VISN 20 team with regards to Contractor software solutions as described in the task deliverables below. Vendor will agree to provide customized start up support in accordance with VISN 20 requirements. Support will include flow analysis, on-site days, and telephone support. The vendor will provide the minimum number of training days as outlined below. This can be increased if mutually agreed upon by VISN 20 and the vendor. Initiation or start-up support will also include file building of all files required to bring up the Nutrition and Food Service software package. VISN 20 will have the ability to customize the program to their needs and receive all future updates. PERFORMANCE DETAILS PERFORMANCE PERIOD The PoP shall be February 1, 2022 thru January 31, 2027. Each facility can exercise contracts as needed within this period. Standard contract will be base year, plus 4 option years. Base year may be partial year to account for start date to end of fiscal year (Sept 30). All option years will be consistent with federal government fiscal year, October 1 through September 30. PLACE OF PERFORMANCE Tasks under this PWS shall be performed in VA facilities located in VISN 20. Work may be performed at remote locations with prior concurrence from the Contracting Officer s Representative (COR). Electronic citrixaccess.va.gov at the following VISN sites: VA Puget Sound Health Care System | Seattle Division | 1660 S. Columbian Way | Seattle, WA 98108 VA Puget Sound Health Care System | American Lake Division | 9400 Veterans Drive | Tacoma, WA 98493 VA Portland Health Care System | Portland Division | 3710 SW US Veterans Hospital RD | Portland, OR 97239 VA Portland Sound Health Care System | Vancouver Division | 1601 E. 4th Plain Blvd | Vancouver, WA 98661 Jonathan M Wainwright VAMC | 77 Wainwright Drive | Walla Walla, WA 99362 Mann-Grandstaff VAMC | 4815 N Assembly St | Spokane, WA 99205 White City Rehabilitation Center and Clinics | 8495 Crater Lake Hwy | White City, OR 97503 Roseburg VA Medical Center | 913 Northwest Garden Valley Blvd | Roseburg, OR 97471 Boise VA Medical Center | 500 W Fort Street | Boise, ID 83702 Specific Tasks and Deliverables The Contractor will provide application software, support, oracle DBA Support (24x7x365), and extended (24x7) interface support services for all VISN 20 medical centers. The Contractor shall perform the following: Provide Programs and Modules Consistent with and as Requested by each VISN Location Individually. Each program and module will include delivery, training and implementation of the software. Program and modules available will include (but are not limited to): Food Service Operations Management (FOM) [Select + Pro] Nutrition Care Management (NCM) [Select + Pro] NCM/FOM Platinum Bedside Connect Room Service Connect Meal Choice Connect Multi-Site HL7 ADT/DO Interface HS Single Sign-On (Module) EMR Conversion Package Room Service (Module) EasyTouch Menu Selection (Module) Tray inMotion(Module + Elite) Nutrition Food Labeling (Module) TouchPoint Dining (Module) Video Display Board (Module) Merge (Module) Accounting (Module) Automated Menu Planning System (Module) Tube Feeding Interface Label Elite (Module) KDS Interface Standard Application Support and Subscription Service Food Services Software Product Updates for currently supported products Telephone Support during standard support hours for direct primary support regarding the use and operation of the software shall be provided via a toll-free 800 telephone number to customers from 3:00 a.m. to 6:00 p.m. (Pacific Time) for Nutrition Care Management and 6:00 a.m. to 6:00 p.m. (Pacific Time) for Foodservice Operations Management, Monday thru Friday, except for Thanksgiving Day (USA), Christmas Day, New Year s Day and July 4th. Web-based Customer Support Website Remote Support Accessibility via VPN Customer will call the support line #: 800-222-4458 option 1, during the hours of 3:00 a.m. 6:00 p.m. M-F / Pacific Time. Oracle DBA Remote Administration Veteran Administration (VA): This service provides remote Oracle database administration needs for food services software operations and includes 24x7x365 access to our staff of Certified Oracle DBAs. The following are offered as part of this service: Periodic performance analysis (upon request) Oracle emergency support Resolving all serious Oracle alert log messages Team Support from Professional DBAs Oracle software upgrades and migrations Backup and Recovery support Immediate response to any database emergency Same Day response to any database non-emergency Performance tuning and space optimization available on an as needed basis Access to My Oracle Support (upon request) Extensive HS Admin and HS Auto Maintenance Support Our Requirements Access to local help desk (per region) Current Oracle Technical Support Contract WebEx connection to Oracle database servers (upon request) In regard to Oracle licensing, this service can still be provided with the caveat that Contractor will not be able to contact Oracle directly. It is the responsibility of the license holder to contact Oracle, open any support tickets, and communicate any relevant information to Contractors DBA s to resolve issue Customer will call support line #: To Be Provided Enhanced 24x7 Interface Support: Interface Application Support is related to the specific features and functionality of food services software interface applications. This support level covers the actual use of the food services software application and remediation of problems that arise within the software. Update installation support is covered under this support level, as are data problem identification, and general system use. Telephone Break/Fix Support 24x7 Remote Support Accessibility via VPN Customer will call support line #: To Be Provided SECURITY REQUIREMENTS ENTERPRISE AND IT FRAMEWORK VA TECHNICAL REFERENCE MODEL The Contractor shall support the VA enterprise management framework. In association with the framework, the Contractor shall comply with OI&T Technical Reference Model (VA TRM). The VA TRM is one component within the overall Enterprise Architecture (EA) that establishes a common vocabulary and structure for describing the information technology used to develop, operate, and maintain enterprise applications. Moreover, the VA TRM, which includes the Standards Profile and Product List, serves as a technology roadmap and tool for supporting OI&T. Architecture & Engineering Services (AES) has overall responsibility for the VA TRM. FEDERAL IDENTITY, CREDENTIAL, AND ACCESS MANAGEMENT (FICAM) The Contractor shall ensure Commercial Off-The-Shelf (COTS) product(s), software configuration and customization, and/or new software are Personal Identity Verification (PIV) card-enabled by accepting HSPD-12 PIV credentials using VA Enterprise Technical Architecture (ETA), https://www.ea.oit.va.gov/EAOIT/VA_EA/Enterprise_Technical_Architecture.asp, and VA Identity and Access Management (IAM) approved enterprise design and integration patterns, https://www.oit.va.gov/library/recurring/edp/index.cfm. The Contractor shall ensure all Contractor delivered applications and systems comply with the VA Identity, Credential, and Access Management policies and guidelines set forth in the VA Handbook 6510 and align with the Federal Identity, Credential, and Access Management Roadmap and Implementation Guidance v2.0. The Contractor shall ensure all Contractor delivered applications and systems provide user authentication services compliant with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-63-3, VA Handbook 6500 Appendix F, VA System Security Controls , and VA IAM enterprise requirements for direct, assertion based authentication, and/or trust based authentication, as determined by the design and integration patterns. Direct authentication at a minimum must include Public Key Infrastructure (PKI) based authentication supportive of PIV card and/or Common Access Card (CAC), as determined by the business need. The Contractor shall ensure all Contractor delivered applications and systems conform to the specific Identity and Access Management PIV requirements set forth in the Office of Management and Budget (OMB) Memoranda M-04-04, M-05-24, M-11-11, and NIST Federal Information Processing Standard (FIPS) 201-2. OMB Memoranda M-04-04, M-05-24, and M-11-11 can be found at: https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/omb/memoranda/fy04/m04-04.pdf, https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/omb/memoranda/fy2005/m05-24.pdf, and https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2011/m11-11.pdf respectively. Contractor delivered applications and systems shall be on the FIPS 201-2 Approved Product List (APL). If the Contractor delivered application and system is not on the APL, the Contractor shall be responsible for taking the application and system through the FIPS 201 Evaluation Program. The Contractor shall ensure all Contractor delivered applications and systems support: Automated provisioning and are able to use enterprise provisioning service. Interfacing with VA s Master Veteran Index (MVI) to provision identity attributes, if the solution relies on VA user identities. MVI is the authoritative source for VA user identity data. The VA defined unique identity (Secure Identifier [SEC ID] / Integrated Control Number [ICN]). Multiple authenticators for a given identity and authenticators at every Authenticator Assurance Level (AAL) appropriate for the solution. Identity proofing for each Identity Assurance Level (IAL) appropriate for the solution. Federation for each Federation Assurance Level (FAL) appropriate for the solution, if applicable. Two-factor authentication (2FA) through an applicable design pattern as outlined in VA Enterprise Design Patterns. A Security Assertion Markup Language (SAML) implementation if the solution relies on assertion based authentication. Additional assertion implementations, besides the required SAML assertion, may be provided as long as they are compliant with NIST SP 800-63-3 guidelines. Authentication/account binding based on trusted Hypertext Transfer Protocol (HTTP) headers if the solution relies on Trust based authentication. Role Based Access Control. Auditing and reporting capabilities. Compliance with VIEWS 00155984, PIV Logical Access Policy Clarification https://www.voa.va.gov/DocumentView.aspx?DocumentID=4896. The required Assurance Levels for this specific effort are Identity Assurance Level 3, Authenticator Assurance Level 3, and Federation Assurance Level 3. INTERNET PROTOCOL VERSION 6 (IPV6) The Contractor solution shall support the latest Internet Protocol Version 6 (IPv6) based upon the directives issued by the Office of Management and Budget (OMB) on August 2, 2005 (https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/omb/memoranda/fy2005/m05-22.pdf) and September 28, 2010 (https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/egov_docs/transition-to-ipv6.pdf). IPv6 technology, in accordance with the USGv6 Profile, NIST Special Publication (SP) 500-267 (https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication500-267.pdf), the Technical Infrastructure for USGv6 Adoption (https://www.nist.gov/programs-projects/usgv6-program), and the NIST SP 800 series applicable compliance (https://csrc.nist.gov/publications/sp) shall be included in all IT infrastructures, application designs, application development, operational systems and sub-systems, and their integration. In addition to the above requirements, all devices shall support native IPv6 and/or dual stack (IPv6 / IPv4) connectivity without additional memory or other resources being provided by the Government, so that they can function in a mixed environment. All public/external facing servers and services (e.g. web, email, DNS, ISP services, etc.) shall support native IPv6 and/or dual stack (IPv6/ IPv4) users and all internal infrastructure and applications shall communicate using native IPv6 and/or dual stack (IPv6/ IPv4) operations. Guidance and support of improved methodologies which ensure interoperability with legacy protocol and services in dual stack solutions, in addition to OMB/VA memoranda, can be found at: https://www.voa.va.gov/documentlistpublic.aspx?NodeID=282. TRUSTED INTERNET CONNECTION (TIC) The Contractor solution shall meet the requirements outlined in Office of Management and Budget Memorandum M08-05 mandating Trusted Internet Connections (TIC) (https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/omb/memoranda/fy2008/m08-05.pdf), M08-23 mandating Domain Name System Security (NSSEC) (https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/omb/memoranda/fy2008/m08-23.pdf), and shall comply with the Trusted Internet Connections (TIC) Reference Architecture Document, Version 2.0 https://www.dhs.gov/sites/default/files/publications/TIC_Ref_Arch_v2.2_2017.pdf. STANDARD COMPUTER CONFIGURATION The Contractor IT end user solution that is developed for use on standard VA computers shall be compatible with and be supported on the standard VA operating system, currently Windows 10 (64bit), Internet Explorer 11 and Office 365 ProPlus. Applications delivered to VA and intended to be deployed to Windows 10 workstations shall be delivered as a signed .msi package with switches for silent and unattended installation and updates shall be delivered in signed .msp file formats for easy deployment using System Center Configuration Manager (SCCM) VA s current desktop application deployment tool. Signing of the software code shall be through a vendor provided certificate that is trusted by VA using a code signing authority such as Verizon/Cybertrust or Symantec/VeriSign. The Contractor shall also ensure and certify that their solution functions as expected when used from a standard VA computer, with non-admin, standard user rights that have been configured using the United States Government Configuration Baseline (USGCB) and Defense Information Systems Agency (DISA) Secure Technical Implementation Guide (STIG) specific to the particular client operating system being used. VETERAN FOCUSED INTEGRATION PROCESS (VIP) The Contractor shall support VA efforts IAW the Veteran Focused Integration Process (VIP). VIP is a Lean-Agile framework that services the interest of Veterans through the efficient streamlining of activities that occur within the enterprise. The VIP Guide can be found at https://www.voa.va.gov/DocumentView.aspx?DocumentID=4371. The VIP framework creates an environment delivering more frequent releases through a deeper application of Agile practices. In parallel with a single integrated release process, VIP will increase cross-organizational and business stakeholder engagement, provide greater visibility into projects, increase Agile adoption and institute a predictive delivery cadence. VIP is now the single authoritative process that IT projects must follow to ensure development and delivery of IT products PROCESS ASSET LIBRARY (PAL) The Contractor shall perform their duties consistent with the processes defined in the OIT Process Asset Library (PAL).  The PAL scope includes the full spectrum of OIT functions and activities, such as VIP project management, operations, service delivery, communications, acquisition, and resource management. PAL serves as an authoritative and informative repository of searchable processes, activities or tasks, roles, artifacts, tools and applicable standards and guides to assist the OIT workforce, Government and Contractor personnel. The Contractor shall follow the PAL processes to ensure compliance with policies and regulations and to meet VA quality standards.  The PAL includes the contractor onboarding process consistent with Section 6.2.2 and can be found at https://www.va.gov/PROCESS/artifacts/maps/process_CONB_ext.pdf. The main PAL can be accessed at www.va.gov/process. METHOD AND DISTRIBUTION OF DELIVERABLES The Contractor shall deliver documentation in electronic format, unless otherwise directed in Section B of the solicitation/contract FACILITY/RESOURCE PROVISIONS The Government will provide office space, telephone service and system access when authorized contract staff work at a Government location as required in order to accomplish the Tasks associated with this PWS. All procedural guides, reference materials, and program documentation for the project and other Government applications will also be provided on an as-needed basis. The Contractor shall request other Government documentation deemed pertinent to the work accomplishment directly from the Government officials with whom the Contractor has contact. The Contractor shall consider the COR as the final source for needed Government documentation when the Contractor fails to secure the documents by other means. The Contractor is expected to use common knowledge and resourcefulness in securing all other reference materials, standard industry publications, and related materials that are pertinent to the work. VA may provide remote access to VA specific systems/network in accordance with VA Handbook 6500, which requires the use of a VA approved method to connect external equipment/systems to VA s network. Citrix Access Gateway (CAG) is the current and only VA approved method for remote access users when using or manipulating VA information for official VA Business. VA permits CAG remote access through approved Personally Owned Equipment (POE) and Other Equipment (OE) provided the equipment meets all applicable 6500 Handbook requirements for POE/OE. All of the security controls required for Government furnished equipment (GFE) must be utilized in approved POE or OE. The Contractor shall provide proof to the COR for review and approval that their POE or OE meets the VA Handbook 6500 requirements and VA Handbook 6500.6 Appendix C, herein incorporated as Addendum B, before use. CAG authorized users shall not be permitted to copy, print or save any VA information accessed via CAG at any time. VA prohibits remote access to VA s network from non-North Atlantic Treaty Organization (NATO) countries. The exception to this are countries where VA has approved operations established (e.g. Philippines and South Korea). Exceptions are determined by the COR in coordination with the Information Security Officer (ISO) and Privacy Officer (PO). This remote access may provide access to VA specific software such as Veterans Health Information System and Technology Architecture (VistA), ClearQuest, PAL, Primavera, and Remedy, including appropriate seat management and user licenses, depending upon the level of access granted. The Contractor shall utilize government-provided software development and test accounts, document and requirements repositories, etc. as required for the development, storage, maintenance and delivery of products within the scope of this effort. The Contractor shall not transmit, store or otherwise maintain sensitive data or products in Contractor systems (or media) within the VA firewall IAW VA Handbook 6500.6 dated March 12, 2010. All VA sensitive information shall be protected at all times in accordance with VA Handbook 6500, local security field office System Security Plans (SSP s) and Authority to Operate (ATO) s for all systems/LAN s accessed while performing the tasks detailed in this PWS. The Contractor shall ensure all work is performed in countries deemed not to pose a significant security risk. For detailed Security and Privacy Requirements (additional requirements of the contract consolidated into an addendum for easy reference) refer to ADDENDUM A ADDITIONAL VA REQUIREMENTS, CONSOLIDATED and ADDENDUM B - VA INFORMATION AND INFORMATION SYSTEM SECURITY/PRIVACY LANGUAGE. GOVERNMENT FURNISHED PROPERTY The Government has multiple remote access solutions available to include Citrix Access Gateway (CAG), Site-to-Site Virtual Private Network (VPN), and RESCUE VPN. The Government provides all existing hardware Application / database servers, Workstations (PCs) and peripheral devices. PERFORMANCE METRICS The table below defines the Performance Standards and Acceptable Levels of Performance associated with this effort. Performance Objective Performance Standard Acceptable Levels of Performance Technical / Quality of Product or Service Demonstrates understanding of requirements Efficient and effective in meeting requirements Meets technical needs and mission requirements Provides quality services/products Satisfactory or higher Project Milestones and Schedule Established milestones and project dates are met Products completed, reviewed, delivered in accordance with the established schedule Notifies customer in advance of potential problems Satisfactory or higher Cost & Staffing Currency of expertise and staffing levels appropriate to perform tasks required Personnel possess necessary knowledge, skills and abilities to perform tasks Satisfactory or higher Management Integration and coordination of all activities to execute effort Satisfactory or higher The COR will utilize a Quality Assurance Surveillance Plan (QASP) throughout the life of the contract to ensure that the Contractor is performing the services required by this PWS in an acceptable level of performance. The Government reserves the right to alter or change the surveillance methods in the QASP at its own discretion. ADDENDUM A ADDITIONAL VA REQUIREMENTS, CONSOLIDATED Cyber and Information Security Requirements for VA IT Services The Contractor shall ensure adequate LAN/Internet, data, information, and system security in accordance with VA standard operating procedures and standard PWS language, conditions, laws, and regulations. The Contractor s firewall and web server shall meet or exceed VA minimum requirements for security. All VA data shall be protected behind an approved firewall. Any security violations or attempted violations shall be reported to the VA Program Manager and VA Information Security Officer as soon as possible. The Contractor shall follow all applicable VA policies and procedures governing information security, especially those that pertain to certification and accreditation. Contractor supplied equipment, PCs of all types, equipment with hard drives, etc. for contract services must meet all security requirements that apply to Government Furnished Equipment (GFE) and Government Owned Equipment (GOE). Security Requirements include: a) VA Approved Encryption Software must be installed on all laptops or mobile devices before placed into operation, b) Bluetooth equipped devices are prohibited within VA; Bluetooth must be permanently disabled or removed from the device, unless the connection uses FIPS 140-2 (or its successor) validated encryption, c) VA approved anti-virus and firewall software, d) Equipment must meet all VA sanitization requirements and procedures before disposal. The COR, CO, the PM, and the Information Security Officer (ISO) must be notified and verify all security requirements have been adhered to. Each documented initiative under this contract incorporates VA Handbook 6500.6, Contract Security, March 12, 2010 by reference as though fully set forth therein. The VA Handbook 6500.6, Contract Security shall also be included in every related agreement, contract or order. The VA Handbook 6500.6, Appendix C, is included in this document as Addendum B. Training requirements: The Contractor shall complete all mandatory training courses on the current VA training site, the VA Talent Management System (TMS) 2.0, and will be tracked therein. The TMS 2.0 may be accessed at https://www.tms.va.gov/SecureAuth35/ . If you do not have a TMS 2.0 profile, go to https://www.tms.va.gov/SecureAuth35/ and click on the Create New User link on the TMS 2.0 to gain access. Contractor employees shall complete a VA Systems Access Agreement if they are provided access privileges as an authorized user of the computer system of VA. VA Enterprise Architecture Compliance The applications, supplies, and services furnished under this contract must comply with VA Enterprise Architecture (EA), available at http://www.ea.oit.va.gov/index.asp in force at the time of issuance of this contract, including the Program Management Plan and VA's rules, standards, and guidelines in the Technical Reference Model/Standards Profile (TRMSP). VA reserves the right to assess contract deliverables for EA compliance prior to acceptance. VA Internet and Intranet Standards The Contractor shall adhere to and comply with VA Directive 6102 and VA Handbook 6102, Internet/Intranet Services, including applicable amendments and changes, if the Contractor s work includes managing, maintaining, establishing and presenting information on VA s Internet/Intranet Service Sites. This pertains, but is not limited to: creating announcements; collecting information; databases to be accessed, graphics and links to external sites. Internet/Intranet Services Directive 6102 is posted at (copy and paste the following URL to browser): https://www.va.gov/vapubs/viewPublication.asp?Pub_ID=1056&FType=2 Internet/Intranet Services Handbook 6102 is posted at (copy and paste following URL to browser): https://www.va.gov/vapubs/viewPublication.asp?Pub_ID=1055&FType=2 Notice of the Federal Accessibility Law Affecting All Information and Communication Technology (ICT) Procurements (Section 508) On January 18, 2017, the Architectural and Transportation Barriers Compliance Board (Access Board) revised and updated, in a single rulemaking, standards for electronic and information technology developed, procured, maintained, or used by Federal agencies covered by Section 508 of the Rehabilitation Act of 1973, as well as our guidelines for telecommunications equipment and customer premises equipment covered by Section 255 of the Communications Act of 1934. The revisions and updates to the Section 508-based standards and Section 255-based guidelines are intended to ensure that information and communication technology (ICT) covered by the respective statutes is accessible to and usable by individuals with disabilities. Section 508 Information and Communication Technology (ICT) Standards The Section 508 standards established by the Access Board are incorporated into, and made part of all VA orders, solicitations and purchase orders developed to procure ICT. These standards are found in their entirety at: https://www.access-board.gov/guidelines-and-standards/communications-and-it/about-the-ict-refresh/final-rule/text-of-the-standards-and-guidelines. A printed copy of the standards will be supplied upon request. Federal agencies must comply with the updated Section 508 Standards beginning on January 18, 2018. The Final Rule as published in the Federal Register is available from the Access Board: https://www.access-board.gov/guidelines-and-standards/communications-and-it/about-the-ict-refresh/final-rule. The Contractor shall comply with 508 Chapter 2: Scoping Requirements for all electronic ICT and content delivered under this contract. Specifically, as appropriate for the technology and its functionality, the Contractor shall comply with the technical standards marked here: E205 Electronic Content (Accessibility Standard -WCAG 2.0 Level A and AA Guidelines) E204 Functional Performance Criteria E206 Hardware Requirements E207 Software Requirements E208 Support Documentation and Services Requirements Compatibility with Assistive Technology The standards do not require installation of specific accessibility-related software or attachment of an assistive technology device. Section 508 requires that ICT be compatible with such software and devices so that ICT can be accessible to and usable by individuals using assistive technology, including but not limited to screen readers, screen magnifiers, and speech recognition software. Acceptance and Acceptance Testing Deliverables resulting from this solicitation will be accepted based in part on satisfaction of the Section 508 Chapter 2: Scoping Requirements standards identified above. The Government reserves the right to test for Section 508 Compliance before delivery. The Contractor shall be able to demonstrate Section 508 Compliance upon delivery. Physical Security & Safety Requirements: The Contractor and their personnel shall follow all VA policies, standard operating procedures, applicable laws and regulations while on VA property. Violations of VA regulations and policies may result in citation and disciplinary measures for persons violating the law. The Contractor and their personnel shall wear visible identification at all times while they are on the premises. VA does not provide parking spaces at the work site; the Contractor must obtain parking at the work site if needed. It is the responsibility of the Contractor to park in the appropriate designated parking areas. VA will not invalidate or make reimbursement for parking violations of the Contractor under any conditions. Smoking is prohibited inside/outside any building other than the designated smoking areas. Possession of weapons is prohibited. The Contractor shall obtain all necessary licenses and/or permits required to perform the work, with the exception of software licenses that need to be procured from a Contractor or vendor in accordance with the requirements document. The Contractor shall take all reasonable precautions necessary to protect persons and property from injury or damage during the performance of this contract. Confidentiality and Non-Disclosure The Contractor shall follow all VA rules and regulations regarding information security to prevent disclosure of sensitive information to unauthorized individuals or organizations. The Contractor may have access to Protected Health Information (PHI) and Electronic Protected Health Information (EPHI) that is subject to protection under the regulations issued by the Department of Health and Human Services, as mandated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA); 45 CFR Parts 160 and 164, Subparts A and E, the Standards for Privacy of Individually Identifiable Health Information ( Privacy Rule ); and 45 CFR Parts 160 and 164, Subparts A and C, the Security Standard ( Security Rule ). Pursuant to the Privacy and Security Rules, the Contractor must agree in writing to certain mandatory provisions regarding the use and disclosure of PHI and EPHI.  The Contractor will have access to some privileged and confidential materials of VA. These printed and electronic documents are for internal use only, are not to be copied or released without permission, and remain the sole property of VA. Some of these materials are protected by the Privacy Act of 1974 (revised by PL 93-5791) and Title 38. Unauthorized disclosure of Privacy Act or Title 38 covered materials is a criminal offense. The VA CO will be the sole authorized official to release in writing, any data, draft deliverables, final deliverables, or any other written or printed materials pertaining to this contract. The Contractor shall release no information. Any request for information relating to this contract presented to the Contractor shall be submitted to the VA CO for response. Contractor personnel recognize that in the performance of this effort, Contractor personnel may receive or have access to sensitive information, including information provided on a proprietary basis by carriers, equipment manufacturers and other private or public entities. Contractor personnel agree to safeguard such information and use the information exclusively in the performance of this contract. Contractor shall follow all VA rules and regulations regarding information security to prevent disclosure of sensitive information to unauthorized individuals or organizations as enumerated in this section and elsewhere in this Contract and its subparts and appendices. Contractor shall limit access to the minimum number of personnel necessary for contract performance for all information considered sensitive or proprietary in nature. If the Contractor is uncertain of the sensitivity of any information obtained during the performance this contract, the Contractor has a responsibility to ask the VA CO. Contractor shall train all of their employees involved in the performance of this contract on their roles and responsibilities for proper handling and nondisclosure of sensitive VA or proprietary information. Contractor personnel shall not engage in any other action, venture or employment wherein sensitive information shall be used for the profit of any party other than those furnishing the information. The sensitive information transferred, generated, transmitted, or stored herein is for VA benefit and ownership alone. Contractor shall maintain physical security at all facilities housing the activities performed under this contract, including any Contractor facilities according to VA-approved guidelines and directives. The Contractor shall ensure that security procedures are defined and enforced to ensure all personnel who are provided access to patient data must comply with published procedures to protect the privacy and confidentiality of such information as required by VA. Contractor must adhere to the following: The use of thumb drives or any other medium for transport of information is expressly prohibited. Controlled access to system and security software and documentation. Recording, monitoring, and control of passwords and privileges. All terminated personnel are denied physical and electronic access to all data, program listings, data processing equipment and systems. VA, as well as any Contractor (or Subcontractor) systems used to support development, provide the capability to cancel immediately all access privileges and authorizations upon employee termination. Contractor PM and VA PM are informed within twenty-four (24) hours of any employee termination. Acquisition sensitive information shall be marked "Acquisition Sensitive" and shall be handled as "For Official Use Only (FOUO)". Contractor does not require access to classified data. Regulatory standard of conduct governs all personnel directly and indirectly involved in procurements. All personnel engaged in procurement and related activities shall conduct business in a manner above reproach and, except as authorized by statute or regulation, with complete impartiality and with preferential treatment for none. The general rule is to strictly avoid any conflict of interest or even the appearance of a conflict of interest in VA/Contractor relationships. VA Form 0752 shall be completed by all Contractor employees working on this contract, and shall be provided to the CO before any work is performed. In the case that Contractor personnel are replaced in the future, their replacements shall complete VA Form 0752 prior to beginning work. ADDENDUM B VA INFORMATION AND INFORMATION SYSTEM SECURITY/PRIVACY LANGUAGE APPLICABLE PARAGRAPHS TAILORED FROM: THE VA INFORMATION AND INFORMATION SYSTEM SECURITY/PRIVACY LANGUAGE, VA HANDBOOK 6500.6, APPENDIX C, MARCH 12, 2010 GENERAL Contractors, Contractor personnel, Subcontractors, and Subcontractor personnel shall be subject to the same Federal laws, regulations, standards, and VA Directives and Handbooks as VA and VA personnel regarding information and information system security. ACCESS TO VA INFORMATION AND VA INFORMATION SYSTEMS A Contractor/Subcontractor shall request logical (technical) or physical access to VA information and VA information systems for their employees, Subcontractors, and affiliates only to the extent necessary to perform the services specified in the contract, agreement, or task order. All Contractors, Subcontractors, and third-party servicers and associates working with VA information are subject to the same investigative requirements as those of VA appointees or employees who have access to the same types of information. The level and process of background security investigations for Contractors must be in accordance with VA Directive and Handbook 0710, Personnel Suitability and Security Program. The Office for Operations, Security, and Preparedness is responsible for these policies and procedures. Contract personnel who require access to national security programs must have a valid security clearance. National Industrial Security Program (NISP) was established by Executive Order 12829 to ensure that cleared U.S. defense industry contract personnel safeguard the classified information in their possession while performing work on contracts, programs, bids, or research and development efforts. The Department of Veterans Affairs does not have a Memorandum of Agreement with Defense Security Service (DSS). Verification of a Security Clearance must be processed through the Special Security Officer located in the Planning and National Security Service within the Office of Operations, Security, and Preparedness. Custom software development and outsourced operations must be located in the U.S. to the maximum extent practical. If such services are proposed to be performed abroad and are not disallowed by other VA policy or mandates (e.g. Business Associate Agreement, Section 3G), the Contractor/Subcontractor must state where all non-U.S. services are provided and detail a security plan, deemed to be acceptable by VA, specifically to address mitigation of the resulting problems of communication, control, data protection, and so forth. Location within the U.S. may be an evaluation factor. The Contractor or Subcontractor must notify the CO immediately when an employee working on a VA system or with access to VA information is reassigned or leaves the Contractor or Subcontractor s employ. The CO must also be notified immediately by the Contractor or Subcontractor prior to an unfriendly termination. VA INFORMATION CUSTODIAL LANGUAGE Information made available to the Contractor or Subcontractor by VA for the performance or administration of this contract or information developed by the Contractor/Subcontractor in performance or administration of the contract shall be used only for those purposes and shall not be used in any other way without the prior written agreement of VA. This clause expressly limits the Contractor/Subcontractor's rights to use data as described in Rights in Data - General, FAR 52.227-14(d) (1). VA information should not be co-mingled, if possible, with any other data on the Contractors/Subcontractor s information systems or media storage systems in order to ensure VA requirements related to data protection and media sanitization can be met. If co-mingling must be allowed to meet the requirements of the business need, the Contractor must ensure that VA information is returned to VA or destroyed in accordance with VA s sanitization requirements. VA reserves the right to conduct on site inspections of Contractor and Subcontractor IT resources to ensure data security controls, separation of data and job duties, and destruction/media sanitization procedures are in compliance with VA directive requirements. Prior to termination or completion of this contract, Contractor/Subcontractor must not destroy information received from VA, or gathered/created by the Contractor in the course of performing this contract without prior written approval by VA. Any data destruction done on behalf of VA by a Contractor/Subcontractor must be done in accordance with National Archives and Records Administration (NARA) requirements as outlined in VA Directive 6300, Records and Information Management and its Handbook 6300.1 Records Management Procedures, applicable VA Records Control Schedules, and VA Handbook 6500.1, Electronic Media Sanitization. Self-certification by the Contractor that the data destruction requirements above have been met must be sent to the VA CO within 30 days of termination of the contract. The Contractor/Subcontractor must receive, gather, store, back up, maintain, use, disclose and dispose of VA information only in compliance with the terms of the contract and applicable Federal and VA information confidentiality and security laws, regulations and policies. If Federal or VA information confidentiality and security laws, regulations and policies become applicable to VA information or information systems after execution of the contract, or if NIST issues or updates applicable FIPS or Special Publications (SP) after execution of this contract, the parties agree to negotiate in good faith to implement the information confidentiality and security laws, regulations and policies in this contract. The Contractor/Subcontractor shall not make copies of VA information except as authorized and necessary to perform the terms of the agreement or to preserve electronic information stored on Contractor/Subcontractor electronic storage media for restoration in case any electronic equipment or data used by the Contractor/Subcontractor needs to be restored to an operating state. If copies are made for restoration purposes, after the restoration is complete, the copies must be appropriately destroyed. If VA determines that the Contractor has violated any of the information confidentiality, privacy, and security provisions of the contract, it shall be sufficient grounds for VA to withhold payment to the Contractor or third party or terminate the contract for default or terminate for cause under Federal Acquisition Regulation (FAR) part 12. If a VHA contract is terminated for cause, the associated Business Associate Agreement (BAA) must also be terminated and appropriate actions taken in accordance with VHA Handbook 1600.05, Business Associate Agreements. Absent an agreement to use or disclose protected health information, there is no business associate relationship. The Contractor/Subcontractor must store, transport, or transmit VA sensitive information in an encrypted form, using VA-approved encryption tools that are, at a minimum, FIPS 140-2 validated. The Contractor/Subcontractor s firewall and Web services security controls, if applicable, shall meet or exceed VA minimum requirements. VA Configuration Guidelines are available upon request. Except for uses and disclosures of VA information authorized by this contract for performance of the contract, the Contractor/Subcontractor may use and disclose VA information only in two other situations: (i) in response to a qualifying order of a court of competent jurisdiction, or (ii) with VA prior written approval. The Contractor/Subcontractor must refer all requests for, demands for production of, or inquiries about, VA information and information systems to the VA CO for response. Notwithstanding the provision above, the Contractor/Subcontractor shall not release VA records protected by Title 38 U.S.C. 5705, confidentiality of medical quality assurance records and/or Title 38 U.S.C. 7332, confidentiality of certain health records pertaining to drug addiction, sickle cell anemia, alcoholism or alcohol abuse, or infection with human immunodeficiency virus. If the Contractor/Subcontractor is in receipt of a court order or other requests for the above mentioned information, that Contractor/Subcontractor shall immediately refer such court orders or other requests to the VA CO for response. For service that involves the storage, generating, transmitting, or exchanging of VA sensitive information but does not require Assessment and Authorization (A&A) or a Memorandum of Understanding-Interconnection Security Agreement (MOU-ISA) for system interconnection, the Contractor/Subcontractor must complete a Contractor Security Control Assessment (CSCA) on a yearly basis and provide it to the COR. INFORMATION SYSTEM DESIGN AND DEVELOPMENT N/A INFORMATION SYSTEM HOSTING, OPERATION, MAINTENANCE, OR USE N/A SECURITY INCIDENT INVESTIGATION The term security incident means an event that has, or could have, resulted in unauthorized access to, loss or damage to VA assets, or sensitive information, or an action that breaches VA security procedures. The Contractor/Subcontractor shall immediately notify the COR and simultaneously, the designated ISO and Privacy Officer for the contract of any known or suspected security/privacy incidents, or any unauthorized disclosure of sensitive information, including that contained in system(s) to which the Contractor/Subcontractor has access. To the extent known by the Contractor/Subcontractor, the Contractor/Subcontractor s notice to VA shall identify the information involved, the circumstances surrounding the incident (including to whom, how, when, and where the VA information or assets were placed at risk or compromised), and any other information that the Contractor/Subcontractor considers relevant. With respect to unsecured protected health information, the business associate is deemed to have discovered a data breach when the business associate knew or should have known of a breach of such information. Upon discovery, the business associate must notify the covered entity of the breach. Notifications need to be made in accordance with the executed business associate agreement. In instances of theft or break-in or other criminal activity, the Contractor/Subcontractor must concurrently report the incident to the appropriate law enforcement entity (or entities) of jurisdiction, including the VA OIG and Security and Law Enforcement. The Contractor, its employees, and its Subcontractors and their employees shall cooperate with VA and any law enforcement authority responsible for the investigation and prosecution of any possible criminal law violation(s) associated with any incident. The Contractor/Subcontractor shall cooperate with VA in any civil litigation to recover VA information, obtain monetary or other compensation from a third party for damages arising from any incident, or obtain injunctive relief against any third party arising from, or related to, the incident. LIQUIDATED DAMAGES FOR DATA BREACH Consistent with the requirements of 38 U.S.C. §5725, a contract may require access to sensitive personal information. If so, the Contractor is liable to VA for liquidated damages in the event of a data breach or privacy incident involving any SPI the Contractor/Subcontractor processes or maintains under this contract. However, it is the policy of VA to forgo collection of liquidated damages in the event the Contractor provides payment of actual damages in an amount determined to be adequate by the agency. The Contractor/Subcontractor shall provide notice to VA of a security incident as set forth in the Security Incident Investigation section above. Upon such notification, VA must secure from a non-Department entity or the VA Office of Inspector General an independent risk analysis of the data breach to determine the level of risk associated with the data breach for the potential misuse of any sensitive personal information involved in the data breach. The term 'data breach' means the loss, theft, or other unauthorized access, or any access other than that incidental to the scope of employment, to data containing sensitive personal information, in electronic or printed form, that results in the potential compromise of the confidentiality or integrity of the data. Contractor shall fully cooperate with the entity performing the risk analysis. Failure to cooperate may be deemed a material breach and grounds for contract termination. Each risk analysis shall address all relevant information concerning the data breach, including the following: Nature of the event (loss, theft, unauthorized access); Description of the event, including: date of occurrence; data elements involved, including any PII, such as full name, social security number, date of birth, home address, account number, disability code; Number of individuals affected or potentially affected; Names of individuals or groups affected or potentially affected; Ease of logical data access to the lost, stolen or improperly accessed data in light of the degree of protection for the data, e.g., unencrypted, plain text; Amount of time the data has been out of VA control; The likelihood that the sensitive personal information will or has been compromised (made accessible to and usable by unauthorized persons); Known misuses of data containing sensitive personal information, if any; Assessment of the potential harm to the affected individuals; Data breach analysis as outlined in 6500.2 Handbook, Management of Breaches Involving Sensitive Personal Information, as appropriate; and Whether credit protection services may assist record subjects in avoiding or mitigating the results of identity theft based on the sensitive personal information that may have been compromised. Based on the determinations of the independent risk analysis, the Contractor shall be responsible for paying to VA liquidated damages in the amount of $37.50 per affected individual to cover the cost of providing credit protection services to affected individuals consisting of the following: Notification; One year of credit monitoring services consisting of automatic daily monitoring of at least 3 relevant credit bureau reports; Data breach analysis; Fraud resolution services, including writing dispute letters, initiating fraud alerts and credit freezes, to assist affected individuals to bring matters to resolution; One year of identity theft insurance with $20,000.00 coverage at $0 deductible; and Necessary legal expenses the subjects may incur to repair falsified or damaged credit records, histories, or financial affairs. SECURITY CONTROLS COMPLIANCE TESTING N/A
