This is a SOURCES SOUGHT for the Asheville VA Medical Center. Information collected during this Sources Sought may be used in a set aside. If a solicitation is issued, the Government will do so in accordance with Federal Acquisition Circular (FAC) 2022-04. The North American Industry Classification System (NAICS) number is 339112. The NAICS size is 1,000 employees. Any contractor that believes they are capable and desires to claim preference for small business status must be registered with the SBA at http://web.sba.gov/pro-net/ and meet the requirements of FAR 19.102. Any contractor that believes they are capable and desires to claim preference for veteran owned small business status must be registered with the VIP at https://vetbiz.va.gov/ as an SDVOSB or VOSB. A Contractor that proposes to provide a supply that is not manufactured by their organization (nonmanufacturer) shall meet the requirements of FAR 19.102(f). Contractors that deem themselves capable of meeting the requirement shall provide the below information to, Contract Specialist John Harmsen at john.harmsen@va.gov no-later-than Friday, July 15, 2022, at 2:00PM, EST, referencing 36C24622Q0798. Responses shall include: (1) Business Name and Address, (2) GSA/FSS/NAC Contract Number, if applicable (3) Point of Contact Name, Phone Number and E-mail Address (4) SAM # and NAICS code (5) Business Size SMALL or LARGE (6) Type of Business: service disabled veteran owned, veteran owned small business, 8a, HUBZone, woman-owned, etc. (7) A concern that is not a manufacturer of the supply shall provide the manufacturers name and size standard. If the concern is the manufacturer and the sole distributor, please provide documentation to that effect. Contractor must be registered with https://www.sam.gov. To be considered SDVOSB/VOSB, must be registered in VIP http://web.sba.gov/pro-net/ Supplies are to include only a Trade Agreements Act, Free Trade Agreement Act or other covered trades act and Buy America Act compliant items. Items that are not TAA/BAA compliant must be clearly identified by the Contractor should the contractor choose to offer a quote if a RFQ is published. FOB is Destination. Delivery is to: Asheville VAMC, 1100 Tunnel Rd, Asheville, NC 28805. PAR Excellence Weight-Based Inventory Management System WESTER NORTH CAROLINA VA HEALTHCARE SYSTEM CHARLES GEORGE VA MEDICAL CENTER STATEMENT OF WORK 1.0 Background Veterans Health Administration (VHA) directive 1761(1), dated October 24, 2016, provides policy, mandatory procedures, and operational requirements for implementing an effective Supply Chain Management (SCM) program at Department of Veterans Affairs (VA) medical facilities, Community Based Outpatient Clinics (CBOCs)/Outpatient Clinics (OPCs), Health Care Centers (HHCs) and Consolidated Mail Outpatient Pharmacies (CMOPs). The Generic Inventory Package (GIP) is the current software being utilized for inventory management of expendable supplies. It is used to manage the receipt, distribution, and maintenance of stock items received for the supply warehouse from outside vendors and distributed to primary inventory points. SCM staff are tasked with ensuring the physical inventory count of stocked supplies matches the inventory system on hand value, eliminating excess inventory, and purchasing supplies in appropriate quantities and at appropriate intervals to avoid shortages. Considerable time and effort are required to monitor the distribution of expendable supplies in primary and secondary inventory/distribution points. Current processes require a SCM staff member to physically report to primary and secondary inventory/distribution points, count/scan expendable supplies and enter a distribution order to replenish stocks. Staffing levels, space constraints and rate of use determine frequency of visits to the primary secondary inventory/distribution points. Human error is the leading cause inventory mismatches, inaccurate data, and stock outs. Stock outs can cause medical procedures to be delayed or canceled. The Charles George VA Medical Center (CGVAMC) intends to acquire a weight-based automated inventory management system to alleviate inventory overages, shortages, and other issues caused by an unautomated process. System is needed to assist Supply Chain Management (SCM) staff with the management of expendable supplies in all primary and secondary distribution points. The CGVAMC lacks the appropriate SCM personnel to operate other types of inventory management systems other than weight based. Because the weight-based system, once established, requires the least amount of human inventory management it is the correct solution for the facility s need based on staffing levels and the volume of commodity items passing through the system. A weight-based system shall seamlessly log the inflow and outflow of supplies and disposables to maximize supply readiness, eliminate double ordering and ensure demand satisfaction. The implementation of such a system will reduce waste and increase the efficiency of the supply chain at all CGVAMC facilities. 1.0 SCOPE Deliver a turn-key weight based automated inventory management system to the CGVAMC facilities to assist SCM staff with the management of expendable supplies in all primary and secondary distribution points. Therefore, the Government will establish a firm, fixed-price, contract for a turn-key weight based automated inventory management system. OBJECTIVE The objective of this contract is to acquire, install, setup & configure the system, and provide operator training for SCM staff. 2.1 This contract is all-inclusive. Prospective offerors should read the requirements carefully to ensure a complete understanding of the contract requirements to ensure their proposal includes all expenses and costs associated with performance related to the contract, including but not limited to travel, per diem, tools & equipment required for installation, transportation, and incidentals. The Government will not reimburse offerors due to a failure on the offeror s part to consider all costs associated with performance on this requirement. 2.2 All tasks associated with this order shall be completed during the CGVAMC s normal business hours, Monday through Friday from 8:00am 4:30pm excluding Federal holidays unless otherwise coordinated with the Contracting Officer s Representative (COR) or SCM staff. The remaining Federal Holidays for calendar year 2022 are as follows: Memorial Day Monday, May 30, 2022 Independence Day Monday, July 4, 2022 Labor Day Monday, September 5, 2022 Columbus Day Monday, October 10, 2022 Veterans Day Friday, November 11, 2022 Thanksgiving Day Thursday, November 24, 2022 Christmas Day Monday, December 26, 2022 Any other day determined by the President of the United States as a Federal Holiday. 2.3 Management & Supervision of Contract Personnel The Contractor shall be responsible for supervising the daily services provided under this contract. The Contractor shall provide the name and contact information for a person designated to manage and supervise performance under this contract to the Contracting Officer (CO) upon award of the contract. The Contractor shall use reasonable care to avoid damaging to the facility and the grounds. If the Contractor s failure to use reasonable care causes damage to any Government, private or personal property, the Contractor shall replace or repair the damage at no expense to the Government or other private parties as directed by the CO. If the Contractor fails or refuses to make such repair or replacement, the Contractor shall be liable for the cost, which may be deducted from the contract price. 3.0 COVID-19 Contractor employees who work in or travel to VHA locations must comply with the following: 3.1 Documentation Requirements: If fully vaccinated contractor employees shall show proof of vaccination. Acceptable proof of vaccination includes a signed record of immunization from a health care provider or pharmacy, a copy of the COVID-19 Vaccination Record Card (CDC Form MLS-319813_r, published on September 3, 2020), or a copy of medical records documenting the vaccination. 3.1.1 If unvaccinated and granted a medical or religious exception, contract employees shall show negative COVID-19 test results dated within three calendar days prior to desired entry date. Test must be approved by the Food and Drug Administration (FDA) for emergency use or full approval. This includes tests available by a doctor s order or an FDA approved over-the-counter test. 3.1.2 Documentation cited in this section shall be digitally or physically maintained on each contractor employee while in a VA facility and is subject to inspection prior to entry to VA facilities and after entry for spot inspections by Contracting Officer Representatives (CORs) or other hospital personnel. 3.1.3 Documentation will not be collected by the VA; contractors shall, at all times, adhere to and ensure compliance with federal laws designed to protect contractor employee health information and personally identifiable information. 3.1.4 Contractor employees are subject to daily screening for COVID-19 and may be denied entry to VA facilities if they fail to pass screening protocols. As part of the screening process contractors may be asked screening questions found on the following website: COVID-19 Screening Tool. Regularly check the website for updates. 3.1.4.1 Contractor employees who work away from VA locations, but who will have direct patient contact with VA patients shall self-screen utilizing the COVID-19 Screening Tool, in advance each day that they will have direct patient contact and in accordance with their person or persons who coordinate COVID-19 workplace safety efforts at covered contractor workplaces. Contractors shall, at all times, adhere to and ensure compliance with federal laws designed to protect contractor employee health information and personally identifiable information. 3.2 Contractor must immediately notify their COR or Contracting Officer if contract performance is jeopardized due to contractor employees being denied entry into VA Facilities. 3.3 In addition, contractor employees shall comply with the following at all times while on CGVAMC property, regardless of their vaccine status: Wear protective face coverings at all times while inside the CGVAMC facility to include all outbuildings and outdoors when social distancing can t be maintained. Maintaining social distancing of at least six(6) feet from other individuals. Maintaining good handwashing practices. 3.4 Contract employees found in violation of COVID-19 Pandemic safety precautions and practices will be asked to leave the CGVAMC property immediately, not to return. In the event contractor employees are removed from the facility, the Contractor may replace that employee(s) or continue the task. 3.5 Personnel Policy The Contractor shall be responsible for protecting the personnel furnishing products and/or services under this contract. To carry out this responsibility, the contractor shall provide the following for these personnel: - Workers compensation - Professional liability insurance - Health examinations - Income tax withholding, and - Social security payments. 3.5.1 Smoking Policy Smoking is strictly prohibited while on the CGVAMC campus. Violations can result in a fine of $50.00 or more. 3.6 Inspection & Acceptance The Contracting Officer s Representative (COR) for the Task Order is a Government official who has been delegated specific technical, functional, and oversight responsibilities for this task order. The COR is designated in the COR appointment letter, issued by the Contracting Officer, and is responsible for inspection and acceptance of all services and documents. 4.0 Requirements 4.1 The contractor shall provide all labor, software licenses, interface development, solution products, storage options (cabinets, storage bins, louvers, shelving, bridges, etc.), 3rd party Information Technology (IT) support and 3rd party general site preparation support required for installation and deployment of an inventory control system in all primary and secondary distribution stock points. 4.1.1 The contractor shall provide a system that is approved for use on the VA network in accordance with VA Technical Reference Model v19.3 4.1.2 The contractor shall ensure the solution is consistent with VA policies and standards, including, but not limited to, VA Handbooks 6102 and 6500; VA Directives 6004, 6513, 6550, and 6517; and National Institute of Standards and Technology (NIST) standards, including current Federal Information Processing Standards (FIPS). 4.1.3 The contractor shall provide turn-key installation and comprehensive training to SCM staff. 4.1.4 The contractor shall, to the maximum extent possible, use existing equipment previously installed in primary or secondary distribution points, provided the equipment is compatible, serviceable, and functioning. 4.2 System Capabilities 4.2.1 The system shall be capable of producing automatic inventories without staff intervention. 4.2.2 The system shall be capable of automatically determining the use of a single item, an each (EA), without staff input or intervention for any expendable supply. 4.2.3 The system shall be a commercial off-the-shelf combination of software and hardware with demonstrated capabilities in a healthcare medical supply environment to perform the data capture, tracking, and search capabilities. 4.2.4 The system shall be a stand-alone, computerized, inventory tracking system utilizing the latest hardware and software technology to record supply issues (removal) and supply receipts (additions) to the inventory point. 4.2.5 The system shall automatically identify inventory changes caused by user or staff removal of items and when warranted, create critical alerts. 4.2.6 The system shall be capable of continually communicating system status and notify staff personnel of specific system failures or errors. 4.2.7 The system shall be capable of updating and reporting open orders, emergency/critical item levels, and negative quantities on hand. 4.2.8 The system shall be capable of reporting average monthly usage, consumption analysis, and consumption deviation. 4.2.9 The system shall be able to produce enterprise reports providing days of stock on hand, value on hand, transactions, and item history reports. 4.2.10 The system shall be accessible by multiple users simultaneously. 4.2.11 The system shall operate as a stand-alone system not reliant on any VA, VHA or VAMC/HCC/CBOC assets other than Internet connectivity and space. 4.2.12 The system shall have a push/pull interface with GIP. The primary purpose of the interface is to identify out of balance on hand quantities and values between GIP and the system. 4.2.13 The system shall identify any out of balance on hand quantities and values, accounting for any due-outs and due-ins. If the out of balance condition is caused by a pending due-in or due-out it will be displayed separately to easily identify. 4.2.14 The system due-ins and due-outs will automatically be removed when the GIP due-in and due-out are "cleared". 4.2.15 The system shall be capable of producing reports in Excel and, CSV or other text delimited formats using commercially available software. 4.2.16 Contractor employees shall be fully trained, qualified, and licensed (if applicable) to install this system. 4.2.17 The client license shall operate on existing VA PCs and support all inpatient and outpatient operations. 4.2.18 The solution(s) proposed for each facility shall include a Commercial Off-the-Shelf (COTS) integrator functionality that shall allow various devices to communicate with each other and other systems. 4.2.18.1 The integrator shall allow management of data from a variety of devices through a single management source. 5.0 Specific Tasks 5.1 Site Survey and Assessment. 5.1.1 The Contractor shall perform a site survey and assessment prior to the award of a task order for each location. The assessment shall collect the necessary information for successful implementation, integration, and training of the system. 5.1.2 The site survey and assessment shall be completed within fourteen (14) days upon direction of the CO. 5.1.3 The task order shall not be awarded until the site survey and assessment is complete. 5.1.4 Upon completion of a site assessment, the Contractor shall report findings, listed, and priced by facility, building, and room, in an Assessment Report for approval by the CO and the COR. 5.2 Assessment Reports shall include inspection results, equipment condition, and recommendations regarding use of current assets in conjunction with proposed solutions, propose new assets with recommended placement and usage, identify applicable facility infrastructure requirements, a timeline, road map, costs, training and travel costs, a contractor equipment plan, a Contractor Implementation Plan, and associated risks. 5.2.1 The report shall detail equipment requirements to include components to retrofit existing equipment and any new components to completely implement recommended solution(s). 5.2.3 Assessment Reports shall focus on POU solution(s) standardization to the maximum extent possible. All solution(s) recommendations shall require written approval by the CO and the COR. 5.2.4 The assessment shall support the final quantities and dollar value for the associated work for the tasked location(s). 5.3 Delivery of Equipment. 5.3.1 The contractor shall furnish all equipment, supplies, and software to achieve a functional, turn-key system. 5.3.2 The contractor shall coordinate with VAMC SCM staff to ensure adequate warehouse storage space is available before equipment and/or supplies are shipped. 5.3.3 All parts supplied shall be compatible with existing Government equipment. 5.3.4 Contracted parts coverage shall include all system options, third party pass thru devices, such as compact disk devices, remote workstations, etc. and will include all manufacturer supplied software including that used by third party devices. 5.3.5 The contractor shall use Original Equipment Manufacturer (OEM) new or rebuilt parts. All parts shall perform identically to the original equipment specifications. 5.4 System Installation and Implementation. 5.4.1 The contractor shall be responsible for the installation of the system on-site in each primary and/or secondary distribution point as required by an individual task/delivery order. 5.4.2 The Contractor shall provide an Assessment Implementation Manager to be a single point of contact and oversee the overall installation and implementation for the facilities. 5.4.2.1 The Assessment Implementation Manager shall be responsible for: 5.4.2.2 Effective communication of the project progress to the CO, COR, SCM staff and Contractor team members, 5.4.2.3 Ensuring proper documentation is delivered to COR, 5.4.2.4 Coordination, escalation, and resolution of project issues, 5.4.3.5 Representing the Contractor in status meetings and providing timely status reports. 5.4.3 The contractor shall create a Contractor Implementation Plan associated with the assessment solution developed in Section 5.1. At a minimum, the Plan shall include: A complete list of all primary and/or secondary locations where contractor equipment will be installed Itemized list of equipment to be installed, by primary and/or secondary location A proposed implementation schedule, by primary and/or secondary location Facility-specific testing plan A facility/VHA requirements punch list (as required). 5.4.3.1 The Contractor Implementation Plan shall be approved by the CO, COR, and facility SCM staff prior to work commencement. 5.4.4 Upon completion of the installation and implementation, each facility shall have a fully installed and operationally tested system that includes supporting, operational, and maintenance documentation (turnkey). 5.4.4.1 Full installation shall be the completion of all required tasks necessary for the installation and implementation of all equipment outlined in the Contractor Implementation Plan 5.4.4.2 Operationally tested shall mean the system operates as intended and the government can rely on the system for normal SCM operations. 5.5 Test Equipment. 5.5.1 The contractor shall provide the government with a copy of the current calibration certification of all test equipment to be used by the contractor on VAMC equipment. 5.5.1.1 This certification shall also be provided on a periodic basis when requested by the CO or COR. 5.5.1.2Test equipment calibration shall be traceable to a national standard. 5.5.2 The Contractor shall execute assessment installation and implementation Test Plans to create facility-specific user acceptance test reports. 5.5.2.1 At a minimum, the contractor shall conduct periodic tests, as determined by the contractor and government, to ensure the system is properly configured and functioning 5.5.2.2 Periodic testing shall be accomplished with partial completion of equipment installation in a primary or secondary location 5.5.3 The Contractor shall demonstrate the results of a test to the COR or their designated point of contact for approval. 5.5.4 Upon completion and approval of all tests for each facility, the Contractor shall aggregate the results of the tests and prepare a facility-specific User Acceptance Test Report. 5.5.5 The facility-specific User Acceptance Test Report shall include the outcome of the user functionality test to include: overall performance of the tests, assessment of issues encountered, and lessons learned . 5.6 Maintenance and Support. 5.6.1 The contractor shall provide, as an additional CLIN, a complete end-to-end maintenance and support for the system at any location. 5.6.2 The maintenance and support shall be in accordance with the contractor s OEM specifications. 5.6.3 The maintenance and support shall be accomplished by OEM certified technicians. 5.6.4 The maintenance and support shall include the following: All parts, to restore a system to full operational capability when inoperable Trade-out parts to minimize downtime Parts available from factory next day/overnight A technician or call-center on a 24/7 basis for software and hardware support New software patches and upgrades enhancements 6-hour on-site response time upon notification 5.7 Spare Parts and Equipment. 5.7.1 The contractor shall provision for and cost spare parts and equipment in the site survey and assessment in Section 5.1. 5.7.2 The contractor shall maintain adequate quantities of parts including unique and/or high mortality replacement parts in such a manner as to be available for shipment within 24 hours of request. 5.8 Warranty. 5.8.1 The contractor shall include a one (1) year warranty on all parts and labor. 5.8.2 The warranty shall include all travel and associated costs associated with any warranty repair. 5.8.3 The warranty period shall begin from date of final owner acceptance at each installed location. 5.8.4 The warranty shall cover all parts and equipment installed by the contractor. 5.9 Equipment Modifications/Updates Equipment modifications are divided into two kinds: normal functional improvements that assure that the equipment is operating at the peak of performance and enhancing improvements - optional improvements that change the equipment s original design to allow for supplementary or additional functions. 5.9.1 Normal functional improvements shall be provided at no cost to VA within six (6) months after each version is released. Installation shall be done at no additional cost to the government during normal working hours, unless requested by the Acquisition Program Specialist (APS). 5.9.2 Enhancing improvements are optional to VA. If the APS has determined that VA requires such enhancing improvements. Enhancing improvements shall be considered outside of the scope of this contract and processed as a separate procurement. All modifications, upgrades, updates, enhancements, etc., must be scheduled in advance with the COR. the contractor shall notify the CO and COR five (5) business days prior to any equipment updates, upgrades, enhancements, and modifications along with justification, estimated costs (if applicable), probable effect on equipment operation, and needs for new or additional in-service training. 5.10 Operator Training. 5.10.1 The Contractor shall provide initial end-user, super-user, supervisor, and leadership training for the installed system at each location. The Contractor shall provide materials designed to facilitate continued internal training by VHA personnel throughout the lifecycle of the system (i.e., train-the-trainer). 5.10.2 The training shall be tailored (as required) for each location(s) installation and implementation. 5.10.3 A training plan shall be submitted by the contractor no later than ten (10) days after date of award. Training shall include, but not be limited to: Adding items to an inventory Removing items from an inventory Assigning items Editing items Troubleshooting Reporting functions Future/upcoming enhancements 5.11 Acceptance Timeline. 5.11.1The contractor shall have 180 days from the notice to proceed to complete all work necessary for the set-up, installation, implementation, and final acceptance of the system at the required location. 6.0 Performance Monitoring: An APS will monitor contractor performance daily via routine inspection of their work to assure it is completed in accordance with the awarded contract. An APS will be available to the contractor during their period of installation and will assist with their needs, providing a liaison between the contractor and CO. 7.0 Contract Security Language 7.1 Contractor Requirements, Confidentiality, and Non-Disclosure The Contractor and their employees shall adhere to all VA Information Security requirements and practices to guard against the disclosure of sensitive information to unauthorized individuals or organizations, the Privacy Act of 1974, and the HIPPA act as described in subsequent paragraphs to this order. 7.1.1 Contractors are advised that all printed and electronic documents are for Government internal use only. They are not to be copied or released without written permission from the Contracting Officer and remain the sole property of the United States Government. All or portions of these materials may be protected by the Privacy Act of 1974 (revised by PL 93-5791) and Title 38, United States Code. Unauthorized disclosure of Privacy Act or Title 38 covered materials is a criminal offense. 7.2 Privacy Act Notification Privacy Act Notification and the Privacy Act apply to this contract. 8.0 Security Requirements 8.1 General 8.1.1 All information and records provided to the Contractor by the VA, in whatever medium, as well as all information and documents, including drafts, emails, back-up copies, hand-written notes and copies that contain such information and records gathered or created by the Contractor (collectively referred to as VA information ) in the performance of this contract, regardless of storage media, are the exclusive property of VA. The Contractor does not retain any property interest in these materials and shall not use them for any purpose other than performance of this contract. 8.1.2 Upon completion or termination of the contract, Contractor shall either provide all copies of all VA information to VA or certify that it has destroyed all copies of all VA information as required by VA in a method specified by VA, at VA s option. The Contractor shall not retain any copies of VA information. Where immediate return or destruction of the information is not practicable, Contractor shall return or destroy the information within 30 days of completion or termination of the contract. All provisions of this contract concerning the security and protection of the VA information that is the subject of this contract will continue to apply to the VA information for as long as the Contractor retains it, regardless of whether the contract has been completed or terminated. 8.1.3 Prior to termination or completion of this contract, Contractor shall not destroy VA information received from VA or gathered or created by Contractor in the course of performing this contract without prior written approval by VA. 8.1.4 Contractor shall receive, gather, store, back up, maintain, use, disclose and dispose of VA information only in accordance with the terms of this contract and applicable Federal and VA information confidentiality and security laws, regulations, and policies. 8.1.5 The Contractor shall not make copies of VA information, electronic or hard copy, except as necessary to perform this agreement or to preserve electronic information stored on Contractor electronic storage media for restoration in case any electronic equipment or data used by the Contractor needs to be restored to an operating state. 8.1.6 Contractor shall provide access to VA information only to employees, Subcontractors, and affiliates only to the extent necessary to perform the services specified in this Contract; to perform necessary maintenance functions for electronic storage or transmission media necessary for performance of this contract; and only to individuals who first satisfy the same conditions, requirements and restrictions that comparable VA employees shall meet in order to have access to the same VA information. These restrictions include the same level of background investigations, where applicable. 8.1.7 Contractor shall store, transport, or transmit VA information only in an encrypted form, using an encryption application that meets the requirements of Federal Information Processing Standard (FIPS) 140-2, and is approved for use by VA. 8.1.8 Except for uses and disclosures of VA information authorized by this contract for performance of the contract, the Contractor may use and disclose VA information only in two other situations: in response to an order of a court of competent jurisdiction, or with VA s prior written authorization. The Contractor shall refer all requests for, demands for production of, or inquiries about, VA information to VA for response. Contractor shall not release information protected by Title 38, United States Code (USC), Section 5705 or either Section 7332 in response to a court order and shall immediately refer such court orders to VA for response. 8.1.9 Prior to any disclosure pursuant to a court order, the Contractor shall promptly notify VA of the court order upon its receipt by the Contractor, provide VA with a copy by fax or email, whichever is faster, and notify by telephone the VA individual designated in advance to receive such notices. If the Contractor cannot notify VA before being compelled to produce the information under court order, the Contractor shall notify VA of the disclosure as soon as practical and provide a copy of the court order, including a description of the records provided pursuant to the court order, and to whom the Contractor provided the records under the court order. The notice shall include the following information to the extent that the Contractor knows it, if it does not show on the face of the court order: the records disclosed pursuant to the order, to whom, where, when, and for what purpose, and any other information that the Contractor reasonably believes is relevant to the disclosure. If VA determines that it is appropriate to seek retrieval of information released pursuant to a court order before Contractor notified VA of the court order, Contractor shall assist VA in attempting to retrieve the VA information involved. 8.1.10 The Contractor shall inform VA by the most expeditious method available to Contractor of any incident of suspected or actual access to, or disclosure, disposition, alteration, or destruction of, VA information not authorized under this Contract ( incident ) within one hour of learning of the incident. An incident includes the transmission, storage, or access of VA information by Contractor or Subcontractor employees in violation of applicable VA confidentiality and security requirements. To the extent known by the Contractor, the Contractor s notice to VA shall identify the information involved, the circumstances surrounding the incident (including to whom, how, when, and where the VA information was placed at risk or compromised), and any other information that the Contractor considers relevant. 8.1.11 Contractor shall simultaneously report the incident to the appropriate law enforcement entity(ies) of jurisdiction. The Contractor, its employees, and its Subcontractors and their employees shall cooperate with VA and any law enforcement authority responsible for the investigation and prosecution of any possible criminal law violation(s) associated with any incident. The Contractor shall also cooperate with VA in any civil litigation to recover VA information, to obtain monetary or other compensation from a third party for damages arising from any incident, or to obtain injunctive relief against any third party arising from, or related to, the incident. 8.1.12 VA will provide the Contractor with the name, title, telephone number, fax number and email address of the VA official to whom the Contractor shall provide all notices required by this Contract. This information will be provided upon implementation of the contract. 8.1.13 VA has the right during normal business hours to inspect the Contractor s facility, information technology systems and storage and transmission equipment, and software utilized to perform the contract to ensure that the Contractor is providing for the security of VA data and computer systems in accordance with the terms of this Contract. 8.1.14 Contractor shall receive, gather, store, back up, maintain, use, disclose and dispose of VA information only in compliance with all applicable FIPS and Special Publications (SP) issued by the National Institute of Standards and Technology (NIST) concerning VA information that is the subject of this contract. If NIST issues or updates an applicable FIPS or SP after execution of this contract, the parties agree to negotiate in good faith to implement the FIPS or SP in this contract. 8.1.15 A determination by VA that the Contractor has violated any of the information confidentiality and security provisions of this contract, including a violation of any applicable FIPS or SP, shall be a basis for VA to terminate the contract for cause. 8.1.16 Anyone performing under the terms of this contract, including employees of Subcontractors, accesses VA computer systems or data in the performance of the contract, VA may monitor and record all such access activity. If VA monitoring reveals any information of suspected or potential criminal law violations, VA will refer the matter to the appropriate law enforcement authorities for investigation. 8.1.17 The Contractor shall inform its employees and other individuals performing any part of this contract that VA may monitor their actions in accessing or attempting to access VA computer systems and the possible consequences to them for improper access, whether successful or not. The Contractor shall ensure that any Subcontractors or others acting on behalf of or for the Contractor, in performing any part of this contract inform their employees, associates or others acting on their behalf, that VA may monitor their access activities. Execution of this contract and any subcontract or agreement constitutes consent to VA monitoring. 8.1.18 The Contractor shall ensure that all individuals who will access VA data or systems in performing the contract are appropriately trained in the applicable VA confidentiality and security requirements. Contractor may do this by requiring and documenting that these individuals have completed the VA training for its employees. The Contractor shall provide documentation of required training to the COR prior to the Contractor staff accessing VA records. 8.1.19 Contractor shall mitigate any harmful effect on individuals whose VA information was accessed or disclosed in an incident to the extent practicable. 8.1.20 Contractor shall require Subcontractors, agents, affiliates, or others to whom Contractor provides access to VA information for the performance of this contract to agree to the same VA information confidentiality and security restrictions and conditions that apply to the Contractor before providing access. 8.2. The Contractor shall utilize only employees, Subcontractors or agents who are physically located within a jurisdiction subject to the laws of the United States. Contractor shall ensure that it does not use or disclose Protected Health Information (PHI) received from Covered Entity in any way that will remove the PHI from such jurisdiction. 9.0 Liquidated Damages for Data Breach 9.1 Consistent with the requirements of 38 U.S.C. §5725, a contract may require access to sensitive personal information. If so, the Contractor is liable to VA for liquidated damages in the event of a data breach or privacy incident involving any security and privacy incidents (SPI) the Contractor/Subcontractor processes or maintains under this contract. 9.2 The Contractor/Subcontractor shall provide notice to VA of a security incident as set forth in the Security Incident Investigation section above. Upon such notification, VA must secure from a non-Department entity or the VA Office of Inspector General an independent risk analysis of the data breach to determine the level of risk associated with the data breach for the potential misuse of any sensitive personal information involved in the data breach. The term 'data breach' means the loss, theft, or other unauthorized access, or any access other than that incidental to the scope of employment, to data containing sensitive personal information, in electronic or printed form, that results in the potential compromise of the confidentiality or integrity of the data. Contractor shall fully cooperate with the entity performing the risk analysis. Failure to cooperate may be deemed a material breach and grounds for contract termination. 9.3 Each risk analysis shall address all relevant information concerning the data breach, including the following: Nature of the event (loss, theft, unauthorized access). Description of the event, including: date of occurrence; data elements involved, including any PII, such as full name, social security number, date of birth, home address, account number, disability code; number of individuals affected or potentially affected; names of individuals or groups affected or potentially affected; ease of logical data access to the lost, stolen or improperly accessed data in light of the degree of protection for the data, e.g., unencrypted, plain text; amount of time the data has been out of VA control; the likelihood that the sensitive personal information will or has been compromised (made accessible to and usable by unauthorized persons); known misuses of data containing sensitive personal information, if any; assessment of the potential harm to the affected individuals; a data breach analysis as outlined in 6500.2 Handbook, Management of Security and Privacy Incidents, as appropriate; and whether credit protection services may assist record subjects in avoiding or mitigating the results of identity theft based on the sensitive personal information that may have been compromised. 9.3.1 Based on the determinations of the independent risk analysis, the Contractor shall be responsible for paying to the VA liquidated damages per each affected individual to cover the cost of providing credit protection services to affected individuals consisting of the following: notification; one (1) year of credit monitoring services consisting of automatic daily monitoring of at least three (3) relevant credit bureau reports; data breach analysis; fraud resolution services, including writing dispute letters, initiating fraud alerts and credit freezes, to assist affected individuals to bring matters to resolution; one (1) year of identity theft insurance with $20,000.00 coverage at $0 deductible; and associated legal expenses the subjects may incur to repair falsified or damaged credit records, histories, or financial affairs. 10.0 Contractor Personnel Security Requirements All Contractor employees who require access to the Department of Veterans Affairs computer systems or data shall be the subject of a background investigation and shall receive a favorable adjudication from the VA Office of Security and Law Enforcement prior to contract performance. This requirement is applicable to Subcontractor personnel requiring the same access. If Contractor staff will require access to detailed Veteran data for the purpose of completing the tasks described in this statement of work, they shall adhere to the following Contractor personnel security requirements: Position Sensitivity The position sensitivity has been designated as Low Risk. Background Investigation The level of background investigation Commensurate with the required level of access is Minimum Background Investigation. 10.1 Contractor responsibilities 10.1.1 The Contractor shall prescreen all personnel requiring access to the computer systems to ensure they maintain a U.S. citizenship, and are able to read, write, speak, and understand the English language. 10.1.2 The Contractor shall submit the required forms (SF 86 or SF 85P, SF 85P-S, FD 258, Contractor Fingerprint Chart, VA Form 0710, Authority for Release of Information Form, and Optional Forms 306 and 612) to the VA Office of Security and Law Enforcement within 30 days of receipt. 10.1.3 The Contractor, when notified of an unfavorable determination by the Government, shall withdraw the employee from consideration from working under the contract. Failure to comply with the Contractor personnel security requirements may result in termination of the contract for default. 10.1.4 The Contractor shall notify the COR in advance of any Contractor staff that will require access to the Department of Veterans Affairs computer systems or data for the COR to request the background investigation. The notification shall include the following: full name of the individual, justification for the request which includes the task number, the date and place of birth, email address, social security number, and occupation. In addition, the Contractor shall provide the COR with its point of contact s email address, business address, and phone number. 10.2 Government Responsibilities 10.2.1 The VA Office of Security and Law Enforcement will provide the necessary forms to the Contractor, or to the Contractor s employees, after receiving a list of names and addresses. 10.2.2 Upon receipt, the VA Office of Security and Law Enforcement will review completed forms for accuracy and forward the forms to the office of Personnel Management (OPM) to conduct background investigations. 10.2.3 The VA Office of Security and Law Enforcement will notify the CO, and Contractor, of adjudication results received from OMB. 10.2.4 Upon being notified about a favorable determination, the CO may issue a notice to proceed to the Contractor. 10.2.5 The Department of Veterans Affairs will specify and/or provide, in some cases at the Contractors expense, the necessary guidance and training, necessary to support the specific work. 10.3 Contractor Information Security Training Requirements Prior to beginning work on this contract, all contractor employees performing work under this contract shall complete the following Information Security Training in VA s Talent Management System at: https://hcm03.ns2cloud.com Privacy and HIPAA Training - Department of Veterans Affairs Course #10203 VA Privacy and Information Security Awareness and Rules of Behavior - Department of Veterans Affairs Course #10176 10.3.1 The Contractor shall forward copies of training completion certificates to the CO prior to any work beginning under this contract. 11.0 INVOICING / PAYMENT: The Contractor shall submit invoices in arrears covering the services performed under this contract. All invoices shall be submitted electronically in OB10 and shall contain the following information: Contract Number and Purchase Order Number Name of Provider Hourly Rate Number of Hours Worked Total Price
