U--Laboratory Web Training
Department of Veterans Affairs, Fayetteville (NC) CPAC | Published July 27, 2015 - Deadline July 31, 2015
This is a REQUEST FOR INFORMATION (RFI) ONLY. In accordance with FAR 15.201(e), responses to this notice are not offers and cannot be accepted by the Government to form a binding contract. Requests for a solicitation will not receive a response. Responses to this RFI must be in writing. The purpose of this RFI announcement is for market research to make appropriate acquisition decisions and to gain knowledge for budgetary planning. Documentation of technical expertise must be presented in sufficient detail for the Government to determine that your company possesses the necessary functional area expertise and experience to compete for this acquisition. Responses to this notice shall include the following: (a) company name (b) address (c) point of contact (d) phone, fax, and email (e) DUNS number (f) Cage Code (g) Tax ID Number and Small Business Status (SDVOSB/VOSB/8A/HubZone/Minority Owned/etc) (h) must provide a capability statement that addresses the organizations qualifications and ability to perform as a contractor for the laboratory web based training and competency assessments as described below:
TITLE OF PROJECT: LABORATORY WEB-BASED TRAINING
1. PURPOSE. To obtain a firm fixed price contract to provide laboratory training and competency assessments modules for VHA Pathology and Laboratory Medicine Services (P&LMS). Base period of performance is September 2015 to September 2016.
2. BACKGROUND. Training and competency assessments modules have been used in VHA to augment local training and enables laboratory and point of care testing personnel to meet training and competency requirements as dictated by accreditation and regulatory agencies. Training and assessments shall be accessible online, anywhere, 24/7 to provide additional training flexibility. Components core to training and assessment program are:
1. Clinical Laboratory training and competence assessments of staff involved in all phases of laboratory testing: specimen collection, transportation processing and analysis.
2. Point of Care training and tracking of competency assessments for staff using microscopes, waived test kits, and instruments in point of care settings.
3. Flexibility for site specific development and documentation of training and assessment protocols.
Securing the training modules would allow P&LMS to comply with the mandatory requirements of VHA handbook 1106. It also gives Laboratory professionals the tools they need to obtain the 45 CEU's required to maintain their certifications in order to practice in VA laboratories.
3. OBJECTIVES. To secure a national contract to provide VHA Pathology & Laboratory Medicine Services and Point of Care testing personnel access to an online training and competence assessments platform. The contractor's library shall contain training and assessments for the most current, commonly used laboratory testing kits and methodologies.
4. SCOPE. The Contractor shall provide real-time access to the full training platform (training modules, competency assessment, and webinars) via the internet for VHA P&LMS and point of care testing personnel. In addition to access, users will have the ability to manage and document their training, view, and track and print all documents. Access shall be seven days a week/24 hours a day. CEU will be provided, as appropriate.
5. MANDATORY TASKS AND DELIVERABLES. The Contractor will provide enrolled users online access to the trainers portfolio (training, competency assessment, webinar) seven days a week/24 hours a day. The contractor shall provide designated administrator(s) the ability to set up and manage user accounts. The contractor shall provide CEUs for training, as appropriate. The contactor will provide a semiannual report of usage activity to the P&LMS Program Office and/or COR. If for any reason, a deliverable cannot be delivered on time according to the below schedule, the contractor shall provide a written explanation three days prior to the due date to the Contracting Officer Representative (COR). This written transmittal shall include a firm commitment of when the work shall be completed. This transmittal to the COR shall cite reasons for the delay, and the impact on the overall project. The COR will review collaboratively with the Program Office (may be same as the COR) and issue a response in accordance with the contract terms and conditions. Unless otherwise specified an electronic copy shall be placed in the designated CBO SharePoint site or other CBO-designated site. Specifically, the contractor shall:
5.1 Task One.
Service Agreement: The contractor shall provide system support for online training, competency assessments, and webinars to VHA P&LMS and point of care testing personnel. This includes:
1. Provide VHA P&LMS users with phone and email technical support from 7:30 AM to 4:30PM PT
2. Provide system monitoring and maintenance to prevent access interruptions
3. Notify VACO P&LMS Program Office of changes throughout contract period.
5.2 Schedules for Mandatory Deliverables.
5.2.1 Table of Base Period Mandatory Deliverables Due Dates
REFERENCE DELIVERABLE DUE DATE
Deliverable 1 Detailed user and access information and instructions Within 15 days after contract award
Deliverable 2 Administrator access (facility level) and instructions for end-user and training management Within 5 days after access request from P&LMS Program Office official
Deliverable 3 Award of continuing education unit(s), as appropriate Within 3 days of completed training
Deliverable 4 Semiannual usage reports
Report elements to be defined and agreed upon by both parties End of February and July following award
1. PERIOD OF PERFORMANCE. The period of performance shall be from the date of award for a one (1) year base period of 09/15 to 09/16.
There is ten (10) Federal holidays set by law (U.S.C. Title 5 Section 6103):
Under current definitions, four are set by date:
New Year's Day January 1
Independence Day July 4
Veteran's Day November 11
Christmas Day December 25
If any of the above falls on a Saturday, then Friday shall be observed as a holiday. Similarly, if one falls on a Sunday, then Monday shall be observed as a holiday.
The other six are set by a day of the week and month:
Martin Luther King Day Third Monday in January
Washington's Birthday Third Monday in February
Memorial Day Last Monday in May
Labor Day First Monday in September
Columbus Day Second Monday in October
Thanksgiving Fourth Thursday in November
2. PLACE OF PERFORMANCE. The Contractor shall support this effort at the Department of Veterans Affairs
3. KEY PERSONNEL. Certain skilled experience professional and/or technical personnel are essential for accomplishing the work to be performed. These individuals are defines as "Key personnel" and are those persons whose resumes were submitted and marked by the vendor as "Key Personnel". Substitutions shall only be accepted if in compliance with "Substitutions shall only be accepted if in compliance with "Substitution of Key Personnel" provision identified below.
The Contracting Officer may notify the Contractor and request immediate removal of any personnel assigned to the task order by the Contractor that are deemed to have a conflict of interest with the government or if the performance is deemed to be unsatisfactory. The reason for removal will be documented and replacement personnel shall be identified within three business days of the notification. Employment and staffing difficulties shall not be justification for failure to meet established schedules.
8.1 Substitution of Key Personnel. All Contractor requests for approval of substitutions hereunder shall be submitted in writing to the COTR and the Contracting Officer at least thirty (30) calendar days in advance of the effective date, whenever possible, and shall provide a detailed explanation of the circumstances necessitating the proposed substitution, a complete resume for the proposed substitute, and any other information requested by the Contracting Officer necessary to approve or disapprove the proposed substitution. New personnel shall not commence work until all necessary security requirements, as defined in Section J, have been fulfilled and resumes provided and accepted. The COTR and the Contracting Officer will evaluate such requests and promptly notify the Contractor of approval or disapproval in writing.
8.2 The Contractor shall be responsible for managing and overseeing the activities of all Contractor personnel, as well as subcontractor efforts used in performance of this effort. The Contractor's management responsibilities shall include all activities necessary to ensure the Accomplishment of timely and effective support, performed in accordance with the Requirements contained in the statement of work.
8.3 Domain Knowledge. NA
Contractor Personnel Requirements. NA.
8.4 Staff Qualifications. NA
4. TRAVEL. NA
5. TYPE OF CONTRACT. A Firm- Fixed Price Task Order/Contract will be issued for this effort.
11. CHANGES TO THE SOW. Any changes to this SOW shall be authorized and approved only through written correspondence from the Contracting Officer. A copy of each change will be kept in a project folder along with all other products of the project. Costs incurred by the contractor through the actions of parties other than the Contracting Officer shall be borne by the contractor.
12. GOVERNMENT AND CONTRACTOR RESPONSIBILITIES.
a. The CBO shall provide the contractor with copies of documents that the VA is required to provide.
b. The contractor shall request other VA documentation deemed pertinent to the work accomplishment directly from the COTR. The contractor is expected to use common knowledge and resourcefulness in securing all other reference materials, standard industry publications, and related materials that are pertinent to the work.
a. The contractor shall maintain frequent communications with the Program Office and the COTR to conduct work in progress reviews. Progress reports shall be delivered electronically to the COTR, with an electronic courtesy copy to the Program Office.
13. FORMAL ACCEPTANCE OR REJECTION OF DELIVERABLES. The VA shall have 15 business days to review each document and provide feedback and comments. The contractor shall have five business days to incorporate comments. A final review shall be conducted with the COTR and the P&LMS Program Office. Delivery of the post-final review document with incorporated comments from the final review meeting shall constitute acceptance by the VA with COTR's written approval.
14. QUALITY STANDARDS FOR DELIVERABLES - PERFORMANCE MEASURES:
14.1 Review of relevant materials. Deliverables shall be timely, comprehensive, thoughtful, relevant presentation of alternatives, pros and cons, and feasible recommendations.
14.2 CBO Presentations. Presentations shall be clear, concise, executive-focused, and written in such a way as to be understood by lay persons. Quality of deliverable directly correlates with effectiveness of CBO communications.
14.3 Project Plan. Project Plan shall be timely and comprehensive; recognize and address authority, perceptions, and concerns of stakeholders; incorporate scope of requisite contract requirements across the CBO.
14.4 Reports. Reports are submitted on time and include those topics described in the SOW, agreed to in the master plan and as requested for special reports; necessary clearances are obtained as needed in a timely manner.
14.5 Publications and other documents. Deliverables are timely submission in formats appropriate to target audiences; consideration of best dissemination mechanisms; user friendly, clear, thorough and comprehensive documentation and publications.
14.6 Meeting support. Timely and thoughtful pre-meeting preparations and logistics; smooth meeting operations; timely and comprehensive post-meeting summaries.
14.7 Coordination. Contractor collaboration with CBO is timely, appropriate and demonstrates cooperative support to VHA Executives and staff.
14.8 Analyses and Assessments. Analyses and assessments are performed with accuracy, comprehensiveness and adherence to industry best practices.
14.9 Modifications. Timely, comprehensive, high quality covering all functional, performance, and physical areas as delineated in the SOW; final plan incorporates VA feedback in a timely manner.
14.10 Obtain relevant stakeholder input. Deliverables are innovative, timely implementation of input mechanisms; accurate and comprehensive synthesis of results and recommendations. Integration of relevant stakeholder input documented for deliverable.
15. SECURITY - PRIVACY REQUIREMENTS
General - All contractors and contractor personnel shall be subject to the same Federal laws, regulations, standards and VA policies as VA, and VA personnel, regarding information and information system security. Contractors must follow policies and procedures outlined in VA Directive 6500, Information Security Program and its handbooks to ensure appropriate security controls are in place.
15.1 Access to VA Information and VA Information Systems
15.1.1 A contractor shall request logical (technical) and/or physical access to VA information and VA information systems for employees, subcontractors, and affiliates only to the extent necessary: (1) to perform the services specified in the contract, (2) to perform necessary maintenance functions for electronic storage or transmission media necessary for performance of the contract, and (3) for individuals who first satisfy the same conditions, requirements and restrictions that comparable VA employees must meet in order to have access to the same type of VA information.
15.1.2 All contractors and subcontractors working with VA Sensitive Information are subject to the same investigative requirements as those of regular VA appointees or employees who have access to the same types of information. The level of background security investigation will be in accordance with VA Directive 0710, Handbook 0710, which are available at: http://www1.va.gov/vapubs/ and VHA Directive 0710 and implementing Handbook 0710.01 which are available at.: http://www1.va.gov/vhapublications/index.cfm Contractors are responsible for screening their employees. The following are VA's approved policy exceptions for meeting VA's background screenings/investigative requirements for certain types of contractors:
15.1.3 Contract personnel not accessing VA information resources such as personnel hired to maintain the medical facility grounds, construction contracts, utility system contractors, etc.,
15.1.4 Contract personnel with limited and intermittent access to equipment connected to facility networks on which no VA sensitive information is available, including contractors who install, maintain, and repair networked building equipment such as fire alarm; heating, ventilation, and air conditioning equipment; elevator control systems, etc. If equipment to be repaired is located within sensitive areas (e.g. computer room/communications closets) VA IT staff must escort contractors while on site.
15.1.5 Contract personnel with limited and intermittent access to equipment connected to facility networks on which limited VA sensitive information may reside, including medical equipment contractors who install, maintain, and repair networked medical equipment such as CT scanners, EKG systems, ICU monitoring, etc. In this case, Veterans Health Administration facilities must have a duly executed VA business associate agreement (BAA) in place with the vendor in accordance with VHA Handbook 1600.01, Business Associates, to assure compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in addition to the contract. Contract personnel, if on site, should be escorted by VA IT staff.
15.1.6 Contract personnel who require access to national security programs must have a valid security clearance. National Industrial Security Program (NISP) was established by Executive Order 12829 to ensure that cleared U.S. defense industry safeguards the classified information in their possession while performing work on contracts, programs, bids, or research and development efforts. Defense Security Service (DSS) administers the NISP on behalf of the Department of Defense and 23 other federal agencies within the Executive Branch. VA will verify clearance through DSS.
15.2 VA Information Custodial Requirements
15.2.1 Information made available to the contractor by VA for the performance or administration of this contract or information developed by the contractor in performance or administration of the contract shall be used only for those purposes and shall not be used in any other way without the prior written agreement of the contracting officer. This clause expressly limits the contractor's rights to use data as described in Rights in Data - General, FAR 52.227-14(d) (1).
15.2.2 Information generated by a Contractor as a part of the contractor's normal business operations, such as medical records created in the course of providing treatment, is subject to a review by the Office of General Counsel (OGC) to determine if the information is the property of VA and subject to VA policy. If the information is determined by OGC to not be the property of VA, the restrictions required for VA information will not apply.
15.2.3 VA information will not be co-mingled with any other data on the contractors and, or subcontractors information systems/media storage systems in order to ensure VA requirements related to data protection and media sanitization can be met. VA also reserves the right to conduct IT resource inspections to ensure data separation and on-site inspection of information destruction/media sanitization procedures to ensure they are in compliance with VA policy requirements.
15.2.4 Prior to termination or completion of this contract, contractor will not destroy information received from VA or gathered or created by the contractor in the course of performing this contract without prior written approval by the VA contracting officer. Any data destruction done on behalf of VA by a contractor must be done in accordance with National Archives and Records Administration (NARA) requirements as outlined in VA Directive 6300, Records and Information Management and its Handbook 6300.1 Records Management Procedures, and applicable VA Records Control Schedules.
15.2.5 The contractor will receive, gather, store, back up, maintain, use, disclose and dispose of VA information only in compliance with the terms of the contract and applicable Federal and VA information confidentiality and security laws, regulations and policies. Applicable Federal information security regulations include all Federal Information Processing Standards (FIPS) and Special Publications (SP) issued by the National Institute of Standards and Technology (NIST). If Federal or VA information confidentiality and security laws, regulations and policies become applicable to the VA information or information systems after execution of the contract, or if NIST issues or updates applicable FIPS after execution of this contract, the parties agree to negotiate in good faith to implement the information confidentiality and security laws, regulations and policies, including FIPS or SP, in this contract.
15.2.6 Contractors collecting, storing, or disseminating personal identifiable information (PII) or protected health information (PHI) data must conform to all pertinent regulations, laws, and VA directives related to privacy. Contractors must provide access for VA privacy reviews and assessments and provide appropriate documentation as directed.
15.2.7 The contractor shall not make copies of VA information except as necessary to perform the terms of the agreement or to preserve electronic information stored on contractor electronic storage media for restoration in case any electronic equipment or data used by the contractor needs to be restored to an operating state.
15.2.8 If VA determines that the contractor has violated any of the information confidentiality, privacy, and security provisions of the contract, it shall be sufficient grounds for VA to terminate the contract for default or terminate for cause under Federal Acquisition Regulation ("FAR") part 12.
15.2.9 If a VHA contract is terminated for cause, the associated business associate agreement (BAA) will also be terminated and appropriate actions taken in accordance with VHA Handbook 1600.01 Business Associates.
15.2.10 Contractor will store, transport or transmit VA sensitive information in an encrypted form, using a VA-approved encryption application that meets the requirements of NIST's FIPS 140-2 standard.
15.2.11 The contractor's firewall and Web services security controls, if applicable, shall meet or exceed VA's minimum requirements. VA directives are available on the VA directives Web site at http://www1.va.gov/vapubs/.
15.2.12 Except for uses and disclosures of VA information authorized by this contract for performance of the contract, the contractor may use and disclose VA information only in two other situations: (i) in response to a qualifying order of a court of competent jurisdiction, or (ii) with VA's prior written approval. The contractor will refer all requests for, demands for production of, or inquiries about, VA information and information systems to the VA contracting officer for response.
15.2.13 Notwithstanding the provision above, the contractor shall not release medical quality assurance records protected by 38 U.S.C. 5705 or records pertaining to drug addiction, sickle cell anemia, alcoholism or alcohol abuse, or infection with human immunodeficiency virus protected under 38 U.S.C. 7332 under any circumstances, including in response to a court order, and shall immediately refer such court orders or other inquiries to the VA contracting officer for response.
15.2.14 The contractor will not use technologies banned in VA in meeting the requirements of the contract (e.g., Bluetooth enabled devices).
15.3 Information System Design and Development
15.3.1 Information systems that are designed or developed for or on behalf of VA at non-VA facilities shall comply with all VA policies developed in accordance with Federal Information Security Management Act (FISMA), Health Insurance Portability and Accountability Act (HIPAA), NIST, and related VA security and privacy control requirements for Federal information systems. This includes standards for the protection of electronic PHI, outlined in 45 C.F.R. Part 164, Subpart C, information and system security categorization level designations in accordance with FIPS 199 and FIPS 200 with implementation of all baseline security controls commensurate with the FIPS 199 system security categorization (reference Appendix D of VA Handbook 6500, VA Information Security Program). During the development cycle a privacy impact assessment will be completed, provided to the COTR, and approved by the VA Privacy Service in accordance with VA Privacy Impact Assessment Handbook 6500.3.
15.3.2 The security controls must be designed, developed, approved by VA, and implemented in accordance with the provisions of VA security system development life cycle as outlined in NIST Special Publication 800-37 and VA Handbook 6500.
15.3.3 The contractor will be required to design, develop, or operate a System of Records on individuals to accomplish an agency function subject to the Privacy Act of 1974, (as amended), Public Law 93-579, December 31, 1974 (5 U.S.C.552a) and applicable agency regulations. Violation of the Privacy Act may involve the imposition of criminal and civil penalties.
15.3.4 The contractor agrees to -
18.104.22.168 Comply with the Privacy Act of 1974 (the Act) and the agency rules and regulations issued under the Act in the design, development, or operation of any system of records on individuals to accomplish an agency function when the contract specifically identifies --
" The systems of records; and
" The design, development, or operation work that the contractor is to perform;
22.214.171.124 Include the Privacy Act notification contained in this contract in every solicitation and resulting subcontract and in every subcontract awarded without a solicitation, when the work statement in the proposed subcontract requires the redesign, development, or operation of a system of records on individuals that is subject to the Act; and,
15.3.5 Include this Privacy Act clause, including this subparagraph (3), in all subcontracts awarded under this contract which requires the design, development, or operation of such a system of records.
15.3.6 In the event of violations of the Act, a civil action may be brought against the agency involved when the violation concerns the design, development, or operation of a system of records on individuals to accomplish an agency function, and criminal penalties may be imposed upon the officers or employees of the agency when the violation concerns the operation of a system of records on individuals to accomplish an agency function. For purposes of the Act, when the contract is for the operation of a system of records on individuals to accomplish an agency function, the contractor is considered to be an employee of the agency.
15.3.7 Operation of a system of records" means performance of any of the activities associated with maintaining the system of records, including the collection, use, and dissemination of records.
15.3.8 "Record" means any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and contains the person's name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a fingerprint or voiceprint, or a photograph.
15.3.9 "System of records on individuals" means a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.
15.4 Information System Hosting, Operation, Maintenance or Use
15.4.1 For information systems that are hosted, operated, maintained, or used on behalf of VA at non-VA facilities, contractors are fully responsible and accountable for ensuring compliance with all HIPAA, Privacy Act, FISMA, NIST, FIPS, and VA security and privacy directives and handbooks. The contractor security control procedures must be identical, not equivalent, to those procedures used to secure VA systems. A privacy impact assessment (PIA) must also be provided to the COTR and approved by VA Privacy Service prior to operational approval. All external Internet connections involving VA information must be reviewed and approved by VA prior to implementation.
15.4.2. Adequate security controls for collecting, processing, transmitting, and storing of personally identifiable information, as determined by the VA Privacy Service, must be in place, tested, and approved by VA prior to hosting, operation, maintenance, or use of the information system, or systems by or on behalf of VA. These security controls need to be stated within the PIA and supported by a risk assessment. If these controls are determined not to be in place, or inadequate, a Plan of Action and Milestones (POA&M) must be submitted and approved prior to the collection of PII.
15.4.3 Outsourcing (contractor facility/contractor equipment/contractor staff) of systems or network operations, telecommunications services, or other managed services requires certification and accreditation (C&A) of the contractor's systems in accordance with NIST Special Publication 800-37 and VA Handbook 6500 and a privacy impact assessment of the contractor's systems prior to operation of the systems. Government-owned (government facility/government equipment) contractor-operated systems, third party or business partner networks require a system interconnection agreement and a memorandum of understanding (MOU) which detail what data types will be shared, who will have access, and the appropriate level of security controls for all systems connected to VA networks.
15.4.4 The contractor must adhere to all FISMA, FIPS, and NIST standards related to the annual FISMA security controls assessment and review and update the PIA. Any deficiencies noted during this assessment must be provided to the VA contracting officer and the information security officer (ISO) for entry into VA's Plan of Action and Milestone (POA&M) management process. The contractor will use VA's POA&M process to document planned remedial actions to address any deficiencies in information security policies, procedures, and practices, and the completion of those activities. Security deficiencies must be corrected within the timeframes approved by the Government. Contractor procedures will be subject to periodic, unannounced assessments by VA officials. The physical security aspects associated with contractor activities will also be subject to such assessments. As updates to the system occur, an updated PIA must be submitted to the VA Privacy Service through the COTR for approval.
15.4.5 All electronic storage media used on non-VA leased or owned IT equipment that is used to store, process, or access VA sensitive information must have all VA sensitive information removed, cleared, sanitized, or destroyed in accordance with VA policies and procedures upon: (1) completion or termination of the contract or (2) disposal or return of the IT equipment by the contractor or any person acting on behalf of the contractor, whichever is earlier.
15.5 Security Incident Investigation
15.5.1 The term "security incident" means an event that has, or could have, resulted in unauthorized access to, loss or damage to VA assets, or sensitive information, or an action that breaches VA security procedures. The contractor shall immediately notify the Contracting Officer Technical Representative (COTR) and simultaneously, the designated ISO/Privacy Officer for the contract of any known or suspected security/privacy incidents, or any unauthorized disclosure of sensitive information, including that contained in system(s) to which the contractor has access.
15.5.2 To the extent known by the contractor, the contractor's notice to VA will identify the information involved, the circumstances surrounding the incident (including to whom, how, when, and where the VA information/assets were placed at risk or compromised), and any other information that the contractor considers relevant.
15.5.3 The contractor will simultaneously report the incident to the appropriate law enforcement entity(ies) of jurisdiction, including the VA Offices of the Inspector General and Security and Law Enforcement, in instances of theft or break-in or other criminal activity. The contractor, its employees, and its subcontractors and their employees will cooperate with VA and any law enforcement authority responsible for the investigation and prosecution of any possible criminal law violation(s) associated with any incident. The contractor will cooperate with VA in any civil litigation to recover VA information, obtain monetary or other compensation from a third party for damages arising from any incident, or obtain injunctive relief against any third party arising from, or related to, the incident.
15.5.4 To the extent practicable, the contractor shall mitigate any harmful effects on individuals whose VA information was accessed or disclosed in a security incident. In the event of a data breach with respect to any VA Sensitive Information processed or maintained by the contractor or subcontractor under the contract, the contractor is responsible for liquidated damages to be paid to VA.
15.6 Security Controls Compliance Testing
On a periodic basis, VA, including the Office of Inspector General, reserves the right to evaluate any or all of the security controls and privacy practices implemented by the contractor under the clauses contained within the contract. With 10 working-days' notice, at the request of the Government, the contractor will fully cooperate and assist in a Government-sponsored security controls assessment at each location wherein VA information is processed or stored, or information systems are developed, operated, maintained, or used on behalf of VA, including those initiated by the Office of Inspector General. The Government may conduct a security control assessment on shorter notice (to include unannounced assessments) determined by VA in the event of a security incident or at any other time.
15.7 Security Training
15.7.1 All Contractor employees and Sub-Contractor employees requiring access to VA sensitive information and/or VA information systems shall complete the following before being granted access to VA networks or sensitive information:
" Sign and acknowledge understanding of and responsibilities for compliance with the attached National Rules of Behavior relating to access to VA information and information systems;
" Successfully complete VA Cyber Security Awareness training and annual refresher training as required;
" Successfully complete VA General Privacy training and annual refresher training as required; and
" Successfully complete any additional cyber security or privacy training, as required for VA personnel with equivalent information system access [to be defined by the VA program official and provided to the contracting officer for inclusion in the solicitation document - e.g., any role-based information security training required in accordance with NIST Special Publication 800-16, Information Technology Security Training Requirements.]
15.7.2 The Contractor shall provide to the contracting officer a copy of the training certificates for each applicable employee within 1 week of the initiation of the contract and annually thereafter, as required. These online courses are located at the following web site: https://www.ees-learning.net/.
15.7.3 Failure to complete this mandatory training within the timeframe required will be grounds for suspension or termination of all physical and/or electronic access privileges and removal from work on the contract until such time as the training is completed.
15.8 Contractor Personnel Security
15.8.1 All Contractor employees who require access to the Department of Veterans Affairs' computer systems shall be the subject of a background investigation and must receive a favorable adjudication from the VA Security and Investigations Center (07C). The level of background security investigation shall be in accordance with VA Directive 0710 dated September 10, 2004 and is available at: http://www.va.gov/pubs/asp/edsdirec.asp (VA Handbook 0710, Appendix A, and Tables 1 - 3). Appropriate Background Investigation (BI) forms shall be provided upon contract (or task order) award (Attachment 3 of SOW), and are to be completed and returned to the VA Security and Investigations Center (07C) within 3 days for processing. Contractors shall be notified by 07C when the BI has been completed and adjudicated. These requirements are applicable to all Sub-Contractor personnel requiring the same access. If the security clearance investigation is not completed prior to the start date of the contract, the employee shall not work on the contract while the security clearance is being processed. Work will commence as soon as the Contractor and Contractor employee receives and email message that states the following: We show that background investigation request on the individual listed below has been completed and the case has been initiated by the Security Investigations Center. When the case is completed, all adjudicative paperwork will be returned to the requesting office. You can provide this email to the Station ISO as proof the investigation has been initiated and access can be granted. This notice does not ensure completion of VetPro or other required security training. Those individuals that require VetPro Credentialing or additional security training must receive those completion notifications from the proper authority prior to start date.
15.8.2 The investigative history for Contractor personnel working under this contract must be maintained in the databases of either the Office of Personnel Management (OPM) or the Defense Industrial Security Clearance Organization (DISCO). Should the Contractor use a vendor other than OPM or Defense Security Service (DSS) to conduct investigations, the investigative company must be certified by OPM/DSS to conduct Contractor investigations.
15.9 Background Investigation
The position sensitivity impact for this effort has been designated as Low Risk and the level of background investigation is NACI.
15.9.1 Contractor Responsibilities
126.96.36.199 The Contractor shall bear the expense ($230.00 per individual) of obtaining background investigations. If the investigation is conducted by the Office of Personnel Management (OPM) through the VA, the Contractor shall reimburse the VA within 30 days.
188.8.131.52 Background investigations from investigating agencies other than OPM are permitted if the agencies possess an OPM and Defense Security Service certification. The Vendor Cage Code number must be provided to the Security and Investigations Center (07C), which shall verify the information and advise the contracting officer whether access to the computer systems can be authorized.
184.108.40.206 The Contractor shall prescreen all personnel requiring access to the computer systems to ensure they maintain a U.S. citizenship and are able to read, write, speak and understand the English language.
220.127.116.11 After contract award and prior to contract performance, the Contractor shall provide the following information, using Attachment B, to the CO or designated COTR:
" List of names of Contractor personnel.
" Social Security Number of Contractor personnel.
" Home address of Contractor personnel or the Contractor's address.
18.104.22.168 The Contractor, when notified of an unfavorable determination by the Government, shall withdraw the employee from consideration from working under the contract.
22.214.171.124 Failure to comply with the Contractor personnel security requirements may result in termination of the contract for default.
126.96.36.199 Further, the Contractor shall be responsible for the actions of all individuals provided to work for the VA under this contract. In the event that damages arise from work performed by Contractor provided personnel, under the auspices of this contract, the Contractor shall be responsible for all resources necessary to remedy the incident."
15.10 Government Responsibilities
15.10.1 The VA Security and Investigations Center (07C) shall provide the necessary forms to the Contractor or to the Contractor's employees after receiving a list of names and addresses.
15.10.2 Upon receipt, the VA Security and Investigations Center (07C) shall review the completed forms for accuracy and forward the forms to OPM to conduct the background investigation. The VA facility shall pay for investigations conducted by the OPM in advance. In these instances, the Contractor shall reimburse the VA facility within 30 days.
15.10.3 The VA Security and Investigations Center (07C) shall notify the contracting officer and Contractor after adjudicating the results of the background investigations received from OPM.
15.10.4 The COTR will ensure that the Contractor provides evidence that investigations have been completed or are in the process of being requested.
16 ELECTRONIC AND INFORMATION TECHNOLOGY STANDARDS
16.1 The Contractor shall comply with Department of Veterans Affairs (VA) Directive 6102 and VA Handbook 6102 (Internet/Intranet Services).
16.2 VA Directive 6102 sets forth policies and responsibilities for the planning, design, maintenance support, and any other functions related to the administration of a VA Internet/Intranet Service Site or related service (hereinafter referred to as Internet). This directive applies to all organizational elements in the Department. This policy applies to all individuals designing and/or maintaining VA Internet Service Sites; including but not limited to full time and part time employees, Contractors, interns, and volunteers. This policy applies to all VA Internet/Intranet domains and servers that utilize VA resources. This includes but is not limited to va.gov and other extensions such as, ".com, .eddo, .mil, .net, .org," and personal Internet service pages managed from individual workstations.
16.3 VA Handbook 6102 establishes Department-wide procedures for managing, maintaining, establishing, and presenting VA Internet/Intranet Service Sites or related services (hereafter referred to as "Internet"). The handbook implements the policies contained in VA Directive 6102, Internet/Intranet Services. This includes, but is not limited to, File Transfer Protocol (FTP), Hypertext Markup Language (HTML), Simple Mail Transfer Protocol (SMTP), Web pages, Active Server Pages (ASP), e-mail forums, and list servers.
16.4 VA Directive 6102 and VA Handbook 6102 are available at:
Internet/Intranet Services Directive 6102
Internet/Intranet Services Handbook 6102
16.5 Internet/Intranet Services Handbook 6102 Change 1 - updates VA's cookie use policy, Section 508 guidelines, guidance on posting of Hot Topics, approved warning notices, and minor editorial errors.
16.6 In addition, any technologies that enable a Network Delivered Application (NDA) to access or modify resources of the local machine that are outside of the browser's "sand box" are strictly prohibited. Specifically, this prohibition includes signed-applets or any ActiveX controls delivered through a browser's session. ActiveX is expressly forbidden within the VA while .NET is allowed only when granted a waiver by the VA CIO *PRIOR* to use.
17 SECTION 508 COMPLIANCE
17.1 The Contractor shall comply with Section 508 of the Rehabilitation Act (29 U.S.C. § 794d), as amended by the Workforce Investment Act of 1998 (P.L. 105-220), August 7, 1998.
17.2 In December 2000, the Architectural and Transportation Barriers Compliance Board (Access Board), pursuant to Section 508(2) (A) of the Rehabilitation Act Amendments of 1998, established Information Technology accessibility standards for the Federal Government. Section 508(a)(1) requires that when Federal departments or agencies develop, procure, maintain, or use Electronic and Information Technology (EIT), they shall ensure that the EIT allows Federal employees with disabilities to have access to and use of information and data that is comparable to the access to and use of information and data by other Federal employees. The Section 508 requirement also applies to members of the public seeking information or services from a Federal department or agency.
17.3 Section 508 text is available at:
Attachment A : Not applicable
Security Background Investigation Information
(Submit after award and prior to contract performance)
Complete this form after contract award if Contractor employee does not possess a VA - NACI clearance. The completed form must be sent directly to the Contracting Officer or designated COTR within three days of award.
Vendor Business Information
Vendor Name: ____
DUNNS Number: ________________________
Cage Code Number: _______________________
Complete Address: __________________________
City, State, and Zip Code: ____________________________
Vendor POC Name:
Applicant Name: _______________________________________________
Last First Middle
Applicant SSN: _______________________
Applicant DOB: ______________________ Place of Birth: ________________
Applicant Email: _______________________
Applicant Occupation: _______________________
1. Was the employee prescreened? _____ yes or _____ no
2. Is the employee a U.S. Citizen? _____ yes or _____ no
3. Can the employee read, write, speak and understand English language?
_____ yes or ______ no
Attachment B - Not Applicable
Progress Report Format
Cover Sheet: (Project title; Contractor name and address; Contract Number/Purchase Order number; Agency Name)
Purchase Order Number:
Reporting Period: (xx,xx 20xx, - xx xx, 20xx)
Prepared By: (insert name and title of person preparing report)
Executive Summary: (Abstract of progress for each deliverable of contractor activity)
1. The Contractor shall provide a status report each month during the contract period:
a. Identifying progress on tasks
b. Relevant issues regarding the performance of the other tasks
c. Expected due dates of deliverables
d. Accomplishment of performance metrics
e. Performance issues and or concerns
2. Report shall include but not limited to the items listed above, but should encompass any aspects of the work effort.
3. Meetings and Conferences - list the meetings and conferences attended during the report period and provide a brief explanation (i.e., meeting name, date, location, purpose, and who attended) for each. Attach all meeting minutes to the respective report.
4. List major activities planned for the next month.
5. Other Information - additional discussion and conclusion(s) as needed.
The contractor shall send the report via e-mail to the COTR on the 5th day of each month
Attachment C - Not applicable
Contractor Personnel Change Request Form
Contractor/Vendor: Purchase Order # /Contract #: Project:
Vendor POC: Vendor POC Phone No: Date Submitted:
Personnel to be Added New Personnel Work Address and Phone Number (If working remote, state remote address and telephone number) Personnel to be Replaced Proposed Effective Date Project Role Labor Category Hourly Labor Rate Hour Cap (amount) Resume Meets Quals?
Vendor Acceptance Government Acceptance
Vendor Signature/Date: Project Manager Signature/Date:
Name of Person Signing: Project Manager Name:
Title of Person Signing: Project/Division:
The contractor is responsible for updating the background investigation template as personnel are added to the contract. The contractor must submit the updated roster to the contracting officer within five business days after the added personnel are approved by the COTR. The background investigation forms and fingerprinting must be completed within three business days of the personnel being added to the contract.