NOTICE OF INTENT TO SOLE SOURCE 36C249-21-AP-3183

On behalf of the James H. Quillen VA Medical Center, Network Contracting Office (NCO) 9 is issuing this Intent to Sole Source. THIS IS NOT A REQUEST FOR QUOTE (RFQ) AND NO SOLICITATION IS AVAILABLE. The Department of Veterans Affairs intends to award a Firm Fixed Price award to a single source under the authority of FAR 6.302-1(a)(2)(ii), Only One Responsible Source and No Other Supplies or Services will Satisfy Agency Requirements, to Philips Healthcare, a division of Philips North America, LLC.

The prospective contractor shall provide annual service/maintenance of the Philips Big Bore CT and Ultrasound equipment. The service contract will be on the EPIQ CVx Value_UL A Service Plan, US920B0114, Site ID 86921928, EPIQ CVx Value_UL Configuration Option, EPIQ CVx Value_UL A Service Plan, USD20B1311, Site ID 89248721, EPIQ CVx Value_UL Configuration Option, X8-2t TEE Transducer, F00WX3, Site ID 89445202, X8-2t TEE Transducer, F00XJR, Site ID 89445203, Big Bore RT CT, Big Bore RT Primary Service Plan, Site ID 86320957, Big Bore RT Primary, Tube Coverage Brilliance CT Big Bore Low, which shall provide routine preventative and corrective maintenance in order to ensure optimal working condition and lessen the likelihood of down time. This requirement includes weekday standard hours from 8AM-5PM, excluding Philips Published Holidays, 95% Uptime guarantee, 30-minute phone response, 4-hour on-site response time, and Philips remote services. Periodic Maintenance Inspections (PMI) in accordance with Philips specifications. PMI will be performed on weekdays, M-F during standard hours, at mutually agreed upon dates and times.

NCO 9 intends to award this requirement as a sole source purchase order under the provision of Federal Acquisition Regulation (FAR) 6.302-1 to Philips Healthcare. Based on market research, the required service can only be purchased from Philips Healthcare.
Only Philips Healthcare can provide and install software upgrades and firmware to their equipment, and only Philips authorized technicians can directly escalate to Philips product specialists, support engineering, and engineers for service issues. Therefore the sole source award to Philips Healthcare is in the best interest of the Government. The North American Industry Classification System (NAICS) code for this requirement is 811219 with the size standard of $20.5 million. This notice of intent is not a request for proposals or quotes. Any vendor who believes it can meet the requirement as stated herein may submit a response, which will be considered only if received by August 27, 2021 at 8:00 am CT. Responses to this posting must be in writing and submitted to
[email protected]. A determination not to compete the proposed order based upon the responses to this notice is solely within the discretion of the government.

SAM: Interested parties shall be registered in the System for Award Management (SAM) as prescribed in FAR Clause 52.232-33. SAM information can be obtained by accessing the internet at www.sam.gov or by calling 1-866-606-8220.

STATEMENT OF WORK
Reference # 621-22-1-096-0006

Schedule:

Item Number    Description of Supplies/Services

0001
    EPIQ CVx Value_UL A Service Plan, US920B0114, Site ID 86921928, Warranty Ends 10/19/2021
    EPIQ CVx Value_UL Configuration Option, Warranty Ends 10/19/2021
    EPIQ CVx Value_UL A Service Plan, USD20B1311, Site ID 89248721, Warranty Ends 1/27/2022
    EPIQ CVx Value_UL Configuration Option, Warranty Ends 1/27/2022
    X8-2t TEE Transducer, F00WX3, Site ID 89445202, Warranty Ends 3/25/2022
    X8-2t TEE Transducer, F00XJR, Site ID 89445203, Warranty Ends 3/25/2022
    Big Bore RT CT, Big Bore RT Primary Service Plan, Site ID 86320957, Warranty Ends 2/18/2022
    Big Bore RT Primary, Tube Coverage Brilliance CT Big Bore Low, Warranty Expires 2/18/2022
    Contract Period: Base
    Period of Performance (POP) Begin: 10/19/2021
    POP End: 09/30/2022

1001
    EPIQ CVx Value_UL A Service Plan, US920B0114, Site ID 86921928
    EPIQ CVx Value_UL Configuration Option
    EPIQ CVx Value_UL A Service Plan, USD20B1311, Site ID 89248721
    EPIQ CVx Value_UL Configuration Option
    X8-2t TEE Transducer, F00WX3, Site ID 89445202
    X8-2t TEE Transducer, F00XJR, Site ID 89445203
    Big Bore RT CT, Big Bore RT Primary Service Plan, Site ID 86320957
    Big Bore RT Primary, Tube Coverage Brilliance CT Big Bore Low
    Contract Period: Base
    Period of Performance (POP) Begin: 10/1/202
    POP End: 09/30/2022

SCOPE OF WORK: The James H.
Quillen Veterans Administration Medical Center (VAMC), Corner of Lamont and Veterans Way, Mountain Home, TN 37684, has a requirement for a service contract on the EPIQ CVx Value_UL A Service Plan, US920B0114, Site ID 86921928, EPIQ CVx Value_UL Configuration Option, EPIQ CVx Value_UL A Service Plan, USD20B1311, Site ID 89248721, EPIQ CVx Value_UL Configuration Option, X8-2t TEE Transducer, F00WX3, Site ID 89445202, X8-2t TEE Transducer, F00XJR, Site ID 89445203, Big Bore RT CT, Big Bore RT Primary Service Plan, Site ID 86320957, Big Bore RT Primary, Tube Coverage Brilliance CT Big Bore Low, which shall provide routine preventative and corrective maintenance in order to ensure optimal working condition and lessen the likelihood of down time. This requirement includes weekday standard hours from 8AM-5PM, excluding Philips Published Holidays, 95% Uptime guarantee, 30-minute phone response, 4-hour on-site response time, and Philips remote services. Periodic Maintenance Inspections (PMI) in accordance with Philips specifications. PMI will be performed on weekdays, M-F during standard hours, at mutually agreed upon dates and times.

This contract is to be in effect no later than October 1, 2021 and will expire September 30, 2022. This contract is Base plus One Option year.

It is required that service personnel are factory trained and certified on the Philips equipment listed below in the 1. EQUIPMENT section. Training and certification documentation must be provided to the Contracting Officer's Representative (COR), listed in section 2. DEFINITIONS/ACRONYMS, upon execution of the contract, if requested. This documentation is to remain on file with the COR.

1. EQUIPMENT: Equipment to be serviced and/or maintained includes, but is not limited to: (Equipment is located at the James H.
Quillen VA Medical Center, Mountain Home, TN)

Functional Location    Description
86921928               EPIQ CVx Value_UL A Service Plan
                       EPIQ CVx Value_UL Configuration Option
89248721               EPIQ CVx Value_UL A Service Plan
                       EPIQ CVx Value_UL Configuration Option
89445202               X8-2t TEE Transducer
89445203               X8-2t TEE Transducer
86320957               Big Bore RT CT
                       Tube Coverage Brilliance CT Big Bore Low

2. DEFINITIONS/ACRONYMS:
A. Biomedical Engineering - Supervisor or designee, Room # Biomed A001, Building #200, telephone #423-926-1171 ext. 2416.
B. CO - Contracting Officer
C. COR - Contracting Officer's Representative: Terry Brlecic, 423-926-1171 ext.2538,
[email protected]
D. PM - Preventive Maintenance Inspection. Services which are periodic in nature and are required to maintain the equipment in such condition that it may be operated in accordance with its intended design and functional capacity with minimal incidence of malfunction or inoperative conditions.
E. FSE - Field Service Engineer. A person who is authorized by the contractor to perform maintenance (corrective and/or preventive) services on the VAMC premises.
F. FSR - Field Service Report. Documentation of the services rendered for each incidence of work performance under the terms and conditions of the contract.
G. Acceptance Signature - VA employee who indicates FSE demonstrated service conclusion/status and User has accepted work as complete/pending as stated in FSR.
H. Authorization Signature - COR's signature; indicates COR accepts work status as stated in FSR.
I. NFPA - National Fire Protection Association
J. CDRH - Center for Devices and Radiological Health
K. VAMC - Department of Veterans Affairs Medical Center
L. HASP - A parallel port security system or dongle that is used exclusively by VMS OSCS to secure service documentation and tools. Provides secure access to proprietary documentation and troubleshooting tools on the TrueBeam.

3. CONFORMANCE STANDARDS: Contract service shall ensure that the equipment functions in conformance with the latest published edition of NFPA-99, OSHA, CDRH, and includes performance standards and specifications.

4. UNSCHEDULED MAINTENANCE:
A. Contractor shall maintain the equipment in accordance with the Conformance Standards Section. The Contractor will provide repair service which may consist of calibration, cleaning, oiling, adjusting, replacing parts (without additional cost to the Government), and maintaining the equipment, including all intervening calls necessary between regular services and calibrations. The contractor shall furnish all required parts.
B.
The Contracting Officer (CO), COR, or designated alternate has the authority to approve/request a service call from the contractor.

5. SCHEDULED MAINTENANCE:
A. The Contractor shall perform Preventive Maintenance (PM) service to ensure that equipment listed in the schedule performs in accordance with Section 3. CONFORMANCE STANDARDS. The contractor shall provide and utilize procedures and checklists with worksheet originals indicating work performed and actual values obtained (as applicable) provided to the COR at the completion of the PM. PM services shall include, but need not be limited to, the following:
1. Cleaning of equipment.
2. Reviewing operating system software diagnostics to ensure that the system is operating to the manufacturer's specifications.
3. Calibrating and lubricating the equipment.
4. Performing remedial maintenance of non-emergent nature.
5. Testing and replacing faulty and worn parts and/or parts which are likely to become faulty, fail or become worn.
6. Measuring and adjusting and calibrating as necessary for optimal image quality.
7. Inspecting, and replacing where indicated, electrical wiring and cables for wear and fraying.
8. Inspecting and replacing where indicated, all mechanical components including, but not limited to: patient restraints and support devices, cables and mounting hardware, chains, belts, bearings and tracks, interlocks, clutches, motors, keyboards, and patient couches for mechanical integrity, safety, and performance.
9. Returning the equipment to the operating condition defined in Section 3. CONFORMANCE STANDARDS.
10. Providing documentation of services performed.
11. Inspecting and calibrating the hard copy image device.

PM services shall be performed in accordance with, and during the hours defined in, the preventive maintenance schedule established herein. All exceptions to the PM schedule shall be arranged and approved in advance with the COR.
Any charges for parts, services, manuals, tools, or software required to successfully complete scheduled PM are included within this contract, and its agreed upon price, unless specifically stated in writing otherwise.
B. The contractor shall furnish all backup documentation, including photographs of all measurements and calibrations, to ensure that the system is performing in accordance with the Conformance Standards. The following specific system operation parameters shall be surveyed and documentation provided to the COR during the first (1st) and sixth (6th) month of the contract base period and annually thereafter during the eleventh (11th) month of each subsequent option period.
1. Completion of logs of same content as PM logs.

6. PARTS: The contractor shall furnish and replace parts to meet the uptime requirements. The contractor has ready access to unique and/or high mortality replacement parts. All parts supplied shall be compatible with existing equipment. The contract invoice shall include all parts. The contractor shall use new or re-built parts. The contractor shall not install used parts without approval.

7. DOCUMENTATION/REPORTS: The documentation will include detailed descriptions of the scheduled and unscheduled maintenance procedures performed, including replaced parts and prices (for outside normal working hour services) required to maintain the equipment in accordance with conformance standards. Such documentation shall meet the guidelines as set forth in the Conformance Standards Section. In addition, each FSR must at a minimum document the following data legibly and in complete detail:
A. Name of Contractor.
B. Name of FSE who performed services.
C. Contractor Service FSR Number/Log Number.
D. Date, Time (starting and ending), Equipment Downtime and Hours-On-Site for Service call.
E. VA PO#(s) covering the call, if outside normal working hours.
F. Description of Problem Reported by COR/User.
G. Identification of Equipment to be serviced: INV.
ID# Manufacturer's Name, Device Name, Model #, Serial #, and any other Manufacturer's identification #s.
H. Itemized Description of Service Performed (including Costs associated with after normal working hour services), including: Labor and Travel, Parts (with part #s) and Materials and Circuit location of problem/corrective action.
I. Total Cost to be billed.
J. Signatures:
1. FSE performing services described.
2. VA Employee who witnessed service described.
K. Equipment downtime

NOTE: ANY ADDITIONAL CHARGES CLAIMED MUST BE APPROVED BY THE COR BEFORE SERVICE IS COMPLETED.

8. REPORTING REQUIREMENTS: The contractor shall be required to report to Biomedical Engineering to log in. This check in is mandatory. When the service is completed, the FSE shall document services rendered on a legible FSR(s). The FSE shall be required to log out with Biomedical Engineering and submit the FSR(s) to the COR. All FSRs shall be submitted to the equipment user for an acceptance signature and to the COR for an authorization signature. If the COR is unavailable, a signed, authorized copy of the FSR will be sent to the COR after the work which can be reviewed (if requested or noted on the FSR).

9. LIQUIDATED DAMAGES:
A. Contractor shall be liable to the Government for losses of production due to significant equipment downtime. Significant equipment downtime is that which exceeds ten (10) hours/month. Records regarding downtime will be kept by the COR and the maintenance contractor.
B. Equipment downtime is calculated only from those normal hours of coverage that the scheduled equipment is not fully operational. Downtime will begin when the contractor is required to be on site (see Unscheduled Maintenance Section response time definition), after notification by the CO, COR, or designated alternate. Downtime will accumulate until the scheduled equipment is returned to full and usual operation and accepted as such by the CO, COR or designated alternate.
This does not include scheduled maintenance for PM purposes. Refusal of access to the equipment indicates that the unit is up and running and this time will not be considered when determining downtime. Refusal of access to the equipment voids the service call.
C. If downtime exceeds sixteen (16) consecutive hours, the CO may exercise the option to hire an alternate source to resolve the problem. The decision to exercise this alternative will reside exclusively with the CO. All fees generated by the alternate Contractor(s) will be handled in accordance with the Default clause.
D. Monies will be subtracted from the contract if the contractor fails to meet the up-time requirements using the following formula:

DOWNTIME              MONTHLY MONIES
10-11 HOURS/MONTH     0%
12-13 HOURS/MONTH     20%
14-15 HOURS/MONTH     40%
16-17 HOURS/MONTH     60%
18-19 HOURS/MONTH     80%
20+ HOURS/MONTH       100%

These will be computed for monthly dollar totals.

10. PAYMENT: Invoices will be paid in arrears on a monthly basis. Invoices will be uploaded electronically via Tungsten Network per VA requirements. The paying office is: VA Finance Service Center (FSC), P.O. Box 149971, Austin, TX 78714. https://www.tungsten-network.com/customer-campaigns/veteransaffairs/

INVOICE REQUIREMENTS. Payments will be made by the VA, paid directly to the contractor, in accordance with the Prompt Payment Act. Invoices shall be submitted electronically to the FSC in Austin, Texas. To constitute a proper invoice, the invoice must include the following information and/or attached documentation:
Name of business concern and invoice date.
Contract number.
Purchase Order number.
Price, payment terms and any discounts, rebates or concessions that apply.
Delivery terms (FOB Destination).

11. ADDITIONAL CHARGES: There will be no additional charge for time spent on the site during or after the normal hours of coverage awaiting the arrival of additional FSE and/or delivery of parts.

12.
REPORTING REQUIRED SERVICES BEYOND THE CONTRACT SCOPE: The Contractor shall immediately, but not later than 24 consecutive hours after discovery, notify the CO and COR (in writing) of the existence or the development of any defects in, or repairs required to, the scheduled equipment which the Contractor considers he/she is not responsible for under the terms of the contract. The contractor shall furnish the CO and COR with a written estimate of the cost to make necessary repairs.

13. CONDITION OF EQUIPMENT:
A. The Contractor accepts responsibility for the equipment described in Section 1. EQUIPMENT, in "as is" condition. Failure to inspect the equipment prior to contract award will not relieve the contractor from performance of the requirements of this contract.

14. COMPETENCY OF PERSONNEL SERVICING EQUIPMENT:
A. Each respondent must have an established business, with an office and full time staff. The staff includes a fully qualified FSE and a fully qualified FSE who will serve as the backup.
B. Fully Qualified is based upon training and on experience in the field. For training, the FSE(s) has successfully completed a formalized training program for the equipment identified in the Section 1. EQUIPMENT Schedule. For field experience, the FSE(s) has a minimum of two (2) years' experience with respect to scheduled and unscheduled preventive and remedial maintenance.
C. The FSEs shall be authorized by the contractor to perform the maintenance services. Fully Qualified competent FSEs shall perform all work. The contractor shall provide written assurance of the competency of their personnel and a list of credentials of approved FSEs for each make and model the contractor services at the VAMC. The CO may authenticate the training requirements, request training certificates or credentials from the contractor at any time for any personnel who are servicing or installing any VAMC equipment.
The CO and/or the COR specifically reserve the right to reject any of the contractor's personnel and refuse them permission to work on the VAMC equipment.
D. If subcontractor(s) are used, they must be approved by the CO; the contractor shall submit any proposed change in subcontractor(s) to the CO for approval/disapproval.

15. TEST EQUIPMENT: Prior to commencement of work on this contract, the contractor shall provide the VAMC with a copy of the current calibration certification of all test equipment which is to be used by the contractor on VAMC's equipment. This certification shall also be provided on a periodic basis when requested by the VAMC. Test equipment calibration shall be traceable to a national standard.

16. INSURANCE:
A. Worker compensation and employer's liability. Contractors are required to comply with applicable Federal and State Worker Compensation and occupational disease statutes.
B. General Liability. Contractors are required to have Bodily Injury liability insurance coverage written on the comprehensive form of policy of at least $500,000 per occurrence.
C. Property Damage Liability. Contractors are required to have Property Damage Liability insurance coverage of at least $500,000.

17. CONTRACTOR PERSONNEL SECURITY REQUIREMENTS: All Contractor employees who require access to the Department of Veterans Affairs computer systems shall be the subject of a background investigation and must receive a favorable adjudication from the VA Office of Security and Law Enforcement prior to contract performance. This requirement is applicable to all subcontractor personnel requiring the same access. If the investigation is not completed prior to the start date of the contract, the Contractor will be responsible for the actions of those individuals they provide to perform work for VA.
VAAR 852.273-75 SECURITY REQUIREMENTS FOR UNCLASSIFIED INFORMATION TECHNOLOGY RESOURCES (Interim - October 2008)

(a) The contractor and their personnel shall be subject to the same Federal laws, regulations, standards, and Veterans Affairs (VA) policies as VA personnel, regarding information and information system security. These include, but are not limited to Federal Information Security Management Act (FISMA), Appendix III of OMB Circular A-130, and guidance and standards, available from the Department of Commerce's National Institute of Standards and Technology (NIST). This also includes the use of common security configurations available from NIST's Web site at: http://checklists.nist.gov

(b) To ensure that appropriate security controls are in place, Contractors must follow the procedures set forth in "VA Information and Information System Security/Privacy Requirements for IT Contracts" located at the following Web site: http://www.iprm.oit.va.gov

Position Sensitivity
The position sensitivity has been designated as Low Risk.

Background Investigation
The level of background investigation commensurate with the required level of access is National Agency Check with Written Inquiries (NACI). Non-citizen contract personnel appointed to Low Risk or No sensitive positions will be subject to a National Agency Check with Law Enforcement and Credit Check (NACLC).

Contractor Responsibilities:
The Contractor shall bear the expense of obtaining background investigations. If the investigation is conducted by the Office of Personnel Management (OPM), the Contractor shall reimburse VA within 30 days after receipt of a Bill of Collection. The estimated cost of the NACI or NACLC is $200.00 per person. The Contractor shall prescreen all personnel requiring access to the computer systems to ensure they are able to read, write, speak, and understand the English language.
The Contractor employees shall download, complete, and mail the documents required for a Low Risk Position within twenty (20) calendar days of receipt of e-mail notification from the VA Security Investigations Center (SIC). Documents shall be downloaded from the following website: http://www.va.gov/vabackground_investigations Electronic fingerprinting can be performed at the Human Resources Office (See COR for assistance). The Contractor, when notified of an unfavorable determination by the Government, will withdraw the employee from consideration from working under the contract. Failure to comply with the Contractor personnel security requirements may result in termination of the contract for default. Government Responsibilities: Upon receipt, the VA Office of Security and Law Enforcement will review the completed forms for accuracy and forward the forms to OPM to conduct the background investigation. The VA facility will pay for investigations conducted by the Office of Personnel Management (OPM) in advance. In these instances, the Contractor will reimburse the VA facility within 30 days after receipt of a Bill of Collection. The VA Office of Security and Law Enforcement will notify the Contracting Officer (CO) and Contractor after adjudicating the results of the background investigations received from OPM. The CO will ensure that the Contractor provides evidence that investigations have been completed or are in the process of being requested. Contractor personnel performing work under this contract shall satisfy all requirements for appropriate security eligibility in dealing with access to sensitive information and information systems belonging to or being used on behalf of the Department of Veterans Affairs. The Contractor will be responsible for the actions of those individuals they provide to perform work for the VA under this contract. 
In the event that damages arise from work performed by Contractor provided personnel, under the auspices of this contract, the Contractor will be responsible for all resources necessary to remedy the incident. Printed output containing sensitive VHA data will be stored in a secured area, and disposed of properly by shredding or similar methods. Under the provisions of the Privacy Act of 1974 as amended, personnel performing work under this contract have an obligation to protect VA information indefinitely. Furthermore, it is the Contractor's responsibility to notify the Information Management staff when access to Information Management systems is no longer needed by personnel performing work under this contract. Contractor employees are required to complete the online training classes entitled VA Cyber Security Awareness and VHA Privacy Policy. The necessary link and instructions to gain access are found at http://www.vcampus.com/cciivv/valo/index.html. A Certificate of successful completion will be generated. The certificate shall be mailed to Judy Buccini, Information Security Officer, internal mail routing symbol 003I-H or faxed to 412-365-4614. The Contractor will provide health care to patients seeking such care from or through VA. As such, the Contractor is considered part of the Department health activity for purposes of the following statutes and the VA regulations implementing these statutes: the Privacy Act, 5 U.S.C. § 552a, and 38 U.S.C. §§ 5701, 7705 and 7332. Contractor and its employees may have access to patient medical records to the extent necessary for the contract or to perform this contract. Notwithstanding any other provision of this agreement, the Contractor and its employees may disclose patient treatment records only pursuant to explicit disclosure authority from VA. Contractor and its employees are subject to the penalties and liabilities provided under statutes and regulations for unauthorized disclosures of such records and contents. 
The VA may provide Contractor and subcontractor employees with access to VA automated patient records maintained on VA computer systems only to the extent and under the same conditions and requirements as VA provides access to these records to its own employees. All Contractor personnel and any subcontracted employees, if applicable, accessing the VISTA system will be required to sign and abide by all VA security policies, and applicable VA confidentiality statutes, 38 U.S.C. §5701, 38 U.S.C. §7332, and the Privacy Act, 5 U.S.C. §552a. The VA will provide access applications and security agreements. Contractor shall ensure the confidentiality of all patient information and shall be held liable in the event of the breach of confidentiality. Due to the confidential nature of medical reports, all transcription must be completed in areas that provide reasonable security. All documents are confidential and are protected under the Privacy Act of 1974, as amended. All vendor personnel shall be required to observe the requirements imposed on sensitive data by law, federal regulations, VA statutes and policy, DM&S policy and the associated requirements to insure appropriate screening of personnel. The database utilized by the Contractor under this agreement, the adverse drug event reports provided to the Contractor by VA, and documents created from analyzing this database, the adverse drug event reports, and patient medical records are medical quality assurance records protected by 38 U.S.C. § 5705, its implementing regulations at 38 U.S.C. §§ 17.500-.511 and VHA Directive 2002-043, Quality Management (QM) And Patient Safety Activities That Can Generate Confidential Documents. These records may be disclosed only as authorized by § 5705 and the VA regulations. Disclosure of these records in violation of § 5705 is a criminal offense under 38 U.S.C. § 5705(e). 
The treatment and administrative patient records created by, or provided to, the Contractor under this agreement are covered by the VA system of records entitled "Patient Medical Records - VA" (24VA136). Records created by the Contractor in the course of treating VA patients under this agreement are the property of the VA and shall not be accessed, released, transferred or destroyed except in accordance with applicable federal law and regulations. Upon expiration of this contract or termination of the contract, the Contractor will promptly provide the VA with any individually identified VA patient treatment records.

All portable media (including but not limited to thumb-drives, CD-ROMs, etc.) utilized by the Contractor under this contract must be encrypted in accordance with the security requirements identified in Federal Information Processing Standards (FIPS) Publication (PUB) 140-2. Only thumb drives and encryption software explicitly approved by the VA may be used. No VA data is permitted to be stored on a desktop or laptop computer hard drive. Any portable computer used under this contract must have the hard drive encrypted in accordance with FIPS 140-2.

PERSONAL IDENTITY VERIFICATION OF CONTRACTOR PERSONNEL
All personnel employed by the Contractor must comply with Homeland Security Presidential Directive 12 (HSPD-12), Office of Management and Budget (OMB) guidance M-05-24 and FIPS PUB Number 201, which requires all federal employees, Contractors and affiliates to have a Personal Identity Verification (PIV) identification card. The PIV process will be initiated and completed by the VA Medical Center. The Contractor will be responsible for all costs associated with transportation of the employee to the VA Medical Center to initiate the fingerprinting and overall process. The COR will ensure all Contractor employees are informed of procedures for obtaining proper Identification cards.
Supplemental Agreement
Contract is modified to include the VA Information and Information System Security/Privacy Requirements for IT Contracts dated Aug 2008 (provided) and following statement and clause VAAR 852.273-75:

"To monitor and enforce these media sanitization requirements the VA will require the vendor to maintain an active inventory of all media used to store VA information including hard drives in workstations, servers, or RAID sets; CD/optical drives; USB Flash drives; backup tapes; or any other device used for storage of VA information. Each storage device must be specified by description (for example: Quantity 8: HP 72.8 GB Hard drive 320 MBps or Quantity 75: Sony LTX-200G Ultrium backup tapes). If feasible the serial number physically attached or marked on the device by the manufacturer must also be included in the inventory. The inventory will be continuously updated as new storage media is added. Disposal of any media used to store VA information without prior approval from the VA is prohibited."

A.1 VAAR 852.273-75 SECURITY REQUIREMENTS FOR UNCLASSIFIED INFORMATION TECHNOLOGY RESOURCES (Interim - October 2008)

(a) The contractor and their personnel shall be subject to the same Federal laws, regulations, standards and VA policies as VA personnel, regarding information and information system security. These include, but are not limited to Federal Information Security Management Act (FISMA), Appendix III of OMB Circular A-130, and guidance and standards, available from the Department of Commerce's National Institute of Standards and Technology (NIST).
This also includes the use of common security configurations available from NIST's Web site at: http://checklists.nist.gov

(b) To ensure that appropriate security controls are in place, Contractors must follow the procedures set forth in "VA Information and Information System Security/Privacy Requirements for IT Contracts" located at the following Web site: http://www.iprm.oit.va.gov

(End of Clause)

VA Information and Information System Security/Privacy Requirements for IT Contracts

General
All contractors and contractor personnel shall be subject to the same Federal laws, regulations, standards and VA policies as VA, and VA personnel, regarding information and information system security. Contractors must follow policies and procedures outlined in VA Directive 6500, Information Security Program and its handbooks to ensure appropriate security controls are in place.

Access to VA Information and VA Information Systems
A contractor shall request logical (technical) and/or physical access to VA information and VA information systems for employees, subcontractors, and affiliates only to the extent necessary: (1) to perform the services specified in the contract, (2) to perform necessary maintenance functions for electronic storage or transmission media necessary for performance of the contract, and (3) for individuals who first satisfy the same conditions, requirements and restrictions that comparable VA employees must meet in order to have access to the same type of VA information.

All contractors and subcontractors working with VA Sensitive Information are subject to the same investigative requirements as those of regular VA appointees or employees who have access to the same types of information.
The level of background security investigation will be in accordance with VA Directive 0710, Handbook 0710, which are available at: http://www1.va.gov/vapubs/ and VHA Directive 0710 and implementing Handbook 0710.01 which are available at: http://www1.va.gov/vhapublications/index.cfm. Contractors are responsible for screening their employees.

The following are VA's approved policy exceptions for meeting VA's background screenings/investigative requirements for certain types of contractors:

Contract personnel not accessing VA information resources such as personnel hired to maintain the medical facility grounds, construction contracts, utility system contractors, etc.,

Contract personnel with limited and intermittent access to equipment connected to facility networks on which no VA sensitive information is available, including contractors who install, maintain, and repair networked building equipment such as fire alarm; heating, ventilation, and air conditioning equipment; elevator control systems, etc. If equipment to be repaired is located within sensitive areas (e.g. computer room/communications closets) VA IT staff must escort contractors while on site.

Contract personnel with limited and intermittent access to equipment connected to facility networks on which limited VA sensitive information may reside, including medical equipment contractors who install, maintain, and repair networked medical equipment such as CT scanners, EKG systems, ICU monitoring, etc. In this case, Veterans Health Administration facilities must have a duly executed VA business associate agreement (BAA) in place with the vendor in accordance with VHA Handbook 1600.01, Business Associates, to assure compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in addition to the contract. Contract personnel, if on site, should be escorted by VA IT staff.

Contract personnel who require access to national security programs must have a valid security clearance.
National Industrial Security Program (NISP) was established by Executive Order 12829 to ensure that cleared U.S. defense industry safeguards the classified information in their possession while performing work on contracts, programs, bids, or research and development efforts. Defense Security Service (DSS) administers the NISP on behalf of the Department of Defense and 23 other federal agencies within the Executive Branch. VA will verify clearance through DSS.

VA Information Custodial Requirements

Information made available to the contractor by VA for the performance or administration of this contract or information developed by the contractor in performance or administration of the contract shall be used only for those purposes and shall not be used in any other way without the prior written agreement of the CO. This clause expressly limits the contractor's rights to use data as described in Rights in Data - General, FAR 52.227-14(d)(1).

Information generated by a Contractor as a part of the contractor's normal business operations, such as medical records created in the course of providing treatment, is subject to a review by the Office of General Counsel (OGC) to determine if the information is the property of VA and subject to VA policy. If the information is determined by OGC to not be the property of VA, the restrictions required for VA information will not apply.

VA information will not be co-mingled with any other data on the contractors/subcontractors information systems/media storage systems in order to ensure VA requirements related to data protection and media sanitization can be met. VA also reserves the right to conduct IT resource inspections to ensure data separation and on-site inspection of information destruction/media sanitization procedures to ensure they are in compliance with VA policy requirements.
Prior to termination or completion of this contract, contractor will not destroy information received from VA or gathered or created by the contractor in the course of performing this contract without prior written approval by the VA CO. Any data destruction done on behalf of VA by a contractor must be done in accordance with National Archives and Records Administration (NARA) requirements as outlined in VA Directive 6300, Records and Information Management and its Handbook 6300.1 Records Management Procedures, and applicable VA Records Control Schedules.

The contractor will receive, gather, store, back up, maintain, use, disclose and dispose of VA information only in compliance with the terms of the contract and applicable Federal and VA information confidentiality and security laws, regulations and policies. Applicable Federal information security regulations include all Federal Information Processing Standards (FIPS) and Special Publications (SP) issued by the National Institute of Standards and Technology (NIST). If Federal or VA information confidentiality and security laws, regulations and policies become applicable to the VA information or information systems after execution of the contract, or if NIST issues or updates applicable FIPS after execution of this contract, the parties agree to negotiate in good faith to implement the information confidentiality and security laws, regulations and policies, including FIPS or SP, in this contract.

Contractors collecting, storing, or disseminating personal identifiable information (PII) or protected health information (PHI) data must conform to all pertinent regulations, laws, and VA directives related to privacy. Contractors must provide access for VA privacy reviews and assessments and provide appropriate documentation as directed.
The contractor shall not make copies of VA information except as necessary to perform the terms of the agreement or to preserve electronic information stored on contractor electronic storage media for restoration in case any electronic equipment or data used by the contractor needs to be restored to an operating state.

If VA determines that the contractor has violated any of the information confidentiality, privacy, and security provisions of the contract, it shall be sufficient grounds for VA to terminate the contract for default or terminate for cause under Federal Acquisition Regulation (FAR) part 12. If a VHA contract is terminated for cause, the associated business associate agreement (BAA) will also be terminated and appropriate actions taken in accordance with VHA Handbook 1600.01 Business Associates.

Contractor will store, transport or transmit VA sensitive information in an encrypted form, using a VA-approved encryption application that meets the requirements of NIST's FIPS 140-2 standard.

The contractor's firewall and Web services security controls, if applicable, shall meet or exceed VA's minimum requirements. VA directives are available on the VA directives Web site at http://www1.va.gov/vapubs/.

Except for uses and disclosures of VA information authorized by this contract for performance of the contract, the contractor may use and disclose VA information only in two other situations: (i) in response to a qualifying order of a court of competent jurisdiction, or (ii) with VA's prior written approval. The contractor will refer all requests for, demands for production of, or inquiries about, VA information and information systems to the VA CO for response.

Notwithstanding the provision above, the contractor shall not release medical quality assurance records protected by 38 U.S.C. 5705 or records pertaining to drug addiction, sickle cell anemia, alcoholism or alcohol abuse, or infection with human immunodeficiency virus protected under 38 U.S.C.
7332 under any circumstances, including in response to a court order, and shall immediately refer such court orders or other inquiries to the VA CO for response.

The contractor will not use technologies banned in VA in meeting the requirements of the contract (e.g., Bluetooth enabled devices).

Information System Design and Development

Information systems that are designed or developed for or on behalf of VA at non-VA facilities shall comply with all VA policies developed in accordance with Federal Information Security Management Act (FISMA), Health Insurance Portability and Accountability Act (HIPAA), NIST, and related VA security and privacy control requirements for Federal information systems. This includes standards for the protection of electronic PHI, outlined in 45 C.F.R. Part 164, Subpart C, information and system security categorization level designations in accordance with FIPS 199 and FIPS 200 with implementation of all baseline security controls commensurate with the FIPS 199 system security categorization (reference Appendix D of VA Handbook 6500, VA Information Security Program). During the development cycle a privacy impact assessment will be completed, provided to the COR, and approved by the VA Privacy Service in accordance with VA Privacy Impact Assessment Handbook 6500.3.

The security controls must be designed, developed, approved by VA, and implemented in accordance with the provisions of VA security system development life cycle as outlined in NIST Special Publication 800-37 and VA Handbook 6500.

The contractor will be required to design, develop, or operate a System of Records on individuals to accomplish an agency function subject to the Privacy Act of 1974, (as amended), Public Law 93-579, December 31, 1974 (5 U.S.C. 552a) and applicable agency regulations. Violation of the Privacy Act may involve the imposition of criminal and civil penalties.
The contractor agrees to -

(1) Comply with the Privacy Act of 1974 (the Act) and the agency rules and regulations issued under the Act in the design, development, or operation of any system of records on individuals to accomplish an agency function when the contract specifically identifies --
(i) The systems of records; and
(ii) The design, development, or operation work that the contractor is to perform;

(2) Include the Privacy Act notification contained in this contract in every solicitation and resulting subcontract and in every subcontract awarded without a solicitation, when the work statement in the proposed subcontract requires the redesign, development, or operation of a system of records on individuals that is subject to the Act; and,

(3) Include this Privacy Act clause, including this subparagraph (3), in all subcontracts awarded under this contract which requires the design, development, or operation of such a system of records.

In the event of violations of the Act, a civil action may be brought against the agency involved when the violation concerns the design, development, or operation of a system of records on individuals to accomplish an agency function, and criminal penalties may be imposed upon the officers or employees of the agency when the violation concerns the operation of a system of records on individuals to accomplish an agency function. For purposes of the Act, when the contract is for the operation of a system of records on individuals to accomplish an agency function, the contractor is considered to be an employee of the agency.

(1) Operation of a system of records means performance of any of the activities associated with maintaining the system of records, including the collection, use, and dissemination of records.
(2) Record means any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and contains the person's name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a fingerprint or voiceprint, or a photograph.

(3) System of records on individuals means a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.

Information System Hosting, Operation, Maintenance or Use

For information systems that are hosted, operated, maintained, or used on behalf of VA at non-VA facilities, contractors are fully responsible and accountable for ensuring compliance with all HIPAA, Privacy Act, FISMA, NIST, FIPS, and VA security and privacy directives and handbooks. The contractor security control procedures must be identical, not equivalent, to those procedures used to secure VA systems. A privacy impact assessment (PIA) must also be provided to the COR and approved by VA Privacy Service prior to operational approval. All external Internet connections involving VA information must be reviewed and approved by VA prior to implementation.

Adequate security controls for collecting, processing, transmitting, and storing of personally identifiable information, as determined by the VA Privacy Service, must be in place, tested, and approved by VA prior to hosting, operation, maintenance, or use of the information system, or systems by or on behalf of VA. These security controls need to be stated within the PIA and supported by a risk assessment. If these controls are determined not to be in place, or inadequate, a Plan of Action and Milestones (POA&M) must be submitted and approved prior to the collection of PII.
Outsourcing (contractor facility/contractor equipment/contractor staff) of systems or network operations, telecommunications services, or other managed services requires certification and accreditation (C&A) of the contractor's systems in accordance with NIST Special Publication 800-37 and VA Handbook 6500 and a privacy impact assessment of the contractor's systems prior to operation of the systems. Government-owned (government facility/government equipment) contractor-operated systems, third party or business partner networks require a system interconnection agreement and a memorandum of understanding (MOU) which detail what data types will be shared, who will have access, and the appropriate level of security controls for all systems connected to VA networks.

The contractor must adhere to all FISMA, FIPS, and NIST standards related to the annual FISMA security controls assessment and review and update the PIA. Any deficiencies noted during this assessment must be provided to the VA CO and the information security officer (ISO) for entry into VA's Plan of Action and Milestone (POA&M) management process. The contractor will use VA's POA&M process to document planned remedial actions to address any deficiencies in information security policies, procedures, and practices, and the completion of those activities. Security deficiencies must be corrected within the timeframes approved by the Government. Contractor procedures will be subject to periodic, unannounced assessments by VA officials. The physical security aspects associated with contractor activities will also be subject to such assessments. As updates to the system occur, an updated PIA must be submitted to the VA Privacy Service through the COR for approval.
All electronic storage media used on non-VA leased or owned IT equipment that is used to store, process, or access VA sensitive information must have all VA sensitive information removed, cleared, sanitized, or destroyed in accordance with VA policies and procedures upon: (1) completion or termination of the contract or (2) disposal or return of the IT equipment by the contractor or any person acting on behalf of the contractor, whichever is earlier.

Security Incident Investigation

The term security incident means an event that has, or could have, resulted in unauthorized access to, loss or damage to VA assets, or sensitive information, or an action that breaches VA security procedures. The contractor shall immediately notify the Contracting Officer Technical Representative (COR) and simultaneously, the designated ISO/Privacy Officer for the contract of any known or suspected security/privacy incidents, or any unauthorized disclosure of sensitive information, including that contained in system(s) to which the contractor has access.

To the extent known by the contractor, the contractor's notice to VA will identify the information involved, the circumstances surrounding the incident (including to whom, how, when, and where the VA information/assets were placed at risk or compromised), and any other information that the contractor considers relevant.

The contractor will simultaneously report the incident to the appropriate law enforcement entity(ies) of jurisdiction, including the VA Offices of the Inspector General and Security and Law Enforcement, in instances of theft or break-in or other criminal activity. The contractor, its employees, and its subcontractors and their employees will cooperate with VA and any law enforcement authority responsible for the investigation and prosecution of any possible criminal law violation(s) associated with any incident.
The contractor will cooperate with VA in any civil litigation to recover VA information, obtain monetary or other compensation from a third party for damages arising from any incident, or obtain injunctive relief against any third party arising from, or related to, the incident.

To the extent practicable, the contractor shall mitigate any harmful effects on individuals whose VA information was accessed or disclosed in a security incident. In the event of a data breach with respect to any VA Sensitive Information processed or maintained by the contractor or subcontractor under the contract, the contractor is responsible for liquidated damages to be paid to VA.

Security Controls Compliance Testing

On a periodic basis, VA, including the Office of Inspector General, reserves the right to evaluate any or all of the security controls and privacy practices implemented by the contractor under the clauses contained within the contract. With 10 working-days notice, at the request of the Government, the contractor will fully cooperate and assist in a Government-sponsored security controls assessment at each location wherein VA information is processed or stored, or information systems are developed, operated, maintained, or used on behalf of VA, including those initiated by the Office of Inspector General. The Government may conduct a security control assessment on shorter notice (to include unannounced assessments) determined by VA in the event of a security incident or at any other time.
Training

All contractor employees and subcontractor employees requiring access to VA information and VA information systems shall complete the following before being granted access to VA networks:

Sign and acknowledge understanding of and responsibilities for compliance with the attached National Rules of Behavior relating to access to VA information and information systems;

Successfully complete VA Cyber Security Awareness training and annual refresher training as required;

Successfully complete VA General Privacy training and annual refresher training as required; and

Successfully complete any additional cyber security or privacy training, as required for VA personnel with equivalent information system access [to be defined by the VA program official and provided to the CO for inclusion in the solicitation document e.g., any role-based information security training required in accordance with NIST Special Publication 800-16, Information Technology Security Training Requirements.]

The contractor shall provide to the COF a copy of the training certificates for each applicable employee within 1 week of the initiation of the contract and annually thereafter, as required. These online courses are located at the following web site: https://www.ees-learning.net/.

Failure to complete this mandatory training within the timeframe required will be grounds for suspension or termination of all physical and/or electronic access privileges and removal from work on the contract until such time as the training is completed.