Loren Data's SAM Daily™

fbodaily.com
FBO DAILY ISSUE OF NOVEMBER 20, 2010 FBO #3283
SOURCES SOUGHT

D -- IT Services

Notice Date
11/18/2010
 
Notice Type
Sources Sought
 
NAICS
541519 — Other Computer Related Services
 
Contracting Office
Department of Health and Human Services, National Institutes of Health, Clinical Center/Office of Purchasing & Contracts, 6707 Democracy Blvd, Suite 106, MSC 5480, Bethesda, Maryland, 20892-5480
 
ZIP Code
20892-5480
 
Solicitation Number
184024
 
Point of Contact
Lynda Johnson, Phone: 301-496-2342
 
E-Mail Address
lynda_johnson@nih.gov
 
Small Business Set-Aside
N/A
 
Description
Statement of Work
Security Evaluation and Preparation of Documents for C & A Certification
NIH Biomedical Translational Research Information System

Background

The Clinical Center of the National Institutes of Health (NIH) is located in Bethesda, Maryland. The NIH Clinical Center provides patient care and research support for over 1300 active clinical research protocols of the intramural program. These clinical protocols represent a wide variety of research questions posed by investigators from each of the institutes and centers comprising the National Institutes of Health.

In August of 2004, the Clinical Center implemented a new hospital information system for orders, results and documentation. Entitled the Clinical Research Information System (CRIS), this large enterprise system supports all patient care activities within the NIH Clinical Center. Ancillary systems supporting radiology, surgery, lab, nutrition and admissions provide a suite of tools that give electronic support for all aspects of patient care. All data in the CRIS system is organized by patient. Each patient is assigned to one or more protocols, and all data collected is assigned to a specific protocol. The current CRIS system provides information on a patient basis.

The Biomedical Translational Research Information System (BTRIS) is an NIH enterprise project designed to provide researchers access to all patient data from CRIS as well as from other NIH intramural systems. This allows researchers access to data across one protocol or multiple protocols. Access to larger data sets is possible, allowing for data mining and hypothesis generation. Ultimately, BTRIS will enable the NIH intramural program to share data with outside organizations such as FDA, CTSA partners and other extramural collaborators. BTRIS received a full security clearance and authority to operate on 7/30/2010.
Therefore, BTRIS is a mixed lifecycle system requiring attention to ongoing security concerns based on NIH requirements as well as to new security issues related to development activities. As an NIH enterprise system containing personally identifiable information, BTRIS must continue to meet all security requirements stipulated by the Privacy Act as well as meet regulatory rules for clinical research. As an NIH enterprise system, BTRIS needs to actively maintain system security certification and accreditation (C&A), including BTRIS security controls, documentation of security vulnerabilities, and documentation for use by the system's Certifying Authority (CA) and Designated Approving Authority (DAA).

1 Tasks

BTRIS is a fully certified system as of July 30, 2009. The contractor shall maintain the current C & A package, including timely updates in the SPORT system.
1. Determine any new system boundaries and impact level, and document them.
2. Update the security requirements (BLSR)-based security assessment.
3. Update the plan of action to mitigate identified vulnerabilities based on new system functionality.
4. Update all documentation to ensure that NIH, DHHS and OMB requirements are met.
5. Provide a yearly update to the C&A package.

1.1 Determine System Boundaries and Impact Level

The offeror will update the scope of certification activities. The offeror will ensure that the system's impact level and system boundaries remain correctly classified. The offeror will review the current privacy impact assessment. This task includes the following subtasks:
1. Determine system boundaries.
2. Evaluate the BTRIS system logical and technical architecture based on updates since 7/30/2009.
3. Update the BTRIS Security Categorization.
4. Update the BTRIS Security Plan (SP).
5. Update the BTRIS Privacy Impact Assessment (PIA).
6. Solicit CC comments prior to finalizing documents.

Conduct a BLSR-Based Security Assessment

The offeror will assess risks to BTRIS based on established baseline security requirements (BLSR). This task includes the following subtasks:
1. Update the BTRIS Security Assessment Plan (SAP).
2. Conduct interviews to ensure the plan reflects new and anticipated functionality.
3. Conduct a site survey.
4. Conduct security tests.
5. Update the BTRIS Security Assessment Report (SAR).
6. Update the BTRIS Risk Assessment (RA).
7. Solicit CC comments prior to finalizing.

1.2 Develop a Plan of Action to Mitigate Identified Vulnerabilities

The offeror will develop a plan of action and milestones (POA&M) to mitigate vulnerabilities identified by the security and risk assessments. This task includes the following subtasks:
1. Update the BTRIS POA&M.
2. Ensure that the action plans, and the tasks BTRIS staff are expected to complete, are communicated to BTRIS staff.
3. Provide follow-up to ensure each task is completed and documented in the SPORT system.

1.3 Complete Documentation of Certification Evaluation

This task includes the following subtasks:
1. Update the BTRIS Security Plan (SP).
2. Update the BTRIS Security Assessment Report (SAR).
3. Update the BTRIS Risk Assessment (RA).
4. Ensure closure of the BTRIS POA&M.
5. Complete the yearly certification update for 2010 and 2011.

1.4 Prepare Update for C&A Package

The offeror will prepare all required updates to the BTRIS C&A Package using the documents gathered and developed in previous tasks. This task includes the following subtasks:
1. FINAL FY 2011 BTRIS SP, SAR, RA, and POA&M.
2. Develop the necessary documentation for BTRIS OMB 300 security and risk responses.
3. Assemble the BTRIS C&A Package.
4. Provide additional documents as necessary for EPLC and OA processes requiring security updates.

2 C&A Package Contents

The BTRIS C&A Package will comprise the following final deliverables:
• BTRIS CA Certification Statement
• BTRIS DAA Accreditation Statement
• BTRIS Plan of Action and Milestones (POA&M)
• BTRIS Privacy Impact Assessment (PIA)
• BTRIS Risk Assessment (RA)
• BTRIS Security Assessment Plan (SAP)
• BTRIS Security Assessment Report (SAR)
• BTRIS Security Categorization
• BTRIS Security Plan (SP)

3 Cost

The tasks described in Section 2 will be performed on a time and materials (T&M) basis.

4 Government Furnished Property

The offeror will be provided with a desk, computer and phone at the BTRIS offices.

5 Start Date/Period of Performance

December 1, 2010 - November 30, 2012
Estimated 200 hours

6 Experience and Qualifications

1. Demonstrated experience with creating federal C & A plans
2. Demonstrated track record of C & A approval prior to system implementation
3. Demonstrated experience in a clinical research environment
4. Demonstrated ability to work under tight timelines

The following security information is included:

NIH INFORMATION SECURITY

THE FOLLOWING MATERIAL IS APPLICABLE TO DEPARTMENT OF HEALTH AND HUMAN SERVICES (HHS) TASK ORDERS FOR WHICH CONTRACTOR/SUBCONTRACTOR PERSONNEL WILL (1) DEVELOP, (2) HAVE THE ABILITY TO ACCESS, OR (3) HOST AND/OR MAINTAIN A FEDERAL INFORMATION SYSTEM(S). For more information, see HHS Information Security Program Policy at: http://www.hhs.gov/ocio/policy/2004-0002.001.html#intro.

IMPORTANT NOTE TO OFFERORS: The requirements in this section shall be addressed in a separate section of the Technical Proposal entitled "INFORMATION SECURITY".

This Statement of Work (SOW) requires the Contractor to perform one or more of the following:
(1) (1) Develop, (2) have the ability to access, or (3) host and/or maintain a Federal Information system(s).
(2) Include when contractor/subcontractor personnel will have access to, or use of, Personally Identifiable Information (PII), including instances of remote access to or physical removal of such information beyond agency premises or control.
(3) Include when contractor/subcontractor personnel will have regular or prolonged physical access to a Federally-controlled facility.

Include Sections A through G in all contracts.

A. INFORMATION TYPE

**** (NOTE: Based on information provided by the ISSO, PO, and Privacy Officer, select the appropriate general information type(s) below, and provide the specific type of information.) ****

[ X ] Administrative, Management and Support Information:
**** (NOTE: If the above box is checked, the specific type(s) of information from NIST SP 800-60, Volume II: Appendices to Guide for Mapping Types of Information and Information Systems To Security Categories, APPENDIX C, Table 3, at http://csrc.nist.gov/publications/nistpubs/800-60/SP800-60V2-final.pdf must be inserted here.) ****

D.14.5 Health Care Research and Practitioner Education Information Type
Health Care Research and Practitioner Education fosters advancement in health discovery and knowledge. This includes developing new strategies to handle diseases; promoting health knowledge advancement; identifying new means for delivery of services, methods, decision models and practices; making strides in quality improvement; managing clinical trials and research quality; and providing for practitioner education.

[ ] Mission Based Information:
**** (NOTE: If the above box is checked, the specific type(s) of information from NIST SP 800-60, Volume II: Appendices to Guide For Mapping Types Of Information and Information Systems To Security Categories, APPENDIX D, Table 5, at http://csrc.nist.gov/publications/nistpubs/800-60/SP800-60V2-final.pdf must be inserted here. This information will be provided by the IC ISSO and/or Project Officer.) ****

B. SECURITY CATEGORIES AND LEVELS

**** (NOTE: Based on information provided by the ISSO and Project Officer, select the Security Level for each Security Category. Select the Overall Security Level, which is the highest level of the three factors (Confidentiality, Integrity and Availability). NIST SP 800-60, Volume II: Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories, Appendices C and D, contains suggested Security Levels for each Information Type at http://csrc.nist.gov/publications/nistpubs/800-60/SP800-60V2-final.pdf. For additional information and assistance for completion of this item, see Table 1, Security Categorization of Federal Information and Information Systems at: http://irm.cit.nih.gov/security/table1.htm) ****

Confidentiality Level: [ X ] Low [ ] Moderate [ ] High
Integrity Level: [ ] Low [ X ] Moderate [ ] High
Availability Level: [ X ] Low [ ] Moderate [ ] High
Overall Level: [ ] Low [ X ] Moderate [ ] High

C. POSITION SENSITIVITY DESIGNATIONS

1. The following position sensitivity designation(s) and associated suitability determination(s) and background investigation requirements apply to this acquisition.
**** (NOTE: Check all that apply. Additional Note: Levels 2, 3, and 4 are reserved for National Security positions, which are generally not applicable to NIH. For additional information and assistance for completion of this item, see Table 2, Position Sensitivity Designations for Individuals Accessing Agency Information at: http://irm.cit.nih.gov/security/table2.htm) ****
[ ] Level 6: Public Trust - High Risk (Requires Suitability Determination with a BI). Contractor/subcontractor employees assigned to a Level 6 position are subject to a Background Investigation (BI).
[ ] Level 5: Public Trust - Moderate Risk (Requires Suitability Determination with NACIC, MBI or BI). Contractor/subcontractor employees assigned to a Level 5 position with no previous investigation and approval shall undergo a National Agency Check and Inquiry Investigation plus a Credit Check (NACIC), a Minimum Background Investigation (MBI), or a Limited Background Investigation (LBI).
[ X ] Level 1: Non Sensitive (Requires Suitability Determination with an NACI). Contractor/subcontractor employees assigned to a Level 1 position are subject to a National Agency Check and Inquiry Investigation (NACI).

2. The Contractor shall submit a roster, by name, position, e-mail address, phone number and responsibility, of all staff (including subcontractor staff) working under this acquisition where the contractor will develop, have the ability to access, or host and/or maintain a federal information system(s). The roster shall be submitted to the Project Officer, with a copy to the Contracting Officer, within 14 calendar days of the effective date of this acquisition. Any revisions to the roster as a result of staffing changes shall be submitted within 15 calendar days of the change. The Contracting Officer will notify the Contractor of the appropriate level of suitability investigation required for each staff member. An electronic template, "Roster of Employees Requiring Suitability Investigations," is available for contractor use at: http://ais.nci.nih.gov/forms/Suitability-roster.xls
Upon receipt of the Government's notification of applicable, required Suitability Investigations, the Contractor shall complete and submit the required forms within 30 days of the notification. Contractor/subcontractor employees who have met investigative requirements within the past five years may only require an updated or upgraded investigation.

3. Contractor/subcontractor employees shall be required to comply with the HHS criteria for the assigned position sensitivity designations prior to performing any work under this acquisition. The following exceptions apply:
Levels 5 and 1: Contractor/subcontractor employees may begin work under this acquisition after the contractor has submitted the name, position and responsibility of the employee to the Project Officer, as described in subparagraph 2 above.
Level 6: In special circumstances the Project Officer may request a waiver of the pre-appointment investigation. If the waiver is granted, the Project Officer will provide written authorization for the contractor/subcontractor employee to work under this acquisition.

D. INFORMATION SECURITY and PRIVACY TRAINING

HHS Policy requires contractors/subcontractors to receive security and privacy training commensurate with their responsibilities for performing work under the terms and conditions of their contractual agreements. The Contractor shall ensure that each contractor/subcontractor employee has completed the NIH Computer Security Awareness Training and the NIH Privacy Awareness course at http://irtsectraining.nih.gov/, or an equivalent training course specified by NIH, prior to performing any work under this acquisition, and thereafter completes the NIH-specified fiscal year refresher course during the period of performance of this acquisition.

The Contractor shall maintain a list, by name and title, of each Contractor/Subcontractor employee working under this acquisition who has completed the NIH required training. The list (along with any subsequent updates to the list) shall be provided to the Project Officer. Any additional security training completed by Contractor/Subcontractor staff shall be included on this list. [The list of completed training shall be included in the first technical progress report. (See Article C.2. Reporting Requirements.) Any revisions to this list as a result of staffing changes shall be submitted with the next required technical progress report.]
Additional security training requirements commensurate with the position may be required as defined in NIST Special Publication 800-16, Information Technology Security Training Requirements (http://csrc.nist.gov/publications/nistpubs/800-16/800-16.pdf). This document provides information about information security training that may be useful to the Contractor.

Contractor/subcontractor staff shall be required to complete the following additional training prior to performing any work under this acquisition:
**** [List the required training courses here] ****
This would be for HHS/NIH required Role Based Training or other department-required training.

E. RULES OF BEHAVIOR

The Contractor/subcontractor employees shall be required to comply with and sign the NIH Information Technology General Rules of Behavior at: http://irm.cit.nih.gov/security/nihitrob.html

F. PERSONNEL SECURITY RESPONSIBILITIES

The Contractor shall perform and document the following actions:

Contractor Notification of New and Departing Employees Requiring Background Investigations
(1) The Contractor shall notify the Contracting Officer, the Project Officer, and the Security Investigation Reviewer within five working days before a new employee assumes a position that requires a suitability determination or when an employee with a security clearance stops working under the contract. The Government will initiate a background investigation on new employees requiring security clearances and will stop pending background investigations for employees that no longer work under the contract.
(2) New employees: Provide the name, position title, e-mail address, and phone number of the new employee. Provide the name, position title and suitability level held by the former incumbent. If the employee is filling a new position, provide a description of the position and the Government will determine the appropriate security level.
(3) Departing employees:
• Provide the name, position title, and security clearance level held by or pending for the individual.
• Perform and document the actions identified in the "Employee Separation Checklist" (http://ais.nci.nih.gov/forms/ITsecurity-seperation-checklist.rtf) when a Contractor/Subcontractor employee terminates work under this contract.
All documentation shall be made available to the Project Officer and/or Contracting Officer upon request.

G. COMMITMENT TO PROTECT NON-PUBLIC DEPARTMENTAL INFORMATION SYSTEMS AND DATA

1. Contractor Agreement
The Contractor and its subcontractors performing under this SOW shall not release, publish, or disclose non-public Departmental information to unauthorized personnel, and shall protect such information in accordance with provisions of the following laws and any other pertinent laws and regulations governing the confidentiality of such information:
• 18 U.S.C. 641 (Criminal Code: Public Money, Property or Records)
• 18 U.S.C. 1905 (Criminal Code: Disclosure of Confidential Information)
• Public Law 96-511 (Paperwork Reduction Act)

2. Contractor Employee Non-Disclosure Agreement
Each Contractor/subcontractor employee who may have access to non-public Department information under this acquisition shall complete the Commitment to Protect Non-Public Information - Contractor Employee Agreement, http://ocio/docs/public/Nondisclosure.pdf. A copy of each signed and witnessed Non-Disclosure Agreement shall be submitted to the Project Officer prior to performing any work under this acquisition.

3. System Interconnection Security Agreement (ISA) and Memorandum of Understanding (MOU)
Systems that interconnect, exchange or share sensitive information need to meet the OMB A-130 requirement that "written management authorization (often in the form of a Memorandum of Understanding or Agreement) be obtained prior to connecting with other systems and/or sharing sensitive data/information. The written authorization shall detail the rules of behavior and controls that must be maintained by the interconnecting systems." To meet this requirement, a System Interconnection Security Agreement (ISA) and Memorandum of Understanding (MOU) focused on protecting the data exchanged are required. An MOU and/or ISA will be required for any remote vendor access to NIHnet in order to ensure adequate security and the protection of NIHnet.
NIH ISA Template
NIH MOU Template

INCLUDE SECTION J, BELOW, ONLY IF A PROSPECTIVE OFFEROR WILL REQUIRE ACCESS TO SENSITIVE FEDERAL INFORMATION IN ORDER TO PREPARE AN OFFER, E.G. AN OFFEROR MUST ACCESS AN NIH COMPUTER ROOM FLOOR PLAN. If this paragraph is not applicable to the solicitation, delete it in its entirety. Make sure to appropriately designate the subparagraph below.

H. Prospective Offeror Non-Disclosure Agreement

The Government has determined that prospective offerors will require access to the sensitive Federal information described below in order to prepare an offer.
NOTE: Provide a description of the sensitive Federal Information and select the appropriate Position Sensitivity Designation below.
Any individual having access to this information must possess a valid and current suitability determination at the following level:
[ ] Level 6: Public Trust - High Risk
[ ] Level 5: Public Trust - Moderate Risk
To be considered for access to sensitive Federal information, a prospective offeror must:
(a) Submit a written request to the Contracting Officer identified in the solicitation;
(b) Complete and submit the "Prospective Offeror Non-Disclosure Agreement" (http://nitaac.nih.gov/downloads/ciosp2/Prospective_Offeror_Non-Disclosure.doc); and
(c) Receive written approval from the Contracting Officer.
Prospective offerors are required to process their requests for access, receive Government approval, and then access the sensitive Federal information within the period of time provided in the solicitation for the preparation of offers. Nothing in this provision shall be construed, in any manner, by a prospective offeror as an extension to the stated date, time, and location in the solicitation for the submission of offers.

INCLUDE SECTION K BELOW, ONLY IF THE CONTRACTOR WILL HAVE: 1) ACCESS TO SENSITIVE INFORMATION, 2) ACCESS TO FEDERAL INFORMATION SYSTEMS, OR 3) REGULAR OR PROLONGED PHYSICAL ACCESS TO A FEDERALLY-CONTROLLED FACILITY.

I. NIH PHYSICAL ACCESS SECURITY

In accordance with OMB Memorandum M-05-24, background investigations must be completed for all contractor/subcontractor personnel who have (1) access to sensitive information, (2) access to Federal information systems, (3) regular or prolonged physical access to Federally-controlled facilities, or (4) any combination thereof.
[Reference: Definition of "Federally-controlled facilities" at Federal Acquisition Regulation (FAR) Subpart 2.1, Definitions]

The Statement of Work (SOW) requires the Contractor to have regular or prolonged physical access to a Federally-controlled facility, thereby requiring compliance with the following regulations/policies:
• Homeland Security Presidential Directive/HSPD-12, Policy for a Common Identification Standard for Federal Employees and Contractors (08-27-04): http://www.whitehouse.gov/news/releases/2004/08/print/20040827-8.html
• OMB Memorandum M-05-24, Implementation of Homeland Security Presidential Directive (HSPD) 12 - Policy for a Common Identification Standard for Federal Employees and Contractors (08-05-05): http://www.whitehouse.gov/omb/memoranda/fy2005/m05-24.pdf
• HHS Interim Policy: Contractual Implementation of Homeland Security Presidential Directive (HSPD) 12, Policy for a Common Identification Standard for Federal Employees and Contractors [Draft]
• HHS Office of Security and Drug Testing, Personnel Security/Suitability Handbook (02-01-05): http://www.knownet.hhs.gov/acquisition/pssh.pdf

INCLUDE SECTIONS L AND M WHEN CONTRACTOR/SUBCONTRACTOR PERSONNEL WILL HAVE ACCESS TO, OR USE OF, PERSONALLY IDENTIFIABLE INFORMATION (PII), INCLUDING INSTANCES OF REMOTE ACCESS TO OR PHYSICAL REMOVAL OF SUCH INFORMATION BEYOND AGENCY PREMISES OR CONTROL. FOR ADDITIONAL INFORMATION, SEE:
• OMB Memorandum M-06-15, Safeguarding Personally Identifiable Information (05-22-06): http://www.whitehouse.gov/omb/memoranda/fy2006/m-06-15.pdf
• OMB Memorandum M-06-16, Protection of Sensitive Agency Information (06-23-06): http://www.whitehouse.gov/OMB/memoranda/fy2006/m06-16.pdf
• OMB Memorandum M-06-19, Safeguarding Against and Responding to the Breach of Personally Identifiable Information: http://www.whitehouse.gov/omb/memoranda/fy2006/m06-19.pdf
• Guide for Identifying Sensitive Information, including Information in Identifiable Form, at the NIH: http://irm.cit.nih.gov/security/NIH_Sensitive_Info_Guide.doc

J. Personally Identifiable Information (PII) Security Plan

1) Security and Privacy Clause for Personally Identifiable Information
Information security and privacy, including the protection of sensitive/confidential information whether in verbal, written or electronic form, are a high priority of the National Institutes of Health (NIH). Therefore, all contractors and subcontractors who may have access to any personally identifiable information are subject to the rules, regulations and procedures established by the Privacy Act of 1974 (PA) and implementing regulations, as well as the Health Insurance Portability and Accountability Act of 1996 (HIPAA). As such, all contractors and subcontractors shall only collect, maintain and use sensitive/confidential, personally identifiable information as necessary within the scope of the services to be provided to the NIH. In addition, all contractor staff shall use sensitive/confidential information only in the performance of their assigned duties as related to the delivery of those services. Information provided by the NIH may not be shared with any third party without the express written permission of the Project and Contract Officers and may not be used for any purpose other than for the delivery of specific services to be provided to the NIH. The unauthorized disclosure of any information protected by the PA or HIPAA may be punishable by administrative sanction or by fine, and purposeful disclosure may result in criminal charges. The contractor and subcontractors are required to submit a company security/confidentiality policy and related procedures, which are to include the requirement for a signed employee confidentiality agreement.
Link to the NIH NDA: http://irm.cit.nih.gov/docs/public/Nondisclosure.pdf

The Offeror shall submit a PII Security Plan with its technical proposal that addresses each of the following items:
1. Verify the information categorization to ensure the identification of the PII requiring protection.
2. Verify the existing risk assessment.
3. Identify the Contractor's existing internal corporate policy that addresses the information protection requirements of the SOW.
4. Verify the adequacy of the Contractor's existing internal corporate policy that addresses the information protection requirements of the SOW.
5. Identify any revisions, or development, of an internal corporate policy to adequately address the information protection requirements of the SOW.
6. For PII to be physically transported to or stored at a remote site, verify that the security controls of NIST Special Publication 800-53 involving the encryption of transported information will be implemented. [http://csrc.nist.gov/publications/nistpubs/800-53-Rev2/sp800-53-rev2-final.pdf]
7. When applicable, verify how the NIST Special Publication 800-53 security controls requiring authentication and virtual private network (VPN) connections will be implemented.
8. When applicable, verify how the NIST Special Publication 800-53 security controls enforcing allowed downloading of PII will be implemented.
9. Identify measures to ensure subcontractor compliance with safeguarding PII.
The details contained in the Offeror's PII Security Plan must be commensurate with the size and complexity of the contract requirements based on the System Categorization specified above in the subparagraph entitled Security Categories and Levels. The Offeror's PII Security Plan will be evaluated by the Government for appropriateness and adequacy.

K. LOSS AND/OR DISCLOSURE OF PERSONALLY IDENTIFIABLE INFORMATION (PII) - NOTIFICATION OF DATA BREACH

The Contractor shall be responsible for reporting all incidents involving the loss and/or disclosure of PII in electronic or physical form. Notification shall be made to the NIH Incident Response Team, IRT@mail.nih.gov, via email within one hour of discovering the incident. The contractor shall follow up with the IRT by completing and submitting one of the following two forms:
• NIH PII Spillage Report [http://irm.cit.nih.gov/security/PII_Spillage_Report.doc]
• NIH Lost or Stolen Assets Report [http://irm.cit.nih.gov/security/Lost_or_Stolen.doc]
The notification requirements do not distinguish between suspected and confirmed breaches.

NIH Breach Notification

Remote storage of CC data is applicable to this acquisition. In accordance with the Interim Final Rule on Breach Notification for Unsecured Protected Health Information in Section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act, published in the Federal Register on or about August 13, 2009:
1) The Clinical Center requires that all contractors/subcontractors with access to unsecured protected health information from CC Information Systems provide notice of a breach to the Clinical Center without unreasonable delay and in no case later than 60 days following the discovery of a breach.
2) In the event of a breach, the Clinical Center requires that all contractors/subcontractors, to the extent possible, provide the Clinical Center with the identification of each individual whose unsecured protected health information has been, or is reasonably believed to have been, breached, and any other information related to the breach. The required information must be provided when available, but without unreasonable delay and within 60 days, in order for the Government to provide notice to affected individuals.
INCLUDE SECTION N WHEN THE SOW REQUIRES THE CONTRACTOR/SUBCONTRACTOR TO (1) DEVELOP A FEDERAL INFORMATION SYSTEM(S) AT THE CONTRACTOR'S/SUBCONTRACTOR'S FACILITY, OR (2) HOST AND/OR MAINTAIN A FEDERAL INFORMATION SYSTEM(S) AT THE CONTRACTOR'S/SUBCONTRACTOR'S FACILITY, AND/OR CONTRACTORS/SUBCONTRACTORS WILL HAVE ACCESS, OR USE OF, PERSONALLY IDENTIFIABLE INFORMATION (PII), INCLUDING INSTANCES OF REMOTE ACCESS T OR PHYSICAL REMOVAL OF SUCH INFORMATION BEYOND AGENCY PREMISE OR CONTROL. L. DATA ENCRYPTION The following applies to all Contractor/subcontractor laptop computers containing HHS data at rest and/or HHS data in transit. (1) All laptop computers used on behalf of the government shall be secured using a Federal Information Processing Standard (FIPS) 140-2 compliant whole-disk encryption solution. The cryptographic module used by an encryption or other cryptographic product must be tested and validated under the Cryptographic Module Validation Program to confirm compliance with the requirements of FIPS PUB 140-2 (as amended). For additional information, refer to http://csrc.nist.gov/cryptval. (2) All mobile devices, including non-HHS laptops and portable media, that contain sensitive HHS information shall be encrypted using a FIPS 140-2 compliant product. Data at rest includes all HHS data regardless of where it is stored. (3) A FIPS 140-2 compliant key recovery mechanism shall be used so that encrypted information can be decrypted and accessed by authorized personnel. Use of encryption keys which are not recoverable by authorized personnel is prohibited. Key recovery is required by "OMB Guidance to Federal Agencies on Data Availability and Encryption", November 26, 2001, http://csrc.nist.gov/drivers/documents/ombencryption-guidance.pdf Encryption key management shall comply with all HHS and NIH policies and shall provide adequate protection to prevent unauthorized decryption of the information. 
All media used to store information shall be encrypted until it is sanitized or destroyed in accordance with HHS policy and NIH procedures. **** (INCLUDE THE FOLLOWING WHEN THE CONTRACTOR/SUBCONTRACTOR WILL BE ACCESSING FEDERAL INFORMATION BUT WILL NOT BE REQUIRED TO INSTALL, OPERATE, MAINTAIN, UPDATE, AND/OR PATCH SOFTWARE.) **** M. Using Secure Computers to Access Federal Information 1. The Contractor shall use an FDCC compliant computer when accessing information on behalf of the Federal government. 2. The Contractor shall install computer virus detection software on all computers used to access information on behalf of the Federal government. Virus detection software and virus detection signatures shall be kept current. **** (INCLUDE THE FOLLOWING WHEN THE CONTRACTOR/SUBCONTRACTOR WILL BE ACCESSING INFORMATION AND WILL BE REQUIRED TO INSTALL, OPERATE, MAINTAIN, UPDATE, AND/OR PATCH SOFTWARE.) **** N. IMPLEMENTATION OF COMMONLY ACCEPTED SECURITY CONFIGURATIONS FOR WINDOWS OPERATING SYSTEMS OMB Memorandum M-07-18, Ensuring New Acquisitions Include Common Security Configurations http://www.whitehouse.gov/omb/assets/omb/memoranda/fy2007/m07-18.pdf (1) For all Information Technology provided under this acquisition, the Contractor shall certify that installed applications are fully functional and operate correctly as intended on systems using the Federal Desktop Core Configuration (FDCC). This includes Internet Explorer 7 configured to operate on Windows XP and Vista (in Protected Mode on Vista). For Windows XP settings, see: http://csrc.nist.gov/itsec/guidance_WinXP.html, and for Windows Vista settings, see: http://csrc.nist.gov/itsec/guidance_vista.html. (2) The standard installation, operation, maintenance, updates, and/or patching of software shall not alter the configuration settings from the approved FDCC configuration. 
For software operating in a Microsoft Windows environment, information technology shall also use the Windows Installer Service for installation to the default "program files" directory and shall be able to silently install and uninstall.

(3) Applications designed for normal end users shall run in the standard user context without elevated system administration privileges.

Include sections R through T in all contracts.

O. SPECIAL INFORMATION SECURITY REQUIREMENTS FOR FOREIGN CONTRACTORS/SUBCONTRACTORS

When foreign contractors/subcontractors perform work under this acquisition at non-US Federal Government facilities, provisions of HSPD-12 do NOT apply.

P. REFERENCES: INFORMATION SECURITY INCLUDING PERSONALLY IDENTIFIABLE INFORMATION

(1) Federal Information Security Management Act of 2002 (FISMA), Title III, E-Government Act of 2002, Pub. L. No. 107-347 (Dec. 17, 2002): http://csrc.nist.gov/drivers/documents/FISMA-final.pdf
(2) DHHS Personnel Security/Suitability Handbook: http://www.knownet.hhs.gov/acquisition/pssh.pdf
(3) NIH Computer Security Awareness Course: http://irtsectraining.nih.gov/
(4) NIST Special Publication 800-16, Information Technology Security Training Requirements: http://csrc.nist.gov/publications/nistpubs/800-16/800-16.pdf; Appendix A-D: http://csrc.nist.gov/publications/nistpubs/800-16/AppendixA-D.pdf
(5) NIST SP 800-18, Guide for Developing Security Plans for Information Technology Systems: http://csrc.nist.gov/publications/nistpubs/800-18-Rev1/sp800-18-Rev1-final.pdf
(6) NIST SP 800-53, Revision 1, Recommended Security Controls for Federal Information Systems: http://www.csrc.nist.gov/publications/drafts/800-53-rev1-ipd-clean.pdf
(7) NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, Volume I: http://csrc.nist.gov/publications/nistpubs/800-60/SP800-60V1-final.pdf; Volume II, Appendices to Guide For Mapping Types of Information and Information Systems To Security Categories, Appendix C at: http://csrc.nist.gov/publications/nistpubs/800-60/SP800-60V2-final.pdf and Appendix D at: http://csrc.nist.gov/publications/nistpubs/800-60/SP800-60V2-final.pdf
(8) NIST SP 800-64, Security Considerations in the Information System Development Life Cycle: http://csrc.nist.gov/publications/nistpubs/800-64/NIST-SP800-64.pdf
(9) FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems: http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf
(10) FIPS PUB 200, Minimum Security Requirements for Federal Information and Information Systems: http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf
(11) OMB Memorandum M-06-15, Safeguarding Personally Identifiable Information (05-22-06): http://www.whitehouse.gov/omb/memoranda/fy2006/m-06-15.pdf
(12) OMB Memorandum M-06-16, Protection of Sensitive Agency Information (06-23-06): http://www.whitehouse.gov/OMB/memoranda/fy2006/m06-16.pdf
(13) OMB Memorandum M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments (07-12-06): http://www.whitehouse.gov/omb/memoranda/fy2006/m-06-19.pdf
(14) OMB Memorandum, Recommendations for Identity Theft Related Data Breach Notification (09-20-06): http://www.whitehouse.gov/omb/memoranda/fy2006/task_force_theft_memo.pdf
(15) OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information (05-22-07): http://www.whitehouse.gov/omb/memoranda/fy2007/m07-16.pdf
(16) OMB Memorandum M-07-18, Ensuring New Acquisitions Include Common Security Configurations (06-01-07): http://www.whitehouse.gov/omb/memoranda/fy2007/m07-18.pdf
(17) Guide for Identifying Sensitive Information, including Information in Identifiable Form, at the NIH (04-18-2008): http://irm.cit.nih.gov/security/NIH_Sensitive_Info_Guide.doc
(18) HHS OCIO Policies: http://www.hhs.gov/ocio/policy/index.html#Security
(19) NIH Privacy Awareness Course: http://irtsectraining.nih.gov/

Q. REFERENCES: PHYSICAL ACCESS SECURITY

(1) HHS Information Security Program Policy: http://intranet.hhs.gov/infosec/docs/policies_guides/ISPP/Information_Security_Program_Policy.pdf
(2) Homeland Security Presidential Directive/HSPD-12, Policy for a Common Identification Standard for Federal Employees and Contractors (08-27-04): http://www.whitehouse.gov/news/releases/2004/08/print/20040827-8.html
(3) OMB Memorandum M-05-24, Implementation of Homeland Security Presidential Directive (HSPD) 12 - Policy for a Common Identification Standard for Federal Employees and Contractors (08-05-05): http://www.whitehouse.gov/omb/memoranda/fy2005/m05-24.pdf
(4) OMB Memorandum M-07-06, Validating and Monitoring Agency Issuance of Personal Identity Verification Credentials (01-11-07): http://www.whitehouse.gov/omb/memoranda/fy2007/m07-06.pdf
(5) Federal Information Processing Standards Publication (FIPS PUB) 201-1 (Updated June 26, 2006): http://csrc.nist.gov/publications/fips/fips201-1/FIPS-201-1-chng1.pdf
(6) HHS Interim Policy: Contractual Implementation of Homeland Security Presidential Directive (HSPD) 12, Policy for a Common Identification Standard for Federal Employees and Contractors [Draft]: http://www.hhs.gov/oamp/policies/hspd12contractguide.doc
(7) HHS Office of Security and Drug Testing, Personnel Security/Suitability Handbook (02-01-05): http://www.hhs.gov/oamp/policies/personnel_security_suitability_handbook.html
(8) HHSAR 307.7106, Statement of Work (SOW); HHSAR 307.7108 in new coverage as of 02-01-07: http://knownet.hhs.gov/acquisition/hhsar/Default.htm
(9) Federal Acquisition Regulation (FAR) 37.602, Performance Work Statement (PWS): http://acquisition.gov/far/current/html/Subpart%2037_6.html#wp1074648
(10) FAR Subpart 4.13, Personal Identity Verification of Contractor Personnel: http://acquisition.gov/far/current/html/Subpart%204_13.html#wp1074125
(11) FAR 52.204-9, Personal Identity Verification of Contractor Personnel [clause]: http://acquisition.gov/far/current/html/52_200_206.html#wp1139617

Include Section V in all acquisitions that require Hardware purchases.

R. Federal Desktop Core Configuration (FDCC) and Federal Information Processing 201 Security Requirements

• The Contractor shall ensure new systems are configured with the applicable Federal Desktop Core Configuration (FDCC) (http://nvd.nist.gov/fdcc/download_fdcc.cfm) and applicable configurations from http://checklists.nist.gov, as jointly identified by the OPDIV/STAFFDIV Contracting Officer's Technical Representative (COTR) and the CISO.
• The Contractor shall ensure hardware and software installation, operation, maintenance, update, and/or patching will not alter the configuration settings specified in: (a) the FDCC (http://nvd.nist.gov/fdcc/index.cfm); and (b) other applicable configuration checklists as referenced above.
• The Contractor shall ensure applications are fully functional and operate correctly on systems configured in accordance with the above configuration requirements.
• The Contractor shall ensure applications designed for end users run in the standard user context without requiring elevated administrative privileges.
• FIPS 201-compliant, Homeland Security Presidential Directive 12 (HSPD-12) card readers shall: (a) be included with the purchase of servers, desktops, and laptops; and (b) comply with FAR Subpart 4.13, Personal Identity Verification.

In accordance with HHS-OCIO-2008-0004.001S "Standard Security Language Configuration in HHS Contracts", all NIH purchases of servers, desktops, and laptops shall include a Federal Information Processing Standard 201 (FIPS-201)-compliant smartcard reader. A list of approved FIPS-201 compliant devices may be found at http://www.idmanagement.gov/drilldown.cfm?action=gov_app_products.
As standards-compliant smartcard readers may not be available from all sources, or may be more cheaply acquired and provisioned separately, IC information technology staff must review the status of emerging NIH standards for compliant peripheral devices, keyboards, card readers, etc. before making purchases. By 01/01/2011, all systems joined to the NIH network or otherwise brought into production use must be provisioned with a FIPS-201 compliant PIV card reader.

• The Contractor shall ensure that all of its subcontractors (at all tiers) comply with the above requirements.

Include Section X in all IT contracts.

S. ELECTRONIC AND INFORMATION TECHNOLOGY ACCESSIBILITY (January 2008)

Pursuant to Section 508 of the Rehabilitation Act of 1973 (29 U.S.C. 794d), as amended by the Workforce Investment Act of 1998, all electronic and information technology (EIT) products and services developed, acquired, maintained, and/or used under this contract/order must comply with the "Electronic and Information Technology Accessibility Provisions" set forth by the Architectural and Transportation Barriers Compliance Board (also referred to as the "Access Board") in 36 CFR part 1194. Information about Section 508 provisions is available at http://www.section508.gov. The complete text of Section 508 Final provisions can be accessed at http://www.accessboard.gov/sec508/provisions.htm.

The Section 508 standards applicable to this contract/order are identified in the Statement of Work. The contractor must provide a written Section 508 conformance certification due at the end of each order/contract exceeding $100,000 when the order/contract duration is one year or less.

If it is determined by the Government that EIT products and services provided by the Contractor do not conform to the described accessibility in the Product Assessment Template, remediation of the products and/or services to the level of conformance specified in the vendor's Product Assessment Template will be the responsibility of the Contractor at its own expense.

In the event of a modification(s) to the contract/order, which adds new EIT products and services or revises the type of, or specifications for, products and services the Contractor is to provide, including EIT deliverables such as electronic documents and reports, the Contracting Officer may require that the contractor submit a completed HHS Section 508 Product Assessment Template to assist the Government in determining that the EIT products and services support Section 508 accessibility requirements. Instructions for documenting accessibility via the HHS Section 508 Product Assessment Template may be found at http://508.hhs.gov.

[End of HHSAR 352.270-19(b)]

Prior to the Contracting Officer exercising an option for a subsequent performance period/additional quantity or adding increment funding for a subsequent performance period under this contract, as applicable, the Contractor must provide a Section 508 Annual Report to the Contracting Officer and Contracting Officer's Technical Representative (also known as Project Officer or Contracting Officer's Representative). Unless otherwise directed by the Contracting Officer in writing, the Contractor shall provide the cited report in accordance with the following schedule. Instructions for completing the report are available at http://508.hhs.gov under the heading Vendor Information and Documents. The Contractor's failure to submit a timely and properly completed report may jeopardize the Contracting Officer's exercising an option or adding incremental funding, as applicable.
Schedule for Contractor Submission of Section 508 Annual Report:

[End of HHSAR 352.270-19(c)]

2) PRIVACY ACT - FAR 52.224-1 Privacy Act Notification (Apr 1984)

The Contractor will be required to design, develop, or operate a system of records on individuals, to accomplish an agency function subject to the Privacy Act of 1974, Public Law 93-579, December 31, 1974 (5 U.S.C. 552a) and applicable agency regulations. Violation of the Act may involve the imposition of criminal penalties.

FAR 52.224-2 Privacy Act (April 1984)

(a) The Contractor agrees to-
(1) Comply with the Privacy Act of 1974 (the Act) and the agency rules and regulations issued under the Act in the design, development, or operation of any system of records on individuals to accomplish an agency function when the contract specifically identifies-
(i) The systems of records; and
(ii) The design, development, or operation work that the contractor is to perform;
(2) Include the Privacy Act notification contained in this contract in every solicitation and resulting subcontract and in every subcontract awarded without a solicitation, when the work statement in the proposed subcontract requires the redesign, development, or operation of a system of records on individuals that is subject to the Act; and
(3) Include this clause, including this paragraph (3), in all subcontracts awarded under this contract which requires the design, development, or operation of such a system of records.

(b) In the event of violations of the Act, a civil action may be brought against the agency involved when the violation concerns the design, development, or operation of a system of records on individuals to accomplish an agency function, and criminal penalties may be imposed upon the officers or employees of the agency when the violation concerns the operation of a system of records on individuals to accomplish an agency function. For purposes of the Act, when the contract is for the operation of a system of records on individuals to accomplish an agency function, the Contractor is considered to be an employee of the agency.

(c)(1) "Operation of a system of records," as used in this clause, means performance of any of the activities associated with maintaining the system of records, including the collection, use, and dissemination of records.
(2) "Record," as used in this clause, means any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and that contains the person's name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a fingerprint or voiceprint or a photograph.
(3) "System of records on individuals," as used in this clause, means a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.

3) Personal Identity Verification of Contractor Personnel FAR 52.204-9 (SEPT 2007)

(a) The Contractor shall comply with agency personal identity verification procedures identified in the contract that implement Homeland Security Presidential Directive-12 (HSPD-12), Office of Management and Budget (OMB) guidance M-05-24 and Federal Information Processing Standards Publication (FIPS PUB) Number 201.
(b) The Contractor shall insert this clause in all subcontracts when the subcontractor is required to have routine physical access to a Federally-controlled facility and/or routine access to a Federally-controlled information system.

4) EMPLOYMENT ELIGIBILITY VERIFICATION FAR 52.222-54 (JAN 2009)

(a) Definitions.
As used in this clause-

"Commercially available off-the-shelf (COTS) item"-
(1) Means any item of supply that is-
(i) A commercial item (as defined in paragraph (1) of the definition at 2.101);
(ii) Sold in substantial quantities in the commercial marketplace; and
(iii) Offered to the Government, without modification, in the same form in which it is sold in the commercial marketplace; and
(2) Does not include bulk cargo, as defined in section 3 of the Shipping Act of 1984 (46 U.S.C. App. 1702), such as agricultural products and petroleum products. Per 46 CFR 525.1 (c)(2), "bulk cargo" means cargo that is loaded and carried in bulk onboard ship without mark or count, in a loose unpackaged form, having homogeneous characteristics. Bulk cargo loaded into intermodal equipment, except LASH or Seabee barges, is subject to mark and count and, therefore, ceases to be bulk cargo.

"Employee assigned to the contract" means an employee who was hired after November 6, 1986, who is directly performing work, in the United States, under a contract that is required to include the clause prescribed at 22.1803. An employee is not considered to be directly performing work under a contract if the employee-
(1) Normally performs support work, such as indirect or overhead functions; and
(2) Does not perform any substantial duties applicable to the contract.

"Subcontract" means any contract, as defined in 2.101, entered into by a subcontractor to furnish supplies or services for performance of a prime contract or a subcontract. It includes but is not limited to purchase orders, and changes and modifications to purchase orders.

"Subcontractor" means any supplier, distributor, vendor, or firm that furnishes supplies or services to or for a prime Contractor or another subcontractor.

"United States", as defined in 8 U.S.C. 1101(a)(38), means the 50 States, the District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands.

(b) Enrollment and verification requirements.
(1) If the Contractor is not enrolled as a Federal Contractor in E-Verify at time of contract award, the Contractor shall-
(i) Enroll. Enroll as a Federal Contractor in the E-Verify program within 30 calendar days of contract award;
(ii) Verify all new employees. Within 90 calendar days of enrollment in the E-Verify program, begin to use E-Verify to initiate verification of employment eligibility of all new hires of the Contractor, who are working in the United States, whether or not assigned to the contract, within 3 business days after the date of hire (but see paragraph (b)(3) of this section); and
(iii) Verify employees assigned to the contract. For each employee assigned to the contract, initiate verification within 90 calendar days after date of enrollment or within 30 calendar days of the employee's assignment to the contract, whichever date is later (but see paragraph (b)(4) of this section).

(2) If the Contractor is enrolled as a Federal Contractor in E-Verify at time of contract award, the Contractor shall use E-Verify to initiate verification of employment eligibility of-
(i) All new employees.
(A) Enrolled 90 calendar days or more. The Contractor shall initiate verification of all new hires of the Contractor, who are working in the United States, whether or not assigned to the contract, within 3 business days after the date of hire (but see paragraph (b)(3) of this section); or
(B) Enrolled less than 90 calendar days. Within 90 calendar days after enrollment as a Federal Contractor in E-Verify, the Contractor shall initiate verification of all new hires of the Contractor, who are working in the United States, whether or not assigned to the contract, within 3 business days after the date of hire (but see paragraph (b)(3) of this section); or
(ii) Employees assigned to the contract. For each employee assigned to the contract, the Contractor shall initiate verification within 90 calendar days after date of contract award or within 30 days after assignment to the contract, whichever date is later (but see paragraph (b)(4) of this section).

(3) If the Contractor is an institution of higher education (as defined at 20 U.S.C. 1001(a)); a State or local government or the government of a Federally recognized Indian tribe; or a surety performing under a takeover agreement entered into with a Federal agency pursuant to a performance bond, the Contractor may choose to verify only employees assigned to the contract, whether existing employees or new hires. The Contractor shall follow the applicable verification requirements at (b)(1) or (b)(2) respectively, except that any requirement for verification of new employees applies only to new employees assigned to the contract.

(4) Option to verify employment eligibility of all employees. The Contractor may elect to verify all existing employees hired after November 6, 1986, rather than just those employees assigned to the contract. The Contractor shall initiate verification for each existing employee working in the United States who was hired after November 6, 1986, within 180 calendar days of-
(i) Enrollment in the E-Verify program; or
(ii) Notification to E-Verify Operations of the Contractor's decision to exercise this option, using the contact information provided in the E-Verify program Memorandum of Understanding (MOU).

(5) The Contractor shall comply, for the period of performance of this contract, with the requirements of the E-Verify program MOU.
(i) The Department of Homeland Security (DHS) or the Social Security Administration (SSA) may terminate the Contractor's MOU and deny access to the E-Verify system in accordance with the terms of the MOU. In such case, the Contractor will be referred to a suspension or debarment official.
(ii) During the period between termination of the MOU and a decision by the suspension or debarment official whether to suspend or debar, the Contractor is excused from its obligations under paragraph (b) of this clause. If the suspension or debarment official determines not to suspend or debar the Contractor, then the Contractor must reenroll in E-Verify.

(c) Web site. Information on registration for and use of the E-Verify program can be obtained via the Internet at the Department of Homeland Security Web site: http://www.dhs.gov/E-Verify.

(d) Individuals previously verified. The Contractor is not required by this clause to perform additional employment verification using E-Verify for any employee-
(1) Whose employment eligibility was previously verified by the Contractor through the E-Verify program;
(2) Who has been granted and holds an active U.S. Government security clearance for access to confidential, secret, or top secret information in accordance with the National Industrial Security Program Operating Manual; or
(3) Who has undergone a completed background investigation and been issued credentials pursuant to Homeland Security Presidential Directive (HSPD)-12, Policy for a Common Identification Standard for Federal Employees and Contractors.

(e) Subcontracts. The Contractor shall include the requirements of this clause, including this paragraph (e) (appropriately modified for identification of the parties), in each subcontract that-
(1) Is for-
(i) Commercial or noncommercial services (except for commercial services that are part of the purchase of a COTS item (or an item that would be a COTS item, but for minor modifications), performed by the COTS provider, and are normally provided for that COTS item); or
(ii) Construction;
(2) Has a value of more than $3,000; and
(3) Includes work performed in the United States.
 
Web Link
FBO.gov Permalink
(https://www.fbo.gov/spg/HHS/NIH/CCOPC/184024/listing.html)
 
Record
SN02329853-W 20101120/101118234209-5f19c3000c8b441ca76c65fb21004f24 (fbodaily.com)
 
Source
FedBizOpps Link to This Notice
(may not be valid after Archive Date)
