SOURCES SOUGHT
D -- IT Security Support Services - National Center for Complementary and Integrative Health (NCCIH) - Draft Statement of Work
- Notice Date
- 1/27/2017
- Notice Type
- Sources Sought
- NAICS
- 541990 — All Other Professional, Scientific, and Technical Services
- Contracting Office
- Department of Health and Human Services, National Institutes of Health, National Cancer Institute, Office of Acquisitions, 9609 Medical Center Drive, Room 1E128, Rockville, Maryland, 20852, United States
- ZIP Code
- 20852
- Solicitation Number
- HHS-NIH-NCI-SBSS-TSB-77002-16
- Archive Date
- 2/25/2017
- Point of Contact
- Mary E. Muir, Phone: 301-624-8764; C. Timothy Crilley, Phone: 301-624-8743
- E-Mail Address
- mary.muir@nih.gov, tcrilley@mail.nih.gov
- Small Business Set-Aside
- N/A
- Description
Draft Statement of Work
Notice Number: HHS-NIH-NCI-SBSS-TSB-77002-16
Title: IT Security Support Services - National Center for Complementary and Integrative Health (NCCIH)

This is a Small Business Sources Sought notice. This is NOT a solicitation for proposals, proposal abstracts, or quotations. The purpose of this notice is to obtain information regarding:
(1) the availability and capability of qualified small business sources;
(2) whether they are small businesses; HUBZone small businesses; service-disabled, veteran-owned small businesses; 8(a) small businesses; veteran-owned small businesses; woman-owned small businesses; or small disadvantaged businesses; and
(3) their size classification relative to the North American Industry Classification System (NAICS) code for the proposed acquisition.

Your response to the information requested will assist the Government in determining the appropriate acquisition method, including whether a set-aside is possible. An organization that is not considered a small business under the applicable NAICS code should not submit a response to this notice. A determination by the Government not to compete this requirement as a set-aside based upon responses to this Notice is solely within the discretion of the Government. Interested parties are expected to review this Notice and the draft Statement of Work to familiarize themselves with the requirements of this project; failure to do so will be at your firm's own risk.

Background

Legislative History
The National Center for Complementary and Integrative Health (NCCIH) is the Federal Government's lead agency for scientific research on complementary and integrative health approaches. The U.S. Congress originally established NCCIH as the National Center for Complementary and Alternative Medicine (NCCAM) in 1998. The U.S. Congress changed the agency name to National Center for Complementary and Integrative Health (NCCIH) in 2014.
The NCCIH mission is to define, through rigorous scientific investigation, the usefulness and safety of complementary and integrative health interventions and their roles in improving health and health care.

Research Priorities
NCCIH is 1 of the 27 institutes and centers (ICs) that make up the National Institutes of Health (NIH) within the U.S. Department of Health and Human Services. In June 2016, the Center released its fourth strategic plan. The year-long planning process engaged the full range of NCCIH's diverse community of professional and public stakeholders. Given the Center's finite budget and small size, the goal of this effort was to explicitly target elements in the research agenda. The process identified three scientific objectives:
- Advance Fundamental Science and Methods Development
- Improve Care for Hard-To-Manage Symptoms
- Foster Health Promotion and Disease Prevention

The plan also delineated two cross-cutting objectives:
- Enhance the Complementary and Integrative Health Research Workforce
- Disseminate Objective Evidence-Based Information on Complementary and Integrative Health Interventions

Technical Background
NIH consists of 27 semi-autonomous ICs. The NIH-wide information technology (IT) environment consists of multiple operating platforms, networks, systems, and facilities with such types of software as Unix, Mac, Windows, iOS, Linux, and VMWare, and such hardware as supercomputers, mainframes, Windows PCs, Apple PCs, and Sun PCs, with the overall NIH Network (NIHnet) as the backbone. The network provides firewalls, proxies, filters, servers, and LANs (local area networks) supporting campuses in the Bethesda, Rockville, and Frederick, Maryland areas. The typical NIH user is either a medical scientist or part of the administrative support staff.
Requirements and ability to implement solutions vary greatly from one NIH IC to the next, with each having its own Director, Executive Officer (EO), Scientific Director, Chief Information Officer (CIO) or equivalent, and Information Systems Security Officer (ISSO) and alternate, as well as Systems Administrators (SAs) and LAN Administrators, each of whom may influence and impact any given IT security problem and solution. NCCIH is one of the NIH centers. NCCIH works cooperatively with the Department of Veterans Affairs (VA) and other Federal agencies that provide or fund research into complementary health care and self-care practices. NCCIH is responsible for continuing to improve the efficiency and effectiveness of its computer services. The NCCIH IT services program, security program, and software support program, with their internal and external presences, formalize and automate NCCIH work practices. Together they represent a value-added computer service.

Purpose and Objectives
The purpose of this Small Business Sources Sought Notice (SBSS) is to identify qualified small business concerns, including HUBZone small businesses; service-disabled, veteran-owned small businesses; 8(a) small businesses; veteran-owned small businesses; woman-owned small businesses; or small disadvantaged businesses, that are interested in and capable of performing the work described herein. On behalf of NCCIH, the NCI does not intend to award a contract on the basis of responses received nor otherwise pay for the preparation of any information submitted. As a result of this SBSS Notice, the NCI may issue a Request for Proposal (RFP). THERE IS NO SOLICITATION AVAILABLE AT THIS TIME. However, should such a requirement materialize, no basis for claims against NCI shall arise as a result of a response to this Small Business Sources Sought Notice or the NCI's use of such information as either part of our evaluation process or in developing specifications for any subsequent requirement.
It is the purpose of NCCIH to acquire Information Technology (IT) security professional services to provide certification and accreditation annual assessment support for the NCCIH general support systems (GSS) and minor applications. The NCCIH GSS, like other logical reporting structures and federal minor systems, needs review of its technical controls (one third of them per year) and adjustment to the changing federal reporting standards and tools. The NIH reporting tool is the NIH Security Authorization Tool (NSAT), formerly the NIH Certification and Accreditation Tool. The scope accounts for the full security reporting cycle of a GSS, including the NCCIH minor systems and programs. Therefore, it must provide IT security services in support of NCCIH, including security program management support, system certification and accreditation review, annual assessment of system controls, and testing. The annual assessments will be the largest part of this work due to the past SA&As conducted by NCCIH. One third of NCCIH's security controls must be reviewed yearly.

The Contractor shall perform tasks in accordance with the guidelines contained in the latest versions of the following references:
- FIPS 200
- FIPS 199
- NIST Special Publication 800-37
- NIST Special Publication 800-53
- NIST Special Publication 800-53a
- NIST Special Publication 800-60
- NIST Special Publication 800-18
- NIST Special Publication 800-30
- NIST Special Publication 800-64
- OMB guidance
- HHS and NIH policies and guidance
- Federal Information Security Management Act (FISMA)
- Other federal laws, regulations and guidelines related to security

Project Requirements
The Contractor shall perform the following tasks:

Task 1 - System Assessment and Authorization Support
The Contractor shall provide technical controls review and documentation of assessment and authorization services to the National Institutes of Health (NIH) NCCIH to support the NCCIH LAN GSS and its sub-systems.
Current systems include:
- NCCIH Intranet Website (rated low impact)
- NCCIH Internet Website (rated low impact)
- NCCIH External SharePoint (rated moderate impact)
- NCCIH SharePoint (rated moderate impact)

The NCCIH LAN GSS is rated as a moderate security impact system. Please note that the minor systems in the GSS are constantly in flux depending on the needs of the agency. This list can be added to or deleted from during the course of this task and is only included as reference for quoting purposes. Cloud-based and/or Third Party hosted applications and websites may also need to receive assessment or to process the inheritance from DHHS or other federal agencies of their formal security assessments. Such assessment work is normal for all federal agencies and therefore is assumed in the required tasks.

Support shall include:
- review and testing for Annual Assessments based on Security Assessment & Authorization (SA&A) security controls
- updates to GSS POA&Ms
- coordination of annual renewals of authority to operate
- system security categorization
- system baseline security requirements
- performing system tests and evaluations (ST&E)
- developing risk assessments
- developing system security plans
- developing system plans of action and milestones (POA&M)
- developing self-assessments
- certification memos
- accreditation letters
- system SA&A overview documents

In addition, the contractor shall be required to review SA&A documentation prepared outside of NCCIH for accuracy and quality. The contractor shall meet with the NCCIH Contracting Officer's Representative (COR) on a bi-weekly basis, via teleconference or in person as agreed upon by the COR and the contractor, to discuss the status of all activities performed, including problems and delays. Additional meetings may be held at the COR's request, not to exceed two (2) additional meetings per month.
A bi-weekly progress report shall be prepared outlining the activities planned and performed for the month, activities planned for the next month, associated costs, problems encountered, resolution of problems, delays, and resolution of delays.

Anticipated Period of Performance
The period of performance for this requirement is five (5) years, consisting of a one-year base period plus four (4) one-year options. The anticipated start date is on or about September 12, 2017.

Other Important Considerations

Draft Statement of Work
A copy of the draft Statement of Work (SOW), which is subject to revisions, is attached. Please refer to the SOW for additional information pertinent to this requirement.

NAICS Code and Size Standard
In the event an RFP is issued, North American Industry Classification System (NAICS) code 541990 with a size standard of $7.0 million is being considered.

Capability Statement/Information Sought
Sources are expected to have the expertise, personnel, protocols, systems, and technology to meet requirements of the draft SOW. Tailored Capability Statements shall demonstrate a clear understanding of all tasks specified in the draft SOW. Tailored Capability Statements for this requirement shall also address the following areas:

Information Technology Systems Security Specifications
Information Security is applicable to this requirement. All contractor personnel assigned to work on this Task Order shall have completed the NIH Computer Security Awareness Training, have appropriate background investigations, and have signed a non-disclosure agreement. The COR for the contract maintains copies of proof of training, proof of clearance, and signed non-disclosure agreements either electronically in NIH systems or on hard copies.

This acquisition requires the Contractor to:
- Develop, have the ability to access, or host and/or maintain Federal information and/or Federal information system(s).
- Have regular or prolonged physical access to a "Federally-controlled facility," as defined in FAR Subpart 2.1.

The Contractor and all subcontractors performing under this acquisition shall comply with the following requirements for NCCIH systems, which include information types for NCCIH's mission and for administration, management, and support information for the mission:

a. Security Categories and Levels
- Confidentiality Level: [ ] Low [X] Moderate [ ] High
- Integrity Level: [X] Low [ ] Moderate [ ] High
- Availability Level: [X] Low [ ] Moderate [ ] High
- Overall Level: [ ] Low [X] Moderate [ ] High

b. Position Sensitivity Designations
The following sensitivity level(s), clearance type(s), and investigation requirements apply to this contract:
- [X] Level 5: Public Trust - Moderate Risk. Contractor/subcontractor employees assigned to Level 5 positions with no previous investigation and approval shall undergo a Suitability Determination and a Minimum Background Investigation (MBI) or a Limited Background Investigation (LBI).

The Contractor shall submit a roster by name, position, e-mail address, phone number, and responsibility of all staff (including subcontractor staff) working under this acquisition where the Contractor will develop, have the ability to access, or host and/or maintain a federal information system(s). The roster shall be submitted to the COR, with a copy to the Contracting Officer, within 14 calendar days of the effective date of this contract. Any revisions to the roster as a result of staffing changes shall be submitted within 15 calendar days of the change. The Contracting Officer will notify the Contractor of the appropriate level of investigation required for each staff member.
An electronic template, "Roster of Employees Requiring Suitability Investigations," is available for contractor use at http://ocio.nih.gov/docs/public/Suitability-roster.xls. Suitability investigations are required for contractors who will need access to NIH information systems and/or to NIH physical space. Each contract employee needing a suitability investigation will be contacted via e-mail by the NIH Office of Personnel Security and Access Control (DPSAC) within 30 days. The DPSAC e-mail message will contain instructions regarding fingerprinting as well as links to the electronic forms contract employees must complete.

The NIH uses HSPD-12 PIV smartcards for authentication as specified by the federal government. Contract employees must use their 2-factor authentication credentials granted by NIH DPSAC in order to access the NSAT system remotely by VPN. The same NIH ID cards should be expected to be used for NIH building access and for access to government funded equipment. Additional information can be found at the following website: http://idbadge.nih.gov/background/index.asp

All contractor and subcontractor employees shall comply with the conditions established for their designated position sensitivity level prior to performing any work under this contract. Contractors may begin work after the fingerprint check has been completed.

Contractor Minimum Requirements
The Contractor must demonstrate expert knowledge of federal IT systems SA&A. Expert knowledge shall be defined as having at least 4 years of experience assisting federal agencies with their Security Assessment and Authorization (SA&A) planning to comply with government regulations and guidance, including guidance such as OMB A-130 and the National Information Assurance Certification and Accreditation Process (NIACAP). The Contractor should have at least one year of experience working specifically with NIH systems.
The Contractor shall ensure that all employees, including subcontractor employees, comply with the NIH Information Technology General Rules of Behavior, which are available at https://ocio.nih.gov/aboutus/publicinfosecurity/securitytraining/Pages/NIH_IT_GeneralRulesofBehavior.aspx.

The Contractor must commit to protecting non-public Departmental information and data. The Contractor and any subcontractors performing under this contract shall not release, publish, or disclose non-public Departmental information to unauthorized personnel and shall protect such information in accordance with provisions of the following laws and any other pertinent laws and regulations governing the confidentiality of such information:
- 18 U.S.C. 641 (Criminal Code: Public Money, Property or Records)
- 18 U.S.C. 1905 (Criminal Code: Disclosure of Confidential Information)
- Public Law 96-511 (Paperwork Reduction Act)

Data Encryption
The Contractor shall secure all computers used on behalf of the government using a Federal Information Processing Standard (FIPS) 140-2 compliant whole-disk encryption solution. The cryptographic module used by an encryption or other cryptographic product must be tested and validated under the Cryptographic Module Validation Program to confirm compliance with the requirements of FIPS PUB 140-2 (as amended). For additional information, refer to http://csrc.nist.gov/groups/STM/cmvp/. The Contractor shall secure all mobile devices, including non-HHS laptops and portable media that contain sensitive HHS information, by using a FIPS 140-2 compliant product. Data at rest includes all HHS data regardless of where it is stored. The Contractor shall use a FIPS 140-2 compliant key recovery mechanism so that encrypted information can be decrypted and accessed by authorized personnel. Use of encryption keys which are not recoverable by authorized personnel is prohibited.
Key recovery is required by "OMB Guidance to Federal Agencies on Data Availability and Encryption", November 26, 2001, http://csrc.nist.gov/drivers/documents/ombencryption-guidance.pdf. Encryption key management shall comply with all HHS and NIH policies (http://intranet.hhs.gov/infosec/docs/guidance/hhs_standard_2007.pdf) and shall provide adequate protection to prevent unauthorized decryption of the information. All media used to store information shall be encrypted until sanitized or destroyed in accordance with NIH procedures. Contact the NIH Center for Information Technology for assistance at http://cit.nih.gov/ProductsAndServices/ServiceCatalog/Services.htm?Service=Media+Sanitization+Service.

Submission
All capability statements sent in response to this SMALL BUSINESS SOURCES SOUGHT notice must be submitted electronically (via e-mail) to Mary Muir, Contracting Officer, at mary.muir@nih.gov in MS Word or Adobe Portable Document Format (PDF). The e-mail subject line must specify HHS-NIH-NCI-SBSS-TSB-77002-16. Facsimile responses or phone calls will not be accepted.

Common Cut-off Date
Electronically submitted tailored capability statements are due no later than 12:00PM (Eastern Prevailing Time) on February 10, 2017. CAPABILITY STATEMENTS RECEIVED AFTER THIS DATE AND TIME WILL NOT BE CONSIDERED.

DISCLAIMER AND IMPORTANT NOTES
This notice does not obligate the Government to award a contract or otherwise pay for the information provided in this response. The Government reserves the right to use information provided by respondents for any purpose deemed necessary and legally appropriate. Any organization responding to this notice should ensure that its response is complete and sufficiently detailed to allow the Government to determine the organization's qualifications to perform the work.
Respondents are advised that the Government is under no obligation to acknowledge receipt of the information received or provide feedback to respondents with respect to any information submitted. After a review of the responses received, a pre-solicitation synopsis and solicitation may be published in Federal Business Opportunities. However, responses to this notice will not be considered adequate responses to a solicitation.

CONFIDENTIALITY
No proprietary, classified, confidential, or sensitive information should be included in your response. The Government reserves the right to use any non-proprietary technical information in any resultant solicitation(s).
- Web Link
- FBO.gov Permalink: https://www.fbo.gov/spg/HHS/NIH/RCB/HHS-NIH-NCI-SBSS-TSB-77002-16/listing.html
- Place of Performance
- Address: 31 Center Drive, Rm 2B11, Bethesda, Maryland, 20892, United States
- Zip Code: 20892
- Record
- SN04383621-W 20170129/170127234325-f6a3212342b63c4caa274e64fe406353 (fbodaily.com)