Loren Data's SAM Daily™

 fbodaily.com
Home Today's SAM Search Archives Numbered Notes CBD Archives Subscribe
FBO DAILY - FEDBIZOPPS ISSUE OF AUGUST 15, 2018 FBO #6109
SOLICITATION NOTICE

R -- IDENTIFYING TRIBAL TOBACCO RETAILERS AND MANUFACTURERS - FDASOL1199697

Notice Date
8/13/2018
 
Notice Type
Combined Synopsis/Solicitation
 
NAICS
541690 — Other Scientific and Technical Consulting Services
 
Contracting Office
Department of Health and Human Services, Food and Drug Administration, Office of Acquisitions and Grants Services - Rockville, 5630 Fishers Lane, Room 2129, Rockville, Maryland, 20857-0001, United States
 
ZIP Code
20857-0001
 
Solicitation Number
FDASOL1199697
 
Point of Contact
Telisha Wilson, Phone: 2404027572
 
E-Mail Address
telisha.wilson@fda.hhs.gov
(telisha.wilson@fda.hhs.gov)
 
Small Business Set-Aside
N/A
 
Description
IDENTIFYING TRIBAL TOBACCO RETAILERS AND MANUFACTURERS PROJECT TITLE: IDENTIFYING TRIBAL TOBACCO RETAILERS AND MANUFACTURERS BACKGROUND The Food and Drug Administration (FDA), Center for Tobacco Products (CTP) was established by the Family Smoking Prevention and Tobacco Control Act (Tobacco Control Act) (Public Law 111-31). The Tobacco Control Act amended the Federal Food, Drug, and Cosmetic Act (FD&C Act) by, among other things, adding a new chapter granting the FDA authority to regulate the manufacturing, marketing, and distribution of tobacco products to protect the public health and to reduce tobacco use by minors. The Tobacco Control Act authorizes FDA, where feasible, to contract with U.S. States, Tribes, and Territories to carry out inspections of tobacco product retailers on behalf of FDA. The American Indian and Alaska Native population has the highest prevalence of cigarette smoking (about 40%) compared to any other population group in the United States. Through a collaborative partnership, we can protect the health of Native communities, especially youth, by ensuring compliance with the Tobacco Control Act. This solicitation is a Request for Quote (RFQ) using FAR Parts 12 and 13 procedures. The solicitation document and incorporated provisions and clauses are those in effect through Federal Acquisition Circular (FAC) 2005-95. The North American Industry Classification System (NAICS) code for the proposed acquisition is 541690, Other Scientific and Technical Consulting Services. The solicitation is intended for full and open. PRICING TABLE Task Price Quantity Price 2 $ 1 $ 3 $ 1 $ Total Price $ OBJECTIVES The overall objective of this project is to identify tobacco retailers and tobacco manufacturers that are physically located in Federally recognized Indian Country (as defined in 18 U.S.C. §1151). This will include updating FDA's pre-existing list of retailers located in Indian Country. Requirements: Task 1. Kick-off meeting Following award, the Contractor shall participate in a kick-off meeting with the Contracting Officer's Representative (COR), and other FDA representatives, as identified by CTP, to discuss the proposed work plan. The meeting will be held via teleconference. During the meeting, the Contractor shall present any clarifying questions about the scope of work and related issues. This meeting shall occur within fifteen (15) business days following award. Task 2. Verify and update retailer list Within ten (10) business days following award, FDA will provide the contractor with a list of previously identified tobacco retail establishments located within Indian Country. For proposal purposes, the contractor can assume approximately 2,500 retail establishments. This list will include the retail establishment's name, address, and the name of the tribe where they are located (if available). The contractor shall verify and update the existing retail establishment list as follows: 1. Confirm whether the retail establishment is in Indian Country; 2. Identify or update the associated federally-recognized tribe; 3. Confirm the name and address of each establishment and specify any corrections that are necessary for the name or address of the identified establishment; 4. Identify the legal owner for each establishment; and 5. Identify retailers that are no longer in operation. The contractor shall also clearly identify any tobacco retail establishments located in Indian Country that are not on the list provided by FDA. "Retail establishment" means any person who sells tobacco products to individuals for personal consumption, or who operates a facility where vending machines or self-service displays of tobacco are permitted. The contractor shall provide the name, address, associated federally-recognized tribe, and legal owner for all newly identified retail establishments. When researching and identifying ownership of the establishments, the contractor shall provide a comprehensive ownership recommendation that includes the documentation that the contractor used to make the recommendation. For each of the elements listed above, provide reliable evidence confirming the information provided. This evidence must include legible electronic copies of all source material relied upon to reach the conclusion. This should include documentation showing that the retailer is located in Indian Country. Task 3. Verify and update manufacturer list Within ten (10) business days following award, FDA will provide the contractor with a list of previously-identified tobacco product manufacturers. For proposal purposes, the contractor can assume approximately 100 manufacturers. This list will include the manufacturer's name and address. Identify any manufacturers not listed on the list provided by FDA. "Manufacturer" means any person, including any re-packer and/or re-labeler, who manufactures, fabricates, assembles, processes, or labels a finished tobacco product. The contractor shall verify and update the existing manufacturer list as follows: 1. Confirm whether the manufacturer is in Indian Country; 2. Identify or update the associated federally-recognized tribe; 3. Confirm the name and address of each manufacturer and specify any corrections that are necessary for the name or address of the identified manufacturer; 4. Identify the legal owner for each manufacturer; 5. Identify the nature of the manufacturer's activities, if needed; and 6. Identify manufacturers that are no longer in operation. For each of the elements listed above, provide reliable evidence confirming the information provided. This evidence must include legible electronic copies of all source material relied upon to reach the conclusion. Task 4. Status update calls and follow-up reports Following award, the Contractor shall participate in up to three (3) status update meetings with the Contracting Officer's Representative (COR), and other FDA representatives, as identified by CTP, to discuss the Contractor's progress. The meetings will be held via teleconference. During the meetings, the Contractor shall present its work to date for FDA's feedback. These meetings shall occur on an ad hoc basis at FDA's discretion, approximately once per quarter. Within three (3) business days following each status update meeting, the Contractor shall send FDA a written report via email to the Contracting Officer's Representative (COR). The report shall summarize the Contractor's progress to date, and shall include the following information at a minimum: • Number of retail establishments verified (Task 2) • Number of manufacturers verified (Task 3) • Any outstanding questions for FDA regarding Tasks 2 and 3 DELIVERABLES The Contractor shall adhere to the following performance requirements: REFERENCE # DESCRIPTION ESTIMATED QUANTITY FREQUENCY DUE DATES Task 1 Kickoff Meeting 1 Once Within fifteen (15) business days following award Task 2 Retailer List 1 Once At least sixty (60) days prior to contract expiration date Task 3 Manufacturer List 1 Once At least sixty (60) days prior to contract expiration date Task 4 Status update meetings Up to 3 Approximately quarterly Ad hoc Task 4 Status update reports Up to 3 Approximately quarterly Three (3) business days following status update meeting PLACE OF PERFORMANCE Work shall be performed at the Contractor's site. PERIOD OF PERFORMANCE Twelve (12) months following date of award. CONTRACT TYPE Firm fixed price INSPECTION AND ACCEPTANCE CRITERIA Deliverables must meet all the following criteria to be considered acceptable: 1. Complete and accurate name and address of the retail establishment/manufacturer. 2. The complete and accurate address of each owner of the retail establishment/manufacturer. 3. Documentation supporting all ownership and address information that is provided. 4. Documentation for Tasks 2 and 3 must include legible electronic copies of all documents relied upon to reach the conclusion and at a minimum must include licensing records, corporate registrations/filings, other relevant documents from state or local government entities; and the Secretary of State (or equivalent) record confirming business registration status if requested. Further, documentation must include the records used to determine that the retail establishment/manufacturer is located in Indian Country. 5. Conclusions provided by the contractor must be free from spelling and punctuation errors and must be provided in the format specified by FDA. The COR will review and communicate acceptance or rejection of deliverables to the Contractor no later than ten (10) business days prior to the end of the quarter. Acceptance or rejection may be communicated more frequently depending upon FDA's need. The contractor will have five (5) business days to correct and resubmit the rejected deliverables. CONFLICT OF INTEREST The Contractor shall warrant that, to the best of its knowledge and belief, and except as otherwise disclosed in its proposal, it does not have any actual, potential, or apparent conflict of interests pertaining to the subject procurement, as described in FAR Subpart 9.5 and U.S. Health and Human Services (HHS) and FDA policies, for its organization, employees, or subcontractors proposed to be working under the procurement. After award of an order for this procurement, if the Contractor discovers an actual, potential, or apparent conflict of interest with respect to this procurement, it shall make an immediate and full disclosure in writing to the FDA Contracting Officer and COR for this order, including a description of any actions the Contractor has taken or proposes to take to avoid, neutralize, or mitigate any conflict of interest. The Contractor shall act impartially and objectively and must avoid actions that would cause a reasonable person to question their impartiality or engage in activities that may result in an unfair competitive advantage. The Government reserves the right to exercise any remedy available at law or equity, including termination of the order for cause or convenience, should the Government determine remedial action is necessary to address any actual, potential, or apparent conflict of interest. The Contractor shall include a clause substantially similar to this conflicts of interest clause in any subcontract. PROCUREMENTS REQUIRING INFORMATION SECURITY AND/OR PHYSICAL SECURITY A. Baseline Security Requirements 1) Applicability. The requirements herein apply whether the entire contract or order (hereafter "contract"), or portion thereof, includes either or both of the following: 2) Access (Physical or Logical) to Government Information: A Contractor (and/or any subcontractor) employee will have or will be given the ability to have, routine physical (entry) or logical (electronic) access to government information. a. Operate a Federal System Containing Information: A Contractor (and/or any subcontractor) will operate a federal system and information technology containing data that supports the HHS mission. In addition to the Federal Acquisition Regulation (FAR) Subpart 2.1 definition of "information technology" (IT), the term as used in this section includes computers, ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services (including support services), and related resources. 3) Safeguarding Information and Information Systems. In accordance with the Federal Information Processing Standards Publication (FIPS)199, Standards for Security Categorization of Federal Information and Information Systems, the Contractor (and/or any subcontractor) shall: a. Protect government information and information systems in order to ensure: • Confidentiality, which means preserving authorized restrictions on access and disclosure, based on the security terms found in this contract, including means for protecting personal privacy and proprietary information; • Integrity, which means guarding against improper information modification or destruction, and ensuring information non-repudiation and authenticity; and • Availability, which means ensuring timely and reliable access to and use of information. b. Provide security for any Contractor systems, and information contained therein, connected to an FDA network or operated by the Contractor on behalf of FDA regardless of location. In addition, if new or unanticipated threats or hazards are discovered by either the agency or contractor, or if existing safeguards have ceased to function, the discoverer shall immediately, within one (1) hour or less, bring the situation to the attention of the other party. This includes notifying the FDA Systems Management Center (SMC) within one (1) hour of discovery/detection in the event of an information security incident. c. Adopt and implement the policies, procedures, controls, and standards required by the HHS/FDA Information Security Program to ensure the confidentiality, integrity, and availability of government information and government information systems for which the Contractor is responsible under this contract or to which the Contractor may otherwise have access under this contract. Obtain the FDA Information Security Program security requirements, outlined in the FDA Information Security and Privacy Policy (IS2P), by contacting the CO/COR or emailing your ISSO. d. Comply with the Privacy Act requirements and tailor FAR clauses as needed. 4) Information Security Categorization. In accordance with FIPS 199 and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-60, Volume II: Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories, Appendix C, and based on information provided by the ISSO or other security representative, the risk level for each Security Objective and the Overall Risk Level, which is the highest watermark of the three factors (Confidentiality, Integrity, and Availability) of the information or information system are the following: Confidentiality: [ ] Low [x ] Moderate [ ] High Integrity: [ ] Low [ x] Moderate [ ] High Availability: [ ] Low [x ] Moderate [ ] High Overall Risk Level: [ ] Low [x ] Moderate [ ] High Based on information provided by the Privacy Office, system/data owner, or other privacy representative, it has been determined that this solicitation/contract involves: [ ] No PII [ x] Yes PII 5) Controlled Unclassified Information (CUI). CUI is defined as "information that laws, regulations, or Government-wide policies require to have safeguarding or dissemination controls, excluding classified information." The Contractor (and/or any subcontractor) must comply with Executive Order 13556, Controlled Unclassified Information, (implemented at 3 CFR, part 2002) when handling CUI. 32 C.F.R. 2002.4(aa). As implemented the term "handling" refers to "...any use of CUI, including but not limited to marking, safeguarding, transporting, disseminating, re- using, and disposing of the information." 81 Fed. Reg. 63323. All sensitive information that has been identified as CUI by a regulation or statute, handled by this solicitation/contract, shall be: a. marked appropriately; b. disclosed to authorized personnel on a Need-To-Know basis; c. protected in accordance with NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations applicable baseline if handled by a Contractor system operated on behalf of the agency, or NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations if handled by internal Contractor system; and d. returned to FDA control, destroyed when no longer needed, or held until otherwise directed. 6) Protection of Sensitive Information. For security purposes, information is or may be sensitive because it requires security to protect its confidentiality, integrity, and/or availability. The Contractor (and/or any subcontractor) shall protect all government information that is or may be sensitive in accordance with OMB Memorandum M-06-16, Protection of Sensitive Agency Information by securing it with a FIPS 140-2 validated solution. Personally Identifiable Information (PII). Per the OMB Circular A-130, "PII is information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual." Examples of PII include, but are not limited to the following: Social Security number, date and place of birth, mother's maiden name, biometric records, etc. PII Confidentiality Impact Level has been determined to be: [ ] Low [x ] Moderate [ ] High Destruction of information and/or data shall be accomplished in accordance with NIST SP 800-88, Guidelines for Media Sanitization and the FDA IS2P Appendix T: Sanitization of Computer-Related Storage Media. Confidentiality and Nondisclosure of Information. Any information provided to the contractor (and/or any subcontractor) by FDA or collected by the contractor on behalf of FDA shall be used only for the purpose of carrying out the provisions of this contract and shall not be disclosed or made known in any manner to any persons except as may be necessary in the performance of the contract. The Contractor assumes responsibility for protection of the confidentiality of Government records and shall ensure that all work performed by its employees and subcontractors shall be under the supervision of the Contractor. Each Contractor employee or any of its subcontractors to whom any FDA records may be made available or disclosed shall be notified in writing by the Contractor that information disclosed to such employee or subcontractor can be used only for that purpose and to the extent authorized herein. The confidentiality, integrity, and availability of such information shall be protected in accordance with HHS and FDA policies. Unauthorized disclosure of information will be subject to the HHS/FDA sanction policies and/or governed by the following laws and regulations: a. 18 U.S.C. 641 (Criminal Code: Public Money, Property or Records); b. 18 U.S.C. 1905 (Criminal Code: Disclosure of Confidential Information); and c. 44 U.S.C. Chapter 35, Subchapter I (Paperwork Reduction Act). 7) Internet Protocol Version 6 (IPv6). All procurements using Internet Protocol shall comply with OMB Memorandum M-05-22, Transition Planning for Internet Protocol Version 6 (IPv6). 8) Government Websites. All new and existing public-facing government websites must be securely configured with Hypertext Transfer Protocol Secure (HTTPS) using the most recent version of Transport Layer Security (TLS). In addition, HTTPS shall enable HTTP Strict Transport Security (HSTS) to instruct compliant browsers to assume HTTPS at all times to reduce the number of insecure redirects and protect against attacks that attempt to downgrade connections to plain HTTP. For internal-facing websites, the HTTPS is not required, but it is highly recommended. 9) Contract Documentation. The Contractor shall use FDA-provided templates, policies, forms and other agency documents to comply with contract deliverables as appropriate. 10) Standard for Encryption. The Contractor (and/or any subcontractor) shall: a. Comply with the HHS Standard for Encryption of Computing Devices and Information to prevent unauthorized access to government information. b. Encrypt all sensitive federal data and information (i.e., PII, protected health information [PHI], proprietary information, etc.) in transit (i.e., email, network connections, etc.) and at rest (i.e., servers, storage devices, mobile devices, backup media, etc.) with FIPS 140-2 validated encryption solution. c. All devices (i.e.: desktops, laptops, mobile devices, etc.) that store, transmit, or process non-public FDA information should utilize FDA-provided or FDA information security authorized devices that meet HHS and FDA-specific encryption standard requirements. Maintain a complete and current inventory of all laptop computers, desktop computers, and other mobile devices and portable media that store or process sensitive government information (including PII). d. Verify that the encryption solutions in use are compliant with FIPS 140-2. The Contractor shall provide a written copy of the validation documentation to the COR. e. Use the Key Management system on the HHS Personal Identification Verification (PIV) card or establish and use a key recovery mechanism to ensure the ability for authorized personnel to encrypt/decrypt information and recover encryption keys. Encryption keys (PIV card) shall be provided to the COR upon request and at the conclusion of the contract. Upon completion of contract, contractor ensures that COR is able to access and read any encrypted data. 11) Contractor Non-Disclosure Agreement (NDA). Each Contractor (and/or any subcontractor) employee having access to non-public government information under this contract shall complete the FDA non-disclosure agreement (3398 Form), as applicable. A copy of each signed and witnessed NDA shall be submitted to the CO and/or COR prior to performing any work under this acquisition. 12) Privacy Threshold Analysis (PTA)/Privacy Impact Assessment (PIA) - The Contractor shall assist the procuring activity representative, program office and the FDA SOP or designee with conducting a PTA for the information system and/or information handled under this contract to determine whether or not a full PIA needs to be completed. 1. If the results of the PTA show that a full PIA is needed, the Contractor shall assist procuring activity representative, program office and the FDA SOP or designee with completing a PIA for the system or information after completion of the PTA and in accordance with HHS and FDA policy and OMB M-03-22, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002. The PTA/PIA must be completed and approved prior to active use and/or collection or processing of PII and is a prerequisite to agency issuance of an authorization to operate (ATO). 2. The Contractor shall assist the procuring activity representative, program office and the FDA SOP or designee in reviewing and updating the PIA at least every three years throughout the Enterprise Performance Life Cycle (EPLC) /information lifecycle, or when determined by the agency that a review is required based on a major change to the system, or when new types of PII are collected that introduces new or increased privacy risks, whichever comes first. B. Training 1) Mandatory Training for All Contractor Staff. All Contractor (and/or any subcontractor) employees assigned to work on this contract shall complete the applicable FDA Contractor Information Security Awareness, Privacy, and Records Management training (provided upon contract award) before performing any work under this contract. Thereafter, the employees shall complete FDA Information Security Awareness, Privacy, and Records Management training at least annually, during the life of this contract. All provided training shall be compliant with HHS and FDA training policies. 2) Role-based Training. All Contractor (and/or any subcontractor) employees with significant security responsibilities (as determined by the program manager) must complete role-based training annually commensurate with their role and responsibilities in accordance with HHS and FDA policy and FDA Role-Based Training (RBT) of Personnel with Significant Security Responsibilities Standard Operating Procedures (SOP). 3) Training Records. The Contractor (and/or any subcontractor) shall maintain training records for all its employees working under this contract in accordance with HHS and FDA policy. A copy of the training records shall be provided to the CO and/or COR within 30 days after contract award and annually thereafter or upon request. C. Rules of Behavior 1) The Contractor (and/or any subcontractor) shall ensure that all employees performing on the contract comply with the HHS Information Technology General Rules of Behavior. 2) All Contractor employees performing on the contract must read and adhere to the Rules of Behavior (ROB) before accessing HHS and FDA data or other information, systems, and/or networks that store/process government information, initially at the beginning of the contract and at least annually thereafter, which may be done as part of annual FDA Information Security Awareness Training. If the training is provided by the contractor, the signed ROB must be provided as a separate deliverable to the CO and/or COR per defined timelines. D. Incident Response The Contractor (and/or any subcontractor) shall respond to all alerts/Indicators of Compromise (IOCs) provided by HHS Computer Security Incident Response Center (CSIRC)/FDA SMC /Incident Response Team (IRT) teams within 24 hours, whether the response is positive or negative. FISMA defines an incident as "an occurrence that (1) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or (2) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies." The HHS Policy for IT Security and Privacy Incident Reporting and Response further defines incidents as events involving cybersecurity and privacy threats, such as viruses, malicious user activity, loss of, unauthorized disclosure or destruction of data, and so on. A privacy breach is a type of incident and is defined by FISMA as the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where (1) a person other than an authorized user accesses or potentially accesses personally identifiable information or (2) an authorized user accesses or potentially accesses personally identifiable information for an other than authorized purpose. The HHS Policy for IT Security and Privacy Incident Reporting and Response further defines a breach as "a suspected or confirmed incident involving PII." In the event of a suspected or confirmed incident or breach, the Contractor (and/or any subcontractor) shall: 1) Protect all sensitive information, including any PII created, stored, or transmitted in the performance of this contract to avoid a secondary sensitive information incident with FIPS 140-2 validated encryption. 2) NOT notify affected individuals unless so instructed by the Contracting Officer or designated representative. If so instructed by the Contracting Officer or representative, the Contractor shall send FDA approved notifications to affected individuals as directed by FDA's SOP. 3) Report all suspected and confirmed information security and privacy incidents and breaches to the FDA Systems Management Center, COR, CO, and other stakeholders, (Recommend adding the FDA Senior Official for Privacy with contact information and either defining or deleting "other stakeholders.") including incidents involving PII, in any medium or form, including paper, oral, or electronic, as soon as possible and without unreasonable delay, no later than one (1) hour of discovery/detection, and consistent with the applicable FDA and HHS policy and procedures, NIST standards and guidelines, as well as US-CERT notification guidelines. The types of information required in an incident report must include at a minimum: company and point of contact information, contract information, impact impact classifications/threat vector, and the type of information compromised. In addition, the Contractor shall: a. cooperate and exchange any information, as determined by the Agency, necessary to effectively manage or mitigate a suspected or confirmed breach; b. not include any sensitive information in the subject or body of any reporting e-mail; and c. encrypt sensitive information in attachments to email, media, etc. 4) Comply with OMB M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information and HHS and FDA incident response policies when handling PII breaches. 5) Provide full access and cooperate on all activities as determined by the Government to ensure an effective incident response, including providing all requested images, log files, and event information to facilitate rapid resolution of sensitive information incidents. This may involve disconnecting the system processing, storing, or transmitting the sensitive information from the Internet or other networks or applying additional security controls. This may also involve physical access to contractor facilities during a breach/incident investigation demand. E. Position Sensitivity Designations All Contractor (and/or any subcontractor) employees must obtain a background investigation commensurate with their position sensitivity designation that complies with Parts 1400 and 731 of Title 5, Code of Federal Regulations (CFR). The following position sensitivity designation levels apply to this solicitation/contract: Tier 2 F. Homeland Security Presidential Directive (HSPD)-12 The Contractor (and/or any subcontractor) and its employees shall comply with Homeland Security Presidential Directive (HSPD)-12, Policy for a Common Identification Standard for Federal Employees and Contractors; OMB M-05-24; FIPS 201, Personal Identity Verification (PIV) of Federal Employees and Contractors; HHS HSPD-12 policy; and Executive Order 13467, Part 1 §1.2. Roster. The Contractor (and/or any subcontractor) shall submit a roster by name, position, e-mail address, phone number and responsibility, of all staff working under this acquisition where the Contractor will develop, have the ability to access, or host and/or maintain a government information system(s). The roster and any revisions to the roster as a result of staffing changes shall be submitted to the COR and/or CO per the COR or CO's direction. Any revisions to the roster as a result of staffing changes shall be submitted within a timeline as directed by the COR and/or CO. The COR will notify the Contractor of the appropriate level of investigation required for each staff member. If the employee is filling a new position, the Contractor shall provide a position description and the Government will determine the appropriate suitability level. G. Contract Initiation and Expiration 1) General Security Requirements. The Contractor (and/or any subcontractor) shall comply with information security and privacy requirements, Enterprise Performance Life Cycle (EPLC) processes, HHS Enterprise Architecture requirements to ensure information is appropriately protected from initiation to expiration of the contract. All information systems development or enhancement tasks supported by the contractor shall follow the FDA EPLC framework and methodology in accordance with the FDA EPLC Project documentation, located here: http://sharepoint.fda.gov/orgs/DelMgmtSupport/IntakeProc/EPLCv2/SitePages/v2/EPLCHome.aspx HHS EA requirements may be located here: https://www.hhs.gov/about/agencies/asa/ocio/index.html 2) System Documentation. Contractors (and/or any subcontractors) must follow and adhere to NIST SP 800-64, Security Considerations in the System Development Life Cycle, at a minimum, for system development and provide system documentation at designated intervals (specifically, at the expiration of the contract) within the EPLC that require artifact review and approval. 3) Sanitization of Government Files and Information. As part of contract closeout and at expiration of the contract, the Contractor (and/or any subcontractor) shall provide all required documentation in accordance with FDA OAGS SMGs to the CO and/or COR to certify that, at the government's direction, all electronic and paper records are appropriately disposed of and all devices and media are sanitized in accordance with NIST SP 800-88, Guidelines for Media Sanitization and FDA IS2P Appendix T: Sanitization of Computer-Related Storage Media 4) Notification. The Contractor (and/or any subcontractor) shall notify the CO and/or COR as soon as it is known that an employee will stop working under this contract. 5) Contractor Responsibilities Upon Physical Completion of the Contract. The contractor (and/or any subcontractors) shall return all government information and IT resources (i.e., government information in non-government-owned systems, media, and backup systems) acquired during the term of this contract to the CO and/or COR. Additionally, the Contractor shall provide a certification that all government information has been properly sanitized and purged from Contractor-owned systems, including backup systems and media used during contract performance, in accordance with HHS and/or FDA policies. 6) The Contractor (and/or any subcontractor) shall coordinate with the COR via email, copying the Contract Specialist, to ensure that the appropriate person performs and documents the actions identified in the FDA eDepart system http://inside.fda.gov:9003/EmployeeResources/NewEmployee/eDepartDepartureSystem/default.htm as soon as it is known that an employee will terminate work under this contract within days of the employee's exit from the contract. All documentation shall be made available to the CO and/or COR upon request. H. Records Management and Retention The Contractor (and/or any subcontractor) shall maintain all information in accordance with Executive Order 13556 -- Controlled Unclassified Information, National Archives and Records Administration (NARA) records retention policies and schedules and HHS/FDA policies and shall not dispose of any records unless authorized by HHS/FDA. In the event that a contractor (and/or any subcontractor) accidentally disposes of or destroys a record without proper authorization, it shall be documented and reported as an incident in accordance with HHS/FDA policies. INSTRUCTIONS TO PROPOSERS Response Dates Question shall be submitted via email to Telisha.Wilson@fda.hhs.gov by 10AM EST, xx/xx/2018. Proposals shall be submitted via email to Telisha.Wilson@fda.hhs.gov by 10AM EST, 08/xx/2018. PROPOSAL INSTRUCTIONS Offeror's proposal shall consist of two (2) separate parts. Part 1 shall consist of the Technical Proposal. Part 2 shall include the Price Proposal. Volume 1: Technical Proposal The Offeror shall provide a technical proposal to demonstrate a thorough, sound, and comprehensive technical approach to perform the tasks described in the scope of work. Volume 2: Price Proposal The Offeror shall submit a price proposal that includes a breakdown of proposed hours and wages for labor categories along with a total price for the overall project. Additional price information may be requested by the contract specialist if needed. The Government is not responsible for locating or securing any information which is not identified in the proposal. To ensure information is available offerors shall furnish as part of their quote, all descriptive material necessary for the Government to unequivocally determine the services offered meets the technical requirements described in the statement of work. AWARD DECISION The Government will award this order to the lowest priced technically acceptable quote. Offerors are advised that it is possible that only the lowest-priced, timely submitted quote may be evaluated. Specifically, after obtaining price quotes and ensuring submission compliance, the Government shall prioritize the remaining price quotes from lowest to highest price. Evaluators will then evaluate the lowest price quote first. If the lowest price quote is technically acceptable, there will be no need to evaluate the higher price quote.
 
Web Link
FBO.gov Permalink
(https://www.fbo.gov/spg/HHS/FDA/DCASC/FDASOL1199697/listing.html)
 
Record
SN05033809-W 20180815/180813231125-8f10e92a69e933d9fea2c9b184ddbc83 (fbodaily.com)
 
Source
FedBizOpps Link to This Notice
(may not be valid after Archive Date)
FSG Index  |  This Issue's Index  |  Today's FBO Daily Index Page |
ECGrid: EDI VAN Interconnect ECGridOS: EDI Web Services Interconnect API Government Data Publications CBDDisk Subscribers
 Privacy Policy  Jenny in Wanderland!  © 1994-2024, Loren Data Corp.