Loren Data's SAM Daily™

 fbodaily.com
Home Today's SAM Search Archives Numbered Notes CBD Archives Subscribe
FBO DAILY - FEDBIZOPPS ISSUE OF JULY 13, 2019 FBO #6441
SOURCES SOUGHT

L -- BRAND NAME OR EQUAL: Lynx Duress Systems Department of Veterans Affairs Pittsburgh Healthcare System Market Research Purposes ONLY

Notice Date
7/11/2019
 
Notice Type
Synopsis
 
NAICS
541519 — Other Computer Related Services
 
Contracting Office
Department of Veterans Affairs;Network Contracting Office 4;Lebanon VA Medical Center;1700 South Lincoln Avenue;Lebanon, PA 17042
 
ZIP Code
17042
 
Solicitation Number
36C24419Q0902
 
Response Due
7/16/2019
 
Archive Date
9/14/2019
 
Point of Contact
daniel.johnson44@va.gov
 
Small Business Set-Aside
N/A
 
Description
28 Purpose and Objectives: The intent of this Sources Sought Notice is to identify potential offerors capable of providing Lynx Duress System, or something similar. These are for the Pittsburgh Healthcare System for multiple sites within the Pittsburgh, PA area. Responses to this Sources Sought Notice should demonstrate the firm's ability, capability, and responsibility to provide the principal components of supplies listed in the attached document. Responses should include the following information: Verify that the business is under 541519 of the North American Industry Classification System (NAICS), V1erification of Size Standard under the NAICS, Business name, address, Point-of-Contact, if in possession of a Federal Supply Schedule contract, and if the business has verification as a Service Disabled Veteran Owned Small Business or Veteran Owned Small Business. All information is to be submitted via e-mail at Daniel.Johnson44@va.gov. Information provided will not be returned. All responses shall be in the English Language. Responses are due by 12:00 P.M. (EST) on Tuesday, July 16, 2019. No submissions will be accepted after this date and time. Questions can be submitted electronically to Daniel.Johnson44@va.gov. This is a Sources Sought Notice and submissions will be used for informational and planning purposes only. This notice does not constitute a formal Request for Proposal (RFP), Information for Bid (IFB), or Request for Quote (RFQ), nor is the government obligated to issue an RFP, IFB, or RFQ. In addition, the Government does not intend to pay for any information provided under this notice. The Government is not obligated to notify respondents of the results of this survey. Statement of Work VA Pittsburgh Healthcare System Staff Duress and Emergency Notification System General: The Contractor shall furnish all software and software licensing to provide a Staff Duress and Emergency Notification application in accordance with the Terms, Conditions and Specifications of the contract. The Firm-Fixed contract shall be for one (1) year and contain four (4), one-year options periods. Required Work Location: VA Pittsburgh Healthcare System (VAPHS), University Drive and Heinz Campuses: Period of Performance: 1. BASE YEAR: 09/01/2019 08/31/2020 2. OPTION YEAR ONE (1): 09/01/2020 08/31/2021 3. OPTION YEAR TWO (2): 09/01/2021 08/31/2022 4. OPTION YEAR THREE (3): 09/01/2022 08/31/2023 5. OPTION YEAR FOUR (4): 09/01/2023 08/31/2024 Purpose: The VA Pittsburgh Healthcare System (VAPHS) has a requirement for all software, software licensing and software support to provide a Staff Duress and Emergency Notification application. The application must be deployable on up to 5,000 computer workstations located at two campus locations in the Pittsburgh area. The project shall include all system software, licensing, software support and application training. The application shall reside on a VA virtual server. Training services shall be scheduled with the COR no less than one (1) month in advance. Network Work Locations: VAPHS Main Hospital, University Drive Campus University Drive C Pittsburgh, PA 15240 VAPHS, Heinz Campus Community Living Heinz Center, Ambulatory Care Center 1010 Delafield Road Pittsburgh, PA 15216 Working Hours: If Contractor is required to be onsite, it must be between the hours of 8:00 A.M. EST 4:00 P.M. EST on Monday Friday (EXCLUDING FEDERAL HOLIDAYS). If one of the planned days were to overlap onto a holiday, it is on the Contractor to reschedule another day/time with the COR, at no additional cost to the Government. General Requirements: The Contractor s application shall be installed on a VA provided virtual server. The Contractor shall provide software support services for the application for the life of the contract. The Contractor shall provide VA Police Service and other designated VA personnel with application training. Technical Requirements: The application shall provide users with a PC workstation keyboard combination duress signal initiation feature and the ability to send emergency notifications to all users by designated VAPHS personnel. Additionally, the application shall: Utilize TLS encryption. Provide duress capability when workstation is logged on/off, or locked. Provide a built-in test and reporting feature. Load automatically and run in the background when a workstation is booted. Display alert messages on user s screens regardless of what other applications are open at the time. Possess the ability to send alerts to some or all users based on user groups or profiles. Allow alert messages to be displayed across the entire workstation screen, top or bottom of screen, or a corner of the screen (for non-emergency alerts). The duress panic feature shall allow users to initiate a discrete (silent) key combination alert advising of the existence of a current threat. The Contractor gaining award of this Contract shall provide the name, address, telephone number, facsimile number, and email address of authorized Contractor representative(s) who have the binding authority to act on behalf of the Contractor on administrative and/or performance matters pertaining to this Contract. The Contractor shall maintain this list and submit any changes thereof to the COR and CO when changes occur. Contractor Personnel Security Requirements: All contractor employees and subcontractor employees requiring unescorted access to VA facilities and/or access to VA Technology resources (network and/or protected data) must complete a Special Agreement Check (SAC) investigation conducted by the FBI National Criminal History Check (NCHC). The following forms are required for a SAC: Fingerprints and OF306 Declaration For Federal Employment. The employee must be fingerprinted as part of the investigation. Electronic fingerprinting can be performed at the VA Pittsburgh Medical Center and will be coordinated through the COR and Human Resources Office. The Contractor shall bear the expense of the background investigation(s), regardless of the final adjudication determination. A Bill of Collections shall be generated by the VA after final adjudication determination has been received. Access to VA Information and VA Information Systems: A contractor/subcontractor shall request logical (technical) or physical access to VA information and VA information systems for their employees, subcontractors, and affiliates only to the extent necessary to perform the services specified in the contract, agreement, or task order. All contractors, subcontractors, and third-party servicers and associates working with VA information are subject to the same investigative requirements as those of VA appointees or employees who have access to the same types of information. The level and process of background security investigations for contractors must be in accordance with VA Directive and Handbook 0710, Personnel Suitability and Security Program. The Office for Operations, Security, and Preparedness is responsible for these policies and procedures. The contractor or subcontractor must notify the Contracting Officer immediately when an employee working on a VA system or with access to VA information is reassigned or leaves the contractor or subcontractor s employ. The Contracting Officer must also be notified immediately by the contractor or subcontractor prior to an unfriendly termination. VA Information Custodial Language: Information made available to the contractor or subcontractor by VA for the performance or administration of this contract or information developed by the contractor/subcontractor in performance or administration of the contract shall be used only for those purposes and shall not be used in any other way without the prior written agreement of the VA. This clause expressly limits the contractor/subcontractor's rights to use data as described in Rights in Data - General, FAR 52.227-14(d) (1). Prior to termination or completion of this contract, contractor/subcontractor must not destroy information received from VA, or gathered/created by the contractor in the course of performing this contract without prior written approval by the VA. Any data destruction done on behalf of VA by a contractor/subcontractor must be done in accordance with National Archives and Records Administration (NARA) requirements as outlined in VA Directive 6300, Records and Information Management and its Handbook 6300.1 Records Management Procedures, applicable VA Records Control Schedules, and VA Handbook 6500.1, Electronic Media Sanitization. Self-certification by the contractor that the data destruction requirements above have been met must be sent to the VA Contracting Officer within 30 days of termination of the contract. The contractor/subcontractor must receive, gather, store, back up, maintain, use, disclose and dispose of VA information only in compliance with the terms of the contract and applicable Federal and VA information confidentiality and security laws, regulations and policies. If Federal or VA information confidentiality and security laws, regulations and policies become applicable to the VA information or information systems after execution of the contract, or if NIST issues or updates applicable FIPS or Special Publications (SP) after execution of this contract, the parties agree to negotiate in good faith to implement the information confidentiality and security laws, regulations and policies in this contract. The contractor/subcontractor shall not make copies of VA information except as authorized and necessary to perform the terms of the agreement or to preserve electronic information stored on contractor/subcontractor electronic storage media for restoration in case any electronic equipment or data used by the contractor/ subcontractor needs to be restored to an operating state. If copies are made for restoration purposes, after the restoration is complete, the copies must be appropriately destroyed. If VA determines that the contractor has violated any of the information confidentiality, privacy, and security provisions of the contract, it shall be sufficient grounds for VA to withhold payment to the contractor or third party or terminate the contract for default or terminate for cause under Federal Acquisition Regulation (FAR) part 12. Except for uses and disclosures of VA information authorized by this contract for performance of the contract, the contractor/subcontractor may use and disclose VA information only in two other situations: (I) in response to a qualifying order of a court of competent jurisdiction, or (ii) with VA s prior written approval. The contractor/ subcontractor must refer all requests for, demands for production of, or inquiries about, VA information and information systems to the VA contracting officer for response. Notwithstanding the provision above, the contractor/subcontractor shall not release VA records protected by Title 38 U.S.C. 5705, confidentiality of medical quality assurance records and/or Title 38 U.S.C. 7332, confidentiality of certain health records pertaining to drug addiction, sickle cell anemia, alcoholism or alcohol abuse, or infection with human immunodeficiency virus. If the contractor/subcontractor is in receipt of a court order or other requests for the above-mentioned information, that contractor/subcontractor shall immediately refer such court orders or other requests to the VA contracting officer for response. Security Incident Investigation: The term security incident means an event that has, or could have, resulted in unauthorized access to, loss or damage to VA assets, or sensitive information, or an action that breaches VA security procedures. The contractor/subcontractor shall immediately notify the COTR and simultaneously, the designated ISO and Privacy Officer for the contract of any known or suspected security/privacy incidents, or any unauthorized disclosure of sensitive information, including that contained in system(s) to which the contractor/subcontractor has access. To the extent known by the contractor/subcontractor, the contractor/subcontractor s notice to VA shall identify the information involved, the circumstances surrounding the incident (including to whom, how, when, and where the VA information or assets were placed at risk or compromised), and any other information that the contractor/ subcontractor considers relevant. Liquidated Damages For Data Breach: Consistent with the requirements of 38 U.S.C. §5725, a contract may require access to sensitive personal information. If so, the contractor is liable to VA for liquidated damages in the event of a data breach or privacy incident involving any SPI the contractor/subcontractor processes or maintains under this contract. The contractor/subcontractor shall provide notice to VA of a security incident as set forth in the Security Incident Investigation section above. Upon such notification, VA must secure from a non-Department entity or the VA Office of Inspector General an independent risk analysis of the data breach to determine the level of risk associated with the data breach for the potential misuse of any sensitive personal information involved in the data breach. The term 'data breach' means the loss, theft, or other unauthorized access, or any access other than that incidental to the scope of employment, to data containing sensitive personal information, in electronic or printed form, that results in the potential compromise of the confidentiality or integrity of the data. Contractor shall fully cooperate with the entity performing the risk analysis. Failure to cooperate may be deemed a material breach and grounds for contract termination. Each risk analysis shall address all relevant information concerning the data breach, including the following: (1) Nature of the event (loss, theft, unauthorized access); (2) Description of the event, including: (a) date of occurrence; (b) data elements involved, including any PII, such as full name, social security number, date of birth, home address, account number, disability code; (3) Number of individuals affected or potentially affected; (4) Names of individuals or groups affected or potentially affected; (5) Ease of logical data access to the lost, stolen or improperly accessed data in light of the degree of protection for the data, e.g., unencrypted, plain text; (6) Amount of time the data has been out of VA control; (7) The likelihood that the sensitive personal information will or has been compromised (made accessible to and usable by unauthorized persons); (8) Known misuses of data containing sensitive personal information, if any; (9) Assessment of the potential harm to the affected individuals; (10) Data breach analysis as outlined in 6500.2 Handbook, Management of Security and Privacy Incidents, as appropriate; and (11) Whether credit protection services may assist record subjects in avoiding or mitigating the results of identity theft based on the sensitive personal information that may have been compromised. d. Based on the determinations of the independent risk analysis, the contractor shall be responsible for paying to the VA liquidated damages in the amount of $37.50 per affected individual to cover the cost of providing credit protection services to affected individuals consisting of the following: (1) Notification; (2) One year of credit monitoring services consisting of automatic daily monitoring of at least 3 relevant credit bureau reports; (3) Data breach analysis; (4) Fraud resolution services, including writing dispute letters, initiating fraud alerts and credit freezes, to assist affected individuals to bring matters to resolution; (5) One year of identity theft insurance with $20,000.00 coverage at $0 deductible; and (6) Necessary legal expenses the subjects may incur to repair falsified or damaged credit records, histories, or financial affairs. Training: All contractor employees and subcontractor employees requiring access to VA information and VA information systems shall complete the following before being granted access to VA information and its systems: (1) Sign and acknowledge (either manually or electronically) understanding of and responsibilities for compliance with the Contractor Rules of Behavior, Appendix E relating to access to VA information and information systems; (2) Successfully complete the VA Cyber Security Awareness and Rules of Behavior training and annually complete required security training; (3) Successfully complete the appropriate VA privacy training and annually complete required privacy training; and (4) Successfully complete any additional cyber security or privacy training, as required for VA personnel with equivalent information system access [to be defined by the VA program official and provided to the contracting officer for inclusion in the solicitation document e.g., any role-based information security training required in accordance with NIST Special Publication 800-16, Information Technology Security Training Requirements]. The contractor shall provide to the Contracting Officer and/or the COTR a copy of the training certificates and certification of signing the Contractor Rules of Behavior for each applicable employee within one (1) week of the initiation of the contract and annually thereafter, as required. Failure to complete the mandatory annual training and sign the Rules of Behavior annually, within the timeframe required, is grounds for suspension or termination of all physical or electronic access privileges and removal from work on the contract until such time as the training and documents are complete. The Contractor may use the VA Talent Management System (TMS) Managed Self Enrollment (https://www.tms.va.gov/SecureAuth35/) method to complete the training in TMS. The Contracting Officer Representative shall ensure that all contractors are validated in the PIH domain. Contractor Rules Of Behavior: This User Agreement contains rights and authorizations regarding my access to and use of any information assets or resources associated with my performance of services under the contract terms with the Department of Veterans Affairs (VA). This User Agreement covers my access to all VA data whether electronic or hard copy ("Data"), VA information systems and resources ("Systems"), and VA sites ("Sites"). This User Agreement incorporates Rules of Behavior for using VA, and other information systems and resources under the contract. General Terms and Conditions For All Actions And Activities Under The Contract: a. I understand and agree that I have no reasonable expectation of privacy in accessing or using any VA, or other Federal Government information systems. b. I consent to reviews and actions by the Office of Information & Technology (OI&T) staff designated and authorized by the VA Chief Information Officer (CIO) and to the VA OIG regarding my access to and use of any information assets or resources associated with my performance of services under the contract terms with the VA. These actions may include monitoring, recording, copying, inspecting, restricting access, blocking, tracking, and disclosing to all authorized OI&T, VA, and law enforcement personnel as directed by the VA CIO without my prior consent or notification. c. I consent to reviews and actions by authorized VA systems administrators and Information Security Officers solely for protection of the VA infrastructure, including, but not limited to monitoring, recording, auditing, inspecting, investigating, restricting access, blocking, tracking, disclosing to authorized personnel, or any other authorized actions by all authorized OI&T, VA, and law enforcement personnel. d. I understand and accept that unauthorized attempts or acts to access, upload, change, or delete information on Federal Government systems; modify Federal government systems; deny access to Federal government systems; accrue resources for unauthorized use on Federal government systems; or otherwise misuse Federal government systems or resources are prohibited. e. I understand that such unauthorized attempts or acts are subject to action that may result in criminal, civil, or administrative penalties. This includes penalties for violations of Federal laws including, but not limited to, 18 U.S.C. §1030 (fraud and related activity in connection with computers) and 18 U.S.C. §2701 (unlawful access to stored communications). f. I agree that OI&T staff, in the course of obtaining access to information or systems on my behalf for performance under the contract, may provide information about me including, but not limited to, appropriate unique personal identifiers such as date of birth and social security number to other system administrators, Information Security Officers (ISOs), or other authorized staff without further notifying me or obtaining additional written or verbal permission from me. g. I understand I must comply with VA s security and data privacy directives and handbooks. I understand that copies of those directives and handbooks can be obtained from the Contracting Officer's Technical Representative (COTR). If the contractor believes the policies and guidance provided by the COTR is a material unilateral change to the contract, the contractor must elevate such concerns to the Contracting Officer for resolution. h. I will report suspected or identified information security/privacy incidents to the COTR and to the local ISO or Privacy Officer as appropriate. GENERAL RULES OF BEHAVIOR: a. Rules of Behavior are part of a comprehensive program to provide complete information security. These rules establish standards of behavior in recognition of the fact that knowledgeable users are the foundation of a successful security program. Users must understand that taking personal responsibility for the security of their computer and the information it contains is an essential part of their job. b. The following rules apply to all VA contractors. I agree to: (1) Follow established procedures for requesting, accessing, and closing user accounts and access. I will not request or obtain access beyond what is normally granted to users or by what is outlined in the contract. (2) Use only systems, software, databases, and data which I am authorized to use, including any copyright restrictions. (3) I will not use other equipment (OE) (non-contractor owned) for the storage, transfer, or processing of VA sensitive information without a VA CIO approved waiver, unless it has been reviewed and approved by local management and is included in the language of the contract. If authorized to use OE IT equipment. I must ensure that the system meets all applicable 6500 Handbook requirements for OE. (4) Not use my position of trust and access rights to exploit system controls or access information for any reason other than in the performance of the contract. (5) Not attempt to override or disable security, technical, or management controls unless expressly permitted to do so as an explicit requirement under the contract or at the direction of the COR or ISO. If I am allowed or required to have a local administrator account on a government-owned computer, that local administrative account does not confer me unrestricted access or use, nor the authority to bypass security or other controls except as expressly permitted by the VA CIO or CIO's designee. (6) Contractors use of systems, information, or sites is strictly limited to fulfill the terms of the contract. I understand no personal use is authorized. I will only use other Federal government information systems as expressly authorized by the terms of those systems. I accept that the restrictions under ethics regulations and criminal law still apply. (7) Grant access to systems and information only to those who have an official need to know. (8) Protect passwords from access by other individuals. (9) Create and change passwords in accordance with VA Handbook 6500 on systems and any devices protecting VA information as well as the rules of behavior and security settings for the particular system in question. (10) Protect information and systems from unauthorized disclosure, use, modification, or destruction. I will only use encryption that is FIPS 140-2 validated to safeguard VA sensitive information, both safeguarding VA sensitive information in storage and in transit regarding my access to and use of any information assets or resources associated with my performance of services under the contract terms with the VA. (11) Follow VA Handbook 6500.1, Electronic Media Sanitization to protect VA information. I will contact the COR for policies and guidance on complying with this requirement and will follow the COR s orders. (12) Ensure that the COR has previously approved VA information for public dissemination, including e-mail communications outside of the VA as appropriate. I will not make any unauthorized disclosure of any VA sensitive information through the use of any means of communication including but not limited to e-mail, instant messaging, online chat, and web bulletin boards or logs. (13) Not host, set up, administer, or run an Internet server related to my access to and use of any information assets or resources associated with my performance of services under the contract terms with the VA unless explicitly authorized under the contract or in writing by the COR. (14) Protect government property from theft, destruction, or misuse. I will follow VA directives and handbooks on handling Federal government IT equipment, information, and systems. I will not take VA sensitive information from the workplace without authorization from the COR. (15) Only use anti-virus software, antispyware, and firewall/intrusion detection software authorized by VA. I will contact the COR for policies and guidance on complying with this requirement and will follow the COR's orders regarding my access to and use of any information assets or resources associated with my performance of services under the contract terms with VA. (16) Not disable or degrade the standard anti-virus software, antispyware, and/or firewall/intrusion detection software on the computer I use to access and use information assets or resources associated with my performance of services under the contract terms with VA. I will report anti-virus, antispyware, firewall or intrusion detection software errors, or significant alert messages to the COR. (17) Understand that restoration of service of any VA system is a concern of all users of the system. (18) Complete required information security and privacy training, and complete required training for the particular systems to which I require access. ADDITIONAL CONDITIONS FOR USE OF NON- VA INFORMATION TECHNOLOGY RESOURCES a. When required to complete work under the contract, I will directly connect to the VA network whenever possible. If a direct connection to the VA network is not possible, then I will use VA approved remote access software and services. b. Remote access to non-public VA information technology resources is prohibited from publicly-available IT computers, such as remotely connecting to the internal VA network from computers in a public library. c. I will not have both a VA network line and any kind of non-VA network line including a wireless network card, modem with phone line, or other network device physically connected to my computer at the same time, unless the dual connection is explicitly authorized by the COR. d. I understand that I may not obviate or evade my responsibility to adhere to VA security requirements by subcontracting any work under any given contract or agreement with VA, and that any subcontractor(s) I engage shall likewise be bound by the same security requirements and penalties for violating the same. COMPLETE AT TIME OF AWARD STATEMENT ON LITIGATION: This User Agreement does not and should not be relied upon to create any other right or benefit, substantive or procedural, enforceable by law, by a party to litigation with the United States Government. ACKNOWLEDGEMENT AND ACCEPTANCE: I acknowledge receipt of this User Agreement. I understand and accept all terms and conditions of this User Agreement, and I will comply with the terms and conditions of this agreement and any additional VA warning banners, directives, handbooks, notices, or directions regarding access to or use of information systems or information. The terms and conditions of this document do not supersede the terms and conditions of the signatory s employer and VA. __________________________________ ________________________ Print or type your full name Signature __________________________________ ________________________ Last 4 digits of SSN Date __________________________________ _________________________ Office Phone Position Title __________________________________ Contractor s Company Name Please complete and return the original signed document to the COR within the timeframe stated in the terms of the contract. Additional Security Requirement: HIPAA focused training prior to the performance of the contract and annually thereafter. Training must be completed in VA s TMS system (https://www.tms.va.gov/) or via hard copy training documents. Point-of-Contact: Name: TBD Title: TBD Phone Number: TBD Email: TBD NOTE: THIS NOTICE WAS NOT POSTED TO FEDBIZOPPS ON THE DATE INDICATED IN THE NOTICE ITSELF (11-JUL-2019); HOWEVER, IT DID APPEAR IN THE FEDBIZOPPS FTP FEED ON THIS DATE. PLEASE CONTACT 877-472-3779 or fbo.support@gsa.gov REGARDING THIS ISSUE.
 
Web Link
Link To Document
(https://www.fbo.gov/spg/VA/PiVAMC646/PiVAMC646/36C24419Q0902/listing.html)
 
Record
SN05366650-F 20190713/190711230021 (fbodaily.com)
 
Source
FedBizOpps Link to This Notice
(may not be valid after Archive Date)
FSG Index  |  This Issue's Index  |  Today's FBO Daily Index Page |
ECGrid: EDI VAN Interconnect ECGridOS: EDI Web Services Interconnect API Government Data Publications CBDDisk Subscribers
 Privacy Policy  Jenny in Wanderland!  © 1994-2024, Loren Data Corp.