MODIFICATION
65 -- Extend Close Date & Add CLIN# 24
- Notice Date
- 7/31/2019
- Notice Type
- Modification
- NAICS
- 339112
— Surgical and Medical Instrument Manufacturing
- Contracting Office
- Department of Veterans Affairs;Network Contracting Office 8 (248);Room 315, Bldg. 2;10,000 Bay Pines Blvd;Bay Pines FL 33744
- ZIP Code
- 33744
- Solicitation Number
- 36C24819Q1107
- Response Due
- 8/9/2019
- Archive Date
- 10/8/2019
- Point of Contact
- janice.fornaro@va.gov
- Small Business Set-Aside
- Service-Disabled Veteran-Owned Small Business
- Description
- 5. PROJECT NUMBER (if applicable) CODE 7. ADMINISTERED BY 2. AMENDMENT/MODIFICATION NUMBER CODE 6. ISSUED BY 8. NAME AND ADDRESS OF CONTRACTOR 4. REQUISITION/PURCHASE REQ. NUMBER 3. EFFECTIVE DATE 9A. AMENDMENT OF SOLICITATION NUMBER 9B. DATED PAGE OF PAGES 10A. MODIFICATION OF CONTRACT/ORDER NUMBER 10B. DATED BPA NO. 1. CONTRACT ID CODE FACILITY CODE CODE Offers must acknowledge receipt of this amendment prior to the hour and date specified in the solicitation or as amended, by one of the following methods: The above numbered solicitation is amended as set forth in Item 14. The hour and date specified for receipt of Offers E. IMPORTANT: is extended, (a) By completing Items 8 and 15, and returning __________ copies of the amendment; (b) By acknowledging receipt of this amendment on each copy of the offer submitted; or (c) By separate letter or electronic communication which includes a reference to the solicitation and amendment numbers. FAILURE OF YOUR ACKNOWLEDGMENT TO BE RECEIVED AT THE PLACE DESIGNATED FOR THE RECEIPT OF OFFERS PRIOR TO THE HOUR AND DATE SPECIFIED MAY is not extended. 12. ACCOUNTING AND APPROPRIATION DATA (REV. 11/2016) is required to sign this document and return ___________ copies to the issuing office. is not, A. THIS CHANGE ORDER IS ISSUED PURSUANT TO: (Specify authority) THE CHANGES SET FORTH IN ITEM 14 ARE MADE IN THE CONTRACT ORDER NO. IN ITEM 10A. 15C. DATE SIGNED B. THE ABOVE NUMBERED CONTRACT/ORDER IS MODIFIED TO REFLECT THE ADMINISTRATIVE CHANGES SET FORTH IN ITEM 14, PURSUANT TO THE AUTHORITY OF FAR 43.103(b). RESULT IN REJECTION OF YOUR OFFER. If by virtue of this amendment you desire to change an offer already submitted, such change may be made by letter or electronic communication, provided each letter or electronic communication makes reference to the solicitation and this amendment, and is received prior to the opening hour and date specified. C. THIS SUPPLEMENTAL AGREEMENT IS ENTERED INTO PURSUANT TO AUTHORITY OF: D. OTHER Contractor 16C. DATE SIGNED 14. DESCRIPTION OF AMENDMENT/MODIFICATION 16B. UNITED STATES OF AMERICA Except as provided herein, all terms and conditions of the document referenced in Item 9A or 10A, as heretofore changed, remains unchanged and in full force and effect. 15A. NAME AND TITLE OF SIGNER 16A. NAME AND TITLE OF CONTRACTING OFFICER 15B. CONTRACTOR/OFFEROR STANDARD FORM 30 PREVIOUS EDITION NOT USABLE Prescribed by GSA - FAR (48 CFR) 53.243 (Type or print) (Type or print) (Organized by UCF section headings, including solicitation/contract subject matter where feasible.) (Number, street, county, State and ZIP Code) (If other than Item 6) (Specify type of modification and authority) (such as changes in paying office, appropriation date, etc.) (If required) (SEE ITEM 11) (SEE ITEM 13) (X) CHECK ONE 13. THIS ITEM APPLIES ONLY TO MODIFICATIONS OF CONTRACTS/ORDERS, IT MODIFIES THE CONTRACT/ORDER NO. AS DESCRIBED IN ITEM 14. 11. THIS ITEM ONLY APPLIES TO AMENDMENTS OF SOLICITATIONS AMENDMENT OF SOLICITATION/MODIFICATION OF CONTRACT (Signature of person authorized to sign) (Signature of Contracting Officer) 1 1 0002 07-31-2019 516-19-3-213-0197 None Department of Veterans Affairs Network Contracting Office 8 (248) Room 315, Bldg. 2 10,000 Bay Pines Blvd Bay Pines FL 33744 00516 Department of Veterans Affairs Network Contracting Office 8 (NCO 8) C.W. Bill Young VA Medical Center 10000 Bay Pines Blvd. Room 315, Bldg. 2 Bay Pines FL 33744 To all Offerors/Bidders 36C24819Q1107 07-30-2019 X 516-3690160-213-822400-3131 010040175 X The purpose of this amendment is to change the solicitation response date and add CLIN#24 as follows: 1) Change solicitation close date from 08/02/19 at 2 p.m. eastern standard time (EST) to 08/09/19 at 2 p.m. EST. 2) Add CLIN# 24. Add QTY = 2 Full Disk Encrypition for Lee County location (see attached revised salient characteristics). Janice Fornaro CONTINUATION PAGE Attachment A 36C24819Q1107 Page 21 of 21 Page 21 of 21 STATEMENT OF NEED/SALIENT CHARACTERISTICS Brand Name or Equal Referenced Manufacturer: ScriptPro USA, Inc. Introduction Bay Pines VA Healthcare System (BPVAHCS) and Lee County Healthcare Center (LCHCC) has a requirement to purchase Pharmacy System Equipment from ScriptPro (brand name or equal) identified in Table 1 below. Item(s) are to be delivered and installed to Bay Pines VAHCS and Lee County HCC. This requirement is for a Scriptpro Automated Medication Distribution (Pharmacy) System (or equal) to replace rented ScriptPro systems at Bay pines VAHCS and Lee County HCC. This system will be used by Pharmacy workers to enter, fill, verify, dispense, and track prescriptions for Veterans. All Items requested in this procurement are to be networked and have the ability to be approved for VA use. Unique Qualifications General Salient Characteristics Must have a central workflow system Must offer multiple control stations that integrate with an operator management tool Must support Oupatient, Inpatient, and Controlled Substance(s) Pharmacy that can track and limit user access Must have the ability to interface/communicate with Veterans Health Information Systems & Technology Architecture (VistA) currently in use At minimum software must be compatible with Windows 10 Table 1 Package Items Summary Item Number Item Description QTY SP 200/CCC (6 slot) Bay Pines: Robotic Prescription Dispensing System w/ 6 Slots Collating Control Center 2 SP Central Expanded Platform Bay Pines: SP Central Expanded Platform (w/ 1 SP Central Expanded Server, 1 SP Datapoint) 1 SP Datapoint Bay Pines: Pharmacy Data Terminal 25 SP Printer Bay Pines: Pharmacy Printer 20 Notice Board Bay Pines: Prescription Notification Board 2 Scanner Bay Pines: Wireless Bar Code Scanner 7 Electronic Signature Bay Pines: Electronic Signature Device 7 Robotic Cell Multiplexor Bay Pines: Robotic Cell Multiplexor for SPx00 Robots 4 Virus Protection Bay Pines: Virus Protection (Platform System) 1 Full Disk Encryption Bay Pines: Full Disk Encryption (per covered Server Computer) 2 Eyecon Bay Pines: Eyecon Model 9420 4 Standard Interface Bay Pines: Standard Interface (Eyecon) 1 SP Dual Series Interface Controller Bay Pines: SP Dual Series Interface Controller 3 SP 200/CCC LCHCC: Robotic Prescription Dispensing System w/ Collating Control Center 1 SP Central Expanded Platform LCHCC: SP Central Expanded Platform (w/ 1 SP central Expanded Server, 1 SP Datapoint) 1 SP Datapoint LCHCC: Pharmacy Data Terminal 13 SP Printer LCHCC: Pharmacy Printer 11 Notice Board LCHCC: Prescription Notification Board 1 Notice Board XL LCHCC: Prescription Notification Board XL 1 Scanner LCHCC: Wireless Bar Code Scanner 3 Electronic Signature LCHCC: Electronic Signature Device 3 Virus Protection LCHCC: Virus Protection Interface Upgrade (Platform System) 1 Full Disk Encryption LCHCC: Full Disk Encryption (per covered Server Computer) 2 All Installation 1 General Conditions Site Address The address of the BPVAHCS and LCHCC are provided below. Further information on delivery is located in section 2.4. Bay Pines VA Healthcare System 10000 Bay Pines Bvld. Bldg. 110 Warehouse Bay Pines, FL 33744 Lee County Healthcare Center 2489 Diplomat Pkwy E Cape Coral, FL 33909 Delivery Schedule Table 2 Anticipated Building Outfitting Schedule Building Name Building # Est. Delivery Start Date Bay Pines VAHCS Various 11/15/2019 Bay Pines VAHCS Various 11/15/2019 Lee County HCC Various 11/15/2019 Schedule and Order Management The vendor shall not increase prices for a change in delivery date. The awardees actual delivery dates will be confirmed by VA upon award. Post-award the vendor will coordinate delivery prior to beginning any work (see section 2.4). Once the dates have been confirmed, modifications to the schedule are subject to written approval by the Point of Contact (POC) and the vendor. Schedule changes that are beyond the dates specified in the contract will require approval by the Contracting Officer and a contract modification. Delivery and Receiving Delivery and acceptance is to be F.O.B. Destination (FAR 52.247-37). Delivery and receipt of the proposed items is anticipated to be directed to the location identified below. Confirmation of delivery location will be provided post-award. To coordinate delivery, contact Government POC Kokkheang Lim at (727) 398-6661 x10011, Kokkheang.Lim2@va.gov and Jacob Bartush at (727) 398-6661 x10590, Jacob.Bartush@va.gov. Bay Pines VA Heatlhcare System (Direct Delivery to address detailed in paragraph 2.1.1) Lee County Healthcare Center (Direct Delivery to address detailed in paragraph 2.1.1) The delivery of items identified in this document shall take place during normal business hours which are defined as: 0800 to 1630 (i.e.: 8:00am to 4:30pm), Monday through Friday, and excluding Federal Holidays. Delivery trucks will not be permitted to remain at the loading dock. Trucks shall be unloaded, moved from the dock, and then brought back to the dock if required to haul out any waste, tools, or excess materials. Labeling of delivered items shall include the VA facilities contract number and VA purchase order number for identification and reference upon receipt of product. Use of Warehouse If the vendor requires the use of the Government s warehouse to meet the requirements of this contract the vendor must provide a certificate of insurance prior to the delivery and offloading of the item(s). This insurance certificate must be completed and presented to the Contracting Officer Representative prior to delivery. The vendor shall communicate through the VA POC for any coordination requirements. Clean Up and Disposal There are no dumpsters available for vendor use. The removal of waste and/or excess material shall be conducted through the loading dock area. Deliverables The vendor shall provide a completed 6550 form with submittal documents for any and all item(s) that may connect to the VA network and medical devices that store sensitive patient information. Assembly and Installation The vendor is required to manage and coordinate installation at the Bay Pines VAHCS and Lee County HCC with the POC. On-site assembly and installation of items, and performance of services identified in this document shall take place during normal business hours which are defined as: 0800 to 1630 (i.e.: 8:00am to 4:30pm), Monday through Friday, and excluding Federal Holidays. The vendor is required to define the need for a staging area to accommodate item assembly and installation, if needed. Post-award, this information will be confirmed with the vendor. The vendor is required to provide tools, labor and materials to complete assembly and installation of the items detailed in this document. The vendor shall protect all finished spaces and surfaces as required from delivery and installation damage. The vendor shall use covering and protection to the extent necessary to prevent damage to finished spaces. Any damage occurred during delivery and installation is the responsibility of the vendor. The vendor will be responsible for paying for and repairing any damage or noted deficiencies to finished spaces and surfaces that occur as a result of the vendor s (or associated sub-contractors) installation. During the entire duration of assembly and installation, the vendor will have a competent representative on-site as the vendor s contact, and to serve as the interface between the vendor and BPVAHCS and LCHCC. On-site representative can be the installer. All instructions provided from the POC to the representative will be binding as if given to the vendor s main contact. The POC may provide specific instructions, however, only the Contracting Officer may change the terms or conditions of the contract. Training The vendor shall provide end-user training for routine operation and maintenance, fault/alarm identification and response, and basic trouble-shooting, at a minimum. Training format may be hands-on, pre-recorded, internet based and/or O&M manual based. Training must be coordinated with the VA POC prior to installation or first use of equipment. For on-site, vendor conducted training, the vendor will document the training and provide a copy of all training materials to the VA POC. Documentation may be up to and including video of training session conducted on site. The vendor shall provide service training, if required by item, up to and including preventive maintenance, diagnostics and repair. Training shall be completed within 45 days after final installation of equipment or as directed by the VA. The vendor will document the training and provide a copy of the training materials to the VA POC. Bay Pines VA Healthcare System SP 200/CCC (6 slot) 10000 Bay Pines Blvd. Bay Pines, FL 33744 Project: Bay Pines VAHCS Total Quantity: 2 (BP) & 1 (LC) Finish Sample Required if Checked Manufacturer Certified Installation Required if Checked BMET Training Required if Checked End User Training Required if Checked Item Name: Dispenser, Medication, Robotic (6 slot) Salient Characteristics: System must support up to at least 200 medication dispensing cells Must have the ability to fill up to at least 150 multiple sized vials per hour Must have the ability to dispense tablets and capsules of all shapes and sizes into pharmacy vials No drug cross-contamination during vial filling or cell replenishment medication travels from dispensing cell to vial System must use a computer controlled robotic arm to fill vials directly from medication dispensing cells Must be a floor standing unit Must have four (4) Robotic Cell Multiplexor Must have an Ethernet connection Must provide virus protection (platform system) Must have full disk encryption (per covered server computer) Prescription vials must not be capped after being dispensed to allow Pharmacists to check medications before they can be signed off in order to catch technical errors that could result in medication errors Bay Pines VA Healthcare System SP Central Expanded Platform 10000 Bay Pines Blvd. Bay Pines FL, 33744 Project: Bay Pines VAHCS & Lee County HCC Total Quantity: 1 (BP) & 1 (LC) Finish Sample Required if Checked Manufacturer Certified Installation Required if Checked BMET Training Required if Checked End User Training Required if Checked Item Name: Sp Central Exapnded Platform Salient Characteristics: 1 SP Central Expanded Server 1 SP Datapoint Bay Pines VA Healthcare System SP Datapoint 10000 Bay Pines Blvd. Bay Pines, FL 33744 Project: Bay Pines VAHCS & Lee County HCC Total Quantity: 25 (BP) & 13 (LC) Finish Sample Required if Checked Manufacturer Certified Installation Required if Checked BMET Training Required if Checked End User Training Required if Checked Item Name: SP Datapoint Pharmacy Data Terminal (Data Management Workstation for Pharmacy Robot System) Salient Characteristics: Must be a compact, interactive countertop unit Must allow pharmacy workers to enter, fill, verify, dispense and track prescriptions Must provide touchscreen monitor, keyboard, mouse and Charge Coupled Device (CCD) barcode scanner included Must have the capability to print Federal Food and Drug Administration (FDA) required medication guides quickly; essential for VA pharmacy compliance Bay Pines VA Healthcare System SP Printer 10000 Bay Pines Blvd. Bay Pines, FL 33744 Project: Bay Pines VAHCS & Lee County HCC Total Quantity: 20 (BP) & 11 (LC) Finish Sample Required if Checked Manufacturer Certified Installation Required if Checked BMET Training Required if Checked End User Training Required if Checked Item Name: Printer, Label, Barcode (SP Printer- Pharmacy Printer) Salient Characteristics: Must produce high quality direct thermal prescription labels Must Interface with software to ensure the user scans the correct product code before printing the prescription label Must integrate with United Parcel Service (UPS) Model 2D barcode. Bay Pines VA Healthcare System Notice Board and Notice Board XL 10000 Bay Pines Blvd. Bay Pines, FL 33744 Project: Bay Pines VAHCS & Lee County HCC Total Quantity: 2 (BP) & 2 (LC) Finish Sample Required if Checked Manufacturer Certified Installation Required if Checked BMET Training Required if Checked End User Training Required if Checked Item Name: Board, Notification, Electronic Salient Characteristics: Must provide monitors (message boards) displaying patient name and status located in lobby areas to alert patients that prescriptions are ready for pickup 30 42 flat panel Monitors must come with wall mounts The monitor must be connected to VA current software system which automatically updates board once final step in prescription filling is completed Bay Pines VA Healthcare System Scanner 10000 Bay Pines Blvd. Bay Pines, FL 33744 Project: Bay Pines VAHCS & Lee County HCC Total Quantity: 7 (BP) & 3 (LC) Finish Sample Required if Checked Manufacturer Certified Installation Required if Checked BMET Training Required if Checked End User Training Required if Checked Item Name: Reader, Bar Code, Hand Held, with Interface Salient Characteristics: Wireless scanner shall interface with manufacturers system Must have the ability to scan all pharmaceutical drugs and supply items or consumables such as catheters, syringes, tubing, etc. Must capture patients signature when drug is released. Must capture VA patient ID card to identify patient Bay Pines VA Healthcare System Electric Signature 10000 Bay Pines Blvd. Bay Pines, FL 33744 Project: Bay Pines VAHCS & Lee County HCC Total Quantity: 7 (BP) & 3 (LC) Finish Sample Required if Checked Manufacturer Certified Installation Required if Checked BMET Training Required if Checked End User Training Required if Checked Item Name: Signature Pad, Electronic Salient Characteristics: Must have an electronic signature pad with attached stylus Must electronically capture the signature of anyone picking up a prescription Must interface with central system to store and track who was the receiver of medications Shall plug into a computer via USB Bay Pines VA Healthcare System Eyecon 10000 Bay Pines Blvd. Bay Pines, FL 33744 Project: Bay Pines VAHCS Total Quantity: 4 Finish Sample Required if Checked Manufacturer Certified Installation Required if Checked BMET Training Required if Checked End User Training Required if Checked Item Name: 9420, Eyecon Salient Characteristics: (1) Standard Interface (3) SP Dual Series Interface Controller Must have the ability to physically and visually view controlled substance medications (capsules or tablets) to decrease errors and improve accuracy and to recognize broken medications or foreign matter Must not have hidden compartments so Pharmacists can visually see medications at all times Must provide a method of cleaning that elimates cross-contamination VA INFORMATION AND INFORMATION SYSTEM SECURITY/PRIVACY LANGUAGE Records Management Language for Contracts (NARA) The following standard items relate to records generated in executing the contract and should be included in a typical Electronic Information Systems (EIS) procurement contract: 1. Citations to pertinent laws, codes and regulations such as 44 U.S.C chapters 21, 29, 31 and 33; Freedom of Information Act (5 U.S.C. 552); Privacy Act (5 U.S.C. 552a); 36 CFR Part 1222 and Part 1228. 2. Contractor shall treat all deliverables under the contract as the property of the U.S. Government for which the Government Agency shall have unlimited rights to use, dispose of, or disclose such data contained therein as it determines to be in the public interest. 3. Contractor shall not create or maintain any records that are not specifically tied to or authorized by the contract using Government IT equipment and/or Government records. 4. Contractor shall not retain, use, sell, or disseminate copies of any deliverable that contains information covered by the Privacy Act of 1974 or that which is generally protected by the Freedom of Information Act. 5. Contractor shall not create or maintain any records containing any Government Agency records that are not specifically tied to or authorized by the contract. 6. The Government Agency owns the rights to all data/records produced as part of this contract. 7. The Government Agency owns the rights to all electronic information (electronic data, electronic information systems, electronic databases, etc.) and all supporting documentation created as part of this contract. Contractor must deliver sufficient technical documentation with all data deliverables to permit the agency to use the data. 8. Contractor agrees to comply with Federal and Agency records management policies, including those policies associated with the safeguarding of records covered by the Privacy Act of 1974. These policies include the preservation of all records created or received regardless of format [paper, electronic, etc.] or mode of transmission [e-mail, fax, etc.] or state of completion [draft, final, etc.]. 9. No disposition of documents will be allowed without the prior written consent of the Contracting Officer. The Agency and its contractors are responsible for preventing the alienation or unauthorized destruction of records, including all forms of mutilation. Willful and unlawful destruction, damage or alienation of Federal records is subject to the fines and penalties imposed by 18 U.S.C. 2701. Records may not be removed from the legal custody of the Agency or destroyed without regard to the provisions of the agency records schedules. 10. Contractor is required to obtain the Contracting Officer's approval prior to engaging in any contractual relationship (sub-contractor) in support of this contract requiring the disclosure of information, documentary material and/or records generated under, or relating to, this contract. The Contractor (and any sub-contractor) is required to abide by Government and Agency guidance for protecting sensitive and proprietary information. GENERAL Contractors, contractor personnel, subcontractors, and subcontractor personnel shall be subject to the same Federal laws, regulations, standards, and VA Directives and Handbooks as VA and VA personnel regarding information and information system security. ACCESS TO VA INFORMATION AND VA INFORMATION SYSTEMS a. A contractor/subcontrator shall request logical (technical) or physical access to VA information and VA information systems for their employees, subcontractors, and affiliates only to the extent necessary to perform the services specified in the contract, agreement, or task order. b. All contractors, subcontractors, and third-party servicers and associates working with VA information are subject to the same investigative requirements as those of VA appointees or employees who have access to the same types of information. The level and process of background security investigations for contractors must be in accordance with VA Directive and Handbook 0710, Personnel Suitability and Security Program. The Office for Operations, Security, and Preparedness is responsible for these policies and procedures. c. Contract personnel who require access to national security programs must have a valid security clearance. National Industrial Security Program (NISP) was established by Executive Order 12829 to ensure that cleared U.S. defense industry contract personnel safeguard the classified information in their possession while performing work on contracts, programs, bids, or research and development efforts. The Department of Veterans Affairs does not have a Memorandum of Agreement with Defense Security Service (DSS). Verification of a Security Clearance must be processed through the Special Security Officer located in the Planning and National Security Service within the Office of Operations, Security, and Preparedness. d. Custom software development and outsourced operations must be located in the U.S. to the maximum extent practical. If such services are proposed to be performed abroad and are not disallowed by other VA policy or mandates, the contractor/subcontractor must state where all non-U.S. services are provided and detail a security plan, deemed to be acceptable by VA, specifically to address mitigation of the resulting problems of communication, control, data protection, and so forth. Location within the U.S. may be an evaluation factor. e. The contractor or subcontractor must notify the Contracting Officer immediately when an employee working on a VA system or with access to VA information is reassigned or leaves the contractor or subcontractor s employ. The Contracting Officer must also be notified immediately by the contractor or subcontractor prior to an unfriendly termination. VA INFORMATION CUSTODIAL LANGUAGE Information made available to the contractor or subcontractor by VA for the performance or administration of this contract or information developed by the contractor/subcontractor in performance or administration of the contract shall be used only for those purposes and shall not be used in any other way without the prior written agreement of the VA. This clause expressly limits the contractor/subcontractor's rights to use data as described in Rights in Data - General, FAR 52.227-14(d) (1). b. The contractor/subcontractor shall not make copies of VA information except as authorized and necessary to perform the terms of the agreement or to preserve electronic information stored on contractor/subcontractor electronic storage media for restoration in case any electronic equipment or data used by the contractor/subcontractor needs to be restored to an operating state. If copies are made for restoration purposes, after the restoration is complete, the copies must be appropriately destroyed. c. If VA determines that the contractor has violated any of the information confidentiality, privacy, and security provisions of the contract, it shall be sufficient grounds for VA to withhold payment to the contractor or third party or terminate the contract for default or terminate for cause under Federal Acquisition Regulation (FAR) part 12. d. The contractor/subcontractor must store, transport, or transmit VA sensitive information in an encrypted form, using VA-approved encryption tools that are, at a minimum, FIPS 140-2 validated. e. Except for uses and disclosures of VA information authorized by this contract for performance of the contract, the contractor/subcontractor may use and disclose VA information only in two other situations: (i) in response to a qualifying order of a court of competent jurisdiction, or (ii) with VA s prior written approval. The contractor/subcontractor must refer all requests for, demands for production of, or inquiries about, VA information and information systems to the VA contracting officer for response. f. Notwithstanding the provision above, the contractor/subcontractor shall not release VA records protected by Title 38 U.S.C. 5705, confidentiality of medical quality assurance records and/or Title 38 U.S.C. 7332, confidentiality of certain health records pertaining to drug addiction, sickle cell anemia, alcoholism or alcohol abuse, or infection with human immunodeficiency virus. If the contractor/subcontractor is in receipt of a court order or other requests for the above-mentioned information, that contractor/subcontractor shall immediately refer such court orders or other requests to the VA contracting officer for response. 4. INFORMATION SYSTEM DESIGN AND DEVELOPMENT a. Information systems that are designed or developed for or on behalf of VA at non-VA facilities shall comply with all VA directives developed in accordance with FISMA, HIPAA, NIST, and related VA security and privacy control requirements for Federal information systems. This includes standards for the protection of electronic PHI, outlined in 45 C.F.R. Part 164, Subpart C, information and system security categorization level designations in accordance with FIPS 199 and FIPS 200 with implementation of all baseline security controls commensurate with the FIPS 199 system security categorization (reference Appendix D of VA Handbook 6500, VA Information Security Program). During the development cycle a Privacy Impact Assessment (PIA) must be completed, provided to the COTR, and approved by the VA Privacy Service in accordance with Directive 6507, VA Privacy Impact Assessment. 6. SECURITY INCIDENT INVESTIGATION a. The term security incident means an event that has, or could have, resulted in unauthorized access to, loss or damage to VA assets, or sensitive information, or an action that breaches VA security procedures. The contractor/subcontractor shall immediately notify the COTR and simultaneously, the designated ISO and Privacy Officer for the contract of any known or suspected security/privacy incidents, or any unauthorized disclosure of sensitive information, including that contained in system(s) to which the contractor/subcontractor has access. b. To the extent known by the contractor/subcontractor, the contractor/subcontractor s notice to VA shall identify the information involved, the circumstances surrounding the incident (including to whom, how, when, and where the VA information or assets were placed at risk or compromised), and any other information that the contractor/subcontractor considers relevant. c. With respect to unsecured protected health information, the business associate is deemed to have discovered a data breach when the business associate knew or should have known of a breach of such information. Upon discovery, the business associate must notify the covered entity of the breach. Notifications need to be made in accordance with the executed business associate agreement. d. In instances of theft or break-in or other criminal activity, the contractor/subcontractor must concurrently report the incident to the appropriate law enforcement entity (or entities) of jurisdiction, including the VA OIG and Security and Law Enforcement. The contractor, its employees, and its subcontractors and their employees shall cooperate with VA and any law enforcement authority responsible for the investigation and prosecution of any possible criminal law violation(s) associated with any incident. The contractor/subcontractor shall cooperate with VA in any civil litigation to recover VA information, obtain monetary or other compensation from a third party for damages arising from any incident, or obtain injunctive relief against any third party arising from, or related to, the incident. 7. LIQUIDATED DAMAGES FOR DATA BREACH a. Consistent with the requirements of 38 U.S.C. §5725, a contract may require access to sensitive personal information. If so, the contractor is liable to VA for liquidated damages in the event of a data breach or privacy incident involving any SPI the contractor/subcontractor processes or maintains under this contract. b. The contractor/subcontractor shall provide notice to VA of a security incident as set forth in the Security Incident Investigation section above. Upon such notification, VA must secure from a non-Department entity or the VA Office of Inspector General an independent risk analysis of the data breach to determine the level of risk associated with the data breach for the potential misuse of any sensitive personal information involved in the data breach. The term 'data breach' means the loss, theft, or other unauthorized access, or any access other than that incidental to the scope of employment, to data containing sensitive personal information, in electronic or printed form, that results in the potential compromise of the confidentiality or integrity of the data. Contractor shall fully cooperate with the entity performing the risk analysis. Failure to cooperate may be deemed a material breach and grounds for contract termination. c. Each risk analysis shall address all relevant information concerning the data breach, including the following: (1) Nature of the event (loss, theft, unauthorized access); (2) Description of the event, including: (a) date of occurrence; (b) data elements involved, including any PII, such as full name, social security number, date of birth, home address, account number, disability code; (3) Number of individuals affected or potentially affected; (4) Names of individuals or groups affected or potentially affected; (5) Ease of logical data access to the lost, stolen or improperly accessed data in light of the degree of protection for the data, e.g., unencrypted, plain text; (6) Amount of time the data has been out of VA control; (7) The likelihood that the sensitive personal information will or has been compromised (made accessible to and usable by unauthorized persons); (8) Known misuses of data containing sensitive personal information, if any; (9) Assessment of the potential harm to the affected individuals; (10) Data breach analysis as outlined in 6500.2 Handbook, Management of Security and Privacy Incidents, as appropriate; and (11) Whether credit protection services may assist record subjects in avoiding or mitigating the results of identity theft based on the sensitive personal information that may have been compromised. d. Based on the determinations of the independent risk analysis, the contractor shall be responsible for paying to the VA liquidated damages in the amount of $31.95 per affected individual to cover the cost of providing credit protection services to affected individuals consisting of the following: (1) Notification; (2) One year of credit monitoring services consisting of automatic daily monitoring of at least 3 relevant credit bureau reports; (3) Data breach analysis; (4) Fraud resolution services, including writing dispute letters, initiating fraud alerts and credit freezes, to assist affected individuals to bring matters to resolution; (5) One year of identity theft insurance with $20,000.00 coverage at $0 deductible; and (6) Necessary legal expenses the subjects may incur to repair falsified or damaged credit records, histories, or financial affairs. 9. TRAINING a. All contractor employees and subcontractor employees requiring access to VA information and VA information systems shall complete the following before being granted access to VA information and its systems: (1) Sign and acknowledge (either manually or electronically) understanding of and responsibilities for compliance with the Contractor Rules of Behavior, Appendix E relating to access to VA information and information systems; (2) Successfully complete the VA Cyber Security Awareness and Rules of Behavior training and annually complete required security training; (3) Successfully complete the appropriate VA privacy training and annually complete required privacy training; and (4) Successfully complete any additional cyber security or privacy training, as required for VA personnel with equivalent information system access [to be defined by the VA program official and provided to the contracting officer for inclusion in the solicitation document e.g., any role-based information security training required in accordance with NIST Special Publication 800-16, Information Technology Security Training Requirements.] b. The contractor shall provide to the contracting officer and/or the COTR a copy of the training certificates and certification of signing the Contractor Rules of Behavior for each applicable employee within 1 week of the initiation of the contract and annually thereafter, as required. c. Failure to complete the mandatory annual training and sign the Rules of Behavior annually, within the timeframe required, is grounds for suspension or termination of all physical or electronic access privileges and removal from work on the contract until such time as the training and documents are complete. NOTE: THIS NOTICE WAS NOT POSTED TO FEDBIZOPPS ON THE DATE INDICATED IN THE NOTICE ITSELF (31-JUL-2019); HOWEVER, IT DID APPEAR IN THE FEDBIZOPPS FTP FEED ON THIS DATE. PLEASE CONTACT 877-472-3779 or fbo.support@gsa.gov REGARDING THIS ISSUE.
- Web Link
-
Link To Document
(https://www.fbo.gov/spg/VA/BPVAMC/VAMCCO80220/36C24819Q1107/listing.html)
- Place of Performance
- Address: C.W. Bill yound VA Medical Center;10,000 Bay Pines Boulevard;Bay Pines, FL
- Zip Code: 33744
- Country: USA
- Zip Code: 33744
- Record
- SN05388201-F 20190802/190731230111 (fbodaily.com)
- Source
-
FedBizOpps Link to This Notice
(may not be valid after Archive Date)
| FSG Index | This Issue's Index | Today's FBO Daily Index Page |