Loren Data's SAM Daily™

fbodaily.com
SAMDAILY.US - ISSUE OF JUNE 04, 2020 SAM #6762
SOLICITATION NOTICE

R -- NEW - Medication Data Surveillance Project

Notice Date
6/2/2020 9:22:33 AM
 
Notice Type
Presolicitation
 
NAICS
54171 — Research and Development in the Physical, Engineering, and Life Sciences
 
Contracting Office
CDC Office of Financial Resources Atlanta GA 30329 USA
 
ZIP Code
30329
 
Solicitation Number
75D301-20-Q-71898
 
Response Due
6/10/2020 10:00:00 AM
 
Archive Date
06/25/2020
 
Point of Contact
Violet Crawford, Phone: 770-488-1906; Jerry Outley, Phone: 770-488-2831
 
E-Mail Address
ycf1@cdc.gov, jmo4@cdc.gov
 
Description
The objective of this work is to provide the most recent data available from the Integrated Dataverse® (IDV) to allow the continued surveillance of CVD prescription medication fills. Data will be shared with the American Medical Association (AMA) after a data use agreement between AMA and Source Healthcare Analytics is approved and signed by both parties.

SCOPE OF WORK
The contractor shall provide the following data from the Integrated Dataverse® (IDV) for 2019. The contractor shall provide stratified national, 50 state and District of Columbia, and 10 Core Based Statistical Area (CBSA) antihypertensive, statin and cardiovascular prescription fill trend data for the full year of 2019 as outlined in the parameters below.

Parameters:
Data Source: The services will be provided from the Integrated Dataverse® (IDV) repository.
Time Period: January 2019 through December 2019.
Channel: Retail projected; Mail order projected; Mail order unprojected.
Patient Gender: Male; Female.
Patient Age Groups: Age groups segmented as follows: <8; 8-11; 12-17; 18-34; 35-44; 45-54; 55-64; 65-74; 75+; Unknown.
Prescriber Specialty: Results segmented by prescriber specialty (including by SPECIALTY_DESC and SPECIALTY_CODE).
Brand/Generic Segmentation: Branded; Generic.
Prescription Type: New; Refill; Total.
Payment Type: Commercial; Medicare; Managed Medicaid; Assistance; Cash; Medicaid.

National, State & CBSA Data (# / USC5_CODE / USC5_NAME):
1  11131  CYCLOOXYGENASE INHIBITORS, ALONE/COMB
2  11132  ADENOSINE RECEPTOR ANTAG, ALONE/COMB
3  11133  GLYCOPROTEIN INHIBITORS, ALONE/COMB
4  11134  PAR-1 ANTAGONISTS, ALONE/COMBINATIONS
5  11139  PLATELET INHIBITORS, OTHER
6  31110  ANGIOTENSIN CONVERTING ENZYME INHIBITORS
7  31111  ACE INHIBITORS, ALONE
8  31112  ACE INHIBITORS WITH DIURETICS
9  31118  ACE INHIBITORS OTHER
10 31120  ANGIOTENSIN II ANTAGONIST
11 31121  ANGIOTENSIN II ANTAGONIST, ALONE
12 31122  ANGIOTENSIN II ANTAGONIST, WITH DIURETIC
13 31123  ANGIOTENSIN II ANTAGONIST, WITH CCB
14 31124  ANGIOTENSIN II ANTAG, WITH CCB & DIURETIC
15 31129  ANGIOTENSIN II ANTAGONIST, WITH OTHER
16 31130  SELECTIVE ALDOSTERONE RECEPTOR INHIBITOR
17 31141  DIRECT RENIN INHIBITORS, ALONE
18 31142  DIRECT RENIN INHIBITORS WITH DIURETIC
19 31149  DIRECT RENIN INHIBITORS, OTHER
20 31200  PERIPHERAL VASODILATORS
21 31300  CALCIUM CHANNEL BLOCKERS
22 31410  BETA BLOCKERS
23 31420  ALPHA-BETA BLOCKERS
24 31430  BETA/ALPHA-BETA BLOCKER WITH DIURETICS
25 31440  ALPHA BLOCKERS ALONE OR COMBINATIONS
26 31450  CENTRALLY ACTING AGENTS, ALONE OR COMBOS
27 31800  VASCULAR/ANTIHYPERLIPIDEMIC COMBINATION
28 31900  ANTIHYPERTENSIVE, OTHER
29 32110  HMG-COA REDUCTASE INHIBITORS
30 32112  CHOLESTEROL REDUCERS, OTHERS
31 32120  BILE ACID SEQUESTRANTS
32 32130  FIBRIC ACID DERIVATIVES
33 32140  CHOLESTEROL ABSORPTION INHIBITORS
34 32150  PCSK9 INHIBITORS
35 32180  CHOLESTEROL REDUCER COMBINATIONS
36 32190  CHOLESTEROL REDUCERS, OTHER
37 32200  LIPOTROPICS
38 32900  ANTIHYPERLIPIDEMIC AGENTS, OTHER
39 39269  DPP-4 INHIBITOR COMBINATION, OTHER
40 41100  DIURETICS
41 41110  DIURETICS, THIAZIDE AND RELATED
42 41120  DIURETICS, LOOP
43 41130  DIURETICS, POTASSIUM SPARING
44 41140  DIURETICS, COMBINATIONS
45 41190  DIURETICS, OTHER
46 69000  SMOKING DETERRENTS
47 69200  SMOKING DETERRENTS, OTC

Market Definition: Reported at the Blue Book USC Level for National, State and CBSA Data. Reported at the select molecule level for Ambiguous and Sentinel Data.

Sentinel Medication List (Molecule): AMLODIPINE; ATENOLOL; CHLORTHALIDONE; HYDROCHLOROTHIAZIDE; LISINOPRIL; LOSARTAN; SIMVASTATIN; SPIRONOLACTONE.

Geography: National, State and CBSA Level for 10 select CBSAs (# / CBSA Description):
1  Atlanta-Sandy Springs-Marietta, GA
2  Baltimore-Towson, MD
3  Chicago-Joliet-Naperville, IL-IN-WI
4  Dallas-Fort Worth-Arlington, TX
5  Denver-Aurora-Broomfield, CO
6  Memphis, TN-MS-AR
7  Minneapolis-St. Paul-Bloomington, MN-WI
8  New York-Northern New Jersey-Long Island, NY-NJ
9  Philadelphia-Camden-Wilmington, PA-NJ-DE-MD
10 San Diego-Carlsbad-San Marcos, CA

SECTION 4 - TASKS TO BE PERFORMED
Data is provided for CY 2019 below:
1. Drug Dimension/Crosswalk file (drug and molecule levels). Field names: NDC, USC2_CODE, USC2_NAME, USC3_CODE, USC3_NAME, USC4_CODE, USC4_NAME, USC5_CODE, USC5_NAME, PRODUCT, MOLECULE, STRENGTH, FORM, INGREDIENT_NBR, INGREDIENT, PACKAGE, BRAND_GENERIC, RX_STATUS, PRODUCT_DATE, PRODUCT_END_DATE, ACTIVITY_IND, CORPORATION, MANUFACTURER, ATC1 ID, ATC1 NAME, ATC2 ID, ATC2 NAME, ATC3 ID, ATC3 NAME, ATC4 ID, ATC4 NAME.
2. State level fill rates by medication class and sub-class that can be aggregated at the US national level.
3. Select CBSA geography medication fill rates by medication class and sub-class.

Layout for Items 2-3 above (COLUMN NAME: NOTE):
STATE/CBSA_CODE: State or CBSA Code or National
CBSA_DESC: ONLY in CBSA Table
USC_CODE: BLUE BOOK USC CODE
USC_NAME: BLUE BOOK USC NAME
CHANNEL: Retail/Mail Order Proj/Mail Order UnProj
SPECIALTY_CODE: Specialty Code, w/ NP: or PA: prefix for Nurse Practitioners or Physician Assistants
SPECIALTY_DESC: Specialty Description
PATIENT_GENDER: Female/Male
PATIENT_AGE: <8/8-11/12-17/18-34/35-44/45-54/55-64/65-74/75+/UNK
BRAND_GENERIC: Generic/Brand
PAY_TYPE: COMMERCIAL/MEDICARE PAYMENT/MANAGED MEDICAID PAYMENT/ASSISTANCE PROGRAMS/CASH PAYMENT/MEDICAID PAYMENT
YEAR: 2019
QUARTER: 1/2/3/4
VALID_RX_PRICE: 1/0; 1 if TOTAL_RX_PRICE consists of both PLAN_PAY and PATIENT_PAY being not null, for improved calculation of averages
NEW_FILLS: New Claim Count
REFILLS: Refill Claim Count
TOTAL_FILLS: Total Claim Count
TOTAL_PTNT_PAY: Total Price paid by PATIENT
TOTAL_FILLS_PTNT_PAY_UNK: Claim Count where PTNT_PAY is NULL
TOTAL_FILLS_PTNT_PAY_ZERO: Claim Count where PTNT_PAY = 0
TOTAL_FILLS_PTNT_PAY_LOW: Claim Count where PTNT_PAY greater than 0 and less than or equal to 5
TOTAL_RX_AMOUNT: Total Pill Quantity
TOTAL_RX_PRICE: Total Price paid by Final Plan + Patient Pay
TOTAL_FILLS_PLAN_AND_PTNT_UNK: Claim Count where PLAN_PAY AND PTNT_PAY is NULL
TOTAL_FILLS_PLAN_OR_PTNT_UNK: Claim Count where PLAN_PAY OR PTNT_PAY is NULL
TOTAL_FILLS_PLAN_UNK: Claim Count where PLAN_PAY is NULL
TOTAL_FILLS_PTNT_UNK: Claim Count where PTNT_PAY is NULL
THERAPY_DAYS: Total Days' Supply
Perc_Max_Dose: Percentage of maximum dosage (the mean percentage of the maximum dosage for each medication filled within the USC5 classification; e.g., a 10 mg fill within a medication type having a maximum dosage of 50 mg would equate to 20% of max dosage)

4. Sentinel medication fill rates. Layout (COLUMN NAME: NOTE):
GENERIC_NAME: List of eight sentinel medications
STRENGTH: Categorical variable with multiple groupings. Categories depend on the medication and will be determined after the final crosswalk file is provided. Total number of fills in each dosage category.
FORM: Drug Form
COMBINATION: Fixed dose pill (combination) or single medication (plain)
STATE: State Code
USC_CODE through THERAPY_DAYS: the same columns and notes as the layout for Items 2-3 above (USC_CODE, USC_NAME, CHANNEL, SPECIALTY_CODE, SPECIALTY_DESC, PATIENT_GENDER, PATIENT_AGE, BRAND_GENERIC, PAY_TYPE, YEAR, QUARTER, VALID_RX_PRICE, NEW_FILLS, REFILLS, TOTAL_FILLS, TOTAL_PTNT_PAY, TOTAL_FILLS_PTNT_PAY_UNK, TOTAL_FILLS_PTNT_PAY_ZERO, TOTAL_FILLS_PTNT_PAY_LOW, TOTAL_RX_AMOUNT, TOTAL_RX_PRICE, TOTAL_FILLS_PLAN_AND_PTNT_UNK, TOTAL_FILLS_PLAN_OR_PTNT_UNK, TOTAL_FILLS_PLAN_UNK, TOTAL_FILLS_PTNT_UNK, THERAPY_DAYS). Perc_Max_Dose is not part of this table.

SECTION 5 - GOVERNMENT FURNISHED MATERIALS
Not Applicable.

SECTION 6 - PERIOD OF PERFORMANCE
Contract Period of Performance is as follows: September 1, 2020 to January 31, 2021. The Services will be a one-time deliverable delivered to the Client contact (COR) via SFTP.

SECTION 7 - DELIVERABLES/REPORTING SCHEDULE
(Task No. / Milestone/Deliverable / Deliverable / Deliverable Due Date / Deliver to)
1 / Drug Dimension/Crosswalk file (drug and molecule levels) / SAS Dataset/Excel Spreadsheet / October 1, 2020 / COR
2 / State level fill rates by medication class and sub-class that can be aggregated at the national level / SAS Dataset/Excel Spreadsheet / October 1, 2020 / COR
3 / Select CBSA geography medication fill rates by medication class and sub-class / SAS Dataset/Excel Spreadsheet / October 1, 2020 / COR
4 / Sentinel medication fill rates / SAS Dataset/Excel Spreadsheet / November 1, 2020 /

SECTION 8 - REFERENCE MATERIALS
Not Applicable.

SECTION 9 - POINT OF CONTACT INFORMATION
The Point of Contact (POC) for this procurement is:

SECTION 10 - PAYMENT TERMS
Contract will be a firm, fixed price contract.
(Task / Milestone/Deliverable / Deliverable Due Date / DHDSP Initial Review / DHDSP Secondary Review (if needed))
1 / Drug Dimension/Crosswalk file (drug and molecule levels) / October 1, 2020 / November 1, 2020* / December 14, 2021**
2 / State level fill rates by medication class and sub-class that can be aggregated at the national level / October 1, 2020 / November 1, 2020* / December 14, 2021**
3 / Select CBSA geography medication fill rates by medication class and sub-class / October 1, 2020 / November 1, 2020* / December 14, 2021**
4 / Sentinel medication fill rates / November 1, 2021 / December 1, 2021* / January 14, 2021**

Quality Standards: DHDSP will have thirty days to review all the deliverables and provide feedback to the contractor. If the contractor does not receive any feedback within thirty days of delivery, then the deliverable is deemed approved by DHDSP.* If DHDSP identifies and communicates to the contractor potential issues with the material provided within these thirty days, the contractor shall provide a response to those concerns within fourteen days. DHDSP will have an additional thirty days from the date the contractor response was communicated to provide any additional feedback.**

SECTION 11 - MINIMUM VENDOR QUALIFICATIONS AND LEVEL OF EFFORT
The contractor shall provide the aggregate, de-identified data described above. The USC crosswalk, class and sub-class level AHM data, and ambiguous class data files will be provided in CSV files that will be sent via a secure electronic delivery system. The detailed national, state, and MSA data files stratified by medication class and the other specified variables will be provided in SAS table files via a web portal or similar secure process.

Information Security Requirements
Baseline Security Requirements
Applicability. The requirements herein apply whether the entire contract or order (hereafter "contract"), or portion thereof, includes either or both of the following:
- Access (Physical or Logical) to Government Information: A Contractor (and/or any subcontractor) employee will have or will be given the ability to have, routine physical (entry) or logical (electronic) access to government information.
- Operate a Federal System Containing Information: A Contractor (and/or any subcontractor) will operate a federal system and information technology containing data that supports the HHS mission. In addition to the Federal Acquisition Regulation (FAR) Subpart 2.1 definition of "information technology" (IT), the term as used in this section includes computers, ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services (including support services), and related resources.

Safeguarding Information and Information Systems. In accordance with the Federal Information Processing Standards Publication (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems, the Contractor (and/or any subcontractor) shall:
Protect government information and information systems in order to ensure:
- Confidentiality, which means preserving authorized restrictions on access and disclosure, based on the security terms found in this contract, including means for protecting personal privacy and proprietary information;
- Integrity, which means guarding against improper information modification or destruction, and ensuring information non-repudiation and authenticity; and
- Availability, which means ensuring timely and reliable access to and use of information.
Provide security for any Contractor systems, and information contained therein, connected to an HHS network or operated by the Contractor on behalf of HHS regardless of location. In addition, if new or unanticipated threats or hazards are discovered by either the agency or contractor, or if existing safeguards have ceased to function, the discoverer shall immediately, within one (1) hour or less, bring the situation to the attention of the other party.
Adopt and implement the policies, procedures, controls, and standards required by the HHS Information Security Program to ensure the confidentiality, integrity, and availability of government information and government information systems for which the Contractor is responsible under this contract or to which the Contractor may otherwise have access under this contract. Obtain the HHS Information Security Program security requirements, outlined in the HHS Information Security and Privacy Policy (IS2P), by contacting the CO/COR or emailing fisma@hhs.gov.
Comply with the Privacy Act requirements and tailor FAR clauses as needed.
Information Security Categorization. In accordance with FIPS 199 and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-60, Volume II: Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories, Appendix C, and based on information provided by the ISSO, CISO, or other security representative, the risk level for each Security Objective and the Overall Risk Level, which is the highest watermark of the three factors (Confidentiality, Integrity, and Availability) of the information or information system, are the following:
Confidentiality:     [X] Low  [ ] Moderate  [ ] High
Integrity:           [X] Low  [ ] Moderate  [ ] High
Availability:        [X] Low  [ ] Moderate  [ ] High
Overall Risk Level:  [X] Low  [ ] Moderate  [ ] High
Based on information provided by the ISSO, Privacy Office, system/data owner, or other security or privacy representative, it has been determined that this solicitation/contract involves: [X] No PII  [ ] Yes PII

Personally Identifiable Information (PII). Per the Office of Management and Budget (OMB) Circular A-130, "PII is information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual." Examples of PII include, but are not limited to, the following: social security number, date and place of birth, mother's maiden name, biometric records, etc. PII Confidentiality Impact Level has been determined to be: [X] Low  [ ] Moderate  [ ] High

Controlled Unclassified Information (CUI).
CUI is defined as "information that laws, regulations, or Government-wide policies require to have safeguarding or dissemination controls, excluding classified information." The Contractor (and/or any subcontractor) must comply with Executive Order 13556, Controlled Unclassified Information (implemented at 3 CFR, part 2002), when handling CUI. As implemented at 32 C.F.R. 2002.4(aa), the term "handling" refers to "...any use of CUI, including but not limited to marking, safeguarding, transporting, disseminating, re-using, and disposing of the information." 81 Fed. Reg. 63323. All sensitive information that has been identified as CUI by a regulation or statute, handled by this solicitation/contract, shall be: marked appropriately; disclosed to authorized personnel on a Need-To-Know basis; protected in accordance with the NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, applicable baseline if handled by a Contractor system operated on behalf of the agency, or NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, if handled by an internal Contractor system; and returned to HHS control, destroyed when no longer needed, or held until otherwise directed. Destruction of information and/or data shall be accomplished in accordance with NIST SP 800-88, Guidelines for Media Sanitization.

Protection of Sensitive Information. For security purposes, information is or may be sensitive because it requires security to protect its confidentiality, integrity, and/or availability. The Contractor (and/or any subcontractor) shall protect all government information that is or may be sensitive in accordance with OMB Memorandum M-06-16, Protection of Sensitive Agency Information, by securing it with a FIPS 140-2 validated solution.
Confidentiality and Nondisclosure of Information. Any information provided to the contractor (and/or any subcontractor) by HHS or collected by the contractor on behalf of HHS shall be used only for the purpose of carrying out the provisions of this contract and shall not be disclosed or made known in any manner to any persons except as may be necessary in the performance of the contract. The Contractor assumes responsibility for protection of the confidentiality of Government records and shall ensure that all work performed by its employees and subcontractors shall be under the supervision of the Contractor. Each Contractor employee or any of its subcontractors to whom any HHS records may be made available or disclosed shall be notified in writing by the Contractor that information disclosed to such employee or subcontractor can be used only for that purpose and to the extent authorized herein. The confidentiality, integrity, and availability of such information shall be protected in accordance with HHS and CDC policies. Unauthorized disclosure of information will be subject to the HHS/CDC sanction policies and/or governed by the following laws and regulations: 18 U.S.C. 641 (Criminal Code: Public Money, Property or Records); 18 U.S.C. 1905 (Criminal Code: Disclosure of Confidential Information); and 44 U.S.C. Chapter 35, Subchapter I (Paperwork Reduction Act).

Internet Protocol Version 6 (IPv6). All procurements using Internet Protocol shall comply with OMB Memorandum M-05-22, Transition Planning for Internet Protocol Version 6 (IPv6).

Government Websites. All new and existing public-facing government websites must be securely configured with Hypertext Transfer Protocol Secure (HTTPS) using the most recent version of Transport Layer Security (TLS). In addition, HTTPS shall enable HTTP Strict Transport Security (HSTS) to instruct compliant browsers to assume HTTPS at all times, to reduce the number of insecure redirects and to protect against attacks that attempt to downgrade connections to plain HTTP. For internal-facing websites, HTTPS is not required, but it is highly recommended.

Contract Documentation. The Contractor shall use provided templates, policies, forms and other agency documents to comply with contract deliverables as appropriate.

Standard for Encryption. The Contractor (and/or any subcontractor) shall:
- Comply with the HHS Standard for Encryption of Computing Devices and Information to prevent unauthorized access to government information.
- Encrypt all sensitive federal data and information (i.e., PII, protected health information [PHI], proprietary information, etc.) in transit (i.e., email, network connections, etc.) and at rest (i.e., servers, storage devices, mobile devices, backup media, etc.) with a FIPS 140-2 validated encryption solution.
- Secure all devices (i.e., desktops, laptops, mobile devices, etc.) that store and process government information and ensure devices meet HHS and CDC-specific encryption standard requirements.
- Maintain a complete and current inventory of all laptop computers, desktop computers, and other mobile devices and portable media that store or process sensitive government information (including PII).
- Verify that the encryption solutions in use have been validated under the Cryptographic Module Validation Program to confirm compliance with FIPS 140-2. The Contractor shall provide a written copy of the validation documentation to the COR and ISSO within 30 days of contract award.
- Use the Key Management system on the HHS personal identification verification (PIV) card or establish and use a key recovery mechanism to ensure the ability for authorized personnel to encrypt/decrypt information and recover encryption keys. Encryption keys shall be provided to the COR upon request and at the conclusion of the contract.

Contractor Non-Disclosure Agreement (NDA). Each Contractor (and/or any subcontractor) employee having access to non-public government information under this contract shall complete the CDC non-disclosure agreement. A copy of each signed and witnessed NDA shall be submitted to the Contracting Officer (CO) and/or CO Representative (COR) prior to performing any work under this acquisition.

Privacy Threshold Analysis (PTA)/Privacy Impact Assessment (PIA). The Contractor shall assist the CDC Senior Official for Privacy (SOP) or designee with conducting a PTA for the information system and/or information handled under this contract to determine whether or not a full PIA needs to be completed. If the results of the PTA show that a full PIA is needed, the Contractor shall assist the CDC SOP or designee with completing a PIA for the system or information within 30 days after completion of the PTA and in accordance with HHS policy and OMB M-03-22, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002. The Contractor shall assist the CDC SOP or designee in reviewing the PIA at least every three years throughout the system development lifecycle (SDLC)/information lifecycle, or when determined by the agency that a review is required based on a major change to the system, or when new types of PII are collected that introduce new or increased privacy risks, whichever comes first.

Training
Mandatory Training for All Contractor Staff. All Contractor (and/or any subcontractor) employees assigned to work on this contract shall complete the applicable HHS/CDC Contractor Information Security Awareness, Privacy, and Records Management training (provided upon contract award) before performing any work under this contract. Thereafter, the employees shall complete CDC specific Information Security Awareness, Privacy, and Records Management training at least annually, during the life of this contract. All provided training shall be compliant with HHS training policies.

Role-based Training. All Contractor (and/or any subcontractor) employees with significant security responsibilities (as determined by the program manager) must complete role-based training annually commensurate with their role and responsibilities in accordance with HHS policy and the HHS Role-Based Training (RBT) of Personnel with Significant Security Responsibilities Memorandum.

Training Records. The Contractor (and/or any subcontractor) shall maintain training records for all its employees working under this contract in accordance with HHS policy. A copy of the training records shall be provided to the CO and/or COR within 30 days after contract award and annually thereafter or upon request.

Rules of Behavior. The Contractor (and/or any subcontractor) shall ensure that all employees performing on the contract comply with the HHS Information Technology General Rules of Behavior, and any CDC-specific rules, as applicable. All Contractor employees performing on the contract must read and adhere to the Rules of Behavior before accessing Department data or other information, systems, and/or networks that store/process government information, initially at the beginning of the contract and at least annually thereafter, which may be done as part of annual CDC Information Security Awareness Training.
If the training is provided by the contractor, the signed ROB must be provided as a separate deliverable to the CO and/or COR per the defined timelines above.

Incident Response
The Contractor (and/or any subcontractor) shall respond to all alerts/Indicators of Compromise (IOCs) provided by HHS Computer Security Incident Response Center (CSIRC)/CDC CSIRT teams within 24 hours, whether the response is positive or negative.
FISMA defines an incident as "an occurrence that (1) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or (2) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies." The HHS Policy for IT Security and Privacy Incident Reporting and Response further defines incidents as events involving cybersecurity and privacy threats, such as viruses, malicious user activity, loss of, unauthorized disclosure or destruction of data, and so on. A privacy breach is a type of incident and is defined by the Federal Information Security Modernization Act (FISMA) as the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where (1) a person other than an authorized user accesses or potentially accesses personally identifiable information or (2) an authorized user accesses or potentially accesses personally identifiable information for an other than authorized purpose. The HHS Policy for IT Security and Privacy Incident Reporting and Response further defines a breach as "a suspected or confirmed incident involving PII".
In the event of a suspected or confirmed incident or breach, the Contractor (and/or any subcontractor) shall:
- Protect all sensitive information, including any PII created, stored, or transmitted in the performance of this contract, so as to avoid a secondary sensitive information incident, with FIPS 140-2 validated encryption.
- NOT notify affected individuals unless so instructed by the Contracting Officer or designated representative. If so instructed by the Contracting Officer or representative, the Contractor shall send CDC approved notifications to affected individuals following CDC's designated process.
- Report all suspected and confirmed information security and privacy incidents and breaches to the CDC's Computer Security Incident Response Team (CSIRT) [CSIRT@CDC.gov], COR, CO, CDC SOP (or his or her designee), and other stakeholders, including incidents involving PII, in any medium or form, including paper, oral, or electronic, as soon as possible and without unreasonable delay, no later than one (1) hour, and consistent with the applicable CDC and HHS policy and procedures, NIST standards and guidelines, as well as US-CERT notification guidelines. The types of information required in an incident report must include at a minimum: company and point of contact information, contract information, impact classifications/threat vector, and the type of information compromised. In addition, the Contractor shall: cooperate and exchange any information, as determined by the Agency, necessary to effectively manage or mitigate a suspected or confirmed breach; not include any sensitive information in the subject or body of any reporting e-mail; and encrypt sensitive information in attachments to email, media, etc.
- Comply with OMB M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, and HHS and CDC's incident response policies when handling PII breaches.
- Provide full access and cooperate on all activities as determined by the Government to ensure an effective incident response, including providing all requested images, log files, and event information to facilitate rapid resolution of sensitive information incidents.
This may involve disconnecting the system processing, storing, or transmitting the sensitive information from the Internet or other networks or applying additional security controls. This may also involve physical access to contractor facilities during a breach/incident investigation.

Position Sensitivity Designations
All Contractor (and/or any subcontractor) employees must obtain a background investigation commensurate with their position sensitivity designation that complies with Parts 1400 and 731 of Title 5, Code of Federal Regulations (CFR). The following position sensitivity designation levels apply to this solicitation/contract: Level 1.

Homeland Security Presidential Directive (HSPD)-12
The Contractor (and/or any subcontractor) and its employees shall comply with Homeland Security Presidential Directive (HSPD)-12, Policy for a Common Identification Standard for Federal Employees and Contractors; OMB M-05-24; FIPS 201, Personal Identity Verification (PIV) of Federal Employees and Contractors; HHS HSPD-12 policy; and Executive Order 13467, Part 1 §1.2. For additional information, see HSPD-12 policy at: https://www.dhs.gov/homeland-security-presidential-directive-12

Roster. The Contractor (and/or any subcontractor) shall submit a roster by name, position, e-mail address, phone number and responsibility, of all staff working under this acquisition where the Contractor will develop, have the ability to access, or host and/or maintain a government information system(s). The roster shall be submitted to the COR and/or CO within the CDC specified timeline of the effective date of this contract. Any revisions to the roster as a result of staffing changes shall be submitted within 7 days of the change. The COR will notify the Contractor of the appropriate level of investigation required for each staff member. If the employee is filling a new position, the Contractor shall provide a position description and the Government will determine the appropriate suitability level.

Contract Initiation and Expiration
General Security Requirements. The Contractor (and/or any subcontractor) shall comply with information security and privacy requirements, Enterprise Performance Life Cycle (EPLC) processes, and HHS Enterprise Architecture requirements to ensure information is appropriately protected from initiation to expiration of the contract. All information systems development or enhancement tasks supported by the contractor shall follow the CDC EPLC framework and methodology, in accordance with the HHS Contract Closeout Guide (2012). CDC EPLC requirements may be located here: https://www2a.CDC.gov/CDCup/library/other/eplc.htm.
System Documentation. Contractors (and/or any subcontractors) must follow and adhere to NIST SP 800-64, Security Considerations in the System Development Life Cycle, at a minimum, for system development and provide system documentation at designated intervals (specifically, at the expiration of the contract) within the EPLC that require artifact review and approval.
Sanitization of Government Files and Information. As part of contract closeout and at expiration of the contract, the Contractor (and/or any subcontractor) shall provide all required documentation to the CO and/or COR to certify that, at the government's direction, all electronic and paper records are appropriately disposed of and all devices and media are sanitized in accordance with NIST...
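The Section 4 layout above defines its measure columns in prose: claim counts by patient-pay bucket, the four NULL-payment counts, the VALID_RX_PRICE flag and Perc_Max_Dose. The following Python is an added worked example, written for this edited copy and not part of the solicitation or of any vendor's deliverable, that rolls constructed claim-level records for one stratum up into those columns. The claims, the maximum-dose table and the decision to treat a NULL payment component as 0 inside TOTAL_RX_PRICE are assumptions; the layout itself only says what the flag and the counts mean.

```python
"""Aggregating claim-level prescription fills into the measure columns of the
Section 4 data layout (items 2-4): fill counts, patient-pay buckets,
NULL-payment counts, VALID_RX_PRICE and Perc_Max_Dose.

Example code added by the editor; not part of the CDC solicitation, the IDV
product, or any vendor deliverable. The claims, the maximum-dose table and
the handling of NULL payments in TOTAL_RX_PRICE are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# Layout rule: PTNT_PAY "greater than 0 and less than or equal to 5" is a low copay.
LOW_PTNT_PAY_CEILING = 5.0

# Constructed maximum dosage per molecule (mg). Hypothetical values; real
# figures would come from the task 1 drug crosswalk file.
MAX_DOSE_MG = {"AMLODIPINE": 10.0, "LISINOPRIL": 80.0, "SIMVASTATIN": 80.0}


@dataclass
class Claim:
    molecule: str
    fill_type: str               # "NEW" or "REFILL"
    strength_mg: float           # strength of the dispensed product
    quantity: float              # pills dispensed (feeds TOTAL_RX_AMOUNT)
    days_supply: int             # feeds THERAPY_DAYS
    plan_pay: Optional[float]    # None models a NULL PLAN_PAY
    ptnt_pay: Optional[float]    # None models a NULL PTNT_PAY


def pct_of_max_dose(strength_mg: float, max_dose_mg: float) -> float:
    """Layout example: a 10 mg fill in a class whose maximum is 50 mg is 20%."""
    return strength_mg / max_dose_mg * 100.0


def aggregate(claims: list) -> dict:
    """Roll one stratum of claims up into the layout's measure columns."""
    if not claims:
        raise ValueError("a stratum needs at least one claim")

    plan_unk = [c for c in claims if c.plan_pay is None]
    ptnt_unk = [c for c in claims if c.ptnt_pay is None]
    either_unk = [c for c in claims if c.plan_pay is None or c.ptnt_pay is None]
    both_unk = [c for c in claims if c.plan_pay is None and c.ptnt_pay is None]

    return {
        "NEW_FILLS": sum(1 for c in claims if c.fill_type == "NEW"),
        "REFILLS": sum(1 for c in claims if c.fill_type == "REFILL"),
        "TOTAL_FILLS": len(claims),
        # A NULL patient pay contributes nothing to the patient-pay total.
        "TOTAL_PTNT_PAY": sum(c.ptnt_pay for c in claims if c.ptnt_pay is not None),
        "TOTAL_FILLS_PTNT_PAY_UNK": len(ptnt_unk),
        "TOTAL_FILLS_PTNT_PAY_ZERO": sum(1 for c in claims if c.ptnt_pay == 0),
        "TOTAL_FILLS_PTNT_PAY_LOW": sum(
            1 for c in claims
            if c.ptnt_pay is not None and 0 < c.ptnt_pay <= LOW_PTNT_PAY_CEILING),
        "TOTAL_RX_AMOUNT": sum(c.quantity for c in claims),
        # Assumption: a NULL component of plan + patient pay counts as 0 in the
        # total; VALID_RX_PRICE tells the analyst whether that happened.
        "TOTAL_RX_PRICE": sum((c.plan_pay or 0.0) + (c.ptnt_pay or 0.0) for c in claims),
        # 1 only when every claim had both PLAN_PAY and PTNT_PAY populated, so
        # TOTAL_RX_PRICE / TOTAL_FILLS is a trustworthy average price.
        "VALID_RX_PRICE": 0 if either_unk else 1,
        "TOTAL_FILLS_PLAN_AND_PTNT_UNK": len(both_unk),
        "TOTAL_FILLS_PLAN_OR_PTNT_UNK": len(either_unk),
        "TOTAL_FILLS_PLAN_UNK": len(plan_unk),
        "TOTAL_FILLS_PTNT_UNK": len(ptnt_unk),
        "THERAPY_DAYS": sum(c.days_supply for c in claims),
        # Mean over claims of each fill's percentage of its molecule's maximum dose.
        "Perc_Max_Dose": sum(
            pct_of_max_dose(c.strength_mg, MAX_DOSE_MG[c.molecule]) for c in claims
        ) / len(claims),
    }


# Constructed claims for one stratum; they exercise every NULL/zero/low case.
SAMPLE_CLAIMS = [
    Claim("LISINOPRIL", "NEW", 10.0, 30, 30, 12.0, 4.0),       # low copay, 12.5% of max
    Claim("LISINOPRIL", "REFILL", 20.0, 90, 90, 30.0, 0.0),    # zero copay, 25%
    Claim("AMLODIPINE", "NEW", 5.0, 30, 30, None, 8.0),        # plan pay NULL, 50%
    Claim("SIMVASTATIN", "REFILL", 40.0, 30, 30, 15.0, None),  # patient pay NULL, 50%
    Claim("AMLODIPINE", "REFILL", 10.0, 30, 30, None, None),   # both NULL, 100%
]

if __name__ == "__main__":
    for name, value in aggregate(SAMPLE_CLAIMS).items():
        print(f"{name:32} {value}")
```

VALID_RX_PRICE is the guard the layout asks for: once any claim in the stratum lacks PLAN_PAY or PTNT_PAY the flag drops to 0, and TOTAL_RX_PRICE should not be divided by TOTAL_FILLS to estimate an average price for that row.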
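The Government Websites requirement above asks for HTTPS with HSTS enabled so that compliant browsers assume HTTPS and refuse to be downgraded to plain HTTP. The following Python is an added example, not from the solicitation or any CDC or HHS system, that parses a Strict-Transport-Security header the way RFC 6797 tells a browser to (required max-age, case-insensitive directives, no duplicates, headers on plain HTTP ignored) and reports what a reviewer of that requirement would flag. The one-year minimum max-age is an assumed local policy value that the solicitation does not state, and the sample header values are constructed.

```python
"""Checking the 'Government Websites' requirement: an HTTPS site must send a
valid Strict-Transport-Security header so compliant browsers assume HTTPS.

Example code added by the editor; not from the solicitation or any CDC/HHS
system. parse_hsts follows the RFC 6797 header grammar; the minimum max-age
used by evaluate_hsts is an assumed local policy value. Header values below
are constructed."""
from typing import Optional

ASSUMED_MIN_MAX_AGE = 31536000  # one year in seconds; local policy assumption


def parse_hsts(header_value: str) -> Optional[dict]:
    """Parse an STS header value; return None when a browser would ignore it.

    RFC 6797 section 6.1: directives are ';'-separated, names are
    case-insensitive, each directive may appear only once, max-age is
    required, and unrecognised directives are ignored."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for piece in header_value.split(";"):
        token = piece.strip()
        if not token:
            continue  # tolerate empty pieces such as a trailing ';'
        name, _, arg = token.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None  # a duplicated directive invalidates the header
        seen.add(name)
        if name == "max-age":
            digits = arg.strip().strip('"')  # the value may be a quoted-string
            if not digits.isdigit():
                return None
            policy["max_age"] = int(digits)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        return None  # max-age is REQUIRED
    return policy


def evaluate_hsts(over_https: bool, header_value: Optional[str],
                  min_max_age: int = ASSUMED_MIN_MAX_AGE) -> list:
    """Return a list of findings; an empty list means the response passes."""
    findings = []
    if not over_https:
        # RFC 6797 section 8.1: STS headers received over plain HTTP are
        # ignored, so a policy served only on the HTTP side protects nobody.
        findings.append("response not over HTTPS; browsers ignore HSTS here")
        return findings
    if header_value is None:
        findings.append("no Strict-Transport-Security header")
        return findings
    policy = parse_hsts(header_value)
    if policy is None:
        findings.append("malformed Strict-Transport-Security header; ignored by browsers")
        return findings
    if policy["max_age"] == 0:
        findings.append("max-age=0 removes the host from the browser's HSTS list")
    elif policy["max_age"] < min_max_age:
        findings.append(f"max-age {policy['max_age']} below assumed minimum {min_max_age}")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains absent (recommended; not required by the solicitation)")
    return findings


# Constructed responses as (over_https, header_value) pairs.
SAMPLE_RESPONSES = {
    "good": (True, "max-age=63072000; includeSubDomains; preload"),
    "plain-http": (False, "max-age=63072000; includeSubDomains"),
    "missing": (True, None),
    "no-max-age": (True, "includeSubDomains"),
    "cleared": (True, "max-age=0"),
}

if __name__ == "__main__":
    for label, (https, value) in SAMPLE_RESPONSES.items():
        print(label, evaluate_hsts(https, value) or ["ok"])
```

The two early returns matter more than the directive checks: a header that a browser discards (served over HTTP, missing max-age, or with a duplicated directive) leaves the site exactly as downgradable as no header at all, which is the failure mode the requirement is written to prevent.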
 
Web Link
SAM.gov Permalink
(https://beta.sam.gov/opp/319477e12f7544909b22a7e92dd52f2d/view)
 
Place of Performance
Address: USA
Country: USA
 
Record
SN05677158-F 20200604/200602230207 (samdaily.us)
 
Source
SAM.gov Link to This Notice
(may not be valid after Archive Date)

© 1994-2024, Loren Data Corp.