SOLICITATION NOTICE
J -- MRI New Base Plus Three
- Notice Date
- 1/5/2024 11:20:42 AM
- Notice Type
- Presolicitation
- NAICS
- 423450
— Medical, Dental, and Hospital Equipment and Supplies Merchant Wholesalers
- Contracting Office
- 247-NETWORK CONTRACT OFFICE 7 (36C247) AUGUSTA GA 30904 USA
- ZIP Code
- 30904
- Solicitation Number
- 36C24724Q0216
- Response Due
- 1/12/2024 9:00:00 AM
- Archive Date
- 02/11/2024
- Point of Contact
- Thomas J Deppa, Contracting Officer, Phone: 803-776-4000
- E-Mail Address
- Thomas.Deppa@va.gov
- Awardee
- null
- Description
- STATEMENT OF WORK for MRI B.1 EQUIPMENT: Equipment and options/accessories serviced and maintained for the Department of Veterans Affairs Medical Center, Central Alabama Veterans Health Care System, 215 Perry Hill Road, Montgomery, Alabama, 36109. Equipment: Toshiba MRI, model: VANTAGE ATLAS-X 1.5T, S/N: S2A1782014, and accessories (coils packages, VRDU, Glassware, Cryogens, Magnet Maintenance, Heat Exchanger, Voltage Regulator, Computers, Monitors, Software, Detectors, helium refrigerator, etc.), Location: GB119-001-MO, EE#: MX1675422 with extended afterhours repairs and afterhours PM service. Afterhours include during the week and weekends. B.1.2 DEFINITIONS/ACRONYMS: HTM Staff Engineer (William Piper) or designee, Bldg. 7, Room 216, Telephone 334-273-6258, 215 Perry Hill Road, Montgomery, Alabama 36109, CO - Contracting Officer, COR - Contracting Officer Representative, PM - Preventive Maintenance Inspection. Services which are periodic in nature and are required to maintain the equipment in such condition that it may be operated in accordance with its intended design and functional capacity with minimal incidence of malfunction or inoperative conditions, FSE - Field Service Engineer. This is a person who is authorized by the OEM and the contractor to perform maintenance (corrective and/or preventive) services on the Department of Veterans Affairs Medical Center premises, ESR - Vendor Engineering Service Report. A documentation of the services rendered for each incidence of work performance under the terms and condition of the contract, Acceptance Signature. VA employee who indicates FSE demonstrated service conclusion/status and user has accepted work as complete/pending as stated in ESR, Authorization Signature. 
COR's signature; indicates COR accepts work status as stated in ESR, NFPA - National Fire Protection Association, CDRH - Center for Devices and Radiological Health, OSHA - Occupational Safety and Health Administration, JCAHO - Joint Commission on Accreditation of Healthcare Organizations, FDA - Food and Drug Administration, DVAMC - Department of Veterans Affairs Medical Center, ISO 9001 - International Organization for Standardization standard. Normal Working Hours - Monday through Friday, 8:00 a.m. - 5 p.m., excluding weekends and Federal Holidays, Afterhours - after normal working hours, weekends, and Federal Holidays. B.1.3 CONFORMANCE STANDARDS: Contract service shall ensure that the equipment functions in conformance with the latest published edition of NFPA-99, OSHA, CDRH, JCAHO, FDA, ISO 9001, and manufacturer specifications. B.1.4 HOURS OF COVERAGE: Normal hours of coverage shall be Monday through Friday from 8:00 a.m. to 5 p.m., excluding weekends and federal holidays. All routine service/repairs will be performed during normal hours of coverage unless requested or approved by CO/COR. Preventive maintenance will be performed after hours and emergency repairs will be performed 24 x 7. Preventive maintenance inspections are to be scheduled at least five days in advance with Contracting Officer Representative (COR) or designee and with Imaging Service. Coordination may be done by telephone. Preventive maintenance inspections will be performed quarterly in the months of November, February, May and August. Preventive Maintenance will be performed after hours and/or on the weekends. Schedule Preventive Maintenance Inspections with the HTM Staff Engineer or designee and Imaging Service supervisor. Federal Holidays observed by the DVAMC are: New Year's Day, Labor Day, Martin Luther King Day, Columbus Day, President's Day, Veterans Day, Memorial Day, Juneteenth, Thanksgiving Day, Independence Day, Christmas Day.
Coverage Period (Base Year): 2/14/2024 - 2/13/2025 B.1.5 UNSCHEDULED MAINTENANCE: The contractor shall maintain the equipment in accordance with Section B.1.3; Conformance Standards. The contractor shall provide repair service which may consist of calibration, cleaning, oiling, adjusting, replacing parts, and maintaining the equipment, including all intervening calls necessary between regular services and calibrations. All required parts shall be furnished. The CO, COR or designated alternate has the authority to approve/request a service call from the contractor. Response Time: Contractor's FSE must respond with a telephone call to the COR and his/her designee within 30 minutes after receipt of telephoned notification 24 hours per day. If the problem cannot be corrected by phone, the FSE will commence work (on-site physical response) within two (2) hours after receipt of notification and will proceed progressively to completion without undue delay. For example, if hours of coverage are 8:00 a.m. to 5 p.m., a two (2) hour response means, if a call is placed at 3:45 p.m. Monday, August 10, the FSE must start on-site service before 8:45 a.m. Tuesday, August 11, except when outside hours of coverage is authorized by the COTR. Emergency Repairs performed 24 x 7. Preventive maintenance performed afterhours during the week and/or weekends. B.1.6 SCHEDULED MAINTENANCE: A. The contractor shall perform MRI's PM Service in the months of November, February, May and August, and to ensure that equipment listed in the schedule performs in accordance with Section B.1.3; Conformance Standards. The contractor shall provide and utilize procedures and checklists, with worksheet originals indicating work performed and actual values obtained (as applicable) and shall provide said documentation to the COR at the completion of the PM.
PM services shall include, but may not be limited to, the following: Cleaning of equipment, Reviewing operating system software diagnostics to ensure that the system is operating to the manufacturer's specifications, Calibrating and lubricating the equipment, Performing remedial maintenance of non-emergent nature, Testing and replacing faulty and worn parts and/or parts which are likely to become faulty, fail or become worn, Inspecting, and replacing where indicated, cabling/connections for wear and fraying, Measuring, adjusting and calibrating as necessary, Inspecting, and replacing where indicated, electrical wiring and cables for wear and fraying, Inspecting and replacing where indicated, all mechanical components including, for mechanical integrity, safety, and performance, Inspecting Cryogens and filling Cryogens when indicated, Inspecting and performing Magnet maintenance, Inspecting and performing coil maintenance, Inspecting the Options (Cardiac Gating Unit, Peripheral Gating Package, & Respiratory Gating Package) and performing maintenance on the Options, Inspect all accessories, (VRDU, etc.)
Quarterly Maintenance to include but not limited to: Back-ups, O2 Sensor: test O2 sensor operation, replace O2 sensor, check battery life, replace battery, calibrate sensor(s), Gradient Coil: check water manifold connections, record delta water pressure (in/out), record input water temperature, check operation of flow switch, check water clarity, Magnet Gantry (scan room): check all port connectors, check gantry lighting, check gantry fans, cooling and patient, check patient projector operation, check operator panel buttons and abort buttons, check gradient terminal board connections, clean air flow waveguide screens on filter panel, replace fan box filters, Magnet: check Lhe level, check magnet pressure, OR76 Magnet: measure shield temperatures, Patient Couch: check operation, in/out, up/down, check free movement, check hydraulic hose and connections, clean table inside and out, grease the up/down hardware, check table bolts for tightness, check in/out table limits, check up/down table limits, check and clean all coil port connectors, check all coils and connections to table ports, check patient call operation, Transformer Cabinet: check all output voltages, operational check of the emergency switch, check for water in vacuum output container. 
ECO Control Cabinet: clean inside and out, check power supply RM chassis voltages, fans check RM, back door, RXM, check power LED, check connections, PC Cabinet: clean inside and out, fans check, check connections, Gradient Power Supply Cabinet: clean inside and out, check connections (input and output), check all fans, check water connections, check water flow rate, replace water filter, replace power fuses, Refrigerator: check water connections, check water input temp, check water flow, record compressor hours, check He gas pressure Dynamic (on), check He gas pressure Static (off), record average heater power, supervisor, replace compressor water filter, RF Coils: tune QDWB coil, QA one coil, System Checks: check f0, check system CF, record gradient waveform (heat X, Y, Z), check SEP waveform, record T2*, QDWB image test S/N, QDWB uniformity test, record temperature values with the appropriate Giftemp command, check lines in voltages, check for magnet field signs are properly posted, replace Gradient fuses, recharge helium refrigerator. Provide checklist with results and what & how faults were corrected on each repair and preventive maintenance. Apply gummed label, dated & signed, certifying performance and safety to meet MFG'S published specifications as of that date, Returning the equipment to the operating condition defined in Section B-1.3; Conformance Standards, Providing documentation (worksheet) of services performed on each machine tested. Provide separate service ticket for each device, packages, VRDU, and any other device. List all the test equipment used on the device on each service ticket to meet ISO 9001 standard. PM services shall be performed in accordance with, and during the hours defined in, the preventive maintenance schedule established herein. All exceptions to the PM schedule shall be arranged and approved in advance with the COR or designee, and the Imaging Service supervisor. 
Any charges for parts, services, manuals, tools, or software required to successfully complete scheduled PM are included within this contract, and its agreed upon price, unless specifically stated in writing otherwise. The contractor shall furnish documentation, including all measurements and calibration data. The contractor shall furnish all backup documentation to ensure that the system is performing in accordance with B.1.3; Conformance Standards. B.1.7 PARTS: The contractor shall furnish and replace parts to meet up-time requirements (consumables are not covered). The contractor has ready access to unique and/or high mortality replacement parts. All parts supplied shall be compatible with existing equipment. The contract shall include all parts and software. The contractor shall use new parts. Re-built parts or used parts, those removed from other equipment, shall not be installed without written approval by the CO and the COR. B.1.8 SERVICE MANUALS: The DVAMC shall not provide service manuals or service diagnostic software to the contractor. The contractor shall obtain, have on file, and make available to its FSEs all operational and technical documentation (such as operational and service manuals, schematics, and parts list), which are necessary to meet the performance requirements of this contract. The location and listing of the service data manuals, by name, and/or the manuals themselves shall be provided to the CO or COR upon request. B.1.9 DOCUMENTATION/REPORTS: The documentation will include detailed descriptions of the scheduled and unscheduled maintenance procedures performed, including replaced parts required to maintain the equipment in accordance with conformance standards. Such documentation shall meet the guidelines as set forth in Section B.1.3; Conformance Standards.
In addition, each ESR shall, at a minimum, document the following data legibly and in complete detail: Name of Contractor, Name of FSE who performed services, Contractor Service ESR Number/Log Number, Date, Time (starting and ending), and Hours-On-Site for service call, Description of Problem Reported by COR/User, Identification of Equipment to be serviced: INV. ID number, Manufacturer's name, Device Name, Model number, Serial number, and any other Manufacturer's identification numbers, Itemized Description of Service Performed, including: Labor and Travel, Parts (with part numbers), Materials and Circuit Location of problem/corrective action, Total Cost to be billed, Signatures: FSE performing services described, VA Employee who witnessed service described may initial said ESR, but only the COR has the authority to sign the ESR Equipment downtime, VA Purchase Order Number. Provide separate service ticket for each device, packages, VRDU, and any other device. List all the test equipment used on the device on each service ticket to meet ISO 9001 standard. NOTE: ANY ADDITIONAL CHARGES CLAIMED MUST BE APPROVED BY THE COTR BEFORE SERVICE IS COMPLETED! B.1.10 REPORTING REQUIREMENTS: The contractor shall be required to report to the Biomedical Section Manager or designee. This check in is mandatory. When the service is completed, the FSE shall document services rendered on a legible ESR(s). The FSE shall be required to log out with the HTM Staff Engineer or designee, and submit the ESR(s) to the COR. ALL ESRs shall be submitted to the equipment user for an "acceptance signature" and to the COR for an "authorization signature". If the COR is unavailable a signed, authorized, copy of the ESR will be sent to the contractor after the work can be reviewed (if requested or noted on the ESR). B.1.11 PAYMENT: Invoices will be paid in arrears on a quarterly basis. Invoices shall be line itemized.
B.1.12 ADDITIONAL CHARGES: There will be no additional charge for time spent at the site during, or after the normal hours of coverage awaiting the arrival of additional FSE and/or delivery of parts. B.1.13 REPORTING REQUIRED SERVICES BEYOND THE CONTRACT SCOPE: The Contractor shall immediately, but not later than 24 consecutive hours after discovery notify the CO and COR, in writing, of the existence or the development of any defects in, or repairs required to the scheduled equipment which the Contractor considers he/she is not responsible for under the terms of the contract. The contractor shall furnish the CO and COR with a written estimate of the cost to make necessary repairs. B.1.14 CONDITION OF EQUIPMENT: The contractor accepts responsibility for the equipment described in the schedule "as is" condition. Failure to inspect the equipment prior to contract award shall not relieve the contractor from performance of the requirements of this contract. B.1.15 COMPETENCY OF PERSONNEL SERVICING EQUIPMENT: Each respondent shall have an established business, with an office and full time staff. The staff includes a "fully qualified" FSE and a "fully qualified" FSE who will serve as the backup. "Fully Qualified" is based upon OEM training and on experience in the field. For training, the FSE(s) has successfully completed a formalized OEM manufacturer training program within the last two years, for the equipment identified in the equipment schedule, and annual refresher course. For field experience, the FSE(s) has a minimum of two years of experience, with respect to scheduled and unscheduled preventive and remedial maintenance, on equipment listed. The FSEs shall be authorized by the contractor to perform the maintenance services. All work shall be performed by "Fully Qualified" competent FSEs.
The contractor shall provide written assurance of the competency of their personnel and a list of credentials of approved FSEs for each make and model the contractor services at the DVAMC. The CO may authenticate the training requirements, request training certificates or credentials from the contractor at any time for any personnel who are servicing or installing any DVAMC equipment. The CO and/or the COR specifically reserve the right to reject any of the contractor's personnel and refuse them permission to work on the DVAMC equipment. Subcontractor will not be used under this contract unless authorized and approved by the CO and the COR. B.1.16 TEST EQUIPMENT: Test equipment shall meet ISO 9001 standards. Prior to commencement of work on this contract, the contractor shall provide the DVAMC with a copy of the current calibration certification of all test equipment which is to be used by the contractor on DVAMC's equipment. This certification shall also be provided on a periodic basis when requested by the DVAMC. Test equipment calibration shall be traceable to a national standard. B.1.17 IDENTIFICATION, PARKING, SMOKING, AND VA REGULATIONS: The Contractor's FSE shall wear visible identification at all times while on the premises of the DVAMC. It is the responsibility of the contractor to park in the appropriate designated parking areas. Information on parking is available from the DVAMC Police Section. The DVAMC will not invalidate or make reimbursement for parking violations of the contractor under any conditions. Smoking is prohibited inside any buildings at the DVAMC. Possession of weapons is prohibited. Enclosed containers, including tool kits, shall be subject to search. Violations of VA regulations may result in citation answerable in the United States (Federal) District Court, not a local district, state, or municipal court. 
B.1.18 Obtaining a VA IDENTIFICATION Badge: Within the first month of the service contract, the contractor's service technician(s) are to arrange with the HTM Staff Engineer to obtain an identification badge. The process requires contractor's service technician(s) to bring two (2) valid forms of identification, completion of VA Form 0711, fingerprints, photograph, and possible background check. The process of receiving the Identification badge takes 2-4 weeks. B.1.19 INSURANCE: Worker compensation and employer's liability. Contractors are required to comply with applicable Federal and State Worker Compensation and Occupational Disease Statutes. General Liability. Contractors are required to have Bodily Injury Liability insurance coverage written on the comprehensive form of policy of at least $500,000 per occurrence. Property Damage Liability. Contractors are required to have Property Damage Liability insurance coverage of at least $500,000. Medical Liability. Contractors are required to have Indemnification and Medical Liability insurance coverage of at least $1,000,000. B-1.21 VA HANDBOOK 6500.6 APPENDIX CLAUSE: BAA is required under the C&A requirement. Appendix C: MARCH 12, 2010 VA HANDBOOK 6500.6 APPENDIX C C-1 VA INFORMATION AND INFORMATION SYSTEMS SECURITY/PRIVACY LANGUAGE 1. GENERAL Contractors, contractor personnel, subcontractors, and subcontractor personnel shall be subject to the same Federal laws, regulations, standards, and VA Directives and Handbooks as VA and VA personnel regarding information and information system security. 2. ACCESS TO VA INFORMATION AND VA INFORMATION SYSTEMS a. A contractor/subcontractor shall request logical (technical) or physical access to VA information and VA information systems for their employees, subcontractors, and affiliates only to the extent necessary to perform the services specified in the contract, agreement, or task order. b.
All contractors, subcontractors, and third-party servicers and associates working with VA information are subject to the same investigative requirements as those of VA appointees or employees who have access to the same types of information. The level and process of background security investigations for contractors must be in accordance with VA Directive and Handbook 0710, Personnel Suitability and Security Program. The Office for Operations, Security, and Preparedness is responsible for these policies and procedures. c. Contract personnel who require access to national security programs must have a valid security clearance. National Industrial Security Program (NISP) was established by Executive Order 12829 to ensure that cleared U.S. defense industry contract personnel safeguard the classified information in their possession while performing work on contracts, programs, bids, or research and development efforts. The Department of Veterans Affairs does not have a Memorandum of Agreement with Defense Security Service (DSS). Verification of a Security Clearance must be processed through the Special Security Officer located in the Planning and National Security Service within the Office of Operations, Security, and Preparedness. d. Custom software development and outsourced operations must be located in the U.S. to the maximum extent practical. If such services are proposed to be performed abroad and are not disallowed by other VA policy or mandates, the contractor/subcontractor must state where all non-U.S. services are provided and detail a security plan, deemed to be acceptable by VA, specifically to address mitigation of the resulting problems of communication, control, data protection, and so forth. Location within the U.S. may be an evaluation factor. e. 
The contractor or subcontractor must notify the Contracting Officer immediately when an employee working on a VA system or with access to VA information is reassigned or leaves the contractor or subcontractor's employ. The Contracting Officer must also be notified immediately by the contractor or subcontractor prior to an unfriendly termination. VA HANDBOOK 6500.6 MARCH 12, 2010 APPENDIX C C-2 1. VA INFORMATION CUSTODIAL LANGUAGE a. Information made available to the contractor or subcontractor by VA for the performance or administration of this contract or information developed by the contractor/subcontractor in performance or administration of the contract shall be used only for those purposes and shall not be used in any other way without the prior written agreement of the VA. This clause expressly limits the contractor/subcontractor's rights to use data as described in Rights in Data - General, FAR 52.227-14(d)(1). b. VA information should not be co-mingled, if possible, with any other data on the contractor's/subcontractor's information systems or media storage systems in order to ensure VA requirements related to data protection and media sanitization can be met. If co-mingling must be allowed to meet the requirements of the business need, the contractor must ensure that VA's information is returned to the VA or destroyed in accordance with VA's sanitization requirements. VA reserves the right to conduct on site inspections of contractor and subcontractor IT resources to ensure data security controls, separation of data and job duties, and destruction/media sanitization procedures are in compliance with VA directive requirements. c. Prior to termination or completion of this contract, contractor/subcontractor must not destroy information received from VA, or gathered/created by the contractor in the course of performing this contract without prior written approval by the VA.
Any data destruction done on behalf of VA by a contractor/subcontractor must be done in accordance with National Archives and Records Administration (NARA) requirements as outlined in VA Directive 6300, Records and Information Management and its Handbook 6300.1 Records Management Procedures, applicable VA Records Control Schedules, and VA Handbook 6500.1, Electronic Media Sanitization. Self-certification by the contractor that the data destruction requirements above have been met must be sent to the VA Contracting Officer within 30 days of termination of the contract. d. The contractor/subcontractor must receive, gather, store, back up, maintain, use, disclose and dispose of VA information only in compliance with the terms of the contract and applicable Federal and VA information confidentiality and security laws, regulations and policies. If Federal or VA information confidentiality and security laws, regulations and policies become applicable to the VA information or information systems after execution of the contract, or if NIST issues or updates applicable FIPS or Special Publications (SP) after execution of this contract, the parties agree to negotiate in good faith to implement the information confidentiality and security laws, regulations and policies in this contract. e. The contractor/subcontractor shall not make copies of VA information except as authorized and necessary to perform the terms of the agreement or to preserve electronic information stored on contractor/subcontractor electronic storage media for restoration in case any electronic equipment or data used by the contractor/subcontractor needs to be restored to an operating state. If copies are made for restoration purposes, after the restoration is complete, the copies must be appropriately destroyed. f. 
If VA determines that the contractor has violated any of the information confidentiality, privacy, and security provisions of the contract, it shall be sufficient grounds for VA to withhold payment to the contractor or third party or terminate the contract for default or terminate for cause under Federal Acquisition Regulation (FAR) part 12. g. If a VHA contract is terminated for cause, the associated BAA must also be terminated and appropriate actions taken in accordance with VHA Handbook 1600.01, Business Associate Agreements. Absent an agreement to use or disclose protected health information, there is no business associate relationship. h. The contractor/subcontractor must store, transport, or transmit VA sensitive information in an encrypted form, using VA-approved encryption tools that are, at a minimum, FIPS 140-2 validated. i. The contractor/subcontractor's firewall and Web services security controls, if applicable, shall meet or exceed VA's minimum requirements. VA Configuration Guidelines are available upon request. j. Except for uses and disclosures of VA information authorized by this contract for performance of the contract, the contractor/subcontractor may use and disclose VA information only in two other situations: (i) in response to a qualifying order of a court of competent jurisdiction, or (ii) with VA's prior written approval. The contractor/subcontractor must refer all requests for, demands for production of, or inquiries about, VA information and information systems to the VA contracting officer for response. k. Notwithstanding the provision above, the contractor/subcontractor shall not release VA records protected by Title 38 U.S.C. 5705, confidentiality of medical quality assurance records and/or Title 38 U.S.C. 7332, confidentiality of certain health records pertaining to drug addiction, sickle cell anemia, alcoholism or alcohol abuse, or infection with human immunodeficiency virus.
If the contractor/subcontractor is in receipt of a court order or other requests for the above mentioned information, that contractor/subcontractor shall immediately refer such court orders or other requests to the VA contracting officer for response. l. For service that involves the storage, generating, transmitting, or exchanging of VA sensitive information but does not require C&A or an MOU-ISA for system interconnection, the contractor/subcontractor must complete a Contractor Security Control Assessment (CSCA) on a yearly basis and provide it to the COTR. 2. SECURITY INCIDENT INVESTIGATION a. The term security incident means an event that has, or could have, resulted in unauthorized access to, loss or damage to VA assets, or sensitive information, or an action that breaches VA security procedures. The contractor/subcontractor shall immediately notify the COTR and simultaneously, the designated ISO and Privacy Officer for the contract of any known or suspected security/privacy incidents, or any unauthorized disclosure of sensitive information, including that contained in system(s) to which the contractor/subcontractor has access. b. To the extent known by the contractor/subcontractor, the contractor/subcontractor's notice to VA shall identify the information involved, the circumstances surrounding the incident (including to whom, how, when, and where the VA information or assets were placed at risk or compromised), and any other information that the contractor/subcontractor considers relevant. c. With respect to unsecured protected health information, the business associate is deemed to have discovered a data breach when the business associate knew or should have known of a breach of such information. Upon discovery, the business associate must notify the covered entity of the breach. Notifications need to be made in accordance with the executed business associate agreement. d.
In instances of theft or break-in or other criminal activity, the contractor/subcontractor must concurrently report the incident to the appropriate law enforcement entity (or entities) of jurisdiction, including the VA OIG and Security and Law Enforcement. The contractor, its employees, and its subcontractors and their employees shall cooperate with VA and any law enforcement authority responsible for the investigation and prosecution of any possible criminal law violation(s) associated with any incident. The contractor/subcontractor shall cooperate with VA in any civil litigation to recover VA information, obtain monetary or other compensation from a third party for damages arising from any incident, or obtain injunctive relief against any third party arising from, or related to, the incident. 3. LIQUIDATED DAMAGES FOR DATA BREACH a. Consistent with the requirements of 38 U.S.C. §5725, a contract may require access to sensitive personal information. If so, the contractor is liable to VA for liquidated damages in the event of a data breach or privacy incident involving any SPI the contractor/subcontractor processes or maintains under this contract. However, it is the policy of VA to forgo collection of liquidated damages in the event the contractor provides payment of actual damages in an amount determined to be adequate by the agency. b. The contractor/subcontractor shall provide notice to VA of a security incident as set forth in the Security Incident Investigation section above. Upon such notification, VA must secure from a non-Department entity or the VA Office of Inspector General an independent risk analysis of the data breach to determine the level of risk associated with the data breach for the potential misuse of any sensitive personal information involved in the data breach.
The term 'data breach' means the loss, theft, or other unauthorized access, or any access other than that incidental to the scope of employment, to data containing sensitive personal information, in electronic or printed form, that results in the potential compromise of the confidentiality or integrity of the data. Contractor shall fully cooperate with the entity performing the risk analysis. Failure to cooperate may be deemed a material breach and grounds for contract termination. c. Each risk analysis shall address all relevant information concerning the data breach, including the following: (1) Nature of the event (loss, theft, unauthorized access); (2) Description of the event, including: (a) date of occurrence; (b) data elements involved, including any PII, such as full name, social security number, date of birth, home address, account number, disability code; (3) Number of individuals affected or potentially affected; (4) Names of individuals or groups affected or potentially affected; (5) Ease of logical data access to the lost, stolen or improperly accessed data in light of the degree of protection for the data, e.g., unencrypted, plain text; (6) Amount of time the data has been out of VA control; (7) The likelihood that the sensitive personal information will or has been compromised (made accessible to and usable by unauthorized persons); (8) Known misuses of data containing sensitive personal information, if any; (9) Assessment of the potential harm to the affected individuals; (10) Data breach analysis as outlined in 6500.2 Handbook, Management of Security and Privacy Incidents, as appropriate; and ...
- Web Link
-
SAM.gov Permalink
(https://sam.gov/opp/fffb5da697da4faab347db6f4b08e0be/view)
- Record
- SN06928148-F 20240107/240105230043 (samdaily.us)
- Source
-
SAM.gov Link to This Notice
(may not be valid after Archive Date)