SOLICITATION NOTICE
R -- Temporary Pharmacy and Radiology Staffing - Solicitation Amendments
- Notice Date
- 4/1/2010
- Notice Type
- Combined Synopsis/Solicitation
- NAICS
- 561320
— Temporary Help Services
- Contracting Office
- Department of Health and Human Services, National Institutes of Health, Clinical Center/Office of Purchasing & Contracts, 6707 Democracy Blvd, Suite 106, MSC 5480, Bethesda, Maryland, 20892-5480
- ZIP Code
- 20892-5480
- Solicitation Number
- NIHCL2010054i
- Archive Date
- 4/30/2010
- Point of Contact
- Brian J. Lind, Phone: 301-402-0735
- E-Mail Address
-
LindBJ@cc.nih.gov
(LindBJ@cc.nih.gov)
- Small Business Set-Aside
- Total Small Business
- Description
- Attachment No 10 - Sample Task Order Attachment No 9 - FAR 52.212-3 Representations and Certififcations Attachment No 8 - SF 1449 Attachment No 7 - Proposal Packaging and Delivery Instructions Attachment No 6 - Invoicing Instructions Attachment No 5 - Technical Evaluation Criteria Attachment No 4 - Past Performance Questionaire Attachment No 3 - Proposal Preperation Instructions Attachment No 2 - Section B Description of Supplies/Services - Pricing Attachment No 1 - Statement of Work The Clinical Center at National Institutes of Health proposes to procure temporary staffing services for the Pharmacy and Radiology Departments, in accordance with the procedures for acquiring commercial items/services authorized in FAR Part 12. The staffing services will be required on an as needed basis within the specific departments. This is a Combined Synopsis for Commercial Services prepared in accordance with FAR Subpart 12.6 as supplemented with additional information included in this notice. This notice constitutes the only solicitation; a separate solicitation will not be issued. This solicitation NIHCL2010054 includes all provisions and clauses in effect through Federal Acquisition Circular 2005-38 with amendments dated February 1, 2010. The acquisition will be made pursuant to the authority in FAR 13.5 to use simplified procedures for commercial requirements. The acquisition is set aside for small businesses. The standard North American Industry Classification System (NAICS) code is 561320 and the size standard is 13.5 million dollars. This solicitation is being issued as a Request for Proposal and is a total small business set-aside. NIH is soliciting offers for temporary staffing services for the Pharmacy and Radiology Departments. These departments have a need to fill the following positions on an as needed basis; 1. Pharmacist 2. Pharmacy Technician (certified) 3. Radiology Technologist i) CT - Computer Tomography ii) General Diagnostic iii) IR - Interventional Radiology iv) MRI - Magnetic Resonance Imaging v) US - Ultrasound vi) Multi- Modality Radiology Technologist The detailed Statement of Work which list specific requirements for each position can be found in Attachment No. 1 to this synopsis. The requirements stated in the Statement of Work and your response to them will be a critical part of the evaluation process. The base period of performance is for a period of twelve (12) months to be determined at time of award, with four (4) twelve (12) month option periods; to be determined at time of award. Please refer to the following attachments in preparing your proposal responding to this solicitation. Attachment No. 1: Statement of Work Attachment No. 2: Section B - Description of Supplies/Services and Prices/Costs: This Attachment must be completed with your pricing and submitted along with your technical/business proposals. Attachment No. 3: Proposal Preparation Instructions (see information regarding page limitations) Attachment No. 4: Past Performance Questionnaire Attachment No. 5: Technical Evaluation Criteria Attachment No. 6: Invoice Instructions Attachment No. 7: Proposal Packaging and Delivery Requirements Attachment No. 8: SF 1449 (should be signed and submitted with technical/business proposals) Attachment No. 9: FAR 52.212-3-Representations and Certifications (must be completed and submitted with your business proposal) Attachment No 10: Sample Task Order Number 1 - This Attachment must be completed with your pricing and submitted along with your business proposals. The following Provisions and Clauses apply: FAR 52.212-1 Instruction to Offerors/Commercial Items (see Attachment No. 3 for additional proposal preparation instructions) (June 2008), FAR 52.212-2 Evaluation - Commercial Items (Evaluation criteria set forth in Attachment 5) (Jan 1999), FAR 52.212-4 Contract Terms and Conditions Commercial Items (Aug 2009), FAR 52.223-6 Drug Free Workplace (May 2001), FAR Clause 52.227-14 RIGHTS IN DATA - General (Dec 2007), The following FAR clauses cited in paragraph (b) of the clause at FAR 52.212-5 are also applicable to this acquisition: 52.212-5 -- Contract Terms and Conditions Required to Implement Statutes or Executive Orders -- Commercial Items. As prescribed in 12.301(b) (4), insert the following clause: Contract Terms and Conditions Required to Implement Statutes or Executive Orders - Commercial Items (Feb 2010) (a) The Contractor shall comply with the following Federal Acquisition Regulation (FAR) clauses, which are incorporated in this contract by reference, to implement provisions of law or Executive orders applicable to acquisitions of commercial items: (1) 52.222-50, Combating Trafficking in Persons (FEB 2009) (22 U.S.C. 7104(g)). ____ Alternate I (AUG 2007) of 52.222-50 (22 U.S.C. 7104(g)). (2) 52.233-3, Protest After Award (AUG 1996) (31 U.S.C. 3553). (3) 52.233-4, Applicable Law for Breach of Contract Claim (OCT 2004) (Pub. L. 108-77, 108-78). (b) The Contractor shall comply with the FAR clauses in this paragraph (b) that the contracting officer has indicated as being incorporated in this contract by reference to implement provisions of law or Executive orders applicable to acquisitions of commercial items: ___ (1) 52.203-6, Restrictions on Subcontractor Sales to the Government (Sept 2006), with Alternate I (Oct 1995) (41 U.S.C. 253g and 10 U.S.C. 2402). X (2) 52.203-13, Contractor Code of Business Ethics and Conduct (Dec 2008) (Pub. L. 110-252, Title VI, Chapter 1 (41 U.S.C. 251 note)). ___ (3) 52.203-15, Whistleblower Protections under the American Recovery and Reinvestment Act of 2009 (Mar 2009) (Section 1553 of Pub L. 111-5) (Applies to contracts funded by the American Recovery and Reinvestment Act of 2009). ___ (4) 52.204-11, American Recovery and Reinvestment Act-Reporting Requirements (Mar 2009) (Pub. L. 111-5). ___ (5) 52.219-3, Notice of Total HUBZone Set-Aside (Jan 1999) (15 U.S.C. 657a). ___ (6) 52.219-4, Notice of Price Evaluation Preference for HUBZone Small Business Concerns (Jul 2005) (if the offeror elects to waive the preference, it shall so indicate in its offer) (15 U.S.C. 657a). ___ (7) [Reserved] X (8) (i) 52.219-6, Notice of Total Small Business Aside (June 2003) (15 U.S.C. 644). ___ (ii) Alternate I (Oct 1995) of 52.219-6. ___ (iii) Alternate II (Mar 2004) of 52.219-6. ___ (9) (i) 52.219-7, Notice of Partial Small Business Set-Aside (June 2003) (15 U.S.C. 644). ___ (ii) Alternate I (Oct 1995) of 52.219-7. ___ (iii) Alternate II (Mar 2004) of 52.219-7. ___ (10) 52.219-8, Utilization of Small Business Concerns (May 2004) (15 U.S.C. 637(d) (2) and (3)). ___ (11) (i) 52.219-9, Small Business Subcontracting Plan (Apr 2008) (15 U.S.C. 637 (d) (4).) ___ (ii) Alternate I (Oct 2001) of 52.219-9. ___ (iii) Alternate II (Oct 2001) of 52.219-9. ___ (12) 52.219-14, Limitations on Subcontracting (Dec 1996) (15 U.S.C. 637(a) (14)). ___ (13) 52.219-16, Liquidated Damages-Subcontracting Plan (Jan 1999) (15 U.S.C. 637(d) (4) (F) (i)). ___ (14) (i) 52.219-23, Notice of Price Evaluation Adjustment for Small Disadvantaged Business Concerns (Oct 2008) (10 U.S.C. 2323) (if the offeror elects to waive the adjustment, it shall so indicate in its offer). ___ (ii) Alternate I (June 2003) of 52.219-23. ___ (15) 52.219-25, Small Disadvantaged Business Participation Program-Disadvantaged Status and Reporting (Apr 2008) (Pub. L. 103-355, section 7102, and 10 U.S.C. 2323). ___ (16) 52.219-26, Small Disadvantaged Business Participation Program-Incentive Subcontracting (Oct 2000) (Pub. L. 103-355, section 7102, and 10 U.S.C. 2323). ___ (17) 52.219-27, Notice of Total Service-Disabled Veteran-Owned Small Business Set-Aside (May 2004) (15 U.S.C. 657 f). X (18) 52.219-28, Post Award Small Business Program Re-representation (Apr 2009) (15 U.S.C. 632(a) (2)). X (19) 52.222-3, Convict Labor (June 2003) (E.O. 11755). X (20) 52.222-19, Child Labor-Cooperation with Authorities and Remedies (Aug 2009) (E.O. 13126). X (21) 52.222-21, Prohibition of Segregated Facilities (Feb 1999). X (22) 52.222-26, Equal Opportunity (Mar 2007) (E.O. 11246). X (23) 52.222-35, Equal Opportunity for Special Disabled Veterans, Veterans of the Vietnam Era, and Other Eligible Veterans (Sep 2006) (38 U.S.C. 4212). X (24) 52.222-36, Affirmative Action for Workers with Disabilities (Jun 1998) (29 U.S.C. 793). ___ (25) 52.222-37, Employment Reports on Special Disabled Veterans, Veterans of the Vietnam Era, and Other Eligible Veterans (Sep 2006) (38 U.S.C. 4212). ___ (26) 52.222-54, Employment Eligibility Verification (Jan 2009). (Executive Order 12989). (Not applicable to the acquisition of commercially available off-the-shelf items or certain other types of commercial items as prescribed in 22.1803.) ___ (27) (i) 52.223-9, Estimate of Percentage of Recovered Material Content for EPA-Designated Items (May 2008) (42 U.S.C. 6962(c) (3) (A) (ii)). (Not applicable to the acquisition of commercially available off-the-shelf items.) ___ (ii) Alternate I (May 2008) of 52.223-9 (42 U.S.C. 6962(i) (2) (C)). (Not applicable to the acquisition of commercially available off-the-shelf items.) ___ (28) 52.223-15, Energy Efficiency in Energy-Consuming Products (Dec 2007) (42 U.S.C. 8259b). ___ (29) (i) 52.223-16, IEEE 1680 Standard for the Environmental Assessment of Personal Computer Products (Dec 2007) (E.O. 13423). ___ (ii) Alternate I (Dec 2007) of 52.223-16. X (30) 52.225-1, Buy American Act--Supplies (Feb 2009) (41 U.S.C. 10a-10d). ___ (31) (i) 52.225-3, Buy American Act -Free Trade Agreements - Israeli Trade Act (Jun 2009) (41 U.S.C. 10a-10d, 19 U.S.C. 3301 note, 19 U.S.C. 2112 note, 19 U.S.C. 3805 note, Pub. L. 108-77, 108-78, 108-286, 108-301, 109-53, 109-169, 109-283, and 110-138). ___ (ii) Alternate I (Jan 2004) of 52.225-3. ___ (iii) Alternate II (Jan 2004) of 52.225-3. ___ (32) 52.225-5, Trade Agreements (Aug 2009) (19 U.S.C. 2501, et seq., 19 U.S.C. 3301 note). ___ (33) 52.225-13, Restrictions on Certain Foreign Purchases (Jun 2008) (E.O.'s, proclamations, and statutes administered by the Office of Foreign Assets Control of the Department of the Treasury). ___ (34) 52.226-4, Notice of Disaster or Emergency Area Set-Aside (Nov 2007) (42 U.S.C. 5150). ___ (35) 52.226-5, Restrictions on Subcontracting Outside Disaster or Emergency Area (Nov 2007) (42 U.S.C. 5150). ___ (36) 52.232-29, Terms for Financing of Purchases of Commercial Items (Feb 2002) (41 U.S.C. 255(f), 10 U.S.C. 2307(f)). ___ (37) 52.232.30, Installment Payments for Commercial Items (Oct 1995) (41 U.S.C. 255(f), 10 U.S.C. 2307(f)). X (38) 52.232-33, Payment by Electronic Funds Transfer-Central Contractor Registration (Oct. 2003) (31 U.S.C. 3332). ___ (39) 52.232-34, Payment by Electronic Funds Transfer-Other Than Central Contractor Registration (May 1999) (31 U.S.C. 3332). ___ (40) 52.232-36, Payment by Third Party (Feb 2010) (31 U.S.C. 3332). ___ (41) 52.239-1, Privacy or Security Safeguards (Aug 1996) (5 U.S.C. 552a). ___ (42) (i) 52.247-64, Preference for Privately Owned U.S.-Flag Commercial Vessels (Feb 2006) (46 U.S.C. Appx 1241(b) and 10 U.S.C. 2631). ___ (ii) Alternate I (Apr 2003) of 52.247-64. (c) The Contractor shall comply with the FAR clauses in this paragraph (c), applicable to commercial services, that the Contracting Officer has indicated as being incorporated in this contract by reference to implement provisions of law or executive orders applicable to acquisitions of commercial items: ___ (1) 52.222-41, Service Contract Act of 1965 (Nov 2007) (41 U.S.C. 351, et seq.). ___ (2) 52.222-42, Statement of Equivalent Rates for Federal Hires (May 1989) (29 U.S.C. 206 and 41 U.S.C. 351, et seq.). ___ (3) 52.222-43, Fair Labor Standards Act and Service Contract Act -- Price Adjustment (Multiple Year and Option Contracts) (Sep 2009) (29 U.S.C.206 and 41 U.S.C. 351, et seq.). ___ (4) 52.222-44, Fair Labor Standards Act and Service Contract Act -- Price Adjustment (Sep 2009) (29 U.S.C. 206 and 41 U.S.C. 351, et seq.). X (5) 52.222-51, Exemption from Application of the Service Contract Act to Contracts for Maintenance, Calibration, or Repair of Certain Equipment--Requirements (Nov 2007) (41 U.S.C. 351, et seq.). ___ (6) 52.222-53, Exemption from Application of the Service Contract Act to Contracts for Certain Services--Requirements (Feb 2009) (41 U.S.C. 351, et seq.). ___ (7) 52.226-6, Promoting Excess Food Donation to Nonprofit Organizations. (Mar 2009) (Pub. L. 110-247). ___ (8) 52.237-11, Accepting and Dispensing of $1 Coin (Sep 2008) (31 U.S.C. 5112(p)(1)). (d) Comptroller General Examination of Record The Contractor shall comply with the provisions of this paragraph (d) if this contract was awarded using other than sealed bid, is in excess of the simplified acquisition threshold, and does not contain the clause at 52.215-2, Audit and Records -- Negotiation. (1) The Comptroller General of the United States, or an authorized representative of the Comptroller General, shall have access to and right to examine any of the Contractor's directly pertinent records involving transactions related to this contract. (2) The Contractor shall make available at its offices at all reasonable times the records, materials, and other evidence for examination, audit, or reproduction, until 3 years after final payment under this contract or for any shorter period specified in FAR Subpart 4.7, Contractor Records Retention, of the other clauses of this contract. If this contract is completely or partially terminated, the records relating to the work terminated shall be made available for 3 years after any resulting final termination settlement. Records relating to appeals under the disputes clause or to litigation or the settlement of claims arising under or relating to this contract shall be made available until such appeals, litigation, or claims are finally resolved. (3) As used in this clause, records include books, documents, accounting procedures and practices, and other data, regardless of type and regardless of form. This does not require the Contractor to create or maintain any record that the Contractor does not maintain in the ordinary course of business or pursuant to a provision of law. (1) Notwithstanding the requirements of the clauses in paragraphs (a), (b), (c) and (d) of this clause, the Contractor is not required to flow down any FAR clause, other than those in this paragraph (e)(1) in a subcontract for commercial items. Unless otherwise indicated below, the extent of the flow down shall be as required by the clause- (i) 52.203-13, Contractor Code of Business Ethics and Conduct (Dec 2008) (Pub. L. 110-252, Title VI, Chapter 1 (41 U.S.C. 251 note)). (ii) 52.219-8, Utilization of Small Business Concerns (May 2004) (15 U.S.C. 637(d)(2) and (3)), in all subcontracts that offer further subcontracting opportunities. If the subcontract (except subcontracts to small business concerns) exceeds $550,000 ($1,000,000 for construction of any public facility), the subcontractor must include 52.219-8 in lower tier subcontracts that offer subcontracting opportunities. (iii) [Reserved] (iv) 52.222-26, Equal Opportunity (Mar 2007) (E.O. 11246). (v) 52.222-35, Equal Opportunity for Special Disabled Veterans, Veterans of the Vietnam Era, and Other Eligible Veterans (Sep 2006) (38 U.S.C. 4212). (vi) 52.222-36, Affirmative Action for Workers with Disabilities (June 1998) (29 U.S.C. 793). (vii) [Reserved] (viii) 52.222-41, Service Contract Act of 1965, (Nov 2007), (41 U.S.C. 351, et seq.) (ix) 52.222-50, Combating Trafficking in Persons (Feb 2009) (22 U.S.C. 7104(g)). ___ Alternate I (Aug 2007) of 52.222-50 (22 U.S.C. 7104(g)). (x) 52.222-51, Exemption from Application of the Service Contract Act to Contracts for Maintenance, Calibration, or Repair of Certain Equipment--Requirements (Nov 2007) (41 U.S.C. 351, et seq.) (xi) 52.222-53, Exemption from Application of the Service Contract Act to Contracts for Certain Services--Requirements (Feb 2009) (41 U.S.C. 351, et seq.) (xii) 52.222-54, Employment Eligibility Verification (Jan 2009). (xiii) 52.226-6, Promoting Excess Food Donation to Nonprofit Organizations. (Mar 2009) (Pub. L. 110-247). Flow down required in accordance with paragraph (e) of FAR clause 52.226-6. (xiv) 52.247-64, Preference for Privately-Owned U.S. Flag Commercial Vessels (Feb 2006) (46 U.S.C. Appx 1241(b) and 10 U.S.C. 2631). Flow down required in accordance with paragraph (d) of FAR clause 52.247-64. (2) While not required, the contractor may include in its subcontracts for commercial items a minimal number of additional clauses necessary to satisfy its contractual obligations. (End of Clause) FAR 52.216-18 Ordering (Oct 1995) (a) Any supplies and services to be furnished under this contract shall be ordered by issuance of delivery orders or task orders by the individuals or activities designated in the Schedule. (b) All delivery orders or task orders are subject to the terms and conditions of this contract. In the event of conflict between a delivery order or task order and this contract, the contract shall control. (c) If mailed, a delivery order or task order is considered "issued" when the Government deposits the order in the mail. Orders may be issued orally, by facsimile, or by electronic commerce methods only if authorized in the Schedule. FAR 52.216-19 Order Limitations (Oct 1995) (a) Minimum Order. When the government requires supplies or services covered by this contract in an amount of less than $100, the Government is not obligated to purchase, nor is the Contractor obligated to furnish those supplies or services under the contract. (b) Maximum order. The Contractor is not obligated to honor; (1) Any order for a single item in excess of the yearly estimated contract ceiling; (2) Ant order for a combination of items in excess of the yearly contract ceiling; or (3) A series of orders from the same ordering office within N/A days that together call for quantities exceeding the limitation in paragraph (b)(1) or (2) of this section. (c) If this is a requirements contract (i.e., includes the Requirements clause at subsection 52.216-21 of the Federal Acquisition Regulation (FAR), the Government is not required to order a part of any one requirement from the Contractor if the requirement exceeds the maximum-order limitations in paragraph (b) of this section. (d) Notwithstanding paragraphs 9B0 and © of this section, the Contractor shall honor any order exceeding the maximum order limitations in paragraph (b), unless that order (or orders) is returned to the ordering department within 2 days of issuance, with written notice stating the Contractor's intent not to ship the item ( or items) called for and the reasons. Upon receiving this notice, the Government may require the supplies or services from another source. FAR 52.216-21 Requirements (Oct 1995) (a) This is a requirements contract for the supplies or services specified, and effective for the period stated, in the Schedule. The quantities of supplies or services specified in the Schedule are estimates only and are not purchased by this contract. Except as this contract may otherwise provide, if the Government's requirements do not result in orders in the quantities described as "estimates" or "maximum" in the Schedule, that fact shall not constitute the basis for an equitable price adjustment. (b) Delivery or performance shall be made only as authorized by orders issued in accordance with the Ordering clause. Subject to any limitations in the Order Limitations clause or elsewhere in this contract, the Contractor shall furnish to the Government all supplies or services specified in the Schedule and called for by orders issued in accordance with the Ordering clause. The Government may issue orders requiring delivery to multiple destinations or performance at multiple locations. (c) Except as this contract otherwise provides, the Government shall order from the Contractor all the supplies or services specified in the Schedule that are required to be purchased by the Government activity or activities specified in the Schedule. (d) The Government is not required to purchase from the Contractor requirements in excess of any limit on total orders under this contract. (e) If the Government urgently requires delivery of any quantity of an item before the earliest date that the delivery may be specified under this contract, and if the Contractor will not accept the order providing for the accelerated delivery, the Government may acquire the urgently required goods or services from another source. (f) Any order issued during the effective period of this contract and not completed within that period shall be completed by the Contractor within the time specified in the order. The contract shall govern the Contractor's and Government's rights and obligations with respect to that order to the same extent as if the order were being completed during the contract's effective period; provided that the Contractor shall not be required to make any deliveries under this contract after the contract expiration date. FAR 52.217-8 Option to Extend Services (Nov 1999) The Government may require continued performance of any services within the limits and at the rates specified in the contract. These rates may be adjusted only as a result of revisions to prevailing labor rates provided by the Secretary of Labor. The options provision may be exercised more than once, but the total extension of performance hereunder shall not exceed 6 months. The contracting officer may exercise the option by written notice to the Contractor within 30 days prior to the expiration of the contract. (End of Clause) FAR 52.217-9 Option to Extend the term of the Contract (Mar 2000) a) The Government may extend the term of this contract by written notice to the Contractor within the contract period of performance; provided that the Government gives the Contractor a preliminary written notice of its intent to extend at least 30 days before the contract expires. The preliminary notice does not commit the Government to an extension. b) If the Government exercises this option, the extended contract shall be considered to include this option clause. c) The total duration of this contract, including the exercise of any options under this clause, shall not exceed 5 years (60 months) (End of Clause) FAR 52.232-19 Availability of Funds for the Next Fiscal Year (Apr 1994) Funds are not presently available for performance under this contract beyond the September 30, 2010. The Government's obligation for performance of this contract beyond that date is contingent upon the availability of appropriated funds from which payment for contract purposes can be made. No legal liability on the part of the Government for any payment may arise for performance under this contract beyond September 30, 2010, until funds are made available to the Contracting officer for performance and until the Contractor receives notice of availability, to the confirmed in writing by the Contracting Officer. (End of Clause) FAR 52.245-1 Government Property(June 2007) If this RFP will result in the acquisition or use of Government Property provided by the contracting agency or if the Contracting Officer authorizes in the pre-award negotiation process, the acquisition of property (other than real property), this ARTICLE will include applicable provisions and incorporate the HHS publication entitled "Contractor's Guide for Control of Government Property," which can be found at:http://knownet.hhs.gov/log/AgencyPolicy/HHSLogPolicy/contractorsguide.htm. PRIVACY ACT FAR 52.224-1 Privacy Act Notification (Apr 1984) The Contractor will be required to design, develop, or operate a system of records on individuals, to accomplish an agency function subject to the Privacy Act of 1974, Public Law 93-579, December 31, 1974 (5 U.S.C. 552a) and applicable agency regulations. Violation of the Act may involve the imposition of criminal penalties. FAR 52.224-2 Privacy Act (April 1984) (a) The Contractor agrees to- (1) Comply with the Privacy Act of 1974 (the Act) and the agency rules and regulations issued under the Act in the design, development, or operation of any system of records on individuals to accomplish an agency function when the contract specifically identifies- (i) The systems of records; and (ii) The design, development, or operation work that the contractor is to perform; (2) Include the Privacy Act notification contained in this contract in every solicitation and resulting subcontract and in every subcontract awarded without a solicitation, when the work statement in the proposed subcontract requires the redesign, development, or operation of a system of records on individuals that is subject to the Act; and (3) Include this clause, including this paragraph (3), in all subcontracts awarded under this contract which requires the design, development, or operation of such a system of records. (b) In the event of violations of the Act, a civil action may be brought against the agency involved when the violation concerns the design, development, or operation of a system of records on individuals to accomplish an agency function, and criminal penalties may be imposed upon the officers or employees of the agency when the violation concerns the operation of a system of records on individuals to accomplish an agency function. For purposes of the Act, when the contract is for the operation of a system of records on individuals to accomplish an agency function, the Contractor is considered to be an employee of the agency. (c)(1) "Operation of a system of records," as used in this clause, means performance of any of the activities associated with maintaining the system of records, including the collection, use, and dissemination of records. (2) "Record," as used in this clause, means any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and that contains the person's name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a fingerprint or voiceprint or a photograph. (3) "System of records on individuals," as used in this clause, means a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual. FAR 52.204-9 (SEPT 2007) Personal Identity Verification of Contractor Personnel (a) The Contractor shall comply with agency personal identity verification procedures identified in the contract that implement Homeland Security Presidential Directive-12 (HSPD-12), Office of Management and Budget (OMB) guidance M-05-24 and Federal Information Processing Standards Publication (FIPS PUB) Number 201. (b) The Contractor shall insert this clause in all subcontracts when the subcontractor is required to have routine physical access to a Federally-controlled facility and/or routine access to a Federally- controlled information system. FAR 52.222-54 (JAN 2009) EMPLOYMENT ELIGIBILITY VERIFICATION (a) Definitions. As used in this clause- "Commercially available off-the-shelf (COTS) item"- (1) Means any item of supply that is- (i) A commercial item (as defined in paragraph (1) of the definition at 2.101); (ii) Sold in substantial quantities in the commercial marketplace; and (iii) Offered to the Government, without modification, in the same form in which it is sold in the commercial marketplace; and (2) Does not include bulk cargo, as defined in section 3 of the Shipping Act of 1984 (46 U.S.C. App. 1702), such as agricultural products and petroleum products. Per 46 CFR 525.1 (c)(2), "bulk cargo" means cargo that is loaded and carried in bulk onboard ship without mark or count, in a loose unpackaged form, having homogenous characteristics. Bulk cargo loaded into intermodal equipment, except LASH or Seabee barges, is subject to mark and count and, therefore, ceases to be bulk cargo. "Employee assigned to the contract" means an employee who was hired after November 6, 1986, who is directly performing work, in the United States, under a contract that is required to include the clause prescribed at 22.1803. An employee is not considered to be directly performing work under a contract if the employee- (1) Normally performs support work, such as indirect or overhead functions; and (2) Does not perform any substantial duties applicable to the contract. "Subcontract" means any contract, as defined in 2.101, entered into by a subcontractor to furnish supplies or services for performance of a prime contract or a subcontract. It includes but is not limited to purchase orders, and changes and modifications to purchase orders. "Subcontractor" means any supplier, distributor, vendor, or firm that furnishes supplies or services to or for a prime Contractor or another subcontractor. "United States", as defined in 8 U.S.C. 1101(a)(38), means the 50 States, the District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands. (b) Enrollment and verification requirements. (1) If the Contractor is not enrolled as a Federal Contractor in E-Verify at time of contract award, the Contractor shall- (i) Enroll. Enroll as a Federal Contractor in the E-Verify program within 30 calendar days of contract award; (ii) Verify all new employees. Within 90 calendar days of enrollment in the E-Verify program, begin to use E-Verify to initiate verification of employment eligibility of all new hires of the Contractor, who are working in the United States, whether or not assigned to the contract, within 3 business days after the date of hire (but see paragraph (b)(3) of this section); and (iii) Verify employees assigned to the contract. For each employee assigned to the contract, initiate verification within 90 calendar days after date of enrollment or within 30 calendar days of the employee's assignment to the contract, whichever date is later (but see paragraph (b)(4) of this section). (2) If the Contractor is enrolled as a Federal Contractor in E-Verify at time of contract award, the Contractor shall use E-Verify to initiate verification of employment eligibility of- (i) All new employees. (A) Enrolled 90 calendar days or more. The Contractor shall initiate verification of all new hires of the Contractor, who are working in the United States, whether or not assigned to the contract, within 3 business days after the date of hire (but see paragraph (b)(3) of this section); or (B) Enrolled less than 90 calendar days. Within 90 calendar days after enrollment as a Federal Contractor in E-Verify, the Contractor shall initiate verification of all new hires of the Contractor, who are working in the United States, whether or not assigned to the contract, within 3 business days after the date of hire (but see paragraph (b)(3) of this section); or (ii) Employees assigned to the contract. For each employee assigned to the contract, the Contractor shall initiate verification within 90 calendar days after date of contract award or within 30 days after assignment to the contract, whichever date is later (but see paragraph (b)(4) of this section). (3) If the Contractor is an institution of higher education (as defined at 20 U.S.C. 1001(a)); a State or local government or the government of a Federally recognized Indian tribe; or a surety performing under a takeover agreement entered into with a Federal agency pursuant to a performance bond, the Contractor may choose to verify only employees assigned to the contract, whether existing employees or new hires. The Contractor shall follow the applicable verification requirements at (b)(1) or (b)(2) respectively, except that any requirement for verification of new employees applies only to new employees assigned to the contract. (4) Option to verify employment eligibility of all employees. The Contractor may elect to verify all existing employees hired after November 6, 1986, rather than just those employees assigned to the contract. The Contractor shall initiate verification for each existing employee working in the United States who was hired after November 6, 1986, within 180 calendar days of- (i) Enrollment in the E-Verify program; or (ii) Notification to E-Verify Operations of the Contractor's decision to exercise this option, using the contact information provided in the E-Verify program Memorandum of Understanding (MOU). (5) The Contractor shall comply, for the period of performance of this contract, with the requirements of the E-Verify program MOU. (i) The Department of Homeland Security (DHS) or the Social Security Administration (SSA) may terminate the Contractor's MOU and deny access to the E-Verify system in accordance with the terms of the MOU. In such case, the Contractor will be referred to a suspension or debarment official. (ii) During the period between termination of the MOU and a decision by the suspension or debarment official whether to suspend or debar, the Contractor is excused from its obligations under paragraph (b) of this clause. If the suspension or debarment official determines not to suspend or debar the Contractor, then the Contractor must reenroll in E-Verify. (c) Web site. Information on registration for and use of the E-Verify program can be obtained via the Internet at the Department of Homeland Security Web site: http://www.dhs.gov/E-Verify. (d) Individuals previously verified. The Contractor is not required by this clause to perform additional employment verification using E-Verify for any employee- (1) Whose employment eligibility was previously verified by the Contractor through the E-Verify program; (2) Who has been granted and holds an active U.S. Government security clearance for access to confidential, secret, or top secret information in accordance with the National Industrial Security Program Operating Manual; or (3) Who has undergone a completed background investigation and been issued credentials pursuant to Homeland Security Presidential Directive (HSPD)-12, Policy for a Common Identification Standard for Federal Employees and Contractors. (e) Subcontracts. The Contractor shall include the requirements of this clause, including this paragraph (e) (appropriately modified for identification of the parties), in each subcontract that- (1) Is for- (i) Commercial or noncommercial services (except for commercial services that are part of the purchase of a COTS item (or an item that would be a COTS item, but for minor modifications), performed by the COTS provider, and are normally provided for that COTS item); or (ii) Construction; (2) Has a value of more than $3,000; and (3) Includes work performed in the United States. (End of clause) FAR Clause 52.249-4 (Apr 1984) Termination for Convenience of the Government (Services)(Short Form), FAR Clause 52.217-5 Evaluation of options (July 1990), FAR Clause 52.228-5 Insurance - Work on a Government Installation (Jan 1997), FAR Clause 52.237-2 Protection of Government Buildings, equipment and Vegetation (April 1984), HHSAR 352.270.5 Key Personnel (January 2006) The key personnel specified in this contract are considered essential to the work performance. At least 30 days prior to diverting any of the specified individuals to other programs or contracts(or as soon as possible if an individual must be replaced, for example, as a result of leaving the employ of the contractor), the Contractor shall notify the Contracting Officer and shall submit comprehensive justification for the diversion or replacement request (including proposed substitutions for the key personnel) to permit evaluation by the Government of the impact on performance under this contract. The Contractor shall not divert or otherwise replace any key individuals without the written consent of the Contracting Officer. The Government may modify the contract to add or delete key personnel at the request of the contractor or the Government. Additional Key Personnel Provisions During the first ninety (90) days of performance, the Contractor shall make no substitution of key personnel unless the substitution is necessitated by illness, death or termination of the employment. The Contractor shall notify the Contracting officer within fifteen (15) calendar days after the occurrence of any of these events and shall provide the information required by paragraph b below. After the initial ninety (90) day period, the Contractor shall submit the information provided in paragraph b. to the Contracting Officer at least fifteen (15) days prior to making any permanent substitutions. b. - The Contractor shall provide a detailed explanation of the circumstances necessitating the proposed substitutions, complete resumes for the proposed substitutes, and any additional information requested by the Contracting Officer. Proposed substitutes should have comparable qualifications to those of the persons being replaced. The Contracting officer will notify the Contractor within 15 calendar days after the receipt of all required information of the decision on substitutions; the contract will be modified to reflect any approved changes of key personnel. HHSAR Clause 352.224-70 Confidentiality of Information (Jan 2006), HHSAR Clause 352.270-7 Paperwork Reduction Act (Jan 2006), HHSAR Clause 352.270-13 Tobacco-Free Facilities (Jan 2006) Contracting Officer's Technical Representative The following Contracting Officer Technical Representative (COTR) will represent the Government for the purpose of this contract: To be completed at the time of award. The COTR is responsible for: (1) monitoring the Contractor's technical progress, including the surveillance and assessment of performance and recommending to the Contracting Officer changes in requirements; (2) interpreting the statement of work and any other technical performance requirements; (3) performing technical evaluation as required; (4) performing technical inspections and acceptances required by this contract; and (5) assisting in the resolution of technical problems encountered during performance. The Contracting Officer is the only person with authority to act as agent of the Government under this contract. Only the Contracting Officer has authority to: (1) direct or negotiate any changes in the statement of work; (2) modify or extend the period of performance; (3) change the delivery schedule; (4) authorize reimbursement to the Contractor for any costs incurred during the performance of this contract; or (5) otherwise change any terms and conditions of this contract. The Government may unilaterally change its COTR designation. Post Award evaluation of Contractor Performance a) Contractor Performance Evaluations Interim and final evaluations of Contractor performance will be prepared on this contract in accordance with FAR 42.15. The final performance evaluation will be prepared at the time of completion of work. In addition to the final evaluation, interim evaluation(s) shall be submitted at the time of the annual evaluation. Interim and final evaluations will be provided to the Contractor as soon as practicable after completion of the evaluation. The Contractor will be permitted thirty days to review the document and to submit additional information or a rebutting statement. If agreement cannot be reached between the parties, the matter will be referred to an individual one level above the Contracting Officer, whose decision will be final. Copies of the evaluations Contractor responses and review comments, if any, will be retained as part of the contract file, and may be used to support future award decisions. b) Electronic Access to Contractor Performance evaluations Contractors that have internet capability may access evaluations through a secure Web site for review and comment by completing the registration form that can be obtained at the following address: hhtp://oamp.od.nih./OD/CPS/cps.asp. The registration process requires the Contractor to identify an individual that will serve as a primary point of contact and who will be authorized access to the evaluations for review and comment. In addition, the Contractor will be required to identify an alternate contact that will be responsible for notifying the cognizant contracting official in the event the primary contact is unavailable to process the evaluation within the required 30-day time frame. Reporting Matters Involving Fraud, Waste and Abuse Anyone who becomes aware of the existence or apparent fraud, waste and abuse in NIH funded programs is encouraged to report such matters to the HHS Inspector general's Office in writing or the Inspector general's hotline. The toll free number is 1-800-HHS-TIPS (1-800-447-8477). All telephone calls will be handled confidentially. The email address is Htips@os.dhhs.gov and the mailing address is: Office of the Inspector general Department of Health and Human Services TIPS HOTLINE PO Box 23489 Washington, DC 20026 Access to National Institutes of Health (NIH) Electronic Mail All Contractor staff that have access to and use of NIH electronic mail (e-mail) must identify themselves as contractors on all outgoing e-mail messages, including those that are sent in reply or are forwarded to another user. To best comply with this requirement, the Contractor staff shall set-up an e-mail signature (AutoSignature) or an electronic business card ("V Card") on each of the contractor employee's computer system and/or Personal Digital Assistant (PDA) that will automatically display "Contractor" in the signature area of all e-mails sent. NIH SECURITY (a) NIH INFORMATION SECURITY Information Security is applicable to this acquisition. The Statement of Work (SOW) requires the Contractor to perform one, or any combination, of the following on behalf of the Government: 1. Develop, have the ability to access or host and/or maintain a Federal information system(s). 2. Access or use of sensitive information or Personally Identifiable Information (PII). 3. Remotely access federal information or physically remove sensitive federal information or PII beyond agency premises or control. 4. All IT equipment procurement requests (servers, desktops, laptops, Blackberries, PDAs, data storage devices, and all information processing equipment) Pursuant to Federal and HHS Information Security Program Policies the following requirements apply to this acquisition: Federal Information Security Management Act of 2002 (FISMA), Title III, E-Government Act of 2002, Pub. L. No. 107-347 (Dec. 17, 2002); http://csrc.nist.gov/drivers/documents/FISMA-final.pdf (b) NIH PHYSICAL ACCESS SECURITY Physical Access Security is applicable to this acquisition. In accordance with OMB Memorandum M-05-24, background investigations must be completed for all contractor/subcontractor personnel who have (1) access to sensitive information, (2) access to Federal information systems, (3) regular or prolonged physical access to Federally-controlled facilities, or (4) any combination thereof. [Reference: Definition of "Federally-controlled facilities" at Federal Acquisition Regulation (FAR) Subpart 2.1, Definitions] The Statement of Work (SOW) requires the Contractor to have regular or prolonged physical access to a Federally-controlled facility, thereby requiring compliance with the following regulations/policies: Homeland Security Presidential Directive/HSPD-12, Policy for a Common Identification Standard for Federal Employees and Contractors (08-27-04): http://www.whitehouse.gov/news/releases/2004/08/print/20040827-8.html OMB Memorandum M-05-24, Implementation of Homeland Security Presidential Directive (HSPD) 12 - Policy for a Common Identification Standard for Federal Employees and Contractors (08-05-05): http://www.whitehouse.gov/omb/memoranda/fy2005/m05-24.pdf HHS Interim Policy: Contractual Implementation of Homeland Security Presidential Directive (HSPD) 12, Policy for a Common Identification Standard for Federal Employees and Contractors [Draft] HHS Office of Security and Drug Testing, Personnel Security/Suitability Handbook (02-01-05): http://www.knownet.hhs.gov/acquisition/pssh.pdf (e) POSITION SENSITIVITY DESIGNATIONS The following position sensitivity designation(s) and associated suitability determination(s) and background investigation requirements apply to this acquisition. **** (NOTE: Check all that apply. Additional Note: Levels 2, 3, and 4 are reserved for National Security positions which are generally not applicable to NIH. For additional information and assistance for completion of this item, see Table 2, Position Sensitivity Designations for Individuals Accessing Agency Information at: http://irm.cit.nih.gov/security/table2.htm )**** [ ] Level 6: Public Trust -High Risk (Requires Suitability Determination with a BI). Contractor/subcontractor employees assigned to a Level 6 position are subject to a Background Investigation (BI). [x] Level 5: Public Trust - Moderate Risk (Requires Suitability Determination with NACIC, MBI or BI). Contractor/subcontractor employees assigned to a Level 5 position with no previous investigation and approval shall undergo a National Agency Check and Inquiry Investigation plus a Credit Check (NACIC), a Minimum Background Investigation (MBI), or a Limited Background Investigation (LBI). [ ] Level 1: Non Sensitive (Requires Suitability Determination with an NACI). Contractor/subcontractor employees assigned to a Level 1 position are subject to a National Agency Check and Inquiry Investigation (NACI). The Contractor shall submit a roster by name, position, e-mail address, phone number and responsibility, of all staff (including subcontractor staff) working under this acquisition where the contractor will develop, have the ability to access, or host and/or maintain a federal information system(s). The roster shall be submitted to the Project Officer, with a copy to the Contracting Officer, within 14 calendar days of the effective date of this acquisition. Any revisions to the roster as a result of staffing changes shall be submitted within 15 calendar days of the change. The Contracting Officer will notify the Contractor of the appropriate level of suitability investigation required for each staff member. An electronic template, "Roster of Employees Requiring Suitability Investigations," is available for contractor use at: http://ais.nci.nih.gov/forms/Suitability-roster.xls Upon receipt of the Government's notification of applicable, required Suitability Investigations, the Contractor shall complete and submit the required forms within 30 days of the notification. Contractor/subcontractor employees who have met investigative requirements within the past five years may only require an updated or upgraded investigation. Contractor/subcontractor employees shall be required to comply with the HHS criteria for the assigned position sensitivity designations prior to performing any work under this acquisition. The following exceptions apply: Levels 5 and 1: Contractor/subcontractor employees may begin work under this acquisition after the contractor has submitted the name, position and responsibility of the employee to the Project Officer. Level 6: In special circumstances the Project Officer may request a waiver of the pre-appointment investigation. If the waiver is granted, the Project Officer will provide written authorization for the contractor/subcontractor employee to work under this acquisition. (f) INFORMATION SECURITY and PRIVACY TRAINING Contractors/subcontractors shall receive security and privacy training commensurate with their responsibilities for performing work under the terms and conditions of their contractual agreements. The Contractor shall ensure that each contractor/subcontractor employee has completed the NIH Computer Security Awareness Training and the NIH Privacy Awareness course at: http://irtsectraining.nih.gov/ or an equivalent training course specified by NIH prior to performing any work under this acquisition, and thereafter completing the NIH-specified fiscal year refresher course during the period of performance of this acquisition. The Contractor shall maintain a list by name and title of each Contractor/Subcontractor employee working under this acquisition who has completed the NIH required training. The list (along with any subsequent updates to the list) shall be provided to the Project Officer. Any additional security training completed by Contractor/Subcontractor staff shall be included on this list. [The list of completed training shall be included in the first technical progress report. (See Article C.2. Reporting Requirements). Any revisions to this list as a result of staffing changes shall be submitted with the next required technical progress report.] Additional security training requirements commensurate with the position may be required as defined in NIST Special Publication 800-16, Information Technology Security Training Requirements (http://csrc.nist.gov/publications/nistpubs/800-16/800-16.pdf ). This document provides information about information security training that may be useful to the Contractor. Contractor/subcontractor staff shall be required to complete the following additional training prior to performing any work under this acquisition: (g) RULES OF BEHAVIOR The Contractor/subcontractor employees shall be required to comply with and sign the NIH Information Technology General Rules of Behavior at: http://irm.cit.nih.gov/security/nihitrob.html (h) PERSONNEL SECURITY RESPONSIBILITIES The Contractor shall perform and document the following actions: Contractor Notification of New and Departing Employees Requiring Background Investigations (1) The Contractor shall notify the Contracting Officer, the Project Officer, and the Security Investigation Reviewer within five working days before a new employee assumes a position that requires a suitability determination or when an employee with a suitability determination or security clearance stops working under this acquisition. The Government will initiate a background investigation on new employees requiring suitability determination and will stop pending background investigations for employees that no longer work under this acquisition. (2) New employees: Provide the name, position title, e-mail address, and phone number of the new employee. Provide the name, position title and suitability determination level held by the former incumbent. If the employee is filling a new position, provide a description of the position and the Government will determine the appropriate suitability level. (3) Departing employees: Provide the name, position title, and suitability determination level held by or pending for the individual. Perform and document the actions identified in the Contractor Employee Separation Checklist (attached) when a Contractor/subcontractor employee terminates work under this acquisition. All documentation shall be made available to the Project Officer and/or Contracting Officer upon request. (i) COMMITMENT TO PROTECT NON-PUBLIC DEPARTMENTAL INFORMATION SYSTEMS AND DATA (1) Contractor Agreement The Contractor and its subcontractors performing under this SOW shall not release, publish, or disclose non-public Departmental information to unauthorized personnel, and shall protect such information in accordance with provisions of the following laws and any other pertinent laws and regulations governing the confidentiality of such information: _18 U.S.C. 641 (Criminal Code: Public Money, Property or Records) _18 U.S.C. 1905 (Criminal Code: Disclosure of Confidential Information) _Public Law 96-511 (Paperwork Reduction Act) (2) Contractor Employee Non-Disclosure Agreement Each Contractor/subcontractor employee who may have access to non-public Department information under this acquisition shall complete the Commitment to Protect Non-Public Information - Contractor Employee Agreement http://ocio/docs/public/Nondisclosure.pdf. A copy of each signed and witnessed Non-Disclosure agreement shall be submitted to the Project Officer prior to performing any work under this acquisition. (m) LOSS AND/OR DISCLOSURE OF PERSONALLY IDENTIFIABLE INFORMATION (PII) NOTIFICATION OF DATA BREACH The Contractor shall be responsible for reporting all incidents involving the loss and/or disclosure of PII in electronic or physical form. Notification shall be made to the NIH Incident Response Team IRT@mail.nih.gov via email within one hour of discovering the incident. The contractor shall follow-up with the IRT by completing and submitting one of the following two forms: NIH PII Spillage Report [http://irm.cit.nih.gov/security/PII_Spillage_Report.doc ] NIH Lost or Stolen Assets Report [http://irm.cit.nih.gov/security/Lost_or_Stolen.doc] The notification requirements do not distinguish between suspected and confirmed breaches. (n) DATA ENCRYPTION The following applies to all Contractor/subcontractor laptop computers containing HHS data at rest and/or HHS data in transit. All laptop computers used on behalf of the government shall be secured using a Federal Information Processing Standard (FIPS) 140-2 compliant whole-disk encryption solution. The cryptographic module used by an encryption or other cryptographic product must be tested and validated under the Cryptographic Module Validation Program to confirm compliance with the requirements of FIPS PUB 140-2 (as amended). For additional information, refer to http://csrc.nist.gov/cryptval. All mobile devices, including non-HHS laptops and portable media, that contain sensitive HHS information shall be encrypted using a FIPS 140-2 compliant product. Data at rest includes all HHS data regardless of where it is stored. A FIPS 140-2 compliant key recovery mechanism shall be used so that encrypted information can be decrypted and accessed by authorized personnel. Use of encryption keys which are not recoverable by authorized personnel is prohibited. Key recovery is required by "OMB Guidance to Federal Agencies on Data Availability and Encryption", November 26, 2001, http://csrc.nist.gov/drivers/documents/ombencryption-guidance.pdf Encryption key management shall comply with all HHS and NIH policies and shall provide adequate protection to prevent unauthorized decryption of the information. All media used to store information shall be encrypted until it is sanitized or destroyed in accordance with HHS policy and NIH procedures. (o) VULNERABILITY SCANNING REQUIREMENTS This SOW requires the Contractor/subcontractor to host an NIH webpage or database. The Contractor/subcontractor shall conduct periodic and special vulnerability scans, and install software/hardware patches and upgrades to protect automated federal information assets. The minimum requirement shall be to protect against vulnerabilities identified on the SANS Top-20 Internet Security Attack Targets list (http://www.sans.org/top20/?ref=3706#w1 ). The Contractor shall provide the results of these scans to the Government on a monthly basis. (p) USING SECURE COMPUTERS TO ACCESS FEDERAL INFORMATION The contractor shall use an FDCC compliant computer when accessing information on behalf of the federal government. The contractor shall install computer virus detection software on all computers used to access information on behalf of the federal government. Virus detection software and virus detection signatures shall be kept current (q) IMPLEMENTATION OF COMMONLY ACCEPTED SECURITY CONFIGURATIONS FOR WINDOWS OPERATING SYSTEMS OMB Memorandum M-07-18, Ensuring New Acquisitions Include Common Security Configurations http://www.whitehouse.gov/omb/assets/omb/memoranda/fy2007/m07-18.pdf (1) For all Information Technology provided under this acquisition, the Contractor shall certify that installed applications are fully functional and operate correctly as intended on systems using the Federal Desktop Core Configuration (FDCC). This includes Internet Explorer 7 configured to operate on Windows XP and Vista (in Protected Mode on Vista). For Windows XP settings, see: http://csrc.nist.gov/itsec/guidance_WinXP.html, and for Windows Vista settings, see: http://csrc.nist.gov/itsec/guidance_vista.html. (2) The standard installation, operation, maintenance, updates, and/or patching of software shall not alter the configuration settings from the approved FDCC configuration. For software operating in a Microsoft Windows environment, information technology shall also use the Windows Installer Service for installation to the default "program files" directory and shall be able to silently install and uninstall. (3) Applications designed for normal end users shall run in the standard user context without elevated system administration privileges. (r) SPECIAL INFORMATION SECURITY REQUIREMENTS FOR FOREIGN CONTRACTORS/SUBCONTRACTORS When foreign contractors/subcontractors perform work under this acquisition at non-US Federal Government facilities, provisions of HSPD-12 do NOT apply. (s) REFERENCES: INFORMATION SECURITY INCLUDING PERSONALLY IDENTIFIABLE INFORMATION (1) Federal Information Security Management Act of 2002 (FISMA), Title III, E-Government Act of 2002, Pub. L. No. 107-347 (Dec. 17, 2002); http://csrc.nist.gov/drivers/documents/FISMA-final.pdf (2) DHHS Personnel Security/Suitability Handbook: http://www.knownet.hhs.gov/acquisition/pssh.pdf (3) NIH Computer Security Awareness Training Course: http://irtsectraining.nih.gov/ (4) NIST Special Publication 800-16, Information Technology Security Training Requirements: http://csrc.nist.gov/publications/nistpubs/800-16/800-16.pdf Appendix A-D: http://csrc.nist.gov/publications/nistpubs/800-16/AppendixA-D.pdf (5) NIST SP 800-18, Guide for Developing Security Plans for Information Technology Systems: http://csrc.nist.gov/publications/nistpubs/800-18-Rev1/sp800-18-Rev1-final.pdf (6) NIST SP 800-53, Revision 1, Recommended Security Controls for Federal Information Systems: http://www.csrc.nist.gov/publications/drafts/800-53-rev1-ipd-clean.pdf (7) NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, Volume I: http://csrc.nist.gov/publications/nistpubs/800-60/SP800-60V1-final.pdf; Volume II, Appendices to Guide For Mapping Types of Information and Information Systems To Security Categories, Appendix C at: http://csrc.nist.gov/publications/nistpubs/800-60/SP800-60V2-final.pdf and Appendix D at: http://csrc.nist.gov/publications/nistpubs/800-60/SP800-60V2-final.pdf. (8) NIST SP 800-64, Security Considerations in the Information System Development Life Cycle: http://csrc.nist.gov/publications/nistpubs/800-64/NIST-SP800-64.pdf (9) FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems: http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf (10) FIPS PUB 200, Minimum Security Requirements for Federal Information and Information Systems: http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf (11) OMB Memorandum M-06-15, Safeguarding Personally Identifiable Information (05-22-06): http://www.whitehouse.gov/omb/memoranda/fy2006/m-06-15.pdf (12) OMB Memorandum M-06-16, Protection of Sensitive Agency Information (06-23-06): http://www.whitehouse.gov/OMB/memoranda/fy2006/m06-16.pdf (13) OMB Memorandum M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments (07-12-06) http://www.whitehouse.gov/omb/memoranda/fy2006/m-06-19.pdf (14) OMB Memorandum, Recommendations for Identity Theft Related Data Breach Notification (09-20-06) http://www.whitehouse.gov/omb/memoranda/fy2006/task_force_theft_memo.pdf (15) OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information (05-22-07) http://www.whitehouse.gov/omb/memoranda/fy2007/m07-16.pdf (16) OMB Memorandum M-07-18, Ensuring New Acquisitions Include Common Security Configurations (06-01-07) http://www.whitehouse.gov/omb/memoranda/fy2007/m07-18.pdf (17) Guide for Identifying Sensitive Information, including Information in Identifiable Form, at the NIH (Draft: 10-04-06) (Available from the ISSO) (18) HHS OCIO Policies http://www.hhs.gov/ocio/policy/index.html#Security (t) REFERENCES: PHYSICAL ACCESS SECURITY (1) HHS Information Security Program Policy: http://intranet.hhs.gov/infosec/docs/policies_guides/ISPP/Information_Security_Program_Policy.pdf (2) Homeland Security Presidential Directive/HSPD-12, Policy for a Common Identification Standard for Federal Employees and Contractors (08-27-04): http://www.whitehouse.gov/news/releases/2004/08/print/20040827-8.html (3) OMB Memorandum M-05-24, Implementation of Homeland Security Presidential Directive (HSPD) 12 - Policy for a Common Identification Standard for Federal Employees and Contractors (08-05-05): http://www.whitehouse.gov/omb/memoranda/fy2005/m05-24.pdf OMB Memorandum M-07-06, Validating and Monitoring Agency Issuance of Personal Identity Verification Credentials (01-11-07): http://www.whitehouse.gov/omb/memoranda/fy2007/m07-06.pdf (5) Federal Information Processing Standards Publication (FIPS PUB) 201-1 (Updated June 26, 2006): http://csrc.nist.gov/publications/fips/fips201-1/FIPS-201-1-chng1.pdf (6) HHS Interim Policy: Contractual Implementation of Homeland Security Presidential Directive (HSPD) 12, Policy for a Common Identification Standard for Federal Employees and Contractors [Draft] (7) HHS Office of Security and Drug Testing, Personnel Security/Suitability Handbook (02-01-05): http://www.knownet.hhs.gov/acquisition/pssh.pdf (8) HHSAR 307.7106, Statement of Work (SOW); HHSAR 307.7108 in new coverage as of 02-01-07: http://knownet.hhs.gov/acquisition/hhsar/Default.htm (9) Federal Acquisition Regulation (FAR) 37.602, Performance Work Statement (PWS): http://acquisition.gov/far/current/html/Subpart%2037_6.html#wp1074648 (10) FAR Subpart 4.13, Personal Identity Verification of Contractor Personnel: http://acquisition.gov/far/current/html/Subpart%204_13.html#wp1074125 (11) FAR 52.204-9, Personal Identity Verification of Contractor Personnel [clause]: http://acquisition.gov/far/current/html/52_200_206.html#wp1139617 Federal Desktop Core Configuration (FDCC) and Federal Information Processing 201 Security Requirements • The Contractor shall ensure new systems are configured with the applicable Federal Desktop Core Configuration (FDCC) (http://nvd.nist.gov/fdcc/download_fdcc.cfm)[1][1] and applicable configurations from http://checklists.nist.gov, as jointly identified by the OPDIV/STAFFDIV Contracting Officer's Technical Representative (COTR) and the CISO. • The Contractor shall ensure hardware and software installation, operation, maintenance, update, and/or patching will not alter the configuration settings specified in: (a) the FDCC (http://nvd.nist.gov/fdcc/index.cfm); and (b) other applicable configuration checklists as referenced above. • The Contractor shall ensure applications are fully functional and operate correctly on systems configured in accordance with the above configuration requirements. • The Contractor shall ensure applications designed for end users run in the standard user context without requiring elevated administrative privileges. • FIPS 201-compliant, Homeland Security Presidential Directive 12 (HSPD-12) card readers shall: (a) be included with the purchase of servers, desktops, and laptops; and (b) comply with FAR Subpart 4.13, Personal Identity Verification. In accordance with HHS-OCIO-2008-0004.001S "Standard Security Language Configuration in HHS Contracts", all NIH purchases of servers, desktops, and laptops shall include a Federal Information Processing Standard 201 (FIPS-201)-compliant smartcard reader. A list of approved FIPS-201 compliant devices may be found at http://fips201ep.cio.gov/apl.php. As standards-compliant smartcard readers may not be available from all sources, or may be more cheaply acquired and provisioned separately, IC information technology staff must review the status of emerging NIH standards for compliant peripheral devices, keyboards, card readers, etc. before making purchases. By 01/01/2011, all systems joined to the NIH network or otherwise brought into production use must be provisioned with a FIPS-201 compliant PIV card reader. • The Contractor shall ensure that all of its subcontractors (at all tiers) comply with the above requirements. Security and Privacy Clause for Personally Identifiable Information Information security and privacy, including the protection of sensitive/confidential information whether in verbal, written or electronic form, are a high priority of the National Institutes of Health (NIH). Therefore, all contractors and the subcontractors, who may have access to any personally identifiable information, are subject to the rules, regulations and procedures established by the Privacy Act of 1974 (PA) and implementing regulations, as well as the Health Insurance Portability and Accountability Act of 1996 (HIPAA). As such, all contractors and subcontractors shall only collect, maintain and use sensitive/confidential, personally identifiable information as necessary within the scope of the services to be provided to the NIH. In addition, all contractor staff shall use sensitive/confidential information only in the performance of their assigned duties as related to the delivery of those services. Information provided by the NIH may not be shared with any third-party without the express written permission of the Project and Contract Officers and may not be used for any purpose other than for the delivery of specific services to be provided to the NIH. The unauthorized disclosure of any information protected by the PA or HIPAA may be punishable by administrative sanction or by fine and purposeful disclosure may result in criminal charges. The contractor and subcontractors are required to submit a company security/confidentiality policy and related procedures, which are to include the requirement for a signed employee confidentiality agreement. Link to the NIH NDA http://irm.cit.nih.gov/docs/public/Nondisclosure.pdf Data and System Interoperability Compliance Standards Executive Order 13410 - Promoting Quality and Efficient Health Care in Federal Government Administered or Sponsored Health Care Programs http://www.whitehouse.gov/news/releases/2006/08/20060822.html requires that any system that is used in patient care or that are used in the patient care setting must comply with the CCHIT certification and that those standards are located at http://www.cchit.org. Full text copies of the representations and certifications for the other cited provisions and clauses may be obtained online at the NCI website at http://amb.nci.nih.gov or from Brian Lind Contract Specialist at LindBJ@cc.nih.gov. Offers must be submitted on a SF 1449 that is signed by an authorized representative of the offeror and include a completed Schedule of Offered Supplies/Services. ADDITIONAL PROPOSAL INSTRUCTIONS: Detailed proposal preparation instructions are delineated in Attachment No. 3 to this combined synopsis/solicitation. Please note that Offerors must also complete FAR 52.212-3, Representation and Certifications and provide a copy of the valid certifications registrations of the Offerors Central Contractor Registrations (CCR) and Online Representation and Certifications Applications (ORCA) with their technical/business proposal submission. Questions regarding this combined synopsis/solicitation must be received in this office by April 12, 2010. Offers must be received by 3:30 p.m. local time on April 15,, 2010. Facsimile submissions are not authorized and collect calls will not be accepted. Submit offers to Mr. Brian Lind at the address listed in this solicitation. Please reference the solicitation number NIHCL000054 on your offer.
- Web Link
-
FBO.gov Permalink
(https://www.fbo.gov/spg/HHS/NIH/CCOPC/NIHCL2010054i/listing.html)
- Place of Performance
- Address: National Institutes of Health, 10 Center Drive, Various locations in the facility, Bethesda, Maryland, 20892, United States
- Zip Code: 20892
- Zip Code: 20892
- Record
- SN02110773-W 20100403/100402000226-5719c4a796dd174668d1ad1c45ec960c (fbodaily.com)
- Source
-
FedBizOpps Link to This Notice
(may not be valid after Archive Date)
| FSG Index | This Issue's Index | Today's FBO Daily Index Page |