SOLICITATION NOTICE
B -- Web Programming and Database Maintenance on the Healthy Aging in Neighborhoods of Diversity across the Life Span (HANDLS) Study - Attachments
- Notice Date
- 2/18/2016
- Notice Type
- Combined Synopsis/Solicitation
- NAICS
- 541511 - Custom Computer Programming Services
- Contracting Office
- Department of Health and Human Services, National Institutes of Health, National Institute on Drug Abuse, 6001 Executive Boulevard, Room 3155, MSC 9593, Bethesda, Maryland, 20892, United States
- ZIP Code
- 20892
- Solicitation Number
- HHS-NIH-NIDA-SSSA-2016-167
- Archive Date
- 3/11/2016
- Point of Contact
- Samantha A. Kelly, Phone: 3014028855
- E-Mail Address
- samantha.kelly2@nih.gov
- Small Business Set-Aside
- Total Small Business
- Description
- Attachments: SF 1449 Copy of Solicitation; Terms and Conditions; Invoicing Instructions; Evaluation Criteria; SOW

COMPETITIVE SOLICITATION

Title: Web Programming and Database Maintenance on the Healthy Aging in Neighborhoods of Diversity across the Life Span (HANDLS) Study

INTRODUCTION:

(1) This is a solicitation for commercial items prepared in accordance with the format in FAR Part 12 as supplemented with additional information included in this notice. This announcement constitutes the only written solicitation; proposals are being requested and a separate solicitation will not be issued.

(2) The solicitation number is HHS-NIH-NIDA-SSSA-2016-167 and the solicitation is issued as a request for proposal (RFP). The Government intends to issue a firm fixed price purchase order for this requirement.

ACQUISITION AUTHORITY: This acquisition is for a commercial service and is conducted under the authority of the Federal Acquisition Regulation (FAR) Part 13 - Simplified Acquisition Procedures; FAR Subpart 13.5 - Test Program for Certain Commercial Items; and FAR Part 12 - Acquisition of Commercial Items, and is not expected to exceed the simplified acquisition threshold.

(3) The solicitation document and incorporated provisions and clauses are those in effect through Federal Acquisition Circular 2005-86-2 dated February 1, 2016.

NORTH AMERICAN INDUSTRY CLASSIFICATION SYSTEM (NAICS) CODE:

(4) The associated NAICS code is 541511 and the small business size standard is $27.5 Million.

BACKGROUND:

(5) The National Institute on Aging Intramural Research Program has embarked on a longitudinal study of the effects of race and socioeconomic status on healthy aging in a representative sample of community-dwelling residents from the Baltimore metropolitan region.
This study, Healthy Aging in Neighborhoods of Diversity across the Life Span (HANDLS), requires expertise in database management, web design, the connection between web interfaces and data, as well as the application of life-time development techniques.

DESCRIPTION OF REQUIREMENT:

(6) Project Purpose and Objectives: The Healthy Aging in Neighborhoods of Diversity across the Life Span (HANDLS) study requires a Perl-CGI programmer (Perl being a high-level, general-purpose, interpreted and dynamic programming language used here for programming Common Gateway Interface (CGI) web applications) to write dynamic web-based applications for collecting, summarizing and reporting medical, physiological and psychological data. The services provided will be writing novel applications as well as upgrading and managing existing applications that facilitate electronic collection, review, and distribution of clinical data for the HANDLS study. Additional services include design, testing, and implementation of applications to enhance the functionality of existing applications described in the scope of work section below; expertise with existing technologies should combine with knowledge of emerging state-of-the-art practices, languages, databases, and management procedures. Applications include a dynamic web user interface with logic for consistency checking, connected with existing databases and tables as required.
Web-based applications include but are not limited to a structured medical history with options for updating existing information, physical performance battery, participant contact and status information, physical examination, participant scheduling, participant and participant's primary care physician letters and results reports (packets), field tracking and tracing notes and contacts, phone contacts tracking, home visit versions of these applications, scheduling for examinations on the mobile research vehicles, and scheduling and eligibility for HANDLS scan, nutritional interview, experience with diabetes study, home visits, and other ancillary studies as they arise. Maintenance, support, and extension of all deliverables are expected.

Project Requirements: An individual web user-interface and database programmer is required and shall be responsible for providing database management services, web design, establishing the connection between web interfaces and data, as well as the application of life-time development techniques without resorting to formal business practice models. Specific techniques required are Perl/CGI and other web interface languages as required to supply specific study requirements as they arise. Consistency with existing approaches is paramount for ease and simplicity of management and maintenance. All changes in approach require approval of the Contracting Officer's Representative (COR).

1. Web Application: At present, the web application is written in HTML, Perl/CGI, Perl/CGI-, Python, and Ruby on Rails, with some existing PHP code and PDFlib that is under conversion to Perl/CGI as time permits; database servers running Linux and deploying MySQL are currently used. Additional facilities required by these applications include ImageMagick, and Perl with Template Toolkit, Moose, CGI application toolkit, and Git server deployment, management, and use.
The web application programmer shall have expertise in installing, managing, and maintaining Apache web server and MySQL server on the production server and in a development environment. HANDLS plans to study the advisability of migrating to MariaDB or PostgreSQL; the current webserver is Apache on Linux. In addition, the web user interface database programmer shall be responsible for modifying existing web applications. Expertise is required to complete the development of web-based data collection tools to support the clinical research conducted by the HANDLS study. The web programs provide the facility to collect the clinical data in the mobile research vehicles and synchronize data with servers located in the Biomedical Research Center (BRC). In addition, study management modules for scheduling participants, tracing and tracking participants, recording notes about participant contacts, preparing results packets after participants are examined, and sending various mailings to participants are required at the Biomedical Research Center.

2. Database Management: The integrated web-based system requires ongoing maintenance and enhancements, as well as tools for monitoring performance, particularly disconnections. Moreover, these applications must account for security and confidentiality of the information and data collected, clinical informatics and database design that can be supported with open-source tools, and web applications that meet current design standards and accessibility requirements, including Section 508 for accessibility by individuals with disabilities. The website also requires continued architecture of a system to replace the current authentication systems on the HANDLS servers to meet NIH standards. The existing web user interface and database follow general LAMP principles using the Linux operating system, Apache webserver, MySQL database, and Perl/CGI as the dynamic web programming language.
Modifications or adjustments to these principles require evidence of particular strengths and advantages of the different technology plus estimates of costs and benefits. Any changes in LAMP principles shall require the approval of the COR. Specifically, the database programmer shall provide database management, web design, the connection between web interfaces and data, and application life-time development techniques and shall provide, but is not limited to, the following services:

1. Re-usable application design such that programs written for the present wave of data collection can be modified easily for data collection in subsequent waves. The Contractor will support existing web applications and add functionality as required by study requirements, security considerations, or by changes and upgrades to the Linux operating system. The Contractor must have a complete view of how all the parts of the web site work together, including database synchronization and the function of the server at the field site.

2. The design of the program must accommodate several goals, including comprehensive data collection, ease of navigation, and the capacity for direct transfer to other tools for statistical analyses. A variety of statistical programming tools are used to analyze these data (e.g., SAS, Stata, SPSS, R). However, there are no specific data formats required by these tools so long as all data are stored in well-designed SQL tables with data types that are interpretable by these programs.

3. Development of web-based data collection tools to support the clinical research conducted by the HANDLS study. The web tool provides the ability to collect the clinical data in the mobile research vehicles (MRV) and subsequently to upload the data to servers located in the Biomedical Research Center (BRC). The web application has multiple facets, all of which work together. The data format for uploading, when necessary, depends on the device or instrument that produces the data.
The format is determined by the device manufacturer. Often the format is CSV, but not always. As equipment is upgraded or revised, data requirements may change, necessitating revisions to the upload procedures. The MRVs have a separate database and webserver so they can function independently and completely when there is a lapse in internet service. Therefore, special consideration is made in programming the website to ensure that it works independently at both sites. In addition, the databases maintain a synchronization feature to ensure (a) a backup of information is maintained throughout the day and (b) no confusion is introduced between the field site (MRVs) and headquarters. Thus data entered at either site is replicated to the other site. This process requires careful monitoring and careful consideration during programming so as not to disrupt either site. Devices used on the MRVs are laptops and iPads to access the MRV website.

4. The integrated web-based system requires ongoing maintenance and enhancements, as well as tools for monitoring performance, particularly disconnections. Familiarity with clinical-type data is required to perform this task.

5. These applications must account for security and confidentiality of the information and data collected, clinical informatics and database design that can be supported with open-source tools, and web applications that meet current design standards and accessibility requirements, including Section 508 for accessibility by individuals with disabilities. HANDLS data and webserver are built on Linux, Apache, MySQL and PHP (LAMP) principles, with the Linux operating system using Apache webserver and MySQL database with Perl/CGI as the primary language for dynamic web pages.
NIH deploys other open source facilities by drawing from the Comprehensive Perl Archive Network (CPAN); by deploying Python and Ruby on Rails where those languages provide uniquely advantageous features; and by deploying various tools such as jQuery to standardize the AJAX environment. NIH's underlying policy is to avoid proprietary tools and languages in favor of tools and languages for which there is a broad community of public users.

6. The website requires continued architecture of a system to replace the current authentication systems on the HANDLS servers to meet NIH standards.

NOTE: Proprietary software development is NOT accepted. HANDLS will own all of the products produced by the Contractor and thus open-source software is required.

Other Important Considerations:

Level of Effort: A Perl-CGI Web Programmer is required for a total of 500 hours and must have a Bachelor's degree or equivalent in engineering, science, or any liberal arts.

Deliverables:

1. Description of Tasks and Associated Deliverables: Timely submission of deliverables is essential to successfully completing this requirement. Tasks performed under this contract and their schedules are determined by the COR based on study requirements.

2. Reporting Requirements: The Contractor shall provide in-progress demonstrations of work performed, beta versions for testing, and all programming code and program libraries required to operationalize requirements specified by the COR. The Contractor shall enumerate the program files and processes on which work was performed, strategies for changing the code, implementing it, and training staff in its use. Weekly meetings are required in person at NIH to discuss coordinating work on the web site; to display progress on work; to ensure consistency in approaches, particularly for the user interface; to ensure identical versions of open-source software are used; and to work through policies and procedures for maintaining the web service and databases.
Occasional demonstrations of work in progress are required as interim reports to ensure that work is proceeding in the correct direction.

Key Personnel:

1. The proposed key personnel will become subject to the provisions of Health and Human Services Acquisition Regulation (HHSAR) Clause HHSAR 352.242-70 KEY PERSONNEL (January 2006).

a. The key personnel specified in this contract are considered to be essential to work performance. At least 30 days prior to diverting any of the specified individuals to other programs or contracts (or as soon as possible, if an individual must be replaced, for example, as a result of leaving the employ of the Contractor), the Contractor shall notify the Contracting Officer and shall submit comprehensive justification for the diversion or replacement request (including proposed substitutions for key personnel) to permit evaluation by the Government of the impact on performance under this contract. The Contractor shall not divert or otherwise replace any key personnel without the written consent of the Contracting Officer. The Government may modify the contract to add or delete key personnel at the request of the Contractor or Government. (End of Clause)

b. The following positions are considered "Key Personnel" in support of this contract initiative:

Name: To be determined at the time of award
Title: Perl-CGI Web Developer, designer and database programmer

1. Minimum Bachelor's degree or equivalent in engineering, science, or any liberal arts.

2. Minimum ten years' experience in programming and at least five years' experience in web programming and managing data from clinical field studies using open-source languages in conjunction with Perl/CGI, Perl/Templates, MySQL database management and synchronization. Experience with clinical data is crucial because the HANDLS clinical management system is a real-time data entry and medical record database.
Changes to one part of the system may have far-reaching consequences in other parts of the system and on the accuracy of the data.

ANTICIPATED PERIOD OF PERFORMANCE:

(7) The anticipated period of performance is:

Base Year: March 1, 2016 to February 28, 2017
Optional Renewal Years:
Option Year 1: March 1, 2017 to February 28, 2018
Option Year 2: March 1, 2018 to February 28, 2019
Option Year 3: March 1, 2019 to February 28, 2020
Option Year 4: March 1, 2020 to February 28, 2021

The anticipated place of performance is a combination of the Contractor's site as well as weekly in-person meetings at the following location:

NIH Biomedical Research Center (BRC)
251 Bayview Blvd
Baltimore, MD, 21224

TECHNICAL APPROACH/PLAN:

(8) Instructions: The Contractor must submit a technical plan and price quote for this requirement to the Contract Specialist / Contracting Officer cited herein. The total number of pages (combination of technical plan and price quote) is not expected to exceed 25 pages in length, excluding resumes. The Contractor shall submit its quote electronically in a "read only" format. A detailed work plan must be submitted indicating how each aspect of the statement of work is to be accomplished. Your technical approach should be in as much detail as you consider necessary to fully explain your proposed technical approach or method. The technical plan should reflect a clear understanding of the nature of the work being undertaken. The technical plan must include information on how the project is to be organized, staffed, and managed. Information should be provided which will demonstrate your understanding and management of important events or tasks. Plans which merely state that the tasks will be conducted in accordance with the requirements of the Government's scope of work will not be eligible for further consideration.
The Contractor must submit an explanation of the proposed technical approach in conjunction with the tasks to be performed in achieving the project objectives. The technical plan shall include:

- Resumes of all professional individuals proposed for the contract. Resumes should be no longer than 2 pages in length.
- Project Management Summary
- Technical Approach describing how the work will be performed
- An outline of quality control procedures
- Milestones and time lines for the project, indicating the estimated period of performance for each task
- Facilities and/or resources used

The suggested outline for the technical plan is as follows:

a. Work Scope

b. Objectives. State the overall objectives and the specific accomplishments you hope to achieve. Indicate the rationale for your plan, and its relationship to comparable work in progress elsewhere. Review pertinent work already published which is relevant to this project and your proposed approach. This should support the scope of the project as you perceive it.

c. Approach. Discuss the possible or probable outcome of the approaches proposed.

d. Methods. Describe in detail the methodologies you will use for the project, indicating your level of experience with each, areas of anticipated difficulties, and any unusual expenses you anticipate.

e. Schedule. Provide a schedule for completion of the work and delivery of items specified in the statement of work. Performance or delivery schedules shall be indicated for phases or segments, as applicable, as well as for the overall program. Schedules shall be shown in terms of calendar months from the date of authorization to proceed or, where applicable, from the date of a stated event, for example, receipt of a required approval by the Contracting Officer. Unless the request for quotes indicates that the stipulated schedules are mandatory, they shall be treated as desired or recommended schedules.
In this event, plans based upon the Contractor's best alternative schedule, involving no overtime, extra shift or other premium, will be accepted for consideration.

f. Personnel. Describe the experience and qualifications of personnel who will be assigned for direct work on this project. Information is required which will show the composition of the task or work group, its general qualifications, and recent experience with similar equipment or programs.

APPLICABLE CLAUSES AND PROVISIONS:

(9) The provision at FAR clause 52.212-1 (Oct 2015), Instructions to Offerors - Commercial Items, applies to this acquisition.

(10) The provision at FAR clause 52.212-2 (Oct 2014), Evaluation - Commercial Items, applies to this acquisition.

(a) The Government will award a contract resulting from this solicitation to the responsible offeror whose offer conforming to the solicitation will be most advantageous to the Government, price and other factors considered. Technical and past performance, when combined, are more important than price. The Government intends to issue a firm fixed price Contract for this requirement.

Section 1: Mandatory Criteria

The mandatory criteria requirements will be evaluated on a pass/fail basis. Documented evidence shall be provided. Only those proposals passing each of the mandatory criteria will then be evaluated under Section 2.

1. Bachelor's degree or equivalent in engineering, science, or any liberal arts.

2. Minimum ten years' experience in programming.

3. Minimum five years' experience in web programming and managing data from clinical field studies using open-source languages in conjunction with Perl/CGI, Perl/Templates, MySQL database management and synchronization, and Apache web server management; two years' experience in web programming of clinical data. Experience with clinical data is crucial because the HANDLS clinical management system is a real-time data entry and medical record database.
Changes to one part of the system may have far-reaching consequences in other parts of the system and on the accuracy of the data.

Section 2: Technical Evaluation Criteria:

1. Technical Capability (15 points)

The proposal should address each of the components in the scope of work of the statement of work (SOW), in sufficient detail to demonstrate a clear understanding of the statement of work and compliance with requirements. The Offeror should provide evidence of sufficient planning to show that work will be accomplished and how it will be accomplished as required and on schedule, utilizing all available resources as well as controlling the execution of assigned activities, tasks, and sub-tasks, monitoring progress, status reporting, resolving critical issues and mitigating risks. The proposal should demonstrate a firm understanding of the requirements and goals set forth in the scope of work.

2. Key Personnel Qualifications (50 points)

The proposal shall be evaluated to ensure that all key personnel qualifications identified in this statement of work are met, to include, but not limited to, the following:

• Documented evidence of the offeror's successful performance at a minimum of ten (10) years of experience programming; and
• Documented evidence of the offeror's successful performance at a minimum of five years' experience in web programming and managing data from clinical field studies using open-source languages in conjunction with Perl/CGI, Perl/Templates, Perl CGI application toolkit, Perl Template Toolkit, Moose, MySQL database management and synchronization, Apache web server management, Ruby on Rails, PHP, PHP PDFlib, and Git server deployment, management, and use; and
• Two (2) years of experience in web programming of clinical data.

3. Past Performance (35 points)

• Documented evidence of the offeror's successful performance for a minimum of three (3) recent contracts or employment assignments, similar to requirements specified in the statement of work.

Total possible points: 100 points

(b) Award Criteria

Selection of an Offeror for award will be on the basis of best value, technical factors and price considered. Technical acceptability includes an evaluation on technical factors (which encompasses experience/capability and past performance factors), and cost/price factors. Evaluation of technical acceptability will be made in accordance with the prospective Contractor's demonstrated capabilities of meeting each of the requirements as set forth in this solicitation and all applicable attachments. The merits of each proposal will be evaluated carefully. The offeror must include all specifications and services detailed in this solicitation in its proposal and must also include delivery lead times as well as shipping costs. Offerors' cost/price proposals will be evaluated for reasonableness. For a price to be reasonable, it must represent a price to the Government that a prudent person would pay when consideration is given to prices in the market. Normally, price reasonableness is established through adequate price competition, but may also be determined through cost and price analysis techniques as described in FAR 15.404. A recent (12 month period) redacted invoice showing the date of the invoice and the similar or identical product description and the price that was billed, and/or a published price listing, should be supplied with the quotation for price reasonableness determinations. The price quoted will be evaluated taking into consideration any price reductions. A best value analysis will be performed taking into consideration the results of the technical evaluation and price evaluation.
(11) Offerors should include a completed copy of the provision at FAR clause 52.212-3 (Nov 2015), Offeror Representations and Certifications - Commercial Items, with its offer.

(12) The provision at FAR clause 52.212-4 (May 2015), Contract Terms and Conditions - Commercial Items, applies to this acquisition. Refer to Attachment No. 2 for applicable Terms and Conditions.

(13) The provision at FAR clause 52.212-5 (JAN 2016), Contract Terms and Conditions Required to Implement Statutes or Executive Orders - Commercial Items, applies to this acquisition.

(14) The provision at FAR clause 52.227-14 (Dec 2007), Rights in Data - General, applies to this acquisition.

(15) 1. Security Requirements: Contractor personnel performing work under this contract shall satisfy all requirements for appropriate security eligibility as specified in the solicitation, in dealing with access to sensitive information and information systems belonging to or being used on behalf of the NIA. To satisfy those requirements, a Level 5 Risk Background Investigation shall be conducted prior to performing work under this contract. Appropriate background investigation forms will be provided upon contract award and are to be completed and returned to NIA within 30 days for processing. Contractors will be notified when the investigation has been completed and adjudicated. All costs associated with obtaining clearances for contractor-provided personnel will be the responsibility of the Contractor. Further, the Contractor will be responsible for the actions of all individuals provided to work under this contract. If damages arise from work performed by contractor-provided personnel under the auspices of this contract, the Contractor will be responsible for all resources necessary to remedy the incident.

This acquisition requires the Contractor to:

• develop, have the ability to access, or host and/or maintain Federal information and/or Federal information system(s).
• access, or use, Personally Identifiable Information (PII), including instances of remote access to or physical removal of such information beyond agency premises or control.

The Contractor and all subcontractors performing under this acquisition shall comply with the following requirements:

- HHS-Controlled Facilities and Information Systems Security
- Standard for Security Configurations, HHSAR 352.239-70
- Standard for Encryption Language, HHSAR 352.239-71
- Security Requirements for Federal Information Technology Resources, HHSAR 352.239-72
- Security Categorization of Federal Information and Information Systems (FIPS 199 Assessment)
- Information Security Training
- Personnel Security Responsibilities

A. INFORMATION TYPE
[ ] Administrative, Management and Support Information
[x] Mission Based Information: Research and Development Information; Scientific and Technological Research and Innovation

B. SECURITY CATEGORIES AND LEVELS (SCL):
Confidentiality: [x] Low [ ] Moderate [ ] High
Integrity: [ ] Low [x] Moderate [ ] High
Availability: [x] Low [ ] Moderate [ ] High
Overall: [ ] Low [x] Moderate [ ] High

The Contractor shall submit a roster by name, position, e-mail address, phone number and responsibility of all staff (including subcontractor staff) working under this acquisition where the Contractor will develop, have the ability to access, or host and/or maintain a federal information system(s). The roster shall be submitted to the Project Officer, with a copy to the Contracting Officer, within 14 calendar days of the effective date of this contract. Any revisions to the roster as a result of staffing changes shall be submitted within 15 calendar days of the change. The Contracting Officer will notify the Contractor of the appropriate level of investigation required for each staff member.
An electronic template, "Roster of Employees Requiring Suitability Investigations," is available for contractor use at https://ocio.nih.gov/aboutus/publicinfosecurity/acquisition/Documents/SuitabilityRoster_10-15-12.xlsx

All contractor and subcontractor employees shall comply with the conditions established for their designated position sensitivity level prior to performing any work under this contract. Contractors may begin work after the fingerprint check has been completed.

C. POSITION SENSITIVITY DESIGNATIONS (PSD): The following position sensitivity designations and associated clearance and investigation requirements apply under this contract:

[ ] Level 6: Public Trust - High Risk (Requires Suitability Determination with a BI). Contractor employees assigned to a Level 6 position are subject to a Background Investigation (BI).
[x] Level 5: Public Trust - Moderate Risk (Requires Suitability Determination with MBI or LBI). Contractor employees assigned to a Level 5 position with no previous investigation and approval shall undergo a Minimum Background Investigation (MBI), or a Limited Background Investigation (LBI).
[ ] Level 1: Non Sensitive (Requires Suitability Determination with an NACI). Contractor employees assigned to a Level 1 position are subject to a National Agency Check and Inquiry Investigation (NACI).

D. PROSPECTIVE OFFEROR NON-DISCLOSURE AGREEMENT
[x] Offerors WILL NOT require access to sensitive information in order to prepare an offer.
[ ] Offerors WILL require access to sensitive information in order to prepare an offer.

INFORMATION SECURITY AND PHYSICAL ACCESS REPORTING REQUIREMENTS: The Contractor shall submit the following reports as required by the INFORMATION AND PHYSICAL ACCESS SECURITY Article in SECTION H of this contract. Note: Each report listed below includes a reference to the appropriate subparagraph of this article.
1. Reporting of New and Departing Employees

The Contractor shall notify the Contracting Officer's Representative (COR) and Contracting Officer within five working days of staffing changes for positions that require suitability determinations as follows:

1. New Employees who have or will have access to HHS information systems or data: Provide the name, position title, e-mail address, and phone number of the new employee. Provide the name, position title and suitability level held by the former incumbent. If the employee is filling a new position, provide a description of the position and the Government will determine the appropriate security level.

2. Departing Employees: 1) Provide the name, position title, and security clearance level held by or pending for the individual; and 2) Perform and document the actions identified in the "Employee Separation Checklist", attached in Section J, ATTACHMENTS of this contract, when a Contractor/Subcontractor employee terminates work under this contract. All documentation shall be made available to the COR and/or Contracting Officer upon request.

2. Contractor - Employee Non-Disclosure Agreement(s)

The Contractor shall complete and submit a signed and witnessed "Commitment to Protect Non-Public Information - Contractor Agreement" form for each contractor and subcontractor employee who may have access to non-public Department information under this contract. This form is located at: https://ocio.nih.gov/aboutus/publicinfosecurity/acquisition/Documents/Nondisclosure.pdf.

3. HHS-Controlled Facilities and Information Systems Security

a. To perform the work specified herein, Contractor personnel are expected to have routine (1) physical access to an HHS-controlled facility; (2) physical access to an HHS-controlled information system; (3) access to sensitive HHS data or information, whether in an HHS-controlled information system or in hard copy; or (4) any combination of circumstances (1) through (3).

b.
To gain routine physical access to an HHS-controlled information system, and/or access to sensitive data or information, the Contractor and its employees shall comply with Homeland Security Presidential Directive (HSPD)-12, Policy for a Common Identification Standard for Federal Employees and Contractors; Office of Management and Budget Memorandum (M-05-24); and Federal Information Processing Standards Publication (FIPS PUB) Number 201; and with the personal identity verification and investigations procedures contained in the following documents:
1. HHS-OCIO Information Systems Security and Privacy Policy (http://www.hhs.gov/ocio/policy/#Security)
2. HHS HSPD-12 Policy Document, v. 2.0 (http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2005/m05-24.pdf)
Information regarding background checks/badges: http://idbadge.nih.gov/background/index.asp

Clauses and Provisions:

[ x ] Standard for Security Configurations, HHSAR 352.239-70, (January 2010)
a. The Contractor shall configure its computers that contain HHS data with the applicable Federal Desktop Core Configuration (FDCC) (see http://nvd.nist.gov/fdcc/index.cfm) and ensure that its computers have and maintain the latest operating system patch level and anti-virus software level. Note: FDCC is applicable to all computing systems using Windows XP™ and Windows Vista™, including desktops and laptops - regardless of function - but not including servers.
b. The Contractor shall apply approved security configurations to information technology (IT) that is used to process information on behalf of HHS. The following security configuration requirements apply:
c. The Contractor shall ensure IT applications operated on behalf of HHS are fully functional and operate correctly on systems configured in accordance with the above configuration requirements.
The Contractor shall use Security Content Automation Protocol (SCAP)-validated tools with FDCC Scanner capability to ensure its products operate correctly with FDCC configurations and do not alter FDCC settings - see http://scap.nist.gov/validation. The Contractor shall test applicable product versions with all relevant and current updates and patches installed. The Contractor shall ensure currently supported versions of information technology products meet the latest FDCC major version and subsequent major versions.
d. The Contractor shall ensure IT applications designed for end users run in the standard user context without requiring elevated administrative privileges.
e. The Contractor shall ensure hardware and software installation, operation, maintenance, update, and patching will not alter the configuration settings or requirements specified above.
f. The Contractor shall (1) include Federal Information Processing Standard (FIPS) 201-compliant (http://csrc.nist.gov/publications/fips/fips201-1/FIPS-201-1-chng1.pdf), Homeland Security Presidential Directive 12 (HSPD-12) card readers with the purchase of servers, desktops, and laptops; and (2) comply with FAR Subpart 4.13, Personal Identity Verification.
g. The Contractor shall ensure that its subcontractors (at all tiers) which perform work under this contract comply with the requirements contained in this clause.

[ x ] Standard for Encryption language, HHSAR 352.239-71, (January 2010)
a. The Contractor shall use Federal Information Processing Standard (FIPS) 140-2-compliant encryption (Security Requirements for Cryptographic Modules, as amended) to protect all instances of HHS sensitive information during storage and transmission. (Note: The Government has determined that HHS information under this contract is considered "sensitive" in accordance with FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, dated February 2004).
b. The Contractor shall verify that the selected encryption product has been validated under the Cryptographic Module Validation Program (see http://csrc.nist.gov/cryptval/) to confirm compliance with FIPS 140-2 (as amended). The Contractor shall provide a written copy of the validation documentation to the Contracting Officer and the Contracting Officer's Technical Representative.
c. The Contractor shall use the Key Management Key (see FIPS 201, Chapter 4, as amended) on the HHS personal identification verification (PIV) card; or alternatively, the Contractor shall establish and use a key recovery mechanism to ensure the ability for authorized personnel to decrypt and recover all encrypted information (see http://csrc.nist.gov/drivers/documents/ombencryption-guidance.pdf). The Contractor shall notify the Contracting Officer and the Contracting Officer's Technical Representative of personnel authorized to decrypt and recover all encrypted information.
d. The Contractor shall securely generate and manage encryption keys to prevent unauthorized decryption of information in accordance with FIPS 140-2 (as amended).
e. The Contractor shall ensure that this standard is incorporated into the Contractor's property management/control system or establish a separate procedure to account for all laptop computers, desktop computers, and other mobile devices and portable media that store or process sensitive HHS information.
f. The Contractor shall ensure that its subcontractors (all tiers) which perform work under this contract comply with the requirements contained in this clause.

[ x ] Security Requirements For Federal Information Technology Resources, HHSAR 352.239-72, (January 2010)
a. Applicability.
This clause applies whether the entire contract or order (hereafter "contract"), or portion thereof, includes information technology resources or services in which the Contractor has physical or logical (electronic) access to, or operates a Department of Health and Human Services (HHS) system containing, information that directly supports HHS' mission. The term "information technology (IT)", as used in this clause, includes computers, ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services (including support services) and related resources. This clause does not apply to national security systems as defined in FISMA.
b. Contractor responsibilities. The Contractor is responsible for the following:
1. Protecting Federal information and Federal information systems in order to ensure their -
a. Integrity, which means guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity;
b. Confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and
c. Availability, which means ensuring timely and reliable access to and use of information.
2. Providing security of any Contractor systems, and information contained therein, connected to an HHS network or operated by the Contractor, regardless of location, on behalf of HHS.
3. Adopting, and implementing, at a minimum, the policies, procedures, controls and standards of the HHS Information Security Program to ensure the integrity, confidentiality, and availability of Federal information and Federal information systems for which the Contractor is responsible under this contract or to which it may otherwise have access under this contract.
The HHS Information Security Program is outlined in the HHS Information Security Program Policy, which is available on the HHS Office of the Chief Information Officer's (OCIO) Web site.
c. Contractor security deliverables. In accordance with the timeframes specified, the Contractor shall prepare and submit the following security documents to the Contracting Officer for review, comment, and acceptance:
1. IT Security Plan (IT-SP) - due within 30 days after contract award. The IT-SP shall be consistent with, and further detail the approach to, IT security contained in the Contractor's bid or proposal that resulted in the award of this contract. The IT-SP shall describe the processes and procedures that the Contractor will follow to ensure appropriate security of IT resources that are developed, processed, or used under this contract. If the IT-SP only applies to a portion of the contract, the Contractor shall specify those parts of the contract to which the IT-SP applies.
a. The Contractor's IT-SP shall comply with applicable Federal laws that include, but are not limited to, the Federal Information Security Management Act (FISMA) of 2002 (Title III of the E-Government Act of 2002, Public Law 107-347), and the following Federal and HHS policies and procedures:
i. Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automation Information Resources.
ii. National Institute of Standards and Technology (NIST) Special Publication (SP) 800-18, Guide for Developing Security Plans for Information Systems, in form and content, and with any pertinent contract Statement of Work/Performance Work Statement (SOW/PWS) requirements. The IT-SP shall identify and document appropriate IT security controls consistent with the sensitivity of the information and the requirements of Federal Information Processing Standard (FIPS) 200, Recommended Security Controls for Federal Information Systems.
The Contractor shall review and update the IT-SP in accordance with NIST SP 800-26, Security Self-Assessment Guide for Information Technology Systems and FIPS 200, on an annual basis.
iii. HHS-OCIO Information Systems Security and Privacy Policy.
2. IT Risk Assessment (IT-RA) - due within 30 days after contract award. The IT-RA shall be consistent, in form and content, with NIST SP 800-30, Risk Management Guide for Information Technology Systems, and any additions or augmentations described in the HHS-OCIO Information Systems Security and Privacy Policy. After resolution of any comments provided by the Government on the draft IT-RA, the Contracting Officer shall accept the IT-RA and incorporate the Contractor's final version into the contract for Contractor implementation and maintenance. The Contractor shall update the IT-RA on an annual basis.
3. FIPS 199 Standards for Security Categorization of Federal Information and Information Systems Assessment (FIPS 199 Assessment) - due within 30 days after contract award. The FIPS 199 Assessment shall be consistent with the cited NIST standard. After resolution of any comments by the Government on the draft FIPS 199 Assessment, the Contracting Officer shall accept the FIPS 199 Assessment and incorporate the Contractor's final version into the contract.
4. IT Security Certification and Accreditation (IT-SC&A) - due within 3 months after contract award. The Contractor shall submit written proof to the Contracting Officer that an IT-SC&A was performed for applicable information systems - see paragraph (a) of this clause. The Contractor shall perform the IT-SC&A in accordance with the HHS Chief Information Security Officer's Certification and Accreditation Checklist; NIST SP 800-37, Guide for the Security, Certification and Accreditation of Federal Information Systems; and NIST 800-53, Recommended Security Controls for Federal Information Systems.
An authorized senior management official shall sign the draft IT-SC&A and provide it to the Contracting Officer for review, comment, and acceptance.
a. After resolution of any comments provided by the Government on the draft IT-SC&A, the Contracting Officer shall accept the IT-SC&A and incorporate the Contractor's final version into the contract as a compliance requirement.
b. The Contractor shall also perform an annual security control assessment and provide to the Contracting Officer verification that the IT-SC&A remains valid. Evidence of a valid system accreditation includes written results of:
i. Annual testing of the system contingency plan; and
ii. The performance of security control testing and evaluation.
d. Personal identity verification. The Contractor shall identify its employees with access to systems operated by the Contractor for HHS or connected to HHS systems and networks. The Contracting Officer's Representative (COR) shall identify, for those identified employees, position sensitivity levels that are commensurate with the responsibilities and risks associated with their assigned positions. The Contractor shall comply with the HSPD-12 requirements contained in "HHS-Controlled Facilities and Information Systems Security" requirements specified in the SOW/PWS of this contract.
e. Contractor and subcontractor employee training. The Contractor shall ensure that its employees, and those of its subcontractors, performing under this contract complete HHS-furnished initial and refresher security and privacy education and awareness training before being granted access to systems operated by the Contractor on behalf of HHS or access to HHS systems and networks. The Contractor shall provide documentation to the COR evidencing that Contractor employees have completed the required training.
f. Government access for IT inspection.
The Contractor shall afford the Government access to the Contractor's and subcontractors' facilities, installations, operations, documentation, databases, and personnel used in performance of this contract to the extent required to carry out a program of IT inspection (to include vulnerability testing), investigation, and audit to safeguard against threats and hazards to the integrity, confidentiality, and availability of HHS data or to the protection of information systems operated on behalf of HHS.
g. Subcontracts. The Contractor shall incorporate the substance of this clause in all subcontracts that require protection of Federal information and Federal information systems as described in paragraph (a) of this clause, including those subcontracts that -
a. Have physical or electronic access to HHS' computer systems, networks, or IT infrastructure; or
b. Use information systems to generate, store, process, or exchange data with HHS or on behalf of HHS, regardless of whether the data resides on a HHS or the Contractor's information system.
h. Contractor employment notice. The Contractor shall immediately notify the Contracting Officer when an employee either begins or terminates employment (or is no longer assigned to the HHS project under this contract), if that employee has, or had, access to HHS information systems or data.
i. Document information. The Contractor shall contact the Contracting Officer for any documents, information, or forms necessary to comply with the requirements of this clause.
j. Contractor responsibilities upon physical completion of the contract. The Contractor shall return all HHS information and IT resources provided to the Contractor during contract performance and certify that all HHS information has been purged from Contractor-owned systems used in contract performance.
k. Failure to comply.
Failure on the part of the Contractor or its subcontractors to comply with the terms of this clause shall be grounds for the Contracting Officer to terminate this contract.
(End of Clause)

[ x ] PERSONNEL SECURITY RESPONSIBILITIES
In addition to any personnel security responsibilities covered under HHSAR 352.239-72, the contractor shall comply with the below personnel security responsibilities:
a. In accordance with Paragraph (h) of HHSAR 352.239-72, the Contractor shall notify the Contracting Officer and the COR within five working days before a new employee assumes a position that requires access to HHS information systems or data, or when an employee with such access stops working on this contract. The Government will initiate a background investigation on new employees assuming a position that requires access to HHS information systems or data, and will stop pending background investigations for employees that no longer work under the contract or no longer have such access.
b. New contractor employees who have or will have access to HHS information systems or data: The Contractor shall provide the COR with the name, position title, e-mail address, and phone number of all new contract employees working under the contract and provide the name, position title and position sensitivity level held by the former incumbent. If an employee is filling a new position, the Contractor shall provide a position description and the Government will determine the appropriate position sensitivity level.
c. Departing contractor employees: The Contractor shall provide the COR with the name, position title, and position sensitivity level held by or pending for departing employees. The Contractor shall perform and document the actions identified in the Contractor Employee Separation Checklist (https://ocio.nih.gov/aboutus/publicinfosecurity/acquisition/Documents/Emp-sep-checklist.pdf) when a Contractor/subcontractor employee terminates work under this contract.
All documentation shall be made available to the COR upon request.
d. Commitment to Protect Non-Public Departmental Information and Data: The Contractor, and any subcontractors performing under this contract, shall not release, publish, or disclose non-public Departmental information to unauthorized personnel, and shall protect such information in accordance with provisions of the following laws and any other pertinent laws and regulations governing the confidentiality of such information:
- 18 U.S.C. 641 (Criminal Code: Public Money, Property or Records)
- 18 U.S.C. 1905 (Criminal Code: Disclosure of Confidential Information)
- Public Law 96-511 (Paperwork Reduction Act)
Each employee, including subcontractors, having access to non-public Department information under this acquisition shall complete the "Commitment to Protect Non-Public Information - Contractor Employee Agreement" located at: https://ocio.nih.gov/aboutus/publicinfosecurity/acquisition/Documents/Nondisclosure.pdf. A copy of each signed and witnessed Non-Disclosure agreement shall be submitted to the Project Officer/COR prior to performing any work under this acquisition.

[ x ] Loss and/or Disclosure of Personally Identifiable Information (PII) - Notification of Data Breach
The Contractor shall report all suspected or confirmed incidents involving the loss and/or disclosure of PII in electronic or physical form. Notification shall be made to the NIH Incident Response Team (IRT) via email (IRT@mail.nih.gov) within one hour of discovering the incident.
The Contractor shall follow up with IRT by completing and submitting one of the applicable two forms below within three (3) work days of incident discovery:
NIH PII Spillage Report at: https://ocio.nih.gov/InfoSecurity/Policy/Documents/NIH_PII_Spillage_Proced.doc
NIH Lost or Stolen Assets Report at: https://ocio.nih.gov/InfoSecurity/Policy/Documents/ISSO_Stolen_Device-Media_Handling_Procedures.doc

[ x ] INFORMATION SECURITY TRAINING
In addition to any training covered under paragraph (e) of HHSAR 352.239-72, the contractor shall comply with the below training:
a. Mandatory Training
i. All Contractor employees having access to (1) Federal information or a Federal information system or (2) sensitive data/information as defined at HHSAR 304.1300(a)(4), shall complete the NIH Computer Security Awareness Training course at http://irtsectraining.nih.gov/ before performing any work under this contract. Thereafter, Contractor employees having access to the information identified above shall complete an annual NIH-specified refresher course during the life of this contract. The Contractor shall also ensure subcontractor compliance with this training requirement.
ii. The Contractor shall maintain a listing by name and title of each Contractor/Subcontractor employee working on this contract and having access of the kind in paragraph 1.a(1) above, who has completed the NIH required training. Any additional security training completed by the Contractor/Subcontractor staff shall be included on this listing. The list shall be provided to the COR and/or Contracting Officer upon request.
b. Role-based Training
HHS requires role-based training when responsibilities associated with a given role or position could, upon execution, have the potential to adversely impact the security posture of one or more HHS systems.
Read further guidance about "NIH Information Security Awareness and Training Policy," at: https://ocio.nih.gov/InfoSecurity/Policy/Documents/Final-InfoSecAwarenessTrainPol.doc. The Contractor shall maintain a list of all information security training completed by each contractor/subcontractor employee working under this contract. The list shall be provided to the COR and/or Contracting Officer upon request.
c. Rules of Behavior
The Contractor shall ensure that all employees, including subcontractor employees, comply with the NIH Information Technology General Rules of Behavior (https://ocio.nih.gov/InfoSecurity/training/Pages/nihitrob.aspx), which are contained in the NIH Information Security Awareness Training Course http://irtsectraining.nih.gov.

[ x ] PERSONNEL SECURITY RESPONSIBILITIES
1. In addition to any personnel security responsibilities covered under HHSAR 352.239-72, the contractor shall comply with the below personnel security responsibilities:
d. In accordance with Paragraph (h) of HHSAR 352.239-72, the Contractor shall notify the Contracting Officer and the COR within five working days before a new employee assumes a position that requires access to HHS information systems or data, or when an employee with such access stops working on this contract. The Government will initiate a background investigation on new employees assuming a position that requires access to HHS information systems or data, and will stop pending background investigations for employees that no longer work under the contract or no longer have such access.
e. New contractor employees who have or will have access to HHS information systems or data: The Contractor shall provide the COR with the name, position title, e-mail address, and phone number of all new contract employees working under the contract and provide the name, position title and position sensitivity level held by the former incumbent.
If an employee is filling a new position, the Contractor shall provide a position description and the Government will determine the appropriate position sensitivity level.
f. Departing contractor employees: The Contractor shall provide the COR with the name, position title, and position sensitivity level held by or pending for departing employees. The Contractor shall perform and document the actions identified in the Contractor Employee Separation Checklist (https://ocio.nih.gov/aboutus/publicinfosecurity/acquisition/Documents/Emp-sep-checklist.pdf) when a Contractor/subcontractor employee terminates work under this contract. All documentation shall be made available to the COR upon request.
g. Commitment to Protect Non-Public Departmental Information and Data. The Contractor, and any subcontractors performing under this contract, shall not release, publish, or disclose non-public Departmental information to unauthorized personnel, and shall protect such information in accordance with provisions of the following laws and any other pertinent laws and regulations governing the confidentiality of such information:
- 18 U.S.C. 641 (Criminal Code: Public Money, Property or Records)
- 18 U.S.C. 1905 (Criminal Code: Disclosure of Confidential Information)
- Public Law 96-511 (Paperwork Reduction Act)
Each employee, including subcontractors, having access to non-public Department information under this acquisition shall complete the "Commitment to Protect Non-Public Information - Contractor Employee Agreement" located at: https://ocio.nih.gov/aboutus/publicinfosecurity/acquisition/Documents/Nondisclosure.pdf. A copy of each signed and witnessed Non-Disclosure agreement shall be submitted to the Project Officer/COR prior to performing any work under this acquisition.

Section 508-Electronic and Information Technology Standards: The contractor shall comply with Section 508 of the Rehabilitation Act (29 U.S.C. § 794d), as amended by the Workforce Investment Act of 1998 (P.L.
105-220), August 7, 1998. Electronic and Information Technology Accessibility, HHSAR 352.239-73(b)

Access to National Institutes of Health (NIH) Electronic Mail
All Contractor staff that have access to and use of NIH electronic mail (e-mail) must identify themselves as contractors on all outgoing e-mail messages, including those that are sent in reply or are forwarded to another user. To best comply with this requirement, the Contractor staff shall set up an e-mail signature ("AutoSignature") or an electronic business card ("V-card") on each Contractor employee's computer system and/or Personal Digital Assistant (PDA) that will automatically display "Contractor" in the signature area of all e-mails sent.

Other Clauses and Provisions:
1. Confidentiality of Information
a. Confidential information, as used in this article, means information or data of a personal nature about an individual, or proprietary information or data submitted by or pertaining to an institution or organization.
b. The Contracting Officer and the Contractor may, by mutual consent, identify elsewhere in this contract specific information and/or categories of information which the Government will furnish to the Contractor or that the Contractor is expected to generate which is confidential. Similarly, the Contracting Officer and the Contractor may, by mutual consent, identify such confidential information from time to time during the performance of the contract. Failure to agree will be settled pursuant to the "Disputes" clause.
c. If it is established elsewhere in this contract that information to be utilized under this contract, or a portion thereof, is subject to the Privacy Act, the Contractor will follow the rules and procedures of disclosure set forth in the Privacy Act of 1974, 5 U.S.C. 552a, and implementing regulations and policies, with respect to systems of records determined to be subject to the Privacy Act.
d. Confidential information, as defined in paragraph (a) of this article, shall not be disclosed without the prior written consent of the individual, institution, or organization.
e. Whenever the Contractor is uncertain with regard to the proper handling of material under the contract, or if the material in question is subject to the Privacy Act or is confidential information subject to the provisions of this article, the Contractor should obtain a written determination from the Contracting Officer prior to any release, disclosure, dissemination, or publication.
f. The Contracting Officer's determination will reflect the result of internal coordination with appropriate program and legal officials. The provisions of paragraph (d) of this article shall not apply to conflicting or overlapping provisions in other Federal, State or local laws.

1. The clause at FAR 52.213-4 (Feb 2016), Terms and Conditions-Simplified Acquisitions (Other Than Commercial Items), applies to this acquisition.
2. The clause at FAR 52.227-14 (Dec 2007), Rights in Data-General, applies to this acquisition. The National Institute on Aging shall have unlimited rights to and ownership of all deliverables provided under this contract, including collected data, reports, recommendations, briefings, work plans and all other deliverables. This includes the deliverables provided under the basic contract and any optional task deliverables exercised by the contracting officer. In addition, it includes any additional deliverables required by contract change. The definition of "unlimited rights" is contained in Federal Acquisition Regulation (FAR) 27.401, "Definitions." FAR clause 52.227-14, "Rights in Data-General," is hereby incorporated by reference and made a part of this contract/order.

(16) The Defense Priorities and Allocations System (DPAS) is not applicable to this requirement.
RESPONSE FORMAT:
(17) Please refer to the following attachments in preparing your proposal responding to this solicitation.
Attachment No. 1: Invoice Instructions
Attachment No. 2: Terms and Conditions
Responses to this solicitation must include sufficient information to establish the interested parties' bona fide capabilities of providing the product or service. The price quote shall include: unit price, list price, shipping and handling costs, delivery days after contract award, delivery terms, prompt payment discount terms, F.O.B. Point (Destination or Origin), product or catalog number(s); product description; and any other information or factors that may be considered in the award decision. Such factors may include: past performance; special features required for effective program performance; trade-in considerations; probable life of the item selected as compared with that of a comparable item; warranty considerations; maintenance availability; and environmental and energy efficiency considerations. Responses to this solicitation must include clear and convincing evidence of the offeror's capability of fulfilling EACH of the requirements described in this solicitation. The price proposal must include the labor categories, an estimate of the number of hours required for each labor category, the fully loaded fixed hourly rate for each labor category, a breakdown and rationale for other direct costs or materials, and the total amount. A redacted invoice, which is an edited version of an invoice issued within 12 months of this solicitation, with details of similar or identical items, and/or a published price listing should be supplied for price reasonableness determinations. In addition, the Dun & Bradstreet Number (DUNS), the Taxpayer Identification Number (TIN), and the certification of business size must be included in the response. All offerors must have an active registration in the System for Award Management (SAM) at www.sam.gov.
Questions regarding this solicitation must be received in this office, to the email address supplied below, by 8:00AM (EST) on February 22, 2016. All offers must be received by 8:00AM (EST) on February 25, 2016 and must reference number HHS-NIH-NIDA-SSSA-2016-167. Responses must be submitted electronically to Samantha Kelly, Contract Specialist at Samantha.Kelly2@nih.gov.
- Web Link
-
FBO.gov Permalink
(https://www.fbo.gov/spg/HHS/NIH/NIDA-01/HHS-NIH-NIDA-SSSA-2016-167/listing.html)
- Record
- SN04024003-W 20160220/160218235000-ad3cc8a9f71e259cac05d2e8fa6dfde0 (fbodaily.com)
- Source
-
FedBizOpps Link to This Notice
(may not be valid after Archive Date)