Loren Data's SAM Daily™

FBO DAILY - FEDBIZOPPS ISSUE OF APRIL 14, 2017 FBO #5621
DOCUMENT

R -- Investment Knowledge Management Data Management - Attachment

Notice Date
4/12/2017
 
Notice Type
Attachment
 
NAICS
541611 — Administrative Management and General Management Consulting Services
 
Contracting Office
Department of Veterans Affairs;Program Contracting Activity Central;6150 Oak Tree Blvd, Suite 300;Independence OH 44131
 
ZIP Code
44131
 
Solicitation Number
VA70117N0095
 
Response Due
4/24/2017
 
Archive Date
6/23/2017
 
Point of Contact
Bernadette Bodzenta, Contract Specialist
 
Small Business Set-Aside
N/A
 
Description
Investment Knowledge Management

PERFORMANCE WORK STATEMENT (PWS)
DEPARTMENT OF VETERANS AFFAIRS
Veterans Health Administration
Office of Informatics and Investment Governance
Strategic Investment Management (SIM)
Investment Governance Services (IGS)
Investment Knowledge Management (IKM)

Date: 2/8/17
PWS Version Number: 1.0

Contents
1.0 BACKGROUND
2.0 APPLICABLE DOCUMENTS
3.0 SCOPE OF WORK
4.0 PERFORMANCE DETAILS
4.1 PERFORMANCE PERIOD
4.2 PLACE OF PERFORMANCE
4.3 TRAVEL
5.0 SPECIFIC TASKS AND DELIVERABLES
5.1 PROJECT MANAGEMENT
5.1.1 CONTRACTOR PROJECT MANAGEMENT PLAN
5.1.2 REPORTING REQUIREMENTS
5.2
6.0 GENERAL REQUIREMENTS
6.1 ENTERPRISE AND IT FRAMEWORK
6.2 SECURITY AND PRIVACY REQUIREMENTS
6.2.1 POSITION/TASK RISK DESIGNATION LEVEL(S)
6.2.2 CONTRACTOR PERSONNEL SECURITY REQUIREMENTS
6.3 METHOD AND DISTRIBUTION OF DELIVERABLES
6.4 PERFORMANCE METRICS
6.5 FACILITY/RESOURCE PROVISIONS
6.6 GOVERNMENT FURNISHED PROPERTY
6.7 SHIPMENT OF HARDWARE OR EQUIPMENT
ADDENDUM A ADDITIONAL VA REQUIREMENTS, CONSOLIDATED
ADDENDUM B VA INFORMATION AND INFORMATION SYSTEM SECURITY/PRIVACY LANGUAGE

1.0 BACKGROUND

The mission of the Department of Veterans Affairs (VA), Veterans Health Administration (VHA), Office of Informatics and Information Governance (OIIG), Strategic Investment Management (SIM), Investment Governance Services (IGS) is to ensure that strategic requirements are identified, prioritized, organized, communicated, understood, and translated into Information Technology (IT) investment decisions that meet clinical, administrative, and Veteran's needs. IGS works collaboratively with OIIG, VHA, and VA Program Offices to conduct business analysis and investment governance/oversight to improve those IT investments and services provided to Veterans.
To perform this role effectively, IGS relies on the Investment Knowledge Management (IKM) team to gather, process, and communicate data associated with IT investments needed by VHA business lines culminating in briefings and reports to senior leadership. IKM serves as the authoritative information resource center for VHA IT investments and provides a comprehensive view of VHA's IT needs across the System Development Lifecycle (SDLC) by gathering pertinent information and conducting all-source analyses, information and process management, and assessments of delivery and value to the customer. Key activities include:

- Planning, organizing, and carrying out major projects concerned with providing current and detailed information related to all IT initiatives of concern to VHA
- Developing analytical reports for Strategic Investment Management (SIM) leadership and VHA IT governance Capability Management Boards (CMB) containing information about VHA IT needs and integrating data pertaining to prioritization, funding, and project status
- Processing VHA IT governance requests to include receipt, management and disposition of requests in support of VHA senior leadership and the integrated governance entities (e.g., Information Technology Committee (ITC), Integration Board (IB), Architectural Requirements and Investments Working Group (ARIWG), CMBs, other)
- Assessing VHA business capabilities achieved through IT efforts and effectiveness of IT investment decisions
- Monitoring funded programs and identification and tracking of related issues
- Conducting Customer Satisfaction Questionnaires to obtain feedback regarding the value and quality of delivered VHA IT investments

2.0 APPLICABLE DOCUMENTS

In the performance of the tasks associated with this Performance Work Statement, the Contractor shall comply with the following:

- 44 U.S.C. § 3541, Federal Information Security Management Act (FISMA) of 2002
- Federal Information Processing Standards (FIPS) Publication 140-2, Security Requirements For Cryptographic Modules
- FIPS Pub 201-2, Personal Identity Verification of Federal Employees and Contractors, August 2013
- 10 U.S.C. § 2224, "Defense Information Assurance Program"
- Carnegie Mellon Software Engineering Institute, Capability Maturity Model® Integration for Development (CMMI-DEV), Version 1.3 November 2010; and Carnegie Mellon Software Engineering Institute, Capability Maturity Model® Integration for Acquisition (CMMI-ACQ), Version 1.3 November 2010
- 5 U.S.C. § 552a, as amended, The Privacy Act of 1974
- 42 U.S.C. § 2000d Title VI of the Civil Rights Act of 1964
- VA Directive 0710, Personnel Security and Suitability Program, June 4, 2010, http://www.va.gov/vapubs/
- VA Handbook 0710, Personnel Security and Suitability Security Program, May 2, 2016, http://www.va.gov/vapubs
- VA Directive and Handbook 6102, Internet/Intranet Services, July 15, 2008
- 36 C.F.R. Part 1194 Electronic and Information Technology Accessibility Standards, July 1, 2003
- Office of Management and Budget (OMB) Circular A-130, Managing Federal Information as a Strategic Resource, July 28, 2016
- 32 C.F.R. Part 199, Civilian Health and Medical Program of the Uniformed Services (CHAMPUS)
- An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, October 2008
- Sections 504 and 508 of the Rehabilitation Act (29 U.S.C. § 794d), as amended by the Workforce Investment Act of 1998 (P.L. 105-220), August 7, 1998
- Homeland Security Presidential Directive (12) (HSPD-12), August 27, 2004
- VA Directive 6500, Managing Information Security Risk: VA Information Security Program, September 20, 2012
- VA Handbook 6500, Risk Management Framework for VA Information Systems Tier 3: VA Information Security Program, March 10, 2015
- VA Handbook 6500.1, Electronic Media Sanitization, November 03, 2008
- VA Handbook 6500.2, Management of Breaches Involving Sensitive Personal Information (SPI), October 28, 2015
- VA Handbook 6500.3, Assessment, Authorization, And Continuous Monitoring Of VA Information Systems, February 3, 2014
- VA Handbook 6500.5, Incorporating Security and Privacy in System Development Lifecycle, March 22, 2010
- VA Handbook 6500.6, Contract Security, March 12, 2010
- VA Handbook 6500.8, Information System Contingency Planning, April 6, 2011
- OI&T ProPath Process Methodology (reference process maps at http://www.va.gov/PROPATH/Maps.asp and templates at http://www.va.gov/PROPATH/Templates.asp)
- One-VA Technical Reference Model (TRM) (reference at http://www.va.gov/trm/TRMHomePage.asp)
- National Institute of Standards and Technology (NIST) Special Publications (SP)
- VA Directive 6508, Implementation of Privacy Threshold Analysis and Privacy Impact Assessment, October 15, 2014
- VA Handbook 6508.1, Procedures for Privacy Threshold Analysis and Privacy Impact Assessment, July 30, 2015
- VA Directive 6300, Records and Information Management, February 26, 2009
- VA Handbook 6300.1, Records Management Procedures, March 24, 2010
- OMB Memorandum, Transition to IPv6, September 28, 2010
- VA Directive 0735, Homeland Security Presidential Directive 12 (HSPD-12) Program, October 26, 2015
- VA Handbook 0735, Homeland Security Presidential Directive 12 (HSPD-12) Program, March 24, 2014
- OMB Memorandum M-06-18, Acquisition of Products and Services for Implementation of HSPD-12, June 30, 2006
- OMB Memorandum 05-24, Implementation of Homeland Security Presidential Directive (HSPD) 12 Policy for a Common Identification Standard for Federal Employees and Contractors, August 5, 2005
- OMB Memorandum M-11-11, Continued Implementation of Homeland Security Presidential Directive (HSPD) 12 Policy for a Common Identification Standard for Federal Employees and Contractors, February 3, 2011
- OMB Memorandum, Guidance for Homeland Security Presidential Directive (HSPD) 12 Implementation, May 23, 2008
- Federal Identity, Credential, and Access Management (FICAM) Roadmap and Implementation Guidance, December 2, 2011
- NIST SP 800-116, A Recommendation for the Use of Personal Identity Verification (PIV) Credentials in Physical Access Control Systems, November 20, 2008
- OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 22, 2007
- NIST SP 800-63-2, Electronic Authentication Guideline, August 2013
- NIST SP 800-157, Guidelines for Derived PIV Credentials, December 2014
- NIST SP 800-164, Guidelines on Hardware-Rooted Security in Mobile Devices (Draft), October 2012
- Draft National Institute of Standards and Technology Interagency Report (NISTIR) 7981 Mobile, PIV, and Authentication, March 2014
- VA Memorandum, VAIQ #7100147, Continued Implementation of Homeland Security Presidential Directive 12 (HSPD-12), April 29, 2011 (reference https://www.voa.va.gov/documentlistpublic.aspx?NodeID=514)
- VA Memorandum, VAIQ # 7011145, VA Identity Management Policy, June 28, 2010 (reference Enterprise Architecture Section, PIV/IAM (reference https://www.voa.va.gov/documentlistpublic.aspx?NodeID=514))
- IAM Identity Management Business Requirements Guidance document, May 2013, (reference Enterprise Architecture Section, PIV/IAM (reference https://www.voa.va.gov/documentlistpublic.aspx?NodeID=514))
- Trusted Internet Connections (TIC) Reference Architecture Document, Version 2.0, Federal Interagency Technical Reference Architectures, Department of Homeland Security, October 1, 2013, https://www.fedramp.gov/files/2015/04/TIC_Ref_Arch_v2-0_2013.pdf
- OMB Memorandum M-08-05, Implementation of Trusted Internet Connections (TIC), November 20, 2007
- OMB Memorandum M-08-23, Securing the Federal Government's Domain Name System Infrastructure, August 22, 2008
- VA Memorandum, VAIQ #7497987, Compliance Electronic Product Environmental Assessment Tool (EPEAT) IT Electronic Equipment, August 11, 2014 (reference Document Libraries, EPEAT/Green Purchasing Section, https://www.voa.va.gov/documentlistpublic.aspx?NodeID=552)
- Sections 524 and 525 of the Energy Independence and Security Act of 2007, (Public Law 110-140), December 19, 2007
- Section 104 of the Energy Policy Act of 2005, (Public Law 109-58), August 8, 2005
- Executive Order 13693, Planning for Federal Sustainability in the Next Decade, dated March 19, 2015
- Executive Order 13221, Energy-Efficient Standby Power Devices, August 2, 2001
- VA Directive 0058, VA Green Purchasing Program, July 19, 2013
- VA Handbook 0058, VA Green Purchasing Program, July 19, 2013
- Office of Information Security (OIS) VAIQ #7424808 Memorandum, Remote Access, January 15, 2014, https://www.voa.va.gov/DocumentListPublic.aspx?NodeId=28
- Clinger-Cohen Act of 1996, 40 U.S.C. §11101 and §11103
- VA Memorandum, Implementation of Federal Personal Identity Verification (PIV) Credentials for Federal and Contractor Access to VA IT Systems, (VAIQ# 7614373) July 9, 2015, https://www.voa.va.gov/DocumentListPublic.aspx?NodeId=28
- VA Memorandum Mandatory Use of PIV Multifactor Authentication to VA Information System (VAIQ# 7613595), June 30, 2015, https://www.voa.va.gov/DocumentListPublic.aspx?NodeId=28
- VA Memorandum Mandatory Use of PIV Multifactor Authentication for Users with Elevated Privileges (VAIQ# 7613597), June 30, 2015; https://www.voa.va.gov/DocumentListPublic.aspx?NodeId=28
- Veteran Focused Integration Process (VIP) Guide 1.0, December, 2015, https://www.voa.va.gov/DocumentView.aspx?DocumentID=4371
- VIP Release Process Guide, Version 1.4, May 2016, https://www.voa.va.gov/DocumentView.aspx?DocumentID=4411
- POLARIS User Guide, Version 1.2, February 2016, https://www.voa.va.gov/DocumentView.aspx?DocumentID=4412

3.0 SCOPE OF WORK

The Contractor shall provide the following service: IT Investment Governance Tracking, Analysis, and Reporting Data Management

The Investment Governance Services (IGS), Investment Knowledge Management (IKM) team performs tracking, analysis, and reporting services for VA and VHA IT investments (includes portfolios, programs, projects, and products) across the life cycle of these investments (includes initiation through closeout/termination of an investment). IKM objectives include the following:

- Conduct tracking, data analysis, and reporting activities for VA and VHA IT investments
- Manage investment data

There are hundreds of VA and VHA IT investments. A subset of these (on average 150 projects/products) is approved for funding each fiscal year. Fiscal year funded projects/products are tracked and monitored.
The processes that support IT Governance tracking, analysis, reporting, and data management and related inputs and outputs (examples include forms, worksheets, briefs, reports, and databases) are established and relatively stable; processes, inputs, and outputs may be modified periodically as a result of review recommendations based on continuous improvement activities. VA and VHA IT Investments are largely proprietary. The Contractor shall provide personnel with extensive knowledge regarding the following areas: VA organizational structures, VHA medical centers and health care systems, VHA software applications, Veterans Information Systems Technical Architecture (VistA), VA ProPath processes, Office of Information & Technology (OI&T) Project Management Accountability System (PMAS) and Veteran-focused Integration Process (VIP), and OI&T Enterprise Program Management Office (ePMO).

IKM currently uses FileMaker Pro to manage investment data. VA is in the process of standardizing tools and OIT has determined that end users must transition from Desktop Database Management Systems (DBMS) such as FileMaker. VA has Enterprise License Agreements in place for preferred Relational Database Management Systems (RDBMS) technologies: Microsoft SQL Server and Oracle DB. As of July of 2016, desktop DBMS technologies may no longer be used to support line of business operations requiring data durability/persistence. IKM anticipates being required to transition to SQL Server in the near future. A waiver request has been submitted to continue to operate with FileMaker while transitioning to a SQL based data management and reporting system.

The Contractor shall provide personnel with knowledge and experience in successfully changing database tools and data migration. Additionally, the Contractor shall provide personnel experienced in using the following software products: Microsoft Office; FileMaker Pro version 12, 14, and 15; SQL Server 2012; SharePoint and the Rational Tool Suite.
4.0 PERFORMANCE DETAILS

4.1 PERFORMANCE PERIOD

The period of performance shall be one (1) year from date of award, with four (4) options for one (1) year each. Any work at the Government site shall not take place on Federal holidays or weekends unless directed by the Contracting Officer (CO). There are ten (10) Federal holidays set by law (USC Title 5 Section 6103) that VA follows:

Under current definitions, four are set by date:

- New Year's Day: January 1
- Independence Day: July 4
- Veterans Day: November 11
- Christmas Day: December 25

If any of the above falls on a Saturday, then Friday shall be observed as a holiday. Similarly, if one falls on a Sunday, then Monday shall be observed as a holiday.

The other six are set by a day of the week and month:

- Martin Luther King's Birthday: Third Monday in January
- Washington's Birthday: Third Monday in February
- Memorial Day: Last Monday in May
- Labor Day: First Monday in September
- Columbus Day: Second Monday in October
- Thanksgiving: Fourth Thursday in November

4.2 PLACE OF PERFORMANCE

Tasks under this PWS shall be performed in VA facilities; the current location is:

Strategic Investment Management
490 L'Enfant Plaza East, Suite 3202
Washington D.C. 20024-2135

Work may be performed at remote locations with prior approval of the Contracting Officer's Representative (COR).

4.3 TRAVEL

The Government anticipates travel under this PWS to perform the tasks associated with the effort, as well as to attend program-related meetings or conferences throughout the period of performance. The Contractor may be required to attend meetings in Washington, D.C., and/or other VA facilities. Local travel within a 50-mile radius from the VA Facility or an alternative approved remote location is considered the cost of doing business and will not be reimbursed. This includes travel, subsistence, and associated labor charges for travel time. Travel performed for personal convenience and daily travel to and from work at the Contractor's facility will not be reimbursed.
Travel, subsistence, and associated labor charges for travel time for travel beyond a 50-mile radius of the Contractor's approved work location are authorized for reimbursement on a case-by-case basis and must be pre-approved by the Contracting Officer's Representative (COR). Travel costs will be a cost-reimbursable, not-to-exceed line item.

The Government estimates the following travel for the one (1) year period of performance and four (4) option years.

Period | Estimated Destinations | Approximate Number of trips | Approximate Number of Contractor Personnel required per trip | Approximate Number of days per trip
Base Year | Tampa, FL | 1 | 3 | 4
Option Year 1 | Tampa, FL | 1 | 3 | 4
Option Year 2 | Tampa, FL | 1 | 3 | 4
Option Year 3 | Tampa, FL | 1 | 3 | 4
Option Year 4 | Tampa, FL | 1 | 3 | 4

Travel shall be in accordance with the Federal Travel Regulations (FTR) and requires advanced concurrence by the COR. Contractor travel within the local commuting area will not be reimbursed.

5.0 SPECIFIC TASKS AND DELIVERABLES

The Contractor shall perform the following:

5.1 PROJECT MANAGEMENT

5.1.1 CONTRACTOR PROJECT MANAGEMENT PLAN

The Contractor shall deliver a Contractor Project Management Plan (CPMP) that lays out the Contractor's approach, timeline and tools to be used in execution of the contract. The CPMP should take the form of both a narrative and graphic format that displays the schedule, milestones, risks and resource support.
The CPMP shall also include how the Contractor shall coordinate and execute planned, routine, and ad hoc data collection reporting requests as identified within the PWS. The initial baseline CPMP shall be concurred upon and updated in accordance with Section B of the contract. The Contractor shall update and maintain the VA PM approved CPMP throughout the PoP.

Deliverable: Contractor Project Management Plan

5.1.2 REPORTING REQUIREMENTS

The Contractor shall provide the Contracting Officer's Representative (COR) with monthly Progress Reports in electronic form in Microsoft Word and Project formats. The report shall include detailed instructions/explanations for each required data element, to ensure that data is accurate and consistent. These reports shall reflect data as of the last day of the preceding month.

The monthly Progress Reports shall cover all work completed during the reporting period and work planned for the subsequent reporting period. The report shall also identify any problems that arose and a description of how the problems were resolved. If problems have not been completely resolved, the Contractor shall provide an explanation including their plan and timeframe for resolving the issue. The Contractor shall monitor performance and report any deviations. It is expected that the Contractor will keep in communication with VA accordingly so that issues that arise are transparent to both parties to prevent escalation of outstanding issues.
Deliverable: Monthly Progress Report

5.2 TRACK, ANALYZE, AND REPORT ON VHA IT INVESTMENTS

On a daily basis the contractor shall implement the IKM Standard Operating Procedures (SOP) (see attachment 1); perform tracking, analysis, and reporting activities; and participate in continuous improvement activities that support processes (includes inputs and outputs). Examples of IKM tracking, analysis, and reporting activities and related outcomes/deliverables include the following:

VA and VHA IT Investment Tracking, Analysis, and Reporting

- Monitor and compare sources and identify the real and potential implications of those changes to VA and VHA IT Investments as described in the SOP (sources are subject to change but currently include: OI&T Quad Charts (focus on cost, performance, and risk); Budget Tracking Tool exports and Budget Operating Plans; Enterprise Project Structure (EPS) under VIP; Technical Systems Project Repository (TSPR); Multi-year Programming worksheets/data calls; VA and VHA IT Prioritization Lists; portfolio, program, project, and product information in Rational Tools; Health Systems Information Suite (HSIS) (contains investment data and is maintained by IKM) and Requirements and Development Management (RDM)/New Service Request Database (NSRD))
- Capture content and changes in appropriate media (examples: forms, worksheets, reports, briefings, and databases)
- Participate in prioritization activities (prioritization criteria are frequently impacted by changes to VA and VHA strategic goals and objectives) for VA and VHA IT Investments and incorporate prioritization results in HSIS
- Prepare and deliver various reports (current examples include: Everything List (includes info on all portfolios, programs, projects, and products); Stakeholder Lists (Chief Officers, Business Owners, Capability Management Boards, or other as requested); VHA IT Business Needs Bar Charts; Simple List and Active Project Report (both are subsets of Everything List); Continuous Prioritization Review (CPR) (also known as Unfunded Request (UFR)) List; VIP Interpretive Report; Fiscal Year Project Planning Reports; RDM/NSRD Reports; Multi-year Program (MYP) planning worksheets/data calls, workbooks) as a result of tracking and analysis activities (See attachments 2-5)
- Coordinate input to Government Accountability Office (GAO) and/or Office of Inspector General (OIG) responses
- Attend meetings (estimate twice weekly team meetings of 1 hour duration and twice weekly customer meetings of one hour duration)
- Execute, maintain, and update the IKM SOP (includes continuous improvement activities)
- Log details and statuses of changes and actions in an Action Item List

Deliverable: Weekly Tracking and Reporting Action Item List: The weekly Tracking and Reporting Action Item List shall reflect completion of all activities for Task 5.2 for each week and is due every Tuesday morning by 0900 am Eastern (or the following workday at 0900 am Eastern if Tuesday should be a holiday).

5.3 MANAGE DATA

On a daily basis, perform activities to maintain, update, transition, and support data (includes multiple databases [FileMaker Pro 12, 14, and 15; SQL Server 2012], share drives, and SharePoint sites).
Examples of daily activities and related outcomes/deliverables include the following:

VHA IT Investment Data Management

- Maintain, modify (includes defect repairs and enhancements), and update databases (HSIS and related forms and reports) (includes routine imports and exports of data to and from data sources and/or databases)
- Update databases with information and changes collected daily from VHA IT Investment tracking, analysis, and reporting activities
- Develop and deliver new scripts, queries, forms, and reports as required
- Provide help desk support to HSIS and Release Management (RM) database users (estimate number of users at 50 and frequency of requests at less than 5 weekly)
- Attend meetings (estimate twice weekly team meetings of 1 hour duration and twice weekly customer meetings of one hour duration)
- Maintain, modify, and update share drive
- Maintain, modify, and update mail groups and/or mail boxes and distribution lists
- Maintain, modify, and update 2 SharePoint sites (IKM and related areas on IGS)
- Log details and statuses of changes and actions regarding data management in an Action Item List

Deliverable: Weekly Data Management Action Item List: The weekly Data Management Action Item List shall reflect completion of all activities under Task 5.3 for each week and is due every Tuesday morning by 0900 am Eastern (or the following workday at 0900 am Eastern if Tuesday should be a holiday).

5.4 TRANSITION TO SQL DATABASE (BASE AND OPTION YEAR 1 ONLY)

Perform activities necessary to transition data and reports from FileMaker Pro 12 to a database on Microsoft SQL Server 2012. The level of effort to perform this task is expected to be 24 months. Examples of activities and related outcomes/deliverables include the following:

- Identify opportunities for streamlining database to improve efficiency.
- Create necessary tables in the new database (Microsoft SQL Server 2012) to replace 211 tables from the existing tables in the FileMaker Pro database.
- Migrate data from FileMaker Pro database tables to the new database tables in Microsoft SQL Server 2012 (See attachment 6)
- Prepare data for import into SQL solution
- Perform any data clean up/errors in the SQL solution
- Create necessary queries, forms, and reports in the new database and intranet user interface.

Deliverable: Weekly Database Transition Action Item List: The weekly Database Transition Action Item List shall reflect completion of all activities under Task 5.4 for each week and is due every Tuesday morning by 0900 am Eastern (or the following workday at 0900 am Eastern if Tuesday should be a holiday).

6.0 GENERAL REQUIREMENTS

6.1 ENTERPRISE AND IT FRAMEWORK

The Contractor shall support the VA enterprise management framework. In association with the framework, the Contractor shall comply with OI&T Technical Reference Model (One-VA TRM). One-VA TRM is one component within the overall Enterprise Architecture (EA) that establishes a common vocabulary and structure for describing the information technology used to develop, operate, and maintain enterprise applications. One-VA TRM includes the Standards Profile and Product List that collectively serves as a VA technology roadmap. Architecture, Strategy, and Design (ASD) has overall responsibility for the One-VA TRM.

(For applications, software, or hardware that cannot support PIV authentication in accordance with the below language, the Requiring Activity must obtain a Risk Based Decision Memorandum, approved by the Deputy Assistant Secretary for Information Security, before this language can be removed or modified, in accordance with the approved Risk Based Decision.
The RBD Standard Operating Procedures and the OIS RBD Template for a RBD can be found on the OIS website, and are located at https://vaww.portal2.va.gov/sites/infosecurity/ca/VA_6500_Waiver.aspx?RootFolder=%2Fsites%2Finfosecurity%2Fca%2FVA%206500%20Waiver%20Process%20Templates%20Approved%20Waivers%2FOIS%20Risk%2Dbased%20Decision%20Information&FolderCTID=0x0120006BB145E9AADE234EA16516CF539A30E3&View={A172AFB9-D135-4F51-8587-9A789F292058}. Any questions shall be directed to Tom Napier, HSPD-12 Director at Thomas.Napier@va.gov)

The Contractor shall ensure Commercial Off-The-Shelf (COTS) product(s), software configuration and customization, and/or new software are PIV-enabled by accepting HSPD-12 PIV credentials using VA Enterprise Technical Architecture (ETA), http://www.ea.oit.va.gov/VA_EA/VAEA_TechnicalArchitecture.asp, and VA Identity and Access Management (IAM) approved enterprise design and integration patterns, http://www.techstrategies.oit.va.gov/enterprise_dp.asp.

The Contractor shall ensure all Contractor delivered applications and systems are compliant with VA Identity Management Policy (VAIQ# 7011145), Continued Implementation of Homeland Security Presidential Directive 12 (VAIQ#7100147), and VA IAM enterprise identity management requirements (IAM Identity Management Business Requirements Guidance document), located at https://www.voa.va.gov/documentlistpublic.aspx?NodeID=514.

The Contractor shall ensure all Contractor delivered applications and systems provide user authentication services compliant with NIST Special Publication 800-63, VA Handbook 6500 Appendix F, VA System Security Controls, and VA IAM enterprise requirements for direct, assertion based authentication, and/or trust based authentication, as determined by the design and integration patterns.
Direct authentication at a minimum must include Public Key Infrastructure (PKI) based authentication supportive of Personal Identity Verification (PIV) and/or Common Access Card (CAC), as determined by the business need. Assertion based authentication must include a SAML implementation. Additional assertion implementations, besides the required SAML assertion, may be provided as long as they are compliant with NIST 800-63 guidelines. Trust based authentication must include authentication/account binding based on trusted HTTP headers.

The Contractor solution shall conform to the specific Identity and Access Management PIV requirements set forth in OMB Memoranda M-04-04 (http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy04/m04-04.pdf), M-05-24 (http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2005/m05-24.pdf), M-11-11 (http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-11.pdf), National Institute of Standards and Technology (NIST) Federal Information Processing Standard (FIPS) 201-2, and supporting NIST Special Publications.

(Section 6.1, paragraph 3, below contains the requirement that all Contractor Solutions must support Internet Protocol Version 6 (IPv6). If the requiring activity has obtained a signed waiver from the VA OI&T CIO office that the IPv6 requirement cannot be met due to patient safety, patient care, or other exception, then the following language ("A signed waiver has been obtained from the VA OI&T CIO Office that the IPv6 requirement cannot be met, and as a result, IPv6 is not a requirement for this effort."), or similar, must replace the IPv6 paragraph 3 below. The requiring activity can modify the language above as necessary, in accordance with their specific requirements.)
The Contractor solution shall support the latest Internet Protocol Version 6 (IPv6) based upon the directive issued by the Office of Management and Budget (OMB) on September 28, 2010 (https://cio.gov/wp-content/uploads/downloads/2012/09/Transition-to-IPv6.pdf) and (http://www.cybertelecom.org/dns/ipv6usg.htm). IPv6 technology, in accordance with the USGv6: A Technical Infrastructure for USGv6 Adoption (http://www.nist.gov/itl/antd/usgv6.cfm) and the NIST SP 800 series applicable compliance (http://csrc.nist.gov/publications/PubsSPs.html), shall be included in all IT infrastructures, application designs, application development, operational systems and sub-systems, and their integration. All public/external facing servers and services (e.g. web, email, DNS, ISP services, etc.) shall support native IPv6 users, and all internal infrastructure and applications shall communicate using native IPv6 operations. Guidance and support of improved methodologies which ensure interoperability with legacy protocol and services, in addition to OMB/VA memoranda, can be found at https://www.voa.va.gov/documentlistpublic.aspx?NodeID=282.

The Contractor solution shall meet the requirements outlined in Office of Management and Budget Memorandum M-08-05 mandating Trusted Internet Connections (TIC) (http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2008/m08-05.pdf), M-08-23 mandating Domain Name System Security (DNSSEC) (http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2008/m08-23.pdf), and shall comply with the Trusted Internet Connections (TIC) Reference Architecture Document, Version 2.0 https://www.fedramp.gov/files/2015/04/TIC_Ref_Arch_v2-0_2013.pdf.

The Contractor IT end user solution that is developed for use on standard VA computers shall be compatible with and be supported on the standard VA operating system, currently Windows 7 (64bit), Internet Explorer 11 and Microsoft Office 2010.
In preparation for the future VA standard configuration update, end user solutions shall also be compatible with Office 2013 and Windows 8.1. However, Office 2013 and Windows 8.1 are not the VA standard yet and are currently not approved for use on the VA Network, but are in-process for future approval by OI&T. Upon the release approval of Office 2013 and Windows 8.1 individually as the VA standard, Office 2013 and Windows 8.1 will supersede Office 2010 and Windows 7 respectively.

Applications delivered to the VA and intended to be deployed to Windows 7 workstations shall be delivered as a signed .msi package and updates shall be delivered in signed .msp file formats for easy deployment using System Center Configuration Manager (SCCM), VA's current desktop application deployment tool. Signing of the software code shall be through a vendor provided certificate that is trusted by the VA using a code signing authority such as Verizon/Cybertrust or Symantec/VeriSign. The Contractor shall also ensure and certify that their solution functions as expected when used from a standard VA computer, with non-admin, standard user rights that have been configured using the United States Government Configuration Baseline (USGCB) specific to the particular client operating system being used.

The Contractor shall support VA efforts IAW the Veteran Focused Integration Process (VIP). VIP is a Lean-Agile framework that services the interest of Veterans through the efficient streamlining of activities that occur within the enterprise. The VIP Guide can be found at https://www.voa.va.gov/DocumentView.aspx?DocumentID=4371. The VIP framework creates an environment delivering more frequent releases through a deeper application of Agile practices. In parallel with a single integrated release process, VIP will increase cross-organizational and business stakeholder engagement, provide greater visibility into projects, increase Agile adoption and institute a predictive delivery cadence.
VIP is now the single authoritative process that IT projects must follow to ensure development and delivery of IT products. The Contractor shall utilize ProPath, the OI&T-wide process management tool that assists in the execution of an IT project (including adherence to VIP standards). It is a one-stop shop providing critical links to the formal approved processes, artifacts, and templates to assist project teams in facilitating their VIP compliant work.

SECURITY AND PRIVACY REQUIREMENTS

POSITION/TASK RISK DESIGNATION LEVEL(S)

Position Sensitivity and Background Investigation (in accordance with Department of Veterans Affairs 0710 Handbook, Personnel Suitability and Security Program, Appendix A)

Position Sensitivity: Low / Tier 1
Background Investigation: Tier 1 / National Agency Check with Written Inquiries (NACI). A Tier 1/NACI is conducted by OPM and covers a 5-year period. It consists of a review of records contained in the OPM Security Investigations Index (SII) and the DOD Defense Central Investigations Index (DCII), Federal Bureau of Investigation (FBI) name check, FBI fingerprint check, and written inquiries to previous employers and references listed on the application for employment. In VA it is used for Non-sensitive or Low Risk positions.

Position Sensitivity: Moderate / Tier 2
Background Investigation: Tier 2 / Moderate Background Investigation (MBI). A Tier 2/MBI is conducted by OPM and covers a 5-year period. It consists of a review of National Agency Check (NAC) records [OPM Security Investigations Index (SII), DOD Defense Central Investigations Index (DCII), FBI name check, and an FBI fingerprint check], a credit report covering a period of 5 years, written inquiries to previous employers and references listed on the application for employment; an interview with the subject, law enforcement check; and a verification of the educational degree.

Position Sensitivity: High / Tier 4
Background Investigation: Tier 4 / Background Investigation (BI). A Tier 4/BI is conducted by OPM and covers a 10-year period. It consists of a review of National Agency Check (NAC) records [OPM Security Investigations Index (SII), DOD Defense Central Investigations Index (DCII), FBI name check, and an FBI fingerprint check report], a credit report covering a period of 10 years, written inquiries to previous employers and references listed on the application for employment; an interview with the subject, spouse, neighbors, supervisor, co-workers; court records, law enforcement check, and a verification of the educational degree.

The position sensitivity and the level of background investigation commensurate with the required level of access for the following tasks within the PWS are:

Position Sensitivity and Background Investigation Requirements by Task

Task Number | Tier 1 / Low / NACI | Tier 2 / Moderate / MBI | Tier 4 / High / BI
5.1
5.2
5.3
5.4

The Tasks identified above and the resulting Position Sensitivity and Background Investigation requirements identify, in effect, the Background Investigation requirements for Contractor individuals, based upon the tasks the particular Contractor individual will be working. The submitted Contractor Staff Roster must indicate the required Background Investigation Level for each Contractor individual based upon the tasks the Contractor individual will be working, in accordance with their submitted proposal.

CONTRACTOR PERSONNEL SECURITY REQUIREMENTS

Contractor Responsibilities:

The Contractor shall prescreen all personnel requiring access to the computer systems to ensure they maintain the appropriate Background Investigation, and are able to read, write, speak and understand the English language.

The Contractor shall bear the expense of obtaining background investigations.

Within 3 business days after award, the Contractor shall provide a roster of Contractor and Subcontractor employees to the COR to begin their background investigations in accordance with the ProPath template.
The Contractor Staff Roster shall contain the Contractor's Full Name, Date of Birth, Place of Birth, individual background investigation level requirement (based upon Section 6.2 Tasks), etc. The Contractor shall submit full Social Security Numbers either within the Contractor Staff Roster or under separate cover to the COR. The Contractor Staff Roster shall be updated and provided to VA within 1 day of any changes in employee status, training certification completion status, Background Investigation level status, additions/removal of employees, etc. throughout the Period of Performance. The Contractor Staff Roster shall remain a historical document indicating all past information and the Contractor shall indicate in the Comment field, employees no longer supporting this contract. The preferred method to send the Contractor Staff Roster or Social Security Number is by encrypted e-mail. If unable to send encrypted e-mail, other methods which comply with FIPS 140-2 are to encrypt the file, use a secure fax, or use a traceable mail service.

The Contractor should coordinate the location of the nearest VA fingerprinting office through the COR. Only electronic fingerprints are authorized.

The Contractor shall ensure the following required forms are submitted to the COR within 5 days after contract award:

- Optional Form 306
- Self-Certification of Continuous Service
- VA Form 0710
- Completed Security and Investigations Center (SIC) Fingerprint Request Form

The Contractor personnel shall submit all required information related to their background investigations (completion of the investigation documents (SF85, SF85P, or SF 86)) utilizing the Office of Personnel Management's (OPM) Electronic Questionnaire for Investigations Processing (e-QIP) after receiving an email notification from the Security and Investigation Center (SIC).
The Contractor employee shall certify and release the e-QIP document, print and sign the signature pages, and send them encrypted to the COR for electronic submission to the SIC. These documents shall be submitted to the COR within 3 business days of receipt of the e-QIP notification email. (Note: OPM is moving towards a "click to sign" process. If click to sign is used, the Contractor employee should notify the COR within 3 business days that documents were signed via e-QIP.)

The Contractor shall be responsible for the actions of all personnel provided to work for VA under this contract. In the event that damages arise from work performed by Contractor provided personnel, under the auspices of this contract, the Contractor shall be responsible for all resources necessary to remedy the incident.

A Contractor may be granted unescorted access to VA facilities and/or access to VA Information Technology resources (network and/or protected data) with a favorably adjudicated Special Agreement Check (SAC), training delineated in VA Handbook 6500.6 (Appendix C, Section 9), and the signed Contractor Rules of Behavior. However, the Contractor will be responsible for the actions of the Contractor personnel they provide to perform work for VA. The investigative history for Contractor personnel working under this contract must be maintained in the database of the Office of Personnel Management (OPM).

The Contractor, when notified of an unfavorably adjudicated background investigation on a Contractor employee as determined by the Government, shall withdraw the employee from consideration in working under the contract.

Failure to comply with the Contractor personnel security investigative requirements may result in loss of physical and/or logical access to VA facilities and systems by Contractor and Subcontractor employees and/or termination of the contract for default.
Identity Credential Holders must follow all HSPD-12 policies and procedures as well as use and protect their assigned identity credentials in accordance with VA policies and procedures, displaying their badges at all times, and returning the identity credentials upon termination of their relationship with VA.

Deliverable: Contractor Staff Roster

METHOD AND DISTRIBUTION OF DELIVERABLES

The Contractor shall deliver documentation in electronic format, unless otherwise directed in Section B of the solicitation/contract. Acceptable electronic media include: MS Word 2000/2003/2007/2010, MS Excel 2000/2003/2007/2010, MS PowerPoint 2000/2003/2007/2010, MS Project 2000/2003/2007/2010, MS Access 2000/2003/2007/2010, MS Visio 2000/2002/2003/2007/2010, AutoCAD 2002/2004/2007/2010, and Adobe Postscript Data Format (PDF).

PERFORMANCE METRICS

The table below defines the Performance Standards and Acceptable Levels of Performance associated with this effort.

Required Service/Task: Project Management Plan (See PWS Section 5.1.1)
Performance Standard: The Contractor shall deliver a Contractor Project Management Plan (CPMP) that lays out the Contractor's approach, timeline and tools to be used in execution of the contract. The CPMP should take the form of both a narrative and graphic format that displays the schedule, milestones, risks and resource support. The CPMP shall also include how the Contractor shall coordinate and execute planned, routine, and ad hoc data collection reporting requests as identified within the PWS.
Acceptable Quality Level: Zero instances where significant errors or omissions were identified (See Note 1)
Method of Surveillance: 100% Inspection
Incentive (Positive and/or Negative): Firm-Fixed Price (FFP) TO. The PM and COR will review and accept deliverables. Contractor shall re-accomplish products found to be unacceptable or not meeting the intent of the task and the work within (3) business days. Contractor will receive payment once deliverable is accepted by the Government. See Note 2.

Required Service/Task: Monthly Progress Report (See PWS Section 5.1.2)
Performance Standard: The monthly Progress Reports shall cover all work completed during the reporting period and work planned for the subsequent reporting period. The report shall also identify any problems that arose and a description of how the problems were resolved. If problems have not been completely resolved, the Contractor shall provide an explanation including their plan and timeframe for resolving the issue. The Contractor shall monitor performance and report any deviations. It is expected that the Contractor will keep in communication with VA accordingly so that issues that arise are transparent to both parties to prevent escalation of outstanding issues.
Acceptable Quality Level: Zero instances where significant errors or omissions were identified (See Note 1)
Method of Surveillance: 100% Inspection
Incentive (Positive and/or Negative): FFP TO. The PM and COR will review and accept deliverables. Contractor shall re-accomplish products found to be unacceptable or not meeting the intent of the task and the work within (3) business days. Contractor will receive payment once deliverable is accepted by the Government. See Note 2.

Required Service/Task: Track, Analyze and Report on VHA IT Investments (see PWS Section 5.2)
Performance Standard: On a daily basis the contractor shall implement the IKM Standard Operating Procedures (SOP); perform tracking, analysis, and reporting activities; participate in continuous improvement activities that support processes (includes inputs and outputs).
Acceptable Quality Level: Zero instances where significant errors or omissions were identified (See Note 1)
Method of Surveillance: 100% Inspection
Incentive (Positive and/or Negative): FFP TO. The PM and COR will review and accept deliverables. Contractor shall re-accomplish products found to be unacceptable or not meeting the intent of the task and the work within (3) business days. Contractor will receive payment once deliverable is accepted by the Government. See Note 2.

Required Service/Task: Manage Data (see PWS Section 5.3)
Performance Standard: On a daily basis, perform activities to maintain, update, transition, and support data (includes multiple databases [FileMaker Pro 12, 14, and 15; SQL Server 2012], share drives, and SharePoint sites). Examples of daily activities and related outcomes/deliverables
Acceptable Quality Level: Zero instances where significant errors or omissions were identified (See Note 1)
Method of Surveillance: 100% Inspection
Incentive (Positive and/or Negative): FFP TO. The PM and COR will review and accept deliverables. Contractor shall re-accomplish products found to be unacceptable or not meeting the intent of the task and the work within (3) business days. Contractor will receive payment once deliverable is accepted by the Government. See Note 2.

Required Service/Task: Transition to SQL Database (see PWS Section 5.4)
Performance Standard: Perform activities necessary to transition data and reports from FileMaker Pro 12 to a database on Microsoft SQL Server 2012.
Acceptable Quality Level: Zero instances where significant errors or omissions were identified (See Note 1)
Method of Surveillance: 100% Inspection
Incentive (Positive and/or Negative): FFP TO. The PM and COR will review and accept deliverables. Contractor shall re-accomplish products found to be unacceptable or not meeting the intent of the task and the work within (3) business days. Contractor will receive payment once deliverable is accepted by the Government. See Note 2.

Note 1: Significant errors or omissions are defined as deliverables not meeting the intent of the task and the work considered to be within scope of this order.

Note 2: Continued repetitive errors may result in an unacceptable rating on performance report to be used as part of the evaluation criteria on future order competitions.

The COR will utilize a Quality Assurance Surveillance Plan (QASP) throughout the life of the contract to ensure that the Contractor is performing the services required by this PWS in an acceptable level of performance. The Government reserves the right to alter or change the surveillance methods in the QASP at its own discretion.
A Performance Based Service Assessment will be used by the COR in accordance with the QASP to assess Contractor performance.

FACILITY/RESOURCE PROVISIONS

The Government will provide office space, telephone service and system access when authorized contract staff work at a Government location as required in order to accomplish the Tasks associated with this PWS. All procedural guides, reference materials, and program documentation for the project and other Government applications will also be provided on an as-needed basis.

The Contractor shall request other Government documentation deemed pertinent to the work accomplishment directly from the Government officials with whom the Contractor has contact. The Contractor shall consider the COR as the final source for needed Government documentation when the Contractor fails to secure the documents by other means. The Contractor is expected to use common knowledge and resourcefulness in securing all other reference materials, standard industry publications, and related materials that are pertinent to the work.

VA may provide remote access to VA specific systems/network in accordance with VA Handbook 6500, which requires the use of a VA approved method to connect external equipment/systems to VA's network. Citrix Access Gateway (CAG) is the current and only VA approved method for remote access users when using or manipulating VA information for official VA Business. VA permits CAG remote access through approved Personally Owned Equipment (POE) and Other Equipment (OE) provided the equipment meets all applicable 6500 Handbook requirements for POE/OE. All of the security controls required for Government furnished equipment (GFE) must be utilized in approved POE or OE. The Contractor shall provide proof to the COR for review and approval that their POE or OE meets the VA Handbook 6500 requirements and VA Handbook 6500.6 Appendix C, herein incorporated as Addendum B, before use.
CAG authorized users shall not be permitted to copy, print or save any VA information accessed via CAG at any time. VA prohibits remote access to VA's network from non-North Atlantic Treaty Organization (NATO) countries. The exception to this are countries where VA has approved operations established (e.g. Philippines and South Korea). Exceptions are determined by the COR in coordination with the Information Security Officer (ISO) and Privacy Officer (PO).

This remote access may provide access to VA specific software such as Veterans Health Information System and Technology Architecture (VistA), ClearQuest, ProPath, Primavera, and Remedy, including appropriate seat management and user licenses, depending upon the level of access granted. The Contractor shall utilize government-provided software development and test accounts, document and requirements repositories, etc. as required for the development, storage, maintenance and delivery of products within the scope of this effort. The Contractor shall not transmit, store or otherwise maintain sensitive data or products in Contractor systems (or media) within the VA firewall IAW VA Handbook 6500.6 dated March 12, 2010. All VA sensitive information shall be protected at all times in accordance with VA Handbook 6500, local security field office System Security Plans (SSPs) and Authority to Operate (ATOs) for all systems/LANs accessed while performing the tasks detailed in this PWS. The Contractor shall ensure all work is performed in countries deemed not to pose a significant security risk.

For detailed Security and Privacy Requirements (additional requirements of the contract consolidated into an addendum for easy reference) refer to ADDENDUM A - ADDITIONAL VA REQUIREMENTS, CONSOLIDATED and ADDENDUM B - VA INFORMATION AND INFORMATION SYSTEM SECURITY/PRIVACY LANGUAGE.
 
Web Link
FBO.gov Permalink
(https://www.fbo.gov/spg/VA/ISC/OISC/VA70117N0095/listing.html)
 
Document(s)
Attachment
 
File Name: VA701-17-N-0095 VA701-17-N-0095.docx (https://www.vendorportal.ecms.va.gov/FBODocumentServer/DocumentServer.aspx?DocumentId=3411588&FileName=VA701-17-N-0095-000.docx)

 
File Name: VA701-17-N-0095 Attachment A- PWS.docx (https://www.vendorportal.ecms.va.gov/FBODocumentServer/DocumentServer.aspx?DocumentId=3411589&FileName=VA701-17-N-0095-001.docx)

 
Note: If links are broken, refer to Point of Contact above or contact the FBO Help Desk at 877-472-3779.
 
Record
SN04469908-W 20170414/170412234711-f9147f377c03fc5fb05924541e71aca9 (fbodaily.com)
 
Source
FedBizOpps Link to This Notice
(may not be valid after Archive Date)
