Loren Data's SAM Daily™

FBO DAILY - FEDBIZOPPS ISSUE OF SEPTEMBER 26, 2018 FBO #6151
SOLICITATION NOTICE

70 -- iMEDCONSENT Software and Software Maintenance

Notice Date
9/24/2018
 
Notice Type
Presolicitation
 
NAICS
511210 — Software Publishers
 
Contracting Office
Department of the Army, Army Contracting Command, CSBs, 413th CSB (W912CN) RCO Hawaii, 742 Santos Dumont Ave., BLDG 108, Wheeler Army Air Field (WAAF), Schofield Barracks, Hawaii, 96857, United States
 
ZIP Code
96857
 
Solicitation Number
W912CN-18-Q-IMED
 
Archive Date
10/11/2018
 
Point of Contact
Stephanie A. Hunter, Phone: 8086560995
 
E-Mail Address
Stephanie.a.hunter20.civ@mail.mil
 
Small Business Set-Aside
N/A
 
Description
(1) Action Code. Synopsis - W912CN
(2) Date. 09/24/2018
(3) Year. 2018
(4) Contracting Office Zip Code. 96854
(5) Product or Service Code. 7030
(6) Contracting Office Address. 413th Contracting Support Brigade (CSB) Regional Contracting Office-Hawaii (RCO-HI) Bldg 108, 3rd Floor (Located on Wheeler Army Airfield (WAAF)) Schofield Barracks, HI 96857
(7) Subject. iMEDCONSENT Software and Software Maintenance
(8) Proposed Solicitation Number. W912CN-18-Q-IMED
(9) Closing Response Date. 09/26/2018
(10) Contact Point or Contracting Officer. Contract Specialist - Stephanie Hunter - Stephanie.a.hunter20.civ@mail.mil
(12) Line Item Number. N/A
(13) Description: INFORMED CONSENT SOFTWARE

1. Introduction. The Tripler Army Medical Center (TAMC), Office of the Center Judge Advocate, requires a software product that will allow TAMC to meet requirements for informed consent, which ensures that patients have received and signed an informed consent form for procedures, anesthesia, and treatments.

2. Scope of Work. The Contractor shall address the need to enable the patient and the provider to digitally sign an informed consent form that clearly identifies the procedure and associated risks. Informed consent documents shall be stored electronically and meet legal and Joint Commission requirements for informed consent of the patient. Software will require connectivity and integration with existing TAMC systems.

3. Deliverables. The Contractor shall provide the following:
3.1. Provide the required specifications for patient demographics and provider information that will be used by the informed consent software.
3.2. Perform the server setup and system installation on a Government furnished server.
3.3. Test the software to ensure proper functionality.
3.4. Establish redundancy of the server.
3.5. Provide software application manuals and training. Training shall include four train-the-trainer application training sessions. In addition, provide over-the-shoulder support to end users as the application goes live in each clinical area. Trainer for over-the-shoulder training shall be on call and available 24 hours per day for three days during each clinic deployment.
3.6. Provide software updates, patches, and new releases at no additional charge. Interfaces with Government systems (e.g. Essentris or AHLTA) shall be considered a software update.
3.7. Provide application technical support via remote access 24 hours per day, 7 days per week.

4. Information Assurance Requirements.
4.1. Contractor shall agree with the U.S. Army Medical Information Technology Center (USAMITC) Business to Business (B2B) approved method for remote access.
4.2. Assist the TAMC system analyst with completion of a Certificate of Networthiness (CON).
4.3. General Security Requirements. The Contractor shall establish appropriate administrative, technical, and physical safeguards to protect any and all Army data, to ensure the confidentiality, integrity, and availability of Army data. As a minimum, this shall include provisions for personnel security, electronic security and physical security as listed in the sections that follow:
4.3.1. Health Insurance Portability and Accountability Act (HIPAA). The contractor shall:
4.3.1.1. Implement administrative, physical, and technical safeguards that will protect the confidentiality, integrity, and availability of the PHI.
4.3.1.2. Ensure all agents or subcontractors to whom the business associate provides PHI will also implement reasonable and appropriate safeguards to protect the information.
4.3.1.3. Report all security incidents.
4.3.1.4. The Government shall terminate the contract if the Contractor violates the terms of the contract.

4.4. Personnel Security.
4.4.1. The contractor shall comply with Army Regulation 25-2, "Information Assurance" (IA), Army Regulation 25-1, "Army Knowledge Management and Information Technology," and "DoD Health Information Privacy Regulation."
4.4.2. Contractor responsibilities for ensuring personnel security include, but are not limited to, meeting the following requirements:
4.4.2.1. Follow the Army guidelines for submittal of Information Technology (IT) security background checks and ensure all contractor personnel are designated as IT-I, IT-II, or IT-III where their duties meet the criteria of the position sensitivity designations. Contact the TAMC Information Assurance Manager (IAM) for guidance on the appropriate IT levels for personnel on the contract.
4.4.2.2. Initiate, maintain, and document personnel security investigations appropriate to the individual's responsibilities and required access to MEDCOM Sensitive Information (SI).
4.4.2.3. Immediately report to the TAMC IAM and deny access to any automated information system (AIS), network, or MEDCOM SI information if a contractor employee filling a sensitive position receives an unfavorable adjudication, if information that would result in an unfavorable adjudication becomes available, or if directed to do so by the appropriate Army representative for security reasons.
4.4.2.4. Ensure that all contractor personnel receive information assurance (IA) training before being granted access to Army AISs/networks, and/or MEDCOM SI information.

4.5. Electronic Security.
4.5.1. Contractor Information Systems (IS)/networks that are involved in the operation of systems in support of the Army's Health System shall operate in accordance with controlling laws, regulations, and Army policy.
4.5.2. Certification & Accreditation (C&A) requirements apply to all Army and contractor's IS/networks that receive, process, display, store or transmit Army information. The contractor shall comply with the C&A process for safeguarding SI. Certification is the determination of the appropriate level of protection required for IS/networks. Certification also includes a comprehensive evaluation of the technical and non-technical security features and countermeasures required for each system/network.
4.5.3. Accreditation is the formal approval by the Army to operate the contractor's IS/networks in a particular security mode using a prescribed set of safeguards at an acceptable level of risk. In addition, accreditation allows IS/networks to operate within the given operational environment with stated interconnections; and with appropriate level of protection for the specified period.
4.5.4. The contractor shall comply with C&A requirements, as specified by the Army that meet appropriate Army Information Assurance requirements. The C&A requirements shall be met before the contractor's system is authorized to access Army data or interconnect with any Army IS/network that receives, processes, stores, displays or transmits Army data. The contractor shall initiate the C&A process by providing the Contracting Officer, within 60 days following contract award, the required documentation necessary to receive an Approval to Operate (ATO). The contractor shall make their IS/networks available for testing, and initiate the C&A testing four months (120 days) in advance of accessing Army data or interconnecting with Army IS/networks. The contractor shall ensure the proper contractor support staff is available to participate in all phases of the C&A process. They include, but are not limited to:
4.5.4.1. Attending and supporting C&A meetings with the Army
4.5.4.2. Supporting/conducting the vulnerability mitigation process
4.5.4.3. Supporting the C&A Team during system security testing
4.5.5. Contractors must confirm that their IS/networks are locked down prior to initiating testing.
4.5.6. Confirmation of system lock down shall be agreed upon during the definition of the C&A boundary and be signed and documented as part of the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP).
4.5.7. Locking down the system means that there shall be no changes made to the configuration of the system (within the C&A boundary) during the C&A process.
4.5.8. Any re-configuration or change in the system during the C&A testing process will require a re-baselining of the system and documentation of system changes.
4.5.9. Vulnerabilities that have been identified by the Army as "must-fix" issues during C&A process must be mitigated according to the timeline identified by the Army Representative. C&A Checklists are provided for complying with Army C&A requirements. Reference material and C&A tools may be obtained at the USAMITC IA Document Library (Portal): https://mitc.amedd.army.mil/IA.
4.5.10. A request for a waiver to the C&A requirements may be submitted for temporary testing and other usual circumstances. A waiver request must be submitted, in writing, to the Designated Approving Authority (DAA). The request must include mitigation strategies that ensure adequate protection measures and security controls are in place (for example: air gapping a testing network).
4.5.11. Information Assurance Vulnerability Management (IAVM). The contractor shall implement an information assurance vulnerability management program. The Army IAVM program provides electronic security protections against known threats and vulnerabilities. The IAVM program requires the registration of AIS system assets, which then allows for the timely dissemination of critical vulnerability information. It also assists in the documentation and tracking of compliance, providing increased electronic security to MEDCOM systems. As part of the program, the contractor shall provide a primary and secondary point of contact in the Asset & Vulnerability Tracking Resource (A&VTR). The point of contact shall provide, upon receipt of a vulnerability message, an acknowledgment of receipt via the A&VTR. The contractor shall thoroughly test all mitigations for the vulnerability, and upon applying the mitigation to the system, report compliance in the A&VTR. Receipt and compliance messages to the Army shall occur within the stipulated time window, as stated in the vulnerability message or in the A&VTR.
4.5.12. The contractor shall ensure AIS assets that are under development are registered in the A&VTR and have all applicable electronic patches installed for the system (1) when the system is delivered to MEDCOM, or (2) if the AIS assets are used to store or process Army data prior to delivery (such as when being used in testing and development).
4.5.13. Guidance regarding the requirement for IAVM is contained in the Army Regulation 25-2, "Information Assurance" and Army Regulation 25-1, "Army Knowledge Management and Information Technology." An asset is defined as any hardware device, such as a router, firewall, server, or an operating system image accessed by more than one user. Primary servers and the workstations that they support are assets that must be registered in the A&VTR. The "Army IAVM Community" website (URL: https://www.us.army.mil/suite/personalization/grouppage.do?groupid=16822) is used to disseminate IAVAs, Information Assurance Vulnerability Bulletins (IAVBs), and Information Assurance Technical Advisories down to the System Administrator (SA) and applicable personnel throughout the chain of command.
4.5.14. The contractor shall maintain any development environments in accordance with MEDCOM Information Assurance (IA) best practices and operational requirements. During product development for the Army, the contractor shall ensure that all IA mitigation strategies have been applied to the development environment prior to any Army data being loaded onto any assets or software for testing or delivery.
4.5.15. IA mitigation strategies include security updates, service packs, and changes to operating procedures as physical and cyber vulnerabilities are detected. Operating system, routers, servers, development platforms and the application being delivered to the Army shall be in compliance with all known applicable Army Computer Emergency Response Team (ACERT) Alert, Bulletin, and Technical Advisory Notices published during the past 36 months.
4.5.16. Disposing of Electronic Media. Vendors shall follow the Army standards, procedures, and use approved products to dispose of unclassified hard drives and other electronic media, as appropriate, in accordance with Army Regulation 25-2, "Information Assurance" and Army Best Business Practices (BBP), "Reuse of Computer Hard Drives."
4.5.17. Ports Protocols and Services. Vendors shall follow all current Army standards and requirements for acceptable Ports, Protocols, and Services. Any request for exception to using the current Army Ports, Protocols, and Services standards requires a request for exception sent through the Program Manager to the DAA.
4.5.18. Public Key Infrastructure and Encryption. Vendors shall follow the Army standards, policies, and procedures related to the use of Public Key Infrastructure (PKI) certificates and biometrics for positive authentication. Where interoperable PKI is required for the exchange of unclassified information between the Army and its vendors and contractors, industry partners shall obtain all necessary certificates. Vendors must turn over to the Army all encryption keys for deployed systems, backdoor algorithms, and procedures for their use in remote support. The Vendor must provide a written report detailing all of the above, prior to task order expiration, regardless of modifications or extensions.

4.6. Information Systems (IS)/Networks Physical Security.
4.6.1. The contractor shall employ physical security safeguards for IS/Networks involved in processing or storage of Army Data to prevent the unauthorized access, disclosure, modification, destruction, use, etc., and to otherwise protect the confidentiality and ensure use conforms with Army regulations. In addition, the contractor will support a Physical Security Audit performed by the Army of the contractor's internal information management infrastructure. The MHS Physical Security Audit Matrix is available at: http://www.tricare.mil/tmis_new/Policy/PSA_Matrix_%20012304%200930%20clean%20version.xls.
4.6.2. The contractor shall correct any deficiencies identified by the Army of the contractor's physical security posture. The contractor shall be required to follow all requirements in the Army's Information Assurance Policy. New Army policies will be posted to the following website: http://www.apd.army.mil/.
4.6.3. The contractor shall ensure that data which contains PHI is continuously protected from unauthorized access, use, modification, or disclosure. The contractor shall comply with all previously stated requirements for HIPAA, Personnel Security, Electronic Security, and Physical Security.

(14) Place of Contract Performance. Tripler Army Medical Center, Hawaii
(15) Set-aside Status. - SOLE SOURCE

The 413th RCO Hawaii intends to sole source award IAW FAR 13.106-1(b)(1) to:

Taylor Communications, Inc
1725 Roe Crest Drive
North Mankato, MN 56003

For iMedConsent Clinical Content library for use on iMedConsent Enterprise Software Program. Includes content updates throughout the license term. iMedConsent Software Program Maintenance includes maintenance and updates throughout the term for a base and two option years. This is being sole sourced as Taylor Communications is the sole seller of the iMedConsent and it is proprietary to the company. All responsible sources may submit a capability statement, quote which shall be considered by the agency by 26 September, 2018.
 
Web Link
FBO.gov Permalink
(https://www.fbo.gov/notices/fd74edcb637f018ad32a8310adbf0184)
 
Place of Performance
Address: TRIPLER ARMY MEDICAL CENTER, Hawaii, United States
 
Record
SN05102376-W 20180926/180924230941-fd74edcb637f018ad32a8310adbf0184 (fbodaily.com)
 