SPECIAL NOTICE
H -- PlanCheck for the Louis Stokes Cleveland VA Medical Center Radiation Oncology Service
- Notice Date
- 4/15/2020 6:47:38 AM
- Notice Type
- Special Notice
- NAICS
- 334519 — Other Measuring and Controlling Device Manufacturing
- Contracting Office
- 250-NETWORK CONTRACT OFFICE 10 (36C250) DAYTON OH 45428 USA
- ZIP Code
- 45428
- Solicitation Number
- 36C25020Q0533
- Archive Date
- 07/14/2020
- Point of Contact
- Gina P. Crank (614) 625-1236
- E-Mail Address
- gina.crank@va.gov
- Awardee
- null
- Description
- The Department of Veterans Affairs, Louis Stokes Cleveland VA Medical Center, intends to negotiate a sole source contract with Sun Nuclear Corporation to purchase specialized QA measurement devices. In the Radiation Oncology Service, Medical Linear Accelerator equipment is used to provide radiation treatment for patients with cancer. The equipment needs to undergo quality assurance (QA) testing to align with national mandates. Sun Nuclear Corporation is the only manufacturer of quality assurance devices that are compatible with our existing Varian Linear Accelerator equipment; the American Association of Physicists in Medicine Task Group 142 report on QA specifications. The North American Industry Classification System Code (NAICS) is 334519. The Government believes that Sun Nuclear Corporation is the only provider that can satisfy the agency requirements. Therefore, the Government intends to proceed with a sole source for the required specialized QA measurement devices. This procurement is being conducted in accordance with FAR 6.302 only one responsible source and no other vendor will satisfy agency requirements. To the best of our knowledge, Sun Nuclear Corporation is the only source that provides the above indicated services/supplies. This notice of intent is not a request for competitive quotes. No solicitation document is available; however, any firm that believes it can meet these requirements may give written notification to the Contracting Officer within three (3) business days from the date of publication of this synopsis. Supporting evidence must be furnished in sufficient detail to demonstrate the ability to comply with the above requirements. Information can be sent to the Contracting Officer, VA Ambulatory Care Center, 420 N. James Road, Columbus, Ohio 43219-1834, faxed to 614.388.7500 or emailed to gina.crank@va.gov. 
Responses received will be evaluated; however, a determination by the Government not to compete the proposed procurement based upon responses to this notice is solely within the discretion of the Government. If no responses are received, the Louis Stokes VA Medical Center will proceed with the sole source negotiation with Sun Nuclear Corporation.
7. Security Requirements
Service & Maintenance will follow the security requirements as per VA's Medical Device Protection Program (MDPP), which protects VA's medical devices through a comprehensive security initiative that encompasses pre-procurement assessments, medical device isolation architecture (MDIA), communication, validation, scanning, access control list remediation, patching, and secure remote connectivity.
7.1 General Security
Contractors, contractor personnel, subcontractors, and subcontractor personnel shall be subject to the same Federal laws, regulations, standards, and VA Directives and Handbooks as VA and VA personnel regarding information and information system security.
7.2 Access to VA Information and VA Information Systems
a. A contractor/subcontractor shall request logical (technical) or physical access to VA information and VA information systems for their employees, subcontractors, and affiliates only to the extent necessary to perform the services specified in the contract, agreement, or task order.
b. All contractors, subcontractors, and third-party servicers and associates working with VA information are subject to the same investigative requirements as those of VA appointees or employees who have access to the same types of information. The level and process of background security investigations for contractors must be in accordance with VA Directive and Handbook 0710, Personnel Suitability and Security Program. The Office for Operations, Security, and Preparedness is responsible for these policies and procedures.
A BI is not required per VA Information and Information System Security/Privacy Requirements for IT Contracts dated August 2008 if the following exception applies: Contract Personnel with limited and intermittent access to equipment connected to facility networks on which limited VA sensitive information may reside, including medical equipment contractors who install, maintain, and repair networked medical equipment such as CT scanners, EKG systems, ICU monitoring, etc. In this case, Veterans Health Administration facilities must have a duly executed VA Business Associate Agreement (BAA) in place with the vendor in accordance with VHA Handbook 1600.1, Business Associates, to assure compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in addition to the contract. Contract personnel, if on site, should be escorted by VA IT Staff.
7.3 Training
a. All contractor employees and subcontractor employees requiring access to VA information and VA information systems shall complete the following before being granted access to VA information and its systems:
(1) Sign and acknowledge (either manually or electronically) understanding of and responsibilities for compliance with the Contractor Rules of Behavior, Appendix E relating to access to VA information and information systems;
(2) Successfully complete the VA Cyber Security Awareness and Rules of Behavior training and annually complete required security training;
(3) Successfully complete the appropriate VA privacy training and annually complete required privacy training; and
(4) Successfully complete any additional cyber security or privacy training, as required for VA personnel with equivalent information system access [to be defined by the VA program official and provided to the contracting officer for inclusion in the solicitation document e.g., any role-based information security training required in accordance with NIST Special Publication 800-16, Information Technology Security Training Requirements.]
b. The contractor shall provide to the contracting officer and/or the COTR a copy of the training certificates and certification of signing the Contractor Rules of Behavior for each applicable employee within 1 week of the initiation of the contract and annually thereafter, as required.
c. Failure to complete the mandatory annual training and sign the Rules of Behavior annually, within the timeframe required, is grounds for suspension or termination of all physical or electronic access privileges and removal from work on the contract until such time as the training and documents are complete.
7.4 VA Information Custodial Language
a. Information made available to the contractor or subcontractor by VA for the performance or administration of this contract or information developed by the contractor/subcontractor in performance or administration of the contract shall be used only for those purposes and shall not be used in any other way without the prior written agreement of the VA. This clause expressly limits the contractor/subcontractor's rights to use data as described in Rights in Data - General, FAR 52.227-14(d) (1).
b. The contractor/subcontractor must store, transport, or transmit VA sensitive information in an encrypted form, using VA-approved encryption tools that are, at a minimum, FIPS 140-2 validated.
7.5 Information Systems Hosting, Operations, Maintenance, or Use
a. Bio-Medical devices and other equipment or systems containing media (hard drives, optical disks, etc.) with VA sensitive information must not be returned to the vendor at the end of lease, for trade-in, or other purposes. The options are:
(1) Vendor must accept the system without the drive;
(2) VA's initial medical device purchase includes a spare drive which must be installed in place of the original drive at time of turn-in; or
(3) VA must reimburse the company for media at a reasonable open market replacement cost at time of purchase.
(4) Due to the highly specialized and sometimes proprietary hardware and software associated with medical equipment/systems, if it is not possible for the VA to retain the hard drive, then:
(a) The equipment vendor must have an existing BAA if the device being traded in has sensitive information stored on it and hard drive(s) from the system are being returned physically intact; and
(b) Any fixed hard drive on the device must be non-destructively sanitized to the greatest extent possible without negatively impacting system operation. Selective clearing down to patient data folder level is recommended using VA approved and validated overwriting technologies/methods/tools. Applicable media sanitization specifications need to be preapproved and described in the purchase order or contract.
(c) A statement needs to be signed by the Director (System Owner) that states that the drive could not be removed and that (a) and (b) controls above are in place and completed. The ISO needs to maintain the documentation.
7.6 SECURITY INCIDENT INVESTIGATION
a. The term security incident means an event that has, or could have, resulted in unauthorized access to, loss or damage to VA assets, or sensitive information, or an action that breaches VA security procedures. The contractor/subcontractor shall immediately notify the COTR and simultaneously, the designated ISO and Privacy Officer for the contract of any known or suspected security/privacy incidents, or any unauthorized disclosure of sensitive information, including that contained in system(s) to which the contractor/subcontractor has access.
b. To the extent known by the contractor/subcontractor, the contractor/subcontractor's notice to VA shall identify the information involved, the circumstances surrounding the incident (including to whom, how, when, and where the VA information or assets were placed at risk or compromised), and any other information that the contractor/subcontractor considers relevant.
7.7 LIQUIDATED DAMAGES FOR DATA BREACH
a. Consistent with the requirements of 38 U.S.C. §5725, a contract may require access to sensitive personal information. If so, the contractor is liable to VA for liquidated damages in the event of a data breach or privacy incident involving any SPI the contractor/subcontractor processes or maintains under this contract. However, it is the policy of VA to forgo collection of liquidated damages in the event the contractor provides payment of actual damages in an amount determined to be adequate by the agency.
b. Based on the determinations of the independent risk analysis, the contractor shall be responsible for paying to the VA liquidated damages in the amount of $37.50 per affected individual to cover the cost of providing credit protection services to affected individuals consisting of the following:
(1) Notification;
(2) One year of credit monitoring services consisting of automatic daily monitoring of at least 3 relevant credit bureau reports;
(3) Data breach analysis;
(4) Fraud resolution services, including writing dispute letters, initiating fraud alerts and credit freezes, to assist affected individuals to bring matters to resolution;
(5) One year of identity theft insurance with $20,000.00 coverage at $0 deductible; and
(6) Necessary legal expenses the subjects may incur to repair falsified or damaged credit records, histories, or financial affairs.
7.8 SYSTEM INTERCONNECTIONS
a. Computer System interconnections between VA Systems on the VA Network and VA Business Partner Systems residing outside the VA Network will require a signed Memorandum of Understanding (MOU) and Interconnection Security Agreement (ISA) collectively known as MOU ISA between the VA and the VA Business Partner.
- Web Link
- SAM.gov Permalink (https://beta.sam.gov/opp/5093e5524aa042d1b6891323592bb5d8/view)
- Record
- SN05621578-F 20200417/200415230154 (samdaily.us)
- Source
- SAM.gov Link to This Notice (may not be valid after Archive Date)