Loren Data's SAM Daily™

 fbodaily.com
Home Today's SAM Search Archives Numbered Notes CBD Archives Subscribe
SAMDAILY.US - ISSUE OF SEPTEMBER 22, 2023 SAM #7969
SOLICITATION NOTICE

D -- RFQ - MediaLab Document Control System (VA-24-00004861)

Notice Date
9/20/2023 5:12:01 AM
 
Notice Type
Combined Synopsis/Solicitation
 
NAICS
541519 — Other Computer Related Services
 
Contracting Office
256-NETWORK CONTRACT OFFICE 16 (36C256) RIDGELAND MS 39157 USA
 
ZIP Code
39157
 
Solicitation Number
36C25623Q1542
 
Response Due
9/26/2023 12:00:00 PM
 
Archive Date
10/10/2023
 
Point of Contact
Justin Clark, Contract Specialist
 
E-Mail Address
justin.clark2@va.gov
(justin.clark2@va.gov)
 
Awardee
null
 
Description
General Information Document Type: Combined Solicitation/Synopsis Solicitation Number: 36C25623Q1542 Posted Date: September 20, 2023 Response Due Date/Time: September 26, 2023 / 12:00 PM (CST) Product or Service Code: DA10 Set Aside: None (Sole Source) NAICS Code: 541519 Size Standard: $34.0 Million Point of Contact: Justin Clark- Email: Justin.clark2@va.gov Contracting Office Address Department of Veterans Affairs Galleria Financial Center Network Contracting Office 16 5075 Westheimer Rd., Ste. 750 Houston, TX 77056 Description: This is a combined synopsis/solicitation for commercial items prepared in accordance with the format in Federal Acquisition Regulation (FAR) subpart 12.6, Streamlined Procedures for Evaluation and Solicitation for Commercial Items, in conjunction with FAR Part 13.5 for Certain Commercial Items, as supplemented with additional information included in this notice. This announcement constitutes the only solicitation; quotations are being requested, and a written solicitation document will not be issued. This solicitation is a Request for Quotation (RFQ). The solicitation document and incorporated provisions and clauses are those in effect through Federal Acquisition Circular (FAC) 2023-05 (effective 09/07/2023). This solicitation is being issued as a Sole Source requirement. The associated North American Industrial Classification System (NAICS) code for this procurement is 541519, with a small business size standard of $34 Million. Contractor is required to be actively registered in the System for Award Management (SAM). Quote may be considered non-compliant and rejected if the Contracting Officer is unable to verify active registration status. PRICE/COST SCHEDULE: Item # Description of Supplies Qty Unit Unit Price Amount 1 Document Control: 250 users [Federal] 1 EA 2 InspectionProof - up to ten CLIA numbers [Federal] 1 EA 3 Compliance & CE: 250 users [Federal] 1 EA 4 Personnel Documentation: 250 users [Federal] 1 EA 5 Compass: 250 users [Federal] 1 EA 6 Histology Compliance & CE: 25 users [Federal] 1 EA 7 IQE - CAPA: 10-14 CLIA Licenses, 30 forms [Federal] 1 EA 8 Exam Simulator (Group price) 125 EA 9 Phlebotomy Exam Simulator (Group price) 60 EA 10 NSH + LabCE Histology Exam Simulator 14 EA 11 White Blood Cell Differential Simulator: 25 users 1 EA 12 Advanced White Blood Cell Differential Simulator: 25 users 1 EA 13 Red Blood Cell Morphology Case Simulator: 25 users 1 EA 14 Body Fluid Case Simulator: 25 users 1 EA 15 Urinalysis Case Simulator: 25 users 1 EA 16 Single sign-on connection 1 EA 17 Premium Support 1 EA GRAND TOTAL $ STATEMENT OF WORK SCOPE: The Pathology and Laboratory Medicine Service Line (PLMS) at the Michael E DeBakey VA Medical Center (MEDVAMC) is procuring a Cloud-Based Laboratory network software platform and the associated laboratories located within the MEDVAMC s Community Based Outpatient Clinics (CBOCs) requires a document control system to warehouse, catalog, manage, as well as provide employee access to standard operating procedures and related documents. This procurement will be a base year (1 12-month period) with four (12-month option periods). The vendor shall provide all labor, personnel, equipment, tools, materials, supervision, and other items necessary to provide installation and training within 30 days of award. BACKGROUND: Joint Commission (JC) regulations state that all Pathology & Laboratory policies and procedures used by PLMS and associated CBOC Laboratories must be continually updated, easy to access, capable of maintaining staff competencies, laboratory inspection preparedness, continuing education for laboratory personnel, link policies and procedures and be able to be reviewed by laboratory staff, at all locations, on an ongoing basis. The MediaLab system shall have at least five (5) permission levels, personnel documents file, capable of creating forms for action reports, and keep track of corrective actions reports. The new document control package shall replace the current outdated manual systems as electronic document control is critical and necessary for maintaining effective compliance with industry standards. This will ensure that all laboratory testing sites that perform Veteran testing, within the MEDVAMC PLMS and associated CBOCs are in compliance with Association for the Advancement of Blood Biotherapies (AABB), College of American Pathologists (CAP), Food and Drug Administration (FDA), Environmental Protection Agency (EPA), ISO 15189, 21 CFR Part 11 standard, VHA Handbook 1106.01, Clinical Laboratory Improvement Amendments (CLIA) regulations, and JC accreditation standards, as well as meeting VHA Patient Safety and Quality initiatives. REQUIREMENTS: The vendor shall install to manufacturer s specifications maintaining Federal, and local safety standards. The installation must be completed within 90 days after contract is awarded. All work shall be completed between 7:30a.m. and 4 p.m. Monday Friday. All federal holidays, excluded. Federal holidays are available at the Federal Holiday OPM Site. If there is an operational conflict with installation, night or weekend installation can be an option. Government will provide a 72 hours' notice of change of installation hours. Vendor shall provide an implementation plan, with timelines, and coordinate the initial conversion of all documents into the system. The vendor shall provide initial training via WebEx or any form of online training and continued support for all system users at different levels. A. General 1. Internet/Cloud-based laboratory network document control system with single sign-on connection. 2. Unlimited access for any computer 24/7/365; production environment 15 minutes to 2 hours maximum time to acknowledge for Priority 1 severity, and for mean time to resolve. 3. 99% Annual operational uptime and complete data retrieval capability, and backup solution in case of catastrophic failure. Provide system server backup and contingency to ensure access to documents during planned or unplanned downtime. 4. Simple and intuitive, menu-driven, customizable portal or user interface. 5. Multiple roles or group-based permission levels that enable different levels of user access. 6. The system should enable easy addition and removal of user and level of access. 7. Total traceability tracks who performed what steps of task or approval. 8. Easy management of the entire life cycle of a document (create, edit, approve, issue and archive). 9. Set priority tasks and reminders. Assign to self or other users. 10. Customizable workflows based on department or level of importance. 11. Document Viewer module or capability 12. Ability to create customizable reports. 13. Ability to download full back-ups on demand 14. Generates site usage reports allowing some determination of system effectiveness. 15. Fast supported implementation 16. Modular software that components can be added or removed without requiring major upgrades or changing the functionality of the system. 17. Upgrade/Updates: a. provides updates to the service software in order to maintain the integrity of the system and the state-of the art technology, at no additional charge to the Government. These shall be provided as they become commercially available and at the same time as they are being provided to commercial customers. b. system updates that enhance the model of service being offered, i.e., new version of software, correction of software defect, update offered to commercial customers at no additional charge, upgrade to replace model of service no longer vendor supported, etc. This does not refer to replacing the original piece of service provided under the contract; however, it does refer to significant changes in the hardware operational capability. 18. Secure documents, passwords and personal information using encryption and Secure Sockets Layer (SSL). System has the compatible with PIV card. 19. Middleware system must be compliant with all Office of Information and Technology and information Security Directive. Must be SaaS compliance with all VA security. 20. If required, any vendor selected must undergo One-VA Technical Reference Model (TRM) approval. It is also expected that the selected vendor would assist in creating and agree to a Memorandum of Understanding MOU-ISA. 21. Key Features Required: a. Document Control The document control system must: 1) Allow documents to be uploaded as Word Docs, Excel files, Power Point files, or PDF files 2) Track all changes made to uploaded documents. 3) Allow the creation of approval processes. 4) Send automatic notifications to approving officials and to employees when documents need to be signed. 5) Send notifications to supervisors if employees do not sign documents within established timelines. 6) Record annual or biennial review with electronic signatures. 7) Allow users to flag documents that need revision. 8) Use hashing, encryption, and SSL so that documents, passwords, and personal information stays secure. 9) Have the ability to archive or retire old versions of documents. b. Inspection Proof The Inspection Preparedness system must: 1) Allow users to upload inspection checklists. 2) Allow users to link policies and procedures to checklist items. 3) Allow administrators to delegate checklists or items to other users. 4) Allow for on-site, self-inspections, mock inspections. 5) Allow administrators to approve or reject checklist responses. 6) Allow capture and respond to identified deficiencies 7) Allow checklists responses to copied to the next year s checklists. c. Compliance & Continuing Education (CE) The compliance and CE system must: 1) User Friendly 2) 24/7 Availability for employees 3) Include OHSA safety courses covering bloodborne pathogens, chemical hygiene, electrical and fire safety, and formaldehyde. 4) Include continuing education courses in hematology, chemistry, phlebotomy, and quality control. 5) Allow users to print certificates of completion. 6) Allow users to print reports of training history. 7) Allow administrators to create custom continuing education courses. 8) Allow administrators to assign courses with due dates. d. Personnel Documentation The personnel documentation file system must: 1) Allow administrators to assign, store, and retrieve employee information and documentation. 2) Allow administrators review and audit readiness of employee s documentations. 3) Allow administrators to track CLIA requirement for employees. e. Compass The competency assessment system must: 1) Allow administrators to build custom competency assessments and customize templates 2) Allow administrators to track competency with online quizzes, observation checklists, document reviews, repeat sample activities. 3) Allow administrators to delegate functions to leaders. 4) Allow administrators to assign six-month and annual assessments automatically. 5) Allow to send customized email notifications for new and incomplete training. f. Histology Compliance & CE The histology must: 1) Include continuing education course in histology and cover special stains, Immunohistochemistry, and Fluorescence in Situ Hybridization (FISH). 2) Include formaldehyde safety and ergonomics courses. 3) Allow users to print certificates of completion. 4) Allow users to print reports of training history. 5) Allow administrators to create custom continuing education courses 6) Allow administrators to assign courses with due dates. 7) User Friendly 8) 24/7 Availability for employees g. Intelligent Quality Engine (IQE) Corrective Action and Preventive Action (CAPA) The IQE and CAPA must: 1) Eliminate paper-based, manual investigation 2) Allow to follow corrective and preventive actions standard online. 3) Allow to create forms, customize workflows, collaborations, approve request, and reports. 4) Allow administrators to assign roles to employees based on job title and description (Intelligent Access Control). 5) Allow reporting for tracking and trending of event statuses. 6) Allow the laboratory to monitor their metrics in real-time reports. 7) Allow for the integration across management platform (document control, inspectionProof, and compliance & CE systems) to annotate changes to Standard Operating Procedures (SOP) and policies and provide training updates to employees. h. Exam Simulators The Exam simulator must: 1) Include medical laboratory scientist (MLS) and medical laboratory technician (MLT) exams 2) Include histotechnology (NSH) + LabCE Histology exams 3) Include Phlebotomy exam i. Case Simulators The Case simulator must: 1) Red Blood Cell Morphology Case simulator 2) White Blood Cell Differential Case Simulator 3) Advanced White Blood Cell Differential Case Simulator 4) Body Fluid Case Simulator 5) Urinalysis Case Simulator j. System Support and Maintenance 1) Support (phone, email) must be available weekdays during normal business hours. 2) Minimal server maintenance. 3) Document backups available to staff during downtimes. 4) Advance notification during server updates or down times. 5) Storage capacity to archive all document types and workflow histories for at least 5 years after removal from use to meet the more stringent transfusion medicine and quality documents requirement is preferred. Alternatively, a minimal storage capacity is needed for archiving transfusion service documents and review/approval histories for 5 years, and other laboratory section records for 2 years. The MEDVAMC PLMS is modernizing and standardizing service to improve efficiencies and patient safety. Brand name only is being requested in order to standardize across main lab (MEDVAMC PLMS) and associated labs (CBOCs). B. Assessment, Authorization, and Continuous Monitoring 1. The information system solution selected by the Vendor shall comply with the Federal Information Security Management Act (FISMA) and have a current VA authorization. 2. MediaLab shall comply with Federal Risk and Authorization Management Program (FedRAMP) requirements as mandated by Federal laws and policies, including making available any documentation, physical access, and logical access needed to support this requirement. 3. MediaLab shall, where applicable, assist with the VA Authority to Operate (ATO) Sustainment Process to help maintain health and quality of agency authorization of the cloud service or migrated application. 4. MediaLab shall provide access to FedRAMP authorized and VA authorized environment. 5. MediaLab shall afford VA access to the MediaLab and Cloud Service Provider s (CSP) facilities, installations, technical capabilities, operations, documentation, records, and databases. 6. If new or unanticipated threats or hazards are discovered by either VA or the MediaLab, or if existing safeguards have ceased to function, the discoverer shall immediately bring the situation to the attention of the other party in accordance with the security addendum B. 7. MediaLab shall not release any data without the consent of VA in writing. All requests for release must be submitted in writing to the Contracting Officer s Representative (COR)/Contracting Officer (CO). 8. In order for live VA data to be used in this system, access must be provided to the FedRAMP Authorized and Agency Authorized environment. 9. Under the existing ATO, the MediaLab shall only allow VA customers to purchase MediaLab Federal Licenses. 10. MediaLab shall restrict VA customers from purchasing licenses that are not MediaLab Federal unless there is sign-off from VA Executive Leadership or DTC modifies the current ATO use case. Deliverables: A. Dates for current ATO expiration, due before award B. Monthly POAM (Plan of Action and Milestones) finding reports C. Participation in monthly Agency and FedRAMP Sustainment meetings D. Participation in continuous monitoring and reoccurring security artifacts C. Security Requirement for Cloud Services 1. Per the Office of Management Budget (OMB), any cloud services that hold federal data must be authorized by the Federal Risk and Authorization Management Program (FedRAMP). All Federal data must be stored on a FedRAMP authorized systems, and loss of FedRAMP authorization is equivalent to the inability to house federal data via a cloud service. FedRAMP authorization applies to all third parties and sub-vendors that the vendor uses to store federal data. Proof of FedRAMP authorization must be provided, and the vendor must disclose where all data is stored. If any data is stored by a third party and/or sub-vendor, the vendor must provide proof of FedRAMP authorization for these third parties and sub-vendors. FedRAMP authorization must always be maintained by the vendor and all third parties and subcontractors the vendor uses to store federal data. 2. All cryptographic modules and hardware security modules (HSMs) must be FIPS 140-2 certified. The vendor must provide proof of FIPS 140-2 certification via a NIST approved validator. The operating platform upon which the FIP 140-2 certification was obtain must be maintained. D. VA Information and Information System Security/Privacy 1. General Information: Vendors, vendor personnel, sub-vendors, and sub- vendor personnel shall be subject to the same Federal laws, regulations, standards, and VA Directives and Handbooks as VA and VA personnel regarding information and information system security. 2. Access to VA Information and VA Information Systems: a) A vendor/sub-vendor shall request logical (technical) or physical access to VA information and VA information systems for their employees, sub-vendors, and affiliates only to the extent necessary to perform the services specified in the contract, agreement, or task order. b) All vendors, sub-vendors, and third-party servicers and associates working with VA information are subject to the same investigative requirements as those of VA appointees or employees who have access to the same types of information. The level and process of background security investigations for vendors must be in accordance with VA Directive and Handbook 0710, Personnel Suitability and Security Program. The Office for Operations, Security, and Preparedness is responsible for these policies and procedures. c) Contract personnel who require access to national security programs must have a valid security clearance. National Industrial Security Program (NISP) was established by Executive Order 12829 to ensure that cleared U.S. defense industry contract personnel safeguard the classified information in their possession while performing work on contracts, programs, bids, or research and development efforts. The Department of Veterans Affairs does not have a Memorandum of Agreement with Defense Security Service (DSS). Verification of a Security Clearance must be processed through the Special Security Officer located in the Planning and National Security Service within the Office of Operations, Security, and Preparedness. d) Custom software development and outsourced operations must be located in the U.S. to the maximum extent practical. If such services are proposed to be performed abroad and are not disallowed by other VA policy or mandates, the vendor/sub-vendor must state where all non-U.S. services are provided and detail a security plan, deemed to be acceptable by VA, specifically to address mitigation of the resulting problems of communication, control, data protection, and so forth. Additionally, the Contracting Officer Representative will consult with the Information Security Officer regarding any software development and/or outsourced operations considered for utilization that are not within the continental U.S. The Contracting Officer Representative will get approval from the Information Security Officer prior to utilization of any software, product, and outsourced operation outside the continental U.S. Prior approval from the Information Security Officer must be Location within the U.S. may be an evaluation factor. e) The vendor or sub-vendor must notify the Contracting Officer immediately when an employee working on a VA system or with access to VA information is reassigned or leaves the vendor or sub-vendor's employ. The Contracting Officer must also be notified immediately by the vendor or sub-vendor prior to an unfriendly termination. 3. VA Information Custodial Language: a) Information made available to the vendor or sub-vendor by VA for the performance or administration of this contract or information developed by the vendor/sub-vendor in performance or administration of the contract shall be used only for those purposes and shall not be used in any other way without the prior written agreement of the VA. This clause expressly limits the vendor/sub-vendor's rights to use data as described in Rights in Data - General, FAR 52.227-14(d) (1). b) VA information should not be co-mingled, if possible, with any other data on the vendors/sub-vendor's information systems or media storage systems in order to ensure VA requirements related to data protection and media sanitization can be met. If co-mingling must be allowed to meet the requirements of the business need, the vendor must ensure that VA's information is returned to the VA or destroyed in accordance with VA's sanitization requirements. VA reserves the right to conduct onsite inspections of vendor and sub-vendor IT resources to ensure data security controls, separation of data and job duties, and destruction/media sanitization procedures are in compliance with VA directive requirements. c) Prior to termination or completion of this contract, vendor/ sub-vendor must not destroy information received from VA, or gathered/ created by the vendor in the course of performing this contract without prior written approval by the VA. Any data destruction done on behalf of VA by a vendor/sub-vendor must be done in accordance with National Archives and Records Administration (NARA) requirements as outlined in VA Directive 6300, Records and Information Management and its Handbook 6300.1 Records Management Procedures, applicable VA Records Control Schedules, and VA Handbook 6500.1, Electronic Media Sanitization. Self-certification by the vendor that the data destruction requirements above have been met must be sent to the VA Contracting Officer within 30 days of termination of the contract. d) The vendor/sub-vendor must receive, gather, store, back up, maintain, use, disclose and dispose of VA information only in compliance with the terms of the contract and applicable Federal and VA information confidentiality and security laws, regulations, and policies. If Federal or VA information confidentiality and security laws, regulations and policies become applicable to the VA information or information systems after execution of the contract, or if NIST issues or updates applicable FIPS or Special Publications (SP) after execution of this contract, the parties agree to negotiate in good faith to implement the information confidentiality and security laws, regulations, and policies in this contract. e) The vendor/sub-vendor shall not make copies of VA information except as authorized and necessary to perform the terms of the agreement or to preserve electronic information stored on vendor/sub-vendor electronic storage media for restoration in case any electronic equipment or data used by the vendor/sub-vendor needs to be restored to an operating state. If copies are made for restoration purposes, after the restoration is complete, the copies must be appropriately destroyed. f) If VA determines that the vendor has violated any of the information confidentiality, privacy, and security provisions of the contract, it shall be sufficient grounds for VA to withhold payment to the vendor or third party or terminate the contract for default or terminate for cause under Federal Acquisition Regulation (FAR) part 12. g) If a VHA contract is terminated for cause, the associated BAA must also be terminated and appropriate actions taken in accordance with VHA Handbook 1600.01, Business Associate Agreements. Absent an agreement to use or disclose protected health information, there is no business associate relationship. h) The vendor/sub-vendor must store, transport, or transmit VA sensitive information in an encrypted form, using VA-approved encryption tools that are, at a minimum, FIPS 140-2 validated. i) The vendor/sub-vendor's firewall and Web services security controls, if applicable, shall meet or exceed VA's minimum requirements. VA Configuration Guidelines are available upon request. j) Except for uses and disclosures of VA information authorized by this contract for performance of the contract, the vendor/sub-vendor may use and disclose VA information only in two other situations: (i) in response to a qualifying order of a court of competent jurisdiction, or (ii) with VA's prior written approval. The vendor/sub-vendor must refer all requests for, demands for production of, or inquiries about, VA information and information systems to the VA contracting officer for response. k) Notwithstanding the provision above, the vendor/sub-vendor shall not release VA records protected by Title 38 U.S.C. 5705, confidentiality of medical quality assurance records and/or Title 38 U.S.C. 7332, confidentiality of certain health records pertaining to drug addiction, sickle cell anemia, alcoholism or alcohol abuse, or infection with human immunodeficiency virus. If the vendor/sub-vendor is in receipt of a court order or other requests for the above-mentioned information, that vendor/sub-vendor shall immediately refer such court orders or other requests to the VA contracting officer for response. l) For service that involves the storage, generating, transmitting, or exchanging of VA sensitive information but does not require C&A or an MOU-ISA for system interconnection, the vendor/sub-vendor must complete a Vendor Security Control Assessment (CSCA) on a yearly basis and provide it to the COR. 4. Information System Design and Development: a) Information systems that are designed or developed for or on behalf of VA at non-VA facilities shall comply with all VA directives developed in accordance with FISMA, HIPAA, NIST, and related VA security and privacy control requirements for Federal information systems. This includes standards for the protection of electronic PHI, outlined in 45 C.F.R. Part 164, Subpart C, information, and system security categorization level designations in accordance with FIPS 199 and FIPS 200 with implementation of all baseline security controls commensurate with the FIPS 199 system security categorization (reference Appendix D of VA Handbook 6500, VA Information Security Program). During the development cycle a Privacy Impact Assessment (PIA) must be completed, provided to the COR, and approved by the VA Privacy Service in accordance with Directive 6507, VA Privacy Impact Assessment. b) The vendor/sub-vendor shall certify to the COR that applications are fully functional and operate correctly as intended on systems using the VA Federal Desktop Core Configuration (FDCC), and the common security configuration guidelines provided by NIST or the VA. This includes Internet Explorer 7 configured to operate on Windows XP and Vista (in Protected Mode on Vista) and future versions, as required. c) The standard installation, operation, maintenance, updating, and patching of software shall not alter the configuration settings from the VA approved and FDCC configuration. Information technology staff must also use the Windows Installer Service for installation to the default ""program files"" directory and silently install and uninstall. d) Applications designed for normal end users shall run in the standard user context without elevated system administration privileges. e) The security controls must be designed, developed, approved by VA, and implemented in accordance with the provisions of VA security system development life cycle as outlined in NIST Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems, VA Handbook 6500, Information Security Program and VA Handbook 6500.5, Incorporating Security and Privacy in System Development Lifecycle. f) The vendor/sub-vendor is required to design, develop, or operate a System of Records Notice (SOR) on individuals to accomplish an agency function subject to the Privacy Act of 1974, (as amended), Public Law 93-579, December 31, 1974 (5 U.S.C. 552a) and applicable agency regulations. Violation of the Privacy Act may involve the imposition of criminal and civil penalties. g) The vendor/sub-vendor agrees to: (1) Comply with the Privacy Act of 1974 (the Act) and the agency rules and regulations issued under the Act in the design, development, or operation of any system of records on individuals to accomplish an agency function when the contract specifically identifies: (a)The Systems of Records (SOR); and (b)The design, development, or operation work that the vendor/sub-vendor is to perform. (2) Include the Privacy Act notification contained in this contract in every solicitation and resulting subcontract and in every subcontract awarded without a solicitation, when the work statement in the proposed subcontract requires the redesign, development, or operation of a SOR on individuals that is subject to the Privacy Act; and (3) Include this Privacy Act clause, including this subparagraph (3), in all subcontracts awarded under this contract which requires the design, development, or operation of such a SOR. h) In the event of violations of the Act, a civil action may be brought against the agency involved when the violation concerns the design, development, or operation of a SOR on individuals to accomplish an agency function, and criminal penalties may be imposed upon the officers or employees of the agency when the violation concerns the operation of a SOR on individuals to accomplish an agency function. For purposes of the Act, when the contract is for the operation of a SOR on individuals to accomplish an agency function, the vendor/sub-vendor is considered to be an employee of the agency. (1) ""Operation of a System of Records"" means performance of any of the activities associated with maintaining the SOR, including the collection, use, maintenance, and dissemination of records. (2) ""Record"" means any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and contains the person's name, or identifying number, symbol, or any other identifying particular assigned to the individual, such as a fingerprint or voiceprint, or a photograph. (3) ""System of Records"" means a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual. i) The vendor shall ensure the security of all procured or developed systems and technologies, including their subcomponents (hereinafter referred to as ""Systems""), throughout the life of this contract and any extension, warranty, or maintenance periods. This includes, but is not limited to workarounds, patches, hotfixes, upgrades, and any physical components (hereafter referred to as Security Fixes) which may be necessary to fix all security vulnerabilities published or known to the vendor anywhere in the Systems, including Operating Systems and firmware. The vendor shall ensure that Security Fixes shall not negatively impact the Systems. j) The vendor shall notify VA within 24 hours of the discovery or disclosure of successful exploits of the vulnerability which can compromise the security of the Systems (including the confidentiality or integrity of its data and operations, or the availability of the system). Such issues shall be remediated as quickly as is practical, but in no event l...
 
Web Link
SAM.gov Permalink
(https://sam.gov/opp/6f027b407b794d9a8535eea93bea2d69/view)
 
Place of Performance
Address: Michael E. DeBakey VA Medical Center (MEDVAMC) 2002 Holcombe Blvd, Houston, TX 77030, USA
Zip Code: 77030
Country: USA
 
Record
SN06838567-F 20230922/230920230802 (samdaily.us)
 
Source
SAM.gov Link to This Notice
(may not be valid after Archive Date)
FSG Index  |  This Issue's Index  |  Today's SAM Daily Index Page |
ECGrid: EDI VAN Interconnect ECGridOS: EDI Web Services Interconnect API Government Data Publications CBDDisk Subscribers
 Privacy Policy  Jenny in Wanderland!  © 1994-2024, Loren Data Corp.