Data Center Tenders
DEPT OF THE AIR FORCE USA Tender
Software and IT Solutions
Corrigendum : Closing Date Modified
United States
Details: 1.0 Procuring & Administrative Contracting Office
Air Force District Of Washington (afdw) Contracting Directorate (pk) Headquarters Air Force (haf) - Enterprise Support Division (pkh), Dodaac: Fa7014
2.0 Introduction
this Is A Sources Sought Notice (ssn) Which Is Being Released To Industry For Information Gathering And Planning Purposes Only Pursuant To Far Part 10 Market Research. This Ssn Is Not A Solicitation Nor Shall This Ssn Constitute A Request For Proposal (rfp), Invitation For Bid (ifb), Or Request For Quote (rfq). The Government Shall Not Award Any Contract Solely On The Basis Of This Ssn Nor Shall The Government Reimburse Any Contractor For Any Associated Costs They Incur To Submit A Capability Package To The Government In Response To This Ssn. This Market Research Notice Is Being Deployed To Bring Forth Qualified, Capable Sources And In No Way Shall Restrict The Government’s Final Acquisition Strategy, Planning, Or Requirements Refinement.
*note: Recipients Of This Ssn Are Hereby Advised That The Government Shall Not Accept Any Capability Package Submitted In Response To This Ssn Containing Extraneous, Unsolicited Material Or Content Which Does Not Conform To The Government’s Specific Questions And Request For Certain Procurement/contracting Data As Expressed Below. Additional Company Literature, Presentations, Pamphlets, Papers, Etc. Must Not Be Submitted In Response To This Ssn And Any Such Unsolicited Artifacts Shall Not Be Accepted Nor Reviewed By The Government. Recipients Of This Ssn Should Not Request An Extension Or More Time To Respond To This Ssn Regardless Of Circumstance.
3.0 Naics Code
The North American Industrial Classification System (naics) Code For This Ssn Is 518210 - Computing Infrastructure Providers, Data Processing, Web Hosting, And Related Services.
*note: A Small Business Firm Competing As A Prime Contractor Would Need To Perform At Least 50% Of The Total Requirement From Within Its Own Company (see Far 52.219-14, Limitations On Subcontracting).
4.0 Background & Description Of Government’s Requirements
the Government Has A Potential Requirement To Provide Professional Support, Sustainment, And Modernization Of The Current A1 Virtual Data Center (a1 Vdc) Which Is A Fully Functioning Commercial Cloud Environment Capable Of Supporting Applications In The Air Force A1 And A1 Dta Portfolios, And For Building Out The A1 Multi-cloud Ecosystem (a1 Mce) Landing Zone. Commercial Professional Services Would Be Performed To Ensure Continued Operations Of The Existing Environment, Execution And Management Of Multi-cloud Ecosystems, Modernization/optimization (i.e. Enhancing Common Shared Services, Streamlining Processes, And Achieving Cost Efficiencies), Execution And Management Of Big Data And Ai Initiatives, Execution Of Emerging Technologies Across A Multi-cloud Ecosystem, And Increase Capabilities Of The Cloud Environment Per Applicable Information Technology (it) Guidance, As Well As, Dod And Air Force Directives/policies Across Multiple Impact Levels Including Il6.
5.0 Government Questions For Industry Response
1. Experience In Multi-cloud Ecosystems:
a. Does Your Company Have Experience Architecting, Implementing, Managing, And Optimizing A Multi-cloud Landing Zone Ecosystem Across Dod Impact Levels (il), Especially Il6, Within Dod Rmf And Cloud Computing Srg Standards?
b. If So, Is That Multi-cloud Ecosystems Experience From Performing As A Prime Contractor, Subcontractor, Integrator, Commercial Business Partner, Etc.?
c. If So, Describe Your Approach To Governance, Change Management, And Incident Response In Each Of Those Environments.
d. If So, Provide Examples Of The Dod And/or Air Force Contracts Or Agreements That Required This Level Of Engagement.
2. Optimization Of Common Shared Services:
a. Does Your Company Have Experience Delivering And Optimizing Common Shared Services (such As A Centrally Managed Devsecops Ci/cd Pipeline And Development Tools), Streamlining Processes, And Achieving Cost Savings Or Efficiencies Within A Multi-cloud Landing Zone Ecosystem?
b. If So, Include Your Methods For Integrating Governance Structures And Managing Change To Support Continuous Improvement.
c. If So, Provide Examples Of The Dod And/or Air Force Contracts Or Agreements That Required This Level Of Engagement.
3. Artificial Intelligence Initiatives:
a. Does Your Company Have Experience Executing And Managing Artificial Intelligence (ai) Initiatives Across A Hybrid Multi-cloud Landing Zone Ecosystem?
b. If So, Explain Your Process/methodology, Including How You Architect And Implement Monitoring Guiderails Within That Hybrid Multi-cloud Landing Zone.
c. If So, Provide Examples Of The Dod And/or Air Force Contracts Or Agreements That Required This Level Of Engagement.
4. Big Data Initiatives:
a. Does Your Company Have Experience Executing Big Data Initiatives And Architecting Zero Trust Framework Architectures Across A Multi-cloud Landing Zone Ecosystem?
b. If So, How Did Your Company Incorporate Governance, Change Management, And Incident Response Strategies In Such Initiatives Across A Multi-cloud Landing Zone Ecosystem (explain Your Process And Methodology)?
c. If So, Provide Examples Of The Dod And/or Air Force Contracts Or Agreements That Required This Level Of Engagement.
5. Multi-cloud Management Technologies:
a. Does Your Company Have Experience With Emerging Technology Tools And Services Unique To Multi-cloud Landing Zone Ecosystems (e.g., Palo Alto Sase, Splunk, Elastic, Hashicorp, Aqua Security, Etc.)?
b. If So, Describe Your Company’s Experience/expertise In Implementing Microservices And Containerization Technologies Within The Environments Of Those Multi-cloud Landing Zone Ecosystems.
c. If So, Describe The Exact Technology Tools And Services That Your Company Used In Those Multi-cloud Landing Zone Ecosystems.
d. If So, Does Your Company Suggest Any New Technology Tools/services Or Recommend Any Proven Technology Tools/services That Can Facilitate Additional Value To The Environments Of Those Multi-cloud Landing Zone Ecosystems?
6. Subcontracting Dependencies:
a. If Your Company Has Experience Managing And/or Performing Requirements For A Multi-cloud Landing Zone Ecosystem, What Percentage Of That Work Was Performed By Your Company As A Subcontractor Versus By Your Company As The Prime Contractor (also, Explain Whether That Work Was Related To Managing And/or Performing)?
b. Would Your Company Need To Subcontract Significantly To Perform Most Of The Subject Requirements Identified Above And If So, Identify Each Of Those Requirements Where Subcontractors Would Need To Be Assigned?
c. Explain How Governance, Change Management, And Incident Response Processes Are Maintained Across Your Subcontractor Teams As Both The Prime Contractor Managing Assigned Subcontractors And As A Subcontractor Performing On Behalf Of The Prime Contractor.
d. Provide Examples Of Subcontracting Sources, Business Partnerships/relationships, Goals, And Plans Your Company Would Utilize To Ensure Performance Of All Subject Requirements.
6.0 Additional Information For Capability Packages
As Part Of The Capability Packages Submitted In Response To This Ssn, All Respondents Must Fully Address The Government’s Requested Related Procurement And Contracting Data Expressed Below Which Will Help During Other Pre-award Activities In The Future.
Respondents Must Identify/provide The Contractor’s:
a. Company Name (full Legal Name And D.b.a., If Applicable);
b. Company Address;
c. Company Pre-award/proposal Team/business Development Point Of Contact (poc) By Name (first And Last);
d. Company Poc Email Address;
e. Company Poc Telephone Number;
f. Cognizant Dcma Office Code And Info (if Applicable);
g. Cognizant Dcaa Office Code And Info (if Applicable);
h. Cognizant Defense Security Office Code And Info (if Applicable);
i. Current Facility Classification Level (fcl);
j. Federal Cage Code And Unique Entity Id (sam.gov);
*note: A Company Must Be Registered In The System For Award Management (sam) To Be Considered Responsible For A Federal Contract Award. To Register Your Company, Go To Https://www.sam.gov.
k. Business Size (large Or Small) And Applicable Socioeconomic Categories (vosb, 8a, Hubzone, Sdb, Wosb, Etc.) For The Established Naics Code Established Above For This Ssn And For The Contractor’s Other Similar Naics Codes;
l. General Services Administration (gsa) Federal Supply Schedules (fss), Multiple Award Contracts (macs), Government-wide Acquisition Contracts (gwacs), Dod Enterprise Service Initiatives (esi), Indefinite-delivery Indefinite Quantity (idiq) Contracts, Agreements, And/or Blanket Purchase Agreements (bpas) That The Contractor Currently Holds And Authorizes Ordering From The Respective Air Force Contracting Office (provide The Respective Contract/agreement Numbers, Identify The Source Of The Procurement Vehicle, And Any Other Relevant Information);
*note: Some Examples Are: Air Force Enterprise Sbeas Idiqs; Stars3, Alliant2, Vets2, And Oasis+ Gsa Gwacs; Nasa Sewp Gwac; National Institute Of Health (nih) Gwacs; Veterans Administration (va) Gwacs; Gsa Af 2git Bpas; Etc.
m. Examples/references/samples (no More Than 3) Of Recent And Relevant Performance (recent, Meaning Within The Last 3 Years And Relevant, Meaning The Same Or Similar Requirements Based On The Subject Requirements Identified Above); And
*note: For Each Example/reference/sample, Provide The Federal Contract/agreement Numbers, Commercial Company-to-company Purchase Order Numbers, Dates/pops, Total Dollars, Description Of Work/requirements, Significance Of Work, Percent Of Work Performed As Prime And Sub, Project Poc Name, Project Poc Email Address, And Project Poc Phone Number.
n. Company’s History, Capabilities, Experience, Strengths, And Weaknesses In Providing Professional Services Which Are Similar To And/or Consistent With The Government’s Requirements Detailed Above.
7.0 Mandatory Capability Package Instructions, Formatting & Deadline
Interested Parties Shall Submit Capability Packages To The Government Which Meet All Formatting, Instructions, Limitations, And The Submittal Deadline As Expressed Below.
Capability Packages Must Be Submitted To The Government:
a. Within The Confines Of 8 Total Pages;
b. Electronically Via One (1) Email Before The Established Ssn Deadline;
c. In Adobe Portable Document Format (.pdf) Format Only;
d. In A Digital File Size That Does Not Exceed 5mb;
*note1: If File Size Is 5mb Or Larger, The Government Will Not Receive The Respondent’s Email And Attached Document Due To Internal Dod And Air Force Message System Limits And Restrictions.
*note2: Respondents Must Not Submit A Zip File Because The Government Email System Does Not Allow Transmittal Of Zip Files.
e. Containing Unclassified Data/information/content Only;
*note: Capability Packages Submitted To The Government In Response To This Ssn Shall Not And Must Not Contain Any Controlled Unclassified Information (cui), Classified, Secret, Or Top Secret Data/information/contents.
f. And Received At The Identified Government Office On Or Before 4:30 Pm (central Time Zone) On Thursday, 30 January 2025; And
g. Air Force Contracting Office Electronically Via Email To Ms. Brittney Devallon, Afdw/pkh Contract Specialist, At Brittney.devallon@us.af.mil.
8.0 Organizational Conflict Of Interest
the Government Would Also Like To Remind Companies Of Their Responsibility To Avoid And/or Mitigate Any Potential Organizational Conflict Of Interest (oci). Guidance Is Found In Federal Acquisition Regulation (far) Part 9.5. If A Company Has A Potential Oci Situation, They Must Submit And Have An Approved Mitigation Plan Prior To The Government’s Consideration Of Any Proposal For Award. Since The Approval Process Can Be Lengthy And Approval Of Any Plan Is Not Assured, It Is Highly Recommended That Potential Oci Identification And Resolution Processes Begin During The Planning Phase If Possible. An Oci Could Result In The Canceling Of A Contract Or Determining An Offeror To Be Ineligible For Award. Potential Oci Issues, And Mitigation Plans If Developed, Shall Be Included As An Attachment To Capability Package. Such Oci Attachment Shall Not Be Considered In The Capability Package Total Page Count.
Closing Date: 30 Jan 2025
Tender Amount: Refer Documents
Municipality Of Polillo, Quezon Tender
Telecommunication Services
Philippines
Details: Description Republic Of The Philippines Province Of Quezon Municipality Of Polillo ***** Invitation To Bid For Supply, Delivery And Installation Of Public Address System- Lgu Polillo, Quezon
1. The Municipality Of Polillo, Through The 5% Calamity Fund 2025 Approved By The Sangguniang Bayan Of Lgu Polillo Intends To Apply The Sum Of One Million Seven Hundred Ninety-six Thousand Seven Hundred Twenty Pesos Only (₱1,796,720.00) Being The Abc To Payments Under The Contract For Supply, Delivery And Installation Of Public Address System- Lgu Polillo Quezon. Bids Received In Excess Of The Abc Shall Be Automatically Rejected At Bid Opening.
2. The Municipality Of Polillo Now Invites Bids For The Above Procurement Project. Delivery Of The Goods Is Required By 30 Calendar Days. Bidders Should Have Completed, Within Three (3) Years From The Date Of Submission And Receipt Of Bids, A Contract Similar To The Project. The Description Of An Eligible Bidder Is Contained In The Bidding Documents, Particularly, In Section Ii (instructions To Bidders).
3. Bidding Will Be Conducted Through Open Competitive Bidding Procedures Using A Non-discretionary “pass/fail” Criterion As Specified In The 2016 Revised Implementing Rules And Regulations (irr) Of Republic Act (ra) No. 9184.
A. Bidding Is Restricted To Filipino Citizens/sole Proprietorships, Partnerships, Or Organizations With At Least Seventy Five Percent (75%) Interest Or Outstanding Capital Stock Belonging To Citizens Of The Philippines, And To Citizens Or Organizations Of A Country The Laws Or Regulations Of Which Grant Similar Rights Or Privileges To Filipino Citizens, Pursuant To Ra No. 5183.
4. Prospective Bidders May Obtain Further Information From Municipality Of Polillo And Inspect The Bidding Documents At The Address Given Below During Monday To Friday, 8:00am To 5:00pm.
5. A Complete Set Of Bidding Documents May Be Acquired By Interested Bidders On January 27, 2025 To February 17, 2025 The Given Address And Website(s) Below And Upon Payment Of The Applicable Fee For The Bidding Documents, Pursuant To The Latest Guidelines Issued By The Gppb, In The Amount Of Five Thousand Pesos Only (₱ 5000.00). The Procuring Entity Shall Allow The Bidder To Present Its Proof Of Payment For The Fees In Person, By Facsimile, Or Through Electronic Means.
6. Bids Must Be Duly Received By The Bac Secretariat Through: (i) Manual Submission At The Office Address Indicated Below Or (ii) Online Or Electronic Submission As Indicated Below On Or Before February 17, 2025 2:30pm. Late Bids Shall Not Be Accepted.
7. The Municipality Of Polillo Will Hold A Pre-bid Conference On February 3, 2025 2:30pm At Mpdc Office, 2nd Floor Municipal Annex Building, Mabini St., Brgy. Poblacion, Polillo, Quezon And/or Through Video Conferencing Or Webcasting Via Messenger, Which Shall Be Open To Prospective Bidders.
8. All Bids Must Be Accompanied By A Bid Security In Any Of The Acceptable Forms And In The Amount Stated In Itb Clause 14.
9. Bid Opening Shall Be On February 17, 2025 2:30pm At The Given Address Below And/or Messenger. Bids Will Be Opened In The Presence Of The Bidders’ Representatives Who Choose To Attend The Activity.
10. The Municipality Of Polillo Reserves The Right To Reject Any And All Bids, Declare A Failure Of Bidding, Or Not Award The Contract At Any Time Prior To Contract Award In Accordance With Sections 35.6 And 41 Of The 2016 Revised Irr Of Ra No. 9184, Without Thereby Incurring Any Liability To The Affected Bidder Or Bidders.
11. For Further Information, Please Refer To: Deborah B. Marasigan Bac Chairperson And Bac Secretariat Mabini St. Brgy. Poblacion, Polillo, Quezon, 4339 Bac.polillo@gmail.com Deborah B. Marasigan Bac Chairperson
1 Lot 8-core Hybrid Fiber Optic Outdoor Armored Cable With Tight Buffered Fibers For Aerial Mounting To Electric Posts.
Accessories Included: Hooks, Pulleys & Fiber Drop Wires. 15 Pieces Ip67 Terminal/utility Box 400mm X 300mm X 180mm With Key Lock, Ce/rohs/iso9001 Type Approved, Bundled With Complete Mounting Screws And Stainless Metal Belts & Locks. 15 Units Fiber Optic Media Converter-gigabit, High Density Hot-swappable Media Converter Redundant Hot-swappable Ac And 12v Dc Power Supplies With Built-in 4-ports Switch 10x1000 Plus Hybrid A-b Tx/rx In One Device. 15 Pieces Fiber Optic Patch Cords (sm) Compatible, Sc/sc Connector. 15 Units Fiber Optic Splice Box Fiber Capacity 8-sc Output Ports 8x6mm+1x Up To 10mm (full Assembly) 8-core Ip65//66/67 1 Piece 16u Network Data Cabinet 1 Unit 1200 Core Switch Fully Managed Aggregation Switch, 1200 Sfp+ Ports; (8) Plus Rj45 Ports; (2) Rj45 Serial Console Port, L3 Static Routing, 1200 Switching Capacity, 1.2gbps Non-blocking Throughput, Forwarding Rate 1.2gbps. 8 Units Gigabit Ethernet Sm Sfp Sc 20km 1200 Transceivers Module. 1 Unit 4k Led Monitor 55″ Inch 3840×2160 (uhd) Cctv Monitor- Industrial 1 Lot Network Cat-6e Pure Copper Outdoor Type Cable, 305m/box Bare Copper Shielded 15 Units 10/15amps Circuit Breaker 240vac 1 Unit Computer System Unit (amd) Specification: Intel Core I5-12th Generation System Unit, 16gb System Memory, 4gb Video Card, 2x 1tb Hdd, 500gb M.2. Ssd, 22” Led Monitor, Windows 11 Professional Operating System & Microsoft Office 2021 Professional. (to Be Installed At Mdrrmo Eoc For Configuration & Maintenance Use Plus Data Backup And Paging System Server)" 15 Units Network Horn Speaker Paging System Audible Distance 40-50m Supports Poe, 50w, Ip65. 1 Unit Network Public Address Software It Can Work Within Lan Network Including Fiber Links And Wireless Ptp/ptmp. 
Support Up To 1000 Zones User Can Set Up The Whole Network System Using The Main Software Features: Grouping / Zoning, Paging, Music Playback, Schedule Recorded Playback, One Button Alarm To All Speakers 1 Unit Public Address Condenser Mic Desktop With Chime Ac220vplug & Play Function Output Voltage Selectable Turn On & Off Chime Function Adjustable Chime Volume 1 Lot Vrght-8c-sm 8 Core Fiber Optic Cable Single Mode 15 Pieces 48v Power Adaptor 1000mah 1 Lot Fiber Optic Laying, Wired-fiber Cabling/stringing And Mounting Of Network Devices/peripherals, Ip Cameras & Utility Boxes. Fiber Setup, Configuration, Fine Tuning And Synchronization Of Pa System Equipment Installed At Mdrrmo Eoc. Testing For Full Functionality As A Whole Of The System. 1 Lot Installation Materials & Peripherals: Cable Tie, Metal Clamps, G.i. Wires, 4-gang Outlets, Electrical Wires, Rj45 Connectors, Fiber Sleeve’s, High Pressure Nails, Silicon Sealant, Plastic Molding, Fiber S-clamps, Metal Straps, Metal Straps Lock, Double Sided Tapes, Electrical Tapes, Led Wall Mount Brackets, Hdmi Cables, Woods Screws, Metal Screws, Etc. Technical Requirements And Conditions 1.bidder/supplier Requirement. Interested Contractor/system Integrator Must Present The Following: A. A List Of Accredited Or Authorized Service Providers For The Preventive Maintenance Of The System To Ensure The Quality And Fast After Sales Services Response For The Maintenance Of The Project, During And Within The Coverage Of The Warranty Period, The Contractor Shall Act To Repair Any Reported Problem Of The Entire. B. This Project's Complexity And Utmost Need To Rely On The Contractor’s Professionalism, Qualifications, And Integrity. To Exhibit The Knowledge And Experience Necessary To Ensure Optimal Customer Satisfaction, The Bidder/supplier Must Be In The Industry For At Least Eight (8) Years.; C. The Service Provider: Must Have The Capacity And Ability To Provide Maintenance Services And Technical Support In The Next Business Day. 
D. Has Implemented At Least 3 Similar Projects In The Deployment Of A Fiber Optics Backbone Cabling E. Service Provider Must Submit Detailed Work Plan Specifying Installation Design. F. Installation Shall Be Supervised By Professional Electronics Engineer And Safety Officer G. Service Provider Shall Submit Original Copy Of Design Proposal, Brochures And Other Publications That Supports Compliance To The Requirements. H. Service Provider Is Reachable Through Phone Or Email For Technical Support I. Complete The Delivery Of The Functional Network Within 30 Days From The Receipt Of The Notice To Proceed. J. Upon Installation, The Network Shall Be Tested For Continuity And Speed Together With All Conditions And Parameters Identified. K. The Bidder Shall Provide The Following Requirements: Note: All Certifications Mentioned In This Section Must Be Submitted With Your Eligibility Documents Under Technical Specification. Certificate Of Offered Brand Distributorship/dealership From The Local Distributor With The Exact Address Of The Bidder’s Showroom Or Warehouse Must Also Provide. Training Certificate Of Fiber Optic & Splicing From The Distributor Of Brand Offered, At Least 4 Persons, And Must Be Indicated At Manpower Requirements. Certification From The Bidder That The Products/items To Be Delivered Are Brand-new And Latest Model Of Its Kind. Unconditional Statement That The Bidder Will Comply With The Provision On The Complete Installation, Calibration, Testing And Commissioning Of Entire System. Unconditional Statement That The Bidder Will Comply With The Provision That The Contractor Shall Provide The Wiring Layout Plan Indicating All Equipment Locations With Its Corresponding Serial Numbers And End-to-end Connectivity Of Inputs To Outputs. 
Unconditional Statement That The Bidder Will Comply With The Provision That All Other Equipment And Materials Not Mention Under Technical Specification That Are Necessary For The Complete Installation And Commissioning Of The Whole System Shall Be Provided By The Winning Bidder. Unconditional Statement From The Bidder Reflecting That During And Within The Coverage Of The Warranty Period, The Contractor Shall Act To The Repair Any Reported Problem Of The Entire System Upon Receipt Of Notice From The Municipality Of Polillo. Unconditional Statements That The Bidder Will Comply With The Above Mentioned (installation, Configuration And Testing) Of The Technical Specifications. Note: All Certifications/documents Mention In This Section Must Be Submitted During The Bid Opening. 2. Resources/utilities. The Winning Contractor Or System Integrator Must Have The Appropriate Personnel, Tools, Resources, Equipment Specially Fiber Optic Fusion Machine, (fiber Optic Fusion Machine Is A Device That Uses An Electric Arc To Melt Two Optical Fibers Together At Their End Faces, To Form A Single Long Fiber.) And Accreditations For The Efficient Implementation Of The Project; 3. Fiber Type Classification. The Wired-fiber Network Infrastructure Backbone Requirement Must Be Single-mode 8-core For Node-1 And Node-2, (1 X 5km) Each Node, Total Equivalent To 10,000 Meters (10km) Outdoor Hybrid Type, Aerial Deployment Strategy Utilizing The Quezelco/barangay Posts To Hold And Suspend The Fiber-wire That Will Comprise The Network Backbone Covering 2 Separate Areas; 4. Speaker Installation Standards. All Network Speaker Mounted/installed In Identified Posts By End-user Must Be Supported With The Appropriate Ip67-steel/stainless Boxes With Standard 400mm Diameter Size And Standard Length Of 300x180mm 5. Standard Height Speaker & Utility Box. Standard Height Of Network Cameras From The Base Of The Quezelco Posts Is 10-feet Min, 15-feet Max. 
The Standard Height Of The Utility Box From The Base Of The Quezelco/barangay Posts Must Be 10-feet For Easy Technical Access And Maintenance; 6. Powering Standards. Powering Of Ip Cameras Must Be Surge Protected With Lightning Suppressor. Digital Molded Type Circuit Breakers With Min 10amperes To 15amperes Maximum Must Be Utilized Including 4gang Power Outlet. With #14 Wire As The Standard For Power Tapping To Quezelco/barangay Live Electrical Ac Source; 7. Proper Tagging, Marking And Labeling. Fiber Wire Nodes In The Data Cabinet Including Main I.t Equipment And Network Devices Must Be Properly Tagged, Labeled And Provided Identification; 8. Testing And Commissioning. Professional Testing That Includes Laser Light Penetration Test On All The Fiber Nodes Must Be Done By The System Integrator/contractor To Ensure Integrity And Quality Of The 2 Nodes As Main Wired-fiber Network Backbone To Secure And Enhance Connections Of Ip Cameras And Network Peripherals; 9. Coordination. The Contractor Is Responsible In Coordinating With Quezelco/barangay Relative To The Implementation Of Node 1 And 2 Wired-fiber Network Infrastructure Including The Power Tapping For Any Electrical Standards/precaution Requirements And Standards. Submit Power Consumption Ratings Of All Cameras And Network Devices; 10. Basis Of Inspection/implementation. The Program Of Work Will Be The Sole Basis Of The Contractor/system Integrator In Implementing The Project. This Will Also Serve As The Sole Basis Of Final Inspection Upon The Completion Of The Project By Authorized Agency Inspectors; 11. Change Variation Order. In Cases Of Needed Changes Of Deliveries Adjustments Necessary For The Project, The Contractor Or System Integrator Must Immediately Inform The Municipality Of Polillo, Quezon Province In Writing For Approval Prior To Delivery Of Items And/or Services; 12. Wiring Standards. 
Global Standards Fiber-wired Cabling And Well-organized Wiring And Proper Placement Of I.t Equipment And Network Devices At The Municipality Of Polillo Of The Command Center Must Be Observed By The Winning Contractor. Further, All I.t Peripherals And Network Devices Mounted Inside Utility/terminal Boxes In All The Locations Must Be Well Organized Properly Mounted Not Mess Up; And 13. Data Center Standards: All Existing Network Wirings/cablings Inside The Data Cabinet Should Be Included To Be Organize By The Winning Contractor For Wiring And Cabling Standards.
Closing Date: 17 Feb 2025
Tender Amount: PHP 1.7 Million (USD 31 K)
DEPT OF THE AIR FORCE USA Tender
Software and IT Solutions
United States
Details: Air Force Life Cycle Management Center/enterprise It And Cyber Infrastructure Division (aflcmc/hni)
User Experience Monitoring (uxm) Program Management Office (pmo)
Request For Information (rfi), Revision 1 To (notice Id: Uxm_rfi), System Integration For Network, Systems, And Application Performance Visibility
1. Background:
the Department Of The Air Force (daf), Air Force Life Cycle Management Center (aflcmc), Cyber And Networks Directorate (hn), Enterprise Information Technology And Cyber Infrastructure Division (hni), Program Management Office (pmo) Is Seeking A Vendor To Act As A System Integrator For Current Systems Of Record. The Goal Is To Combine Data Sources Into A Unified View, Incorporating Infrastructure, Network Capability, And Endpoint Performance Data Into A Single View.
the Primary Change Between The Initial Rfi (sam.gov Notice Id: Uxm_rfi) And This Revised Rfi Is The Shift In Focus From Seeking A Comprehensive Monitoring Solution To Emphasizing System Integration Using Existing Pilot Tools Already Deployed Across The Department Of The Air Force (daf). The Initial Rfi Aimed To Gather Information On Solutions That Provide Real-time Visibility Into It Network, Systems, And Application Performance, With Capabilities Such As Service Dependency Mapping, Network Modeling, And Application Performance Monitoring. In Contrast, The Revised Rfi Seeks A Vendor To Act As A System Integrator To Combine Data Sources Into A Unified View, Incorporating Infrastructure, Network Capability, And Endpoint Performance Data. The Goal Is To Enable Real-time Visibility And Proactive Issue Resolution By Integrating Existing Monitoring Tools And Systems To Achieve A Comprehensive Understanding Of The Traffic And Infrastructure Within Daf Networks.
the Uxm Pmo Is Responsible For Monitoring A Complex Network, Systems, And Application Infrastructure That Supports Critical Operations Within The Department Of The Air Force (daf). This Infrastructure Includes Base Networking Equipment, Multiple Data Centers, Cloud Environments, Vpns, And A Wide Range Of Applications Serving Internal Daf Users. The Pmo Is Seeking A Vendor To Provide System Integration Services That Can Enable Real-time Visibility Into The Performance Of The It Network, Systems, And Applications. The Goal Is To Proactively Identify And Resolve Issues By Integrating Existing Monitoring Tools And Systems To Achieve A Comprehensive, Holistic, And Integrated Understanding Of The Traffic And Infrastructure Within Daf Networks. The System Integrator Deliverable Should Facilitate Root-cause Analysis, Automated Predictive Problem Detection, Suggest Solutions And Fixes, And Support Planning And Modeling For Network Improvements.
currently, Network Operators Are Using Fragmented, Piece-wise Approaches To Problem Discovery And Root Cause Analysis. We Are Looking For A System Integrator Who Can Improve Problem-solving Throughput And Issue Discovery By Tracing Problems From Endpoints Through The Network To The Underlying Services, Utilizing New And Existing Telemetry Sources.
The Monitoring Solution Should Include The Ability To Perform The Following Requirements:
Service Dependency Mapping: Integrate Tools To Automatically Map Interdependencies Between Applications And Alert On Unexpected Communication And Bottlenecks.
Network Modeling Capabilities: Integrate Solutions To Provide A Dynamic Network Map, Simulate Network Changes, Compare Configurations, Support Distributed Tracing, And Correlate With Network Events And Metrics From Logging.
Application Performance Monitoring: Integrate Tools For Agent-based And Synthetic Testing For Application Performance Monitoring, Real-time Transaction Visibility, And User Performance Tracking.
Customizable & Extensible: Support Integration Of Tools For Creating Custom Tests By Non-expert Programmers, Ingesting And Correlating Data From Other Vendors, And Integrating With Existing Daf And Disa Networking Modeling Investments.
Standards: Ensure Integration With Industry Standards Supported, Such As Export And Ingest Of Open Telemetry Data And Compliance With Semantic Conventions For Attributes.
Accreditation And Approval: All Integrated Items Must Be Trade Agreements Act (taa) Compliant And Approved For Use Within The Department Of Defense (dod).
2. Response Format:
Administrative Information:
Company Name, Address, And Point Of Contact
Cage Code
Naics Code, Size Of Pursuant Business
Large Business Or Small Business Designation
Company Ownership: Domestic Or Foreign (indicate Country Of Ownership)
Gsa Schedule(s)/gwac(s)/other Ordering Vehicles Held That Could Be Applicable To This Requirement
Solution Overview:
Key Features And Capabilities Of Your System Integration Services
How Your Services Address The Specified Requirements For Service Dependency Mapping, Network Modeling, Application Performance Monitoring, Customization, And Standards Compliance
Technical Specifications:
Hardware And Software Requirements For Integration
Approach To Integrating With Existing Daf And Disa Networking Modeling Investments
Hosting: Is This A Commercial Saas Approach, Or Can It Be Hosted On Afnet Cloud Assets With Il5 Level Security (highly Preferred)?
Does All/part Of The Software Already Have Ato Certification On The Afnet?
How Do You Decompose Rum (application Telemetry) Into Underlying Network Traces (tcp, Ssl, Dns, Etc.)?
How Do You Correlate Synthetic Network Traces (tcp, Ssl, Dns) With Application Performance?
How Are Metrics And Log Data From Network Gear (routers, Firewalls) Correlated With Network Traces?
Can Detailed Application Network Traces Be Captured Without Modification Of The Applications? How Does Your Approach Do This?
Does Your Solution Support Integration With Itsm Systems Such As Servicenow? If So, What Integration Features Are Supported Out Of The Box?
How Will You Automate Data Cataloging So That Our Air Force Data Analysis Can Have A Clear Understanding Of The Data On Their Own Without Your Support?
Does The System Support Automated Aging Of Data Into Hot, Warm, Cold, And Frozen Tiers?
What Tuning And Customization Is Possible For Doing Ai/ml Assisted Anomaly Detection And Forecasting?
How Will You Automate Schema Drift And Automated Schema Evolution As Incoming Telemetry Changes Based On Decisions Beyond The Control Of This Program Office?
What Technical Mechanism Do You Have For Data Synchronization With Powerbi To Allow Our Air Force Powerbi Users To Analyze And Create Workflows For Team Collaboration And Problem Analyses?
What Application Rum Stats Do You Collect? And At What Cadence? How Do You Handle Computers That Go Offline, Or Move Between Bases Or Are Occasionally On Vpn Networks?
Data Resilience: What Rollback, Snap Shotting, Geo-replication, Etc. Is Supported?
Health Monitoring: What Tool-ware Is Provided For Monitoring The Health Of The Application Rum Clients And Synthetic Monitors?
Solarwinds: We Have Npm, Ntm And Ncm Data From Solarwinds Orion Servers, How Would You Incorporate That Into Our Performance Solution And What Benefits Would Accrue?
Please Describe Any Native Tool-ware For Visualization And Eda (exploratory Data Analysis), Charting, Cross-filtering, Matrix Scatterplots, Correlation Matrices, Etc.
We Currently Have 24tb Of Telemetry Data Covering 2 Years, Describe Tools For Live Interactive Aggregation And Plotting For Interactive Exploration.
Implementation Approach:
Deployment And Configuration Steps For System Integration
Estimated Timeline For Integration
How Would You Manage Collaboration With Our Afnet Operators Who Are Currently Collecting Application, Network, Synthetic Test, And Infrastructure Logs That Need To Be Integrated Into Your Solution?
vulnerability Handling To Include Notifications, Patches, And Test Plan Prior To Implementation
would The Implementation Include Import Of Historical Data (training Data)? If Yes, Can You Explain The Migration Mechanism?
is There Any 3rd Party Software Being Used? If Yes, How Are Vulnerabilities Being Handled For 3rd Party Software (i.e., Notifications, Patches Tested Before Implementation)?
is It Possible To Have A Model/reference Architecture For A Similar System That Has Been Put In Place?
pricing Model:
licensing Type Or Subscription Fees
any Additional Costs For Implementation, Training, Or Support
training & Support:
type Of Training Provided For System Integration
estimated Timelines And Manpower Resources Needed For Integration
types Of Technical Support And Response Times Available During And Post-integration
after Deployment, How Many Fte Are Required To Manage The Operation And Health Of The System On A Continuing Basis?
references:
provide 2-3 Examples Of Successful System Integration Projects In Similar Environments (government Or Non-government), Including The Following Information For Each Example:
organization Name
contract Number, If A Government Customer
point Of Contact (poc) And Contact Information
3. Questions And Submission Information:
any Questions Regarding This Rfi Must Be Submitted Via Email On The Q&a Template Within 10 Days Of This Posting To The Contracting Officer At diana.tien@us.af.mil And The Contracts Specialist At veronica.schoultz@us.af.mil. All Questions And Their Answers Will Be Posted With This Rfi For All Interested Parties To Access.
if You Provided A Prior Submittal, You Can Reply “no Change” If The Revisions To The Rfi Do Not Necessitate A Change To Your Original Submittal, Or You Can Submit A Red-lined Version With Changes.
the Government Requests Submission Of Rfi Responses No Later Than 15:00 Eastern Time On 30 January 2025.
4. Disclaimer:
this Is An Rfi, As Defined In Federal Acquisition Regulation (far) 15.201(e). Any Information Submitted By Respondents To This Request Is Strictly Voluntary. This Is Not A Request For Proposal (rfp), Request For Quotation (rfq), Or Invitation For Bid (ifb); Nor Does Its Issuance Obligate Or Restrict The U.s. Government To Issue An Rfp, Rfq, Or Ifb In The Future. The U.s. Government Does Not Intend To Award A Contract Or Order Based On Responses From This Rfi.
not Responding To This Rfi Does Not Preclude Participation In Any Future Rfp, Rfq, Or Ifb, If Any Are Issued.
respondents Are Advised The U.s. Government Shall Not Pay For Any Information Provided, The Use Of Such Information, The Preparation Of Such Information, Travel Expenses, Nor Any Administrative Costs Incurred In Response To This Rfi. All Costs Associated With Responding To This Rfi Will Be Solely At The Interested Parties’ Expense.
information Received From This Rfi Will Be Used For Acquisition Planning And Market Research Purposes; An Acquisition Strategy Has Not Yet Been Approved For This Requirement. As Such, Any Response Submitted To This Rfi Constitutes Consent For That Submission To Be Reviewed By Military Personnel, Government Civilians, And Government Support Contractors.
any Proprietary Information Submitted Should Be Identified As Such And Will Be Properly Protected From Disclosure. All Dod Contractor Personnel Reviewing Rfi Responses Will Have Signed Non-disclosure Agreements And Understand Their Responsibility For Proper Use And Protection From Unauthorized Disclosure Of Proprietary Information. The U.s. Government Shall Not Be Liable For Damages Related To Proprietary Information That Is Not Properly Identified. Proprietary Information Will Be Safeguarded In Accordance With The Applicable U.s. Government Regulations.
respondents Are Advised That The Government Is Under No Obligation To Provide Feedback With Respect To Any Information Submitted.
issuance Of This Rfi Does Not Obligate Or Restrict The U.s. Government To An Eventual Acquisition Approach.
Closing Date: 30 Jan 2025
Tender Amount: Refer Documents
Landkreis Potsdam Mittelmark Tender
Education And Training Services
Germany
Details: The Potsdam-Mittelmark district intends to implement an e-learning platform for the area of information security and data protection. This contract is to be awarded by way of a negotiated award without a prior competition. An e-learning platform for the subject area of information security and data protection is to be made available, the training content of which is to be regularly supplemented and updated. In addition to training our employees, the focus is also on raising their awareness. Current security measures, vulnerabilities and attack patterns, including phishing and social engineering, are to be taught in a learning environment prepared according to learning psychology aspects. Phishing campaigns are also to be sent out by email on a regular basis. Optionally, the platform should be expanded to include the subject areas of occupational safety, equal opportunities and anti-corruption. As part of the application management of the e-learning platform, it should be possible to activate different modules simultaneously and at different times. The activation of individual modules should be possible in the classification according to the corresponding fields of activity. Heterogeneous learning formats should guarantee that different learning types are addressed and that individual knowledge transfer takes place. A corresponding platform should therefore enable the following learning forms: gamification, videos, reading texts, voice notes (audios) and multiple-choice questions. The system should be compatible with AD connections and mobile use. The system must be able to transfer and update/synchronize the required data from the district administration's directory service via a secure interface in accordance with the state of the art. The system must also offer the option of implementing your own training units. 
The e-learning platform should either be operated "on premise" in the district administration's data center or as a cloud solution by the provider or a hosting service provider, whereby in the latter case the servers must be hosted within the European Union or the European Economic Area. In addition, it should be guaranteed that with a cloud solution there is a very high level of system availability (at least 99%) on the part of the provider. In addition, the provider should take technical and organizational measures appropriate to the risk to ensure the confidentiality, integrity and availability of the processed data.
Closing Date: 10 Feb 2025
Tender Amount: Refer Documents
VETERANS AFFAIRS, DEPARTMENT OF USA Tender
Civil And Construction, Building Construction, Consultancy Services, Civil And Architectural Services
United States
Details: This Is Not A Request For Proposal. This Is A Request For Standard Form (sf) 330 Architect-engineer Qualifications Packages Only. All Information Needed To Submit Sf 330 Documents Is Contained Herein. No Solicitation Package, Technical Information, Or Bidder/plan Holder List Will Be Issued. The Government Will Not Pay, Nor Reimburse, Any Costs Associated With Responding To This Request. The Government Is Under No Obligation To Award A Contract As A Result Of This Announcement. 1. General Information Veterans Health Administration (vha) Program Contracting Activity Central (pcac) Is Seeking Sources And Intends To Award A Firm Fixed Price Design Contract For Architect-engineering (a-e) Services For The Development Of Complete Construction Documents, Which Include Working Drawings, Specifications, And Reports, And Construction Period Services For Project #676-336 Fire Station Design-tomah Va Medical Center. The A-e Services Contract That Is Anticipated To Be Awarded Will Be Procured In Accordance With The Selection Of Architects And Engineers Statute [formerly Known As The Brooks Architect Engineer Act], Federal Acquisition Regulation (far) Subpart 36.6 Architectural And Engineering Services, Va Acquisition Regulation (vaar) 836.6, And Va Acquisition Manual (vaam) M836.6 Architect-engineer Services. In Accordance With Far 36.209, Construction Contracts With Architect-engineer Firms, No Contract For The Construction Of A Project Shall Be Awarded To The Firm That Designed The Project Or Its Subsidiaries Or Affiliates, Except With The Approval Of The Head Of The Agency Or Authorized Representative. 2. Project Information This Project Is A 100% Set-aside For Service-disabled Veteran-owned Small Business (sdvosb) Concerns. The Naics Code For This Procurement Is 541330 Engineering Services And The Annual Small Business Size Standard Is $25.5m. A Full Design Team Is Required To Complete This Project. 
The Va Expects To Award The Anticipated A-e Contract By Late March 2025. The Anticipated Period Of Performance For Completion Of Design Is 160 Calendar Days After Notice Of Award (noa). The Vaar Magnitude Of Construction Is Between $5,000,000 And $10,000,000. Please Note That The 160-calendar-day Period Of Performance For The Design Completion Begins With The Issuance Of The Noa And That A Notice To Proceed (ntp) Will Not Be Issued For The Completion Of A Design Project. 3. A-e Selection Process Firms Submitting Sf 330s In Response To This Announcement, Not Later Than The Closing Date And Time Specified Herein And In Accordance With Submission Requirements, Will Be Considered For Evaluation. The Selection Will Be Made As Follows: Sf 330s Will Be Evaluated In Accordance With The Primary Selection Criteria As Stated In This Pre-solicitation Notice. These Evaluations Will Determine The Most Highly Qualified Firms For This Particular Requirement. In Accordance With Far 36.602-3(c), At Least Three Of The Most Highly Qualified Firms Will Then Be Notified Of The Government S Intent To Hold Discussions. All Firms Not Invited To Participate In Discussions Will Be Notified At This Time. In Accordance With Far 36.607(b), Any Requested Debriefings Of Successful And Unsuccessful Firms Will Be Held After Final Selection Has Taken Place And Will Be Conducted, To The Extent Practicable, In Accordance With 15.503, 15.506(b) Through (f), And 15.507(c). Note That 15.506(d)(2) Through (d)(5) Do Not Apply To Architect-engineer Contracts. Discussions Will Be Held With The Most Highly Qualified Firms In The Form Of Written Responses. The Firms Invited To Participate In Discussions Will Be Notified By Email And Provided Further Instructions, Including Any Questions Or Topics To Address. Following The Completion Of Discussions, The Firms Will Be Evaluated And Ranked Based On The Primary And (if Necessary) Secondary Selection Criteria. 
The Final Evaluation And Ranking Will Consider The Sf 330 Submission For Each Firm, As Well As Additional Information Obtained Via Discussions. The Highest Rated Firm Will Be Selected To Receive The Solicitation And Engage In Negotiations. The Solicitation Will Be Issued To The Highest Rated Firm As A Request For Fee Proposal (rfp). All Sow Attachments And Site-specific Documentation Will Be Provided To The Highest Rated Firm With The Rfp. A Site Visit Will Be Authorized During The Negotiation Process. An Award Will Then Be Made As Long As The Negotiation Of Rates And Hours Leads To A Fair And Reasonable Determination Of The Final Contract Price. If Negotiations With The Highest Rated Firm Are Unsuccessful, The Firm Will Be Notified That Negotiations Have Been Terminated. Negotiations Will Then Be Initiated With The Next Highest Rated Firm, And So On Until Award Can Be Made. 4. Selection Criteria: Firms Responding To This Notice Will Be Evaluated And Ranked Using The Primary And Secondary Selection Criteria Listed Below. The Factors Are Listed In Descending Order Of Importance. The Evaluation Will Consider How Each Factor Is Addressed And How It Is Formatted To Coincide With The Selection Criteria. Primary Selection Criteria: Professional Qualifications: Professional Qualifications Necessary For Satisfactory Performance Of Required Service. The A-e Shall Demonstrate They Are Able To Sign And Stamp Each Drawing By Individuals Licensed In Any State In The United States For The Key Positions Listed Below. Provide Professional License Numbers And/or Proof Of Licensure. The Evaluation Shall Consider The Specific Experience (minimum Of Five Years) And Qualifications (i.e., Education, Training, Registration, Certifications, Overall Relevant Experience, And Longevity With The Firm As Full-time Employees) Of Personnel Proposed For Assignment To The Project. 
The Lead Designer In Each Discipline Must Be Registered But Does Not Have To Be Registered In The Particular State Where The Project Is Located. Disciplines Requiring A Florida License Include Civil/structural And Hazardous Material Abatement/industrial Hygiene. A Resume For Each Of These Key Positions Must Be Provided In Section E Of The Sf330. Key Positions And Disciplines Required For This Project Include, But Are Not Limited To: Architect (leed Certification/us Green Build Council Certification) Cost Estimator Civil Engineer Electrical Engineer Environmental Engineer Fire Protection Engineer Mechanical Engineer Plumbing Engineer Project Manager Quality Assurance Manager Structural Engineer Physical Security Specialists Commissioning Agent Offeror Must Include The Following Statement Of Sdvosb Compliance When Submitting The Personnel Proposed To Perform The Work Under This Requirement: I, [signatory Authority], Of [company Name], Certify That The Sdvosb Prime Contractor Will Not Pay More Than 50% Of The Amount Paid By The Government To The Prime For Contract Performance To Firms That Are Not Certified Sdvosbs Listed In The Sba Certification Database In Compliance With Vaar 852.219-73. The Information Provided In Sections C Through E Of The Sf 330 Will Be Used To Evaluate This Factor. Do Not Include This Information In Section H Unless It Is Pertinent To Support The Information Listed In The Other Sections. Specialized Experience And Technical Competence: Specialized Experience And Technical Competence In The Design And Construction Period Services Shall Be Provided For Network Infrastructure Installation, Renovations, Or Upgrades. 
Projects Experience Should Include Upgrading Large Scale (multi-building With Multiple Generational Oit Systems) Fiber Optics, Data Cable, Structured Cabling, Electrical Distribution Design, Electrical Upgrades, Uninterruptable Power Systems (ups), Electrical Bonding, Building Management Systems/building Automation Systems (bms/bas), Hvac, It Room Renovations/expansion/relocations, Data Centers/server Rooms Reconfiguration, And Physical Security Upgrades, Duct Bank And Direct Boring Operations. Other Specialized Experience To Provide Should Include Experience In Critical Path Scheduling, Fire Protection, Construction Infection Control Protocols, Energy Conservation, Transition, And Sustainable Design Practices. Submissions Shall Include No More And No Less Than Five (5) Recent And Relevant Government And Private Experience Projects Similar In Size, Scope, And Complexity, And Experience With The Type Of Projects/competence Above. Relevant Is Defined As Those Task Requirements Identified In The Statement Of Work. Recent Is Defined As Services Provided Within The Past Five (5) Years. Include The Following For Each Submitted Project: Project Title And Location Detailed Narrative Describing The Scope Of Services Provided, Including The Type Of Work Performed By The Offeror And Its Role In The Project (i.e., Prime Contractor, Teaming Partner, Or Subcontractor) Project Owner, Owner S Point Of Contact Including Telephone Number And Email Address. Services & Deliverables Provided Under The Contract/task Order. Period Of Performance, Including Start And Completion Dates Total Dollar Value Of The Project Ae Cost Estimate Vs. Actual Construction Cost Contract Number Associated With The Project. The Information Provided In Section F Of The Sf 330 Will Be Used To Evaluate Relevant Specialized Experience And Technical Competence. Any Projects Submitted By An Offeror That Exceed The Limit Will Not Be Considered During The Evaluation. 
The Information Provided In Section G Of The Sf 330 Will Be Used To Evaluate The Prior Experience Of The Prime Firm And Any Key Subcontractors Working Together On The Provided Relevant Projects. The Offeror Must Include Narratives Of How The Firm Addresses Each Of The Following Topics In Section H. Simply Restating This List In Section H Will Not Be Sufficient. The Management Approaches. The Coordination Of Disciplines And Subcontractors Quality Control Procedures, And Familiarity With Va Design Guides/manuals, Master Specifications, And Other Applicable Standards. Capacity: The Evaluation Will Consider The Firm S Ability To Meet The Schedule Of The Overall Project, As Well As The Available Capacity Of Key Disciplines To Perform The Work In The Required Time. Provide The Available Capacity Of Key Disciplines By Providing Current Project Workload, Inclusive Of All Projects Awarded By The Va, Any Federal Agency, And Private Sector, During The Previous Twelve (12) Months Or Any Active Projects At Pcac. Include The Full Potential Value Of Any Current Indefinite Delivery Contracts The Prime Firm Has Been Awarded From Any Source. Offeror Shall Clearly State Their Available Capacity Presenting Workload Percentages For The Key Disciplines And/or Team Members. Also, The Offeror Must Provide The Award Date, Completion Percentages, And Expected Completion Date For The Va Projects Awarded In The Previous Twelve (12) Months Or Active At Pcac. The Information For This Factor Must Be Provided In Section H Of The Sf 330. Please Ensure The Capacity Applies Toward The Proposed Team/personnel Provided In The Sf 330. Past Performance: Past Performance Will Be Evaluated On Contracts With Government Agencies And Private Industry In Terms Of Cost Control, Quality Of Work, And Compliance With Performance Schedules. Past Performance Will Be Evaluated For All Projects Provided In Section F. 
The Contractor Performance Assessment Reporting System (cpars) Database Will Be Reviewed To Evaluate The Projects That Have A Va Cpars Entry. Va Cpars Are Not Required To Be Submitted With The Sf330 Submission. The Contract Number For The Project Must Be Submitted For Each Project Provided In Section F So Cpars Can Be Reviewed In The Database. Please Note We Are Unable To Review Any Cpars From Other Federal Agencies Outside Of The Va. For Any Project That Does Not Have Va Cpars Data Available, A Past Performance Questionnaire (ppq) Is Required To Be Submitted With The Sf330. If The Firm (prime Or Subcontractor) Was Not The Prime Contractor On Any Project Submitted In The Sf330, A Ppq Must Be Submitted Listing Their Specific Role (key Disciplines) As A Subcontractor. The Ppq Should Be Rated And Signed By The Evaluator. In The Event That A Firm Does Not Receive A Completed Ppq Requested From An Evaluator Prior To The Time For Submission, The Firm Shall Submit The Partially Completed Ppq With Section 1 And The Evaluator Information In Section 2 Completed. Ensure A Poc Is Listed With The Project Title/contract Number. The Va Will Make Reasonable Attempts To Contact The Poc Upon Submission For Ppq Completion. The Government May Consider Additional Performance Related Information Regarding The Firm, To Include Customer Inquiries, Government Databases, Publicly Available Sources, And Additional Projects In Cpars. The Government Reserves The Right To Contact Any Poc Listed On A Cpars Report Or Ppq. If Appropriate, The Record Of Significant Claims Against The Firm Because Of Improper Or Incomplete Architectural And Engineering Services May Be Evaluated. Failure To Provide Requested Data, Accessible Points Of Contact, Or Valid Phone Numbers Will Result In A Firm Being Considered Less Qualified. The Information For This Factor Must Be Provided In Section H Of The Sf 330. For Ppqs, Please Utilize The Attached Ppq Document. Completed Ppqs Should Be Incorporated Into The Sf 330. 
Ppqs Should Not Be Submitted To Vha Pcac Directly. Any Ppqs Will Not Be Counted Towards The Page Limitation For This Submission. However, Any Narratives Provided For Past Performance In Section H Will Be Counted Toward The Page Limit. Knowledge Of Locality: Demonstrate And Describe Experience In The Local Area And The Specific Knowledge Of Certain Local Conditions Or Project Site Features The Experience Provided. This Description May Include (if Applicable): Any Prime Firm Or Subcontractor Experience Within The Visn Or At The Vamc State Or Local Construction Codes, Laws, Or Regulations Climate And Seismic Related Conditions Or Features The Information For This Factor Must Be Provided In Section H Of The Sf 330. Note That The Intent Of This Factor Is To Showcase A Firm S Understanding Of The Site And Locality, And Not Where The Firm Is Located, How Far Away The Firm/branch Office Is From The Site, And How They Would Travel To The Site. Information Related To The Firm S Location Shall Instead Be Provided In Section H Under Secondary Selection Criterion Factor 1, Geographic Location. See Below. Experience In Construction Period Services: Experience In Construction Period Services Must Be Demonstrated Via Project Experience. These May Be The Same Projects Identified Above In Factor 1; However, The Firm Shall Clearly Delineate The Types Of Construction Period Services Performed For Each. Refer To The Statement Of Work For Review Timeline Expectations. Project Descriptions Must Include Experience With: Solicitation Support Services, Professional Field Inspections During The Construction Period Coordination With Commissioning Requirements Review Of Construction Submittals Support In Answering Requests For Information During The Construction Period. Support Of Construction Contract Changes To Include Drafting Statements Of Work And Cost Estimates. 
Attendance At Weekly Conference Calls Providing Minutes Of Meetings Between The Ae, Va, And Contractors Pre-final Inspection Site Visits Generation Of Punch-list Reports, And Production Of As-built Documentation. The Firm Shall Provide A Detailed Description Of Projects Worked That Illustrate Experience In These Areas. Projects Must Be Within The Last Ten (10) Years. In Addition, The Firm Must Include A Description Of Experience Addressing Unforeseen Conditions And Emergent Situations, Conducting Situation Evaluations, And Making Midcourse Corrections. Include Description On How The Firm Can Be Proactive Or Responsive In These Situations. The Information For This Factor Must Be Provided In Section H Of The Sf 330. Secondary Selection Criterion*: Geographic Location. Location Of The Firm, As Measured By The Driving Distance (miles) Between The Offeror S Principal Business Location And The Tomah Va Medical Center 500 E Veterans Street, Tomah, Wi. 54660. . Determination Of The Mileage Will Be Based On Google Maps (https://www.google.com/maps/dir/). *the Secondary Selection Criterion Is Used As A Tiebreaker, If Necessary, In Ranking The Most Highly Qualified Firms Following The Completion Of Discussions. The Secondary Selection Criterion Will Not Be Applied When Determining A Firm S Sf 330 Submission Highly Qualified Or Not Highly Qualified. 5. Submission Requirements: The Below Information Contains The Instructions And Format That Must Be Followed For The Submission Of The Sf 330 Statement Of Qualifications: Submit One (1) Sf 330 Statement Of Qualifications To Contract Specialist Johnna Mcgraw At Johnna.mcgraw@va.gov . This Must Include Parts I And Ii And Any Applicable Attachments. The Submission Must Include The Sf 330, Architect-engineer Qualifications (form Is Available Online At Https://www.gsa.gov/reference/forms/architectengineer-qualifications). The Sf 330 Submission Is Due By January 10th 2025 At 1pm Est. 
The Sf 330 Must Be Submitted In One Email And Have A File Size No Larger Than 5 Mb. No Hard Copies Will Be Accepted. The Subject Line Of The Email Must Read: Sf 330 Submission Fire Station Design- Tomah Wi. The Sf 330 Submission Must Not Exceed A Total Of 50 Pages. This Includes Title Page, Table Of Contents, And Any Other Relevant Information. Any Pages Submitted By An Offeror That Exceed The Limit Will Not Be Considered During The Evaluation. Each Page Must Be In Arial Size 12 Font, Single Spaced. Part Ii Of The Sf 330 And Any Cpars Or Ppqs Will Not Count Toward The Page Limitation. A Ppq Obtained For Another Sf 330 Submission May Be Submitted For This Project. However, If Significant Portions Of The Project Have Been Completed Since The Ppq Was Filled Out, A New Ppq Should Be Submitted To Accurately Assess The Project. Firms Must Include The Following Information In Section B Of The Sf 330 Submission: 1) Sam Unique Entity Identifier 2) Tax Id Number 3) Cage Code 4) Primary Point Of Contact S Email Address And Phone Number. All Questions Must Be Submitted To Johnna Mcgraw With The Subject Line Sf 330 Questions Fire Station Design-tomah Wi. The Cutoff For Question Submission Is 1:00 Pm Est On December 16th, 2024. Questions Will Be Answered Through Modification To The Pre-sol Notice Posted To Contract Opportunities At Sam.gov. This Procurement Is A 100% Set-aside For Sdvosb Concerns. Offers Received From Other Than Sdvosbs Will Not Be Considered. Offerors Must Be Certified As Sdvosbs By The U.s. Small Business Administration (sba) And Visible In The Veteran Small Business Certification (vetcert) Database (https://veterans.certify.sba.gov/) At The Time Of Sf 330 Submission, Written Response Submission, And Award. Failure To Be Certified In The Vetcert Database At These Times Will Result In The Offeror Being Deemed Ineligible For Award. 
All Joint Ventures Must Be Sba Certified At The Time Of Sf 330 Submission, Written Response Submission, And Award And Must Submit Agreements That Comply With 13 Cfr 128.402 Prior To Contract Award. All Prime Firms Must Meet The Naics Code Requirement Specified In This Notice. The Contracting Officer Will Verify The Naics Code In Vetcert. Failure To Meet The Naics Code Requirement May Result In The Rejection Of The Sf 330 Submission. Sf 330 Submissions Received After The Date And Time Specified Will Not Be Considered. Late Proposal Rules Per Far 15.208 Will Be Followed For Late Submittals. Firms Not Providing The Required Information May Not Be Evaluated. All Information Must Be Included In The Sf 330 Submission Package. It Is The Offeror's Responsibility To Check The Contract Opportunities Website At Sam.gov For Any Revisions To This Announcement Prior To Submitting Their Sf 330.
Closing Date: 10 Jan 2025
Tender Amount: Refer Documents
VETERANS AFFAIRS, DEPARTMENT OF USA Tender
Others
United States
Description: This Sources Sought Notice Is For Planning Purposes Only And Shall Not Be Considered As An Invitation For Bid, Request For Quotation, Request For Proposal, Or As An Obligation On The Part Of The Government To Acquire Any Products And/or Services. Your Response To This Sources Sought Notice Will Be Treated As Information Only. No Entitlement To Payment Of Direct Or Indirect Costs Or Charges By The Government Will Arise Because Of Contractor Submission Of Responses To This Announcement Or The Government Use Of Such Information. This Request Does Not Constitute A Solicitation For Proposals Or The Authority To Enter Negotiations To Award A Contract. No Funds Have Been Authorized, Appropriated, Or Received For This Effort.
the Information Provided May Be Used By The Department Of Veterans Affairs In Developing Its Acquisition Approach, Statement Of Work/statement Of Objectives And Performance Specifications. Interested Parties Are Responsible For Adequately Marking Proprietary Or Competition Sensitive Information Contained In Their Response. The Government Does Not Intend To Award A Contract Based On This Sources Sought Notice Or To Otherwise Pay For The Information Submitted In Response To This Sources Sought Notice.
the Submission Of Pricing, Capabilities For Planning Purposes, And Other Market Information Is Highly Encouraged And Allowed Under This Sources Sought Notice In Accordance With (iaw) Far Part 15.201(e)
the Purpose Of This Sources Sought Notice Announcement Is For Market Research To Make Appropriate Acquisition Decisions And To Gain Knowledge Of Potential Qualified Service-disabled Veteran Owned Small Businesses, Veteran Owned Small Businesses, 8(a), Hubzone And Other Small Businesses Interested And Capable Of Providing The Products And/or Services Described Below.
documentation Of Technical Expertise Must Be Presented In Sufficient Detail For The Government To Determine That Your Company Possesses The Necessary Functional Area Expertise And Experience To Compete For This Acquisition. Responses To This Notice Shall Include The Following:
(a) Company Name;
(b) Address;
(c) Point Of Contact;
(d) Phone, Fax, And Email;
(e) Uei Number;
(f) Cage Code;
(g) Tax Id Number;
(h) Type Of Small Business, E.g., Services Disabled Veteran Owned Small Business, Veteran Owned Small Business, 8(a), Hubzone, Women Owned Small Business, Small Disadvantaged Business, Or Small Business Hubzone Business, Etc
(i) State If Your Business Has An Fss Contract With Gsa, Va Nac, Nasa Sewp, Or Any Other Federal Contract, That Can Be Utilized To Procure The Requirement Listed Below And Provide The Contract Number; And
(j) Must Provide A Capability Statement That Addresses The Organization's Qualifications And Ability To Perform As A Contractor For The Work Described Below.
requirement:
the Va Heartland Network 15 Contracting Office Located At 3450 South 4th Street, Leavenworth, Ks, 66048-5055 Is Seeking A Potential Qualified Contractor To Provide Eyecon 9430 Pill Dispensing System For The Marion Va Medical Center, Located In Marion, Illinois, And The Evansville Health Care Center, Located In Evansville, Indiana. This Is A Brand Name Or Equal Requirement. Please See The Statement Of Work For More Specifics And Details. The North American Industry Classification System Code (naics Code) Is 339112 Surgical And Medical Instrument Manufacturing, Size Standard 1,000 Employees. Based On This Information, Please Indicate Whether Your Company Would Be A Large Or Small Business And Have A Socio-economic Designation As A Small Business, Vosb Or Sdvosb.
statement Of Work: Eyecon 9430
description: Provide Eyecon 9430 And Eyecon Interface Controller With Installation And One (1) Year Of Support To Be Used At The Marion, Il Va Medical Center Pharmacy And In The Evansville, In Outpatient Clinic
this Solicitation Uses A Brand Name Or Equal Description Of The Product Required. This Permits Prospective Contractors To Offer Products Other Than Those Specifically Referenced By Brand Name. All Offers Must Work With Existing Equipment That Has Already Been Purchased And Is Currently In Use At The Station.
minimum Technical Specifications:
the Eyecon 9430 Must Be Assembled Within The Manufactured Country Or Show Significant Proof Of An Internationally Recognized Quality Assurance Program.
scriptpro Is A Distributor Of The Eyecon 9430.
certificate Of Authenticity Will Need To Be Provided
the Dispensing System Must Have The Following:
safety
must Use Barcode Verification To Ensure Accuracy Of Dispensing And Must Work With Scriptpro Label Barcode
unit Must Have Means To Track Dispensed Drug Quantities And Contain Image Verification Of Quantities Dispensed.
must Come Equipped With Database Of Drug Images For Dispensing Verification.
must Include Additional Counting Platters For Penicillin And Sulfa To Avoid Cross Contamination.
workflow
must Allow For Integration With Scriptpro/vista To Verify Correct Dispensing Quantities.
must Fit In Existing Space With A Footprint Of 28 H X 11 W X 17.5 D.
must Count With A Count Accuracy Of At Least 99.9%.
verification Should Include Easy Work Flow Optics Such As Color Touch Screen.
must Include Large Counting Area Of 48 Sq Inches For Larger Quantity Verification.
information Technology
must Integrate With Current Equipment, Including Scriptpro Dispensing/filling Stations
must Interface With Current Scriptpro Equipment.
all Equipment Must Be New
description | Quantity
eyecon 9430 | 2
eyecon Interface Controller | 2
optional/value Added Features: N/a
required Interfaces: Must Interface With Current Scriptpro Equipment.
delivery Location(s):
department Of Veterans Affairs
marion Va Medical Center
2401 West Main Street
marion, Il 62959-1188
department Of Veterans Affairs
evansville Va Healthcare Center
6211 E Waterford Blvd
evansville, In 47715
records Management Obligations
applicability
this Clause Applies To All Contractors Whose Employees Create, Work With, Or Otherwise Handle Federal Records, As Defined In Section B, Regardless Of The Medium In Which The Record Exists.
definitions
federal Record As Defined In 44 U.s.c. § 3301, Includes All Recorded Information, Regardless Of Form Or Characteristics, Made Or Received By A Federal Agency Under Federal Law Or In Connection With The Transaction Of Public Business And Preserved Or Appropriate For Preservation By That Agency Or Its Legitimate Successor As Evidence Of The Organization, Functions, Policies, Decisions, Procedures, Operations, Or Other Activities Of The United States Government Or Because Of The Informational Value Of Data In Them.
the Term Federal Record:
includes [agency] Records.
does Not Include Personal Materials.
applies To Records Created, Received, Or Maintained By Contractors Pursuant To Their [agency] Contract.
may Include Deliverables And Documentation Associated With Deliverables.
requirements
contractor Shall Comply With All Applicable Records Management Laws And Regulations, As Well As National Archives And Records Administration (nara) Records Policies, Including But Not Limited To The Federal Records Act (44 U.s.c. Chs. 21, 29, 31, 33), Nara Regulations At 36 Cfr Chapter Xii Subchapter B, And Those Policies Associated With The Safeguarding Of Records Covered By The Privacy Act Of 1974 (5 U.s.c. 552a). These Policies Include The Preservation Of All Records, Regardless Of Form Or Characteristics, Mode Of Transmission, Or State Of Completion.
in Accordance With 36 Cfr 1222.32, All Data Created For Government Use And Delivered To, Or Falling Under The Legal Control Of, The Government Are Federal Records Subject To The Provisions Of 44 U.s.c. Chapters 21, 29, 31, And 33, The Freedom Of Information Act (foia) (5 U.s.c. 552), As Amended, And The Privacy Act Of 1974 (5 U.s.c. 552a), As Amended And Must Be Managed And Scheduled For Disposition Only As Permitted By Statute Or Regulation.
in Accordance With 36 Cfr 1222.32, Contractor Shall Maintain All Records Created For Government Use Or Created In The Course Of Performing The Contract And/or Delivered To, Or Under The Legal Control Of The Government And Must Be Managed In Accordance With Federal Law. Electronic Records And Associated Metadata Must Be Accompanied By Sufficient Technical Documentation To Permit Understanding And Use Of The Records And Data.
[agency] And Its Contractors Are Responsible For Preventing The Alienation Or Unauthorized Destruction Of Records, Including All Forms Of Mutilation. Records May Not Be Removed From The Legal Custody Of [agency] Or Destroyed Except For In Accordance With The Provisions Of The Agency Records Schedules And With The Written Concurrence Of The Head Of The Contracting Activity. Willful And Unlawful Destruction, Damage Or Alienation Of Federal Records Is Subject To The Fines And Penalties Imposed By 18 U.s.c. 2701. In The Event Of Any Unlawful Or Accidental Removal, Defacing, Alteration, Or Destruction Of Records, Contractor Must Report To [agency]. The Agency Must Report Promptly To Nara In Accordance With 36 Cfr 1230.
the Contractor Shall Immediately Notify The Appropriate Contracting Officer Upon Discovery Of Any Inadvertent Or Unauthorized Disclosures Of Information, Data, Documentary Materials, Records, Or Equipment. Disclosure Of Non-public Information Is Limited To Authorized Personnel With A Need-to-know As Described In The [contract Vehicle]. The Contractor Shall Ensure That The Appropriate Personnel, Administrative, Technical, And Physical Safeguards Are Established To Ensure The Security And Confidentiality Of This Information, Data, Documentary Material, Records And/or Equipment Is Properly Protected. The Contractor Shall Not Remove Material From Government Facilities Or Systems, Or Facilities Or Systems Operated Or Maintained On The Government's Behalf, Without The Express Written Permission Of The Head Of The Contracting Activity. When Information, Data, Documentary Material, Records And/or Equipment Is No Longer Required, It Shall Be Returned To [agency] Control Or The Contractor Must Hold It Until Otherwise Directed. Items Returned To The Government Shall Be Hand Carried, Mailed, Emailed, Or Securely Electronically Transmitted To The Contracting Officer Or Address Prescribed In The [contract Vehicle]. Destruction Of Records Is Expressly Prohibited Unless In Accordance With Paragraph (4).
the Contractor Is Required To Obtain The Contracting Officer's Approval Prior To Engaging In Any Contractual Relationship (sub-contractor) In Support Of This Contract Requiring The Disclosure Of Information, Documentary Material And/or Records Generated Under, Or Relating To, Contracts. The Contractor (and Any Sub-contractor) Is Required To Abide By Government And [agency] Guidance For Protecting Sensitive, Proprietary Information, Classified, And Controlled Unclassified Information.
the Contractor Shall Only Use Government It Equipment For Purposes Specifically Tied To Or Authorized By The Contract And In Accordance With [agency] Policy.
the Contractor Shall Not Create Or Maintain Any Records Containing Any Non-public [agency] Information That Are Not Specifically Tied To Or Authorized By The Contract.
the Contractor Shall Not Retain, Use, Sell, Or Disseminate Copies Of Any Deliverable That Contains Information Covered By The Privacy Act Of 1974 Or That Which Is Generally Protected From Public Disclosure By An Exemption To The Freedom Of Information Act.
the [agency] Owns The Rights To All Data And Records Produced As Part Of This Contract. All Deliverables Under The Contract Are The Property Of The U.s. Government For Which [agency] Shall Have Unlimited Rights To Use, Dispose Of, Or Disclose Such Data Contained Therein As It Determines To Be In The Public Interest. Any Contractor Rights In The Data Or Deliverables Must Be Identified As Required By Far 52.227-11 Through Far 52.227-20.
training. All Contractor Employees Assigned To This Contract Who Create, Work With, Or Otherwise Handle Records Are Required To Take [agency]-provided Records Management Training. The Contractor Is Responsible For Confirming Training Has Been Completed According To Agency Policies, Including Initial Training And Any Annual Or Refresher Training.
[note: To The Extent An Agency Requires Contractors To Complete Records Management Training, The Agency Must Provide The Training To The Contractor.]
flow Down Of Requirements To Subcontractors
the Contractor Shall Incorporate The Substance Of This Clause, Its Terms And Requirements Including This Paragraph, In All Subcontracts Under This [contract Vehicle], And Require Written Subcontractor Acknowledgment Of Same.
violation By A Subcontractor Of Any Provision Set Forth In This Clause Will Be Attributed To The Contractor.
general. This Entire Section Applies To All Acquisitions Requiring Any Information Security And Privacy Language. Contractors, Contractor Personnel, Subcontractors And Subcontractor Personnel Will Be Subject To The Same Federal Laws, Regulations, Standards, Va Directives And Handbooks, As Va Personnel Regarding Information And Information System Security And Privacy.
va Information Custodial Language. This Entire Section Applies To All Acquisitions Requiring Any Information Security And Privacy Language.
the Government Shall Receive Unlimited Rights To Data/intellectual Property First Produced And Delivered In The Performance Of This Contract Or Order (hereinafter "Contract") Unless Expressly Stated Otherwise In This Contract. This Includes All Rights To Source Code And All Documentation Created In Support Thereof. The Primary Clause Used To Define Government And Contractor Data Rights Is Far 52.227-14 Rights In Data General. The Primary Clause Used To Define Computer Software License (not Data/intellectual Property First Produced Under This Contractor Or Order) Is Far 52.227-19, Commercial Computer Software License.
information Made Available To The Contractor By Va For The Performance Or Administration Of This Contract Will Be Used Only For The Purposes Specified In The Service Agreement, Sow, Pws, Pd, And/or Contract. The Contractor Shall Not Use Va Information In Any Other Manner Without Prior Written Approval From A Va Contracting Officer (co). The Primary Clause Used To Define Government And Contractor Data Rights Is Far 52.227-14 Rights In Data General.
va Information Will Not Be Co-mingled With Any Other Data On The Contractor's Information Systems Or Media Storage Systems. The Contractor Shall Ensure Compliance With Federal And Va Requirements Related To Data Protection, Data Encryption, Physical Data Segregation, Logical Data Segregation, Classification Requirements And Media Sanitization.
va Reserves The Right To Conduct Scheduled Or Unscheduled Audits, Assessments, Or Investigations Of Contractor Information Technology (it) Resources To Ensure Information Security Is Compliant With Federal And Va Requirements. The Contractor Shall Provide All Necessary Access To Records (including Electronic And Documentary Materials Related To The Contracts And Subcontracts) And Support (including Access To Contractor And Subcontractor Staff Associated With The Contract) To Va, Va's Office Inspector General (oig), And/or Government Accountability Office (gao) Staff During Periodic Control Assessments, Audits, Or Investigations.
the Contractor May Only Use Va Information Within The Terms Of The Contract And Applicable Federal Law, Regulations, And Va Policies. If New Federal Information Security Laws, Regulations Or Va Policies Become Applicable After Execution Of The Contract, The Parties Agree To Negotiate Contract Modification And Adjustment Necessary To Implement The New Laws, Regulations, And/or Policies.
the Contractor Shall Not Make Copies Of Va Information Except As Specifically Authorized And Necessary To Perform The Terms Of The Contract. If Copies Are Made For Restoration Purposes, After The Restoration Is Complete, The Copies Shall Be Destroyed In Accordance With Va Directive 6500, Va Cybersecurity Program And Va Information Security Knowledge Service.
if A Veterans Health Administration (vha) Contract Is Terminated For Default Or Cause With A Business Associate, The Related Local Business Associate Agreement (baa) Shall Also Be Terminated And Actions Taken In Accordance With Vha Directive 1605.05, Business Associate Agreements. If There Is An Executed National Baa Associated With The Contract, Va Will Determine What Actions Are Appropriate And Notify The Contractor.
the Contractor Shall Store And Transmit Va Sensitive Information In An Encrypted Form, Using Va-approved Encryption Tools Which Are, At A Minimum, Federal Information Processing Standards (fips) 140-2, Security Requirements For Cryptographic Modules (or Its Successor) Validated And In Conformance With Va Information Security Knowledge Service Requirements. The Contractor Shall Transmit Va Sensitive Information Using Va Approved Transport Layer Security (tls) Configured With Fips Based Cipher Suites In Conformance With National Institute Of Standards And Technology (nist) 800-52, Guidelines For The Selection, Configuration And Use Of Transport Layer Security (tls) Implementations.
the Contractor's Firewall And Web Services Security Controls, As Applicable, Shall Meet Or Exceed Va's Minimum Requirements.
except For Uses And Disclosures Of Va Information Authorized By This Contract For Performance Of The Contract, The Contractor May Use And Disclose Va Information Only In Two Situations: (i) In Response To A Qualifying Order Of A Court Of Competent Jurisdiction After Notification To Va Co (ii) With Written Approval From The Va Co. The Contractor Shall Refer All Requests For, Demands For Production Of Or Inquiries About, Va Information And Information Systems To The Va Co For Response.
notwithstanding The Provision Above, The Contractor Shall Not Release Va Records Protected By Title 38 U.s.c. § 5705, Confidentiality Of Medical Quality-assurance Records And/or Title 38 U.s.c. § 7332, Confidentiality Of Certain Medical Records Pertaining To Drug Addiction, Sickle Cell Anemia, Alcoholism Or Alcohol Abuse Or Infection With Human Immunodeficiency Virus (hiv). If The Contractor Is In Receipt Of A Court Order Or Other Requests For The Above-mentioned Information, The Contractor Shall Immediately Refer Such Court Order Or Other Requests To The Va Co For Response.
information Made Available To The Contractor By Va For The Performance Or Administration Of This Contract Or Information Developed By The Contractor In Performance Or Administration Of The Contract Will Be Protected And Secured In Accordance With Va Directive 6500 And Identity And Access Management (iam) Security Processes Specified In The Va Information Security Knowledge Service.
any Data Destruction Done On Behalf Of Va By A Contractor Shall Be Done In Accordance With National Archives And Records Administration (nara) Requirements As Outlined In Va Directive 6300, Records And Information Management, Va Handbook 6300.1, Records Management Procedures, And Applicable Va Records Control Schedules.
the Contractor Shall Provide Its Plan For Destruction Of All Va Data In Its Possession According To Va Directive 6500 And Nist 800-88, Guidelines For Media Sanitization Prior To Termination Or Completion Of This Contract. If Directed By The Cor/co, The Contractor Shall Return All Federal Records To Va For Disposition.
any Media, Such As Paper, Magnetic Tape, Magnetic Disks, Solid State Devices Or Optical Discs That Is Used To Store, Process, Or Access Va Information That Cannot Be Destroyed Shall Be Returned To Va. The Contractor Shall Hold The Appropriate Material Until Otherwise Directed By The Contracting Officer's Representative (cor) Or Co. Items Shall Be Returned Securely Via Va-approved Methods. Va Sensitive Information Must Be Transmitted Utilizing Va-approved Encryption Tools Which Are Validated Under Fips 140-2 (or Its Successor) And Nist 800-52. If Mailed, The Contractor Shall Send Via A Trackable Method (usps, Ups, Fedex, Etc.) And Immediately Provide The Cor/co With The Tracking Information. Self-certification By The Contractor That The Data Destruction Requirements Above Have Been Met Shall Be Sent To The Cor/co Within 30 Business Days Of Termination Of The Contract.
all Electronic Storage Media (hard Drives, Optical Disks, Cds, Back-up Tapes, Etc.) Used To Store, Process Or Access Va Information Will Not Be Returned To The Contractor At The End Of Lease, Loan, Or Trade-in. Exceptions To This Paragraph Will Only Be Granted With The Written Approval Of The Va Co.
access To Va Information And Va Information Systems. This Section Applies When Any Person Requires Access To Information Made Available To The Contractor By Va For The Performance Or Administration Of This Contract Or Information Developed By The Contractor In Performance Or Administration Of The Contract.
a Contractor/subcontractor Shall Request Logical (technical) Or Physical Access To Va Information And Va Information Systems For Their Employees And Subcontractors Only To The Extent Necessary To Perform The Services Specified In The Solicitation Or Contract. This Includes Indirect Entities, Both Affiliate Of Contractor/subcontractor And Agent Of Contractor/subcontractor.
contractors And Subcontractors Shall Sign The Va Information Security Rule Of Behavior (rob) Before Access Is Provided To Va Information And Information Systems (see Section 4, Training, Below). The Rob Contains The Minimum User Compliance Requirements And Does Not Supersede Any Policies Of Va Facilities Or Other Agency Components Which Provide Higher Levels Of Protection To Va's Information Or Information Systems. Users Who Require Privileged Access Shall Complete The Va Elevated Privilege Access Request Processes Before Privileged Access Is Granted.
all Contractors And Subcontractors Working With Va Information Are Subject To The Same Security Investigative And Clearance Requirements As Those Of Va Appointees Or Employees Who Have Access To The Same Types Of Information, At No Cost To Scriptpro. The Level And Process Of Background Security Investigations For Contractors Shall Be In Accordance With Va Directive And Handbook 0710, Personnel Suitability And Security Program. The Office Of Human Resources And Administration/operations, Security And Preparedness (hra/osp) Is Responsible For These Policies And Procedures. Contract Personnel Who Require Access To Classified Information Or Information Systems Shall Have An Appropriate Security Clearance. Verification Of A Security Clearance Shall Be Processed Through The Special Security Officer Located In Hra/osp. Contractors Shall Conform To All Requirements Stated In The National Industrial Security Program Operating Manual (nispom).
all Contractors And Subcontractors Shall Comply With Conditions Specified In Vaar 852.204-71(d); Contractor Operations Required To Be In United States. All Contractors And Subcontractors Working With Va Information Must Be Permanently Located Within A Jurisdiction Subject To The Law Of The United States Or Its Territories To The Maximum Extent Feasible. If Services Are Proposed To Be Performed Abroad The Contractor Must State Where All Non-u.s. Services Are Provided. The Contractor Shall Deliver To Va A Detailed Plan Specifically Addressing Communications, Personnel Control, Data Protection And Potential Legal Issues. The Plan Shall Be Approved By The Cor/co In Writing Prior To Access Being Granted.
the Contractor Shall Notify The Cor/co In Writing Immediately (no Later Than 24 Hours) After Personnel Separation Or Occurrence Of Other Causes. Causes May Include The Following:
contractor/subcontractor Personnel No Longer Has A Need For Access To Va Information Or Va Information Systems.
contractor/subcontractor Personnel Are Terminated, Suspended, Or Otherwise Has Their Work On A Va Project Discontinued For Any Reason.
contractor Believes Their Own Personnel Or Subcontractor Personnel May Pose A Threat To Their Company's Working Environment Or To Any Company-owned Property. This Includes Contractor-owned Assets, Buildings, Confidential Data, Customers, Employees, Networks, Systems, Trade Secrets And/or Va Data.
any Previously Undisclosed Changes To Contractor/subcontractor Background History Are Brought To Light, Including But Not Limited To Changes To Background Investigation Or Employee Record.
contractor/subcontractor Personnel Have Their Authorization To Work In The United States Revoked.
agreement By Which Contractor Provides Products And Services To Va Has Either Been Fulfilled Or Terminated, Such That Va Can Cut Off Electronic And/or Physical Access For Contractor Personnel.
in Such Cases Of Contract Fulfillment, Termination, Or Other Causes; The Contractor Shall Take The Necessary Measures To Immediately Revoke Access To Va Network, Property, Information, And Information Systems (logical And Physical) By Contractor/subcontractor Personnel. These Measures Include (but Are Not Limited To): Removing And Then Securing Personal Identity Verification (piv) Badges And Piv Interoperable (piv-i) Access Badges, Va-issued Photo Badges, Credentials For Va Facilities And Devices, Va-issued Laptops, And Authentication Tokens. Contractors Shall Notify The Appropriate Va Cor/co Immediately To Initiate Access Removal.
contractors/subcontractors Who No Longer Require Va Accesses Will Return Va-issued Property To Va. This Property Includes (but Is Not Limited To): Documents, Electronic Equipment, Keys, And Parking Passes. Piv And Piv-i Access Badges Shall Be Returned To The Nearest Va Piv Badge Issuance Office. Once They Have Had Access To Va Information, Information Systems, Networks And Va Property In Their Possessions Removed, Contractors Shall Notify The Appropriate Va Cor/co.
training. This Entire Section Applies To All Acquisitions Which Include Section 3.
all Contractors And Subcontractors Requiring Access To Va Information And Va Information Systems Shall Successfully Complete The Following Before Being Granted Access To Va Information And Its Systems:
va Privacy And Information Security Awareness And Rules Of Behavior Course (talent Management System (tms) #10176) Initially And Annually Thereafter.
sign And Acknowledge (electronically Through Tms #10176) Understanding Of And Responsibilities For Compliance With The Organizational Rules Of Behavior, Relating To Access To Va Information And Information Systems Initially And Annually Thereafter; And
successfully Complete Any Additional Cyber Security Or Privacy Training, As Required For Va Personnel With Equivalent Information System Or Information Access [to Be Defined By The Va Program Official And Provided To The Va Co For Inclusion In The Solicitation Document I.e., Any Role-based Information Security Training].
the Contractor Shall Provide To The Cor/co A Copy Of The Training Certificates And Certification Of Signing The Organizational Rules Of Behavior For Each Applicable Employee Within Five Days Of The Initiation Of The Contract And Annually Thereafter, As Required.
failure To Complete The Mandatory Annual Training Is Grounds For Suspension Or Termination Of All Physical Or Electronic Access Privileges And Removal From Work On The Contract Until Such Time As The Required Training Is Complete.
security Incident Investigation. This Entire Section Applies To All Acquisitions Requiring Any Information Security And Privacy Language.
the Contractor, Subcontractor, Their Employees, Or Business Associates Shall Immediately (within One Hour) Report Suspected Security / Privacy Incidents To The Va Oit's Enterprise Service Desk (esd) By Calling (855) 673-4357 (tty: 711). The Esd Is Oit's 24/7/365 Single Point Of Contact For It-related Issues. After Reporting To The Esd, The Contractor, Subcontractor, Their Employees, Or Business Associates Shall, Within One Hour, Provide The Cor/co The Incident Number Received From The Esd.
to The Extent Known By The Contractor/subcontractor, The Contractor/subcontractor's Notice To Va Shall Identify The Information Involved And The Circumstances Surrounding The Incident, Including The Following:
the Date And Time (or Approximation Of) The Security Incident Occurred.
the Names Of Individuals Involved (when Applicable).
the Physical And Logical (if Applicable) Location Of The Incident.
why The Security Incident Took Place (i.e., Catalyst For The Failure).
the Amount Of Data Belonging To Va Believed To Have Been Compromised.
the Remediation Measures The Contractor Is Taking To Ensure No Future Incidents Of A Similar Nature.
after The Contractor Has Provided The Initial Detailed Incident Summary To Va, They Will Continue To Provide Written Updates On Any New And Relevant Circumstances Or Facts They Discover. The Contractor, Subcontractor, And Their Employees Shall Fully Cooperate With Va Or Third-party Entity Performing An Independent Risk Analysis On Behalf Of Va. Failure To Cooperate May Be Deemed A Material Breach And Grounds For Contract Termination.
va It Contractors Shall Follow Va Handbook 6500, Risk Management Framework For Va Information Systems Va Information Security Program, And Va Information Security Knowledge Service Guidance For Implementing An Incident Response Plan Or Integrating With An Existing Va Implementation.
in Instances Of Theft Or Break-in Or Other Criminal Activity, The Contractor/subcontractor Must Concurrently Report The Incident To The Appropriate Law Enforcement Entity (or Entities) Of Jurisdiction, Including The Va Oig, And The Va Office Of Security And Law Enforcement. The Contractor, Its Employees, And Its Subcontractors And Their Employees Shall Cooperate With Va And Any Law Enforcement Authority Responsible For The Investigation And Prosecution Of Any Possible Criminal Law Violation(s) Associated With Any Incident. The Contractor/subcontractor Shall Cooperate With Va In Any Civil Litigation To Recover Va Information, Obtain Monetary Or Other Compensation From A Third Party For Damages Arising From Any Incident, Or Obtain Injunctive Relief Against Any Third Party Arising From, Or Related To, The Incident.
the Contractor Shall Comply With Va Handbook 6500.2, Management Of Breaches Involving Sensitive Personal Information, Which Establishes The Breach Management Policies And Assigns Responsibilities For The Oversight, Management And Reporting Procedures Associated With Managing Of Breaches.
with Respect To Unsecured Protected Health Information (phi), The Contractor Is Deemed To Have Discovered A Data Breach When The Contractor Knew Or Should Have Known Of Breach Of Such Information. When A Business Associate Is Part Of Vha Contract, Notification To The Covered Entity (vha) Shall Be Made In Accordance With The Executed Baa.
if The Contractor Or Any Of Its Agents Fails To Protect Va Sensitive Personal Information Or Otherwise Engages In Conduct Which Results In A Data Breach Involving Any Va Sensitive Personal Information The Contractor/subcontractor Processes Or Maintains Under The Contract; The Contractor Shall Pay Liquidated Damages To The Va As Set Forth In Clause 852.211-76, Liquidated Damages Reimbursement For Data Breach Costs.
information System Design And Development. This Entire Section Applies To Information Systems, Systems, Major Applications, Minor Applications, Enclaves, And Platform Information Technologies (to Include The Subcomponents Of Each) Designed Or Developed For Or On Behalf Of Va By Any Non-va Entity.
information Systems Designed Or Developed On Behalf Of Va At Non-va Facilities Shall Comply With All Applicable Federal Law, Regulations, And Va Policies. This Includes Standards For The Protection Of Electronic Protected Health Information (phi), Outlined In 45 C.f.r. Part 164, Subpart C And Information And System Security Categorization Level Designations In Accordance With Fips 199, Standards For Security Categorization Of Federal Information And Information Systems And Fips 200, Minimum Security Requirements For Federal Information Systems. Baseline Security Controls Shall Be Implemented Commensurate With The Fips 199 System Security Categorization (reference Va Handbook 6500 And Va Trusted Internet Connections (tic) Architecture).
contracted New Developments Require Creation, Testing, Evaluation, And Authorization In Compliance With Va Assessment And Authorization (a&a) Processes In Va Handbook 6500 And Va Information Security Knowledge Service To Obtain An Authority To Operate (ato). Va Directive 6517, Risk Management Framework For Cloud Computing Services, Provides The Security And Privacy Requirements For Cloud Environments.
va It Contractors, Subcontractors And Third-party Service Providers Shall Address And/or Integrate Applicable Va Handbook 6500, Va Handbook 6517, Risk Management Framework For Cloud Computing Services And Information Security Knowledge Service Specifications In Delivered It Systems/solutions, Products And/or Services. If Systems/solutions, Products And/or Services Do Not Directly Match Va Security Requirements, The Contractor Shall Work Through The Cor/co To Identify The Va Organization Responsible For Governance Or Resolution. Contractors Shall Comply With Far 39.1, Specifically The Prohibitions Referenced.
the Contractor (including Producers And Resellers) Shall Comply With Office Of Management And Budget (omb) M-22-18 And M-23-16 When Using Third-party Software On Va Information Systems Or Otherwise Affecting The Va Information. This Includes New Software Purchases And Software Renewals For Software Developed Or Modified By Major Version Change After The Issuance Date Of M-22-18 (september 14, 2022). The Term Software Includes Firmware, Operating Systems, Applications And Application Services (e.g., Cloud-based Software), As Well As Products Containing Software. The Contractor Shall Provide A Self-attestation That Secure Software Development Practices Are Utilized As Outlined By Executive Order (eo) 14028 And Nist Guidance. A Third-party Assessment Provided By Either A Certified Federal Risk And Authorization Management Program (fedramp) Third Party Assessor Organization (3pao) Or One Approved By The Agency Will Be Acceptable In Lieu Of A Software Producer's Self-attestation.
the Contractor Shall Ensure All Delivered Applications, Systems And Information Systems Are Compliant With Homeland Security Presidential Directive (hspd) 12 And Va Identity And Access Management (iam) Enterprise Identity Management Requirements As Set Forth In Omb M-19-17, M-05-24, Fips 201-3, Personal Identity Verification (piv) Of Federal Employees And Contractors (or Its Successor), M-21-31 And Supporting Nist Guidance. This Applies To Commercial Off-the-shelf (cots) Product(s) That The Contractor Did Not Develop, All Software Configurations And All Customizations.
the Contractor Shall Ensure All Contractor Delivered Applications And Systems Provide User Authentication Services Compliant With Va Handbook 6500, Va Information Security Knowledge Service, Iam Enterprise Requirements And Nist 800-63, Digital Identity Guidelines, For Direct, Assertion-based Authentication And/or Trust-based Authentication, As Determined By The Design And Integration Patterns. Direct Authentication At A Minimum Must Include Public Key Infrastructure (pki) Based Authentication Supportive Of Piv And/or Common Access Card (cac), As Determined By The Business Need And Compliance With Va Information Security Knowledge Service Specifications.
the Contractor Shall Use Va Authorized Technical Security Baseline Configurations And Certify To The Cor That Applications Are Fully Functional And Operate Correctly As Intended On Systems In Compliance With Va Baselines Prior To Acceptance Or Connection Into An Authorized Va Computing Environment. If The Defense Information Systems Agency (disa) Has Created A Security Technical Implementation Guide (stig) For The Technology, The Contractor May Configure To Comply With That Stig. If Va Determines A New Or Updated Va Configuration Baseline Needs To Be Created, The Contractor Shall Provide Required Technical Support To Develop The Configuration Settings. Far 39.1 Requires The Population Of Operating Systems And Applications Includes All Listed On The Nist National Checklist Program Checklist Repository.
the Standard Installation, Operation, Maintenance, Updating And Patching Of Software Shall Not Alter The Configuration Settings From Va Approved Baseline Configuration. Software Developed For Va Must Be Compatible With Va Enterprise Installer Services And Install To The Default Program Files Directory With Silently Install And Uninstall. The Contractor Shall Perform Testing Of All Updates And Patching Prior To Implementation On Va Systems.
applications Designed For Normal End Users Will Run In The Standard User Context Without Elevated System Administration Privileges.
the Contractor-delivered Solutions Shall Reside On Va Approved Operating Systems. Exceptions To This Will Only Be Granted With The Written Approval Of The Cor/co.
the Contractor Shall Design, Develop, And Implement Security And Privacy Controls In Accordance With The Provisions Of Va Security System Development Life Cycle Outlined In Nist 800-37, Risk Management Framework For Information Systems And Organizations: A System Life Cycle Approach For Security And Privacy, Va Directive And Handbook 6500, And Va Handbook 6517.
the Contractor Shall Comply With The Privacy Act Of 1974 (the Act), Far 52.224-2 Privacy Act, And Va Rules And Regulations Issued Under The Act In The Design, Development, Or Operation Of Any System Of Records On Individuals To Accomplish A Va Function.
the Contractor Shall Ensure The Security Of All Procured Or Developed Information Systems, Systems, Major Applications, Minor Applications, Enclaves And Platform Information Technologies, Including Their Subcomponents (hereinafter Referred To As "Information Systems") Throughout The Life Of This Contract And Any Extension, Warranty, Or Maintenance Periods. This Includes Security Configurations, Workarounds, Patches, Hotfixes, Upgrades, Replacements And Any Physical Components Which May Be Necessary To Remediate All Security Vulnerabilities Published Or Known To The Contractor Anywhere In The Information Systems (including Systems, Operating Systems, Products, Hardware, Software, Applications And Firmware). The Contractor Shall Ensure Security Fixes Do Not Negatively Impact The Information Systems.
when The Contractor Is Responsible For Operations Or Maintenance Of The Systems, The Contractor Shall Apply The Security Fixes Within The Timeframe Specified By The Associated Controls On The Va Information Security Knowledge Service. When Security Fixes Involve Installing Third Party Patches (such As Microsoft Os Patches Or Adobe Acrobat), The Contractor Shall Provide Written Notice To The Va Cor/co That The Patch Has Been Validated As To Not Affecting The Systems Within 10 Business Days.
information System Hosting, Operation, Maintenance Or Use.
this Entire Section Applies To Information Systems, Systems, Major Applications, Minor Applications, Enclaves, And Platform Information Technologies (cloud And Non-cloud) Hosted, Operated, Maintained, Or Used On Behalf Of Va At Non-va Facilities.
the Contractor Shall Comply With All Federal Laws, Regulations, And Va Policies For Information Systems (cloud And Non-cloud) That Are Hosted, Operated, Maintained, Or Used On Behalf Of Va At Non-va Facilities. Security Controls For Collecting, Processing, Transmitting, And Storing Of Va Sensitive Information, Must Be In Place. The Controls Will Be Tested By Va Or A Va Sanctioned 3pao And Approved By Va Prior To Hosting, Operation, Maintenance Or Use Of The Information System Or Systems By Or On Behalf Of Va. This Includes Conducting Compliance Risk Assessments, Security Architecture Analysis, Routine Vulnerability Scanning, System Patching, Change Management Procedures And The Completion Of An Acceptable Contingency Plan For Each System. The Contractor's Security Control Procedures Shall Be The Same As Procedures Used To Secure Va-operated Information Systems.
outsourcing (contractor Facility, Equipment, Or Staff) Of Systems Or Network Operations, Telecommunications Services Or Other Managed Services Require Assessment And Authorization (a&a) Of The Contractor's Systems In Accordance With Va Handbook 6500 As Specified In Va Information Security Knowledge Service. Major Changes To The A&a Package May Require Reviewing And Updating All The Documentation Associated With The Change. The Contractor's Cloud Computing Systems Shall Comply With Fedramp And Va Directive 6517 Requirements.
the Contractor Shall Return All Electronic Storage Media (hard Drives, Optical Disks, Cds, Back-up Tapes, Etc.) On Non-va Leased Or Non-va Owned It Equipment Used To Store, Process Or Access Va Information To Va In Accordance With A&a Package Requirements. This Applies When The Contract Is Terminated Or Completed And Prior To Disposal Of Media. The Contractor Shall Provide Its Plan For Destruction Of All Va Data In Its Possession According To Va Information Security Knowledge Service Requirements And Nist 800-88. The Contractor Shall Send A Self-certification That The Data Destruction Requirements Above Have Been Met To The Cor/co Within 30 Business Days Of Termination Of The Contract.
all External Internet Connections To Va Network Involving Va Information Must Be In Accordance With Va Trusted Internet Connection (tic) Reference Architecture And Va Directive And Handbook 6513, Secure External Connections And Reviewed And Approved By Va Prior To Implementation. Government-owned Contractor-operated Systems, Third Party Or Business Partner Networks Require A Memorandum Of Understanding (mou) And Interconnection Security Agreements (isa).
contractor Procedures Shall Be Subject To Periodic, Announced, Or Unannounced Assessments By Va Officials, The Oig Or A 3pao. The Physical Security Aspects Associated With Contractor Activities Are Also Subject To Such Assessments. The Contractor Shall Report, In Writing, Any Deficiencies Noted During The Above Assessment To The Va Cor/co. The Contractor Shall Use Va's Defined Processes To Document Planned Remedial Actions That Address Identified Deficiencies In Information Security Policies, Procedures, And Practices. The Contractor Shall Correct Security Deficiencies Within The Timeframes Specified In The Va Information Security Knowledge Service.
all Major Information System Changes Which Occur In The Production Environment Shall Be Reviewed By The Va To Determine The Impact On Privacy And Security Of The System. Based On The Review Results, Updates To The Authority To Operate (ato) Documentation And Parameters May Be Required To Remain In Compliance With Va Handbook 6500 And Va Information Security Knowledge Service Requirements.
the Contractor Shall Conduct An Annual Privacy And Security Self-assessment On All Information Systems And Outsourced Services As Required. Copies Of The Assessment Shall Be Provided To The Cor/co. The Va/government Reserves The Right To Conduct Assessment Using Government Personnel Or A Third-party If Deemed Necessary. The Contractor Shall Correct Or Mitigate Any Weaknesses Discovered During The Assessment.
va Prohibits The Installation And Use Of Personally Owned Or Contractor-owned Equipment Or Software On Va Information Systems. If Non-va Owned Equipment Must Be Used To Fulfill The Requirements Of A Contract, It Must Be Stated In The Service Agreement, Sow, Pws, Pd Or Contract. All Security Controls Required For Government Furnished Equipment Must Be Utilized In Va Approved Other Equipment (oe). Configuration Changes To The Contractor Oe, Must Be Funded By The Owner Of The Equipment. All Remote Systems Must Use A Va-approved Antivirus Software And A Personal (host-based Or Enclave Based) Firewall With A Va-approved Configuration. The Contractor Shall Ensure Software On Oe Is Kept Current With All Critical Updates And Patches. Owners Of Approved Oe Are Responsible For Providing And Maintaining The Anti-virus Software And The Firewall On The Non-va Owned Oe. Approved Contractor Oe Will Be Subject To Technical Inspection At Any Time.
the Contractor Shall Notify The Cor/co Within One Hour Of Disclosure Or Successful Exploits Of Any Vulnerability Which Can Compromise The Confidentiality, Integrity, Or Availability Of The Information Systems. The System Or Affected Component(s) Need(s) To Be Isolated From The Network. A Forensic Analysis Needs To Be Conducted Jointly With Va. Such Issues Will Be Remediated As Quickly As Practicable, But In No Event Longer Than The Timeframe Specified By Va Information Security Knowledge Service. If Sensitive Personal Information Is Compromised Reference Va Handbook 6500.2 And Section 5, Security Incident Investigation.
for Cases Wherein The Contractor Discovers Material Defects Or Vulnerabilities Impacting Products And Services They Provide To Va, The Contractor Shall Develop And Implement Policies And Procedures For Disclosure To Va, As Well As Remediation. The Contractor Shall, Within 30 Business Days Of Discovery, Document A Summary Of These Vulnerabilities Or Defects. The Documentation Will Include A Description Of The Potential Impact Of Each Vulnerability And Material Defect, Compensating Security Controls, Mitigations, Recommended Corrective Actions, Root Cause Analysis And/or Workarounds (i.e., Monitoring). Should There Exist Any Backdoors In The Products Or Services They Provide To Va (referring To Methods For Bypassing Computer Authentication), The Contractor Shall Provide The Va Co/co Written Assurance They Have Permanently Remediated These Backdoors.
all Other Vulnerabilities, Including Those Discovered Through Routine Scans Or Other Assessments, Will Be Remediated Based On Risk, In Accordance With The Remediation Timelines Specified By The Va Information Security Knowledge Service And/or The Applicable Timeframe Mandated By Cybersecurity & Infrastructure Security Agency (cisa) Binding Operational Directive (bod) 22-01 And Bod 19-02 For Internet-accessible Systems. Exceptions To This Paragraph Will Only Be Granted With The Approval Of The Cor/co.
security And Privacy Controls Compliance Testing, Assessment And Auditing. This Entire Section Applies Whenever Section 6 Or 7 Is Included.
should Va Request It, The Contractor Shall Provide A Copy Of Their (corporation's, Sole Proprietorship's, Partnership's, Limited Liability Company (llc), Or Other Business Structure Entity's) Policies, Procedures, Evidence And Independent Report Summaries Related To Specified Cybersecurity Frameworks (international Organization For Standardization (iso), Nist Cybersecurity Framework (csf), Etc.). Va Or Its Third-party/partner Designee (if Applicable) Are Further Entitled To Perform Their Own Audits And Security/penetration Tests Of The Contractor's It Or Systems And Controls, To Ascertain Whether The Contractor Is Complying With The Information Security, Network Or System Requirements Mandated In The Agreement Between Va And The Contractor.
any Audits Or Tests Of The Contractor Or Third-party Designees/partner Va Elects To Carry Out Will Commence Within 30 Business Days Of Va Notification. Such Audits, Tests And Assessments May Include The Following: (a): Security/penetration Tests Which Both Sides Agree Will Not Unduly Impact Contractor Operations; (b): Interviews With Pertinent Stakeholders And Practitioners; (c): Document Review; And (d): Technical Inspections Of Networks And Systems The Contractor Uses To Destroy, Maintain, Receive, Retain, Or Use Va Information.
as Part Of These Audits, Tests And Assessments, The Contractor Shall Provide All Information Requested By Va. This Information Includes, But Is Not Limited To, The Following: Equipment Lists, Network Or Infrastructure Diagrams, Relevant Policy Documents, System Logs Or Details On Information Systems Accessing, Transporting, Or Processing Va Data.
the Contractor And At Its Own Expense, Shall Comply With Any Recommendations Resulting From Va Audits, Inspections And Tests. Va Further Retains The Right To View Any Related Security Reports The Contractor Has Generated As Part Of Its Own Security Assessment. The Contractor Shall Also Notify Va Of The Existence Of Any Such Security Reports Or Other Related Assessments, Upon Completion And Validation.
va Appointed Auditors Or Other Government Agency Partners May Be Granted Access To Such Documentation On A Need-to-know Basis And Coordinated Through The Cor/co. The Contractor Shall Comply With Recommendations Which Result From These Regulatory Assessments On The Part Of Va Regulators And Associated Government Agency Partners.
product Integrity, Authenticity, Provenance, Anti-counterfeit And Anti-tampering. This Entire Section Applies When The Acquisition Involves Any Product (application, Hardware, Or Software) Or When Section 6 Or 7 Is Included.
the Contractor Shall Comply With Code Of Federal Regulations (cfr) Title 15 Part 7, "Securing The Information And Communications Technology And Services (icts) Supply Chain", Which Prohibits Icts Transactions From Foreign Adversaries. Icts Transactions Are Defined As Any Acquisition, Importation, Transfer, Installation, Dealing In Or Use Of Any Information And Communications Technology Or Service, Including Ongoing Activities, Such As Managed Services, Data Transmission, Software Updates, Repairs Or The Platforming Or Data Hosting Of Applications For Consumer Download.
when Contracting Terms Require The Contractor To Procure Equipment, The Contractor Shall Purchase Or Acquire The Equipment From An Original Equipment Manufacturer (oem) Or An Authorized Reseller Of The Oem. The Contractor Shall Attest That Equipment Procured From An Oem Or Authorized Reseller Or Distributor Are Authentic. If Procurement Is Unavailable From An Oem Or Authorized Reseller, The Contractor Shall Submit In Writing, Details Of The Circumstances Prohibiting This From Happening And Procure A Product Waiver From The Va Cor/co.
all Contractors Shall Establish, Implement, And Provide Documentation For Risk Management Practices For Supply Chain Delivery Of Hardware, Software (to Include Patches) And Firmware Provided Under This Agreement. Documentation Will Include Chain Of Custody Practices, Inventory Management Program, Information Protection Practices, Integrity Management Program For Sub-supplier Provided Components, And Replacement Parts Requests. The Contractor Shall Make Spare Parts Available. All Contractor(s) Shall Specify How Digital Delivery For Procured Products, Including Patches, Will Be Validated And Monitored To Ensure Consistent Delivery. The Contractor Shall Apply Encryption Technology To Protect Procured Products Throughout The Delivery Process.
if A Contractor Provides Software Or Patches To Va, The Contractor Shall Publish Or Provide A Hash Conforming To The Fips Security Requirements For Cryptographic Modules (fips 140-2 Or Successor).
the Contractor Shall Provide A Software Bill Of Materials (sbom) For Procured (to Include Licensed Products) And Consist Of A List Of Components And Associated Metadata Which Make Up The Product. Sboms Must Be Generated In One Of The Data Formats Defined In The National Telecommunications And Information Administration (ntia) Report The Minimum Elements For A Software Bill Of Materials (sbom).
contractors Shall Use Or Arrange For The Use Of Trusted Channels To Ship Procured Products, Such As U.s. Registered Mail And/or Tamper-evident Packaging For Physical Deliveries.
throughout The Delivery Process, The Contractor Shall Demonstrate A Capability For Detecting Unauthorized Access (tampering).
the Contractor Shall Demonstrate Chain-of-custody Documentation For Procured Products And Require Tamper-evident Packaging For The Delivery Of This Hardware.
viruses, Firmware And Malware. This Entire Section Applies When The Acquisition Involves Any Product (application, Hardware, Or Software) Or When Section 6 Or 7 Is Included.
the Contractor Shall Execute Due Diligence To Ensure All Provided Software And Patches, Including Third-party Patches, Are Free Of Viruses And/or Malware Before Releasing Them To Or Installing Them On Va Information Systems.
the Contractor Warrants It Has No Knowledge Of And Did Not Insert, Any Malicious Virus And/or Malware Code Into Any Software Or Patches Provided To Va Which Could Potentially Harm Or Disrupt Va Information Systems. The Contractor Shall Use Due Diligence, If Supplying Third-party Software Or Patches, To Ensure The Third-party Has Not Inserted Any Malicious Code And/or Virus Which Could Damage Or Disrupt Va Information Systems.
the Contractor Shall Provide Or Arrange For The Provision Of Technical Justification As To Why Any False Positive Hit Has Taken Place To Ensure Their Code's Supply Chain Has Not Been Compromised. Justification May Be Required, But Is Not Limited To, When Install Files, Scripts, Firmware, Or Other Contractor-delivered Software Solutions (including Third-party Install Files, Scripts, Firmware, Or Other Software) Are Flagged As Malicious, Infected, Or Suspicious By An Anti-virus Vendor.
the Contractor Shall Not Upload (intentionally Or Negligently) Any Virus, Worm, Malware Or Any Harmful Or Malicious Content, Component And/or Corrupted Data/source Code (hereinafter "Virus Or Other Malware") Onto Va Computer And Information Systems And/or Networks. If Introduced (and This Clause Is Violated), Upon Written Request From The Va Co, The Contractor Shall:
take All Necessary Action To Correct The Incident, To Include Any And All Assistance To Va To Eliminate The Virus Or Other Malware Throughout Va's Information Networks, Computer Systems And Information Systems; And
use Commercially Reasonable Efforts To Restore Operational Efficiency And Remediate Damages Due To Data Loss Or Data Integrity Damage, If The Virus Or Other Malware Causes A Loss Of Operational Efficiency, Data Loss, Or Damage To Data Integrity.
cryptographic Requirement. This Entire Section Applies Whenever The Acquisition Includes Section 6 Or 7 Is Included.
the Contractor Shall Document How The Cryptographic System Supporting The Contractor's Products And/or Services Protect The Confidentiality, Data Integrity, Authentication And Non-repudiation Of Devices And Data Flows In The Underlying System.
the Contractor Shall Use Only Approved Cryptographic Methods As Defined In Fips 140-2 (or Its Successor) And Nist 800-52 Standards When Enabling Encryption On Its Products.
the Contractor Shall Provide Or Arrange For The Provision Of An Automated Remote Key-establishment Method Which Protects The Confidentiality And Integrity Of The Cryptographic Keys.
the Contractor Shall Ensure Emergency Re-keying Of All Devices Can Be Remotely Performed Within 30 Business Days.
the Contractor Shall Provide Or Arrange For The Provision Of A Method For Updating Cryptographic Primitives Or Algorithms.
patching Governance. This Entire Section Applies Whenever The Acquisition Includes Section 7 Is Included
the Contractor Shall Provide Documentation Detailing The Patch Management, Vulnerability Management, Mitigation And Update Processes (to Include Third-party) Prior To The Connection Of Electronic Devices, Assets Or Equipment To Va's Assets. This Documentation Will Include Information Regarding The Following:
the Resources And Technical Capabilities To Sustain The Program Or Process (e.g., How The Integrity Of A Patch Is Validated By Va); And
the Approach And Capability To Remediate Newly Reported Zero-day Vulnerabilities For Contractor Products.
the Contractor Shall Verify And Provide Documentation All Procured Products (including Third-party Applications, Hardware, Software, Operating Systems, And Firmware) Have Appropriate Updates And Patches Installed Prior To Delivery To Va.
the Contractor Shall Provide Or Arrange The Provision Of Appropriate Software And Firmware Updates To Remediate Newly Discovered Vulnerabilities Or Weaknesses For Their Products And Services Within 30 Days Of Discovery. Updates To Remediate Critical Or Emergent Vulnerabilities Will Be Provided Within Seven Business Days Of Discovery. If Updates Cannot Be Made Available By Contractor Within These Time Periods, The Contractor Shall Submit Mitigations, Methods Of Exploit Detection And/or Workarounds To The Cor/co Prior To The Above Deadlines.
the Contractor Shall Provide Or Arrange For The Provision Of Appropriate Hardware, Software And/or Firmware Updates, When Those Products, Including Open-source Software, Are Provided To The Va, To Remediate Newly Discovered Vulnerabilities Or Weaknesses. Remediations Of Products Or Services Provided To The Va's System Environment Must Be Provided Within 30 Business Days Of Availability From The Original Supplier And/or Patching Source. Updates To Remediate Critical Vulnerabilities Applicable To The Contractor's Use Of The Third-party Product In Its System Environment Will Be Provided Within Seven Business Days Of Availability From The Original Supplier And/or Patching Source. If Applicable Third-party Updates Cannot Be Integrated, Tested And Made Available By Contractor Within These Time Periods, Mitigations And/or Workarounds Will Be Provided To The Cor/co Before The Above Deadlines.
specialized Devices/systems (medical Devices, Special Purpose Systems, Research Scientific Computing). This Entire Section Applies When The Acquisition Includes One Or More Medical Device, Special Purpose System Or Research Scientific Computing Device. If Appropriate, Ensure Selected Clauses From Section 6 Or 7 And 8 Through 12 Are Included.
contractor Supplies/delivered Medical Devices, Special Purpose Systems- Operational Technology (sps-ot) And Research Scientific Computing Devices Shall Comply With All Applicable Federal Law, Regulations, And Va Policies. New Developments Require Creation, Testing, Evaluation, And Authorization In Compliance With Processes Specified On The Specialized Device Cybersecurity Department Enterprise Risk Management (sdcd-erm) Portal, Va Directive 6550, Pre-procurement Assessment And Implementation Of Medical Devices/systems, Va Handbook 6500, And The Va Information Security Knowledge Service. Deviations From Federal Law, Regulations, And Va Policy Are Identified And Documented As Part Of Va Directive 6550 And/or The Va Enterprise Risk Analysis (era) Processes For Specialized Devices/systems Processes.
all Contractors And Third-party Service Providers Shall Address And/or Integrate Applicable Va Handbook 6500 And Information Security Knowledge Service Specifications In Delivered It Systems/solutions, Products And/or Services. If Systems/solutions, Products And/or Services Do Not Directly Match Va Security Requirements, The Contractor Shall Work Through The Cor/co For Governance Or Resolution.
the Contractor Shall Certify To The Cor/co That Devices/systems That Have Completed The Va Enterprise Risk Analysis (era) Process For Specialized Devices/systems Are Fully Functional And Operate Correctly As Intended. Devices/systems Must Follow The Va Era Authorized Configuration Prior To Acquisition And Connection To The Va Computing Environment. If Va Determines A New Va Era Needs To Be Created, The Contractor Shall Provide Required Technical Support To Develop The Configuration Settings. Major Changes To A Previously Approved Device/system Will Require A New Era.
the Contractor Shall Comply With All Practices Documented By The Food And Drug Administration (fda) Premarket Submission For Management Of Cybersecurity In Medical Devices And Postmarket Management Of Cybersecurity In Medical Devices.
the Contractor Shall Design Devices Capable Of Accepting All Applicable Security Patches With Or Without The Support Of The Contractor Personnel. If Patching Can Only Be Completed By The Contractor, The Contractor Shall Commit The Resources Needed To Patch All Applicable Devices At All Va Locations. If Unique Patching Instructions Or Packaging Is Needed, The Contractor Shall Provide The Necessary Information In Conjunction With The Validation/testing Of The Patch. The Contractor Shall Apply Security Patches Within 30 Business Days Of The Patch Release And Have A Formal Tracking Process For Any Security Patches Not Implemented To Include Explanation When A Device Cannot Be Patched.
the Contractor Shall Provide Devices Able To Install And Maintain Va-approved Antivirus Capabilities With The Capability To Quarantine Files And Be Updated As Needed In Response To Incidents. Alternatively, A Va-approved Whitelisting Application May Be Used When The Contractor Cannot Install An Anti-virus / Anti-malware Application.
the Contractor Shall Verify And Document All Software Embedded Within The Device Does Not Contain Any Known Viruses Or Malware Before Delivery To Or Installation At A Va Location.
devices And Other Equipment Or Systems Containing Media (hard Drives, Optical Disks, Solid State, And Storage Via Chips/firmware) With Va Sensitive Information Will Be Returned To The Contractor With Media Removed. When The Contract Requires Return Of Equipment, The Options Available To The Contractor Are The Following:
the Contractor Shall Accept The System Without The Drive, Firmware And Solid State.
va's Initial Device Purchase Includes A Spare Drive Or Other Replacement Media Which Must Be Installed In Place Of The Original Drive At Time Of Turn-in; Or
due To The Highly Specialized And Sometimes Proprietary Hardware And Software Associated With The Device, If It Is Not Possible For Va To Retain The Hard Drive, Firmware, And Solid State, Then:
the Equipment Contractor Shall Have An Existing Baa If The Device Being Traded In Has Sensitive Information Stored On It And Hard Drive(s) From The System Are Being Returned Physically Intact.
any Fixed Hard Drive, Complementary Metal-oxide-semiconductor (cmos), Programmable Read-only Memory (prom), Solid State And Firmware On The Device Must Be Non-destructively Sanitized To The Greatest Extent Possible Without Negatively Impacting System Operation. Selective Clearing Down To Patient Data Folder Level Is Recommended Using Va Approved And Validated Overwriting Technologies/methods/tools. Applicable Media Sanitization Specifications Need To Be Pre-approved And Described In The Solicitation, Contract, Or Order.
data Center Provisions. This Entire Section Applies Whenever The Acquisition Requires An Interconnection To/from The Va Network To/from A Non-va Location.
the Contractor Shall Ensure The Va Network Is Accessed By In Accordance With Va Directive 6500 And Iam Security Processes Specified In The Va Information Security Knowledge Service.
the Contractor Shall Ensure Network Infrastructure And Data Availability In Accordance With Va Information System Business Continuity Procedures Specified In The Va Information Security Knowledge Service.
the Contractor Shall Ensure Any Connections To The Internet Or Other External Networks For Information Systems Occur Through Managed Interfaces Utilizing Va Approved Boundary Protection Devices (e.g., Internet Proxies, Gateways, Routers, Firewalls, Guards Or Encrypted Tunnels).
the Contractor Shall Encrypt All Traffic Across The Segment Of The Wide Area Network (wan) It Manages And No Unencrypted Out Of Band (oob) Internet Protocol (ip) Traffic Will Traverse The Network.
the Contractor Shall Ensure Tunnel Endpoints Are Routable Addresses At Each Va Operating Site.
the Contractor Shall Secure Access From Local Area Networks (lans) At Co-located Sites In Accordance With Va Tic Reference Architecture, Va Directive And Handbook 6513, And Mou/isa Process Specified In The Va Information Security Knowledge Service.
Closing Date: 17 Feb 2025
Tender Amount: Refer Documents
Health Canada Tender
Others
Canada
Details: Advance Contract Award Notice (acan) Title: Support To The Canadian Surveillance System For Poison Information (csspi) Solicitation Number: 1000262309 1. The Purpose And Explanation Of An Acan An Advance Contract Award Notice (acan) Allows Health Canada To Post A Notice For No Less Than Fifteen (15) Calendar Days, Indicating To The Supplier Community That A Goods, Services Or Construction Contract Will Be Awarded To A Pre-identified Contractor. If No Other Supplier Submits, On Or Before The Closing Date, A Statement Of Capabilities That Meets The Minimum Requirements Identified In The Acan, The Contracting Authority May Then Proceed To Award A Contract To The Pre-identified Contractor. 2. Rights Of Suppliers Suppliers Who Consider Themselves Fully Qualified And Available To Provide The Services Or Goods Described In This Acan May Submit A Statement Of Capabilities Demonstrating How They Meet The Advertised Requirement. This Statement Of Capabilities Must Be Provided Via E-mail Only To The Contact Person Identified In Section 12 Of The Notice On Or Before The Closing Date And Time Of The Notice. If The Bidder Can Clearly Demonstrate They Possess The Required Capabilities, The Requirement Will Be Opened To Electronic Or Traditional Bidding Processes. 3. Proposed Contractor Parachute 300-150 Eglinton Ave E. Toronto Ontario M4p 1e8 4. Definition Of Requirements Or Expected Results Unintentional Poisonings Are A Leading Cause Of Preventable Injury And Death In Canada, Particularly Among Children And Other Vulnerable Populations. Canada’s Five Regional Poison Centres Serve As Vital Resources For Both The Public And Medical Professionals Seeking Guidance On The Treatment Of Poisoning And Adverse Drug Reactions. Together, These Centres Manage Approximately 200,000 Cases Annually, Providing Valuable, Evidence–based Information On Exposures To A Wide Variety Of Products And Substances Regulated By Health Canada. 
Canada Did Not Have A National Poison Centre Surveillance System Until The Need Was Identified In 2013 And 2014 By Various Authorities. In Response, A Pan-canadian Task Force Was Established, Bringing Together The Canadian Association Of Poison Centres And Clinical Toxicology (capcct), Poison Centres, And Provincial, Territorial, And Federal Health Authorities, Along With Other Key Partners, To Collaborate On The Development Of The Canadian Surveillance System For Poison Information (csspi). In 2016, A Business Case Was Completed Outlining A Multi-year Implementation Plan For The Csspi Program, Including The Technical Development Of An Automated Surveillance Application On The Canadian Network For Public Health Intelligence (cnphi). Alongside The Csspi’s Implementation And Technical Development, Health Canada And Its Partners Have Been Nurturing And Expanding The Toxicovigilance Canada Network, While Also Conducting Public Outreach And Communication Activities With The Support Of Partners Such As Parachute, Canada’s Leading Injury Prevention Organization. Toxicovigilance Canada, Led By Health Canada, Is A Collaborative Network Of Various Disciplines And Jurisdictions That Strengthens The Capacity For The Timely Detection, Analysis, And Response To Poisonings, Substance-related Harms, And Toxic Chemical Exposures. With The Anticipated Rollout Of The Csspi Application On Cnphi In 2025-2026, The Program Will Achieve A Key Milestone: The Ability To Conduct Near Real-time Surveillance And Generate National Statistics On Poisonings. The Csspi Program Will Provide Critical Evidence To Support Core Departmental Responsibilities, Pan-canadian Toxicovigilance Initiatives, And Public Health Efforts Aimed At Poison Prevention, Through Knowledge Translation And Outreach Activities. The Objective Of This Contract Is To Support Public Outreach And Knowledge Translation To Enhance The Impact Of The Csspi Program And Strengthen The Toxicovigilance Canada Network. 
Over The Next Five Years, Health Canada Requires The Services Of A Contractor To Coordinate Pan-canadian Outreach And Communication Activities, Build Professional Capacity And Facilitate Knowledge Exchange Across A Broad Network In Canada, Support And Coordinate Csspi Face-to-face Meetings And Toxicovigilance Workshops With Key Stakeholders, And Lead The Publication Of The Pan-canadian Annual Data Reports. This Work Aligns With Health Canada’s Mandate To Help Canadians Maintain And Protect Their Health, As Well As With Commitments Outlined In The Minister Of Health’s Mandate Letter To Protect Canadians From Harmful Chemicals. 5. Minimum Requirements Any Interested Supplier Must Demonstrate By Way Of A Statement Of Capabilities That It Meets The Following Minimum Requirements: 1. The Bidder’s Home Organization Must Have A Pan-canadian Mandate As Well As Significant And Recent Experience In Point Prevention And Harm Reduction Activities. 2. The Bidder’s Home Organization Must Have Significant Knowledge And Experience In Knowledge Translation And Public Outreach At The Pan-canadian Level. 3. The Bidder’s Home Organization Must Have Significant And Recent Experience Working With Canadian Poison Center Data And Medical Toxicology And Or Specialist In Poison Information. 4. The Bidder’s Home Organization Must Have An Established Pan-canadian Network That Includes Partners And Stakeholders Spanning Federal/provincial/territorial (f/p/t) Health Authorities As Well As Ngos, Academia And International Partners Involved In Toxicovigilance, All-hazards Prevention And Harm Reduction Efforts. *please Note – Significant And Recent Experience Is Defined As Minimum Five (5) Years Of Experience Within The Last Seven (7) Years* 6. Reason For Non-competitive Award Section 6 Of The Government Contracts Regulations Contains Four Exceptions That Permit The Contracting Authority To Set Aside The Requirement To Solicit Bids. 
For The Proposed Procurement, The Following Exception Applies: (d) Only One Person Or Firm Is Capable Of Performing The Contract 7. Applicable Trade Agreements And Justification For Limited Tendering This Procurement Is Subject To The Following: • Canadian Free Trade Agreement • Canada-chile Free Trade Agreement • Comprehensive And Progressive Agreement For Trans-pacific Partnership • Canada-colombia Free Trade Agreement • Canada-european Union Comprehensive Economic And Trade Agreement • Canada-honduras Free Trade Agreement • Canada-korea Free Trade Agreement • Canada-panama Free Trade Agreement • Canada-peru Free Trade Agreement • Canada-ukraine Free Trade Agreement • Canada-united Kingdom Trade Continuity Agreement • World Trade Organization-agreement On Government Procurement 8. Ownership Of Intellectual Property Contractor Will Own The Intellectual Property. 9. Period Of The Proposed Contract The Contract Period Shall Be From The 1st Of April 2025 Until The 31st Of March 2026, With Four (4) Option Periods. 10. Estimated Value Of The Proposed Contract The Estimated Value Of The Proposed Contract Is $300,000.00, Including All Applicable Taxes Plus Four (4) Option Years: Option Year 1 (2026/2027): $300,000.00 Option Year 2 (2027/2028): $350,000.00 Option Year 3 (2028/2029): $300,000.00 Option Year 4 (2029/2030): $300,000.00 The Estimated Total Of The Contract Including All Option Years Is $1,600,000.00 11. Closing Date And Time The Closing Date And Time For Accepting Statements Of Capabilities Is The 23rd Of January, 2025 At 2 P.m. Est. 12. Contact Person All Enquiries Must Be Addressed By E-mail To: Name: Eryn Mathers E-mail: Eryn.mathers@hc-sc.gc.ca
Closing Date: 23 Jan 2025
Tender Amount: Refer Documents
VETERANS AFFAIRS, DEPARTMENT OF USA Tender
Others
United States
Details: This Sources Sought Notice Is For Planning Purposes Only And Shall Not Be Considered As An Invitation For Bid, Request For Quotation, Request For Proposal, Or As An Obligation On The Part Of The Government To Acquire Any Products And/or Services. Your Response To This Sources Sought Notice Will Be Treated As Information Only. No Entitlement To Payment Of Direct Or Indirect Costs Or Charges By The Government Will Arise Because Of Contractor Submission Of Responses To This Announcement Or The Government Use Of Such Information. This Request Does Not Constitute A Solicitation For Proposals Or The Authority To Enter Negotiations To Award A Contract. No Funds Have Been Authorized, Appropriated, Or Received For This Effort. The Information Provided May Be Used By The Department Of Veterans Affairs In Developing Its Acquisition Approach, Statement Of Work/statement Of Objectives And Performance Specifications. Interested Parties Are Responsible For Adequately Marking Proprietary Or Competition Sensitive Information Contained In Their Response. The Government Does Not Intend To Award A Contract Based On This Sources Sought Notice Or To Otherwise Pay For The Information Submitted In Response To This Sources Sought Notice. The Submission Of Pricing, Capabilities For Planning Purposes, And Other Market Information Is Highly Encouraged And Allowed Under This Sources Sought Notice In Accordance With (iaw) Far Part 15.201(e) The Purpose Of This Sources Sought Notice Announcement Is For Market Research To Make Appropriate Acquisition Decisions And To Gain Knowledge Of Potential Qualified Service-disabled Veteran Owned Small Businesses, Veteran Owned Small Businesses, 8(a), Hubzone And Other Small Businesses Interested And Capable Of Providing The Products And/or Services Described Below. 
Documentation Of Technical Expertise Must Be Presented In Sufficient Detail For The Government To Determine That Your Company Possesses The Necessary Functional Area Expertise And Experience To Compete For This Acquisition. Responses To This Notice Shall Include The Following: (a) Company Name; (b) Address; (c) Point Of Contact; (d) Phone, Fax, And Email; (e) Uei Number; (f) Cage Code; (g) Tax Id Number; (h) Type Of Small Business, E.g., Services Disabled Veteran Owned Small Business, Veteran Owned Small Business, 8(a), Hubzone, Women Owned Small Business, Small Disadvantaged Business, Or Small Business Hubzone Business, Etc (i) State If Your Business Has An Fss Contract With Gsa, Va Nac, Nasa Sewp, Or Any Other Federal Contract, That Can Be Utilized To Procure The Requirement Listed Below And Provide The Contract Number; And (j) Must Provide A Capability Statement That Addresses The Organization S Qualifications And Ability To Perform As A Contractor For The Work Described Below. Requirement: The Va Heartland Network 15 Contracting Office Located At 3450 South 4th Street, Leavenworth, Ks, 66048-5055 Is Seeking A Potential Qualified Contractor To Provide Scriptpro Eyecon 9430 Pill Dispensing System For The Marion Va Medical Center, Located In Marion, Illinois, And The Evansville Health Care Center, Located In Evansville, Indiana. This Is A Brand Name Or Equal Requirement. Please See The Statement Of Work For More Specifics And Details. The North American Industry Classification System Code (naics Code) Is 339112 Surgical And Medical Instrument Manufacturing, Size Standard 1,000 Employees. Based On This Information, Please Indicate Whether Your Company Would Be A Large Or Small Business And Have A Socio-economic Designation As A Small Business, Vosb Or Sdvosb. Important Information: The Government Is Not Obligated To, Nor Will It Pay For Or Reimburse Any Costs Associated With Responding To This Source Sought Synopsis Request. 
This Notice Shall Not Be Construed As A Commitment By The Government To Issue A Solicitation Or Ultimately Award A Contract, Nor Does It Restrict The Government To An Acquisition Approach. The Government Will In No Way Be Bound To This Information If Any Solicitation Is Issued. Currently A Total Set-aside For Service-disabled Veteran Owned Small Business Firms Is Anticipated Based On The Veterans Administration Requirement With Public Law 109-461, Section 8127 Veterans Benefit Act. However, If Response By Service-disabled Veteran Owned Small Business Firms Proves Inadequate, An Alternate Set-aside Or Full And Open May Be Used. Responses To This Notice Shall Be Submitted Via Email To Erika Kobulnicky At Erika.kobulnicky@va.gov. Telephone Responses Will Not Be Accepted. Responses Must Be Received No Later Than Wednesday, February 19, 2025, At 10:00am Cst. If A Solicitation Is Issued It Shall Be Announced At A Later Date, And All Interested Parties Must Respond To That Solicitation Announcement Separately From The Responses To This Sources Sought. Responses To This Sources Sought Notice Are Not A Request To Be Added To A Prospective Bidders List Or To Receive A Copy Of The Solicit. Marion, Il Vamc And Ehcc Outpatient Clinic Statement Of Work: Scriptpro Eyecon Description Of Use: To Be Used At The Marion Va Medical Center Pharmacy And In The Evansville, In Outpatient Clinic This Solicitation Uses A Brand Name Or Equal Description Of The Product Required. This Permits Prospective Contractors To Offer Products Other Than Those Specifically Referenced By Brand Name. All Offers Must Work With Existing Equipment That Has Already Been Purchased And Is Currently In Use At The Station. 
Minimum Technical Specifications: The Scriptpro Dispensing System Must Also Be Assembled Within The Manufactured Country Or Show Significant Proof Of An Internationally Recognized Quality Assurance Program Certificate Of Authenticity Will Need To Be Provided The Dispensing System Must Have The Following: Safety Must Use Barcode Verification To Ensure Accuracy Of Dispensing And Must Work With Scriptpro Label Barcode Unit Must Have Means To Track Dispensed Drug Quantities And Contain Image Verification Of Quantities Dispensed. Must Come Equipped With Database Of Drug Images For Dispensing Verification. Must Include Additional Counting Platters For Penicillin And Sulfa To Avoid Cross Contamination. Workflow Must Allow For Integration With Scriptpro/vista To Verify Correct Dispensing Quantities. Must Fit In Existing Space With A Footprint Of 28 H X 11 W X 17.5 D. Must Count With A Count Accuracy Of At Least 99.9%. Verification Should Include Easy Work Flow Optics Such As Color Touch Screen. Must Include Large Counting Area Of 48 Sq Inches For Larger Quantity Verification. Information Technology Must Integrate With Current Equipment, Including Scriptpro Dispensing/filling Stations Must Interface With Vista, Ups Worldship, And Usps Sendsuite System Platforms. All Equipment Must Be New Description Quantity Sp Eyecon 9430 2 Optional/value Added Features: N/a Required Interfaces: Must Interface With Current Sp Equipment. Must Also Interface With Vista/cprs. Delivery Location(s): Department Of Veterans Affairs Marion Va Medical Center 2401 West Main Street Marion, Il 62959-1188 Department Of Veterans Affairs Evansville Va Healthcare Center 6211 E Waterford Blvd Evansville, In 47715 Records Management Obligations Applicability This Clause Applies To All Contractors Whose Employees Create, Work With, Or Otherwise Handle Federal Records, As Defined In Section B, Regardless Of The Medium In Which The Record Exists. Definitions Federal Record As Defined In 44 U.s.c.
§ 3301, Includes All Recorded Information, Regardless Of Form Or Characteristics, Made Or Received By A Federal Agency Under Federal Law Or In Connection With The Transaction Of Public Business And Preserved Or Appropriate For Preservation By That Agency Or Its Legitimate Successor As Evidence Of The Organization, Functions, Policies, Decisions, Procedures, Operations, Or Other Activities Of The United States Government Or Because Of The Informational Value Of Data In Them. The Term Federal Record: Includes [agency] Records. Does Not Include Personal Materials. Applies To Records Created, Received, Or Maintained By Contractors Pursuant To Their [agency] Contract. May Include Deliverables And Documentation Associated With Deliverables. Requirements Contractor Shall Comply With All Applicable Records Management Laws And Regulations, As Well As National Archives And Records Administration (nara) Records Policies, Including But Not Limited To The Federal Records Act (44 U.s.c. Chs. 21, 29, 31, 33), Nara Regulations At 36 Cfr Chapter Xii Subchapter B, And Those Policies Associated With The Safeguarding Of Records Covered By The Privacy Act Of 1974 (5 U.s.c. 552a). These Policies Include The Preservation Of All Records, Regardless Of Form Or Characteristics, Mode Of Transmission, Or State Of Completion. In Accordance With 36 Cfr 1222.32, All Data Created For Government Use And Delivered To, Or Falling Under The Legal Control Of, The Government Are Federal Records Subject To The Provisions Of 44 U.s.c. Chapters 21, 29, 31, And 33, The Freedom Of Information Act (foia) (5 U.s.c. 552), As Amended, And The Privacy Act Of 1974 (5 U.s.c.
552a), As Amended And Must Be Managed And Scheduled For Disposition Only As Permitted By Statute Or Regulation. In Accordance With 36 Cfr 1222.32, Contractor Shall Maintain All Records Created For Government Use Or Created In The Course Of Performing The Contract And/or Delivered To, Or Under The Legal Control Of The Government And Must Be Managed In Accordance With Federal Law. Electronic Records And Associated Metadata Must Be Accompanied By Sufficient Technical Documentation To Permit Understanding And Use Of The Records And Data. [agency] And Its Contractors Are Responsible For Preventing The Alienation Or Unauthorized Destruction Of Records, Including All Forms Of Mutilation. Records May Not Be Removed From The Legal Custody Of [agency] Or Destroyed Except For In Accordance With The Provisions Of The Agency Records Schedules And With The Written Concurrence Of The Head Of The Contracting Activity. Willful And Unlawful Destruction, Damage Or Alienation Of Federal Records Is Subject To The Fines And Penalties Imposed By 18 U.s.c. 2701. In The Event Of Any Unlawful Or Accidental Removal, Defacing, Alteration, Or Destruction Of Records, Contractor Must Report To [agency]. The Agency Must Report Promptly To Nara In Accordance With 36 Cfr 1230. The Contractor Shall Immediately Notify The Appropriate Contracting Officer Upon Discovery Of Any Inadvertent Or Unauthorized Disclosures Of Information, Data, Documentary Materials, Records, Or Equipment. Disclosure Of Non-public Information Is Limited To Authorized Personnel With A Need-to-know As Described In The [contract Vehicle]. The Contractor Shall Ensure That The Appropriate Personnel, Administrative, Technical, And Physical Safeguards Are Established To Ensure The Security And Confidentiality Of This Information, Data, Documentary Material, Records And/or Equipment Is Properly Protected.
The Contractor Shall Not Remove Material From Government Facilities Or Systems, Or Facilities Or Systems Operated Or Maintained On The Government's Behalf, Without The Express Written Permission Of The Head Of The Contracting Activity. When Information, Data, Documentary Material, Records And/or Equipment Is No Longer Required, It Shall Be Returned To [agency] Control Or The Contractor Must Hold It Until Otherwise Directed. Items Returned To The Government Shall Be Hand Carried, Mailed, Emailed, Or Securely Electronically Transmitted To The Contracting Officer Or Address Prescribed In The [contract Vehicle]. Destruction Of Records Is Expressly Prohibited Unless In Accordance With Paragraph (4). The Contractor Is Required To Obtain The Contracting Officer's Approval Prior To Engaging In Any Contractual Relationship (sub-contractor) In Support Of This Contract Requiring The Disclosure Of Information, Documentary Material And/or Records Generated Under, Or Relating To, Contracts. The Contractor (and Any Sub-contractor) Is Required To Abide By Government And [agency] Guidance For Protecting Sensitive, Proprietary Information, Classified, And Controlled Unclassified Information. The Contractor Shall Only Use Government It Equipment For Purposes Specifically Tied To Or Authorized By The Contract And In Accordance With [agency] Policy. The Contractor Shall Not Create Or Maintain Any Records Containing Any Non-public [agency] Information That Are Not Specifically Tied To Or Authorized By The Contract. The Contractor Shall Not Retain, Use, Sell, Or Disseminate Copies Of Any Deliverable That Contains Information Covered By The Privacy Act Of 1974 Or That Which Is Generally Protected From Public Disclosure By An Exemption To The Freedom Of Information Act. The [agency] Owns The Rights To All Data And Records Produced As Part Of This Contract. All Deliverables Under The Contract Are The Property Of The U.s.
Government For Which [agency] Shall Have Unlimited Rights To Use, Dispose Of, Or Disclose Such Data Contained Therein As It Determines To Be In The Public Interest. Any Contractor Rights In The Data Or Deliverables Must Be Identified As Required By Far 52.227-11 Through Far 52.227-20. Training. All Contractor Employees Assigned To This Contract Who Create, Work With, Or Otherwise Handle Records Are Required To Take [agency]-provided Records Management Training. The Contractor Is Responsible For Confirming Training Has Been Completed According To Agency Policies, Including Initial Training And Any Annual Or Refresher Training. [note: To The Extent An Agency Requires Contractors To Complete Records Management Training, The Agency Must Provide The Training To The Contractor.] Flow Down Of Requirements To Subcontractors The Contractor Shall Incorporate The Substance Of This Clause, Its Terms And Requirements Including This Paragraph, In All Subcontracts Under This [contract Vehicle], And Require Written Subcontractor Acknowledgment Of Same. Violation By A Subcontractor Of Any Provision Set Forth In This Clause Will Be Attributed To The Contractor. General. This Entire Section Applies To All Acquisitions Requiring Any Information Security And Privacy Language. Contractors, Contractor Personnel, Subcontractors And Subcontractor Personnel Will Be Subject To The Same Federal Laws, Regulations, Standards, Va Directives And Handbooks, As Va Personnel Regarding Information And Information System Security And Privacy. Va Information Custodial Language. This Entire Section Applies To All Acquisitions Requiring Any Information Security And Privacy Language. The Government Shall Receive Unlimited Rights To Data/intellectual Property First Produced And Delivered In The Performance Of This Contract Or Order (hereinafter "Contract") Unless Expressly Stated Otherwise In This Contract. This Includes All Rights To Source Code And All Documentation Created In Support Thereof.
The Primary Clause Used To Define Government And Contractor Data Rights Is Far 52.227-14 Rights In Data General. The Primary Clause Used To Define Computer Software License (not Data/intellectual Property First Produced Under This Contractor Or Order) Is Far 52.227-19, Commercial Computer Software License. Information Made Available To The Contractor By Va For The Performance Or Administration Of This Contract Will Be Used Only For The Purposes Specified In The Service Agreement, Sow, Pws, Pd, And/or Contract. The Contractor Shall Not Use Va Information In Any Other Manner Without Prior Written Approval From A Va Contracting Officer (co). Va Information Will Not Be Co-mingled With Any Other Data On The Contractor's Information Systems Or Media Storage Systems. The Contractor Shall Ensure Compliance With Federal And Va Requirements Related To Data Protection, Data Encryption, Physical Data Segregation, Logical Data Segregation, Classification Requirements And Media Sanitization. Va Reserves The Right To Conduct Scheduled Or Unscheduled Audits, Assessments, Or Investigations Of Contractor Information Technology (it) Resources To Ensure Information Security Is Compliant With Federal And Va Requirements. The Contractor Shall Provide All Necessary Access To Records (including Electronic And Documentary Materials Related To The Contracts And Subcontracts) And Support (including Access To Contractor And Subcontractor Staff Associated With The Contract) To Va, Va's Office Inspector General (oig), And/or Government Accountability Office (gao) Staff During Periodic Control Assessments, Audits, Or Investigations. The Contractor May Only Use Va Information Within The Terms Of The Contract And Applicable Federal Law, Regulations, And Va Policies.
If New Federal Information Security Laws, Regulations Or Va Policies Become Applicable After Execution Of The Contract, The Parties Agree To Negotiate Contract Modification And Adjustment Necessary To Implement The New Laws, Regulations, And/or Policies. The Contractor Shall Not Make Copies Of Va Information Except As Specifically Authorized And Necessary To Perform The Terms Of The Contract. If Copies Are Made For Restoration Purposes, After The Restoration Is Complete, The Copies Shall Be Destroyed In Accordance With Va Directive 6500, Va Cybersecurity Program And Va Information Security Knowledge Service. If A Veterans Health Administration (vha) Contract Is Terminated For Default Or Cause With A Business Associate, The Related Local Business Associate Agreement (baa) Shall Also Be Terminated And Actions Taken In Accordance With Vha Directive 1605.05, Business Associate Agreements. If There Is An Executed National Baa Associated With The Contract, Va Will Determine What Actions Are Appropriate And Notify The Contractor. The Contractor Shall Store And Transmit Va Sensitive Information In An Encrypted Form, Using Va-approved Encryption Tools Which Are, At A Minimum, Federal Information Processing Standards (fips) 140-2, Security Requirements For Cryptographic Modules (or Its Successor) Validated And In Conformance With Va Information Security Knowledge Service Requirements. The Contractor Shall Transmit Va Sensitive Information Using Va Approved Transport Layer Security (tls) Configured With Fips Based Cipher Suites In Conformance With National Institute Of Standards And Technology (nist) 800-52, Guidelines For The Selection, Configuration And Use Of Transport Layer Security (tls) Implementations. The Contractor's Firewall And Web Services Security Controls, As Applicable, Shall Meet Or Exceed Va's Minimum Requirements.
Except For Uses And Disclosures Of Va Information Authorized By This Contract For Performance Of The Contract, The Contractor May Use And Disclose Va Information Only In Two Situations: (i) In Response To A Qualifying Order Of A Court Of Competent Jurisdiction After Notification To Va Co (ii) With Written Approval From The Va Co. The Contractor Shall Refer All Requests For, Demands For Production Of Or Inquiries About, Va Information And Information Systems To The Va Co For Response. Notwithstanding The Provision Above, The Contractor Shall Not Release Va Records Protected By Title 38 U.s.c. § 5705, Confidentiality Of Medical Quality-assurance Records And/or Title 38 U.s.c. § 7332, Confidentiality Of Certain Medical Records Pertaining To Drug Addiction, Sickle Cell Anemia, Alcoholism Or Alcohol Abuse Or Infection With Human Immunodeficiency Virus (hiv). If The Contractor Is In Receipt Of A Court Order Or Other Requests For The Above-mentioned Information, The Contractor Shall Immediately Refer Such Court Order Or Other Requests To The Va Co For Response. Information Made Available To The Contractor By Va For The Performance Or Administration Of This Contract Or Information Developed By The Contractor In Performance Or Administration Of The Contract Will Be Protected And Secured In Accordance With Va Directive 6500 And Identity And Access Management (iam) Security Processes Specified In The Va Information Security Knowledge Service. Any Data Destruction Done On Behalf Of Va By A Contractor Shall Be Done In Accordance With National Archives And Records Administration (nara) Requirements As Outlined In Va Directive 6300, Records And Information Management, Va Handbook 6300.1, Records Management Procedures, And Applicable Va Records Control Schedules. The Contractor Shall Provide Its Plan For Destruction Of All Va Data In Its Possession According To Va Directive 6500 And Nist 800-88, Guidelines For Media Sanitization Prior To Termination Or Completion Of This Contract.
If Directed By The Cor/co, The Contractor Shall Return All Federal Records To Va For Disposition. Any Media, Such As Paper, Magnetic Tape, Magnetic Disks, Solid State Devices Or Optical Discs That Is Used To Store, Process, Or Access Va Information That Cannot Be Destroyed Shall Be Returned To Va. The Contractor Shall Hold The Appropriate Material Until Otherwise Directed By The Contracting Officer's Representative (cor) Or Co. Items Shall Be Returned Securely Via Va-approved Methods. Va Sensitive Information Must Be Transmitted Utilizing Va-approved Encryption Tools Which Are Validated Under Fips 140-2 (or Its Successor) And Nist 800-52. If Mailed, The Contractor Shall Send Via A Trackable Method (usps, Ups, Fedex, Etc.) And Immediately Provide The Cor/co With The Tracking Information. Self-certification By The Contractor That The Data Destruction Requirements Above Have Been Met Shall Be Sent To The Cor/co Within 30 Business Days Of Termination Of The Contract. All Electronic Storage Media (hard Drives, Optical Disks, Cds, Back-up Tapes, Etc.) Used To Store, Process Or Access Va Information Will Not Be Returned To The Contractor At The End Of Lease, Loan, Or Trade-in. Exceptions To This Paragraph Will Only Be Granted With The Written Approval Of The Va Co. Access To Va Information And Va Information Systems. This Section Applies When Any Person Requires Access To Information Made Available To The Contractor By Va For The Performance Or Administration Of This Contract Or Information Developed By The Contractor In Performance Or Administration Of The Contract. A Contractor/subcontractor Shall Request Logical (technical) Or Physical Access To Va Information And Va Information Systems For Their Employees And Subcontractors Only To The Extent Necessary To Perform The Services Specified In The Solicitation Or Contract. This Includes Indirect Entities, Both Affiliate Of Contractor/subcontractor And Agent Of Contractor/subcontractor.
Contractors And Subcontractors Shall Sign The Va Information Security Rule Of Behavior (rob) Before Access Is Provided To Va Information And Information Systems (see Section 4, Training, Below). The Rob Contains The Minimum User Compliance Requirements And Does Not Supersede Any Policies Of Va Facilities Or Other Agency Components Which Provide Higher Levels Of Protection To Va's Information Or Information Systems. Users Who Require Privileged Access Shall Complete The Va Elevated Privilege Access Request Processes Before Privileged Access Is Granted. All Contractors And Subcontractors Working With Va Information Are Subject To The Same Security Investigative And Clearance Requirements As Those Of Va Appointees Or Employees Who Have Access To The Same Types Of Information. The Level And Process Of Background Security Investigations For Contractors Shall Be In Accordance With Va Directive And Handbook 0710, Personnel Suitability And Security Program. The Office Of Human Resources And Administration/operations, Security And Preparedness (hra/osp) Is Responsible For These Policies And Procedures. Contract Personnel Who Require Access To Classified Information Or Information Systems Shall Have An Appropriate Security Clearance. Verification Of A Security Clearance Shall Be Processed Through The Special Security Officer Located In Hra/osp. Contractors Shall Conform To All Requirements Stated In The National Industrial Security Program Operating Manual (nispom). All Contractors And Subcontractors Shall Comply With Conditions Specified In Vaar 852.204-71(d); Contractor Operations Required To Be In United States. All Contractors And Subcontractors Working With Va Information Must Be Permanently Located Within A Jurisdiction Subject To The Law Of The United States Or Its Territories To The Maximum Extent Feasible. If Services Are Proposed To Be Performed Abroad The Contractor Must State Where All Non-u.s. Services Are Provided.
The Contractor Shall Deliver To Va A Detailed Plan Specifically Addressing Communications, Personnel Control, Data Protection And Potential Legal Issues. The Plan Shall Be Approved By The Cor/co In Writing Prior To Access Being Granted. The Contractor Shall Notify The Cor/co In Writing Immediately (no Later Than 24 Hours) After Personnel Separation Or Occurrence Of Other Causes. Causes May Include The Following: Contractor/subcontractor Personnel No Longer Has A Need For Access To Va Information Or Va Information Systems. Contractor/subcontractor Personnel Are Terminated, Suspended, Or Otherwise Has Their Work On A Va Project Discontinued For Any Reason. Contractor Believes Their Own Personnel Or Subcontractor Personnel May Pose A Threat To Their Company's Working Environment Or To Any Company-owned Property. This Includes Contractor-owned Assets, Buildings, Confidential Data, Customers, Employees, Networks, Systems, Trade Secrets And/or Va Data. Any Previously Undisclosed Changes To Contractor/subcontractor Background History Are Brought To Light, Including But Not Limited To Changes To Background Investigation Or Employee Record. Contractor/subcontractor Personnel Have Their Authorization To Work In The United States Revoked. Agreement By Which Contractor Provides Products And Services To Va Has Either Been Fulfilled Or Terminated, Such That Va Can Cut Off Electronic And/or Physical Access For Contractor Personnel. In Such Cases Of Contract Fulfillment, Termination, Or Other Causes; The Contractor Shall Take The Necessary Measures To Immediately Revoke Access To Va Network, Property, Information, And Information Systems (logical And Physical) By Contractor/subcontractor Personnel. These Measures Include (but Are Not Limited To): Removing And Then Securing Personal Identity Verification (piv) Badges And Piv Interoperable (piv-i) Access Badges, Va-issued Photo Badges, Credentials For Va Facilities And Devices, Va-issued Laptops, And Authentication Tokens.
Contractors Shall Notify The Appropriate Va Cor/co Immediately To Initiate Access Removal. Contractors/subcontractors Who No Longer Require Va Accesses Will Return Va-issued Property To Va. This Property Includes (but Is Not Limited To): Documents, Electronic Equipment, Keys, And Parking Passes. Piv And Piv-i Access Badges Shall Be Returned To The Nearest Va Piv Badge Issuance Office. Once They Have Had Access To Va Information, Information Systems, Networks And Va Property In Their Possessions Removed, Contractors Shall Notify The Appropriate Va Cor/co. Training. This Entire Section Applies To All Acquisitions Which Include Section 3. All Contractors And Subcontractors Requiring Access To Va Information And Va Information Systems Shall Successfully Complete The Following Before Being Granted Access To Va Information And Its Systems: Va Privacy And Information Security Awareness And Rules Of Behavior Course (talent Management System (tms) #10176) Initially And Annually Thereafter. Sign And Acknowledge (electronically Through Tms #10176) Understanding Of And Responsibilities For Compliance With The Organizational Rules Of Behavior, Relating To Access To Va Information And Information Systems Initially And Annually Thereafter; And Successfully Complete Any Additional Cyber Security Or Privacy Training, As Required For Va Personnel With Equivalent Information System Or Information Access [to Be Defined By The Va Program Official And Provided To The Va Co For Inclusion In The Solicitation Document I.e., Any Role-based Information Security Training]. The Contractor Shall Provide To The Cor/co A Copy Of The Training Certificates And Certification Of Signing The Organizational Rules Of Behavior For Each Applicable Employee Within Five Days Of The Initiation Of The Contract And Annually Thereafter, As Required.
Failure To Complete The Mandatory Annual Training Is Grounds For Suspension Or Termination Of All Physical Or Electronic Access Privileges And Removal From Work On The Contract Until Such Time As The Required Training Is Complete. Security Incident Investigation. This Entire Section Applies To All Acquisitions Requiring Any Information Security And Privacy Language. The Contractor, Subcontractor, Their Employees, Or Business Associates Shall Immediately (within One Hour) Report Suspected Security / Privacy Incidents To The Va Oit's Enterprise Service Desk (esd) By Calling (855) 673-4357 (tty: 711). The Esd Is Oit's 24/7/365 Single Point Of Contact For It-related Issues. After Reporting To The Esd, The Contractor, Subcontractor, Their Employees, Or Business Associates Shall, Within One Hour, Provide The Cor/co The Incident Number Received From The Esd. To The Extent Known By The Contractor/subcontractor, The Contractor/subcontractor's Notice To Va Shall Identify The Information Involved And The Circumstances Surrounding The Incident, Including The Following: The Date And Time (or Approximation Of) The Security Incident Occurred. The Names Of Individuals Involved (when Applicable). The Physical And Logical (if Applicable) Location Of The Incident. Why The Security Incident Took Place (i.e., Catalyst For The Failure). The Amount Of Data Belonging To Va Believed To Have Been Compromised. The Remediation Measures The Contractor Is Taking To Ensure No Future Incidents Of A Similar Nature. After The Contractor Has Provided The Initial Detailed Incident Summary To Va, They Will Continue To Provide Written Updates On Any New And Relevant Circumstances Or Facts They Discover. The Contractor, Subcontractor, And Their Employees Shall Fully Cooperate With Va Or Third-party Entity Performing An Independent Risk Analysis On Behalf Of Va. Failure To Cooperate May Be Deemed A Material Breach And Grounds For Contract Termination.
Va It Contractors Shall Follow Va Handbook 6500, Risk Management Framework For Va Information Systems Va Information Security Program, And Va Information Security Knowledge Service Guidance For Implementing An Incident Response Plan Or Integrating With An Existing Va Implementation. In Instances Of Theft Or Break-in Or Other Criminal Activity, The Contractor/subcontractor Must Concurrently Report The Incident To The Appropriate Law Enforcement Entity (or Entities) Of Jurisdiction, Including The Va Oig, And The Va Office Of Security And Law Enforcement. The Contractor, Its Employees, And Its Subcontractors And Their Employees Shall Cooperate With Va And Any Law Enforcement Authority Responsible For The Investigation And Prosecution Of Any Possible Criminal Law Violation(s) Associated With Any Incident. The Contractor/subcontractor Shall Cooperate With Va In Any Civil Litigation To Recover Va Information, Obtain Monetary Or Other Compensation From A Third Party For Damages Arising From Any Incident, Or Obtain Injunctive Relief Against Any Third Party Arising From, Or Related To, The Incident. The Contractor Shall Comply With Va Handbook 6500.2, Management Of Breaches Involving Sensitive Personal Information, Which Establishes The Breach Management Policies And Assigns Responsibilities For The Oversight, Management And Reporting Procedures Associated With Managing Of Breaches. With Respect To Unsecured Protected Health Information (phi), The Contractor Is Deemed To Have Discovered A Data Breach When The Contractor Knew Or Should Have Known Of Breach Of Such Information. When A Business Associate Is Part Of Vha Contract, Notification To The Covered Entity (vha) Shall Be Made In Accordance With The Executed Baa. 
If The Contractor Or Any Of Its Agents Fails To Protect Va Sensitive Personal Information Or Otherwise Engages In Conduct Which Results In A Data Breach Involving Any Va Sensitive Personal Information The Contractor/subcontractor Processes Or Maintains Under The Contract; The Contractor Shall Pay Liquidated Damages To The Va As Set Forth In Clause 852.211-76, Liquidated Damages Reimbursement For Data Breach Costs. Information System Design And Development. This Entire Section Applies To Information Systems, Systems, Major Applications, Minor Applications, Enclaves, And Platform Information Technologies (to Include The Subcomponents Of Each) Designed Or Developed For Or On Behalf Of Va By Any Non-va Entity. Information Systems Designed Or Developed On Behalf Of Va At Non-va Facilities Shall Comply With All Applicable Federal Law, Regulations, And Va Policies. This Includes Standards For The Protection Of Electronic Protected Health Information (phi), Outlined In 45 C.f.r. Part 164, Subpart C And Information And System Security Categorization Level Designations In Accordance With Fips 199, Standards For Security Categorization Of Federal Information And Information Systems And Fips 200, Minimum Security Requirements For Federal Information Systems. Baseline Security Controls Shall Be Implemented Commensurate With The Fips 199 System Security Categorization (reference Va Handbook 6500 And Va Trusted Internet Connections (tic) Architecture). Contracted New Developments Require Creation, Testing, Evaluation, And Authorization In Compliance With Va Assessment And Authorization (a&a) Processes In Va Handbook 6500 And Va Information Security Knowledge Service To Obtain An Authority To Operate (ato). Va Directive 6517, Risk Management Framework For Cloud Computing Services, Provides The Security And Privacy Requirements For Cloud Environments. 
Va It Contractors, Subcontractors And Third-party Service Providers Shall Address And/or Integrate Applicable Va Handbook 6500, Va Handbook 6517, Risk Management Framework For Cloud Computing Services And Information Security Knowledge Service Specifications In Delivered It Systems/solutions, Products And/or Services. If Systems/solutions, Products And/or Services Do Not Directly Match Va Security Requirements, The Contractor Shall Work Through The Cor/co To Identify The Va Organization Responsible For Governance Or Resolution. Contractors Shall Comply With Far 39.1, Specifically The Prohibitions Referenced. The Contractor (including Producers And Resellers) Shall Comply With Office Of Management And Budget (omb) M-22-18 And M-23-16 When Using Third-party Software On Va Information Systems Or Otherwise Affecting The Va Information. This Includes New Software Purchases And Software Renewals For Software Developed Or Modified By Major Version Change After The Issuance Date Of M-22-18 (september 14, 2022). The Term Software Includes Firmware, Operating Systems, Applications And Application Services (e.g., Cloud-based Software), As Well As Products Containing Software. The Contractor Shall Provide A Self-attestation That Secure Software Development Practices Are Utilized As Outlined By Executive Order (eo) 14028 And Nist Guidance. A Third-party Assessment Provided By Either A Certified Federal Risk And Authorization Management Program (fedramp) Third Party Assessor Organization (3pao) Or One Approved By The Agency Will Be Acceptable In Lieu Of A Software Producer's Self-attestation. 
The Contractor Shall Ensure All Delivered Applications, Systems And Information Systems Are Compliant With Homeland Security Presidential Directive (hspd) 12 And Va Identity And Access Management (iam) Enterprise Identity Management Requirements As Set Forth In Omb M-19-17, M-05-24, Fips 201-3, Personal Identity Verification (piv) Of Federal Employees And Contractors (or Its Successor), M-21-31 And Supporting Nist Guidance. This Applies To Commercial Off-the-shelf (cots) Product(s) That The Contractor Did Not Develop, All Software Configurations And All Customizations. The Contractor Shall Ensure All Contractor Delivered Applications And Systems Provide User Authentication Services Compliant With Va Handbook 6500, Va Information Security Knowledge Service, Iam Enterprise Requirements And Nist 800-63, Digital Identity Guidelines, For Direct, Assertion-based Authentication And/or Trust-based Authentication, As Determined By The Design And Integration Patterns. Direct Authentication At A Minimum Must Include Public Key Infrastructure (pki) Based Authentication Supportive Of Piv And/or Common Access Card (cac), As Determined By The Business Need And Compliance With Va Information Security Knowledge Service Specifications. The Contractor Shall Use Va Authorized Technical Security Baseline Configurations And Certify To The Cor That Applications Are Fully Functional And Operate Correctly As Intended On Systems In Compliance With Va Baselines Prior To Acceptance Or Connection Into An Authorized Va Computing Environment. If The Defense Information Systems Agency (disa) Has Created A Security Technical Implementation Guide (stig) For The Technology, The Contractor May Configure To Comply With That Stig. If Va Determines A New Or Updated Va Configuration Baseline Needs To Be Created, The Contractor Shall Provide Required Technical Support To Develop The Configuration Settings. 
Far 39.1 Requires The Population Of Operating Systems And Applications Includes All Listed On The Nist National Checklist Program Checklist Repository. The Standard Installation, Operation, Maintenance, Updating And Patching Of Software Shall Not Alter The Configuration Settings From Va Approved Baseline Configuration. Software Developed For Va Must Be Compatible With Va Enterprise Installer Services And Install To The Default Program Files Directory With Silently Install And Uninstall. The Contractor Shall Perform Testing Of All Updates And Patching Prior To Implementation On Va Systems. Applications Designed For Normal End Users Will Run In The Standard User Context Without Elevated System Administration Privileges. The Contractor-delivered Solutions Shall Reside On Va Approved Operating Systems. Exceptions To This Will Only Be Granted With The Written Approval Of The Cor/co. The Contractor Shall Design, Develop, And Implement Security And Privacy Controls In Accordance With The Provisions Of Va Security System Development Life Cycle Outlined In Nist 800-37, Risk Management Framework For Information Systems And Organizations: A System Life Cycle Approach For Security And Privacy, Va Directive And Handbook 6500, And Va Handbook 6517. The Contractor Shall Comply With The Privacy Act Of 1974 (the Act), Far 52.224-2 Privacy Act, And Va Rules And Regulations Issued Under The Act In The Design, Development, Or Operation Of Any System Of Records On Individuals To Accomplish A Va Function. The Contractor Shall Ensure The Security Of All Procured Or Developed Information Systems, Systems, Major Applications, Minor Applications, Enclaves And Platform Information Technologies, Including Their Subcomponents (hereinafter Referred To As Information Systems) Throughout The Life Of This Contract And Any Extension, Warranty, Or Maintenance Periods. 
This Includes Security Configurations, Workarounds, Patches, Hotfixes, Upgrades, Replacements And Any Physical Components Which May Be Necessary To Remediate All Security Vulnerabilities Published Or Known To The Contractor Anywhere In The Information Systems (including Systems, Operating Systems, Products, Hardware, Software, Applications And Firmware). The Contractor Shall Ensure Security Fixes Do Not Negatively Impact The Information Systems. When The Contractor Is Responsible For Operations Or Maintenance Of The Systems, The Contractor Shall Apply The Security Fixes Within The Timeframe Specified By The Associated Controls On The Va Information Security Knowledge Service. When Security Fixes Involve Installing Third Party Patches (such As Microsoft Os Patches Or Adobe Acrobat), The Contractor Shall Provide Written Notice To The Va Cor/co That The Patch Has Been Validated As To Not Affecting The Systems Within 10 Business Days. Information System Hosting, Operation, Maintenance Or Use. This Entire Section Applies To Information Systems, Systems, Major Applications, Minor Applications, Enclaves, And Platform Information Technologies (cloud And Non- Cloud) Hosted, Operated, Maintained, Or Used On Behalf Of Va At Non-va Facilities. The Contractor Shall Comply With All Federal Laws, Regulations, And Va Policies For Information Systems (cloud And Non-cloud) That Are Hosted, Operated, Maintained, Or Used On Behalf Of Va At Non-va Facilities. Security Controls For Collecting, Processing, Transmitting, And Storing Of Va Sensitive Information, Must Be In Place. The Controls Will Be Tested By Va Or A Va Sanctioned 3pao And Approved By Va Prior To Hosting, Operation, Maintenance Or Use Of The Information System Or Systems By Or On Behalf Of Va. 
This Includes Conducting Compliance Risk Assessments, Security Architecture Analysis, Routine Vulnerability Scanning, System Patching, Change Management Procedures And The Completion Of An Acceptable Contingency Plan For Each System. The Contractor's Security Control Procedures Shall Be The Same As Procedures Used To Secure Va-operated Information Systems. Outsourcing (contractor Facility, Equipment, Or Staff) Of Systems Or Network Operations, Telecommunications Services Or Other Managed Services Require Assessment And Authorization (a&a) Of The Contractor's Systems In Accordance With Va Handbook 6500 As Specified In Va Information Security Knowledge Service. Major Changes To The A&a Package May Require Reviewing And Updating All The Documentation Associated With The Change. The Contractor's Cloud Computing Systems Shall Comply With Fedramp And Va Directive 6517 Requirements. The Contractor Shall Return All Electronic Storage Media (hard Drives, Optical Disks, Cds, Back-up Tapes, Etc.) On Non-va Leased Or Non-va Owned It Equipment Used To Store, Process Or Access Va Information To Va In Accordance With A&a Package Requirements. This Applies When The Contract Is Terminated Or Completed And Prior To Disposal Of Media. The Contractor Shall Provide Its Plan For Destruction Of All Va Data In Its Possession According To Va Information Security Knowledge Service Requirements And Nist 800-88. The Contractor Shall Send A Self-certification That The Data Destruction Requirements Above Have Been Met To The Cor/co Within 30 Business Days Of Termination Of The Contract. All External Internet Connections To Va Network Involving Va Information Must Be In Accordance With Va Trusted Internet Connection (tic) Reference Architecture And Va Directive And Handbook 6513, Secure External Connections And Reviewed And Approved By Va Prior To Implementation. 
Government-owned Contractor-operated Systems, Third Party Or Business Partner Networks Require A Memorandum Of Understanding (mou) And Interconnection Security Agreements (isa). Contractor Procedures Shall Be Subject To Periodic, Announced, Or Unannounced Assessments By Va Officials, The Oig Or A 3pao. The Physical Security Aspects Associated With Contractor Activities Are Also Subject To Such Assessments. The Contractor Shall Report, In Writing, Any Deficiencies Noted During The Above Assessment To The Va Cor/co. The Contractor Shall Use Va's Defined Processes To Document Planned Remedial Actions That Address Identified Deficiencies In Information Security Policies, Procedures, And Practices. The Contractor Shall Correct Security Deficiencies Within The Timeframes Specified In The Va Information Security Knowledge Service. All Major Information System Changes Which Occur In The Production Environment Shall Be Reviewed By The Va To Determine The Impact On Privacy And Security Of The System. Based On The Review Results, Updates To The Authority To Operate (ato) Documentation And Parameters May Be Required To Remain In Compliance With Va Handbook 6500 And Va Information Security Knowledge Service Requirements. The Contractor Shall Conduct An Annual Privacy And Security Self-assessment On All Information Systems And Outsourced Services As Required. Copies Of The Assessment Shall Be Provided To The Cor/co. The Va/government Reserves The Right To Conduct Assessment Using Government Personnel Or A Third-party If Deemed Necessary. The Contractor Shall Correct Or Mitigate Any Weaknesses Discovered During The Assessment. Va Prohibits The Installation And Use Of Personally Owned Or Contractor-owned Equipment Or Software On Va Information Systems. If Non-va Owned Equipment Must Be Used To Fulfill The Requirements Of A Contract, It Must Be Stated In The Service Agreement, Sow, Pws, Pd Or Contract. 
All Security Controls Required For Government Furnished Equipment Must Be Utilized In Va Approved Other Equipment (oe). Configuration Changes To The Contractor Oe, Must Be Funded By The Owner Of The Equipment. All Remote Systems Must Use A Va-approved Antivirus Software And A Personal (host-based Or Enclave Based) Firewall With A Va-approved Configuration. The Contractor Shall Ensure Software On Oe Is Kept Current With All Critical Updates And Patches. Owners Of Approved Oe Are Responsible For Providing And Maintaining The Anti-virus Software And The Firewall On The Non-va Owned Oe. Approved Contractor Oe Will Be Subject To Technical Inspection At Any Time. The Contractor Shall Notify The Cor/co Within One Hour Of Disclosure Or Successful Exploits Of Any Vulnerability Which Can Compromise The Confidentiality, Integrity, Or Availability Of The Information Systems. The System Or Affected Component(s) Need(s) To Be Isolated From The Network. A Forensic Analysis Needs To Be Conducted Jointly With Va. Such Issues Will Be Remediated As Quickly As Practicable, But In No Event Longer Than The Timeframe Specified By Va Information Security Knowledge Service. If Sensitive Personal Information Is Compromised Reference Va Handbook 6500.2 And Section 5, Security Incident Investigation. For Cases Wherein The Contractor Discovers Material Defects Or Vulnerabilities Impacting Products And Services They Provide To Va, The Contractor Shall Develop And Implement Policies And Procedures For Disclosure To Va, As Well As Remediation. The Contractor Shall, Within 30 Business Days Of Discovery, Document A Summary Of These Vulnerabilities Or Defects. The Documentation Will Include A Description Of The Potential Impact Of Each Vulnerability And Material Defect, Compensating Security Controls, Mitigations, Recommended Corrective Actions, Root Cause Analysis And/or Workarounds (i.e., Monitoring). 
Should There Exist Any Backdoors In The Products Or Services They Provide To Va (referring To Methods For Bypassing Computer Authentication), The Contractor Shall Provide The Va Co/co Written Assurance They Have Permanently Remediated These Backdoors. All Other Vulnerabilities, Including Those Discovered Through Routine Scans Or Other Assessments, Will Be Remediated Based On Risk, In Accordance With The Remediation Timelines Specified By The Va Information Security Knowledge Service And/or The Applicable Timeframe Mandated By Cybersecurity & Infrastructure Security Agency (cisa) Binding Operational Directive (bod) 22-01 And Bod 19-02 For Internet-accessible Systems. Exceptions To This Paragraph Will Only Be Granted With The Approval Of The Cor/co. Security And Privacy Controls Compliance Testing, Assessment And Auditing. This Entire Section Applies Whenever Section 6 Or 7 Is Included. Should Va Request It, The Contractor Shall Provide A Copy Of Their (corporation's, Sole Proprietorship's, Partnership's, Limited Liability Company (llc), Or Other Business Structure Entity's) Policies, Procedures, Evidence And Independent Report Summaries Related To Specified Cybersecurity Frameworks (international Organization For Standardization (iso), Nist Cybersecurity Framework (csf), Etc.). Va Or Its Third-party/partner Designee (if Applicable) Are Further Entitled To Perform Their Own Audits And Security/penetration Tests Of The Contractor's It Or Systems And Controls, To Ascertain Whether The Contractor Is Complying With The Information Security, Network Or System Requirements Mandated In The Agreement Between Va And The Contractor. Any Audits Or Tests Of The Contractor Or Third-party Designees/partner Va Elects To Carry Out Will Commence Within 30 Business Days Of Va Notification. 
Such Audits, Tests And Assessments May Include The Following: (a): Security/penetration Tests Which Both Sides Agree Will Not Unduly Impact Contractor Operations; (b): Interviews With Pertinent Stakeholders And Practitioners; (c): Document Review; And (d): Technical Inspections Of Networks And Systems The Contractor Uses To Destroy, Maintain, Receive, Retain, Or Use Va Information. As Part Of These Audits, Tests And Assessments, The Contractor Shall Provide All Information Requested By Va. This Information Includes, But Is Not Limited To, The Following: Equipment Lists, Network Or Infrastructure Diagrams, Relevant Policy Documents, System Logs Or Details On Information Systems Accessing, Transporting, Or Processing Va Data. The Contractor And At Its Own Expense, Shall Comply With Any Recommendations Resulting From Va Audits, Inspections And Tests. Va Further Retains The Right To View Any Related Security Reports The Contractor Has Generated As Part Of Its Own Security Assessment. The Contractor Shall Also Notify Va Of The Existence Of Any Such Security Reports Or Other Related Assessments, Upon Completion And Validation. Va Appointed Auditors Or Other Government Agency Partners May Be Granted Access To Such Documentation On A Need-to-know Basis And Coordinated Through The Cor/co. The Contractor Shall Comply With Recommendations Which Result From These Regulatory Assessments On The Part Of Va Regulators And Associated Government Agency Partners. Product Integrity, Authenticity, Provenance, Anti-counterfeit And Anti-tampering. This Entire Section Applies When The Acquisition Involves Any Product (application, Hardware, Or Software) Or When Section 6 Or 7 Is Included. The Contractor Shall Comply With Code Of Federal Regulations (cfr) Title 15 Part 7, Securing The Information And Communications Technology And Services (icts) Supply Chain , Which Prohibits Icts Transactions From Foreign Adversaries. 
Icts Transactions Are Defined As Any Acquisition, Importation, Transfer, Installation, Dealing In Or Use Of Any Information And Communications Technology Or Service, Including Ongoing Activities, Such As Managed Services, Data Transmission, Software Updates, Repairs Or The Platforming Or Data Hosting Of Applications For Consumer Download. When Contracting Terms Require The Contractor To Procure Equipment, The Contractor Shall Purchase Or Acquire The Equipment From An Original Equipment Manufacturer (oem) Or An Authorized Reseller Of The Oem. The Contractor Shall Attest That Equipment Procured From An Oem Or Authorized Reseller Or Distributor Are Authentic. If Procurement Is Unavailable From An Oem Or Authorized Reseller, The Contractor Shall Submit In Writing, Details Of The Circumstances Prohibiting This From Happening And Procure A Product Waiver From The Va Cor/co. All Contractors Shall Establish, Implement, And Provide Documentation For Risk Management Practices For Supply Chain Delivery Of Hardware, Software (to Include Patches) And Firmware Provided Under This Agreement. Documentation Will Include Chain Of Custody Practices, Inventory Management Program, Information Protection Practices, Integrity Management Program For Sub-supplier Provided Components, And Replacement Parts Requests. The Contractor Shall Make Spare Parts Available. All Contractor(s) Shall Specify How Digital Delivery For Procured Products, Including Patches, Will Be Validated And Monitored To Ensure Consistent Delivery. The Contractor Shall Apply Encryption Technology To Protect Procured Products Throughout The Delivery Process. If A Contractor Provides Software Or Patches To Va, The Contractor Shall Publish Or Provide A Hash Conforming To The Fips Security Requirements For Cryptographic Modules (fips 140-2 Or Successor). 
The Contractor Shall Provide A Software Bill Of Materials (sbom) For Procured (to Include Licensed Products) And Consist Of A List Of Components And Associated Metadata Which Make Up The Product. Sboms Must Be Generated In One Of The Data Formats Defined In The National Telecommunications And Information Administration (ntia) Report The Minimum Elements For A Software Bill Of Materials (sbom). Contractors Shall Use Or Arrange For The Use Of Trusted Channels To Ship Procured Products, Such As U.s. Registered Mail And/or Tamper-evident Packaging For Physical Deliveries. Throughout The Delivery Process, The Contractor Shall Demonstrate A Capability For Detecting Unauthorized Access (tampering). The Contractor Shall Demonstrate Chain-of-custody Documentation For Procured Products And Require Tamper-evident Packaging For The Delivery Of This Hardware. Viruses, Firmware And Malware. This Entire Section Applies When The Acquisition Involves Any Product (application, Hardware, Or Software) Or When Section 6 Or 7 Is Included. The Contractor Shall Execute Due Diligence To Ensure All Provided Software And Patches, Including Third-party Patches, Are Free Of Viruses And/or Malware Before Releasing Them To Or Installing Them On Va Information Systems. The Contractor Warrants It Has No Knowledge Of And Did Not Insert, Any Malicious Virus And/or Malware Code Into Any Software Or Patches Provided To Va Which Could Potentially Harm Or Disrupt Va Information Systems. The Contractor Shall Use Due Diligence, If Supplying Third-party Software Or Patches, To Ensure The Third-party Has Not Inserted Any Malicious Code And/or Virus Which Could Damage Or Disrupt Va Information Systems. The Contractor Shall Provide Or Arrange For The Provision Of Technical Justification As To Why Any False Positive Hit Has Taken Place To Ensure Their Code's Supply Chain Has Not Been Compromised. 
Justification May Be Required, But Is Not Limited To, When Install Files, Scripts, Firmware, Or Other Contractor-delivered Software Solutions (including Third-party Install Files, Scripts, Firmware, Or Other Software) Are Flagged As Malicious, Infected, Or Suspicious By An Anti-virus Vendor. The Contractor Shall Not Upload (intentionally Or Negligently) Any Virus, Worm, Malware Or Any Harmful Or Malicious Content, Component And/or Corrupted Data/source Code (hereinafter Virus Or Other Malware) Onto Va Computer And Information Systems And/or Networks. If Introduced (and This Clause Is Violated), Upon Written Request From The Va Co, The Contractor Shall: Take All Necessary Action To Correct The Incident, To Include Any And All Assistance To Va To Eliminate The Virus Or Other Malware Throughout Va's Information Networks, Computer Systems And Information Systems; And Use Commercially Reasonable Efforts To Restore Operational Efficiency And Remediate Damages Due To Data Loss Or Data Integrity Damage, If The Virus Or Other Malware Causes A Loss Of Operational Efficiency, Data Loss, Or Damage To Data Integrity. Cryptographic Requirement. This Entire Section Applies Whenever The Acquisition Includes Section 6 Or 7 Is Included. The Contractor Shall Document How The Cryptographic System Supporting The Contractor's Products And/or Services Protect The Confidentiality, Data Integrity, Authentication And Non-repudiation Of Devices And Data Flows In The Underlying System. The Contractor Shall Use Only Approved Cryptographic Methods As Defined In Fips 140-2 (or Its Successor) And Nist 800-52 Standards When Enabling Encryption On Its Products. The Contractor Shall Provide Or Arrange For The Provision Of An Automated Remote Key-establishment Method Which Protects The Confidentiality And Integrity Of The Cryptographic Keys. The Contractor Shall Ensure Emergency Re-keying Of All Devices Can Be Remotely Performed Within 30 Business Days. 
The Contractor Shall Provide Or Arrange For The Provision Of A Method For Updating Cryptographic Primitives Or Algorithms. Patching Governance. This Entire Section Applies Whenever The Acquisition Includes Section 7 Is Included. The Contractor Shall Provide Documentation Detailing The Patch Management, Vulnerability Management, Mitigation And Update Processes (to Include Third-party) Prior To The Connection Of Electronic Devices, Assets Or Equipment To Va's Assets. This Documentation Will Include Information Regarding The Following: The Resources And Technical Capabilities To Sustain The Program Or Process (e.g., How The Integrity Of A Patch Is Validated By Va); And The Approach And Capability To Remediate Newly Reported Zero-day Vulnerabilities For Contractor Products. The Contractor Shall Verify And Provide Documentation All Procured Products (including Third-party Applications, Hardware, Software, Operating Systems, And Firmware) Have Appropriate Updates And Patches Installed Prior To Delivery To Va. The Contractor Shall Provide Or Arrange The Provision Of Appropriate Software And Firmware Updates To Remediate Newly Discovered Vulnerabilities Or Weaknesses For Their Products And Services Within 30 Days Of Discovery. Updates To Remediate Critical Or Emergent Vulnerabilities Will Be Provided Within Seven Business Days Of Discovery. If Updates Cannot Be Made Available By Contractor Within These Time Periods, The Contractor Shall Submit Mitigations, Methods Of Exploit Detection And/or Workarounds To The Cor/co Prior To The Above Deadlines. The Contractor Shall Provide Or Arrange For The Provision Of Appropriate Hardware, Software And/or Firmware Updates, When Those Products, Including Open-source Software, Are Provided To The Va, To Remediate Newly Discovered Vulnerabilities Or Weaknesses. 
Remediations Of Products Or Services Provided To The Va's System Environment Must Be Provided Within 30 Business Days Of Availability From The Original Supplier And/or Patching Source. Updates To Remediate Critical Vulnerabilities Applicable To The Contractor's Use Of The Third-party Product In Its System Environment Will Be Provided Within Seven Business Days Of Availability From The Original Supplier And/or Patching Source. If Applicable Third-party Updates Cannot Be Integrated, Tested And Made Available By Contractor Within These Time Periods, Mitigations And/or Workarounds Will Be Provided To The Cor/co Before The Above Deadlines. Specialized Devices/systems (medical Devices, Special Purpose Systems, Research Scientific Computing). This Entire Section Applies When The Acquisition Includes One Or More Medical Device, Special Purpose System Or Research Scientific Computing Device. If Appropriate, Ensure Selected Clauses From Section 6 Or 7 And 8 Through 12 Are Included. Contractor Supplies/delivered Medical Devices, Special Purpose Systems-operational Technology (sps-ot) And Research Scientific Computing Devices Shall Comply With All Applicable Federal Law, Regulations, And Va Policies. New Developments Require Creation, Testing, Evaluation, And Authorization In Compliance With Processes Specified On The Specialized Device Cybersecurity Department Enterprise Risk Management (sdcd-erm) Portal, Va Directive 6550, Pre-procurement Assessment And Implementation Of Medical Devices/systems, Va Handbook 6500, And The Va Information Security Knowledge Service. Deviations From Federal Law, Regulations, And Va Policy Are Identified And Documented As Part Of Va Directive 6550 And/or The Va Enterprise Risk Analysis (era) Processes For Specialized Devices/systems Processes. 
All Contractors And Third-party Service Providers Shall Address And/or Integrate Applicable Va Handbook 6500 And Information Security Knowledge Service Specifications In Delivered It Systems/solutions, Products And/or Services. If Systems/solutions, Products And/or Services Do Not Directly Match Va Security Requirements, The Contractor Shall Work Through The Cor/co For Governance Or Resolution. The Contractor Shall Certify To The Cor/co That Devices/systems That Have Completed The Va Enterprise Risk Analysis (era) Process For Specialized Devices/systems Are Fully Functional And Operate Correctly As Intended. Devices/systems Must Follow The Va Era Authorized Configuration Prior To Acquisition And Connection To The Va Computing Environment. If Va Determines A New Va Era Needs To Be Created, The Contractor Shall Provide Required Technical Support To Develop The Configuration Settings. Major Changes To A Previously Approved Device/system Will Require A New Era. The Contractor Shall Comply With All Practices Documented By The Food Drug And Administration (fda) Premarket Submission For Management Of Cybersecurity In Medical Devices And Postmarket Management Of Cybersecurity In Medical Devices. The Contractor Shall Design Devices Capable Of Accepting All Applicable Security Patches With Or Without The Support Of The Contractor Personnel. If Patching Can Only Be Completed By The Contractor, The Contractor Shall Commit The Resources Needed To Patch All Applicable Devices At All Va Locations. If Unique Patching Instructions Or Packaging Is Needed, The Contractor Shall Provide The Necessary Information In Conjunction With The Validation/testing Of The Patch. The Contractor Shall Apply Security Patches Within 30 Business Days Of The Patch Release And Have A Formal Tracking Process For Any Security Patches Not Implemented To Include Explanation When A Device Cannot Be Patched. 
The Contractor Shall Provide Devices Able To Install And Maintain Va-approved Antivirus Capabilities With The Capability To Quarantine Files And Be Updated As Needed In Response To Incidents. Alternatively, A Va-approved Whitelisting Application May Be Used When The Contractor Cannot Install An Anti-virus / Anti-malware Application. The Contractor Shall Verify And Document All Software Embedded Within The Device Does Not Contain Any Known Viruses Or Malware Before Delivery To Or Installation At A Va Location. Devices And Other Equipment Or Systems Containing Media (hard Drives, Optical Disks, Solid State, And Storage Via Chips/firmware) With Va Sensitive Information Will Be Returned To The Contractor With Media Removed. When The Contract Requires Return Of Equipment, The Options Available To The Contractor Are The Following: The Contractor Shall Accept The System Without The Drive, Firmware And Solid State. Va's Initial Device Purchase Includes A Spare Drive Or Other Replacement Media Which Must Be Installed In Place Of The Original Drive At Time Of Turn-in; Or Due To The Highly Specialized And Sometimes Proprietary Hardware And Software Associated With The Device, If It Is Not Possible For Va To Retain The Hard Drive, Firmware, And Solid State, Then: The Equipment Contractor Shall Have An Existing Baa If The Device Being Traded In Has Sensitive Information Stored On It And Hard Drive(s) From The System Are Being Returned Physically Intact. Any Fixed Hard Drive, Complementary Metal-oxide-semiconductor (cmos), Programmable Read-only Memory (prom), Solid State And Firmware On The Device Must Be Non-destructively Sanitized To The Greatest Extent Possible Without Negatively Impacting System Operation. Selective Clearing Down To Patient Data Folder Level Is Recommended Using Va Approved And Validated Overwriting Technologies/methods/tools. Applicable Media Sanitization Specifications Need To Be Pre-approved And Described In The Solicitation, Contract, Or Order. 
Data Center Provisions. This Entire Section Applies Whenever The Acquisition Requires An Interconnection To/from The Va Network To/from A Non-va Location. The Contractor Shall Ensure The Va Network Is Accessed In Accordance With Va Directive 6500 And Iam Security Processes Specified In The Va Information Security Knowledge Service. The Contractor Shall Ensure Network Infrastructure And Data Availability In Accordance With Va Information System Business Continuity Procedures Specified In The Va Information Security Knowledge Service. The Contractor Shall Ensure Any Connections To The Internet Or Other External Networks For Information Systems Occur Through Managed Interfaces Utilizing Va Approved Boundary Protection Devices (e.g., Internet Proxies, Gateways, Routers, Firewalls, Guards Or Encrypted Tunnels). The Contractor Shall Encrypt All Traffic Across The Segment Of The Wide Area Network (wan) It Manages And No Unencrypted Out Of Band (oob) Internet Protocol (ip) Traffic Will Traverse The Network. The Contractor Shall Ensure Tunnel Endpoints Are Routable Addresses At Each Va Operating Site. The Contractor Shall Secure Access From Local Area Networks (lans) At Co-located Sites In Accordance With Va Tic Reference Architecture, Va Directive And Handbook 6513, And Mou/isa Process Specified In The Va Information Security Knowledge Service.
Closing Date: 19 Feb 2025
Tender Amount: Refer Documents
VETERANS AFFAIRS, DEPARTMENT OF USA Tender
Others
United States
Details: This Sources Sought Notice Is For Planning Purposes Only And Shall Not Be Considered As An Invitation For Bid, Request For Quotation, Request For Proposal, Or As An Obligation On The Part Of The Government To Acquire Any Products And/or Services. Your Response To This Sources Sought Notice Will Be Treated As Information Only. No Entitlement To Payment Of Direct Or Indirect Costs Or Charges By The Government Will Arise Because Of Contractor Submission Of Responses To This Announcement Or The Government Use Of Such Information. This Request Does Not Constitute A Solicitation For Proposals Or The Authority To Enter Negotiations To Award A Contract. No Funds Have Been Authorized, Appropriated, Or Received For This Effort. The Information Provided May Be Used By The Department Of Veterans Affairs In Developing Its Acquisition Approach, Statement Of Work/statement Of Objectives And Performance Specifications. Interested Parties Are Responsible For Adequately Marking Proprietary Or Competition Sensitive Information Contained In Their Response. The Government Does Not Intend To Award A Contract Based On This Sources Sought Notice Or To Otherwise Pay For The Information Submitted In Response To This Sources Sought Notice. The Submission Of Pricing, Capabilities For Planning Purposes, And Other Market Information Is Highly Encouraged And Allowed Under This Sources Sought Notice In Accordance With (iaw) Far Part 15.201(e) The Purpose Of This Sources Sought Notice Announcement Is For Market Research To Make Appropriate Acquisition Decisions And To Gain Knowledge Of Potential Qualified Service-disabled Veteran Owned Small Businesses, Veteran Owned Small Businesses, 8(a), Hubzone And Other Small Businesses Interested And Capable Of Providing The Products And/or Services Described Below. 
Documentation Of Technical Expertise Must Be Presented In Sufficient Detail For The Government To Determine That Your Company Possesses The Necessary Functional Area Expertise And Experience To Compete For This Acquisition. Responses To This Notice Shall Include The Following: (a) Company Name; (b) Address; (c) Point Of Contact; (d) Phone, Fax, And Email; (e) Uei Number; (f) Cage Code; (g) Tax Id Number; (h) Type Of Small Business, E.g., Service-disabled Veteran Owned Small Business, Veteran Owned Small Business, 8(a), Hubzone, Women Owned Small Business, Small Disadvantaged Business, Or Small Business Hubzone Business, Etc.; (i) State If Your Business Has An Fss Contract With Gsa, Va Nac, Nasa Sewp, Or Any Other Federal Contract, That Can Be Utilized To Procure The Requirement Listed Below And Provide The Contract Number; And (j) Must Provide A Capability Statement That Addresses The Organization's Qualifications And Ability To Perform As A Contractor For The Work Described Below. Requirement: The Va Heartland Network 15 Contracting Office Located At 3450 South 4th Street, Leavenworth, Ks, 66048-5055 Is Seeking A Potential Qualified Contractor To Provide Scriptpro Eyecon 9430 Pill Dispensing System For The Marion Va Medical Center, Located In Marion, Illinois, And The Evansville Health Care Center, Located In Evansville, Indiana. This Is A Brand Name Or Equal Requirement. Please See The Statement Of Work For More Specifics And Details. The North American Industry Classification System Code (naics Code) Is 339112 Surgical And Medical Instrument Manufacturing, Size Standard 1,000 Employees. Based On This Information, Please Indicate Whether Your Company Would Be A Large Or Small Business And Have A Socio-economic Designation As A Small Business, Vosb Or Sdvosb. Important Information: The Government Is Not Obligated To, Nor Will It Pay For Or Reimburse Any Costs Associated With Responding To This Source Sought Synopsis Request.
This Notice Shall Not Be Construed As A Commitment By The Government To Issue A Solicitation Or Ultimately Award A Contract, Nor Does It Restrict The Government To An Acquisition Approach. The Government Will In No Way Be Bound To This Information If Any Solicitation Is Issued. Currently A Total Set-aside For Service-disabled Veteran Owned Small Business Firms Is Anticipated Based On The Veterans Administration Requirement With Public Law 109-461, Section 8127 Veterans Benefit Act. However, If Response By Service-disabled Veteran Owned Small Business Firms Proves Inadequate, An Alternate Set-aside Or Full And Open May Be Used. Responses To This Notice Shall Be Submitted Via Email To Erika Kobulnicky At Erika.kobulnicky@va.gov. Telephone Responses Will Not Be Accepted. Responses Must Be Received No Later Than Wednesday, February 19, 2025, At 10:00am Cst. If A Solicitation Is Issued It Shall Be Announced At A Later Date, And All Interested Parties Must Respond To That Solicitation Announcement Separately From The Responses To This Sources Sought. Responses To This Sources Sought Notice Are Not A Request To Be Added To A Prospective Bidders List Or To Receive A Copy Of The Solicit. Marion, Il Vamc And Ehcc Outpatient Clinic Statement Of Work: Scriptpro Eyecon Description Of Use: To Be Used At The Marion Va Medical Center Pharmacy And In The Evansville, In Outpatient Clinic This Solicitation Uses A Brand Name Or Equal Description Of The Product Required. This Permits Prospective Contractors To Offer Products Other Than Those Specifically Referenced By Brand Name. All Offers Must Work With Existing Equipment That Has Already Been Purchased And Is Currently In Use At The Station. 
Minimum Technical Specifications: The Scriptpro Dispensing System Must Also Be Assembled Within The Manufactured Country Or Show Significant Proof Of An Internationally Recognized Quality Assurance Program Certificate Of Authenticity Will Need To Be Provided The Dispensing System Must Have The Following: Safety Must Use Barcode Verification To Ensure Accuracy Of Dispensing And Must Work With Scriptpro Label Barcode Unit Must Have Means To Track Dispensed Drug Quantities And Contain Image Verification Of Quantities Dispensed. Must Come Equipped With Database Of Drug Images For Dispensing Verification. Must Include Additional Counting Platters For Penicillin And Sulfa To Avoid Cross Contamination. Workflow Must Allow For Integration With Scriptpro/vista To Verify Correct Dispensing Quantities. Must Fit In Existing Space With A Footprint Of 28 H X 11 W X 17.5 D. Must Count With A Count Accuracy Of At Least 99.9%. Verification Should Include Easy Work Flow Optics Such As Color Touch Screen. Must Include Large Counting Area Of 48 Sq Inches For Larger Quantity Verification. Information Technology Must Integrate With Current Equipment, Including Scriptpro Dispensing/filling Stations Must Interface With Vista, Ups Worldship, And Usps Sendsuite System Platforms. All Equipment Must Be New Description Quantity Sp Eyecon 9430 2 Optional/value Added Features: N/a Required Interfaces: Must Interface With Current Sp Equipment. Must Also Interface With Vista/cprs. Delivery Location(s): Department Of Veterans Affairs Marion Va Medical Center 2401 West Main Street Marion, Il 62959-1188 Department Of Veterans Affairs Evansville Va Healthcare Center 6211 E Waterford Blvd Evansville, In 47715 Records Management Obligations Applicability This Clause Applies To All Contractors Whose Employees Create, Work With, Or Otherwise Handle Federal Records, As Defined In Section B, Regardless Of The Medium In Which The Record Exists. Definitions Federal Record As Defined In 44 U.s.c.
§ 3301, Includes All Recorded Information, Regardless Of Form Or Characteristics, Made Or Received By A Federal Agency Under Federal Law Or In Connection With The Transaction Of Public Business And Preserved Or Appropriate For Preservation By That Agency Or Its Legitimate Successor As Evidence Of The Organization, Functions, Policies, Decisions, Procedures, Operations, Or Other Activities Of The United States Government Or Because Of The Informational Value Of Data In Them. The Term Federal Record: Includes [agency] Records. Does Not Include Personal Materials. Applies To Records Created, Received, Or Maintained By Contractors Pursuant To Their [agency] Contract. May Include Deliverables And Documentation Associated With Deliverables. Requirements Contractor Shall Comply With All Applicable Records Management Laws And Regulations, As Well As National Archives And Records Administration (nara) Records Policies, Including But Not Limited To The Federal Records Act (44 U.s.c. Chs. 21, 29, 31, 33), Nara Regulations At 36 Cfr Chapter Xii Subchapter B, And Those Policies Associated With The Safeguarding Of Records Covered By The Privacy Act Of 1974 (5 U.s.c. 552a). These Policies Include The Preservation Of All Records, Regardless Of Form Or Characteristics, Mode Of Transmission, Or State Of Completion. In Accordance With 36 Cfr 1222.32, All Data Created For Government Use And Delivered To, Or Falling Under The Legal Control Of, The Government Are Federal Records Subject To The Provisions Of 44 U.s.c. Chapters 21, 29, 31, And 33, The Freedom Of Information Act (foia) (5 U.s.c. 552), As Amended, And The Privacy Act Of 1974 (5 U.s.c.
552a), As Amended And Must Be Managed And Scheduled For Disposition Only As Permitted By Statute Or Regulation. In Accordance With 36 Cfr 1222.32, Contractor Shall Maintain All Records Created For Government Use Or Created In The Course Of Performing The Contract And/or Delivered To, Or Under The Legal Control Of The Government And Must Be Managed In Accordance With Federal Law. Electronic Records And Associated Metadata Must Be Accompanied By Sufficient Technical Documentation To Permit Understanding And Use Of The Records And Data. [agency] And Its Contractors Are Responsible For Preventing The Alienation Or Unauthorized Destruction Of Records, Including All Forms Of Mutilation. Records May Not Be Removed From The Legal Custody Of [agency] Or Destroyed Except For In Accordance With The Provisions Of The Agency Records Schedules And With The Written Concurrence Of The Head Of The Contracting Activity. Willful And Unlawful Destruction, Damage Or Alienation Of Federal Records Is Subject To The Fines And Penalties Imposed By 18 U.s.c. 2701. In The Event Of Any Unlawful Or Accidental Removal, Defacing, Alteration, Or Destruction Of Records, Contractor Must Report To [agency]. The Agency Must Report Promptly To Nara In Accordance With 36 Cfr 1230. The Contractor Shall Immediately Notify The Appropriate Contracting Officer Upon Discovery Of Any Inadvertent Or Unauthorized Disclosures Of Information, Data, Documentary Materials, Records, Or Equipment. Disclosure Of Non-public Information Is Limited To Authorized Personnel With A Need-to-know As Described In The [contract Vehicle]. The Contractor Shall Ensure That The Appropriate Personnel, Administrative, Technical, And Physical Safeguards Are Established To Ensure The Security And Confidentiality Of This Information, Data, Documentary Material, Records And/or Equipment Is Properly Protected.
The Contractor Shall Not Remove Material From Government Facilities Or Systems, Or Facilities Or Systems Operated Or Maintained On The Government's Behalf, Without The Express Written Permission Of The Head Of The Contracting Activity. When Information, Data, Documentary Material, Records And/or Equipment Is No Longer Required, It Shall Be Returned To [agency] Control Or The Contractor Must Hold It Until Otherwise Directed. Items Returned To The Government Shall Be Hand Carried, Mailed, Emailed, Or Securely Electronically Transmitted To The Contracting Officer Or Address Prescribed In The [contract Vehicle]. Destruction Of Records Is Expressly Prohibited Unless In Accordance With Paragraph (4). The Contractor Is Required To Obtain The Contracting Officer's Approval Prior To Engaging In Any Contractual Relationship (sub-contractor) In Support Of This Contract Requiring The Disclosure Of Information, Documentary Material And/or Records Generated Under, Or Relating To, Contracts. The Contractor (and Any Sub-contractor) Is Required To Abide By Government And [agency] Guidance For Protecting Sensitive, Proprietary Information, Classified, And Controlled Unclassified Information. The Contractor Shall Only Use Government It Equipment For Purposes Specifically Tied To Or Authorized By The Contract And In Accordance With [agency] Policy. The Contractor Shall Not Create Or Maintain Any Records Containing Any Non-public [agency] Information That Are Not Specifically Tied To Or Authorized By The Contract. The Contractor Shall Not Retain, Use, Sell, Or Disseminate Copies Of Any Deliverable That Contains Information Covered By The Privacy Act Of 1974 Or That Which Is Generally Protected From Public Disclosure By An Exemption To The Freedom Of Information Act. The [agency] Owns The Rights To All Data And Records Produced As Part Of This Contract. All Deliverables Under The Contract Are The Property Of The U.s.
Government For Which [agency] Shall Have Unlimited Rights To Use, Dispose Of, Or Disclose Such Data Contained Therein As It Determines To Be In The Public Interest. Any Contractor Rights In The Data Or Deliverables Must Be Identified As Required By Far 52.227-11 Through Far 52.227-20. Training. All Contractor Employees Assigned To This Contract Who Create, Work With, Or Otherwise Handle Records Are Required To Take [agency]-provided Records Management Training. The Contractor Is Responsible For Confirming Training Has Been Completed According To Agency Policies, Including Initial Training And Any Annual Or Refresher Training. [note: To The Extent An Agency Requires Contractors To Complete Records Management Training, The Agency Must Provide The Training To The Contractor.] Flow Down Of Requirements To Subcontractors The Contractor Shall Incorporate The Substance Of This Clause, Its Terms And Requirements Including This Paragraph, In All Subcontracts Under This [contract Vehicle], And Require Written Subcontractor Acknowledgment Of Same. Violation By A Subcontractor Of Any Provision Set Forth In This Clause Will Be Attributed To The Contractor. General. This Entire Section Applies To All Acquisitions Requiring Any Information Security And Privacy Language. Contractors, Contractor Personnel, Subcontractors And Subcontractor Personnel Will Be Subject To The Same Federal Laws, Regulations, Standards, Va Directives And Handbooks, As Va Personnel Regarding Information And Information System Security And Privacy. Va Information Custodial Language. This Entire Section Applies To All Acquisitions Requiring Any Information Security And Privacy Language. The Government Shall Receive Unlimited Rights To Data/intellectual Property First Produced And Delivered In The Performance Of This Contract Or Order (hereinafter Contract) Unless Expressly Stated Otherwise In This Contract. This Includes All Rights To Source Code And All Documentation Created In Support Thereof.
The Primary Clause Used To Define Government And Contractor Data Rights Is Far 52.227-14 Rights In Data General. The Primary Clause Used To Define Computer Software License (not Data/intellectual Property First Produced Under This Contractor Or Order) Is Far 52.227-19, Commercial Computer Software License. Information Made Available To The Contractor By Va For The Performance Or Administration Of This Contract Will Be Used Only For The Purposes Specified In The Service Agreement, Sow, Pws, Pd, And/or Contract. The Contractor Shall Not Use Va Information In Any Other Manner Without Prior Written Approval From A Va Contracting Officer (co). The Primary Clause Used To Define Government And Contractor Data Rights Is Far 52.227-14 Rights In Data General. Va Information Will Not Be Co-mingled With Any Other Data On The Contractor's Information Systems Or Media Storage Systems. The Contractor Shall Ensure Compliance With Federal And Va Requirements Related To Data Protection, Data Encryption, Physical Data Segregation, Logical Data Segregation, Classification Requirements And Media Sanitization. Va Reserves The Right To Conduct Scheduled Or Unscheduled Audits, Assessments, Or Investigations Of Contractor Information Technology (it) Resources To Ensure Information Security Is Compliant With Federal And Va Requirements. The Contractor Shall Provide All Necessary Access To Records (including Electronic And Documentary Materials Related To The Contracts And Subcontracts) And Support (including Access To Contractor And Subcontractor Staff Associated With The Contract) To Va, Va's Office Inspector General (oig), And/or Government Accountability Office (gao) Staff During Periodic Control Assessments, Audits, Or Investigations. The Contractor May Only Use Va Information Within The Terms Of The Contract And Applicable Federal Law, Regulations, And Va Policies.
If New Federal Information Security Laws, Regulations Or Va Policies Become Applicable After Execution Of The Contract, The Parties Agree To Negotiate Contract Modification And Adjustment Necessary To Implement The New Laws, Regulations, And/or Policies. The Contractor Shall Not Make Copies Of Va Information Except As Specifically Authorized And Necessary To Perform The Terms Of The Contract. If Copies Are Made For Restoration Purposes, After The Restoration Is Complete, The Copies Shall Be Destroyed In Accordance With Va Directive 6500, Va Cybersecurity Program And Va Information Security Knowledge Service. If A Veterans Health Administration (vha) Contract Is Terminated For Default Or Cause With A Business Associate, The Related Local Business Associate Agreement (baa) Shall Also Be Terminated And Actions Taken In Accordance With Vha Directive 1605.05, Business Associate Agreements. If There Is An Executed National Baa Associated With The Contract, Va Will Determine What Actions Are Appropriate And Notify The Contractor. The Contractor Shall Store And Transmit Va Sensitive Information In An Encrypted Form, Using Va-approved Encryption Tools Which Are, At A Minimum, Federal Information Processing Standards (fips) 140-2, Security Requirements For Cryptographic Modules (or Its Successor) Validated And In Conformance With Va Information Security Knowledge Service Requirements. The Contractor Shall Transmit Va Sensitive Information Using Va Approved Transport Layer Security (tls) Configured With Fips Based Cipher Suites In Conformance With National Institute Of Standards And Technology (nist) 800-52, Guidelines For The Selection, Configuration And Use Of Transport Layer Security (tls) Implementations. The Contractor's Firewall And Web Services Security Controls, As Applicable, Shall Meet Or Exceed Va's Minimum Requirements.
Except For Uses And Disclosures Of Va Information Authorized By This Contract For Performance Of The Contract, The Contractor May Use And Disclose Va Information Only In Two Situations: (i) In Response To A Qualifying Order Of A Court Of Competent Jurisdiction After Notification To Va Co; (ii) With Written Approval From The Va Co. The Contractor Shall Refer All Requests For, Demands For Production Of Or Inquiries About, Va Information And Information Systems To The Va Co For Response. Notwithstanding The Provision Above, The Contractor Shall Not Release Va Records Protected By Title 38 U.s.c. § 5705, Confidentiality Of Medical Quality-assurance Records And/or Title 38 U.s.c. § 7332, Confidentiality Of Certain Medical Records Pertaining To Drug Addiction, Sickle Cell Anemia, Alcoholism Or Alcohol Abuse Or Infection With Human Immunodeficiency Virus (hiv). If The Contractor Is In Receipt Of A Court Order Or Other Requests For The Above-mentioned Information, The Contractor Shall Immediately Refer Such Court Order Or Other Requests To The Va Co For Response. Information Made Available To The Contractor By Va For The Performance Or Administration Of This Contract Or Information Developed By The Contractor In Performance Or Administration Of The Contract Will Be Protected And Secured In Accordance With Va Directive 6500 And Identity And Access Management (iam) Security Processes Specified In The Va Information Security Knowledge Service. Any Data Destruction Done On Behalf Of Va By A Contractor Shall Be Done In Accordance With National Archives And Records Administration (nara) Requirements As Outlined In Va Directive 6300, Records And Information Management, Va Handbook 6300.1, Records Management Procedures, And Applicable Va Records Control Schedules. The Contractor Shall Provide Its Plan For Destruction Of All Va Data In Its Possession According To Va Directive 6500 And Nist 800-88, Guidelines For Media Sanitization Prior To Termination Or Completion Of This Contract.
If Directed By The Cor/co, The Contractor Shall Return All Federal Records To Va For Disposition. Any Media, Such As Paper, Magnetic Tape, Magnetic Disks, Solid State Devices Or Optical Discs That Is Used To Store, Process, Or Access Va Information That Cannot Be Destroyed Shall Be Returned To Va. The Contractor Shall Hold The Appropriate Material Until Otherwise Directed By The Contracting Officer's Representative (cor) Or Co. Items Shall Be Returned Securely Via Va-approved Methods. Va Sensitive Information Must Be Transmitted Utilizing Va-approved Encryption Tools Which Are Validated Under Fips 140-2 (or Its Successor) And Nist 800-52. If Mailed, The Contractor Shall Send Via A Trackable Method (usps, Ups, Fedex, Etc.) And Immediately Provide The Cor/co With The Tracking Information. Self-certification By The Contractor That The Data Destruction Requirements Above Have Been Met Shall Be Sent To The Cor/co Within 30 Business Days Of Termination Of The Contract. All Electronic Storage Media (hard Drives, Optical Disks, Cds, Back-up Tapes, Etc.) Used To Store, Process Or Access Va Information Will Not Be Returned To The Contractor At The End Of Lease, Loan, Or Trade-in. Exceptions To This Paragraph Will Only Be Granted With The Written Approval Of The Va Co. Access To Va Information And Va Information Systems. This Section Applies When Any Person Requires Access To Information Made Available To The Contractor By Va For The Performance Or Administration Of This Contract Or Information Developed By The Contractor In Performance Or Administration Of The Contract. A Contractor/subcontractor Shall Request Logical (technical) Or Physical Access To Va Information And Va Information Systems For Their Employees And Subcontractors Only To The Extent Necessary To Perform The Services Specified In The Solicitation Or Contract. This Includes Indirect Entities, Both Affiliate Of Contractor/subcontractor And Agent Of Contractor/subcontractor.
Contractors And Subcontractors Shall Sign The Va Information Security Rule Of Behavior (rob) Before Access Is Provided To Va Information And Information Systems (see Section 4, Training, Below). The Rob Contains The Minimum User Compliance Requirements And Does Not Supersede Any Policies Of Va Facilities Or Other Agency Components Which Provide Higher Levels Of Protection To Va's Information Or Information Systems. Users Who Require Privileged Access Shall Complete The Va Elevated Privilege Access Request Processes Before Privileged Access Is Granted. All Contractors And Subcontractors Working With Va Information Are Subject To The Same Security Investigative And Clearance Requirements As Those Of Va Appointees Or Employees Who Have Access To The Same Types Of Information. The Level And Process Of Background Security Investigations For Contractors Shall Be In Accordance With Va Directive And Handbook 0710, Personnel Suitability And Security Program. The Office Of Human Resources And Administration/operations, Security And Preparedness (hra/osp) Is Responsible For These Policies And Procedures. Contract Personnel Who Require Access To Classified Information Or Information Systems Shall Have An Appropriate Security Clearance. Verification Of A Security Clearance Shall Be Processed Through The Special Security Officer Located In Hra/osp. Contractors Shall Conform To All Requirements Stated In The National Industrial Security Program Operating Manual (nispom). All Contractors And Subcontractors Shall Comply With Conditions Specified In Vaar 852.204-71(d); Contractor Operations Required To Be In United States. All Contractors And Subcontractors Working With Va Information Must Be Permanently Located Within A Jurisdiction Subject To The Law Of The United States Or Its Territories To The Maximum Extent Feasible. If Services Are Proposed To Be Performed Abroad The Contractor Must State Where All Non-u.s. Services Are Provided.
The Contractor Shall Deliver To Va A Detailed Plan Specifically Addressing Communications, Personnel Control, Data Protection And Potential Legal Issues. The Plan Shall Be Approved By The Cor/co In Writing Prior To Access Being Granted. The Contractor Shall Notify The Cor/co In Writing Immediately (no Later Than 24 Hours) After Personnel Separation Or Occurrence Of Other Causes. Causes May Include The Following: Contractor/subcontractor Personnel No Longer Has A Need For Access To Va Information Or Va Information Systems. Contractor/subcontractor Personnel Are Terminated, Suspended, Or Otherwise Has Their Work On A Va Project Discontinued For Any Reason. Contractor Believes Their Own Personnel Or Subcontractor Personnel May Pose A Threat To Their Company's Working Environment Or To Any Company-owned Property. This Includes Contractor-owned Assets, Buildings, Confidential Data, Customers, Employees, Networks, Systems, Trade Secrets And/or Va Data. Any Previously Undisclosed Changes To Contractor/subcontractor Background History Are Brought To Light, Including But Not Limited To Changes To Background Investigation Or Employee Record. Contractor/subcontractor Personnel Have Their Authorization To Work In The United States Revoked. Agreement By Which Contractor Provides Products And Services To Va Has Either Been Fulfilled Or Terminated, Such That Va Can Cut Off Electronic And/or Physical Access For Contractor Personnel. In Such Cases Of Contract Fulfillment, Termination, Or Other Causes; The Contractor Shall Take The Necessary Measures To Immediately Revoke Access To Va Network, Property, Information, And Information Systems (logical And Physical) By Contractor/subcontractor Personnel. These Measures Include (but Are Not Limited To): Removing And Then Securing Personal Identity Verification (piv) Badges And Piv Interoperable (piv-i) Access Badges, Va-issued Photo Badges, Credentials For Va Facilities And Devices, Va-issued Laptops, And Authentication Tokens.
Contractors Shall Notify The Appropriate Va Cor/co Immediately To Initiate Access Removal. Contractors/subcontractors Who No Longer Require Va Accesses Will Return Va-issued Property To Va. This Property Includes (but Is Not Limited To): Documents, Electronic Equipment, Keys, And Parking Passes. Piv And Piv-i Access Badges Shall Be Returned To The Nearest Va Piv Badge Issuance Office. Once They Have Had Access To Va Information, Information Systems, Networks And Va Property In Their Possessions Removed, Contractors Shall Notify The Appropriate Va Cor/co. Training. This Entire Section Applies To All Acquisitions Which Include Section 3. All Contractors And Subcontractors Requiring Access To Va Information And Va Information Systems Shall Successfully Complete The Following Before Being Granted Access To Va Information And Its Systems: Va Privacy And Information Security Awareness And Rules Of Behavior Course (talent Management System (tms) #10176) Initially And Annually Thereafter. Sign And Acknowledge (electronically Through Tms #10176) Understanding Of And Responsibilities For Compliance With The Organizational Rules Of Behavior, Relating To Access To Va Information And Information Systems Initially And Annually Thereafter; And Successfully Complete Any Additional Cyber Security Or Privacy Training, As Required For Va Personnel With Equivalent Information System Or Information Access [to Be Defined By The Va Program Official And Provided To The Va Co For Inclusion In The Solicitation Document I.e., Any Role-based Information Security Training]. The Contractor Shall Provide To The Cor/co A Copy Of The Training Certificates And Certification Of Signing The Organizational Rules Of Behavior For Each Applicable Employee Within Five Days Of The Initiation Of The Contract And Annually Thereafter, As Required.
Failure To Complete The Mandatory Annual Training Is Grounds For Suspension Or Termination Of All Physical Or Electronic Access Privileges And Removal From Work On The Contract Until Such Time As The Required Training Is Complete. Security Incident Investigation. This Entire Section Applies To All Acquisitions Requiring Any Information Security And Privacy Language. The Contractor, Subcontractor, Their Employees, Or Business Associates Shall Immediately (within One Hour) Report Suspected Security / Privacy Incidents To The Va Oit's Enterprise Service Desk (esd) By Calling (855) 673-4357 (tty: 711). The Esd Is Oit's 24/7/365 Single Point Of Contact For It-related Issues. After Reporting To The Esd, The Contractor, Subcontractor, Their Employees, Or Business Associates Shall, Within One Hour, Provide The Cor/co The Incident Number Received From The Esd. To The Extent Known By The Contractor/subcontractor, The Contractor/subcontractor's Notice To Va Shall Identify The Information Involved And The Circumstances Surrounding The Incident, Including The Following: The Date And Time (or Approximation Of) The Security Incident Occurred. The Names Of Individuals Involved (when Applicable). The Physical And Logical (if Applicable) Location Of The Incident. Why The Security Incident Took Place (i.e., Catalyst For The Failure). The Amount Of Data Belonging To Va Believed To Have Been Compromised. The Remediation Measures The Contractor Is Taking To Ensure No Future Incidents Of A Similar Nature. After The Contractor Has Provided The Initial Detailed Incident Summary To Va, They Will Continue To Provide Written Updates On Any New And Relevant Circumstances Or Facts They Discover. The Contractor, Subcontractor, And Their Employees Shall Fully Cooperate With Va Or Third-party Entity Performing An Independent Risk Analysis On Behalf Of Va. Failure To Cooperate May Be Deemed A Material Breach And Grounds For Contract Termination.
Va It Contractors Shall Follow Va Handbook 6500, Risk Management Framework For Va Information Systems Va Information Security Program, And Va Information Security Knowledge Service Guidance For Implementing An Incident Response Plan Or Integrating With An Existing Va Implementation. In Instances Of Theft Or Break-in Or Other Criminal Activity, The Contractor/subcontractor Must Concurrently Report The Incident To The Appropriate Law Enforcement Entity (or Entities) Of Jurisdiction, Including The Va Oig, And The Va Office Of Security And Law Enforcement. The Contractor, Its Employees, And Its Subcontractors And Their Employees Shall Cooperate With Va And Any Law Enforcement Authority Responsible For The Investigation And Prosecution Of Any Possible Criminal Law Violation(s) Associated With Any Incident. The Contractor/subcontractor Shall Cooperate With Va In Any Civil Litigation To Recover Va Information, Obtain Monetary Or Other Compensation From A Third Party For Damages Arising From Any Incident, Or Obtain Injunctive Relief Against Any Third Party Arising From, Or Related To, The Incident. The Contractor Shall Comply With Va Handbook 6500.2, Management Of Breaches Involving Sensitive Personal Information, Which Establishes The Breach Management Policies And Assigns Responsibilities For The Oversight, Management And Reporting Procedures Associated With Managing Of Breaches. With Respect To Unsecured Protected Health Information (phi), The Contractor Is Deemed To Have Discovered A Data Breach When The Contractor Knew Or Should Have Known Of Breach Of Such Information. When A Business Associate Is Part Of Vha Contract, Notification To The Covered Entity (vha) Shall Be Made In Accordance With The Executed Baa. 
If The Contractor Or Any Of Its Agents Fails To Protect Va Sensitive Personal Information Or Otherwise Engages In Conduct Which Results In A Data Breach Involving Any Va Sensitive Personal Information The Contractor/subcontractor Processes Or Maintains Under The Contract; The Contractor Shall Pay Liquidated Damages To The Va As Set Forth In Clause 852.211-76, Liquidated Damages Reimbursement For Data Breach Costs. Information System Design And Development. This Entire Section Applies To Information Systems, Systems, Major Applications, Minor Applications, Enclaves, And Platform Information Technologies (to Include The Subcomponents Of Each) Designed Or Developed For Or On Behalf Of Va By Any Non-va Entity. Information Systems Designed Or Developed On Behalf Of Va At Non-va Facilities Shall Comply With All Applicable Federal Law, Regulations, And Va Policies. This Includes Standards For The Protection Of Electronic Protected Health Information (phi), Outlined In 45 C.f.r. Part 164, Subpart C And Information And System Security Categorization Level Designations In Accordance With Fips 199, Standards For Security Categorization Of Federal Information And Information Systems And Fips 200, Minimum Security Requirements For Federal Information Systems. Baseline Security Controls Shall Be Implemented Commensurate With The Fips 199 System Security Categorization (reference Va Handbook 6500 And Va Trusted Internet Connections (tic) Architecture). Contracted New Developments Require Creation, Testing, Evaluation, And Authorization In Compliance With Va Assessment And Authorization (a&a) Processes In Va Handbook 6500 And Va Information Security Knowledge Service To Obtain An Authority To Operate (ato). Va Directive 6517, Risk Management Framework For Cloud Computing Services, Provides The Security And Privacy Requirements For Cloud Environments. 
Va It Contractors, Subcontractors And Third-party Service Providers Shall Address And/or Integrate Applicable Va Handbook 6500, Va Handbook 6517, Risk Management Framework For Cloud Computing Services And Information Security Knowledge Service Specifications In Delivered It Systems/solutions, Products And/or Services. If Systems/solutions, Products And/or Services Do Not Directly Match Va Security Requirements, The Contractor Shall Work Through The Cor/co To Identify The Va Organization Responsible For Governance Or Resolution. Contractors Shall Comply With Far 39.1, Specifically The Prohibitions Referenced. The Contractor (including Producers And Resellers) Shall Comply With Office Of Management And Budget (omb) M-22-18 And M-23-16 When Using Third-party Software On Va Information Systems Or Otherwise Affecting The Va Information. This Includes New Software Purchases And Software Renewals For Software Developed Or Modified By Major Version Change After The Issuance Date Of M-22-18 (september 14, 2022). The Term Software Includes Firmware, Operating Systems, Applications And Application Services (e.g., Cloud-based Software), As Well As Products Containing Software. The Contractor Shall Provide A Self-attestation That Secure Software Development Practices Are Utilized As Outlined By Executive Order (eo) 14028 And Nist Guidance. A Third-party Assessment Provided By Either A Certified Federal Risk And Authorization Management Program (fedramp) Third Party Assessor Organization (3pao) Or One Approved By The Agency Will Be Acceptable In Lieu Of A Software Producer's Self-attestation.
The Contractor Shall Ensure All Delivered Applications, Systems And Information Systems Are Compliant With Homeland Security Presidential Directive (hspd) 12 And Va Identity And Access Management (iam) Enterprise Identity Management Requirements As Set Forth In Omb M-19-17, M-05-24, Fips 201-3, Personal Identity Verification (piv) Of Federal Employees And Contractors (or Its Successor), M-21-31 And Supporting Nist Guidance. This Applies To Commercial Off-the-shelf (cots) Product(s) That The Contractor Did Not Develop, All Software Configurations And All Customizations. The Contractor Shall Ensure All Contractor Delivered Applications And Systems Provide User Authentication Services Compliant With Va Handbook 6500, Va Information Security Knowledge Service, Iam Enterprise Requirements And Nist 800-63, Digital Identity Guidelines, For Direct, Assertion-based Authentication And/or Trust-based Authentication, As Determined By The Design And Integration Patterns. Direct Authentication At A Minimum Must Include Public Key Infrastructure (pki) Based Authentication Supportive Of Piv And/or Common Access Card (cac), As Determined By The Business Need And Compliance With Va Information Security Knowledge Service Specifications. The Contractor Shall Use Va Authorized Technical Security Baseline Configurations And Certify To The Cor That Applications Are Fully Functional And Operate Correctly As Intended On Systems In Compliance With Va Baselines Prior To Acceptance Or Connection Into An Authorized Va Computing Environment. If The Defense Information Systems Agency (disa) Has Created A Security Technical Implementation Guide (stig) For The Technology, The Contractor May Configure To Comply With That Stig. If Va Determines A New Or Updated Va Configuration Baseline Needs To Be Created, The Contractor Shall Provide Required Technical Support To Develop The Configuration Settings. 
Far 39.1 Requires The Population Of Operating Systems And Applications Includes All Listed On The Nist National Checklist Program Checklist Repository. The Standard Installation, Operation, Maintenance, Updating And Patching Of Software Shall Not Alter The Configuration Settings From Va Approved Baseline Configuration. Software Developed For Va Must Be Compatible With Va Enterprise Installer Services And Install To The Default Program Files Directory With Silent Install And Uninstall. The Contractor Shall Perform Testing Of All Updates And Patching Prior To Implementation On Va Systems. Applications Designed For Normal End Users Will Run In The Standard User Context Without Elevated System Administration Privileges. The Contractor-delivered Solutions Shall Reside On Va Approved Operating Systems. Exceptions To This Will Only Be Granted With The Written Approval Of The Cor/co. The Contractor Shall Design, Develop, And Implement Security And Privacy Controls In Accordance With The Provisions Of Va Security System Development Life Cycle Outlined In Nist 800-37, Risk Management Framework For Information Systems And Organizations: A System Life Cycle Approach For Security And Privacy, Va Directive And Handbook 6500, And Va Handbook 6517. The Contractor Shall Comply With The Privacy Act Of 1974 (the Act), Far 52.224-2 Privacy Act, And Va Rules And Regulations Issued Under The Act In The Design, Development, Or Operation Of Any System Of Records On Individuals To Accomplish A Va Function. The Contractor Shall Ensure The Security Of All Procured Or Developed Information Systems, Systems, Major Applications, Minor Applications, Enclaves And Platform Information Technologies, Including Their Subcomponents (hereinafter Referred To As "Information Systems") Throughout The Life Of This Contract And Any Extension, Warranty, Or Maintenance Periods.
This Includes Security Configurations, Workarounds, Patches, Hotfixes, Upgrades, Replacements And Any Physical Components Which May Be Necessary To Remediate All Security Vulnerabilities Published Or Known To The Contractor Anywhere In The Information Systems (including Systems, Operating Systems, Products, Hardware, Software, Applications And Firmware). The Contractor Shall Ensure Security Fixes Do Not Negatively Impact The Information Systems. When The Contractor Is Responsible For Operations Or Maintenance Of The Systems, The Contractor Shall Apply The Security Fixes Within The Timeframe Specified By The Associated Controls On The Va Information Security Knowledge Service. When Security Fixes Involve Installing Third Party Patches (such As Microsoft Os Patches Or Adobe Acrobat), The Contractor Shall Provide Written Notice To The Va Cor/co That The Patch Has Been Validated As To Not Affecting The Systems Within 10 Business Days. Information System Hosting, Operation, Maintenance Or Use. This Entire Section Applies To Information Systems, Systems, Major Applications, Minor Applications, Enclaves, And Platform Information Technologies (cloud And Non-cloud) Hosted, Operated, Maintained, Or Used On Behalf Of Va At Non-va Facilities. The Contractor Shall Comply With All Federal Laws, Regulations, And Va Policies For Information Systems (cloud And Non-cloud) That Are Hosted, Operated, Maintained, Or Used On Behalf Of Va At Non-va Facilities. Security Controls For Collecting, Processing, Transmitting, And Storing Of Va Sensitive Information, Must Be In Place. The Controls Will Be Tested By Va Or A Va Sanctioned 3pao And Approved By Va Prior To Hosting, Operation, Maintenance Or Use Of The Information System Or Systems By Or On Behalf Of Va.
This Includes Conducting Compliance Risk Assessments, Security Architecture Analysis, Routine Vulnerability Scanning, System Patching, Change Management Procedures And The Completion Of An Acceptable Contingency Plan For Each System. The Contractor's Security Control Procedures Shall Be The Same As Procedures Used To Secure Va-operated Information Systems. Outsourcing (contractor Facility, Equipment, Or Staff) Of Systems Or Network Operations, Telecommunications Services Or Other Managed Services Requires Assessment And Authorization (a&a) Of The Contractor's Systems In Accordance With Va Handbook 6500 As Specified In Va Information Security Knowledge Service. Major Changes To The A&a Package May Require Reviewing And Updating All The Documentation Associated With The Change. The Contractor's Cloud Computing Systems Shall Comply With Fedramp And Va Directive 6517 Requirements. The Contractor Shall Return All Electronic Storage Media (hard Drives, Optical Disks, Cds, Back-up Tapes, Etc.) On Non-va Leased Or Non-va Owned It Equipment Used To Store, Process Or Access Va Information To Va In Accordance With A&a Package Requirements. This Applies When The Contract Is Terminated Or Completed And Prior To Disposal Of Media. The Contractor Shall Provide Its Plan For Destruction Of All Va Data In Its Possession According To Va Information Security Knowledge Service Requirements And Nist 800-88. The Contractor Shall Send A Self-certification That The Data Destruction Requirements Above Have Been Met To The Cor/co Within 30 Business Days Of Termination Of The Contract. All External Internet Connections To Va Network Involving Va Information Must Be In Accordance With Va Trusted Internet Connection (tic) Reference Architecture And Va Directive And Handbook 6513, Secure External Connections And Reviewed And Approved By Va Prior To Implementation.
Government-owned Contractor-operated Systems, Third Party Or Business Partner Networks Require A Memorandum Of Understanding (mou) And Interconnection Security Agreements (isa). Contractor Procedures Shall Be Subject To Periodic, Announced, Or Unannounced Assessments By Va Officials, The Oig Or A 3pao. The Physical Security Aspects Associated With Contractor Activities Are Also Subject To Such Assessments. The Contractor Shall Report, In Writing, Any Deficiencies Noted During The Above Assessment To The Va Cor/co. The Contractor Shall Use Va's Defined Processes To Document Planned Remedial Actions That Address Identified Deficiencies In Information Security Policies, Procedures, And Practices. The Contractor Shall Correct Security Deficiencies Within The Timeframes Specified In The Va Information Security Knowledge Service. All Major Information System Changes Which Occur In The Production Environment Shall Be Reviewed By The Va To Determine The Impact On Privacy And Security Of The System. Based On The Review Results, Updates To The Authority To Operate (ato) Documentation And Parameters May Be Required To Remain In Compliance With Va Handbook 6500 And Va Information Security Knowledge Service Requirements. The Contractor Shall Conduct An Annual Privacy And Security Self-assessment On All Information Systems And Outsourced Services As Required. Copies Of The Assessment Shall Be Provided To The Cor/co. The Va/government Reserves The Right To Conduct Assessment Using Government Personnel Or A Third-party If Deemed Necessary. The Contractor Shall Correct Or Mitigate Any Weaknesses Discovered During The Assessment. Va Prohibits The Installation And Use Of Personally Owned Or Contractor-owned Equipment Or Software On Va Information Systems. If Non-va Owned Equipment Must Be Used To Fulfill The Requirements Of A Contract, It Must Be Stated In The Service Agreement, Sow, Pws, Pd Or Contract.
All Security Controls Required For Government Furnished Equipment Must Be Utilized In Va Approved Other Equipment (oe). Configuration Changes To The Contractor Oe Must Be Funded By The Owner Of The Equipment. All Remote Systems Must Use A Va-approved Antivirus Software And A Personal (host-based Or Enclave Based) Firewall With A Va-approved Configuration. The Contractor Shall Ensure Software On Oe Is Kept Current With All Critical Updates And Patches. Owners Of Approved Oe Are Responsible For Providing And Maintaining The Anti-virus Software And The Firewall On The Non-va Owned Oe. Approved Contractor Oe Will Be Subject To Technical Inspection At Any Time. The Contractor Shall Notify The Cor/co Within One Hour Of Disclosure Or Successful Exploits Of Any Vulnerability Which Can Compromise The Confidentiality, Integrity, Or Availability Of The Information Systems. The System Or Affected Component(s) Need(s) To Be Isolated From The Network. A Forensic Analysis Needs To Be Conducted Jointly With Va. Such Issues Will Be Remediated As Quickly As Practicable, But In No Event Longer Than The Timeframe Specified By Va Information Security Knowledge Service. If Sensitive Personal Information Is Compromised, Reference Va Handbook 6500.2 And Section 5, Security Incident Investigation. For Cases Wherein The Contractor Discovers Material Defects Or Vulnerabilities Impacting Products And Services They Provide To Va, The Contractor Shall Develop And Implement Policies And Procedures For Disclosure To Va, As Well As Remediation. The Contractor Shall, Within 30 Business Days Of Discovery, Document A Summary Of These Vulnerabilities Or Defects. The Documentation Will Include A Description Of The Potential Impact Of Each Vulnerability And Material Defect, Compensating Security Controls, Mitigations, Recommended Corrective Actions, Root Cause Analysis And/or Workarounds (i.e., Monitoring).
Should There Exist Any Backdoors In The Products Or Services They Provide To Va (referring To Methods For Bypassing Computer Authentication), The Contractor Shall Provide The Va Cor/co Written Assurance They Have Permanently Remediated These Backdoors. All Other Vulnerabilities, Including Those Discovered Through Routine Scans Or Other Assessments, Will Be Remediated Based On Risk, In Accordance With The Remediation Timelines Specified By The Va Information Security Knowledge Service And/or The Applicable Timeframe Mandated By Cybersecurity & Infrastructure Security Agency (cisa) Binding Operational Directive (bod) 22-01 And Bod 19-02 For Internet-accessible Systems. Exceptions To This Paragraph Will Only Be Granted With The Approval Of The Cor/co. Security And Privacy Controls Compliance Testing, Assessment And Auditing. This Entire Section Applies Whenever Section 6 Or 7 Is Included. Should Va Request It, The Contractor Shall Provide A Copy Of Their (corporation's, Sole Proprietorship's, Partnership's, Limited Liability Company's (llc), Or Other Business Structure Entity's) Policies, Procedures, Evidence And Independent Report Summaries Related To Specified Cybersecurity Frameworks (international Organization For Standardization (iso), Nist Cybersecurity Framework (csf), Etc.). Va Or Its Third-party/partner Designee (if Applicable) Are Further Entitled To Perform Their Own Audits And Security/penetration Tests Of The Contractor's It Or Systems And Controls, To Ascertain Whether The Contractor Is Complying With The Information Security, Network Or System Requirements Mandated In The Agreement Between Va And The Contractor. Any Audits Or Tests Of The Contractor Or Third-party Designees/partner Va Elects To Carry Out Will Commence Within 30 Business Days Of Va Notification.
Such Audits, Tests And Assessments May Include The Following: (a): Security/penetration Tests Which Both Sides Agree Will Not Unduly Impact Contractor Operations; (b): Interviews With Pertinent Stakeholders And Practitioners; (c): Document Review; And (d): Technical Inspections Of Networks And Systems The Contractor Uses To Destroy, Maintain, Receive, Retain, Or Use Va Information. As Part Of These Audits, Tests And Assessments, The Contractor Shall Provide All Information Requested By Va. This Information Includes, But Is Not Limited To, The Following: Equipment Lists, Network Or Infrastructure Diagrams, Relevant Policy Documents, System Logs Or Details On Information Systems Accessing, Transporting, Or Processing Va Data. The Contractor, At Its Own Expense, Shall Comply With Any Recommendations Resulting From Va Audits, Inspections And Tests. Va Further Retains The Right To View Any Related Security Reports The Contractor Has Generated As Part Of Its Own Security Assessment. The Contractor Shall Also Notify Va Of The Existence Of Any Such Security Reports Or Other Related Assessments, Upon Completion And Validation. Va Appointed Auditors Or Other Government Agency Partners May Be Granted Access To Such Documentation On A Need-to-know Basis And Coordinated Through The Cor/co. The Contractor Shall Comply With Recommendations Which Result From These Regulatory Assessments On The Part Of Va Regulators And Associated Government Agency Partners. Product Integrity, Authenticity, Provenance, Anti-counterfeit And Anti-tampering. This Entire Section Applies When The Acquisition Involves Any Product (application, Hardware, Or Software) Or When Section 6 Or 7 Is Included. The Contractor Shall Comply With Code Of Federal Regulations (cfr) Title 15 Part 7, Securing The Information And Communications Technology And Services (icts) Supply Chain, Which Prohibits Icts Transactions From Foreign Adversaries.
Icts Transactions Are Defined As Any Acquisition, Importation, Transfer, Installation, Dealing In Or Use Of Any Information And Communications Technology Or Service, Including Ongoing Activities, Such As Managed Services, Data Transmission, Software Updates, Repairs Or The Platforming Or Data Hosting Of Applications For Consumer Download. When Contracting Terms Require The Contractor To Procure Equipment, The Contractor Shall Purchase Or Acquire The Equipment From An Original Equipment Manufacturer (oem) Or An Authorized Reseller Of The Oem. The Contractor Shall Attest That Equipment Procured From An Oem Or Authorized Reseller Or Distributor Are Authentic. If Procurement Is Unavailable From An Oem Or Authorized Reseller, The Contractor Shall Submit In Writing, Details Of The Circumstances Prohibiting This From Happening And Procure A Product Waiver From The Va Cor/co. All Contractors Shall Establish, Implement, And Provide Documentation For Risk Management Practices For Supply Chain Delivery Of Hardware, Software (to Include Patches) And Firmware Provided Under This Agreement. Documentation Will Include Chain Of Custody Practices, Inventory Management Program, Information Protection Practices, Integrity Management Program For Sub-supplier Provided Components, And Replacement Parts Requests. The Contractor Shall Make Spare Parts Available. All Contractor(s) Shall Specify How Digital Delivery For Procured Products, Including Patches, Will Be Validated And Monitored To Ensure Consistent Delivery. The Contractor Shall Apply Encryption Technology To Protect Procured Products Throughout The Delivery Process. If A Contractor Provides Software Or Patches To Va, The Contractor Shall Publish Or Provide A Hash Conforming To The Fips Security Requirements For Cryptographic Modules (fips 140-2 Or Successor). 
The Contractor Shall Provide A Software Bill Of Materials (sbom) For Procured (to Include Licensed Products) And Consist Of A List Of Components And Associated Metadata Which Make Up The Product. Sboms Must Be Generated In One Of The Data Formats Defined In The National Telecommunications And Information Administration (ntia) Report The Minimum Elements For A Software Bill Of Materials (sbom). Contractors Shall Use Or Arrange For The Use Of Trusted Channels To Ship Procured Products, Such As U.s. Registered Mail And/or Tamper-evident Packaging For Physical Deliveries. Throughout The Delivery Process, The Contractor Shall Demonstrate A Capability For Detecting Unauthorized Access (tampering). The Contractor Shall Demonstrate Chain-of-custody Documentation For Procured Products And Require Tamper-evident Packaging For The Delivery Of This Hardware. Viruses, Firmware And Malware. This Entire Section Applies When The Acquisition Involves Any Product (application, Hardware, Or Software) Or When Section 6 Or 7 Is Included. The Contractor Shall Execute Due Diligence To Ensure All Provided Software And Patches, Including Third-party Patches, Are Free Of Viruses And/or Malware Before Releasing Them To Or Installing Them On Va Information Systems. The Contractor Warrants It Has No Knowledge Of And Did Not Insert, Any Malicious Virus And/or Malware Code Into Any Software Or Patches Provided To Va Which Could Potentially Harm Or Disrupt Va Information Systems. The Contractor Shall Use Due Diligence, If Supplying Third-party Software Or Patches, To Ensure The Third-party Has Not Inserted Any Malicious Code And/or Virus Which Could Damage Or Disrupt Va Information Systems. The Contractor Shall Provide Or Arrange For The Provision Of Technical Justification As To Why Any False Positive Hit Has Taken Place To Ensure Their Code's Supply Chain Has Not Been Compromised.
Justification May Be Required, But Is Not Limited To, When Install Files, Scripts, Firmware, Or Other Contractor-delivered Software Solutions (including Third-party Install Files, Scripts, Firmware, Or Other Software) Are Flagged As Malicious, Infected, Or Suspicious By An Anti-virus Vendor. The Contractor Shall Not Upload (intentionally Or Negligently) Any Virus, Worm, Malware Or Any Harmful Or Malicious Content, Component And/or Corrupted Data/source Code (hereinafter "Virus Or Other Malware") Onto Va Computer And Information Systems And/or Networks. If Introduced (and This Clause Is Violated), Upon Written Request From The Va Co, The Contractor Shall: Take All Necessary Action To Correct The Incident, To Include Any And All Assistance To Va To Eliminate The Virus Or Other Malware Throughout Va's Information Networks, Computer Systems And Information Systems; And Use Commercially Reasonable Efforts To Restore Operational Efficiency And Remediate Damages Due To Data Loss Or Data Integrity Damage, If The Virus Or Other Malware Causes A Loss Of Operational Efficiency, Data Loss, Or Damage To Data Integrity. Cryptographic Requirement. This Entire Section Applies Whenever Section 6 Or 7 Is Included. The Contractor Shall Document How The Cryptographic System Supporting The Contractor's Products And/or Services Protects The Confidentiality, Data Integrity, Authentication And Non-repudiation Of Devices And Data Flows In The Underlying System. The Contractor Shall Use Only Approved Cryptographic Methods As Defined In Fips 140-2 (or Its Successor) And Nist 800-52 Standards When Enabling Encryption On Its Products. The Contractor Shall Provide Or Arrange For The Provision Of An Automated Remote Key-establishment Method Which Protects The Confidentiality And Integrity Of The Cryptographic Keys. The Contractor Shall Ensure Emergency Re-keying Of All Devices Can Be Remotely Performed Within 30 Business Days.
The Contractor Shall Provide Or Arrange For The Provision Of A Method For Updating Cryptographic Primitives Or Algorithms. Patching Governance. This Entire Section Applies Whenever Section 7 Is Included. The Contractor Shall Provide Documentation Detailing The Patch Management, Vulnerability Management, Mitigation And Update Processes (to Include Third-party) Prior To The Connection Of Electronic Devices, Assets Or Equipment To Va's Assets. This Documentation Will Include Information Regarding The Following: The Resources And Technical Capabilities To Sustain The Program Or Process (e.g., How The Integrity Of A Patch Is Validated By Va); And The Approach And Capability To Remediate Newly Reported Zero-day Vulnerabilities For Contractor Products. The Contractor Shall Verify And Provide Documentation That All Procured Products (including Third-party Applications, Hardware, Software, Operating Systems, And Firmware) Have Appropriate Updates And Patches Installed Prior To Delivery To Va. The Contractor Shall Provide Or Arrange The Provision Of Appropriate Software And Firmware Updates To Remediate Newly Discovered Vulnerabilities Or Weaknesses For Their Products And Services Within 30 Days Of Discovery. Updates To Remediate Critical Or Emergent Vulnerabilities Will Be Provided Within Seven Business Days Of Discovery. If Updates Cannot Be Made Available By Contractor Within These Time Periods, The Contractor Shall Submit Mitigations, Methods Of Exploit Detection And/or Workarounds To The Cor/co Prior To The Above Deadlines. The Contractor Shall Provide Or Arrange For The Provision Of Appropriate Hardware, Software And/or Firmware Updates, When Those Products, Including Open-source Software, Are Provided To The Va, To Remediate Newly Discovered Vulnerabilities Or Weaknesses.
Remediations Of Products Or Services Provided To The Va's System Environment Must Be Provided Within 30 Business Days Of Availability From The Original Supplier And/or Patching Source. Updates To Remediate Critical Vulnerabilities Applicable To The Contractor's Use Of The Third-party Product In Its System Environment Will Be Provided Within Seven Business Days Of Availability From The Original Supplier And/or Patching Source. If Applicable Third-party Updates Cannot Be Integrated, Tested And Made Available By Contractor Within These Time Periods, Mitigations And/or Workarounds Will Be Provided To The Cor/co Before The Above Deadlines. Specialized Devices/systems (medical Devices, Special Purpose Systems, Research Scientific Computing). This Entire Section Applies When The Acquisition Includes One Or More Medical Device, Special Purpose System Or Research Scientific Computing Device. If Appropriate, Ensure Selected Clauses From Section 6 Or 7 And 8 Through 12 Are Included. Contractor Supplied/delivered Medical Devices, Special Purpose Systems-operational Technology (sps-ot) And Research Scientific Computing Devices Shall Comply With All Applicable Federal Law, Regulations, And Va Policies. New Developments Require Creation, Testing, Evaluation, And Authorization In Compliance With Processes Specified On The Specialized Device Cybersecurity Department Enterprise Risk Management (sdcd-erm) Portal, Va Directive 6550, Pre-procurement Assessment And Implementation Of Medical Devices/systems, Va Handbook 6500, And The Va Information Security Knowledge Service. Deviations From Federal Law, Regulations, And Va Policy Are Identified And Documented As Part Of Va Directive 6550 And/or The Va Enterprise Risk Analysis (era) Processes For Specialized Devices/systems Processes.
All Contractors And Third-party Service Providers Shall Address And/or Integrate Applicable Va Handbook 6500 And Information Security Knowledge Service Specifications In Delivered It Systems/solutions, Products And/or Services. If Systems/solutions, Products And/or Services Do Not Directly Match Va Security Requirements, The Contractor Shall Work Through The Cor/co For Governance Or Resolution. The Contractor Shall Certify To The Cor/co That Devices/systems That Have Completed The Va Enterprise Risk Analysis (era) Process For Specialized Devices/systems Are Fully Functional And Operate Correctly As Intended. Devices/systems Must Follow The Va Era Authorized Configuration Prior To Acquisition And Connection To The Va Computing Environment. If Va Determines A New Va Era Needs To Be Created, The Contractor Shall Provide Required Technical Support To Develop The Configuration Settings. Major Changes To A Previously Approved Device/system Will Require A New Era. The Contractor Shall Comply With All Practices Documented By The Food And Drug Administration (fda) Premarket Submission For Management Of Cybersecurity In Medical Devices And Postmarket Management Of Cybersecurity In Medical Devices. The Contractor Shall Design Devices Capable Of Accepting All Applicable Security Patches With Or Without The Support Of The Contractor Personnel. If Patching Can Only Be Completed By The Contractor, The Contractor Shall Commit The Resources Needed To Patch All Applicable Devices At All Va Locations. If Unique Patching Instructions Or Packaging Is Needed, The Contractor Shall Provide The Necessary Information In Conjunction With The Validation/testing Of The Patch. The Contractor Shall Apply Security Patches Within 30 Business Days Of The Patch Release And Have A Formal Tracking Process For Any Security Patches Not Implemented To Include Explanation When A Device Cannot Be Patched.
The Contractor Shall Provide Devices Able To Install And Maintain Va-approved Antivirus Capabilities With The Capability To Quarantine Files And Be Updated As Needed In Response To Incidents. Alternatively, A Va-approved Whitelisting Application May Be Used When The Contractor Cannot Install An Anti-virus / Anti-malware Application. The Contractor Shall Verify And Document All Software Embedded Within The Device Does Not Contain Any Known Viruses Or Malware Before Delivery To Or Installation At A Va Location. Devices And Other Equipment Or Systems Containing Media (hard Drives, Optical Disks, Solid State, And Storage Via Chips/firmware) With Va Sensitive Information Will Be Returned To The Contractor With Media Removed. When The Contract Requires Return Of Equipment, The Options Available To The Contractor Are The Following: The Contractor Shall Accept The System Without The Drive, Firmware And Solid State. Va's Initial Device Purchase Includes A Spare Drive Or Other Replacement Media Which Must Be Installed In Place Of The Original Drive At Time Of Turn-in; Or Due To The Highly Specialized And Sometimes Proprietary Hardware And Software Associated With The Device, If It Is Not Possible For Va To Retain The Hard Drive, Firmware, And Solid State, Then: The Equipment Contractor Shall Have An Existing Baa If The Device Being Traded In Has Sensitive Information Stored On It And Hard Drive(s) From The System Are Being Returned Physically Intact. Any Fixed Hard Drive, Complementary Metal-oxide-semiconductor (cmos), Programmable Read-only Memory (prom), Solid State And Firmware On The Device Must Be Non-destructively Sanitized To The Greatest Extent Possible Without Negatively Impacting System Operation. Selective Clearing Down To Patient Data Folder Level Is Recommended Using Va Approved And Validated Overwriting Technologies/methods/tools. Applicable Media Sanitization Specifications Need To Be Pre-approved And Described In The Solicitation, Contract, Or Order.
Data Center Provisions. This Entire Section Applies Whenever The Acquisition Requires An Interconnection To/from The Va Network To/from A Non-va Location. The Contractor Shall Ensure The Va Network Is Accessed In Accordance With Va Directive 6500 And Iam Security Processes Specified In The Va Information Security Knowledge Service. The Contractor Shall Ensure Network Infrastructure And Data Availability In Accordance With Va Information System Business Continuity Procedures Specified In The Va Information Security Knowledge Service. The Contractor Shall Ensure Any Connections To The Internet Or Other External Networks For Information Systems Occur Through Managed Interfaces Utilizing Va Approved Boundary Protection Devices (e.g., Internet Proxies, Gateways, Routers, Firewalls, Guards Or Encrypted Tunnels). The Contractor Shall Encrypt All Traffic Across The Segment Of The Wide Area Network (wan) It Manages And No Unencrypted Out Of Band (oob) Internet Protocol (ip) Traffic Will Traverse The Network. The Contractor Shall Ensure Tunnel Endpoints Are Routable Addresses At Each Va Operating Site. The Contractor Shall Secure Access From Local Area Networks (lans) At Co-located Sites In Accordance With Va Tic Reference Architecture, Va Directive And Handbook 6513, And Mou/isa Process Specified In The Va Information Security Knowledge Service.
Closing Date: 19 Feb 2025
Tender Amount: Refer Documents
VETERANS AFFAIRS, DEPARTMENT OF USA Tender
Others
United States
Details: This Sources Sought Notice Is For Planning Purposes Only And Shall Not Be Considered As An Invitation For Bid, Request For Quotation, Request For Proposal, Or As An Obligation On The Part Of The Government To Acquire Any Products And/or Services. Your Response To This Sources Sought Notice Will Be Treated As Information Only. No Entitlement To Payment Of Direct Or Indirect Costs Or Charges By The Government Will Arise Because Of Contractor Submission Of Responses To This Announcement Or The Government Use Of Such Information. This Request Does Not Constitute A Solicitation For Proposals Or The Authority To Enter Negotiations To Award A Contract. No Funds Have Been Authorized, Appropriated, Or Received For This Effort.
the Information Provided May Be Used By The Department Of Veterans Affairs In Developing Its Acquisition Approach, Statement Of Work/statement Of Objectives And Performance Specifications. Interested Parties Are Responsible For Adequately Marking Proprietary Or Competition Sensitive Information Contained In Their Response. The Government Does Not Intend To Award A Contract Based On This Sources Sought Notice Or To Otherwise Pay For The Information Submitted In Response To This Sources Sought Notice.
the Submission Of Pricing, Capabilities For Planning Purposes, And Other Market Information Is Highly Encouraged And Allowed Under This Sources Sought Notice In Accordance With (iaw) Far Part 15.201(e)
the Purpose Of This Sources Sought Notice Announcement Is For Market Research To Make Appropriate Acquisition Decisions And To Gain Knowledge Of Potential Qualified Service-disabled Veteran Owned Small Businesses, Veteran Owned Small Businesses, 8(a), Hubzone And Other Small Businesses Interested And Capable Of Providing The Products And/or Services Described Below.
documentation Of Technical Expertise Must Be Presented In Sufficient Detail For The Government To Determine That Your Company Possesses The Necessary Functional Area Expertise And Experience To Compete For This Acquisition. Responses To This Notice Shall Include The Following:
(a) Company Name;
(b) Address;
(c) Point Of Contact;
(d) Phone, Fax, And Email;
(e) Uei Number;
(f) Cage Code;
(g) Tax Id Number;
(h) Type Of Small Business, E.g., Services Disabled Veteran Owned Small Business, Veteran Owned Small Business, 8(a), Hubzone, Women Owned Small Business, Small Disadvantaged Business, Or Small Business Hubzone Business, Etc
(i) State If Your Business Has An Fss Contract With Gsa, Va Nac, Nasa Sewp, Or Any Other Federal Contract, That Can Be Utilized To Procure The Requirement Listed Below And Provide The Contract Number; And
(j) Must Provide A Capability Statement That Addresses The Organization's Qualifications And Ability To Perform As A Contractor For The Work Described Below.
requirement:
the Va Heartland Network 15 Contracting Office Located At 3450 South 4th Street, Leavenworth, Ks, 66048-5055 Is Seeking A Potential Qualified Contractor To Provide An Automated Special Staining Instrumentation Lease & Bulk Reagent Purchase (i.e.: Artisan Link Pro Special Staining System & Artisan Reagents) For The Kansas City Va Medical Center, Located In Kansas City, Missouri, And The John J. Cochran Veterans Hospital, Located In St. Louis, Missouri. This Is A Brand Name Or Equal Requirement. Please See The Statement Of Work For More Specifics And Details.
the North American Industry Classification System Code (naics Code) Is 334516 (analytical Laboratory Instrument Manufacturing), Size Standard 1,000 Employees. Based On This Information, Please Indicate Whether Your Company Would Be A Large Or Small Business And Have A Socio-economic Designation As A Small Business, Vosb Or Sdvosb.
important Information:
the Government Is Not Obligated To, Nor Will It Pay For Or Reimburse Any Costs Associated With Responding To This Source Sought Synopsis Request. This Notice Shall Not Be Construed As A Commitment By The Government To Issue A Solicitation Or Ultimately Award A Contract, Nor Does It Restrict The Government To An Acquisition Approach. The Government Will In No Way Be Bound To This Information If Any Solicitation Is Issued. Currently A Total Set-aside For Service-disabled Veteran Owned Small Business Firms Is Anticipated Based On The Veterans Administration Requirement With Public Law 109-461, Section 8127 Veterans Benefit Act. However, If Response By Service-disabled Veteran Owned Small Business Firms Proves Inadequate, An Alternate Set-aside Or Full And Open May Be Used.
responses To This Notice Shall Be Submitted Via Email To Erika Kobulnicky At Erika.kobulnicky@va.gov. Telephone Responses Will Not Be Accepted. Responses Must Be Received No Later Than Wednesday, February 19, 2025, At 10:00am Cst. If A Solicitation Is Issued It Shall Be Announced At A Later Date, And All Interested Parties Must Respond To That Solicitation Announcement Separately From The Responses To This Sources Sought. Responses To This Sources Sought Notice Are Not A Request To Be Added To A Prospective Bidders List Or To Receive A Copy Of The Solicit.
marion, Il Vamc And Ehcc Outpatient Clinic
statement Of Work: Scriptpro Eyecon
description Of Use: To Be Used At The Marion Va Medical Center Pharmacy And In The Evansville, In Outpatient Clinic
this Solicitation Uses A Brand Name Or Equal Description Of The Product Required. This Permits Prospective Contractors To Offer Products Other Than Those Specifically Referenced By Brand Name. All Offers Must Work With Existing Equipment That Has Already Been Purchased And Is Currently In Use At The Station.
minimum Technical Specifications:
the Scriptpro Dispensing System Must Also Be Assembled Within The Manufactured Country Or Show Significant Proof Of An Internationally Recognized Quality Assurance Program
certificate Of Authenticity Will Need To Be Provided
the Dispensing System Must Have The Following:
safety
must Use Barcode Verification To Ensure Accuracy Of Dispensing And Must Work With Scriptpro Label Barcode
unit Must Have Means To Track Dispensed Drug Quantities And Contain Image Verification Of Quantities Dispensed.
must Come Equipped With Database Of Drug Images For Dispensing Verification.
must Include Additional Counting Platters For Penicillin And Sulfa To Avoid Cross Contamination.
workflow
must Allow For Integration With Scriptpro/vista To Verify Correct Dispensing Quantities.
must Fit In Existing Space With A Footprint Of 28 H X 11 W X 17.5 D.
must Count With A Count Accuracy Of At Least 99.9%.
verification Should Include Easy Work Flow Optics Such As Color Touch Screen.
must Include Large Counting Area Of 48 Sq Inches For Larger Quantity Verification.
information Technology
must Integrate With Current Equipment, Including Scriptpro Dispensing/filling Stations
must Interface With Vista, Ups Worldship, And Usps Sendsuite System Platforms.
all Equipment Must Be New
description: sp Eyecon 9430
quantity: 2
optional/value Added Features:
n/a
required Interfaces:
must Interface With Current Sp Equipment. Must Also Interface With Vista/cprs.
delivery Location(s):
department Of Veterans Affairs
marion Va Medical Center
2401 West Main Street
marion, Il 62959-1188
department Of Veterans Affairs
evansville Va Healthcare Center
6211 E Waterford Blvd
evansville, In 47715
records Management Obligations
applicability
this Clause Applies To All Contractors Whose Employees Create, Work With, Or Otherwise Handle Federal Records, As Defined In Section B, Regardless Of The Medium In Which The Record Exists.
definitions
Federal Record As Defined In 44 U.s.c. § 3301, Includes All Recorded Information, Regardless Of Form Or Characteristics, Made Or Received By A Federal Agency Under Federal Law Or In Connection With The Transaction Of Public Business And Preserved Or Appropriate For Preservation By That Agency Or Its Legitimate Successor As Evidence Of The Organization, Functions, Policies, Decisions, Procedures, Operations, Or Other Activities Of The United States Government Or Because Of The Informational Value Of Data In Them.
the Term Federal Record:
includes [agency] Records.
does Not Include Personal Materials.
applies To Records Created, Received, Or Maintained By Contractors Pursuant To Their [agency] Contract.
may Include Deliverables And Documentation Associated With Deliverables.
requirements
contractor Shall Comply With All Applicable Records Management Laws And Regulations, As Well As National Archives And Records Administration (nara) Records Policies, Including But Not Limited To The Federal Records Act (44 U.s.c. Chs. 21, 29, 31, 33), Nara Regulations At 36 Cfr Chapter Xii Subchapter B, And Those Policies Associated With The Safeguarding Of Records Covered By The Privacy Act Of 1974 (5 U.s.c. 552a). These Policies Include The Preservation Of All Records, Regardless Of Form Or Characteristics, Mode Of Transmission, Or State Of Completion.
in Accordance With 36 Cfr 1222.32, All Data Created For Government Use And Delivered To, Or Falling Under The Legal Control Of, The Government Are Federal Records Subject To The Provisions Of 44 U.s.c. Chapters 21, 29, 31, And 33, The Freedom Of Information Act (foia) (5 U.s.c. 552), As Amended, And The Privacy Act Of 1974 (5 U.s.c. 552a), As Amended And Must Be Managed And Scheduled For Disposition Only As Permitted By Statute Or Regulation.
in Accordance With 36 Cfr 1222.32, Contractor Shall Maintain All Records Created For Government Use Or Created In The Course Of Performing The Contract And/or Delivered To, Or Under The Legal Control Of The Government And Must Be Managed In Accordance With Federal Law. Electronic Records And Associated Metadata Must Be Accompanied By Sufficient Technical Documentation To Permit Understanding And Use Of The Records And Data.
[agency] And Its Contractors Are Responsible For Preventing The Alienation Or Unauthorized Destruction Of Records, Including All Forms Of Mutilation. Records May Not Be Removed From The Legal Custody Of [agency] Or Destroyed Except For In Accordance With The Provisions Of The Agency Records Schedules And With The Written Concurrence Of The Head Of The Contracting Activity. Willful And Unlawful Destruction, Damage Or Alienation Of Federal Records Is Subject To The Fines And Penalties Imposed By 18 U.s.c. 2701. In The Event Of Any Unlawful Or Accidental Removal, Defacing, Alteration, Or Destruction Of Records, Contractor Must Report To [agency]. The Agency Must Report Promptly To Nara In Accordance With 36 Cfr 1230.
the Contractor Shall Immediately Notify The Appropriate Contracting Officer Upon Discovery Of Any Inadvertent Or Unauthorized Disclosures Of Information, Data, Documentary Materials, Records, Or Equipment. Disclosure Of Non-public Information Is Limited To Authorized Personnel With A Need-to-know As Described In The [contract Vehicle]. The Contractor Shall Ensure That The Appropriate Personnel, Administrative, Technical, And Physical Safeguards Are Established To Ensure The Security And Confidentiality Of This Information, Data, Documentary Material, Records And/or Equipment Is Properly Protected. The Contractor Shall Not Remove Material From Government Facilities Or Systems, Or Facilities Or Systems Operated Or Maintained On The Government's Behalf, Without The Express Written Permission Of The Head Of The Contracting Activity. When Information, Data, Documentary Material, Records And/or Equipment Is No Longer Required, It Shall Be Returned To [agency] Control Or The Contractor Must Hold It Until Otherwise Directed. Items Returned To The Government Shall Be Hand Carried, Mailed, Emailed, Or Securely Electronically Transmitted To The Contracting Officer Or Address Prescribed In The [contract Vehicle]. Destruction Of Records Is Expressly Prohibited Unless In Accordance With Paragraph (4).
the Contractor Is Required To Obtain The Contracting Officer's Approval Prior To Engaging In Any Contractual Relationship (sub-contractor) In Support Of This Contract Requiring The Disclosure Of Information, Documentary Material And/or Records Generated Under, Or Relating To, Contracts. The Contractor (and Any Sub-contractor) Is Required To Abide By Government And [agency] Guidance For Protecting Sensitive, Proprietary Information, Classified, And Controlled Unclassified Information.
the Contractor Shall Only Use Government It Equipment For Purposes Specifically Tied To Or Authorized By The Contract And In Accordance With [agency] Policy.
the Contractor Shall Not Create Or Maintain Any Records Containing Any Non-public [agency] Information That Are Not Specifically Tied To Or Authorized By The Contract.
the Contractor Shall Not Retain, Use, Sell, Or Disseminate Copies Of Any Deliverable That Contains Information Covered By The Privacy Act Of 1974 Or That Which Is Generally Protected From Public Disclosure By An Exemption To The Freedom Of Information Act.
the [agency] Owns The Rights To All Data And Records Produced As Part Of This Contract. All Deliverables Under The Contract Are The Property Of The U.s. Government For Which [agency] Shall Have Unlimited Rights To Use, Dispose Of, Or Disclose Such Data Contained Therein As It Determines To Be In The Public Interest. Any Contractor Rights In The Data Or Deliverables Must Be Identified As Required By Far 52.227-11 Through Far 52.227-20.
training. All Contractor Employees Assigned To This Contract Who Create, Work With, Or Otherwise Handle Records Are Required To Take [agency]-provided Records Management Training. The Contractor Is Responsible For Confirming Training Has Been Completed According To Agency Policies, Including Initial Training And Any Annual Or Refresher Training.
[note: To The Extent An Agency Requires Contractors To Complete Records Management Training, The Agency Must Provide The Training To The Contractor.]
flow Down Of Requirements To Subcontractors
the Contractor Shall Incorporate The Substance Of This Clause, Its Terms And Requirements Including This Paragraph, In All Subcontracts Under This [contract Vehicle], And Require Written Subcontractor Acknowledgment Of Same.
violation By A Subcontractor Of Any Provision Set Forth In This Clause Will Be Attributed To The Contractor.
general. This Entire Section Applies To All Acquisitions Requiring Any Information Security And Privacy Language. Contractors, Contractor Personnel, Subcontractors And Subcontractor Personnel Will Be Subject To The Same Federal Laws, Regulations, Standards, Va Directives And Handbooks, As Va Personnel Regarding Information And Information System Security And Privacy.
va Information Custodial Language. This Entire Section Applies To All Acquisitions Requiring Any Information Security And Privacy Language.
the Government Shall Receive Unlimited Rights To Data/intellectual Property First Produced And Delivered In The Performance Of This Contract Or Order (hereinafter "Contract") Unless Expressly Stated Otherwise In This Contract. This Includes All Rights To Source Code And All Documentation Created In Support Thereof. The Primary Clause Used To Define Government And Contractor Data Rights Is Far 52.227-14 Rights In Data General. The Primary Clause Used To Define Computer Software License (not Data/intellectual Property First Produced Under This Contractor Or Order) Is Far 52.227-19, Commercial Computer Software License.
information Made Available To The Contractor By Va For The Performance Or Administration Of This Contract Will Be Used Only For The Purposes Specified In The Service Agreement, Sow, Pws, Pd, And/or Contract. The Contractor Shall Not Use Va Information In Any Other Manner Without Prior Written Approval From A Va Contracting Officer (co). The Primary Clause Used To Define Government And Contractor Data Rights Is Far 52.227-14 Rights In Data General.
va Information Will Not Be Co-mingled With Any Other Data On The Contractor's Information Systems Or Media Storage Systems. The Contractor Shall Ensure Compliance With Federal And Va Requirements Related To Data Protection, Data Encryption, Physical Data Segregation, Logical Data Segregation, Classification Requirements And Media Sanitization.
va Reserves The Right To Conduct Scheduled Or Unscheduled Audits, Assessments, Or Investigations Of Contractor Information Technology (it) Resources To Ensure Information Security Is Compliant With Federal And Va Requirements. The Contractor Shall Provide All Necessary Access To Records (including Electronic And Documentary Materials Related To The Contracts And Subcontracts) And Support (including Access To Contractor And Subcontractor Staff Associated With The Contract) To Va, Va's Office Inspector General (oig), And/or Government Accountability Office (gao) Staff During Periodic Control Assessments, Audits, Or Investigations.
the Contractor May Only Use Va Information Within The Terms Of The Contract And Applicable Federal Law, Regulations, And Va Policies. If New Federal Information Security Laws, Regulations Or Va Policies Become Applicable After Execution Of The Contract, The Parties Agree To Negotiate Contract Modification And Adjustment Necessary To Implement The New Laws, Regulations, And/or Policies.
the Contractor Shall Not Make Copies Of Va Information Except As Specifically Authorized And Necessary To Perform The Terms Of The Contract. If Copies Are Made For Restoration Purposes, After The Restoration Is Complete, The Copies Shall Be Destroyed In Accordance With Va Directive 6500, Va Cybersecurity Program And Va Information Security Knowledge Service.
if A Veterans Health Administration (vha) Contract Is Terminated For Default Or Cause With A Business Associate, The Related Local Business Associate Agreement (baa) Shall Also Be Terminated And Actions Taken In Accordance With Vha Directive 1605.05, Business Associate Agreements. If There Is An Executed National Baa Associated With The Contract, Va Will Determine What Actions Are Appropriate And Notify The Contractor.
the Contractor Shall Store And Transmit Va Sensitive Information In An Encrypted Form, Using Va-approved Encryption Tools Which Are, At A Minimum, Federal Information Processing Standards (fips) 140-2, Security Requirements For Cryptographic Modules (or Its Successor) Validated And In Conformance With Va Information Security Knowledge Service Requirements. The Contractor Shall Transmit Va Sensitive Information Using Va Approved Transport Layer Security (tls) Configured With Fips Based Cipher Suites In Conformance With National Institute Of Standards And Technology (nist) 800-52, Guidelines For The Selection, Configuration And Use Of Transport Layer Security (tls) Implementations.
the Contractor's Firewall And Web Services Security Controls, As Applicable, Shall Meet Or Exceed Va's Minimum Requirements.
except For Uses And Disclosures Of Va Information Authorized By This Contract For Performance Of The Contract, The Contractor May Use And Disclose Va Information Only In Two Situations: (i) In Response To A Qualifying Order Of A Court Of Competent Jurisdiction After Notification To Va Co (ii) With Written Approval From The Va Co. The Contractor Shall Refer All Requests For, Demands For Production Of Or Inquiries About, Va Information And Information Systems To The Va Co For Response.
notwithstanding The Provision Above, The Contractor Shall Not Release Va Records Protected By Title 38 U.s.c. § 5705, Confidentiality Of Medical Quality-assurance Records And/or Title 38 U.s.c. § 7332, Confidentiality Of Certain Medical Records Pertaining To Drug Addiction, Sickle Cell Anemia, Alcoholism Or Alcohol Abuse Or Infection With Human Immunodeficiency Virus (hiv). If The Contractor Is In Receipt Of A Court Order Or Other Requests For The Above-mentioned Information, The Contractor Shall Immediately Refer Such Court Order Or Other Requests To The Va Co For Response.
information Made Available To The Contractor By Va For The Performance Or Administration Of This Contract Or Information Developed By The Contractor In Performance Or Administration Of The Contract Will Be Protected And Secured In Accordance With Va Directive 6500 And Identity And Access Management (iam) Security Processes Specified In The Va Information Security Knowledge Service.
any Data Destruction Done On Behalf Of Va By A Contractor Shall Be Done In Accordance With National Archives And Records Administration (nara) Requirements As Outlined In Va Directive 6300, Records And Information Management, Va Handbook 6300.1, Records Management Procedures, And Applicable Va Records Control Schedules.
the Contractor Shall Provide Its Plan For Destruction Of All Va Data In Its Possession According To Va Directive 6500 And Nist 800-88, Guidelines For Media Sanitization Prior To Termination Or Completion Of This Contract. If Directed By The Cor/co, The Contractor Shall Return All Federal Records To Va For Disposition.
any Media, Such As Paper, Magnetic Tape, Magnetic Disks, Solid State Devices Or Optical Discs That Is Used To Store, Process, Or Access Va Information That Cannot Be Destroyed Shall Be Returned To Va. The Contractor Shall Hold The Appropriate Material Until Otherwise Directed By The Contracting Officer's Representative (cor) Or Co. Items Shall Be Returned Securely Via Va-approved Methods. Va Sensitive Information Must Be Transmitted Utilizing Va-approved Encryption Tools Which Are Validated Under Fips 140-2 (or Its Successor) And Nist 800-52. If Mailed, The Contractor Shall Send Via A Trackable Method (usps, Ups, Fedex, Etc.) And Immediately Provide The Cor/co With The Tracking Information. Self-certification By The Contractor That The Data Destruction Requirements Above Have Been Met Shall Be Sent To The Cor/co Within 30 Business Days Of Termination Of The Contract.
all Electronic Storage Media (hard Drives, Optical Disks, Cds, Back-up Tapes, Etc.) Used To Store, Process Or Access Va Information Will Not Be Returned To The Contractor At The End Of Lease, Loan, Or Trade-in. Exceptions To This Paragraph Will Only Be Granted With The Written Approval Of The Va Co.
access To Va Information And Va Information Systems. This Section Applies When Any Person Requires Access To Information Made Available To The Contractor By Va For The Performance Or Administration Of This Contract Or Information Developed By The Contractor In Performance Or Administration Of The Contract.
a Contractor/subcontractor Shall Request Logical (technical) Or Physical Access To Va Information And Va Information Systems For Their Employees And Subcontractors Only To The Extent Necessary To Perform The Services Specified In The Solicitation Or Contract. This Includes Indirect Entities, Both Affiliate Of Contractor/subcontractor And Agent Of Contractor/subcontractor.
contractors And Subcontractors Shall Sign The Va Information Security Rule Of Behavior (rob) Before Access Is Provided To Va Information And Information Systems (see Section 4, Training, Below). The Rob Contains The Minimum User Compliance Requirements And Does Not Supersede Any Policies Of Va Facilities Or Other Agency Components Which Provide Higher Levels Of Protection To Va's Information Or Information Systems. Users Who Require Privileged Access Shall Complete The Va Elevated Privilege Access Request Processes Before Privileged Access Is Granted.
all Contractors And Subcontractors Working With Va Information Are Subject To The Same Security Investigative And Clearance Requirements As Those Of Va Appointees Or Employees Who Have Access To The Same Types Of Information. The Level And Process Of Background Security Investigations For Contractors Shall Be In Accordance With Va Directive And Handbook 0710, Personnel Suitability And Security Program. The Office Of Human Resources And Administration/operations, Security And Preparedness (hra/osp) Is Responsible For These Policies And Procedures. Contract Personnel Who Require Access To Classified Information Or Information Systems Shall Have An Appropriate Security Clearance. Verification Of A Security Clearance Shall Be Processed Through The Special Security Officer Located In Hra/osp. Contractors Shall Conform To All Requirements Stated In The National Industrial Security Program Operating Manual (nispom).
all Contractors And Subcontractors Shall Comply With Conditions Specified In Vaar 852.204-71(d); Contractor Operations Required To Be In United States. All Contractors And Subcontractors Working With Va Information Must Be Permanently Located Within A Jurisdiction Subject To The Law Of The United States Or Its Territories To The Maximum Extent Feasible. If Services Are Proposed To Be Performed Abroad The Contractor Must State Where All Non-u.s. Services Are Provided. The Contractor Shall Deliver To Va A Detailed Plan Specifically Addressing Communications, Personnel Control, Data Protection And Potential Legal Issues. The Plan Shall Be Approved By The Cor/co In Writing Prior To Access Being Granted.
the Contractor Shall Notify The Cor/co In Writing Immediately (no Later Than 24 Hours) After Personnel Separation Or Occurrence Of Other Causes. Causes May Include The Following:
contractor/subcontractor Personnel No Longer Has A Need For Access To Va Information Or Va Information Systems.
contractor/subcontractor Personnel Are Terminated, Suspended, Or Otherwise Has Their Work On A Va Project Discontinued For Any Reason.
contractor Believes Their Own Personnel Or Subcontractor Personnel May Pose A Threat To Their Company's Working Environment Or To Any Company-owned Property. This Includes Contractor-owned Assets, Buildings, Confidential Data, Customers, Employees, Networks, Systems, Trade Secrets And/or Va Data.
any Previously Undisclosed Changes To Contractor/subcontractor Background History Are Brought To Light, Including But Not Limited To Changes To Background Investigation Or Employee Record.
contractor/subcontractor Personnel Have Their Authorization To Work In The United States Revoked.
agreement By Which Contractor Provides Products And Services To Va Has Either Been Fulfilled Or Terminated, Such That Va Can Cut Off Electronic And/or Physical Access For Contractor Personnel.
in Such Cases Of Contract Fulfillment, Termination, Or Other Causes; The Contractor Shall Take The Necessary Measures To Immediately Revoke Access To Va Network, Property, Information, And Information Systems (logical And Physical) By Contractor/subcontractor Personnel. These Measures Include (but Are Not Limited To): Removing And Then Securing Personal Identity Verification (piv) Badges And Piv Interoperable (piv-i) Access Badges, Va-issued Photo Badges, Credentials For Va Facilities And Devices, Va-issued Laptops, And Authentication Tokens. Contractors Shall Notify The Appropriate Va Cor/co Immediately To Initiate Access Removal.
contractors/subcontractors Who No Longer Require Va Accesses Will Return Va-issued Property To Va. This Property Includes (but Is Not Limited To): Documents, Electronic Equipment, Keys, And Parking Passes. Piv And Piv-i Access Badges Shall Be Returned To The Nearest Va Piv Badge Issuance Office. Once They Have Had Access To Va Information, Information Systems, Networks And Va Property In Their Possessions Removed, Contractors Shall Notify The Appropriate Va Cor/co.
training. This Entire Section Applies To All Acquisitions Which Include Section 3.
all Contractors And Subcontractors Requiring Access To Va Information And Va Information Systems Shall Successfully Complete The Following Before Being Granted Access To Va Information And Its Systems:
va Privacy And Information Security Awareness And Rules Of Behavior Course (talent Management System (tms) #10176) Initially And Annually Thereafter.
sign And Acknowledge (electronically Through Tms #10176) Understanding Of And Responsibilities For Compliance With The Organizational Rules Of Behavior, Relating To Access To Va Information And Information Systems Initially And Annually Thereafter; And
successfully Complete Any Additional Cyber Security Or Privacy Training, As Required For Va Personnel With Equivalent Information System Or Information Access [to Be Defined By The Va Program Official And Provided To The Va Co For Inclusion In The Solicitation Document I.e., Any Role-based Information Security Training].
the Contractor Shall Provide To The Cor/co A Copy Of The Training Certificates And Certification Of Signing The Organizational Rules Of Behavior For Each Applicable Employee Within Five Days Of The Initiation Of The Contract And Annually Thereafter, As Required.
failure To Complete The Mandatory Annual Training Is Grounds For Suspension Or Termination Of All Physical Or Electronic Access Privileges And Removal From Work On The Contract Until Such Time As The Required Training Is Complete.
security Incident Investigation. This Entire Section Applies To All Acquisitions Requiring Any Information Security And Privacy Language.
the Contractor, Subcontractor, Their Employees, Or Business Associates Shall Immediately (within One Hour) Report Suspected Security / Privacy Incidents To The Va Oit's Enterprise Service Desk (esd) By Calling (855) 673-4357 (tty: 711). The Esd Is Oit's 24/7/365 Single Point Of Contact For It-related Issues. After Reporting To The Esd, The Contractor, Subcontractor, Their Employees, Or Business Associates Shall, Within One Hour, Provide The Cor/co The Incident Number Received From The Esd.
to The Extent Known By The Contractor/subcontractor, The Contractor/subcontractor's Notice To Va Shall Identify The Information Involved And The Circumstances Surrounding The Incident, Including The Following:
the Date And Time (or Approximation Of) The Security Incident Occurred.
the Names Of Individuals Involved (when Applicable).
the Physical And Logical (if Applicable) Location Of The Incident.
why The Security Incident Took Place (i.e., Catalyst For The Failure).
the Amount Of Data Belonging To Va Believed To Have Been Compromised.
the Remediation Measures The Contractor Is Taking To Ensure No Future Incidents Of A Similar Nature.
after The Contractor Has Provided The Initial Detailed Incident Summary To Va, They Will Continue To Provide Written Updates On Any New And Relevant Circumstances Or Facts They Discover. The Contractor, Subcontractor, And Their Employees Shall Fully Cooperate With Va Or Third-party Entity Performing An Independent Risk Analysis On Behalf Of Va. Failure To Cooperate May Be Deemed A Material Breach And Grounds For Contract Termination.
va It Contractors Shall Follow Va Handbook 6500, Risk Management Framework For Va Information Systems Va Information Security Program, And Va Information Security Knowledge Service Guidance For Implementing An Incident Response Plan Or Integrating With An Existing Va Implementation.
in Instances Of Theft Or Break-in Or Other Criminal Activity, The Contractor/subcontractor Must Concurrently Report The Incident To The Appropriate Law Enforcement Entity (or Entities) Of Jurisdiction, Including The Va Oig, And The Va Office Of Security And Law Enforcement. The Contractor, Its Employees, And Its Subcontractors And Their Employees Shall Cooperate With Va And Any Law Enforcement Authority Responsible For The Investigation And Prosecution Of Any Possible Criminal Law Violation(s) Associated With Any Incident. The Contractor/subcontractor Shall Cooperate With Va In Any Civil Litigation To Recover Va Information, Obtain Monetary Or Other Compensation From A Third Party For Damages Arising From Any Incident, Or Obtain Injunctive Relief Against Any Third Party Arising From, Or Related To, The Incident.
the Contractor Shall Comply With Va Handbook 6500.2, Management Of Breaches Involving Sensitive Personal Information, Which Establishes The Breach Management Policies And Assigns Responsibilities For The Oversight, Management And Reporting Procedures Associated With Managing Of Breaches.
with Respect To Unsecured Protected Health Information (phi), The Contractor Is Deemed To Have Discovered A Data Breach When The Contractor Knew Or Should Have Known Of Breach Of Such Information. When A Business Associate Is Part Of Vha Contract, Notification To The Covered Entity (vha) Shall Be Made In Accordance With The Executed Baa.
if The Contractor Or Any Of Its Agents Fails To Protect Va Sensitive Personal Information Or Otherwise Engages In Conduct Which Results In A Data Breach Involving Any Va Sensitive Personal Information The Contractor/subcontractor Processes Or Maintains Under The Contract; The Contractor Shall Pay Liquidated Damages To The Va As Set Forth In Clause 852.211-76, Liquidated Damages Reimbursement For Data Breach Costs.
information System Design And Development. This Entire Section Applies To Information Systems, Systems, Major Applications, Minor Applications, Enclaves, And Platform Information Technologies (to Include The Subcomponents Of Each) Designed Or Developed For Or On Behalf Of Va By Any Non-va Entity.
information Systems Designed Or Developed On Behalf Of Va At Non-va Facilities Shall Comply With All Applicable Federal Law, Regulations, And Va Policies. This Includes Standards For The Protection Of Electronic Protected Health Information (phi), Outlined In 45 C.f.r. Part 164, Subpart C And Information And System Security Categorization Level Designations In Accordance With Fips 199, Standards For Security Categorization Of Federal Information And Information Systems And Fips 200, Minimum Security Requirements For Federal Information Systems. Baseline Security Controls Shall Be Implemented Commensurate With The Fips 199 System Security Categorization (reference Va Handbook 6500 And Va Trusted Internet Connections (tic) Architecture).
contracted New Developments Require Creation, Testing, Evaluation, And Authorization In Compliance With Va Assessment And Authorization (a&a) Processes In Va Handbook 6500 And Va Information Security Knowledge Service To Obtain An Authority To Operate (ato). Va Directive 6517, Risk Management Framework For Cloud Computing Services, Provides The Security And Privacy Requirements For Cloud Environments.
va It Contractors, Subcontractors And Third-party Service Providers Shall Address And/or Integrate Applicable Va Handbook 6500, Va Handbook 6517, Risk Management Framework For Cloud Computing Services And Information Security Knowledge Service Specifications In Delivered It Systems/solutions, Products And/or Services. If Systems/solutions, Products And/or Services Do Not Directly Match Va Security Requirements, The Contractor Shall Work Through The Cor/co To Identify The Va Organization Responsible For Governance Or Resolution. Contractors Shall Comply With Far 39.1, Specifically The Prohibitions Referenced.
the Contractor (including Producers And Resellers) Shall Comply With Office Of Management And Budget (omb) M-22-18 And M-23-16 When Using Third-party Software On Va Information Systems Or Otherwise Affecting The Va Information. This Includes New Software Purchases And Software Renewals For Software Developed Or Modified By Major Version Change After The Issuance Date Of M-22-18 (september 14, 2022). The Term Software Includes Firmware, Operating Systems, Applications And Application Services (e.g., Cloud-based Software), As Well As Products Containing Software. The Contractor Shall Provide A Self-attestation That Secure Software Development Practices Are Utilized As Outlined By Executive Order (eo) 14028 And Nist Guidance. A Third-party Assessment Provided By Either A Certified Federal Risk And Authorization Management Program (fedramp) Third Party Assessor Organization (3pao) Or One Approved By The Agency Will Be Acceptable In Lieu Of A Software Producer's Self-attestation.
the Contractor Shall Ensure All Delivered Applications, Systems And Information Systems Are Compliant With Homeland Security Presidential Directive (hspd) 12 And Va Identity And Access Management (iam) Enterprise Identity Management Requirements As Set Forth In Omb M-19-17, M-05-24, Fips 201-3, Personal Identity Verification (piv) Of Federal Employees And Contractors (or Its Successor), M-21-31 And Supporting Nist Guidance. This Applies To Commercial Off-the-shelf (cots) Product(s) That The Contractor Did Not Develop, All Software Configurations And All Customizations.
the Contractor Shall Ensure All Contractor Delivered Applications And Systems Provide User Authentication Services Compliant With Va Handbook 6500, Va Information Security Knowledge Service, Iam Enterprise Requirements And Nist 800-63, Digital Identity Guidelines, For Direct, Assertion-based Authentication And/or Trust-based Authentication, As Determined By The Design And Integration Patterns. Direct Authentication At A Minimum Must Include Public Key Infrastructure (pki) Based Authentication Supportive Of Piv And/or Common Access Card (cac), As Determined By The Business Need And Compliance With Va Information Security Knowledge Service Specifications.
the Contractor Shall Use Va Authorized Technical Security Baseline Configurations And Certify To The Cor That Applications Are Fully Functional And Operate Correctly As Intended On Systems In Compliance With Va Baselines Prior To Acceptance Or Connection Into An Authorized Va Computing Environment. If The Defense Information Systems Agency (disa) Has Created A Security Technical Implementation Guide (stig) For The Technology, The Contractor May Configure To Comply With That Stig. If Va Determines A New Or Updated Va Configuration Baseline Needs To Be Created, The Contractor Shall Provide Required Technical Support To Develop The Configuration Settings. Far 39.1 Requires The Population Of Operating Systems And Applications Includes All Listed On The Nist National Checklist Program Checklist Repository.
the Standard Installation, Operation, Maintenance, Updating And Patching Of Software Shall Not Alter The Configuration Settings From Va Approved Baseline Configuration. Software Developed For Va Must Be Compatible With Va Enterprise Installer Services And Install To The Default Program Files Directory With Silently Install And Uninstall. The Contractor Shall Perform Testing Of All Updates And Patching Prior To Implementation On Va Systems.
applications Designed For Normal End Users Will Run In The Standard User Context Without Elevated System Administration Privileges.
the Contractor-delivered Solutions Shall Reside On Va Approved Operating Systems. Exceptions To This Will Only Be Granted With The Written Approval Of The Cor/co.
the Contractor Shall Design, Develop, And Implement Security And Privacy Controls In Accordance With The Provisions Of Va Security System Development Life Cycle Outlined In Nist 800-37, Risk Management Framework For Information Systems And Organizations: A System Life Cycle Approach For Security And Privacy, Va Directive And Handbook 6500, And Va Handbook 6517.
the Contractor Shall Comply With The Privacy Act Of 1974 (the Act), Far 52.224-2 Privacy Act, And Va Rules And Regulations Issued Under The Act In The Design, Development, Or Operation Of Any System Of Records On Individuals To Accomplish A Va Function.
the Contractor Shall Ensure The Security Of All Procured Or Developed Information Systems, Systems, Major Applications, Minor Applications, Enclaves And Platform Information Technologies, Including Their Subcomponents (hereinafter Referred To As "Information Systems") Throughout The Life Of This Contract And Any Extension, Warranty, Or Maintenance Periods. This Includes Security Configurations, Workarounds, Patches, Hotfixes, Upgrades, Replacements And Any Physical Components Which May Be Necessary To Remediate All Security Vulnerabilities Published Or Known To The Contractor Anywhere In The Information Systems (including Systems, Operating Systems, Products, Hardware, Software, Applications And Firmware). The Contractor Shall Ensure Security Fixes Do Not Negatively Impact The Information Systems.
when The Contractor Is Responsible For Operations Or Maintenance Of The Systems, The Contractor Shall Apply The Security Fixes Within The Timeframe Specified By The Associated Controls On The Va Information Security Knowledge Service. When Security Fixes Involve Installing Third Party Patches (such As Microsoft Os Patches Or Adobe Acrobat), The Contractor Shall Provide Written Notice To The Va Cor/co That The Patch Has Been Validated As To Not Affecting The Systems Within 10 Business Days.
information System Hosting, Operation, Maintenance Or Use.
this Entire Section Applies To Information Systems, Systems, Major Applications, Minor Applications, Enclaves, And Platform Information Technologies (cloud And Non-cloud) Hosted, Operated, Maintained, Or Used On Behalf Of Va At Non-va Facilities.
the Contractor Shall Comply With All Federal Laws, Regulations, And Va Policies For Information Systems (cloud And Non-cloud) That Are Hosted, Operated, Maintained, Or Used On Behalf Of Va At Non-va Facilities. Security Controls For Collecting, Processing, Transmitting, And Storing Of Va Sensitive Information, Must Be In Place. The Controls Will Be Tested By Va Or A Va Sanctioned 3pao And Approved By Va Prior To Hosting, Operation, Maintenance Or Use Of The Information System Or Systems By Or On Behalf Of Va. This Includes Conducting Compliance Risk Assessments, Security Architecture Analysis, Routine Vulnerability Scanning, System Patching, Change Management Procedures And The Completion Of An Acceptable Contingency Plan For Each System. The Contractor's Security Control Procedures Shall Be The Same As Procedures Used To Secure Va-operated Information Systems.
outsourcing (contractor Facility, Equipment, Or Staff) Of Systems Or Network Operations, Telecommunications Services Or Other Managed Services Require Assessment And Authorization (a&a) Of The Contractor's Systems In Accordance With Va Handbook 6500 As Specified In Va Information Security Knowledge Service. Major Changes To The A&a Package May Require Reviewing And Updating All The Documentation Associated With The Change. The Contractor's Cloud Computing Systems Shall Comply With Fedramp And Va Directive 6517 Requirements.
the Contractor Shall Return All Electronic Storage Media (hard Drives, Optical Disks, Cds, Back-up Tapes, Etc.) On Non-va Leased Or Non-va Owned It Equipment Used To Store, Process Or Access Va Information To Va In Accordance With A&a Package Requirements. This Applies When The Contract Is Terminated Or Completed And Prior To Disposal Of Media. The Contractor Shall Provide Its Plan For Destruction Of All Va Data In Its Possession According To Va Information Security Knowledge Service Requirements And Nist 800-88. The Contractor Shall Send A Self-certification That The Data Destruction Requirements Above Have Been Met To The Cor/co Within 30 Business Days Of Termination Of The Contract.
all External Internet Connections To Va Network Involving Va Information Must Be In Accordance With Va Trusted Internet Connection (tic) Reference Architecture And Va Directive And Handbook 6513, Secure External Connections And Reviewed And Approved By Va Prior To Implementation. Government-owned Contractor-operated Systems, Third Party Or Business Partner Networks Require A Memorandum Of Understanding (mou) And Interconnection Security Agreements (isa).
contractor Procedures Shall Be Subject To Periodic, Announced, Or Unannounced Assessments By Va Officials, The Oig Or A 3pao. The Physical Security Aspects Associated With Contractor Activities Are Also Subject To Such Assessments. The Contractor Shall Report, In Writing, Any Deficiencies Noted During The Above Assessment To The Va Cor/co. The Contractor Shall Use Va's Defined Processes To Document Planned Remedial Actions That Address Identified Deficiencies In Information Security Policies, Procedures, And Practices. The Contractor Shall Correct Security Deficiencies Within The Timeframes Specified In The Va Information Security Knowledge Service.
all Major Information System Changes Which Occur In The Production Environment Shall Be Reviewed By The Va To Determine The Impact On Privacy And Security Of The System. Based On The Review Results, Updates To The Authority To Operate (ato) Documentation And Parameters May Be Required To Remain In Compliance With Va Handbook 6500 And Va Information Security Knowledge Service Requirements.
the Contractor Shall Conduct An Annual Privacy And Security Self-assessment On All Information Systems And Outsourced Services As Required. Copies Of The Assessment Shall Be Provided To The Cor/co. The Va/government Reserves The Right To Conduct Assessment Using Government Personnel Or A Third-party If Deemed Necessary. The Contractor Shall Correct Or Mitigate Any Weaknesses Discovered During The Assessment.
va Prohibits The Installation And Use Of Personally Owned Or Contractor-owned Equipment Or Software On Va Information Systems. If Non-va Owned Equipment Must Be Used To Fulfill The Requirements Of A Contract, It Must Be Stated In The Service Agreement, Sow, Pws, Pd Or Contract. All Security Controls Required For Government Furnished Equipment Must Be Utilized In Va Approved Other Equipment (oe). Configuration Changes To The Contractor Oe, Must Be Funded By The Owner Of The Equipment. All Remote Systems Must Use A Va-approved Antivirus Software And A Personal (host-based Or Enclave Based) Firewall With A Va-approved Configuration. The Contractor Shall Ensure Software On Oe Is Kept Current With All Critical Updates And Patches. Owners Of Approved Oe Are Responsible For Providing And Maintaining The Anti-virus Software And The Firewall On The Non-va Owned Oe. Approved Contractor Oe Will Be Subject To Technical Inspection At Any Time.
the Contractor Shall Notify The Cor/co Within One Hour Of Disclosure Or Successful Exploits Of Any Vulnerability Which Can Compromise The Confidentiality, Integrity, Or Availability Of The Information Systems. The System Or Affected Component(s) Need(s) To Be Isolated From The Network. A Forensic Analysis Needs To Be Conducted Jointly With Va. Such Issues Will Be Remediated As Quickly As Practicable, But In No Event Longer Than The Timeframe Specified By Va Information Security Knowledge Service. If Sensitive Personal Information Is Compromised, Reference Va Handbook 6500.2 And Section 5, Security Incident Investigation.
for Cases Wherein The Contractor Discovers Material Defects Or Vulnerabilities Impacting Products And Services They Provide To Va, The Contractor Shall Develop And Implement Policies And Procedures For Disclosure To Va, As Well As Remediation. The Contractor Shall, Within 30 Business Days Of Discovery, Document A Summary Of These Vulnerabilities Or Defects. The Documentation Will Include A Description Of The Potential Impact Of Each Vulnerability And Material Defect, Compensating Security Controls, Mitigations, Recommended Corrective Actions, Root Cause Analysis And/or Workarounds (i.e., Monitoring). Should There Exist Any Backdoors In The Products Or Services They Provide To Va (referring To Methods For Bypassing Computer Authentication), The Contractor Shall Provide The Va Co/co Written Assurance They Have Permanently Remediated These Backdoors.
all Other Vulnerabilities, Including Those Discovered Through Routine Scans Or Other Assessments, Will Be Remediated Based On Risk, In Accordance With The Remediation Timelines Specified By The Va Information Security Knowledge Service And/or The Applicable Timeframe Mandated By Cybersecurity & Infrastructure Security Agency (cisa) Binding Operational Directive (bod) 22-01 And Bod 19-02 For Internet-accessible Systems. Exceptions To This Paragraph Will Only Be Granted With The Approval Of The Cor/co.
security And Privacy Controls Compliance Testing, Assessment And Auditing. This Entire Section Applies Whenever Section 6 Or 7 Is Included.
should Va Request It, The Contractor Shall Provide A Copy Of Their (corporation's, Sole Proprietorship's, Partnership's, Limited Liability Company's (llc), Or Other Business Structure Entity's) Policies, Procedures, Evidence And Independent Report Summaries Related To Specified Cybersecurity Frameworks (international Organization For Standardization (iso), Nist Cybersecurity Framework (csf), Etc.). Va Or Its Third-party/partner Designee (if Applicable) Are Further Entitled To Perform Their Own Audits And Security/penetration Tests Of The Contractor's It Or Systems And Controls, To Ascertain Whether The Contractor Is Complying With The Information Security, Network Or System Requirements Mandated In The Agreement Between Va And The Contractor.
any Audits Or Tests Of The Contractor Or Third-party Designees/partner Va Elects To Carry Out Will Commence Within 30 Business Days Of Va Notification. Such Audits, Tests And Assessments May Include The Following: (a): Security/penetration Tests Which Both Sides Agree Will Not Unduly Impact Contractor Operations; (b): Interviews With Pertinent Stakeholders And Practitioners; (c): Document Review; And (d): Technical Inspections Of Networks And Systems The Contractor Uses To Destroy, Maintain, Receive, Retain, Or Use Va Information.
as Part Of These Audits, Tests And Assessments, The Contractor Shall Provide All Information Requested By Va. This Information Includes, But Is Not Limited To, The Following: Equipment Lists, Network Or Infrastructure Diagrams, Relevant Policy Documents, System Logs Or Details On Information Systems Accessing, Transporting, Or Processing Va Data.
the Contractor, At Its Own Expense, Shall Comply With Any Recommendations Resulting From Va Audits, Inspections And Tests. Va Further Retains The Right To View Any Related Security Reports The Contractor Has Generated As Part Of Its Own Security Assessment. The Contractor Shall Also Notify Va Of The Existence Of Any Such Security Reports Or Other Related Assessments, Upon Completion And Validation.
va Appointed Auditors Or Other Government Agency Partners May Be Granted Access To Such Documentation On A Need-to-know Basis And Coordinated Through The Cor/co. The Contractor Shall Comply With Recommendations Which Result From These Regulatory Assessments On The Part Of Va Regulators And Associated Government Agency Partners.
product Integrity, Authenticity, Provenance, Anti-counterfeit And Anti-tampering. This Entire Section Applies When The Acquisition Involves Any Product (application, Hardware, Or Software) Or When Section 6 Or 7 Is Included.
the Contractor Shall Comply With Code Of Federal Regulations (cfr) Title 15 Part 7, Securing The Information And Communications Technology And Services (icts) Supply Chain, Which Prohibits Icts Transactions From Foreign Adversaries. Icts Transactions Are Defined As Any Acquisition, Importation, Transfer, Installation, Dealing In Or Use Of Any Information And Communications Technology Or Service, Including Ongoing Activities, Such As Managed Services, Data Transmission, Software Updates, Repairs Or The Platforming Or Data Hosting Of Applications For Consumer Download.
when Contracting Terms Require The Contractor To Procure Equipment, The Contractor Shall Purchase Or Acquire The Equipment From An Original Equipment Manufacturer (oem) Or An Authorized Reseller Of The Oem. The Contractor Shall Attest That Equipment Procured From An Oem Or Authorized Reseller Or Distributor Are Authentic. If Procurement Is Unavailable From An Oem Or Authorized Reseller, The Contractor Shall Submit In Writing, Details Of The Circumstances Prohibiting This From Happening And Procure A Product Waiver From The Va Cor/co.
all Contractors Shall Establish, Implement, And Provide Documentation For Risk Management Practices For Supply Chain Delivery Of Hardware, Software (to Include Patches) And Firmware Provided Under This Agreement. Documentation Will Include Chain Of Custody Practices, Inventory Management Program, Information Protection Practices, Integrity Management Program For Sub-supplier Provided Components, And Replacement Parts Requests. The Contractor Shall Make Spare Parts Available. All Contractor(s) Shall Specify How Digital Delivery For Procured Products, Including Patches, Will Be Validated And Monitored To Ensure Consistent Delivery. The Contractor Shall Apply Encryption Technology To Protect Procured Products Throughout The Delivery Process.
if A Contractor Provides Software Or Patches To Va, The Contractor Shall Publish Or Provide A Hash Conforming To The Fips Security Requirements For Cryptographic Modules (fips 140-2 Or Successor).
the Contractor Shall Provide A Software Bill Of Materials (sbom) For Procured (to Include Licensed Products) And Consist Of A List Of Components And Associated Metadata Which Make Up The Product. Sboms Must Be Generated In One Of The Data Formats Defined In The National Telecommunications And Information Administration (ntia) Report The Minimum Elements For A Software Bill Of Materials (sbom).
contractors Shall Use Or Arrange For The Use Of Trusted Channels To Ship Procured Products, Such As U.s. Registered Mail And/or Tamper-evident Packaging For Physical Deliveries.
throughout The Delivery Process, The Contractor Shall Demonstrate A Capability For Detecting Unauthorized Access (tampering).
the Contractor Shall Demonstrate Chain-of-custody Documentation For Procured Products And Require Tamper-evident Packaging For The Delivery Of This Hardware.
viruses, Firmware And Malware. This Entire Section Applies When The Acquisition Involves Any Product (application, Hardware, Or Software) Or When Section 6 Or 7 Is Included.
the Contractor Shall Execute Due Diligence To Ensure All Provided Software And Patches, Including Third-party Patches, Are Free Of Viruses And/or Malware Before Releasing Them To Or Installing Them On Va Information Systems.
the Contractor Warrants It Has No Knowledge Of And Did Not Insert, Any Malicious Virus And/or Malware Code Into Any Software Or Patches Provided To Va Which Could Potentially Harm Or Disrupt Va Information Systems. The Contractor Shall Use Due Diligence, If Supplying Third-party Software Or Patches, To Ensure The Third-party Has Not Inserted Any Malicious Code And/or Virus Which Could Damage Or Disrupt Va Information Systems.
the Contractor Shall Provide Or Arrange For The Provision Of Technical Justification As To Why Any False Positive Hit Has Taken Place To Ensure Their Code's Supply Chain Has Not Been Compromised. Justification May Be Required, But Is Not Limited To, When Install Files, Scripts, Firmware, Or Other Contractor-delivered Software Solutions (including Third-party Install Files, Scripts, Firmware, Or Other Software) Are Flagged As Malicious, Infected, Or Suspicious By An Anti-virus Vendor.
the Contractor Shall Not Upload (intentionally Or Negligently) Any Virus, Worm, Malware Or Any Harmful Or Malicious Content, Component And/or Corrupted Data/source Code (hereinafter "Virus Or Other Malware") Onto Va Computer And Information Systems And/or Networks. If Introduced (and This Clause Is Violated), Upon Written Request From The Va Co, The Contractor Shall:
take All Necessary Action To Correct The Incident, To Include Any And All Assistance To Va To Eliminate The Virus Or Other Malware Throughout Va's Information Networks, Computer Systems And Information Systems; And
use Commercially Reasonable Efforts To Restore Operational Efficiency And Remediate Damages Due To Data Loss Or Data Integrity Damage, If The Virus Or Other Malware Causes A Loss Of Operational Efficiency, Data Loss, Or Damage To Data Integrity.
cryptographic Requirement. This Entire Section Applies Whenever Section 6 Or 7 Is Included.
the Contractor Shall Document How The Cryptographic System Supporting The Contractor's Products And/or Services Protects The Confidentiality, Data Integrity, Authentication And Non-repudiation Of Devices And Data Flows In The Underlying System.
the Contractor Shall Use Only Approved Cryptographic Methods As Defined In Fips 140-2 (or Its Successor) And Nist 800-52 Standards When Enabling Encryption On Its Products.
the Contractor Shall Provide Or Arrange For The Provision Of An Automated Remote Key-establishment Method Which Protects The Confidentiality And Integrity Of The Cryptographic Keys.
the Contractor Shall Ensure Emergency Re-keying Of All Devices Can Be Remotely Performed Within 30 Business Days.
the Contractor Shall Provide Or Arrange For The Provision Of A Method For Updating Cryptographic Primitives Or Algorithms.
patching Governance. This Entire Section Applies Whenever Section 7 Is Included.
the Contractor Shall Provide Documentation Detailing The Patch Management, Vulnerability Management, Mitigation And Update Processes (to Include Third-party) Prior To The Connection Of Electronic Devices, Assets Or Equipment To Va's Assets. This Documentation Will Include Information Regarding The Following:
the Resources And Technical Capabilities To Sustain The Program Or Process (e.g., How The Integrity Of A Patch Is Validated By Va); And
the Approach And Capability To Remediate Newly Reported Zero-day Vulnerabilities For Contractor Products.
the Contractor Shall Verify And Provide Documentation That All Procured Products (including Third-party Applications, Hardware, Software, Operating Systems, And Firmware) Have Appropriate Updates And Patches Installed Prior To Delivery To Va.
the Contractor Shall Provide Or Arrange The Provision Of Appropriate Software And Firmware Updates To Remediate Newly Discovered Vulnerabilities Or Weaknesses For Their Products And Services Within 30 Days Of Discovery. Updates To Remediate Critical Or Emergent Vulnerabilities Will Be Provided Within Seven Business Days Of Discovery. If Updates Cannot Be Made Available By Contractor Within These Time Periods, The Contractor Shall Submit Mitigations, Methods Of Exploit Detection And/or Workarounds To The Cor/co Prior To The Above Deadlines.
the Contractor Shall Provide Or Arrange For The Provision Of Appropriate Hardware, Software And/or Firmware Updates, When Those Products, Including Open-source Software, Are Provided To The Va, To Remediate Newly Discovered Vulnerabilities Or Weaknesses. Remediations Of Products Or Services Provided To The Va's System Environment Must Be Provided Within 30 Business Days Of Availability From The Original Supplier And/or Patching Source. Updates To Remediate Critical Vulnerabilities Applicable To The Contractor's Use Of The Third-party Product In Its System Environment Will Be Provided Within Seven Business Days Of Availability From The Original Supplier And/or Patching Source. If Applicable Third-party Updates Cannot Be Integrated, Tested And Made Available By Contractor Within These Time Periods, Mitigations And/or Workarounds Will Be Provided To The Cor/co Before The Above Deadlines.
specialized Devices/systems (medical Devices, Special Purpose Systems, Research Scientific Computing). This Entire Section Applies When The Acquisition Includes One Or More Medical Device, Special Purpose System Or Research Scientific Computing Device. If Appropriate, Ensure Selected Clauses From Section 6 Or 7 And 8 Through 12 Are Included.
contractor Supplies/delivered Medical Devices, Special Purpose Systems-operational Technology (sps-ot) And Research Scientific Computing Devices Shall Comply With All Applicable Federal Law, Regulations, And Va Policies. New Developments Require Creation, Testing, Evaluation, And Authorization In Compliance With Processes Specified On The Specialized Device Cybersecurity Department Enterprise Risk Management (sdcd-erm) Portal, Va Directive 6550, Pre-procurement Assessment And Implementation Of Medical Devices/systems, Va Handbook 6500, And The Va Information Security Knowledge Service. Deviations From Federal Law, Regulations, And Va Policy Are Identified And Documented As Part Of Va Directive 6550 And/or The Va Enterprise Risk Analysis (era) Processes For Specialized Devices/systems Processes.
all Contractors And Third-party Service Providers Shall Address And/or Integrate Applicable Va Handbook 6500 And Information Security Knowledge Service Specifications In Delivered It Systems/solutions, Products And/or Services. If Systems/solutions, Products And/or Services Do Not Directly Match Va Security Requirements, The Contractor Shall Work Through The Cor/co For Governance Or Resolution.
the Contractor Shall Certify To The Cor/co That Devices/systems That Have Completed The Va Enterprise Risk Analysis (era) Process For Specialized Devices/systems Are Fully Functional And Operate Correctly As Intended. Devices/systems Must Follow The Va Era Authorized Configuration Prior To Acquisition And Connection To The Va Computing Environment. If Va Determines A New Va Era Needs To Be Created, The Contractor Shall Provide Required Technical Support To Develop The Configuration Settings. Major Changes To A Previously Approved Device/system Will Require A New Era.
the Contractor Shall Comply With All Practices Documented By The Food And Drug Administration (fda) Premarket Submission For Management Of Cybersecurity In Medical Devices And Postmarket Management Of Cybersecurity In Medical Devices.
the Contractor Shall Design Devices Capable Of Accepting All Applicable Security Patches With Or Without The Support Of The Contractor Personnel. If Patching Can Only Be Completed By The Contractor, The Contractor Shall Commit The Resources Needed To Patch All Applicable Devices At All Va Locations. If Unique Patching Instructions Or Packaging Is Needed, The Contractor Shall Provide The Necessary Information In Conjunction With The Validation/testing Of The Patch. The Contractor Shall Apply Security Patches Within 30 Business Days Of The Patch Release And Have A Formal Tracking Process For Any Security Patches Not Implemented To Include Explanation When A Device Cannot Be Patched.
the Contractor Shall Provide Devices Able To Install And Maintain Va-approved Antivirus Capabilities With The Capability To Quarantine Files And Be Updated As Needed In Response To Incidents. Alternatively, A Va-approved Whitelisting Application May Be Used When The Contractor Cannot Install An Anti-virus/anti-malware Application.
the Contractor Shall Verify And Document All Software Embedded Within The Device Does Not Contain Any Known Viruses Or Malware Before Delivery To Or Installation At A Va Location.
devices And Other Equipment Or Systems Containing Media (hard Drives, Optical Disks, Solid State, And Storage Via Chips/firmware) With Va Sensitive Information Will Be Returned To The Contractor With Media Removed. When The Contract Requires Return Of Equipment, The Options Available To The Contractor Are The Following:
the Contractor Shall Accept The System Without The Drive, Firmware And Solid State.
va's Initial Device Purchase Includes A Spare Drive Or Other Replacement Media Which Must Be Installed In Place Of The Original Drive At Time Of Turn-in; Or
due To The Highly Specialized And Sometimes Proprietary Hardware And Software Associated With The Device, If It Is Not Possible For Va To Retain The Hard Drive, Firmware, And Solid State, Then:
the Equipment Contractor Shall Have An Existing Baa If The Device Being Traded In Has Sensitive Information Stored On It And Hard Drive(s) From The System Are Being Returned Physically Intact.
any Fixed Hard Drive, Complementary Metal-oxide-semiconductor (cmos), Programmable Read-only Memory (prom), Solid State And Firmware On The Device Must Be Non-destructively Sanitized To The Greatest Extent Possible Without Negatively Impacting System Operation. Selective Clearing Down To Patient Data Folder Level Is Recommended Using Va Approved And Validated Overwriting Technologies/methods/tools. Applicable Media Sanitization Specifications Need To Be Pre-approved And Described In The Solicitation, Contract, Or Order.
data Center Provisions. This Entire Section Applies Whenever The Acquisition Requires An Interconnection To/from The Va Network To/from A Non-va Location.
the Contractor Shall Ensure The Va Network Is Accessed In Accordance With Va Directive 6500 And Iam Security Processes Specified In The Va Information Security Knowledge Service.
the Contractor Shall Ensure Network Infrastructure And Data Availability In Accordance With Va Information System Business Continuity Procedures Specified In The Va Information Security Knowledge Service.
the Contractor Shall Ensure Any Connections To The Internet Or Other External Networks For Information Systems Occur Through Managed Interfaces Utilizing Va Approved Boundary Protection Devices (e.g., Internet Proxies, Gateways, Routers, Firewalls, Guards Or Encrypted Tunnels).
the Contractor Shall Encrypt All Traffic Across The Segment Of The Wide Area Network (wan) It Manages And No Unencrypted Out Of Band (oob) Internet Protocol (ip) Traffic Will Traverse The Network.
the Contractor Shall Ensure Tunnel Endpoints Are Routable Addresses At Each Va Operating Site.
the Contractor Shall Secure Access From Local Area Networks (lans) At Co-located Sites In Accordance With Va Tic Reference Architecture, Va Directive And Handbook 6513, And Mou/isa Process Specified In The Va Information Security Knowledge Service.
Closing Date: 19 Feb 2025
Tender Amount: Refer Documents