J– Service Maintenance Agreement for Cannon OCE Machine. West Haven VAMC
Notice Type: Sources Sought Notice
Posted Date:
Office Address:
Subject: J-- Service Maintenance Agreement for Cannon OCE Machine. West Haven VAMC
Classification Code: J - Maintenance, repair & rebuilding of equipment
Solicitation Number: 36C24118Q0041
Contact: Stacy S DionContracting Specialist 802-296-5105 mailto:[email protected] [Contracting Officer]
Setaside: N/AN/A
Place of Performance (address): VA CONNECTIVUT HEALTHCARE SYSTEM;950 CAMPBELL AVE;WEST HAVEN
Place of Performance (zipcode): 06516
Place of Performance Country:
Description:
White River Junction VAMROC
9
DESCRIPTION/SPECIFICATIONS/STATEMENT OF WORK
I. WEST HAVEN VAMC Service Maintenance Agreement for Cannon/OCE Copiers
GENERAL INFORMATION
Scope of Work: The Contractor shall provide all service and maintenance to include all parts, labor and toner for the leased Copy. Copy machines are networked by the West Haven VAMC IT Staff only.
Performance Period: The period of performance is
Place of Performance:
Service Maintenance for Model VP4120 OCE machine, Serial # 400101124 for period of performance. Fixed Copy allowance 200,000 per month Equipment Location: VAMC Center 950 Campbell Ave. West Haven CT. 06516 and excess copy allotment
Excess copies allotment for Model VP4120 West Haven Campus OCE Machine Serial # 400101124.
ORDERING
The authorized ordering office will ensure that compliance is met for all Purchase Agreement orders.
2. CONTRACTOR REQUIREMENTS
Awarded contractor shall have the ability to provide Digital Multifunction Devices (MFD), onsite maintenance, Document Imaging conversion services, Managed Print assessment and associated services that may be required by the West Haven VAMC under this Custom Use Purchase Agreement.
3. CONTRACTOR PERSONNEL
All contractor personnel who are repair personnel shall possess the skills, knowledge and ability to perform the services required by this contract must be
All personnel employed by the contractor in the performance of this contract, or any representative of the contractor entering West Haven VAMC, shall abide by all the regulations of the installation which may be in effect during the contract period. The contractor shall perform work requirements in a manner to protect building occupants from any harm or injury. Work shall be scheduled to afford this protection.
4. TECHNICAL/MAINTENACE SUPPORT
4.1 RESPONSE TO SERVICE CALLS
The contractors will respond to service calls during normal working hours Monday through Friday. Excluding holidays observed by the Federal Government. The vendor must respond to verbal service calls within four (4) working hours after notification of malfunction. Service calls for machines identified as critical shall be responded to within (2) working hours. The response time on a service call starts when the authorized personnel of West Haven VAMC places a service call to the vendor. The service technician will report to the agency/activity requesting service and notify them of his/her arrival and verify the problem for which the service call was made. After the call is completed, the service technician will contact the service requester and identify whether or not the service has been completed satisfactory. In the event a service call is not been completed, the service technician shall indicate the anticipated date of final completion. A copy of the service report shall be furnished to the COTR within two days.
The contractor must provide a toll-free telephone number for service calls which must be answered during at least eight working hours,
The vendor must have sufficient management and qualified dedicated technicians to service the copier. The vendor must have a crew of qualified and trained service and delivery personnel in sufficient numbers to service and support the requirements under contract within the specified response time.
4.2 CONSUMABLE SUPPLIES
All consumable supplies are to be furnished by the contractor, including toner, and staples (for Copiers equipped with automatic stapling capability) for Black and White. Excludes; paper and transparencies.
4.3 CONTRACTOR REPORTS
4.3.1 MONTHLY REPORTS.
The
4.3.2 QUARTERLY REPORT.
The contractor shall meet with the Contracting Officer and the COTR regarding the quarterly report no later than the 15th workday of the month for the preceding three months. These reports should also provide quarterly/monthly meters; total calls; average volume between calls, average response time; call type; technician name, symptom and description of repair. The contractor shall make available the use of these reports for the purpose of providing meter readings and maintenance calls by the customers. Contractor will provide all service reports upon request within 24 hours of request.
4.3.3 MAINTENANCE REPORTS.
The contractor shall complete a maintenance report upon the completion of each maintenance service/repair call. Report shall include time or arrival on-site, date and time of service completed; and a description of service(s) rendered. A copy of the reports shall be emailed to the COTR within 2 working days.
5.1 PROPERTY
The contractor shall be responsible for safeguarding all property provided for contractor use at the close of each work period, facilities, equipment and materials shall be secured. The contractor shall maintain sufficient insurance to protect itself against loss or damage as a result of fire, theft or acts of nature. Negligence is defined as, but not limited to, using other than contractor provided supplies and parts that are defective, or not acceptable for use on contractor government owned equipment.
5.3 SECURITY REQUIRMENTS
All contractor personnel shall obtain a short-term identification badge issued by the Project Manager. Such badge shall be worn by the individual and prominently displayed at all times while on
All contractor personnel are subject to inspection of personal effects when entering or leaving the project site.
VA Sensitive Information the contractor shall review the attached documents with signatures required in accordance to the instructions provided in the following:
VHA Handbook 6500.6 Appendix C & D VA INFORMATION AND INFORMATION SYSTEM SECURITY/PRIVACY LANGUAGE FOR INCLUSION INTO CONTRACTS, AS APPROPRIATE, SHALL TAKE THE TRAINING OUTLINED IN SECTION 9
VHA Privacy PowerPoint
The C& A Requirements do not apply and a Security Accreditation Package is not required.
Background Investigations and Special Agreement Checks
All contractor employees are subject to the same level of investigation as
The contractor shall bear the expense of obtaining background investigations. If the investigation is conducted by the
6. VEHICLE REQUIREMENTS
Vehicle Registration. The Contractor shall fully comply with the vehicle registration requirements regarding Contractor-owned and Contractor employee privacy owned vehicles (POV).
Contractor vehicles and Contractor employee POV's will be searched if the appropriate passes/decals are not displayed when entering West Haven VAMC Access Control Points (ACPs). All vehicles, including those with passes/decals, are subject to random search at any time.
8. TECHNICAL REQUIREMENTS
8.1 CONTRACTOR RESPONSIBILITIES
In addition the contractor shall provide security measures to protect VAMC West Haven MFDs from unauthorized usage. Make available an electronic fax and scan solution capable of integrating with the
8.2 SURRENDER OF HDD
Upon de-installation of MFD or replacement of
1. SUBPART 839.2 INFORMATION AND INFORMATION TECHNOLOGY SECURITYREQUIREMENTS
839.201 Contract clause for Information and Information Technology Security:
a. Due to the threat of data breach, compromise or loss of information that resides on
either
regulations,
b. In solicitations and contracts where VA Sensitive Information or Information Technology will be accessed or utilized, the CO shall insert the clause found at 852.273-75, Security
Requirements for Unclassified Information Technology Resources.
2. 852.273-75 - SECURITY REQUIREMENTS FOR UNCLASSIFIED INFORMATION
TECHNOLOGY RESOURCES (INTERIM-
As prescribed in 839.201, insert the following clause:
The contractor, their personnel, and their subcontractors shall be subject to the Federal laws, regulations, standards, and VA Directives and Handbooks regarding information and information system security as delineated in this contract.
3. COTR and Contractor Open and read enclosed VA HANDBOOK 6500.6 CONTRACT SECURITY Appendix C
VA INFORMATION AND INFORMATION SYSTEM SECURITY/PRIVACY LANGUAGE FOR INCLUSION INTO CONTRACTS, AS APPROPRIATE.
GENERAL
Contractors, contractor personnel, subcontractors, and subcontractor personnel shall be subject to the same Federal laws, regulations, standards, and VA Directives and Handbooks as
ACCESS TO VA INFORMATION AND VA INFORMATION SYSTEMS
A contractor/subcontractor shall request logical (technical) or physical access to
All contractors, subcontractors, and third-party servicers and associates working with
Contract personnel who require access to national security programs must have a valid security clearance. National Industrial Security Program (NISP) was established by Executive Order 12829 to ensure that cleared
Custom software development and outsourced operations must be located in the
The contractor or subcontractor must notify the Contracting Officer immediately when an employee working on a
3. VA INFORMATION CUSTODIAL LANGUAGE
Information made available to the contractor or subcontractor by
Prior to termination or completion of this contract, contractor/subcontractor must not destroy information received from
The contractor/subcontractor must receive, gather, store, back up, maintain, use, disclose and dispose of
The contractor/subcontractor shall not make copies of
f. If
If a VHA contract is terminated for cause, the associated BAA must also be terminated and appropriate actions taken in accordance with VHA Handbook 1600.01, Business Associate Agreements. Absent an agreement to use or disclose protected health information, there is no business associate relationship.
The contractor/subcontractor must store, transport, or transmit
The contractor/subcontractor s firewall and Web services security controls, if applicable, shall meet or exceed
Except for uses and disclosures of
Notwithstanding the provision above, the contractor/subcontractor shall not release
For service that involves the storage, generating, transmitting, or exchanging of
5. INFORMATION SYSTEM HOSTING, OPERATION, MAINTENANCE, OR USE
f.
g. All electronic storage media used on non-
h. Bio-Medical devices and other equipment or systems containing media (hard drives, optical disks, etc.) with
Vendor must accept the system without the drive;
6. SECURITY INCIDENT INVESTIGATION
The term security incident means an event that has, or could have, resulted in unauthorized access to, loss or damage to
To the extent known by the contractor/subcontractor, the contractor/subcontractor s notice to
With respect to unsecured protected health information, the business associate is deemed to have discovered a data breach when the business associate knew or should have known of a breach of such information. Upon discovery, the business associate must notify the covered entity of the breach. Notifications need to be made in accordance with the executed business associate agreement.
In instances of theft or break-in or other criminal activity, the contractor/subcontractor must concurrently report the incident to the appropriate law enforcement entity (or entities) of jurisdiction, including the VA OIG and Security and Law Enforcement. The contractor, its employees, and its subcontractors and their employees shall cooperate with
7. LIQUIDATED DAMAGES FOR DATA BREACH
a, Consistent with the requirements of 38 U.S.C. --5725, a contract may require access to sensitive personal information. If so, the contractor is liable to
b. The contractor/subcontractor shall provide notice to
a. Each risk analysis shall address all relevant information concerning the data breach, including the following:
(1) Nature of the event (loss, theft, unauthorized access);
(2) Description of the event, including:
(b).date of occurrence;
(c).data elements involved, including any PII, such as full name, social security number, date of birth, home address, account number, disability code;
(3) Number of individuals affected or potentially affected;
(4) Names of individuals or groups affected or potentially affected;
(5) Ease of logical data access to the lost, stolen or improperly accessed data in light of the degree of protection for the data, e.g., unencrypted, plain text;
(6) Amount of time the data has been out of
(7) The likelihood that the sensitive personal information will or has been compromised (made accessible to and usable by unauthorized persons);
Known misuses of data containing sensitive personal information, if any;
Assessment of the potential harm to the affected individuals;
Data breach analysis as outlined in 6500.2 Handbook, Management of Security and Privacy Incidents, as appropriate; and
(11) Whether credit protection services may assist record subjects in avoiding or mitigating the results of identity theft based on the sensitive personal information that may have been compromised.
d. Based on the determinations of the independent risk analysis, the contractor shall be responsible for paying to the
Notification;
One year of credit monitoring services consisting of automatic daily monitoring of at least 3 relevant credit bureau reports;
Data breach analysis;
(4) Fraud resolution services, including writing dispute letters, initiating fraud alerts and credit freezes, to assist affected individuals to bring matters to resolution;
One year of identity theft insurance with
Necessary legal expenses the subjects may incur to repair falsified or damaged credit records, histories, or financial affairs.
8. SECURITY CONTROLS COMPLIANCE TESTING
On a periodic basis,
(a). Since the Technician is only in the building for an hour and is escorted a NACI is not necessary, a SAC is all that is required.
9. TRAINING
a. All contractor employees and subcontractor employees requiring access to
Sign and acknowledge (either manually or electronically) understanding of and responsibilities for compliance with the Contractor Rules of Behavior, Appendix E relating to access to
Successfully complete the VA Cyber Security Awareness and Rules of Behavior training and annually complete required security training;
Successfully complete the appropriate
Successfully complete any additional cyber security or privacy training, as required for
b. The contractor shall provide to the contracting officer and/or the COTR a copy of the training certificates and certification of signing the Contractor Rules of Behavior for each applicable employee within 1 week of the initiation of the contract and annually thereafter, as required.
c. Failure to complete the mandatory annual training and sign the Rules of Behavior annually, within the timeframe required, is grounds for suspension or termination of all physical or electronic access privileges and removal from work on the contract until such time as the training and documents are complete.
VA HANDBOOK 6500.6 MARCH 12, 2010 APPENDIX C
VA INFORMATION AND INFORMATION SYSTEM SECURITY/PRIVACY LANGUAGE FOR
INCLUSION INTO CONTRACTS, AS APPROPRIATE
1. GENERAL
Contractors, contractor personnel, subcontractors, and subcontractor personnel shall be
subject to the same Federal laws, regulations, standards, and VA Directives and Handbooks
as
2. ACCESS TO VA INFORMATION AND VA INFORMATION SYSTEMS
a. A contractor/subcontrator shall request logical (technical) or physical access to
information and
to the extent necessary to perform the services specified in the contract, agreement, or task
order.
b. All contractors, subcontractors, and third-party servicers and associates working with
or employees who have access to the same types of information. The level and process of
background security investigations for contractors must be in accordance with VA Directive
and Handbook 0710, Personnel Suitability and Security Program.
Security, and Preparedness is responsible for these policies and procedures.
c. Contract personnel who require access to national security programs must have a valid
security clearance. National Industrial Security Program (NISP) was established by Executive
Order 12829 to ensure that cleared
classified information in their possession while performing work on contracts, programs, bids,
or research and development efforts. The
Memorandum of Agreement with
Clearance must be processed through the Special Security Officer located in the Planning and
d. Custom software development and outsourced operations must be located in the
to the maximum extent practical. If such services are proposed to be performed abroad and
are not disallowed by other
where all non-
by
data protection, and so forth. Location within the
e. The contractor or subcontractor must notify the Contracting Officer immediately when
an employee working on a
the contractor or subcontractor s employ. The Contracting Officer must also be notified
immediately by the contractor or subcontractor prior to an unfriendly termination.
3. VA INFORMATION CUSTODIAL LANGUAGE
a. Information made available to the contractor or subcontractor by
or administration of this contract or information developed by the contractor/subcontractor in
performance or administration of the contract shall be used only for those purposes and shall
not be used in any other way without the prior written agreement of the
expressly limits the contractor/subcontractor's rights to use data as described in Rights in Data
- General, FAR 52.227-14(d) (1).
b.
contractors/subcontractor s information systems or media storage systems in order to ensure
must be allowed to meet the requirements of the business need, the contractor must ensure
that
requirements.
subcontractor IT resources to ensure data security controls, separation of data and job duties,
and destruction/media sanitization procedures are in compliance with
requirements.
c. Prior to termination or completion of this contract, contractor/subcontractor must not
destroy information received from
performing this contract without prior written approval by the
behalf of
and
and Information Management and its Handbook 6300.1 Records Management Procedures,
applicable VA Records Control Schedules, and VA Handbook 6500.1, Electronic Media
Sanitization. Self-certification by the contractor that the data destruction requirements above
have been met must be sent to the VA Contracting Officer within 30 days of termination of the
contract.
d. The contractor/subcontractor must receive, gather, store, back up, maintain, use,
disclose and dispose of
applicable Federal and
policies. If Federal or
become applicable to the
contract, or if NIST issues or updates applicable FIPS or
execution of this contract, the parties agree to negotiate in good faith to implement the
information confidentiality and security laws, regulations and policies in this contract.
e. The contractor/subcontractor shall not make copies of
authorized and necessary to perform the terms of the agreement or to preserve electronic
information stored on contractor/subcontractor electronic storage media for restoration in case
any electronic equipment or data used by the contractor/subcontractor needs to be restored to
an operating state. If copies are made for restoration purposes, after the restoration is
complete, the copies must be appropriately destroyed.
f. If
privacy, and security provisions of the contract, it shall be sufficient grounds for
payment to the contractor or third party or terminate the contract for default or terminate for
cause under Federal Acquisition Regulation (FAR) part 12.
g. If a VHA contract is terminated for cause, the associated BAA must also be terminated
and appropriate actions taken in accordance with VHA Handbook 1600.01, Business
Associate Agreements. Absent an agreement to use or disclose protected health information,
there is no business associate relationship.
h. The contractor/subcontractor must store, transport, or transmit
in an encrypted form, using
validated.
i. The contractor/subcontractor s firewall and Web services security controls, if applicable,
shall meet or exceed
upon request.
j. Except for uses and disclosures of
performance of the contract, the contractor/subcontractor may use and disclose
only in two other situations: (i) in response to a qualifying order of a court of competent
jurisdiction, or (ii) with
requests for, demands for production of, or inquiries about,
systems to the
k. Notwithstanding the provision above, the contractor/subcontractor shall not release
records protected by Title 38 U.S.C. 5705, confidentiality of medical quality assurance records
and/or Title 38 U.S.C. 7332, confidentiality of certain health records pertaining to drug
addiction, sickle cell anemia, alcoholism or alcohol abuse, or infection with human
immunodeficiency virus. If the contractor/subcontractor is in receipt of a court order or other
requests for the above mentioned information, that contractor/subcontractor shall immediately
refer such court orders or other requests to the
l. For service that involves the storage, generating, transmitting, or exchanging of
sensitive information but does not require C&A or an MOU-ISA for system interconnection, the
contractor/subcontractor must complete a Contractor Security Control Assessment (CSCA) on
a yearly basis and provide it to the COTR.
6. SECURITY INCIDENT INVESTIGATION
a. The term security incident means an event that has, or could have, resulted in
unauthorized access to, loss or damage to
that breaches
the COTR and simultaneously, the designated ISO and Privacy Officer for the contract of any
known or suspected security/privacy incidents, or any unauthorized disclosure of sensitive
information, including that contained in system(s) to which the contractor/subcontractor has
access.
b. To the extent known by the contractor/subcontractor, the contractor/subcontractor s
notice to
(including to whom, how, when, and where the
compromised), and any other information that the contractor/subcontractor considers relevant.
c. With respect to unsecured protected health information, the business associate is
deemed to have discovered a data breach when the business associate knew or should have
known of a breach of such information. Upon discovery, the business associate must notify
the covered entity of the breach. Notifications need to be made in accordance with the
executed business associate agreement.
d. In instances of theft or break-in or other criminal activity, the contractor/subcontractor
must concurrently report the incident to the appropriate law enforcement entity (or entities) of
jurisdiction, including the VA OIG and Security and Law Enforcement. The contractor, its
employees, and its subcontractors and their employees shall cooperate with
enforcement authority responsible for the investigation and prosecution of any possible
criminal law violation(s) associated with any incident. The contractor/subcontractor shall
cooperate with
compensation from a third party for damages arising from any incident, or obtain injunctive
relief against any third party arising from, or related to, the incident.
7. LIQUIDATED DAMAGES FOR DATA BREACH
a. Consistent with the requirements of 38 U.S.C. --5725, a contract may require access to
sensitive personal information. If so, the contractor is liable to
the event of a data breach or privacy incident involving any SPI the contractor/subcontractor
processes or maintains under this contract.
b. The contractor/subcontractor shall provide notice to
forth in the Security Incident Investigation section above. Upon such notification,
secure from a non-Department entity or the
analysis of the data breach to determine the level of risk associated with the data breach for
the potential misuse of any sensitive personal information involved in the data breach. The
term 'data breach' means the loss, theft, or other unauthorized access, or any access other
than that incidental to the scope of employment, to data containing sensitive personal
information, in electronic or printed form, that results in the potential compromise of the
confidentiality or integrity of the data. Contractor shall fully cooperate with the entity
performing the risk analysis. Failure to cooperate may be deemed a material breach and
grounds for contract termination.
c. Each risk analysis shall address all relevant information concerning the data breach,
including the following:
(1) Nature of the event (loss, theft, unauthorized access);
(2) Description of the event, including:
(a) date of occurrence;
(b) data elements involved, including any PII, such as full name, social security number,
date of birth, home address, account number, disability code;
(3) Number of individuals affected or potentially affected;
(4) Names of individuals or groups affected or potentially affected;
(5) Ease of logical data access to the lost, stolen or improperly accessed data in light of the
degree of protection for the data, e.g., unencrypted, plain text;
(6) Amount of time the data has been out of
(7) The likelihood that the sensitive personal information will or has been compromised
(made accessible to and usable by unauthorized persons);
(8) Known misuses of data containing sensitive personal information, if any;
(9) Assessment of the potential harm to the affected individuals;
(10) Data breach analysis as outlined in 6500.2 Handbook, Management of Security and
Privacy Incidents, as appropriate; and
(11) Whether credit protection services may assist record subjects in avoiding or mitigating
the results of identity theft based on the sensitive personal information that may have been
compromised.
d. Based on the determinations of the independent risk analysis, the contractor shall be
responsible for paying to the
individual to cover the cost of providing credit protection services to affected individuals
consisting of the following:
(1) Notification;
(2) One year of credit monitoring services consisting of automatic daily monitoring of at least
3 relevant credit bureau reports;
(3) Data breach analysis;
(4) Fraud resolution services, including writing dispute letters, initiating fraud alerts and
credit freezes, to assist affected individuals to bring matters to resolution;
(5) One year of identity theft insurance with
(6) Necessary legal expenses the subjects may incur to repair falsified or damaged credit
records, histories, or financial affairs.
8. SECURITY CONTROLS COMPLIANCE TESTING
On a periodic basis,
evaluate any or all of the security controls and privacy practices implemented by the contractor
under the clauses contained within the contract. With 10 working-day s notice, at the request
of the government, the contractor must fully cooperate and assist in a government-sponsored
security controls assessment at each location wherein
or information systems are developed, operated, maintained, or used on behalf of
including those initiated by the
security control assessment on shorter notice (to include unannounced assessments) as
determined by
9. TRAINING
a. All contractor employees and subcontractor employees requiring access to
information and
access to
(1) Sign and acknowledge (either manually or electronically) understanding of and
responsibilities for compliance with the Contractor Rules of Behavior, Appendix E relating to
access to
(2) Successfully complete the VA Cyber Security Awareness and Rules of Behavior
training and annually complete required security training;
(3) Successfully complete the appropriate
required privacy training; and
(4) Successfully complete any additional cyber security or privacy training, as required for
official and provided to the contracting officer for inclusion in the solicitation document e.g.,
any role-based information security training required in accordance with NIST Special
Publication 800-16, Information Technology Security Training Requirements.]
b. The contractor shall provide to the contracting officer and/or the COTR a copy of the
training certificates and certification of signing the Contractor Rules of Behavior for each
applicable employee within 1 week of the initiation of the contract and annually thereafter, as
required.
c. Failure to complete the mandatory annual training and sign the Rules of Behavior
annually, within the timeframe required, is grounds for suspension or termination of all physical
or electronic access privileges and removal from work on the contract until such time as the
training and documents are complete.
CONTRACTOR RULES OF BEHAVIOR
This User Agreement contains rights and authorizations regarding my access to and use
of any information assets or resources associated with my performance of services under
the contract terms with the
covers my access to all
systems and resources ("Systems"), and
incorporates Rules of Behavior for using
resources under the contract.
1. GENERAL TERMS AND CONDITIONS FOR ALL ACTIONS AND ACTIVITIES UNDER
THE CONTRACT:
a. I understand and agree that I have no reasonable expectation of privacy in
accessing or using any
b. I consent to reviews and actions by the
staff designated and authorized by the
OIG regarding my access to and use of any information assets or resources associated
with my performance of services under the contract terms with the
may include monitoring, recording, copying, inspecting, restricting access, blocking,
tracking, and disclosing to all authorized OI&T,
directed by the VA CIO without my prior consent or notification.
c. I consent to reviews and actions by authorized
Information Security Officers solely for protection of the
not limited to monitoring, recording, auditing, inspecting, investigating, restricting access,
blocking, tracking, disclosing to authorized personnel, or any other authorized actions by
all authorized OI&T,
d. I understand and accept that unauthorized attempts or acts to access, upload,
change, or delete information on Federal Government systems; modify Federal
government systems; deny access to Federal government systems; accrue resources for
unauthorized use on Federal government systems; or otherwise misuse Federal
government systems or resources are prohibited.
e. I understand that such unauthorized attempts or acts are subject to action that may
result in criminal, civil, or administrative penalties. This includes penalties for violations
of Federal laws including, but not limited to, 18 U.S.C. --1030 (fraud and related activity in
connection with computers) and 18 U.S.C. --2701 (unlawful access to stored
communications).
f. I agree that OI&T staff, in the course of obtaining access to information or systems
on my behalf for performance under the contract, may provide information about me
including, but not limited to, appropriate unique personal identifiers such as date of birth
and social security number to other system administrators, Information Security Officers
(ISOs), or other authorized staff without further notifying me or obtaining additional written
or verbal permission from me.
g. I understand I must comply with
handbooks. I understand that copies of those directives and handbooks can be obtained
from the Contracting Officer's Technical Representative (COTR). If the contractor
believes the policies and guidance provided by the COTR is a material unilateral change
to the contract, the contractor must elevate such concerns to the Contracting Officer for
resolution.
h. I will report suspected or identified information security/privacy incidents to the COTR
and to the local ISO or Privacy Officer as appropriate.
2. GENERAL RULES OF BEHAVIOR
a. Rules of Behavior are part of a comprehensive program to provide complete
information security. These rules establish standards of behavior in recognition of the fact that
knowledgeable users are the foundation of a successful security program. Users must
understand that taking personal responsibility for the security of their computer and the
information it contains is an essential part of their job.
b. The following rules apply to all
(1) Follow established procedures for requesting, accessing, and closing user accounts
and access. I will not request or obtain access beyond what is normally granted to users or
by what is outlined in the contract.
(2) Use only systems, software, databases, and data which I am authorized to use,
including any copyright restrictions.
(3) I will not use other equipment (OE) (non-contractor owned) for the storage, transfer,
or processing of
been reviewed and approved by local management and is included in the language of the
contract. If authorized to use OE IT equipment, I must ensure that the system meets all
applicable 6500 Handbook requirements for OE.
(4) Not use my position of trust and access rights to exploit system controls or access
information for any reason other than in the performance of the contract.
(5) Not attempt to override or disable security, technical, or management controls
unless expressly permitted to do so as an explicit requirement under the contract or at the
direction of the COTR or ISO. If I am allowed or required to have a local administrator
account on a government-owned computer, that local administrative account does not
confer me unrestricted access or use, nor the authority to bypass security or other controls
except as expressly permitted by the VA CIO or CIO's designee.
(6) Contractors use of systems, information, or sites is strictly limited to fulfill the terms
of the contract. I understand no personal use is authorized. I will only use other Federal
government information systems as expressly authorized by the terms of those systems. I
accept that the restrictions under ethics regulations and criminal law still apply.
(7) Grant access to systems and information only to those who have an official need to
know.
(8) Protect passwords from access by other individuals.
(9) Create and change passwords in accordance with VA Handbook 6500 on systems
and any devices protecting
security settings for the particular system in question.
(10) Protect information and systems from unauthorized disclosure, use, modification, or
destruction. I will only use encryption that is FIPS 140-2 validated to safeguard
information, both safeguarding
my access to and use of any information assets or resources associated with my
performance of services under the contract terms with the
(11) Follow VA Handbook 6500.1, Electronic Media Sanitization to protect
information. I will contact the COTR for policies and guidance on complying with this
requirement and will follow the COTR's orders.
(12) Ensure that the COTR has previously approved
dissemination, including e-mail communications outside of the
make any unauthorized disclosure of any
means of communication including but not limited to e-mail, instant messaging, online chat,
and web bulletin boards or logs.
(13) Not host, set up, administer, or run an Internet server related to my access to and
use of any information assets or resources associated with my performance of services
under the contract terms with the
writing by the COTR.
(14) Protect government property from theft, destruction, or misuse. I will follow
directives and handbooks on handling Federal government IT equipment, information, and
systems. I will not take
from the COTR.
(15) Only use anti-virus software, antispyware, and firewall/intrusion detection software
authorized by
requirement and will follow the COTR's orders regarding my access to and use of any
information assets or resources associated with my performance of services under the
contract terms with
(16) Not disable or degrade the standard anti-virus software, antispyware, and/or
firewall/intrusion detection software on the computer I use to access and use information
assets or resources associated with my performance of services under the contract terms
with
significant alert messages to the COTR.
(17) Understand that restoration of service of any
the system.
(18) Complete required information security and privacy training, and complete required
training for the particular systems to which I require access.
3. ADDITIONAL CONDITIONS FOR USE OF NON- VA INFORMATION TECHNOLOGY
RESOURCES
a. When required to complete work under the contract, I will directly connect to the
network whenever possible. If a direct connection to the
will use
b. Remote access to non-public
publicly-available IT computers, such as remotely connecting to the internal
from computers in a public library.
c. I will not have both a
wireless network card, modem with phone line, or other network device physically
connected to my computer at the same time, unless the dual connection is explicitly
authorized by the COTR.
d. I understand that I may not obviate or evade my responsibility to adhere to
requirements by subcontracting any work under any given contract or agreement with
that any subcontractor(s) I engage shall likewise be bound by the same security requirements
and penalties for violating the same.
CONTRACTOR SIGNS AND RETURNS
5. ACKNOWLEDGEMENT AND ACCEPTANCE
I acknowledge receipt of this User Agreement. I understand and accept all terms and
conditions of this User Agreement, and I will comply with the terms and conditions of this agreement and any additional
______________________________ _____________________
Print or type your full name Signature
______________________________ _____________________
Last 4 digits of SSN Date
______________________________ _____________________
Office Phone Position Title
Contractor s Company
Please complete and return the original signed
document to the COTR within the timeframe
stated in the terms of the contract
Link/URL: https://www.fbo.gov/spg/VA/WRJVAMROC/DVAMROC/36C24118Q0041/listing.html
Robert Klein Proposes Tax Credit Longevity Annuity Plan
Event Focuses on Evolving Women’s Health Issues
Advisor News
Annuity News
Health/Employee Benefits News
Life Insurance News