R– On-Site Shredding/ Document Destruction Service

Notice Type: Sources Sought Notice

Posted Date: 01-JUN-18

Office Address: Department of Veterans Affairs;VISN 7 Network Contracting Activity;501 Greene Street;Hatcher Building - Suite 2;Augusta GA 30901

Subject: R-- On-Site Shredding/ Document Destruction Service

Classification Code: R - Professional, administrative, and management support services

Contact: Jacquetta O WhiteContract Specialist 706-733-0188 x1104 mailto:[email protected]

Description: Department of Veterans Affairs

Augusta VAMC

Department of Veterans Affairs Medical Center

This is a SOURCES SOUGHT request for informational and planning purposes only and shall not be construed as a solicitation or as an obligation or commitment by the Government at this time. This notice is intended strictly for market research. The purpose of this Sources Sought notice is to determine the following:

The interest and capability of Veteran Owned Small Business;

Whether the business source can perform 50% of total work required for this requirement if utilizing a sub-contractor;

Whether the business source can demonstrate the ability to destroy articles as cited in paragraphs 10.1 and 10.2 of the Statement of Work; and

Possesses the size classification relative to the North American Industry Classification System (NAICS) code 561990 for the proposed acquisition.

The Department of Veterans Affairs, Network Contracting Office 07 is seeking potential sources for On-site Shredding/ Document Destruction Services:

STATEMENT OF WORK (SOW)

Charlie Norwood VA Medical Center (CNVAMC)

Augusta, Georgia

ON-SITE SHREDDING/DOCUMENT DESTRUCTION SERVICES

GENERAL:

The contractor shall provide all labor, supervision; secure collection containers, equipment, and transportation necessary to perform on-site document destruction and disposal of confidential documents at the Department of Veteran s Affairs (VA) locations listed in paragraph 2 below and in accordance with performance requirements in paragraph 10 below, NIST Special Publication 800-88 (Revision 1) Guidelines for Media Sanitization and VA Directive 6371, Destruction of Temporary Paper Records.

PLACES OF PERFORMANCE: Services shall be performed at Augusta VA Medical Center and locations submitted below.

A

Charlie Norwood VA Medical Center (CNVAMC), (Uptown Division)

1 Freedom Way, Augusta, Georgia 30904

B

Charlie Norwood VA Medical Center (Downtown Division)

800 Bailie Dr., Augusta, GA 30901

C

Athens Community-Based Outpatient Clinic (CBOC)

9249 Hwy 29S Suite A Athens, Georgia 30601

D

Aiken Community-Based Outpatient Clinic (CBOC)

951 Millbrook Ave., Aiken, South Carolina 29803

E

VA Southeast Network Central Accounting Office VISN7-CAO

3154 Perimeter Parkway Suite 200 Augusta, Georgia 30904

F

VISN7 Hatcher Building, 500 Greene Street, Augusta, GA 30901

G.

Statesboro Community Base Outpatient Clinic (CBOC)

412 Northside Drive East, Suite 400 Statesboro, GA 30458-4804

H

Vet Center 2050 Walton Way #100 Augusta, GA 30904

The government reserves the right to modify the contract as needed to add or delete VA Locations.

ACRONYMS & Definitions:

BAA Business Associate Agreement

CBOC Community Based Outpatient Clinic

CFR Code of Federal Regulations

CNVAMC - Charlie Norwood Veterans Affairs Medical Center

COR Contracting Officer s Representative

FAX Facsimile

FIPS PUB Federal Information Processing Standards Publication

FISMA Federal Information Security Management Act

FSC Financial Services Center

HIPAA Health Insurance Portability and Accountability Act

ID Identification

ISO Information Security Officer

LMS Learning Management System

MO Magneto-Optical

NACI National Agency Check and Inquiries

NAID National Association for Information Destruction

NIST National Institute of Standards and Technology

OI&T Office of Information & Technology

OMB Office of Management and Budget

OPM Office of Personnel Management

PC Personal Computer

PII Personally Identifiable Information

SOW Statement of Work

SPI Sensitive Personal Information

U.S.C. United States Code

VA Veteran Affairs

VHA Veterans Health Administration

VISN7 Veterans Integrated Service Network 7

VISN7-CAO Veterans Integrated Service Network 7 Centralized Accounting Office

Publications and Forms:

Publications

Federal Information Processing standards Publication (FIPS PUB) Number 201

Federal Investigations Notices (FIN 01-01)

Health Insurance Portability and Accountability Act of 1996

Homeland Security Presidential Directive-12 (HSPD-12)

NIST 800-16 Information Technology Security Training Requirements

NIST 800-53 Security and Privacy Controls for Federal Information Systems and Organizations

Office of Management and Budget (OMB) guidance M-05-24

VA Directive 6300, Records and Information Management

VA Directive 6371, Destruction of Temporary Paper Records

VA Directive and Handbook 0710 Personnel Suitability and Security Program

VA Handbook 6300, Records and Information Management. (An electronic version will be provided to the Contractor by the Contracting Officer at time of award.)

VA Handbook 6500.2, Management of Security and Privacy Incidents

Forms

FD 258, U.S. Department of Justice Fingerprint Application Chart

Optional Form 306, Declaration for Federal Employment

Optional Form 612, Optional Application for Federal Employment.

Standard Form 85P, Questionnaire for Public Trust Positions

Standard Form 85P-S, Supplemental Questionnaire for Selected Positions.

VA Form 0710, Authority for Release of Information Form

VA Form 0752 Confidentiality of Sensitive Information Non-Disclosure Agreement

BACKGROUND:

The Charlie Norwood VA Medical Center is a two division multi-bed facility, encompassing acute medical, surgical, psychiatric, and long-term care. The hospital is located in Augusta, Georgia and provides primary, secondary, and some tertiary care. Annually, the medical center serves thousands of patients. Satellite Community Based Outpatient Clinics (CBOC s) are located in Athens, GA and Aiken, SC. Additionally the VISN7 Procurement and Accounting functional areas and the Seamless Transition Center are serviced by CNVAMC.

PERSONNEL:

Qualification:

Contractor shall have a current National Association Information Destruction (NAID) Certificate.

Contractor s personnel, whose tasks involve operation of any vehicles, shall possess a valid U.S. state driver s license, certificates and permits, applicable for the type and class of vehicle being operated.

Contractor shall be a legally registered business in the state of South Carolina and Georgia.

Contractor Vehicles: All vehicles used in the performance of this contract for the destruction of documents shall have the applicable government licensing and inspections for road worthiness on file.

6.3. Key Personnel:

Name

Position

Wage Determination Skill No.

Percentage of Work Under Contract

DAYS AND HOURS OF OPERATION:

Monday Friday, 8:00 a.m. to 4:30 p.m. excluding Federal Holidays.

Federal Holidays

New Year s Day January 1st

Martin Luther King s Birthday 3rd Monday in January

President s Day 3rd Monday in February

Memorial Day Last Monday in May

Independence Day July 4th

Labor Day 1st Monday in September

Columbus Day 2nd Monday in October

Veteran s Day November 11th

Thanksgiving Day Last Thursday in November

Christmas Day December 25th

The contractor shall provide a written schedule of the days and times service shall be performed at each facility. The contractor shall perform services on day agreed upon by both VA facility point of contact (POC) and the Contractor. Strict adherence to the schedule is expected. Any changes to the schedule shall be approved in advance by the Contracting Officer s Representative (COR).

The contractor shall provide a contingency plan for instances where (1) equipment malfunction occurs during the shredding process and (2) when a Mobile Shredding Vehicle breaks down en-route to a VA Location for scheduled services or en-route to a pulping and recycling site. Upon arrival at each facility, the contractor shall report to the meeting location designated by the COR prior to the performance of scheduled pick-up/shredding service.

PERIOD OF PERFORMANCE:

Base Year

01 October 2018 30 September 2019

Option Year 1

01 October 2019 30 September 2020

Option Year 2

01 October 2020 30 September 2021

Option Year 3

01 October 2021 30 September 2022

Option Year 4

01 October 2022 30 September 2023

Contractor Responsibility

The contractor shall bear the expense of obtaining background investigations.

The web site which provides information on the cost of the security investigation is: https://www.opm.gov/investigations/background-investigations/federal-investigations-notices/ Select Federal Investigations Notices (FIN 01-01)

The Office of Security and Law Enforcement adds an administrative fee. Sherri Jennings, 202-273-5555 can be contacted to obtain information on the current amount of the fee.

The contractor shall prescreen all personnel requiring access to the computer systems to ensure they maintain a U.S. citizenship and are able to read, write, speak, and understand the English language. The contractor shall provide the screening results to the VA Contracting Officer prior to award and anytime new employees are hired.

The contractor shall provide to the Contracting Officer prior to award the following: (1) List of names of contract personnel. (2) Social security numbers of contractor personnel. (3) Home address of contractor personnel or the contractor address.

The contractor shall submit or have their employees submit the following required forms to the VA Office of Security and Law Enforcement within 30 days of receipt:

(i) Standard From 85P, Questionnaire for Public Trust Positions

(ii) Standard Form 85P-S, Supplemental Questionnaire for Selected Positions

(iii) FD 258, U.S. Department of Justice Fingerprint Applicant Chart

(iv) VA Form 0710, Authority for Release of Information Form

The contractor, when notified of an unfavorable determination by the Government, shall withdraw the employee from consideration from working under the contract.

Failure to comply with the contractor personnel security requirements may result in termination of the contract for default.

Specific Task:

Paper Destruction:

The contractor shall provide secured lockable collection containers in a variety of sizes and quantities specific to each designated location throughout the hospital, clinic, or facility for collection and storage of confidential documents until such time the shredding takes place.

10.1.2 Container sizes shall be 32 gallons or less for Healthcare Unit Areas and average 64-96 gallon for all other areas as shown on Attachment 1 where estimated quantities and sizes are specified per location.

10.1.3 Containers shall have locking mechanisms that are keyed alike with a master key that shall open all containers. A set of keys shall be provided to the Contracting Officer s Representative (COR) and the Privacy Officer.

10.1.4 The contractor shall provide sufficient labor and equipment necessary to transport collection containers from the indoor designated location to an outdoor designated location where shredding shall take place. A replacement container shall be placed at each designated location before the containers are removed for shredding.

10.1.5 The contractor shall ensure each locked container remains locked until it arrives at the on-site shredding location. The containers shall not be unlocked to transfer confidential documents into another container for transport purposes. The contractor shall ensure confidential documents are protected from loss by gusts of wind or other atmospheric conditions.

10.1.6 The contractor shall provide sufficient labor and sufficient state-of-the art mobile shredding vehicles capable of performing on-site shredding and destruction of approximately 565,620 pounds of confidential documents per year utilizing mobile shredding vehicles at government facilities where the confidential documents are collected.

10.1.7 The contractor shall ensure the task of document destruction for all containers is conducted from start to finish on-site at each facility on the scheduled service day. A sample pick-up log is shown at Attachment 2.

10.1.8 The contractor shall provide equipment that has the capability of shredding large volumes of documents per hour to reduce the time the contractor s equipment utilizes government facilities limited parking spaces.

10.1.9 The contractor shall provide equipment that is capable of shredding large volumes of documents per hour that shall produce cross cut shred articles within a 1 mm x 5 mm (0.04 in. x 0.2 in.), pulped for recycling and prepare a certificate of destruction per the National Association for Information Destruction (NAID) standards for mobile units. A sample of the Certificate of Destruction is shown at Attachment 3.

10.1.10 The contractor shall provide sufficient labor, equipment, and transportation necessary to transport the shredded materials in locked vehicles to paper mills for pulping and recycling.

10.1.11 All shredding shall be witnessed by a VA government employee authorized to witness destruction of confidential documents. The contractor shall complete a Certificate of Destruction in the presence of the employee authorized at each facility authorized to witness destruction upon completion of each shredding service.

10.1.12 All shredding shall be performed in accordance with, NIST Special Publication 800-88 (Revision 1) Guidelines for Media Sanitization and VA Directive 6371, Destruction of Temporary Paper Records.

10.1.13 Upon arrival at each facility, the contractor shall report to the meeting location designated by the COR prior to the performance of scheduled pick-up/shredding service.

NOTE: Types of paper that can be expected are office paper and computer paper of a variety of color or type. Limited quantities of incidentals such as paper clips, staples, rubber bands, patient plastic armbands and other similar items can be expected.

The quantities listed are estimated poundage based on past performance. There is no minimum or maximum guarantee of poundage due to fluctuating requirements.

Hard Drive and Electronic Media Destruction:

Destruction of material: All PII, sensitive data, PC hard drives and electronic-media material collected shall be destroyed by shredding of records to a degree that they cannot be read or reconstructed without extraordinary efforts and shall allow for secure transport of records until such time as their final destruction by pulverization. Since final destruction is to be carried out off station, a VA representative shall be allowed to inspect, upon request the contractor s facilities where the records are processed and where the final destruction takes place. PC hard drives as well as all other electronic media shall be shredded beyond use. Optical mass storage media, including compact disks (CD, CD_R, CD-RW, and CD-ROM), DVDs, and magneto-optic (MO) disks shall be destroyed by pulverizing, crosscut shredding or burning. When material is disintegrated or shredded, all residues shall be reduced to nominal edge dimensions of five millimeters (5 mm) and surface area of twenty-five square millimeters (25 mm2). The shredding of hard drives shall be witnessed by the Information Security Officer as well as OI&T s hardware custodian. Upon completion of destruction of PII and hard drives the contractor shall provide a Certificate of Destruction which identifies the means of destruction. Contractor certificate is also to include shredding location, date, time, quantity/cost and the names of personnel responsible for shredding the contents. Contractor shall have adequate equipment and personnel to collect, shred and dispose of shredded material.

Special Contract Requirements:

Background Investigations: Upon contract the successful offeror shall be required to accomplish the following background investigation task. All contractor employees who require access to PII and sensitive data shall be the subject of a background investigation and shall receive a favorable adjudication from the VA Office of Security and Law Enforcement prior to contract performance. The requirement is applicable to all subcontractor personnel requiring the same access. If the investigation is not completed prior to the start date of the contract, the contractor shall be responsible for the actions of those individuals they provide to perform work for VA.

Position Sensitivity the position sensitivity has been designed as low risk.

Background investigation the level of background investigation commensurate with the required level of access National Agency Check with Written inquiries.

The contractor shall bear the expense of obtaining background investigations. If the investigation is conducted by the Office of Personnel management (OPM), the contractor shall reimburse VA within 30 days.

The contractor shall prescreen all personnel requiring access to sensitive data to ensure they maintain a U.S. citizenship and are able to read, write, speak and understand the English language.

The contractor shall submit or have their employees submit the following require forms to the VA Office of Security and Law Enforcement. These forms can be obtained by contacting, 2200 Fort Roots Blvd, Bldg. 104, North Little Rock, AR 72114. Contractor shall provide verification of document submission. Background investigation documents shall be submitted within 30 days of receipt of documents from the VA Office of Security and Law Enforcement:

Standard Form 85P, Questionnaire for Public Trust Positions

Standard Form 85P-S, Supplemental Questionnaire for Selected Positions.

FD 258, U.S. Department of Justice Fingerprint Application Chart

VA Form 0710, Authority for Release of Information Form

Optional Form 306, Declaration for Federal Employment

Optional Form 612, Optional Application for Federal Employment

A contractor/subcontractor shall request logical (technical) or physical access to VA information and VA information systems for their employees, subcontractors, and affiliates only to the extent necessary to perform the services specified in the contract, agreement, or task order.

All contractors, subcontractors, and third-party servicers and associates working with VA information are subject to the same investigative requirements as those of VA appointees or employees who have access to the same types of information. The level and process of background security investigations for contractors shall be in accordance with VA Directive and Handbook 0710, Personnel Suitability and Security Program. The Office for Operations, Security, and Preparedness is responsible for these policies and procedures.

VA Form 0752 Confidentiality of Sensitive Information Non-Disclosure Agreement (a copy should be sent to the Accountable Officer and the ISO of the facility maintains the original)

The contractor, when notified of an unfavorable determination by the Government, shall withdraw the employee from consideration from working under the contract.

The contractor is responsible to ensure that their employee is to comply with Augusta VA Medical Security ID badge requirement. Their employees are to report to the Security Police to get an ID Badge every time they are on the Augusta VA Medical Center site, with a picture ID Card.

Failure to comply with the contractor personnel security requirements may result in termination of the contract for default.

Offeror shall provide the name and phone number of the company s point of contact for background investigations.

Safety Briefing and Privacy Training: Contractor shall receive a safety briefing and privacy training on the first day of work by the Information Security Officer, Privacy Officer and Security Police. contact information will be provided upon award of contract.

INVOICE:

Invoices shall be submitted electronically in arrears to the address indicated VA FSC P.O. Box 149971 Austin Texas 78714. Please reference the Purchase Order Number (i.e. 509-A0000 or 509-C75 )

Payment will be made upon receipt of a properly prepared, itemized invoice, validated by the COR, and submitted electronically.

A properly prepared invoice will contain:

Invoice Number and Date

Contractor s Name and Address

Accurate Purchase Order Number

Itemization of pounds shredded and disposed

Price per pound

Dates service performed

Location of service performed

Total amount due

A separate invoice shall be prepared for each facility.

Government Responsibility

Oversight of service/ Performance Monitoring

An initial orientation of the facilities will be conducted by the COR at the start of the contract. The contractor shall be responsible for conducting orientation for new employees thereafter.

Safety Briefing and Privacy Training

Contractor shall receive a safety briefing and privacy training on the first day of work by the Information Security Officer, Privacy Officer and Security Police. contact information will be provided upon award of contract.

ADMINISTRATION

Accident Reporting

In the event an accident occurs on the Department of Veterans Affairs property or involving Government personnel or property, the contractor shall contact the VA Police immediately. A report shall be provided to the Contracting Officer and COR in writing that shall include the following: (1) the time and date of occurrence; (2) the place of occurrence; (3) a list of personnel directly involved; and (4) a narrative or description of the accident to include chronological order of the accident and circumstances; (5) corrective action to prevent future occurrences.

Training

All contractor employees and subcontractor employees requiring access to VA information and VA information systems shall complete the following before being granted access to VA information and its systems:

Sign and acknowledge (either manually or electronically) understanding of and responsibilities for compliance with the Contractor Rules of Behavior, Appendix E relating to access to VA information and information systems;

Successfully complete the VA Cyber Security Awareness and Rules of Behavior training and annually complete required security training;

Successfully complete the appropriate VA privacy training and annually complete required privacy training; and

Successfully complete any additional cyber security or privacy training, as required for VA personnel with equivalent information system access [to be defined by the VA program official and provided to the contracting officer for inclusion in the solicitation document e.g., any role-based information security training required in accordance with NIST Special Publication 800-16, Information Technology Security Training Requirements.]

The contractor shall provide to the contracting officer and/or the COR a copy of the training certificates and certification of signing the Contractor Rules of Behavior for each applicable employee within 1 week of the initiation of the contract and annually thereafter, as required.

Failure to complete the mandatory annual training and sign the Rules of Behavior annually, within the timeframe required, is grounds for suspension or termination of all physical or electronic access privileges and removal from work on the contract until such time as the training and documents are complete.

Quality Assurance Surveillance Plan:

Performance Based Matrix

PERFORMANCE BASED TASK

INDICATOR

STANDARD

QUALITY ASSURANCE

INCENTIVES

Contractor shall provide services for paper destruction on-site at the Charlie Norwood VA Medical Center, Augusta, GA. (Para. #10.1)

100% Compliance

100%

Surveillance will include observation by authorized individuals.

Positive - Exercise of option years(s)

Contractor shall maintain National Association Information Destruction Certification (NAID). (Para. #10.1.7)

100% Compliance

100%

A copy of the certification must be provided to the COR

Positive - Exercise of option year(s). Negative response i.e. non-certification will cause for termination of the contract.

Liquidated Damages for Data Breach:

The term security incident means an event that has, or could have, resulted in unauthorized access to, loss or damage to VA assets, or sensitive information, or an action that breaches VA security procedures. The contractor/subcontractor shall immediately notify the COR and simultaneously, the designated ISO and Privacy Officer for the contract of any known or suspected security/privacy incidents, or any unauthorized disclosure of sensitive information, including that contained in system(s) to which the contractor/subcontractor has access.

To the extent known by the contractor/subcontractor, the contractor/subcontractor s notice to VA shall identify the information involved, the circumstances surrounding the incident (including to whom, how, when, and where the VA information or assets were placed at risk or compromised), and any other information that the contractor/subcontractor considers relevant.

With respect to unsecured protected health information, the business associate is deemed to have discovered a data breach when the business associate knew or should have known of a breach of such information. Upon discovery, the business associate must notify the covered entity of the breach. Notifications need to be made in accordance with the executed business associate agreement.

In instances of theft or break-in or other criminal activity, the contractor/subcontractor must concurrently report the incident to the appropriate law enforcement entity (or entities) of jurisdiction, including the VA OIG and Security and Law Enforcement. The contractor, its employees, and its subcontractors and their employees shall cooperate with VA and any law enforcement authority responsible for the investigation and prosecution of any possible criminal law violation(s) associated with any incident. The contractor/subcontractor shall cooperate with VA in any civil litigation to recover VA information, obtain monetary or other compensation from a third party for damages arising from any incident, or obtain injunctive relief against any third party arising from, or related to, the incident.

Consistent with the requirements of 38 U.S.C. --5725, a contract may require access to sensitive personal information. If so, the contractor is liable to VA for liquidated damages in the event of a data breach or privacy incident involving any SPI the contractor/subcontractor processes or maintains under this contract.

The contractor/subcontractor shall provide notice to VA of a security incident as set forth in the Security Incident Investigation section above. Upon such notification, VA must secure from a non-Department entity or the VA Office of Inspector General an independent risk analysis of the data breach to determine the level of risk associated with the data breach for the potential misuse of any sensitive personal information involved in the data breach. The term 'data breach' means the loss, theft, or other unauthorized access, or any access other than that incidental to the scope of employment, to data containing sensitive personal information, in electronic or printed form, that results in the potential compromise of the confidentiality or integrity of the data. Contractor shall fully cooperate with the entity performing the risk analysis. Failure to cooperate may be deemed a material breach and grounds for contract termination.

Each risk analysis shall address all relevant information concerning the data breach, including the following:

Nature of the event (loss, theft, unauthorized access);

Description of the event, including:

date of occurrence;

data elements involved, including any PII, such as full name, social security number, date of birth, home address, account number, disability code;

Number of individuals affected or potentially affected;

Names of individuals or groups affected or potentially affected;

Ease of logical data access to the lost, stolen or improperly accessed data in light of the degree of protection for the data, e.g., unencrypted, plain text;

Amount of time the data has been out of VA control;

The likelihood that the sensitive personal information will or has been compromised (made accessible to and usable by unauthorized persons);

Known misuses of data containing sensitive personal information, if any;

Assessment of the potential harm to the affected individuals

Data breach analysis as outlined in 6500.2 Handbook, Management of Security and Privacy Incidents, as appropriate; and

Whether credit protection services may assist record subjects in avoiding or mitigating the results of identity theft based on the sensitive personal information that may have been compromised.

Based on the determinations of the independent risk analysis, the contractor shall be responsible for paying to the VA liquidated damages in the amount of $37.50 per affected individual to cover the cost of providing credit protection services to affected individuals consisting of the following:

Notification;

One year of credit monitoring services consisting of automatic daily monitoring of at least 3 relevant credit bureau reports;

Data breach analysis;

Fraud resolution services, including writing dispute letters, initiating fraud alerts and credit freezes, to assist affected individuals to bring matters to resolution;

One year of identity theft insurance with $20,000.00 coverage at $0 deductible; and

Necessary legal expenses the subjects may incur to repair falsified or damaged credit records, histories, or financial affairs.

Contractor Personnel Security Requirements:

Contractor employees shall be pre-authorized to witness destruction of confidential documents, i.e., Low Level Background Investigations.

Contractor employees found reading any of the VA materials shall be promptly removed from the premises where the document destruction is being performed and the person(s) involved shall not be allowed to return for any future document destruction services.

The contractor shall adhere to the VA policies applicable to all record destruction as outlined in VA Handbook 6300. These guidelines are designed to protect sensitive and private information from being disclosed to unauthorized parties and adhere to the Privacy Act and the HIPAA Privacy Rules and regulations. Examples of sensitive information include but are not limited to: Individually identifiable medical, benefits, and personnel information; financial, budgetary, research, quality assurance, confidential commercial, critical infrastructure, investigatory, and law enforcement information.

Subject to criminal prosecution, contractor employees shall comply with all manner of confidentiality when engaging in the destruction of any and all Department of Veterans Affairs records.

Contractor employees shall wear a uniform with the company name and logo and wear a badge in plain view above the waist bearing the company name, logo and employees name.

The contractor shall maintain a current listing of employees performing services under this contract. The list shall include the employee s name, address, phone number, social security number, level of security and position. The list shall be validated and signed by the company Facility Security Officer and provided to the Contracting Office and Contracting Officer s Representative (COR). An updated listing shall be provided when an employee s status or information changes. The Contractor has 24 hours to inform the Contracting Office and COR that an employee s status has changed unless it is a pick-up day. On pick up days the contractor shall immediately inform the Contracting Office by FAX at 706-731-7172 or the COR by email: available at time of award.

The contractor and employees shall comply with Homeland Security Presidential Directive-12 (HSPD-12), NIST 800-53, Office of Management and Budget (OMB) guidance M-05-24, as amended, and Federal Information Processing standards Publication (FIPS PUB) Number 201, as amended. Contractor and Staff shall comply with the Privacy Act, VA Security requirements and HIPAA.

The contractor shall report to the Contracting Officer and the COR any information or circumstances which they are aware of that may pose a threat to the security of the Department of Veterans Affairs personnel, contractor employees, resources and classified and unclassified information.

Contractor employees are prohibited from possessing weapons, firearms, or ammunition, on themselves or their contractor-owned or privately-owned vehicle while on the property of the designated VA Locations listed in paragraph 2.

If the Contracting Officer finds it in the best interest of the Government he/she may at any time during the performance of this contract order the Contractor to remove any of his/her personnel from further performance under this contract for reasons of their moral character, unethical conduct, security reasons and violation of on-site building rules. In the event it is necessary to replace any contractor employee for any of the above reasons, all costs, including the costs of removal and replacement of the employee shall be borne by the contractor.

The contractor shall not hold any discussions or release any information relating to the contents of this contract to anyone not having a direct interest in performance of this contract, without written consent of the Contracting Officer. All inquiries shall be directed to the Public Affairs Officer.

The contractor shall not advertise information about projects performed for this contract without Government review and approval. Advertisement is considered but not limited to promotional brochures, posters, tradeshow handouts, world-wide-web-pages, magazines, newspapers and similar promotions.

The contractor shall ensure the electronic access badge provided under this contract for building access is kept securely so as not to compromise building access. The contractor shall immediately report to the Contracting Officer and the COR if the badge is lost.

The contractor is required to comply with all security and personnel identification procedures at each facility.

Special Requirements:

HIPAA Responsibility: Contractor agrees to comply with the requirements under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Notwithstanding anything to the contrary in this contract, all individually identifiable health information shall be treated as confidential by the parties in accordance with all applicable federal, state, or local laws and regulations governing the confidentiality and privacy of individually identifiable health information, including but without limitation, HIPAA and any regulations and official guidance promulgated there under, and the parties agree to take such additional steps and/or to negotiate such amendments to this contract as may be required to ensure that the parties are and remain in compliance with the HIPAA regulations and official guidance.

HIPAA Compliance - Health Insurance Portability and Accountability Act of 1996:

The successful Contractor shall be required to be in compliance with HIPAA requirements and shall be required to sign a Business Associate Agreement with the VA. A copy will be maintained in the contract file and with the Privacy Officer.

Security Requirements. The contractor and their personnel shall be subject to the same Federal laws, regulations, standards and VA policies as VA personnel, regarding information and information system security. These include, but are not limited to Federal Information Security Management Act (FISMA), Appendix III of OMB Circular A-130, and guidance and standards, available from the Department of Commerce s National Institute of Standards and Technology (NIST). This also includes the use of common security configurations available from NIST s Web site at:

http://checklists.nist.gov

To ensure that appropriate security controls are in place, Contractors must follow the procedures set forth in VA Information and Information System Security/Privacy Requirements for IT Contracts located at the following Web site:

http://www.iprm.oit.va.gov

Contractor Employee Security and HIPAA Training: Contractor must certify that all employees working on this contract have received VA Information Security Awareness and VHA Privacy Policy Training. This training can be accessed on line through the VA External Education System found at https://www.ees-learning.net/. Proof of training is required via printed certification of completion and must be provided to the CO/COTR. The Contracting Officer or COTR will provide the details required for obtaining the VHA Privacy Policy Training.

In accordance to VHA Directive 6500, Appendix G, Department of Veteran s Affairs (VA) National Rules of Behavior, each contractor must read and sign the VA National Rules of Behavior prior to gaining any access to VA information and/or information systems. Contractors must initial and date each page of the copy of the VA National Rules of Behavior; they must also provide the information requested on the last page, sign and date it.

These requirements will be maintained in a contractor employee file by the CO/COR for each contractor employee working on the contract.

Contractor Personnel Security Requirements: All contractor employees who require access to the Department of Veterans Affairs computer systems shall be the subject of a background investigation and must receive a favorable adjudication from the VA Office of Security and Law Enforcement prior to contract performance. This requirement is applicable to all subcontractor personnel requiring the same access. If the investigation is not completed prior to the start date of the contract the contractor will be responsible for the actions of those individuals that provide or perform work for the VA.

Position Sensitivity The position sensitivity has been designated as low risk.

Background Investigation The level of background investigation commensurate with the required level of access is National Agency Check and Inquiries (NACI) with written inquiries.

Records Management Clause:

Citations to pertinent laws, codes and regulations such as 44 U.S.C Chapter 21, 29, 31 and 33; Freedom of Information Act (5 U.S.C. 552); Privacy Act (5 U.S.C. 552a); 36 CFR Part 1222 and Part 1228.

Contractor shall treat all deliverables under the contract as the property of the U.S. Government for which the Government Agency shall have unlimited rights to use, dispose of, or disclose such data contained therein as it determines to be in the public interest.

Contractor shall not create or maintain any records that are not specifically tied to or authorized by the contract using Government IT equipment and/or Government records.

Contractor shall not retain, use, sell, or disseminate copies of any deliverable that contains information covered by the Privacy Act of 1974 or that which is generally protected by the Freedom of Information Act.

Contractor shall not create or maintain any records containing any Government Agency records that are not specifically tied to or authorized by the contract.

The Government Agency owns the rights to all data/records produced as part of this contract.

The Government Agency owns the rights to all electronic information (electronic data, electronic information systems, electronic databases, etc.) and all supporting documentation created as part of this contract.

Contractor shall deliver sufficient technical documentation with all data deliverables to permit the agency to use the data.

Contractor agrees to comply with Federal and Agency records management policies, including those policies associated with the safeguarding of records covered by the Privacy Act of 1974. These policies include the preservation of all records created or received regardless of formal [paper, electronic, etc.] or mode of transmission [e-mail, fax, etc.] or state of completion [draft, final, etc.]

No disposition of documents shall be allowed without the prior written consent of the Contracting Officer.

The Agency and its contractors are responsible for preventing the alienation or unauthorized destruction of records, including all forms of mutilation. Willful and unlawful destruction, damage or alienation of Federal records is subject to the fines and penalties imposed by 18 U.S.C. 2701. Records shall not be removed from the legal custody of the Agency or destroyed without regard to the provisions of the agency records schedules.

Contractor is required to obtain the Contracting Officer's approval prior to engaging in any contractual relationship (sub-contractor) in support of this contract requiring the disclosure of information, documentary material and/or records generated under or relating to this contract. The Contractor (and any sub-contractor) is required to abide by Government and Agency guidance for protecting sensitive and proprietary information.

Attachment 1 Bin Locations (3 pages)

DOWNTOWN - AUGUSTA VA HOSPITAL

Room

Title

Bin

Room

Title

Bin

1B102

Spinal Cord

32

7C138

HR Recruit & Plmnt (CARBON)

32

1B105

Spinal Cord Rehab

32

7C138

HR Recruit & Plmnt

32

1B173

Facility Mngt Ex Ofc

32

7C138

HR Recruit & Plmnt

32

1B189

Dietetics Ofc

32

7C133

Executive Office

32

1B209

Prosthetic

32

7C133

Executive Office

32

1C103

Pharmacy (Use double doors)

32

7C107

Ofc across from HR

32

1C103

Pharmacy (when servicing)

32

7C107

Ofc across from HR

32

1C104

Pharmacy (Pharmacy on)

32

7A106

Quality Management

32

1C104

Pharmacy (Fridays. )

32

7A163

Employee Labor Relations

32

1C114

Pharmacy

32

7A144

Dental Clinic

32

1C114

Pharmacy

32

7A109

Health Info Rev Admin

32

1C116

Medical Records

32

6C110

Endocrin / Infec Dis / Nephro

32

1D110

Chaplain Svc

32

6C158

PULMON/CRITCARE

32

1D114

Chief Amb Care & P

32

6C137

Secretary Hem / Onc / Pulmonary

32

1D142

Audiology Clinic

32

6A155

Nurses Workroom

32

1D152

Ent / Audiology / Speech

32

6A155

Nurses Workroom

32

1D187A

Triage / ER Check in

32

6A128

Doctors Workroom

32

1D189

Nourishment Kit (in triage)

32

5D105

Nurses Station Wkrm

32

1D203

Evaluation Area

32

5D118

Nurses Station Wkrm

32

1D209

VA Police

32

5D

Nurses Station

32

1D224

Compensation and Pension

32

5D132

Cardiology Res Ofc

32

1D224

Compensation and Pension

32

5D132

Cardiology Res Ofc

32

1D270

Agent Cashier

32

5C149

Hallway Desk

32

1D279

Agent Orange

32

5C147

Copy Room

32

1D284

Fec Basics / NVCV

32

5C140

Copy Room

32

1E115

Dr's Office

32

5B144

Research Serv Admin Off

32

1E134

32

5A148

Nurses Break Rm

32

1E139

SCI Cystology (in F hallway)

32

5A148

Nurses Break Rm

32

1F123

SCI homecare (in bathroom

32

5A106

Neurosciences Ofc

32

1F104

SCI Clinic

32

5A106

Neurosciences Ofc

32

1G108

NCC

32

4D153

Specialty Care Svc Line

32

1G122

Nurses Com Center

32

4D118

4D Clinic

32

1H

Nurses Station

32

4C143

Nurses Station

32

2A141

Physicians Assist Ofc

32

4C131

Ofc

32

2A114

Eye Clinic Nurses Station

32

4C125

Surgery Svc Line

32

2B122

Vascular Access

32

4A116

Workroom

32

2B124

Physical Therapy

32

4A116

Workroom

32

2C100

PVA

32

4A112

Plastic Surgery Res Ofc

32

2D101

Lab Central Receiving

32

3D142

Recovery Room

32

2D101

Lab Central Receiving

32

3D142

Recovery Room

32

2D106

Library

32

3D110 I

Coordinating Officer

32

2D106

Library

32

3D110

Ambulatory Surgery Ctr.

32

2D140

Lab Administration

32

3D103

Pre-Screening / OP

32

2D179

X-ray File Rm

32

3C156

Computer Room

32

2D179

X-ray File Rm

32

3A108

OR Suite

32

2D201

Transcription

32

3B

Crital Car (Nurse Station)

32

2D201

Transcription

32

3B

Critical Care (Nurse Station)

32

2D229

X-ray Reading Rm

32

Totals

Bldg 803

Coding Rec Trl Bldg 803

95 Gal

32 Gal

95

64 Gal

0

Whse on loading dock (Spare)

64

95 Gal

1

Whse on loading dock (Spare)

64

Total

96

Whse on loading dock (Spare)

95

Attachment 1 Bin Locations (cont)

UPTOWN - AUGUSTA VA HOSPITAL

Room

Title

Bin

Room

Title

Bin

2A189

Copy Room - Hallway

95gal

4D131

Conf/Training Room

95gal

2A116

Pharmacy

32

4E126

Mailroom

95GAL

2A161

Audiology & Speech

32

4E135

Pre-Registration

32

2A195

Dental Clinic (2A2210)

32

4E135

Pre-Registration

32

2B119A

Nurses Station

32

4D153

First hall on left on E wing

32

2A103

Primary Care Exec - By C entrance

32

3E140

Copy Room

32

2C139

Domicillary

32

3E140

Copy Room

32

3B128

Education

32

3F114B

Nurses Communication Center

32

3B156

Chaplain Svc - Located on C wing, first hallway on left

32

3F125

Mental Health Medical

32

3C140

Nursing Home Care - Wrk Rm

32

3G

Nurses Station

32

3A133

Library

32

3D

Active Duty Rehab

32

GA121

Across from DAV Svc Ofc

32

3D

Active Duty Rehab

32

GA116

Health Information Mngt

32

2E106

Payroll

32

GA104

Medical Records File Room

95gal

2E111

HR - Carbon Box

32

GA104

Medical Records File Room

95gal

2E139

In Hallway

32

GB110

Executive Suite (By I.T.)

64gal

2E139

In Hallway

32

GB133

IT Infor

32

2E116

Quality Management

32

GB158

Blood Lab

32

2F

Psychiatry Nurses Station

32

GC151

Health Administration

32

2G

Nurses Station

32

GC125

Nurses Communication Center

32

2D102

Voc Rehab

32

GC125

Nurses Communication Center

32

2D117

Nurses Workroom

32

1B110

Work Room

64gal

1F114

Pt Ed Room

32

1B118A

Blind Rehab Nurse Stn

32

1F114

Pt Ed Room

32

1B118A

Blind Rehab Nurse Stn

32

1F177

Hallway

32

1A237

Pharmacy-double door in main hallway

32

1F177

Hallway

32

1A237

Pharmacy-double door in main hallway

32

1F147

Out Pt Psy

32

1A238

Diabetics

32

1E127

Utility Room-key at desk

32

1A212

Radiology (locked)

32

1D115

Work room hallway

32

1A212

Radiology (locked)

32

1G123

RM &RS Office

32

1A256

Police and Security - by main entrance

32

1G126A

Prosthetics

32

1A105

Agent Cashier Carbon

32

GF101

Call Center- door in west elevator foyer

32

1A105

Agent Cashier

32

GF101

Call Center- door in west elevator foyer

32

1A111

Health Administrator

32

1C144

Nursing Home Care Unit - Between east and west wings.

32

1A120

Triage Nurse Station -Uptown Triage Center - must knock

32

Totals

1A101A

HAS Team A

32

32 Gal

63

1A144A

PCTD Hall

32

64 Gal

7

1A209

Check-in Team D

32

95 Gal

8

1A173F

Mail Room - 1st hallway by loading dock.

95gal

Total

78

Bldg 82

Dietetics Office 1A130

64GAL

Bldg 111

Warehouse-Floor

95gal

Bldg 111

Warehouse-Floor

64gal

Bldg 111

Warehouse-office copy room

64gal

Bldg 111

Spares

64

Bldg 111

Spares

64

Bldg 111

Spares

95

Attachment 1 Bin Locations (cont.)

All Other Locations

Location

32 Gal

64 Gal

Aiken CBOC

1

Athens CBOC

3

1

Statesboro CBOC

4

Vet Center

1

Network Contracting - Hatcher Building

4

1

Network Accounting - Phoenix Building

4

1

Total

17

3

ATTACHMENT 2 -Pick-Up Log

Room

Title

Bin Size in Gallons

Number of Bins

Pick up per week

*-

Pharmacy Back Door

32 Gal

2

2

1B102

Spinal Cord

32 Gal

1

2

1B105

Spinal Cord Rehab

32 Gal

1

2

1B173

Facility Mngt Ex Ofc

32 Gal

1

2

1B189

Dietetics Ofc

32 Gal

1

2

1B209

Prosthetic

32 Gal

1

2

1C103

Pharmacy

32 Gal

2

2

1C114

Pharmacy

32 Gal

2

2

1C116

Medical Records

32 Gal

1

2

1D110

Chaplain Svc

32 Gal

1

2

1D114

Chief Amb Care & P

32 Gal

1

2

1D142

Audiology Clinic

32 Gal

1

2

1D152

Ent / Audiology / Speech

32 Gal

1

2

1D187A

Triage

32 Gal

1

2

1D189

Nourishment Kit (in triage)

32 Gal

1

2

1D203

Evaluation Area

32 Gal

1

2

1D209

VA Police

32 Gal

1

2

1D224

Compensation and Pension

32 Gal

3

2

1D270

Agent Cashier

32 Gal

1

2

1D279

Agent Orange

32 Gal

1

2

1D284

Fec Basics / NVCV

32 Gal

1

2

1E115

*-

32 Gal

1

2

1E139

SCI Cystology

32 Gal

1

2

1F123

*-

32 Gal

1

2

1F104

SCI Clinic

32 Gal

1

2

1G108

NCC

32 Gal

1

2

1G122

Nurses Com Center

32 Gal

1

2

1H

Nurses Station

32 Gal

1

2

2A141

Physicians Assist Ofc

32 Gal

1

2

2A114

Eye Clinic Nurses Station

32 Gal

1

2

2B122

Vascular Access

32 Gal

1

2

2B124

Physical Therapy

32 Gal

1

2

2C100

PVA

32 Gal

1

2

2D101

Lab Central Receiving

32 Gal

3

2

2D106

Library

32 Gal

3

2

2D140

Lab Administration

32 Gal

1

2

2D179

X-ray File Rm

32 Gal

3

2

2D201

Transcription

32 Gal

2

2

2D229

X-ray Reading Rm

32 Gal

1

2

Bldg 803

Coding Rec Trl Bldg 803

32 Gal

3

2

7C138

HR Recruit & Plmnt (CARBON)

32 Gal

1

2

7C138

HR Recruit & Plmnt

32 Gal

3

2

7C133

Executive Office

32 Gal

2

2

7C107

Ofc across from HR

32 Gal

2

2

7C104

Systems Redesign

32 Gal

2

2

7A106

Quality Management

32 Gal

1

2

7A163

Employee Labor Relations

32 Gal

1

2

7A144

Dental Clinic

32 Gal

1

2

7A109

Health Info Rev Admin

32 Gal

1

2

6D105

Endocrin / Infec Dis / Nephro

32 Gal

1

2

6C158

PULMON/CRITCARE

32 Gal

1

2

6C137

Secretary Hem / Onc / Pulmonary

32 Gal

1

2

6A155

Nurses Workroom

32 Gal

3

2

6A128

Doctors Workroom

32 Gal

1

2

5D 118

Nurses Station Wkrm

32 Gal

3

2

5D

Nurses Station

32 Gal

2

2

5D132

Cardiology Res Ofc

32 Gal

1

2

5C149

Mail Room

32 Gal

1

2

5B144

Research Serv Admin Off

32 Gal

1

2

5A148

Nurses Break Rm

32 Gal

2

2

5A106

Neurosciences Ofc

32 Gal

2

2

4D153

Specialty Care Svc Line

32 Gal

1

2

4D118

4D Clinic

32 Gal

1

2

4C143

Nurses Station

32 Gal

1

2

4C131

Ofc

32 Gal

1

2

4C125

Surgery Svc Line

32 Gal

1

2

4A150

Workroom

32 Gal

3

2

4A112

Plastic Surgery Res Ofc

32 Gal

1

2

3D142

Recovery Room

32 Gal

3

2

3D110 I

Coordinating Officer

32 Gal

1

2

3D110

Ambulatory Surgery Ctr.

32 Gal

1

2

3D103

Pre-Screening / OP

32 Gal

1

2

3C156

Computer Room

32 Gal

1

2

3A108

OR Suite

32 Gal

1

2

3B

Critical Care Unit

32 Gal

1

2

3B

Critical Care Unit

32 Gal

1

2

ATTACHMENT 3

CERTIFICATE OF DESTRUCTION

Company Name: _____________________________________________

Location: ___________________________________________________

All paper materials are recycled

Type of Service: Scheduled ________ Unscheduled ______Boxes__________

No. of Containers: Cabinets _______ Gallon bins ____ Gallon bins _______

Time In: _____ Time Out: _______

Total Recyclable Shred Weight: ___________________________________

Comments: ___________________________________________________________________________________________________________________________________________________________________________________________________

___________________________________________________________________

This Certificate of Destruction should be retained for future reference as documentation that all materials submitted to _____________________ were destroyed according to local, state and federal laws.

Rep: __________________________________ Date: ____________________

Customer Signature: _____________________ Print: _____________

Link/URL: https://www.fbo.gov/spg/VA/AuVAMC/VAMCCO80220/36C24718R0673/listing.html