Sources Sought Notice – B– This request for information/Sources Sought notice is for “RDM 17-2 TO12”

Notice Type: Sources Sought Notice

Posted Date: 21-MAY-17

Office Address: Department of Veterans Affairs;Program Contracting Activity Central;6150 Oak Tree Blvd, Suite 300;Independence OH 44131

Subject: B-- This request for information/Sources Sought notice is for "RDM 17-2 TO12"

Classification Code: B - Special studies and analysis - not R&D

Solicitation Number: VA70117N0158

Contact: [email protected] [email protected] mailto:[email protected]

Description: Department of Veterans Affairs

VA Office of Information Service Center

Department of Veterans Affairs Office of Information Service Center

STATEMENT OF WORK

DEPARTMENT OF VETERANS AFFAIRS

VETERANS HEALTH ADMINISTRATION

OFFICE OF INFORMATICS AND INFORMATION GOVERNANCE

STRATEGIC INVESTMENT MANAGEMENT

REQUIREMENTS DEVELOPMENT AND MANAGEMENT

REQUIREMENTS ANALYSIS COMPREHENSIVE SERVICES

TASK ORDER 12

Date:

PWS Version Number: 0.5

PWS TABLE OF CONTENTS:

1.0 Background 3

2.0 Applicable Documents 5

3.0 Scope of Work 6

3.1 Changes to the PWS 6

4.0 Peformance Details 6

4.1 Performance Period 7

4.2 Place of Performance 8

4.3 Travel 8

5.0 Tasks and Deliverables 9

5.1 Project Management of Contractor Activities 10

5.2 Level 1: Assessment and Validation of a Business Need or Opportunity 11

5.3 Level 2: Generation of BRD 12

5.5 Level 3: Generation of RED 12

5.6 Technical Writing 13

5.7 FDS 13

5.8 Tooling Support & Reporting 14

6.0 General Requirements 15

6.1 Contractor Personnel Security Requirements 15

6.2 Method and Distribution of Deliverables 18

6.3 Performance Meterics: 18

7.0 SCHEDULE FOR DELIVERABLES 18

BACKGROUND

Requirements Development and Management (RDM) Service, under Strategic Investment Management (SIM), Office of Informatics and Analytics (OIA) has a primary responsibility to gather, evaluate, analyze and document clinical and business requirements in support of VHA business users. RDM provides four (4) functional support roles to SIM, which are described in further detail below: Requirements Analysis, Requirements Elaboration, Field Developed Software, and Tooling Support & Reporting. Technical writing and technical writing reviews of documents, executive-level briefs and communications are also performed in support of these four (4) areas. The technical writing review process for business requirements documentation follows a scorecard methodology that utilizes a separate portion for each level of review. Once updates to the document have been accepted, it moves on to the next level of review.

RDM supports Veterans Health Administration (VHA) Program Offices and Veterans Affairs (VA) Offices in the development of business requirements for IT solutions and the management of their requirements. RDM works collaboratively with other Office of Informatics and Analytics (OIA) offices, including Applied Informatics Management (AIM) staff, AIM acts as an advocate, liaison and facilitator organization that represents VHA in the identification and acquisition of technology enhancements to improve Veteran services. AIM consists of functional groups that work together to organize current and future business knowledge and provide facilitation/oversight for business users throughout the Information Technology (IT) system s lifecycle.

A high-level description of the processes and outputs for each of the four (4) functional support areas is described below:

Requirements Analysis Elicits and guides VHA stakeholders in the definition and documentation of high-level business requirements. Requests for software or software enhancements are received through the RDM New Service Request (NSR) website portal and are reviewed for completeness by RDM. The request is then assigned to a Business Analyst, who schedules conference calls with the requester for the purpose of understanding the business needs, and associated risks of not addressing those needs through an IT solution. All information obtained through requester interviews are documented within the New Service Request Database (NSRD). The NSRD is a tool used by VHA Program Offices and field staff to enter enhancement requests for current and future IT systems and to obtain up to date status information for requests previously submitted. This information is then shared with SIM, OIA and Program Office staff, so that they may determine the validity and priority of the request as it relates to VHA and VA Operating Plans, Patient Safety and/or support of core application processes. The database also includes linkages to databases maintained and supported outside of RDM, such as Business Architecture Repositories. Business needs are then documented within the requirements repository, IBM Rational Requirements Composer (RRC), and attributes are assigned to each business need, including the level of Program Office support and associated Operating Plans (Level 1). RRC is a tool that allows analysts to document and track IT business requirements in support of software development. The tool provides an Enterprise-wide view, strategic traceability, visibility into reuse of existing requirements and dependencies of VHA IT requirements. Periodically, the AIM Portfolio Managers will work with the Program Offices to evaluate the business needs in the requirements repository RRC, and a decision will be made to further the analysis for a set of business needs. In those instances, the selected business needs will be refined into owner requirements through a series of stakeholder meetings. Likewise, owner requirements are populated into the requirements repository (RRC) and are associated to the business need to allow for traceability of requirements. RDM staff aggregate the business and owner requirements into a Business Requirements Document (BRD). BRDs are used to guide and support business decisions to fund IT projects (Level 2). SIM is currently offering Business Case Analysis (BCA) services to support VHA Program Offices as they perform their analysis and documentation of potential investments related to VHA IT systems and portfolios. RDM Business Case Analyses do not contemplate the cost of the work effort, but more the potential benefit to the Government should the decision be made by VA to fund the solution. Therefore, the RDM BCA template follows industry standards, but will require specialized tailoring in terms of cost.

Requirements Elaboration Develops detailed business requirements for approved/funded IT solutions. During Requirements Elaboration, the Business Analysts (typically a facilitator and note taker) conduct a series of meetings with the stakeholders defined within the BRD, as well as other Subject Matter Experts (SMEs) that the stakeholders may identify. Through these stakeholder meetings, the Business Analysts begin the process of refining the business needs and owner requirements identified within the BRD. The Business Analysts develop Business Use Cases and detailed business requirements ( System Shall statements/capabilities) and work collaboratively with the VHA OIA SIM Business Architecture Analysts who provide oversight and support for associated architectural modeling.

Once the Business Analysts have stakeholder approval of the Business Use Cases, all system shall statements/capabilities are documented in the requirements repository (currently RRC) and are associated with the higher-level owner requirements to allow for continued traceability (Level 3). A Requirements Elaboration Document (RED) is created in Rational ClearCase by the Business Analyst that contains the detailed business requirements, Business Use Cases, architectural models and the traceability matrix.

RDM is also supporting the requirements development efforts for the VistA Evolution (VE) project. The requirements for these efforts are being captured in an integrated Business Requirements Document (iBRD), which includes high level and detailed business requirements.

Field Developed Software (FDS) Supports business assessments of VHA innovation efforts by enabling the field to promote locally developed, innovative, value-add products for national use which has made the Veterans Health Information System and Technology Architecture (VistA) so successful.

VHA innovation efforts in the field have resulted in the development of locally developed and deployed software products, herein called Class III. Often the benefit of the local solution is one that is desired on a more global basis. Previously, local Medical Centers have had the ability to directly export their products to other facilities. Recently, the process for sharing Class III products has become more restrictive in order to ensure the integrity and reliability of the VistA databases. Therefore, when a Class III product is desired to be released and supported on a national basis (herein referred to as Class I), the product must be evaluated and certified through an open source certifying agent that it will do no harm. The FDS Business Analyst is responsible for the business assessment of the product that will aid the Program Office and business owners in determining the value of the Class III product for national deployment. A BRD is completed as an output of the analysis. An inventory of Class III products has been developed to store information on the multiple products maintained in the field and is updated by the FDS team members.

Tooling Support & Reporting Supports the NSRD (and RRC) tool.

The NSRD is a series of interconnected web forms that allow the Business Analysts to enter data that supports the processing of requests entered through the NSR webportal. The NSRD provides reports to SIM and AIM on each of the requests submitted and provides the customer-base with a single portal to review past requests and obtain information about the status of open requests. The database also includes linkages to databases maintained and supported outside of RDM, such as Business Architecture Repositories.

APPLICABLE DOCUMENTS

Documents referenced or germane to this Performance Work Statement (PWS) are listed below. The Contractor shall be guided by the information contained in the documents in performance of this PWS.

Office of Management and Budget (OMB) Circular A-123

Federal Information Security Management Act (FISMA) of 2002

Federal Information Processing Standards (FIPS) Pub 201, Personal Identity Verification for Federal Employees and Contractors, February 25, 2005

Privacy Act of 1974

Title VI of the Civil Rights Act of 1964

VA Directive 0710 dated September 10, 2004

VA Directive 6500VA Handbook 6102, Internet/Intranet Services

Health Insurance Portability and Accountability Act (HIPAA); 45 Code of Federal Records (CFR) Part 160, 162, and 164; Health Insurance Reform: Security Standards; Final Rule dated February 20, 2003

Electronic and IT Accessibility Standards (36 CFR 1194)

OMB Circular A-130

United States Code (U.S.C.) '' 552a, as amended

32 CFR 199

An Introductory Resource Guide for Implementing the HIPAA Security Rule, March 2005

Sections 504 and 508 of the Rehabilitation Act (29 U.S.C. '' 794d), as amended by the Workforce Investment Act of 1998 (P.L. 105-220), August 7, 1998

Homeland Security Presidential Directive 12 (HSPD-12): Policies for a Common Identification Standard for Federal Employees and Contractors, August 27, 2004.

VA Handbook 6500, Information Security Program

National Bureau of Standards and Technology (NBST) SP500-153, Guide to Auditing for Controls and Security: A System Development Life-Cycle Approach, April 1988

Federal Travel Regulation (FTR) (www.gsa.gov/federaltravelregulation)

National Institute of Standards and Technology (NIST) Special Publications

Guiding Principles for RDM and Business Architecture Process Modeling

SCOPE OF WORK

The contractor shall provide business requirements analysis services for the VHA, OIA SIM RDM Service to VHA stakeholders for Health Care IT systems. Tasks involve eliciting and documenting stakeholder business requirements, which are utilized by VHA to support funding determinations and as a source for development activities. Essential to this work is maintaining accurate and reliable records of the requirements in a requirements repository (currently RRC) maintained by RDM. The scope of the work and the work products are inclusive of requirements management planning activities that support governance processes, as well as detailed requirements elicitation that are the foundation of the design and development phases for funded projects. The specific tasks and deliverables are discussed in the following sections of this Performance Work Statement (PWS):

FUNCTIONAL AREAS

SOW SECTION

Project Management of Contractor Activities

5.1

Level 3: Generation of RED

5.5

Technical Writing

5.6

FDS

5.7

Tooling Support and Reporting

5.8

CHANGES TO THE PWS

Any changes to this PWS shall be authorized and approved only through written correspondence from the Contracting Officer (CO). A copy of each change will be kept in a project folder along with all other products of the project. Costs incurred by the Contractor through the actions or authorizations of parties other than the CO shall be borne by the Contractor.

PEFORMANCE DETAILS

The following describes the performance details associated with this Performance Work Statement (PWS) and RDM Blanket Purchase Agreement (BPA) PWS is hereby incorporated by reference.

PERFORMANCE PERIOD

The performance period for this task order is four (4) months after receipt of security clearance application of personnel. Security Applications shall be completed and submitted within 10 business days after award of this task order. The RDM BPA Performance Work Statement in hereby incorporated by reference. Paragraphs 5.1, 5,5, 5.6, 5.7, and 5.8 referenced below describe the tasks which result in the above deliverables.

The following information is solely an estimate to provide guidance on workload levels during the period of performance. The programs identified are subject to change.

5.1 Project Management Plan (PMP) in accordance with RDM BPA PWS paragraph 5.1.A.

5.5.A Low Complexity RED in accordance with RDM BPA PWS paragraph 5.5.A, deliverable is due Ninety (90) calendar days days after assignment. The programs identified for Low Complexity RED s are as follows: Six (6) work efforts yet to be determined.

5.6.A Technical Review Monthly Report in accordance with RDM BPA PWS paragraphs 5.6.A.

5.7 Class III Quarterly Status Report in accordance with RDM BPA PWS paragraph 5.7.A.

The specific focus of this task is for software waiver requests received by the Open Source office within Strategic Investment Management. These waiver requests are entered by VistA sites for Class III software changes to basic VistA code. The waiver request is to allow the sites to continue using the Class III code after VistA Standardization is executed at the site. The work will require assessment and analysis of the requests to provide information necessary for the software waiver review board to determine the need for the waiver. There is a remaining backlog of 300 waiver requests that need to be processed as quickly as possible, as VHA tries to complete VistA Standardization. Our goal is to complete these by the end of the fiscal year, and in order to do so, we need to assign more than one task within the period of performance. Due to these circumstances, the FDS task for Task Order 12 will be dedicated solely to the processing of waivers.

5.8.C/5.8.D Tool CM Implementation, and Tool CM Maintenance and Minor Enhancements in accordance with RDM BPA PWS paragraphs 5.8.C, and 5.8.D.

PLACE OF PERFORMANCE

The Contractor shall support this effort at Contractor facilities. The Contractor shall provide all equipment needed. On occasion, the Contractor shall be required to work on-site to attend meetings, conduct interviews, etc.; this will be specified in each TO.

The Contractor shall provide all facilities required to support staff assigned to this contract including network connectivity, office space, furniture, personnel support accommodations, etc. The Contractor shall provide contract staff with end user computing equipment including common desktop computing software and hardware to perform the required services. --The VA shall provide VA-specific software such as Virtual Private Network (VPN) and SharePoint access.----

TRAVEL

There is no travel is expected during the course of performance of this TO.

4.4 TYPE OF ORDER

This is a Firm Fixed Price (FFP) Task Order.

TASKS AND DELIVERABLES

The Contractor shall provide all Tasks and Deliverables described within this document. All deliverables shall be submitted to the COR with a copy to the Post Award CO in accordance with this task order. Unless otherwise stipulated, written deliverables shall be phrased in layperson language. Statistical and other technical terminology shall not be used without providing a glossary of terms. The Contractor shall be responsible for providing the number of copies in the media required by the COTR for each deliverable. Written deliverables shall be submitted in soft copy using Microsoft Office products.

If for any reason, any deliverable cannot be submitted on time, the Contractor shall provide a written explanation to the CO and COR as soon as is known but no later than three (3) business days prior to the deliverable due date. This written transmittal shall include a firm commitment of when the work shall be completed. This transmittal to the CO and COR shall cite the reasons for the delay and the impact on the overall project. Submittal of the impact statement as such does not alleviate the contractor of their responsibility to provide the deliverable on time, nor does submitting the statement constitute an excusable delay. The Contractor shall be responsible for adhering to all pertinent VA standards including, but not limited to, ensuring that all documentation and deliverables are stored on appropriate VA servers within one (1) week of their completion. The Contractor shall use the VA Nationwide Teleconferencing System for all pertinent conference calls, and the VA Exchange server for all pertinent email. Upon assignment of VA email accounts, use of external email accounts for the purpose of VA communications and business shall be limited to emergent use only. The Contractor shall be responsible for adhering to all pertinent VA policies and procedures.

Task

Task Description

PROJECT MANAGEMENT OF CONTRACTOR ACTIVITIES

The Contractor shall assign a PM to provide oversight of all contracted efforts. The PM shall be responsible for ensuring project success, minimizing risk, managing cost and schedule to ensure goals are met throughout the lifecycle of the project and adhering to all Government standards. The PM shall communicate with the COTR on all issues related to project outcomes. Upon issuance of each TO, the Contractor shall present their plan for completing each TO via a Post Award Orientation conference call and webinar including the project approach, schedule, milestones and points of contact. The Post Award Orientation conference call shall be held within five (5) business days after task order award.

The Contractor shall submit one (1) Monthly Progress Report addressing the status of all active TOs. This report shall include, but not be limited to, the following:

Status Summary

Risks, Issues and Action Status (new, open, closed since last report)

Deliverables Schedule status

Contractor staff roster (providing updates as they occur, including personnel and security requirements)

Status of required background investigations

Deliverable

Deliverable Description

Quantity

A

Monthly Progress Report

Monthly Progress Report and updates to PMP

4 each

Task

Task Description

5.5 LEVEL 3: GENERATION OF RED

In support of innovation and continued process quality improvement, the Contractor shall provide elective methodologies and approaches such as requirements visualization and model-driven requirements. Elective approaches should focus on process efficiency, reduced timelines and seek to improve the customer experience.

The Contractor shall elicit detailed business requirements for assigned work efforts. Through facilitated sessions, the Contractor shall elicit and document detailed business requirements. The elicitation process includes identification of detailed business needs, development of business use cases, and documentation of architectural models. Architectural models shall include at least three levels of decomposition for as-is and to-be processes, and Logical-level information models for related information and data. All information gathered through the elicitation process shall be documented within the appropriate SIM repository. In accordance with established guidelines and procedures, the Contractor shall generate a RED or iBRD and use that document to refine requirements and obtain stakeholder concurrence. The Contractor shall provide a final version of the RED or iBRD for review, validation, and approval by AIM and Program Office leadership.

Deliverable

Deliverable Description

Quantity

A

RED for Low Complexity Work Effort

The Contractor shall provide a signed RED including all architectural models for low complexity work efforts. The RED shall be generated using export utilities from within the requirements repository (ReqPro) when the capability exists. If the capability does not yet exist within the requirements repository (RRC), the Contractor shall build the RED using the current RDM-supplied template only after all requirements have been entered into the requirements repository (RRC).

6 each

5.6 TECHNICAL WRITING

The Contractor shall provide technical writing expertise to ensure that all Government initiated requirements documents conform with standard template formats (Attachments 2 &5), are grammatically correct and support a standard level of quality between analysts. The Contractor shall resolve all minor issues and return actionable items to the author by utilizing Track Changes. The Contractor shall complete the technical writing portion of the RDM Scorecard (Attachment 2H) for each document reviewed. The Contractor shall also utilize their expertise in developing Executive-Level Communcations using tools, such as PowerPoint and Microsoft Word, after receiving content from RDM staff.

Deliverable

Deliverable Description

Quantity

A

Technical Review Monthly Status Report

The Contractor shall deliver a monthly status report to include all listing of all documents reviewed with requestor for the month and any issues related to the review process with recommendations for improvements.

4 each

FDS

The specific focus of this task is for software waiver requests received by the Open Source office within Strategic Investment Management. These waiver requests are entered by VistA sites for Class III software changes to basic VistA code. The waiver request is to allow the sites to continue using the Class III code after VistA Standardization is executed at the site. The work will require assessment and analysis of the requests to provide information necessary for the software waiver review board to determine the need for the waiver. There is a remaining backlog of 300 waiver requests that need to be processed as quickly as possible, as VHA tries to complete VistA Standardization. Our goal is to complete these by the end of the fiscal year, and in order to do so, we need to assign more than one task within the period of performance. Due to these circumstances, the FDS task for Task Order 12 will be dedicated solely to the processing of waivers.

Deliverable

Deliverable Description

Quantity

A

Class III Quarterly Status Report

The Contractor shall deliver a Class III NSR quarterly status report to include progress, current status, and any open issues.

3 each

TOOLING SUPPORT & REPORTING

The Contractor shall provide RDM maintenance support of the NSRD (Microsoft SQL Server database, active server pages (ASP), Micrsoft FrontPage or SP Designer), which facilitates tracking of the requests management process.

The Contractor shall complete a comprehensive report of the activities completed in the preceding month including, but not limited to: troubleshooting access/connectivity issues; solutions implemented to address identified bugs; granting access privileges and modifying the web pages to permit access as appropriate; adding or subtracting data fields to forms and reports to support business process changes based on senior management feedback; modifying the customer Submission Form; promoting the database platforms as dictated by VA Web Operations; maintaining current registry integrations with the other linked databases; identifying future risks to the integrity and/or stability of the database and web site functions.

The Contractor shall extract and coordinate data from various tools for the purpose of providing consolidated views of information for RDM to make decisions. The types of tools accessed to develop reports include, but are not limited to, time reporting and tracking, requirements management, project tracking, request tracking, etc. Activities involve running predefined reports as well as creating new reports to support RDM needs.

The Contractor shall use engineering processes and procedures to implement formal Tool Configuration Management (CM) for IBM Rational Jazz Suite to include reports, schemas, and custom utility capabilities and perform tasks associated with supporting CM activities. The implementation phase includes routine maintenance.-- The Contractor shall work in accordance with the established Change Management process and provide Tier One support to users of Rational Jazz Suite tools (RRC and Team Concert).-- The Contractor shall coordinate activities associated with Change Control Boards, facilitate negotiation of scope changes and determine how each change request/order and action item should be handled.-- The Contractor shall author, perform and instruct others on CM activities for change control, configuration identification and configuration status accounting, and appropriate management and support of the system repositories. Post-implementation, the Contractor shall provide CM maintenance and minor enhancements.

Deliverable

Deliverable Description

Quantity

C

Tool CM Implementation

The Contractor shall deliver a comprehensive monthly report describing all activities completed.

4 each

D

Tool CM Maintenance and Minor Enhancements

The Contractor shall deliver a comprehensive monthly report illustrating all activities completed.

4 each

GENERAL REQUIREMENTS

CONTRACTOR PERSONNEL SECURITY REQUIREMENTS

The following security requirements must be addressed regarding Contractor supplied equipment: Contractor supplied equipment, PCs of all types, equipment with hard drives, and so forth for contract services must meet all security requirements that apply to Government Furnished Equipment (GFE) and Government Owned Equipment (GOE).-- Security Requirements include:-- a) VA Approved Encryption Software must be installed on all laptops or mobile devices before placed into operation, b) Bluetooth equipped devices are prohibited within the VA; Bluetooth must be permanently disabled or removed from the device, and c) Equipment must meet all sanitization requirements and procedures before disposal.-- The COTR, CO, PM and the Information Security Officer (ISO) must be notified and verify all security requirements have been adhered to.

Information made available to the Contractor/Sub-Contractor by VA for the performance or administration of this TO or information developed by the Contractor/Sub-Contractor in performance or administration of the TO shall be used only for those purposes and shall not be used in any other way without the prior written agreement of the VA. This clause expressly limits the Contractor/Sub-Contractor's rights to use data as described in Rights in Data - General, FAR 52.227-14(d) (1).

VA information should not be co-mingled, if possible, with any other data on the Contractors/Sub-Contractor s information systems or media storage systems in order to ensure VA requirements related to data protection and media sanitization can be met. If co-mingling must be allowed to meet the requirements of the business need, the Contractor must ensure that VA s information is returned to the VA or destroyed in accordance with VA s sanitization requirements. VA reserves the right to conduct on-site inspections of Contractor and Sub-Contractor IT resources to ensure data security controls, separation of data and job duties, and destruction/media sanitization procedures are in compliance with VA directive requirements.

Prior to termination or completion of this TO, the Contractor/Sub-Contractor must not destroy information received from VA, or gathered/created by the Contractor in the course of performing this TO without prior written approval by the VA. Any data destruction done on behalf of VA by a Contractor/Sub-Contractor must be done in accordance with National Archives and Records Administration (NARA) requirements as outlined in VA Directive 6300, Records and Information Management and its Handbook 6300.1 Records Management Procedures, applicable VA Records Control Schedules, and the VA Handbook 6500.1, Electronic Media Sanitization. Self-certification by the Contractor that the data destruction requirements above have been met must be sent to the VA CO within 30 days of termination of the TO.

The Contractor/Sub-Contractor must receive, gather, store, back up, maintain, use, disclose and dispose of VA information only in compliance with the terms of the TO and applicable Federal and VA information confidentiality and security laws, regulations and policies. If Federal or VA information confidentiality and security laws, regulations and policies become applicable to the VA information or information systems after execution of the TO, or if NIST issues or updates applicable FIPS or Special Publications after execution of this TO, the parties agree to negotiate in good faith to implement the information confidentiality and security laws, regulations and policies in this TO.

The Contractor/Sub-Contractor shall not make copies of VA information except as authorized and necessary to perform the terms of the agreement or to preserve electronic information stored on Contractor/Sub-Contractor electronic storage media for restoration in case any electronic equipment or data used by the Contractor/Sub-Contractor needs to be restored to an operating state. If copies are made for restoration purposes, after the restoration is complete, the copies must be appropriately destroyed.

If VA determines that the Contractor has violated any of the information confidentiality, privacy and security provisions of the TO, it shall be sufficient grounds for VA to withhold payment to the Contractor or third party terminate the TO for default or terminate for cause under FAR part 12.

The Contractor/Sub-Contractor must store, transport or transmit VA sensitive information in an encrypted form using VA-approved encryption tools that are, at a minimum, FIPS 140-2 validated.

The Contractor/Sub-Contractor s firewall and Web services security controls, if applicable, shall meet or exceed VA s minimum requirements. VA Configuration Guidelines are available upon request.

Except for uses and disclosures of VA information authorized by this TO for performance of the TO, the Contractor/Sub-Contractor may use and disclose VA information only in two other situations: (i) in response to a qualifying order of a court of competent jurisdiction, or (ii) with VA s prior written approval. The Contractor/Sub-Contractor must refer all requests for, demands for production of, or inquiries about VA information and information systems to the VA CO for response.

Notwithstanding the provision above, the Contractor/Sub-Contractor shall not release VA records protected by Title 38 U.S.C. 5705, confidentiality of medical quality assurance records and/or Title 38 U.S.C. 7332, confidentiality of certain health records pertaining to drug addiction, sickle cell anemia, alcoholism or alcohol abuse, or infection with human immunodeficiency virus. If the Contractor/Sub-Contractor is in receipt of a court order or other requests for the above mentioned information, that Contractor/Sub-Contractor shall immediately refer such court orders or other requests to the VA CO for response.

For service that involves the storage, generating, transmitting, or exchanging of VA sensitive information but does not require Certification and Accreditation (C&A) or a Memorandum of Understanding-Interconnection Service Agreement (MOU-ISA) for system interconnection, the Contractor/Sub-Contractor must complete a Contractor Security Control Assessment (CSCA) on a yearly basis and provide it to the COTR.

Position Sensitivity and Background Investigation - The position sensitivity and the level of background investigation commensurate with the required level of access is:

Low/National Agency Check with Written Inquiries (NACI)

Moderate/Minimum Background Investigation (MBI)

High/Background Investigation

Position Sensitivity

Background Investigation (in accordance with 7010 Handbook Appendix A)

Low

A NACI is conducted by the Office of Personnel Management (OPM) and covers a five-year period. It consists of a review of records contained in the OPM Security Investigations Index (SII) and the Department of Defense (DOD) Defense Central Investigations Index (DCII), Federal Bureau of Investigation (FBI) name check, FBI fingerprint check, and written inquiries to previous employers and references listed on the application for employment. In VA it is used for non-sensitive or Low Risk positions.

Moderate

A MBI is conducted by OPM and covers a five-year period. It consists of a review of National Agency Check records [OPM (SII), DOD DCII, FBI name check, and a FBI fingerprint check], a credit report covering a period of five years; written inquiries to previous employers, references listed on the application for employment; an interview with the subject, spouse, neighbors, supervisor, and co-workers; and a verification of the educational degree.

High

Background Investigation. A background investigation is conducted by OPM and covers a 10 year period. It consists of a review of National Agency Check records [OPM SII, DOD DCII, FBI name check, and a FBI fingerprint check report], a credit report covering a period of 10 years, written inquiries to previous employers and references listed on the application for employment; an interview with the subject, spouse, neighbors, supervisor, and co-workers; and a verification of the educational degree.

Contractor Responsibilities:

The Contractor shall prescreen all personnel requiring access to the computer systems to ensure they maintain the appropriate Background Investigation, and are able to read, write, speak and understand the English language. The Contractor shall provide the name, address, date of birth, Social Security Number and any other pertinent and relevant information of the Contractor personnel assigned to this project to the COTR and CO prior to Project Kickoff Meeting.

The Contractor shall bear the expense of obtaining background investigations. If the investigation is conducted by the OPM, the Contractor shall reimburse VA within 30 calendar days.

The Contractor shall submit or have their personnel submit the required forms (Standard Form (SF) 85P - Questionnaire for Public Trust Positions, SF 85P-S Supplemental Questionnaire for Selected Positions, FD 258, U.S. Department of Justice Fingerprint Applicant Chart, VA Form 0710, Authority for Release of Information Form, Optional Form 306, Declaration for Federal Employment, and Optional Form 612, Optional Application for Federal Employment) to the VA Office of Security and Law Enforcement (OSLE) within 30 calendar days of receipt.

All costs associated with obtaining clearances for Contractor provided personnel shall be the responsibility of the Contractor. Further, the Contractor shall be responsible for the actions of all individuals provided to work for VA under this TO. In the event that damages arise from work performed by Contractor provided personnel, under the auspices of this TO, the Contractor shall be responsible for all resources necessary to remedy the incident.

The Contractor(s) and Contractor Point of contact (POC) will receive an email notification from the Security and Investigation Center (SIC) identifying the website link that includes detailed instructions regarding completion of the background clearance application process and what level of background clearance was requested. Reminder notifications will be sent if the complete package is not submitted by the due date.

If the security clearance investigation is not completed prior to the start date of the TO, the contract employee may work on the TO with an initiated status while the security clearance is being processed. However, the Contractor shall be responsible for the actions of the Contractor personnel they provide to perform work for the VA. In the event damage arises from work performed by Contractor personnel, under the auspices of the TO, the Contractor shall be responsible for resources necessary to remedy the incident.

The investigative history for Contractor personnel working under this TO must be maintained in the databases of either the OPM or the Defense Industrial Security Clearance Organization.

The Contractor, when notified of an unfavorable determination by the Government, shall withdraw the employee from consideration in working under the TO.

Failure to comply with the Contractor personnel security requirements may result in termination of the TO for default.

METHOD AND DISTRIBUTION OF DELIVERABLES

The Contractor shall deliver documentation in electronic format, unless otherwise directed in Section B of the solicitation/TO. Acceptable electronic media include: MS Word 2000/2003/2007, MS Excel 2000/2003/2007, MS PowerPoint 2000/2003/2007, MS Project 2000/2003/2007, MS Access 2000/2003/2007, MS Visio 2000/2002/2003/2007, CAD 2002, and Adobe Postscript Data Format (PDF).

PERFORMANCE METRICS:

The Government will utilize a Quality Assurance Surveillance Plan (QASP) throughout the life of each order to ensure that the Contractor is performing the services required by the PWS in an acceptable manner. The government reserves the right to alter or change the QASP at its own discretion. A Performance Based Service Assessment Survey will be used in combination with the QASP to assist the government in determining acceptable performance levels. See attachment titled ATTACHMENT B: RDM 1 Task Order 1 QASP , pages 1- 11 of 11.

SCHEDULE FOR DELIVERABLES

Task

ID

Deliverable Description

Due Date

5.1

A

Monthly Progress Report

5th calendar day of the month after task order award

5.5

A

RED for Low Complexity Work Effort

Ninety (90) calendar days after assignment

5.6

A

Technical Writing Monthly Status Report

5th calendar day of the month after task order award

5.7

A

Class III Quarterly Status Report

Quarterly, beginning ninety (90) calendar days after task order award

5.8

C

Tool CM Implementation

5th calendar day of the month after task order award

D

Tool CM Maintenance and Minor Enhancements

5th calendar day of the month after task order award

Acronyms

Acronym

Definition

AIM

Applied Informatics Management

BAA

Business Associate Agreements

BCA

Business Case Analysis

BPA

Blanket Purchase Agreement

BRD

Business Requirements Document

C&A

Certification and Accreditation

CFR

Code of Federal Records

CO

Contracting Officer

COTR

Contracting Officer s Technical Representative

CSCA

Contractor Security Control Assessment

DCII

Defense Central Investigations Index

DoD

Department of Defense

EA

Enterprise Architecture

EIT

Electronic and Information Technology

EPHI

Electronic Protected Health Information

ESM

Enterprise Systems Management

FAR

Federal Acquisition Regulation

FBI

Federal Bureau of Investigation

FDCC

Federal Desktop Core Configuration

FDS

Field Developed Software

FIPS

Federal Information Processing Standards

FISMA

Federal Information Security Management Act

FTR

Federal Travel Regulation

GFE

Government Furnished Equipment

GOE

Government Owned Equipment

HI

Health Informatics

HIPAA

Health Insurance Portability and Accountability Act

HSPD

Homeland Security Presidential Directive

ISO

Information Security Officer

IT

Information Technology

LAN

Local Area Network

LMS

Learning Management System

MBI

Minimum Background Investigation

MOU-ISA

Memorandum of Understanding Interconnection Service Agreement

NACI

National Agency Check with Inquiries

NARA

National Archives and Records Administration

NBST

National Bureau of Standards and Technology

NIST

National Institute of Standards and Technology

NSR

New Service Request

NSRT

New Service Request Database

OCS

Office of Citizen Services

OGC

Office of General Counsel

OIA

Office of Informatics and Analytics

OI&T

Office of Information and Technology

OIG

Office of the Inspector General

OMB

Office of Management and Budget

One-VA TRM

OI&T Technical Reference Model

OPM

Office of Personnel Management

OSLE

Office of Security and Law Enforcement

PHI

Protected Health Information

PIA

Privacy Impact Assessment

PII

Personally Identifiable Information

PM

Program Manager

PMAS

Program Management Accountability System

PMP

Project Management Plan

PO

Privacy Officer

POA&M

Plan of Action and Milestones

POC

Point of contact

PSF

Product Summary Form

QC

Quality Control

QMP

Quality Management Plan

RDM

Requirements Analysis and Engineering Management

RDM

Requirements Development and Management (formerly RDM)

RRC

Rational Requirements Composer

ReqPro

Requisite Pro

RED

Requirements Elaboration Document

SF

Standard Form

SIC

Security Investigation Center

SII

Security Investigations Index

SIM

Strategic Investment Management

SMART

Security Management and Reporting Tool

SOR

System of Records

SOW

Statement of Work

SPI

Sensitive Personal Information

SSP

System Security Plan

TO

Task Order

U.S.

United States

U.S.C

United States Code

VA

Department of Veterans Affairs

VAAR

Veterans Affairs Acquisition Regulation

VHA

Veterans Health Administration

VistA

Veterans Health Information System and Technology Architecture

VPN

Virtual Private Network

Task Order 10

Task

Deliverable Ref

Description

QTY

Unit

Unit Price

Amount

*-1

*-Project Management of Contractor Activities--

5.1.A

Monthly Progress Report

4

*-EA

*-

*-

5

Level 3: Generation of RED

5.5.A

RED for Low Complexity Work Effort

6

EA

6

Scorecard for Technical Review of Business Requirements Artifacts

5.6.A

Technical Review Monthly Status Report

4

EA

7

Field Developed Software (FDS)

5.7.A

Class III Quarterly Status Report

3

EA

*-8

*--- Tooling Support & Reporting

5.8.C

Tool CM Implementation

4

EA

5.8.D

Tool CM Maintenance and Minor Enhancements

4

EA

Total

Link/URL: https://www.fbo.gov/spg/VA/ISC/OISC/VA70117N0158/listing.html