Attachment A
STATEMENT OF WORK
August 21, 2023
Project Title: Content Development for the Newborn Screening Information Center (MCHB62 C 4669)
I. BACKGROUND
The Health Resources and Services Administration (HRSA), an agency of the U.S. Department of Health and Human Services (HHS), is the primary federal agency for improving access to health care for the tens of millions of Americans who, for a variety of reasons, are medically underserved or face barriers to needed care. HRSA’s mission is to improve health and achieve health equity through access to quality services, a skilled health workforce and innovative programs.
Newborn Screening (NBS) is a successful public health program implemented at the state level that saves and/or improves the lives of thousands of babies each year in the United States. Four million newborns each year are screened for conditions that are included on states’ NBS panels as recommended by the HHS Secretary. These conditions may not be apparent at birth but require early intervention and treatment. Early detection mitigates brain and organ damage, may attenuate disease severity, and prevent life-threatening complications associated with these conditions. MCHB has administered various NBS and other heritable disorders programs, which were authorized by the Newborn Screening Saves Lives Act of 2007 (P.L. 110-204) and reauthorized by the Newborn Screening Saves Lives Reauthorization Act of 2014 (P.L. 113-240). These programs collectively aim to enhance, improve, or expand the ability of states and local public health agencies to provide screening, counseling, and health care services to newborns and children having or at risk for having heritable disorders.
The Maternal and Child Health Bureau of HRSA is providing this contract in support of the Newborn Screening Saves Lives Reauthorization Act of 2015 (Public Health Service Act § 1112 (42 U.S.C. 300b-11)). The statute requires HRSA to establish and maintain a central clearinghouse of current educational and family support and services information, materials, resources, research, and data on NBS. The Newborn Screening Information Center (NBSIC) is a trusted resource for NBS and is an objective, impartial website.
The HRSA Office of Communications (OC), within the Office of the Administrator, directs all web and social media outreach efforts of the agency. This includes creating, publishing, managing, deleting, maintaining, and ensuring Section 508 compliance, usability and plain-language writing of the content for www.hrsa.gov and its sub-domains to host content developed through this requirement. The HRSA OC team will be uploading the content to https://newbornscreening.hrsa.gov/ and https://newbornscreening.hrsa.gov/es.
The purpose of the NBSIC website is to:
- Enable parents and family members of newborns, health professionals, industry representatives, and other members of the public to increase their awareness, knowledge and understanding of NBS.
- Increase awareness, knowledge, and understanding of NBS for expectant individuals and families.
Per the legislation, the NBSIC website shall:
- Be available on the Internet.
- Include an interactive forum.
- Be updated on a regular basis, but not less than quarterly.
- Provide the following:
- links to Government-sponsored, non-profit, and other Internet websites of laboratories that have demonstrated expertise in NBS that supply research-based information on NBS tests currently available throughout the United States.
- information about newborn conditions and screening services available in each State from laboratories certified under the Clinical Laboratory Improvement Amendments, including information about supplemental screening that is available but not required, in the State where the infant is born.
- current research on both treatable and not-yet treatable conditions for which NBS tests are available.
- the availability of Federal funding for newborn and child screening for heritable disorders including grants authorized under the Newborn Screening Saves Lives Reauthorization Act of 2014; and
- other relevant information as determined appropriate by the Secretary and HRSA.
II. PURPOSE/GENERAL DESCRIPTION
The purpose of this contract is to develop new materials and maintain current educational materials in English and Spanish for a central clearinghouse of NBS information that is located at https://newbornscreening.hrsa.gov/ and https://newbornscreening.hrsa.gov/es.
III. PERIOD OF PERFORMANCE / PLACE OF PERFORMANCE
The period of performance shall be for one base year and four (4) option years.
The place of performance will primarily be at the contractor’s facility.
Federal Holidays
- New Year’s Day: January 1
- Martin Luther King’s Birthday: 3rd Monday in January
- Washington’s Birthday: 3rd Monday in February
- Memorial Day: last Monday in May
- Juneteenth National Independence Day: June 19
- Independence Day: July 4
- Labor Day: 1st Monday in September
- Columbus Day: 2nd Monday in October
- Veterans’ Day: November 11
- Thanksgiving Day: 4th Thursday in November
- Christmas Day: December 25
Federal law (5 U.S.C. 6103) establishes the public holidays listed in these pages for Federal employees. Please note that most Federal employees work on a Monday through Friday schedule. For these employees, when a holiday falls on a nonwork day -- Saturday or Sunday -- the holiday usually is observed on Monday (if the holiday falls on Sunday) or Friday (if the holiday falls on Saturday).
IV. TASKS
Task 1 - Records Management Training
The Contractor shall:
- Records and Information Regulation Guidelines: In accordance with 36 CFR 1222.32, all data created for Government use and delivered to, or falling under the legal control of, the Government are Federal records subject to the provisions of 44 U.S.C. chapters 21, 29, 31, and 33, the Freedom of Information Act (FOIA) (5 U.S.C. 552), as amended, and the Privacy Act of 1974 (5 U.S.C. 552a), as amended and must be managed and scheduled for disposition only as permitted by statute or regulation.
The Contractor shall not retain, use, sell, or disseminate copies of any deliverable that contains information covered by the Privacy Act of 1974 or that which is generally protected from public disclosure by an exemption to the Freedom of Information Act.
- Records and Information Management: The contractor shall manage and maintain Federal records and/or information, including electronic records and/or information, ensuing from this contract in accordance with all applicable records management laws and regulations, including but not limited to the Federal Records Act (44 U.S.C. Chapters 21, 29, 31, 33); 36 CFR § 1236.20, "What are appropriate record keeping systems for electronic records?", and § 1236.22, "What are the additional requirements for managing electronic mail records?" (https://www.ecfr.gov/current/title-36/part-1236); NARA Bulletin 2013-02, August 29, 2013, Guidance on a New Approach to Managing Email Records (https://www.archives.gov/records-mgmt/bulletins/2013/2013-02.html); and NARA Bulletin 2010-05, September 08, 2010, Guidance on Managing Records in Cloud Computing Environments (http://www.archives.gov/records-mgmt/bulletins/2010/2010-05.html).
Managing the records includes maintaining records to retain functionality and integrity throughout the records' full lifecycle, including: (1) maintenance of links between records and metadata, and (2) categorization of records to manage retention and disposal, either through transfer of permanent records to NARA or deletion of temporary records in accordance with NARA-approved retention schedules.
- Records Management Training: The contractor (and/or subcontractor) shall ensure that all employees having access to (1) Federal information or a Federal information system, or (2) personally identifiable information (PII), complete the HHS Records Management Training before performing work under this contract, and thereafter complete the annual refresher training during the life of the contract. The training is located at https://humancapital.learning.hhs.gov/courses/2022recordsmanagement/01_index.html. At the end of the Records Management training, please send the "Certificate of Completion" to the Contracting Officer Representative (COR) of the contract. The listing of completed training shall be included in the first progress report. Any revisions to this listing as a result of staffing changes shall be submitted with the next required progress report.
Task 2: Kickoff Meeting
The Contractor shall:
2.1 Meet with the Contracting Officer’s Representative (COR) and other HRSA staff invited by the COR within two (2) weeks of Effective Date of Contract (EDOC) using a web-based meeting platform (such as WebEx or Zoom) to introduce key task participants and their roles in the project, discuss the draft work plan and timeline for all phases of the project, scope of work, schedule of deliverables, priorities, and identify any potential challenges.
2.2 Electronically submit via email a draft meeting agenda and any materials within five (5) business days of EDOC to the COR. The draft agenda and materials will be reviewed by the COR prior to the meeting.
2.3 Take meeting minutes and electronically submit to the COR within three (3) business days after the Kickoff Meeting. The meeting minutes shall reflect any changes to the project timeline and include a list of anticipated deadlines reflecting all agreed upon outcomes of the discussion.
2.4 Revise the meeting minutes as directed by the COR and electronically submit the revised meeting minutes to the COR within two (2) business days after receipt of comments from the COR.
Task 3: Project Management
Task 3.1 – Monthly Meetings
The Contractor Shall:
a. Meet with the COR and other members as indicated by the COR monthly using a web-based meeting platform (such as WebEx or Zoom) to discuss the status of contract and other pertinent issues. These meetings shall include the following discussion items:
- Progress on activities that have occurred since the EDOC or date of last call, including problems encountered and potential future problems, solutions or steps taken to resolve challenges, actual and possible delays in deliverables, etc.;
- Progress and plans for upcoming activities, for review and acceptance by the COR;
- Technical direction based on any questions or problems the contractor has to achieve the desired outcomes on the project plan.
b. Develop an agenda for the meeting and electronically submit to the COR in Microsoft Outlook for review and acceptance no less than three (3) business days before each meeting.
c. Take meeting minutes of each meeting and electronically submit the draft minutes to the COR within two (2) business days of each meeting. The minutes shall include a list of any decisions made during the meeting and action items due by the COR and the Contractor until the next meeting.
Task 3.2 – Quarterly Meetings
The Contractor Shall:
a. Each quarter, conduct quarterly meetings using a web-based meeting platform (such as WebEx or Zoom) with the COR and designated HRSA staff, including management, project officers of other grants related to NBS, the HRSA website team, and other members as indicated by the COR. The meeting will discuss new updates to the NBSIC website since the last quarterly meeting, challenges, and resolutions to complex task assignments, allow for HRSA staff feedback, and follow-up action items.
b. Develop an agenda for the meeting and electronically submit to the COR in Microsoft Outlook for review and acceptance no less than three (3) business days before each meeting.
c. Take meeting minutes of each meeting and electronically submit the draft minutes to the COR in Microsoft Word within two (2) business days of each meeting. The minutes shall include a list of any decisions made during the meeting and action items due by the COR and the Contractor until the next meeting.
Task 3.3 – Quarterly Progress Report
The Contractor Shall:
Electronically submit a quarterly progress report to the COR outlining activities and issues affecting contract performance. The quarterly report shall be submitted five (5) business days after the end of each quarter. Specifically provide the following in the quarterly progress report:
- Status of Work – In a narrative and table, highlight the status of activities by task, including any significant events, trends, or problems that occurred along with suggestions for resolution and/or recommendations for improving performance.
- Planned Activities for Next Three Months – Include a discussion of the work to be performed, by task, during the subsequent month and estimated completion date of each task.
Task 4: Work Plan
The Contractor Shall:
4.1 Submit a revised version of the work plan that was submitted in the proposal to the COR twenty (20) business days after the kickoff meeting. The revised work plan will refine priorities for inclusion in the work plan, incorporate HRSA’s input, and reflect discussions from the project kickoff meeting. The revised work plan shall include updated objectives and deliverables associated with timelines and milestones.
4.2 The work plan shall be updated annually within one month after the start of each exercised option period.
4.3 Complete all activities from the technical work plan within five (5) business days before the end of each period of performance.
Task 5: Development of Web Content for the NBSIC Websites
The Contractor Shall:
5.1 Provide expertise and update content on the following topics related to NBS: newborn and child medical/genetic conditions including presenting phenotype, diagnosis, treatment, genetic etiology and implications for family members; family education; screening practices; laboratory methods; public health impact; information technology; health education; medical home; health literacy; cultural competency and patient/family-centered care experts that have served the needs of diverse populations and stakeholders.
5.2 Content shall be submitted to the COR in the Quarterly Updates of Content for the Newborn Screening Information Center for the following:
- Update all currently posted pages on the website with updated information.
- Contact the states on a yearly basis to confirm the information for the state NBS panels. Review quarterly the 56 state and territory website pages to confirm what is on the NBSIC website is the same as the state pages for NBS panels.
- Provide updated information, as needed, on conditions on the RUSP or other conditions for parents and caregivers. This shall include information on the NBS test, follow up needed to establish a diagnosis, clinical history, management and treatment and services needed by the family.
- Provide maps or other graphics that show national information on NBS (average of 5 maps of the US and the territories, e.g., number of conditions screened in each state and territory).
- Provide fact sheets, education tools, infographics, etc. from other groups that are vetted by the contractor (average of 10 items total per year) that will be useful to the stakeholders.
- Develop emerging NBS and genetics issues summaries (average of 2 pages each year).
- Develop summaries that highlight challenges faced by parents, caregivers, and other stakeholders in the newborn screening community (average of 5 pages each year) and, if appropriate, solutions or mechanisms to address those challenges.
- Provide latest NBS technologies information about supplemental screening that is available but not required, in each State (1 page).
5.3 All content must be vetted by NBS experts, as identified by the contractor, and approved by the COR to include that the latest information on the NBSIC website is up to date.
5.4 Incorporate recommendations from HRSA to develop accurate, up-to-date web page content that executes on the findings from the evaluation of the site and the ability to reach the intended audience. The recommendations provided by HRSA are from reviewing the NBSIC website to evaluate the content and the usability of the website. Information will be forthcoming from HRSA of strategies to operationalize the website to maximize its reach and impact.
5.5 Provide one-page summaries, if requested (up to 6 pages per year) and links to:
- authoritative and/or evidence-based information.
- community training initiatives.
- health care provider educational materials.
- NBS best practices and guidelines.
- information and tools that promote culturally sensitive education and decision-making regarding NBS for heritable disorders; and
- quality indicators to measure performance of NBSs, such as false-positive rates and other quality indicators.
- The draft summary shall be submitted 35 business days after the request is made in an email from the COR.
- The final 508 compliant summary in a PDF document shall be submitted to the COR within ten (10) business days after receipt of comments from COR.
5.6 Coordinate with the HRSA grantees for the Family Engagement and Leadership in Systems of Care, the NBS Excel, NBS Propel, and other HHS grantees as identified by the COR, to identify educational needs. The contractor will not recreate items but will provide emphasis and/or links to established materials.
5.7 Provide links to the COR, quarterly, for websites and other sources of credible information regarding NBS, including Government-sponsored, nonprofit, advocacy, NBS laboratories, and other online websites that have demonstrated expertise in NBS, and that supply research-based information on NBS tests currently available throughout the United States.
5.8 Participate in the steering committees that guide the activities of the project awardee for the Family Engagement and Leadership in Systems of Care and the NBS Excel Program. The COR will provide dates for the steering committees to the Contractor when dates become available. The contractor shall attend two (2) in-person, two-day Steering Committee meetings each year in Washington D.C.
5.9 Vet all non-government websites using the vetting strategy approved by HRSA at the kickoff meeting. See sample guideline https://medlineplus.gov/criteria.html. Also, submit a Quarterly Vetting Report to the COR for all new and revised content at the same time as submitting the Quarterly Updates of Content for the Newborn Screening Information Center. The Vetting Report shall include a list of requests for inclusion on the NBSIC website; a vetting strategy analysis of each vetting request; and the reason for including/excluding websites.
The COR will forward vetting requests from organizations to the contractor.
All non-government websites shall be approved by the COR before posting on the NBSIC website.
5.10 Provide current links to the COR, quarterly, to state NBS programs for information including the number of conditions for which each State screens.
5.11 Provide content to the COR, quarterly, for the NBSIC websites on current research on both treatable and not-yet treatable conditions for which NBS tests are available.
5.12 Summarize and provide links to the COR, quarterly, to established evidenced-based guidelines related to diagnosis, counseling and treatment with respect to conditions detected by NBS.
5.13 Coordinate website content, under the guidance of the COR, with organizations that work on NBS including: the Advisory Committee on Heritable Disorders in Newborns and Children, HRSA-funded programs such as the NBS Excel, NBS Propel, Family Engagement and Leadership in Systems of Care, Sickle Cell Disease Follow Up programs, the Parent-to-Parent Health Information Centers, the Thalassemia program, Healthy Start Programs, and Maternal, Infant and Early Childhood Home Visiting Programs, Title V Maternal and Child Health (MCH) Block Grant Program, and any other federally funded program as identified by the COR. The COR will provide point of contact information for the organizations to the contractor to ensure that program content is appropriately reflected on the NBSIC websites. The purpose is to ensure complementary and not duplicative information.
5.14 Research information about the availability of Federal funding for newborn and child screening authorized under the Newborn Screening Saves Lives Reauthorization Act of 2014 for inclusion on the NBSIC website.
5.15 Provide up to five (5) graphic designs, including digital assets for use in print materials, HRSA’s webpages, social media channel, to the COR, within six (6) months of each contract year. Also, provide graphics elements in .gif, .png or .jpg as appropriate for web, as well as the original source file in .ai or other HRSA-approved software. HRSA will provide a style guide. See an additional sample of another HRSA webpage at https://poisonhelp.hrsa.gov/
5.16 Analyze the website analytics every three months and provide recommendations to the COR on updates and improvements electronically submitted via Microsoft Word. Access will be coordinated by the COR.
5.17 Search Engine Optimization (SEO)
- Optimize new and existing pages, content, and metadata for external search performance for NBS-related keywords and phrases every three months.
- Ensure page headers, title, keywords, other metadata, and URL path accurately reflect page content.
- Ensure content is optimally structured for findability.
- Make adjustments and changes as needed to ensure findability of NBS content.
Task 6: Quarterly Updates of Content for the Newborn Screening Information Center Websites
The Contractor Shall:
6.1 Update the website content in English and Spanish quarterly to keep materials current and accurate. Also, submit updated content to the COR by December 1st, March 1st, June 1st, and September 1st of each contract period.
6.2 The Spanish NBSIC content shall be customized to the needs of Spanish-speaking communities – not simply a direct translation of the English website. To ensure an accurate and comprehensive review, Spanish quarterly updates will be completed in sequence to the English quarterly reviews. Spanish reviews will be completed one (1) quarter after an English quarterly review is completed, to ensure that the Spanish review is applied to the most up-to-date English content (i.e., English review completed December 1st, will have a Spanish quarterly review completed by March 1st).
Task 7: Promote the NBSIC website
The Contractor Shall:
7.1 Create a workplan to promote the NBSIC websites to other Federal agencies, state and territory websites, and other groups as appropriate and approved by the COR.
For Base period
- Electronically submit to the COR a draft promotion workplan in Microsoft Word within nine (9) months of EDOC.
- Electronically submit the final workplan to the COR in Microsoft Word within one (1) week of receipt of comments from COR.
For Option Periods 01 through 04
- Electronically submit to the COR an updated draft promotion plan in Microsoft Word within one (1) month of EDOC.
- Electronically submit the updated final plan to the COR in Microsoft Word within one (1) week of receipt of comments from COR.
7.2 Submit abstracts and/or posters to at least 3 conferences (Association of Public Health Laboratories NBS Symposium, American Public Health Association annual meeting, and others as identified and approved by the COR).
7.3 For Option Periods 01 through 04, provide an exhibiting presence at the APHL NBS Symposium, and/or other national meetings promoting the NBSIC website as an educational tool and resource for multiple audiences including the public, providers, public health agencies, and others.
Task 8 - Use of Plain Language Guidelines and Other Government Laws and Regulations for all Products
The Contractor shall:
8.1 Follow the federal Plain Language Guidelines when developing products. The Plain Language Act of 2010 requires federal agencies to create communications that are clear and understandable to the public.
8.2 Produce content that follows federal plain language guidelines. All text content must aim for a Flesch-Kincaid Reading Ease score of at least 60. HRSA’s Office of Communications’ liaisons use Readable to review, update, and score content. Contractor shall work with the COR and program communications liaisons and use Readable to review, score and enhance the content.
8.3 Use PlainLanguage.gov’s Checklist for Plain Language and HHS’s Plain Writing Checklist as guidelines.
8.4 Ensure that all materials adhere to federal copyright laws including the citation of sources in endnotes or footnotes, obtaining written permission to reproduce, reprint, or adapt existing materials used in the creation of materials under this contract; and including credits for images, which include photographs, pictures, illustrations, tables, charts, figures, and graphs.
8.5 Ensure that all materials adhere to the Government Printing and Binding Regulations, including the prohibition on commercial advertising which says, “No Government publication or other Government printed matter, prepared, or produced with either appropriated or nonappropriated funds or identified with an activity of the Government, shall contain any advertisement inserted by or for any private individual, firm, or corporation; or contain material which implies in any manner that the Government endorses or favors any specific commercial product, commodity, or service.” -- (Title III--General Provisions, 13. Advertisements, Commercial.)
8.6 Ensure that all materials do not contain any non-federal logos (since logos are a form of institutional advertising); that materials do not contain contact information for non-federal organizations, except the website address for informational purposes; and that all materials do not contain any contact information for individuals.
8.7 Ensure that all materials do not contain the name of the contractor or subcontractors since this is also a form of advertising.
8.8 Ensure that all materials adhere to the prohibition against referring to lobbying in materials produced with appropriated funds. The prohibition against lobbying also includes grassroots lobbying, which is advocating for a change in legislation at the federal, state, or community level.
Task 9: HHS Policy for Information Technology Procurements - Security and Privacy Language
Procurements Requiring Information Security and/or Physical Access Security
- Baseline Security Requirements
- Applicability. The requirements herein apply whether the entire contract or modification (hereafter "contract"), or portion thereof, includes either or both of the following:
- Access (Physical or Logical) to Government Information: A Contractor (and/or any subcontractor) will have or will be given the ability to have, routine physical (entry) or logical (electronic) access to government information.
- Operate a Federal System Containing Information: A Contractor (and/or any subcontractor) will operate a federal system and information technology containing data that supports the HHS mission. In addition to the Federal Acquisition Regulation (FAR) Subpart 2.1 definition of "information technology" (IT), the term as used in this section includes computers, ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services (including support services), and related resources.
- Safeguarding Information and Information Systems. All government information and information systems must be protected in accordance with HHS/HRSA policies and level of risk. At a minimum, the Contractor (and/or any subcontractor) must:
- Protect the:
- Confidentiality, which means preserving authorized restrictions on access and disclosure, based on the security terms found in this contract, including means for protecting personal privacy and proprietary information.
- Integrity, which means guarding against improper information modification or destruction, and ensuring information non-repudiation and authenticity; and
- Availability, which means ensuring timely and reliable access to and use of information.
- Report any discovered or unanticipated threats or hazards by either the agency or contractor, or if existing safeguards have ceased to function immediately after discovery, within one (1) hour or less, to the government representative(s).
- Adopt and implement all applicable policies, procedures, controls, and standards required by the HHS/HRSA Information Security Program to ensure the confidentiality, integrity, and availability of government information and government information systems for which the Contractor is responsible under this contract or to which the Contractor may otherwise have access under this contract. Obtain all applicable security and privacy policies by contacting the CO/COR or HHS/HRSA security and/or privacy officials.
- Privacy Act. Comply with the Privacy Act requirements (when applicable), and tailor FAR and HHSAR clauses as needed.
- Privacy Compliance. Comply with the E-Government Act of 2002, NIST SP 800-53, and applicable HHS/OpDiv privacy policies, and complete all the requirements below:
- Per the Office of Management and Budget (OMB) Circular A-130, Personally Identifiable Information (PII), is "information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual." Examples of PII include, but are not limited to the following: Social Security number, date and place of birth, mother's maiden name, biometric records, etc.
- Controlled Unclassified Information (CUI). Executive Order 13556 defines CUI as "information that laws, regulations, or Government-wide policies require to have safeguarding or dissemination controls, excluding classified information." The Contractor (and/or any subcontractor) must comply with Executive Order 13556, Controlled Unclassified Information, (implemented at 3 CFR, part 2002) when handling CUI. 32 C.F.R. 2002.4(aa) As implemented the term "handling" refers to "…any use of CUI, including but not limited to marking, safeguarding, transporting, disseminating, re-using, and disposing of the information." 81 Fed. Reg. 63323. The requirements below apply only to nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components. All sensitive information that has been identified as CUI by a regulation or statute, handled by this solicitation/contract, must be:
- Marked appropriately.
- Disclosed to authorized personnel on a Need-To-Know basis.
- Protected in accordance with NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations applicable baseline if handled by a Contractor system operated on behalf of the agency, or NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations if handled by internal Contractor system; and
- Returned to HHS control, destroyed when no longer needed, or held until otherwise directed. Information and/or data must be disposed of in accordance with NIST SP 800-88, Guidelines for Media Sanitization.
- Protection of Sensitive Information. For security purposes, information is or may be sensitive because it requires security to protect its confidentiality, integrity, and/or availability. The Contractor (and/or any subcontractor) must protect all government information that is or may be sensitive by securing it with a solution that is validated with current FIPS 140 validation certificate from the NIST CMVP.
- Confidentiality and Nondisclosure of Information. Any information provided to the contractor (and/or any subcontractor) by HHS or collected by the contractor on behalf of HHS must be used only for the purpose of carrying out the provisions of this contract and must not be disclosed or made known in any manner to any persons except as may be necessary in the performance of the contract. The Contractor assumes responsibility for protection of the confidentiality of Government records and must ensure that all work performed by its employees and subcontractors must be under the supervision of the Contractor. Each Contractor employee or any of its subcontractors to whom any HHS records may be made available or disclosed must be notified in writing by the Contractor that information disclosed to such employee or subcontractor can be used only for that purpose and to the extent authorized herein.
The confidentiality, integrity, and availability of such information must be protected in accordance with HHS and HRSA policies. Unauthorized disclosure of information will be subject to the HHS/HRSA sanction policies and/or governed by the following laws and regulations:
- 18 U.S.C. 641 (Criminal Code: Public Money, Property or Records);
- 18 U.S.C. 1905 (Criminal Code: Disclosure of Confidential Information); and
- 44 U.S.C. Chapter 35, Subchapter I (Paperwork Reduction Act).
- Contract Documentation. The Contractor must use provided templates, policies, forms and other agency documents to comply with contract deliverables as appropriate. See Appendix A for baseline deliverables.
- Standard for Encryption. The Contractor (and/or any subcontractor) must:
- Comply with the HHS Standard for Encryption of Computing Devices and Information to prevent unauthorized access to government information.
- Encrypt all sensitive federal data and information (i.e., PII, protected health information [PHI], proprietary information, etc.) in transit (i.e., email, network connections, etc.) and at rest (i.e., servers, storage devices, mobile devices, backup media, etc.) with an encryption solution that is validated with a current FIPS 140 validation certificate from the NIST CMVP.
- Secure all devices (i.e., desktops, laptops, mobile devices, etc.) that store and process government information and ensure devices meet HHS and HRSA-specific encryption standard requirements. Maintain a complete and current inventory of all laptop computers, desktop computers, and other mobile devices and portable media that store or process sensitive government information (including PII).
- Verify that the encryption solutions in use have been validated under the Cryptographic Module Validation Program to confirm compliance with current FIPS 140 validation certificate from the NIST CMVP. The Contractor must provide a written copy of the validation documentation to the COR.
- Use the Key Management system on the HHS personal identification verification (PIV) card or establish and use a key recovery mechanism to ensure the ability for authorized personnel to encrypt/decrypt information and recover encryption keys (see http://csrc.nist.gov/publications/). Encryption keys must be provided to the COR upon request and at the conclusion of the contract.
- Incident Response
- The Contractor (and/or any subcontractor) must respond to all alerts/Indicators of Compromise (IOCs) provided by HHS Computer Security Incident Response Center (CSIRC)/HRSA Computer Security Incident Response Team (hrsacsirt@hrsa.gov) within 24 hours, whether the response is positive or negative. In accordance with FISMA and OMB M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information (PII), an incident is "an occurrence that (1) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or (2) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies" and a privacy breach is "the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where (1) a person other than an authorized user accesses or potentially accesses personally identifiable information or (2) an authorized user accesses or potentially accesses personally identifiable information for an other than authorized purpose." For additional information on the HHS breach response process, please see the HHS Policy and Plan for Preparing for and Responding to a Breach of Personally Identifiable Information (PII).
- In the event of a suspected or confirmed incident or breach, the Contractor (and/or any subcontractor) must:
- Protect all sensitive information, including any PII created, stored, or transmitted in the performance of this contract, with an encryption solution that is validated with a current FIPS 140 validation certificate from the NIST CMVP.
- NOT notify affected individuals unless so instructed by the Contracting Officer or designated representative. If so instructed by the Contracting Officer or representative, the Contractor must send HRSA approved notifications to affected individuals following specific instructions from the HHS Privacy Incident Response Team (PIRT).
- Report all suspected and confirmed information security and privacy incidents and breaches to the HRSA Computer Security Incident Response Team (hrsacsirt@hrsa.gov) or 301-443-3333, COR, CO, HRSA SOP (or his or her designee), and other stakeholders, including breaches involving PII, in any medium or form, including paper, oral, or electronic, as soon as possible and without unreasonable delay, no later than one (1) hour, and consistent with the applicable HRSA and HHS policy and procedures, NIST standards and guidelines, as well as US-CERT notification guidelines. The types of information required in an incident report must include at a minimum: company and point of contact information, contact information, impact classifications/threat vector, and the type of information compromised. In addition, the Contractor must:
- Cooperate and exchange any information, as determined by the Agency, necessary to effectively manage or mitigate a suspected or confirmed breach;
- Not include any sensitive information in the subject or body of any reporting e-mail; and
- Encrypt sensitive information in attachments to email, media, etc.
- Comply with OMB M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, and HHS and HRSA privacy breach response policies when handling PII breaches.
- Provide full access and cooperate on all activities as determined by the Government to ensure an effective incident response, including providing all requested images, log files, and event information to facilitate rapid resolution of sensitive information incidents. This may involve disconnecting the system processing, storing, or transmitting the sensitive information from the Internet or other networks or applying additional security controls. This may also involve physical access to contractor facilities during a breach/incident investigation.
- Contract Initiation and Expiration
- General Security Requirements. The Contractor (and/or any subcontractor) must comply with information security and privacy requirements, Enterprise Performance Life Cycle (EPLC) processes, and HHS Enterprise Architecture requirements to ensure information is appropriately protected from initiation to expiration of the contract. All information systems development or enhancement tasks supported by the contractor must follow the HHS EPLC framework and methodology, in accordance with the HHS Contract Closeout Guide (2012).
- System Documentation. Contractors (and/or any subcontractors) must follow and adhere to HHS System Development Life Cycle requirements, at a minimum, for system development and provide system documentation at designated intervals (specifically, at the expiration of the contract) within the EPLC that require artifact review and approval.
- Sanitization of Government Files and Information. As part of contract closeout and at expiration of the contract, the Contractor (and/or any subcontractor) must provide all required documentation, including HRSA Disposition Plan to the CO and/or COR to certify that, at the government's direction, all electronic and paper records are appropriately disposed of and all devices and media are sanitized in accordance with NIST SP 800-88, Guidelines for Media Sanitization.
- Notification. The Contractor (and/or any subcontractor) must notify the CO and/or COR and system ISSO within 14 days before an employee stops working under this contract.
- Contractor Responsibilities upon Physical Completion of the Contract. The contractor (and/or any subcontractors) must return all government information and IT resources (i.e., government information in non-government-owned systems, media, and backup systems) acquired during the term of this contract to the CO and/or COR. Additionally, the Contractor must provide a certification that all government information has been properly sanitized and purged from Contractor-owned systems, including backup systems and media used during contract performance, in accordance with HHS and/or HRSA policies.
Appendix A: Deliverables
| Policy Section | Deliverable Title/Description | Due Date |
|---|---|---|
| Incident Response | Incident Report (as incidents or breaches occur) | As soon as possible and without unreasonable delay and no later than 1 hour of discovery |
| Incident Response | Incident and Breach Response Plan | Upon request from government |
| Incident Response | Incident reports (as needed); Incident Response Plan | Incident Reports – must respond to all alerts/Indicators of Compromise (IOCs) provided by HHS Computer Security Incident Response Center (CSIRC)/HRSA Computer Security Incident Response Team (hrsacsirt@hrsa.gov) within 24 hours. Report all suspected and confirmed information security and privacy incidents and breaches to the HRSA Computer Security Incident Response Team as soon as possible and without unreasonable delay, no later than one (1) hour. Incident Response Plan – Upon request from government |
OPTIONAL TASKS FOR ALL CONTRACT PERIODS:
Optional Task 1 (may be exercised once during each contract year):
The Contractor Shall:
- Create draft content in Microsoft Word for an app or mobile optimization plan for the English NBSIC website to enable easy, mobile access, and submit it to the COR five (5) months after the task is exercised. Electronically submit the final content to the COR in Microsoft Word within one (1) month upon receipt of comments from COR. The actual app will be created by HRSA’s Office of Communications, not the contractor.
Optional Task 2 (may be exercised once during each contract year):
The Contractor Shall:
- Create draft content in Microsoft Word for an app or mobile optimization plan for the Spanish NBSIC website to enable easy, mobile access, and submit it to the COR five (5) months after the task is exercised. Electronically submit the final content to the COR in Microsoft Word within one (1) month upon receipt of comments from COR. The actual app will be created by HRSA’s Office of Communications, not the contractor.
Optional Task 3 (may be exercised once during each contract year):
The Contractor Shall:
- Develop a draft plan in Microsoft Word, with text and corresponding pictures, for using social media to disseminate information from the NBSIC website, and submit it to the COR one (1) month after the task is exercised. Electronically submit the final plan, in Microsoft Word with pictures, to the COR within two (2) weeks upon receipt of comments from COR. The social media content shall be disseminated through an HRSA media account. No new accounts shall be created.
Optional Task 4 (may be exercised up to five times during each contract year):
The Contractor Shall:
- Provide a one-page information brief on a NBS topic. The one-page information brief may include information for a NBS topic for parents and caregivers of an infant/child who has a positive screen. Condition information could include information on a NBS test, follow up needed to establish a diagnosis, clinical history, management, treatment and services needed by the family. Information shall be created for medically underserved populations. Medically underserved populations are populations that have too few primary care providers, high infant mortality, high poverty or a high elderly population (https://bhw.hrsa.gov/shortage-designation/muap). Materials shall be written in plain language and in a culturally and linguistically appropriate manner.
- The draft brief shall be submitted 35 business days after the task is exercised to the COR.
- The final 508 compliant brief in a PDF document shall be submitted to the COR within ten (10) business days after receipt of comments from COR.
Optional Task 5 (may be exercised once during each contract year):
The Contractor Shall:
- Convene a one-day in-person meeting to bring national NBS experts to review and assess the content of the NBSIC websites and provide updates on the latest emerging research, implementation of NBS conditions by states, technological developments, and other topics as identified by the Advisory Committee on Heritable Disorders in Newborns and Children. The results of this meeting will be utilized to improve and enhance the NBSIC websites. There will be 15 participants for each meeting. All logistics for the meeting (travel, hotel rooms, registration, meeting materials, etc.) will be handled by the contractor. The meeting space will be at HRSA headquarters.
- Provide a ten-page summary of the meeting, including future action items needed for NBSIC websites, to the COR two (2) weeks after the meeting.
Optional Task 6 (may be exercised up to five times during each contract year):
The Contractor Shall:
- Provide a 15-page report on a NBS topic. The report will include information on a NBS topic. Information shall be created for medically underserved populations. Medically underserved populations are populations that have too few primary care providers, high infant mortality, high poverty or a high elderly population (https://bhw.hrsa.gov/shortage-designation/muap). Materials shall be written in plain language and in a culturally and linguistically appropriate manner.
- The draft report shall be submitted to the COR sixty (60) business days after the task is exercised.
- The final 508 compliant report in a PDF document shall be submitted to the COR within ten (10) business days after receipt of comments from COR.
V. SCHEDULE OF DELIVERABLES
Section 508 requires that all external public facing content and non-public facing official agency communications be accessible. Regardless of format, all digital content or communications materials produced as deliverables under this contract must conform to applicable Section 508 standards to allow federal employees and members of the public with disabilities to access information that is comparable to information provided to persons without disabilities.
The contractor shall complete and submit the applicable HHS Section 508 Accessibility Compliance Checklist per Section 508 deliverable. The checklist will serve as an artifact declaration of the Section 508 deliverable's compliance. Remediation of any Section 508 deliverables that do not comply with the applicable requirements as set forth below shall be the contractor's responsibility.
HHS guidance and checklists regarding accessibility of documents can be found at https://www.hhs.gov/web/section-508/accessibility-checklists/index.html.
| Item # | Task # / Description | Qty / format | Due Date |
|---|---|---|---|
| 1 | Task 1.3: Provide Records Management training completion certificates | Completion certificates | Within 30 days after contract award and upon new staff onboarding and thereafter completing the annual refresher course during the life of the contract. |
| 2 | Task 2.2: Kickoff meeting agenda | One (1); electronic | Five (5) business days of EDOC |
| 3 | Task 2.3: Kickoff meeting minutes | One (1); electronic | Three (3) business days after the meeting |
| 4 | Task 2.4: Final Kickoff meeting minutes | One (1); electronic | Two (2) business days after receipt of comments from the COR. |
| 5 | Task 3.1b: Routine agenda for monthly meetings | Twelve (12) monthly; Outlook | Three (3) business days before each meeting. |
| 6 | Task 3.1c: Routine monthly meetings minutes | Twelve (12) monthly; electronic. | Two (2) business days after each meeting |
| 7 | Task 3.1b: Routine agenda for quarterly meetings | Four (4); Outlook | Three (3) business days before each meeting. |
| 8 | Task 3.2c: Quarterly meeting report with follow-up action items | Four (4); electronic | Two (2) business days after each meeting |
| 9 | Task 3.3: Quarterly progress report | Four (4); electronic | Five (5) business days after the end of each quarter |
| 10 | Task 4.1: Revised work plan (Base year) | One (1); electronic | Twenty (20) business days after the kickoff meeting |
| 11 | Task 4.2: Revised work plan (option period 1-4) | One (1) annually; electronic | Annual update within one-month after the start of each exercised option period. |
| 12 | Task 4.3: Final completion of work from the technical work plan | One (1) electronic | Within five days before the end of each period of performance |
| 13 | Task 5.15: Graphic designs, including digital assets for use in print materials, HRSA’s webpages, social media channel, | Five (5) electronic | Within six (6) months of each contract year. |
| 14 | Task 6.1: English Content for Quarterly Updates | Four (4) quarterly; electronic | December 1, March 1, June 1, September 1 of each contract year |
| 15 | Task 6.1: Spanish Content for Quarterly Updates | Four (4) quarterly; electronic | December 1, March 1, June 1, September 1 of each contract year |
| 16 | Task 7.1a: Draft promotion workplan (Base year) | One (1); electronic | Within nine (9) months of EDOC |
| 17 | Task 7.1b: Final promotion workplan (Base year) | One (1); electronic | Within one (1) week receipt of comments from COR. |
| 18 | Task 7.1c: Updated draft promotion workplan (Base year) | One (1); electronic | Within one-month after the start of each exercised option period. |
| 19 | Task 7.1d: Updated final promotion workplan (Option period 1-4) | One (1); electronic | Within one (1) week receipt of comments from COR. |
| 20 | Optional Task 1: Draft content for English NBSIC website | One (1); electronic | Within five (5) months after the task is exercised |
| 21 | Optional Task 1: Final content for English NBSIC website | One (1); electronic | Within one (1) month upon receipt of comments from COR |
| 22 | Optional Task 2: Draft content for Spanish NBSIC website | One (1); electronic | Within five (5) months after the task is exercised |
| 23 | Optional Task 2: Final content for Spanish NBSIC website | One (1); electronic | Within one (1) month upon receipt of comments from COR |
| 24 | Optional Task 3: Draft plan with text and corresponding pictures | One (1); electronic | Within one (1) month after the task is exercised |
| 25 | Optional Task 3: Final plan with text and corresponding pictures | One (1); electronic | Within two (2) weeks upon receipt of comments from COR. |
| 26 | Optional Task 4: Draft information brief | One (1); electronic | Within 35 business days after the task is exercised |
| 27 | Optional Task 4: Final information brief | One (1); electronic | Within ten (10) business days upon receipt of comments from COR. |
| 28 | Optional Task 5: Summary of the meeting | One (1); electronic | Within two (2) weeks after the meeting |
| 29 | Optional Task 6: Draft report | One (1); electronic | Within sixty (60) business days after the task is exercised |
| 30 | Optional Task 6: Final report | One (1); electronic | Within ten (10) business days after receipt of comments from COR. |
VI. PAYMENT SCHEDULE
| Description | Payment Percentage |
|---|---|
| Revised technical work plan (Task 4) | 25% of Contract award |
| Final completion of work from the technical work plan (Task 4) | 10% of Contract award |
| Content for Quarterly update due by December 1st (Task 6) | 20% of Contract award |
| Content for Quarterly update March 1st (Task 6) | 15% of Contract award |
| Content for Quarterly update June 1st (Task 6) | 15% of Contract award |
| Content for Quarterly update September 1st (Task 6) | 15% of Contract award |
| Total: | 100% |
BASE YEAR OPTIONAL TASKS
| Description | Payment Percentage |
|---|---|
| Optional Task 1 – Draft | TBD |
| Optional Task 1 – Final | TBD |
| Optional Task 2 – Draft | TBD |
| Optional Task 2 – Final | TBD |
| Optional Task 3 – Draft | TBD |
| Optional Task 3 – Final | TBD |
| Optional Task 4 – Draft | TBD |
| Optional Task 5 – Summary | TBD |
| Optional Task 6 – Draft | TBD |
| Optional Task 6 – Final | TBD |
OPTIONAL PERIOD 1 – Optional Tasks
| Description | Payment Percentage |
|---|---|
| Optional Task 1 – Draft | TBD |
| Optional Task 1 – Final | TBD |
| Optional Task 2 – Draft | TBD |
| Optional Task 2 – Final | TBD |
| Optional Task 3 – Draft | TBD |
| Optional Task 3 – Final | TBD |
| Optional Task 4 – Draft | TBD |
| Optional Task 5 – Summary | TBD |
| Optional Task 6 – Draft | TBD |
| Optional Task 6 – Final | TBD |
OPTIONAL PERIOD 2 – Optional Tasks
| Description | Payment Percentage |
|---|---|
| Optional Task 1 – Draft | TBD |
| Optional Task 1 – Final | TBD |
| Optional Task 2 – Draft | TBD |
| Optional Task 2 – Final | TBD |
| Optional Task 3 – Draft | TBD |
| Optional Task 3 – Final | TBD |
| Optional Task 4 – Draft | TBD |
| Optional Task 5 – Summary | TBD |
| Optional Task 6 – Draft | TBD |
| Optional Task 6 – Final | TBD |
OPTIONAL PERIOD 3 – Optional Tasks
| Description | Payment Percentage |
|---|---|
| Optional Task 1 – Draft | TBD |
| Optional Task 1 – Final | TBD |
| Optional Task 2 – Draft | TBD |
| Optional Task 2 – Final | TBD |
| Optional Task 3 – Draft | TBD |
| Optional Task 3 – Final | TBD |
| Optional Task 4 – Draft | TBD |
| Optional Task 5 – Summary | TBD |
| Optional Task 6 – Draft | TBD |
| Optional Task 6 – Final | TBD |
OPTIONAL PERIOD 4 – Optional Tasks
| Description | Payment Percentage |
|---|---|
| Optional Task 1 – Draft | TBD |
| Optional Task 1 – Final | TBD |
| Optional Task 2 – Draft | TBD |
| Optional Task 2 – Final | TBD |
| Optional Task 3 – Draft | TBD |
| Optional Task 3 – Final | TBD |
| Optional Task 4 – Draft | TBD |
| Optional Task 5 – Summary | TBD |
| Optional Task 6 – Draft | TBD |
| Optional Task 6 – Final | TBD |