Department of Veterans Affairs, Harry S Truman VA Medical Center
Stenography and Transcription Services
Statement of Work

Software: A Computer Aided Transcription Machine (CAT) to provide court reporting services for an Administrative Board of Investigation (ABI) tentatively, Equal Employment Opportunity Hearings, and Oral Replies. Services provided to Harry S. Truman Memorial Veterans Hospital, room location to be determined, 800 Hospital Drive, Columbia, Missouri 65201.

Qualification requirement: State Certified Court Reporter.

Purpose: This service is being requested to provide confidential court reporting services for Administrative Board of Investigations (ABI), Equal Employment Opportunity Hearings, and Oral Replies. Services provided to Harry S. Truman Memorial Veterans Hospital 800 Hospital Drive, Columbia, Missouri 65201.

Scope of Work: Contractor shall furnish the necessary personnel, materials, and services, including all things necessary for and incidental to the verbatim reporting and transcription of proceedings conducted by or pursuant to orders of the Chairperson, ABI. Reporting shall be by Computer Aided Transcription machine (CAT). The Contractor shall utilize a backup system. If testimony must be retaken because of mechanical breakdown of the Computer Aided Transcription machine (CAT), transcribing, or stenographic equipment, or as a result of negligence by the Contractor or any subcontractor, the Contractor shall provide the services necessary to retake the testimony, at no additional charge to the Department of Veterans Affairs or to any party to the litigation.

The Contractor agrees the assigned reporter shall perform all work in a professional business manner and according to the best standards of the reporting profession. The Contractor, at all times, shall promptly provide competent state certified reporters and stenographers at the requested time, date, and place designated.
The Contractor will provide stated staff and equipment as many times as necessary for the prompt recording of proceedings. The Contractor shall provide satisfactory transcripts which shall conform to the requirements of this contract. To the maximum extent practical, when requested by the Chairperson, ABI, the Contractor shall assign the same reporter to a proceeding lasting more than one (1) day or, in the case of a lengthy proceeding, the same group of reporters.

The Contractor agrees the assigned reporter(s) shall:

Present themselves to the presiding official at designated location at least fifteen (15) minutes prior to the requested time of the designated hearings, or in no case later than the time required to set up all required equipment and be able to begin verbatim reporting at the designated time; or, in the case of a telephonic investigation shall make telephone contact to the presiding official at least fifteen (15) minutes prior to the start time;
At all times be governed by the instructions of the presiding official in matters affecting the composition of the record, adjournment to other times or places, the hours of hearing, etc.
Report everything spoken while a hearing is in session unless the presiding official directs an off-the-record discussion.
Do not omit from the record any part of a proceeding for which notes have been taken as required unless the presiding official so directs.
Mark and number or letter exhibits and arrange them in numerical or alphabetical order if directed to do so by the presiding official.

Each reporter is fully aware of the assigned work situation, including the occasional need for extending a hearing session beyond the normal workday. Each reporter is aware of the additional compensation available to them when such services are required and used.

The Contractor shall furnish complete transcripts, which accurately reflect the full and complete verbatim record of the proceedings.
When the presiding official determines that there are errors in the transcript, they may require the Contractor to correct the errors and furnish the corrected transcript within five (5) calendar days after receipt of notification and without additional cost to the Government for the same, regardless of the delivery time the original order specified.

The Contractor shall furnish transcripts, which are legible. In the event the presiding official finds one or more copies of transcripts to be illegible, including copies sold to parties to the proceedings or the public, the Contractor shall correct and replace the same with acceptable copies within one (1) business day after receipt of notification from the presiding official and without additional cost for such replacement.

Format Requirements

Transcripts shall be prepared on 8 1/2" x 11" paper. In the original and each copy of the transcript, the title page showing name, place and date of proceeding, appearances, location, etc., shall be preceded by a page or pages of distinctive color, indexing the witnesses and exhibits to the testimony. Each transcript shall include one complete cumulative index of witnesses and exhibits. The index shall indicate the page devoted to the testimony of each witness and shall identify the exhibits by number or letter (as marked) and show which party introduced each exhibit; give a brief description of the nature of the exhibit; and state the page on which the exhibit was marked for identification and the page on which the exhibit was admitted into evidence or rejected or withdrawn.

Typing shall be nine (9) characters to the inch, double-spaced, and with twenty-four (24) lines per page. Whenever testimony is continuous requiring more than one line, the typing shall begin as close as possible to the left ruled margin line, with words to be hyphenated properly when necessary.
Numbers indicating each line of transcript on each page, i.e., 1 to 24, inclusive, shall be printed at the left margin line of the original transcript. Pagination of the transcript shall be in a single series of consecutive numbers regardless of the number of days of the proceeding. Pagination of the transcript of a continuation of the proceeding shall follow consecutively the paging of the previous session in the same proceeding unless otherwise directed by the presiding official. Page numbers are to be placed at the bottom center of each page.

The transcripts for the ABI will be sent to the Chairperson, ABI. A CDROM of the transcript will also be sent to the Chairperson, ABI, when the ABI is complete. If hard copies of the transcripts are required, then they will be prepared as stated above.

Type of Proceeding

All proceedings shall be designated as confidential. The Contractor or any subcontractor shall hold inviolate and in the strictest confidence any and all information which they may gain in the performance of duties under this contract. The Contractor or any subcontractor shall not divulge, sell, or distribute, any information gained at a confidential proceeding unless in writing by the presiding official.

Oaths and Notary Services

The Reporter shall be competent to administer oaths. Depositions shall be transcribed by a duly authorized notary. No separate fee is to be charged for notary services, administering oath, or affixing seal.

Conflict of Interest

A conflict of interest is defined as the existence of financial or other relationship between the Contractor, including any of their employees, agents, subcontractors, or representatives, and a party to or an attorney involved in a proceeding to be transcribed under this contract.
The Contractor shall promptly notify the presiding official whenever there is a potential or actual conflict of interest between the Contractor including any of their employees, agents, subcontractors, or representatives, and such party or attorney. If a potential or actual conflict of interest is reported by the Contractor, the Contracting Officer reserves the right to have the transcript of that proceeding produced by another court reporter at no cost to the Contractor, notwithstanding any other provision of this contract. Should a new proceeding be required because a conflict of interest exists which the Contractor failed to bring to the attention of the presiding official, the Contractor shall bear the full cost of the new proceeding.

Delivery Schedule/Third Party Copy

An original and three copies of all transcripts ordered shall be delivered to the Chairperson, ABI. Mailing information will be provided at the hearing, with postage or other transportation charges fully prepaid by the Contractor as follows: Whenever a hearing or deposition is continued, recessed, or adjourned for a period of five (5) or more calendar days, that portion of the transcript of the hearing held prior to such continuance, recess, or adjournment shall be considered a complete hearing for the purpose of computing time for delivery of the transcript.

Requests for services will be made in writing by the Contracting Officer Representative (COR) or Contracting Officer Representative (COR) designated staff member. The Contractor will determine within 24 hours during normal Federal business operation hours from the time the request for services was made, whether a reporter will be available. If this determination is not received, the Department of Veterans Affairs (VA) reserves the right to obtain the service from another source and to charge the Contractor with any excess cost which may result therefrom.
The Department of Veterans Affairs will be the sole judge in determining when to order service from another source.

Regardless of whether the delivery ordered is regular or accelerated copies, if the contractor fails to deliver the transcript to the Government within the applicable period prescribed, a reduction in price will be made as liquidated damages. The amount to be paid for the transcript will be reduced by two percent (2%) of the price for the transcript, computed at the rates set forth in this contract, for each Government business day or fraction thereof that delivery is delayed beyond the time limit prescribed depending on which has been ordered by the presiding official, up to a total of fifty percent (50%) of the transcript price. Computation of price reductions shall commence on the day following the date on which transcripts were to be delivered to the Chief, Human Resources Management. Failure to furnish a reporting service or delinquency in the delivery of a transcript is a default and subjects the Contractor to the default provision of this agreement.

Guaranteed Minimum

The Contractor shall be paid a minimum of $100.00 per day for attending proceedings. This minimum fee will not be paid when transcripts ordered at the contract rates herein equal or exceed the above figure. In the event the Agency elects to dispense with the furnishing by the Contractor of transcripts of proceedings, the Government shall pay the $100.00 daily minimum for such day, or fraction thereof, of such proceedings. The guaranteed minimum of $100.00 will also apply, if after presenting themselves to the presiding official, or other person in charge, at the time and place of a scheduled proceeding, a notice is given to the reporter that the proceedings have been canceled or postponed to a subsequent date.
Special Contract Requirements

Under the authority of Public Law 104-262 and 38 USC 8153, the Contractor agrees to provide Health Care Resources in accordance with the terms and conditions stated herein, to furnish to and at the Department of Veterans Affairs (VA) Medical Facility, the services and prices specified in the Section entitled Schedule of Supplies/Services of this contract.

Services

The services specified in the sections entitled Schedule of Supplies/Services and Special Contract Requirements may be changed by written modification to this contract. The VA Contracting Officer will prepare the modification. Other necessary personnel for the operation of the services contracted for at the Department of Veterans Affairs (VA) Medical Facility will be provided by the Department of Veterans Affairs (VA) at levels mutually agreed upon which are compatible with the safety of the patient and personnel and with quality medical care programming. The services to be performed by the contractor will be performed in accordance with the Department of Veterans Affairs (VA) policies and procedures and the regulations of the medical staff bylaws of the Department of Veterans Affairs (VA) Medical Facility. There is no employer-employee relationship between the Department of Veterans Affairs (VA) and the contractor or the Contractor's employee(s).

Qualifications

Personnel assigned by the Contractor to perform the services covered by this contract shall have a full and unrestricted license in a State, Territory, or Commonwealth of the United States or the District of Columbia.

Personnel Policy

The Contractor shall be responsible for protecting the personnel furnishing services under this contract. To carry out this responsibility, the contractor shall provide the following for these personnel:

Workers Compensation
Professional Liability Insurance
Income tax withholdings
Social security payments.
Health examinations as stated below.
Annual TB Skin Test and recent (within the last year) chest X-ray if there is a history of positive TB skin test.
Evidence of Hepatitis B immunity (hepatitis immune titer, if provider has had the series of shots; if no immunity, evidence that provider has started the Hepatitis B vaccination series).
Evidence of a Hepatitis C titer.
Varicella titer if provider has not had chicken pox.

The parties agree that the Contractor, its employees, agents, and subcontractors shall not be considered Department of Veterans Affairs (VA) employees for any purpose.

Record Keeping

The Department of Veterans Affairs (VA) shall establish and maintain a record keeping system that will record the hours worked by the Contractor's employee(s). Department of Veterans Affairs (VA) staff shall contact the Contracting Officer Representative (COR) when services are needed by email 30-60 days in advance. Service Request shall have the following information.

Date and time of when the service is required.
Location of requested service.
Type of service requested.
Chairperson's name and title.
Chairperson's contact information.
Any other pertinent information that would be required for the request of service.
Emergent request for service email notification shall include attached emergent documentation of why the request is emergent.

Contractor's employee(s) shall report to the Contracting Officer Representative (COR) or Contracting Officer Representative (COR) designated staff member upon arrival to and departure from the Department of Veterans Affairs (VA) Medical Center or designated location. Monitoring of Contractor's time shall be demonstrated through a sign-in/sign-out sheet. The sign-in/sign-out sheet shall be sent by email to the Contracting Officer Representative (COR) if the location is not at the Medical Facility.
After contract award, any incidents of Contractor noncompliance as evidenced by the monitoring procedures shall be forwarded by email immediately to the Contracting Officer and Contracting Officer Representative.

The Contractor shall provide to the Contracting Officer (CO) and the Contracting Officer Representative (COR) a copy of all training certificates and certification of signing the Contractor Rules of Behavior for each applicable employee within 1 week of the initiation of the contract and annually thereafter, as required. The Contractor will be responsible to ensure that Contractor employees coming to the work site will receive the information required and confirm this through email to the Contracting Officer Representative (COR).

Fire and Safety
Infection Control
Disaster Procedures

Key Personnel and Temporary Emergency Substitutions

The Contractor shall assign to this contract the following key personnel: State Certified Court Reporter.

During the first ninety (90) days of performance, the Contractor shall make NO substitutions of key personnel unless the substitution is necessitated by illness, death, or termination of employment. The Contractor shall notify the Contracting Officer and the Contracting Officer Representative (COR) in writing, within fifteen (15) calendar days of any of these events and provide the information required below.

The Contractor shall provide a detailed explanation of the circumstances necessitating the proposed substitutions, complete resumes for the proposed substitutes, training certificates, and any additional information requested by the Contracting Officer (CO) or Contracting Officer Representative (COR). Proposed substitutes shall have comparable qualifications to those of the persons being replaced. The Contracting Officer will notify the Contractor within 15 calendar days after receipt of all required information of the decision on the proposed substitutes.
The contract will be modified to reflect any approved changes of key personnel.

For temporary substitutions where the key person will not be reporting to work for three (3) consecutive workdays or more, the Contractor will provide a qualified replacement for the key person. This substitute shall have comparable qualifications to the key person. Any period exceeding two weeks will require the procedure stated above.

After the initial 90-day period of the contract, the Contractor shall submit the information required to the Contracting Officer and Contracting Officer Representative (COR) at least fifteen (15) days prior to making any permanent substitutions.

HHS/OIG

To ensure that the individuals providing services under the contract have not engaged in fraud or abuse regarding Sections 1128 and 1128A of the Social Security Act regarding Federal Healthcare Programs, the Contractor is required to check the Health and Human Services - Office of Inspector General (HHS/OIG), List of Excluded Individuals/Entities on the OIG Website (www.hhs.gov) for each person providing services under this contract. Furthermore, the Contractor is required to certify in its proposal that all persons listed in the Contractor's proposal have been compared against the OIG list and are NOT listed. During the performance of this contract the Contractor is prohibited from using any individual or business listed on the List of Excluded Individuals/Entities.

Confidentiality of Patient Records

When Department of Veterans Affairs (VA) is providing services involving patient records to Non-Federal entities, the records maintained by the Department of Veterans Affairs (VA) in providing those services are subject to the Privacy Act, FOIA, and other Department of Veterans Affairs (VA) specific laws regarding the confidentiality of patient records.
The party to whom the Department of Veterans Affairs (VA) is providing the services will want to review those records in order to ensure that Department of Veterans Affairs (VA) is providing quality care in accordance with the contract. In order for the Department of Veterans Affairs (VA) to be able to release those records the following language applies:

The Sharing Partner is a Department of Veterans Affairs (VA) Contractor and will assist in the provision of healthcare to patients seeking such care from or through the Department of Veterans Affairs (VA). As such, the Sharing Partner is considered as being part of the healthcare activity. The Sharing Partner is considered to be a Department of Veterans Affairs (VA) Contractor for purposes of the Privacy Act, Title 5 U.S.C. 552a. Further, for the purpose of the Department of Veterans Affairs (VA) records access and patient confidentiality, the Sharing Partner is considered to be a Department of Veterans Affairs (VA) Contractor for the following provisions: Title 38 U.S.C. 5701, 5705, and 7362.

Therefore, the Sharing Partner may have access, as would other appropriate components of the Department of Veterans Affairs (VA), to patient medical records including patient treatment records pertaining to drug and alcohol abuse, HIV, and sickle cell anemia, to the extent necessary to perform its contractual responsibilities. However, like other components of the Department, and notwithstanding any other provisions of the sharing agreement, the Sharing Partner is restricted from making disclosures of the Department of Veterans Affairs (VA) records, or information contained in such records, to which it may have access, except to the extent that explicit disclosure authority from the Department of Veterans Affairs (VA) has been received. The Sharing Partner is subject to the same penalties and liabilities for unauthorized disclosures of such records as the Department of Veterans Affairs (VA).
The records referred to above shall be and remain the property of the Department of Veterans Affairs (VA) and shall not be removed or transferred from Department of Veterans Affairs (VA) except in accordance with U.S.C. 551a (Privacy Act), 38 U.S.C. 5701 (Confidentiality of claimants records), 5 U.S.C. 552 (FOIA), 38 U.S.C. 5705 (Confidentiality of Medical Quality Assurance Records), 38 U.S.C. 7332 (Confidentiality of certain medical records) and federal laws, rules and regulations. Subject to applicable federal confidentiality or privacy laws, the Sharing Partner, or their designated representatives, and designated representatives of Federal Regulatory Agencies having jurisdiction over the Sharing Partner, may have access to the Department of Veterans Affairs (VA) records, at the Department of Veterans Affairs (VA) place of business on request during normal business hours, to inspect, review and make copies of such records.

Joint Commission on Accreditation of HealthCare Organizations (Non-Clinical)

Contractor will attend a pre-work orientation meeting prior to the commencement of work on site. The Department of Veterans Affairs (VA) will schedule this meeting and it will include discussion of the following topics (Department of Veterans Affairs (VA) will provide information to the contractor regarding these topics and will document the meeting):

Fire and Safety
Infection Control
Disaster Procedures

The Contractor will be responsible to ensure that Contractor employees coming to the work site will receive the information required above. The Contractor will be responsible to ensure Contractor employees providing work on this contract are fully trained and completely competent to perform the required work.

Contract Administration

All contract administration functions will be retained by the Department of Veterans Affairs (VA).
The Contractor shall communicate with the Contracting Officer and the Contracting Officer Representative (COR) on all matters pertaining to contract administration. Only the Contracting Officer will be authorized to make commitments or issue changes that affect price, quantity, or quality of performance of this contract. In the event the Contractor effects any such change at the direction of any person other than the Contracting Officer, the change shall be considered unauthorized, and no adjustment will be made in the contract price to cover any increase in costs incurred as a result thereof.

Contracting Officer's Representative (COR)

Pursuant to VAAR Provision 852.270-1, Representatives of Contracting Officer, the designated representative for this contract will be determined at award.

Acronyms and Definitions

CDR: Contract Discrepancy Report. Report issued by the Government to the contractor to document a supply or service found to be unacceptable during contract performance.
CLIN: Contract Line-Item Number. Unit of work (or service) to be performed (or delivered) by the contractor as a pay item.
CO: Contracting Officer. A person with the authority to enter into, administer, and/or terminate contracts and make related determinations and findings.
COR: Contracting Officer's Representative. An individual, including a Contracting Officer's Representative (COR), designated and authorized in writing by the contracting officer to perform specific technical or administrative functions.
QA: Quality Assurance. Actions taken by the government to assure contracted services meet PWS requirements.

Non-Personal Services

This is a Non-Personal Services Contract. Personnel rendering services under this contract are not subject either by the contract's terms or by the manner of its administration, to the supervision and control usually prevailing in relationships between the government and its employees.
The Government shall not exercise any supervision or control over the contract services performing services herein. Such contract services shall be accountable solely to the Contractor who, in turn, is responsible to the Government.

Contractor Compliance with the Immigration and Nationality Act of 1952

The Contractor shall comply with any and all legal provisions contained in the Immigration and Nationality Act of 1952, As Amended; its related laws and regulations that are enforced by Homeland Security, Immigration and Customs Enforcement and the U.S. Department of Labor as these may relate to non-immigrant foreign nationals working under contract or subcontract for the Contractor while providing services to Department of Veterans Affairs (VA) patient referrals.

Hours of Operations

Business hours for the VAMC follow:

Administrative hours: Monday through Friday, 8:00 a.m. - 4:30 p.m. during regular Federal business working days unless noted below.
National Holidays: Holidays observed by the Federal Government are: New Year's Day. Martin Luther King's Birthday. Presidents Day. Memorial Day. Juneteenth. Independence Day. Labor Day. Columbus Day. Veterans Day. Thanksgiving. Christmas. Any other day specifically declared by the President of the United States to be a national holiday.
Off-Duty hours: Monday through Friday, 4:30 p.m. - 8:00 a.m.; this includes being closed on Saturday and Sunday.

Quality Control

Contract Performance Monitoring: The Contracting Officer's Representative (COR) may perform surveillance of services by any of the methods listed below:

Observing actual performance.
Inspecting the services to determine whether the performance meets the performance standards.
Review of any other appropriate records.

When unacceptable performance occurs, the Contracting Officer's Representative (COR) shall inform the Contracting Officer. This will normally be in writing unless circumstances necessitate verbal communication.
In any case the Contracting Officer's Representative (COR) shall document the discussion and place it in the file.

Pursuant to VAAR Provision 852.270-1, Representatives of Contracting Officer representative(s); The Government shall periodically evaluate the Contractor performance by appointing a Contracting Officer's Representative (COR) to monitor performance to ensure services are received. The Government representative(s) shall evaluate the Contractor performance through inspections of observations, inspection of services or any other form of documentation and all complaints from Department of Veterans Affairs (VA) personnel. The Government may inspect as each task is completed or increase the number of quality assurance inspections if deemed appropriate because of repeated failures or because of repeated customer complaints. Likewise, the Government may decrease the number of quality assurance inspections if performance dictates. The Government Contracting Officer shall make final determination of the validity of customer complaint(s).

If any of the services do not conform to contract requirements, the Government may require the Contractor to perform the services again in conformity with contract requirements, at no increase in contract amount. When the defects in services cannot be corrected by re-performance, the Government may require the Contractor to take necessary action to ensure that future performance conforms to contract requirements at no additional cost to the Government.

Contract Security

Records Management Statement

Prior to termination or completion of this contract, the Contractor, including any of their employees, agents, subcontractors, or representatives, must not destroy information received from the Department of Veterans Affairs (VA), or gathered/created by the contractor in the course of performing this contract without prior written approval by the Department of Veterans Affairs (VA).
Any data destruction done on behalf of the Department of Veterans Affairs (VA) by a Contractor, including any of their employees, agents, subcontractors, or representatives must be done in accordance with National Archives and Records Administration (NARA) requirements as outlined in Department of Veterans Affairs (VA) Directive 6300, Records and Information Management and its Handbook 6300.1 Records Management Procedures, applicable VA Records Control Schedules, and VA Handbook 6500.1, Electronic Media Sanitization. Self-certification by the contractor that the data destruction requirements above have been met must be sent to the Department of Veterans Affairs (VA) Contracting Officer within 30 days of termination of the contract.

Access to Department of Veterans Affairs (VA) and Department of Veterans Affairs (VA) Information Systems

A contractor/subcontractor shall request logical (technical) or physical access to Department of Veterans Affairs (VA) information and information systems for their employees, subcontractors, and affiliates only to the extent necessary to perform the services specified in the contract, agreement, or task order.

All contractors, subcontractors, and third-party servicers and associates working with Department of Veterans Affairs (VA) information are subject to the same investigative requirements as those of Department of Veterans Affairs (VA) appointees or employees who have access to the same types of information. The level and process of background security investigations for contractors must be in accordance with VA Directive and Handbook 0710, Personnel Suitability and Security Program. The Office for Operations, Security, and Preparedness is responsible for these policies and procedures.

Contract personnel who require access to national security programs must have a valid security clearance. National Industrial Security Program (NISP) was established by Executive Order 12829 to ensure that cleared U.S.
defense industry contract personnel safeguard the classified information in their possession while performing work on contracts, programs, bids, or research and development efforts. The Department of Veterans Affairs (VA) does not have a Memorandum of Agreement with Defense Security Service (DSS). Verification of a Security Clearance must be processed through the Special Security Officer located in the Planning and National Security Service within the Office of Operations, Security, and Preparedness.

Custom software development and outsourced operations must be located in the U.S. to the maximum extent practical. If such services are proposed to be performed abroad and are not disallowed by other Department of Veterans Affairs (VA) policy or mandates, the contractor/subcontractor must state where all non-U.S. services are provided and detail a security plan, deemed to be acceptable by the Department of Veterans Affairs (VA), specifically to address mitigation of the resulting problems of communication, control, data protection, and so forth. Location within the U.S. may be an evaluation factor.

The contractor or subcontractor must notify the Contracting Officer immediately when an employee working on a Department of Veterans Affairs (VA) system or with access to Department of Veterans Affairs (VA) information is reassigned or leaves the contractor or subcontractor's employ. The Contracting Officer must also be notified immediately by the contractor or subcontractor prior to an unfriendly termination.

Department of Veterans Affairs (VA) Information Custodial Language

Information made available to the contractor or subcontractor by Department of Veterans Affairs (VA) for the performance or administration of this contract or information developed by the contractor/subcontractor in performance or administration of the contract shall be used only for those purposes and shall not be used in any other way without the prior written agreement of the VA.
This clause expressly limits the contractor/subcontractor's rights to use data as described in Rights in Data - General, FAR 52.227-14(d)(1).

Department of Veterans Affairs (VA) information should not be co-mingled, if possible, with any other data on the contractor's/subcontractor's information systems or media storage systems in order to ensure Department of Veterans Affairs (VA) requirements related to data protection and media sanitization can be met. If co-mingling must be allowed to meet the requirements of the business need, the contractor must ensure that Department of Veterans Affairs (VA) information is returned to the Department of Veterans Affairs (VA) or destroyed in accordance with the Department of Veterans Affairs (VA) sanitization requirements. The Department of Veterans Affairs (VA) reserves the right to conduct onsite inspections of contractor and subcontractor IT resources to ensure data security controls, separation of data and job duties, and destruction/media sanitization procedures are in compliance with VA directive requirements.

Prior to termination or completion of this contract, contractor/subcontractor must not destroy information received from the Department of Veterans Affairs (VA) or gathered/created by the contractor in the course of performing this contract without prior written approval by the Department of Veterans Affairs (VA). Any data destruction done on behalf of VA by a contractor/subcontractor must be done in accordance with National Archives and Records Administration (NARA) requirements as outlined in VA Directive 6300, Records and Information Management and its Handbook 6300.1 Records Management Procedures, applicable VA Records Control Schedules, and VA Handbook 6500.1, Electronic Media Sanitization. Self-certification by the contractor that the data destruction requirements above have been met must be sent to the VA Contracting Officer within 30 days of termination of the contract.
The contractor/subcontractor must receive, gather, store, back up, maintain, use, disclose and dispose of the Department of Veterans Affairs (VA) information only in compliance with the terms of the contract and applicable Federal and Department of Veterans Affairs (VA) information confidentiality and security laws, regulations, and policies. If Federal or Department of Veterans Affairs (VA) information confidentiality and security laws, regulations and policies become applicable to the Department of Veterans Affairs (VA) information or information systems after execution of the contract, or if NIST issues or updates applicable FIPS or Special Publications (SP) after execution of this contract, the parties agree to negotiate in good faith to implement the information confidentiality and security laws, regulations and policies in this contract.

The contractor/subcontractor shall not make copies of Department of Veterans Affairs (VA) information except as authorized and necessary to perform the terms of the agreement or to preserve electronic information stored on contractor/subcontractor electronic storage media for restoration in case any electronic equipment or data used by the contractor/subcontractor needs to be restored to an operating state. If copies are made for restoration purposes, after the restoration is complete, the copies must be appropriately destroyed.

Security Incident Investigation

The term 'security incident' means an event that has, or could have, resulted in unauthorized access to, loss or damage to Department of Veterans Affairs (VA) assets, or sensitive information, or an action that breaches Department of Veterans Affairs (VA) security procedures.
The contractor/subcontractor shall immediately notify the Contracting Officer and Contracting Officer Representative (COR) and simultaneously, the designated ISO and Privacy Officer (PO) in writing for the contract of any known or suspected security/privacy incidents, or any unauthorized disclosure of sensitive information, including that contained in system(s) to which the contractor/subcontractor has access.

To the extent known by the contractor/subcontractor, the contractor's/subcontractor's notice to Department of Veterans Affairs (VA) shall identify the information involved, the circumstances surrounding the incident (including to whom, how, when, and where the Department of Veterans Affairs (VA) information or assets were placed at risk or compromised), and any other information that the contractor/subcontractor considers relevant.

With respect to unsecured protected health information, the business associate is deemed to have discovered a data breach when the business associate knew or should have known of a breach of such information. Upon discovery, the business associate must notify the covered entity of the breach. Notifications need to be made in accordance with the executed business associate agreement.

In instances of theft or break-in or other criminal activity, the contractor/subcontractor must concurrently report the incident to the appropriate law enforcement entity (or entities) of jurisdiction, including the Department of Veterans Affairs (VA) OIG and Security and Law Enforcement. The contractor, its employees, and its subcontractors and their employees shall cooperate with Department of Veterans Affairs (VA) and any law enforcement authority responsible for the investigation and prosecution of any possible criminal law violation(s) associated with any incident.
The contractor/subcontractor shall cooperate with VA in any civil litigation to recover VA information, obtain monetary or other compensation from a third party for damages arising from any incident, or obtain injunctive relief against any third party arising from, or related to, the incident.

Liquidated Damages for Data Breach

Consistent with the requirements of 38 U.S.C. §5725, a contract may require access to sensitive personal information. If so, the contractor is liable to Department of Veterans Affairs (VA) for liquidated damages in the event of a data breach or privacy incident involving any SPI the contractor/subcontractor processes or maintains under this contract.

The contractor/subcontractor shall provide notice to Department of Veterans Affairs (VA) of a security incident as set forth in the Security Incident Investigation section above. Upon such notification, Department of Veterans Affairs (VA) must secure from a non-Department entity or the Department of Veterans Affairs (VA) Office of Inspector General an independent risk analysis of the data breach to determine the level of risk associated with the data breach for the potential misuse of any sensitive personal information involved in the data breach. The term 'data breach' means the loss, theft, or other unauthorized access, or any access other than that incidental to the scope of employment, to data containing sensitive personal information, in electronic or printed form, that results in the potential compromise of the confidentiality or integrity of the data. Contractor shall fully cooperate with the entity performing the risk analysis. Failure to cooperate may be deemed a material breach and grounds for contract termination.

Each risk analysis shall address all relevant information concerning the data breach, including the following:
- Nature of the event (loss, theft, unauthorized access).
- Description of the event, including date of occurrence and data elements involved, including any PII, such as full name, social security number, date of birth, home address, account number, disability code.
- Number of individuals affected or potentially affected.
- Names of individuals or groups affected or potentially affected.
- Ease of logical data access to the lost, stolen or improperly accessed data in light of the degree of protection for the data, e.g., unencrypted, plain text.
- Amount of time the data has been out of Department of Veterans Affairs (VA) control.
- The likelihood that the sensitive personal information will be or has been compromised.
- Known misuses of data containing sensitive personal information, if any.
- Assessment of the potential harm to the affected individuals.
- Data breach analysis as outlined in 6500.2 Handbook, Management of Security and Privacy Incidents, as appropriate.
- Whether credit protection services may assist record subjects in avoiding or mitigating the results of identity theft based on the sensitive personal information that may have been compromised.

Based on the determinations of the independent risk analysis, the contractor shall be responsible for paying to the Department of Veterans Affairs (VA) liquidated damages per affected individual to cover the cost of providing credit protection services to affected individuals consisting of the following:
- Notification.
- One year of credit monitoring services consisting of automatic daily monitoring of at least 3 relevant credit bureau reports.
- Data breach analysis.
- Fraud resolution services, including writing dispute letters, initiating fraud alerts and credit freezes, to assist affected individuals to bring matters to resolution.
- One year of identity theft insurance with $20,000.00 coverage at $0 deductible.
- Necessary legal expenses the subjects may incur to repair falsified or damaged credit records, histories, or financial affairs.
Training

All Contractor employees and subcontractor employees requiring access to Department of Veterans Affairs (VA) information and information systems shall complete the following before being granted access to VA information and its systems:
- Sign and acknowledge (either manually or electronically) understanding of and responsibilities for compliance with the Contractor Rules of Behavior, Appendix E relating to access to Department of Veterans Affairs (VA) information and information systems.
- Successfully complete the VA Cyber Security Awareness and Rules of Behavior training and annually complete required security training.
- Successfully complete the appropriate Department of Veterans Affairs (VA) privacy training and annually complete required privacy training.
- Successfully complete any additional cyber security or privacy training, as required for VA personnel with equivalent information system access [to be defined by the Department of Veterans Affairs (VA) program official and provided to the contracting officer for inclusion in the solicitation document, e.g., any role-based information security training required in accordance with NIST Special Publication 800-16, Information Technology Security Training Requirements.]

The Contractor shall provide to the Contracting Officer (CO) and the Contracting Officer Representative (COR) a copy of all required training certificates and certification of signing the Contractor Rules of Behavior for each applicable employee within 1 week of the initiation of the contract and annually thereafter, as required.

Failure to complete the mandatory annual training and sign the Rules of Behavior annually, within the timeframe required, is grounds for suspension or termination of all physical or electronic access privileges and removal from work on the contract until such time as the training and documents are complete.

Certification and Accreditation (C&A) requirements do not apply, and a security package is not required.
Records Management

Citations to pertinent laws, codes, and regulations such as 44 U.S.C. chapters 21, 29, 31 and 33; Freedom of Information Act (5 U.S.C. 552); Privacy Act (5 U.S.C. 552a); 36 CFR Part 1222 and Part 1228.

Contractor shall treat all deliverables under the contract as the property of the U.S. Government for which the Government Agency shall have unlimited rights to use, dispose of, or disclose such data contained therein as it determines to be in the public interest.

Contractor shall not create or maintain any records that are not specifically tied to or authorized by the contract using Government IT equipment and/or Government records.

Contractor shall not retain, use, sell, or disseminate copies of any deliverable that contains information covered by the Privacy Act of 1974 or that which is generally protected by the Freedom of Information Act.

Contractor shall not create or maintain any records containing any Government Agency records that are not specifically tied to or authorized by the contract.

The Government Agency owns the rights to all data/records produced as part of this contract.

The Government Agency owns the rights to all electronic information (electronic data, electronic information systems, electronic databases, etc.) and all supporting documentation created as part of this contract. Contractor must deliver sufficient technical documentation with all data deliverables to permit the agency to use the data.

Contractor agrees to comply with Federal and Agency records management policies, including those policies associated with the safeguarding of records covered by the Privacy Act of 1974. These policies include the preservation of all records created or received regardless of format [paper, electronic, etc.] or mode of transmission [email, fax, etc.] or state of completion [draft, final, etc.].

No disposition of documents will be allowed without the prior written consent of the Contracting Officer.
The Agency and its contractors are responsible for preventing the alienation or unauthorized destruction of records, including all forms of mutilation. Willful and unlawful destruction, damage, or alienation of Federal records is subject to the fines and penalties imposed by 18 U.S.C. 2701. Records may not be removed from the legal custody of the Agency or destroyed without regard to the provisions of the agency records schedules.

Contractor is required to obtain the Contracting Officer's approval prior to engaging in any contractual relationship (sub-contractor) in support of this contract requiring the disclosure of information, documentary material and/or records generated under, or relating to, this contract. The Contractor (and any sub-contractor) is required to abide by Government and Agency guidance for protecting sensitive and proprietary information.