Statement of Work
CLIA Assays

Introduction and Scope of Work and Requirements

The Special Reference Lab (SRL) is seeking a fully automated, walk-away, fully integrated, random access, continuous feed platform capable of high throughput. In order to provide higher throughput and increased sensitivity for lower analyte concentrations, the VAMC SRL requires Chemiluminescent Immunoassay (CLIA) technology. The VAMC SRL is seeking an Indefinite Delivery Indefinite Quantity (IDIQ) contract with 5 ordering periods for instrumentation, reagents, consumables, and support to perform on a single platform.

Currently, we have 3 Liaison XL instruments ranging in age from 5 to 10 years old, each with its own UPS and connected to a floor drain. It is our intent to replace the current instrumentation with new, latest-model equipment. The instruments must be connected to a floor drain, plumbed to a deionized water system (currently in place), and each must have its own UPS, maintained by the contractor. The instrumentation must be capable of running all of our current menu of CLIA tests at one time for improved patient result turnaround times. Our current menu includes the following tests:

- Calprotectin
- Measles IgG
- Mumps IgG
- Varicella Zoster Virus (VZV) IgG
- Rubella IgG
- Borrelia IgG and IgM
- Herpes Simplex Virus 1 (HSV 1) IgG
- Herpes Simplex Virus 2 (HSV 2) IgG
- Epstein Barr Virus (EBV) IgM
- Viral Capsid Antigen (VCA) IgG
- Epstein Barr Nuclear Antigen (EBNA) IgG
- Early Antigen (EA) IgG
- Cytomegalovirus (CMV) IgG
- Cytomegalovirus (CMV) IgM
- Toxoplasma (Toxo) IgG
- Toxoplasma (Toxo) IgM
- Helicobacter pylori (H. pylori) IgG

In order to add new testing to our current menu, the instrument must also be capable of Elastase stool antigen using CLIA technology with random access and continuous feed.

Requirements

In order to perform the tests in a timely manner, the contractor must provide a fully automated, random access, continuous feed instrument.
To maximize incubator efficiency, test cuvettes must be individual, not linked together. The analyzer must sample directly from the primary patient tube. The analyzer must detect if the primary patient sample has inadequate volume for the required testing and must provide automatic clot detection. The equipment includes an automated processor and reader. The system must have an FDA-cleared chemiluminescence (CLIA) assay for the detection of latent Tuberculosis as well as the following assays:

- Measles IgG
- Mumps IgG
- Rubella IgG
- Varicella IgG
- Lyme combined IgG & IgM screening test
- Herpes Simplex Virus (HSV) 1 and Herpes Simplex Virus (HSV) 2 glycoprotein G antibody tests
- Epstein-Barr Virus (EBV) test panels, including EBV Viral Capsid Antibody (VCA) IgG, EBV VCA IgM, EBV Early antibody, and EBV Nuclear antibody
- Toxoplasma IgG
- Toxoplasma IgM
- Fecal Calprotectin
- Fecal Pancreatic Elastase
- Cytomegalovirus (CMV) IgG
- Cytomegalovirus (CMV) IgM
- Helicobacter pylori (H. pylori) in human serum

Contractor must comply with American Gastroenterological Association (AGA) guidelines for fecal pancreatic elastase and fecal Calprotectin.

Traceability: All results, samples, calibrations, and quality controls are traced by Radio Frequency Identification (RFID) instead of barcoding for integrals. On-board tracking of the number of tests and calibrations, lot number, and integral stability on the instrument.

System Monitoring: All the activities planned and scheduled are continuously monitored, as well as the completion time of the run.

Instrument Status: The software informs the user about the status of the instrument (Stand-By; Ready; Running).

Consumable Estimation: The software gives the user an upfront estimate of the consumables needed to perform a run, both before and during a run.

On-Board User Manual: The instrument has a built-in help feature icon that offers an Operator Guide.

The instrument must use disposable tips to help ensure there is no carryover.
The system must be pre-programmed and bi-directionally interfaceable with both the Veterans Information System and Technology Architecture (VistA) and Cerner. The QuantiFERON (QFT) software package must allow for the following features: management of different workflows, sample monitoring via barcode labels, automated interpretation of lab data, and retesting capabilities for single or multiple patient tubes. Primary QFT®-Plus Blood Collection Tubes can be loaded on and sampled from the random access automated platform. The system must be fully automated to handle bar-coded specimens from the beginning of the test until results are available.

Offered models of clinical laboratory analyzers shall be capable of producing accurate and reproducible assays on blood by established in vitro diagnostic methods. Models shall provide accurate test assay results for sample specimens up to the manufacturer's defined maximum tests per hour without excessive malfunctions, breakdowns, or service calls. Offered equipment shall be current state-of-the-art equipment. Discontinued and/or used models or equipment will not be accepted. Contractor must be capable of integrating with our automation line at the contractor's expense. The awarded contractor shall provide all upgrades to the equipment hardware and operating system software at no additional cost to the Government. The contractor shall provide technical support for the software programs required for data management and interfacing results into VistA/Cerner. These enhancements shall be delivered and installed within 60 days of issuance to the commercial market. Only instruments, reagent cartridges, and supplies which are FDA approved will be considered. Upon request, sufficient reagents shall be provided by the contractor for in-house evaluation of each analyte at the contractor's expense. Reagents, supplies, and disposables shall be of the highest quality, ensuring sensitivity and specificity, and tested to assure precision and accuracy.
The quality of the products shall be high enough to satisfy proficiency testing standards of the College of American Pathologists (CAP) and the Joint Commission (JC). The prices quoted shall include shipping, handling and any other fees. Contractor agrees to ship reagents and consumables with a minimum of 90-day expiration. A printed and bound copy of the operator's manual shall be furnished with each instrument supplied to the VA, and updates to the manual shall be provided within 60 days of issuance to the commercial market.

In the event that the consumables are found to be defective and/or unsuitable for use with the Contractor's equipment, or the Contractor has failed to comply with the requirements for routine delivery of supplies, the Contractor is required to make commercially reasonable efforts to deliver the consumable supplies within 24 hours of receipt of a verbal order for priority delivery from authorized ordering personnel (see section 8b of this document). If either circumstance has occurred, the Contractor will deliver to the government site a quantity sufficient to allow operation of the Contractor's equipment for one week (under normal government test load volume). If additional requests for emergency supply delivery are required by the government, they will be honored by the Contractor until the supplies are once again on a normal delivery schedule. Failure to reserve adequate inventory may result in default/termination for cause, depending on the FSS contractual terms.

Site Preparation Requirements: Site preparation specifications shall be furnished in writing by the Contractor as a part of the equipment proposal. These specifications shall be in such detail as to ensure that the equipment to be installed shall operate efficiently and conform to the manufacturer's claimed specifications.
The Contractor shall be responsible for assessing the site to determine the adequacy of electrical, plumbing, and ventilation, as well as the dimensions of the physical space available, to optimize functionality and ensure a proper operating environment.

Maintenance and Repairs Requirements: Maintenance, including preventative maintenance and all repairs, is included in the calculated costs of this contract. This lab is open seven days per week from 7:00 am to 3:30 pm EST. The contractor will perform emergency repairs within 24 hours of the time of notification of the malfunction by the facility. Emergency repairs will be made at a minimum Monday through Friday, 8am to 5pm EST, to include weekend emergency repairs. The contractor will provide all parts and labor needed to repair the malfunction. Travel, per diem and other expenses associated with the repair will be covered by the contractor. The contractor shall furnish a service report to the facility upon completion of each service/maintenance call. The report shall include, as a minimum, the following: (a) date and time of notification, (b) date and time of arrival, (c) serial number, type and model number(s) of equipment, (d) time spent for repair/maintenance, (e) description of any malfunction, and (f) proof of repair. Parts (e) and (f) shall be written verification of quality control of the sample run.

Training and Technical Service Training Requirements

The contractor, without additional charge to the government, shall provide in-depth technical training for Key Operator technologists. There will be 1 Key Operator slot for each analyzer (i.e., if 3 analyzers are included in this contract, there will be 3 Key Operator technologist training slots). Standardized on-site technical training for all SRL personnel regarding routine operations and maintenance of instrumentation will be provided at no extra cost to the government. Training must be conducted for individuals or in small groups to provide hands-on experience.
The contractor will provide competency assessment protocols for use at the Troy Bowling VAMC SRL that will be consistent with federal regulations and current Joint Commission and CAP standards. On-site technical training must be provided within 30 days of installation. Contractor shall provide supplemental operating training to the above government personnel, without additional charge to the government, upon installation of an upgrade to equipment hardware or operating system software connected with the operation of an instrument already furnished.

General Requirements of Connectivity Solution

The contractor's unit shall have software/middleware that is fully VistA and Cerner compatible, capable of simultaneous data transfer from the unit to the VistA and Cerner systems (without upgrade or other software modification to VistA), and all hardware/software necessary to transfer data into patient files in VistA and Cerner shall be provided at no additional cost to the VA. The middleware uses direct device connectivity. The instruments should connect directly to the middleware, which will connect directly to the laboratory information system (LIS). All connection costs will be included in the offer, including the Data Innovations connection. If an upgrade to a data manager is required for improved test system management, the middleware connectivity should be able to accommodate these upgrades at no extra charge to the facility. The middleware system should be able to produce standard laboratory reports, which may include statistics. The middleware system must be compliant with all Office of Information and Technology regulations. The program should provide a secure email function within its program. Annual support fees shall be a set all-inclusive cost and shall not be modified due to additional testing locations. No annual device or location license fee. Must be able to provide historical quality control data without loss of lot-specific information.
Implementation Period Requirements

The Contractor shall provide with its quotation a transition plan for the complete transition of all services under the awarded agreement, including installation, training of personnel, transition of all testing materials, reagents and supplies, etc., and performance of all correlations and validations. This transition shall be completed no later than 60 days after the award of the agreement. This timeline is based on a reasonable attempt by the Contractor to complete all of the necessary implementation requirements within the stated timeframe. The Contractor's submitted implementation plan shall not exceed the required 60-day period contained herein. Failure of the contractor to conform to the transition period shall be considered sufficient cause to terminate the contract under the Termination for Cause clause of the contract. The VA shall have sole discretion in the decision to terminate for failure to comply.

Orders Requirements

This is an Indefinite Delivery, Indefinite Quantity (IDIQ) request. Orders for supplies will be placed as needed and charges will be accrued as orders are placed. The Government estimates the volumes listed but does not guarantee volumes as listed; they are ESTIMATES ONLY. Estimated numbers of tests performed per year are listed below:

- Calprotectin: 287
- Elastase: 30
- Measles IgG: 8842
- Mumps IgG: 8986
- VZV IgG: 7274
- Rubella IgG: 7457
- Borrelia: 4165
- HSV 1 IgG: 8594
- HSV 2 IgG: 10,000
- EBV IgM: 394
- VCA IgG: 411
- EBNA IgG: 78
- EA IgG: 377
- CMV IgG: 1902
- CMV IgM: 2187
- Toxo IgG: 621
- Toxo IgM: 679
- H. Pylori IgG: 981
- QuantiFERON: 5400

The Lexington VAMC will order products via telephone, facsimile or other written communication, identifying the products by number, quantity, address for delivery, and any special instructions.
The following personnel are authorized to telephone, fax, or e-mail orders:

- SRL Supervisory Medical Technologist
- SRL Lead Medical Technologist
- Line Item Manager
- Other SRL Medical Technologists, as designated

Delivery Requirements: The analyzer and all reagents will be delivered to the CDD division of the Lexington, KY VAMC, using the address below:

VA Medical Center
Special Reference Laboratory, Room A 139
1101 Veterans Drive
Lexington, KY 40502

Delivery Tickets Requirements: Unless otherwise agreed to, all deliveries under this agreement shall be accompanied by delivery tickets or sales slips that shall contain the following information as a minimum:

- Name of contractor
- Contract number
- Model number or National Stock Number (NSN)
- Purchase order number
- Date of purchase
- Quantity, unit price and extension of each item (unit prices and extensions need not be shown when incompatible with the use of automated systems, provided that the invoice is itemized to show this information)
- Date of shipment

Comparison and Validation of Analyzer Requirements: The Contractor shall assist, to the satisfaction of the Government and at no cost to the Government, with all comparison and validation studies, to include any materials and reagents needed for such correlation. The Contractor shall perform all the statistical analyses and report data in an organized, clearly comprehensible format. This process shall be completed within 30 days of installation of the analyzer and shall be consistent with current CLSI (formerly NCCLS) and related documents, CAP Standards and Federal Regulations. The Contractor will print, organize and place all comparison and validation studies, to include package inserts, in a binder to be presented to the SRL Supervisor and Chief of Pathology for approval and signing.
CLSI Procedure Manual Requirements: The contractor shall provide a copy of operating procedures in Clinical and Laboratory Standards Institute (CLSI) digital format at time of installation, using software compatible with VA (Microsoft Office Word).

Progress and Compliance Requirements: The system must perform assays as advertised and meet the performance characteristics for accuracy and precision as defined by the 1988 Clinical Laboratory Improvement Act (CLIA) and the Clinical and Laboratory Standards Institute (CLSI).

Record Management Requirements

Citations to pertinent laws, codes and regulations such as 44 U.S.C. chapters 21, 29, 31 and 33; Freedom of Information Act (5 U.S.C. 552); Privacy Act (5 U.S.C. 552a); 36 CFR Part 1222 and Part 1228.

- Contractor shall treat all deliverables under the contract as the property of the U.S. Government, for which the Government Agency shall have unlimited rights to use, dispose of, or disclose such data contained therein as it determines to be in the public interest.
- Contractor shall not create or maintain any records that are not specifically tied to or authorized by the contract using Government IT equipment and/or Government records.
- Contractor shall not retain, use, sell, or disseminate copies of any deliverable that contains information covered by the Privacy Act of 1974 or that which is generally protected by the Freedom of Information Act.
- Contractor shall not create or maintain any records containing any Government Agency records that are not specifically tied to or authorized by the contract.
- The Government Agency owns the rights to all data/records produced as part of this contract.
- The Government Agency owns the rights to all electronic information (electronic data, electronic information systems, electronic databases, etc.) and all supporting documentation created as part of this contract. Contractor must deliver sufficient technical documentation with all data deliverables to permit the agency to use the data.
- Contractor agrees to comply with Federal and Agency records management policies, including those policies associated with the safeguarding of records covered by the Privacy Act of 1974. These policies include the preservation of all records created or received regardless of format [paper, electronic, etc.], mode of transmission [e-mail, fax, etc.] or state of completion [draft, final, etc.].
- No disposition of documents will be allowed without the prior written consent of the Contracting Officer. The Agency and its contractors are responsible for preventing the alienation or unauthorized destruction of records, including all forms of mutilation. Willful and unlawful destruction, damage or alienation of Federal records is subject to the fines and penalties imposed by 18 U.S.C. 2701. Records may not be removed from the legal custody of the Agency or destroyed without regard to the provisions of the agency records schedules.
- Contractor is required to obtain the Contracting Officer's approval prior to engaging in any contractual relationship (sub-contractor) in support of this contract requiring the disclosure of information, documentary material and/or records generated under, or relating to, this contract. The Contractor (and any sub-contractor) is required to abide by Government and Agency guidance for protecting sensitive and proprietary information.

Characterization of Waste Requirements

The Contractor shall provide documentation that it has characterized the hazardous nature of all wastes produced by all equipment, devices, reagents, and discharges in accordance with the requirements of the Code of Federal Regulations Title 40, Protection of the Environment, Part 261 et seq. and applicable state and local requirements.
Documentation shall include a description of the characteristics of the hazardous waste produced as a byproduct of the instrument operations, Safety Data Sheets (SDS) meeting the requirements of the Occupational Safety and Health Administration (OSHA) and Environmental Protection Agency (EPA), the analytical process used to determine the hazardous nature and characteristics of the waste, and the analytical test results. Testing of hazardous waste is to be done in accordance with the testing protocol specified for each individual waste as described in the Code of Federal Regulations Title 40, to make a determination of whether the waste is a hazardous waste or otherwise regulated. The determination and description shall address the following:

- Waste toxicity (Reference 40 CFR § 261.11 and 40 CFR § 261.24)
- Waste ignitability (Reference 40 CFR § 261.21)
- Waste corrosivity (Reference 40 CFR § 261.22)
- Waste reactivity (Reference 40 CFR § 261.23)
- Hazardous waste from non-specific sources (F-listed) (Reference 40 CFR § 261.31)
- Discarded commercial products (acutely toxic or P-listed, and toxic or U-listed) (Reference 40 CFR § 261.33)
- Solid Waste (Reference 40 CFR § 261.2)
- Exclusions (Reference 40 CFR § 261.4)

The Contractor will provide written instructions and training material to ensure VHA laboratory staff are trained as needed to properly operate devices, with special emphasis on managing and disposing of hazardous waste in accordance with EPA and state requirements. Additionally, the training provided by the contractor must fulfill Resource Conservation and Recovery Act (RCRA) requirements for training as applicable to devices. Contractor shall provide a description of all wastes the process or equipment may discharge so that the facility can determine whether the discharge meets local Publicly Owned Treatment Works (POTW), State and Federal discharge requirements.
At a minimum, the characteristics of ignitability, corrosivity, reactivity and toxicity as defined in 40 CFR § 261 must be determined and documented. Any mercury-containing reagents must be identified, in any concentration. All test results shall be provided. All listed chemicals (F, U, K and P) found in 40 CFR § 261 shall be provided in product information and their concentrations documented. For those materials with a positive hazardous waste determination, a mechanism for the laboratory to meet local discharge requirements (i.e. mercury, thimerosal and formaldehyde) must be developed, and SDS sheets must be provided in advance for review. At a minimum, documentation shall include, but not be limited to, the concentration/measures of the elements and parameters listed below and must be included with the contractor's response:

- Barium (Total)
- Cadmium (Total)
- Chromium (Total)
- Copper (Total)
- Cyanide (Total)
- Lead (Total)
- Mercury (Total)
- Nickel (Total)
- Silver (Total)
- Zinc (Total)
- Arsenic (Total)
- Selenium (Total)
- Tin (Total)
- pH
- Flash Point (to be higher than 200 F)
- BOD: Biochemical Oxygen Demand

The documentation the contractor provides will be used to work with the VAMC and the public and/or private organization (e.g. POTW) to determine whether or not the waste from each device can legally be disposed of via the sewerage system.

Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule Requirements

The HIPAA Privacy Rule promulgates rules governing the security, use and disclosure of Protected Health Information (PHI) by covered entities, including Federal agencies such as the Department of Veterans Affairs (VA). A covered agency must obtain satisfactory written assurances from its business associates that they will appropriately safeguard PHI that is received from or created on behalf of the agency.
If the VA contracting officer determines that HIPAA is applicable to an offer that is submitted under this schedule, the offeror will be required to enter into a Business Associate Agreement (BAA) with the agency prior to the effective date of the contract. The BAA will describe the permitted and required uses of PHI by the offeror; provide that the offeror will not use or further disclose the PHI other than as permitted or required by the contract or by law; and require the offeror to use appropriate safeguards to prevent unauthorized disclosure of the PHI.

VA Information and Information System Security and Privacy Requirements

All contractor employees working on VA property must wear badges that are issued by the Police and Security Department. Contractor employees are required to wear the badges at all times while on VA property and must turn them in to the Police and Security Department prior to leaving VA property. When contractor employees are working in an area where there is highly sensitive information, there must be a VA employee present at all times during this period. The Contractor must have remote monitoring of analyzers. The Contractor must have a fully functional VPN (Virtual Private Network) based bi-directional interface account established with the federal government. Contractor shall provide a VistA/LEDI (Laboratory Electronic Data Exchange) laboratory interface system as approved by the VA National Security Operations Center. A copy of the VPN must be included in your response.

A. GENERAL

Contractors, contractor personnel, subcontractors, and subcontractor personnel shall be subject to the same Federal laws, regulations, standards, and VA Directives and Handbooks as VA and VA personnel regarding information and information system security.

B. ACCESS TO VA INFORMATION AND VA INFORMATION SYSTEMS

1. A contractor/subcontractor shall request logical (technical) or physical access to VA information and VA information systems for their employees, subcontractors, and affiliates only to the extent necessary to perform the services specified in the contract, agreement, or task order.

2. All contractors, subcontractors, and third-party servicers and associates working with VA information are subject to the same investigative requirements as those of VA appointees or employees who have access to the same types of information. The level and process of background security investigations for contractors must be in accordance with VA Directive and Handbook 0710, Personnel Suitability and Security Program. The Office for Operations, Security, and Preparedness is responsible for these policies and procedures.

3. Contract personnel who require access to national security programs must have a valid security clearance. The National Industrial Security Program (NISP) was established by Executive Order 12829 to ensure that cleared U.S. defense industry contract personnel safeguard the classified information in their possession while performing work on contracts, programs, bids, or research and development efforts. The Department of Veterans Affairs does not have a Memorandum of Agreement with the Defense Security Service (DSS). Verification of a Security Clearance must be processed through the Special Security Officer located in the Planning and National Security Service within the Office of Operations, Security, and Preparedness.

4. Custom software development and outsourced operations must be located in the U.S. to the maximum extent practical. If such services are proposed to be performed abroad and are not disallowed by other VA policy or mandates, the contractor/subcontractor must state where all non-U.S. services are provided and detail a security plan, deemed to be acceptable by VA, specifically to address mitigation of the resulting problems of communication, control, data protection, and so forth. Location within the U.S. may be an evaluation factor.

5. The contractor or subcontractor must notify the Contracting Officer immediately when an employee working on a VA system or with access to VA information is reassigned or leaves the contractor's or subcontractor's employ. The Contracting Officer must also be notified immediately by the contractor or subcontractor prior to an unfriendly termination.

C. VA INFORMATION CUSTODIAL LANGUAGE

1. Information made available to the contractor or subcontractor by VA for the performance or administration of this contract, or information developed by the contractor/subcontractor in performance or administration of the contract, shall be used only for those purposes and shall not be used in any other way without the prior written agreement of the VA. This clause expressly limits the contractor's/subcontractor's rights to use data as described in Rights in Data General, FAR 52.227-14(d)(1).

2. VA information should not be co-mingled, if possible, with any other data on the contractor's/subcontractor's information systems or media storage systems, in order to ensure VA requirements related to data protection and media sanitization can be met. If co-mingling must be allowed to meet the requirements of the business need, the contractor must ensure that VA's information is returned to the VA or destroyed in accordance with VA's sanitization requirements. VA reserves the right to conduct on-site inspections of contractor and subcontractor IT resources to ensure data security controls, separation of data and job duties, and destruction/media sanitization procedures are in compliance with VA directive requirements.

3. Prior to termination or completion of this contract, the contractor/subcontractor must not destroy information received from VA, or gathered/created by the contractor in the course of performing this contract, without prior written approval by the VA. Any data destruction done on behalf of VA by a contractor/subcontractor must be done in accordance with National Archives and Records Administration (NARA) requirements as outlined in VA Directive 6300, Records and Information Management, and its Handbook 6300.1, Records Management Procedures, applicable VA Records Control Schedules, and VA Handbook 6500.1, Electronic Media Sanitization. Self-certification by the contractor that the data destruction requirements above have been met must be sent to the VA Contracting Officer within 30 days of termination of the contract.

4. The contractor/subcontractor must receive, gather, store, back up, maintain, use, disclose and dispose of VA information only in compliance with the terms of the contract and applicable Federal and VA information confidentiality and security laws, regulations and policies. If Federal or VA information confidentiality and security laws, regulations and policies become applicable to the VA information or information systems after execution of the contract, or if NIST issues or updates applicable FIPS or Special Publications (SP) after execution of this contract, the parties agree to negotiate in good faith to implement the information confidentiality and security laws, regulations and policies in this contract.

5. The contractor/subcontractor shall not make copies of VA information except as authorized and necessary to perform the terms of the agreement, or to preserve electronic information stored on contractor/subcontractor electronic storage media for restoration in case any electronic equipment or data used by the contractor/subcontractor needs to be restored to an operating state.
If copies are made for restoration purposes, after the restoration is complete, the copies must be appropriately destroyed.

6. If VA determines that the contractor has violated any of the information confidentiality, privacy, and security provisions of the contract, it shall be sufficient grounds for VA to withhold payment to the contractor or third party, or to terminate the contract for default or terminate for cause under Federal Acquisition Regulation (FAR) part 12.

7. If a VHA contract is terminated for cause, the associated BAA must also be terminated and appropriate actions taken in accordance with VHA Handbook 1600.01, Business Associate Agreements. Absent an agreement to use or disclose protected health information, there is no business associate relationship.

8. The contractor/subcontractor must store, transport, or transmit VA sensitive information in an encrypted form, using VA-approved encryption tools that are, at a minimum, FIPS 140-2 validated.

9. The contractor's/subcontractor's firewall and Web services security controls, if applicable, shall meet or exceed VA's minimum requirements. VA Configuration Guidelines are available upon request.

10. Except for uses and disclosures of VA information authorized by this contract for performance of the contract, the contractor/subcontractor may use and disclose VA information only in two other situations: (a) in response to a qualifying order of a court of competent jurisdiction, or (b) with VA's prior written approval. The contractor/subcontractor must refer all requests for, demands for production of, or inquiries about VA information and information systems to the VA contracting officer for response.

11. Notwithstanding the provision above, the contractor/subcontractor shall not release VA records protected by Title 38 U.S.C. 5705, confidentiality of medical quality assurance records, and/or Title 38 U.S.C. 7332, confidentiality of certain health records pertaining to drug addiction, sickle cell anemia, alcoholism or alcohol abuse, or infection with human immunodeficiency virus. If the contractor/subcontractor is in receipt of a court order or other request for the above-mentioned information, that contractor/subcontractor shall immediately refer such court orders or other requests to the VA contracting officer for response.

12. For service that involves the storage, generating, transmitting, or exchanging of VA sensitive information but does not require C&A or an MOU-ISA for system interconnection, the contractor/subcontractor must complete a Contractor Security Control Assessment (CSCA) on a yearly basis and provide it to the COR.

D. INFORMATION SYSTEM HOSTING, OPERATION, MAINTENANCE, OR USE

1. For information systems that are hosted, operated, maintained, or used on behalf of VA at non-VA facilities, contractors/subcontractors are fully responsible and accountable for ensuring compliance with all HIPAA, Privacy Act, FISMA, NIST, FIPS, and VA security and privacy directives and handbooks. This includes conducting compliant risk assessments, routine vulnerability scanning, system patching and change management procedures, and the completion of an acceptable contingency plan for each system. The contractor's security control procedures must be equivalent to those procedures used to secure VA systems. A Privacy Impact Assessment (PIA) must also be provided to the COR and approved by VA Privacy Service prior to operational approval. All external Internet connections to VA's network involving VA information must be reviewed and approved by VA prior to implementation.

2. Adequate security controls for collecting, processing, transmitting, and storing of Personally Identifiable Information (PII), as determined by the VA Privacy Service, must be in place, tested, and approved by VA prior to hosting, operation, maintenance, or use of the information system or systems by or on behalf of VA. These security controls are to be assessed and stated within the PIA, and if these controls are determined not to be in place, or inadequate, a Plan of Action and Milestones (POA&M) must be submitted and approved prior to the collection of PII.

3. Outsourcing (contractor facility, contractor equipment or contractor staff) of systems or network operations, telecommunications services, or other managed services requires certification and accreditation (authorization) (C&A) of the contractor's systems in accordance with VA Handbook 6500.3, Certification and Accreditation, and/or the VA OCS Certification Program Office. Government-owned (government facility or government equipment) contractor-operated systems, third party or business partner networks require memorandums of understanding and interconnection agreements (MOU-ISA) which detail what data types are shared, who has access, and the appropriate level of security controls for all systems connected to VA networks.

4. The contractor's/subcontractor's system must adhere to all FISMA, FIPS, and NIST standards related to the annual FISMA security controls assessment, and must review and update the PIA. Any deficiencies noted during this assessment must be provided to the VA contracting officer and the ISO for entry into VA's POA&M management process. The contractor/subcontractor must use VA's POA&M process to document planned remedial actions to address any deficiencies in information security policies, procedures, and practices, and the completion of those activities. Security deficiencies must be corrected within the timeframes approved by the government.
Contractor/subcontractor procedures are subject to periodic, unannounced assessments by VA officials, including the VA Office of Inspector General. The physical security aspects associated with contractor/subcontractor activities must also be subject to such assessments. If major changes to the system occur that may affect the privacy or security of the data or the system, the C&A of the system may need to be reviewed, retested and re-authorized per VA Handbook 6500.3. This may require reviewing and updating all of the documentation (PIA, System Security Plan, Contingency Plan). The Certification Program Office can provide guidance on whether a new C&A would be necessary. 5. The contractor/subcontractor must conduct an annual self-assessment on all systems and outsourced services as required. Both hard copy and electronic copies of the assessment must be provided to the COR. The government reserves the right to conduct such an assessment using government personnel or another contractor/subcontractor. The contactor/subcontractor must take appropriate and timely action (this can be specified in the contract) to correct or mitigate any weaknesses discovered during such testing, generally at no additional cost. 6. VA prohibits the installation and use of personally-owned or contractor/subcontractor-owned equipment or software on VA s network. If non-VA owned equipment must be used to fulfill the requirements of a contract, it must be stated in the service agreement, SOW or contract. All of the security controls required for government furnished equipment (GFE) must be utilized in approved other equipment (OE) and must be funded by the owner of the equipment. All remote systems must be equipped with, and use, a VA-approved antivirus (AV) software and a personal (host-based or enclave based) firewall that is configured with a VA-approved configuration. Software must be kept current, including all critical updates and patches. 
Owners of approved OE are responsible for providing and maintaining the anti-viral software and the firewall on the non-VA owned OE. 7. All electronic storage media used on non-VA leased or non-VA owned IT equipment that is used to store, process, or access VA information must be handled in adherence with VA Handbook 6500.1, Electronic Media Sanitization upon: a. completion or termination of the contract or b. disposal or return of the IT equipment by the contractor/subcontractor or any person acting on behalf of the contractor/subcontractor, whichever is earlier. Media (hard drives, optical disks, CDs, back-up tapes, etc.) used by the contractors/subcontractors that contain VA information must be returned to the VA for sanitization or destruction or the contractor/subcontractor must self-certify that the media has been disposed of per 6500.1 requirements. This must be completed within 30 days of termination of the contract. 8. Bio-Medical devices and other equipment or systems containing media (hard drives, optical disks, etc.) with VA sensitive information must not be returned to the contractor at the end of lease, for trade-in, or other purposes. The options are: a. Contractor must accept the system without the drive; b. VA s initial medical device purchase includes a spare drive which must be installed in place of the original drive at time of turn-in; or c. VA must reimburse the company for media at a reasonable open market replacement cost at time of purchase. d. 
Due to the highly specialized and sometimes proprietary hardware and software associated with medical equipment/systems, if it is not possible for the VA to retain the hard drive, then; (1) The equipment contractor must have an existing BAA if the device being traded in has sensitive information stored on it and hard drive(s) from the system are being returned physically intact; and (2) Any fixed hard drive on the device must be non-destructively sanitized to the greatest extent possible without negatively impacting system operation. Selective clearing down to patient data folder level is recommended using VA approved and validated overwriting technologies/methods/tools. Applicable media sanitization specifications need to be pre-approved and described in the purchase order or contract. (3) A statement needs to be signed by the Director (System Owner) that states that the drive could not be removed and that (1) and (2) controls above are in place and completed. The ISO needs to maintain the documentation. E. SECURITY INCIDENT INVESTIGATION 1. The term security incident means an event that has, or could have, resulted in unauthorized access to, loss or damage to VA assets, or sensitive information, or an action that breaches VA security procedures. The contractor/subcontractor shall immediately notify the COR and simultaneously, the designated ISO and Privacy Officer for the contract of any known or suspected security/privacy incidents, or any unauthorized disclosure of sensitive information, including that contained in system(s) to which the contractor/subcontractor has access. 2. To the extent known by the contractor/subcontractor, the contractor/subcontractor s notice to VA shall identify the information involved, the circumstances surrounding the incident (including to whom, how, when, and where the VA information or assets were placed at risk or compromised), and any other information that the contractor/subcontractor considers relevant. 3. 
With respect to unsecured protected health information, the business associate is deemed to have discovered a data breach when the business associate knew or should have known of a breach of such information. Upon discovery, the business associate must notify the covered entity of the breach. Notifications need to be made in accordance with the executed business associate agreement. 4. In instances of theft or break-in or other criminal activity, the contractor/subcontractor must concurrently report the incident to the appropriate law enforcement entity (or entities) of jurisdiction, including the VA OIG and Security and Law Enforcement. The contractor, its employees, and its subcontractors and their employees shall cooperate with VA and any law enforcement authority responsible for the investigation and prosecution of any possible criminal law violation(s) associated with any incident. The contractor/subcontractor shall cooperate with VA in any civil litigation to recover VA information, obtain monetary or other compensation from a third party for damages arising from any incident, or obtain injunctive relief against any third party arising from, or related to, the incident. F. LIQUIDATED DAMAGES FOR DATA BREACH 1. Consistent with the requirements of 38 U.S.C. §5725, a contract may require access to sensitive personal information. If so, the contractor is liable to VA for liquidated damages in the event of a data breach or privacy incident involving any SPI the contractor/subcontractor processes or maintains under this contract. 2. The contractor/subcontractor shall provide notice to VA of a security incident as set forth in the Security Incident Investigation section above. 
Upon such notification, VA must secure from a non-Department entity or the VA Office of Inspector General as independent risk analysis of the data breach to determine the level of risk associated with the data breach for the potential misuse of any sensitive personal information involved in the data breach. The term data breach means the loss, theft, or other unauthorized access, or any access other than that incidental to the scope of employment, to data containing sensitive personal information, in electronic or printed form, that results in the potential compromise of the confidentiality or integrity of the data. Contractor shall fully cooperate with the entity performing the risk analysis. Failure to cooperate may be deemed a material breach and grounds for contract termination. 3. Each risk analysis shall address all relevant information concerning the data breach, including the following: a. Nature of the event (loss, theft, unauthorized access); b. Description of the event including (1) date of occurrence; (2) data elements involved, including any PII, such as full name, social security number, date of birth, home address, account number, disability code; c. Number of individuals affected or potentially affected; d. Names of individuals or groups affected or potentially affected; e. Ease of logical data access to the lost, stolen or improperly accessed data in light of the degree of protection for the data, e.g., unencrypted, plain text; f. Amount of time the data has been out of VA control; g. The likelihood that the sensitive personal information will or has been compromised (made accessible to and usable by unauthorized persons); h. Known misuses of data containing sensitive personal information, if any: i. Assessment of the potential harm to the affected individuals; j. Data breach analysis as outlined in 6500.2 Handbook, Management of Security and Privacy Incidents, as appropriate; and k. 
Whether credit protection services may assist record subjects in avoiding or mitigating the results of identity theft based on the sensitive personal information that may have been compromised. 4. Based on the determinations of the independent risk analysis, the contractor shall be responsible for paying to the VA liquidated damages in the amount of $37.50 per affected individual to cover the cost of providing credit protection services to affected individuals consisting of the following: a. Notification; b. One year of credit monitoring services consisting of automatic daily monitoring of at least 3 relevant credit bureau reports; c. Data breach analysis; d. Fraud resolution services, including writing dispute letters, initiating fraud alerts and credit freezes, to assist affected individuals to bring matters to resolution; e. One year of identity theft insurance with $20,000.00 coverage at $0 deductible; and f. Necessary legal expenses the subjects may incur to repair falsified or damaged credit records, histories, or financial affairs. G. SECURITY CONTROLS COMPLIANCE TESTING On a periodic basis, VA, including the Office of Inspector General, reserves the right to evaluate any or all of the security controls and privacy practices implemented by the contractor under the clauses contained within the contract. With 10 working-days notice, at the request of the government, the contractor must fully cooperate and assist in a government-sponsored security controls assessment at each location wherein VA information is processed or stored, or information systems are developed, operated, maintained, or used on behalf of VA, including those initiated by the Office of Inspector General. The government may conduct a security control assessment on shorter notice (to include unannounced assessments) as determined by VA in the event of a security incident or at any other time. H. TRAINING 1. 
All contractor employees and subcontractor employees requiring access to VA information and VA information systems shall complete the following before being granted access to VA information and its systems: a. Sign and acknowledge (either manually or electronically) understanding of and responsibilities for compliance with the Contractor Rules of Behavior, Appendix E relating to access to VA information and information systems. b. Successfully complete the VA Cyber Security Awareness and Rules of Behavior training and annually complete required security training. c. Successfully complete the appropriate VA privacy training and annually complete required privacy training; and d. Successfully complete any additional cyber security or privacy training, as required for VA personnel with equivalent information system access [to be defined by the VA program official and provided to the contracting officer for inclusion in the solicitation document e.g., any role-based information security training required in accordance with NIST Special Publication 800-16, Information Technology Security Training Requirements.] (1) The contractor shall provide to the contracting officer and/or the COR a copy of the training certificates and certification of signing the Contractor Rules of Behavior for each applicable employee within 1 week of the initiation of the contract and annually thereafter, as required. (2) Failure to complete the mandatory annual training and sign the Rules of Behavior annually, within the timeframe required, is grounds for suspension or termination of all physical or electronic access privileges and removal from work on the contract until such time as the training and documents are complete.