General Questions - Veterans Affairs



General Questions

What will be the minimum background investigation level that will be required for each contractor employee?
Answer: The answer is provided in the solicitation

Is the Gantt chart included in the 30 page limit for the Technical Proposal?
Answer: No

Does the VA have an example of electronic signature solution for web applications in Cloud infrastructure?
Answer: No

If we are authenticating users against VA active directory is there a query for signature in the VA active directory, or will the vendor need to prompt users to type their password again?
Answer: The contractor shall comply with the enterprise and IT framework in section 6.1 of the PWS.

Will the VA provide ProPath Artifact Templates?
Answer: The Artifacts are available in ProPath

How many active MDS sites (pilot or otherwise) does the VA anticipate the vendor to implement with the base year?
Answer: This is provided in the solicitation

What type of engagement/preparation activities can be performed with the sites prior to receipt of the ATO/TATO?
Answer: This would be determined by the VA ISO

VA will provide 3 sites, but vendor is responsible for obtaining MOU (if I read this correctly).
Answer: There is no question here.

Is the VA agreeing to the MOU for the pilot sites at award time? Will the vendor require an additional MOU to move on to national deployment of the project?
Answer: The Contractor shall provide the security management services and artifacts required to meet compliance with ProPath reporting and data requirements.

Does the VA have a preferred carrier for the circuits that will connect the VA network to the private cloud?
Answer: Network connections to the private cloud are required to be in compliance with the security requirements in this PWS.

PWS Section 5.1.4 PRIVACY TRAINING
The Contractor shall submit status of VA Privacy and Information Security Awareness training for all individuals engaged on the project.
The status reporting shall identify a single Contractor Security point of contact (POC), the names of all personnel engaged on the task, their initial training date for VA Privacy and Information Security training, and their next required training date. This information shall be submitted as part of the BI-Weekly PD Status Report.
Will VA allow the ISO office to act as the single point of contact or should one person in the office be designated?
Answer: A single POC

PWS Section 5.1.5 ONBOARDING SUPPORT
The Contractor shall prepare and submit access requests, including the Talent Management System (TMS) applications, PIV card applications, and Electronic Computer Access Request (ECAR) or electronic Computer Access Request Forms (eCARFs). After receipt of a favorable Special Agreement Check (SAC) determination and COR approval, the Contractor shall create Remedy tickets to request VA user accounts (for e-mail and remote access).
Will VA allow us to submit an application within TMS on behalf of a contractor, with the COR notified, or will there be a specific application form to be used then submitted to the COR?
Answer: Vendor will submit TMS

Specifically, the Contractor shall track and report on the status of project on-boarding of personnel.
Upon COR approval, contact VA's Security Investigations Center (SIC) requesting the SAC and Office of Personnel Management (OPM) background investigation status documentation by e-mail or by telephone.
With this statement, will the COR prefer that we work directly with SIC with them kept in the loop?
Answer: Notify the COR that the form is ready for approval, signature, and submission.

Upon COR approval, request VA network access for the subject using the intranet-based Computer Access Request site that resides inside of the VA network.
Provide all information to complete the on-line version of a Computer Access Request Form (CARF) and upload the required certificates as portable document format (PDF) files: Contractor Rules of Behavior (CROB), Non-Disclosure Agreement (NDA), Training Certificates (Privacy and Information Security Awareness (PISA)/ HIPAA), and the proof of SAC approval (the SAC approval can be an e-mail from the SIC or a report from the SIC). Notify the COR that the form is ready for approval, signature, and submission.
Does this statement mean approval to request access from the COR or to request access directly from the ISO?
Answer: TMS access is not requested via the ISO

Coordinate with the TMS so that all Contractor personnel are listed under the proper sponsor (COR) and that contract start-end dates are accurate in TMS by completing the TMS Profile Request (TMSReq).
Does this statement mean to coordinate with the TMS Administrator?
Answer: The statement requires you to complete the TMS profile request.

PWS Section 5.2.2 RAI/MDS Custom Functionality Requirements
The PWS indicates “approximately 11,000” total users.
How many concurrent users will be on the solution at any given point in time?
Answer: Required to support the users of 137 CLCs

Will all users have network connectivity to one of the VA’s five primary data centers?
Answer: the software will be hosted on a vendor private cloud

Will all VistA instances be located at, or have network connectivity to, one of the VA’s five primary data centers?
Answer: All VistA instances are not located at one of the 5 data centers.

PWS Section 5.2.8
The Contractor shall develop a bi-directional architecture interface design for HL7 messages currently being generated by each CLC’s VistA instance.
Does each CLC have a unique VistA system/environment or does it use that of the main VA facility it’s associated with?
Answer: facilities VistA

PWS Section 5.3.1 Security Management
“At termination of the contract, the Contractor shall provide the underlying infrastructure (private cloud) to VA within 15 business days. The underlying infrastructure shall include the software, any VA data, the queries, the database itself, and the data dictionary.”
Other than the data and the database, will the government require the vendor to submit any other proprietary components upon termination of the contract?
Answer: At termination of the contract any additional terms and conditions would be negotiated.

PWS Section 5.4.6 Data Migration
What Data is expected to be migrated: 12 months of assessments, CAAs, and Care Plans? All of these or a subset? Only assessments?
Answer: Assessments, CAAs.

Does the VA see the need to migrate enterprise Care Plan problems, goals and approaches currently used by the VA solution?
Answer: No

Does the VA see the need to provide an automated way to import local problems, goals and approaches to ease the site implementation of the solution?
Answer: No

Are there migration needs besides the above?
Answer: No

What is contained in the Proof of Data Migration Letter?
Answer: Verification that the migration is complete

PWS Section 5.1.4 PRIVACY TRAINING
The Contractor shall submit status of VA Privacy and Information Security Awareness training for all individuals engaged on the project. The status reporting shall identify a single Contractor Security point of contact (POC), the names of all personnel engaged on the task, their initial training date for VA Privacy and Information Security training, and their next required training date. This information shall be submitted as part of the BI-Weekly PD Status Report.
Will VA allow the ISO office to act as the single point of contact or should one person in the office be designated?
Answer: A single point of contact

PWS Section 5.1.5 ONBOARDING SUPPORT
The Contractor shall prepare and submit access requests, including the Talent Management System (TMS) applications, PIV card applications, and Electronic Computer Access Request (ECAR) or electronic Computer Access Request Forms (eCARFs).
After receipt of a favorable Special Agreement Check (SAC) determination and COR approval, the Contractor shall create Remedy tickets to request VA user accounts (for e-mail and remote access).
Will VA allow us to submit an application within TMS on behalf of a contractor, with the COR notified, or will there be a specific application form to be used then submitted to the COR?
Answer: This is addressed in the PWS

Specifically, the Contractor shall track and report on the status of project on-boarding of personnel.
Upon COR approval, contact VA's Security Investigations Center (SIC) requesting the SAC and Office of Personnel Management (OPM) background investigation status documentation by e-mail or by telephone.
With this statement, will the COR prefer that we work directly with SIC with them kept in the loop?
Answer: This is addressed in the PWS

Upon COR approval, request VA network access for the subject using the intranet-based Computer Access Request site that resides inside of the VA network. Provide all information to complete the on-line version of a Computer Access Request Form (CARF) and upload the required certificates as portable document format (PDF) files: Contractor Rules of Behavior (CROB), Non-Disclosure Agreement (NDA), Training Certificates (Privacy and Information Security Awareness (PISA)/ HIPAA), and the proof of SAC approval (the SAC approval can be an e-mail from the SIC or a report from the SIC).
Notify the COR that the form is ready for approval, signature, and submission.
Does this statement mean approval to request access from the COR or to request access directly from the ISO?
Answer: Notify the COR that the form is ready for approval, signature, and submission.

Coordinate with the TMS so that all Contractor personnel are listed under the proper sponsor (COR) and that contract start-end dates are accurate in TMS by completing the TMS Profile Request (TMSReq).
Does this statement mean to coordinate with the TMS Administrator?
Answer: This is addressed in the PWS

PWS Section 5.2.2
Be capable of exporting RAI/MDS reports into a Microsoft Office document, version 2010 or greater.
Is there a required format (ex. Word, Excel or other Microsoft file)?
Answer: Microsoft office suite

Have an interface specification/service that enables Government access to audit information.
Will the vendor need to provide server access policy audits?
Answer: Yes

PWS Section 5.2.8
The RAI/MDS Modernization software solution shall be in compliance, throughout the contract lifecycle, with VA “Gold Disk” network specifications for hardware, software, and browser requirements in order to operate on the VA network. The Contractor’s proposal shall define all client minimum system requirements, configuration and browser capabilities/features needed to meet those requirements. The solution shall be compatible with the Federal Desktop Core Configuration (FDCC).
Will VA provide a copy of their current Desktop Core Configuration specifications?
Answer: Network information is available on the VOA site

PWS Section 5.3.1
The Contractor shall identify in writing a security engineer who shall be designated as the system steward and system owner “delegate” within 30 days after contract award. The identified individual shall be responsible for obtaining and maintaining the ATO and all tasks (and sub-tasks) described in the SOP as the system steward, “system owner”, or “delegate”.
The Contractor system steward shall ensure that all requirements in the ATO document are completed and updated prior to expiration and also coordinate with VA to meet the security requirements of the expected VA Continuous Monitoring Requirement.
Once the individual referenced above is identified, are there any restrictions with regard to his/her replacement throughout the duration of the contract?
Answer:

PWS Section 5.4.1
The Contractor shall remotely deploy, install, configure, and implement the RAI/MDS Modernization solution to each required VISN, and their associated facilities (CLCs).
Will this cover\allow us local install of Care plans\CNT\Launcher application to workstation?
Answer: No, software will not be installed at the workstation level.

The Contractor shall remotely deploy, install, configure, and implement the RAI/MDS Modernization solution to each required VISN, and their associated facilities (CLCs). These efforts shall include all technical and operational services necessary to support the planning and implementation of an enterprise solution such as site specific requirements/architectures, site integration and set up, through operational check out to post deployment evaluations. Automated software installation tools shall be used. All software installations shall be scripted, automated, and have back-out capabilities.
A successful rollout will require access to VistA system KIDS files. Will VA provide access to the files to the vendor?
Answer: As necessary

How does VA plan to enforce cooperation and support for the installation of the CNT/Care Plans which will need to reside on DocStore/DocTest and be launched from the desktop or via CPRS Toolbar? A .dll file is also required to be installed and registered on each user workstation.
Answer: This will be accomplished as per the projects release management and implementation plan.

PWS Section 5.5.1
Is the Enterprise Testing Services (ETS) the VA provided test environment?
Answer: ETS and EDE guidance is available in ProPath

PWS Sections 5.5.3
IOC testing shall be performed in a limited production (live) environment. The Contractor shall respond to any defects and/or errors that result from the IOC Testing, including but not limited to all Section 508 Compliance issues and Security defects.
Define limited? How many production environments?
Answer: IOC testing guidance is available in Propath

PWS Section 5.5.6
What documentation will the vendor need to submit in order to obtain a Temporary Authority to Operate (TATO) or ATO?
Answer: This guidance is available in the PWS

Will each of the VA test sites have designated resources to participate in testing? Or will the vendor need to provide all of the resources to assist with onsite testing?
Answer: Yes

The Contractor shall propose a pilot solution software release to verify compliance with the requirements identified in this PWS. The pilot shall be completed and accepted by VA prior to the completion of the base year. The Contractor shall develop and provide to the Government for approval the Operational Acceptance Plan (OAP). Upon receipt of an ATO or TATO and successful IOC testing, the Contractor shall perform a small scale proof-of-concept evaluation by deploying RAI/MDS to three CLCs using one of each of the three categories of operating environments: medium, large, and integrated sites. Sites will be identified at time of award.
Will the vendor need to install and test with the “limited” IOC site first then upon receipt of approval we move on to the three CLCs?
Answer: Yes

How long will it take to get approval at the IOC site?
Answer: This will be determined by the project schedule.

For the 8 weeks of UAT, is that 8 weeks for each site or a combination totaling 8 weeks. Does the 8 weeks start with actually Test Execution?
Answer: combination

PWS Section 5.6.2
Upon successful development, configuration, and verification of the RAI/MDS Modernization software solution, the Contractor shall roll out the solution to the remaining 134 VA CLC locations within the first 6 months of Option Period One. Full deployment and implementation is satisfied by the Contractor when the solution is installed, configured, tested, and operational at all locations and the software has an active ATO.
It appears that the balance of the national rollout will not take place until Option Period One. With the cloud based solution being a necessity for the product, will this task already have been accomplished for the IOC and 3 beta sites?
Answer: This is answered in the solicitation

PWS Section 5.7
Does services and associated products refer to ALL services and products proposed by the vendor for this contract? Does it also include government furnished software and tools?
Answer: No

Are there any specific training tools the VA is requiring the contractor to use when delivering the virtual training?
Answer: Training should be conducted in accordance with the PWS

After the base period, will the contractor continue to provide training at the remaining 134 CLCs for the national rollout, or will VA users who attended “Train the Trainer” train other facilities?
Answer: Training should be conducted in accordance with PWS

How many attendees will be trained at each site for T3? Will Train the Trainer be done by site or by VISN? - What is the total number of trainees to be trained all together?
Answer: To be proposed by vendor

Who is being trained for the national roll out?
Answer: To be proposed by vendor

Is Train the Trainer going to be done virtually (webex) by a DSS live Trainer or is it expected that folks are going to be utilizing electronic training?

The Contractor shall provide training and knowledge transfer to technicians and other staff with regard to services and associated products delivered under any functional areas described within this PWS.
Please define and provide titles for “other staff”
Answer: Staff required to provide services and associated products delivered under any functional areas described within this PWS.

Please define the type of training expected? Will the above referenced training be virtual only?
Answer: Training should be conducted in accordance with PWS section 5.7

Does services and associated products refer to ALL services and products proposed by the vendor for this contract? Does it also include government furnished software and tools?
Answer: The Contractor shall conduct virtual “Train the Trainer” training for personnel to ensure proper operation, maintenance, and testing of systems, applications, and products.

This indicates a Train the Trainer approach however also indicated is virtual training (video teleconferencing and CBT) – what will be the difference between the Train the Trainer Training and the virtual training?
Answer: Train the trainer training will be virtual

PWS Section 5.8
How does the VHA define the rest Tiers of Support in the context of this Project and how do those tiers relate to the infrastructure owned and controlled by VA entities?
Answer: Tier support based on the industry standard.

What is considered routine maintenance support that will be 24/7 365 phone helpdesk support?
Answer: This is defined in the PWS

PWS Section 6.6
Will there be an allotment for GFE’s (Government Furnished Equipment)?
Answer: No

PWS Section 5.10 System Management and Maintenance
Are there any specific training tools the VA is requiring the contractor to use when delivering the virtual training?
Answer: Training should be conducted in accordance with PWS

After the base period, will the contractor continue to provide training at the remaining 134 CLCs for the national rollout, or will VA users who attended “Train the Trainer” train other facilities?
Answer: Training should be conducted in accordance with PWS

PWS Section 5.11 Operations and Maintenance
What is considered off peak hours for system maintenance if the system is to be up 24/7 365?
Answer: 10:00pm to 5:00AM ET are off peak hours

Is system maintenance expected to be scheduled on weekends or after hours?
Answer: Yes

BRD Section 4, page 2
The solution shall provide encrypted bi-directional Health Level-7 (HL7) communication between the system and VistA using Enterprise Messaging Infrastructure (eMI) as the messaging interface and develop an interface from the eMI to VistA imaging Import Application Programming Interface (Import API).
What specifically does the VA expect for bidirectional HL7 messaging? and VistA imaging via API?
Answer: This should be proposed as part of the offer’s technical approach.

The solution shall provide encrypted bi-directional Health Level-7 (HL7) communication between the system and VistA using Enterprise Messaging Infrastructure (eMI) as the messaging interface and develop an interface from the eMI to VistA imaging Import Application Programming Interface (Import API).
Please provide clarification as to whether the COTS software must TRANSMIT MDS batches to Austin or only be able to create batches and save them somewhere to allow for user to browse for the batch and send to Austin via some other application?
Answer: both

BRD page 13
“The Contractor shall deploy a secured private cloud solution that would be purpose-built specifically for the RAI/MDS solution.
The dedicated solution shall meet all FISMA HIGH, TIC v2.0, FedRAMP, and VA-specific security controls including VA Handbook 6500 while delivering a physically “air-gapped” solution that does not have shared hardware resources with other agencies or departments. The firewalls, switches, physical host servers, storage, backup resources, and management/monitoring systems shall be completely dedicated to VA for RAI/MDS. The air-gapped solution shall provide for maximum security flexibility with no risk of resource contention.”
Our cloud solution will leverage dedicated single-tenant servers. Resources such as firewalls, switches, storage, backup resources, etc., typically are logically secured and protected. Physical isolation of those resources would add significant cost. Is logical isolation of the non-server resources preferred/acceptable?
Answer: If the externally hosted solution is FedRAMP certified then only logical separation is required. Adherence to TIC Reference Architecture v2.0 is required for all FedRAMP certified solutions.

BRD Section 8.4
The first bullet point states the new application must be in place by September 30, 2015. By this date, does the application have to be in place at the test/pilot site(s)?
Answer: No