Standard - General Services Administration

Performance Work Statement (PWS)
Privacy Program Management and Technical Execution Support

*Note that this sample has been revised from the source document on the Government Point of Entry as necessary to align formatting and applicable FAR procedures.*

PART 1
1.0 GENERAL INFORMATION

1.1 This is a non-personal services contract to provide DHA Privacy Program Management and Technical Execution Support to oversee and monitor various missions of the DHA Privacy and Civil Liberties Office (Privacy Office). The Government shall not exercise any supervision or control over the contract service providers performing the services herein. Such contract service providers shall be accountable solely to the contractor who, in turn is responsible to the Government.

1.2 Description of services/introduction. The contractor shall provide all personnel, equipment, supplies, facilities, transportation, tools, materials, supervision, and other items and non-personal services necessary to perform DHA Privacy Program Management and Technical Execution Support in accordance with the standards in this PWS.

1.3 Background. The Privacy Office oversees the protection of Personally Identifiable Information (PII)/Protected Health Information (PHI) within the Military Health System (MHS) through the development of regulations and policies that comply with current and emerging Federal privacy and Health Insurance Portability Accountability Act (HIPAA), as amended by the Health Information Technology for Clinical Health Act (HITECH).
The Privacy Office supports MHS compliance with Federal privacy and HIPAA security laws and Department of Defense (DoD) regulations and guidelines.

The Privacy Office also provides dedicated assistance to the Director of DHA, the Office of the Assistant Secretary of Defense (OASD) for Health Affairs, or other senior DoD leadership, in all requested matters including but not limited to inquiries from Congress, the Office of Management and Budget (OMB), the Department of Health and Human Services (HHS) and the Department of Veterans Affairs (VA), as well as other Federal agencies and DoD components, on matters related to privacy and HIPAA security.

The Fiscal Year (FY) 2017 National Defense Authorization Act (NDAA), Section 702, directs the DHA to assume responsibility for the administration and management of healthcare delivery at all medical treatment facilities effective 1 October 2018.

For the DHA, the Privacy Office is responsible for the following general mission areas:

- Developing a strategic approach to the operation of Privacy and a Federal Privacy Office, including responding to changes in the organizational environment.
- Conducting key risk management efforts to assess risk and where possible reduce risk, such as through collaboration with Information System personnel regarding the Risk Management Framework (RMF), conducting an annual HIPAA Security Risk Assessment, regular reviews of risks associated with information technology (IT) systems changes, conducting annual Compliance Risk Assessment program activities, and related projects.
- Federal Privacy compliance including the Privacy Act, the E-Government Act, Federal Information Security Management Act (FISMA), and related legislation and guidance, including FISMA reporting System of Record notices, Privacy Impact Assessments (PIAs), Privacy Act Reviews, and response to breaches of PII, and efforts toward ongoing monitoring and compliance.
- HIPAA compliance including compliance with HIPAA Privacy and Security Rules, Department of Defense Manual (DoDM) 6025.18, “Implementation of the HIPAA Privacy Rule in DoD Health Care Programs” and Department of Defense Instruction (DoDI) 8580.02, “Security of Individually Identifiable Health Information in DoD Health Care Programs” and coordinate the resolution of privacy related security issues, training development, and response to HIPAA complaints and HIPAA related breaches, and the annual HIPAA Security Risk Assessment activities.
- Data Sharing Compliance including a process for requesting access to DHA owned or managed data that assures it is only provided in compliance with the Privacy Act and HIPAA.
- Civil Liberties in compliance with the Intelligence Reform and Terrorism Prevention Act of 2004 and related guidance from DOD.
- Emerging Technology efforts including working on the Privacy Overlay, support for Virtual Lifetime Electronic Record and Health Information Exchange (HIE), supporting the Protected Health Information Management Tool (PHIMT) system, assistance with new requirements such as use of mobile technology, new equipment in health care, and other related activities.
- Review changes to Information Technology (IT) investments and systems, analyzing each such investment or system for compliance with privacy related requirements.
- Liaison with the Services including the Health Information Privacy and Security Compliance Committee, which is chaired by the Privacy Office and comprised of membership throughout the Services and other interested stakeholders.
- Development of Training in the Privacy Act, HIPAA, and related areas, including but not limited to major support for two major presentations, the annual Incident Response Team tabletop exercise, and the annual Health Information Privacy and Security multiple day training activity.
- Support the development of related policy and procedural issuances as needed for the above programs.
- Prepare and submit reports required related to the various Privacy Office programs, Section 803 Reports, FISMA reports, responses to data calls, etc.

For the MHS as a whole, the Privacy Office is responsible for the following general mission areas:

- Serving as subject matter expert and developing, supporting, and coordinating responses to HIPAA breaches of information, including making determinations of whether a HIPAA breach has occurred, whether notification is necessary, whether reporting to the Defense Privacy, Civil Liberties, and Transparency Office (DPCLTO) and/or U.S. Department of Health and Human Services (HHS) is required, and overseeing all elements of the response when there is a HIPAA related breach.
- Serving as the coordinator and manager of the HIPAA complaint process, including receiving and evaluating HIPAA complaints, collaborating with Service local investigators, communicating with the complainant and when necessary with HHS, etc.
- Developing Privacy and HIPAA training required by the workforce of the MHS to assure a standard level of knowledge across the MHS of DoD related HIPAA and Privacy requirements. Also, develop separate role based training for HIPAA Privacy Officers and HIPAA Security Officers across the MHS, which will promote more detailed HIPAA knowledge to support proper service in these roles.
- Developing other new trainings as needed such as the training for Institutional Review Boards in HIPAA compliance reviews.
- Support HIPAA compliant policy and procedural development such as provide major support for the development of HIPAA related DoD issuances.
- Serve as a subject matter expert in the area of HIPAA compliance that is a resource for ongoing assistance to others.

The Privacy Office ensures DHA and its subcomponents are compliant with Federal Privacy, which includes the Privacy Act, the E-Government Act of 2002, Civil Liberties provisions of the Intelligence Reform and Terrorism Prevention Act, HIPAA, the Health Information Technology for Economic and Clinical Health Act (HITECH Act), and related DOD regulations and guidance.

The Privacy Office is responsible for implementing and monitoring the use of PIAs for all MHS/DHA IT systems as well as making this information publicly available. As part of the E-Government Act of 2002, PIAs are the vehicle for addressing privacy issues and assuring compliance with applicable laws and regulations governing privacy for the American public.

PIAs provide a means of ensuring that privacy issues in MHS/DHA IT systems that collect, access, use or disseminate beneficiary personal information are appropriately identified, addressed and integrated into the development life cycle of these systems.

1.4 Objectives. The contractor shall provide DHA Privacy Program Management and Technical Execution Support services to oversee and monitor the Privacy Office’s Privacy, HIPAA, Civil Liberties and Data Protection missions in accordance with this PWS.

1.5 Scope. This requirement provides for DHA Privacy Program Management and Technical Execution Support services to manage and maintain various missions of the Privacy Office.
Services include HIPAA Security, Data Protection, Civil Liberties, Risk assessment and Risk management, and Emerging Technology efforts associated with HIPAA whether from systems such as MHS Genesis or other factors such as use of mobile technology or new equipment related to health care, Privacy Overlay, RMF developments, etc. The contractor shall accomplish Program Management, Plans, Policy Development and Procedural Instructions, Policy Effectiveness Measurement, Organizational Transformation Planning, including responding to NDAA requirements, Education, Training (including development of training, assistance with delivery which may include associated graphics and media development), consultation for stakeholders, Communication Planning, and Configuration Management. These services also include providing consultative, analytical, technical, coordination, presentation, and general management analyst services to support the Privacy Office staff. Each core program and key function within the Privacy Office facilitates this mission by:

- Ensuring that DoD Health Affairs (HA) and DHA policies and business practices comply with Federal laws, DoD regulations, and guidelines governing the privacy and HIPAA security of PII/PHI, and developing and revising of DHA privacy-related plans, policies and procedures;
- Managing and evaluating potential risks and threats to the privacy and HIPAA security of MHS health data by performing critical reviews through:
  - Evaluation of privacy and HIPAA security safeguards, including conducting annual HIPAA Security Risks Assessments;
  - Performance of DHA Compliance Risk Assessments; and
  - Establishment of organizational performance metrics to identify and measure potential compliance risks.
- Engaging DHA stakeholders, including employees and Contractors, by developing and delivering education and awareness materials and ongoing workforce Privacy and HIPAA training; and
- Managing programs that are related to the protection of individuals and privacy of information, including data compliance and data sharing compliance, breach response, human research protection and civil liberties.

1.6 Period of Performance (PoP). The period of performance will consist of a twelve (12) month base period, with a 30 days transition-in period inclusive of the base period, and four (4), twelve (12) month option periods. The last option period will include a 30 days transition-out period.

1.6.1 Transition.

1.6.1.1 Transition-In Period. The period between the award date and full performance start date constitutes the Transition-In Period. Transition-In performance is defined as 30 calendar days after contract start. During the Transition-In Period, the contractor shall prepare to meet all contract requirements and ensure incoming personnel are functionally trained and qualified on the full performance start date. The remaining incoming personnel shall be trained and qualified within 30 calendar days. The Government will make all required facilities, equipment, and materials accessible to the contractor during the Transition-In Period. The contractor shall provide the Government with a Transition-In Plan (Deliverable 3) for phasing-in contractor performance.
The Transition-In Plan shall include the following items:

- Coordination with Government representatives;
- Review, evaluation and transition of current support services;
- Transition of historic data to new contractor system;
- Government-approved training and certification process;
- Transfer of hardware warranties and software licenses;
- Transfer of all System/Tool documentation to include, at a minimum: user manuals, system administration manuals, training materials, disaster recovery manual, requirements traceability matrix, configuration control documents and all other documents required to operate, maintain and administer systems and tools;
- Transfer of compiled and uncompiled source code, to include all versions, maintenance updates and patches;
- Orientation phase and program to introduce Government personnel, programs, and users to the contractor's team, tools, methodologies, and business processes;
- Distribution of contractor purchased Government owned assets, including facilities, equipment, furniture, phone lines, computer equipment, etc.;
- Transfer of applicable Government Furnished Property (GFP), Government Furnished Equipment (GFE), and Government Furnished Information (GFI), and GFP/GFE inventory management assistance;
- Applicable DHA briefing and personnel in-processing procedures; and
- Coordinate with the Government to account for Government keys, ID/access cards, and security codes.

1.6.1.2 Transition-Out Period. The period of time 30 calendar days prior to the end of the award date. Transition-Out performance is defined as period of performance where the incumbent contractor will orient the new contractor and/or Government entity to project status, including all standard procedures/processes and functional design capabilities. This 30 day period will run concurrently with the final days of the PoP.
The contractor shall prepare a Transition-Out Plan (Deliverable 4) during the last option period to be approved by the Government no later than (NLT) 120 days before contract PoP expiration. The Transition-Out Plan shall include the following items:

- Coordination with Government representatives;
- Review, evaluation and transition of current support services;
- Transition of historic data to new contractor system;
- Government-approved training and certification process;
- Transfer of hardware warranties and software licenses (if applicable);
- Transfer of all necessary business and/or technical documentation;
- Transfer of compiled and uncompiled source code, to include all versions, maintenance updates and patches (if applicable);
- Orientation phase and program to introduce Government personnel, programs, and users to the contractor's team, tools, methodologies, and business processes;
- Disposition of contractor purchased Government owned assets, including facilities, equipment, furniture, phone lines, computer equipment, etc.;
- Transfer of applicable GFE and GFI, and GFP/GFE inventory management assistance;
- Applicable DHA debriefing and personnel out-processing procedures; and
- Turn-in of all Government keys, ID/access cards, and security codes.

1.7 Administrative specifications.

1.7.1 Place of performance. The work shall be performed at the contractor’s facility location with exception of the administrative staff member listed in 5.10. The contractor shall ensure their key personnel are capable of meeting with Government personnel within 1 hour after notification of a meeting by the COR, preferably in-person, at the Defense Health Headquarters at 7700 Arlington Boulevard, Falls Church, Virginia. If in-person attendance by the contractor is not possible, the contractor may attend meetings and conferences via Video Teleconference (VTC) and Virtual Private Network (VPN) or via phone conferences.

1.7.2 Recognized Federal holidays.
- New Year’s Day
- Labor Day
- Martin Luther King Jr.’s Birthday
- Columbus Day
- President’s Day
- Veteran’s Day
- Memorial Day
- Thanksgiving Day
- Independence Day
- Christmas Day

1.7.3 Hours of operation. The contractor is responsible for conducting business between the hours of 8:00 AM – 5:00 PM ET Monday thru Friday except Federal holidays or when the Government facility is closed due to local or national emergencies, administrative closings, or similar Government directed facility closings. Core work hours are 9:00 AM – 3:00 PM ET. Core hours are identified to ensure meetings, discussions and reviews are conducted with full participation. On occasion, contractor support will be required outside of the normal hours of operation to ensure uninterrupted performance and support.

1.8 Contractor Travel. Arrangements for and costs of all travel, transportation, meals, lodging, and incidentals are the responsibility of the contractor. Travel costs shall be incurred and billed in accordance with FAR Part 31 and Joint Travel Regulations (JTR). Costs for these expenses will be reviewed, certified and approved by the Contracting Officer’s Representative (COR) 30 business days in writing prior to the arrangement of actual travel. All travel and transportation shall utilize commercial sources and carriers provided the method used for the appropriate geographical area results in reasonable charges to the Government. The Government will not pay for business class or first-class travel. Lodging and meals shall be reimbursed in accordance with regulations defined in FAR Part 31 and JTR. Travel cost is estimated Not to Exceed (NTE) $10,000.00.

The Government will allow local travel for conferences and training within the Washington D.C. Metro area.
The Government will not pay local travel for the contractor to travel from their work site to the Government work site.

| Description | From | Destination | # of Days | # of Travelers | # of Trips |
|---|---|---|---|---|---|
| Health Information & Management Systems Society (HIMSS) Global Health Conference | Washington, DC | Orlando, FL | 4 | 2 | 1 |
| Health IT Summit | Washington, DC | Orlando, FL | 3 | 2 | 1 |
| San Antonio, TX | Washington, DC | San Antonio, TX | 2 | 2 | 1 |
| Various Military Treatment Facilities (MTF) Locations | Washington, DC | Various locations within U.S. | 2 | 2 | 4 |

1.9 Other Direct Costs (ODC). ODCs shall be billed on a cost reimbursable basis. Costs are defined as the purchase price of materials or service plus General and Administrative charges (G&A) or material and handling charges (M&H). The contractor is responsible for obtaining written permission from the COR 5 business days in writing before utilizing ODC funding.

All ODCs shall be fully supported in accordance with the Contractor’s Order Level Materials (OLM) CLIN in compliance with all competition requirements of the FAR. All ODCs shall be reported as stated in the Monthly Progress Report (MPR) (Deliverable 2).

The contractor shall be responsible for providing their own personal communication devices and service so ODCs will not be used to fund those items.

1.10 Quality

1.10.1 Quality Control (QC). The contractor shall develop and maintain an effective quality control program to ensure services are performed in accordance with this PWS. The contractor shall develop and implement procedures to identify, prevent, and ensure non-recurrence of defective services. The contractor’s quality control program is the means by which the work complies with stated requirements. The Quality Control Plan (QCP) (Deliverable 1) will initially be submitted with the contractor’s proposal and will be formally delivered 30 days after award. After acceptance of the QCP, the contractor shall receive the Contracting Officer’s (KO) acceptance in writing of any proposed change to his QC system.
The QCP shall document how the contractor will meet and comply with the quality standards established in this PWS. The QCP shall include a self-inspection plan, an internal staffing plan, and an outline of the procedures that the contractor will use to maintain quality, timeliness, responsiveness, and customer satisfaction.

1.10.2 Quality Assurance. The Government will evaluate the contractor’s performance under this contract in accordance with the Quality Assurance Surveillance Plan (QASP, Part 9, Attachment 1). This plan provides a systematic method for the Government to evaluate performance and to ensure that the contractor has performed in accordance with the performance standards. It defines how the performance standards will be applied, the frequency of surveillance, and the minimum acceptable defect rate(s).

1.10.3 General Security Requirements. The contractor shall establish appropriate administrative, technical, and physical safeguards to protect any and all Government data, to ensure the confidentiality, integrity, and availability of government data. As a minimum, this shall include provisions for personnel security, electronic security and physical security as listed in the sections that follow:

1.10.3.1 HIPAA Act of 1996. The contractor shall comply with the HIPAA Act of 1996 (Public Law 104-191) requirements, specifically the administrative simplification provisions of the law and the associated rules and regulations published by the Secretary, HHS and the published DHA implementation directions. It is expected that the contractor shall comply with all HIPAA-related rules and regulations as they are published and as DHA requirements are defined (including identifiers for providers, employers, health plans, and individuals, and standards for claims attachment transactions).

1.11 Contractor Personnel.

1.11.1 Security and Common Access Card (CAC) requirements.
All security and CAC requirements are identified in the attachment found in PWS Attachment 3 DHA CAC Request Process (Version 2.1 January 2018, or more recent when updated) and PWS Attachment 4 Defense Manpower Data Center (DMDC) Trusted Associate Sponsorship System (TASS) Application for CAC. Contractor personnel performing work shall have and maintain the appropriate security and designation required. All work under this contract is unclassified but may be designated as For Official Use Only (FOUO), may contain PII or PHI, and attendance for some meetings may be conducted in classified facilities – a DD254 form is required.

The Automated Data Processing/Information Technology (ADP/IT) levels and position sensitivity designation for positions under this contract is:

- ADP/IT I: Critical sensitive position
- ADP/IT II: Non-critical sensitive position

1.11.2 Cybersecurity Requirements.

1.11.2.1 All work under this contract is unclassified.

1.11.2.2 The Automated Data Processing/Information Technology (ADP/IT) levels and position sensitivity designation for positions under this contract is ADP/IT I - Critical sensitive position.

1.11.2.3 PII/PHI, and Federal information requirements. The contractor shall establish appropriate administrative, technical, and physical safeguards to protect any and all Government data. The contractor shall also ensure the confidentiality, integrity, and availability of Government data in compliance with all applicable laws and regulations, including data breach reporting and response requirements, in accordance with Defense Federal Acquisition Regulation Supplement Subpart (DFARS) 224.1 (Protection of Individual Privacy), which incorporates by reference current version of DoDI 5400.11, “DoD Privacy and Civil Liberties Programs.” The contractor shall also comply with Federal laws relating to freedom of information and records management.
The contractor shall analyze any breach of PII/PHI for which it is responsible under the terms of this contract under both the Privacy Act and HIPAA, if applicable, to determine the appropriate course of action under each requirement, if any.

1.11.2.4 Training.

1.11.2.4.1 Contractor employees performing cybersecurity/cyberspace functions shall comply with the following requirements:

1.11.2.4.1.1 All contractor and associated subcontractor employees working Cybersecurity (Information Assurance (IA))/Cyberspace functions must comply with DoD training requirements in Department of Defense Directive (DoDD) 8140.01, “Cyberspace Workforce Management,” and DoD 8570.01-M, “Information Assurance Workforce Improvement Program.”

1.11.2.4.1.2 Certification. Per DoDD 8140.01, Defense Federal Acquisition Regulation Supplement (DFARS) 252.239-7001, contractor employees supporting Cybersecurity (Information Assurance)/Cyberspace functions shall be appropriately certified upon contract/task order award. The baseline certification as stipulated in DoD 8570.01-M must be completed prior to the beginning of their contract support services. In addition, the contractor shall comply with Computing Environment (CE) certification requirements as specified in the contract. CE certifications shall be obtained within the timelines specified in DoD 8570.01-M.

1.11.2.4.2 Privileged user requirements.
All contractor employees with privileged user status must comply with the requirements of DHA-Administrative Instruction (AI) 081, Employee use of Information Technology.

1.11.2.5 General cybersecurity requirements – Information Systems

1.11.2.5.1 The contractor shall comply with DoDI 8582.01 "Security of Non-DoD Information Systems Processing Unclassified Nonpublic DoD Information" and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Rev 4, “Security and Privacy Controls for Federal Information Systems and Organization” and NIST SP 800-37 Rev 2, “RMF for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy,” as well as emerging DoD Cybersecurity policy designed to address evolving threats and submit requirements contained in Contract Data Requirements List (CDRL) A002.

1.11.2.5.1.1 The contractor shall identify the security controls in accordance with Committee on National Security Systems (CNSS) Instruction No. 1253, “Security Categorization and Control Selection for National Security Systems” as outlined within NIST SP 800-171 Rev 2, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” based on the categorization of confidentiality, availability and integrity of the information type and information technology provided by the government.
1.11.2.5.1.2 The contractor shall implement security controls in accordance with NIST implementation and validation requirements specified in the NIST SP 800-37 Rev 2, “RMF for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy.”

1.11.2.5.1.3 The contractor shall configure the information system in accordance with Defense Information Systems Agency (DISA) Security Requirements Guides (SRGs) and security technical implementation guides (STIGs).

1.11.2.5.1.4 The contractor shall ensure that the information system conforms to the requirements of DoDI 8551.01, “Ports, Protocols, and Services Management (PPSM).”

1.11.2.5.1.5 The contractor shall ensure that the information system shall authenticate all entities as specified in DoDI 8520.03, “Identity Authentication for Information Systems” prior to granting access.

1.11.2.5.1.6 The contractor shall Public Key enable the information system, implementing digital signature and encryption requirements specified in DoDI 8520.02, “Public Key Infrastructure (PKI) and Public Key (PK) Enabling.”

1.11.2.5.1.7 The contractor will be responsible for compliance with the United States Cyber Command issuances and Information Assurance Vulnerability Management (IAVM) issuances by ensuring that the issuances are assessed, implemented and maintained throughout development and sustainment in accordance with specified timelines.

1.11.2.5.1.8 The contractor shall support reciprocity, by providing all NIST security documents directed information to the government.
1.11.2.5.1.9 The contractor shall implement system level protection and detection capabilities that are consistent with their contract for NIST Security requirements that meet DoD and DHA Cybersecurity Architectures.

1.11.2.5.1.10 The contractor shall self-certify that the information system is compliant with the applicable NIST security controls annually by submission of a Security Assessment Report (SAR) and security test plan for compliance of testing IA controls.

1.11.2.5.1.11 The contractor shall comply with the incident management requirements of Chairman of the Joint Chiefs of Staff Manual (CJCSM) 6510.01B, “Cyber Incident Handling Program”.

1.11.2.6 Risk Management Framework (RMF) for DoD IT: Reserved.

1.11.2.7 Commercial Cloud Computing Services: Reserved.

1.12 Key personnel (Contractor): The contractor shall provide a Contract Manager who shall be responsible for the performance of the work. The name of this person and an alternate who shall act for the contractor when the manager is absent shall be designated in writing to the KO. The Contract Manager or alternate shall have full authority to act for the contractor on all contract matters relating to daily operation of this contract. The Contract Manager or alternate shall be available between 8:00 a.m. to 5:00 p.m., Monday thru Friday except Federal holidays or when the Government facility is closed for administrative reasons.

- Program Manager
- Senior Functional HIPAA Security Analyst
- Senior Functional Information Technology Analyst
- Senior Functional HIPAA Analyst
- Senior Functional Communications and Training Analyst
- Senior Functional Federal Privacy Analyst
- Senior Functional Data Analyst

1.13 Reporting.

1.13.1 Enterprise Contractor Manpower Reporting Application (eCMRA) or The contractor shall report ALL contractor labor hours (including subcontractor labor hours) required for performance of services provided under this contract for the DHA via a secure data collection site.
- Register under the "All Other Defense Components" module
- The DHA Unit Identification Code (UIC) is DDAFC
- The NAICS is 541611 and Federal Supply Code (FSC) is R408

*The Office of the Secretary of Defense has issued a Memorandum dated 16 October 2019 which removes the requirement for contractors to report manpower data into the eCMRA system at , beginning 1 Oct 2019. It is anticipated, however, that contractors shall be required to report similar manpower data to beginning sometime within the next year. Currently, there is no reporting requirement or transition plan but the contractor shall propose pricing that reflects the understanding that manpower data reporting shall be required for the performance of this contract.*

1.13.2 Non-Disclosure Agreement (NDA, Part 9, Attachment 2) (Deliverable 12). All DHA contractor personnel who will obtain access to proprietary, classified, or confidential information or any information release of which is protected or governed by law or regulation associated with DHA acquisitions shall be required to complete and sign a DHA contractor NDA prior to beginning ANY work on the subject contract. The contractor shall execute a NDA on behalf of the company and shall ensure that all staff assigned to, including all subcontractors and consultants, or other personnel performing on contract execute a NDA protecting the procurement sensitive information of the Government and the proprietary information of other contractors. The NDA shall be executed not later than first day of employment. Assignment of staff who has not executed this statement or failure to adhere to this statement shall constitute default on the part of the contractor. The contractor shall maintain originally signed NDAs of individual employees and provide copy to the COR.

1.13.3 Contract Kick-Off Meeting/Periodic Progress Meetings. The contractor agrees to attend any post award meetings convened by the KO or the COR.
The KO, COR, and other Government personnel, as appropriate, may meet periodically (but no more than on a quarterly basis) with the contractor to review the contractor's performance. At these meetings the COR will apprise the contractor of how the Government views the contractor's performance and the contractor will apprise the Government of problems, if any, being experienced. Appropriate action shall be taken to resolve outstanding issues. These meetings shall be at no additional cost to the Government.

1.14 Organization Conflict of Interest (OCI). The FAR Part 9.5 prescribes responsibilities, general rules, and procedures for identifying, evaluating, and resolving OCIs, provides examples to assist contracting officers in applying these rules and procedures to individual contracting situations; and implements section 8141 of the 1989 Department of Defense Appropriation Act. The two (2) underlying principles which the FAR seeks to avoid are preventing the existence of conflicting roles that might bias a contractor's judgment and preventing unfair competitive advantage. An unfair competitive advantage exists where a contractor competing for award of any Federal contract possesses --

(1) Proprietary information that was obtained from a Government official without proper authorization; or

(2) Source selection information (as defined in FAR 2.101) that is relevant to the contract but is not available to all competitors, and such information would assist that contractor in obtaining the contract.

The following subsections prescribe certain limitations on contracting as the means of avoiding, neutralizing or mitigating organizational conflicts of interest. It is the contractor’s responsibility to notify the Contracting Officer of any potential OCI. In the event that an OCI exists the contractor shall propose a Mitigation Plan that shall be reviewed and accepted by the Contracting Officer prior to continuance of the work that presents an OCI.
Should the proposed Mitigation Plan not be accepted by the Contracting Officer, the Government may terminate this contract, disqualify the contractor from subsequent related contractual efforts, and pursue any remedies as may be permitted by the law or this contract. Contractors shall sign a NDA at the start of their performance on the contract.

If, under this contract, the contractor will provide systems engineering and technical direction for a system, but does not have overall contractual responsibility for its development, integration, assembly, checkout or production, the contractor shall not be awarded a subsequent contract to supply the system or any of its major components, or to act as consultant to a supplier of any system, subsystem, or major component utilized for or in connection with any item or other matter that is (directly or indirectly) the subject of the systems engineering and technical direction. The term of this prohibition shall endure for the entire period of this contract and for two (2) years thereafter.

If, under this contract, the contractor will prepare and furnish complete specifications covering non-developmental items, to be used in a competitive acquisition, the contractor shall not be permitted to furnish these items, either as a prime or subcontractor. The term of this prohibition shall endure for the entire period of this contract performance and for either two (2) years thereafter or the duration of the initial production contract whichever is longer. This rule shall not apply to contractors who furnish specifications or data at Government request or to situations in which contractors act as Government representatives to help Government agencies prepare, refine or coordinate specifications, provided this assistance is supervised and controlled by Government representatives.
If, under this contract, the contractor will prepare or assist in preparing a work statement to be used in competitively acquiring a system or services, the contractor shall not supply the system, its major components, or the service unless the contractor is the sole source, the contractor has participated in the development and design work, or more than one contractor has been involved in preparing the work statement. The term of this prohibition shall endure for the length of this contract.

If, under this contract, the contractor will provide technical evaluation of products or advisory and assistance services, the contractor shall not provide such services if the services relate to the contractor's own or a competitor's products or services unless proper safeguards are established to ensure objectivity.

If, under this contract, the contractor gains access to proprietary or source selection information of other companies in performing advisory assistance services for the Government, the contractor agrees to protect this information from unauthorized use or disclosure and to refrain from using the information for any purpose other than that for which it was furnished. A separate agreement shall be entered into between the contractor and the company whose proprietary information is the subject of this restriction. A copy of this agreement shall be provided to the Contracting Officer.

The Contracting Officer has significant discretion as to the acceptability of any mitigation plan offered. Offerors are encouraged to present their best strategy for mitigation of any potential OCI under this requirement.
Offerors shall submit a mitigation plan at the Contract level and update it as often as necessary throughout the life of the Contract.

The Contracting Officer (and when applicable the appropriate program office, acquisition manager, and legal counsel) will review the comparative analysis and, if provided, the Avoidance or Mitigation Plan, in accordance with the requirements of FAR Subpart 9.5 (Organizational Conflict of Interest) to determine whether award to that Offeror would be consistent with those requirements. If it is unilaterally determined by the Contracting Officer that no OCI would arise or that the OCI Avoidance or Mitigation Plan adequately protects the interests of the Government in the event of award to that Offeror, the Offeror will be determined, for purposes of this clause, to be eligible for award. If the Contracting Officer reasonably determines that a contractor has not provided either a comparative analysis or avoidance/mitigation plan, or both, or that the analyses or plan provided is inadequate, sanctions including elimination from the award process, or termination of the related contract effort already awarded, as well as other appropriate sanctions will be considered.

If the contractor knows of no OCI in accepting work under this contract, it shall certify its OCI status and submit the certification at the end of this clause with its proposal and any later award, if awarded the contract. The contractor shall also obtain a similar certification of OCI status from all sub-contractors, teaming partners or consultants prior to tasking any such party under this contract.
The contractor shall appropriately modify and include this clause, including this paragraph, in all consulting agreements and subcontracts of any tier to preserve the rights of the Government.

For breach of any of the above restrictions or for nondisclosure or misrepresentation of any relevant facts required to be disclosed concerning this contract, the Government may terminate this contract, disqualify the contractor from subsequent related contractual efforts, and pursue any remedies as may be permitted by law or this contract.

Prior to a contract modification involving a change to the PWS, or an increase in the level of effort or extension of the term of the contract, the contractor shall submit any applicable organizational conflict of interest disclosure or an update of the previously submitted disclosure or representation.

1.15 Task Management. The contractor shall provide sufficient management to ensure that this task is performed efficiently, accurately, on time, and in compliance with the requirements of this document.

1.15.1 MPR – Deliverable 2
The contractor shall ensure that a MPR (Deliverable 2) is submitted outlining the expenditures, billings, progress, status, and any problems/issues encountered in the performance of this PWS.

The MPR shall include the task completions submittals without labor hours and categories reported.

If subcontractors are used, the contractor shall require all subcontractors to provide input to the MPR where there are critical or significant tasks related to the prime contract. Critical or significant tasks shall be defined by mutual agreement between the Government and contractor.

1.15.2 Contingency Operations Plan – Deliverable 6
The contractor shall prepare and submit a Contingency Operations Plan (Deliverable 6) to the Government to specify planning for the remediation of specific systems, equipment, software, and/or operations in the event of critical impact resulting from natural, accidental, or intentional events.
The Contingency Operations Plan shall document contractor plans and procedures to maintain DHA support during an emergency. The Contingency Operations Plan shall include the following:
A description of the contractor’s emergency management procedures and policy
A description of how the contractor will account for their employees during an emergency
Planned temporary work locations or alternate facilities
How the contractor will communicate with DHA during emergencies
A list of primary and alternate contractor points of contact, each with primary and alternate:
    Telephone numbers
    E-mail addresses
Procedures for protecting GFE/GFP (if any)
Procedures for safeguarding sensitive and/or classified Government information (if applicable)

1.15.3 Operations During Emergency Situations
Individual contingency operation plans shall be activated immediately after determining that an emergency has occurred, shall be operational within twelve (12) hours of activation, and shall be sustainable until the emergency situation is resolved and normal conditions are restored or the contract is terminated, whichever comes first. In case of a life threatening emergency, the COR will immediately make contact with the Contract Manager to ascertain the status of any contractor personnel who were located in Government controlled space affected by the emergency. When any disruption of normal, daily operations occurs, the Contract Manager shall promptly open an effective means of communication with the COR and verify:
Key points of contact (Government and contractor);
Temporary work locations (alternate office spaces, telework, virtual offices, etc.);
Means of communication available under the circumstances (e.g. email, webmail, telephone, FAX, courier, etc.); and
Essential work products expected to continue production by priority.

The Contract Manager, in coordination with the COR, shall make use of the resources and tools available to continue DHA contracted functions to the maximum extent possible under emergency circumstances. The contractor shall obtain approval from the COR and Contracting Officer prior to incurring costs over and above those allowed for under the terms of this contract. Regardless of contract type, and of work location, contractors performing work in support of authorized tasks within the scope of their contract shall charge those hours accurately in accordance with the terms of this contract.

1.15.4 Program Management Plan (Deliverable 5)
The contractor shall develop a Program Management Plan (Deliverable 5) that shall require Government approval. It will be used to manage, track and evaluate the contractor's performance. The Program Management Plan shall consist of control policies and procedures in accordance with standard industry practices for project administration, execution and tracking.

PART 2
2.0 DEFINITIONS, ACRONYMS, AND APPLICABLE PUBLICATIONS

2.1 Definitions.

2.1.1 Contracting Officer (KO). The sole Government agent with the authority to enter into, administer, and/or terminate contracts and obligate the Government and expend Government funding.

2.1.2 Contracting Officer’s Representative (COR). An individual, including a Contracting Officer’s Technical Representative (COTR), designated and authorized in writing by the contracting officer to perform specific technical or administrative functions. This individual does NOT have authority to change the terms and conditions of the contract or authorize work outside the scope of the contract.

2.1.3 Non-personal services contract.
A contract under which the personnel rendering the services are not subject, either by the contract’s terms or by the manner of its administration, to the supervision and control usually prevailing in relationships between the Government and its employees.

2.1.4 QASP. An organized written document specifying the surveillance methodology to be used for surveillance of contractor performance.

2.2 Applicable Publications (Current Editions): The following documents provide specifications, standards, or guidelines that shall be complied with in order to meet the requirements of this PWS. The contractor is responsible for obtaining and reviewing the most current versions of the documents listed below:
DHA – Interim Procedures Memorandum (DHA-IPM) 18-009, MHS Enterprise Architecture, 19 September 2018
Standards for Privacy of Individually Identifiable Health Information (45 CFR Parts 160 and 164), December 28, 2000, with modification to the Privacy Rule, August 14, 2002
Standards for the Security of Electronic Protected Health Information (45 CFR Parts 160, 162, and 164), February 20, 2003
Standards for Electronic Transactions (45 CFR Parts 160 and 162), August 17, 2000 with modifications, February 20, 2003
Standard Unique Health Identifier for Health Care Providers (45 CFR Part 162), January 23, 2004
DoDI 6025.18, HIPAA Privacy Rule Compliance in DoD Health Care Programs, 13 March 2019
Freedom of Information Act of 1966, as amended (5 U.S.C. § 552)
Public Law 93-579: Privacy Act of 1974 as amended through January 12, 2018 (5 U. S C 55a – PDF; 5 U. S. C. 552a – HTML)
DoDI 8500.1, Cybersecurity, 7 October 2019
DoDI 5400.11, DoD Privacy and Civil Liberties Programs, 29 January 2019
DoDM 5200.02, Procedures for the DoD Personnel Security Program (PSP), 3 April 2017

PART 3
3.0 GOVERNMENT FURNISHED PROPERTY, EQUIPMENT, AND SERVICES

3.1 Services. Not Applicable.

3.2 Facilities.
For the administrative support identified under 5.10, the Government will provide the necessary workspace for the contractor staff to include desk space, telephones, computers, and other items necessary to maintain an office environment.

3.3 Utilities. Not Applicable.

3.4 Equipment. The contractor shall maintain a detailed inventory accounting system for GFE/GFP. This equipment will include laptops provided by the DHA IT department. The inventory accounting system must specify, as a minimum: product description (make, model), Government tag number, date of receipt, name of recipient, location of receipt, current location, and contract/order number under which the equipment is being used. The contractor shall either: a) attach an update inventory report to each MPR (Deliverable 2), or b) certify that the inventory has been updated and is available for Government review. In either case the contractor’s inventory listing must be available for Government review within one business day of COR request.

3.5 Materials. Not Applicable.

PART 4
4.0 CONTRACTOR FURNISHED ITEMS AND SERVICES

4.1 General. The contractor shall specifically provide facilities, utilities, desk space, high speed internet connection, and access to telephones, printers, scanners and other equipment necessary to maintain an office environment for work performed at the contractor’s off-site facilities as required. The contractor shall furnish all supplies, equipment, facilities and services required to perform work under this contract that are not listed under Section 3 of this PWS.

4.3 Materials. The contractor shall furnish materials, supplies, and equipment necessary to meet the requirements under this PWS.

4.4 Equipment. The contractor shall furnish equipment required to perform work not listed under Part 3 of this PWS for contractors off-site.

4.5 Facilities.
The contractor shall furnish the facilities necessary to perform the tasks under this PWS.

PART 5
5.0 SPECIFIC TASKS

5.1 Specific Tasks.
The contractor shall provide DHA Privacy Program Management and Technical Execution Support to oversee and monitor the Privacy Office’s Privacy, HIPAA, Civil Liberties and Data Protection mission in accordance with this PWS.

The contractor shall have relevant subject matter expertise in the program areas, including Privacy Act compliance, HIPAA compliance, data sharing compliance, federal breach response, and the pliance with these statutes requires experience with the following: creation of System of Records notices, PIAs for systems, data sharing compliance efforts, associated reporting requirements, experience with HIPAA related requirements, such as Data Use Agreements for PHI under HIPAA, experience with complying with DoD and HHS breach requirements, and in addition, with HIPAA breach response requirements, such as analysis under HIPAA, and associated response and reporting requirements, and coordination both internally with DHA offices and externally. In addition, as directed by the Government, the contractor shall analyze Privacy Office issues/problems/questions and be able to communicate clearly to multiple audiences with diverse technical, budgetary, military, business and political background/experience.
5.2 Privacy Office’s Plans and Policy Development.
The contractor shall provide program management support for the following areas in relation to plans and policy development:
Assisting with the development of new policy and procedural documents providing a draft within a timeframe determined by the Government.
Ensuring policies are enforceable, updated to meet the current legal and functional demands, and reflective of industry best practices;
Interacting and collaborating with numerous functional divisions of the MHS to successfully develop Health Information Security and Data Protection policy;
Serving as the Government’s liaison to the internal and external stakeholders, at the Government’s direction. As a part of the liaison function, the contractor shall attend working group meetings and provide detailed feedback and analysis to the Privacy Office;
Advocating (when directed by the Government) the Privacy Office’s position at related meetings. As an outcome of these meetings and direction from the Privacy Office, the contractor shall provide the following additional support:
Reviewing new and existing regulations, policies and directives or draft documents or proposed plans and actions that impact Health Information Security and Data Protection, to include issuances from DoD, DHA, military Services, Office of Management and Budget (OMB) and other Government agencies. This review shall include meetings with DHA stakeholders, completion of gap analyses and development of recommendations for new or revised policies based on identified deficiencies;
Overseeing and monitoring policy interpretations and alignment with implementing activities.
Assist with the development and execution of policies, procedures and other issuances for DHA that pertain to PII and PHI data protection mission and address requirements of provisions of all privacy related federal legislation and DoD regulations;
Developing Methods for Monitoring, Measuring, Assessing and Reporting Effectiveness of Health Information Security and Data Protection Policy and execution; and
Supporting the Privacy Office with functions of the DHA Privacy Board. Support shall include the research and analysis of research-related requests for PHI owned and/or managed by DHA comply with the HIPAA Rules. The contractor shall report all actions completed under this task on a monthly basis under MPR (Deliverable 2).

5.3 Assist in Developing and Performing Organizational Transformation Plans (Deliverable 13).
Information security and data protection responsibilities held by the Privacy Office are dynamic and subject to major changes in the immediate future. To respond to external drivers such as NDAA requirements, OMB guidance, HHS guidance, DoD Certification and Accreditation activities and increased Federal Government HIE initiatives, support for assisting with the development of Organizational Transformation Plans is required.
The contractor shall provide support for these activities and support shall include the following:
Planning support to the Government to facilitate organizational transformation and external integration of information security and data protection requirements;
Assistance with the preparation and updating of documents such as a Privacy Program Plan, writing policies and Procedural Instructions;
Communication efforts with other stakeholders to help establish and clarify optimal solutions in collaborative mission requirements; and
Assessment of the Privacy Office mission and processes in relation to organizational transformation initiatives such as the unified medical command and will develop recommendations for appropriate alignment and adjustments.

5.4 HIE Initiatives.
The contractor shall support the development of the health exchange platforms by providing Privacy Act and HIPAA expertise to safeguard the PII and PHI in such systems while promoting sharing where appropriate under the statutes and in the protection of individuals. Support will include supporting the Privacy Office in regular meetings such as the Data Use & Reciprocal Support Agreement workgroups, the Functional Advisory Committee meetings, the HIE meetings, and similar working group activities and meetings.
Also will include assisting in the preparation of content and in the research and analysis of proposed initiatives, policies and procedures.
Analyzing research of national, regional and Government/private sector partnerships for HIE and provide the subsequent analysis of how Privacy Act and HIPAA data protection requirements affect the projects and integrate those lessons learned into recommendations for the Privacy Office;
Leading efforts to successfully complete the annual Compliance Risk Assessments and the annual HIPAA Security Risk Assessment for the Agency;
Ensuring the Privacy Act and HIPAA Rules requirements are integrated into HIE activities with stakeholders and partners;
Providing support for Office of the National Coordinator (ONC) for Health Information Technology (HIT) (formerly American Health Information Community (AHIC))/Confidentiality, Privacy & Security involvement and participation working group, along with all other HIE related working groups;
Providing support with all requisite reporting such as the FISMA, Section 803, and all other Agency data calls;
Reviewing systems changes across DHA or as required for compliance with HIPAA and Privacy Act requirements;
Supporting various risk assessment and reduction; collaborating with HIT to maximize compliance and streamlining with the Privacy Overlay and RMF processes and providing guidance to HIT for meeting OMB and NIST requirements for privacy protection; and
Assisting with building an effective Health Information Security and Data Protection Policy program for internal and external stakeholders that will be measured against the various policies developed to administer the program.
As a part of this program, the contractor shall:
Develop methods for monitoring, measuring, assessing and reporting on the effectiveness of Health Information Security and Data Protection Policy and safeguards;
Meet with the points of contact for all involved processes and generate all required templates and instructional materials;
Implement plans and monitor any schedule slippage and/or deviation from the plan, providing remedial actions; and
Provide assessment and assistance visits for Health Information Security and Data Protection Policy.

The contractor shall develop an Action Tracking Report (Deliverable 7) and shall update as required by the Government. Report shall provide all current actions, a description, action status, when the action was assigned, who it is assigned to and an estimated date of completion. The report shall also include all closed actions. Contractor shall brief the Privacy Office Director weekly utilizing the report. The contractor shall provide any updates to this task in MPR (Deliverable 2).

5.5 Privacy Reviews within RMF in the Authority to Operate (ATO) Process
The contractor shall monitor compliance and provide guidance to the DHA Chief Information Office (CIO) on Privacy and HIPAA Requirements for the RMF including incorporating Privacy Overlay and OMB requirements for privacy protections in the ATO process. The contractor shall collaborate and provide guidance to HIT in establishing their workflows, procedures and processes that efficiently incorporate privacy controls and privacy risk assessment into the ATO process.
The contractor will support the Privacy Office in meeting Component Senior Official for Privacy responsibilities.

5.6 Education, Training and Communications Program Content Updates (Deliverable 8 and 9)
The contractor shall provide program management support for the following areas in relation to Education, Training and Compliance for the Privacy Office:
Developing an education, training and strategic communications program to a successful Health Information Security and data protection program. The contractor shall develop, plan and implement data protection education, training and communications program for MHS personnel and business associates. The program shall include Learning Management System (LMS) Webinar sessions and MHS training sessions;
Developing a Communications Plan (Deliverable 8) consisting of speaking engagements for Government staff and create appropriate presentations, as well as a communication plan for interaction with DHA workforce that provides awareness and information sharing;
Developing, planning and facilitating simulation models and exercises to support annual Health Information Privacy and Security (HIPS) training, and compliance activities to be used in Table Top exercises on an as needed basis. Table Top exercises are meetings to discuss simulated situations;
Developing training, webinar session content, JKO content, and Privacy Office Health Information Security website content;
Initiating and coordinating the process by which DoD personnel may earn Continuing Medical Education units (CMEs) from professional organizations, and upon completion of training sponsored by the Privacy Office;
The contractor shall assist with development and/or update training content and provide periodic training content updates; Education, Training, and Communications Program Content Updates (Deliverable 9); and
Renew the HIPAA and Privacy Act Training for AHIMA approval for Continuing Education Unit (CEU), through the Approval Renewal Process (3).pdf.

5.7 HIPAA Privacy, Breach and Security Tools
The Privacy Office’s HIPAA Suite of Tools is important in meeting the requirements of the HIPAA Privacy, Breach and Security Rules and Privacy Act requirements. The Privacy Office is responsible for the content of Privacy Act and HIPAA training for the entire MHS workforce. The contractor shall assist JKO with the development, updating, maintenance and related support of the Privacy Act and HIPAA annual course. The Privacy Office is responsible for maintaining PowerPoint (PPT) slides and audio clips that address Privacy Act and HIPAA job-specific training. The contractor shall collaborate with the JKO team as needed to facilitate availability of the course and to meet MHS requirements. Other tools include role based HIPAA Privacy Officer training, role based HIPAA Security Officer training, training under development for Institutional Review Boards (IRBs) reviewing HIPAA compliance, and a self-assessment tool for MTFs to assess their HIPAA Privacy compliance. The contractor shall understand that the Privacy Office must ensure the functionality of these tools remain current with regulatory, Federal and DoD mandates and policies.
As a part of this mission, the contractor shall:
Assist with the Privacy Office’s approval Privacy Act and HIPAA Job Specific Refresher course content and system life cycle modifications;
Adhere to 508 compliance by ensuring the Privacy Act and HIPAA Job Specific Refresher course content files and Metadata Forms, together with test exams and surveys comply with Section 508 amendment to the Rehabilitation Act of 1973 for posting to JKO (Deliverable 10);
Manage the content of and recommend functional system requirement improvements for tools for which the Privacy Office is the functional proponent. These training modules may include JKO LMS, PHIMT, and data protection risk assessment tools;
Facilitate periodic JKO and PHIMT calls;
Examine and review new Health Information Security and Data Protection related technologies and make recommendations;
Maintain a centralized Resource Center for inquiries from DHA/MHS program offices, MTFs, Services, and other DHA components related to compliance tool content; and
Develop learning material, for example, PPT presentations, handouts, and webinars, disseminate this information using the MHS website, onsite training, and update HIPAA Privacy Officer training and HIPAA Security Officer training to be made available to Privacy and Security Officers throughout the MHS.
This training shall contain more in depth content to support effective operations as a HIPAA compliant Privacy or Security Officer according to HIPAA legislation.

5.8 DHA Civil Liberties Program Support
The contractor shall support the DHA Civil Liberties Program as it creates policies for DHA, develops training materials for Civil Liberties, collaborates with DoD Civil Liberties program personnel, assists the DHA Civil Liberties Officer in the adjudication of Civil Liberties complaints received by DHA and MTFs, assists in the fulfillment of Civil Liberties reporting requirements, develops and provides training and awareness of Civil Liberties requirements, collaborates with the DoD level Civil Liberties leadership, assists with Section 803 Civil Liberties reporting requirements and other data calls, and related activities.

5.9 DHA Privacy Program Execution Support
The contractor shall support the DHA Privacy Program. The contractor shall be responsible for conducting analytical reviews (editing and collecting additional information) of PIAs on systems through the life cycle in support in compliance with the E-Government Act of 2002, Section 208, M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002.

The contractor shall support the Breach Response Program to include monitoring the designated breach mailbox on a daily basis tracking and maintaining documentation, drafting correspondence to DHA Leadership and submitting required reports to the Privacy Office and the Secretary of HHS.

The contractor shall support the HIPAA Complaint and Privacy Act Complaint Program including monitoring of designated mailbox, tracking, analyzing, coordinating responses with the MTFs and/or Services where needed, and responding to federal requirements.

The contractor shall support Data Sharing Compliance Program reviews and analysis under the Privacy Act and under HIPAA, coordinate with stakeholders, and perform tracking and processing.
Also assist with the review of Memorandum of Agreements (MOAs) and Memorandum of Understandings (MOUs), and related documents for compliance with Privacy Act and HIPAA.

The contractor shall provide support for System of Records/Systems of Record Notices (SORNs) related tasks, as well as other rulemaking activities related to aspects of these PWS tasks. Also included are reviews of Privacy Act Statements, Privacy Act Advisories, DHA Privacy Act regulations, and related guidance.

The contractor shall provide assistance in responding to requests for privacy and related guidance from leadership, program offices, services, or others on an as needed basis.

The contractor shall maintain communications including monthly newsletter, SharePoint updates, Privacy Office Web updates, communications plans for outreach, training or other efforts, serving as a liaison with the DHA Printing Office and the Services for needed publications such as the Notice of Privacy Practices, and other communications efforts as needed. To include expertise and performance with 508 Compliance of documents.

The contractor shall assist with the development and maintenance of communication tools, Standard Operating Procedures (SOPs), and public outreach materials using best commercial practices and standard software tools. Public Outreach and Communications Materials (Deliverable 11) to include: product brochures, exhibit graphics, posters, story boards, press kits, executive summaries, and briefings. The contractor shall provide basic information in the use of DHA data within DoD, including contractors, and in external organizations. The contractor shall advise internal and external organizations about approved methods and requirements for obtaining approval for their usage of DHA data and the process for the receipt of these data.
The contractor shall review all data requests for appropriateness and policy compliance before staffing requests to the Government.

The contractor shall assist with the development of reports such as the Section 803 Report on Privacy related matters, and assisting with the annual FISMA reports, and other similar reports and data calls as needed.

The contractor shall support training programs and assist in the meeting of reporting requirements, for all of the above.

5.10 Privacy Administrative Support
Provide administrative support to the Chief of the Privacy Office. This support shall include calendar support, reception duties, mailing, supplies, and other tasks as assigned as they pertain to administrative support. This support will be conducted on the Government site during Government business days. Provide mail duties to include receiving, sorting, stamping and shipping correspondence on behalf of the Privacy Office. Also responsible for tracking all correspondence received by the Privacy Office. The contractor shall provide professional facilitation support to work groups/meetings, to include production of meeting minutes, documentation of work group/meetings results and action items, development of briefing and presentation material. Meeting minutes should be furnished upon request by the government. The contractor shall provide an accounting of all meetings supported under the MPR (Deliverable 2).

5.11 Privacy Office Process Improvement
When requested, the contractor shall provide process improvement advice. The contractor shall provide assistance defining the problem; measuring the current situation; analyzing and identifying causes; improving or implementing the solution; and controlling through measurement verification to develop better programs and processes. The contractor shall use commercial best practices for process improvement in supporting this task, with a view toward advancing customer service.
The contractor shall report any activities under this task under the MPR (Deliverable 2).

5.12 Surge Support

According to the FY17 NDAA, Section 702, directive, the Privacy Office will need to have adequate resources to support these activities.

5.12.1 Optional Task 1 - Surge Support

The purpose of this task is to allow for surge capacity as required for all tasks defined under the PWS except 5.2, 5.5 and 5.8 to support any Program Management support for the Privacy Office under this PWS. Deliverables for this support shall be identified by the Government and activities will be reported under the MPR (Deliverable 2).

5.12.2 Optional Task 2 - Surge Support for RMF

The purpose of this task is to allow for surge capacity as required for tasks defined under PWS 5.5 to support the RMF support for the Privacy Office under the PWS. Deliverables for this support shall be identified by the Government and activities will be reported under the MPR (Deliverable 2).

5.12.3 Optional Task 3 – Surge Support Policies and Procedures

The purpose of this task is to allow for surge capacity as required for tasks defined under PWS 5.2 to support developing and performing organizational transformation plans. Deliverables for this support shall be identified by the Government and activities will be reported under the MPR (Deliverable 2).

5.12.4 Optional Task 4 - Surge Support Breach Response

The purpose of this task is to allow for surge capacity as required for tasks defined under PWS 5.8 to support the Agency in the event of a large scale breach.
Deliverables for this support shall be identified by the Government and activities will be reported under the MPR (Deliverable 2).

5.12.5 Optional Task 5 – Surge Support PIA Review

The purpose of this task is to allow for surge capacity as required for tasks defined under PWS 5.8 to support analytical reviews (editing and collecting additional information) of PIAs on systems through the life cycle in compliance with the E-Government Act of 2002, Section 208, M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002. Deliverables for this support shall be identified by the Government and activities will be reported under the MPR (Deliverable 2).

PART 6
6.0 INFORMATION TECHNOLOGY REFERENCES

6.1 Reference Documents (Current Additions): The following documents may be helpful to the contractor in performing the work described in this PWS. The contractor is responsible for obtaining and reviewing the most current versions of the documents listed below:

DoDI 5000.2, “Mandatory procedures for Major Defense Acquisition Programs (MDAP) and Major Automated Information System Acquisition Programs (MAISAPs),” 10 June 2001.
Public Law 106-246: Rehabilitation Act of 1973 as amended (Rehab Act)
Public Law 104-106: Clinger-Cohen Act of 1996, February 10, 1996
Public Law 104-113: National Technology Transfer and Advancement Act of 1995. 104th Congress, March 7, 1996
Federal Information Security Management Act of 2002
DOD Architecture Framework, most current version, Information Grid (GIG) Capstone Requirements Document, 5 JROCM 134-01, August 30, 2001
GIG Architecture Version 2.0, August 2003
CJCSI 5123.01H Charter of the Joint Requirements Oversight Council (JROC) and the Implementation of the Joint Capabilities Integration and Development System, 31 August 2018
DoDD 8115.01, “IT Portfolio Management Implementation,” 30 October 2006
DoD Net-Centric Data Strategy, May 9, 2003
DoDD 7045.14, The Planning, Programming, Budgeting, and Execution (PPBE) Process, 25 January 2013
President’s Management Agenda, OMB Circular A-11, Preparation, Submission, and Execution of the Budget, July 2016
Public Law 108-375: Ronald W. Reagan NDAA for Fiscal Year 2005

PART 7
7.0 PERFORMANCE REQUIREMENTS SUMMARY (PRS)

The contractor service requirements are summarized into performance objectives that relate directly to mission essential items. The performance threshold briefly describes the minimum acceptable levels of service required for each requirement. These thresholds are critical to mission success.

| Performance Objective | Standard | Performance Threshold | Method of Surveillance | Incentive |
|---|---|---|---|---|
| PRS # 1. Provide timely and accurate services and products | All delivered services or products will be within the timelines established by the client, and of the quality directed by the client. Any service or product deficiencies will be communicated to the client and corrective actions taken if so directed. | All milestones completed on time not less than 95% of the time and delivered documents are error free 98% of the time. | Each product or service will include methodology documentation for inspection by Government. | Positive Past Performance Evaluation |
| PRS # 2. Complete training materials and courses | Documentation is completed as indicated within the task list with proposed end dates and completion dates - Training will be delivered in a professional manner to achieve a rating of above satisfactory or higher. | All milestones completed on time not less than 95% of the time and any delivered documents are error free 98% of the time | Government will review materials | Positive Past Performance Evaluation |
| PRS # 3. Communicate status, issues and plans and receive guidance | Meet with clients at least once a week for provision of instructions and reporting of progress and issues. | All milestones completed on time not less than 95% of the time and any delivered documents are error free 98% of the time | Government will attend meetings to evaluate accomplishments | Positive Past Performance Evaluation |
| PRS # 4. Complete a high level summary report that provides accomplishments of goals and objectives using prioritized task list with projected completion and end dates | Task list timetable and priority periodically approved by the client | All milestones completed on time not less than 95% of the time and any delivered documents are error free 98% of the time | Government will review Monthly report | Positive Past Performance Evaluation |

PART 8
8.0 DELIVERABLES SCHEDULE

| Deliverable | Frequency | Medium/Format | Submit To | Applicable to: |
|---|---|---|---|---|
| Deliverable 1 – Quality Control Plan | Draft due with Proposal, Final NLT 30 Days After Contract Award (DACA) | Electronic | COR | PWS 1.10.1 |
| Deliverable 2 – MPR | Monthly, NLT the 15th of each month | Electronic | COR | PWS 1.9, 1.15.1, 3.4, 5.2, 5.4, 5.9, 5.10, 5.11, 5.12.1, 5.12.2, 5.12.3, 5.12.4, 5.12.5 |
| Deliverable 3 – Incoming Transition Plan | Submitted with Proposal | Electronic | IAW RFP Instructions | PWS 1.6.1.1 |
| Deliverable 4 – Transition-Out Plan | 120 days prior to start of Transition Out Period | Electronic | COR | PWS 1.6.1.2 |
| Deliverable 5 – Program Management Plan | Submitted with Proposal | Electronic | IAW RFP Instructions | PWS 1.15.5 |
| Deliverable 6 – Contingency Operations Plan | 5 DACA; updates as requested by Government | Electronic | COR | PWS 1.15.3 |
| Deliverable 7 – Actions Tracking Report | Weekly, Monday | Electronic | COR | PWS 5.4 |
| Deliverable 8 – Communications Plan | Monthly, NLT the 10th of each month | Electronic | COR | PWS 5.6 |
| Deliverable 9 – Education, Training, and Communications Program Content Updates | As Required | Electronic | COR | PWS 5.6 |
| Deliverable 10 – Documents Delivered to JKO Follows Regulatory Compliance for Section 508 of the Rehabilitation Act of 1973 | As Required | Electronic | COR | PWS 5.7 |
| Deliverable 11 – Public Outreach and Communications Materials | As Required | Electronic | COR | PWS 5.9 |
| Deliverable 12 – NDA | Signed statements are due, from each employee assigned, prior to performing ANY work on this award. | Electronic | COR | PWS 1.13.2 |
| Deliverable 13 – Organizational Transformation Plans | As Required | Electronic | COR | PWS 5.3 |

PART 9
9.0 ATTACHMENTS/TECHNICAL EXHIBIT LISTING

9.1 Contractors shall provide the following forms, current edition attached or more recent when updated and provided to the contractor, at the Government's request.

9.1.1 Attachment 1: QASP
9.1.2 Attachment 2: DHA NDA
9.1.3 Attachment 3: DHA CAC Request Process
9.1.4 Attachment 4: DMDC TASS Application for CAC