BACKGROUND - Veterans Affairs



TRANSFORMATION TWENTY-ONE TOTAL TECHNOLOGY NEXT GENERATION (T4NG)PERFORMANCE WORK STATEMENT (PWS)DEPARTMENT OF VETERANS AFFAIRSOffice of Information & TechnologyEnterprise Data Management OfficeEnterprise Data Management Support ServicesDate: 05/15/2017TAC- 17-44274Task Order PWS Version Number: 2.0DRAFTContents TOC \o "1-4" \h \z \u 1.0BACKGROUND PAGEREF _Toc481589991 \h 42.0APPLICABLE DOCUMENTS PAGEREF _Toc481589992 \h 53.0SCOPE OF WORK PAGEREF _Toc481589993 \h 53.1APPLICABILITY PAGEREF _Toc481589994 \h 53.2ORDER TYPE PAGEREF _Toc481589995 \h 54.0PERFORMANCE DETAILS PAGEREF _Toc481589996 \h 64.1PERFORMANCE PERIOD PAGEREF _Toc481589997 \h 64.2PLACE OF PERFORMANCE PAGEREF _Toc481589998 \h 64.3TRAVEL OR SPECIAL REQUIREMENTS PAGEREF _Toc481589999 \h 64.4CONTRACT MANAGEMENT PAGEREF _Toc481590000 \h 74.5GOVERNMENT FURNISHED PROPERTY PAGEREF _Toc481590001 \h 74.6SECURITY AND PRIVACY PAGEREF _Toc481590002 \h 84.6.1POSITION/TASK RISK DESIGNATION LEVEL(S) PAGEREF _Toc481590003 \h 85.0SPECIFIC TASKS AND DELIVERABLES PAGEREF _Toc481590004 \h 95.1PROJECT MANAGEMENT PAGEREF _Toc481590005 \h 95.1.1CONTRACTOR PROJECT MANAGEMENT PLAN PAGEREF _Toc481590006 \h 105.1.2REPORTING REQUIREMENTS PAGEREF _Toc481590007 \h 105.1.3PRIVACY & HIPAA TRAINING PAGEREF _Toc481590008 \h 115.1.4TECHNICAL KICKOFF MEETING PAGEREF _Toc481590009 \h 115.1.5ONBOARDING PAGEREF _Toc481590010 \h 125.1.6SCHEDULE MANAGEMENT PAGEREF _Toc481590011 \h 125.1.7RISK MANAGEMENT PAGEREF _Toc481590012 \h 135.1.8CONFIGURATION MANAGEMENT PAGEREF _Toc481590013 \h 135.2ENTERPRISE DATA MANAGEMENT STRATEGY AND DATA ARCHITECTURE PAGEREF _Toc481590014 \h 145.3DATA PROCESSING SERVICES PAGEREF _Toc481590015 \h 145.3.1AGILE METHODOLOGY PAGEREF _Toc481590016 \h 155.3.2AGILE REQUIREMENTS ELICITATION PAGEREF _Toc481590017 \h 155.3.3COMMON UPDATE FRAMEWORK (CUF) BASE PERIOD DEVELOPMENT PAGEREF _Toc481590018 \h 165.3.4SPRINT EXECUTION PAGEREF _Toc481590019 \h 175.3.5SECURITY PAGEREF _Toc481590020 \h 185.4CUF OPERATION AND MAINTENANCE PAGEREF _Toc481590021 \h 195.5OPTIONAL TASKS PAGEREF _Toc481590022 \h 205.5.1CUF SOLUTION DEVELOPMENT (OPTIONAL TASKS A1-A5) PAGEREF _Toc481590023 \h 206.0GENERAL REQUIREMENTS PAGEREF _Toc481590024 \h 216.1PERFORMANCE METRICS PAGEREF _Toc481590025 \h 216.2SECTION 508 – ELECTRONIC AND INFORMATION TECHNOLOGY (EIT) STANDARDS PAGEREF _Toc481590026 \h 226.2.1EQUIVALENT FACILITATION PAGEREF _Toc481590027 \h 236.2.2COMPATIBILITY WITH ASSISTIVE TECHNOLOGY PAGEREF _Toc481590028 \h 236.2.3ACCEPTANCE AND ACCEPTANCE TESTING PAGEREF _Toc481590029 \h 236.3SHIPMENT OF HARDWARE OR EQUIPMENT PAGEREF _Toc481590030 \h 236.4ORGANIZATIONAL CONFLICT OF INTEREST PAGEREF _Toc481590031 \h 24APPENDIX A PAGEREF _Toc481590032 \h 25BACKGROUNDThe mission of the Department of Veterans Affairs (VA), Office of Information & Technology (OI&T), Enterprise Data Management Office (EDMO) is to provide benefits and services to Veterans of the United States.? In meeting these goals, OI&T strives to provide high quality, effective, and efficient Information Technology (IT) services to those responsible for providing care to the Veterans at the point-of-care as well as throughout all the points of the Veterans’ health care in an effective, timely and compassionate manner.? VA depends on Information Management/Information Technology (IM/IT) systems to meet mission goals.The EDMO develops the strategy, guidance, implementation, and governance for the VA “to-be” technology environment. To support the VA’s overall mission and strategy to meet merging business needs to better serve Veterans, the EDMO creates and implements a more effective and efficient enterprise data management environment to meet business needs while maintaining a consistent approach to the system and software development lifecycles (SDLC). The EDMO provides tactical and strategic direction in the areas of information management; business intelligence analytics and analytics technologies; data management, mining, and warehousing; and assessment of data quality and consistency across platforms, products, and geographical areas.This task will provide the EDMO with the technical staff expertise to undertake its strategic and technical objects in its four (4) major areas of Enterprise Data Management (EDM) responsibility:Data GovernanceData Messaging utilizing an Enterprise Service Bus (ESB)Offline and Online Transactional Data Processing (OLTP)Offline and Online Analytical Data Processing (OLAP)These responsibilities require working with the EDMO’s business partners, both internal to the VA and external, such as the Department of Defense (DoD) to create enterprise data management systems that are 24/7 mission critical systems that directly affect VA affiliate health and safety.The EDMO mission will be enabled by the foundation established by the Common Update Framework (CUF). The CUF provides the data governance messaging infrastructure for building 3-Tier OLTP and OLAP applications. The Core concept of the CUF is to standardize the sharing of data through Business Information Objects (BIO) which are essentially logical data models represented as a JAVA class. The BIO’s are encoded into a standardize message which the CUF will route, decode, and execute to process data requests. With the long term goal of migrating all internal data interfaces through the CUF, EDMO will be able to enforce VA’s data governance policies and provide more additional layers of security for our customers’ data.This PWS is focused on the effort to develop the initial set of information the EDMO will use to set its strategy for Enterprise Data Management and establish the initial set of capabilities for the office.APPLICABLE DOCUMENTSThe Contractor shall comply with the following documents, in addition to the documents in Paragraph 2.0 in the T4NG Basic Performance Work Statement (PWS), in the performance of this effort:CUF SpecificationLogic Data Model (LDM) Enterprise Contact Information LDM SCOPE OF WORKThe Scope of this PWS is focused on three areas of work:Strategy and Data ArchitectureDevelopment of Transactional Data Processing ServicesDevelopment of Analytical Data Processing ServicesThe Contractor shall follow an Agile Methodology in the completion of these tasks.APPLICABILITYThis Task Order (TO) effort PWS is within the scope of paragraph(s) 4.2 Systems/Software Engineering, 4.2.1 Design and Development, 4.2.2 Architecture Development, 4.2.4 Enterprise Application/Services, 4.2.9 System/Software Integration, 4.2.12 Engineering and Technical Documentation, 4.3 Software Technology Demonstration and Transition, 4.4 Test & Evaluation (T&E), 4.5 Independent Verification and Validation (IV&V), and 4.8 Operations and Maintenance of the T4NG Basic PWS. This Task Order (TO) effort PWS is within the scope of paragraph(s): 4.1.6 Program Management Support, 4.1.7 Product Data, 4.2 Systems/Software Engineering, and 4.9.1 Systems Administration of the T4NG Basic PWS.ORDER TYPEThe effort shall be proposed on a Firm-Fixed-Price (FFP) and Time and Material (T&M) basis.PERFORMANCE DETAILSPERFORMANCE PERIODThe Period of Performance (PoP) shall be one 12-month base period with three (3) 12-month option periods and four (4) optional tasks. The base period tasks will continue to be performed during all option periods that are awarded. PeriodPeriod of PerformancePWS RequirementsBase Period12 months5.1-5.4Option Period 112 months, if exercised5.1-5.4Option Period 212 months, if exercised5.1-5.4Option Period 312 months, if exercised5.1-5.4Optional Tasks A1-A412 months each, if exercised5.5PLACE OF PERFORMANCEEfforts under this TO shall be performed in VA facilities located in Washington, DC and Seaside, CA. Work may be performed at remote locations with prior concurrence from the Contracting Officer’s Representative (COR).TRAVEL OR SPECIAL REQUIREMENTSThe Government anticipates travel to perform the tasks associated with the effort, as well as to attend program-related meetings or conferences throughout the PoP.? Include all estimated travel costs in your firm-fixed price line items. These costs will not be directly reimbursed by the Government.The total estimated number of trips in support of the program related meetings for this effort is shown in the following table:TravelDuration in DaysDestinationNumber of TripsNumber of PersonnelBase Period5Washington, DC445Seaside, CA24Option Period 15Washington, DC445Seaside, CA24Option Period 25Washington, DC445Seaside, CA24Option Period 35Washington, DC445Seaside, CA24CONTRACT MANAGEMENTAll requirements of Sections 7.0 and 8.0 of the T4NG Basic PWS apply to this effort. This TO shall be addressed in the Contractor’s Progress, Status and Management Report as set forth in the T4NG Basic ERNMENT FURNISHED PROPERTYGovernment Furnished Equipment (GFE) will be provided for personnel that require the Government laptops to have network domain access. However, the Government laptops shall only be utilized by technical staff including developers and testers, and requires Contracting Officer Representative (COR) pre-approval. No equipment shall be transferred into the Contractor’s control. VA may provide VA-specific software as appropriate. The Contractor shall utilize VA-provided software development and test accounts, document and requirements repositories, and others, as required for the development, storage, maintenance, and delivery of products. The Contractor shall be provided access to Government Equipment such as servers, networks, and information. The Contractor shall comply with VA information security and privacy policies and procedures as described in Section 6.0 of the Basic PWS.Contractors working at the Contractor’s facility shall utilize VA approved software to access the VA network remotely. The Government has determined that remote access solutions involving Citrix Access Gateway (CAG) have proven to be an unsatisfactory access method to complete the tasks on this specific TO. The Government also understands that GFE is limited to Contractors requiring direct access to the network to: access development environments; install, configure and run TRM-approved software and tools (e.g., Oracle, Fortify, Eclipse, SoapUI, WebLogic, LoadRunner, etc.); upload/download/ manipulate code, run scripts, apply patches, etc.; configure and change system settings; check logs, troubleshoot/debug, and test/QA.Based on the Government assessment of remote access solutions and the requirements of this TO, the Government estimates that the following GFE will be required by this TO:10 of standard laptops25 of developer-grade laptops The Government will not provide IT accessories including but not limited to Mobile Wi-Fi hotspots/wireless access points, additional or specialized keyboards or mice, laptop bags, extra charging cables, extra PIV readers, peripheral devices, additional RAM, etc. The Contractor is responsible for providing these types of IT accessories in support of the TO as necessary and any VA installation required for these IT accessories shall be coordinated with the COR.SECURITY AND PRIVACYAll requirements in Section 6.0 of the T4NG Basic PWS apply to this effort. Specific TO requirements relating to Addendum B, Section B4.0 paragraphs j and k supersede the corresponding T4NG Basic PWS paragraphs, and are as follows, The vendor shall notify VA within 24 hours of the discovery or disclosure of successful exploits of the vulnerability which can compromise the security of the Systems (including the confidentiality or integrity of its data and operations, or the availability of the system). Such issues shall be remediated as quickly as is practical, based upon the severity of the incident. When the Security Fixes involve installing third party patches (such as Microsoft OS patches or Adobe Acrobat), the vendor will provide written notice to VA that the patch has been validated as not affecting the Systems within 10 working days. When the vendor is responsible for operations or maintenance of the Systems, they shall apply the Security Fixes based upon the requirements identified within the contract.POSITION/TASK RISK DESIGNATION LEVEL(S)Position SensitivityBackground Investigation (in accordance with Department of Veterans Affairs 0710 Handbook, “Personnel Suitability and Security Program,” Appendix A)Low / Tier 1Tier 1 / National Agency Check with Written Inquiries (NACI) A Tier 1/NACI is conducted by OPM and covers a 5-year period. It consists of a review of records contained in the OPM Security Investigations Index (SII) and the DOD Defense Central Investigations Index (DCII), Federal Bureau of Investigation (FBI) name check, FBI fingerprint check, and written inquiries to previous employers and references listed on the application for employment. In VA it is used for Non-sensitive or Low Risk positions.Moderate / Tier 2Tier 2 / Moderate Background Investigation (MBI) A Tier 2/MBI is conducted by OPM and covers a 5-year period. It consists of a review of National Agency Check (NAC) records [OPM Security Investigations Index (SII), DOD Defense Central Investigations Index (DCII), FBI name check, and a FBI fingerprint check], a credit report covering a period of 5 years, written inquiries to previous employers and references listed on the application for employment; an interview with the subject, law enforcement check; and a verification of the educational degree.High / Tier 4 Tier 4 / Background Investigation (BI) A Tier 4/BI is conducted by OPM and covers a 10-year period. It consists of a review of National Agency Check (NAC) records [OPM Security Investigations Index (SII), DOD Defense Central Investigations Index (DCII), FBI name check, and a FBI fingerprint check report], a credit report covering a period of 10 years, written inquiries to previous employers and references listed on the application for employment; an interview with the subject, spouse, neighbors, supervisor, co-workers; court records, law enforcement check, and a verification of the educational degree.The position sensitivity and the level of background investigation commensurate with the required level of access for the following tasks within the PWS are:Position Sensitivity and Background Investigation Requirements by TaskTask NumberTier1 / Low / NACITier 2 / Moderate / MBITier 4 / High / BI5.1 FORMCHECKBOX FORMCHECKBOX FORMCHECKBOX 5.2 FORMCHECKBOX FORMCHECKBOX FORMCHECKBOX 5.3 FORMCHECKBOX FORMCHECKBOX FORMCHECKBOX 5.4 FORMCHECKBOX FORMCHECKBOX FORMCHECKBOX 5.5 FORMCHECKBOX FORMCHECKBOX FORMCHECKBOX The Tasks identified above and the resulting Position Sensitivity and Background Investigation requirements identify, in effect, the Background Investigation requirements for Contractor individuals, based upon the tasks the particular Contractor individual will be working. The submitted Contractor Staff Roster must indicate the required Background Investigation Level for each Contractor individual based upon the tasks the Contractor individual will be working, in accordance with their submitted proposal.SPECIFIC TASKS AND DELIVERABLESThe Contractor shall perform the following:PROJECT MANAGEMENTCONTRACTOR PROJECT MANAGEMENT PLANThe Contractor shall deliver a Contractor Project Management Plan (CPMP) that lays out the Contractor’s approach, timeline and tools to be used in execution of this TO effort. ?The CPMP should take the form of both a narrative and graphic format that displays the schedule, milestones, risks and resource support.??The CPMP shall also include how the Contractor shall coordinate and execute planned, routine, and ad hoc data collection reporting requests as identified within the PWS. The initial baseline CPMP shall be concurred upon and updated in accordance with Section B of the TO. The Contractor shall update and maintain the VA Program Manager (PM) approved CPMP throughout the PoP. Deliverable: Contractor Project Management PlanREPORTING REQUIREMENTSThe Contractor shall also deliver Weekly EDMO Status Reports detailing the status of all work efforts. These reports shall provide accurate, timely, and complete project information including the following data elements: Project Name and Contract/TO NameOverview and description of the Contract/TO NameOverall high-level assessment of Contract/TO Name progressAll work in-progress and completed during the reporting periodIdentification of any Contract/TO Name-related issues uncovered during the reporting period and highlight those areas with a high probability of impacting schedule, cost, or performance goals and their likely impact on schedule, cost, or performance goalsExplanations for any unresolved issues, including possible solutions and any actions required of the Government and/or Contractor to resolve or mitigate any identified issue, including a plan and timeframe for resolutionStatus on previously identified issues, actions taken to mitigate the situation and/or progress made in rectifying the situation.Work planned for the subsequent four reporting periods, when applicableCurrent Contract/TO Name schedule overlaid on original Contract/TO Name schedule showing any delays or advancement in scheduleCurrent definition of user requirements / function points overlaid over the original function points and the last reported function points to specifically identify changes in the function points to be delivered since the previous report.Workforce staffing data showing all Contractor personnel performing on the effort during the current reporting period. After the initial labor baseline is provided, each Weekly Status Report shall identify any changes in staffing identifying each person who was added to the contract or removed from the contract. Original schedule of deliverables and the corresponding deliverables made during the current reporting period. Identification of a single, Contractor Onboarding Point of Contact (POC), the names of all personnel engaged on the task, their initial training date for VA Privacy and Information Security training, and their next required training date.Weekly status reports on all Tier 2 and Tier 3 work being performed as part of operations and maintenanceThese reports shall not be the only means of communication between the Contractor, COR, and the VA Program/Project Manager to advise of performance/schedule issues and to develop strategies for addressing the issues. The Contractor shall continuously monitor performance and report any deviation from the CPMP or previous Weekly EPMO Status Report to the COR and VA Program/Project Manager during routine, regular communications. Deliverable:Weekly EPMO Status ReportPRIVACY & HIPAA TRAININGThe Contractor shall submit TMS Training Certificates of completion for VA Privacy and Information Security Awareness, Rules of Behavior, and Health Insurance Portability and Accountability Act (HIPAA) training for each of its personnel. The Contractor shall provide signed copies of the Contractor Rules of Behavior in accordance with Section 9, Training, from Appendix C of the VA Handbook 6500.6, “Contract Security” for each of its presonnel.The Contractor shall submit status of VA Privacy and Information Security Awareness training for all individuals engaged on the task. Deliverables: VA Privacy and Information Security Awareness and Rules of Behavior Training CertificateSigned Contractor Rules of BehaviorVA HIPAA certificate of completionTECHNICAL KICKOFF MEETINGThe Contractor shall hold a technical kickoff meeting within 15 business days after TO award. The Contractor shall present, for review and approval by the Government, the details of the intended approach, work plan, and project schedule for each effort. The Contractor shall specify dates, locations (in-person preferred but can be virtual), agenda (shall be provided to all attendees at least five calendar days prior to the meeting), and meeting minutes (shall be provided to all attendees within three calendar days after the meeting). The Contractor shall invite the Contracting Officer (CO), Contract Specialist (CS), COR, and the VA PM.The Contractor shall deliver the kickoff meeting package 5 (five) days after the kickoff meeting. The package shall include a work planning and delivery approach, milestone schedule, and constraints.Deliverables:Technical Kickoff Meeting AgendaTechnical Kickoff Meeting MinutesONBOARDINGThe Contractor shall manage the onboarding of their staff. Onboarding includes steps to obtain a VA network and email account, complete training, initiate background investigations, and gain physical and logical access, which may include elevated privileges to the necessary development and test environments for the various systems to be enhanced.The Contractor shall track the onboarding status of all Contractor personnel and be responsible for accurate and timely submission of all required VA onboarding paperwork to the COR. The Contractor shall be responsible for tracking the status of all their staff’s onboarding activities and report the status at the staff level during onboarding status meetings. The Contractor shall provide an Onboarding Status Report weekly, for any staff with outstanding onboarding requests for review by the COR, VA PM, and Project Manager.Deliverable:Onboarding Status ReportSCHEDULE MANAGEMENTThe Contractor shall create, maintain, analyze, and report integrated schedules. The schedules shall have a minimum of four levels for their activities. A schedule shall be developed for each build and sprint. The Contractor shall provide schedule updates to Rational on a weekly basis. The Contractor shall also provide input to the Project Integrated Master Schedule (IMS), at a minimum once a week, which the VA maintains.The Contractor shall provide and update a product oriented Work Breakdown Structure (WBS) to track project decomposition and value delivery. The WBS shall be linked to the IMS.Deliverable: MS Project Schedule UpdatesIntegrated Master ScheduleWork Breakdown Structure RISK MANAGEMENTThe Contractor shall conduct risk management of all work performed under this TO and provide input to the product Risk Management registry within Rational maintained by VA. The Contractor shall:Report, monitor, manage, and mitigate risks for each respective product.Enter and update risks in VA’s Risk section in Rational Tool and provide an extract log. Assess the status of its risks on a weekly basis and provide them to VA for inclusion in the larger Risk Management Registry. When new risks occur which could impact the development, testing, and deployment schedule, the Contractor shall notify the COR and VA PM via email within 24 hours. Email subject line shall read “{Project Name} Risk Alert Notification.”Provide the COR and VA PM with a weekly Risk Management Status Report.Deliverable:Weekly Risk Management Status ReportCONFIGURATION MANAGEMENTThe Contractor shall:Identify the standard and unique aspects of configuration management to be performed for each product by establishing a Configuration Management (CM) Plan which meets EPMO CM plan requirements. The Contractor shall reflect all CM required activities and standards in each project-level CM plan while determining the unique aspects of the project which require individualized procedures.Deliver a List of Configuration Items to be placed under configuration and change control, which shall be documented in the Configuration Management Plan. The Contractor shall identify types of configuration items pertaining to each product to be placed under configuration management. Based on EPMO requirements and the unique needs or nature of each project, the Contractor shall determine the components within each project that must be under configuration control. Use designated GitHub repositories as the VA-approved tool and repository for all software source code and electronic artifact configuration and version management. The Contractor shall use the GitHub tool to manage change, activity, issue, action, risk, and other project data as prescribed by industry best practices. Ensure that all project software and non-software artifacts are versioned correctly and follow a build/release promotion versioning approach which identifies all major, minor, and updated changes to the components.Create Project and Product Artifacts baselined and versioned in the designated GitHub repository in order to allow the tool to show active and past histories of the check-ins and check-outs of all software components, data, and software product engineering documents. Maintain all baselines of software, software builds, and electronic artifacts in the repository, labeling updates and versions according to CM procedures.Develop, verify, and submit with all project build deliveries, a Version Description Document and a Product Operations Manual that conforms to EPMO Website standard templates and addresses the manifest of the contents of all software builds created for project releases outside the development environment.Establish and maintain status reporting on change and configuration management activity, and ensure GitHub data records and artifacts are filed and updated daily. Deliverables: Configuration Management PlanVersion Description DocumentProduct Operations ManualENTERPRISE DATA MANAGEMENT STRATEGY AND DATA ARCHITECTUREThe Contractor shall work with member of the EDMO, Data Governance Council (DGC), and other business stakeholders to propose a data management plan, including a comprehensive data architecture, based on the Now (0-6 months), Near (6-18 months), and Future (18 months +) framework to transform the way VA manages data to improve all Veterans’ experiences. To ensure a comprehensive plan, the contractor shall perform a strategic mapping of all data flows throughout the VA, prioritizing efforts based on the inputs from the DGC and Business Stakeholders. The Contractor shall create an inventory of data sources, standards, policy and processes and perform a gap analysis to determine areas that need improvement. Deliverables:EDMO Enterprise Data Management PlanStrategic mapping of all data flows throughout VAInventory and gap analysis of existing data sources, standards, policy, and processes DATA PROCESSING SERVICESThe CUF is the standardized 3-Tier messaging infrastructure through which systems will exchange data. The CUF functionality is based upon the definition of Business Information Objects (BIOs) which specify the business representation of data and its associated rules. This task is to expand and maintain the functionality of the CUF based upon the addition or amendments of BIOs. The functionality may be either transactional, analytical or both. The contractor shall manage the execution of these tasks using the AGILE SCRUM methodology.AGILE METHODOLOGYThe Contractor shall follow the AGILE SCRUM methodology. The contractor shall manage tasks and issues within the designated GitHub Repositories utilizing VA approved tools and processes. Deliverables:Product BacklogsSprint Plan for each team for each productRelease Plan for each ProductVelocity Calculation | Story Point EstimatesRetrospectives for each BuildAGILE REQUIREMENTS ELICITATIONUpon start of contract and before every release cycle for each product, the Contractor shall complete a backlog grooming session of the business user stories, features, and project roadmap with the VA team to properly understand outstanding requirements. These sessions shall include participants from the business customer, Technical Integration (TI), PMO, OIT and system Subject Matter Experts (SME). The Contactor shall provide an agenda and minutes for each requirements gathering session to the COR as well as the participants. The outcome of this session shall be a complete review of, and agreement to, the initial features to assess for build and roadmap planning, including user stories and features added as a result of backlog grooming by decomposing epics into stakeholder needs, business requirements, business rules, requirements visualizations and user story elaborations. Product backlog grooming and prioritization are continued throughout the product life cycle and shall be facilitated by the Contractor. The Contractor shall: Ensure all business and Compliance user stories, features, and products in the development pipeline are included and executed within the overall agile backlog grooming effort. Create and/or elaborate any business and Compliance user stories through stakeholder requirements elicitation sessions not already included or elaborated in the backlog.Populate the backlog during an initial planning session identifying all features that fulfill priority product user stories. The backlog serves as the primary source for all program requirements and user stories, and the team shall prioritize the contents based on the Product Owner and PM priorities.Identify and document risks, functionality/platform gaps, performance/capacity shortfalls, and opportunities for system enhancements for inclusion in the backlog.Facilitate any stakeholder briefings, meetings and/or elicitation sessions.The unit of measurement for the estimated relative complexity of user stories will be the sizes listed in the table in section 5.3.3. In preparation for future builds, participate in requirements reviews with stakeholders, reviewing and accepting completed Epics, Sub-Epics, and User Stories with Business and OIT points of contact. The Contractor shall develop the Features by service and operations defined in the Solution Architecture Package that fulfill and trace to all Epics, Sub-Epics, User Stories, non-functional requirements, Compliance Stories, and other sources of requirements information. Assign to the Features the corresponding priorities and time criticality from the inherited requirements.Review the Compliance and other non-functional Features with EDMO team, obtaining their approval or the approval of the Project Manager.Input and maintain all requirements data on GitHub, the latest VA-approved Agile tool. Ensure all requirements data are under change control The finest grain requirements for BIOs will be captured using java comments to generate JAVA DOCS following the Oracle Java Docs style guide: User Story Backlog for each product/releasePopulated Feature Backlog for each product/releaseUser Stories not already included in the BacklogBacklog Grooming Session Agenda for each product/releaseBacklog Grooming Session Minutes for each product/releaseCOMMON UPDATE FRAMEWORK (CUF) BASE PERIOD DEVELOPMENTTask SizeDescriptionNumberSmall (S)Modification or addition of 1 Business Information Object (BIOs). Only impacts a transactional or analytical process, but not both.1Medium (M)Minor to moderate enhancements, major business rule additions or rewrites, extensive database modifications or the addition of 2-3 new BIOs. Additions or modification can apply to either transactional, analytical processes or both.1Large (L)Major modifications to existing production BIOs or development of new functionality requiring 3-5 new BIOs. Additions or modification can apply to either transactional, analytical processes or both1Extra Large (XL)Significant modifications to the underlying CUF infrastructure (re-platforming, replacing technology cross-cutting components) or development of new functionality requiring 5 or more new BIOs. Additions or modification can apply to either transactional, analytical processes or both. 1SPRINT EXECUTIONAll activity executed in each sprint and backlog will be captured and have status showing all work items, changes, risks, issues, impediments, and retrospectives. All data and artifacts in GitHub shall be fully linked to requirements data and test data. All project artifacts and source code will be under change and configuration management as specified by the COR using Rational. The Contractor shall:Provide a certified Scrum Master to provide the following functions included, but not limited to: facilitate all ceremonies, ensure GitHub is updated daily, enforce scrum framework, track and assist with removing impediments. Develop the features and capabilities as work items in GitHub that were established in the Sprint plete sprint development including disciplined testing (unit, functional, regression) and reviews as a continuous process, to avoid finding issues at the end of sprint development. Initiate and conduct daily scrums (typically 15 minutes) to show the team progress, impediments and daily plans. Update GitHub daily, to include progress on tasks during sprints, blockers and dependencies.Coordinate and support demonstration of the sprint activities with the project team and Users at the end of each sprint. This is termed a Sprint Review and will result in Customer Acceptance of the Sprint. Develop and deliver automated build and automated publishing capabilities to schedule jobs and support continuous integration for every sprint. Automated build tools shall be in compliance with the approved list from the One-VA TRM and code shall be demonstrable and stable enough to be promoted to another environment without issue by evidence of the status of tests and results in GitHub.Develop Source CodeInitiate and facilitate a Sprint Retrospective at the end of the Sprint to capture team performance lessons learned. Deliverable:Source CodeSECURITYTo ensure the Common Update Framework has secured data, has minimized vulnerabilities, and to eliminate data compromise and security attacks, the Contractor shall document all information assurance, data management, and information certification activities and strategies in the System Design Document (SDD) and the Systems Security Plan (SSP).For Information Assurance, the Contractor shall:Comply with Network Security Operating Center (NSOC) guidelines (referenced in the applicable documents section), pass Web Application Security Assessments (WASA), Nessus, and Source Code Review (Fortify) related scans. Support and coordinate as required in the areas of Information Assurance, Data Management, and Information Certification. The Contractor shall support by providing availability of environments to be scanned, provide analysis of any vulnerabilities found, and fix and resolve issues as reported.Ensure that proper data encryption and data security are in place to comply with NSOC VA policy and National Institute of Standards and Technology (NIST) standards referenced in the applicable documents section. This shall include encryption of data and communications across all CUF tiers, including web, application, and database.Adhere to the Federal Information Security Management Act (FISMA) and Health Insurance Portability and Accountability Act (HIPAA) referenced in the applicable documents section of the T4NG Basic PWSEnsure all communications are designed in adherence to ASD guidelines and ETA frameworksEnsure that security of information and data handling and management, across all ES SOA layers, applications, services, and VistA application components, are in adherence to VA security policies Ensure that proper information assurance measures and techniques are in place and documented in the System Security Plan (SSP)Support Privacy Impact Assessment (PIA) and Privacy Threshold Analysis (PTA), including supporting information to be included into Risk Vision for Authority to Operate Accreditation, and data requests from the Information Assurance (IA) and Enterprise Operations (EO) teams.Adhere to protocol and communication exchanges as documented in both the SDD and Interface Control Document (ICD)Adhere to all communication encryption using Secure Socket Layer (SSL) or equivalent information assurance techniques as specified in NIST and VA policy standards listed in applicable documents sectionContractor shall comply with all VA policies and procedures in applicable documents.For Data Management, the Contractor shall:Ensure Veteran data is not compromisedDevelop deployment and installation guides, and ensure proper contingency, backup, and rollback mechanisms are in place for CUFManage all data, including test data and data in lower level environments for the CUF in test instances.The Contractor shall deprecate data and utilize techniques to dispose of data in accordance to VA policy as specified in applicable documents sectionScan data for consistency, duplicates, errors, data mismatch, data types, and other validations to ensure data consistencyFor Information Certification, the Contractor shall:Support NSOC, WASA, Nessus, Secure Code Review, and other related scans to ensure minimal data exposure and minimal data vulnerabilities and deliver a Nessus, Secure Code Review, and WASA Scan Remediation ReportProvide technical support throughout the ATO process, and remediate any findings required for ATO. Adhere to Section 508 requirements established by the Architectural and Transportation Barriers Compliance Board (Access Board). These standards are found in their entirety at: and : Update System Design Document (SDD) Security sectionNessus, Secure Code Review, and WASA Scan Remediation ReportCUF OPERATION AND MAINTENANCEThis task includes sustainment for the existing CUF software and any development done during the period of performance.O&M shall include three (3) major efforts. During the O&M phase, the CUF’s availability and performance in executing the work for which it was designed shall be maintained. The O&M effort includes:Production Operations: Defined as tasks in support of deployment, release, and configuration during sustainment of normal activities and services for the CGS Suite of Systems applications in production. Examples of functions performed by the Contractor shall include Release Management, Configuration Management, and Partner Coordination. Production Support: Defined as help desk and Tier 2 & Tier 3 support. This includes defect intake, which consists of; receiving incidents and requests from end-users, analyzing the incidents and requests, and responding to the end-user with a solution or escalation. The CUF production support tasks include support of the CUF production environment.Production Performance: Defined as tasks in support of capacity planning, optimization, maintenance, and system monitoring.The Contractor shall provide O&M support for all CUF systems and components. OPTIONAL TASKS CUF SOLUTION DEVELOPMENT (OPTIONAL TASKS A1-A5)VA may exercise these optional tasks for development during this task order. Optional Task A shall consist of the following “task size” combinations (S, M, L, XL) based on the sizing structure listed in the table below. For each release, the Contractor shall perform project management activities listed in 5.0 and 5.1 and software development activities listed in Section 5.3. The Contractor shall produce associated deliverables listed in each section and prepare software for release into production environments. Optional Task A may be executed up to maximum quantity of products of the sizes defined below throughout the task order period of performance.Optional TaskTask SizeDescriptionMaximum NumberA1Small (S)Modification or addition of 1 Business Information Object (BIOs). Only impacts a transactional or analytical process, but not both.12A2Medium (M)Minor to moderate enhancements, major business rule additions or rewrites, extensive database modifications or the addition of 2-3 new BIOs. Additions or modification can apply to either transactional, analytical processes or both.6A3Large (L)Major modifications to existing production BIOs or development of new functionality requiring 3-5 new BIOs. Additions or modification can apply to either transactional, analytical processes or both3A4Extra Large (XL)Significant modifications to the underlying CUF infrastructure (re-platforming, replacing technology cross-cutting components) or development of new functionality requiring 5 or more new BIOs. Additions or modification can apply to either transactional, analytical processes or both. 3GENERAL REQUIREMENTSPERFORMANCE METRICSThe table below defines the Performance Standards and Acceptable Levels of Performance associated with this effort.Performance ObjectivePerformance StandardAcceptable Levels of PerformanceTechnical / Quality of Product or ServiceShows understanding of requirementsEfficient and effective in meeting requirements Meets technical needs and mission requirementsProvides quality services/productsSatisfactory or higherProject Milestones and ScheduleQuick response capabilityProducts completed, reviewed, delivered in accordance with the established scheduleNotifies customer in advance of potential problemsSatisfactory or higherCost & StaffingCurrency of expertise and staffing levels appropriatePersonnel possess necessary knowledge, skills and abilities to perform tasksSatisfactory or higherManagementIntegration and coordination of all activities to execute effortSatisfactory or higherThe COR will utilize a Quality Assurance Surveillance Plan (QASP) throughout the life of the TO to ensure that the Contractor is performing the services required by this PWS in an acceptable level of performance. The Government reserves the right to alter or change the QASP at its own discretion. A Performance Based Service Assessment will be used by the COR in accordance with the QASP to assess Contractor performance. SECTION 508 – ELECTRONIC AND INFORMATION TECHNOLOGY (EIT) STANDARDS On August 7, 1998, Section 508 of the Rehabilitation Act of 1973 was amended to require that when Federal departments or agencies develop, procure, maintain, or use Electronic and Information Technology, that they shall ensure it allows Federal employees with disabilities to have access to and use of information and data that is comparable to the access to and use of information and data by other Federal employees. Section 508 required the Architectural and Transportation Barriers Compliance Board (Access Board) to publish standards setting forth a definition of electronic and information technology and the technical and functional criteria for such technology to comply with Section 508. These standards have been developed are published with an effective date of December 21, 2000. Federal departments and agencies shall develop all Electronic and Information Technology requirements to comply with the standards found in 36 CFR 1194.The following Section 508 Requirements supersede Addendum A, Section A3 from the T4NG Basic PWS.The Section 508 standards established by the Architectural and Transportation Barriers Compliance Board (Access Board) are incorporated into, and made part of all VA orders, solicitations and purchase orders developed to procure Electronic and Information Technology (EIT). These standards are found in their entirety at: and . A printed copy of the standards will be supplied upon request.? The Contractor shall comply with the technical standards as marked: FORMCHECKBOX § 1194.21 Software applications and operating systems FORMCHECKBOX § 1194.22 Web-based intranet and internet information and applications FORMCHECKBOX § 1194.41 Information, Documentation, and SupportEQUIVALENT FACILITATIONAlternatively, offerors may propose products and services that provide equivalent facilitation, pursuant to Section 508, subpart A, §1194.5. Such offerors will be considered to have provided equivalent facilitation when the proposed deliverables result in substantially equivalent or greater access to and use of information for those with disabilities. COMPATIBILITY WITH ASSISTIVE TECHNOLOGYThe Section 508 standards do not require the installation of specific accessibility-related software or the attachment of an assistive technology device. Section 508 requires that the EIT be compatible with such software and devices so that EIT can be accessible to and usable by individuals using assistive technology, including but not limited to screen readers, screen magnifiers, and speech recognition software.ACCEPTANCE AND ACCEPTANCE TESTINGDeliverables resulting from this solicitation will be accepted based in part on satisfaction of the identified Section 508 standards’ requirements for accessibility and must include final test results demonstrating Section 508 compliance. Deliverables should meet applicable accessibility requirements and should not adversely affect accessibility features of existing EIT technologies. The Government reserves the right to independently test for Section 508 Compliance before delivery. The Contractor shall be able to demonstrate Section 508 Compliance upon delivery.Automated test tools and manual techniques are used in the VA Section 508 compliance assessment. Additional information concerning tools and resources can be found at Section 508 Compliance Test ResultsSHIPMENT OF HARDWARE OR EQUIPMENTInspection: DestinationAcceptance: DestinationFree on Board (FOB): DestinationShip To and Mark For:PrimaryAlternateName:Name:Address:Address:Voice:Voice:Email:Email:Special Shipping Instructions:Prior to shipping, Contractor shall notify Site POCs, by phone followed by email, of all incoming deliveries including line-by-line details for review of requirements.? Contractor shall not make any changes to the delivery schedule at the request of Site POC.Contractors shall coordinate deliveries with Site POCs before shipment of <hardware> hardware to ensure sites have adequate storage space.All shipments, either single or multiple container deliveries, shall bear the VA IFCAP Purchase Order number on external shipping labels and associated manifests or packing lists.? In the case of multiple container deliveries, a statement readable near the VA IFCAP PO number shall indicate total number of containers for the complete shipment (e.g. “Package 1 of 2”), clearly readable on manifests and external shipping labels.Packing Slips/Labels and Lists shall also include the following:IFCAP PO #: ____________ (e.g., 166-E11234 (the IFCAP PO number is located in block #20 of the SF 1449))Project Description: (e.g. Tier I Lifecycle Refresh)Total number of Containers:? Package ___ of ___.? (e.g., Package 1 of 3)ORGANIZATIONAL CONFLICT OF INTEREST All functions related to Acquisition Support shall be on an advisory basis only. Please be advised that since the awardee of this Task Order will provide systems engineering, technical direction, specifications, work statements, and evaluation services, some restrictions on future activities of the awardee may be required in accordance with FAR 9.5 and the clause entitled, Organizational Conflict of Interest, found in Section H of the T4NG basic contract. The Contractor and its employees, as appropriate, shall be required to sign Non-Disclosure Agreements (Appendix A).APPENDIX ACONTRACTOR NON-DISCLOSURE AGREEMENTThis Agreement refers to Contract/Order _________________ entered into between the Department of Veterans Affairs and _________________________ (Contractor).As an officer of <fill in name of Contractor>, authorized to bind the company, I understand that in connection with our participation in the <fill in program> acquisition under the subject Contract/Order, Contractor’s employees may acquire or have access to procurement sensitive or source selection information relating to any aspect of <fill in program> acquisition. Company <fill in name> hereby agrees that it will obtain Contractor - Employee Personal Financial Interest/Protection of Sensitive Information Agreements from any and all employees who will be tasked to perform work under the subject Contract/Order prior to their assignment to that Contract/Order. The Company shall provide a copy of each signed agreement to the Contracting Officer. Company <fill in name> acknowledges that the Contractor - Employee Personal Financial Interest/Protection of Sensitive Information Agreements require Contractor’s employee(s) to promptly notify Company management in the event that the employee releases any of the information covered by that agreement and/or whether during the course of their participation, the employee, his or her spouse, minor children or any member of the employee’s immediate family/household has/or acquires any holdings or interest whatsoever in any other private organization (e.g., contractors, offerors, their subcontractors, joint venture partners, or team members), identified to the employee during the course of the employee’s participation, which may have an interest in the matter the Company is supporting pursuant to the above stated Contract/Order. The Company agrees to educate its employees in regard to their conflict of interest pany <fill in name> further agrees that it will notify the Contracting Officer within 24 hours, or the next working day, whichever is later, of any employee violation. The notification will identify the business organization or other entity, or individual person, to whom the information in question was divulged and the content of that information. Company <fill in name> agrees, in the event of such notification, that, unless authorized otherwise by the Contracting Officer, it will immediately withdraw that employee from further participation in the acquisition until the Organizational Conflict of Interest issue is resolved.This agreement shall be interpreted under and in conformance with the laws of the United States.________________________________________ ________________________________________Signature and DateCompany_________________________________________ _________________________________________Printed NamePhone NumberCONTRACTOR EMPLOYEEPERSONAL FINANCIAL INTEREST/PROTECTION OF SENSITIVE INFORMATION AGREEMENTThis Agreement refers to Contract/Order _____________________ entered into between the Department of Veterans Affairs and ____________________ (Contractor).As an employee of the aforementioned Contractor, I understand that in connection with my involvement in the support of the above-referenced Contract/Order, I may receive or have access to certain “sensitive information” relating to said Contract/Order, and/or may be called upon to perform services which could have a potential impact on the financial interests of other companies, businesses or corporate entities. I hereby agree that I will not discuss or otherwise disclose (except as may be legally or contractually required) any such “sensitive information” maintained by the Department of Veterans Affairs or by others on behalf of the Department of Veterans Affairs, to any person, including personnel in my own organization, not authorized to receive such information.“Sensitive information” includes: Information provided to the Contractor or the Government that would be competitively useful on current or future related procurements; orIs considered source selection information or bid and proposal information as defined in FAR 2.101, and FAR 3.104-4; orContains (1) information about a Contractor’s pricing, rates, costs, schedule, or contract performance; or (2) the Government’s analysis of that information; orProgram information relating to current or estimated budgets, schedules or other financial information relating to the program office; or(e) Is properly marked as source selection information or any similar markings.Should “sensitive information” be provided to me under this Contract/Order, I agree not to discuss or disclose such information with/to any individual not authorized to receive such information. If there is any uncertainty as to whether the disclosed information comprises “sensitive information”, I will request my employer to request a determination in writing from the Department of Veterans Affairs Contracting Officer as to the need to protect this information from disclosure.I will promptly notify my employer if, during my participation in the subject Contract/Order, I am assigned any duties that could affect the interests of a company, business or corporate entity in which either I, my spouse or minor children, or any member of my immediate family/household has a personal financial interest. “Financial interest” is defined as compensation for employment in the form of wages, salaries, commissions, professional fees, or fees for business referrals, or any financial investments in the business in the form of direct stocks or bond ownership, or partnership interest (excluding non-directed retirement or other mutual fund investments). In the event that, at a later date, I acquire actual knowledge of such an interest or my employer becomes involved in proposing for a solicitation resulting from the work under this Contract/Order, as either an offeror, an advisor to an offeror, or as a Subcontractor to an offeror, I will promptly notify my employer. I understand this may disqualify me from any further involvement with this Contract/Order, as agreed upon between the Department of Veterans Affairs and my company. Among the possible consequences, I understand that violation of any of the above conditions/requirements may result in my immediate disqualification or termination from working on this Contract/Order pending legal and contractual review. I further understand and agree that all Confidential, Proprietary and/or Sensitive Information shall be retained, disseminated, released, and destroyed in accordance with the requirements of law and applicable Federal or Department of Veterans Affairs directives, regulations, instructions, policies and guidance.This Agreement shall be interpreted under and in conformance with the laws of the United States. I agree to the Terms of this Agreement and certify that I have read and understand the above Agreement. I further certify that the statements made herein are true and correct._________________________________________ _________________________________________Signature and DateCompany_________________________________________ _________________________________________Printed NamePhone Number ................
................

In order to avoid copyright disputes, this page is only a partial summary.

Google Online Preview   Download