BACKGROUND - Veterans Affairs



TRANSFORMATION TWENTY-ONE TOTAL TECHNOLOGY NEXT GENERATION (T4NG)
PERFORMANCE WORK STATEMENT (PWS)
DEPARTMENT OF VETERANS AFFAIRS
Office of Information & Technology
Supply Chain Data & Informatics Office (SCDIO)
Supply Chain Healthcare Master Catalog
Date: September 26, 2018
TAC-19-52341
Task Order PWS Version Number: 1.0

1.0 BACKGROUND

The Department of Veterans Affairs (VA), Veterans Health Administration (VHA) supply chain enables clinical care to the Veteran by managing all aspects of the flow of supplies and equipment to the end user from identification of the requirement/need through its fulfillment by provision of materiel. VA’s supply chain includes management of equipment inventories valued at approximately $12B, and supply inventories of about $161M. Throughout the last decade the Veterans Access, Choice, and Accountability Act (VACAA) of 2014 Section 201 (Appendix J), Commission on Care (Recommendation 8), General Accountability Office (GAO 11-391 and 13-336) and others have consistently found VA’s supply chain performance to be inefficient and costly due to many causes including poor quality data, and inadequate processes with many opportunities to improve. This performance results in patient safety issues including recalled product visibility, diversion of clinical resources (including staff), inefficient resource allocation, and an inability to manage strategically due to a lack of standardized data.
VA’s supply chain is also not integrated with other VA data systems/processes, and is supported by multiple discrete/antiquated systems. These challenges lead to incomplete and inadequate finance, inventory, and purchasing analytics. They also lead to an inability to efficiently manage the supply chain from an integrated national perspective as part of an overarching enterprise resource planning system. Within VHA supply chain systems, there is a lack of standardized business rules and numerous workarounds. This has resulted in inconsistent/unreliable transactional data being reported by 140+ healthcare systems to the Corporate Data Warehouse (CDW), which has subsequently become unusable at the national level. Inconsistencies include but are not limited to: incomplete records, duplicate records, discrepancies in stock levels, records missing required fields, incorrect dollar values, conversion factor errors, missing mandatory sources, etc. In addition, there is a lack of data standards across the enterprise, which has made implementing and enforcing a Single Source of Truth (SSoT) difficult. These data errors/issues have drained VA resources resulting in the need for continuous correction and rework.

VHA Supply Chain must track all VA and VHA medical commodity, prosthetic device (to include durable medical equipment), expendable equipment, non-expendable, and non-clinical products on contract in the VA. These products need to be accessed by VHA Supply Chain staff through a single authoritative healthcare master catalog interactive database. Currently there is no overarching catalog that exists for this purpose. Instead, there are multiple contract systems that operate across the VA and VHA that do not share product or sourcing data with each other. Utilizing multiple systems has resulted in the lack of standardization, inconsistent ordering practices, and redundant contracts for identical products.
With the emerging adoption of standards and the recent move by manufacturers to meet U.S. Food and Drug Administration (FDA) requirements, VHA is seeking to take advantage of the growing availability of standardized product data in the supply chain. This project is a critical element in the oversight of product visibility and establishing best practices that can be used across the enterprise. This catalog will enhance commodity total supply support with the integration of major functions/processes in a cohesive, standardized, and high-performing supply and demand management support system.

2.0 APPLICABLE DOCUMENTS

The Contractor shall comply with the following documents, in addition to the documents in Paragraph 2.0 in the T4NG Basic Performance Work Statement (PWS), in the performance of this effort:

National Institute of Standards and Technology (NIST) Special Publication 800-144 – “Guidelines on Security and Privacy in Public Cloud Computing”
NIST Special Publication 800-53 - “Security and Privacy Controls for Federal Information Systems and Organizations.”
NIST Special Publication 800-53A - “Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans”
POA&M Management Guide
Authorization Requirements SOP Guide

3.0 SCOPE OF WORK

The Contractor shall provide all resources necessary to accomplish the tasks and deliverables described within this Performance Work Statement (PWS), except as may be otherwise specified. The Contractor shall build a searchable catalog solution that will contain all VA and VHA medical commodity, prosthetic device (to include durable medical equipment), expendable equipment, non-expendable, and non-clinical products that can be used by all employees. This solution will serve as the Single Source of Truth (SSoT) for all stated items by harmonizing contract information from VA, VHA, and other approved Federal contract offices.
This cloud-based, Contractor built and managed solution shall be fully searchable, with unique identifiers for each item that will be used to standardize, harmonize, and enrich the data at 140+ Veterans Health Information Systems and Technology Architecture (VISTA) sites’ instances of the Item Master File (IMF) in the Integrated Funds Distribution, Control Point Activity, Accounting and Procurement (IFCAP). This solution shall also provide the end user at a medical facility with catalog dashboards. The Contractor shall provide the solution, implementation, training, and maintenance (including help desk support) for this effort. The software solution shall be in compliance with industry standards.

3.1 APPLICABILITY

This Task Order (TO) effort PWS is within the scope of paragraph(s) 4.1.6 Program Management Support, 4.1.8 IT Services Management Support, 4.2.5 Cloud Computing, 4.8 Operations and Maintenance, 4.8.1 Systems/Network Administration, 4.8.7 Service/Help Desk/Call Center Support, 4.8.9 License Maintenance, 4.8.10 Database and Data Warehouse Administration, 4.10 Training of the T4NG Basic PWS.

3.2 ORDER TYPE

The effort shall be proposed on a Firm Fixed Price (FFP) basis.

4.0 PERFORMANCE DETAILS

4.1 PERFORMANCE PERIOD

The PoP shall be a 12-month base period with four (4) 12-month option periods to be exercised at the Government’s discretion.

4.2 HOURS OF WORK

Normal operational hours are from 8:00 AM – 5:00 PM (local time), Monday through Friday, excluding Federal Holidays. Use of overtime is not authorized.

4.3 PLACE OF PERFORMANCE

Efforts under this TO shall be performed at Contractor facilities.
The Contractor shall identify the Contractor’s place of performance in their Task Execution Plan submission.

4.4 TRAVEL OR SPECIAL REQUIREMENTS

The Contractor may be required to travel CONUS during the performance of this effort to attend meetings, conferences, and training. The Contractor may be required to travel to off-site training locations and to ship training aids to these locations in support of this PWS. Costs incurred by contractor personnel on official company business are allowable, subject to the limitations contained in FAR 31.205-46 and the limitation of funds specified in this contract. The Contractor shall submit all requests for reimbursable travel prior to commencing travel or training, to the Contracting Officer’s Representative (COR) for approval. Travel is not authorized until written Government approval (COR or Contracting Officer (CO)) is received.

Travel shall be in accordance with the Federal Travel Regulations (FTR) and requires advanced concurrence by the COR. Contractor travel within the local commuting area will not be reimbursed.

Prior to implementation, the estimated number of trips is six (6). Post implementation, the estimated number of trips is one (1).

Anticipated locations may include the following:

SAO West - Long Beach, California
SAO Central - Murfreesboro, Tennessee
SAO East – Pittsburgh, Pennsylvania
SAC - Fredericksburg, Virginia
TAC – Eatontown, New Jersey
Washington DC

4.5 CONTRACT MANAGEMENT

All requirements of Sections 7.0 and 8.0 of the T4NG Basic PWS apply to this effort.
This TO shall be addressed in the Contractor’s Progress, Status and Management Report as set forth in the T4NG Basic PWS.

4.6 GOVERNMENT FURNISHED PROPERTY

The Contractor will be provided access to all available Government furnished information, facilities, material, equipment, or services as required to accomplish the efforts in the PWS. The Government will provide the contractor with access to the VA Enterprise Cloud (VAEC) to include the credits required for all Infrastructure as a Service (IaaS) cloud development, testing and production environment requirements.

4.7 SECURITY AND PRIVACY

All requirements in Section 6.0 of the T4NG Basic PWS apply to this effort. Specific TO requirements relating to Addendum B, Section B4.0 paragraphs j and k supersede the corresponding T4NG Basic PWS paragraphs, and are as follows:

The Contractor shall notify VA within 24 hours of the discovery or disclosure of successful exploits of the vulnerability which can compromise the security of the Systems (including the confidentiality or integrity of its data and operations, or the availability of the system). Such issues shall be remediated as quickly as is practical, based upon the severity of the incident.

When the Security Fixes involve installing third party patches (such as Microsoft OS patches or Adobe Acrobat), the Contractor shall provide written notice to VA that the patch has been validated as not affecting the Systems within 10 working days.
When the Contractor is responsible for operations or maintenance of the Systems, they shall apply the Security Fixes based upon the requirements identified within the TO.

4.7.1 POSITION/TASK RISK DESIGNATION LEVEL(S)

In accordance with VA Handbook 0710, Personnel Security and Suitability Program, the position sensitivity and the level of background investigation commensurate with the required level of access for the following tasks within the PWS are:

Position Sensitivity and Background Investigation Requirements by Task

Task Number | Tier1 / Low Risk | Tier 2 / Moderate Risk | Tier 4 / High Risk
5.1 | [checkbox] | [checkbox] | [checkbox]
5.2 | [checkbox] | [checkbox] | [checkbox]
5.3 | [checkbox] | [checkbox] | [checkbox]
5.4 | [checkbox] | [checkbox] | [checkbox]
5.5 | [checkbox] | [checkbox] | [checkbox]
5.6 | [checkbox] | [checkbox] | [checkbox]
5.7 | [checkbox] | [checkbox] | [checkbox]
5.8 | [checkbox] | [checkbox] | [checkbox]

The Tasks identified above and the resulting Position Sensitivity and Background Investigation requirements identify, in effect, the Background Investigation requirements for Contractor individuals, based upon the tasks the particular Contractor individual will be working. The submitted Contractor Staff Roster must indicate the required Background Investigation Level for each Contractor individual based upon the tasks the Contractor individual will be working, in accordance with their submitted proposal.

5.0 SCHMC SPECIFIC TASKS AND DELIVERABLES

The Contractor shall build a searchable catalog solution that will contain all VA and VHA medical commodity, prosthetic device (to include durable medical equipment), expendable equipment, non-expendable, and non-clinical products that can be used by all employees. This solution will serve as the Single Source of Truth (SSoT) for all stated items by harmonizing contract information from VA, VHA, and other approved Federal contract offices.
Please see the attached SCHMC Diagram.

The Contractor shall complete the specified tasks and provide the deliverables described below:

5.1 PROJECT MANAGEMENT

5.1.1 CONTRACTOR PROJECT MANAGEMENT PLAN

The Contractor shall deliver a Contractor Project Management Plan (CPMP) that lays out the Contractor’s approach, timeline and tools to be used in execution of this TO effort. The CPMP should take the form of both a narrative and graphic format that displays the schedule, milestones, risks and resource support. The CPMP shall also include how the Contractor shall coordinate and execute planned, routine, and ad hoc data collection reporting requests as identified within the PWS. The initial baseline CPMP shall be concurred upon and updated in accordance with Section B of the TO. The Contractor shall update and maintain the VA Program Manager (PM) approved CPMP throughout the PoP.

Deliverable:
Contractor Project Management Plan (CPMP)

5.1.2 REPORTING REQUIREMENTS

The Contractor shall provide the COR with weekly Progress Reports in electronic form in Microsoft Word, Project, or similar formats. The report shall include detailed instructions/explanations for each required data element, to ensure that data is accurate and consistent. These reports shall reflect data as of the last day of the preceding week.

The Weekly Progress Reports shall cover all work completed during the reporting period and work planned for the subsequent reporting period. The report shall also identify any problems that arose and a description of how the problems were resolved. If problems have not been completely resolved, the Contractor shall provide an explanation including their plan and timeframe for resolving the issue. The report shall also include an itemized list of all Electronic and Information Technology (EIT) deliverables and their current Section 508 conformance status. The Contractor shall monitor performance against the CPMP and report any deviations.
It is expected that the Contractor will keep in communication with VA accordingly so that issues that arise are transparent to both parties to prevent escalation of outstanding issues.

The Weekly Progress Report is designed to identify the effect of any issues on the project timeline and meeting minutes.

Deliverable:
Weekly Progress Reports

5.1.3 TECHNICAL KICKOFF MEETING

The Contractor shall hold a technical kickoff meeting within 10 days after TO award. The Contractor shall present, for review and approval by the Government, the details of the intended approach, work plan, and project schedule for each effort. The Contractor shall specify dates, locations (can be virtual), agenda (shall be provided to all attendees at least five (5) calendar days prior to the meeting), and meeting minutes (shall be provided to all attendees within three (3) calendar days after the meeting). The Contractor shall invite the Contracting Officer (CO), Contract Specialist (CS), COR, VHA PM, OI&T PM, and any other project stakeholder deemed necessary.

5.2 SCHMC REQUIREMENTS

5.2.1 DATA INGESTION

The Contractor shall ensure the solution provides the following functions at a minimum:

Receive data from multiple Department of Veterans Affairs (VA) and Veterans Health Administration (VHA) VistA sources for cleansing and enrichment based on a master ‘Authoritative Sources’ (determined by the Contractor on behalf of VA). These authoritative sources will be a culmination of various external data sources of data standards, manufacturer information, industry groupings of like items, and other standards/naming conventions as they become available/adopted by industry.

The Contractor shall ingest the following data sources, at a minimum:

VA Contracting Offices
VHA Contracting Offices
National Item File (NIF)
Electronic Contract Management System (e-CMS)
Item Master Files and Vendor files in IFCAP at VHA sites
Other Federal government source(s)

The ability to ingest and manage various data source formats such as APIs (ex. JavaScript Object Notation (JSON), Extensible Markup Language (XML)), databases, and flat file formats (ex. Comma Separated Values (CSV), Excel, tab delimited). The information contained in these extracts will be harmonized with the data that exists in the IMF detail from each facility.

The Contractor shall perform an analysis of the data ingested and shall provide a report of the findings. The analysis shall include missing data required by the VA for the data harmonization and standardization effort.

Deliverable:
Analysis report for the ingested VA data

5.2.2 DATA HARMONIZATION

The Contractor shall build the Supply Chain Healthcare Master Catalog and shall ensure the solution provides the following functions at a minimum:

Acquires and maintains authoritative data on 100% of VA and VHA contracted products, estimated at 200,000 products on approximately 2,000 commodity-based contracts.

Iteratively compiles data from existing VA and VHA contracts to the Supply Chain Healthcare Master Catalog (SCHMC), extending data visibility from local sites (over 140) to a central repository creating a single authoritative source with clear ownership/business rules.

Provides a unique identifier (example Unique Device Identification (UDI) or Global Trade Item Number (GTIN)) for all items that will be used to place orders using Integrated Funds Control Point Activity, Accounting and Procurement (IFCAP) resulting in prepopulated item and vendor master data that is standardized across the enterprise for ordering.

Provides product photos, standard product descriptions, and data elements required to populate an Item Master File (IMF).

Contains all the available attributes to include packaging and barcode information aggregated and normalized by the data provider in a single file based on using data elements such as the manufacturer’s name, commercial part number, item specific description as keys for incorporating into government systems.
The government requires all data associations, classifications, and harmonization to be clinically vetted.

Provides Continual Data Enrichment for information exchange, change control, normalization of contract data, new and expiring contracts, recalls, updates and duplicates, helping improve consistency and accuracy, and reducing product information inconsistencies across the Enterprise.

Continual Data Enrichment shall account for incorporating changes in the following, at a minimum: manufacturing information, item classification, vendor acquisition, and hierarchical groupings.

Has the ability to source data from a Global Data Synchronization Network (GDSN), FDA Global Unique Device Identification Database (GUDID) certified data pool, Global Trade Identification Number (GTIN), Description, Unit of Measure (UOM), Quantity of Each, Ordering UOM, Next Level GTIN, and dimensioning to include the Barcode information on behalf of the VHA and correlate it to the product data and information described herein.

Identifies all product data with a status such as: obsolete, validated, under review, rejected due to missing manufacturer name and/or part number, and unidentifiable or not within scope (not recognized as a commodity) and inform the user.

Provide a mechanism to activate/deactivate contract items and data associated with contracts using features such as “effective date”.

Has authorized user profiles with business rules and controls that are unique to role, responsibilities, and functions that will limit access to products outside of authorization, but remain visible for data and market research purposes.
The Contractor shall provide the ability to ensure the following data quality criteria are met:

Eliminate the duplication of entries
Standardize the data elements where appropriate
Ensure appropriate categorization, grouping, pattern matching
Work with VHA to ensure data integrity among multiple Veterans Information Systems and Technology Architecture (VistA) instances
Provide required fields in any product and vendor set retrieved from the SCHMC

The Contractor shall:

Provide domain expertise to all Contracting and Supply Chain Offices functional and technical staff as required.
Maintain current data between the SCHMC and other VA approved system(s).
Recommend additional product and/or packaging attributes if applicable that would enhance supply chain (Procurement/Distribution) efficiencies of the commodity in the catalog.

Deliverable:
The Supply Chain Healthcare Master Catalog

5.2.3 SCHMC DASHBOARD

The Contractor shall ensure the solution provides the following functions at a minimum:

A dashboard interfaced to the SCHMC.

The catalog interface shall provide search capability as well as drill-down by attributes that would be a searchable data element. Examples of searchable/sortable/filterable attributes might be: medical supply lines (Wound Care, Surgical, Cardiology, etc.), Unique Device Identification (UDI), Global Trade Item Number (GTIN), United Nations Standard Products and Service Code (UNSPSC), Healthcare Common Procedure Coding System (HCPCS), Manufacturer, Descriptions, size, color, etc.

Provide a capability that will search and identify if a product is on an existing contract, and if so, display an item list with corresponding contract data.

Deliverable:
The SCHMC dashboard

5.2.4 DATA OUTPUT

The Contractor shall:

Provide the ability to have the information displayed within the dashboard exported into standard formats (e.g. Excel).

For Item Master File (IMF) records:

Develop an Interface Control Document (ICD) for transferring the X12 832 file.
From the dashboard, allow a user from a facility to select records from the catalog.
Create an X12 832 transaction set representative of the items selected.
Transmit the created X12 832 to VHA.
In the event the IMF for the given item does not exist in a specific station’s instance, build the X12 832 catalog entry for that item and leave the IMF number blank prior to forwarding the X12 832 transactions set to the VHA for further

Provide two (2) configurable item descriptions (short and long descriptions) using a rules-based algorithm that leverages product attributes, but allows for definition of description length, attribute order, and abbreviations. Provided descriptions shall be consistent and normalized to ensure like items are described similarly.

Preserve the IMF relationship at each facility in addition to providing an Internal Identification Number from the catalog for a given item.

Deliverable:
Interface Control Document (ICD)
Exported X12 832 files

5.2.5 CLOUD INFRASTRUCTURE

The VAEC will include a secure dedicated Wide Area Network connection between VA and the VAEC Cloud Service Provider (CSP). The VA Enterprise Cloud (VAEC) is currently supported by the two FedRAMP High Certified and VA ATO approved CSPs: Amazon AWS GovCloud (VAEC-AWS) and Microsoft Azure Government Cloud (VAEC-AZC). Both VAEC environments use all of each CSP’s FedRAMP Authorized Services in their respective cloud to implement the proposed solution. In addition, each provides a set of common shared services such as security scanning, Active Directory and single sign-on (SSO), PIV integration and performance monitoring to facilitate solution implementation.
Specifications for the VAEC CSPs, including access requirements, are provided at the project kick off meeting.

5.2.5.1 BUSINESS APPROACH

The Contractor shall:

Provide a cloud-based solution and determine most appropriate service model (Software as a Service, Platform as a Service, or Infrastructure as a Service).

Host on VA Enterprise Cloud and recommend an implementation plan of how data will be shared amongst the internal and external systems involved.

Provide communications plan for all affected parties of the migration(s) to ensure end-user adoption, customer satisfaction, successful organizational process changes, and alignment with VA’s policies, requirements and goals.

Provide cloud migration support services that accommodate considerations from an enterprise perspective including impact on VA business units, contracts, management, and technical components, including application, infrastructure, data and security. The contractor shall tie cloud migration recommendations to the purpose of the applications or services being migrated. Recommendations should include information obtained from users, stakeholders, operations, and related input and output processes based on the role and business function of the affected VA systems.

Deliverables:
Implementation Plan
Communications Plan
Cloud Migration Recommendations

5.2.5.2 TECHNICAL APPROACH

The Contractor shall:

Provide recommendations for production, integration, test, development and sandbox purposes to support the complete systems lifecycle.

Provide recommendations for open-standards based technologies whenever possible to provide interoperability.

Provide configuration management recommendations for cloud virtual environments that integrate with the VA configuration management system.
Provide recommendations for standardized backup, business continuity plans (BCPs), and disaster recovery procedures and processes in the cloud environment for the target applications and services that align with standard service offerings to make full use of commodity purchasing and the associated cost efficiency.

Provide cloud solution requirements that maintain static, replicated, or live data at a site geographically disparate from the production site, when appropriate, such that the loss of one data center does not prohibit recovery of data within the prescribed Recovery Time Objective (RTO).

Provide approaches for efficient usage of cloud elements such as processor, RAM and data storage tiers, network capability and availability as needed within the target applications and services.

Deliverables:
Commercial Cloud Environment Systems Lifecycle Recommendations
SLA Post Deployment Evaluation Report
Open Standards Recommendations
Migration Tools Recommendations
Configuration Management Recommendations
Backup, BCP, and Disaster Recovery Procedures Recommendations
Cloud Elements Research Report

5.2.5.3 SECURITY APPROACH

The Contractor shall:

Provide recommendations for support and cloud services in compliance and alignment with Federal Risk and Authorization Management Program (FedRAMP) standardized security assessment, authorization, and continuous monitoring policies as required by the scope of the project. Assessment and Authorization (A&A) activities shall be included as part of the migration recommendations.
Provide cloud migration recommendations regarding security and privacy that are consistent with:

NIST Special Publication 800-144 – “Guidelines on Security and Privacy in Public Cloud Computing”
NIST Special Publication 800-53 - “Security and Privacy Controls for Federal Information Systems and Organizations.”
NIST Special Publication 800-53A - “Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans.”

Provide recommendations for a trusted secure communication channel, which supports VA PIV Card authentication (or other forms of 2 factor authentication) for remote access in accordance with OMB M-11-11.

Provide recommendations for security of data transfers in the course of migrating applications or services to, from, or between providers, whether internally or externally hosted.

Establish and improve upon security compliance, mitigation and remediation procedures and recommendations for the creation of the most effective cloud compliant implementation, risk assessments, routine vulnerability scanning, system patching and change management procedures, and the completion of an acceptable contingency plan for cloud service.

Provide Information Assurance (IA) expertise in the areas of assessments, monitoring, maintaining, reviewing and processing, accreditation/certification, Program Protection Plan (PPP) evaluation, and other cyber security related activities and mandates.

Deliverables:
Privacy and Security Cloud Support Recommendations
2 Factor Authentication Recommendations
Migration Recommendations
Security Compliance, Mitigation And Remediation Procedures

5.2.5.4 MANAGEMENT APPROACH

The Contractor shall:

Deliver a comprehensive governance plan that, at minimum, results in effective integration and partnering of the Enterprise Cloud Service Broker (ECSB) into VA decision making processes, stake-holder communications, requirement analysis, and roles and responsibilities matrix.
Manage program cost, schedule, performance, risks, warranties, contracts and subcontracts, licenses and data required to deliver effective migration services and operations.

Provide a recommended cloud vendor management plan including risk analysis, evaluation, performance, auditing, and dispute resolution approaches to use with VAEC.

Provide operational expertise and support for the business implementation as well as the user support required to ensure a successful implementation and rollout of the new cloud solutions. This includes but is not limited to communications to the workforce and external stakeholders, training, and documentation.

Comply with VA Change and Configuration Management plans and policies (as applicable). Such changes shall include testing and release ply with the Veteran-focused Integration Process (VIP) policies.

Assist in the development of a customer responsibility matrix in a standardized format that enables clear delineation of roles and responsibilities that satisfies all aspects of a cloud implementation.

Provide a draft Quality Assurance Plan (QAP) and/or Quality Control Plan (QCP) that includes details for measuring data availability, storage capacity, uptime, SLA compliance.

Deliverables:
Governance Plan
Cloud Vendor Management Plan
Customer Responsibility Matrix
Quality Assurance Plan/Quality Control Plan

5.3 ASSESSMENT AND AUTHORIZATION

The Contractor shall provide A&A support required to achieve and maintain full A&A certification in compliance with the most current versions of VA Handbook 6500, VA Handbook 6500.6 (Section 3), and VA Handbook 6500.3. The Contractor shall obtain, and shall later be responsible for, maintaining, an Authority To Operate (ATO). The Assessment and Authorization process is the end to end process for ensuring new VA information systems adhere to and are in compliance with Federal Information Security Management Act (FISMA).
The purpose of an ATO is to ensure the risks to VA (operations, assets, or individuals) are acceptable. The result is the issuance of an ATO. If the risk to Agency operations, assets or individuals is low, an ATO authorizes the system to be moved into production or use production data. Throughout the Assessment and Authorization process the Contractor shall work with their assigned Information Security Officer (ISO) to obtain an ATO. The process entails gaining access to the Governance, Risk and Compliance (GRC) tool, RiskVision, to serve as the management tool for the Assessment and Authorization process. The GRC tool is used to document accreditation requirements including technical testing/scans, security documentation, and actions identified during the Security Control Assessment. The completion of the required security documentation and technical tests enables the Office of Cyber Security (OCS) Certification Program Office (CPO) to determine the final risk to VA based on the vulnerabilities in the information system; assess any planned, completed, or corrective actions to reduce or eliminate those vulnerabilities; make a final determination on the acceptability of risk to VA; and prepare the final accreditation decision letter.

The complete set of accreditation requirements including technical testing and security artifacts are also enumerated in the “Office of Information Security, Accreditation Requirements Guide Standard Operating Procedures” (SOP). Once the accreditation requirements are met and submitted in RiskVision, the results are reviewed and approved by the Certification Agent, Directors of CPO and OCS, Deputy Assistant Secretary Office of Information Security, and finally Assistant Secretary for Information and Technology who grants or denies the Authority to Operate.

The Contractor shall ensure all security assessments are completed using VA-provided tools to include Agiliance RiskVision.
RiskVision control questions shall be answered and evidence documents uploaded no later than 30 days after contract award.
The Contractor shall perform the tasks (and sub-tasks) designated as the “system steward” and system owner or “delegate” in the SOP.
The Contractor shall enable VA vulnerability scanning and prioritize corrective actions to mitigate identified weaknesses and vulnerabilities.
The Contractor shall perform risk assessments and risk handling to include mitigating discovered vulnerabilities (See “POA&M Management Guide” for further guidance).
The Contractor shall perform continuous monitoring per VA’s Continuous Readiness in Information Security Program (CRISP).
The Contractor shall develop and submit all required security document artifacts in accordance with the POA&M Management Guide.
The Contractor shall ensure any findings produced as a result of the security assessments are remediated in order to support A&A.
The Contractor shall ensure all other security requirements are met specific to the FIPS 199 categorization documented as a result of the Risk Assessment and applicable VA policy.
The Contractor shall ensure all requirements of the A&A SOP (most current version) are met throughout the project lifecycle.

Deliverables:
Required ATO security artifacts

TESTING

The Contractor shall perform post implementation activities and testing.
The Contractor shall provide completed implementation checklists to validate final configuration baseline.

INTEGRATION/INTERFACE TESTING

The Contractor shall verify that all system interfaces are operational and all data is transferred to and from the appropriate system according to the business requirement. The Contractor shall also ensure that it complies with all VA security protocols.
The Contractor shall provide VA with a copy of the integration test plan methodology, scenarios, test data, and test results.

Deliverable:
Integration Test Plan Methodology, Test Data, and Results

PERFORMANCE TESTING

During the system testing, the Contractor shall verify that the system is fully operational and meets all the performance requirements. The Contractor shall test and verify that all system functions and specification requirements are met and operational, and no unwanted effects are present. The Contractor shall provide VA with a copy of the performance test plan methodology and test results.

Deliverable:
Performance Test Plan Methodology, Test Data, and Results

USER ACCEPTANCE TESTING

The Contractor shall submit the test results and certification to the TO COR. The Contractor shall schedule an acceptance test date and provide VA 30 days written notice prior to the date the acceptance test is expected to begin. The System shall be tested to certify Proof of Performance. Testing shall verify that the total system meets all requirements of this specification. The notification of the acceptance test shall include the expected length (in time) of the test(s). The Contractor shall provide certified/qualified personnel to assist VA with performing this testing. The Contractor shall provide VA with a copy of the acceptance test plan methodology, test cases/scripts, and test results with each TO.
Deliverables:
Acceptance Test Plan Methodology, Test Cases/Scripts, Test Data, and Results

TRAINING

The Contractor shall:
Develop a Training Plan, which shall be delivered to P&LO for approval and at a minimum shall cover how training will be completed, estimated dates for training, what materials will be provided for users, and best practices established through the period of performance.
Provide initial and ongoing training, for Procurement and Logistics Office (P&LO), Veterans Integrated Service Networks (VISN), and Medical Facility staff members to ensure personnel are proficient in the use of all tools provided under this contract.
The initial training shall be delivered via live web-based media (e.g. Skype). There will be five (5) training sessions.
The Contractor shall provide a web-based training module that can be provided through a VA approved training system such as TMS. Web-based training shall cover the full scope of system capability and the management/administration of the system. Web-based training shall be compliant with all VA policies and processes and shall provide sufficient detail to allow a business user to become proficient utilizing the capabilities.
The supplemental training materials shall also include written training manuals that can be accessed by all users (an estimated 6,000 Logisticians).

Deliverables:
Training Plan
Training Materials

RELEASE MANAGEMENT

In accordance with the VIP Guide, the Contractor shall complete the documents required to pass the VIP’s Critical Decision 2 (CD2) process. The Contractor shall implement/release the Catalog solution to the VA community after receiving CD2 approval and coordinating the release through the Office of Information and Technology (OI&T).
Deliverables:
CD2 Documentation

HELP DESK

The Contractor shall:
Provide support by phone and email for consultation with the Supply Chain Data & Informatics Office (SCDIO) subject matter experts to resolve data conflict, inconsistencies, or other service issues in a timely response (24 hours or less).
Be a part of the VA Enterprise Service Desk routing process for tracking all issues in the Service Now environment.

SOFTWARE MAINTENANCE

The Contractor shall provide Continual Data Enrichment for information exchange, change control, normalization of contract data, new and expiring contracts, recalls, updates and duplicates, helping improve consistency and accuracy, and reducing product information inconsistencies across the Enterprise. The Contractor shall also provide all software maintenance upgrades and/or patches. The Contractor shall notify VA of all upcoming maintenance upgrades within 30 (thirty) calendar days of proposed implementation. Additionally, the Contractor shall document the functionality and compatibility changes from current system.

The Contractor shall provide:
Maintenance and software fixes/repair of the solution.
System engineering changes, updates, and functionality enhancements coordinated through the Office of Information Technology for review, test and approval to release.
Perform patch management to ensure the solution continues to meet applicable security and baseline standards.
Support throughout the PoP for technical issues.

GENERAL REQUIREMENTS

PERFORMANCE METRICS

The table below defines the Performance Standards and Acceptable Levels of Performance associated with this effort.

| Performance Objective | Performance Standard | Acceptable Levels of Performance |
| Technical / Quality of Product or Service | Shows understanding of requirements; Efficient and effective in meeting requirements; Meets technical needs and mission requirements; Provides quality services/products | Satisfactory or higher |
| Project Milestones and Schedule | Quick response capability; Products completed, reviewed, delivered in accordance with the established schedule; Notifies customer in advance of potential problems | Satisfactory or higher |
| Cost & Staffing | Currency of expertise and staffing levels appropriate; Personnel possess necessary knowledge, skills and abilities to perform tasks | Satisfactory or higher |
| Management | Integration and coordination of all activities to execute effort | Satisfactory or higher |

The COR will utilize a Quality Assurance Surveillance Plan (QASP) throughout the life of the TO to ensure that the Contractor is performing the services required by this PWS at an acceptable level of performance. The Government reserves the right to alter or change the QASP at its own discretion. A Performance Based Service Assessment will be used by the COR in accordance with the QASP to assess Contractor performance.

SECTION 508 – ELECTRONIC AND INFORMATION TECHNOLOGY (EIT) STANDARDS

On August 7, 1998, Section 508 of the Rehabilitation Act of 1973 was amended to require that when Federal departments or agencies develop, procure, maintain, or use Electronic and Information Technology, they shall ensure it allows Federal employees with disabilities to have access to and use of information and data that is comparable to the access to and use of information and data by other Federal employees. Section 508 required the Architectural and Transportation Barriers Compliance Board (Access Board) to publish standards setting forth a definition of electronic and information technology and the technical and functional criteria for such technology to comply with Section 508. These standards have been developed and are published with an effective date of December 21, 2000.
Federal departments and agencies shall develop all Electronic and Information Technology requirements to comply with the standards found in 36 CFR 1194.

The following Section 508 Requirements supersede Addendum A, Section A3 from the T4NG Basic PWS.

The Section 508 standards established by the Architectural and Transportation Barriers Compliance Board (Access Board) are incorporated into, and made part of all VA orders, solicitations and purchase orders developed to procure Electronic and Information Technology (EIT). These standards are found in their entirety at: . A printed copy of the standards will be supplied upon request.

The Contractor shall comply with the technical standards as marked:
§ 1194.21 Software applications and operating systems
§ 1194.22 Web-based intranet and internet information and applications
§ 1194.23 Telecommunications products
§ 1194.24 Video and multimedia products
§ 1194.25 Self-contained, closed products
§ 1194.26 Desktop and portable computers
§ 1194.31 Functional Performance Criteria
§ 1194.41 Information, Documentation, and Support

EQUIVALENT FACILITATION

Alternatively, offerors may propose products and services that provide equivalent facilitation, pursuant to Section 508, subpart A, §1194.5. Such offerors will be considered to have provided equivalent facilitation when the proposed deliverables result in substantially equivalent or greater access to and use of information for those with disabilities.

COMPATIBILITY WITH ASSISTIVE TECHNOLOGY

The Section 508 standards do not require the installation of specific accessibility-related software or the attachment of an assistive technology device.
Section 508 requires that the EIT be compatible with such software and devices so that EIT can be accessible to and usable by individuals using assistive technology, including but not limited to screen readers, screen magnifiers, and speech recognition software.

ACCEPTANCE AND ACCEPTANCE TESTING

Deliverables resulting from this solicitation will be accepted based in part on satisfaction of the identified Section 508 standards’ requirements for accessibility and must include final test results demonstrating Section 508 compliance. Deliverables should meet applicable accessibility requirements and should not adversely affect accessibility features of existing EIT technologies. The Government reserves the right to independently test for Section 508 Compliance before delivery. The Contractor shall be able to demonstrate Section 508 Compliance upon delivery.

Automated test tools and manual techniques are used in the VA Section 508 compliance assessment.

Deliverable:
Final Section 508 Compliance Test Results

SHIPMENT OF HARDWARE OR EQUIPMENT

N/A

ENTERPRISE AND IT FRAMEWORK

All requirements in Section 3.8 of the T4NG Basic PWS apply to this effort.