STATEMENT OF WORK/TASK ORDER ADMINISTRATION DATA

 STATEMENT OF WORK/TASK ORDER ADMINISTRATION DATA*Note that this sample has been revised from the source document on the Government Point of Entry as necessary to align formatting and applicable FAR procedures.* 1. INTRODUCTIONSafeguarding and preventing the unauthorized disclosure of Personally Identifiable Information (PII) is a responsibility that is shared by all IRS employees and contractors. Lost, stolen, or disclosed PII may be used to perpetrate identity theft or other forms of harm if the information falls into unauthorized hands. Governmental policy requires all federal agencies and bureaus to notify individuals when their personally identifiable information has been compromised and placed them at risk of identity theft. In May 2007, OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, instructed Federal agencies to enhance their safeguards for PII and to enact incident handling and data loss notification policies. a. BackgroundSince 2007, the IRS has offered one year of credit monitoring service/identity theft protection to those individuals determined to be at high risk for identity theft as a result of an IRS data loss/breach. Services include account monitoring, alerts of key changes to credit reports, identity theft insurance, and dedicated fraud resolution representatives available to assist victims of identity theft, and are provided to impacted individuals upon request by the impacted individual. The IRS notifies impacted individuals, via Letter 4281, of the data loss/breach. At his/her option, if the individual recipient of the data loss letter would like to receive credit monitoring/identity theft protection, he/she must request such services. The U.S. has experienced a dramatic increase in attempts of identity theft. Based on this increase, the IRS has determined that a more appropriate offer for protection is to expand beyond credit monitoring and include identify protection, and increase the period of coverage/protection from one to three years. In July 2016, the Office of Management and Budget (OMB) issued Memorandum M-16-14 which requires, with limited exceptions, Federal agencies to use the General Services Administration Government-Wide Federal Supply Schedule Identity Protection Services (IPS) Multiple-Award Blanket Purchase Agreements (BPAs) (hereafter referred to as "IPS BPAs") as a preferred source for comprehensive identity protection, identity monitoring and data breach response services, when needed, including consumer credit reports; address verification reports; credit risk assessments; and identity restoration services involving breaches of sensitive personally identifiable information.It's IRS' objective to provide quick response when individuals have been impacted by data loss to minimize the potential for harm. The IRS has determined that services under the GSA FSS IPS BPA, SIN 520-19, Data Breach Analysis, are within scope of IRS' need for identity protection services. b. ObjectiveThe Internal Revenue Service's objective is to establish a task order against a GSA IPS BPA, to offer identity protection, identity monitoring and data breach response services for three years per impacted individual who requests such services, to meet business needs and IRS goals. The task order will result in a streamlined process of ordering required services. c. PurposeThe purpose of this task order is to provide impacted taxpayers, who request services, with Data Breach Analysis services to include three years of credit monitoring to affected taxpayers, upon identification of data loss. d. ScopeThis is task order is in support of the Internal Revenue Service, Privacy, Governmental Liaison and Disclosure (PGLD) Division, for the provision of identity protection services, as outlined under the General Services Administration Federal Supply Schedule Government-Wide Identity Protection Services Blanket Purchase Agreement (GSA FSS GW IPS BPA), for Identity Protection Services (IPS), hereafter referred to as the "GSA IPS BPA," under (SIN 520-19, Data Breach Analysis), and this task order. The contractor shall provide identity protection, that is, established appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience or unfairness to any individual on whom information is maintained, as outlined in its GSA IPS BPA and contained herein. The contractor shall provide high quality service with fast response time when notified that an individual would like to receive services offered herein. 2. STATEMENT OF WORK a. Description of ServicesThe contractor shall provide identity protection services to individuals impacted by a data loss/breach. As defined in OMB M-07-16, breach includes the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users and for an other than authorized purpose have access or potential access to personally identifiable information whether physical or electronic. The contractor shall support an undetermined number of future data loss for the period specified in paragraph 3a, Ordering Period. These data losses occur sporadically throughout the year - and range from minor (e.g. - data losses consisting of 20 identities or fewer per month) to major losses (e.g. - data losses consisting of 100,000+ identities per month). Specifically, the contractor shall provide continuous data breach analysis services for a period of three (3) years from the date the impacted individual requests coverage. Services shall consist of: (i) Customer Support Services that include: a) A means of enrollment via internet, telephone, and live agent. b) A dedicated toll-free customer assistance line available 24 hours a day, seven days a week, for assistance with enrollment/authentication, product related questions, understanding the content of credit information, investigating information believed to be inaccurate, and identity theft resolution. The contractor shall provide qualified personnel to man the call center. Identity Theft Resolution includes:If a consumer is a victim of ID Theft, the offeror must offer assistance and “remediation”, as part of their membership service at no additional charge.1. Specifically, the offeror must provide: Access to dedicated Fraud Specialists who will work with the consumer through the process of working to clear up the damage caused by the theft of their identity. These Specialists must be available on a 24 x 7, 365 day basis.2. Specifically, the Fraud Specialists will: Review the content of the consumer’s 3-in-1 Credit Report to identify all fraudulent tradelines and information that exists on their credit files at all three credit reporting companies.Initiate disputes of content of the credit report that may be inaccurateAssist in Fraud Alert placement, if not already done by the consumer Additionally, the Fraud Specialists will provide assistance with:Completing the FTC Fraud AffidavitFiling a police reportNotifying Government AgenciesNotifying credit grantorsProvide the consumer with Identity Theft Prevention Tips and content so they are fully educated on the process they are going through to clear up the ID Theft situation and how to prevent further problems. (ii) Identity Support Services that include:a) Comprehensive daily credit file monitoring to adults (18+) b) Automated daily alerts of key changes to Equifax, Experian, and TransUnion credit files via email, wireless alert or U.S. Mail (delivery method will be at the customers’ option). Alerts of key changes must be made (or sent) to the customer within 24 hours. Customizable alerts must also be available and include: frequency of messaging and vehicle of delivery, at the enrollees/subscriber/customer choice. c) The capability to place 90-day fraud alerts with unlimited automatic renewals on a customer’s credit file at the request of the subscriber/customer. Fraud alerts to include, but not limited to: changes to or applications for credit cards, bank accounts, driver’s license, etc. based on enrollees/subscriber/customer choice. d) One 3-in-1 Credit Report. (iii) Identity Monitoring Services that include a minimum of $1 million in identity theft insurance with $0 deductible, at no additional cost to the subscriber/customer. Coverage includes, but not limited to: Legal fees and other costs directly associated with reclaiming the subscriber/customer identity (e.g. replace important documents like the subscriber/customer driver’s license or passport), coverage for lost wages due to time taken off of work to deal with an identity fraud situation, reimburse the subscriber/customer for stolen funds caused by identity theft (up to $10k), etc. When a data loss incident/breach occurs, the Program Office will notify the contractor and each impacted individual, in writing. Effective and expiration dates shall be identified with the unique identifiers. The IRS will notify impacted individuals when data loss/compromise has occurred. The notification will include an offer for data breach analysis services, comprised of customer support, identity support and monitoring services as outlined in paragraph 2a above. b. ReportsAdditionally, the contractor shall provide, to the Program Office on a monthly basis, reports listing the unique identifiers redeemed, the dates they were redeemed, and whether the identifiers were redeemed offline or online. By the end of the 7th workday of each month, the contractor must provide to the Program Office enrollment reports listing the unique identifiers redeemed, the dates they were redeemed, and how the identifiers were redeemed (offline or online, mail or telephone). More frequent report durations (e.g., weekly) must be available upon request. Monthly invoices for enrollments must include a detailed report listing each IRSsubscriber/customer’s Last Name and First Name, state of residence, activation date, and unique identifiers redeemed, at a minimum. Reports shall be provided on or before the date the contractor submits its invoice via the Internet Payment Platform (IPP). A copy of the invoices with the attached reports must be provided securely (email, secure web portal, etc.) to the IRS POC. Reports shall be provided in contractor generated format, subject to approval and feedback of Government. Reports shall clearly state the period start and end date/time of data contained in report. Reports shall include: Promo Code (full), Last Name, First Name, State, and Date of Activation. Reports shall be provided on or before the date the contractor submits its invoice via the Internet Payment Platform (IPP). All reports shall be provided via secure method such as encrypted email or by a secure web portal. c. OrderingOverall, services will be ordered via this task order by the Contracting Officer’s Representative (COR) in accordance with the terms outlined herein and will include estimated quantities of products and/or services to be provided and the ordering periods in accordance with the periods specified below in paragraph 3a, Order Period. The contractor shall provide, to the Program Office, the following number of unique identifiers (such as enrollment codes to be redeemed) for each ordering period:Base Period - 275,000 Option Period I - 275,000 Option Period II - 275,000 Grand total - 825,000 Individual unique identifiers will be included on respective notifications to individuals impacted by data loss. Impacted individuals wishing to take advantage of the offer are responsible to interact directly with the contractor to request services. Upon request from impacted individuals, the contractor shall provide services as outlined herein. In the event all unique identifiers provided for the respective period are not used, the contractor shall provide the difference in the amount (number of unique identifiers specified above minus the number remaining from the previous period) for use in the subsequent ordering period when the option is exercised. In each ordering period, funds will be obligated in an amount equal to the firm-fixed-rate applied to the Government's estimated number of redemptions during the respective period. Should there be a change in the estimated number of redemptions, the quantity will be adjusted and additional funds will be provided via modification.A "not to exceed" (NTE) amount will be established under each line item. The IRS makes no guarantee to acquire services in those amounts. The ceiling amount is merely an estimate based on historical and/or anticipated usage. However, when requested by individual impacted taxpayers, the contractor shall provide services on a firm-fixed-price basis based on the fixed rate contained in the price schedule. Also, the ceiling amount may be increased or decreased at the discretion of the Contracting Officer based on the need via bi-lateral modification. Additionally, the IRS will exercise any "option," on a unilateral basis, at the discretion of the IRS. The IRS makes no guarantee with regard to needing services or exercising options. d. Deliverables - Reports shall be provided to the Program Office on a monthly basis. Refer to paragraph A2b above. 3. TASK ORDER ADMINISTRATION DATA a. Ordering PeriodThe ordering period under the task order will consist of a 12-month base period plus one 12- month option period and one 8-month option period that may be exercised at the discretion of the Government. Unless the awardee's GSA IPS BPA is cancelled or expires, the ordering periods will be as follows: Base Period: 12/15/2017–12/14/2018 Option Period I: 12/15/2018–12/14/2019 Option Period II: 12/15/2019– 08/31/2020 Note: A BPA will expire when the Contractor’s GSA MAS contract, upon which the BPA is predicated, expires. Any orders placed during the BPA ordering period may extend beyond that period (including the right to exercise order options) and be completed in accordance with the Contractor’s Federal Supply Schedule FAR clause 52.216-22 paragraph (d). Therefore, the contractor shall continue to honor requests for services from impacted individuals who received notifications/offer for services during the ordering period prior to expiration of the task order.The Contractor shall notify the Contract Specialist/Contracting Officer no less than sixty (60) days prior to the expiration of the MAS contract that its contract is about to expire. ................
................

In order to avoid copyright disputes, this page is only a partial summary.

Google Online Preview   Download