BACKGROUND - Log in to Veteran's Affairs Vendor Portal



FedBizOppsSources Sought Notice*******CLASSIFICATION CODESUBJECTCONTRACTING OFFICE'S ZIP-CODESOLICITATION NUMBERRESPONSE DATE (MM-DD-YYYY)ARCHIVE DAYS AFTER THE RESPONSE DATERECOVERY ACT FUNDSSET-ASIDENAICS CODECONTRACTING OFFICE ADDRESSPOINT OF CONTACT(POC Information Automatically Filled from User Profile Unless Entered)DESCRIPTIONSee AttachmentAGENCY'S URLURL DESCRIPTIONAGENCY CONTACT'S EMAIL ADDRESSEMAIL DESCRIPTION ADDRESSPOSTAL CODECOUNTRYADDITIONAL INFORMATIONGENERAL INFORMATIONPLACE OF PERFORMANCE* = Required FieldFedBizOpps Sources Sought NoticeRev. March 2010RVR&E Case Management Solution Service (CMSS)2000636C10E19Q017105-21-201930N14518210Department of Veterans AffairsVeterans Benefits AdministrationOffice of Administration Division -Acquisition DivisionVan Hale, Contracting OfficerEmail Address: Van.Hale@Contractors Facilities with some travel toVBA OfficesTBDUSAVan.Hale@Contracting OfficerVBA VR&E Service is responsible for administering VR&E benefits to veterans, service members and their dependents through four distinct benefit programs/chapters.VR&E employs nearly 1,000 professional vocational rehabilitation counselors and 350 administration staff and delivers services through a network of nearly 350 office locations. The service delivery model works to support Veterans where they are located (including overseas). VR&E has operations at 56 regional offices, the National Capital Region Benefits Office, approximately 142 out-based offices, 71 Integrated Disability Evaluation System (IDES) military installations, and 95 VetSuccess on Campus (VSOC) schools/sites.In FY17, VR&E issued $1.4B to over 130K beneficiaries. Modernization of the existing case management applications will impact the VBA VR&E benefit programs and implementing changes will be challenging due to the changes needed to the VBA's IT infrastructure.However, the VBA believes that there is an opportunity for identifying a Commercially Available Off-The-Shelf (COTS) solution that will preserve government oversight and accountability of the process while empowering VR&E counselors to focus on our Veterans receiving the services that they are entitled to in the most efficient manner possible.VBA is seeking a solution that meets the performance-based needs of the VBA and effectively meets the critical processing needs to accomplish business objectives within the VBA's VR&E service line.Our strategic goal is to eliminate the administrative burden of ingestion, establishment, and processing of veteran eligibility through establishment of automated capabilities so that VR&E personnel can focus on managing veteran outcomes.The purpose of this project is to acquire a comprehensive VR&E specific configurable COTS, Software as a Solution (Saas) Service that will allow Vocational Rehabilitation and Employment to manage cases and deploy the capability to production as a service hosted within the FedRAMP-certified cloud environment. This will involve internal VA IT development to integrate with systems as outlined in Appendix I of the attached Request for Information (RFI). The IT tasks will be done by the VA. This solution should provide improved business process automations while streamlining administrative and financial reporting capabilities. The solution should also alleviate multiple administrative functions assigned to the VRCs, which would allow them more time to engage with their clients. The solution should have the ability to create a participant record utilizing existing VA systems. Record creation should provide a 360-degree view of the participant, which can be leveraged by VR&E to streamline entitlement, plan development and case management processes. The solution should also track all VR&E outreach activities against the contact record. The solution should also be capable of creating multiple records against one participant, should the need arise. Overall, the goal of this solution should be to provide a holistic view of the program participant as they plot their course from outreach to employment and finally, case closure.See the attached RFI for details.TC "SECTION A" \l 1TC "A.1 SF 1449 SOLICITATION/CONTRACT/ORDER FOR COMMERCIAL ITEMS" \l 2PAGE 1 OF1. REQUISITION NO. 2. CONTRACT NO.3. AWARD/EFFECTIVE DATE4. ORDER NO.5. SOLICITATION NUMBER6. SOLICITATION ISSUE DATEa. NAMEb. TELEPHONE NO. (No Collect Calls)8. OFFER DUE DATE/LOCALTIME9. ISSUED BYCODE10. THIS ACQUISITION IS UNRESTRICTED ORSET ASIDE: % FOR:SMALL BUSINESSHUBZONE SMALLBUSINESSSERVICE-DISABLEDVETERAN-OWNEDSMALL BUSINESSWOMEN-OWNED SMALL BUSINESS(WOSB) ELIGIBLE UNDER THE WOMEN-OWNEDSMALL BUSINESS PROGRAMEDWOSB8(A)NAICS:SIZE STANDARD:11. DELIVERY FOR FOB DESTINA-TION UNLESS BLOCK ISMARKEDSEE SCHEDULE12. DISCOUNT TERMS 13a. THIS CONTRACT IS A RATED ORDER UNDERDPAS (15 CFR 700)13b. RATING14. METHOD OF SOLICITATIONRFQIFBRFP15. DELIVER TO CODE16. ADMINISTERED BYCODE17a. CONTRACTOR/OFFERORCODEFACILITY CODE18a. PAYMENT WILL BE MADE BYCODETELEPHONE NO.DUNS:DUNS+4:PHONE:FAX:17b. CHECK IF REMITTANCE IS DIFFERENT AND PUT SUCH ADDRESS IN OFFER18b. SUBMIT INVOICES TO ADDRESS SHOWN IN BLOCK 18a UNLESS BLOCK BELOW IS CHECKEDSEE ADDENDUM19.20.21.22.23.24.ITEM NO.SCHEDULE OF SUPPLIES/SERVICESQUANTITYUNITUNIT PRICEAMOUNT(Use Reverse and/or Attach Additional Sheets as Necessary)25. ACCOUNTING AND APPROPRIATION DATA26. TOTAL AWARD AMOUNT (For Govt. Use Only)27a. SOLICITATION INCORPORATES BY REFERENCE FAR 52.212-1, 52.212-4. FAR 52.212-3 AND 52.212-5 ARE ATTACHED. ADDENDAAREARE NOT ATTACHED.27b. CONTRACT/PURCHASE ORDER INCORPORATES BY REFERENCE FAR 52.212-4. FAR 52.212-5 IS ATTACHED. ADDENDAAREARE NOT ATTACHED28. CONTRACTOR IS REQUIRED TO SIGN THIS DOCUMENT AND RETURN _______________ 29. AWARD OF CONTRACT: REF. ___________________________________ OFFERCOPIES TO ISSUING OFFICE. CONTRACTOR AGREES TO FURNISH AND DATED ________________________________. YOUR OFFER ON SOLICITATION DELIVER ALL ITEMS SET FORTH OR OTHERWISE IDENTIFIED ABOVE AND ON ANY (BLOCK 5), INCLUDING ANY ADDITIONS OR CHANGES WHICH ARE ADDITIONAL SHEETS SUBJECT TO THE TERMS AND CONDITIONS SPECIFIEDSET FORTH HEREIN IS ACCEPTED AS TO ITEMS:30a. SIGNATURE OF OFFEROR/CONTRACTOR31a. UNITED STATES OF AMERICA (SIGNATURE OF CONTRACTING OFFICER)30b. NAME AND TITLE OF SIGNER (TYPE OR PRINT)30c. DATE SIGNED31b. NAME OF CONTRACTING OFFICER (TYPE OR PRINT)31c. DATE SIGNEDAUTHORIZED FOR LOCAL REPRODUCTION(REV. 2/2012)PREVIOUS EDITION IS NOT USABLEPrescribed by GSA - FAR (48 CFR) 53.2127. FOR SOLICITATIONINFORMATION CALL:STANDARD FORM 1449OFFEROR TO COMPLETE BLOCKS 12, 17, 23, 24, & 30SOLICITATION/CONTRACT/ORDER FOR COMMERCIAL ITEMS85VA36C10E19Q0171Van Hale727-319-794005-21-20191PM00101Department of Veterans AffairsVeterans Benefits AdministrationOffice of Administration & Facilities -Acquisition Division Specialized & Commodities TeamEMAIL ADDRESS: VAN.HALE@X100X518210$32.5 MillionXN/AXDepartment of Veterans AffairsVeterans Benefits AdministrationOffice of Administration & Facilities -Acquisition Division Specialized & Commodities Team00101SAME AS BLOCK 15 See CONTINUATION PageThis Request for Information (RFI) is for market researchpurposes only and does not constitute a Request forQuotation or Proposal. It is not considered to be acommitment by the Government to award a contract norwill the Government pay for any information provided.The Government is under no obligation to acknowledgereceipt of the information received or provide feedbackto respondents with respect to any information submitted.Capability statement in response to this RFI is due onor before 1:00PM EST, Tuesday, May 21, 2019.See CONTINUATION PageXXVan Hale VBA14L2-0953Contracting OfficerThis is a REQUEST FOR INFORMATION (RFI) only. Pursuant to FAR Part 10.002(b)(2)(iii) and (viii) (Market Research), the purpose of this notice is to:1. Determine the commercial practices of companies engaged in providing the needed service;2. Determine availability of Service Disabled Veteran Owned Small Business (SDVOSB) and VOSB set aside pursuant to FAR Part 19.This notice in no way obligates the Government to any further action.Requirement:This notice is issued by the Department of Veterans Affairs (VA), Veterans Benefits Administration, Specialized & Commodities Team, Office of Administration & Facilities – Acquisition Division to identify SDVOSB and/or VOSB sources capable of providing the services described in the attached Performance Work Statement (PWS) and the Addendum to the PWS. SDVOSB and/or VOSB concerns shall be registered and certified in the Vendor Information Pages located at at the time responses to this RFI are due.Submission of Information:All responses must be submitted to Van.Hale@ by 1:00PM EST, on or before Tuesday, May 21, 2019 with a Subject line of VR&E RFI Response. Responders will receive an electronic confirmation acknowledging receipt of a response but will not receive individualized feedback on any questions. If your company has the potential capability to perform these contract services, please respond to this RFI by providing a capability statement. The number of pages is limited to a total of 20 pages; size shall be no greater than 8 1/2" x 11". The top, bottom, left and right margins shall be a minimum of one inch each. Font size shall be no smaller than 12-point. Times New Roman fonts are required. The capabilities statement must include the following information:Provide a brief corporate profile of your company. Information in this profile should include: Organization name; DUNS number; Organization's website; Contact Name; Contact Telephone; Contact E-mail address.Business Size identified as SDVOSB OR VOSB. NAICS code is 518210.Describe governance in terms of contractor oversight and management necessary to ensure quality of deliverables and contract performance expectations. Describe how you address quality management and continuous process improvement. Describe what factors would affect your pricing model based on the in-scope services for this requirement. Are the objectives clearly defined? Do you understand what the VA requires? List any questions and concerns you have regarding this notice and the PWS.Has your company currently or in the recent past provided a similar solution and service for end-to-end benefits vocational rehabilitation case management as described in the PWS, to include, but not limited to: Application intake and processing - Receipt and processing of application Automation – Reduction of time-intensive manual processes through the use of automation to include eligibility determination, automated virtual assistant integration, and automated award and payment calculationCase management – End to end case and plan, creation, implementation, and management Financial Processing – Determination and calculation of payment amount based on rules engine; Interface with financial accounting system to submit payment information and submit and receive financial institution information Integration – Integrate with ~30 existing VBA systems and services that provide either data or functional requirements Quality Assurance – Implementation of error handling, quality management, and audit functions with federal regulatory requirements. If so, please provide details on the nature of the services and/or solution provided including, at a minimum, length of time; the name(s) of the organization(s); specific contractor citation and your role (prime vs/ sub). If the role was a sub-contractor, please provide your area(s) of responsibility on the contract.How would the system/platform/service propose to transfer and exchange data between multiple government (DoD, DoE, VBA, VHA, SSA, etc.), educational, financial, and industry entities (critical capability)?Describe your experience with integrating case management systems with government products or legacy systems (e.g. financial accounting systems). Describe Service Level Agreements (SLA) and quality reporting managed and conducted on previous contracts. Describe typical staffing profile for case management solutions. Include skills and qualifications necessary to meet the VAs objectives included in the PWS. What percentage of the technical capabilities and expertise are resident in the contractor's organization? What percentage of the technical capabilities and expertise would require the aid of a subcontractor? Describe your experience and approach to responding to legislative changes/directives resulting in business process and functionality changes. Describe the aspects of the VBA VR&E Service benefits and the assumptions that might present challenges to your service delivery, why, and how you will overcome these challenges? Describe how you ensure security and privacy including compliance with applicable regulatory and security frameworks. Describe how you protect personally identifiable information (PII) and safeguard participant and beneficiary information. Describe how you have addressed challenges with disbursement processing required to be performed by third party disbursement agents. Describe how your service delivery accommodates globally located beneficiaries. Describe how your services can accommodate distinctive case management characteristics including simultaneous separate or distinctive business rules and any potential automated solutions for rules-based processing. Please provide a narrative of instances where you have tracked (e.g. customer surveys, metrics, etc.) and met customer satisfaction goals. Please provide your role with respect to tracking and meeting the customer satisfaction goals. Provide details as to the methods used and frequency at which performance against customer satisfaction goals were tracked and reported on, including number of exemptions requested/required/granted. Describe how you support data conversions and/or data transfers when transitioning a new large case workload. Describe how and whether you receive and process beneficiary submissions during conversions. Describe how you handle transaction exception processing and your quality process. Describe how you handle beneficiary case management, including how you would determine when manual intervention from VBA personnel is required. Describe your process for analyzing the current system environment to ensure that your system can meet the integration requirements. What range of concurrent users can the system/platform/service support? Can the system/platform/service scale as the user community base grows? Can capacity be added incrementally without significant architectural changes? What type of licensing/resource model exists for the system/platform/service and how would this be structured? How would the system/platform/service enable ad-hoc/customizable reporting needs due to congressionally mandated reporting requirements? How would the security model support role-based access and reporting capabilities at the group or user level? What type of security model would be employed to handle system-to-system validation and access? Will the system/platform/service be capable of providing multiple user connection modalities and device types? What type of Dev/Ops model would be employed to incorporate changes and/or additions to business services that would be required? (e.g. Changes due to Legislative Acts) Does the system/platform/service enable fully customizable work flow and/or business rules? For example: Records ManagementPayment SchedulesWhat technologies do you possess or recommend that could enable the automation of VR&E business processes and what approach would you take?Detail your experience with development of systems/solutions that are 508 compliant and integrate seamlessly with multiple assistive technologies (e.g. JAWS, Dragon, ZoomText, etc.)?Disclaimer:This Request for Information is for market research purposes only and does not constitute a Request for Quotation. It is not considered to be a commitment by the Government to award a contract nor will the Government pay for any information provided. No basis for a claim against the Government shall arise from a response to this Request for Information or Government use of any information provided. Failure to submit information in sufficient detail may result in considering a company as not a viable source and may influence competition and set-aside decisions. Regardless of the information obtained from this Request for Information, the Government reserves the right to consider any arrangement as deemed appropriated for this requirement. Respondents are advised, the Government is under no obligation to acknowledge receipt of the information received or provide feedback to respondents with respect to any information submitted. No proprietary, classified, confidential, or sensitive information should be included in your response to this Request for Information.PERFORMANCE WORK STATEMENT (PWS)DEPARTMENT OF VETERANS AFFAIRSVeterans Benefits AdministrationVR&E Case Management Solution Service (CMSS) Contents TOC \o "1-3" \h \z \u 1.0BACKGROUND PAGEREF _Toc256000000 \h 102.0PURPOSE OF THE PROJECT PAGEREF _Toc256000001 \h 103.0SCOPE OF WORK PAGEREF _Toc256000002 \h 103.1ORDER TYPE PAGEREF _Toc256000003 \h 124.0PERFORMANCE DETAILS PAGEREF _Toc256000004 \h 124.1PERIOD OF PERFORMANCE PAGEREF _Toc256000005 \h 124.2PLACE OF PERFORMANCE PAGEREF _Toc256000006 \h 124.3TRAVEL OR SPECIAL REQUIREMENTS PAGEREF _Toc256000007 \h 125.0SPECIFIC TASKS AND DELIVERABLES PAGEREF _Toc256000008 \h 135.1PROJECT MANAGEMENT (Non-IT) PAGEREF _Toc256000009 \h 135.1.1CONTRACTOR PROJECT MANAGEMENT PLAN PAGEREF _Toc256000010 \h 135.1.2REPORTING REQUIREMENTS PAGEREF _Toc256000011 \h 145.1.3TECHNICAL KICKOFF MEETING PAGEREF _Toc256000012 \h 145.2RECOMMEND AND IMPLEMENT CHANGES FOR PARTICIPANT ORIENTATION AND THE INITIAL DATA COLLECTION METHODOLOGY (NON-IT) PAGEREF _Toc256000013 \h 155.3RECOMMEND AND IMPLEMENT CHANGES FOR COLLECTION OF THE REHABILITATION NEEDS INVENTORY (VA FORM 28-1902W) (NON-IT) PAGEREF _Toc256000014 \h 155.4RECOMMEND AND IMPLEMENT CHANGES FOR BENEFICIARY TRAVEL PROCESSES METHODOLOGY (NON-IT) PAGEREF _Toc256000015 \h 155.5RECOMMEND AND IMPLEMENT CHANGES FOR LOGISTICS FOR PAYMENT OF SERVICES RENDERED BY TUTORS BY AN INDIVIDUAL OR THROUGH A SERVICE COMPANY (NON-IT) PAGEREF _Toc256000016 \h 165.6RECOMMEND AND IMPLEMENT CHANGES FOR VHA MEDICAL SERVICES REFERRAL PROCESS FOR VR&E PROGRAMS (NON-IT) PAGEREF _Toc256000017 \h 165.7RECOMMEND AND IMPLEMENT CHANGES FOR COLLECTION OF DATA APPLICABLE TO A PROGRAM PARTICIPANT’S STATUS (CRIMINAL HISTORY/CREDIT REPORT/EMPLOYMENT AND LOCATION) (NON-IT) PAGEREF _Toc256000018 \h 165.8RECOMMEND AND IMPLEMENT CHANGES FOR COLLECTION OF DATA FOR TUITION AND FEES FROM VARIOUS INSTITUTIONS OF HIGHER LEARNING (NON-IT) PAGEREF _Toc256000019 \h 175.9PROVIDE, IMPLEMENT, AND SUPPORT VOCATIONAL REHABILITATION AND EMPLOYMENT CASE MANAGEMENT SOLUTION AS A SERVICE (Non-IT) PAGEREF _Toc256000020 \h 175.10SERVICE LEVEL AGREEMENT (Non-IT) PAGEREF _Toc256000021 \h 175.11TRAINING (Non-IT) PAGEREF _Toc256000022 \h 185.12OPTION PERIODS PAGEREF _Toc256000023 \h 186.0GENERAL REQUIREMENTS PAGEREF _Toc256000024 \h 186.1PERFORMANCE METRICS PAGEREF _Toc256000025 \h 196.2PERFORMANCE REQUIREMENTS SUMMARY PAGEREF _Toc256000026 \h 206.3FEDERAL IDENTITY, CREDENTIAL, AND ACCESS MANAGEMENT (FICAM) PAGEREF _Toc256000027 \h 206.4TRUSTED INTERNET CONNECTION (TIC) PAGEREF _Toc256000028 \h 216.5SECURITY AND PRIVACY REQUIREMENTS PAGEREF _Toc256000029 \h 226.6POSITION/TASK RISK DESIGNATION LEVEL(S) PAGEREF _Toc256000030 \h 226.6.1POSITION SENSITIVITY AND BACKGROUND INVESTIGATION REQUIREMENTS PAGEREF _Toc256000031 \h 226.7CONTRACTOR PERSONNEL SECURITY REQUIREMENTS PAGEREF _Toc256000032 \h 226.8 METHOD AND DISTRIBUTION OF DELIVERABLES PAGEREF _Toc256000033 \h 247.0APPLICABLE DOCUMENTS PAGEREF _Toc256000034 \h 24APPENDIX A: REQUIREMENTS PAGEREF _Toc256000035 \h 28APPENDIX B: PERFORMANCE REQUIREMENTS SUMMARY PAGEREF _Toc256000074 \h 43APPENDIX C: ADDITIONAL VA REQUIREMENTS, CONSOLIDATED CYBER AND INFORMATION SECURITY REQUIREMENTS FOR VA IT SERVICES PAGEREF _Toc256000076 \h 46APPENDIX D: VA INFORMATION AND INFORMATION SYSTEM SECURITY / PRIVACY LANGUAGE PAGEREF _Toc256000077 \h 50APPENDIX E: EXAMPLES OF CASE STATUES PAGEREF _Toc256000078 \h 60APPENDIX F: EXAMPLE OF ONE PROCESSING RULE (TO EXEMPLIFY COMPLEXITY) PAGEREF _Toc256000080 \h 65APPENDIX G: LIST OF CURRENT LETTERS PAGEREF _Toc256000081 \h 69APPENDIX H: IMPORTANT LINKS / AWARD CALCULATION PAGEREF _Toc256000083 \h 70APPENDIX I: CURRENT STATE OF SYSTEMS PAGEREF _Toc256000084 \h 71APPENDIX J: WORKFLOW PROCESS EXAMPLES PAGEREF _Toc256000085 \h 72ADDENDUM TO VR&E PERFORMANCE WORK STATEMENT (PWS) PAGEREF _Toc256000087 \h 911.0SOFTWARE SETUP (IT) PAGEREF _Toc256000088 \h 912.0INTEGRATION SERVICES (IT) PAGEREF _Toc256000089 \h 913.0TRANSITION (IT) PAGEREF _Toc256000090 \h 913.1TRANSITION IN PAGEREF _Toc256000092 \h 913.2TRANSITION OUT (IT) PAGEREF _Toc256000094 \h 924.0CERTIFICATION AND AUTHENTICATION (IT) PAGEREF _Toc256000096 \h 93BACKGROUNDThe Department of Veterans Affairs (VA) has authority, pursuant to Title 38 USC Chapters 18, 31, 35 and 36, to provide all services and assistance necessary to enable eligible Veterans with service-connected disabilities to obtain and maintain suitable employment and, if not employable, achieve independence in daily living to the maximum extent feasible. To accomplish this responsibility, the Vocational Rehabilitation and Employment Divisions (VR&E) within each Veterans Benefit Administration (VBA) Regional Office’s (RO) jurisdiction undertakes an initial evaluation of the program participants to determine his or her entitlement for these services and assist and develops, in cooperation with the program participant, an Individualized Written Plan of Services. Rehabilitation plans include the following types: an Individualized Written Rehabilitation Plan (IWRP) that outlines training and job placement services needed to achieve an employment goal; an Individualized Employment Assistance Plan (IEAP) to provide employment services; an Individualized Extended Evaluation Plan (IEEP) to determine feasibility for employment; an Individualized Independent Living Plan (IILP) to provide services that will enhance the participant’s independence in daily living.The VA is charged with providing assistance to program participants with service-connected disabilities through VR&E services. VR&E processed over 113,792 applicants in FY18, resulting in 27,194 new written plans. At the end of FY18, there were?125,513 enrolled VR&E participants.? The VR&E program is embarking on a transformative modernization which will include a suite of technological advancements to achieve the organization’s digital and paperless goals. The Performance Work Statement (PWS) establishes the requirements necessary to provide case management services that enhance delivery of the benefits that program participants receive from Vocational Rehabilitation Counselors (VRC).PURPOSE OF THE PROJECTThe purpose of this project is to acquire a comprehensive VR&E specific configurable commercial off the shelf (COTS), Software as a Solution (Saas) Service that will allow Vocational Rehabilitation and Employment to manage cases and deploy the capability to production as a service hosted within the FedRAMP-certified cloud environment. This will involve internal VA IT development to integrate with systems as outlined in Appendix I. The IT tasks will be done by the VA. This solution should provide improved business process automations while streamlining administrative and financial reporting capabilities. The solution should also alleviate multiple administrative functions assigned to the VRCs, which would allow them more time to engage with their clients. The solution should have the ability to create a participant record utilizing existing VA systems. Record creation should provide a 360-degree view of the participant, which can be leveraged by VR&E to streamline entitlement, plan development and case management processes. The solution should also track all VR&E outreach activities against the contact record. The solution should also be capable of creating multiple records against one participant, should the need arise. Overall, the goal of this solution should be to provide a holistic view of the program participant as they plot their course from outreach to employment and finally, case closure.SCOPE OF WORKThe Contractor shall provide all resources necessary to accomplish the deliverables described in the PWS, except where otherwise specified. The Contractor shall provide a COTS/SaaS business solution that provides the VBA a Case Management Solution Service that enables Vocational Rehabilitation Counselor (VRC) engagement, data entry and documentation within a FedRAMP Certified cloud environment. The Contractor shall perform optimization and testing of all migrated content to the Case Management Solution Service by leveraging current technology and industry best practices. The Contractor shall ensure their ability to work in a collaborative environment with Government personnel and additional Contractors. The service provided shall be accessed and utilized by up to 2500 concurrent VA users located at VBA Central Office, 56 Regional Offices (RO), National Capital Region Benefits Office (NCRBO) and out-based locations throughout the Continental United States (CONUS), Alaska, Hawaii, the Philippines and Puerto Rico. The solution will be used to help manage the workload of Vocational Rehabilitation Counselors (VRC). The Contractor shall recommend improvements and implementation strategies to current VR&E processes. The Contractor shall provide the following services under the terms and conditions of this contract:Provide and configure a commercial off the shelf (COTS)/Software as a Solution (Saas) service solution with no custom development. Implement a Case Management Solution capability hosted and managed within a FedRAMP Certified cloud environment.Functionality for Case Creation and Management, Contact Management, Correspondence, Documentation, Award Management, Business Intelligence and Reporting, User Roles, Permissions and Assignment, System or Data Integration, Workflow Management and Quality Assurance. Ensure secure functionality with encryption algorithms database to handle PII data.Enable bi-directional electronic communication between the Case Management Solution Service and VR&E staff as native functionality within the provided solution.Manage VR&E cases from the beginning to the end of their life cycle. The Contractor shall provide subscriptions for 2500 VR&E employeesandgrant access to the Case Management Solution Service for the term of the contract Subscriptions shall be re-assignable to another user on a need basis.The Contractor shall provide maintenance and support for the Case Management Solution Service for the entire period of performance.The Contractor shall ensure their solution can seamlessly integrate with the defined VA systems as outlined in Appendix I. The Contractor shall plan, monitor, and control the tasks outlined in this PWS. The Contractor shall follow an accepted project management methodology such as the Project Management Body of Knowledge (PMBOK).The Contractor shall recommend improvements and implementation strategies for processes within Vocational Rehabilitation and Employment. The Contractor shall establish a Service Level Management Agreement (SLA) for the service and, in coordination with VA, provide for solution availability and reliability within the terms of the SLA.The Contractor shall develop and perform initial training via in-person or virtual sessions for an estimated two thousand five hundred (2500) VA identified users in the use of the solution.ORDER TYPEThe effort shall be proposed on a Firm Fixed Price basis as specified in the task descriptions in this PWS.PERFORMANCE DETAILSPERIOD OF PERFORMANCEThe period of performance (POP) shall be twelve (12) months from date of award, with four (4) twelve (12) month options, to be executed at the Government’s discretion.Hours of operation are defined as Monday through Friday, 7:30 AM EST - 5:30 PM EST. Any work to be performed at the Government site shall not take place on Federal holidays or weekends unless directed by the Contracting Officer (CO) or Contracting Officer Representative (COR).There are 10 Federal holidays set by law (USC Title 5 Section 6103) that VA follows.Under current definitions, four (4) are set by date:New Year's DayJanuary 1Independence DayJuly 4Veterans DayNovember 11Christmas DayDecember 25If any of the above falls on a Saturday, then Friday shall be observed as a holiday. Similarly, if one falls on a Sunday, then Monday shall be observed as a holiday.The other six (6) are set by a day of the week and month:Martin Luther King's BirthdayThird Monday in JanuaryWashington's BirthdayThird Monday in FebruaryMemorial DayLast Monday in MayLabor DayFirst Monday in SeptemberColumbus DaySecond Monday in OctoberThanksgivingFourth Thursday in November PLACE OF PERFORMANCEThe primary place of performance under this PWS shall be at the Contractor’s facility. However, some tasks may be performed at designated Government site(s). TRAVEL OR SPECIAL REQUIREMENTSThe Government anticipates travel to perform the tasks associated with this effort, as well as to attend program-related meetings and/or conferences. The estimated number of trips in support of the program related to meetings and/or conferences is three (3) five-day trips to Washington, DC and three (3) two-day trips to VR&E Regional Office locations to be determined. The Government estimates the Contractor will include up to (3) three personnel for program support on each trip. Include all estimated travel costs in your firm-fixed price line items. Travel is for the base period of performance and not anticipated for the option years. These costs will not be directly reimbursed by the Government. Anticipated location estimated at five (5) days in duration:1800 G Street, NW, Washington, DCAnticipated location(s) estimated at two (2) days in duration: TBD – based on mutual project needsTBD – based on mutual project needsTBD – based on mutual project needs SPECIFIC TASKS AND DELIVERABLESThe Contractor shall perform the following: PROJECT MANAGEMENT (Non-IT)The Contractor shall plan, monitor, and control the tasks outlined in this PWS. The Contractor shall follow an accepted project management methodology such as the Project Management Body of Knowledge (PMBOK).CONTRACTOR PROJECT MANAGEMENT PLANThe Contractor shall establish a Work Breakdown Structure (WBS) and Integrated Master Schedule (IMS) for performing these tasks. The Contractor shall identify risks the Contractor recognizes in the performance of these tasks along with the Contractor’s recommendations for managing these identified risks.After award, the Contractor shall deliver a Contractor Project Management Plan (CPMP) that includes the Contractor’s plans, timeline and tools to be used in execution of this Contract effort. ? The CPMP shall take the form of both a narrative and graphic format that displays the schedule, milestones, risks and resource support.??The CPMP shall describe, in detail, the Contractor’s plans for each aspect of the tasks as defined in the Contractor’s proposal. At minimum, the CPMP shall include the risk management plan and risk register, technical / management approach, quality management plan, communications plan, continuity of operations plan, staffing plan (including a subsection on how the Contractor intends to encourage and facilitate the hiring of Veterans for this effort), security plan, logistics plan, work breakdown structure (WBS), schedule management approach, and schedule. The CPMP shall also include how the Contractor shall coordinate and execute planned, routine, and ad-hoc data collection reporting requests as identified within the PWS. The initial baseline CPMP shall be concurred upon by VA. The Contractor shall update the CPMP on a quarterly basis and maintain the VA PM approved CPMP throughout the period(s) of performance. Deliverables: Contractor Project Management Plan (CPMP)All written deliverables will be phrased in layperson language. All technical and statistical terminology shall be omitted unless preceded with a glossary of terms.Where a written milestone deliverable is required in draft form, VBA will complete their review of the draft deliverable within 15 calendar days from date of receipt. The Contractor shall have 10 calendar days to deliver the final deliverable from date of receipt of the government’s comments.All contractor personnel requiring access to program participant claim information shall be required to complete a background investigation and sign a confidentiality agreement. The delegated VBA Contracting Officer Representative (COR) will be the contractors POC for completing these investigations. All deliverables, except where specified elsewhere, shall be provided electronically to the COR. All deliverables shall be delivered utilizing VBA compatible (type and version) software and shall become the sole property of the VBA upon receipt. B. Quarterly PMP UpdatesREPORTING REQUIREMENTS The Contractor shall provide the Contracting Officer Representative (COR) with monthly written Project Progress Reports. The Monthly Project Progress Reports shall cover all work completed during the reporting period and work planned for the subsequent reporting period. The report shall also identify any problems that arose and a description of how the problems were resolved, risks identified and detailed risk information. If problems have not been completely resolved, the Contractor shall submit an explanation including their plan and timeframe for resolving the issue. The Contractor shall remain in constant communication with VA to ensure any issues that ariseare transparent and to prevent unnecessary escalation of outstanding issues.Deliverables:A. Monthly Project Progress Report.TECHNICAL KICKOFF MEETING The Contractor shall coordinate and facilitate a technical kickoff meeting within seven calendar days following Contract award, unless otherwise specified by the VA. In addition to the introduction of its contract leadership team, the Contractor shall present, for review and approval by the Government, the details of the intended approach, work plan, and project schedule for each effort. The Contractor shall specify dates, locations (can be virtual), agenda (shall be provided to all attendees at least five (5) calendar days prior to the meeting), and meeting minutes (shall be provided to all attendees within three (3) calendar days following the meeting). The Contractor shall at a minimum; invite the Contracting Officer (CO), Contract Specialist (CS), COR, and the VA Program Managers (Vocational Rehabilitation and Employment (VR&E), Office of Business and Integration (OBPI), and Office of Information and Technology (OI&T).Deliverables:Kick-Off Meeting and Presentation.Kick-Off Meeting Minutes.RECOMMEND AND IMPLEMENT CHANGES FOR PARTICIPANT ORIENTATION AND THE INITIAL DATA COLLECTION METHODOLOGY (NON-IT)The contractor shall understand current business processes, developrecommendations and implement approved improvements. The improvements should be measurable for impact and success (See TBD for performance measures).Deliverables: Detailed gap analysis of current process and recommendations to enhance and improve service delivery. Recommended workflow.Implementation Plan.TBD performance-based deliverables.RECOMMEND AND IMPLEMENT CHANGES FOR COLLECTION OF THE REHABILITATION NEEDS INVENTORY (VA FORM 28-1902W) (NON-IT)The contractor shall understand current business processes, developrecommendations and implement approved improvements. The improvements should be measurable for impact and success (See TBD for performance measures).Deliverables: Detailed gap analysis of current process and recommendations to enhance and improve service delivery. Recommended workflow. Implementation Plan.TBD performance-based deliverables.RECOMMEND AND IMPLEMENT CHANGES FOR BENEFICIARY TRAVEL PROCESSES METHODOLOGY (NON-IT)The contractor shall understand current business processes, developrecommendations and implement approved improvements. The improvements should be measurable for impact and success (See TBD for performance measures).Deliverables: Detailed gap analysis of current process and recommendations to enhance and improve service delivery. Recommended workflow. Implementation Plan.TBD performance-based deliverables.RECOMMEND AND IMPLEMENT CHANGES FOR LOGISTICS FOR PAYMENT OF SERVICES RENDERED BY TUTORS BY AN INDIVIDUAL OR THROUGH A SERVICE COMPANY (NON-IT)The contractor shall understand current business processes, developrecommendations and implement approved improvements. The improvements should be measurable for impact and success (See TBD for performance measures).Deliverables: Detailed gap analysis of current process and recommendations to enhance and improve service delivery. Recommended workflow. Implementation Plan.TBD performance-based deliverables.RECOMMEND AND IMPLEMENT CHANGES FOR VHA MEDICAL SERVICES REFERRAL PROCESS FOR VR&E PROGRAMS (NON-IT)The contractor shall understand current business processes, developrecommendations and implement approved improvements. The improvements should be measurable for impact and success (See TBD for performance measures).Deliverables: Detailed gap analysis of current process and recommendations to enhance and improve service delivery. Recommended workflow. Implementation Plan.TBD performance-based deliverables.RECOMMEND AND IMPLEMENT CHANGES FOR COLLECTION OF DATA APPLICABLE TO A PROGRAM PARTICIPANT’S STATUS (CRIMINAL HISTORY/CREDIT REPORT/EMPLOYMENT AND LOCATION) (NON-IT)The contractor shall understand current business processes, developrecommendations and implement approved improvements. The improvements should be measurable for impact and success (See TBD for performance measures).Deliverables: Detailed gap analysis of current process and recommendations to enhance and improve service delivery. Recommended workflow. Implementation Plan.TBD performance-based deliverables.RECOMMEND AND IMPLEMENT CHANGES FOR COLLECTION OF DATA FOR TUITION AND FEES FROM VARIOUS INSTITUTIONS OF HIGHER LEARNING (NON-IT)The contractor shall understand current business processes, developrecommendations and implement approved improvements. The improvements should be measurable for impact and success (See TBD for performance measures).Deliverables: Detailed gap analysis of current process and recommendations to enhance and improve service delivery. Recommended workflow. Implementation Plan.TBD performance-based deliverables.PROVIDE, IMPLEMENT, AND SUPPORT VOCATIONAL REHABILITATION AND EMPLOYMENT CASE MANAGEMENT SOLUTION AS A SERVICE (Non-IT)The Contractor shall provide and configure a commercial off the shelf (COTS)/Software as a Solution (Saas) service that will allow Vocational Rehabilitation and Employment staff to manage cases. This solution shall be able to be configured to support implementations of recommendations in tasks 5.2 to 5.8. Deliverables: Detailed plan, including all necessary components for implementation and support of the solution.SERVICE LEVEL AGREEMENT (Non-IT)The Contractor shall establish a Service Level Management Agreement (SLA) for the service and, in coordination with VA, provide for solution availability and reliability within the terms of the SLA. The SLA shall include the following predefined requirements:The service shall be available to VBA users 99.3% of the time, 24 hours a day, 7 days a week, 365 days a year for access to all service functions and access to all images and associated metadata exclusive of planned, approved downtime for maintenance.Any planned periods of unavailability due to routine releases shall be approved by the COR at least ten (10) government business days in advance.Any planned periods of unavailability due to emergency releases shall be approved by the COR at least three (3) government business days in advance for emergency releases.The service shall leverage VA Identity Services to validate VA personnel authorized to view and update images and associated metadata in accordance with VA Common Security Services guidelines 100% of the time.Deliverables: Service Level Agreement (SLA).TRAINING (Non-IT)The Contractor shall develop and perform initial training for an estimated two thousand five hundred (2500) VA identified users in the use of the solution. The Contractor’s training shall support training delivery via in-person or virtual sessions. Training delivery may be recorded during live delivery to VA; pre-recorded initial training is not acceptable. The Contractor shall develop and submit to the Government for review Electronic User Guides, exercises, training documentation and / or training aids as required supporting training activities. The Contractor shall also develop an accompanying electronic User Manual that VA will subsequently make available to new users of the service. The electronic User Manual shall be delivered along with the training manual. All training methodology must be Section 508 of the Rehabilitation Act of 1973The Contractor shall revise the service User Guides, including the accompanying electronic User Manual, as substantial changes are made to the solution and include in their proposal the planned promulgation, distribution and implementation procedures for updated User Manuals. The Contractor shall submit a detailed training plan with timelines and schedules, sufficiently detailed to identify user training plans, and that provides for ongoing updates as the service is updated and released.?Deliverables: Training for interested VR&E parties. Detailed Training Plan.Electronic User Guides / User’s Manual.OPTION PERIODSIf the Option Period(s) are exercised by the Government, the Contractor shall continue to perform all above tasks GENERAL REQUIREMENTSVA personnel shall be able to exercise all required functionality in the solution without the need to modify the standard VA desktop configuration baseline.The Contractor shall maintain a Secure File Transfer Protocol (SFTP) service used for transmitting real time VA sensitive information between the Government and the Contractor. The use of Contractor corporate email accounts shall not be authorized for this purpose, nor shall any PII or PHI ever be transmitted via Contractor corporate or personal email accounts.The contractor is solely responsible for the quality of all work performed under this award. The contractor shall have a mature and effective Quality Management System (QMS) in accordance with ISO/ANSI/ASQ 9001 or equivalent. The contractor shall make available, for review by the Government, quality system procedures, planning and all other documentation and data that comprise the Contractor’s quality system for both hardware and software. The Government will review the documents that comprise the QMS and may perform any necessary inspections and/or evaluations to confirm conformance to requirements and adequacy of the QMS.The Government representative(s) will monitor performance by the Contractor to determine how the Contractor is performing against performance standards. The Contractor will be responsible for making required changes in processes and practices to ensure performance is managed effectively. The Contractor will be monitored and assessed throughout the period of performance of the contract as to either meeting or not meeting the performance thresholds stated in Section 6.1, Performance Metrics, and Section 6.2, Performance Requirements Summary.PERFORMANCE METRICSAt the end of each assessment period, the assessment will be reviewed by the Program Manager and CO. The COR / CO will notify the Contractor of the results no later than fifteen (15) working days after the end of the assessment period. The Contracting Officer’s Representative (COR) will perform quarterly assessments. The Performance Based Service Assessment Survey, or other method, may be used to document this assessment. The table below defines the Performance Metrics associated with this effort. Performance ObjectivePerformance StandardAcceptable Performance LevelsTechnical NeedsShows understanding of requirementsEfficient and effective in meeting requirements Meets technical needs and mission requirementsOffers quality services/productsSatisfactory or higherProject Milestones and ScheduleQuick response capabilityProducts completed, reviewed, delivered in timely mannerNotifies customer in advance of potential problemsSatisfactory or higherProject StaffingCurrency of expertisePersonnel possess necessary knowledge, skills and abilities to perform tasksSatisfactory or higherValue AddedProvided valuable service to GovernmentServices/products delivered were of desired qualitySatisfactory or higherThe Government will utilize a Quality Assurance Surveillance Plan (QASP) throughout the life of the contract to ensure that the Contractor is performing the services required by this PWS in an acceptable manner. The Government reserves the right to alter or change the QASP at its own discretion. A Performance Based Service Assessment Survey will be used in combination with the QASP to assist the Government in determining acceptable performance levels. The COR will determine if the performance of the Contractor is below a metric standard and deem it unacceptable.? The COR will then notify the Contracting Officer.The Contractor will be monitored and assessed throughout the period of performance of the contract and subsequent option periods as applicable to ensure adherence to the mutually agreed upon performance thresholds stated in the Performance Metrics Section of the PWS. The Contracting Officer’s Representative (COR) will perform quarterly assessments. The Performance Based Service Assessment Survey, or other method, may be used to document this assessment. PERFORMANCE REQUIREMENTS SUMMARYSee Appendix B.FEDERAL IDENTITY, CREDENTIAL, AND ACCESS MANAGEMENT (FICAM) The Contractor shall ensure Commercial Off-The-Shelf (COTS)/Software as a Solution (Saas) product(s), software configuration and customization, and/or new software are Personal Identity Verification (PIV) card-enabled by accepting HSPD-12 PIV credentials using VA Enterprise Technical Architecture (ETA), , and VA Identity and Access Management (IAM) approved enterprise design and integration patterns, . The Contractor shall ensure all Contractor delivered applications and systems comply with the VA Identity, Credential, and Access Management policies and guidelines set forth in the VA Handbook 6510 and align with the Federal Identity, Credential, and Access Management Roadmap and Implementation Guidance v2.0.The Contractor shall ensure all Contractor delivered applications and systems provide user authentication services compliant with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-63-3, VA Handbook 6500 Appendix F, “VA System Security Controls”, and VA IAM enterprise requirements for direct, assertion based authentication, and/or trust based authentication, as determined by the design and integration patterns.?Direct authentication at a minimum must include Public Key Infrastructure (PKI) based authentication supportive of PIV card and/or Common Access Card (CAC), as determined by the business need.The Contractor shall ensure all Contractor delivered applications and systems conform to the specific Identity and Access Management PIV requirements set forth in the Office of Management and Budget (OMB) Memoranda M-04-04, M-05-24, M-11-11, and NIST Federal Information Processing Standard (FIPS) 201-2. OMB Memoranda M-04-04, M-05-24, and M-11-11 can be found at: , , and respectively. Contractor delivered applications and systems shall be on the FIPS 201-2 Approved Product List (APL). If the Contractor delivered application and system is not on the APL, the Contractor shall be responsible for taking the application and system through the FIPS 201 Evaluation Program.The Contractor shall ensure all Contractor delivered applications and systems support:Automated provisioning and are able to use enterprise provisioning service.Interfacing with VA’s Master Veteran Index (MVI) to provision identity attributes, if the solution relies on VA user identities. MVI is the authoritative source for VA user identity data.The VA defined unique identity (Secure Identifier [SEC ID] / Integrated Control Number [ICN]).Multiple authenticators for a given identity and authenticators at every Authenticator Assurance Level (AAL) appropriate for the solution.Identity proofing for each Identity Assurance Level (IAL) appropriate for the solution.Federation for each Federation Assurance Level (FAL) appropriate for the solution, if applicable.Two-factor authentication (2FA) through an applicable design pattern as outlined in VA Enterprise Design Patterns.A Security Assertion Markup Language (SAML) implementation if the solution relies on assertion based authentication. Additional assertion implementations, besides the required SAML assertion, may be provided as long as they are compliant with NIST SP 800-63-3 guidelines.Authentication/account binding based on trusted Hypertext Transfer Protocol (HTTP) headers if the solution relies on Trust based authentication.Role Based Access Control.Auditing and reporting pliance with VAIQ# 7712300 Mandate to meet PIV requirements for new and existing systems. required Assurance Levels for this specific effort are Identity Assurance Level 3, Authenticator Assurance Level 3, and Federation Assurance Level 3.TRUSTED INTERNET CONNECTION (TIC)The Contractor solution shall meet the requirements outlined in Office of Management and Budget Memorandum M08-05 mandating Trusted Internet Connections (TIC) (), M08-23 mandating Domain Name System Security (NSSEC) ), and shall comply with the Trusted Internet Connections (TIC) Reference Architecture Document, Version 2.0 AND PRIVACY REQUIREMENTSThe Contractor shall provide a service that includes authentication procedures for Contractor and VA resources authorized to access, view and edit available data and associated metadata including one of the VA approved authentication methodologies as outlined by the Identity, Credential, and Access Management (ICAM) Program Management Office which allows trusted users access to VA services via their VA Personal Identity Verification (PIV) badge. The Contractor shall provide support to VA in obtaining and maintaining any ATO or, if acceptable to the Government, any IATO. For detailed Security and Privacy Requirements refer to Attachment B, Authorization Requirements Standard Operating Procedures Version 3.8.POSITION/TASK RISK DESIGNATION LEVEL(S)In accordance with VA Handbook 0710, Personnel Security and Suitability Program, the position sensitivity and the level of background investigation commensurate with the required level of access for the tasks within the PWS are:POSITION SENSITIVITY AND BACKGROUND INVESTIGATION REQUIREMENTSPosition Sensitivity and Background Investigation - The position sensitivity and the level of background investigation commensurate with the required level of access is: FORMCHECKBOX Tier 1/Low Risk FORMCHECKBOX Tier 2/Moderate Risk FORMCHECKBOX Tier 4/High RiskThe Position Sensitivity and Background Investigation requirements identify, in effect, the Background Investigation requirements for Contractor individuals, based upon the tasks the particular Contractor individual will be working. The submitted Contractor Staff Roster must indicate the required Background Investigation Level for each Contractor individual based upon the tasks the Contractor individual will be working, in accordance with their submitted proposal.CONTRACTOR PERSONNEL SECURITY REQUIREMENTSContractor Responsibilities: The Contractor shall prescreen all personnel requiring access to the computer systems to ensure they maintain the appropriate Background Investigation, and are able to read, write, speak and understand the English language.Within three (3) business days after award, the Contractor shall provide a roster of Contractor and Subcontractor employees to the COR to begin their background investigations. The Contractor Staff Roster shall contain the Contractor’s Full Name, Date of Birth, Place of Birth, individual background investigation level requirement (based upon Section 6.2 Tasks), etc. The Contractor shall submit full Social Security Numbers either within the Contractor Staff Roster or under separate cover to the COR. The Contractor Staff Roster shall be updated and provided to VA within one (1) day of any changes in employee status, training certification completion status, Background Investigation level status, additions/removal of employees, etc. throughout the Period of Performance. The Contractor Staff Roster shall remain a historical document indicating all past information and the Contractor shall indicate in the Comment field, employees no longer supporting this contract. The preferred method to send the Contractor Staff Roster or Social Security Number is by encrypted e-mail. If unable to send encrypted e-mail, other methods which comply with FIPS 140-2 are to encrypt the file, use a secure fax, or use a traceable mail service.The Contractor should coordinate with the location of the nearest VA fingerprinting office through the COR. Only electronic fingerprints are authorized. The Contractor shall bring their completed Security and Investigations Center (SIC) Fingerprint request form with them (see paragraph d.4. below) when getting fingerprints taken.The Contractor shall ensure the following required forms are submitted to the COR within 5 days after contract award:Optional Form 306Self-Certification of Continuous ServiceVA Form 0710 Completed SIC Fingerprint Request FormThe Contractor personnel shall submit all required information related to their background investigations (completion of the investigation documents (SF85, SF85P, or SF 86) utilizing the Office of Personnel Management’s (OPM) Electronic Questionnaire for Investigations Processing (e-QIP) after receiving an email notification from the Security and Investigation Center (SIC). The Contractor employee shall certify and release the e-QIP document, print and sign the signature pages, and send them encrypted to the COR for electronic submission to the SIC. These documents shall be submitted to the COR within three (3) business days of receipt of the e-QIP notification email. (Note: OPM is moving towards a “click to sign” process. If click to sign is used, the Contractor employee should notify the COR within three (3) business days that documents were signed via e-QIP).The Contractor shall be responsible for the actions of all personnel provided to work for VA under this contract. In the event that damages arise from work performed by Contractor provided personnel, under the auspices of this contract, the Contractor shall be responsible for all resources necessary to remedy the incident.A Contractor may be granted unescorted access to VA facilities and/or access to VA Information Technology resources (network and/or protected data) with a favorably adjudicated Special Agreement Check (SAC), completed training delineated in VA Handbook 6500.6 (Appendix C, Section 9), signed “Contractor Rules of Behavior”, and with a valid, operational PIV credential for PIV-only logical access to VA’s network. A PIV card credential can be issued once your SAC has been favorably adjudicated and your background investigation has been scheduled by OPM. However, the Contractor will be responsible for the actions of the Contractor personnel they provide to perform work for VA. The investigative history for Contractor personnel working under this contract must be maintained in the database of OPM.The Contractor, when notified of an unfavorably adjudicated background investigation on a Contractor employee as determined by the Government, shall withdraw the employee from consideration in working under the contract.Failure to comply with the Contractor personnel security investigative requirements may result in loss of physical and/or logical access to VA facilities and systems by Contractor and Subcontractor employees and/or termination of the contract for default.Identity Credential Holders must follow all HSPD-12 policies and procedures as well as use and protect their assigned identity credentials in accordance with VA policies and procedures, displaying their badges at all times, and returning the identity credentials upon termination of their relationship with VA.Deliverable:Contractor Staff Roster6.8 METHOD AND DISTRIBUTION OF DELIVERABLESThe Contractor shall deliver documentation in electronic format, unless otherwise directed in Section B of the solicitation/contract. Acceptable electronic media include: MS Word 2000/2003/2007/2010, MS Excel 2000/2003/2007/2010, MS PowerPoint 2000/2003/2007/2010, MS Project 2000/2003/2007/2010, MS Access 2000/2003/2007/2010, MS Visio 2000/2002/2003/2007/2010, and Adobe Postscript Data Format (PDF).APPLICABLE DOCUMENTSIn the performance of the tasks associated with this PWS, the Contractor shall comply with the following documents:44 U.S.C. § 3541-3549,?“Federal Information Security Management Act (FISMA) of 2002”“Federal Information Security Modernization Act of 2014”Federal Information Processing Standards (FIPS) Publication 140-2, “Security Requirements for Cryptographic Modules”FIPS Pub 199. Standards for Security Categorization of Federal Information and Information Systems, February 2004FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2016FIPS Pub 201-2, “Personal Identity Verification of Federal Employees and Contractors,” August 201310 U.S.C. § 2224, "Defense Information Assurance Program"Carnegie Mellon Software Engineering Institute, Capability Maturity Model? Integration for Development (CMMI-DEV), Version 1.3 November 2010; and Carnegie Mellon Software Engineering Institute, Capability Maturity Model? Integration for Acquisition (CMMI-ACQ), Version 1.3 November 20105 U.S.C. § 552a, as amended, “The Privacy Act of 1974” Public Law 109-461, Veterans Benefits, Health Care, and Information Technology Act of 2006, Title IX, Information Security Matters42 U.S.C. § 2000d “Title VI of the Civil Rights Act of 1964”VA Directive 0710, “Personnel Security and Suitability Program,” June 4, 2010, Handbook 0710, Personnel Security and Suitability Security Program, May 2, 2016, HYPERLINK "" \o "VA Publications Homepage" Directive and Handbook 6102, “Internet/Intranet Services,” July 15, 200836 C.F.R. Part 1194 “Electronic and Information Technology Accessibility Standards,” July 1, 2003Office of Management and Budget (OMB) Circular A-130, “Managing Federal Information as a Strategic Resource,” July 28, 201632 C.F.R. Part 199, “Civilian Health and Medical Program of the Uniformed Services (CHAMPUS)”An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, October 2008508 of the Rehabilitation Act (29 U.S.C. § 794d), as amended by the Workforce Investment Act of 1998 (P.L. 105-220), August 7, 1998Homeland Security Presidential Directive (12) (HSPD-12), August 27, 2004VA Directive 6500, “Managing Information Security Risk: VA Information Security Program,” September 20, 2012VA Handbook 6500, “Risk Management Framework for VA Information Systems – Tier 3: VA Information Security Program,” March 10, 2015VA Handbook 6500.1, “Electronic Media Sanitization,” November 03, 2008VA Handbook 6500.2, “Management of Breaches Involving Sensitive Personal Information (SPI)”, July 28, 2016VA Handbook 6500.3, “Assessment, Authorization, And Continuous Monitoring Of VA Information Systems,” February 3, 2014VA Handbook 6500.5, “Incorporating Security and Privacy in System Development Lifecycle”, March 22, 2010VA Handbook 6500.6, “Contract Security,” March 12, 2010VA Handbook 6500.8, “Information System Contingency Planning”, April 6, 2011One-VA Technical Reference Model (TRM) (reference at )VA Directive 6508, “Implementation of Privacy Threshold Analysis and Privacy Impact Assessment,” October 15, 2014VA Handbook 6508.1, “Procedures for Privacy Threshold Analysis and Privacy Impact Assessment,” July 30, 2015VA Handbook 6510, “VA Identity and Access Management”, January 15, 2016VA Directive 6300, Records and Information Management, February 26, 2009VA Handbook, 6300.1, Records Management Procedures, March 24, 2010NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: a Security Life Cycle Approach, June 10, 2014NIST SP 800-53 Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations, January 22, 2015OMB Memorandum, “Transition to IPv6”, September 28, 2010VA Directive 0735, Homeland Security Presidential Directive 12 (HSPD-12) Program, October 26, 2015VA Handbook 0735, Homeland Security Presidential Directive 12 (HSPD-12) Program, March 24, 2014OMB Memorandum 04-04, E-Authentication Guidance for Federal Agencies, December 16, 2003OMB Memorandum 05-24, Implementation of Homeland Security Presidential Directive (HSPD) 12 – Policy for a Common Identification Standard for Federal Employees and Contractors, August 5, 2005OMB memorandum M-11-11, “Continued Implementation of Homeland Security Presidential Directive (HSPD) 12 – Policy for a Common Identification Standard for Federal Employees and Contractors, February 3, 2011OMB Memorandum, Guidance for Homeland Security Presidential Directive (HSPD) 12 Implementation, May 23, 2008Federal Identity, Credential, and Access Management (FICAM) Roadmap and Implementation Guidance, December 2, 2011NIST SP 800-116, A Recommendation for the Use of Personal Identity Verification (PIV) Credentials in Physical Access Control Systems, November 20, 2008OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 22, 2007NIST SP 800-63-3, 800-63A, 800-63B, 800-63C, Digital Identity Guidelines, June 2017NIST SP 800-157, Guidelines for Derived PIV Credentials, December 2014NIST SP 800-164, Guidelines on Hardware-Rooted Security in Mobile Devices (Draft), October 2012Draft National Institute of Standards and Technology Interagency Report (NISTIR) 7981 Mobile, PIV, and Authentication, March 2014VA Memorandum, VAIQ #7100147, Continued Implementation of Homeland Security Presidential Directive 12 (HSPD-12), April 29, 2011 (reference )IAM Identity Management Business Requirements Guidance document, May 2013, (reference Enterprise Architecture Section, PIV/IAM (reference )VA Memorandum “Mandate to meet PIV Requirements for New and Existing Systems” (VAIQ# 7712300), June 30, 2015, Internet Connections (TIC) Reference Architecture Document, Version 2.0, Federal Interagency Technical Reference Architectures, Department of Homeland Security, October 1, 2013, OMB Memorandum M-08-05, “Implementation of Trusted Internet Connections (TIC), November 20, 2007OMB Memorandum M-08-23, Securing the Federal Government’s Domain Name System Infrastructure, August 22, 2008VA Memorandum, VAIQ #7497987, Compliance – Electronic Product Environmental Assessment Tool (EPEAT) – IT Electronic Equipment, August 11, 2014 (reference Document Libraries, EPEAT/Green Purchasing Section, ) Sections 524 and 525 of the Energy Independence and Security Act of 2007, (Public Law 110–140), December 19, 2007Section 104 of the Energy Policy Act of 2005, (Public Law 109–58), August 8, 2005Executive Order 13693, “Planning for Federal Sustainability in the Next Decade”, dated March 19, 2015Executive Order 13221, “Energy-Efficient Standby Power Devices,” August 2, 2001VA Directive 0058, “VA Green Purchasing Program”, July 19, 2013VA Handbook 0058, “VA Green Purchasing Program”, July 19, 2013Office of Information Security (OIS) VAIQ #7424808 Memorandum, “Remote Access”, January 15, 2014, Act of 1996, 40 U.S.C. §11101 and §11103VA Memorandum, “Implementation of Federal Personal Identity Verification (PIV) Credentials for Federal and Contractor Access to VA IT Systems”, (VAIQ# 7614373) July 9, 2015, Memorandum “Mandatory Use of PIV Multifactor Authentication to VA Information System” (VAIQ# 7613595), June 30, 2015, Memorandum “Mandatory Use of PIV Multifactor Authentication for Users with Elevated Privileges” (VAIQ# 7613597), June 30, 2015; Memorandum “Use of Personal Email (VAIQ #7581492)”, April 24, 2015, Memorandum “Updated VA Information Security Rules of Behavior (VAIQ #7823189)”, September, 15, 2017, Control Schedule VB-1; dated January 31, 2014VA Handbook 0730, Security and Law Enforcement, dated August 11, 2000 ( )VA Handbook 0730/1, Security and Law Enforcement, dated August 20, 2004 ( )VA Handbook 0730/4, Security and Law Enforcement, dated March 29, 2013 ( )Service Business Rules/Requirements (Appendix A)APPENDIX A: REQUIREMENTSCase Creation and ManagementReq IDApplication SubmissionThe system shall allow manual entry of application data. Req IDReceipt and Ingest of ApplicationThe system shall have the ability to ingest data from electronically submitted applications from the Department of Veterans Affairs authoritative source. Mandatory entries and formats shall be validated per business rules.Req IDRecord CreationThe system shall be able to create and maintain a single profile for each program participant.The system shall have the ability to update defined demographic information at any time. The system shall be able to accept foreign addresses. The system shall be able to handle and display a permanent and a temporary data field for things such as address, email address and phone numbers. Req IDEligibility DeterminationThe system shall be able to automate eligibility determinations based on established business rules.The system shall have the ability to process an automated positive eligibility determination based on established business rules.The system shall have the ability to process an automated non-positive eligibility determination based on established business rules.Req IDCase CreationSystem shall have the ability to have case statuses. System shall have the ability to assign case statuses. The system shall have the ability to add new case status as defined by the business. The system shall have within each case status a subcategory as defined by the business. Req IDRecord/Case Edit and NotesThe system shall have the ability to have free text note field based on established business rules.The system shall have spelling and grammar correction capability. The system shall have the ability to label and classify case note types.The system shall have an expanded free text field.Req IDReceipt of Supporting DocumentationThe system shall have the ability to accept applicant data from VA and external VA sources based on established business rules.The system shall be able to handle and alert users when outside information is ingested into the system. Req IDUpload and Store Supporting DocumentationThe system shall be able to receive and upload scanned receipts.The system shall be able to receive and upload vouchers.The system shall have the ability to receive class schedules and progress reports from training facilities.Req IDLifecycle ManagementThe system shall recognize timeframes for actions to take place and if action has not occurred react according to established business rules. The system shall have an automated Rehabilitation Plan with all required elements as per the business. The system shall for Rehabilitation Plans have the ability to allow standardized objectives or free text objectives as defined by the business. The system shall have an approval process to reopen closed cases based on established business rules. The system shall have the ability to control movement from one case status to another based on established business rules. The system shall have the ability to restrict actions based on established business rules. The system shall have the ability to check Independent Living criteria based on established business rules.The system shall include a home modification data field.The system shall have the ability to validate certain actions have taken place.The system shall have the ability to validate criteria has been met for a self-employment plan based on established business rules. The system shall have the ability to validate criteria has been met for special employer incentives based on established business rules.The system shall have the ability to archive cases based on established business rules.The system shall have the ability to reopen an archived case to a defined case status.The system shall have the ability to complete and document a feasibility determination.The system shall have the ability to complete and document an entitlement determination.The system shall be able to have a cap on the number individuals entering independent living case plans each year.The system shall have the ability to capture the job readiness determination.The system shall have the ability to allow the user to document job placement information as defined by the VA. The system shall allow specific cases to be marked as defined by established business rules. The system shall have the ability to identify the service details of a plan objective, to mark them as completed, or and/or to suspend themThe system shall have reason codes as defined by the business. The system shall have the ability to create, activate and inactivate/archive reason codes as needed. The system shall have a filter allowing selection by benefit type.The system shall allow the selection of chapters as a benefit type based on defined business rules.The system shall have the ability to notify VR&E employees of certain actions that need to be taken. The system shall have defined case status for each benefit program. The system shall have the ability to track timeframes. The system shall have the ability to track case status movements.The system shall capture date and time stamps based on the user’s geographical time zone.The system shall allow changes to any established business rules when needed. The system shall capture the folder location based on established business rules.The system shall have the ability to notify pending case transfers based on the business established rules. The system shall have the ability to display sortable pending approvals with data elements defined by the business. The system will have the ability to track participant milestones such as who completed a 4-year degree, graduate, or certificate program.The system will have the ability to track participant academic degree and majors attempted and completed.The system shall notify users that an approval is pending based in established business rules. The system shall be able to manage the Vocational Rehabilitation Panel based on established business rules. The systems shall be able to manage Appeals and Administrative Higher-Level Review (HLR) based on defined business rules. The system shall be able to display a Release from Active Duty (RAD) date.The system shall allow future Release from Active Duty (RAD) dates.The system shall allow dependents to be added or removed where the business defines. The system shall have the ability to transfer cases based on established business rules. The system shall have a case status workflow that can be changed in the future based on business need. The system shall perform data validation in fields based on defined business rules. The system shall provide a web Rehabilitation Needs Inventory VA Form 28-1902w functionality. The system shall have the ability to open multiple windows/tabs that users will be able to view at one time.The system shall allow changes to data based on established business rules.The system shall have the ability to delineate within each chapter and across chapters creating a clear start and stop designated by datesThe system shall have the ability to prioritize work items based on defined business rules.Req IDAssignment, Referral and SchedulingThe system shall have the ability to assign program participants to jurisdictions based on established business rules. The system shall have the ability to assign program participants to a case manager based on established business rules. The system shall allow for the setup and execution of the initial evaluation appointment for entitlement decision.Req IDWork Queue/DistributionThe system shall have a customizable area for authorized users where they can see their case load, i.e. a dashboard. Req IDHistory and AuditThe system shall maintain an audit trail of relevant case data in accordance with established business rules.The system shall allow historical data to be captured and stored. The system shall restrict deletions/changes to data based on established business rules. Contact ManagementReq IDContact Creation, Profile and TrackingThe system shall allow for scheduling of group and individual appointments.Req IDData Capture and DeduplicationThe system shall have the ability to set a required contact frequency.Req IDData Storage and RetrievalThe system shall meet all VA’s security and data storage policies. CorrespondenceReq IDLetter Generation (Auto / Manual)The system shall generate appropriate award/denial/adverse action letter when an award is authorized, changed, or terminated.The system shall have the ability to create letters in batch run.The system shall have the ability to store national letter templates.The system shall have the ability to allow for the creation of customizable local letters (with local letterhead) by selecting specific fields in addition to free text fields.The system will have the ability to restrict adding local letters according to established business rulesThe system shall have the ability to save customizable fields within letter template for future access.The system shall have the ability to capture multiple data fields across multiple screens and place into existing letter templates based on defined business rules. Req IDAlerts and NotificationThe system shall have the ability to prevent notifications from being released to program participants. The system shall have the ability to send notifications to program participants based on established business rules. The system shall have the ability to send notification that a new document has been uploaded to the VA’s electronic repository.Req IDInboundThe system shall allow the user the ability to upload letters to VA’s electronic repository as a PDF. Req IDOutboundThe system shall have the ability to take data from the system and fill out predefined forms in Word and PDF. DocumentationReq IDFile Upload and SubmissionThe system shall have the ability to upload documents to the VA’s electronic repository.Req IDStorageThe system shall have the ability to view documents in the VA’s electronic repository. The system shall be able to provide a document holding area outside the VA’s electronic repository for submitted documents for review and acceptance prior to uploadBI and ReportingReq IDData MigrationThe system shall be able to store migrated data from CWINRS and the VSOC Access database, and relevant FMBT information according to established business rules.Req IDData AnalysisThe system shall track program participants that were referred to DoL for Labor Market Information (LMI).The system shall be able to document program participant enrolled in the Foreign Medical Program for healthcare overseas.The system shall track program participants that were referred to DoL for job placement services.The system shall maintain and make reportable the data relating to an Employment Adjustment Allowance (EAA) authorization.The system shall have the ability to track and report on program participants attending a foreign school and/or has a foreign address. The system shall have the ability to track Revolving Fund Loan amounts per Regional Office based on established business rules. The system shall be able to generate and track referrals for services to contractors.The system shall have the ability to track records moving from one regional office to another.The system shall be able to report the total cost of services provided for program participants as defined by the business. The system shall have the capability to capture all positive outcomes down to the program participant levelThe system shall allow for flagging/uniquely identifying program participants as defined by the business.Req IDReport GenerationThe system shall create an ad hoc report of program participants that were referred to DoL for Labor Market Information (LMI) and employment services. The system shall make every field reportable. The system shall have reporting functionality for reports done by ad hoc or on a defined time table. The system shall have the ability to provide data needed to generate performance reports.User Roles, Permissions and AssignmentReq IDAccess ControlThe system shall have the ability to select/deselect specific rights, permissions, and functions and assign them to a user. The system shall have the ability to restrict actions based on a user. The system shall have a login for contractors that is defined by business rules. The system shall migrate current permissions from CWINRS for users. The system shall have the ability to manage sensitivity levels based on established business rules. Req IDApproval AuthorityThe system shall have the ability to have a multi-tiered approval and automated routing workflow. The system shall have the ability to use PIV access as a signature for government employees and contractors.System or Data Integration Req IDSystem IntegrationThe system shall have bidirectional communication with the Virtual Assistant. The system shall integrate with Loan Guaranty systems bidirectionally. The system shall integrate with CorpDB bidirectionally.The system shall integrate with IPPS bidirectionally.The system shall integrate with CAPRI bidirectionally.The system shall be able to have a bidirectional relationship with VA-ONCE.The system shall be able to have a bidirectional relationship with BIRLS.The system shall be able to have a bidirectional relationship with the Master Veteran Index (MVI)The system shall be able to have a bidirectional relationship with the Long Term Solution (LTS).The system shall be able to have a bidirectional relationship with the Benefits Delivery Network (BDN).The system shall integrate with Veterans Information System (VIS).The system shall have a bidirectional relationship with iFAMS.The system shall have a bidirectional relationship with FAS. The system shall integrate with Web Enabled Approval Management System (WEAMS). The system shall interface with the Benefit Gateway Services (BGS).The system shall have a bidirectional integration to the eFolder. The system shall have a bidirectional relationship with the Enterprise Data Warehouse (EDW)The system shall be able to handle interface errors as defined by established business rules.The system shall have the ability have a bidirectional relationship with other systems as it pertains to contract information. The system shall be compatible with approved web browsers. The system shall be able to communicate with the online M28R. Req IDData IntegrationThe system shall have the ability to accept and notify VRCs of dependent changes. The system shall be able to display current and historical data from CorpDB.The system shall be able to migrate from CWINRS.The system shall be able to display delimiting date of any education benefit from an education system. The system shall be able to display remaining months and days of eligibility for any education benefits.The system shall capture the fields which are currently in the VetSuccess on Campus (VSOC) Access database into the new CMSS.Req IDFile RetrievalThe system shall have the ability to amend awards previously processed in CWINRS/SAM.Award ManagementReq IDAward CalculationThe system shall calculate and process the award based on defined business rulesThe system will have defined business rules for all award types. The system shall have the ability to charge, add and track entitlement. Req IDProcessingThe system shall have the ability to capture if the program participant for a flight training program has a private or commercial pilots license.The system shall have the ability to validate Flight Training criteria are met based on established business rules.The system shall prevent the ability to place a case in Interrupted status while an award is running.The system shall have the ability to capture an Interrupted case with a planned reentry based on established business rules. The system shall automatically ingest certificate of enrollment when submitted electronically or allow user to input manually.The system shall process verification of attendance confirmation from the program participants.The system shall have the ability to amend awards based established business rulesThe system shall be able to process Revolving Fund Loans based on established business rules. The system shall have the ability to add/extend the number of months of entitlement. The system shall have the ability to convert foreign currency to USD.The system shall be able to process Government Purchase Cards with established business rules. The system shall have the ability to enter an award on multiple line items based on established business rules. The system shall prevent awards from being extended based on established business rules.System shall have the ability to specify the Standard Occupational Classification (SOC) codes. The system shall have the ability to calculate and manage entitlement for all chapters.Req IDAuthorizationThe user shall have the ability in the system to create authorizations for goods/services based on established business rules. PaymentReq IDBusiness Transaction Creation, Scheduling and SendingThe system shall have defined business rules for all financial transactions.The system shall allow business rules to be changed for financial transactions. The system shall create and send business transactions for all award types to Financial Accounting System (FAS)The system shall the ability to use Budget Object Codes. Req IDProcessingThe system shall have a financial component with defined categories. The system shall be able to communicate with IPPS bidirectionally to send and receive payment information.The system shall have the ability to link authorizations to payments within the approved period/time. The system shall be able to update award rates for the annual cost of living adjustment based on defined business rules. The system shall be able to handle Employment Adjustment Allowance awards based on established business rules. The system shall utilize automated calculation to populate required fields in the beneficiary travel form.The system shall have the ability to process beneficiary travel reimbursements based on established business rules. The system shall the ability to have free a text field to further refine Budget Object Codes. The system shall be able to assign proper payments based on established business rules.The system shall be able to adjust payments when a dependent is added or removed from an award. The system shall be able to update rate changes as well as archive previous rates for retroactive payments.Req IDDisbursalThe system shall ensure an authorized user approves travel for program participant.The system shall have the ability to make payments regardless of the case status.The system shall allow payments to be made through IPSS.The user shall have the ability in the system to view and approve/hold/reject IPPS invoices.Req IDPayment History/Audit TrailThe system shall have the ability to store and use historical financial data. The system shall, upon case closure, interact with the financial system to verify all outstanding contractor referrals are closed and cancel any outstanding open referrals. The system shall display financial transaction history from FAS.The system shall track and report financial data defined by the business line. The system shall display the current financial balances of participant record from FAS.Workflow ManagementReq IDAutomationThe system shall have the ability to determine and automate next actions based on eligibility determination as defined by established business rules.The system shall off-ramp calculations to end users when it cannot be automatically calculatedReq IDRoutingThe system shall have a workflow and approval flow for case transfers. Req IDAlerts and NotificationThe system shall have the ability to notify VR&E employees for certain actions that need to be taken based on defined timeframes. The system shall be able to notify an authorized user when an award is off-ramped from automation.Quality AssuranceReq IDQuality AssuranceThe system shall have functionality to report to interested parties the results of Quality Reviews. The systems shall be able to include a Local and National Quality Assurance functionality.The systems shall be able to manage Quality Assurance based on defined business rules. The system shall have the ability to select Quality Assurance cases for review based on agile business rules.The system needs to calculate Quality Assurance scores based on defined data per established business rules. The system shall have customizable instruments for Quality Reviews. The systems shall be able to manage Quality Assurance based on defined business rules. The system shall have the ability to select Quality Assurance cases for local review based on agile business rules.The system shall have customizable instruments for Quality Reviews. APPENDIX B: PERFORMANCE REQUIREMENTS SUMMARYApplicable PWS Paragraphs – (Paragraph #)Required Service – (Performance Requirements)Standard –(Performance Standards)Maximum Allowable Degree of Deviation Requirement – Acceptable Quality Level (AQL)Method of Surveillance(Quality Assurance)Remedies5.1.1; 5.2; 5.3; 5.4; 5.5; 5.7; 5.8.1; 5.8.2, 5.9Service deliverables: documentation adheres to standards, formats and frequency contained in the PWSDeliverables are completed in an accurate and timely manner. Deliverables were complete and accurate in most respects.No more than one (1) late document per quarter and no more than five (5) business days late. No more than two (2) sets of corrections required on any product, and all corrections must be submitted within one (1) business day of the negotiated suspense.Quarterly Performance Based Service Assessment Survey – Customer satisfaction as measured through customer comments and feedbackRework of deliverable5.6Service Level Agreement (SLA)Measures service availability to ICMHS and end-users.99.3% availability for access to all Digital Mail Handling services, images, and related metadata 24 hours per day, 7 days per week, 365 days per year exclusive of planned maintenance.100% Inspection - Operational monitoring by use of system statistics and logsNotice of non-complianceAPPENDIX C: ADDITIONAL VA REQUIREMENTS, CONSOLIDATED CYBER AND INFORMATION SECURITY REQUIREMENTS FOR VA IT SERVICESThe Contractor shall ensure adequate LAN/Internet, data, information, and system security in accordance with VA standard operating procedures and standard PWS language, conditions, laws, and regulations. The Contractor’s firewall and web server shall meet or exceed VA minimum requirements for security.?All VA data shall be protected behind an approved firewall.?Any security violations or attempted violations shall be reported to the VA Program Manager and VA Information Security Officer as soon as possible.?The Contractor shall follow all applicable VA policies and procedures governing information security, especially those that pertain to certification and accreditation.Contractor supplied equipment, PCs of all types, equipment with hard drives, etc. for contract services must meet all security requirements that apply to Government Furnished Equipment (GFE) and Government Owned Equipment (GOE). Security Requirements include:?a) VA Approved Encryption Software must be installed on all laptops or mobile devices before placed into operation, b) Bluetooth equipped devices are prohibited within VA; Bluetooth must be permanently disabled or removed from the device, unless the connection uses FIPS 140-2 (or its successor) validated encryption, c) VA approved anti-virus and firewall software, d) Equipment must meet all VA sanitization requirements and procedures before disposal.?The COR, CO, the PM, and the Information Security Officer (ISO) must be notified and verify all security requirements have been adhered to.Each documented initiative under this contract incorporates VA Handbook 6500.6, “Contract Security,” March 12, 2010 by reference as though fully set forth therein. The VA Handbook 6500.6, “Contract Security” shall also be included in every related agreement, contract or order.?The VA Handbook 6500.6, Appendix C, is included in this document as Addendum B.Training requirements: The Contractor shall complete all mandatory training courses on the current VA training site, the VA Talent Management System (TMS), and will be tracked therein. The TMS may be accessed at . If you do not have a TMS profile, go to and click on the “Create New User” link on the TMS to gain access.Contractor employees shall complete a VA Systems Access Agreement if they are provided access privileges as an authorized user of the computer system of VA.VA Enterprise Architecture ComplianceThe applications, supplies, and services furnished under this contract must comply with One-VA Enterprise Architecture (EA), available at in force at the time of issuance of this contract, including the Program Management Plan and VA's rules, standards, and guidelines in the Technical Reference Model/Standards Profile (TRMSP).?VA reserves the right to assess contract deliverables for EA compliance prior to acceptance.VA Internet and Intranet StandardsThe Contractor shall adhere to and comply with VA Directive 6102 and VA Handbook 6102, Internet/Intranet Services, including applicable amendments and changes, if the Contractor’s work includes managing, maintaining, establishing and presenting information on VA’s Internet/Intranet Service Sites. This pertains, but is not limited to: creating announcements; collecting information; databases to be accessed, graphics and links to external sites.Internet/Intranet Services Directive 6102 is posted at (copy and paste the following URL to browser): Services Handbook 6102 is posted at (copy and paste following URL to browser): of the Federal Accessibility Law Affecting All Information and Communication Technology (ICT) Procurements (Section 508) On January 18, 2017, the Architectural and Transportation Barriers Compliance Board (Access Board) revised and updated, in a single rulemaking, standards for electronic and information technology developed, procured, maintained, or used by Federal agencies covered by Section 508 of the Rehabilitation Act of 1973, as well as our guidelines for telecommunications equipment and customer premises equipment covered by Section 255 of the Communications Act of 1934. The revisions and updates to the Section 508-based standards and Section 255-based guidelines are intended to ensure that information and communication technology (ICT) covered by the respective statutes is accessible to and usable by individuals with disabilities. Section 508 – Information and Communication Technology (ICT) Standards The Section 508 standards established by the Access Board are incorporated into, and made part of all VA orders, solicitations and purchase orders developed to procure ICT. These standards are found in their entirety at: A printed copy of the standards will be supplied upon request. Federal agencies must comply with the updated Section 508 Standards beginning on January 18, 2018. The Final Rule as published in the Federal Register is available from the Access Board: The Contractor shall comply with “508 Chapter 2: Scoping Requirements” for all electronic ICT and content delivered under this contract. Specifically, as appropriate for the technology and its functionality, the Contractor shall comply with the technical standards marked here: ? E205 Electronic Content – (Accessibility Standard -WCAG 2.0 Level A and AA Guidelines) ? E204 Functional Performance Criteria ? E206 Hardware Requirements ? E207 Software Requirements ? E208 Support Documentation and Services Requirements Compatibility with Assistive Technology The standards do not require installation of specific accessibility-related software or attachment of an assistive technology device. Section 508 requires that ICT be compatible with such software and devices so that ICT can be accessible to and usable by individuals using assistive technology, including but not limited to screen readers, screen magnifiers, and speech recognition software. Acceptance and Acceptance Testing Deliverables resulting from this solicitation will be accepted based in part on satisfaction of the Section 508 Chapter 2: Scoping Requirements standards identified above. The Government reserves the right to test for Section 508 Compliance before delivery. The Contractor shall be able to demonstrate Section 508 Compliance upon delivery.Deliverables: Final Section 508 Compliance Test ResultsConfidentiality and Non-DisclosureThe Contractor shall follow all VA rules and regulations regarding information security to prevent disclosure of sensitive information to unauthorized individuals or organizations.The Contractor may have access to Protected Health Information (PHI) and Electronic Protected Health Information (EPHI) that is subject to protection under the regulations issued by the Department of Health and Human Services, as mandated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA); 45 CFR Parts 160 and 164, Subparts A and E, the Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”); and 45 CFR Parts 160 and 164, Subparts A and C, the Security Standard (“Security Rule”).?Pursuant to the Privacy and Security Rules, the Contractor must agree in writing to certain mandatory provisions regarding the use and disclosure of PHI and EPHI. The Contractor will have access to some privileged and confidential materials of VA. These printed and electronic documents are for internal use only, are not to be copied or released without permission, and remain the sole property of VA. Some of these materials are protected by the Privacy Act of 1974 (revised by PL 93-5791) and Title 38. Unauthorized disclosure of Privacy Act or Title 38 covered materials is a criminal offense.The VA CO will be the sole authorized official to release in writing, any data, draft deliverables, final deliverables, or any other written or printed materials pertaining to this contract. The Contractor shall release no information. Any request for information relating to this contract presented to the Contractor shall be submitted to the VA CO for response.Contractor personnel recognize that in the performance of this effort, Contractor personnel may receive or have access to sensitive information, including information provided on a proprietary basis by carriers, equipment manufacturers and other private or public entities. Contractor personnel agree to safeguard such information and use the information exclusively in the performance of this contract. Contractor shall follow all VA rules and regulations regarding information security to prevent disclosure of sensitive information to unauthorized individuals or organizations as enumerated in this section and elsewhere in this Contract and its subparts and appendices.Contractor shall limit access to the minimum number of personnel necessary for contract performance for all information considered sensitive or proprietary in nature. If the Contractor is uncertain of the sensitivity of any information obtained during the performance this contract, the Contractor has a responsibility to ask the VA CO.Contractor shall train all of their employees involved in the performance of this contract on their roles and responsibilities for proper handling and nondisclosure of sensitive VA or proprietary information. Contractor personnel shall not engage in any other action, venture or employment wherein sensitive information shall be used for the profit of any party other than those furnishing the information. The sensitive information transferred, generated, transmitted, or stored herein is for VA benefit and ownership alone. Contractor shall maintain physical security at all facilities housing the activities performed under this contract, including any Contractor facilities according to VA-approved guidelines and directives. The Contractor shall ensure that security procedures are defined and enforced to ensure all personnel who are provided access to patient data must comply with published procedures to protect the privacy and confidentiality of such information as required by VA.Contractor must adhere to the following:The use of “thumb drives” or any other medium for transport of information is expressly prohibited.Controlled access to system and security software and documentation.Recording, monitoring, and control of passwords and privileges.All terminated personnel are denied physical and electronic access to all data, program listings, data processing equipment and systems.VA, as well as any Contractor (or SubContractor) systems used to support development, provide the capability to cancel immediately all access privileges and authorizations upon employee termination.Contractor PM and VA PM are informed within twenty-four (24) hours of any employee termination.Regulatory standard of conduct governs all personnel directly and indirectly involved in procurements. All personnel engaged in procurement and related activities shall conduct business in a manner above reproach and, except as authorized by statute or regulation, with complete impartiality and with preferential treatment for none. The general rule is to strictly avoid any conflict of interest or even the appearance of a conflict of interest in VA/Contractor relationships.VA Form 0752 shall be completed by all Contractor employees working on this contract, and shall be provided to the CO before any work is performed. In the case that Contractor personnel are replaced in the future, their replacements shall complete VA Form 0752 prior to beginning work.APPENDIX D: VA INFORMATION AND INFORMATION SYSTEM SECURITY / PRIVACY LANGUAGEVA INFORMATION AND INFORMATION SYSTEM SECURITY/PRIVACY LANGUAGE, VA HANDBOOK 6500.6, APPENDIX C, MARCH 12, 2010GENERALContractors, Contractor personnel, SubContractors, and SubContractor personnel shall be subject to the same Federal laws, regulations, standards, and VA Directives and Handbooks as VA and VA personnel regarding information and information system security.ACCESS TO VA INFORMATION AND VA INFORMATION SYSTEMSA Contractor/SubContractor shall request logical (technical) or physical access to VA information and VA information systems for their employees, SubContractors, and affiliates only to the extent necessary to perform the services specified in the contract, agreement, or contract.All Contractors, SubContractors, and third-party servicers and associates working with VA information are subject to the same investigative requirements as those of VA appointees or employees who have access to the same types of information. The level and process of background security investigations for Contractors must be in accordance with VA Directive and Handbook 0710, Personnel Suitability and Security Program. The Office for Operations, Security, and Preparedness is responsible for these policies and procedures.Contract personnel who require access to national security programs must have a valid security clearance. National Industrial Security Program (NISP) was established by Executive Order 12829 to ensure that cleared U.S. defense industry contract personnel safeguard the classified information in their possession while performing work on contracts, programs, bids, or research and development efforts. The Department of Veterans Affairs does not have a Memorandum of Agreement with Defense Security Service (DSS). Verification of a Security Clearance must be processed through the Special Security Officer located in the Planning and National Security Service within the Office of Operations, Security, and Preparedness.Custom software development and outsourced operations must be located in the U.S. to the maximum extent practical. If such services are proposed to be performed abroad and are not disallowed by other VA policy or mandates (e.g. Business Associate Agreement, Section 3G), the Contractor/SubContractor must state where all non-U.S. services are provided and detail a security plan, deemed to be acceptable by VA, specifically to address mitigation of the resulting problems of communication, control, data protection, and so forth. Location within the U.S. may be an evaluation factor. The Contractor or SubContractor must notify the CO immediately when an employee working on a VA system or with access to VA information is reassigned or leaves the Contractor or SubContractor’s employ. The CO must also be notified immediately by the Contractor or SubContractor prior to an unfriendly termination.VA INFORMATION CUSTODIAL LANGUAGEInformation made available to the Contractor or SubContractor by VA for the performance or administration of this contract or information developed by the Contractor/SubContractor in performance or administration of the contract shall be used only for those purposes and shall not be used in any other way without the prior written agreement of VA. This clause expressly limits the Contractor/SubContractor's rights to use data as described in Rights in Data - General, FAR 52.227-14(d) (1).VA information should not be co-mingled, if possible, with any other data on the Contractors/SubContractor’s information systems or media storage systems in order to ensure VA requirements related to data protection and media sanitization can be met. If co-mingling must be allowed to meet the requirements of the business need, the Contractor must ensure that VA information is returned to VA or destroyed in accordance with VA’s sanitization requirements. VA reserves the right to conduct onsite inspections of Contractor and SubContractor IT resources to ensure data security controls, separation of data and job duties, and destruction/media sanitization procedures are in compliance with VA directive requirements.Prior to termination or completion of this contract, Contractor/SubContractor must not destroy information received from VA, or gathered/created by the Contractor in the course of performing this contract without prior written approval by VA. Any data destruction done on behalf of VA by a Contractor/SubContractor must be done in accordance with National Archives and Records Administration (NARA) requirements as outlined in VA Directive 6300, Records and Information Management and its Handbook 6300.1 Records Management Procedures, applicable VA Records Control Schedules, and VA Handbook 6500.1, Electronic Media Sanitization. Self-certification by the Contractor that the data destruction requirements above have been met must be sent to the VA CO within 30 days of termination of the contract.The Contractor/SubContractor must receive, gather, store, back up, maintain, use, disclose and dispose of VA information only in compliance with the terms of the contract and applicable Federal and VA information confidentiality and security laws, regulations and policies. If Federal or VA information confidentiality and security laws, regulations and policies become applicable to VA information or information systems after execution of the contract, or if NIST issues or updates applicable FIPS or Special Publications (SP) after execution of this contract, the parties agree to negotiate in good faith to implement the information confidentiality and security laws, regulations and policies in this contract. The Contractor/SubContractor shall not make copies of VA information except as authorized and necessary to perform the terms of the agreement or to preserve electronic information stored on Contractor/SubContractor electronic storage media for restoration in case any electronic equipment or data used by the Contractor/SubContractor needs to be restored to an operating state. If copies are made for restoration purposes, after the restoration is complete, the copies must be appropriately destroyed. If VA determines that the Contractor has violated any of the information confidentiality, privacy, and security provisions of the contract, it shall be sufficient grounds for VA to withhold payment to the Contractor or third party or terminate the contract for default or terminate for cause under Federal Acquisition Regulation (FAR) part 12. If a VHA contract is terminated for cause, the associated Business Associate Agreement (BAA) must also be terminated and appropriate actions taken in accordance with VHA Handbook 1600.05, Business Associate Agreements. Absent an agreement to use or disclose protected health information, there is no business associate relationship. The Contractor/Subcontractor must store, transport, or transmit VA sensitive information in an encrypted form, using VA-approved encryption tools that are, at a minimum, FIPS 140-2 validated.The Contractor/SubContractor’s firewall and Web services security controls, if applicable, shall meet or exceed VA minimum requirements. VA Configuration Guidelines are available upon request.Except for uses and disclosures of VA information authorized by this contract for performance of the contract, the Contractor/SubContractor may use and disclose VA information only in two (2) other situations: (i) in response to a qualifying order of a court of competent jurisdiction, or (ii) with VA prior written approval. The Contractor / SubContractor must refer all requests for, demands for production of, or inquiries about, VA information and information systems to the VA CO for response.Notwithstanding the provision above, the Contractor/SubContractor shall not release VA records protected by Title 38 U.S.C. 5705, confidentiality of medical quality assurance records and/or Title 38 U.S.C. 7332, confidentiality of certain health records pertaining to drug addiction, sickle cell anemia, alcoholism or alcohol abuse, or infection with human immunodeficiency virus. If the Contractor / SubContractor is in receipt of a court order or other requests for the above mentioned information, that Contractor / SubContractor shall immediately refer such court orders or other requests to the VA CO for response.For service that involves the storage, generating, transmitting, or exchanging of VA sensitive information but does not require Assessment and Authorization (A&A) or a Memorandum of Understanding-Interconnection Security Agreement (MOU-ISA) for system interconnection, the Contractor / SubContractor must complete a Contractor Security Control Assessment (CSCA) on a yearly basis and provide it to the RMATION SYSTEM DESIGN AND DEVELOPMENTInformation systems that are designed or developed for or on behalf of VA at non-VA facilities shall comply with all VA directives developed in accordance with FISMA, HIPAA, NIST, and related VA security and privacy control requirements for Federal information systems. This includes standards for the protection of electronic PHI, outlined in 45 C.F.R. Part 164, Subpart C, information and system security categorization level designations in accordance with FIPS 199 and FIPS 200 with implementation of all baseline security controls commensurate with the FIPS 199 system security categorization (reference VA Handbook 6500, Risk Management Framework for VA Information Systems – Tier 3: VA Information Security Program, and the TIC Reference Architecture). During the development cycle a Privacy Impact Assessment (PIA) must be completed, provided to the COR, and approved by the VA Privacy Service in accordance with Directive 6508, Implementation of Privacy Threshold Analysis and Privacy Impact Assessment.The Contractor / Subcontractor shall certify to the COR that applications are fully functional and operate correctly as intended on systems using the VA Federal Desktop Core Configuration (FDCC), and the common security configuration guidelines provided by NIST or VA. This includes Internet Explorer 11 configured to operate on Windows 7 and future versions, as required.The standard installation, operation, maintenance, updating, and patching of software shall not alter the configuration settings from the VA approved and FDCC configuration. Information technology staff must also use the Windows Installer Service for installation to the default “program files” directory and silently install and uninstall.Applications designed for normal end users shall run in the standard user context without elevated system administration privileges.The security controls must be designed, developed, approved by VA, and implemented in accordance with the provisions of VA security system development life cycle as outlined in NIST Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems, VA Handbook 6500, Risk Management Framework for VA Information Systems – Tier 3: VA Information Security Program and VA Handbook 6500.5, Incorporating Security and Privacy in System Development Lifecycle.The Contractor/SubContractor is required to design, develop, or operate a System of Records Notice (SOR) on individuals to accomplish an agency function subject to the Privacy Act of 1974, (as amended), Public Law 93-579, December 31, 1974 (5 U.S.C. 552a) and applicable agency regulations. Violation of the Privacy Act may involve the imposition of criminal and civil penalties.The Contractor/SubContractor agrees to:Comply with the Privacy Act of 1974 (the Act) and the agency rules and regulations issued under the Act in the design, development, or operation of any system of records on individuals to accomplish an agency function when the contract specifically identifies:The Systems of Records (SOR); andThe design, development, or operation work that the Contractor/SubContractor is to perform;Include the Privacy Act notification contained in this contract in every solicitation and resulting subcontract and in every subcontract awarded without a solicitation, when the work statement in the proposed subcontract requires the redesign, development, or operation of a SOR on individuals that is subject to the Privacy Act; andInclude this Privacy Act clause, including this subparagraph (c), in all subcontracts awarded under this contract which requires the design, development, or operation of such a SOR.In the event of violations of the Act, a civil action may be brought against the agency involved when the violation concerns the design, development, or operation of a SOR on individuals to accomplish an agency function, and criminal penalties may be imposed upon the officers or employees of the agency when the violation concerns the operation of a SOR on individuals to accomplish an agency function. For purposes of the Act, when the contract is for the operation of a SOR on individuals to accomplish an agency function, the Contractor/SubContractor is considered to be an employee of the agency.“Operation of a System of Records” means performance of any of the activities associated with maintaining the SOR, including the collection, use, maintenance, and dissemination of records.“Record” means any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and contains the person’s name, or identifying number, symbol, or any other identifying particular assigned to the individual, such as a fingerprint or voiceprint, or a photograph.“System of Records” means a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying element assigned to the individual.The vendor shall ensure the security of all procured or developed systems and technologies, including their subcomponents (hereinafter referred to as “Systems”), throughout the life of this contract and any extension, warranty, or maintenance periods. This includes, but is not limited to workarounds, patches, hot fixes, upgrades, and any physical components (hereafter referred to as Security Fixes) which may be necessary to fix all security vulnerabilities published or known to the vendor anywhere in the Systems, including Operating Systems and firmware. The vendor shall ensure that Security Fixes shall not negatively impact the Systems.The vendor shall notify VA within 24 hours of the discovery or disclosure of successful exploits of the vulnerability which can compromise the security of the Systems (including the confidentiality or integrity of its data and operations, or the availability of the system). Such issues shall be remediated as quickly as is practical, but in no event longer than one (1) day. When the Security Fixes involve installing third party patches (such as Microsoft OS patches or Adobe Acrobat), the vendor will provide written notice to VA that the patch has been validated as not affecting the Systems within 10 working days. When the vendor is responsible for operations or maintenance of the Systems, they shall apply the Security Fixes within one (1) day.All other vulnerabilities shall be remediated as specified in this paragraph in a timely manner based on risk, but within 60 days of discovery or disclosure. Exceptions to this paragraph (e.g. for the convenience of VA) shall only be granted with approval of the CO and the VA Assistant Secretary for Office of Information and RMATION SYSTEM HOSTING, OPERATION, MAINTENANCE, OR USEFor information systems that are hosted, operated, maintained, or used on behalf of VA at non-VA facilities, Contractors/SubContractors are fully responsible and accountable for ensuring compliance with all HIPAA, Privacy Act, FISMA, NIST, FIPS, and VA security and privacy directives and handbooks. This includes conducting compliant risk assessments, routine vulnerability scanning, system patching and change management procedures, and the completion of an acceptable contingency plan for each system. The Contractor’s security control procedures must be equivalent, to those procedures used to secure VA systems. A Privacy Impact Assessment (PIA) must also be provided to the COR and approved by VA Privacy Service prior to operational approval. All external Internet connections to VA network involving VA information must be in accordance with the TIC Reference Architecture and reviewed and approved by VA prior to implementation. For Cloud Services hosting, the Contractor shall also ensure compliance with the Federal Risk and Authorization Management Program (FedRAMP). Adequate security controls for collecting, processing, transmitting, and storing of Personally Identifiable Information (PII), as determined by the VA Privacy Service, must be in place, tested, and approved by VA prior to hosting, operation, maintenance, or use of the information system, or systems by or on behalf of VA. These security controls are to be assessed and stated within the PIA and if these controls are determined not to be in place, or inadequate, a Plan of Action and Milestones (POA&M) must be submitted and approved prior to the collection of PII.Outsourcing (Contractor facility, Contractor equipment or Contractor staff) of systems or network operations, telecommunications services, or other managed services requires A&A of the Contractor’s systems in accordance with VA Handbook 6500.3, Assessment, Authorization and Continuous Monitoring of VA Information Systems and/or the VA OCS Certification Program Office. Government-owned (Government facility or Government equipment) Contractor-operated systems, third party or business partner networks require memorandums of understanding and interconnection security agreements (MOU-ISA) which detail what data types are shared, who has access, and the appropriate level of security controls for all systems connected to VA networks.The Contractor/SubContractor’s system must adhere to all FISMA, FIPS, and NIST standards related to the annual FISMA security controls assessment and review and update the PIA. Any deficiencies noted during this assessment must be provided to the VA CO and the ISO for entry into the VA POA&M management process. The Contractor/SubContractor must use the VA POA&M process to document planned remedial actions to address any deficiencies in information security policies, procedures, and practices, and the completion of those activities. Security deficiencies must be corrected within the timeframes approved by the Government. Contractor/SubContractor procedures are subject to periodic, unannounced assessments by VA officials, including the VA Office of Inspector General. The physical security aspects associated with Contractor/SubContractor activities must also be subject to such assessments. If major changes to the system occur that may affect the privacy or security of the data or the system, the A&A of the system may need to be reviewed, retested and re-authorized per VA Handbook 6500.3. This may require reviewing and updating all of the documentation (PIA, System Security Plan, and Contingency Plan). The Certification Program Office can provide guidance on whether a new A&A would be necessary.The Contractor/SubContractor must conduct an annual self-assessment on all systems and outsourced services as required. Both hard copy and electronic copies of the assessment must be provided to the COR. The Government reserves the right to conduct such an assessment using Government personnel or another Contractor/SubContractor. The Contractor/SubContractor must take appropriate and timely action (this can be specified in the contract) to correct or mitigate any weaknesses discovered during such testing, generally at no additional cost.VA prohibits the installation and use of personally-owned or Contractor/SubContractor owned equipment or software on the VA network. If non-VA owned equipment must be used to fulfill the requirements of a contract, it must be stated in the service agreement, SOW or contract. All of the security controls required for Government furnished equipment (GFE) must be utilized in approved other equipment (OE) and must be funded by the owner of the equipment. All remote systems must be equipped with, and use, a VA-approved antivirus (AV) software and a personal (host-based or enclave based) firewall that is configured with a VA approved configuration. Software must be kept current, including all critical updates and patches. Owners of approved OE are responsible for providing and maintaining the anti-viral software and the firewall on the non-VA owned OE.All electronic storage media used on non-VA leased or non-VA owned IT equipment that is used to store, process, or access VA information must be handled in adherence with VA Handbook 6500.1, Electronic Media Sanitization upon: (i) completion or termination of the contract or (ii) disposal or return of the IT equipment by the Contractor/SubContractor or any person acting on behalf of the Contractor/SubContractor, whichever is earlier. Media (hard drives, optical disks, CDs, back-up tapes, etc.) used by the Contractors/SubContractors that contain VA information must be returned to VA for sanitization or destruction or the Contractor/SubContractor must self-certify that the media has been disposed of per 6500.1 requirements. This must be completed within 30 days of termination of the contract.Bio-Medical devices and other equipment or systems containing media (hard drives, optical disks, etc.) with VA sensitive information must not be returned to the vendor at the end of lease, for trade-in, or other purposes. The options are:Vendor must accept the system without the drive;VA’s initial medical device purchase includes a spare drive which must be installed in place of the original drive at time of turn-in; orVA must reimburse the company for media at a reasonable open market replacement cost at time of purchase.Due to the highly specialized and sometimes proprietary hardware and software associated with medical equipment/systems, if it is not possible for VA to retain the hard drive, then;The equipment vendor must have an existing BAA if the device being traded in has sensitive information stored on it and hard drive(s) from the system are being returned physically intact; andAny fixed hard drive on the device must be non-destructively sanitized to the greatest extent possible without negatively impacting system operation. Selective clearing down to patient data folder level is recommended using VA approved and validated overwriting technologies/methods/tools. Applicable media sanitization specifications need to be preapproved and described in the purchase order or contract.A statement needs to be signed by the Director (System Owner) that states that the drive could not be removed and that (a) and (b) controls above are in place and completed. The ISO needs to maintain the documentation.SECURITY INCIDENT INVESTIGATIONThe term “security incident” means an event that has, or could have, resulted in unauthorized access to, loss or damage to VA assets, or sensitive information, or an action that breaches VA security procedures. The Contractor/SubContractor shall immediately notify the COR and simultaneously, the designated ISO and Privacy Officer for the contract of any known or suspected security/privacy incidents, or any unauthorized disclosure of sensitive information, including that contained in system(s) to which the Contractor/SubContractor has access.To the extent known by the Contractor/SubContractor, the Contractor/SubContractor’s notice to VA shall identify the information involved, the circumstances surrounding the incident (including to whom, how, when, and where the VA information or assets were placed at risk or compromised), and any other information that the Contractor/SubContractor considers relevant.With respect to unsecured protected health information, the business associate is deemed to have discovered a data breach when the business associate knew or should have known of a breach of such information. Upon discovery, the business associate must notify the covered entity of the breach. Notifications need to be made in accordance with the executed business associate agreement.In instances of theft or break-in or other criminal activity, the Contractor/SubContractor must concurrently report the incident to the appropriate law enforcement entity (or entities) of jurisdiction, including the VA OIG and Security and Law Enforcement. The Contractor, its employees, and its SubContractors and their employees shall cooperate with VA and any law enforcement authority responsible for the investigation and prosecution of any possible criminal law violation(s) associated with any incident. The Contractor/SubContractor shall cooperate with VA in any civil litigation to recover VA information, obtain monetary or other compensation from a third party for damages arising from any incident, or obtain injunctive relief against any third party arising from, or related to, the incident.LIQUIDATED DAMAGES FOR DATA BREACHConsistent with the requirements of 38 U.S.C. §5725, a contract may require access to sensitive personal information. If so, the Contractor is liable to VA for liquidated damages in the event of a data breach or privacy incident involving any SPI the Contractor / SubContractor processes or maintains under this contract. However, it is the policy of VA to forgo collection of liquidated damages in the event the Contractor provides payment of actual damages in an amount determined to be adequate by the agency.The Contractor/SubContractor shall provide notice to VA of a “security incident” as set forth in the Security Incident Investigation section above. Upon such notification, VA must secure from a non-Department entity or the VA Office of Inspector General an independent risk analysis of the data breach to determine the level of risk associated with the data breach for the potential misuse of any sensitive personal information involved in the data breach. The term 'data breach' means the loss, theft, or other unauthorized access, or any access other than that incidental to the scope of employment, to data containing sensitive personal information, in electronic or printed form, that results in the potential compromise of the confidentiality or integrity of the data. Contractor shall fully cooperate with the entity performing the risk analysis. Failure to cooperate may be deemed a material breach and grounds for contract termination.Each risk analysis shall address all relevant information concerning the data breach, including the following:Nature of the event (loss, theft, unauthorized access);Description of the event, including:date of occurrence;data elements involved, including any PII, such as full name, social security number, date of birth, home address, account number, disability code;Number of individuals affected or potentially affected;Names of individuals or groups affected or potentially affected;Ease of logical data access to the lost, stolen or improperly accessed data in light of the degree of protection for the data, e.g., unencrypted, plain text;mount of time the data has been out of VA control;The likelihood that the sensitive personal information will or has been compromised (made accessible to and usable by unauthorized persons);Known misuses of data containing sensitive personal information, if any;Assessment of the potential harm to the affected individuals;Data breach analysis as outlined in 6500.2 Handbook, Management of Breaches Involving Sensitive Personal Information, as appropriate; andWhether credit protection services may assist record subjects in avoiding or mitigating the results of identity theft based on the sensitive personal information that may have been compromised.Based on the determinations of the independent risk analysis, the Contractor shall be responsible for paying to VA liquidated damages in the amount of $37.50 per affected individual to cover the cost of providing credit protection services to affected individuals consisting of the following:Notification;One (1) year of credit monitoring services consisting of automatic daily monitoring of at least 3 relevant credit bureau reports;Data breach analysis;Fraud resolution services, including writing dispute letters, initiating fraud alerts and credit freezes, to assist affected individuals to bring matters to resolution;One (1) year of identity theft insurance with $20,000.00 coverage at $0 deductible; andNecessary legal expenses the subjects may incur to repair falsified or damaged credit records, histories, or financial affairs.SECURITY CONTROLS COMPLIANCE TESTINGOn a periodic basis, VA, including the Office of Inspector General, reserves the right to evaluate any or all of the security controls and privacy practices implemented by the Contractor under the clauses contained within the contract. With 10 working days’ notice, at the request of the Government, the Contractor must fully cooperate and assist in a Government-sponsored security controls assessment at each location wherein VA information is processed or stored, or information systems are developed, operated, maintained, or used on behalf of VA, including those initiated by the Office of Inspector General. The Government may conduct a security control assessment on shorter notice (to include unannounced assessments) as determined by VA in the event of a security incident or at any other time. TRAININGAll Contractor employees and SubContractor employees requiring access to VA information and VA information systems shall complete the following before being granted access to VA information and its systems:Sign and acknowledge (either manually or electronically) understanding of and responsibilities for compliance with the Information Security Rules of Behavior, updated version located at , relating to access to VA information and information systems;Successfully complete the VA Privacy and Information Security Awareness and Rules of Behavior course (TMS #10176) and complete this required privacy and information security training annually;Successfully complete any additional cyber security or privacy training, as required for VA personnel with equivalent information system access [to be defined by the VA program official and provided to the CO for inclusion in the solicitation document – e.g., any role-based information security training required in accordance with NIST Special Publication 800-16, Information Technology Security Training Requirements.] The Contractor shall provide to the CO and/or the COR a copy of the training certificates and certification of signing the Contractor Rules of Behavior for each applicable employee within 2 days of the initiation of the contract and annually thereafter, as required.Failure to complete the mandatory annual training and electronically sign the Rules of Behavior annually, within the timeframe required, is grounds for suspension or termination of all physical or electronic access privileges and removal from work on the contract until such time as the training and documents are complete.APPENDIX E: EXAMPLES OF CASE STATUESCurrent Case StatusNew Case StatusReasonsApplicantEvaluation/Planning02 - Vet exits Applicant status to Evaluation/PlanningDiscontinued01 - Disallowed by adjudication - ineligible03 - Non-pursuit from Applicant or entitled, services declined39 - Service Connected Disabilities severed (or reduced to 0% prior to plan development)99 - Death confirmedEvaluation & PlanningExtended Evaluation06 - Entitled - Individualized Extended Evaluation Plan developed or redevelopedIndependent Living08 - Entitled - Individualized Independent Living Plan - developed or redevelopedRehabilitation to the point of Employability05 - Entitled - Individualized Written Rehabilitation Plan - developed or redevelopedJob Ready Status07 - Qualifies for employment assistance under USC 3117 (prior Vocational Rehabilitation and Employment participant who is not entitled to full Chapter 31, but can receive employment services)Discontinued03 - Non- Pursuit from Applicant or Entitled, services declined09 - Entitled - not currently reasonably feasible (non-Individualized Independent Living Plan)10 - Not entitled - no employment handicap (or, prior Discontinued - reasons for Discontinued not removed)11 - Not entitled - entitlement expired & no Serious Employment Handicap 12 - Not entitled - No Serious Employment Handicap & Eligibility Termination Date expired or 10% Service Connected Disabilities rating21 - Not entitled - Reasons for Discontinued not removed39 - Service Connected Disabilities severed (or reduced to 0% prior to plan development)99 - Death confirmed?Extended EvaluationRehabilitation to The Point Of Employability05 - Entitled - Individualized Written Rehabilitation Plan - developed or redevelopedInterrupted03 - Non-pursuit from Applicant or entitled, services declined15 - Infeasible - vocational goal not feasible16 - Veteran or Veterans Affairs interrupts program39 - Service Connected Disabilities severed (or reduced to 0% prior to plan development)Discontinued99 - Death confirmedIndependent LivingExtended Evaluation06 - Entitled - Individualized Extended Evaluation Plan developed or redevelopedRehabilitation to The Point of Employability05 - Entitled - Individualized Written Rehabilitation Plan - developed or redevelopedInterrupted03 - Non-pursuit from Applicant or entitled, services declined 16 - Veteran or Veterans Affairs interrupts program39 - Service Connected Disabilities severed (or reduced to 0% prior to plan development)Rehabbed 17 - Independent Living rehabilitation achievedDiscontinued99 - Death confirmedRehabilitation to The Point of EmployabilityExtended Evaluation06 - Entitled - Individualized Extended Evaluation Plan developed or redevelopedJob Ready Status11 - Entitlement expired & no Serious Employment Handicap; (Veteran declared job ready)12 - No Serious Employment Handicap & Eligibility Termination Date expired; (Veteran declared job ready)18 - Completed goals and objectives of Individualized Written Rehabilitation Plan19 - Employable - further Individualized Written Rehabilitation Plan services not necessary20 - Employed - to Employment Assistance Service status from Rehabilitation to The Point Of EmployabilityInterrupted03 - Non-pursuit from Applicant or entitled, services declined11 - Not entitled - entitlement expired & no Serious Employment Handicap 12 - Not entitled - No Serious Employment Handicap & Eligibility Termination Date expired15 - Infeasible - vocational goal not feasible16 - Veteran or Veteran Affairs interrupts program34 - Veteran unemployed, but maximum rehab gain achieved35 - Veteran employed, but maximum rehabilitation gain achieved39 - Service Connected Disabilities severed (or reduced to 0% prior to plan development)Discontinued99 - Death confirmed?Job Ready StatusExtended Evaluation06 - Entitled - Individualized Extended Evaluation Plan developed or redevelopedRehabilitation to The Point of Employability05 - Entitled - Individualized Written Rehabilitation Plan - developed or redevelopedInterrupted03 - Non-pursuit from Applicant or entitled, services declined15 - Infeasible - vocational goal not feasible16 - Veteran or Veterans Affairs interrupts program34 - Veteran unemployed, but maximum rehabilitation gain achieved35 - Veteran employed, but maximum rehabilitation gain achieved39 - Service Connected Disabilities severed (or reduced to 0% prior to plan development)97 - 18 months of employment services expiredRehabbed 22 - Suitably employed, Individualized Written Rehabilitation Plan / Independent Employment Assistance Plan goal achieved - Rehabilitated 22 A - Achieved Goals of Rehabilitation Plan - Employed in Field 22 B - Employed in Field Other than Plan 22 C - Return to Active Duty23 - Suitably employed, Independent Employment Assistance Plan services only under USC 3117 - Rehabilitated25 - Alternative suitable employment goal achieved - Rehabilitated 25 B - Employable, but Elected to Pursue Further EducationDiscontinued99 - Death confirmedInterruptedExtended Evaluation41 - Enters Extended Evaluation from Interrupted StatusIndependent Living42 - Enters Independent Living from Interrupted StatusRehabilitation to The Point of Employability43 - Enters Rehabilitation to Employment from Interrupted StatusJob Ready Status44 - Enters Employment Services from Interrupted StatusDiscontinued03 - Non-pursuit from Applicant or entitled, services declined11 - Not entitled - entitlement expired & no Serious Employment Handicap 12 - Not entitled - No Serious Employment Handicap & Eligibility Termination Date expired or 10% Service Connected Disabilities rating31 - Conduct or cooperation is unsatisfactory34 - Veteran unemployed, but maximum rehab gain achieved35 - Veteran employed, but maximum rehabilitation gain achieved36 - Veteran elects Chapter 3339 - Service Connected Disabilities severed (or reduced to 0% prior to plan development)99 - Death confirmedRehabilitatedApplicant88 - System-generated by reapplication processingTrack application using control code 795 in Rehabilitated status. If case will be re-opened, this MUST be processed in CWINRS Auto Generated Eligibility DeterminationDiscontinuedApplicant88 - System-generated by reapplication processing All Re-Applications MUST be processed in CWINRS Auto Generated Eligibility DeterminationAPPENDIX F: EXAMPLE OF ONE PROCESSING RULE (TO EXEMPLIFY COMPLEXITY)Subject: 2019 Basic Allowance for Housing (BAH) Information for Post 9/11 Subsistence Allowance (P911SA) RatesEffective January 1, 2018, VR&E established two P911SA rates.? For ease of understanding, these rates were defined as the “uncapped” P911SA rate and the “capped” P911SA rate:The “uncapped” P911SA rate applies to VR&E participants who first used their entitlement to Chapter 31 on or before December 31, 2017.? This rate includes an additional amount that must be added to the BAH Calculator to determine the correct P911SA rate. The “capped” P911SA rate applies to VR&E participants who first used their entitlement to Chapter 31 on or after January 1, 2018.? This rate is limited to the amount provided by the BAH Calculator.? The phrase “first used their entitlement to Chapter 31” is defined as a charge to Chapter 31 entitlement, regardless of whether the charge was part of the current claim for Chapter 31 benefits and services or was part of a previous claim for Chapter 31 benefits and services.? For example, a Veteran utilized Chapter 31 entitlement to attend training in 2013, and his/her case was discontinued or rehabilitated from a plan of service.? If this Veteran reapplies for Chapter 31 on March 1, 2019, he/she would be entitled to receive the “uncapped” P911SA rate.Impact of National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2016On November 25, 2015, President Obama signed NDAA for FY 2016, Public Law 114-92.? Section 603, Phased-In Modification of Percentage of National Average Monthly Cost of Housing Usable in Computation of BAH Inside the United States, reduced the computation model used to determine BAH rates.? Impact of NDAA for FY 2015 – Uncapped P911SA RateHowever, Section 604(b) of NDAA for FY 2015, Public Law 113-291, provided a special rule that exempted the Department of Veterans Affairs (VA) from the BAH reduction computation model explained above.? As a result, the Department of Defense’s (DoD) BAH Calculator did not accurately reflect the correct amount that VR&E used to determine the P911SA.? Therefore, for the past several years, VR&E staff members have had to add an additional amount to the BAH Calculator rate to determine the correct P911SA rate.? This additional amount was $16 in calendar year (CY) 2015; $33 in CY 2016; $50 in CY 2017; and $69 in CY 2018.Since VR&E can add the additional amount to the BAH Calculator rate, this rate is defined as the “uncapped” P911SA rate.? Veterans who first used entitlement to Chapter 31 on or before December 31, 2017 are entitled to the uncapped P911SA rate.? Impact of the Harry W. Colmery Veterans Educational Assistance Act of 2017 – Capped P911SA Rate.Section 501 of the Harry W. Colmery Veterans Educational Assistance Act of 2017, Public Law 115-48, repealed Section 604(b) of NDAA for FY 2015, Public Law 113-291, which allowed VR&E to add the additional amount to the BAH Calculator rate when obtaining the P911SA rate.? As a result, Veterans who first used their entitlement to Chapter 31 on or after January 1, 2018, and elected to receive the P911SA rate, will not qualify for the additional amount.? Since VR&E may not add the additional amount to the BAH Calculator rate, this rate it referred to as the “capped” P911SA rate.? Veterans who first used entitlement to Chapter 31 on or after January 1, 2018 are entitled to the capped P911SA rate.? The additional amount must not be added to the capped P911SA rate.Calculating the Correct 2019 Uncapped P911SA RateTo determine the correct 2019 uncapped P911SA rate for VR&E participants receiving training within the United States who first used entitlement under chapter 31 on or before December 31, 2017, VR&E staff must:Access DoD’s BAH Calculator website at the zip code of the facility for training at Institutes of Higher Learning (IHL); Non-College Degree (NCD) program; the employer for On-Job Training (OJT); or of the agency for Non Paid Work Experience (NPWE).Obtain the rate for “E-5 with Dependents”.Add $89.00.? Please note, when calculating ?, ?, and ? rates, add the $89.00 first and then calculate the rate given the rate of pursuit.? See Appendix AW, Calculating Rate of Pay for P911SA, for additional guidance.Calculating the Correct 2019 Capped P911SA RateTo determine the correct 2019 capped P911SA rate for VR&E participants who first used their entitlement under Chapter 31 on or after January 1, 2018, VR&E staff must:Access DoD’s BAH Calculator website at the zip code of the facility for training at Institutes of Higher Learning (IHL)/Non-College Degree (NCD) programs, of the employer for On-Job Training (OJT), or of the agency for Non-Paid Work Experience (NPWE).Use the rate for “E-5 with Dependents”.? A reminder, the additional $89.00 is not added to these awards.? 2019 National Average BAH Rate for VR&E ParticipantsVR&E requires the use of BAH national average rates for VR&E participants who receive training on-line, in-home or in foreign institutions where there is no associated zip code.? Effective January 1, 2019:The 2019 uncapped national average BAH rate for VR&E participants who first used their entitlement under Chapter 31 on or before December 31, 2017 is $1,789.00 per month.? One half of the 2019 national average BAH rate for these VR&E participants is $894.50 per month.? These rates include the $89.00 rate adjustment.The 2019 capped national average BAH rate for VR&E participants who first used their entitlement under Chapter 31 on or after January 1, 2018 is $1,700.00 per month.? One half of the 2019 national average BAH rate for these VR&E participants is $850.00 per month.? Subsistence Allowance Module Processing – Running Awards at the Uncapped P911SA RateSubsistence allowance processed in the Subsistence Allowance Module (SAM) at the uncapped P911SA rate for a running award with a beginning date on or before December 31, 2018, and an end date on or after January 1, 2019, may need to be amended to ensure the correct rate is paid.? VR&E staff must determine whether the Veteran qualifies for rate protection, or grandfathering, of continued payment at the 2018 rate if greater than the 2019 rate, based on guidance in M28R.V.A.3.04.b.8.(c).(3).? If not, VR&E staff must amend the award to the 2019 uncapped P911SA rate.? The awards can be amended in one of two ways:Use of the SAM “rate override” feature that allows for manual entry of the correct rate.? Please note, when the “rate override” feature is used, VR&E staff must enter an override remark that this feature was used to process the award with the 2019 rate, plus $89.00. Or, Use of an automated batch process that will apply the 2019 rates.? However, this option is only appropriate if the batch process has updated the rates before the deadline of April 1, 2019.Subsistence Allowance Module Processing – New Awards at Capped P911SA RateSubsistence allowance processed in SAM at the capped 2019 P911SA rate for an award beginning on or after January 1, 2018 may need to be amended to ensure the correct rate is paid.? The awards can by amended by:First, verifying the correct amount via the BAH Calculator, as outlined in step 5.If SAM does not provide the correct rate, using the SAM “rate override” feature that allows for manual entry of the correct rate.? Please note, when the “rate override” feature is used, VR&E staff must enter an override remark that this feature was used to process the award with the 2019 rate provided by the BAH Calculator.? If SAM is updated to include the additional $89.00 amount, it will be necessary to deduct this amount for full time awards.? Please note, when calculating ?, ?, and ? rates, deduct the $89.00 first and then calculate the rate given the rate of pursuit.Please be aware all procedural guidance related to the receipt of P911SA for VR&E participants receiving training within the United States, to include eligibility, election, rate protection, rate of payment for Employment Adjustment Allowance (EAA), and award processing remains unchanged.VR&E Service allows for a 90-day grace period from the date the new 2019 rates go into effect on January 1, 2019 to amend awards.? Thus, awards must be amended prior to April 1, 2019.?? APPENDIX G: LIST OF CURRENT LETTERSVP-001VR&E Notification Letter - OverpaymentVR-01 Motivation Letter - Apply for VR&E BenefitsVR-02 Follow-up Letter - InterruptedVR-03 Appointment Letter - Initial Evaluation with VRCVR-04 Appointment Letter - Ed-Voc CounselingVR-05 Appointment Letter - Initial Evaluation with ContractorVR-06 Appointment Letter - After Initial Evaluation with ContractorVR-09 Appointment Letter - Follow-up Evaluation and PlanningVR-15 10-Day LetterVR-21 Appointment Letter - Counseling (Case Management)VR-24 Appointment Letter - Case ManagementVR-26 Missed Appointment LetterVR-29 Apportionment Letter - Original - GuardianVR-30 Apportionment Letter - Reinstatement - GuardianVR-31 Approved Tutor Contract NotificationVR-32 IEAP Development Prior Completion of TrainingVR-33 Referral - Employment ServicesVR-38 Interregional Transfer RequestVR-44 Partial Payment (Supplies) Notification - VendorVR-46 Statement of the Case NotificationVR-47 Proposed Closure for Non-Pursuit of ClaimVR-48 Proposed Discontinuance - Maximum Rehabilitation GainVR-49 Proposed Rehabilitation Letter - Further EducationVR-52 Follow Up - After DiscontinuanceVR-54 Retroactive Reimbursement LetterVR-55 Appointment Letter - Chapter 35 EvaluationVR-56 Approval - Ch31 Only Programs of Training or CoursesVR-58 Decision LetterVR-59 Disapproval - Ch31 Only Programs of Training or CoursesVR-60 Notice of Suspension - Facility (Chapter 31 Only)VR-61 Notice of Continuance - Facility (Ch31 Only)VR-62 Notice of Withdrawal - Facility (Ch31 Only)VR-63 Proposed Termination of SA - Participant (Ch31 Only)APPENDIX H: IMPORTANT LINKS / AWARD CALCULATIONVocational Rehabilitation and Employment (VR&E) Homepage: Automated Reference Material System, M28, Vocational Rehabilitation: Rehabilitation and Employment (VR&E), Subsistence Allowance Rates: 4) VA Forms: 5) Award Calculator: LINK Excel.SheetBinaryMacroEnabled.12 "C:\\Users\\VBACODUDAJO\\Desktop\\VRE AWARD Calculator v4.8.10.xlsb" "" \a \p \f 0 \* MERGEFORMAT APPENDIX I: CURRENT STATE OF SYSTEMSAPPENDIX J: WORKFLOW PROCESS EXAMPLESTYPE OF CONTRACT ANTICIPATED FORMCHECKBOX Firm Fixed Price FORMCHECKBOX Cost Reimbursement FORMCHECKBOX Labor-Hour FORMCHECKBOX Time-and-Materials FORMCHECKBOX Other __________SCHEDULE FOR DELIVERABLESNote: Days used in the table below refer to calendar days unless otherwise stated. Deliverables with due dates falling on a weekend or holiday shall be submitted the following Government work day after the weekend or holiday.TaskDeliverable ID Deliverable Description5.1ABContractor Project Management PlanDue 30 days after receipt of order (ARO) and updated monthly thereafter.Electronic submission to: VA PM, COR, CO.Inspection: DestinationAcceptance: DestinationQuarterly PMP UpdatesDue 30 days after receipt of order (ARO) and updated quarterly thereafter.Electronic submission to: VA PM, COR, CO.Inspection: DestinationAcceptance: Destination5.1.2AMonthly Project Progress Report Due 30 days after receipt of order (ARO) and updated monthly thereafter.Electronic submission to: VA PM, COR, CO.Inspection: DestinationAcceptance: Destination5.1.3ABKick-Off Meeting and PresentationDue 30 days after receipt of order (ARO).Electronic submission to: VA PM, COR, CO.Inspection: DestinationAcceptance: DestinationKick-Off Meeting MinutesDue 7 days after meeting.Electronic submission to: VA PM, COR, CO.Inspection: DestinationAcceptance: Destination5,.2AIntegration PlanDue 30 days after receipt of order (ARO).Electronic submission to: VA PM, COR, CO.Inspection: DestinationAcceptance: Destination5.3ADetailed plan, including all necessary components for implementation and support of the serviceDue 30 days after receipt of order (ARO).Electronic submission to: VA PM, COR, CO.Inspection: DestinationAcceptance: Destination5.4ABCDetailed gap analysis of current process and recommendations to enhance and improve service delivery. Due 30 days after receipt of order (ARO).Electronic submission to: VA PM, COR, CO.Inspection: DestinationAcceptance: DestinationRecommended workflow Due 30 days after receipt of order (ARO).Electronic submission to: VA PM, COR, CO.Inspection: DestinationAcceptance: DestinationImplementation PlanDue 30 days after receipt of order (ARO).Electronic submission to: VA PM, COR, CO.Inspection: DestinationAcceptance: Destination5.5ABCTest StrategyDue 30 days after receipt of order (ARO).Electronic submission to: VA PM, COR, CO.Inspection: DestinationAcceptance: DestinationPost-implementation validation of solution installation within the cloud environmentDue five (5) days after completion of testing.Electronic submission to: VA PM, COR, CO.Inspection: DestinationAcceptance: DestinationPost-Implementation validation of integration solution Due five (5) days after completion of testing.Electronic submission to: VA PM, COR, CO.Inspection: DestinationAcceptance: Destination5.6AService Level Agreement (SLA)Due 30 days after receipt of order (ARO).Electronic submission to: VA PM, COR, CO.Inspection: DestinationAcceptance: Destination5.7ABCTraining for interested VR&E partiesDue 60 days after receipt of order (ARO). Secure Electronic submission to: VA PM, COR, CO.Inspection: DestinationAcceptance: DestinationDetailed Training Plan Due 60 days after receipt of order (ARO). Secure Electronic submission to: VA PM, COR, CO.Inspection: DestinationAcceptance: DestinationElectronic User Guides / User’s Manual Due 60 days after receipt of order (ARO). Secure Electronic submission to: VA PM, COR, CO.Inspection: DestinationAcceptance: Destination5.8.1ABDetailed transition planDue 30 days after receipt of order (ARO).Electronic submission to: VA PM, COR, CO.Inspection: DestinationAcceptance: DestinationMigrated data from legacy system into the new system Due 30 days after receipt of order (ARO).Electronic submission to: VA PM, COR, CO.Inspection: DestinationAcceptance: Destination5.8.2ABCDDetailed transition planDue 90 days prior to end of period of performance.Electronic submission to: VA PM, COR, CO.Inspection: DestinationAcceptance: DestinationService dataDue 90 days prior to end of period of performance.Electronic submission to: VA PM, COR, CO.Inspection: DestinationAcceptance: DestinationBusiness rulesDue 90 days prior to end of period of performance.Electronic submission to: VA PM, COR, CO.Inspection: DestinationAcceptance: DestinationMigrated DataDue 90 days prior to end of period of performance.Electronic submission to: VA PM, COR, CO.Inspection: DestinationAcceptance: Destination5.9ABService Security Authorization Packages (SAP)Due 30 days after receipt of order (ARO).Electronic submission to: VA PM, COR, CO.Inspection: DestinationAcceptance: DestinationSecurity Incident ReportsDue 30 days after receipt of order (ARO).Electronic submission to: VA PM, COR, CO.Inspection: DestinationAcceptance: Destination6.7AContractor Staff RosterDue 30 days after receipt of order (ARO).Electronic submission to: VA PM, COR, CO.Inspection: DestinationAcceptance: DestinationADDENDUM TO VR&E PERFORMANCE WORK STATEMENT (PWS)The tasks in this addendum shall be performed in conjunction with the work in the PWS. VA IT will perform these tasks. The contractor shall provide the necessary assistance to VA IT for successful completion of these tasks.SOFTWARE SETUP (IT)The Contractor shall perform the setup of the solution. The Contractor shall support a test strategy including end-to-end plans, procedures, as well as testing scenarios.Integration work will be completed separately by OI&T but the Contractor shall support testing from their side of the connection to ensure the configuration of software is successful.Deliverables: Test Strategy, including end-to-end plans, procedures, as well as testing scenariosPost-implementation validation of solution installation within the cloud environmentPost-implementation validation of government integration solution as completed by OI&TINTEGRATION SERVICES (IT)Any development needed to integrate the solution with VA systems and services will be conducted by VA OI&T however the Contractor shall support the integration as defined in Appendix I. Integration services include those activities and requirements necessary to ensure that the Contractor’s solution properly connects to and has the necessary interfaces to support the goals of the service. Namely, the Contractor shall ensure necessary capabilities are in place to support the exchange of data between the service and the appropriate VA systems of record.Following the development of an architectural evaluation. The Contractor shall develop and provide to VA an integration plan.Deliverables: Integration PlanTRANSITION (IT)TRANSITION IN The Contractor shall support the load of the existing data into the service using an OI&T approved method. This transition plan shall accommodate the two-phased loading of existing data. The first phase shall load existing (historical) data in preparation for the service to go into production, anticipated to be on or about contract award date + 180 days. The second phase shall load data from that date through the end of the period of performance.The Contractor shall establish a detailed transition plan for implementing transition of data and operations in these two phases detailing dates, tasks, milestones, dependencies, resources, risks, and data migration procedures.The Contractor shall execute the Transition Plan to load the existing participant data into the service.Deliverables: Detailed transition plan for implementing load of metadata from existing case management systems.Migrated data from legacy system into the new system. TRANSITION OUT (IT) At the end of the period of performance, the Contractor shall support the transition from the production system to its designated agent. The Contractor shall establish a detailed transition plan for transitioning data and operations from the production system detailing dates, tasks, milestones, dependencies, resources, risks and risk management strategy, tools, data, processes, detailed specifications of all commercial-off-the-shelf products, format and methods for utilizing the Business Rules, and the configuration files or customizations that have been funded under the service to meet the requirements of this PWS. This transition plan shall accommodate two phases. The historical data through thirty (30) days prior to the end of the period of performance shall be transitioned in phase one, and the remaining data shall be transitioned at the end of the period of performance.The Contractor shall deliver all data developed within their solution to meet all requirements of this PWS in a format that will allow VA to make use of the information. This data shall be delivered using two phases. The Contractor shall deliver all VA business rules developed to aid in the operation of the service.? The exact format and nomenclature of this data varies, dependent on the system used, and is therefore not explicitly defined in this PWS. Deliverables: Detailed transition plan for transitioning data and operations from the service production systemService dataC. Business rulesD. Migrated DataCERTIFICATION AND AUTHENTICATION (IT)The service shall include security controls in accordance with VA Directive 6500 and the sensitivity level of the information to be protected and deemed necessary to control access to service features and data. In accordance with VA Handbook 6500, the Contractor shall establish, enhance and maintain the Certification and Accreditation (C&A) documentation and support the necessary activities to maintain the service Authority To Operate (ATO). The Contractor shall establish and maintain the service Security Authorization Package (SAP), which includes but is not limited to the following components:Security PlanSecurity Assessment ReportPlan of Action and MilestonesThe Contractor shall:Support the security authorization process for the initial service capabilities, at three-year intervals, and whenever significant changes to the system environment occurs.Develop and remediate security findings including outstanding findings, addressing each issue noted in accordance with the failure classification levels. Findings shall be delivered in accordance with the following schedule:Critical/High = 30 daysMedium/Moderate = 60 daysLow = 90 daysFindings not closed in accordance with the plan must be escalated for further review. Contractor personnel shall be available for interview, provide supporting documentation or allow an onsite inspection for remediation verification.Implement continuous system security monitoring.Document and resolve security incidents.Deliverables: Service Security Authorization Packages (SAP)Security Inc ................
................

In order to avoid copyright disputes, this page is only a partial summary.

Google Online Preview   Download