BACKGROUND - Veterans Affairs



FedBizOpps Sources Sought Notice (Rev. March 2010)

Classification Code: R
Subject: Research and Advisory Services Organizational Assessment
Contracting Office's ZIP Code: 07724
Solicitation Number: VA118-17-N-1863
Response Date (MM-DD-YYYY): 01-24-2017
Archive Days After the Response Date: 60
NAICS Code: 541690
Contracting Office Address: Department of Veterans Affairs, Technology Acquisition Center, 23 Christopher Way, Eatontown NJ 07724
Description: See Attachment

Request for Information
Research and Advisory Services Organizational Assessment

Title: Deputy Assistant Secretary, Chief Information Security Officer, Research and Advisory Services Organizational Assessment

This is an RFI only. Do not submit a proposal. This RFI is for planning purposes only and shall not be considered an Invitation for Bid, Request for Task Execution Plan, Request for Quotation or a Request for Proposal. Additionally, there is no obligation on the part of the Government to acquire any products or services described in this RFI. Your response to this RFI will be treated only as information for the Government to consider. You will not be entitled to payment for direct or indirect costs that you incur in responding to this RFI. This request does not constitute a solicitation for proposals or the authority to enter into negotiations to award a contract. No funds have been authorized, appropriated or received for this effort. The information provided may be used by the VA in developing its acquisition strategy. Interested parties are responsible for adequately marking proprietary, restricted or competition sensitive information contained in their response. The Government does not intend to pay for the information submitted in response to this RFI.

The Office of Information and Technology, Office of Information Security (OIS) requires an objective organizational assessment focused on functions, processes and gaps. The contractor will objectively evaluate the OIS organizational capabilities and structure, as well as the skills and competencies of OIS staff. The contractor performing the evaluation will analyze the results of these assessments and develop recommendations for addressing any identified gaps and increasing overall OIS effectiveness in reducing VA risks and vulnerabilities.

The purpose of this RFI is to request industry feedback regarding the proposed effort, as well as to gauge industry's ability and interest in performing the effort. To that end, VA requests that vendors respond to the questions below. General capability statements and marketing material should not be submitted in place of specific answers and may not be used in VA's market assessment. Responses should be limited to five (5) pages.

- Provide an overview of your ability to perform the analysis. Within this discussion, please be sure to address the following:
  - Ability to begin the assessment imminently upon award and to conclude it within three months.
  - Overview of steps to complete the assessment.
  - Demonstration of successfully performing similar assessments.
- Provide VA feedback on the clarity and sufficiency of the PWS. This may include recommended changes and additions required for successful performance.
- Discussion of any anticipated blockers to completing the study successfully.
- Discussion surrounding potential Organizational Conflicts of Interest (OCI). This should include the following:
  - Potential for how a vendor team's current VA contracts may impact the assessment's objectivity.
  - Identification of contracts that may present an OCI.
  - OCI mitigation strategies.
- Provide a Rough Order of Magnitude to accomplish the tasks within the PWS.

Vendors may also submit additional information not specifically requested above, which would provide value and insight to the Government. Please provide the following information specific to your company:

- Company Name
- POC Information
- CAGE/DUNS
- Intent to propose as the prime contractor
- If proposing as a contractor within a small business socio-economic category, provide evidence to show ability to meet the requirements of FAR 52.219-14 "Limitations of Subcontracting". Vendors may assume a NAICS of 541690 with a small business size standard of $15M.
- Identify appropriate contract vehicles for the procurement of these services.

*Please Note: VA may elect to contact individual companies based upon the content of the submission. VA may engage these companies to gather further information through email correspondence, telephone calls, virtual or physically located meetings, or other means.

Responses are due via email by January 24, 2017, 12 PM Noon EST, as stated in FBO. Responses, questions, or other correspondence may be emailed to Mark Junda, mark.junda@ and Dawn Eimont, dawn.eimont@. Please note, there is a 5MB size limit. If the submission exceeds this size limit, please contact Mark Junda.

PERFORMANCE WORK STATEMENT (PWS)
DEPARTMENT OF VETERANS AFFAIRS
Deputy Assistant Secretary (DAS)
Chief Information Security Officer (CISO)
For
Research and Advisory Services
Organizational Assessment

1.0 BACKGROUND

The mission of the Department of Veterans Affairs (VA) is to provide benefits and services to Veterans of the United States.
In meeting these goals, the three VA administrations (VHA, VBA, and NCA) and staff offices, including the Office of Information and Technology (OI&T), continually strive to provide high quality, effective, and efficient business, healthcare and technology processes and services to those responsible for providing care to Veterans at the point of care, as well as throughout all the points of Veterans' care, in an effective, timely and compassionate manner. In order to provide high quality, effective and efficient processes and services, it is important for any organization to conduct organizational assessments on a somewhat regular basis to help identify its strengths and weaknesses, and to ensure effective use of organizational resources.

The OI&T Office of Information Security (OIS) requires an objective organizational assessment focused on functions, processes and gaps. The contractor will objectively evaluate the OIS organizational capabilities and structure, as well as the skills and competencies of OIS staff. The contractor performing the evaluation will analyze the results of these assessments and develop recommendations for addressing any identified gaps and increasing overall OIS effectiveness in reducing VA risks and vulnerabilities.

2.0 APPLICABLE DOCUMENTS

Documents referenced or germane to this PWS are to be determined.

3.0 SCOPE OF WORK

The VA Chief Information Security Officer (CISO) requires an assessment of the VA Information Security Program. Specifically, OIS requires the following analysis:

- A Federal security workforce assessment to determine the best approach to align with mandatory guidance and regulation.
- An evaluation of the OIS organizational capabilities and structure, as well as the skills and competencies of its staff. The contractor performing the evaluation will analyze the results of these assessments and develop recommendations for addressing any identified gaps and increasing overall OIS effectiveness in reducing VA risks and vulnerabilities.
- Evaluation of the Information Security functions' and processes' alignment to Government and Industry best practices, laws, and regulations.
- Evaluation of Organizational gaps and recommendations for remediation.

This independent assessment will be used to optimize the organization's performance over the next eight months in the short term and over the next three years for the long term. The contractor shall provide an objective assessment. Therefore, any current VA contracts supporting or related to OIS shall be identified in order to ensure no conflict of interest is present.

4.0 PERFORMANCE DETAILS

4.1 PERFORMANCE PERIOD

The period of performance (POP) shall be three (3) months from date of award.

Any work at the Government site shall not take place on Federal holidays or weekends unless directed by the Contracting Officer (CO).

There are ten (10) Federal holidays set by law (USC Title 5 Section 6103) that VA follows. Under current definitions, four are set by date:

- New Year's Day: January 1
- Independence Day: July 4
- Veterans Day: November 11
- Christmas Day: December 25

If any of the above falls on a Saturday, then Friday shall be observed as a holiday. Similarly, if one falls on a Sunday, then Monday shall be observed as a holiday.

The other six are set by a day of the week and month:

- Martin Luther King's Birthday: Third Monday in January
- Washington's Birthday: Third Monday in February
- Memorial Day: Last Monday in May
- Labor Day: First Monday in September
- Columbus Day: Second Monday in October
- Thanksgiving: Fourth Thursday in November

4.2 PLACE OF PERFORMANCE

Tasks under this PWS shall be performed at both Government and Contractor facilities, with occasional analyst/guidance meetings between Contractor and VA management.

4.3 TRAVEL

The Government does not anticipate travel under this contract.

5.0 SPECIFIC TASKS AND DELIVERABLES

The Contractor shall perform the following:

5.1 PROJECT MANAGEMENT

5.1.1 CONTRACTOR PROJECT MANAGEMENT PLAN

The Contractor shall provide a formal Project Management Plan (PMP) that lays out the Contractor's approach, timeline and tools to be used in execution of the contract. The PMP should take the form of both a narrative and a graphic format that displays the schedule, milestones, risks and resource support. The PMP shall also include how the Contractor shall coordinate and execute planned, routine, and ad hoc data collection reporting requests as identified within the PWS. The initial baseline PMP shall be concurred upon and updated monthly thereafter. The Contractor shall update and maintain the VA PM approved PMP throughout the period of performance. Key topics that shall be included in the PMP are:

1. Develop project plan for Security Program assessment.
2. Determine, gather, examine, and analyze artifacts related to Security Program assessment and external audits.
3. Document assessment activities and results in sufficient detail to enable external review of all assessment processes, activities, results, and conclusions.
4. Provide recommendations and guidance for Security Program improvements and corrections.

Deliverables:
- Project plan for Security Program Assessment
- Security Program recommendation and guidance for improvements and corrections
- Full Report
- Executive Presentation of recommendations and guidance

5.1.2 REPORTING REQUIREMENTS

The Contractor shall provide the Contracting Officer's Representative (COR) with Monthly Progress Reports in electronic form in Microsoft Word and Project formats. The report shall include detailed instructions/explanations for each required data element, to ensure that data is accurate and consistent. These reports shall reflect data as of the last day of the preceding month.

The Monthly Progress Reports shall cover all work completed during the reporting period and work planned for the subsequent reporting period. The report shall also identify any problems that arose and describe how the problems were resolved. If problems have not been completely resolved, the Contractor shall provide an explanation including their plan and timeframe for resolving the issue. The Contractor shall monitor performance against the PMP and report any deviations. It is expected that the Contractor will keep in communication with VA accordingly so that issues that arise are transparent to both parties, to prevent escalation of outstanding issues.

Deliverables:
A. Monthly Progress Report

5.2 ORGANIZATION FUNCTIONAL CAPABILITIES ASSESSMENT SERVICES

The Contractor shall conduct a Functional Capabilities Assessment. The Contractor shall review the CISO's strategic plan, leverage independent research, and apply information security expertise to describe a target-state OIS that is consistent with best practice capabilities and functions in effective information security organizations in the federal and private sectors. The contractor will then compare the attributes of the target-state organization to the capabilities of the current organization and analyze the similarities, gaps, and differences.

Deliverables:
A. Functional Capabilities (as-is state) Assessment Report
B. Functional Capabilities Recommendation Report

5.3 ORGANIZATION STAFF ASSESSMENT SERVICES

The Contractor shall conduct a Staff Assessment to identify the skills and competencies of current OIS staff. The contractor will review and incorporate (to the extent that is practical) the competency framework defined by the Chief Learning Officer for VA's Office of Information & Technology (OI&T), in alignment with federally mandated cyber-security policy guidance. The Staff Assessment may also incorporate other skills and competencies to assist in identifying possible gaps. The contractor will use on-line assessment survey tools, participation in which is mandatory for all OIS staff, to rapidly identify the current-state skills and competencies of OIS staff. Using a combination of bottom-up (staff self-assessment) and top-down (manager validation) approaches, the contractor will analyze and evaluate staff attributes to determine which individuals possess necessary security skills and demonstrate desired behaviors. This assessment will be utilized to assist managers and supervisors with developing metrics to measure performance and to justify the need for further developmental training of OIS staff in the future, which is necessary to maintain a viable workforce with the core qualifications of their position descriptions matched to their skill-set.

Deliverables:
A. Staff Assessment Report

5.4 GAP AND RISK ANALYSIS SERVICES

Upon completion of the Functional Capabilities Assessment and the Organizational Staff Assessment, the Contractor shall summarize and present actionable recommendations to close gaps and address identified risks. In particular, recommendations and conclusions should be focused on addressing known material weaknesses and assessing how effectively OIS interacts with other OI&T organizations.

Deliverables: All deliverables will be submitted within 60 days to the Designated Government Representative (DGR). The contractor will have 30 days from the original submission to the DGR for final acceptance by the DGR of all deliverables outlined in the specific tasks.

6.0 GENERAL REQUIREMENTS

6.1 ENTERPRISE AND IT FRAMEWORK

The Contractor shall support the VA enterprise management framework. In association with the framework, the Contractor shall comply with the OIT Technical Reference Model (One-VA TRM). One-VA TRM is one component within the overall Enterprise Architecture (EA) that establishes a common vocabulary and structure for describing the information technology used to develop, operate, and maintain enterprise applications. One-VA TRM includes the Standards Profile and Product List that collectively serve as a VA technology roadmap. Architecture, Strategy, and Design (ASD) has overall responsibility for the One-VA TRM.

Where applicable, the Contractor solution shall support the latest Internet Protocol Version 6 (IPv6) requirements and compliance standards established by FAR and NIST for IPv6 for Federal Government Agencies. IPv6 technology must be included in all infrastructure and application design and development efforts.

The Contractor shall support VA efforts in accordance with the Veteran Focused Integration Process (VIP), which mandates that all new VA IT projects/programs use an incremental development approach, requiring frequent delivery milestones that deliver new capabilities for business sponsors to test and accept functionality. Implemented by the Assistant Secretary for IT, VIP is a VA-wide initiative to better empower the OIT Project Managers and teams to meet their mission: delivering world-class IT products that meet business needs on time and within budget.
The Contractor shall utilize ProPath, the OIT-wide process management tool that assists in the execution of an IT project (including adherence to VIP standards). It is a one-stop shop providing critical links to the formal approved processes, artifacts, and templates to assist project teams in facilitating their VIP-compliant work. ProPath is used to build schedules to meet project requirements, regardless of the development methodology employed.

6.2 CONTRACTOR PERSONNEL SECURITY REQUIREMENTS

The following security requirement must be addressed regarding Contractor supplied equipment: Contractor supplied equipment (PCs of all types, equipment with hard drives, etc.) used for contract services must meet all security requirements that apply to Government Furnished Equipment (GFE) and Government Owned Equipment (GOE). Security Requirements include:

a) VA Approved Encryption Software must be installed on all laptops or mobile devices before they are placed into operation;
b) Bluetooth equipped devices are prohibited within VA; Bluetooth must be permanently disabled or removed from the device;
c) VA approved anti-virus and firewall software must be installed;
d) Equipment must meet all VA sanitization requirements and procedures before disposal.

The COTR, CO, the Project Manager, and the Information Security Officer (ISO) must be notified and must verify that all security requirements have been adhered to.

1. Position Sensitivity and Background Investigation - The position sensitivity and the level of background investigation commensurate with the required level of access is:

[ ] Low/NACI   [ ] Moderate/MBI   [X] High/BI

Position Sensitivity and Background Investigation (in accordance with Department of Veterans Affairs 0710 Handbook, "Personnel Suitability and Security Program," Appendix A):

Low / Tier 1: Tier 1 / National Agency Check with Written Inquiries (NACI). A Tier 1/NACI is conducted by OPM and covers a 5-year period. It consists of a review of records contained in the OPM Security Investigations Index (SII) and the DOD Defense Central Investigations Index (DCII), a Federal Bureau of Investigation (FBI) name check, an FBI fingerprint check, and written inquiries to previous employers and references listed on the application for employment. In VA it is used for Non-sensitive or Low Risk positions.

Moderate / Tier 2: Tier 2 / Moderate Background Investigation (MBI). A Tier 2/MBI is conducted by OPM and covers a 5-year period. It consists of a review of National Agency Check (NAC) records [OPM Security Investigations Index (SII), DOD Defense Central Investigations Index (DCII), FBI name check, and an FBI fingerprint check], a credit report covering a period of 5 years, written inquiries to previous employers and references listed on the application for employment; an interview with the subject, a law enforcement check; and a verification of the educational degree.

High / Tier 4: Tier 4 / Background Investigation (BI). A Tier 4/BI is conducted by OPM and covers a 10-year period. It consists of a review of National Agency Check (NAC) records [OPM Security Investigations Index (SII), DOD Defense Central Investigations Index (DCII), FBI name check, and an FBI fingerprint check report], a credit report covering a period of 10 years, written inquiries to previous employers and references listed on the application for employment; an interview with the subject, spouse, neighbors, supervisor, co-workers; court records, a law enforcement check, and a verification of the educational degree.

Contractor Responsibilities:

a. The Contractor shall prescreen all personnel requiring access to the computer systems to ensure they maintain the appropriate Background Investigation, and are able to read, write, speak and understand the English language.
b. The Contractor shall bear the expense of obtaining background investigations.
c. For a Low Risk designation the following forms are required: 1. OF-306 and either 2. DVA Memorandum – Electronic Fingerprints or FD-258 Fingerprint card. For Moderate or High Risk the following forms are required: 1. VA Form 0710 and either 2. DVA Memorandum – Electronic Fingerprints or FD-258 Fingerprint card. These should be submitted to the CO or COTR after award has been made.
d. Within 3 days after award, the Contractor shall provide a staff roster to the CO and COTR to enable the initiation of the Electronic Questionnaire for Investigations Processing (e-QIP) to begin their background investigations.
e. The Contractor personnel will receive an email notification from the Electronic Questionnaire for Investigations Processing (e-QIP) identifying the website link that includes detailed instructions regarding completion of the investigation documents (SF85 or SF85P). The Contractor personnel shall submit all required information related to their background investigations utilizing the Office of Personnel Management's (OPM) Electronic Questionnaire for Investigations Processing (e-QIP).
f. The Contractor is to sign the signature page and send it to the COTR and CO for electronic submission to the Security and Investigations Center (SIC).
g. The Contractor shall be responsible for the actions of all personnel provided to work for VA under this contract. In the event that damages arise from work performed by Contractor provided personnel under the auspices of this contract, the Contractor shall be responsible for all resources necessary to remedy the incident.
h. If the background investigation is not completed prior to the start date of the contract, the Contractor employee may work on the contract once the investigation has been initiated and sent to the OPM. However, the Contractor will be responsible for the actions of the Contractor personnel they provide to perform work for VA.
The investigative history for Contractor personnel working under this contract must be maintained in the databases of either the OPM or the Defense Industrial Security Clearance Organization (DISCO).
i. The Contractor, when notified of an unfavorable determination by the Government, shall withdraw the employee from consideration for working under the contract.
j. Failure to comply with the Contractor personnel investigative requirements may result in termination of the contract for default.

6.3 METHOD AND DISTRIBUTION OF DELIVERABLES

The Contractor shall deliver documentation in electronic format, unless otherwise directed in Section B of the solicitation/contract. Acceptable electronic media include: MS Word 2000/2003/2007, MS Excel 2000/2003/2007, MS PowerPoint 2000/2003/2007, MS Project 2000/2003/2007, MS Access 2000/2003/2007, MS Visio 2000/2002/2003/2007, AutoCAD 2002/2004/2007/2010, and Adobe Postscript Data Format (PDF).

6.4 PERFORMANCE METRICS

The table below defines the Performance Standards and Acceptable Performance Levels for the Objectives associated with this effort.

Performance Objective: Technical Needs
  Performance Standard: Shows understanding of requirements; efficient and effective in meeting requirements; meets technical needs and mission requirements; offers quality services/products.
  Acceptable Level of Performance: Satisfactory or higher

Performance Objective: Project Milestones and Schedule
  Performance Standard: Quick response capability; products completed, reviewed, and delivered in a timely manner; notifies customer in advance of potential problems.
  Acceptable Level of Performance: Satisfactory or higher

Performance Objective: Project Staffing
  Performance Standard: Currency of expertise; personnel possess the necessary knowledge, skills and abilities to perform tasks.
  Acceptable Level of Performance: Satisfactory or higher

Performance Objective: Value Added
  Performance Standard: Provided valuable service to Government; services/products delivered were of the desired quality.
  Acceptable Level of Performance: Satisfactory or higher

The Government will utilize a Quality Assurance Surveillance Plan (QASP) throughout the life of the contract to ensure that the Contractor is performing the services required by this PWS in an acceptable manner. The Government reserves the right to alter or change the surveillance methods in the QASP at its own discretion. A Performance Based Service Assessment Survey will be used in combination with the QASP to assist the Government in determining acceptable performance levels.

6.5 FACILITY/RESOURCE PROVISIONS

The Government shall provide office space, telephone service and system access when authorized contract staff work at a Government location, as required in order to accomplish the Tasks associated with this PWS. All procedural guides, reference materials, and program documentation for the project and other Government applications will also be provided on an as-needed basis.

The Contractor shall request other Government documentation deemed pertinent to the work accomplishment directly from the Government officials with whom the Contractor has contact. The Contractor shall consider the COTR as the final source for needed Government documentation when the Contractor fails to secure the documents by other means. The Contractor is expected to use common knowledge and resourcefulness in securing all other reference materials, standard industry publications, and related materials that are pertinent to the work.

VA shall provide access to VA specific systems/network as required for execution of the task via a site-to-site VPN or other technology, including VA specific software such as Veterans Health Information System and Technology Architecture (VistA), ClearQuest, ProPath, Primavera, and Remedy, including appropriate seat management and user licenses. The Contractor shall utilize Government-provided software development and test accounts, document and requirements repositories, etc. as required for the development, storage, maintenance and delivery of products within the scope of this effort.

The Contractor shall not transmit, store or otherwise maintain sensitive data or products in Contractor systems (or media) within the VA firewall, in accordance with (IAW) VA Handbook 6500.6 dated March 12, 2010. All VA sensitive information shall be protected at all times in accordance with the local security field office System Security Plans (SSPs) and Authority to Operate (ATO) for all systems/LANs accessed while performing the tasks detailed in this PWS. For detailed Security and Privacy Requirements refer to ADDENDUM A and ADDENDUM B.

6.6 GOVERNMENT FURNISHED PROPERTY

Not applicable.