Www.vendorportal.ecms.va.gov



5. PROJECT NO.CODE7. ADMINISTERED BY2. AMENDMENT/MODIFICATION NO.CODE6. ISSUED BY8. NAME AND ADDRESS OF CONTRACTOR4. REQUISITION/PURCHASE REQ. NO.3. EFFECTIVE DATE9A. AMENDMENT OF SOLICITATION NO.9B. DATEDPAGE OF PAGES10A. MODIFICATION OF CONTRACT/ORDER NO.10B. DATEDBPA NO.1. CONTRACT ID CODEFACILITY CODECODE Offers must acknowledge receipt of this amendment prior to the hour and date specified in the solicitation or as amended, by one of the following methods:The above numbered solicitation is amended as set forth in Item 14. The hour and date specified for receipt of OffersE. IMPORTANT:is extended, (a) By completing Items 8 and 15, and returning __________ copies of the amendment; (b) By acknowledging receipt of this amendment on each copy of the offer submitted; or (c) By separate letter or telegram which includes a reference to the solicitation and amendment numbers. FAILURE OF YOUR AC- KNOWLEDGMENT TO BE RECEIVED AT THE PLACE DESIGNATED FOR THE RECEIPT OF OFFERS PRIOR TO THE HOUR AND DATE SPECIFIED MAYis not extended.12. ACCOUNTING AND APPROPRIATION DATA(REV. 10-83)is required to sign this document and return ___________ copies to the issuing office.is not,A. THIS CHANGE ORDER IS ISSUED PURSUANT TO: (Specify authority) THE CHANGES SET FORTH IN ITEM 14 ARE MADE IN THE CONTRACT ORDER NO. IN ITEM 10A.15C. DATE SIGNEDB. THE ABOVE NUMBERED CONTRACT/ORDER IS MODIFIED TO REFLECT THE ADMINISTRATIVE CHANGES SET FORTH IN ITEM 14, PURSUANT TO THE AUTHORITY OF FAR 43.103(b). RESULT IN REJECTION OF YOUR OFFER. If by virtue of this amendment you desire to change an offer already submitted, such change may be made by telegram or letter, provided each telegram or letter makes reference to the solicitation and this amendment, and is received prior to the opening hour and date specified.C. THIS SUPPLEMENTAL AGREEMENT IS ENTERED INTO PURSUANT TO AUTHORITY OF:D. OTHERBYContractor16C. DATE SIGNED14. DESCRIPTION OF AMENDMENT/MODIFICATION16B. UNITED STATES OF AMERICAExcept as provided herein, all terms and conditions of the document referenced in Item 9A or 10A, as heretofore changed, remains unchanged and in full force and effect.15A. NAME AND TITLE OF SIGNER16A. NAME AND TITLE OF CONTRACTING OFFICER15B. CONTRACTOR/OFFERORSTANDARD FORM 30 NSN 7540-01-152-8070PREVIOUS EDITION NOT USABLEPrescribed by GSA - FAR (48 CFR) 53.243(Type or print)(Type or print)(Organized by UCF section headings, including solicitation/contract subject matter where feasible.)(No., street, county, State and ZIP Code)(If other than Item 6)(Specify type of modification and authority)(such as changes in paying office, appropriation date, etc.)(If required)(If applicable)(SEE ITEM 11)(SEE ITEM 13)(X)(X)13. THIS ITEM APPLIES ONLY TO MODIFICATIONS OF CONTRACTS/ORDERS,IT MODIFIES THE CONTRACT/ORDER NO. AS DESCRIBED IN ITEM 14.11. THIS ITEM ONLY APPLIES TO AMENDMENTS OF SOLICITATIONSAMENDMENT OF SOLICITATION/MODIFICATION OF CONTRACT(Signature of person authorized to sign)(Signature of Contracting Officer) 1 44000603188Department of Veterans AffairsTechnology Acquisition Center260 Industrial Way WestEatontown NJ 07724Department of Veterans AffairsTechnology Acquisition Center260 Industrial Way WestEatontown NJ 07724To all Offerors/BiddersVA118-12-R-0049XXXXThe purpose of this amendment is to:1. Revise the Performance Work Statement (PWS) to include follow-on services for an additional six (6) locations.Changes are reflected in paragraph 1.0, 3.0, 4.2, 5.2 and 5.3 of the PWS (see following page for description of PWSchanges).2. Provide the Historical Breakdown Data 2010 by Month.3. Post additional questions submitted by vendors as well as the Government's responses.4. Extend the Request for Proposal (RFP) due date to 4:00PM EST, 1/17/2012.All other terms, conditions and requirements remain unchanged.David NostrantContracting Officer10L3-1748 The following changes to the PWS resulted due to the addition of six (6) sites:1.0 Background – Number of sites in paragraph 2 is updated to “eleven (11)” to reflect the additional sites.3.0 Scope of Work – Table 1 was updated to reflect that sites 1-5 require PBX Maintenance and Follow-On Service. - Table 2 was added to show the six (6) additional sites and reflect the fact that they only require follow-on service. Two paragraphs were added following Table 2 to describe the follow-on work and give an idea of the historical work volume.4.2 Place of Performance – Updated to reflect the addition of the six (6) sites and provide their addresses. 5.2 Maintenance Requirement – Paragraph 2 was updated to show eleven (11) locations. The table describing locations and number of ports was also updated accordingly.5.3 Functional and Technical Requirements – The table was updated to add the six (6) additional locations and corresponding info. Questions and Answers – Round 51/11/2012During the site visit the core only mentioned maintenance on the rectifier but not the batteries and UPS, could you please clarify which is correct.A: The batteries and UPS are covered under this contract. If so, we would like you to provide the service log for each job site and date of installation.A: Batteries and rectifiers are included in the Preventative Monthly Inspections (PMIs) as part of maintenance. The following are the install dates: Palo Alto – 2011Livermore – 2011Menlo Park – 2003Modesto – N/A Since you have added the Modesto job site we would like the historical data.A: Zero MACs performed during the historical data period. Only maintenance was performed. Is the current contractor maintaining the Modesto job site?A: Yes, the incumbent is currently maintaining the Modesto Vet Center through remote monitoring, and onsite service if needed.Under the Federal Acquisition Regulation (FAR) the awarded contract amount, period of performance is releasable and is a part of the government initiation for transparency, so please release that information. We have previously asked for this information from all branches of Department of Defense and NON Department of Defense Agencies and it have always been released. If you are unable to release it, please provide us with Small Business Specialist contact information in your office or have them to contact us.A: The total contract value of the previous 12 month effort was approximately $854,000; please keep in mind this previously awarded contract had requirements that differ from those currently being solicited.Is GSA pricing required for this response?A: GSA pricing is not required for this response.Is the VA looking for vendors to respond with just CLIN pricing or is a Technical Response also required?A: A technical response is also required in accordance with E.12 and E.13 of the Request for Proposal (RFP).Are there CLINS associated with costs for onsite tech?A: Those costs should be included in the maintenance service SLINS, 0003AA, 1003AA, 2003AA, 3003AA, and 4003AA or follow-on service SLINS, 0004AA, 1004AA, 2004AA, 3004AA, and 4004AA as deemed appropriate by the Contractor.Does the VA want all of the analog and digital telephones covered (including patient phones and attendant consoles) under the extended parts warranty? For example, a digital Avaya phone stops working, the contractor would replace the phone under the fixed monthly price?A: The contractor is responsible for replacing broken phones and providing phones when necessary. CONTINUATION PAGE PERFORMANCE WORK STATEMENT (PWS)DEPARTMENT OF VETERANS AFFAIRSOFFICE OF INFORMATION & TECHNOLOGYVA PALO ALTO HEALTH CARE SYSTEM OFFICEPBX/TELEPHONE SYSTEM MAINTENANCE FORVA PALO ALTO HEALTH CARE SYSTEM (VAPAHCS)DATE: 1/12/2012TAC-FY-12-03188PWS VERSION NUMBER: 5.0Contents TOC \o "1-3" \h \z \u 1.0 BACKGROUND PAGEREF _Toc313371679 \h 72.0 APPLICABLE DOCUMENTS PAGEREF _Toc313371680 \h 73.0 SCOPE OF WORK PAGEREF _Toc313371681 \h 84.0 PERFORMANCE DETAILS PAGEREF _Toc313371682 \h 94.1PERFORMANCE PERIOD PAGEREF _Toc313371683 \h 94.2PLACE OF PERFORMANCE PAGEREF _Toc313371684 \h 104.3TRAVEL PAGEREF _Toc313371685 \h 105.0 SPECIFIC TASKS AND DELIVERABLES PAGEREF _Toc313371686 \h 105.1PROJECT MANAGEMENT PAGEREF _Toc313371687 \h 115.1.1PROJECT KICK-OFF MEETING PAGEREF _Toc313371688 \h 115.1.2REPORTING REQUIREMENTS PAGEREF _Toc313371689 \h 115.2MAINTENANCE REQUIREMENT PAGEREF _Toc313371690 \h 115.3 FUNCTIONAL AND TECHNICAL REQUIREMENTS PAGEREF _Toc313371691 \h 145.4 PBX CHARACTERISTICS AND FEATURES PAGEREF _Toc313371692 \h 155.5PBX POWER SUPPLIES: PAGEREF _Toc313371693 \h 165.6ALARMS AND TROUBLE INDICATORS PAGEREF _Toc313371694 \h 175.7 VOICE STATION CHARACTERISTICS AND FEATURES PAGEREF _Toc313371695 \h 175.8SYSTEM AND TRUNK COMPATIBILITY PAGEREF _Toc313371696 \h 185.9CABLE DISTRIBUTION SYSTEM PAGEREF _Toc313371697 \h 185.10OUTSIDE CABLE PAGEREF _Toc313371698 \h 185.11RISER CABLE PAGEREF _Toc313371699 \h 195.12OUTLET JACKS AND STATION CABLE PAGEREF _Toc313371700 \h 195.13DISTRIBUTION FRAMES PAGEREF _Toc313371701 \h 195.14FOLLOW-ON SERVICE PAGEREF _Toc313371702 \h 205.15PERFORMANCE AND QUALIFICATIONS PAGEREF _Toc313371703 \h 225.16ON SITE CONTRACTOR PERSONNEL PAGEREF _Toc313371704 \h 235.17KEY SERVICE PAGEREF _Toc313371705 \h 246.0 GENERAL REQUIREMENTS PAGEREF _Toc313371706 \h 246.1CONTRACTOR PERSONNEL SECURITY REQUIREMENTS PAGEREF _Toc313371707 \h 246.2METHOD AND DISTRIBUTION OF DELIVERABLES PAGEREF _Toc313371708 \h 266.3 PERFORMANCE METRICS: PAGEREF _Toc313371709 \h 266.4FACILITY/RESOURCE PROVISIONS PAGEREF _Toc313371710 \h 27ADDENDUM A PAGEREF _Toc313371711 \h 29ADDENDUM B PAGEREF _Toc313371712 \h 33ATTACHMENT 1 (PMI Checklist and PMI Report Template) PAGEREF _Toc313371713 \h 43ATTACHMENT 2 (Potential Follow-On Service Replacement Parts) PAGEREF _Toc313371714 \h 43ATTACHMENT 3 (Historical Data for 2010) PAGEREF _Toc313371715 \h 431.0 BACKGROUNDThe Department of Veterans Affairs (VA) Palo Alto Health Care System (VAPAHCS) is a VA health care group located in California which consists of three (3) inpatient facilities in Palo Alto, Menlo Park, and Livermore, plus seven (7) outpatient clinics in San Jose, Capitola, Monterey, Stockton, Modesto, Sonora, and Fremont. VAPAHCS operates nearly 900 beds, including three nursing homes and a 100-bed homeless domiciliary serving more than 85,000 enrolled Veterans. VAPAHCS is home to a variety of regional treatment centers, including a Polytrauma Rehabilitation Center, Spinal Cord Injury Center, a Comprehensive Rehabilitation Center, a Traumatic Brain Injury Center, the Western Blind Rehabilitation Center, a Geriatric Research Educational and Clinical Center, a Homeless Veterans Rehabilitation program, and the National Center for Post Traumatic Stress Disorder (PTSD).This Performance Work Statement (PWS) defines the requirements for Private Branch Exchange (PBX)/Telephone Maintenance and Follow-on Services for the eleven (11) VAPAHCS locations that are part of the VA Sierra Pacific Network (VISN 21).2.0 APPLICABLE DOCUMENTSDocuments referenced or germane to this Performance Work Statement (PWS) are listed below. In the performance of the tasks associated with this Performance Work Statement, the Contractor shall comply with the following:1.44 U.S.C. § 3541,?“Federal Information Security Management Act (FISMA) of 2002”2.Federal Information Processing Standards (FIPS) Publication 140-2, “Security Requirements For Cryptographic Modules”3.FIPS Pub 201, “Personal Identity Verification of Federal Employees and Contractors,” March 20064.10 U.S.C. § 2224, "Defense Information Assurance Program"5.5 U.S.C. § 552a, as amended, “The Privacy Act of 1974” 6.42 U.S.C. § 2000d “Title VI of the Civil Rights Act of 1964”7.Department of Veterans Affairs (VA) Directive 0710, “Personnel Suitability and Security Program,” September 10, 20048.36 C.F.R. Part 1194 “Electronic and Information Technology Accessibility Standards,” July 1, 20039.OMB Circular A-130, “Management of Federal Information Resources,” November 28, 200010.An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, March 200511.Homeland Security Presidential Directive (12) (HSPD-12)12.VA Directive 6500, “Information Security Program,” August 4, 200613.VA Handbook 6500, “Information Security Program,” September 18, 200714.VA Handbook, 6500.5, Incorporating Security and Privacy in System Development Lifecycle.15.VA Handbook 6500.6, “Contract Security,” March 12, 201016.Electronic Industries Association and Telecommunications Industry Association (EIA/TIA) 568 - Commercial Building Telecommunications Wiring Standards17.EIA/TIA 569 - Commercial Building Standards for Telecommunications Pathways and Spaces18.EIA/TIA 606 - Building Infrastructure Administration Standard19.EIA/TIA 607 - Grounding and Bonding Requirements for Telecommunications20.EIA/TIA TSB 40A - Additional Transmission Specifications for Unshielded Twisted-Pair Connecting Hardware 21.NEC code – 2011 National Electrical Codes books3.0 SCOPE OF WORKThe Contractor shall provide PBX and telecommunication maintenance support services at the five (5) VAPAHCS locations. Each location has existing Government owned PBX telephone systems installed and operating on a 24x7x365 basis (see table 1 below). Each PBX system is used to support the telephone network installed and operating throughout each location and its surrounding campus buildings. PBX Maintenance and Follow-On ServiceVAPAHCS LocationsPBX System Model1.Palo Alto Division, Palo Alto CAAvaya/Nortel Meridian 1 Option 81 C2.Menlo Park Division, Menlo Park, CAAvaya/Nortel Meridian 1 Option 61 C3.Livermore Division, Livermore, CAAvaya/Nortel Meridian 1 Option 61 C4.San Jose Outpatient Clinic, San Jose, CAAvaya/Nortel Meridian 1 Option 11 C 5. Modesto Vet Center, Modesto, CA Avaya/Nortel Norstar key systemTable 1The Contractor is required to report daily to VA staff at the main site (Palo Alto location) to monitor and maintain the five (5) existing VAPAHCS PBX systems, telephones and ancillary equipment located throughout these five (5) locations. In addition the Contractor shall provide telephone maintenance service to include all necessary labor, materials, parts, equipment, shipping and transportation for Move, Add and Change (MAC) follow-on services and full labor maintenance of the Government-owned PBX telephone systems. This includes maintenance and support of Automatic Call Distributor (ACD), Symposium and Call Pilot voicemail systems. Follow-On Service OnlyVAPAHCS LocationsPBX System Model6.Capitola Clinic and Vet Center, Capitola, CAnone7. Fremont Clinic, Fremont, CAnone8. Modesto Clinic, Modesto, CAnone9.Stockton Clinic, Stockton, CAnone 10. Monterey Clinic, Monterey, CAnone 11. Sonora Clinic, Sonora, CAnoneTable 2PBX maintenance is required at the 5 sites which have a PBX system (Palo Alto, Menlo Park, Livermore, San Jose, and Modesto Vet Center), as well as follow-on service.Follow-on service (MACs) only is also needed at the following locations (Capitola, Fremont, Modesto Clinic, Stockton, Monterey, and Sonora). The follow-on service at these facilities includes cabling support, cross-connects, punch downs, and telecom duties as requested. There are no PBX systems or digital Avaya/Nortel phones at these locations. Historically, minimal MACs have been requested at these outer lying sites. Between January of 2010 and October of 2010, the workload is as follows (Capitola 4, Fremont 0, Stockton 6, Modesto Clinic 10, Sonora 2, and Monterey 10 work orders).4.0 PERFORMANCE DETAILS4.1PERFORMANCE PERIODThe period of performance for this delivery order shall be a 12 month effort with four (4) options, each for 12 months of service. The Contractor shall continue to support the PBX/telephone system maintenance for VAPAHCS in each option period. The support shall include all tasks outlined in sections 5.1 to 5.18 (to include subsections). All contract work at the government sites is to be performed during regular business hours 7:30 am to 4:30 pm Pacific Standard Time, Monday through Friday. However, in the event when Urgent or High priority service calls are received by the help desk, contractor on-call technicians must respond to within two (2) hours for Urgent priority calls and 24 hours for High priority calls (priority definition is defined in section 5.14.2 of this PWS). Any work at the government site shall not take place on Federal holidays or weekends unless directed by the Contracting Officer (CO). If required, the CO may designate the Contractor to work during holidays and weekends. There are ten (10) Federal holidays set by law (USC Title 5 Section 6103) that the VA follows:Under current definitions, four are set by date:New Year's DayJanuary 1Independence DayJuly 4Veterans DayNovember 11Christmas DayDecember 25If any of the above falls on a Saturday, then Friday shall be observed as a holiday. Similarly, if one falls on a Sunday, then Monday shall be observed as a holiday.The other six are set by a day of the week and month:Martin Luther King's BirthdayThird Monday in JanuaryWashington's BirthdayThird Monday in FebruaryMemorial DayLast Monday in MayLabor DayFirst Monday in SeptemberColumbus DaySecond Monday in OctoberThanksgivingFourth Thursday in November 4.2PLACE OF PERFORMANCETasks under this PWS shall be performed at the eleven (11) VAPAHCS facilities located at,1.Palo Alto Division, 3801 Miranda Ave., Palo Alto CA 94304, 2.Menlo Park Division, 795 Willow Road, Menlo Park, CA 94025, 3.Livermore Division, 4951 Arroyo Rd, Livermore, CA 94550,4.San Jose Outpatient Clinic, 80 Great Oaks Blvd, San Jose, CA 95119,5.Modesto Vet Center, 1219 N. Carpenter Rd, Suite 12, Modesto, CA 95351,6.Capitola Outpatient Clinic and Vet Center, 1350 41st Avenue, Suites 102-104, Capitola, CA 95010,7.Fremont Outpatient Clinic, 39199 Liberty Street, Fremont, CA 94538,8.Modesto Outpatient Clinic, 1524 McHenry Avenue, Modesto, CA 95350,9.Monterey Outpatient Clinic, 3401 Engineer Lane, Seaside, CA 93955,10.Sonora Outpatient Clinic, 13663 Mono Way, Sonora, CA 9537011.Stockton Outpatient Clinic, 7777 South Freedom Rd, French Camp, CA 95231Work may be performed at remote locations with prior approval of the Contracting Officer Technical Representative (COTR). 4.3TRAVELThe Government anticipates local travel under this effort to perform telecommunications maintenance through the period of performance.? Include estimated local travel costs in your firm-fixed price line items. These costs will not be directly reimbursed by the Government.5.0 SPECIFIC TASKS AND DELIVERABLESThe Contractor shall perform the following: 5.1PROJECT MANAGEMENT5.1.1PROJECT KICK-OFF MEETINGThe Contractor shall conduct a project kick-off meeting within two (2) weeks of award to introduce the Government team, including the COTR and/or CO to the Contractor’s overall operating plans and approach to this work. The Contractor shall present and be prepared to discuss the Contractor’s understanding of the scope of this effort. This meeting shall be held at the Palo Alto facility and shall last no more than one (1) business day. The Contractor shall deliver Kick-Off meeting agenda prior to the meeting. The Contractor shall document the meeting minutes to identify all the discussion points, agreements and action items.Deliverables: A.Kick-off Meeting AgendaB.Kick-Off Meeting Minutes5.1.2REPORTING REQUIREMENTSThe Contractor shall provide a service report after the conclusion of each repair, schedule maintenance, software installation, or system modification. The Contractor shall provide a written service report indicating the date of service, model number, serial number (serial numbers are only required when visually obtainable without having to disassemble a unit) and location of equipment serviced, the name of the service representative, and the services performed and parts replaced. Each report shall include the Contractor’s recommendation(s) to maintain the serviced equipment according the original equipment manufacturer (OEM) specifications and without failure or service interruption. The Contractor shall use the VA Remedy electronic work order system accessible at any of the VAPAVCS locations (accessible via VPN) to document these service reports. Each report shall be filed and housed in the Palo Alto on-site COTR's office. The service files shall be accessible to appropriate VAPAHCS staff.Deliverable:? A.Service Report5.2MAINTENANCE REQUIREMENTThe Contractor shall provide PBX and telecommunication maintenance support services at the five (5) VAPAHCS locations. Each PBX system is used to support the telephone network installed and operating throughout each location and its surrounding campus buildings. The Contractor is required to report daily to VA staff at the main site (Palo Alto location) to monitor and maintain the five (5) existing VAPAHCS PBX systems, telephones and ancillary equipment located throughout these locations. At the main location the Contractor shall respond to service calls (received via Remedy troubleshooting ticketing system) and shall dispatch personnel to any of the five (5) locations to perform required maintenance. The maintenance shall include providing PBX service (i.e., PBX programming of routing table, port assignments), repair, and troubleshooting of existing equipment including telephones and line connections. The Contractor shall perform maintenance according to OEM specifications.?? The Contractor shall run monthly maintenance loads, provide monthly preventive monthly inspections (PMI), checking the status of the T1 trunk lines daily for any alarms/alerts, and ensure the time is correct on the PBX.The Contractor shall perform the following maintenance requirements in the performance of this delivery order. The number of port counts currently are as follows, the port count may vary with moves, adds, and changes (MAC):LocationPortsLivermore Division1071Menlo Park Division1890San Jose Outpatient Clinic403Palo Alto Division6289Modesto Vet Center20Remote MonitoringCapitola Outpatient Clinic0Fremont Outpatient Clinic0Modesto Outpatient Clinic0Monterey Outpatient Clinic0Sonora Outpatient Clinic0Stockton Outpatient Clinic01.The Contractor shall provide Avaya/Nortel Meridian 1 PBX and telephone maintenance service to include all necessary labor, materials, parts, equipment, shipping and transportation to provide for MAC follow-on services and full labor maintenance of the Government-owned PBX telephone systems. The follow-on services requirement is identified in section 5.14 of this PWS. This includes maintenance and support of Automatic Call Distribution (ACD), Symposium, and Call Pilot voicemail systems. Technicians must be technical experts to the current release of the PBX software, ACD software, and Call Pilot software.2.The telephone systems and voice mail systems must be maintained and serviced in accordance with (IAW) the Meridian manufacturer's commercial specifications. The Contractor must be an authorized Avaya/Nortel Distributor, and have access to contact Avaya/Nortel as needed for support. The Contractor must provide a copy of the Contractors Partner Assurance Support Service (PASS) contract number with Avaya to the COTR.3.The Contractor is responsible for providing maintenance support to the Avaya/Nortel PBX systems at each location identified in section 3.0. This includes maintaining the integration between all sites and inter-campus dialing features. Additionally there is a Cisco Voice over Internet Protocol (VOIP) solution at Menlo Park and Palo Alto. The Contractor must ensure continued functionality of the integration and routing of the VOIP system. 4.The Contractor is responsible to ensure all PBXs, telephones and auxiliary equipment covered under this contract are maintained IAW and in compliance to associated manufacturer’s maintenance specifications (these manufacturer’s maintenance specifications are readily available from the manufacturer’s web sites). Ancillary equipment is defined as any peripherals with a physical connection to the PBX, such as modems, on-hold messaging systems, etc.5. Preventative maintenance shall be performed by the Contractor IAW manufacturer's recommended practice during non-busy time agreed to by VAPAHCS and the Contractor. Non-peak hours are agreed to by VAPAHCS and the Contractor. Historically this is done on a Saturday between the hours of 10pm and 2am, and only twice a year. A preventative maintenance schedule shall be provided within 15 calendar days from date of award to the CO and COTR.6. PMI reports are due during the first week of every succeeding month. The Contractor shall complete the PMI checklist and run all maintenance loads IAW commercial manufacturer’s specifications. The PMI report shall follow the PMI checklist and template identified in Attachment 1. 7. All maintenance performed on the telephone system shall be coordinated with the COTR. There shall be no scheduled interruptions of service for system changes and upgrades without prior written approval from the Office of Information & Technology (OIT) Facility Chief Information Officer (CIO) at Palo Alto. The Contractor shall accept no service changes unless authorized by Facility CIO. This includes any MACs to the telephone system.8. The Contractor shall be responsible for all contacts and coordination with the local telephone company concerning maintenance and installation of all telephone company maintained circuits and equipment.9.The Contractor shall report all problems and service effecting issues to the COTR.?? If urgent and the COTR is not readily available, the Contractor shall report all problems to the Facility CIO.10. The Contractor shall be responsible for the cost of telephone company repair service visits when the cause of the trouble is determined to be in VAPAHCS' system(s). This applies only when the Contractor requests telephone company repair services.11. The Contractor shall provide annual traffic studies (to include call data information from PBXs) to determine trunking adequacy and efficiency.12. The Contractor shall provide consulting services for local users of the system as may be required by VAPAHCS. These services shall include assistance in meeting user requirements, operating telecommunications equipment, and with station arrangements, training or other local requirements or services as may be required by VAPAHCS.13. The Contractor is responsible for maintaining and updating the "Switch File" document. The Switch File document provides pertinent information on the switching system including the quantities of available/future ports for system expansion. The Switch File document shall include the "Bayface" layouts. The Switch File and the Bayface layouts will provide information to VAPAHCS personnel of the current utilization of the switching system and provide the exact card locations for future usage. The accuracy of the Switch File document shall be reviewed and verified immediately upon arrival on site after contract award and shall be updated any time equipment is added or deleted. The “as is” Switch File document and the Bayface layouts will be provided to the Contractor at the time of contract award. 14. The Contractor is responsible for backing up all the tapes (the tape backup shall be sufficient to cover all supported PBX systems) located in the switch room and the copy located in the lead telecommunications specialist office at a minimum once weekly.15. The Contractor is responsible for loading and maintaining cable record information to the VA Palo Alto server share.16.The Contractor shall ensure all spare parts required for proper maintenance of the system(s) are maintained in the telephone switch room or at the maintenance facility and are subject to availability inspection by a representative of VAPAHCS at any time during the period of performance. These spare parts currently exist as crash kits.Note: Only VA Nortel trained telecom personnel will be permitted to accomplish administrative database changes related to analog or digital lines. Deliverables:A.PMI ReportsB.Traffic StudyC.Switch File D.Copy of Contractor’s PASS Contract number with Avaya/Nortel5.3 FUNCTIONAL AND TECHNICAL REQUIREMENTSThe Contractor shall ensure the following functional and technical capabilities are operable and maintained throughout the period of performance. The PBX model and additional capabilities at each location are identified in the table below. VAPAHCS LocationsPBX System ModelVoicemailSymposium1.Palo Alto Division, Palo Alto CAAvaya/Nortel Meridian 1 Option 81 CYesYes2.Menlo Park Division, Menlo Park, CAAvaya/Nortel Meridian 1 Option 61 CYesNo3.Livermore Division, Livermore, CAAvaya/Nortel Meridian 1 Option 61 CYesYes4.San Jose Outpatient Clinic, San Jose, CAAvaya/Nortel Meridian 1 Option 11 C YesNo5. Modesto Vet Center, Modesto, CAAvaya/Nortel Norstar key systemNoNo6.Capitola Outpatient Clinic and Vet Center, Capitola, CANoneNoNo7. Fremont Outpatient Clinic, Fremont, CANoneNoNo8. Modesto Outpatient Clinic, Modesto, CANoneNoNo9. Monterey Outpatient Clinic, Monterey, CANoneNoNo 10. Sonora Outpatient Clinic, Sonora, CA NoneNoNo 11. Stockton Outpatient Clinic, Stockton, CANoneNoNoThe Contractor shall ensure the PBXs:1. Interoperate with the Local Exchange Network, Federal Telecommunications System (FTS) Intercity Network and Interchange Carriers.2. Provide direct access to trunk level equipment including radio paging, and audio paging.3. Maintain existing mixture of trunk types. (Information is identified in the Bayface layout, available upon request.)4.Provide all stations with the ability to direct dial other telephone stations, the commercial telephone network, tie-lines, and FTS-2001 telephone numbers without attendant assistance.5. Provide direct-in-dial (DID) service to selected stations.6. Provide dual tone multi-frequency (DTMF) telephone instruments for both intra and external calling.7. Provide universal night answer from remote points.5.4 PBX CHARACTERISTICS AND FEATURESThe Contractor shall ensure the following Meridian 1 PBX characteristics and features are operable and maintained throughout the period of performance.1.The Contractor shall ensure that each Meridian 1 switch has the capacity to handle digital and analog station lines, digital and analog trunks, and Voice Mail ports commensurate to the terminal number levels allowed in the software. Any increases to current equipped levels will be accomplished through the purchase and installation of additional cards to fill vacant card slots.2.The Contractor shall ensure an automatic central trunk connection to pre-determined stations for emergency trunk by-pass/cut-through services is provided.3.In the performance of cable plant management:a.The Contractor shall maintain the VA provided cable records to capture any changes. VA will provide at the start of the contract a list of on-premise cables by circuit number, number of pairs for each circuit, and circuit definition. b.The Contractor shall maintain the current VAPAHCS provided cable plant distribution record to identify the location (cable pair) on the Main Distributing Frame (MDF), the riser, the size cable, cable pair-in-use (main cable feeder and station cable), building and room number of the termination, and the type equipment terminated4. The Contractor shall maintain the current VAPAHCS auxiliary equipment inventory in operable condition IAW the commercial OEM specifications. The auxiliary equipment includes PBX cabinets, cards (active and spares), batteries, surge protectors, rectifiers, all peripheral equipment (i.e. radio page). The Contractor shall maintain count of inventory of single and multi-line telephones, speaker phones, and patient phones, and notify the COTR as quantities become low.5. The Contractor shall maintain the Supervisory signaling and ringing Dual solid-state signal generating devices.5.5PBX POWER SUPPLIES:The Contractor shall ensure the Meridian 1 PBX power supplies are operable and maintained throughout the period of performance.1.The Contractor shall maintain on-line and reserve power supplies used for each PBX system in operable condition as specified IAW OEM specifications. Each PBX is equipped with a complete on-line power supply. The Contractor shall ensure that the reserve battery power supply has sufficient capacity to supply the PBX and interfaced equipment for four (4) hours. 2. The Contractor shall be on the premise(s) and initiate troubleshooting and repair actions when responding to service calls pertaining to the maintenance of PBX power supplies. 3.The Contractor shall take all necessary efforts to complete or protect the PBX system within the four (4) hours reserve battery backup time. The Contractor shall be liable for all parts and labor and bear all costs for any damages sustained by the PBX systems due to failure to respond or protect the PBX within the proper timeframe.4.The Contractor shall be liable for all parts and labor and bear all costs for any damages sustained by the PBX systems due to technician’s error by subjecting incorrect voltage/current fluctuations thus resulting in equipment damage.5.6ALARMS AND TROUBLE INDICATORS The Contractor shall monitor (local and remote) and maintain all visual and audible alarms at all five (5) locations. The Contractor must provide local and 24/7 proactive remote monitoring for all five (5) locations.1.The PBX uses five-digit dialing on campus and seven-digit dialing inter-campus, with the following access codes:"0" — Operator"9" — FTS and Local Dialing"8" - Fremont "7" — San Jose (i.e. 73000)"6" — Palo Alto (i.e. 62050)"5" — TBD"4" — Modesto (i.e. 46200), Monterey (i.e. 43800),Sonora (i.e. 42600), Stockton (i.e.43400)"3" — Livermore (i.e. 36400)"2" — Menlo Park (i.e.22300)"1" — TBD2.The PBX provides emergency numbers accessible by all station users. ?The Contractor shall maintain this line, and treat it as a high priority if there is no dial tone.5.7 VOICE STATION CHARACTERISTICS AND FEATURESThe Contractor shall ensure the following Meridian 1 PBX voice station characteristics and features are operable and maintained throughout the period of performance. Station equipment must be installed and service shall be coordinated with VA official staff designated by the CO.1.The Contractor shall ensure all telephone instruments shall meet the Hearing Aid-Compatible Specifications of the FCC Part 68.316 and the 1996 Telecommunications Act.2.. The Contractor shall ensure the PBX interfaces with the Radio Paging System.5.8SYSTEM AND TRUNK COMPATIBILITYThe Contractor shall ensure the Meridian 1 PBX is completely compatible with each facility’s local commercial telephone network and the Federal Telecommunications System (FTS) throughout the period of performance.5.9CABLE DISTRIBUTION SYSTEMThe Contractor shall conform to the following cable distribution system standards:1. The Contractor shall be responsible for maintaining the cable distribution system. The Contractor shall be responsible for complete knowledge of the space and cable pathway (equipment room, telephone closets, conduits, wire-ways, etc.) of VAPAHCS.2.The Contractor shall ensure the installation of any new cable shall be IAW VAPAHCS Codes of Practice, EIA/TIA T568b, Commercial Building Telecommunications Wiring Standards, and coordinated with VA COTR. Cable to be installed (outside, inside riser, and station cabling) shall conform to EIA/TIA 568b, 569, 606, 607, and EIA/TIA TSB 40. Additionally all work must be done according to National Electric Code (NEC) code. 3. The Contractor shall ensure that all conductors are cabled so as to ensure against induction in voice or data circuits. Cross talk attenuation within the cable system shall be in excess of 80db throughout the frequency range.4.The Contractor shall ensure measures are employed to minimize the radiation of radio frequency noise voltages generated by the PBX equipment so as not to interfere with radio and television receivers.5.The Contractor shall ensure that all new cable are labeled on each end and fully tested. The cable records shall identify each cable as labeled, used cable pairs, spare cable pairs and bad cable pairs. Minimum test requirements for cables are for testing for opens, shorts, crosses, and split pairs. These tests are telecommunications continuity tests based on EIA/TIA/American National Standards Institute (ANSI) telecommunications standards. All changes shall be posted in cable records as the changes occur. All cable records shall be maintained on the VA Palo Alto server share drive.5.10OUTSIDE CABLEThe Contractor shall ensure that all outside cable contracted shall be shielded, 24 American Wire Gauge (AWG) solid Polyethylene Insulated Conductor (PIC) insulation and filled core (i.e., flexegel, waterproof) Rural Electrification Administration (REA) Listed PE 39 Code.5.11RISER CABLEThe Contractor shall conform to the following riser cable standards:1. All new inside riser communications cables shall be listed as being suitable for that purpose and marked accordingly per EIA/TIA standards.2. All inside riser communications cable shall be shielded, 24 AWG solid, thermoplastic, insulated conductors. It shall be enclosed with a thermoplastic outer jacket. The maximum direct current (DC) resistance shall be no more than 28.3 Ohms per 1000 feet.5.12OUTLET JACKS AND STATION CABLE The Contractor shall conform to the following outlet jacks and station cable standards (Only Category-6 Cabling will be installed):1. Station cabling shall terminate on 110 termination blocks. Each faceplate must be a 6-plex typeface plate, with RJ45, 568B jacks. Only four jacks per face place (two (2) voice, two (2) data).2.Where there are no existing telephone outlets installed, and the new installation point is a hollow wall, provide and install a flush mounted box with RJ45 type, 568B jacks. For surface mounted installations, the contractor shall provide outlet boxes.3.All cable distribution closets shall be wired IAW industry (EIA/TIA 568) standards. All telephone installations shall come from a terminal board via telephone cable tray and conduit to termination point in a designated room.4. All telephone cable/wiring shall be installed in conduit. Where there is no existing or available conduit, the contractor shall notify the COTR and CO of its need and VAPAHCS personnel will install the necessary conduit or raceway.5.13DISTRIBUTION FRAMESThe Contractor shall conform to the following distribution frame standards:1. The Contractor is responsible to maintain in good and stable working condition the MDF associated with each PBX. The maintenance to be performed shall be IAW the manufacturer’s maintenance specifications.2.All Distribution Frame Maintenance / Installation work shall be accomplished by skilled personnel, in a neat and orderly manner and in conformance with VA engineering and industry installation practice IAW referenced EIA/TIA/ANSI standards and NEC code.3.The Contractor shall be responsible for expanding the existing MDF if necessary.Gas protection devices are and shall be provided on all circuits and cable pairs serving building distribution frames (Building Distribution Frames (BDF) or Individualized Distribution Frames (IDF)) located in buildings other than the main building in which the PBX is located or in any area served by an unprotected distribution system (manhole, aerial, etc.).5.14FOLLOW-ON SERVICEThe Contractor shall provide telephone Follow-On services to include all necessary labor, materials, parts, equipment, shipping and transportation for MAC work orders. Service coverage shall include Telephone Instruments, cable plant (copper/fiber), battery backup systems, voice systems and Telephone Room (TR) environmental alarms and all interfaced ancillary systems i.e. Voice Mail (VMS), Automated Attendant (AA), and Telecommunications Management System (TMS).Services shall also include Voice Systems (VS) security, documentation, inventory control, a preventive maintenance schedule including battery backup system, and establishment of a seven (7) day, 24 hour contact center for emergency maintenance, routine maintenance and follow-on service. The term “follow-on service/equipment” as used in this document shall refer to the efforts required of the Contractor to accomplish all voice cable connections and additional cable requirement including MACs. The Contractor shall furnish all personnel, equipment, tools, materials, transportation, management supervision, and other items and services necessary to perform all VS maintenance tasks and functions. The Contractor shall perform to the standards identified in this PWS. The Contractor shall provide documents (training certificates) certifying their PBX system follow-on service repair personnel are manufacturer trained and certified on the type of systems installed at the time of contract award. Additionally, the Contractor is responsible for ensuring that all follow-on service repairperson dispatched for system maintenance are Avaya/Nortel manufacturer trained. 1. The Contractor shall ensure a repairperson is on the premises and initiate troubleshooting and repair actions within two (2) hours (24 hours per day) upon receipt of an Emergency maintenance/service call. An emergency maintenance call shall be deemed appropriate when failure involves more than 20 voice and/or data circuits and signal generating devices. Failures affecting operation of critical emergency health care facilities (i.e. cardiac arrest teams, intensive care units) shall also be deemed an emergency maintenance call. Emergency calls can also be applicable if system failure is detrimental to mission accomplishment. The current VAPAHCS emergency maintenance procedure begins with a user calling the Help Desk. Then the Help Desk will call the VA On-Call person if there is an urgent or high priority issue. The VA On-Call person would then notify the COTR if needed, and if appropriate the COTR would engage the contractor at this time by calling them on their designated cell phone number. All urgent work orders must be responded to within 2 hours. 2.The Contractor shall ensure a repairperson is on the premises to provide service/maintenance for Urgent, High, Medium and Low priority requirements after receipt of a request. A.Urgent (emergency) priority requirement is defined as a work order to be serviced within two (2) hours. An Urgent priority is when 20 or more phones out at the same time, major system failure or outage, high visibility areas or areas of significant importance (Auto Attendant, Telephone Care, Operator Stations).B.High priority requirement is defined as a work order to be serviced within 24 hours. A High priority is when there is no dial tone on any phone.C.Medium priority requirement is defined as a work order to be serviced within five (5) business days. A Medium priority is a routine request such as adding a phone, cable. D.Low priority requirement is define as a work order scheduled beyond the five (5) business days and is coordinated with the VA staff. A Low priority is a prescheduled task for a specific date assigned by the COTR such as moves and telecom support for specific tasks.3. The Contractor shall meet specified response times (see 5.14.1 and 5.14.2 above) to ensure the personnel capability exists for the aforementioned time requirements and their maintenance facility is within a Zone 1 radius of the Menlo Park facility. Menlo Park serves as the central location of all the VAPAHCS facilities covered under this effort and will serve as the radius to Zone 1.4.Work orders shall be assigned to the Contactor using the Remedy Work Order System. If VA deems the need to change or upgrade to a new work order system during the period of performance of this contract, the Contractor shall use the most current VA work order system.5.Each work order must have a work order number and a complete description of work requested. The Contractor shall dispatch personnel if deemed necessary based on the work order request. Selected work orders may be assigned due dates by the COTR. 6.When the work order is completed the Contractor shall provide closure information via the Remedy System. Completed work orders will be signed off by the senior VA staff personnel on duty and any additional annotation to the work order ticket thereafter must be coordinated with the COTR.7.Contractor personnel shall use the VA Outlook calendar to advise of any changes to the on call notification on a weekly basis.8.The Contractor shall maintain a log of all work orders received from VA.9. All MAC work orders performed on the telephone system shall be coordinated with the CO and the COTR. There shall be no scheduled interruptions of service for system changes and upgrades without prior written approval from the Facility CIO at Palo Alto. The Contractor shall accept no service changes unless authorized by Facility CIO. 10. The Contractor shall be responsible for all contacts and coordination with the local telephone company concerning maintenance and installation of all telephone company maintained circuits and equipment.11. Report all work order problems to the COTR.?? If urgent and the COTR is not readily available, the Contractor shall report all problems to the Facility CIO.5.15PERFORMANCE AND QUALIFICATIONSAll work assigned to the Contractor on this contract shall be performed by PBX certified personnel, who are experienced and qualified to work on the Government-owned PBX equipment. All work shall be performed to the highest quality standards and IAW best commercial practices.1. The Contractor’s site manager will have a minimum of 10 years experience in the installation and maintenance of telephone communications systems or equivalent civilian/military telecommunications network maintenance experience; at least five (5) years experience will have been in a management or supervisory position. The site manager shall be certified in Registered Communications Distribution Designer (RCDD), Nortel Certified Support Specialist (NCSS), Call Pilot, and Symposium.2.The Switch Technician shall be factory Avaya/Nortel certified with a minimum of five (5) years experience in the maintenance and repair of this system. The Switch Technician shall be familiar with periodic maintenance schedules and procedures as well as office records preparation and maintenance.3. The Installer/Repairperson shall have a minimum of five (5) years experience in civilian/military telephone equipment installation and certification of training on maintenance and installation of the telephone equipment specified in this contract. This shall also include, but not be limited to, equipment installation, equipment relocation, diagnosis, detection, verification location and repair of faults; performance of data administration; cross connecting, installation and splicing house wiring; and service performance verification. The Installer/Repairperson shall also have a minimum of five (5) years experience in the installation and maintenance of premise distribution systems. This shall include, but not be limited to, installation and testing of copper and fiber optic cable; fiber optic and copper cable splicing; staking; drawing updates; repair of cable cuts, and cable record keeping. All staff must be proficient in EIA/TIA/ANSI standards, as well as NEC 2010 codes. The Contractor staff must be qualified to work with major brands of firestop materials as well as asbestos. 4.The Contractor shall provide documents (i.e., training certificates, PBX certifications) certifying their PBX system maintenance and follow-on service in their technical response.5.16ON SITE CONTRACTOR PERSONNEL1.The Contractor personnel shall present a neat appearance and will be easily recognized. The Contractor personnel shall be required to wear a VAPAHCS identification badge on the outer clothing on the front of the body, above the waist. 2.The Contractor staff working on this contract will frequently work in secured areas. Therefore, ALL personnel must meet the contractor personnel security requirements identified in Section 6.1 of this PWS. 3.The Contractor shall provide documents (training certificates) certifying their PBX system follow-on service repair personnel are manufacturer trained and certified on the Avaya/Nortel systems. Historically VAPAHCS has used a minimum of four (4) certified Nortel/Avaya technicians assigned to this contract. 4.The Contractor personnel assigned to VAPAHCS must communicate using their VA account in MS Outlook, and by cellular phone. Each technician is required to carry a cellular phone issued by their company during normal business hours, and the scheduled on-call person is required to carry a cellular phone on 24 X 7 basis.5.In the event the Contractor must change personnel on the contract, the Contractor shall submit in writing the reason for the change, the replacement personnel’s resume and provide equivalent or exceed the qualifications of the replaced personnel for the COTR’s approval. 6.The Contractor shall factor in the badging process lead-time of up to six (6) weeks to bring on a new employee at Palo Alto Human Resource office. The new employee can expect to make multiple trips in person to the Palo Alto facility in order to complete the badging process.7.The Contractor personnel shall park in the appropriate designated parking areas. Information about parking is available from VAPAHCS Police and Security Service. VAPAHCS will not invalidate or make payment for parking violations of the Contactor under any conditions.8.The Contactor personnel shall keep all work center, equipment rooms, wire closets, cable vaults and all other contractor assigned areas neat and clean at all times. Personnel assigned to clean the switching equipment areas shall be formally instructed in the proper cleaning procedures for these sensitive equipment areas.9.The Contractor shall be responsible for the conduct of fellow employees and subcontractors, if any, to include misuse, abuse, theft, willful requisitioning of unauthorized supplies, equipment or services, and any other actions that are contrary to the provisions of this contract.10.Should any of the Contractor's personnel fail to perform their duties under this contract or should any of the Contractor's personnel be involved in misconduct or in any incident(s) that affect contract performance, the Contractor will take all necessary actions to immediately resolve the situation.11.The Contractor shall institute password control access for VA personnel to insure that only Administrative Loads can be accessed and track changes made by VA personnel. VA assumes responsibility for all changes made by VA personnel to include updating records affected by the changes.5.17KEY SERVICE The Contractor assigned to work order(s) will be issued telephone closet keys.The Contractor shall be responsible for making arrangements regarding access to various areas with individuals or alternate person placing the work order. Each arrangement will have a specified time allotted to perform the work order, if in the event the time allotted is insufficient, additional time request must be documented for consideration by the COTR. Any time in excess over fifteen (15) minutes will be reported and considered by COTR.6.0 GENERAL REQUIREMENTS6.1CONTRACTOR PERSONNEL SECURITY REQUIREMENTSThe following security requirement must be addressed regarding Contractor supplied equipment: Contractor supplied equipment, PCs of all types, equipment with hard drives, etc. for contract services must meet all security requirements that apply to Government Furnished Equipment (GFE) and Government Owned Equipment (GOE).? Security Requirements include:? a) VA Approved Encryption Software must be installed on all laptops or mobile devices before placed into operation, b) Bluetooth equipped devices are prohibited within VA; Bluetooth must be permanently disabled or removed from the device, c) VA approved anti-virus and firewall software, d) Equipment must meet all VA sanitization requirements and procedures before disposal.? The COTR, CO, the Project Manager, and the Information Security Officer (ISO) must be notified and verify all security requirements have been adhered to.1.Position Sensitivity and Background Investigation - The position sensitivity and the level of background investigation commensurate with the required level of access is: FORMCHECKBOX Low/NACI FORMCHECKBOX Moderate/MBI FORMCHECKBOX High/BIPosition SensitivityBackground Investigation (in accordance with) IAW Department of Veterans Affairs 0710 Handbook, “”Personnel Security Suitability Program,” Appendix A)LowNational Agency Check with Written Inquiries (NACI) A NACI is conducted by OPM and covers a 5-year period. It consists of a review of records contained in the OPM Security Investigations Index (SII) and the DOD Defense Central Investigations Index (DCII), FBI name check, FBI fingerprint check, and written inquiries to previous employers and references listed on the application for employment. In VA it is used for Non-sensitive or Low Risk positions.ModerateMinimum Background Investigation (MBI) A MBI is conducted by OPM and covers a 5-year period. It consists of a review of National Agency Check (NAC) records [OPM Security Investigations Index (SII), DOD Defense Central Investigations Index (DCII), FBI name check, and a FBI fingerprint check], a credit report covering a period of 5 years, written inquiries to previous employers and references listed on the application for employment; an interview with the subject, law enforcement check; and a verification of the educational degree.High Background Investigation (BI) A BI is conducted by OPM and covers a 10-year period. It consists of a review of National Agency Check (NAC) records [OPM Security Investigations Index (SII), DOD Defense Central Investigations Index (DCII), FBI name check, and a FBI fingerprint check report], a credit report covering a period of 10 years, written inquiries to previous employers and references listed on the application for employment; an interview with the subject, spouse, neighbors, supervisor, co-workers; court records, law enforcement check, and a verification of the educational degree.Contractor Responsibilities: a.The Contractor shall prescreen all personnel requiring access to the computer systems to ensure they maintain the appropriate Background Investigation, and are able to read, write, speak and understand the English language.b.The Contractor shall bear the expense of obtaining background investigations. c.For a Low Risk designation the following forms are required: 1.OF-306 and either 2. DVA Memorandum – Electronic Fingerprints or FD-258 Fingerprint card. For Moderate or High Risk the following forms are required: 1. VA Form 0710 and either 2. DVA Memorandum – Electronic Fingerprints or FD-258 Fingerprint card. These should be submitted to the CO or COTR after award has been made.d.Within three (3) days after award, the Contractor shall provide a staff roster to the CO and COTR to enable the initiation of the Electronics Questionnaire for Investigations Processes (e-QIP) to begin their background investigations.e.The Contractor personnel will receive an email notification from the Electronics Questionnaire for Investigations Processes (e-QIP) identifying the website link that includes detailed instructions regarding completion of the investigation documents (SF85 or SF85P). The Contractor personnel shall submit all required information related to their background investigations utilizing the Office of Personnel Management’s (OPM) Electronic Questionnaire for Investigations Processing (e-QIP).f.The Contractor is to sign the signature page and send to the COTR and CO for electronic submission to the Security and Investigations Center (SIC).g.The Contractor shall be responsible for the actions of all personnel provided to work for VA under this contract. In the event that damages arise from work performed by Contractor provided personnel, under the auspices of this contract, the Contractor shall be responsible for all resources necessary to remedy the incident.h.If the background investigation is not completed prior to the start date of the contract, the Contractor employee may work on the contract once the investigation has been initiated and sent to the OPM. However, the Contractor will be responsible for the actions of the Contractor personnel they provide to perform work for VA. The investigative history for Contractor personnel working under this contract must be maintained in the databases of either the OPM or the Defense Industrial Security Clearance Organization (DISCO).i.The Contractor, when notified of an unfavorable determination by the Government, shall withdraw the employee from consideration in working under the contract.j.Failure to comply with the Contractor personnel investigative requirements may result in termination of the contract for default.6.2METHOD AND DISTRIBUTION OF DELIVERABLESThe Contractor shall deliver documentation in electronic format, unless otherwise directed in Section B of the solicitation/contract. Acceptable electronic media include: MS Word 2000/2003/2007, MS Excel 2000/2003/2007, MS PowerPoint 2000/2003/2007, MS Project 2000/2003/2007, MS Access 2000/2003/2007, MS Visio 2000/2002/2003/2007, AutoCAD 2002/2004/2007/2010, and Adobe Postscript Data Format (PDF).6.3 PERFORMANCE METRICS: The table below defines the Performance Standards and Acceptable Performance Levels for Objectives associated with this effort. Performance ObjectivePerformance StandardAcceptable Performance LevelsSurveillance Method1.Technical NeedsShows understanding of requirementsEfficient and effective in meeting requirements Meets technical needs and mission requirementsOffers quality services/products8 of 10 Positive Customer Survey FeedbackCustomer Survey Feedback2.TimelinessComplete work orders on timeProduce PMI reports by the time specifiedNotifies customer in advance of potential problems100% in Meeting Emergency Service Calls; and 90% in Meeting High, Medium and Low priority Service CallsReview Service Reports3. Contract StaffingCurrency of expertisePersonnel possess necessary knowledge, skills and abilities to perform tasksTechnicians Must Possess OEM Certifications Display of acceptable resumes and certifications4. Telephone System OperationThe telephone system performance of reliability is 99.99% in each year of maintenanceTotal cumulative down time per year is less than .88 hours.Performance AssessmentThe Government will utilize a Quality Assurance Surveillance Plan (QASP) throughout the life of the contract to ensure that the Contractor is performing the services required by this PWS in an acceptable manner. The Government reserves the right to alter or change the surveillance methods in the QASP at its own discretion. A Performance Based Service Assessment Survey will be used in combination with the QASP to assist the Government in determining acceptable performance levels. 6.4FACILITY/RESOURCE PROVISIONS The Government shall provide office space, telephone service and system access when authorized contract staff work at a Government location as required in order to accomplish the Tasks associated with this PWS. All procedural guides, reference materials, and program documentation for the project and other Government applications will also be provided on an as-needed basis.The Contractor shall request other Government documentation deemed pertinent to the work accomplishment directly from the Government officials with whom the Contractor has contact. The Contractor shall consider the COTR as the final source for needed Government documentation when the Contractor fails to secure the documents by other means. The Contractor is expected to use common knowledge and resourcefulness in securing all other reference materials, standard industry publications, and related materials that are pertinent to the work.VA shall provide access to VA specific systems/network as required for execution of the task via a site-to-site VPN or other technology, including VA specific software such as Veterans Health Information System and Technology Architecture (VistA), ClearQuest, ProPath, Primavera, and Remedy, including appropriate seat management and user licenses. The Contractor shall utilize Government-provided software development and test accounts, document and requirements repositories, etc. as required for the development, storage, maintenance and delivery of products within the scope of this effort.? The Contractor shall not transmit, store or otherwise maintain sensitive data or products in Contractor systems (or media) within the VA firewall IAW VA Handbook 6500.6 dated March 12, 2010. All VA sensitive information shall be protected at all times IAW local security field office System Security Plans (SSP’s) and Authority to Operate (ATO)’s for all systems/LAN’s accessed while performing the tasks detailed in this PWS. For detailed Security and Privacy Requirements refer to ADDENDUM A and ADDENDUM B. ADDENDUM AA1.0Cyber and Information Security Requirements for VA IT ServicesThe Contractor shall ensure adequate LAN/Internet, data, information, and system security IAW VA standard operating procedures and standard PWS language, conditions, laws, and regulations.? The Contractor’s firewall and web server shall meet or exceed VA minimum requirements for security.? All VA data shall be protected behind an approved firewall.? Any security violations or attempted violations shall be reported to the VA Program Manager and VA Information Security Officer as soon as possible.? The Contractor shall follow all applicable VA policies and procedures governing information security, especially those that pertain to certification and accreditation.Each documented initiative under this contract incorporates the security clause VAAR 852.273-75 by reference as though fully set forth therein, as well as the VA Handbook 6500.6, “Contract Security,” March 12, 2010, in its entirety.? Both the security clause VAAR 852.273-75 and the VA Handbook 6500.6, “Contract Security” shall also be included in every related agreement, contract or order.? The VA Handbook 6500.6, Appendix C, is included in this document as Addendum B.Training requirements: The Contractor shall complete all mandatory training courses identified on the current external VA training site, the Employee Education System (EES), and will be tracked therein. The EES may be accessed at . If the decision is made by the local Program Office to provide the Contractor a VA Talent Management System (TMS) account, the Contractor shall use the VA TMS to complete their mandatory training, accessed at Contractor employees shall complete a VA Systems Access Agreement if they are provided access privileges as an authorized user of the computer system of VA.A2.0VA Enterprise Architecture ComplianceThe applications, supplies, and services furnished under this contract must comply with One-VA Enterprise Architecture (EA), available at in force at the time of issuance of this contract, including the Program Management Plan and VA's rules, standards, and guidelines in the Technical Reference Model/Standards Profile (TRMSP).? The VA reserves the right to assess contract deliverables for EA compliance prior to acceptance. A2.1.VA Internet and Intranet Standards:The Contractor shall adhere to and comply with VA Directive 6102 and VA Handbook 6102, Internet/Intranet Services, including applicable amendments and changes, if the Contractor’s work includes managing, maintaining, establishing and presenting information on VA’s Internet/Intranet Service Sites.? This pertains, but is not limited to: creating announcements; collecting information; databases to be accessed, graphics and links to external sites. Internet/Intranet Services Directive 6102 is posted at (copy and paste the following URL to browser): Services Handbook 6102 is posted at (copy and paste following URL to browser): of the Federal Accessibility Law Affecting All Electronic and Information Technology Procurements? (Section 508)On August 7, 1998, Section 508 of the Rehabilitation Act of 1973 was amended to require that when Federal departments or agencies develop, procure, maintain, or use Electronic and Information Technology, that they shall ensure it allows Federal employees with disabilities to have access to and use of information and data that is comparable to the access to and use of information and data by other Federal employees.? Section 508 required the Architectural and Transportation Barriers Compliance Board (Access Board) to publish standards setting forth a definition of electronic and information technology and the technical and functional criteria for such technology to comply with Section 508. These standards have been developed are published with an effective date of December 21, 2000. Federal departments and agencies shall develop all Electronic and Information Technology requirements to comply with the standards found in 36 CFR 1194.Section 508 – Electronic and Information Technology (EIT) Standards:The Section 508 standards established by the Architectural and Transportation Barriers Compliance Board (Access Board) are incorporated into, and made part of all VA orders, solicitations and purchase orders developed to procure Electronic and Information Technology (EIT). These standards are found in their entirety at: and . A printed copy of the standards will be supplied upon request.? The Contractor shall comply with the technical standards as marked: _x_§ 1194.21 Software applications and operating systems_x_§ 1194.22 Web-based intranet and internet information and applications_x_§ 1194.23 Telecommunications products_x_§ 1194.24 Video and multimedia products_x_§ 1194.25 Self contained, closed products_x_§ 1194.26 Desktop and portable computers_x_§ 1194.31 Functional Performance Criteria_x_§ 1194.41 Information, Documentation, and SupportThe standards do not require the installation of specific accessibility-related software or the attachment of an assistive technology device, but merely require that the EIT be compatible with such software and devices so that it can be made accessible if so required by the agency in the future.A4.0Physical Security & Safety Requirements:The Contractor and their personnel shall follow all VA policies, standard operating procedures, applicable laws and regulations while on VA property.? Violations of VA regulations and policies may result in citation and disciplinary measures for persons violating the law.1.The Contractor and their personnel shall wear visible identification at all times while they are on the premises.2.The VA does not provide parking spaces at the work site; the Contractor must obtain parking at the work site if needed.? It is the responsibility of the Contractor to park in the appropriate designated parking areas.? The VA will not invalidate or make reimbursement for parking violations of the Contractor under any conditions.3.Smoking is prohibited inside/outside any building other than the designated smoking areas.4.Possession of weapons is prohibited.5.The Contractor shall obtain all necessary licenses and/or permits required to perform the work, with the exception of software licenses that need to be procured from a Contractor or vendor IAW the requirements document. The Contractor shall take all reasonable precautions necessary to protect persons and property from injury or damage during the performance of this contract.A5.0Confidentiality and Non-DisclosureThe Contractor shall follow all VA rules and regulations regarding information security to prevent disclosure of sensitive information to unauthorized individuals or organizations.The Contractor may have access to Protected Health Information (PHI) and Electronic Protected Health Information (EPHI) that is subject to protection under the regulations issued by the Department of Health and Human Services, as mandated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA); 45 CFR Parts 160 and 164, Subparts A and E, the Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”); and 45 CFR Parts 160 and 164, Subparts A and C, the Security Standard (“Security Rule”).? Pursuant to the Privacy and Security Rules, the Contractor must agree in writing to certain mandatory provisions regarding the use and disclosure of PHI and EPHI.??1.The Contractor will have access to some privileged and confidential materials of VA.? These printed and electronic documents are for internal use only, are not to be copied or released without permission, and remain the sole property of VA.? Some of these materials are protected by the Privacy Act of 1974 (revised by PL 93-5791) and Title 38.? Unauthorized disclosure of Privacy Act or Title 38 covered materials is a criminal offense.2.The VA Contracting Officer will be the sole authorized official to release in writing, any data, draft deliverables, final deliverables, or any other written or printed materials pertaining to this contract. The Contractor shall release no information.? Any request for information relating to this contract presented to the Contractor shall be submitted to the VA Contracting Officer for response.3.Contractor personnel recognize that in the performance of this effort, Contractor personnel may receive or have access to sensitive information, including information provided on a proprietary basis by carriers, equipment manufacturers and other private or public entities.? Contractor personnel agree to safeguard such information and use the information exclusively in the performance of this contract.? Contractor shall follow all VA rules and regulations regarding information security to prevent disclosure of sensitive information to unauthorized individuals or organizations as enumerated in this section and elsewhere in this Contract and its subparts and appendices.4.Contractor shall limit access to the minimum number of personnel necessary for contract performance for all information considered sensitive or proprietary in nature.? If the Contractor is uncertain of the sensitivity of any information obtained during the performance this contract, the Contractor has a responsibility to ask the VA Contracting Officer.5.Contractor shall train all of their employees involved in the performance of this contract on their roles and responsibilities for proper handling and nondisclosure of sensitive VA or proprietary information.? Contractor personnel shall not engage in any other action, venture or employment wherein sensitive information shall be used for the profit of any party other than those furnishing the information. The sensitive information transferred, generated, transmitted, or stored herein is for VA benefit and ownership alone. 6.Contractor shall maintain physical security at all facilities housing the activities performed under this contract, including any Contractor facilities according to VA-approved guidelines and directives.? The Contractor shall ensure that security procedures are defined and enforced to ensure all personnel who are provided access to patient data must comply with published procedures to protect the privacy and confidentiality of such information as required by VA.7.Contractor must adhere to the following:a.The use of “thumb drives” or any other medium for transport of information is expressly prohibited.b.Controlled access to system and security software and documentation.c.Recording, monitoring, and control of passwords and privileges.d.All terminated personnel are denied physical and electronic access to all data, program listings, data processing equipment and systems.e.VA, as well as any Contractor (or Subcontractor) systems used to support development, provide the capability to cancel immediately all access privileges and authorizations upon employee termination.f.Contractor PM and VA PM are informed within twenty-four (24) hours of any employee termination.g.Acquisition sensitive information shall be marked "Acquisition Sensitive" and shall be handled as "For Official Use Only (FOUO)".h.Contractor does not require access to classified data.8.Regulatory standard of conduct governs all personnel directly and indirectly involved in procurements.? All personnel engaged in procurement and related activities shall conduct business in a manner above reproach and, except as authorized by statute or regulation, with complete impartiality and with preferential treatment for none.? The general rule is to strictly avoid any conflict of interest or even the appearance of a conflict of interest in VA/Contractor relationships.ADDENDUM BVA INFORMATION AND INFORMATION SYSTEM SECURITY/PRIVACY LANGUAGE VA HANDBOOK 6500.6, APPENDIX C, MARCH 12, 2010B1.GENERALContractors, Contractor personnel, Subcontractors, and Subcontractor personnel shall be subject to the same Federal laws, regulations, standards, and VA Directives and Handbooks as VA and VA personnel regarding information and information system security.B2.ACCESS TO VA INFORMATION AND VA INFORMATION SYSTEMS1.A Contractor/Subcontractor shall request logical (technical) or physical access to VA information and VA information systems for their employees, Subcontractors, and affiliates only to the extent necessary to perform the services specified in the contract, agreement, or task order.2.All Contractors, Subcontractors, and third-party servicers and associates working with VA information are subject to the same investigative requirements as those of VA appointees or employees who have access to the same types of information. The level and process of background security investigations for Contractors must be IAW VA Directive and Handbook 0710, Personnel Suitability and Security Program. The Office for Operations, Security, and Preparedness is responsible for these policies and procedures.3.Contract personnel who require access to national security programs must have a valid security clearance. National Industrial Security Program (NISP) was established by Executive Order 12829 to ensure that cleared U.S. defense industry contract personnel safeguard the classified information in their possession while performing work on contracts, programs, bids, or research and development efforts. The Department of Veterans Affairs does not have a Memorandum of Agreement with Defense Security Service (DSS). Verification of a Security Clearance must be processed through the Special Security Officer located in the Planning and National Security Service within the Office of Operations, Security, and Preparedness.4.Custom software development and outsourced operations must be located in the U.S. to the maximum extent practical. If such services are proposed to be performed abroad and are not disallowed by other VA policy or mandates, the Contractor/Subcontractor must state where all non-U.S. services are provided and detail a security plan, deemed to be acceptable by VA, specifically to address mitigation of the resulting problems of communication, control, data protection, and so forth. Location within the U.S. may be an evaluation factor. 5.The Contractor or Subcontractor must notify the Contracting Officer immediately when an employee working on a VA system or with access to VA information is reassigned or leaves the Contractor or Subcontractor’s employ. The Contracting Officer must also be notified immediately by the Contractor or Subcontractor prior to an unfriendly termination.B3.VA INFORMATION CUSTODIAL rmation made available to the Contractor or Subcontractor by VA for the performance or administration of this contract or information developed by the Contractor/Subcontractor in performance or administration of the contract shall be used only for those purposes and shall not be used in any other way without the prior written agreement of VA. This clause expressly limits the Contractor/Subcontractor's rights to use data as described in Rights in Data - General, FAR 52.227-14(d) (1).2.VA information should not be co-mingled, if possible, with any other data on the Contractors/Subcontractor’s information systems or media storage systems in order to ensure VA requirements related to data protection and media sanitization can be met. If co-mingling must be allowed to meet the requirements of the business need, the Contractor must ensure that VA’s information is returned to the VA or destroyed IAW VA’s sanitization requirements. VA reserves the right to conduct on site inspections of Contractor and Subcontractor IT resources to ensure data security controls, separation of data and job duties, and destruction/media sanitization procedures are in compliance with VA directive requirements.3.Prior to termination or completion of this contract, Contractor/Subcontractor must not destroy information received from VA, or gathered/created by the Contractor in the course of performing this contract without prior written approval by VA. Any data destruction done on behalf of VA by a Contractor/Subcontractor must be done IAW National Archives and Records Administration (NARA) requirements as outlined in VA Directive 6300, Records and Information Management and its Handbook 6300.1 Records Management Procedures, applicable VA Records Control Schedules, and VA Handbook 6500.1, Electronic Media Sanitization. Self-certification by the Contractor that the data destruction requirements above have been met must be sent to the VA Contracting Officer within 30 days of termination of the contract.4.The Contractor/Subcontractor must receive, gather, store, back up, maintain, use, disclose and dispose of VA information only in compliance with the terms of the contract and applicable Federal and VA information confidentiality and security laws, regulations and policies. If Federal or VA information confidentiality and security laws, regulations and policies become applicable to the VA information or information systems after execution of the contract, or if NIST issues or updates applicable FIPS or Special Publications (SP) after execution of this contract, the parties agree to negotiate in good faith to implement the information confidentiality and security laws, regulations and policies in this contract. 5.The Contractor/Subcontractor shall not make copies of VA information except as authorized and necessary to perform the terms of the agreement or to preserve electronic information stored on Contractor/Subcontractor electronic storage media for restoration in case any electronic equipment or data used by the Contractor/Subcontractor needs to be restored to an operating state. If copies are made for restoration purposes, after the restoration is complete, the copies must be appropriately destroyed. 6.If VA determines that the Contractor has violated any of the information confidentiality, privacy, and security provisions of the contract, it shall be sufficient grounds for VA to withhold payment to the Contractor or third party or terminate the contract for default or terminate for cause under Federal Acquisition Regulation (FAR) part 12. 7.If a VHA contract is terminated for cause, the associated Business Associate Agreement (BAA) must also be terminated and appropriate actions taken IAW VHA Handbook 1600.01, Business Associate Agreements. Absent an agreement to use or disclose protected health information, there is no business associate relationship. 8.The Contractor/Subcontractor must store, transport, or transmit VA sensitive information in an encrypted form, using VA-approved encryption tools that are, at a minimum, FIPS 140-2 validated.9.The Contractor/Subcontractor’s firewall and Web services security controls, if applicable, shall meet or exceed VA’s minimum requirements. VA Configuration Guidelines are available upon request.10.Except for uses and disclosures of VA information authorized by this contract for performance of the contract, the Contractor/Subcontractor may use and disclose VA information only in two other situations: (i) in response to a qualifying order of a court of competent jurisdiction, or (ii) with VA’s prior written approval. The Contractor/Subcontractor must refer all requests for, demands for production of, or inquiries about, VA information and information systems to the VA contracting officer for response.11.Notwithstanding the provision above, the Contractor/Subcontractor shall not release VA records protected by Title 38 U.S.C. 5705, confidentiality of medical quality assurance records and/or Title 38 U.S.C. 7332, confidentiality of certain health records pertaining to drug addiction, sickle cell anemia, alcoholism or alcohol abuse, or infection with human immunodeficiency virus. If the Contractor/Subcontractor is in receipt of a court order or other requests for the above mentioned information, that Contractor/Subcontractor shall immediately refer such court orders or other requests to the VA contracting officer for response.12.For service that involves the storage, generating, transmitting, or exchanging of VA sensitive information but does not require C&A or a Memorandum of Understanding-Interconnection Service Agreement (MOU-ISA) for system interconnection, the Contractor/Subcontractor must complete a Contractor Security Control Assessment (CSCA) on a yearly basis and provide it to the COTR.RMATION SYSTEM DESIGN AND rmation systems that are designed or developed for or on behalf of VA at non-VA facilities shall comply with all VA directives developed IAW FISMA, HIPAA, NIST, and related VA security and privacy control requirements for Federal information systems. This includes standards for the protection of electronic PHI, outlined in 45 C.F.R. Part 164, Subpart C, information and system security categorization level designations IAW FIPS 199 and FIPS 200 with implementation of all baseline security controls commensurate with the FIPS 199 system security categorization (reference Appendix D of VA Handbook 6500, VA Information Security Program). During the development cycle a Privacy Impact Assessment (PIA) must be completed, provided to the COTR, and approved by the VA Privacy Service IAW Directive 6508, VA Privacy Impact Assessment.2.The Contractor/Subcontractor shall certify to the COTR that applications are fully functional and operate correctly as intended on systems using the VA Federal Desktop Core Configuration (FDCC), and the common security configuration guidelines provided by NIST or VA. This includes Internet Explorer 7 configured to operate on Windows XP and Vista (in Protected Mode on Vista) and future versions, as required.3.The standard installation, operation, maintenance, updating, and patching of software shall not alter the configuration settings from the VA approved and FDCC configuration. Information technology staff must also use the Windows Installer Service for installation to the default “program files” directory and silently install and uninstall.4.Applications designed for normal end users shall run in the standard user context without elevated system administration privileges.5.The security controls must be designed, developed, approved by VA, and implemented IAW the provisions of VA security system development life cycle as outlined in NIST Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems, VA Handbook 6500, Information Security Program and VA Handbook 6500.5, Incorporating Security and Privacy in System Development Lifecycle. 6.The Contractor/Subcontractor is required to design, develop, or operate a System of Records Notice (SOR) on individuals to accomplish an agency function subject to the Privacy Act of 1974, (as amended), Public Law 93-579, December 31, 1974 (5 U.S.C. 552a) and applicable agency regulations. Violation of the Privacy Act may involve the imposition of criminal and civil penalties.7.The Contractor/Subcontractor agrees to:ply with the Privacy Act of 1974 (the Act) and the agency rules and regulations issued under the Act in the design, development, or operation of any system of records on individuals to accomplish an agency function when the contract specifically identifies:i.The Systems of Records (SOR); andii.The design, development, or operation work that the Contractor/Subcontractor is to perform;b.Include the Privacy Act notification contained in this contract in every solicitation and resulting subcontract and in every subcontract awarded without a solicitation, when the work statement in the proposed subcontract requires the redesign, development, or operation of a SOR on individuals that is subject to the Privacy Act; andc.Include this Privacy Act clause, including this subparagraph (3), in all subcontracts awarded under this contract which requires the design, development, or operation of such a SOR8.In the event of violations of the Act, a civil action may be brought against the agency involved when the violation concerns the design, development, or operation of a SOR on individuals to accomplish an agency function, and criminal penalties may be imposed upon the officers or employees of the agency when the violation concerns the operation of a SOR on individuals to accomplish an agency function. For purposes of the Act, when the contract is for the operation of a SOR on individuals to accomplish an agency function, the Contractor/Subcontractor is considered to be an employee of the agency.a.“Operation of a System of Records” means performance of any of the activities associated with maintaining the SOR, including the collection, use, maintenance, and dissemination of records.b.“Record” means any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and contains the person’s name, or identifying number, symbol, or any other identifying particular assigned to the individual, such as a fingerprint or voiceprint, or a photograph.c.“System of Records” means a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.9.The vendor shall ensure the security of all procured or developed systems and technologies, including their subcomponents (hereinafter referred to as “Systems”), throughout the life of this contract and any extension, warranty, or maintenance periods. This includes, but is not limited to workarounds, patches, hot fixes, upgrades, and any physical components (hereafter referred to as Security Fixes) which may be necessary to fix all security vulnerabilities published or known to the vendor anywhere in the Systems, including Operating Systems and firmware. The vendor shall ensure that Security Fixes shall not negatively impact the Systems.10.The vendor shall notify VA within 24 hours of the discovery or disclosure of successful exploits of the vulnerability which can compromise the security of the Systems (including the confidentiality or integrity of its data and operations, or the availability of the system). Such issues shall be remediated as quickly as is practical, based upon the severity of the incident. 11.When the Security Fixes involve installing third party patches (such as Microsoft OS patches or Adobe Acrobat), the vendor will provide written notice to VA that the patch has been validated as not affecting the Systems within 10 working days. When the vendor is responsible for operations or maintenance of the Systems, they shall apply the Security Fixes based upon the requirements identified within their contract.12.All other vulnerabilities shall be remediated as specified in this paragraph in a timely manner based on risk, but within 60 days of discovery or disclosure. Exceptions to this paragraph (e.g. for the convenience of VA) shall only be granted with approval of the contracting officer and the VA Assistant Secretary for Office of Information and Technology.RMATION SYSTEM HOSTING, OPERATION, MAINTENANCE, OR USE1.For information systems that are hosted, operated, maintained, or used on behalf of VA at non-VA facilities, Contractors/Subcontractors are fully responsible and accountable for ensuring compliance with all HIPAA, Privacy Act, FISMA, NIST, FIPS, and VA security and privacy directives and handbooks. This includes conducting compliant risk assessments, routine vulnerability scanning, system patching and change management procedures, and the completion of an acceptable contingency plan for each system. The Contractor’s security control procedures must be equivalent, to those procedures used to secure VA systems. A Privacy Impact Assessment (PIA) must also be provided to the COTR and approved by VA Privacy Service prior to operational approval. All external Internet connections to VA’s network involving VA information must be reviewed and approved by VA prior to implementation.2.Adequate security controls for collecting, processing, transmitting, and storing of Personally Identifiable Information (PII), as determined by the VA Privacy Service, must be in place, tested, and approved by VA prior to hosting, operation, maintenance, or use of the information system, or systems by or on behalf of VA. These security controls are to be assessed and stated within the PIA and if these controls are determined not to be in place, or inadequate, a Plan of Action and Milestones (POA&M) must be submitted and approved prior to the collection of PII.3.Outsourcing (Contractor facility, Contractor equipment or Contractor staff) of systems or network operations, telecommunications services, or other managed services requires certification and accreditation (authorization) (C&A) of the Contractor’s systems IAW VA Handbook 6500.3, Certification and Accreditation and/or the VA OCS Certification Program Office. Government-owned (Government facility or Government equipment) Contractor-operated systems, third party or business partner networks require memorandums of understanding and interconnection agreements (MOU-ISA) which detail what data types are shared, who has access, and the appropriate level of security controls for all systems connected to VA networks.4.The Contractor/Subcontractor’s system must adhere to all FISMA, FIPS, and NIST standards related to the annual FISMA security controls assessment and review and update the PIA. Any deficiencies noted during this assessment must be provided to the VA contracting officer and the ISO for entry into VA’s POA&M management process. The Contractor/Subcontractor must use VA’s POA&M process to document planned remedial actions to address any deficiencies in information security policies, procedures, and practices, and the completion of those activities. Security deficiencies must be corrected within the timeframes approved by the Government. Contractor/Subcontractor procedures are subject to periodic, unannounced assessments by VA officials, including the VA Office of Inspector General. The physical security aspects associated with Contractor/Subcontractor activities must also be subject to such assessments. If major changes to the system occur that may affect the privacy or security of the data or the system, the C&A of the system may need to be reviewed, retested and re-authorized per VA Handbook 6500.3. This may require reviewing and updating all of the documentation (PIA, System Security Plan, and Contingency Plan). The Certification Program Office can provide guidance on whether a new C&A would be necessary.5.The Contractor/Subcontractor must conduct an annual self assessment on all systems and outsourced services as required. Both hard copy and electronic copies of the assessment must be provided to the COTR. The Government reserves the right to conduct such an assessment using Government personnel or another Contractor/Subcontractor. The Contractor/Subcontractor must take appropriate and timely action (this can be specified in the contract) to correct or mitigate any weaknesses discovered during such testing, generally at no additional cost.6.VA prohibits the installation and use of personally-owned or Contractor/Subcontractor owned equipment or software on VA’s network. If non-VA owned equipment must be used to fulfill the requirements of a contract, it must be stated in the service agreement, SOW or contract. All of the security controls required for Government furnished equipment (GFE) must be utilized in approved other equipment (OE) and must be funded by the owner of the equipment. All remote systems must be equipped with, and use, a VA-approved antivirus (AV) software and a personal (host-based or enclave based) firewall that is configured with a VA approved configuration. Software must be kept current, including all critical updates and patches. Owners of approved OE are responsible for providing and maintaining the anti-viral software and the firewall on the non-VA owned OE.7.All electronic storage media used on non-VA leased or non-VA owned IT equipment that is used to store, process, or access VA information must be handled in adherence with VA Handbook 6500.1, Electronic Media Sanitization upon: (i) completion or termination of the contract or (ii) disposal or return of the IT equipment by the Contractor/Subcontractor or any person acting on behalf of the Contractor/Subcontractor, whichever is earlier. Media (hard drives, optical disks, CDs, back-up tapes, etc.) used by the Contractors/Subcontractors that contain VA information must be returned to VA for sanitization or destruction or the Contractor/Subcontractor must self-certify that the media has been disposed of per 6500.1 requirements. This must be completed within 30 days of termination of the contract.8.Bio-Medical devices and other equipment or systems containing media (hard drives, optical disks, etc.) with VA sensitive information must not be returned to the vendor at the end of lease, for trade-in, or other purposes. The options are:a.Vendor must accept the system without the drive;b.VA’s initial medical device purchase includes a spare drive which must be installed in place of the original drive at time of turn-in; orc.VA must reimburse the company for media at a reasonable open market replacement cost at time of purchase.d.Due to the highly specialized and sometimes proprietary hardware and software associated with medical equipment/systems, if it is not possible for VA to retain the hard drive, then;i.The equipment vendor must have an existing BAA if the device being traded in has sensitive information stored on it and hard drive(s) from the system are being returned physically intact; andii.Any fixed hard drive on the device must be non-destructively sanitized to the greatest extent possible without negatively impacting system operation. Selective clearing down to patient data folder level is recommended using VA approved and validated overwriting technologies/methods/tools. Applicable media sanitization specifications need to be preapproved and described in the purchase order or contract.iii.A statement needs to be signed by the Director (System Owner) that states that the drive could not be removed and that (a) and (b) controls above are in place and completed. The ISO needs to maintain the documentation.B6.SECURITY INCIDENT INVESTIGATION1.The term “security incident” means an event that has, or could have, resulted in unauthorized access to, loss or damage to VA assets, or sensitive information, or an action that breaches VA security procedures. The Contractor/Subcontractor shall immediately notify the COTR and simultaneously, the designated ISO and Privacy Officer for the contract of any known or suspected security/privacy incidents, or any unauthorized disclosure of sensitive information, including that contained in system(s) to which the Contractor/Subcontractor has access.2.To the extent known by the Contractor/Subcontractor, the Contractor/Subcontractor’s notice to VA shall identify the information involved, the circumstances surrounding the incident (including to whom, how, when, and where the VA information or assets were placed at risk or compromised), and any other information that the Contractor/Subcontractor considers relevant.3.With respect to unsecured protected health information, the business associate is deemed to have discovered a data breach when the business associate knew or should have known of a breach of such information. Upon discovery, the business associate must notify the covered entity of the breach. Notifications need to be made IAW the executed business associate agreement.4.In instances of theft or break-in or other criminal activity, the Contractor/Subcontractor must concurrently report the incident to the appropriate law enforcement entity (or entities) of jurisdiction, including the VA OIG and Security and Law Enforcement. The Contractor, its employees, and its Subcontractors and their employees shall cooperate with VA and any law enforcement authority responsible for the investigation and prosecution of any possible criminal law violation(s) associated with any incident. The Contractor/Subcontractor shall cooperate with VA in any civil litigation to recover VA information, obtain monetary or other compensation from a third party for damages arising from any incident, or obtain injunctive relief against any third party arising from, or related to, the incident.B7.LIQUIDATED DAMAGES FOR DATA BREACH1.Consistent with the requirements of 38 U.S.C. §5725, a contract may require access to sensitive personal information. If so, the Contractor is liable to VA for liquidated damages in the event of a data breach or privacy incident involving any SPI the Contractor/Subcontractor processes or maintains under this contract.2.The Contractor/Subcontractor shall provide notice to VA of a “security incident” as set forth in the Security Incident Investigation section above. Upon such notification, VA must secure from a non-Department entity or the VA Office of Inspector General an independent risk analysis of the data breach to determine the level of risk associated with the data breach for the potential misuse of any sensitive personal information involved in the data breach. The term 'data breach' means the loss, theft, or other unauthorized access, or any access other than that incidental to the scope of employment, to data containing sensitive personal information, in electronic or printed form, that results in the potential compromise of the confidentiality or integrity of the data. Contractor shall fully cooperate with the entity performing the risk analysis. Failure to cooperate may be deemed a material breach and grounds for contract termination.3.Each risk analysis shall address all relevant information concerning the data breach, including the following:a.Nature of the event (loss, theft, unauthorized access);b.Description of the event, including:i.date of occurrence;ii.data elements involved, including any PII, such as full name, social security number, date of birth, home address, account number, disability code;c.Number of individuals affected or potentially affected;d.Names of individuals or groups affected or potentially affected;e.Ease of logical data access to the lost, stolen or improperly accessed data in light of the degree of protection for the data, e.g., unencrypted, plain text;f.Amount of time the data has been out of VA control;g.The likelihood that the sensitive personal information will or has been compromised (made accessible to and usable by unauthorized persons);h.Known misuses of data containing sensitive personal information, if any;i.Assessment of the potential harm to the affected individuals;j.Data breach analysis as outlined in 6500.2 Handbook, Management of Security and Privacy Incidents, as appropriate; andk.Whether credit protection services may assist record subjects in avoiding or mitigating the results of identity theft based on the sensitive personal information that may have been compromised.4.Based on the determinations of the independent risk analysis, the Contractor shall be responsible for paying to the VA liquidated damages in the amount of $37.50 per affected individual to cover the cost of providing credit protection services to affected individuals consisting of the following:a.Notification;b.One year of credit monitoring services consisting of automatic daily monitoring of at least 3 relevant credit bureau reports;c.Data breach analysis;d.Fraud resolution services, including writing dispute letters, initiating fraud alerts and credit freezes, to assist affected individuals to bring matters to resolution;e.One year of identity theft insurance with $20,000.00 coverage at $0 deductible; andf.Necessary legal expenses the subjects may incur to repair falsified or damaged credit records, histories, or financial affairs.B8.SECURITY CONTROLS COMPLIANCE TESTINGOn a periodic basis, VA, including the Office of Inspector General, reserves the right to evaluate any or all of the security controls and privacy practices implemented by the Contractor under the clauses contained within the contract. With 10 working-day’s notice, at the request of the Government, the Contractor must fully cooperate and assist in a Government-sponsored security controls assessment at each location wherein VA information is processed or stored, or information systems are developed, operated, maintained, or used on behalf of VA, including those initiated by the Office of Inspector General. The Government may conduct a security control assessment on shorter notice (to include unannounced assessments) as determined by VA in the event of a security incident or at any other time. B9.TRAINING1.All Contractor employees and Subcontractor employees requiring access to VA information and VA information systems shall complete the following before being granted access to VA information and its systems:a.Sign and acknowledge (either manually or electronically) understanding of and responsibilities for compliance with the Contractor Rules of Behavior, Appendix D relating to access to VA information and information systems;b.Successfully complete the VA Privacy and Information Security Awareness and Rules of Behavior training and annually complete required security training;c.Successfully complete VHA Privacy Policy Training if Contractor will have access to PHI;d.Successfully complete the appropriate VA privacy training and annually complete required privacy training; ande.Successfully complete any additional cyber security or privacy training, as required for VA personnel with equivalent information system access 2.The Contractor shall provide to the contracting officer and/or the COTR a copy of the training certificates and certification of signing the Contractor Rules of Behavior for each applicable employee within one (1) week of the initiation of the contract and annually thereafter, as required.3.Failure to complete the mandatory annual training and sign the Rules of Behavior annually, within the timeframe required, is grounds for suspension or termination of all physical or electronic access privileges and removal from work on the contract until such time as the training and documents are complete.ATTACHMENT 1 (PMI Checklist and PMI Report Template)ATTACHMENT 2 (Potential Follow-On Service Replacement Parts)ATTACHMENT 3 (Historical Data for 2010)Please reference the VAPAHCS Codes of Practice attached to the RFP which explains what a full compliment (quad) consists of. 2 CAT6 data cable, and 1 voice cable split onto 2 jacks.This is terminated on a 6 port faceplate. Single drops indicate a single voice or data cable. 2010# of drops# of quadsJan142Feb03Mar433Apr1310May44Jun25Jul211Aug7815Sep48Oct183ATTACHMENT 4 (Historical Data 2010 by Month) ................
................

In order to avoid copyright disputes, this page is only a partial summary.

Google Online Preview   Download