Veterans Affairs
TRANSFORMATION TWENTY-ONE TOTAL TECHNOLOGY NEXT GENERATION (T4NG)PERFORMANCE WORK STATEMENT (PWS)DEPARTMENT OF VETERANS AFFAIRSOffice of Information & Technology (OI&T)Enterprise Portfolio Management Division (EPMD)Benefits Appeals and Memorials (BAM) PortfolioVeteran Signals (VSignals) formerly known as “VOICE”Date: 10/03/2018TAC-19-52724Task Order PWS Version Number: 1.4Contents TOC \o "1-4" \h \z \u 1.0BACKGROUND PAGEREF _Toc524687214 \h 42.0APPLICABLE DOCUMENTS PAGEREF _Toc524687215 \h 53.0SCOPE OF WORK PAGEREF _Toc524687216 \h 53.1APPLICABILITY PAGEREF _Toc524687217 \h 53.2ORDER TYPE PAGEREF _Toc524687218 \h 64.0PERFORMANCE DETAILS PAGEREF _Toc524687219 \h 64.1PERFORMANCE PERIOD PAGEREF _Toc524687220 \h 64.2PLACE OF PERFORMANCE PAGEREF _Toc524687221 \h 64.3TRAVEL REQUIREMENTS PAGEREF _Toc524687222 \h 74.4CONTRACT MANAGEMENT PAGEREF _Toc524687223 \h 74.5GOVERNMENT FURNISHED PROPERTY PAGEREF _Toc524687224 \h 74.6SECURITY AND PRIVACY PAGEREF _Toc524687225 \h 84.6.1POSITION/TASK RISK DESIGNATION LEVEL(S) PAGEREF _Toc524687226 \h 95.0SPECIFIC TASKS AND DELIVERABLES PAGEREF _Toc524687227 \h 105.1PROJECT MANAGEMENT PAGEREF _Toc524687228 \h 105.1.1CONTRACTOR PROJECT MANAGEMENT PLAN PAGEREF _Toc524687229 \h 105.1.2REPORTING REQUIREMENTS PAGEREF _Toc524687230 \h 115.1.3TECHNICAL KICKOFF MEETING PAGEREF _Toc524687231 \h 115.1.4VA MANDATORY TRAINING PAGEREF _Toc524687232 \h 125.1.5ONBOARDING PAGEREF _Toc524687233 \h 135.1.6CONFIGURATION MANAGEMENT PAGEREF _Toc524687234 \h 135.2CAPABILITY DELIVERY PAGEREF _Toc524687235 \h 145.2.1OPERATIONAL CAPABILITIES STANDUP PAGEREF _Toc524687236 \h 145.2.2FUNCTIONAL CAPABILITIES PAGEREF _Toc524687237 \h 155.2.2.1SURVEY MANAGEMENT PAGEREF _Toc524687238 \h 155.2.2.2CLOSED LOOP MANAGEMENT PAGEREF _Toc524687239 \h 165.2.2.3ANALYSIS PAGEREF _Toc524687240 \h 175.2.2.4DASHBOARDING AND REPORTING PAGEREF _Toc524687241 \h 185.2.2.5CUSTOMER JOURNEY PAGEREF _Toc524687242 \h 185.2.2.6ADMINISTRATION PAGEREF _Toc524687243 \h 185.3PHASE I TRANSITION-IN PAGEREF _Toc524687244 \h 195.3.1HOSTED ENVIRONMENTS PAGEREF _Toc524687245 \h 205.3.2TRAINING PAGEREF _Toc524687246 \h 205.3.3AUTHORITY TO OPERATE PAGEREF _Toc524687247 \h 215.3.4DATA MIGRATION PAGEREF _Toc524687248 \h 225.4PHASE II PAGEREF _Toc524687249 \h 235.4.1SYSTEM SOLUTION SUPPORT PAGEREF _Toc524687250 \h 235.4.2TECHNICAL SCRUM SUPPORT PAGEREF _Toc524687251 \h 235.4.3CONFIGURATION SCRUM SUPPORT PAGEREF _Toc524687252 \h 245.5SYSTEM DEVELOPMENT LIFECYCLE (SDLC) PAGEREF _Toc524687253 \h 255.5.1AGILE REQUIREMENTS ELABORATION PAGEREF _Toc524687254 \h 255.5.2RELEASE AND CONFIGURATION PAGEREF _Toc524687255 \h 265.5.2.1RELEASE PLANNING PAGEREF _Toc524687256 \h 265.5.2.2SPRINT PLANNING PAGEREF _Toc524687257 \h 265.5.2.3SPRINT EXECUTION PAGEREF _Toc524687258 \h 275.5.3TESTING PAGEREF _Toc524687259 \h 275.5.4508 COMPLIANCE TESTING PAGEREF _Toc524687260 \h 295.5.5RELEASE SUPPORT PAGEREF _Toc524687261 \h 295.5.6TRAINING PAGEREF _Toc524687262 \h 305.6CONFIGURATION LIFECYCLE PAGEREF _Toc524687263 \h 315.7OPERATIONS AND MAINTENANCE SUPPORT PAGEREF _Toc524687264 \h 315.7.1HOSTED PRODUCTION ENVIRONMENTS PAGEREF _Toc524687265 \h 325.7.2CHANGE AND CONFIGURATION MANAGEMENT SUPPORT PAGEREF _Toc524687266 \h 335.7.3HELP DESK SUPPORT PAGEREF _Toc524687267 \h 345.7.4MAINTENANCE UPGRADES PAGEREF _Toc524687268 \h 345.7.5HOSTING SUPPORT PAGEREF _Toc524687269 \h 345.7.5.1HOSTED ENVIRONMENT HELP DESK SUPPORT PAGEREF _Toc524687270 \h 355.7.5.2BACKUP AND RESTORE PAGEREF _Toc524687271 \h 365.7.5.3HOSTED ENVIRONMENTS ISSUE-RELATED TECHNICAL SUPPORT PAGEREF _Toc524687272 \h 365.7.5.4SECURITY AND MONITORING PAGEREF _Toc524687273 \h 375.7.5.5SERVICE LEVEL AGREEMENT (SLA) REQUIREMENTS PAGEREF _Toc524687274 \h 395.7.5.6PROVIDE DATA CALLS AND REPORTING REQUESTS PAGEREF _Toc524687275 \h 445.8OPTION PERIOD 1 PAGEREF _Toc524687276 \h 465.9OPTION PERIOD 2 PAGEREF _Toc524687277 \h 465.10OPTION PERIOD 3 PAGEREF _Toc524687278 \h 465.11OPTION PERIOD 4 PAGEREF _Toc524687279 \h 475.12ADDITIONAL CONFIGURATION (OPTIONAL TASK 1) PAGEREF _Toc524687280 \h 475.13PROFESSIONAL/TECHNICAL SERVICES (OPTIONAL TASK 2) PAGEREF _Toc524687281 \h 475.14CEM CERTIFICATION TRAINING (OPTIONAL TASK 3) PAGEREF _Toc524687282 \h 485.15TRANSITION SUPPORT AND TRANSITION OF ASSETS (OPTIONAL TASK 4) PAGEREF _Toc524687283 \h 486.0GENERAL REQUIREMENTS PAGEREF _Toc524687284 \h 496.1PERFORMANCE METRICS PAGEREF _Toc524687285 \h 496.2SECTION 508 – ELECTRONIC AND INFORMATION TECHNOLOGY (EIT) STANDARDS PAGEREF _Toc524687286 \h 506.2.1EQUIVALENT FACILITATION PAGEREF _Toc524687287 \h 516.2.2COMPATIBILITY WITH ASSISTIVE TECHNOLOGY PAGEREF _Toc524687288 \h 516.2.3ACCEPTANCE AND ACCEPTANCE TESTING PAGEREF _Toc524687289 \h 51BACKGROUNDThe mission of the Department of Veterans Affairs (VA), Office of Information & Technology (OI&T), Enterprise Portfolio Management Division (EPMD), Benefits, Appeals, and Memorials (BAM) Portfolio is to provide benefits and services to Veterans of the United States.? In meeting these goals, OI&T strives to provide high quality, effective, and efficient Information Technology (IT) services to those responsible for providing care to the Veterans at the point-of-care as well as throughout all the points of the Veterans’ VA journey in an effective, timely and compassionate manner.? VA depends on Information Management/Information Technology (IM/IT) systems to meet mission goals. OI&T/EPMD/BAM provides a service to the Veterans Experience Office (VEO) to support them in meeting their goals in improving customer experience.The Department of Veterans Affairs (VA) has been designated as the Lead Agency Partner for the President’s Management Agenda (PMA) Cross-Agency Priority (CAP) Goal of Improving Customer Experience with Federal Services. To enable this important goal, the Department designates the Veterans Experience Office (VEO) as VA’s authoritative organization in customer experience (CX). VEO brings industry best practices and CX capabilities to the Department, including foundational components of CX data, tools, and technology. VEO is responsible for setting VA-wide strategy and minimum standards on how to apply CX capabilities across VA. This includes collection, analysis, and management of CX data and insights; CX training and tools; and integrated multichannel technology.VA is radically transforming its relationship with Veterans. The goal of the effort is to build trusted, lifelong relationships with Veterans by making experiences predictable, consistent, and easy. The current Software-as-a-Service (SaaS) solution (Medallia) provides actionable intelligence on what is influencing the veterans trust in the services provided by VA. BAM/VEO is seeking a true SaaS solution that will contain IT and Non-IT requirements to include further configuration of CEM capabilities to bolster the VEO mission. Today, VA faces unprecedented demands for services and benefits. The service offerings themselves have multiplied dramatically over the years through expanded eligibility for existing benefits and new benefits programs. Many Veterans have increasingly complex needs, expectations, and requirements of VA, partly driven by the Veteran demographics. In 1975, there were two million Veterans over the age of 65. By 2017 that number is expected to be near 10 million, the majority of whom served in the Vietnam era. Additionally, service-connected issues for those returning from the wars in Iraq and Afghanistan are more complex than in prior eras. Overall this has increased the complexity in caring for America’s Veterans. This challenging environment required VA to re-examine its operating norms and institute new programs to meet these challenges specifically around the Veteran and Employee experience.Whether a Veteran or eligible dependent is accessing one of our facilities or services, every contact between these customers and VA should be predictable, consistent, and easy. In today’s environment, insights on these customer experiences are gained through the collection of data using surveys and forms administered by a decentralized and uncoordinated approach; but with the implementation of Veteran Oriented Interactive Customer Evaluation (VOICE), the VA is moving to a centralized, unified approach. There is nothing more?powerful?than knowing what veterans are talking about and how they feel about those topics.Veteran Signals (VSignals) is a continuation of VOICE and is one component to creating a seamless touch-point between a Veteran, eligible dependent, and caregivers and the VA. The goal is to put in place a near real-time understanding of the current customer and employee experience, to adjust and improve service delivery and recovery at a more rapid pace. VA touch-points include, but shall not be limited to: VHA Medical Facility ExperienceVBA Online and Regional Office ExperienceNCA Memorial Service ExperienceContact Center Web ExperienceSuicide and Homelessness Alerts APPLICABLE DOCUMENTSThe Contractor shall comply with the following documents, in addition to the documents in Paragraph 2.0 in the T4NG Basic Performance Work Statement (PWS), in the performance of this effort:VA Directive 6551 ()SCOPE OF WORKThe Contractor shall provide a commercial-off-the-shelf (COTS) tool as a Software-as-a-Service (SaaS) for survey and closed loop action management in support of the VSignals project. The major tasks involved with the VSignals PWS include the following:Customer Experience Management (CEM) solution.Provide any integration services required in support of VA interfaces.Provide configuration and professional/technical services in the areas of customer experience strategy, analysis, identifying customer experience drivers, and operationalizing insights in the complex VA ecosystem.Provide Operations and Maintenance (O&M) for VSignals.APPLICABILITYThis Task Order (TO) effort PWS is within the scope of paragraph(s) 4.1 Program Management, Strategy, Enterprise Architecture and Planning Support, 4.1.1 Strategy and Planning. 4.1.2 Standards, Policy, Procedure and Process Development, and Implementation Support, 4.1.6 Program Management Support, 4.2 Systems/Software Engineering, 4.2.4 Enterprise Application/Services, 4.2.12 Engineering and Technical Documentation, 4.3 Software Technology Demonstration and Transition, 4.4 Test and Evaluation (T&E), 4.6 Enterprise Network, 4.8 Operations and Maintenance, 4.9 Cyber Security, 4.10 Training, and 4.11 Information Technology Facilities of the T4NG Basic PWS.ORDER TYPEThe effort shall be proposed on a Firm Fixed Price (FFP) basis with a Cost Reimbursable (CR) No Fee Contract Line Item Number (CLIN) for travel.PERFORMANCE DETAILSPERFORMANCE PERIODThe Period of Performance (PoP) shall be a Base Period of 12 months from date of award, with four (4) 12-month option periods. Additionally, this task order includes four (4) optional tasks, outlined in the Optional Tasks table.The Base Period shall be 12 months from date of award including two (2) phases Phase I (Transition-In) shall be completed no later than 2 months after award.User licenses will not be procured under this TO during Phase I.O&M will not be performed under this TO during Phase I. Phase II shall begin at the completion of Phase I and shall provide continued systems support until the end of the base period. Optional Tasks 1, 2, 3, and 4 may be exercised at any time and from time to time during the Task Order Period of Performance (PoP). If exercised, the PoP of each Optional Task exercise shall not exceed 12-months and shall not exceed the overall 60-month Task Order PoP. If Optional Task 4 is exercised, the PoP shall be two months but shall not exceed the 60-month total Task Order PoP.DescriptionsPeriod Period of Performance Base Period (Transition-In/Support/Planning/Configuration) Phase I - 2 monthsPhase II -10 MonthsOption Periods 1-4 (O&M) 12 Months each, if exercisedOptional Task 1(Business CEM Services) As defined in the Schedule of?DeliverablesOptional Task 2(Integration IT services)As defined in the Schedule of?Deliverables Optional Task 3(CEM Certification Training)The duration of each training is 2 weeks, if exercisedOptional Task 4(Phase-Out Transition Support)2 Months from exercise PLACE OF PERFORMANCEEfforts under this TO shall be performed at Contractor facilities. The Contractor shall identify the Contractor’s place of performance in their Task Execution Plan submission.TRAVEL REQUIREMENTSThe Government anticipates travel under this effort to attend program-related meetings or conferences and perform testing throughout the period of performance. Travel to Washington, DC would typically involve program-related meetings, and travel to VA Facilities would typically involve program-related meetings and/or training sessions. Travel shall be approved by the COR prior to the commencement of travel. Contractor shall provide cost estimates with each travel request. Travel shall be on a cost reimbursable basis. All travel shall be IAW the Federal Travel Regulations (FTR).CONTRACT MANAGEMENTAll requirements of Sections 7.0 and 8.0 of the T4NG Basic PWS apply to this effort. This TO shall be addressed in the Contractor’s Progress, Status and Management Report as set forth in the T4NG Basic ERNMENT FURNISHED PROPERTYThe Government has determined that remote access solutions involving Citrix Access Gateway (CAG) have proven to be an unsatisfactory access method to complete the tasks on this specific TO. The Government also understands that GFE is limited to Contractors requiring direct access to the network to: access development environments; install, configure and run TRM-approved software and tools (e.g., Oracle, Fortify, Eclipse, SoapUI, WebLogic, LoadRunner, etc.); upload/download/ manipulate code, run scripts, apply patches, etc.; configure and change system settings; check logs, troubleshoot/debug, and test/QA.Based on the Government assessment of remote access solutions and the requirements of this TO, the Government estimates that the following GFE will be required by this TO:70 of developer-grade laptops The Government will not provide IT accessories including but not limited to Mobile Wi-Fi hotspots/wireless access points, additional or specialized keyboards or mice, laptop bags, extra charging cables, extra PIV readers, peripheral devices, additional RAM, etc. The Contractor is responsible for providing these types of IT accessories in support of the TO as necessary and any VA installation required for these IT accessories shall be coordinated with the COR.The Contractor shall be provided access to Government Equipment such as servers, networks and information. The Contractor shall comply with VA information security and privacy policies and procedures as described in Section 6.1 of the Basic T4NG PWS.The Contractor shall be provided access to the following documentation, as attachments to the PWS, during solicitation that describes the baseline system requirements: VSignals Implemented Epics/User Stories (Attachment A) VSignals Backlog (Attachment B) The Contractor shall be provided access to the following documentation, asattachments to the PWS, post award that describes the Authority To Operate (ATO) requirements and process:Authorization Requirements Standard Operating Procedures (SOP) (Attachment C)The Government will provide access to VA’s IBM Rational Collaborative Application Lifecycle Management (CALM) Toolset (hereafter referred to as Rational) to provide a single Agile project/product application lifecycle management toolset to track execution details after contractors complete the training as required in Section 5.1.4. To access VA’s IBM Rational, the Contractor will require VA access. If the mandated toolset changes throughout the period of performance of this task order then the Government will provide access to the new toolset.VA may provide VA-specific software as appropriate. The Contractor shall utilize VA provided accounts, document and requirements repositories and others as required for the configuration, storage, maintenance and delivery of products. The Contractor shall comply with VA information security and privacy policies and procedures as described in Section 6.1 of the Basic T4NG PWS.SECURITY AND PRIVACYAll requirements in Section 6.0 of the T4NG Basic PWS apply to this effort. Specific TO requirements relating to Addendum B, Section B4.0 paragraphs j and k supersede the corresponding T4NG Basic PWS paragraphs, and are as follows,j.The vendor shall notify VA within 24 hours of the discovery or disclosure of successful exploits of the vulnerability which can compromise the security of the Systems (including the confidentiality or integrity of its data and operations, or the availability of the system). Such issues shall be remediated as quickly as is practical, based upon the severity of the incident. k.When the Security Fixes involve installing third party patches (such as Microsoft OS patches or Adobe Acrobat), the vendor will provide written notice to VA that the patch has been validated as not affecting the Systems within 10 working days. When the vendor is responsible for operations or maintenance of the Systems, they shall apply the Security Fixes based upon the requirements identified within the TO.Specific TO requirements relating to Addendum B, Section B7.0, paragraph a. supersede the corresponding T4NG Basic PWS subparagraph, and are as follows:Consistent with the requirements of 38 U.S.C. §5725, a contract may require access to sensitive personal information. If so, the Contractor is liable to VA for liquidated damages in the event of a data breach or privacy incident involving any SPI the contractor/subcontractor processes or maintains under this contract. However, it is the policy of VA to forgo collection of liquidated damages in the event the contractor provides payment of actual damages in an amount determined to be adequate by the agency.It has been determined that protected health information may be disclosed or accessed and a signed Business Associate Agreement (BAA) shall be required. The Contractor shall adhere to the requirements set forth within the BAA, referenced in Section D of the Request for Task Execution Plan (RTEP) and shall comply with VA Directive 6066. POSITION/TASK RISK DESIGNATION LEVEL(S)In accordance with VA Handbook 0710, Personnel Security and Suitability Program, the position sensitivity and the level of background investigation commensurate with the required level of access for the following tasks within the PWS are:Position Sensitivity and Background Investigation Requirements by TaskTask NumberTier1 / Low RiskTier 2 / Moderate RiskTier 4 / High Risk5.1 FORMCHECKBOX FORMCHECKBOX FORMCHECKBOX 5.2 FORMCHECKBOX FORMCHECKBOX FORMCHECKBOX 5.3 FORMCHECKBOX FORMCHECKBOX FORMCHECKBOX 5.4 FORMCHECKBOX FORMCHECKBOX FORMCHECKBOX 5.5 FORMCHECKBOX FORMCHECKBOX FORMCHECKBOX 5.6 FORMCHECKBOX FORMCHECKBOX FORMCHECKBOX 5.7 FORMCHECKBOX FORMCHECKBOX FORMCHECKBOX 5.8 FORMCHECKBOX FORMCHECKBOX FORMCHECKBOX 5.9 FORMCHECKBOX FORMCHECKBOX FORMCHECKBOX 5.10 FORMCHECKBOX FORMCHECKBOX FORMCHECKBOX 5.11 FORMCHECKBOX FORMCHECKBOX FORMCHECKBOX 5.12 FORMCHECKBOX FORMCHECKBOX FORMCHECKBOX 5.13 FORMCHECKBOX FORMCHECKBOX FORMCHECKBOX 5.14 FORMCHECKBOX FORMCHECKBOX FORMCHECKBOX The Tasks identified above and the resulting Position Sensitivity and Background Investigation requirements identify, in effect, the Background Investigation requirements for Contractor individuals, based upon the tasks the Contractor individual will be working. The submitted Contractor Staff Roster must indicate the required Background Investigation Level for each Contractor individual based upon the tasks the Contractor individual will be working, in accordance with their submitted proposal.SPECIFIC TASKS AND DELIVERABLESThe Contractor shall perform the following tasks and provide the specific deliverables described below within the performance period stated in Section 4.1 of this PWS.All tools used in the maintenance of the application and related applications must be approved in the Technical Reference Manual (TRM). Deviations from this will require a waiver through the Strategic Technology Alignment Team (STAT), formerly known as the Architecture and Engineering Review Board (AERB).? Request for exceptions or deviations cannot impact delivery. All tools used in the solution shall be VA Section 508 compliant as determined by tests performed by the VA Section 508 Office.Agile project management is evolutionary (iterative & incremental) which regularly produces high quality results in a cost effective, timely, and highly collaborative manner via VIP’s value driven lifecycle. This requires open lines of communication among all participants contributing to a project/program/portfolio that include multiple consumers within the contracts and with other VA offices/activities. VIP describes a schedule of incremental deliveries of useable capabilities every three (3) months or less. Backlog grooming and prioritization are continued throughout the product life cycle and shall be managed throughout the period of performance. The foundational structure for VA Agile development and project management can be found in the VIP Guide. For delivery of all project artifacts, the Contractor shall utilize VA-approved tool for managing project execution details and for the management and storage of artifacts using approved VIP and/or EPMO website templates.The Contractor shall deliver documentation in Microsoft Windows-based electronic format, unless otherwise directed in Section B of the solicitation/TO. Any person receiving or providing VA services will be identified as ‘Customers’. Any VA employee using the Customer Experience Management (CEM) system will be identified as ‘VA end users’.PROJECT MANAGEMENTCONTRACTOR PROJECT MANAGEMENT PLANThe Contractor shall deliver a Contractor Project Management Plan (CPMP) that lays out the Contractor’s approach, timeline and tools to be used in execution of this TO effort. ?The CPMP should take the form of both a narrative and graphic format that displays the schedule, milestones, risks and resource support.??The CPMP shall also include how the Contractor shall coordinate and execute planned, routine, and ad hoc data collection reporting requests as identified within the PWS. The initial baseline CPMP shall be concurred upon and updated in accordance with Section B of the TO. The Contractor shall update and maintain the VA Program Manager (PgM) approved CPMP throughout the PoP. Deliverable: Contractor Project Management PlanREPORTING REQUIREMENTSThe Contractor shall use the VA’s implementation of the Rational Toolset to provide a single Agile project/product lifecycle management tool to track execution details. The Rational Project/Product Data and Artifact Repository will be used to provide a single authoritative project and product data and artifact repository. All OI&T project data and artifacts will be required to be managed in this data and artifact repository daily. All checked out artifacts shall be checked back in daily and any data updated daily. Rational synchronizes all changed information immediately for all team members to access work proficiently without the concern of working on aged information.The Contractor shall use VA Rational Tools in accordance with the VA Rational Tools Guide to: 1.Input and manage scheduled project/product sprints and backlog 2.Input and manage project/product Agile requirements3.Input and manage project/product risks and issues4.Input and manage project/product configurations and changes5.Input and manage project/product test plans and execution6.Input and manage project/product planning and engineering documentation7.Input and manage linkages to correlate requirements to change orders to configurable items to risks, impediments, and issues to test cases and test results to show full traceability.The Contractor shall show all Agile requirements, changes, tests performed and test results in Rational to show evidence of code coverage and test coverage of all the requirements specified. This expectation will allow VA to have high confidence in a fully documented, as evidenced by data in the tools, requirements traceability matrixTECHNICAL KICKOFF MEETINGThe Contractor shall hold a technical kickoff meeting within 10 days after TO award. The Contractor shall present, for review and approval by the Government, the details of the intended approach, work plan, and project schedule for each effort. The Contractor shall specify dates, locations (can be virtual), agenda (shall be provided to all attendees at least five (5) calendar days prior to the meeting), and meeting minutes (shall be provided to all attendees within three (3) calendar days after the meeting). The Contractor shall invite the Contracting Officer (CO), Contract Specialist (CS), COR, and the VA PM.Deliverables:Technical Kickoff AgendaKickoff Meeting Minutes VA MANDATORY TRAININGThe Contractor and VA Project Manager (PM) shall determine which team members require access to the VA network and Rational. All Contractors that require access shall complete all the required VA Talent Management System (TMS) training courses within fourteen (14) days of the identification of the access need. The Contractor shall work with their respective point of contact, to obtain access to TMS to complete the mandatory training courses.As an action under the Continuous Readiness in Information Security Program (CRISP), VA's Assistant Secretary for Information and Technology issued a memorandum requiring all VA government and contract staff to complete information security awareness and applicable role-based training. The Contractor shall submit Talent Management System (TMS) Training Certificates of completion for VA Privacy and Information Security Awareness (PISA), Rules of Behavior (ROB), Health Insurance Portability and Accountability Act (HIPAA), and Role-Based trainings. The Contractor shall provide signed copies of the Contractor Rules of Behavior in accordance with Section 9, Training, from Appendix C of the VA Handbook 6500.6, “Contract Security”. The Contractor shall complete the following VA TMS training courses for all contractors with required access to Rational:TMS ID 3878248 - IBM Rational Team Concert - Agile Sprint, Configuration/Change Management Level 1TMS ID 3878249 - IBM Rational Team Concert - Agile Sprint, Configuration /Change Management Level 2TMS ID 3878250 - IBM Rational DOORS Next Generation - Requirements Management Level 1TMS ID 3897036 - IBM Rational DOORS Next Generation - Requirements Management Level 2TMS ID 3897034 - IBM Rational Quality Manager - Quality Management Level 1 TMS ID 3897035 - IBM Rational Quality Manager - Quality Management Level 2Contractors who have completed these VA training courses within the past 12 or 24 months, depending on the training requirements, and have furnished training certificates to VA, will not be required to re-take the training courses.Deliverables:TMS Training Certificates for all mandatory training coursesSigned Contractor Rules of BehaviorONBOARDINGThe Contractor shall manage the onboarding of its staff. Onboarding includes steps to obtain a VA PIV card, network and email account, complete training, initiate background investigations, and gain physical and logical access. In addition, the Contractor shall identify individuals which may require elevated privileges to the necessary development and test environments for the various systems to be enhanced. After review between the Contractor and VA COR, a decision will be made as to the necessity of obtaining GFE for the onboarding staff. If approved, Contractor shall follow the appropriate steps to obtain the equipment. A single Contractor Onboarding point of contact (POC) shall be designated by the Contractor that tracks the onboarding status of all Contractor personnel. The Contractor Onboarding POC shall be responsible for accurate and timely submission of all required VA onboarding paperwork to the VA COR. The Contractor shall be responsible for tracking the status of all their staff’s onboarding activities to include the names of all personnel engaged on the task, their initial training date for VA Privacy and Information Security training, and their next required training date. The Contractor Onboarding POC shall also report the status at the staff level during onboarding status meetings. The Contractor shall provide an Onboarding Status Report weekly for any staff with outstanding onboarding requests for review by the COR, VA Program Manager (PgM) and PM.Deliverable:Weekly Onboarding Status ReportCONFIGURATION MANAGEMENTThe Contractor shall:Identify the standard and unique aspects of configuration management to be performed for each project by establishing a Product Configuration Management Plan which meets EPMO Website CM plan requirements. The Contractor shall reflect all CM required activities and standards in each project-level CM plan while determining the unique aspects of the project which require individualized procedures.Deliver a Recommended List of Configuration Items to be placed under configuration and change control. The Contractor shall identify types of configuration items pertaining to each product to be placed under configuration management. Based on EPMO requirements, and the unique needs or nature of each project, the Contractor shall determine the components within each project that must be under configuration control.Use Rational Team Concert as the VA approved tool and repository for all software source code and electronic artifact configuration and version management. The Contractor shall use IBM Rational Team Concert tool to manage change, activity, issue, action, risk, and other project data as prescribed by VA standards and processes. If assigned a project using tools that are being deprecated, the Contractor shall assist the VA Tools Team in migrating projects using other Change and/or Configuration Management tools to the IBM Rational Team Concert tool.Ensure that all project software and non-software artifacts are versioned correctly according to VA standards and follow a build/release promotion versioning approach which identifies all major, minor, and update changes to the components.Create Project and Product Artifacts baselined and versioned in the CM repository to allow the tool to show active and past histories of the check-ins and check-outs of all software components, data, and software project engineering documents. Maintain all baselines of software, software builds, and electronic artifacts in the repository, labeling updates and versions according to CM procedures.Develop, verify and submit with all project build deliveries, a Version Description Document that addresses the manifest of the contents of all software builds created for project releases outside the development environment.Establish and maintain status reporting on change and configuration management activity, and ensure Rational Team Concert data records and artifacts are filed and updated daily.Deliverables:Product Configuration Management Plan Version Description Document CAPABILITY DELIVERYOPERATIONAL CAPABILITIES STANDUP The Contractor shall provide a COTS Software-as-a-Service (SaaS) solution, that at a minimum, shall include survey creation, distribution and collection capabilities, and will provide closed-loop feedback functionality to capture and act on customer compliments and complaints.?The applications, supplies, and services furnished under this task order shall comply with One-VA Enterprise Architecture (EA), available at? and shall comply with all VA rules, standards, and guidelines in the Technical Reference Model/Standards Profile (TRMSP). Any COTS product provided as part of the solution shall be One-VA TRM compliant. The Contractor shall complete the requirements of this section and subsections in accordance with the Configuration LifeCycle (CLC) requirements in Section 5.6.The Contractor solution shall support the following user matrix: Operational Standup CapacitySurvey Creators / ModifiersDashboard ConsumersRespondentsExpected Responses per SurveyFrequency of SurveysTime Burden per SurveyClosed Loop Management Users≤ 300350,0003-5 million~ 80%unique survey minimum ~ 2/week3-5 minutes150,000FUNCTIONAL CAPABILITIESThe following represents a summary of high-level functionality to be inherent (off-the-shelf functionality) in the system. This set of functions is further expressed in the requirements contained in Attachment B. This PWS groups capabilities in terms of modules – Survey Management, Closed Loop Management, Analysis, Dashboarding, and Administration.The CEM system shall deliver a solution that provides the following capabilities:Allow Copying (import/export) of a full or a portion of a configuration from one environment to another.Be fully functional using the following devices: computer, tablet, smart phones, and kiosks; each using any of the following operating systems: Windows, iOS, Android, and Windows Phone.Provide VA the ability to brand the CEM system and surveys with specific coloring, logos, graphics, and text.Can import and export data using CSV, Excel, xml file formats and system to system automated interfaces both near real-time and batch as needed, to support analytics, reporting and dashboards.Translate surveys to other languages, such as Spanish, and translate feedback received in such languages back to English.SURVEY MANAGEMENTThe VSignals solution shall provide VA an understanding of Customer experiences through the ability to create, modify, and delete surveys and/or questions. The functionality includes the distribution of the surveys and/or questions to an identifiable audience via methods identified below (see 5.2.2.1.a and 5.2.2.1.l) including collection from other applications. The anonymous and identified responses received will be stored on a real-time survey collection system (the CEM) accessible by VA end users based on role permissions. At a minimum these roles shall control the ability of users to control read and modify access to each module and workflow.The CEM system shall deliver a solution that provides the following capabilities:Collect, aggregate, and store survey data for additional data analytics. Types of data shall include: electronic modalities, open text/free-form feedback, closed-ended questions, Social Media Listening, Short Message Service (SMS), Interactive Voice Response (IVR), and web intercepts.Map text comments from the survey respondents with structured feedback to identify common trends.Send a survey automatically based on a call that is received and logged by the Contact Center.Display a post survey submission message to the Customer, generate and send a customizable email notification upon survey submission and subsequently can route to another web landing page.Support anonymous and non-anonymous feedback and responses. Develop a survey response interface to be used by VA end users.Generate and distribute surveys and/or questions at any time from any touchpoint through various channels with pre-scheduled timelines and timeframes.Identify, configure, manage, and distribute surveys to subsets of customers based on certain characteristics determined by VA end users.Support web intercepts that integrate surveys with VA affiliated websites.Provide survey features that address the ease of use based on best practices that include select from prepopulated fields, question branching, enter free form text, save without submittal, support chat, and print.Create, modify, version and delete surveys and/or questions. Email surveys directly, including individualized links, to respondents and track reminders and responses.Create customizable email templates that can be assigned to workflow events.Provide surveys and invitations in multiple languages.Prevent respondents from completing the survey multiple times.Show custom end-of-survey messages or redirect respondents to any specified URL.CLOSED LOOP MANAGEMENTThe CEM system shall provide a closed loop management capability for VA end users to ensure collaborative coordination of customer feedback aimed at real-time service recovery. This includes the ability to generate, manage and track customer cases to resolution, and includes tracking interactions with Customers. The CEM system shall deliver a solution that provides the following capabilities:Automatically capture interactions with Customers that occurred using email, text messaging, or phone calls in a central location.Generate cases based upon several inputs so that case collection is consistent across VA. Case generation methods include direct submission from Customers and VA end users.Provide ability to fully customize the Closed Loop Management tool interface to track and record all necessary data elements.Allow VA end users to locally customize their notifications.Allow VA end users who are not assigned to work a case to subscribe to alerts and/or email notifications for the case based on configurable attributes and receive automated notifications.Allow authorized VA end users to act on a workflow, including crisis alerts, transfer cases between workflows, reassign, and escalate to multiple other VA end users, automatically and manually on a case-by-case basis.Allow automated actions on a workflow, including alerts, transfer cases between workflows, reassign, and escalate to multiple other VA end users on a case-by-case basis.View historical interactions with a specific Customer within the Closed Loop Management system.Manage work queue and reassign cases in bulk automatically and manually.Set workflow actions based on timed thresholds.Define and customize workflow and track and display the status of each case. Assign a new case to an individual VA end user or a team based on defined business rules.Send a customized email confirmation to the Customer and a customized email to the VA end user assigned upon case entry. (Customized means details from the survey respondent are included in the email.)Ability to upload documents by VA end users (PDF, GIF, JPEG, Microsoft Suite products).Create, modify, version and delete cases.Support for alerts and aspects like email notifications.Support inclusion of workflow and rule engine.ANALYSISThe CEM system shall provide the ability to glean sentiment, identify common trends based on qualitative and quantitative inputs, and generate automatic triggers accordingly. The CEM system shall deliver a solution that provides the following capabilities:Support statistical analysis and text analytics on the open text and closed-ended feedback, and generate automatic and manual reports and alerts based on triggers.Allow case agent to tag a case with keywords.Search all case fields and/or attachments using a search function. This capability shall include the ability to logically combine search terms.Search a Frequently Asked Questions (FAQ) data library and standard response templates (populated by VA end users).Identify systematic trends based on comments, survey responses, and other data sources based on data accessible to the CEM system.Support for data mining, predictive and prescriptive analytics.Ability analyze unstructured feedback from channels such as surveys and social media.DASHBOARDING AND REPORTINGThe CEM system shall provide dynamic reporting and dashboarding capabilities providing rich graphical interfaces that are available through the web and mobile devices.?The dashboarding capability shall host the dashboard as an accessible webpage within CEM accessible through a web-link.?The CEM system shall deliver a solution that provides the following capabilities:Support near-real-time custom configuration of reports and dashboards. Support adhoc reporting.Support provisioning of access to reports and dashboards.Provide an interface to design reports and dashboards to ensure data is readable and attainable to the non-technical user. Support data-driven filters for reports.Support the ability to export and print reports.Consolidate data collection from multiple signals and unify Customer experience metrics in a single channel using a single platform.Support alerts on queries, filters and other actions which may affect performance of the CEM system.Provide multiple report types to include charts, graphs, tables and various other data visualizations.Allow VA end users to customize reports to data that is relevant to their core duties using filters or parameters.Automatically send canned reports to VA end users. Support role-based reports and dashboards.CUSTOMER JOURNEYThe CEM system shall deliver a solution that provides the following capabilities:Ability to collect survey data from each interaction channel and extract customer-journey-related insightsAbility to ingest operational data linked to customer experiences from multiple channels and combine with the associated survey dataADMINISTRATIONThe CEM system shall have the capability to administer specific components of the enterprise system to support the functional needs of the system by specific VA end users. Administering includes customization of the Closed Loop Management workflow and related interfaces; ensure the enterprise solution is administered in a fashion where it can be integrated with the specific operating systems; ensure the enterprise solution can be integrated with various output devices; and customize access to system interfaces and reports based on specific role permissions. Overall, these components should be customizable at various hierarchies defined by the government. The CEM system shall deliver a solution that provides the following capabilities:Provide VA end users with appropriate permissions to create ad hoc reports.Maintain a local list of VA end users and respective roles and grant access within the tool.PHASE I TRANSITION-INThe Contractor shall transition the current CEM Solution (Medallia), including user interface, data, and external interfaces, to Contractor’s CEM Solution with no service interruption at the start of the Phase II. The Contractor shall provide configuration support to ensure the VSignals system is fully functioning with no service interruption. The Contractor shall schedule and manage a weekly transition status meeting with Government to include:Current status of transition efforts, including technical and security activitiesTransition ScheduleChecklist of requirements from Attachment A that have been incorporated in to new solutionRisks and IssuesResponsible Accountable Consulted Informed (RACI) matrixThe Contractor shall deliver a solution with the following functional capabilities, as described in Section 5.2 and Attachment A:Stand up hosted environments (IAW Paragraphs 5.3.1) and ensure the CEM system is accessible via web browsers.Create/configure existing surveys, including the distribution cadence and invite/org file process.Create/configure existing dashboards and reports that accurately display migrated data as well as current data.Create/configure export functionalities and formats.Create/configure crisis alert management including existing suicide (VCL) and homelessness (NCCHV) crisis alerts.Create/configure social media analytics on Facebook and Twitter VA accounts.Create/configure Text Analytics and existing keywords.Create/configure closed loop management.Create/configure digital feedback.Create/configure fields for interface with Customer Relationship Management (CRM) system.Create/configure a portal comment card (PCC). Create existing security user roles and permission levels.Migration of existing data from existing CEM to new CEM (IAW Paragraph 5.3.4)The Contractor shall work with VA resources to ensure that the following interfaces and functionalities are available:Trusted Internet Connection (TIC)Authority to Operate (ATO)Two-Factor Authentication (2FA)Interface with the Identity and Access Management (IAM) system for Personal Identification Verification (PIV) Authentication and Single Sign On (SSO) functionalityInterface with CRM system, establish bi-directional, real-time transfer of data between the two systemsInterface with VA websites, such as and , for PCCInterface with VCL and NCCHV for crisis alertsHOSTED ENVIRONMENTS Hosting services consist of provisioning the environments to allow VA end users to utilize the CEM system. The Contractor shall setup and configure the hosting environments IAW VA Directive 6551 within 30 calendar days of task order award.Non-Production Environments Five (5) Sandbox Environments to be used for:Development Environments to be used for configuration? SQA Environments to be used for software testing The Sandbox Environment to be utilized for User Acceptance Tests (UAT) The Pre-Prod Environment mirrors the Production Environment to ensure operability prior to promoting into ProductionProduction EnvironmentDeliverables:Hosted Non-Production EnvironmentsHosted Production EnvironmentTRAINING The Contractor shall provide face-to-face training of VA staff in the utilization of the new CEM system. The Contractor shall:Provide a VA End User Training Package which consists of an overview presentation, and User Guide.Perform hands-on training with VA end users and?trainers?(not to exceed a total of?50?participants per training session) prior to Phase II. Provide minutes of training sessions to include a list of attendees, and time attended. The Contractor shall provide five (5) distinct training sessions to train the VA end users and trainers. Specific timing of those training sessions shall be coordinated post award.Provide a Super User Training Package which consists of a system overview presentation, and Super User Guide.Perform hands-on training with Super Users (not to exceed a total of?20?users per training sessions) prior to Phase II. Provide minutes of training session to include a list of attendees and time attended. The Contractor shall provide two (2) distinct training sessions to accomplish this.Provide User Guides consisting of written instructions and associated images, and clear, simplified diagrams. Jargon is kept to a minimum or explained thoroughly. The document reflects the contents of the most recent release (whether a configuration update or release), and is updated to include any changes.Provide Quick Reference Guides consisting of 1-2 pages that provides basic functionality and navigation. Provide a Help Desk Training Package consisting of an overview presentation, Help Desk Reference Guide, and Troubleshooting Decision Trees. Training materials may include videos, presentations, documents, and guides.Deliverables:A. VA End User Training Package and minutesB. Super User Training Package and minutesC. User GuidesD. Quick Reference Guides E. Help Desk Training PackageAUTHORITY TO OPERATEThe Contractor shall coordinate with applicable VA stakeholders for an Authority to Operate (ATO) to interface the hosted environments to the VA Network. The Contractor shall provide all Assessment and Authorization (A&A) support and documentation required to achieve and maintain full A&A certification using the process specified in the EPMO Website and in VA’s Authorization Requirements Standard Operating Procedure (SOP). Obtaining an ATO based on FedRAMP controls versus FISMA controls is acceptable. The Contractor shall be responsible for generating the A&A ATO Package that includes the following security documentation IAW Attachment C Authorization Requirements SOP:System Security Plan (SSP), Risk Assessment (RA), Incident Response Plan (IRP), Information Security Contingency Plan (ISCP), Disaster Recovery Plan (DRP), Configuration Management Plan (CMP), Interconnection Security Agreement/Memorandum of Understanding (ISA/MOU), Additional system description/and diagrams required by VA to gain access to VA network and receive an Authority to Operate (ATO). ?The Contractor shall:Be fully responsible and accountable for ensuring compliance with all HIPAA, Privacy Act, Federal Information Security Management Act (FISMA), National Institute of Standards and Technology (NIST), Federal Information Processing Standards (FIPS), and VA security and privacy directives and handbooks. This includes conducting compliant risk assessments, routine vulnerability scanning, system patching and change management procedures, and the completion of an acceptable contingency plan for each system. The contractor’s security control procedures must be equivalent, to those procedures used to secure VA systems. Ensure adequate security controls for collecting, processing, transmitting, and storage and removal of Personally Identifiable Information (PII) and Personal Health Information (PHI), as determined by the VA Privacy Service, must be in place, tested, and approved by VA prior to hosting, operation, maintenance, or use of the information system, or systems by or on behalf of VA. Ensure these security controls are to be assessed and stated within the Privacy Impact Assessment (PIA) and if these controls are determined not to be in place, or inadequate, a Plan of Action and Milestones (POA&M) shall be submitted and approved prior to the collection of PII and PHI. Deliverables:Plan of Action and MilestonesA&A ATO PackageDATA MIGRATIONThe Contractor shall migrate all records, tables, and files from the current CEM system into the new CEM system. The Contractor shall perform the migration and confirm successful migration of all data to the new solutionThe Contractor shall provide a Data Crosswalk mapping data from existing CEM records, files, and tables to the new solution. The crosswalk shall be provided within 10 business days of migration.The Contractor shall validate that all current records have been successfully migrated into the new system. This validation shall be provided in the Data Crosswalk.The Contractor shall provide a Data Validation Report detailing the type of data that was migrated and validating that 100% of data have been accurately migrated. Data validation will verify data elements on each record and table to ensure no changes have occurred.Deliverables:Data CrosswalkData Validation ReportPHASE II The Contractor shall complete the requirements of this section and subsections IAW the SDLC requirements in Section 5.5.SYSTEM SOLUTION SUPPORT The Contractor shall maintain the solution IAW Section 5.7.The contractor shall deliver the CEM solution, including the commercial software and hosted environments required for the system. The contractor shall maintain the operations of the hosted environments and software for Phase I, Phase II, and throughout the remainder of the Base Period. System solution support activities are associated with the on-going support related to the performance of routine, preventive, predictive, scheduled, and unscheduled actions aimed at preventing system/production failure (i.e., break/fix) and correcting software defects with the goal of increasing efficiency and reliability on a continuous basis.INTEGRATION IT SERVICESFor the Base Period, the Contractor shall provide a pro-rated integration IT services scrum team for 10 months (Phase II). For each Option Period, the Contractor shall provide an integration IT services scrum team for 12 months. Each integration IT services team shall consist of a minimum of six (6) Full Time Equivalents (FTE) and a maximum of eight (8) FTE resources per team.The Contractor shall execute all task activities and deliverables defined in Section 5.0 and all applicable subparagraphs to provide configuration management resources to support each release cycle, to include the entire Section 5.5 System Development LifeCycle (SDLC).An individual VSignals Technical Scrum team is comprised of the appropriate distribution of cross functional roles that include; non-dedicated roles Project Manager, technical lead(s), integration architect, solution engineer(s), tester(s), and security analyst(s); dedicated roles quality assurance, configuration analyst(s), and a Certified Scrum Master (CSM). An integration IT services Scrum Team may have one or two Technical Leads as part of the team that provide technical guidance, resolve technical impediments and configure the tool. Each integration IT services Scrum Team shall include at least one resource with a minimum of four (4) years of expertise and experience with implementing and configuring the web-based Customer Experience tool. Each integration IT services Scrum Team shall also include a dedicated resource for requirements refinement and elaboration, this resource will be required to elaborate epics, user stories, etc, to complex technical requirements. Each integration IT services Scrum Team shall include a dedicated resource with knowledge of the complexities inherent to the VA’s architecture.Integration IT services Scrum teams should have a minimum of one (1) person per dedicated role. In the event the Contractor shares a non-dedicated resource across multiple scrum teams, those scrum teams shall still consist of a minimum of six (6) FTE and a maximum of eight (8) FTE.SYSTEM DEVELOPMENT LIFECYCLE (SDLC)SDLC shall be applied to PWS Task 5.13. The Contractor shall configure, develop, enhance, maintain, test, and deploy builds of the CEM System on a continuous basis no shorter than two (2) weeks but no longer than three (3) months in duration throughout the base and option periods if exercised, or as needed based on requirements. The Contractor shall provide deliverable packages/artifacts specified herein that meet documentation and code delivery requirements of activities specified in this PWS and are VIP/EPMO compliant. The Contractor shall leverage and reuse relevant content and pre-existing product documentation as appropriate to satisfying the content of package deliverables. AGILE REQUIREMENTS ELABORATIONThe Contractor shall complete an initial backlog grooming session with the VA team to properly understand and elaborate business Agile requirements. The outcome of this session shall be a complete review of, and agreement to, the initial user stories, including user stories added as a result of backlog grooming by decomposing Epics into stakeholder needs, business requirements, business rules, requirements visualizations and user story elaborations. The Contractor shall: Ensure all Epics, including Standard Epics as defined in PWS Paragraph 4.5, are included and executed as appropriate within the overall Agile backlog grooming effort.Populate the backlog during an initial planning session identifying all features the team considers relevant to building the product. The backlog serves as the primary source for all program requirements and user stories, and the team shall prioritize the contents.Establish initial Unit of measurement (e.g. Story Points) as the estimated relative complexity of user stories. Facilitate any stakeholder briefings, meetings and/or elicitation sessions.Execute requirements reviews with stakeholders and record results of reviews using the VA Approved Tool, updating requirements data as a result of the reviews.Identify the non-production environment access that is needed 30 days prior to configuration start. All Epics, stakeholder needs, visualizations, stories, and other sources of requirements information for functional and non-functional requirements are Input and maintained in VA Approved Tool. All requirements data is under change control and is fully linked to work items that show traceability to design changes, configurable items, test cases and test results. RELEASE AND CONFIGURATIONThe Contractor shall continuously support the iterative release and configuration methodology described within Section 5.5 to complete all epics and user stories identified in the backlog.RELEASE PLANNINGThe Contractor shall develop a release collection 30 days prior to a Release. Each release shall be no shorter than 2 weeks but no longer than 3 months in duration and shall be made up of individual sprints. Any release that is user facing will be fully tested by end users before release. The Contractor shall maintain the program/project backlog, continuously, in every release and throughout the life of the period of performance within the VA Approved Tool. All activity scheduled in each release and backlogs will be captured and have status showing all work items, changes, impediments, and retrospectives. All data and artifacts in the tool shall be fully linked to requirements data and test data. Release planning shall consist of the following: Teams will review, elaborate, and prioritize the backlog. This backlog grooming will occur continuously throughout the release to ensure the customer’s highest priorities are being met.Backlog grooming and Release Planning sessions, facilitated by the Contractor, that outline the intent of the build, and are not a formal commitment. The Contractor shall update the resulting Release Collection within VA Approved Tool.Identification of the Epics and user stories to be completed within the release, the agreement of acceptance criteria of the release, and readiness to begin release. Identification of field sites, test environments, acceptance criteria, and ATO requirements.Coordinate and validate MOU’s and SLA’s for partner dependencies that specifically highlight the commitment of partners to associated release. SPRINT PLANNINGOnce the release planning is completed and accepted, the Contractor will initiate Sprint Planning for the first Sprint of the release. All activity scheduled in each sprint and backlog will be captured and have status showing all work items, changes, impediments, and retrospectives. All data and artifacts in VA Approved Tool shall be fully linked to requirements data and test data. The Contractor shall:Initiate and participate in a Sprint Planning Meeting, at the beginning of each sprint. The Contractor shall update the Sprint Plan in the VA Approved Tool after the Sprint Planning. Support, coordinate and provide input for the Sprint Acceptance Criteria in VA Approved Tool. The Sprint Acceptance Criteria shall be coordinated and approved for every sprint. This task shall result in an Approved Sprint Plan.SPRINT EXECUTIONAll activity executed in each sprint and backlog will be captured and have status showing all work items, changes, risks, issues, impediments, and retrospectives. All data and artifacts in VA Approved Tool shall be fully linked to requirements data and test data.The Contractor shall:Develop the features and capabilities as work items in VA Approved Tool that were established in the Sprint plete sprint configuration including disciplined testing (unit, functional, regression) and reviews as a continuous process, to avoid finding issues at the end of sprint development. Initiate and conduct daily scrums (typically 15 minutes) to show the team progress, impediments and daily plans. Update the VA Approved Tool daily, to include progress on tasks during sprints, blockers and dependencies.Coordinate and support demonstration of the sprint activities with the project team and Users at the end of each sprint. This is termed a Sprint Review and will result in Customer Acceptance of the Sprint. Develop and deliver automated build and automated publishing capabilities to schedule jobs and support continuous integration for every sprint. Automated build tools shall be in compliance with the approved list from the One-VA TRM and code shall be demonstrable and stable enough to be promoted to another environment without issue by evidence of the status of tests and results in the Rational Tools.Initiate and facilitate a Sprint Retrospective at the end of the Sprint to capture team performance lessons learned. Deliverable: Approved Sprint PlanRelease CollectionTESTINGThe Contractor shall adopt Agile best practices for integration testing into each Agile sprint and release. The Contractor shall populate its Test Strategy section of the test plan in VA’s implementation of Quality Manager tool within 15 days after Technical Kickoff Meeting. The Contractor shall conduct tests (e.g. unit, functional, accessibility, system, reliability, usability, interoperability, regression, security, performance) throughout the configuration lifecycle (e.g. user story, sprint, build, release) using industry best practices of continuous integration methods and automated regression testing utilities using One-VA Technical Reference Model (TRM) approved tools. The Contractor shall conduct testing related to non-functional requirements, (e.g. load, performance, installation, back-out, and rollback).The Contractor shall provide Test Plan data in the Quality Manager tool following the templates and data requirements appropriate for each test purpose appropriate to each phase of development. The Contractor shall provide test results in the Quality Manager tool which is the final piece of data that completes the Requirements Traceability Matrix (RTM). COR/VA PgM acceptance will occur through the Quality Manager approval process. The Contractor shall support the security, accessibility, performance, technical standards, architectural compliance, user acceptance and initial operational capability tests, audits, and reviews. Security scanning is done by multiple methods and is done multiple times throughout the course of a project with methods such as infiltration testing (WASA), code analysis tools (Fortify), etc. Accessibility reviews are performed through a variety of tool based and manual reviews, able to scan web applications and other technologies used for user interfaces. Performance testing is done through load testing and technical analysis of capacity planning data submitted by the project team. Architectural compliance assessments are done through submission of design materials to confirm compliance with allowed enterprise architecture.The Contractor shall ensure all test and compliance review planning and execution details and their testing and compliance results are entered and maintained in Quality Manager tool and under version control in the VA Approved Tool. Specifically test management data and artifacts include such items as scripts, configurations, utilities, tools, plans and results. The Contractor shall ensure that results of all assessments of the project performed by the Contractor or by VA offices are consolidated into the VA Approved Tool for planning and status reporting. When a defect is identified during testing, the Contractor shall log it in the Tool, selecting the appropriate severity level. The Contractor shall support the Project Manager for prioritizing the defect in the sprint backlog. Based on a prioritization the defect could be entered into the current sprint or entered into the backlog.The Contractor shall ensure the VA Approved Tool data is up-to-date daily so that VA stakeholders can access accurate and timely status.Deliverables:Test Strategy Data input Test Plan and Test Execution Data input Requirements Traceability Matrix (RTM)508 COMPLIANCE TESTINGThe Contractor shall:Develop a 508 Test plan as part of the Test Plan (See Section 5.5.3).Document and report 508 test findings and test incidences as part of the Quality Manager.Prepare the Section 508 customization Conformance Validation Statement (CVS) (in accordance with the VA Section 508 Program Office CVS form) and the VA Section 508 Self-Certification Form and verify that CEM complies with all requirements identified in the Section 508 Conformance Validation Statement (CVS). If the application is found not to be VA 508 compliant, the Contractor shall provide the CVS form and a 508-compliance waiver package. All tools used in the environments of the CEM and related Programs and all applications produced by CEM and related program projects shall be Section 508 compliant as determined by the tests performed by the VA Section 508 plete Section 508 Self Certification package for each release to include: Self-Certification document, Voluntary Product Accessibility Template (VPAT), Test Methodology Description document, Conformance Validation Statement (CVS), and Plan of Action and Milestone (POAM) and comply with all Process Asset Library (PAL) and Section 508 requirements for documentation and testing in accordance with the VA Test Process Workgroup (TPWG) and Section 508 testing requirements.Support and provide assistance to the VA staff and other Contractors completing 508 compliance testing.Deliverables:A. Section 508 Customization Conformance Validation StatementB. Section 508 Self Certification packageRELEASE SUPPORTThe VA’s Release Process is conducted during the release of new functionality or configuration in compliance with the VA’s Release Process. The Contractor shall support the VA’s Release Process during the TO’s PoP. The POLARIS calendaring process and tool will be used to track release and implementation, special works in progress, and other deployment events in the VA production environment. The Contractor shall provide data for populating and updating the POLARIS calendaring process for each release.TRAINING The Contractor shall provide face-to-face training of VA staff of the CEM system. The Contractor shall:Provide a VA End User Training Package which consists of an overview presentation, and User Guide.Perform hands-on training with VA end users and?trainers?(not to exceed a total of?50?participants per training session). Provide minutes of training sessions to include a list of attendees, and time attended. The Contractor shall provide four distinct training sessions to train the VA end users and trainers. Specific timing of those training sessions shall be coordinated post award.Provide a Super User Training Package which consists of a system overview presentation, and Super User Guide.Perform hands-on training with Super Users (not to exceed a total of?20?users per training sessions). Provide minutes of training session to include a list of attendees and time attended. The Contractor shall provide two distinct training sessions to accomplish this.Provide User Guides consisting of written instructions and associated images, and clear, simplified diagrams. Jargon is kept to a minimum or explained thoroughly. The document reflects the contents of the most recent release (whether a configuration update or release), and is updated to include any changes.Provide Quick Reference Guides consisting of 1-2 pages that provides basic functionality and navigation. Provide a Help Desk Training Package consisting of an overview presentation, Help Desk Reference Guide, and Troubleshooting Decision Trees. Provide hands-on training with Help Desk personnel (not to exceed a total of 15 users per training session). Provide minutes of training sessions to include a list of attendees, and time attended. The Contractor shall provide two distinct training sessions to accomplish this.Training materials may include videos, presentations, documents, and guides.Deliverables:A. VA End User Training Package and minutesB. Super User Training Package and minutesC. User GuidesD. Quick Reference Guides E. Help Desk Training Package and minutesCONFIGURATION LIFECYCLEThe Configuration LifeCycle (CLC) is a Lightweight Agile Framework which aligns with OIT’s SDLC Agile Methodology. CLC shall be applied to PWS Tasks 5.2, 5.3, and 5.12. The Contractor shall plan, configure, test, and deploy releases of the CEM System on a continuous basis no shorter than 3 weeks but no longer than 3 months in duration throughout the period of performance, or as needed based on requirements. The Contractor shall plan, configure, test, and deploy minor changes on a rapid turnaround as needed, in accordance with the VSignals Change Request (CR) Process. The Contractor shall provide deliverable packages/artifacts specified herein that meet documentation and delivery requirements of activities specified in this PWS. The Contractor shall leverage and reuse relevant content and pre-existing product documentation as appropriate to satisfying the content of package deliverables.The Contractor shall deliver a change request log on a weekly basis consisting of a list of all Configuration Change Requests (CR) and status on each CR.The Contractor shall provide training of VA staff in the utilization of the new or modified functionalities of the CEM system. Training materials may include videos, presentations, documents, and guides.Deliverables:Change Request LogOPERATIONS AND MAINTENANCE SUPPORT System solution support activities are associated with the on-going support related to the performance of routine, preventive, predictive, scheduled, and unscheduled actions aimed at preventing system/production failure (i.e., break/fix) and correcting software defects with the goal of increasing efficiency and reliability on a continuous basis. This support shall be provided for the CEM solution and all associated components and environments.In support of these activities, the Contractor shall configure, maintain, test, and deploy CEM maintenance releases applying the same life cycle tasks, as applicable, described in Section 5.5 and 5.6. The Contractor shall provide technical documentation and execute these life cycle processes throughout the period of performance to support the delivery of CEM functionality.Releases may occur after hours and/or during the weekend. It is expected that all deployment release packages are completely developed and SME advisory and troubleshooting support is provided. For releases, Contractor support staff should be identified and available should a problem arise.HOSTED PRODUCTION ENVIRONMENTS Hosting services consist of provisioning the production environment to allow VA end users to utilize the CEM system. The Production Environment is used to host live Customer data, accessed daily, during VA servicing of the Customer. The Production Environment shall initially be classified as Federal Information Security Managements Act (FISMA) Moderate but shall have the option to increase the classification to FISMA High at any point during the Period of Performance of this task order. The Contractor shall complete any FISMA Assessment related activities that are required. The Contractor shall update and maintain the ATO documentation as required to ensure compliance.The Contractor shall be responsible for generating the A&A ATO Package that includes the following security documentation IAW Attachment C Authorization Requirements SOP:System Security Plan (SSP), Risk Assessment (RA), Incident Response Plan (IRP), Information Security Contingency Plan (ISCP), Disaster Recovery Plan (DRP), Configuration Management Plan (CMP), Interconnection Security Agreement /Memorandum of Understanding (ISA/ MOU), Additional system description/and diagrams required by VA to gain access to VA network and receive an Authority to Operate (ATO). ?Environments shall comply with the latest VA Assessment and Authorization (A&A) policies and procedures as referenced in this document via continuous monitoring procedures. The Contractor shall:Be fully responsible and accountable for ensuring compliance with all HIPAA, Privacy Act, FISMA, NIST, FIPS, and VA security and privacy directives and handbooks. This includes conducting compliant risk assessments, routine vulnerability scanning, system patching and change management procedures, and the completion of an acceptable contingency plan for each system. The contractor’s security control procedures must be equivalent, to those procedures used to secure VA systems. Ensure adequate security controls for collecting, processing, transmitting, and storage and removal of Personally Identifiable Information (PII) and Personal Health Information (PHI), as determined by the VA Privacy Service, must be in place, tested, and approved by VA prior to hosting, operation, maintenance, or use of the information system, or systems by or on behalf of VA. Ensure these security controls are to be assessed and stated within the PIA and if these controls are determined not to be in place, or inadequate, a Plan of Action and Milestones (POA&M) shall be submitted and approved prior to the collection of PII and PHI. Deliverables:Plan of Action and MilestonesA&A ATO PackageCHANGE AND CONFIGURATION MANAGEMENT SUPPORTChange and Configuration Management addresses the governance, process, roles and responsibilities for the intake, disposition, and documentation of configuration and/or changes under the direction of VA in support of applications that have been deployed to production.The Contractor shall:Update the existing Change and Configuration Management Plan IAW PWS Paragraph 5.1.6.For each defect identified, the Contractor shall triage the defect, identify a resolution for the defect, and provide a plan for resolution, including timeline and impacts and updates to the VA Approved Tool. Perform technical analysis to include: identifying dependencies on other tasks; assessing the impact of changes on the existing system; and classifying changes as indicated below:Corrective Sustainment which is the diagnosis and correction of program errors after release.Adaptive Sustainment which is the modification of software to interface with a changing environment or congressional mandates.Preventive Sustainment which is the modification of software to improve future maintainability or reliability as a result of a requirement to perform a hardware re-platform or operating system/system software upgrade.Perfective Sustainment which is the modification of the software to improve future functionality based on CEM best practice recommended by the CEM Subject Matter Experts (SMEs), sustainment staff and business. This shall include software patches, optimization and incorporation of upgraded and effective software or plugins to improve performance and usability. Update the VA Approved Tool IAW PWS Paragraph 5.1.6 based on the outcome of change and configuration management processes. This shall include:Revision of the functional and technical requirements and user stories in the VA Approved Tool which shall be mapped to the existing requirements affected.Creation of a ranked Product Backlog Report sorted by the priority assigned by VA.Update the ATO documentation in accordance with PWS Paragraph 5.3.3 ensuring continuous compliance with VA regulations. Deliverables:A. Ranked Product Backlog ReportHELP DESK SUPPORTThe Contractor shall deliver the full array of services, staff, and expertise to operate the Help Desk. The Contractor shall provide Tier 2 and Tier 3 support:Help Desk Coordination for interface with the Tier 1 and partner system help desks, enforcing required information on tickets, managing intake, enforcing escalation procedures, and the creation and delivery of Tier 1 training for upcoming releases and other special cases.CEM system Tier 2 and Tier 3 Help Desk Communications, to manage tickets throughout the defined lifecycle, update ticket status, document the content and metadata of all communications around a ticket ensuring that tickets are managed in status updates and responses in the timeframes, and correctly entering ticket data to include required ticket fields.The Contractor help desk support shall consist of the following:Telephonic toll-free help desk support staffed from 8:00 AM to 9:00 PM Eastern time Monday through Friday, excluding Federal holidays. Help Desk response times:Average time for First Contact per ticket less than 12 hours. Average queue time per ticket less than 24 hours. Average time to close tickets less than 48 hours.MAINTENANCE UPGRADESFor the CEM solution, the Contractor shall provide all commercially available maintenance upgrades. However, VA reserves the right whether or not to accept a maintenance upgrade for the proposed CEM system. The Contractor shall notify VA of all upcoming maintenance upgrades within 30 (thirty) calendar days of proposed implementation. Additionally, the Contractor shall document the functionality and compatibility changes from current production system. HOSTING SUPPORTThe Contractor shall provide continued hosting support for all non-production and production hosted environments. The Contractor shall:Support the activities related to acquiring the Authority to Operate (ATO) for production environments within the VA network. Ensure all documentation is current in the VA’s Governance, Risk and Compliance (GRC) tool, currently RiskVision.Assist in the development of Enterprise Architecture (EA) checklists to support Operational Readiness Testing.?? Update all technical artifacts to reflect current maintenance procedures related to servers and product support.?? HOSTED ENVIRONMENT HELP DESK SUPPORTThe Contractor shall provide Tier 3 Help Desk support meeting the requirements listed below for all the CEM Environments exercised above. Tier 3 support is defined as expert level troubleshooting and analysis methods. The Tier 3 Help Desk shall include: Providing help to authorized users.Authenticating a User through questions/challenges in the user profile before giving access; providing information; or making changes to the system.Maintaining a ticket tracking system.Managing and tracking all environment outages.Managing Help Desk request fulfillment, access management, and planned and preventive maintenance.Providing input and technical support to VA help/service desks on all layers until resolution.Providing problem management tracking for three severity (SEV) levels of problem requests and timely resolutions for infrastructure problems in accordance with the SLA:A SEV 1 Incident shall be defined as system down or capacity diminished by greater that 10%. The definition of system down or capacity diminished by greater that 10% shall be defined by VAA SEV 2 Incident shall be defined as system down or capacity diminished by less than 10% or change order not requiring additional resources. The definition of system down or capacity diminished by less than 10% shall be defined by VAA SEV 3 Incident shall be defined as routine maintenance or schedulable activityNotifying the VA Project Manager (PM) of scheduled maintenance windows per the SLA.Coordinating with VA for network outage, reconfiguration, and network troubleshooting issues.The Contractor shall provide a detailed helpdesk support plan that includes metrics of tracking issues for severity levels 1-3, and standard operating procedures for the support provided in 5.7.5.1 (a-g) Deliverables:A.Help Desk Support PlanBACKUP AND RESTOREThe Contractor shall:Work with the VA team to make any networking changes required to bring the CEM applications up and make them operable and accessible to the users.Ensure VA has access to and can recall the archived data to any of the VA data centers upon request. Develop and implement a Backup and Restore Plan for the computing environment using industry best practices. At a minimum, the Plan shall include the requirement to save data for the backup and recovery of information stored on the cloud storage infrastructure to meeting related SLAs and the retention of records as required by VA Handbook 6300.1 (“Records Management Procedures”) and Department of Veterans Affairs (VA) Directive 6300, (“Records and Information Management”)Ensure VA has access to the VA accessible disk space backup media.Deliverables:A.Initial and Updated Backup and Restore PlanHOSTED ENVIRONMENTS ISSUE-RELATED TECHNICAL SUPPORTThe Contractor shall provide technical support during the operating hours defined in Section 5.7.3 to assist VA with issues pertaining to the Hosted Environments. Response times begin when monitoring alerts are discovered and validated or when the Contractor receives a support request from VA. The Contractor shall respond to validated monitoring alerts and support requests according to the following Severity Levels:Severity Level A – Critical impact. Only applies to Production systems. Production stops due to product or major feature failure or data corruption. Issue may be:a complete or substantial loss of service when using a Production System, orreal or perceived data loss or data corruption making an essential part of the Production System unusable, orthe inability to use a mission critical application within a Production System.The Contractor shall respond to all Severity Level A problems within fifteen (15) minutes of event identification. Severity Level A incidents must be elevated to the VA PM and COR. Support requests for Severity Level A problems must be received by phone, from COR-designated personnel.Severity Level B – Major impact. A business impacting function or service is not available. Only applies to Production systems. Major feature/product failure; inconvenient workaround or no workaround exists. Issue may be:the functionality of the software is adversely affected, but can be circumvented, orcertain functions within the software are disabled, but the Software remains operable, ora complete or substantial loss of service when using a Non-Production System.The Contractor shall respond to all Severity Level B problems within thirty (30) minutes of event identification. Severity Level B incidents must be elevated to the VA PM and COR. Support requests for Severity Level B problems must be received by phone, from COR-designated personnel.Severity Level C – Minor impact. VA’s environment is not seriously affected. Minor feature/product failure, convenient workaround exists. Issue may be:partial non-critical functionality loss and the Issue has no significant effect on the usability of the software, or time-sensitive issue important to long-term productivity that is not causing an immediate work stoppage.The Contractor shall respond to all Severity Level C problems within twenty-four (24) hours.Severity Level D – No impact. Response times may vary for Severity Level D support depending on the project work associated with the request.Resolution time for Severity Level A, B, C and D depends on the issues. The Recovery Point Objective (RPO) and Recover Time Objective (RTO) defined in section 5.7.5.5 Service Level Agreement (SLA) will apply. For the RPO, the Contractor shall ensure that no more than fifteen minutes of data is lost. For the RTO, the Contractor shall have the Disaster Recovery site databases and applications operational within 8 hours.The Contractor shall provide detail on all monitoring alerts and support requests as part of the Incident Report outlined in Section 5.7.5.3 within period of time after incident occurrence as defined in section 5.7.5.5 Service Level Agreement (SLA). The report format will be provided by VA.SECURITY AND MONITORINGThe Contractor shall provide continuous monitoring of all critical hosting resources including the computing environments, detailed in Paragraph 5.3.1 and 5.7.1. The Contractor shall generate a Continuous Monitoring and Operations Support Concept of Operations (CONOPS) to outline its processes, procedures and tools used for monitoring and operations support. The Contractor shall monitor all such resources through automated tools to ensure availability and to guarantee that all systems are operating within the expected parameters as defined by the SLA (detailed in Section 5.7.5.5). In the event of a service disruption, the Contractor shall notify the COR within fifteen (15) minutes of detecting the event. Tools employed in the monitoring of resources should have no less than five (5) minute resolution to ensure there is minimal time between event occurrence and detection. Such notifications shall be disseminated according to the severity and impact according to the Event Escalation Plan, provided as GFI in PWS Paragraph 4.5.If an event (System Outage) occurs that impacts the availability of the environment, the Contractor shall provide an Event Update Report every hour until the issue is resolved. After the event, the Contractor shall provide an After-Action Report (AAR) with a detailed summary of the identified problem, chronology of events, impact analysis, remediation actions, total elapsed time, and lessons learned within three (3) business days after the conclusion of the event. The downtime and the impact to the SLA shall be included in the report. Within three (3) business days of resolution, the Contractor shall provide an initial Root Cause Analysis (RCA) outage report IAW Section 5.7.5.5. A final version shall be supplied within (5) business days of receiving Government’s feedback.The Contractor shall be responsible for the execution and reporting of routine environmental health checks and monitoring of the environment to ensure performance requirements and SLAs are met. SLAs to be captured are referenced in Section 5.7.5.5 of this document. Status of conformance to SLAs shall be reported and delivered as part of the Weekly Onboarding Report.Within fifteen (15) business days of award, the Contractor shall update the Security CONOPS to outline its procedures, schedule, and method/type of data/log capture for monitoring by the contractor’s Intrusion Detection Systems (IDS). The Security CONOPS and supporting tools shall be updated monthly to capture new security alerts, configuration changes to support security concerns, and applicable reports to allow for trending related to security events.The Contractor personnel shall be trained and experienced in evidence collection and maintenance procedures that may be required to support forensic analysis in the case of an emergency incident.The Contractor shall capture, FIPS 140-2 encrypt and maintain a Read Only log event information of system and network logs. Access to this data shall be strictly limited and tracked in accordance with a VA-approved access control list. The Contractor shall send output logs of log analysis tools to the VA PM for category 1-3 security events, which shall be subject to inspection. IDS systems shall be configured in accordance with (IAW) NIST Special Publication 800-94; Section 3.2.2 that provides details relating to log configuration. The mechanism for log transference shall be FIPS 140-2 encrypted e-mail, when possible; for instances where encrypted e-mail is not possible, password-protected FIPS 140-2 encrypted .zip files shall be utilized. The Contractor shall retain log output for a minimum period of one (1) year in accordance with VA policy.The Contractor shall be responsible for providing Intrusion Detection Services and Active Monitoring on a 24x7 basis at the active contractor hosting facility. The Contractor shall detect, identify, react to and report security events on all supported VA environments on behalf of VA. The Contractor shall be responsible for reporting incidents within five (5) minutes of event detection to the VA Security Operations Center (1-855-673-4357 (Option 6); General NSOC: Option 6 then Option 4; or email: VANSOC@). Security events include, but not limited to, network intrusions, scans, denial of service attacks, worms and unauthorized access to Contractor-managed devices.The Contractor shall manage incident response and mitigation. The Contractor shall use US CERT or similar to monitor current security threats to protect the integrity of the federal cloud environment and private cloud environment and any data contained in the systems. The Contractor shall actively investigate any attempted or successful intrusion and take steps to halt the attack and isolate the affected systems. Efforts shall be taken to preserve evidence so forensic analysis can be attempted. The Contractor shall conduct a post-incident briefing with the VA PM to assess the response to the incident and provide a written Incident Report within three (3) business days of the event occurrence outlining how the attack occurred and if it succeeded, what data was accessed, what resolution steps have been exercised, and how future attacks could be mitigated. The Contractor shall make appropriate adjustments to Contractor IDS policies, procedures, and thresholds as identified during the post-incident briefing.Deliverables:Event Update ReportAfter Action ReportConcept of Operations PlanSecurity CONOPSSecurity Logs (encrypted)Incident ReportSERVICE LEVEL AGREEMENT (SLA) REQUIREMENTSThe Contractor shall:Ensure services conform to the following SLA parameters effective upon activation of the Hosted Environments and Services: Provide the computing environments 24 hours a day/7 days a week/365 days per year and a recovery time of four (4) business hours. The Contractor shall begin operational checks of the systems to ensure full functionality beginning an hour prior to normal business hours (which are 7:00 AM EST to 6:00 PM EST) and notify the VA of any failures. Calculate the Service’s Unavailability for the CEM environments “Service Unavailability” for each calendar month and include the results in the T4NG Contractor Progress Status and Management Report (CPSMR). “Service Unavailability” consists of the number of hours that the systems were not available during the operational hours defined above.Conduct Root Cause analyses and provide findings to the VA PM within three (3) business days of detection if Service Availability levels have fallen below the levels specified in this section. Provide the VA PM with a Service Interruption Resolution Schedule to resolve the issues within two (2) business days of completion of the Root Cause Analyses.The CEM Program specifies the following performance metrics related to technical support services sought in this PWS.The Contractor shall monitor performance against the established performance objectives that qualitatively summarize the deliverables and/or criteria established in this PWS. The Contractor shall outline and describe in the approved CPMP its process and methodology for quantifying and presenting its performance assessment comparison to performance objectives. The Contractor shall report any deviations in the CPSMR. Table SEQ Table \* ARABIC 6: Service Level Agreement (SLA) RequirementsSLA IDSLA Metric NameRequired ServiceDesired OutcomesPerformance Measure Definition / StandardMinimum Acceptable Performance Level (MAPL)Evaluation FrequencySurveillance Method?1Uptime MetricUptimeEnsure availability of cloud hosted environmentsThe Contractor shall provide consistent availability (e.g. uptime) of cloud hosted environments. The unscheduled downtime of any Contractor supplied and managed service or component will count against availability. Service Availability is defined as all services and applications in the VA private cloud environments are available, whether it is during abnormal system operation or software upgrade regardless of hardware, software or user fault.Uptime Requirement is 99.5%Monthly100% Inspection of Performance Metrics ?2Maintenance WindowScheduled Maintenance WindowThe Contractor's notification of scheduled maintenance to the governmentThe contractor shall notify the COR 48 hours prior to performance of any scheduled maintenance. Calculation of Service Unavailability shall not include any time the Service is unavailable due to scheduled maintenance. Contractor shall notify the government at least 48 hours prior to scheduled maintenance.? Maintenance window shall not exceed the 4-hour period between Midnight and 4 am EST and is not to exceed once per week. If the maintenance conflicts with other program requirements the work will be scheduled at the next agreed upon date.Report for each eventPeriodic Inspection of Maintenance Window Notifications.??4RPO Availability, Backup, Recovery and MonitoringProvide a secure backup, recovery and network solution to facilitate the RPO at CEM SITES.Recovery Point Objective (RPO) For the RPO, the Contractor shall ensure that no more than fifteen minutes of data is lost. MonthlyMonthly Backup and Recovery logs\Backup Performance Metrics ?6Secure Connection AvailabilityInfrastructure Network Availability and MonitoringThe Contractor shall provide and monitor availability of the network connections through the VA Trusted Internet Connection? 1) Secure Site to Site network connection through TIC is defined as the encrypted link between VA's boundary controller and the Contractor's boundary controller. The Contractor is required to maintain the encrypted link on the Contractor-managed end of the connection. Ensure the Contractor-managed end of the connection is available 99.5% of the time and that the Contractor implemented security perimeter is available 100% of the time. Monthly100% Inspection of Performance Metrics ?7Support Response TimeSupport ResponseThe response time of the Contractor to government requestsResponse/Acknowledgment time begins when monitoring alerts are discovered and validated or when the Contractor receives a support request from VA. Severity Level A - Critical Impact notification received from VA by phone Severity Level B - Major Impact notification received from VA by phone Severity Level C - Minor Impact notification varies - either by phone, e-mail or ticket submissionSeverity Level D - No Impact notification varies depending on the project work associated with the requestSupport Response Times:Severity Level A - Critical Impact: within 15 minutesSeverity Level B - Major Impact: within 30 minutesSeverity Level C - Minor Impact: within 24 hoursSeverity Level D - No Impact: varies depending on the project work associated with the requestMonthlyPeriodic Inspection of Help Desk Ticket resolution times for Restorations?8Incident ReportingIncident Reporting for Disaster Recovery and Continuous MonitoringContractor incident reporting to VA that provides VA with visibility into the monitoring and operational status of resourcesIn the event of a service disruption, the Contract shall provide Event Update Reports, After Action Reports and Root Cause Analysis Reports in the Contractor’s report formats.After Action Report (AAR) within 10 work days of report in Contractor formatEvent Update Reports within 3 work days of event in Contractor formatRoot Cause Analysis (RCA) Reports within 20 work days, unless approved otherwise by VA, in Contractor formatMonthlyPeriodic Inspection of Service Disruptions in the Monthly Help Desk Usage reports compared to submission times of AAR and RCA reports.?9Intrusion Detection System (IDS)/Intrusion Protection System (IPS) MetricSecurity BreachesIncident response and mitigations to protect the integrity of the CEM environment and any data contained in the systems.Detect, identify, react to and report security breaches on all supported VA environments.24x7x365 Initial Report within 5 minutes of a breach Incident Report within 3 business days As event occurs/Monthly100% reporting of any Security Breach?10Tier 3 SupportHelp DeskThe Contractor will have the ability to provide expert level troubleshooting and analysis to assist users with the research and solution development for new or unknown issues.The Contractor shall provide Tier 3 support using the Contractor’s existing help desk capabilityDedicated Tier 3 support as required by events/issuesAs events occurPeriodic Inspection of Help Desk Ticket resolution times for Problems.Periodic Inspection of Customer Satisfaction survey dataMonthly Performance Reports?12Help Desk Ticketing, Incident and Outage ReportingHelp Desk ReportingThe Contractor will provide ticketing related data to the GovernmentThe Contractor shall provide monthly ticketing data reports in the Contractor format.Incident and outage reporting will be provided via the DashboardProvide ticketing related dataTicketing reports – monthlyIncident and outage reporting – as event occursPeriodic Inspection of Help Desk Ticket resolution times for Problems.Periodic inspection of Ticketing, incident and outage reporting for problems.Monthly Performance Reports?13Availability of Network MonitoringContinuous Monitoring The availability of continuous monitoring data to be integrated with end-to-end performance monitoring data that will provide a complete view of the health of application business services. Data must be continuously available in real-time to Government IT Security monitoring tools; e.g. Security Information and Event Monitoring (SIEM) and Tenable Security Center. 99.5% Availability of SNMP (Simple Network Management Protocol) polling occurring at a minimum of 5-minute intervals. Application monitoring metrics should be displayed in 15-second intervals with numerous samples in a 15-sec period. Monthly100% Inspection of VA Monitoring Tools?Deliverables:A.Notification of scheduled maintenanceB.Root Cause Analysis ReportC.Service Interruption Resolution Schedule PROVIDE DATA CALLS AND REPORTING REQUESTSThe Contractor shall:Provide Data Call Reports in response to data calls from the COR for any system or process that is involved in the delivery of Contractor services within the given timeframe provided at receipt of the request. These requests may differ in form and substance to support Government Accountability Office (GAO) audits, Inspector General (IG) audits, and Legislative and/or VA Executive Brief requests. The request for these data calls are solicited on an ad-hoc basis, which may surge to a maximum of three (3) per week and which may overlap in occurrence. Historically, there have been 10 data calls per quarter. VA will provide any specified templates for these data calls/reports.Provide support to produce the required reports at an expected level of fifteen (15)-twenty (20) calendar days per quarter during the base period. Provide support at an expected level of five (5) to ten (10) calendar days of support per quarter.Provide any requested customer-specific information that is integral to the delivery of services, including the configuration of Contractor core infrastructure and other Contractor managed resources.One example of responding to data calls and reporting requests is cooperation with the VA Office of the Inspector General (OIG) in the areas of facilities access, audits, security incident notification, and hosting location. Specifically, for any required OIG cooperation, the Contractor (and any Subcontractors) shall: Provide the Contracting Officer, designated representative of the Contracting Officer, and representatives of the agency's Office of Inspector General, full and free access to the Contractor's (and Subcontractors') facilities, installations, operations documentation, databases, and personnel used for contract hosting services. This access shall be provided to the extent required to carry out audits, inspections, investigations, or other reviews to ensure compliance with contractual requirements for IT and information security, and to safeguard against threats and hazards to the integrity, availability, and confidentiality of agency information in the possession or under the control of the Contractor (or Subcontractor) Fully cooperate with all audits, inspections, investigations, or other reviews conducted by or on behalf of the Contracting Officer or the agency Office of Inspector General as described in subparagraph (a). Full cooperation includes, but is not limited to, prompt disclosure (per agency policy) to authorized requests of data, information, and records requested in connection with any audit, inspection, investigation, or review, making employees of the Contractor available for interview by auditors, inspectors, and investigators upon request, and providing prompt access (per agency policy) to Contractor facilities, systems, data and personnel to the extent the auditors, inspectors, and investigators reasonably believe necessary to complete the audit, inspection, investigation, or other review. The Contractor's (and any Subcontractors') cooperation with audits, inspections, investigations, and reviews conducted will be provided at no additional cost to the Government Preserve such data, records, logs and other evidence which are reasonably necessary to conduct a thorough investigation of any computer security incident. A computer security incident (as defined in NIST SP 800-61, Computer Security Incident Handling Guide), including but not limited to those constituting an actual or potential threat or hazard to the integrity, availability, or confidentiality of agency information in the possession or under the control of the Contractor (or Subcontractor), or to the function of information systems operated by the Contractor (or Subcontractor) in the performance of this Order. Promptly notify the designated agency representative in the event of any computer security incident as described in paragraph (c) above. This notification requirement is in addition to any other notification requirements which may be required by law or this Order. Established Federal agency timeframes for reporting security incidents to the United States Computer Emergency Readiness Team (US-CERT), although not exhaustive, serve as a useful guideline for determining whether reports under this paragraph are made promptly. (See NIST SP 800-61, Computer Security Incident Handling Guide, Appendix J) Provide to the requestor (Contracting Officer, a representative of the Contracting Officer, or the agency Office of Inspector General) Government data, information, or records under the control of or in the possession of the Contractor pursuant to this contract, which the Agency, including the Office of Inspector General, may request in furtherance of other audits, inspections, investigations, reviews or litigation in which the Agency or the Office of Inspector General is involved. Requests for production under this paragraph shall specify a deadline not less than 10 days for compliance which will determine whether response to the request has been made in a timely manner. Unless expressly provided otherwise elsewhere in this Order, the production of data, information, or records under this paragraph will be at no additional cost to the Government Include the substance of this paragraph, including this paragraph (f) in any subcontract which would require or otherwise result in Subcontractor employees having access to agency information in the possession or under the control of the Contractor (or Subcontractor), or access to information systems operated by the Contractor (or Subcontractor) in the performance of this Order Ensure that all hosting services pertaining to this Order are performed within the United States of America, including the storage of agency data, information, and records under the control of or in the possession of the Contractor pursuant to this Order OPTION PERIOD 1If exercised, Option Period 1 shall consist of 5.1, Project Management, 5.4.1, System Solution Support, 5.4.2 Integration IT Services, and 5.7 Operations and Maintenance.OPTION PERIOD 2If exercised, Option Period 2 shall consist of 5.1, Project Management, 5.4.1, System Solution Support, 5.4.2 Integration IT Services, and 5.7 Operations and Maintenance. OPTION PERIOD 3If exercised, Option Period 3 shall consist of 5.1, Project Management, 5.4.1, System Solution Support, 5.4.2 Integration IT Services, and 5.7 Operations and Maintenance. OPTION PERIOD 4If exercised, Option Period 4 shall consist of 5.1, Project Management, 5.4.1, System Solution Support, 5.4.2 Integration IT Services and 5.7 Operations and Maintenance. BUSINESS CEM SERVICES (OPTIONAL TASK 1)VA may exercise this optional task for additional business centric configuration of CEM Services. This optional task may be exercised up to 150 times throughout the Period of Performance of this task order. If exercised, each business CEM configuration team shall consist of a minimum of 6 FTE and a maximum of 8 FTE resources per team.The Contractor shall execute all task activities and deliverables defined in Section 5.6 to provide the Configuration LifeCycle (CLC).An individual business CEM configuration team is comprised of the following distribution of cross functional roles that include: non-dedicated roles Project Manager and tester(s); dedicated roles quality assurance, two (2) configuration analyst(s), business analyst(s), and a Certified Scrum Master. A business CEM configuration team may have one or two Engineer as part of the team that provide engineering guidance, resolve impediments and configure the tool. Each business CEM Configuration Team shall include at least one resource with a minimum of four (4) years of expertise and experience with configuring a web-based Customer Experience tool.Each business CEM configuration team shall also include a dedicated resource that is capable of elaborating complex requirements. Business CEM configuration teams should have a minimum of one (1) person per dedicated role. In the event the Contractor shares a non-dedicated resource across multiple scrum teams.Integration IT services (OPTIONAL TASK 2)VA may exercise this optional task for technical services to include interfacing with IT systems. This optional task may be exercised up to 30 times throughout the Period of Performance of this task order. If exercised, each technical scrum team shall consist of a minimum of six (6) FTE and a maximum of eight (8) FTE resources per team.The Contractor shall execute all task activities and deliverables defined in Section 5.0 and all applicable subparagraphs to provide configuration management resources to support each release cycle, to include the entire System Development LifeCycle (SDLC).An individual VSignals Technical Scrum team is comprised of the appropriate distribution of cross functional roles that include; non-dedicated roles Project Manager, technical lead(s), integration architect, solution engineer(s), tester(s), and security analyst(s); dedicated roles quality assurance, configuration analyst(s), and a Certified Scrum Master (CSM). A Scrum Team may have one or two Technical Leads as part of the team that provide technical guidance, resolve technical impediments and configure the tool. Each Technical Scrum Team shall include at least one resource with a minimum of four (4) years of expertise and experience with implementing and configuring the web-based Customer Experience tool. Each Scrum Team shall also include a dedicated resource that can elaborate complex requirements. Each Scrum Team shall include a dedicated resource with knowledge of the complexities inherent to the VA’s architecture.Scrum teams should have a minimum of one (1) person per dedicated role. In the event the Contractor shares a non-dedicated resource across multiple scrum teams, those scrum teams shall still consist of a minimum of six (6) FTE and a maximum of eight (8) FTE.CEM CERTIFICATION TRAINING (OPTIONAL TASK 3)VA may exercise this optional task for CEM certification training for up to three (3) Government employee(s). This optional task may be exercised up to five (5) times throughout the Period of Performance of this task order. VA reserves the right to exercise this optional task on a per person-basis. The Contractor shall provide training to designated Government employee(s) towards earning certification in the CEM solution. The Contractor shall provide any required certification exams to designated Government employee(s) to earn certification. CEM certification, including training and examinations, shall not exceed two (2) weeks.TRANSITION SUPPORT AND TRANSITION OF ASSETS (OPTIONAL TASK 4)In accordance with the VIP Guide, transition of knowledge and of product to Sustainment occurs at the end of Product Warranty. The Contractor shall provide a plan for 60 days of outgoing transition support for transitioning work from the current task order to a follow-on task order or Government entity. This transition may be to a Government entity or to another Contractor or to the incumbent Contractor under a new task order. In accordance with the Government-approved plan, the Contractor shall assist the Government in implementing a complete transition from this task order to a new support provider. This shall include formal coordination with Government staff and successor staff and management. It shall also include delivery of copies of all artifacts delivered under this contract, as well as existing policies and procedures, and delivery of baseline metrics and statistics. This Transition Plan shall include, but is not limited to:Coordination with Government representatives.Review, evaluation and transition of current support services.Transition of historic data to new Contractor system.Transition of Rational accounts.Transfer of all necessary business and/or technical documentationOrientation phase and program to introduce Government and Contractor personnel, programs, and users to the Contractor's team, tools, methodologies, and business processes.Disposition of Contractor purchased Government owned assets, Transfer of Government Furnished Equipment (GFE) and Government Furnished Information, and GFE inventory management assistance.Turn-in of all Government keys, ID/access cards, and security codes.The finalized asset list shall be delivered as a Certificate of Transition Completion for all Assets, which will be signed by the Development PM and the Receiving Organization to indicate acceptance.Deliverable: A. Transition PlanGENERAL REQUIREMENTSPERFORMANCE METRICSThe table below defines the Performance Standards and Acceptable Levels of Performance associated with this effort.Performance ObjectivePerformance StandardAcceptable Levels of PerformanceTechnical / Quality of Product or ServiceShows understanding of requirementsEfficient and effective in meeting requirements Meets technical needs and mission requirementsProvides quality services/productsSatisfactory or higherProject Milestones and ScheduleQuick response capabilityProducts completed, reviewed, delivered in accordance with the established scheduleNotifies customer in advance of potential problemsSatisfactory or higherCost & StaffingCurrency of expertise and staffing levels appropriatePersonnel possess necessary knowledge, skills and abilities to perform tasksSatisfactory or higherManagementIntegration and coordination of all activities to execute effortSatisfactory or higherThe COR will utilize a Quality Assurance Surveillance Plan (QASP) throughout the life of the TO to ensure that the Contractor is performing the services required by this PWS in an acceptable level of performance. The Government reserves the right to alter or change the QASP at its own discretion. A Performance Based Service Assessment will be used by the COR in accordance with the QASP to assess Contractor performance. SECTION 508 – ELECTRONIC AND INFORMATION TECHNOLOGY (EIT) STANDARDS On August 7, 1998, Section 508 of the Rehabilitation Act of 1973 was amended to require that when Federal departments or agencies develop, procure, maintain, or use Electronic and Information Technology, that they shall ensure it allows Federal employees with disabilities to have access to and use of information and data that is comparable to the access to and use of information and data by other Federal employees. Section 508 required the Architectural and Transportation Barriers Compliance Board (Access Board) to publish standards setting forth a definition of electronic and information technology and the technical and functional criteria for such technology to comply with Section 508. These standards have been developed are published with an effective date of December 21, 2000. Federal departments and agencies shall develop all Electronic and Information Technology requirements to comply with the standards found in 36 CFR 1194.The following Section 508 Requirements supersede Addendum A, Section A3 from the T4NG Basic PWS.The Section 508 standards established by the Architectural and Transportation Barriers Compliance Board (Access Board) are incorporated into, and made part of all VA orders, solicitations and purchase orders developed to procure Electronic and Information Technology (EIT). These standards are found in their entirety at: . A printed copy of the standards will be supplied upon request.? The Contractor shall comply with the technical standards as marked: FORMCHECKBOX § 1194.21 Software applications and operating systems FORMCHECKBOX § 1194.22 Web-based intranet and internet information and applications FORMCHECKBOX § 1194.23 Telecommunications products FORMCHECKBOX § 1194.24 Video and multimedia products FORMCHECKBOX § 1194.25 Self-contained, closed products FORMCHECKBOX § 1194.26 Desktop and portable computers FORMCHECKBOX § 1194.31 Functional Performance Criteria FORMCHECKBOX § 1194.41 Information, Documentation, and SupportEQUIVALENT FACILITATIONAlternatively, offerors may propose products and services that provide equivalent facilitation, pursuant to Section 508, subpart A, §1194.5. Such offerors will be considered to have provided equivalent facilitation when the proposed deliverables result in substantially equivalent or greater access to and use of information for those with disabilities. COMPATIBILITY WITH ASSISTIVE TECHNOLOGYThe Section 508 standards do not require the installation of specific accessibility-related software or the attachment of an assistive technology device. Section 508 requires that the EIT be compatible with such software and devices so that EIT can be accessible to and usable by individuals using assistive technology, including but not limited to screen readers, screen magnifiers, and speech recognition software.ACCEPTANCE AND ACCEPTANCE TESTINGDeliverables resulting from this solicitation will be accepted based in part on satisfaction of the identified Section 508 standards’ requirements for accessibility and must include final test results demonstrating Section 508 compliance. Deliverables should meet applicable accessibility requirements and should not adversely affect accessibility features of existing EIT technologies. The Government reserves the right to independently test for Section 508 Compliance before delivery. The Contractor shall be able to demonstrate Section 508 Compliance upon delivery.Automated test tools and manual techniques are used in the VA Section 508 compliance assessment.Deliverable:Final Section 508 Compliance Test Results ................
................
In order to avoid copyright disputes, this page is only a partial summary.
To fulfill the demand for quickly locating and searching documents.
It is intelligent file search solution for home and business.
Related download
- macro express macros for your windows automation needs
- uday thombre
- veterans affairs
- 23 veterans resources a community for military veterans
- brc iif transaction creator pro
- loa 8 pay management interim solution technical manual
- brb arraytools user s manual
- free website builder create free websites webs
- business objects
Related searches
- department of veterans affairs resume
- veterans affairs outlook web access
- veterans affairs outlook webmail
- veterans affairs employee email access
- my pay veterans affairs employees
- department of veterans affairs fms
- veterans affairs email access
- dept veterans affairs co pay
- veterans affairs webmail access
- veterans affairs email directory
- veterans affairs intranet for employees
- veterans affairs employee directory