BACKGROUND - Veterans Affairs



DRAFT

TRANSFORMATION TWENTY-ONE TOTAL TECHNOLOGY NEXT GENERATION (T4NG)
PERFORMANCE WORK STATEMENT (PWS)
DEPARTMENT OF VETERANS AFFAIRS
Office of Information & Technology
Project Special Forces (PSF)
VA API Development and Operations

Date: June 11, 2019
TAC-19-56003
Task Order PWS Version Number: 1.0

Contents

1.0 BACKGROUND
1.1 Definitions
2.0 APPLICABLE DOCUMENTS
3.0 SCOPE OF WORK
3.1 APPLICABILITY
3.2 ORDER TYPE
4.0 PERFORMANCE DETAILS
4.1 PERFORMANCE PERIOD
4.2 PLACE OF PERFORMANCE
4.3 TRAVEL OR SPECIAL REQUIREMENTS
4.4 CONTRACT MANAGEMENT
4.5 GOVERNMENT FURNISHED PROPERTY
4.6 SECURITY AND PRIVACY
4.6.1 POSITION/TASK RISK DESIGNATION LEVEL(S)
5.0 SPECIFIC TASKS AND DELIVERABLES
5.1 PROJECT MANAGEMENT
5.1.1 CONTRACTOR PROJECT MANAGEMENT PLAN
5.1.2 REPORTING REQUIREMENTS
5.1.3 TECHNICAL KICKOFF MEETING
5.1.4 KEY PERSONNEL
5.1.5 CONTRACTOR ON-BOARDING DOCUMENTATION AND TRAINING REQUIREMENTS-PRIVACY AND HIPAA TRAINING
5.2 WORKING PRINCIPLES AND DEFINITIONS
5.2.1 WORKING PRINCIPLES
5.2.2 HUMAN CENTERED DESIGN (HCD)
5.2.3 USER RESEARCH
5.2.4 CONTENT & DESIGN
5.2.5 DEVELOPMENT AND OPERATIONS
5.2.5.1 PRODUCT PLAN AND ROADMAP
5.2.5.2 BACKLOG MANAGEMENT
5.2.5.3 SPRINT MANAGEMENT
5.2.5.4 COMMON ONGOING PRODUCT LIFECYCLE ACTIVITIES
5.2.6 OPEN SOURCE/REUSE
5.2.7 DELIVERABLE METRICS/SERVICE LEVEL AGREEMENTS
5.2.8 PRODUCT MARKETING AND OUTREACH
5.2.9 ACCESSIBILITY
5.3 VAP
5.3.1 VAP DEVELOPMENT
5.3.2 API MARKETING AND OUTREACH
5.3.3 API OPERATIONS
5.3.3.1 DELIVERABLE METRICS/SLAs
5.3.3.2 SECURITY AND COMPLIANCE
5.3.3.3 DOCUMENTATION AND STANDARDS
5.3.3.4 COST AND COMPUTE OPTIMIZATION AND REPORTING
5.4 ENHANCE API-DEPENDENT VA SOURCES AND SYSTEMS
5.4.1 SITE RELIABILITY ENGINEERING (SRE) CONSULTATION
5.4.2 INTERNAL VA TEAM AUGMENTATION
5.4.3 FULL SPRINT TEAMS
5.5 OPTIONAL TASKS
5.5.1 OPTIONAL TASK 1 - SOFTWARE LICENSE MANAGEMENT
5.5.2 OPTIONAL TASK 2 – VAP DEVELOPMENT
5.5.3 OPTIONAL TASK 3 – API MARKETING AND OUTREACH
5.5.4 OPTIONAL TASK 4 – API OPERATIONS
5.5.5 OPTIONAL TASK 5 – ENHANCE DEPENDENT VA SOURCES AND SYSTEMS
6.0 GENERAL REQUIREMENTS
6.1 PERFORMANCE METRICS
6.2 SECTION 508 – INFORMATION AND COMMUNICATION TECHNOLOGY (ICT) STANDARDS
6.2.1 COMPATIBILITY WITH ASSISTIVE TECHNOLOGY
6.2.2 ACCEPTANCE AND ACCEPTANCE TESTING
6.3 ENTERPRISE AND IT FRAMEWORK
6.4 ONE-VA TECHNICAL REFERENCE MODEL
6.5 FEDERAL IDENTITY, CREDENTIAL, AND ACCESS MANAGEMENT (FICAM)
6.6 INTERNET PROTOCOL VERSION 6 (IPV6)
6.7 TRUSTED INTERNET CONNECTION (TIC)

1.0 BACKGROUND

The mission of the Department of Veterans Affairs (VA), Office of Information & Technology (OI&T), Project Special Forces (PSF) is to provide benefits and services to Veterans of the United States. In meeting these goals, OI&T strives to provide high quality, effective, and efficient Information Technology (IT) services to those responsible for providing care to the Veterans at the point-of-care as well as throughout all the points of the Veterans’ health care in an effective, timely and compassionate manner. VA depends on Information Management/Information Technology (IM/IT) systems to meet mission goals.

VA requires Contractor support to design, develop, and maintain various aspects of the Lighthouse VA Application Programming Interface (API) Platform (VAP), including but not limited to platform design, API development and maintenance, developer documentation, and product management best practices to work with teams internal and external to VA, using modern software development methods and tools.

From shopping for car insurance, to paying bills online, to scheduling a dentist appointment, Americans expect the places where they do business to offer easy-to-use, secure digital tools. Veterans, caregivers, Servicemembers, Veterans Service Organizations (VSO), and VA’s other users are no different; they expect VA to offer a digital experience on par with the private sector companies they interact with in their day-to-day lives.

VA is taking an API-first strategy to deliver the high-quality digital experiences our users expect. A single set of APIs will power every VA digital service, and these same APIs will be exposed to approved third parties to build products and applications on top of VA services and data.
These APIs across every vertical of VA’s business will enable VA users to receive a consistent, high quality experience across all VA communication channels (e.g., digital, phone, mail, in person, etc.).

The health industry is quickly converging on the Fast Healthcare Interoperability Resources (FHIR) standard to enable enhanced data interoperability between both internal and external systems. API-enabled and FHIR-based solutions are easier for developers to implement as they make use of modern web standards and RESTful architectures with more easily understood specifications. By liberating data and enhancing interoperability with FHIR, VA will shift data ownership to Veterans, making it more readily available.

In the benefits space, VSOs and other third parties spend significant amounts of time manually looking in VA systems to check on the status of a claim for a Veteran they are working with, or to find out if a rating has been granted. If VA were instead able to provide APIs to this information, authorized individuals and organizations would be able to access it more readily, improving the experience they can provide for Veterans and reducing VA costs.

Finally, one of VA’s core competencies should be “knowing and sharing what we know” about a Veteran, including data such as service history, accurate mailing address, and disability ratings. VA should be able to share this information with Veterans and Veteran-authorized third parties. Veterans should not need to upload a Department of Defense Form 214 (DD214) to a website to prove their military service history or discharge status, which is not only difficult for some Veterans but also presents identity theft risks by needlessly sharing personally identifiable information (PII).
With APIs, VA plans to put this data back in the hands of Veterans so that they can use it more efficiently and securely, resulting in a better, more personalized digital experience for Veterans.

The primary objectives of this contract are to: (1) provide platform operational continuity and support for the existing API platform and APIs hosted on it and (2) continue the evolution and expansion of APIs provided in development and production environments as well as the underlying infrastructure and deployment pipeline. This includes all functional areas including marketing and business development, user-research, user experience design, software design and development, infrastructure, DevOps, and customer support.

In both objectives, this contract is not for creating a specific number of APIs, or APIs in a single domain, but rather for agile, cross-functional teams that can work alongside a VA product team to prioritize, build, operate, and iterate on APIs across many parts of VA. It will include creating new APIs, refactoring or re-platforming existing APIs, building on top of existing APIs, and/or working with other teams to improve their APIs and/or expose their data in a modern way. VA will be emphasizing maturation of API provider on-boarding and support to enable more valuable APIs in VA to be made available for both internal and external consumers and applications through the API platform.

As VA has many data sources and systems that provide meaningful content and capabilities for APIs, the API quality and performance is sometimes bound to these underlying data sources and services. As a result, this contract may also include consultation, design, development, and even some refactoring for these data sources and services. This may be scoped from individual subject-matter-expert site-reliability engineer consultation, to team augmentation with a small number of engineers, or all the way up to full sprint teams with product and delivery management capabilities.
The deliverables may include documentation of analysis and suggested improvements, software quality improvements and stabilization, feature enhancements, API modernization, performance optimizations, environment creation and migration, process and tool migration, and/or build/test/deployment automation.

1.1 Definitions

VA API Platform (VAP): The technical infrastructure and product development processes that support new development (from initial research phases through pre-launch checks) and maintenance to supply self-service APIs to applications and consumers internal to VA and external 3rd-party applications. This includes a self-service developer portal, API gateway, and all associated infrastructure. Technical infrastructure maintenance and development includes responsibility for the technology that supports existing APIs currently deployed as well as any future APIs provided via the platform. These tasks include, but are not limited to:
- maintaining the API gateway and associated infrastructure, traffic management, authorization and access control, monitoring, rate limiting, API version management, and all other common API features.
  This is currently implemented using Kong;
- maintaining the self-service API developer portal found at , including, but not limited to, API onboarding, support, and policy documentation;
- managing infrastructure, networking, and build/deploy processes with infrastructure as code;
- managing all Authority to Operate compliance requirements;
- maintaining Rails and Java API layers between self-service APIs and internal VA resources;
- maintaining automated testing, identity and analytics services;
- maintaining complete documentation of the VAP;
- monitoring performance for all VAP APIs, infrastructure, and internal VA data sources, APIs, and systems upon which the self-service APIs depend;
- maintaining consolidated web analytics for the documentation development portal;
- support for other teams, including:
  - For API consumers,
    - providing a full Customer Relationship Management (CRM), including, but not limited to, necessary support for development and integration questions and issues, documentation requests, and new feature requests
    - onboarding and offboarding;
  - For API providers,
    - supporting standardized checkpoints and reviews with teams to help them achieve quality standards that align with modern API design and development techniques through formal and informal API governance, including RESTful APIs with agile and DevOps focused development and deployment methodologies;
    - onboarding and offboarding;
  - For all teams,
    - providing close support during application development
    - conducting code, design, content, analytics, and accessibility reviews;
    - conducting load testing;
    - coordinating and preparing call centers for new features

VAP makes use of common, modern languages, open source packages, tools, and environments.

Other VA Product Teams: Teams that design, build, and manage VA APIs, data sources, and services independently of Contractor.
Other VA Product Teams will coordinate and schedule with Contractor to supply APIs or underlying sources and services for hosted APIs.

Contracting Officer’s Representative (COR): Responsible for coordinating with Contractor to approve end deliverables, manage the Quality Assurance Surveillance Plan (QASP), and manage schedule and price according to the PWS. Manages contract resolution for issues that arise between VA and the Contractor. Manages escalation for matters beyond the scope of the COR duties to the Contracting Officer.

2.0 APPLICABLE DOCUMENTS

The Contractor shall comply with the following documents, in addition to the documents in Paragraph 2.0 in the T4NG Basic Performance Work Statement (PWS), in the performance of this effort:
- 42 U.S.C. § 2000d “Title VI of the Civil Rights Act of 1964”
- NIST SP 800-53 Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations, January 22, 2015
- VA Memorandum “Use of Personal Email (VAIQ #7581492)”, April 24, 2015
- VA Memorandum “Updated VA Information Security Rules of Behavior (VAIQ #7823189)”, September 15, 2017
- API Best Practices
- 18F API Standards
- WH API Standards
- Building Twelve-Factor App
- Experience with incorporating and using open source technologies
- The Agile Manifesto
- The U.S. Digital Services Playbook
- The Techfar Hub

3.0 SCOPE OF WORK

VAP

The Contractor shall operate, administer, and evolve the VAP in accordance with the Working Principles and Definitions provided in Section 5.2.

The Contractor(s) shall provide VA with iterations of agile software development and DevOps CI/CD delivery.
The agile delivery iterations will include product and delivery management, systems architecture, software development, user research, user experience strategy, information architecture, interaction and visual design, static and dynamic content management, content writing, DevOps, data analytics, and platform operation and management to:
- Operate and maintain the VAP, including development, testing, and production environments in VAEC;
- Onboard and offboard API consumers both internal and external to VA;
- Onboard and offboard API providers exposing APIs on the VAP;
- When necessary, develop translation, orchestration, and/or caching software to existing internal VA data sources and services to expose self-service APIs on the VAP;
- Work with other teams providing data sources, APIs, and services upon which the VAP depends to resolve issues as they arise, independent of the Contractor;
- Evolve the VAP to support new capabilities and performance as needs arise using priorities provided by VA

DEPENDENT VA DATA SOURCES, APIS, AND SERVICES

As discussed in Section 1, VAP has dependencies on many internal VA data sources, APIs, and services to provide meaningful APIs to application developers and consumers.
As prioritized and directed by VA, the Contractor shall perform the following as necessary using the working principles described in Section 5.2:
- Provide engineers on a consultation basis to provide subject matter expertise on a site-reliability engineering basis to analyze current problems and provide potential solutions.
- Provide engineers to work with other VA teams independent of Contractor to develop, refactor, and modernize software to address functional, quality, performance, and/or DevOps needs.
- Provide full sprint teams to work with other VA teams independent of Contractor to develop, refactor, and modernize software to address functional, quality, performance, and/or DevOps needs.

Note that these efforts will be limited in scope only to work that ultimately provides key benefits and/or functionality to APIs delivered on VAP, even if indirectly.

If priorities and needs dictate that this work is not required at times, VA will redirect these resources to VAP work items as covered in Section 5.3.

3.1 APPLICABILITY

This Task Order (TO) effort PWS is within the scope of sections 4.1, 4.2, 4.3, 4.4, 4.5, and 4.9 of the T4NG Basic PWS.

3.2 ORDER TYPE

The effort shall be proposed on a Firm Fixed Price (FFP) basis with a Cost Reimbursement (CR) Contract Line Item Number (CLIN) for travel.

4.0 PERFORMANCE DETAILS

4.1 PERFORMANCE PERIOD

The PoP shall be one 12-month Base Period with 4 12-month Option Periods with Optional Tasks for additional Software License Management, VAP Development, API Marketing and Outreach, API Operations, and Enhancements to Dependent VA Sources and Systems.

4.2 PLACE OF PERFORMANCE

Efforts under this TO shall be performed at Contractor facilities. The Contractor shall identify the Contractor’s place of performance in their Task Execution Plan submission.
The Contractor is expected to attend in-person VA meetings and/or working sessions as requested by VA.

4.3 TRAVEL OR SPECIAL REQUIREMENTS

The Government anticipates travel under this effort to perform the tasks associated with the effort, as well as to attend program-related meetings or conferences throughout the PoP. Contractors may be required to perform additional site-visits (CONUS only) to government and non-government facilities to conduct user research or stakeholder engagement.

Travel shall be considered a separate CLIN and will be invoiced on a cost reimbursable basis. All travel must be in accordance with the Federal Travel Regulations (FTR) and requires advanced approval by the COR. Contractor travel within the local commuting area will not be reimbursed.

4.4 CONTRACT MANAGEMENT

All requirements of Sections 7.0 and 8.0 of the T4NG Basic PWS apply to this effort. This TO shall be addressed in the Contractor’s Progress, Status and Management Report as set forth in the T4NG Basic

4.5 GOVERNMENT FURNISHED PROPERTY

The Government has multiple remote access solutions available to include Citrix Access Gateway (CAG), Site-to-Site Virtual Private Network (VPN), and RESCUE VPN.

The Government’s issuance of Government Furnished Equipment (GFE) is limited to Contractor personnel requiring direct access to the network to: development environments; install, configure and run Technical Reference Model (TRM) approved software and tools (e.g., Oracle, Fortify, Eclipse, SoapUI, WebLogic, LoadRunner); upload/download/manipulate code, run scripts, and apply patches; configure and change system settings; check logs, troubleshoot/debug, and test/QA.

When necessary, the Government will furnish desktops or laptops, for use by the Contractor to access VA networks, systems, or applications to meet the requirements of this PWS. The overarching goal is to determine the most cost-effective approach to providing needed access to the VA environment coupled with the need to ensure proper Change
Management principles are followed. Contractor personnel shall adhere to all VA system access requirements for on-site and remote users in accordance with VA standards, local security regulations, policies and rules of behavior. GFE shall be approved by the COR and Program Manager on a case-by-case basis prior to issuance.

Based upon the Government assessment of remote access solutions and requirements of this TO, the Government estimates that the following GFE will be required by this TO:
- 50 laptops

The Government will not provide IT accessories including but not limited to Mobile Wi-Fi hotspots/wireless access points, additional or specialized keyboards or mice, laptop bags, extra charging cables, extra Personal Identity Verification card readers, peripheral devices, or additional Random-Access Memory (RAM). The Contractor is responsible for providing these types of IT accessories in support of the TO as necessary and any VA installation required for these IT accessories shall be coordinated with the COR.

The Status of Government Furnished Equipment Report under the T4NG Basic Contract requirements is applicable to this TO and shall be delivered to the COR/VA PM as required.

4.6 SECURITY AND PRIVACY

All requirements in Section 6.0 of the T4NG Basic PWS apply to this effort. Specific TO requirements relating to Addendum B, Section B4.0 paragraphs j and k supersede the corresponding T4NG Basic PWS paragraphs, and are as follows:

The vendor shall notify VA within 24 hours of the discovery or disclosure of successful exploits of the vulnerability which can compromise the security of the Systems (including the confidentiality or integrity of its data and operations, or the availability of the system). Such issues shall be remediated as quickly as is practical, based upon the severity of the incident.
When the Security Fixes involve installing third party patches (such as Microsoft OS patches or Adobe Acrobat), the vendor will provide written notice to VA that the patch has been validated as not affecting the Systems within 10 working days. When the vendor is responsible for operations or maintenance of the Systems, they shall apply the Security Fixes based upon the requirements identified within the TO.

All requirements in Section 6.0 of the T4NG Basic PWS apply. Addendum B requirements have been tailored to reflect the security and privacy requirements of this specific TO. It has been determined that protected health information may be disclosed or accessed and a signed Business Associate Agreement (BAA) shall be required. The Contractor shall adhere to the requirements set forth within the BAA, referenced in Section D of the Request for Task Execution Plan (RTEP) and shall comply with VA Directive 6066.

4.6.1 POSITION/TASK RISK DESIGNATION LEVEL(S)

In accordance with VA Handbook 0710, Personnel Security and Suitability Program, the position sensitivity and the level of background investigation commensurate with the required level of access for the following tasks within the PWS are:

Position Sensitivity and Background Investigation Requirements by Task

Task Number | Tier 1 / Low Risk | Tier 2 / Moderate Risk | Tier 4 / High Risk
5.1 | [checkbox] | [checkbox] | [checkbox]
5.2 | [checkbox] | [checkbox] | [checkbox]
5.3 | [checkbox] | [checkbox] | [checkbox]
5.4 | [checkbox] | [checkbox] | [checkbox]
5.5 | [checkbox] | [checkbox] | [checkbox]

The Tasks identified above, and the resulting Position Sensitivity and Background Investigation requirements identify, in effect, the Background Investigation requirements for Contractor individuals, based upon the tasks the particular Contractor individual will be working.
The submitted Contractor Staff Roster must indicate the required Background Investigation Level for each Contractor individual based upon the tasks the Contractor individual will be working, in accordance with their submitted proposal.

5.0 SPECIFIC TASKS AND DELIVERABLES

The Contractor shall maintain the VAP by iteratively designing and building tools and features for the platform and launching them daily in accordance with the Working Principles and Definitions provided in Section 5.2.

5.1 PROJECT MANAGEMENT

5.1.1 CONTRACTOR PROJECT MANAGEMENT PLAN

The Contractor shall deliver a Contractor Project Management Plan (CPMP) that lays out the Contractor’s approach, timeline and tools to be used in execution of this TO effort. The CPMP should take the form of both a narrative and graphic format that displays the schedule, milestones, risks and resource support. The CPMP shall also include how the Contractor shall coordinate and execute planned, routine, and ad hoc data collection reporting requests as identified within the PWS. The initial baseline CPMP shall be concurred upon and updated in accordance with Section B of the TO. The Contractor shall update and maintain the VA Program Manager (PM) approved CPMP throughout the PoP.

Deliverable:
- Contractor Project Management Plan

5.1.2 REPORTING REQUIREMENTS

The Contractor shall deliver Monthly Status Reports. These reports shall provide accurate, timely, and complete project information supporting reporting requirements.
The Monthly Status Report shall include the following data elements and reporting capability shall address the below requirements:
- Project Name
- Overview and description of the contract
- Overall high-level assessment of contract progress
- All work in-progress and completed during the reporting period
- Identification of any contract related issues uncovered during the reporting period and especially highlight those areas with a high probability of impacting schedule, cost or performance goals and their likely impact on schedule, cost, or performance goals
- Explanations for any unresolved issues, including possible solutions and any actions required of the Government and/or Contractor to resolve or mitigate any identified issue, including a plan and timeframe for resolution
- Status on previously identified issues, actions taken to mitigate the situation and/or progress made in rectifying the situation.
- Work planned for the subsequent two reporting periods, when applicable
- Provide expenditures based upon your proposed spend plan.
- Workforce staffing data showing all Contractor personnel performing on the effort by task during the current reporting period along with status of their background investigation/VA clearance and biographies. After the initial labor baseline is provided, each Monthly Status Report shall identify any changes in staffing identifying each person who was added to the contract or removed from the contract.
- Original schedule of deliverables at the start of each sprint and the corresponding deliverables made during the current reporting period.
- Cost analysis that includes consumption of cloud resources by API.
- Software licenses at or nearing end of life and software security certificates nearing expiration.

The Contractor shall communicate with VA so that issues that arise are transparent to both parties to prevent escalation of outstanding issues.

The Contractor shall provide the COR with Monthly Progress Reports in electronic format.
These reports shall reflect data as of the last day of the preceding month.

To ensure optimal and efficient usage of cloud resources, the Contractor shall provide a written utilization report in electronic form detailing absolute VPC, network, and storage resources as well as differences from the previous month.

Deliverable:
- Monthly Progress Report
- Monthly Utilization Reports

5.1.3 TECHNICAL KICKOFF MEETING

A technical kickoff meeting shall be held within 10 days after TO award. The Contractor shall coordinate the date, time, and location (can be virtual) with the Contracting Officer (CO), as the Post-Award Conference Chairperson, the VA PM, as the Co-Chairperson, the Contract Specialist (CS), and the COR. The Contractor shall provide a draft agenda to the CO and VA PM at least five (5) calendar days prior to the meeting. Upon Government approval of a final agenda, the Contractor shall distribute to all meeting attendees. During the kickoff-meeting, the Contractor shall present, for review and approval by the Government, the details of the intended approach, work plan, and project schedule for each effort via a Microsoft Office PowerPoint presentation. At the conclusion of the meeting, the Contractor shall update the presentation with a final slide entitled “Summary Report” which shall include notes on any major issues, agreements, or disagreements discussed during the kickoff meeting and the following statement: “As the Post-Award Conference Chairperson, I have reviewed the entirety of this presentation and assert that it is an accurate representation and summary of the discussions held during the Technical Kickoff Meeting for the <insert title of effort>.” The Contractor shall submit the final updated presentation to the CO for review and signature within three (3) calendar days after the meeting.
The Contractor shall also work with the CS, the Government’s designated note taker, to prepare and distribute the meeting minutes of the kickoff meeting to the CO, COR and all attendees within three (3) calendar days after the meeting. The Contractor shall obtain concurrence from the CS on the content of the meeting minutes prior to distribution of the document.

5.1.4 KEY PERSONNEL

Specific expertise and experience in product management, engineering, and operating highly available products are essential for accomplishing the tasks outlined in this PWS.

Key Roles:
- Product Manager:
  - Experience managing entire agile software development lifecycle for a project of at least one million dollars up to and including production delivery and some phase of post-delivery support
  - Experience as a product manager accountable for delivery with at least 10 software professionals with a duration of greater than one year
  - Demonstrated success with delivering digital products
- Chief Engineer:
  - Background as a Software Engineer for at least five years, including experience as a Software Engineer for at least one project in one of the VAEC’s CSP Vendors Clouds
  - Chief Architect or Senior Engineer on a production system in one of the VAEC CSP Vendors Clouds
  - Demonstrated knowledge and use of modern software development and Dev/Ops tools, including GitHub
- Chief Operations Manager:
  - Background as a Software Engineer, Site Reliability Engineer, or DevOps Engineer for at least three years
  - Experience running a 24x7 Software based System for at least 6 months
  - Experience with oversight of an operations team of at least 5 people for at least one year
  - Experience in Incident Management for a software-based system.
  - Experience with oversight of a team running a trouble ticket system.
  - Demonstrated success using modern DevOps methods and tools including automated testing tools and monitoring tools.
  - Demonstrated ability to drive frequent release cycles (daily / weekly)

Any personnel the Contractor offers as substitutes shall have the
ability and qualifications equal to or better than the key personnel which are being replaced. If any change to a key personnel position becomes necessary, the Contractor shall immediately notify the VA PM and COR in writing, but whenever possible Contractor shall notify the VA PM of substitutions in personnel in writing 30 calendar days prior to making any change in key personnel, and provide a detailed explanation of the circumstances necessitating the proposed substitution and shall demonstrate that the proposed replacement personnel are of at least substantially equal ability and qualifications as the individual originally proposed for that position.

The Contractor agrees that it has a contractual obligation to mitigate the consequences of the loss of Key Personnel and shall promptly secure any necessary replacements in accordance with (IAW) this PWS section. Failure to replace a Key Person pursuant to this clause and without a break in performance of the labor category at issue shall be considered a condition endangering contract performance and may provide grounds for termination for cause.

5.1.5 CONTRACTOR ON-BOARDING DOCUMENTATION AND TRAINING REQUIREMENTS-PRIVACY AND HIPAA TRAINING

The Contractor shall submit all on-boarding paperwork and documentation as required by all applicable VA onboarding requirements, including but not limited to VA Directive 0710, as well as documentation specifically requested by the COR, to ensure the timely on-boarding of contractor staff.
Additionally, the Contractor shall submit all required TMS training certificates of completion for VA Privacy and Information Security Awareness and Rules of Behavior and Health Insurance Portability and Accountability Act (HIPAA) training and provide signed copies of the Contractor Rules of Behavior in accordance with Section TBD, Training, from Appendix C of the VA Handbook 6500.6, “Contract Security”.

Deliverables:
- TMS Training Certificates of Completion for VA Privacy and Information Security Awareness Training
- VA Privacy and Information Security Awareness Signed Rules of Behavior
- VA HIPAA Certificate of Completion

5.2 WORKING PRINCIPLES AND DEFINITIONS

5.2.1 WORKING PRINCIPLES

The Contractor shall follow the working principles of the “Digital Services Playbook” to iteratively design and build tools and features for the platform and launch daily. The Contractor shall:
- Follow the practices described in the “Digital Services Playbook”. The Contractor shall be familiar with the concepts in each play and implement them in their solutions and support.
- Incorporate Agile methodology into all work.
- Work iteratively by employing commonly used iterative ceremonies such as (but not limited to) sprint planning, daily scrum, sprint review, sprint retrospective, backlog grooming, and estimating.
- Incorporate user research and usability testing best practices into all solutions.
- Actively involve users in the design, building, and testing of all solutions.
- Whenever possible, personalize solutions for the individual using the service.
- Leverage existing VA identity and authentication systems when appropriate and in line with VA’s overall authentication strategy.
- Optimize products for mobile-first operation, with all solutions being equally usable on mobile and desktop.
- Protect user information with best-in-class security, given the constraints of the environment.
- Prioritize security over compliance.
- Incorporate robust accessibility principles into design, development and testing for all products to deliver high-quality digital experiences to users of assistive devices.
- Design, develop, configure, customize, deploy, and operate these solutions.
- Continuously integrate, test, and deploy code across all environments.
- Automate all unit, integration, functional, and load tests.
- Achieve 100% test coverage of all functionality delivered.
- Utilize test driven development methodologies where appropriate.
- Ensure configuration and sensitive data, including data the VA defines as sensitive, are not present in source code, and are stored in encrypted credential management systems.
- Deliver all code as Open Source Software pursuant to OMB Guidance M-16-21.
- Cultivate positive, trusting, and cooperative working relationships with the Government and all other vendors supporting this work.

HUMAN CENTERED DESIGN (HCD)

While engaging in the following activities, the Contractor shall:
- follow the United States Digital Service value: “Design with users, not for them.”;
- provide expert guidance on user experience (UX) design direction and strategy;
- incorporate UX guidance for building APIs where industry standards do not exist, and
- create and maintain documentation for all activities, recommendations, and decisions.

At the start of work on a new or existing product, conduct a product kick-off meeting with government Product Owner and designated stakeholders.

USER RESEARCH

Facilitate discovery activities, to include generative research with users and business stakeholders, an assessment of current related features, a content review, an information architecture review, an accessibility review, a business process review; and collection of any available data and analytics.
The following Checklist provides additional details on these requirements:
- Partner with other VA Product Teams building a new tool or service to ensure that the new tool or service fits into the existing structure.
- Conduct formative and contextual user research to understand users’ goals, needs, journeys, and pain points with respect to the VAP.
- Apply insights from user research to define minimum viable product (MVP) functionality, including MVP and product increment (PI) epics and user stories, as well as operational, business, functional, technical, data, and integration requirements.
- Conduct routine, iterative usability testing on VAP, continually improve the user experience and inform content, information architecture, design, functionality, and accessibility.
- Iteratively apply insights gathered to inform design and development.
- Before releasing to production and when relevant, conduct user acceptance testing on new features, content reviews of existing VAP content, IA reviews for global navigation and SEO, and design reviews of existing patterns and UI elements to identify and make modifications to accommodate the new VAP, while maintaining a positive user experience.

The Contractor shall create a User Experience Research Plan and Summary for each study, which shall include a research write-up documenting research questions, hypotheses, methodology, recruiting needs, synthesis, and next steps.

CONTENT & DESIGN

- Employ design process management by breaking designs into small, bite-sized implementations and collecting data from each deployment to inform priorities and decisions in the next iteration.
- Write and edit plain language content for VAP Development Teams per the VA Style Guide.
- Ensure consistency and continuity in VAP information architecture, including URL schema, page layout, menus and navigation, user flows, and search engine optimization.
- Work with all VA Product Teams to incorporate new VAP, both authenticated and unauthenticated content and tools, into the information architecture of VAP.
- Craft, test, and deploy design deliverables, such as wireframes, low- and high-fidelity prototypes, or interactive web forms to facilitate usability testing and agile development of VAP. As appropriate, create and update prototypes to conduct facilitated demos or usability testing to elicit feedback for improvements to the design.
- Develop designs that adhere to VA’s application of the U.S. Web Design System, available on . If the Contractor determines a need for a new pattern, the Contractor shall collaborate with VAP PM/COR to design that pattern.
- Support and comply with all UX guidelines and standards as defined by the VA, currently per the Digital Services Handbook.

DEVELOPMENT AND OPERATIONS

PRODUCT PLAN AND ROADMAP

The Contractor shall prepare and maintain a Product Plan and Roadmap for the VAP. This Product Plan and Roadmap will serve as the canonical source of information about the product, including a description of the problem the product is attempting to solve, summaries of formative research, and a discussion of the team’s approach. The Contractor shall continuously develop and groom the Product Plan epic backlog providing release train and delivery metrics, including but not limited to: delivery confidence, risks, impediments, and product lifecycle phases. Most critically, the Product Plan and Roadmap must include the product’s Key Performance Indicators (KPIs) established in concert with the VA Product Owner and key stakeholders, as well as evaluation KPI methodologies.
All KPIs shall be designed to allow the team to effectively and objectively evaluate the product against user needs throughout the life of the product.

BACKLOG MANAGEMENT

In consultation with the VA Product Owner and the Product Plan and Roadmap, the Contractor shall continuously develop and groom a backlog of tasks based on user needs derived from meaningful user research. The Contractor shall continuously maintain a backlog with two sprints of ready-to-work tasks per team ensuring there is no unnecessary downtime due to unforeseen impediments or changes. Before work commences on a task in the backlog, the task shall include a description of the user need being addressed, references to specific artifacts describing the user need, a proposed approach to meet the user need, a link to the appropriate epic in the product plan epic backlog, and an estimate of the relative complexity of the approach.

SPRINT MANAGEMENT

Prior to the beginning of a sprint, the VA Product Owner, in collaboration with the Contractor and other key stakeholders, shall prioritize the backlog and use it to generate a Sprint Plan. The Sprint Plan shall include the work to be prioritized for the upcoming sprint. It must be accepted by the VA Product Owner and VA Contracting Officer’s Representative (COR) prior to the sprint commencing. While each task’s approach and hypothesis are expected to change throughout the duration of the sprint as the team learns new information, the goals should be contained in the Sprint Plan and the Contractor’s level of effort of work accomplished shall remain unchanged, even if pivots in work performed occur due to issues outside the control of the Contractor. All work completed should have unambiguous, test-driven acceptance criteria.

At the end of the sprint, the Contractor shall provide a Sprint Demonstration that confirms all functionality developed in the sprint is operational and meets the work’s acceptance criteria.
The Contractor shall also submit a Sprint Report to the VA Product Owner and VA COR for review and acceptance. The Sprint Report shall include a summary of the planned, accomplished, and unaccomplished work for the two-week sprint to include issues encountered and corrective actions taken as well as references to all artifacts produced during the sprint. The Contractor must receive VA Product Owner and VA COR approval of the Sprint Report for the prior sprint before beginning a new sprint.

COMMON ONGOING PRODUCT LIFECYCLE ACTIVITIES

The Contractor shall:
- Continuously deploy code into lower environments and regularly deploy code to production environments with a target of at least one production deployment per day.
- Maintain proficiency with VA software development tools, including git-based source control tools such as GitHub.
- Integrate with external systems and other VA systems to access appropriate data. All integrations shall be configured with code, utilize testing and instrumentation to discover and manage reliability issues, and be thoroughly documented.
- Implement all build, release, and deployment steps as versioned, tested, and source-controlled code.
- Develop, maintain, and communicate meaningful product metrics that are directly linked to the user need or problem the product is intended to address. This task includes identifying and measuring baseline metrics for comparison.
- Establish and maintain integrated, cross-functional and cross-organizational (e.g. having Contractor and Government members) teams to enhance communication, share lessons learned, and facilitate rapid identification and mitigation of dependencies between various functional entities.
- Comprehensively document the VAP’s key specifications, dependencies, data elements, design and architecture decisions, integrations, and any other salient characteristics that would be useful to future teams supporting the VAP.

OPEN SOURCE/REUSE

The Contractor shall configure and develop all new VAP content including all technical data, source code, configurations, documentation or other information as Open Source Software pursuant to OMB Guidance M-16-21. The Contractor shall:
- Approach system design in an “out-of-the-box” manner, using best practice approaches or preconfigured solutions, including libraries, components, modules, or other preconfigured increments of software, drawn from the open source community where possible with a focus on minimizing system customization with written code.
- Publish all components, source code, or software artifacts under an open source license on behalf of the Government for reuse in an open source manner.
- Separate configuration and sensitive information from source code.
- Manage dependencies on other open source libraries and tools and provide recommendations to VA for continued use or updates.
- Maintain a list of VAP’s open source libraries and tools that are available for reuse.
- Store source code, technical data, configurations, documentation in publicly accessible source control repositories.

DELIVERABLE METRICS/SERVICE LEVEL AGREEMENTS

The Contractor shall meet all SLAs as described in the PWS for all software and infrastructure within the VAP. Downtime and failures in dependent VA data sources, APIs, and systems are excluded. However, if the Contractor’s performance falls below a required service level, the Contractor shall only be paid for the lower service level provided. Please be advised that the VA’s payment for the lower service level provided in no way waives the Government’s right to pursue any remedies available by law, including, but not limited to, termination for breach of contract.
Please be further advised that failure to meet the SLAs as set forth in this PWS shall be considered a condition endangering contract performance and may provide grounds for default termination. The Government will conduct a monthly review of the defined SLAs against the Contractor’s performance/solution. If a lower service level is assessed in a particular month, the Contractor shall provide an itemized invoice detailing the lower service level price (percentage and amount) and deducting that lower service level price from the total monthly price of the applicable Contract Line Item Number in the following month’s invoice. SLAs are set forth in PWS FFP tasks TBD.
- The Government will provide 100% of the FFP payment for VAP operations for every month that meets the SLAs for every metric (Service Availability, Service Reachability, Development Environment Availability).
- The Government will provide 90% of the FFP payment for VAP operations for every month that does not meet the SLAs for every metric but does maintain availability and reachability above 99.0% for every metric.
- The Government will provide 85% of the FFP payment for VAP operations for every month that does not meet the SLAs for every metric but does maintain availability and reachability between 98.0% and 99% for every metric.
- The Government will provide 75% of the FFP payment for VAP operations for every month that does not meet the SLAs for every metric but does maintain availability and reachability between 95.0% and 98% for every metric.
- The Government will not provide any FFP payment for VAP operations for any month that does not meet the SLAs for every metric and where availability and reachability are below 95.0% for every metric.

PRODUCT MARKETING AND OUTREACH

The success of VA’s VAP will be determined by the value they deliver to both VA and its customers. Thus, encouraging VAP consumers to use the VAP and providing those consumers with a positive experience is crucial to the success of VA’s VAP.
The Contractor shall:
- Communicate with current and potential VAP consumers to understand their needs and how VA can best work with them.
- Create outreach and marketing materials to inform current and potential VAP consumers about what is available and the value of using VAP.
- Onboard new consumers, as they learn about and use VAP.
- Work with internal and external customers to define and measure Key Performance Indicators (KPIs) for each stage of the customer marketing funnel and reporting out on KPI status to internal and external audiences.
- Measure customer satisfaction and usability with APIs built and determine how to maximize customer satisfaction.
- Evangelize VA VAP internally and externally to VA

All KPIs should ultimately focus on value provided from the combination of APIs and applications to veterans and VA.

ACCESSIBILITY

The Contractor shall ensure that VAP developer portal serves the needs of application developers with disabilities that may impact their access to documentation for APIs provided on the VAP. The Contractor shall also provide expert guidance on accessibility direction and strategy. The Contractor shall create and maintain documentation for all related activities, recommendations, and decisions. The Contractor shall:
- Ensure, through continued development and testing, that VAP development portal is not only accessible (meaning that it meets the requirements of Section 508 of the American Disabilities Act), but that it is also easy for users to interact with using screen readers and other assistive technology that Veterans commonly use.
- Design and build the documentation that is accessible to the widest range of applications and devices; all products must be Section 508-compliant and mobile responsive.
- Work with VA’s Section 508 Compliance office to ensure full compliance.
- Evaluate the VAP developer portal for accessibility on the most commonly used accessible devices, at a minimum before each launch, major update, or new release.
  This includes meeting regularly with VA’s 508 office to ensure compliance with their standards and requirements as they evolve over time.
- Ensure that all design/templates for the VAP developer portal are viewable and usable on any mobile device or web browser.
- Provide expert guidance to determine which range of browsers and devices to target for testing as technology evolves in the commercial marketplace.
- Create and maintain an Accessibility Testing Plan and Report that delineates all devices upon which all routine accessibility tests are run. This shall be updated as 508 requirements and technologies evolve over the course of this project.
- Create and maintain an Accessibility Tracking Plan and Report which tracks testing for accessibility and submitted to Section 508 Office for smoke tests, plus the status of such tests.

VAP

The VAP will support teams across the VA to develop and deploy APIs which ultimately enable VA and veteran-facing applications. The Contractor shall operate and maintain the platform, including operating the functionality of the VAP, ensuring security and operational compliance, and supporting shared services across the VAP including analytics and authentication management.

VAP DEVELOPMENT

The Contractor shall provide cross-functional Contractor Sprint Teams for the development of APIs and underlying infrastructure. This contract is not for creating a specific number of APIs, or APIs in a single domain, but rather for agile, cross-functional teams that can work alongside a VA product team to prioritize, build, operate, and iterate on APIs across many parts of VA. It will include creating new APIs, refactoring or re-platforming existing APIs, extending or wrapping existing APIs, and/or working with other teams to improve their APIs and/or expose their data in a modern way using modern software development practices.
The specific scope of functionality of the tasks will be determined by VA API Product Owners and the VA PM/COR, prior to sprint commencing. At the beginning of each two-week sprint, each Contractor Sprint Team shall initiate, coordinate, and participate in a Sprint Planning Meeting and develop a Sprint Plan with the VA Project Team, including the VA PM, COR, designated VA product Owner and additional stakeholders, to plan the work to be prioritized for the sprint. Additionally, the VA Product team and the Contractor Sprint team shall determine the acceptance criteria for work prioritized for the sprint and populate the Sprint Backlog in the sprint planning meeting. The contractor, in collaboration with the VA Project Team, shall prioritize a backlog, estimate the relative complexity of each task, and determine the amount of work that can be accomplished in a two-week sprint. All activity scheduled in each sprint and backlog shall be captured and have status showing all work items, changes, and impediments. The Contractor shall update the Sprint Plan at the end of the sprint planning. Once the Sprint Plan is accepted by the VA PM/COR and the VA Product Team, the sprint backlog may change throughout the duration of the sprint, however, the effort of work will remain constant.

The Contractor shall provide a Sprint Demonstration that confirms all functionality developed in the sprint is operational. At the Sprint Demonstration, the Contractor Sprint Team shall submit a Sprint Report to the VA PM/COR for review and approval. The Sprint Report shall include a summary of the planned, accomplished, and unaccomplished work for the two-week sprint, issues encountered, and corrective actions taken as well as all artifacts produced, and all code (submitted to a VA source code repository, such as GitHub), during the sprint.
This report, certification that all work is completed, and a demonstration of all work completed in the sprint, are necessary for sprint acceptance by the Government. The Contractor shall receive VA PM/COR approval of the Sprint Report for the prior sprint before beginning a new sprint.

Specifically, the Contractor shall support the building and maintaining of APIs as products, including:
- Discovery - Conduct discovery activities on existing VA APIs, dependent systems, and internal and external business process flows and functions. Work closely with VA customers to understand their needs and how those map to VA capabilities. Collect available data, user feedback, and VA stakeholder feedback and capture in a Discovery Report.
- Product Roadmap - A comprehensive list of the APIs and API functionality that needs to be built or updated, and prioritization of these based on completed Discovery efforts. For roadmap items under active discovery or development, issue-tracking and associated documentation should easily enable full visibility and transparency of all work from user-stories through epics up to the roadmap item as well as progress against all work required for a roadmap item.
- Coordination - Participate in VA stakeholder meetings, some of which will be in-person at VA facilities, to plan and prioritize the building and integrating of the services and change management activities including (but not limited to) managing agendas, minutes, action items, and collaboration tool management meetings.
- Mock API development – Mock proposed API contracts/specifications, actively gather feedback from potential consumers, and rapidly iterate on designs prior to initiating software development.
- Code Development - Define, author, and deliver code in a way that meets private sector best practices, meets the needs of the users, and conforms to the requirements and architecture provided by the government; ensure peer reviews for code quality; incorporate testing into code development,
  including security scans. The Contractor shall follow an agile methodology that may result in several production releases in each sprint. The Contractor shall adhere to objectives defined in the U.S. Digital Services Playbook, as well as VA’s VIP policy. All Contractor team members shall be proficient on modern VA tools, including GitHub, and all code should be developed in the open.
- Integration Support – Integrate with external systems and other VA systems as needed to access appropriate data, including configuring, testing, and documenting the integration.
- Data Migration – Develop, implement, and document any necessary data migration strategies/plan(s).
- Deployment Activities - Plan for, create and validate the implementation and deployment instructions for use during service deployment. All deployment steps should be instrumented as infrastructure as code.
- Testing.
  - Ensure all code is tested at the unit, functional, and integration level prior to release into the production environment.
  - Ensure that pre and post-launch periodic load-testing is performed on all software developed and maintained by the Contractor
  - Work with API providers and VA teams providing dependent systems and data sources to conduct periodic load testing as supported by those teams, independent of the Contractor
- DevOps - Work collaboratively and cross-functionally with other contractor engineering and DevOps teams to implement CI/CD processes, including:
  - Maintain multiple pre-production environments where APIs can be released
  - Maintain automated pipelines that execute unit, functional, and accessibility tests as part of the code review process
  - Maintain monitoring and metrics (both historical and on-demand) to allow easy assessment of the CI/CD pipeline operation and performance
- API Monitoring:
  - Ensure that monitoring and alerting exists for new and existing APIs, to ensure compliance with industry-standard uptime numbers.
  - Monitor API dependencies for service disruption and alert the appropriate team(s) responsible for the APIs.
- API Metrics Reporting
  - Develop and communicate product metrics. Metrics may include but are not limited to how many users are using the product, transactions performed, concurrent users, and value provided to the VA and API consumers. This task includes identifying and measuring baseline metrics for comparison.
  - Develop automated reporting tools (such as a dashboard) for VA leadership to demonstrate metrics of success including but not limited to compliance with error rates, test coverage, operating status, uptime, and build quality. Upon request, produce other analytics reporting materials to support presentations to VA
- Communication - Participating in integrated program/project teams and/or Scrum teams to enhance communication, share lessons learned, and facilitate rapid identification and mitigation of dependencies between various functional entities. This includes communication internal and external to VA.
- Documentation - Work with the Government to architect and document, in the API Documentation, the API design specifications, including all data elements that the services provide or read.
- Improvement of the platform - VA anticipates the need to adapt and refine the VAP as additional API providers and consumers make use of the platform. In consultation with VA, the Contractor shall support VA in conducting research related improvements to VAP, including developing prototypes of potential improvements, creating a product plan and backlog for those improvements, and building and deploying those improvements.
  This may include:
  - Upgrading or migrating frameworks used in the VAP
  - Automating API consumer and provider workflow processes
  - Adopting proven web containerization/platform strategies
  - Refactoring VAP software in areas exhibiting performance issues or high bug/issue density
  - Developing solutions such as forward proxies and caching layers within the VAP to effectively implement integration with legacy VA systems

All scoping for improvement activities will be provided at the request of the Program Manager or COR. The Contractor will not operate independently to determine improvement projects that will be developed, and all projects supported by this PWS must be approved in advance by the VA COR.

Rights in Computer Software:

The Contractor is required to deliver the APIs, technical data, configurations, documentation or other information, including source code, during contract performance. The Government shall receive Unlimited Rights in intellectual property first produced and delivered in the performance of this contract in accordance with FAR 52.227-14, Rights In Data-General (DEC 2007). This includes all rights to source code and any and all documentation created in support thereof. License rights in any Commercial Computer Software shall be governed by FAR 52.227-19, Commercial Computer Software.

Deliverables:
- Sprint Plan
- Product Roadmap with associated epic and user-story issue status, minimally for all roadmap items under development, ideally for those soon to be developed as well
- Discovery Reports
- API Documentation – Consumer-facing and internal design/architecture documentation
- Sprint Report
- Software Code and Artifacts

API MARKETING AND OUTREACH

API Consumers

The success of VA’s APIs will be determined by the value they deliver to both VA and its customers. Thus, getting API consumers using the APIs and providing those consumers with a positive experience is crucial to the success of VA’s API Program.
The Contractor shall provide:
- Communication with current and potential API consumers to understand their needs and how VA can best work with them.
- Outreach and marketing materials to inform current and potential API consumers about what is available and the value of using VA’s APIs.
- Onboarding for new consumers, as they learn about and use VA APIs.
- Working with internal and external customers to define and measure Key Performance Indicators (KPIs) for each stage of the API customer marketing funnel and reporting out on KPI status to internal and external audiences.
- Measuring customer satisfaction with APIs built and determining how to maximize customer satisfaction.
- Evangelize VA APIs internally and externally to VA

API Providers

Like API consumers, API providers require a journey that includes onboarding followed by continuous support. A successful onboarding and support model will ensure success with API Providers. The Contractor shall provide:
- Communication with current and potential internal VA API providers to understand their needs and how the Contractor can best work with them.
- Onboarding for new providers, ensuring that standards imposed/expected by the VAP are effectively communicated to potential providers.

The Contractor shall provide support, as needed, to ensure VA has the necessary API governance in place to create a world-class API program.
As defined by the VA Product Owner, this could include:
- Documenting API best practices or API standards
- Technical guidance to the product owner and VA development teams building other APIs on top of the VA API Gateway
- Identifying and defining architectural changes across VA based on industry best practices
- Working with VA teams to implement changes as needed
- Provide documentation of processes, procedures, tools, and overall workflow to both onboard and operate API providers hosted on VAP

API OPERATIONS

The Contractor shall manage and operate the APIs they develop for the life of this contract, as well as the existing APIs present at the start of the Contract. The Contractor shall maintain and operate multiple environments for its APIs including (but not limited to) the following environments:
- Development – no PII/PHI, for development internal to the VA
- Sandbox – no PII/PHI, for development external to the VA
- Staging – duplicates production environment infrastructure for validation and testing prior to production
- Production

The Contractor shall maintain and extend existing environments as necessary. The Contractor shall ensure that all software associated with maintaining and operating VA APIs is delivered and tracked using current tools and processes. Potential improvements to these tools and processes should be considered by the Contractor as well. Development environments should be completely self-service. Furthermore, there must be at least one non-Production environment that can support load-testing for all VAP software maintained by the Contractor, with load that is equivalent to that expected within the production environment.

The Contractor shall ensure all API Service Level Agreements, as defined below, are met, and that the APIs function correctly.
The Contractor shall:
- Provide 24x7 Production support for all VA APIs up to the point a problem is determined to exist in an internal system outside the scope of VAP
- Provide Database Administration (DBA) support to cloud-based and hosted database systems for VA APIs, as needed.
- Provide non-production environment support during normal VA business hours (8 am – 8 pm EST).
- Work collaboratively with VA support-related stakeholders including but not limited to VA call centers, VA Customer Relationship Management (CRM) systems, VA customer service platforms, and other VA teams as needed.
- Monitor system, network, application, database logs, and SLA metrics via VA approved monitoring tools and provide a real-time dashboard available to all program stakeholders.
- Write and monitor synthetic monitoring scripts for VA infrastructure, APIs, and applications.
- Provide external systems integration support through configuring, testing, and documenting the integration.
- Perform infrastructure, operating system, and product updates, upgrades, and patches without system downtime.
- Document in the Monthly Status Report support metrics including but not limited to: number of issues reported, problem type identification, % resolved, time for resolution, priority, severity, etc. as requested
- Perform postmortems of any outages that occurred, including root cause analysis and steps to prevent future outages

The Contractor shall provide an SLA Monitoring Plan that defines how SLA metrics will be monitored throughout the performance of the requirements, including the automated testing tools and automated SLA testing scripts that shall be used. The Contractor shall provide the SLA Monitoring Plan to the VA PM/COR for review and approval. Upon approval, the Contractor shall implement SLA monitoring IAW the approved plan and establish an SLA Dashboard that provides real time SLA metrics data available to all program stakeholders.
The Contractor shall provide a VA API SLA Report monthly which shall capture data as specified in the Deliverable Metrics/SLAs.

Deliverables:
- SLA Monitoring Plan
- Monthly VA API SLA Report
- Postmortems

DELIVERABLE METRICS/SLAs

Service Availability

All deployed services shall be available and functional to serve user requests at no less than 99.9% availability. An external entity shall always be able to access and receive a successful response to all APIs deployed to this platform. As available on a per API basis, sample transactions or health check endpoints that are exposed to external entities shall be evaluated to determine if the response is successful. In addition to availability, the Contractor shall provide a mechanism to determine performance anomalies using methodologies and metrics best suited to the API and backend system performance characteristics. Anomalies outside the definition of acceptable performance as defined in the SLA Monitoring Plan delivered by the Contractor shall be included in the unavailable time contribution to the SLA. Services that are faulted due to an external entity shall have trouble tickets logged with the responsible party, with all outage time attributable to this team until the ticket is logged with the responsible entity. An automated test, IAW the approved SLA Monitoring Plan, with an execution frequency of no more than 300 seconds, and the logged reports of execution, including timing details, of that test shall be provided in the VA API SLA Report. Any faulted services attributed to an external entity shall include a record of the trouble ticket that was issued to the responsible party. This record shall include the time that it was filed, and if resolved, the time of resolution.
Any maintenance window outages due to upstream or downstream maintenance shall include a record of the notification that was distributed to VA Stakeholders, and the time at which the record was distributed.

Service Reachability

Services on this platform shall be reachable by internal and external entities no less than 99.9% of the time. All required routing and proxying services are correctly functioning and forwarding traffic. Services that are faulted due to an external entity shall have trouble tickets logged with the responsible party, with all outage time attributable to this team until the ticket is logged with the responsible entity. Services that are unavailable due to upstream maintenance must have an outage notification to all VA stakeholders prior to the maintenance window for attribution to the upstream team. The Contractor shall have access to test, IAW the approved SLA Monitoring Plan, and the logged reports of execution, including timing details, of that test shall be provided in the VA API SLA Report.

Environment Availability

The APIs shall be available in the Staging environment during normal VA business hours (7 am – 9 pm EST). An external entity shall be able to log into the environment, execute build and deploy jobs in the development enclave, and observe the results of those jobs with no less than 99.0% availability. An automated test, IAW the approved SLA Monitoring Plan, and the logged reports of execution, including timing details, of that test shall be provided in the VA API Platform SLA Report.

SECURITY AND COMPLIANCE

The Contractor shall ensure the continual monitoring, compliance, and security for the VAP.
Note, all applications currently on the VAP in production have achieved an Authority to Operate (ATO) or are covered by an existing ATO.

The Contractor shall be responsible for:
- Provide technical documentation support for the VAP Authority to Operate (ATO).
- Update the ATO (if needed) prior to releasing a new (or enhanced) functionality into production such as risk assessments, system security plans, incident response plans, disaster recovery plans, privacy impact assessments, and privacy threshold analyses.
- Support teams building VAP APIs in securing those Services in accordance with applicable VA system security policies by validating and reporting on compliance, performing appropriate security audits, and identifying appropriate teams responsible for mitigation.
- Create Data, Security, and Integration Architecture Diagrams, and update as necessary throughout the Period of Performance.
- Support teams building VAP in complying with DAP and HTTPS policies.
- Monitor security scans and ensure all issues are resolved in a timeline commensurate with the severity of the issue.

Deliverables:
- ATO Documentation
- Data, Security, and Integration Architecture Diagrams
- Security Audit Results
- Software code and artifacts for security scan issue resolution

DOCUMENTATION AND STANDARDS

The Contractor shall establish and document standards for coding practices, VAP architecture, design standards, and content style. The Contractor shall:
- Maintain documentation of VAP architecture and design as it is evolved.
- For the Developer Portal, maintain design standards via the VA Design System (Formation) in a public website and source code repository, including regular updates to design elements, implementation documentation, and versioned releases per the VA Design Guidance.
- Regularly collect feedback for both consumers and providers of VAP APIs and modify the guidelines as needed in response to that feedback.
- Establish and maintain coding standards, including enforcement via tooling, testing, and code reviews.
Coding standards can be found here and here.

Deliverables:
- VAP Architectures
- VAP User Research Reports
- VAP API Consumer Onboarding documentation improvements
- VAP API Provider Onboarding documentation improvements
- Websites and Source Code Repositories

COST AND COMPUTE OPTIMIZATION AND REPORTING

The Contractor shall review all usage of cloud computing services provided by VA associated with this effort. Plans shall be submitted and implemented quarterly on how to best optimize the environment to reduce the costs associated with resource utilization. The Contractor shall provide a breakdown of all costs by API, environment, and utilization and shall report on utilization of each class of resource as a percentage of provisioned capacity in a Monthly Utilization Report. The Contractor shall, as part of its VA API SLA Report, include the total infrastructure expenditure and total number of request services for Cloud Resource Optimization.

Deliverables:
- Quarterly Resource Utilization Optimization Plan
- Monthly Utilization Report

ENHANCE API-DEPENDENT VA SOURCES AND SYSTEMS

VAP has dependencies on many internal VA data sources and systems to provide meaningful APIs to application developers and consumers. As prioritized and directed by VAP VA leadership, the Contractor shall perform the following as necessary using the working principles described in Section 4 as included in the firm-fixed-pricing tasks of this contract.
In all cases, these efforts will be limited in scope to only work that ultimately provides key benefits and/or functionality to APIs delivered on VAP, even if indirectly.

If priorities and needs dictate that this work is not required, VAP VA leadership will redirect these resources to VAP work covered in Section 5.3.

SITE RELIABILITY ENGINEERING (SRE) CONSULTATION

At the direction of the VAP VA leadership, redirect 1 or more engineers from the VAP project to serve as a consultant on internal VA data sources and services upon which the VAP APIs depend, independent of the Contractor. The intent would be to analyze current problems and provide potential solutions. This could cover functional, quality, deployment, performance, and/or monitoring aspects of the VA systems.

Deliverables:
- Written analysis of issues observed, detailing recommended course of action, root causes, and/or recommended solutions. VA leadership will determine which of these are to be included in the written analysis.

INTERNAL VA TEAM AUGMENTATION

At the direction of VAP VA leadership, redirect one or more engineers from the VAP project to serve as embedded team members on internal VA teams upon which the VAP APIs depend, independent of the Contractor. The intent would be to help the team execute in the engineering domain with the intent of improving the internal VA system, indirectly benefitting the affected VAP API(s). This could cover functional, quality, deployment, performance, and/or monitoring aspects of the VA systems.

Deliverables:
- Software code and artifacts
- Design and architecture documentation if required by VA leadership

FULL SPRINT TEAMS

At the direction of VAP VA leadership, provide full sprint teams to non-VAP data sources and systems to develop, refactor, and modernize software to address quality, performance, and/or DevOps issues.
At the conclusion of each sprint, a demonstration of completed items shall be provided by the Contractor.

Deliverables:
- Sprint Plans
- Software code and artifacts
- Design and architecture documentation if required by VA leadership
- Sprint Reports

OPTIONAL TASKS

OPTIONAL TASK 1 - SOFTWARE LICENSE MANAGEMENT

The Contractor is responsible for procuring, managing, migrating, modifying, and terminating VA API Gateway software licenses as required. The Contractor shall coordinate with other contractors and vendors as necessary to support the procurement, management, migration, modification and termination of the software licenses. Any licenses procured for the proposed API Gateway solution shall be licensed for the benefit of VA. The software licenses listed may change over time and may be substituted for more current versions, quantities, via modification to the contract. Some necessary software licenses may include:
- Licenses for an API Gateway if Contractor wishes to evolve it from the current open source Kong implementation
- Licenses needed for building, deploying, and operating the VAP to maintain defined SLAs (separate from what is already procured for the API Operations in Section 5.3, which is included in that price)

All software licenses procured by the Contractor on behalf of VA in support of VAP shall be transferred to the Government at the end of the period of performance.

OPTIONAL TASK 2 – VAP DEVELOPMENT

Upon execution of this optional task, the contractor shall provide all services within section 5.3 for the Base Period and each Option Period. All Deliverables associated with section 5.3 shall also apply to any Optional Tasks exercised under this paragraph. This optional task may be exercised, up to the number of times listed in the Schedule of Deliverables, per period of performance.

OPTIONAL TASK 3 – API MARKETING AND OUTREACH

Upon execution of this optional task, the contractor shall provide all services within section 5.3 for the Base Period and each Option Period.
All Deliverables associated with paragraphs 5.3 above shall also apply to any Optional Tasks exercised under this paragraph. This optional task may be exercised, up to the number of times listed in the Schedule of Deliverables, per period of performance.

OPTIONAL TASK 4 – API OPERATIONS

Upon execution of this optional task, the contractor shall provide all services within section 5.3 for each Option Period. All Deliverables associated with paragraphs 5.3 above shall also apply to any Optional Tasks exercised under this paragraph. This optional task may be exercised, up to the number of times listed in the Schedule of Deliverables, per period of performance.

OPTIONAL TASK 5 – ENHANCE DEPENDENT VA SOURCES AND SYSTEMS

Upon execution of this optional task, the contractor shall provide all services within section 5.4 for the Base Period and each Option Period. All Deliverables associated with paragraphs 5.4 above shall also apply to any Optional Tasks exercised under this paragraph. This optional task may be exercised, up to the number of times listed in the Schedule of Deliverables, per period of performance.

GENERAL REQUIREMENTS

PERFORMANCE METRICS

The table below defines the Performance Standards and Acceptable Levels of Performance associated with this effort.

| Performance Objective | Performance Standard | Acceptable Levels of Performance |
| Technical / Quality of Product or Service | Shows understanding of requirements; Efficient and effective in meeting requirements; Meets technical needs and mission requirements; Provides quality services/products | Satisfactory or higher |
| Project Milestones and Schedule | Quick response capability; Products completed, reviewed, delivered in accordance with the established schedule; Notifies customer in advance of potential problems | Satisfactory or higher |
| Cost & Staffing | Currency of expertise and staffing levels appropriate; Personnel possess necessary knowledge, skills and abilities to perform tasks | Satisfactory or higher |
| Management | Integration and coordination of all activities to execute effort | Satisfactory or higher |

The COR will utilize a Quality Assurance Surveillance Plan (QASP) throughout the life of the TO to ensure that the Contractor is performing the services required by this PWS in an acceptable level of performance. The Government reserves the right to alter or change the QASP at its own discretion. A Performance Based Service Assessment will be used by the COR in accordance with the QASP to assess Contractor performance.

SECTION 508 – INFORMATION AND COMMUNICATION TECHNOLOGY (ICT) STANDARDS

On January 18, 2017, the Architectural and Transportation Barriers Compliance Board (Access Board) revised and updated, in a single rulemaking, standards for electronic and information technology developed, procured, maintained, or used by Federal agencies covered by Section 508 of the Rehabilitation Act of 1973, as well as our guidelines for telecommunications equipment and customer premises equipment covered by Section 255 of the Communications Act of 1934. The revisions and updates to the Section 508-based standards and Section 255-based guidelines are intended to ensure that information and communication technology (ICT) covered by the respective statutes is accessible to and usable by individuals with disabilities.

The following Section 508 Requirements supersede Addendum A, Section A3 from the T4NG Basic PWS.

The Section 508 standards established by the Access Board are incorporated into, and made part of all VA orders, solicitations and purchase orders developed to procure ICT. These standards are found in their entirety at the US Access Standards board. A printed copy of the standards will be supplied upon request.

Federal agencies must comply with the updated Section 508 Standards beginning on January 18, 2018. The Final Rule as published in the Federal Register is available from the Access Board.
The Contractor shall comply with “508 Chapter 2: Scoping Requirements” for all electronic ICT and content delivered under this contract. Specifically, as appropriate for the technology and its functionality, the Contractor shall comply with the technical standards marked here:
- E205 Electronic Content – (Accessibility Standard - WCAG 2.0 Level A and AA Guidelines)
- E204 Functional Performance Criteria
- E206 Hardware Requirements
- E207 Software Requirements
- E208 Support Services and Documentation Requirements

COMPATIBILITY WITH ASSISTIVE TECHNOLOGY

The standards do not require installation of specific accessibility-related software or attachment of an assistive technology device. Section 508 requires that ICT be compatible with such software and devices so that ICT can be accessible to and usable by individuals using assistive technology, including but not limited to screen readers, screen magnifiers, and speech recognition software.

ACCEPTANCE AND ACCEPTANCE TESTING

Deliverables resulting from this solicitation will be accepted based in part on satisfaction of the Section 508 Chapter 2: Scoping Requirements standards identified above.

The Government reserves the right to test for Section 508 Compliance before delivery. The Contractor shall be able to demonstrate Section 508 Compliance upon delivery.

ENTERPRISE AND IT FRAMEWORK

The required Assurance Levels, in reference to the Federal Identity, Credential, and Access Management (FICAM) requirements set forth in Section 3.8.2 of the T4NG Basic PWS, are Identity Assurance Level (IAL) 3, Authenticator Assurance Level (AAL) 3, and Federation Assurance Level (FAL) 3 for this specific TO.

ONE-VA TECHNICAL REFERENCE MODEL

The Contractor shall support the VA enterprise management framework. In association with the framework, the Contractor shall comply with OI&T Technical Reference Model (One-VA TRM).
One-VA TRM is one component within the overall Enterprise Architecture (EA) that establishes a common vocabulary and structure for describing the information technology used to develop, operate, and maintain enterprise applications. One-VA TRM includes the Standards Profile and Product List that collectively serves as a VA technology roadmap. Architecture, Strategy, and Design (ASD) has overall responsibility for the One-VA TRM.

FEDERAL IDENTITY, CREDENTIAL, AND ACCESS MANAGEMENT (FICAM)

The Contractor shall ensure Commercial Off-The-Shelf (COTS) product(s), software configuration and customization, and/or new software are Personal Identity Verification (PIV) card-enabled by accepting HSPD-12 PIV credentials using VA Enterprise Technical Architecture (ETA), and VA Identity and Access Management (IAM) approved enterprise design and integration patterns. The Contractor shall ensure all Contractor delivered applications and systems comply with the VA Identity, Credential, and Access Management policies and guidelines set forth in the VA Handbook 6510 and align with the Federal Identity, Credential, and Access Management Roadmap and Implementation Guidance v2.0.

The Contractor shall ensure all Contractor delivered applications and systems provide user authentication services compliant with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-63-3, VA Handbook 6500 Appendix F, “VA System Security Controls”, and VA IAM enterprise requirements for direct, assertion-based authentication, and/or trust based authentication, as determined by the design and integration patterns.

Direct authentication at a minimum must include Public Key Infrastructure (PKI) based authentication supportive of PIV card and/or Common Access Card (CAC), as determined by the business need.

The Contractor shall ensure all Contractor delivered applications and systems conform to the specific Identity and Access Management PIV requirements set forth in the Office of Management and Budget (OMB) Memoranda M-04-04, M-05-24, M-11-11, and NIST Federal Information Processing Standard (FIPS) 201-2. Contractor delivered applications and systems shall be on the FIPS 201-2 Approved Product List (APL). If the Contractor delivered application and system is not on the APL, the Contractor shall be responsible for taking the application and system through the FIPS 201 Evaluation Program.

The Contractor shall ensure all Contractor delivered applications and systems support:
- Automated provisioning and are able to use enterprise provisioning service.
- Interfacing with VA’s Master Veteran Index (MVI) to provision identity attributes, if the solution relies on VA user identities. MVI is the authoritative source for VA user identity data.
- The VA defined unique identity (Secure Identifier [SEC ID] / Integrated Control Number [ICN]).
- Multiple authenticators for a given identity and authenticators at every Authenticator Assurance Level (AAL) appropriate for the solution.
- Identity proofing for each Identity Assurance Level (IAL) appropriate for the solution.
- Federation for each Federation Assurance Level (FAL) appropriate for the solution, if applicable.
- Two-factor authentication (2FA) through an applicable design pattern as outlined in VA Enterprise Design Patterns.
- A Security Assertion Markup Language (SAML) implementation if the solution relies on assertion-based authentication. Additional assertion implementations, besides the required SAML assertion, may be provided as long as they are compliant with NIST SP 800-63-3 guidelines.
- Authentication/account binding based on trusted Hypertext Transfer Protocol (HTTP) headers if the solution relies on Trust based authentication.
- Role Based Access Control.
- Auditing and reporting
- Compliance with VAIQ# 7712300 Mandate to meet PIV requirements for new and existing systems.
The required Assurance Levels for this specific effort are Identity Assurance Level 3, Authenticator Assurance Level 3, and Federation Assurance Level 3.

INTERNET PROTOCOL VERSION 6 (IPV6)

The Contractor solution shall support the latest Internet Protocol Version 6 (IPv6) based upon the directives issued by the Office of Management and Budget (OMB) on August 2, 2005 and September 28, 2010. IPv6 technology, in accordance with the USGv6 Profile, NIST Special Publication (SP) 500-267, the Technical Infrastructure for USGv6 Adoption, and the NIST SP 800 series applicable compliance shall be included in all IT infrastructures, application designs, application development, operational systems and sub-systems, and their integration. In addition to the above requirements, all devices shall support native IPv6 and/or dual stack (IPv6 / IPv4) connectivity without additional memory or other resources being provided by the Government, so that they can function in a mixed environment. All public/external facing servers and services (e.g. web, email, DNS, ISP services, etc.) shall support native IPv6 and/or dual stack (IPv6 / IPv4) users and all internal infrastructure and applications shall communicate using native IPv6 and/or dual stack (IPv6 / IPv4) operations.

TRUSTED INTERNET CONNECTION (TIC)

The Contractor solution shall meet the requirements outlined in Office of Management and Budget Memorandum M08-05 mandating Trusted Internet Connections (TIC), M08-23 mandating Domain Name System Security (DNSSEC), and shall comply with the Trusted Internet Connections (TIC) Reference Architecture Document, Version 2.0.