Active

Contract Opportunity

Procurement Technical Assistance Centers (PTACs) are an official government contracting resource for small businesses. Find your local PTAC (opens in new window) for free government expertise related to contract opportunities.

THIS IS A SOURCES SOUGHT NOTICE ONLY. This is not a solicitation for bids, proposals, proposal abstracts, or quotations. The purpose of this Sources Sought Notice is to obtain information regarding the availability and capability of all qualified sources to perform a potential requirement. The responses received from interested contractors will assist the Government in determining the appropriate acquisition method.
The Department of Veterans Affairs (VA), Network Contracting Office (NCO) 20, is conducting market research to identify potential sources which can provide the following services:

The Roseburg VA Medical Center in Roseburg Orgon requires the rental of a Mobile MRI Trailer for approximately 6 months starting October 1 2023.
Statement of Work
Mobile MRI Trailer Rental

1. SERVICES: Contractor shall provide all tools, equipment, maintenance and repair of all Contractor furnished equipment (including a mobile trailer/unit), in accordance with terms and conditions listed herein for Roseburg Healthcare Center VAMC, Roseburg, Or. Contractor shall be responsible to maintain all Contractor provided equipment, in good working order at all times. Every effort should be made to keep equipment down time to a minimum of 24 hours or less. This will be a limited time contract for the duration of the de-install of current MRI system, construction and installation of a new MRI system. The expected time frame for mobile MRI needs will be 180 days. We would like to reserve the right to extend this contract on a weekly basis as may be dictated by delays in construction or installation.

2. CONTRACTOR S FURNISHED EQUIPMENT: Equipment shall include but not be limited to a Contractor furnished fully equipped Mobile MRI Trailer where studies will be performed on a MRI Magnet manufactured after January 2004. All equipment to be used shall be Food and Drug Administration (FDA) approved imaging equipment placed at a location designated by the Contracting Officer Representative (COR) on VISN 20 site. The entire offering of a MRI Mobile Trailer service shall meet all local, state, federal, industry, THE JOINT COMMISSION or equivalent standard, National Electrical Code (NEC), National Fire Protection Association (NFPA), Veterans Administration (VA), Occupational Safety and Health Administration (OSHA), and other regulatory standards internal or external for which the VISN 20 is currently accountable and will be kept current with all future Federal and State regulations. While on Federal property, the contractor s personnel shall abide by all policies of the site of service to include but not limited to: smoking, radiation and patient safety policies.

3. SYSTEM CAPABILITY REQUIREMENTS: The Contractor shall provide an on-site Mobile MRI system that is a 1.5T system.:

Express Exam Host Computer: Intel Xeon Processor
16-Channel receiver architecture
HDxt ScanTools Including:
23.0 Standard Software
23.0 Advanced Software including:
Express Exam: Interface includes the Modality worklist, Protocol library, Autostart, AutoVoice, Linking, and lnline processing that complete much of the work for the user
Modality Worklist: Provides an automated method of obtaining exam and protocol information for a patient directly from a DICOM Worklist
ProtoCopy: Enables a complete exam protocol to be shared with a click of a mouse
Workflow Manager: Can fully automate image Rx, acquisition, processing, visualization, and networking Autostart: Once the landmark has been set and tech leaves the room the first acquisition will be started Image Fusion: Multiple images from separate acquisitions can be overlaid on one another
Connect Pro: Enables the DICOM worklist server class making it easy to query your HIS/RIS
lnhance 2.0 Suite (non-contrast MRA's) including:
lnhance Inflow IR with 3D FIESTA to acquire non-contrast images of arteries
lnhance 3D Velocity is designed to acquire non-contrast angio images in brain and renal arteries
lnhance 3D Delta Flow is designed to acquire 3D non-contrast enhanced Peripheral Arterial Imaging lnhance 2D Inflow is designed to acquire non-contrast images of arteries that follow almost a straight path

PROPELLER 3.0
ASSET Parallel Imaging (Array Spatij:11 Sensitivity Encoding Technique)
Tl FLAIR & T2 FLAIR
BRAVO (BRAin VOiume Imaging)
Cardiac and Angiographic Functionality
QuickStep
3D LAVA-Flex (Liver Acquistion with Volume Acceleration)
3D COSMIC
3D FIESTA
3D FatSat FIESTA
3D TRICKS
Fluoro Triggered MRA

eDWI (enhanced diffusion weighted imaging) 3DFRFSE
20&3D MERGE
BrainSTAT
SPECIAL (Spectral Inversion at Lipids)
Auto-Calibrating Reconstruction (ARC) CUBE
SWAN

Coils:

16-Channel Head/Neck/Spine Array- The 29 Element Coil Serves as a:
High-Resolution Brain coil
High-Resolution Neuro Vascular Array
Multi-element Spine Array
12-Channel Body Array (Optimized for use with ASSET breath-hold Imaging)

8-Channel Knee Array
3-Channel Shoulder Array
Quad Extremity Coil
lnvivo Foot/ Ankle Coil
Flex Coils
Quad Head Coil
Med Rad Spectris Solaris EP injector AK Trailer
4. MOBILE UNIT CAPABILITIES:

Contractor shall provide the following:

a. Hardware and software necessary to permit interpretation of MRI Images at the site where images are obtained.

b. Ability to create, store and export Digital Imaging and Communications in Medicine (DICOM), Joint Photographic Experts Group (JPEG) and Moving Picture Experts Group (MPEG) file formats.

c. The mobile unit shall be equipped with Compact Disk-Recordable CD-R/DVD-R burning capabilities as a backup to network transfer of data.

d. The mobile unit shall be equipped with an Image Analysis Station for image registration quality assurance.

e. The mobile unit shall be equipped with an Intravenous (IV) contrast injector and warmer.

f. The mobile unit shall be equipped with a programmable injector with pressure monitor having the following capabilities (example unit would be the Medrad Stellant Single Syringe Injector):

Scan delay
Multiphase option
Protocol storing
Pause hold functionality

g. Data/Image Transfer: Digital Imaging and Communications in Medicine (DICOM) 3.0 system shall be used to export images from Contractor mobile unit to the facilities PACS system. VA will provide an Access Control List (ACL) for a secure port for imaging connection.
          Â
 Minimum security requirements:
Up-to-date Microsoft (MS) patches and anti-virus software at the vendor mobile unit
Any workstation configuration must be compatible with VA supplied anti-virus (currently McAfee Enterprise)
Medical Device Isolation Architecture (MDIA) security to be provided by VA
No patient identifiers such as name and Social Security Number shall reside on the mobile unit and images shall have an identifier which does not disclose Personally Identifiable Information (PII).

5. MOBILE UNIT ACCESSORIES: Accessory equipment that shall be provided by the Contractor:

a. Handicap/Gurney/Hospital Bed accessibility.

b. Intercom system between the control room and scanning room.
6. MOBILE UNIT EQUIPMENT SPECIFICATIONS: The following minimum performance characteristics of the equipment are required:

a. The MRI shall provide images with consistently high technical quality to be approved by VA employed experts. Poor image quality will be considered non-performance under this contract and must be remedied within 7 days of notification or incurred default.

b. The Mobile MRI unit shall be ready for use regardless of outside environmental conditions.

c. The Mobile MRI unit shall maintain a temperature to assure proper operation of the scanner without frequent calibration and provide for patient comfort.

d. The MRI unit shall meet all federal, state and local fire and safety requirements.

e. Telecommunications: The mobile unit shall be equipped with outlet jack s connections capable of transmitting data and voice through Government provided category five (5) cable and dual pair phone cable. The Government will provide the connection required for the transmission of images, data and voice.

f. The mobile unit shall support DICOM Modality Work list (DMWL), for future use.

g. The mobile unit shall be able to export DICOM images to at least one destination.

h. System shall have been approved by the Federal Drug Agency (FDA) and meets or exceeds minimal standards for the type of equipment being provided as defined herein.
The Roseburg Healthcare Center SHALL PROVIDE THE FOLLOWING UTILITIES/SERVICES UP TO THE DOCKING PAD (IF NECESSARY) FOR OPERATION OF THE MRI MOBILE UNIT.

Pad (12 X 52 X 8 thick concrete (3000psi) with air entrainment, broom finish, reinforcing steel to be ASI-615 Grade 60, #4 bars @ 8 each way, top of steel to be 2 from the top of the concrete surface.)
Electricity (150 amp panel breaker, 3 phase, 480v), (200 amp receptacle, 5 wire, Russelstoll #DF 2504 Frabo)*
Telephone Line(s) **
Data Port ***
Restroom Facilities

* In accordance to the Original Equipment Manufacturers (OEM) electrical specifications.

** Three (3) telephone lines. Use of telephone extension while mobile unit is on site shall be in order to permit personnel of the unit to make and receive telephone calls, and to facilitate the movement of patients to and from the unit. Telephone calls placed and received by the personnel of the unit on the extension shall be restricted to the appropriate free dialing areas. Long distance calls shall be made with calling cards, reverse charges or to toll free numbers provided by and paid for by the vendor.

*** Three (3) data lines. Data Port requirements are for the support of Data/Image transfer support
7. EQUIPMENT MAINTENANCE: Equipment provided shall be in good working order at all times in order to provide high quality scans required under this requirement and any resulting contract. Contractor shall be completely responsible for the preventive maintenance, emergency and general repairs, safety, cleaning, and upkeep of all equipment furnished by the Contractor. Preventative maintenance/repairs on the Mobile MRI unit and all associated equipment shall be performed in accordance with the Conformance Standards and manufacturer s recommendations.
8. SITE PREPARATION: The Roseburg Healthcare Center site participating in this contract will provide a docking site for the contractors MRI mobile unit. The Contractor or designee shall perform a site visit at the Roseburg location after notification of contract award and prior to commencement of work to coordinate with the COR in order to confirm site conditions for trailer/mobile unit docking.
9. CONTRACTOR S STAFF: MRI Mobile Unit Driver shall be licensed as applicable to operate and drive the mobile vehicle in which the unit is housed
10. CONTRACTOR S RESPONSIBILITIES:
Contractor shall be responsible for the timely delivery and pick up of the MRI trailer.
DATA/IMAGE TRANSFER SUPPORT: Contractor shall provide IT Technical Support while the MRI mobile unit is located on-site. Technical Support personnel must have complete knowledge of all Transmission Control Protocols/Internet Protocols (TCP/IP) modification required to interface with the VA network and the Contractor shall provide IT Technical Support to facilitate data transfer to the VA network.

The Contractor will be provided an IP address for Source Data, Default Gateway, and Subnet Mask from the VI OI&T personnel. The Contractor shall be responsible for implementation of data transfer to the VA network with the assistance of VA OI&T personnel. The mobile truck s IP address (es) cannot be part of the VA network. The IP range for the workstation/equipment must be in a range supplied by the Government. It should allow for the IP address to be changed locally. The VA will create an Access Control List (ACL) to address security controls. The Contractor shall ensure all IT devices located in the MRI mobile unit be cleansed of all Virus and Malware prior to connecting to the VA network.
CONTRACTOR FURNISHED FACILITIES, SERVICES, SUPPLIES AND EQUIPMENT:

The Contractor s Vehicle shall be parked and leveled no more than 12 from docking pad ramp. Contractor shall be responsible for leveling of the vehicle at location designed by the Roseburg Healthcare Center.

Contractor shall contact the COR to make the necessary arrangements for a site visit where the actual location of the mobile trailer shall be located so that precise measurements etc. can be taken by the Contractor who shall be responsible to confirm compatibility of the docking pad and connections as noted herein. Any additional costs as a result of the Contractor s failure to confirm the above shall be the responsibility of the successful Contractor.

Contractor shall be held responsible for any damages, which may be done to the Roseburg Healthcare Center property during delivery, hookup and/or removal of equipment at the site. Any damages caused by the Contractor shall be repaired at the Contractor s expense to the satisfaction of the facility Chief of Engineering.

Proper installation/staging of the Contractor s furnished equipment including the mobile trailer must be completed in accordance with industry standards, all OSHA regulations and applicable manufacturer s recommendations. The above must be completed prior to commencement of services. Dates and time for completion of the above shall be mutually agreed upon between the Roseburg Healthcare Center and the Contractor.

NON-CONFORMING PRODUCTS OR SERVICES:

Non conforming products or services will be rejected. Unless otherwise agreed by the parties, deficiencies shall be corrected within seven (7) days of the rejection notice. If the deficiencies cannot be corrected within seven (7) days, the Contractor shall immediately notify the COR and the Contracting Officer of the reason for the delay and provide a proposed corrective action plan within seven (7) working days.

EMERGENCY REPAIRS:

Emergency service: Contractor shall provide, at no cost to the Roseburg Healthcare Center, all emergency service to include all required personnel, parts and labor, and preventive maintenance/repairs of MRI mobile structure and equipment to maintain a safe environment as recommended by the original equipment manufacturer (OEM) recommendations/specifications in accordance with the agreed upon schedule with the COR.

Response Time: In the event of an equipment failure during normal working hours while in the performance of the Contractor s services, the Contractor shall notify the COR or designee immediately after discovery of equipment failure while on site. Every effort should be made to keep equipment down time to a minimum of 24 hours or less. If repair services are required to be performed on site after the normal working hours, the Contractor must notify the COR and the VA Police that services will be performed on-site. All emergency repairs are the responsibility of the contractor and only qualified service engineers shall perform emergency repairs.

Replacement Unit: In the event that the equipment fails and the failed equipment is un-repairable, the Contractor must obtain an alternate unit which shall be available on the next scheduled day and which meets all of the requirements of the resulting contract to ensure that schedule services shall be performed as agreed upon under this agreement.

DOCUMENTATION/REPORTS:

The Contractor shall provide equipment and maintenance reports to the COR if requested during the duration of the contact. The Contractor shall also provide system pre-check and associated documentation at the time the unit is set up at the site where services are to be performed. This is to ensure safety of equipment utilized by the Roseburg Healthcare Center personnel/beneficiaries.

The Contractor shall permit onsite inspection by personnel selected by the Roseburg Healthcare Center without prior notice to ensure the Contractor s equipment is operated in accordance with appropriate safety guidelines and/or regulations as applicable.
Additional Reports/Documentation required by the successful Contractor prior to commencement of services of Preventive Maintenance (PM) / Repair services, unless otherwise stated. This VISN may require specialized documentation to satisfy the requirements of local state and federal government agencies, and independent consultants such as THE JOINT COMMISSION, as well as for services rendered verification for payment of monthly statement. At a minimum, the following information shall be maintained by the Contractor and be available for inspection by a duly authorized VA representative:

Certificate of Insurance not limited to but, includes liability and property insurance of Contractor s furnished equipment which shall be submitted to the Contracting Officer within ten (10) calendar days of receipt of notification of award. It is agreed upon and understood that the Roseburg Healthcare Center or VISN 20 shall not be held responsible for any damage or vandalism, which may be caused to the Contractor s equipment while on Roseburg Healthcare Center premises.

Required Federal, State and local licenses.
DELIVERY/ SETUP AND REMOVAL OF CONTRACTOR S EQUIPMENT: Contractor shall be responsible for the timely removal of the MRI trailer from the Roseburg Healthcare Center as agreed upon with the COR not to exceed a 24-hour period after completion of the last procedure.
Ensure the Mobile Trailer is delivered and hooked up by 7:30 AM Monday.
Removal of Mobile Trailer in a timely manner at the completion of Contract.

11. GOVERNMENT FURNISHED FACILITIES, SERVICES, SUPPLIES AND EQUIPMENT:

a. The VA facility shall provide all patient services and MRI Technologists.

Retain full medical responsibility for its patients and shall be responsible for patient upon pickup at the Roseburg Healthcare Center designated waiting area, while on the Mobile unit and during the entire scanning procedure until patient is returned to the designated waiting area.

The facility will be responsible for transporting patients to and from the Contractor furnished Mobile Trailer.

The VA facility shall ensure each patient arriving for the MRI scans has a written physician order to receive services and such other forms or information as required.

The VA facility will designate in writing one or more qualified physicians who will review orders for appropriateness, interpret MRI reports and take such other steps as may be medically necessary.

b. The Roseburg Healthcare Center facilities will provide the following services, supplies and facilities:

All medical supplies, facilities, personnel and physicians required to provide patients with such emergency medical care as may be required, including oxygen, aspirator and defibrillator when deemed necessary.

The successful Contactor shall provide during the Post Award Orientation a reasonable list of incidental supplies which may be necessary. (Excluding those which are defined as the Contractor s responsibility).

12. COMMENCEMENT OF SERVICES:

Commencement of service date is to be coordinated with the COR. Unit must be ready for patient services no later than 30 days after contract award unless otherwise agreed to in writing with the Contracting Officer.

13. PLACE OF INSPECTION AND ACCEPTANCE:

Delivery location of MRI Mobile Trailer site shall be coordinated with the COR.

14. SCOPE OF INSPECTION:

a. Compliance with Statement of Work will be inspected for content, completeness, and accuracy and conformance to contract requirements by the COR or his/her designee. Inspection will include validation of information or software through the use of automated tools and/or testing of the deliverables, as specified in the contract order. The scope and nature of this testing must be negotiated prior to the contract award and will be sufficiently comprehensive to ensure the completeness, quality and adequacy of all deliverables.

b. In the event that rework of a Scan is required due to no fault of the Veteran Administration or the Veteran beneficiary, the contractor agrees to remake or replace the scan at no cost to the Veteran Administration or to the Veteran beneficiary.

c. Reports, documents and narrative type deliverables shall only be accepted when all discrepancies, errors or other deficiencies identified in writing by the government have been corrected.

Maintenance logs shall be available upon request.

Payment Reconciliation will be accomplished by the Government monthly. The COR or Designated Ordering Office or Officer will validate invoices by reconciliation. If issues occur the COR or Designated Ordering Officer will contact the contractor for clarification and/or correction.

15. VA HANDBOOK 6500.6: Appendix B Security Clause

852.273-75 - SECURITY REQUIREMENTS FOR UNCLASSIFIED INFORMATION
TECHNOLOGY RESOURCES (INTERIM- OCTOBER 2008)
As prescribed in 839.201, insert the following clause:
The contractor, their personnel, and their subcontractors shall be subject to the Federal laws,
regulations, standards, and VA Directives and Handbooks regarding information and
information system security as delineated in this contract.
(END OF CLAUSE)

16. VA HANDB OOK 6500.6: VA Information and Information System Security/Privacy

1. GENERAL
Contractors, contractor personnel, subcontractors, and subcontractor personnel shall be
subject to the same Federal laws, regulations, standards, and VA Directives and Handbooks as VA and VA personnel regarding information and information system security.

2. ACCESS TO VA INFORMATION AND VA INFORMATION SYSTEMS

a. A contractor/subcontractor shall request logical (technical) or physical access to VA
information and VA information systems for their employees, subcontractors, and affiliates only to the extent necessary to perform the services specified in the contract, agreement, or task order.

b. All contractors, subcontractors, and third-party servicers and associates working with
VA information are subject to the same investigative requirements as those of VA appointees or employees who have access to the same types of information. The level and process of background security investigations for contractors must be in accordance with VA Directive and Handbook 0710, Personnel Suitability and Security Program. The Office for Operations, Security, and Preparedness is responsible for these policies and procedures.

c. Contract personnel who require access to national security programs must have a valid security clearance. National Industrial Security Program (NISP) was established by Executive Order 12829 to ensure that cleared U.S. defense industry contract personnel safeguard the classified information in their possession while performing work on contracts, programs, bids, or research and development efforts. The Department of Veterans Affairs does not have a Memorandum of Agreement with Defense Security Service (DSS). Verification of a Security Clearance must be processed through the Special Security Officer located in the Planning and National Security Service within the Office of Operations, Security, and Preparedness.

d. Custom software development and outsourced operations must be located in the U.S.
to the maximum extent practical. If such services are proposed to be performed abroad and
are not disallowed by other VA policy or mandates, the contractor/subcontractor must state
where all non-U.S. services are provided and detail a security plan, deemed to be acceptable
by VA, specifically to address mitigation of the resulting problems of communication, control,
data protection, and so forth. Location within the U.S. may be an evaluation factor.

e. The contractor or subcontractor must notify the Contracting Officer immediately when
an employee working on a VA system or with access to VA information is reassigned or leaves
the contractor or subcontractor s employ. The Contracting Officer must also be notified
immediately by the contractor or subcontractor prior to an unfriendly termination.

3. VA INFORMATION CUSTODIAL LANGUAGE
a. Information made available to the contractor or subcontractor by VA for the performance
or administration of this contract or information developed by the contractor/subcontractor in
performance or administration of the contract shall be used only for those purposes and shall
not be used in any other way without the prior written agreement of the VA. This clause
expressly limits the contractor/subcontractor's rights to use data as described in Rights in Data
- General, FAR 52.227-14(d) (1).

b. VA information should not be co-mingled, if possible, with any other data on the
contractors/subcontractor s information systems or media storage systems in order to ensure
VA requirements related to data protection and media sanitization can be met. If co-mingling
must be allowed to meet the requirements of the business need, the contractor must ensure
that VA s information is returned to the VA or destroyed in accordance with VA s sanitization
requirements. VA reserves the right to conduct onsite inspections of contractor and
subcontractor IT resources to ensure data security controls, separation of data and job duties,
and destruction/media sanitization procedures are in compliance with VA directive
requirements.
c. Prior to termination or completion of this contract, contractor/subcontractor must not
destroy information received from VA, or gathered/created by the contractor in the course of
performing this contract without prior written approval by the VA. Any data destruction done on
behalf of VA by a contractor/subcontractor must be done in accordance with National Archives
and Records Administration (NARA) requirements as outlined in VA Directive 6300, Records
and Information Management and its Handbook 6300.1 Records Management Procedures,
applicable VA Records Control Schedules, and VA Handbook 6500.1, Electronic Media
Sanitization. Self-certification by the contractor that the data destruction requirements above
have been met must be sent to the VA Contracting Officer within 30 days of termination of the
contract.

d. The contractor/subcontractor must receive, gather, store, back up, maintain, use,
disclose and dispose of VA information only in compliance with the terms of the contract and
applicable Federal and VA information confidentiality and security laws, regulations and
policies. If Federal or VA information confidentiality and security laws, regulations and policies
become applicable to the VA information or information systems after execution of the
contract, or if NIST issues or updates applicable FIPS or Special Publications (SP) after
execution of this contract, the parties agree to negotiate in good faith to implement the
information confidentiality and security laws, regulations and policies in this contract.

e. The contractor/subcontractor shall not make copies of VA information except as
authorized and necessary to perform the terms of the agreement or to preserve electronic
information stored on contractor/subcontractor electronic storage media for restoration in case
any electronic equipment or data used by the contractor/subcontractor needs to be restored to
an operating state. If copies are made for restoration purposes, after the restoration is
complete, the copies must be appropriately destroyed.

f. If VA determines that the contractor has violated any of the information confidentiality,
privacy, and security provisions of the contract, it shall be sufficient grounds for VA to withhold
payment to the contractor or third party or terminate the contract for default or terminate for
cause under Federal Acquisition Regulation (FAR) part 12.

g. If a VHA contract is terminated for cause, the associated BAA must also be terminated
and appropriate actions taken in accordance with VHA Handbook 1600.01, Business
Associate Agreements. Absent an agreement to use or disclose protected health information,
there is no business associate relationship.

h. The contractor/subcontractor must store, transport, or transmit VA sensitive information
in an encrypted form, using VA-approved encryption tools that are, at a minimum, FIPS 140-2
validated.

i. The contractor/subcontractor s firewall and Web services security controls, if applicable,
shall meet or exceed VA s minimum requirements. VA Configuration Guidelines are available
upon request.

j. Except for uses and disclosures of VA information authorized by this contract for
performance of the contract, the contractor/subcontractor may use and disclose VA information
only in two other situations: (i) in response to a qualifying order of a court of competent
jurisdiction, or (ii) with VA s prior written approval. The contractor/subcontractor must refer all
requests for, demands for production of, or inquiries about, VA information and information
systems to the VA contracting officer for response.
k. Notwithstanding the provision above, the contractor/subcontractor shall not release VA
records protected by Title 38 U.S.C. 5705, confidentiality of medical quality assurance records
and/or Title 38 U.S.C. 7332, confidentiality of certain health records pertaining to drug
addiction, sickle cell anemia, alcoholism or alcohol abuse, or infection with human
immunodeficiency virus. If the contractor/subcontractor is in receipt of a court order or other
requests for the above-mentioned information, that contractor/subcontractor shall immediately
refer such court orders or other requests to the VA contracting officer for response.

l. For service that involves the storage, generating, transmitting, or exchanging of VA
sensitive information but does not require C&A or an MOU-ISA for system interconnection, the
contractor/subcontractor must complete a Contractor Security Control Assessment (CSCA) on
a yearly basis and provide it to the COR.

4. INFORMATION SYSTEM DESIGN AND DEVELOPMENT

a. Information systems that are designed or developed for or on behalf of VA at non-VA
facilities shall comply with all VA directives developed in accordance with FISMA, HIPAA,
NIST, and related VA security and privacy control requirements for Federal information
systems. This includes standards for the protection of electronic PHI, outlined in 45 C.F.R.
Part 164, Subpart C, information and system security categorization level designations in
accordance with FIPS 199 and FIPS 200 with implementation of all baseline security controls
commensurate with the FIPS 199 system security categorization (reference Appendix D of VA
Handbook 6500, VA Information Security Program). During the development cycle a Privacy
Impact Assessment (PIA) must be completed, provided to the COR, and approved by the VA
Privacy Service in accordance with Directive 6507, VA Privacy Impact Assessment.

b. The contractor/subcontractor shall certify to the COR that applications are fully
functional and operate correctly as intended on systems using the VA Federal Desktop Core
Configuration (FDCC), and the common security configuration guidelines provided by NIST or
the VA. This includes Internet Explorer 7 configured to operate on Windows XP and Vista (in
Protected Mode on Vista) and future versions, as required.

c. The standard installation, operation, maintenance, updating, and patching of software
shall not alter the configuration settings from the VA approved and FDCC configuration.
Information technology staff must also use the Windows Installer Service for installation to the
default program files directory and silently install and uninstall.

d. Applications designed for normal end users shall run in the standard user context
without elevated system administration privileges.

e. The security controls must be designed, developed, approved by VA, and implemented
in accordance with the provisions of VA security system development life cycle as outlined in
NIST Special Publication 800-37, Guide for Applying the Risk Management Framework to
Federal Information Systems, VA Handbook 6500, Information Security Program and VA
Handbook 6500.5, Incorporating Security and Privacy in System Development Lifecycle.

f. The contractor/subcontractor is required to design, develop, or operate a System of
Records Notice (SOR) on individuals to accomplish an agency function subject to the Privacy
Act of 1974, (as amended), Public Law 93-579, December 31, 1974 (5 U.S.C. 552a) and
applicable agency regulations. Violation of the Privacy Act may involve the imposition of
criminal and civil penalties.
g. The contractor/subcontractor agrees to:

(1) Comply with the Privacy Act of 1974 (the Act) and the agency rules and regulations
issued under the Act in the design, development, or operation of any system of records on
individuals to accomplish an agency function when the contract specifically identifies:
(a) The Systems of Records (SOR); and
(b) The design, development, or operation work that the contractor/subcontractor is to
perform;
(2) Include the Privacy Act notification contained in this contract in every solicitation and
resulting subcontract and in every subcontract awarded without a solicitation, when the work
statement in the proposed subcontract requires the redesign, development, or operation of a
SOR on individuals that is subject to the Privacy Act; and
(3) Include this Privacy Act clause, including this subparagraph (3), in all subcontracts
awarded under this contract which requires the design, development, or operation of such a
SOR.
h. In the event of violations of the Act, a civil action may be brought against the agency
involved when the violation concerns the design, development, or operation of a SOR on
individuals to accomplish an agency function, and criminal penalties may be imposed upon the
officers or employees of the agency when the violation concerns the operation of a SOR on
individuals to accomplish an agency function. For purposes of the Act, when the contract is for
the operation of a SOR on individuals to accomplish an agency function, the
contractor/subcontractor is considered to be an employee of the agency.

(1) Operation of a System of Records means performance of any of the activities
associated with maintaining the SOR, including the collection, use, maintenance, and
dissemination of records.
(2) Record means any item, collection, or grouping of information about an individual that
is maintained by an agency, including, but not limited to, education, financial transactions,
medical history, and criminal or employment history and contains the person s name, or identifying number, symbol, or any other identifying particular assigned to the individual, such as a fingerprint or voiceprint, or a photograph.
(3) System of Records means a group of any records under the control of any agency
from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.

i. The vendor shall ensure the security of all procured or developed systems and
technologies, including their subcomponents (hereinafter referred to as Systems ), throughout
the life of this contract and any extension, warranty, or maintenance periods. This includes,
but is not limited to workarounds, patches, hotfixes, upgrades, and any physical components
(hereafter referred to as Security Fixes) which may be necessary to fix all security
vulnerabilities published or known to the vendor anywhere in the Systems, including Operating
Systems and firmware. The vendor shall ensure that Security Fixes shall not negatively impact
the Systems.

j. The vendor shall notify VA within 24 hours of the discovery or disclosure of successful
exploits of the vulnerability which can compromise the security of the Systems (including the
confidentiality or integrity of its data and operations, or the availability of the system). Such
issues shall be remediated as quickly as is practical, but in no event longer than _30_ days.

k. When the Security Fixes involve installing third party patches (such as Microsoft OS
patches or Adobe Acrobat), the vendor will provide written notice to the VA that the patch has
been validated as not affecting the Systems within 10 working days. When the vendor is
responsible for operations or maintenance of the Systems, they shall apply the Security Fixes
within three days.

l. All other vulnerabilities shall be remediated as specified in this paragraph in a timely
manner based on risk, but within 60 days of discovery or disclosure. Exceptions to this
paragraph (e.g. for the convenience of VA) shall only be granted with approval of the
contracting officer and the VA Assistant Secretary for Office of Information and Technology.

5. INFORMATION SYSTEM HOSTING, OPERATION, MAINTENANCE, OR USE

a. For information systems that are hosted, operated, maintained, or used on behalf of VA
at non-VA facilities, contractors/subcontractors are fully responsible and accountable for
ensuring compliance with all HIPAA, Privacy Act, FISMA, NIST, FIPS, and VA security and
privacy directives and handbooks. This includes conducting compliant risk assessments,
routine vulnerability scanning, system patching and change management procedures, and the
completion of an acceptable contingency plan for each system. The contractor s security
control procedures must be equivalent, to those procedures used to secure VA systems. A
Privacy Impact Assessment (PIA) must also be provided to the COTR and approved by VA
Privacy Service prior to operational approval. All external Internet connections to VA s network
involving VA information must be reviewed and approved by VA prior to implementation.

b. Adequate security controls for collecting, processing, transmitting, and storing of
Personally, Identifiable Information (PII), as determined by the VA Privacy Service, must be in
place, tested, and approved by VA prior to hosting, operation, maintenance, or use of the
information system, or systems by or on behalf of VA. These security controls are to be
assessed and stated within the PIA and if these controls are determined not to be in place, or
inadequate, a Plan of Action and Milestones (POA&M) must be submitted and approved prior
to the collection of PII.

c. Outsourcing (contractor facility, contractor equipment or contractor staff) of systems or
network operations, telecommunications services, or other managed services requires
certification and accreditation (authorization) (C&A) of the contractor s systems in accordance
with VA Handbook 6500.3, Certification and Accreditation and/or the VA OCS Certification
Program Office. Government-owned (government facility or government equipment)
contractor-operated systems, third party or business partner networks require memorandums
of understanding and interconnection agreements (MOU-ISA) which detail what data types
are shared, who has access, and the appropriate level of security controls for all systems
connected to VA networks.

d. The contractor/subcontractor s system must adhere to all FISMA, FIPS, and NIST
standards related to the annual FISMA security controls assessment and review and update
the PIA. Any deficiencies noted during this assessment must be provided to the VA
contracting officer and the ISO for entry into VA s POA&M management process. The
contractor/subcontractor must use VA s POA&M process to document planned remedial
actions to address any deficiencies in information security policies, procedures, and practices,
and the completion of those activities. Security deficiencies must be corrected within the
timeframes approved by the government. Contractor/subcontractor procedures are subject to
periodic, unannounced assessments by VA officials, including the VA Office of Inspector
General. The physical security aspects associated with contractor/subcontractor activities
must also be subject to such assessments. If major changes to the system occur that may
affect the privacy or security of the data or the system, the C&A of the system may need to be
reviewed, retested and re-authorized per VA Handbook 6500.3. This may require reviewing
and updating all of the documentation (PIA, System Security Plan, Contingency Plan). The
Certification Program Office can provide guidance on whether a new C&A would be necessary.

e. The contractor/subcontractor must conduct an annual self-assessment on all systems
and outsourced services as required. Both hard copy and electronic copies of the assessment
must be provided to the COTR. The government reserves the right to conduct such an
assessment using government personnel or another contractor/subcontractor. The
contractor/subcontractor must take appropriate and timely action (this can be specified in the
contract) to correct or mitigate any weaknesses discovered during such testing, generally at no
additional cost.

f. VA prohibits the installation and use of personally-owned or contractor/subcontractor owned
equipment or software on VA s network. If non-VA owned equipment must be used to
fulfill the requirements of a contract, it must be stated in the service agreement, SOW or
contract. All of the security controls required for government furnished equipment (GFE) must
be utilized in approved other equipment (OE) and must be funded by the owner of the
equipment. All remote systems must be equipped with, and use, a VA-approved antivirus (AV)
software and a personal (host-based or enclave based) firewall that is configured with a VA approved
configuration. Software must be kept current, including all critical updates and
patches. Owners of approved OE are responsible for providing and maintaining the anti-viral
software and the firewall on the non-VA owned OE.

g. All electronic storage media used on non-VA leased or non-VA owned IT equipment
that is used to store, process, or access VA information must be handled in adherence with VA
Handbook 6500.1, Electronic Media Sanitization upon: (i) completion or termination of the
contract or (ii) disposal or return of the IT equipment by the contractor/subcontractor or any
person acting on behalf of the contractor/subcontractor, whichever is earlier. Media (hard
drives, optical disks, CDs, back-up tapes, etc.) used by the contractors/subcontractors that
contain VA information must be returned to the VA for sanitization or destruction or the
contractor/subcontractor must self-certify that the media has been disposed of per 6500.1
requirements. This must be completed within 30 days of termination of the contract.

h. Bio-Medical devices and other equipment or systems containing media (hard drives,
optical disks, etc.) with VA sensitive information must not be returned to the vendor at the end
of lease, for trade-in, or other purposes. The options are:
(1) Vendor must accept the system without the drive;
(2) VA s initial medical device purchase includes a spare drive which must be installed in
place of the original drive at time of turn-in; or
(3) VA must reimburse the company for media at a reasonable open market replacement
cost at time of purchase.
(4) Due to the highly specialized and sometimes proprietary hardware and software
associated with medical equipment/systems, if it is not possible for the VA to retain the hard
drive, then;
(a) The equipment vendor must have an existing BAA if the device being traded in has
sensitive information stored on it and hard drive(s) from the system are being returned physically intact; and
(b) Any fixed hard drive on the device must be non-destructively sanitized to the greatest
extent possible without negatively impacting system operation. Selective clearing down to patient data folder level is recommended using VA approved and validated overwriting
technologies/methods/tools. Applicable media sanitization specifications need to be preapproved and described in the purchase order or contract.
(c) A statement needs to be signed by the Director (System Owner) that states that the
drive could not be removed and that (a) and (b) controls above are in place and completed. The ISO needs to maintain the documentation.

6. SECURITY INCIDENT INVESTIGATION

a. The term security incident means an event that has, or could have, resulted in
unauthorized access to, loss or damage to VA assets, or sensitive information, or an action
that breaches VA security procedures. The contractor/subcontractor shall immediately notify
the COTR and simultaneously, the designated ISO and Privacy Officer for the contract of any
known or suspected security/privacy incidents, or any unauthorized disclosure of sensitive
information, including that contained in system(s) to which the contractor/subcontractor has
access.

b. To the extent known by the contractor/subcontractor, the contractor/subcontractor s
notice to VA shall identify the information involved, the circumstances surrounding the incident (including to whom, how, when, and where the VA information or assets were placed at risk or compromised), and any other information that the contractor/subcontractor considers relevant.

c. With respect to unsecured protected health information, the business associate is
deemed to have discovered a data breach when the business associate knew or should have
known of a breach of such information. Upon discovery, the business associate must notify
the covered entity of the breach. Notifications need to be made in accordance with the
executed business associate agreement.

d. In instances of theft or break-in or other criminal activity, the contractor/subcontractor
must concurrently report the incident to the appropriate law enforcement entity (or entities) of
jurisdiction, including the VA OIG and Security and Law Enforcement. The contractor, its
employees, and its subcontractors and their employees shall cooperate with VA and any law
enforcement authority responsible for the investigation and prosecution of any possible
criminal law violation(s) associated with any incident. The contractor/subcontractor shall
cooperate with VA in any civil litigation to recover VA information, obtain monetary or other
compensation from a third party for damages arising from any incident, or obtain injunctive
relief against any third party arising from, or related to, the incident.

7. LIQUIDATED DAMAGES FOR DATA BREACH

a. Consistent with the requirements of 38 U.S.C. §5725, a contract may require access to
sensitive personal information. If so, the contractor is liable to VA for liquidated damages in
the event of a data breach or privacy incident involving any SPI the contractor/subcontractor
processes or maintains under this contract.

b. The contractor/subcontractor shall provide notice to VA of a security incident as set
forth in the Security Incident Investigation section above. Upon such notification, VA must
secure from a non-Department entity or the VA Office of Inspector General an independent
risk analysis of the data breach to determine the level of risk associated with the data breach for
the potential misuse of any sensitive personal information involved in the data breach. The
term 'data breach' means the loss, theft, or other unauthorized access, or any access other
than that incidental to the scope of employment, to data containing sensitive personal
information, in electronic or printed form, that results in the potential compromise of the
confidentiality or integrity of the data. Contractor shall fully cooperate with the entity
performing the risk analysis. Failure to cooperate may be deemed a material breach and
grounds for contract termination.

c. Each risk analysis shall address all relevant information concerning the data breach,
including the following:

(1) Nature of the event (loss, theft, unauthorized access);
(2) Description of the event, including:
(a) date of occurrence;
(b) data elements involved, including any PII, such as full name, social security
number, date of birth, home address, account number, disability code;
(3) Number of individuals affected or potentially affected;
(4) Names of individuals or groups affected or potentially affected;
(5) Ease of logical data access to the lost, stolen or improperly accessed data in light of
the degree of protection for the data, e.g., unencrypted, plain text;
(6) Amount of time the data has been out of VA control;
(7) The likelihood that the sensitive personal information will or has been compromised
(made accessible to and usable by unauthorized persons);
(8) Known misuses of data containing sensitive personal information, if any;
(9) Assessment of the potential harm to the affected individuals;
(10) Data breach analysis as outlined in 6500.2 Handbook, Management of Security and
Privacy Incidents, as appropriate; and
(11) Whether credit protection services may assist record subjects in avoiding or
mitigating the results of identity theft based on the sensitive personal information that may have been compromised.

d. Based on the determinations of the independent risk analysis, the contractor shall be
responsible for paying to the VA liquidated damages in the amount of $______ per affected
individual to cover the cost of providing credit protection services to affected individuals
consisting of the following:

(1) Notification;
(2) One year of credit monitoring services consisting of automatic daily monitoring of at
Least 3 relevant credit bureau reports;
(3) Data breach analysis;
(4) Fraud resolution services, including writing dispute letters, initiating fraud alerts and
credit freezes, to assist affected individuals to bring matters to resolution;
(5) One year of identity theft insurance with $20,000.00 coverage at $0 deductible; and
(6) Necessary legal expenses the subjects may incur to repair falsified or damaged credit
records, histories, or financial affairs.

8. SECURITY CONTROLS COMPLIANCE TESTING

On a periodic basis, VA, including the Office of Inspector General, reserves the right to
evaluate any or all of the security controls and privacy practices implemented by the contractor
under the clauses contained within the contract. With 10 working-days notice, at the request
of the government, the contractor must fully cooperate and assist in a government-sponsored
security controls assessment at each location wherein VA information is processed or stored,
or information systems are developed, operated, maintained, or used on behalf of VA,
including those initiated by the Office of Inspector General. The government may conduct a
security control assessment on shorter notice (to include unannounced assessments) as
determined by VA in the event of a security incident or at any other time.

9. TRAINING

a. All contractor employees and subcontractor employees requiring access to VA
information and VA information systems shall complete the following before being granted
access to VA information and its systems:

(1) Sign and acknowledge (either manually or electronically) understanding of and
responsibilities for compliance with the Contractor Rules of Behavior, Appendix E
relating to access to VA information and information systems;
(2) Successfully complete the VA Cyber Security Awareness and Rules of Behavior
training and annually complete required security training;
(3) Successfully complete the appropriate VA privacy training and annually complete
required privacy training; and
(4) Successfully complete any additional cyber security or privacy training, as required
for VA personnel with equivalent information system access [to be defined by the VA
program official and provided to the contracting officer for inclusion in the
solicitation document e.g., any role-based information security training required in
accordance with NIST Special Publication 800-16, Information Technology Security
Training Requirements.]
b. The contractor shall provide to the contracting officer and/or the COR a copy
of the training certificates and certification of signing the Contractor Rules of
Behavior for each applicable employee within 1 week of the initiation of the
contract and annually thereafter, as required.
c. Failure to complete the mandatory annual training and sign the Rules of
Behavior annually, within the timeframe required, is grounds for suspension or
termination of all physical or electronic access privileges and removal from
work on the contract until such time as the training and documents are
complete.


Potential Businesses having the capabilities necessary to provide the above stated equipment services are invited to respond to this Sources Sought Notice via e-mail to Gregory.watson2@va.gov no later than 06/11/23. No telephone inquiries will be accepted.
RESPONSES SHOULD INCLUDE THE FOLLOWING INFORMATION: company name, address, and business size, point of contact name, phone number, and e-mail address, OEM Certifications for Technicians to provide the services must be included in the response. OEM documentation confirming access to all required OEM parts must be included in the response.
Please note whether system is presently offered on a current Government contract. NAICS Code 532490 is applicable to determine business size standard. Any questions or concerns may also be directed to Gregory.watson2@va.gov via e-mail.
Disclaimer and Important Notes:
This Sources Sought Notice does not obligate the Government to award a contract or otherwise pay for the information provided in response. The Government reserves the right to use information provided by respondents for any purpose deemed necessary and legally appropriate. The Government will treat any information received as proprietary and will not share such information with other companies. Any organization responding to this Sources Sought Notice should ensure that its response is complete and sufficiently detailed to allow the Government to determine the organization's qualifications to perform the work. Respondents are advised that the Government is under no obligation to acknowledge receipt of the information received or provide feedback to respondents with respect to any information submitted. The Government may or may not issue a solicitation as a result of this announcement. There is no solicitation available at this time.

Attachments/Links