Esa2 Pws 042021v2 Draft Rfi
TAC-TBD
To serve our Veterans, the mission of VA OI&T, Office of Information Security (OIS) is to
ensure that Veterans’ information, VA information systems and infrastructure are cybersecurity
ready. OIS will accomplish this while ensuring the resiliency of VA’s cybersecurity
infrastructure through proactive monitoring, adaptive responses, adherence to Federal
requirements and best practices, and the recruitment, retention, and development of a
world-class cybersecurity workforce. OIS must continue to evolve its information
security program to address existing deficiencies, match the growing and evolving
cybersecurity threat landscape, minimize risks from the use of new technologies,
and align with Federal cybersecurity strategies and direction. VA Health, Benefits,
Memorial, and Corporate business functions provide services that our Veterans depend
on, and those functions in turn depend on VA’s information systems and data. Protecting
these information systems and data is critical to executing VA’s mission. OIS manages,
oversees, and directs VA’s Information Security Program and provides expert products
and services in Information Security Strategy, Information Security Policy &
Compliance, Cybersecurity Architecture, Cybersecurity Technology and Metrics,
Cybersecurity Operations Center, Information Security Risk Management, and
Cybersecurity Workforce Development.
To protect Veterans’ and VA information, OIS has developed a strategic plan and is
maturing an Enterprise Security Architecture (ESA) with artifacts that link the
organizational and business levels to the lower technical, logical-structure and systems
levels, enabling the consistent deployment of new and secure technologies.
As part of its strategic direction, and in accordance with the Presidential Executive
Order on Strengthening the Cybersecurity of Federal Networks and Critical
Infrastructure, the VA is looking to strengthen the cybersecurity of its information
technology (IT) infrastructure and solutions to support and enhance the Department’s
mission.
The Enterprise Security Architecture (ESA), for the purpose of this document, focuses
on information security and privacy throughout the VA enterprise and represents an
overarching effort to implement a cohesive security architecture that utilizes national
security standards and guidelines, policies, the ESA Framework (i.e., a representation of
the Cybersecurity Framework), Enterprise Architecture Design Patterns, and industry
standards. To ensure mission success, OIS requires Contractor support to define,
develop, and implement the various aspects of ESA required to maintain the
confidentiality, integrity, and availability of Veteran and VA information. The support
provided shall help the VA create, discover, architect (emphasizing the importance
of aligning enterprise architecture requirements to the reference security architecture),
document, and assess cybersecurity solutions that will ensure Veteran and VA
information is not subjected to unacceptable risk when new technologies and solutions
are employed. The expertise needed to satisfy this requirement will span a broad range
of technologies, technical challenges and user experience, including: mobile and
medical devices, the cloud ecosystem, the Internet of Things, zero trust, software-defined
networks, enterprise architecture, application testing and deployment, assessments,
defining business processes, and systems design.
The VA ESA shall align with, support, and enable the VA ESA Strategy to address the
evolving threat landscape, support VA Business and IT Modernization initiatives, and
take advantage of new and emerging security approaches and technologies. The
Contractor shall provide multi-domain support to address VA’s scope, size and
complexity, which includes but is not limited to enterprise architecture, emerging
technologies, networks, mobile, and specialized domain areas (healthcare, medical devices,
cybersecurity, IT Modernization, large-scale architecture, risk management, etc.). The
Contractor shall demonstrate the specialized technical and cybersecurity expertise needed
to advance the new technologies that VA introduces, including the merging of Electronic
Health Records (EHR), cloud computing, Application Programming Interfaces (APIs),
specialized networks (i.e., software-defined networks and security perimeters),
Internet of Things (IoT), zero trust, analytic ecosystems, 5G, and medical devices.
3.1 APPLICABILITY
The Task Order (TO) efforts for this PWS are documented within the scope of the following
paragraphs of the T4NG Basic PWS: 4.1.1 Strategy and Planning; 4.1.2 Standards, Policy,
Procedure and Process Development, and Implementation Support; 4.1.3 Requirements
Development and Analysis Support; 4.1.4 Technology Refresh and Configuration Reviews;
4.1.5 Studies and Analyses; 4.2.2 Architecture Development; 4.7 Enterprise Management
Framework; 4.8.4 Security Management; 4.9 Cyber Security; 4.9.1 Information
Assurance (IA); and 4.9.2 Logical Security.
Travel shall be in accordance with the Federal Travel Regulations (FTR) and requires
advance concurrence and approval by the COR. Two to four days of travel during each
performance period (12-month option executed) are anticipated for program management
(Section 5.1) familiarization, coordination, and facilitation purposes to West Virginia,
Washington, D.C., and Austin, TX. Travel and per diem shall be reimbursed in
accordance with the FTR. Each Contractor invoice must include copies of all receipts that
support the travel costs claimed in the invoice. Local travel within a 50-mile radius of
the Contractor’s normal duty location is considered the cost of doing business and will
not be reimbursed. This includes travel, subsistence, and associated labor charges for
travel time. Travel performed for personal convenience and daily travel to and from work
at the Contractor’s facility will not be reimbursed. Travel, subsistence, and associated
labor charges for travel time beyond a 50-mile radius of the Contractor’s
facility are authorized on a case-by-case basis and must be pre-approved by the COR.
Requests to the Government shall include mileage verification from map applications (e.g.,
MapQuest, Google Maps).
Additionally, the Government has determined that remote access solutions involving
Citrix Access Gateway (CAG) have proven to be an unsatisfactory access method for
completing the tasks within the scope of this specific Task Order (TO). The Government
also understands that Government Furnished Equipment (GFE) is limited to Contractors
requiring direct access to the network to: access development environments and VA
data sources and repositories; install, configure and run TRM-approved software and
tools (e.g., Project Server, PowerBI, Visio, Security Architect, Vovici, Fortify, Eclipse,
SoapUI, WebLogic, LoadRunner, etc.); upload, download and manipulate code, run scripts,
apply patches, etc.; configure and change system settings; and check logs,
troubleshoot/debug, and test/QA.
k. When the Security Fixes involve installing third-party patches (such as
Microsoft OS patches or Adobe Acrobat), the vendor will provide written
notice to VA within 10 working days that the patch has been validated as not
affecting the Systems. When the vendor is responsible for operations or
maintenance of the Systems, it shall apply the Security Fixes based
upon the requirements identified within the TO.
Task Number | Tier 1 / Low Risk | Tier 2 / Moderate Risk | Tier 4 / High Risk
5.1
5.2
5.3
5.4
5.5
5.6
5.7
5.8
The Tasks identified above, and the resulting Position Sensitivity and Background
Investigation requirements, identify, in effect, the Background Investigation requirements
for Contractor individuals, based on the tasks that Contractor personnel will be working on.
The submitted Contractor Staff Roster must indicate the required Background
Investigation Level for each Contractor individual based upon the tasks the Contractor
individual will be working on, in accordance with the Contractor’s submitted proposal.
The Contractor shall assist VA in managing projects (of all sizes) through intake,
initiation, planning, managing and monitoring, execution and closing while assisting VA
in managing the constraints of cost, time, resources, scope and quality with
administrative, project management, graphic artist, and engineering expertise.
Additionally, the Contractor shall utilize and support the Program Management Office’s
Agile methodology for initiating, managing, and deploying projects and assist in the
creation of project charters to assist project sponsors in business case creation,
including scoping, and financial justification.
The Contractor agrees that the personnel identified below as key to supporting this
effort shall not be removed from or replaced on the TO effort without a compelling
reason and without written notification to the Contracting Officer (CO).
If any change to the Key Personnel assigned to the labor categories identified below
becomes necessary (substitutions or additions), the Contractor shall immediately notify
the CO in writing, accompanied by the resume, if applicable, of the proposed
replacement personnel. Replacement personnel shall be of at least substantially equal ability
and qualifications as the individuals currently performing in that category, and the
proposed replacement shall meet or exceed the qualifications designated for that Key
Personnel position. It is expected that substitution or replacement of the personnel will
not occur within the first 90 days after the date of TO award.
The Contractor agrees that it has a contractual obligation to mitigate the consequences
of the loss of Key Personnel and shall promptly secure any necessary replacements in
accordance with (IAW) this PWS section. Failure to replace Key Personnel pursuant to
this clause and without a break in performance of the labor category at issue shall be
considered a condition endangering contract performance and may provide grounds for
default termination.
If at any time the assigned key personnel are unavailable, the Contractor shall notify the
VA in writing and provide an alternate point of contact no later than 48 hours from first
notice of unavailability.
The Contractor shall provide a Program Manager that has the requisite skills as detailed
below:
The Contractor shall provide Subject Matter Expertise in the Enterprise Security
Architecture Lead role. This SME works to ensure that deliverables not only maintain
technical merits but also have high fidelity to stated VA strategies, goals and objectives. The
Chief Architect ensures that deliverables address Customer specific needs, and provides the
overall technical strategy for guidance, policy and implementation that supports ESA PMO
mission needs. The Chief Architect acts as the technical lead for ESA projects. They guide the
execution of specific tasks and the development of deliverables in accordance with the
Performance Work Statement (PWS). They contribute to both scheduled and unscheduled
deliverables. They may function as the primary or contributing author of deliverables. They
shall participate in peer reviews of VA ESA to ensure technical adequacy and alignment to
Customer strategic and mission advancement.
The Contractor shall provide an Enterprise Security Architecture Lead that has the requisite
skills as detailed below:
The Contractor shall provide Senior Enterprise Security Analysts that have the requisite
skills as detailed below:
The Contractor shall provide a Functional Area Expert II that has the requisite skills
as detailed below:
Deliverable:
A. Contractor Project Management Plan
Deliverables:
A. Weekly and Monthly Status and Activity reporting that highlight performance and
accomplishments
B. Weekly Posting of Technical Forum Minutes
C. Monthly Manpower Reports
D. Monthly GFE Inventory Report
E. Contractor’s Quality Assurance Plan
F. Communication Plan between Prime, Subcontractors and other ESA Contractors
G. PMR Status Support
Contractors who have completed these VA training courses within the past 12 or 24
months, depending on the training requirements, and have furnished training certificates
to VA, will not be required to re-take the training courses.
Deliverables:
5.1.6 ONBOARDING
The Contractor shall manage the onboarding of its staff. Onboarding includes steps to
obtain a VA PIV card, network and email account, complete training, initiate background
investigations, and gain physical and logical access. In addition, the Contractor shall
identify individuals who may require elevated privileges to the necessary development
and test environments for the various systems to be enhanced. After review between
the Contractor and the VA COR, a decision will be made as to the necessity of obtaining
GFE for the onboarding staff. If approved, the Contractor shall follow the appropriate steps
to obtain the equipment.
Deliverable:
The Contractor shall work collaboratively with stakeholders (e.g., VA’s Privacy Service,
product line managers, and others) to promote enterprise cybersecurity and privacy
capability standardization and the integration of these standards across the VA enterprise.
The Contractor shall support the VA Director, Enterprise Security Architecture (ESA) in
preparing, introducing and gaining approval for these standards by the appropriate
information security governance boards. The Contractor shall provide ESA artifacts that
satisfy and guide the design, engineering and implementation of required cybersecurity
capabilities, taking into consideration NIST SP 800-53 Security Controls, NSS and
High Value Asset (HVA) baselines.
The Contractor shall leverage the existing ESA Concept of Operations and refine it as
new charters and organizations stand up and existing ones reorganize. The Contractor
shall use the ESA CONOP to influence and establish the procedural integration
baseline for implementing ESA services and products across the Department. To do
so, the Contractor shall support, facilitate and participate in governance boards that
have impact, and assess current and new processes to determine integration points at the
business and lower technical/information system levels. Contractors will not vote on, approve
or concur with any governance decision. Contractors shall review, compare, check for
consistency and alignment, etc., and advise their Government counterpart on suggested
improvements and offer drafted recommendations. The Contractor shall ensure the ESA CONOP
is actionable and supports ESA strategic benefits. It will be reviewed and updated to
evolve and improve these artifacts, including the development of new ESA technical
forum charters.
The Contractor shall work with ESA leadership to develop the ESA Playbook. As we
transition to an Agile construct, ESA will need to define the plays, or approach, for
stakeholders to appropriately engage and leverage our services. The ESA Playbook
will include the eight main elements that have been identified to solve for in
organizational design (Within the structure, solve for 1. organizing principles, 2. framing,
3. overall size and team size, 4. layers and span of control, and 5. reporting structure.
For roles and competencies, solve for the three levels of 6. team, 7. individual, and 8.
cross functional.)
The Contractor shall leverage and update the ESA Threat Model Methodology (TMM)
and Threat Assessment Process when determining investment, capability, and security
risks for new and existing IT, OT, and Healthcare services, to improve guidance for
acquiring and designing products securely. Using the selected VA Security Architecture
tool, the Contractor shall identify, assess, facilitate, and incorporate mappings to
cybersecurity processes, policies, and standards to create architecture reference
models, architecture flows and diagrams. The process flow shall be captured in an
accompanying Standard Operating Procedure (SOP).
The Contractor shall ensure the Enterprise Security Architecture Framework (ESAF) is
consistent with and supports the NIST Cybersecurity Framework. As cybersecurity
considerations are incorporated, they are to be tied back to the Enterprise Security
Architecture and Cybersecurity Frameworks. Additionally, the Contractor shall create a
feedback loop using the results from the risk assessment and ESRAM to improve the
standards and requirements for the existing.
Deliverables:
Contractors shall assist with the development of Technical Positions, White Papers, and
Briefings on enterprise mobile security. Contractors shall influence and assist in the
development of Mobile Security Policies, Guidelines, and Security Standards.
Contractor subject matter experts (SMEs) shall be leveraged to drive mobile security
architecture and the implementation of security capabilities that meet a high state of
organizational readiness, positioning the VA to meet current and future use cases.
These SMEs shall also establish and participate in the ESA Mobile Security Architecture
Strategy Working Group. Contractors shall develop, update, and maintain technical
documents for the VA mobile security ecosystem, provide mobile subject matter expertise
to the VA Mobile Security Strategy and Zero Trust, and support other related efforts. Contractor
resources shall develop Implementation/Procedural Guidance for the VA Mobile Security
Enterprise, including Zero Trust and other efforts, and conduct Threat Modeling for
Mobile Security.
Contractors shall support the development of Mobile Security Use Cases (Gap Analysis,
Risk Assessments, Architecture diagrams, etc.), and develop Mobile Security
Packages. The Contractor shall drive mobile security architecture and the
implementation of security capabilities that positions the VA to meet current mobile use
and future use cases. The Contractor shall support VA project teams in developing
secure architecture solutions to meet mobile strategic and other technical efforts.
Additionally, contractors shall support the development of Security Architecture Reviews
and System Architecture Risk Assessments, and Baseline Reference Architecture
Directive.
The Contractor shall work closely with the MITRE team to develop a Future Network
Security Architecture that will define and coordinate the deployment of cybersecurity
capabilities and security protections to secure the VA network and ensure it corresponds
with the requirements for which it is responsible. The Contractor shall support the following:
Create, update, and maintain White Papers/Technical Strategies, Concept of
Operations, and Network Architecture Designs for Zero Trust, Network Security,
and TIC 3.0 Architectures. Develop technical positions, white papers, and
briefings on Zero Trust, Network Security, and TIC 3.0 Architectures.
Conduct and deliver a Risk Assessment and Gap Analysis to support the
proposed future network security modernization effort, and Develop VA TIC Zero
Trust, Network Security, and TIC 3.0 Policies.
Provide subject matter expertise to drive security architecture and
implementation of Zero Trust, Network Security and TIC 3.0 capabilities, and
Provide subject matter expertise to establish and participate in the ESA Network
Security Architecture Modernization Working Group.
Develop, update, and maintain technical Reference Architectures for Zero Trust,
Network Security, and TIC 3.0 Architectures.
Develop Implementation/Procedural Guidance for VA Zero Trust, Network
Security and TIC 3.0.
Develop Threat Modeling for Zero Trust, Network Security, and TIC 3.0.
Develop Security Design Patterns for Zero Trust, Network Security, and TIC 3.0.
Provide subject matter expertise to drive the implementation of security
architecture of Zero Trust, Network Security and TIC 3.0 capabilities.
Support the development of TIC 3.0, Zero Trust & Network Security Use Cases
(Gap Analysis, Risk Assessments, Architecture diagrams, etc.).
Support VA project teams in developing secure architecture solutions to meet VA
TIC 3.0 compliance.
Support the development of Security Architecture Reviews and risk
assessments.
Deliverables:
A. Audit Logging Procedural Guidance
B. Threat Models
C. System Architecture Risk Assessment (SARA) Reports
D. Update Mobile, Zero Trust, TIC 3.0, (e.g.: Block Chain, 5G) and Network Security
Modernization, Risk Assessments/Gap Analysis
E. Whitepapers/Technology Strategies, Use Cases, and Technology Briefings
F. Security Architecture Packages/Reports
o Reference Architecture Directives/Policies/Procedural Guidance/Security
Standards
o Security Design Pattern
o Implementation Guidelines or Handbook
o Diagrams
o Governance Board Briefing
The Contractor shall support approximately 20 IT, OT, and IoT Programs/Projects for new or
existing systems annually. The Contractor shall analyze each system architecture,
including data flows, to identify cybersecurity threats and vulnerabilities, assess risks, and
align with the business requirements model to produce a Threat Model and System
Architecture Risk Assessment Reports. The Contractor shall collaborate with and
support the implementation, operations and security teams in the use and application
of ESA directives, standards, security patterns and implementing guidelines. The
Contractor shall ensure NIST SP 800-53 Security Controls, the ESA Framework, and
applicable security documentation are considered to adequately secure VA and
Veterans’ data. The Contractor shall serve as a technical cybersecurity subject matter
expert to VA IT and OT Modernization efforts, digital transformation, healthcare, EHR,
specialized medical devices, digital technologies, and other visible and critical
requests.
Deliverables:
A. System Architecture Risk Assessment (SARA) Reports
B. Threat Model
The Contractor shall provide the cybersecurity support needed to define mandatory
security standards and requirements, policy and guidelines, and to incorporate security
and privacy safeguards in VA’s DevSecOps Playbook. The Contractor shall
collaborate with and support the DevSecOps and its Pillars (Agile Center of Excellence
(ACOE), the Software Factory, and platform) to ensure existing and new IT products are
assessed and authorized in accordance with security authorization guidelines.
As part of that shift, the Contractor shall review and assess the security architecture
components of the VA DevSecOps Ecosystem and architecture: Infrastructure
(DevSecOps Hosting Environment), Platform Services (DevSecOps Software Factory)
and Application Framework (Application Servers) for best use at VA. The Contractor
shall consider DevSecOps enabling technologies, such as Compliance-as-Code (CaC),
containers, Infrastructure-as-Code (IaC), microservices, continuous integration and
continuous delivery (CI/CD) techniques as integral components of the VA DevSecOps
security landscape. The Contractor shall also consider DevSecOps impact on current
IT development, security and operations cultures and environment necessary to support
VA’s overall digital transformation to improve services, efficiency, and benefit delivery to
Veterans. The Contractor shall collaborate with stakeholders to eliminate silos, promote
collaboration and teamwork, and provide better, faster delivery.
The Contractor shall support those goals through the deliverables specified below as
well as through active participation in VA working groups to socialize and educate OIS
and other OIT stakeholders on DevSecOps security requirements, activities, and roles
and responsibilities. The Contractor shall also facilitate a DevSecOps working group.
Other activities expected for this task include the preparation of approximately 8-10 white
papers annually, ad-hoc executive briefings, monthly presentations, and providing
cybersecurity and privacy guidance and assistance that support VA DevSecOps
initiatives and project teams.
The Contractor shall provide a DevSecOps Security Package and submit quarterly
thereafter. The package will consist of relevant and necessary Threat Models, Security
Patterns, Directives, Standards and Implementing Guidelines for DevSecOps at VA. As
part of the overall DevSecOps Security Package, the Contractor shall create Security
Patterns for the DevSecOps Infrastructure, Platform and Application Layers of the
proposed DevSecOps Ecosystem at VA.
The Contractor shall also work together with the OIS DevSecOps Government lead and
the VA Enterprise Security Chief Architect to assess DevSecOps effectiveness in the
form of a gap assessment. The Contractor shall support the planning of appropriate risk
mitigation activities and incorporate them into the annual OIS DevSecOps
Implementation Plan. The OIS DevSecOps Implementation Plan shall include the
priorities, activities, and schedules for the Fiscal Year; some of which may require PWS
modification to properly prioritize the schedule of scoped items. The Contractor must
generate an Implementation plan within 30 business days that maps out how to bring
the strategic plan to fruition by breaking it into identifiable steps; where each step is
assigned to a team member to complete by a set timeline.
The Contractor shall prepare a DevSecOps Security Playbook that must provide key
stakeholders with a clear understanding of their responsibilities towards cybersecurity
standards, policies and guidelines. Security is a combination of engineering and
compliance. The DevSecOps Contractor team shall form an alliance between the
development engineers, operations teams, and compliance teams to ensure everyone
in the organization understands the company's security posture and follows the same
standards. The Contractor shall ensure familiarity with the basic principles of application
security, application security testing, and other security engineering practices by
educating stakeholders involved with the delivery process. The Contractor shall
collaborate with developers to better understand threat models and compliance checks,
and ensure they have a working knowledge of how to measure risks and exposures and
implement security controls. The Contractor shall ensure security is applied
consistently across the enterprise as the environment changes and adapts to new
requirements.
Deliverables:
The Contractor shall update ESA Metrics Dashboard to provide a quick view of the
metrics with an ability to drill down to the details on the dashboard(s). The metrics shall
be documented as a part of the ESA Strategy and Security Patterns and must be
integrated into the Metrics Dashboard. From the metrics information acquired, the
Contractor shall provide a monthly ESA Metrics Report and present to the Government
for their situational awareness. Contractor shall provide a Microsoft Word document
that details the methodology and design of the ESA Dashboard. The Metrics SOP
should include the following sections: Table of Contents (Executive Summary,
Introduction, Body), List of Figures, List of Tables, and a Summary of Changes. The
Body listed in the Table of Contents should also include Approaches, Explanations, and
Examples specific to the ESA Dashboard. The Contractor shall maintain the ESA
Dashboard as a PowerBI (or application provided) Dashboards and must be published
to a SharePoint website in the VA’s private cloud (VAEC).
Deliverables:
The ESA MEDTECH Security Architecture framework describes an agile and repeatable
process that enables ESA security architects to assess the risk posture of the VA
MEDTECH ecosystem and support the development of security reference architectures.
These security reference architectures and patterns enable VA enterprise architects and
MEDTECH system owners to build security into future MEDTECH ecosystem solutions
and are aligned with VA’s DevSecOps strategy. The ESA MEDTECH Security
Architecture framework facilitates the secure development, implementation and
integration of transformational healthcare services and technologies across several
Solution Areas, such as medical and healthcare devices, research environments,
telehealth, and EHRM. Some of these efforts include the decommissioning of legacy
healthcare systems.
The Contractor shall support ESA security architects and other VA MEDTECH
ecosystem stakeholders by implementing and updating the MEDTECH Security
Architecture framework for up to four Solution Areas per year. ESA is currently
implementing the MEDTECH Security Architecture framework for two Solution Areas:
healthcare devices and research environments. Several other MEDTECH Solution
Areas have been identified as follow-on efforts. Since there is significant overlap
between the MEDTECH Solution Area requirements and associated VA stakeholders,
the Contractor shall take an integrated and collaborative approach to Solution Area
implementations using well-defined project management, security architecture and
system engineering best practices and standards. Each MEDTECH Solution Area
implementation effort requires analyses and development of security architecture
artifacts in support of system engineering and risk assessments. For each Solution
Area, the Contractor shall develop and update quarterly the following MEDTECH
Solution Area artifacts:
Deliverables:
The Contractor shall provide one or more of the following innovation related capabilities:
Demonstration and Testing of existing IT products/services with realistic data;
Development Modifications and Configurations necessitated from realistic data
processing and findings; new complementary Data and System Orchestration
functionality, consistent/migration capable with existing VA intellectual property; virtual,
augmented and extended reality (VR, AR, XR) platform maturation, e.g. connectivity of
open VR adaptive devices (and equipment), VR application hosting/integration;
unmanned VA Enterprise Cloud (VAEC) support; and Authorization to Operate (ATO)
security engineering and coordination for integration into an operational VAEC instance.
The 5.8 requirement ends after the completion of the base period of performance. The
goal of this requirement is to complete proof-of-concept testing with identified VA
locations and to deliver implementation plans and/or recommendations for expanded
use. Use Cases / Models shall be developed to test out capabilities and configuration
scenarios. SCRUM Demonstrations/Testing, Use Case Diagrams and Briefings to
assess progress and test results shall be performed monthly by the Contractor through
the base period of performance. The Project Plan and Schedule shall be developed
collaboratively with the Government lead.
Deliverables:
A. Technical / Quality of Product or Service
   1. Shows understanding of requirements
   2. Efficient and effective in meeting requirements
   3. Meets technical needs and mission requirements
   4. Provides quality services/products
   Satisfactory or higher
D. Management
   1. Integration and coordination of all activities to execute effort
   Satisfactory or higher
The COR will utilize a Quality Assurance Surveillance Plan (QASP) throughout the life
of the TO to ensure that the Contractor is performing the services required by this PWS
at an acceptable level of performance. The Government reserves the right to alter or
change the QASP at its own discretion. A Performance Based Service Assessment will
be used by the COR in accordance with the QASP to assess Contractor performance.
The following Section 508 Requirements supersede Addendum A, Section A3 from the
T4NG Basic PWS.
The Section 508 standards established by the Access Board are incorporated into, and
made part of all VA orders, solicitations and purchase orders developed to procure ICT.
These standards are found in their entirety at:
https://www.access-board.gov/guidelines-and-standards/communications-and-it/about-the-ict-refresh/final-rule/text-of-the-standards-and-guidelines.
A printed copy of the standards will be supplied upon request.
Federal agencies must comply with the updated Section 508 Standards beginning on
January 18, 2018. The Final Rule as published in the Federal Register is available from
the Access Board:
https://www.access-board.gov/guidelines-and-standards/communications-and-it/about-the-ict-refresh/final-rule.
The Contractor shall comply with “508 Chapter 2: Scoping Requirements” for all
electronic ICT and content delivered under this contract. Specifically, as appropriate for
the technology and its functionality, the Contractor shall comply with the technical
standards marked here:
The Government reserves the right to test for Section 508 Compliance before delivery.
The Contractor shall be able to demonstrate Section 508 Compliance upon delivery.
All functions related to Acquisition Support shall be on an advisory basis only. Please be
advised that since the awardee of this Task Order will provide systems engineering,
technical direction, specifications, work statements, and evaluation services, some
restrictions on future activities of the awardee may be required in accordance with FAR
9.5 and the clause entitled, Organizational Conflict of Interest, found in Section H of the
T4NG basic contract. The Contractor and its employees, as appropriate, shall be
required to sign Non-Disclosure Agreements (Appendix A).
The Assessment & Authorization (A&A) requirements do not apply, and a Security
Accreditation Package is not required.
Deliverables:
B1. GENERAL
c. Contract personnel who require access to national security programs must have
a valid security clearance. The National Industrial Security Program (NISP) was established
by Executive Order 12829 to ensure that cleared U.S. defense industry contract
personnel safeguard the classified information in their possession while performing work
on contracts, programs, bids, or research and development efforts. The Department of
Veterans Affairs does not have a Memorandum of Agreement with Defense Security
Service (DSS). Verification of a Security Clearance must be processed through the
Special Security Officer located in the Planning and National Security Service within the
Office of Operations, Security, and Preparedness.
2. VA information should not be co-mingled, if possible, with any other data on the
Contractors/Subcontractor’s information systems or media storage systems in order to
ensure VA requirements related to data protection and media sanitization can be met. If
co-mingling must be allowed to meet the requirements of the business need, the
Contractor must ensure that VA information is returned to VA or destroyed in
accordance with VA’s sanitization requirements. VA reserves the right to conduct on-
site inspections of Contractor and Subcontractor IT resources to ensure data security
controls, separation of data and job duties, and destruction/media sanitization
procedures are in compliance with VA directive requirements.
10. Except for uses and disclosures of VA information authorized by this contract for
performance of the contract, the Contractor/Subcontractor may use and disclose VA
information only in two other situations: (i) in response to a qualifying order of a court of
competent jurisdiction, or (ii) with VA prior written approval. The
Contractor/Subcontractor must refer all requests for, demands for production of, or
inquiries about, VA information and information systems to the VA CO for response.
12. For services that involve storing, generating, transmitting, or exchanging
VA sensitive information but do not require Assessment and Authorization (A&A) or a
Memorandum of Understanding-Interconnection Security Agreement (MOU-ISA) for
system interconnection, the Contractor/Subcontractor must complete a Contractor
Security Control Assessment (CSCA) on a yearly basis and provide it to the COR.
2. The Contractor/Subcontractor shall certify to the COR that applications are fully
functional and operate correctly as intended on systems using the VA Federal Desktop
Core Configuration (FDCC), and the common security configuration guidelines provided
by NIST or VA. This includes Internet Explorer 11 configured to operate on Windows 10
and future versions, as required.
4. Applications designed for normal end users shall run in the standard user context
without elevated system administration privileges.
a. Comply with the Privacy Act of 1974 (the Act) and the agency rules and
regulations issued under the Act in the design, development, or operation of any system
of records on individuals to accomplish an agency function when the contract
specifically identifies:
b. Include the Privacy Act notification contained in this contract in every solicitation
and resulting subcontract and in every subcontract awarded without a solicitation, when
the work statement in the proposed subcontract requires the redesign, development, or
operation of a SOR on individuals that is subject to the Privacy Act; and
c. Include this Privacy Act clause, including this subparagraph (c), in all
subcontracts awarded under this contract which requires the design, development, or
operation of such a SOR.
8. In the event of violations of the Act, a civil action may be brought against the
agency involved when the violation concerns the design, development, or operation of a
SOR on individuals to accomplish an agency function, and criminal penalties may be
imposed upon the officers or employees of the agency when the violation concerns the
operation of a SOR on individuals to accomplish an agency function. For purposes of
the Act, when the contract is for the operation of a SOR on individuals to accomplish an
agency function, the Contractor/Subcontractor is considered to be an employee of the
agency.
c. “System of Records” means a group of any records under the control of any
agency from which information is retrieved by the name of the individual or by some
identifying number, symbol, or other identifying particular assigned to the individual.
9. The vendor shall ensure the security of all procured or developed systems and
technologies, including their subcomponents (hereinafter referred to as “Systems”),
throughout the life of this contract and any extension, warranty, or maintenance periods.
This includes, but is not limited to, workarounds, patches, hot fixes, upgrades, and any
physical components (hereafter referred to as Security Fixes) which may be necessary
to fix all security vulnerabilities published or known to the vendor anywhere in the
Systems, including Operating Systems and firmware. The vendor shall ensure that
Security Fixes shall not negatively impact the Systems.
The vendor shall notify VA within 24 hours of the discovery or disclosure of successful
exploits of the vulnerability which can compromise the security of the Systems
(including the confidentiality or integrity of its data and operations, or the availability of
the system). Such issues shall be remediated as quickly as is practical, based upon
the severity of the incident.
When the Security Fixes involve installing third party patches (such as Microsoft OS
patches or Adobe Acrobat), the vendor will provide written notice to VA that the patch
has been validated as not affecting the Systems within 10 working days. When the
vendor is responsible for operations or maintenance of the Systems, they shall apply
the Security Fixes based upon the requirements identified within the contract.
a. For information systems that are hosted, operated, maintained, or used on behalf
of VA at non-VA facilities, Contractors/Subcontractors are fully responsible and
accountable for ensuring compliance with all HIPAA, Privacy Act, FISMA, NIST, FIPS,
and VA security and privacy directives and handbooks. This includes conducting
compliant risk assessments, routine vulnerability scanning, system patching and change
management procedures, and the completion of an acceptable contingency plan for
each system. The Contractor’s security control procedures must be equivalent to those
procedures used to secure VA systems. A Privacy Impact Assessment (PIA) must also
be provided to the COR and approved by VA Privacy Service prior to operational
approval. All external Internet connections to VA network involving VA information must
be in accordance with the TIC Reference Architecture and reviewed and approved by
VA prior to implementation. For Cloud Services hosting, the Contractor shall also
ensure compliance with the Federal Risk and Authorization Management Program
(FedRAMP).
2) VA’s initial medical device purchase includes a spare drive which must be installed
in place of the original drive at time of turn-in; or
4) Due to the highly specialized and sometimes proprietary hardware and software
associated with medical equipment/systems, if it is not possible for VA to retain the
hard drive, then;
a) The equipment vendor must have an existing BAA if the device being traded in
has sensitive information stored on it and hard drive(s) from the system are being
returned physically intact; and
b) Any fixed hard drive on the device must be non-destructively sanitized to the
greatest extent possible without negatively impacting system operation. Selective
clearing down to patient data folder level is recommended using VA approved and
validated overwriting technologies/methods/tools. Applicable media sanitization
specifications need to be preapproved and described in the purchase order or
contract.
c) A statement needs to be signed by the Director (System Owner) that states that
the drive could not be removed and that (a) and (b) controls above are in place and
completed. The ISO needs to maintain the documentation.
a. The term “security incident” means an event that has, or could have, resulted in
unauthorized access to, loss or damage to VA assets, or sensitive information, or an
action that breaches VA security procedures. The Contractor/Subcontractor shall
immediately notify the COR and simultaneously, the designated ISO and Privacy Officer
for the contract of any known or suspected security/privacy incidents, or any
unauthorized disclosure of sensitive information, including that contained in system(s) to
which the Contractor/Subcontractor has access.
c. Each risk analysis shall address all relevant information concerning the data
breach, including the following:
a) date of occurrence;
b) data elements involved, including any PII, such as full name, social
security number, date of birth, home address, account number, disability code;
5) Ease of logical data access to the lost, stolen or improperly accessed data in light
of the degree of protection for the data, e.g., unencrypted, plain text;
7) The likelihood that the sensitive personal information will or has been
compromised (made accessible to and usable by unauthorized persons);
11) Whether credit protection services may assist record subjects in avoiding
or mitigating the results of identity theft based on the sensitive personal information
that may have been compromised.
d. Based on the determinations of the independent risk analysis, the Contractor
shall be responsible for paying to VA liquidated damages in the amount of $37.50 per
affected individual to cover the cost of providing credit protection services to affected
individuals consisting of the following:
1) Notification;
2) One year of credit monitoring services consisting of automatic daily
monitoring of at least 3 relevant credit bureau reports;
3) Data breach analysis;
4) Fraud resolution services, including writing dispute letters, initiating fraud
alerts and credit freezes, to assist affected individuals to bring matters to
resolution;
5) One year of identity theft insurance with $20,000.00 coverage at $0
deductible; and
6) Necessary legal expenses the subjects may incur to repair falsified or
damaged credit records, histories, or financial affairs.
On a periodic basis, VA, including the Office of Inspector General, reserves the right to
evaluate any or all of the security controls and privacy practices implemented by the
Contractor under the clauses contained within the contract. With 10 working-days’
notice, at the request of the Government, the Contractor must fully cooperate and assist
in a Government-sponsored security controls assessment at each location wherein VA
information is processed or stored, or information systems are developed, operated,
maintained, or used on behalf of VA, including those initiated by the Office of Inspector
General. The Government may conduct a security control assessment on shorter notice
(to include unannounced assessments) as determined by VA in the event of a security
incident or at any other time.
B9. TRAINING
b. The Contractor shall provide to the CO and/or the COR a copy of the training
certificates and certification of signing the Contractor Rules of Behavior for each
applicable employee within 2 days of the initiation of the contract and annually
thereafter, as required.
c. Failure to complete the mandatory annual training and electronically sign the
Rules of Behavior annually, within the timeframe required, is grounds for suspension
or termination of all physical or electronic access privileges and removal from work on
the contract until such time as the training and documents are complete.
APPENDIX A
This Agreement refers to Contract/Order _________________ entered into between the Department of
Veterans Affairs and _________________________ (Contractor).
As an officer of <fill in name of Contractor>, authorized to bind the company, I understand that in
connection with our participation in the <fill in program> acquisition under the subject
Contract/Order, Contractor’s employees may acquire or have access to procurement sensitive or
source selection information relating to any aspect of <fill in program> acquisition. Company <fill
in name> hereby agrees that it will obtain Contractor - Employee Personal Financial
Interest/Protection of Sensitive Information Agreements from any and all employees who will be
tasked to perform work under the subject Contract/Order prior to their assignment to that
Contract/Order. The Company shall provide a copy of each signed agreement to the Contracting
Officer. Company <fill in name> acknowledges that the Contractor - Employee Personal Financial
Interest/Protection of Sensitive Information Agreements require Contractor’s employee(s) to
promptly notify Company management in the event that the employee releases any of the
information covered by that agreement and/or whether during the course of their participation, the
employee, his or her spouse, minor children or any member of the employee’s immediate
family/household has/or acquires any holdings or interest whatsoever in any other private
organization (e.g., contractors, offerors, their subcontractors, joint venture partners, or team
members), identified to the employee during the course of the employee’s participation, which may
have an interest in the matter the Company is supporting pursuant to the above stated
Contract/Order. The Company agrees to educate its employees in regard to their conflict of interest
responsibilities.
Company <fill in name> further agrees that it will notify the Contracting Officer within 24 hours, or the
next working day, whichever is later, of any employee violation. The notification will identify the
business organization or other entity, or individual person, to whom the information in question was
divulged and the content of that information. Company <fill in name> agrees, in the event of such
notification, that, unless authorized otherwise by the Contracting Officer, it will immediately withdraw
that employee from further participation in the acquisition until the Organizational Conflict of Interest
issue is resolved.
This agreement shall be interpreted under and in conformance with the laws of the United States.
________________________________________ ________________________________________
_________________________________________ _________________________________________
Should “sensitive information” be provided to me under this Contract/Order, I agree not to discuss or
disclose such information with/to any individual not authorized to receive such information. If there is
any uncertainty as to whether the disclosed information comprises “sensitive information”, I will request
my employer to request a determination in writing from the Department of Veterans Affairs Contracting
Officer as to the need to protect this information from disclosure.
I will promptly notify my employer if, during my participation in the subject Contract/Order, I am
assigned any duties that could affect the interests of a company, business or corporate entity in which
either I, my spouse or minor children, or any member of my immediate family/household has a personal
financial interest. “Financial interest” is defined as compensation for employment in the form of wages,
salaries, commissions, professional fees, or fees for business referrals, or any financial investments in
the business in the form of direct stocks or bond ownership, or partnership interest (excluding non-
directed retirement or other mutual fund investments). In the event that, at a later date, I acquire
actual knowledge of such an interest or my employer becomes involved in proposing for a solicitation
resulting from the work under this Contract/Order, as either an offeror, an advisor to an offeror, or as a
Subcontractor to an offeror, I will promptly notify my employer. I understand this may disqualify me
from any further involvement with this Contract/Order, as agreed upon between the Department of
Veterans Affairs and my company.
Among the possible consequences, I understand that violation of any of the above
conditions/requirements may result in my immediate disqualification or termination from working on
this Contract/Order pending legal and contractual review.
I further understand and agree that all Confidential, Proprietary and/or Sensitive Information shall be
retained, disseminated, released, and destroyed in accordance with the requirements of law and
applicable Federal or Department of Veterans Affairs directives, regulations, instructions, policies and
guidance.
This Agreement shall be interpreted under and in conformance with the laws of the United States.
I agree to the Terms of this Agreement and certify that I have read and understand the above
Agreement. I further certify that the statements made herein are true and correct.
_________________________________________ _________________________________________
_________________________________________ _________________________________________