
ESA2 MODERNIZATION

PERFORMANCE WORK STATEMENT (PWS)


DEPARTMENT OF VETERANS AFFAIRS

Office of Information & Technology

Office of Cyber Security

Enterprise Security Architecture Support

Date: April 20, 2021

TAC-TBD

Task Order PWS Version Number: 1.0


1.0 BACKGROUND
The mission of the Department of Veterans Affairs (VA) is to provide benefits and
services to Veterans of the United States. In meeting these goals, the Office of
Information & Technology (OI&T) strives to provide high quality, effective, efficient, and
secure Information Technology (IT) services to those responsible for providing care to
Veterans at the point of care, as well as throughout all the points of the Veterans’
health care, in an effective, timely, and compassionate manner. VA depends on
Information Management/Information Technology systems to meet mission goals.

To serve our Veterans, the mission of the VA OI&T Office of Information Security (OIS) is to
ensure that Veterans’ information and VA information systems and infrastructure are
cybersecurity ready. OIS will accomplish this while ensuring the resiliency of VA’s cybersecurity
infrastructure through proactive monitoring, adaptive responses, adherence to Federal
requirements and best practices, and the recruitment, retention, and development of a
world-class cybersecurity workforce. OIS must continue to evolve its information
security program to address existing deficiencies, match the growing and evolving
cybersecurity threat landscape, minimize risks from the use of new technologies,
and align with Federal cybersecurity strategies and direction. The VA Health, Benefits,
Memorial, and Corporate business functions that provide the services our Veterans depend
on rely on VA’s information systems and data. Protecting these information systems and
data is critical to executing VA’s mission. OIS manages, oversees, and directs VA’s
Information Security Program and provides expert products and services in Information
Security Strategy, Information Security Policy & Compliance, Cybersecurity Architecture,
Cybersecurity Technology and Metrics, Cybersecurity Operations Center, Information
Security Risk Management, and Cybersecurity Workforce Development.

To protect Veterans’ and VA information, OIS has developed a strategic plan and is
maturing an Enterprise Security Architecture (ESA) with artifacts that link the
organizational and business levels to the lower technical, logical-structure, and systems
levels, enabling the consistent deployment of new and secure technologies.
As part of its strategic direction, and in accordance with the Presidential Executive
Order on Strengthening the Cybersecurity of Federal Networks and Critical
Infrastructure, VA is looking to strengthen the cybersecurity of its information
technology (IT) infrastructure and solutions to support and enhance the Department’s
mission.

The Enterprise Security Architecture (ESA), for the purpose of this document, focuses
on information security and privacy throughout the VA enterprise and represents an
overarching effort to implement a cohesive security architecture that utilizes national
security standards and guidelines, policies, the ESA Framework (i.e., a representation
of the Cybersecurity Framework), Enterprise Architecture Design Patterns, and industry
standards. To ensure mission success, OIS requires Contractor support to define,
develop, and implement the various aspects of ESA required to maintain the
confidentiality, integrity, and availability of Veteran and VA information. The support
provided shall help VA create, discover, architect (emphasizing the importance
of aligning enterprise architecture requirements to the reference security architecture),
document, and assess cybersecurity solutions that will ensure Veteran and VA
information is not subjected to unacceptable risk when new technologies and solutions
are employed. The expertise needed to satisfy this requirement will span a broad range
of technologies, technical challenges, and user experience, including: mobile and
medical devices, the cloud ecosystem, Internet of Things, zero trust, software-defined
networks, enterprise architecture, application testing and deployment, assessments,
defining business processes, and systems design.

2.0 APPLICABLE DOCUMENTS


The Contractor shall utilize the following documents, in addition to Paragraph 2.0 in the
ESA2M Basic Performance Work Statement (PWS), in the performance of this effort.

1. Cloud Security Architecture Security Patterns (Attachment A)
2. Cloud Security Architecture Strategy (Attachment B)
3. Cloud Security Architecture Framework (Attachment C)
4. Department of Veterans Affairs Office of Inspector General Audit and
Evaluation; https://www.va.gov/oig/pubs/VAOIG-18-02127-64.pdf

3.0 SCOPE OF WORK


The Contractor shall provide technical and programmatic support services, including the
development and maintenance of the ESA artifacts, administrative engineering support, and
the facilitation of the enterprise-wide use of the VA ESA. The VA ESA shall support an
integrated VA-wide risk management program in accordance with NIST SP 800-39,
Managing Information Security Risk, at the Organization (High Level), Mission (Business), and
Information System views (system views may include, but are not limited to, logical,
data, and tactical views). The VA ESA shall be comprehensive and consist of artifacts that
support the VA risk management process at the: (i) organization level (VA-level); (ii)
mission/business process level (VHA, VBA, NCA, and VACO); and (iii) information
system level.

The VA ESA shall align with, support, and enable the VA ESA Strategy to address the
evolving threat landscape, support VA Business and IT Modernization initiatives, and
take advantage of new and emerging security approaches and technologies. The
Contractor shall provide multi-domain support to address VA’s scope, size, and
complexity, which includes but is not limited to enterprise architecture, emerging
technologies, networks, mobile, and specialized domain areas (healthcare, medical devices,
cybersecurity, IT Modernization, large-scale architecture, risk management, etc.). The
Contractor shall demonstrate the specialized technical and cybersecurity expertise needed
to advance the new technologies that VA introduces, including the merging of Electronic
Health Records (EHR), cloud computing, Application Programming Interfaces (APIs),
specialized networks (i.e., software-defined networks and security perimeters),
Internet of Things (IoT), zero trust, analytic ecosystems, 5G, and medical devices.

3.1 APPLICABILITY
The Task Order (TO) effort for this PWS is documented within the scope of the following
paragraphs of the T4NG Basic PWS: 4.1.1 Strategy and Planning; 4.1.2 Standards, Policy,
Procedure and Process Development, and Implementation Support; 4.1.3 Requirements
Development and Analysis Support; 4.1.4 Technology Refresh and Configuration Reviews;
4.1.5 Studies and Analyses; 4.2.2 Architecture Development; 4.7 Enterprise Management
Framework; 4.8.4 Security Management; 4.9 Cyber Security; 4.9.1 Information
Assurance (IA); and 4.9.2 Logical Security.

3.2 ORDER TYPE


The effort shall be proposed on a Firm Fixed Price (FFP) basis.

4.0 PERFORMANCE DETAILS


4.1 PERFORMANCE PERIOD
The base period of performance (PoP) shall be nine (9) months from the date of award,
with four (4) twelve (12) month option periods and one optional task available in each
executed PoP.

4.2 PLACE OF PERFORMANCE


Efforts under this Task Order (TO) shall be performed at Contractor facilities. The
Contractor staff shall be available to coordinate with VA staff on normal Federal
Government workdays and shall be responsive between the core hours of 8:00am and
5:00pm EST.

4.3 TRAVEL OR SPECIAL REQUIREMENTS


The Government anticipates travel under this effort to perform the tasks associated with
the effort, as well as to attend program-related meetings throughout the period of
performance.

Travel shall be in accordance with the Federal Travel Regulations (FTR) and requires
advance concurrence and approval by the COR. Two to four days of travel during each
performance period (12-month option executed) are anticipated for program management
(Section 5.1) familiarization, coordination, and facilitation purposes to West Virginia,
Washington, D.C., and Austin, TX. Travel and per diem shall be reimbursed in
accordance with the FTR. Each Contractor invoice must include copies of all receipts that
support the travel costs claimed in the invoice. Local travel within a 50-mile radius of
the Contractor’s normal duty location is considered the cost of doing business and will
not be reimbursed. This includes travel, subsistence, and associated labor charges for
travel time. Travel performed for personal convenience and daily travel to and from work
at the Contractor’s facility will not be reimbursed. Travel, subsistence, and associated
labor charges for travel time for travel beyond a 50-mile radius of the Contractor’s
facility are authorized on a case-by-case basis and must be pre-approved by the COR.
Travel requests shall include mileage verification from map applications (e.g.,
MapQuest, Google Maps, etc.).

4.4 CONTRACT MANAGEMENT


All requirements of Sections 7.0 and 8.0 of the T4NG Basic PWS apply to this effort.
This TO shall be addressed in the Contractor’s Progress, Status and Management
Report as set forth in the T4NG Basic contract.

4.5 GOVERNMENT FURNISHED EQUIPMENT


Contractors will regularly be called upon to perform unscheduled work after normal duty
hours and are responsible for short-notice operational responses to the field, senior VA
leadership, the VA CIO, and the IG. Requests often require extensive data gathering,
storage, and analysis that cannot be done effectively via Citrix Access Gateway (CAG)
access. CAG access does not have the reliability or speed needed to turn around requests
with large amounts of data. All defined tasks are more efficiently performed via RESCUE
connectivity.

Additionally, the Government has determined that remote access solutions involving
CAG have proven to be an unsatisfactory access method to
complete the tasks within the scope of this specific Task Order (TO). The Government
also understands that Government Furnished Equipment (GFE) is limited to Contractors
requiring direct access to the network to: access development environments and VA
data sources and repositories; install, configure, and run TRM-approved software and
tools (e.g., Project Server, PowerBI, Visio, Security Architect, Vovici, Fortify, Eclipse,
SoapUI, WebLogic, LoadRunner, etc.); upload, download, and manipulate code, run scripts,
apply patches, etc.; configure and change system settings; check logs;
troubleshoot/debug; and test/QA.

Based on the Government’s assessment of remote access solutions and the requirements
of this TO, the Government estimates that 50 GFE laptops will be needed. However,
the Government will not provide IT accessories, including but not limited to mobile Wi-Fi
hotspots/wireless access points, additional or specialized keyboards or mice, laptop
bags, extra charging cables, extra PIV readers, peripheral devices, additional RAM, etc.
The Contractor is responsible for providing these types of IT accessories in support of
the TO as necessary, and any VA installation required for these IT accessories shall be
coordinated with the Contracting Officer Representative (COR).

4.6 SECURITY AND PRIVACY
All requirements in Section 6.0 of the T4NG Basic PWS apply to this effort. The specific TO
requirements relating to Addendum B, Section B4.0, paragraphs ‘j’ and ‘k’ below
supersede the corresponding T4NG Basic PWS paragraphs and are as follows:

j. The vendor shall notify VA within 24 hours of the discovery or disclosure of
successful exploits of the vulnerability which can compromise the security
of the Systems (including the confidentiality or integrity of its data and
operations, or the availability of the system). Such issues shall be
remediated based upon the severity of the incident.

k. When the Security Fixes involve installing third-party patches (such as
Microsoft OS patches or Adobe Acrobat), the vendor will provide written
notice to VA that the patch has been validated as not affecting the Systems
within 10 working days. When the vendor is responsible for operations or
maintenance of the Systems, they shall apply the Security Fixes based
upon the requirements identified within the TO.

4.7 POSITION/TASK RISK DESIGNATION LEVEL(S)


In accordance with VA Handbook 0710, Personnel Security and Suitability Program, the
position, sensitivity and the level of background investigation commensurate with the
required level of access for the following tasks within the PWS are:

Position Sensitivity and Background Investigation Requirements by Task

Task Number   Tier 1 / Low Risk   Tier 2 / Moderate Risk   Tier 4 / High Risk
5.1
5.2
5.3
5.4
5.5
5.6
5.7
5.8

The Tasks identified above, and the resulting Position Sensitivity and Background
Investigation requirements, identify, in effect, the Background Investigation requirements
for Contractor individuals, based on the tasks that Contractor personnel will be working on.
The submitted Contractor Staff Roster must indicate the required Background
Investigation Level for each Contractor individual based upon the tasks the Contractor
individual will be working on, in accordance with their submitted proposal.

5.0 SPECIFIC TASKS AND DELIVERABLES


The Contractor shall perform the following:

5.1 PROJECT MANAGEMENT


The Contractor shall ensure management of IT projects both large and small and shall
be able to manage a portfolio of diverse projects. The Contractor shall provide support
in the full range of systems development life cycle phases, enterprise-wide network
engineering, strategic information planning, business process reengineering, structure,
and management practices. The Contractor shall identify and mitigate risks to the
program and assist in the management of cost, schedule, and performance.

The Contractor shall assist VA in managing projects (of all sizes) through intake,
initiation, planning, managing and monitoring, execution and closing while assisting VA
in managing the constraints of cost, time, resources, scope and quality with
administrative, project management, graphic artist, and engineering expertise.

Additionally, the Contractor shall utilize and support the Program Management Office’s
Agile methodology for initiating, managing, and deploying projects and assist in the
creation of project charters to assist project sponsors in business case creation,
including scoping, and financial justification.

5.1.1 KEY PERSONNEL


The Contractor shall provide resources that have the requisite skills and experience
required to perform the tasks within the PWS.

The Contractor agrees that the personnel identified below as key to supporting this
effort shall not be removed from or replaced on the TO effort without a compelling
reason and without written notification to the Contracting Officer (CO).

If any change to the Key Personnel assigned to the labor categories identified below
becomes necessary (substitutions or additions), the Contractor shall immediately notify
the CO in writing, accompanied by the resume, if applicable, of the proposed
replacement personnel. The proposed replacement shall be of at least substantially equal
ability and qualifications as the individuals currently performing in that category and
shall meet or exceed the qualifications designated for that Key Personnel position. It is
expected that substitution or replacement of the personnel will not occur within the first
90 days after the date of TO award.

The Contractor agrees that it has a contractual obligation to mitigate the consequences
of the loss of Key Personnel and shall promptly secure any necessary replacements in
accordance with (IAW) this PWS section. Failure to replace Key Personnel pursuant to
this clause, without a break in performance of the labor category at issue, shall be
considered a condition endangering contract performance and may provide grounds for
default termination.

If at any time the assigned Key Personnel are unavailable, the Contractor shall notify
VA in writing and provide an alternate point of contact no later than 48 hours from first
notice of unavailability.

The labor categories below are identified as Key Personnel:

A. IT Cybersecurity Program Manager
B. Enterprise Security Architecture Lead
C. Senior Enterprise Security Analyst
D. Functional Area Expert II
E. Project Analyst

5.1.1.1 IT CYBERSECURITY PROGRAM MANAGER (PM)

The Contractor shall provide a Program Manager that has the requisite skills as detailed
below:

o Master’s degree in Engineering, Computer Science, Math, or a related scientific
/technical discipline.
o 10 years of additional relevant experience may be substituted for education.
o 15+ years of both large and small IT Project Management experience, preferably
supporting government agencies.
o Must be able to manage a portfolio of projects.
o Must be well versed in the full systems development life cycle, enterprise-wide
network engineering, strategic information planning, business process
reengineering, structure, and management practices.
o Must be able to identify and mitigate risks.
o Must be able to track and manage cost, schedule, and performance progress.
o 5+ years of experience as a PM for security projects.
o 3+ years of experience in Agile development, specifically Lean and/or Kanban.
o PMP Certification, including all continuing education credits.

5.1.1.2 ENTERPRISE SECURITY ARCHITECTURE LEAD

The Contractor shall provide Subject Matter Expertise in the Enterprise Security
Architecture Lead role. This SME works to ensure that deliverables not only maintain
technical merit but also have high fidelity to stated VA strategies, goals, and objectives. The
Chief Architect ensures that deliverables address Customer-specific needs and provides the
overall technical strategy for guidance, policy, and implementation that supports ESA PMO
mission needs. The Chief Architect acts as the technical lead for ESA projects. They guide the
execution of specific tasks and the development of deliverables in accordance with the
Performance Work Statement (PWS). They contribute to both scheduled and unscheduled
deliverables. They may function as the primary or contributing author of deliverables. They
shall participate in peer reviews of VA ESA to ensure technical adequacy and alignment to
Customer strategic and mission advancement.

The Contractor shall provide an Enterprise Security Architecture Lead that has the requisite
skills as detailed below:

o Extensive experience in design and development of IT architecture. Experience
must include a wide range of work in creating diagrams and documentation with
all components that comprise IT systems, including network topology.
o Master’s Degree in Computer Science, Engineering, Math, or technical
equivalent (e.g., Information Technology, Information Systems Architecture,
Telecommunications Systems Design, Architecture, Implementation, Information
Systems Integration, Software Development Methodologies, Security
Engineering, Communications and Network Systems Management).
o 10 years of additional relevant experience may be substituted for education.
o Must have a minimum of 10 years of experience (a minimum of 15 years desired).
o Ability to support legacy and new health IT digital architectures, including cloud,
mobile, IoT, APIs, and AI technologies.
o Ability to analyze and research complex problems and processes relating to
the subject matter.

5.1.1.3 SENIOR ENTERPRISE SECURITY ANALYST

The Contractor shall provide a Senior Enterprise Security Analyst that has the requisite
skills as detailed below:

o Master’s Degree in Engineering or a related scientific or technical discipline (e.g.,
Information Technology, Information Systems Architecture, Telecommunications
Systems Design, Architecture, Implementation, Information Systems Integration,
Software Development Methodologies, Security Engineering, Communications
and Network Systems Management).
o Possesses broad and detailed knowledge of the security discipline to draw from.
o Has thorough knowledge of security principles, concepts, policy, and regulations.
o Ability to identify risks in security systems and work with technical experts to
resolve security issues.
o Ability to identify key concepts, factors, and risks based on conversations and
document these in clear and concise narrative or graphic reports.
o Minimum 10 years of experience.
o Minimum of 5 years of additional relevant experience may be substituted for
education.
o Experience with legacy and new health IT digital architectures, including cloud,
mobile, IoT, APIs, and AI technologies.

5.1.1.4 FUNCTIONAL AREA EXPERT II

The Contractor shall provide a Functional Area Expert II that has the requisite skills
as detailed below:

o Engineering Degree or a related scientific or technical discipline (e.g., Information
Technology, Information Systems Architecture, Telecommunications Systems
Design, Architecture, Implementation, Information Systems Integration, Software
Development Methodologies, Security Engineering, Communications and
Network Systems Management).
o Minimum 10 years of experience.
o Minimum of 8 years of additional relevant experience may be substituted for
education.
o Ability to support legacy and new health IT digital architectures, including cloud,
mobile, IoT, APIs, and AI technologies.
o Ability to analyze and research complex problems and processes relating to
the subject matter.

5.1.1.5 PROJECT ANALYST


The position shall provide administrative support to the ESA Director and Deputy
to enable the successful facilitation of the ESA PMO. The Contractor shall
support responses to inquiries, consolidating status, capturing minutes of technical
forums, posting information, building templates and ensuring their consistent use, and data
entry. The Project Analyst shall have the requisite skills as detailed below:

o Bachelor’s Degree in a Business or IT discipline.
o 8 years of additional relevant experience may be substituted for education.
o Minimum 5 years of experience in an IT discipline.
o Must be proficient with graphic and office automation tools and able to produce
documents without errors. Specifically, expertise in using Microsoft Suite tools
(MS Project, Excel, Word, SharePoint, MS Teams, and PowerPoint).
o Must have experience and knowledge in proofreading and editing documents
that are highly technical in nature and were created by others, to ensure proper
format, grammar, and style.
o Strong communication skills (mastery of the English language, written and verbal).
o Provide documentation support (notetaking, capturing minutes, posting to the
SharePoint site).
o Perform as a communications officer (collaborating with ESA team members and
other communications officers to respond to action items in the action tracking tool).
o Must be able to plan, maintain, and manage schedules for the ESA Director and
Deputy.
o Create templates for quarterly reporting for ESA.
o Be able to construct memos or other correspondence.

5.1.2 CONTRACTOR PROJECT MANAGEMENT PLAN


The Contractor shall deliver a Contractor Project Management Plan (CPMP) that lays
out the Contractor’s approach, timeline, and tools to be used in execution of this TO
effort.  The CPMP should take the form of both a narrative and graphic format that
displays the schedule, milestones, risks, and resource support.  The CPMP shall also
include how the Contractor shall coordinate and execute planned, routine, and ad hoc
data collection reporting requests as identified within the PWS. The initial baseline
CPMP shall be concurred upon and updated in accordance with Section B and
presented during the Contractor Kick-Off meeting. Any discrepancies or items that
require clarification must be discussed during that time. The Contractor shall update
and maintain the VA Program Manager (PM) approved CPMP throughout the PoP.

Deliverable:
A. Contractor Project Management Plan

5.1.3 REPORTING REQUIREMENTS


The Reporting Requirements section identifies the various work products and
deliverables to be provided by, or coordinated with, the Contract PM to meet contract
requirements and ensure the Customer has the insights needed to support effective
contract management. The Contractor shall provide a Weekly Activity Report (WAR)
to the COR and/or PM addressing all work completed during the preceding reporting
period and shall present the work to be accomplished during the subsequent period(s)
for each task as described in Section 5.0. The status/activity reporting is expected to
highlight performance and accomplishments towards the various requirements
addressed within this contract. Contractor members shall attend weekly teleconference
meetings with the PM or represent the PM, as required. Contractors shall discuss and
document any issues, pending deliverables, or other pertinent topics concerning the task
areas. Each report shall include the work schedule by name for each person assigned
to this contract. Each report shall identify resolved and unresolved issues with an
explanation for each issue.

Deliverables: 

A. Weekly and Monthly Status and Activity reporting that highlight performance and
accomplishments
B. Weekly Posting of Technical Forum Minutes
C. Monthly Manpower Reports
D. Monthly GFE Inventory Report
E. Contractor’s Quality Assurance Plan
F. Communication Plan between Prime, Subcontractors and other ESA Contractors
G. PMR Status Support

5.1.4 TECHNICAL KICKOFF MEETING


A technical kickoff meeting shall be held within ten (10) days after TO award. The
Contractor shall coordinate the date, time, and location (can be virtual) with the CO, as
the Post-Award Conference Chairperson; the VA PM, as the Co-Chairperson; the
Contract Specialist (CS); and the COR. The Contractor shall provide a draft agenda to
the Contracting Officer and VA PM at least five (5) calendar days prior to the meeting.
Upon Government approval of a final agenda, the Contractor shall distribute it to all
meeting attendees. During the kick-off meeting, the Contractor shall present, for review
and approval by the Government, the details of the intended approach, work plan, and
project schedule for each effort via a Microsoft Office PowerPoint presentation. At the
conclusion of the meeting, the Contractor shall update the presentation with a final slide
entitled “Summary Report”, which shall include notes on any major issues, agreements,
or disagreements discussed during the kickoff meeting and the following statement: “As
the Post-Award Conference Chairperson, I have reviewed the entirety of this
presentation and assert that it is an accurate representation and summary of the
discussions held during the Technical Kickoff Meeting for the Enterprise Security
Architecture Support.” The Contractor shall submit the final updated presentation to the
CO for review and signature. The Contractor shall also work with the CS, the
Government’s designated note taker, to prepare and distribute the meeting minutes of
the kickoff meeting to the CO, COR, and all attendees within three (3) calendar days
after the meeting. The Contractor shall request concurrence from the CS on the content
of the meeting minutes prior to distribution of the document.

5.1.5 VA MANDATORY TRAINING


The Contractor and VA Project Manager (PM) shall determine which team members
require access to the VA network and Rational/GitHub. All Contractors that require
access shall complete all the required VA Talent Management System (TMS) training
courses within fourteen (14) days of the identification of the access need. The
Contractor shall work with its respective point of contact, to obtain access to TMS to
complete the mandatory training courses.

As an action under the Continuous Readiness in Information Security Program (CRISP),
VA's Assistant Secretary for Information and Technology issued a memorandum
requiring all VA government and contract staff to complete information security
awareness and applicable role-based training. The Contractor shall submit Talent
Management System (TMS) Training Certificates of completion for VA Privacy and
Information Security Awareness (PISA), Rules of Behavior (ROB), Health Insurance
Portability and Accountability Act (HIPAA), and Role-Based trainings. The Contractor
shall provide signed copies of the Contractor Rules of Behavior in accordance with
Section 9, Training, from Appendix C of the VA Handbook 6500.6, “Contract Security”.

Contractors who have completed these VA training courses within the past 12 or 24
months, depending on the training requirements, and have furnished training certificates
to VA, will not be required to re-take the training courses.

Deliverables:

A. TMS Training Certificates
B. Signed Contractor Rules of Behavior

5.1.6 ONBOARDING
The Contractor shall manage the onboarding of its staff. Onboarding includes steps to
obtain a VA PIV card, network and email account, complete training, initiate background
investigations, and gain physical and logical access. In addition, the Contractor shall
identify individuals who may require elevated privileges to the necessary development
and test environments for the various systems to be enhanced. After review between
the Contractor and the VA COR, a decision will be made as to the necessity of obtaining
GFE for the onboarding staff. If approved, the Contractor shall follow the appropriate steps
to obtain the equipment.

A single Contractor Onboarding point of contact (POC) shall be designated by the
Contractor that tracks the onboarding status of all Contractor personnel. The Contractor
Onboarding POC shall be responsible for accurate and timely submission of all required
VA onboarding paperwork to the VA COR. The Contractor shall be responsible for
tracking the status of all its staff’s onboarding activities to include the names of all
personnel engaged on the task, their initial training date for VA Privacy and Information
Security training, and their next required training date. The Contractor Onboarding POC
shall also report the status at the staff level during onboarding status meetings. The
Contractor shall provide an Onboarding Status Report weekly for any staff with
outstanding onboarding requests for review by the COR, VA PM and PM.

Deliverable:

A. Weekly Onboarding Status Report

5.2 ESA GOVERNANCE, PROCESS, ORGANIZATION, AND INTEGRATION


ESA seeks to integrate at all levels by showing linkage from the higher organizational
business and architecture level to the lower information system levels. ESA seeks to
expand working relationships with stakeholders, partners, governing bodies supporting
IT, OT and other initiatives leveraging technical and architecture services across the VA
enterprise. Opportunities to integrate present themselves via ESA activities such as:
governance board support, technical briefings, consulting, workflow and process flow
development and socialization, and the development of checklists, questionnaires,
operating procedures, etc.

The Contractor shall work collaboratively with stakeholders (e.g., VA’s Privacy Service,
product line managers, and others) to promote enterprise cybersecurity and privacy
capability standardization and the integration of these standards across the VA enterprise.
The Contractor shall support the VA Director, Enterprise Security Architecture (ESA) in
preparing, introducing, and gaining approval for these standards by the appropriate
information security governance boards. The Contractor shall provide ESA artifacts that
satisfy and guide the design, engineering, and implementation of required cybersecurity
capabilities, taking into consideration NIST SP 800-53 Security Controls, NSS, and
High Value Asset (HVA) baselines.

The Contractor shall leverage the existing ESA Concept of Operations (CONOP) and refine it
as new charters and organizations stand up and existing ones reorganize. The Contractor
shall use the ESA CONOP to influence and establish the procedural integration baseline for
implementing ESA services and products across the Department. To do so, the Contractor
shall support, facilitate and participate in governance boards that affect ESA, and shall
assess current and new processes to determine integration points at the business level and
at the lower technical/information system level. Contractors will not vote, approve or
concur on any governance matter. Contractors shall review, compare, and check for
consistency and alignment, advise their Government counterpart on suggested improvements,
and offer drafted recommendations. The Contractor shall ensure the ESA CONOP is
actionable and supports ESA strategic benefits. The CONOP and related artifacts will be
reviewed and updated as they evolve and improve, including the development of new ESA
technical forum charters.
The Contractor shall work with ESA leadership to develop the ESA Playbook. As ESA
transitions to an Agile construct, it will need to define the plays, or approach, by which
stakeholders engage and leverage ESA services. The ESA Playbook will address the eight
main elements identified for organizational design. Within the structure, it solves for:
1. organizing principles, 2. framing, 3. overall size and team size, 4. layers and span of
control, and 5. reporting structure. For roles and competencies, it solves for the three
levels of 6. team, 7. individual, and 8. cross-functional.
The Contractor shall leverage, and update, the ESA Threat Model Methodology (TMM)
and Threat Assessment Process when determining investment, capability, and security
risks for new and existing IT, OT, and Healthcare services, to improve guidance for
acquiring and designing products securely. Using the selected VA Security Architecture
tool, the Contractor shall identify, assess, facilitate, and incorporate mappings to
cybersecurity processes, policies, and standards to create architecture reference
models, architecture flows and diagrams. The process flow shall be captured in an
accompanying Standard Operating Procedure (SOP).

The Contractor shall ensure the Enterprise Security Architecture Framework (ESAF) is
consistent with and supports the NIST Cybersecurity Framework. As cybersecurity
considerations are incorporated, they are to be tied back to the Enterprise Security
Architecture and the Cybersecurity Framework. Additionally, the Contractor shall create a
feedback loop that uses the results of the risk assessments and the Enterprise Security
Risk Assessment Model (ESRAM) to improve existing standards and requirements.

Deliverables:

A. ESA Concept of Operation (CONOP) updated bi-annually


B. ESA Organization Playbook
C. ESA Framework updated bi-annually
D. ESA Threat Modeling Methodology and SOP updated bi-annually
E. ESA Charters for new boards and/or forums
F. Threat Assessment Process
5.3 ESA TECHNOLOGY ASSESSMENTS, ARCHITECTURES AND SECURITY
PACKAGES
The Contractor shall leverage the ESA Threat Model Methodology (refer to 5.2). The
Contractor shall develop Threat Models as part of the Risk Assessment Process in
support of new and existing development of the VA Enterprise Security Architecture.

The Contractor shall deliver three (3) Whitepapers (e.g., 5G, Blockchain, Network
Security Modernization) each period of performance. The purpose of a whitepaper
is to develop the technical strategy and approach for OIS adoption of a technology.
It will also describe the capabilities, the roadmap for mitigating problems, and the
nominal resourcing needed. The technology focus may change from year to year.

The Contractor shall provide specialized cybersecurity knowledge and expertise to
identify threats and manage risks in the adoption of new technologies, including but
not limited to IT Modernization and Digital Transformation, Healthcare Services, and
Operational Technology and IoT (i.e., medical devices, Research, and Telehealth).
The Contractor shall provide specialized knowledge and expertise in Enterprise and
Security Architecture in accordance with National Institute of Standards and
Technology (NIST), Committee on National Security Systems (CNSS), and Federal
Risk and Authorization Management Program (FedRAMP) publications and
requirements. The Contractor shall take into consideration, where applicable, the
Cybersecurity Framework and Office of Inspector General findings when proposing
changes to, and determining, Enterprise Security Architecture Policies, Standards,
Reference Architectures, Security Patterns and Implementing Guidelines, so that they
represent a comprehensive ESA that aligns and integrates with the VA Office of
Information Security Enterprise Cybersecurity Strategy, the Enterprise Architecture (EA)
and EA Design Patterns, and the ESA Strategy and Charter. The Contractor shall
provide specialized cybersecurity knowledge to incorporate new security architecture
concepts that adequately address the changing security risk landscape, including but
not restricted to TIC 3.0, Zero Trust Architecture, DevSecOps, Mobile, Virtual
Reality and Cyber Operations in the cybersecurity domain. Security Packages
include: a Security Policy or Directive, Design Patterns, and an Enterprise Security
Implementing Handbook or Guidelines.

The Contractor shall deliver four (4) Security Packages each period of performance.
A security package will consist of a threat model, risk assessment, directive,
policies, reference architectures, design patterns, assessments, and handbooks
(guidelines), documented with regard to their alignment with the twenty-two (22)
capabilities of the VA Enterprise Security Architecture functions and the Cybersecurity
Framework functions (Govern, Identify, Protect, Detect, Respond, and Recover) that
comprise the VA Enterprise Security Architecture Framework (ESAF). The Contractor
shall define and develop applicable capability requirements and document them at the
system level where applicable. It is anticipated that VA will require the above ESA
support, with application expertise, to deliver threat models, risk assessments, and the
other documents below for IT and Healthcare Services Divisions, Portfolios and Product
Lines. The threat models may or may not be connected to the ESA Risk Assessment
process. For new technologies, all of the above will be required as part of the security
package. For existing technologies, only a risk assessment and a threat model may be
required.
The technical areas below require Contractor expertise in the following technologies:

A. MOBILE/MEDICAL DEVICE SECURITY ARCHITECTURE


The Contractor shall work closely with the IT, OT, and Technical Lead for mobile/
medical device to execute the ESA and higher organizational strategies, concept of
operations, and reference architecture for secure mobile solutions. The security
architect shall drive the design and development of the implementation guidance for the
security architecture. Contractors shall work closely with the other ESA support teams
responsible for establishing and maintaining technical strategies, concept of operations
and reference architectures for the organizational wide mobile security ecosystem to
ensure synchronization and alignment.

Contractors shall assist with the development of Technical Positions, White Papers, and
Briefings on enterprise mobile security. Contractors shall influence and assist in the
development of Mobile Security Policies, Guidelines, and Security Standards.
Contractor subject matter experts (SMEs) shall be leveraged to drive mobile security
architecture and the implementation of security capabilities that meet a high state of
organizational readiness and position VA to meet current and future use cases.
These SMEs shall also establish and participate in the ESA Mobile Security Architecture
Strategy Working Group. Contractors shall develop, update, and maintain technical
documents for the VA mobile security ecosystem, provide mobile subject matter expertise
to the VA Mobile Security Strategy and Zero Trust efforts, and support other related efforts.
Contractor resources shall develop Implementation/Procedural Guidance for the VA Mobile
Security Enterprise, including Zero Trust and other efforts, and shall conduct Threat
Modeling for Mobile Security.

Contractors shall support the development of Mobile Security Use Cases (Gap Analysis,
Risk Assessments, Architecture diagrams, etc.) and develop Mobile Security
Packages. The Contractor shall drive mobile security architecture and the
implementation of security capabilities that position VA to meet current and future
mobile use cases. The Contractor shall support VA project teams in developing
secure architecture solutions to meet mobile strategic and other technical efforts.
Additionally, Contractors shall support the development of Security Architecture Reviews,
System Architecture Risk Assessments, and the Baseline Reference Architecture
Directive.

B. NETWORK SECURITY MODERNIZATION ARCHITECTURE

The Contractor shall work closely with the MITRE team to develop a Future Network
Security Architecture that defines and coordinates the deployment of cybersecurity
capabilities and security protections for the VA network, ensuring it meets its
applicable requirements. The Contractor shall support the following:
• Create, update, and maintain White Papers/Technical Strategies, Concepts of
Operations, and Network Architecture Designs for Zero Trust, Network Security,
and TIC 3.0 Architectures. Develop technical positions, white papers, and
briefings on Zero Trust, Network Security, and TIC 3.0 Architectures.
• Conduct and deliver a Risk Assessment and Gap Analysis to support the
proposed future network security modernization effort, and develop VA Zero
Trust, Network Security, and TIC 3.0 Policies.
• Provide subject matter expertise to drive the security architecture and
implementation of Zero Trust, Network Security and TIC 3.0 capabilities, and
provide subject matter expertise to establish and participate in the ESA Network
Security Architecture Modernization Working Group.
• Develop, update, and maintain technical Reference Architectures for Zero Trust,
Network Security, and TIC 3.0 Architectures.
• Develop Implementation/Procedural Guidance for VA Zero Trust, Network
Security and TIC 3.0.
• Develop Threat Models for Zero Trust, Network Security, and TIC 3.0.
• Develop Security Design Patterns for Zero Trust, Network Security, and TIC 3.0.
• Provide subject matter expertise to drive the implementation of the Zero Trust,
Network Security and TIC 3.0 security architecture capabilities.
• Support the development of TIC 3.0, Zero Trust and Network Security Use Cases
(Gap Analysis, Risk Assessments, Architecture diagrams, etc.).
• Support VA project teams in developing secure architecture solutions that meet VA
TIC 3.0 compliance.
• Support the development of Security Architecture Reviews and risk
assessments.

Deliverables:
A. Audit Logging Procedural Guidance
B. Threat Models
C. System Architecture Risk Assessment (SARA) Reports
D. Updated Risk Assessments/Gap Analyses for Mobile, Zero Trust, TIC 3.0, Network
Security Modernization, and emerging technologies (e.g., Blockchain, 5G)
E. Whitepapers/Technology Strategies, Use Cases, and Technology Briefings
F. Security Architecture Packages/Reports
o Reference Architecture Directives/Policies/Procedural Guidance/Security
Standards
o Security Design Patterns
o Implementation Guidelines or Handbook
o Diagrams
o Governance Board Briefing

5.4 SUPPORT TO VA SYSTEMS AND INITIATIVES


This section is focused on Product Line Management and VIP. ESA support to VA
systems and initiatives supports the secure deployment of IT, OT, and IoT capabilities
department wide. The Contractor shall participate in and provide ESA support to
VA systems and initiatives across the VA Veterans-focused Integrated Process (VIP)
lifecycle weekly meetings, Product Line Portfolios and Management Processes,
DevSecOps, and the Risk Management Framework (RMF), in the areas of security
solution and architecture expertise and the development of architecture security
standards, requirements, and guidance for implementing required NIST SP 800-53
Security Controls and OMB, GSA, CNSS, and DHS policies to secure Veteran and VA
data and satisfy VA’s ESA.

The Contractor shall support approximately 20 IT, OT, and IoT Programs/Projects for new
or existing systems annually. The Contractor shall analyze each system architecture,
including data flows, to identify cybersecurity threats and vulnerabilities, assess risks,
and align with the business requirements model, producing a Threat Model and a System
Architecture Risk Assessment Report. The Contractor shall collaborate with and
support the implementation, operations and security teams in the use and application
of ESA directives, standards, security patterns and implementing guidelines. The
Contractor shall ensure NIST SP 800-53 Security Controls, the ESA Framework, and
applicable security documentation are considered in order to adequately secure VA and
Veteran data. The Contractor shall serve as a technical cybersecurity subject matter
expert to VA IT and OT Modernization efforts, digital transformation, healthcare, EHR,
specialized medical devices, digital technologies, and other visible and critical
requests.
Deliverables:
A. System Architecture Risk Assessment (SARA) Reports
B. Threat Model

5.5 ESA DEVELOPMENT AND SECURITY OPERATIONS (DevSecOps)


In 2019, VA evolved from a DevOps approach to a DevSecOps approach modeled
after the Department of Defense (DoD) Air Force DevSecOps framework (the new approach
is captured in the ESA Strategy and CONOPS). The implementation approach for a secure
software development lifecycle (SDLC) leveraged the DoD DevSecOps framework. The
intended result is a defined process for integrating security into the DevSecOps
environment. The Contractor shall conduct gap analyses and risk assessments of the
proposed DevSecOps architecture and platform to ensure alignment with the ESA directive,
security design patterns, and handbook.

The Contractor shall provide the cybersecurity support needed to define mandatory
security standards and requirements, policy and guidelines, and to incorporate security
and privacy safeguards in VA’s DevSecOps Playbook.  The Contractor shall
collaborate with and support the DevSecOps and its Pillars (Agile Center of Excellence
(ACOE), the Software Factory, and platform) to ensure existing and new IT products are
assessed and authorized in accordance with security authorization guidelines.

As part of that shift, the Contractor shall review and assess the security architecture
components of the VA DevSecOps Ecosystem and architecture: Infrastructure
(DevSecOps Hosting Environment), Platform Services (DevSecOps Software Factory)
and Application Framework (Application Servers) for best use at VA.  The Contractor
shall consider DevSecOps enabling technologies, such as Compliance-as-Code (CaC),
containers, Infrastructure-as-Code (IaC), microservices, continuous integration and
continuous delivery (CI/CD) techniques as integral components of the VA DevSecOps
security landscape.  The Contractor shall also consider DevSecOps impact on current
IT development, security and operations cultures and environment necessary to support
VA’s overall digital transformation to improve services, efficiency, and benefit delivery to
Veterans. The Contractor shall collaborate with stakeholders to eliminate silos, promote
collaboration and teamwork, and provide better, faster delivery.

The Contractor shall support those goals through the deliverables specified below as
well as through active participation in VA working groups to socialize and educate OIS
and other OIT stakeholders on DevSecOps security requirements, activities, and roles
and responsibilities. The Contractor shall also facilitate a DevSecOps working group.
Other activities expected for this task include preparation of approximately 8-10 white
papers annually, ad-hoc executive briefings, monthly presentations, and providing
cybersecurity and privacy guidance and assistance that support VA DevSecOps
initiatives and project teams.

The Contractor shall provide a DevSecOps Security Package and resubmit it quarterly
thereafter. The package will consist of the relevant and necessary Threat Models, Security
Patterns, Directives, Standards and Implementing Guidelines for DevSecOps at VA.  As
part of the overall DevSecOps Security Package, the Contractor shall create Security
Patterns for the Infrastructure, Platform and Application Layers of the proposed
DevSecOps Ecosystem at VA.

The Contractor shall maintain a DevSecOps Implementation Handbook that prescribes
Department cybersecurity and privacy procedures or operational requirements to
successfully, and securely, implement DevSecOps at VA. The Handbook will cover
all phases of the DevSecOps Lifecycle: Plan, Code, Build, Test, Release, Deploy,
Operate and Monitor. The Handbook should provide high-level guidance for automating
security testing, applying function and feature software updates, applying security
patches, and configuration management, as well as for creating and using hardened
baselines. The Handbook will identify DevSecOps security roles and responsibilities and
VA organizational resources that aid OIT software development initiatives. The
Handbook will document the alignment between the eight phases of VA DevSecOps and
VA’s Risk Management Framework (RMF) approach, the NIST Cybersecurity Framework
(CSF) and the VA Enterprise Security Architecture Framework (ESAF). Finally, the
Handbook will identify the types and classes of DevSecOps automation tools and those
tools already adopted for VA use.

The DevSecOps Security Authorization Guide should outline a general, modular VA
assessment and authorization (A&A) approach for DevSecOps. The guide will include
the concept of local and enterprise Authorities to Operate (ATO) at VA as part of a
recommended DevSecOps architecture approach. The approach shall examine the
DoD three-part approach to DevSecOps security authorizations:
1) Authorize the DevSecOps Platform;

2) Authorize the DevSecOps Process/Application; and

3) Authorize the DevSecOps Team.

The DevSecOps Security Authorization Guide will also align with VA continuous
authorization to operate (cATO) processes. The Contractor shall modify or tailor processes
and procedures to VA needs and operational protocols. Platform authorization addresses
security and control inheritance from the DevSecOps hosting environment, platform
infrastructure, and application layers of the DevSecOps Ecosystem. Process
authorization will address the DevSecOps infinity loop, including feedback loops, the
CI/CD pipeline, Security Control Gates (SCG), and continuous monitoring operations.
Team authorization will address the recommended skillsets, experience and training for
DevSecOps teams at VA.

The Contractor shall develop a DevSecOps Security Monitoring Procedures document
in support of the VA DevSecOps Ecosystem. These procedures will include, at a
minimum: metrics/key performance indicator (KPI) development, and continuous logging,
monitoring, and alerting processes and procedures. Monitoring procedures should
include recommendations for centralized visualization; container security monitoring;
integration of security issue tracking into VA software lifecycle management tracking
systems; and automated testing and auditing of the DevSecOps environment’s security
and compliance posture. The Contractor should also include recommendations for security
logging schemas for deployed applications, containers and microservices as well as for
the DevSecOps environment itself.
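As an added illustration of the security logging schema recommendation above (not a VA schema, and not part of the original document), the Python below defines one common event shape, normalizes two constructed source formats onto it (a container-runtime audit event and an application key=value log line), and validates the result. The field names, the two source formats and every sample event are assumptions made for this example.

```python
"""Common security-event schema for DevSecOps workloads (app, container, pipeline).

Added illustration; not a VA schema. Field names, the two source formats
and all sample events are constructed for this example.
"""
from datetime import datetime, timezone
from typing import List, Tuple

# Fields every security event must carry so detection logic can be written once
# and applied to application, container and pipeline sources alike.
REQUIRED_FIELDS = ("ts", "source", "event_type", "actor", "target", "outcome")
ALLOWED_OUTCOMES = {"success", "failure", "unknown"}


def normalize_container_event(raw: dict) -> dict:
    """Map a (constructed) container-runtime audit event onto the schema."""
    return {
        "ts": datetime.fromtimestamp(raw["time"], tz=timezone.utc).isoformat(),
        "source": "container-runtime",
        "event_type": "container." + raw["action"],   # e.g. container.exec
        "actor": raw.get("user", "unknown"),
        "target": raw["container_id"],
        "outcome": "success" if raw.get("status", 0) == 0 else "failure",
        "env": raw.get("labels", {}).get("env"),       # optional enrichment
    }


def normalize_app_line(line: str) -> dict:
    """Parse a (constructed) key=value application log line onto the schema."""
    kv = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    return {
        "ts": kv.get("ts"),
        "source": kv.get("svc"),
        "event_type": kv.get("event"),
        "actor": kv.get("user", "unknown"),
        "target": kv.get("resource", "-"),
        "outcome": kv.get("result", "unknown"),
    }


def validate(event: dict) -> List[str]:
    """Return schema violations; an empty list means the event is well formed."""
    errors = [f"missing {k}" for k in REQUIRED_FIELDS if not event.get(k)]
    if event.get("outcome") not in ALLOWED_OUTCOMES:
        errors.append("outcome not in allowed set")
    try:
        ts = datetime.fromisoformat(event["ts"]) if event.get("ts") else None
        if ts is not None and ts.tzinfo is None:
            # Naive timestamps cannot be ordered against other sources' events.
            errors.append("ts lacks timezone")
    except ValueError:
        errors.append("ts not ISO 8601")
    return errors


# Constructed sample inputs (not real telemetry).
SAMPLE_CONTAINER_EVENT = {"time": 1618923900, "action": "exec", "user": "root",
                          "container_id": "c0ffee01", "status": 0,
                          "labels": {"env": "prod"}}
SAMPLE_APP_LINES = [
    "ts=2021-04-20T13:05:00+00:00 svc=claims-api event=auth.login user=jdoe result=failure",
    "ts=2021-04-20T13:06:00 svc=claims-api event=auth.login user=jdoe result=ok",  # two defects
    "svc=claims-api user=jdoe result=success",  # missing ts and event
]


def run_sample() -> List[Tuple[dict, List[str]]]:
    """Normalize every sample input and pair it with its validation errors."""
    events = [normalize_container_event(SAMPLE_CONTAINER_EVENT)]
    events += [normalize_app_line(line) for line in SAMPLE_APP_LINES]
    return [(e, validate(e)) for e in events]


if __name__ == "__main__":
    for event, errors in run_sample():
        print(event["event_type"], "OK" if not errors else errors)
```

Detection content written against the common fields (repeated auth.login failures per actor, or container.exec by root where env is prod) then works unchanged across application, container and pipeline sources; the validator rejects naive timestamps because events without a timezone cannot be correlated with events from other sources.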

The Contractor shall also work together with the OIS DevSecOps Government lead and
the VA Enterprise Security Chief Architect to assess DevSecOps effectiveness in the
form of a gap assessment. The Contractor shall support the planning of appropriate risk
mitigation activities and incorporate them into the annual OIS DevSecOps
Implementation Plan. The OIS DevSecOps Implementation Plan shall include the
priorities, activities, and schedules for the Fiscal Year; some of which may require PWS
modification to properly prioritize the schedule of scoped items. The Contractor must
generate an Implementation plan within 30 business days that maps out how to bring
the strategic plan to fruition by breaking it into identifiable steps; where each step is
assigned to a team member to complete by a set timeline.

Auditability is important for ensuring compliance with security controls. Technical,
procedural, and administrative security controls need to be auditable, well documented,
and adhered to by all stakeholders. The Contractor shall collaborate with the OIS
DevSecOps Lead and operations to conduct quarterly security audits that confirm security
standards are maintained. These audits shall be automated using scripted checks, static
and dynamic analysis, software composition analysis, and integrated security testing.
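The Security Control Gates named under process authorization above and the automated quarterly audits described in this paragraph both reduce to the same mechanism: scanner findings evaluated against a written policy, with every decision recorded so it can be replayed at audit time. The following is an added example in Python of such a gate; it is not VA, DoD or any vendor's code, and the findings format, the exception (risk-acceptance) format, the severity thresholds, the finding ids, the approver role and the pipeline run name are all assumptions constructed for the example.

```python
"""Security Control Gate (SCG) evaluator for a CI/CD pipeline.

Added illustration; not VA, DoD or any vendor's code. The findings
format, the exception (risk-acceptance) format and every sample value
below are constructed for this example and are not real scanner output.
"""
import json
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List

# Severity ordering shared by all scanner classes (SAST, DAST, SCA).
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class GatePolicy:
    """Lowest severity that blocks the gate, per scanner class (hypothetical policy)."""
    block_at: Dict[str, str] = field(
        default_factory=lambda: {"sast": "high", "dast": "high", "sca": "high"})


@dataclass
class GateResult:
    passed: bool
    blocking: List[dict]           # findings that fail the gate
    accepted: List[dict]           # findings covered by an unexpired exception
    expired_exceptions: List[str]  # finding ids whose exception has lapsed


def evaluate_gate(findings: List[dict], exceptions: Dict[str, dict],
                  policy: GatePolicy, today: date) -> GateResult:
    """A finding at or above the policy threshold blocks the gate unless an
    approved, unexpired exception exists for that finding id."""
    blocking, accepted, expired = [], [], []
    for f in findings:
        threshold = SEVERITY_RANK[policy.block_at[f["tool"]]]
        if SEVERITY_RANK[f["severity"]] < threshold:
            continue  # below threshold: still reported by the scanner, does not block
        exc = exceptions.get(f["id"])
        if exc is not None and exc["expires"] >= today:
            accepted.append(f)
            continue
        if exc is not None:
            expired.append(f["id"])  # lapsed acceptance is treated as unaccepted risk
        blocking.append(f)
    return GateResult(not blocking, blocking, accepted, expired)


def audit_record(result: GateResult, pipeline_run: str, today: date) -> str:
    """Serialize the gate decision so a quarterly audit can replay it."""
    return json.dumps({
        "pipeline_run": pipeline_run,
        "evaluated_on": today.isoformat(),
        "passed": result.passed,
        "blocking": [f["id"] for f in result.blocking],
        "accepted": [f["id"] for f in result.accepted],
        "expired_exceptions": result.expired_exceptions,
    }, sort_keys=True)


# Constructed sample scanner output (not real findings).
SAMPLE_FINDINGS = [
    {"id": "SAST-0001", "tool": "sast", "severity": "critical",
     "title": "SQL built by string concatenation"},
    {"id": "SAST-0002", "tool": "sast", "severity": "low",
     "title": "Unused import"},
    {"id": "SCA-0001", "tool": "sca", "severity": "high",
     "title": "Dependency with a known high-severity defect"},
    {"id": "SCA-0002", "tool": "sca", "severity": "high",
     "title": "Dependency with a known high-severity defect"},
    {"id": "DAST-0001", "tool": "dast", "severity": "medium",
     "title": "Missing security response header"},
]

# Constructed risk acceptances keyed by finding id; the approver role is assumed.
SAMPLE_EXCEPTIONS = {
    "SCA-0001": {"approver": "ISSO", "expires": date(2099, 1, 1)},
    "SCA-0002": {"approver": "ISSO", "expires": date(2000, 1, 1)},  # lapsed
}
SAMPLE_TODAY = date(2021, 4, 20)


def run_sample(today: date = SAMPLE_TODAY) -> GateResult:
    """Evaluate the constructed findings against the default policy."""
    return evaluate_gate(SAMPLE_FINDINGS, SAMPLE_EXCEPTIONS, GatePolicy(), today)


if __name__ == "__main__":
    print(audit_record(run_sample(), "run-42", SAMPLE_TODAY))
```

With the sample data the gate fails: the critical SAST finding blocks outright, the first SCA finding is accepted under a live exception, and the second SCA finding blocks because its exception lapsed. Tying acceptance to an expiry date is what keeps a risk acceptance from silently becoming permanent, and the serialized record is what the quarterly audit checks against the pipeline history.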

The Contractor shall prepare a DevSecOps Security Playbook that provides key
stakeholders with a clear understanding of their responsibilities toward cybersecurity
standards, policies and guidelines. Security is a combination of engineering and
compliance. The DevSecOps Contractor team shall form an alliance between the
development engineers, operations teams, and compliance teams to ensure everyone
in the organization understands VA’s security posture and follows the same
standards. The Contractor shall ensure familiarity with the basic principles of application
security, application security testing, and other security engineering practices by
educating the stakeholders involved in the delivery process. The Contractor shall
collaborate with developers so that they better understand threat models and compliance
checks and have a working knowledge of how to measure risks and exposures and
implement security controls. The Contractor shall ensure security is applied
consistently across the enterprise as the environment changes and adapts to new
requirements.

Deliverables:

A. DevSecOps Security Package


B. DevSecOps Security Implementation Handbook
C. DevSecOps Security Authorization Guide
D. DevSecOps Security Monitoring Procedures Document
E. DevSecOps Security Playbook

5.6 METRICS AND DASHBOARD


VA must define and present metrics to demonstrate value and benefits from the ESA.
The Contractor shall assist in defining and developing ESA metrics. These metrics
should measure the effectiveness of various components of the ESA program and
incorporate existing best practices and recommendations. They should reflect progress
in achieving OIS and ESA strategic goals. These metrics shall be presented in both
numerical and graphical formats, including the development of an ESA dashboard. The
Contractor shall determine the appropriate metrics to measure ESA program
effectiveness and compliance with ESA artifacts (e.g., enterprise compliance with
reference architectures, technology compliance with security patterns, etc.). In addition,
the Contractor shall determine additional metrics that can be developed using ESA tools
and prototypes such as the Enterprise Security Risk Assessment Model (ESRAM) (i.e.,
periodic measurements of the enterprise risk posture, the business impact of incidents,
etc.). The Contractor shall leverage performance measure consultations with
stakeholders internal and external to ESA to assist in the determination of metrics for
the use for the dashboard and ESA reporting.

The Contractor shall update the ESA Metrics Dashboard to provide a quick view of the
metrics with the ability to drill down to details on the dashboard(s). The metrics shall
be documented as part of the ESA Strategy and Security Patterns and must be
integrated into the Metrics Dashboard. From the metrics information acquired, the
Contractor shall provide a monthly ESA Metrics Report and present it to the Government
for situational awareness. The Contractor shall provide a Microsoft Word document
that details the methodology and design of the ESA Dashboard.  The Metrics SOP
should include the following sections: Table of Contents (Executive Summary,
Introduction, Body), List of Figures, List of Tables, and a Summary of Changes. The
Body listed in the Table of Contents should also include Approaches, Explanations, and
Examples specific to the ESA Dashboard. The Contractor shall maintain the ESA
Dashboard as Power BI (or provided application) dashboards, published to a SharePoint
website in VA’s private cloud (VAEC). 

Deliverables:

A. ESA Metrics Definition Description


B. ESA Metrics Dashboard updates
C. Monthly ESA Metrics Reports
D. Metrics Standard Operating Procedure (SOP)

5.7 SECURE ARCHITECTURES FOR VA HEALTHCARE SERVICES


The next generation of VA healthcare technologies require security architectures that
ensure Veteran privacy, safety of Veteran care, and mitigation of risks to VA enterprise
IT infrastructure. The VA medical technology (MEDTECH) ecosystem spans a complex
landscape of clinical, research, and special purpose healthcare applications that are
both on-prem and in the cloud. Vulnerabilities to the MEDTECH ecosystem negatively
impact healthcare data and clinical workflows, which could lead to privacy violations or
life-threatening consequences to Veterans. Mitigation of these threats to Veteran life
and privacy requires development and operation of MEDTECH systems within an
ecosystem that is secure and resilient to cyberattacks.

The ESA MEDTECH Security Architecture framework describes an agile and repeatable
process that enables ESA security architects to assess the risk posture of the VA
MEDTECH ecosystem and support development of security reference architectures.
These security reference architectures and patterns enable VA enterprise architects and
MEDTECH system owners to build security into future MEDTECH ecosystem solutions
and is aligned with VA’s DevSecOps strategy. The ESA MEDTECH Security
Architecture framework facilitates the secure development, implementation and
integration of transformational healthcare services and technologies across several
Solution Areas, such as medical and healthcare devices, research environments,
telehealth, and EHRM. Some of these efforts include decommissioning of legacy
healthcare systems.

The Contractor shall support ESA security architects and other VA MEDTECH
ecosystem stakeholders by implementing and updating the MEDTECH Security
Architecture framework for up to four Solution Areas per year. ESA is currently
implementing the MEDTECH Security Architecture framework for two Solution Areas:
healthcare devices and research environments. Several other MEDTECH Solution
Areas have been identified as follow-on efforts. Since there is significant overlap
between the MEDTECH Solution Area requirements and the associated VA stakeholders,
the Contractor shall take an integrated and collaborative approach to Solution Area
implementations using well-defined project management, security architecture and
system engineering best practices and standards. Each MEDTECH Solution Area
implementation effort requires analyses and the development of security architecture
artifacts in support of system engineering and risk assessments. For each Solution
Area, the Contractor shall develop and update quarterly the following MEDTECH
Solution Area artifacts:

• Solution Area Stakeholder and Landscape Analyses Document, including a
Solution Area taxonomy that captures and aligns the current VA ecosystem state,
policies, use cases, workflows, stakeholders, and a structured taxonomic analysis
of Solution Area components;
• Solution Area Threat Assessment Model Document that identifies, analyzes, and
categorizes existing and emerging cybersecurity threats to Solution Area
components and related systems, aligned with the ESA Threat Model
and the MITRE ATT&CK framework; and
• Solution Area Security Architecture Pattern and Decision Support Documents,
including checklists and decision trees, that identify secure technical and logical
Solution Area components, architectural relationships between components and
with external systems, and data flows between components and with external
systems.
The Contractor shall support ESA and other VA stakeholders with up to four VA security
architecture risk assessments per Solution Area each year. The Contractor shall be
available to support outreach activities with VA and external partners, including working
groups, briefings, and technical evaluations. The Contractor shall support Project
Management and Reporting PWS requirements, including required reporting on key
activities, findings, challenges, impact, and recommendations. The Contractor shall
support the Metrics and Dashboard PWS requirements for performance measurement
requirements.

Deliverables:

A. MEDTECH Solution Area Stakeholder and Landscape Analysis Document (one
for each MEDTECH Solution Area per year and updated quarterly)
B. MEDTECH Solution Area Threat Assessment Model Document (one for each
MEDTECH Solution Area per year and updated quarterly)
C. MEDTECH Solution Area Security Patterns and Decision Support Documents (up
to six per MEDTECH Solution Area per year and updated quarterly)
D. MEDTECH Solution Area enterprise security risk assessments (up to four
assessments per MEDTECH Solution Area per year and updated as required)
5.8 SECURE HEALTH AND RESEARCH ENVIRONMENT (SH&RE)
A set of technologies involving blockchain, artificial intelligence and virtual reality has
been provided to help resolve several data sharing, cross-collaboration and related
business requirements for VA Research sites and their affiliates; namely, the Secure
Health and Research Environment (SH&RE) pilot. The Contractor shall integrate with
the SH&RE functions identified by ESA for these related innovative capabilities. The
Office of Research and Development (OR&D) and other VA initiatives, whose
ESA-identified requirements, priorities and critical cybersecurity gaps the SH&RE
supports, are key stakeholders.

The Contractor shall provide one or more of the following innovation-related capabilities:
• Demonstration and testing of existing IT products/services with realistic data;
• Development modifications and configurations necessitated by realistic data
processing and findings;
• New complementary Data and System Orchestration functionality, consistent with,
and migration-capable from, existing VA intellectual property;
• Virtual, augmented and extended reality (VR, AR, XR) platform maturation, e.g.,
connectivity of open VR adaptive devices (and equipment) and VR application
hosting/integration;
• Unmanned VA Enterprise Cloud (VAEC) support; and
• Authorization to Operate (ATO) security engineering and coordination for
integration into an operational VAEC instance.

The 5.8 requirement ends after the completion of the base period of performance. The
goal of this requirement is to complete the proof of concept testing with identified VA
locations and to deliver implementation plans and/or recommendations for expanded
use. Use Case / Models shall be developed to test out capabilities and configuration
scenarios. SCRUM Demonstrations/Testing, Use Case Diagrams and Briefings to
assess progress and test results shall be performed monthly by the contractor through
the base period of performance. The Project Plan and Schedule shall be developed
collaboratively with the Government lead.

Deliverables:

A. SCRUM Demonstrations and Briefings
B. Requirements Plan (includes mapping to ESA designs)
C. Project Plan and Schedule
D. Use Case Models
E. System and Data Flow Diagrams
F. User and Integration Test Plans
G. Implementation Plan
H. Security Plan
6.0 GENERAL REQUIREMENTS
6.1 PERFORMANCE METRICS
The table below defines the Performance Standards and Acceptable Levels of
Performance associated with this effort.

Columns: Performance Objective / Performance Standard / Acceptable Levels of Performance

A. Technical / Quality of Product or Service
   Performance Standard: (1) Shows understanding of requirements; (2) Efficient and
   effective in meeting requirements; (3) Meets technical needs and mission
   requirements; (4) Provides quality services/products
   Acceptable Level of Performance: Satisfactory or higher

B. Project Milestones and Schedule
   Performance Standard: (1) Quick response capability; (2) Products completed,
   reviewed, delivered in accordance with the established schedule; (3) Notifies
   customer in advance of potential problems
   Acceptable Level of Performance: Satisfactory or higher

C. Cost & Staffing
   Performance Standard: (1) Currency of expertise and staffing levels appropriate;
   (2) Personnel possess necessary knowledge, skills and abilities to perform tasks
   Acceptable Level of Performance: Satisfactory or higher

D. Management
   Performance Standard: (1) Integration and coordination of all activities to execute
   effort
   Acceptable Level of Performance: Satisfactory or higher

The COR will utilize a Quality Assurance Surveillance Plan (QASP) throughout the life
of the TO to ensure that the Contractor is performing the services required by this PWS
in an acceptable level of performance. The Government reserves the right to alter or
change the QASP at its own discretion. A Performance Based Service Assessment will
be used by the COR in accordance with the QASP to assess Contractor performance.

6.2 SECTION 508 – INFORMATION AND COMMUNICATION TECHNOLOGY (ICT) STANDARDS

On January 18, 2017, the Architectural and Transportation Barriers Compliance Board
(Access Board) revised and updated, in a single rulemaking, standards for electronic
and information technology developed, procured, maintained, or used by Federal
agencies covered by Section 508 of the Rehabilitation Act of 1973, as well as our
guidelines for telecommunications equipment and customer premises equipment
covered by Section 255 of the Communications Act of 1934. The revisions and updates
to the Section 508-based standards and Section 255-based guidelines are intended to
ensure that information and communication technology (ICT) covered by the respective
statutes is accessible to and usable by individuals with disabilities.

The following Section 508 Requirements supersede Addendum A, Section A3 from the
T4NG Basic PWS.

The Section 508 standards established by the Access Board are incorporated into, and
made part of all VA orders, solicitations and purchase orders developed to procure ICT.
These standards are found in their entirety at: https://www.access-board.gov/guidelines-and-standards/communications-and-it/about-the-ict-refresh/final-rule/text-of-the-standards-and-guidelines.
A printed copy of the standards will be supplied upon request.

Federal agencies must comply with the updated Section 508 Standards beginning on
January 18, 2018. The Final Rule as published in the Federal Register is available from
the Access Board: https://www.access-board.gov/guidelines-and-standards/communications-and-it/about-the-ict-refresh/final-rule.

The Contractor shall comply with “508 Chapter 2: Scoping Requirements” for all
electronic ICT and content delivered under this contract. Specifically, as appropriate for
the technology and its functionality, the Contractor shall comply with the technical
standards marked here:

E205 Electronic Content – (Accessibility Standard - WCAG 2.0 Level A and AA Guidelines)
E204 Functional Performance Criteria
E206 Hardware Requirements
E207 Software Requirements
E208 Support Services and Documentation Requirements

6.2.1 COMPATIBILITY WITH ASSISTIVE TECHNOLOGY
The standards do not require installation of specific accessibility-related software or
attachment of an assistive technology device. Section 508 requires that ICT be
compatible with such software and devices so that ICT can be accessible to and usable
by individuals using assistive technology, including but not limited to screen readers,
screen magnifiers, and speech recognition software.

6.2.2 ACCEPTANCE AND ACCEPTANCE TESTING

Deliverables resulting from this solicitation will be accepted based in part on satisfaction
of the Section 508 Chapter 2: Scoping Requirements standards identified above.

The Government reserves the right to test for Section 508 Compliance before delivery.
The Contractor shall be able to demonstrate Section 508 Compliance upon delivery.

6.3 ORGANIZATIONAL CONFLICT OF INTEREST

All functions related to Acquisition Support shall be on an advisory basis only. Please be
advised that since the awardee of this Task Order will provide systems engineering,
technical direction, specifications, work statements, and evaluation services, some
restrictions on future activities of the awardee may be required in accordance with FAR
9.5 and the clause entitled, Organizational Conflict of Interest, found in Section H of the
T4NG basic contract. The Contractor and its employees, as appropriate, shall be
required to sign Non-Disclosure Agreements (Appendix A).

6.4 ASSESSMENT AND AUTHORIZATION (A&A) (previously called CERTIFICATION AND ACCREDITATION (C&A))

The Contractor shall support the Authority to Operate (ATO) process by providing
requested documentation IAW VA Handbook 6500.3, “Assessment, Authorization, And
Continuous Monitoring of VA Information Systems,” February 3, 2014. The Contractor
shall maintain FISMA Moderate Certification as well as provide all ATO Security and
Computing Environment Documentation and support required for the VA to maintain the
ATO without interruption throughout the entire period of performance. The Contractor
shall also support the certification and accreditation process by providing a 508
Compliance Certificate.

The Assessment & Authorization (A&A) requirements do not apply, and a Security
Accreditation Package is not required.

Deliverables:

A. ATO Security and Computing Environment Documentation
B. 508 Compliance Certificate

ADDENDUM B – VA INFORMATION AND INFORMATION SYSTEM SECURITY/PRIVACY LANGUAGE
APPLICABLE PARAGRAPHS TAILORED FROM: THE VA INFORMATION AND INFORMATION SYSTEM
SECURITY/PRIVACY LANGUAGE, VA HANDBOOK 6500.6, APPENDIX C, MARCH 12, 2010

B1. GENERAL

Contractors, Contractor personnel, Subcontractors, and Subcontractor personnel shall
be subject to the same Federal laws, regulations, standards, and VA Directives and
Handbooks as VA and VA personnel regarding information and information system
security.

B2. ACCESS TO VA INFORMATION AND VA INFORMATION SYSTEMS

a. A Contractor/Subcontractor shall request logical (technical) or physical access to
VA information and VA information systems for their employees, Subcontractors, and
affiliates only to the extent necessary to perform the services specified in the contract,
agreement, or task order.

b. All Contractors, Subcontractors, and third-party servicers and associates working
with VA information are subject to the same investigative requirements as those of VA
appointees or employees who have access to the same types of information. The level
and process of background security investigations for Contractors must be in
accordance with VA Directive and Handbook 0710, Personnel Suitability and Security
Program. The Office for Operations, Security, and Preparedness is responsible for
these policies and procedures.

c. Contract personnel who require access to national security programs must have
a valid security clearance. National Industrial Security Program (NISP) was established
by Executive Order 12829 to ensure that cleared U.S. defense industry contract
personnel safeguard the classified information in their possession while performing work
on contracts, programs, bids, or research and development efforts. The Department of
Veterans Affairs does not have a Memorandum of Agreement with Defense Security
Service (DSS). Verification of a Security Clearance must be processed through the
Special Security Officer located in the Planning and National Security Service within the
Office of Operations, Security, and Preparedness.

d. Custom software development and outsourced operations must be located in the
U.S. to the maximum extent practical. If such services are proposed to be performed
abroad and are not disallowed by other VA policy or mandates (e.g. Business Associate
Agreement, Section 3G), the Contractor/Subcontractor must state where all non-U.S.
services are provided and detail a security plan, deemed to be acceptable by VA,
specifically to address mitigation of the resulting problems of communication, control,
data protection, and so forth. Location within the U.S. may be an evaluation factor.

e. The Contractor or Subcontractor must notify the CO immediately when an
employee working on a VA system or with access to VA information is reassigned or
leaves the Contractor or Subcontractor’s employ. The CO must also be notified
immediately by the Contractor or Subcontractor prior to an unfriendly termination.

B3. VA INFORMATION CUSTODIAL LANGUAGE

1. Information made available to the Contractor or Subcontractor by VA for the
performance or administration of this contract or information developed by the
Contractor/Subcontractor in performance or administration of the contract shall be used
only for those purposes and shall not be used in any other way without the prior written
agreement of VA. This clause expressly limits the Contractor/Subcontractor's rights to
use data as described in Rights in Data - General, FAR 52.227-14(d)(1).

2. VA information should not be co-mingled, if possible, with any other data on the
Contractor’s/Subcontractor’s information systems or media storage systems in order to
ensure VA requirements related to data protection and media sanitization can be met. If
co-mingling must be allowed to meet the requirements of the business need, the
Contractor must ensure that VA information is returned to VA or destroyed in
accordance with VA’s sanitization requirements. VA reserves the right to conduct on-
site inspections of Contractor and Subcontractor IT resources to ensure data security
controls, separation of data and job duties, and destruction/media sanitization
procedures are in compliance with VA directive requirements.

3. Prior to termination or completion of this contract, Contractor/Subcontractor must
not destroy information received from VA, or gathered/created by the Contractor in the
course of performing this contract without prior written approval by VA. Any data
destruction done on behalf of VA by a Contractor/Subcontractor must be done in
accordance with National Archives and Records Administration (NARA) requirements
as outlined in VA Directive 6300, Records and Information Management and its
Handbook 6300.1 Records Management Procedures, applicable VA Records Control
Schedules, and VA Handbook 6500.1, Electronic Media Sanitization. Self-certification
by the Contractor that the data destruction requirements above have been met must be
sent to the VA CO within 30 days of termination of the contract.

4. The Contractor/Subcontractor must receive, gather, store, back up, maintain,
use, disclose and dispose of VA information only in compliance with the terms of the
contract and applicable Federal and VA information confidentiality and security laws,
regulations and policies. If Federal or VA information confidentiality and security laws,
regulations and policies become applicable to VA information or information systems
after execution of the contract, or if NIST issues or updates applicable FIPS or Special
Publications (SP) after execution of this contract, the parties agree to negotiate in good
faith to implement the information confidentiality and security laws, regulations and
policies in this contract.

5. The Contractor/Subcontractor shall not make copies of VA information except as
authorized and necessary to perform the terms of the agreement or to preserve
electronic information stored on Contractor/Subcontractor electronic storage media for
restoration in case any electronic equipment or data used by the
Contractor/Subcontractor needs to be restored to an operating state. If copies are made
for restoration purposes, after the restoration is complete, the copies must be
appropriately destroyed.

6. If VA determines that the Contractor has violated any of the information
confidentiality, privacy, and security provisions of the contract, it shall be sufficient
grounds for VA to withhold payment to the Contractor or third party or terminate the
contract for default or terminate for cause under Federal Acquisition Regulation (FAR)
part 12.

7. If a VHA contract is terminated for cause, the associated Business Associate
Agreement (BAA) must also be terminated and appropriate actions taken in accordance
with VHA Handbook 1600.05, Business Associate Agreements. Absent an agreement to
use or disclose protected health information, there is no business associate relationship.

8. The Contractor/Subcontractor must store, transport, or transmit VA sensitive
information in an encrypted form, using VA-approved encryption tools that are, at a
minimum, FIPS 140-2 validated.

9. The Contractor/Subcontractor’s firewall and Web services security controls, if
applicable, shall meet or exceed VA minimum requirements. VA Configuration
Guidelines are available upon request.

10. Except for uses and disclosures of VA information authorized by this contract for
performance of the contract, the Contractor/Subcontractor may use and disclose VA
information only in two other situations: (i) in response to a qualifying order of a court of
competent jurisdiction, or (ii) with VA prior written approval. The
Contractor/Subcontractor must refer all requests for, demands for production of, or
inquiries about, VA information and information systems to the VA CO for response.

11. Notwithstanding the provision above, the Contractor/Subcontractor shall not
release VA records protected by Title 38 U.S.C. 5705, confidentiality of medical quality
assurance records and/or Title 38 U.S.C. 7332, confidentiality of certain health records
pertaining to drug addiction, sickle cell anemia, alcoholism or alcohol abuse, or infection
with human immunodeficiency virus. If the Contractor/Subcontractor is in receipt of a
court order or other requests for the above mentioned information, that
Contractor/Subcontractor shall immediately refer such court orders or other requests to
the VA CO for response.

12. For service that involves the storage, generating, transmitting, or exchanging of
VA sensitive information but does not require Assessment and Authorization (A&A) or a
Memorandum of Understanding-Interconnection Security Agreement (MOU-ISA) for
system interconnection, the Contractor/Subcontractor must complete a Contractor
Security Control Assessment (CSCA) on a yearly basis and provide it to the COR.

B4. INFORMATION SYSTEM DESIGN AND DEVELOPMENT

1. Information systems that are designed or developed for or on behalf of VA at
non-VA facilities shall comply with all VA directives developed in accordance with
FISMA, HIPAA, NIST, and related VA security and privacy control requirements for
Federal information systems. This includes standards for the protection of electronic
PHI, outlined in 45 C.F.R. Part 164, Subpart C, information and system security
categorization level designations in accordance with FIPS 199 and FIPS 200 with
implementation of all baseline security controls commensurate with the FIPS 199
system security categorization (reference VA Handbook 6500, Risk Management
Framework for VA Information Systems – Tier 3: VA Information Security Program, and
the TIC Reference Architecture). During the development cycle a Privacy Impact
Assessment (PIA) must be completed, provided to the COR, and approved by the VA
Privacy Service in accordance with Directive 6508, Implementation of Privacy
Threshold Analysis and Privacy Impact Assessment.

2. The Contractor/Subcontractor shall certify to the COR that applications are fully
functional and operate correctly as intended on systems using the VA Federal Desktop
Core Configuration (FDCC), and the common security configuration guidelines provided
by NIST or VA. This includes Internet Explorer 11 configured to operate on Windows 10
and future versions, as required.

3. The standard installation, operation, maintenance, updating, and patching of
software shall not alter the configuration settings from the VA approved and FDCC
configuration. Information technology staff must also use the Windows Installer Service
for installation to the default “program files” directory and silently install and uninstall.

4. Applications designed for normal end users shall run in the standard user context
without elevated system administration privileges.

5. The security controls must be designed, developed, approved by VA, and
implemented in accordance with the provisions of VA security system development life
cycle as outlined in NIST Special Publication 800-37, Guide for Applying the Risk
Management Framework to Federal Information Systems, VA Handbook 6500, Risk
Management Framework for VA Information Systems – Tier 3: VA Information Security
Program and VA Handbook 6500.5, Incorporating Security and Privacy in System
Development Lifecycle.

6. The Contractor/Subcontractor is required to design, develop, or operate a
System of Records Notice (SOR) on individuals to accomplish an agency function
subject to the Privacy Act of 1974, (as amended), Public Law 93-579, December 31,
1974 (5 U.S.C. 552a) and applicable agency regulations. Violation of the Privacy Act
may involve the imposition of criminal and civil penalties.

7. The Contractor/Subcontractor agrees to:

a. Comply with the Privacy Act of 1974 (the Act) and the agency rules and
regulations issued under the Act in the design, development, or operation of any system
of records on individuals to accomplish an agency function when the contract
specifically identifies:

i. The Systems of Records (SOR); and

ii. The design, development, or operation work that the Contractor/Subcontractor is
to perform;

b. Include the Privacy Act notification contained in this contract in every solicitation
and resulting subcontract and in every subcontract awarded without a solicitation, when
the work statement in the proposed subcontract requires the redesign, development, or
operation of a SOR on individuals that is subject to the Privacy Act; and

c. Include this Privacy Act clause, including this subparagraph (c), in all
subcontracts awarded under this contract which require the design, development, or
operation of such a SOR.

8. In the event of violations of the Act, a civil action may be brought against the
agency involved when the violation concerns the design, development, or operation of a
SOR on individuals to accomplish an agency function, and criminal penalties may be
imposed upon the officers or employees of the agency when the violation concerns the
operation of a SOR on individuals to accomplish an agency function. For purposes of
the Act, when the contract is for the operation of a SOR on individuals to accomplish an
agency function, the Contractor/Subcontractor is considered to be an employee of the
agency.

a. “Operation of a System of Records” means performance of any of the activities
associated with maintaining the SOR, including the collection, use, maintenance, and
dissemination of records.

b. “Record” means any item, collection, or grouping of information about an
individual that is maintained by an agency, including, but not limited to, education,
financial transactions, medical history, and criminal or employment history and contains
the person’s name, or identifying number, symbol, or any other identifying particular
assigned to the individual, such as a fingerprint or voiceprint, or a photograph.

c. “System of Records” means a group of any records under the control of any
agency from which information is retrieved by the name of the individual or by some
identifying number, symbol, or other identifying particular assigned to the individual.

9. The vendor shall ensure the security of all procured or developed systems and
technologies, including their subcomponents (hereinafter referred to as “Systems”),
throughout the life of this contract and any extension, warranty, or maintenance periods.
This includes, but is not limited to workarounds, patches, hot fixes, upgrades, and any
physical components (hereafter referred to as Security Fixes) which may be necessary
to fix all security vulnerabilities published or known to the vendor anywhere in the
Systems, including Operating Systems and firmware. The vendor shall ensure that
Security Fixes shall not negatively impact the Systems.

The vendor shall notify VA within 24 hours of the discovery or disclosure of successful
exploits of the vulnerability which can compromise the security of the Systems
(including the confidentiality or integrity of its data and operations, or the availability of
the system). Such issues shall be remediated as quickly as is practical, based upon
the severity of the incident.

When the Security Fixes involve installing third party patches (such as Microsoft OS
patches or Adobe Acrobat), the vendor will provide written notice to VA that the patch
has been validated as not affecting the Systems within 10 working days. When the
vendor is responsible for operations or maintenance of the Systems, they shall apply
the Security Fixes based upon the requirements identified within the contract.

10. All other vulnerabilities shall be remediated as specified in this paragraph in a
timely manner based on risk, but within 60 days of discovery or disclosure. Exceptions
to this paragraph (e.g. for the convenience of VA) shall only be granted with approval of
the CO and the VA Assistant Secretary for Office of Information and Technology.

B5. INFORMATION SYSTEM HOSTING, OPERATION, MAINTENANCE, OR USE

a. For information systems that are hosted, operated, maintained, or used on behalf
of VA at non-VA facilities, Contractors/Subcontractors are fully responsible and
accountable for ensuring compliance with all HIPAA, Privacy Act, FISMA, NIST, FIPS,
and VA security and privacy directives and handbooks. This includes conducting
compliant risk assessments, routine vulnerability scanning, system patching and change
management procedures, and the completion of an acceptable contingency plan for
each system. The Contractor’s security control procedures must be equivalent to those
procedures used to secure VA systems. A Privacy Impact Assessment (PIA) must also
be provided to the COR and approved by VA Privacy Service prior to operational
approval. All external Internet connections to VA network involving VA information must
be in accordance with the TIC Reference Architecture and reviewed and approved by
VA prior to implementation. For Cloud Services hosting, the Contractor shall also
ensure compliance with the Federal Risk and Authorization Management Program
(FedRAMP).

b. Adequate security controls for collecting, processing, transmitting, and storing of
Personally Identifiable Information (PII), as determined by the VA Privacy Service, must
be in place, tested, and approved by VA prior to hosting, operation, maintenance, or use
of the information system, or systems by or on behalf of VA. These security controls are
to be assessed and stated within the PIA and if these controls are determined not to be
in place, or inadequate, a Plan of Action and Milestones (POA&M) must be submitted
and approved prior to the collection of PII.

c. Outsourcing (Contractor facility, Contractor equipment or Contractor staff) of
systems or network operations, telecommunications services, or other managed
services requires A&A of the Contractor’s systems in accordance with VA Handbook
6500.3, Assessment, Authorization and Continuous Monitoring of VA Information
Systems and/or the VA OCS Certification Program Office. Government-owned
(Government facility or Government equipment) Contractor-operated systems, third
party or business partner networks require memorandums of understanding and
interconnection security agreements (MOU-ISA) which detail what data types are
shared, who has access, and the appropriate level of security controls for all systems
connected to VA networks.

d. The Contractor/Subcontractor’s system must adhere to all FISMA, FIPS, and
NIST standards related to the annual FISMA security controls assessment and review
and update the PIA. Any deficiencies noted during this assessment must be provided to
the VA CO and the ISO for entry into the VA POA&M management process. The
Contractor/Subcontractor must use the VA POA&M process to document planned
remedial actions to address any deficiencies in information security policies,
procedures, and practices, and the completion of those activities. Security deficiencies
must be corrected within the timeframes approved by the Government.
Contractor/Subcontractor procedures are subject to periodic, unannounced
assessments by VA officials, including the VA Office of Inspector General. The physical
security aspects associated with Contractor/Subcontractor activities must also be
subject to such assessments. If major changes to the system occur that may affect the
privacy or security of the data or the system, the A&A of the system may need to be
reviewed, retested and re-authorized per VA Handbook 6500.3. This may require
reviewing and updating all of the documentation (PIA, System Security Plan, and
Contingency Plan). The Certification Program Office can provide guidance on whether a
new A&A would be necessary.

e. The Contractor/Subcontractor must conduct an annual self-assessment on all
systems and outsourced services as required. Both hard copy and electronic copies of
the assessment must be provided to the COR. The Government reserves the right to
conduct such an assessment using Government personnel or another
Contractor/Subcontractor. The Contractor/Subcontractor must take appropriate and
timely action (this can be specified in the contract) to correct or mitigate any
weaknesses discovered during such testing, generally at no additional cost.

f. VA prohibits the installation and use of personally-owned or
Contractor/Subcontractor owned equipment or software on the VA network. If non-VA
owned equipment must be used to fulfill the requirements of a contract, it must be
stated in the service agreement, SOW or contract. All of the security controls required
for Government furnished equipment (GFE) must be utilized in approved other
equipment (OE) and must be funded by the owner of the equipment. All remote systems
must be equipped with, and use, a VA-approved antivirus (AV) software and a personal
(host-based or enclave based) firewall that is configured with a VA approved
configuration. Software must be kept current, including all critical updates and patches.
Owners of approved OE are responsible for providing and maintaining the anti-viral
software and the firewall on the non-VA owned OE.

g. All electronic storage media used on non-VA leased or non-VA owned IT
equipment that is used to store, process, or access VA information must be handled in
adherence with VA Handbook 6500.1, Electronic Media Sanitization upon: (i)
completion or termination of the contract or (ii) disposal or return of the IT equipment by
the Contractor/Subcontractor or any person acting on behalf of the
Contractor/Subcontractor, whichever is earlier. Media (hard drives, optical disks, CDs,
back-up tapes, etc.) used by the Contractors/Subcontractors that contain VA information
must be returned to VA for sanitization or destruction or the Contractor/Subcontractor
must self-certify that the media has been disposed of per 6500.1 requirements. This
must be completed within 30 days of termination of the contract.

h. Bio-Medical devices and other equipment or systems containing media (hard
drives, optical disks, etc.) with VA sensitive information must not be returned to the
vendor at the end of lease, for trade-in, or other purposes. The options are:

1) Vendor must accept the system without the drive;

2) VA’s initial medical device purchase includes a spare drive which must be installed
in place of the original drive at time of turn-in; or

3) VA must reimburse the company for media at a reasonable open market
replacement cost at time of purchase.

4) Due to the highly specialized and sometimes proprietary hardware and software
associated with medical equipment/systems, if it is not possible for VA to retain the
hard drive, then;

a) The equipment vendor must have an existing BAA if the device being traded in
has sensitive information stored on it and hard drive(s) from the system are being
returned physically intact; and

b) Any fixed hard drive on the device must be non-destructively sanitized to the
greatest extent possible without negatively impacting system operation. Selective
clearing down to patient data folder level is recommended using VA approved and
validated overwriting technologies/methods/tools. Applicable media sanitization
specifications need to be preapproved and described in the purchase order or
contract.

c) A statement needs to be signed by the Director (System Owner) that states that
the drive could not be removed and that (a) and (b) controls above are in place and
completed. The ISO needs to maintain the documentation.

B6. SECURITY INCIDENT INVESTIGATION

a. The term “security incident” means an event that has, or could have, resulted in
unauthorized access to, loss or damage to VA assets, or sensitive information, or an
action that breaches VA security procedures. The Contractor/Subcontractor shall
immediately notify the COR and simultaneously, the designated ISO and Privacy Officer
for the contract of any known or suspected security/privacy incidents, or any
unauthorized disclosure of sensitive information, including that contained in system(s) to
which the Contractor/Subcontractor has access.

b. To the extent known by the Contractor/Subcontractor, the
Contractor/Subcontractor’s notice to VA shall identify the information involved, the
circumstances surrounding the incident (including to whom, how, when, and where the
VA information or assets were placed at risk or compromised), and any other
information that the Contractor/Subcontractor considers relevant.

c. With respect to unsecured protected health information, the business associate is
deemed to have discovered a data breach when the business associate knew or should
have known of a breach of such information. Upon discovery, the business associate
must notify the covered entity of the breach. Notifications need to be made in
accordance with the executed business associate agreement.

d. In instances of theft or break-in or other criminal activity, the
Contractor/Subcontractor must concurrently report the incident to the appropriate law
enforcement entity (or entities) of jurisdiction, including the VA OIG and Security and
Law Enforcement. The Contractor, its employees, and its Subcontractors and their
employees shall cooperate with VA and any law enforcement authority responsible for
the investigation and prosecution of any possible criminal law violation(s) associated
with any incident. The Contractor/Subcontractor shall cooperate with VA in any civil
litigation to recover VA information, obtain monetary or other compensation from a third
party for damages arising from any incident, or obtain injunctive relief against any third
party arising from, or related to, the incident.

B7. LIQUIDATED DAMAGES FOR DATA BREACH

a. Consistent with the requirements of 38 U.S.C. §5725, a contract may require
access to sensitive personal information. If so, the Contractor is liable to VA for
liquidated damages in the event of a data breach or privacy incident involving any SPI
the Contractor/Subcontractor processes or maintains under this contract. However, it is
the policy of VA to forgo collection of liquidated damages in the event the Contractor
provides payment of actual damages in an amount determined to be adequate by the
agency.

b. The Contractor/Subcontractor shall provide notice to VA of a “security incident”
as set forth in the Security Incident Investigation section above. Upon such notification,
VA must secure from a non-Department entity or the VA Office of Inspector General an
independent risk analysis of the data breach to determine the level of risk associated
with the data breach for the potential misuse of any sensitive personal information
involved in the data breach. The term 'data breach' means the loss, theft, or other
unauthorized access, or any access other than that incidental to the scope of
employment, to data containing sensitive personal information, in electronic or printed
form, that results in the potential compromise of the confidentiality or integrity of the
data. Contractor shall fully cooperate with the entity performing the risk analysis. Failure
to cooperate may be deemed a material breach and grounds for contract termination.

c. Each risk analysis shall address all relevant information concerning the data
breach, including the following:

1) Nature of the event (loss, theft, unauthorized access);

2) Description of the event, including:

a) date of occurrence;

b) data elements involved, including any PII, such as full name, social
security number, date of birth, home address, account number, disability code;

3) Number of individuals affected or potentially affected;

4) Names of individuals or groups affected or potentially affected;

5) Ease of logical data access to the lost, stolen or improperly accessed data in light
of the degree of protection for the data, e.g., unencrypted, plain text;

6) Amount of time the data has been out of VA control;

7) The likelihood that the sensitive personal information will or has been
compromised (made accessible to and usable by unauthorized persons);

8) Known misuses of data containing sensitive personal information, if any;

9) Assessment of the potential harm to the affected individuals;

10) Data breach analysis as outlined in 6500.2 Handbook, Management of
Breaches Involving Sensitive Personal Information, as appropriate; and

11) Whether credit protection services may assist record subjects in avoiding
or mitigating the results of identity theft based on the sensitive personal information
that may have been compromised.

d. Based on the determinations of the independent risk analysis, the Contractor
shall be responsible for paying to VA liquidated damages in the amount of $37.50 per
affected individual to cover the cost of providing credit protection services to affected
individuals consisting of the following:

1) Notification;
2) One year of credit monitoring services consisting of automatic daily
monitoring of at least 3 relevant credit bureau reports;
3) Data breach analysis;
4) Fraud resolution services, including writing dispute letters, initiating fraud
alerts and credit freezes, to assist affected individuals to bring matters to
resolution;
5) One year of identity theft insurance with $20,000.00 coverage at $0
deductible; and
6) Necessary legal expenses the subjects may incur to repair falsified or
damaged credit records, histories, or financial affairs.

B8. SECURITY CONTROLS COMPLIANCE TESTING

On a periodic basis, VA, including the Office of Inspector General, reserves the right to
evaluate any or all of the security controls and privacy practices implemented by the
Contractor under the clauses contained within the contract. With 10 working-days’
notice, at the request of the Government, the Contractor must fully cooperate and assist
in a Government-sponsored security controls assessment at each location wherein VA
information is processed or stored, or information systems are developed, operated,
maintained, or used on behalf of VA, including those initiated by the Office of Inspector
General. The Government may conduct a security control assessment on shorter notice
(to include unannounced assessments) as determined by VA in the event of a security
incident or at any other time.

B9. TRAINING

a. All Contractor employees and Subcontractor employees requiring access to VA
information and VA information systems shall complete the following before being
granted access to VA information and its systems:

1) Sign and acknowledge (either manually or electronically) understanding of and
responsibilities for compliance with the VA Information Security Rules of
Behavior, relating to access to VA information and information systems;

2) Successfully complete the VA Privacy and Information Security Awareness and
Rules of Behavior course (TMS 2.0 # VA 10176) and complete this required
privacy and information security training annually;

3) Successfully complete any additional cyber security or privacy training, as
required for VA personnel with equivalent information system access [to be
defined by the VA program official and provided to the CO for inclusion in the
solicitation document – e.g., any role-based information security training required
in accordance with NIST Special Publication 800-16, Information Technology
Security Training Requirements.]

b. The Contractor shall provide to the CO and/or the COR a copy of the training
certificates and certification of signing the Contractor Rules of Behavior for each
applicable employee within 2 days of the initiation of the contract and annually
thereafter, as required.

c. Failure to complete the mandatory annual training and electronically sign the
Rules of Behavior annually, within the timeframe required, is grounds for suspension
or termination of all physical or electronic access privileges and removal from work on
the contract until such time as the training and documents are complete.

APPENDIX A

CONTRACTOR NON-DISCLOSURE AGREEMENT

This Agreement refers to Contract/Order _________________ entered into between the Department of
Veterans Affairs and _________________________ (Contractor).

As an officer of <fill in name of Contractor>, authorized to bind the company, I understand that in
connection with our participation in the <fill in program> acquisition under the subject
Contract/Order, Contractor’s employees may acquire or have access to procurement sensitive or
source selection information relating to any aspect of <fill in program> acquisition. Company <fill
in name> hereby agrees that it will obtain Contractor - Employee Personal Financial
Interest/Protection of Sensitive Information Agreements from any and all employees who will be
tasked to perform work under the subject Contract/Order prior to their assignment to that
Contract/Order. The Company shall provide a copy of each signed agreement to the Contracting
Officer. Company <fill in name> acknowledges that the Contractor - Employee Personal Financial
Interest/Protection of Sensitive Information Agreements require Contractor’s employee(s) to
promptly notify Company management in the event that the employee releases any of the
information covered by that agreement and/or whether during the course of their participation, the
employee, his or her spouse, minor children or any member of the employee’s immediate
family/household has/or acquires any holdings or interest whatsoever in any other private
organization (e.g., contractors, offerors, their subcontractors, joint venture partners, or team
members), identified to the employee during the course of the employee’s participation, which may
have an interest in the matter the Company is supporting pursuant to the above stated
Contract/Order. The Company agrees to educate its employees in regard to their conflict of interest
responsibilities.

Company <fill in name> further agrees that it will notify the Contracting Officer within 24 hours, or the
next working day, whichever is later, of any employee violation. The notification will identify the
business organization or other entity, or individual person, to whom the information in question was
divulged and the content of that information. Company <fill in name> agrees, in the event of such
notification, that, unless authorized otherwise by the Contracting Officer, it will immediately withdraw
that employee from further participation in the acquisition until the Organizational Conflict of Interest
issue is resolved.

This agreement shall be interpreted under and in conformance with the laws of the United States.

________________________________________ ________________________________________

Signature and Date Company

_________________________________________ _________________________________________

Printed Name Phone Number


CONTRACTOR EMPLOYEE
PERSONAL FINANCIAL INTEREST/PROTECTION OF SENSITIVE
INFORMATION AGREEMENT

This Agreement refers to Contract/Order _____________________ entered into between the
Department of Veterans Affairs and ____________________ (Contractor).

As an employee of the aforementioned Contractor, I understand that in connection with my
involvement in the support of the above-referenced Contract/Order, I may receive or have access to
certain “sensitive information” relating to said Contract/Order, and/or may be called upon to perform
services which could have a potential impact on the financial interests of other companies, businesses or
corporate entities. I hereby agree that I will not discuss or otherwise disclose (except as may be legally
or contractually required) any such “sensitive information” maintained by the Department of Veterans
Affairs or by others on behalf of the Department of Veterans Affairs, to any person, including personnel
in my own organization, not authorized to receive such information.

“Sensitive information” includes:

(a) Information provided to the Contractor or the Government that would be competitively
useful on current or future related procurements; or
(b) Is considered source selection information or bid and proposal information as defined in FAR
2.101, and FAR 3.104-4; or
(c) Contains (1) information about a Contractor’s pricing, rates, costs, schedule, or contract
performance; or (2) the Government’s analysis of that information; or
(d) Program information relating to current or estimated budgets, schedules or other financial
information relating to the program office; or
(e) Is properly marked as source selection information or any similar markings.

Should “sensitive information” be provided to me under this Contract/Order, I agree not to discuss or
disclose such information with/to any individual not authorized to receive such information. If there is
any uncertainty as to whether the disclosed information comprises “sensitive information”, I will request
my employer to request a determination in writing from the Department of Veterans Affairs Contracting
Officer as to the need to protect this information from disclosure.

I will promptly notify my employer if, during my participation in the subject Contract/Order, I am
assigned any duties that could affect the interests of a company, business or corporate entity in which
either I, my spouse or minor children, or any member of my immediate family/household has a personal
financial interest. “Financial interest” is defined as compensation for employment in the form of wages,
salaries, commissions, professional fees, or fees for business referrals, or any financial investments in
the business in the form of direct stocks or bond ownership, or partnership interest (excluding non-
directed retirement or other mutual fund investments). In the event that, at a later date, I acquire
actual knowledge of such an interest or my employer becomes involved in proposing for a solicitation
resulting from the work under this Contract/Order, as either an offeror, an advisor to an offeror, or as a
Subcontractor to an offeror, I will promptly notify my employer. I understand this may disqualify me
from any further involvement with this Contract/Order, as agreed upon between the Department of
Veterans Affairs and my company.

Among the possible consequences, I understand that violation of any of the above
conditions/requirements may result in my immediate disqualification or termination from working on
this Contract/Order pending legal and contractual review.

I further understand and agree that all Confidential, Proprietary and/or Sensitive Information shall be
retained, disseminated, released, and destroyed in accordance with the requirements of law and
applicable Federal or Department of Veterans Affairs directives, regulations, instructions, policies and
guidance.

This Agreement shall be interpreted under and in conformance with the laws of the United States.

I agree to the Terms of this Agreement and certify that I have read and understand the above
Agreement. I further certify that the statements made herein are true and correct.

_________________________________________ _________________________________________

Signature and Date Company

_________________________________________ _________________________________________

Printed Name Phone Number
