Sources Sought Notice

SUBJE Performance Oversight and Access Reporting (POAR) Software as a Service (SaaS)
CT* (VA-25-00012049)

GENERAL INFORMATION
CONTRACTING OFFICE’S ZIP CODE* 07724

SOLICITATION NUMBER* 36C10B25Q0022

RESPONSE DATE/TIME/ZONE 10-16-2024 1:00PM EASTERN TIME, NEW

YORK, USA

ARCHIVE 60 DAYS AFTER THE RESPONSE DATE

RECOVERY ACT FUNDS N

SET-ASIDE

PRODUCT SERVICE CODE* DA10

NAICS CODE* 541519

CONTRACTING OFFICE ADDRESS Department of Veterans Affairs

Technology Acquisition Center

23 Christopher Way

Eatontown NJ 07724

POINT OF CONTACT* Contract Specialist

Erica Wortman

Erica.Wortman@va.gov

PLACE OF PERFORMANCE
ADDRESS

*= Required Field Sources Sought Notice

Page 1 of 79
 Sources Sought Notice

POSTAL CODE

COUNTRY

ADDITIONAL INFORMATION
AGENCY’S URL

URL DESCRIPTION

AGENCY CONTACT’S EMAIL ADDRESS

EMAIL DESCRIPTION

Sources Sought Notice

Page 2 of 79
 DESCRIPTION

Department of Veterans Affairs (VA)

Veterans Health Administration (VHA)

Integrated Veteran Care (IVC)

Request for Information (RFI)

Performance Oversight and Access Reporting (POAR) Software as a Service

(SaaS)

THIS IS A REQUEST FOR INFORMATION (RFI) ONLY (as defined in Federal

Acquisition Regulation (FAR) 15.201(e)), and shall not be considered an Invitation for
Bids, Request for Quotations, or a Request for Proposal. Do not submit a proposal or
quote. This market research is issued for information and planning purposes only and
does not constitute a solicitation nor does it restrict the Government as to the ultimate
acquisition approach. In accordance with FAR 15.201(e), responses to this notice are
not offers and cannot be accepted by the Government to form a binding contract.
Additionally, there is no obligation on the part of the Government to acquire any
products or services described in this RFI. You will not be entitled to payment for direct
or indirect costs that you incur in responding to this RFI. Any contract that might be
awarded based on information received or derived from this market research will be the
outcome of a competitive process. Interested parties are responsible for adequately
marking proprietary, restricted or competition sensitive information contained in their
response. The Government does not intend to pay for the information submitted in
response to this RFI.

Be advised that set-aside decisions may be made based on the information provided in
response to this RFI. Responses should be as complete and informative as possible.
The North American Industry Classification System (NAICS) for this requirement is
541519 with a size standard of 150 employees. A company that is a Service-Disabled
Veteran-Owned Small Business (SDVOSB) or a Veteran-Owned Small Business
(VOSB) must be VetCert registered and verified (https://veterans.certify.sba.gov).

Page 3 of 79
The purpose of this RFI is to conduct market research to obtain information pertaining to
industry capabilities and commercially available solutions for Performance Oversight
and Access Reporting (POAR) Software as a Service (SaaS).

1. VA is seeking input on potential solutions and requesting the capabilities and

experience from industry partners interested in contributing to the solution or
providing these services for VA. Businesses of all sizes are encouraged to
respond. The Government requests that contractors respond to the specific
questions provided in this Request for Information. Responses should
“demonstrate” capability, not just “confirm” the company’s belief that the
capability exists.

2. The agency does not intend to award a contract as a result of this RFI, but rather
gather capabilities and market information pertinent for project and acquisition
planning. The responses to this RFI will be captured as market research and may
contribute to the development of an acquisition strategy. Information provided
may be used to assess tradeoffs and alternatives available for the potential
requirement and may lead to the development of a solicitation. All submissions
become Government property and will not be returned. The Government
reserves the right to use information provided by respondents for any purpose
deemed necessary and legally appropriate.

The information provided in the RFI is subject to change and is not binding on the
Government.

Any organization responding to this notice should ensure that its response is complete
and sufficiently detailed.

PURPOSE

This Request for Information (RFI) is for Market Research Only.

BACKGROUND

Page 4 of 79
The Department of Veterans Affairs (VA) is the largest clinically integrated health
system in the Nation, providing access to medical care for approximately nine
million enrolled Veterans. The Veteran Health Administration (VHA) Integrated
Veteran Care (IVC) leads operational functions to ensure the care provided to
Veterans by community providers is scheduled, accessed, and paid for in a timely
manner. To ensure that all patients have adequate access to timely, high-quality,
specialized care, VA continues to deploy modernization efforts and clinical care
innovations to maximize care efficiency without jeopardizing quality or access.

VA is seeking services to configure a Software as a Service (SaaS) tool to provide

VHA IVC a comprehensive resource for automated analytical reporting leveraged
across multiple levels of the VA organization, to improve the monitoring,
management, and oversight of health care purchased outside of VA Medical
Centers (VAMC) through the Veterans Community Care Programs (VCCP).

EXISTING APPLICATIONS

VA has multiple data sources to include, (but not limited to) EDI Claims (837I, 837P,
837D, 835), Corporate Data Warehouse, Financial Service Center and Electronic
Claims Administration and Management System (eCAMS), which will need to continue
to be utilized as sources for data gathering/mining.

DESIRED END STATE

 VA is seeking a dashboard and reporting system that has the capacity to

configured and subsequently maintained which will contain categorized reports
aligning to the following dashboard titles: Network Management (NM) and
Administrative Fees Oversight (Admin Fee).
 Network Management dashboard reports consist of key elements to monitor
Network Adequacy, Veteran Access, and Provider Utilization.
 Administrative Fee Oversight dashboard reports focus on Contract Performance
Monitoring, monitoring Per Member Per Month (PMPM) fees and utilization as
well as contract Incentive/Disincentive Factors (IDF) for the Community Care
Network (CCN) Contracts.
 Reports developed shall include multiple data sources, as defined by VA during
report development, and shall include retroactive reporting ensuring at least six
(6) rolling years of reporting is housed within the dashboards.

Page 5 of 79
 Reports developed shall provide various filtering and sorting abilities and shall
also allow for geographic mapping display, when applicable as defined by VA.
 Reports developed as a part of the creation of the dashboard shall meet, but not
be limited to, the following minimum requirements:

a. Allow VHA IVC to monitor and analyze the access to care

within the CCN (Community Care Network) in relation to the calculated
timeframes between various date stamped data elements. Wait time
calculations will be processed utilizing CC referral and claims data with
the resulting outputs extracted into custom Network Management reports
that allow end users to analyze CCN coverage at various granularities,
including VA Medical Center (VAMC), Veterans Integrated Service
Network (VISN), and VA Enterprise level.
b. Allow VHA IVC to monitor and analyze the physical
coverage of the CCN (Community Care Network) in proximity to Veteran
locations and across medical specialties. Drive time calculations will be
processed utilizing CC provider and Veteran location with the resulting
outputs extracted into custom Network Management reports that allow
end users to analyze and visualize CCN coverage at various
granularities including at a Medical Center, VISN & Enterprise level.
c. This capability shall also include National Council for
Prescription Drugs Programs (NCPDP) transactions to calculate
pharmacy drive times and identifying the closest Immediate Need
Pharmacy. Drive time calculations will be processed utilizing CC provider
and Veteran location with the resulting outputs extracted into custom
Network Management reports that allow end users to analyze CCN
coverage at various granularities, including Medical Center, VISN &
Enterprise level.
d. Allow VHA IVC to monitor and analyze the utilization of
providers across VCCP through the analysis of network status and
referral volumes. Utilization will be displayed including percentage
comparisons and visuals that allow end users to analyze CCN coverage
at various granularities, including Medical Center, VISN & Enterprise
level.
e. Allow VHA IVC to monitor and analyze a visual
representation of approved network waivers (Deviations) across multiple
provider specialties and categories of care spatially compared to
approved counties and zip codes.
f. Allow VHA IVC to analyze and monitor Quality Assurance
Surveillance Plan (QASP) Performance Objective (PO) calculations of
the CCN contracts. These reports incorporate Network Dashboard

Page 6 of 79
 calculations for wait time and drive time as well as analysis of claims
processing, scheduling times, as well as other quality metrics.
g. Allow VHA IVC to monitor and analyze up to a full year of
CCN Per Member Per Month (PMPM)/Per Member Per Case (PMPC)
budgetary requirements across the unique Veteran and total expenditure
measure selection. Data incorporated into this include Invoice Payment
Processing System (IPPS) data when it is available and admin fee
projections (leveraging historical claims and referral data) when actual
information is not available. The resulting outputs extracted into custom
Admin Fee reports will allow end users to drill-down and analyze raw
data by respective PMPM/PMPC category, CCN region, and fiscal year.
h. Allow VHA IVC to monitor and analyze detailed information
on the Incentives (or disincentives) that are paid (or billed) to the CCN
Third Party Administrators (TPAs) for their performance in supporting
CCN and its various initiatives. This report shall project the feasible
range of outcomes for any given IDF, region, and future fiscal year, it
also incorporates actual Quality Assurance Surveillance Plan (QASP)
Performance Objective (PO), TPA 837/835 Electronic Data Interchange
(EDI), Provider Profile Management System (PPMS), and TPA improper
payment audit deliverable data to calculate the specific outcomes and
cost impacts for IDFs 1 – 5 by region and fiscal year.
 The underlying and supporting system housing and displaying these reports shall
meet the following minimum requirements:

a. Be FEDRAMP MODERATE authorization and validation

through FEDRAMP Marketplace with the ability to move to the High
Impact Level should the need arise. This shall apply to both the SaaS
and any cloud hosting service/infrastructure. Shall be FIPS 140- 2,
NIST 800, HIPAA, and 508 Compliant.
b. Run on a secure cloud infrastructure and shall be accessible
from various client devices through either a thin client interface, such as
a web browser (e.g., web-based email) or a program interface.
c. Not require download of software to VA computers.
d. Not require VA to manage or control the underlying cloud
infrastructure including network, servers, operating systems, storage, or
individual application capabilities.
e. Be accessible to multiple simultaneous VA users at any
given time. The number of user accounts that could be accessed
simultaneously by users of this software is estimated at 500 users.
f. Be able to support the estimated up to 50 million claims per
year with storage capacity that includes the current fiscal year as well
as six (6) prior fiscal years.

Page 7 of 79
 g. Include data objects that shall be editable with the support of
Data Authoring and Versioning (DAV) control.
h. The Contractor shall ensure the POAR SaaS tool is available
and operational for users 24/7.
i. System shall have or achieve an Enterprise-wide (VA-wide)
Authority to Operate
j. System shall support VA trusted internet connection (TIC)
k. System shall be accessible both within VA facilities and
remotely
l. System shall be a configurable Commercial-off-the-shelf
(COTS) SaaS product
m. System shall enable direct Single-Sign-On (SSO) through
integration with VA’s SSOe
n. System shall have adaptable integration options to support
integrations with future VA systems
o. System shall allow for integration with current and future
COTS software and analytical tools utilized by VA, including but not
limited to Tableau, MS Power BI, Service Now
p. VA Users shall be able to appropriately export information
from the system, consistent with VA security and privacy requirements
(User Role access or other solutions to restrict access to protect PII)
q. System shall facilitate role-based user access and
authorization
r. System shall be able to provide continuous release
capability
s. System shall be able to offer Application Program Interfaces
(APIs) that can be consumed by VA systems, e.g., VA.GOV
t. System shall maintain capacity to have data refreshed and
validated monthly
u. Provide unlimited end user access to POAR SaaS solution
via a secure website.

INSTRUCTIONS FOR RESPONDING TO THIS RFI

Page 8 of 79
CONFIDENTIALITY: No proprietary, classified, confidential, or sensitive
information should be included in your response. The Government reserves the
right to use any non-proprietary technical information in any resultant
solicitation(s).

Response Format/Page Limitations:

The overall total page limit for responses to this RFI is five (5) pages. Responses should
be submitted in Microsoft Word format with Times New Roman font, 12 pt. minimum
that addresses the above information. Interested parties should limit marketing material
to allow sufficient space for adequately, directly, and substantively responding with the
information of most interest to the Government.

In all correspondence relevant to this RFI please identify it as a response to the VA-25-
00012049 POAR SaaS (Response and Subject Line of email)

Any organization responding to this notice should ensure that its response is complete
and sufficiently detailed. Respondents are requested to limit responses to the
information, and in the format provided below.

A - GENERAL INFORMATION

A1. Organization Name and the year in which the company was established / founded
(please list any previous names used).

a. Unique Entity ID:

b. Address:

c. Point of Contact:

d. Phone Number:

e. Fax Number:

f. Email Address:

Page 9 of 79
 g. Any applicable schedules (General Services Administration (GSA), Mission
Oriented Business Integrated Services (MOBIS), Veterans Technology
Services (VETS) Government wide Acquisition Contract (GWAC), etc.):

h. Business size status based upon the applicable NAICS code of 541519 Other
Computer Related Services. (For more information refer to
http://www.sba.gov/):

i. If SDVOSB/VOSB, is your business verified in the VetCert database

(https://veterans.certify.sba.gov)

A2. Company ownership (public, private, joint venture).

B – APPROACH, CAPABILITY, AND EXPERIENCE INFORMATION

B1. Describe how your company, partner or sub-contractor’s solution qualifies as a

VA Software as a Service (SaaS) and describe its hosting environment.
a. How does/will your company, partner or sub-contractor’s solution meet
requirements for VA FedRamp approval at the software and hosting level?

****************************************************************************

Submission: Responses to this RFI shall be submitted to the following points of contact
via email to Erica.Wortman@va.gov and Michael.Marone@va.gov no later than at
1:00PM ET on Wednesday, October 16, 2024.

Questions: Questions related to this RFI and/or the draft PD shall be submitted on, or
before 1:00PM ET on Thursday, October 11, 2024. Submit questions, in writing,
regarding this RFI to Erica.Wortman@va.gov and Michael.Marone@va.gov.

See attached documents:

“Draft – PWS Performance Oversight and Access Reporting (POAR) Software as

a Service (SaaS)”

Page 10 of 79
 PERFORMANCE WORK STATEMENT (PWS)

DEPARTMENT OF VETERANS AFFAIRS

Office of Information & Technology Product Engineering (PE)

Veteran Health Administration (VHA),

Integrated Veteran Access Integrated Veteran Care (IVC)

Performance Oversight and Access Reporting (POAR)

Software as a Service (SaaS)

Date: October 8, 2024

VA-25-00012049

PWS Version Number: 2.0

Page 11 of 79
Page 12 of 79
 Contents

Request for Information (RFI).....................................................................................................3

1.0 BACKGROUND....................................................................................................................15
2.0 APPLICABLE DOCUMENTS...............................................................................................15
3.0 SCOPE OF WORK................................................................................................................18
4.0 PERFORMANCE DETAILS..................................................................................................19
4.1 PERFORMANCE PERIOD....................................................................................................19
4.2 PLACE OF PERFORMANCE................................................................................................19
4.3 TRAVEL................................................................................................................................19
5.0 SPECIFIC TASKS AND DELIVERABLES...........................................................................19
5.1 REPORT DEVELOPMENT AND SYSTEM CONFIGURATION SERVICES........................19
5.1.1 DASHBOARD AND REPORT DEVELOPMENT...............................................................20
5.1.2 DATA AND SYSTEM CONFIGURATION..........................................................................23
5.1.3 SOFTWARE AS A SERVICE.............................................................................................25
5.2 PROJECT MANAGEMENT..................................................................................................27
5.2.1 CONTRACTOR PROJECT MANAGEMENT PLAN..........................................................27
5.2.2 REPORTING REQUIREMENTS........................................................................................27
5.2.3 TECHNICAL KICK-OFF MEETING........................................................................28
6.0 GENERAL REQUIREMENTS...............................................................................................28
6.1 ENTERPRISE AND IT FRAMEWORK.................................................................................28
6.1.1 VA TECHNICAL REFERENCE MODEL............................................................................28
6.1.2 FEDERAL IDENTITY, CREDENTIAL, AND ACCESS MANAGEMENT (FICAM)............28
6.1.3 INTERNET PROTOCOL VERSION 6 (IPV6).....................................................................30
6.1.4 TRUSTED INTERNET CONNECTION (TIC).....................................................................31
6.1.5 STANDARD COMPUTER CONFIGURATION..................................................................31
6.1.6 VETERAN FOCUSED INTEGRATION PROCESS (VIP) AND PRODUCT LINE
MANAGEMENT (PLM)................................................................................................................32
6.1.7 PROCESS ASSET LIBRARY (PAL).................................................................................32
6.1.8 AUTHORITATIVE DATA SOURCES.................................................................................32
6.1.9 SOCIAL SECURITY NUMBER (SSN) REDUCTION.........................................................33
6.1.10 SOFTWARE AND LICENSING REQUIREMENTS..........................................................34
6.2 SECURITY AND PRIVACY REQUIREMENTS.....................................................................34
6.2.1 POSITION/TASK RISK DESIGNATION LEVEL(S)...........................................................34

Page 13 of 79
6.2.2 CONTRACTOR PERSONNEL SECURITY REQUIREMENTS.........................................35
6.3 METHOD AND DISTRIBUTION OF DELIVERABLES.........................................................37
6.4 PERFORMANCE METRICS.................................................................................................37
6.5 FACILITY/RESOURCE PROVISIONS..................................................................................39
6.6 GOVERNMENT FURNISHED PROPERTY..........................................................................40
6.7 SAAS FEDRAMP REQUIREMENTS....................................................................................41
ADDENDUM A – ADDITIONAL VA REQUIREMENTS, CONSOLIDATED...............................47
ADDENDUM B – VA INFORMATION AND INFORMATION SYSTEM SECURITY AND
PRIVACY LANGUAGE...............................................................................................................58

Page 14 of 79
1.0 BACKGROUND

The Department of Veterans Affairs (VA) is the largest clinically integrated health system
in the Nation, providing access to medical care for approximately nine million enrolled
Veterans. The Veteran Health Administration (VHA) Integrated Veteran Care (IVC) leads
operational functions to ensure the care provided to Veterans by community providers is
scheduled, accessed, and paid for in a timely manner. To ensure that all patients have
adequate access to timely, high-quality, specialized care, VA continues to deploy
modernization efforts and clinical care innovations to maximize care efficiency without
jeopardizing quality or access.

VA is seeking services to configure a Software as a Service (SaaS) tool on a GovCloud

platform to provide VHA IVC a comprehensive resource for automated analytical reporting
leveraged across multiple levels of the VA organization, to improve the monitoring,
management, and oversight of health care purchased outside of VA Medical Centers
(VAMC) through the Veterans Community Care Programs (VCCP).

2.0 APPLICABLE DOCUMENTS

In the performance of the tasks associated with this Performance Work Statement, the
Contractor shall comply with the following:
1. 44 U.S.C. § 3541-3549, “Federal Information Security Management Act
(FISMA) of 2002”
2. “Federal Information Security Modernization Act of 2014”
3. Federal Information Processing Standards (FIPS) Publication 140-2,
“Security Requirements for Cryptographic Modules”
4. FIPS Pub 199. “Standards for Security Categorization of Federal Information
and Information Systems,” February 2004
5. FIPS Pub 200, “Minimum Security Requirements for Federal Information and
Information Systems,” March 2006
6. FIPS Pub 201-2, “Personal Identity Verification of Federal Employees and
Contractors,” August 2013
7. 10 U.S.C. § 2224, "Defense Information Assurance Program"
8. 5 U.S.C. § 552a, as amended, “The Privacy Act of 1974”
9. Public Law 109-461, Veterans Benefits, Health Care, and Information
Technology Act of 2006, Title IX, Information Security Matters
10. 42 U.S.C. § 2000d “Title VI of the Civil Rights Act of 1964”
11. VA Directive 0710, “Personnel Security and Suitability Program,” June 4,
2010, https://www.va.gov/vapubs/index.cfm
12. VA Handbook 0710, “Personnel Security and Suitability Program,” May 2,
2016, https://www.va.gov/vapubs/index.cfm
13. VA Directive and Handbook 6102, “Internet/Intranet Services,” August 5,
2019

Page 15 of 79
14. 36 C.F.R. Part 1194 “Information and Communication Technology Standards
and Guidelines,” January 18, 2017
15. Office of Management and Budget (OMB) Circular A-130, “Managing Federal
Information as a Strategic Resource,” July 28, 2016
16. 32 C.F.R. Part 199, “Civilian Health and Medical Program of the Uniformed
Services (CHAMPUS)”
17. NIST SP 800-66 Rev. 1, “An Introductory Resource Guide for Implementing
the Health Insurance Portability and Accountability Act (HIPAA) Security
Rule,” October 2008
18. Sections 504 and 508 of the Rehabilitation Act (29 U.S.C. § 794d), as
amended, January 18, 2017
19. Homeland Security Presidential Directive (12) (HSPD-12), August 27, 2004
20. VA Directive 6500, “VA Cybersecurity Program,” February 24, 2021
21. VA Handbook 6500, “Risk Management Framework for VA Information
Systems VA Information Security Program,” February 24, 2021
22. VA Handbook 6500.2, “Management of Breaches Involving Sensitive
Personal Information (SPI),” March 12, 2019
23. VA Handbook 6500.5, “Incorporating Security and Privacy into the System
Development Lifecycle,” March 22, 2010
24. VA Handbook 6500.6, “Contract Security,” March 12, 2010
25. VA Handbook 6500.8, “Information System Contingency Planning,” April 6,
2011
26. VA Handbook 6500.10, “Mobile Device Security Policy,” February 15, 2018
27. VA Handbook 6500.11, “VA Firewall Configuration,” August 22, 2017
28. OIT Process Asset Library (PAL), https://www.va.gov/process/ . Reference
Process Maps at https://www.va.gov/process/maps.asp and Artifact
templates at https://www.va.gov/process/artifacts.asp
29. One-VA Technical Reference Model (TRM) (reference at
https://www.va.gov/trm/TRMHomePage.aspx)
30. VA Directive 6508, “Implementation of Privacy Threshold Analysis and
Privacy Impact Assessment,” October 15, 2014
31. VA Handbook 6508.1, “Procedures for Privacy Threshold Analysis and
Privacy Impact Assessment,” July 30, 2015
32. VA Handbook 6510, “VA Identity and Access Management,” January 15,
2016
33. VA Directive and Handbook 6513, “Secure External Connections,” October
12, 2017
34. VA Directive 6300, “Records and Information Management,” September 21,
2018
35. VA Handbook, 6300.1, “Records Management Procedures,“ March 24, 2010
36. NIST SP 800-37 Rev 2, “Risk Management Framework for Information
Systems and Organizations: A System Life Cycle Approach for Security and
Privacy,” December 2018

Page 16 of 79
37. NIST SP 800-53 Rev. 5, “Security and Privacy Controls for Federal
Information Systems and Organizations,” September 23, 2020 (includes
updates as of 12/10/2020)
38. VA Directive 0735, “Homeland Security Presidential Directive 12 (HSPD-12)
Program,” October 26, 2015
39. VA Handbook 0735, “Homeland Security Presidential Directive 12 (HSPD-
12) Program,” March 24, 2014
40. OMB Memorandum 05-24, “Implementation of Homeland Security
Presidential Directive (HSPD) 12 – Policy for a Common Identification
Standard for Federal Employees and Contractors,” August 5, 2005
41. OMB Memorandum M-19-17, “Enabling Mission Delivery Through Improved
Identity, Credential, and Access Management,” May 21, 2019
42. OMB Memorandum, “Guidance for Homeland Security Presidential Directive
(HSPD) 12 Implementation,” May 23, 2008
43. Federal Identity, Credential, and Access Management (FICAM) Roadmap
and Implementation Guidance, December 2, 2011, (NOTE: Part A of the
FICAM Roadmap and Implementation Guidance, v2.0, was replaced in 2015
with an updated Architecture (https://arch.idmanagement.gov/#what-is-the-
ficam-architecture)
44. NIST SP 800-116 Rev 1, “Guidelines for the Use of Personal Identity
Verification (PIV) Credentials in Facility Access,“ June 2018
45. NIST SP 800-63-3, 800-63A, 800-63B, 800-63C, “Digital Identity Guidelines,”
updated March 02, 2020
46. NIST SP 800-157, “Guidelines for Derived PIV Credentials,” December 2014
47. NIST SP 800-164, “Guidelines on Hardware-Rooted Security in Mobile
Devices (Draft),” October 2012
48. Draft National Institute of Standards and Technology Interagency Report
(NISTIR) 7981, “Mobile, PIV, and Authentication,” March 2014
49. VA Memorandum, VAIQ #7100147, “Continued Implementation of Homeland
Security Presidential Directive 12 (HSPD-12),” April 29, 2011 (reference
https://www.voa.va.gov/documentlistpublic.aspx?NodeID=514)
50. IAM Identity Management Business Requirements Guidance document, May
2013, (reference Enterprise Architecture Section, PIV/IAM (reference
https://www.voa.va.gov/documentlistpublic.aspx?NodeID=514)
51. VA Memorandum “Personal Identity Verification (PIV) Logical Access Policy
Clarification,” July 17, 2019, https://www.voa.va.gov/DocumentView.aspx?
DocumentID=4896
52. Trusted Internet Connections (TIC) 3.0 Core Guidance Documents,
https://www.cisa.gov/publication/tic-30-core-guidance-documents
53. OMB Memorandum M-19-26, “Update to the Trusted Internet Connections
(TIC) Initiative,” September 12, 2019
54. OMB Memorandum M-08-23, “Securing the Federal Government’s Domain
Name System Infrastructure,” August 22, 2008

Page 17 of 79
 55. Sections 524 and 525 of the Energy Independence and Security Act of 2007,
(Public Law 110–140), December 19, 2007
56. Section 104 of the Energy Policy Act of 2005, (Public Law 109–58), August
8, 2005
57. Executive Order 13834, “Efficient Federal Operations,” dated May 17, 2018
58. Executive Order 13221, “Energy-Efficient Standby Power Devices,” August
2, 2001
59. VA Directive 0058, “VA Green Purchasing Program,” July 19, 2013
60. VA Handbook 0058, “VA Green Purchasing Program,” July 19, 2013
61. Office of Information Security (OIS) VAIQ #7424808 Memorandum, “Remote
Access,” January 15, 2014,
https://www.voa.va.gov/DocumentListPublic.aspx?NodeId=28
62. Clinger-Cohen Act of 1996, 40 U.S.C. §11101 and §11103
63. “Veteran Focused Integration Process (VIP) Guide 4.0,” January 2021,
https://www.voa.va.gov/DocumentView.aspx?DocumentID=4371
64. VA Memorandum “Proper Use of Email and Other Messaging Services,”
January 2, 2018, https://www.voa.va.gov/DocumentListPublic.aspx?
NodeId=28
65. “DevSecOps Product Line Management Playbook” version 2.0, May 2021,
https://www.voa.va.gov/DocumentView.aspx?DocumentID=4946
66. NIST SP 500-267B Revision 1, “USGv6 Profile,” November 2020
67. OMB Memorandum M-21-07, “Completing the Transition to Internet Protocol
Version 6 (IPv6),” November 19, 2020
68. Social Security Number (SSN) Fraud Prevention Act of 2017
69. Section 240 of the Consolidated Appropriations Act (CAA) 2018, March 23,
2018

3.0 SCOPE OF WORK

The Contractor shall provide configuration, maintenance and sustainment of a

Performance Oversight and Access Reporting System (POAR) SaaS Solution that
provides data visualization and reporting mechanisms that integrates financial
management, medical management and data analytics to predict, forecast, and
analyze the availability of healthcare services leveraged by veterans through
VCCP as well as allows VHA IVC the ability to monitor, oversee, and analyze
financial and performance aspects of the Community Care Network (CCN)
contracts. The Contractor shall provide dashboard and report development and
data architecture professional services to ensure dashboards and respective
reports aligned within are designed and created to meet exact calculation and
display criteria outlined by VHA IVC Subject Matter Experts. Work accomplished
and the underlying SaaS system offered shall be focused to provide accurate and

Page 18 of 79
efficient solutions in support of VHA requirements to improve reporting, analysis,
and oversight of care rendered through VCCP.

4.0 PERFORMANCE DETAILS

4.1 PERFORMANCE PERIOD

This effort shall have a 12-month base period of performance, with two 12-month
option periods for continued access to the POAR SaaS tool subscriptions. In
addition, this procurement includes up to two optional tasks for additional POAR
SaaS licenses, which may be required throughout the period of performance.

4.2 PLACE OF PERFORMANCE

Efforts under this contract shall be performed at contractor facilities. The

contractor shall identify the contractor’s place of performance.

4.3 TRAVEL

Efforts under this contract shall be performed at contractor facilities. The

contractor shall identify the contractor’s place of performance. Travel is not
authorized under this contract.

5.0 SPECIFIC TASKS AND DELIVERABLES

5.1 REPORT DEVELOPMENT AND SYSTEM CONFIGURATION SERVICES

The Contractor shall provide professional services to include dashboard and report
development as well as data architecture support to build and maintain two
dashboards containing categorized reports aligning to the following dashboard
titles: Network Management (NM) and Administrative Fees Oversight (Admin Fee).
Network Management dashboard reports consist of key elements to monitor
Network Adequacy, Veteran Access, and Provider Utilization. Administrative Fee

Page 19 of 79
Oversight dashboard reports focus on Contract Performance Monitoring,
monitoring Per Member Per Month (PMPM) fees and utilization as well as contract
Incentive/Disincentive Factors (IDF) for the Community Care Network (CCN)
Contracts.

Reports developed shall include multiple data sources, as defined by VA during

report development, and shall include retroactive reporting ensuring at least six (6)
rolling years of reporting is housed within the dashboards. NM and Admin Fee
dashboards shall be created and published within the SaaS system no later than
thirty (30) days from data availability in accordance with the Data Transition Plan
(see section 5.1.2).

5.1.1 DASHBOARD AND REPORT DEVELOPMENT

The Contractor shall develop and maintain reports within the Network
Management dashboard throughout the period of performance to predict, forecast,
and analyze the availability of healthcare services to assess Network Adequacy.
Reports within the NM dashboard shall allow the Government to review relevant
referral and claims data that identifies the location of most required healthcare
services in conjunction with the available providers of the same healthcare
services within the CCN Third Party Administrator (TPA) network and Veteran
Care Agreements (VCAs), while also populating other available providers in the
geographic market by utilizing the CMS NPI database of all providers across the
county.

Veteran demographics must be overlaid on the community care provider network

and other non-CCN available providers to determine if services are available within
veteran communities. Available services shall be determined based on drive times
from Veteran addresses and shall be reportable based on type of care and
specialty of the providers utilizing MS Azure mapping Application Programming
Interface (API) to provide the necessary data elements needed by the
Government.

Reports developed as a part of the creation of the dashboard shall meet, but not
be limited to, the following minimum requirements:

Page 20 of 79
 a. Allow VHA IVC to monitor and analyze the access to care within the
CCN (Community Care Network) in relation to the calculated timeframes
between various date stamped data elements. Wait time calculations shall
be processed utilizing CC referral and claims data with the resulting
outputs extracted into custom Network Management reports that allow
end users to analyze CCN coverage at various granularities, including VA
Medical Center (VAMC), Veterans Integrated Service Network (VISN),
and VA Enterprise level.

b. Allow VHA IVC to monitor and analyze the physical coverage of the
CCN (Community Care Network) in proximity to Veteran locations and
across medical specialties. Drive time calculations shall be processed
utilizing CC provider and Veteran location with the resulting outputs
extracted into custom Network Management reports that allow end users
to analyze and visualize CCN coverage at various granularities including
at a Medical Center, VISN & Enterprise level.

c. This capability shall also include National Council for Prescription

Drugs Programs (NCPDP) transactions to calculate pharmacy drive times
and identifying the closest Immediate Need Pharmacy. Drive time
calculations shall be processed utilizing CC provider and Veteran location
with the resulting outputs extracted into custom Network Management
reports that allow end users to analyze CCN coverage at various
granularities, including Medical Center, VISN & Enterprise level.

d. Allow VHA IVC to monitor and analyze the utilization of providers

across VCCP through the analysis of network status and referral volumes.
Utilization shall be displayed including percentage comparisons and
visuals that allow end users to analyze CCN coverage at various
granularities, including Medical Center, VISN & Enterprise level.

e. Allow VHA IVC to monitor and analyze a visual representation of

approved network waivers (Deviations) across multiple provider
specialties and categories of care spatially compared to approved
counties and zip codes.

The contractor shall develop and maintain reports within the Administrative Fees
Oversight (Admin Fee) dashboard throughout the period of performance that
manage, track, and monitor all CCN admin fees for the purposes of supporting
budget formulation and decision-making processes. The Admin Fee Reports
provide actual expenditures, referrals, claims, per member per month (PMPM), per
member per case (PMPC) episodes, and Incentive/Disincentive Factors (IDFs).
These reports allow the Government to review relevant CCN data to formulate the

Page 21 of 79
yearly Incentive/Disincentive, PMPM/PMPC monthly unique veteran count, and the
monthly and annual expenditure counts by CLIN, which provides VA staff detailed
information used to start IDF calculations. Unique Veteran and total expenditure
data shall be parsed according to CCN region and aggregated monthly. This report
incorporates data from Invoice Payment Processing System (IPPS) data and
Financial Management System (FMS) to validate what is processed.
Incentive/Disincentive Factors (IDF) offers information pertaining to the six (6)
CCN Incentive, Disincentive Factors (IDFs) across CCN Regions. More
specifically, users can customize reports to view outputs by respective IDF, IDF
aggregation (i.e., IDF Fee Only or IDF Fee + PMPM Actuals) and FY to
understand the feasible range of IDF outcomes to be expected. Reports shall be
developed at the direction of VA staff and shall meet, but not be limited to, the
following minimum requirements:

a. Allow VHA IVC to analyze and monitor Quality Assurance

Surveillance Plan (QASP) Performance Objective (PO) calculations of
the CCN contracts. These reports incorporate Network Dashboard
calculations for wait time and drive time as well as analysis of claims
processing, scheduling times, as well as other quality metrics.

b. Allow VHA IVC to monitor and analyze up to a full year of CCN Per
Member Per Month (PMPM)/Per Member Per Case (PMPC) budgetary
requirements across the unique Veteran and total expenditure measure
selection. Data incorporated into this include Invoice Payment Processing
System (IPPS) data when it is available and admin fee projections
(leveraging historical claims and referral data) when actual information is
not available. The resulting outputs extracted into custom Admin Fee
reports shall allow end users to drill-down and analyze raw data by
respective PMPM/PMPC category, CCN region, and fiscal year.

c. Allow VHA IVC to monitor and analyze detailed information on the

Incentives (or disincentives) that are paid (or billed) to the CCN Third
Party Administrators (TPAs) for their performance in supporting CCN and
its various PWS initiatives. This report shall project the feasible range of
outcomes for any given IDF, region, and future fiscal year, it also
incorporates actual Quality Assurance Surveillance Plan (QASP)
Performance Objective (PO), TPA 837/835 Electronic Data Interchange
(EDI), Provider Profile Management System (PPMS), and TPA improper
payment audit deliverable data to calculate the specific outcomes and
cost impacts for IDFs 1 – 5 by region and fiscal year.

Page 22 of 79
The contractor shall schedule meetings at a mutually agreed upon cadence to
review exact report and dashboard specifications and review report outputs for
accuracy. Report and dashboard availability within the broader system shall only
be published at the approval of VA Program Manager/Business Owner.

Dashboards and correlated reports developed by the contractor shall be available

in an ongoing capacity and shall be designed to ensure data parsed and
automated by the contractor is updated within the reports at least monthly.
Dashboards and reports will be inspected by VA independently from contractor
data quality checks. Inspection results from VA will be leveraged to accept or
reject corresponding deliverables.

Deliverables:

A. Network Management Dashboard with all corresponding reports

B. Administrative Fee Dashboard with all corresponding reports

5.1.2 DATA AND SYSTEM CONFIGURATION

The Contractor shall provide data architecture support to configure and parse data
to ensure accurate development of reports. Data configuration shall ensure
automated processing of all VHA IVC Claims (837I, 837P, 837D, 835) through an
EDI parser and applying business logic to filter using VHA inclusion criteria for
claims to be compared to other VA data sources. VHA IVC currently leverages a
legacy system, Advanced Medical Cost Management Solution (AMCMS) to parse
raw data and display custom reports. Current data parsing methodology should be
identically matched to ensure accurate and efficient data alignment with required
reports.

The Contractor shall have a data transition plan in place within 5 business days
from kick off meeting. Data transition is needed to convert current data parsing
processes to align to receiving all VHA IVC claims post-parsing within 30 days of
post-parsing data availability within POAR. The transition plan shall include details
of the transition that accommodates a seamless transition to the Performance
Oversight and Access Reporting module. Upon notice from the Government that
the VHA IVC claims change shall take place from raw data to parsed data, the

Page 23 of 79
contractor shall enact the transition plan. The estimated number of claims and
referrals to be processed in each option year is reflected below.

Base Year OY1 OY2

Claims 4,100,000/month 4,346,000 4,606,760

Referrals 820,000/month 869,200 921,352

Total # of Transactions 4,920,000/Month 5,215,200 5,528,112

The Contractor shall utilize MS Azure Mapping to calculate drive time calculations
in support of the Network Management Dashboards. Mapping shall be capable of
matching addresses on a one-to-one and one-to-many structures to ensure
flexibility in calculations. Mapping and Drive Time calculations shall be leveraged
to assess not only exact drive times but forecast potential drive statistics.
Estimated point-to-point calculations are in alignment with the estimated claims
and referrals volumes outlined above. Claims and referral data processing shall
occur at a minimum monthly interval and shall be refreshed at the time of report
creation or realignment. MS Azure Mapping calculations shall occur monthly as
part of the data processing. When report refresh and realignment occurs, the
contractor shall utilize a cache to ensure that previous claims and referral data is
being utilized and not being routed through Azure mapping a second time, to avoid
additional costs.

The contractor shall conduct monthly Data Quality Checks corresponding to

monthly data processing to ensure that all reports have been updated with current
data and filters are working. Outcomes of monthly data quality checks shall be
reported in the Monthly Progress Reports (see section 5.2.2). Data quality checks
shall validate the following:

 Ensuring all Sources have been updated with current data.

 Confirm matching of referral and claims is logical and all EDI claims files
have been received and accurately parsed.
 Assessment of data from previous months and comparison of monthly data
to ensure completeness.

Deliverables:

A. Data Transition Plan

Page 24 of 79
 5.1.3 SOFTWARE AS A SERVICE

The contractor shall provide,

update and maintain a reporting environment that delivers the VA with a
Performance Oversight and Access Reporting (POAR) SaaS tool as the base
operating system to support dashboard and reporting that enables IVC to visualize
and analyze pre-defined and required dashboards for Network Management and
Administrative Fee. The required SaaS tool shall include software subscriptions,
maintenance, and support.

The POAR (SaaS) tool shall:

a. Be FEDRAMP MODERATE authorization and validation through

FEDRAMP Marketplace with the ability to move to the High Impact Level should
the need arise. This shall apply to both the SaaS and any cloud hosting
service/infrastructure. Shall be FIPS 140- 2, NIST 800, HIPAA, and 508
Compliant.
b. Run on a cloud infrastructure and shall be accessible from various client
devices through either a thin client interface, such as a web browser (e.g., web-
based email) or a program interface.
c. Not require download of software to VA computers.
d. Not require VA to manage or control the underlying cloud infrastructure
including network, servers, operating systems, storage, or individual application
capabilities.
e. Be accessible to multiple simultaneous VA users at any given time. The
number of user accounts that could be accessed simultaneously by users of this
software is estimated at 500 users.
f. Be able to support the estimated up to 50 million claims per year with
storage capacity that includes the current fiscal year as well as six (6) prior fiscal
years.
g. Include data objects that shall be editable with the support of Data
Authoring and Versioning (DAV) control.
h. The Contractor shall ensure the POAR SaaS tool is available and
operational for users 24/7.

The POAR SaaS tool shall meet all the following salient characteristics:

REQUIREMENTS DESCRIPTION

1 System shall have or achieve an Enterprise-wide (VA-wide)

Authority to Operate

Page 25 of 79
 2 System shall support VA trusted internet connection (TIC)

3 System shall be accessible both within VA facilities and remotely

4 System shall be a configurable Commercial-off-the-shelf (COTS)

SaaS product

5 System shall enable direct Single-Sign-On (SSO) through

integration with VA’s SSOe

6 System shall have adaptable integration options to support

integrations with future VA systems

7 System shall allow for integration with current and future COTS
software and analytical tools utilized by VA, including but not
limited to Tableau, MS Power BI, Service Now

9 VA Users shall be able to appropriately export information from

the system, consistent with VA security and privacy requirements
(User Role access or other solutions to restrict access to protect
PII)

10 System shall facilitate role-based user access and authorization

11 System shall be able to provide continuous release capability

12 System shall be able to offer Application Program Interfaces

(APIs) that can be consumed by VA systems, e.g., VA.GOV

13 System shall maintain capacity to have data refreshed and

validated monthly

14 Provide unlimited end user access to POAR SaaS solution via a

secure website.

5.1.4 OPTIONAL TASK 1 (ONE) – ADDITIONAL POAR SAAS TOOL LICENSES

This optional task may be exercised at any time during the base and all option periods. If
exercised, the Contractor shall provide, in increments of 500 and up to 1,000,
additional Performance Oversight and Access Reporting SaaS tool licenses in accordance with
the PWS.

Page 26 of 79
5.2 PROJECT MANAGEMENT

5.2.1 CONTRACTOR PROJECT MANAGEMENT PLAN

The Contractor shall deliver a Contractor Project Management Plan (CPMP) that
lays out the Contractor’s approach, timeline, and tools to be used in execution of
the contract. The CPMP should take the form of both a narrative and graphic
format that displays the schedule, milestones, risks, and resource support. The
CPMP shall also include how the Contractor shall coordinate and execute planned,
routine, and ad hoc data collection reporting requests as identified within the PWS.
The initial baseline CPMP shall be concurred upon and updated in accordance
with Section B of the contract. The Contractor shall update and maintain the VA
PM approved CPMP throughout the PoP.

Deliverable:

A. Contractor Project Management Plan

5.2.2 REPORTING REQUIREMENTS

The Contractor shall provide progress reports for the POAR SaaS reporting suites
and allow the VA to export these reports. The data shall be updated monthly, to
include detailed instructions, and explanations for each required data element and
to ensure that data is accurate and consistent.

Progress reports shall cover all work completed during the reporting period and
work planned for the subsequent reporting period. The reports shall also identify
any problems that arose and a description of how the problems were resolved. If
problems have not been completely resolved, the Contractor shall provide an
explanation including their plan and timeframe for resolving the issue. Reports
shall also include an itemized list of all Information and Communication
Technology (ICT) and their current Section 508 conformance status. The
Contractor shall monitor performance against the CPMP and report any deviations.
The Contractor shall keep in communication with VA to ensure that issues that
arise are transparent to both parties to prevent escalation of outstanding issues.

Page 27 of 79
Deliverables:

A. Monthly Progress Reports

5.2.3 TECHNICAL KICK-OFF MEETING

The Contractor shall conduct a kick-off meeting with the VA PM, COR, CO, and Contract
Specialist. The meeting shall be held within 5 business days after contract award. The kick-off
meeting shall be virtual via MS Teams. The Contractor shall propose an agenda for VA COR
approval three days prior to the meeting. The Contractor shall provide meeting minutes capturing
discussion, agreements, and action items resulting from the kick-off meeting. The kick-off meeting
shall address post award topics and shall present the Contractor’s draft plans and approach for
meeting PWS requirements.

Deliverables:

A. Kick Off Meeting Agenda

B. Kick Off Meeting Minutes

6.0 GENERAL REQUIREMENTS

6.1 ENTERPRISE AND IT FRAMEWORK

6.1.1 VA TECHNICAL REFERENCE MODEL

The Contractor shall support the VA enterprise management framework. In association

with the framework, the Contractor shall comply with OIT Technical Reference Model (VA
TRM). The VA TRM is one component within the overall Enterprise Architecture (EA) that
establishes a common vocabulary and structure for describing the information technology
used to develop, operate, and maintain enterprise applications. Moreover, the VA TRM,
which includes the Standards Profile and Product List, serves as a technology roadmap
and tool for supporting OIT. Architecture & Engineering Services (AES) has overall
responsibility for the VA TRM.

6.1.2 FEDERAL IDENTITY, CREDENTIAL, AND ACCESS MANAGEMENT (FICAM)

Page 28 of 79
The Contractor shall ensure Commercial Off-The-Shelf (COTS) product(s), software
configuration and customization, and/or new software are Personal Identity Verification
(PIV) card-enabled by accepting HSPD-12 PIV credentials using VA Enterprise Technical
Architecture (ETA),
https://www.ea.oit.va.gov/EAOIT/VA_EA/Enterprise_Technical_Architecture.asp, and VA
Identity and Access Management (IAM) approved enterprise design and integration
patterns, https://www.oit.va.gov/library/recurring/edp/index.cfm. The Contractor shall
ensure all Contractor delivered applications and systems comply with the VA Identity,
Credential, and Access Management policies and guidelines set forth in VA Handbook
6510 VA Identity and Access Management, VA Handbook 0735 Homeland Security
Presidential Directive 12 (HSPD-12) Program, and align with the Federal Identity,
Credential, and Access Management Roadmap and Implementation Guidance v2.0.

The Contractor shall ensure all Contractor delivered applications and systems provide
user authentication services compliant with the National Institute of Standards and
Technology (NIST) Special Publication (SP) 800-63-3, VA Handbook 6500 Appendix F,
“VA System Security Controls”, and VA IAM enterprise requirements for direct, assertion-
based authentication, and/or trust based authentication, as determined by the design and

integration patterns. Direct authentication at a minimum must include Public Key

Infrastructure (PKI) based authentication supportive of PIV card and/or Common Access
Card (CAC), as determined by the business need.

The Contractor shall ensure all Contractor delivered applications and systems conform to
the specific Identity and Access Management PIV requirements set forth in the Office of
Management and Budget (OMB) Memoranda M-05-24, M-19-17, and NIST Federal
Information Processing Standard (FIPS) 201-2. OMB Memoranda M-05-24 and M-19-17
can be found at:
https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2005/m05-24.pdf,
and https://www.whitehouse.gov/wp-content/uploads/2019/05/M-19-17.pdf respectively.
Contractor delivered applications and systems shall be on the FIPS 201-2 Approved
Product List (APL). If the Contractor delivered application and system is not on the APL,
the Contractor shall be responsible for taking the application and system through the FIPS
201 Evaluation Program.

The Contractor shall ensure all Contractor delivered applications and systems support:

1. Automated provisioning and are able to use enterprise provisioning service.

2. Interfacing with VA’s Master Person Index (MPI) to provision identity

attributes, if the solution

relies on VA user identities. MPI is the authoritative source for VA user identity
data.

Page 29 of 79
 3. The VA defined unique identity (Secure Identifier [SEC ID] / Integrated
Control Number [ICN]).

4. Multiple authenticators for a given identity and authenticators at every

Authenticator Assurance

Level (AAL) appropriate for the solution.

5. Identity proofing for each Identity Assurance Level (IAL) appropriate for the
solution.

6. Federation for each Federation Assurance Level (FAL) appropriate for the
solution, if applicable.

7. Two-factor authentication (2FA) through an applicable design pattern as

outlined in VA Enterprise

Design Patterns.

8. A Security Assertion Markup Language (SAML) implementation if the

solution relies on assertion

based authentication. Additional assertion implementations, besides the required

SAML assertion, may be provided as long as they are compliant with NIST SP
800-63-3 guidelines.

9. Authentication/account binding based on trusted Hypertext Transfer

Protocol (HTTP) headers if the solution relies on Trust based authentication.

10. Role Based Access Control.

11. Auditing and reporting capabilities.

12. Compliance with VIEWS 00155984, PIV Logical Access Policy Clarification

https://www.voa.va.gov/DocumentView.aspx?DocumentID=4896.

The required Assurance Levels for this specific effort are Identity Assurance Level
3, Authenticator Assurance Level 3, and Federation Assurance Level 3.

6.1.3 INTERNET PROTOCOL VERSION 6 (IPV6)

The Contractor solution shall support Internet Protocol Version 6 (IPv6) based upon the
memo issued by the Office of Management and Budget (OMB) on November 19, 2020
(https://www.whitehouse.gov/wp-content/uploads/2020/11/M-21-07.pdf). IPv6 technology,
in accordance with the USGv6 Program (https://www.nist.gov/programs-projects/usgv6-
program/usgv6-revision-1), NIST Special Publication (SP) 500-267B Revision 1 “USGv6
Profile” (https://doi.org/10.6028/NIST.SP.500-267Br1), and NIST SP 800-119 “Guidelines
for the Secure Deployment of IPv6” (https://doi.org/10.6028/NIST.SP.800-119),

Page 30 of 79
compliance shall be included in all IT infrastructures, application designs, application
development, operational systems and sub-systems, and their integration. In addition to
the above requirements, all devices shall support native IPv6 and dual stack (IPv6 / IPv4)
connectivity without additional memory or other resources being provided by the
Government, so that they can function in a mixed environment. All public/external facing
servers and services (e.g. web, email, DNS, ISP services, etc.) shall support native IPv6
and dual stack (IPv6 / IPv4) users and all internal infrastructure and applications shall
communicate using native IPv6 and dual stack (IPv6 / IPv4) operations.

6.1.4 TRUSTED INTERNET CONNECTION (TIC)

The Contractor solution shall meet the requirements outlined in Office of Management and
Budget Memorandum M-19-26, “Update to the Trusted Internet Connections (TIC)
Initiative“ (https://www.whitehouse.gov/wp-content/uploads/2019/09/M-19-26.pdf), VA
Directive 6513 “Secure External Connections”, and shall comply with the TIC 3.0 Core
Guidance Documents, including all Volumes and TIC Use Cases, found at the
Cybersecurity & Infrastructure Security Agency (CISA)
(https://www.cisa.gov/publication/tic-30-core-guidance-documents). Any deviations must
be approved by the VA TIC 3.0 Working Group at vaoisesatic30team@va.gov.

6.1.5 STANDARD COMPUTER CONFIGURATION

The Contractor IT end user solution that is developed for use on standard VA computers
shall be compatible with and be supported on the standard VA operating system, currently
Windows 10 (64bit), Edge (Chromium based), and 365 Apps for enterprise. Applications
delivered to VA and intended to be deployed to Windows 10 workstations shall be
delivered as a signed .msi package with switches for silent and unattended installation
and updates shall be delivered in signed .msp file formats for easy deployment using
Microsoft Endpoint Configuration Manager (CM) VA’s current desktop application
deployment tool. Signing of the software code shall be through a vendor provided
certificate that is trusted by VA using a code signing authority such as Verizon/Cybertrust
or Symantec/VeriSign. The Contractor shall also ensure and certify that their solution

functions as expected when used from a standard VA computer, with non-admin, standard
user rights that have been configured using the United States Government Configuration
Baseline (USGCB) and Defense Information Systems Agency (DISA) Secure Technical
Implementation Guide (STIG) specific to the particular client operating system being used.

Page 31 of 79
6.1.6 VETERAN FOCUSED INTEGRATION PROCESS (VIP) AND PRODUCT LINE
MANAGEMENT (PLM)

The Contractor shall support VA efforts IAW the updated Veteran Focused Integration
Process (VIP) and Product Line Management (PLM). The major focus of the new VIP is
on Governance and Reporting and is less prescriptive, with a focus on outcomes and
continuous delivery of value. Product Line Management (PLM) is a framework that
focuses on delivering functional products that provide the highest priority work to
customers while delivering simplified, reliable, and practical solutions to the business,
medical staff, and our Veterans. The VIP Guide is a companion guide to the PLM
Playbook and can be found at: https://www.voa.va.gov/DocumentView.aspx?
DocumentID=4371 and the PLM Playbook can be found at
https://www.voa.va.gov/DocumentView.aspx?DocumentID=4946. The PLM Playbook
pivots from project-centric to product-centric delivery and contains descriptive practices
that focuses on outcomes. The PLM Playbook contains a set of “plays” that implement
Development, Security, and Operations (DevSecOps) principles and processes such as
automated development, continuous integration/continuous delivery, and release on
demand. The PLM Playbook details how product lines implement Lean-Agile principles,
methods, practices, and techniques through levels of maturity. VIP and PLM are the
authoritative processes that IT projects must follow to ensure development and delivery of
IT products.

6.1.7 PROCESS ASSET LIBRARY (PAL)

The Contractor shall perform their duties consistent with the processes defined in the OIT
Process Asset Library (PAL). The PAL scope includes the full spectrum of OIT functions
and activities, such as VIP project management, operations, service delivery,
communications, acquisition, and resource management. PAL serves as an authoritative
and informative repository of searchable processes, activities or tasks, roles, artifacts,
tools and applicable standards and guides to assist the OIT workforce, Government and
Contractor personnel. The Contractor shall follow the PAL processes to ensure
compliance with policies and regulations and to meet VA quality standards. The PAL
includes the contractor onboarding process consistent with Section 6.2.2 and can be
found at https://www.va.gov/PROCESS/artifacts/maps/process_CONB_ext.pdf. The main
PAL can be accessed at www.va.gov/process.

6.1.8 AUTHORITATIVE DATA SOURCES

The VA Enterprise Architecture Repository (VEAR) is one component within the overall
EA that establishes the common framework for data taxonomy for describing the data
architecture used to develop, operate, and maintain enterprise applications. The

Page 32 of 79
Contractor shall comply with the department’s Authoritative Data Source (ADS)
requirement that VA systems, services, and processes throughout the enterprise shall
access VA data solely through official VA ADSs where applicable, see below. The
Information Classes which compose each ADS are located in the VEAR, in the Data &
Information domain. The Contractor shall ensure that all delivered applications and
system solutions support:

1. Interfacing with VA’s Master Person Index (MPI) (formerly the Master
Veteran Index (MVI)) to
provision identity attributes, if the solution relies on VA user identities. MPI is the
authoritative source for VA user identity data.
2. Interfacing with Capital Asset Inventory (CAI) to conduct real property
record management actions, if the solution relies on real property records data.
CAI is the authoritative source for VA real property record management data.
3. Interfacing with electronic Contract Management System (eCMS) for
access to contract, contract line item, purchase requisition, offering vendor and
vendor, and solicitation information above the micro-purchase threshold, if the
solution relies on procurement data. ECMS is the authoritative source for VA
procurement actions data.
4. Interfacing with HRSmart Human Resources Information System to
conduct personnel action processing, on-boarding, benefits management, and
compensation management, if the solution relies on personnel data. HRSmart is
the authoritative source for VA personnel information data.
5. Interfacing with Vet360 to access personal contact information, if the
solution relies on VA Veteran personal contact information data. Vet360 is the
authoritative source for VA Veteran Personal Contact Data.
6. Interfacing with VA/Department of Defense (DoD) Identity Repository
(VADIR) for determining eligibility for VA benefits under Title 38, if the solution
relies on qualifying active duty military service data. VADIR is the authoritative
source for Qualifying Active Duty military service in VA.

6.1.9 SOCIAL SECURITY NUMBER (SSN) REDUCTION

The Contractor solution shall support the Social Security Number (SSN) Fraud Prevention
Act (FPA) of 2017 which prohibits the inclusion of SSNs on any document sent by mail.
The Contractor support shall also be performed in accordance with Section 240 of the
Consolidated Appropriations Act (CAA) 2018, enacted March 23, 2018, which mandates
VA to discontinue using SSNs to identify individuals in all VA information systems as the
Primary Identifier. The Contractor shall ensure that any new IT solution discontinues the
use of SSN as the Primary Identifier to replace the SSN with the ICN in all VA information
systems for all individuals. The Contractor shall ensure that all Contractor delivered
applications and systems integrate with the VA Master Person Index (MPI) for identity
traits to include the use of the ICN as the Primary Identifier. The Contractor solution may
only use a Social Security Number to identify an individual in an information system if and

Page 33 of 79
only if the use of such number is required to obtain information VA requires from an
information system that is not under the jurisdiction of VA.

6.1.10 SOFTWARE AND LICENSING REQUIREMENTS

The Contractor shall be responsible for the provision of all software licenses and any
associated licensing maintenance required for any development, delivery, integration,
operation, and/or maintenance associated with its proposed application(s), software
products, software solution, and/or system including, but not limited to, any and all
application(s), software and/or software products that comprise, are a part of, or integrate
with the Contractor’s proposed application(s), software products, software solution, and/or
system for the life of any resulting contract.

6.2 SECURITY AND PRIVACY REQUIREMENTS

It has been determined that protected health information may be disclosed or accessed
and a signed Business Associate Agreement (BAA) shall be required. The Contractor
shall adhere to the requirements set forth within the BAA, referenced in Section D of the
contract, and shall comply with VA Directive 6066.

6.2.1 POSITION/TASK RISK DESIGNATION LEVEL(S)

(The Requiring Activity/Program Manager is required to identify the appropriate

background investigation level (Tier 1/Low Risk, Tier 2/Moderate Risk, Tier 4/High Risk)
by PWS task in accordance with VA Handbook 0710. Using the results of the Position
Designation Automated Tool (PDT) (also known as PDAT) performed for each Task,
complete the table below. This “Task” Position Risk Designation correlates to individual
Contractor personnel background investigation levels depending upon which particular
tasks the contractor individual is working.

The PDT Tool is located at the following US Office of Personnel Management Website:
https://www.opm.gov/investigations/suitability-executive-agent/position-designation-tool/)

In accordance with VA Handbook 0710, Personnel Security and Suitability Program, the
position sensitivity and the level of background investigation commensurate with the
required level of access for the following tasks within the PWS are:

Page 34 of 79
(List PWS Task Section Numbers for this effort (Subsections only as required) in the first
column. Double click on the selection box in the appropriate Position Risk Designation
column to indicate the proper Risk Designation associated with each task based upon the
PDT tool results.)

Position Sensitivity and Background Investigation Requirements by Task

Task Number Tier1 / Low Tier 2 / Tier 4 / High

Risk Moderate Risk Risk

5.1

5.2

The Tasks identified above and the resulting Position Sensitivity and Background
Investigation requirements identify, in effect, the Background Investigation requirements
for Contractor individuals, based upon the tasks the particular Contractor individual will be
working. The submitted Contractor Staff Roster must indicate the required Background
Investigation Level for each Contractor individual based upon the tasks the Contractor
individual will be working, in accordance with their submitted proposal.

6.2.2 CONTRACTOR PERSONNEL SECURITY REQUIREMENTS

Contractor Responsibilities:

a. The Contractor shall prescreen all personnel requiring access to the

computer systems to ensure they maintain the appropriate Background
Investigation, and are able to read, write, speak, and understand the English
language.

b. Within 3 business days after award, the Contractor shall provide a roster of
Contractor and Subcontractor employees to the Contracting Officer’s
Representative (COR) to begin their background investigations in accordance with
the PAL template artifact. The Contractor Staff Roster shall contain the
Contractor’s Full Name, Date of Birth, Place of Birth, individual background
investigation level requirement (based upon Section 6.2 Tasks), etc. The
Contractor shall submit full Social Security Numbers either within the Contractor
Staff Roster or under separate cover to the COR. The Contractor Staff Roster

Page 35 of 79
shall be updated and provided to VA within 1 day of any changes in employee
status, training certification completion status, Background Investigation level
status, additions/removal of employees, etc. throughout the Period of
Performance. The Contractor Staff Roster shall remain a historical document
indicating all past information and the Contractor shall indicate in the Comment
field, employees no longer supporting this contract. The preferred method to send
the Contractor Staff Roster or Social Security Number is by encrypted e-mail. If
unable to send encrypted e-mail, other methods which comply with FIPS 140-2 are
to encrypt the file, use a secure fax, or use a traceable mail service.

c. The Contractor should coordinate with the location of the nearest VA

fingerprinting office through the COR. Only electronic fingerprints are authorized.
The Contractor shall bring their completed Security and Investigations Center
(SIC) Fingerprint request form with them (see paragraph d.4. below) when getting
fingerprints taken.

d. The Contractor shall ensure the following required forms are submitted to
the COR within 5 days after contract award:

1) Optional Form 306

2) Self-Certification of Continuous Service

3) Completed Background Investigation Request Form

4) VA Form 10-0539

e. The Contractor personnel shall submit all required information related to

their background investigations (completion of the investigation documents (SF85,
SF85P, or SF 86) utilizing the Office of Personnel Management’s (OPM) Electronic
Questionnaire for Investigations Processing (e-QIP) after receiving an email
notification from the Security and Investigation Center (SIC).

f. The Contractor employee shall certify and release the e-QIP document,
print, and sign the signature pages, and send them encrypted to the COR for
electronic submission to the SIC. These documents shall be submitted to the COR
within 3 business days of receipt of the e-QIP notification email. (Note: OPM is
moving towards a “click to sign” process. If click to sign is used, the Contractor
employee should notify the COR within 3 business days that documents were
signed via e-QIP).

g. The Contractor shall be responsible for the actions of all personnel

provided to work for VA under this contract. In the event that damages arise from
work performed by Contractor provided personnel, under the auspices of this
contract, the Contractor shall be responsible for all resources necessary to remedy
the incident.

h. A Contractor may be granted unescorted access to VA facilities and/or

access to VA Information Technology resources (network and/or protected data)
with a favorably adjudicated Special Agreement Check (SAC), completed training

Page 36 of 79
 delineated in VA Handbook 6500.6 (Appendix C, Section 9), signed “Contractor
Rules of Behavior”, and with a valid, operational PIV credential for PIV-only logical
access to VA’s network. A PIV card credential can be issued once your SAC has
been favorably adjudicated and your background investigation has been scheduled
by OPM. However, the Contractor will be responsible for the actions of the
Contractor personnel they provide to perform work for VA. The investigative
history for Contractor personnel working under this contract must be maintained in
the database of OPM.

i. The Contractor, when notified of an unfavorably adjudicated background

investigation on a Contractor employee as determined by the Government, shall
withdraw the employee from consideration in working under the contract.

j. Failure to comply with the Contractor personnel security investigative

requirements may result in loss of physical and/or logical access to VA facilities
and systems by Contractor and Subcontractor employees and/or termination of the
contract for default.

k. Identity Credential Holders must follow all HSPD-12 policies and

procedures as well as use and protect their assigned identity credentials in
accordance with VA policies and procedures, displaying their badges at all times,
and returning the identity credentials upon termination of their relationship with VA.

Deliverable:

A. Contractor Staff Roster

6.3 METHOD AND DISTRIBUTION OF DELIVERABLES

The Contractor shall deliver documentation in electronic format, unless otherwise directed
in Section B of the solicitation/contract. Acceptable electronic media include: Microsoft
365, MS Word 2000/2003/2007/2010/2019, MS Excel 2000/2003/2007/2010/2019, MS
PowerPoint 2000/2003/2007/2010/2019, MS Project 2000/2003/2007/2010/2019, MS
Access 2000/2003/2007/2010, MS Visio 2000/2002/2003/2007/2010/2019, AutoCAD
2002/2004/2007/2010, and Adobe Postscript Data Format (PDF).

6.4 PERFORMANCE METRICS

The table below defines the Performance Standards and Acceptable Levels of
Performance associated with this effort.

Performance Performance Standard Acceptable Levels

Page 37 of 79
Objective of Performance

A. Technical / 1. Demonstrates Satisfactory or

Quality of understanding of higher
Product or requirements
Service 2. Efficient and effective in
meeting requirements
3. Meets technical needs
and mission
requirements
4. Provides quality
services/products
5. Incorporates “ease of
use” Human Centered
Design principles in any
software developed.
6. Dashboards will reflect
all requirements as
defined by VA.

B. Project 1. Established milestones Satisfactory or

Milestones and project dates are higher
and Schedule met
2. Products completed,
reviewed, delivered in
accordance with the
established schedule
3. Notifies customer in
advance of potential
problems
4. Data refreshed no later
than the 5th of each
month
5. Reports refreshed within
1 business day of data
refresh
6. Issues identified in data
quality checks are
resolved within 5
calendar days, unless
alternate timeline agreed
upon by VA.

C. Cost & 1. Currency of expertise Satisfactory or

Staffing and staffing levels higher
appropriate to perform
tasks required
2. Personnel possess
necessary knowledge,
skills, and abilities to
perform tasks

D. Management 1. Integration and Satisfactory or

coordination of all

Page 38 of 79
 activities to execute effort higher

The COR will utilize a Quality Assurance Surveillance Plan (QASP) throughout the life of
the contract to ensure that the Contractor is performing the services required by this PWS
in an acceptable level of performance. The Government reserves the right to alter or
change the surveillance methods in the QASP at its own discretion. A Performance
Based Service Assessment will be used by the COR in accordance with the QASP to
assess Contractor performance.

6.5 FACILITY/RESOURCE PROVISIONS

VA may provide remote access to VA specific systems/network in accordance with VA

Handbook 6500, which requires the use of a VA approved method to connect external
equipment/systems to VA’s network. Citrix Access Gateway (CAG) is the current and only
VA approved method for remote access users when using or manipulating VA information
for official VA Business. VA permits CAG remote access through approved Personally
Owned Equipment (POE) and Other Equipment (OE) provided the equipment meets all
applicable 6500 Handbook requirements for POE/OE. All of the security controls required
for Government furnished equipment (GFE) must be utilized in approved POE or OE.
The Contractor shall provide proof to the COR for review and approval that their POE or
OE meets the VA Handbook 6500 requirements and VA Handbook 6500.6 Appendix C,
herein incorporated as Addendum B, before use. CAG authorized users shall not be
permitted to copy, print, or save any VA information accessed via CAG at any time. VA
prohibits remote access to VA’s network from non-North Atlantic Treaty Organization
(NATO) countries. The exception to this are countries where VA has approved
operations established (e.g. Philippines and South Korea). Exceptions are determined by
the COR in coordination with the Information Security Officer (ISO) and Privacy Officer
(PO).

This remote access may provide access to VA specific software such as Veterans Health
Information System and Technology Architecture (VistA), ClearQuest, PAL, Primavera,
and Remedy, including appropriate seat management and user licenses, depending upon
the level of access granted. The Contractor shall utilize government-provided software
development and test accounts, documents, and requirements repositories, etc. as
required for the development, storage, maintenance, and delivery of products within the
scope of this effort. The Contractor shall not transmit, store, or otherwise maintain
sensitive data or products in Contractor systems (or media) within the VA firewall IAW VA
Handbook 6500.6 dated March 12, 2010. All VA sensitive information shall be protected
at all times in accordance with VA Handbook 6500, local security field office System
Security Plans (SSP’s) and Authority to Operate (ATO)’s for all systems/LAN’s accessed

Page 39 of 79
while performing the tasks detailed in this PWS. The Contractor shall ensure all work is
performed in countries deemed not to pose a significant security risk. For detailed
Security and Privacy Requirements (additional requirements of the contract consolidated
into an addendum for easy reference) refer to ADDENDUM A – ADDITIONAL VA
REQUIREMENTS, CONSOLIDATED and ADDENDUM B - VA INFORMATION AND
INFORMATION SYSTEM SECURITY/PRIVACY LANGUAGE.

6.6 GOVERNMENT FURNISHED PROPERTY

The Government has multiple remote access solutions available to include Citrix Access
Gateway (CAG), Site-to-Site Virtual Private Network (VPN), and RESCUE VPN.

The Government’s issuance of Government Furnished Equipment (GFE) is limited to

Contractor personnel requiring direct access to the network to: development
environments; install, configure and run Technical Reference Model (TRM) approved
software and tools (e.g., Oracle, Fortify, Eclipse, SoapUI, WebLogic, LoadRunner);
upload/download/ manipulate code, run scripts, and apply patches; configure and change
system settings; check logs, troubleshoot/debug, and test/QA.

When necessary, the Government will furnish desktops or laptops, for use by the
Contractor to access VA networks, systems, or applications to meet the requirements of
this PWS. The overarching goal is to determine the most cost-effective approach to
providing needed access to the VA environment coupled with the need to ensure proper
Change Management principles are followed. Contractor personnel shall adhere to all VA
system access requirements for on-site and remote users in accordance with VA
standards, local security regulations, policies, and rules of behavior. GFE shall be
approved by the COR and Program Manager on a case-by-case basis prior to issuance.

Based upon the Government assessment of remote access solutions and requirements of
this effort, the Government estimates that the following GFE will be required by this effort:

1. Seven (7) laptops

The Government will not provide IT accessories including but not limited to Mobile Wi-Fi
hotspots/wireless access points, additional or specialized keyboards or mice, laptop bags,
extra charging cables, extra Personal Identity Verification card readers, peripheral
devices, or additional Random Access Memory (RAM). The Contractor is responsible for
providing these types of IT accessories in support of this effort as necessary and any VA
installation required for these IT accessories shall be coordinated with the COR.

Page 40 of 79
Additionally, the Contractor shall provide a status of all reportable GFE as part of the
Monthly Status Report as required by PWS paragraph 5.1. For purposes of this report,
reportable GFE includes equipment that is furnished by the Government as tangible
“personal” property which the Contractor takes possession of, physically leaves a
Government facility, and needs to be returned the end of Contractor performance. The
following information shall be provided for each piece of GFE:

1. Name of Contractor employee assigned to the GFE

2. Type of Equipment (Make and Model)

3. Tracking Number/Serial Number

4. VA Bar Code

5. Location

6. Value

7. Total Value of Equipment

8. Anticipated Transfer Date to Government

9. Anticipated Transfer Location

6.7 SAAS FEDRAMP REQUIREMENTS

If the solution is not FedRAMP authorized:

1. The information system solution selected by the Contractor shall comply with the
Federal Information Security Management Act (FISMA).

2. The Contractor shall comply with FedRAMP requirements moderate as mandated by

Federal laws and policies, including making available any documentation, physical
access, and logical access needed to support this requirement.

3. The Contractor shall provide a SaaS product as defined by the following criteria:
Software as a Service (SaaS) is an application delivery model in which the application is
hosted on a cloud infrastructure outside the security boundary of VA and is provided to the
Cloud Service Customer (CSC) over the internet. The CSC uses the SaaS offering via a
thin-client interface, such as a web-browser or a program interface. The CSC subscribes
to the SaaS offering and is only responsible for minor in-app customizations. The Cloud
Service Provider (CSP) offering the application is responsible for management of the
application, safeguarding of data stored or processed by the application, and all elements
of the underlying infrastructure. Additionally, the CSP is responsible for all on-going
compliance.

Page 41 of 79
In order to qualify as SaaS for use at VA, and to align with Federal Risk and Authorization
Management Program (FedRAMP) requirements, the hosting for the offering must
conform to the NIST 800-145 definition of Cloud Computing and thus contain following key
characteristics:

• On-Demand Self-Service: The CSP fully automates the provisioning of both the
customer interface and the underlying cloud components of the SaaS offering. In some
cases, to the CSP may provision internal resources manually, while providing the CSC an
automated interface to request and track the service.

• Broad Network Access: The SaaS capabilities are available over the internet or over a
network that is available from all access points the CSC requires. The SaaS offering is
accessible through common platforms (e.g., mobile phones, tablets, laptops, and
workstations).

• Resource Pooling: The computing infrastructure supporting the SaaS offering is shared
among more than one CSC using a multi-tenant model, and resources are dynamically
assigned depending on customer demand.

• Rapid Elasticity: Computing capabilities are automatically provisioned and released in a

manner that scales with customer demand. In some cases, the scaling of resources may
not be fully automated, but it should be fast enough to support the needs of the CSC,
which the CSC would have to define.

• Measured Service: Resource usage, such as storage, processing, bandwidth, and user
activity are measured and reported on in a manner that is relevant to the SaaS offering.

The SaaS offering must be hosted within the United States and data
stored/processed/transmitted within the offering must remain within the United States.
CSPs should be aware of FedRAMP and ready to partner with VA through the SaaS
FedRAMP Authorization process.

4. Following guidance from the Federal CIO, VA will utilize existing JAB ATO or agency
ATO issued by another agency as a starting point for FedRAMP requirements. If neither of
those exist, VA will sponsor The Cloud Service Provider for a FedRAMP Authorization. VA
will be using the FedRAMP baselines as a starting point, since they are specifically
tailored for cloud services.

5. The Contractor shall, where applicable, assist with the VA ATO Process to help achieve
agency authorization of the cloud service or migrated application at the impact level
required by VA to utilize the product. For this solution the required impact level is: <<Insert
Impact Level from the Data Security Categorization. This should be done by DTC.>>

6. The Contractor shall complete a FedRAMP System Security Plan (SSP) and supporting
documentation including required attachments within 75 calendar days after contract
award. (If Data Security Categorization is High Impact, this will be due 94 calendar days
after contract award.)

7. The Contractor shall develop a VA specific system boundary diagram including any
integration and connectivity components that will be known as a VA Implementation

Page 42 of 79
Diagram (VAID) demonstrating the proposed implementation of this system at VA. The
Contractor shall provide the VAID within 10 calendar days of contract award.

8. The Contractor shall complete a Third-Party Assessment Organization (3PAO) Security

Assessment Plan (SAP) within 90 calendar days after contract award. (If Data Security
Categorization is High Impact, this will be due after 113 calendar days after contract
award.)

9. The Contractor shall complete a 3PAO Security Assessment Report (SAR) within 90
calendar days after the SSP is accepted by VA. (If Data Security Categorization is High
Impact, this will be due 113 calendar days after the SSP is accepted by VA.)

10. Contractor shall work with assigned VA SME to develop a VA specific Incident
Response Plan (IRP) and perform an IRP Table Top Exercise with VA Stakeholders. This
should be completed within 30 calendar days of the SSP being delivered.

11. The Contractor shall afford VA access to the Contractor’s and Cloud Service
Provider’s (CSP) facilities, installations, technical capabilities, operations, documentation,
records, and databases.

12. If new or unanticipated vulnerabilities are discovered by either VA or the Contractor, or

if existing safeguards have ceased to function, the discoverer shall immediately bring the
situation to the attention of the other party in accordance with Addendum B, VA
Information and Information System Security/Privacy Language.

13. The Contractor shall comply with data management requirements.

14. Successful issuance of a VA ATO will be required before live VA data can be used in
the system.

Deliverables:

A. FedRAMP System Security Plan (SSP) and supporting documentation

B. VA Implementation Diagram: This is a VA specific architecture diagram

demonstrating the proposed implementation of this system at VA (VAID)

C. 3PAO Security Assessment Plan (SAP)

D. 3PAO Security Assessment Report (SAR)

E. IRP Scenario

If the solution is FedRAMP Authorized but not VA Authorized:

1. The information system solution selected by the Contractor shall comply with the
Federal Information Security Management Act (FISMA)

2. The Contractor shall comply with FedRAMP requirements as mandated by Federal laws
and policies, including making available any documentation, physical access, and logical
access needed to support this requirement

Page 43 of 79
3. The system must be FedRAMP Authorized at no less than the moderate

4. The Contractor shall, where applicable, assist with the VA ATO Process to help achieve
agency authorization of the cloud service or migrated application.

5. The Contractor shall develop a VA specific system boundary diagram including any
integration and connectivity components that will be known as a VA Implementation
Diagram (VAID) demonstrating the proposed implementation of this system at VA. The
Contractor shall provide the VAID within 10 calendar days of contract award.

6. The Contractor shall provide confirmation of their FedRAMP System Security Plan
(SSP) and supporting documentation completion via their repository ID number and a link
for VA to download the SSP and all required artifacts within 5 calendar days of contract
award.

7. The Contractor shall provide the results of their most recent Third-Party Assessment
Organization (3PAO) Security Assessment Plan (SAP) within 10 calendar days of contract
award.

8. The Contractor shall complete a 3PAO Security Assessment Report (SAR) within 10
calendar days after the SSP is accepted by VA.

9. The Contractor shall provide VA with the most recent monthly scans for the production
environment within the authorization boundary and their scan upload schedule for
FedRAMP within 30 calendar days of contract award.

10. The Contractor shall provide their availability to participate in monthly continuous
monitoring meetings to be scheduled following successful VA ATO within 30 calendar
days of contract award.

11. Contractor shall work with assigned VA SME to develop a VA specific Incident
Response Plan (IRP) and perform an IRP Table Top Exercise with VA Stakeholders. This
should be completed within 30 calendar days of the SAR being delivered.

12. If new or unanticipated vulnerabilities are discovered by either VA or the Contractor, or

if existing safeguards have ceased to function, the discoverer shall immediately bring the
situation to the attention of the other party in accordance with Addendum B, VA
Information and Information System Security/Privacy Language

13. The Contractor shall comply with data management requirements.

14. Successful issuance of a VA ATO will be required before live VA data can be used in
the system.

Deliverables:

A. VA Implementation Diagram

B. FedRAMP System Security Plan (SSP) and supporting documentation

C. 3PAO Security Assessment Plan (SAP)

Page 44 of 79
 D. 3PAO Security Assessment Report (SAR)

E. IRP Scenario

If the solution is FedRAMP Authorized and VA Authorized:

1. The information system solution selected by the Contractor shall comply with the
Federal Information Security Management Act (FISMA) and have a current VA
authorization.

2. The Contractor shall comply with FedRAMP requirements as mandated by Federal laws
and policies, including making available any documentation, physical access, and logical
access needed to support this requirement.

3. The FedRAMP Authorization level and existing VA ATO should be no less than the
level required for this use case which has been defined as moderate

4. The Contractor shall, where applicable, assist with the VA ATO Sustainment Process to
help maintain health and quality of agency authorization of the cloud service or migrated
application.

5. The Contractor shall exclusively provide licenses and/or accounts to FedRAMP

authorized and VA authorized environments.

6. The Contractor shall afford VA access to the Contractor’s and Cloud Service Provider’s
(CSP) facilities, installations, technical capabilities, operations, documentation, records,
and databases.

7. If new or unanticipated vulnerabilities are discovered by either VA or the Contractor, or

if existing safeguards have ceased to function, the discoverer shall immediately bring the
situation to the attention of the other party in accordance with Addendum B, VA
Information and Information System Security/Privacy Language

8. The Contractor shall comply with data management requirements.

9. Successful issuance of a VA ATO will be required before live VA data can be used in
the system.

10. The Contractor shall participate in monthly Agency and FedRAMP Sustainment
meetings following the granting of a VA ATO.

11. The Contractor shall provide continuous monitoring activities including scans, security
artifacts, and monthly Plan of Action and Milestones (POAM) reports as outlined by
FedRAMP requirements.

Deliverables:

A. Continuous monitoring security artifacts

B. Continuous monitoring scans

C. Plan of Action and Milestones reports.

Page 45 of 79
Page 46 of 79
ADDENDUM A – ADDITIONAL VA REQUIREMENTS, CONSOLIDATED

A1.0 Cyber and Information Security Requirements for VA IT Services

The Contractor shall ensure adequate LAN/Internet, data, information, and system
security in accordance with VA standard operating procedures and standard PWS
language, conditions, laws, and regulations. The Contractor’s firewall and web server
shall meet or exceed VA minimum requirements for security. All VA data shall be
protected behind an approved firewall. Any security violations or attempted violations
shall be reported to the VA Program Manager and VA Information Security Officer as soon
as possible. The Contractor shall follow all applicable VA policies and procedures
governing information security, especially those that pertain to assessment and
authorization and continuous monitoring

Contractor supplied equipment, PCs of all types, equipment with hard drives, etc. for
contract services must meet all security requirements that apply to Government Furnished
Equipment (GFE) and Government Owned Equipment (GOE). Security Requirements
include: a) VA Approved Encryption Software must be installed on all laptops or mobile
devices before placed into operation, b) Bluetooth equipped devices are prohibited within
VA; Bluetooth must be permanently disabled or removed from the device, unless the
connection uses FIPS 140-2 (or its successor) validated encryption, c) VA approved anti-
virus and firewall software, d) Equipment must meet all VA sanitization requirements and
procedures before disposal. The COR, CO, the PM, and the Information Security Officer
(ISO) must be notified and verify all security requirements have been adhered to.

Each documented initiative under this contract incorporates VA Handbook 6500.6,

“Contract Security,” March 12, 2010 by reference as though fully set forth therein. The VA

Page 47 of 79
Handbook 6500.6, “Contract Security” shall also be included in every related agreement,
contract, or order. The VA Handbook 6500.6, Appendix C, is included in this document as
Addendum B.

Training requirements: The Contractor shall complete all mandatory training courses on
the current VA training site, the VA Talent Management System (TMS) 2.0, and will be
tracked therein. The TMS 2.0 may be accessed at https://www.tms.va.gov/SecureAuth35/

. If you do not have a TMS 2.0 profile, go to

https://www.tms.va.gov/SecureAuth35/

and click on the “Create New User” link on the TMS 2.0 to gain access.

Contractor employees shall complete a VA Systems Access Agreement if they are

provided access privileges as an authorized user of the computer system of VA.

A2.0 VA Enterprise Architecture Compliance

The applications, supplies, and services furnished under this contract must comply with
VA Enterprise Architecture (EA), available at http://www.ea.oit.va.gov/index.asp in force at
the time of issuance of this contract, including the Program Management Plan and VA's
rules, standards, and guidelines in the Technical Reference Model/Standards Profile
(TRMSP). VA reserves the right to assess contract deliverables for EA compliance prior
to acceptance.

A2.1. VA Internet and Intranet Standards

The Contractor shall adhere to and comply with VA Directive 6102 and VA Handbook
6102, Internet/Intranet Services, including applicable amendments and changes, if the
Contractor’s work includes managing, maintaining, establishing, and presenting
information on VA’s Internet/Intranet Service Sites. This pertains, but is not limited to:
creating announcements; collecting information; databases to be accessed, graphics and
links to external sites.

Internet/Intranet Services Directive 6102 is posted at (copy and paste the following URL to
browser): https://www.va.gov/vapubs/viewPublication.asp?Pub_ID=1056&FType=2

Internet/Intranet Services Handbook 6102 is posted at (copy and paste following URL to
browser): https://www.va.gov/vapubs/viewPublication.asp?Pub_ID=1055&FType=2

Page 48 of 79
A3.0 Notice of the Federal Accessibility Law Affecting All Information and
Communication Technology (ICT) Procurements (Section 508)

(Three standards listed in Section A3.1 below [E205 Electronic Content – (Accessibility
Standard -WCAG 2.0 Level A and AA Guidelines), E204 Functional Performance Criteria,
and E208 Support Documentation and Services] always apply to the evaluation of ICT,
and should remain marked as “x”. The requiring activity should un-mark any of the other
remaining standards below [E206 and/or E207] that do not apply to this effort. The
Accessibility Requirements Tool (ART) is a web-based application that will help the
requiring activity determine the Section 508 standards that apply to their specific
acquisition. The ART tool is located at https://app.buyaccessible.gov/home.)

On January 18, 2017, the Architectural and Transportation Barriers Compliance Board
(Access Board) revised and updated, in a single rulemaking, standards for electronic and
information technology developed, procured, maintained, or used by Federal agencies
covered by Section 508 of the Rehabilitation Act of 1973, as well as our guidelines for
telecommunications equipment and customer premises equipment covered by Section
255 of the Communications Act of 1934. The revisions and updates to the Section 508-
based standards and Section 255-based guidelines are intended to ensure that
information and communication technology (ICT) covered by the respective statutes is
accessible to and usable by individuals with disabilities.

A3.1. Section 508 – Information and Communication Technology (ICT) Standards

The Section 508 standards established by the Access Board are incorporated into, and
made part of all VA orders, solicitations and purchase orders developed to procure ICT.
These standards are found in their entirety at: https://www.access-board.gov/guidelines-
and-standards/communications-and-it/about-the-ict-refresh/final-rule/text-of-the-standards-
and-guidelines. A printed copy of the standards will be supplied upon request.

Federal agencies must comply with the updated Section 508 Standards beginning on
January 18, 2018. The Final Rule as published in the Federal Register is available from
the Access Board:
https://www.access-board.gov/guidelines-and-standards/communications-and-it/about-
the-ict-refresh/final-rule.

Page 49 of 79
The Contractor shall comply with “508 Chapter 2: Scoping Requirements” for all electronic
ICT and content delivered under this contract. Specifically, as appropriate for the
technology and its functionality, the Contractor shall comply with the technical standards
marked here:

1 E205 Electronic Content – (Accessibility Standard -WCAG 2.0 Level A and AA

Guidelines)

1 E204 Functional Performance Criteria

1 E206 Hardware Requirements

1 E207 Software Requirements

1 E208 Support Documentation and Services Requirements

A3.2. Compatibility with Assistive Technology

The standards do not require installation of specific accessibility-related software or

attachment of an assistive technology device. Section 508 requires that ICT be compatible
with such software and devices so that ICT can be accessible to and usable by individuals
using assistive technology, including but not limited to screen readers, screen magnifiers,
and speech recognition software.

A3.3. Acceptance and Acceptance Testing

Deliverables resulting from this solicitation will be accepted based in part on satisfaction of
the Section 508 Chapter 2: Scoping Requirements standards identified above.

The Government reserves the right to test for Section 508 Compliance before delivery.
The Contractor shall be able to demonstrate Section 508 Compliance upon delivery.

A4.0 Physical Security & Safety Requirements:

The Contractor and their personnel shall follow all VA policies, standard operating
procedures, applicable laws and regulations while on VA property. Violations of VA
regulations and policies may result in citation and disciplinary measures for persons
violating the law.

Page 50 of 79
1. The Contractor and their personnel shall wear visible identification at all times
while they are on the premises.

2. VA does not provide parking spaces at the work site; the Contractor must obtain
parking at the work site if needed. It is the responsibility of the Contractor to park in the
appropriate designated parking areas. VA will not invalidate or make reimbursement for
parking violations of the Contractor under any conditions.

3. Smoking is prohibited inside/outside any building other than the designated

smoking areas.

4. Possession of weapons is prohibited.

5. The Contractor shall obtain all necessary licenses and/or permits required to
perform the work, with the exception of software licenses that need to be procured from a
Contractor or vendor in accordance with the requirements document. The Contractor
shall take all reasonable precautions necessary to protect persons and property from
injury or damage during the performance of this contract.

A5.0 Confidentiality and Non-Disclosure

The Contractor shall follow all VA rules and regulations regarding information security to
prevent disclosure of sensitive information to unauthorized individuals or organizations.

The Contractor may have access to Protected Health Information (PHI) and Electronic
Protected Health Information (EPHI) that is subject to protection under the regulations
issued by the Department of Health and Human Services, as mandated by the Health
Insurance Portability and Accountability Act of 1996 (HIPAA); 45 CFR Parts 160 and 164,
Subparts A and E, the Standards for Privacy of Individually Identifiable Health Information
(“Privacy Rule”); and 45 CFR Parts 160 and 164, Subparts A and C, the Security Standard
(“Security Rule”). Pursuant to the Privacy and Security Rules, the Contractor must agree
in writing to certain mandatory provisions regarding the use and disclosure of PHI and
EPHI.

1. The Contractor will have access to some privileged and confidential materials of
VA. These printed and electronic documents are for internal use only, are not to be
copied or released without permission, and remain the sole property of VA. Some of
these materials are protected by the Privacy Act of 1974 (revised by PL 93-5791) and Title
38. Unauthorized disclosure of Privacy Act or Title 38 covered materials is a criminal
offense.

2. The VA CO will be the sole authorized official to release in writing, any data, draft
deliverables, final deliverables, or any other written or printed materials pertaining to this
contract. The Contractor shall release no information. Any request for information relating
to this contract presented to the Contractor shall be submitted to the VA CO for response.

3. Contractor personnel recognize that in the performance of this effort, Contractor

personnel may receive or have access to sensitive information, including information

Page 51 of 79
provided on a proprietary basis by carriers, equipment manufacturers and other private or
public entities. Contractor personnel agree to safeguard such information and use the
information exclusively in the performance of this contract. Contractor shall follow all VA
rules and regulations regarding information security to prevent disclosure of sensitive
information to unauthorized individuals or organizations as enumerated in this section and
elsewhere in this Contract and its subparts and appendices.

4. Contractor shall limit access to the minimum number of personnel necessary for
contract performance for all information considered sensitive or proprietary in nature. If
the Contractor is uncertain of the sensitivity of any information obtained during the
performance this contract, the Contractor has a responsibility to ask the VA CO.

5. Contractor shall train all of their employees involved in the performance of this
contract on their roles and responsibilities for proper handling and nondisclosure of
sensitive VA or proprietary information. Contractor personnel shall not engage in any
other action, venture or employment wherein sensitive information shall be used for the
profit of any party other than those furnishing the information. The sensitive information
transferred, generated, transmitted, or stored herein is for VA benefit and ownership
alone.

6. Contractor shall maintain physical security at all facilities housing the activities
performed under this contract, including any Contractor facilities according to VA-
approved guidelines and directives. The Contractor shall ensure that security procedures
are defined and enforced to ensure all personnel who are provided access to patient data
must comply with published procedures to protect the privacy and confidentiality of such
information as required by VA.

7. Contractor must adhere to the following:

a. The use of “thumb drives” or any other medium for transport of information is
expressly prohibited.

b. Controlled access to system and security software and documentation.

c. Recording, monitoring, and control of passwords and privileges.

d. All terminated personnel are denied physical and electronic access to all data,
program listings, data processing equipment and systems.

e. VA, as well as any Contractor (or Subcontractor) systems used to support

development, provide the capability to cancel immediately all access privileges and
authorizations upon employee termination.

f. Contractor PM and VA PM are informed within twenty-four (24) hours of any

employee termination.

g. Acquisition sensitive information shall be marked "Acquisition Sensitive" and shall

be handled as "For Official Use Only (FOUO)".

h. Contractor does not require access to classified data.

Page 52 of 79
8. Regulatory standard of conduct governs all personnel directly and indirectly
involved in procurements. All personnel engaged in procurement and related activities
shall conduct business in a manner above reproach and, except as authorized by statute
or regulation, with complete impartiality and with preferential treatment for none. The
general rule is to strictly avoid any conflict of interest or even the appearance of a conflict
of interest in VA/Contractor relationships.

9. VA Form 0752 shall be completed by all Contractor employees working on this

contract, and shall be provided to the CO before any work is performed. In the case that
Contractor personnel are replaced in the future, their replacements shall complete VA
Form 0752 prior to beginning work.

A6.0 INFORMATION TECHNOLOGY USING ENERGY-EFFICIENT PRODUCTS

(If the requiring activity is procuring the following types of Information Technology
Products delivered or furnished for Government use or for Contractor use at a Federally
controlled facility (applicable to the work being performed and/or the solution requires)
please see the below EPEAT, Energy Star, and FEMP information for applicability and
modify as necessary. If the services do not involve the acquisition of products that fall into
the EPEAT, Energy Star, or FEMP categories at all, this entire section can be indicated as
“Not Applicable”)

The Contractor shall comply with Sections 524 and Sections 525 of the Energy
Independence and Security Act of 2007; Section 104 of the Energy Policy Act of 2005;
Executive Order 13834, “Efficient Federal Operations”, dated May 17, 2018; Executive
Order 13221, “Energy-Efficient Standby Power Devices,” dated August 2, 2001; and the
Federal Acquisition Regulation (FAR) to provide ENERGY STAR®, Federal Energy
Management Program (FEMP) designated, and Electronic Product Environmental
Assessment Tool (EPEAT) registered products in providing information technology
products and/or services.

A6.1. EPEAT

(For information about EPEAT®, see https://www.epeat.net for complete product

specifications, registration requirements, product categories, and updated lists of
qualifying products

The requiring activity must indicate the appropriate clause(s) required from the three listed
in the below paragraph (52.223-13, 52.223-14, and 52.223-16) based upon
products/services intending to be procured:

Page 53 of 79
1. 52.223-13 Acquisition of EPEAT®-Registered Imaging Equipment.

The Contracting Officer will insert contract clause at 52.223-13 in all Contracts requiring
EPEAT®-Registered “Imaging Equipment” category products (Printers, Copiers, Multi-
Function Devices, Scanners, Digital Duplicators). Additionally, if “Imaging Equipment”
category products are being acquired, the requiring activity must insert the paragraph
below within this section of the PWS by changing the text to black and convert to “No
Spacing” style, and identifying clause 52.223-13 where indicated.

2. 52.223-14 Acquisition of EPEAT®-Registered Televisions.

The Contracting Officer will insert contract clause at 52.223-14 in all Contracts requiring
EPEAT®-Registered “Television” category products (TV, Hospital Grade TV).
Additionally, if “Television” category products are being acquired, the requiring activity
must insert the paragraph below within this section of the PWS by changing the text to
black and convert to “No Spacing” style, and identifying clause 52.223-14 where indicated.

3. 52.223-16 Acquisition of EPEAT®-Registered Personal Computer Products.

The Contracting Officer will insert contract clause at 52.223-14 in all Contracts requiring
EPEAT®-Registered “Computers and Displays” category products (Desktop, Notebook,
Monitors, Integrated Desktop Computer, Workstation, Thin Client, Tablet/Slate, Signage
Display). Additionally, if “Computers and Displays” category products are being acquired,
The requiring activity must insert the paragraph below within this section of the PWS by
changing the text to black and convert to “No Spacing” style, and identifying clause
52.223-16 where indicated)

The Contractor shall provide EPEAT-registered products under this contract, as applicable
to clause(s) <Insert Applicable clauses (52.223-13, 52.223-14, and/or 52.223-16)>.

(When acquiring EPEAT®-Registered products in the “Mobile Phones” category, there is

no related FAR clause. Therefore, the requiring activity must insert the following
paragraph within this section of the PWS and change the text to black and convert to “No
Spacing” style. IMPORTANT NOTE FOR MOBILE PHONES: the acquisition of mobile
phones with cellular service must use the appropriate VA enterprise contract for cellular
services (e.g. National Mobile Devices and Service (NMDS) contract:))

Page 54 of 79
The Contractor shall deliver and furnish to the Government, or use in the performance of
work by Contractor employees at a Federally controlled facility, only Mobile Phones that at
the time of submission of proposals and at the time of award, are EPEAT® bronze
registered or higher. For information about EPEAT®, see https://www.epeat.net.

(However, when acquiring EPEAT®-Registered products in the “Servers” category (Blade

Server, Multi-node Server, Pedestal Server, Rack-mounted Server), there is no related
FAR clause. Therefore, the requiring activity must insert the following paragraph within
this section of the PWS and change the text to black and convert to “No Spacing” style:)

The Contractor shall deliver and furnish to the Government, or use in the performance of
work by Contractor employees at a Federally controlled facility, only servers that at the
time of submission of proposals and at the time of award, are EPEAT® bronze registered
or higher. For information about EPEAT®, see https://www.epeat.net.

(If, after consulting with the Contracting Officer and Contract Specialist, the requiring
activity determines there is no EPEAT® standard for the requested product or there is no
EPEAT®-registered product that meets agency requirements, the requiring activity must
insert the following paragraph within this section of the PWS and change the text to black
and convert to “No Spacing” style:)

EPEAT product compliance is not required in this acquisition.

A6.2. ENERGY STAR

(The following is a subset of information technology categories for which Energy Star
qualified products are available:

1. Data Center Equipment- (Data Center Storage, Enterprise Servers, Large Network
Equipment, Small Network Equipment, Uninterruptible Power Supplies)

2. Electronics- (Audio/Video, Digital Media Player, Set-top Boxes, Signage Displays,

Slates and Tablets, Telephones, Televisions)

3. Office Equipment- (Computers, Imaging Equipment, Monitors, Voice over Internet

Protocol (VoIP) Phones)

The complete listing of Energy Star categories and associated products can be found at
https://www.energystar.gov/products.

Page 55 of 79
If the requiring activity has determined that Energy Star qualified products are required,
the Contracting Officer will insert contract clause 52.223-15 into the contract. If Energy
Star designated products are being acquired, the requiring activity must insert the
following paragraph within this section of the PWS by changing the text to black and
convert to “No Spacing” style:)

As required in clause 52.223-15 Energy Efficiency in Energy-Consuming Products, the

Contractor shall provide products that earn the ENERGY STAR label and meet ENERGY
STAR specifications for energy efficiency. For information about ENERGY STAR, see
https://www.energystar.gov/products for complete product specifications and updated lists
of qualifying products.

(If, after consulting with the Contracting Officer and Contract Specialist, the requiring
activity determines that no Energy Star qualified products will be acquired, the requiring
activity must obtain a waiver from the Head of the Contracting Activity (HCA) IAW FAR
23.204:

(a) No ENERGY STAR® designated product is reasonably available that meets the
functional requirements of the agency; or

(b) No ENERGY STAR® designated product is cost effective over the life of the
product taking energy cost savings into account

If a waiver is obtained, please insert the following paragraph within this section of the
PWS and change the text to black and convert to “No Spacing” style:)

Energy Star product compliance is not required in this acquisition.

A6.3. FEMP

(The following is a subset of information technology product categories for which FEMP
designated Low Standby Power products are available:

1. Computers: Workstation and Thin Client – (Workstation, Thin Client, Desktop,

Integrated, and Notebook)

Page 56 of 79
(The complete listing of FEMP product categories can be found at
https://www.energy.gov/eere/femp/search-energy-efficient-products (Note: filter by
“Product Type” and “Efficiency Program” to FEMP). For FEMP Low Standby Power
product listing, see https://www.energy.gov/eere/femp/low-standby-power-product-list)

If the requiring activity has determined that FEMP Low Standby Power designated
products are required, the Contracting Officer will insert contract clause 52.223-15 into the
contract. If FEMP, Low Standby Power designated products are being acquired in the
above FEMP category, the requiring activity must insert the following paragraph within this
section of the PWS by changing the text to black and convert to “No Spacing” style:)

As required in clause 52.223-15 Energy Efficiency in Energy-Consuming Products, the

contractor shall only provide products that meet Federal Energy Management Program
(FEMP) and/or FEMP Low Standby Power purchasing specifications for energy efficiency
under this contract, as applicable. Covered product categories and the applicable energy
efficiency requirements can be found at http://energy.gov/eere/femp/covered-product-
categoriesand low standby power products list can be found at
https://www.energy.gov/eere/femp/low-standby-power-product-list.

(If, after consulting with the Contracting Officer and Contract Specialist, the requiring
activity determines that no FEMP designated products will be acquired, the requiring
activity must obtain a waiver from the Head of the Contracting Activity (HCA) IAW FAR
23.204:

a) No FEMP-designated product is reasonably available that meets the functional

requirements of the agency; or

b) No FEMP-designated product is cost effective over the life of the product taking
energy cost savings into account

If a waiver is obtained, please insert the following paragraph within this section of the
PWS and change the text to black and convert to “No Spacing” style:)

FEMP or FEMP low standby power product compliance is not required in this acquisition.

Page 57 of 79
ADDENDUM B – VA INFORMATION AND INFORMATION SYSTEM SECURITY AND
PRIVACY LANGUAGE

NOTE: In the event of a conflict, VAAR Security Clauses take precedence over the
language in this Addendum B.

Page 58 of 79
APPLICABLE PARAGRAPHS TAILORED FROM: VA NOTICE 24-12, APRIL 22, 2024,
UPDATE TO VA HANDBOOK 6500.6, CONTRACT SECURITY, APPENDIX C VA
INFORMATION AND INFORMATION SYSTEM SECURITY/PRIVACY LANGUAGE, FOR
INCLUSION INTO CONTRACTS, AS APPROPRIATE

B1. GENERAL

This entire section applies to all acquisitions requiring any Information Security and Privacy
language. Contractors, contractor personnel, subcontractors and subcontractor personnel will
be subject to the same federal laws, regulations, standards, VA directives and handbooks, as
VA personnel regarding information and information system security and privacy.

B2. VA INFORMATION CUSTODIAL LANGUAGE

a. The Government shall receive unlimited rights to data/intellectual property first produced
and delivered in the performance of this contract or order (hereinafter “contract”) unless
expressly stated otherwise in this contract. This includes all rights to source code and all
documentation created in support thereof. The primary clause used to define
Government and Contractor data rights is FAR 52.227-14 Rights in Data – General. The
primary clause used to define computer software license (not data/intellectual property
first produced under this contractor or order) is FAR 52.227-19, Commercial Computer
Software License.

b. Information made available to the contractor by VA for the performance or administration

of this contract will be used only for the purposes specified in the service agreement,
SOW, PWS, PD, and/or contract. The contractor shall not use VA information in any
other manner without prior written approval from a VA Contracting Officer (CO). The
primary clause used to define Government and Contractor data rights is FAR 52.227-14
Rights in Data – General.

c. VA information will not be co-mingled with any other data on the contractor’s information
systems or media storage systems. The contractor shall ensure compliance with Federal
and VA requirements related to data protection, data encryption, physical data
segregation, logical data segregation, classification requirements and media sanitization.

d. VA reserves the right to conduct scheduled or unscheduled audits, assessments, or

investigations of contractor Information Technology (IT) resources to ensure information
security is compliant with Federal and VA requirements. The contractor shall provide all
necessary access to records (including electronic and documentary materials related to

Page 59 of 79
 the contracts and subcontracts) and support (including access to contractor and
subcontractor staff associated with the contract) to VA, VA's Office Inspector General
(OIG), and/or Government Accountability Office (GAO) staff during periodic control
assessments, audits, or investigations.

e. The contractor may only use VA information within the terms of the contract and
applicable Federal law, regulations, and VA policies. If new Federal information security
laws, regulations or VA policies become applicable after execution of the contract, the
parties agree to negotiate contract modification and adjustment necessary to implement
the new laws, regulations, and/or policies.

f. The contractor shall not make copies of VA information except as specifically authorized
and necessary to perform the terms of the contract. If copies are made for restoration
purposes, after the restoration is complete, the copies shall be destroyed in accordance
with VA Directive 6500, VA Cybersecurity Program and VA Information Security
Knowledge Service.

g. If a Veterans Health Administration (VHA) contract is terminated for default or cause with
a business associate, the related local Business Associate Agreement (BAA) shall also
be terminated and actions taken in accordance with VHA Directive 1605.05, Business
Associate Agreements. If there is an executed national BAA associated with the
contract, VA will determine what actions are appropriate and notify the contactor.

h. The contractor shall store and transmit VA sensitive information in an encrypted form,
using VA-approved encryption tools which are, at a minimum, Federal Information
Processing Standards (FIPS) 140-2, Security Requirements for Cryptographic Modules
(or its successor) validated and in conformance with VA Information Security Knowledge
Service requirements. The contractor shall transmit VA sensitive information using VA
approved Transport Layer Security (TLS) configured with FIPS based cipher suites in
conformance with National Institute of Standards and Technology (NIST) 800-52,
Guidelines for the Selection, Configuration and Use of Transport Layer Security (TLS)
Implementations.

i. The contractor’s firewall and web services security controls, as applicable, shall meet or
exceed VA’s minimum requirements.

j. Except for uses and disclosures of VA information authorized by this contract for
performance of the contract, the contractor may use and disclose VA information only in
two situations: (i) in response to a qualifying order of a court of competent jurisdiction

Page 60 of 79
 after notification to VA CO (ii) with written approval from the VA CO. The contractor shall
refer all requests for, demands for production of or inquiries about, VA information and
information systems to the VA CO for response.

k. Notwithstanding the provision above, the contractor shall not release VA records
protected by Title 38 U.S.C. § 5705, Confidentiality of medical quality-assurance records
and/or Title 38 U.S.C. § 7332, Confidentiality of certain medical records pertaining to
drug addiction, sickle cell anemia, alcoholism or alcohol abuse or infection with Human
Immunodeficiency Virus (HIV). If the contractor is in receipt of a court order or other
requests for the above-mentioned information, the contractor shall immediately refer
such court order or other requests to the VA CO for response.

l. Information made available to the contractor by VA for the performance or administration

of this contract or information developed by the contractor in performance or
administration of the contract will be protected and secured in accordance with VA
Directive 6500 and Identity and Access Management (IAM) Security processes specified
in the VA Information Security Knowledge Service.

m. Any data destruction done on behalf of VA by a contractor shall be done in accordance

with National Archives and Records Administration (NARA) requirements as outlined in
VA Directive 6300, Records and Information Management, VA Handbook 6300.1,
Records Management Procedures, and applicable VA Records Control Schedules.

n. The contractor shall provide its plan for destruction of all VA data in its possession
according to VA Directive 6500 and NIST 800-88, Guidelines for Media Sanitization prior
to termination or completion of this contract. If directed by the COR/CO, the contractor
shall return all Federal Records to VA for disposition.

o. Any media, such as paper, magnetic tape, magnetic disks, solid state devices or optical
discs that is used to store, process, or access VA information that cannot be destroyed
shall be returned to VA. The contractor shall hold the appropriate material until
otherwise directed by the Contracting Officer’s Representative (COR) or CO. Items shall
be returned securely via VA-approved methods. VA sensitive information must be
transmitted utilizing VA-approved encryption tools which are validated under FIPS 140-2
(or its successor) and NIST 800-52. If mailed, the contractor shall send via a trackable
method (USPS, UPS, FedEx, etc.) and immediately provide the COR/CO with the
tracking information. Self-certification by the contractor that the data destruction
requirements above have been met shall be sent to the COR/CO within 30 business
days of termination of the contract.

Page 61 of 79
 p. All electronic storage media (hard drives, optical disks, CDs, back-up tapes, etc.) used to
store, process or access VA information will not be returned to the contractor at the end
of lease, loan, or trade-in. Exceptions to this paragraph will only be granted with the
written approval of the VA CO.

B3. ACCESS TO VA INFORMATION AND VA INFORMATION SYSTEMS

a. A contractor/subcontractor shall request logical (technical) or physical access to VA

information and VA information systems for their employees and subcontractors only to
the extent necessary to perform the services specified in the solicitation or contract. This
includes indirect entities, both affiliate of contractor/subcontractor and agent of
contractor/subcontractor.

b. Contractors and subcontractors shall sign the VA Information Security Rule of Behavior
(ROB) before access is provided to VA information and information systems (see
Section 4, Training, below). The ROB contains the minimum user compliance
requirements and does not supersede any policies of VA facilities or other agency
components which provide higher levels of protection to VA’s information or information
systems. Users who require privileged access shall complete the VA elevated privilege
access request processes before privileged access is granted.

c. All contractors and subcontractors working with VA information are subject to the same
security investigative and clearance requirements as those of VA appointees or
employees who have access to the same types of information. The level and process of
background security investigations for contractors shall be in accordance with VA
Directive and Handbook 0710, Personnel Suitability and Security Program. The Office of
Human Resources and Administration/Operations, Security and Preparedness
(HRA/OSP) is responsible for these policies and procedures. Contract personnel who
require access to classified information or information systems shall have an appropriate
security clearance. Verification of a Security Clearance shall be processed through the
Special Security Officer located in HRA/OSP. Contractors shall conform to all
requirements stated in the National Industrial Security Program Operating Manual
(NISPOM).

d. All contractors and subcontractors shall comply with conditions specified in VAAR
852.204-71(d); Contractor operations required to be in United States. All contractors and
subcontractors working with VA information must be permanently located within a
jurisdiction subject to the law of the United States or its Territories to the maximum

Page 62 of 79
 extent feasible. If services are proposed to be performed abroad the contractor must
state where all non-U.S. services are provided. The contractor shall deliver to VA a
detailed plan specifically addressing communications, personnel control, data protection
and potential legal issues. The plan shall be approved by the COR/CO in writing prior to
access being granted.

e. The contractor shall notify the COR/CO in writing immediately (no later than 24 hours)
after personnel separation or occurrence of other causes. Causes may include the
following:
(1) Contractor/subcontractor personnel no longer has a need for access to VA
information or VA information systems.

(2) Contractor/subcontractor personnel are terminated, suspended, or otherwise has

their work on a VA project discontinued for any reason.

(3) Contractor believes their own personnel or subcontractor personnel may pose a
threat to their company’s working environment or to any company-owned
property. This includes contractor-owned assets, buildings, confidential data,
customers, employees, networks, systems, trade secrets and/or VA data.

(4) Any previously undisclosed changes to contractor/subcontractor background

history are brought to light, including but not limited to changes to background
investigation or employee record.

(5) Contractor/subcontractor personnel have their authorization to work in the United

States revoked.

(6) Agreement by which contractor provides products and services to VA has either
been fulfilled or terminated, such that VA can cut off electronic and/or physical
access for contractor personnel.

f. In such cases of contract fulfillment, termination, or other causes; the contractor shall
take the necessary measures to immediately revoke access to VA network, property,
information, and information systems (logical and physical) by contractor/subcontractor
personnel. These measures include (but are not limited to): removing and then securing
Personal Identity Verification (PIV) badges and PIV – Interoperable (PIV-I) access
badges, VA-issued photo badges, credentials for VA facilities and devices, VA-issued

Page 63 of 79
 laptops, and authentication tokens. Contractors shall notify the appropriate VA COR/CO
immediately to initiate access removal.

g. Contractors/subcontractors who no longer require VA accesses will return VA-issued

property to VA. This property includes (but is not limited to): documents, electronic
equipment, keys, and parking passes. PIV and PIV-I access badges shall be returned to
the nearest VA PIV Badge Issuance Office. Once they have had access to VA
information, information systems, networks and VA property in their possessions
removed, contractors shall notify the appropriate VA COR/CO.

B4. TRAINING

a. All contractors and subcontractors requiring access to VA information and VA

information systems shall successfully complete the following before being granted
access to VA information and its systems:

(1) VA Privacy and Information Security Awareness and Rules of Behavior course
(Talent Management System (TMS) #10176) initially and annually thereafter.

(2) Sign and acknowledge (electronically through TMS #10176) understanding of

and responsibilities for compliance with the Organizational Rules of Behavior,
relating to access to VA information and information systems initially and
annually thereafter; and

(3) Successfully complete any additional cyber security or privacy training, as

required for VA personnel with equivalent information system or information
access [to be defined by the VA program official and provided to the VA CO for
inclusion in the solicitation document – i.e., any role-based information security
training].

b. The contractor shall provide to the COR/CO a copy of the training certificates and
certification of signing the Organizational Rules of Behavior for each applicable
employee within five days of the initiation of the contract and annually thereafter, as
required.

Page 64 of 79
 c. Failure to complete the mandatory annual training is grounds for suspension or
termination of all physical or electronic access privileges and removal from work on the
contract until such time as the required training is complete.

B5. SECURITY INCIDENT INVESTIGATION

a. The contractor, subcontractor, their employees, or business associates shall

immediately (within one hour) report suspected security / privacy incidents to the VA
OIT’s Enterprise Service Desk (ESD) by calling (855) 673-4357 (TTY: 711). The ESD is
OIT’s 24/7/365 single point of contact for IT-related issues. After reporting to the ESD,
the contractor, subcontractor, their employees, or business associates shall, within one
hour, provide the COR/CO the incident number received from the ESD.

b. To the extent known by the contractor/subcontractor, the contractor/ subcontractor's

notice to VA shall identify the information involved and the circumstances surrounding
the incident, including the following:

(1) The date and time (or approximation of) the Security Incident occurred.

(2) The names of individuals involved (when applicable).

(3) The physical and logical (if applicable) location of the incident.

(4) Why the Security Incident took place (i.e., catalyst for the failure).

(5) The amount of data belonging to VA believed to have been compromised.

(6) The remediation measures the contractor is taking to ensure no future incidents
of a similar nature.

c. After the contractor has provided the initial detailed incident summary to VA, they will
continue to provide written updates on any new and relevant circumstances or facts they
discover. The contractor, subcontractor, and their employes shall fully cooperate with VA

Page 65 of 79
 or third-party entity performing an independent risk analysis on behalf of VA. Failure to
cooperate may be deemed a material breach and grounds for contract termination.

d. VA IT contractors shall follow VA Handbook 6500, Risk Management Framework for VA

Information Systems VA Information Security Program, and VA Information Security
Knowledge Service guidance for implementing an Incident Response Plan or integrating
with an existing VA implementation.

e. In instances of theft or break-in or other criminal activity, the contractor/subcontractor

must concurrently report the incident to the appropriate law enforcement entity (or
entities) of jurisdiction, including the VA OIG, and the VA Office of Security and Law
Enforcement. The contractor, its employees, and its subcontractors and their employees
shall cooperate with VA and any law enforcement authority responsible for the
investigation and prosecution of any possible criminal law violation(s) associated with
any incident. The contractor/subcontractor shall cooperate with VA in any civil litigation
to recover VA information, obtain monetary or other compensation from a third party for
damages arising from any incident, or obtain injunctive relief against any third party
arising from, or related to, the incident.

f. The contractor shall comply with VA Handbook 6500.2, Management of Breaches

Involving Sensitive Personal Information, which establishes the breach management
policies and assigns responsibilities for the oversight, management and reporting
procedures associated with managing of breaches.

g. With respect to unsecured Protected Health Information (PHI), the contractor is deemed
to have discovered a data breach when the contractor knew or should have known of
breach of such information. When a business associate is part of VHA contract,
notification to the covered entity (VHA) shall be made in accordance with the executed
BAA.

h. If the contractor or any of its agents fails to protect VA sensitive personal information or
otherwise engages in conduct which results in a data breach involving any VA sensitive
personal information the contractor/subcontractor processes or maintains under the
contract; the contractor shall pay liquidated damages to the VA as set forth in clause
852.211-76, Liquidated Damages—Reimbursement for Data Breach Costs.

B6. INFORMATION SYSTEM DESIGN AND DEVELOPMENT

a. Information systems designed or developed on behalf of VA at non-VA facilities shall

comply with all applicable Federal law, regulations, and VA policies. This includes

Page 66 of 79
 standards for the protection of electronic Protected Health Information (PHI), outlined in
45 C.F.R. Part 164, Subpart C and information and system security categorization level
designations in accordance with FIPS 199, Standards for Security Categorization of
Federal Information and Information Systems and FIPS 200, Minimum Security
Requirements for Federal Information Systems. Baseline security controls shall be
implemented commensurate with the FIPS 199 system security categorization
(reference VA Handbook 6500 and VA Trusted Internet Connections (TIC) Architecture).

b. Contracted new developments require creation, testing, evaluation, and authorization in

compliance with VA Assessment and Authorization (A&A) processes in VA Handbook
6500 and VA Information Security Knowledge Service to obtain an Authority to Operate
(ATO). VA Directive 6517, Risk Management Framework for Cloud Computing Services,
provides the security and privacy requirements for cloud environments.

c. VA IT contractors, subcontractors and third-party service providers shall address and/or

integrate applicable VA Handbook 6500, VA Handbook 6517, Risk Management
Framework for Cloud Computing Services and Information Security Knowledge Service
specifications in delivered IT systems/solutions, products and/or services. If
systems/solutions, products and/or services do not directly match VA security
requirements, the contractor shall work though the COR/CO to identify the VA
organization responsible for governance or resolution. Contractors shall comply with
FAR 39.1, specifically the prohibitions referenced.

d. The contractor (including producers and resellers) shall comply with Office of
Management and Budget (OMB) M-22-18 and M-23-16 when using third-party software
on VA information systems or otherwise affecting the VA information. This includes new
software purchases and software renewals for software developed or modified by major
version change after the issuance date of M-22-18 (September 14, 2022). The term
“software” includes firmware, operating systems, applications and application services
(e.g., cloud-based software), as well as products containing software. The contractor
shall provide a self-attestation that secure software development practices are utilized as
outlined by Executive Order (EO)14028 and NIST Guidance. A third-party assessment
provided by either a certified Federal Risk and Authorization Management Program
(FedRAMP) Third Party Assessor Organization (3PAO) or one approved by the agency
will be acceptable in lieu of a software producer's self-attestation.

e. The contractor shall ensure all delivered applications, systems and information systems
are compliant with Homeland Security Presidential Directive (HSPD) 12 and VA Identity
and Access management (IAM) enterprise identity management requirements as set
forth in OMB M-19-17, M-05-24, FIPS 201-3, Personal Identity Verification (PIV) of
Federal Employees and Contractors (or its successor), M-21-31 and supporting NIST
guidance. This applies to Commercial Off-The-Shelf (COTS) product(s) that the
contractor did not develop, all software configurations and all customizations.

Page 67 of 79
f. The contractor shall ensure all contractor delivered applications and systems provide
user authentication services compliant with VA Handbook 6500, VA Information Security
Knowledge Service, IAM enterprise requirements and NIST 800-63, Digital Identity
Guidelines, for direct, assertion-based authentication and/or trust-based authentication,
as determined by the design and integration patterns. Direct authentication at a
minimum must include Public Key Infrastructure (PKI) based authentication supportive of
PIV and/or Common Access Card (CAC), as determined by the business need and
compliance with VA Information Security Knowledge Service specifications.

g. The contractor shall use VA authorized technical security baseline configurations and
certify to the COR that applications are fully functional and operate correctly as intended
on systems in compliance with VA baselines prior to acceptance or connection into an
authorized VA computing environment. If the Defense Information Systems Agency
(DISA) has created a Security Technical Implementation Guide (STIG) for the
technology, the contractor may configure to comply with that STIG. If VA determines a
new or updated VA configuration baseline needs to be created, the contractor shall
provide required technical support to develop the configuration settings. FAR 39.1
requires the population of operating systems and applications includes all listed on the
NIST National Checklist Program Checklist Repository.

h. The standard installation, operation, maintenance, updating and patching of software

shall not alter the configuration settings from VA approved baseline configuration.
Software developed for VA must be compatible with VA enterprise installer services and
install to the default “program files” directory with silently install and uninstall. The
contractor shall perform testing of all updates and patching prior to implementation on
VA systems.

i. Applications designed for normal end users will run in the standard user context without
elevated system administration privileges.

j. The contractor-delivered solutions shall reside on VA approved operating systems.

Exceptions to this will only be granted with the written approval of the COR/CO.

k. The contractor shall design, develop, and implement security and privacy controls in
accordance with the provisions of VA security system development life cycle outlined in
NIST 800-37, Risk Management Framework for Information Systems and Organizations:
A System Life Cycle Approach for Security and Privacy, VA Directive and Handbook
6500, and VA Handbook 6517.

l. The Contractor shall comply with the Privacy Act of1974 (the Act), FAR 52.224-2 Privacy
Act, and VA rules and regulations issued under the Act in the design, development, or
operation of any system of records on individuals to accomplish a VA function.

m. The contractor shall ensure the security of all procured or developed information
systems, systems, major applications, minor applications, enclaves and platform
information technologies, including their subcomponents (hereinafter referred to as

Page 68 of 79
 “Information Systems”) throughout the life of this contract and any extension, warranty,
or maintenance periods. This includes security configurations, workarounds, patches,
hotfixes, upgrades, replacements and any physical components which may be
necessary to remediate all security vulnerabilities published or known to the contractor
anywhere in the information systems (including systems, operating systems, products,
hardware, software, applications and firmware). The contractor shall ensure security
fixes do not negatively impact the Information Systems.

n. When the contractor is responsible for operations or maintenance of the systems, the
contractor shall apply the security fixes within the timeframe specified by the associated
controls on the VA Information Security Knowledge Service. When security fixes involve
installing third party patches (such as Microsoft OS patches or Adobe Acrobat), the
contractor shall provide written notice to the VA COR/CO that the patch has been
validated as to not affecting the Systems within 10 business days.

B7. INFORMATION SYSTEM HOSTING, OPERATION, MAINTENANCE OR USE

a. The contractor shall comply with all Federal laws, regulations, and VA policies for
Information systems (cloud and non-cloud) that are hosted, operated, maintained, or
used on behalf of VA at non-VA facilities. Security controls for collecting, processing,
transmitting, and storing of VA sensitive information, must be in place. The controls will
be tested by VA or a VA sanctioned 3PAO and approved by VA prior to hosting,
operation, maintenance or use of the information system or systems by or on behalf of
VA. This includes conducting compliance risk assessments, security architecture
analysis, routine vulnerability scanning, system patching, change management
procedures and the completion of an acceptable contingency plan for each system. The
contractor’s security control procedures shall be the same as procedures used to secure
VA-operated information systems.

b. Outsourcing (contractor facility, equipment, or staff) of systems or network operations,

telecommunications services or other managed services require Assessment and
Authorization (A&A) of the contractor’s systems in accordance with VA Handbook 6500
as specified in VA Information Security Knowledge Service. Major changes to the A&A
package may require reviewing and updating all the documentation associated with the
change. The contractor’s cloud computing systems shall comply with FedRAMP and VA
Directive 6517 requirements.

c. The contractor shall return all electronic storage media (hard drives, optical disks, CDs,
back-up tapes, etc.) on non-VA leased or non-VA owned IT equipment used to store,
process or access VA information to VA in accordance with A&A package requirements.
This applies when the contract is terminated or completed and prior to disposal of media.

Page 69 of 79
 The contractor shall provide its plan for destruction of all VA data in its possession
according to VA Information Security Knowledge Service requirements and NIST 800-
88. The contractor shall send a self-certification that the data destruction requirements
above have been met to the COR/CO within 30 business days of termination of the
contract.

d. All external internet connections to VA network involving VA information must be in

accordance with VA Trusted Internet Connection (TIC) Reference Architecture and VA
Directive and Handbook 6513, Secure External Connections and reviewed and
approved by VA prior to implementation. Government-owned contractor-operated
systems, third party or business partner networks require a Memorandum of
Understanding (MOU) and Interconnection Security Agreements (ISA).

e. Contractor procedures shall be subject to periodic, announced, or unannounced

assessments by VA officials, the OIG or a 3PAO. The physical security aspects
associated with contractor activities are also subject to such assessments. The
contractor shall report, in writing, any deficiencies noted during the above assessment to
the VA COR/CO. The contractor shall use VA’s defined processes to document planned
remedial actions that address identified deficiencies in information security policies,
procedures, and practices. The contractor shall correct security deficiencies within the
timeframes specified in the VA Information Security Knowledge Service.

f. All major information system changes which occur in the production environment shall
be reviewed by the VA to determine the impact on privacy and security of the system.
Based on the review results, updates to the Authority to Operate (ATO) documentation
and parameters may be required to remain in compliance with VA Handbook 6500 and
VA Information Security Knowledge Service requirements.

g. The contractor shall conduct an annual privacy and security self-assessment on all
information systems and outsourced services as required. Copies of the assessment
shall be provided to the COR/CO. The VA/Government reserves the right to conduct
assessment using government personnel or a third-party if deemed necessary. The
contractor shall correct or mitigate any weaknesses discovered during the assessment.

h. VA prohibits the installation and use of personally owned or contractor-owned equipment

or software on VA information systems. If non-VA owned equipment must be used to
fulfill the requirements of a contract, it must be stated in the service agreement, SOW,
PWS, PD or contract. All security controls required for government furnished equipment
must be utilized in VA approved Other Equipment (OE). Configuration changes to the
contractor OE, must be funded by the owner of the equipment. All remote systems must
use a VA-approved antivirus software and a personal (host-based or enclave based)

Page 70 of 79
 firewall with a VA-approved configuration. The contractor shall ensure software on OE is
kept current with all critical updates and patches. Owners of approved OE are
responsible for providing and maintaining the anti-virus software and the firewall on the
non-VA owned OE. Approved contractor OE will be subject to technical inspection at any
time.

i. The contractor shall notify the COR/CO within one hour of disclosure or successful
exploits of any vulnerability which can compromise the confidentiality, integrity, or
availability of the information systems. The system or effected component(s) need(s) to
be isolated from the network. A forensic analysis needs to be conducted jointly with VA.
Such issues will be remediated as quickly as practicable, but in no event longer than the
timeframe specified by VA Information Security Knowledge Service. If sensitive personal
information is compromised reference VA Handbook 6500.2 and Section 5, Security
Incident Investigation.

j. For cases wherein the contractor discovers material defects or vulnerabilities impacting
products and services they provide to VA, the contractor shall develop and implement
policies and procedures for disclosure to VA, as well as remediation. The contractor
shall, within 30 business days of discovery, document a summary of these vulnerabilities
or defects. The documentation will include a description of the potential impact of each
vulnerability and material defect, compensating security controls, mitigations,
recommended corrective actions, root cause analysis and/or workarounds (i.e.,
monitoring). Should there exist any backdoors in the products or services they provide to
VA (referring to methods for bypassing computer authentication), the contractor shall
provide the VA CO/CO written assurance they have permanently remediated these
backdoors.

k. All other vulnerabilities, including those discovered through routine scans or other
assessments, will be remediated based on risk, in accordance with the remediation
timelines specified by the VA Information Security Knowledge Service and/or the
applicable timeframe mandated by Cybersecurity & Infrastructure Security Agency
(CISA) Binding Operational Directive (BOD) 22-01 and BOD 19-02 for Internet-
accessible systems. Exceptions to this paragraph will only be granted with the approval
of the COR/CO.

B8. SECURITY AND PRIVACY CONTROLS COMPLIANCE TESTING, ASSESSMENT

AND AUDITING

a. Should VA request it, the contractor shall provide a copy of their (corporation’s, sole
proprietorship’s, partnership’s, limited liability company (LLC), or other business

Page 71 of 79
 structure entity’s) policies, procedures, evidence and independent report summaries
related to specified cybersecurity frameworks (International Organization for
Standardization (ISO), NIST Cybersecurity Framework (CSF), etc.). VA or its third-
party/partner designee (if applicable) are further entitled to perform their own audits and
security/penetration tests of the contractor’s IT or systems and controls, to ascertain
whether the contractor is complying with the information security, network or system
requirements mandated in the agreement between VA and the contractor.

b. Any audits or tests of the contractor or third-party designees/partner VA elects to carry

out will commence within 30 business days of VA notification. Such audits, tests and
assessments may include the following: (a): security/penetration tests which both sides
agree will not unduly impact contractor operations; (b): interviews with pertinent
stakeholders and practitioners; (c): document review; and (d): technical inspections of
networks and systems the contractor uses to destroy, maintain, receive, retain, or use
VA information.

c. As part of these audits, tests and assessments, the contractor shall provide all
information requested by VA. This information includes, but is not limited to, the
following: equipment lists, network or infrastructure diagrams, relevant policy documents,
system logs or details on information systems accessing, transporting, or processing VA
data.

d. The contractor and at its own expense, shall comply with any recommendations resulting
from VA audits, inspections and tests. VA further retains the right to view any related
security reports the contractor has generated as part of its own security assessment.
The contractor shall also notify VA of the existence of any such security reports or other
related assessments, upon completion and validation.

e. VA appointed auditors or other government agency partners may be granted access to

such documentation on a need-to-know basis and coordinated through the COR/CO.
The contractor shall comply with recommendations which result from these regulatory
assessments on the part of VA regulators and associated government agency partners.

B9. PRODUCT INTEGRITY, AUTHENTICITY, PROVENANCE, ANTI-COUNTERFEIT AND

ANTI-TAMPERING

a. The contractor shall comply with Code of Federal Regulations (CFR) Title 15 Part 7,
“Securing the Information and Communications Technology and Services (ICTS) Supply
Chain”, which prohibits ICTS Transactions from foreign adversaries. ICTS Transactions

Page 72 of 79
 are defined as any acquisition, importation, transfer, installation, dealing in or use of any
information and communications technology or service, including ongoing activities, such
as managed services, data transmission, software updates, repairs or the platforming or
data hosting of applications for consumer download.

b. When contracting terms require the contractor to procure equipment, the contractor shall
purchase or acquire the equipment from an Original Equipment Manufacturer (OEM) or
an authorized reseller of the OEM. The contractor shall attest that equipment procured
from an OEM or authorized reseller or distributor are authentic. If procurement is
unavailable from an OEM or authorized reseller, the contractor shall submit in writing,
details of the circumstances prohibiting this from happening and procure a product
waiver from the VA COR/CO.

c. All contractors shall establish, implement, and provide documentation for risk
management practices for supply chain delivery of hardware, software (to include
patches) and firmware provided under this agreement. Documentation will include chain
of custody practices, inventory management program, information protection practices,
integrity management program for sub-supplier provided components, and replacement
parts requests. The contractor shall make spare parts available. All contractor(s) shall
specify how digital delivery for procured products, including patches, will be validated
and monitored to ensure consistent delivery. The contractor shall apply encryption
technology to protect procured products throughout the delivery process.

d. If a contractor provides software or patches to VA, the contractor shall publish or provide
a hash conforming to the FIPS Security Requirements for Cryptographic Modules (FIPS
140-2 or successor).

e. The contractor shall provide a software bill of materials (SBOM) for procured (to include
licensed products) and consist of a list of components and associated metadata which
make up the product. SBOMs must be generated in one of the data formats defined in
the National Telecommunications and Information Administration (NTIA) report “The
Minimum Elements for a Software Bill of Materials (SBOM).”

f. Contractors shall use or arrange for the use of trusted channels to ship procured
products, such as U.S. registered mail and/or tamper-evident packaging for physical
deliveries.

g. Throughout the delivery process, the contractor shall demonstrate a capability for
detecting unauthorized access (tampering).

Page 73 of 79
 h. The contractor shall demonstrate chain-of-custody documentation for procured products
and require tamper-evident packaging for the delivery of this hardware.

B10. VIRUSES, FIRMWARE, AND MALWARE

a. The contractor shall execute due diligence to ensure all provided software and patches,
including third-party patches, are free of viruses and/or malware before releasing them
to or installing them on VA information systems.

b. The contractor warrants it has no knowledge of and did not insert, any malicious virus
and/or malware code into any software or patches provided to VA which could potentially
harm or disrupt VA information systems. The contractor shall use due diligence, if
supplying third-party software or patches, to ensure the third-party has not inserted any
malicious code and/or virus which could damage or disrupt VA information systems.

c. The contractor shall provide or arrange for the provision of technical justification as to
why any “false positive” hit has taken place to ensure their code’s supply chain has not
been compromised. Justification may be required, but is not limited to, when install files,
scripts, firmware, or other contractor-delivered software solutions (including third-party
install files, scripts, firmware, or other software) are flagged as malicious, infected, or
suspicious by an anti-virus vendor.

d. The contractor shall not upload (intentionally or negligently) any virus, worm, malware or
any harmful or malicious content, component and/or corrupted data/source code
(hereinafter “virus or other malware”) onto VA computer and information systems and/or
networks. If introduced (and this clause is violated), upon written request from the VA
CO, the contractor shall:

(1) Take all necessary action to correct the incident, to include any and all
assistance to VA to eliminate the virus or other malware throughout VA’s
information networks, computer systems and information systems; and
(2) Use commercially reasonable efforts to restore operational efficiency and
remediate damages due to data loss or data integrity damage, if the virus or
other malware causes a loss of operational efficiency, data loss, or damage to
data integrity.

B11. CRYPTOGRAPHIC REQUIREMENT

Page 74 of 79
 a. The contractor shall document how the cryptographic system supporting the contractor’s
products and/or services protect the confidentiality, data integrity, authentication and
non-repudiation of devices and data flows in the underlying system.

b. The contractor shall use only approved cryptographic methods as defined in FIPS 140-2
(or its successor) and NIST 800-52 standards when enabling encryption on its products.

c. The contractor shall provide or arrange for the provision of an automated remote key-
establishment method which protects the confidentiality and integrity of the cryptographic
keys.

d. The contractor shall ensure emergency re-keying of all devices can be remotely
performed within 30 business days.

e. The contractor shall provide or arrange for the provision of a method for updating
cryptographic primitives or algorithms

B12. PATCHING GOVERNANCE

a. The contractor shall provide documentation detailing the patch management,

vulnerability management, mitigation and update processes (to include third-party) prior
to the connection of electronic devices, assets or equipment to VA’s assets. This
documentation will include information regarding the follow:.

(1) The resources and technical capabilities to sustain the program or process (e.g.,
how the integrity of a patch is validated by VA); and.

(2) The approach and capability to remediate newly reported zero-day vulnerabilities
for contractor products.

b. The contractor shall verify and provide documentation all procured products (including
third-party applications, hardware, software, operating systems, and firmware) have
appropriate updates and patches installed prior to delivery to VA.

Page 75 of 79
 c. The contractor shall provide or arrange the provision of appropriate software and
firmware updates to remediate newly discovered vulnerabilities or weaknesses for their
products and services within 30 days of discovery. Updates to remediate critical or
emergent vulnerabilities will be provided within seven business days of discovery. If
updates cannot be made available by contractor within these time periods, the contractor
shall submit mitigations, methods of exploit detection and/or workarounds to the
COR/CO prior to the above deadlines.

d. The contractor shall provide or arrange for the provision of appropriate hardware,
software and/or firmware updates, when those products, including open-source
software, are provided to the VA, to remediate newly discovered vulnerabilities or
weaknesses. Remediations of products or services provided to the VA’s system
environment must be provided within 30 business days of availability from the original
supplier and/or patching source. Updates to remediate critical vulnerabilities applicable
to the Contractor’s use of the third-party product in its system environment will be
provided within seven business days of availability from the original supplier and/or
patching source. If applicable third-party updates cannot be integrated, tested and made
available by Contractor within these time periods, mitigations and/or workarounds will be
provided to the COR/CO before the above deadlines.

B13. SPECIALIZED DEVICES/SYSTEMS (MEDICAL DEVICES, SPECIAL PURPOSE

SYSTEMS, RESEARCH SCIENTIFIC COMPUTING)

a. Contractor supplies/delivered Medical Devices, Special Purpose Systems-Operational

Technology (SPS-OT) and Research Scientific Computing Devices shall comply with all
applicable Federal law, regulations, and VA policies. New developments require
creation, testing, evaluation, and authorization in compliance with processes specified
on the Specialized Device Cybersecurity Department Enterprise Risk Management
(SDCD-ERM) Portal, VA Directive 6550, Pre-Procurement Assessment and
Implementation of Medical Devices/Systems, VA Handbook 6500, and the VA
Information Security Knowledge Service. Deviations from Federal law, regulations, and
VA Policy are identified and documented as part of VA Directive 6550 and/or the VA
Enterprise Risk Analysis (ERA) processes for Specialized Devices/Systems processes.

b. All contractors and third-party service providers shall address and/or integrate applicable
VA Handbook 6500 and Information Security Knowledge Service specifications in
delivered IT systems/solutions, products and/or services. If systems/solutions, products
and/or services do not directly match VA security requirements, the contractor shall work
though the COR/CO for governance or resolution.

Page 76 of 79
c. The contractor shall certify to the COR/CO that devices/systems that have completed
the VA Enterprise Risk Analysis (ERA) process for Specialized Devices/Systems are
fully functional and operate correctly as intended. Devices/systems must follow the VA
ERA authorized configuration prior to acquisition and connection to the VA computing
environment. If VA determines a new VA ERA needs to be created, the contractor shall
provide required technical support to develop the configuration settings. Major changes
to a previously approved device/system will require a new ERA.

d. The contractor shall comply with all practices documented by the Food Drug and
Administration (FDA) Premarket Submission for Management of Cybersecurity in
Medical Devices and Postmarket Management of Cybersecurity in Medical Devices.

e. The contractor shall design devices capable of accepting all applicable security patches
with or without the support of the contractor personnel. If patching can only be
completed by the contractor, the contractor shall commit the resources needed to patch
all applicable devices at all VA locations. If unique patching instructions or packaging is
needed, the contractor shall provide the necessary information in conjunction with the
validation/testing of the patch. The contractor shall apply security patches within 30
business days of the patch release and have a formal tracking process for any security
patches not implemented to include explanation when a device cannot be patched.

f. The contractor shall provide devices able to install and maintain VA-approved antivirus
capabilities with the capability to quarantine files and be updated as needed in response
to incidents. Alternatively, a VA-approved whitelisting application may be used when the
contractor cannot install an anti-virus / anti-malware application.

g. The contractor shall verify and document all software embedded within the device does
not contain any known viruses or malware before delivery to or installation at a VA
location.

h. Devices and other equipment or systems containing media (hard drives, optical disks,
solid state, and storage via chips/firmware) with VA sensitive information will be returned
to the contractor with media removed. When the contract requires return of equipment,
the options available to the contractor are the following:

(1) The contractor shall accept the system without the drive, firmware and solid
state.

(2) VA’s initial device purchase includes a spare drive or other replacement media
which must be installed in place of the original drive at time of turn-in; or

Page 77 of 79
 (3) Due to the highly specialized and sometimes proprietary hardware and software
associated with the device, if it is not possible for VA to retain the hard drive,
firmware, and solid state, then:

(a) The equipment contractor shall have an existing BAA if the device being
traded in has sensitive information stored on it and hard drive(s) from the
system are being returned physically intact.

(b) Any fixed hard drive, Complementary Metal-Oxide-Semiconductor

(CMOS), Programmable Read-Only Memory (PROM), solid state and
firmware on the device must be non-destructively sanitized to the greatest
extent possible without negatively impacting system operation. Selective
clearing down to patient data folder level is recommended using VA
approved and validated overwriting technologies/methods/tools.
Applicable media sanitization specifications need to be pre-approved and
described in the solicitation, contract, or order.

B14. DATA CENTER PROVISIONS

a. The contractor shall ensure the VA network is accessed by in accordance with VA

Directive 6500 and IAM security processes specified in the VA Information Security
Knowledge Service.

b. The contractor shall ensure network infrastructure and data availability in accordance
with VA information system business continuity procedures specified in the VA
Information Security Knowledge Service.

c. The contractor shall ensure any connections to the internet or other external networks
for information systems occur through managed interfaces utilizing VA approved
boundary protection devices (e.g., internet proxies, gateways, routers, firewalls, guards
or encrypted tunnels).

d. The contractor shall encrypt all traffic across the segment of the Wide Area Network
(WAN) it manages and no unencrypted Out of Band (OOB) Internet Protocol (IP) traffic
will traverse the network.

Page 78 of 79
e. The contractor shall ensure tunnel endpoints are routable addresses at each VA
operating site.

f. The contractor shall secure access from Local Area Networks (LANs) at co-located sites
in accordance with VA TIC Reference Architecture, VA Directive and Handbook 6513,
and MOU/ISA process specified in the VA Information Security Knowledge Service.

Page 79 of 79