Aria Software and Peripheral System Upgrade

Agency: VETERANS AFFAIRS, DEPARTMENT OF
Level of Government: Federal
Category:
  • D - Automatic Data Processing and Telecommunication Services
Opps ID: NBD00159109408664072
Posted Date: Nov 25, 2022
Due Date: Nov 28, 2022
Solicitation No: 36C26223Q0193
Source: https://sam.gov/opp/dd1b8414d2...
Contract Opportunity (Active)
  • Notice ID: 36C26223Q0193
  • Related Notice:
  • Department/Ind. Agency: VETERANS AFFAIRS, DEPARTMENT OF
  • Sub-tier: VETERANS AFFAIRS, DEPARTMENT OF
  • Office: 262-NETWORK CONTRACT OFFICE 22 (36C262)
General Information
  • Contract Opportunity Type: Combined Synopsis/Solicitation (Original)
  • All Dates/Times are: (UTC-08:00) PACIFIC STANDARD TIME, LOS ANGELES, USA
  • Original Published Date: Nov 25, 2022 01:48 pm PST
  • Original Date Offers Due: Nov 28, 2022 04:00 pm PST
  • Inactive Policy: 15 days after date offers due
  • Original Inactive Date: Dec 13, 2022
  • Initiative:
    • None
Classification
  • Original Set Aside:
  • Product Service Code: DA10 - IT AND TELECOM - BUSINESS APPLICATION/APPLICATION DEVELOPMENT SOFTWARE AS A SERVICE
  • NAICS Code:
    • 513210 - Software Publishers
  • Place of Performance:
    Los Angeles, CA 90073
    USA
Description

STATEMENT OF WORK





1. BACKGROUND





The Department of Radiation Oncology at VAGLAHS uses two main applications to deliver radiation therapy in the Radiation Oncology Service: Eclipse, for generating 3D radiation treatment plans, and Aria, for treatment record/verify and other department management tasks. Moreover, this software is uniquely able to interface with the treatment machines used here (and at nearly all VA facilities), so it is not replaceable via another software option. These are the “industry standard.” Unfortunately, both pieces of software have been declared obsolete by OIT since 2017. We have long since requested upgrades to the current version (v.17), and the software upgrade request was approved and funded. However, due to a new VA cyber security requirement, version (v.17) needs to be run on a network hosting system, known as FullScale On-Premise, separate from the hospital network. In addition, the department has been alerted to Microsoft discontinuing technical assistance, automatic updates, and security updates for workstations running Windows 7, which will affect the version currently in use by the department. The issue is that this software requirement is not compliant with the security requirements as per VA HTM and Special Device Security Division (SDSD).





2. ASSESSMENT





Aria and Eclipse upgrades are essential for the functioning of the service. If there are software glitches and/or hardware crashes, our ability to provide care will be compromised. The current software versions cannot be reinstalled because they are not supported and are obsolete. Moreover, we are unable to install new modules that have been purchased in the past few years to provide better service quality and safety to Veterans. They cannot be installed without the version upgrade. This situation is not unique to VA GLA Radiation Oncology Service – it applies to Radiation Oncology Services throughout VA. Patient care and service quality for veterans will be severely impacted if Varian Aria is not upgraded. This request is extremely critical for the Radiation Oncology clinical operation. Since our current version of Aria is not being serviced, should there be any data issue, the clinical service will be jeopardized.





3. WHAT IS NEEDED?





VAGLAHS-Department of Radiation Oncology uses Varian’s Aria as its management, treatment verification and record system. The current version, i.e. v11, is declared obsolete, and Radiation Oncology was informed by Varian Medical Systems concerning discontinuation of support and maintenance of ARIA oncology information system version 11. Due to a new VA cyber security requirement, the new version (v.17) needs to be run on a network hosting system, known as FullScale On-Premise, separate from the hospital network. This request includes the build of the FullScale (hardware), the Aria software upgrade, and a 5-year service contract which includes a combination of leasing hardware and access to proprietary software. Full Scale Infrastructure and support for: 2 Linear Accelerators, 31 ARIA RO Users, 10 Planning Users, 9 Calc Eclipse Users, 6 GPU FAS Servers Hosted, Default Data Protection NON-CLINICAL SYSTEM SUPPORT, non-clinical T-Box System (includes Citrix support for up to 5 users) and 1 Non Clinical FAS Server and hosted in On-Premise Data Center.



This is an Anti-Obsolescence of the FullScale hardware and software. It is understood and agreed by both Parties that the Software hosted on FullScale must be licensed and purchased separately. Varian Medical Systems shall provide routine preventative and corrective maintenance in order to ensure optimal working condition and lessen the likelihood of down time. The FullScale system will be hosted in an On-Premise Data Center. This requirement includes Weekday Normal Business Hours from 6AM-6PM Monday through Friday, January 1, 2023 to December 31, 2027.





Varian Medical Systems has a dedicated VPN connection that allows the OEM to remotely connect into the FullScale system to diagnose user-specified issues, push security patches, allow for error log retrieval, and assist users and service engineers from a remote location. Varian Medical Systems currently has a National BAA in place.





Length of Contract: 5



FullScale System Summary:



FullScale Infrastructure and Support for (Software listed below licensed separately):



2 Total Linacs • 31 ARIA RO Users • 10 Planning Users • 9 Calc Eclipse Users • 6 GPU FAS Servers Hosted • Default Data Protection NON-CLINICAL SYSTEM SUPPORT • Non Clinical T-Box System (Includes Citrix support for up to 5 Users) • and 1 Non Clinical FAS Server • Hosted in On-Premise Data Center





4. PREREQUISITES, CUSTOMER RESPONSIBILITIES AND ACKNOWLEDGEMENT



- Varian and Varian-partner software licenses to be implemented in the Varian FullScale On-Premise solution



- ARIA and Eclipse prerequisites as defined in applicable product descriptions



- For customers with ARIA Disease Management, ensure prerequisites are met (for example, Microsoft Word licensing for End Users).





Customer Responsibilities:



• Network connectivity: 1 Gbps LAN and 20 Mbps WAN connection with appropriate IP addresses and connections.



• Power, cooling, and access to the system location based on system requirement.



• One external IP address assigned to Varian System's Citrix Secure Gateway Server.



• Minimum of 8 internal IP addresses.



• One-Way Domain Trust from customer domain to Varian domain for user authentication.



• New zone with DNS records.



• External DNS A-Record entries on the customer's External domain to point to the Varian System's Citrix Secure Gateway Server via external IP address assigned to Varian (example: "varian.customerdomain.com")



• External signed/trusted SSL certificate assigned to external DNS A-Record for Varian System's Citrix Secure Gateway Server



• Secured connection for Remote System Monitoring



• Client-side thin clients or workstations that meet Varian's minimum specifications. (see www.varian.com/oncology/products/software/information-systems/aria-ois-radiation-oncology?cat=resources#hardwarespecs)



Customer Acknowledgement:




  • Customer acknowledges that Varian and its licensors will retain all right, title, and interest in and to the products, all technology, inventions and pre-existing content incorporated in the products and Services provided under this Agreement, including all derivative works, modifications, and enhancements to them (including database structures), and all intellectual property rights in any of the foregoing (excluding any Customer Data and Customer’s Confidential Information). Customer acknowledges that Varian will retain all right, title, and interest to transactional and performance data (exclusive of Customer Data and Customer’s Confidential Information) related to use of the products and Services and is permitted to use this data for its business purposes (including use optimization and product marketing) provided that such use does not reveal the identity of a Customer, any Customer employee, supplier, or patient, or specific use characteristics that may be identified to a Customer.




  • Customer acknowledges and agrees that the Services may not be accessed except by authorized personnel using secure authentication methodologies, including but not limited to user specific passwords. Customer shall be solely responsible for the security of the information required for user authentication including passwords issued by Customer to each of its permitted users. Customer is entirely responsible for all activity occurring under its permitted users’ user IDs and passwords or security codes related to authentication and shall abide by all applicable local, state, national, and foreign laws, treaties, and regulations in connection with the use of the Services, including those related to data privacy, international communications, and the transmission of technical or personal data. Customer agrees to promptly notify Varian of any unauthorized use of Customer’s accounts or any other breach of security known to Customer or its permitted users, including compromised passwords or authentication information. Varian may, in its sole discretion, immediately terminate a permitted user’s access to the Services if Customer’s or its permitted user’s conduct fails to conform to this Section. Customer shall have sole responsibility for the accuracy, quality, integrity, legality, reliability, appropriateness, and intellectual property ownership or right to use of all Customer Data and its Confidential Information. To the extent permitted by applicable law, Customer agrees to defend, indemnify, and hold Varian harmless from and against any and all claims and liabilities, including reasonable attorneys' fees, related to or arising from (i) all conduct and activities occurring under Customer’s user ID and authentication passwords; (ii) any defamatory, libelous, or illegal material contained within the Customer Data and Customer’s Confidential Information; (iii) any claim or contention that the Customer Data and Customer’s Confidential Information infringes any third party's patent, copyright, or other intellectual property rights or violates any third party's rights of privacy or publicity.






  • Customer shall retain all right, title, and interest (including any and all intellectual property rights) in and to the Customer Data. Customer agrees, however, that Varian and its suppliers (including their respective subcontractors) may access and use Customer Data for processing, providing, distributing, displaying, managing, administrating, modifying, performing, supporting and enhancing the products and Services or to carry out legal responsibilities of Varian. Varian and its suppliers will store Customer Data in a physically and logically secure environment that reasonably protects it from unauthorized access, modification, theft, misuse, and destruction. Without limiting the generality of the provisions of this section, Varian and its suppliers will take reasonable measures to secure and defend its Services location and equipment against “hackers” and others who may seek, without authorization, to modify or access the environment or the information found in such environment without the consent of Customer or Varian. Varian and its suppliers will periodically test the Services environment for potential areas where security could be breached. Varian will report to Customer promptly any breaches of security or unauthorized access to Customer Data on Varian’s (or its supplier’s) systems which Varian detects or of which it becomes aware. Varian will use diligent efforts to remedy such breach of security or unauthorized access in a timely manner. If Customer has purchased FullScale On-Premise Managed Services, Customer will be responsible for the physical security of the FullScale hardware environment within their facility.






  • Customer warrants and represents and assumes sole responsibility for ensuring that due notice is given to, and that sufficient consent is obtained from, all relevant persons or entities, including without limitation patients, regarding the use and disclosure of Customer Data under this Agreement. Customer represents and warrants to Varian: (a) that Customer has and shall retain during the term of this Agreement sufficient rights and patient consent with respect to Customer Data to authorize Varian to grant the licenses and other rights contemplated by this Agreement and for Varian to provide and support the products and Services in the manner contemplated under this Agreement; and (b) Customer shall comply with applicable privacy and similar laws. The Customer shall remain the controller of the Customer Data.





5. CONTRACTOR RESPONSIBILITIES





Contractor shall service and maintain equipment located at VA Greater Los Angeles Healthcare Center at West Los Angeles.





FullScale - On-Premise Services



FullScale On-Premise Services provides all services required to deploy the Varian software solution on premise



Features:



• System components and licensing for Varian FullScale On-Premise solution



• Installation, configuration, and deployment of Varian FullScale On-Premise solution



• Backup and snapshot management



• Antivirus software



• Hardware and system software support to include:



• Remote System Monitoring



• Hardware and Firmware maintenance



• Infrastructure software upgrades



• 510(k) approved Treatment Calculation Platform



• Anti-Obsolescence of hardware and system software to ensure Varian software is kept at required performance level





It is required that service personnel are factory trained and certified on the Varian Medical Systems FullScale equipment. Training and certification documentation must be provided to the Contracting Officer’s Representative (COR), upon execution of the contract. This documentation is to remain on file with the COR.





Uptime: Uptime will be calculated using the following definitions:




  • Start Date: Measurement of uptime shall begin on the first calendar day of the first full month following the Commencement Date

  • Scheduled Downtime: The actual amount of time the FullScale Services are unavailable for use per agreement with the Customer for operational considerations such as planned maintenance described in Planned Maintenance section

  • Available Time: The total number of minutes the FullScale Services are available through a monthly period during Normal Business Hours minus agreed exclusions, such as Scheduled Downtime

  • System Downtime: The period of time during which the FullScale Services are completely unavailable during Normal Business Hours. System Downtime does not include (i) problems caused by factors outside Varian’s reasonable control, (ii) problems resulting from any action or inaction by Customer or any third party, (iii) problems resulting from Customer’s equipment or third party equipment not within Varian’s sole control, (iv) network unavailability or (v) Scheduled Downtime.

  • Uptime Calculation = [Available Time – System Downtime] x 100% / [Available Time]

  • Uptime: The guaranteed uptime for the FullScale Services will be 99%, covering Normal Business Hours, measured on a monthly basis.

  • Remedy: Notwithstanding anything to the contrary in this Agreement, in the event that the Uptime Service Level is not met in any three (3) consecutive months, or in any four (4) months in any twelve (12) consecutive month period (each, an “Uptime Service Level Failure”), then Customer will have the one-time right to terminate this Agreement upon thirty (30) days prior written notice to Varian, subject to such notice being received by Varian within thirty (30) days of the occurrence of the Uptime Service Level Failure. The remedy set forth in this section is Customer’s sole remedy for any and all unavailability of the FullScale Services.

  • Varian shall furnish data on its compliance with the uptime guarantee within ten (10) business days on customer demand.





Planned Maintenance: Varian reserves the right to perform regularly scheduled Maintenance in accordance with a mutually agreed upon schedule. The parties agree to negotiate in good faith for a different Maintenance time if the regularly scheduled maintenance period interferes with Customer’s use of the Services. Maintenance that occurs outside of this time frame will not be considered Scheduled Downtime for purposes of calculating Uptime unless agreed to in advance by Customer. Planned Maintenance may prevent the Services from being accessed or used by Customer and its permitted users during this time period. Customer may request that maintenance on its version of the software within FullScale environment be conducted during a specific time frame within the period of time allocated for planned Maintenance of the FullScale Service and Varian will make reasonable efforts to accommodate any such request. Planned Maintenance shall also include agreed upon Maintenance periods for installation of workarounds, patches, updates, upgrades, and other major Maintenance events of either the FullScale Service or the software within FullScale environment mutually agreed to by the parties in advance. Planned Maintenance will be announced not less than twenty-four (24) hours in advance to the Relationship Manager via email.





Exclusions:




  • Service which becomes necessary due to: (i) failure of computer hardware or equipment or programs not under Varian’s or its subcontractor’s control; or (ii) negligent or intentional misuse of the software within FullScale environment or FullScale Services by Customer and its permitted users; and

  • Services performed at the Customer's site (other than fee-based Installation Services) unless the parties mutually agree otherwise in writing.





Data Backup: The following default backup frequency and retention policies are provided as part of the FullScale Services, unless otherwise negotiated:




  • Hourly: A snapshot of the production data will be made every hour and retained for at least twenty-four (24) hours

  • Daily: A snapshot of the production data will be made daily and retained for seven (7) days.

  • Weekly: A snapshot of the production data will be made weekly and retained for four (4) weeks. Furthermore, the weekly backups will be encrypted with at least AES 128 bit methodology. For Customers purchasing FullScale Cloud Managed Services, the weekly backups will be transferred to a secure offsite location to account for major disaster events. Customers purchasing FullScale On-Premise Managed Service will receive in-rack backups. To enable remote backups, FullScale On-Premise Managed Service customers will need to provide a secondary secure site location and will be responsible for ensuring availability and monitoring of their equipment. For backup failures resulting from Customer failed equipment, Varian will notify Customer and wait until Customer resolves the issues.





Disaster Recovery: Varian divides disasters into 2 major categories: Within Site Failure and Site Failure. Within Site Failure events are events where one or more software or hardware components fail within the solution / data center. A Site Failure event is an event where the entire data center goes offline. For both of these scenarios, Varian provides some core return to operation guarantees and purchasable high availability guarantees. Return to operation means that the infrastructure required to support Varian software is available to the end user. Reconnection and use of the attached treatment machines may require clinical validation and is outside of the stated times.




  • Recovery Point Objective is defined by business continuity planning. It is the maximum tolerable period in which data might be lost from an IT service due to a major incident

  • Recovery Time Objective is the targeted duration of time and a service level within which a business process must be restored after a disaster (or disruption) in order to avoid unacceptable consequences associated with a break in business continuity.















Disaster Objectives

Service Offering   Failure Type               RTO        RPO        Standard/Optional
CLOUD              WITHIN SITE                4 HOURS    1 HOUR     STANDARD
CLOUD              SITE-STANDARD RECOVERY     14 DAYS    24 HOURS   STANDARD
                   SITE-BUSINESS CONTINUITY   4 DAYS     24 HOURS   Purchasable Option
                   SITE-HIGH AVAILABILITY     4 HOURS    24 HOURS   Purchasable Option
On Premise         Within Site                6 hours    1 hour     STANDARD
On Premise         SITE-STANDARD RECOVERY     60 DAYS    24 HOURS   STANDARD
                   SITE-BUSINESS CONTINUITY   4 DAYS     24 HOURS   Purchasable Option
                   SITE-HIGH AVAILABILITY     4 HOURS    2 HOURS    Purchasable Option





Exclusions: Disaster Recovery services do not account for activity / personnel / equipment provided by the customer





Monitoring: The third party software and all equipment supplied as part of the service offering are continuously monitored on a 24x7 basis for health and performance, and Varian engineers are on-call to resolve any incidents identified during this continuous monitoring. Varian shall promptly notify Customer of any activity performed on the service offering during Normal Business Hours that may impact the operation of the software within FullScale environment. Outside of Normal Business Hours, Varian will attempt to rectify any such incidents using all due diligence such that the impact on the operation of the software within FullScale environment is minimized during the Normal Business Hours and will promptly notify the Customer at the next opportunity.





Reports: As part of management of the service offering Varian will provide the Customer standard reports on demand with regards to availability and reported issues.





Operational Support: Operational support will begin on the Commencement Date. The following are provided for the Services for the duration of the term of the contract:




  • Ongoing Maintenance of any hardware and software provided as part of the Services (excluding support for the software within the FullScale environment which must be covered under a separate support agreement).

  • Monitoring of the Services for Uptime, Availability and Incident Management – Reacting to and addressing events which are not part of the standard operation of the Service and which may cause an interruption to, or a reduction in the quality of, that Service.

  • Problem Management – Provide workaround / solutions to one or more existing or potential incident(s).





Service Change Requests: The Customer may place Service Change Requests (“SCR”) with Varian which may make material or non-material changes to the implementation of the covered Service. The primary goal of an SCR is to ensure that any changes to either the Service or the Customer environment are properly coordinated to ensure no loss of performance or availability of the software within FullScale environment or the Services. The procedure for handling an SCR is defined below:




  • The party requesting the change will deliver a Service Change Request to the other party.

  • The SCR will describe the nature and reason for the change.

  • Varian will identify the effect the change may have on the operational functions of the Services.

  • Varian and the Customer will evaluate the SCR and negotiate in good faith the changes to the Services including any additional charges, if any, required to implement the SCR. However, Varian is not obligated to implement the SCR if in Varian's judgment the impact of the SCR may lead to a deleterious effect on performance or availability of the software within FullScale environment or the Services.

  • If both Parties agree to implement the SCR, the appropriate authorized representative of the parties will sign the SCR, indicating the acceptance of the changes by both parties.

  • Upon execution of the SCR, any changes to the software within FullScale environment or the Services initiated by such SCR will be incorporated into, and made part of, the change log for the covered product.





Storage Guarantee: Free storage availability for use by the Varian software via normal application usage shall be guaranteed during the Term. Normal application usage is identified as usage of the software for the purposes of performing treatments of cancer patients, and it is not meant to restrict in any way the Customer's choices with regards to treatment modality or options, but simply to ensure that the data storage provided is for use by the software within FullScale environment. It does not include guarantees of storage for any third party systems unless otherwise agreed to by the parties. Varian will actively monitor storage usage to ensure that the storage is sufficient and add storage as necessary such that the use of the software within FullScale environment will not be impacted. From time-to-time Varian may need to work with the Customer on removing potentially temporary files that can be deleted from the system. At no time will Varian remove files from the system related to E-PHI data that the Customer does not agree can be removed.





Hardware non-Obsolescence: Physical compute and network resources will be sufficient for the normal operation of the software within FullScale environment regardless of the version installed. This does not apply to potential required increases due to additional users / user-type or additional purchasable software being installed within FullScale Services





System Updates: Updates of the firmware, operating systems, and any third party software used to supply the Services or for the purposes of maintaining compatibility with the software within FullScale environment are included at no extra charge and specifically do not require any additional or new software usage fees, maintenance fees, or other fees.





Other Exclusions: Unless otherwise negotiated by the parties, Varian's FullScale offering does not include any networking equipment or the telecommunications line(s) required to connect the Customer facilities to the FullScale offering. Customers are responsible for obtaining appropriate networking equipment and telecommunications line(s).




  • FullScale Cloud Managed Services: Varian supports two (2) methods of connecting to the FullScale Cloud Managed Services; specifically VPN over the public internet or a private line (MPLS or point-to-point connection) over a Trusted Provider network. Both methods must have sufficient bandwidth to meet the Customer's specific deployment which is dependent on several factors of the software within FullScale environment to be determined at time of implementation (including number of supported linear accelerators, number of users, and type of software within FullScale environment). Varian recommends that these two connection methodologies be used in tandem, as a minimum, such that the private line is the primary connection method and the VPN is the secondary connectivity method should interruptions occur.

  • FullScale On-Premise Managed Service: Varian expects Customer to facilitate the necessary access to the On-Premise Managed Services FullScale environment to authorized Varian personnel to support operations.





6. SCHEDULED MAINTENANCE:





The Contractor shall perform preventive maintenance service to ensure that equipment listed in the schedule performs in accordance with Section 5. The contractor shall provide and utilize procedures and checklists with worksheet originals indicating work performed and actual values obtained (as applicable) provided to the COR at the completion of the preventive maintenance. Preventive maintenance services shall include, but need not be limited to, the following: Proactive event management, customer calls, repairs, workarounds, patches, bug fixes, updates, and upgrades of hardware and software to the virtualized environment used to deliver On-Premise Managed Services.





7. PARTS:





The contractor has ready access to unique and/or high mortality replacement parts. All parts supplied shall be OEM or equivalent and fully compatible with existing equipment. The contract invoice shall include all parts. The contractor shall use new or like new parts. Parts being replaced for accidental damage, customer abuse or consumables (including but not limited to batteries) are not covered under this contract. Vendor will notify Contracting Officer to attain approval and separate PO prior to replacement.





8. DOCUMENTATION/REPORTS





The documentation will include detailed descriptions of the scheduled and unscheduled maintenance procedures performed, including replaced parts and prices (for outside normal working hour services) required to maintain the equipment in accordance with conformance standards. Such documentation shall meet the guidelines as set forth in the Conformance Standards Section. In addition, each service report must at a minimum document the following data legibly and in complete detail:





A. Name of Contractor.





B. Name of field service representative who performed services.





C. Contractor Service field service number/Log Number.





D. Date, Time (starting and ending), Equipment Downtime and Hours-On-Site for Service call.





E. VA PO#(s) covering the call, if outside normal working hours.





F. Description of Problem Reported by COR/User.





G. Identification of Equipment to be serviced:





INV. ID# Manufacturer’s Name, Device Name, Model #, Serial #, and any other Manufacturer’s identification #s.





H. Itemized Description of Service Performed (including Costs associated with after normal working hour services), including:





Labor and Travel, Parts (with part #s) and Materials and Circuit location of problem/corrective action.





I. Total Cost to be billed.





J. Signatures:





1. FSE performing services described.





2. VA Employee who witnessed service described.





K. Equipment downtime





NOTE: ANY ADDITIONAL CHARGES CLAIMED MUST BE APPROVED BY THE COR BEFORE SERVICE IS COMPLETED.







9. REPORTING REQUIREMENTS:





The contractor shall be required to report to Biomedical Engineering to log in. This check in is mandatory. When the service is completed, the FSE shall document services rendered on a legible FSR(s). The FSE shall be required to log out with Biomedical Engineering and submit the FSR(s) to the COR. All FSRs shall be submitted to the equipment user for an “acceptance signature” and to the COR for an “authorization signature”. If the COR is unavailable, a signed, authorized copy of the FSR will be sent to the COR after the work which can be reviewed (if requested or noted on the FSR).





10. LIQUIDATED DAMAGES:





A. Contractor shall be liable to the Government for losses of production due to significant equipment downtime. Significant equipment downtime is that which exceeds ten (10) hours/month. Records regarding downtime will be kept by the COR and the maintenance contractor.





B. Equipment downtime is calculated only from those normal hours of coverage that the scheduled equipment is not fully operational. Downtime will begin when the contractor is required to be on site (see Unscheduled Maintenance Section response time definition), after notification by the CO, COR, or designated alternate. Downtime will accumulate until the scheduled equipment is returned to full and usual operation and accepted as such by the CO, COR or designated alternate. This does not include scheduled maintenance for PM purposes. Refusal of access to the equipment indicates that the unit is up and running and this time will not be considered when determining downtime. Refusal of access to the equipment voids the service call.





C. If downtime exceeds Sixteen (16) consecutive hours, the CO may exercise the option to hire an alternate source to resolve the problem. The decision to exercise this alternative will reside exclusively with the CO. All fees generated by the alternate Contractor(s) will be handled in accordance with the Default clause.





D. Monies will be subtracted from the contract if the contractor fails to meet the up-time requirements using the following formula:





MONTHLY DOWNTIME        MONIES

10-11 HOURS/MONTH       0%
12-13 HOURS/MONTH       20%
14-15 HOURS/MONTH       40%
16-17 HOURS/MONTH       60%
18-19 HOURS/MONTH       80%
20+ HOURS/MONTH         100%





These will be computed for monthly dollar totals.







11. PAYMENT:





Invoices will be paid in arrears on a monthly basis. Invoices will be uploaded electronically via Tungsten Network per VA requirements.





The paying office is: VA Finance Service Center (FSC), P.O. Box 149971, Austin, TX 78714.



https://www.tungsten-network.com/customer-campaigns/veteransaffairs/





INVOICE REQUIREMENTS. Payments will be made by the VA, paid directly to the contractor, in accordance with the Prompt Payment Act. Invoices shall be submitted electronically to the FSC in Austin, Texas. To constitute a proper invoice, the invoice must include the following information and/or attached documentation:





Name of business concern and invoice date.



Contract number.



Purchase Order number.



Price, payment terms and any discounts, rebates or concessions that apply.



Delivery terms (FOB Destination).





12. ADDITIONAL CHARGES:





There will be no additional charge for time spent on the site during or after the normal hours of coverage awaiting the arrival of additional FSE and/or delivery of parts.





13. REPORTING REQUIRED SERVICES BEYOND THE CONTRACT SCOPE:





The Contractor shall immediately, but not later than 24 consecutive hours after discovery, notify the CO and COR (in writing) of the existence or the development of any defects in, or repairs required to, the scheduled equipment which the Contractor considers he/she is not responsible for under the terms of the contract. The contractor shall furnish the CO and COR with a written estimate of the cost to make necessary repairs.





14. CONDITION OF EQUIPMENT:





The Contractor accepts responsibility for the equipment in “as is” condition. Failure to inspect the equipment prior to contract award will not relieve the contractor from performance of the requirements of this contract.





15. COMPETENCY OF PERSONNEL SERVICING EQUIPMENT:





A. Each respondent must have an established business, with an office and full time staff. The staff includes a “fully qualified” FSE and a “fully qualified” FSE who will serve as the backup.





B. “Fully Qualified” is based upon training and on experience in the field. For training, the FSE(s) has successfully completed a formalized training program for the equipment identified. For field experience, the FSE(s) has a minimum of two (2) years’ experience with respect to scheduled and unscheduled preventive and remedial maintenance.





C. The FSEs shall be authorized by the contractor to perform the maintenance services. “Fully Qualified” competent FSEs shall perform all work. The contractor shall provide written assurance of the competency of their personnel and a list of credentials of approved FSEs for each make and model the contractor services at the VAMC. The CO may authenticate the training requirements, request training certificates or credentials from the contractor at any time for any personnel who are servicing or installing any VAMC equipment. The CO and/or the COR specifically reserve the right to reject any of the contractor’s personnel and refuse them permission to work on the VAMC equipment.





D. If subcontractor(s) are used, they must be approved by the CO; the contractor shall submit any proposed change in subcontractor(s) to the CO for approval/disapproval.





16. TEST EQUIPMENT:





Prior to commencement of work on this contract, the contractor shall provide the VAMC with a copy of the current calibration certification of all test equipment, which is to be used by the contractor on VAMC’s equipment. This certification shall also be provided on a periodic basis when requested by the VAMC. Test equipment calibration shall be traceable to a national standard.





17. INSURANCE:





A. Worker compensation and employer’s liability. Contractors are required to comply with applicable Federal and State Worker Compensation and occupational disease statutes.



B. General Liability. Contractors are required to have Bodily Injury liability insurance coverage written on the comprehensive form of policy of at least $500,000 per occurrence.



C. Property Damage Liability. Contractors are required to have Property Damage Liability insurance coverage of at least $500,000.





18. CONTRACTOR PERSONNEL SECURITY REQUIREMENTS:





All Contractor employees who require access to the Department of Veterans Affairs’ computer systems shall be the subject of a background investigation and must receive a favorable adjudication from the VA Office of Security and Law Enforcement prior to contract performance. This requirement is applicable to all subcontractor personnel requiring the same access. If the investigation is not completed prior to the start date of the contract, the Contractor will be responsible for the actions of those individuals they provide to perform work for VA.





VAAR 852.273-75 SECURITY REQUIREMENTS FOR UNCLASSIFIED INFORMATION TECHNOLOGY RESOURCES (Interim - October 2008)





(a) The contractor and their personnel shall be subject to the same Federal laws, regulations, standards and VA policies as VA personnel, regarding information and information system security. These include, but are not limited to Federal Information Security Management Act (FISMA), Appendix III of OMB Circular A-130, and guidance and standards, available from the Department of Commerce's National Institute of Standards and Technology (NIST). This also includes the use of common security configurations available from NIST's Web site at:



http://checklists.nist.gov





(b) To ensure that appropriate security controls are in place, Contractors must follow the procedures set forth in "VA Information and Information System Security/Privacy Requirements for IT Contracts" located at the following Web site:



http://www.iprm.oit.va.gov









Position Sensitivity – The position sensitivity has been designated as Low Risk.





Background Investigation – The level of background investigation commensurate with the required level of access is National Agency Check with Written Inquiries (NACI). Non-citizen contract personnel appointed to Low Risk or Nonsensitive positions will be subject to a National Agency Check with Law Enforcement and Credit Check (NACLC).





Contractor Responsibilities:





The Contractor shall bear the expense of obtaining background investigations. If the investigation is conducted by the Office of Personnel Management (OPM), the Contractor shall reimburse VA within 30 days after receipt of a Bill of Collection. The estimated cost of the NACI or NACLC is $200.00 per person.





The Contractor shall prescreen all personnel requiring access to the computer systems to ensure they are able to read, write, speak, and understand the English language.





The Contractor employees shall download, complete, and mail the documents required for a Low Risk Position within twenty (20) calendar days of receipt of e-mail notification from the VA Security Investigations Center (SIC). Documents shall be downloaded from the following website:





http://www.va.gov/vabackground_investigations





Electronic fingerprinting can be performed at the Human Resources Office (See COR for assistance).





The Contractor, when notified of an unfavorable determination by the Government, will withdraw the employee from consideration for work under the contract.





Failure to comply with the Contractor personnel security requirements may result in termination of the contract for default.





Government Responsibilities:



Upon receipt, the VA Office of Security and Law Enforcement will review the completed forms for accuracy and forward the forms to OPM to conduct the background investigation.





The VA facility will pay for investigations conducted by the Office of Personnel Management (OPM) in advance. In these instances, the Contractor will reimburse the VA facility within 30 days after receipt of a Bill of Collection.





The VA Office of Security and Law Enforcement will notify the Contracting Officer and Contractor after adjudicating the results of the background investigations received from OPM.





The Contracting Officer will ensure that the Contractor provides evidence that investigations have been completed or are in the process of being requested.





Contractor personnel performing work under this contract shall satisfy all requirements for appropriate security eligibility in dealing with access to sensitive information and information systems belonging to or being used on behalf of the Department of Veterans Affairs. The Contractor will be responsible for the actions of those individuals they provide to perform work for the VA under this contract. In the event that damages arise from work performed by Contractor provided personnel, under the auspices of this contract, the Contractor will be responsible for all resources necessary to remedy the incident. Printed output containing sensitive VHA data will be stored in a secured area, and disposed of properly by shredding or similar methods. Under the provisions of the Privacy Act of 1974 as amended, personnel performing work under this contract have an obligation to protect VA information indefinitely. Furthermore, it is the Contractor's responsibility to notify the Information Management staff when access to Information Management systems is no longer needed by personnel performing work under this contract.





Contractor employees are required to complete the online training classes entitled “VA Cyber Security Awareness” and “VHA Privacy Policy.” The necessary link and instructions to gain access are found at http://www.vcampus.com/cciivv/valo/index.html. A Certificate of successful completion will be generated. The certificate shall be mailed to Judy Buccini, Information Security Officer, internal mail routing symbol 003I-H or faxed to 412-365-4614.





The Contractor will provide health care to patients seeking such care from or through VA. As such, the Contractor is considered part of the Department health activity for purposes of the following statutes and the VA regulations implementing these statutes: the Privacy Act, 5 U.S.C. § 552a, and 38 U.S.C. §§ 5701, 7705 and 7332. Contractor and its employees may have access to patient medical records to the extent necessary for the contract or to perform this contract. Notwithstanding any other provision of this agreement, the Contractor and its employees may disclose patient treatment records only pursuant to explicit disclosure authority from VA. Contractor and its employees are subject to the penalties and liabilities provided under statutes and regulations for unauthorized disclosures of such records and contents.





The VA may provide Contractor and subcontractor employees with access to VA automated patient records maintained on VA computer systems only to the extent and under the same conditions and requirements as VA provides access to these records to its own employees.





All Contractor personnel and any subcontracted employees, if applicable, accessing the VISTA system will be required to sign and abide by all VA security policies, and applicable VA confidentiality statutes, 38 U.S.C. §5701, 38 U.S.C. §7332, and the Privacy Act, 5 U.S.C. §552a. The VA will provide access applications and security agreements. Contractor shall ensure the confidentiality of all patient information and shall be held liable in the event of the breach of confidentiality. Due to the confidential nature of medical reports, all transcription must be completed in areas that provide reasonable security. All documents are confidential and are protected under the Privacy Act of 1974, as amended. All vendor personnel shall be required to observe the requirements imposed on sensitive data by law, federal regulations, VA statutes and policy, DM&S policy and the associated requirements to ensure appropriate screening of personnel.





The database utilized by the Contractor under this agreement, the adverse drug event reports provided to the Contractor by VA, and documents created from analyzing this database, the adverse drug event reports, and patient medical records are medical quality assurance records protected by 38 U.S.C. § 5705, its implementing regulations at 38 U.S.C. §§ 17.500-.511 and VHA Directive 2002-043, Quality Management (QM) And Patient Safety Activities That Can Generate Confidential Documents. These records may be disclosed only as authorized by § 5705 and the VA regulations. Disclosure of these records in violation of § 5705 is a criminal offense under 38 U.S.C. § 5705(e).





The treatment and administrative patient records created by, or provided to, the Contractor under this agreement are covered by the VA system of records entitled "Patient Medical Records - VA (24VA136)."



Records created by the Contractor in the course of treating VA patients under this agreement are the property of the VA and shall not be accessed, released, transferred or destroyed except in accordance with applicable federal law and regulations. Upon expiration of this contract or termination of the contract, the Contractor will promptly provide the VA with any individually identified VA patient treatment records.





All portable media (including but not limited to thumb drives, CD-ROMs, etc.) utilized by the Contractor under this contract must be encrypted in accordance with the security requirements identified in FIPS 140-2. Only thumb drives and encryption software explicitly approved by the VA may be used.





No VA data is permitted to be stored on a desktop or laptop computer hard drive. Any portable computer used under this contract must have the hard drive encrypted in accordance with FIPS 140-2.





PERSONAL IDENTITY VERIFICATION OF CONTRACTOR PERSONNEL





All personnel employed by the Contractor must comply with Homeland Security Presidential Directive 12 (HSPD-12), Office of Management and Budget (OMB) guidance M-05-24 and Federal Information Processing Standards Publication (FIPS PUB) Number 201, which requires all federal employees, Contractors and affiliates to have a Personal Identity Verification (PIV) identification card. The PIV process will be initiated and completed by the VA Medical Center. The Contractor will be responsible for all costs associated with transportation of the employee to the VA Medical Center to initiate the fingerprinting and overall process. The COR will ensure all Contractor employees are informed of procedures for obtaining proper Identification cards.





Supplemental Agreement







Contract is modified to include the VA Information and Information System Security/Privacy Requirements for IT Contracts dated Aug 2008 (provided) and following statement and clause VAAR 852.273-75:





"To monitor and enforce these media sanitization requirements the VA will require the vendor to maintain an active inventory of all media used to store VA information including hard drives in workstations, servers, or RAID sets; CD/optical drives; USB Flash drives; backup tapes; or any other device used for storage of VA information. Each storage device must be specified by description (for example: “Quantity 8: HP 72.8 GB Hard drive – 320 MBps” or “Quantity 75: Sony LTX-200G Ultrium backup tapes”). If feasible the serial number physically attached or marked on the device by the manufacturer must also be included in the inventory. The inventory will be continuously updated as new storage media is added. Disposal of any media used to store VA information without prior approval from the VA is prohibited. "





A.1 VAAR 852.273-75 SECURITY REQUIREMENTS FOR UNCLASSIFIED INFORMATION TECHNOLOGY RESOURCES (Interim - October 2008)





(a) The contractor and their personnel shall be subject to the same Federal laws, regulations, standards and VA policies as VA personnel, regarding information and information system security. These include, but are not limited to Federal Information Security Management Act (FISMA), Appendix III of OMB Circular A-130, and guidance and standards, available from the Department of Commerce's National Institute of Standards and Technology (NIST). This also includes the use of common security configurations available from NIST's Web site at:





http://checklists.nist.gov





(b) To ensure that appropriate security controls are in place, Contractors must follow the procedures set forth in "VA Information and Information System Security/Privacy Requirements for IT Contracts" located at the following Web site:





http://www.iprm.oit.va.gov





(End of Clause)







VA Information and Information System Security/Privacy Requirements for IT Contracts





General





All contractors and contractor personnel shall be subject to the same Federal laws, regulations, standards and VA policies as VA, and VA personnel, regarding information and information system security. Contractors must follow policies and procedures outlined in VA Directive 6500, Information Security Program and its handbooks to ensure appropriate security controls are in place.





Access to VA Information and VA Information Systems





A contractor shall request logical (technical) and/or physical access to VA information and VA information systems for employees, subcontractors, and affiliates only to the extent necessary: (1) to perform the services specified in the contract, (2) to perform necessary maintenance functions for electronic storage or transmission media necessary for performance of the contract, and (3) for individuals who first satisfy the same conditions, requirements and restrictions that comparable VA employees must meet in order to have access to the same type of VA information.





All contractors and subcontractors working with VA Sensitive Information are subject to the same investigative requirements as those of regular VA appointees or employees who have access to the same types of information. The level of background security investigation will be in accordance with VA Directive 0710, Handbook 0710, which are available at: http://www1.va.gov/vapubs/ and VHA Directive 0710 and implementing Handbook 0710.01 which are available at: http://www1.va.gov/vhapublications/index.cfm. Contractors are responsible for screening their employees. The following are VA’s approved policy exceptions for meeting VA’s background screenings/investigative requirements for certain types of contractors:






  • Contract personnel not accessing VA information resources such as personnel hired to maintain the medical facility grounds, construction contracts, utility system contractors, etc.,

  • Contract personnel with limited and intermittent access to equipment connected to facility networks on which no VA sensitive information is available, including contractors who install, maintain, and repair networked building equipment such as fire alarm; heating, ventilation, and air conditioning equipment; elevator control systems, etc. If equipment to be repaired is located within sensitive areas (e.g. computer room/communications closets) VA IT staff must escort contractors while on site.

  • Contract personnel with limited and intermittent access to equipment connected to facility networks on which limited VA sensitive information may reside, including medical equipment contractors who install, maintain, and repair networked medical equipment such as CT scanners, EKG systems, ICU monitoring, etc. In this case, Veterans Health Administration facilities must have a duly executed VA business associate agreement (BAA) in place with the vendor in accordance with VHA Handbook 1600.01, Business Associates, to assure compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in addition to the contract. Contract personnel, if on site, should be escorted by VA IT staff.





Contract personnel who require access to national security programs must have a valid security clearance. National Industrial Security Program (NISP) was established by Executive Order 12829 to ensure that cleared U.S. defense industry safeguards the classified information in their possession while performing work on contracts, programs, bids, or research and development efforts. Defense Security Service (DSS) administers the NISP on behalf of the Department of Defense and 23 other federal agencies within the Executive Branch. VA will verify clearance through DSS.


Contact Information
Contracting Office Address
  • 335 E. German Rd SUITE 301
  • Gilbert , AZ 85297
  • USA


History
  • Nov 25, 2022 01:48 pm PST: Combined Synopsis/Solicitation (Original)
