V225--AIR AMBULANCE - BASE YEAR + 4 OPTION YEARS

Agency: VETERANS AFFAIRS, DEPARTMENT OF
Level of Government: Federal
Category:
  • V - Transportation, Travel and Relocation Services
Opps ID: NBD00159372285200934
Posted Date: Mar 27, 2023
Due Date: Apr 3, 2023
Solicitation No: 36C25523Q0313
Source: https://sam.gov/opp/7f2b9a4030...
Contract Opportunity (Active)
  • Notice ID: 36C25523Q0313
  • Related Notice:
  • Department/Ind. Agency: VETERANS AFFAIRS, DEPARTMENT OF
  • Sub-tier: VETERANS AFFAIRS, DEPARTMENT OF
  • Office: 255-NETWORK CONTRACT OFFICE 15 (36C255)
General Information
  • Contract Opportunity Type: Sources Sought (Original)
  • All Dates/Times are: (UTC-05:00) CENTRAL STANDARD TIME, CHICAGO, USA
  • Original Published Date: Mar 27, 2023 01:39 pm CDT
  • Original Response Date: Apr 03, 2023 11:00 am CDT
  • Inactive Policy: Manual
  • Original Inactive Date: May 03, 2023
  • Initiative:
    • None
Classification
  • Original Set Aside:
  • Product Service Code: V225 - TRANSPORTATION/TRAVEL/RELOCATION- TRAVEL/LODGING/RECRUITMENT: AMBULANCE
  • NAICS Code:
    • 621910 - Ambulance Services
  • Place of Performance:
    Department of Veterans Affairs EK - Multiple Facilities, KS 66048-5014
    USA
Description
This is a SOURCES SOUGHT announcement only. It is neither a solicitation announcement nor a request for proposal or quote and does not obligate the Government to award a contract. Responses to this Sources Sought must be in writing. The purpose of this Sources Sought Announcement is for market research, to make appropriate acquisition decisions, and to gain knowledge of potential qualified businesses capable of providing the following:

Air Ambulance Services for the following Eastern Kansas VA Medical Centers:
Colmery-O'Neil VA Medical Center, 2200 Gage Blvd, Topeka, KS 66622
Dwight D. Eisenhower VA Medical Center, 4101 S. 4th Street Trafficway, Leavenworth, KS 66048
This requirement is for a Base and Four (4) Option Years *** See Statement of Work below for details ***
We are looking for Service-Disabled Veteran Owned Small Businesses (SDVOSB) and Veteran Owned Small Businesses (VOSB) if available.

If this is within your capability, please respond with the information below to both points of contact listed below:
Company Name
Address
Point of Contact
Phone, Fax, and Email
UEI number
GSA Contract (as applicable)

Interested firms are reminded that in accordance with FAR 4.12, prospective contractors shall complete electronic annual representations and certifications to be considered for award. In addition, FAR 4.11 states that prospective contractors shall be registered in the System for Award Management (www.SAM.gov) database. All Service-Disabled Veteran Owned Small Businesses (SDVOSB) and Veteran Owned Small Businesses (VOSB) shall be verified in VetBiz at www.vip.vetbiz.gov.

Point of Contact for this Sources Sought is:
Shelley Welton, Shelley.Welton@va.gov

Alternate Point of Contact for this Sources Sought is:
Bruce Kidder, Bruce.Kidder@va.gov

Department of Veterans Affairs
Network Contracting Office -15
3450 S. 4th Street Trafficway
Leavenworth, KS. 66048.

Performance Work Statement
Air Ambulance Services
Eastern Kansas Health Care System
Section 1: General Information

General: This Performance Work Statement (PWS) defines non-personal services to provide Air Ambulance (emergent fixed wing) transportation services under a fixed price Indefinite Delivery Indefinite Quantity (IDIQ) contract for the Eastern Kansas Health Care System (EKHCS). The Government shall not exercise any supervision or control over the contract service providers performing the services herein. Such contract service providers shall be accountable solely to the Contractor who, in turn, is responsible to the Government. The contractor shall not accept any instructions issued by any person employed by the U.S. Government, other than: the Contracting Officer (CO), or the Contracting Officer's Representative (COR), all acting within the limits of their authority.
Transportation originates at a medical facility in the local area and ends at a medical facility outside the local area. In the case of organ transplant patients, transportation may originate from an airport near the veteran's home address. The price should include all legs of transportation including ground ambulance to and from the respective airports.

Period of Performance:
Base Year: May 16, 2023 to May 15, 2024
Option Year 1: May 16, 2024 to May 15, 2025
Option Year 2: May 16, 2025 to May 15, 2026
Option Year 3: May 16, 2026 to May 15, 2027
Option Year 4: May 16, 2027 to May 15, 2028

Type of Contract: The government will award a single award-indefinite-delivery indefinite quantity (IDIQ), Firm Fixed Price contract.

Invoicing: All invoices from the contractor shall be submitted electronically in accordance with VAAR Clause 852.232-723 Electronic Submission of Payment Requests.
Invoices shall be submitted (monthly in arrears) no later than fifteen (15) calendar days following the end of the month in which services are rendered. Invoices are to include obligation number and all contract services furnished for the preceding month. Invoices shall specify the patient name, 4 digit patient identifier, date of service, time of pick-up, whether the trip was pre-scheduled or unscheduled, pick-up and delivery point, trip number and separate charges (i.e. toll fee, medications, etc.) per trip for which payment is requested. Separate charges must be itemized. All invoices must include a Health Insurance Claim Form OMB-form-1500 (HCFA).

All invoices shall include a fixed base-rate line item and a mileage rate line item. Each line item shall include rate, quantity, description, and line total.

Invoices will be reviewed and reconciled with trip tickets and travel logs. Unauthorized charges will be suspended pending investigation. Unauthorized charges are those that are being disputed or have not been pre-approved by authorized VA personnel. A final determination will be made within 30 days after notifying the Contractor of charges being suspended.

All invoices rendered by the Contractor to EKHCS for contract services furnished in accordance with this contract shall be in full. Neither the beneficiary nor any other party shall be required to bear the burden of additional payments, surcharges, tip or other gratuity.

VA's Electronic Invoice Presentment and Payment System: The FSC uses a third-party contractor, Tungsten, to transition vendors from paper to electronic invoice submission. Please go to this website: http://www.tungsten-network.com/US/en/veterans-affairs/ to begin submitting electronic invoices, free of charge.
More information on the VA Financial Services Center is available at http://www.fsc.va.gov/einvoice.asp.

Vendor e-Invoice Set-Up Information:
Please contact Tungsten at the phone number or email address listed below to begin submitting your electronic invoices to the VA Financial Services Center for payment processing, free of charge. If you have questions about the e-invoicing program or Tungsten, please contact the FSC at the phone number or email address listed below:
Tungsten e-Invoice Setup Information: 1-877-489-6135
Tungsten e-Invoice email: VA.Registration@Tungsten-Network.com
FSC e-Invoice Contact Information: 1-877-353-9791
FSC e-Invoice email: vafsccshd@va.gov

Section 2: Definitions

Contractor: A supplier or vendor awarded a contract to provide specific supplies or service to the government. The term used in this contract refers to the prime.
Work Day: The number of hours per day the Contractor provides services in accordance with the contract.
Work Week: Monday through Friday, unless specified otherwise.
Air Ambulance: Fixed wing aircraft with a compartment that is designed and constructed to afford relative safety and comfort and to avoid aggravation of the patient's condition. The aircraft, compartment, and personnel must meet all applicable federal and state standards for medical air transport.
ALS: Advanced Life Support.
Ground Ambulance: Vehicles for emergency medical care which provide a driver compartment and a patient compartment that will accommodate emergency personnel and patient, equipment and supplies for emergency care at the scene as well as during transport, and two-way radio communication and equipment for light rescue procedures. The ambulance must be designed and constructed to afford relative safety and comfort and to avoid aggravation of the patient's condition.
AOD: Administrative Officer of the Day. This government employee is the administrative officer in charge during other than normal business hours.
BLS: Basic Life Support.
CCT: Critical Care Transport.
CO/Contracting Officer: The person executing this contract on behalf of the Government and the only person authorized to make changes to the contract.
COR/Contracting Officer Representative: Person or persons authorized to act for the Contracting Officer within the limits of his/her authority.
CHIEF, Business Office: Person or persons authorized to act for the Contracting Officer within the limits of his/her authority in the absence of a COR.
Federal Holidays: New Year's Day, Martin Luther King Jr. Birthday, Presidents Day, Memorial Day, Juneteenth Day, Independence Day, Labor Day, Columbus Day, Veteran's Day, Thanksgiving Day, Christmas Day, also any day determined by the President to be a Federal Holiday.
Normal Business Hours: Normal business hours are defined as Monday thru Friday, 8:00a.m. to 4:30p.m. local time.
Trip: A trip is defined as the distance, ONE WAY ONLY, over which a beneficiary will be transported. For all one-way trips ordered under this contract, the contractor shall receive the base rate.
POC: Point of contact.

Section 3: Demand and Government's Minimum Quantity

The estimated demand for the Air Ambulance is:
Base Year: 6 trips
Option Year One (1): 6 trips
Option Year Two (2): 6 trips
Option Year Three (3): 6 trips
Option Year Four (4): 6 trips

The One-Way Average Statute Mileage per trip is _____ miles. Trips vary from ____ miles up to _____ miles or more.

Government's Minimum Quantity: The VA attempts to be as accurate as possible when providing estimated quantities; however, actual dollar value quantities may vary from the dollar value quantities as listed in the price schedule. The guaranteed contract minimum is $10,000.00.
Section 4: Compliance

All work related to this contract must be performed by the Contractor in accordance with all applicable Federal Aviation Administration (FAA), U.S. Department of Transportation, or Occupational Safety and Health Administration (OSHA) regulations, as well as applicable State health and safety regulations, health care accreditation standards (Joint Commission or equivalent accreditation organization) and standard industry practices as defined by the Association of Air Medical Services for air ambulance transportation.
Section 5: Personnel

The Contractor shall provide the necessary licenses/certificates, competencies, privilege and credentialing in accordance with applicable State(s) and Federal regulations for each employee that will perform services under this contract.
Section 6: Rate

For all one-way trips ordered under this contract, the Contractor shall receive the base rate as stated in the price/cost schedule. The BASE RATE shall constitute full compensation for ONE-WAY trips (patient leg of the transport only). Once the base trip rate has been exceeded, the per statute mile price schedule will be effective for statute miles over the base rate.

Section 7: Order Placement

Task orders will be issued as required by the Network Contracting Office to fund each requirement. Scheduling will be done on an as-needed basis. Unit quantities are currently unknown. Orders will be placed in writing.

All trip orders by the end user should contain the following information:
Date of order
Contract number and purchase order number
Contract line item number and description, quantity, and unit price
Delivery or performance schedule
Place of delivery or performance
Accounting and appropriate data.

Section 8: Scheduling

Authorized EKHCS personnel will place telephone requests for contract services only with the Contractor's dispatch office. The request for services shall specify the originating point and final destination. Only such travel is authorized and any costs incurred for unauthorized travel, stops, waiting time, etc. shall be the responsibility of the Contractor. Authorized EKHCS personnel are:

Beneficiary Travel Personnel
Transfer Coordinators
Administrative Officer of the Day (AOD)

For prescheduled pickups, the Contractor shall be required to furnish the ground ambulance within twenty (20) minutes of the prearranged time.

For unscheduled pickups, the Contractor agrees to have patient(s) transported to the departing airport, prepared, and airborne within 4 hours after the receipt of order or as agreed between the Contractor and the authorized EKHCS requestor. If the Contractor identifies they cannot furnish the services within the time required, they shall notify the government at the time of scheduling, or as soon as possible.

In the event of a contractor NO-SHOW, the Government reserves the right to obtain the necessary services from another source.

The Contractor shall respond to phone calls or messages from the Government within 30 minutes.

Section 9: Inspection, Quality, and Performance Standards

The Government has the right to inspect the Contractor premises, maintenance records of medical equipment and aircraft(s), flight logs, and dispatch records being used for the contracted services. Furthermore, annually the Contractor must provide proof of insurance (see Clauses 852.228-71, 852.237-7, and 852.237-70 for further details on insurance requirements) and copies of any licenses for all staff providing services under this contract upon request of the POC.
The last month of each contract year, the Contracting Officer will review contract compliance reports submitted by the POC. The review will employ various monitoring methods but will specifically include complaints and timeliness.

Maintain full compliance with Quality Assurance Surveillance Plan (QASP)
Section 10: Reporting Responsibilities

The Contractor shall furnish an in-flight medical attendant report of the patient's status to the receiving facility. The report should include:
Patient's full name and social security number (whenever possible); if not possible, explain the reasons.
Time picked up.
Originating and terminating points.
Who called (initiator)
Presenting problem.
Immediate First Aid Measures (bandages, oxygen, restraints, etc.)
State of consciousness.
Blood pressure.
Pulse.
Respiration.
Any other noted symptoms or pertinent information, including vital signs not already described, level of consciousness, drugs administered, and details of therapeutic intervention.
Any unusual circumstances encountered during the flight, including but not limited to inordinate altitudes flown, turbulence, and times associated with these conditions.
Section 11: Licenses, Certifications and Insurance

Air Ambulance Pilot: Shall have a valid operator's license in accordance with Federal, State and local government requirements for their place of operation and for the services they perform.

Medical Staff: Shall be certified, licensed, or otherwise officially recognized by the local, state, or regional government or public entity where the emergency ambulance service is operated or by which it is governed.

Ambulance Driver: Shall have a valid operator's or chauffeur's license in accordance with Federal, State, and local government requirements for their place of operation, for the services they perform.

Contractor: Shall maintain personal liability, automobile liability, and property damage insurance, as prescribed by the laws of the state in which they operate, and in accordance with VAAR 852.228-71, VAAR 852.237-7, and VAAR 852.237-70.


Section 12: Health Insurance Portability and Accountability Act (HIPAA), Privacy Rule, and Security Rule

Whereas the Contractor will have access to Business Associate Protected Health Information (PHI) and Electronic Protected Health Information (EPHI) that is subject to protection under regulations issued by the Department of Health and Human Services, as mandated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), 45 CFR Parts 160 and 164, Subparts A and E, the Standards for Privacy of Individually Identifiable Health Information ("Privacy Rule"), and 45 CFR Parts 160 and 164, Subparts A and C, the Security Standard ("Security Rule"); and whereas, Department of Veterans Affairs Veterans Health Administration is a Covered Entity as that term is defined in the HIPAA implementing regulations, 45 CFR 160.103, the Contractor shall be required to complete the blanks, sign, date and provide a completed Business Associate Agreement with their quotation (as provided as an attachment to this solicitation).

Contractor staff shall sign and follow confidentiality statements as required.

The C&A requirements do not apply, and a Security Accreditation Package is not required.

The Contractor shall comply with the Privacy Act, 38 USC 5701 and 38 USC 7332. Any information the Contractor may obtain on personnel and/or patient data as a result of performance of this contract will not at any time be disclosed to third parties or used for the Contractor's own purpose except to the extent allowed by the Privacy Act.

Information made available to the Contractor or subcontractor by VA for the performance or administration of this contract or information developed by the contractor/subcontractor in performance or administration of the contract shall be used only for those purposes and shall not be used in any other way without the prior written agreement of the VA. This clause expressly limits the contractor/subcontractor's rights to use data as described in Rights in Data - General, FAR 52.227-14(d)(1).

The term security incident means an event that has, or could have, resulted in unauthorized access to, loss or damage to VA assets, or sensitive information, or an action that breaches VA security procedures. The contractor/subcontractor shall immediately notify the COTR and simultaneously, the designated ISO and Privacy Officer for the contract of any known or suspected security/privacy incidents, or any unauthorized disclosure of sensitive information, including that contained in system(s) to which the contractor/subcontractor has access.

Consistent with the requirements of 38 U.S.C. §5725, a contract may require access to sensitive personal information. If so, the Contractor is liable to VA for liquidated damages in the event of a data breach or privacy incident involving any SPI the contractor/subcontractor processes or maintains under this contract.

Based on the determinations of independent risk analysis, the contractor shall be responsible for paying to the VA liquidated damages in the amount of $_____ per affected individual to cover the cost of providing credit protection services to affected individuals consisting of the following:

Notification;
One year of credit monitoring services consisting of automatic daily monitoring of at least 3 relevant credit bureau reports;
Data breach analysis;
Fraud resolution services, including writing dispute letters, initiating fraud alerts and credit freezes, to assist affected individuals to bring matters to resolution;
One year of identity theft insurance with $20,000.00 coverage at $0 deductible; and
Necessary legal expenses the subjects may incur to repair falsified or damaged credit records, histories, or financial affairs.

Section 13: Patient Privacy and Confidentiality

All patient papers transported with the patient are confidential in accordance with HIPAA. Contractor's personnel may review these records for assessment and treatment purposes only. Appropriate administrative and medical information will be provided to the Contractor for patient transport. If the medical record is transported with the patient, it may be used as a source of information if the situation warrants (i.e. emergent care while en-route). In all other instances, all documents will remain intact and sealed.

Section 14: Security Requirements

The service contractor is expected to perform functions that will require access to VA sensitive information. In the course of providing services, it will be necessary for the service contractor to view and receive protected health information (PHI) and personally identifiable information (PII).
Contracts in which VA sensitive information is accessed by a VA contractor/subcontractor require the following per 38 U.S.C. §§ 5723 and 5725:
A prohibition on unauthorized disclosure: Information made available to the contractor or subcontractor by VA for the performance or administration of this contract or information developed by the contractor in performance or administration of the contract shall be used only for those purposes and shall not be used in any other way without the prior written agreement of the VA. See VA Handbook 6500.6, Appendix C, paragraph 3.a.
A requirement for data breach notification: Upon discovery of any known or suspected security/privacy incidents, or any unauthorized disclosure of sensitive information, including that contained in system(s) to which the contractor/subcontractor has access, the contractor/subcontractor shall immediately and simultaneously notify the COTR, the designated ISO, and Privacy Officer for the contract. The term security incident means an event that has, or could have, resulted in unauthorized access to, loss or damage to VA assets, or sensitive information, or an action that breaches VA security procedures. See VA Handbook 6500.6, Appendix C, paragraph 3.a.
A requirement to pay liquidated damages in the event of a data breach: In the event of a data breach or privacy incident involving any SPI the contractor processes or maintains under this contract, the contractor shall be liable to VA for liquidated damages for a specified amount per affected individual to cover the cost of providing credit protection services to those individuals. See VA Handbook 6500.6, Appendix C, para. 7.2, 7.5.
A requirement for annual security/privacy awareness training: Before being granted access to VA information, all contractor employees and subcontractor employees requiring such access shall complete on an annual basis either (i) the VA security/privacy awareness training (contains VA's security/privacy requirements) within 1 week of the initiation of the contract, or (ii) security awareness training provided or arranged by the contractor that conforms to VA's security/privacy requirements as delineated in the hard copy of the VA security awareness training provided to the contractor. If the contractor provides their own training that conforms to VA's requirements, they will provide the COTR or CC a yearly report (due annually on the date of the contract initiation) stating that all applicable employees involved in VA's contract have received their annual security/privacy training that meets VA's requirements and the total number of employees trained. See VA Handbook 6500.6, Appendix C, paragraph 9.
A requirement to sign VA's Rules of Behavior: Before being granted access to VA information, all contractor employees and subcontractor employees requiring such access shall sign on an annual basis an acknowledgement that they have read, understand, and agree to abide by VA's Contractor Rules of Behavior which is attached to this contract. See VA Handbook 6500.6, Appendix D. Note: If the vendor anticipates that the services under the contract will be performed by 10 or more individuals, the Contractor Rules of Behavior may be signed by the vendor's designated representative. The contract must reflect by signing the Rules of Behavior on behalf of the vendor that the designated representative agrees to ensure that all such individuals review and understand the Contractor Rules of Behavior when accessing VA's information.

VA Information Custodial Language

Information made available to the contractor or subcontractor by VA for the performance or administration of this contract or information developed by the contractor/subcontractor in performance or administration of the contract shall be used only for those purposes and shall not be used in any other way without the prior written agreement of the VA. This clause expressly limits the contractor/subcontractor's rights to use data as described in Rights in Data - General, FAR 52.227-14(d)(1).
VA information should not be co-mingled, if possible, with any other data on the contractor's/subcontractor's information systems or media storage systems in order to ensure VA requirements related to data protection and media sanitization can be met. If co-mingling must be allowed to meet the requirements of the business need, the contractor must ensure that VA's information is returned to the VA or destroyed in accordance with VA's sanitization requirements. VA reserves the right to conduct onsite inspections of contractor and subcontractor IT resources to ensure data security controls, separation of data and job duties, and destruction/media sanitization procedures are in compliance with VA directive requirements.
Prior to termination or completion of this contract, contractor/subcontractor must not destroy information received from VA, or gathered/created by the contractor in the course of performing this contract without prior written approval by the VA. Any data destruction done on behalf of VA by a contractor/subcontractor must be done in accordance with National Archives and Records Administration (NARA) requirements as outlined in VA Directive 6300, Records and Information Management and its Handbook 6300.1, Electronic Media Sanitization. Self-certification by the contractor that the data destruction requirements above have been met must be sent to the VA Contracting Officer within 30 days of termination of the contract.
The contractor/subcontractor must receive, gather, store, back up, maintain, use, disclose and dispose of VA information only in compliance with the terms of the contract and applicable Federal and VA information confidentiality and security laws, regulations and policies. If Federal or VA information confidentiality and security laws, regulations and policies become applicable to the VA information or information systems after execution of the contract, or if NIST issues or updates applicable FIPS or Special Publications (SP) after execution of this contract, the parties agree to negotiate in good faith to implement the information confidentiality and security laws, regulations and policies in this contract.
The contractor/subcontractor shall not make copies of VA information except as authorized and necessary to perform the terms of the agreement or to preserve electronic information stored on contractor/subcontractor electronic storage media for restoration in case any electronic equipment or data used by the contractor/subcontractor needs to be restored to an operating state. If copies are made for restoration purposes, after the restoration is complete, the copies must be appropriately destroyed.
If VA determines that the contractor has violated any of the information confidentiality, privacy, and security provisions of the contract, it shall be sufficient grounds for VA to withhold payment to the contractor or third party or terminate the contract for default or terminate for cause under Federal Acquisition Regulation (FAR) part 12.
If a VHA contract is terminated for cause, the associated BAA must also be terminated and appropriate actions taken in accordance with VHA Handbook 1600.01, Business Associate Agreements. Absent an agreement to use or disclose protected health information, there is no business associate relationship.
Except for uses and disclosures of VA information authorized by this contract for performance of the contract, the contractor/subcontractor may use and disclose VA information only in two other situations: (i) in response to a qualifying order of a court of competent jurisdiction, or (ii) with VA's prior written approval. The contractor/subcontractor must refer all requests for, demands for production of, or inquiries about, VA information and information systems to the VA contracting officer for response.
Notwithstanding the provision above, the contractor/subcontractor shall not release VA records protected by Title 38 U.S.C. 5705, confidentiality of medical quality assurance records and/or Title 38 U.S.C. 7332, confidentiality of certain health records pertaining to drug addiction, sickle cell anemia, alcoholism or alcohol abuse, or infection with human immunodeficiency virus. If the contractor/subcontractor is in receipt of a court order or other requests for the above mentioned information, that contractor/subcontractor shall immediately refer such court orders or other requests to the VA contracting officer for response.

Security Incident Investigation

The term security incident means an event that has, or could have, resulted in unauthorized access to, loss or damage to VA assets, or sensitive information, or an action that breaches VA security procedures. The contractor/subcontractor shall immediately notify the COTR and simultaneously, the designated ISO and Privacy Officer for the contract of any known or suspected security/privacy incidents, or any unauthorized disclosure of sensitive information, including that contained in system(s) to which the contractor/subcontractor has access.
To the extent known by the contractor/subcontractor, the contractor/subcontractor's notice to VA shall identify the information involved, the circumstances surrounding the incident (including to whom, how, when, and where the VA information or assets were placed at risk or compromised), and any other information that the contractor/subcontractor considers relevant.
With respect to unsecured protected health information, the business associate is deemed to have discovered a data breach when the business associate knew or should have known of a breach of such information. Upon discovery, the business associate must notify the covered entity of the breach. Notifications need to be made in accordance with the executed business associate agreement.
In instances of theft or break-in or other criminal activity, the contractor/subcontractor must concurrently report the incident to the appropriate law enforcement entity (or entities) of jurisdiction, including the VA OIG and Security and Law Enforcement. The contractor, its employees, and its subcontractors and their employees shall cooperate with VA and any law enforcement authority responsible for the investigation and prosecution of any possible criminal law violation(s) associated with any incident. The contractor/subcontractor shall cooperate with VA in any civil litigation to recover VA information, obtain monetary or other compensation from third party arising from, or related to, the incident.

Liquidated Damages for Data Breach

Consistent with the requirements of 38 U.S.C. §5725, a contract may require access to sensitive personal information. If so, the contractor is liable to VA for liquidated damages in the event of a data breach or privacy incident involving any SPI the contractor/subcontractor processes or maintains under this contract.
The contractor/subcontractor shall provide notice to VA of a security incident as set forth in the Security Incident Investigation section above. Upon such notification, VA must secure from a non-Department entity or the VA Office of Inspector General an independent risk analysis of the data breach to determine the level of risk associated with the data breach for the potential misuse of any sensitive personal information involved in the data breach. The term data breach means the loss, theft, or other unauthorized access, or any access other than that incidental to the scope of employment, to data containing sensitive personal information, in electronic or printed form, that results in the potential compromise of the confidentiality or integrity of the data. Contractor shall fully cooperate with the entity performing the risk analysis. Failure to cooperate may be deemed a material breach and grounds for contract termination.
Each risk analysis shall address all relevant information concerning the data breach, including the following:
  • Nature of the event (loss, theft, unauthorized access)
  • Description of the event, including
    • Date of occurrence;
    • Data elements involved, including any PII, such as full name, social security number, date of birth, home address, account number, disability code;
  • Number of individuals affected or potentially affected;
  • Names of individuals or groups affected or potentially affected;
  • Ease of logical data access to the lost, stolen or improperly accessed data in light of the degree of protection for the data, e.g., unencrypted, plain text;
  • Amount of time the data has been out of VA control;
  • The likelihood that the sensitive personal information will or has been compromised (made accessible to and usable by unauthorized persons);
  • Known misuses of data containing sensitive personal information, if any;
  • Assessment of the potential harm to the affected individuals;
  • Data breach analysis as outlined in 6500.2 Handbook, Management of Security and Privacy Incidents, as appropriate; and
  • Whether credit protection services may assist record subjects in avoiding or mitigating the results of identity theft based on the sensitive personal information that may have been compromised.
Based on the determinations of the independent risk analysis, the contractor shall be responsible for paying to the VA liquidated damages in the amount of $______ per affected individual to cover the cost of providing credit protection services to affected individuals consisting of the following:
  • Notification;
  • One year of credit monitoring services consisting of automatic daily monitoring of at least 3 relevant credit bureau reports;
  • Data breach analysis;
  • Fraud resolution services, including writing dispute letters, initiating fraud alerts and credit freezes, to assist affected individuals to bring matters to resolution;
  • One year of identity theft insurance with $20,000.00 coverage at $0 deductible; and
  • Necessary legal expenses the subjects may incur to repair falsified or damaged credit records, histories, or financial affairs.

Security Controls Compliance Testing

On a periodic basis, VA, including the Office of Inspector General, reserves the right to evaluate any or all of the security controls and privacy practices implemented by the contractor under the clauses contained within the contract. With 10 working days' notice, at the request of the government, the contractor must fully cooperate and assist in a government-sponsored security controls assessment at each location wherein VA information is processed or stored, or information systems are developed, operated, maintained, or used on behalf of VA, including those initiated by the Office of Inspector General. The government may conduct a security control assessment on shorter notice (to include unannounced assessments) as determined by VA in the event of a security incident or at any other time.

Training

All contractor employees and subcontractor employees requiring access to VA information and VA information systems shall complete the following before being granted access to VA information and its systems:
  • Sign and acknowledge (either manually or electronically) understanding of and responsibilities for compliance with the Contractor Rules of Behavior, Appendix E relating to access to VA information systems;
  • Successfully complete the appropriate VA privacy training and annually complete required privacy training; and
  • Successfully complete any additional cyber security or privacy training, as required for VA personnel with equivalent information system access [to be defined by the VA program official and provided to the contracting officer for inclusion in the solicitation document e.g., any role-based information security training required in accordance with NIST Special Publication 800-16, Information Technology Security Training Requirements.]
The contractor shall provide to the contracting officer and/or the COTR a copy of the training certificates and certification of signing the Contractor Rules of Behavior for each applicable employee within 1 week of the initiation of the contract and annually thereafter, as required.
Failure to complete the mandatory annual training and sign the Rules of Behavior annually, within the timeframe required, is grounds for suspension or termination of all physical or electronic access privileges and removal from work on the contract until such time as the training and documents are complete.

Additional Security Requirements

The contractor employees shall have access to VA sensitive information and will require routine access to VA Facilities. The contractor employees shall have intermittent access only and will be escorted by VA employees while at VA facilities.
Contact Information
Contracting Office Address
  • VA MEDICAL CENTER 4101 SOUTH 4TH STREET
  • LEAVENWORTH , KS 66048
  • USA
History
  • Mar 27, 2023 01:39 pm CDT: Sources Sought (Original)
