Type of document: Contract Notice
Country: United States
Adverse Event Reporting System
Agency:
Department of Health and Human Services
Official Address:
5600 Fishers Lane Rockville MD 20857
Zip Code:
20857
Contact:
Daniel Rosenstengel, Contract Specialist, Email Daniel.Rosenstengel@ihs.gov – Paul B. Premoe, Contracting Officer, Email paul.premoe@ihs.gov
Link:
Date Posted:
13/04/2018
Classification:
D
Contract Description:
Note: Intent is to procure a commercially available off-the-shelf (COTS) software solution that has verifiable and relevant past performance references within Government or Commercial Medical Facilities.
HHSAR 352.239-73 ELECTRONIC INFORMATION AND TECHNOLOGY ACCESSIBILITY NOTICE (DEC 2015)
(a) Section 508 of the Rehabilitation Act of 1973 (29 U.S.C. 794d), as amended by the Workforce Investment Act of 1998 and the Architectural and Transportation Barriers Compliance Board Electronic and Information (EIT) Accessibility Standards (36 CFR part 1194), require that when Federal agencies develop, procure, maintain, or use electronic and information technology, Federal employees with disabilities have access to and use of information and data that is comparable to the access and use by Federal employees who are not individuals with disabilities, unless an undue burden would be imposed on the agency. Section 508 also requires that individuals with disabilities, who are members of the public seeking information or services from a Federal agency, have access to and use of information and data that is comparable to that provided to the public who are not individuals with disabilities, unless an undue burden would be imposed on the agency.
(b) Accordingly, any offeror responding to this solicitation must comply with established HHS EIT accessibility standards. Information about Section 508 is available at The complete text of the Section 508 Final Provisions can be accessed at
(c) The Section 508 accessibility standards applicable to this solicitation are stated in the clause at 352.239-74, Electronic and Information Technology Accessibility.
In order to facilitate the Government’s determination whether proposed EIT supplies meet applicable Section 508 accessibility standards, offerors must submit an HHS Section 508 Product Assessment Template, in accordance with its completion instructions. The purpose of the template is to assist HHS acquisition and program officials in determining whether proposed EIT supplies conform to applicable Section 508 accessibility standards. The template allows offerors or developers to self-evaluate their supplies and document, in detail, whether they conform to a specific Section 508 accessibility standard, and any underway remediation efforts addressing conformance issues. Instructions for preparing the HHS Section 508 Evaluation Template are available under Section 508 policy on the HHS Web site
In order to facilitate the Government’s determination whether proposed EIT services meet applicable Section 508 accessibility standards, offerors must provide enough information to assist the Government in determining that the EIT services conform to Section 508 accessibility standards, including any underway remediation efforts addressing conformance issues.
(d) Respondents to this solicitation must identify any exception to Section 508 requirements. If an offeror claims its supplies or services meet applicable Section 508 accessibility standards, and it is later determined by the Government, i.e., after award of a contract or order, that supplies or services delivered do not conform to the described accessibility standards, remediation of the supplies or services to the level of conformance specified in the contract will be the responsibility of the Contractor at its expense.
(End of provision)
Element 12. IAW HHSAR 352.239-73(b) ELECTRONIC INFORMATION AND TECHNOLOGY ACCESSIBILITY NOTICE (DEC 2015), offeror shall submit its methodology to meet Section 508 requirement. Offers shall not be considered acceptable without addressing and meeting this requirement.
C.1.1 Accessibility by Individuals with Disabilities
Section 508 of the Rehabilitation Act of 1973 (29 U.S.C. 794d), as amended by P.L. 105-220 under Title IV (Rehabilitation Act Amendments of 1988) and the Transportation Barriers Compliance Board Electronic and Information Technology (EIT) Accessibility Standards (36 CFR part 1194) require that all EIT acquired must ensure that:
• Federal employees with disabilities have access to and use of information and data that is comparable to the access and use by Federal employees who are not individuals with disabilities; and
• Members of the public with disabilities seeking information or services from an agency have access to and use of information and data that is comparable to the access to and use of information and data by members of the public who are not individuals with disabilities.
This requirement includes the development, procurement, maintenance, and/or use of EIT products/services. Therefore, any proposal submitted in response to this solicitation must demonstrate compliance with the established EIT Accessibility Standards. Further information about Section 508 is available via the Internet at
A. Indian Health Service (IHS) Federal Risk and Authorization Management Program (FedRAMP) Privacy and Security Requirements
The Contractor (and/or any subcontractor) will be responsible for the following privacy and security requirements:
1) FedRAMP Compliant Authority to Operate (ATO). Comply with FedRAMP Security Assessment and Authorization (SA&A) requirements and ensure the information system/service under this contract has a valid FedRAMP compliant (approved) ATO in accordance with Federal Information Processing Standard (FIPS) Publication 199 defined security categorization. If a FedRAMP compliant ATO has not been granted, the Contractor must submit a plan to obtain a FedRAMP compliant ATO within 30 days of the contract-award date.
a. Implement applicable FedRAMP baseline controls commensurate with the IHS-defined security categorization and the applicable FedRAMP security control baseline (www.FedRAMP.gov). The US Department of Health and Human Services (HHS) Information Security and Privacy Policy (IS2P) and HHS Cloud Computing and Federal Risk and Authorization Management Program (FedRAMP) Guidance further define the baseline policies as well as roles and responsibilities. The Contractor will also implement a set of additional controls identified by the agency when applicable.
b. A security control assessment must be conducted by a FedRAMP third-party assessment organization (3PAO) for the initial ATO and annually thereafter or whenever there is a significant change to the system’s security posture in accordance with the FedRAMP Continuous Monitoring Plan.
2) Data Jurisdiction. The contractor must store all information within the security authorization boundary, including data at rest and data backups, within the United States (US).
3) Service Level Agreements.
The Contractor must understand the terms of the service agreements that define the legal relationships between cloud customers and cloud providers and work with IHS to develop and maintain an SLA.
4) Interconnection/Information Sharing Agreements.
The Contractor must establish and maintain Interconnection Agreements/Information Sharing Agreements in accordance with IHS and HHS policies.
B. Protection of Information in a Cloud Environment
1) If contractor (and/or any subcontractor) personnel must remove any information from the primary work area, they must protect it to the same extent they would their own proprietary data and/or company trade secrets and in accordance with IHS/HHS policies.
2) IHS will retain unrestricted rights to federal data handled under this contract. Specifically, IHS retains ownership of any user created/loaded data and applications collected, maintained, used, or operated on behalf of IHS and hosted on contractor’s infrastructure, as well as maintains the right to request full copies of these at any time. If requested, data must be available to IHS within one (1) business day from the request date. In addition, the data must be provided at no additional cost to IHS.
3) The Contractor (and/or any subcontractor) must ensure that the facilities that house the network infrastructure are physically and logically secure in accordance with FedRAMP requirements and IHS and HHS policies.
4) The contractor must support a system of records in accordance with National Archives and Records Administration (NARA) approved records schedule(s) and protection requirements for federal agencies to manage their electronic records in accordance with 36 CFR § 1236.20 & 1236.22 (ref. a), including but not limited to the following:
a. Maintenance of links between records and metadata, and
b. Categorization of records to manage retention and disposal, either through transfer of permanent records to NARA or deletion of temporary records in accordance with NARA-approved retention schedules.
5) The disposition of all IHS data will be at the written direction of IHS. This may include documents returned to IHS control; destroyed; or held as specified until otherwise directed. Items returned to the Government must be hand carried or sent by certified mail to the Contracting Officer’s Representative (COR).
6) If the system involves the design, development, or operation of a system of records on individuals, the Contractor must comply with the Privacy Act requirements.
C. Security Assessment and Authorization (SA&A) Process
1) The Contractor (and/or any subcontractor) must comply with IHS/HHS and FedRAMP requirements as mandated by federal laws, regulations, and IHS/HHS policies, including making available any documentation, physical access, and logical access needed to support the SA&A requirement. The level of effort for the SA&A is based on the system’s FIPS 199 security categorization and IHS/HHS security policies. The Contractor must obtain a FedRAMP certification within 30 days of the contract-award date.
a. In addition to FedRAMP certification, the contractor must develop and complete an agency SA&A package to obtain an agency ATO prior to system deployment/service implementation. The agency ATO must be approved by the IHS Authorizing Official (AO) prior to implementation of system and/or service being acquired.
b. CSP systems must leverage a FedRAMP accredited third-party assessment organization (3PAO).
c. For all acquired cloud services, the SA&A package must contain the following documentation (IHS SA&A deliverables): System Security Plan (SSP), Security Assessment Plan (SAP), Plan of Action and Milestones (POA&M), Security Test and Evaluation (ST&E), and Security Assessment Report (SAR). Following the initial ATO, the Contractor must review and maintain the ATO in accordance with IHS/HHS policies. The Contractor must use IHS-provided templates.
2) IHS reserves the right to perform penetration testing on all systems operated on behalf of the agency. If IHS exercises this right, the Contractor (and/or any subcontractor) must allow IHS employees (and/or designated third parties) to conduct Security Assessment activities, including control reviews, in accordance with IHS requirements. Review activities include, but are not limited to, vulnerability scanning of operating systems, web applications, and wireless networks; network devices, including routers, switches, firewalls, and IDS/IPS; databases; and other applicable systems, including the general support structure, that support the processing, transportation, storage, or security of Government information.
3) The Contractor must identify any gaps between required FedRAMP Security Control Baseline/Continuous Monitoring controls and the contractor’s implementation status as documented in the Security Assessment Report and related Continuous Monitoring artifacts. In addition, all gaps must be documented and tracked by the contractor for mitigation in a POA&M document. Depending on the severity of the risks, IHS may require remediation at the contractor’s expense before issuing an ATO.
4) The Contractor (and/or any subcontractor) must mitigate security risks for which they are responsible, including those identified during SA&A, and continuous monitoring activities. All vulnerabilities and other risk findings must be remediated by the prescribed timelines from discovery: (1) critical vulnerabilities no later than thirty (30) days and (2) high, medium and low vulnerabilities no later than sixty (60) days. In the event a vulnerability or other risk finding cannot be mitigated within the prescribed timelines above, they must be added to the designated POA&M and mitigated within IHS-designated timelines. IHS will determine the risk rating of vulnerabilities.
5) Revocation of a Cloud Service. IHS has the right to take action in response to the CSP’s lack of compliance and/or increased level of risk. In the event the CSP fails to meet IHS and FedRAMP security and privacy requirements and/or there is an incident involving sensitive information, IHS may suspend or revoke an existing agency ATO (either in part or in whole) and/or cease operations. If an ATO is suspended or revoked in accordance with this provision, the CO and/or COR may direct the CSP to take additional security measures to secure sensitive information. These measures may include restricting access to sensitive information on the Contractor information system under this contract. Restricting access may include disconnecting the system processing, storing, or transmitting the sensitive information from the Internet or other networks or applying additional security controls.
D. Reporting and Continuous Monitoring
Following the initial IHS ATO, the Contractor (and/or any subcontractor) must perform the minimum ongoing continuous monitoring activities specified below, submit required deliverables by the specified due dates, and meet with the system/service owner and other relevant stakeholders to discuss the ongoing continuous monitoring activities, findings, and other relevant matters. The CSP will work with the agency to schedule ongoing continuous monitoring activities. Continuous Monitoring activities should be in alignment with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-137 and the FedRAMP Continuous Monitoring Strategy Guide.
1) At a minimum, the Contractor must provide the following artifacts/deliverables on a monthly basis:
a. Operating system, database, web application, and network vulnerability scan results;
b. Updated POA&Ms;
c. Any updated authorization package documentation as required by the annual attestation/assessment/review or as requested by the IHS System Owner or AO; and
d. Notice, prior to any configuration changes to the system and/or system components or CSP’s cloud environment that may impact IHS’s security posture. Changes to the configuration of the system, its components, or environment that may impact the security posture of the system under this contract must be IHS approved.
E. Configuration Baseline
1) The contractor must certify that applications are fully functional and operate correctly as intended on systems using the Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs) configuration baseline. The standard installation, operation, maintenance, updates, and/or patching of software must not alter the configuration settings from the approved IHS configuration baseline.
2) The contractor must use Security Content Automation Protocol (SCAP)-validated tools with configuration baseline scanner capability to certify their products operate correctly with IHS-defined configurations and do not alter these settings.
F. Incident Reporting
The Contractor (and/or any subcontractor) must respond to all alerts/Indicators of Compromise (IOCs) provided by HHS Computer Security Incident Response Center (CSIRC)/IHS CSIRT teams within 24 hours, whether the response is positive or negative.
FISMA defines an incident as “an occurrence that (1) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or (2) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.” The HHS Policy for IT Security and Privacy Incident Reporting and Response further defines incidents as events involving cybersecurity and privacy threats, such as viruses, malicious user activity, loss of, unauthorized disclosure or destruction of data, and so on.
A privacy breach is a type of incident and is defined by the Federal Information Security Modernization Act (FISMA) as the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where (1) a person other than an authorized user accesses or potentially accesses personally identifiable information or (2) an authorized user accesses or potentially accesses personally identifiable information for an other-than-authorized purpose. The HHS Policy for IT Security and Privacy Incident Reporting and Response further defines a breach as “a suspected or confirmed incident involving Personally Identifiable Information (PII).”
In the event of a suspected or confirmed incident or breach, the Contractor (and/or any subcontractor) must:
1) Protect all sensitive information, including any PII created, stored, or transmitted in the performance of this contract, with FIPS 140-2 validated encryption so as to avoid a secondary sensitive information incident.
2) NOT notify affected individuals unless so instructed by the CO or designated representative. If so instructed by the CO or representative, the Contractor must send IHS approved notifications to affected individuals in accordance with IHS-specific timelines, processes, and formats.
3) Report all suspected and confirmed information security and privacy incidents and breaches to the IHS Cybersecurity Incident Response Team (CSIRT), COR, Contracting Officer (CO), IHS Senior Official for Privacy (SOP) (or his or her designee), and other stakeholders, including incidents involving PII/Protected Health Information (PHI), in any medium or form, including paper, oral, or electronic, as soon as possible and without unreasonable delay, no later than one (1) hour, and consistent with the applicable IHS and HHS policy and procedures, NIST standards and guidelines, as well as US-CERT notification guidelines. The types of information required in an incident report must include at a minimum: company and point of contact information, contract information, impact classifications/threat vector, and the type of information compromised. In addition, the Contractor must:
a. cooperate and exchange any information, as determined by the Agency, necessary to effectively manage or mitigate a suspected or confirmed breach;
b. not include any sensitive information in the subject or body of any reporting e-mail; and
c. encrypt sensitive information in attachments to email, media, etc.
4) Comply with OMB M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information and IHS/HHS incident response policies when handling PII breaches.
5) Provide full access and cooperate on all activities as determined by the Government to ensure an effective incident response, including providing all requested images, log files, and event information to facilitate rapid resolution of sensitive information incidents. This may involve disconnecting the system processing, storing, or transmitting the sensitive information from the Internet or other networks or applying additional security controls. This may also involve physical access to contractor facilities during a breach/incident investigation, within an IHS-specified timeline, if required.
6) The Contractor (and/or any Subcontractor) must provide an Incident Response Plan (IRP) in accordance with IHS, OMB, and US-CERT requirements and obtain IHS approval. In addition, the Contractor must follow the incident response and US-CERT reporting guidance contained in the FedRAMP Incident Communications. The Contractor must include the IHS CSIRT, COR, and system Information System Security Officer (ISSO) in any communications with US-CERT.
7) The Contractor (and/or any Subcontractor) must implement a program of inspection to safeguard against threats and hazards to the security, confidentiality, integrity, and availability of federal data, and must afford IHS access to its facilities, installations, technical capabilities, operations, documentation, records, and databases within two business days of notification. The program of inspection will include, but is not limited to:
a. Conduct authenticated and unauthenticated operating system/network/database/Web application vulnerability scans. IHS/HHS personnel, or agents acting on behalf of IHS/HHS, can perform automated scans using IHS-operated equipment and/or specified tools. The Contractor may choose to run its own automated scans or audits provided the scanning tools and configuration settings are compliant with NIST Security Content Automation Protocol (SCAP) standards and have been approved by the IHS CISO. IHS may request the Contractor’s scanning results and, at IHS’s discretion, accept those in lieu of IHS-performed vulnerability scans.
b. In the event an incident involving sensitive information occurs, cooperate on all required activities determined by the agency to ensure an effective incident or breach response and provide all requested images, log files, and event information to facilitate rapid resolution of sensitive information incidents. In addition, the Contractor must follow the agency reporting procedures and document the steps it takes to contain and eradicate the incident, recover from the incident, and provide a post-incident report that includes at a minimum the following:
• Company and point of contact name;
• Contract information;
• Impact classifications/threat vector;
• Type of information compromised;
• A summary of lessons learned; and
• Explanation of the mitigation steps of exploited vulnerabilities to prevent similar incidents in the future.
G. Media Transport
1) The Contractor and its employees will be accountable for, and must document, all activities associated with the transport of government information, devices, and media transported outside controlled areas and/or facilities. These include information stored on digital and non-digital media (e.g., CD-ROM, tapes, etc.) and mobile/portable devices (e.g., USB flash drives, external hard drives, and SD cards).
2) All information, devices, and media must be encrypted with IHS-approved encryption mechanisms to protect the confidentiality, integrity, and availability of all government information transported outside of controlled facilities.
H. Boundary Protection
1) The contractor must ensure that restricted government information being transmitted from federal government entities to external entities using cloud services is inspected by Trusted Internet Connection (TIC) or other IHS-approved equivalent processes.
2) The contractor must route all external connections through a TIC or other IHS-approved equivalent processes.
3) Non-Repudiation. The contractor must provide a system that implements FIPS 140-2 validated encryption that provides for origin authentication, data integrity, and signer non-repudiation.
Response Date:
042318
Sol Number:
18-236-SOL-00026