Censis Technologies, Inc.’s CensiTrac®, GovCloud™, Service® ScopeTrac™ Advanced, and LoanerLink® Licenses & Software Support

Statement of Work (SOW) Censis Technologies, Inc. s CensiTrac , GovCloud , Service+ , ScopeTrac Advanced, and LoanerLink Licenses & Software Support Page 2 of 3 The Department of Veterans Affairs, VISN 9 MidSouth Healthcare Network intends to award, on a sole-source basis, a fixed price purchase order to Censis Technologies, Inc., 4031 Aspen Grove Drive, Suite 350, Franklin, TN, 37067 in accordance with FAR 6.302-1. As part of this effort, the Contractor shall conduct requisite site assessments, mark and commission instruments, perform quality assurance testing, perform data validation, and load data standard-compliant data into the new system for all facilities within VISN 9. The Contract is to be effective for a full year, beginning from the date of obligation, with four additional option years to continue the service. (Please see draft performance work statement contained herein for a complete description of required services.) This notice of intent is not a request for competitive proposals. No solicitation document is available, and telephone requests will not be accepted. However, any responsible source who believes it is capable of meeting the requirement may submit a capability statement which shall be considered by the agency, only if received by the closing date and time of this notice. A determination not to compete with the proposed requirement based upon the responses to this notice is solely within the discretion of the government. Responses to this notice are due by Monday, August 27, 2025, at 12:00 PM CST by email to John.McDaniel1@va.gov. GENERAL INFORMATION Purpose: This requirement is for the procurement of system licensing and support which enables Veterans Integrated Service Networks (VISN) 9 Sterile Processing Departments to maximize the use of the CensiTrac Surgical Instrument Tracking system to include the Censis Technologies, Inc. s CensiTrac Surgical Instrument Tracking system, InstrumenTrac, ScopeTrac Advanced, LoanerLink , GovCloud Server, and Service+ Subscriptions. Scope of Work: The Contractor shall provide all resources necessary to accomplish the deliverables described in this (SOW, except as may otherwise be specified. Background: This solution is intended to help VISN 9 Sterile Processing Departments maximize the use of the Censis Technologies CensiTrac Instrument Tracking System, which is currently deployed at all VISN 9 Medical Centers. The software licenses being sought in this acquisition will provide access to additional CensiTrac Software Modules to include the Censis Technologies, Inc. s CensiTrac Surgical Instrument Tracking System, InstrumenTrac, ScopeTrac Advanced, LoanerLink , GovCloud Server, and Service+ Subscriptions. Performance Period: The contract period consists of a base period of performance that shall be twelve (12) months from 10/01/2025 through 09/30/2026. Delivery of software and associated licenses should be completed within ninety (90) days from the date of the award. Any required installation of software modules should be completed within 180 days of the award. Configuration of software and license activation should be completed within 180 days of the award. All associated services shall be delivered within twelve (12) months of the award. Type of Contract: Firm-Fixed-Price. Place of Performance: The Contractor will be expected to utilize a combination of remote and on-site support to satisfy the requirements outlined in this SOW. On-site support or delivery of physical deliverables will be provided at the following VISN 9 Medical Centers located at the following addresses: Facility (Medical Center) Address Veteran Affairs (VA) Lexington Health Care, Troy Bowling Campus 1101 Veterans Drive, Lexington, KY 40502 Robley Rex VA Medical Center (VAMC) 800 Zorn Avenue, Louisville, KY 40206 James H. Quillen VAMC Corner of Lamont Street and Veterans Way, Mountain Home, TN 37604 Lt. Col. Luke Weathers, Jr. VAMC 116 N Pauline St, Memphis, TN 38105 VA TN Valley Health Care, Nashville VAMC 1310 24th Avenue South, Nashville, TN 37212 VA TN Valley Health Care, Alvin C. York VAMC 3400 Lebanon Pike, Murfreesboro, TN 37129 Hours of Operation: Warehouse deliveries are accepted between 9am and 2:30pm local time, Monday through Friday, excluding holidays. Hospital hours of operation are between 8am and 4:30pm local time, Monday through Friday, excluding holidays. Facility (Medical Center) Time Zone Lexington Health Care, Troy Bowling Campus Eastern Time Zone (ET) Robley Rex VAMC Eastern Time Zone (ET) James H. Quillen VAMC Eastern Time Zone (ET) Lt. Col. Luke Weathers, Jr. VAMC Central Time Zone (CT) VA TN Valley Health Care, Nashville VAMC Central Time Zone (CT) VA TN Valley Health Care, Alvin C. York VAMC Central Time Zone (CT) Federal Holidays: New Year s Day January 1st Martin Luther King s Birthday 3rd Monday in January President s Day 3rd Monday in February Memorial Day Last Monday in May Juneteenth June 19th Independence Day July 4th Labor Day 1st Monday in September Columbus Day 2nd Monday in October Veteran s Day November 11th Thanksgiving Day Last Thursday in November Christmas Day December 25th *And any other day that may be designated as a federal holiday by Executive Order of the President of the United States GENERAL REQUIREMENTS The Contractor shall provide software subscription and licensing support for the Censis CensiTrac InstrumenTrac software module. The Contractor shall be responsible for licenses, technical and phone support for the CensiTrac SPS Instrumentation System. The Contractor shall facilitate the operation of the hardware and software in conjunction with all associated functions, upgrades, and components. The Contractor shall continue to support and facilitate the operation of the software and its components after all upgrades to include new versions. The Contractor shall provide support service for any disruption of functionality with the CensiTrac System. The Contractor shall assist with troubleshooting and taking corrective actions to return CensiTrac to its normal operation. The Contractor shall provide the subscription service for GovCloud support and maintenance to host the Censis System. Additionally, the Contractor shall provide any associated software licenses. The Contractor shall maintain remote access capabilities to the CensiTrac Software and Servers to diagnose and resolve issues while abiding by VA information security and privacy guidelines. The Contractor shall provide technical support 24 hours a day, seven (7) days a week via phone support. The Contractor shall provide a utilization assessment comprised of a comprehensive annual review of each site s CensiTrac data along with each site s department processes, to provide a methodical examination of each system. This service will include a comprehensive report outlining opportunities for improvement which can be utilized to identify knowledge and documentation gaps and support quality improvement activities. The Contractor shall provide one of three optional entitlements for each covered site to select from: A user training entitlement to include on-site training. For sites exercising this entitlement, the Contractor shall provide a custom training plan based on the outcome of the site utilization assessment. This training should address any gaps in the current department s use of the system, instruct new features, address system use gaps, and instruct on best practice recommendations. A data analysis entitlement. For sites exercising this entitlement, the Contractor shall provide data analysis service based on the outcome of the site utilization assessment. These data analysis projects focus on identifying opportunities to increase the efficiency, accuracy, and compliant use of the CensiTrac Instrument Tracking System. A one-week entitlement for instrument marking service. For sites exercising this entitlement, the vendor shall provide one-week of instrument marking service to include trays, peel packs and/or high-dollar instrumentation. The Contractor shall furnish the CensiTrac ScopeTrac Advanced Software Module and associated software licenses for tracking endoscope reprocessing and utilization. This software module shall: Facilitate the electronic tracking of endoscopes and endoscope reprocessing. Provide paperless reprocessing documentation Provide on-demand reporting capabilities. Provide access to preconfigured guided workflows. Enable quick access to endoscope instructions for use. The Contractor shall provide an interface to ingest data sent from Medivators Endoscope Reprocessors. The Contractor shall furnish the Censis LoanerLink Software Module and associated software licenses to provide advanced tracking of vendor loaner trays and equipment within the Censis platform. CHANGES TO SOW Any changes to this SOW shall be authorized and approved only through written correspondence from the Contracting Officer (CO). A copy of each change will be kept in a project folder along with all other products of the project. Costs incurred by the Contractor through the actions of parties other than the CO shall be borne by the Contractor. The Contractor shall only invoice for the total amount agreed to on this procurement service contract. The Contractor shall not conduct any work not included within this SOW / provided by the original pricing of this contract, including but not limited to labor, travel, parts provision, and shipping. If any additional service or equipment is necessary, the Contractor shall contact the Contracting Officer (CO) and the Contracting Officer Representative (COR) immediately. The Contractor shall be liable for any work conducted (or equipment provided) outside the scope of this SOW (original order) without approval from the CO. INVOICES Payment will be made upon receipt of a properly prepared detailed invoice, prepared by the Contractor, validated by the COR, and submitted electronically through OB-10 (https://portal.tungsten-network.com/). Annual subscriptions shall be invoiced immediately following the initiation of the subscription service. For subscriptions which are dependent on the installation of hardware and/or software, the subscription period shall not initiate until hardware and/or software have been delivered, installed, configured, implemented, and accepted by the COR. The Contractor shall be permitted to request acceptance from the COR following successful demonstration of system implementation (or go-live ). Monthly and quarterly subscriptions shall be invoiced in arrears, after the conclusion of each subscription period. A properly prepared invoice will contain: Invoice number and invoice date The Contractor s Name and Address Accurate Contract number or other authorization for supplies delivered or service performed (including purchase order number and line-item number). Description, quantity, unit of measure, unit price, and extended price of supplies delivered, or service performed. Each invoice line item should be matched to the corresponding contract line item (CLIN). The Contractor shall include the appropriate CLIN number in the invoice line-item description. For contracts with multiple locations of performance and for which CLIN numbers are repeated for each location, each invoice line item shall specify the corresponding location in addition to the CLIN number (i.e. Line Item 1 description is CLIN 001 Site A, Line Item 2 description is CLIN 001 Site B, etc.) Total amount due for all invoice line items For contracts requiring the delivery of hardware, the Contractor shall include evidence of shipment and delivery from the shipping carrier. INFORMATION SECURITY The Authorization requirements do not apply, and that a Security Accreditation Package is not required. APPENDIX C VA INFORMATION AND INFORMATION SYSTEM SECURITY AND PRIVACY LANGUAGE FOR INCLUSION IN CONTRACTS, AS APPROPRIATE NOTE: Any sections (1-14) which DO NOT apply should not be included in the SOW, Performance Work Statement (PWS), Product Description (PD) or contract. GENERAL. This entire section applies to all acquisitions requiring any Information Security and Privacy language. The Contractor s personnel will be subject to the same federal laws, regulations, standards, VA directives and handbooks, as VA personnel regarding information and information system security and privacy. VA INFORMATION CUSTODIAL LANGUAGE. This entire section applies to all acquisitions requiring any Information Security and Privacy language. The Government shall receive unlimited rights to data/intellectual property first produced and delivered in the performance of this contract or order (hereinafter contract ) unless expressly stated otherwise in this contract. This includes all rights to source code and all documentation created in support thereof. The primary clause used to define Government, and the Contractor data rights is FAR 52.227-14 Rights in Data General. The primary clause used to define computer software license (not data/intellectual property first produced under the Contractor or order) is FAR 52.227-19, Commercial Computer Software License. Information made available to the Contractor by VA for the performance or administration of this contract will be used only for the purposes specified in the service agreement, SOW, PWS, PD, and/or contract. The Contractor shall not use VA information in any other manner without prior written approval from a VA Contracting Officer (CO). The primary clause used to define Government and The Contractor data rights is FAR 52.227-14 Rights in Data General. VA information will not be co-mingled with any other data on the Contractor s information systems or media storage systems. The Contractor shall ensure compliance with Federal and VA requirements related to data protection, data encryption, physical data segregation, logical data segregation, classification requirements and media sanitization. VA reserves the right to conduct scheduled or unscheduled audits, assessments, or investigations of The Contractor Information Technology (IT) resources to ensure information security is compliant with Federal and VA requirements. The Contractor shall provide all necessary access to records (including electronic and documentary materials related to the contracts and support (including access to the Contractor staff associated with the contract) to the VA, VA's Office Inspector General (OIG), and/or Government Accountability Office (GAO) staff during periodic control assessments, audits, or investigations. The Contractor may only use VA information within the terms of the contract and applicable Federal law, regulations, and VA policies. If new Federal information security laws, regulations or VA policies become applicable after execution of the contract, the parties agree to negotiate contract modification and adjustment necessary to implement the new laws, regulations, and/or policies. The Contractor shall not make copies of VA information except as specifically authorized and necessary to perform the terms of the contract. If copies are made for restoration purposes, after the restoration is complete, the copies shall be destroyed in accordance with the VA Directive 6500, VA Cybersecurity Program and VA Information Security Knowledge Service. If a Veterans Health Administration (VHA) contract is terminated for default or cause with a business associate, the related local Business Associate Agreement (BAA) shall also be terminated and actions taken in accordance with VHA Directive 1605.05, Business Associate Agreements. If there is an executed national BAA associated with the contract, VA will determine what actions are appropriate and notify the contactor. The Contractor shall store and transmit VA sensitive information in an encrypted form, using VA-approved encryption tools which are, at a minimum, Federal Information Processing Standards (FIPS) 140-2, Security Requirements for Cryptographic Modules (or its successor) validated and in conformance with the VA Information Security Knowledge Service requirements. The Contractor shall transmit VA sensitive information using VA approved Transport Layer Security (TLS) configured with FIPS based cipher suites in conformance with National Institute of Standards and Technology (NIST) 800-52, Guidelines for the Selection, Configuration and Use of Transport Layer Security (TLS) Implementations. The Contractor s firewall and web service security controls, as applicable, shall meet or exceed VA s minimum requirements. Except for uses and disclosures of VA information authorized by this contract for performance of the contract, the Contractor may use and disclose VA information only in two situations: (i) in response to a qualifying order of a court of competent jurisdiction after notification to the VA CO (ii) with written approval from the VA CO. The Contractor shall refer all requests for, demands for production of or inquiries about, VA information and information systems to the VA CO for response. Notwithstanding the provision above, the Contractor shall not release VA records protected by Title 38 U.S.C. 5705, Confidentiality of medical quality- assurance records and/or Title 38 U.S.C. 7332, Confidentiality of certain medical records pertaining to drug addiction, sickle cell anemia, alcoholism or alcohol abuse or infection with Human Immunodeficiency Virus (HIV). If the Contractor is in receipt of a court order or other requests for the above-mentioned information, the Contractor shall immediately refer such court order or other requests to the VA CO for response. Information made available to the Contractor by VA for the performance or administration of this contract or information developed by the Contractor in performance or administration of the contract will be protected and secured in accordance with the VA Directive 6500 and Identity and Access Management (IAM) Security processes specified in the VA Information Security Knowledge Service. Any data destruction done on behalf of VA by a Contractor shall be done in accordance with National Archives and Records Administration (NARA) requirements as outlined in VA Directive 6300, Records and Information Management, VA Handbook 6300.1, Records Management Procedures, and applicable VA Records Control Schedules. The Contractor shall provide its plan for destruction of all VA data in its possession according to the VA Directive 6500 and NIST 800-88, Guidelines for Media Sanitization prior to termination or completion of this contract. If directed by the COR/CO, the Contractor shall return all Federal Records to the VA for disposition. Any media, such as paper, magnetic tape, magnetic disks, solid state devices or optical discs that are used to store, process, or access VA information that cannot be destroyed shall be returned to the VA. The Contractor shall hold the appropriate material until otherwise directed by the COR or CO. Items shall be returned securely via VA-approved methods. VA sensitive information must be transmitted utilizing VA-approved encryption tools which are validated under FIPS 140-2 (or its successor) and NIST 800-52. If mailed, the Contractor shall send via a trackable method (USPS, UPS, FedEx, etc.) and immediately provide the COR/CO with the tracking information. Self-certification by the Contractor that the data destruction requirements above have been met shall be sent to the COR/CO within 30 business days of termination of the contract. All electronic storage media (hard drives, optical disks, CDs, back-up tapes, etc.) used to store, process or access VA information will not be returned to the Contractor at the end of lease, loan, or trade-in. Exceptions to this paragraph will only be granted with the written approval of the CO. ACCESS TO THE VA INFORMATION AND VA INFORMATION SYSTEMS. This section applies when any person requires access to information made available to the Contractor by VA for the performance or administration of this contract or information developed by the Contractor in performance or administration of the contract. A The Contractor shall request logical (technical) or physical access to the VA information and VA information systems for their employees and only to the extent necessary to perform the service specified in the solicitation of the contract. The Contractor shall sign the VA Information Security Rule of Behavior (ROB) before access is provided to the VA information and information systems (see Section 4, Training, below). The ROB contains the minimum user compliance requirements and does not supersede any policies of VA facilities or other agency components which provide higher levels of protection to the VA s information or information systems. Users who require privileged access shall complete the VA elevated privilege access request processes before privileged access is granted. The Contractor s employees working with the VA information are subject to the same security investigative and clearance requirements as those of VA appointees or employees who have access to the same types of information. The level and process of background security investigations for the Contractor shall be in accordance with the VA Directive and Handbook 0710, Personnel Suitability and Security Program. The Office of Human Resources and Administration/Operations, Security and Preparedness (HRA/OSP) is responsible for these policies and procedures. Contract personnel who require access to classified information or information systems shall have an appropriate security clearance. Verification of a security clearance shall be processed through the Special Security Officer located in HRA/OSP. The Contractor shall conform to all requirements stated in the National Industrial Security Program Operating Manual (NISPOM). The Contractor shall comply with conditions specified in VAAR 852.204-71(d); The Contractor operations required to be in United States. The Contractor working with the VA information must be permanently located within a jurisdiction subject to the law of the United States or its Territories to the maximum extent feasible. The Contractor shall deliver to the VA a detailed plan specifically addressing communications, personnel control, data protection and potential legal issues. The plan shall be approved by the COR/CO in writing prior to access being granted. The Contractor shall notify the COR/CO in writing immediately (no later than 24 hours) after personnel separation or occurrence of other causes. Causes may include the following: The Contractor s personnel no longer have a need for access to the VA information or VA information systems. The Contractor d personnel are terminated, suspended, or otherwise have their work on a VA project discontinued for any reason. The Contractor believes their own personnel may pose a threat to their company s working environment or to any company- owned property. This includes The Contractor-owned assets, buildings, confidential data, customers, employees, networks, systems, trade secrets and/or VA data. Any previously undisclosed changes to the Contractor s background history are brought to light, including but not limited to changes to background investigation or employee records. The Contractor personnel have their authorization to work in the United States revoked. The agreement by which the Contractor provides products and service to the VA has either been fulfilled or terminated, such that VA can cut off electronic and/or physical access for The Contractor personnel. In such cases of contract fulfillment, termination, or other causes; the Contractor shall take the necessary measures to immediately revoke access to the VA network, property, information, and information systems (logical and physical) by the Contractor s personnel. These measures include (but are not limited to): removing and then securing Personal Identity Verification (PIV) badges and PIV Interoperable (PIV-I) access badges, VA-issued photo badges, credentials for the VA facilities and devices, VA-issued laptops, and authentication tokens. The Contractor shall notify the appropriate VA COR/CO immediately to initiate access removal. When the Contractor no longer requires VA accesses, all VA issued property must be returned to the VA. This property includes (but is not limited to) documents, electronic equipment, keys, and parking passes. PIV and PIV-I access badges shall be returned to the nearest VA PIV Badge Issuance Office. Once they have had access to the VA information, information systems, networks and VA property in their possessions removed, the Contractor shall notify the appropriate VA COR/CO. TRAINING. This entire section applies to all acquisitions which include section 3. The Contractor requiring access to the VA information and VA information systems shall successfully complete the following before being granted access to the VA information and its systems: VA Privacy and Information Security Awareness and Rules of Behavior course (Talent Management System (TMS) #10176) initially and annually thereafter. Sign and acknowledge (electronically through TMS #10176) understanding of and responsibilities for compliance with the Organizational Rules of Behavior, relating to access to the VA information and information systems initially and annually thereafter; and Successfully complete any additional cyber security or privacy training, as required for the VA personnel with equivalent information system or information access [to be defined by the VA program official and provided to the VA CO for inclusion in the solicitation document i.e., any role- based information security training]. The Contractor shall provide to the COR/CO a copy of the training certificates and certification of signing the Organizational Rules of Behavior for each applicable employee within five days of the initiation of the contract and annually thereafter, as required. Failure to complete the mandatory annual training is grounds for suspension or termination of all physical or electronic access privileges and removal from work on the contract until such time as the required training is complete. SECURITY INCIDENT INVESTIGATION. This entire section applies to all acquisitions requiring any Information Security and Privacy language. The Contractor s employees shall immediately (within one hour) report suspected security/ privacy incidents to the VA OIT s Enterprise Service Desk (ESD) by calling (855) 673-4357 (TTY: 711). The ESD is OIT s 24/7/365 single point of contact for IT-related issues. After reporting to the ESD, the Contractor The Contractor s employees or business associates shall, within one hour, provide the COR/CO the incident number received from the ESD. To the extent known by the Contractor's notice to the VA shall identify the information involved and the circumstances surrounding the incident, including the following: The date and time (or approximation of) the Security Incident occurred. The names of individuals involved (when applicable). The physical and logical (if applicable) location of the incident. Why did the Security Incident take place (i.e., catalyst for the failure). The amount of data belonging to the VA that is believed to have been compromised. The remediation measures the Contractor is taking to ensure no future incidents of a similar nature. After the Contractor has provided the initial detailed incident summary to the VA, they will continue to provide written updates on any new and relevant circumstances or facts they discover. The Contractor s employes shall fully cooperate with the VA or third-party entity performing an independent risk analysis on behalf of VA. Failure to cooperate may be deemed a material breach and grounds for contract termination. The Contractor shall follow the VA Handbook 6500, Risk Management Framework for the VA Information Systems VA Information Security Program, and VA Information Security Knowledge Service guidance for implementing an Incident Response Plan or integrating with an existing VA implementation. In instances of theft or break-in or other criminal activity, the Contractor must concurrently report the incident to the appropriate law enforcement entity (or entities) of jurisdiction, including the VA OIG, and the VA Office of Security and Law Enforcement. The Contractor s employees shall cooperate with the VA and any law enforcement authority responsible for the investigation and prosecution of any possible criminal law violation(s) associated with any incident. The Contractor shall cooperate with the VA in any civil litigation to recover VA information, obtain monetary or other compensation from a third party for damages arising from any incident, or obtain injunctive relief against any third party arising from, or related to, the incident. The Contractor shall comply with the VA Handbook 6500.2, Management of Breaches Involving Sensitive Personal Information, which establishes the breach management policies and assigns responsibilities for the oversight, management and reporting procedures associated with managing of breaches. With respect to unsecured Protected Health Information (PHI), the Contractor is deemed to have discovered a data breach when the Contractor knew or should have known of breach of such information. When a business associate is part of VHA contract, notification to the covered entity (VHA) shall be made in accordance with the executed BAA. If the Contractor or any of its agents fails to protect VA sensitive personal information or otherwise engages in conduct which results in a data breach involving any VA sensitive personal information the Contractor processes or maintains under the contract; the Contractor shall pay liquidated damages to the VA as set forth in clause 852.211-76, Liquidated Damages Reimbursement for Data Breach Costs. INFORMATION SYSTEM DESIGN AND DEVELOPMENT. This entire section applies to information systems, systems, major applications, minor applications, enclaves, and platform information technologies (to include the subcomponents of each) designed or developed for or on behalf of VA by any non-VA entity. Information systems designed or developed on behalf of VA at non-VA facilities shall comply with all applicable Federal law, regulations, and VA policies. This includes standards for the protection of electronic Protected Health Information (PHI), outlined in 45 C.F.R. Part 164, Subpart C and information and system security categorization level designations in accordance with FIPS 199, Standards for Security Categorization of Federal Information and Information Systems and FIPS 200, Minimum Security Requirements for Federal Information Systems. Baseline security controls shall be implemented commensurate with the FIPS 199 system security categorization (reference VA Handbook 6500 and VA Trusted Internet Connections (TIC) Architecture). Contracted new developments require creation, testing, evaluation, and authorization in compliance with the VA Assessment and Authorization (A&A) processes in VA Handbook 6500 and VA Information Security Knowledge Service to obtain an Authority to Operate (ATO). VA Directive 6517, Risk Management Framework for Cloud Computing Service, provides the security and privacy requirements for cloud environments. VA IT Contractor and third-party service providers shall address and/or integrate applicable VA Handbook 6500, VA Handbook 6517, Risk Management Framework for Cloud Computing Service and Information Security Knowledge Service specifications in delivered IT systems/solutions, products and/or service. If systems/solutions, products and/or service do not directly match VA security requirements, the Contractor shall work though the COR/CO to identify the VA organization responsible for governance or resolution. The Contractor shall comply with FAR 39.1, specifically the prohibitions referenced. The Contractor (including producers and resellers) shall comply with Office of Management and Budget (OMB) M-22-18 and M-23-16 when using third-party software on the VA information systems or otherwise affecting the VA information. This includes new software purchases and software renewals for software developed or modified by major version change after the issuance date of M- 22-18 (September 14, 2022). The term software includes firmware, operating systems, applications and application service (e.g., cloud-based software), as well as products containing software. The Contractor shall provide a self- attestation that secure software development practices are utilized as outlined by Executive Order (EO)14028 and NIST Guidance. A third-party assessment provided by either a certified Federal Risk and Authorization Management Program (FedRAMP) Third Party Assessor Organization (3PAO) or one approved by the agency will be acceptable in lieu of a software producer's self- attestation. The Contractor shall ensure all delivered applications, systems and information systems are compliant with Homeland Security Presidential Directive (HSPD) 12 and VA Identity and Access management (IAM) enterprise identity management requirements as set forth in OMB M-19-17, M-05-24, FIPS 201-3, Personal Identity Verification (PIV) of Federal Employees and The Contractor (or its successor), M-21-31 and supporting NIST guidance. This applies to Commercial Off-The-Shelf (COTS) product(s) that the Contractor did not develop, all software configurations and all customizations. The Contractor shall ensure all delivered applications and systems provide user authentication service compliant with the VA Handbook 6500, VA Information Security Knowledge Service, IAM enterprise requirements and NIST 800-63, Digital Identity Guidelines, for direct, assertion-based authentication and/or trust-based authentication, as determined by the design and integration patterns. Direct authentication at a minimum must include Public Key Infrastructure (PKI) based authentication supportive of PIV and/or Common Access Card (CAC), as determined by the business need and compliance with the VA Information Security Knowledge Service specifications. The Contractor shall use VA authorized technical security baseline configurations and certify to the COR that applications are fully functional and operate correctly as intended on systems in compliance with the VA baselines prior to acceptance or connection into an authorized VA computing environment. If the Defense Information Systems Agency (DISA) has created a Security Technical Implementation Guide (STIG) for the technology, the Contractor may configure to comply with that STIG. If VA determines a new or updated VA configuration baseline needs to be created, the Contractor shall provide the required technical support to develop the configuration settings. FAR 39.1 requires the population of operating systems and applications includes all listed on the NIST National Checklist Program Checklist Repository. The standard installation, operation, maintenance, updating and patching of software shall not alter the configuration settings from VA approved baseline configuration. Software developed for the VA must be compatible with the VA enterprise installer service and install to the default program files directory with silently install and uninstall. The Contractor shall perform testing of all updates and patching prior to implementation on the VA systems. Applications designed for normal end users will run in the standard user context without elevated system administration privileges. The Contractor-delivered solutions shall reside on the VA approved operating systems. Exceptions to this will only be granted with the written approval of the COR/CO. The Contractor shall design, develop, and implement security and privacy controls in accordance with the provisions of VA security system development life cycle outlined in NIST 800-37, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, VA Directive and Handbook 6500, and VA Handbook 6517. The Contractor shall comply with the Privacy Act of1974 (the Act), FAR 52.224- 2 Privacy Act, and VA rules and regulations issued under the Act in the design, development, or operation of any system of records on individuals to accomplish a VA function. The Contractor shall ensure the security of all procured or developed information systems, systems, major applications, minor applications, enclaves and platform information technologies, including their subcomponents (hereinafter referred to as Information Systems ) throughout the life of this contract and any extension, warranty, or maintenance periods. This includes security configurations, workarounds, patches, hotfixes, upgrades, replacements and any physical components which may be necessary to remediate all security vulnerabilities published or known to the Contractor anywhere in the information systems (including systems, operating systems, products, hardware, software, applications and firmware). The Contractor shall ensure security fixes do not negatively impact the Information Systems. When the Contractor is responsible for operations or maintenance of the systems, the Contractor shall apply the security fixes within the timeframe specified by the associated controls on the VA Information Security Knowledge Service. When security fixes involve installing third party patches (such as Microsoft OS patches or Adobe Acrobat), the Contractor shall provide written notice to the VA COR/CO that the patch has been validated as to not affecting the Systems within 10 business days. INFORMATION SYSTEM HOSTING, OPERATION, MAINTENANCE OR USE. This entire section applies to information systems, systems, major applications, minor applications, enclaves, and platform information technologies (cloud and non- cloud) hosted, operated, maintained, or used on behalf of VA at non-VA facilities. The Contractor shall comply with all Federal laws, regulations, and VA policies for Information systems (cloud and non-cloud) that are hosted, operated, maintained, or used on behalf of VA at non-VA facilities. Security controls for collecting, processing, transmitting, and storing of VA sensitive information, must be in place. The controls will be tested by VA or a VA sanctioned 3PAO and approved by VA prior to hosting, operation, maintenance or use of the information system or systems by or on behalf of VA. This includes conducting compliance risk assessments, security architecture analysis, routine vulnerability scanning, system patching, changing management procedures and the completion of an acceptable contingency plan for each system. The Contractor s security control procedures shall be the same as procedures used to secure VA-operated information systems. Outsourcing (The Contractor facility, equipment, or staff) systems or network operations, telecommunications service or other managed service require Assessment and Authorization (A&A) of the Contractor s systems in accordance with the VA Handbook 6500 as specified in VA Information Security Knowledge Service. Major changes to the A&A package may require reviewing and updating all the documentation associated with the change. The Contractor s cloud computing systems shall comply with FedRAMP and VA Directive 6517 requirements. The Contractor shall return all electronic storage media (hard drives, optical disks, CDs, back-up tapes, etc.) on non-VA leased or non-VA owned IT equipment used to store, process or access VA information to the VA in accordance with A&A package requirements. This applies when the contract is terminated or completed and prior to disposal of the media. The Contractor shall provide its plan for destruction of all VA data in its possession according to the VA Information Security Knowledge Service requirements and NIST 800-88. The Contractor shall send a self-certification that the data destruction requirements above have been met to the COR/CO within 30 business days of termination of the contract. All external internet connections to the VA network involving VA information must be in accordance with the VA Trusted Internet Connection (TIC) Reference Architecture and VA Directive and Handbook 6513, Secure External Connections and reviewed and approved by VA prior to implementation. Government-owned The Contractor-operated systems, third party or business partner networks require a Memorandum of Understanding (MOU) and Interconnection Security Agreements (ISA). The Contractor procedures shall be subject to periodic, announced, or unannounced assessments by VA officials, the OIG or a 3PAO. The physical security aspects associated with the Contractor activities are also subject to such assessments. The Contractor shall report, in writing, any deficiencies noted during the above assessment to the VA COR/CO. The Contractor shall use VA s defined processes to document planned remedial actions that address identified deficiencies in information security policies, procedures, and practices. The Contractor shall correct security deficiencies within the timeframes specified in the VA Information Security Knowledge Service. All major information system changes which occur in the production environment shall be reviewed by the VA to determine the impact on privacy and security of the system. Based on the review results, updates to the Authority to Operate (ATO) documentation and parameters may be required to remain in compliance with the VA Handbook 6500 and VA Information Security Knowledge Service requirements. The Contractor shall conduct an annual privacy and security self-assessment on all information systems and outsourced service as required. Copies of the assessment shall be provided to the COR/CO. The VA/Government reserves the right to conduct an assessment using government personnel or a third party if deemed necessary. The Contractor shall correct or mitigate any weaknesses discovered during the assessment. VA prohibits the installation and use of personally owned or the Contractor-owned equipment or software on the VA information systems. If non-VA owned equipment must be used to fulfill the requirements of a contract, it must be stated in the service agreement, SOW, PWS, PD or contract. All security controls required for government furnished equipment must be utilized in VA approved Other Equipment (OE). Configuration changes to the Contractor OE, must be funded by the owner of the equipment. All remote systems must use VA-approved antivirus software and a personal (host-based or enclave based) firewall with a VA-approved configuration. The Contractor shall ensure software on the OE is kept current with all critical updates and patches. Owners of the approved OE are responsible for providing and maintaining the anti-virus software and the firewall on the non-VA owned OE. Approved the Contractor OE will be subject to technical inspection at any time. The Contractor shall notify the COR/CO within one hour of disclosure or successful exploits of any vulnerability which can compromise the confidentiality, integrity, or availability of the information systems. The system or effected component(s) need(s) to be isolated from the network. A forensic analysis needs to be conducted jointly with the VA. Such issues will be remediated as quickly as practicable, but in no event longer than the timeframe specified by VA Information Security Knowledge Service. If sensitive personal information is compromised reference VA Handbook 6500.2 and Section 5, Security Incident Investigation. For cases wherein the Contractor discovers material defects or vulnerabilities impacting products and services they provide to the VA, the Contractor shall develop and implement policies and procedures for disclosure to the VA, as well as remediation. The Contractor shall, within 30 business days of discovery, document a summary of these vulnerabilities or defects. The documentation will include a description of the potential impact of each vulnerability and material defect, compensating security controls, mitigations, recommended corrective actions, FboNotice cause analysis and/or workarounds (i.e., monitoring). Should there exist any backdoors in the products or service they provide to the VA (referring to methods for bypassing computer authentication), the Contractor shall provide the VA CO/CO written assurance they have permanently remediated these backdoors. All other vulnerabilities, including those discovered through routine scans or other assessments, will be remediated based on risk, in accordance with the remediation timelines specified by the VA Information Security Knowledge Service and/or the applicable timeframe mandated by Cybersecurity & Infrastructure Security Agency (CISA) Binding Operational Directive (BOD) 22- 01 and BOD 19-02 for Internet-accessible systems. Exceptions to this paragraph will only be granted with the approval of the COR/CO. SECURITY AND PRIVACY CONTROLS COMPLIANCE TESTING, ASSESSMENT AND AUDITING. This entire section applies whenever section 6 or 7 is included. Should VA request it, the Contractor shall provide a copy of their (corporation s, sole proprietorship s, partnership s, limited liability company (LLC), or other business structure entity s) policies, procedures, evidence and independent report summaries related to specified cybersecurity frameworks (International Organization for Standardization (ISO), NIST Cybersecurity Framework (CSF), etc.). VA or its third-party/partner designee (if applicable) are further entitled to perform their own audits and security/penetration tests of the Contractor s IT or systems and controls, to ascertain whether the Contractor is complying with the information security, network or system requirements mandated in the agreement between VA and the Contractor. Any audits or tests of the Contractor or third-party designees/partner VA elects to carry out will commence within 30 business days of VA notification. Such audits, tests and assessments may include the following: (a): security/penetration tests which both sides agree will not unduly impact The Contractor operations; (b): interviews with pertinent stakeholders and practitioners; (c): document review; and (d): technical inspections of networks and systems the Contractor uses to destroy, maintain, receive, retain, or use VA information. As part of these audits, tests and assessments, the Contractor shall provide all information requested by VA. This information includes, but is not limited to, the following: equipment lists, network or infrastructure diagrams, relevant policy documents, system logs or details on information systems accessing, transporting, or processing VA data. The Contractor and at its own expense, shall comply with any recommendations resulting from VA audits, inspections and tests. VA further retains the right to view any related security reports the Contractor has generated as part of its own security assessment. The Contractor shall also notify VA of the existence of any such security reports or other related assessments, upon completion and validation. VA appointed auditors or other government agency partners may be granted access to such documentation on a need-to-know basis and coordinated through the COR/CO. The Contractor shall comply with recommendations which result from these regulatory assessments on the part of VA regulators and associated government agency partners. PRODUCT INTEGRITY, AUTHENTICITY, PROVENANCE, ANTI-COUNTERFEIT AND ANTI-TAMPERING. This entire section applies when the acquisition involves any product (application, hardware, or software) or when section 6 or 7 is included. The Contractor shall comply with Code of Federal Regulations (CFR) Title 15 Part 7, Securing the Information and Communications Technology and Service (ICTS) Supply Chain , which prohibits ICTS Transactions from foreign adversaries. ICTS Transactions are defined as any acquisition, importation, transfer, installation, dealing in or use of any information and communications technology or services, including ongoing activities, such as managed service, data transmission, software updates, repairs or the platforming or data hosting of applications for consumer download. When contracting terms require the Contractor to procure equipment, the Contractor shall purchase or acquire the equipment from an Original Equipment Manufacturer (OEM) or an authorized reseller of the OEM. The Contractor shall attest that equipment procured from an OEM or authorized reseller, or distributor is authentic. If procurement is unavailable from an OEM or authorized reseller, the Contractor shall submit in writing, details of the circumstances prohibiting this from happening and procure a product waiver from the VA COR/CO. The Contractor shall establish, implement, and provide documentation for risk management practices for supply chain delivery of hardware, software (to include patches) and firmware provided under this agreement. Documentation will include a chain of custody practices, inventory management program, information protection practices, integrity management program for sub-supplier provided components, and replacement parts requests. The Contractor shall make spare parts available. All The Contractor(s) shall specify how digital delivery for procured products, including patches, will be validated and monitored to ensure consistent delivery. The Contractor shall apply encryption technology to protect procured products throughout the delivery process. If the Contractor provides software or patches to the VA, the Contractor shall publish or provide a hash conforming to the FIPS Security Requirements for Cryptographic Modules (FIPS 140-2 or successor). The Contractor shall provide a software bill of materials (SBOM) for procured (to include licensed products) and consist of a list of components and associated metadata which make up the product. SBOMs must be generated in one of the data formats defined in the National Telecommunications and Information Administration (NTIA) report The Minimum Elements for a Software Bill of Materials (SBOM). The Contractor shall use or arrange for the use of trusted channels to ship procured products, such as U.S. registered mail and/or tamper-evident packaging for physical deliveries. Throughout the delivery process, the Contractor shall demonstrate a capability for detecting unauthorized access (tampering). The Contractor shall demonstrate chain-of-custody documentation for procured products and require tamper-evident packaging for the delivery of this hardware. VIRUSES, FIRMWARE AND MALWARE. This entire section applies when the acquisition involves any product (application, hardware, or software) or when section 6 or 7 is included. The Contractor shall execute due diligence to ensure all provided software and patches, including third-party patches, are free of viruses and/or malware before releasing them to or installing them on the VA information systems. The Contractor warrants it has no knowledge of and did not insert, any malicious virus and/or malware code into any software or patches provided to the VA which could potentially harm or disrupt VA information systems. The Contractor shall use due diligence, if supplying third-party software or patches, to ensure the third-party has not inserted any malicious code and/or virus which could damage or disrupt VA information systems. The Contractor shall provide or arrange for the provision of technical justification as to why any false positive hit has taken place to ensure their code s supply chain has not been compromised. Justification may be required, but is not limited to when install files, scripts, firmware, or other Contractor-delivered software solutions (including third-party install files, scripts, firmware, or other software) are flagged as malicious, infected, or suspicious by an anti-virus vendor. The Contractor shall not upload (intentionally or negligently) any virus, worm, malware or any harmful or malicious content, component and/or corrupted data/source code (hereinafter virus or other malware ) on to the VA computer and information systems and/or networks. If introduced (and this clause is violated), upon written request from the VA CO, the Contractor shall: Take all necessary actions to correct the incident, to include any and all assistance to the VA to eliminate the virus or other malware throughout VA s information networks, computer systems and information systems; and Use commercially reasonable efforts to restore operational efficiency and remediate damage due to data loss or data integrity damage, if the virus or other malware causes a loss of operational efficiency, data loss, or damage to data integrity. CRYPTOGRAPHIC REQUIREMENT. This entire section applies whenever the acquisition includes section 6 or 7 is included. The Contractor shall document how the cryptographic system supporting the Contractor s products and/or service protect the confidentiality, data integrity, authentication and non-repudiation of devices and data flows in the underlying system. The Contractor shall use only approved cryptographic methods as defined in FIPS 140-2 (or its successor) and NIST 800-52 standards when enabling encryption on its products. The Contractor shall provide or arrange for the provision of an automated remote key-establishment method which protects the confidentiality and integrity of the cryptographic keys. The Contractor shall ensure emergency re-keying of all devices can be remotely performed within 30 business days. The Contractor shall provide or arrange for the provision of a method for updating cryptographic primitives or algorithms. PATCHING GOVERNANCE. This entire section applies whenever the acquisition includes section 7 is included The Contractor shall provide documentation detailing the patch management, vulnerability management, mitigation and update processes (to include third-party) prior to the connection of electronic devices, assets or equipment to the VA s assets. This documentation will include information regarding the following: The resources and technical capabilities to sustain the program or process (e.g., how the integrity of a patch is validated by VA); and The approach and capability to remediate newly reported zero-day vulnerabilities for the Contractor s products. The Contractor shall verify and provide documentation all procured products (including third-party applications, hardware, software, operating systems, and firmware) have appropriate updates and patches installed prior to delivery to the VA. The Contractor shall provide or arrange the provision of appropriate software and firmware updates to remediate newly discovered vulnerabilities or weaknesses for their products and service within 30 days of discovery. Updates to remediate critical or emergent vulnerabilities will be provided within seven business days of discovery. If updates cannot be made available by The Contractor within these time periods, the Contractor shall submit mitigations, methods of exploit detection and/or workarounds to the COR/CO prior to the above deadlines. The Contractor shall provide or arrange for the provision of appropriate hardware, software and/or firmware updates, when those products, including open-source software, are provided to the VA, to remediate newly discovered vulnerabilities or weaknesses. Remediations of products or services provided to the VA s system environment must be provided within 30 business days of availability from the original supplier and/or patching source. Updates to remediate critical vulnerabilities applicable to the Contractor s use of the third- party product in its system environment will be provided within seven business days of availability from the original supplier and/or patching source. If applicable third-party updates cannot be integrated, tested and made available by The Contractor within these time periods, mitigations and/or workarounds will be provided to the COR/CO before the above deadlines. SPECIALIZED DEVICES/SYSTEMS (MEDICAL DEVICES, SPECIAL PURPOSE SYSTEMS, RESEARCH SCIENTIFIC COMPUTING). This entire section applies when the acquisition includes one or more Medical Device, Special Purpose System or Research Scientific Computing Device. If appropriate, ensure selected clauses from section 6 or 7 and 8 through 12 are included. The Contractor supplies/delivered Medical Devices, Special Purpose Systems- Operational Technology (SPS-OT) and Research Scientific Computing Devices shall comply with all applicable Federal law, regulations, and VA policies. New developments require creation, testing, evaluation, and authorization in compliance with processes specified on the Specialized Device Cybersecurity Department Enterprise Risk Management (SDCD-ERM) Portal, VA Directive 6550, Pre-Procurement Assessment and Implementation of Medical Devices/Systems, VA Handbook 6500, and the VA Information Security Knowledge Service. Deviations from Federal law, regulations, and VA Policy are identified and documented as part of VA Directive 6550 and/or the VA Enterprise Risk Analysis (ERA) processes for Specialized Devices/Systems processes. The Contractor shall address and/or integrate applicable VA Handbook 6500 and Information Security Knowledge Service specifications in delivered IT systems/solutions, products and/or service. If systems/solutions, products and/or service do not directly match VA security requirements, the Contractor shall work though the COR/CO for governance or resolution. The Contractor shall certify to the COR/CO that devices/systems that have completed the VA Enterprise Risk Analysis (ERA) process for Specialized Devices/Systems are fully functional and operate correctly as intended. Devices/systems must follow the VA ERA authorized configuration prior to acquisition and connection to the VA computing environment. If VA determines a new VA ERA needs to be created, the Contractor shall provide the required technical support to develop the configuration settings. Major changes to a previously approved device/system will require a new ERA. The Contractor shall comply with all practices documented by the Food Drug and Administration (FDA) Premarket Submission for Management of Cybersecurity in Medical Devices and Post-market Management of Cybersecurity in Medical Devices. The Contractor shall design devices capable of accepting all applicable security patches with or without the support of the Contractor personnel. If patching can only be completed by the Contractor, the Contractor shall commit the resources needed to patch all applicable devices at all VA locations. If unique patching instructions or packaging are needed, the Contractor shall provide the necessary information in conjunction with the validation/testing of the patch. The Contractor shall apply security patches within 30 business days of the patch release and have a formal tracking process for any security patches not implemented to include explanation when a device cannot be patched. The Contractor shall provide devices able to install and maintain VA-approved antivirus capabilities with the capability to quarantine files and be updated as needed in response to incidents. Alternatively, a VA-approved whitelisting application may be used when the Contractor cannot install an anti-virus / anti- malware application. The Contractor shall verify and document all software embedded within the device does not contain any known viruses or malware before delivery to or installation at a VA location. Devices and other equipment or systems containing media (hard drives, optical disks, solid state, and storage via chips/firmware) with the VA sensitive information will be returned to the Contractor with media removed. When the contract requires return of equipment, the options available to the Contractor are the following: The Contractor shall accept the system without the drive, firmware and solid state. VA s initial device purchase includes a spare drive or other replacement media which must be installed in place of the original drive at time of turn- in; or Due to the highly specialized and sometimes proprietary hardware and software associated with the device, if it is not possible for the VA to retain the hard drive, firmware, and solid state, then: The Contractor shall have an existing BAA if the device being traded in has sensitive information stored on it and the hard drive(s) from the system are being returned physically intact. Any fixed hard drive, Complementary Metal-Oxide-Semiconductor (CMOS), Programmable Read-Only Memory (PROM), solid state and firmware on the device must be non-destructively sanitized to the greatest extent possible without negatively impacting system operation. Selective clearing down to patient data folder level is recommended using VA approved and validated overwriting technologies/methods/tools. Applicable media sanitization specifications need to be pre-approved and described in the solicitation, contract, or order. DATA CENTER PROVISIONS. This entire section applies whenever the acquisition requires an interconnection to/from the VA network to/from a non-VA location. The Contractor shall ensure the VA network is accessed in accordance with the VA Directive 6500 and IAM security processes specified in the VA Information Security Knowledge Service. The Contractor shall ensure network infrastructure and data availability in accordance with the VA information system business continuity procedures specified in the VA Information Security Knowledge Service. The Contractor shall ensure any connections to the internet or other external networks for information systems occur through managed interfaces utilizing VA approved boundary protection devices (e.g., internet proxies, gateways, routers, firewalls, guards or encrypted tunnels). The Contractor shall encrypt all traffic across the segment of the Wide Area Network (WAN) it manages, and no unencrypted Out of Band (OOB) Internet Protocol (IP) traffic will traverse the network. The Contractor shall ensure tunnel endpoints are routable addresses at each VA operating site. The Contractor shall secure access from Local Area Networks (LANs) at co- located sites in accordance with the VA TIC Reference Architecture, VA Directive and Handbook 6513, and MOU/ISA process specified in the VA Information Security Knowledge Service.