Brand Name or Equal - SEND Explorer Plus Upgrades -Warehouse Licenses and Annual Maintenance

U.S. Food and Drug AdministrationSEND Explorer Plus Upgrades - Warehouse Licenses and Annual MaintenanceBrand Name or EqualThis is a combined synopsis/solicitation for commercial items prepared in accordance with the format in Subpart 12.6, as supplemented with additional information included in this notice. This announcement constitutes the only solicitation; proposals are being requested and a separate written solicitation will not be issued. The solicitation is being issued in accordance with FAR Part 13 under the simplified acquisition procedures.The Request for Proposal number is FDA-SOL-19-1214696. Provisions and clauses in effect through Federal Acquisition Circular 05-44 are incorporated into this request. It is the contractor's responsibility to be familiar with the applicable clauses and provisions. The provisions and clauses may be accessed in full text at www.acquisition.gov/far.1. BackgroundThe Office of

Biostatistics and Epidemiology HIVE group (OBE/HIVE) supports review of CDISC-SEND standardized submissions for FDA nonclinical review with SEND Explorer. SEND Explorer is user-friendly, web-based software that is specifically designed to load and display CDISC-SEND formatted datasets without manipulation. Send Explorer Warehouse provides tabular views and summary views for numeric SEND domains including summary statistics, scatterplots for each time point, a visual indication of data points that are different from controls, and % of control calculations. Additionally it provides severity heat maps for MA, MI, and TF Domains. A single animal detail view which can be accessed from tabular views by hyperlink shows results from multiple user-selected study endpoints across domains for the selected animal and provides scatter plots to compare findings for the selected animal to others in the study. Multiple studies can be combined into visualizations, including a correlations matrix for comparing numeric findings, scatter plots to compare an endpoint between studies across a time course, and a visualization to identify patterns in histopathology findings across studies. The SEND Explorer Warehouse upgrade provides the ability to address sponsor specific differences between studies, reload updated studies, maintain and review load history, and load data on-demand from Watch Folders to automate data loading upon receipt to FDA. The software is approved for use on the FDA Network.2. ObjectiveThe FDA CBER Office of Biostatistics and Epidemiology is seeking SEND Explorer Plus upgrades to SEND Explorer Warehouse.3. Brand Name or Equal Requirements:Salient Characteristics and Specifications for the Servers and Switches Configuration:If proposing an alternate solution, the Contractor shall ensure that the proposed solution meets the following salient characteristics.Compatibility:The software licenses the contractor provides: shall have a web-based user interface and support deployment on a cloud computing cluster shall support multiple concurrent users shall work in IE 11, Chrome 50 or later, and Firefox 44 or later shall load CDISC-SEND datasets that are compliant with SENDIG v3.0 shall provide tabular views and summary views for numeric SEND domains to includeo summary statisticso scatterplots for each time pointo a visual indication of data points that are different from controlo percentage of control calculations shall provide a severity heatmap for MA, MI, and TF domains shall support hiding columns, sorting, and filtering in tabular view shall export data to Excel shall provide support for comments, supplemental qualifiers, and related records shall provide single animal detail view which can be accessed from tabular views by hyperlink that show results from multiple user-selected study endpoints across domains for the selected animal, and provide scatter plots to compare findings for the selected animal to others in the study shall provide a way to combine multiple studies into visualizations, including a correlations matrix for comparing numeric findings, scatter plots to compare an endpoint between studies across a time course, and a visualization to identify patterns in histopathology findings across studies 4. Specific Tasks/DeliverablesThe Contractor shall provide warranty and technical support for theitems listed in section 4.A. Software Requirements:Item Quantity1 Upgrade perpetual licenses to SEND Explorer Warehouse including an annual support and maintenance including Annual Support and Maintenance 12 Option Year 1 - Annual Support and Maintenance 13 Option Year2 - Annual Support and Maintenance 15. Period of PerformanceThe Contractor shall deliver equipment within 30 days of award.The warranty and technical support period of performance is:09/30/2019 - 09/29/2020 (Base Year)09/30/2020 - 09/29/2021 (Option Year 1)09/30/2021 - 09/29/2022 (Option Year 2)6. Place of Performance/DeliveryFood & Drug Administration CBER10903 New Hampshire Ave.Building 75, Room G632Silver Spring MD 20993ATTN: Anton Golikov7. Inspection and AcceptanceThe COR/designee shall review all Reporting Requirements/Deliverables in accordance with specifications and standards identified in the task order. The acceptance of equipment and satisfactory work performance, required herein, shall be based upon the timeliness, accuracy, quality of the deliverables.The COR/designee shall perform inspection and acceptance of materials and services. Inspection and acceptance shall be performed at 10903 New Hampshire Ave, Silver Spring, MD 20993-0002 (FDA Campus). FDA shall have 10 days for inspection and acceptance, after which the deliverable will be deemed, accepted. The Contractor shall have 5 business days to fix the deliverable if FDA deems it unacceptable. 8. Security and Privacy RequirementBASELINE SECURITY REQUIREMENTS1) Applicability. The requirements herein apply whether the entire contract or order (hereafter "contract"), or portion thereof, includes either or both of the following:2) Access (Physical or Logical) to Government Information: A Contractor (and/or any subcontractor) employee will have or will be given the ability to have, routine physical (entry) or logical (electronic) access to government information.a. Operate a Federal System Containing Information: A Contractor (and/or any subcontractor) will operate a federal system and information technology containing data that supports the HHS mission. In addition to the Federal Acquisition Regulation (FAR) Subpart 2.1 definition of "information technology" (IT), the term as used in this section includes computers, ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services (including support services), and related resources.3) Safeguarding Information and Information Systems. In accordance with the Federal InformationProcessing Standards Publication (FIPS)199, Standards for Security Categorization of Federal Information and Information Systems, the Contractor (and/or any subcontractor) shall:a. Protect government information and information systems in order to ensure:• Confidentiality, which means preserving authorized restrictions on access and disclosure, based on the security terms found in this contract, including means for protecting personal privacy and proprietary information;• Integrity, which means guarding against improper information modification or destruction, and ensuring information non-repudiation and authenticity; and• Availability, which means ensuring timely and reliable access to and use of information.b. Provide security for any Contractor systems, and information contained therein, connected to an FDA network or operated by the Contractor on behalf of FDA regardless of location. In addition, if new or unanticipated threats or hazards are discovered by either the agency or contractor, or if existing safeguards have ceased to function, the discoverer shall immediately, within one (1) hour or less, bring the situation to the attention of the other party. This includes notifying the FDA Systems Management Center (SMC) within one (1) hour of discovery/detection in the event of an information security incident.c. Adopt and implement the policies, procedures, controls, and standards required by the HHS/FDA Information Security Program to ensure the confidentiality, integrity, and availability of government information and government information systems for which the Contractor is responsible under this contract or to which the Contractor may otherwise have access under this contract. Obtain the FDA Information Security Program security requirements, outlined in the FDA Information Security and Privacy Policy (IS2P), by contacting the CO/COR or emailing your ISSO.d. Comply with the Privacy Act requirements and tailor FAR clauses as needed.4) Information Security Categorization. In accordance with FIPS 199 and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-60, Volume II: Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories, Appendix C, and based on information provided by the ISSO or other security representative, the risk level for each Security Objective and the Overall Risk Level, which is the highest watermark of the three factors (Confidentiality, Integrity, and Availability) of the information or information system are the following:Confidentiality: [x] Low [ ] Moderate [ ] HighIntegrity: [x] Low [ ] Moderate [ ] HighAvailability: [x] Low [ ] Moderate [ ] HighOverall Risk Level: [x] Low [ ] Moderate [ ] HighBased on information provided by the Privacy Office, system/data owner, or other privacy representative, it has been determined that this solicitation/contract involves:[x] No PII [ ] Yes PIIPersonally Identifiable Information (PII). Per the OMB Circular A-130, "PII is information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual." Examples of PII include, but are not limited to the following: Social Security number, date and place of birth, mother's maiden name, biometric records, etc.PII Confidentiality Impact Level has been determined to be: [x] Low [ ] Moderate [ ] High5) Controlled Unclassified Information (CUI). CUI is defined as "information that laws, regulations, or Government-wide policies require to have safeguarding or dissemination controls, excluding classified information." The Contractor (and/or any subcontractor) must comply with Executive Order 13556, Controlled Unclassified Information, (implemented at 3 CFR, part 2002) when handling CUI. 32 C.F.R. 2002.4(aa). As implemented the term "handling" refers to "...any use of CUI, including but not limited to marking, safeguarding, transporting, disseminating, re- using, and disposing of the information." 81 Fed. Reg. 63323. All sensitive information that has been identified as CUI by a regulation or statute, handled by this solicitation/contract, shall be:a. marked appropriately;b. disclosed to authorized personnel on a Need-To-Know basis;c. protected in accordance with NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations applicable baseline if handled by a Contractor system operated on behalf of the agency, or NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations if handled by internal Contractor system; andd. returned to FDA control, destroyed when no longer needed, or held until otherwise directed. Destruction of information and/or data shall be accomplished in accordance with NIST SP 800-88, Guidelines for Media Sanitization and the FDA IS2P Appendix T: Sanitization of Computer-Related Storage Media.6) Protection of Sensitive Information. For security purposes, information is or may be sensitive because it requires security to protect its confidentiality, integrity, and/or availability. The Contractor (and/or any subcontractor) shall protect all government information that is or may be sensitive in accordance with OMB Memorandum M-06-16, Protection of Sensitive Agency Information by securing it with a FIPS 140-2 validated solution.Confidentiality and Nondisclosure of Information. Any information provided to the contractor (and/or any subcontractor) by FDA or collected by the contractor on behalf of FDA shall be used only for the purpose of carrying out the provisions of this contract and shall not be disclosed or made known in any manner to any persons except as may be necessary in the performance of the contract. The Contractor assumes responsibility for protection of the confidentiality of Government records and shall ensure that all work performed by its employees and subcontractors shall be under the supervision of the Contractor. Each Contractor employee or any of its subcontractors to whom any FDA records may be made available or disclosed shall be notified in writing by the Contractor that information disclosed to such employee or subcontractor can be used only for that purpose and to the extent authorized herein.The confidentiality, integrity, and availability of such information shall be protected in accordance with HHS and FDA policies. Unauthorized disclosure of information will be subject to the HHS/FDA sanction policies and/or governed by the following laws and regulations:a. 18 U.S.C. 641 (Criminal Code: Public Money, Property or Records);b. 18 U.S.C. 1905 (Criminal Code: Disclosure of Confidential Information); andc. 44 U.S.C. Chapter 35, Subchapter I (Paperwork Reduction Act).7) Internet Protocol Version 6 (IPv6). All procurements using Internet Protocol shall comply with OMB Memorandum M-05-22, Transition Planning for Internet Protocol Version 6 (IPv6).8) Government Websites. All new and existing public-facing government websites must be securely configured with Hypertext Transfer Protocol Secure (HTTPS) using the most recent version of Transport Layer Security (TLS). In addition, HTTPS shall enable HTTP Strict Transport Security (HSTS) to instruct compliant browsers to assume HTTPS at all times to reduce the number of insecure redirects and protect against attacks that attempt to downgrade connections to plain HTTP. For internal-facing websites, the HTTPS is not required, but it is highly recommended.9) Contract Documentation. The Contractor shall use FDA-provided templates, policies, forms and other agency documents to comply with contract deliverables as appropriate.10) Standard for Encryption. The Contractor (and/or any subcontractor) shall:a. Comply with the HHS Standard for Encryption of Computing Devices and Information to prevent unauthorized access to government information.b. Encrypt all sensitive federal data and information (i.e., PII, protected health information [PHI], proprietary information, etc.) in transit (i.e., email, network connections, etc.) and at rest (i.e., servers, storage devices, mobile devices, backup media, etc.) with FIPS 140-2 validated encryption solution.c. All devices (i.e.: desktops, laptops, mobile devices, etc.) that store, transmit, or process non-public FDA information should utilize FDA-provided or FDA information security authorized devices that meet HHS and FDA-specific encryption standard requirements. Maintain a complete and current inventory of all laptop computers, desktop computers, and other mobile devices and portable media that store or process sensitive government information (including PII).d. Verify that the encryption solutions in use are compliant with FIPS 140-2. The Contractor shall provide a written copy of the validation documentation to the COR.e. Use the Key Management system on the HHS Personal Identification Verification (PIV) card or establish and use a key recovery mechanism to ensure the ability for authorized personnel to encrypt/decrypt information and recover encryption keys. Encryption keys (PIV card) shall be provided to the COR upon request and at the conclusion of the contract. Upon completion of contract, contractor ensures that COR is able to access and read any encrypted data.11) Contractor Non-Disclosure Agreement (NDA). Each Contractor (and/or any subcontractor) employee having access to non-public government information under this contract shall complete the FDA non- disclosure agreement (3398 Form), as applicable. A copy of each signed and witnessed NDA shall be submitted to the CO and/or COR prior to performing any work under this acquisition.12) Privacy Threshold Analysis (PTA)/Privacy Impact Assessment (PIA) - The Contractor shall assist the procuring activity representative, program office and the FDA SOP or designee with conducting a PTA for the information system and/or information handled under this contract to determine whether or not a full PIA needs to be completed.a. If the results of the PTA show that a full PIA is needed, the Contractor shall assist procuring activity representative, program office and the FDA SOP or designee with completing a PIA for the system or information after completion of the PTA and in accordance with HHS and FDA policy and OMB M- 03-22, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002. The PTA/PIA must be completed and approved prior to active use and/or collection or processing of PII and is a prerequisite to agency issuance of an authorization to operate (ATO).b. The Contractor shall assist the procuring activity representative, program office and the FDA SOP or designee in reviewing and updating the PIA at least every three years throughout the Enterprise Performance Life Cycle (EPLC) /information lifecycle, or when determined by the agency that a review is required based on a major change to the system, or when new types of PII are collected that introduces new or increased privacy risks, whichever comes first.1.1.1 B. TRAINING13) Mandatory Training for All Contractor Staff. All Contractor (and/or any subcontractor) employees assigned to work on this contract shall complete the applicable FDA Contractor Information Security Awareness, Privacy, and Records Management training (provided upon contract award) before performing any work under this contract. Thereafter, the employees shall complete FDA Information Security Awareness, Privacy, and Records Management training at least annually, during the life of this contract. All provided training shall be compliant with HHS and FDA training policies.14) Role-based Training. All Contractor (and/or any subcontractor) employees with significant security responsibilities (as determined by the program manager) must complete role-based training annually commensurate with their role and responsibilities in accordance with HHS and FDA policy and FDA Role-Based Training (RBT) of Personnel with Significant Security Responsibilities Standard Operating Procedures (SOP).15) Training Records. The Contractor (and/or any subcontractor) shall maintain training records for all its employees working under this contract in accordance with HHS and FDA policy. A copy of the training records shall be provided to the CO and/or COR within 30 days after contract award and annually thereafter or upon request.1.1.2 C. RULES OF BEHAVIOR16) The Contractor (and/or any subcontractor) shall ensure that all employees performing on the contract comply with the HHS Information Technology General Rules of Behavior.17) All Contractor employees performing on the contract must read and adhere to the Rules of Behavior (ROB) before accessing HHS and FDA data or other information, systems, and/or networks that store/process government information, initially at the beginning of the contract and at least annually thereafter, which may be done as part of annual FDA Information Security Awareness Training. If the training is provided by the contractor, the signed ROB must be provided as a separate deliverable to the CO and/or COR per defined timelines.1.1.3 D. INCIDENT RESPONSEThe Contractor (and/or any subcontractor) shall respond to all alerts/Indicators of Compromise (IOCs) provided by HHS Computer Security Incident Response Center (CSIRC)/FDA SMC /Incident Response Team (IRT) teams within 24 hours, whether the response is positive or negative.FISMA defines an incident as "an occurrence that (1) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or (2) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies." The HHS Policy for IT Security and Privacy Incident Reporting and Response further defines incidents as events involving cybersecurity and privacy threats, such as viruses, malicious user activity, loss of, unauthorized disclosure or destruction of data, and so on.A privacy breach is a type of incident and is defined by FISMA as the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where (1) a person other than an authorized user accesses or potentially accesses personally identifiable information or (2) an authorized user accesses or potentially accesses personally identifiable information for an other than authorized purpose. The HHS Policy for IT Security and Privacy Incident Reporting and Response further defines a breach as "a suspected or confirmed incident involving PII."In the event of a suspected or confirmed incident or breach, the Contractor (and/or any subcontractor) shall:18) Protect all sensitive information, including any PII created, stored, or transmitted in the performance of this contract to avoid a secondary sensitive information incident with FIPS 140-2 validated encryption.19) NOT notify affected individuals unless so instructed by the Contracting Officer or designated representative. If so instructed by the Contracting Officer or representative, the Contractor shall send FDA approved notifications to affected individuals as directed by FDA's SOP.20) Report all suspected and confirmed information security and privacy incidents and breaches to the FDA Systems Management Center, COR, CO, and other stakeholders, (Recommend adding the FDA Senior Official for Privacy with contact information and either defining or deleting "other stakeholders.") including incidents involving PII, in any medium or form, including paper, oral, or electronic, as soon as possible and without unreasonable delay, no later than one (1) hour of discovery/detection, and consistent with the applicable FDA and HHS policy and procedures, NIST standards and guidelines, as well as US- CERT notification guidelines. The types of information required in an incident report must include at a minimum: company and point of contact information, contract information, impact classifications/threat vector, and the type of information compromised. In addition, the Contractor shall:a. cooperate and exchange any information, as determined by the Agency, necessary to effectively manage or mitigate a suspected or confirmed breach;b. not include any sensitive information in the subject or body of any reporting e-mail; andc. encrypt sensitive information in attachments to email, media, etc.21) Comply with OMB M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information and HHS and FDA incident response policies when handling PII breaches.22) Provide full access and cooperate on all activities as determined by the Government to ensure an effective incident response, including providing all requested images, log files, and event information to facilitate rapid resolution of sensitive information incidents. This may involve disconnecting the system processing, storing, or transmitting the sensitive information from the Internet or other networks or applying additional security controls. This may also involve physical access to contractor facilities during a breach/incident investigation demand.1.1.4 E. POSITION SENSITIVITY DESIGNATIONSAll Contractor (and/or any subcontractor) employees must obtain a background investigation commensurate with their position sensitivity designation that complies with Parts 1400 and 731 of Title 5, Code of Federal Regulations (CFR). The following position sensitivity designation levels apply to this solicitation/contract: Tier 21.1.5 F. HOMELAND SECURITY PRESIDENTIAL DIRECTIVE (HSPD)- 12The Contractor (and/or any subcontractor) and its employees shall comply with Homeland Security Presidential Directive (HSPD)-12, Policy for a Common Identification Standard for Federal Employees and Contractors; OMB M-05-24; FIPS 201, Personal Identity Verification (PIV) of Federal Employees and Contractors; HHS HSPD-12 policy; and Executive Order 13467, Part 1 §1.2.Roster. The Contractor (and/or any subcontractor) shall submit a roster by name, position, e-mail address, phone number and responsibility, of all staff working under this acquisition where the Contractor will develop, have the ability to access, or host and/or maintain a government information system(s). The roster and any revisions to the roster as a result of staffing changes shall be submitted to the COR and/or CO per the COR or CO's direction. Any revisions to the roster as a result of staffing changes shall be submitted within a timeline as directed by the COR and/or CO. The COR will notify the Contractor of the appropriate level of investigation required for each staff member.If the employee is filling a new position, the Contractor shall provide a position description and the Government will determine the appropriate suitability level.1.1.6 G. CONTRACT INITIATION AND EXPIRATION23) General Security Requirements. The Contractor (and/or any subcontractor) shall comply with information security and privacy requirements, Enterprise Performance Life Cycle (EPLC) processes, HHS Enterprise Architecture requirements to ensure information is appropriately protected from initiation to expiration of the contract. All information systems development or enhancement tasks supported by the contractor shall follow the FDA EPLC framework and methodology in accordance with the FDA EPLC Project documentation, located here: http://sharepoint.fda.gov/orgs/DelMgmtSupport/IntakeProc/EPLCv2/SitePages/v2/EPLCHome.aspxHHS EA requirements may be located here: https://www.hhs.gov/about/agencies/asa/ocio/index.html24) System Documentation. Contractors (and/or any subcontractors) must follow and adhere to NIST SP 800-64, Security Considerations in the System Development Life Cycle, at a minimum, for system development and provide system documentation at designated intervals (specifically, at the expiration of the contract) within the EPLC that require artifact review and approval.25) Sanitization of Government Files and Information. As part of contract closeout and at expiration of the contract, the Contractor (and/or any subcontractor) shall provide all required documentation in accordance with FDA OAGS SMGs to the CO and/or COR to certify that, at the government's direction, all electronic and paper records are appropriately disposed of and all devices and media are sanitized in accordance with NIST SP 800-88, Guidelines for Media Sanitization and FDA IS2P Appendix T: Sanitization of Computer-Related Storage Media26) Notification. The Contractor (and/or any subcontractor) shall notify the CO and/or COR as soon as it is known that an employee will stop working under this contract.27) Contractor Responsibilities Upon Physical Completion of the Contract. The contractor (and/or any subcontractors) shall return all government information and IT resources (i.e., government information in non-government-owned systems, media, and backup systems) acquired during the term of this contract to the CO and/or COR. Additionally, the Contractor shall provide a certification that all government information has been properly sanitized and purged from Contractor-owned systems, including backup systems and media used during contract performance, in accordance with HHS and/or FDA policies.28) The Contractor (and/or any subcontractor) shall coordinate with the COR via email, copying the Contract Specialist, to ensure that the appropriate person performs and documents the actions identified in the FDA eDepart system http://inside.fda.gov:9003/EmployeeResources/NewEmployee/eDepartDepartureSystem/default.htm as soon as it is known that an employee will terminate work under this contract within days of the employee's exit from the contract. All documentation shall be made available to the CO and/or COR upon request.1.1.7 H. RECORDS AND MANAGEMENT AND RETENTIONThe Contractor (and/or any subcontractor) shall maintain all information in accordance with Executive Order 13556 - Controlled Unclassified Information, National Archives and Records Administration (NARA) records retention policies and schedules and HHS/FDA policies and shall not dispose of any records unless authorized by HHS/FDA.In the event that a contractor (and/or any subcontractor) accidentally disposes of or destroys a record without proper authorization, it shall be documented and reported as an incident in accordance with HHS/FDA policies.8. Contractor Personnel Security Clearance Standards and Residency Requirements (October 2017)1. BACKGROUND - The Office of the Assistant Secretary for Management and Budget, Department of Health and Human Services (DHHS), requires that Contractor employees (including subcontractors) who will be working in DHHS-owned or leased space and/or who will have access to DHHS equipment, and non-public privileged, proprietary, or trade secret information, must undergo a background investigation that results in a favorable determination.Contractor employees who will work in DHHS-owned or leased space for less than thirty (30) days are considered visitors and are exempted from background investigation requirements; and therefore, will not be issued a Personal Identity Verification (PIV) Card. These contractor employees go through visitor screening each day and must be escorted at all time while in DHHS-owned or leased space.2. GENERAL - The Contractor shall submit the following items to the Contracting Officer's Representative (COR), within five (5) business days of commencement of work under this contract:• A roster of contractor employee names, identifying Key Personnel and Tier designation(s);• Confirmation all individual employee security information has been submitted properly; and• "Contractor's Commitment to Protect Non-public Information Agreement" forms signed by each employee named in the roster.Pursuant to HSPD-12, the Contractor shall advise its prospective employees about the security and background requirements stated hereinFor any individual who does not obtain a favorable background investigation he/she must cease work on the contract immediately.If a Contractor employee changes job responsibilities under this contract, the Contractor shall notify the COR, and the Government will make a determination whether an additional security clearance is required.In the event there are any proposed personnel changes in the Contractor's staffing roster previously submitted to the COR, the Contractor must submit an updated roster to the COR, along with a brief explanation for the change. In turn, the COR will initiate the procedures stated herein to ensure any new contractor employees obtain a PIV card in a timely manner - prior to that individual commencing work under the contract.Note: If the proposed personnel change is for a position designated Key Personnel under the contract, a complete justification - along with a resume or curriculum vitae - must be submitted to the Contracting Officer and COR for review and approval. If approved, the Contracting Officer will execute a Contract Modification prior to that individual commencing work under the contract.3. BACKGROUND INVESTIGATIONS - With the exception of costs associated with fingerprinting Contractor employees outside of the FDA Personnel Security Office, the Government will conduct all required background investigations at no cost to the Contractor. The cost of fingerprinting Contractor employees at any location other than the FDA Personnel Security Office will be borne by the Contractor. Employees who hold or have previously held a Government security clearance shall advise the FDA Personnel Security Staff of the details of such clearance.Note: Background investigations will be conducted by the Office of Personnel Management (OPM)4. CONTRACT RISK DESIGNATION(S) - Contractor employees who will be in DHHS-owned or leased space for thirty (30) days or more must be able to obtain and shall obtain a PIV card pursuant to Homeland Security Presidential Directive-12 (HSPD-12) in order to access to DHHS-owned or leased property without an escort. (See Section 6 for details on the PIV Card process) However, in the event that work must commence before a security screening can be completed, contractor employees will be considered visitors, as described above, and allowed onto DHHS-owned or leased property, but must be escorted at all times.All Contractor employees who undergo a background investigation are required to log onto the Office of Personnel Management's (OPM's) Electronic Questionnaire for Investigation Processing system (e-Qip) system. The FDA Personnel Security Specialist will provide access to the e-Qip as well as guidance as to which forms will be required. The forms required vary with the position risk designations for the contract.All standard forms submitted to the FDA will be forwarded to the Office of Personnel Management (OPM) to initiate background investigations. The assigned FDA Personnel Security Specialist will resolve with the contractor employee any issues arising out of inaccurate or incomplete forms.The Risk Designation(s) for this contract is/are Tier(s): Tier 1There are three (3) potential position risk designations, which are:• Non-Sensitive Low Risk (Tier 1) - Positions which involve the lowest degree of adverse impact on the efficiency of the Agency. The forms set forth by the FDA Personnel Security Specialist are required for Non-Sensitive Low Risk Positions.• Sensitive Moderate Risk (Tier 2) or Sensitive High Risk (Tier 4) - Public Trust Positions - Positions in which the incumbent's actions or inaction could diminish public confidence in the integrity, efficiency, or effectiveness of assigned Government activities, whether or not actual damage occurs.In order to access the e-QIP system, Contractor employees must provide the appropriate FDA Personnel Security Specialist with the following information: (a) full name; (b) position title; (c) social security number; (d) date of birth; (e) place of birth; (f) email address; and (g) phone number. This information will be provided on the e-Qip form that will be electronically sent to the employee. The FDA Personnel Security Specialist will use this information to enter each Contractor employee into the e-QIP system. Once this is done, each Contractor employee will receive an email that contains a web link to access the e-QIP system, as well as instructions and additional forms needed to initiate the background investigation.A Contractor's failure to comply with the e-QIP processing guidelines will result in that Contractor's employees being denied access to FDA property until all security processing has been completed. Furthermore, any such noncompliance may detrimentally impact Contractor performance, Contractor performance evaluations, rights and remedies available at law and equity retained by the Government.5. PERSONAL IDENTITY VERIFICATION (PIV) CARDS - All PIV Cards (and any other type of Government-issued Access Card) shall remain the property of the Federal Government. At any time, if a Contractor employee is terminated or otherwise ceases work under the contract, or no longer requires a PIV Card for contract performance purposes, the Contractor shall collect the individual's PIV card and immediately notify FDA Personnel Security Staff in writing, with copies to the respective COR and Contracting Officer. The Contractor shall immediately return the PIV Card(s) to the COR.Because PIV Cards, like other Government-issued Access Cards are Government property, Contractors and Contractor Employees are hereby placed on notice that any abuse, destruction, defacement, unauthorized transfer or withholding (i.e., failure to return to the Government) may be punishable to the greatest extent at law.Unauthorized possession of a PIV Card, or any other type of Government-issued Access Card, and/or willfully allowing any other person to have or to use your Access Card, is prohibited and can be criminally prosecuted under 18 U.S.C. §§ 499 and 70I, which prohibit photographing or otherwise reproducing or possessing HHS identification cards in an unauthorized manner, under penalty of fine, imprisonment, or both. Wrongdoers may also be held financially responsible for any/all civil and equitable remedies - to include, but not limited to, damages for any pecuniary loss suffered by the Government as a result of any of the above-listed actions or failure to act.6. PIV CARD PROCESS - The COR will sponsor Contractor employees on the Form HHS 745 and HHS Smart Card Management System (SCMS) for the purpose of obtaining an FDA PIV Card. In order to obtain a PIV card, a Contractor employee must receive a favorable FBI fingerprint return and complete required security forms. The FDA Personnel Security Specialist shall provide the Contractor employee(s) direction for scheduling fingerprinting appointments at the FDA location or other approved location.During a fingerprint appointment, each contractor employee must present two (2) forms of identification in order to receive his or her PIV Card. One form of identification must be a government-issued photo identification document. Acceptable forms of identification are listed inAppendix A, provided below. An individual who receives an unfavorable report may appeal that finding by submitting a written request to the FDA Personnel Security Specialist.Required background investigations may include, but are not limited to:• Review of prior Government/military personnel records;• Review of FBI records and fingerprint files;• Searches of credit bureaus;• Personal interviews; and• Written inquiries covering the subject's background.7. RESIDENCY REQUIREMENTS FOR FOREIGN NATIONALS - Under the requirements for Homeland Security Presidential Directive-12 (HSPD-12), OPM can complete a background investigation only for persons who have resided in the U.S. for a total of at least three (3) of the past five (5). The residency requirements apply only to foreign nationals (emphasis added). Therefore, Offerors/Contractors are strongly advised to inquire of any prospective foreign national hires as to whether or not they have resided in the U.S. for a total of at least three (3) of the past five (5) years. If any prospective foreign national contractor/subcontractor employee does not meet the residency requirements, he/she cannot qualify for a PIV Card under HSPD-12.8. NON-PUBLIC DATA PROTECTION - The Contractor shall protect the privacy of all information reported by or about Contractor employees and shall protect against unauthorized disclosure.*Upon a favorable fingerprint return, the Contractor will be notified to return to the Badging and Credentialing Office for their building pass.*Food and Drug Administration Badging and Credentialing Office8:00 a.m. - 11:00 a.m. and 1:00 p.m. - 3:00 p.m., Eastern Time 10903 New Hampshire AvenueBuilding 32, Room 1205 Silver Spring, MD 20993No appointment necessaryTelephone: (301) 796-40009. Government Point of ContactsContracting Officer:Jacquelyne NgegbaJacquelyne.Ngegba@fda.hhs.gov301-796-6761Contracting Officer Representative:To Be Determined9. Information Technology Investment Management/Master Approved Technologies ListThe item acquired may require approval by the Food and Drug Administration (FDA) Office of Information Management (OIM) for operation in FDA's Information Technology environment (IT Investment Management Process/Master Approved Technologies List). Any item proposed not previously tested and approved for IT environment operations may require testing by OIM before award. Offerors must provide a full set of technical specifications with their offer. FDA will determine if further testing of the item is required. Consequently, the offeror shall be prepared to provide FDA with a demonstration unit within 2 days of offer submission.10. 508 Standard Requirements• E101.2 Equivalent Facilitation (Appendix A, Application and Scoping Requirements)• E203 Access to Functionality (Appendix A, Application and Scoping Requirements)• E204 Functional Performance Criteria (Appendix A, Application and Scoping Requirements)• E205 Electronic Content (Appendix A, Application and Scoping)• 302 Functional Performance Criteria (Appendix C, Application and Scoping Requirements)• Chapter 4 Hardware11. FAR/HHSAR Clauses and Provisions:The below Federal Acquisition Regulation (FAR) Clauses apply. FAR Clauses can be viewed in full text at: http://www.acquisition.gov/far/current/html/FARTOCP52.html#wp37248252.211-6 Brand Name or Equal (Aug 1999)52.203-19 Prohibition on Requiring Certain Internal Confidentiality Agreements or Statements (Jan 2017)52.204-23 - Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab and Other Covered Entities (Jul 2018)52.223-16 IEEE 1680 Standard for the Environmental Assessment of Personal Computer Products. (ALT I)52.232-18 Availability of Funds (Apr 1984)52.232-40 Providing Accelerated Payments to Small Business Subcontractors (Dec 2013)52.227-19 Commercial Computer Software License (Dec 2007)52.217-5 Evaluation of Options (Jul 1990)52.212-4(a) Contract Terms and Conditions - Commercial Items (Feb 2012)(End of clause)The below Health and Human Services Acquisition Regulation (HHSAR) Clauses apply.HHSAR Clauses can be viewed in full text at:http://www.hhs.gov/policies/hhsar/subpart352.html#subpart352.1--Instructions for Using Provisions and Clauses352.201 Definitions ( Jan. 2006)352.270-12 Tobacco Free Facilities352.203-70 Anti-Lobbying (December 2015)352.224-70 Privacy Act (December 2015)52.224-71 Confidential Information (December 2015)352.222-70 Contractor Cooperation in Equal Employment Opportunity Investigations (December 2015)352.237-74 Non-Discrimination in Service Delivery (December 2015)352.239-73 Electronic and Information Technology Accessibility Notice (December 2015)(End of clause)12. Other Pertinent Information or Special Consideration12.1. Confidential Treatment of Sensitive InformationThe Contractor shall guarantee strict confidentiality of the information/data that it is provided by the government during the performance of the task order. The Government has determined that the information/data that the Contractor will be providing during the performance of the task order is of a sensitive nature.Disclosure of the information/data, in whole or in part, by the Contractor can only be made after the Contractor receives prior written approval from the Contracting officer. Whenever the contractor is uncertain with regard to the proper handling of information/data under the contract, the Contractor shall obtain a written determination from the Contracting Officer.12.2. Contracting Officer's AuthorityThe Contracting Officer identified above has responsibility for ensuring the performance of all necessary actions for effective contracting; ensuring compliance with the terms of the contract and safeguarding the interests of the United States in its contractual relationship. The CO is the only individual who has the authority to enter contractual relationships. The CO is the only individual who has the authority to enter into, administer, or terminate this contract and is the only person authorized to approve change to any of the requirements under this contract, and notwithstanding any provision contained elsewhere in this contract, this authority remains solely with the CO. No statement, whether oral or written, by anyone other than the CO shall be interpreted as modifying the terms and condition of this requirement. It is the Contractor's responsibility to contact the CO immediately if there is even the appearance of any technical direction that is or may be outside the scope of the contract. The Government will not reimburse the Contractor for any work not authorized by the CO including work outside the scope of the Contract.A completed version of the chart below (or something substantially similar) shall be included in the quote for the base year and two (2) additional quantities (shall be separately priced). In addition to this pricing information, the Vendor shall provide product specifications for the specific items that are listed above.CLIN DESCRIPTION MANUFACTURER/PART NUMBER UNITS UNIT PRICE TOTAL PRICE1 Base Year: Upgrade perpetual licenses to SEND Explorer Warehouse including One Year Support and Maintenance 12 Option Year 1- Annual Support and Maintenance 13 Option Year 2 - Annual Support and Maintenance 1Quoters' shall submit all applicable terms and conditions in full text as attachments, appendix, or exhibits.Quoters' are advised that additional terms and conditions submitted with their quotations that are in conflict with the terms and conditions of this solicitation may be deemed as technically unacceptable and as such not be considered for award.Quoters' shall submit Product Accessibility Templates (PAT) in full text with their quotations (attached). Additional PAT information can be found at: https://www.hhs.gov/web/section-508/contracting/index.html Failure to submit a PAT may deem a quote as technical unacceptable and as such not be considered for award.Quoters' shall submit all assumptions in their quotation.Quoters' shall notify the Contract Specialist/Contracting Officer immediately if this requirement is registered by a reseller with the Original Equipment Manufacturer (OEM).Quoters' shall provide documentation of been an authorized reseller and/or servicing agent for the solution.Evaluation CriteriaAll quotations will be evaluated on a Lowest Priced Technically Acceptable (LPTA) basis. The award will be made to the lowest price vendor who demonstrates that all requirements of the solicitation are met. Failure to demonstrate meeting any of the requirements or instructions will result in a rating of technically unacceptable and will not be considered for award. Incomplete quotations will not be considered for award.The offeror or applicant shall submit all electronic documents for Microsoft Office suite products without the use of "macros". If the offeror or applicant submits documents that contain macros the Government will not be able to view or open such documents and the submission will be considered non-responsive to the solicitation. No additional time will be given to an offeror or applicant to correct the document submission and the Government will not inform the offeror or applicant that their submission is non-responsive prior to award. It is the offeror's or applicant's responsibility to ensure all electronic documents are submitted without the use of macros. END OF SOLICITATION Contact Information: Jacquelyne A. Ngegba, Contract Officer, Phone 3017966761, Email Jacquelyne.Ngegba@fda.hhs.gov Office Address :4041 Powder Mill Road Beltsville MD 20705 Location: Office of Acquisitions and Grants Services - Rockville Set Aside: N/A