
Q999--Olin E. Teague Veterans Medical Center Medical Service is seeking to purchase Sleep Devices Direct One Service

Agency: VETERANS AFFAIRS, DEPARTMENT OF
Level of Government: Federal
Category:
  • Q - Medical Services
Opps ID: NBD00159231371121344
Posted Date: Dec 28, 2022
Due Date: Jan 4, 2023
Solicitation No: 36C25723Q0231
Source: https://sam.gov/opp/7e3955c105...
Active
Contract Opportunity
Notice ID: 36C25723Q0231
Related Notice:
Department/Ind. Agency: VETERANS AFFAIRS, DEPARTMENT OF
Sub-tier: VETERANS AFFAIRS, DEPARTMENT OF
Office: 257-NETWORK CONTRACT OFFICE 17 (36C257)

General Information
  • Contract Opportunity Type: Sources Sought (Original)
  • All Dates/Times are: (UTC-06:00) CENTRAL STANDARD TIME, CHICAGO, USA
  • Original Published Date: Dec 28, 2022 04:58 pm CST
  • Original Response Date: Jan 04, 2023 05:00 pm CST
  • Inactive Policy: Manual
  • Original Inactive Date: Jan 19, 2023
  • Initiative:
    • None
Classification
  • Original Set Aside:
  • Product Service Code: Q999 - MEDICAL- OTHER
  • NAICS Code:
    • 339112 - Surgical and Medical Instrument Manufacturing
  • Place of Performance:
    Department of Veterans Affairs Olin E. Teague Veterans Medical Center Temple, TX 76504
    USA
Description
This Sources Sought Notice is for informational and planning purposes only and shall not be construed as a solicitation or as an obligation or commitment by the Government. This notice is intended strictly for Market Research. This is a Request for Information only. This is NOT a solicitation for proposals, proposal abstracts, or quotations.

The Department of Veterans Affairs Olin E. Teague Veterans Medical Center Medical Service in Temple, Texas intends to award a brand name or equal contract award for the purchase of SLEEP DEVICES DIRECT ONE SERVICE. The Government is conducting a market survey to help determine the availability and technical capability of qualified service-disabled veteran-owned small businesses, veteran-owned small businesses, small businesses, HUBZone small businesses and/or other large businesses capable of serving the needs identified below. This notice of intent is for open market as well as Federal Supply Schedule items.

The purpose of this notice is to gain knowledge of potential qualified sources and their size classification/socioeconomic status (service-disabled veteran-owned small business, veteran-owned small business, women-owned small business, HUBZone, 8(a), small business or large business), relative to NAICS 339112 with a size standard of 1000 employees. Responses to this notice will be used by the Government to make appropriate acquisition decisions. A solicitation is not currently available. If a solicitation is issued, it will be announced on the Federal Business Opportunities website http://www.fbo.gov or GSA E-Buy at a later date, and all interested parties must respond to that solicitation announcement separately from the responses to this announcement.

Your responses to the information requested will assist the Government in determining the appropriate acquisition method, including whether a set-aside is possible.

| ITEM NUMBER | DESCRIPTION OF SUPPLIES/SERVICES | QUANTITY | UNIT | UNIT PRICE | AMOUNT |
|---|---|---|---|---|---|
| 0001 | WatchPATOne Direct (LOCAL STOCK NUMBER: CS2116045) | 1,150.00 | EA | | |
| 0002 | WatchPATOne Direct Service (LOCAL STOCK NUMBER: CS2116046) | 1,150.00 | EA | | |

STATEMENT OF WORK
Watch-Pat One
Introduction/Background
The Central Texas Veterans Health Care System (CTVHCS) requires 1150 disposable ambulatory sleep monitor devices shipped directly to patients over a period of 12 months. Service requests a base, plus four option year contract.
Objectives
CTVHCS shall pursue an IDIQ follow-on contract for 36C25722P0297, disposable sleep monitoring devices worn on the wrist. VHA currently has a FSS contract with Itamar, V797D-30190, which includes a signed business associate's agreement to protect PHI on Itamar's server. Required sleep device shall utilize signal as a measurement of the pulsatile volume changes in the fingertip arteries, which reflects the relative state of the arterial vasomotor activity, and thus indirectly the level of sympathetic activation. Finger probe shall measure RED and IR (Infra-Red) channels, which are used for the measurement of the SpO2 signal. Devices shall be mailed to patients. Physicians shall have real-time access to sleep data and study results. System must be compatible with current equipment and software. Clinicians shall be able to access patient data collected within the past two years.
Scope of Work
Vendor shall provide 1150 disposable ambulatory sleep monitor devices over a period of twelve (12) months. Sleep devices shall be shipped directly to patients as prescribed by physician.
| Period of Performance | Description | Quantity |
|---|---|---|
| Base: 02/15/2023 - 02-14-2024 | WatchPat One Device | 1150 each |
| Base: 02/15/2023 - 02-14-2024 | WatchPat One Direct Service | 1150 each |
| Option 1: 02/15/2024 - 02-14-2025 | WatchPat One Device | 1150 each |
| Option 1: 02/15/2024 - 02-14-2025 | WatchPat One Direct Service | 1150 each |
| Option 2: 02/15/2025 - 02-14-2026 | WatchPat One Device | 1150 each |
| Option 2: 02/15/2025 - 02-14-2026 | WatchPat One Direct Service | 1150 each |
| Option 3: 02/15/2026 - 02-14-2027 | WatchPat One Device | 1150 each |
| Option 3: 02/15/2026 - 02-14-2027 | WatchPat One Direct Service | 1150 each |
| Option 4: 02/15/2027 - 02-14-2028 | WatchPat One Device | 1150 each |
| Option 4: 02/15/2027 - 02-14-2028 | WatchPat One Direct Service | 1150 each |

Security
C&A requirements do not apply, and a security Accreditation Package is not required. TRM has been verified and approved with constraints. Veterans Affairs must ensure VA sensitive data is properly protected in compliance with all VA regulations.
GENERAL
Contractors, contractor personnel, subcontractors, and subcontractor personnel shall be subject to the same Federal laws, regulations, standards, and VA Directives and Handbooks as VA and VA personnel regarding information and information system security.
SECTION 508 INFORMATION
This technology has not been assessed by the Section 508 Office. The Implementer of this technology has the responsibility to ensure the version deployed is 508-compliant. Section 508 compliance may be reviewed by the Section 508 Office and appropriate remedial action required if necessary. For additional information or assistance regarding Section 508, please contact the Section 508 Office at Section508@va.gov.
ACCESS TO VA INFORMATION AND VA INFORMATION SYSTEMS
A contractor/subcontractor shall request logical (technical) or physical access to VA information for their employees, subcontractors, and affiliates only to the extent necessary to perform the services specified in the contract, agreement, or task order.
VA INFORMATION CUSTODIAL LANGUAGE
a. Information made available to the contractor or subcontractor by VA for the performance or administration of this contract or information developed by the contractor/subcontractor in performance or administration of the contract shall be used only for those purposes and shall not be used in any other way without the prior written agreement of the VA. This clause expressly limits the contractor/subcontractor's rights to use data as described in Rights in Data - General, FAR 52.227-14(d)(1).
b. VA information should not be co-mingled, if possible, with any other data on the contractor's/subcontractor's information systems or media storage systems to ensure VA requirements related to data protection and media sanitization can be met. If co-mingling must be allowed to meet the requirements of the business need, the contractor must ensure that VA's information is returned to the VA or destroyed in accordance with VA's sanitization requirements. VA reserves the right to conduct onsite inspections of contractor and subcontractor IT resources to ensure data security controls, separation of data and job duties, and destruction/media sanitization procedures are in compliance with VA directive requirements.
c. Prior to termination or completion of this contract, contractor/subcontractor must not destroy information received from VA, or gathered/created by the contractor in the course of performing this contract without prior written approval by the VA. Any data destruction done on behalf of VA by a contractor/subcontractor must be done in accordance with National Archives and Records Administration (NARA) requirements as outlined in VA Directive 6300, Records and Information Management and its Handbook 6300.1 Records Management Procedures, applicable VA Records Control Schedules, and VA Handbook 6500.1, Electronic Media Sanitization. Self-certification by the contractor that the data destruction requirements above have been met must be sent to the VA Contracting Officer within 30 days of termination of the contract.
d. The contractor/subcontractor must receive, gather, store, back up, maintain, use, disclose and dispose of VA information only in compliance with the terms of the contract and applicable Federal and VA information confidentiality and security laws, regulations and policies. If Federal or VA information confidentiality and security laws, regulations and policies become applicable to the VA information or information systems after execution of the contract, or if NIST issues or updates applicable FIPS or Special Publications (SP) after execution of this contract, the parties agree to negotiate in good faith to implement the information confidentiality and security laws, regulations and policies in this contract.
e. The contractor/subcontractor shall not make copies of VA information except as authorized and necessary to perform the terms of the agreement or to preserve electronic information stored on contractor/subcontractor electronic storage media for restoration in case any electronic equipment or data used by the contractor/subcontractor needs to be restored to an operating state. If copies are made for restoration purposes, after the restoration is complete, the copies must be appropriately destroyed.
f. If VA determines that the contractor has violated any of the information confidentiality, privacy, and security provisions of the contract, it shall be sufficient grounds for VA to withhold payment to the contractor or third party or terminate the contract for default or terminate for cause under Federal Acquisition Regulation (FAR) part 12.
h. The contractor/subcontractor must store, transport, or transmit VA sensitive information in an encrypted form, using VA-approved encryption tools that are, at a minimum, FIPS 140-2 validated.
i. The contractor's/subcontractor's firewall and Web services security controls, if applicable, shall meet or exceed VA's minimum requirements. VA Configuration Guidelines are available upon request.
SURRENDER OF HDD AND MEDIA SANITIZATION PROCEDURES
Contractor will be required to remove HDD for disposal by approved Central Texas Veterans Health Care System methods.
SECURITY INCIDENT INVESTIGATION
a. The term security incident means an event that has, or could have, resulted in unauthorized access to, loss or damage to VA assets, or sensitive information, or an action that breaches VA security procedures. The contractor/subcontractor shall immediately notify the COTR and simultaneously, the designated ISSO and Privacy Officer for the contract of any known or suspected security/privacy incidents, or any unauthorized disclosure of sensitive information, including that contained in system(s) to which the contractor/subcontractor has access.
b. To the extent known by the contractor/subcontractor, the contractor's/subcontractor's notice to VA shall identify the information involved, the circumstances surrounding the incident (including to whom, how, when, and where the VA information or assets were placed at risk or compromised), and any other information that the contractor/subcontractor considers relevant.
LIQUIDATED DAMAGES FOR DATA BREACH
a. Consistent with the requirements of 38 U.S.C. §5725, a contract may require access to sensitive personal information. If so, the contractor is liable to VA for liquidated damages in the event of a data breach or privacy incident involving any SPI the contractor/subcontractor processes or maintains under this contract. However, it is the policy of VA to forgo collection of liquidated damages in the event the contractor provides payment of actual damages in an amount determined to be adequate by the agency.
b. The contractor/subcontractor shall provide notice to VA of a security incident as set forth in the Security Incident Investigation section above. Upon such notification, VA must secure from a non-Department entity or the VA Office of Inspector General an independent risk analysis of the data breach to determine the level of risk associated with the data breach for the potential misuse of any sensitive personal information involved in the data breach. The term 'data breach' means the loss, theft, or other unauthorized access, or any access other than that incidental to the scope of employment, to data containing sensitive personal information, in electronic or printed form, that results in the potential compromise of the confidentiality or integrity of the data. Contractor shall fully cooperate with the entity performing the risk analysis. Failure to cooperate may be deemed a material breach and grounds for contract termination.
c. Each risk analysis shall address all relevant information concerning the data breach, including the following:
(1) Nature of the event (loss, theft, unauthorized access);
(2) Description of the event, including:
(a) date of occurrence;
(b) data elements involved, including any PII, such as full name, social security number, date of birth, home address, account number, disability code;
(3) Number of individuals affected or potentially affected;
(4) Names of individuals or groups affected or potentially affected;
(5) Ease of logical data access to the lost, stolen or improperly accessed data considering the degree of protection for the data, e.g., unencrypted, plain text;
(6) Amount of time the data has been out of VA control;
(7) The likelihood that the sensitive personal information will or has been compromised (made accessible to and usable by unauthorized persons);
(8) Known misuses of data containing sensitive personal information, if any;
(9) Assessment of the potential harm to the affected individuals;
(10) Data breach analysis as outlined in 6500.2 Handbook, Management of Security and Privacy Incidents, as appropriate; and
(11) Whether credit protection services may assist record subjects in avoiding or mitigating the results of identity theft based on the sensitive personal information that may have been compromised.
(12) Based on the determinations of the independent risk analysis, the contractor shall be responsible for paying to the VA liquidated damages per affected individual to cover the cost of providing credit protection services to affected individuals consisting of the following:
(a) Notification
(b) One year of credit monitoring services consisting of automatic daily monitoring of at least 3 relevant credit bureau reports;
(c) Data breach analysis;
(d) Fraud resolution services, including writing dispute letters, initiating fraud alerts and credit freezes, to assist affected individuals to bring matters to resolution;
(e) One year of identity theft insurance with $20,000.00 coverage at $0 deductible; and
(f) Necessary legal expenses the subjects may incur to repair falsified or damaged credit records, histories, or financial affairs.

TECHNICAL REFERENCE MODEL
Users must ensure their use of this technology/standard is consistent with VA policies and standards, including, but not limited to, VA Handbooks 6102 and 6500; VA Directives 6004, 6513, and 6517; and National Institute of Standards and Technology (NIST) standards, including Federal Information Processing Standards (FIPS). Users must ensure sensitive data is properly protected in compliance with all VA regulations. Prior to use of this technology, users should check with their supervisor, Information Systems Security Officer (ISSO), Facility Chief Information Officer (CIO), or local Office of Information and Technology (OI&T) representative to ensure that all actions are consistent with current VA policies and procedures prior to implementation.

Decision Constraints

[1]
Veterans Affairs (VA) users must ensure VA sensitive data is protected properly in accordance with VA Handbook 6500 and the Federal Information Security Management Act (FISMA). Per VA Handbook 6500, FIPS 140-2 certified encryption must be used to protect and encrypt data in transit and at rest if Personally Identifiable Information/Protected Health Information/VA (PII/PHI/VA) sensitive information is involved. If FIPS 140-2 certified encryption is not used, additional mitigating controls must be documented in an approved System Security Plan (SSP). In addition, the technology must be implemented within the VA production network (not in a Demilitarized Zone (DMZ)) unless the specific uses and instances of the technology are approved by the Enterprise Security Change Control Board (ESCCB). All instances of deployment using this technology should be reviewed by the local ISSO (Information Systems Security Officer) to ensure compliance with VA Handbook 6500. In cases where the technology is used for external connections, a full ESCCB review is required in accordance with VA Directive 6004, VA Directive 6517 and VA Directive 6513.

[2]
Veterans Affairs (VA) users must ensure VA sensitive data is properly protected in compliance with all VA regulations. All instances of deployment using this technology should be reviewed by the local ISSO (Information Systems Security Officer) to ensure compliance with VA Handbook 6500.

[3]
Per the May 5th, 2015 memorandum from the VA Chief Information Systems Security Officer (CISSO) FIPS 140-2 Validate Full Disk Encryption (FDE) for Data at Rest in Database Management Systems (DBMS) and in accordance with Federal requirements and VA policy, database management must use Federal Information Processing Standards (FIPS) 140-2 compliant encryption to protect the confidentiality and integrity of VA information at rest at the application level. If FIPS 140-2 encryption at the application level is not technically possible, FIPS 140-2 compliant full disk encryption (FDE) must be implemented on the hard drive where the DBMS resides. Appropriate access enforcement and physical security control must also be implemented. All instances of deployment using this technology should be reviewed to ensure compliance with VA Handbook 6500 and National Institute of Standards and Technology (NIST) standards. It is the responsibility of the system owner to work with the local CIO (or designee) and Information Systems Security Officer (ISSO) to ensure that a compliant DBMS technology is selected and that if needed, mitigating controls are in place and documented in a System Security Plan (SSP).

[4]
Veterans Affairs (VA) users must ensure VA sensitive data is properly protected in compliance with all VA regulations. All instances of deployment using this technology should be reviewed by the local ISSO (Information Systems Security Officer) to ensure compliance with VA Handbook 6500.

[5]
Per the May 5th, 2015 memorandum from the VA Chief Information Systems Security Officer (CISSO) FIPS 140-2 Validate Full Disk Encryption (FDE) for Data at Rest in Database Management Systems (DBMS) and in accordance with Federal requirements and VA policy, database management must use Federal Information Processing Standards (FIPS) 140-2 compliant encryption to protect the confidentiality and integrity of VA information at rest at the application level. If FIPS 140-2 encryption at the application level is not technically possible, FIPS 140-2 compliant full disk encryption (FDE) must be implemented on the hard drive where the DBMS resides. Appropriate access enforcement and physical security control must also be implemented. All instances of deployment using this technology should be reviewed to ensure compliance with VA Handbook 6500 and National Institute of Standards and Technology (NIST) standards. It is the responsibility of the system owner to work with the local CIO (or designee) and Information Systems Security Officer (ISSO) to ensure that a compliant DBMS technology is selected and that if needed, mitigating controls are in place and documented in a System Security Plan (SSP).

[6]
Per the May 5th, 2015 memorandum from the VA Chief Information Systems Security Officer (CISSO) FIPS 140-2 Validate Full Disk Encryption (FDE) for Data at Rest in Database Management Systems (DBMS) and in accordance with Federal requirements and VA policy, database management must use Federal Information Processing Standards (FIPS) 140-2 compliant encryption to protect the confidentiality and integrity of VA information at rest at the application level. If FIPS 140-2 encryption at the application level is not technically possible, FIPS 140-2 compliant full disk encryption (FDE) must be implemented on the hard drive where the DBMS resides. Appropriate access enforcement and physical security control must also be implemented. All instances of deployment using this technology should be reviewed to ensure compliance with VA Handbook 6500 and National Institute of Standards and Technology (NIST) standards. It is the responsibility of the system owner to work with the local CIO (or designee) and Information Systems Security Officer (ISSO) to ensure that a compliant DBMS technology is selected and that if needed, mitigating controls are in place and documented in a System Security Plan (SSP).

[7]
Technology must remain patched and operated in accordance with Federal and Department security policies and guidelines in order to mitigate known and future security vulnerabilities.

[8]
Users should check with their supervisor, Information Security Office (ISSO) or local OIT representative for permission to download and use this software. Downloaded software must always be scanned for viruses prior to installation to prevent adware or malware. Freeware may only be downloaded directly from the primary site that the creator of the software has advertised for public download and user or development community engagement. Users should note that any attempt by the installation process to install any additional, unrelated software is not approved, and the user should take the proper steps to decline those installations.

[9]
Users must ensure that Microsoft Structured Query Language (SQL) Server and Microsoft .NET Framework are implemented with VA-approved baselines (refer to the Category tab under Runtime Dependencies).






Salient Characteristic
Disposable Sleep Devices

Disposable Equipment
Non-Invasive
Battery Powered
Cleared by the FDA
Worn on wrist
Finger-mounted probe
Statistical and graphical presentation of the results
Night data view capabilities
High Accuracy with Central Sleep Apnea Identification.
Compatible with current WatchPat equipment and systems.
Attachments/Links
Contact Information
Contracting Office Address
  • 2301 E. LAMAR BLVD
  • ARLINGTON, TX 76006
  • USA
Primary Point of Contact
Secondary Point of Contact


History
  • Dec 28, 2022 04:58 pm CST: Sources Sought (Original)
