VLER Direct CA/RA Services
PerformanceWorkStatementTemplate_NOV_10_2014
STATEMENT OF WORK (SOW)
DEPARTMENT OF VETERANS AFFAIRS
Veteran's Administration VLER Direct CA-RA Services
Date: May 29, 2018
BACKGROUND
Over 70 percent of Veterans who receive health care from the Veteran's Administration (VA) also receive care in the private sector, and much of this care is paid for by the VA. To facilitate the best health care for Veterans, their health information must be shared securely and efficiently between the VA and private sector partners. The Virtual Lifetime Electronic Record (VLER) Health, a VA program to support secure, electronic exchange of health information, has two sections: 1) VLER Health Exchange, where a VA user queries non-VA partners to obtain Veteran health information in real time, and 2) VLER Health Direct, which allows point-to-point, email-like sharing of health information.
VLER Health Direct requires a concrete mechanism for validation and certification of the Direct exchange of electronic health care information. DirectTrust provides such a mechanism. DirectTrust is a non-profit healthcare-based alliance focused on creating standards and maintaining rules and policies for Direct exchange. DirectTrust's primary work is centered on building the security and trust-in-identity layer for the operation of Direct exchange.
The alliance's Security and Trust Framework is the basis for a voluntary accreditation and audit program serving Direct implementers/service providers. These providers include: 1) Health Internet Service Providers (HISPs), 2) Certificate Authorities (CAs) and 3) Registration Authorities (RAs). This program is known as the Direct Trust Agent Accreditation Program (DTAAP), which is an operating partnership with the Electronic Healthcare Network Accreditation Commission (EHNAC).
VLER Health Direct holds, and must continue to hold, DTAAP HISP accreditation; ongoing RA/CA services from a contractor will play a key role in maintaining this accreditation.
Participation in the EHNAC/DTAAP Accreditation Program:
Validates technical, security, trust, and business practice conformance.
Assures HISP-to-HISP interoperability among accredited Trust Agents.
Reduces risk to PHI and operations through the demonstration of a risk management program with effective controls that appropriately minimize threats.
Prepares organizations for implementing secure communications in support of Meaningful Use requirements by the Office of the National Coordinator (ONC) including secure, scalable, standards-based methods for sending authenticated, encrypted health information to known, trusted recipients.
APPLICABLE DOCUMENTS
In the performance of the tasks associated with this Statement of Work, the Contractor shall comply with the following:
44 U.S.C. § 3541, Federal Information Security Management Act (FISMA) of 2002
Federal Information Processing Standards (FIPS) Publication 140-2, Security Requirements For Cryptographic Modules
FIPS Pub 201-2, Personal Identity Verification of Federal Employees and Contractors, August 2013
10 U.S.C. § 2224, "Defense Information Assurance Program"
Carnegie Mellon Software Engineering Institute, Capability Maturity Model® Integration for Development (CMMI-DEV), Version 1.3, November 2010; and Carnegie Mellon Software Engineering Institute, Capability Maturity Model® Integration for Acquisition (CMMI-ACQ), Version 1.3, November 2010
5 U.S.C. § 552a, as amended, The Privacy Act of 1974
42 U.S.C. § 2000d, Title VI of the Civil Rights Act of 1964
VA Directive 0710, Personnel Suitability and Security Program, June 4, 2010, http://www1.va.gov/vapubs/
VA Handbook 0710, Personnel Suitability and Security Program, September 10, 2004, http://www1.va.gov/vapubs/
VA Directive and Handbook 6102, Internet/Intranet Services, July 15, 2008
36 C.F.R. Part 1194 Electronic and Information Technology Accessibility Standards, July 1, 2003
Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, November 28, 2000
32 C.F.R. Part 199, Civilian Health and Medical Program of the Uniformed Services (CHAMPUS)
An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, October 2008
Sections 504 and 508 of the Rehabilitation Act (29 U.S.C. § 794d), as amended by the Workforce Investment Act of 1998 (P.L. 105-220), August 7, 1998
Homeland Security Presidential Directive (12) (HSPD-12), August 27, 2004
VA Directive 6500, Managing Information Security Risk: VA Information Security Program, September 20, 2012
VA Handbook 6500, Risk Management Framework for VA Information Systems Tier 3: VA Information Security Program, September 20, 2012
VA Handbook 6500.2, Management of Data Breaches Involving Sensitive Personal Information (SPI), January 6, 2012
VA Handbook 6500.3, Assessment, Authorization, And Continuous Monitoring Of VA Information Systems, February 3, 2014
VA Handbook 6500.5, Incorporating Security and Privacy in System Development Lifecycle, March 22, 2010
VA Handbook 6500.6, Contract Security, March 12, 2010
Project Management Accountability System (PMAS) portal (reference https://www.voa.va.gov/pmas/)
Technical Reference Model (TRM) (reference at http://www.va.gov/trm/TRMHomePage.asp)
National Institute of Standards and Technology (NIST) Special Publications (SP)
VA Directive 6508, VA Privacy Impact Assessment, October 3, 2008
VA Directive 6300, Records and Information Management, February 26, 2009
VA Handbook 6300.1, Records Management Procedures, March 24, 2010
OMB Memorandum, Transition to IPv6, September 28, 2010
VA Directive 0735, Homeland Security Presidential Directive 12 (HSPD-12) Program, February 17, 2011
VA Handbook 0735, Homeland Security Presidential Directive 12 (HSPD-12) Program, March 20, 2014
OMB Memorandum M-06-18, Acquisition of Products and Services for Implementation of HSPD-12, June 30, 2006
OMB Memorandum 05-24, Implementation of Homeland Security Presidential Directive (HSPD) 12 Policy for a Common Identification Standard for Federal Employees and Contractors, August 5, 2005
SCOPE OF WORK
The Contractor shall comply with federal security and privacy policies while acting as a CA and RA and providing the requisite services to facilitate Direct health information exchange. By acting as a CA and RA and providing these services, the Contractor shall be responsible for ensuring that VLER Health Direct meets the requirements for obtaining full DTAAP accreditation for Direct exchange.
PERFORMANCE DETAILS
PERFORMANCE PERIOD
The period of performance shall be 12 months from date of award with 3 option years.
PLACE OF PERFORMANCE
Tasks under this SOW shall be performed at the Contractor facility.
TRAVEL
The Government does not anticipate travel under this effort.
SPECIFIC TASKS AND DELIVERABLES
Task 1 (one): The Contractor shall:
Provide full identification and organization validation services, acting as an RA.
Evaluate and validate document storage per Federal Bridge Certificate Authority (FBCA) standards.
Provide the Declaration of Identity document, capture and vet the information collected, and store all documents for 10.5 years.
Vet individuals according to DirectTrust/FBCA standards.
Validate the identities of all Information Systems Security Officers (ISSOs) and Organizational Representatives listed in certificate requests.
Provide 24/7 customer service to resolve validation issues and technical questions.
Maintain DTAAP accreditation as a Registration Authority (RA).
Deliverable 1.1: Two (2) FBCA cross-certified Direct Intermediate CAs. Description: co-branded intermediate roots.
Deliverable 1.2: Two (2) Direct-compliant, FBCA cross-certified LOA 3 Medium Assurance certificates. Description: non-SSL-enabled organization certificates.
Task 2 (two): The Contractor shall act as a Certificate Authority by:
Ensuring systems and security controls are in place to meet DTAAP and FBCA audits,
Hosting, managing and maintaining a VA-dedicated Intermediate Certificate Authority (CA),
Ensuring certificates are issued with the proper certificate profile, and setting up a production account with unlimited user profiles,
Assuming primary responsibility for onboarding and training users,
Setting up a detailed work plan for:
Archiving documents,
Annual WebTrust and Federal PKI Audits,
Establishment of Disaster Recovery Services,
Service Level Agreements (SLAs).
Deliverable 2.1: Services Work Plan
Deliverable 2.2: Registration Authority and Certificate Authority Services
Schedule of Deliverables
CLIN  Deliverable  Item                                                          Quantity  Delivery Date
0001  1.1          FBCA Cross Certified Direct Intermediate Certificates         2         Within 30 calendar days after award
0002  1.2          Direct Compliant, FBCA Cross Certified LOA 3 Medium Certificates  2     Within 30 calendar days after award
0003  2.1          Services Work Plan                                            1         Within 30 calendar days after award
0004  2.2          Registration Authority and Certificate Authority Services     1         As required throughout the contract
GENERAL REQUIREMENTS
GOVERNMENT FURNISHED PROPERTY
Not Applicable