Active

Contract Opportunity

DEPARTMENT OF VETERAN AFFAIRS
LEBANON VETERANS MEDICAL CENTER
STATEMENT OF NEED (SON)

Drager Apollo Anesthesia Workstation and Drager Infinity Acute Care System Monitoring Solution

Background:
The Drager Infinity Acute Care System Monitoring Solution is intended for multi-parameter, physiologic patient monitoring of adult, pediatric and neonatal patients. It obtains the physiologic, multi-parameter data from the connection to the M540 monitor and optimal medical devices and displays. It also provides all monitoring of the patient s vital signs while under anesthesia. The Drager Apollo Anesthesia Workstation can be used for manually assisted or automatic ventilation, delivery of gases and anesthetic vapor, and monitoring of oxygen and CO2 concentration, breathing pressure, respiratory volume, and anesthetic agent concentration and identification.

Scope of Work:
The Lebanon VA Medical Center (LVAMC) has a brand name only requirement for 8 (eight) Drager Apollo Anesthesia Workstation and Drager Infinity Acute Care System Monitoring Solution. Our current fleet of Drager Anesthesia Machines has reached the end of their life cycle and need replacement. The vendor shall provide all necessary labor, parts, transportation, configurations, equipment needed for installation and any training that maybe required for the Drager Apollo Anesthesia Workstation and Drager Infinity Acute Care System Monitoring Solution. Onsite Draeger Service and Technical implementation specialists will unpack, inventory, install all components and calibrate/verify function. Care will be taken to protect floors and surfaces and remove packaging and debris from the work area.
Salient Characteristics of the brand name only required Drager equipment:

Drager Apollo Anesthesia Workstation:
Weight: (without vaporizers and gas cylinders) 365 lbs. (165 kg)
Dimensions (H x W x D): 59 x 33.5 x 31.5 inches (150 x 85 x 80 cm)
Power: 200 W, typically
Operating voltage: 100 to 127 VAC (- 15 % + 10 %) 45 - 65 Hz
Integrated power backup: 30 minutes minimum
Utilizes a piston ventilator (non bellows)
Ventilator E-Vent plus: Electrically driven and electronically controlled, fresh gas decoupled.
Ventilation modes: Manual, spontaneous, Volume Mode, Pressure Mode
Pressure limitation PMAX (in Volume Mode): (PEEP + 10) up to 70 cmH2O
Pressure limitation PINSP (in Pressure Mode): (PEEP + 5) up to 70 cmH2O
Trigger: 0.3 - 15 L/min
Tidal volume VT (compliance compensated): 20 - 1400 mL (in Volume Mode): 10 - 1400 mL with option Pressure Support
Breathing frequency (freq.): 3 - 80 bpm
Inspiration time (TINSP): 0.2 - 6.7 s
Inspiration/Expiration time ratio (I:E): max. 5:1
Plateau time (TIP:TINSP): 0 - 60 %
Inspiratory flow (in Pressure Mode): max. 150 L/min
PEEP in Volume Mode: 0 - 20 cmH2O (max. PMAX - 10 cmH2O)
PEEP in Pressure Mode: 0 - 20 cmH2O (max. Pinsp - 5 cmH2O)
Fresh-gas flow: 0 - 12 L/min for each gas (oxygen, air, nitrous oxide)
TSLOPE (in Pressure Mode and Pressure Support): 0 - 2 s
Total system leakage: O2 flow control: Sensitive ORC function: at least 21 Vol.% with N2O as carrier gas
O2 flush: > 35 L/min

Monitoring:
Inspiratory and expiratory concentration of O2, N2O, CO2 as well as anesthetic agents (Halothane, Enflurane, Isoflurane, Sevoflurane, Desflurane)
Minute volume (MV) and Tidal volume (VT); Breathing frequency; Peak pressure, plateau pressure, mean pressure, PEEP; Patient compliance CPAT
The following parameters maybe displayed as waveforms:
Concentration of CO2, O2, as well as anesthetic agents, airway pressure, inspiratory and expiratory flow
Serial interface: 2 x RS 232
Protocol: Medibus
Absorber volume: 1.5 L
Advanced ventilation capability
Spontaneous breathing support
Electrically powered piston ventilator requires no drive gas
Lock in place with a central foot brake
Must monitor for: Airway pressure PAW, Expiratory minute volume MV
and Apnea
Inspiratory and expiratory anesthetic gas concentration
Detection of anesthetic gas mixtures (simultaneous detection of up to two anesthetic agents)
Inspiratory O2 and N2O concentrations
Inspiratory and expiratory CO2 concentrations
Special alarm response in Bypass Mode
Automatic agent alarm activation for multiples of MAC (xMAC)

Ventilation modes:
Volume-controlled ventilation in Volume Mode
With activation of:
Synchronization
Press. Support (Pressure Support) (optional)
Pressure-controlled ventilation in Pressure Mode
With activation of:
Sync. (Synchronization)
Press. Support (Pressure Support) (optional)
Manual Ventilation
Spontaneous Breathing
Pressure-Assisted Spontaneous Breathing in Pressure Support CPAP
Volume Mode AutoFlow
With activation of:
Synchronization
Pressure Support
The following measured values are displayed:
Peak pressure
Mean pressure
Plateau pressure
Positive end-expiratory pressure
Expiratory minute volume
Difference between insp. and exp. minute volume
Patient compliance
Tidal volume
Breathing rate Freq.
Inspiratory and expiratory concentration of O2, N2O, anesthetic gas, and CO2
Difference between insp. and exp. O2 concentration O2
The following parameters can be displayed as mini trends:
CO2 minute volume MV*CO2
O2 Uptake
PEEP, patient compliance CPAT
The following parameters are displayed as curves:
Airway pressure PAW
Inspiratory and expiratory flow
Inspiratory and expiratory concentration of O2, CO2, and anesthetic gas
The following parameters are displayed as bar graphs:
Inspiratory, expiratory, and leakage tidal volume
Volumeter
Pressure
Low-flow wizard for indicating fresh-gas utilization

Infinity Acute Care System:
Must work together with Dräger anesthesia and ventilator devices.
Provide up to 96 hours of trends on the system, and 72 hours on the M540 transport component
Data resolution 30-second sampling Trend tables 1 minute, 5-minute, 10 minute, 15 minute (default), 30 minute, 1 hour display formats
Trend graphs 1 hour (default), 2-hour, 4-hour, 8 hour, 12 hour, 1 day, 2 day, 3 day, 4 day display formats
Event storage provides up to 150 events, 20-second strips, all monitored waveforms.
Customize a drug list of up to 40 drugs
Resolution From: C500: 17 in (43 cm) display: 1440 × 900 pixel
Maximum supported distance: 5 m (16.4 ft)

Performance Characteristics of the brand name only required Drager equipment:

Integrated Anesthesia Workstation- including a piston driven anesthesia machine, anesthesia monitor and integration with the existing anesthesia record keeper (ARK).Â
Offers an actively heated breathing system designed specifically to prevent rainout (moisture accumulation)
Allows the clinician to be able to continue to deliver (1) all fresh gases (O2, N2O and Air), (2) agent, (3) monitor airway pressure with a mechanical gauge, and (4) ventilate via the bag during (1) power outage/brown out, (2) battery failure, (3) power supply failure, or (4) circuit board failure.
Is equipped with an APL (airway pressure limitation) valve which is easily accessible to the user and can simply be pulled up to release breathing system pressure.
Is equipped with a user interface and a fresh gas control operating philosophy that is consistent across the vendor's currently sold anesthesia machine portfolio
Must be a continuous-flow anesthetic machine, which provides a steady flow of air containing a regulated supply of gas while also monitoring important vital signs of the patient to ensure quality and safety.
Trade-in
Equipment Trade-in: Current eight (8) Drager Apollos are to be returned by the installation technician and given a monetary credit by the contractor for each machine. A monetary credit will also be given by the contractor for the trade-in value of the Drager Apollos.
Additional Information:
The Drager Apollo Unit is required for continuity of care for Veterans, as the facility already utilizes Drager Anesthesia Units throughout the OR and Endo Suite and all of our Anesthesia Staff are trained to use them, the accessories we have in stock only work with Drager machines, and the durability, dependability and stellar functionality of such an important device is of paramount importance.
Delivery:
Delivery shall be within sixty (60) days from the time of award. The Drager Apollo Anesthesia Workstation and Drager Infinity Acute Care System Monitoring Solution
shall be delivered to the Lebanon VAMC located at 1700 S. Lincoln Ave., Lebanon, PA 17042; Attn; Warehouse. Placement in the LVAMC clinic shall be coordinated through the Point of Contact (POC).

CONTRACTOR RESPONSIBILITIES: The contractor shall be responsible for the following:
Assign a Project Manager upon award of contract. The Project Manager shall develop a project schedule and implementation plan.
Contractor shall provide qualified and VA credentialed personnel to perform the installation of the items as noted in this Statement of Need (SON).
Contractor is responsible to ensure all equipment to be installed meets VA standards.
Contractor is responsible for ensuring the proper disposal of all debris generated from installation activities.
Contractor is responsible for securing all materials, equipment, and tools while on government property or in government facility. Government is not liable for any lost or stolen items that are not properly secured.
Contractors coming on station or working remotely will be required to take the VA Privacy and Information Security Awareness Program and the Privacy and HIPAA Training. Completed training certificates should be maintained by the POC of this contract for audit purposes. Appropriate fingerprinting and background investigation is required.

GOVERNMENT RESPONSIBILITIES:Â The Government shall provide the following: The authorized POC will assume responsibility for the installation and performance of all other equipment and work necessary for completion of this project.
Provide site access and escorts to the customer's location to where the equipment is located.
Provide adequate space for the work to be performed.
Provide the contractor with contact information and the necessary authorization to coordinate connectivity issues with applicable U.S. Government POC's.

CONTRACT ADMINISTRATION: Veterans Administration Medical Center Lebanon contracting office is responsible for the sole administration for this contract.
Contract Administrator: Contract administrator shall be designated at time of contract award.
The POC will be identified upon contract award. The POC is responsible, as applicable, for: receiving all deliverables, inspecting and accepting the supplies or services provided hereunder in accordance with the terms and conditions of this contract; providing clarification to the contractor, fills in details or otherwise serves to accomplish the contractual Scope of Work; evaluating performance; and certifying all invoices/vouchers for acceptance of the supplies or services furnished for payment.

The POC does not have the authority to alter the contractor's obligation under the contract, and/or modify any of the expressed terms, conditions, specifications, or cost of the agreement. If as a result of technical discussions, it is desirable to alter/change contractual obligations or the Scope of Work, the Contracting Officer shall issue such changes.

CONTRACTOR PERFORMANCE ASSESSMENT REPORTING SYSTEM (CPARS)

The services, although not directly supervised, shall be reviewed by the Department of Veterans Affairs staff to ensure contract compliance. The contractor's performance will be evaluated in accordance with FAR 42.15. Contract monitoring reports will be prepared by the Contracting Officer's Representative (COR) and maintained in the contract file.

In accordance with FAR 42.1502 and 42.1503, agencies shall prepare an evaluation of contractor performance and submit it to the Contractor Performance Assessment Reporting System (CPARS). The VAMC utilizes the Department of Defense (DOD) web-based Contractor Performance Assessment Reporting System (CPARS) to provide contractor performance evaluations. The contractor shall provide and maintain a current e-mail from the Focal Point thru the following website address webptsmh@navy.mil when the contractor is registered in CPARS. The contractor must be registered to access and review its evaluation and/or provide a response.

PRIVACY LANGUAGE

1. GENERAL

Contractors, contractor personnel, subcontractors, and subcontractor personnel shall be
subject to the same Federal laws, regulations, standards, and VA Directives and Handbooks as VA and VA personnel regarding information and information system security.

2. ACCESS TO VA INFORMATION AND VA INFORMATION SYSTEMS

a. A contractor/subcontractor shall request logical (technical) or physical access to VA
information and VA information systems for their employees, subcontractors, and affiliates only to the extent necessary to perform the services specified in the contract, agreement, or task order.

b. All contractors, subcontractors, and third-party servicers and associates working with
VA information are subject to the same investigative requirements as those of VA appointees or employees who have access to the same types of information. The level and process of background security investigations for contractors must be in accordance with VA Directive and Handbook 0710, Personnel Suitability and Security Program. The Office for Operations, Security, and Preparedness is responsible for these policies and procedures.

e. The contractor or subcontractor must notify the Contracting Officer immediately when an employee working on a VA system or with access to VA information is reassigned or leaves the contractor or subcontractor s employ. The Contracting Officer must also be notified immediately by the contractor or subcontractor prior to an unfriendly termination.

3. VA INFORMATION CUSTODIAL LANGUAGE

a. Information made available to the contractor or subcontractor by VA for the performance or administration of this contract or information developed by the contractor/subcontractor in performance or administration of the contract shall be used only for those purposes and shall not be used in any other way without the prior written agreement of the VA. This clause expressly limits the contractor/subcontractor's rights to use data as described in Rights in Data- General, FAR 52.227-14(d) (1).

b. VA information should not be co-mingled, if possible, with any other data on the
contractors/subcontractor s information systems or media storage systems in order to ensure VA requirements related to data protection and media sanitization can be met. If co-mingling must be allowed to meet the requirements of the business need, the contractor must ensure that VA s information is returned to the VA or destroyed in accordance with VA s sanitization requirements. VA reserves the right to conduct onsite inspections of contractor and subcontractor IT resources to ensure data security controls, separation of data and job duties, and destruction/media sanitization procedures are in compliance with VA directive requirements.
c. Prior to termination or completion of this contract, contractor/subcontractor must not
destroy information received from VA, or gathered/created by the contractor in the course of performing this contract without prior written approval by the VA. Any data destruction done on behalf of VA by a contractor/subcontractor must be done in accordance with National Archives and Records Administration (NARA) requirements as outlined in VA Directive 6300, Records and Information Management and its Handbook 6300.1 Records Management Procedures, applicable VA Records Control Schedules, and VA Handbook 6500.1, Electronic Media Sanitization. Self-certification by the contractor that the data destruction requirements above have been met must be sent to the VA Contracting Officer within 30 days of termination of the contract.

d. The contractor/subcontractor must receive, gather, store, back up, maintain, use,
disclose and dispose of VA information only in compliance with the terms of the contract and applicable Federal and VA information confidentiality and security laws, regulations and policies. If Federal or VA information confidentiality and security laws, regulations and policies become applicable to the VA information or information systems after execution of the contract, or if NIST issues or updates applicable FIPS or Special Publications (SP) after execution of this contract, the parties agree to negotiate in good faith to implement the information confidentiality and security laws, regulations and policies in this contract.

e. The contractor/subcontractor shall not make copies of VA information except as
authorized and necessary to perform the terms of the agreement or to preserve electronic information stored on contractor/subcontractor electronic storage media for restoration in case any electronic equipment or data used by the contractor/subcontractor needs to be restored to an operating state. If copies are made for restoration purposes, after the restoration is complete, the copies must be appropriately destroyed.

f. If VA determines that the contractor has violated any of the information confidentiality,
privacy, and security provisions of the contract, it shall be sufficient grounds for VA to withhold payment to the contractor or third party or terminate the contract for default or terminate for cause under Federal Acquisition Regulation (FAR) part 12.

g. If a VHA contract is terminated for cause, the associated BAA must also be terminated and appropriate actions taken in accordance with VHA Handbook 1600.01, Business Associate Agreements. Absent an agreement to use or disclose protected health information, there is no business associate relationship.

h. The contractor/subcontractor must store, transport, or transmit VA sensitive information in an encrypted form, using VA-approved encryption tools that are, at a minimum, FIPS 140-2 validated.

j. Except for uses and disclosures of VA information authorized by this contract for performance of the contract, the contractor/subcontractor may use and disclose VA information only in two other situations: (i) in response to a qualifying order of a court of competent jurisdiction, or (ii) with VA s prior written approval. The contractor/subcontractor must refer all requests for, demands for production of, or inquiries about, VA information and information systems to the VA contracting officer for response.

k. Notwithstanding the provision above, the contractor/subcontractor shall not release VA records protected by Title 38 U.S.C. 5705, confidentiality of medical quality assurance records and/or Title 38 U.S.C. 7332, confidentiality of certain health records pertaining to drug addiction, sickle cell anemia, alcoholism or alcohol abuse, or infection with human immunodeficiency virus. If the contractor/subcontractor is in receipt of a court order or other requests for the above-mentioned information, that contractor/subcontractor shall immediately refer such court orders or other requests to the VA contracting officer for response.

5. INFORMATION SYSTEM HOSTING, OPERATION, MAINTENANCE, OR USE

h. Bio-Medical devices and other equipment or systems containing media (hard drives,
optical disks, etc.) with VA sensitive information must not be returned to the vendor at the end of lease, for trade-in, or other purposes. The options are:

(1) Vendor must accept the system without the drive.

(2) VA s initial medical device purchase includes a spare drive which must be installed in place of the original drive at time of turn-in; or

(3) VA must reimburse the company for media at a reasonable open market replacement cost at time of purchase.

6. SECURITY INCIDENT INVESTIGATION

a. The term security incident means an event that has, or could have, resulted in
unauthorized access to, loss or damage to VA assets, or sensitive information, or an action that breaches VA security procedures. The contractor/subcontractor shall immediately notify the COTR and simultaneously, the designated ISO and Privacy Officer for the contract of any known or suspected security/privacy incidents, or any unauthorized disclosure of sensitive information, including that contained in system(s) to which the contractor/subcontractor has access.

b. To the extent known by the contractor/subcontractor, the contractor/subcontractor s
notice to VA shall identify the information involved, the circumstances surrounding the incident (including to whom, how, when, and where the VA information or assets were placed at risk or compromised), and any other information that the contractor/subcontractor considers relevant.
c. With respect to unsecured protected health information, the business associate is
deemed to have discovered a data breach when the business associate knew or should have known of a breach of such information. Upon discovery, the business associate must notify the covered entity of the breach. Notifications need to be made in accordance with the executed business associate agreement.

d. In instances of theft or break-in or other criminal activity, the contractor/subcontractor
must concurrently report the incident to the appropriate law enforcement entity (or entities) of jurisdiction, including the VA OIG and Security and Law Enforcement. The contractor, its employees, and its subcontractors and their employees shall cooperate with VA and any law enforcement authority responsible for the investigation and prosecution of any possible criminal law violation(s) associated with any incident. The contractor/subcontractor shall cooperate with VA in any civil litigation to recover VA information, obtain monetary or other compensation from a third party for damages arising from any incident, or obtain injunctive relief against any third party arising from, or related to, the incident.

7. LIQUIDATED DAMAGES FOR DATA BREACH

a. Consistent with the requirements of 38 U.S.C. §5725, a contract may require access to sensitive personal information. If so, the contractor is liable to VA for liquidated damages in the event of a data breach or privacy incident involving any SPI the contractor/subcontractor processes or maintains under this contract.

b. The contractor/subcontractor shall provide notice to VA of a security incident as set forth in the Security Incident Investigation section above. Upon such notification, VA must secure from a non-Department entity or the VA Office of Inspector General an independent risk analysis of the data breach to determine the level of risk associated with the data breach for the potential misuse of any sensitive personal information involved in the data breach. The term 'data breach' means the loss, theft, or other unauthorized access, or any access other than that incidental to the scope of employment, to data containing sensitive personal information, in electronic or printed form, that results in the potential compromise of the confidentiality or integrity of the data. Contractor shall fully cooperate with the entity performing the risk analysis. Failure to cooperate may be deemed a material breach and grounds for contract termination.

c. Each risk analysis shall address all relevant information concerning the data breach,
including the following:

(1) Nature of the event (loss, theft, unauthorized access);
(2) Description of the event, including:
(a) date of occurrence;
(b) data elements involved, including any PII, such as full name, social security number,
date of birth, home address, account number, disability code;

(3) Number of individuals affected or potentially affected;

(4) Names of individuals or groups affected or potentially affected;

(5) Ease of logical data access to the lost, stolen or improperly accessed data in light of the degree of protection for the data, e.g., unencrypted, plain text;

(6) Amount of time the data has been out of VA control;

(7) The likelihood that the sensitive personal information will or has been compromised
(made accessible to and usable by unauthorized persons);

(8) Known misuses of data containing sensitive personal information, if any;

(9) Assessment of the potential harm to the affected individuals;

(10) Data breach analysis as outlined in 6500.2 Handbook, Management of Security and Privacy Incidents, as appropriate; and

(11) Whether credit protection services may assist record subjects in avoiding or mitigating the results of identity theft based on the sensitive personal information that may have been compromised.

d. Based on the determinations of the independent risk analysis, the contractor shall be
responsible for paying to the VA liquidated damages in the amount of $______ per affected individual to cover the cost of providing credit protection services to affected individuals consisting of the following:

(1) Notification;
(2) One year of credit monitoring services consisting of automatic daily monitoring of at least three (3) relevant credit bureau reports;
(3) Data breach analysis;
(4) Fraud resolution services, including writing dispute letters, initiating fraud alerts and credit freezes, to assist affected individuals to bring matters to resolution;
(5) One year of identity theft insurance with $20,000.00 coverage at $0 deductible; and
(6) Necessary legal expenses the subjects may incur to repair falsified or damaged credit records, histories, or financial affairs.

9. TRAINING
a. All contractor employees and subcontractor employees requiring access to VA
information and VA information systems shall complete the following before being granted access to VA information and its systems:
(1) Sign and acknowledge (either manually or electronically) understanding of and
responsibilities for compliance with the Contractor Rules of Behavior, Appendix E relating to access to VA information and information systems.
(2) Successfully complete the VA Cyber Security Awareness and Rules of Behavior
training and annually complete required security training.
(3) Successfully complete the appropriate VA privacy training and annually complete
required privacy training; and
(4) Successfully complete any additional cyber security or privacy training, as required for VA personnel with equivalent information system access [to be defined by the VA program official and provided to the contracting officer for inclusion in the solicitation document e.g., any role-based information security training required in accordance with NIST Special Publication 800-16, Information Technology Security Training Requirements.]

a. The contractor shall provide to the contracting officer and/or the COTR a copy of the
training certificates and certification of signing the Contractor Rules of Behavior for each applicable employee within 1 week of the initiation of the contract and annually thereafter, as required.
b. Failure to complete the mandatory annual training and sign the Rules of Behavior
annually, within the timeframe required, is grounds for suspension or termination of all physical or electronic access privileges and removal from work on the contract until such time as the training and documents are complete.

RECORDS MANAGEMENT LANGUAGE

A. Applicability
This clause applies to all Contractors whose employees create, work with, or otherwise handle Federal records, as defined in Section B, regardless of the medium in which the record exists.

B. Definitions
Federal record as defined in 44 U.S.C. § 3301, includes all recorded information, regardless of form or characteristics, made or received by a Federal agency under Federal law or in connection with the transaction of public business and preserved or appropriate for preservation by that agency or its legitimate successor as evidence of the organization, functions, policies, decisions, procedures, operations, or other activities of the United States Government or because of the informational value of data in them.
The term Federal record:
1 .includes [Agency] records.
2. does not include personal materials.
3. applies to records created, received, or maintained by Contractors pursuant to their [Agency] contract.
4. may include deliverables and documentation associated with deliverables.

C. Requirements
1. Contractor shall comply with all applicable records management laws and regulations, as well as National Archives and Records Administration (NARA) records policies, including but not limited to the Federal Records Act (44 U.S.C. chs. 21, 29, 31, 33), NARA regulations at 36 CFR Chapter XII Subchapter B, and those policies associated with the safeguarding of records covered by the Privacy Act of 1974 (5 U.S.C. 552a). These policies include the preservation of all records, regardless of form or characteristics, mode of transmission, or state of completion.

2. In accordance with 36 CFR 1222.32, all data created for Government use and delivered to, or falling under the legal control of, the Government are Federal records subject to the provisions of 44 U.S.C. chapters 21, 29, 31, and 33, the Freedom of Information Act (FOIA) (5 U.S.C. 552), as amended, and the Privacy Act of 1974 (5 U.S.C. 552a), as amended and must be managed and scheduled for disposition only as permitted by statute or regulation.

3. In accordance with 36 CFR 1222.32, Contractor shall maintain all records created for Government use or created in the course of performing the contract and/or delivered to, or under the legal control of the Government and must be managed in accordance with Federal law. Electronic records and associated metadata must be accompanied by sufficient technical documentation to permit understanding and use of the records and data.

4. [Agency] and its contractors are responsible for preventing the alienation or unauthorized destruction of records, including all forms of mutilation. Records may not be removed from the legal custody of [Agency] or destroyed except for in accordance with the provisions of the agency records schedules and with the written concurrence of the Head of the Contracting Activity. Willful and unlawful destruction, damage or alienation of Federal records is subject to the fines and penalties imposed by 18 U.S.C. 2701. In the event of any unlawful or accidental removal, defacing, alteration, or destruction of records, Contractor must report to [Agency]. The agency must report promptly to NARA in accordance with 36 CFR 1230.

5. The Contractor shall immediately notify the appropriate Contracting Officer upon discovery of any inadvertent or unauthorized disclosures of information, data, documentary materials, records or equipment. Disclosure of non-public information is limited to authorized personnel with a need-to-know as described in the [contract vehicle]. The Contractor shall ensure that the appropriate personnel, administrative, technical, and physical safeguards are established to ensure the security and confidentiality of this information, data, documentary material, records and/or equipment is properly protected. The Contractor shall not remove material from Government facilities or systems, or facilities or systems operated or maintained on the Government s behalf, without the express written permission of the Head of the Contracting Activity. When information, data, documentary material, records and/or equipment is no longer required, it shall be returned to [Agency] control or the Contractor must hold it until otherwise directed. Items returned to the Government shall be hand carried, mailed, emailed, or securely electronically transmitted to the Contracting Officer or address prescribed in the [contract vehicle]. Destruction of records is EXPRESSLY PROHIBITED unless in accordance with Paragraph (4).

6. The Contractor is required to obtain the Contracting Officer's approval prior to engaging in any contractual relationship (sub-contractor) in support of this contract requiring the disclosure of information, documentary material and/or records generated under, or relating to, contracts. The Contractor (and any sub-contractor) is required to abide by Government and [Agency] guidance for protecting sensitive, proprietary information, classified, and controlled unclassified information.

7. The Contractor shall only use Government IT equipment for purposes specifically tied to or authorized by the contract and in accordance with [Agency] policy.

8. The Contractor shall not create or maintain any records containing any non-public [Agency] information that are not specifically tied to or authorized by the contract.

9. The Contractor shall not retain, use, sell, or disseminate copies of any deliverable that contains information covered by the Privacy Act of 1974 or that which is generally protected from public disclosure by an exemption to the Freedom of Information Act.

10. The [Agency] owns the rights to all data and records produced as part of this contract. All deliverables under the contract are the property of the U.S. Government for which [Agency] shall have unlimited rights to use, dispose of, or disclose such data contained therein as it determines to be in the public interest. Any Contractor rights in the data or deliverables must be identified as required by FAR 52.227-11 through FAR 52.227-20.

11. Training. All Contractor employees assigned to this contract who create, work with, or otherwise handle records are required to take [Agency]-provided records management training. The Contractor is responsible for confirming training has been completed according to agency policies, including initial training and any annual or refresher training.

Attachments/Links