AJ11--Web-Based Assessments for Project IN DEPTH

7 Sources Sought Announcement: This is a SOURCES SOUGHT ANNOUNCEMENT ONLY , it is neither a solicitation announcement nor a request for proposals or quotes and does not obligate the Government to award a contract. Requests for a solicitation will not receive a response. Responses to this sources-sought must be in writing. The purpose of this sources sought announcement is for market research to make appropriate acquisition decisions and to gain knowledge of potential sources capable of providing the services described below. Documentation of technical expertise must be presented in sufficient detail for the Government to determine that your company possesses the necessary functional area expertise and experience to compete for this acquisition. The Capability Statement shall be limited to 5 pages. The Government will not review generic marketing materials that do not address the information contained herein or the attached documents Responses to this notice shall include the following: a. Company Name b. SAM Unique Entity Identifier (UEI) & cage code which the company is registered in sam.gov and https://veterans.certify.sba.gov/ c. Company Address d. Point of contact(s) name e. Telephone number(s) f. Email address(s) g. Type of business, SDVOSB; VOSB, WOSB, small, large, etc., as appropriate: h. Company Business Size Status and representations of your business i. Any previous contract(s) similar or the same as the required functional capabilities in the statement of work j. Estimated pricing This is not a request for quotes, however general pricing will be used for the purpose of market research. There will not be a confirmation email for any response(s) received. Your submittal with not be confirmed. All interested parties shall respond no later than 2/27/2026 at 11:00AM EST. All e-mails must have as the Sources Sought Number in the subject line. Submit responses or suggestions via email to Melissa.ChanduviHolmes@va.gov. Telephone responses will not be accepted. Contractor: Qualtrics at Carahsoft 11493 Sunset Hills Road, Reston, VA 20190 Phone: (703) 871-8500 Fax: (703) 871-8505 Title: Web-based Surveys and Questionnaires for the War Related Illness & Injury Study Center (WRIISC) Purpose: To host online surveys and questionnaires for Veteran research participants that participate in research study #20-34. Background: The War Related Illness and Injury Study Center (WRIISC) at the Washington DC VAMC will be one of three participating VA sites (along with Miami VA Healthcare System and Palo Alto VA Healthcare System) in a national, 5-year long VA research study titled VA-NIH Collaboration Recruitment to NIH Intramural Clinical Services , hereon referred to as VA IN-DEPTH (IRB #20-34). The purpose of the VA IN-DEPTH research study is to screen and evaluate Gulf War Veterans across the country that meet eligibility for referral to a separate study that occurs at the National Institutes of Health (NIH). As a part of VA IN-DEPTH research study, research participants will complete a series of surveys and questionnaires in order to determine if they are eligible to participate in VA screening assessments. These validated surveys and questionnaires will help Principal Investigators (PIs) and study leads to understand the participant s symptom profile and determine if they are eligible in participating in further VA research evaluations. Research participants will be in various parts of the country (including some remote areas) and allowing for the option to complete these questionnaires and surveys remotely from the comfort of their own home would lessen the burden of requiring Veterans to travel to one of the three participating VA sites (Washington D.C., Miami Florida, Palo Alto California), particularly given that this cohort of Veterans (Gulf War Veterans) historically suffer from symptoms such as chronic fatigue. Furthermore, allowing research participants the option to complete questionnaires and surveys remotely also lessens the burden of completing and mailing these surveys via pen-and-paper, although that is still an option if they prefer that method. Lastly, given the national scope of Project IN-DEPTH, allowing Veterans to participate in VA research using VA-approved, ATO (Authority to Operate) approved means from the comfort and safety of their own home would allow for us to care for the safety and wellbeing of Veterans we serve, while also engaging with Veterans who are interested in participating in VA research. The Federal Chief Information Officer has confirmed that for Software as a Service (SaaS) agencies such as Qualtrics have the option of: (1) leveraging a Provisional Authority to Operate (P-ATO) completed by the Joint Authorization Board; (2) leveraging an ATO completed by another agency, or (3) conducting their own ATO. However, if either the Joint Authorization Board or another agency has already gone through the Risk Management Framework process with the cloud service provider then we encourage the agency to leverage the work already done. This is less burdensome for both the agencies and the service providers and is the impetus behind our decision to utilize a SaaS agency (Qualtrics) that already has an ATO in place with the VHA. Regardless of the approach, VA will be using the Federal Risk and Authorization Management Program (FedRAMP) baselines as a starting point, since they are specifically tailored for cloud services. Scope: This Quality Improvement Operations project will use Veteran email address to send a survey electronically (using VA approved secure file transfer mechanism, e.g. Azure RMS) to Veterans participating in the research study, to collect health history forms using Federal Risk and Authorization Management Program (FedRAMP) Qualtrics Software as a Service (SaaS). Qualtrics is FedRAMP Authorized. Qualtrics meets the general requirements set forth by many U.S. Federal requirements, including the FISMA Act of 2002. Qualtrics uses Transport Layer Security (TLS) encryption (also known as HTTPS) for all transmitted data. Surveys may be protected with passwords and HTTP referrer checking. The survey will be sent as a link and each participant will have a non-identifiable VA Study ID#. No identifiable information will be placed into Qualtrics. The contractor will agree to abide by all VA security policies as deemed appropriate by the DC VAMC ISSO and PO offices. Period of Performance: Base: May 21, 2026 May 20,2027 Option Year 1: May 21, 2027-May 20,2028 Option Year 2: May 21, 2028-May 20, 2029 Place of Performance: The contract services and activities described will take place at the Contractor s place of business. Custom software development and outsourced operations must be located in the U.S. to the maximum extent practical. Tasks: 6.1. Task 1: Platform Design 6.1.1. The Contractor shall provide a professional platform for internet-based surveys and questionnaires. The platform may include customized summary reports (for internal use). 6.1.1.1 Ensure full compliance with FedRAMP requirements, including documentation, processes and technical capabilities and obtain authority to operate (ATO). 6.1.1.2 The Contractor must be able to provide basic survey questions and functionalities of the tool that are fully compliant with Section 508 (Americans with Disabilities Act of 1973) and user friendly for disabled recipients. 6.1.2. The Contractor will provide the DC WRIISC research team with the opportunity to provide feedback on the platform to verify that all links, design, and functionality are working and meet the needs for Veterans. 6.2 Task 2: Platform Hosting/Maintenance /Security 6.2.1. The Contractor shall host and maintain the platform and content over approximately 3 years to include the base period. 6.2.2. The Contractor will also provide service support for any issues that may arise with the platform and its content. This may include issues with site access and performance issues. 6.2.3. Contractors, Contractor personnel, Subcontractors, and Subcontractor personnel shall be subject to the same Federal laws, regulations, standards, and VA Directives and Handbooks as VA and VA personnel regarding information and information system security. 6.2.4 The contractor shall adhere to the applicable security requirements (Section 8) relevant to the information provided and processes required to support the defined research study procedures listed in Project IN-DEPTH [cIRB#: 20-34] and contract specifications. Contractor will make best efforts to meet reporting and security requirements mutually agreed upon by the parties, and guided by the VA COR/Program Manager. Deliverable Table: Tasks Deliverable Planned Completion Date Task 1 6.1.1. Extend access to platform for external survey system for web-based questionnaires/surveys supporting Project IN-DEPTH Date of award until completion Task 1 6.1.2. VA provides quality control and feedback on product for further testing. Date of award until completion Task 2 6.2.1. Host and maintain platform. Date of award until completion Task 2 6.2.2. Provide service support. As needed during length of contract Task 2 6.2.3. Perform security updates. As needed during length of contract Security Controls GENERAL. Contractors, contractor personnel, subcontractors and subcontractor personnel will be subject to the same federal laws, regulations, standards, VA directives and handbooks, as VA personnel regarding information and information system security and privacy. VA INFORMATION CUSTODIAL LANGUAGE. The Government shall receive unlimited rights to data/intellectual property first produced and delivered in the performance of this contract or order (hereinafter contract ) unless expressly stated otherwise in this contract. This includes all rights to source code and all documentation created in support thereof. The primary clause used to define Government and Contractor data rights is FAR 52.227-14 Rights in Data General. The primary clause used to define computer software license (not data/intellectual property first produced under this contractor or order) is FAR 52.227-19, Commercial Computer Software License. Information made available to the contractor by VA for the performance or administration of this contract will be used only for the purposes specified in the service agreement, SOW, PWS, PD, and/or contract. The contractor shall not use VA information in any other manner without prior written approval from a VA Contracting Officer (CO). The primary clause used to define Government and Contractor data rights is FAR 52.227-14 Rights in Data General. VA information will not be co-mingled with any other data on the contractor s information systems or media storage systems. The contractor shall ensure compliance with Federal and VA requirements related to data protection, data encryption, physical data segregation, logical data segregation, classification requirements and media sanitization. VA reserves the right to conduct scheduled or unscheduled audits, assessments, or investigations of contractor Information Technology (IT) resources to ensure information security is compliant with Federal and VA requirements. The contractor shall provide all necessary access to records (including electronic and documentary materials related to the contracts and subcontracts) and support (including access to contractor and subcontractor staff associated with the contract) to VA, VA's Office Inspector General (OIG) and/or Government Accountability Office (GAO) staff during periodic control assessments, audits, or investigations. The contractor may only use VA information within the terms of the contract and applicable Federal law, regulations, and VA policies. If new Federal information security laws, regulations or VA policies become applicable after execution of the contract, the parties agree to negotiate contract modification and adjustment necessary to implement the new laws, regulations, and/or policies. The contractor shall not make copies of VA information except as specifically authorized and necessary to perform the terms of the contract. If copies are made for restoration purposes, after the restoration is complete, the copies shall be destroyed in accordance with VA Directive 6500, VA Cybersecurity Program and VA Information Security Knowledge Service. If a Veterans Health Administration (VHA) contract is terminated for default or cause with a business associate, the related local Business Associate Agreement (BAA) shall also be terminated and actions taken in accordance with VHA Directive 1605.05, Business Associate Agreements. If there is an executed national BAA associated with the contract, VA will determine what actions are appropriate and notify the contactor. The contractor shall store and transmit VA sensitive information in an encrypted form, using VA-approved encryption tools which are, at a minimum, Federal Information Processing Standards (FIPS) 140-2, Security Requirements for Cryptographic Modules (or its successor) validated and in conformance with VA Information Security Knowledge Service requirements. The contractor shall transmit VA sensitive information using VA approved Transport Layer Security (TLS) configured with FIPS based cipher suites in conformance with National Institute of Standards and Technology (NIST) 800-52, Guidelines for the Selection, Configuration and Use of Transport Layer Security (TLS) Implementations. The contractor s firewall and web services security controls, as applicable, shall meet or exceed VA s minimum requirements. Except for uses and disclosures of VA information authorized by this contract for performance of the contract, the contractor may use and disclose VA information only in two situations: (i) in response to a qualifying order of a court of competent jurisdiction after notification to VA CO (ii) with written approval from the VA CO. The contractor shall refer all requests for, demands for production of or inquiries about, VA information and information systems to the VA CO for response. Notwithstanding the provision above, the contractor shall not release VA records protected by Title 38 U.S.C. § 5705, Confidentiality of medical quality- assurance records and/or Title 38 U.S.C. § 7332, Confidentiality of certain medical records pertaining to drug addiction, sickle cell anemia, alcoholism or alcohol abuse or infection with Human Immunodeficiency Virus (HIV). If the contractor is in receipt of a court order or other requests for the above- mentioned information, the contractor shall immediately refer such court order or other requests to the VA CO for response. Information made available to the contractor by VA for the performance or administration of this contract or information developed by the contractor in performance or administration of the contract will be protected and secured in accordance with VA Directive 6500 and Identity and Access Management (IAM) Security processes specified in the VA Information Security Knowledge Service. Any data destruction done on behalf of VA by a contractor shall be done in accordance with National Archives and Records Administration (NARA) requirements as outlined in VA Directive 6300, Records and Information Management, VA Handbook 6300.1, Records Management Procedures, and applicable VA Records Control Schedules. The contractor shall provide its plan for destruction of all VA data in its possession according to VA Directive 6500 and NIST 800-88, Guidelines for Media Sanitization prior to termination or completion of this contract. If directed by the COR/CO, the contractor shall return all Federal Records to VA for disposition. Any media, such as paper, magnetic tape, magnetic disks, solid state devices or optical discs that is used to store, process, or access VA information that cannot be destroyed shall be returned to VA.The contractor shall hold the appropriate material until otherwise directed by the Contracting Officer s Representative (COR) or CO. Items shall be returned securely via VA-approved methods. VA sensitive information must be transmitted utilizing VA-approved encryption tools which are validated under FIPS 140-2 (or its successor) and NIST 800-52. If mailed, the contractor shall send via a trackable method (USPS, UPS, FedEx, etc.) and immediately provide the COR/CO with the tracking information. Self-certification by the contractor that the data destruction requirements above have been met shall be sent to the COR/CO within 30 business days of termination of the contract. All electronic storage media (hard drives, optical disks, CDs, back-up tapes, etc.) used to store, process or access VA information will not be returned to the contractor at the end of lease, loan, or trade-in. Exceptions to this paragraph will only be granted with the written approval of the VA CO. SECURITY INCIDENT INVESTIGATION. The contractor, subcontractor, their employees, or business associates shall immediately (within one hour) report suspected security / privacy incidents to the VA OIT s Enterprise Service Desk (ESD) by calling (855) 673-4357 (TTY: 711). The ESD is OIT s 24/7/365 single point of contact for IT-related issues. After reporting to the ESD, the contractor, subcontractor, their employees, or business associates shall, within one hour, provide the COR/CO the incident number received from the ESD. To the extent known by the contractor/subcontractor, the contractor/ subcontractor's notice to VA shall identify the information involved and the circumstances surrounding the incident, including the following: The date and time (or approximation of) the Security Incident occurred. The names of individuals involved (when applicable). The physical and logical (if applicable) location of the incident. Why the Security Incident took place (i.e., catalyst for the failure). The amount of data belonging to VA believed to have been compromised. The remediation measures the contractor is taking to ensure no future incidents of a similar nature. After the contractor has provided the initial detailed incident summary to VA, they will continue to provide written updates on any new and relevant circumstances or facts they discover. The contractor, subcontractor, and their employes shall fully cooperate with VA or third-party entity performing an independent risk analysis on behalf of VA. Failure to cooperate may be deemed a material breach and grounds for contract termination. VA IT contractors shall follow VA Handbook 6500, Risk Management Framework for VA Information Systems VA Information Security Program, and VA Information Security Knowledge Service guidance for implementing an Incident Response Plan or integrating with an existing VA implementation. In instances of theft or break-in or other criminal activity, the contractor/subcontractor must concurrently report the incident to the appropriate law enforcement entity (or entities) of jurisdiction, including the VA OIG, and the VA Office of Security and Law Enforcement. The contractor, its employees, and its subcontractors and their employees shall cooperate with VA and any law enforcement authority responsible for the investigation and prosecution of any possible criminal law violation(s) associated with any incident. The contractor/subcontractor shall cooperate with VA in any civil litigation to recover VA information, obtain monetary or other compensation from a third party for damages arising from any incident, or obtain injunctive relief against any third party arising from, or related to, the incident. The contractor shall comply with VA Handbook 6500.2, Management of Breaches Involving Sensitive Personal Information, which establishes the breach management policies and assigns responsibilities for the oversight, management and reporting procedures associated with managing of breaches. With respect to unsecured Protected Health Information (PHI), the contractor …