Targeted Dissemination of Tick and Mosquito
Please see attached synopsis, SOW, and SSJ. This is a presolicitation notice synopsis. The OAS intends to issue a firm fixed price purchase order, sole source award. This notice is not a formal Reques... Please see attached synopsis, SOW, and SSJ. This is a presolicitation notice synopsis. The OAS intends to issue a firm fixed price purchase order, sole source award. This notice is not a formal Request for Quotes (RFQ), and no contract will result from this notice, nor does it commit the Government to any acquisition for these services. The OAS in Atlanta, GA requires communication services. The North American Industry Classification System (NAICS) code for this project is 541613 and PSC of R702 with a small business size standard of 150 employees. The Government intends to issue a sole source contract to Banyan Communications. Competition is being limited because Banyan Communications has already provided similar services under a previous competitive blanket purchase agreement (BPA). This work is a logical follow-on to the BPA. Point of contact is Kristopher Lemaster, email: ene3@cdc.gov. All responsible sources may submit a capability statement which shall be considered by the agency. Statement of Work Procurement Request #: 1T Period of Performance: 04/10/2023 – 08/31/2023 Title: Targeted Dissemination of Tick and Mosquito Bite Prevention Materials SECTION 1 – BACKGROUND The number of reported cases of vector-borne disease are increasing in the United States. A recently released estimate suggests that each year approximately 476,000 Americans are diagnosed and treated for Lyme disease alone. Increases in the number of other tickborne diseases such as anaplasmosis and ehrlichiosis, are also occurring. Simultaneously, the emergence of new tickborne diseases such as Borrelia miyamotoi, Heartland virus disease, and others is ongoing. Outbreaks of mosquito-borne infections such as West Nile, Chikungunya, and Zika virus disease are ongoing but difficult to predict. Congress and public health officials across the nation recognize the need to inform Americans about ways they can reduce their risk in particular for harmful tickborne disease. In 2016, the 21st Century Cures Act mandated the establishment of a Tick-Borne Disease Working Group to serve as a Federal Advisory Committee to the Health and Human Services Secretary and Congress. The Working Group is responsible for reviewing ongoing research and advances and for identifying research gaps. In a 2020 Report to Congress, the Working Group recognized the urgent need for public education about tickborne diseases and recommended that the general public be educated about the regional and specific risks related to tickborne diseases. None of the diseases listed above are currently vaccine preventable. Additionally, large-scale vector-control efforts face many barriers, including cost and public acceptability. As a result, prevention of vector-borne diseases rests primarily on the public and their willingness and ability to employ personal prevention techniques consistently throughout the warm months of the year. Despite research that demonstrates the efficacy of tick- and mosquito-borne personal prevention techniques, the public does not perform these behaviors consistently. In a recent study of personal prevention techniques for tickborne disease, people reported consistently performing these behaviors between 1/3 and 2/3 of the time. High quality, targeted prevention messages that are audience-tested, strategically developed, and evaluated are key to preventing vector-borne disease. Through a previously awarded contract with Banyan Communications, the Division of Vector-Borne Diseases has recently developed tick- and mosquito-specific prevention messages, materials, and videos based on formative research and message testing with key high-risk populations. Due to delays at no fault to the vendor, the materials were unable to be promoted in conjunction with tick and mosquito season in spring and summer 2021. This contract requires the targeted dissemination and evaluation of the recently developed materials. SUBSECTION A – DEFINITIONS N/A SECTION 2 – PURPOSE Parties the Project Involves – Parties involved include the Division of Vector-Borne Diseases staff, including staff from the Bacterial Diseases Branch, Arboviral Diseases Branch, and Rickettsial Zoonoses Branch, and Banyan Communications. Overall Objectives – The purpose of the project is to disseminate tick- and mosquito-borne disease prevention materials developed. Additionally, evaluation of the number of people seeing and interacting with the materials and accessing the website, should be reported. xxxxxxxxxxxxxxxxx 04/10/2023 - 08/31/2023 General Period and Place of Performance – April 10, 2023 – August 31st, 2023. Performance Objectives or Required Results – Digital links to the final advertisements and promotions and metrics of the activities’ performance. Operating Constraints – N/A SECTION 3 – SCOPE OF WORK The purpose of the contract is to disseminate targeted tick and mosquito bite prevention materials to high-risk audiences. Additionally, metrics and evaluation of the dissemination should be reported. The Vendor will finalize creative materials developed in prior contracts based on subject matter expert feedback and review. The vendor will then manage a media dissemination plan including opportunities for paid and non-paid media placement, focusing on educational opportunities to reach target audiences. Finally, the Vendor shall provide metrics to measure the reach and impact of the media placements and social media tactics against key performance indicators SECTION 4 – TASKS TO BE PERFORMED 1.0 Project Management. The Vendor will hold a kickoff meeting no later than 10 workdays after the initial award is made to discuss plans and timelines as well as clarify roles and responsibilities, to be held virtually. Following the kickoff meeting, the Vendor shall develop a written work plan, minimally including all essential interim and final deliverables, key staff responsible for tasks (including Vendor, CDC, or other partners) and schedule of key deadlines for COR review and correction before acceptance. 2.0 Educational Awareness Materials. Based on subject matter expert feedback and comments during the clearance and review process, the vendor shall refine materials and finalize a set of interrelated materials for target audiences (including outdoor enthusiasts, parents of children, outdoor workers, dog owners, older adults, Hispanic identifying Spanish speakers, and southeasterners) that address common questions, concerns, and misperceptions related to vector-borne disease prevention. Materials including social media assets, advertisements, and videos will also need to be translated into Spanish for the Hispanic identifying audience. 2.1 Submission and Coordination. The Vendor shall transfer all materials to DVBD so they can be made available to states, local communities, and other potential users. The Vendor must ensure all original source files, talent information, and communication product/ad descriptions are submitted to the COR. All materials will be property of CDC and available in the public domain. Note: for materials to be uploaded to CDC’s server, they must meet Section 508 compliance, which means appropriately captioned and audiodescribed. 3.0 Distribution: Paid and Non-paid Media & Social Media The Vendor shall manage a comprehensive media buying plan that will integrate into and support the Communication Strategy developed in the prior contract. The Vendor shall provide CDC with written documentation outlining the media buying plan including timeline, budget allocation, and media monitoring. 3.1 Placement. The plan shall include opportunities for paid and non-paid media placement, focusing on educational opportunities to reach target audiences. The Vendor shall manage the media buying process and xxxxxxxxxxxxxxxxxxxxxxxxxxxx 04/10/2023 - 08/31/2023 make direct placement of ads and sponsorships. Media buys must include digital and traditional media targeting including outdoor enthusiasts, parents of children, outdoor workers, dog owners, older adults, Hispanic identifying Spanish speakers, and southeasterners. Social media and direct advertising will be used to reach these populations. Distribution strategies must include paid media placement and other digital and social media distribution platforms such as Facebook, Instagram, and other platforms recommended by the Vendor and approved by CDC. 3.2 Media Metric Reporting. The Vendor shall submit a media report template for CDC approval 2 weeks prior to the product placement period. Once agreed upon, the Vendor must provide email copies of the media report weekly and monthly during the period of media placement to monitor media performance and allow for adjustments and optimization to reach target audiences. 3.3 Final Evaluation Report. The Vendor shall measure the reach and impact of the media placements and social media tactics against key performance indicators. 1. Reports must feature a narrative, visuals, comparisons of data over time, and recommendations to improve and enhance content, strategies, and outreach. a. Overview of content strategy, promotional efforts, and page performance b. Current metrics following an agreed upon format: page likes, post count, comments, responses, reactions, shares, daily total reach, new organizational likes, video views, etc. c. Highest performing content and key messages d. Highest performing media (e.g., images, videos) e. Noteworthy comments f. Updates on specific tactics or special activities g. Unique findings and recommendations SECTION 5 – GOVERNMENT FURNISHED MATERIALS The Government will provide CDC subject matter-related and/or resources that will be used for the development of the digital and printed products. SECTION 6 – PERIOD OF PERFORMANCE 04/10/2023 – 08/31/2023 SECTION 7 – DELIVERABLES/REPORTING SCHEDULE xxxxxxxxxxxxxxxxxxxxxxxxxxSECTION 8 – REFERENCE MATERIALS This Statement of Work is based on previous work completed with Banyan Communications through BPA #75D30121F11584. SECTION 9 – POINT OF CONTACT INFORMATION The Point of Contact (POC) for this procurement is: Amy Ullmann Centers for Disease Control and Prevention 3156 Rampart Road Fort Collins, CO 80521 Telephone Number: 970-225-4251 E-mail Address: aff1@cdc.gov Preferred method of communication: E-mail SECTION 10 – PAYMENT TERMS Payments will be delivered in accordance with media buys for tick and mosquitoes with the first payment of $TBD being made one week prior to dissemination of tickborne disease materials on May 1st, 2023. The second payment of $TBDwill be made one week prior to dissemination of mosquito-borne disease materials on June 15th, 2023. The final payment of $TBD will be made upon completion of all deliverables. SECTION 11 – MINIMUM VENDOR QUALIFICATIONS AND LEVEL OF EFFORT Vendor should have experience disseminating and evaluating educational materials to target audience groups. In addition, vendor should have knowledge of vector-borne disease and experience creating vector-borne disease educational materials. SECTION 12 – EVALUATION FACTORS 1. Technical Evaluation Vendor is to provide a discussion of their technical approach for providing the services required for this Purchase Order. Vendor must be able to assign personnel to this project with the technical expertise for providing the services required for this Purchase Order. Provide information reflecting experience of assigned staff, including a detailed resume, biography, or curriculum vitae (CV) of each candidate. This criterion will be evaluated according to the soundness, practicality, and feasibility of the Contractor’s technical approach for providing the services required for this Purchase Order. 2. Price Evaluation: A price analysis of the quote will be conducted to determine the reasonableness of the Vendor’s price. Media buys were based upon previous work in contract # plus a percentage increase based on annual increases in expenses. SECTION 13 – SPECIAL CONSIDERATIONS Electronic and Information Technology Accessibility 1. Section 508 of the Rehabilitation Act of 1973 (29 U.S.C. 794d), as amended by the Workforce Investment Act of 1998 and the Architectural and Transportation Barriers Compliance Board Electronic xxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxx xxxxxxxxxxxxxxxx xxxxxxxxxxx xxxxxxxxx xxxxxxxxxx and Information (EIT) Accessibility Standards (36 CFR part 1194), require that when Federal agencies develop, procure, maintain, or use electronic and information technology, Federal employees with disabilities have access to and use of information and data that is comparable to the access and use by Federal employees who are not individuals with disabilities, unless an undue burden would be imposed on the agency. Section 508 also requires that individuals with disabilities, who are members of the public seeking information or services from a Federal agency, have access to and use of information and data that is comparable to that provided to the public who are not individuals with disabilities, unless an undue burden would be imposed on the agency. 2. Accordingly, any offeror responding to this solicitation must comply with established HHS EIT accessibility standards. Information about Section 508 is available at http://www hhs.gov/web/508. The complete text of the Section 508 Final Provisions can be accessed at http://www.accessaboard. gov/sec508/standards htm. 3. The Section 508 accessibility standards applicable to this contract are: 1194. 205 WCAG 2.0 Level A & AA Success Criteria 302 Functional Performance Criteria 502 Inoperability with Assistive Technology 504 Authoring Tools 602 Support Documentation 603 Support Services In order to facilitate the Government's determination whether proposed EIT supplies meet applicable Section 508 accessibility standards, offerors must submit an HHS Section 508 Product Assessment Template, in accordance with its completion instructions. The purpose of the template is to assist HHS acquisition and program officials in determining whether proposed EIT supplies conform to applicable Section 508 accessibility standards. The template allows offerors or developers to self-evaluate their supplies and documentation detail - whether they conform to a specific Section 508 accessibility standard, and any underway remediation efforts addressing conformance issues. Instructions for preparing the HHS Section 508 Evaluation Template are available under Section 508 policy on the HHS Web site http://hhs.gov/web/508. In order to facilitate the Government's determination whether proposed EIT services meet applicable Section 508 accessibility standards, offerors must provide enough information to assist the Government in determining that the EIT services conform to Section 508 accessibility standards, including any underway remediation efforts addressing conformance issues. 4. Respondents to this solicitation must identify any exception to Section 508 requirements. If a offeror claims its supplies or services meet applicable Section 508 accessibility standards, and it is later determined by the Government, i.e., after award of a contract or order, that supplies or services delivered do not conform to the accessibility standards, remediation of the supplies or services to the level of conformance specified in the contract will be the responsibility of the Contractor at its expense. 5. Electronic content must be accessible to HHS acceptance criteria. Checklist for various formats are available at http://508.hhs.gov/, or from the Section 508 Coordinator listed at https://www.hhs.gov/web/section-508/additional-resources/section-508-contacts/index html. Materials that are final items for delivery should be accompanied by the appropriate checklist, except upon approval of the Contracting Officer or Representative. Information Security Standard-1: Procurements Requiring Information Security and/or Physical Access Security 1. Baseline Security Requirements a. Applicability. The requirements herein apply whether the entire contract or modification (hereafter "contract"), or portion thereof, includes either or both of the following: i. Access (Physical or Logical) to Government Information: A Contractor (and/or any subcontractor) will have or will be given the ability to have, routine physical (entry) or logical (electronic) access to government information. ii. Operate a Federal System Containing Information: A Contractor (and/or any subcontractor) will operate a federal system and information technology containing data that supports the HHS mission. In addition to the Federal Acquisition Regulation (FAR) Subpart 2.1 definition of "information technology" (IT), the term as used in this section includes computers, ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services (including support services), and related resources. b. Safeguarding Information and Information Systems. All government information and information systems must be protected in accordance with HHS/CDC policies and level of risk. At a minimum, the Contractor (and/or any subcontractor) must: i. Protect the: ? Confidentiality, which means preserving authorized restrictions on access and disclosure, based on the security terms found in this contract, including means for protecting personal privacy and proprietary information; ? Integrity, which means guarding against improper information modification or destruction, and ensuring information non-repudiation and authenticity; and ? Availability, which means ensuring timely and reliable access to and use of information. ii. Categorize all information owned and/or collected/managed on behalf of HHS/CDC and information systems that store, process, and/or transmit HHS information in accordance with FIPS 199 and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-60, Volume II: Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories. Based on information provided by the ISSO, CISO, CDC CPO, or other representative, the impact level for each Security Objective (Confidentiality, Integrity, and Availability) and the Overall Impact Level, which is the highest watermark of the three factors of the information or information system are the following: ? Confidentiality: [ x ] Low [ ] Moderate [ ] High ? Integrity: [ x ] Low [ ] Moderate [ ] High ? Availability: [ x ] Low [ ] Moderate [ ] High ? Overall Impact Level: [ x ] Low [ ] Moderate [ ] High iii. Based on the agreed-upon level of impact, implement the necessary safeguards to protect all information systems and information collected and/or managed on behalf of HHS/CDC regardless of location or purpose. iv. Report any discovered or unanticipated threats or hazards by either the agency or contractor, or if existing safeguards have ceased to function immediately after discovery, within one (1) hour or less, to the government representative(s). v. Adopt and implement all applicable policies, procedures, controls, and standards required by the HHS/CDC Information Security Program to ensure the confidentiality, integrity, and availability of government information and government information systems for which the Contractor is responsible under this contract or to which the Contractor may otherwise have access under this contract. Obtain all applicable security and privacy policies by contacting the CO/COR or HHS/CDC security and/or privacy officials. c. Privacy Act. Comply with the Privacy Act requirements (when applicable), and tailor FAR and HHSAR clauses as needed. d. Privacy Compliance. Comply with the E-Government Act of 2002, NIST SP 800-53, and applicable HHS/CDC privacy policies, and complete all the requirements below: i. Per the Office of Management and Budget (OMB) Circular A-130, Personally Identifiable Information (PII), is "information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual." Examples of PII include, but are not limited to the following: Social Security number, date and place of birth, mother's maiden name, biometric records, etc. ii. To ensure that the public's personal information is protected in a manner commensurate with the privacy risks, HHS uses a privacy analysis process to assess the risks associated with HHS's collection and maintenance of PII and to ensure information is handled in accordance with applicable legal, regulatory, and policy requirements. PTAs analyze how information is handled in IT systems and electronic information collections and determines if the IT system or electronic information collection collects, disseminates, maintains, or disposes of PII. PIAs are used to assess the privacy risks of IT systems and electronic information collections that collect, disseminate, maintain, or dispose of PII about members of the public. PIAs also provide transparency into how HHS collects, disseminates, maintains, or disposes of the public's PII. iii. The Contractor must support the agency with conducting a Privacy Threshold Analysis (PTA) for the information system and/or information handled under this contract to determine whether or not PII is collected, disseminated, maintained, or disposed as part of the contract. The PTA will determine if a full Privacy Impact Assessment (PIA) needs to be completed. ? If the results of the PTA show that a full PIA is needed, the Contractor must support the agency with completing a PIA for the system or information within 60-90 days after completion of the PTA and in accordance with HHS policy and OMB M-03-22, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002. ? The Contractor must support the agency in reviewing the PIA at least every three years throughout the system development lifecycle (SDLC)/information lifecycle, or when determined by the agency that a review is required based on a major change to the system, or when new types of PII are collected that introduces new or increased privacy risks, whichever comes first. e. Controlled Unclassified Information (CUI). Executive Order 13556 defines CUI as "information that laws, regulations, or Government-wide policies require to have safeguarding or dissemination controls, excluding classified information." The Contractor (and/or any subcontractor) must comply with 3 CFR, part 2002) when handling CUI. 32 C.F.R. 2002.4(aa) As implemented the term "handling" refers to "…any use of CUI, including but not limited to marking, safeguarding, transporting, disseminating, re-using, and disposing of the information." 81 Fed. Reg. 63323. The requirements below apply only to nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components. All sensitive information that has been identified as CUI by a regulation or statute, handled by this solicitation/contract, must be: i. Marked appropriately; ii. Disclosed to authorized personnel on a Need-To-Know basis; iii. Protected in accordance with NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations applicable baseline if handled by a Contractor system operated on behalf of the agency, or NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations if handled by internal Contractor system; and iv. Returned to HHS control, destroyed when no longer needed, or held until otherwise directed. Information and/or data must be disposed of in accordance with NIST SP 800- 88, Guidelines for Media Sanitization. f. Protection of Sensitive Information. For security purposes, information is or may be sensitive because it requires security to protect its confidentiality, integrity, and/or availability. The Contractor (and/or any subcontractor) must protect all government information that is or may be sensitive by securing it with a solution that is validated with current FIPS 140 validation certificate from the NIST CMVP. g. Confidentiality and Nondisclosure of Information. Any information provided to the contractor (and/or any subcontractor) by HHS or collected by the contractor on behalf of HHS must be used only for the purpose of carrying out the provisions of this contract and must not be disclosed or made known in any manner to any persons except as may be necessary in the performance of the contract. The Contractor assumes responsibility for protection of the confidentiality of Government records and must ensure that all work performed by its employees and subcontractors must be under the supervision of the Contractor. Each Contractor employee or any of its subcontractors to whom any HHS records may be made available or disclosed must be notified in writing by the Contractor that information disclosed to such employee or subcontractor can be used only for that purpose and to the extent authorized herein. h. The confidentiality, integrity, and availability of such information must be protected in accordance with HHS and CDC policies. Unauthorized disclosure of information will be subject to the HHS/CDC sanction policies and/or governed by the following laws and regulations: i. 18 U.S.C. 641 (Criminal Code: Public Money, Property or Records); ii. 18 U.S.C. 1905 (Criminal Code: Disclosure of Confidential Information); and iii. 44 U.S.C. Chapter 35, Subchapter I (Paperwork Reduction Act). i. Internet Protocol Version 6 (IPv6). All procurements using Internet Protocol must comply with OMB Memorandum M-05-22, Transition Planning for Internet Protocol Version 6 (IPv6). j. Information and Communications Technology (ICT). ICT products and services from prohibited entities/sources must not be used/acquired in compliance with Public Law 115-232, Section 889 Parts A and B, FAR 4.21, FAR 52.204.23, FAR 52.204.24, and FAR 52.204.25. The contractor (and/or any subcontractor) must notify the government if they identify prohibited ICT products and/or services are used during the contract performance. k. Government Websites. All new and existing public-facing government websites must be securely configured with Hypertext Transfer Protocol Secure (HTTPS) using the most recent version of Transport Layer Security (TLS). In addition, HTTPS must enable HTTP Strict Transport Security (HSTS) to instruct compliant browsers to assume HTTPS at all times to reduce the number of insecure redirects and protect against attacks that attempt to downgrade connections to plain HTTP. For internal-facing websites, HTTPS is not required, but it is highly recommended. Consult the HHS Policy for Internet and Email Security for additional information. l. Contract Documentation. The Contractor must use provided templates, policies, forms and other agency documents to comply with contract deliverables as appropriate. m. Standard for Encryption. The Contractor (and/or any subcontractor) must: i. Comply with the HHS Standard for Encryption of Computing Devices and Information to prevent unauthorized access to government information. include, but are not limited to, scanning operating systems, web applications, wireless scanning; network device scanning to include routers, switches, and firewall, and IDS/IPS; databases and other applicable systems, including general support structure, that support the processing, transportation, storage, or security of Government information for vulnerabilities. c. The Contractor must identify any gaps between required FedRAMP Security Control Baseline/Continuous Monitoring controls and the contractor's implementation status as documented in the Security Assessment Report and related Continuous Monitoring artifacts. In addition, the contractor must document and track all gaps for mitigation in a Plan of Action and Milestones (POA&M) document. Depending on the severity of the risks, HHS may require remediation at the contractor's expense before HHS issues an ATO. d. The Contractor (and/or any subcontractor) must mitigate security risks for which they are responsible, including those identified during A&A and continuous monitoring activities. All vulnerabilities and findings must be remediated, in accordance with timelines specified in the HHS POA&M Standard, from discovery: (1) critical vulnerabilities no later than fifteen (15) days and (2) high within thirty (30) days (3) medium within sixty (60) days and (4) low vulnerabilities no later than three hundred and sixty (360) days. In the event a vulnerability or other risk finding cannot be mitigated within the prescribed timelines above, they must be added to the designated POA&M and mitigated within the newly designated timelines. HHS will determine the risk rating of vulnerabilities using FedRAMP Baselines. CDC timelines for mitigating POA&M: a. 15 days for critical weaknesses; b. 30 days for high weaknesses; c. 60 days for medium weaknesses; and d. 360 days for low weakness. e. Revocation of a Cloud Service. HHS and CDC have the right to take action in response to the CSP's lack of compliance and/or increased level of risk. In the event the CSP fails to meet HHS and FedRAMP security and privacy requirements and/or there is an incident involving sensitive information, HHS and/or CDC may suspend or revoke an existing agency ATO (either in part or in whole) and/or cease operations. If an ATO is suspended or revoked in accordance with this provision, the CO and/or COR may direct the CSP to take additional security measures to secure sensitive information. These measures may include restricting access to sensitive information on the Contractor information system under this contract. Restricting access may include disconnecting the system processing, storing, or transmitting the sensitive information from the Internet or other networks or applying additional security controls. 4. Reporting and Continuous Monitoring i. Following the initial ATOs, the Contractor (and/or any subcontractor) must perform the minimum ongoing continuous monitoring activities specified below, submit required deliverables by the specified due dates, and meet with the system/service owner and other relevant stakeholders to discuss the ongoing continuous monitoring activities, findings, and other relevant matters. The CSP will work with the agency to schedule ongoing continuous monitoring activities. At a minimum, the Contractor must provide the following artifacts/deliverables on a monthly basis: Application and Host Scans (if applicable) according to CSPO ISCM guidance. ii. Perform weekly scans (at a minimum) and provide results to C/I/O/ISSO and CSPO ISCM for systems with a FIPS 199 impact level of High, HVA, or if the system contains PII, and ensure scan results are submitted in either CSV or PDF format for deliverables. iii. Operating system, database, Web application, and network vulnerability scan results; iv. Updated POA&Ms; Any updated authorization package documentation as required by the annual attestation/assessment/review or as requested by the CDC System Owner or AO, and; iv. Any configuration changes to the system and/or system components or CSP's cloud environment, that may impact HHS/CDC’s security posture. Changes to the configuration of the system, its components, or environment that may impact the security posture of the system under this contract must be approved by the agency. 5. Configuration Baseline a. The contractor must certify that applications are fully functional and operate correctly as intended on systems using HHS Minimum Security Configurations Standards Guidance. The standard installation, operation, maintenance, updates, and/or patching of software must not alter the configuration settings from the approved HHS/CDC configuration baseline. b. The contractor must use Security Content Automation Protocol ...
Links ()
Attachments ()
Data sourced from SAM.gov.
View Official Posting »