Notice ID: 75N94024R00010
STATEMENT OF WORK:
This Statement of Work (SOW) is for the acquisition of professional Information Technology (IT) program and technical services, including program and project management, specialized IT security expertise, and data analysis, in order to support the National Institute of Diabetes and Digestive and Kidney Diseases (NIDDK) Computer Technology Branch (CTB) in fulfilling the NIH mission. Additionally, NIDDK seeks to provide resources in support of the NIDCR IT Security program which are included in the scope and description below.
- Scope
The Contractor shall provide experienced credentialed (e.g., ISO 9001) Information Technology (IT) management support for CTB program and project management, business analysis, development, and implementation services in accordance with this SOW.
- Detailed Technical Requirements/Tasks to be Performed
Task 1 – Program Management Support – (Optional Task)
The Contractor shall provide part-time (40% level of effort) senior-level IT Program Management support within the Computer Technology Branch (CTB). Candidates shall work directly with the Chief Information Officer (CIO) and CTB management to assist with strategic planning and special initiatives development, execution, and progress monitoring. Candidates must be proficient in the use of communications interfaces such as Zoom, Microsoft Teams, and WebEx. Activities shall include the following tasks:
- Support the CIO in the execution of CTB’s IT project management governance structure and overall management of its IT portfolio through administrative tasks as assigned.
- Coordinate planning and execution of activities for special projects and management initiatives as directed by the CIO, including but not limited to customer relationship management, risk management, change management, and NIH Inclusion, Diversity, Equity, Accessibility, and Civility (IDEA-C) efforts.
- Evaluate IT portfolio adherence to applicable industry and government standards and best practices (e.g., CMMI, ISO 9001, HHS Enterprise Performance Life Cycle) and provide leadership with performance management recommendations and strategies.
- Assist in preparation and delivery of project and system implementation plan presentations for executives, project teams, and other project stakeholders.
- Facilitate visioning sessions with CTB management in order to develop actionable strategic goals and organizational roadmap.
- Facilitate 360° assessment feedback collection and analysis of results for CTB management.
- Provide executive coaching and advisory support to CTB management.
- Coordinate and provide oversight for CTB’s annual strategic goal setting process to ensure all CTB managers submit feasible goals with measurable outcomes to the CIO by the institute-set deadline.
- Provide CTB management with strategic planning templates, resources, and guidance.
- Assess CTB’s progress against annual strategic plan goals and management initiatives.
- Provide administrative support for the development and preparation of CTB program management documentation (e.g., charters, overall project plans, requirements specifications, test plans, architectural and software development plans).
- Provide monthly status reports to CTB management.
Task 2 – IT Security Support
The Contractor shall provide dedicated, key personnel to support NIDDK’s security program and assessment and authorization activities. This position, though key, is estimated to be part-time work (up to 50% effort). Candidates must show proof of CISSP certification (Certified Information Systems Security Professional). The Government shall provide Government-Furnished Equipment (GFE) necessary for contractor staff.
Activities shall include the following tasks:
- Perform Security Assessment and Authorization (SA&A) tasks.
  - Register new systems in the NIH Security Authorization Tool (NSAT) and define accurate authorization boundaries; ensure the system is categorized in NSAT according to FIPS-199.
  - Ensure a Privacy Impact Assessment (PIA) is completed, and an E-Authentication Threshold Analysis/Risk Assessment is documented.
  - Use the NIH Responsibility Matrix to plan inheritance by identifying common security controls, potential hybrid controls, and system-specific controls, ensuring that all controls are addressed for the system’s FIPS-199 categorization level.
  - Assist with the development and review of the System Security Plan (SSP); assist with preparation of the Security Assessment Report (SAR) based on the issues, findings, and recommendations from the assessment.
  - Ensure remediation actions are taken based on the findings and recommendations and that the controls are retested as appropriate.
  - Coordinate the development of a Contingency Plan and ensure that the plan is tested and maintained annually.
  - Ensure a Plan of Action and Milestones (POAM) is completed and maintained based on the findings, weaknesses, and recommendations of the SAR and any audits.
  - Provide technical review and recommendations for Vulnerability Assessments that are conducted on the systems and also determine the risk to organizational operations.
  - Assemble the Security Authorization package.
  - Continuously monitor the information system and environment for changes.
  - Ensure testing of security controls is conducted as needed in conjunction with configuration management and NIST/HHS/NIH policy.
  - Maintain the system inventory, POCs, SSP, SAR, and POAM based on the results of the Continuous Monitoring Process and applicable audits.
- Assist with System Development Lifecycle (SDLC) tasks.
  - Ensure that security is incorporated into the information system throughout the entire Life Cycle and provide necessary technical security support to management.
  - Assist application system managers in selecting and implementing administrative, physical, and technical safeguards; determining the sensitivity level of the application or system; defining security specifications; conducting design reviews of security features; and testing security features.
- Support the IT Security Audit process.
  - Conduct periodic quality measurements to verify that the Institute or Center (IC) operates in a manner consistent with standard industry practices.
  - Conduct system security evaluations, audits, and reviews.
  - Provide information for NIH IT audits when requested.
- Administrative Requirements
  - The contractor shall work with Agency stakeholders (such as system owners, business owners, and the CIO) and technology professionals to properly understand business requirements and develop an industry best practice approach to technology solutions, policies, and practices.
  - The contractor shall design solutions that offer role- or attribute-based identity management, authorization, and authentication across all business applications.
  - The contractor shall ensure all content is preserved according to Federal record retention requirements and systems have the ability to protect personally identifiable information (PII).
  - The contractor shall ensure applications are developed such that response times for application end users fall within best practice levels.
  - The contractor shall provide comprehensive documentation and information necessary to analyze processes, procedures, and/or policies that were implemented in the creation of applications and the security program.
Task 3 – IT Security Support (NIDCR) – (Optional Task)
The Contractor shall provide dedicated, key personnel, part-time support (up to 50% FTE) under the same qualifications and tasks cited in Section 3.2 for NIDCR’s security program.
Task 4 – Clinical Informatics Support
The Contractor shall provide dedicated, key personnel clinical data analyst support for NIDDK’s Office of the Clinical Director to provide system administration and data management for REDCap and other clinical data sources. Candidates must have work experience in administration and validation of REDCap instances. The Government shall provide GFE necessary for contractor staff. Activities shall include the following tasks:
- Provide REDCap system administration and configuration.
  - Create and manage REDCap user accounts and permissions.
  - Create, configure, and manage REDCap projects and instruments for NIDDK project teams according to their needs and specifications.
  - Provide REDCap and 21 CFR Part 11 resources and training upon request or as needed by NIDDK project teams.
- REDCap Validation and Compliance
  - Conduct validation of NIDDK’s REDCap instance to ensure 21 CFR Part 11 compliance.
  - Instruct project teams on controls required for 21 CFR Part 11 compliance.
- Data Cleaning and Transformation
  - Assist NIDDK teams with data import and export from REDCap.
  - Use data cleaning and analysis tools such as Tableau Prep and Tableau to clean, transform, analyze, and visualize data per NIDDK research team requirements.
  - Develop reusable cleaning routines and automate data management procedures when appropriate.
- Clinical Informatics Support
  - Work with staff across the Office of the Clinical Director to facilitate protocol monitoring, Quality Assurance/Quality Improvement activities, data harmonization across projects, and safety review.
  - Assist project teams with NIH Biomedical Translational Research Information System (BTRIS) data downloads from the project web interface.
  - Participate in periodic review and update of clinical informatics SOPs.
Task 5 – Application Development Support – (Optional Task)
The Contractor shall provide optional part-time support for application design, development, optimization, maintenance, and support for NIDDK application development activities and support as described below. The Government shall provide access to GFE on site and any applicable Government Furnished Information (GFI) needed for contractor staff supporting application development.
Task 5.1 Business Analysis/Requirements Management – (Optional Task)
The Contractor shall provide business analyst support to analyze, document, and report on business processes and rules, analyze and document requirements for system development, and communicate this information to test and development teams. Candidates must have past experience in Agile development methodology and Atlassian tools Jira and Confluence. Activities shall include the following tasks:
- Document current business processes with business owners
- Develop “to-be” business processes based on input from stakeholders
- Meet with management and provide requirements gathering facilitation
- Prepare business documentation including process workflow diagrams, user stories, requirements validation, and status report presentations
- Work with diverse user groups, often including scientists and other subject matter experts, and stakeholders, to define and prioritize project IT system requirements
- Prepare and document all functional, technical, and security requirements in a consolidated location, with sufficient detail to develop and test the application
- Work with the project development and test teams to define development and testing strategies for the target application(s)
Task 5.2 Application and Web Development – (Optional Task)
The Contractor shall provide part-time application and web development support for multiple types of CTB development initiatives including web application development, dashboard design, Commercial Off-The-Shelf (COTS)/custom application development with a database backend, and automated test script development. Specific technology requirements that may be needed include: Microsoft Power Apps, Microsoft Power BI, Microsoft Power Automate, Microsoft SharePoint Online, Oracle, Microsoft SQL Server, Windows, UNIX, .NET, Subject7.
Filling any positions under Task 5, 5.1, or 5.2 above must be approved by the Contracting Officer’s Representative (COR) as needed…