TASK REQUEST FOR THE WAGE AND INVESTMENT
TAX PROFESSSIONALS SURVEY
BPA TIRNO-05-Z-00012, TIRNO 05-Z-00013, TIRNO-05-Z-00014
Task Request XXX
I. Statement of Work
A. Background and Objectives
The Taxpayer Assistance Blueprint (TAB) Phase 1 and 2 reports have recognized the important role that tax practitioners assume as intermediaries between the IRS and taxpayers and have recommended conducting additional research studies to identify and better understand practitioners’ needs, preferences, and behaviors.
During TAB Phase 2, the Office of Program Evaluation and Risk Analysis (OPERA) developed and implemented a survey of tax practitioners who prepare individual returns in order to identify their needs and assess how IRS can better meet their needs. Due to time and resource limitations, the survey universe was restricted to practitioners who subscribe to the email listserv of their professional organizations. Of course, this methodology narrowed the universe of tax practitioners and made it difficult to make statistical generalizations. The report acknowledges this limitation and recommends conducting future research that attempts to include those practitioners who do not have an affiliation with a professional association or who do not subscribe to their associations’ listserv.
The Small Business and Self Employed (SB/SE) Division of IRS conducts a survey of tax practitioners who prepare business returns for individuals and small businesses. By targeting practitioners who prepare business returns, the survey provides valuable information about the SB/SE practitioners’ needs and behavior patterns and suggests strategies for the IRS to better support these practitioners. However, the SB/SE survey misses an important segment of the practitioner community – the segment that primarily assists Wage and Investment taxpayers.
The current task will expand on both the SB/SE Practitioner Survey and the TAB II Practitioner Survey by conducting a large scale survey of practitioners who prepare Wage and Investment (W&I) returns. Due to the known seasonal nature of some W&I practitioners, it is expected that this survey will take place during the filing season.
The purpose of this task is to assist W&I Research in developing a more thorough understanding of the characteristics of the W&I practitioner and increase our knowledge of the needs, preferences and behaviors of practitioners. This study is in line with the recommendation from the TAB Phase 2 report to conduct additional studies that will inform strategies that enhance the quality and accessibility of practitioner assistance.
W&I Research is suggesting a mail survey with telephone follow-up for the current study. The Contractor is welcome to propose other survey modes they feel would meet the needs of the task in the best manner possible. Proposals should include enough detail including projected response rates and rationale including advantages and disadvantages for all proposed survey methods to allow for proper evaluation.
Tasks
1. Planning Meeting
Within ten business days after the contract is awarded, the Contractor will coordinate a planning meeting with W&I Research. The goal of this planning meeting will be to review previous research, including the SB/SE Practitioner Survey and the TAB II Practitioner Survey, discuss survey development, the sampling plan, survey methodology, survey administration, weighting schemes, and reporting and to establish a Project Plan. Special attention will be paid to issues associated with survey communications and tax professionals’ concerns with the legitimacy of this survey as an IRS-sponsored solicitation. Another reason for the meeting will be to establish the roles and responsibilities of the contractor and the IRS. At the conclusion of the planning meeting, but not more than five business days thereafter, the Contractor will prepare a summary report documenting the issues and decisions made with regard to the W&I Practitioner Survey. The government does not expect or require the Contractor to expend significant resources for this task. For this and all other meetings between W&I Research and the Contractor, the Contractor will provide W&I Research meeting notes two (2) business days after the meeting for W&I Research review and approval.
2. Develop a Project Plan
The Contractor will develop a Project Plan that addresses and finalizes survey development, the sampling plan, survey methodology, survey administration, weighting schemes, and reporting. The Project Plan will also include the expected timeline of the project.
Although it is expected that proposals will address the Contractor’s quality assurance plan, the Project Plan will contain a detailed Quality Assurance Plan that will include procedures for the quality assurance of the questionnaire, sampling procedures, survey administration, data entry, data preparation, analysis and reporting. The Quality Assurance Plan should include reporting of quality assurance activities.
3. Assist in the Development of the Questionnaire
Based on information gained from the SB/SE Tax Professionals Surveys, the TAB II Practitioner Survey and internal customers, W&I Research will develop and provide the Contractor a draft questionnaire addressing at a minimum the following business questions:
How do tax practitioners get their tax law information, forms, and publications;
What IRS and non-IRS services practitioners are aware of and use;
What tax administration issues practitioners face most often when preparing their clients’ 1040 tax returns;
How satisfied practitioners are with the services provided by IRS
How practitioners would improve or change the services provided by IRS
The Contractor will review the questionnaire and provide expert guidance including guidance on question development and overall total questionnaire design and structure.
W&I Research and the Contractor will also jointly develop and validate any associated materials including any advance letters or other survey communications.
The Contractor will appropriately pretest all survey materials. If a telephone survey will be utilized the Contractor will oversee programming the questionnaire into a CATI system. The Contractor will ensure that the logic and skip patterns are functioning properly by manually testing the program and by running an automated test that will force 100 randomly generated interviews.
After ensuring the questionnaire is functioning properly, the Contractor will manage a pre-test with approximately 25 completed interviews with W&I tax professionals. IRS and the Contractor will be present for the pre-test. The Contractor will finalize the questionnaire based on feedback from the pre-test and approval from W&I Research.
The Contractor will provide W&I Research reports of any and all pretests that are conducted.
Develop Sampling Plan
The Contractor will consult with W&I Research on a sampling plan, including possible stratification of the sample, and final sample size. Initial plans call for a completed sample of 1800 respondents. It is important for this survey to accurately represent the population of W&I tax practitioners, including those who are seasonal tax preparers and those that are part time tax professionals, as well as CPAs, enrolled agents and other tax professionals. The Contractor will ensure that the results have a maximum sampling error of +/-3% at the 95% confidence level.
W&I Research is prepared to provide a list of preparers compiled from IRS data from which the sample can be drawn. The Contractor is welcome to propose other methods of acquiring the necessary sample data such as the use of a purchased listing of tax preparers.
In order to ensure we do not add unnecessary burden to tax practitioners, the sample will need to be cleaned of any practitioners that were surveyed as part of the SB/SE survey. Although the selection criteria and screening process should minimize the possibility of this occurring, W&I Research believes this is an important part of the sampling plan.
Based on the agreed survey mode and expected response rates, a finalized sampling plan indicating the source of the sample, stratification of the sample and final sample size will be developed. It is anticipated that the Contractor will include up to 20 times the number of required responses in whatever strata are determined.
Provide Review of and Data for OMB Clearance Documents
Once the questionnaire and sampling plan have been completed, W&I Research will prepare a draft OMB clearance document for the Contractor to review to ensure accuracy of the document including accurate representation of the survey methodology, sampling plan, and burden hours. Once finalized, W&I Research will submit and track the OMB Clearance Package. After completion of the survey, the Contractor will provide W&I Research the necessary data for the OMB Follow-Up Report.
Draw and Prepare the Sample
Depending on the data source used for drawing the sample, the Contractor may be required to look up mailing addresses and/or telephone numbers of survey respondents. The proposed IRS data does include addresses and some phone numbers. The exact percentage of addresses and phone numbers in the IRS data cannot be determined until the sample is selected. The Contractor will be responsible for exercising due diligence in securing phone numbers not contained in the IRS data or in any purchased lists used.
The Contractor will draw the sample and apply applicable controls in an attempt to increase response rate. The Contractor will conduct a test of the sampling procedures and provide the results of the test to W&I Research prior to survey administration. This should be part of the Quality Assurance Plan.
Survey Administration
Once the sample has been prepared, the Contractor will administer the survey utilizing the survey methodology agreed upon during the planning meeting and ensuring the highest standards of quality as discussed in the Quality Assurance Plan. W&I Research is suggesting a 4 wave mail survey with telephone follow-up for the current study. The Contractor is welcome to propose other survey modes and should include detailed survey methodologies, expected response rates, survey administration procedures and costs for all proposed survey modes.
During administration of the survey, the Contractor will provide W&I Research with weekly progress reports including response rates. These reports should also include any concerns or difficulties with survey administration.
It is anticipated that survey administration would begin no later than January 15, 2008 and conclude no later than May 1, 2008.
Data Preparation, Analysis, and Reporting
The Contractor will clean the data and perform quality checks on all data. The Contractor will create and submit to W&I research the formatted data in a mutually agreed upon electronic format including a record layout, and variable definitions.
The Contractor will analyze and report on top line results and preliminary key findings from the survey. Where applicable the data will be compared to the findings of the SB/SE Practitioner Survey and the TAB II Practitioner Survey. Statistical tests of significance will be performed within the survey dataset. It is expected that W&I Research will conduct more in-depth data analysis and will develop a second set of reports.
9. Option Years
For CY 2008 and CY 2009 of this survey, provide option year pricing for each year at the same levels of effort/service as the current year. These option years would be exercisable at the Governments discretion only, with no guarantee that they will be exercised. For each option year, include a separate cost proposal.
C. Deliverables
Report of Planning Meeting Outcomes and Agreements
Within two (2) business days after the completion of the planning meeting in Task One, the Contractor will deliver a report summarizing the key results and agreements of the initial Planning Meeting.
Project Plan
Within 15 business days of the conclusion of the Planning Meeting, the Contractor will provide W&I Research with a draft Project Plan. This plan will include a detailed description of the finalized survey mode, general sampling plan including the sampling frame and identification of any strata, general questionnaire framework, data management, suggested weighting schemes, a quality assurance plan, agreed format of survey data to be provided to W&I Research, overview of the Contractor’s analysis plan and the project time line.
The Project Plan will also contain the Quality Assurance Plan. The Quality Assurance Plan will address all procedures for ensuring the accuracy and validity of questionnaire, sampling procedures, survey administration, data entry, data preparation, analysis and reporting.
Questionnaire Assistance
The Contractor will provide expert guidance on the development of the questionnaire. Expert guidance is expected on the development of all questionnaire material including advance letters and any other survey communications. It is generally expected that written and verbal comments and suggestions will be provided to W&I Research within 3 business days on all draft submissions of the questionnaire and associated documents.
The Contractor will provide W&I Research reports of any and all pretests of the questionnaire, survey communications and survey administration systems, such as CATI, that are conducted.
Sampling Procedures
The Contractor will document a detailed sampling plan, including the strategy for achieving target quotas within strata. This deliverable may be included in the Project Plan, Deliverable 2, if the Contractor notifies W&I Research in writing of this intention before the Project Planning Meeting (Task 1).
OMB Clearance Data
The Contractor will review and provide written and oral comments on the OMB package and burden hour estimates within 3 days of submission from W&I Research. Upon completion of the survey and initial data analysis, the Contractor will submit to W&I Research the data necessary to complete the OMB Follow-Up Report.
Survey Administration, Reporting and Quality Assurance of Data
The Contractor will conduct a test of the sampling procedures and provide the results of the test to W&I Research prior to survey administration. The Contractor will also test the system of data entry and provide the results of the test to W&I Research prior to survey administration.
The Contractor will administer the survey in accordance with the survey methodology agreed to during the planning meeting and detailed in the Project Plan. The Contractor will provide all survey respondents a Privacy Act Statement. This content of this statement will be provided by W&I Research. During administration of the survey, the Contractor will provide W&I Research with weekly progress reports including response rates. These reports should also include any concerns or difficulties with survey administration
Data Preparation, Analysis, and Reports
The Contractor will create and submit to W&I research the formatted raw data in a mutually agreed upon electronic format including a record layout, and variable definitions. This data will include any weighting variables created for the data. The Contractor will also provide W&I Research with proper documentation of any and all weighting variables and any and all recoded variables. The data should be purged of all taxpayer identification.
The Contractor will perform a top line, preliminary analysis on the survey data. Where applicable the data will be compared to the findings of the SB/SE Practitioner Survey and the TAB II Practitioner Survey. Statistical tests of significance will be performed within the survey dataset. The Contractor will provide documentation of all statistical techniques employed in the analysis.
The Contractor will report on the top line analysis and preliminary findings. The report will also include applicable comparisons to the findings of the SB/SE Practitioner Survey and the TAB II Practitioner Survey and any statistical tests of significance performed. The report will include appendices providing information on survey background and methodology, segment definitions, demographic analysis, tables of frequencies and cross-tabulations, a brief description of the weighting procedures and a clean copy of the survey as administered. The Contractor will submit a draft version of the report, and upon W&I Research approval of the draft report, the Contractor will provide five (5) physical copies of the report as well as an electronic copy.
II. Administrative Requirements
A. Period of Performance
The period of performance shall extend for 15 months from the date of contract award and shall cover up-front planning and design (maximum of four months) plus sampling, survey administration, and reporting of survey results on one year. The Government anticipates the contract will be awarded by 8/15/2007.
Inspection and acceptance of all work performed shall be by the Government Task Manager for W&I Research. Written deliverables shall be reviewed for accuracy, clarity, completeness, and timeliness within ten (10) business days after receipt unless specified differently elsewhere in the statement of work. W&I Research will provide any concerns and comments to the Contractor, who shall assure completion of each deliverable in an acceptable manner.
Usage Rights
All products and data developed for this contract and instructions produced by this contract will belong to the IRS during and at the conclusion of the contract. If the Contractor has proprietary research, copyrighted materials, and literary property copyright material used in this contract, the Contractor will recognize the IRS will have the right to use and make available to others outside of IRS for their use for no additional charge. IRS is the owner of data resulting from this contract.
III. Security and Safeguards
IRSAP 1052.224-9000(a) DISCLOSURE OF INFORMATION--SAFEGUARDS (JAN 1998)
In performance of this contract, the Contractor agrees to comply and assume responsibility for compliance by his/her employees with the following requirements:
(1) All work shall be performed under the supervision of the Contractor or the Contractor’s responsible employees.
(2) Any return or return information made available shall be used only for the purpose of carrying out the provisions of this contract. Information contained in such material shall be treated as confidential and shall not be divulged or made know in any manner to any person except as may be necessary in the performance of the contract. Inspection by or disclosure to anyone other than an officer or employee of the Contractor shall require prior written approval of the Internal Revenue Service. Requests to make such inspections or disclosures should be addressed to the IRS Contracting Officer.
(3) Should a person (contractor or subcontractor) or one of his/her employees make any unauthorized inspection(s) or disclosure(s) of confidential tax information, the terms of the Default clause (FAR 52.249-9), incorporated herein by reference, may be invoked, and the person (contractor or subcontractor) will be considered to be in breach of this contract.
Privacy Act requirements are expressly set forth in:
• FAR 52.224-1 Privacy Act Notification (APR 1984)
• FAR 52.224-2 Privacy Act (APR 1984)
The Privacy Act clauses properly inform the Contractor that it is incumbent upon the contractor to inform its officers and employees of the penalties for improper disclosure imposed by the Privacy Act of 1974, 5 U.S.C. 552a. Specifically, 5 U.S.C. 552a(I)(1), which is made applicable to contractors by 5 U.S.C. 552a(m)(1), provides that any officer or employee of a contractor, who by virtue of his/her employment or official position, has possession of or access to agency records which contain individually identifiable information, the disclosure of which is prohibited by the Privacy Act or regulations established thereunder, and who knowing that disclosure of the specific material is so prohibited, willfully discloses the material in any manner to any person or agency not entitled to receive it, shall be guilty of a misdemeanor and fined not more than $5,000.
a) The Contractor shall not publish or disclose in any manner, without the Contracting Officer’s written consent, the details of any safeguards either designed or developed by the Contractor under this contract or otherwise provided by the Government.
(b) To the extent required to carry out a program of inspection to safeguard against threats and hazards to the security, integrity, and confidentiality of Government data, the Contractor shall afford the Government access to the Contractor’s facilities, installations, technical capabilities, operations, documentation, records, and databases.
(c) If new or unanticipated threats or hazards are discovered by either the Government or the Contractor, or if existing safeguards have ceased to function, the discoverer shall immediately bring the situation to the attention of the other party
IRSAP 1052.224-9001(a) -Disclosure of Information--Criminal/Civil Sanctions
(l) Each officer or employee of any person (contractor or subcontractor) at any tier to whom returns or return information is or may be disclosed shall be notified in writing by the person (contractor or subcontractor) that returns or return information disclosed to such officer or employee can be used only for a purpose and to the extent authorized herein, and that further disclosure of any such returns or return information for a purpose or to an extent unauthorized herein constitutes a felony punishable upon conviction by a fine of as much as $5,000 or imprisonment for as long as five years, or both, together with the costs of prosecution. Such person (contractor or subcontractor) shall also notify each such officer and employee that any such unauthorized future disclosure of returns or return information may also result in an award of civil damages against the officer or employee in an amount not less than $1,000 with respect to each instance or unauthorized disclosure plus in the case of willful disclosure or an disclosure which is the result of gross negligence, punitive damages, plus the cost of the action. These penalties are prescribed by IRC Sections 7213 and 7431 and set forth at 26 CFR 301.6103 (n).
(2) Each officer or employee of any person (contractor or subcontractor) to whom returns or return information is or may be disclosed shall be notified in writing by such person that any return or return information made available in any format shall be used only for the purpose of carrying out the provisions of this contract and that inspection of any such returns or return information for a purpose or to an extent not authorized herein constitutes a criminal misdemeanor punishable upon conviction by a fine of as much as $1,000.00 or imprisonment for as long as 1 year, or both, together with the costs of prosecution. Such person (contractor or subcontractor) shall also notify each such officer and employee that any such unauthorized inspection of returns or return information may also result in an award of civil damages against the officer or employee in an amount equal to the sum of the greater of $1,000.00 for each act of unauthorized inspection with respect to which such defendant is found liable or the sum of the actual damages sustained by the plaintiff as a result of such unauthorized inspection plus in the case of a willful inspection or an inspection which is the result of gross negligence, punitive damages, plus the costs of the action. The penalties are prescribed by IRC Sections 7213A and 7431.
(3) Additionally, it is incumbent upon the contractor to inform its officers and employees of the penalties for improper disclosure imposed by the Privacy Act of 1974, 5 U.S.C. 552a. Specifically, 5 U.S.C. 552a(I)(1), which is made applicable to contractors by 5 U.S.C. 552a(m)(1), provides that any officer or employee of a contractor, who by virtue of his/her employment or official position, has possession of or access to agency records which contain individually identifiable information, the disclosure of which is prohibited by the Privacy Act or regulations established thereunder, and who knowing that disclosure of the specific material is so prohibited, willfully discloses the material in any manner to any person or agency not entitled to receive it, shall be guilty of a misdemeanor and fined not more than $5,000.
The contractor must be cognizant of all IRSAP (disclosure of taxpayer information) clauses in the BPA under which this Task Order Statement of Work falls. In addition, the contractor must be cognizant of all FAR 52.224 (Privacy Act) clauses related to this work.
All disclosure/safeguards/privacy/security language and requirements made applicable to the contractor must be mirrored in the contract of any subcontractor.
No work involving IRS information can be further subcontracted beyond the GPO subcontractor without prior written approval from the Internal Revenue Service. The contractor is to obtain such approval from the Procurement Contracting Officer and/or the Contracting Officer’s Technical Representative (COTR).
The contractor shall comply with Treasury Directive T.D. 85-01, Internal Revenue Manual 10.8.1, IRS Computer Security Awareness briefings and training, IRS Contractor Site Reviews/audits, Privacy Impact Assessment and disclosure/ safeguards guidance, and all applicable IT Security Guidance by Treasury.
· Directives, IRS Documents, Policies and Procedures.
The following FAR clauses are incorporated by reference to each BPA (TIRNO-05-Z-00012, 00013, and 00014):
FAR clauses can be accessed at http://www.arnet.gov/far/
52.224-1 Privacy Act
52.224-2 Privacy Act Notification
52.239-1 Privacy or Security Safeguards
The following System of Records pertains to this contract:
Treasury/IRS 22.0062 Electronic Filing Records
Treasury/IRS 24.030 – CADE Individual Master File (IMF)/Individual Return Transaction File (IRTF)
Treasury/IRS 24.046 – CADE Business Master File (BMF)/Business Return Transaction File (BRTF)
Treasury/IRS 00.003 Taxpayer Advocate Service and Customer Feedback and Survey Records
Treasury/IRS 00.001 Correspondence Files (Including Stakeholder Relationship Files)
IRSAP
1052.204-9000 Screening Requirements
1052.204-9001 Identification/Badging Requirements
1052.224-9000(a) Disclosure of Information – Safeguards
(returns and return information)
1052.224-9000(b) Disclosure of Information – Safeguards
(film and photocopying)
1052.224-9000(d) Disclosure of Information – Safeguards
(OUO material)
1052.224-9000(e) Disclosure of Information – Safeguards
(contracts with other Federal agencies)
1052.224-9001(a) Disclosure of Information – Criminal/Civil Sanctions
(SBU data)
1052.224-9001(b) Disclosure of Information – Criminal/Civil Sanctions
(OUO data)
1052.224-9002 Disclosure of Information – Inspection
(inspection of contractor site)
1052.224-9003 Disclosure of Information – Contractor Acceptance
(contract modification)
http://awss.procurement.irs.gov/policy/docs/irsap.doc
Non-disclosure Agreement TDP 71-10
http://intranet-apps2.cio.treas.gov/security/secmanual/ch2sec2.pdf
Personal Identity Verification of Contract Personnel, effective October 27, 2005. Contractor shall comply with Presidential Directive, called HSPD-12, which states (a) the contractor shall comply with Treasury and Bureau personal identity verification procedures that implement HSPD-12, OMB guidance memorandum M-05-24 and FIPS Pub 201, and (b) the contractor shall insert this provision in all subcontracts when the subcontractor is required to have physical access to a Federally controlled facility or access to a Federal information system. Also, at a minimum, contractors working onsite must possess an Interim Staff-Like Access Clearance from the IRS National Background Investigation Center (NBIC) prior to reporting to work.
STANDARD IT SECURITY CONTRACT LANGUAGE (new as of October 2006):
a. Information Security / Federal Information Security Management Act (FISMA)
Pursuant to the Federal Information Security Management Act (FISMA), Title III of the E-Government Act of 2002, P.L. 107-347, the contractor shall provide minimum security controls required to protect Federal information and information systems. The term ‘information security’ means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentially, integrity and availability.
The contractor shall provide information security protections commensurate with the risk and magnitude of the harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information collected or maintained by or on behalf of the agency; or information systems used or operated by an agency or by a contractor of an agency. This applies to individuals and organizations having contractual arrangements with the IRS, including employees, contractors, vendors, and outsourcing providers, which use or operate information technology systems containing IRS data.
An IRS information or information system are defined as a General Support System (GSS), Major or Minor Application with a FIPS 199 security categorization impact level of low, moderate or high, and those systems identified by the As Built Architecture (ABA) and agency FISMA Master Inventory.
b. Treasury / IRS Policies for Information Technology (IT) Security
The contractor shall comply with Department of Treasury Directive TD P 85-01, Treasury Security Manual TDP 71-10, and Internal Revenue Manual 10.8.1 Information Technology Security Policy and Guidance. The contractor shall comply with IRS Internal Revenue Manuals (IRM) and Law Enforcement Manuals (LEM) when developing or administering IRS information and information systems.
The contractor shall comply with the Taxpayer Browsing Protection Act of 1997 - Unauthorized Access (UNAX), the Act amends the Internal Revenue Code 6103 of 1986 to prevent the unauthorized inspection of taxpayer returns or tax return information.
c. Certification and Accreditation Process
Contractors systems that collect, maintain, operate or use agency information or an information system on behalf of the agency (a General Support System (GSS), Major or Minor Application with a FIPS 199 security categorization) must ensure annual reviews, risk assessments, security plans, control testing, a Privacy Impact Assessment (PIA), contingency planning, and certification and accreditation, at a minimum meet NIST guidance, if required by the IRS.
d. Contractor System Review / Site Visit
The contractor shall be subject to at the option / discretion of the agency, to periodically test, (but no less than annually) and evaluate the effectiveness of information security controls and techniques. The assessment of information security controls may be performed by an agency independent auditor, security team or Inspector General, and shall include testing of management, operational, and technical controls of every information system that maintain, collect, operate or use federal information on behalf of the agency. The agency and contractor shall document and maintain a remedial action plan, also known as a Plan of Action and Milestones (POA&M) to address any deficiencies identified during the test and evaluation. The contractor must cost-effectively reduce information security risks to an acceptable level within the scope, terms and conditions of the contract.
e. Information Security Awareness and Training
The contractor shall comply with IRS mandatory annual Computer Security Awareness briefings, UNAX briefings and receive an initial orientation before access to IRS Information Systems. Perform HSPD-12 Personal Identify Verification, physical and personnel security screening / background investigation for approval of a contractor badge for staff like access; then obtain 5081 approval to IRS information systems.
All contractors and contractor employees who are involved with the management, use, programming or maintenance of IRS information systems must complete the IRS mandatory Computer Security briefing. All contractors and contractor employees who could have access to return information must complete the mandatory UNAX briefing. Contractors shall certify the completion of training by their employees annually. The certification shall be submitted to the contracting officer, with a copy to the COTR and Mission Assurance Security Services Awareness and Training Team.
MA&SS conducts a series of security awareness training; in particularly the Unauthorized Access (UNAX) training and Computer Security Awareness training, which is conducted annually and mandatory for all IRS employees and contractors. FISMA requires continuous security awareness training to inform personnel, including contractors, other users, and individuals with significant IT Security responsibilities that support the operations and assets of the agency to receive specific training on agency guidance, policies and procedures to reduce information security risks.
Office of the President Management and Budget (OMB) Policies for Security of Federal Automated Information Resources
The contractor shall comply with OMB Circular No. A-130 Security of Federal Automated Information Resources Appendix III. The contractor shall comply with the guidance in OMB Circular policy M-06-16 Protection of Sensitive Agency Information to implement protections for personally identifiable information being transported and/or stored offsite. In those instances where personally identifiable information is transported to a remote site of the contractor, the contractor shall implement NIST Special Publication 800-53 security controls and IRS specific security procedures to ensure that information is transported in encrypted form. The contractor shall comply with OMB Circular Policy M-06-16, Safeguarding Personally Identifiable Information (PII), and Policy M-06-19 Reporting Incidents Involving Personally Identifiable Information.
Safeguarding / Protecting Sensitive Personally Identifiable Information (PII)
Sensitive PII is defined by OMB as “any information about an individual maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and information which can be used to distinguish or trace an individual's identity, such as their name, social security number, date and place of birth, mother’s maiden name, biometric records, etc., including any other personal information which is linked or linkable to an individual.” Information systems can be either electronic or manual.
IRM 10.8.1 require IRS' sensitive information is to be handled and protected at the contractor's site, including any information stored, processed, or transmitted using the contractor's computer systems. Contractor personnel shall perform a background investigation and/or clearances required; receive security awareness and training required for contractor activities or facilities; and any facility physical security requirements. Most IRS information is categorized as SBU. This includes: a.) taxpayer information, b.) employee data - such as evaluations, c.) personnel and payroll records, d.) financial and statistical information on agency operations not normally available for public disclosure, and e.) proprietary information provided to the government by third parties.
Various laws and regulations have addressed the need to protect sensitive information held by government agencies including the Federal Information Security Management Act (FISMA), the E-Government Act of 2002, the Privacy Act of 1974, and OMB Circular A-130, Management of Federal Information Resources. FISMA requires agencies to have a security program and controls for systems to protect their sensitive information. Therefore, the contractor shall comply with OMB policies and Treasury / IRS specific policies, procedures or guidance to protect sensitive information, such as the following guidance from OMB Policy M-06-16:
1.) Encrypt all data on mobile computers/devices which carry agency data unless the data is determined to be non-sensitive, in writing, by your Deputy Secretary or an individual he/she may designate in writing;
2.) Allow remote access only with two-factor authentication where one of the factors is provided by a device separate from the computer gaining agency access;
3.) Use a “time-out” function for remote access and mobile devices requiring user re-authentication after 30 minutes inactivity; and
4.) Log all computer-readable data extracts from databases holding sensitive information and verify each extract including sensitive data has been erased within 90 days or its use is still required.
The National Institute of Standards and Technology (NIST) Guidance for Information Security
The contractor shall follow Information Security guidance established by the National Institute of Standards and Technology (NIST). The contractor shall establish the minimum security controls identified in NIST Special Publication 800-53 Recommended Security Controls for Federal Information / NIST 800-53A and Revision 1, and FIPS 200 Minimum Security Requirements for Federal Information and Information Systems. The contractor shall follow the best practices and guidance established by NIST special publication 800 Series and Federal Information Processing Standards (FIPS) for computer security. The IRS may determine such applicable Information Technology (IT) Security standards and policies.
Handling Information Security Incidents
The IRS Computer Security Incident Response Capability (CSIRC) defines a security incident as: “any adverse event whereby some aspect of computer security could be threatened. Adverse events may include the loss of data confidentiality, disruption of data or system integrity, disruption or denial of availability, loss of accountability, or damage to any part of the system.” User Compromise, Disclosure of Taxpayer/Sensitive Data, Malicious Code (successful or unsuccessful), Denial of Service (DoS) (successful or unsuccessful), Website Defacement, Identity Theft, Misuse of Resources or Policy Violation, Loss or Theft of IT Equipment, IRM/LEM Non- Compliance, Unauthorized Access Attempt, Probe/Scan, and any other security incident that may threaten or damage any IRS or federal agency information or information system(s).
The contractor shall maintain procedures for detecting, reporting, and responding to security incidents, and mitigating risks associated with such incidents before substantial damage is done to federal information or information systems. The contractor shall immediately report all computer security incidents that involve IRS information systems to the IRS Computer Security Incident Response Center (CSIRC). Any theft or loss of IT equipment with federal information / data must be reported within one hour of the incident to CSIRC. Those incidents involving the loss or theft of sensitive but unclassified (SBU) data (i.e. taxpayer, PII) shall be reported to CSIRC, first-line manager, and Treasury Inspector General for Tax Administration (TIGTA). Based on the computer security incident type, CSIRC may further notify the Treasury Computer Security Incident Response Capability (TCSIRC) in accordance with TCSIRC procedures.
CONTACTING IRS CSIRC
Web Site http://www.csirc.web.irs.gov/incident/
Email [email protected]
Phone (202) 283-4809
Toll-Free (866) 216-4809, Fax (202) 283-0345
A. Proposal Delivery
Please submit your proposal electronically no later than 1:00 PM on to
Kathy Pham
Please identify your proposal with the BPA TIRNO-05-Z-00012,
TIRNO-05-Z-00013, TIRNO-05-Z-00014-00014 and the Task Request Number XXXX
B. Technical Proposal
The proposal shall indicate either agreement with or exception to the tasks and deliverables set forth in sections I and II and will be evaluated in accordance with Attachment 1, Section 7 of the BPA.
C. Cost Proposal
For each task, itemize the work to be accomplished, the contractor who will complete the work, the cost, and an estimated total for each contractor.
V. Evaluation Criteria
A. Technical Approach
The specific approach, methods, techniques, and human resource utilization to be used for sampling, administration, analysis, and reporting should be explained clearly and logically so it is apparent how the task will be accomplished. Assessment of the technical approach includes, but is not limited to the following elements:
Element #1: Technical Approach to Survey Method and Design
W&I will evaluate the clarity, detail, and innovativeness of the proposed survey method presented in the technical proposal. This includes the rationale, advantages and disadvantages, and expected response rates for all survey methods proposed.
Element #2: Methodology for Survey Administration
W&I will evaluate the clarity, detail, quality, and innovativeness of the survey administration presented in the technical proposal. This includes survey development and validation, development and application of sampling specifications, and survey procedures and administration.
Element # 3: Data Collection, Analysis, and Reporting
W&I will evaluate the clarity, detail, quality, and the innovativeness of the data collection, type(s) of analysis, and reporting presented in the technical proposal. The potential contractor must have knowledge of database creation and data collection methods to effectively capture and ensure the quality of sample survey results from the targeted population. This also includes using appropriate data analysis techniques.
Element # 4: Qualifications & Corporate Resources
W&I will evaluate the qualifications of the individuals working on the task based on the resumes provided, particularly the experience with designing and conducting surveys similar to that called for in the SOW. W&I will also evaluate the quality and capacity of the facilities to be used in testing the survey design and conducting the survey, including availability of adequate computer resources, ability to provide the appropriate safeguards and security of information, etc.
B. Cost
The Contractor will submit the cost of all work to be accomplished in this specific task for all proposed personnel in the labor mix and any Other Direct Cost (ODC). The Contractor shall submit a spreadsheet organized by task.
C. Relevant Experience and Past Performance
The Government will evaluate past performance using the information from the initial BPA, the contractor shall only submit additional information that was not evaluated in the initial BPA.
Point of Contact
Kathleen Holland
401 W. Peachtree Street NW
Stop 16-WI -Room 2031
Atlanta, GA 30308
404-338-8803
File Type | application/msword |
File Title | STATEMENT OF WORK |
Author | Ron Bradley |
Last Modified By | ysflb |
File Modified | 2007-06-29 |
File Created | 2007-06-29 |