Court Document Retrieval
Click for official SAM (FBO) notice, additional information, and accompanying attachments
PLEASE READ THIS ENTIRE NOTICE CAREFULLY AS IT CONSTITUTES THE ONLY NOTICE THAT WILL BE ISSUED. The Department of Justice (DOJ), Criminal Division, is issuing a combined synopsis/solicitation under solicitation number 15JCRM-21-PR-0456 for thepurchaseof Court Document Retrieval Service. This is a combined synopsis/solicitation for commercial items prepared in accordance with the format in FAR Subpart 12.6, using the procedures of FAR Part 13, and supplemented with additional information included in this notice. This announcement constitutes the only solicitation; quotes are being requested. This solicitation document and incorporated provisions and clauses are those in effect through Federal Acquisition Circular 2005-88, the North American Industry Classification System (NAICS) is 519120 with a business size standard of 27.5 million dollars.The Government intends to establish asingle base year award, time and materials pricecontract. Requirement Description: The Office of International Affairs (OIA) serves as the "Central Authority" for the United Stateswith respect toallrequests for information and evidence received from foreign authoritiesunder Mutual Legal Assistance Treaties (MLATs), letters of request, and multilateral conventions in criminal investigations and/or prosecutions. In this capacity, OIA personnel uphold U.S. treaty obligations by, among other things, purchasing public records on behalf of foreign authorities directly from state agencies using the government purchase card approval process. As a recurring, operational requirement, OIA must locate, order, and purchase plain and/or certified public records. The custodians of these records are located nationwide and often include, but are not limited to, federal or state courts, state governments (e.g. divisions of corporations, departments of health, etc.), county clerks offices, and other third-party vendors. LOCATION OF PERFORMANCE Nationwide (CONUS & OCONUS) ANTICIPATED PERIOD OF PERFORMANCE The anticipated period of performance is 07/01/2021 06/30/2022. SCOPE OF REQUIREMENTS The requested service begins when the service provider receives a request from an OIA employee for records from a public or private records custodian in a specific format. The requested service will be considered complete once OIA receives all plain and/or certified copies in physical or digital format, as specified in the original request. OIAs specific requirements are as follows: The service provider shall conduct all research required to determine what records are available in response to the request submitted by the OIA employee. The service provider shall communicate the findings of the research, to include any results related or associated with the original requested search, to the OIA employee. The service provider shall seek confirmation or input from the OIA employee regarding whether to proceed with obtaining the available records; The service provider shall procure records from the public or private records custodian by whatever means deemed appropriate and efficient. The service provider shall abide by any and all procedural instructions provided by the OIA employee, including, but not limited to, country certification requirements and deadlines. The service provider shall deliver all requested records to the OIA employee directly via mail or email, as specified by the OIA employee. OIA shall review the requested records provided and advise the service provider if the records are complete and meet the requested certification requirements. If the documents are incomplete and/or do not meet the requested certification requirements, the OIA employee will notify the service provider via email and provide any further procedural instructions needed to correct the deficiencies. The service provider will provide a point of contact or a digital mechanism through which OIA employees can track their requests. DELIVERABLES Document Retrieval Contingency Research Hours Copy Fee Delivery Fee Disbursement Fee Monthly Report (send report to TBD) PROPRIETARY RIGHTS All proprietary rights with respect to the information, data and materials produced by the contractor in connection with this contract shall vest in the Government. Such information and materials include: reports, databases, plans, designs, procedures, recommendations and any other such physical or intellectual property. The contractor shall not publish or otherwise publicly provide any of the above without written approval by the contracting officer. This provision shall be placed into any subcontracts supporting this effort when a subcontract is entered into by the prime contractor and a subcontractor. Shipping Requirement All deliveries under this order shall be FOB Destination. Delivery Requirement United States Department of Justice 1400 New York Avenue Washington, DC 20530 Attn: TBD InvoicingRequirement: All invoices shall be submitted electronically toTo Be Determined. Invoices will be handled in accordance with the Prompt Payment Act and Far Clause 52.232-25. Contractors shall assign an identification number to each invoice. The contractor shall certify with a signed and dated statement that the invoice is correct and proper for payment. Small Business status shall be self-certified on each invoice. Vendors must be registered in SAM, effective July 29, 2012 to receive government contracts. The DOJ uses a financial system that has a direct interface with SAM. Please ensure that your companys SAM information is updated and accurate. This includes TIN, EFT, DUNS, addresses and contact information. The EFT banking information on file in SAM will be what the DOJ uses to process payment to your organization. Eachinvoice shallincludethe following information: (1) Name of vendor; (2) Invoice date; (3) Government contract number, or authorization for delivery of goods or services; (4) Vendor invoice number, account number, and/or any other identifying number agreed to by the contract; (5) Description (including, for example, contract line/sub line number), price, and quantity of goods and services rendered; (6) Taxpayer Identification Number (TIN); (7) Banking information necessary to facilitate an electronic funds transfer (EFT) payment; (8) Contact name (where practicable), title and telephone number; Termsand Conditions: The selected offeror must comply with the following commercial item terms and conditions, which are incorporated herein by reference: FAR REFERENCE DESCRIPTION 52.212-1 Instruction to Offerors-Commercial Items(JAN 2017): 52.212-2 Evaluation Commercial Item (OCT 2014) 52.212-3 Offeror Representations and Certifications-Commercial Items(NOV 2017). 52.212-4 Contract Terms and Conditions-Commercial Items(JAN 2017); 52.212-5 Contract Terms and Conditions Required to Implement Statutes or Executive Orders-Commercial Items(JUL 2018). 52.204-7 System for Award Management(Oct 2018) 52.204-13 System for Award Management Maintenance(Oct 2018) 52.232-20 Limitation of Cost (Apr 1984) 52.239-1 Privacy or Security Safeguards (Aug 1996) 52.204-25 Prohibition on Contracting for Certain Telecommunications and Video Surveillance Services or Equipment (Aug 2020) 52.244-6 Subcontracts for Commercial Items (Nov 2020) 52.217-8 Option to Extend Services (Nov 1999) 52.204-23 Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab and Other Covered Entities (Jul 2018) 52.204-26 Covered Telecommunications Equipment or Services-Representation (Oct2020) 52.232-7 Payments under Time-and-Materials and Labor Hour Contracts (Aug 2012) The full text of the referenced FAR clauses may be accessed electronically at: https://www.acquisition.gov/far/. Clauses by full text: DJAR-PGD-07-12 Maintaining Contractor Performance During a Pandemic or Other Emergency Continuing Contract Performance During a Pandemic Influenza or other National Emergency During a Pandemic or other emergency we understand that our contractor workforce will experience the same high levels of absenteeism as our federal employees. Although the Excusable Delays and Termination for Default clauses used in government contracts list epidemics and quarantine restrictions among the reasons to excuse delays in contract performance, we expect our contractors to make a reasonable effort to keep performance at an acceptable level during emergency periods. The Office of Personnel Management (OPM) has provided guidance to federal managers and employees on the kinds of actions to be taken to ensure the continuity of operations during emergency periods. This guidance is also applicable to our contract workforce. Contractors are expected to have reasonable policies in place for continuing work performance, particularly those performing mission critical services, during a pandemic influenza or other emergency situation. The types of actions a federal contractor should reasonably take to help ensure performance are: Encourage employees to get inoculations or follow other preventive measures as advised by the public health service. Contractors should cross-train workers as backup for all positions performing critical services. This is particularly important for work such as guard services where telework is not an option. Implement telework to the greatest extent possible in the workgroup so systems are in place to support successful remote work in an emergency. Communicate expectations to all employees regarding their roles and responsibilities in relation to remote work in the event of a pandemic health crisis or other emergency. Establish communication processes to notify employees of activation of this plan. Integrate pandemic health crisis response expectations into telework agreements. With the employee, assess requirements for working at home (supplies and equipment needed for an extended telework period). Security concerns should be considered in making equipment choices; agencies or contractors may wish to avoid use of employees' personal computers and provide them with PCs or laptops as appropriate. Determine how all employees who may telework will communicate with one another and with management to accomplish work. Practice telework regularly to ensure effectiveness. Make it clear that in emergency situations, employees must perform all duties assigned by management, even if they are outside usual or customary duties. Identify how time and attendance will be maintained. It is the contractor's responsibility to advise the government contracting officer if they anticipate not being able to perform and to work with the Department to fill gaps as necessary. This means direct communication with the contracting officer or in his/her absence, another responsible person in the contracting office via telephone or email messages acknowledging the contractors notification. The incumbent contractor is responsible for assisting the Department in estimating the adverse impacts of nonperformance and to work diligently with the Department to develop a strategy for maintaining the continuity of operations. DJAR-PGD-15-03 Security of Department Information and Systems I. Applicability to Contractors and Subcontractors This clause applies to all contractors and subcontractors, including cloud service providers (CSPs), and personnel of contractors, subcontractors, and CSPs (hereinafter collectively, Contractor) that may access, collect, store, process, maintain, use, share, retrieve, disseminate, transmit, or dispose of DOJ Information. It establishes and implements specific DOJ requirements applicable to this Contract. The requirements established herein are in addition to those required by the Federal Acquisition Regulation (FAR), including FAR 11.002(g) and 52.239-1, the Privacy Act of 1974, and any other applicable laws, mandates, Procurement Guidance Documents, and Executive Orders pertaining to the development and operation of Information Systems and the protection of Government Information. This clause does not alter or diminish any existing rights, obligation or liability under any other civil and/or criminal law, rule, regulation or mandate. II. General Definitions The following general definitions apply to this clause. Specific definitions also apply as set forth in other paragraphs. A. Information means any communication or representation of knowledge such as facts, data, or opinions, in any form or medium, including textual, numerical, graphic, cartographic, narrative, or audiovisual. Information includes information in an electronic format that allows it be stored, retrieved or transmitted, also referred to as data, and personally identifiable information (PII), regardless of form. B. Personally Identifiable Information (or PII) means any information about an individual maintained by an agency, including, but not limited to, information related to education, financial transactions, medical history, and criminal or employment history and information, which can be used to distinguish or trace an individual's identity, such as his or her name, social security number, date and place of birth, mother's maiden name, biometric records, etc., including any other personal information which is linked or linkable to an individual. C. DOJ Information means any Information that is owned, produced, controlled, protected by, or otherwise within the custody or responsibility of the DOJ, including, without limitation, Information related to DOJ programs or personnel. It includes, without limitation, Information (1) provided by or generated for the DOJ, (2) managed or acquired by Contractor for the DOJ in connection with the performance of the contract, and/or (3) acquired in order to perform the contract. D. Information System means any resources, or set of resources organized for accessing, collecting, storing, processing, maintaining, using, sharing, retrieving, disseminating, transmitting, or disposing of (hereinafter collectively, processing, storing, or transmitting) Information. E. Covered Information System means any information system used for, involved with, or allowing, the processing, storing, or transmitting of DOJ Information. III. Confidentiality and Non-disclosure of DOJ Information A. Preliminary and final deliverables and all associated working papers and material generated by Contractor containing DOJ Information are the property of the U.S. Government and must be submitted to the Contracting Officer (CO) or the COs Representative (COR) at the conclusion of the contract. The U.S. Government has unlimited data rights to all such deliverables and associated working papers and materials in accordance with FAR 52.227-14. B. All documents produced in the performance of this contract containing DOJ Information are the property of the U.S. Government and Contractor shall neither reproduce nor release to any third-party at any time, including during or at expiration or termination of the contract without the prior written permission of the CO. C. Any DOJ information made available to Contractor under this contract shall be used only for the purpose of performance of this contract and shall not be divulged or made known in any manner to any persons except as may be necessary in the performance of this contract. In performance of this contract, Contractor assumes responsibility for the protection of the confidentiality of any and all DOJ Information processed, stored, or transmitted by the Contractor. When requested by the CO (typically no more than annually), Contractor shall provide a report to the CO identifying, to the best of Contractors knowledge and belief, the type, amount, and level of sensitivity of the DOJ Information processed, stored, or transmitted under the Contract, including an estimate of the number of individuals for whom PII has been processed, stored or transmitted under the Contract and whether such information includes social security numbers (in whole or in part). IV. Compliance with Information Technology Security Policies, Procedures and Requirements A. For all Covered Information Systems, Contractor shall comply with all security requirements, including but not limited to the regulations and guidance found in the Federal Information Security Management Act of 2014 (FISMA), Privacy Act of 1974, EGovernment Act of 2002, National Institute of Standards and Technology (NIST) Special Publications (SP), including NIST SP 800-37, 800-53, and 800-60 Volumes I and II, Federal Information Processing Standards (FIPS) Publications 140-2, 199, and 200, OMB Memoranda, Federal Risk and Authorization Management Program (FedRAMP), DOJ IT Security Standards, including DOJ Order 2640.2, as amended. These requirements include but are not limited to: 1. Limiting access to DOJ Information and Covered Information Systems to authorized users and to transactions and functions that authorized users are permitted to exercise; 2. Providing security awareness training including, but not limited to, recognizing and reporting potential indicators of insider threats to users and managers of DOJ Information and Covered Information Systems; 3. Creating, protecting, and retaining Covered Information System audit records, reports, and supporting documentation to enable reviewing, monitoring, analysis, investigation, reconstruction, and reporting of unlawful, unauthorized, or inappropriate activity related to such Covered Information Systems and/or DOJ Information; 4. Maintaining authorizations to operate any Covered Information System; 5. Performing continuous monitoring on all Covered Information Systems; 6. Establishing and maintaining baseline configurations and inventories of Covered Information Systems, including hardware, software, firmware, and documentation, throughout the Information System Development Lifecycle, and establishing and enforcing security configuration settings for IT products employed in Information Systems; 7. Ensuring appropriate contingency planning has been performed, including DOJ Information and Covered Information System backups; 8. Identifying Covered Information System users, processes acting on behalf of users, or devices, and authenticating and verifying the identities of such users, processes, or devices, using multifactor authentication or HSPD-12 compliant authentication methods where required; 9. Establishing an operational incident handling capability for Covered Information Systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities, and tracking, documenting, and reporting incidents to appropriate officials and authorities within Contractors organization and the DOJ; 10. Performing periodic and timely maintenance on Covered Information Systems, and providing effective controls on tools, techniques, mechanisms, and personnel used to conduct such maintenance; 12. Protecting Covered Information System media containing DOJ Information, including paper, digital and electronic media; limiting access to DOJ Information to authorized users; and sanitizing or destroying Covered Information System media containing DOJ Information before disposal, release or reuse of such media; 13. Limiting physical access to Covered Information Systems, equipment, and physical facilities housing such Covered Information Systems to authorized U.S. citizens unless a waiver has been granted by the Contracting Officer (CO), and protecting the physical facilities and support infrastructure for such Information Systems; 14. Screening individuals prior to authorizing access to Covered Information Systems to ensure compliance with DOJ Security standards; 15. Assessing the risk to DOJ Information in Covered Information Systems periodically, including scanning for vulnerabilities and remediating such vulnerabilities in accordance with DOJ policy and ensuring the timely removal of assets no longer supported by the Contractor; 16. Assessing the security controls of Covered Information Systems periodically to determine if the controls are effective in their application, developing and implementing plans of action designed to correct deficiencies and eliminate or reduce vulnerabilities in such Information Systems, and monitoring security controls on an ongoing basis to ensure the continued effectiveness of the controls; 17. Monitoring, controlling, and protecting information transmitted or received by Covered Information Systems at the external boundaries and key internal boundaries of such Information Systems, and employing architectural designs, software development techniques, and systems engineering principles that promote effective security; and 18. Identifying, reporting, and correcting Covered Information System security flaws in a timely manner, providing protection from malicious code at appropriate locations, monitoring security alerts and advisories and taking appropriate action in response. B. Contractor shall not process, store, or transmit DOJ Information using a Covered Information System without first obtaining an Authority to Operate (ATO) for each Covered Information System. The ATO shall be signed by the Authorizing Official for the DOJ component responsible for maintaining the security, confidentiality, integrity, and availability of the DOJ Information under this contract. The DOJ standards and requirements for obtaining an ATO may be found at DOJ Order 2640.2, as amended. (For Cloud Computing Systems, see Section V, below.) C. Contractor shall ensure that no Non-U.S. citizen accesses or assists in the development, operation, management, or maintenance of any DOJ Information System, unless a waiver has been granted by the by the DOJ Component Head (or his or her designee) responsible for the DOJ Information System, the DOJ Chief Information Officer, and the DOJ Security Officer. D. When requested by the DOJ CO or COR, or other DOJ official as described below, in connection with DOJs efforts to ensure compliance with security requirements and to maintain and safeguard against threats and hazards to the security, confidentiality, integrity, and availability of DOJ Information, Contractor shall provide DOJ, including the Office of Inspector General (OIG) and Federal law enforcement components, (1) access to any and all information and records, including electronic information, regarding a Covered Information System, and (2) physical access to Contractors facilities, installations, systems, operations, documents, records, and databases. Such access may include independent validation testing of controls, system penetration testing, and FISMA data reviews by DOJ or agents acting on behalf of DOJ, and such access shall be provided within 72 hours of the request. Additionally, Contractor shall cooperate with DOJs efforts to ensure, maintain, and safeguard the security, confidentiality, integrity, and availability of DOJ Information. E. The use of Contractor-owned laptops or other portable digital or electronic media to process or store DOJ Information covered by this clause is prohibited until Contractor provides a letter to the DOJ CO, and obtains the COs approval, certifyingcompliance with the following requirements: 1. Media must be encrypted using a NIST FIPS 140-2 approved product; 2. Contractor must develop and implement a process to ensure that security and other applications software is kept up-to-date; 3. Where applicable, media must utilize antivirus software and a host-based firewall mechanism; 4. Contractor must log all computer-readable data extracts from databases holding DOJ Information and verify that each extract including such data has been erased within 90 days of extraction or that its use is still required. All DOJ Information issensitive information unless specifically designated as non-sensitive by the DOJ; and, 5. A Rules of Behavior (ROB) form must be signed by users. These rules must address, at a minimum, authorized and official use, prohibition against unauthorized users and use, and the protection of DOJ Information. The form also must notify the user that he or she has no reasonable expectation of privacy regarding any communications transmitted through or data stored on Contractor-owned laptops or other portable digital or electronic media. F. Contractor-owned removable media containing DOJ Information shall not be removed from DOJ facilities without prior approval of the DOJ CO or COR. G. When no longer needed, all media must be processed (sanitized, degaussed, or destroyed) in accordance with DOJ security requirements. H. Contractor must keep an accurate inventory of digital or electronic media used in the performance of DOJ contracts. I. Contractor must remove all DOJ Information from Contractor media and return all such information to the DOJ within 15 days of the expiration or termination of the contract, unless otherwise extended by the CO, or waived (in part or whole) by the CO, and all such information shall be returned to the DOJ in a format and form acceptable to the DOJ. The removal and return of all DOJ Information must be accomplished in accordance with DOJ IT Security Standard requirements, and an official of the Contractor shall provide a written certification certifying the removal and return of all such information to the CO within 15 days of the removal and return of all DOJ Information. J. DOJ, at its discretion, may suspend Contractors access to any DOJ Information, or terminate the contract, when DOJ suspects that Contractor has failed to comply with any security requirement, or in the event of an Information System Security Incident (see Section V.E. below), where the Department determines that either event gives cause for such action. The suspension of access to DOJ Information may last until such time as DOJ, in its sole discretion, determines that the situation giving rise to such action has been corrected or no longer exists. Contractor understands that any suspension or termination in accordance with this provision shall be at no cost to the DOJ, and that upon request by the CO, Contractor must immediately return all DOJ Information to DOJ, as well as any media upon which DOJ Information resides, at Contractors expense. V. Cloud Computing A. Cloud Computing means an Information System having the essential characteristics described in NIST SP 800-145, The NIST Definition of Cloud Computing. For the sake of this provision and clause, Cloud Computing includes Software as a Service, Platform as a Service, and Infrastructure as a Service, and deployment in a Private Cloud, Community Cloud, Public Cloud, or Hybrid Cloud. B. Contractor may not utilize the Cloud system of any CSP unless: 1. The Cloud system and CSP have been evaluated and approved by a 3PAO certified under FedRAMP and Contractor has provided the most current Security Assessment Report (SAR) to the DOJ CO for consideration as part of Contractors overall System Security Plan, and any subsequent SARs within 30 days of issuance, and has received an ATO from the Authorizing Official for the DOJ component responsible for maintaining the security confidentiality, integrity, and availability of the DOJ Information under contract; or, 2. If not certified under FedRAMP, the Cloud System and CSP have received an ATO signed by the Authorizing Official for the DOJ component responsible for maintaining the security, confidentiality, integrity, and availability of the DOJ Information under the contract. C. Contractor must ensure that the CSP allows DOJ to access and retrieve any DOJ Information processed, stored or transmitted in a Cloud system under this Contract within a reasonable time of any such request, but in no event less than 48 hours from the request. To ensure that the DOJ can fully and appropriately search and retrieve DOJ Information from the Cloud system, access shall include any schemas, meta-data, and other associated data artifacts. VI. Information System Security Breach or Incident A. Definitions 1. Confirmed Security Breach (hereinafter, Confirmed Breach) means any confirmed unauthorized exposure, loss of control, compromise, exfiltration, manipulation, disclosure, acquisition, or accessing of any Covered Information System or any DOJ Information accessed by, retrievable from, processed by, stored on, or transmitted within, to or from any such system. 2. Potential Security Breach (hereinafter, Potential Breach) means any suspected, but unconfirmed, Covered Information System Security Breach. 3. Security Incident means any Confirmed or Potential Covered Information System Security Breach. B. Confirmed Breach. Contractor shall immediately (and in no event later than within 1 hour of discovery) report any Confirmed Breach to the DOJ CO and the CO's Representative (COR). If the Confirmed Breach occurs outside of regular business hours and/or neither the DOJ CO nor the COR can be reached, Contractor must call DOJ-CERT at 1-866-US4-CERT (1-866-874-2378) immediately (and in no event later than within 1 hour of discovery of the Confirmed Breach), and shall notify the CO and COR as soon as practicable. C. Potential Breach. 1. Contractor shall report any Potential Breach within 72 hours of detection to the DOJ CO and the COR, unless Contractor has (a) completed its investigation of the Potential Breach in accordance with its own internal policies and procedures for identification, investigation and mitigation of Security Incidents and (b) determined that there has been no Confirmed Breach. 2. If Contractor has not made a determination within 72 hours of detection of the Potential Breach whether an Confirmed Breach has occurred, Contractor shall report the Potential Breach to the DOJ CO and COR within one-hour (i.e., 73 hours from detection of the Potential Breach). If the time by which to report the Potential Breach occurs outside of regular business hours and/or neither the DOJ CO nor the COR can be reached, Contractor must call the DOJ Computer Emergency Readiness Team (DOJ-CERT) at 1-866-US4-CERT (1-866-874-2378) within one-hour (i.e., 73 hours from detection of the Potential Breach) and contact the DOJ CO and COR as soon as practicable. D. Any report submitted in accordance with paragraphs (B) and (C), above, shall identify (1) both the Information Systems and DOJ Information involved or at risk, including the type, amount, and level of sensitivity of the DOJ Information and, if the DOJ Information contains PII, the estimated number of unique instances of PII, (2) all steps and processes being undertaken by Contractor to minimize, remedy, and/or investigate the Security Incident, (3) any and all other information as required by the USCERT Federal Incident Notification Guidelines, including the functional impact, information impact, impact to recoverability, threat vector, mitigation details, and all available incident details; and (4) any other information specifically requested by the DOJ. Contractor shall continue to provide written updates to the DOJ CO regarding the status of the Security Incident at least every three (3) calendar days until informed otherwise by the DOJ CO. E. All determinations regarding whether and when to notify individuals and/or federal agencies potentially affected by a Security Incident will be made by DOJ senior officials or the DOJ Core Management Team at DOJs discretion. F. Upon notification of a Security Incident in accordance with this section, Contractor must provide to DOJ full access to any affected or potentially affected facility and/or Information System, including access by the DOJ OIG and Federal law enforcement organizations, and undertake any and all response actions DOJ determines are required to ensure the protection of DOJ Information, including providing all requested images, log files, and event information to faci...