Description

The Department of Health and Human Services intends to negotiate a Sole Source IDIQ contract with Insurance Services Office (ISO) located in Jersey City, NJ for the Administration of Children and Families (ACF)/Office of Child Support Enforcement (OCSE), for insurance data match services. The IDIQ will be for a five-year base period.

Purpose

The purpose of this Statement of Work is to perform all steps necessary to receive, from a single source, claim information from participating insurers (or their agents), that has been matched and determined to be payable to individuals owing past-due child support. OCSE will forward information on claims that are payable to individuals who are delinquent in their child support obligations to the participating state IV-D child support agency responsible for collecting the past due support.

As authorized by section 452(m) of the Social Security Act, this requirement is to compare information concerning individuals who owe past-due child support with information maintained by Insurance Services Office (ISO) in their ClaimSearch® database, as authorized by individual insurance companies, to identify claims, payments, settlements and/or awards. ISO will return matched data to OCSE and OCSE will return the matches to the State CSE agency responsible for collecting the past-due child support.

Background

The Deficit Reduction Act of 2005 amended section 452 of the Social Security Act by adding at the end subsection (m), which authorizes the Office of Child Support Enforcement (OCSE), through the Federal Parent Locator Service, to compare information concerning individuals owing past-due child support with information maintained by insurers (or their agents) concerning insurance claims, settlements, awards, and payments.
In addition, as amended, the Social Security Act provides that OCSE may furnish information resulting from the data matches to the State agencies responsible for collecting the past-due child support from the individuals. 42 U.S.C. § 652(m)(1)(B). The Social Security Act also confers nonliability on insurers. In pertinent part, the Social Security Act provides as follows:

    An insurer (including any agent of an insurer) shall not be liable under any Federal or State law to any person for any disclosure provided for under this subsection, or for any other action taken in good faith in accordance with this subsection. 42 U.S.C. 652(m)(2).

The OCSE Insurance Match Program is a tool to assist state IV-D agencies in their efforts to collect past-due child support. The goals of the information comparison and the legislation on which the comparison is based are as follows:

• Provide a centralized, standardized, and cost-effective method for identifying insurance claims that may be used by state IV-D child support programs to collect past-due child support;
• Minimize the burden on insurers (or their agents) and thereby increase their participation in the insurance match; and
• Increase the collection of past-due support owed to children receiving IV-D child support services.

1. SPECIFIC TASKS

Tasks include:

• ISO shall accept records from OCSE containing information about individuals who are delinquent in their child support obligations and compare that data with insurance claims, payments, settlements or awards, as authorized by insurance companies.
• ISO shall furnish matches containing insurance claim data concerning individuals delinquent in their child support obligation to OCSE.
• ISO shall furnish the matched insurance claim data to OCSE and provide daily match and weekly OCSE file processing reports via email, and otherwise take all necessary measures for the performance of the work set forth.
• ISO shall provide an electronic link from its customer viewable web site to the OCSE public website. OCSE will provide the correct URL upon award and notify ISO thirty days in advance of any required changes to the OCSE public website URL.
• ISO shall provide OCSE with an electronic list of ISO customers agreeing to participate in the OCSE match. The electronic list must clearly indicate new insurer participants or changes in participant status. The electronic list must clearly identify if a participating insurer has limited the state child support agencies that can receive match information. ISO must send the electronic list any time there is a change in the insurers participating in the OCSE insurance program match.
• ISO shall support promotion of the OCSE insurance match program in their marketing materials for their customers, including but not limited to brochures, newsletters or enrollment documentation. OCSE will provide input on the content of the OCSE related materials and must approve the wording of any materials issued referencing the OCSE insurance match program. ISO shall provide OCSE with a semi-annual update on the marketing efforts completed during the previous six-month period.
• ISO shall provide a monthly invoice that includes the number of matches sent to OCSE for the invoice period. OCSE will reconcile the match counts to their records and notify ISO if any adjustments are needed to the invoice.

SECURITY REQUIREMENTS

ISO shall ensure that administrative, technical, and physical security measures are in effect to safeguard the personal information contained in the input file furnished to ISO by OCSE and the personal information resulting from the match.
In compliance with the HHS Information Security Program Policy, the Computer Security Act of 1987, OMB directives, NIST guidance publications and guidance from OMB, the following minimum security controls are required:

The security requirements are presented in three categories: administrative security requirements; technical security requirements; and physical security requirements. For all purposes described in this Statement of Work, personnel described in the three categories are defined as employees or contractors of ISO.

A. ADMINISTRATIVE SECURITY REQUIREMENTS

1. ISO shall ensure that access to and disclosure of the OCSE file will be restricted to authorized personnel who need it to perform their official duties.
2. ISO shall establish and/or maintain ongoing management oversight and quality assurance capabilities to ensure that only authorized personnel have access to the OCSE file.
3. ISO shall ensure that all persons who will access the OCSE file are advised of the confidentiality of the results, the safeguards required to protect the data contained in the file, and the civil and criminal sanctions for non-compliance contained in the applicable Federal laws.
4. ISO shall ensure that non-disclosure oaths are signed by all personnel with authorized access to the OCSE file. The non-disclosure oath will outline the authorized purposes for the OCSE file and the civil and criminal penalties for unauthorized use. ISO will maintain a record of users with access to the file, including a copy of each individual's signed non-disclosure oath.
5. ISO shall have appropriate procedures in place in place corporate and/or law enforcement to the extent the disclosure does not compromise the (potential) investigation.

B. TECHNICAL SECURITY REQUIREMENTS

1. ISO shall use and maintain technological (logical) access controls that limit access to the OCSE file to only those users authorized for such access based on their official duties.
2. ISO shall ensure that the OCSE file will not be subject to browsing.
3. ISO shall ensure the transmission and storage of all OCSE data provided pursuant to this Statement of Work in a manner that safeguards the data and prohibits unauthorized access. All data transmitted between the ISO and OCSE shall be via Secure FTP.
4. ISO shall not copy or store OCSE data on mobile media (i.e. laptops, CD-ROMS, USB drives).
5. ISO shall limit remote access to OCSE data to only those personnel whose access is essential to accomplishing the purposes of this Statement of Work and that such access shall be allowed only via a secure and encrypted transmission link. If ISO is unable to provide two-factor authentication, ISO shall ensure strong authentication by implementing compensating controls, as specified below.
6. ISO shall restrict users by way of a multifactor authentication, using their computer as a form of identification by:
   • Requiring each user to answer a unique set of questions from their user profile. For new users, this will occur at the time of initial registration. For current users, this will occur at the time of their next regularly scheduled password rotation/change.
   • If the questions are correctly answered, an encrypted cookie or certificate will be placed on the user's machine. The cookie/certificate will have an expiration timeframe of 90 days.
   • The ClaimSearch® applications will check for the encrypted cookie/certificate tied to the user ID each time the user logs in.
   • If a user authenticates successfully and the encrypted cookie/certificate is valid, then the user will be logged in successfully.
   • The cookie/certificate expiration date will then be refreshed to 90 days.
   • If a valid cookie/certificate does not exist, a user will be required to go through the step outlined in the first bullet.
7. Within one working day after completing authorized use, ISO shall erase electronic records furnished to OCSE resulting from the comparison of OCSE records to information maintained by ISO for their customers participating in the OCSE insurance match program.
8. In the event of an incident involving the compromise of OCSE data, ISO shall have the capability to identify which records were compromised. For example, a fully automated audit trail system would provide such capability.

C. PHYSICAL SECURITY REQUIREMENTS

1. ISO shall ensure that all OCSE data provided pursuant to this Statement of Work will be stored in an area that is physically safe from access by unauthorized persons during duty hours as well as non-duty hours or when not in use.
2. ISO shall ensure that lists are maintained of persons authorized to access facilities and systems processing sensitive data. Access to facilities and systems is controlled wherever sensitive data is processed.
3. ISO shall ensure that reports containing OCSE data will be labeled as "Sensitive." These reports are to be kept in a locked container when not in use and never transported off ISO premises. When no longer needed, these reports are to be destroyed by burning or shredding.
4. ISO shall ensure that locks and other protective measures are used at access points to prevent unauthorized access to computer and support areas.

The statutory authority for other than full and open competition is 41 U.S.C. 3304(a)(1), in accordance with FAR Part 6.302-1, only one responsible source and no other supplies or services will satisfy agency requirements. Vendors interested in this acquisition must demonstrate in writing that they can meet the Government's requirement. Responses must include a written narrative statement of capability, including detailed technical information and other technical literature demonstrating the ability to satisfy the stated requirements.
The written statements of capability (no more than 20 pages in length) should be emailed to the Contract Specialist, Ginger Lease, at [email protected] and are due no later than 10:00 a.m. (ET) on June 8, 2018. Failure to submit adequate documentation will result in the Government proceeding with a sole source award to ISO. A determination by the Government not to open the requirement based upon responses to this notice is solely within the discretion of the Government. No solicitation document is available. The purpose of this announcement is to determine whether there may be other sources with the requisite qualifications to perform the work described above.

Primary Point of Contact:
Ginger R. Lease
Contract Specialist
Email: [email protected]
Phone: (301) 492-4645

Contracting Office Address:
7700 Wisconsin Ave., Mail Stop 10230B
Bethesda, Maryland 20857
United States
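
The device cookie check described in Technical Security Requirement 6, as an added example that is not part of the notice and is not ISO's or OCSE's code. It assumes an HMAC-signed token where the text says "encrypted cookie", and the names `issue_device_token`, `token_valid` and `login` are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets

TOKEN_LIFETIME = 90 * 24 * 3600        # 90 days, the expiry stated in item 6
SERVER_KEY = secrets.token_bytes(32)   # assumption: a server-side secret key

def _mac(payload):
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()

def issue_device_token(user_id, now):
    """Mint a token bound to user_id that expires 90 days after now."""
    payload = f"{user_id}|{now + TOKEN_LIFETIME}".encode()
    return base64.urlsafe_b64encode(payload + _mac(payload)).decode()

def token_valid(token, user_id, now):
    """True only if the MAC verifies, the user ID matches and it is unexpired."""
    if not token:
        return False
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        payload, mac = raw[:-32], raw[-32:]
        if not hmac.compare_digest(mac, _mac(payload)):
            return False                       # forged or altered token
        bound_user, expires = payload.decode().rsplit("|", 1)
        return bound_user == user_id and now < int(expires)
    except ValueError:                         # bad base64, bad UTF-8, bad integer
        return False

def login(user_id, password_ok, token, now, answers_ok=None):
    """Return (outcome, token_to_set); answers_ok is None if no challenge was tried."""
    if not password_ok:
        return "denied", None
    if token_valid(token, user_id, now):
        return "ok", issue_device_token(user_id, now)   # expiry refreshed to 90 days
    if answers_ok:
        return "ok", issue_device_token(user_id, now)   # questions answered: register device
    return "challenge_required", None                   # no valid token: back to the questions
```

The token is bound to the user ID inside the authenticated payload, so a token copied from one account's device does not satisfy the check for another account.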