VIEWS: 3 PAGES: 5 POSTED ON: 7/9/2012
Amendment 0001 To DTFAWA-10-R-00014 1. How do we formally acknowledge our desire to bid on this RFI? Submit a proposal in response to this Solicitation. 2. How many employees are currently enrolled in the current credit monitoring product? Approximately, 24,000. 3. Will the employees enrolled in the current solution be automatically enrolled in the new “comprehensive” identity monitoring service as a replacement to their current product? No. Employees must enroll in the identity monitoring to be covered, but all employees must be covered (without having to enroll) in the identity restoration service. 4. Will currently un-enrolled employees (if any are not enrolled) be automatically enrolled in the new product? See response to Question #3. 5. Section B Requirements: This section does not include any specifications for credit monitoring. For credit services, the scope only includes a requirement for providing steps for employees to receive their free credit report. For pricing purposes, would you like the bids to include credit report access and credit monitoring in addition to all of the other services you identified in Section B? All services requested by the FAA are specified in the Statement of Work. Please read and respond to the Statement of Work. All services must priced in accordance with Section B.3 – Services to be Rendered and Prices. 6. You state that the requirements for section B are the “minimum” requirements. We currently offer all of the “minimum” requirements plus several additional identity monitoring features as part of our comprehensive monitoring solution. Since our current product offering is much broader than the minimum requirements stated in Section B, would you like us propose a product that meets your minimum requirements only or would you like us to provide our full comprehensive identity monitoring solution? All Services requested by the FAA are specified in the Statement of Work. Please read and respond to the Statement of Work. 7. Is it possible to schedule a brief introductory call to review our product offerings prior to the 3/1 submission date? No. 8. Is FAA willing to consider other certifications and training for employees working on this contract? The employees that would work on this contract have passed the exam to become Certified under the FCRA (as amended by FACTA), which is provided by the Consumer Data Industry Association (CDIA). The CDIA is the Association of Credit Reporting Agencies (CRA) and financial services organizations that report to CRAs. The CDIA provides online study and a workbook for the certification examination, conducted online. Annual re- credentialing is required to maintain the certification status. No. See the answer to question 9 below. 9. Would the FAA consider amending C.4.1 EMPLOYEE QUALIFICATIONS mandatory requirement to include “Identity Theft Risk Management Specialist” certification through ICFE (Institute of Consumer Financial Education) as an acceptable alternative certification program? Yes. The agency researched the two proposed alternate certifications – 1) Certified Identity Theft Risk Management Specialist (CITRMS) and 2) Fair Credit Reporting Act Certification (FCRAC). The Institute of Consumer Financial Education Certified Identity Theft Risk Management Specialist qualification would be an acceptable alternative to the Certified Fraud Examiner (CFE) in providing the level of support the FAA will need when addressing breaches and deploying remediation and restoration activities. A summary of our research can be found below: ---------------------------------------------------------------------------------------------------- The Certified Fraud Examiner (CFE) credential denotes proven expertise in fraud prevention, detection, and deterrence. Members with the CFE credential are seen as leaders in the global anti-fraud community. 1) Certified Identity Theft Risk Management Specialist (CITRMS) The CITRMS certification program prepares and equips professionals (law enforcement professionals, financial planners, CPA's, resolution advocates, notaries, lawyers, credit and debt counselors) through education, testing and computer software training, with the knowledge and skills necessary to help consumers and businesses fully assess and minimize their present risk of credit and identity theft. These professionals understand fraud and identity theft on a fundamental level, and know how to mitigate and remediate these issues and assist victims. CITRMS utilizes a risk management approach in addressing breach incidents by deploying identity theft risk mitigation efforts in addition to credit monitoring, and uses resolution software and restoration tactics when dealing with fraud/identity theft. In short, a vendor that possesses this capability or certification alongside credit monitoring will be able to: Monitor financial activities/ changes to individuals’ credit report; Actively mitigate and manage the risk of identity theft before it occurs; and Provide victim assistance and identity restoration should theft/fraud occur Furthermore, this certification is accepted by the CFP Board of Standards and Practices, IARFC-Registered Financial Consultants, Association for Financial Counseling and Planning Education and Information Systems Security Association. CITRMS are trained and tested in the following areas: 1. Understanding Identity Theft 2. Credit Reports, Specialty Reports and Public Records 3. Identity Theft Risk Management and Resolution 4. Consumer Protection Law Summaries 5. Identity Theft Risks and Issues for Businesses 2) Fair Credit Reporting Act Certification (FCRAC) The FCRAC is administered by the Consumer Industry Data Association appears to focus on the Fair Credit Reporting Act itself rather than victim assistance and fraud. The FAA’s primary objective is to procure a vendor that can provide (1) identity monitoring services, and (2) fully managed identity restoration services, should fraud occur. The FCRAC is only a subset of laws that make up the privacy regulatory environment. As a result its certification program only provide insight on a subset of requirements (i.e. credit reporting) and does not address or instruct professionals (in our case vendors) how to assist identify theft victims or restore the identity of victims. According to the FCRAC, the main objective of its certification program is to teach professionals about the Fair Credit Reporting Act and how it affects their job; professional will be able to “understand how credit grantors, consumers, and consumer reporting agencies interact under the FCRA, and develop the knowledge and skills needed to effectively comply with the FCRA.” Under the FCRAC program professionals are trained and tested in the following areas: 1. History of the Fair Credit Reporting Act 2. Consumer Reports 3. Disclosure 4. Identity Theft 5. Enforcement & Penalties In short, if a vendor who only possesses a FCRAC is procured, the vendor will not be able to assist employees and FAA affiliates (i.e. airmen, contractors etc.) that are victims of identity theft as a result of a breach. Therefore, this certification will not be acceptable for this procurement. A suitable vendor must have the ability to not only monitor breach victims’ credit but also be able to provide hands on assistance to breach victims whose identity has been stolen. A suitable vendor must have the knowledge and capability for rectifying associated damages made to a victim’s credit and restoring the individual’s pre- theft credit report and financial identity. 10. Is ACFE certification required? We have resources which are CITRMS certified with the Institute of Consumer Financial Education. Will that suffice? See the answer to question 9 above. 11. B.1: Mentions that employees are "automatically enrolled and qualified for the program". What exactly does this mean? Please see the response to Question #3. 12. B.2.a: Are all of the unique identification points outlined (name,address,DOB,SSN,DL,mothers' maiden name) required under this solicitation? Currently, we scan for up to 10 credit/debit card number as well as SSN. All services requested by the FAA are specified in the Statement of Work. Please read and respond to the Statement of Work. 13. B.2.b: Customer Service based in the US; Is this a requirement? All requirements of the FAA are specified in the Statement of Work. Please read and respond to the Statement of Work. 14. B.2.d: Employee Website Access: Is this website to be restricted to the employees only or can a general educational identity theft page be displayed? All requirements of the FAA are specified in the Statement of Work. Please read and respond to the Statement of Work. 15. General: What is the timeline for employee adoption of the program? When is the go-live requested date? Each vendor must be able to provide these services upon award of the contract. 16. Requirements state "All employees . . . will be qualified to receive the fully managed identity theft recovery program at any time during the contract period." Usually, there is a stated enrollment period ranging from 3-6 months. Does FAA intend to allow qualified employees and past employees to enroll anytime throughout the contract period? Yes. 17. Also, if a qualified FAA employee/past employee decides to not participate in identity monitoring services, is FAA requesting a separate price for offline/telephone fully managed services? No. 17. How does the FAA intend to make the 55,000 qualified employees, both past and present, aware of the services to be provided by the awarded vendor? A broadcast message from the Administrator will be sent to all current employees along with a “Focus FAA” article. New employees will be informed through the entry process. Past employees, who are eligible, will be sent a letter. 18. Does FAA want the prices quoted based on the number of members who actually activate the product or on the number of total activation codes issued (total of 55,000/year)? No. All pricing must be based on an estimated total of 55,000 employees. 19. Will FAA consider tiered pricing if the prices are based on the number of activations per month within any given contract year? No. 20. Please clarify whether FAA employees (and qualified past employees) who are already enrolled in the existing program (2009 FAA solution) will be transferred to/included in this solicitation's contract coverage. No.