Amendment by jennyyingdi


Amendment 0001

   1.    How do we formally acknowledge our desire to bid on this RFI?

         Submit a proposal in response to this Solicitation.

    2. How many employees are currently enrolled in the current credit monitoring

        Approximately, 24,000.

    3. Will the employees enrolled in the current solution be automatically enrolled in
the new “comprehensive” identity monitoring service as a replacement to their current


Employees must enroll in the identity monitoring to be covered, but all employees must be
covered (without having to enroll) in the identity restoration service.

 4. Will currently un-enrolled employees (if any are not enrolled) be
automatically enrolled in the new product?

See response to Question #3.

 5. Section B Requirements: This section does not include any specifications for credit
monitoring. For credit services, the scope only includes a requirement for providing
steps for employees to receive their free credit report. For pricing purposes, would you
like the bids to include credit report access and credit monitoring in addition to all of the
other services you identified in Section B?

All services requested by the FAA are specified in the Statement of Work. Please
read and respond to the Statement of Work. All services must be priced in accordance
with Section B.3 – Services to be Rendered and Prices.

 6. You state that the requirements for section B are the “minimum” requirements.
 We currently offer all of the “minimum” requirements plus several additional identity
monitoring features as part of our comprehensive monitoring solution. Since our
current product offering is much broader than the minimum requirements stated in
Section B, would you like us to propose a product that meets your minimum requirements
only or would you like us to provide our full comprehensive identity monitoring

All Services requested by the FAA are specified in the Statement of Work. Please
read and respond to the Statement of Work.

7. Is it possible to schedule a brief introductory call to review our product offerings prior
to the 3/1 submission date?


8. Is FAA willing to consider other certifications and training for employees
working on this contract? The employees that would work on this contract have
passed the exam to become Certified under the FCRA (as amended by FACTA),
which is provided by the Consumer Data Industry Association (CDIA). The CDIA
is the Association of Credit Reporting Agencies (CRA) and financial services
organizations that report to CRAs. The CDIA provides online study and a
workbook for the certification examination, conducted online. Annual re-
credentialing is required to maintain the certification status.

No. See the answer to question 9 below.

9. Would the FAA consider amending C.4.1 EMPLOYEE QUALIFICATIONS mandatory
requirement to include “Identity Theft Risk Management Specialist” certification
through ICFE (Institute of Consumer Financial Education) as an acceptable alternative
certification program?

Yes. The agency researched the two proposed alternate certifications – 1) Certified
Identity Theft Risk Management Specialist (CITRMS) and 2) Fair Credit
Reporting Act Certification (FCRAC). The Institute of Consumer Financial Education
Certified Identity Theft Risk Management Specialist qualification would be an acceptable
alternative to the Certified Fraud Examiner (CFE) in providing the level of support the
FAA will need when addressing breaches and deploying remediation and restoration
activities. A summary of our research can be found below:

The Certified Fraud Examiner (CFE) credential denotes proven expertise in fraud
prevention, detection, and deterrence. Members with the CFE credential are seen as
leaders in the global anti-fraud community.

1) Certified Identity Theft Risk Management Specialist (CITRMS)
The CITRMS certification program prepares and equips professionals (law enforcement
professionals, financial planners, CPA's, resolution advocates, notaries, lawyers, credit
and debt counselors) through education, testing and computer software training, with the
knowledge and skills necessary to help consumers and businesses fully assess and
minimize their present risk of credit and identity theft. These professionals understand
fraud and identity theft on a fundamental level, and know how to mitigate and remediate
these issues and assist victims. CITRMS utilizes a risk management approach in
addressing breach incidents by deploying identity theft risk mitigation efforts in addition
to credit monitoring, and uses resolution software and restoration tactics when dealing
with fraud/identity theft. In short, a vendor that possesses this capability or certification
alongside credit monitoring will be able to:
         Monitor financial activities/ changes to individuals’ credit report;
         Actively mitigate and manage the risk of identity theft before it occurs; and
         Provide victim assistance and identity restoration should theft/fraud occur

Furthermore, this certification is accepted by the CFP Board of Standards and Practices,
IARFC-Registered Financial Consultants, Association for Financial Counseling and Planning
Education and Information Systems Security Association. CITRMS are trained and tested
in the following areas:
    1. Understanding Identity Theft
    2. Credit Reports, Specialty Reports and Public Records
    3. Identity Theft Risk Management and Resolution
    4. Consumer Protection Law Summaries
    5. Identity Theft Risks and Issues for Businesses

2) Fair Credit Reporting Act Certification (FCRAC)

The FCRAC is administered by the Consumer Industry Data Association and appears to focus
on the Fair Credit Reporting Act itself rather than victim assistance and fraud. The FAA’s
primary objective is to procure a vendor that can provide (1) identity monitoring services,
and (2) fully managed identity restoration services, should fraud occur. The FCRAC is
only a subset of laws that make up the privacy regulatory environment. As a result, its
certification program only provides insight on a subset of requirements (i.e. credit
reporting) and does not address or instruct professionals (in our case vendors) how to
assist identity theft victims or restore the identity of victims.

According to the FCRAC, the main objective of its certification program is to teach
professionals about the Fair Credit Reporting Act and how it affects their job; professionals
will be able to “understand how credit grantors, consumers, and consumer reporting
agencies interact under the FCRA, and develop the knowledge and skills needed to
effectively comply with the FCRA.” Under the FCRAC program professionals are trained
and tested in the following areas:
    1. History of the Fair Credit Reporting Act
    2. Consumer Reports
    3. Disclosure
    4. Identity Theft
    5. Enforcement & Penalties

In short, if a vendor who only possesses a FCRAC is procured, the vendor will not be able
to assist employees and FAA affiliates (i.e. airmen, contractors etc.) that are victims of
identity theft as a result of a breach. Therefore, this certification will not be acceptable
for this procurement. A suitable vendor must have the ability to not only monitor breach
victims’ credit but also be able to provide hands-on assistance to breach victims whose
identity has been stolen. A suitable vendor must have the knowledge and capability for
rectifying associated damages made to a victim’s credit and restoring the individual’s pre-
theft credit report and financial identity.

10. Is ACFE certification required? We have resources which are CITRMS certified with
the Institute of Consumer Financial Education. Will that suffice?

See the answer to question 9 above.

11. B.1: Mentions that employees are "automatically enrolled and qualified for the
program". What exactly does this mean?

Please see the response to Question #3.

12. B.2.a: Are all of the unique identification points outlined
(name, address, DOB, SSN, DL, mother's maiden name) required under this solicitation?
Currently, we scan for up to 10 credit/debit card numbers as well as SSN.

All services requested by the FAA are specified in the Statement of Work. Please
read and respond to the Statement of Work.

13. B.2.b: Customer Service based in the US; Is this a requirement?

All requirements of the FAA are specified in the Statement of Work. Please read and
respond to the Statement of Work.

14. B.2.d: Employee Website Access: Is this website to be restricted to the employees
only or can a general educational identity theft page be displayed?

All requirements of the FAA are specified in the Statement of Work. Please read and
respond to the Statement of Work.

15. General: What is the timeline for employee adoption of the program? When is the
go-live requested date?

Each vendor must be able to provide these services upon award of the contract.

16. Requirements state "All employees . . . will be qualified to receive
the fully managed identity theft recovery program at any time during
the contract period." Usually, there is a stated enrollment period
ranging from 3-6 months.

Does FAA intend to allow qualified employees and past employees to
enroll anytime throughout the contract period?

17. Also, if a qualified FAA employee/past employee decides to not
participate in identity monitoring services, is FAA requesting a
separate price for offline/telephone fully managed services?


17. How does the FAA intend to make the 55,000 qualified employees,
both past and present, aware of the services to be provided by the
awarded vendor?

A broadcast message from the Administrator will be sent to all current employees
along with a “Focus FAA” article. New employees will be informed through the
entry process. Past employees, who are eligible, will be sent a letter.

18. Does FAA want the prices quoted based on the number of
members who actually activate the product or on the number of total
activation codes issued (total of 55,000/year)?

No. All pricing must be based on an estimated total of 55,000 employees.

19. Will FAA consider tiered pricing if the prices are based on the
number of activations per month within any given contract year?


20. Please clarify whether FAA employees (and qualified past
employees) who are already enrolled in the existing program (2009
FAA solution) will be transferred to/included in this solicitation's
contract coverage.

