The SCTOD contract includes a Statement of Work with 15 tasks, which are further categorized into specific deliverables to be submitted to HRSA. Tasks and deliverables are included / updated with each five-year contract renewal, and some may already be complete in fulfillment of the current contract. The following tasks and deliverables are associated with the contract:
Task 1: Meet with the Contracting Officer’s Representative (COR).
Meet with the COR and HRSA’s security team within the Office of Information Technology to review the requirements and schedule for the contract. There is frequent communication with HRSA CORs including:
Quarterly COR meetings including management from HRSA, the National Institutes of Health, the CIBMTR, and other Program contractors;
Monthly meetings with HRSA CORs, the SCTOD Project Director and Program Manager;
Teleconferences as needed with the Primary COR and Program Manager.
Deliverables for this task are to submit:
A final, refined deliverable schedule within 14 days of initial HRSA meeting;
Draft minutes from quarterly COR meetings within two weeks;
Final minutes from quarterly COR meetings within one week of receiving HRSA comments.
Task 2: Establish and Maintain a Board of Directors and Committees.
The CIBMTR Advisory Committee (Chapter 2) serves as Board of Directors for the SCTOD. CIBMTR Working Committees (Chapter 6) develop and execute studies. Deliverables for this task are to submit:
Written procedures and an annual certification for handling conflicts of interest for Board members;
Written policies, standards, and membership criteria for committees, updated as needed;
A committee report, updated annually.
Task 3: Collect Stem Cell Therapeutic Outcomes Data.
The SCTOD requires collection and receipt of outcomes data for all recipients of allogeneic (related and unrelated) transplants from transplant centers and other appropriate parties. This includes procedures performed in the US and procedures outside the US that involve products from the US. Deliverables for this task are to submit:
A schedule and implementation plan for the electronic system for collecting outcomes data;
CIBMTR Manual of Operations Chapter 10: SCTOD
Data collection, form, and report clearances, including Office of Management and Budget approval as needed;
An assessment of the SCTOD in meeting the needs of transplant centers and cord blood banks and for providing additional services, updated annually;
Agreements with other database contractors to maintain data, as needed.
Task 4: Disseminate Data.
Research data and relevant published material are provided to the public via the Program website (http://bloodcell.transplant.hrsa.gov) and the NMDP/Be The Match website (bethematch.org). The Program website is managed by the Office of Patient Advocacy / Single Point of Access component of the Program (operated by the NMDP/Be The Match Patient and Health Professional Services Department). This website includes survival and center volume reports and information about the uses and outcomes of HCT, using data reported to the CIBMTR by participating transplant programs worldwide. This information is useful for understanding trends in the use of HCT according to diseases treated, donor type, graft sources, patient age, and transplant regimes. Website content is reviewed annually by the Program Website Working Group to ensure that it is both accurate and understandable to a lay audience. The Transplant Center Directory, which includes results from the annual center-specific analysis, is published on the NMDP/Be The Match website. This task also requires the CIBMTR to provide domestic umbilical cord blood banks with reports on the characteristics of their products upon receipt and thaw at the transplant centers, adverse events associated with the infusion of products, engraftment, and overall patient survival. Deliverables for this task are to submit:
Plans for making data available to the public;
A quarterly Database download.
Task 5: Maintain Privacy and Confidentiality Policies.
The CIBMTR maintains policies, procedures, and safeguards to protect the confidentiality of donors and patients, according to federal laws and provisions. See Chapter 12 for more information.
Task 6: Establish a Quality Control Program for Database Functions.
The CIBMTR ensures that data collection and management procedures are adequate for quality control and analysis and also maximize participation and compliance of transplant centers and umbilical cord blood banks. Deliverables for this task are to submit:
An annual assessment of and plan to address gaps in data;
An annual assessment of cord blood bank quarterly outcomes data reports against bank needs.
Task 7: Conduct Research and Analyze Data.
The CIBMTR ensures that research conducted or sponsored by the SCTOD results in peer-reviewed published articles whenever possible and follows the guidelines established in the contract. Deliverables for this task are to submit:
An implementation plan and report on activities for research repository(ies), updated annually.
The Research Sample Repository collects, processes, and stores pre-HCT blood pair samples for DNA-based analyses. It contains biospecimens from unrelated pairs of adult donors and recipients of NMDP/Be The Match-facilitated transplants; NMDP/Be The Match-facilitated cord blood transplants; and related donor-recipient samples. The Repository provides research samples to link with clinical data for use in studies approved through the CIBMTR Research Programs. The SCTOD requires maintenance of the Related Donor-Recipient Repository.
Chapters 5, 6, 7 and 13 provide further details about how the CIBMTR conducts its research, including how it receives requests to use its data, how it responds to these requests, and how data are analyzed and by whom.
Task 8: Prepare Special Studies and Reports.
The CIBMTR prepares several reports in fulfillment of SCTOD obligations. Specific initiatives are discussed below. Deliverables for this task are to submit the following reports:
Data collection approaches for quality-of-life data and other therapeutic applications;
Comparisons of treatment options;
Draft and final National Cord Blood Inventory and adult donor registry models including the de-identified dataset(s) used to conduct the analyses;
Approach and methodology for conducting center-specific survival analyses, updated annually;
Draft and final transplant center-specific survival rates including the de-identified dataset(s) used to conduct the analysis, updated annually;
Proposed outline, draft, and final annual statistical report.
Task 9: Participate in Working Groups and Collaborations.
The CIBMTR participates in the following collaborative working groups and forums as requested:
Transition Working Group (led by HRSA);
Website Working Group (led by the NMDP/Be The Match Patient Services Department);
Data Working Group (led by SCTOD staff);
Search and Distribution Working Group (led by the NMDP/Be The Match Patient Services Department);
Program Participation Working Group (led by HRSA).
The deliverable for this task is to submit a report on Data Working Group activities within 15 days of meetings.
Task 10: Develop and Maintain Websites.
The CIBMTR supports maintenance of the Program website (http://bloodcell.transplant.hrsa.gov), which provides public access to data collected for the SCTOD. NMDP/Be The Match manages this website through its Patient and Health Professional Services Department as part of its contractual obligation to the Program. The deliverable for this task is to submit a plan for making content available to the public on the web.
Task 11: Participate in and Support Activities of the HRSA Advisory Council on Blood Stem Cell Transplantation.
The CIBMTR supports the Advisory Council by participating in the planning of and preparation for its meetings. The deliverable for this task is to prepare reports for the Advisory Council within 14 days of request, unless otherwise specified.
Task 12: Submit Routine Reports.
Routine reports address significant contract activities and accomplishments. Deliverables for this task are to submit:
Monthly task reports, due on the last business day of each month;
Base period report (generally the first one-two years of the contract), due on the last day of the base period.
Task 13: Comply with Requirements of the HRSA’s Office of Information and Technology.
Information security is an integral functional requirement of the SCTOD contract. CIBMTR representatives meet with the HRSA Office of Information and Technology staff to review security requirements and risk assessments. The deliverable for this task is to maintain the Authorization to Operate by providing documentation according to the Office of Information and Technology security calendar. Related tasks to achieve Authorization to Operate are listed in Table 10.1.
Table 10.1: SCTOD Tasks to achieve Authorization to Operate
| Deliverable | Description | Frequency |
|---|---|---|
| System Security Plan (SSP) | Detailed document of security controls and implementation methods | Annually* |
| Risk Assessment | Conducted by third-party assessor (ITSS) | Annually* |
| Security Test & Evaluation | Security Assessment Report outlining status of security and privacy controls to identify findings | Annually |
| FIPS 199 Assessment | Categorize the federal information system to establish necessary security framework | By Request* |
| Contingency Policy & Plan | Furnish Contingency Policy and Plan | Annually |
| Contingency Plan Exercise Results | Provide After-Action Report on the outcome of the contingency plan exercise | Annually |
| Configuration Management Policy & Plan | Furnish Configuration Management Policy and Plan | |
| Minimum Security Configuration Requirements | Documentation of system configurations required to meet US Government Configuration Baselines and Federal Desktop Core Configurations (SCAP) | Annually |
| Vulnerability Scans | Provide results of system vulnerability scans | Monthly |
| Information Security Awareness and Training | Documentation of organization-specific awareness and training course attendance | Annually |
| HRSA ISSO Meetings | Attend monthly ISSO Meetings | Monthly |
| Section 508 Report | Documentation of agency / contractor providing reasonable accommodations for employees with disabilities (HHS Section 508 Product Assessment Template) | Annually |
| Incidence Response Policy and Plan | Furnish Incidence Response Policy and Plan | Annually |
| Incidence Response Event Report | Provide summary of detected IR events and status of remediation | Monthly |
| Specific Threat Remediation Plans | Documentation of remediation efforts around a specific or zero-day threat to the system (e.g. Shellshock) | By Request |
| Privacy Impact Assessment | Update Security and Privacy Online Reporting Tool regarding status of PII protections (SPORT) | Annually |
| E-Authentication Questionnaire | Provide E-Authentication Report that reviews electronic transactions / authentication processes to ensure correct level of assurance | By Request |
| Plan of Action and Milestones (POA&M) Report | Provide a report formalizing the weakness mitigation process and appropriately prioritizing mitigation efforts | By Request |

*Due within 30 days of contract award
The security controls and standards outlined in the NIST Special Publication 800-53, for a given risk classification, are enforced by US Department of Health and Human Services and HRSA Office of Information Technology throughout the SCTOD development and operational lifecycle.
The CIBMTR designates an Information System Security Officer who is tasked with ensuring compliance and fulfilling all other information security HRSA requests.
SCTOD systems must comply with federal data security standards including:
National Institute of Standards and Technology Special Publications 800-18 Rev. 1 “Guide for Developing Security Plans for Information Technology Systems”
National Institute of Standards and Technology Special Publications 800-37 “Guide for the Security Certification and Accreditation of Federal Information Systems”
National Institute of Standards and Technology Special Publications 800-53 Rev. 4 “Security and Privacy Controls for Federal Information Systems and Organizations”
National Institute of Standards and Technology Special Publications 800-60 Volume 1, Rev. 1, “Guide for Mapping Types of Information and Information Systems to Security Categories”
National Institute of Standards and Technology Federal Information Processing Standards Publications 199 “Standards for Security Categorization of Federal Information and Information Systems”
Office of Management and Budget Circular A-130 Appendix III;
Title III of the E-Government Act: Federal Information Security Management Act.
Task 14: Comply with Database Performance Standards.
Establish quantifiable measures for monitoring Database performance in the following areas:
Timeliness, completeness, and accuracy of cord blood transplant data and the overall data contained in the SCTOD;
Ongoing analysis of outcomes data;
Publications that use SCTOD data;
Efficiency and effectiveness of cooperative arrangements established with other Program and non-Program components and other relevant organizations;
Participation in working groups;
Efficiency of the SCTOD operations;
Number of data requests received and fulfilled.
Deliverables for this task are:
Annual submission of performance standards;
Semi-annual report of performance against performance standards.
Task 15: Transition to New Database Contractor.
The SCTOD contract holder must develop a detailed transition plan. Deliverables for this task are:
Draft transition plan, due annually within 240 days of the effective date of the contract;
Final transition plan due within 30 days upon request;
Copy of data files and digital media relevant to the contract, due on the last day of the contract.