DA01--Controlled Unclassified Information (CUI) (VA-26-00041445)

Performance Work Statement (PWS)

This PWS outlines the requirements for the Department of Veterans Affairs (VA), Office of Information & Technology (OIT), Enterprise Records Service (ERS) to implement and sustain a Controlled Unclassified Information (CUI) program. The goal is to manage unclassified information requiring safeguarding or dissemination controls.

The contractor shall provide resources to:

• Tailor VA-specific CUI policy based on National Archives and Records Administration (NARA) policy.

• Establish an executive steering committee and sustain a CUI working group.

• Develop CUI training materials.

• Review IT systems for CUI impact.

• Conduct self-inspections and prepare incident management procedures.

• Prepare monthly status reports.

• Implement electronic marking solutions for CUI.

• Develop and maintain an IT Systems Marking Strategic Plan.

• Support the implementation of a Self-Inspection Program.

• Develop and implement a CUI Compliance Dashboard.

• Tailor existing CUI training for VA personnel and contractors.

• Weekly Status Reports and Monthly Activities Reports are required.

• Contractor Project Management Plan (CPMP) must be delivered and maintained.

• Performance metrics will be assessed via a Quality Assurance Surveillance Plan (QASP).

• Key deliverables include updated VA CUI Directive, VA CUI Handbook, CUI process guide, various reports on IT systems, training materials, and program plans.

• Performance Period: One 12-month base period with four (4) 12-month option periods, plus two optional tasks. Overall Task Order (TO) PoP not to exceed 60 months.

• Place of Performance: Virtual or onsite at 811 Vermont Avenue, NW, Washington, DC 20420.

• Travel is not anticipated.

• Compliance with numerous federal laws, regulations, and VA directives related to IT security, privacy, identity management (HSPD-12, FICAM), IPv6, Zero Trust, and AI.

• Personnel security requirements include background investigations and specific forms.

• All IT solutions must comply with the VA Technical Reference Model (TRM).

• Strict adherence to cybersecurity and privacy requirements, including encryption, access controls, and incident reporting.

• Generative AI usage is strictly governed, with limitations on sensitive data and requirements for documentation and unbiased principles.

• Deliverables must be in electronic format using specified software suites.

Solicitation / RFP / RFQ

This document is a solicitation (Number: 36C10B26Q0291) for Controlled Unclassified Information (CUI) services, as indicated by the Product Service Code DA01 and NAICS Code 541611 (Management Consulting Services). The Department of Veterans Affairs, Technology Acquisition Center, is issuing this solicitation.

The primary deliverable is related to Controlled Unclassified Information (CUI), with specific details expected in an attached document referenced as "PWS CUI with comment 3_9_26."

Not explicitly detailed in this section, but the solicitation number is 36C10B26Q0291.

• Response Date/Time: April 2, 2026, 11:00 AM Eastern Time, New York, USA.
• Archive: 99 days after the response date.

No specific set-aside information is provided in this excerpt.

• Contracting Office: Department of Veterans Affairs, Technology Acquisition Center, 23 Christopher Way, Eatontown NJ 07724.
• Point of Contact: Michael Gruen, Contract Specialist, michael.gruen@va.gov, 848-377-5251.
• The document references an attached PWS for detailed requirements regarding CUI.

Request For Information (RFI)

This RFI is issued by the Department of Veterans Affairs (VA) Technology Acquisition Center (TAC) to gather information on the availability of capable contractors to implement and monitor Controlled Unclassified Information (CUI) Self-Inspection and Incident Management programs, as detailed in the draft Performance Work Statement (PWS).

• This is an RFI only; do not submit a proposal or quote.
• Responses are for informational purposes and will not result in payment.
• No contract will be awarded based on this RFI.
• The Government is not obligated to acquire any products or services described.
• Page limit for responses (excluding PWS feedback) is 10 pages.

Interested parties should provide:

1. Capabilities Statement: Address the specific questions below.
2. PWS Feedback: Indicate if the draft PWS provides sufficient detail (YES/NO). If NO, provide technical comments and recommendations for improvement.
3. Contract Vehicles: Identify any contract vehicles that can be used for acquisition, along with your company's business size and status for each, specifically for NAICS 541611.
4. Small Business Confirmation: If a small business, confirm compliance with subcontracting limitations (FAR 52.219-6, 52.219-14) or relevant VAAR clauses for SDVOSBs.
5. Labor Categories: Propose required labor categories, descriptions, and estimated annual hours.
6. Past Performance: Describe experience providing services similar to the PWS, particularly in reviewing VA IT system inventories and identifying systems for reporting requirements (e.g., CUI Report, Electronic Markings Solutions Report).

Direct all responses to Michael Gruen (michael.gruen@va.gov) and Debra Clayton (debra.clayton2@va.gov).

Statement of Work (SOW) / Performance Work Statement (PWS)

This document outlines the Performance Work Statement (PWS) for services provided to the Department of Veterans Affairs (VA), Office of Information & Technology (OIT). It serves as a template for creating detailed requirements for IT services.

This PWS template guides the development of specific IT service requirements. It covers areas such as project management, reporting, and various general requirements including enterprise IT framework compliance, security, privacy, and specific task requirements. It also includes sections on Artificial Intelligence (AI) and Source Code Harmonization (SHARE IT Act).

Performance metrics are defined generically, focusing on technical quality, project milestones, cost/staffing, and management integration. A Quality Assurance Surveillance Plan (QASP) will be used to monitor performance against acceptable levels.

The Performance Period (PoP) duration and specific Place of Performance (Government or Contractor facilities) are to be defined within the document. Travel requirements are also detailed, including estimated trips, duration, and locations.

Key requirements include compliance with VA Enterprise and IT Framework standards, Zero Trust principles, FICAM, IPv6, TIC, standard computer configurations, VIP and PLM processes, and adherence to the Process Asset Library (PAL). Extensive security and privacy requirements are detailed, including personnel vetting, data protection, and incident reporting. Specific clauses address AI development, usage, and documentation, as well as requirements for the SHARE IT Act. The document also outlines requirements for Software and Licensing, and mandates compliance with various federal laws, directives, and NIST publications.

Solicitation / RFP / RFQ

This document is a solicitation (Solicitation Number: 36C10B26Q0291) for services related to Controlled Unclassified Information (CUI) for the Department of Veterans Affairs, Technology Acquisition Center. The contracting office is located in Eatontown, NJ (ZIP Code: 07724).

• Product Service Code: DA01

• NAICS Code: 541611 (Management Consulting Services)

• Place of Performance: Not specified in this section.

• Response Date/Time/Zone: 04-02-2026 11:00 EASTERN TIME, NEW YORK, USA

• Archive: 99 days after the response date.

• Set-Aside: Not specified in this section.

• Contact Point: Michael Gruen, Contract Specialist, michael.gruen@va.gov, 848-377-5251.

• Referenced attachments include 'PWS Template_May_16_Rev2_MAR_18_2026' and 'rfi cover page with questions to the vendors rfi final'.