DA01--Enterprise Cybersecurity Program Audit Support
Qualification Details
Fit reasons
- NAICS alignment with historical contract wins in similar service areas.
- Scope strongly matches core technical capabilities and delivery model.
Risks
- Past performance thresholds may require one additional teaming partner.
- Potential clarification needed on staffing minimums before bid/no-bid.
Next steps
Validate eligibility requirements, assign capture owner, and schedule partner outreach to confirm teaming strategy before submission planning.
Quick Summary
The Department of Veterans Affairs (VA), specifically the Office of Information & Technology (OIT), is conducting a Sources Sought / Request for Information (RFI) for Enterprise Cybersecurity Program (ECSP) Audit Support. This RFI aims to gather information from potential sources regarding their capabilities to provide comprehensive support for VA audit cycle processes, continuous improvement of the Audit Portal, and management of audit lifecycle information. Responses are due by April 7, 2026, at 3:00 PM ET.
Scope of Work
The anticipated scope of work, as outlined in the draft Performance Work Statement (PWS), includes:
- Supporting various audit cycle stages, from preparation to follow-up.
- Managing the OIT Audit Portal, including user support, data quality control, documentation, and portal improvements.
- Developing Business Intelligence (BI) artifacts, such as data visualizations and dashboards, potentially using tools like Power BI.
- Providing SharePoint support, including development, maintenance, and integration recommendations.
- Key activities involve stakeholder and schedule management, tracking audit findings and recommendations, trend analysis, data modeling, and reporting.
Contract & Timeline
- Type: Sources Sought / Request for Information (RFI)
- Anticipated Duration: A 12-month base period with three 12-month option periods, plus a 60-day optional transition period, not to exceed 50 months.
- Set-Aside: None specified in this RFI announcement.
- Response Due: April 7, 2026, 3:00 PM ET.
- Published: March 25, 2026.
Special Requirements & Deliverables
- Security: Compliance with VA cybersecurity directives, including Zero Trust principles, FICAM, and PIV card enablement. Personnel require background investigations. Strict adherence to data protection, encryption, and non-disclosure agreements is mandatory.
- IT Frameworks: Compliance with VA Technical Reference Model (TRM), IPv6 requirements, and Trusted Internet Connection (TIC) standards.
- Generative AI: If AI is used, compliance with specific Executive Orders and OMB Memoranda regarding trustworthy, secure, and unbiased AI is required. No sensitive VA data is permitted in unapproved public AI services.
- Deliverables: Include a Contractor Project Management Plan, Monthly Progress Reports, Audit Stakeholder Lists, Audit Schedules, Finding Records, Trend Reports, various Audit Reports, Audit Portal Documentation, BI Artifacts, User Guides, and Release Notes.
- Place of Performance: Contractor facilities.
Additional Notes
This RFI (Solicitation Number: 36C10B26Q0155) is for planning purposes only and does not constitute a solicitation for proposals. Responses will be used to inform potential future acquisition strategies. Interested parties should review the attached RFI documents and draft PWS for detailed requirements.