DA01--NBEKRSS (VA-26-00031146) Professional Service - Network Based Encryption Key Recovery Storage Solution

Other / Unclassified

This document is a Product Description (PD) for a Network-based Encryption Key Recovery Storage Solution (NBEKRSS) for the Department of Veterans Affairs (VA). It outlines the requirements for renewing maintenance of the existing COTS software solution, which is critical for VA's Public Key Infrastructure (PKI) ecosystem. The system supports secure key recovery, high-volume S/MIME decryption for investigations, cybersecurity operations, litigation discovery, and other authorized VA use cases. It must integrate with VA's existing PKI services, directories, and Hardware Security Modules (HSMs).

• PKI Compatibility: Must be fully interoperable with the U.S. Treasury SSP PKI (VACA1 and VACA2) and integrate with VA enterprise directory services.

• On-Premises Operation: All components must operate within VA facilities on VA-owned infrastructure.

• Cryptographic Requirements: Must use FIPS-validated cryptographic modules (FIPS 140-3 or 140-2) and support modern TLS configurations (TLS 1.2/1.3 per NIST SP 800-52 Rev. 2).

• Key Recovery: Secure ingestion, cataloging, and recovery of VA user encryption private keys with controlled, auditable processes.

• Decryption Capabilities: Must achieve ≥95% successful decryption on eligible items, sustain ≥50,000 email items/hour, and support large-scale S/MIME decryption.

• HSM Integration: Compatible with VA’s Luna T5000 HSMs and PED-based key controls.

• Access Controls: Implement a least-privilege model with separate operator, approver, and auditor roles.

• Support Services: 24/7/365 support from U.S.-based personnel, including software/firmware updates, patches, hotfixes, and technical support.

• Audit Logging: Generate immutable, exportable logs of user activity.

• ATO Support: Assist with Authority to Operate (ATO) processes, audits, and evidence collection.

• Compliance: Must comply with Section 508 accessibility standards (WCAG 2.0 A/AA), VA Technical Reference Model (TRM), Zero Trust controls, IPv6 requirements, and sustainable product mandates.

• Scope: Renewal of maintenance for the existing NBEKRSS solution.

• Period of Performance: 12-month base period with four subsequent 12-month option periods.

• Quantity: 1 NBEKRSS Core Software License, 1 Software Maintenance, 1 Technical Support.

This document details the technical requirements and salient characteristics for a critical PKI maintenance renewal. Vendors offering solutions for encryption key recovery, storage, and decryption, particularly those compatible with VA's existing infrastructure and security standards, should review these requirements carefully. The document specifies a "Brand Name or Equal" approach for the current Zeva DecryptNaBox solution, requiring offers to meet specific minimum characteristics and support a minimum of 3.5 million encryption keys.

Request for Information (RFI)

This RFI is for planning purposes to gather market research on potential providers for software maintenance and support of the Department of Veterans Affairs' (VA) existing Network-based Encryption Key Recovery Storage System (NBEKRSS) solution. The VA is also assessing the market for new potential entrants and capabilities of similar solutions. This RFI does not constitute a solicitation and does not obligate the government to acquire any products or services.

• NAICS Code: 541519 (with a $34 million size standard).
• Response Deadline: March 23, 2026, 16:00 Eastern Time.
• Submission: Responses are due via email to Dennis.Simms@va.gov and Michael.Weckesser@va.gov. Include "Network-based Encryption Key Recovery Storage System" in the subject line.
• Page Limit: 15 pages. No marketing materials or generic capability statements will be accepted.
• Proprietary Information: Mark responses as "Proprietary Information" if applicable. Email file size limit is 5 MB.

Interested vendors must provide:

• Company Name, Address, Point of Contact, Phone, Email, CAGE Code, UEI, Business Size/Status, NAICS Code, Socioeconomic Data, and existing Contractual Vehicles.

• A summary of capabilities related to the draft Product Description (PD), specifically addressing:

  1. Company Qualifications and Product Overview: Experience with enterprise on-premises cryptographic or key management software, a high-level description of the encryption key recovery storage system, CA/HSM integration experience, and confirmation of "customer-applied update" model support in non-cloud environments.
  2. Federal PKI and Security Compliance: How the solution complies with Federal PKI policy, NIST cryptographic standards, and FIPS 1402/1403 validated modules.
  3. Licensing Model: Pricing structure (perpetual vs. subscription, metrics), and separate costs for integration or modules.
  4. Release Management & Patching: Methods for software updates (secure download, offline packages), ensuring VA personnel apply updates without contractor remote access. Description of the software maintenance lifecycle and approach to avoid disrupting operational workflows.
  5. Technical Support Model: Support tiers, response times, availability, escalation procedures, and methods for troubleshooting without contractor access to VA networks.

• Specific examples or references for Corporate Service Line experience, including agency, POC, dollar value, and contract number.

• Confirmation on whether the draft PD provides sufficient detail (YES/NO). If NO, provide technical comments/recommendations.

• NBEKRSS PD

• RFI DRAFT NBEKRSS PD 05Mar2026 v3_3 Final Draft