DA10--Alternative to BigFix Endpoint Management (VA-26-00012805)
Overview
Buyer
Place of Performance
NAICS
PSC
Set Aside
Original Source
Timeline
Qualification Details
Fit reasons
- NAICS alignment with historical contract wins in similar service areas.
- Scope strongly matches core technical capabilities and delivery model.
Risks
- Past performance thresholds may require one additional teaming partner.
- Potential clarification needed on staffing minimums before bid/no-bid.
Next steps
Validate eligibility requirements, assign capture owner, and schedule partner outreach to confirm teaming strategy before submission planning.
Quick Summary
The Department of Veterans Affairs (VA) is conducting market research through a Request for Information (RFI) to identify alternative Enterprise Server Endpoint Management (ESEM) solutions. The VA seeks products that can meet or exceed the capabilities of its current HCL BigFix system for managing up to 150,000 endpoints across on-premises, AWS, and Azure environments. Responses will inform the VA's acquisition strategy and Performance Work Statement (PWS). Responses are due February 3, 2026.
Purpose & Background
This RFI is solely for market research and does not constitute a Request for Quote (RFQ) or Proposal (RFP). The VA's Office of Information and Technology (OI&T), Office of Information Security (OIS), currently uses HCL BigFix for endpoint management, security, remediation, and sustainment. The objective is to explore alternative ESEM Software as a Service (SaaS) or Hybrid SaaS solutions, including integration and optional sustainment services, to enhance cybersecurity and manage endpoints across the VA's network.
Scope of Interest
The VA is interested in solutions capable of managing up to 150,000 clients/endpoints, with automation at scale for over 500,000 endpoints. Key prioritized capabilities include:
- Cross-OS Patching: For Windows Server, Linux, Solaris, and MacOS, with content available within 24 hours.
- Real-Time Compliance/Enforcement: Continuous monitoring and enforcement of policies, including CCE and CVE detection and remediation.
- Offline/Air-Gapped Support: Full functionality for intermittently connected endpoints.
- Third-Party Patch Catalog Depth: Extensive library for third-party applications.
- Role-Based Control / Least Privilege: Granular access controls.
- Compliance Reporting: Detailed reports based on STIG, CIS benchmarks, and USGCB.
- Integration: Seamless integration with CMDB, SIEM, SOAR, Azure, AWS, and ServiceNow via APIs.
- Software Distribution, Asset Discovery/Management, and Vulnerability Correlation.
- Federal Compliance Posture: Adherence to FISMA/CDM mandates.
Solutions must meet FedRAMP Moderate requirements (High within 12 months) and store data within the Continental United States. Integration with existing VA tools like ServiceNow, ICAMP, Splunk, CrowdStrike, and Microsoft Active Directory is essential.
Information Requested
Vendors are requested to submit:
- A capability statement (max 10 pages).
- A brief technical solution summary detailing how their product meets the 12 prioritized capabilities.
- A Rough Order of Magnitude (ROM) cost estimate for professional services, including labor categories and FTEs.
- Comments and recommendations on the sufficiency of the draft PWS.
- Company identification information, including business size, NAICS code(s), and any GSA/GWAC schedules held.
- Small businesses, SDVOSBs, and VOSBs should provide details on meeting set-aside requirements, available resources, and proposed team members/subcontracting plans.
Submission Details
Responses must be submitted via email to Angel Santos (Angel.Santos2@va.gov) and Kendra Casebolt (Kendra.Casebolt@va.gov) by 1:00 PM EST on February 3, 2026. The subject line must include "RFI# 36C10B26Q0142".
Contract & Timeline
- Type: Sources Sought / Request for Information (RFI)
- Published: January 27, 2026
- Response Due: February 3, 2026, 1:00 PM EST
- Set-Aside: None specified (market research stage)