DA10--VA-26-00029054 - Data Loss Prevention (DLP) Infrastructure Solution - New Requirement

Form / Attachment / Pricing Sheet

This document is a price model spreadsheet for the DLP and DAG Infrastructure Solution. Bidders are instructed to complete all sections highlighted in yellow.

Base Tasks:

• Development, implementation, update, and maintenance of a single-vendor COTS solution for DLP and DAG functionality.
• Requirements Compliance Matrix.
• Section 508 Accessibility Compliance Package.
• Assessment and Authorization (A&A) and Continuous Monitoring Requirements.
• A&A/ATO Program Management & Planning.
• RMF Security Package Development and Maintenance.
• Security Control Assessment Support (3PAO/Assessor Coordination).
• Continuous Monitoring (Conmon) Operations and Monthly Reporting.
• Vulnerability Scanning, Reporting, and Evidence.
• POA&M Lifecycle Management.
• Significant Change and Security Impact Analysis Support.
• Maintenance Support Services.
• Data Access Governance Platform (DAG) Administration.
• Project Management.
• Contractor Management Plan.
• Kickoff Meeting.

Optional Tasks:

• Data Access Governance Platform (DAG) Administration (Optional Task 1).
• Software and Maintenance Support Services (Option Periods 1-4).

General Instructions:

• Pricing shall include licenses for the life of the contract.

This spreadsheet requires bidders to provide detailed pricing for all base tasks and optional periods, including software licenses for the duration of the contract. It outlines the specific components and services for which pricing must be submitted, directly impacting proposal cost development.

Product Description

This Product Description (PD) outlines the Department of Veterans Affairs (VA) Office of Information & Technology's (OI&T) requirements for a Data Loss Prevention (DLP) and Data Access Governance (DAG) Infrastructure Solution. The VA is seeking to migrate its existing Varonis deployment to a Software as a Service (SaaS) solution to ensure continuity of enterprise DLP and DAG capabilities, as the current vendor is deprecating its self-hosted architecture. The solution must cover data at rest across network, cloud, and storage environments.

• Solution Type: Single-vendor Commercial Off-the-Shelf (COTS) solution.

• Functionality: Must provide comprehensive DLP and DAG capabilities, including data discovery, classification, protection, risk reduction, misconfiguration management, third-party application risk assessment, identity security, activity monitoring, threat detection, and data access governance.

• Data Discovery & Classification: Capabilities to discover, classify sensitive data, scan various file types (including OCR), apply labels, and locate data pertaining to individuals.

• Data Protection: Ability to identify and report on data access paths, permissions, publicly exposed data, and externally shared data. Must include automated remediation for stale permissions and external access.

• User Licensing: Support for a minimum of 700,000 users.

• Period of Performance: 1 12-month Base Period followed by 4 12-month Option Periods, plus 1 Optional Task.

• Transition: If an alternative vendor solution is proposed, the awardee must sustain existing Varonis licensing and support during the transition, completing migration within 90 days of award without degrading security posture.

• Security & Compliance: Solution must maintain FedRAMP Moderate authorization and be certified in SOC 2, SOC 3, ISO, HIPAA, and NIAP Common Criteria.

• Accessibility: Compliance with Section 508 standards for all delivered ICT, including providing a Section 508 Compliance Package (VPAT/ACR).

• AI Requirements: If AI is used, compliance with federal directives on trustworthy, secure, and responsible AI is mandatory. Sensitive data must be protected from unauthorized use or training of vendor AI models.

• Deliverables: Include Section 508 Accessibility Compliance Package, VA Implementation Diagram, 3PAO Security Assessment Plan/Report, POA&M Reports, Monthly VA License Reports, A&A Project Plan, System Security Plan (SSP), Contractor Project Management Plan (CPMP), and AI System/LLM Development and Operation Documentation Package.

• Maintenance: 24/7 phone support for service outages.

• Bidders must provide detailed responses in a Requirements Compliance Matrix.

• The VA is currently leveraging Varonis for DLP and DAG across approximately 4.2 billion files and 700,000 users.

• The solution must integrate with existing VA workflows and tools.

Request for Information (RFI)

This RFI is issued by the Department of Veterans Affairs (VA) Office of Information and Technology (OIT) for market research purposes. The VA is seeking information on a single-vendor Commercial Off-the-Shelf (COTS) Data Loss Prevention (DLP) and Data Access Governance (DAG) Infrastructure Solution for the VA Enterprise. This RFI does not constitute a solicitation for quotes or proposals and does not commit the government to any contract award.

• Solution Functionality: Enterprise-wide DLP capabilities including data discovery, classification, protection, access governance, and continuous monitoring across network, cloud, and storage environments.

• User Capacity: Licenses must support a minimum of 700,000 users.

• Compliance: Must meet VA cybersecurity, governance, and federal compliance requirements, including FedRAMP Moderate and FISMA Moderate controls.

• Features: Support for delegated access governance, data classification, automated policy enforcement, and owner-led access reviews.

• Documentation: A detailed Product Description (PD) is attached, outlining technical specifications.

• Response Format: Clear, concise, and complete response.

• Required Information: Company identification (Name, Address, POC, CAGE/UEI, Business Size, NAICS), GSA/GWAC schedules, socioeconomic data, corporate experience, and answers to specific questions regarding the draft PD.

• Technical Details: A Bill of Materials (BOM) with pricing, a Rough Order of Magnitude (ROM) via Schedule B/Price Schedule, and a Compliance Matrix are required.

• Alternative Solutions: If proposing an alternative to Varonis, provide a proposal for continuity of operations.

• Page Limit: Responses must not exceed 10 pages.

• Deadline: Responses are due by 12:00 PM EST on May 14, 2026, via email.

• Questions: Submit questions via SAM.gov.

• Interested parties should provide company business size and NAICS codes.

• Specific questions regarding compliance with FAR 52.219-6, 52.219-14, VAAR 852.219-73, and VAAR 852.219-74 are included for small businesses, VOSBs, and SDVOSBs.

• The VA is not seeking proposals or quotes at this time.

• No reimbursement for costs associated with RFI response submission.

• Submitted information becomes government property.

• Attached documents include: Product Description, RFI Schedule B Price Model Spreadsheet, and Compliance Matrix.

• The TAC point of contact is Kevin Andujar (Kevin.Andujar@va.gov).

Form / Attachment / Pricing Sheet

This document is a Compliance Matrix that bidders must complete. It outlines specific product requirements, data protection measures, misconfiguration management capabilities, third-party application risk assessment, identity security, activity monitoring, data access governance, data lifecycle automation, architecture, scalability, and security/compliance standards. Bidders are instructed to use the provided matrix to indicate whether their solution "Meets," "Does Not Meet," or "Partially Meets" each listed specification.

• Instructions: Bidders must complete all sections highlighted in yellow. For each Solution Requirement Specification (Column B), select a compliance status in Column C ("Meets," "Does Not Meet," or "Partially Meets") and provide a detailed explanation in Column D for all responses.
• Categories: The matrix is organized into sections including Product Requirements (Data Discovery and Classification), Data Protection and Risk Reduction, Misconfiguration Management, Third-Party Application Risk, Identity Security and Risk Management, Activity Monitoring and Threat Detection, Data Access Governance, Data Lifecycle Automation, Architecture and Scalability, and Security and Compliance.
• Specific Requirements: Detailed technical and functional requirements are listed within each category, covering aspects such as data discovery across various stores, classification policies, scanning capabilities (including OCR), data labeling, data access controls, risk reduction strategies, misconfiguration detection and remediation, integration with security platforms (SIEM/SOAR), identity management, threat detection, and compliance standards (FedRAMP Moderate, SOC 2/3, ISO, HIPAA, NIAP).

This matrix is critical for bidders to demonstrate how their proposed solution meets the government's technical and security requirements. A thorough and accurate completion of this document is essential for proposal evaluation and will directly impact the assessment of the bidder's capability to fulfill the opportunity's needs.

Form / Attachment / Pricing Sheet

This document package contains several attachments related to the "Data Loss Prevention (DLP) Infrastructure Solution - New Requirement" opportunity (Solicitation Number: 36C10B26Q0418). These attachments provide detailed information necessary for potential bidders to understand the requirement and prepare their responses.

• RFI Description: Provides a description of the Request for Information.
• Product Description - Data Loss Prevention and Data Access Governance Infrastructure Solution: Details the specific product and infrastructure solution requirements for DLP and Data Access Governance.
• Compliance Matrix: Outlines compliance requirements that vendors must address.
• DLP and DAG Infrastructure Solution - RFI Schedule B Price Model Spreadsheet: A spreadsheet for vendors to provide pricing information based on the RFI schedule.

These attachments are critical for bidders to understand the technical specifications, compliance needs, and pricing structure for the Data Loss Prevention and Data Access Governance Infrastructure Solution. The Price Model Spreadsheet is specifically required for submitting pricing information. Bidders should carefully review all attached documents to ensure their proposal meets all stated requirements and to accurately complete the pricing model.