DJ10--Data Monitoring and Sensing - Structured Data - RFI (VA-26-00050089)

Request for Information (RFI)

This is a Request for Information (RFI) for planning purposes only, not a solicitation or quote request. The Department of Veterans Affairs (VA) Technology Acquisition Center is conducting market research to gather information on industry capabilities for Data Monitoring and Sensing - Structured Data. The government is not committing to awarding a contract and will not reimburse costs for responses.

Vendors are encouraged to respond if they have the capability to provide items identified in the attached draft Product Description (PD). The RFI seeks information on:

• Vendor capabilities to meet the requirements in the draft PD.

• Technical capabilities for the described services.

• Proposed approach to the requirement.

• Informal quote for the requirement.

• Corporate experience and specific examples/references (including agency, POC, dollar value, contract number).

• Whether the DRAFT PD provides sufficient detail (YES/NO), and if NO, provide technical comments/recommendations.

• Deadline: April 24, 2026, 1:00 p.m. ET.

• Format: Email to Jennifer.jefferson@va.gov and ioannis.vardouniotis@va.gov.

• Subject Line: "Zero Trust Data Monitoring RFI".

• Page Limit: Ten pages maximum. No marketing materials allowed.

• Content: Must include company name, SAM Unique Entity ID, CAGE code, address, POC details, business size/status, NAICS code(s), socioeconomic data, existing contract vehicles, and SDVOSB/VOSB verification proof if applicable.

• Proprietary Information: Mark clearly if applicable. Email file size limit is 20 MB.

• The NAICS code is currently undecided. Small businesses with capability are encouraged to participate.

• Responses may influence future set-aside decisions.

• If multiple responses from preferred socioeconomic categories are not received, future RFQs may be open to all contract holders.

• Indicate if interested only in subcontracting opportunities.

• Responses should be clear, concise, and complete. The VA is not obligated to provide feedback or seek clarification.

• This requirement may be delayed, canceled, or revised at any time.

Statement of Work (SOW) / Performance Work Statement (PWS)

The Department of Veterans Affairs (VA), Office of Information & Technology (OIT), Office of Information Security (OIS) requires a comprehensive Zero Trust Data Monitoring and Sensing - Structured Data Protection solution. The primary goal is to enhance cybersecurity measures across VA's enterprise environments, supporting the VA's Zero Trust Architecture Strategy and Executive Order 14028.

• Provide a data protection solution for structured data, both on-premises and in the VA Enterprise Cloud (AWS and Azure).

• Implement robust Data Loss Prevention (DLP) capabilities with automated policy enforcement to prevent unauthorized access, transfer, or exfiltration of sensitive structured data.

• Support automated and persistent data labeling, ensuring consistent application of labels to structured data assets and integration with DLP policies for dynamic access control.

• The solution must be a commercial off-the-shelf (COTS) product or an equivalent turnkey implementation, including management, threat detection, runtime policy enforcement, support, and virtual patching.

• The solution must meet Key Performance Indicators (KPIs) related to data element identification and categorization, data labeling, remediation of open access data, system onboarding, DLP policy implementation, reduction in unauthorized data transfers, sensitive data coverage, system uptime (>= 99.95%), scalability, integration time, user training completion rate, support response time, and resource utilization.

• Specific targets and reporting cadences (e.g., monthly) are defined for each KPI.

• Not explicitly detailed in the provided sections, but the document outlines various phases including a pilot period and potential option years.

• Compliance with numerous federal laws, regulations, directives, and handbooks (e.g., FISMA, FIPS, NIST, HIPAA, Executive Orders related to cybersecurity and AI).

• Must support IPv6-Only environments.

• Adherence to Section 508 accessibility standards.

• Specific requirements for contractor personnel security, including background investigations and training.

• Detailed requirements for Artificial Intelligence (AI) systems, including adherence to Trustworthy AI Framework and Unbiased AI Principles.

• Strict security and privacy controls, including data encryption, incident reporting, and vulnerability management.

• The solution must integrate with existing VA systems such as SIEM, UEBA, and DevSecOps pipelines.

• Must support hybrid deployment across VA on-premises data centers and VA Enterprise Cloud (AWS GovCloud (US), Azure Government) under a unified SaaS control plane.

• Requires a FedRAMP High authorization and a VA Authority to Operate (ATO) before live VA data can be used.