Request for Information - Travel System

Request for Information (RFI)

This RFI is issued by Oak Ridge National Laboratory (ORNL), managed by UT-Battelle, LLC, to gather information on modern travel solutions. The goal is to replace or enhance the current 25-year-old homegrown travel system, which has limitations in functionality and reporting. The new system aims to streamline the travel process, improve user experience, and enhance reporting and analytics capabilities for approximately 7,000 employees.

The scope includes replacing some or all of the current travel systems, meeting cybersecurity requirements, and delivering the following functionality:

• Travel reservation requests (including online reservations)
• Expense reimbursement requests and approvals
• Travel audit functions
• Travel analytics
• Handling of multiple expense types
• Workflow approval determination
• Employee and external vendor/non-employee payments
• Reporting functionality

The system should be cloud-based or on-premises, Software-as-a-Service (SaaS) model, and meet Federal Information Security Management Act (FISMA) and regulatory requirements. It should also support compliance audits and offer adaptable system configuration with role-based security management.

Respondents are required to submit a narrative summary (up to 10 pages) addressing:

• Description of currently available full-functioning travel solutions and capabilities.
• Summary of relevant DOE/Federal Work Experience, including contact information.
• Examples of two similar projects with contact information.
• Methodology for meeting security and data protection requirements.
• Company information (name, key contact, address).

Additional information is requested for Exhibits 1, 2, and 3 regarding High-Level Travel Processes, Cybersecurity & Data Protection, and Technical Integration Requirements.

Responses are due electronically by 12:00 PM EST on March 11, 2026.

This RFI is for information and planning purposes only and does not constitute a solicitation or commitment to issue an RFP. Submission is not required for future consideration in an invitation to bid.

Other / Unclassified

This document outlines high-level travel process requirements requested from Suppliers as part of a Travel System Request for Information (RFI). It is not a Request for Proposal (RFP), and detailed documentation is not required at this stage. Responders are asked to provide concise descriptions of their travel system processes.

This document details the functional and technical capabilities expected for a travel system. Key requirements include:

• Core Travel Processes:

  • Travel pre-approval
  • Reservation requests (online)
  • Expense reimbursement
  • Conference attendance tracking and approvals
  • Travel and conference audit functions
  • Travel analytics
  • Integration with third-party reservation systems and credit card companies
  • Mobile platform for travelers

• Supplier System Capabilities:

  • Support for multiple expense types
  • Workflow approval determination
  • Reimbursement for employees and non-employees
  • Reporting functionality
  • Flexible, scalable, resilient, and sustainable infrastructure
  • Effective, efficient, and user-friendly application configuration and implementation
  • Process simplification by reducing paperwork and approvals
  • Accessible reporting and querying for analytics
  • Intuitive user interface guiding data entry
  • Standard mobile platform for all expense types
  • Accurate financial entries per expense type
  • Reduction of manual tasks in request entry, approval, and audit review

Form / Attachment / Pricing Sheet

This document, "Exhibit 2: High-Level Cybersecurity & Data Protection Information Requested," outlines the cybersecurity and data protection information required from potential suppliers as part of a Request for Information (RFI) for the Travel System. It clarifies that detailed evidence, certifications, or documentation are not required at this RFI stage; instead, concise descriptions of capabilities, architecture, and security practices are sought.

The exhibit requests information across ten categories:

1. System Hosting & Data Location: Where the system is hosted, location of environments, and data residency.
2. Access Control & Authentication: Supported methods, access control approach, and foreign national access.
3. Data Protection Practices: Encryption methods and general approach to securing sensitive travel information.
4. Incident Response & Monitoring: Incident detection/response and logging/monitoring capabilities.
5. Business Continuity & Disaster Recovery: DR/COOP approach, RTO/RPO targets, and security controls for DR environments.
6. Data Retention & Post-Contract Handling: Data retention policies, data return/deletion processes, and persistence of logs/backups.
7. Third-Party Integrations & Supply Chain: Major third-party services and supply-chain risk management approach.
8. Compliance & Security Standards: Relevant certifications or frameworks followed.
9. Foreign National Access Considerations: Disclosure of staff locations and controls for restricted access.
10. Optional: Additional Security Features: Differentiating security capabilities.

This document is crucial for potential bidders to understand the specific cybersecurity and data protection information that needs to be provided in response to the RFI. It guides bidders on the level of detail required (broad descriptions, not detailed documentation) and the key areas of focus for the government's assessment of capabilities and security posture at this early stage. Bidders should prepare to provide high-level summaries for each of the listed categories.

Form / Attachment / Pricing Sheet

This document, "Exhibit 3 - Travel System Requirements Technical Integration," outlines the technical and functional requirements for a travel system. It serves as a detailed specification for potential vendors to understand the necessary capabilities and integration points for a government travel solution.

• ERP Integration: Bi-directional integration with SAP S/4HANA On Premise (2023) via modern APIs (REST, OData).
• Identity and Access Management: Requirements for SSO (SAML 2.0/OAuth 2), Role-Based Access Control (RBAC), and user provisioning.
• External Services: Support for airline bookings, per diem programs (domestic/foreign), GovTravel lodging, risk/safety tools, and corporate credit card integration.
• Security and Compliance: Preference for FedRAMP, data encryption (TLS 1.2+ in transit and at rest), MFA, secure mobile access, and adherence to FISMA requirements.
• Data Protection: All data and storage facilities must be within the continental United States, with specified data retention and PII handling protocols.
• Audit and Governance: Requirements for detailed audit logs, access reporting, and change tracking.
• System Architecture: Cloud-hosted SaaS or on-premise options, high availability (99.9% uptime), and disaster recovery plan.
• APIs and Data Access: Open APIs for data extraction and integration, flat-file capability (SFTP), and support for custom fields.
• Performance: Page load expectations.
• Usability and User Experience: Modern, responsive UI (desktop/mobile/tablet), mobile application, accessibility compliance, and traveler profile storage.
• Reporting and Analytics: Standard and custom dashboards, with export capabilities (Excel/CSV, API).
• Policy and Compliance: Configurable travel and expense policies, automated workflows, and risk/safety vendor integration.
• Vendor Support: Expectations for implementation timeline, 24/7 support model, training materials, data migration, and customer success management.

This exhibit is critical for bidders as it defines the technical backbone and functional scope of the required travel system. Vendors must demonstrate their ability to meet these integration, security, functional, and support requirements to be considered for the opportunity. It directly informs the technical solution proposed and the associated costs.