Loren Data's SAM Daily™

SAMDAILY.US - ISSUE OF JUNE 06, 2025 SAM #8593
SOURCES SOUGHT

D -- Secure Access Service Edge (SASE) (VA-25-00072720)

Notice Date
6/4/2025 5:52:11 AM
 
Notice Type
Sources Sought
 
NAICS
541519 — Other Computer Related Services
 
Contracting Office
TECHNOLOGY ACQUISITION CENTER NJ (36C10B) EATONTOWN NJ 07724 USA
 
ZIP Code
07724
 
Solicitation Number
36C10B25Q0347
 
Response Due
6/13/2025 11:00:00 AM
 
Archive Date
09/20/2025
 
Point of Contact
Joshua Fitzmaurice, Contract Specialist, Phone: 848-377-5122
 
E-Mail Address
Joshua.Fitzmaurice@va.gov
 
Awardee
null
 
Description
Request for Information
Enterprise Secure Access Service Edge (SASE)
VA-25-00072720

Introduction

This Request for Information (RFI) is for planning purposes only and shall not be considered an Invitation for Bid, Request for Task Execution Plan, Request for Quotation or a Request for Proposal. Additionally, there is no obligation on the part of the Government to acquire any products or services described in this RFI. Your response to this RFI will be treated only as information for the Government to consider. You will not be entitled to payment for direct or indirect costs that you incur in responding to this RFI. This request does not constitute a solicitation for proposals or the authority to enter into negotiations to award a contract. No funds have been authorized, appropriated or received for this effort. Interested parties are responsible for adequately marking proprietary, restricted or competition sensitive information contained in their response. The Government does not intend to pay for the information submitted in response to this RFI. The North American Industry Classification System (NAICS) for this requirement is 541519 with a size standard of 150 Employees.

2. Submittal Information:

All responsible sources may submit a response in accordance with the below information. There is a page limitation for this RFI of 10 pages. The Government will not review any other information or attachments included, that are in excess of the 10 page limit. NO MARKETING MATERIALS ARE ALLOWED AS PART OF THIS RFI. Generic capability statements will not be accepted or reviewed. Your response must address capabilities specific to the services required in the attached Product Description (PD) and must include the following:

Interested Vendors shall at a minimum, provide the following information in the initial paragraph of the submission:

- Name of Company
- Address
- Point of Contact
- Phone Number
- Fax Number
- Email address
- Company Business Size and Status
- For VOSB and SDVOSBs, proof of verification in SBA VETCert
- NAICS code(s)
- Socioeconomic data
- Data Universal Numbering System (DUNS) Number
- Existing Contractual Vehicles (GWAC, FSS, or MAC)

Provide a summary of your capability to meet the requirements contained within the draft PD for the following areas:

- Does the proposed solution support out-of-band log processing (e.g., log ingestion via Department of Veterans Affairs (VA)-hosted sensors) to identify shadow IT? If so, what formats and parsers are supported?
- Does the platform need to steer all web traffic to provide inline Cloud Access Security Broker (CASB) capabilities? Please provide data flow diagram for scope of traffic.
- For inline traffic processing, what user activity actions are supported for VA Medical, Health care, Financial and business applications?
- Does the proposed solution identify application instances automatically for Atlassian, Amazon Web Services (AWS), Azure, and SalesForce? Please provide the level of visibility with regard to user activity.
- What is the workflow to enforce user identity and domain specific login for inline traffic processing? Does the proposed solution identify the logged in identity? (example: non-VA-account)
- Please describe Data Loss Prevention (DLP) policy rule capabilities and limitations for Exact Data Match (EDM), Indexed Document Matching (IDM), Optical Character Recognition (OCR), Artificial Intelligence (AI) Classifiers, and total number of file types supported by the DLP engine.
- Please describe infrastructure requirements for IDM, EDM & workflow engine.
- Please describe the user notification framework for web browsers and native applications. What notification types and actions are supported for end user?
- Please describe how real-time user notifications can be provided for the following use case: AWS instance shutdown via AWS Command Line Interface (CLI) with user risk score exceeds set threshold.
- Please describe capabilities to identify unmanaged instances (NOT PERSONAL) to VA managed instance of Office365, Gmail, SalesForce, ServiceNow, AWS & Azure.
- Does the proposed solution utilize synthetic or real-user monitoring for Digital Experience Monitoring?
- Please list User and Entity Behavior Analytics (UEBA) capabilities to monitor user risk. Can risk scores be used in policy to construct policies such as allowing editing of an online document only if risk scores are above a VA defined trusted threshold?
- Please describe the ability to share bi-directional risk scores & threat scores from the proposed platform with existing VA solutions such as Microsoft SENTINEL, Microsoft Defender and Splunk.
- Does the platform support Insider threat detection, including access, data, activity or administrative anomalies and shared or compromised credentials?
- What is the estimated timeline to scale the platform to support 650,000 endpoints? Please list milestones and infrastructure planning.
- Does the solution provide a means for agency specific egress Internet Protocols (IP) natively? If yes, please provide data flow diagram(s)?
- What components of the solution are not currently FedRAMP High-authorized? If not currently authorized, please describe the component(s), the role, and risk mitigation strategy.
- Does the solution integrate Advanced Threat Protection and DLP capabilities within UEBA functions? Is this licensed separately?
- Does the platform support application instance-level policy controls beyond static tenant ID enforcement?
- Does the platform provide the ability for VA to utilize built-in application decoders/parsers for bedrock applications to enable granular control (e.g., upload, delete, view, send, shutdown)?
- Does the solution support selective steering by app, user group, or device type? Can policies be tested with limited user groups prior to full deployment?
- How are tenant-specific Software as a Service (SaaS) app actions (e.g., Create within Contractor vs. VA Salesforce) treated differently in real-time traffic and policy logic?
- Does the platform allow for testing of SaaS instance-specific policies with subsets of users before full rollout?
- Can DLP, access, or coaching policies be uniquely applied based on the SaaS tenant instance (e.g., Contractor vs. VA Salesforce)?
- Can the platform apply DLP or access policies dynamically based on AI-driven user behavior or anomalies? Please provide examples.
- Can sanctioned and unsanctioned SaaS applications be discovered and enforced at the instance level (e.g., distinguishing contractor vs. corporate Salesforce)?
- Does the platform integrate with third-party classification engines; e.g. Microsoft Purview? If yes, please provide details of the integration, use cases and gaps.
- Does the platform support inline CASB capabilities for VA web applications supporting Veteran benefits programs?
- Does the solution meet cloud application applicable OMB M-21-31 EL1-EL3 logging visibility with 12 months of live-log storage within the tenant? In addition, are there any logging or storage costs incurred outside of the VA's required logging solution?
- Does the solution extend cloud application visibility, logging and compliance for secure web gateway connections to meet M-21-31 and Trusted Internet Connection (TIC) 3.0 Zero Trust and Continuous Diagnostics and Mitigation?

Corporate experience or expertise in performing these services and specific examples or references. Specific examples or references provided must include the agency, point of contact, dollar value, and contract number.

Your company's intent and ability to meet the set aside requirement in accordance with VAAR 852.219-10 (JAN 2023) (DEVIATION) VA Notice of Total Set-Aside for Certified SDVOSBs and 13 CFR §125.6, which states the contractor will not pay more than 50% of the amount paid by the Government to it to firms that are not SDVOSBs. Your response shall include information as to available personnel and financial resources; full names of proposed team members and the PD requirements planned to be subcontracted to them, which must include the prime planned percentage or the names of the potential team members that may be used to fulfill the set aside requirement.

Has the draft PD provided sufficient detail to describe the technical requirements that encompass the software development and production operations support services to be performed under this effort? _______ YES _______ NO (if No, answer question f)

If NO, please provide your technical comments/recommendations on elements of the draft PD that may contribute to a more accurate proposal submission and efficient, cost effective effort.

NOTE: Technical questions may be submitted as part of your response, however, questions directed to the customer are prohibited. All questions in response to this RFI shall be included in a separate word document titled, SASE RFI_Questions. The answers to all questions received will be posted prior to/with the Solicitation.

Responses are due no later than 2:00 PM EST, June 13, 2025 via email to Joshua Fitzmaurice, Contract Specialist at Joshua.Fitzmaurice@va.gov and Contracting Officer Mina Awad at Mina.Awad@va.gov. Please note Secure Access Service Edge in the subject line of your response. Mark your response as Proprietary Information if the information is considered business sensitive. The email file size shall not exceed 5 MB.

See Attached Document: SASE_DRAFT PD
 
Web Link
SAM.gov Permalink
(https://sam.gov/opp/8f6b7d77099045d4a55812cfec671e19/view)
 
Record
SN07466336-F 20250606/250604230053 (samdaily.us)
 
Source
SAM.gov Link to This Notice
(may not be valid after Archive Date)
