DA10--Alternative to BigFix Endpoint Management (VA-26-00012805)

REQUEST FOR INFORMATION Enterprise Server Endpoint Management Introduction: This is a Request for Information (RFI) only issued for conducting market research. Accordingly, this RFI constitutes neither a Request for Quote (RFQ), Request for Proposal (RFP), nor a guarantee that one will be issued by the Government in the future; furthermore, it does not commit the Government to contract for any services described herein. The Department of Veterans Affairs (VA) is not, at this time, seeking proposals or quotes, and therefore, will not accept, review, or evaluate unsolicited proposals or quotes received in response hereto. This notice is not to be construed as a commitment on the part of the Government to award a contract, nor does the Government intend to pay for any information submitted because of this request. The Government does not reimburse respondents for any costs associated with submission of the information being requested or reimburse expenses incurred for responses to this RFI. The information provided may be used by VA in developing its acquisition strategy and Performance Work Statement (PWS). Any information submitted by respondents to this RFI is strictly voluntary; however, any information received shall become the property of the Government and will not be returned to the respondent. Interested parties are responsible for adequately marking proprietary, restricted, or competition sensitive information contained in their response. This is a request for information and does not obligate the Government in any way, nor does it commit the Government to any specific course of action. Product information, brochures, part numbers, and/or other description information may be included with the submission. Requirement: The Department of Veterans Affairs (VA), Office of Information and Technology (OI&T), Office of Information Security (OIS), is presently using brand name HCL Technologies Limited (HCL) BigFix endpoint management software to facilitate endpoint management and security, remediation and sustainment throughout its vast network infrastructure. VA is seeking alternative products which can meet or exceed the capability of the currently deployed BigFix solution. The scope of this market research shall be no more than 150,000 clients/endpoints encompassing VA server and application infrastructure across on-premises, AWS and Azure environments. VA prioritizes the following capabilities of the currently deployed solution: Cross-OS Patch Manage and deploy patches across different operating systems including Windows Server, Linux, Solaris, and MacOS, ensuring all endpoints, regardless of their OS, are up-to-date and secure. Content must be available within 24 hours of release. Include support for customization of patch content detection and installation. Real-Time Compliance/Enforcement. Continuously monitor and enforce compliance policies in real-time, ensuring endpoints adhere to regulatory and internal standards. Continuous Diagnostic Monitoring (CDM). All Common Configuration Enumeration (CCE) and Common Vulnerability Enumeration (CVE) detection, remediation, and compliance monitoring must be real time. Offline/Air-Gapped Support Provide all capabilities, including patching and compliance capabilities for endpoints that are not always connected to the network, such as those in secure or isolated environments. Third-Party Patch Catalog Depth Offer an extensive library of patches for third-party applications, ensuring comprehensive coverage and security for various software programs. Role-Based Control / Least Privilege Implement role-based access controls, granting users the minimum necessary privileges to reduce security risks and enhance operational efficiency. Compliance Reporting Generate detailed compliance reports based on standards such as Security Technical Implementation Guides (STIG), Center for Internet Security (CIS) benchmarks, and United States Government Configuration Baseline (USGCB). Include support for customization of STIGs. Integration Seamlessly integrate with Configuration Management Databases (CMDB), Security Information and Event Management (SIEM) systems, Security Orchestration Automation and Response (SOAR) tools, Azure, AWS and ServiceNow, enhancing overall IT operations and security. Solution must support API integration. Software Distribution Manage the deployment of applications and updates across an organization, ensuring software consistency and reducing manual effort. Asset Discovery / Asset Management Identify and catalog all hardware and software assets on the network, providing comprehensive asset management and inventory capabilities. Must include customization of software and configuration discovery and detection. Vulnerability Correlation Correlate identified vulnerabilities with patch availability and other mitigations, prioritizing actions to improve security posture. Automation at Scale (500,000+ endpoints) Deliver automated management, patching, and compliance for large-scale environments, efficiently handling in excess of 500,000 endpoints. Federal Compliance Posture (FISMA/CDM) Ensure compliance with federal mandates such as the Federal Information Security Management Act (FISMA) and Continuous Diagnostics and Mitigation (CDM) program, supporting a robust security framework for government organizations. Provide a brief summary of your technical solution for meeting the requirements for an Enterprise Server Endpoint Management (see attached Draft PWS) specific to the following: Provide a brief description of your product and how it meets each of the 12 prioritized capabilities listed above; including elaboration on supported client versions, third party support catalog, patching and update capabilities. Please provide a Rough Order of Magnitude (ROM) cost estimate for delivering the professional services to meet the Draft PWS requirements. The ROM should include a detailed breakdown of costs associated with each service or activity to include labor categories and number of Full-Time Equivalents (FTEs). Does the draft PWS outline provide sufficient detail to describe the technical and functional requirements that encompass the requirement? If NO , please provide your technical and functional comments/recommendations/questions on elements of the draft outline that may contribute to a more accurate proposal submission and efficient, cost effective effort. Include the following identification information: Name of Company Address Point of Contact Phone Number Fax Number Email address Company Business Size NAICS code(s) Any Schedules held on General Services Administration (GSA), Government-Wide Acquisition Contracts (GWAC) held on the National Aeronautics and Space Administration (NASA) Solutions for Enterprise Wide Procurement (SEWP) V, or any other schedule not mentioned above to assist in determining acquisition strategy if you are included in one or more. Please also include Contract Number, expiration date, etc. For small business concerns, indicate whether at least 50 percent of the total amount paid by the Government will be paid to firms that are similarly situated. Service Disabled Veteran Owned Small Businesses (SDVOSB) and Veteran Owned Small Businesses (VOSB) must indicate whether at least 50% of the cost incurred would be expended for prime employees or employees of other eligible SDVOSB/VOSB firms. This should also include the prime planned percentage and if under 50%, the names of the potential team members that may be used to fulfill the 50% SDVOSB/VOSB requirement. If your company is a Small Business, also include the following: The intent and ability to meet set-aside requirements for performance of this effort. Information as to available personnel and financial resources to support a requirement of this magnitude. Information as to proposed team members, the percentage of work each is to perform and which PWS requirements would be subcontracted. Responses: Please submit a capability statement describing your company s ability to meet the overall requirement described and responses to the questions below. The capability statement shall be limited to 10 pages. Responses to this RFI shall be submitted via email to Angel Santos at Angel.Santos2@va.gov and Kendra Casebolt at Kendra.Casebolt@va.gov no later than 1PM EST on February 3, 2026. Please note RFI# 36C10B26Q0142 in the subject line of your email response.