DA01--NBEKRSS (VA-26-00031146) Professional Service - Network Based Encryption Key Recovery Storage Solution

Introduction This Request for Information (RFI) is for planning purposes only and shall not be considered an Invitation for Bid, Request for Task Execution Plan, Request for Quotation or a Request for Proposal. Additionally, there is no obligation on the part of the Government to acquire any products or services described in this RFI. Your response to this RFI will be treated only as information for the Government to consider. You will not be entitled to payment for direct or indirect costs that you incur in responding to this RFI. This request does not constitute a solicitation for proposals or the authority to enter into negotiations to award a contract. No funds have been authorized, appropriated or received for this effort. Interested parties are responsible for adequately marking proprietary, restricted or competition sensitive information contained in their response. The Government does not intend to pay for the information submitted in response to this RFI. The North American Industry Classification System (NAICS) for this requirement is projected to be 541519 with a size standard of $34 million. VA is contemplating a potential requirement to renew software maintenance and support of its deployed Network-based Encryption Key Recovery Storage System (NBEKRSS) solution. VA is conducting Market Research into potential providers of that software maintenance, as well as assessing the market conditions for new potential entrants and capabilities of like solutions. At this time, VA is conducting research, and as such this RFI shall not bind VA in any way. See attached draft Product Description for additional details. 2. Submittal Information: All responsible sources may submit a response in accordance with the information below. There is a page limitation for this RFI of 15 pages. The Government will not review any other information or attachments included that are in excess of the (15) page limit. NO MARKETING MATERIALS ARE ALLOWED AS PART OF THIS RFI. Generic capability statements will not be accepted or reviewed. Your response must address capabilities specific to the services required in the attached PD and must include the following: Interested Vendors shall at a minimum provide the following information in the initial paragraph of the submission [For SDVOSBs and VOSB, proof of verification in SBA Small Business Search (SBS) website https://search.certifications.sba.gov/]: Name of Company Address Point of Contact Phone Number Email address Commercial and Government Entity (CAGE) Code Unique Entity Identifier (UEI) Company Business Size and Status North American Industry Classification System (NAICS) code Socioeconomic data Existing Contractual Vehicles (Governmentwide Acquisition Contract (GWAC), Federal Supply Schedule (FSS), etc.) Provide a summary of your ability to meet the requirements contained within the draft Product Description (PD) for the following areas: 1. Company Qualifications and Product Overview Describe your organization s experience providing enterprise on premises cryptographic or key management software to federal agencies of comparable scale to the Department of Veterans Affairs. Provide a high level description of your encryption key recovery storage system and its primary functional components. Include Certificate Authority (CA) and Hardware Security Module (HSM) integration experience and any requirements/limitations for the configurations. Identify any existing contract vehicles under which your product and support services are offered. Confirm whether your product fully supports a customer applied update model in an on premises, non cloud environment. 2. Federal Public Key Infrastructure (PKI) and Security Compliance Explain how your solution complies with: Federal PKI policy requirements National Institute of Standards and Technology (NIST) cryptographic standards Federal Information Processing Standard (FIPS) 140 2 or 140 3 validated modules Provide documentation or references validating these claims. 3. Licensing Model Provide your pricing/licensing structure, including: Perpetual vs subscription licensing Per user, per server, per appliance, or usage based metrics Any separate costs for HSM/CA integration or PKI modules 4. Release Management & Patching Describe how all software updates can be provided to the VA (e.g., secure download portal, customer portal, offline packages), ensuring that: All updates can be applied by VA personnel only No contractor login to VA systems is required No remote access sessions into the VA environment are required Explain your software maintenance lifecycle for: Patches Security updates Hotfixes Major/minor version releases Describe your approach to ensuring patches and updates do not disrupt operational cryptographic workflows, including how VA staff can validate updates in an offline or isolated environment. 5. Technical Support Model Describe your technical support offerings including: Tiers of support Response times Availability (business hours vs 24/7) Escalation procedures Describe your technical support model, including: How troubleshooting is performed without contractor access to VA networks or systems Methods for VA only log collection, diagnostic exports, or offline troubleshooting Escalation processes that do not require direct access to VA infrastructure Provide your Corporate Service Line experience or expertise in performing these services and specific examples or references. Specific examples or references provided must include the agency, point of contact, dollar value, and contract number. Has the draft PD provided sufficient detail to describe the technical requirements that encompass the software development and production operations support services to be performed under this effort. ______ YES _______ NO (if No, answer question below) If NO , please provide your technical comments/recommendations on elements of the draft PD that may contribute to a more accurate proposal submission and efficient, cost-effective effort. Responses are due no later than March 23, 2025 via email to Dennis.Simms@va.gov and Michael.Weckesser@va.gov. Please note Network-based Encryption Key Recovery Storage System in the subject line of your response. Mark your response as Proprietary Information if the information is considered business sensitive. The email file size shall not exceed 5 MB. See attached document: NBEKRSS PD.