VETERANS AFFAIRS, DEPARTMENT OF USA Tender
Summary
DA01--Zero Trust Application Realtime Protection (ZARP) RFI (VA-25-00050847)
Description
Request for Information

Department of Veterans Affairs
Request for Information (RFI)
Production Web Application Protection

This is a Request for Information (RFI) only. Do not submit a quote. This RFI is for planning purposes only and shall not be considered a request for quotation. Additionally, there is no obligation on the part of the Government to acquire any products or services described in this RFI. Your response to this RFI will be treated only as information for the Government to consider. You will not be entitled to payment for direct or indirect costs that you incur in responding to this RFI. This request does not constitute a solicitation for quotes or the authority to enter into negotiations to award a task order. No funds have been authorized, appropriated or received for this effort. The information provided may be used by the Department of Veterans Affairs (VA) in developing its acquisition strategy. Interested parties are responsible for adequately marking proprietary, restricted or competition-sensitive information contained in their response. The Government does not intend to pay for the information submitted in response to this RFI.

The Government requests industry to review and provide commentary on the Government's requirement detailed below. The Government intends to review RFI responses to exchange information and improve industry's understanding of the Government requirement and the Government's understanding of industry capabilities. This will allow potential offerors to judge whether or how they can satisfy the Government's requirements and enhance the Government's ability to obtain quality supplies and services.

Submittal information: All responsible sources may submit a response in accordance with the below information. As part of your market research response, please provide a 10-page submission detailing similar work experience to that of the Government's requirement detailed below.
Interested vendors shall provide constructive comments and/or feedback regarding the following elements of the proposed procurement:
- Proposed contract type: Firm Fixed Price
- Schedule: base year plus four (4) option years
- Industry to propose a contract line-item number (CLIN)/price structure and deliverables
- Industry to propose the team level of effort and labor categories
- Feasibility of the requirement, including performance requirements
- Any other industry concerns, comments, or questions

Interested vendors shall provide the following information in the initial paragraph of the submission:
- Name of company
- Address
- Point of contact
- Phone number
- Email address
- Company business size and status under the following North American Industry Classification System (NAICS) code: 541519, Other Computer Related Services, with a size standard of $34 million
- Existing contractual vehicles (GWAC, FSS, MAC, SEWP), to include the contract and schedule numbers
- Socioeconomic data (for Veteran-Owned Small Businesses (VOSB) and Service-Disabled Veteran-Owned Small Businesses (SDVOSB), proof of verification in Small Business Administration (SBA) Veteran Small Business Certification (VetCert))
- Indicate whether you can comply with the limitations on subcontracting at VA Acquisition Regulation (VAAR) 852.219-73, VA Notice of Total Set-Aside for Certified Service-Disabled Veteran-Owned Small Businesses, or VAAR 852.219-74, VA Notice of Total Set-Aside for Certified Veteran-Owned Small Businesses
- System for Award Management unique identity identification number

While not required, artifacts supporting your submission may be submitted to better demonstrate the above. The artifacts can be in addition to the page limit. There are no specific submission requirements other than the page limit, but the Government requests that it not be inundated with marketing materials or peripheral content, and that the submission be readable.
Contractor response: All contractor questions are required to be submitted via email no later than 12:00 PM ET, February 28, 2025, to Michael Berberich, Contract Specialist, at Michael.berberich@va.gov and Contracting Officer David Long at David.long4@va.gov. Once all of the questions have been received, the Government will provide a response and extend the RFI an additional four business days to allow industry time to provide their formal response.

Government requirement: VA requires a comprehensive application security solution to protect applications from exploitation by threat actors, unauthorized system access, data breaches, and service disruptions. The solution shall address vulnerabilities as defined by the Open Worldwide Application Security Project (OWASP) that may not be caught during static scanning in software development.

Key challenges this solution shall address include:
- Protection against known OWASP vulnerabilities
- Defense against zero-day attacks through runtime protection
- Support for both modern and legacy applications across diverse operating systems
- Integration with existing VA security infrastructure, including Palo Alto Next Generation Firewalls (NGFW)
- Enterprise scalability, while starting with an initial deployment of 100 systems
- Minimal performance impact on protected applications
- Comprehensive logging and security analytics capabilities

The vendor shall provide details on the solution, including:
- Hardware and software required
- Hardware, software and/or cloud requirements
- Installation requirements
- Licensing (including type of licensing, i.e., annual, perpetual, etc.) and maintenance requirements
- What is included with licensing and maintenance
- Description of warranty
- Adapter requirements
- Description of training for Government full-time equivalent (FTE) employees
- Operation/customization capabilities of the solution
- Virtual lab usage and materials
- Description of professional services provided
- Any features not specifically mentioned, but which may be required and necessary for the completeness and efficient performance of the proposed solution as an operating entity

Appendix A, Detailed Operating and Capability List (see below), includes a full list of requirements that the vendor is requested to provide a response to. For each line, a response shall be provided about whether the solution can fully meet the requirement or not, as shown with the check boxes.

Parameters include:
- The solution shall provide both Web Application Firewall (WAF) and Runtime Application Self-Protection (RASP) capabilities, either as an integrated platform or as compatible, interoperable components with the existing Next Generation Firewalls (NGFW).
- The solution shall be scalable to protect at least 1,000 web applications across the VA's infrastructure, with the capability to expand to 1,500 applications within two years.
- The solution shall support both on-premises and cloud-based deployments, including hybrid environments, aligning with the VA's cloud migration strategy.
- The solution shall offer centralized management and monitoring capabilities for all protected applications, providing a single-pane-of-glass view for security operations.
- The solution shall be a comprehensive, vendor-managed system that includes ongoing support, maintenance, updates, performance monitoring, and reporting. The reporting must feature metrics and benchmarks to demonstrate the effectiveness of the solution.
- The solution shall interface and provide integrations to VA Security Information and Event Management (SIEM), Continuous Monitoring (ConMon), and incident response platforms (e.g., Splunk, ServiceNow).
- The solution must comply with relevant Government security standards, including the Federal Information Security Management Act of 2002 (FISMA), the Federal Risk and Authorization Management Program (FedRAMP), and Federal Information Processing Standard Publication 140-2 (FIPS PUB 140-2), while maintaining compliance with evolving regulations and emerging federal standards such as the latest National Institute of Standards and Technology (NIST) updates.

Additional questions to be answered by industry in the RFI response:
- Licensing: What is included as part of the licensing model (i.e., perpetual, concurrent, subscription-based, proprietary, network, other)? Is support included as a part of licensing? Does the license have the flexibility to increase licenses to your current configurations over time? Do the licenses need to be installed, or can VA install?
- Please describe what is included in ongoing support, maintenance, updates, and performance monitoring.
- What metrics and benchmarks do you provide that measure and prove the effectiveness of the solution in protecting applications?
- Maintenance: Will the maintenance renewal be annual, or can you provide a quote to estimate for 4 (four) years of maintenance? What does the maintenance renewal cover (updates, patches, support, etc.)?
- Training: What type of software training is offered (i.e., user training, technical training/knowledge transfer, etc.)? How many days does software training consist of? Is the training on-site, remote, or virtual? What is the cost of training?
- Please provide a pricing estimate for an enterprise license, to include a proof-of-concept funding scenario for 6 months, annual maintenance costs or annual licensing costs, any additional support costs, any additional service costs, training costs, and any costs not otherwise specified or identified.
- How is the effectiveness of the proposed solution measured?
Appendix A: Detailed Operating and Capability List

The contractor shall provide a response to each line in the list. Responses requested for each line are Fully Capable or Not Capable. (Table columns: Item #, Requirement, Fully Compliant, Not Compliant.)

1. Runtime threat detection and prevention
   - Provide real-time threat detection and prevention at the application runtime, with a response time of less than 10 milliseconds.
   - Protect against zero-day vulnerabilities and novel attack vectors, with the demonstrated ability to prevent previously unknown attacks.

2. Application compatibility and performance impact
   - Support major programming languages and frameworks used by the VA, including but not limited to Java, .NET, Python, and Node.js.
   - Be fully compatible with both legacy and modern VA applications, enabling protection without requiring extensive modifications to existing systems.
   - Maintain less than 5% overhead in application response times, even under high-load transaction scenarios, to ensure negligible impact on end-user experience and application functionality.

3. Traffic inspection and filtering (WAF/NGFW)
   - Inspect and filter all incoming Hypertext Transfer Protocol (HTTP)/Hypertext Transfer Protocol Secure (HTTPS) traffic, with the capacity to process at least 100,000 requests per second during peak usage without compromising performance.
   - Support both positive security models (allowlisting) and negative security models (blocklisting), with the flexibility to switch or combine models based on application-specific requirements.
   - Provide robust protection against the OWASP Top 10 vulnerabilities, with regular signature and behavior-based updates to address emerging threats and attack techniques.
   - Achieve a 50% reduction in successful web application attacks within the first year of full implementation, as verified through periodic security incident reports and analytics.

4. Protocol validation and bot mitigation
   - Must validate HTTP/HTTPS protocols to prevent protocol-based attacks, including HTTP desync attacks.
   - Offer Transport Layer Security (TLS)/Secure Sockets Layer (SSL) termination and inspection capabilities, supporting TLS 1.2 and 1.3.
   - Include advanced bot detection and mitigation capabilities using artificial general intelligence (AI) and machine learning, with a false positive rate of less than 0.1% to 1%.

5. Distributed denial-of-service (DDoS) protection and performance
   - Provide protection against application layer (Layer 7) DDoS attacks, capable of mitigating attacks of up to 10 Gbps.
   - Offer integration with network-layer DDoS protection solutions already in use by the VA, including the NGFW.

6. Cross-system integration
   - Integrate with existing VA Security Information and Event Management (SIEM) systems, including [specific SIEM solution used by VA], with bi-directional data flow from NGFW, WAF, and RASP.
   - Provide APIs for custom integrations with other VA security tools, including [list of specific tools used by VA], with comprehensive documentation and support.

7. Identity and access management
   - Integrate with the VA's identity and access management systems, including Okta and Active Directory, ensuring role-based access control across NGFW, WAF, and RASP.
   - Offer unified threat intelligence across all components, with the ability to share threat data across the entire VA network.

8. Compatibility and configuration
   - Integrate seamlessly with the VA's existing Palo Alto NGFW solution, ensuring no disruption to existing configurations.
   - The solution shall synchronize security policies across NGFW, WAF, and RASP to prevent conflicts and ensure a unified approach to traffic inspection and filtering.
   - The NGFW must retain its role in network-layer protection while delegating application-layer protection to WAF and runtime threat prevention to RASP.

9. Data flow and protocols
   - The integration shall support bi-directional data flow between NGFW, WAF, and RASP, allowing threat intelligence and logs to be shared across systems.
   - The solution shall support standard communication protocols such as HTTP, HTTPS, and TLS 1.2/1.3, and integration with SIEM systems already used by the VA.

10. Performance and monitoring
   - The integrated solution shall maintain optimal performance with minimal impact on network latency, ensuring that traffic inspection remains efficient across all three systems.
   - Monitoring shall occur through a centralized dashboard that aggregates logs and performance metrics from NGFW, WAF, and RASP.

11. Centralized monitoring and reporting
   - Provide a unified dashboard for monitoring NGFW, WAF, and RASP security events, with real-time updates and customizable alerts.
   - Offer customizable views for different stakeholders (e.g., security teams, application owners, executives), with role-based access control.
   - Provide detailed logging of security events from NGFW, WAF, and RASP, with log retention for at least one year to support forensic analysis.

12. Performance scalability
   - Maintain high availability and fault tolerance across all systems, with 99.99% uptime guaranteed.
   - Support active-active configurations for high traffic volumes, capable of load balancing across multiple data centers.

13. Unified deployment and management
   - Support various deployment options (e.g., agent-based or container-based for RASP; appliance-based or cloud-based for WAF), compatible with VA's existing infrastructure.
   - Provide centralized policy management, allowing for consistent policy enforcement across all VA facilities.
   - Support policy version control and rollback capabilities across all systems, with the ability to track changes and revert to previous configurations if needed.

14. Compliance
   - Aid in meeting and demonstrating compliance with FISMA, HIPAA, and FedRAMP requirements, providing necessary documentation and audit support.
   - Provide data masking capabilities to protect sensitive Veteran information, including Social Security numbers, health records, and personal identifiers.

15. Security
   - Support encryption of data in transit and at rest, using FIPS 140-2 validated cryptographic modules across all integrated systems.
   - Provide audit trails for all administrative actions and policy changes, with tamper-evident logging for NGFW, WAF, and RASP.
   - Provide a FedRAMP authorization if cloud deployed, and support for an Authority to Operate (ATO) in the VA Risk Management Framework (RMF).

16. Interfaces
   - Provide integrations to VA's SIEM, ConMon, and incident response platforms.
Contact
Tender ID: 36C10B25P0189
Tender No: 36C10B25P0189
Tender Authority: VETERANS AFFAIRS, DEPARTMENT OF USA
Purchaser Address: -
Website: http://beta.sam.gov