Loren Data's SAM Daily™

 fbodaily.com
Home Today's SAM Search Archives Numbered Notes CBD Archives Subscribe
SAMDAILY.US - ISSUE OF JULY 16, 2025 SAM #8633
SOURCES SOUGHT

D -- Zero Trust Application Realtime Protection (ZARP) (VA-25-00093376)

Notice Date
7/14/2025 4:05:28 PM
 
Notice Type
Sources Sought
 
NAICS
541519 — Other Computer Related Services
 
Contracting Office
TECHNOLOGY ACQUISITION CENTER NJ (36C10B) EATONTOWN NJ 07724 USA
 
ZIP Code
07724
 
Solicitation Number
36C10B25Q0429
 
Response Due
7/16/2025 9:00:00 AM
 
Archive Date
08/15/2025
 
Point of Contact
Michael Berberich, Contract Specialist
 
E-Mail Address
michael.berberich@va.gov
(michael.berberich@va.gov)
 
Awardee
null
 
Description
QUESTION: Can you list the number of applications and break out how they are hosted? Interested in the number of container nodes, VMs, Serverless functions, etc. ANSWER: VA does not publish its application inventory at the market-research (RFI) stage.� The exact number of applications and their hosting breakdown across on-premises data centers, VA Enterprise Cloud (AWS GovCloud US & Azure Government), and other environments will be provided to the selected vendor during post-award discovery and onboarding. QUESTION: Could the Government clarify whether Elastic SIEM integration is a requirement or if Splunk-only integration would be sufficient? ANSWER: Splunk-only Integration is sufficient QUESTION: Are there specific Splunk configurations or deployment models (cloud, on-premises, or hybrid) that the solution must support? ANSWER: The ZARP solution must cleanly support on-prem, cloud, and hybrid Splunk ingestion. QUESTION: Do you require SPUNK pricing in the ROM? ANSWER: No QUESTION: SOAR Platforms (Swimlane): Are there particular Swimlane integrations or workflows that the solution should accommodate to align with VA s current SOAR environment? ANSWER: At this stage we are not releasing VA-specific Swimlane playbooks or connector details. QUESTION: Which IAM systems are deployed within VA (e.g., Microsoft Azure AD, Okta, Ping Identity), and are there specific protocols (SAML, OAuth, OpenID Connect) required for integration? ANSWER: The VA uses multiple IAM services in a hybrid on-prem / cloud environment. More details will be furnished to the selected vendor during post-award discovery and onboarding. QUESTION: Given the use of Tenable for vulnerability management, are there specific integration requirements or use cases VA expects? Additionally, could VA identify CI/CD platforms in use (e.g., Jenkins, GitLab, Azure DevOps) that the solution should integrate with? ANSWER: VA uses several CI/CD pipelines. � Pipeline details are sensitive and will be shared only with the awardee under post-award security procedures. QUESTION: To provide a meaningful Rough Order of Magnitude (ROM) for the ZARP RFI, could the government provide approximate counts of workloads (VMs, containers, serverless functions) and anticipated data ingestion volumes for SIEM/SOAR integration? ANSWER: The requested information is not available QUESTION: Please clarify which Prisma Cloud modules (e.g., WAAS, CWPP, CSPM) VA expects vendors to include. ANSWER: WAAS & CWPP QUESTION: For scoping the number of VA workloads, how many on-premise container hosts will the solution need to support? ANSWER: The requested information is not available QUESTION: For scoping the number of VA workloads, how many K8 worker nodes will the solution need to support? ANSWER: The requested information is not available QUESTION: For scoping the number of VA workloads, how many serverless containers (AWS-Fargate / Azure ACI) will the solution need to support? ANSWER: The requested information is not available QUESTION: Can the VA confirm the solution must be capable of Runtime Application Self Protection (RASP)? ANSWER: Yes, the solutions must be capable of Runtime Application Self Protection QUESTION: Will the proposed zero trust solution require traffic visibility and enforcement aspects of ZTS Zero Trust Segmentation (or micro-segmentation), or will it be primarily based on North-South subnet-based enforcement? ANSWER: This RFI covers runtime-application and workload protection (ZARP).� Network-level Zero Trust Segmentation (micro-segmentation) is handled by separate VA controls. The solution must inspect and enforce at Layer 7 for both North-South traffic (ingress/egress) and East-West traffic that remains within a subnet or host. Detailed integration points with VA s ZTS environment will be defined during post-award discovery. QUESTION: What is the scope of number of locations, workloads, applications as part of this solicitation or any other details you can provide that would be helpful for vendors? ANSWER: This information is not available QUESTION: Is the request for this new solution replacing existing technology and what is the existing solution today? ANSWER: There is no existing solution QUESTION: Is the VA using any segmentation solutions today within this environment and what is the technology being used? ANSWER: The specific vendors, products, and policy schemas are considered sensitive architecture details and will be disclosed only to the awardee under post-award security procedures. QUESTION: What GWACs is the VA currently considering for this procurement? Is GSA VETS 2 being considered? ANSWER: To be determined. The contract vehicle will be determined based on the responses received from the RFI. Please provide any existing contract vehicles per RFI Submittal Information paragraph 3(g).
 
Web Link
SAM.gov Permalink
(https://sam.gov/opp/689132701f7541739923ed6f0da40984/view)
 
Record
SN07508695-F 20250716/250714230051 (samdaily.us)
 
Source
SAM.gov Link to This Notice
(may not be valid after Archive Date)
FSG Index  |  This Issue's Index  |  Today's SAM Daily Index Page |
ECGrid: EDI VAN Interconnect ECGridOS: EDI Web Services Interconnect API Government Data Publications CBDDisk Subscribers
 Privacy Policy  Jenny in Wanderland!  © 1994-2024, Loren Data Corp.