DA10--Alternative to BigFix Endpoint Management (VA-26-00012805)

Active

Contract Opportunity

REQUEST FOR INFORMATION
Alternative to BigFix Endpoint Management

Introduction:

This is a Request for Information (RFI) only issued for conducting market research. Accordingly, this RFI constitutes neither a Request for Quote (RFQ), Request for Proposal (RFP), nor a guarantee that one will be issued by the Government in the future; furthermore, it does not commit the Government to contract for any services described herein. The Department of Veterans Affairs (VA) is not, at this time, seeking proposals or quotes, and therefore, will not accept, review, or evaluate unsolicited proposals or quotes received in response hereto. This notice is not to be construed as a commitment on the part of the Government to award a contract, nor does the Government intend to pay for any information submitted because of this request. The Government does not reimburse respondents for any costs associated with submission of the information being requested or reimburse expenses incurred for responses to this RFI. The information provided may be used by VA in developing its acquisition strategy and Performance Work Statement (PWS) or Product Description (PD). Any information submitted by respondents to this RFI is strictly voluntary; however, any information received shall become the property of the Government and will not be returned to the respondent. Interested parties are responsible for adequately marking proprietary, restricted, or competition sensitive information contained in their response. This is a request for information and does not obligate the Government in any way, nor does it commit the Government to any specific course of action. Product information, brochures, part numbers, and/or other description information may be included with the submission.

Requirement:
The Department of Veterans Affairs (VA), Office of Information and Technology (OI&T), Office of Information Security (OIS), is presently using brand name HCL Technologies Limited (HCL) BigFix endpoint management software to facilitate endpoint management and security, remediation and sustainment throughout its vast network infrastructure. VA is seeking alternative products which can meet or exceed the capability of the currently deployed BigFix solution.

The scope of this market research shall be no more than 150,000 clients/endpoints encompassing VA server and application infrastructure across on-premises, AWS and Azure environments.

VA prioritizes the following capabilities of the currently deployed solution:

Cross-OS Patch
Manage and deploy patches across different operating systems including Windows Server, Linux, Solaris, and MacOS, ensuring all endpoints, regardless of their OS, are up-to-date and secure. Content must be available within 24 hours of release. Include support for customization of patch content detection and installation.
Real-Time Compliance/Enforcement.
Continuously monitor and enforce compliance policies in real-time, ensuring endpoints adhere to regulatory and internal standards. Continuous Diagnostic Monitoring (CDM). All Common Configuration Enumeration (CCE) and Common Vulnerability Enumeration (CVE) detection, remediation, and compliance monitoring must be real time.

Offline/Air-Gapped Support
Provide all capabilities, including patching and compliance capabilities for endpoints that are not always connected to the network, such as those in secure or isolated environments.
Third-Party Patch Catalog Depth
Offer an extensive library of patches for third-party applications, ensuring comprehensive coverage and security for various software programs.

Role-Based Control / Least Privilege
Implement role-based access controls, granting users the minimum necessary privileges to reduce security risks and enhance operational efficiency.

Compliance Reporting
Generate detailed compliance reports based on standards such as Security Technical Implementation Guides (STIG), Center for Internet Security (CIS) benchmarks, and United States Government Configuration Baseline (USGCB). Include support for customization of STIGs.
Integration
Seamlessly integrate with Configuration Management Databases (CMDB), Security Information and Event Management (SIEM) systems, Security Orchestration Automation and Response (SOAR) tools, Azure, AWS and ServiceNow, enhancing overall IT operations and security. Solution must support API integration.
Software Distribution
Manage the deployment of applications and updates across an organization, ensuring software consistency and reducing manual effort.
Asset Discovery / Asset Management
Identify and catalog all hardware and software assets on the network, providing comprehensive asset management and inventory capabilities. Must include customization of software and configuration discovery and detection.
Vulnerability Correlation
Correlate identified vulnerabilities with patch availability and other mitigations, prioritizing actions to improve security posture.
Automation at Scale (500,000+ endpoints)
Deliver automated management, patching, and compliance for large-scale environments, efficiently handling in excess of 500,000 endpoints.
Federal Compliance Posture (FISMA/CDM)
Ensure compliance with federal mandates such as the Federal Information Security Management Act (FISMA) and Continuous Diagnostics and Mitigation (CDM) program, supporting a robust security framework for government organizations.
Responses:
Please submit a capability statement describing your company s ability to meet the overall requirement described and responses to the questions below. The capability statement shall be limited to 10 pages. Responses to this RFI shall be submitted via email to Angel Santos at Angel.Santos2@va.gov and Kendra Casebolt at Kendra.Casebolt@va.gov no later than 4PM EST on October 2, 2026. Please note RFI# 36C10B26Q0019 in the subject line of your email response.
Provide a brief summary of your technical solution for meeting the requirements for an alternative to BigFix Endpoint Management specific to the following:

Provide a brief description of your product and how it meets each of the 12 prioritized capabilities listed above; including elaboration on supported client versions, third party support catalog, patching and update capabilities.
Demonstrate experience with planning, implementation, and roll out of your product within an enterprise-wide system including deployment considerations and challenges as would be seen across the large VA landscape.
Please provide a high level BOM of software components and indicate whether your solution is perpetual or subscription based? Does the price include support or is that a separate line item? Please provide details for any AI/ML capabilities or feature sets required to meet requirements.

Do you offer a managed service for your proposed solution?

Please provide high level BOM of software components and services, and timeline, to include government authority to operate (16 weeks) and deployment/migration from existing BigFix Enterprise solution, to meet all 12 requirements listed above. Assume VA does not provide any governmental resources for this estimate and timeline; hosting infrastructure (compute, storage, network) shall be only Government provided components.

Do you offer a Software as a Service (SaaS) solution? If so, is your solution FEDRAMP certified?
What additional information would be needed to provide a firm fixed price quote for each item/task?

Include the following identification information:
Name of Company
Address
Point of Contact
Phone Number
Fax Number
Email address
Company Business Size
NAICS code(s)
Any Schedules held on General Services Administration (GSA), Government-Wide Acquisition Contracts (GWAC) held on the National Aeronautics and Space Administration (NASA) Solutions for Enterprise Wide Procurement (SEWP) V, or any other schedule not mentioned above to assist in determining acquisition strategy if you are included in one or more. Please also include Contract Number, expiration date, etc.
Socioeconomic data: If a small business, what type of small business are you? Are you able to comply with FAR 52.219-6 and 52.219-14 in execution of this effort? Are you able to comply with VAAR 852.219-10, VA Notice of Total Service-Disabled Veteran-Owned Small Business Set-Aside and with subcontracting limitations in 13 CFR 125.6 in execution of this effort?

Is your company currently providing similar services to any government agency or other non-government customers? If so, please identify the agency or non-government customer. If you are unwilling to share your customers' identity, please address whether your company offers the same or similar services, commercially (outside the federal government).

VA is requesting assistance in obtaining rough estimated pricing for the product detailed above. The results of the estimated pricing and technical capabilities may be used to finalize the VAs requirements prior to issuing a solicitation. Please provide a Rough Order of Magnitude (ROM) for the product/solution being proposed if possible.

Post RFI Phase
VA envisions that once RFI responses are reviewed, select responders may be invited to provide a face-to-face or telephonic briefing to VA personnel to answer additional questions with respect to the response given. VA retains sole discretion of whether any post RFI briefings are warranted and which industry partners may be invited to provide additional market research information.
Based on market research results, the RFP/RFQ may be made available on SAM.gov. It is the responsibility of interested parties to regularly monitor the SAM.gov Website for updates. The government will not provide hard copies of the solicitation once issued. Interested parties are responsible for monitoring the website and downloading the solicitation, its attachments, and any amendments from the internet site identified above when/if issued. All information regarding the procurement is provided herein, and no additional information shall be provided at this time.

OFFERORS ARE ADVISED THAT THIS REQUIREMENT MAY BE DELAYED, CANCELED, OR REVISED AT ANY TIME

Attachments/Links