DJ01--Zero Trust Application Realtime Protection (ZARP) (VA-25-00093376)
| Location: | Federal |
|---|---|
| Posted: | Jul 8, 2025 |
| Due: | Jul 16, 2025 |
| Agency: | VETERANS AFFAIRS, DEPARTMENT OF |
| Type of Government: | Federal |
| Category: |
|
| Solicitation No: | 36C10B25Q0429 |
| Publication URL: | To access bid details, please log in. |
Follow
Active
Contract Opportunity
Notice ID
36C10B25Q0429
Related Notice
Department/Ind. Agency
VETERANS AFFAIRS, DEPARTMENT OF
Sub-tier
VETERANS AFFAIRS, DEPARTMENT OF
Office
TECHNOLOGY ACQUISITION CENTER NJ (36C10B)
Looking for contract opportunity help?
APEX Accelerators are an official government contracting resource for small businesses. Find your local APEX Accelerator (opens in new window) for free government expertise related to contract opportunities.
APEX Accelerators are funded in part through a cooperative agreement with the Department of Defense.
The APEX Accelerators program was formerly known as the Procurement Technical Assistance Program (opens in new window) (PTAP).
- Contract Opportunity Type: Sources Sought (Original)
- Original Published Date: Jul 08, 2025 05:24 pm EDT
- Original Response Date: Jul 16, 2025 12:00 pm EDT
- Inactive Policy: Manual
- Original Inactive Date: Aug 15, 2025
-
Initiative:
- None
- Original Set Aside:
- Product Service Code: DJ01 - IT AND TELECOM - SECURITY AND COMPLIANCE SUPPORT SERVICES (LABOR)
-
NAICS Code:
- 541519 - Other Computer Related Services
-
Place of Performance:
,
DESCRIPTION
Department of Veterans Affairs
Request for Information (RFI)
Zero Trust Application Runtime Protection (ZARP)
This is a Request for Information (RFI) only. Do not submit a quote. This RFI is for planning purposes only and shall not be considered a Request for Quotation. Additionally, there is no obligation on the part of the Government to acquire any products or services described in this RFI. Your response to this RFI will be treated only as information for the Government to consider. You will not be entitled to payment for direct or indirect costs that you incur in responding to this RFI. This request does not constitute a solicitation for quotes or the authority to enter into negotiations to award a task order. No funds have been authorized, appropriated or received for this effort. The information provided may be used by the Department of Veterans Affairs (VA) in developing its acquisition strategy. Interested parties are responsible for adequately marking proprietary, restricted or competition sensitive information contained in their response. The Government does not intend to pay for the information submitted in response to this RFI.
The Government requests Industry to review and provide commentary on the Governments requirement detailed below. The Government intends to review RFI responses to exchange information and improve industry s understanding of the Government requirement and the Government s understanding of industry capabilities. This will allow potential offerors to judge whether or how they can satisfy the Government s requirements and enhance the Government s ability to obtain quality supplies and services.
SUBMITTAL INFORMATION:
All responsible sources may submit a response in accordance with the below information. As part of your market research response, please provide a (10-page limit) submission detailing a solution that meets or exceeds the Government s requirement detailed below.
Interested vendors shall provide constructive comments and/or feedback regarding the following elements of the proposed procurement:
Proposed contract type: Firm Fixed Price
Schedule: Base Year plus four (4) option years
Industry to suggest a Contract Line-Item Number (CLIN)/Price Structure and deliverables.
Industry to provide a Rough Order of Magnitude (ROM) to include level of effort, associated labor categories and estimated pricing
Feasibility of the requirement, including performance requirements
Industry to provide part numbers (if applicable).
Any other industry concerns, comments, or questions
Interested Vendors shall provide the following information in the initial paragraph of the submission:
Name of Company
Address
Point of Contact
Phone Number
Email address
Company Business Size and Status under the following North American Industry Classification System (NAICS) Code: 541519 Other Computer Related Services with a Size Standard of $34 Million.
Existing Contractual Vehicles (GWAC, FSS, MAC, SEWP) to include the contract and schedule numbers.
Socioeconomic data (For Veteran-Owned Small Business (VOSB) and Service-Disabled Veteran-Owned Small Business (SDVOSB)s, proof of verification in Small Business Administration (SBA) Veteran Small Business Certification (VetCert))
Indicate whether you can comply with the limitations on subcontracting at VA Acquisition Regulation (VAAR) 852.219-73, VA Notice of Total Set-Aside for Certified Service-Disabled Veteran-Owned Small Businesses or VAAR 852.219-74 VA Notice of Total Set-Aside for Certified Veteran-Owned Small Businesses
System for Award Management Unique Identity Identification Number
While not required, artifacts supporting your submission may be submitted to better demonstrate the above. The artifacts can be in addition to the page limit.
There are no specific submission requirements other than the page limit, but the Government requests that it not be inundated with marketing materials or peripheral content, and that the submission be readable.
CONTRACTOR RESPONSE:
All Contractors shall submit via email to Michael Berberich, Contract Specialist at michael.berberich@va.gov and Contracting Officer Jason King at jason.king6@va.gov. Any/all questions from industry must be submitted by close of business (COB) on 7/11/25. The Government intends to have all questions answered and posted by COB on 7/14/25. Final responses are due no later than 12:00 PM ET, July 16, 2025.
GOVERNMENT REQUIREMENT:
Introduction / Background: The Department of Veterans Affairs (VA) is conducting market research to identify capable vendors that can deliver a comprehensive, turnkey solution for application and API runtime protection across VA's enterprise environments. This initiative, titled Zero Trust Application Runtime Protection (ZARP), supports the agency's cybersecurity modernization goals under Executive Order 14028 and the VA's Zero Trust Architecture Strategy.
The ZARP initiative is focused on runtime protection for web applications, APIs, and associated workloads. It will prioritize VA mission critical systems to include support for both externally facing and non-web-based services.
Purpose of this RFI This RFI seeks industry feedback and solution concepts from qualified vendors. The Government intends to use responses to:
Validate technical feasibility and market availability
Refine its acquisition strategy
Determine industry capacity to meet ZARP objectives
Identify best practices and potential innovations
Scope of the ZARP Solution This solution must be delivered as a total turnkey implementation, meaning the contractor shall be responsible for all components and phases of delivery without reliance on VA-led development or integration efforts. The VA seeks a commercial off the shelf (COTS) solution that provides end-to-end protection for web applications, APIs, and critical backend services across VA s hybrid environments.
VA is interested in Palo Alto s Prisma Cloud Enterprise Edition or similar. Vendors are encouraged to propose alternative or equivalent solutions if they can clearly demonstrate equal or superior functionality, integration maturity, and compliance with federal standards.
Salient Characteristics Respondents should confirm their solution supports or addresses the following key characteristics:
Turnkey Delivery Model
Implementation and integration
Solution process design and configuration
Documentation and training
Operational support (including 24/7 monitoring and incident response)
Supporting the Authority to Operate (ATO) process
Runtime Protection Scope
Coverage of cloud-native, web-facing and non-web workloads (e.g., internal APIs, headless services)
Support for host-based, container, and serverless applications
Support for monolithic, microservice, containerized, and serverless architectures
Capable of protecting on-prem or VA Enterprise Cloud (VAEC) environments
Platform Capabilities
Web Application and API Security (WAAS)
Cloud Workload Protection Platform (CWPP)
Compute Defender or equivalent functionality
Runtime policy enforcement, threat detection, and virtual patching
Compliance
FedRAMP-authorized (Moderate or High) for SaaS
Applicable legislation (e.g. FISMA, NIST 800-53 and CISA directives)
Tool Integration Support
SIEM (Splunk, Elastic)
SOAR platforms
Identity and Access Management systems
Vulnerability Management and CI/CD pipelines
Measurable Outcomes
Reduction in successful exploits and faster Mean time to detect (MTTD) / Mean time to respond (MTTR)
Capable of achieving a true-positive detection rate of at least 98% and cross-over error rate of no more than 2%, as measured against independent OWASP Benchmarks or equivalent tests
Requested Information from Respondents
Vendors are encouraged to provide the following:
A description of their proposed solution, including people processes and technologies
A response matrix mapping their solution to each of the salient characteristics
Details of past performance with similar enterprise security deployments, especially within federal environments
Licensing models and scalability options
Key differentiators or innovations
Any anticipated deployment challenges and mitigation strategies
Any recommended additions, corrections, or clarifications to the scope or requirements described in this RFI
Department of Veterans Affairs
Request for Information (RFI)
Zero Trust Application Runtime Protection (ZARP)
This is a Request for Information (RFI) only. Do not submit a quote. This RFI is for planning purposes only and shall not be considered a Request for Quotation. Additionally, there is no obligation on the part of the Government to acquire any products or services described in this RFI. Your response to this RFI will be treated only as information for the Government to consider. You will not be entitled to payment for direct or indirect costs that you incur in responding to this RFI. This request does not constitute a solicitation for quotes or the authority to enter into negotiations to award a task order. No funds have been authorized, appropriated or received for this effort. The information provided may be used by the Department of Veterans Affairs (VA) in developing its acquisition strategy. Interested parties are responsible for adequately marking proprietary, restricted or competition sensitive information contained in their response. The Government does not intend to pay for the information submitted in response to this RFI.
The Government requests Industry to review and provide commentary on the Governments requirement detailed below. The Government intends to review RFI responses to exchange information and improve industry s understanding of the Government requirement and the Government s understanding of industry capabilities. This will allow potential offerors to judge whether or how they can satisfy the Government s requirements and enhance the Government s ability to obtain quality supplies and services.
SUBMITTAL INFORMATION:
All responsible sources may submit a response in accordance with the below information. As part of your market research response, please provide a (10-page limit) submission detailing a solution that meets or exceeds the Government s requirement detailed below.
Interested vendors shall provide constructive comments and/or feedback regarding the following elements of the proposed procurement:
Proposed contract type: Firm Fixed Price
Schedule: Base Year plus four (4) option years
Industry to suggest a Contract Line-Item Number (CLIN)/Price Structure and deliverables.
Industry to provide a Rough Order of Magnitude (ROM) to include level of effort, associated labor categories and estimated pricing
Feasibility of the requirement, including performance requirements
Industry to provide part numbers (if applicable).
Any other industry concerns, comments, or questions
Interested Vendors shall provide the following information in the initial paragraph of the submission:
Name of Company
Address
Point of Contact
Phone Number
Email address
Company Business Size and Status under the following North American Industry Classification System (NAICS) Code: 541519 Other Computer Related Services with a Size Standard of $34 Million.
Existing Contractual Vehicles (GWAC, FSS, MAC, SEWP) to include the contract and schedule numbers.
Socioeconomic data (For Veteran-Owned Small Business (VOSB) and Service-Disabled Veteran-Owned Small Business (SDVOSB)s, proof of verification in Small Business Administration (SBA) Veteran Small Business Certification (VetCert))
Indicate whether you can comply with the limitations on subcontracting at VA Acquisition Regulation (VAAR) 852.219-73, VA Notice of Total Set-Aside for Certified Service-Disabled Veteran-Owned Small Businesses or VAAR 852.219-74 VA Notice of Total Set-Aside for Certified Veteran-Owned Small Businesses
System for Award Management Unique Identity Identification Number
While not required, artifacts supporting your submission may be submitted to better demonstrate the above. The artifacts can be in addition to the page limit.
There are no specific submission requirements other than the page limit, but the Government requests that it not be inundated with marketing materials or peripheral content, and that the submission be readable.
CONTRACTOR RESPONSE:
All Contractors shall submit via email to Michael Berberich, Contract Specialist at michael.berberich@va.gov and Contracting Officer Jason King at jason.king6@va.gov. Any/all questions from industry must be submitted by close of business (COB) on 7/11/25. The Government intends to have all questions answered and posted by COB on 7/14/25. Final responses are due no later than 12:00 PM ET, July 16, 2025.
GOVERNMENT REQUIREMENT:
Introduction / Background: The Department of Veterans Affairs (VA) is conducting market research to identify capable vendors that can deliver a comprehensive, turnkey solution for application and API runtime protection across VA's enterprise environments. This initiative, titled Zero Trust Application Runtime Protection (ZARP), supports the agency's cybersecurity modernization goals under Executive Order 14028 and the VA's Zero Trust Architecture Strategy.
The ZARP initiative is focused on runtime protection for web applications, APIs, and associated workloads. It will prioritize VA mission critical systems to include support for both externally facing and non-web-based services.
Purpose of this RFI This RFI seeks industry feedback and solution concepts from qualified vendors. The Government intends to use responses to:
Validate technical feasibility and market availability
Refine its acquisition strategy
Determine industry capacity to meet ZARP objectives
Identify best practices and potential innovations
Scope of the ZARP Solution This solution must be delivered as a total turnkey implementation, meaning the contractor shall be responsible for all components and phases of delivery without reliance on VA-led development or integration efforts. The VA seeks a commercial off the shelf (COTS) solution that provides end-to-end protection for web applications, APIs, and critical backend services across VA s hybrid environments.
VA is interested in Palo Alto s Prisma Cloud Enterprise Edition or similar. Vendors are encouraged to propose alternative or equivalent solutions if they can clearly demonstrate equal or superior functionality, integration maturity, and compliance with federal standards.
Salient Characteristics Respondents should confirm their solution supports or addresses the following key characteristics:
Turnkey Delivery Model
Implementation and integration
Solution process design and configuration
Documentation and training
Operational support (including 24/7 monitoring and incident response)
Supporting the Authority to Operate (ATO) process
Runtime Protection Scope
Coverage of cloud-native, web-facing and non-web workloads (e.g., internal APIs, headless services)
Support for host-based, container, and serverless applications
Support for monolithic, microservice, containerized, and serverless architectures
Capable of protecting on-prem or VA Enterprise Cloud (VAEC) environments
Platform Capabilities
Web Application and API Security (WAAS)
Cloud Workload Protection Platform (CWPP)
Compute Defender or equivalent functionality
Runtime policy enforcement, threat detection, and virtual patching
Compliance
FedRAMP-authorized (Moderate or High) for SaaS
Applicable legislation (e.g. FISMA, NIST 800-53 and CISA directives)
Tool Integration Support
SIEM (Splunk, Elastic)
SOAR platforms
Identity and Access Management systems
Vulnerability Management and CI/CD pipelines
Measurable Outcomes
Reduction in successful exploits and faster Mean time to detect (MTTD) / Mean time to respond (MTTR)
Capable of achieving a true-positive detection rate of at least 98% and cross-over error rate of no more than 2%, as measured against independent OWASP Benchmarks or equivalent tests
Requested Information from Respondents
Vendors are encouraged to provide the following:
A description of their proposed solution, including people processes and technologies
A response matrix mapping their solution to each of the salient characteristics
Details of past performance with similar enterprise security deployments, especially within federal environments
Licensing models and scalability options
Key differentiators or innovations
Any anticipated deployment challenges and mitigation strategies
Any recommended additions, corrections, or clarifications to the scope or requirements described in this RFI
Attachments/Links
Contracting Office Address
- 23 CHRISTOPHER WAY
- EATONTOWN , NJ 07724
- USA
Primary Point of Contact
- Michael Berberich
- michael.berberich@va.gov
Secondary Point of Contact
- Jul 08, 2025 05:24 pm EDTSources Sought (Original)
Related Document
| Jul 14, 2025 | [Sources Sought (Updated)] DJ01--Zero Trust Application Realtime Protection (ZARP) (VA-25-00093376) |
| Sep 16, 2025 | [Sources Sought (Updated)] DJ01--Zero Trust Application Realtime Protection (ZARP) (VA-25-00093376) |
Daily notification on new contract opportunities
With GovernmentContracts, you can:
- Find more opportunities and win more business
- Receive daily alerts for all new bid opportunities
- Get contract opportunities matched to your business
See also
Follow 53--CASTER,SWIVEL Active Contract Opportunity Notice ID SPE7LX26U7976 Related Notice Department/Ind. Agency DEPT
DEPT OF DEFENSE
Bid Due: 6/12/2026
Follow 62--LIGHT ASSEMBLY,INDICAT Active Contract Opportunity Notice ID SPE4A626Q0915 Related Notice Department/Ind. Agency
DEPT OF DEFENSE
Bid Due: 6/11/2026
Follow SUBMIT A QUOTE TO PROVIDE, INSTALL, AND MAINTAIN 10GB ETHERNET CIRCUIT BETWEEN
DEPT OF DEFENSE
Bid Due: 6/29/2026
Follow FY26 REDWOOD CITY CHANNEL MAINTENANCE DREDGING PROJECT Active Contract Opportunity Notice ID
DEPT OF DEFENSE
Bid Due: 6/11/2026
* Disclaimer: Information regarding bids, requests for proposals (RFPs), or requests for qualifications (RFQs) is provided on this website only for convenience and does not constitute official public notice. Persons wishing to respond to or inquire about bids, RFPs, or RFQs should contact the appropriate government department.