6540--Intraoperative Digital Guidance System - Cataract Surgery Lebanon VA Medical Center
General Information
Contract Opportunity Type: Sources Sought (Original)
Original Published Date: Feb 05, 2026 11:36 am EST
Original Response Date: Feb 23, 2026 10:00 am EST
Inactive Policy: Manual
Original Inactive Date: Mar 10, 2026
Initiative:
Classification
Original Set Aside:
Product Service Code: 6540 - OPHTHALMIC INSTRUMENTS, EQUIPMENT, AND SUPPLIES
NAICS Code: 334510 - Electromedical and Electrotherapeutic Apparatus Manufacturing
Place of Performance: Lebanon, 17042-7529, USA
Description
THIS IS NOT A SOLICITATION ANNOUNCEMENT. THIS IS A REQUEST FOR INFORMATION ONLY.
This Request for Information (RFI) is intended for information and planning purposes only at this time and shall not be construed as a solicitation or as an obligation on the part of the Department of Veterans Affairs. Because this is a Request for Information announcement, no evaluation letters and/or results will be issued to the respondents.
The Department of Veterans Affairs, Network Contracting Office (NCO) 4, Lebanon VA Medical Center is looking for sources offering an Intraoperative Digital Guidance System for Cataract Surgery.
Salient characteristics:
Core Purpose
Computer-assisted surgical guidance: Provides graphical visual assistance and overlay information directly in the surgeon's view during procedures such as cataract surgery and toric intraocular lens (IOL) implantation.
Assistance, information, and documentation: Acts as a support system for visualization, planning, and documenting ophthalmic surgeries.
Key Functional Features
Markerless toric IOL alignment: Eliminates the need for manual preoperative or intraoperative marking by using reference images to align toric IOLs accurately, helping reduce residual astigmatism.
Surgeon-controlled guidance: All assistance functions are controlled in real time by the surgeon using foot pedals or handgrips.
Step-by-step surgical support: Includes tools for:
Incision guidance (incl. positioning on specific axes)
Precise capsulorhexis size and shape guidance
Limbal relaxing incisions (LRI)
Corneal curvature estimation (K-TRACK®)
Workflow & Integration
Direct data transfer & overlays: Biometric data and reference images are transferred from diagnostic devices to the guidance system and displayed intraoperatively as overlays in the microscope eyepiece or on the monitor.
Efficient data management: Patient lists can be imported (via DICOM Modality Worklist or USB) and videos/photos exported for documentation, teaching, and quality assurance. Full-screen live video aids team communication during surgery.
Documentation & Recording
High-definition recording: Captures HD video and still images including the guidance overlays for quality management and educational purposes.
Technical & System Characteristics
Panel PC with touchscreen: Integrated touchscreen system with anti-reflective coating.
Hardware: Typical computing hardware (e.g., Intel Core i5, SSD + HDD storage), integrated color display and multiple video I/O options to interface with surgical microscopes and hospital networks.
Connectivity: DICOM network capability and USB interfaces support data exchange and interoperability.
Clinical Impact
Precision & efficiency: Aims to increase surgical precision (especially for IOL alignment) and streamline workflow by reducing manual steps.
Integrated surgical support: Works with microscopes to bring guidance directly into the surgical environment.
The information identified above is intended to be descriptive, not restrictive, and to indicate the quality of the supplies/services that will be satisfactory. It is the responsibility of the interested source to demonstrate to the government that the interested parties can provide the supplies/services that fulfill the required specifications mentioned above.
Security Language:
1. GENERAL. This entire section applies to all acquisitions requiring any Information
Security and Privacy language. Contractors, contractor personnel, subcontractors
and subcontractor personnel will be subject to the same federal laws, regulations,
standards, VA directives and handbooks, as VA personnel regarding information
and information system security and privacy.
2. VA INFORMATION CUSTODIAL LANGUAGE. This entire section applies to all
acquisitions requiring any Information Security and Privacy language.
a. The Government shall receive unlimited rights to data/intellectual property
first produced and delivered in the performance of this contract or order
(hereinafter "contract") unless expressly stated otherwise in this contract. This
includes all rights to source code and all documentation created in support
thereof. The primary clause used to define Government and Contractor data
rights is FAR 52.227-14 Rights in Data General. The primary clause used to
define computer software license (not data/intellectual property first produced
under this contract or order) is FAR 52.227-19, Commercial Computer
Software License.
b. Information made available to the contractor by VA for the performance or
administration of this contract will be used only for the purposes specified in
the service agreement, SOW, PWS, PD, and/or contract. The contractor shall
not use VA information in any other manner without prior written approval
from a VA Contracting Officer (CO). The primary clause used to define
Government and Contractor data rights is FAR 52.227-14 Rights in Data
General.
c. VA information will not be co-mingled with any other data on the contractor's
information systems or media storage systems. The contractor shall ensure
compliance with Federal and VA requirements related to data protection, data
encryption, physical data segregation, logical data segregation, classification
requirements and media sanitization.
d. VA reserves the right to conduct scheduled or unscheduled audits,
assessments, or investigations of contractor Information Technology (IT)
resources to ensure information security is compliant with Federal and VA
requirements. The contractor shall provide all necessary access to records
(including electronic and documentary materials related to the contracts and
subcontracts) and support (including access to contractor and subcontractor
staff associated with the contract) to VA, VA's Office Inspector General (OIG),
and/or Government Accountability Office (GAO) staff during periodic control
assessments, audits, or investigations.
e. The contractor may only use VA information within the terms of the contract
and applicable Federal law, regulations, and VA policies. If new Federal
information security laws, regulations or VA policies become applicable after
execution of the contract, the parties agree to negotiate contract modification
and adjustment necessary to implement the new laws, regulations, and/or
policies.
f. The contractor shall not make copies of VA information except as specifically
authorized and necessary to perform the terms of the contract. If copies are
made for restoration purposes, after the restoration is complete, the copies shall
be destroyed in accordance with VA Directive 6500, VA Cybersecurity Program
and VA Information Security Knowledge Service.
g. If a Veterans Health Administration (VHA) contract is terminated for default or
cause with a business associate, the related local Business Associate Agreement
(BAA) shall also be terminated and actions taken in accordance with VHA
Directive 1605.05, Business Associate Agreements. If there is an executed
national BAA associated with the contract, VA will determine what actions are
appropriate and notify the contractor.
h. The contractor shall store and transmit VA sensitive information in an
encrypted form, using VA-approved encryption tools which are, at a minimum,
Federal Information Processing Standards (FIPS) 140-2, Security Requirements
for Cryptographic Modules (or its successor) validated and in conformance
with VA Information Security Knowledge Service requirements. The contractor
shall transmit VA sensitive information using VA approved Transport Layer
Security (TLS) configured with FIPS based cipher suites in conformance with National
Institute of Standards and Technology (NIST) 800-52, Guidelines for the
Selection, Configuration and Use of Transport Layer Security (TLS)
Implementations.
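Clause h above requires TLS configured with FIPS-based cipher suites in conformance with NIST SP 800-52. The checker below is an added example and is not part of the RFI or of any VA tooling. It applies a policy that is deliberately a stricter subset of SP 800-52 Rev. 2 (an assumption, chosen so the check has no grey areas): TLS 1.2 or 1.3 only, ECDHE key exchange for forward secrecy, AES-GCM bulk encryption, and SHA-256/SHA-384. The input is a constructed list of (protocol, IANA suite name) pairs of the kind a TLS scanner reports, so it runs offline; wire it to a real scanner's output when assessing an endpoint.

```python
"""Cipher-suite policy check for TLS endpoints that carry VA sensitive information.

Added example, not from the RFI. Policy (assumption, stricter than SP 800-52r2):
  * protocol TLS 1.2 or TLS 1.3 only
  * TLS 1.2 key exchange must be ECDHE_RSA or ECDHE_ECDSA (forward secrecy)
  * bulk cipher must be AES-128-GCM or AES-256-GCM (CHACHA20 is not FIPS-approved)
  * MAC/PRF must be SHA-256 or SHA-384
"""
import re
from typing import List, Optional, Tuple

Finding = Tuple[str, str, str]  # (protocol, suite, reason)

ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
ALLOWED_KX = {"ECDHE_RSA", "ECDHE_ECDSA"}
ALLOWED_HASH = {"SHA256", "SHA384"}

# TLS 1.2-style IANA names: TLS_<kx>_WITH_<cipher>_<hash>
_TLS12_SUITE = re.compile(
    r"^TLS_(?P<kx>[A-Z_]+?)_WITH_(?P<cipher>[A-Z0-9_]+?)_(?P<hash>SHA384|SHA256|SHA|MD5)$"
)
# TLS 1.3 names carry no key-exchange component: TLS_<cipher>_<hash>
_TLS13_SUITE = re.compile(r"^TLS_(?P<cipher>[A-Z0-9_]+?)_(?P<hash>SHA384|SHA256)$")
_AES_GCM = re.compile(r"^AES_(128|256)_GCM$")


def check_suite(protocol: str, suite: str) -> Optional[str]:
    """Return the reason a (protocol, suite) pair violates the policy, or None if it passes."""
    if protocol not in ALLOWED_PROTOCOLS:
        return f"{protocol} is below TLS 1.2"
    if protocol == "TLSv1.3":
        m = _TLS13_SUITE.match(suite)
        if not m:
            return "unrecognised TLS 1.3 suite name"
        cipher = m["cipher"]
    else:
        m = _TLS12_SUITE.match(suite)
        if not m:
            return "unrecognised TLS 1.2 suite name"
        if m["kx"] not in ALLOWED_KX:
            return f"key exchange {m['kx']} lacks forward secrecy"
        if m["hash"] not in ALLOWED_HASH:
            return f"MAC/PRF {m['hash']} is not SHA-2"
        cipher = m["cipher"]
    if not _AES_GCM.match(cipher):
        return f"bulk cipher {cipher} is not AES-GCM"
    return None


def check_policy(observed: List[Tuple[str, str]]) -> List[Finding]:
    """Evaluate every offered suite; one finding per non-compliant suite."""
    findings: List[Finding] = []
    for protocol, suite in observed:
        reason = check_suite(protocol, suite)
        if reason is not None:
            findings.append((protocol, suite, reason))
    return findings


def is_policy_compliant(observed: List[Tuple[str, str]]) -> bool:
    return not check_policy(observed)


# Constructed sample of what a scanner might report for one endpoint (not real data).
OBSERVED = [
    ("TLSv1.3", "TLS_AES_256_GCM_SHA384"),
    ("TLSv1.3", "TLS_CHACHA20_POLY1305_SHA256"),           # not FIPS-approved
    ("TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
    ("TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"),  # CBC, not AEAD
    ("TLSv1.2", "TLS_RSA_WITH_AES_128_GCM_SHA256"),        # static RSA key exchange
    ("TLSv1.0", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"),          # legacy protocol
]

if __name__ == "__main__":
    for protocol, suite, reason in check_policy(OBSERVED):
        print(f"FAIL {protocol:8} {suite:45} {reason}")
    print("compliant" if is_policy_compliant(OBSERVED) else "NOT compliant")
```

The check is intentionally a whitelist: anything it cannot parse is reported rather than silently passed, which is the behaviour you want when the list of offered suites comes from a scanner against a vendor appliance whose TLS stack you do not control.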
i. The contractor's firewall and web services security controls, as applicable, shall
meet or exceed VA's minimum requirements.
j. Except for uses and disclosures of VA information authorized by this contract
for performance of the contract, the contractor may use and disclose VA
information only in two situations: (i) in response to a qualifying order of a
court of competent jurisdiction after notification to the VA CO; or (ii) with written
approval from the VA CO. The contractor shall refer all requests for, demands
for production of or inquiries about, VA information and information systems
to the VA CO for response.
k. Notwithstanding the provision above, the contractor shall not release VA
records protected by Title 38 U.S.C. § 5705, Confidentiality of medical quality
assurance records and/or Title 38 U.S.C. § 7332, Confidentiality of certain
medical records pertaining to drug addiction, sickle cell anemia, alcoholism or
alcohol abuse or infection with Human Immunodeficiency Virus (HIV). If the
contractor is in receipt of a court order or other requests for the
abovementioned information, the contractor shall immediately refer such court
order or other requests to the VA CO for response.
l. Information made available to the contractor by VA for the performance or
administration of this contract or information developed by the contractor in
performance or administration of the contract will be protected and secured in
accordance with VA Directive 6500 and Identity and Access Management
(IAM) Security processes specified in the VA Information Security Knowledge
Service.
m. Any data destruction done on behalf of VA by a contractor shall be done in
accordance with National Archives and Records Administration (NARA)
requirements as outlined in VA Directive 6300, Records and Information
Management, VA Handbook 6300.1, Records Management Procedures, and
applicable VA Records Control Schedules.
n. The contractor shall provide its plan for destruction of all VA data in its
possession according to VA Directive 6500 and NIST 800-88, Guidelines for
Media Sanitization prior to termination or completion of this contract. If
directed by the COR/CO, the contractor shall return all Federal Records to VA
for disposition.
o. Any media, such as paper, magnetic tape, magnetic disks, solid state devices or
optical discs that is used to store, process, or access VA information that cannot
be destroyed shall be returned to VA. The contractor shall hold the appropriate
material until otherwise directed by the Contracting Officer's Representative
(COR) or CO. Items shall be returned securely via VA-approved methods. VA
sensitive information must be transmitted utilizing VA-approved encryption
tools which are validated under FIPS 140-2 (or its successor) and NIST 800-52. If
mailed, the contractor shall send via a trackable method (USPS, UPS, FedEx,
etc.) and immediately provide the COR/CO with the tracking information. Self-certification
by the contractor that the data destruction requirements above
have been met shall be sent to the COR/CO within 30 business days of
termination of the contract.
p. All electronic storage media (hard drives, optical disks, CDs, back-up tapes,
etc.) used to store, process or access VA information will not be returned to the
contractor at the end of lease, loan, or trade-in. Exceptions to this paragraph
will only be granted with the written approval of the VA CO.
3. ACCESS TO VA INFORMATION AND VA INFORMATION SYSTEMS. This
section applies when any person requires access to information made available to
the contractor by VA for the performance or administration of this contract or
information developed by the contractor in performance or administration of the
contract.
a. A contractor/subcontractor shall request logical (technical) or physical access to
VA information and VA information systems for their employees and
subcontractors only to the extent necessary to perform the services specified in
the solicitation or contract. This includes indirect entities, both affiliate of
contractor/subcontractor and agent of contractor/subcontractor.
b. Contractors and subcontractors shall sign the VA Information Security Rule of
Behavior (ROB) before access is provided to VA information and information
systems (see Section 4, Training, below). The ROB contains the minimum user
compliance requirements and does not supersede any policies of VA facilities
or other agency components which provide higher levels of protection to VA's
information or information systems. Users who require privileged access shall
complete the VA elevated privilege access request processes before privileged
access is granted.
c. All contractors and subcontractors working with VA information are subject to
the same security investigative and clearance requirements as those of VA
appointees or employees who have access to the same types of information. The
level and process of background security investigations for contractors shall be
in accordance with VA Directive and Handbook 0710, Personnel Suitability and
Security Program. The Office of Human Resources and
Administration/Operations, Security and Preparedness (HRA/OSP) is
responsible for these policies and procedures. Contract personnel who require
access to classified information or information systems shall have an
appropriate security clearance. Verification of a Security Clearance shall be
processed through the Special Security Officer located in HRA/OSP.
Contractors shall conform to all requirements stated in the National Industrial
Security Program Operating Manual (NISPOM).
d. All contractors and subcontractors shall comply with conditions specified in
VAAR 852.204-71(d); Contractor operations required to be in United States.
All contractors and subcontractors working with VA information must be
permanently located within a jurisdiction subject to the law of the United States
or its Territories to the maximum extent feasible. If services are proposed to be
performed abroad the contractor must state where all non-U.S. services are
provided. The contractor shall deliver to VA a detailed plan specifically
addressing communications, personnel control, data protection and potential
legal issues. The plan shall be approved by the COR/CO in writing prior to
access being granted.
e. The contractor shall notify the COR/CO in writing immediately (no later than
24 hours) after personnel separation or occurrence of other causes. Causes may
include the following:
(1) Contractor/subcontractor personnel no longer has a need for access to VA
information or VA information systems.
(2) Contractor/subcontractor personnel are terminated, suspended, or
otherwise has their work on a VA project discontinued for any reason.
(3) Contractor believes their own personnel or subcontractor personnel may
pose a threat to their company's working environment or to any company
owned property. This includes contractor-owned assets, buildings,
confidential data, customers, employees, networks, systems, trade secrets
and/or VA data.
(4) Any previously undisclosed changes to contractor/subcontractor
background history are brought to light, including but not limited to
changes to background investigation or employee record.
(5) Contractor/subcontractor personnel have their authorization to work in
the United States revoked.
(6) Agreement by which contractor provides products and services to VA has
either been fulfilled or terminated, such that VA can cut off electronic
and/or physical access for contractor personnel.
f. In such cases of contract fulfillment, termination, or other causes; the contractor
shall take the necessary measures to immediately revoke access to VA network,
property, information, and information systems (logical and physical) by
contractor/subcontractor personnel. These measures include (but are not
limited to): removing and then securing Personal Identity Verification (PIV)
badges and PIV Interoperable (PIV-I) access badges, VA-issued photo badges,
credentials for VA facilities and devices, VA-issued laptops, and authentication
tokens. Contractors shall notify the appropriate VA COR/CO immediately to
initiate access removal.
g. Contractors/subcontractors who no longer require VA accesses will return VA
issued property to VA. This property includes (but is not limited to):
documents, electronic equipment, keys, and parking passes. PIV and PIV-I
access badges shall be returned to the nearest VA PIV Badge Issuance Office.
Once they have had access to VA information, information systems, networks
and VA property in their possessions removed, contractors shall notify the
appropriate VA COR/CO.
4. TRAINING. This entire section applies to all acquisitions which include section 3.
a. All contractors and subcontractors requiring access to VA information and VA
information systems shall successfully complete the following before being
granted access to VA information and its systems:
(1) VA Privacy and Information Security Awareness and Rules of Behavior
course (Talent Management System (TMS) #10176) initially and annually
thereafter.
(2) Sign and acknowledge (electronically through TMS #10176)
understanding of and responsibilities for compliance with the
Organizational Rules of Behavior, relating to access to VA information
and information systems initially and annually thereafter; and
(3) Successfully complete any additional cyber security or privacy training, as
required for VA personnel with equivalent information system or
information access [to be defined by the VA program official and
provided to the VA CO for inclusion in the solicitation document i.e.,
any role based information security training].
b. The contractor shall provide to the COR/CO a copy of the training certificates
and certification of signing the Organizational Rules of Behavior for each
applicable employee within five days of the initiation of the contract and
annually thereafter, as required.
c. Failure to complete the mandatory annual training is grounds for suspension or
termination of all physical or electronic access privileges and removal from
work on the contract until such time as the required training is complete.
5. SECURITY INCIDENT INVESTIGATION. This entire section applies to all
acquisitions requiring any Information Security and Privacy language.
a. The contractor, subcontractor, their employees, or business associates shall
immediately (within one hour) report suspected security / privacy incidents to
the VA OIT s Enterprise Service Desk (ESD) by calling (855) 673-4357 (TTY:
711). The ESD is OIT s 24/7/365 single point of contact for IT-related issues.
After reporting to the ESD, the contractor, subcontractor, their employees, or
business associates shall, within one hour, provide the COR/CO the incident
number received from the ESD.
b. To the extent known by the contractor/subcontractor, the contractor/
subcontractor's notice to VA shall identify the information involved and the
circumstances surrounding the incident, including the following:
(1) The date and time (or approximation of) the Security Incident occurred.
(2) The names of individuals involved (when applicable).
(3) The physical and logical (if applicable) location of the incident.
(4) Why the Security Incident took place (i.e., catalyst for the failure).
(5) The amount of data belonging to VA believed to have been compromised.
(6) The remediation measures the contractor is taking to ensure no future
incidents of a similar nature.
c. After the contractor has provided the initial detailed incident summary to VA,
they will continue to provide written updates on any new and relevant
circumstances or facts they discover. The contractor, subcontractor, and their
employees shall fully cooperate with VA or a third-party entity performing an
independent risk analysis on behalf of VA. Failure to cooperate may be deemed
a material breach and grounds for contract termination.
d. VA IT contractors shall follow VA Handbook 6500, Risk Management
Framework for VA Information Systems VA Information Security Program,
and VA Information Security Knowledge Service guidance for implementing
an Incident Response Plan or integrating with an existing VA implementation.
e. In instances of theft or break-in or other criminal activity, the
contractor/subcontractor must concurrently report the incident to the
appropriate law enforcement entity (or entities) of jurisdiction, including the
VA OIG, and the VA Office of Security and Law Enforcement. The contractor,
its employees, and its subcontractors and their employees shall cooperate with
VA and any law enforcement authority responsible for the investigation and
prosecution of any possible criminal law violation(s) associated with any
incident. The contractor/subcontractor shall cooperate with VA in any civil
litigation to recover VA information, obtain monetary or other compensation
from a third party for damages arising from any incident, or obtain injunctive
relief against any third party arising from, or related to, the incident.
f. The contractor shall comply with VA Handbook 6500.2, Management of
Breaches Involving Sensitive Personal Information, which establishes the
breach management policies and assigns responsibilities for the oversight,
management and reporting procedures associated with managing of breaches.
g. With respect to unsecured Protected Health Information (PHI), the contractor is
deemed to have discovered a data breach when the contractor knew or should
have known of breach of such information. When a business associate is part of
VHA contract, notification to the covered entity (VHA) shall be made in
accordance with the executed BAA.
h. If the contractor or any of its agents fails to protect VA sensitive personal
information or otherwise engages in conduct which results in a data breach
involving any VA sensitive personal information the contractor/subcontractor
processes or maintains under the contract; the contractor shall pay liquidated
damages to the VA as set forth in clause 852.211-76, Liquidated Damages
Reimbursement for Data Breach Costs.
7. INFORMATION SYSTEM HOSTING, OPERATION, MAINTENANCE OR USE.
This entire section applies to information systems, systems, major applications,
minor applications, enclaves, and platform information technologies (cloud and
noncloud) hosted, operated, maintained, or used on behalf of VA at non-VA
facilities.
a. The contractor shall comply with all Federal laws, regulations, and VA policies
for Information systems (cloud and non-cloud) that are hosted, operated,
maintained, or used on behalf of VA at non-VA facilities. Security controls for
collecting, processing, transmitting, and storing of VA sensitive information,
must be in place. The controls will be tested by VA or a VA sanctioned 3PAO
and approved by VA prior to hosting, operation, maintenance or use of the
information system or systems by or on behalf of VA. This includes conducting
compliance risk assessments, security architecture analysis, routine
vulnerability scanning, system patching, change management procedures and
the completion of an acceptable contingency plan for each system. The
contractor's security control procedures shall be the same as procedures used to
secure VA-operated information systems.
b. Outsourcing (contractor facility, equipment, or staff) of systems or network
operations, telecommunications services or other managed services require
Assessment and Authorization (A&A) of the contractor's systems in accordance
with VA Handbook 6500 as specified in VA Information Security Knowledge
Service. Major changes to the A&A package may require reviewing and
updating all the documentation associated with the change. The contractor's
cloud computing systems shall comply with FedRAMP and VA Directive 6517
requirements.
c. The contractor shall return all electronic storage media (hard drives, optical
disks, CDs, back-up tapes, etc.) on non-VA leased or non-VA owned IT
equipment used to store, process or access VA information to VA in accordance
with A&A package requirements. This applies when the contract is terminated
or completed and prior to disposal of media. The contractor shall provide its
plan for destruction of all VA data in its possession according to VA
Information Security Knowledge Service requirements and NIST 800-88. The
contractor shall send a self-certification that the data destruction requirements
above have been met to the COR/CO within 30 business days of termination of
the contract.
d. All external internet connections to VA network involving VA information
must be in accordance with VA Trusted Internet Connection (TIC) Reference
Architecture and VA Directive and Handbook 6513, Secure External
Connections and reviewed and approved by VA prior to implementation.
Government-owned contractor-operated systems, third party or business
partner networks require a Memorandum of Understanding (MOU) and
Interconnection Security Agreements (ISA).
e. Contractor procedures shall be subject to periodic, announced, or unannounced
assessments by VA officials, the OIG or a 3PAO. The physical security aspects
associated with contractor activities are also subject to such assessments. The
contractor shall report, in writing, any deficiencies noted during the above
assessment to the VA COR/CO. The contractor shall use VA s defined
processes to document planned remedial actions that address identified
deficiencies in information security policies, procedures, and practices. The
contractor shall correct security deficiencies within the timeframes specified in
the VA Information Security Knowledge Service.
f. All major information system changes which occur in the production
environment shall be reviewed by the VA to determine the impact on privacy
and security of the system. Based on the review results, updates to the
Authority to Operate (ATO) documentation and parameters may be required to
remain in compliance with VA Handbook 6500 and VA Information Security
Knowledge Service requirements.
g. The contractor shall conduct an annual privacy and security self-assessment on
all information systems and outsourced services as required. Copies of the
assessment shall be provided to the COR/CO. The VA/Government reserves
the right to conduct assessment using government personnel or a third-party if
deemed necessary. The contractor shall correct or mitigate any weaknesses
discovered during the assessment.
h. VA prohibits the installation and use of personally owned or contractor-owned
equipment or software on VA information systems. If non-VA owned
equipment must be used to fulfill the requirements of a contract, it must be
stated in the service agreement, SOW, PWS, PD or contract. All security
controls required for government furnished equipment must be utilized in VA
approved Other Equipment (OE). Configuration changes to the contractor OE,
must be funded by the owner of the equipment. All remote systems must use a
VA-approved antivirus software and a personal (host-based or enclave based)
firewall with a VA-approved configuration. The contractor shall ensure
software on OE is kept current with all critical updates and patches. Owners of
approved OE are responsible for providing and maintaining the anti-virus
software and the firewall on the non-VA owned OE. Approved contractor OE
will be subject to technical inspection at any time.
i. The contractor shall notify the COR/CO within one hour of disclosure or
successful exploits of any vulnerability which can compromise the
confidentiality, integrity, or availability of the information systems. The system
or affected component(s) need(s) to be isolated from the network. A forensic
analysis needs to be conducted jointly with VA. Such issues will be remediated
as quickly as practicable, but in no event longer than the timeframe specified by
VA Information Security Knowledge Service. If sensitive personal information
is compromised reference VA Handbook 6500.2 and Section 5, Security Incident
Investigation.
j. For cases wherein the contractor discovers material defects or vulnerabilities
impacting products and services they provide to VA, the contractor shall
develop and implement policies and procedures for disclosure to VA, as well as
remediation. The contractor shall, within 30 business days of discovery,
document a summary of these vulnerabilities or defects. The documentation
will include a description of the potential impact of each vulnerability and
material defect, compensating security controls, mitigations, recommended
corrective actions, root cause analysis and/or workarounds (i.e., monitoring).
Should there exist any backdoors in the products or services they provide to
VA (referring to methods for bypassing computer authentication), the
contractor shall provide the VA COR/CO written assurance they have
permanently remediated these backdoors.
k. All other vulnerabilities, including those discovered through routine scans or
other assessments, will be remediated based on risk, in accordance with the
remediation timelines specified by the VA Information Security Knowledge
Service and/or the applicable timeframe mandated by Cybersecurity &
Infrastructure Security Agency (CISA) Binding Operational Directive (BOD)
22-01 and BOD 19-02 for Internet-accessible systems. Exceptions to this
paragraph will only be granted with the approval of the COR/CO.
8. SECURITY AND PRIVACY CONTROLS COMPLIANCE TESTING, ASSESSMENT
AND AUDITING. This entire section applies whenever section 6 or 7 is included.
a. Should VA request it, the contractor shall provide a copy of their (corporation's,
sole proprietorship's, partnership's, limited liability company (LLC), or other
business structure entity's) policies, procedures, evidence and independent
report summaries related to specified cybersecurity frameworks (International
Organization for Standardization (ISO), NIST Cybersecurity Framework (CSF),
etc.). VA or its third-party/partner designee (if applicable) are further entitled
to perform their own audits and security/penetration tests of the contractor's
IT or systems and controls, to ascertain whether the contractor is complying
with the information security, network or system requirements mandated in
the agreement between VA and the contractor.
b. Any audits or tests of the contractor or third-party designees/partner VA elects
to carry out will commence within 30 business days of VA notification. Such
audits, tests and assessments may include the following: (a):
security/penetration tests which both sides agree will not unduly impact
contractor operations; (b): interviews with pertinent stakeholders and
practitioners; (c): document review; and (d): technical inspections of networks
and systems the contractor uses to destroy, maintain, receive, retain, or use VA
information.
c. As part of these audits, tests and assessments, the contractor shall provide all
information requested by VA. This information includes, but is not limited to,
the following: equipment lists, network or infrastructure diagrams, relevant
policy documents, system logs or details on information systems accessing,
transporting, or processing VA data.
d. The contractor, at its own expense, shall comply with any recommendations
resulting from VA audits, inspections and tests. VA further retains the right to
view any related security reports the contractor has generated as part of its own
security assessment. The contractor shall also notify VA of the existence of any
such security reports or other related assessments upon their completion and
validation.
e. VA appointed auditors or other government agency partners may be granted
access to such documentation on a need-to-know basis and coordinated
through the COR/CO. The contractor shall comply with recommendations
which result from these regulatory assessments on the part of VA regulators
and associated government agency partners.
9. PRODUCT INTEGRITY, AUTHENTICITY, PROVENANCE, ANTI-COUNTERFEIT
AND ANTI-TAMPERING. This entire section applies when the acquisition involves
any product (application, hardware, or software) or when section 6 or 7 is included.
a. The contractor shall comply with Code of Federal Regulations (CFR) Title 15
Part 7, "Securing the Information and Communications Technology and
Services (ICTS) Supply Chain", which prohibits ICTS Transactions from foreign
adversaries. ICTS Transactions are defined as any acquisition, importation,
transfer, installation, dealing in or use of any information and communications
technology or service, including ongoing activities, such as managed services,
data transmission, software updates, repairs or the platforming or data hosting
of applications for consumer download.
b. When contracting terms require the contractor to procure equipment, the
contractor shall purchase or acquire the equipment from an Original
Equipment Manufacturer (OEM) or an authorized reseller of the OEM. The
contractor shall attest that equipment procured from an OEM or authorized
reseller or distributor is authentic. If procurement from an OEM or authorized
reseller is unavailable, the contractor shall submit in writing details of the
circumstances preventing this and procure a product waiver from the VA
COR/CO.
c. All contractors shall establish, implement, and provide documentation for risk
management practices for supply chain delivery of hardware, software (to
include patches) and firmware provided under this agreement. Documentation
will include chain-of-custody practices, an inventory management program,
information protection practices, an integrity management program for
sub-supplier-provided components, and replacement parts requests. The contractor
shall make spare parts available. All contractor(s) shall specify how digital
delivery of procured products, including patches, will be validated and
monitored to ensure consistent delivery. The contractor shall apply encryption
technology to protect procured products throughout the delivery process.
d. If a contractor provides software or patches to VA, the contractor shall publish
or provide a hash conforming to the FIPS Security Requirements for
Cryptographic Modules (FIPS 140-2 or successor).
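Items 9.c and 9.d together amount to this: a digital delivery is accepted only when every file matches a digest the contractor published under a FIPS-approved hash. The verifier below is an added illustration, not VA or vendor code; the manifest layout, file names and file contents are constructed for the example, and it treats SHA-256/384/512 as the approved set and refuses anything else before hashing.

```python
import hashlib
import hmac
import io

# Hash algorithms the verifier accepts: SHA-2 members implemented by FIPS
# 140 validated modules. Anything else (md5, sha1, ...) is rejected before
# a digest is ever computed, so a manifest cannot downgrade the check.
APPROVED_HASHES = {"sha256", "sha384", "sha512"}


def digest_stream(stream, algorithm, chunk_size=1 << 16):
    """Hash a file-like object in chunks, so a multi-gigabyte installer or
    firmware image never has to be held in memory at once."""
    if algorithm not in APPROVED_HASHES:
        raise ValueError(f"unapproved hash algorithm: {algorithm}")
    h = hashlib.new(algorithm)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_delivery(manifest, delivered):
    """Compare every delivered file against the published manifest.

    manifest:  {file name: {"algorithm": str, "digest": hex string}}
    delivered: {file name: bytes}
    Returns {file name: "ok" | "mismatch" | "missing" | "unlisted" | "bad-algorithm"}.
    Files that arrived but are not in the manifest are reported too: an
    unlisted binary in a patch bundle is as suspicious as a modified one.
    """
    results = {}
    for name, entry in manifest.items():
        if name not in delivered:
            results[name] = "missing"
            continue
        if entry["algorithm"] not in APPROVED_HASHES:
            results[name] = "bad-algorithm"
            continue
        actual = digest_stream(io.BytesIO(delivered[name]), entry["algorithm"])
        # compare_digest keeps the comparison itself free of timing leaks.
        ok = hmac.compare_digest(actual, entry["digest"].lower())
        results[name] = "ok" if ok else "mismatch"
    for name in delivered:
        if name not in manifest:
            results[name] = "unlisted"
    return results


def delivery_is_acceptable(results):
    """Accept only when every manifest entry verified and nothing extra arrived."""
    return bool(results) and all(status == "ok" for status in results.values())


# --- Constructed sample data (hypothetical file names and contents) --------
BUILT = {  # the artefacts exactly as the contractor hashed them at build time
    "guidance-installer.bin": b"installer payload 2.1 (constructed sample)",
    "patch-2026-02.bin": b"patch payload (constructed sample)",
    "camera-firmware.img": b"firmware image (constructed sample)",
}
PUBLISHED_MANIFEST = {
    name: {"algorithm": "sha256", "digest": hashlib.sha256(data).hexdigest()}
    for name, data in BUILT.items()
}
# What actually arrived: one file altered in transit, one missing, one extra.
DELIVERED = dict(BUILT)
DELIVERED["patch-2026-02.bin"] = b"patch payload (constructed sample, one byte changed)"
del DELIVERED["camera-firmware.img"]
DELIVERED["unexpected-tool.exe"] = b"binary that is not in the manifest"

if __name__ == "__main__":
    results = verify_delivery(PUBLISHED_MANIFEST, DELIVERED)
    for name, status in sorted(results.items()):
        print(f"{status:<13} {name}")
    print("accept delivery:", delivery_is_acceptable(results))
```

The manifest itself must arrive over a channel separate from the files (a signed e-mail, a vendor portal over TLS); a digest shipped inside the same tampered package proves nothing.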
e. The contractor shall provide a software bill of materials (SBOM) for procured
products (to include licensed products), consisting of a list of components and
associated metadata which make up the product. SBOMs must be generated in
one of the data formats defined in the National Telecommunications and
Information Administration (NTIA) report "The Minimum Elements for a
Software Bill of Materials (SBOM)".
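The NTIA report item 9.e cites names SPDX, CycloneDX and SWID tags as acceptable formats and, independently of format, defines the minimum data fields each SBOM must carry: supplier name, component name, component version, other unique identifiers, dependency relationship, author of the SBOM data and a timestamp. The checker below is an added example, not VA or vendor tooling; it runs over a simplified JSON shape of my own (field names and the sample SBOM are constructed, not a real schema) so that the receiving side can reject an SBOM that is missing a minimum element or whose dependency graph references a component it never declares.

```python
from datetime import datetime

# NTIA minimum-element data fields, mapped onto the constructed field names
# used by this checker's simplified document shape.
DOCUMENT_FIELDS = ("author", "timestamp", "components")
COMPONENT_FIELDS = ("supplier", "name", "version", "identifiers", "depends_on")


def check_sbom(doc):
    """Return a list of findings; an empty list means every minimum element
    is present, non-empty, and every dependency resolves to a listed component."""
    findings = []
    for field in DOCUMENT_FIELDS:
        if not doc.get(field):
            findings.append(f"document: missing '{field}'")
    ts = doc.get("timestamp")
    if ts:
        try:
            datetime.fromisoformat(str(ts).replace("Z", "+00:00"))
        except ValueError:
            findings.append("document: 'timestamp' is not ISO 8601")
    components = doc.get("components") or []
    ids = [c.get("id") for c in components]
    if len(set(ids)) != len(ids):
        findings.append("document: duplicate component ids")
    known = set(ids)
    for comp in components:
        label = comp.get("id") or comp.get("name") or "<unnamed>"
        for field in COMPONENT_FIELDS:
            if field not in comp:
                findings.append(f"{label}: missing '{field}'")
            # A leaf component legitimately has an empty depends_on list;
            # every other minimum element must carry a value.
            elif field != "depends_on" and not comp[field]:
                findings.append(f"{label}: '{field}' is empty")
        for dep in comp.get("depends_on") or []:
            if dep not in known:
                findings.append(f"{label}: depends on unknown component '{dep}'")
    return findings


# Constructed sample SBOM for a hypothetical device application; the package
# URLs and vendor names are placeholders, not real products.
SAMPLE_SBOM = {
    "author": "Example Vendor SBOM tooling (constructed)",
    "timestamp": "2026-02-05T11:36:00Z",
    "components": [
        {"id": "pkg:generic/guidance-app@2.1.0", "supplier": "Example Vendor",
         "name": "guidance-app", "version": "2.1.0",
         "identifiers": {"purl": "pkg:generic/guidance-app@2.1.0"},
         # Second dependency is never declared below: a dangling reference.
         "depends_on": ["pkg:generic/imaging-lib@4.2.1",
                        "pkg:generic/logging-lib@1.0.0"]},
        {"id": "pkg:generic/imaging-lib@4.2.1", "supplier": "Imaging Co",
         "name": "imaging-lib", "version": "4.2.1",
         "identifiers": {"purl": "pkg:generic/imaging-lib@4.2.1"},
         "depends_on": []},
        # No supplier named and a blank version: two minimum-element gaps.
        {"id": "pkg:generic/tls-lib@3.0.8", "name": "tls-lib", "version": "",
         "identifiers": {"purl": "pkg:generic/tls-lib@3.0.8"},
         "depends_on": []},
    ],
}

if __name__ == "__main__":
    for finding in check_sbom(SAMPLE_SBOM):
        print("FINDING:", finding)
```

A component with a blank version or no supplier cannot be matched against vulnerability advisories, which is the operational reason the minimum elements exist; the dangling-dependency check catches SBOMs that were hand-edited after the build rather than generated from it.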
f. Contractors shall use or arrange for the use of trusted channels to ship procured
products, such as U.S. registered mail and/or tamper-evident packaging for
physical deliveries.
g. Throughout the delivery process, the contractor shall demonstrate a capability
for detecting unauthorized access (tampering).
h. The contractor shall demonstrate chain-of-custody documentation for procured
products and require tamper-evident packaging for the delivery of this
hardware.
10. VIRUSES, FIRMWARE AND MALWARE. This entire section applies when the
acquisition involves any product (application, hardware, or software) or when
section 6 or 7 is included.
a. The contractor shall execute due diligence to ensure all provided software and
patches, including third-party patches, are free of viruses and/or malware
before releasing them to or installing them on VA information systems.
b. The contractor warrants that it has no knowledge of, and did not insert, any
malicious virus and/or malware code into any software or patches provided to
VA which could potentially harm or disrupt VA information systems. The
contractor shall use due diligence when supplying third-party software or patches
to ensure the third party has not inserted any malicious code and/or virus
which could damage or disrupt VA information systems.
c. The contractor shall provide or arrange for the provision of technical
justification as to why any false-positive hit has taken place, to ensure their
code's supply chain has not been compromised. Justification may be required
when, but is not limited to when, install files, scripts, firmware, or other
contractor-delivered software solutions (including third-party install files,
scripts, firmware, or other software) are flagged as malicious, infected, or
suspicious by an anti-virus vendor.
d. The contractor shall not upload (intentionally or negligently) any virus, worm,
malware or any harmful or malicious content, component and/or corrupted
data/source code (hereinafter "virus or other malware") onto VA computer
and information systems and/or networks. If introduced (and this clause is
violated), upon written request from the VA CO, the contractor shall:
(1) Take all necessary action to correct the incident, to include any and all
assistance to VA to eliminate the virus or other malware throughout VA's
information networks, computer systems and information systems; and
(2) Use commercially reasonable efforts to restore operational efficiency and
remediate damages due to data loss or data integrity damage, if the virus
or other malware causes a loss of operational efficiency, data loss, or
damage to data integrity.
11. CRYPTOGRAPHIC REQUIREMENT. This entire section applies whenever
section 6 or 7 is included.
a. The contractor shall document how the cryptographic system supporting the
contractor's products and/or services protects the confidentiality, data integrity,
authentication and non-repudiation of devices and data flows in the underlying
system.
b. The contractor shall use only approved cryptographic methods as defined in
FIPS 140-2 (or its successor) and NIST 800-52 standards when enabling
encryption on its products.
c. The contractor shall provide or arrange for the provision of an automated
remote key-establishment method which protects the confidentiality and
integrity of the cryptographic keys.
d. The contractor shall ensure emergency re-keying of all devices can be remotely
performed within 30 business days.
e. The contractor shall provide or arrange for the provision of a method for
updating cryptographic primitives or algorithms.
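Item 11.b points at NIST SP 800-52 for the transport side: that guideline requires TLS 1.2 as the minimum protocol version and recommends TLS 1.3, with server certificate validation always on. The snippet below is an added example of what a contractor's client-side configuration review might look like in Python's standard `ssl` module; it is not VA or vendor code, and the cipher-string choice (forward-secret ECDHE/DHE key exchange with AEAD suites only) is my own hardening choice rather than a quotation of the standard.

```python
import ssl


def make_client_context():
    """Client context limited to TLS 1.2 and 1.3, the versions SP 800-52
    permits, with certificate and hostname validation left enabled."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    # TLS-level compression leaks plaintext length (CRIME); keep it off.
    ctx.options |= ssl.OP_NO_COMPRESSION
    # TLS 1.2 suites: forward secrecy plus AEAD only. TLS 1.3 suites are
    # governed by OpenSSL separately and are all AEAD already.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM")
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_context(ctx):
    """Return a list of findings for a context; empty means it meets the
    checks above. Useful when reviewing a context built elsewhere in a code base."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("allows TLS below 1.2")
    if not ctx.check_hostname:
        findings.append("hostname checking disabled")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification not required")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression enabled")
    # get_ciphers() reports what the underlying OpenSSL will actually offer,
    # which is what a reviewer cares about, not the cipher string as written.
    for suite in ctx.get_ciphers():
        if suite["protocol"] not in ("TLSv1.2", "TLSv1.3"):
            findings.append(f"legacy-protocol suite offered: {suite['name']}")
        elif not suite.get("aead", False):
            findings.append(f"non-AEAD suite offered: {suite['name']}")
    return findings


if __name__ == "__main__":
    hardened = make_client_context()
    print("hardened findings:", audit_context(hardened))
    weak = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    weak.check_hostname = False          # order matters: hostname first,
    weak.verify_mode = ssl.CERT_NONE     # then verification can be dropped
    print("weak findings:", audit_context(weak))
```

Setting `check_hostname = False` before `verify_mode = CERT_NONE` is deliberate; the `ssl` module refuses the reverse order. The re-keying and algorithm-update items (11.c to 11.e) are operational commitments rather than configuration and are not covered by this snippet.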
12. PATCHING GOVERNANCE. This entire section applies whenever section 7 is
included.
a. The contractor shall provide documentation detailing the patch management,
vulnerability management, mitigation and update processes (to include third
parties) prior to the connection of electronic devices, assets or equipment to VA's
assets. This documentation will include information regarding the following:
(1) The resources and technical capabilities to sustain the program or process
(e.g., how the integrity of a patch is validated by VA); and
(2) The approach and capability to remediate newly reported zero-day
vulnerabilities for contractor products.
b. The contractor shall verify, and provide documentation showing, that all procured
products (including third-party applications, hardware, software, operating
systems, and firmware) have appropriate updates and patches installed prior to
delivery to VA.
c. The contractor shall provide or arrange the provision of appropriate software
and firmware updates to remediate newly discovered vulnerabilities or
weaknesses for their products and services within 30 days of discovery.
Updates to remediate critical or emergent vulnerabilities will be provided
within seven business days of discovery. If updates cannot be made available
by contractor within these time periods, the contractor shall submit mitigations,
methods of exploit detection and/or workarounds to the COR/CO prior to the
above deadlines.
d. The contractor shall provide or arrange for the provision of appropriate
hardware, software and/or firmware updates, when those products, including
open-source software, are provided to the VA, to remediate newly discovered
vulnerabilities or weaknesses. Remediations of products or services provided to
the VA's system environment must be provided within 30 business days of
availability from the original supplier and/or patching source. Updates to
remediate critical vulnerabilities applicable to the Contractor's use of the third
party product in its system environment will be provided within seven
business days of availability from the original supplier and/or patching source.
If applicable third-party updates cannot be integrated, tested and made
available by the Contractor within these time periods, mitigations and/or
workarounds will be provided to the COR/CO before the above deadlines.
Responses to this RFI should include:
Company name
Address
Point of contact
Phone number
Point of contact e-mail
Contractor's Unique Entity ID (SAM) number
NAICS: 334510
Size standard: 1250 Employees
Capability Statement
This RFI will be conducted in accordance with Federal Acquisition Regulation (FAR) Part 12.
Telephone responses will not be accepted. Responses must be received via e-mail to Adriane.Perretti@va.gov no later than 10:00 AM Eastern Standard Time (EST) on February 23, 2026, with 36C24426Q0269 in the subject line. This notice will help the VA in determining available potential sources only. Do not contact VA Medical Center staff regarding this requirement, as they are not authorized to discuss matters related to this procurement action.
All firms responding to this Request for Information are advised that their response is not a request for proposal, therefore proposals will not be considered for a contract award.
If a solicitation is issued, information will be posted on the www.sam.gov web site for all qualified interested parties. Interested parties must respond to the solicitation to be considered for award. This notice does not commit the government to contract for any supplies or services. The government will not pay for any information or administrative cost incurred in response to this Request for Information.
DISCLAIMER
This RFI is issued solely for information and planning purposes only and does not constitute a solicitation. All information received in response to this RFI that is marked as proprietary will be handled accordingly. Responses to this notice are not offers and cannot be accepted by the Government to form a binding contract. Responders are solely responsible for all expenses associated with responding to this RFI.
End of Document
Contact Information
Contracting Office Address
1010 DELAFIELD ROAD
PITTSBURGH, PA 15215
USA
History
Feb 05, 2026 11:36 am EST: Sources Sought (Original)