DJ01--Zero Trust Application Realtime Protection (ZARP) (VA-25-00093376)

Location: Federal
Posted: Jul 14, 2025
Due: Jul 16, 2025
Agency: VETERANS AFFAIRS, DEPARTMENT OF
Type of Government: Federal
Category:
  • D - Automatic Data Processing and Telecommunication Services
Solicitation No: 36C10B25Q0429
Active
Contract Opportunity
Notice ID: 36C10B25Q0429
Related Notice:
Department/Ind. Agency: VETERANS AFFAIRS, DEPARTMENT OF
Sub-tier: VETERANS AFFAIRS, DEPARTMENT OF
Office: TECHNOLOGY ACQUISITION CENTER NJ (36C10B)
General Information
  • Contract Opportunity Type: Sources Sought (Updated)
  • Updated Published Date: Jul 14, 2025 07:05 pm EDT
  • Original Published Date: Jul 08, 2025 05:24 pm EDT
  • Updated Response Date: Jul 16, 2025 12:00 pm EDT
  • Original Response Date: Jul 16, 2025 12:00 pm EDT
  • Inactive Policy: Manual
  • Updated Inactive Date: Aug 15, 2025
  • Original Inactive Date: Aug 15, 2025
  • Initiative:
    • None
Classification
  • Original Set Aside:
  • Product Service Code: DJ01 - IT AND TELECOM - SECURITY AND COMPLIANCE SUPPORT SERVICES (LABOR)
  • NAICS Code:
    • 541519 - Other Computer Related Services
  • Place of Performance:
Description
QUESTION: Can you list the number of applications and break out how they are hosted? Interested in the number of container nodes, VMs, Serverless functions, etc.
ANSWER: VA does not publish its application inventory at the market-research (RFI) stage. The exact number of applications and their hosting breakdown across on-premises data centers, VA Enterprise Cloud (AWS GovCloud US & Azure Government), and other environments will be provided to the selected vendor during post-award discovery and onboarding.

QUESTION: Could the Government clarify whether Elastic SIEM integration is a requirement or if Splunk-only integration would be sufficient?
ANSWER: Splunk-only integration is sufficient.

QUESTION: Are there specific Splunk configurations or deployment models (cloud, on-premises, or hybrid) that the solution must support?
ANSWER: The ZARP solution must cleanly support on-prem, cloud, and hybrid Splunk ingestion.

QUESTION: Do you require Splunk pricing in the ROM?
ANSWER: No

QUESTION: SOAR Platforms (Swimlane): Are there particular Swimlane integrations or workflows that the solution should accommodate to align with VA's current SOAR environment?
ANSWER: At this stage we are not releasing VA-specific Swimlane playbooks or connector details.

QUESTION: Which IAM systems are deployed within VA (e.g., Microsoft Azure AD, Okta, Ping Identity), and are there specific protocols (SAML, OAuth, OpenID Connect) required for integration?
ANSWER: The VA uses multiple IAM services in a hybrid on-prem / cloud environment. More details will be furnished to the selected vendor during post-award discovery and onboarding.

QUESTION: Given the use of Tenable for vulnerability management, are there specific integration requirements or use cases VA expects? Additionally, could VA identify CI/CD platforms in use (e.g., Jenkins, GitLab, Azure DevOps) that the solution should integrate with?
ANSWER: VA uses several CI/CD pipelines. Pipeline details are sensitive and will be shared only with the awardee under post-award security procedures.

QUESTION: To provide a meaningful Rough Order of Magnitude (ROM) for the ZARP RFI, could the government provide approximate counts of workloads (VMs, containers, serverless functions) and anticipated data ingestion volumes for SIEM/SOAR integration?
ANSWER: The requested information is not available

QUESTION: Please clarify which Prisma Cloud modules (e.g., WAAS, CWPP, CSPM) VA expects vendors to include.
ANSWER: WAAS & CWPP

QUESTION: For scoping the number of VA workloads, how many on-premise container hosts will the solution need to support?
ANSWER: The requested information is not available

QUESTION: For scoping the number of VA workloads, how many K8 worker nodes will the solution need to support?
ANSWER: The requested information is not available

QUESTION: For scoping the number of VA workloads, how many serverless containers (AWS-Fargate / Azure ACI) will the solution need to support?
ANSWER: The requested information is not available

QUESTION: Can the VA confirm the solution must be capable of Runtime Application Self Protection (RASP)?
ANSWER: Yes, the solutions must be capable of Runtime Application Self Protection

QUESTION: Will the proposed zero trust solution require traffic visibility and enforcement aspects of ZTS Zero Trust Segmentation (or micro-segmentation), or will it be primarily based on North-South subnet-based enforcement?
ANSWER: This RFI covers runtime-application and workload protection (ZARP). Network-level Zero Trust Segmentation (micro-segmentation) is handled by separate VA controls. The solution must inspect and enforce at Layer 7 for both North-South traffic (ingress/egress) and East-West traffic that remains within a subnet or host.
Detailed integration points with VA's ZTS environment will be defined during post-award discovery.

QUESTION: What is the scope of number of locations, workloads, applications as part of this solicitation or any other details you can provide that would be helpful for vendors?
ANSWER: This information is not available

QUESTION: Is the request for this new solution replacing existing technology and what is the existing solution today?
ANSWER: There is no existing solution

QUESTION: Is the VA using any segmentation solutions today within this environment and what is the technology being used?
ANSWER: The specific vendors, products, and policy schemas are considered sensitive architecture details and will be disclosed only to the awardee under post-award security procedures.

QUESTION: What GWACs is the VA currently considering for this procurement? Is GSA VETS 2 being considered?
ANSWER: To be determined. The contract vehicle will be determined based on the responses received from the RFI. Please provide any existing contract vehicles per RFI Submittal Information paragraph 3(g).
Attachments/Links
Contact Information
Contracting Office Address
  • 23 CHRISTOPHER WAY
  • EATONTOWN, NJ 07724
  • USA
Primary Point of Contact
Secondary Point of Contact


History

Related Document

Jul 8, 2025 [Sources Sought (Original)] DJ01--Zero Trust Application Realtime Protection (ZARP) (VA-25-00093376)
Sep 16, 2025 [Sources Sought (Updated)] DJ01--Zero Trust Application Realtime Protection (ZARP) (VA-25-00093376)