J059--Sources Sought PIV - WB JCI and Software

Active

Contract Opportunity

Personal Identification Verification (PIV) Access Control Maintenance Service at the Wilkes-Barre VA Medical Center
Sources Sought

THIS IS NOT A SOLICITATION ANNOUNCEMENT. THIS IS A REQUEST FOR INFORMATION ONLY. This Request for Information (RFI) is intended for information and planning purposes only at this time and shall not be construed as a solicitation or as an obligation on the part of the Department of Veterans Affairs. Because this is a Request for Information announcement, no evaluation letters and/or results will be issued to the respondents. No solicitation exists. Therefore, do not request a copy of a solicitation. The Wilkes Bare VA Medical Center (WBVAMC) needs assistance maintaining its access control system commonly called Personal Identification Verification (PIV). Assistance includes updating and maintaining software licenses, servers, installation of new access control hardware, and troubleshooting hardware/software as needed.

Requirements

2.1 Preventive Maintenance: The contractor shall inspect all I-Star panels, including power supplies, at the WBVAMC and outpatient clinics. The contractor shall replace all batteries in the I-Star panels and power supplies. A report of deficiencies and repairs will be submitted to the POC. The contractor shall provide 50 man-hours per contract period to train VA staff in the operation of the system including the software and basic troubleshooting of hardware. The contractor s primary technician will provide information needed for a background check including ePass criminal history. The purpose is so the technician can be vetted and granted a PIV card and logical access to the VA network.

2.2 Service Call Agreement: The contractor shall provide a service call response providing a technician capable of troubleshooting and repair services for all PIV door hardware, I-STARS, power supplies, card readers, sensors, and programming on the server or software. The contractor is responsible for the labor associated with the troubleshooting or repair service call. The government is responsible for providing the replacement part(s) associated with damaged hardware (e.g. T-Rex, power supply, latch, REX, ect.). Service requests will be placed via the contactors existing service request phone number.

2.3 Software Licensing: The contractor shall provide the following and install on the VA-owned servers with the assistance of VA IT Staff. see Section 3 VA Software Technical Security Requirements for additional requirements.

2.3.1 Contactor to provide and install, C-CURE 9000 license in a version meeting the most current requirements of the VA Technical Reference Model (TRM) C-CURE 9000 (va.gov). The contractor must install version 2.7 or better as identified in TRM. As of spring 2024, releases C-CURE 9000 2.7,2.8,2.9, and 3.0 are the only approved versions listed in TRM.

2.3.2 Contactor to provide any required sub-licensed program required to integrate the issuances and validation of government-issued ID/PIV cards to C-CURE 9000.

2.3.3 Contactor to provide and install, Lynx (LynxClient) license in a version meeting the most current requirements of the VA Technical Reference Model (TRM) VA Technical Reference Model. The contractor must install version 10.4.X or better as identified as approved in TRM. As of spring 2024, releases LynxClient 10.4.X is the only approved version listed in TRM.

2.4 C-CURE Server Migration (Base year service only): The contractor shall provide onsite and offsite staff to migrate the data from the VA-owned C-CURE physical server onto the VA-owned virtual server with limited assistance from the VA IT staff.

2.5 Spare Equipment (Base year service only): The contractor shall provide the following hardware components for the government to use as replacement stock.

2.5.1 Two (2), I-Stars ultra SE wall mount panels with 2 ACM boards in each with fire alarm override functions
2.5.2 Three (3), PSX-WISU16-E8SNE power supplies; 150/250W, Wired for 16 readers iStar Ultra SE, Tie Wrap, Network Connected, 16 Aux Outputs

2.6 New Installations (Base year service only): The contractor shall provide, replace, repair and/or install the following items to upgrade the current system.

Job Description
Room #
Hardware type/function
Replace I-STAR 25 w/ New
AG-32 (Pump Room)
Most Current Compatible
Replace I-STAR 1 w/ New
CG-10
Most Current Compatible
Replace I-STAR 2 w/ New
AG-46A
Most Current Compatible
Replace I-STAR 35 w/ New
Bldg 3 IT Closet
Most Current Compatible
Replace I-STAR Allentown CBOC w/ New
Allentown CBOC IT Closet
Most Current Compatible
Replace I-STAR Williamsport CBOC w/ New
Williamsport CBOC IT Closet
Most Current Compatible
Install PIV door @ Women s Clinic
Corridor near A2-017
Crash bar with latch retract on PIV and auto door opener integration
Install PIV door
A2-052
HESS strike
Install PIV door
NG-130
HESS strike
Install PIV door
Ward 9 med room
Mag lock
Install PIV door
A4-48
Mag lock
Install PIV door
3-150
Mag lock
Install PIV door
2-149 2CLC
Mag lock
Install PIV door
C10-7B01
HESS strike - door prepped with reader
Install PIV door
C10-7B02
HESS strike - door prepped with reader

3. VA Software Technical Security Requirements for Software

3.1. The contractor will notify the government and patch any vulnerability identified by the manufacturer, or the government including National Institute of Standards and Technology (NIST). The contractor will review the NIST vulnerability listing at least semi- annually. Any patches to the software are at no cost to the government. The local WBVAMC ISSO (Information System Security Officer) can assist in reviewing the NIST vulnerabilities.

3.2 The contractor will ensure, with VA IT Staff, that Microsoft Edge, Firefox, Google Chrome, Microsoft Internet Information Services (IIS), and Microsoft Structured Query Language (SQL) Server are implemented with VA-approved baselines. Users must not utilize the Secure Sockets Layer (SSL) protocol and Microsoft Sync Framework, as it is unapproved for use on the TRM.

3.3 Per the Initial Product Review, users must abide by the following constraints:
C-Cure 9000 / Lynx will require a 3rd party FIPS 140-2 (or its successor) certified solution for any data containing PHI/PII or VA sensitive information. The system should undergo routine audits to ensure the users of the system have the intended access permissions to the system itself and secured or non-secured access to physical areas it provides.
VA & contractor administrators must ensure that they are using an approved version of SQL Server and that it is configured to meet the VA baseline standard. System owners should use the latest version of this product and monitor both the CVE Details and NIST National Vulnerability Database websites for any new security vulnerabilities.

3.4 System owners should not install or configure the C-Cure / Lynx Auto-Update service. All software updates should only be performed after a thorough examination of the update.

3.5 Per the May 5th, 2015 memorandum from the VA Chief Information Security Officer (CISO) FIPS 140-2 Validate Full Disk Encryption (FOE) for Data at Rest in Database Management Systems (DBMS) and in accordance with Federal requirements and VA policy, database management must use Federal Information Processing Standards (FIPS) 140-2 or its successor to protect the confidentiality and integrity of VA information at rest at the application level. If FIPS 140-2 encryption at the application level is not technically possible, FIPS 140-2 or 140-3 compliant full disk encryption (FOE) must be implemented on the storage device where the DBMS resides. Appropriate access enforcement and physical security control must also be implemented. All instances of deployment using this technology should be reviewed to ensure compliance with VA Handbook 6500 and National Institute of Standards and Technology (NIST) standards. It is the responsibility of the system owner to work with the local CIO (or designee) and Information System Security Officer (ISSO) to ensure that a compliant DBMS technology is selected and that if needed, mitigating controls are in place and documented in a System Security Plan (SSP). By September 22, 2026, all FIPS 140-2 certificate validations will be placed on the Historical List, please refer to FIPS Transition Effort for further guidance and timeline of changes.

Responses to this RFI should include company name, address, point of contact, phone number, and point of contact e-mail, UEI Number, Cage Code, size of business pursuant to North American Industrial Classification System (NAICS) 561621 (size standard of $ 22 Million). Please answer the following questions:
Please indicate the size status and representations of your business, such as but not limited to: Service-Disabled Veteran Owned Small Business (SDVOSB), Veteran Owned Small Business (VOSB), Hubzone, Woman Owned Small Business (WOSB), Large Business, etc.)?
Is your company considered small under the NAICS code identified under this RFI?
If you intend to subcontract any work on this contract, what portion of the total cost will be self-performed/will be performed by your organization? Please provide estimated detailed percentage breakdowns related to subcontracted work and completion of job.
Does your company have an FSS contract with GSA or the NAC or are you a contract holder with any other federal contract? If so, please provide the contract number.
If you are an FSS GSA/NAC contract holder or other federal contract holder, are the items/solution you are providing information for available on your schedule/contract?
General pricing of your solution is encouraged. Pricing will be used for the purpose of market research only. It will not be used to evaluate for any type of award.
Please submit your capabilities regarding the salient characteristics detailed above to establish capabilities for planning purposes.
Please review salient characteristics/statement of work (if applicable) and provide feedback or suggestions. If none, please reply as N/A.
Please provide your UEI number.

This RFI will be conducted in accordance with Federal Acquisition Regulation (FAR) Part 13. Telephone responses will not be accepted. Responses must be received via e-mail to edward.ferkel@va.gov no later than, 10:00 AM Eastern Standard Time (EST) on May 10, 2024. This notice will help the VA in determining available potential sources only. Do not contact VA Medical Center staff regarding this requirement, as they are not authorized to discuss this matter related to this procurement action. All questions will be addressed by the Contracting Officer, Edward Ferkel.

All firms responding to this Request for Information are advised that their response is not a request for proposal, therefore will not be considered for a contract award.

If a solicitation is issued, information will be posted on the Contract Opportunities website for all qualified interested parties at a later date and interested parties must respond to the solicitation to be considered for award. This notice does not commit the government to contract for any supplies or services. The government will not pay for any information or administrative cost incurred in response to this Request for Information. Information will only be accepted in writing by e-mail to Contracting Officer, Edward Ferkel at Edward.ferkel@va.gov
DISCLAIMER
This RFI is issued solely for information and planning purposes only and does not constitute a solicitation. All information received in response to this RFI that is marked as proprietary will be handled accordingly. Responses to this notice are not offers and cannot be accepted by the Government to form a binding contract. Responders are solely responsible for all expenses associated with responding to this RFI.

Attachments/Links