Network-Based Encryption Key Recovery and Storage Services

This Request for Information (RFI) is for planning purposes only and shall not be considered an Invitation for Bid, Request for Task Execution Plan, Request for Quotation or a Request for Proposal. Additionally, there is no obligation on the part of the Government to acquire any products or services described in this RFI. Your response to this RFI will be treated only as information for the Government to consider. You will not be entitled to payment for direct or indirect costs that you incur in responding to this RFI. This request does not constitute a solicitation for proposals or the authority to enter into negotiations to award a contract. No funds have been authorized, appropriated or received for this effort. Interested parties are responsible for adequately marking proprietary, restricted or competition sensitive information contained in their response. The Government does not intend to pay for the information submitted in response to this RFI. The North American Industry System (NAICS) for this requirement is projected to be 541519 with a size standard of $34 million. VA is contemplating a potential requirement to renew software maintenance and support of its deployed Network-based Encryption Key Recovery Storage System (NBEKRSS) solution. VA is conducting Market Research into potential providers of that software maintenance, as well as assessing the market conditions for new potential entrants and capabilities of like solutions. At this time, VA is conducting research, and as such this RFI shall not bind VA in any way. See attached draft Product Description for additional details. 2. Submittal Information: All responsible sources may submit a response in accordance with the information below. There is a page limitation for this RFI of 15 pages. The Government will not review any other information or

attachments included that are in excess of the (15) page limit. NO MARKETING MATERIALS ARE ALLOWED AS PART OF THIS RFI. Generic capability statements will not be accepted or reviewed. Your response must address capabilities specific to the services required in the attached PD and must include the following: Interested Vendors shall at a minimum provide the following information in the initial paragraph of the submission [For SDVOSBs and VOSB, proof of verification in SBA Small Business Search (SBS) website https://search.certifications.sba.gov/]: Name of Company Address

Point of Contact Phone Number Email address Commercial and Government Entity (CAGE) Code Unique Entity Identifier (UEI) Company Business Size and Status North American Industry System (NAICS) code Socioeconomic data Existing Contractual Vehicles (Governmentwide Acquisition Contract (GWAC), Federal Supply Schedule (FSS), etc.) Provide a summary of your ability to meet the

requirements contained within the draft Product Description (PD) for the following areas: 1. Company Qualifications and Product Overview Describe your organization s experience providing enterprise on premises cryptographic or key management software to federal agencies of comparable scale to the Department of Veterans Affairs. Provide a high level description of your encryption key recovery storage system and its primary functional components. Include Certificate Authority (CA) and Hardware Security Module (HSM) integration experience and any

requirements/limitations for the configurations. Identify any existing contract vehicles under which your product and support services are offered. Confirm whether your product fully supports a customer applied update model in an on premises, non cloud environment. 2. Federal Public Key Infrastructure (PKI) and Security Compliance Explain how your solution complies with: Federal PKI policy

requirements National Institute of Standards and Technology (NIST) cryptographic standards Federal Information Processing Standard (FIPS) 140 2 or 140 3 validated modules Provide documentation or references validating these claims. 3. Licensing Model Provide your