SOURCES SOUGHT
D -- Healthcare Technology Management
- Notice Date
- 9/3/2025 8:33:10 AM
- Notice Type
- Sources Sought
- NAICS
- 541512
— Computer Systems Design Services
- Contracting Office
- TECHNOLOGY ACQUISITION CENTER AUSTIN (36C10A) AUSTIN TX 78744 USA
- ZIP Code
- 78744
- Solicitation Number
- 36C10A25Q0088
- Response Due
- 9/19/2025 12:00:00 PM
- Archive Date
- 10/19/2025
- Point of Contact
- Scott R. Kopp, Director, Tele Technology Division, Phone: 512-981-4467
- E-Mail Address
- Scott.Kopp2@va.gov
- Small Business Set-Aside
- SDVOSBC Service-Disabled Veteran-Owned Small Business Set Aside
- Awardee
- null
- Description
- DEPARTMENT OF VETERANS AFFAIRS REQUEST FOR INFORMATION MAY 8, 2025

1. INTRODUCTION

This Request for Information (RFI) is issued for conducting market research and planning purposes only. Accordingly, this RFI constitutes neither a Request for Quote (RFQ), Request for Proposal (RFP), nor a guarantee that one will be issued by the Government in the future; furthermore, it does not commit the Government to contract for any services described herein. Additionally, this RFI does not restrict the Government as to the ultimate acquisition approach. In accordance with Federal Acquisition Regulation (FAR) 15.201(e), responses to this notice are not offers and cannot be accepted by the Government to form a binding contract.

The purpose of this RFI is to identify qualified vendors who can meet Department of Veterans Affairs (VA) requirements for a Clinical Device Maintenance & Optimization Platform (CD-MOP) solution. Any contract/order that might be awarded based on information received or derived from this market research will be the outcome of the competitive process. The purpose of this RFI is to obtain market information on capable sources.

The Government is not responsible for any cost incurred by industry in furnishing this information. All costs associated with responding to this RFI will be solely at the interested vendor's expense. Not responding to this RFI does not preclude participation in any future solicitation if any is issued. Any information submitted by respondents to this RFI is strictly voluntary. All submissions will become Government property and will not be returned. Interested vendors are responsible for adequately marking proprietary, restricted or competition sensitive information contained in their response. VA is under no obligation to provide feedback to the company, or to contact the company for clarification of any information submitted in response to this RFI.

2. RFI Response Instructions

Provide the following information:

(A) Provide Company Information:
1) Company Name
2) CAGE/Unique Entity ID (previously DUNS) under which the company is registered in SAM/VetBiz.gov
3) Company Business Size and Status for North American Industry Classification (NAICS) 541512*
   * If you believe there is a more appropriate NAICS code, please provide that to the Government with your rationale.
4) Contract Vehicles: Identify if you can provide services via a Government-wide Acquisition Contract, Federal Supply Schedule, National Aeronautics and Space Administration (NASA) Solutions for Enterprise-Wide Procurement (SEWP) VI, etc., that may assist in determining acquisition strategy.
5) Socioeconomic Data: Identify business size. If a small business, please identify socio-economic category(ies).
6) Company Address
7) Point of Contact Name
8) Point of Contact Telephone Number
9) Point of Contact Email Address

(B) Brief summary (not to exceed 20 pages) describing your company's technical approach to meeting the requirements, by responding to the 25 questions below. If a question indicates that information can be provided in an appendix, that information will not count towards the 20-page limit:
Appendix A: List of classifications and subclassifications the solution uses out of the box (2a)
Appendix B: Network protocols recognized by the solution and data attributes obtained (2f)
Appendix C: Screenshots of utilization information (7e)

Asset Discovery
How does your solution discover all connected medical devices across the enterprise, including those on the guest network, devices with unknown MAC addresses, or devices behind converters/workstations (e.g. Lantronix, lab analyzers, infusion pumps, USB connected devices)? Please describe how your solution is able to recognize these devices.
How does your solution perform agentless discovery of medical devices and IT systems, including RPC and passive methods (e.g., deep packet inspection)?
Does your system support continuous discovery (real-time) vs scheduled scans?
How do you handle device subcomponents (e.g. modules connected to a patient monitor, IoT endpoints connected via workstation)? Please describe how your solution associates these subcomponents with the device communicating on the network.

Asset Recognition & Classification
What methods does your solution use to identify and classify/categorize devices (e.g. by MAC OUI, traffic signatures, medical protocol support like HL7/DICOM)? In Appendix A please provide a detailed list of all the classifications and sub-classifications of devices. Include hierarchies of these classifications/categorizations.
Does your platform automatically collect and reconcile device attributes (e.g., manufacturer, model, serial number, OS details, patch levels, AV status)? If so, how does it collect and reconcile them? Please provide details of how your solution determines what information to display if there are potentially multiple sources for the same information.
What elements are discoverable regardless of OS type (commercial vs real time OS)?
Can your classification/categorization logic be mapped to VA's standards (VA Medical Device Nomenclature System [VA-MDNS], Naming Standard Index [NSI])? Is the solution capable, out of the box, of displaying VA custom fields? If so, please describe how these fields can be populated. For example, manual entry only, ETL processes, or some other methodology.
How does your solution differentiate between medical vs non-medical devices and ensure accuracy? Is there functionality to apply VA business rules to refine this classification/categorization?
Please describe in detail what medical device specific communication protocols your solution is able to recognize and parse relevant information from through network traffic analysis only. Please provide in Appendix B a list of all these protocols and the data attributes each one brings into your solution. For example (DICOM: parse DICOM header information to obtain field x, y, z, or Welch Allyn vital signs monitors' proprietary protocol to obtain fields x, y, z).

Integration Capabilities
Which of the following systems does your solution natively integrate with: Active Directory, VA CDW, Palo Alto Firewalls, Cisco ISE, SCCM, Microsoft Defender, ServiceNow, Summit Data Platform, Splunk SIEM, VMware vCenter, Forescout, Juniper/HP, Gigamon? Please also include information on other native integrations not otherwise listed.
How does your solution integrate with Microsoft Active Directory for both device identification and system user permissioning (OU, logins, device associations, etc.)?
Can your solution integrate with internal Windows Server Update Servers to update patch history of devices?
How does your solution handle ETL processes for IoT data with incremental updates rather than full refreshes?
Please describe if your solution is able to display applicable ACL rules applied to specific devices/VLANs. Provide details on how you obtain that information for display.
Please describe if your solution is able to display applicable Palo Alto Firewall rules applied to specific devices/VLANs. Provide details on how you obtain that information for display in association with that device.

Asset Management and Reconciliation
How does your solution ingest and reconcile asset management from legacy or current CMMS systems (AEMS/MERS, Maximo, DMLSS, Nuvolo)?
What methods are available for automatic reconciliation (e.g., serial number, MAC address matching)?
Can your solution highlight discrepancies (devices in CMMS but not discovered, or discovered but not in CMMS)?
How does your solution handle asset/device detail discrepancies where information from multiple integrations disagrees on device data elements?
How do you manage and compare MDS2 form data with current device operational/security status?

Solution Architecture and Deployment
How does your solution handle redundancy, failover, and scalability to support up to 2.5 million connected devices that include 200,000 networked medical devices with 20% variation in demand?
If your system is licensed based on endpoint devices, how will your system handle seeing non-medical devices and the need to collect some data on the non-medical systems to complete the picture of medical device interactions?
Can your solution support both on-premises and cloud-based deployments? If cloud, is it FedRAMP-authorized and compliant with NIST 800-145 cloud computing characteristics?
Provide a list of three healthcare facilities where the solution has been successfully implemented. Include:
   Site name and type (hospital, research, clinic, etc.)
   Scope of deployment (number of devices, integration with EHR, security systems, etc.)
   Year of implementation
   References or points of contact for verification (if permitted)

Lifecycle and Topology
Does your platform maintain a device history log (connectivity, patches, configuration changes, usage trends)?
Can your solution provide a network topology view showing device relationships, VLAN information, and subnet mapping?
How does your solution support tracking of recalls, misconfigurations, and risk posture throughout the device lifecycle? Please describe how your solution handles each of these.
Does the solution track device activity and automatically determine baseline communication profiles by monitoring packet-level communications and provide flow analytics for each VLAN and subnet, where information is anchored to a specific device (e.g. Switch Port Analyzer (SPAN), Test Access Point (TAP))?
Does the solution have the ability to collect and maintain a device inventory of detected devices, with the ability to query for changes to inventory?

Reporting and Usability
What reporting capabilities are available for asset inventory, discrepancies, device classifications, and lifecycle history?
Can reports be exported in CSV and PDF formats, and tailored to VISN, facility, or clinic-level organizational groupings?
Can the solution provide device specific reports that can be exported in CSV or PDF that define Source and Destination (IP, MAC, Manufacturer, Model, OS), Internal/External, Protocol, TCP/UDP, Ports, Directionality, and Total Bytes Exchanged, for a user-specified period of time?
Does your solution offer role-based dashboards so HTM, Security, and clinical teams can view device data relevant to their needs?
How do you provide device utilization reporting? Please describe in detail what utilization information can be provided and for what types of devices. In Appendix C please provide screenshots of device utilization information provided for a CT Scanner, PACS workstation, Retinal Camera, Patient Monitor, and Infusion Pump over a one-week period. If available, provide Device Information, Sankey Diagrams/equivalent, DICOM exam information, Utilization heatmaps, account logins, or any other pertinent information.
Can the solution provide reports that define all DICOM AE Title communications on the network, including sources and destinations of that information?

Vulnerability Discovery and Remediation
How does your solution provide vulnerability insights by tracking patch releases, ICS-CERT advisories, FDA recalls, and Manufacturer Disclosure Statements (MDS2)?
Can your solution automatically track confirmed vulnerability detections and confirm remediation status?
Can your system detect and block unauthorized or malicious traffic (unapproved external IPs, OCONUS, ransomware or phishing)?
Can your solution detect whitelisted traffic?
Can your solution flag devices to monitor them for external communications? Can this monitoring be customized to authorize specific external communications (whitelisting), while alerting for potential unauthorized communications? Please describe how this process would be done within the application, if capable.
Can your solution track whether medical devices are patched versus having compensating security controls applied?
Can your solution support multilevel administration (role-based access controls, MLA) for vulnerability management?
Can your solution detect devices running unsupported or End-of-Life (EoL) operating systems and real-time operating systems?
Does your solution identify vulnerabilities based on NVD CVE IDs and the CISA Known Exploited Vulnerabilities catalog?

(C) Catalog prices and a Rough Order of Magnitude for the technical approach to meeting the requirement.

Responses to this RFI shall be submitted electronically by September 19, 2025, at 3:00 PM Eastern Standard Time via email to the points of contact below:
Subject Title: Healthcare Technology Management
Scott R. Kopp - Scott.Kopp2@va.gov
Nadia Elkaissi - Nadia.Elkaissi@va.gov

All proprietary/company confidential material shall be clearly marked on every page that contains such.
- Web Link
- SAM.gov Permalink (https://sam.gov/opp/b4e4d9118d59459cb4b40464594bfca9/view)
- Record
- SN07577261-F 20250905/250903230049 (samdaily.us)
- Source
- SAM.gov Link to This Notice (may not be valid after Archive Date)