Loren Data's SAM Daily™

fbodaily.com
SAMDAILY.US - ISSUE OF MARCH 21, 2020 SAM #6687
SOURCES SOUGHT

D -- RFI for Medical Scanning Devices (VA-20-00039162)

Notice Date
3/19/2020 7:05:17 AM
 
Notice Type
Sources Sought
 
NAICS
541519 — Other Computer Related Services
 
Contracting Office
TECHNOLOGY ACQUISITION CENTER AUSTIN (36C10A) AUSTIN TX 78744 USA
 
ZIP Code
78744
 
Solicitation Number
36C10A20Q0080
 
Response Due
3/25/2020 12:00:00 AM
 
Archive Date
04/09/2020
 
Point of Contact
Luke Makenzie Contract Specialist 512-981-4406
 
E-Mail Address
Luke.Makenzie@va.gov
 
Awardee
null
 
Description
Securing Medical Devices Demonstration Request for Information (RFI)

Introduction

The purpose of this Request for Information (RFI) is for market research from Original Equipment Manufacturers (OEMs) to determine industry's capability to meet the Department of Veterans Affairs (VA) requirements for securing Medical Devices and ancillary Special Purpose Systems. The mission of the VA is to provide benefits and services to Veterans of the United States. In meeting these goals, the Office of Information and Technology (OIT) strives to provide high quality, effective, and efficient Information Technology (IT) services to those responsible for providing care to the Veterans at all the touch points of all VA facilities in an effective, timely and compassionate manner. To provide these services, VA's Information Technology Operations and Service (ITOPS) operates and maintains IT within 220 VA medical facilities, and their associated remote offices, with 1.5 million endpoints.

This RFI is issued for information and planning purposes only and does not constitute a solicitation, nor does it restrict the government as to the ultimate acquisition approach. In accordance with Federal Acquisition Regulation (FAR) 15.201(e), responses to this notice are not offers and cannot be accepted by the government to form a binding contract. Any contract that might be awarded based on information received or derived from this market research will be the outcome of the competitive process. The purpose of this RFI is to obtain market information on capable sources of supply, industry practices, and input specific to the information provided. The Government is not responsible for any cost incurred by industry in furnishing this information. All costs associated with responding to this RFI will be solely at the interested vendor's expense. Not responding to this RFI does not preclude participation in any future Request for Proposal (RFP), if any is issued.
Any information submitted by respondents to this RFI is strictly voluntary. All submissions become Government property and will not be returned.

As healthcare providers automate medical records, clinical systems, and medical imaging, protecting the privacy of patient information and securing IT infrastructures is becoming increasingly challenging. VA, as well as other healthcare organizations worldwide, is facing more security threats that increase the risks of inappropriate access to patient information, inability to access the information, and impaired integrity of the information. Medical devices and Special Purpose Systems (SPS), like other computer systems, can be vulnerable to security breaches. This potentially impacts the safety and effectiveness of the device. As a result, VA is conducting market research to investigate alternative approaches and industry solutions to implement a comprehensive, scalable solution to secure, monitor, and isolate medical devices and SPS. The intent is to reduce cyber security material weakness without creating an overly complex environment, while maximizing the re-use of existing infrastructure and network technologies, in order to determine system network readiness.

VA is seeking Original Equipment Manufacturers (OEMs) to participate in an internal VA test/demonstration for securing, monitoring and isolating medical devices and SPS. The intent of the demonstration is to validate the functionality of the system features and gain insight into the current state of technology. An area of concern is the reduction of cyber security material weakness while maximizing the re-use of existing infrastructure. The results of the test/demonstration will be used to support VA in refining the requirement to take advantage of the latest technology.
Once VA completes testing, the VA intends to issue a combination RFI/draft Request for Proposal (RFP) which will provide industry an opportunity to provide additional feedback prior to the final RFP. The VA intends to meet the requirement through a competitive acquisition, so any vendor who believes that the ultimate requirement in the second RFI/draft RFP is unduly or unnecessarily restrictive is encouraged to contact the Contracting Officer and provide specific feedback about any aspect of the proposed requirement that limits competition.

Technical Requirements

The following Technical Requirements are provided for review by industry. As stated above, any aspect of the requirement that limits competition should be brought to the attention of the Contracting Officer.

Asset Discovery and Recognition:

The solution must be able to profile all Internet of Things (IoT) devices on the network, to include medical devices and SPS.
Passively discovers all devices (medical, facilities, security, industrial, workstations, etc.) and gathers high-resolution information about each, including MAC/IP address, firmware version, make, model, serial number and OS type/patches.
Automatically classifies all devices into groups and profiles and separates them by device model and type.
Discovers, learns and tracks network anchoring information (MAC/IP, VLAN, subnet, access type, switch/WLC, interface/AP, OS and protocols used) about each device automatically.
Tracks device activity and automatically determines baseline communication profiles by monitoring packet-level communications, and provides flow analytics for each VLAN and subnet, where information is anchored to a specific device (e.g. SPAN, TAP).
Collects and maintains a device inventory of detected devices, with the ability to query for changes to the inventory.
Tracks device activity and automatically builds baseline communication profiles by monitoring packet summarization flow data, and provides flow analytics for each device (e.g. NetFlow, sFlow, etc.).
Provides IoT device utilization tracking.
Ability to name and group non-IoT devices to assist in traffic mapping.
Identify/label assets and other detailed associated information (vendor, type, criticality, risk level, etc.).
Save and display historical information of devices, including changes of: device name, IP(s), MAC addresses, hostname, software/firmware, pattern of communication, configurations, OS/IOS, new devices, applications and databases, disconnected devices, mode/state, etc.
Maintain asset historical record.
Identify attributes of each labelled asset, including model, vendor, hardware type (and attributes such as memory load, condition/errors, mode, etc.), controller code checksum, firmware version, serial number, MAC address.
Identify assets talking to the Internet or using IPSec, SSH, or other protocols.
Differentiates physical IT hardware/appliances from virtual.
Allows manually added attributes on an identified asset (e.g. site, physical site location, function, system, description).
Identify new additions/assets.

2. Vulnerability Discovery and Remediation Management:

Automatically identifies and provides alerts for IoT devices that exhibit anomalous communication behavior.
Must support passive vulnerability scanning.
Must understand medical device protocols, including but not limited to HL7 and Digital Imaging and Communications in Medicine (DICOM).
Must provide context regarding existing and potential cyber threats.
Must provide risk scoring of endpoints.
Provides device vulnerability insights based on tracking manufacturer patch releases and information disclosures (ICS-CERT advisories, FDA recall notices, MDS2 forms).
Automatically tracks vulnerability remediation.
Provides the ability to blacklist or quarantine a device without any service interruption.
Automatically generates policies to protect devices by type for zero-trust micro-segmentation that can be enforced in the network at the access layer (switch port or wireless controller) via API, SNMP-RO, SNMP-Write, SSH, etc.
Must leverage data gathered through its visibility and detection capabilities to help minimize the device attack surface through clinical micro-segmentation, as well as tailored security policies.
Automatically generates policies to protect devices by type for zero-trust zone-based segmentation that can be enforced on firewalls.
Ability to detect traffic from outside the network, to include whitelisted IPs, OCONUS, and unapproved IPs.
Proactively tracks whether a medical device has been patched or compensating controls have been applied (Case Management, Rule Creation).
Provide Multilevel Administration (MLA) with Role Based Access Controls (RBAC).
Provides vulnerability assessment of endpoints.
Device impact level score must match NIST RMF requirements.

Alerting and Displaying:

Provides a robust display of data that is configurable by the operator, to include but not limited to Network Flow, Data Flow, Device Criticality, Inventory, etc.
Proactively alerts on and identifies assets that are vulnerable to the latest high-impact/high-profile vulnerabilities (WannaCry, NotPetya, BlueKeep, Urgent11).
Ability to provide customized dashboards at National, Regional, VISN and facility level.
The solution must integrate with VA's existing Splunk Enterprise Security (ES) infrastructure, presenting medical device and IoT related analytics to help CSOC teams make more informed decisions around protection and threat prevention.
Flag/alert new additions/assets until detailed and acknowledged.
Alert on new devices or devices that have not communicated in a period of time.
Alert on security related events (man in the middle, port scan, ping scan, active tool scans).
Alert forwarding as syslog events to a third-party SIEM (Splunk).
Identify scanning and reconnaissance activities and log and/or alert via configuration.
Notification logged when a new type of event is experienced.
Audit trail of events/alarms, with the ability to sort and link to CVE and ICS-CERT alerts.

(Enterprise View) Reporting Capabilities and Certifications:

Centralized administration management console that will provide an enterprise view and assist with policy management.
Provides an enterprise-wide view of the asset database, with new assets/info on changes replicated from sites.
Capable of performing an individual site view and network topology from a backup during a site outage.
Provide graphical topology mapping of the monitored IT and IoT network.
Graphical topology mapping can filter on IT and/or IoT devices, to include medical devices and SPS, for viewing.
Able to baseline communication traffic, identify anomalies, and have the flexibility to adapt to planned changes (add/remove).
Configurable sort/list of assets by system type (e.g. PLC), date of discovery, subnet/IP address, asset labels, undefinable assets, vendor make and model, and specific communication protocol used (TCP, Ethernet/IP, etc.).
Perform Deep Packet Inspection on traditional IT protocols (TCP/IP, SNMP, SSH, HTTP/HTTPS, Telnet, FTP, SMB/CIFS, DNS, ICMP).
Logging capable of being ingested by Splunk.
Controls to prevent local login without additional authentication.
The solution must be FIPS 140-2 certified.
Offers private cloud management with the ability to scale indefinitely.
Offers a SaaS deployment option so an organization doesn't need to host or operate servers in its own environment.
FedRAMP Moderate certified cloud component.
Fingerprint devices using deep packet inspection.
Must provide encrypted data transmission.
Ensure all APIs are exposed for administrative use.

Demonstration and Testing

Vendors may be invited to provide and demonstrate a system suitable for testing by VA technical experts at no cost to the government. VA will review the submitted information and assess products for their ability to meet their claimed functionality, ease of use and advanced features. The vendor will be required to allow VA to test the solution at no additional cost to VA in accordance with the attached (Attachment A) test agreement that reflects the rules between the Vendor and the Government as it relates to services, materials, liability, etc. The testing period is currently expected to last approximately 90 days, which includes setup, demonstration, and data/performance assessment. The vendor will connect to the VA test site through a dedicated port on the Gigamon, which will span all network traffic of the test site. For the purpose of this test/demonstration, the OEM is requested to provide their solution to the government at no cost. During the demonstration period, the Vendor shall provide required support to successfully set up the demonstration (approx. 1 week on-site), as well as support ensuring connectivity and operations during the demonstration, data collection, troubleshooting and issue resolution (on call/online support, 1 business day resolution). The OEM will also be requested to provide a short tutorial on the solution to the demonstration team. VA will coordinate a set-up, test and demonstration schedule with interested vendors between April and June 2020.

Response Instructions

For RFI purposes, VA is requesting responses from Original Equipment Manufacturers only (not resellers or integrators). Please submit the below requested information by 12:00 PM (Noon) EST on March 25, 2020 via email to Luke Makenzie, Contract Specialist, at luke.makenzie@va.gov. VA reserves the right to not respond to any, all, or select responses or materials submitted.
All VA current requirements identified herein are subject to change at any time. If you experience any problems or have any questions concerning this announcement, please contact Luke Makenzie at 512-981-4406.

General Company Information

Include the following identification information:
Company Name
CAGE/DUNS Number under which the company is registered in SAM/VetBiz.gov
Company Address
Point of contact name
Telephone number
Email address
Do you have SDVOSB, VOSB, or other Small Business resellers available?
Please list any contracts (GSA, NASA SEWP, etc.) in which your solution may be offered.

Technical Questions:

Submit a capability statement of your company's ability and understanding of providing a solution that meets the above functional requirements.
Please describe your solution's ability to interface with 3rd party and other existing VA solutions and applications, including but not limited to the following: Active Directory, Cisco ISE, Forescout, HW Asset Management Software Mfgs (Nuvolo, etc.), Infoblox, Palo Alto Firewall, Service Now (SNow), VA's CMMS, SIEM Splunk.
Please describe the licensing strategy for your solution.
Please describe scalability and impacts to the network with the deployment of your solution to meet VA enterprise requirements.
Please describe your network connectivity requirements and solution architecture.
Please provide comments, recommendations, or questions regarding the strategy and attached agreement.

Responses should be a maximum of 10 pages, using a page size of 8.5 by 11 inches with 1 inch margins, single-spaced paragraphs, with minimum font size/style 12 point Times New Roman for text, 9 point minimum Arial or Times New Roman for tables, and 8 point minimum Arial or Times New Roman for graphics, maps, charts, graphs, diagrams, or figures. Tables and graphics may be landscape; all other text must be portrait. All proprietary/company confidential material shall be clearly marked on every page that contains such.
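The asset discovery and alerting requirements above (baseline communication profiles learned from flow summaries, alerts on anomalous communication, on traffic to outside/unapproved addresses, on new devices, and on devices that have gone silent, forwarded as syslog events to a SIEM) are stated as capabilities rather than mechanisms. The following is an added example, not part of the RFI and not any vendor's product, showing one minimal way those capabilities fit together. All device MACs, addresses, ports and flow records are constructed sample data; the internal address ranges, the approved-external set, the sensor hostname and the `iotalert@32473` structured-data ID (32473 is the enterprise number reserved for documentation) are assumptions chosen for the example.

```python
"""Baseline communication profiles and syslog alerting for medical/IoT devices.

Added example, not part of the VA RFI: learns a per-device profile from
NetFlow/sFlow-style flow summaries during a learning window, then compares
later flows against it and emits RFC 5424 syslog lines for SIEM forwarding.
Every device, address and flow below is constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    ts: int        # epoch seconds at which the collector observed the flow
    mac: str       # source device MAC address; the anchor for its profile
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str     # "tcp" or "udp"


@dataclass
class Profile:
    ips: set = field(default_factory=set)
    peers: set = field(default_factory=set)   # (dst_ip, dst_port, proto) tuples
    last_seen: int = 0


# Assumed policy inputs: address space treated as "inside" and the explicitly
# approved outside destinations (the RFI's whitelisted IPs). Constructed values.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
APPROVED_EXTERNAL = {"198.51.100.10"}   # e.g. an approved vendor update mirror

SEVERITY = {"new_device": 5, "anomalous_peer": 4,      # syslog severities:
            "external_destination": 4, "stale_device": 5}   # 4=warning, 5=notice
FACILITY_LOCAL0 = 16


def is_outside_network(ip):
    """True when a destination is neither inside nor on the approved list."""
    addr = ip_address(ip)
    inside = any(addr in net for net in INTERNAL_NETS)
    return not inside and ip not in APPROVED_EXTERNAL


def build_baseline(flows):
    """Learn one Profile per device MAC from flows seen in the learning window."""
    baseline = {}
    for f in flows:
        p = baseline.setdefault(f.mac, Profile())
        p.ips.add(f.src_ip)
        p.peers.add((f.dst_ip, f.dst_port, f.proto))
        p.last_seen = max(p.last_seen, f.ts)
    return baseline


def detect(baseline, flows, now, stale_after):
    """Compare flows against the baseline; return alert dicts in detection order."""
    alerts = []
    for f in flows:
        peer = (f.dst_ip, f.dst_port, f.proto)
        p = baseline.get(f.mac)
        if p is None:
            # First sighting: start a fresh profile and flag it for acknowledgement.
            baseline[f.mac] = Profile(ips={f.src_ip}, peers={peer}, last_seen=f.ts)
            alerts.append({"kind": "new_device", "mac": f.mac, "ip": f.src_ip, "ts": f.ts,
                           "msg": f"new device {f.mac} ({f.src_ip}) first seen"})
        else:
            if peer not in p.peers:
                # Not learned into the profile: it stays an anomaly until acknowledged.
                alerts.append({"kind": "anomalous_peer", "mac": f.mac, "ip": f.src_ip,
                               "peer": f"{f.dst_ip}:{f.dst_port}/{f.proto}", "ts": f.ts,
                               "msg": f"{f.mac} contacted peer outside its baseline"})
            p.ips.add(f.src_ip)
            p.last_seen = max(p.last_seen, f.ts)
        if is_outside_network(f.dst_ip):
            alerts.append({"kind": "external_destination", "mac": f.mac, "ip": f.src_ip,
                           "peer": f"{f.dst_ip}:{f.dst_port}/{f.proto}", "ts": f.ts,
                           "msg": f"{f.mac} sent traffic to unapproved outside address"})
    for mac, p in baseline.items():
        if now - p.last_seen > stale_after:
            alerts.append({"kind": "stale_device", "mac": mac, "ip": sorted(p.ips)[0],
                           "ts": now, "msg": f"{mac} silent for more than {stale_after}s"})
    return alerts


def _sd_escape(value):
    # RFC 5424 SD-PARAM values must escape backslash, double quote and ']'.
    return str(value).replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def to_syslog(alert, hostname="iot-sensor-01", app="devsec"):
    """Render an alert as an RFC 5424 line: <PRI>1 TS HOST APP PROCID MSGID [SD] MSG."""
    pri = FACILITY_LOCAL0 * 8 + SEVERITY[alert["kind"]]
    ts = datetime.fromtimestamp(alert["ts"], tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    sd = " ".join(f'{k}="{_sd_escape(v)}"' for k, v in alert.items() if k not in ("ts", "msg"))
    return f"<{pri}>1 {ts} {hostname} {app} - {alert['kind']} [iotalert@32473 {sd}] {alert['msg']}"


def run_demo():
    """Constructed learning window and observation window; returns the alerts."""
    learning = [
        Flow(1000, "00:11:22:33:44:01", "10.10.1.5", "10.10.2.20", 2575, "tcp"),   # pump -> HL7 engine
        Flow(1100, "00:11:22:33:44:01", "10.10.1.5", "10.10.2.20", 2575, "tcp"),
        Flow(1200, "00:11:22:33:44:02", "10.10.1.9", "10.10.3.30", 104, "tcp"),    # CT -> DICOM archive
        Flow(1300, "00:11:22:33:44:03", "10.10.1.12", "10.10.2.53", 53, "udp"),    # monitor -> DNS
    ]
    observed = [
        Flow(5000, "00:11:22:33:44:01", "10.10.1.5", "10.10.2.20", 2575, "tcp"),   # within baseline
        Flow(5100, "00:11:22:33:44:02", "10.10.1.9", "203.0.113.7", 443, "tcp"),   # unknown outside host
        Flow(5200, "00:11:22:33:44:04", "10.10.1.40", "10.10.2.53", 53, "udp"),    # never-seen device
    ]
    baseline = build_baseline(learning)
    return detect(baseline, observed, now=8000, stale_after=3600)


if __name__ == "__main__":
    for alert in run_demo():
        print(to_syslog(alert))
```

In the constructed run the CT scanner's flow produces both an anomalous-peer and an external-destination alert, the never-seen device produces a new-device alert, and the monitor last seen at 1300 is reported stale at 8000; each line carries the facts as structured data so the SIEM can index them without parsing the free-text message.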
 
Web Link
SAM.gov Permalink
(https://beta.sam.gov/opp/b36b6fcf8b7a4562bbb3c6ef36909869/view)
 
Record
SN05595132-F 20200321/200319230148 (samdaily.us)
 
Source
SAM.gov Link to This Notice
(may not be valid after Archive Date)
