Zero Trust Encryption RFI

Summary (Newest Update)

Background The VA Office of Information and Technology, Infrastructure Operations manages a vast and intricate IT environment within the federal government, encompassing on-premises data centers, private cloud infrastructure, and public cloud services via the VA Enterprise Cloud (VAEC). Central to this environment is the VA's enterprise Hardware Security Module (HSM) fleet, which underpins the Public Key Infrastructure (PKI), Key Management Services (KMS), digital certificate operations, and cryptographic processing for various clinical and administrative systems. The fleet includes ten production network-attached HSM appliances: eight Luna Network HSM T-5000 and two Luna Network HSM T-2000, all at firmware version 7.11, distributed across four CONUS gateway data centers. The contract aims to support the VA's Zero Trust modernization program aligned with Critical Security Controls and mandates readiness for post-quantum cryptography (PQC) as per NIST standards. Work Details The Contractor will provide comprehensive managed services, hardware sustainment, lifecycle support, professional services, and PQC upgrade capabilities for the VA's enterprise HSM infrastructure. Key tasks include: 1. Project Management 2. HSM Hardware Sustainment and Maintenance 3. HSM Managed Services and Partition Lifecycle Management 4. Post-Quantum Cryptography Readiness and Upgrade Services 5. Professional Services, Market Research, and Advisory Support 6. Transition-Out to Government Operation All solutions must comply with defined Salient Characteristics including: - FIPS 140-3 Level 3 validation for cryptographic modules. - Tamper-resistant enclosure with automatic zeroization upon intrusion. - In-field firmware upgradeable to NIST-standardized PQC algorithms without hardware replacement. - Support for multi-tenancy with isolated cryptographic partitions. - Minimum 99.9% availability across the managed HSM fleet. Period of Performance The anticipated period of performance is a twelve-month base period with four twelve-month option periods, totaling up to sixty months. Place of Performance Services will be performed across the VA's national footprint of data centers and gateway locations. Bidder Requirements Bidders must meet the Service Disabled Veteran Owned Small Business Set-Aside (SDVOSBC) status. Additionally, they must ensure compliance with all relevant standards including FIPS 140-3 for cryptographic modules and demonstrate capability in providing managed services that align with VA's Zero Trust Critical Security Controls.