Users of assistive technologies such as screen readers should use the following link to activate Accessibility Mode before continuing: Learn more and Activate accessibility mode.
Added: Aug 11, 2011 11:45 am
Request For Information (RFI)
DEPARTMENT OF VETERAN AFFAIRS
Office of Information Technology (OIT)
Enterprise Systems Engineering (ESE)
Off Premises SaaS Cloud Based Collaborative Tool
RFI Version Number: 1.04
1 Purpose of this RFI 3
2 Background 3
3 Project Description 4
4 Service Level Agreements (SLA) 5
5 Answers VA Is Looking For: 5
6 How to Respond 11
Appendix A - Acronym List 12
Appendix B - SaaS Data Flow and Security Architecture DRAFT 13
1 Purpose of this RFI
This Request for Information (RFI) is to solicit preliminary information from vendors who wish to work in partnership with the Department of Veterans Affairs (VA) to add VA users to the vendors established/existing Cloud SaaS Collaborative Tool solution for the VA, which will integrate with existing VA systems (Exchange Calendaring, SharePoint, Active Directory, etc), and holds, at a minimum, Federal Information Security Management Act (FISMA) Moderate Certification. Specifically to meet a critical need:
The impetus to look at this type of product is to determine if a deployment of a Cloud SaaS based set of Collaborative Tools will fill the need for such collaborative tools as has been documented by VHA's Health Alliance. The Health Alliance Report concluded that VA's doctors need a new effective and intuitive collaborative tool, to improve communications, while also reducing data breaches. By implementing a pilot of Cloud SaaS based Collaborative Tools the VA would be able demonstrate how collaborative tools will improve veteran care, reduce the amount of time the VA's doctor's spend on collaboration, and prevent further data breaches which have been caused, in part, due to the lack of a VA approved collaborative tool.
Our plan is to pilot the Cloud SaaS based solution to VA staff physicians and residents. Up to 5,000 will participate in the pilot and if successful, and approved, the Cloud solution has the potential to be expanded to a total of 134,000 VA medical personal (17,000 staff physicians, 36,000 residents, and 81,000 others).
The mission of VA is to provide benefits and services to Veterans of the United States. In meeting these goals, Office of Information and Technology (OIT) strives to provide high quality, effective, and efficient Information Technology (IT) services to those responsible for providing care to the Veterans at the point-of-care as well as throughout all the points of VA in an effective, timely and compassionate manner. VA depends on Information Management/Information Technology (IM/IT) systems to meet mission goals. In order support VA's medical staff with an intuitive Cloud SaaS Collaborative Tools solution, VA is considering the integration of a commercially available SaaS set of tools which can be deployed in a seamless fashion which results in superior care to the veteran through improved physician collaboration and cost efficiencies.
Based on recent Office of Management and Budget (OMB) guidance, VA is evaluating Cloud based tools, as opposed to developing and hosting its' own applications for collaboration for use across VA enterprise and possibly outside VA's enterprise.
3 Project Description
VA would like to receive industry recommendation for, or against the possibility of providing Federal Cloud SaaS collaborative tools solution to VA. These tools should include the sharing of documents and calendars once authenticated to the VA network with the vendor's Cloud SaaS environment. VA intends to consider the options from different vendors in order to provide collaborative tools to our staff physicians and residents initially, and others in the future if the Cloud SaaS solution is determined to be successful by VA Senior Executives. The collaborative sharing solution shall allow VA personnel at VA facilities and off-site to collaborate seamlessly via the onsite LAN, and offsite VA VPN or VA's Citrix Access Gateway (CAG).
The Cloud SaaS environment must be able to synchronize with existing VA Outlook calendars. Please provide details on what functionally compared to an Outlook user connected to an Exchange 2007 server you can or cannot perform with your proposed solution.
This potential project entails the design, implementation, testing, and training of the proposed Cloud SaaS Collaboration Tools which will address the following use case scenarios:
Use Case 1: Sharing of sensitive (PII/PHI) and non-sensitive patient information from one VA physician to another (to include, but not limited to, documents and calendar sharing).
Please note there are two sets of users for sensitive (PII/PHI) and non-sensitive patient information: (1) Users would be at a VA facility using the VA network and possibly the Citrix Access Gateway (CAG), and (2) Users would be off-site, but would go through the VA's CAG, once logged into the CAG all data is seen as coming and going from the VA's network.
o This is the initial trial being launched due to the urgent need.
Use Case 2: Sharing of non-sensitive health related information on education, published and un-published, non-patient specific research, policy and similar document developmental collaboration.
Please note there are three sets of users for sharing of non sensitive information: (1) Users would be at a VA facility using the VA network and possibly the CAG, and (2) Users would be off-site, but would go through the VA's CAG, once logged into the CAG all data is seen as coming and going from the VA's network; (3) The third possible set of users would be outside VA and would have access from their organizations version of the Cloud based collaborative tool. They would be able to collaborate on non-sensitive information.
o This is the next most critical need in order to support the five centers of excellence that VHA has for health education.
Use Case 3: Use of Cloud SaaS tools as a substitute for the VA's standard Outlook Exchange Email and for interconnection with the VA's existing emails systems for sharing of sensitive and non-sensitive general VA Collaboration.
Please note there are two sets of users for sharing of sensitive and non-sensitive general VA Collaboration: (1) Users would be at a VA facility using the VA network and possibly the CAG, and (2) Users would be off-site, but would go through the VA's CAG, once logged into the CAG, all data is seen as coming and going from the VA's network.
Use Case 4: Sharing of sensitive patient information between VA and DoD
Please provide a description of how your solution could meet these use cases.
4 Service Level Agreements (SLA)
In Cloud SaaS based collaborative tools solution the vendor will have the administrative rights to all of the Cloud based systems necessary to provide VA with the Cloud SaaS. VA will maintain internal help desk staff to provide end user support, training, creating and deleting accounts via Active Directory, and administering some portion of authentication, depending on the solution model offered. Activities that require administrative access include, but are not limited to, OS/Application patching, backup restores, disaster recovery, and network outage recovery will be handled by the Contractor's administrative staff. Interconnections between the Contractor's network to VA's network will be jointly worked with each entity troubleshooting up to their respective demark.
Please provide sample SLA documents with your RFI submission.
5 Answers VA Is Looking For:
1. Does industry recommend Cloud Software as a Service (SaaS) based applications (as defined in DRAFT NIST SP 800-145) for use in VA to replace or augment its existing collaboration and office application suite (SharePoint 2007, SharePoint 2010, JIVE, Wiki's, Web sites, File shares, etc.)? Please provide supporting rationale including advantages and disadvantages?
2. Please provide cost estimates for services initiation, customization and establishment of an authentication model which allows VA to control the authentication process, and will also integrate with existing on-premises and potential web-based applications (e.g., Microsoft email, calendar, and documents).
3. What is your recommended connection strategy and options for an agency the size of VA. (Please note VA has 4 existing demarks for Internet communications)
4. Are there yearly recurring costs for administrative support, over and above the cost of licenses? If so, please provide estimates.
5. In a SaaS environment, does industry recommend the primary interface and data interconnection between our agency and a SaaS provider to be across the Internet, via a point-to-point link, or intra data center interconnection? Please provide supporting rationale?
6. Can VA reasonably expect vendors to provide existing SaaS Collaborative Tools certified at the FISMA High level today? If not, what FISMA level is currently available and when could VA expect a SaaS environment certified at the FISMA High level?
7. If a SaaS offering is made which is not FISMA High, would additional mitigating controls be implemented to provide the necessary additional controls and security that are required to upgrade to a FISMA High certification?
8. Can the vendor describe and document that all controls are monitored for deviation from standards and audited for compliance with relevant standards?
9. At what frequency can VA expect to see reports and audits of monitoring and logging of the Cloud Service Providers (CSP) systems and service?
10. What type of SLA can the VA expect industry to provide in a cloud SaaS environment?
11. What is the order of magnitude difference in cost for an SLA of 99.99 vs. 99.999%?
12. Will vendor provide VA access to their Risk Assessment and System Security Plan used for their FISMA Certification?
13. How will the vendor provide authentication for a restricted, public accessible environment?
14. Can the vendor ensure VA data storage be restricted to locations within the continental US?
15. Can the vendor provide a Cloud SaaS collaboration tool which will only be accessible after a user authenticates through VA's Active Directory (AD) Single Sign-On (SSO) solution? Please see Appendix B for more information
16. Can the vendor meet all existing VA polices in the hosted cloud, including obtaining a high Federal Information Processing Standards (FIPS) 199 categorization for Security during the system Certification and Accreditation (C&A) process, before obtaining an Authority To Operate (ATO).
17. Can the vendor provide training for VA administrators, support personnel, and users?
18. Can the vendor provide an order of magnitude of cost for web based training for the following groups:
" Web based end-user training - (Pilot: 2,000 to 5,000; possibly later 134,000+)
" Administrator training - (2 per medical center, and 10 others (FSS, SD&E, OIS others) 358 in total
" Help Desk Training - (20 people)
" Train the trainer - (2 per VISN) 42 total
19. What type of continuing support can the vendor provide, after an award is made and at what cost?
20. How will the Contractor provide VA with incident response and forensic investigation data for incidents, data breaches, and service interruptions when requested by VA?
21. Can the vendor provide an integrated/joint incident response plan for specific VA designated data breaches?
22. Can the Contractor ensure proper destruction of all failed drives? Proper destruction includes, but is not limited to: returning the drive to VA, Contractor destruction supervised by VA personnel, or if authorized by VA, failed drives may be destroyed by the Contractor and the Contractor will provide certification of their destruction.
23. Can the Contractor provide 24x7x365 support for all Cloud SaaS services implemented in the solution?
24. Can the Contractor provide a Cloud SaaS Solution in two, VA designated, commercial data centers to interconnect to VA's infrastructure with two or more 1 Gbps point-to-point connections, at each site, between VA's network and the vendor's network for the purposes of interconnecting?
25. Will the Cloud SaaS solution work seamlessly via a CAG?
26. Can the vendor provide for Internet Protocol (IP) address filtering so only a connection coming from specific VA IP addresses will be allowed access to the vendor's Cloud based SaaS service?
27. Can the vendor provide a means which allows VA Cloud based SaaS administrators to control calendar sharing, and have the ability to control the level of detail, and turn on and off calendar text alerts to cell phones?
28. Can the vendor provide a means which allows VA Cloud based SaaS administrators to designate which documents can be shared and provide a control mechanism which will allow administrators to control sharing within and outside of the VA's AD Domain?
29. At the end of a contract to provide cloud services how would VA receive its information back if it chooses to cancel offering a cloud solution, switch to a different provider, or move to an internal solution?
30. Is there a mechanism to migrate existing SharePoint Site collections, SharePoint Sites, or general web sites to the cloud provider?
31. If VA procured an internal e-discovery, archiving, or records management solution how would we interface with and control the data in the cloud solution? Do you have examples of companies doing this today with your solution?
32. How would an internal VA Search system crawl the content in the cloud system to make it searchable along with internal VA content?
33. If there was top secret information accidentally stored in the cloud system how would the eradication of that information and physical drive destruction be handled?
34. Please provide information regarding your ability to be 508 compliant.
35. Please provide information on the different options to provide access control to VA information with and without the use of 3rd party software such as Citrix type VPN solution on a mobile or non Government Furnished Equipment (GFE) device.
36. Does the cloud solution include the native ability to control file downloads or prevent the copying of data to non GFE devices?
37. Does the cloud solution include a workflow capability?
38. Does the cloud solution include an alerting capability? For example can the solution send an email to a user when a list or document changes?
39. Does the cloud solution include the ability to receive external email and store them along with their attachments in a site
40. As users are hired and leave VA how are user license accounted for? For example is there a total # of users that VA pays for and any users up to that # can use the system, or is each individually named user counted as using a license and if so, will VA continue to pay for the user license as long as it retains that users data even though they are no longer employed by VA?
41. What are the storage limits and are they controlled by the user, site owner or at a higher level?
42. How are those storage limits measured? Is the storage use measured as a combined total for VA or is it on an individual user basis? What happens if the limits are exceeded? Is there an additional cost, if so, what is it? Can VA limit the storage at some level so it can't be exceeded by an individual user and thus incur an additional cost? Basically what options does VA have to control storage cost?
43. If a user deletes a file or an entire site, or some higher level can that be restored and is there a charge for that restoration? Is there a SLA for that restoration?
44. Do you provide presence information for users that are online? Can that be connected to VA's internal Office Communication server presence information?
45. Please provide a breakdown of each cost of your service.
46. Please provide a redacted sample/actual contract, costs, and monthly/yearly bill for another government agency that has contracted with your service
47. What are the impacts if email, instance messaging, and (Web Meeting/Live Meeting/desktop sharing functionally) were not enabled or migrated to your service?
48. Would there need to be any special services (hardware, software, cost) involved concerning the use of Blackberry mobile devices managed by the VA's Blackberry enterprise server and your system?
49. Would there need to be any special services (hardware, software, cost) involved concerning the use of any other mobile device and your system?
6 How to Respond
THIS IS A REQUEST FOR INFORMATION (RFI) ONLY. This RFI is issued solely for information and planning purposes - it does not constitute a solicitation nor does it restrict the Government as to the ultimate acquisition approach. In accordance with FAR 15.201(e), responses to this notice are not offers and cannot be accepted by the Government to form a binding contract. Any contract that might be awarded based on information received or derived from this market research will be the outcome of a competitive process. Responders are advised that the U.S. Government will not pay for any information or administrative costs incurred in response to this RFI. All costs associated with responding to this RFI will be solely at the interested vendor's expense. Not responding to this RFI does not preclude participation in any future RFP, if any is issued. The formal closing date for this RFI and for the submission of responses is September 9, 2011. All responses should be submitted electronically using PDF, HTML, MS Word or PowerPoint formats to the following Email address with subject "RFI VA118-11-RI-0618": email@example.com
*Total e-mail file limit size is restricted to 5MB. Files exceeding this threshold shall be submitted over multiple messages, and be identified as "Message #x of #x".
The official VA contacts for this RFI to whom all requests and communications should be addressed are:
Contracting Officer (CO): Anne Marie Vasconcelos, firstname.lastname@example.org (732) 440-9658
Contract Specialist (CS): Matthew Truex, email@example.com (732) 440-9650
Appendix A - Acronym List
See Attached: NIST IR 7298, rev. 1 , Glossary of Key Information Security Terms, February 2011.
Appendix B - SaaS Data Flow and Security Architecture DRAFT
Please consult the list of document viewers if you cannot open a file.
Other (Draft RFPs/RFIs, Responses to Questions, etc..)
August 11, 2011
Department of Veterans Affairs;Office of Acquisition and Logistics;Technology Acquisition Center;260 Industrial Way West;Eatontown NJ 07724
August 11, 2011
September 9, 2011
Automatic, on specified date
November 8, 2011
Original Set Aside:
D -- Information technology services, including telecommunications services
541 -- Professional, Scientific, and Technical Services/541519 -- Other Computer Related Services