This Sources Sought Notice is for planning purposes only and shall not be considered as an invitation for bid, request for quotation, request for proposal, or as an obligation on the part of the Government to acquire any products or services. Your response to this Sources Sought Notice will be treated as information only. No entitlement to payment of direct or indirect costs or charges by the Government will arise because of contractor submission of responses to this announcement or the Government use of such information. This request does not constitute a solicitation for proposals or the authority to enter negotiations to award a contract. No funds have been authorized, appropriated, or received for this effort. The information provided may be used by the Department of Veterans Affairs in developing its acquisition approach, statement of work/statement of objectives and performance specifications. Interested parties are responsible for adequately marking proprietary or competition sensitive information contained in their response. The Government does not intend to award a contract based on this Sources Sought Notice or to otherwise pay for the information submitted in response to this Sources Sought Notice. The purpose of this sources sought announcement is for market research to make appropriate acquisition decisions and to gain knowledge of potential qualified Service-Disabled Veteran Owned Small Businesses, Veteran Owned Small Businesses, 8(a), HubZone and other Small Businesses interested and capable of providing the services described below. Documentation of technical expertise must be presented in sufficient detail for the Government to determine that your company possesses the necessary functional area expertise and experience to compete for this acquisition. Responses to this notice shall include the following: (a) Company Name (b) Address (c) Point of Contact (d) Phone, Fax, and Email (e) UEI number (f) Cage Code (g) Tax ID Number (h) Please indicate the size status and representations of your business, such as but not limited to: Service-Disabled Veteran Owned Small Business (SDVOSB), Veteran Owned Small Business (VOSB), Hubzone, Woman Owned Small Business (WOSB), Large Business, etc.)? (i) Is your company considered small under the NAICS code identified under this SSN/RFI? (j) Are you the manufacturer, distributor, or an equivalent solution to the items being referenced above? (k) If you are a large business, do you have any designated distributors? If so, please provide their company name, telephone, point of Contact and size status (if available). (l) If you re a small business and you are an authorized distributor/reseller for the items identified above or an equivalent solution, do you alter; assemble; modify; the items requested in any way? If you do, state how and what is altered; assembled; modified? (m) If you intend to subcontract any work on this contract, what portion of the total cost will be self-performed/will be performed by your organization? Please provide estimated detailed percentage breakdowns related to subcontracted work. (n) Does your company have an FSS contract with GSA or the NAC or are you a contract holder with NASA SEWP or any other federal contract? If so, please provide the contract number. (o) If you are an FSS GSA/NAC or NASA SEWP contract holder or other federal contract holder, are the items/solution you are providing information for available on your schedule/contract? (p) Please provide general pricing of your products/solution for market research purposes (q) Does your company have an FSS contract with GSA or the NAC or are you a contract holder with NASA SEWP or any other federal contract? If so, please provide the contract number. (r) Please provide general pricing of your products/solution for market research purposes (s) Must provide a capability statement that clearly addresses the organizations qualifications and ability to perform as a contractor for the work described below. Requirement: The VA Heartland Network 15 Contracting Office located at 3450 South 4th Street, Leavenworth, KS, 66048-5055 is seeking a potential qualified contractor to provide VPN ethernet service needed to access the Illinois Law Enforcement Agencies Data System (LEADS 3.0) through the currently installed Police Desktop computer for the Marion VA Medical Center located at 2401 West Main St., Marion, Illinois 62959-1621. The contractor will upgrade as needed or retain currently installed equipment to provide the fiber, VPN line, and all other required items or software to complete the circuit for functional service, to allow access to Illinois LEADS 3.0. This service will not be on the VA network. It will and has to be on its own network due to the law enforcement-sensitive data associated with the LEADS 3.0 service. It can only be accessed through the state network through a VPN and our desktop computer. Please see the Statement of Work for more specific details. The North American Industry Classification System Code (NAICS Code) is 517311 Wired Telecommunications Carriers, size standard 1,500 employees. Based on this information, please indicate whether your company would be a Large or Small Business and have a socio-economic designation as a Small Business, VOSB or SDVOSB. Important Information: The Government is not obligated to, nor will it pay for or reimburse any costs associated with responding to this source sought synopsis request. This notice shall not be construed as a commitment by the Government to issue a solicitation or ultimately award a contract, nor does it restrict the Government to an acquisition approach. The Government will in no way be bound to this information if any solicitation is issued. Currently a total set-aside for Service-Disabled Veteran Owned Small Business firms is anticipated based on the Veterans Administration requirement with Public Law 109-461, Section 8127 Veterans Benefit Act. However, if response by Service-Disabled Veteran Owned Small Business firms proves inadequate, an alternate set-aside or full and open may be used. Responses to this notice shall be submitted via email to Erika Kobulnicky at Erika.Kobulnicky@va.gov. Telephone responses will not be accepted. Responses must be received no later than Thursday, February 26, 2026, at 10:00AM CST. If a solicitation is issued it shall be announced at a later date, and all interested parties must respond to that solicitation announcement separately from the responses to this sources sought. Responses to these sources sought notice are not a request to be added to a prospective bidders list or to receive a copy of the solicitation. VIRTUAL PRIVATE NETWORK (VPN) ETHERNET SERVICE for Marion VA Health Care System STATEMENT OF WORK INTRODUCTION This Statement of Work (SOW) outlines the requirements for procuring the VPN circuit service needed to access the Illinois Law Enforcement Agencies Data System (LEADS 3.0) through our currently installed Police Desktop computer. SCOPE Vendor will upgrade as needed or retain currently installed equipment to provide the fiber, VPN line, and all other required items or software to complete the circuit for functional service, to allow access to the Illinois Law Enforcement Agencies Data System (LEADS 3.0). This service will not be on the VA network. It will and has to be on its own network due to the law enforcement-sensitive data associated with the LEADS 3.0 service. It can only be accessed through the state network through a VPN and our desktop computer. SPECIFICATIONS. Ethernet VPN is provided through a modem/router in either a multi-mode handoff or single mode. ADDITIONAL REQUIREMENTS None. INFORMATION SECURITY The vendor/contractor/subcontractor shall immediately notify the COR and simultaneously, the designated ISO and Privacy Officer, for the contract of any known or suspected security/privacy incidents, or any unauthorized disclosure of sensitive information, including that contained in system(s) to which the contractor/subcontractor has access. For the purposes of this SOW, the term security incident means an event that has, or could have, resulted in unauthorized access to, loss or damage to VA assets, or sensitive information, or an action that breaches VA security procedures. VA INFORMATION AND INFORMATION SYSTEM SECURITY/PRIVACY LANGUAGE FOR INCLUSION INTO CONTRACTS GENERAL Contractors, contractor personnel, subcontractors, and subcontractor personnel shall be subject to the same Federal laws, regulations, standards, and VA Directives and Handbooks as VA and VA personnel regarding information and information system security. ACCESS TO VA INFORMATION AND VA INFORMATION SYSTEMS A contractor/subcontrator shall request logical (technical) or physical access to VA information and VA information systems for their employees, subcontractors, and affiliates only to the extent necessary to perform the services specified in the contract, agreement, or task order. The contractor or subcontractor must notify the Contracting Officer immediately when an employee working on a VA system or with access to VA information is reassigned or leaves the contractor or subcontractor s employ. The Contracting Officer must also be notified immediately by the contractor or subcontractor prior to an unfriendly termination. VA INFORMATION CUSTODIAL LANGUAGE Information made available to the contractor or subcontractor by VA for the performance or administration of this contract or information developed by the contractor/subcontractor in performance or administration of the contract shall be used only for those purposes and shall not be used in any other way without the prior written agreement of the VA. This clause expressly limits the contractor/subcontractor's rights to use data as described in Rights in Data - General, FAR 52.227-14(d) (1). If VA determines that the contractor has violated any of the information confidentiality, privacy, security, and other provisions of the contract, it shall be sufficient grounds for VA to withhold payment to the contractor or third party or terminate the contract for default or terminate for cause under Federal Acquisition Regulation (FAR) part 12. SECURITY INCIDENT INVESTIGATION The term security incident means an event that has, or could have, resulted in unauthorized access to, loss or damage to VA assets, or sensitive information, or an action that breaches VA security procedures. The contractor/subcontractor shall immediately notify the COTR and simultaneously, the designated ISO and Privacy Officer for the contract of any known or suspected security/privacy incidents, or any unauthorized disclosure of sensitive information, including that contained in system(s) to which the contractor/subcontractor has access. To the extent known by the contractor/subcontractor, the contractor/subcontractor s notice to VA shall identify the information involved, the circumstances surrounding the incident (including to whom, how, when, and where the VA information or assets were placed at risk or compromised), and any other information that the contractor/subcontractor considers relevant. With respect to unsecured protected health information, the business associate is deemed to have discovered a data breach when the business associate knew or should have known of a breach of such information. Upon discovery, the business associate must notify the covered entity of the breach. Notifications need to be made in accordance with the executed business associate agreement. In instances of theft or break-in or other criminal activity, the contractor/subcontractor must concurrently report the incident to the appropriate law enforcement entity (or entities) of jurisdiction, including the VA OIG and Security and Law Enforcement. The contractor, its employees, and its subcontractors and their employees shall cooperate with VA and any law enforcement authority responsible for the investigation and prosecution of any possible criminal law violation(s) associated with any incident. The contractor/subcontractor shall cooperate with VA in any civil litigation to recover VA information, obtain monetary or other compensation from a third party for damages arising from any incident, or obtain injunctive relief against any third party arising from, or related to, the incident. LIQUIDATED DAMAGES FOR DATA BREACH Consistent with the requirements of 38 U.S.C. §5725, a contract may require access to sensitive personal information. If so, the contractor is liable to VA for liquidated damages in the event of a data breach or privacy incident involving any SPI the contractor/subcontractor processes or maintains under this contract. The contractor/subcontractor shall provide notice to VA of a security incident as set forth in the Security Incident Investigation section above. Upon such notification, VA must secure from a non-Department entity or the VA Office of Inspector General an independent risk analysis of the data breach to determine the level of risk associated with the data breach for the potential misuse of any sensitive personal information involved in the data breach. The term 'data breach' means the loss, theft, or other unauthorized access, or any access other than that incidental to the scope of employment, to data containing sensitive personal information, in electronic or printed form, that results in the potential compromise of the confidentiality or integrity of the data. Contractor shall fully cooperate with the entity performing the risk analysis. Failure to cooperate may be deemed a material breach and grounds for contract termination. Each risk analysis shall address all relevant information concerning the data breach, including the following: Nature of the event (loss, theft, unauthorized access); Description of the event, including: 1. date of occurrence; 2. data elements involved, including any PII, such as full name, social security number, date of birth, home address, account number, disability code; Number of individuals affected or potentially affected; Names of individuals or groups affected or potentially affected; Ease of logical data access to the lost, stolen or improperly accessed data in light of the degree of protection for the data, e.g., unencrypted, plain text; Amount of time the data has been out of VA control; The likelihood that the sensitive personal information will or has been compromised (made accessible to and usable by unauthorized persons); Known misuses of data containing sensitive personal information, if any; Assessment of the potential harm to the affected individuals; Data breach analysis as outlined in 6500.2 Handbook, Management of Security and Privacy Incidents, as appropriate; and Whether credit protection services may assist record subjects in avoiding or mitigating the results of identity theft based on the sensitive personal information that may have been compromised. Based on the determinations of the independent risk analysis, the contractor shall be responsible for paying to the VA liquidated damages in the amount of $__37.50__ per affected individual to cover the cost of providing credit protection services to affected individuals consisting of the following: Notification; One year of credit monitoring services consisting of automatic daily monitoring of at least 3 relevant credit bureau reports; Data breach analysis; Fraud resolution services, including writing dispute letters, initiating fraud alerts and credit freezes, to assist affected individuals to bring matters to resolution; One year of identity theft insurance with $20,000.00 coverage at $0 deductible; and Necessary legal expenses the subjects may incur to repair falsified or damaged credit records, histories, or financial affairs. TRAINING All contractor employees and subcontractor employees requiring access to VA information and VA information systems shall complete the following before being granted access to VA information and its systems: Successfully complete the appropriate VA privacy training and annually complete required privacy training (See below training); and Successfully complete any additional cyber security or privacy training, as required for VA personnel with equivalent information system access. The contractor shall provide to the contracting officer and/or the COTR a copy of the training certificates for each applicable employee within 1 week of the initiation of the contract and annually thereafter, as required. Failure to complete the mandatory annual training, within the timeframe required, is grounds for suspension or termination of all physical or electronic access privileges and removal from work on the contract until such time as the training and documents are complete. ADDITIONAL REQUIREMENTS The COR is responsible for coordinating with the Police prior to contractor arrival to identify the names of contractor personnel so that Police can ensure sufficient number of contractor badges are available for issuance prior to beginning work. COR is also responsible for signing out and signing in temporary contractor badges. The COR is also responsible for maintaining copies of signed Privacy training for all contractors according to RCS 10-1. Any work performed outside of official VA business hours after hours will require escorts. Escort duties for un-cleared contractors are strictly limited to government officials, specifically VA employees. At no time are contractors allowed to escort other contractors. The Department of Veterans Affairs, VA must comply with all applicable privacy and confidentiality statutes and regulations. One of the requirements in VA is to have all personnel trained annually on privacy requirements. Privacy represents what must be protected by VA in the collection, use, and disclosure of personal information whether the medium is electronic, paper or verbal. This document satisfies the basic privacy training requirement for a contractor, volunteer, or other personnel only if the individual does not use VA sensitive information or protected health information (PHI) in any form such as electronic or paper or have access to any VA computer system such as VA Time and Attendance System (VATAS), Computerized Patient Record System (CPRS), Joint Legacy Viewer (JLV), Veterans Health Information Exchange (VHIE), Compensation and Pension Record Interchange (CAPRI). You will find this training outlines your role and responsibility for protecting VA sensitive information (medical, financial, or educational) that you may incidentally or accidentally see or overhear. If you have direct access to VA sensitive information or access to a VA computer system where there is protected health information such as VaTAS, CPRS, JLV, VHIE or CAPRI you must take Privacy and HIPAA Focused Training (TMS 10203). VA Privacy and Information Security Awareness and Rules of Behavior (TMS 10176) is always required to use or gain access to a VA computer system or VA sensitive information, whether or not protected health information is included. Both trainings are located within the VA Talent Management System (TMS): https://www.tms.va.gov What is VA Sensitive Information/Data? All Department information and/or data on any storage media or in any form or format, which requires protection due to the risk of harm that could result from inadvertent or deliberate disclosure, alteration, or destruction of the information. The term includes not only information that identifies an individual but also other information whose improper use or disclosure could adversely affect the ability of an agency to accomplish its mission, proprietary information, and records about individuals requiring protection under applicable confidentiality provisions. What is Protected Health Information? The HIPAA Privacy Rule defines protected health information as Individually Identifiable Health Information transmitted or maintained in any form or medium by a covered entity, such as VHA. What is an Incidental Disclosure? An incidental disclosure is one where an individual s information may be disclosed incidentally, even though appropriate safeguards are in place. Due to the nature of VA communications and practices, as well as the various environments in which Veterans receive healthcare or other services from VA, the potential exists for a Veteran s protected health information or VA sensitive information to be disclosed incidentally. For example: You overhear a healthcare provider s conversation with another provider or patient even when the conversation is taking place appropriately. You may see limited Veteran information on sign-in sheets or white boards within a treating area of the facility. You may hear a Veteran s name being called out for an appointment or when the Veteran is being transported/escorted to and from an appointment Safeguards You Must Follow To Secure VA Sensitive Information: Secure any VA sensitive information found in unsecured public areas (parking lot, trash can, or vacated area) until information can be given to your supervisor or Privacy Officer. You must report such incidents to your Privacy Officer timely. Don t take VA sensitive information off facilities grounds without VA permission unless the VA information is general public information, i.e., brochures/pamphlets. Don t take pictures using a personal camera without the permission from the Medical Center Director. Any protected health information overheard or seen in VA should not be discussed or shared with anyone who does not have a need to know the information in the performance of their official job duties, this includes spouses, employers or colleagues. Do not share VA access cards, keys, or codes to enter the facility. Immediately report lost or stolen Personal Identity Verification (PIV) or Veteran Health Identification Cards (VHIC), VA keys or keypad lock codes to your supervisor or VA police. Do not use a VA computer using another VA employee s access and password. Do not ask another VA employee to access your own protected health information. You must request this information in writing from the Release of Information section at your facility What are the Six Privacy Laws and Statutes Governing VA? Freedom of Information Act (FOIA) compels disclosure of reasonably described VA records or a reasonably segregated portion of the records to any person upon written request unless one or more of the nine exemptions apply. Privacy Act of 1974 provides for the confidentiality of personal information about a living individual who is a United States citizen or an alien lawfully admitted to U.S. and whose information is retrieved by the individual s name or other unique identifier, e.g. Social Security Number. Health Insurance Portability and Accountability Act (HIPAA) provides for the improvement of the efficiency and effectiveness of health care systems by encouraging the development of health information systems through the establishment of standards and requirements for the electronic transmission, privacy, and security of certain health information. 38 U.S.C. 5701 provides for the confidentiality of all VA patient and claimant information, with special protection for their names and home addresses. 38 U.S.C. 7332 provides for the confidentiality of drug abuse, alcoholism and alcohol abuse, infection with the human immunodeficiency virus (HIV) and sickle cell anemia medical records and health information. 38 U.S.C. 5705 provides for the confidentiality of designated medical-quality assurance documents. What are the Privacy Rules Concerning Use and Disclosure? You are not authorized to use or disclose protected health information. In general, VHA personnel may only use information for purposes of treatment, payment or healthcare operations when they have a need-to-know in the course of their official job duties. VHA may only disclose protected health information upon written request by the individual who is the subject of the information or as authorized by law. How is Privacy Enforced? There are both civil and criminal penalties, including monetary penalties that may be imposed if a privacy violation has taken place. Any willful negligent or intentional violation of an individual s privacy by VA personnel, contract staff, volunteers, or others may result in such corrective action as deemed appropriate by VA including the potential loss of employment, contract, or volunteer status. Know your VA/VHA Privacy Officer and Information Systems Security Officer. These are the individuals to whom you can report any potential violation of protected health information or VA sensitive information, or any other concerns regarding privacy of VA sensitive information. YOU ARE RESPONSIBLE FOR PROTECTING THE CONFIDENTIAL INFORMATION OF OUR VETERANS
