QUESTION: Can you list the number of applications and break out how they are hosted? Interested in the number of container nodes, VMs, Serverless functions, etc. ANSWER: VA does not publish its application inventory at the market-research (RFI) stage. The exact number of applications and their hosting breakdown across on-premises data centers, VA Enterprise Cloud (AWS GovCloud US & Azure Government), and other environments will be provided to the selected vendor during post-award discovery and onboarding. QUESTION: Could the Government clarify whether Elastic SIEM integration is a requirement or if Splunk-only integration would be sufficient? ANSWER: Splunk-only Integration is sufficient QUESTION: Are there specific Splunk configurations or deployment models (cloud, on-premises, or hybrid) that the solution must support? ANSWER: The ZARP solution must cleanly support on-prem, cloud, and hybrid Splunk ingestion. QUESTION: Do you require SPUNK pricing in the ROM? ANSWER: No QUESTION: SOAR Platforms (Swimlane): Are there particular Swimlane integrations or workflows that the solution should accommodate to align with VA s current SOAR environment? ANSWER: At this stage we are not releasing VA-specific Swimlane playbooks or connector details. QUESTION: Which IAM systems are deployed within VA (e.g., Microsoft Azure AD, Okta, Ping Identity), and are there specific protocols (SAML, OAuth, OpenID Connect) required for integration? ANSWER: The VA uses multiple IAM services in a hybrid on-prem / cloud environment. More details will be furnished to the selected vendor during post-award discovery and onboarding. QUESTION: Given the use of Tenable for vulnerability management, are there specific integration requirements or use cases VA expects? Additionally, could VA identify CI/CD platforms in use (e.g., Jenkins, GitLab, Azure DevOps) that the solution should integrate with? ANSWER: VA uses several CI/CD pipelines.  Pipeline details are sensitive and will be shared only with the awardee under post-award security procedures. QUESTION: To provide a meaningful Rough Order of Magnitude (ROM) for the ZARP RFI, could the government provide approximate counts of workloads (VMs, containers, serverless functions) and anticipated data ingestion volumes for SIEM/SOAR integration? ANSWER: The requested information is not available QUESTION: Please clarify which Prisma Cloud modules (e.g., WAAS, CWPP, CSPM) VA expects vendors to include. ANSWER: WAAS & CWPP QUESTION: For scoping the number of VA workloads, how many on-premise container hosts will the solution need to support? ANSWER: The requested information is not available QUESTION: For scoping the number of VA workloads, how many K8 worker nodes will the solution need to support? ANSWER: The requested information is not available QUESTION: For scoping the number of VA workloads, how many serverless containers (AWS-Fargate / Azure ACI) will the solution need to support? ANSWER: The requested information is not available QUESTION: Can the VA confirm the solution must be capable of Runtime Application Self Protection (RASP)? ANSWER: Yes, the solutions must be capable of Runtime Application Self Protection QUESTION: Will the proposed zero trust solution require traffic visibility and enforcement aspects of ZTS Zero Trust Segmentation (or micro-segmentation), or will it be primarily based on North-South subnet-based enforcement? ANSWER: This RFI covers runtime-application and workload protection (ZARP). Network-level Zero Trust Segmentation (micro-segmentation) is handled by separate VA controls. The solution must inspect and enforce at Layer 7 for both North-South traffic (ingress/egress) and East-West traffic that remains within a subnet or host. Detailed integration points with VA s ZTS environment will be defined during post-award discovery. QUESTION: What is the scope of number of locations, workloads, applications as part of this solicitation or any other details you can provide that would be helpful for vendors? ANSWER: This information is not available QUESTION: Is the request for this new solution replacing existing technology and what is the existing solution today? ANSWER: There is no existing solution QUESTION: Is the VA using any segmentation solutions today within this environment and what is the technology being used? ANSWER: The specific vendors, products, and policy schemas are considered sensitive architecture details and will be disclosed only to the awardee under post-award security procedures. QUESTION: What GWACs is the VA currently considering for this procurement? Is GSA VETS 2 being considered? ANSWER: To be determined. The contract vehicle will be determined based on the responses received from the RFI. Please provide any existing contract vehicles per RFI Submittal Information paragraph 3(g).
