Notice ID:  36C10B24Q0421

The Department of Veterans Affairs (VA), Office of Information and Technology (OIT) requires a Software-as-a-Service (SaaS) Identity and Access Management (IAM) product for both internal (workforce) and external users (Veterans, caregivers, etc.) that provides the required capabilities as part of a single product. The solution will provide a single cloud-native, Federal Risk and Authorization Management Program (FedRAMP) High authorized, SaaS IAM product that will meet current and future requirements for a department-wide enterprise Identity Provider (IdP), including authentication, access management, automated administration, and reporting.

The product must adhere to federal cybersecurity standards and guidance, ensuring robust authentication protocols, encryption mechanisms, and adherence to security frameworks such as National Institute of Standards and Technology (NIST) Special Publication (SP) 800-63 and Federal Information Processing Standards (FIPS) 140-2. A single integrated SaaS IAM product is required to maximize interoperability across capabilities and features, such as custom workflows and the access management features, and provide a more consistent user experience. VA requires the ability to automate complex workforce and customer identity workflows using a no-code/low-code GUI-based automation platform to streamline administration of the identity solution, eliminate time-consuming tasks, and reduce errors due to manual entry. VA also maintains a complex suite of modern and legacy digital products and services, some of which require the capability to support legacy authentication protocols and technologies.

The solution shall include:

  • Workforce IAM capabilities to support identity management, authentication, and access management for employees and other internal users accessing internal VA applications and services, including VA-managed computers. These capabilities include provisioning and managing workforce identities in a central user directory, Single Sign-On (SSO) capabilities supporting adaptive Multi-Factor Authentication (MFA), including PIV/CAC cards and other alternative methods, Application Programming Interface (API) access management, and adaptive “real-time” cybersecurity threat monitoring and reporting.
  • Customer IAM capabilities to support identity management, authentication, and access management for Veterans, their delegates, and other external users accessing public-facing VA applications and services. These capabilities include inbound federation with third-party Credential Service Providers, API Access management, Adaptive MFA, self-service account management, integration with VA identity data repositories, support for patient access to healthcare-related data following the Fast Healthcare Interoperability Resources (FHIR) standard, and adaptive “real-time” cybersecurity threat monitoring and reporting.
  • Custom automation capabilities to automate recurring administrative tasks and workflows as well as customize workforce and external user authentication flows using a no-code/low-code GUI-based automation platform, allowing workflows to be created and managed by authorized users across the VA.
  • Legacy application support to allow the SaaS IAM product to integrate with the numerous legacy systems that the VA uses to support its critical operations, including healthcare services, benefits administration, burial, and veteran support programs. While many VA systems support direct integration with a cloud IAM solution over standard protocols, some critical systems are deployed in “on-premises” environments and/or don’t support modern authentication protocols. Until such systems are modernized or replaced, the SaaS IAM product will need to provide a bridge/connector between those legacy systems and the cloud-hosted product.
  • General platform capabilities including high (99.99% or greater) availability, conformance to security standards such as NIST SP 800-63 and FIPS 140-2, FedRAMP High authorization, support for multiple deployment environments, including sandbox environments, API-based product configuration and management, custom reporting and alerting. Product support to include dedicated support staff available to address complex technical issues and support incident response and remediation 24×7.
  • Professional services to provide technical support and subject matter expertise to support the initial setup, configuration, deployment, and expansion of the SaaS IAM product within the VA as well as the transition from existing VA IAM solutions to the SaaS IAM product, advisory and project support to facilitate the integration of VA systems with the SaaS IAM product, guidance and support enabling and leveraging advanced features and capabilities, and support with security and compliance activities to mitigate risks and maintain the VA Authority to Operate (ATO) for the SaaS IAM product.
  • Training materials to provide accessible and comprehensive training, including documentation, tutorials, and video guides, to empower users (both end-users and administrators) to understand how to use the SaaS IAM product effectively. Interactive training sessions, certification tracks, and periodic refresher courses should also be provided to ensure users remain informed about security best practices and the latest features of the SaaS IAM product.

Read more here.
