7E20--Remote Automated Laboratory System Software and Support

The solicitation for the Remote Automated Laboratory System Software and Support, identified as 36C26126Q0619, is issued by the Department of Veterans Affairs through the 261-NETWORK Contract Office 21 in Mather, California, with a response deadline of July 2, 2026. This is a sources-sought notice aimed at gathering market information for a software solution that integrates 94 diagnostic medical devices—including Nova Glucometers, Abbott I-Stat docks, and Hemosonics Quantra—with the VA’s VISTA and CPRS systems via secure HL7 data transmission. The primary performance location is the BioMed Virtual Server at the San Francisco VA Medical Center, with a proposed period of performance spanning five years: one base year from October 1, 2026, through September 30, 2027, and four option years extending through September 30, 2031. The contract requires a licensed software module capable of 24/7 remote monitoring and support with no-cost updates, ensuring continuous bidirectional data flow of patient results, quality control metrics, critical alerts, and flagged records. All software must comply with NIST, FIPS 140-2, VA Handbook 6500, FDA cybersecurity guidance, and NTIA SBOM requirements, including submission of a compliant Software Bill of Materials and adherence to patch governance that mandates critical vulnerabilities be remediated within seven business days. Security, supply chain integrity, and data handling are strictly governed by federal and VA-specific standards. Offerors must ensure tamper-evident packaging and chain-of-custody controls for all physical components, though the primary deliverable is software-based. All contractors and personnel must comply with VA’s Information Security Rule of Behavior, undergo required training, and hold appropriate clearances if accessing sensitive systems. Product authenticity must be attested, with procurement limited to original equipment manufacturers or authorized resellers; unauthorized sources require explicit waiver approval. Cryptographic standards must meet FIPS 140-2 compliance with remote key management capabilities. Contractors are prohibited from uploading malware or unverified firmware, and any detected malicious code must be remediated immediately. All electronic media must be destroyed upon contract termination with self-certification provided within 30 days. Data generated under this contract is government property with unlimited rights; no retention or dissemination of Privacy Act information is permitted. Offerors must be registered in SAM, provide their