VA advances biometric authentication pilot through small business competition

The U.S. Department of Veterans Affairs (VA) has embarked on a biometric experiment that could reshape how tens of thousands of its healthcare staff access restricted spaces and sensitive systems.

What began as a broad request for information has now been looped back into a small business set-aside solicitation. The Biometric Authentication Proof of Concept (POC), first outlined in a Request for Information (RFI) earlier this year, aims to determine whether facial and iris recognition can securely and efficiently replace traditional access controls for clinical staff.

The loopback notice issued this week clarified how the procurement would proceed. The VA signaled that the Biometric Authentication Pilot would not remain in indefinite RFI status, but would advance as a set-aside procurement, providing small businesses an opportunity to compete for what is likely to be a technically complex and high-profile federal contract.

This follows the model of other VA procurements that begin as exploratory RFIs and evolve into restricted competitions designed to broaden participation among smaller firms.

Industry observers say the VA’s biometric pilot is one of the most detailed and security-sensitive federal proofs of concept in recent years. The requirements align tightly with federal cybersecurity mandates such as FIPS 201-3 for personal identity verification and National Institute of Standards and Technology’s digital identity guidelines, as well as VA’s own directives on data protection and identity management.

By setting strict rules around data use – barring any collection of veterans’ health information or non-participant data – the VA is attempting to address long-standing concerns about biometric privacy in healthcare environments.

The pilot’s outcome could have far-reaching consequences. If successful, the VA could scale the system across multiple facilities, extending it not only to physical access but eventually to logical access for IT systems, desktops, and clinical workstations.

The VA’s Technology Acquisition Center in Eatontown, New Jersey confirmed that the pilot will be competed under a small business set-aside via the General Services Administration’s eBuy platform.

The shift reflects how the VA often transitions from broad market research to focused acquisition channels. The original Sources Sought RFI was explicit that it was not a solicitation, but rather a way to gauge industry capabilities and gather best practices for deploying biometric systems in sensitive environments like hospitals.

Vendors were asked to demonstrate experience with large-scale biometric deployments, outline their approaches to physical and logical access integration, and provide rough order of magnitude cost estimates for hardware, software, and services.

At the heart of the program is a draft Performance Work Statement (PWS) that was issued in May that lays out in meticulous detail what the VA expects from the chosen contractor.

The VA’s Office of Information Security is spearheading the initiative with the goal of increasing efficiency for healthcare staff, reducing friction in sterile environments, and strengthening security through phishing-resistant multifactor authentication.

The PWS makes clear that contractors will be responsible for delivering an end-to-end, commercial-off-the-shelf solution covering both front-end capture devices and back-end matching systems, all integrated with the VA’s existing Physical Access Control Systems (PACS).

The document envisions a 12-month base period of performance, with an optional additional year, and a pilot deployment at either a healthcare training facility or an active VA hospital.

Core requirements include a one-to-many biometric match of enrolled staff, hands-free access to restricted spaces, on-premises storage of biometric templates, and strict prohibitions on collecting or storing data from anyone other than enrolled VA personnel.

The pilot is structured to run in parallel with existing badge-based access methods to avoid disruptions, and the contractor must also handle enrollment processes, operator training, user support, and eventual system removal if the technology is not scaled.

The VA’s RFI Q&A further reinforced the agency’s expectations. Partial solutions were ruled out. Vendors must deliver both the hardware and the software components, as well as the integration work needed to make the system operate within VA’s IT and physical security frameworks.

The VA was explicit that it expects front-end scanners, back-end authentication, and any additional hardware required to connect to PACS to be included in bids. Suggestions that digital wallets or software-only back-end authentication might suffice were rejected outright.

“We would like a complete use case implementation handled by a single contractor,” the VA wrote, though it encouraged teaming arrangements to build holistic solutions.

Optional tasks laid out in the PWS envision migrating the solution to the VA Enterprise Cloud and expanding deployment to dozens of facilities. Conversely, if the pilot encounters major performance, privacy, or user satisfaction issues, the system will be stood down and removed, with findings documented to inform future efforts.

For now, industry responses are being funneled through the Technology Acquisition Center. As the process advances into a formal small business set-aside, the focus will shift from gathering ideas to evaluating concrete proposals capable of meeting the VA’s stringent technical, security, and operational demands.

The VA’s decision to loop back its biometric authentication pilot illustrates both the promise and the caution surrounding biometrics in federal healthcare and underscores the government’s desire for innovation in access control, but only under carefully controlled conditions and with accountability built into every stage.

How small businesses rise to meet this challenge could shape not only the future of access management at VA facilities but also set precedents for biometric adoption across the federal healthcare sector.

Article Topics

biometric authentication  |  biometrics  |  digital identity  |  face biometrics  |  government purchasing  |  iris biometrics  |  pilot project  |  U.S. Department of Veterans Affairs  |  U.S. Government