Defense Contract Management Agency Cyber Security Services
Overview
Buyer
Place of Performance
NAICS
PSC
Set Aside
Original Source
Timeline
Qualification Details
Fit reasons
- NAICS alignment with historical contract wins in similar service areas.
- Scope strongly matches core technical capabilities and delivery model.
Risks
- Past performance thresholds may require one additional teaming partner.
- Potential clarification needed on staffing minimums before bid/no-bid.
Next steps
Validate eligibility requirements, assign capture owner, and schedule partner outreach to confirm teaming strategy before submission planning.
Quick Summary
The Defense Information Systems Agency (DISA), on behalf of the Defense Contract Management Agency (DCMA), has issued a Sources Sought notice to identify potential small business sources for Cyber Security Services. This market research aims to gather information on firms capable of providing skilled contract labor to support DCMA's tactical and strategic cybersecurity goals. Responses are due by May 1, 2026, 12:00 PM EDT.
Scope of Work
DCMA's Cyber Security Directorate requires support across various critical cybersecurity domains, including:
- Cybersecurity Vulnerability Management (CVM): Threat-informed support for identification, analysis, mitigation, and verification, including compliance with CJCSI 6510.01F and DoDI 8531.01, Tenable (ACAS) use, and Zero Trust Architecture (ZTA) integration.
- Incident Response: 24x7x365 monitoring, detection, and remediation of security alerts, threat hunting, and incident reporting per CJCSM 6510.01B.
- Security Architecture Engineering Program (SAEP): Support for enterprise defense-in-depth, Zero Trust principles, Enterprise Ports, Protocols, and Services Management (PPSM), and IA tool lifecycle management.
- Risk Management Framework (RMF) Support: Comprehensive Assessment & Authorization (A&A) activities for DCMA information systems, adhering to DoD instructions and NIST standards.
- Audits Readiness: Support for Cyberspace Resilience Evaluations managed by DCDC J10.
Contract & Timeline
- Opportunity Type: Sources Sought (for market research only)
- Anticipated Period of Performance: Base Year (Feb 8, 2027 – Feb 7, 2028) plus two option years.
- Primary Place of Performance: DCMA Atlanta, GA, and DCMA Headquarters, Fort Gregg-Adams, VA, with anticipated hybrid telework options.
- Incumbent Contract: 47QTCA18D002A/HC104723F4060, held by CREST SECURITY ASSURANCE LLC (Small Business).
- Previous Acquisition Method: 8(a) small business set-aside.
- Response Due: May 1, 2026, 12:00 PM EDT.
- Published Date: April 17, 2026.
Set-Aside & Eligibility
- NAICS Code: 541519 (Other Computer Related Services), Size Standard: $34M.
- The government is conducting market research to determine the potential for a small business set-aside (including SDB, HUBZone, 8(a), SDVOSB, WOSB).
- Respondents should outline plans for joint venturing or partnering and demonstrate compliance with FAR 52.219-14 (Limitations on Subcontracting).
- Special Requirement: A Top-Secret Facility Clearance is required, with a minimum Secret clearance for all staff and Top Secret as needed.
Submission & Evaluation
This is for informational purposes only and is not a Request for Proposal. Interested businesses should submit a capabilities statement package (maximum 5 pages) addressing the required capabilities and special requirements. Responses will inform the government's acquisition strategy.