DHS Network Operations Security Center (NOSC) Network, Cloud, and Cyber Services (NCCS) 2.0

Statement of Work (SOW) / Performance Work Statement (PWS)

This Statement of Work (SOW) outlines the requirements for comprehensive cybersecurity, network operations, and management support services for the Department of Homeland Security (DHS) Office of the Chief Information Officer (OCIO) and select DHS Components. The primary goal is to evolve the DHS Headquarters Network Operations and Service Center (NOSC) into a best-in-class service entity.

• Network, Cloud, and Cyber Services (NCCS) 2.0: The contract covers a broad range of cybersecurity, network operations, and management services.

• Monitoring and Analysis (M&A): Proactive and reactive monitoring of network infrastructure (WAN and select LAN), cloud platforms, systems, and applications across all classification levels (open source, SBU, CUI, Classified, SCI, SAP).

• Event and Incident Management and Response: Management of events and incidents, including alert and notification, incident response, and recovery for the DHS Onenet.

• Cybersecurity Services: Includes monitoring and analysis, log management, incident handling, asset visibility, email security, cyber threat intelligence, intrusion defense, threat hunting, cyber forensics, malware analysis, evidence management, insider threat support, cybersecurity maturity analytic testing, and penetration testing.

• Program Management: Establishment and continuous improvement of a Program Management Office (PMO), including doctrine, policy, organization, planning, test, training, exercise, systems, leadership, personnel, facilities, and regulations.

• Capability Delivery and Improvement: Support for designing, developing, and improving IT service management and cybersecurity capabilities.

• Network Operations Services: 24x7x365 monitoring and management of DHS Networks, including troubleshooting and resolving network outage incidents.

• Cloud, Platform, and System Operations Services: Management and troubleshooting of DHS's cloud compute, storage, and application hosting platforms.

• Core Cybersecurity Services: Log management and analysis, email security, cybersecurity threat intelligence, vulnerability assessments, attack sensing and warning, and content development.

• Field Engineering Technical Services: Regional IT support requiring hands-on intervention at DHS facilities.

• Other Cybersecurity Services: Includes Cybersecurity Services Provider (CSP) Program and Information Security Vulnerability Management (ISVM) Program.

• Period of Performance: One 12-month Base Period (August 1, 2026 - July 30, 2027) and four (4) 12-month Optional Ordering Periods (through July 30, 2031).

• Place of Performance: A combination of DHS, Contractor, and remote work locations, including facilities in Washington D.C. metropolitan area, Stennis, Mississippi, Chandler, Arizona, and other potential CONUS locations.

• Security: Requires personnel with TS/SCI/SAP clearances. Compliance with DHS security policies, including Information Security Policy (MD 140-01) and DHS Sensitive Systems Policy Directive 4300A.

• Personnel: Requires qualified personnel, including Key Personnel (Program Manager, Deputy Program Manager) with specific experience and certifications (PMP, CISSP).

• Contractor Furnished Items: Government will provide workspace, equipment, and supplies. Government-furnished laptops will be provided to employees requiring access to DHS information.

• Accessibility: All ICT products and services must conform to Section 508 Standards.

• Travel: Local travel is not reimbursed; non-local travel requires written approval and funding.

Request for Information (RFI)

This RFI is for market research purposes only and is not a solicitation for proposals or quotes. The Department of Homeland Security (DHS) is seeking information regarding network and system management, cloud management, and cybersecurity support services for its Network Operations and Security Center (NOSC) facilities. The goal is to understand industry best practices, potential approaches, and capable sources for these services.

• Services Required: Network and system management, cloud management, and cybersecurity support. This includes 24x7x365 operations for Tier 1 and Tier 2 support across multiple locations.

• Locations: National Capital Region (NCR), Bluemont, VA, Stennis, Mississippi, and Chandler, Arizona.

• Technical Expertise: The DHS NOSC requires a mix of technical skills in network and systems management, cloud management, and cybersecurity. The government is specifically looking for junior and journeyman level personnel, not senior subject matter experts.

• Staffing Approach: Feedback is requested on the proposed staffing model, including the feasibility of the skill mix and the approach to building and maintaining resources.

• Contract Type: Interested parties should provide recommendations on the most effective contract type (e.g., LH, T&M, FFP, Hybrid) and justify their reasoning.

• AI Integration: Input is sought on how traditional tools and agentic AI can be leveraged for these services.

• Surge Support: Information is requested on capabilities and approaches for providing temporary surge support in response to increased workloads or cyber threats.

• Personnel Security: Requirements include TS/SCI cleared personnel who must be onsite and within commuting distance of NOSC locations.

• Responses should address one or more of the areas outlined in the RFI.

• The submission page count shall not exceed 15 pages (excluding the cover page).

• Only electronic submissions will be accepted.

• The deadline for submission is Friday, March 6, 2026, no later than 12:00 p.m. Eastern Time.

• Submissions should be sent to opoindustryliaison@hq.dhs.gov.

• The Government will not pay for response expenses.

• All responses become Government property.

• The Government may hold one-on-one meetings with vendors who provide comprehensive responses.