FA830726RB019 - SBOM Vulnerability Scanning RFI

SOL #: FA830726RB019 (Sources Sought)

Overview

Buyer

DEPT OF DEFENSE
Dept Of The Air Force
FA8307 AFLCMC HNCK C3IN
SAN ANTONIO, TX, 78243-7007, United States

Place of Performance

San Antonio, TX

NAICS

Other Computer Related Services (541519)

PSC

Application Development Software Delivered By Perpetual License, Consisting Of Analysis, Design, Development, Code, Test And Release Packages Associated With Application Development Projects. (7A20)

Set Aside

No set aside specified

Timeline

  • Posted: Jan 28, 2026
  • Last Updated: Feb 9, 2026
  • Response Deadline: Feb 19, 2026, 5:00 PM

Qualification Details

Fit reasons
  • NAICS alignment with historical contract wins in similar service areas.
  • Scope strongly matches core technical capabilities and delivery model.
Risks
  • Past performance thresholds may require one additional teaming partner.
  • Potential clarification needed on staffing minimums before bid/no-bid.
Next steps

Validate eligibility requirements, assign capture owner, and schedule partner outreach to confirm teaming strategy before submission planning.

Quick Summary

The Department of the Air Force (AFLCMC) is conducting market research through a Request for Information (RFI) for a Software Bill of Materials (SBOM) Generation & Vulnerability Analysis Solution. This RFI, identified as FA830726RB019, seeks to identify sources capable of providing software licenses and capabilities to meet the requirements outlined in the attached Draft Statement of Work. This is for planning purposes only and is not a solicitation. Responses are due by February 20, 2026.

Scope of Work

The government is seeking an enterprise solution for automated SBOM generation, container image analysis, and vulnerability scanning to support DevSecOps and Platform One operations. The solution must:

  • Provide licenses, software, technical support, implementation, and sustainment services.
  • Operate in classified and unclassified cloud environments (IL4/IL5/IL6).
  • Support common programming languages and ecosystems (e.g., npm, Maven, PyPI, Go, NuGet, RubyGems, Cargo).
  • Generate SBOMs compliant with SPDX/CycloneDX standards, including PURL format.
  • Scan container images and identify vulnerabilities against NVD, RHSA, and GHSA, mapping them to CVSS scores.
  • Support malware scanning, policy engines, configurable alerts, and a vulnerability dashboard.
  • Integrate with CI/CD tools (GitLab CI, GitHub Actions, Jenkins) and support RBAC, SSO, and secure authentication.
  • Encrypt stored vulnerability data and SBOM artifacts at rest, with backup/restore capabilities.
  • Support advanced license compliance checks and source code repository scanning.

Contract & Timeline

  • Type: Request for Information (RFI) / Sources Sought
  • Anticipated Duration: Base one-year software license plus four (4) one-year option periods (August 1, 2026 – July 31, 2031).
  • Set-Aside: None specified.
  • Response Due: February 20, 2026.
  • Published: January 28, 2026.

Response Requirements

Interested parties are requested to submit White Paper responses, limited to 2 pages (1-inch margins, 12-point Times New Roman font), including:

  • Company information (UEI, CAGE Code, Contract Vehicles, POC).
  • Potential software solution(s) that meet the requirements.
  • A brief narrative explaining how the software solution(s) meet the requirements.

Submissions should be sent to aflcmc.hncx.p1licensemanagement@us.af.mil and aflcmc.hnckp.platformonectr@us.af.mil.

Additional Notes

This RFI is for market research and planning purposes only. It is not a request for proposal, and the government does not intend to award a contract based on this RFI or pay for information submitted. Responses are voluntary and will not affect future solicitation participation.

People

Points of Contact

  • Primary: Platform One License Management Team
  • Secondary: Contracting Officer: Major Jamail Walker

Files

No files attached to this opportunity

Versions

  • Version 2: Sources Sought, posted Feb 9, 2026
  • Version 1: Sources Sought, posted Jan 28, 2026