FA830726RB019 - SBOM Vulnerability Scanning RFI

SOL #: FA830726RB019 (Sources Sought)

Overview

Buyer

DEPT OF DEFENSE
Dept Of The Air Force
FA8307 AFLCMC HNCK C3IN
SAN ANTONIO, TX, 78243-7007, United States

Place of Performance

San Antonio, TX

NAICS

Other Computer Related Services (541519)

PSC

Application Development Software Delivered By Perpetual License, Consisting Of Analysis, Design, Development, Code, Test And Release Packages Associated With Application Development Projects. (7A20)

Set Aside

No set aside specified

Timeline

  • Posted: Jan 28, 2026
  • Last Updated: Feb 9, 2026
  • Response Deadline: Feb 19, 2026, 5:00 PM

Quick Summary

The Department of the Air Force, AFLCMC, Cryptologic and Cyber Systems Division (CCSD) is conducting market research via a Request for Information (RFI) for a Software Bill of Materials (SBOM) Generation & Vulnerability Analysis Solution. This RFI seeks commercial software licenses and capabilities to support DevSecOps and Platform One operations. The government is looking for an enterprise solution for automated SBOM generation, container image analysis, and vulnerability scanning. White paper responses are due by February 19, 2026.

Purpose & Scope

This RFI is for market research and planning purposes only, not a solicitation for proposals. The Air Force aims to identify sources capable of providing software licenses and associated services for a comprehensive SBOM and vulnerability analysis solution. The solution must be production-ready for classified and unclassified cloud environments (IL4/IL5/IL6) and support common programming languages and ecosystems. Key capabilities include generating industry-standard SBOMs (SPDX, CycloneDX), scanning container images and source code for vulnerabilities against databases like NVD, RHSA, and GHSA, mapping vulnerabilities to CVSS scores, and supporting malware scanning and policy engines.

Performance Requirements & Deliverables

The contractor will provide a base one-year software license with four (4) one-year option periods, covering August 1, 2026, through July 31, 2031, if all options are exercised. The solution must be a commercial license meeting the requirements of the attached Draft Statement of Work. Deliverables include software licenses/subscriptions, implementation and onboarding support, documentation, training, integration into CI/CD pipelines, ongoing technical support, vulnerability feed updates, and Authority to Operate (ATO) artifacts/support.

Special Requirements

The solution must comply with FAR/DFARS, DoD DevSecOps Reference Design, Executive Order 14028, DoD/AF SBOM and cybersecurity policy guidance, and Platform One DevSecOps architecture standards. It must be horizontally scalable for container analysis, support secure development lifecycle practices, and be deployable in Kubernetes with P1 Big Bang-compatible Helm charts. The solution should support on-premises, cloud-based (SaaS), and hybrid deployments, and include features like RBAC, SSO, secure authentication, and encryption of stored data.

Response Instructions

Interested parties are requested to submit white paper responses, limited to two pages (1-inch margins, 12-point Times New Roman font). Responses should include company information (UEI, CAGE Code, Contract Vehicles, POC), potential software solution(s), and a brief narrative explaining how the solution meets government requirements. Submissions must be sent to aflcmc.hncx.p1licensemanagement@us.af.mil and aflcmc.hnckp.platformonectr@us.af.mil by February 19, 2026. This RFI does not guarantee a future solicitation or contract award.

Contract & Timeline

  • Type: Request for Information (RFI) / Sources Sought
  • Set-Aside: None
  • Product Service Code: 7A20 - Application Development Software Delivered By Perpetual License
  • Response Due: February 19, 2026
  • Published: February 9, 2026
  • Period of Performance (Anticipated): August 1, 2026 - July 31, 2031 (Base + 4 Option Years)
  • Issuing Office: FA8307 AFLCMC HNCK C3IN, Joint Base San Antonio - Lackland, TX
  • Primary Contact: Platform One License Management Team (aflcmc.hncx.p1licensemanagement@us.af.mil)

People

Points of Contact

  • Primary: Platform One License Management Team
  • Secondary: Contracting Officer: Major Jamail Walker

Versions

  • Version 2 (Sources Sought): posted Feb 9, 2026
  • Version 1 (Sources Sought): posted Jan 28, 2026