NAS Cyber Information Security and Operations
Qualification Details
Fit reasons
- NAICS alignment with historical contract wins in similar service areas.
- Scope strongly matches core technical capabilities and delivery model.
Risks
- Past performance thresholds may require one additional teaming partner.
- Potential clarification needed on staffing minimums before bid/no-bid.
Next steps
Validate eligibility requirements, assign capture owner, and schedule partner outreach to confirm teaming strategy before submission planning.
Quick Summary
The Federal Aviation Administration (FAA) is conducting a Sources Sought / Market Survey for NAS Cyber Information Security and Operations. This market survey aims to gather information on vendor capabilities and obtain recommendations on draft requirements for cybersecurity testing, risk assessment, and operational security services within the National Airspace System (NAS). Responses are due March 18, 2026.
Purpose
This market survey serves two primary purposes: (1) to gather information about potential vendors and their capabilities in cybersecurity for aviation environments, and (2) to obtain vendor comments and recommendations regarding draft requirements for these services. This is explicitly not a Screening Information Request (SIR) or Request for Proposals (RFP), and no solicitation exists at this time. The FAA will review responses to inform future acquisition decisions.
Scope of Work
The FAA anticipates requirements to support cybersecurity testing, risk assessment, and operational security services within the NAS. These services involve complex operational technology (OT) environments, safety-critical infrastructure, and distributed systems. Key areas include:
- Independent risk assessment, penetration testing, and vulnerability assessment on NAS systems.
- Cybersecurity testing in lab, simulation, and operational environments without impacting safety-critical operations.
- Evaluation of cybersecurity controls for OT, ICS, SCADA, telecommunications, and aviation-specific systems.
- Support for regression testing, validation of remediation actions, and NAS Cyber Operations (NCO) activities (threat hunting, incident response).
- Assessment of NAS cybersecurity architecture, system interdependencies, and identification of capability gaps.
Work will be performed at both contractor and government facilities, including FAA HQ, ATCSCC, WJHTC, FTI/Harris SOCC, MMAC, and FAA SOCC (Leesburg, VA).
Contract & Timeline
- Type: Sources Sought / Market Survey
- Set-Aside: Total Small Business Set-Aside (FAR 19.5)
- Response Due: March 18, 2026, by 22:00Z
- Published: March 11, 2026
- NAICS Code: Not yet finalized.
- Product Service Code: DB02 (Computing Support Services)
Submission Requirements
Interested sources should submit a Capability Statement (maximum 5 pages, including cover sheet) demonstrating:
- Company's capabilities in cybersecurity for NAS, aviation, or safety-critical environments.
- Experience performing work of similar size, scope, and complexity as described in the SOW.
- Familiarity with FAA cybersecurity orders and NAS architecture.
- Ability to support Independent Risk Assessments and Cybersecurity testing nationwide on short notice.
- Ability to identify technologies, areas for development, and analyze risks to mitigate vulnerabilities.
The cover page must include vendor name, available NAICS, UEI, CAGE code(s), business size/socioeconomic status, point of contact, and FAA eFAST contract number (if applicable).
Additional Notes
This market survey is for planning purposes only and does not obligate the FAA to acquire services. Proprietary or confidential information must be clearly marked. The FAA's Acquisition Management System (AMS) policies apply, not FAR. Vendors should monitor SAM.gov for any future solicitations.