NAS Cyber Information Security and Operations
Quick Summary
The Federal Aviation Administration (FAA) is conducting a Market Survey for NAS Cyber Information Security and Operations. The survey is intended to gather information on potential vendors and their capabilities, and to obtain recommendations on draft requirements for strengthening the cybersecurity posture of the National Airspace System (NAS). Responses are due March 19, 2026.
Purpose & Background
The FAA relies on secure and resilient information systems to ensure safe and efficient air travel. Growing cyber threats necessitate strengthening cybersecurity to protect systems, maintain operational continuity, and safeguard the NAS. This market survey aims to identify industry capabilities for supporting NAS cybersecurity, which involves complex operational technology (OT) environments and safety-critical infrastructure, distinct from traditional IT.
Scope of Work
The FAA anticipates requirements for cybersecurity testing, risk assessment, and operational security services within the NAS. This includes, but is not limited to:
- Performing independent risk assessment, penetration testing, and vulnerability assessment on NAS systems.
- Conducting cybersecurity testing in lab, simulation, and operational environments without impacting safety-critical NAS operations.
- Evaluating cybersecurity controls for OT, industrial control systems (ICS), SCADA, telecommunications infrastructure, and aviation-specific systems.
- Supporting regression testing, validation of remediation actions, and NAS Cyber Operations (NCO) activities like threat hunting and incident response.
- Assessing NAS cybersecurity architecture, system interdependencies, and identifying capability gaps.
Submission Requirements
Interested sources must submit a Capability Statement (maximum 5 pages, including cover sheet) by March 19, 2026. The cover page should include vendor name, NAICS, UEI, CAGE code(s), business size/socioeconomic status, POC, and FAA eFAST contract number (if applicable). The statement should demonstrate:
- Capabilities in NAS, aviation, or safety-critical cybersecurity work.
- Experience performing the full scope of work described, of similar size, scope, and complexity.
- Familiarity with FAA cybersecurity orders and NAS architecture.
- Ability to support Independent Risk Assessments and Cybersecurity testing nationwide on short notice.
- Ability to identify technologies, develop new technologies, and analyze/mitigate risks.
Contract & Timeline
- Opportunity Type: Sources Sought / Market Survey
- Response Due: March 19, 2026
- Published: March 13, 2026
- NAICS Code: Not yet finalized.
- Set-Aside: The nature of the competition has not been finalized at this time.
- Place of Performance: Contractor and Government facilities, including FAA HQ Washington D.C., ATCSCC, WJHTC, FTI/Harris SOCC, MMAC, FAA SOC (Leesburg, VA), and Contingent Operations Locations.
Additional Notes
This is a market survey for planning purposes only and is not a Screening Information Request (SIR) or Request for Proposals (RFP). The FAA is not seeking or accepting unsolicited proposals and will not pay for information received. Any future solicitation will be announced on SAM.gov. FAA acquisition policies are governed by AMS, not FAR.