NGA Common Operations Release Environment (CORE), Helm-Infrastructure as a Code

Questions & Answers / Clarifications

This document provides responses to vendor questions regarding the NGA CORE Modernization and Helm/IaC RFIs, offering clarifications on technical requirements, acquisition strategies, and submission guidelines.

• Past Performance: NGA will not provide incumbent information. While past performance in a classified DoW/IC environment is requested, NGA is seeking industry input on its importance for small business competitiveness.
• RFI Responses: Vendors are required to submit two separate responses, one for the Helm/IaC RFI and one for the CORE Modernization RFI.
• Technical Details: NGA will provide pertinent information in a bidder's library during the RFP process. Specific details on current and future architectural documentation, technologies, cluster counts, node footprints, and tool versions will be made available.
• Team Structure & Support: NGA is seeking industry input on optimal team structures and is interested in hybrid support models combining hands-on engineering and consulting services. 24x7 operational support is expected, with extended hours dictated by mission needs.
• Security & Compliance: CMMC Level 2 compliance is required for CUI access. All software must undergo NGA's C-ATO process, including various security scans and integration with NGA's IdAM solution. Container security tools like ACS and Kyverno are expected.
• Modernization Focus: The CORE Modernization RFI primarily focuses on platform-level DevSecOps and Kubernetes engineering, not application-specific development. NGA seeks enhanced efficiencies and cost savings through industry best practices to address limitations in flexibility and scaling.
• IaC & Helm: Helm/IaC implementation is integral to a day 0 strategy. NGA is open to various IaC tools and GitOps approaches, seeking industry best practices. Standardized Helm charts should be promoted, and configurations should maintain parity across security domains.

This Q&A document clarifies requirements and submission expectations, influencing how vendors should prepare their responses to the RFIs and potential future RFP. Key clarifications include the number of required responses, the scope of technical support, and security compliance mandates.

Questions & Answers / Clarifications

This document contains responses to questions submitted by vendors regarding the NGA CORE Helm-IaC and NGA CORE Modernization RFIs. It clarifies technical requirements, submission guidelines, and operational expectations.

• Font Size: All font within RFI responses must be 12pt; Arial 8pt is not acceptable for graphics and tables.
• Page Counts: For the CORE Helm-IaC RFI, the white paper limit is 10 pages. For the CORE Modernization RFI, the limit is 12 pages. Separate responses are required for each RFI.
• Deployment Scope: The government is referring to the deployment of CORE tools, not program-specific applications, when discussing deployment to various environments.
• Application Packaging: NGA CORE applications are to be packaged into a Kubernetes deployment managed by Helm and IaC.
• Cross Domain Solution (CDS): Vendors are expected to maintain and enhance an existing CDS, collaborate with the NGA CDS Office, and propose/integrate/accredit solutions.
• Infrastructure-as-Code (IaC): Performers are authorized to use IaC for automated provisioning and network management within existing security boundaries, but must propose efficiencies and collaborate with NGA risk management.
• Legacy Application Modernization: Performers are not expected to migrate or modernize legacy applications; their role is to provide documentation and engagement to enable customer success.
• Technology Alternatives: Named technologies (e.g., GitLab, Grafana) are not necessarily hard requirements; the government is open to alternative technologies.
• Cloud Operations Interface: While Cloud OPS maintains a formal SLA, specific services currently require ticket submission. Vendors are encouraged to propose automation enhancements.

These clarifications provide specific guidance on response formatting, technical expectations for deployment and infrastructure management, and the scope of vendor responsibilities, which will directly impact how potential offerors prepare their proposals for any subsequent solicitations.

Request for Information (RFI)

This RFI seeks information on implementing a cost-effective, "Configuration as a Service" centric platform for the National Geospatial-Intelligence Agency (NGA) CORE DevSecOps environment. The goal is to gather technical solutions and industry practices for a holistic deployment approach using Infrastructure as Code (IaC) / Helm or wrapper scripts for orchestration.

• Develop bundled NGA CORE DevSecOps environment solutions using Helm/IaC.

• Support deployment to both internet-connected and air-gapped environments.

• Include deployment solutions for initial CORE DevSecOps service offerings: Source Control Management (SCM) & CI/CD Pipeline (GitLab), Artifact store (Nexus), CORE PaaS (OpenShift), Code Quality (SonarQube), and Security tools (Fortify, OWASP, Anchore, Grype).

• Operate under a "bring your own license" model.

• Provide support for teams without NGA affiliation for CORE product line IaC and Helm deployment.

• Work within Department of War (DoW), Intelligence Community (IC), and NGA specific IT and cyber requirements.

• Demonstrate monthly complete deployment of the CORE environment.

• Anticipated Period of Performance: One (1) Year Base Period with Four (4) One (1) Year Option-Periods.

• Location: CONUS, site location TBD based on RFI input.

• Responses are due by 5:00 pm ET on February 20, 2026.

• Submit responses as a white paper (Microsoft Word, max 10 pages).

• Questions are due by 12:00 Noon ET on January 30, 2026.

• Responses can be uploaded to the CORE Helm-IaC effort or emailed.

• Not applicable for this RFI, as it is for information gathering only.

• This RFI does not constitute a Request for Proposal (RFP) and does not commit the Government to a contract.

• Responders must have or be able to obtain TS/SCI level access to NGA sites.

• Respondents should identify potential Organizational Conflicts of Interest (OCI).