NGA Common Operations Release Environment (CORE) Modernization RFI

Questions & Answers / Clarifications

This document provides responses to vendor questions regarding the NGA CORE Modernization and Helm/IaC RFIs, offering clarifications on technical requirements, acquisition strategies, and submission guidelines.

• Incumbent Information: NGA will not provide information on incumbent contractors.
• Travel Guidance: Some travel is available at the government's discretion for mission planning.
• Past Performance: NGA requires past performance information in a classified DoW/IC environment and will not remove this requirement for small businesses. Respondants may choose to respond to Commercial, Government, or NGA Past Performance requirements.
• Response Format: Font size for tables should be 12 pt. White paper responses are limited to 12 pages per RFI, totaling 24 pages if responding to both.
• SOO/SOW/PWS: NGA is seeking industry input to make determinations regarding these documents.
• Team Size & Structure: The anticipated size and composition of the CORE support team is undetermined; NGA is seeking industry input. NGA currently aligns 1-2 Scrum teams per CORE product lane and is interested in industry best practices for optimizing team structures.
• CMMC: Cybersecurity Maturity Model Certification (CMMC) Level 2 compliance is required for processing, accessing, or storing Controlled Unclassified Information (CUI).
• RFP Timeline: The anticipated release timeframe for the RFP and expected award/PoP start dates are undetermined.
• RFI Responses: Respondents are expected to submit two separate responses, one for each RFI (Helm/IaC and CORE Modernization).
• Platform & Tooling: Red Hat OpenShift is the current enterprise Kubernetes baseline. NGA is seeking enhanced efficiencies and cost savings through modernization and is open to recommendations for tools and practices, including AI-powered developer assistance and AIOps.
• Security: Solutions must meet IC requirements, including CMMC Level 2. NGA's Risk Management Division establishes guidance for the C-ATO process, requiring continuous monitoring and approval for all software.
• Cost Management: NGA requires cost management and showback/chargeback capabilities, ideally per workload with roll-up to Key Component (KC).

Respondents should adhere to the specified page limits, font sizes, and submission requirements. Key technical and security requirements, such as CMMC Level 2 and OpenShift as the baseline, must be addressed. NGA is actively seeking industry input on various aspects, indicating flexibility in certain areas.

Questions & Answers / Clarifications

This document contains responses to questions submitted by potential bidders regarding the NGA CORE Helm-IaC and NGA CORE Modernization RFIs. It clarifies requirements, scope, and submission details for these opportunities.

• Font Size: Arial 8pt is not acceptable for graphics and tables; 12pt font is required.
• Page Counts: Supplemental comment matrices are not included in the overall page count for white papers.
• Deployment Scope: The government is referring to the deployment of CORE tools, not program-specific applications, when discussing deployment to various environments.
• RFI Structure: Two separate RFIs (Helm-IaC and Modernization) require two separate responses, with specific page limits: 10 pages for Helm-IaC and 12 pages for Modernization.
• Application Migration: Performers are not expected to migrate or modernize customer software applications. Their role is to provide technical documentation and engagement to enable customer success.
• Cross Domain Solutions (CDS): Vendors are expected to maintain and enhance an existing CDS, collaborate with the NGA CDS Office, and propose/integrate/accredit solutions.
• Infrastructure as Code (IaC): Performers are authorized to use IaC for automated provisioning and network management within existing security boundaries, with an expectation to propose efficiencies and collaborate on risk management.
• Technology Alternatives: While specific technologies are named (e.g., GitLab, Grafana), the government is open to alternative technologies/tools.
• Cloud OPS Interface: Cloud OPS maintains a formal SLA, but specific services currently require ticket submission. Enhancements through automation are encouraged.

These clarifications refine the understanding of technical requirements, submission guidelines, and the scope of work for potential bidders. Bidders must adhere to the specified font sizes, page limits, and understand the government's expectations regarding application migration, CDS, and IaC implementation.

Request for Information (RFI)

This RFI seeks information on how interested contractors can provide cost-effective modernization, software pipeline/platform engineering, and architecture expertise to extend the National Geospatial-Intelligence Agency's (NGA) Development, Security, and Operations (DevSecOps) environment. The goal is to enhance operational efficiencies and capabilities, particularly for the "NGA Common Operations Release Environment (NGA CORE)" and related DevSecOps capabilities. It also seeks expertise in engineering, architecture, coding, integration, and product management for Kubernetes deployment and container orchestration platforms.

Respondents are asked to address:

• Operations, sustainment, and modernization of the NGA CORE DevSecOps environment.

• Direct engineering, architectural, coding, integration, and product management for Kubernetes and container orchestration platforms.

• Solutions should emphasize scalability, affordability, effectiveness, lifecycle affordability, operational efficiency, security, scalability, and ease of integration.

• Proposed solutions should be modular, forward-compatible, and platform-agnostic.

• Respondents must demonstrate solutions that follow industry standards.

• Respondents must identify and address perceived execution risk factors (people, process, technology) and implementation timeframes.

• Proposed environments/platforms must be demonstratable and operational.

• Evidence of past performance in classified DoW/IC environments is required.

• This is an RFI ONLY and does not constitute a Request for Proposal (RFP).

• It does not commit the Government to a contract.

• Anticipated period of performance: One Base Period with multiple option-periods.

• Location: CONUS, site location TBD.

• Responses are due no later than 5:00 pm ET on February 20, 2026.

• Responses should be submitted as a white paper, not exceeding 12 pages.

• Questions regarding the RFI are due no later than 12:00 Noon ET on January 30, 2026.

• Responses can be uploaded to the classified ACR site or emailed.

• The NAICS code is 518210 – Computing Infrastructure Provider, Data Processing, Web-Hosting and Related Services.

• Respondents must indicate their business type (Small Business, Small Disadvantaged, etc.).

• Respondents may recommend alternative NAICS codes.

• Personnel must have or be able to obtain TS/SCI level access.

• All costs associated with responding are at the interested party's expense.

• Not responding does not preclude participation in any future RFP.

• The RFI is subject to change and is not binding.