RegScale Alternative Sources/Solutions

Statement of Work (SOW) / Performance Work Statement (PWS)

To modernize and streamline regulatory compliance management for organizations operating in complex, high-stakes environments by providing the RegScale platform. This solution aims to ensure mission-critical systems align with evolving regulatory requirements in real-time, centralize documentation, and provide audit trails.

• Provide access to agreed-upon RegScale licenses.

• All products and services must meet Department of War (DoW) guidelines.

• The contract includes the RegScale Compliance Platform License plus Services Accelerator Pack.

• Base Period: 17 June 2026 – 16 June 2027

• Option Year 1: 17 June 2027 – 16 June 2028

• Option Year 2: 17 June 2028 – 16 June 2029

• Place of Performance: Platform One/HNCX, 420 Broadway St., San Antonio, TX 78205

• The contractor shall provide a single Point of Contact (POC) for coordination with the P1 Program/Acquisition Manager (PM/AM) and the Procurement Contracting Officer (PCO).

• The contractor must provide necessary licenses/keys, timely issue identification, root cause remedies, and effective communication of license updates/timelines/expiration dates.

• License keys shall be emailed to specific Air Force email addresses and delivered within 5 business days after receipt of the Award.

Request for Information (RFI)

This RFI is issued for market research and acquisition planning to identify and assess commercially available alternatives to RegScale for supporting Platform One (P1) mission requirements. The government is seeking solutions for Governance, Risk, and Compliance (GRC) automation, continuous compliance monitoring, security control management, risk assessment tracking, audit readiness, and authorization support within a government security-compliant environment.

The government is looking for solutions capable of supporting:

• Enterprise compliance operations
• Risk Management Framework (RMF) activities
• Continuous Authority to Operate (CATO) sustainment
• Control inheritance management
• Evidence collection automation
• Policy mapping
• Security documentation management within a DevSecOps ecosystem

The RFI includes specific questions for vendors regarding:

• Continuous Controls Monitoring (CCM) capabilities
• Automation of evidence collection for compliance artifacts
• Supported regulatory frameworks (NIST 800-53, RMF, FedRAMP, CMMC, STIG)
• Policy-as-code capabilities
• Audit trail retention and logging
• Integrations with various tools (GitLab, Jira, Kubernetes, AWS GovCloud, ServiceNow)
• Support for Continuous ATO (CATO)
• Compliance drift detection and remediation
• Role-based access control (RBAC) and SSO/SAML
• Implementation timelines and migration support
• Support escalation processes
• License delivery timelines
• Pricing (subscription and implementation)
• Federal or DoD customer examples
• Data ownership, storage, and retention for on-prem environments

Responses will help the government identify qualified sources, evaluate capabilities, and inform future acquisition strategy decisions. This RFI is for informational purposes only and is not a solicitation or commitment to award a contract.