Request for Information: Information Assurance Compliance Support Services

Statement of Work (SOW) / Performance Work Statement (PWS)

This Statement of Work (SOW) outlines the requirements for Information Assurance Compliance Support Services for the U.S. Department of Homeland Security (DHS) Science & Technology Directorate (S&T) Office of the Chief Information Officer (OCIO). The primary goal is to support DHS S&T in integrating innovative technology into everyday use and maintaining/evolving its organizations.

The scope of work is to support the Information Assurance Compliance function within S&T OCIO, limited to S&T contract staffing. Key areas include:

• Program Management Support: Managing all aspects of service delivery, including transition planning, resource management, quality assurance, and risk management. This involves developing Project Management Plans and providing professional administrative support.

• Compliance Services: Overseeing the Plan of Action and Milestones (POA&M) process, validating system security reporting, maintaining system inventories, developing procedures for DHS IT security policy, supporting the S&T CISO in addressing security issues, implementing IT Security Review and Assistance Programs, conducting Security Assessment and Authorization (A&A) or Ongoing Security Assessments per NIST SP 800-37, and evaluating system configurations and vulnerabilities.

• Information System Security Officer (ISSO) Services: Ensuring compliance with ISSO roles and responsibilities, tracking A&A processes, maintaining continuous monitoring information, updating security documentation, and documenting NIST publications and security controls.

• Information System Security Manager (ISSM) Services: Overseeing ISSO team activities, ensuring adequate ISSO support, reviewing security documentation, and acting as the interface between the ISSO team and Federal Management.

• Security Operations Center (SOC) Services: Operating a 24x7x365 SOC, monitoring and analyzing security events, performing incident triage, maintaining SOPs, conducting technical investigations, and supporting the vulnerability management program.

• Zero Trust Architecture (ZTA) Services: Supporting ZTA implementation, modernization, and program services, including executing DHS's ZTA Strategic Plan, developing implementation plans, and providing expertise on Zero Trust concepts.

• The period of performance is 5 years, starting July 01, 2026, to June 30, 2031.

• The primary place of performance is the S&T headquarters in the National Capital Region. Additional performance locations may be added.

• Contract type: Time and Material (T&M) for base effort and surge support.

• Security: Contractor access to classified information up to Top Secret/SCI is required. Personnel must be vetted for security clearance, with a Single Scope Background Investigation. Key personnel must have at least a SECRET Clearance.

• Accessibility: All Information and Communications Technology (ICT) delivered must conform to Section 508 standards.

• Cyber Supply Chain Risk Management (C-SCRM) is a critical requirement.

• Reporting: Regular reporting (weekly, monthly, quarterly) is required, including status reports, performance metrics, and compliance documentation.

Request for Information (RFI)

This RFI is issued by the Department of Homeland Security (DHS), Science and Technology (S&T) Directorate, Chief Information Office (CIO) for Information Assurance Compliance Support Services for FY26. The purpose is to collect information from qualified and interested sources regarding their capability and experience in providing services related to Information Assurance (IA) and compliance support for S&T's IT systems. This RFI is for planning purposes only and does not constitute a solicitation or an obligation to award a contract.

Respondents are asked to address the following six questions:

• Capability and experience implementing FedRAMP baseline for cloud systems, considering NIST SP 800-53 and 800-37.
• Recommendations for knowledge, skills, qualifications, certifications, and experience for Information System Security Manager (ISSM) and Zero Trust/Security Operations (SOC) personnel.
• Capability and experience supporting the Zero Trust Framework in a federal environment.
• Capability and experience developing performance metrics and reporting for cyber mandates.
• Capability and experience with emerging technologies and continuous improvement in cybersecurity programs.
• Capability and experience implementing and managing a Project Management Office (PMO) Level III.

Not applicable, as this is an RFI.

• Responses are due no later than 10:00 a.m. on February 17, 2026.
• Submissions should be made using Microsoft Office applications, with a font no smaller than 12-point Times New Roman.
• Responses shall not exceed eight (8) pages and must include a cover letter.
• Submissions should be sent to Danette Williams (danette.williams@hq.dhs.gov) and Marco Macherelli (marco.macherelli@hq.dhs.gov).

Not specified. Responses from all interested sources are encouraged.

• The RFI is associated with previous RFIs related to Service Delivery Support, Information Assurance Compliance Support, and Systems Engineering/Operations and Maintenance Support under BPA 70RSAT22A00000001, which expires July 31, 2026.
• An Industry Day may be held, with details to be provided later.
• The Government may hold one-on-one meetings with respondents as part of market research.