Supply Chain Illumination RFI

Questions & Answers / Clarifications

This document provides clarifications and answers to vendor questions regarding the Supply Chain Illumination (SCRM) opportunity.

• Deployment Models: Alternative deployment models (government-controlled, on-premises, enclave-based) are acceptable if not connected to the secret enclave or network. FedRAMP Moderate is acceptable for unclassified networks. SaaS is the preferred deployment model.
• Data Ingestion & Storage: Solutions should operate without ingesting FBI asset inventory into vendor-hosted environments but should have the ability to ingest future inventory. FBI-derived or enriched data is restricted from being stored outside government-controlled infrastructure.
• Traceability: Hardware microcomponent traceability should go at least three layers back. For products like computers, granularity should include smart chips and transistors. Vendors must clearly state limitations in commercially available data.
• Data Update Frequency: Near real-time updates are expected for all data types (cyber vulnerabilities, corporate ownership, trade/shipping), with a maximum latency of 24 hours. Alert latency should be near real-time, with at least daily updates.
• Integration: No direct integrations with FBI systems are required at this time, but outputs should be in common file formats (Word, PDF, CSV). The FBI is interested in the vendor's current approach to integration standards and data schemas.
• Risk Scoring: Methodologies must align with NIST 800-161 and FIPS 199, with a preference for customization capabilities.
• Scope: The initial deployment is for 15-20 users in a limited scenario, monitoring an estimated 500 vendors with unknown products. The initial deployment will be on the unclassified network only.
• Data Sources: Preferred sources include technical vulnerability data, blockchain, and shipping data. Vendor-supplied data is acceptable but will be validated.

These clarifications refine expectations regarding deployment, data handling, traceability, update frequencies, and integration, which bidders should consider when preparing their responses.

Request for Information (RFI)

The Federal Bureau of Investigation (FBI) is issuing this Request for Information (RFI) to gather industry input on commercially available technologies and services for an enterprise Supply Chain Risk Management (SCRM) capability. The goal is to illuminate information and communication technology (ICT) products, software, and services, providing detailed insights into threats, risks, and vulnerabilities within the supply chain. This RFI is for informational and planning purposes only and does not constitute a solicitation.

The FBI is seeking solutions that can:

• Provide continuous monitoring of product/entity risk levels and associated factors.

• Perform in-depth due diligence for initial risk assessment and mitigation planning.

• Generate automatic alerts for changes in risk ratings or status.

• Offer automated or scheduled management and tasking features.

• Provide automated or customizable visualizations and data exports.

• Group products, vendors, or entities for easy access and coordination.

• Map supply chains at least three tiers upstream.

• Provide structured product/vendor registries and supply chain relationship mapping.

• Integrate with FBI enterprise systems.

• Break down supply chain Bills of Materials (SBOMs).

• Offer micro component traceability.

• Track shipping/transport records.

• Identify financial, operational, cyber, governance, third-party, and trade risks.

• Include Application Programming Interfaces (APIs) and be FedRAMP high approved.

• This RFI is open to manufacturers for market research.

• Interested parties must submit capability packages.

• Submissions must be UNCLASSIFIED, in Microsoft Word/Excel/PowerPoint or PDF format, and not exceed 20 pages (8.5x11, 1-inch margins, 12-point font).

• Questions are due by April 17th, Noon ET, with answers posted by April 24th.

• Submissions are due by May 6th, 2026, 3:00 PM ET.

• Email submissions to bmjames@fbi.gov and hlwilliams@fbi.gov with the subject line "RFI- Supply Chain Illumination."

• Not applicable, as this is an RFI.

• Responses are voluntary and will not be used to form a binding contract.

• No funds are available to pay for response preparation.

• The FBI may request demonstrations based on RFI responses.

• The FBI is looking for solutions that can be maintained within FBI control and operate independently of completed inventories, without requiring data entry into systems outside FBI networks or secured government clouds.