RFI - Next Generation of the Assured Compliance Assessment Solution (ACAS)
ID: 842571649
Type: Sources Sought
Overview

Buyer

DEPT OF DEFENSE, DEFENSE INFORMATION SYSTEMS AGENCY (DISA), IT CONTRACTING DIVISION - PL84, SCOTT AFB, IL, 62225-5406, USA
    Description

    The Defense Information Systems Agency (DISA) is seeking industry input through a Request for Information (RFI) for the next generation of the Assured Compliance Assessment Solution (ACAS), aimed at enhancing cybersecurity measures across the Department of Defense (DoD). The objective is to identify scalable scanning solutions capable of assessing approximately 11 million devices, ensuring compliance and effective vulnerability assessments while integrating with existing technologies, including Internet of Things (IoT) and cloud environments. This initiative is critical for maintaining the security posture of the DoD, as it will support continuous assessments and compliance reporting across diverse operating systems and devices. Interested vendors must submit their responses by 5 p.m. EDT on May 9, 2025, to the designated DISA contacts, with the anticipated contract performance period spanning from November 2025 to October 2030.

    Files
    The document outlines the technical requirements for a network vulnerability and compliance assessment system for government agencies. It includes extensive specifications for network discovery, automated vulnerability scanning, application assessments, and compliance with security standards such as FISMA and DoD STIGs. The system is expected to perform continuous assessments across various operating systems, including both Windows and Linux, and assess both networked and non-networked devices. Key features outlined in the requirements include the capability to assess compliance through automated scans, generate detailed reports, track vulnerabilities, and integrate with existing security protocols. The emphasis is on providing a non-disruptive scanning process that maintains the integrity of network operations while ensuring accurate incident detection and compliance reporting. Central to the purpose of this document is the need for a robust system to enhance cybersecurity measures within federal and state agencies, reflecting a proactive approach to managing vulnerabilities across diverse technological environments. The document serves as a foundational framework for government RFPs seeking trusted solutions that improve compliance and security posture across various IT infrastructures.
    The document outlines the Request for Information (RFI) related to the development and deployment of a comprehensive software solution for the Department of Defense (DoD). Key topics include pricing estimates for a five-year lifecycle, operations support, and the breakdown of devices requiring software licenses—estimated at 11 million across the DoD. It confirms that companies submitting proposals can include additional documentation and may propose alternative solutions. The DoD expresses a preference for a single comprehensive solution but remains open to multi-vendor approaches that could meet all requirements. Varying vendor inquiries address topics such as technical demonstrations, compliance with regulatory standards, cloud integration, and capabilities for managing diverse assets, indicating a focus on flexibility and operational efficiency. Clarifications provide expectations for assessing security, such as the need for threat detection, event-triggered scanning, and capabilities across both online and offline environments. The document emphasizes the importance of a solution that can maintain operational continuity while embracing advancements in technology and ensuring adherence to compliance standards. Overall, the RFI reflects the DoD's intent to enhance cybersecurity measures through robust, adaptable solutions tailored to a dynamic operational landscape.
    The DISA Master Device Endpoint Record (MDER) outlines essential device configurations encompassing network, hardware, software settings, operational context, vulnerabilities, compliance results, and user data, necessitating weekly vulnerability scans and compliance checks. The document specifies that security configuration settings for applications should be maintained and reported monthly, particularly emphasizing DoD's minimum STIG benchmark requirements for operating systems and applications. Additionally, IAVM compliance is mandated, integrating vulnerability scan data into the reporting framework.
    The Defense Information Systems Agency (DISA) has issued a Request for Information (RFI) to explore solutions for the next generation of the Assured Compliance Assessment Solution (ACAS). This initiative aims to enhance endpoint security for the Department of Defense (DoD), focusing on scalable enterprise scanning capabilities that can accommodate approximately 11 million devices. The RFI seeks insights from industry vendors regarding advanced scanning options, covering various asset types and technologies including Internet of Things (IoT) and cloud environments. The new solution must sustain current ACAS capabilities and expand functionalities, ensuring compliance with security controls and facilitating operational technology needs. Key requirements include automated vulnerability scanning, network assessment, configuration evaluation, and compatibility with established compliance frameworks like NIST standards. The program targets a contract period from November 2025 to October 2030, with responses due by April 24, 2025. The document emphasizes the need for a flexible, robust solution that can evolve alongside emerging technologies while minimizing disruption to existing operations within the DoD framework.
    The Defense Information Systems Agency (DISA) is soliciting information from the industry for the development of the next generation of the Assured Compliance Assessment Solution (ACAS). This Request for Information (RFI) aims to identify scanning solutions capable of assessing approximately 11 million devices across the Department of Defense (DoD). The ACAS team enhances DoD's security posture by providing robust scanning tools that ensure compliance and effective vulnerability assessment. The RFI highlights the need for a scalable solution that supports various technological environments, including Internet of Things (IoT) and cloud computing, while maintaining existing capabilities. Key aspects of the proposed solution include comprehensive scanning capabilities, automated vulnerability assessments, and compatibility with diverse operating systems and devices. Responses are expected to address technical specifications, architectural integration with existing DoD systems, operational support, training, and pricing structures. The RFI stipulates a target performance timeline from November 2025 through October 2030 and seeks comprehensive feedback from vendors to aid in selecting a suitable successor to the current system. This initiative reflects DISA's commitment to evolving its cybersecurity strategies to adapt to emerging threats and technologies.
    The Defense Information Systems Agency (DISA) is soliciting information from industry for the next generation of the Assured Compliance Assessment Solution (ACAS). This Request for Information (RFI) aims to gather insights to enhance endpoint security solutions within the Department of Defense (DoD). The ACAS is currently utilized across various DoD entities to scan approximately 11 million devices, identifying compliance and security posture. The new solution must support existing capabilities, integrate with emerging technologies like IoT and cloud, and ensure scalability while providing detailed security assessments. The RFI outlines the technical specifications required, such as agent-based and agentless scanning, automated vulnerability assessments, and support for compliance frameworks. Companies responding must detail their technological recommendations, operational support plans, and cost structures over a proposed five-year lifecycle. This RFI underscores DISA’s commitment to advancing cybersecurity measures within the DoD while seeking vendor collaboration to ensure a robust and scalable scanning solution for current and future security challenges.
    Similar Opportunities
    Request for Information - Data at Rest
    Buyer not available
    The Department of Defense, through the Air Force Life Cycle Management Center (AFLCMC), is issuing a Request for Information (RFI) to identify sources capable of providing Commercial Solutions for Classified (CSfC) Dual Data at Rest (DAR) capabilities for Tactical Air Control Party Modernization (TACP-M) Core Computers. The objective is to enhance operational security by ensuring that classified data is properly sanitized when computers are powered off or logged out, thereby allowing them to be considered unclassified and mitigating logistical and operational security concerns during travel and field operations. The proposed solution requires a minimum hardware update to NVMe SSD hard drives (M.2 2280, TCG Opal compliant, 1 TB minimum) and a software update for full disk encryption, with compliance to NSA certification for Full Drive Encryption (FDE) and NIAP-approved collaborative protection profiles. Interested parties must submit their responses, including company data, product capabilities, rough cost estimates, and potential risks, by January 5, 2026. For further inquiries, contact Edwin Hernandez Mendez at edwin.hernandezmendez.2@us.af.mil or Denis Grenier at denis.grenier@us.af.mil.
    Draft RFP - Capacity Services Communications III
    Buyer not available
    The Department of Defense, through the Defense Information Systems Agency (DISA), is seeking industry feedback on a draft Request for Proposal (RFP) for the Capacity Services Communications III contract. This indefinite delivery/indefinite quantity (ID/IQ) contract aims to provide reliable and cost-effective communication infrastructure services, including hardware, software, and technical services, to enhance DISA's communication capabilities at various locations. The contract is crucial for ensuring the scalability, security, and modernization of communication infrastructure, particularly for data centers and hybrid-cloud solutions. Interested parties can direct their inquiries to Shaun Bright or Tyme Sampson via email, and should note that the government will not accept proposals in response to this draft RFP.
    Defense Information Systems Agency (DISA) Commercial Solutions Opening (CSO) - Other Transactions for Prototype Projects
    Buyer not available
    The Defense Information Systems Agency (DISA) is inviting proposals for its Commercial Solutions Opening (CSO) HC108425S0001, aimed at fostering innovative commercial technologies through prototype projects. This initiative seeks to partner with both traditional and nontraditional defense contractors, as well as nonprofit organizations, to enhance defense capabilities while bypassing standard Federal Acquisition Regulations under the authority of 10 U.S.C. § 4022. The CSO outlines a three-phase evaluation process that includes submitting Solution Briefs, participating in Pitch sessions, and submitting full proposals for selected candidates, emphasizing technical merit and innovation aligned with specific Areas of Interest (AOIs). Interested parties can reach out to the DITCO OTA Mailbox at disa.scott.ditco.mbx.ps84-other-transaction-authority@mail.mil for further information, noting that awards will depend on available funding and may lead to follow-on production contracts for successful prototypes.
    Protecting Army Modernization and Supply Chains- Commercial Solutions Opening (CSO)
    Buyer not available
    The Department of Defense, through the Army Contracting Command, is seeking innovative solutions to enhance cybersecurity within the Defense Industrial Base (DIB) as part of the Protecting Army Modernization and Supply Chains initiative. This opportunity invites proposals for automated cybersecurity measures that comply with critical standards such as NIST controls and Cybersecurity Maturity Model Certification (CMMC), aimed at supporting small businesses in mitigating cyber threats while ensuring the protection of intellectual property and secure access. The initiative is crucial for safeguarding defense technologies and ensuring the rapid delivery of military capabilities, with submissions accepted until March 6, 2030. Interested parties can contact the Army NCODE Team at usarmy.apg.acc.mbx.dc3oe-ncode-cso@army.mil for further information.
    Industry Feedback on NGC2 Emerging Architecture
    Buyer not available
    The Department of Defense, specifically the Army Contracting Command at Aberdeen Proving Ground, is seeking industry feedback on the Next Generation Command and Control (NGC2) Emerging Architecture. This request for information (RFI) aims to gather insights on a multi-layer technology stack that supports Army operations, focusing on composability, data layer design patterns, and software deployment readiness within the NGC2 ecosystem. The initiative is critical for enhancing decision-making capabilities on the modern battlefield, emphasizing the need for innovative technical and business approaches. Interested parties must submit their responses via a designated form by December 22, 2025, and can contact MAJ Quentin Sica or William Wimbury for further information.
    Microbial Identification System (MIS)
    Buyer not available
    The Department of Defense, through the United States Army Health Contracting Activity, is seeking information regarding a commercial solution for a Microbial Identification System (MIS) to enhance its MicroScan autoSCAN-4 System. The objective is to procure a system that meets the Critical Operational Device Specifications (CODS), which include operational characteristics, support for specific testing panels, and compatibility with a LabPro computer running Windows 11. This procurement is crucial for ensuring reliable laboratory systems in medical environments, particularly in austere settings. Interested vendors must submit their responses by 4:00 PM Central Time on April 3, 2025, to Linda McGhee at linda.a.mcghee.civ@health.mil, and are encouraged to provide detailed information about their capabilities and products as outlined in the RFI documents.
    Transportation Security Administration’s Open Architecture Initiatives
    Buyer not available
    The Transportation Security Administration (TSA) is seeking industry participation in its Open Architecture (OA) initiatives, aimed at enhancing the efficiency and interoperability of transportation security systems. This opportunity invites vendors to provide feedback on next-generation OA solutions, including the Digital Imaging and Communications in Security (DICOS) standard and the Open Platform Software Library (OPSL), to inform TSA's implementation strategy and future requirements. The TSA's OA approach is critical for modernizing security screening processes, ensuring agility in response to evolving threats, and improving the overall passenger experience. Interested parties should submit their comments using the provided forms by September 30, 2024, and respond to the Request for Information (RFI) by June 3, 2024, with inquiries directed to Siobhan Mullen at siobhan.mullen@tsa.dhs.gov or Siobhan Lawson at Siobhan.Lawson@tsa.dhs.gov.
    RFI: 2.5 GB, 5 GB, and 10 GB Commercial Circuits Intra SWA
    Buyer not available
    The Defense Information Systems Agency (DISA) is conducting a Request for Information (RFI) to gather insights on the availability of 2.5 GB, 5 GB, and 10 GB commercial lease circuits for intra-Southwest Asia (SWA) operations. This RFI aims to collect market research data to inform strategies for fulfilling the Agency's telecommunications requirements outside the contiguous United States (OCONUS). The information gathered will be crucial for understanding the capabilities of potential service providers in the wired telecommunications sector, specifically for satellite communications and telecom access services. Interested parties are encouraged to reach out to Rachel Kern at rachel.e.kern.civ@mail.mil for further inquiries, noting that this RFI does not guarantee any future contract opportunities or funding commitments.
    RFI: 2.5 GB, 5 GB, and 10 GB Commercial Circuit Intra SWA
    Buyer not available
    The Defense Information Systems Agency (DISA) is conducting a Request for Information (RFI) to gather insights on the availability of 2.5 GB, 5 GB, and 10 GB commercial circuits for Intra-Southwest Asia (SWA) services. This RFI aims to collect market research data to inform the Agency's strategies for fulfilling its telecommunications requirements outside the contiguous United States (OCONUS). The information gathered will be crucial for understanding the capabilities of potential providers in the wired telecommunications sector, particularly in satellite communications and telecom access services. Interested parties can reach out to Rachel Kern at rachel.e.kern.civ@mail.mil for further inquiries, noting that this RFI does not guarantee any future contract opportunities or funding commitments.
    Consolidated Standard Inmarsat Broadband Global Area Network (BGAN) and Global Xpress (GX) Services for the Department of Defense (DoD) and Federal Agencies
    Buyer not available
    The Department of Defense, through the Defense Information Systems Agency (DISA), is seeking to establish a Blanket Purchase Agreement (BPA) Bridge for Consolidated Standard Inmarsat Broadband Global Area Network (BGAN) and Global Xpress (GX) Services. This procurement aims to provide essential telecommunications services to the DoD and other federal agencies, ensuring reliable and efficient connectivity for various operations. The services are critical for maintaining communication capabilities in diverse environments, supporting both operational and strategic missions. Interested vendors can reach out to primary contact Jenalle L. Hilmes at jenalle.hilmes@disa.mil or by phone at 618-418-6585, or secondary contact Ashley T. Hubert at ashley.t.hubert.civ@mail.mil or 618-418-6249 for further details.