RFI - Next Generation of the Assured Compliance Assessment Solution (ACAS)
ID: 842571649
Type: Sources Sought
Overview

Buyer

DEPT OF DEFENSE, DEFENSE INFORMATION SYSTEMS AGENCY (DISA), IT CONTRACTING DIVISION - PL84, SCOTT AFB, IL, 62225-5406, USA
    Description

    The Defense Information Systems Agency (DISA) is seeking industry input through a Request for Information (RFI) for the next generation of the Assured Compliance Assessment Solution (ACAS), aimed at enhancing cybersecurity measures across the Department of Defense (DoD). The objective is to identify scalable scanning solutions capable of assessing approximately 11 million devices, ensuring compliance and effective vulnerability assessments while integrating with existing technologies, including Internet of Things (IoT) and cloud environments. This initiative is critical for maintaining the security posture of the DoD, as it will support continuous assessments and compliance reporting across diverse operating systems and devices. Interested vendors must submit their responses by 5 p.m. EDT on May 9, 2025, to the designated DISA contacts, with the anticipated contract performance period spanning from November 2025 to October 2030.

    Files
    The document outlines the technical requirements for a network vulnerability and compliance assessment system for government agencies. It includes extensive specifications for network discovery, automated vulnerability scanning, application assessments, and compliance with security standards such as FISMA and DoD STIGs. The system is expected to perform continuous assessments across various operating systems, including both Windows and Linux, and assess both networked and non-networked devices. Key features outlined in the requirements include the capability to assess compliance through automated scans, generate detailed reports, track vulnerabilities, and integrate with existing security protocols. The emphasis is on providing a non-disruptive scanning process that maintains the integrity of network operations while ensuring accurate incident detection and compliance reporting. Central to the purpose of this document is the need for a robust system to enhance cybersecurity measures within federal and state agencies, reflecting a proactive approach to managing vulnerabilities across diverse technological environments. The document serves as a foundational framework for government RFPs seeking trusted solutions that improve compliance and security posture across various IT infrastructures.
    The document outlines the Request for Information (RFI) related to the development and deployment of a comprehensive software solution for the Department of Defense (DoD). Key topics include pricing estimates for a five-year lifecycle, operations support, and the breakdown of devices requiring software licenses—estimated at 11 million across the DoD. It confirms that companies submitting proposals can include additional documentation and may propose alternative solutions. The DoD expresses a preference for a single comprehensive solution but remains open to multi-vendor approaches that could meet all requirements. Varying vendor inquiries address topics such as technical demonstrations, compliance with regulatory standards, cloud integration, and capabilities for managing diverse assets, indicating a focus on flexibility and operational efficiency. Clarifications provide expectations for assessing security, such as the need for threat detection, event-triggered scanning, and capabilities across both online and offline environments. The document emphasizes the importance of a solution that can maintain operational continuity while embracing advancements in technology and ensuring adherence to compliance standards. Overall, the RFI reflects the DoD's intent to enhance cybersecurity measures through robust, adaptable solutions tailored to a dynamic operational landscape.
    The DISA Master Device Endpoint Record (MDER) outlines essential device configurations encompassing network, hardware, software settings, operational context, vulnerabilities, compliance results, and user data, necessitating weekly vulnerability scans and compliance checks. The document specifies that security configuration settings for applications should be maintained and reported monthly, particularly emphasizing DoD's minimum STIG benchmark requirements for operating systems and applications. Additionally, IAVM compliance is mandated, integrating vulnerability scan data into the reporting framework.
    The Defense Information Systems Agency (DISA) has issued a Request for Information (RFI) to explore solutions for the next generation of the Assured Compliance Assessment Solution (ACAS). This initiative aims to enhance endpoint security for the Department of Defense (DoD), focusing on scalable enterprise scanning capabilities that can accommodate approximately 11 million devices. The RFI seeks insights from industry vendors regarding advanced scanning options, covering various asset types and technologies including Internet of Things (IoT) and cloud environments. The new solution must sustain current ACAS capabilities and expand functionalities, ensuring compliance with security controls and facilitating operational technology needs. Key requirements include automated vulnerability scanning, network assessment, configuration evaluation, and compatibility with established compliance frameworks like NIST standards. The program targets a contract period from November 2025 to October 2030, with responses due by April 24, 2025. The document emphasizes the need for a flexible, robust solution that can evolve alongside emerging technologies while minimizing disruption to existing operations within the DoD framework.
    The Defense Information Systems Agency (DISA) is soliciting information from the industry for the development of the next generation of the Assured Compliance Assessment Solution (ACAS). This Request for Information (RFI) aims to identify scanning solutions capable of assessing approximately 11 million devices across the Department of Defense (DoD). The ACAS team enhances DoD's security posture by providing robust scanning tools that ensure compliance and effective vulnerability assessment. The RFI highlights the need for a scalable solution that supports various technological environments, including Internet of Things (IoT) and cloud computing, while maintaining existing capabilities. Key aspects of the proposed solution include comprehensive scanning capabilities, automated vulnerability assessments, and compatibility with diverse operating systems and devices. Responses are expected to address technical specifications, architectural integration with existing DoD systems, operational support, training, and pricing structures. The RFI stipulates a target performance timeline from November 2025 through October 2030 and seeks comprehensive feedback from vendors to aid in selecting a suitable successor to the current system. This initiative reflects DISA's commitment to evolving its cybersecurity strategies to adapt to emerging threats and technologies.
    The Defense Information Systems Agency (DISA) is soliciting information from industry for the next generation of the Assured Compliance Assessment Solution (ACAS). This Request for Information (RFI) aims to gather insights to enhance endpoint security solutions within the Department of Defense (DoD). The ACAS is currently utilized across various DoD entities to scan approximately 11 million devices, identifying compliance and security posture. The new solution must support existing capabilities, integrate with emerging technologies like IoT and cloud, and ensure scalability while providing detailed security assessments. The RFI outlines the technical specifications required, such as agent-based and agentless scanning, automated vulnerability assessments, and support for compliance frameworks. Companies responding must detail their technological recommendations, operational support plans, and cost structures over a proposed five-year lifecycle. This RFI underscores DISA’s commitment to advancing cybersecurity measures within the DoD while seeking vendor collaboration to ensure a robust and scalable scanning solution for current and future security challenges.
    Similar Opportunities
    Defense Information Systems Agency (DISA) Commercial Solutions Opening (CSO) - Other Transactions for Prototype Projects
    Dept Of Defense
    The Defense Information Systems Agency (DISA) is inviting proposals for its Commercial Solutions Opening (CSO) HC108425S0001, aimed at fostering innovative commercial technologies through prototype projects. This initiative seeks to partner with both traditional and nontraditional defense contractors, as well as nonprofit organizations, to enhance defense capabilities while bypassing standard Federal Acquisition Regulations under the authority of 10 U.S.C. § 4022. The CSO outlines a three-phase evaluation process that includes submitting Solution Briefs, participating in Pitch sessions, and submitting full proposals for selected candidates, emphasizing technical merit and innovation aligned with specific Areas of Interest (AOIs). Interested parties can reach out to the DITCO OTA Mailbox at disa.scott.ditco.mbx.ps84-other-transaction-authority@mail.mil for further information, noting that awards will depend on available funding and may lead to follow-on production contracts for successful prototypes.
    Protecting Army Modernization and Supply Chains- Commercial Solutions Opening (CSO)
    Dept Of Defense
    The Department of Defense, through the Army Contracting Command, is seeking innovative solutions to enhance cybersecurity within the Defense Industrial Base (DIB) as part of the Protecting Army Modernization and Supply Chains initiative. This opportunity invites proposals for automated cybersecurity measures that comply with critical standards such as NIST controls and Cybersecurity Maturity Model Certification (CMMC), aimed at supporting small businesses in mitigating cyber threats while ensuring the protection of intellectual property and secure access. The initiative is crucial for safeguarding defense technologies and ensuring the rapid delivery of military capabilities, with submissions accepted until March 6, 2030. Interested parties can contact the Army NCODE Team at usarmy.apg.acc.mbx.dc3oe-ncode-cso@army.mil for further information.
    Industry Feedback on NGC2 Emerging Architecture
    Dept Of Defense
    The Department of Defense, specifically the Army Contracting Command at Aberdeen Proving Ground, is seeking industry feedback on the Next Generation Command and Control (NGC2) Emerging Architecture. This request for information (RFI) aims to gather insights on a multi-layer technology stack that supports Army operations, focusing on composability, data layer design patterns, and software deployment readiness within the NGC2 ecosystem. The initiative is critical for enhancing decision-making capabilities on the modern battlefield, emphasizing the need for innovative technical and business approaches. Interested parties must submit their responses via a designated form by December 22, 2025, and can contact MAJ Quentin Sica or William Wimbury for further information.
    Microbial Identification System (MIS)
    Dept Of Defense
    The Department of Defense, through the United States Army Health Contracting Activity, is seeking information regarding a commercial solution for a Microbial Identification System (MIS) to enhance its MicroScan autoSCAN-4 System. The objective is to procure a system that meets the Critical Operational Device Specifications (CODS), which include operational characteristics, support for specific testing panels, and compatibility with a LabPro computer running Windows 11. This procurement is crucial for ensuring reliable laboratory systems in medical environments, particularly in austere settings. Interested vendors must submit their responses by 4:00 PM Central Time on April 3, 2025, to Linda McGhee at linda.a.mcghee.civ@health.mil, and are encouraged to provide detailed information about their capabilities and products as outlined in the RFI documents.
    Department of the Air Force (DAF) Identity, Credential, and Access Management (ICAM) Enterprise III, Request For Information (RFI)
    Dept Of Defense
    The Department of the Air Force (DAF) is seeking a qualified vendor to provide comprehensive services for its Identity, Credential, and Access Management (ICAM) Enterprise III program, as outlined in a Request for Information (RFI). The procurement aims to identify a single vendor capable of managing platform operations, sustainment, and enhancement of the DAF ICAM platform, which is critical for onboarding over 3,300 applications and supporting a user base of over 750,000 personnel and millions of non-person entities. This initiative is part of a broader cybersecurity transformation to transition to a Zero Trust Architecture, aligning with the Department of Defense's Digital Modernization Strategy. Interested parties must submit their responses by January 6, 2026, and can direct inquiries to Kurtavius Brown at kurtavius.brown@us.af.mil or Darnita McBride at darnita.mcbride@us.af.mil.
    Draft RFP - Enterprise Service Solutions IV
    Dept Of Defense
    The Department of Defense, through the Defense Information Systems Agency (DISA), is seeking industry feedback on a draft Request for Proposal (RFP) for the Enterprise Service Solutions IV contract. This procurement aims to establish an indefinite delivery/indefinite quantity contract for managed storage services and on-demand storage solutions, addressing the need for a scalable storage system that can adapt to varying demands while ensuring cost flexibility and comprehensive maintenance of necessary assets. The contract will support both continental United States (CONUS) and outside continental United States (OCONUS) operations, emphasizing high availability, security, and interoperability with existing government infrastructure. Interested parties can direct inquiries to Tricia L. Singler at tricia.l.singler.civ@mail.mil or Joe Santel at joseph.l.santel2.civ@mail.mil, with no proposals accepted in response to this draft notice.
    Request for Information (RFI) for Passive Defense Solutions
    Dept Of Defense
    The Department of Defense, specifically the Department of the Air Force, has issued a Request for Information (RFI) for passive defense solutions aimed at countering threats posed by Group 1-3 Unmanned Aerial Systems (UAS) to USAF assets. The Air Force is seeking industry input on solutions that utilize Camouflage, Concealment, Deception, and Hardening (CC&D+H) measures, with an emphasis on low-cost, user-friendly, and rapidly deployable options that can integrate with existing systems. These solutions are critical for enhancing the protection of Air Force assets by reducing spectral and visual signatures while ensuring operational continuity. Interested vendors are required to submit a five-page response detailing their company overview, proposed solutions, technical approaches, performance data, and cost/schedule by December 22, 2025, at 1600 EST. For further inquiries, vendors may contact Timothy Overby at timothy.overby.1@us.af.mil or Jennifer Judkins at jennifer.judkins@us.af.mil.
    Transportation Security Administration’s Open Architecture Initiatives
    Homeland Security, Department Of
    The Transportation Security Administration (TSA) is seeking industry participation in its Open Architecture (OA) initiatives, aimed at enhancing the efficiency and interoperability of transportation security systems. This opportunity invites vendors to provide feedback on next-generation OA solutions, including the Digital Imaging and Communications in Security (DICOS) standard and the Open Platform Software Library (OPSL), to inform TSA's implementation strategy and future requirements. The TSA's OA approach is critical for modernizing security screening processes, ensuring agility in response to evolving threats, and improving the overall passenger experience. Interested parties should submit their comments using the provided forms by September 30, 2024, and respond to the Request for Information (RFI) by June 3, 2024, with inquiries directed to Siobhan Mullen at siobhan.mullen@tsa.dhs.gov or Siobhan Lawson at Siobhan.Lawson@tsa.dhs.gov.
    RFI: 2.5 GB, 5 GB, and 10 GB Commercial Circuits Intra SWA
    Dept Of Defense
    The Defense Information Systems Agency (DISA) is conducting a Request for Information (RFI) to gather insights on the availability of 2.5 GB, 5 GB, and 10 GB commercial lease circuits for intra-Southwest Asia (SWA) operations. This RFI aims to collect market research data to inform strategies for fulfilling the Agency's telecommunications requirements outside the contiguous United States (OCONUS). The information gathered will be crucial for understanding the capabilities of potential service providers in the wired telecommunications sector, specifically for satellite communications and telecom access services. Interested parties are encouraged to reach out to Rachel Kern at rachel.e.kern.civ@mail.mil for further inquiries, noting that this RFI does not guarantee any future contract opportunities or funding commitments.
    RFI: 2.5 GB, 5 GB, and 10 GB Commercial Circuit Intra SWA
    Dept Of Defense
    The Defense Information Systems Agency (DISA) is conducting a Request for Information (RFI) to gather insights on the availability of 2.5 GB, 5 GB, and 10 GB commercial circuits for Intra-Southwest Asia (SWA) services. This RFI aims to collect market research data to inform the Agency's strategies for fulfilling its telecommunications requirements outside the contiguous United States (OCONUS). The information gathered will be crucial for understanding the capabilities of potential providers in the wired telecommunications sector, particularly in satellite communications and telecom access services. Interested parties can reach out to Rachel Kern at rachel.e.kern.civ@mail.mil for further inquiries, noting that this RFI does not guarantee any future contract opportunities or funding commitments.