
GovCon Bid and Proposal Insights
Cybersecurity and Infrastructure Security Agency (CISA) Indefinite Delivery Indefinite Quantity Contract (IDIQ)
In this episode, we break down the upcoming Cybersecurity and Infrastructure Security Agency (CISA) IDIQ opportunity—a major federal contract that’s drawing attention across the cybersecurity and IT services community. With a projected scope covering legacy DEFEND task orders, plus connections to past RFIs such as Deployment Services (47QFRA23K0003) and SCABS (47QFRA24K0005), this contract signals a strategic move by CISA to modernize and consolidate cybersecurity efforts across the federal enterprise.
We unpack what vendors need to know now, the critical functional alignment areas likely to be emphasized, and how to best prepare for this evolving opportunity.
Listen now to stay ahead of the curve and get ready to position your team for success.
Contact ProposalHelper at sales@proposalhelper.com to find similar opportunities and help you build a realistic and winning pipeline.
Speaker 1:You know how sometimes you read those really dense government documents and, buried in all the jargon, you find these like incredible insights into where things are actually heading.
Speaker 2:Definitely.
Speaker 1:Well, today that's exactly what we're doing. We've got a couple of request for information RFIs that the GSA put out for CISA.
Speaker 2:Right, CISA, the Cybersecurity and Infrastructure Security Agency, and these aren't just, you know, routine bits of paper.
Speaker 1:Not at all.
Speaker 2:No, these docs, they're both from February 2025. And they're basically CISA doing some really significant market research. Okay, they're signaling what could be a massive, potentially multi-billion dollar plan, really looking to reshape how they buy cybersecurity services and products, and there's a huge focus on cyber training.
Speaker 1:A really huge focus.
Speaker 2:Yeah, Across federal agencies. Critical infrastructure, the works.
Speaker 1:So for this deep dive, our mission basically is to cut through that bureaucratic language. We want to figure out what CISA's grand vision really is here.
Speaker 2:What's the actual scale they're talking about?
Speaker 1:Yeah, and what are these critical training gaps they're trying so hard to fill?
Speaker 2:Yeah.
Speaker 1:And maybe most interesting, what are they really asking industry partners Like what help do they need right now?
Speaker 2:And why should you, listening, care? Well, understanding this blueprint gives you a kind of front row seat, doesn't it? To how the US government is strategically tackling its huge cybersecurity challenge? And it really does. It's about the resources, the skills, the infrastructure they think are absolutely essential to defend against threats that are just getting, well, more and more sophisticated.
Speaker 1:Okay, let's start unpacking this then. First off CISA itself. Right, these documents. They really position CISA clearly, don't they? The nation's risk advisor, the lead cyber defense agency.
Speaker 2:National coordinator for critical infrastructure security. Yeah, they're not just another federal agency, they're central tasked with this unifying role in cyber defense.
Speaker 1:And their mandate is just incredibly broad.
Speaker 2:It is. They're working with the federal civilian executive branch, FCEB. That's the non-defense federal agencies, right, but also state, local, tribal, territorial governments, yeah, private sector companies, critical infrastructure entities. It's just this vast network they have to help protect.
Speaker 1:And the challenge is obviously huge. I mean the threat landscape they describe.
Speaker 2:Yeah.
Speaker 1:It's complex, it's geographically spread out and, crucially, it's evolving so fast.
Speaker 2:That lightning speed yeah.
Speaker 1:Yeah.
Speaker 2:How do you build a defense against a target that's constantly moving? Exactly, and that speed is key. CISA's goals, as they lay them out here, they're really centered on understanding risk, managing it, reducing it. They want to build national capacity. That's a big theme: capacity to defend and recover, bolster cybersecurity within the FCEB, partner effectively with industry and everyone else. It's proactive defense, but also resilience.
Speaker 1:And the documents. They really highlight the cybersecurity division CSD within CISA as being key here.
Speaker 2:Yeah, CSD's focus is safeguarding those FCEB networks, protecting critical national functions, high-value assets. Got it? Which brings us to capacity building, or CB. This is presented as a core part of CSD. They're the ones fostering those FCEB partnerships, giving guidance, implementing directives, especially under FISMA, the Federal Information Security Modernization Act. They're kind of the engine driving improvements in maturity.
Speaker 1:And woven all through one of these RFIs, is this deep, deep focus on cyber training Within that CB structure.
Speaker 2:It's not a side note.
Speaker 1:No, it feels fundamental. This group is responsible for CISA's mandates to boost cyber skills across all those different groups. Federal, SLTT, critical infrastructure, even veterans mentioned.
Speaker 2:Oh right. And they want to drive innovation in how that training is done.
Speaker 1:And that intense focus on training. It's part of a much larger potential strategic move that these documents reveal, isn't it?
Speaker 2:Absolutely. CISA, working with GSA, they're doing market research for what could be a massive acquisition vehicle.
Speaker 1:Like really big.
Speaker 2:Yeah, they're exploring a capacity building indefinite delivery, indefinite quantity contract, an IDIQ, or maybe some other large multiple award structure.
Speaker 1:And this isn't just out of the blue. It builds on earlier stuff, right? Like that 2024 industry day, previous RFIs.
Speaker 2:Exactly RFIs, covering things like deployment services, strategic buying support, which interestingly they call SCABS.
Speaker 1:SCABS, Strategic Cybersecurity Acquisition and Buying Services.
Speaker 2:Right and the strategic thinking here is really interesting. They explicitly say major programs like CDM.
Speaker 1:Continuous Diagnostics and Mitigation.
Speaker 2:Right. CDM could use this vehicle for their dynamic needs and the needs of the FCEB more broadly. It seems designed to consolidate, streamline a really significant chunk of CISA and CB's future cyber buys.
Speaker 1:And the scale they're thinking about is laid out pretty clearly: a potential structure of five distinct service areas, one product area.
Speaker 2:Let's tick through those service areas.
Speaker 1:the SA's Okay, sa1 is cyber IT project management support. Managing task orders. Overall program objectives seems pretty standard.
Speaker 2:Yeah, foundational stuff. SA2 is requirements management, helping program offices, the PMOs, define and prioritize what they need, making sure requests actually align with objectives and resources. Essential for managing all this complexity.
Speaker 1:Makes sense. Then SA3 is capability implementation. This sounds like the real hands-on work for big programs like CDM.
Speaker 2:Exactly. Technical planning, direct support to the FCEB agencies to get tech configured, deployed, tested. The nuts and bolts.
Speaker 1:Okay, SA4 is operations, sustainment and ancillary support, so keeping things running once they're deployed.
Speaker 2:Right, the O&S.
Speaker 1:Yeah.
Speaker 2:But interestingly it also includes that consultative procurement support we mentioned, SCABS.
Speaker 1:Oh, okay, so SCABS is potentially within SA4?
Speaker 2:Potentially Putting strategic buying support there suggests they see it as kind of intertwined with sustaining and evolving capabilities, not just a separate upfront thing.
Speaker 1:Interesting. And SA5 is solution development. This is where they tap into industry for custom solutions, software development, SecDevOps.
Speaker 2:Right, the bespoke stuff. And then complementing all those services is the single product area PA1, cybersecurity products and tools.
Speaker 1:And they call this a strict procurement sleeve.
Speaker 2:Yes, specifically for buying hardware, software, cloud infrastructure, security tools. It's intended to either supplement the services or just fill distinct product needs. Suggests they want a clear path for just buying stuff alongside getting services.
Speaker 1:And they're also thinking about small businesses here.
Speaker 2:Definitely. They specifically mentioned small business participation for SA5 and PA1. But they're also really interested in understanding how small businesses could potentially handle the scale and staffing for SA1 through SA4. They're actively asking for that feedback.
Speaker 1:Okay, now the number, the one that really hammers home the scale of this vision. The big one, the estimated total value. Yeah.
Speaker 2:The RFIs say they were looking at potentially $18 to $20 billion, billion with a B, over 10 years: five-year base, five option years. That is just a monumental potential investment in building up national cyber capacity.
Speaker 1:And they're surprisingly open in the documents about the problems this huge IDIQ is meant to solve.
Speaker 2:Yeah, they list procurement challenges. They want to tackle head on Things like shelfware.
Speaker 1:Buying software that just sits there, never gets fully used.
Speaker 2:Right. Transferability issues, where agencies need slight variations of products but vendors make it difficult. Outyear pricing.
Speaker 1:Where the price jumps up after the initial contract term.
Speaker 2:Exactly and just disjointed buying approaches across this huge decentralized government landscape. They want to fix that.
Speaker 1:Trying to address those kinds of systemic issues with one big vehicle. That's definitely a strategic move.
Speaker 2:It points to wanting more unified, efficient, maybe more cost-effective acquisition. They even give examples of potential initial task orders under this thing. Like what? Things like CDM requirements and implementation management, those SCABS consulting services we mentioned, specific tech implementations: IDAM, EDR, cloud, IoT.
Speaker 1:Identity and access management, endpoint detection and response.
Speaker 2:Okay and critically, cybersecurity training program support services. That training piece keeps coming back.
Speaker 1:Which brings us neatly to the other core focus of these RFIs, the really detailed requirements for that cybersecurity training program.
Speaker 2:Yeah, this isn't just a general call for more training. They outline specific urgent objectives.
Speaker 1:They want to directly tackle critical skill gaps entry, intermediate and advanced levels.
Speaker 2:Right across the board and the emphasis is really on interactive hands-on labs training that prepares people for emerging threats, not just today's problems.
Speaker 1:So forward-looking.
Speaker 2:Definitely, the goal seems to be a diverse portfolio of training that can scale up efficiently, meets compliance needs, but stays adaptable and integrates well.
Speaker 1:The documents break this down into three high-level functional areas for the CB training program. First, providing the core cybersecurity training capabilities.
Speaker 2:Operating existing training, developing new stuff, delivering it both live synchronous and self-paced asynchronous.
Speaker 1:Okay, that's good.
Speaker 2:Providing cyber range training capabilities. This means operating, maintaining and, importantly, enhancing their existing environment. They call it the CVLE.
Speaker 1:The Cybersecurity Virtual Learning Environment.
Speaker 2:Okay.
Speaker 1:And third, providing cyber training specifically tailored for something called the Federal Cyber Defense Skilling Academy. All right, let's pause on that cyber range, the CVLE, because the documents give some pretty telling details about how complex this thing is.
Speaker 2:They describe it as a virtual learning environment providing labs, hands-on assessment stuff. It's cloud-based, using dynamic virtual labs you can spin up and tear down.
Speaker 1:Creating safe simulated environments for learning.
Speaker 2:Exactly, and the reason for all this complexity. It's designed to meet this growing demand for web-based courses that absolutely need interactive labs for people to actually practice skills.
Speaker 1:You can't just read about it.
Speaker 2:Nope, you got to do it. And the docs highlight key technical components. There's the Range Learning Management System, RLMS.
Speaker 1:Which they note is a customized Moodle, so not just off the shelf.
Speaker 2:Right, that's the entry point. Yeah, then there's an orchestration layer described as a customized range management system, kind of the brains connecting everything.
Speaker 1:Okay.
Speaker 2:That sits on underlying infrastructure built on AWS using various cloud services, then a virtualization layer.
Speaker 1:Using a custom remote gateway to deliver those simulated environments hosted in AWS, reduces the physical footprint. Right, and finally the target infrastructure itself.
Speaker 2:That's the actual simulated environment students mess around in.
Speaker 1:And they mentioned the CVLE currently has eight distinct target infrastructures with multiple virtual machines inside, plus cross-cutting capabilities.
Speaker 2:Yeah, the takeaway is this isn't simple. It's a complex, tailored cloud-native system. They need operated and enhanced.
Speaker 1:Makes sense, and all that complexity exists to support programs like this Federal Cyber Defense Skilling Academy.
Speaker 2:Exactly. Its stated goal is to maximize access to high-quality training across the entire federal government and really strengthen CISA's connection to that federal cyber talent pool.
Speaker 1:How does it do that?
Speaker 2:Well by directly addressing workforce gaps, growing the pipeline of trained people, continuously improving existing skills, fostering partnerships across agencies.
Speaker 1:And the target audience for the Skilling Academy is pretty specific.
Speaker 2:Yeah, entry-level and intermediate federal employees. They're focusing on those foundational skills, getting people up to speed, maybe reskilling folks.
Speaker 1:And the scale they're thinking about for the Skilling Academy roughly 500 students a year.
Speaker 2:Annually, yeah yeah. Delivered through two main formats microcourses and cyber-skilling pathways.
Speaker 1:Okay, microcourses.
Speaker 2:Those are shorter, like one to two-week sessions focused on foundational or specialized skills. The emphasis is explicitly practical, real-world training to get people ready for specific essential cyber roles fast.
Speaker 1:Quick hits and skilling pathways.
Speaker 2:More intensive. Full-time, one- to three-month accelerated programs, lots of hands-on practice in those lab environments, using that CVLE we just talked about.
Speaker 1:Oh, okay.
Speaker 2:And they're 100% virtual, but and this seems important with live online instructors, so it's interactive, not just watching videos.
Speaker 1:Got it. So that's the big picture. CISA is sketching out this potentially huge acquisition vehicle, detailed plans for scaling up training, and the RFIs themselves are basically CISA saying to industry, OK, we need your input to make this real.
Speaker 2:Exactly. They lay out exactly what information they want in their responses.
Speaker 1:And their specific responses have to come from prime contractors.
Speaker 2:Right, and they need corporate experience, corporate capabilities and answers to a whole bunch of specific questions they've posed.
Speaker 1:They even give strict formatting guidelines, page limits for each section.
Speaker 2:Yeah, like: corporate overview, two pages; corporate experience, three pages; capabilities approaches, two pages; general RFI questions, two pages; and the specific training RFI questions, three pages. They want concise, targeted feedback.
Speaker 1:Tells you they're serious about getting usable info, and there's a firm deadline: March 7, 2025, 11 am Eastern. Pretty quick turnaround.
Speaker 2:It is, and the sheer range of questions CISA is asking industry. It's really revealing.
Speaker 1:What kind of things?
Speaker 2:Well, general feedback on the requirements docs, the functional areas, recommendations on the best acquisition approach, contract types, even incentive structures. It shows they're still figuring out the how of this massive plan.
Speaker 1:Makes sense. They're asking industry to highlight their expertise too right, Especially around the CVLE.
Speaker 2:Definitely Things like developing, enhancing, maintaining a cloud-based cyber range. They want to know about cloud expertise for optimizing it, experience, customizing and sustaining LMS systems like Moodle.
Speaker 1:And proving capabilities in developing and delivering training across all levels entry, intermediate, advanced.
Speaker 2:CISA is also kind of probing, asking if they should maybe narrow the scope of some functional areas. Like, can companies really handle all the requirements holistically, especially for the training stuff, which involves both content and infrastructure?
Speaker 1:That's a fair question.
Speaker 2:They're asking about experience delivering both live synchronous and self-paced asynchronous training on specific cyber topics. Asking about managing those virtual cloud-based ranges, including system development, security, compliance, getting an ATO.
Speaker 1:Authority to operate Crucial government approval.
Speaker 2:Absolutely. They want to know about experience developing those simulated target infrastructures within a range and how that actually impacts the learner experience so focused on effectiveness.
Speaker 1:And they're asking for recommended NAICS codes, the industry classification codes.
Speaker 2:Yeah, beyond the primary one listed, trying to understand the breadth of relevant industry players.
Speaker 1:They also want specific feedback on the whole proposed IDIQ approach itself.
Speaker 2:Right, pros, cons. From industry's viewpoint, challenges, benefits they see. They question if integrated service area pools are achievable or if you really need distinct expertise for each area.
Speaker 1:Getting granular too, asking about where to put that SCABS procurement consulting support.
Speaker 2:Exactly Standalone SA or integrated into SA4 operations sustainment, like they tentatively proposed. What works best?
Speaker 1:Other questions touch on aligning labor categories to the SAs, past experiences, good and bad, with ordering procedures on other big government contracts.
Speaker 2:And the challenges around mixing commercial services and products with potentially more custom, non-commercial requirements. How to balance that?
Speaker 1:And circling back to small business, they specifically ask small businesses interested in SA1 through 4.
Speaker 2:Beyond the SA5 PA1 they initially flagged.
Speaker 1:Right. They ask them to provide substantial detail in their responses. Basically, prove you have the capability and staffing to handle the magnitude. Make your case strongly.
Speaker 2:Yeah, they're putting the onus on them. Finally, they ask industry if more engagement, like another industry day,
Speaker 1:Maybe due diligence opportunities would be helpful. Shows they're open to more collaboration before locking things down. They also require specific tables detailing company info, interest areas, certifications, relevant past contracts.
Speaker 2:So OK, pulling all these threads together, what do these RFIs really tell us?
Speaker 1:Well, first, CISA is seriously considering a massive multi-billion dollar acquisition vehicle, potentially $18-20 billion over 10 years.
Speaker 2:Designed to streamline buying across a huge range of cyber services and products and tackle those known procurement headaches.
Speaker 1:And second, there's this incredibly detailed focus on cyber training, outlining specific programs like the Federal Cyber Defense Skilling Academy, the microcourses, the skilling pathways.
Speaker 2:And giving significant insight into the complex tech infrastructure needed to support it, especially that cloud-based cyber range, the CVLE.
Speaker 1:These documents. They really reveal a strategic government effort addressing both the tech needs of national cyber defense and those critical workforce skill gaps.
Speaker 2:Through integrated acquisition and dedicated training initiatives. It's a move to build national capacity on a truly massive scale.
Speaker 1:So what does this deep dive reveal for you, the listener? I mean? It really underscores the immense complexity, the urgency, the sheer scale of the nation's cybersecurity challenge.
Speaker 2:It's not just about buying more tools, is it? It's about building the foundational skills, the resilient infrastructure needed across the whole ecosystem Federal agencies, critical infrastructure, everyone.
Speaker 1:And these documents highlight the specific kinds of capabilities CISA thinks are essential. Sophisticated cloud-based cyber ranges, tailored training programs, that's what they believe it takes to meet the challenge head on.
Speaker 2:Okay, here's maybe a provocative thought to leave you with. Building on all this, CISA is trying to build a framework here for acquisition, for training, that could last a decade, 10 years.
Speaker 1:That's a long time in cyber.
Speaker 2:Exactly the cyber threat landscape it changes like daily, sometimes hourly. So how effectively can a structured government procurement and training framework, even one designed with adaptability in mind, informed by industry through RFIs like these, truly stay ahead of threats that move at that insane speed? What does this RFI process specifically tell us about how they're trying right now, at the beginning, to bake that kind of dynamic adaptation into such a long-term plan? How do you build for a future you can barely predict?