How to Seize the Moment: CISA’s $18B Cyber Challenge

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) is preparing to release an Indefinite Delivery Indefinite Quantity (IDIQ) contract for cybersecurity products and services this summer. The General Services Administration (GSA) Federal Acquisition Service (FAS) Assisted Acquisition Services (AAS) is assisting CISA with the procurement. It released a request for information (RFI) on February 28, 2025, and CISA is reviewing industry feedback. Table 1 contains an overview of the procurement.

Table 1: CISA IDIQ At a Glance

Critical Mission Need

CISA serves as the nation’s risk advisor. It works with partners to defend against cyber threats and ensure the security and resilience of national infrastructure. This includes safeguarding Federal Civilian Executive Branch (FCEB) systems and supporting national critical functions across large-scale programs. Key components such as capability deployment, operations, solutions development, and cybersecurity tool acquisition are central to building national resilience against cyberattacks, underscoring the critical nature of CISA’s mission.

Summary of Requirements

CISA requires a comprehensive and flexible acquisition approach to support various functional areas essential to operations. CISA’s requirements encompass:

• Service Areas: Five distinct service areas, including Cyber/IT Project Management Support, Requirements Management, Capability Implementation, Operations and Sustainment, and Solution Development.
• Product Area: Cybersecurity products and tools aligned with the service areas.
• Support Services: Agile, scalable, and responsive solutions that align with CISA’s overarching goals and improve IT flexibility while reducing redundancy and cost.
• Specialized Expertise: High-level security policy compliance and threat awareness support services are essential.
• Procurement Efficiency: The ability to effectively resolve procurement challenges, particularly in managing cybersecurity software acquisitions. CISA emphasizes shelfware elimination, transferability, cost-effective pricing policies, and strategic procurement alignment.

Risk Considerations

When preparing a proposal response, offerors should consider the following risks.

• Execution Risk Due to Scope and Complexity: The breadth of five service areas and one product area, spanning project management, requirements management, development, operations, and procurement, creates significant complexity in oversight, coordination, and performance management. Inconsistent execution, misaligned priorities, or contractor confusion over roles could lead to delays or duplicated efforts.
• Misalignment Between Procurement and Readiness: One of the main goals is to avoid shelfware, but this requires precise alignment between procurement timing, agency readiness, and deployment capability. Agencies may still procure software before fully deploying it, recreating the problem the IDIQ is trying to solve.
• Resistance from Original Equipment Manufacturers (OEMs): The government wants software and tools to be transferable across agencies, but OEMs often resist this due to licensing restrictions or revenue protection strategies. This may lead to an inability to maximize licenses.
• Contracting and Governance Challenges: A flexible ordering mechanism used by multiple entities introduces governance risks, such as unclear authority, uneven task order quality, or performance inconsistency. Weak governance could reduce accountability, increase contract administration burden, or dilute strategic outcomes.
• Budget Uncertainty and Out-of-Year Pricing: The RFI notes concern over out-of-year pricing and vendor stock-keeping unit (SKU) re-packaging. With tightening federal budgets, escalating costs in later years could erode value.

Capture and Proposal Tips

It is crucial to thoroughly understand the RFP requirements, emphasizing your past performance and expertise in large-scale cybersecurity projects. Develop a strong value proposition by offering agile, flexible, cost-effective solutions that align with CISA’s strategic goals and address procurement challenges like shelfware and pricing policies. Assemble a highly qualified team, form strategic partnerships, and demonstrate the ability to work with CISA and its critical infrastructure partners.

Conclusion

The upcoming IDIQ represents a significant opportunity for industry leaders to contribute to the national security mission by offering innovative, resilient, and cost-effective solutions. Offerors must use their expertise and past performance to address CISA’s complex requirements, focusing on agility, scalability, and integration. Given the critical nature of CISA’s mission to protect national infrastructure, proactive risk mitigation strategies, comprehensive team building, and diverse partnerships will be indispensable. As the landscape of cyber threats continues to evolve, aligning industry capabilities with CISA’s critical mission needs will not only place a proposal in a competitive position but also contribute to strengthening national resilience against cyberattacks.

Relevant Information

• How to Adapt Your Proposal Strategy for Executive Order Disruption

• How to Use GenAI to Quickly Mine CPARS Reports

• Tips for Winning the $927M DISA ModEL BPA

By Brenda Crist, Vice President at Lohfeld Consulting Group, MPA, CPP APMP Fellow

Lohfeld Consulting Group has proven results specializing in helping companies create winning captures and proposals. As the premier capture and proposal services consulting firm focused exclusively on government markets, we provide expert assistance to government contractors in Capture Planning and Strategy, Proposal Management and Writing, Capture and Proposal Process and Infrastructure, and Training. In the last 3 years, we’ve supported over 550 proposals winning more than $170B for our clients—including the Top 10 government contractors. Lohfeld Consulting Group is your “go-to” capture and proposal source! Start winning by contacting us at www.lohfeldconsulting.com and join us on LinkedIn, Facebook, and YouTube^(TM).