Assured Compliance Assessment Solution (ACAS) for the Program Acquisition Executive (PAE) Cyber Sensing Portfolio Management Office

Background
The Defense Information Systems Agency (DISA) is seeking sources for the next-generation Assured Compliance Assessment Solution (ACAS) for the Program Acquisition Executive (PAE) Cyber Sensing Portfolio Management Office.
The goal of this contract is to enhance cybersecurity measures across the Department of War (DoW) by implementing a comprehensive scanning solution that ensures compliance with security controls and best practices.

Work Details
The contractor will provide a comprehensive scanning solution for approximately 11 million DoW devices, including:
- Network-based, host-based agent, and agentless scanning capabilities.
- Assessment of compliance with security controls, configuration best practices, and patch management.
- Support for various operating systems such as Windows, UNIX/Linux, macOS, and Cisco IOS.
- Cloud deployment support utilizing at least FedRAMP high with Impact Level 5 (IL5).
- Scanning capabilities for cloud assets including AWS, Azure, OCI, GCP.
- Scanning capabilities for IoT and OT assets including Siemens and Rockwell devices.
- Scanning capabilities for container assets like Docker and Kubernetes.
- Scanning capabilities for web applications such as ServiceNow.
- Enterprise license management.

The solution must sustain on-premises capabilities while expanding to cover IoT, OT, container scanning, and cloud environments. It should adhere to standards like SCAP, CVE, CPE, XCCDF, and OVAL while automating network discovery and vulnerability scanning.

Period of Performance
Base Year: January 1, 2029 – December 31, 2029; Option Year One: January 1, 2030 – December 31, 2030; Option Year Two: January 1, 2031 – December 31, 2031; Option Year Three: January 1, 2032 – December 31, 2032; Option Year Four: January 1, 2033 – October 31, 2033.

Place of Performance
The anticipated place of performance is both CONUS (Continental United States) and OCONUS (Outside Continental United States).

Incumbent Analysis (see Incumbents section for more detail)
This opportunity appears to have a confirmed incumbent based on prior DISA ACAS awards, including Sirius Federal’s ACAS Contract 2.0 bundle (NNG15SC34B-HC108421F0030, $39,222,000, 12/27/20–12/26/25) and FCN’s Assured Compliance Assessment Solution contract (NNG15SC71B-HC108426F0066, $25,051,377, 12/27/25–12/26/26). The current requirement for a next-generation ACAS scanning and compliance assessment solution for large-scale device coverage aligns with the prior ACAS scope of providing assured compliance assessment capabilities (e.g., vulnerability/compliance scanning services), suggesting continuity in delivering and evolving the same core solution.