Request for Information (RFI) for Army Enterprise Identity, Credential, and Access Management (E-ICAM) Services Delivery Contract
RFI Number: RFI-ARMY-EICAM-2026-02
Date of Issuance: July 14, 2026
Response Due Date: August 04, 2026, 1:00 PM ET
1.0 Introduction and Purpose
This is a Request for Information (RFI) as defined in Federal Acquisition Regulation (FAR) 15.201(e). The Army Contracting Command, Aberdeen Proving Ground (ACC-APG), on behalf of Product Lead Enterprise Identity, Credential, and Access Management (PdL E-ICAM) under PdL Enablers, is conducting market research to identify potential sources, best practices, and innovative solutions for a comprehensive Enterprise Identity, Credential, and Access Management (E-ICAM) service. The Army seeks to continuously deliver its current E-ICAM capabilities and modernize its enterprise platform to support a globally deployed force, enable multi-domain operations, integrate with tactical environments, and accelerate the implementation of a Zero Trust Architecture.
This RFI is for planning and informational purposes only and does not constitute a Request for Proposal (RFP). The Government will not award a contract based on responses to this RFI or pay for any information submitted.
2.0 Background and Current Environment
The Army's E-ICAM infrastructure is a complex ecosystem that requires both continuously delivery of currently fielded systems and modernization to address future requirements. This service must manage the full lifecycle of identities for all users (soldiers, civilians, contractors, mission partners), enforce the principle of least privilege, and align with the DoD's Zero Trust Strategy. To assist vendors in understanding the scale of this effort, the current E-ICAM environment encompasses approximately:
- Identities Managed: Est. up to 3.5M user
- Applications Integrated: Est. 2,000 applications
- Privileged Accounts: Est. up to 4,000 users
- Average Monthly Help Desk Tickets (Tier 3/4): Est. Up to 3,500
The future solution must be scalable, leverage commercial innovation (including Commercial Off-The-Shelf (COTS) products), utilize non-proprietary connections where feasible, and operate effectively under a single prime contractor who will coordinate with other Government and vendor stakeholders.
3.0 Scope of Interest
The Army is interested in information related to the following key areas:
- Continuous Delivery: Strategies for operations, maintenance, and incremental improvement of existing enterprise ICAM systems.
- Modernization & Onboarding: Application of Agile/DevSecOps methodologies to modernize the architecture and efficiently onboard a backlog of existing and future Army applications.
- Integration & Interoperability: Methodologies for extending enterprise capabilities to tactical environments when connected.
- Organizational Conflict of Interest (OCI): Strategies to comply with strict OCI requirements regarding the recommendation and integration of commercial products.
- Contracting & Pricing Approach: Recommendations for structuring a hybrid contract that defaults to Firm-Fixed-Price (FFP) CLINs for defined deliverables and agile modernization tasks, while providing structured flexibility for the Contracting Officer to utilize alternative, performance-tied CLIN structures for complex delivery components where justified in accordance with Executive Order 14402.4.0 Information Requested
Interested parties are requested to provide concise responses to the following. Please limit your total response to 15 pages, not including the cover page and corporate information.
Corporate Information:
- Company Name, Address, Website, CAGE Code, and Unique Entity Identifier Number.
- Point of Contact (Name, Title, Email, Phone).
- Business Size and applicable NAICS codes.
Section A: Continuously Delivery (Existing State)
- Describe your experience providing solutions to continuously deliver the following ICAM capabilities at a scale similar to the Army's environment (as detailed in Section 2.0):
- Identity Repository: (e.g., Radiant Logic)
- Identity Governance and Administration (IGA): (e.g., SailPoint IdentityIQ)
- Privileged Access Management (PAM): (e.g., CyberArk)
- Describe your approach to providing Tier 3/4 helpdesk support. The focus should be on both ticket closure speed and root-cause elimination. Explain how you would use analytics, automation, and Site Reliability Engineering (SRE) practices to reduce closure speed and repeated incidents. Provide specific metrics you would use to measure and incentivize a decrease in repeat issues and demonstrate long-term problem resolution.
- Describe your experience supporting Federal Government clients in remediating Notice of Findings and Recommendations (NFRs) related to identity and access management controls for financial statement audits (e.g., FISCAM, FIAR, ICOFR).
- Provide a specific example of how you have used an ICAM platform (e.g., SailPoint, CyberArk) to implement and automate controls to directly address an audit deficiency related to Joiner/Mover/Leaver processes, periodic access reviews, or privileged access.
- The Government requires the use of "non-proprietary connections" for integrations. How do you approach this requirement when utilizing enterprise COTS tools (like SailPoint or CyberArk) that often feature deep, vendor-specific connectors?
Section B: Modernization and Application Onboarding
- Describe your approach to implementing and operating a Zero Trust-aligned ICAM program. Provide specific examples of Key Performance Indicators (KPIs) you would use, such as reduction in time for user access provisioning, or percentage of privileged sessions monitored.
- The Performance Work Statement (PWS) requires a Site Reliability Engineering (SRE) model focused on engineering fixes into the platform rather than applying temporary patches. Describe your experience implementing an SRE model for a large-scale, enterprise service. What specific metrics (SLOs/SLIs) would you propose to measure service reliability, drive automation, and ensure enhancements are delivered through DevSecOps and Infrastructure as Code (IaC) pipelines?
- Provide an example of how you have used Infrastructure as Code (IaC) and Configuration as Code (CaC) to automate the deployment, configuration, and remediation of a COTS ICAM platform in a classified cloud environment.
- The Government intends to provide a prioritized list of applications to be onboarded annually. [For estimation purposes, assume 50 legacy applications and 50 cloud-native applications per year. Describe your Agile methodology for estimating the Level of Effort (LOE) required to onboard an application when the exact complexity is initially unknown.
- Describe two specific commercial innovations (e.g., AI/ML for risk management, phishing resistant multi-factor authentication) your company could bring to the Army's E-ICAM program and the expected benefit.
- Describe your technical approach and experience in managing the full identity lifecycle for Non-Person Entities (NPEs) and Non-Human Identities (NHI), including robotic process automation (RPA) bots and AI/ML models. Detail how these technologies will be used as workforce multipliers and to combat cyber threats. Include examples such as AI-driven capabilities for expedited onboarding, automated provisioning, predictive system diagnostics, and self-healing actions that reduce manual intervention.
- These changes will help align the RFI with your strategic goals and encourage more detailed, forward-looking responses from potential vendors.
Section C: Integration, Tactical Interoperability, and OCI
- As the single prime contractor, how will you ensure seamless coordination and integration with other Government application owners and third-party vendors? What objective artifacts would you provide to demonstrate accountability?
- Describe your experience and methodology for managing subcontractors on a contract of this complexity, particularly for ensuring the seamless flow-down of technical requirements, security compliance (including personnel clearances), and adherence to performance thresholds as defined in the PWS.
- Organizational Conflict of Interest (OCI): The anticipated contract includes a strict OCI clause prohibiting the contractor from providing impartial advice on products in which it has a financial interest. If your company holds partnerships with major ICAM software vendors (e.g., CyberArk, SailPoint), how will you firewall these relationships and mitigate "impaired objectivity" conflicts when recommending architectural changes or product implementations?
Section D: Key Personnel
- Describe your approach to recruiting, retaining, and providing qualified personnel for a contract of this nature. The contractor is required to have a Secret Facility Clearance (FCL), and most personnel will require, at a minimum, a Secret Security Clearance.
- What is your ability to staff a program with cleared personnel holding required certifications (e.g., PMP, CISSP, vendor-specific credentials)?
- For the three Key Personnel positions identified in the PWS (Program Manager, Cyber Security Engineer III, System Engineer III), describe your approach to identifying and vetting candidates who meet the specific experience and certification requirements. You may provide sanitized resumes or profiles for representative candidates that demonstrate your access to a qualified talent pool.
Section E: Transition and Program Management
- Describe your detailed approach to transitioning complex, enterprise-scale ICAM services from a single incumbent contractor. Address your methodologies for:
a) Executing knowledge transfer and capturing undocumented institutional knowledge.
b) Ensuring Continuity of Operations (COOP) and zero degradation of service during the handover.
c) Rapidly staffing the effort, including strategies for recruiting cleared incumbent personnel.
d) Proposing a realistic timeline to achieve Full Operational Capability (FOC) from contract award.
Section F: Contracting Approach
- Question 1: The Government intends to use a single-award, hybrid contract utilizing Fixed-Price CLIN structures. Based on your experience, what are the primary risks of using a hybrid contract utilizing Fixed-Price CLIN structures)) for Agile modernization and application onboarding, and how would you recommend the Government structure the CLINs or performance metrics to mitigate these risks?
- Question 2: Beyond the information provided in Section 2.0, what specific Government Furnished Information (GFI) and data sets (e.g., number and complexity of existing audit findings, current state of application integration documentation, detailed license utilization reports) would be most critical for you to accurately estimate the level of effort for both the continuous delivery and modernization tasks?
5.0 Submission Instructions
Responses to this RFI should be submitted electronically in PDF format to Kenneth Faulcon (Kenneth.faulcon2.civ@army.mil) no later than 4 August, 2026, 1:00 PM ET. The email subject line should read: Response to RFI-ARMY-EICAM-2026-02: [Your Company Name] . Proprietary information, if any, should be clearly marked. All information received in response to this RFI that is marked "Proprietary" will be handled and protected as such. Please be advised that all submissions become Government property and will not be returned.
Background
The Army Contracting Command, Aberdeen Proving Ground (ACC-APG), is conducting market research for the Army Enterprise Identity, Credential, and Access Management (E-ICAM) Services Delivery Contract. The goal is to identify potential sources and innovative solutions to continuously deliver and modernize E-ICAM capabilities that support a globally deployed force and align with the DoD's Zero Trust Strategy.
The current E-ICAM environment manages approximately 3.5 million identities across 2,000 applications, with an average of 3,500 help desk tickets monthly. The future solution must be scalable and leverage commercial innovations while ensuring effective coordination among government and vendor stakeholders.
Work Details
The contractor will provide non-personal services necessary for the continuous delivery and modernization of the Army's ICAM platform. Key tasks include:
1. Continuous operation, maintenance, and Tier 3 helpdesk support for existing capabilities such as the Army Master Identity Directory (AMID), Identity Governance and Administration (IGA), Privileged Access Management (PAM), and auditing services.
2. Incremental development and integration of modernized ICAM capabilities using agile methodologies to incorporate Zero Trust principles.
3. Implementing a Site Reliability Engineering (SRE) model for proactive security patching and automated enhancements.
4. Managing the full lifecycle of identities for all users while enforcing least privilege principles.
5. Providing audit compliance support by remediating findings from financial audits.
6. Ensuring seamless integration with other government application owners and third-party vendors.
Period of Performance
The contract will be performed over a base period with options for extensions, including a transition-in period of 60 days at the start of the contract.
Place of Performance
Work can be performed remotely but requires access to Fort Belvoir, VA, as well as compliance with DoD regulations including access to NIPRNet, SIPRNet, Top Secret, and SCI environments.
Bidder Requirements
Bidders must have a Secret Facility Clearance (FCL) with personnel requiring at least a Secret Security Clearance. Key personnel must include a Program Manager with PMP certification and ten years of experience in DoD IT programs; a Cyber Security Engineer III with eight years in cybersecurity engineering; and a System Engineer III with eight years in systems engineering. All personnel must maintain required certifications throughout the contract.
Incumbent Analysis (see Incumbents section for more detail)
This opportunity appears to have a closely related prior contract, W15P7T26C0006, awarded to Nash Harbor Solutions for $27,777,581 (01/28/26–01/29/27). The prior effort provided program management office support with systems engineering and technical assistance for the Army Enterprise Identity, Credential, and Access Management (EICAM) mission, which aligns with the current RFI’s focus on continuous delivery/modernization of ICAM capabilities and ongoing integration and support activities.