Cyber Asset Attack Surface Management
ID: BPM056393
• State: Maryland
Opportunity Assistant
Loading
Description
Background
The Department of Information Technology (DoIT) of the State of Maryland is issuing an Invitation for Bids (IFB) to procure a Cloud-hosted Cyber Asset Attack Surface Management (CAASM) platform. The purpose of this procurement is to establish a unified system for digital asset inventory, vulnerability correlation, and identity mapping across the State's IT infrastructure. This initiative aligns with the mandates of NIST 800-53 security controls and aims to enhance cybersecurity governance.
Work Details
The contractor will provide a cloud-hosted CAASM platform that aggregates, normalizes, correlates, and presents asset, vulnerability, and identity data from integrated State systems. Key functionalities include:
1. Multi-tenant architecture with logical data isolation.
2. Integration with external identity providers for federated authentication.
3. Asset discovery capabilities without requiring proprietary software agents.
4. Ingestion of vulnerability findings from third-party tools.
5. Reporting and analytics capabilities for asset inventory distributions and vulnerability compliance.
6. Support for custom tags and metadata on assets.
7. Compliance with functional requirements detailed in Sections 2.3.1 through 2.3.8 of the IFB.
Period of Performance
The contract duration is three years from the date of award.
Place of Performance
The services will be performed primarily at the Department of Information Technology's facilities in Crownsville, Maryland.
Bidder Requirements
Bidders must demonstrate a minimum market presence of five years for their proposed CAASM platform and provide references from three State, Local, or Education (SLED) customers who have utilized their platform for at least twelve months within the past five years. Additionally, bidders must comply with insurance requirements including Commercial General Liability and Workers' Compensation coverage.
The Department of Information Technology (DoIT) of the State of Maryland is issuing an Invitation for Bids (IFB) to procure a Cloud-hosted Cyber Asset Attack Surface Management (CAASM) platform. The purpose of this procurement is to establish a unified system for digital asset inventory, vulnerability correlation, and identity mapping across the State's IT infrastructure. This initiative aligns with the mandates of NIST 800-53 security controls and aims to enhance cybersecurity governance.
Work Details
The contractor will provide a cloud-hosted CAASM platform that aggregates, normalizes, correlates, and presents asset, vulnerability, and identity data from integrated State systems. Key functionalities include:
1. Multi-tenant architecture with logical data isolation.
2. Integration with external identity providers for federated authentication.
3. Asset discovery capabilities without requiring proprietary software agents.
4. Ingestion of vulnerability findings from third-party tools.
5. Reporting and analytics capabilities for asset inventory distributions and vulnerability compliance.
6. Support for custom tags and metadata on assets.
7. Compliance with functional requirements detailed in Sections 2.3.1 through 2.3.8 of the IFB.
Period of Performance
The contract duration is three years from the date of award.
Place of Performance
The services will be performed primarily at the Department of Information Technology's facilities in Crownsville, Maryland.
Bidder Requirements
Bidders must demonstrate a minimum market presence of five years for their proposed CAASM platform and provide references from three State, Local, or Education (SLED) customers who have utilized their platform for at least twelve months within the past five years. Additionally, bidders must comply with insurance requirements including Commercial General Liability and Workers' Compensation coverage.
Loading Map
Loading Map
Overview
Opportunity Type
IFB: Invitation for Bid (w/ Min Quals)
Opportunity ID
BPM056393
Version
1
Response Deadline
May 26, 2026
Due in 2 Days
Date Posted
May 14, 2026
Source
Q&A Deadline
Questions must be submitted in writing via e-mail to the Procurement Officer with the subject line, “Question for Cyber Asset Attack Surface Management # BPM056393.”
Set Aside Preferences
Minority Owned
Est. Value Range
Experimental
$250,000 - $1,500,000
(AI estimate)
Agency Distribution
High
On 5/14/26 DoIT - Dept Of Information Technology - Administration in Maryland issued IFB: Invitation for Bid (w/ Min Quals) Cyber Asset Attack Surface Management with ID BPM056393 due 5/26/26.
Contacts
Documents
Posted documents for Cyber Asset Attack Surface Management
Opportunity Assistant
AI Analysis
AI Generate
Classifications
Opportunity Classification
Cloud-based protection or security software
Additional Details
Additional Instructions
Bidders must submitted the Requirements Complicance Checklist (RCC) with the Price Proposal form and other required documents. Bidders failing to satisfy the Minimum Qualifications and submitting the required documents will be deemed not responsible and not susceptible for award and their bids will not be evaluated.
Bidders shall furnish any and all agreements and terms and conditions the Master Contractor expects the State to sign or to be subject to in connection with or in order to use the services under this Contract. This includes physical copies of all agreements referenced and incorporated in primary documents, including but not limited to any software licensing agreement for any software proposed to be licensed to the State under this Contract (e.g., EULA, Enterprise License Agreements, Professional Service agreement, Master Agreement) and any Acceptable Use Policy (AUP). The State does not agree to terms and conditions not provided in a Bidder’s Technical Proposal or submitted with Financial Proposal and no action of the State, including but not limited to the use of any such software, shall be deemed to constitute acceptance of any such terms and conditions. Failure to comply with this section renders any such agreement unenforceable against the State.
Questions Due (Closing) Date and Time: 05/08/2026 at 10:00 AM EST. Questions must be submitted in writing with the subject line, “Question for Cyber Asset Attack Surface Management # BPM056393” and be submitted in writing via e-mail to the Procurement Officer no later than the date and time specified.
Lot #
1
Round #
3