This week's signal
Congress is moving to soften CMMC's sharpest edge for small firms: the Senate's FY2027 defense bill, text released this week, would create a federal grant program to cover small and nontraditional contractors' CMMC compliance costs.
Top 3 opportunities
1. U.S. Air Force (AFLCMC, Cyber & Networks) — COMSEC Managerial Security Support Services
Solicitation (biddable now) · Response due June 29, 2026 · Total Small Business Set-Aside · NAICS 541513
Communications-security (COMSEC) management support for the Air Force's cyber and networks directorate. A cyber-core requirement, set aside for small business, open now — strong fit for firms with COMSEC or information-assurance past performance.
2. U.S. Marine Corps (MCIEAST) — VTSCADA with Support Plus
Solicitation (biddable now) · ⚠️ Response due June 26, 2026 — THIS WEEK · Total Small Business Set-Aside · NAICS 541513
A SCADA/operational-technology platform acquisition with support at Marine Corps Installations East. OT security is a low-competition niche; small-business set-aside, biddable today.
3. Dept. of Defense — Persistent Cyber Training Environment (PCTE) Cyber Range Development (RFI)
Sources Sought · Response due July 14, 2026 · Full & open · NAICS 541519
Market research for software to build a simulated-internet cyber range for training events under PCTE. As on-brand as cyber work gets — respond to the RFI to position for the eventual development effort.
Compliance flash
The next cryptographic mandate is now on the legislative clock. The same Senate defense bill sets a deadline for federal systems to adopt post-quantum cryptography (PQC) for digital signatures — a runway that, while multi-year, signals where requirements are heading; keys generated by NSA for classified systems are exempted. What this means for you: if you build or maintain anything touching encryption, PKI, or identity, start tracking NIST's PQC standards now. PQC-readiness will move from differentiator to expectation, and the vendors who can speak to a migration path will be ahead when it lands in solicitations.
Full weekly pipeline
Values are shown where published. Most federal RFIs, sources-sought, and presolicitation notices carry no stated dollar figure — act on set-aside, notice type, and deadline.
1. U.S. Air Force — COMSEC Managerial Security Support Services
Bid/No-Bid: Realistic for SB firms with COMSEC/IA past performance. Cyber-core, biddable now.
2. DoD — Persistent Cyber Training Environment (PCTE) Cyber Range Development
Bid/No-Bid: Realistic for firms with cyber-range, simulation, or training-environment experience. Good runway.
3. USMC — VTSCADA with Support Plus
Solicitation · Due 06/26/2026 — this week · Total Small Business Set-Aside · NAICS 541513
Bid/No-Bid: Realistic for SDVOSB/SB firms with OT/ICS/SCADA experience. Biddable now.
4. DoD — Data Protection and Recovery Services
Bid/No-Bid: Cyber-resilience / backup & recovery. Realistic for firms with data-protection or DR past performance.
5. HHS / CDC — Managed Service Provider (MSP) 2.0
Bid/No-Bid: Enterprise MSP recompete (see Recompete alert). Teaming play for most small firms; respond to the SS to get on the radar.
6. FDIC — Acquisition System Next Generation (AS-NG)
Bid/No-Bid: Major system modernization; biddable now. Realistic for firms with acquisition-system or enterprise-software experience.
7. U.S. Army (MICC Ft Sam Houston) — Enterprise IT Support
Bid/No-Bid: Strong fit for SB IT-services firms. Good runway; shape it at the SS stage.
8. DoD — Services for Technology Engineering & Knowledge Management
Bid/No-Bid: Realistic for SB firms with engineering-support or KM past performance.
9. HHS / Indian Health Service — Enterprise IT Service Management (ITSM)
Sources Sought · Due 06/30/2026 · Buy Indian Act Set-Aside (Indian Economic Enterprise) · NAICS 541512
Bid/No-Bid: Realistic only for Indian Economic Enterprise (IEE)-eligible firms (see Agency intelligence). ITSM/ServiceNow experience is the differentiator.
10. HHS — Sage 300 Technical Services
Presolicitation · Due 07/01/2026 · Total Small Business Set-Aside · NAICS 541511
Bid/No-Bid: Realistic for SB firms with Sage 300 / ERP-accounting experience. RFP coming.
11. VA — MyPath Tools Software Maintenance & Support
Bid/No-Bid: Realistic for SDVOSB software-maintenance firms. Biddable, good runway.
12. Dept. of State — Mexican Criminal Courts Telepresence
Bid/No-Bid: AV/telepresence integration overseas; SB set-aside, biddable. Realistic for firms able to deploy/support abroad.
13. Dept. of State — Next Generation Passport Personalization Printers
Bid/No-Bid: Identity/credentialing hardware + integration. Likely OEM-led; teaming play for most small firms.
14. U.S. Trade & Development Agency — Indo-Pacific Digital Infrastructure Project Scoping Services
Combined Synopsis/Solicitation · Due 07/22/2026 · Total Small Business Set-Aside · NAICS 541690
Bid/No-Bid: Realistic for SB firms with digital-infrastructure or ICT advisory experience. Niche, low-competition, good runway.
15. DoD — PM LOG-FIN: Ammunition, Logistics, Finance & Personnel Modernization
Bid/No-Bid: Large modernization "call for solutions"; teaming play for most small firms. Track and partner.
Recompete alert
DHS/CISA — State & Local Cybersecurity Grant Program Support. Incumbent PADRON LLC; 8(a); completion forecast ~09/30/2026 — now roughly 100 days out, squarely inside the positioning window. If you're an 8(a) cyber firm, this is the one to move on now. (Forecast record F2025069027; confirm live status.)
HHS/CDC — Managed Service Provider (MSP) 2.0. The "2.0" signals a follow-on to CDC's existing managed-services contract. Identify the incumbent now and shape the requirement through the open sources-sought (due 07/02) before it converts to an RFP.
Agency intelligence
DoD and VA again drive roughly two-thirds of this week's small-business IT/cyber volume, but the notable secondary story is the State Department. State posted an unusually broad IT slate this week — next-generation passport personalization printers, courtroom telepresence in Mexico, a timekeeping COTS solution, a dermatology reference tool, and (via the U.S. Trade & Development Agency) Indo-Pacific digital-infrastructure scoping. The throughline is foreign-affairs IT and identity/credentialing modernization, a lane that rewards firms comfortable with overseas deployment and integration. Worth flagging separately: the Indian Health Service continues as a steady IT buyer using the Buy Indian Act Set-Aside (Indian Economic Enterprise), with ITSM, ServiceNow, and more this week. If your firm qualifies as an Indian Economic Enterprise (IEE), IHS is an accessible and recurring source of IT work that larger competitors often overlook.
Deep dive — CMMC's cost problem, and the relief Congress is now proposing
The single biggest threat CMMC poses to this newsletter's readers isn't technical — it's financial. DoD's own 2024 rule pegged Level 2 certification for a small business at just over $101,000, and that figure excludes the cost of actually building the cybersecurity program behind it. Analysts have warned the cumulative burden could drive a 15–20% contraction in the defense industrial base, as smaller specialists either exit or get absorbed. For firms that make up roughly 70% of the defense supply chain, that's existential.
This week, Congress acknowledged the problem directly. The Senate Armed Services Committee's FY2027 defense authorization bill — text released June 16 — includes a CMMC grant program to help small and nontraditional contractors cover compliance costs. The numbers matter: grants would be capped at $100,000 per firm, total program funding at $50 million, and the money can only be used to offset direct costs of a CMMC Level 2 third-party assessment — not readiness work or consulting. The program would prioritize organizations that have not previously held a DoD contract or subcontract. The House Armed Services Committee has advanced its own FY2027 NDAA with parallel CMMC relief provisions; differences between the two chambers will be resolved in conference before anything becomes law.
Three things to take from this. First, the relief is real but distant and uncertain: it's not law yet, it must survive conference, and even on the optimistic schedule it arrives July 1, 2027. Second, the grant covers assessment costs only — not the months of remediation work that typically precede a C3PAO visit, which is where most small firms actually spend the money. Third, and most important, none of this changes your near-term timeline. DoD's Level 2 third-party assessment requirements begin phasing into solicitations from November 10, 2026 — well before any grant exists.
The read: treat the grant as a tailwind that may help you recover assessment costs later, not as a reason to wait. The firms that certify ahead of the deadline will be bidding while competitors are still scheduling assessments. A future subsidy is no reason to delay scoping your environment, running a NIST 800-171 gap assessment, and booking a C3PAO while slots are available.
(Verify every opportunity and deadline directly on SAM.gov before acting.)
federalcyberbrief.com
Federal Cyber Brief is an independent publication providing general information for educational purposes. It is not legal, financial, or procurement advice. Verify all opportunities and deadlines directly on SAM.gov before acting.