This week's signal
A June 22 executive order set the first hard deadline for federal contractors to adopt post-quantum cryptography — December 31, 2030 — turning "quantum-safe" from a policy discussion into a coming procurement requirement.
Top 3 opportunities
1. Dept. of Defense — Support for the Industrial Wastewater Treatment Plant
Combined Synopsis/Solicitation (biddable now) · Response due July 26, 2026 · Total Small Business Set-Aside · NAICS 541512
IT and control-system support for an industrial wastewater treatment plant — operational-technology work in exactly the OT-security niche federal guidance keeps emphasizing. Small-business set-aside with real runway.
2. Dept. of Veterans Affairs — VISN 21 Patient Elopement & Wandering Prevention
Combined Synopsis/Solicitation (biddable now) · Response due July 13, 2026 · SDVOSB Set-Aside · NAICS 541519
A real-time location / patient-safety system deployment across VA's VISN 21. SDVOSB set-aside, biddable now — suited to firms with RTLS, IoT, or healthcare-systems integration experience.
3. Dept. of State — Online Presence Vetting (OPV)
Sources Sought · Response due July 10, 2026 · Full & open · NAICS 541519
Market research for online-presence vetting — OSINT and social-media analysis in support of security screening. A distinctive cyber-adjacent requirement; respond to the RFI to shape the eventual solicitation.
Compliance flash
CISA added to its zero-trust playbook this week, publishing guidance to help civilian agencies move off the legacy Trusted Internet Connections (TIC) 2.0 model to TIC 3.0 and adopt Secure Access Service Edge (SASE) architectures. What this means for you: if you sell networking, identity, or security services to civilian agencies, zero-trust modernization — SASE specifically — is where the civilian buying is heading. Firms that can map a customer's path off perimeter-based security and onto TIC 3.0 flexibilities will find a receptive audience.
Full weekly pipeline
Values are shown where published. Most federal RFIs, sources-sought, and presolicitation notices carry no stated dollar figure — act on set-aside, notice type, and deadline.
1. DoD — Support for the Industrial Wastewater Treatment Plant
Combined Synopsis/Solicitation · Due 07/26/2026 · Total Small Business Set-Aside · NAICS 541512
Bid/No-Bid: Realistic for SB firms with OT/ICS or facility-controls experience. Biddable now, strong runway.
2. GAO — Class B and RPKI
Solicitation · Due 07/24/2026 · Full & open · NAICS 518210
Bid/No-Bid: Routing-security work (Resource Public Key Infrastructure) — directly relevant as federal procurement leans into cryptographic security. Realistic for firms with BGP/network-security depth.
3. VA — VISN 21 Patient Elopement & Wandering Prevention
Combined Synopsis/Solicitation · Due 07/13/2026 · SDVOSB · NAICS 541519
Bid/No-Bid: Realistic for SDVOSB firms with RTLS/IoT or healthcare-integration past performance. Biddable now.
4. Dept. of the Interior — ESC Science & Technical Support Services
Solicitation · Due 07/17/2026 · SDVOSB · NAICS 541512
Bid/No-Bid: Realistic for SDVOSB firms with scientific/technical IT support experience. Biddable, good runway.
5. HHS — OIT Clinical Data Mart Operations & Maintenance (CDM)
Sources Sought · Due 07/13/2026 · 8(a) Competed · NAICS 541511
Bid/No-Bid: Realistic for 8(a) firms with data-warehouse / O&M past performance.
6. HHS — Web-EHRS 2027-2032
Sources Sought · Due 07/27/2026 · Full & open · NAICS 541511
Bid/No-Bid: Electronic health record recompete (see Recompete alert). Large; teaming play for most small firms — but engage the sources-sought notice now.
7. VA — DA01 Enterprise Resource Planning (ERP) System Integrator
Sources Sought · Due 07/13/2026 · Full & open · NAICS 541519
Bid/No-Bid: ERP systems integration at scale. Realistic for firms with federal ERP/SI experience; respond to shape scope.
8. Dept. of Transportation — SIR: Strategic Sourcing (SAVES)
Solicitation · Due 07/21/2026 · Partial Small Business Set-Aside · NAICS 541519
Bid/No-Bid: Strategic-sourcing vehicle; the partial set-aside carves out a small-business lane. Track closely.
9. HHS (Interior/IHS) — FBSU Claim Management / Revenue Cycle Management
Combined Synopsis/Solicitation · Due 07/06/2026 · ISBEE Set-Aside · NAICS 518210
Bid/No-Bid: Realistic only for Indian Small Business Economic Enterprise (ISBEE)-eligible firms with health revenue-cycle experience.
10. DoD — RFI: Joint Staff GFM Decision-Ready Data Products (Gold Tables)
Sources Sought · Due 07/15/2026 · Full & open · NAICS 518210
Bid/No-Bid: Data-engineering / analytics for force-management data. Realistic for firms with data-products or data-mesh experience.
11. American Battle Monuments Commission — Digital Asset Management System
Sources Sought · Due 07/10/2026 · Full & open · NAICS 518210
Bid/No-Bid: DAM platform for WeRemember.ABMC.gov. Realistic for small firms with content/asset-management experience.
12. HUD — National Standards for the Physical Inspection of Real Estate (software)
Sources Sought · Due 07/10/2026 · Full & open · NAICS 541511
Bid/No-Bid: Inspection-software development. Realistic for firms with custom application-development past performance.
13. VA — Staffing Software Subscription (Brand Name or Equal)
Combined Synopsis/Solicitation · Due 07/16/2026 · Total Small Business Set-Aside · NAICS 541519
Bid/No-Bid: "Brand Name or Equal" — winnable for authorized resellers or credible-equivalent providers. SB set-aside.
14. VA — SteriDate Kiosk System
Combined Synopsis/Solicitation · Due 07/17/2026 · Total Small Business Set-Aside · NAICS 541519
Bid/No-Bid: Kiosk hardware + software; SB set-aside. Realistic for healthcare-IT integrators.
15. State Dept — Online Presence Vetting (OPV)
Sources Sought · Due 07/10/2026 · Full & open · NAICS 541519
Bid/No-Bid: OSINT / social-media vetting for screening. Realistic for firms with OSINT or threat-analysis capability.
Recompete alert
DHS/CISA — State & Local Cybersecurity Grant Program Support. Incumbent PADRON LLC; 8(a); completion ~09/30/2026 — now roughly 90 days out and the most time-sensitive recompete we track. 8(a) cyber firms should be moving. (Forecast record F2025069027; confirm live status.)
HHS — Web-EHRS (2027-2032). The 2027–2032 period of performance on this sources-sought signals a recompete of an existing electronic-health-record contract. Identify the incumbent and engage now, before it converts to a solicitation.
Agency intelligence
DoD and VA again account for roughly two-thirds of this week's small-business IT volume, and within VA the standout pattern is procurement style: a wave of "Brand Name or Equal" solicitations — staffing software, inventory systems, recording servers, kiosks, building-management platforms. That phrasing is an opening. It means VA has a specific commercial product in mind but must, by law, consider equivalents — so authorized resellers and integrators of those exact products (or credible equivalents) have a clear lane. If you hold reseller authority or integration experience with a named product, a "Brand Name or Equal" notice is often the most winnable kind of VA work for a small firm. The broader signal remains health-IT modernization: clinical data marts, EHR recompetes, ERP integration, and patient-safety systems all appear in this week's pipeline.
Deep dive — Post-quantum cryptography just became a procurement deadline
For three years, "quantum-safe" was a problem for the horizon. On June 22, that horizon acquired a date. President Trump signed Executive Order 14412, "Securing the Nation Against Advanced Cryptographic Attacks," and the line that matters for this newsletter's readers is this: the FAR Council has 180 days to publish a proposed rule requiring covered contractors to comply with NIST's post-quantum FIPS by December 31, 2030. A second rule, due within 270 days, will require contractors to run vulnerability disclosure programs that explicitly cover cryptographic weaknesses. The order arrives as Congress was already moving to accelerate PQC — momentum we flagged last week — but an executive order carrying FAR deadlines is a different order of seriousness than a bill in committee.
Why it bites now, four years out: the threat model is "harvest now, decrypt later" — adversaries collecting encrypted data today to crack once quantum computers mature. Waiting until 2029 to begin is waiting too long.
In practice: CISA has already split products into "widely available" PQC categories (cloud, browsers, endpoint encryption — procure only PQC-capable) and "transitioning" ones (routers, firewalls, HSMs, certificate systems). Expect a cryptographic bill of materials (CBOM) requirement to follow, forcing vendors to document where and how they use cryptography.
The move for a small firm: build a cryptographic inventory now — know every place RSA or elliptic-curve crypto lives in your products and services. Favor crypto-agile designs in which you can swap algorithms. And start drafting the vulnerability-disclosure policy you'll need regardless. The contractors who can answer "where is your cryptography?" when the FAR rule lands will be the ones still eligible to bid.
Federal Cyber Brief is an independent publication providing general information for educational purposes. It is not legal, financial, or procurement advice. Verify all opportunities and deadlines directly on SAM.gov before acting.
