This week's signal

DoD is expected to publish an interim final rule this month setting the deadline to move CMMC assessments from NIST 800-171 Rev 2 to Rev 3 — and interim final rules take effect the day they publish.

Top 3 opportunities

1. U.S. Air Force — 16WS Cloud Platform BPA

Combined Synopsis/Solicitation (biddable now) · Response due July 20, 2026 · Total Small Business Set-Aside · NAICS 518210

A blanket purchase agreement for cloud platform services out of the 16th Weather Squadron. A multi-year cloud vehicle set aside for small business is the kind of anchor a firm builds a practice around — not a one-off quote.

2. U.S. Air Force — SIPR Thin Client & Network Infrastructure (Goodfellow AFB)

Solicitation (biddable now) · Response due July 23, 2026 · HUBZone Set-Aside · NAICS 541519

Classified-network (SIPR) thin-client and infrastructure buildout at Goodfellow. A HUBZone set-aside on classified infrastructure is rare air — if you're HUBZone-certified with cleared staff, this is a lane with almost no traffic.

3. Dept. of Defense — Project Pioneer

Presolicitation · Response due July 23, 2026 · Total Small Business Set-Aside · NAICS 518210

A named data/hosting program in the pre-solicitation window, set aside for small business. The name tells you little by design; the RFI response is how you learn what it is before the RFP writes the incumbent's strengths into the requirements.

Compliance flash

Read this week's Rev 3 signal against the FAR CUI rule from Issue #4 and the shape becomes clear: the civilian side already proposed Rev 3, and now DoD is moving CMMC the same way. The two tracks are converging on one standard — but not on the same clock, and not yet. What this means for you: if you're pursuing CMMC Level 2, keep assessing against Rev 2; that's still the standard your C3PAO will use. But start your Rev 3 crosswalk now — document your organization-defined parameters, stand up thin Planning and Supply Chain Risk Management artifacts — so the eventual transition is a mapping exercise, not a rebuild.

Full weekly pipeline

Values are shown where published. Most federal RFIs, sources-sought, and presolicitation notices carry no stated dollar figure — act on set-aside, notice type, and deadline. The Q4 clock is still running: most notices below close within two weeks.

1. U.S. Air Force — 16WS Cloud Platform BPA

Combined Synopsis/Solicitation · Due 07/20/2026 · Total Small Business Set-Aside · NAICS 518210 · View on SAM.gov →

Bid/No-Bid: Realistic for SB cloud/managed-services firms. A BPA is a multi-year relationship — worth real proposal effort.

2. U.S. Air Force — SIPR Thin Client & Network Infrastructure (Goodfellow AFB)

Solicitation · Due 07/23/2026 · HUBZone Set-Aside · NAICS 541519 · View on SAM.gov →

Bid/No-Bid: Realistic only for HUBZone firms with cleared staff and classified-network experience. Low competition if you qualify.

3. DoD — Project Pioneer

Presolicitation · Due 07/23/2026 · Total Small Business Set-Aside · NAICS 518210 · View on SAM.gov →

Bid/No-Bid: Realistic for SB data/hosting firms. Engage at the RFI to shape scope before the solicitation.

4. DoD — Persistent Cyber Training Environment (PCTE) Cyber Range Development

Sources Sought · Due 07/21/2026 · No set-aside · NAICS 541519 · View on SAM.gov →

Bid/No-Bid: The week's most on-brand cyber buy. Realistic for firms with cyber-range, simulation, or training-environment experience.

5. DoD (NSWC Carderock) — Common Access Card (CAC) Office Support Services

Sources Sought · Due 07/22/2026 · 8(a) Competed · NAICS 518210 · View on SAM.gov →

Bid/No-Bid: Identity/credentialing support (CAC/PKI-adjacent). Realistic for 8(a) firms with ICAM or badging-office experience.

6. DoD — RegScale or Equal (SDN & SDN-S)

Sources Sought · Due 07/23/2026 · Full & open · NAICS 541511 · View on SAM.gov →

Bid/No-Bid: Compliance-automation / GRC tooling on classified networks. "Or Equal" opens the door beyond the named product for firms with a comparable platform.

7. HHS — Digital Accessibility Program Services (Section 508)

Sources Sought · Due 07/20/2026 · Total Small Business Set-Aside · NAICS 541511 · View on SAM.gov →

Bid/No-Bid: Section 508 accessibility is a durable niche. Realistic for SB firms with 508 audit/remediation past performance.

8. Interior — Recreation Permitting & Transaction System

Solicitation (biddable now) · Due 07/20/2026 · Total Small Business Set-Aside · NAICS 541511 · View on SAM.gov →

Bid/No-Bid: Public-facing transaction platform, SB set-aside, open now. Realistic for small dev shops with citizen-services experience.

9. DoD — UiPath

Combined Synopsis/Solicitation · ⚠️ Due 07/17/2026 — closes Friday · Full & open · NAICS 518210 · View on SAM.gov →

Bid/No-Bid: RPA licensing/support. Quick-quote territory for authorized UiPath partners this week.

10. DoD — PTC Kepware Subscription Software

Combined Synopsis/Solicitation · Due 07/20/2026 · Total Small Business Set-Aside · NAICS 541519 · View on SAM.gov →

Bid/No-Bid: Industrial/OT connectivity software, SB set-aside. Straightforward for resellers with the SKU.

11. State Dept — Mexican Criminal Courts Telepresence

Solicitation · Due 07/24/2026 · Total Small Business Set-Aside · NAICS 541519 · View on SAM.gov →

Bid/No-Bid: AV/telepresence integration overseas, SB set-aside. Realistic for firms able to deploy and support abroad.

12. HHS/IHS — Cisco Network Hardware and Software (Buy Indian)

Combined Synopsis/Solicitation · Due 07/22/2026 · Buy Indian Act Set-Aside (Indian Economic Enterprise) · NAICS 541519 · View on SAM.gov →

Bid/No-Bid: Realistic only for Indian Economic Enterprise-eligible Cisco resellers.

13. Interior — Loan Management System Development

Combined Synopsis/Solicitation · Due 07/30/2026 · Full & open · NAICS 518210 · View on SAM.gov →

Bid/No-Bid: Custom financial-system development. Realistic for firms with loan/financial-platform experience.

14. VA — Digital Pathology System Expansion (RFI)

Sources Sought · Due 07/17/2026 · No set-aside · NAICS 541519 · View on SAM.gov →

Bid/No-Bid: Health-imaging IT with recurring VA demand. Respond to the RFI to position for the eventual buy.

15. DoD (DARPA) — Program Security Services

Sources Sought · Due 07/24/2026 · Full & open · NAICS 541690 · View on SAM.gov →

Bid/No-Bid: Program-security / OPSEC support for DARPA. Realistic for firms with cleared security-program staff.

Recompete alert

DHS/CISA — State & Local Cybersecurity Grant Program Support. Incumbent PADRON LLC; 8(a); completion ~09/30/2026 — now inside 80 days. For an 8(a) cyber firm this is the final stretch to have a capture story ready. (Forecast record F2025069027; confirm live status.)

DoD (Army, MICC Fort Sam Houston) — Enterprise IT Support. The sources-sought is live again, responses due 07/16/2026. A recurring installation-IT requirement worth tracking toward its eventual RFP.

Agency intelligence

The Q4 pace held into week two: across our seven NAICS codes, DoD (49 biddable notices) and VA (26) again drove roughly two-thirds of volume, and the short-clock pattern continues — most notices close within two weeks of posting. Two currents are worth naming. First, classified-infrastructure work is showing up in the small-business channel this week — a HUBZone SIPR buildout, DARPA program security, a CAC support 8(a) — which rewards firms that carry clearances and can say so credibly in a capability statement. Second, the "brand name or equal" pattern is now spread beyond VA into DoD and IHS: UiPath, Kepware, RegScale, Cisco, Amion. The read is unchanged from last week but broader — if you resell or integrate a named platform, an "or equal" notice is often your highest-probability win, and Q4 is when they cluster. Have the SKU, the authorization letter, and the quote template ready before the notice posts.

Deep dive — Rev 3 is coming to CMMC, and the clock is now visible

Two weeks ago, the FAR CUI proposed rule put NIST SP 800-171 Revision 3 onto the civilian side of federal contracting. This week, the other shoe started to drop. The federal government's Unified Agenda — the semiannual list of what regulations agencies plan to issue — shows DoD moving this month on an interim final rule that sets the deadline for shifting CMMC assessments from Rev 2 to Rev 3. The mechanism matters: an interim final rule takes effect on publication, without the usual wait for comments to be processed first. The transition won't be instant, but the starting gun is closer than most contractors assume.

Here's what actually changes. Rev 3, published by NIST in May 2024, restructures the standard small firms have spent two years implementing. It trims the raw control count from 110 to 97, but that's misleading — assessment complexity rises, with roughly a third more determination statements to satisfy. It adds three new control families: Planning, System and Services Acquisition, and Supply Chain Risk Management. And it introduces organization-defined parameters — values you set yourself, like password length, session timeout, and audit-log retention — which you'll be expected to document rather than leave implied.

The practical guidance is the same we'd give on any converging-standard problem: don't throw out your Rev 2 work, because Rev 2 is still what your C3PAO assesses against today, and a Level 2 certification earned now stays valid for three years. Use the runway. Document your organization-defined parameter values even though Rev 2 doesn't require it. Stand up thin Planning and Supply Chain Risk Management artifacts so those families aren't a standing start when they become mandatory. Cross-reference your System Security Plan against the 800-53 moderate baseline, which Rev 3 leans on more heavily. Do that, and the day the interim final rule lands, your transition is a mapping exercise instead of a rebuild — and you'll be bidding while competitors are still reading the Federal Register.

(Verify every opportunity and deadline directly on SAM.gov before acting.)

Sources

Know a small firm drowning in SAM.gov? Forward this brief.
federalcyberbrief.com

Federal Cyber Brief is an independent publication providing general information for educational purposes. It is not legal, financial, or procurement advice. Verify all opportunities and deadlines directly on SAM.gov before acting.

If you're building capture strategy, not just tracking
opportunities:

The TallyPoint Brief

The TallyPoint Brief

Data-driven capture architecture and intelligence for GovCon founders and small businesses.

Keep Reading