FEDERAL CYBER BRIEF
Issue #1 — June 16, 2026
Cleared to Bid
This week's signal
AI is now both the hottest buy and the next compliance frontier: three agencies posted AI-governance or AI-services opportunities this week, even as DoD's deadline to hand Congress its plan for an AI security framework (NDAA Section 1513) lands today.
Top 3 opportunities (Free)
1. Dept. of Veterans Affairs — Zero Trust Encryption (RFI)
Sources Sought · Due June 23, 2026 · SDVOSB Set-Aside · NAICS 541519
VA is researching zero-trust encryption capabilities. A cyber-core requirement set aside for SDVOSB firms — respond to position for the eventual solicitation.
2. Selective Service System — Website Modernization
Solicitation (biddable now) · Due June 30, 2026 · Total Small Business Set-Aside · NAICS 541519
An open solicitation to modernize the agency's public website. Clean set-aside, real runway, biddable today — strong fit for web/app modernization shops.
3. Dept. of Defense — Wireless Network Deployment at SOCNORTH
Combined Synopsis/Solicitation (biddable now) · Due June 30, 2026 · Total Small Business Set-Aside · NAICS 541512
A live solicitation to deploy wireless network infrastructure for U.S. Special Operations Command North. Set aside for small business — suited to network engineering and integration firms able to work in a secure environment.
Compliance flash
CMMC is now live, not looming. Phase 1 began November 10, 2025 and runs through November 9, 2026; from November 10, 2026, contractors must hold the required certification to be eligible for new awards. Level 2 (the tier for most CUI) requires the 110 NIST SP 800-171 controls and, depending on the contract, either a self-assessment or an independent C3PAO assessment. What this means for you: there is a documented shortage on both the assessor side and the readiness/IT-support side — firms waiting until fall will be competing for scarce assessment slots against a deadline. If certification is on your roadmap, book now.
Full weekly pipeline
Values are shown where published. Most federal RFIs, sources-sought, and presolicitation notices carry no stated dollar figure — act on set-aside, notice type, and deadline.
1. VA — Zero Trust Encryption (RFI)
Bid/No-Bid: Realistic for SDVOSB cyber firms. Cyber-core, low cost to respond, high positioning value.
2. DoD — Endpoint Security Event Management
Bid/No-Bid: Strong fit for SOC/SIEM and endpoint-detection specialists. Engage at the RFI to shape the requirement.
3. DoD — Wireless Intrusion Detection Systems (WIDS) RFI
Bid/No-Bid: Wireless-security niche; RFP coming. Realistic for firms with WIDS/WIPS past performance.
4. VA — Enterprise AI Governance, Management & Implementation Support
Bid/No-Bid: On-theme and growing. Realistic for firms with AI governance, MLOps, or data-governance experience — respond even if you'd sub on the award.
5. DoD — RFI: Artificial Intelligence & Advanced Analytics Services
Bid/No-Bid: Broad AI/analytics market research. Worth a response if AI/ML is your lane; expect a competitive eventual field.
6. VA — National Digital Telepathology / AI (NDTP-AI) RFI
Bid/No-Bid: Niche AI + medical-imaging buy. Realistic for firms with clinical-AI or imaging-pipeline past performance.
7. DoD — Enterprise Cloud Services
Bid/No-Bid: Likely a large vehicle; teaming play for most small firms. Track the solicitation and line up cloud partners now.
8. VA — Enterprise Cloud Brokerage Service
Bid/No-Bid: Cloud brokerage/management. Realistic for firms with FinOps or multi-cloud management depth.
9. DoD — Wireless Network Deployment at SOCNORTH
Combined Synopsis/Solicitation · Due 06/30/2026 · Total Small Business Set-Aside · NAICS 541512 · View on SAM.gov →
Bid/No-Bid: Realistic for SB network engineering/integration firms able to operate in a secure SOF environment. Biddable now.
10. Selective Service System — Website Modernization
Bid/No-Bid: Realistic for small web/app shops. Clean set-aside, biddable now — prioritize.
11. DoD — Video Teleconferencing Modernization
Bid/No-Bid: Realistic for SDVOSB AV/IT integrators. Open now.
12. VA — DA01 Chat Bot
Bid/No-Bid: Realistic for SDVOSB conversational-AI developers. RFP coming.
13. U.S. Coast Guard (DHS) — Power Platform Modernization, Training & SME Support
Bid/No-Bid: Realistic for SB low-code/Power Platform firms. Clean set-aside.
14. DoD — J6 Program Management Office Support Services
Bid/No-Bid: Realistic for 8(a) firms with IT PMO/support past performance. Good runway.
15. Intl. Boundary & Water Commission — SCADA Systems Maintenance
Bid/No-Bid: Realistic for SDVOSB firms with OT/ICS/SCADA-security experience — a low-competition niche.
Recompete alert
DHS/CISA — State & Local Cybersecurity Grant Program Support. Incumbent PADRON LLC; 8(a); contract completion forecast ~09/30/2026. The positioning window is open now — confirm the live solicitation status before committing proposal time. (Forecast record F2025069027.)
DHS/TSA — Governance, Risk & Compliance Support. Incumbent Zermount, on NITAAC CIO-SP3 (NAICS 541519). Watch whether the recompete stays on CIO-SP3 or migrates vehicles — that decision sets eligibility. (Forecast record F2025070558.)
Agency intelligence
Two buyers dominate the small-business IT/cyber space this week: across the NAICS we track, DoD and VA together account for roughly two-thirds of biddable opportunities, with VA alone posting 35. The pattern inside VA's volume is modernization and security — zero-trust encryption, enterprise AI governance, cloud brokerage, interoperability, telepathology AI. VA's IT shop is pushing this into the small-business channel via SDVOSB and small-business set-asides; if you lack a VA past-performance reference, this is the quarter to earn one by responding to the RFIs. Separately, SBA has launched a new audit of economically disadvantaged (8(a)) firms — worth noting if you hold or are pursuing 8(a) status, including for the J6 opportunity above.
Deep dive — CMMC for AI: the next compliance frontier is already in the NDAA
If your firm builds, deploys, or hosts AI for the government, a new compliance regime is taking shape — and its first milestone lands this week. Section 1513 of the FY2026 National Defense Authorization Act directs DoD to develop a framework governing the cybersecurity and physical security of the AI and machine-learning systems the Pentagon acquires, and to fold that framework into both the DFARS and the CMMC program. The law sets no hard implementation date, but it requires DoD to deliver Congress a plan with timelines and milestones by June 16, 2026 — today.
Read alongside this week's opportunity flow, the message is unmistakable. VA is seeking enterprise AI governance support; DoD wants AI and advanced-analytics services; agencies from Commerce to VA are buying AI-driven tools. The buying is here, and the compliance scaffolding is being built around it in parallel.
In practice: CMMC verifies that you protect controlled information; the AI framework extends that logic to the models and pipelines themselves. Expect requirements around data provenance, secure development, and human review of AI-generated artifacts — because, as security analysts put it bluntly, generated code is draft material, not compliant code. It still needs secure review and validation before it goes near a mission system, and CISA's secure-by-design posture points the same way.
The move for a small firm: if AI is your lane, start documenting now how you secure training data, model artifacts, and generated outputs. The contractors who can demonstrate that discipline before the DFARS clauses land will have the edge when they do.
(Verify every opportunity and deadline directly on SAM.gov before acting.)
Know a small firm drowning in SAM.gov? Forward this brief.
federalcyberbrief.com
Federal Cyber Brief is an independent publication providing general information for educational purposes. It is not legal, financial, or procurement advice. Verify all opportunities and deadlines directly on SAM.gov before acting.