This week's signal

The FAR Council's rewrite of civilian CUI rules is open for comment until July 23 — putting NIST 800-171 Revision 3 and 72-hour incident reporting on a path into every federal contract.

Top 3 opportunities

1. Dept. of Justice — Managed Attribution Systems (Chameleon)

Combined Synopsis/Solicitation (biddable now) · Response due July 31, 2026 · Total Small Business Set-Aside · NAICS 518210

Managed-attribution infrastructure — the systems investigators use to research online without revealing a government origin. A requirement this specialized rarely appears as an open small-business set-aside. Biddable now, real runway.

2. Dept. of the Interior — Cisco Enterprise Software and Equipment IDIQ

Combined Synopsis/Solicitation (biddable now) · Response due July 31, 2026 · Total Small Business Set-Aside · NAICS 541519

A department-wide IDIQ for Cisco software and equipment, set aside for small business. For authorized Cisco resellers and integrators this is a lane, not a lottery ticket.

3. Defense Health Agency — PEO DHMS Enterprise Software Services (ESS) Next

Presolicitation (RFI stage) · Response due July 13, 2026 · No set-aside · NAICS 541513

The follow-on enterprise software services vehicle from PEO DHMS — the office behind the military health system's digital backbone. No set-aside, so expect a teaming play; the RFI window is how small firms get on the radar before teams form.

Compliance flash

CISA is reviving the long-delayed CIRCIA rulemaking — the statute that will require critical-infrastructure entities to report significant cyber incidents within 72 hours. Read alongside the 72-hour window in the new FAR CUI clause, the direction is unmistakable: 72 hours is becoming the federal standard clock. What this means for you: build one incident-response playbook that can produce a complete report — with evidence preservation — inside 72 hours. Do it once, properly, and you're positioned for both regimes.

Updates on tracked opportunities

Three notices from prior briefs were reposted or amended this week — deadlines moved:

State Dept — Online Presence Vetting (OPV): reposted under a new notice; responses now due 07/14/2026. View on SAM.gov →

VA — ERP System Integrator: amended under a new notice; responses due 07/13/2026. View on SAM.gov →

DoD — Industrial Wastewater Treatment Plant Support: reposted; responses now due 07/27/2026. View on SAM.gov →

Full weekly pipeline

Values are shown where published. Most federal RFIs, sources-sought, and presolicitation notices carry no stated dollar figure — act on set-aside, notice type, and deadline. Note the short clocks this week: that's the fourth quarter talking.

1. DOJ — Managed Attribution Systems (Chameleon)

Combined Synopsis/Solicitation · Due 07/31/2026 · Total Small Business Set-Aside · NAICS 518210 · View on SAM.gov →

Bid/No-Bid: Realistic for SB firms with OSINT, non-attribution, or investigative-infrastructure capability. The week's most distinctive cyber buy.

2. DOI — Cisco Enterprise Software and Equipment IDIQ

Combined Synopsis/Solicitation · Due 07/31/2026 · Total Small Business Set-Aside · NAICS 541519 · View on SAM.gov →

Bid/No-Bid: Cisco authorization is the gate. If you hold it, prioritize — department-wide vehicles set aside for SB don't recur often.

3. DHA — PEO DHMS Enterprise Software Services (ESS) Next

Presolicitation · Due 07/13/2026 · No set-aside · NAICS 541513 · View on SAM.gov →

Bid/No-Bid: Teaming play. Respond to the RFI to be visible when primes assemble teams.

4. DoD (DCSA) — Audio-Visual (AV) Design Consultant RFI

Sources Sought · Due 07/20/2026 · Total Small Business Set-Aside · NAICS 541512 · View on SAM.gov →

Bid/No-Bid: Realistic for SB AV/integration firms; DCSA work often requires cleared staff — flag your clearance posture in the response.

5. VA — OR Integration System

Solicitation (biddable now) · Due 07/13/2026 · No set-aside · NAICS 541512 · View on SAM.gov →

Bid/No-Bid: Realistic for clinical-systems integrators with OR/biomed experience. Open now, six-day clock.

6. DoD — FY27 Mission Planning Support Tool (MPST)

Sources Sought · Due 07/17/2026 · Full & open · NAICS 541511 · View on SAM.gov →

Bid/No-Bid: Defense software with FY27 runway. Respond now to shape scope before the solicitation drafts.

7. State Dept — Boundaries and Sovereignty Encyclopedia (BASE)

Sources Sought · Due 07/22/2026 · Full & open · NAICS 541511 · View on SAM.gov →

Bid/No-Bid: Knowledge-platform development for geographic/sovereignty data. Realistic for small dev shops with GIS or data-platform depth.

8. DOI — Data Protection and Storage (Globus GridFTP)

Combined Synopsis/Solicitation · Due 07/20/2026 · Full & open · NAICS 541519 · View on SAM.gov →

Bid/No-Bid: Research data transfer/protection. Realistic for firms with Globus, HPC, or scientific-data experience.

9. VA — GigXR Software or Equal

Solicitation · ⚠️ Due 07/10/2026 — closes Friday · Total Small Business Set-Aside · NAICS 541519 · View on SAM.gov →

Bid/No-Bid: "Or Equal" opens the door beyond the named brand. Only if you can quote XR training software this week.

10. DoD — Enterprise Skills Assessment Platform

Solicitation · ⚠️ Due 07/10/2026 — closes Friday · Total Small Business Set-Aside · NAICS 541519 · View on SAM.gov →

Bid/No-Bid: SaaS assessment platform, SB set-aside. Quick-quote territory for firms with a ready product.

11. DoD — Ruggedized Laptops

Combined Synopsis/Solicitation · Due 07/16/2026 · Total Small Business Set-Aside · NAICS 541519 · View on SAM.gov →

Bid/No-Bid: Straightforward hardware quote for SB resellers. Q4 bread-and-butter.

12. HHS/IHS — Revenue Enhancement Services (ISBEE)

Sources Sought · Due 07/17/2026 · ISBEE Set-Aside · NAICS 518210 · View on SAM.gov →

Bid/No-Bid: Realistic only for Indian Small Business Economic Enterprise-eligible firms with health revenue-cycle experience.

13. DOI — Cloud-Based Adult Education SaaS Platform (ISBEE)

Combined Synopsis/Solicitation · Due 07/30/2026 · ISBEE Set-Aside · NAICS 541519 · View on SAM.gov →

Bid/No-Bid: ISBEE-eligible SaaS/education-tech firms. Biddable, good runway.

14. NRC — Maintenance of NRC Codes V

Presolicitation · Due 08/03/2026 · Full & open · NAICS 541690 · View on SAM.gov →

Bid/No-Bid: Scientific-code maintenance for the nuclear regulator. Niche, technical, longest runway in this week's list.

15. DHS/USCG — Enterprise Geospatial Support Services (Office of Shore Forces)

Sources Sought · ⚠️ Due 07/09/2026 — closes Thursday · Total Small Business Set-Aside · NAICS 541511 · View on SAM.gov →

Bid/No-Bid: A capability statement by Thursday keeps you in this one. Only worth it if geospatial is already your lane.

Recompete alert

DHS/CISA — State & Local Cybersecurity Grant Program Support. Incumbent PADRON LLC; 8(a); completion ~09/30/2026 — roughly 85 days out. If you're an 8(a) cyber firm and haven't started capture, this is the last comfortable window. (Forecast record F2025069027; confirm live status.)

HHS — Web-EHRS (2027–2032). The sources-sought we flagged last week remains open, responses due 07/27/2026. Identify the incumbent and respond before it converts to an RFP.

Agency intelligence

The federal fourth quarter opened July 1, and this week's data already runs on Q4 time: more than 80% of the biddable notices in our seven NAICS codes close within three weeks of posting — quick-turn quotes, compressed RFIs, brand-name-or-equal buys. DoD (34 notices) and VA (22) again account for roughly two-thirds of volume. Inside VA, the Brand Name or Equal pattern we flagged last week continues — XR training software, inventory management, patient-monitoring systems — which remains the most winnable VA lane for resellers and integrators who can quote fast. The Buy Indian Act channel also stays active: three ISBEE set-asides this week across IHS and Interior. Practical Q4 read: speed beats polish for the next twelve weeks. Have your capability statement, reps and certs, and quote templates ready before the notice drops, because response windows this quarter won't wait for you to build them.

Deep dive — The FAR CUI rule is back, and this time it has a deadline

For fifteen years, civilian agencies handled Controlled Unclassified Information through an inconsistent patchwork while DoD built DFARS 7012 and CMMC. On June 23, the FAR Council moved to end that era: as part of the Revolutionary FAR Overhaul's first formal rulemaking package, it re-issued the FAR CUI rule as a proposed regulation — reorganized, revised in response to industry comments, and open for public comment until July 23 (FAR Case 2026-001).

Three changes matter most for a small contractor. First, the architecture: CUI requirements now live in a consolidated FAR Part 40 alongside Section 889 and supply-chain exclusions — one home for security obligations, communicated through a new standard form (SF XXX) that contracting officers must complete for every solicitation, telling you exactly what CUI is in play. You safeguard what's identified, and you report what looks mismarked. Second, the reporting clock: the widely criticized 8-hour incident-reporting window from the January 2025 draft is now 72 hours, harmonized with other federal cyber regimes, with evidence preserved for at least 90 days. Third, and least noticed: the technical baseline is NIST SP 800-171 Revision 3 — a step ahead of the Revision 2 that DFARS and CMMC still assess against. Firms working in both civilian and defense markets will be running one environment against two revisions of the same standard, and the delta is real work: new controls, revised assessment objectives, re-documentation.

What to do now: map where CUI could enter your systems on civilian contracts; run a Rev 3 delta check against your existing 800-171 posture rather than assuming CMMC work covers it; rebuild your incident-response playbook around a documented 72-hour capability; and if the compliance burden looks disproportionate for a firm your size, say so on the record — comments citing FAR Case 2026-001 are due July 23, and small-business operational impact is precisely what the Council asked about.

(Verify every opportunity and deadline directly on SAM.gov before acting.)

Know a small firm drowning in SAM.gov? Forward this brief.
federalcyberbrief.com

Federal Cyber Brief is an independent publication providing general information for educational purposes. It is not legal, financial, or procurement advice. Verify all opportunities and deadlines directly on SAM.gov before acting.

Sources

Keep Reading