Access Control System in Defense Health Agency (DHA) Facilities
Overview
Buyer
Place of Performance
NAICS
PSC
Set Aside
Original Source
Timeline
Qualification Details
Fit reasons
- NAICS alignment with historical contract wins in similar service areas.
- Scope strongly matches core technical capabilities and delivery model.
Risks
- Past performance thresholds may require one additional teaming partner.
- Potential clarification needed on staffing minimums before bid/no-bid.
Next steps
Validate eligibility requirements, assign capture owner, and schedule partner outreach to confirm teaming strategy before submission planning.
Quick Summary
The Defense Information Systems Agency (DISA), under the Department of Defense, has issued a Sources Sought / Request for Information (RFI) to gather market research and planning information for Access Control Systems (ACS) in Defense Health Agency (DHA) facilities. The DHA aims to establish an enterprise standard for evaluating and integrating these systems, ensuring compliance with DoD cybersecurity, interoperability, and sustainment requirements. This RFI is for market research only and does not constitute a solicitation. Responses are due May 29, 2026, by 5:00 PM ET.
Requested Information
Respondents are requested to provide detailed information on:
- System Design & Security: Standards for ACS design, core functions, deployment modes, secure architecture for medical facilities, and integration with Enterprise Security Systems (ESS).
- RMF & Interoperability: Support for Risk Management Framework (RMF) authorization, communication interfaces (Ethernet, RS-485, wireless), operation on DHA Medical-Community of Interest (Med-COI) or other DoD networks, and system interdependencies.
- Authentication & Authorization: System-level and user authentication methods (including PIV/CAC, multi-factor authentication), zero-trust principles, and auditing capabilities.
- Data Handling & Security: Types of data processed/stored (including PII/ePHI), encryption standards, and compliance with Federal Information Processing Standards (FIPS) such as FIPS 140-3, FIPS 197, FIPS 199, and FIPS 200.
- Maintenance & Vulnerability Management: Patching processes, vulnerability management, support for credentialed scans, and remote access capabilities (including DHA's approved B2B VPN).
- Operational Technology (OT) Security: Support for OT network segmentation, secure OT protocols, OT-specific patch management, and incident response.
- Supply Chain Risk Management: Compliance with DFARS clauses (e.g., Buy American), country of origin for components, and information on third-party vendor components.
Submission Guidelines & Timeline
- Opportunity Type: Sources Sought / Request for Information (RFI)
- Set-Aside: None specified
- Response Due: May 29, 2026, 5:00 PM ET
- Questions Due: May 21, 2026, 5:00 PM ET
- Submission Format: White paper, not exceeding 50 pages (single-spaced, 12-point type, 1-inch margins).
- Submission Method: Email to jennifer.m.everly2.civ@mail.mil and son.m.pham2.civ@mail.mil. Email attachment limit is 5 MB.
- Published Date: May 14, 2026
Important Notes
This RFI is for market research and planning purposes only. It does not guarantee a future solicitation or contract award. No costs incurred in response will be reimbursed. Responses become Government property and will not be returned. Proprietary information must be clearly marked.