Request for Information: Automated Cryptographic Discovery and Inventory (ACDI) Tool
Qualification Details
Fit reasons
- NAICS alignment with historical contract wins in similar service areas.
- Scope strongly matches core technical capabilities and delivery model.
Risks
- Past performance thresholds may require one additional teaming partner.
- Potential clarification needed on staffing minimums before bid/no-bid.
Next steps
Validate eligibility requirements, assign capture owner, and schedule partner outreach to confirm teaming strategy before submission planning.
Quick Summary
The U.S. Department of Health and Human Services (HHS), Office of the Chief Information Officer (OCIO), Office of Information Security (OIS), has issued a Request for Information (RFI) for Automated Cryptographic Discovery and Inventory (ACDI) Tools. This RFI is for market research and planning purposes to identify commercial solutions for enterprise cryptographic discovery, inventory management, and Post-Quantum Cryptography (PQC) transition planning across HHS environments. Responses are due June 5, 2026, at 12:00 PM ET.
Purpose & Scope
HHS seeks information on commercial or commercially available ACDI solutions to support its PQC transition activities, driven by federal mandates such as National Security Memorandum 10 (NSM-10) and OMB Memorandum M-23-02. The desired capability includes:
- Automated Discovery: Identifying cryptographic implementations across on-premises, cloud, application, network, and data-at-rest environments.
- Cryptographic Identification: Pinpointing algorithms (symmetric, asymmetric, hash), protocols, certificates, key lengths, and hybrid cryptography instances.
- Inventory Management: Maintaining a centralized repository with system details, tagging, deduplication, and historical tracking.
- Risk Assessment: Identifying deprecated, weak, non-compliant, or quantum-vulnerable cryptography and providing contextual risk analysis.
- Continuous Monitoring & Reporting: Providing ongoing discovery, change detection, alerts, and comprehensive reports/dashboards on inventory, vulnerabilities, and compliance.
- Technical Requirements: Scalable architecture, distributed scanning, agent-based/agentless discovery, integration with enterprise systems (CMDB, SIEM), role-based access control, SSO, and a path to ATO/FedRAMP High authorization.
- Anticipated Tasks: Project management, software deployment, testing, operational readiness, and training.
Contract & Timeline
- Opportunity Type: Request for Information (RFI) / Sources Sought
- Anticipated Contract Type (if pursued): Firm-Fixed-Price (FFP) with a 12-month base period and four 12-month option years.
- Set-Aside: None specified.
- Published Date: May 21, 2026
- Questions Due: June 1, 2026, 12:00 PM ET
- Responses Due: June 5, 2026, 12:00 PM ET
Submission Requirements
Interested parties should submit a capability statement or white paper via email to Contract Specialist Jordan Neal (jordan.neal@hhs.gov) and Contracting Officer Julie Rodriguez (julie.rodriguez@hhs.gov). The email subject line must include the solicitation number and company name. Proprietary information should be minimized and clearly marked.
Additional Notes
This RFI is for planning and market research only and does not constitute a commitment by the Government to issue a solicitation or award a contract. The CISA strategy document on migrating to automated PQC discovery and inventory tools provides further context on government requirements and data collection approaches for PQC transition.