
How to sell to the Cybersecurity and Infrastructure Security Agency as a diverse small business

The Cybersecurity and Infrastructure Security Agency (CISA) is a major federal buyer with $2.5B in annual procurement. This guide covers how diverse small businesses get into the vendor ecosystem and win work.

CISA is not a household name outside of federal contracting circles, but it is one of the faster-growing buyers in the federal government. Created under the Department of Homeland Security in 2018, the Cybersecurity and Infrastructure Security Agency oversees the protection of civilian federal networks, critical infrastructure sectors, and election security. That mission translates into consistent, recurring spend on technology, security services, and technical consulting — and a portion of that work is specifically set aside for small and diverse businesses.

Annual procurement runs approximately $2.5 billion. If you run a cybersecurity firm, IT services company, or physical security operation, CISA belongs on your target list.

What CISA actually buys

CISA's spend concentrates in three areas: information technology services, cybersecurity operations, and physical security integration.

On the IT side, CISA buys software development, systems integration, network operations, cloud migration, and help desk support. The agency manages continuous diagnostics and mitigation (CDM) across federal civilian agencies, which drives substantial spend on endpoint detection tools, dashboards, and integration services.

Cybersecurity operations spending covers incident response, threat hunting, red team and penetration testing, security operations center (SOC) support, and vulnerability assessments. CISA runs the Continuous Diagnostics and Mitigation program — a multi-billion-dollar initiative with multiple contract vehicles — and staffs joint operations centers that monitor federal agency networks around the clock.

Physical security falls under the Federal Protective Service (FPS), which sits within CISA and protects federal buildings. FPS contracts for guard services, access control systems, surveillance equipment installation, and facility security assessments. Contract sizes here range from under $100,000 for single-site assessments to multi-million-dollar protective service contracts at large federal campuses.

Typical contract sizes at CISA vary widely. Task orders under existing governmentwide acquisition contracts (GWACs) commonly run $500,000 to $5 million. Standalone contracts for specialized cybersecurity work can reach $10 million to $50 million over a base period and options. Guard service contracts through FPS tend to be awarded annually or biannually, with values tied to the number of buildings and personnel hours required.

Primary NAICS codes

If you are building your SAM.gov profile or researching opportunities, focus on these codes:

  • 541519 — Other Computer Related Services. This is the broadest catch-all for IT support, cybersecurity consulting, and technical services that do not fit neatly elsewhere. CISA uses it frequently.
  • 541512 — Computer Systems Design Services. Applies to systems integration, architecture design, and custom software development tied to infrastructure security.
  • 561621 — Security Systems Services (except Locksmiths). Covers FPS-related work: guard services, alarm monitoring, access control installation, and physical security assessments.

Your SAM.gov registration should list all NAICS codes that reflect your actual capabilities. Contracting officers search by NAICS, so a missing code means a missed opportunity.

Getting into the vendor ecosystem

Your first step is SAM.gov registration. Every vendor doing business with the federal government must have an active registration, which requires a Unique Entity Identifier (UEI) from SAM.gov and an active CAGE code. Registration is free, takes about ten business days for initial processing, and must be renewed annually. Do not pay third-party services to register for you.

Once registered, set up keyword alerts on SAM.gov for "CISA," "Cybersecurity and Infrastructure Security Agency," and the NAICS codes above. New solicitations, sources-sought notices, and requests for information will surface before full solicitations post.

CISA uses several contract vehicles that small businesses can access without competing on a full-and-open procurement. The most relevant include:

  • Alliant 2 Small Business (GSA GWAC for IT services, small business set-aside pool)
  • SEWP V (NASA GWAC for IT products and services, small business pool)
  • CIO-SP3 Small Business (NIH GWAC for IT services)
  • GSA Multiple Award Schedule (MAS) under the IT large category

Being on one of these vehicles means CISA contracting officers can issue task orders directly to you without running a new competition. If you do not hold a vehicle, teaming with a prime that does is a legitimate path to your first award.

CISA's small business and diversity programs

CISA, as a DHS component, falls under the DHS Office of Small and Disadvantaged Business Utilization (OSDBU). DHS has one of the stronger OSDBU programs in the federal government, with a stated goal of awarding 23% of eligible contract dollars to small businesses and specific sub-goals for 8(a) firms, service-disabled veteran-owned small businesses (SDVOSBs), HUBZone businesses, and women-owned small businesses (WOSBs).

CISA maintains a small business program office that works directly with contracting officers to identify set-aside opportunities. The office also participates in DHS-sponsored matchmaking events, vendor outreach sessions, and industry days. These events are posted on the DHS OSDBU website and on SAM.gov.

If you hold an 8(a) certification, CISA can award contracts to your firm on a sole-source basis up to $4.5 million for services. This threshold is meaningful for cybersecurity firms with specialized capabilities. You do not have to compete if your firm and the contracting officer agree on price and scope.

HUBZone firms should note that CISA has facilities and operations in regions that qualify for HUBZone benefits. HUBZone set-asides can be used when at least two qualified HUBZone firms are expected to bid competitively.

SDVOSBs have access to set-aside and sole-source awards at CISA through the SDVOSB program administered by the Small Business Administration.

One practical tip for your first contract

Attend DHS Procurement Forecasts and vendor outreach sessions before a solicitation posts.

CISA and other DHS components release annual procurement forecast reports that list planned acquisitions by fiscal year, estimated dollar value, NAICS code, and anticipated set-aside type. The DHS OSDBU publishes this forecast on its website. Reviewing it gives you a 6-to-12-month runway to get on a relevant contract vehicle, identify teaming partners, and make contact with the program office before the formal competition begins.

Contracting officers are most open to vendor conversations during market research, which typically happens 60 to 180 days before a solicitation posts. A well-timed capability statement delivered to the right program manager during that window can influence how a requirement is scoped. After a solicitation posts, that window closes.

Who to contact

The DHS Office of Small and Disadvantaged Business Utilization is your primary point of contact. The OSDBU director and program managers provide vendor counseling, help you navigate DHS contract vehicles, and connect you with CISA component representatives. Contact information is posted on the DHS OSDBU website at dhs.gov/osdbu.

For CISA-specific opportunities, the CISA Industry Relations team manages formal industry engagement. CISA posts Requests for Information and sources-sought notices on SAM.gov; responding to those notices is the direct path to getting your capabilities in front of the contracting officers who write the requirements.

For FPS physical security work specifically, the Federal Protective Service posts its own solicitations and has a separate contracting division. Region-specific FPS contracting offices handle guard and security systems contracts for federal buildings in their jurisdiction.

If you are navigating DHS contracting for the first time, an APEX Accelerator (formerly Procurement Technical Assistance Center) can review your SAM registration, help you identify relevant solicitations, and provide free pre-bid technical assistance. The APEX Accelerator network covers every state and territory.
