Opportunity

SAM #47QFRA20Q0048

Contract Extension for SaaS Vulnerability Disclosure Policy Platform and Support Services

Buyer

FAS Region 6

Posted

July 16, 2026

Identifier

47QFRA20Q0048

NAICS

541519, 541512, 518210

This document details the extension of a sole-source contract with EnDyna, Inc. for a Software-as-a-Service (SaaS) Vulnerability Disclosure Policy (VDP) platform supporting CISA and Federal Civilian Executive Branch agencies. - The VDP platform enables secure submission, triage, tracking, and management of cybersecurity vulnerabilities. - The contract extension is for up to three years, ensuring uninterrupted service during acquisition planning and transition to a future competitive contract. - The platform supports bug bounty programs, centralized vulnerability reporting, role-based user management, API integration, and secure collaboration with security researchers. - EnDyna, Inc. is responsible for platform configuration, operation, security, administration, technical support, user onboarding, and maintaining Authority to Operate (ATO). - The extension is necessary to maintain continuity of critical cybersecurity services while a competitive follow-on acquisition is planned and executed. - No specific product part numbers or quantities are listed; the focus is on continued SaaS platform and support services.

Description

The Cybersecurity and Infrastructure Security Agency (CISA) partners with Federal agencies, industry, and other stakeholders to strengthen the security and resilience of the Nation's critical infrastructure and Federal information systems. As part of this mission, CISA supports ongoing efforts to reduce cybersecurity risk by identifying, assessing, and facilitating the remediation of vulnerabilities affecting Federal Civilian Executive Branch (FCEB) systems. These efforts support the implementation of Binding Operational Directive (BOD) 20-01, which requires FCEB agencies to establish and maintain Vulnerability Disclosure Policies (VDPs) to receive and address vulnerability reports submitted by external security researchers. 

This requirement provides CISA and participating FCEB agencies with continued access to a secure, commercially available Software-as-a-Service (SaaS) Vulnerability Disclosure Policy (VDP) platform that enables the centralized submission, validation, routing, tracking, and reporting of cybersecurity vulnerabilities identified in internet-accessible Federal systems. The platform supports secure collaboration between security researchers and participating agencies, provides configurable reporting and metrics, role-based user management, application programming interface (API) integration capabilities, and optional functionality to support agency-managed bug bounty programs.

The contractor shall configure, operate, secure, and administer the platform; maintain the platform's Authority to Operate (ATO) and support applicable Federal cybersecurity authorization requirements; provide technical support and user onboarding; perform vulnerability triage, validation, routing, and tracking services; generate operational reporting; and support agencies that elect to implement bug bounty programs. The platform is designed to scale as agency participation changes while ensuring the confidentiality, integrity, and availability of vulnerability information and supporting the Government's continued ability to receive and manage coordinated vulnerability disclosures. 

This modification extends the period of performance for the existing contract to ensure continuity of the enterprise Vulnerability Disclosure Policy (VDP) platform and associated support services. The modification continues uninterrupted support for participating Federal Civilian Executive Branch agencies and maintains the Government's capability to receive, triage, track, and manage vulnerability disclosures during the transition period.

View original listing