The Department of Homeland Security announced block-one awards under its centralized Cumulus cloud vehicle, with non-competitive contracts to the four major hyperscalers: Amazon Web Services, Microsoft Azure, Google Cloud, and Oracle Cloud Infrastructure. Each contract has a 1-year base ordering period followed by up to four individual option years. Financial details were redacted from DHS's justification-and-approval notice. Coverage from Washington Technology and GovCon Wire.

What Cumulus actually is

Cumulus is DHS's enterprise-wide contract vehicle for commercial cloud services. It consolidates what used to be component-specific cloud purchasing (CBP, TSA, ICE, USCIS, etc. each running their own arrangements) into a single DHS-wide framework. The scope includes:

  • Compute, storage, database services
  • Network services
  • Artificial intelligence and machine learning capabilities
  • Cybersecurity tooling native to cloud environments
  • Logging, monitoring, and operational observability

Why non-competitive for block one

DHS justified the non-competitive approach based on existing FedRAMP authorizations, proven capability, and the need to move quickly on cloud consolidation. Each hyperscaler has established federal-market infrastructure and existing component-level relationships across DHS.

The block-one awards are expected to be followed by competitive task orders against each of the four hyperscaler contracts for specific workloads.

Where small firms fit

Small firms don't win Cumulus block-one — that's a four-way award to the hyperscalers. But the downstream services layer is where small-business opportunity sits:

  • Cloud migration, modernization, and integration services. DHS workloads moving onto Cumulus require migration. Expect competitive follow-on services procurement.
  • FedRAMP-adjacent tooling and services. Firms providing security tools, observability, identity/access, and cost management that integrate with the hyperscalers have a clear role.
  • Specialized software running on Cumulus. DHS components will procure mission-specific software (passenger screening, biometrics, case management). Those are separate acquisitions that run on Cumulus infrastructure.
  • Subcontracts under hyperscaler prime arrangements. Each hyperscaler will subcontract specialized work. AWS Professional Services, Microsoft Consulting, and Google/Oracle equivalents routinely subcontract to specialized firms.

Related DHS cloud news

DHS cybersecurity spend has been trending up. Leidos won a $918 million DHS network support contract in 2024. General Dynamics IT (GDIT) was awarded a separate CISA telecommunications contract around the same time. DHS has committed more recently to $200M in CISA IT services contracts.

What to do this week

  • If you sell anything cloud-adjacent into DHS (security tools, data, ML ops, observability), identify which hyperscaler contract vehicle your workload best fits and establish a partnership path before RFPs for specific workloads are released.
  • Services firms: add Cumulus expertise to your capability statement and BD materials. DHS components will be hiring migration and modernization expertise through calendar 2026-28.
  • Monitor the Agile Cybersecurity Technical Security (ACTS) contract reformulation at DHS — Leidos's ACTS award was challenged, and the re-procurement is adjacent to Cumulus.

Sources