The Transportation Security Administration released the Cybersecurity Services BPA II solicitation in March 2026, opening the recompete of its primary cybersecurity contracting vehicle. The BPA carries a $1.2 billion ceiling over five years and covers TSA's full cybersecurity mission — from screening system security to enterprise SOC operations. Proposals are due May 30, 2026. The solicitation is posted on SAM.gov.
Three ordering tracks
- Unrestricted track: $700M ceiling, any size; estimated 6–8 awardees
- SDVOSB track: $300M ceiling; VA CVE certification required at time of award
- 8(a) track: $200M ceiling; active SBA 8(a) participation required
Capability areas
- 24/7 Security Operations Center monitoring and incident response
- Penetration testing and red team operations on TSA networks and OT systems (baggage screening, access control)
- Cloud security architecture and FedRAMP advisory for TSA's AWS/Azure environment
- Zero-trust architecture design and implementation
- Workforce training and cybersecurity awareness programs
What makes TSA cyber work distinctive
TSA operates both IT and operational technology (OT) environments: the security systems at airport checkpoints run on specialized OT networks that require different security approaches from those used for enterprise IT. Firms with ICS/SCADA or OT security experience have a significant advantage in technical evaluations.
- Highlight OT/ICS security references explicitly if you have them — they are rare and heavily weighted
- Confirm your SDVOSB or 8(a) status in SAM.gov before the proposal deadline