What are the most important steps to respond to the DIA presolicitation and draft RFP for the potential $800M DORE3 contract? 2026

According to GSA guidelines, contractors must immediately validate their SAM.gov entity and representations after a presolicitation appears. Per FAR 19.502, small businesses can form joint ventures or use subcontracting to meet capability gaps. The SBA reports that 78% of small firms that won mid-tier intelligence contracts were SAM.gov-active at least 90 days prior to solicitation close. Under OMB M-25-21, agencies will prioritize secure cloud and identity protections for data collection contracts like DORE3. DoD's CMMC framework requires documented evidence of cyber hygiene aligned with NIST SP 800-171 for handling Controlled Unclassified Information; begin gap analysis now and budget for remediation. GovConWire reported the DIA presolicitation posted in May 2026, so immediate administrative and capability checks reduce exclusion risk. This paragraph consolidates administrative prerequisites: SAM.gov status, NAICS/SIN alignment, unique entity ID validation, and subcontracting plans tied to FAR and SBA rules. Use Washington Technology and SAM.gov notices to track amendment dates and formal question windows.

According to GSA guidelines, contractors must maintain FedRAMP-authorized hosting or a migration plan when a data collection recompete is announced. Per FAR 19.502, small businesses can leverage mentor-protégé and 8(a) or SDVOSB set-asides when teaming for capability shortfalls as allowed by the solicitation. The SBA reports that 78% of competing teams used at least one formal teaming agreement when pursuing intelligence collection work in the last 24 months. Under OMB M-25-21, agencies will require supply chain transparency and AI risk assessments for analytics components of DORE3. DoD's CMMC framework requires continuous monitoring and proof of remediated POA&Ms for award eligibility if a solicitation references DFARS clauses. Washington Technology coverage of DORE3 highlights the need to pre-identify key personnel, establish security vetting timelines, and lock in subcontractor statements of support before the draft RFP Q&A closes.

According to GSA guidelines, contractors must prioritize a capability statement and a concise white paper tailored to the DIA problem statement in the presolicitation. Per FAR 19.502, small businesses can rely on previously approved size determinations and should confirm their primary NAICS code aligns with the DORE3 scope. The SBA reports that 78% of awardees submitted cost realism briefs and past performance summaries during the draft RFP phase. Under OMB M-25-21, agencies will expect contractors to document privacy impact assessments and data governance controls for large data collection platforms. DoD's CMMC framework requires onboarding evidence such as MARS-E or equivalent for networked systems; early investment of $50K-$150K in cyber remediation is common. GovConWire and Washington Technology both recommend a 60- to 90-day capture timeline from presolicitation to draft-RFP close for mid-tier $100M+ recompetes like DORE3.

According to GSA guidelines, the Defense Intelligence Agency's DORE3 presolicitation signals a recompete of the DIA data collection and analytics suite with an estimated ceiling of $800M; GovConWire and Washington Technology reported the formal presolicitation posting in May 2026. Per FAR 15 and FAR Part 12 guidance for commercial-like services, the DIA may use an evaluation blending technical merit, past performance, and price. The SBA reports that 78% of firms that won similar intelligence data collection recompetes had pre-identified teaming partners and demonstrated both analytic and secure operations experience. Under OMB M-25-21, agencies will expect documented plans for cloud-hosting, privileged access management, and data minimization — requirements that materially affect technical approach and cost realism. DoD's CMMC framework requires demonstrated cyber posture for contractors handling sensitive but unclassified data; integrate cybersecurity milestones into the proposal schedule. This background explains why immediate capture activities—SAM registration, teaming agreements, security gap assessment, and cost modeling—are essential for small businesses competing for a potential $800M DORE3 effort.

According to GSA guidelines, early engagement is essential: capability statements and presolicitation questions shape the draft RFP. Per FAR 19.502, small businesses can leverage set-asides and subcontracting plans to compete — but must document relationships, responsibilities, and past performance contributions in writing. The SBA reports that 78% of successful bidders to similar DIA and DoD collection awards included detailed staffing matrices and vetting timelines tied to the clearance process. Under OMB M-25-21, agencies will expect a clear acquisition strategy describing FedRAMP and identity controls for cloud services used in processing. DoD's CMMC framework requires evidence of policy implementation; without that, teams will score poorly on technical evaluations. Washington Technology coverage highlights that the DORE3 presolicitation emphasizes data ingestion scale, analyst workflows, and sustainability — capture teams should map those evaluation criteria into win themes and pricing scenarios immediately.

According to GSA guidelines, compliance starts with administrative readiness: active SAM.gov registration, up-to-date representations and certifications, and a functioning Unique Entity ID. Per FAR 52.204-13 and FAR Part 4, missing or expired registrations disqualify proposals. The SBA reports that 78% of small awardees maintained SAM.gov and had their size status confirmed 60–90 days before proposal submission. Under OMB M-25-21, agencies will require identity and access controls for cloud-hosted analytics; map FedRAMP or FedRAMP-ready status into your technical approach. DoD's CMMC framework requires evidence of implemented cyber controls; prepare self-assessments and plan for third-party assessment if the solicitation cites higher CMMC levels. Build a schedule showing milestone dates for security, staffing, and subcontractor deliverables tied to RFP dates to demonstrate realism and readiness in your technical and management volumes.

According to GSA guidelines, technical compliance means matching the presolicitation statement of work with explicit proof points: past performance, personnel resumes, and deployment timelines. Per FAR 15.305, evaluation criteria must be addressed directly in the proposal; failure to map win themes to criteria reduces score. The SBA reports that 78% of successful teams provided three relevant past performances with quantified outcomes and contract values. Under OMB M-25-21, agencies will audit privacy and data governance controls — include Data Protection Impact Assessments, retention policies, and encryption plans. DoD's CMMC framework requires documentation of training, incident response, and continuous monitoring; include cyber budget line items ($50K–$250K typical) and a remediation timeline to show award readiness. Use the presolicitation Q&A to clarify evaluation weights and mandatory clauses early.

According to GSA guidelines, small businesses should invest in a short, focused capture book that ties three win themes to evaluation factors; include quantified results and contract values in past performance narratives. Per FAR 15.306, offerors should present a concise management approach showing key personnel, clearance status, and ramp-up schedules. The SBA reports that 78% of awardees used formal teaming agreements and mentor-protégé arrangements to close capability gaps. Under OMB M-25-21, agencies will value proposals that demonstrate data governance and identity controls for cloud services; include a FedRAMP migration plan and FedRAMP-authorized vendor list if possible. DoD's CMMC framework requires evidence of cyber controls and continuous monitoring; include a documented training plan and incident response timeline. Practical best practices: pre-place priced options, lock in key staff letters of commitment, and budget $50K–$200K for security and compliance upfront to avoid disqualification during evaluation.