As Turkey Day approaches and you envision yourself in a tryptophan stupor watching parades and football, take a break from that heady endeavor and look to First Source as a way to feed your future as a Small Business.

Given the 41 incumbent contracts in the present program, there is a good opportunity for qualified challengers.


Starting back in 2006. The Department of Homeland Security (DHS) established the First Source Program as a more efficient way to access commoditized information technology (IT) products. Since that time and in two iterations, DHS has issued more than 28,000 task orders, all of which have gone to small business. We are now anticipating the release of the solicitation for the third iteration of the program which has pumped approximately $6.5B into the Small Business economy.

First Source III Key Information:

The requirements for the First Source III program are generally broken into the following:

  • Provide DHS commercial IT commodity solutions and value-added reseller services
  • Provide DHS access to emerging technological advances and new business practices to improve productivity, efficiency and reduce costs
  • Provide DHS with managed IT services combining IT support with proactive monitoring (this is new scope and it is unclear what form this may take in the final solicitation)

During the Industry Day held on in July of 2020, DHS formally announced the $10B program centered around delivery order competitions for hardware software and managed services. Major differences between FirtSource III and the previous contract are:

  • Longer period of performance (10 years)
  • Managed services are now in scope
  • NAICS codes are different (541519 footnote 18, IT Value Added Reseller; 511210, Software Publishing)

The competition will be across 5 tracks that are all small business. The tracks and their spend-spread under the current contract are shown below:

  • 8(a) (4.5%)
  • HUBZone (33.8%)
  • Service Disabled Owned Small Business (12.0%)
  • Woman Owned Small Business (3.6%)
  • Small Business (46.1%)

Obviously, the percentages may change but are indicative of what might be anticipated from the expected primary user agencies, namely (in rank order of spend):

Organization First Source II Spend %
Customs and Border Protection (CBP) 36
US Citizenship and Immigration Services (USCIS) 16
Federal Emergency Management Agency (FEMA) 9.5
Transportation Security Administration (TSA) 9.4
DHS Headquarters 9.2


The remaining spend was spread across other organizational elements such as Immigration and Customs Enforcement’s (ICE), US Coast Guard, Federal Law Enforcement Training Centers (FLETC), and Office of the Inspector General (OIG).

In the Q&A released in September it’s noted that Large Businesses can team with multiple partners across the tracks so long as SBA rules are followed.

First Source III RFP Requirements:

In the draft RFP released in early November, the government stated its intention to use a two-phased approach for evaluation. The first phase will constitute a “Go/No Go” for entry into Phase II. In Phase I, will evaluate three requirements:

  1. The government will review the offeror’s existing commercially published catalog. The offeror should provide an explanation of how their catalog supports the entire First Source scope.
  2. The offeror must prove that they currently hold reseller authorizations with major distributors such as Carahsoft, Ingram Micro, and EC America – Immix.
  3. The offeror must prove ISO 28001:2007 Supply Chain Certification. You will also have to describe your supply chain risk management approach and how you mitigate risks.

You must participate in Phase I. If evaluated successfully, you will then proceed to Phase II. In Phase II, you will be asked to provide your experience in providing VAR services across a variety of commoditized IT hardware and software, your experience dealing with providing hardware and software from multiple OEMS at scale, experience with perpetual licensing, and experience in providing IT Managed Services.

Only a brief Past Performance submission is required, as the government will pull relevant data from the Contractor Performance Assessment Rating System (CPARS) based upon the experience types cited above.

Finally, in Phase II, your proposal submission will contain pricing, part of which will be a priced response to a sample Task Order.


The solicitation is expected to be released in December with an award date targeted for some time in March 2021.

How Do I Win First Source III:

The primary consideration is whether or not you currently hold the required NAICS of 541519 and 511210. If you hold one or both NAICS and have the required ISO 28001:2007 certification, you may be competitive. Failing either of those, don’t bother.

What Do I Need to Do NOW:

You need to do the following in anticipation of the final solicitation release:

  • Start gathering your documentation for Phase I and start developing a cogent explanation of how your catalog supports the full scope of the requirements.
  • Review your ISO 28001: 2007 certification to ensure its validity through at least March of next year (preferably later)
  • Start developing proof points for your Phase II requirements. Be specific and as voluminous as you can. It’s always better to have to pare information down than having to figure where to get more
  • Consider a Proposal Readiness Review (PRR) by an objective third party (either organic or from outside the organization) to assess where you stand and to help guide you in document identification and collection. A PRR could help you save precious Bid and Proposal Resources!


GovWin Opportunity ID:            171342

Beta.SAM.Gov Notice ID:          70RTAC21R00000003