Department of Homeland Security Contracting Guide: How to Win DHS Contracts
A practical end-to-end guide to winning DHS contracts: how DHS buys by component (CBP, TSA, FEMA, USCG, CISA), the FAR/HSAR/HSAM regulatory stack, key acquisition thresholds, small business set-asides, FEMA disaster contracting and local area set-asides, Section 889 and Kaspersky supply-chain rules, CUI handling obligations, past performance strategy, and a seven-step action plan.
Tiatun T.
Federal Sales Consultant · Apr 26, 2026
This article is a practical, end-to-end guide to winning contracts with the Department of Homeland Security (DHS). By the time you finish reading, you will understand how DHS buys goods and services, which regulations govern those purchases, how the agency’s component structure affects your strategy, and exactly what steps to take — whether you are a first-time bidder or a seasoned capture manager looking to sharpen your DHS-specific approach.
How DHS Is Organized for Buying
DHS is the third-largest federal department by contract spending, yet it does not buy as a monolith. The vast majority of contract dollars flow through component contracting offices — not a single central procurement shop.
The Office of the Chief Procurement Officer (OCPO) sets acquisition policy at the headquarters level, but purchasing authority is distributed across components. The components you will encounter most often include:
- U.S. Customs and Border Protection (CBP) — border-security technology, surveillance, and enforcement
- Transportation Security Administration (TSA) — airport screening, passenger data systems
- FEMA — emergency management, disaster logistics, temporary housing
- U.S. Coast Guard (USCG) — maritime maintenance, communications, vessel support
- Cybersecurity and Infrastructure Security Agency (CISA) — cybersecurity services, critical infrastructure protection
Target at the component level
A capability statement pitched generically to “DHS” rarely gains traction. Identify which component’s mission aligns with your offering and tailor your outreach accordingly. Use GovBidLab’s free NAICS Code Lookup to match your industry codes to a specific component’s buying patterns.
The Regulatory Stack: FAR, HSAR, and HSAM
Every DHS procurement starts with the Federal Acquisition Regulation (FAR), the government-wide rulebook that applies to virtually all executive-branch purchases [1]. Layered on top of the FAR is the Homeland Security Acquisition Regulation (HSAR), published at 48 CFR Chapter 30 [5]. The HSAR adds DHS-specific requirements — personnel security, facility access, organizational conflicts of interest, and incident-reporting obligations — without repeating what the FAR already covers.
Beneath the HSAR sits the Homeland Security Acquisition Manual (HSAM), DHS’s internal procedural guide that tells contracting officers how to implement FAR and HSAR policies in practice [6]. The HSAM is not a regulation, but it often reveals the operational priorities and internal thresholds that explain why a solicitation is structured the way it is.
HSAR Subpart 3052 — the practitioner’s must-read
This subpart houses the DHS-specific solicitation provisions and contract clauses that flow into your contract and often down to your subcontractors [5]. These clauses can require background investigations for all personnel accessing DHS systems, non-disclosure agreements for Sensitive But Unclassified (SBU) information, and security incident reporting timelines that are shorter than what you may see at other agencies. Read them before you price your proposal.
Key Thresholds at a Glance
| Threshold | Dollar Value | What It Means | Authority |
|---|---|---|---|
| Micro-Purchase Threshold (MPT) | $10,000 (general) | Below this, the government can buy with a purchase card — no competitive bidding required. | FAR 2.101, FAR 13.201 [1] |
| Simplified Acquisition Threshold (SAT) | $250,000 (general) | Between the MPT and SAT, streamlined procedures apply and small business set-asides are presumed. | FAR 2.101, FAR 13.003 [1] |
| Commercial Item Streamlined Threshold | Up to $7.5 million | Commercial products and services can use simplified procedures up to this ceiling (higher in contingency situations). | FAR 13.5, FAR 13.500(a) [1] |
Many newcomers fixate on large, full-and-open competitions governed by FAR Part 15 (Contracting by Negotiation), when in reality a significant volume of DHS spending occurs through FAR Part 13 simplified acquisition procedures or through task orders placed against existing IDIQ vehicles and Government-Wide Acquisition Contracts (GWACs). Understanding thresholds is the first step toward finding the most efficient entry point.
Small Business Set-Asides and Socioeconomic Programs
DHS follows the same small business rules as the rest of the federal government, governed by FAR Part 19 and SBA regulations at 13 CFR 121 and 13 CFR 125 [2]. The foundational rule: for acquisitions between the MPT ($10,000) and the SAT ($250,000), the contracting officer must set the procurement aside exclusively for small businesses unless there is no reasonable expectation that two or more small businesses will submit competitive offers.
Above the SAT, contracting officers still have discretion to set procurements aside for small business categories — 8(a) Business Development, Service-Disabled Veteran-Owned Small Business (SDVOSB), Women-Owned Small Business (WOSB), and HUBZone — when market research supports it. If your firm holds one of these designations, verify that your NAICS code and corresponding size standard align with the specific DHS opportunity.
Limitations on Subcontracting — the rule that trips people up
Under 13 CFR 125.6 and FAR clauses 52.219-14, -27, -29, and -32, a small business prime contractor must self-perform a specified percentage of the work [2]. The “similarly situated entity” exception allows work subcontracted to another firm that holds the same small-business program designation to count toward that requirement — but it must be explicitly invoked and properly documented.
FEMA Disaster Contracting and Local Area Set-Asides
FEMA is DHS’s most distinctive contracting environment. When the President declares a major disaster or emergency, FEMA can invoke contracting authorities under the Robert T. Stafford Disaster Relief and Emergency Assistance Act, implemented through FAR Subpart 26.2 and clauses FAR 52.226-3, 52.226-4, and 52.226-5 [3]. These authorities create a local area set-aside: a preference for contractors and subcontractors located in or near the declared disaster area.
For practitioners, the local area set-aside means that geographic presence — or a teaming arrangement with local firms — can be a deciding factor in disaster-response contract awards, even when it would be irrelevant in a normal acquisition.
Pre-positioning is everything in FEMA contracting
FEMA maintains pre-solicited IDIQ vehicles for debris removal, temporary housing, logistics, and other emergency-response categories. These vehicles are awarded before disasters happen, and task orders are issued rapidly once an emergency is declared. If you wait until a hurricane makes landfall to start your FEMA strategy, you are at least one contract cycle behind. The time to get on FEMA vehicles is during peacetime, not after a declaration.
Cybersecurity Compliance and Supply-Chain Rules
Given DHS’s central role in national cybersecurity, supply-chain integrity clauses receive heightened scrutiny in DHS solicitations. Three sets of requirements merit your immediate attention.
Section 889 — Covered Telecommunications Equipment
Part A (effective August 13, 2019) prohibits the government from procuring covered telecommunications equipment or services from specified Chinese manufacturers (Huawei, ZTE, Hytera, Hikvision, Dahua, and their affiliates). Part B (effective August 13, 2020) goes further: it prohibits contracting with any entity that uses covered equipment or services — even internally and unrelated to the contract work — unless a waiver applies [4]. Audit your entire IT environment, not just the equipment you plan to use on a DHS contract.
Kaspersky Prohibition — FAR 52.204-23
FAR 52.204-23 bars the use of any Kaspersky Lab products or services in performing government contracts [4]. This clause applies government-wide, but DHS contracting officers tend to scrutinize it closely given the agency’s cybersecurity mission.
Controlled Unclassified Information (CUI) — 32 CFR Part 2002
CUI is information that, while not classified, requires safeguarding — think law enforcement sensitive data, personally identifiable information (PII) collected during border screenings, or vulnerability assessments from CISA engagements. The HSAR 3052 clauses [5] may impose incident-reporting timelines, encryption standards, and system-access controls that require advance security planning well before contract performance begins.
Past Performance and Evaluation Strategies
DHS components evaluate proposals using the same basic framework as other agencies — FAR Part 15 for negotiated procurements and FAR 16.505 for task-order competitions — but they frequently employ techniques that accelerate the evaluation process. Oral presentations, advisory down-selects, and phased evaluations are all common [9].
Past performance evaluations are required for contracts at or above the SAT ($250,000) under FAR 42.1502 [9]. Your record in the Contractor Performance Assessment Reporting System (CPARS) is effectively your report card. New entrants without CPARS history can often cite past performance from commercial or state/local government work, but the lack of a federal track record is a tangible disadvantage. Pursuing subcontracting roles on existing DHS contracts is a proven path to building that record.
Advisory down-selects — the gate most firms miss
DHS components increasingly use advisory down-selects and phased evaluations even within task-order competitions. Your initial submission — often a brief capabilities summary or preliminary technical approach — functions as a gate. If you do not clear it, you never get the chance to submit a full proposal. Invest in those initial submissions as seriously as you would a final proposal.
Your Step-by-Step Action Plan
1. Register in SAM.gov and obtain your UEI
The UEI replaced the former DUNS number on April 4, 2022 [7]. Without an active SAM.gov registration, you cannot receive a federal contract. Verify your UEI instantly using GovBidLab’s free UEI Lookup tool.
2. Identify your target DHS component and align your NAICS codes
Use SBA’s size standards at 13 CFR 121 [2] and GovBidLab’s NAICS Code Lookup to ensure your codes match the work categories your target component buys.
3. Build a capability statement in DHS mission language
Generic marketing materials do not resonate with DHS contracting officers or program managers. Tailor your message to the component’s priorities: border security for CBP, transportation screening for TSA, emergency management for FEMA, maritime operations for USCG, cyber defense for CISA. GovBidLab’s Capability Statement Generator can help you structure a professional, mission-focused document quickly.
4. Monitor the DHS Acquisition Planning Forecast System (APFS) and SAM.gov
The APFS [8] publishes planned acquisitions across DHS components, often months before a solicitation appears on SAM.gov. Matching forecast entries to your capabilities early gives you time for teaming, capture, and compliance preparation.
5. Conduct Section 889 supply-chain due diligence now
Audit your entire IT environment — not just the equipment you plan to use on a DHS contract, but everything your company uses [4]. Part B of Section 889 covers internal use as well. This diligence cannot wait until after you receive an award.
6. Read the HSAR and HSAM as mandatory preparation
The DHS-specific clauses in HSAR Subpart 3052 [5] and the procedural guidance in the HSAM [6] will reveal security, personnel, and reporting requirements that directly affect your cost estimates and staffing plans.
7. Explore existing contract vehicles
If you are considering a GSA Schedule or other GWAC as an on-ramp to DHS work, GovBidLab’s GSA Eligibility Calculator can help you determine whether your company meets the prerequisites before investing in the application process.
Choosing the Simplest Viable Path
A recurring theme in learning how to win government contracts is that the simplest acquisition path often yields the best return on your bid-and-proposal investment. At DHS, that means considering several approaches before defaulting to a full FAR Part 15 competition:
- Can you position for FAR Part 13 simplified acquisitions (procurements under the SAT, or up to $7.5 million for commercial items under FAR 13.5)? [1]
- Can you win a seat on a multiple-award IDIQ and compete for task orders instead of prime competitions?
- Can you enter the DHS market as a subcontractor first, building past performance and agency relationships before pursuing a prime role?
For experienced firms already holding IDIQ positions: DHS components increasingly use advisory down-selects and phased evaluations even within task-order competitions. Your initial submission — often a brief capabilities summary or preliminary technical approach — functions as a gate. Invest in those initial submissions as seriously as you would a final proposal.
What to Do Next
Start with the most concrete action available to you today: verify your SAM.gov registration and UEI using GovBidLab’s UEI Lookup tool, then pull up the DHS APFS and search for forecasted procurements that match your capabilities. Even fifteen minutes of targeted research on the APFS will reveal whether DHS components are planning to buy what you sell — and that single data point will tell you whether to invest further in a DHS capture strategy.
From there, read the HSAR Subpart 3052 clauses that appear most often in your target component’s solicitations; understanding those requirements early is the difference between a compliant, competitively priced proposal and one that stumbles on security or personnel obligations.
For a full suite of free tools to support your government contracting journey — including the UEI Lookup, NAICS Code Lookup, Capability Statement Generator, GSA Eligibility Calculator, and CMMC Calculator — visit GovBidLab’s tools page.
Glossary of Terms Used in This Article
| Term | Definition |
|---|---|
| APFS (Acquisition Planning Forecast System) | A DHS-maintained database that publishes planned contract actions across DHS components, typically well before solicitations appear on SAM.gov. |
| CBP (U.S. Customs and Border Protection) | The DHS component responsible for securing U.S. borders, managing ports of entry, and enforcing customs and immigration laws. |
| CISA (Cybersecurity and Infrastructure Security Agency) | The DHS component responsible for defending civilian federal networks and coordinating critical infrastructure security. |
| CPARS | The government’s official system for recording and reviewing contractor past performance evaluations. Functions like a report card for federal contractors. |
| CUI (Controlled Unclassified Information) | Information that is not classified but requires safeguarding or dissemination controls under federal law or policy (e.g., law enforcement data, PII). |
| FAR (Federal Acquisition Regulation) | The primary set of rules governing how federal agencies purchase goods and services. Published at Title 48 of the Code of Federal Regulations. |
| FEMA (Federal Emergency Management Agency) | The DHS component that coordinates federal disaster response and recovery efforts. |
| GWAC (Government-Wide Acquisition Contract) | A pre-competed, multiple-award contract vehicle that any federal agency can use to purchase IT products and services. |
| HSAR (Homeland Security Acquisition Regulation) | DHS’s agency-specific supplement to the FAR, published at 48 CFR Chapter 30, adding requirements unique to DHS contracts. |
| HSAM (Homeland Security Acquisition Manual) | DHS’s internal procedural guide that tells contracting officers how to implement FAR and HSAR policies operationally. |
| HUBZone | An SBA program that provides contracting preferences to small businesses located in economically distressed areas. |
| IDIQ (Indefinite-Delivery, Indefinite-Quantity) | A contract type that provides for an indefinite quantity of supplies or services during a fixed period, with individual orders placed as needs arise. |
| MPT (Micro-Purchase Threshold) | The dollar amount (generally $10,000) below which the government can make purchases using simplified methods like purchase cards, without competitive bidding. |
| NAICS | A coding system that classifies businesses by industry type. The government uses NAICS codes to identify what a procurement involves and to determine small-business size standards. |
| NDAA (National Defense Authorization Act) | An annual federal law that authorizes defense spending and often includes procurement policy provisions affecting all agencies (e.g., Section 889). |
| OCPO (Office of the Chief Procurement Officer) | The DHS headquarters office that sets department-wide acquisition policy and oversees procurement operations across components. |
| PII (Personally Identifiable Information) | Information that can be used to identify a specific individual, such as Social Security numbers, biometric data, or full name combined with date of birth. |
| SAM.gov | The federal government’s official website where businesses register to do business with the government and where agencies post contract opportunities. |
| SAT (Simplified Acquisition Threshold) | The dollar amount (generally $250,000) below which agencies may use streamlined purchasing procedures. Most procurements in this range are set aside for small businesses. |
| SBA (Small Business Administration) | The federal agency that sets small-business size standards, manages socioeconomic contracting programs (8(a), HUBZone, SDVOSB, WOSB), and advocates for small businesses in federal procurement. |
| SBU (Sensitive But Unclassified) | A legacy designation for information that requires protection but does not meet the threshold for national security classification. Largely being subsumed under the CUI framework. |
| SDVOSB | A small-business designation for firms owned and controlled by veterans with service-connected disabilities, qualifying for certain federal contracting preferences. |
| Section 889 | A provision of the FY2019 NDAA that prohibits federal agencies from purchasing or contracting with entities that use telecommunications equipment from certain Chinese manufacturers. |
| TSA (Transportation Security Administration) | The DHS component responsible for security of the nation’s transportation systems, most visibly airport passenger screening. |
| UEI (Unique Entity Identifier) | A 12-character alphanumeric ID assigned in SAM.gov that uniquely identifies an entity for federal awards. Replaced the DUNS number on April 4, 2022. |
| USCG (U.S. Coast Guard) | The DHS component responsible for maritime law enforcement, search and rescue, and coastal defense. |
| WOSB (Women-Owned Small Business) | A small-business designation for firms that are at least 51% owned and controlled by women, qualifying for certain federal contracting preferences. |
References
- [1] FAR 2.101 (Definitions), FAR Part 4, FAR Part 12, FAR Part 13, FAR 13.5. General Services Administration. https://www.acquisition.gov
- [2] FAR Part 19 (Small Business Programs), FAR 52.219-14/-27/-29/-32; SBA regulations at 13 CFR 121 and 13 CFR 125.6. General Services Administration and U.S. Small Business Administration. https://www.acquisition.gov; https://www.sba.gov
- [3] FAR Subpart 26.2 (Disaster or Emergency Assistance Activities), FAR 52.226-3/-4/-5; Robert T. Stafford Disaster Relief and Emergency Assistance Act. https://www.acquisition.gov
- [4] FAR 52.204-23 (Kaspersky Prohibition), FAR 52.204-24/-25/-26 (Section 889). Section 889, FY2019 National Defense Authorization Act. Part A effective August 13, 2019; Part B effective August 13, 2020. https://www.acquisition.gov
- [5] Homeland Security Acquisition Regulation (HSAR), 48 CFR Chapter 30, including Subpart 3052. Department of Homeland Security. https://www.dhs.gov
- [6] Homeland Security Acquisition Manual (HSAM). Department of Homeland Security, Office of the Chief Procurement Officer. https://www.dhs.gov
- [7] SAM.gov UEI Transition Notice. FAR 4.1102 (registration requirement). U.S. General Services Administration. https://sam.gov
- [8] DHS Acquisition Planning Forecast System (APFS). Department of Homeland Security. https://www.dhs.gov
- [9] FAR 42.1502 (Past Performance Information), FAR Part 15, FAR 16.505. General Services Administration. https://www.acquisition.gov; CPARS at https://www.cpars.gov