PrimeRFP Insights
What $400M in Cybersecurity Awards Tells You About Price-to-Win in 2026
A pricing-professional's read of federal cybersecurity awards: SCOUT data shows a 33% award-to-ceiling ratio on NAICS 541512 (25% on cloud), 58.8% single-offer rate (74.3% on cloud), 87% of dollars going full-and-open, and an $89B / 163-award recompete wall inside 18 months. Why ceiling is the least honest number in a cyber procurement — and how to build a cost volume around obligation history, single-offer reality, the set-aside lane gap, and agency-by-agency rate patterns.
SCOUT Insights · Pricing Intelligence
Author: Charles Sanders, PrimeRFP
Data sources: PrimeRFP SCOUT (live award, recompete, and solicitation queries, June 10 2026), USASpending.gov transaction-level award data
Scope: Federal cybersecurity and cyber-adjacent IT spend across NAICS 541512 (Computer Systems Design), 541519 (Other Computer Related Services), and 518210 (Data Processing & Hosting), 24-month rolling window, obligations only, ≥$100K floor.
33%
award-to-ceiling ratio on NAICS 541512 — only 33¢ of every ceiling dollar is obligated
58.8%
of 541512 awards have a single bidder — 74.3% on cloud (518210)
87%
of obligated cyber-IT dollars go full-and-open, not to set-asides
$89B
cyber recompete pipeline inside 18 months — 163 awards above $100M
Pricing professionals are handed a ceiling and asked to win under it. But the ceiling is the least honest number in a federal cybersecurity procurement. Across $167.8B in NAICS 541512 ceiling value, the government has actually obligated $55.4B — about a third. The marquee awards, the ~$400M cyber actions that anchor the market, tell the same story even more sharply. If your cost volume is built to the ceiling, you are pricing a number the government never intends to spend.
Executive summary
We pulled SCOUT's federal award, recompete, and solicitation data for the three NAICS codes that carry most cybersecurity work — 541512 (Computer Systems Design), 541519 (Other Computer Related Services), and 518210 (Data Processing & Hosting) — over a 24-month rolling window. Four pricing signals come through cleanly, and every one of them changes how a cost volume should be built.
First, ceiling is not spend. NAICS 541512 carries $167.8B in ceiling value but only $55.4B obligated, a 33% award-to-ceiling ratio. Cloud (518210) is more extreme: $22.6B ceiling, $5.7B obligated — 25%. Two thirds to three quarters of every ceiling dollar is headroom that never converts. The real competition happens at the task-order level, not the vehicle ceiling.
Second, most cyber awards see one bidder. 58.8% of NAICS 541512 awards are single-offer; on cloud it climbs to 74.3%. When you are the only bidder, “price to win” stops meaning “beat a competitor” and starts meaning “clear the IGCE and the incumbent's burdened rate.” Reflexive discounting into a single-offer environment is margin left on the table.
Third, the set-aside / full-and-open split is a pricing chasm. 87% of 541512 obligations and 91% of cloud obligations go full-and-open, where large primes set the rate card. The set-aside lanes are real but smaller, with a different competitive set and different rate pressure. A single PTW posture across both lanes will misprice at least one of them.
Fourth, the recompete wall is a pricing event. SCOUT counts 1,650 cyber-IT contracts worth $89B expiring inside 18 months, 163 of them above $100M. The largest are moving through sole-source bridges — a signal that incumbent rates are locked in and the real PTW contest is still ahead.
How to read this report
Every figure here is reproducible from USASpending's transaction-level data through SCOUT. We use three lenses. Lens A sizes each NAICS market by obligations and ceiling (get_award_summary, 24-month window, obligations only, ≥$100K floor, IDV base vehicles excluded so ceiling isn't double-counted). Lens B reads the marquee awards individually (get_award_history) to compare obligated-to-ceiling at the contract level. Lens C is the forward recompete pipeline (find_recompete_contracts), which is where the next round of pricing decisions actually lands. Dollar figures are obligated unless explicitly labeled as ceiling.
One caution on NAICS as a cyber proxy: 541512 and 518210 contain far more than pure cybersecurity work. We treat them as the cyber-bearing envelope — the codes under which SOC operations, zero-trust engineering, ICAM/PAM, CDM, and managed security are actually obligated — not as a clean cyber-only total. The pricing dynamics described below are properties of how the government buys this envelope, and they hold across the cyber task orders inside it.
The ceiling trap: award-to-ceiling ratios
The single most useful number a pricing lead can carry into a cyber capture is the award-to-ceiling ratio — obligated dollars divided by ceiling value. It tells you how much of the advertised number the government has historically been willing to actually spend. Across the cyber-bearing NAICS codes, that ratio is low and remarkably consistent.
| NAICS | Scope | Obligated (24 mo) | Ceiling | Award-to-ceiling | Avg. award |
|---|---|---|---|---|---|
| 541512 | Computer Systems Design | $55.41B | $167.75B | 33% | $1.34M |
| 518210 | Data Processing & Hosting (cloud) | $5.70B | $22.61B | 25% | $0.82M |
Read that as a warning about base-of-estimate anchoring. When a solicitation cites a $2B ceiling, the historical pattern says roughly $500M–$650M of it will obligate over the life of the work. If your cost volume staffs to the ceiling — full ODC pools, maximal labor ramps, option years priced at peak — you are pricing a program that, on the evidence, will not be funded at that level. The marquee awards make the point concrete:
| Award | Agency / Prime | Obligated | Ceiling | Award-to-ceiling |
|---|---|---|---|---|
| NCAPS (consolidated app & platform services) | NASA / CACI | $465.3M | $2.02B | 23% |
| CDM DEFEND Group BD (bridge) | GSA / Booz Allen | $843.0M | $1.17B | 72% |
| DMCS default-loan platform | Education / Maximus | $390.1M | $390.1M | ~100% |
The spread between these three is the whole lesson. A long IDIQ-style platform award (NCAPS) obligates a fraction of its ceiling. A single-award bridge (CDM DEFEND) obligates most of it because the government already knows the run-rate. A definitized fixed-scope award (DMCS) obligates essentially all of it. The pricing posture for each is different, and the only way to tell them apart before bid is to read the obligation history of the vehicle — not the ceiling on the cover page.
The single-offer reality and what it does to PTW
Price-to-win modeling assumes a competitor to price against. In federal cybersecurity, most of the time, there isn't one. SCOUT's offer data shows 58.8% of NAICS 541512 awards received a single offer (median offers: 1; average: 2.8). On cloud (518210) the single-offer rate is 74.3%, with an average of just 2.1 offers. Three out of five cyber-IT awards, and three out of four cloud awards, are effectively uncontested at the moment of award.
That changes the math in two directions. In a genuinely competitive recompete — a known incumbent, multiple capable challengers, a best-value tradeoff — aggressive PTW discipline is rational; the win probability curve is steep around the competitor's likely price. But in the single-offer majority, the binding constraint is not a competitor's number. It is the government's Independent Government Cost Estimate and the incumbent's last burdened rate. Pricing 8–12% below your own defensible BOE to “win” a bid you were going to win anyway is a direct transfer of margin to the government for nothing.
The practical move is to classify the pursuit before the cost volume starts. Is this a contested best-value action, or a likely single-offer sole-source/bridge? SCOUT's number-of-offers history on the predecessor contract is the fastest tell. The CDM DEFEND bridges, the DHS BEAGLE-class actions, and most VA T4NG task orders in the data carried one offer. Those are not PTW shootouts; they are clear-the-IGCE exercises, and they should be priced to a defensible rate, not to an imagined competitor.
The set-aside vs. full-and-open pricing gap
The two lanes are not the same market priced differently — they are different markets. In NAICS 541512, full-and-open (unrestricted) competition absorbs $48.3B of $55.4B obligated, or 87%. The remaining 13% is split across 8(a), SDVOSB, HUBZone, WOSB, and small-business set-asides. Cloud is even more concentrated: 91% full-and-open.
| Lane | 541512 obligated | Share | Pricing dynamic |
|---|---|---|---|
| Full & open (unrestricted) | $48.3B | 87.2% | Large primes set the rate card; rate competition is fierce at the labor-category level |
| 8(a) (incl. sole-source) | $3.32B | 6.0% | Sole-source ceilings cap value, not rate; relationship & past performance dominate |
| SBA small business | $2.41B | 4.4% | Smaller awards ($0.5M–$5M band); price-sensitivity high, fewer ODCs |
| SDVOSB | $1.16B | 2.1% | VA-anchored; evaluation preference softens the price weight |
For a pricing professional, the takeaway is that the full-and-open lane is where rate discipline is tested. With large primes — Accenture ($4.45B obligated), Booz Allen ($4.34B), Leidos ($3.44B), GDIT ($3.43B), SAIC ($2.66B) — setting the market, your burdened labor rates are benchmarked against a known and aggressive field. In the set-aside lanes, especially 8(a) sole-source, the binding constraint shifts from rate to ceiling and relationship; over-discounting there wins nothing and signals a thin BOE. The error to avoid is carrying a full-and-open discount reflex into a set-aside pursuit where it doesn't move win probability.
Agency-by-agency pricing patterns
Where the dollars sit tells you whose cost expectations you are pricing against. NAICS 541512 obligations concentrate heavily, and each leading buyer carries a distinct rate and structure profile.
| Agency | 541512 obligated (24 mo) | What it means for pricing |
|---|---|---|
| Department of Defense | $14.05B | Largest buyer; rate ceilings often anchored to prior DoD ceilings and DCAA-audited indirect rates |
| GSA | $10.35B | Vehicle-driven (Alliant 3, ASSIST, CDM); ceiling true-ups are routine and signal low award-to-ceiling |
| Veterans Affairs | $8.01B | T4NG task-order machine; high single-offer rate; SDVOSB preference reshapes the price weight |
| DHS | $4.82B | Component-program buying (CBP, USCIS, CISA); bridge-heavy, incumbent rates locked in |
| HHS | $4.72B | CMS-led; more genuinely competitive offers per award than the DoD/VA average |
The GSA line is the one pricing teams most often misread. GSA's cyber-IT vehicles show a steady drumbeat of ceiling true-up modifications — the ASSIST and CDM task orders in SCOUT's data carry repeated “true up the ceiling” actions. A rising ceiling on an active task order is not a buying signal; it is an accounting alignment, and it widens the gap between ceiling and what will obligate. Pricing to a freshly trued-up ceiling is the most common way to overprice a GSA cyber recompete.
The recompete wall is your pricing calendar
Pricing strategy is set long before the RFP drops, and SCOUT's recompete pipeline is the calendar. Filtering the cyber-bearing 541512 landscape to actions over $10M expiring inside 18 months returns 1,650 contracts worth $89.0B, split into a fat $10M–$100M band (1,487 contracts, $40.8B) and a heavy tail of 163 awards above $100M ($48.2B). A representative slice of the near-term wall:
| Incumbent | Agency | Est. value | Expires | Pricing read |
|---|---|---|---|---|
| SAIC | GSA (ASSIST / USACE IT) | $1.40B | ~17 days | Imminent; bridge or fast follow-on likely — incumbent rate is the anchor |
| Booz Allen Hamilton | VA (T4NG benefits) | $1.37B | ~69 days | Options exercisable to Aug; single-offer history |
| VSOLVIT | DOJ | $3.08B | ~112 days | Large; watch for set-aside posture change at recompete |
| CACI | GSA | $1.17B | ~162 days | Ceiling trued up via mandatory system update — low award-to-ceiling |
| Booz Allen / CACI | GSA (CDM DEFEND A/BD bridges) | $843M–$906M | ~324 days | Sole-source bridges — PTW contest deferred, not resolved |
The CDM DEFEND bridges deserve a specific note for pricing teams. When a $1B+ program is extended through a sole-source bridge rather than recompeted on schedule, two things are true at once: the incumbent's burdened rate is now the de facto government baseline, and the real competition has been pushed 12–18 months downstream. If you intend to challenge on price, the bridge period is your window to gather the incumbent's rate signals — not the 30 days after the eventual RFP.
How to price a cyber pursuit, given the data
Pulling the four signals together produces a short, concrete pricing checklist for federal cybersecurity work:
- Anchor to obligation history, not ceiling. Before the cost volume, pull the predecessor vehicle's award-to-ceiling ratio. If it sits near the 25–33% NAICS norm, build your BOE to the realistic obligation path and treat the ceiling as a not-to-exceed envelope, not a target.
- Classify the competitive environment first. Check number-of-offers history. If the action is in the single-offer majority, price to a defensible IGCE-clearing rate and protect margin; reserve aggressive discounting for the genuinely contested best-value minority.
- Match the lane. Carry a full-and-open rate discipline into full-and-open pursuits and a ceiling/relationship discipline into set-aside pursuits. Do not let a discount reflex from one lane leak into the other.
- Treat ceiling true-ups as noise. A rising ceiling on an active GSA task order is an accounting event, not demand. Re-baseline to obligations.
- Use the recompete calendar. Start rate intelligence on a target 12–18 months before expiry, especially on bridged programs where the incumbent baseline is already visible.
None of this is exotic. It is the discipline of pricing to what the government actually does — obligate a third of the ceiling, award most of the work to a single bidder, and concentrate spend in full-and-open competition — rather than to the headline numbers on the cover page. The pricing professionals who win in 2026's cyber market are the ones reading the obligation data, not the ceiling.