Loren Data's SAM Daily™

FBO DAILY - FEDBIZOPPS ISSUE OF JUNE 21, 2017 FBO #5689
DOCUMENT

70 -- TAC-17-39312 Core Impact Licenses and Maintenance - Attachment

Notice Date
6/19/2017
 
Notice Type
Attachment
 
NAICS
541519 — Other Computer Related Services
 
Contracting Office
Department of Veterans Affairs;Technology Acquisition Center;23 Christopher Way;Eatontown NJ 07724
 
ZIP Code
07724
 
Solicitation Number
VA11817Q2128
 
Archive Date
7/15/2017
 
Point of Contact
Jessica.Adamitis@va.gov
 
E-Mail Address
jessica.adamitis@va.gov
 
Small Business Set-Aside
N/A
 
Award Number
NNG15SD38B VA118-17-F-2069
 
Award Date
6/15/2017
 
Awardee
REDHAWK IT SOLUTIONS LLC;2689 MAPLE RIDGE DR;WOODBRIDGE;VA;22192
 
Award Amount
$737,631.36
 
Description
Core Impact Software Licenses and Maintenance
Control Number TAC-17-39312

JUSTIFICATION FOR AN EXCEPTION TO FAIR OPPORTUNITY

1. Contracting Activity: Department of Veterans Affairs (VA), Office of Acquisition Operations, Technology Acquisition Center, 23 Christopher Way, Eatontown, NJ 07724

2. Description of Action: This proposed action is for a firm-fixed-price task order to be issued under the National Aeronautics and Space Administration (NASA) Solutions for Enterprise-Wide Procurement (SEWP) V Government-wide Acquisition Contract (GWAC) for the procurement of Core Security, Inc. brand name Core Impact software licenses and maintenance.

3. Description of the Supplies or Services: VA Office of Information Security (OIS), Network Security Operations Center (NSOC) Compliance Scanning Service (CSS) has a requirement to procure Core Impact software licenses and associated maintenance. The Core Impact software is a penetration testing (including mobile device, wireless, web, network, client-side, and Supervisory Control and Data Acquisition (SCADA)), phishing assessment, and vulnerability scan validation software that allows security and compliance testers to discover any known and unknown software defects in running workstations, servers, network devices, web servers, and web applications so that they may be remediated. The Core Impact software simulates a cyber adversary to VA networks and allows VA to detect the exploitation of network vulnerabilities. With the Core Impact standalone software VA is able to probe and exploit security vulnerabilities on the VA enterprise network; perform blended attacks from the web into the network, parallel to the actions and the attack approach of a hacker; validate security of systems upgrades, modifications, and patches; and maintain an audit trail of vulnerability management practices.

The product detects security, privacy, Section 508/Accessibility Software compatibility and general software configuration and coding defects. The use of this software will allow VA to quickly conduct penetration testing to assess VA's security posture and rate the impact on VA's cyber security posture. The Core Impact software is developed as a closed source solution, as VA requires that sensitive information such as Personally Identifiable Information (PII) and Protected Health Information (PHI) be protected at all times. The use of this software is to detect network vulnerabilities and ultimately protect VA data; it is imperative that risk to such sensitive information be mitigated to the maximum extent possible. As a closed source solution, the Core Impact software significantly reduces risk of exploitation to the VA enterprise network and sensitive information. Additionally, Core Impact software is compatible with VA infrastructure and scanning media to include, but not limited to, Nessus Vulnerability Scanner, NMap, Burp Suite and International Business Machines (IBM) AppScan. The software maintenance shall include weekly and daily exploit updates, access to customer portal (24x7) security patches and software updates, and telephone support. The period of performance for this effort shall be 12 months with three 12-month option periods.

4. Statutory Authority: The statutory authority permitting an exception to fair opportunity is Section 41 U.S.C. 4106(c)(2) as implemented by the Federal Acquisition Regulation (FAR) Subpart 16.505(b)(2)(i)(B), entitled "Only one awardee is capable of providing the supplies or services required at the level of quality required because the supplies or services ordered are unique or highly specialized."

5. Rationale Supporting Use of Authority Cited Above: Based on extensive market research, as described in section 8 of this justification, it was determined that limited competition is viable among authorized resellers for Core Impact software and associated maintenance. Core Impact is the only penetration testing, phishing assessment, and vulnerability scan validation software that provides VA a closed source solution that is interoperable with the VA infrastructure. Core Security develops exploits as a closed source solution, not relying on the open source community. The Government requires a closed source solution as open source software makes the source code available to the public, which allows amateurs/nefarious actors to easily design and distribute malware by embedding malicious code into the original open source distribution. The use of an open source solution presents unacceptable levels of risk of malicious attacks to the Government by nefarious actors and/or foreign Governments. If the Government were to utilize an open source software there would be increased risk of jeopardizing PII and PHI information to malicious attack. Additionally, access to these databases alleviates Government burden and resources that would be spent on keeping abreast of vulnerabilities, writing exploit code, and validating that it safely works on the production VA network. Furthermore, Core Impact software is the only closed source solution that is interoperable with current VA infrastructure operating systems (OS), Red Hat Enterprise Linux (RHEL) and Windows. Based on the market research, no other software provides a closed source solution that is interoperable with VA scanning media and OS infrastructure.

Finally, Core Impact is a proprietary software product; therefore, only Core Security or its authorized resellers have the access to the proprietary data and source code necessary to maintain its software. The proprietary code is required to ensure all Core Impact software updates and patches are properly pushed through to the fielded software and to ensure the software is properly configured. Access to this code is also required to ensure all services provided on the currently fielded software are properly configured. Access to Core Security proprietary data and source code is required to provide the required software maintenance on the Core Impact software. Failure to procure the brand name Core Impact software and associated software maintenance may prohibit VA's ability to detect the exploitation of network vulnerabilities, presenting an increased security risk to VA networks.

6. Efforts to Obtain Competition: Market research was conducted, details of which are in the market research section of this document. This effort did not yield any additional sources that can meet the Government's requirements. It was determined, however, that limited competition is viable among authorized resellers for this brand name software maintenance. In accordance with FAR 5.301 and 16.505(b)(2)(ii)(D), this action will be synopsized and the justification will be made publicly available on the Federal Business Opportunities Page within 14 days of award of the order, and this justification will also be posted to the NASA SEWP V GWAC website along with the Request for Quotation.

7. Actions to Increase Competition: The Government will continue to conduct market research to ascertain if there are changes in the marketplace that would enable future actions to be competed.

8. Market Research: Government NSOC technical experts conducted market research in April 2017 by reviewing similar software providers and maintenance to ascertain if these services could meet the Government requirements. VA NSOC technical experts also regularly review industry trade publications such as SC Magazine and ICSA Labs who test the products, review them all and compare similar products. Specifically, the Government technical experts reviewed similar products including Metasploit Pro and Cobalt Strike via current usage, product demos, and information technology (IT) security websites. A review of Metasploit Pro determined that product development relies on open sourced community participation and is absent a formal development life cycle. As an open source solution, Metasploit presents increased risk to VA sensitive information and malicious attacks to the VA network. A review of Cobalt Strike determined that its software solution requires OS software, Kali and Ubuntu, in order to operate. As VA utilizes OS RHEL and Windows, Cobalt Strike cannot interoperate within the current VA infrastructure.

As a result of this market research, for the reasons stated above, the Government technical experts confirmed that only Core Security can provide a penetration testing, phishing assessment, and vulnerability scan validation scanning software as a closed source solution that doesn't rely on open source code, therefore drastically reducing risk of security incidents to VA networks and PII/PHI data. Finally, only Core Security Core Impact is interoperable with existing VA software and infrastructure. Furthermore, it was found that Core Security and resellers of Core Security products are the only software providers that are able to provide maintenance on the Core Impact software licenses, as no other manufacturer has the required access to Core Security proprietary data and source code.

Government representatives released Request for Information (RFI) #50586 on NASA SEWP from January 18, 2017 through January 25, 2017. The RFI closed with three quotes received: one from Group B(2) (Service Disabled Veteran-Owned Small Businesses (SDVOSB)), one from Group C (small businesses), and one from Group D (Value Added Resellers). Additional market research was conducted during April 2017 by utilizing the NASA SEWP Provider Lookup Tool. The Provider Lookup Tool yielded 30 contract holders, of which seven are Group B(2) SDVOSB offering Core Security products. There is reasonable expectation that limited competition exists on the NASA SEWP V GWAC amongst Group B(2) concerns for Core Impact software and maintenance.

9. Other Facts: N/A
 
Web Link
FBO.gov Permalink
(https://www.fbo.gov/notices/ce5a29c553cab04f7eaf164ea07cb9dd)
 
Document(s)
Attachment
 
File Name: NNG15SD38B VA118-17-F-2069 NNG15SD38B VA118-17-F-2069_1.docx (https://www.vendorportal.ecms.va.gov/FBODocumentServer/DocumentServer.aspx?DocumentId=3593538&FileName=NNG15SD38B-018.docx)

 
Note: If links are broken, refer to Point of Contact above or contact the FBO Help Desk at 877-472-3779.
 
Record
SN04550081-W 20170621/170619235801-ce5a29c553cab04f7eaf164ea07cb9dd (fbodaily.com)
 
Source
FedBizOpps Link to This Notice
(may not be valid after Archive Date)
