This repository has been archived by the owner on Dec 8, 2017. It is now read-only.

General Services Administration (GSA)

Technology Transformation Service (TTS)

cloud.gov Vulnerability Scanner License Upgrade

Market Research Report

The following market research is in accordance with Federal Acquisition Regulation Part 10.

PRODUCT/SERVICE DESCRIPTION

The purpose of this acquisition is to purchase an upgraded license for a Nessus Manager Vulnerability Scanner, referred to as Nessus throughout the rest of this document. Nessus is a product required for cloud.gov to maintain its FedRAMP Provisional Authority to Operate (P-ATO). The purpose of the scanner is to detect security vulnerabilities in the platform and alert GSA staff with potential remediation efforts.

BACKGROUND

GSA TTS builds and delivers digital services for clients within the federal government, including within GSA. Many current and projected projects are hosted on GSA infrastructure, including cloud.gov.

Currently, GSA cloud.gov holds a 128-host Nessus license. After receiving an activation code, the license manager logs on to cloud.gov’s customer dashboard and downloads the Nessus program to begin a vulnerability scan of the cloud.gov platform.

The cost for the current 128-host Nessus license is below the micro-purchase threshold, and has been purchased via a Purchase Card (p-card). Due to the growth of GSA TTS over the past year, cloud.gov is now hosting more sites and requires an upgrade to the Nessus 512-host license, to allow scans to be completed on the current and new sites and meet all GSA IT security requirements. The larger host license is above the micro-purchase threshold, but does not exceed the simplified acquisition threshold. The current license expires June 4, 2017.

APPROPRIATE CODES

NAICS Code 511210 - Software Publishers

RESEARCH METHODS

The following methods were utilized to conduct Market Research:

  • FedBizOpps (FBO)
  • GSA/FSS (GSA Advantage)
  • NASA Solutions for Enterprise Wide Procurement (SEWP)
  • SAM.gov
  • Internet
  • Other

RESULTS & ALTERNATIVES

Market research conducted by GSA TTS, including the industry-expert developers, designers, and engineers on the cloud.gov team, fully supports this determination of essentiality, and thus, justification for limiting competition to this single brand name product.

Market research included an internet search, which revealed that several vendors provide vulnerability scanner licenses; however, Nessus is the only product listed and approved on the GSA EA Analytics & Reporting (GEAR) list. The GEAR list is the authoritative location that all GSA employees and contractors use for information about applications, business capabilities, Federal Information Security Modernization Act (FISMA) systems, and IT hardware and software standards.

Nessus is not available on GSA IT Schedule 70 or NASA SEWP.

PROCUREMENT HISTORY

Currently, cloud.gov has been using a Purchase Card (p-card) to acquire the 128-host license. However, the cost has gone above the p-card threshold and the license can no longer be purchased that way, because cloud.gov has more sites hosted on it and needs to expand the license so the new "containers" can be scanned. The current 128-host license expires June 4, 2017. There is no other relevant history to this action.

MARKET ANALYSIS

The results of market research have determined that the Government's needs can be met by awarding a brand name purchase order to one of the vendors offering the Nessus brand name product. Tenable is the manufacturer of Nessus but does not sell the 512-host license itself; this is stated on its webpage. Tenable created an authorized resellers list of vendors who can sell the 512-host license and has a contract with each of those vendors.

There are 14 vendors on the North American Government resellers list, 6 of which are registered in SAM.gov, located in the US, and all have a socioeconomic status.

CONCLUSION

The current cloud.gov license expires June 3, 2017. An award must be in place prior to that date to avoid a lapse in service; otherwise, a new license would need to be purchased, which would result in additional cost to the Government. After an exhaustive review of the government databases and market intelligence tools identified above, the Government has determined that Nessus is a commercial item and is the only product that can be purchased to fulfill cloud.gov’s needs and keep the Government from spending duplicative costs and effort on any other strategy.

(Signature block for TTS Contracting Officer)