GSA, TTS, 1800 F St NW, Washington, DC, 20006.
The statutory authority permitting other than full and open competition is implemented by FAR 6.302 et seq. The rationale for this justification is based on FAR 13.106-1(b)(1), which relates to soliciting from only one source for purchases not exceeding the simplified acquisition threshold.
GSA TTS intends to award a brand name, firm fixed price purchase order for a commercial item peculiar to one vendor. The basis for limiting the sources for this acquisition is the technical characteristics of the Nessus Manager product, referred to as Nessus throughout the rest of this document, together with the specific government requirements of GSA Information Technology (IT) security policy and of cloud.gov.
Currently, GSA cloud.gov holds a 128-host Nessus license. After receiving an activation code, the license manager logs on to cloud.gov's customer dashboard and downloads the Nessus program to begin vulnerability scanning of the cloud.gov platform.
The cost of the current 128-host license is below the micro-purchase threshold, and it has been purchased via a Purchase Card (p-card). Due to the growth of GSA TTS over the past year, cloud.gov is now hosting more sites and requires an upgrade to the Nessus 512-host license, so that scans can be completed on the new sites and all GSA IT security requirements can be met. The larger host license is above the micro-purchase threshold but does not exceed the simplified acquisition threshold. The current license expires June 4, 2017.
The period of performance will be as follows:
- Base Year (12-months): June 3, 2017 - June 2, 2018
- Option Period 1 (12-months): June 3, 2018 - June 2, 2019
- Option Period 2 (12-months): June 3, 2019 - June 2, 2020
The government estimate is $8,000.00 each year. Total estimated contract value: $24,000.00.
The statutory authority permitting other than full and open competition is implemented by FAR 13.106 -- Soliciting Competition, Evaluation of Quotations or Offers, Award and Documentation.
(b) Soliciting from a single source.
(1) For purchases not exceeding the simplified acquisition threshold.
(i) Contracting officers may solicit from one source if the contracting officer determines that the circumstances of the contract action deem only one source reasonably available (e.g., urgency, exclusive licensing agreements, brand-name or industrial mobilization).
(ii) Where a single source is identified to provide a portion of a purchase because that portion of the purchase specifies a particular brand-name item, the documentation in paragraph (b)(1)(i) of this section only applies to the portion of the purchase requiring the brand-name item. The documentation should state it is covering only the portion of the acquisition which is brand-name.
The current cloud.gov Nessus 128-host license is used by GSA Information Security, and Nessus is the only vulnerability scanner approved on the GSA EA Analytics & Reporting (GEAR) list. Nessus is also required for cloud.gov to maintain its FedRAMP Provisional Authority to Operate (P-ATO), which is based on a System Security Plan (SSP) whose vulnerability-scanning controls are supported entirely by Nessus.
It is critical for GSA Information Security to have consistent tools for oversight of GSA systems. Nessus runs baseline configuration scans and compliance scans of the virtual infrastructure using custom scan policies and templates. Access to Nessus is restricted to the GSA IP address space. Nessus runs both authenticated (credentialed) and unauthenticated scans against cloud.gov components, and it allows Cloud Operations and GSA Information Security to track changes in risk level as remediation progresses. Together, these capabilities give cloud.gov all of the functions and features required of a vulnerability scanner under its FedRAMP JAB P-ATO at the Moderate impact level.
The entire purchase order is peculiar to one manufacturer. The brand name description of Nessus will be posted via GSA TTS GitHub.
Market research conducted by GSA TTS, including input from the industry-expert developers, designers, and engineers on the cloud.gov team, fully supports this determination of essentiality and, thus, the justification for limiting competition to this single brand name product.
Market research included an internet search, which revealed that several vendors provide vulnerability scanner licenses; however, none of those products are on the GSA EA Analytics & Reporting (GEAR) list. The GEAR list provides commonly used strategic, business, and technical information to users throughout GSA, giving insight into the common direction for GSA IT and giving working groups the data they need to do their jobs.
This product is not available on GSA IT Schedule 70.
This product is not available on NASA SEWP.
Fair opportunity will be given to all vendors that offer the Nessus brand name product and can provide the upgrade from the 128-host to the 512-host license.
The price will be determined fair and reasonable based on the Government Estimate and survey of the market.
The RFQ and this Brand Name Justification will be posted on GSA TTS GitHub. Any responses to this Brand Name Justification will be considered for use in future procurements similar to this one.
I hereby certify that the information contained in this Justification and Approval for Other Than Full and Open Competition for acquiring Nessus for cloud.gov is accurate and complete to the best of my knowledge and belief, and is in the best interest of the Government.
(Signature blocks for TTS Product Lead and TTS Contracting Officer)