This repository has been archived by the owner on Dec 8, 2017. It is now read-only.

Initial upload
First draft of documents converted to Markdown
Omid Ghaffari-Tabrizi authored and Omid Ghaffari-Tabrizi committed Jun 7, 2017
0 parents commit 2348f67
Showing 9 changed files with 722 additions and 0 deletions.
19 changes: 19 additions & 0 deletions CONTRIBUTING.md
@@ -0,0 +1,19 @@
## Welcome!

We're so glad you're thinking about contributing to a TTS open source project! If you're unsure about anything, just ask -- or submit the issue or pull request anyway. The worst that can happen is you'll be politely asked to change something. We love all friendly contributions.

We want to ensure a welcoming environment for all of our projects. Our staff follow the [18F Code of Conduct](https://github.com/18F/code-of-conduct/blob/master/code-of-conduct.md) and all contributors should do the same.

We encourage you to read this project's CONTRIBUTING policy (you are here), its [LICENSE](LICENSE.md), and its [README](README.md).

If you have any questions or want to read more, check out the [18F Open Source Policy GitHub repository](https://github.com/18f/open-source-policy), or just [shoot us an email](mailto:[email protected]).

## Public domain

This project is in the public domain within the United States, and
copyright and related rights in the work worldwide are waived through
the [CC0 1.0 Universal public domain dedication](https://creativecommons.org/publicdomain/zero/1.0/).

All contributions to this project will be released under the CC0
dedication. By submitting a pull request, you are agreeing to comply
with this waiver of copyright interest.
31 changes: 31 additions & 0 deletions LICENSE.md
@@ -0,0 +1,31 @@
As a work of the United States Government, this project is in the
public domain within the United States.

Additionally, we waive copyright and related rights in the work
worldwide through the CC0 1.0 Universal public domain dedication.

## CC0 1.0 Universal Summary

This is a human-readable summary of the [Legal Code (read the full text)](https://creativecommons.org/publicdomain/zero/1.0/legalcode).

### No Copyright

The person who associated a work with this deed has dedicated the work to
the public domain by waiving all of his or her rights to the work worldwide
under copyright law, including all related and neighboring rights, to the
extent allowed by law.

You can copy, modify, distribute and perform the work, even for commercial
purposes, all without asking permission.

### Other Information

In no way are the patent or trademark rights of any person affected by CC0,
nor are the rights that other persons may have in the work or in how the
work is used, such as publicity or privacy rights.

Unless expressly stated otherwise, the person who associated a work with
this deed makes no warranties about the work, and disclaims liability for
all uses of the work, to the fullest extent permitted by applicable law.
When using or citing the work, you should not imply endorsement by the
author or the affirmer.
41 changes: 41 additions & 0 deletions README.md
@@ -0,0 +1,41 @@
# Nessus Manager

This repository was created in the hopes that government agencies -- from Federal to state to local municipalities -- can make an acquisition of a Nessus Manager license simpler. We have included our internal [acquisition documents](acquisition_documents) as well as our public facing [solicitation documents](solicitation_documents). The [README](SOLICITATION_README.md) file associated with the solicitation itself is also included.

## Background

As part of its Authorization to Operate (ATO), [cloud.gov](https://cloud.gov/) (TTS) had to purchase access to a pre-existing, commercially available, and specific vulnerability scanner that will allow it to continuously monitor its infrastructure. Having outgrown a license that could be purchased on a Purchase Card (p-card), the purpose of this acquisition was to give [cloud.gov](https://cloud.gov/) a license that would allow it to monitor the larger number of hosts/agents now required to be scanned.

### What we're hoping to end up with

The purpose of this repository is to provide government agencies (and even private industry partners) the ability to learn from our experiences and acquire this specific vulnerability scanner for themselves.

## Contents

### [Solicitation Documents](solicitation_documents)

1. [Request for Quotation (RFQ)](solicitation_documents/001_RFQ.md) (as had been amended to extend the response deadline)

2. [Statement of Work (SOW)](solicitation_documents/002_SOW.md)

3. [Brand Name Justification](solicitation_documents/003_Justification.md)

4. [Solicitation Readme](SOLICITATION_README.md) (though not used, this is what would have been used and is being provided as a convenience)

### [Acquisition Documents](acquisition_documents)

1. [Independent Government Cost Estimate](acquisition_documents/IGCE_Nessus.xlsx)

2. [Market Research Report](acquisition_documents/Market_Research_Report.md)

## Contributing

See [CONTRIBUTING](CONTRIBUTING.md) for additional information.

## Public domain

This project is in the worldwide [public domain](LICENSE.md). As stated in [CONTRIBUTING](CONTRIBUTING.md):

> This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the [CC0 1.0 Universal public domain dedication](https://creativecommons.org/publicdomain/zero/1.0/).
>
> All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.
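Review bot: tense mismatch in the Background paragraph of README.md: "had to purchase access to a ... vulnerability scanner that will allow it to continuously monitor its infrastructure" mixes past and future, while the second half of the same sentence correctly uses "a license that would allow it"; change "that will allow" to "that would allow" so the two halves agree (the present-tense wording in SOLICITATION_README.md is fine as-is, since that file is written as the live solicitation).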
45 changes: 45 additions & 0 deletions SOLICITATION_README.md
@@ -0,0 +1,45 @@
# cloud.gov Vulnerability Scanner Upgrade

This solicitation is being sent directly to your company, along with other Nessus Manager authorized resellers. Please submit any questions by *May 22, 2017 at 4:00pm EST*. The TTS Contracting Officer will only be responding to questions submitted by email. Comments from other parties or in other formats will still be considered but we cannot commit to responding to them.

**Proposals are due by May 23, 2017 at 4:00pm EST.**

## Background

As part of its Authorization to Operate (ATO), [cloud.gov](https://cloud.gov/) (TTS) has to purchase access to a pre-existing, commercially available, and specific vulnerability scanner that will allow it to continuously monitor its infrastructure. Having outgrown a license that could be purchased on a Purchase Card (p-card), the purpose of this acquisition is to give [cloud.gov](https://cloud.gov/) a license that will allow it to monitor the larger number of hosts/agents now required to be scanned.

### What we're hoping to end up with

The purpose of this solicitation is for the contractor to deliver a license which cloud.gov will utilize to scan up to 512 hosts/agents. The contractor will provide access to the Tenable Nessus Manager vulnerability scanner license via a URL.

### How to respond

Detailed instructions about how to respond are explained in [our RFQ](solicitation_documents/001_RFQ.md).

### Key personnel

There are none required for this acquisition.

### Period of performance

There will be a Base Period of 12 months and two Option Periods of 12 months each. Details, including the official start date, are explained in [our SOW](solicitation_documents/002_SOW.md).

## Contents

1. [Request for Quotation (RFQ)](solicitation_documents/001_RFQ.md) (as had been amended to extend the response deadline)

2. [Statement of Work (SOW)](solicitation_documents/002_SOW.md)

3. [Brand Name Justification](solicitation_documents/003_Justification.md)

## Contributing

See [CONTRIBUTING](CONTRIBUTING.md) for additional information.

## Public domain

This project is in the worldwide [public domain](LICENSE.md). As stated in [CONTRIBUTING](CONTRIBUTING.md):

> This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the [CC0 1.0 Universal public domain dedication](https://creativecommons.org/publicdomain/zero/1.0/).
>
> All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.
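Review bot: the proposal deadline here ("**Proposals are due by May 23, 2017 at 4:00pm EST.**") does not match the RFQ added in this same commit, which says quotes are due "no later than 10:00 AM Eastern Time on May 23, 2017"; settle on one time, since a vendor reading this README first would miss the RFQ cutoff. While fixing that, May is daylight time, so both the question deadline ("May 22, 2017 at 4:00pm EST") and the proposal deadline should say "Eastern Time" or "EDT" rather than "EST", matching the RFQ's wording.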
Binary file added acquisition_documents/IGCE_Nessus.xlsx
Binary file not shown.
50 changes: 50 additions & 0 deletions acquisition_documents/Market_Research_Report.md
@@ -0,0 +1,50 @@
# General Services Administration (GSA)
# Technology Transformation Service (TTS)
## cloud.gov Vulnerability Scanner License Upgrade

# Market Research Report

The following market research is in accordance with Federal Acquisition Regulation [Part 10](https://www.acquisition.gov/sites/default/files/current/far/html/Subpart%2010_0.html#wp1087786).

## PRODUCT/SERVICE DESCRIPTION
The purpose of this acquisition is to upgrade purchase a license for a Nessus Manager Vulnerability Scanner -- referred to as Nessus throughout the rest of this document. Nessus is a product required for cloud.gov to maintain its [FedRAMP Provisional Authority to Operate](https://www.fedramp.gov/resources/faqs/what-is-a-fedramp-provisional-authorization/) (P-ATO). The purpose of the scanner is to detect security vulnerabilities in the platform and alert GSA staff with potential remediation efforts.

## BACKGROUND
GSA TTS builds and delivers digital services for clients within the federal government, including within GSA. Many current and projected projects are hosted on GSA infrastructure, including cloud.gov.

Currently, GSA cloud.gov holds a 128-host Nessus license. After receiving an activation code, the license manager logs on to cloud.gov’s customer dashboard and downloads the Nessus program to begin a vulnerability scan of the cloud.gov platform.

The cost for the current 128-host Nessus license is below the micro-purchase threshold, and has been purchased via a Purchase Card (p-card). Due to the growth of GSA TTS over the past year, cloud.gov is now hosting more sites and requires an upgrade to the Nessus 512-host license, to allow scans to be completed on the current and new sites and meet all GSA IT security requirements. The larger host license is above the micro-purchase threshold, but does not exceed the simplified acquisition threshold. The current license expires June 4, 2017.

## APPROPRIATE CODES
NAICS Code 511210 - Software Publishers

## RESEARCH METHODS
The following methods were utilized to conduct Market Research:

* FedBizOpps (FBO)
* GSA/FSS (GSA Advantage)
* NASA Solutions for Enterprise Wide Procurement (SEWP)
* SAM.gov
* Internet
* Other

## RESULTS & ALTERNATIVES
Market research conducted by GSA TTS, including the industry-expert developers, designers, and engineers on the cloud.gov team, fully supports this determination of essentiality, and thus, justification for limiting competition to this single brand name product.

Market research included an internet search which revealed several vendors provide vulnerability scanner licenses; however, Nessus is the only product listed and approved on the [GSA EA Analytics & Reporting](https://ea.gsa.gov/EAWEB/#!/itstandards/find/all=nessus&cols=Name,Description,Category,Status,Comments) (GEAR) list. The GEAR list is a the authoritative location for all GSA employees and contractors use for information about applications, business capabilities, Federal Information Security Modernization Act (FISMA) systems, IT hardware and software standards.

Nessus is not available on GSA IT Schedule 70 or NASA SEWP.

## PROCUREMENT HISTORY
Currently, cloud.gov has been using a Purchase Card (p-card) to acquire the 128-host license; however, the cost has gone above the p-card threshold, and can no longer be purchased that way because cloud.gov has more sites being hosted on it and they needed to expand so the new "containers" can be scanned. The current 128-host license expires June 4, 2017. There is no other relevant history to this action.

## MARKET ANALYSIS
The results of market research have determined that the Government's needs can be met by awarding a brand name purchase order to one of the vendors offering the Nessus brand name product. Tenable is the manufacturer of Nessus but they do not sell the 512-host themselves; this is literally posted on their [webpage](https://store.tenable.com/?main_page=index&cPath=23). Tenable created an authorized resellers list of vendors who can sell the 512-host license and has a contract with each of those vendors.

There are 14 vendors on the [North American Government resellers list](http://www.tenable.com/partners/find-a-reseller?title=&shs_term_node_tid_depth=32&field_partner_audience_tid=427), 6 of which are registered in SAM.gov, located in the US, and all have a socioeconomic status.

## CONCLUSION
The current cloud.gov license expires June 3, 2017. An award must be in place prior to that date to avoid a lapse in service, otherwise a new license would need to be purchased which would result in additional cost to the Government. After an exhaustive review of government databases and market intelligence tools identified above, the Government has determined that Nessus is a commercial item and is the only product that can be purchased to fulfill cloud.gov’s needs, keep from the Government spending duplicative costs and effort to use any other strategy.

(Signature block for TTS Contracting Officer)
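Review bot: the license expiry date is inconsistent within Market_Research_Report.md: BACKGROUND and PROCUREMENT HISTORY say the current 128-host license "expires June 4, 2017", while CONCLUSION says "expires June 3, 2017"; pick one, because the conclusion's argument for urgency rests on that date. Two wording fixes in the same file: "The purpose of this acquisition is to upgrade purchase a license" should read "The purpose of this acquisition is to purchase an upgraded license", and "The GEAR list is a the authoritative location for all GSA employees and contractors use for information about" should read "The GEAR list is the authoritative source that GSA employees and contractors use for information about".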
28 changes: 28 additions & 0 deletions solicitation_documents/001_RFQ.md
@@ -0,0 +1,28 @@
# General Services Administration (GSA)
# Technology Transformation Service (TTS)
## cloud.gov Vulnerability Scanner License Upgrade

# Request for Quote (RFQ)
## Amendment 1

This RFQ is issued under FAR Part 13 Simplified Acquisition Procedures.

Your company, along with other Nessus Manager authorized resellers, is being requested to provide a competitive price quote to upgrade the current cloud.gov Nessus Manager License, CID #29905.

By submission of its quote, the vendor accepts all RFQ requirements, including terms and conditions, representations and certifications, and technical requirements in the [Scope of Work (Attachment 1)](002_SOW.md).

This acquisition will utilize Lowest Price Technically Acceptable (LPTA) source selection procedures in accordance with [FAR 13.106-2](https://www.acquisition.gov/sites/default/files/current/far/html/Subpart%2013_1.html#wp1125487). This is a competitive LPTA source selection in which price is considered the most important factor. By submission of its quote, the vendor accepts all RFQ requirements, including terms and conditions, representations and certifications, and technical requirements. All technically acceptable vendors, shall be treated equally except for their prices. Failure to meet a requirement may result in a quote being determined technically unacceptable. Vendors must clearly identify any exception to the solicitation and conditions and provide complete accompanying rationale. The Government intends to select ONE contractor for award of this requirement.

For the purpose of award, the government shall evaluate quotes based on the evaluation factors described below:

## FACTOR 1: Technical Acceptability (Pass/Fail)
Provide a quote for the Nessus Manager license upgrade from the current 128-host/agent license to the a 512-host/agent license.

## FACTOR 2: Cost/Price
The vendor shall submit the total Firm-Fixed-Price (FFP), including the cost of software license(s) and any other items necessary to upgrade from the current 128-host/agent license to the a 512-host/agent license, using the format below.

The price shall be broken out to show all costs for the one Base Year and 2 Option Years. The Government will not make an award of the purchase order until such time as the price quotation received is determined to be fair and reasonable, and award of the contract is in the best interest of the Government.

The Government may reject any quote that is evaluated to be unrealistic in terms of program commitments, including contract terms and conditions, or unrealistically high or low in cost/price, or are unbalanced, such that the quote is deemed to reflect an inherent lack of competence or failure to comprehend the technical requirements.

Quotes shall be emailed to [email protected] as soon as possible, but no later than 10:00 AM Eastern Time on May 23, 2017.
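Review bot: the sentence "By submission of its quote, the vendor accepts all RFQ requirements, including terms and conditions, representations and certifications, and technical requirements" appears twice in 001_RFQ.md, once on its own (with the SOW link) and again inside the LPTA paragraph; keep the first and drop the repeat. The attachment is called "Scope of Work (Attachment 1)" here but "Statement of Work (SOW)" in the linked file and in both READMEs; use one name. "to the a 512-host/agent license" in both FACTOR 1 and FACTOR 2 has a stray "the". Lastly, this public copy carries the current license's identifier ("CID #29905"); confirm that the license ID is fine to publish in a public repository, or drop it from this copy, since it is not needed for a vendor to quote the upgrade.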