Loren Data's SAM Daily™

fbodaily.com
FBO DAILY ISSUE OF MARCH 04, 2010 FBO #3022
SOURCES SOUGHT

D -- The Transportation Administration (TSA) is seeking sources for an Enterprise Vulnerability Scanning System (EVSS)

Notice Date
3/2/2010
 
Notice Type
Sources Sought
 
NAICS
541519 — Other Computer Related Services
 
Contracting Office
Department of Homeland Security, Transportation Security Administration, Headquarters TSA, 601 S. 12th Street, TSA-25, 10th Floor, Arlington, Virginia, 20598, United States
 
ZIP Code
20598
 
Solicitation Number
EVSS
 
Point of Contact
Renee Grace, Phone: 571-227-1411, Tonya R Pruitt, Phone: 571-227-3892
 
E-Mail Address
renee.grace@dhs.gov, tonya.pruitt@dhs.gov
 
Small Business Set-Aside
N/A
 
Description
Title: The Transportation Security Administration (TSA) is seeking sources for an Enterprise Vulnerability Scanning System (EVSS).

Description: The Transportation Security Administration (TSA) is seeking sources for Enterprise Vulnerability Scanning System (EVSS) technologies that are currently available in the marketplace. This is a Sources Sought Notice only and vendors will not be compensated for the information provided. No solicitation will be issued at this time.

The Transportation Security Administration (TSA) mission is to protect the Nation's transportation systems and to ensure freedom of movement for people and commerce. To support this mission, TSA is evaluating Enterprise Vulnerability Scanning System (EVSS) products/solutions that can provide the ability to scan, identify, report, and resolve information technology vulnerabilities across the entire TSA environment. The product/solution should allow authorized users to perform routine and ad-hoc scans across different types of infrastructure, track and report identified vulnerabilities, integrate with Security Information and Event Management tools, and allow TSA leadership access to information as needed.

Please provide a detailed description of how the product works and what differentiates it in the Enterprise Vulnerability Scanning market space. Please include at a minimum the following information:

• Describe how your product manages and performs Enterprise Vulnerability Scanning across multiple types of information technology systems. Please provide specific information on scanning capabilities for operating systems, databases, software applications, email servers, web applications/web servers/web services, firewalls, routers, middleware/Enterprise Service Bus (ESB)/SOA, SaaS/PaaS/IaaS, and any other system/platform on which your product can be used to identify and remediate software and system vulnerabilities.
• Describe the scanning mechanisms that are used, the typical load that is placed on the target system during scanning, the approximate time that scanning takes on a per host/software scan basis, and the anticipated network load for scanning activities. Does the scanner have the capability to exploit identified vulnerabilities? Does the scanner operate on an agent or agent-less basis? Does the scanner require a privileged account to operate on the system?
• Describe any mechanisms and product capabilities to identify previously unknown vulnerabilities and 0-day vulnerabilities. Discuss how the product addresses vulnerabilities that have not been previously identified. Does the system have the ability to perform near-real time updates from other product deployments and quickly identify newly found vulnerabilities on TSA systems with the updated information?
• Describe mechanisms used to exclude previously identified "false-positive" scan information on periodically recurring scans. Are there any structures in your product to allow for known vulnerability exceptions on a per system basis, or some mechanism to establish an expected baseline configuration?
• Describe any product functionalities that allow the delegation of vulnerability findings to another user who can remediate the vulnerability. Please describe any functions used to manage and control information in the system, and any other options for users to manage/track vulnerability information. Discuss integration options that are available to Change Control Software/Service Tracking packages. Describe any Role Based Access Control (RBAC) structure your product supports.
• Describe any knowledge base that is available for identified vulnerabilities and research of false-positives. Please describe your organization's methodology for incorporating/updating vulnerability information into your scanning tool, the frequency of updates to the scanning tool, and the frequency of updates for vulnerability information on your knowledge repositories.
• Describe the reporting functionality that the product provides, and the extent to which it can be customized to provide unique and customizable reports. Describe reporting dashboards that are available for Sr. Management reporting and monitoring.
• Describe authentication and authorization (A&A) mechanisms including Single Sign On and multifactor authentication mechanisms your product supports. Describe any remote access mechanisms that your product provides.
• Describe how your product controls privileged accounts from viewing information contained in the vulnerability tracking system. Explain how IT administrative users (server, database, other system administrators) not associated with the vulnerability system content are controlled and unable to access information that is in the vulnerability system.
• Describe how your product interfaces with other systems such as Security Information Event Management (SIEM) systems and interfaces with other business systems (i.e. Microsoft Office products, Microsoft Outlook/Exchange). Can vulnerability information be used to create tickets in Incident and Service tracking systems by sending email messages or some other application programming interfaces to automate ticket creation?
• Describe the product architecture and provide a representative diagram(s) if available. Include at a minimum the following product information:
  o User Interfaces
  o Directory Integration
  o Role-based Administration
  o Policy Creation and Management
  o System Administration, Reporting, and Other features
• Provide additional features/capabilities that differentiate your product from other product/solutions in the market.
  o Product roadmap
  o Third party products that have been successfully integrated including monitoring, SIEM, and forensic tools
• Provide company information and product history
  o Main Products/Services
  o Number of Years in the marketplace
  o Number of deployments, Number of federal government deployments
  o Professional Services capabilities and partnerships

ADMINISTRATIVE

All interested parties should submit a capability statement to the TSA Office of Acquisition (OA). The capability statement should clearly explain the contractor's abilities and experience directly related to the tasks listed in this notice. Submissions shall not exceed five (5) pages in length. A company must identify its business size status, type of small business, and applicable NAICS code(s) in the capability statement.

Capability statements are required to be received electronically via email to renee.grace@tsa.dhs.gov, Subject: TSA Enterprise Vulnerability Scanning System (EVSS), no later than March 16, 2010 at 5:00 p.m. Eastern Time. Responses received after this deadline will not be reviewed.

TSA's primary point of contact is the Contracting Officer Renee Grace, who can be reached via e-mail at renee.grace@dhs.gov. Any questions regarding this notice shall be directed to Mrs. Grace in writing, via email by March 9, 2010 at 5:00 p.m. Eastern Time.

Companies responding to this Sources Sought Notification are responsible for all expenses associated with responding to this Notification. (Note: TSA will not pay any costs associated with this effort). The TSA is not seeking or accepting unsolicited proposals. Since this Sources Sought Notification is for information and planning purposes, no evaluation letters or results will be issued to respondents.
 
Web Link
FBO.gov Permalink
(https://www.fbo.gov/spg/DHS/TSA/HQTSA/EVSS/listing.html)
 
Place of Performance
Address: Headquarters TSA, Arlington, Virginia, 20598, United States
Zip Code: 20598
 
Record
SN02080570-W 20100304/100302235114-8cd1eb5b85d6311e9632043ae1cb4a2c (fbodaily.com)
 
Source
FedBizOpps Link to This Notice
(may not be valid after Archive Date)
