DOCUMENT
D -- TAC-16-30082_Trusted Internet Connection (TIC) Gateway Application Firewalls - Attachment
- Notice Date
- 7/11/2016
- Notice Type
- Attachment
- NAICS
- 541519
— Other Computer Related Services
- Contracting Office
- Department of Veterans Affairs;Technology Acquisition Center;23 Christopher Way;Eatontown NJ 07724
- ZIP Code
- 07724
- Solicitation Number
- SEWPRFQ32958
- Archive Date
- 10/4/2016
- Point of Contact
- Tinamarie Giraud, Contract Specialist
- E-Mail Address
-
tinamarie.giraud@va.gov
(Tinamarie.Giraud@va.gov)
- Small Business Set-Aside
- N/A
- Award Number
- NNG15SC73B VA118-16-F-1156
- Award Date
- 7/6/2016
- Awardee
- FOUR LLC;15413 SNOWHILL LN;CENTREVILLE;VA;20120
- Award Amount
- $8,596,000.00
- Description
- JUSTIFICATION FOR AN EXCEPTION TO FAIR OPPORTUNITY 1. Contracting Activity:Department of Veterans Affairs (VA) Office of Acquisition and Logistics Technology Acquisition Center 23 Christopher Way Eatontown, NJ 07724 2. Description of Action: This proposed action is for a firm-fixed-price Delivery Order issued under the National Aeronautics and Space Administration (NASA) Solutions for Enterprise-Wide Procurement (SEWP) V Government Wide Acquisition Contract (GWAC) for 10 brand name Palo Alto Networks Gateway Application Firewalls equipped with hardware and software components and maintenance support services. 3. Description of the Supplies or Services: The proposed action is to procure 10 Palo Alto Networks Gateway Application Firewalls, inclusive of, hardware, software and maintenance support for the VA Office of Information Technology, Office of Information Security Network Security Operations Center (NSOC). The proposed action includes cabling, hardware security modules and interface transceivers that are not required to be a specific brand; however, these computing devices and ancillary hardware are required to be integrated into the firewalls. The proposed action also includes training which is not required to be a specific brand; however, it is required to complete the VA Trusted Internet Connection (TIC) Palo Alto Application Firewall solution. Brand agnostic products will be specified as brand name or equal in the solicitation and will include salient characteristics to allow prospective offerors the opportunity to propose equivalent products. The VA enterprise firewall network is managed from a central Palo Alto application and VA operates more than 30 Palo Alto Networks firewalls throughout the VA enterprise. There is a need to replace 10 older firewalls with new next generation firewalls that will ensure users have secure and safe network access to applications, files, protection against viruses, spam and malware while continuing to seamlessly integrate with other existing components of the TIC infrastructure. Two Gateway Application Firewalls are needed for each of VA's four Internet Gateways located in Sterling, Virginia; Dallas, Texas; Chicago, Illinois; and San Jose, California. The VA NSOC test environment located at the Capital Region Readiness Center (CRRC) in Martinsburg, West Virginia will receive the other two Gateway Application Firewalls. These firewalls are required for the NSOC to be in full compliance with the Office of Management and Budget (OMB) and Department of Homeland Security Trusted Internet Connections (TIC) Initiative Critical Capability #TS.CF.01. Specifically, Initiative Critical Capability #TS.CF.01 requires the TIC access point to deploy firewalls, proxies, or other technical means to facilitate inspection of application layer (layer 4 and above) traffic, inbound and outbound and the TIC Access Provider to have an approval process that considers risk when allowing new (or exempting previous) application traffic. Without this procurement, VA is exposed to increased risk of cyber-attacks. With increased user traffic, newer gateway application firewalls will allow users to gain the combination of easier connectivity and overall protection against network threats when performing their mission. VA's application firewalls interface and are heavily integrated with VA's existing visibility and monitoring tools, security information and event management tools, and advanced security and analytics tools. Any replacement firewall must seamlessly integrate with other VA Information Technology (IT) systems. Due to the need for integration with other VA IT systems as well as the need to operate with the existing Palo Alto Network, VA requires the exact same functionality that the present Palo Alto Networks Gateway provides in order to ensure there is no increased risk of cyber-attacks or vulnerabilities. Maintenance support is essential to ensure full compliance with Critical Capability requirements; support confidentiality, integrity and availability for minimizing risks associated with known and unknown application-borne threats. Maintenance support includes software subscription licenses, technical support, replacement parts with four hour Return Material Authorization (RMA), and 24 hours a day, 7 days a week (24X7) phone and email support. The maintenance support shall commence upon VA's acceptance of the Palo Alto firewalls. Delivery of first two (2) firewalls shall be within 30 days after receipt of order. The remaining eight (8) shall be due seven (7) days after formal Government acceptance of the initial two (2) firewalls. Delivery shall include all required system licensing necessary to ensure all application firewalls fully meet the requirements specified in the Product Description. The period of performance shall consist of a 12-month base period and three (3) 12-month option periods for maintenance support. 4. Statutory Authority: The statutory authority permitting this exception to fair opportunity is Section 41 U.S.C. 4106(c)(2) as implemented by the Federal Acquisition Regulation (FAR) 16.505(b)(2)(i)(B), entitled "Only one awardee is capable of providing the supplies or services required at the level of quality required because the supplies or services ordered are unique or highly specialized." 5. Rationale Supporting Use of Authority Cited Above: Based on extensive market research, as described in Section 8 of this document, it was determined that limited competition is viable among authorized resellers of Palo Alto Networks Gateway Application Firewalls and maintenance support services. VA currently utilizes Palo Alto Networks brand hardware and software to meet VA's requirements for Application Firewall. The VA enterprise is managed from a central Palo Alto application and VA operates more than 30 of Palo Alto Networks firewalls throughout the VA enterprise. VA is not replacing its entire Firewall network, but rather is replacing 10 firewalls, therefore, any firewall being replaced must interoperate and be compatible with the existing VA enterprise firewall management appliance. The existing Palo Alto Gateway Firewall is proprietary to Palo Alto and due to the proprietary code of Palo Alto no other brand of firewall is compatible with the current enterprise firewall management appliance and can interoperate within VA's existing application firewall enterprise system. If the solution is not interoperable with VA's current enterprise firewall management compliance and firewall enterprise system, VA will lose the capability to manage the firewalls. Additionally, the existing Palo Alto Networks Gateway Application Firewalls interface with VA's existing visibility and monitoring tools, security information and event management tools, and advanced security and analytics tools. VA has built custom security monitoring and alerting tools that are based on the Palo Alto Networks platform. These tools provide VA management with critical information on active and potential threats to VA networks. Therefore, use of another brand firewall would require VA to replace the management appliance currently integrated in the TIC architecture. It is not possible for another brand management appliance to manage Palo Alto proprietary devices. Use of non-Palo Alto firewalls will require re-engineering of VA networks and redesigning of the VA architecture including protocols and business process. The costs associated for VA to completely reconfigure the other VA IT systems would not be recovered by competition, and there would be a significant increase in risk to VA information systems during any such reconfiguration. By way of example, the portal used by VA Information Security Officers (ISO) to retrieve a complete log of a VA user's web browsing history is built on the Palo Alto Networks platform. Engineering another system to provide these functions would result in delays in processing of critical information security reports placing the VA enterprise at significant risk of security breaches. It is estimated that a minimum of 2,880 hours (18 months) of senior level engineering time would be required to duplicate the functionality described above using a non-Palo Alto Networks solution, during which time significant security functions would be unavailable to information security teams and ISOs within VA. This estimate is based on previous efforts conducted by VA. In addition, due to the integration and compatibility requirement with the enterprise firewall management appliance, the current functionality of the VA enterprise firewall must be maintained in its entirety in order to prevent any increased risk to VA systems. All of the current Application Firewalling functionalities are critical to maintaining VA's current architecture and ensuring compliance with OMB. The current functionalities of the Application Firewalling are actively in use by VA and can only be satisfied by Palo Alto Networks Gateway Application Firewalls. Removing even one of any of these features will reduce the functionality of the firewall and present significantly increased security risk to VA networks. Additionally, VA requires maintenance support to include software subscription licenses, technical support, replacement parts with four hour RMA and 24X7 phone and email support. Only Palo Alto or an authorized reseller can provide the necessary support because of the propriety nature of the technology required to troubleshoot, diagnose and configure the Palo Alto Networks firewalls. Because of the proprietary nature of Palo Alto firewalls other manufacturers will not have access to the source code and databases required for to provide support. Based on market research, as described in Section 8 of this document, it was determined that limited competition is viable among authorized resellers. 6. Efforts to Obtain Competition: Market research was conducted, details of which are in the market research section of this document. This effort did not yield any additional sources that can meet the Government's requirements. It was determined, however, that limited competition is viable among authorized resellers for this brand name item. In accordance with FAR 5.301 and 16.505(b)(2)(ii)(D), this action will be synopsized on the Federal Business Opportunities Page (FBO) within 14 days of award, and the justification will also be posted to the NASA SWEP V GWAC website along with the Request for Quotation. 7. Actions to Increase Competition: In order to remove or overcome barriers to competition in future acquisitions for this requirement, the agency will work with the program office to perform additional market research so that other solutions can be considered. Specifically, the Government's technical experts will continue to research other brand name firewalls, their required infrastructure, their potential ability to integrate with the existing infrastructure and their ability to meet VA TIC requirements. 8. Market Research: A Request for Information (RFI) #21850 was posted to all Groups under the NASA SEWP V GWAC on February 5, 2016 and closed February 25, 2016. The RFI yielded a response from 13 vendors. After review of the responses the Government requirements were better refined based on questions asked during the initial RFI and included training. Another RFI was posted to NASA SEWP V to obtain additional market research on April 15, 2016, RFI #27145 and closed on April 21, 2016. The RFI yielded a response from seven vendors. The Government technical representatives evaluated interested sources capable of providing a solution based on VA's requirements. Out of the 20 responses received, four responded with a Palo Alto firewall. The remaining 16 vendors proposed a variety of vendor solutions as follows: Juniper, Fortinet, Imperva, Bluecoat and Dell SonicWall and A10. Based on the market research, no other brand can interoperate and be compatible with the existing VA enterprise firewall network due to the proprietary code of Palo Alto. Based on the market research, only a Palo Alto Networks based solution was able to meet all of the technical requirements of the government including the requirement to interoperate within VA's current infrastructure. Furthermore, based on the market research conducted by the Government's technical experts, it has been determined that no other maintenance support providers have access to the proprietary data required to provide the necessary maintenance support. Additionally, in April 2016, the Technology Acquisition Center conducted additional market research utilizing the Provider Lookup Tool on the NASA SEWP V GWAC website, which confirmed that there are 62 federal registered partners that can provide brand name Palo Alto and maintenance support services warranty on the NASA SEWP V GWAC, including 14 service-disabled Veteran-owned small businesses. Based on the market research efforts, the Government's technical experts determined that only Palo Alto maintenance support can meet all of NSOC's requirements. 9. Other Facts: None.
- Web Link
-
FBO.gov Permalink
(https://www.fbo.gov/notices/01b8144171d34aadc8f92d88b77f643f)
- Document(s)
- Attachment
- File Name: NNG15SC73B VA118-16-F-1156 NNG15SC73B VA118-16-F-1156.docx (https://www.vendorportal.ecms.va.gov/FBODocumentServer/DocumentServer.aspx?DocumentId=2863524&FileName=NNG15SC73B-000.docx)
- Link: https://www.vendorportal.ecms.va.gov/FBODocumentServer/DocumentServer.aspx?DocumentId=2863524&FileName=NNG15SC73B-000.docx
- Note: If links are broken, refer to Point of Contact above or contact the FBO Help Desk at 877-472-3779.
- File Name: NNG15SC73B VA118-16-F-1156 NNG15SC73B VA118-16-F-1156.docx (https://www.vendorportal.ecms.va.gov/FBODocumentServer/DocumentServer.aspx?DocumentId=2863524&FileName=NNG15SC73B-000.docx)
- Record
- SN04177905-W 20160713/160711234844-01b8144171d34aadc8f92d88b77f643f (fbodaily.com)
- Source
-
FedBizOpps Link to This Notice
(may not be valid after Archive Date)
| FSG Index | This Issue's Index | Today's FBO Daily Index Page |