Accessibility Information

Users of assistive technologies such as screen readers should use the following link to activate Accessibility Mode before continuing: Learn more and Activate accessibility mode.

Department of Defense (DoD) Enterprise-wide Host-Based Security System (HBSS)

Solicitation Number:
Agency: Defense Information Systems Agency
Office: Procurement Directorate
Location: DITCO-Scott
  • Print
:
Justification and Approval (J&A)
:
FAR 6.302-1 - Only one responsible source (except brand name)
:
July 25, 2011
:
HC102808D20140009
:
Added: Aug 08, 2011 10:12 am
 

 



JUSTIFICATION FOR OTHER THAN FULL AND OPEN COMPETITION (OTFAOC)


LIMITED SOURCES JUSTIFICATION


Justification for OTFAOC Number:  JA11-096


 


Upon the basis of the following justification, I, as PROCURING ACTIVITY COMPETITON ADVOCATE, hereby approve the use of other than full and open competition of the proposed contractual action pursuant to the authority of  10 U.S.C. §2304c(b), Task and Delivery Order Contracts: Orders - Fair Opportunity Exceptions.


 


 


JUSTIFICATION


 


1.  REQUIRING AGENCY AND CONTRACTING OFFICE:


 


Requiring Agency: Defense Information Systems Agency (DISA)/Program Executive Office Mission Assurance and Network Operations (PEO MA)


 


Contracting Activity: DISA/Defense Information Technology Contracting Organization (DITCO), ATTN: PL8313, 2300 East Drive, Scott AFB IL  62225


 


2.  NATURE/DESCRIPTION OF ACTION(S): 


The objective of this effort is the procurement of continuing license maintenance for a unique suite of products currently under perpetual license and training for the existing Department of Defense (DoD) Enterprise-wide Host-Based Security System (HBSS).  This is for a new task order under ECORE II an existing IDIQ contract.


 


Fragmentary Orders (FRAGO) and Communication Tasking Orders (CTO) issued by USSTRATCOM mandate the continued implementation and operation of HBSS across DoD networks.  (Fragmentary Orders provide timely changes of existing Operation Orders (directives a commander issues to subordinate commanders to coordinate the execution of an operation) to subordinate and supporting commands while providing notification to higher and adjacent commands.) After issuance of the initial FRAGO mandate, DoD has deployed HBSS across DoD networks under the auspices of the DoD Enterprise Wide Information Assurance/Computer Network Defense (CND) Enterprise Solutions Steering Group (ESSG).


 


The IASSURE Contract DCA200-00-D-5021 Task Order 0036 currently provides for the license maintenance, Tier III support and Training and expires 31 July 2011.  The IASSURE contract resides with BAE, Inc.  The current IASSURE task order was awarded in 2006, licenses were purchased on a Firm-Fixed-Price basis, and services on a Time and Material basis for one base year and four one-year options. 


 


The purchase of the original McAfee licenses was through BAE on the IASSURE contract.   The license was for a perpetual DoD enterprise license. BAE as an integrator subcontracted to McAfee, the product vendor. The licenses include the McAfee ePolicy orchestrator suite of products and its Computer Network Defense (CND) capabilities.  These HBSS capabilities include: Host intrusion prevention, asset information, base lining centralized management, policy auditor, rogue system detection, and enterprise reporting.   These functionalities are aligned with the following HBSS system threat combatant capabilities:  Host Intrusion Prevention System (HIPS), Rogue System Detection (RSD), Policy Auditor (APS), Asset Publishing Service (APS), Operational Attributes Module (OAM), Device Control Module (DCM), and Asset Baseline Module (ABM).


 


a.  Type of action: Firm-Fixed-Price


 


b.  Amount: Approximately $8.64M for base and all option periods


 


c.  Type of funding: Operations and Maintenance (O&M)


d.  Years of funding: FY 2011-2012


 


1 Month Base Period                          1-31 Aug 2011            $1,211,103.00


1st Option Period                                1-30 Sep 2011             $1,211,103.00


2nd Option Period                              1-31 Oct 2011             $1,211,103.00


3rd Option Period                               1-30 Nov 2011            $1,211,103.00


4th Option Period                               1-31 Dec 2011                        $1,211,103.00


5th Option Period                               1-31 Jan 2012              $1,211,103.00


6th Option Period                               1-29 Feb 2012             $1,211,103.00


 


 


3.  DESCRIPTION OF SUPPLIES/SERVICES:


This Justification and Approval (J&A) is to acquire continued license maintenance and training, for Host Based Security System for all Department of DoD Components. This is a bridge contract to protect against a gap in capability and to allow transition for the HBSS Phase I acquisition that is planned for award between 1 August 2011 - 1 September 2011.


 


The DoD networks are currently under increasing attack and continuing maintenance and network security support of the McAfee HBSS product is critical to DoD network defense. 


HBSS is a flexible, commercial-off-the-shelf (COTS) based solution which can detect and counter, in real time, known cyber-threats to DoD enterprise assets.  The capability provided by HBSS allows DoD components to:


 



  • Integrate existing security products and capabilities

  • Eliminate redundant systems management processes

  • Enhance end-point system (e.g., hosts) security

  • Automate the development of host CYBERCON baselines through a unified security product and management suite


 


HBSS provides advanced mitigation efforts necessary to detect, defend, react and deter, in real time, against known cyber-threats.  In the current DoD network environment, HBSS is critical to maintaining network security, and addresses current network vulnerabilities to prevent future intrusions. 


 


Due to the sensitive and continuing nature of the attacks and the criticality of the networks, continuing use and maintenance of the McAfee tool with BAE as integrator and support services provider is necessary to meet FRAGO mandates and prevent a capability 'gap'.  Continuity of HBSS license maintenance and support services is required starting 1 August 2011 in order to meet critical timelines for the remainder of the FRAGO mandate, implement updates and new modules across DoD, provide continuity of training for rotating personnel across DoD.  HBSS is in current use, and constitutes the only solution suitable to address the current vulnerabilities and prevent future intrusions. BAE Systems Information Technology is the current integrator, as such, BAE has had just under 5 years of unique experience with deploying and providing implementation support for HBSS.  It would take a minimum of six months for another vendor to gain comparable experience based on the complexity and diversity of DoD host systems.  This bridge is only for the period until the competitive acquisition can be awarded.     


 


4.  IDENTIFICATION OF STATUTORY AUTHORITY:  10 U.S.C. §2304c(b)(2), Task and Delivery Order Contracts: Orders - Fair Opportunity Exceptions and FAR 16.505(b)(2)(ii) only one awardee is capable of providing the supplies or services required at the level of quality required because the supplies or services ordered are unique or highly specialized.


 


5.  DEMONSTRATION OF CONTRACTOR'S UNIQUE QUALIFICATIONS:  The DoD community has been using the existing suite of McAfee products and associated BAE support services across their networks since 2006.   This suite of products and associated support services provides DoD a proven up-to-date capability and tools to detect and counter, in real time, known cyber-threats to DoD enterprise assets.  HBSS integrates existing security products and capabilities, eliminates redundant systems management processes, enhances host security, and automates the development of host INFOCON baselines as specified in USSTRATCOM Directive 527-1, through a unified security product and management suite.  There are no other products currently on the market that meet all requirements outside the HBSS solution.  Extensive market research and industry outreach conducted by the HBSS PMO from May 2010 to January 2011yielded no options outside of the current BAE HBSS solution. 
Market research included two separate Request for Proposals; web and database searchs; and awarded contract vehicle analysis. In addition, acquiring a replacement solution would be cost prohibitive due to the time and effort associated with the transition of a new product throughout all of DoD.  It is estimated that $500M and 4 years would be needed to transition to a new system. 
The $500M figure is derived from projected costs, including existing BAE and CSD support as well as, a percentage of other contractor support. This figure also includes the projected cost for CC/S/A's to install and implement HBSS over a period of five years.  To date there have been no similar deployments of such a diverse collection of integrated capabilities into a single solution on this large of a scale within the DoD.  This analysis was conducted by the PEO-MA acquisition team and the Program Manager for the existing HBSS contract who has worked with the HBSS program for the last four years.  The cost and time estimates are derived from the length of time taken and funding required for deploying the existing HBSS solution  By maintaining the current ESSG-sponsored HBSS solution, the cost and mission impact of migrating to another vendor's products can be avoided.


These costs would be driven by the need for the following:


 


•·         New Competition and Acquisition


•·         Certification and accreditation (C&A) of the new product(s)


•·         Training (both for new tool operations and replacement support)


•·         Evaluation and testing for software compatibility/interoperability


•·         Establishment of new distribution mechanisms


•·         Deployment of multiple management platforms/console for network operators/administrators


 


BAE as the integrator and implementer throughout DoD has unique experience. With BAE, the time required to cross-train and transition a new team is non-existent, because they have in-depth familiarity with the HBSS solution and immediate access to experienced manpower.  At a minimum, new teams would need 18 months in order to gain the same level of expertise required for training across the diverse infrastructure that exists within the DoD. 


 


Based on input from the DoD community and PEO-MA historical experience deploying, implementing and maintaining the current HBSS solution, it is estimated that it will take over four years to transition to a new product with an estimated cost of $500,000,000 over the Enterprise.  The $500M figure is derived from projected costs, including existing BAE and CSD support as well as, a percentage of other contractor support, and the funds that are provided to Carnegie-Mellon for virtualized training. This figure also includes the projected cost for CC/S/A's to install and implement HBSS over a period of five years.  To date there have been no similar deployments of such a diverse collection of integrated capabilities into a single solution on this large of a scale within the DoD.  This analysis was conducted by the PEO-MA acquisition team and the Program Manager for the existing HBSS contract who has worked with the HBSS program for the last four years.  The cost and time estimates are derived from the length of time taken and funding required for deploying the existing HBSS solution. 


 


 

:
2300 East Dr.
Building 3600
Scott AFB, Illinois 62225-5406
United States
:
Brittney Galle