30 Oct 2018

Sources Sought – Application Vulnerability Scanner

Type of document: Contract Notice
Country: United States

Department of Housing and Urban Development

Official Address:
451 7th Street S.W., Washington, DC 20410

Candace Jackson, Contract Specialist, Phone 2024028301, Email cjackson@hudoig.gov – Ergene Lee, Director of Contracts and Procurement, Phone 2024023105, Email elee@hudoig.gov


Contract Description:

THIS IS A SOURCES SOUGHT NOTICE ONLY. This is not a request for offers, quotes or proposals. This notice does not represent a commitment by the Government to issue a solicitation or award a contract. This is a market research tool only to determine the capability of potential sources.
The Department of Housing and Urban Development (HUD) Office of Inspector General (HUD OIG) is contemplating establishing a contract under NAICS Code 511210, Software Publishers (Small Business Size Standard $38.5 million), PSC Code 7030 (Information Technology), for Application Vulnerability Scanner software, and is issuing this Request for Information (RFI) to solicit responses and capability statements from capable sources and to ensure sufficient competition exists to meet the Government's requirements. The anticipated contract would be for software or software as a service on a Fixed Price / Firm Fixed Price basis.

The anticipated acquisition will acquire for HUD OIG an Information Security (INFOSEC) application security scanner. Application vulnerability scanners are automated tools that scan web applications, normally from both inside and outside the network, for security vulnerabilities such as cross-site scripting (XSS), SQL injection, command injection, path traversal and insecure server configuration.
The anticipated solution shall adhere to all Federal Government and HUD OIG Office of Information Technology (OIT) INFOSEC regulations, directives and standards, including the Clinger-Cohen Act of 1996 (also known as the Information Technology Management Reform Act, ITMRA), the Federal Information Technology Acquisition Reform Act (FITARA), the Federal Information Security Management Act (FISMA), the Computer Security Act of 1987, OMB Circulars A-130 and A-123, and applicable Treasury Directives.
At a minimum, the solution shall provide the following INFOSEC/CyberSecurity capabilities to the Government:
(a) The ability to detect Reflected XSS, SQL Injection, and Path Traversal/Local File Inclusion/Remote File Inclusion vulnerabilities;
(b) The ability to scan multiple URLs at once (using a crawler/spider feature, a URL/log file parsing feature, or a built-in proxy);
(c) The ability to control and limit the scan to internal or external hosts;
(d) On-premise implementation (deployment and maintenance);
(e) Cloud provider (FedRAMP approved or in process);
(f) Country location of main office and development;
(g) Canned and custom reporting;
(h) Continuous monitoring;
(i) Ability to scan various coding languages and platforms (e.g., C, C++, .NET, Drupal).
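To make capabilities (a) through (c) concrete, the following Python script is an added illustration of how a dynamic application scanner detects reflected XSS, error-based SQL injection and path traversal, scans a batch of seed URLs, and restricts the scan to internal or external hosts. It is not part of this notice and is not any vendor's product. All target behaviour comes from the constructed mock_app() function (the host names, seed URLs, probe strings and the ".internal" naming convention are assumptions made for this example), so it runs offline; a real scanner would replace the fetch callable with HTTP requests.

```python
"""Minimal DAST-style checks illustrating capabilities (a)-(c).

Added illustration, not part of the notice and not any vendor's product.
All target behaviour comes from the constructed mock_app() below, so the
script runs offline; a real scanner would replace fetch() with HTTP requests.
"""
import html
import ipaddress
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Hypothetical hosts and seed URLs (constructed for this example).
ALLOWED_HOSTS = {"app.internal", "10.0.0.5", "www.example.gov"}
SAMPLE_URLS = [
    "http://app.internal/search?q=test",
    "http://10.0.0.5/item?id=1",
    "http://app.internal/download?file=report.pdf",
    "http://www.example.gov/safe?q=test",
    "http://evil.example.net/search?q=x",   # not in the allow-list
]

# Probes and the evidence each one looks for in the response.
XSS_PAYLOAD = '"><svg onload=zq7xss>'      # unique canary, harmless if executed
SQLI_PAYLOAD = "'"                         # unbalanced quote -> DB syntax error
TRAVERSAL_PAYLOAD = "../../../../etc/passwd"
SQL_ERROR_RE = re.compile(r"SQL syntax|ORA-\d{5}|SQLSTATE|pg_query|syntax error", re.I)
PASSWD_RE = re.compile(r"^root:x:0:0:", re.M)


def mock_app(url):
    """Constructed stand-in for a web application: returns (status, body)."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    if parts.path == "/search":                       # reflects input unescaped
        return 200, f"<h1>Results for {params.get('q', '')}</h1>"
    if parts.path == "/safe":                         # same page, output-encoded
        return 200, f"<h1>Results for {html.escape(params.get('q', ''))}</h1>"
    if parts.path == "/item":                         # quote breaks the SQL string
        item_id = params.get("id", "")
        if "'" in item_id:
            return 500, "You have an error in your SQL syntax; check the manual"
        return 200, f"<p>item {html.escape(item_id)}</p>"
    if parts.path == "/download":                     # no path canonicalisation
        name = params.get("file", "")
        if "../" in name and name.endswith("etc/passwd"):
            return 200, "root:x:0:0:root:/root:/bin/bash\n"
        return 200, "binary data"
    return 404, "not found"


def is_internal_host(host):
    """Private IP or '.internal' suffix (assumed naming convention) counts as internal."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return host == "localhost" or host.endswith(".internal")


def in_scope(url, scope, allowed_hosts):
    """Capability (c): only allow-listed hosts, restricted to internal/external/both."""
    host = urlsplit(url).hostname or ""
    if host not in allowed_hosts:
        return False
    if scope == "both":
        return True
    return is_internal_host(host) == (scope == "internal")


def with_param(url, name, value):
    """Return url with query parameter `name` replaced by the probe value."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    params[name] = value
    return urlunsplit(parts._replace(query=urlencode(params)))


def check_url(url, fetch=mock_app):
    """Capability (a): inject each probe into every query parameter of one URL."""
    findings = []
    for name, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        _, body = fetch(with_param(url, name, XSS_PAYLOAD))
        if XSS_PAYLOAD in body:          # markup echoed back verbatim, not encoded
            findings.append(("reflected_xss", name))
        _, body = fetch(with_param(url, name, SQLI_PAYLOAD))
        if SQL_ERROR_RE.search(body):    # error-based SQL injection signal
            findings.append(("sql_injection", name))
        _, body = fetch(with_param(url, name, TRAVERSAL_PAYLOAD))
        if PASSWD_RE.search(body):       # file contents leaked -> traversal/LFI
            findings.append(("path_traversal", name))
    return findings


def scan(urls, scope="both", allowed_hosts=frozenset(), fetch=mock_app):
    """Capability (b): scan a batch of seed URLs; returns {url: findings}."""
    return {u: check_url(u, fetch) for u in urls if in_scope(u, scope, allowed_hosts)}


if __name__ == "__main__":
    for url, findings in scan(SAMPLE_URLS, "internal", ALLOWED_HOSTS).items():
        print(url, findings or "clean")
```

Two design points carry over to evaluating a real product: the XSS check looks for the probe markup reflected byte-for-byte (the output-encoded /safe page is correctly reported clean), and the scope filter rejects any host outside the allow-list before a single request is sent, which is the control that keeps a scan from wandering onto third-party systems.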

Contemplated Performance Objectives Are:

Performance Objective / Threshold / Method of Surveillance

1. Provide the following INFOSEC/CyberSecurity capabilities to the Government
   Threshold: Maintain 90% accuracy and timeliness
   Surveillance: Within 10 days of contract award

2. Provide support and technical expertise for the installation, configuration, test, and deployment of an application security scanner
   Threshold: Maintain 90% accuracy and timeliness
   Surveillance: Within 10 days of contract award

3. Perform all phases of software development with emphasis on the analysis, coding, testing, documentation, acceptance and maintenance/sustainment phases
   Threshold: Meet all government performance, schedule and cost requirements with 95% compliance
   Surveillance: Within 10 days of contract award

4. Perform application functionality user acceptance testing to verify the application security scanner software functionality
   Threshold: Meet all government performance, schedule and cost requirements with 95% compliance
   Surveillance: Within 10 days of contract award

5. Provide the application security scanning capabilities identified
   Threshold: Maintain 90% accuracy and timeliness
   Surveillance: Periodic (weekly)

6. Provide application technical support
   Threshold: Maintain 90% accuracy and timeliness
   Surveillance: Periodic (monthly)

The action is anticipated to be a 12-month base period with two (2) option periods.


As the requirement is for software or software as a service, HUD OIG will utilize it primarily from its HQ in Washington, DC.


HUD OIG is specifically seeking capability statements from interested small businesses, but will accept capability statements from all interested parties. HUD OIG is especially interested in Federal Schedules and other contract vehicles which may provide the required services.

Statements shall not exceed three (3) pages. Parties shall specify their applicable GSA Schedule as part of their response.

This synopsis is a market research tool being used to determine the availability and capability of potential sources prior to determining the method of acquisition and whether the government will proceed with this acquisition. The Government will not pay for any information solicited. If a contract is ultimately pursued, responses to this synopsis will be used to aid in determining whether the acquisition is set-aside for small business or in establishing small business subcontracting goals. All qualified firms are encouraged to respond.

The capability statement shall address, at a minimum, the following for the past three years:
1. Name and address of company and or companies (if there is a teaming arrangement or joint venture);
2. Technical expertise relevant to the requirement;
3. Technical approach relevant to the requirement (1 to 2 paragraphs);
4. Management approach relevant to the requirement (1 to 2 paragraphs);
5. Corporate experience relevant to the requirement (1 to 2 paragraphs);
6. Indicate if you are a small business or any other socio-economic categories that apply to your firm under the designated NAICS code;
7. Whether you have had unequal access to any information relevant to the acquisition that could provide an unfair competitive advantage;
8. Any schedules or contract vehicles available for use;
9. Relevant past performance. Your capability statement needs to include a list of three customers (Government/non-Government) within the past three (3) years highlighting similar work in nature, scope, complexity, and difficulty and a brief description of the scope of work. Your submission for relevant past performance must include for each customer:

• Contract name;
• Contracting Agency or Department, POC and contact information;
• Yearly contract value (in $);
• Whether your firm was the prime or a subcontractor;
• Period of performance;
• Description of work and how it relates to the requirements.

Interested firms responding to this market survey must provide a capability statement demonstrating their experience, skills and capability to fulfill the Government's requirements above. The capability statement shall be in sufficient detail, but not exceed four (4) pages TOTAL, so that the Government can determine the experience and capability of your firm to provide the requirements above. Please specify one primary and one alternate Point of Contact (POC) within your firm, including telephone numbers and email addresses, in case clarifications of your submission are needed.

Only electronic copies of capability statements will be accepted and should be submitted via email to Cjackson@hudoig.gov with a CC to Rcoyle@hudoig.gov and Elee@hudoig.gov. The Government may use the responses received to determine whether to proceed with the acquisition as a set-aside, or, in the absence of at least two small business responses to this notice, may determine to proceed with a full and open competition. This decision, and whether to proceed with the acquisition at all, is at the sole discretion of the Government.
