Networx Unit Pricer

Service Guides: Vulnerability Scanning Service (VSS)

1. Overview

The Networx contracts require a basic level of security management for their contractors that ensures compliance with Federal Government generally accepted security principles and practices, or better. The contracts employ adequate and reasonable means to ensure and protect the integrity, confidentiality, and availability of Networx services, Operational Support Systems (OSS), and Government information transported or stored in the contractor's Networx services infrastructure. These requirements are detailed in Section C.3.3.2 Security Management of the Networx contracts.

In addition to this mandatory level of security, the Networx contracts provide additional security services that may be ordered on a fee-for-service basis. These are:

  • Managed Tiered Security Service (MTSS)
  • Managed Firewall Service (MFS)
  • Intrusion Detection and Prevention Service (IDPS)
  • Vulnerability Scanning Service (VSS)
  • Anti-Virus Management Service (AVMS)
  • Incident Response Service (INRS)
  • Managed E-Authentication Service (MEAS)
  • Secure Managed E-Mail Service (SMEMS)

The VSS offering is described below.

2. Technical Description

VSS Technical Summary

VSS allows Agencies to conduct effective and proactive assessments of critical networking environments, and correct vulnerabilities before they are exploited. VSS searches for security holes, flaws, and exploits on Agency systems, networks and applications. VSS helps to guard the Agency network infrastructure against emerging threats.

VSS builds on the FTS2001 contract offerings. The service connects to and interoperates with the Agency networking environment, including Demilitarized Zones (DMZs) and secure LANs as required by the Agency. The service also supports Internet connectivity.

The Agency may order one or more of the following:

  • External Vulnerability Scanning which tests Internet connected nodes in the network, including Web environments
  • Internal Vulnerability Scanning which looks for local/host flaws and internal threats, usually inside the firewall

The diagram below illustrates a sample VSS implementation. Illustrative hardware such as edge routers, firewalls and Agency servers are not provided as part of the VSS.



Figure: Sample VSS Implementation

VSS also provides an Application Programming Interface (API) feature. This allows the Agency to integrate the service into its own tools and applications, as required, using, for example, a standard Extensible Markup Language (XML) API. This enables Agency security personnel to assess the vulnerabilities of hosts, export vulnerability data, etc.

VSS Technical Detail

VSS tests for vulnerabilities by comparing scanned information to threat data contained in a database. VSS can also simulate a real intrusion in a controlled environment, in order to gauge a network's susceptibility to attacks. The service performs external scans, which remotely probe a network for vulnerabilities that generally come from the outside, and internal scans, which detect flaws originating from the inside.

VSS supports a range of technical capabilities that are available in commercial offerings. The contractor establishes, implements, and maintains the vulnerability scanning service, which operates on a 24x7 basis. The systems periodically probe networks, including operating systems and application software, for potential openings, security holes, and improper configuration. VSS explores vulnerabilities in, but not limited to, the following areas as applicable:

  • Backdoors.
  • Brute Force Attacks.
  • Network Sniffing.
  • Protocol Spoofing.
  • Trojan Horses.

The VSS contractor proactively identifies network vulnerabilities, and proposes appropriate countermeasures, fixes, patches, and workarounds. The contractor notifies the Agency of vulnerabilities discovered, and also provides secure Web access to vulnerability information, scan summaries, device/host reports, and trend analyses. VSS provides scan scheduling flexibility to the Agency in order to minimize any interruptions in normal business activities. The service also supports non-destructive and non-intrusive vulnerability scans that will not crash the systems being analyzed, or disrupt Agency operations. The scans will not provoke a debilitating denial of service condition on the Agency system being probed. The VSS scanning engine is regularly updated with new vulnerability information in order to maintain the effectiveness of the service. These and other VSS service capabilities are detailed in Section C.2.10.3.1.4 Technical Capabilities of the Networx contracts.

VSS is required to support the User-to-Network Interfaces (UNIs) defined in applicable Networx services, for example:

  • C.2.4.1 Internet Protocol Service (IPS)
  • C.2.7.2 Premises-based IP VPN Services (PBIP-VPNS)
  • C.2.7.3 Network-based IP VPN Services (NBIP-VPNS)

Each Networx contractor may provide variations or alternatives to the offering and pricing for VSS. The specific details can be found within each Contractor's Networx contract files and pricing notes for VSS.

For more information on the general VSS specifications and requirements, please refer to Section C.2.10.3 of the Networx contract for technical specifications and Section B.2.10.3 for pricing.

3. Price Description

VSS Price Basics

VSS provides external and internal vulnerability assessments of the Agency's networking environment. The service mitigates security holes and flaws before they are exploited. VSS provides the following pricing options:

  • Unlimited Scans consist of unlimited scans within a month for a predetermined number of IP addresses. The NRC includes the design, implementation, and configuration of VSS. The MRC comprises the management and ongoing scanning/monitoring support.
  • Usage consists of a predefined number of scans to be distributed over any IP addresses as defined by the Agency at the time the scan is conducted. A scan comprises one scan of one IP address one time.


Price components required for service are:

  • Underlying transport services, such as IPS to provide connectivity
  • Basic service (NRC and/or MRC) consisting of either:
    • VSS Unlimited Scans (NRC + MRC per IP address or per block of IP addresses)
    • VSS Usage (NRC per scan or per block of scans)
  • VSS Application Programming Interface feature ordered as needed by the Agency
  • Service Enabling Devices (SEDs) may be required to implement VSS. [Please note that SEDs under Networx replace the FTS2001 User-to-Network Interfaces and Access Adaptation Functions (UNIs/AAFs). SEDs may differ between Networx providers. The pricing structure for SEDs provides for either a one-time payment or monthly term payments for purchase, plus an NRC for installation and an MRC for maintenance.]

Example 1: VSS Unlimited Scans for 10 IP addresses



  • Transport: Choose Networx telecommunications services such as IPS
  • Unlimited Scans NRC: Choose CLIN 350002 (Unlimited Scans for 10 specified IP addresses NRC per block of 10 IP addresses)
  • Unlimited Scans MRC: Choose CLIN 350102 (Unlimited Scans for 10 specified IP addresses MRC per block of 10 IP addresses)
  • SEDs may be required to implement VSS. Illustrative hardware is not provided as part of the VSS.

Example 2: VSS Usage for 50 scans



  • Transport: Choose Networx telecommunications services such as IPS
  • Usage NRC: Choose CLIN 350009 (50 scans NRC per block of 50 scans)
  • SEDs may be required to implement VSS. Illustrative hardware is not provided as part of the VSS.
