SEC's OIT Spends $2.5M on Application Security Tools and Services
Contract Overview
Contract Amount: $2,528,505 ($2.5M)
Contractor: Thundercat Technology, LLC
Awarding Agency: Securities and Exchange Commission
Start Date: 2024-03-26
End Date: 2027-03-31
Contract Duration: 1,100 days
Daily Burn Rate: $2.3K/day
Competition Type: FULL AND OPEN COMPETITION AFTER EXCLUSION OF SOURCES
Number of Offers Received: 8
Pricing Type: FIRM FIXED PRICE
Sector: IT
Official Description: THE SEC'S OFFICE OF INFORMATION TECHNOLOGY (OIT) REQUIRES AN INTEGRATED SET OF COMMERCIAL APPLICATION SECURITY TESTING TOOLS AND SERVICES TO ENABLE ENTERPRISE-SCALE IDENTIFICATION AND RISK PRIORITIZATION OF VULNERABILITIES WITHIN SEC-MANAGED SER
Place of Performance
Location: WASHINGTON, DISTRICT OF COLUMBIA County, DISTRICT OF COLUMBIA, 20549
Plain-Language Summary
The Securities and Exchange Commission obligated $2.5 million to THUNDERCAT TECHNOLOGY, LLC for work described as: THE SEC'S OFFICE OF INFORMATION TECHNOLOGY (OIT) REQUIRES AN INTEGRATED SET OF COMMERCIAL APPLICATION SECURITY TESTING TOOLS AND SERVICES TO ENABLE ENTERPRISE-SCALE IDENTIFICATION AND RISK PRIORITIZATION OF VULNERABILITIES WITHIN SEC-MANAGED SER
Key points:
1. The contract focuses on enterprise-scale vulnerability identification and risk prioritization.
2. Competition was full and open after exclusion of sources, suggesting a deliberate process.
3. The primary risk lies in the effectiveness and integration of the chosen tools and services.
4. This falls under IT services, a critical sector for government operations.
Value Assessment
Rating: fair
The total award amount is $2,528,505.18. Without specific per-unit pricing for the tools and services, a direct comparison to similar contracts is difficult. The pricing appears reasonable for a comprehensive suite of security solutions.
Cost Per Unit: N/A
Competition Analysis
Competition Level: full-and-open
The contract was awarded under 'FULL AND OPEN COMPETITION AFTER EXCLUSION OF SOURCES.' This indicates an initial broad solicitation followed by a specific exclusion, which may have limited the pool of potential bidders. The price discovery impact is unclear without knowing the excluded sources.
Taxpayer Impact: Taxpayer funds are being used for essential cybersecurity infrastructure to protect SEC systems and data.
Public Impact
- Enhances the security posture of the Securities and Exchange Commission's digital assets.
- Aims to proactively identify and mitigate cyber threats to sensitive financial data.
- Supports the SEC's mission by ensuring the integrity and availability of its IT systems.
Waste & Efficiency Indicators
Waste Risk Score: 50 / 10
Warning Flags
- Potential for vendor lock-in with specific application security tools.
- Effectiveness of the chosen tools in identifying complex, zero-day vulnerabilities.
- Integration challenges between different security testing tools.
Positive Signals
- Addresses a critical need for robust application security.
- Utilizes a competitive procurement process.
- Focuses on risk prioritization, an important aspect of cybersecurity management.
Sector Analysis
This contract falls within the Information Technology sector, specifically focusing on application security. Spending benchmarks for such services vary widely based on the scope and sophistication of the tools and services required. The SEC's investment reflects the growing importance of cybersecurity for regulatory bodies.
Small Business Impact
The data indicates this contract was awarded to THUNDERCAT TECHNOLOGY, LLC. There is no explicit information provided regarding small business participation or subcontracting goals within this specific award. Further analysis would be needed to determine if small businesses were involved.
Oversight & Accountability
The Securities and Exchange Commission (SEC) is the procuring agency, indicating internal oversight. The contract type is a Delivery Order, suggesting it's part of a larger indefinite-delivery/indefinite-quantity (IDIQ) contract or a similar framework. Accountability will be managed through contract performance monitoring and reporting.
Related Government Programs
- Other Computer Related Services
- Securities and Exchange Commission Contracting
- Securities and Exchange Commission Programs
Risk Flags
- Limited visibility into specific tools and services procured.
- Potential for 'exclusion of sources' to limit competition.
- Effectiveness dependent on integration and ongoing maintenance.
- Cybersecurity tool market is rapidly evolving, requiring continuous adaptation.
Tags
other-computer-related-services, securities-and-exchange-commission, dc, delivery-order, 1m-plus
Frequently Asked Questions
What is this federal contract paying for?
The Securities and Exchange Commission awarded $2.5 million to THUNDERCAT TECHNOLOGY, LLC. Official description: THE SEC'S OFFICE OF INFORMATION TECHNOLOGY (OIT) REQUIRES AN INTEGRATED SET OF COMMERCIAL APPLICATION SECURITY TESTING TOOLS AND SERVICES TO ENABLE ENTERPRISE-SCALE IDENTIFICATION AND RISK PRIORITIZATION OF VULNERABILITIES WITHIN SEC-MANAGED SER
Who is the contractor on this award?
The obligated recipient is THUNDERCAT TECHNOLOGY, LLC.
Which agency awarded this contract?
Awarding agency: Securities and Exchange Commission.
What is the total obligated amount?
The obligated amount is $2.5 million.
What is the period of performance?
Start: 2024-03-26. End: 2027-03-31.
What is the specific suite of application security testing tools and services being procured, and how do they compare to industry best-of-breed solutions?
The provided data does not detail the specific application security testing tools and services. A comprehensive understanding of their capabilities, vendor reputation, and integration potential with existing SEC infrastructure is crucial. Benchmarking against industry best-of-breed solutions would require access to the solicitation documents and vendor proposals to assess if the selected tools offer optimal functionality and value for the identified vulnerabilities.
What are the key performance indicators (KPIs) for this contract, and how will the SEC measure the effectiveness of vulnerability identification and risk prioritization?
Key performance indicators are not detailed in the provided data. Effectiveness will likely be measured by the number and severity of vulnerabilities identified, the accuracy of risk prioritization, and the subsequent reduction in security incidents. The SEC should establish clear metrics for tool performance, reporting timeliness, and the actionable insights provided to remediation teams to ensure the contract meets its security objectives.
What is the long-term strategy for maintaining and updating these application security tools and services, considering the rapidly evolving threat landscape?
The long-term strategy for maintaining and updating these tools is not specified. Given the dynamic nature of cybersecurity threats, the SEC must ensure the contract includes provisions for regular software updates, threat intelligence feeds, and potential technology refreshes. A proactive approach to adapting to new vulnerabilities and attack vectors will be essential for sustained effectiveness beyond the initial contract period.
Industry Classification
NAICS: Professional, Scientific, and Technical Services › Computer Systems Design and Related Services › Other Computer Related Services
Product/Service Code: IT AND TELECOM - APPLICATIONS
Competition & Pricing
Extent Competed: FULL AND OPEN COMPETITION AFTER EXCLUSION OF SOURCES
Solicitation Procedures: SUBJECT TO MULTIPLE AWARD FAIR OPPORTUNITY
Solicitation ID: 50310224Q0037
Offers Received: 8
Pricing Type: FIRM FIXED PRICE (J)
Evaluated Preference: NONE
Contractor Details
Parent Company: Thundercat Technology LLC
Address: 11190 SUNRISE VALLEY DR STE 200, RESTON, VA, 20191
Business Categories: Category Business, Corporate Entity Not Tax Exempt, Limited Liability Corporation, Service Disabled Veteran Owned Business, Small Business, Special Designations, U.S.-Owned Business, Veteran Owned Business
Financial Breakdown
Contract Ceiling: $5,077,212
Exercised Options: $2,528,505
Current Obligation: $2,528,505
Actual Outlays: $2,067,741
Contract Characteristics
Commercial Item: COMMERCIAL PRODUCTS/SERVICES
Parent Contract
Parent Award PIID: NNG15SC92B
IDV Type: GWAC
Timeline
Start Date: 2024-03-26
Current End Date: 2027-03-31
Potential End Date: 2029-03-31
Last Modified: 2026-03-27
More Contracts from Thundercat Technology, LLC
- Intersystems Software Updates and Technical Assistance — $222.0M (Department of Veterans Affairs)
- Internet Operations Management — $139.2M (Department of Defense)
- Itau/Swm/Renew Software Maintenance for Ca/Broadcom Software — $71.6M (Department of Justice)
- Palo Alto Networks Enterprise License Agreement (ELA) for the National Nuclear Security Administration (nnsa) — $58.3M (Department of Energy)
- Nasa Sewp Award of Talent Management System 2.0 Sustainment Services — $51.3M (Department of Veterans Affairs)
Other Securities and Exchange Commission Contracts
- Infrastructure Support Services (ISS) Igf::ot::igf — $461.3M (General Dynamics Information Technology, Inc.)
- Information Systems Testing and Compliance Support Services — $185.5M (Booz Allen Hamilton Inc)
- SEC Enterprise Edgar System Support Services — $159.5M (Maximus Federal Consulting, LLC)
- Reconstructed the Corrupted Fssp Conversion Document — $158.0M (Amentum Services, Inc.)
- FOR Other Functions Operations and Maintenance Support for Software Applications — $150.9M (Maximus Federal Consulting, LLC)