ITegrity Inc.
Highlights
ITegrity Inc., of Silver Spring, Maryland, protests the establishment of a blanket purchase agreement (BPA) with AttainX, LLC, of Herndon, Virginia, under request for quotations (RFQ) No. 1305M2-23-Q-NAAA0226, issued by the Department of Commerce, National Oceanic and Atmospheric Administration (NOAA), for Federal Information Security Management Act (FISMA) assessment and authorization (A&A) support services. The protester contends that the agency unreasonably and unequally evaluated quotations and performed a flawed best-value tradeoff analysis.
DOCUMENT FOR PUBLIC RELEASE
The decision issued on the date below was subject to a GAO Protective Order. This redacted version has been approved for public release.
Decision
Matter of: ITegrity Inc.
File: B-422694; B-422694.2
Date: September 26, 2024
Elizabeth Jochum, Esq., and Amanda DeLaPerriere, Esq., Blank Rome LLP, for the protester.
Daniel Strouse, Esq., Pablo Nichols, Esq., John O’Brien, Esq., and Jason W. Moy, Esq., Cordatis LLP, for AttainX, LLC, the intervenor.
Florence Nancy Bridges, Esq., and Celia Crabbe, Esq., Department of Commerce, for the agency.
Christine Milne, Esq., and Tania Calhoun, Esq., Office of the General Counsel, GAO, participated in the preparation of the decision.
DIGEST
Protest that the agency unreasonably and unequally evaluated quotations and performed a flawed best-value tradeoff analysis is denied where the record shows the agency evaluated quotations in accordance with the solicitation’s terms and on an equal basis.
DECISION
ITegrity Inc., of Silver Spring, Maryland, protests the establishment of a blanket purchase agreement (BPA) with AttainX, LLC, of Herndon, Virginia, under request for quotations (RFQ) No. 1305M2-23-Q-NAAA0226, issued by the Department of Commerce, National Oceanic and Atmospheric Administration (NOAA), for Federal Information Security Management Act (FISMA) assessment and authorization (A&A) support services. The protester contends that the agency unreasonably and unequally evaluated quotations and performed a flawed best-value tradeoff analysis.
We deny the protest.
BACKGROUND
The RFQ was issued on September 21, 2023, via the General Services Administration (GSA) eBUY website pursuant to Federal Acquisition Regulation (FAR) subpart 8.4 to vendors holding contracts under GSA multiple award schedule special item number (SIN) 54151S information technology (IT) professional services and SIN 54151 highly adaptive cybersecurity services. Agency Report (AR), Exh. 2(b)(ii), RFQ, amend. 0001, Terms and Conditions at 2; AR, Exh. 2(b)(iv), RFQ amend. 0001, attach. A, Performance Work Statement (PWS) at ¶¶ 1-2. The agency issued the RFQ to obtain IT services, specifically A&A support services as they relate to FISMA and its objectives. The FISMA objectives generally include tasks relating to the operation, maintenance, testing, and reporting of the security of IT systems. PWS at ¶ 1.
The A&A services included performing prompt, reliable, repeatable, and high-quality annual security assessments of all National Weather Service (NWS) systems to support NWS’s risk management framework. PWS at ¶ 2. While ITegrity is the incumbent contractor, the current RFQ requirements expand the scope of the incumbent A&A contract by also requiring A&A services for systems other than NOAA’s NWS systems. Memorandum of Law (MOL) at 3; PWS at ¶ 2.
The BPA was to be performed over a 1-year base period and four 1-year option periods and would be established with the vendor offering the best value to the government considering price and two non-price factors: technical approach and past performance. AR, Exh. 2(b)(ii), RFP amend. 0001, Terms and Conditions at 27; AR, Exh. 2(e)(ii), RFQ amend. 0004, Instructions and Evaluation Criteria at 12. Under the technical factor, vendors were to demonstrate an approach that met the requirements of the PWS. AR, Exh. 2(e)(ii), RFQ amend. 0004, Instructions and Evaluation Criteria at 13. As relevant here, the PWS required such tasks as penetration testing, compliance reviews, preparing final assessment packages and related reports, and familiarity with parent/child organization models.[1] PWS ¶¶ 4.1.4, 4.3, 4.4, 4.5. Quotations would be assigned a rating of either acceptable or unacceptable under the technical factor.
Under the past performance factor, vendors were to provide up to three past performance references that were both performed within the last five years from the date the solicitation was issued and similar to the current solicitation in size, scope, and complexity. AR, Exh. 2(e)(ii), RFQ amend. 0004, Instructions and Evaluation Criteria at 9. The agency would also consider the quality of performance of each reference. Id. at 13. Quotations would be assigned a confidence level rating of high confidence, some confidence, low confidence, no confidence, or unknown confidence (neutral). Id.; AR, Exh. 5, Technical Evaluation Team (TET) Report at 19-20. Price was evaluated for fairness and reasonableness. AR, Exh. 2(e)(ii), RFQ amend. 0004, Instructions and Evaluation Criteria at 14-15.
The RFQ provided that the agency would utilize a technically acceptable, past performance/price tradeoff evaluation methodology so that award could be made to the vendor that submitted a technically acceptable quotation and provided the best value to the government based on a tradeoff analysis between past performance and price. Id. at 12. Past performance was significantly more important than price. Id.
The agency received 21 quotations, including those of ITegrity and AttainX, and their ratings were as follows:
Technical Approach |
Past Performance |
Price |
|
---|---|---|---|
ITegrity |
Acceptable |
Some Confidence |
$21,025,099 |
Attainx |
Acceptable |
High Confidence |
$21,551,388 |
Contracting Officer’s Statement at 5; AR, Exh. 5, TET Report at 21; AR, Exh. 6, Contract Award Memorandum at 75. As both vendors were rated technically acceptable, the agency proceeded to consider each vendor’s past performance. AR, Exh. 5, TET Report at 11.
The agency reviewed three past performance references from ITegrity. ITegrity’s first reference was for its performance as the incumbent, which the TET evaluated as similar in size though slightly smaller in scale, similar in scope and complexity, very good quality performance, and overall very relevant. AR, Exh. 5, TET Report at 115. ITegrity’s second and third references were both performed by its subcontractor. The agency found the second reference similar in size and of very good quality performance, but not relevant in scope and complexity. Id. The agency noted that this reference was limited in focus and did not encompass most of the tasks in the PWS, especially critical tasks such as penetration testing, comprehensive assessments and authorizations, experience with parent/child organization models, or ensuring compliance and high-quality results. Id. at 120-121. The agency concluded that because this reference lacked experience with most of the essential PWS tasks, it was not relevant. Id. The agency found the third reference similar in size but smaller in scale, of satisfactory quality performance, and similar in scope though not including all of the same tasks as required in the PWS. Id. at 115. The agency noted that, as with the second reference, this reference did not include penetration testing, independent assessments, experience with parent/child organization models, or ensuring compliance with high-quality results. Id. at 123-125. The agency assessed this reference as somewhat relevant. For these reasons, ITegrity’s past performance was assigned an overall rating of some confidence. Id.
The agency reviewed three past performance references from AttainX. AttainX’s first reference was considered similar in size, of exceptional quality performance, and very similar in scope and complexity because it involved comprehensive cybersecurity and A&A services, threat and vulnerability assessments, penetration testing, independent assessments of security controls, and parent/child organizational models. Id. at 100, 105. This reference was rated very relevant overall. Id. at 100. AttainX’s second and third references were performed by each of two proposed subcontractors. Id. The second reference was considered similar in size though smaller in value, of very good quality performance, and very relevant in scope and complexity as it included independent assessments of security controls and penetration testing, and a final security assessment report. Id. at 109. The third reference was considered similar in size, of satisfactory quality performance, and very similar in scope and complexity as it included penetration testing and independent assessment of security controls. Id. at 112-113. For these reasons, AttainX’s received an overall past performance rating of high confidence. Id. at 114.
In comparing the two proposals, the agency noted that, while ITegrity’s experience on the incumbent contract was very relevant and demonstrated superior performance, the two references from its subcontractor were not as relevant. AR, Exh. 6, Contract Award Memorandum at 73-74. The agency found that ITegrity’s second reference was not relevant at all, and its third reference was only partially relevant. In contrast, AttainX and its subcontractors had very relevant past performance which demonstrated that AttainX had a robust team of subcontractors with strong performance. Id. at 73. The agency determined that AttainX’s stronger past performance warranted its small price premium and that overall AttainX offered the best value to the government. Id. at 76. The agency established the BPA with AttainX on June 13; this protest followed.
DISCUSSION
ITegrity contends that the agency unreasonably and unequally evaluated its and AttainX’s quotations under the past performance factor and conducted a flawed best-value tradeoff. Where, as here, an agency issues an RFQ to Federal Supply Schedule contractors under FAR subpart 8.4 and conducts a competition, we will review the agency’s source selection decision to ensure that the evaluation was reasonable and consistent with the terms of the solicitation. Redhorse Corp., B-417268, Mar. 21, 2019, 2019 CPD ¶ 114 at 2. We will not reevaluate vendors’ quotations, and a protester’s disagreement with the agency’s evaluation, without more, is not sufficient to render the evaluation reasonable. M Inc., d/b/a Minc Interior Design, B-413166.2, Aug. 1, 2016, 2016 CPD ¶ 210 at 5. We have reviewed the record and find no basis upon which to sustain the protest.
Past Performance
ITegrity first asserts that the agency should have given greater weight to its first past performance reference in arriving at its overall past performance rating. Protester’s Comments & Supp. Protest at 3. ITegrity asserts that its first reference, which was for its performance as the incumbent, should have caused ITegrity to receive an overall rating of high confidence because the contract was very relevant and because of ITegrity’s positive performance feedback. Protest at 12; Protester’s Comments & Supp. Protest at 4. ITegrity asserts that the agency improperly used its second and third references to downgrade its overall rating and essentially penalized ITegrity for including additional references. Protester’s Comments & Supp. Protest at 5; Protester’s Supp. Comments at 4.
The agency responds that ITegrity implies that its positive performance as the incumbent entitles it to a higher rating overall. The agency also asserts that ITegrity is simply disagreeing with the agency’s evaluation of all the references ITegrity chose to submit, and that while vendors were not required to submit a certain number of references, the solicitation stated that the agency would consider the amount and type of work each vendor had undertaken. MOL at 16-18. The agency notes that ITegrity’s second and third references were both from its subcontractors and it was important for the agency to take into consideration the experience of ITegrity’s team. Id.
Here, we find that the protester has not demonstrated that the agency unreasonably evaluated its first past performance reference. An agency’s evaluation of past performance, which includes its consideration of the relevance, scope, and size of an offeror’s performance history, is a matter of discretion, which we will not disturb unless the agency’s assessment is unreasonable or inconsistent with the solicitation criteria. D&G Support Servs., LLC, B-419245, B-419245.3, Jan. 6, 2021, 2021 CPD ¶ 15 at 8. When a protester challenges an agency’s past performance evaluation, we will review the evaluation to determine if it was reasonable and consistent with the solicitation’s evaluation criteria, and procurement statutes and regulations, and to ensure that the agency’s rationale is adequately documented. Id.
As an initial matter, while the solicitation did not require a specific number of references, the solicitation expressly provided that the “[g]overnment will use its discretion to determine the sources of Past Performance information used in the evaluation, and the information may be obtained from references provided by the vendor,” as well as from other sources. AR, Exh. 2(e)(ii), RFQ amend. 0004, Instructions & Evaluation Criteria at 14. As a result, the protester was on notice that the agency could consider and weigh the references a vendor chose to submit. The agency was under no obligation to conduct an evaluation in a light most favorable to the protester, by, for example, considering only its most relevant past performance reference and disregarding the references ITegrity chose to submit for the other members of its team that would be performing on the contract. The agency was required only to conduct an evaluation in accordance with the terms of the solicitation, and the record shows that it did so by considering all of the references submitted by ITegrity for all of its team members. Therefore, the protester’s arguments amount to nothing more than disagreement with the weight the agency gave ITegrity’s first reference when evaluating ITegrity’s past performance as a whole. Such disagreement, without more, does not establish that an evaluation is unreasonable. D&G, supra at 9-10.
ITegrity next asserts that the agency unreasonably determined that its second reference was not relevant. The protester argues that while the agency correctly determined that this reference does not include one of the most important PWS tasks - penetration testing - the agency incorrectly determined that this reference did not include compliance assessments and authorization, managing multiple assessments, and experience with parent/child organization models. Protester’s Comments and Supp. Protest at 6-14.
The agency responds that it correctly determined that ITegrity’s second past performance reference was not relevant because the work performed in this reference is fundamentally different from the current requirement and included little to none of the most essential PWS tasks, such as penetration testing, compliance assessments and authorization, managing multiple assessments, and familiarity with parent/child organization models. MOL at 19; AR, Exh. 5, TET Report at 120-121. The agency explains that the work performed in the second reference is related to “post-assessment day-to-day management” and ITegrity’s subcontractor was not “on the assessment team performing services required by the PWS” as part of this reference, but rather performed “ancillary work in support of the work performed by a [s]ecurity [a]ssessment team.” AR, Exh. 8, TET Chair Statement at 3. The TET chair explained that this reference’s “focus on support activities ancillary to security assessment and the lack of critical outputs specified in the PWS” caused this reference to be rated not relevant. Id. at 6.
We find that the record supports the agency’s determination that ITegrity’s second past performance reference was not relevant. While we have considered all of the protester’s arguments regarding each of the agency’s findings, we discuss only a few examples below. As described above, the PWS required such tasks as penetration testing, compliance reviews, preparing deliverables such as final assessment packages and related reports, managing multiple assessments, and familiarity with parent/child organization models. PWS ¶¶ 4.1.4, 4.3, 4.4, and 4.5.
The record shows that one of the most important tasks in the PWS is penetration testing, because through this testing, cyber security vulnerabilities in the system can be uncovered. Supp. AR, Exh. 12, Amended TET Chair Statement at 4-5. One of the primary reasons the agency determined that ITegrity’s second reference was not relevant was because this the reference did not include this task, a fact ITegrity has conceded. Protester’s Supp. Comments at 5.
Another essential PWS task related to the most critical output to be provided by the contractor was the development of a final assessment package. This package includes a number of reports detailing the security status of the systems. PWS ¶ 4.5; AR, Exh. 8, TET Chair Statement at 3. ITegrity again concedes that this reference did not include preparing final assessment packages but asserts that it did include “Plans of Actions and Milestones,” a component of final authorization packages, and continuous monitoring, which is a related service. Protester’s Supp. Comments at 5; AR, Exh. 3b, ITegrity Quotation Vol. II – Non-Price Factors at 37. Here, the protester does not refute the agency’s findings that preparing authorization packages was absent from its reference or that the absence of this task was significant, but rather disagrees with the agency’s assessment and asserts the agency should have given greater weight to the related tasks its reference did include. Protester’s Supp. Comments at 5. Such an argument amounts to disagreement with the agency’s judgment and does not provide a basis to sustain a protest. D&G, supra at 9-10.
Finally, another important PWS task related to parent/child organizational models. The protester concedes that its second reference does not include an express description of parent/child organizational models, but argues that the “GSS,Major,Minor” systems mentioned in its reference are equivalent to parent/child models and that the agency is improperly ignoring it. Protester’s Supp. Comments at 5; AR, Exh. 3b, ITegrity Quotation Vol. II – Non-Price Factors at 37. The agency argues that the protester is incorrect that the GSS, Major and Minor systems are equivalent to parent/child models. MOL at 19-20. The agency explains that the PWS described parent/child models as either parent systems that are the primary information technology system with child systems as add-on enclaves, or parent systems as a governance system for child systems in which computer resources are deployed. PWS ¶ 4.1.4; AR, Exh. 8, TET Chair Statement at 4. The agency explains that the GSS, Major, and Minor systems and applications described do not align with the PWS descriptions of parent/child systems. AR, Exh. 8, TET Chair Statement at 4. The agency also points out that ITegrity’s first reference explicitly mentions parent/child models, and therefore it is unclear why ITegrity would not have referred to them expressly in its second reference if they were indeed part of the reference. Id.
The protester has not provided us with a basis to find the evaluation unreasonable in this regard. An agency’s evaluation of past performance is, by its nature, subjective, and that evaluation, including the agency’s assessments about relevance, scope and significance, are matters of discretion that we will not disturb absent a clear demonstration the assessments are unreasonable or inconsistent with the solicitation criteria. Pioneer Credit Recovery, Inc., B-419599, B‑419599.2, June 1, 2021, 2021 CPD ¶ 223 at 8. We are not persuaded that the terms “GSS,Major,Minor” are simply different terms for parent/child organization models, and even if they are, there is nothing in the second reference to make this clear. A vendor has the burden of submitting an adequately written quotation and runs the risk that its quotation will be evaluated unfavorably where it fails to do so. NextStep Tech., Inc., B‑416877, Jan. 3, 2019, 2019 CPD ¶ 16 at 5. ITegrity clearly referred to parent/child models in its first reference and bore the responsibility for being consistently clear that it intended to apply this term throughout its quotation. Referring to parent/child models by a different name, if they are in fact parent/child models, created an ambiguity that ITegrity could have avoided. Accordingly, we find no basis to conclude that the evaluation of ITegrity’s second reference was unreasonable or inconsistent with the terms of the solicitation.
Disparate Treatment
ITegrity also asserts that the agency unequally evaluated AttainX’s and ITegrity’s third past performance references. ITegrity asserts that the agency noted negative performance feedback that it received in its evaluation and downgraded its overall confidence rating as a result, yet the agency’s evaluation did not consider similar negative performance feedback about AttainX’s third reference. Protester’s Comments & Supp. Protest at 15-17. The agency responds that the differences in the overall confidence ratings are the results of the differences between the relevance of the references, and that the relevance of ITegrity’s third reference did not turn on negative performance feedback. Supp. MOL at 6-7. The agency also indicates that in any case, the agency did note the negative feedback AttainX received for its performance. Id. at 7-8; AR, Exh. 5, TET Report at 112-113.
Here, the protester has failed to show that the differences in ratings did not arise from differences in the relevance of the references. It is a fundamental principle of government procurement that agencies must treat offerors equally, which means, among other things, that they must evaluate quotations in an even-handed manner. Where a protester alleges unequal treatment in an evaluation, it must show that the differences in ratings do not stem from differences in the quotations. Agile-Bot II, LLC, B-419350.3, B-419350.4, June 16, 2021, 2021 CPD ¶ 231 at 10-12.
Here, as already discussed, the differences in the overall confidence ratings resulted from the relevance of the references submitted, which was based primarily on the size, scope, and complexity of the references. As noted above, the protester submitted only one very relevant reference for itself, no relevant references for one of its subcontractors and a somewhat relevant reference for its other subcontractor, whereas AttainX’s proposal included three very relevant references. In any event, the protester does not address the agency’s argument that its evaluation in fact acknowledged AttainX’s negative performance feedback and has provided us with no evidence that the agency did not consider the performance ratings of both vendors with equal scrutiny. Moreover, the record shows that the agency expressly noted the negative past performance feedback that Attainx received in its evaluation. See AR, Exh. 5, TET Report at 112-113 (stating that “[t]he [g]overnment encountered minor problems with providing quality planning, control, and delivery of technical tasks within the PWS [and as a result the vendor] . . . rectified issues by hiring additional staff.”). As a result, this protest ground is denied.[2]
The protest is denied.
Edda Emmanuelli Perez
General Counsel
[1] A penetration test is a security test that launches a mock cyberattack to find vulnerabilities in a computer system. IBM, What is Penetration Testing? https://www.ibm.com/topics/penetration-testing (last visited Sep. 16, 2024).
A parent/child organization model is a system hierarchy with multiple levels that tracks the relationships within the hierarchy. IBM, Parent-child hierarchies, https://www.ibm.com/docs/en/ida/9.1.2?topic=hierarchies-parent-child (last visited Sep. 16, 2024).
[2] ITegrity also asserts that the agency performed a flawed best-value tradeoff analysis as a result of the alleged evaluation errors. Protester’s Comments & Supp. Protest at 18. Where other challenges to an evaluation of quotations have been denied or otherwise dismissed, a derivative challenge to the best-value determination does not afford a basis to sustain the protest. NetCentrics Corp., B-421172.2, B-421172.3, Oct. 23, 2023, 2023 CPD ¶ 247 at 22. Here, we have denied all of the protester’s other challenges to the evaluation of quotations and therefore the protester’s derivative challenge to the best-value tradeoff analysis is dismissed.