Red River Computer Company, Inc.; MIS Sciences Corporation
Highlights
Red River Computer Company, Inc., of Claremont, New Hampshire, and MIS Sciences Corporation, of Burbank, California, protest the establishment of blanket purchase agreements (BPAs) with three vendors under request for quotations (RFQ) No. HSHQDC-16-Q-00195 issued by the Department of Homeland Security (DHS) for agency-wide enterprise computing services and cloud computing services. Both protesters assert that the agency improperly credited one of the awardees, Knight Point, with cloud system offerings that were not within the scope of the services provided on Knight Point's General Services Administration (GSA) schedule contract. In addition, Red River challenges the agency's evaluation of Knight Point's technical and price quotations, asserts that DHS evaluated quotations unequally, and contends that the agency conducted an improper best-value tradeoff determination. MIS also challenges the agency's evaluation of Knight Point's technical quotation and asserts that DHS engaged in unequal discussions.
We sustain Red River's protest in part and deny the remainder of the protest grounds raised by Red River and MIS.
DOCUMENT FOR PUBLIC RELEASE
The decision issued on the date below was subject to a GAO Protective Order. This version has been approved for public release.
Decision
Matter of: Red River Computer Company, Inc.; MIS Sciences Corporation
File: B-414183.8; B-414183.9; B-414183.10; B-414183.11; B-414183.12; B-414183.13
Date: December 22, 2017
Gregory R. Hallmark, Esq., Elizabeth N. Jochum, Esq., and Rodney M. Perry, Esq., Holland & Knight LLP, for Red River Computer Company, Inc.; David S. Black, Esq., Eric S. Crusius, Esq., Thomas M. Brownell, Esq., and Amy L. Fuentes, Esq., Holland & Knight LLP, for MIS Sciences Corporation, the protesters.
William A. Shook, Esq., The Law Offices of William A. Shook PLLC, for InfoReliance LLC; James C. Fontana, Esq., Jeffry R. Cook, Esq., and L. James D’Agostino, Esq., Dempsey Fontana, PLLC, for GovPlace, Inc.; Francis E. Purcell Jr., Esq., Thomas O. Mason, Esq., Raymond C. McCann, Esq., and Joseph R. Berger, Esq., Thompson Hine LLP, for Knight Point Systems, LLC, the intervenors.
James C. Richardson Jr., Esq., and Peter G. Hartman, Esq., Department of Homeland Security, for the agency.
Alexander O. Levine, Esq., and Jennifer D. Westfall-McGrail, Esq., Office of the General Counsel, GAO, participated in the preparation of the decision.
DIGEST
1. Protest of the establishment of a blanket purchase agreement (BPA) for cloud computing services against a vendor’s General Services Administration Federal Supply Schedule (FSS) contract is denied where the contracting agency properly determined that the services called for under the BPA were within the scope of the vendor’s FSS contract.
2. Protest challenging agency’s technical evaluation is denied where the agency evaluated quotations in accordance with the stated evaluation criteria and did not treat vendors unequally.
3. Protest asserting that agency conducted discussions with four vendors, but not with all of the vendors, is denied where the letter sent by the agency to the four vendors constituted clarifications rather than discussions.
4. Protest challenging agency’s price evaluation is sustained where one of the awardees failed to provide pricing discounts that complied with the solicitation requirements.
DECISION
Red River Computer Company, Inc., of Claremont, New Hampshire, and MIS Sciences Corporation, of Burbank, California, protest the establishment of blanket purchase agreements (BPAs) with three vendors under request for quotations (RFQ) No. HSHQDC-16-Q-00195 issued by the Department of Homeland Security (DHS) for agency-wide enterprise computing services and cloud computing services.[1] Both protesters assert that the agency improperly credited one of the awardees, Knight Point, with cloud system offerings that were not within the scope of the services provided on Knight Point’s General Services Administration (GSA) schedule contract. In addition, Red River challenges the agency’s evaluation of Knight Point’s technical and price quotations, asserts that DHS evaluated quotations unequally, and contends that the agency conducted an improper best-value tradeoff determination. MIS also challenges the agency’s evaluation of Knight Point’s technical quotation and asserts that DHS engaged in unequal discussions.
We sustain Red River’s protest in part and deny the remainder of the protest grounds raised by Red River and MIS.
BACKGROUND
On June 24, 2016, DHS issued the RFQ, which was limited to vendors holding GSA Federal Supply Schedule (FSS) Contract 70, General Purpose Commercial Information Technology, Equipment, Software and Services. RFQ at 3.[2] The purpose of the procurement was to provide DHS components with the ability to acquire commercial, commodity-based Infrastructure-as-a-Service (IaaS) cloud services[3] and to provide access to these “cloud services, either directly from Cloud Service Providers . . . or through their Resellers.”[4] Id. at 6. The Special Identification Numbers (SINs) applicable to this acquisition were SIN 132-52, Electronic Commerce and Subscription Services, and SIN 132-40, Cloud Computing Services. Id. at 3.
The solicitation anticipated that the contractor would provide IaaS cloud computing services that were authorized under the Federal Risk and Authorization Management Program (FedRAMP),[5] and which offered the essential characteristics of on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured services to meet DHS cloud computing needs. Id. at 8. Amendment 6, which was issued after the release of the final RFQ, clarified that a cloud system offering would be considered FedRAMP-authorized if it had any of the following designations: Joint Authorization Board provisional authorization (P-ATO), agency authorization, or cloud service provider supplied package.[6]
The solicitation contemplated the establishment of three to five BPAs and envisioned that task orders issued under the BPAs would be fixed-price, time and material, or a combination of the two. RFQ at 13, 64. Each BPA would have a 5-year term comprised of five 12-month ordering periods. Id. at 34-35. The solicitation provided that the maximum value of all task orders to be issued under the BPAs would be $1.6 billion. Id. at 13.
The solicitation provided for award on a best-value tradeoff basis, considering price and the following four non-price evaluation factors, in descending order of importance: (1) breadth of IaaS cloud services solutions offered; (2) cloud service solutions experience; (3) customer service approach; and (4) past performance. Id. at 64‑65. The non-price factors, when combined, were significantly more important than price. Id. at 65. As the non-price ratings become more equal, however, the solicitation stated that price would become more important in the award determination. Id. In the event the agency found two or more quotations to be technically equal, the agency reserved the right to award a BPA to the vendor that provided the greatest discount from its GSA schedule pricing. Id.
Relevant to these protests, under the breadth of IaaS cloud services solutions offered factor, the solicitation contemplated that quotations would be evaluated based on the “number of IaaS FedRAMP authorized Cloud Systems the Quoter is authorized to sell/resell to the Government at the time quotes are due.” Id. at 65. The RFQ anticipated that a “wider selection of offerings will be more favorably evaluated by the Government.” Id. Under this factor, the agency would also evaluate the “extent of the Quoter’s established relationship with each Cloud Service Provider whose products it intends to offer (e.g., special distributor or reseller status, awards, ratings, certifications, etc.).” Id. at 66.
Also relevant here, the solicitation permitted vendors to structure their quotations as either a GSA Multiple Award Schedule Contractor Teaming Arrangement or a GSA Prime Contractor/Subcontractor arrangement. Id. at 54. If a vendor opted for the latter arrangement, the solicitation provided as follows:
If a GSA Prime Contractor / Subcontractor Arrangement(s) is proposed, only the Prime Contractor must have a GSA Schedule 70 IT contract. GSA authorized subcontractors may fulfill requirements under the Prime Contractor’s GSA Contract number and pricing table. The Prime may not delegate responsibility for performance to subcontractors. The Prime cannot contract to offer services for which it does not hold a Schedule contract.
Id. The solicitation also stated that the “Quoter is responsible for verifying that the Original Equipment Manufacturer (OEM) Cloud Service Provider for the Quoter’s cloud computing services solution is in agreement with the terms and conditions of the BPA.” Id. at 53.
With regard to the price evaluation, the RFQ called for the agency to evaluate a cloud service scenario over the BPA’s 5-year ordering period. To enable this, vendors were instructed to complete “pricing model tables . . . by inputting the fixed unit prices, discounts, and extended prices offered at the BPA level for a scenario of Cloud Service Items 0001 through 0005 for the five (5) ordering periods.” Id. at 55. The RFQ stated that discounts submitted in the pricing model must “correspond to the discounts submitted for the BPA” and that prices “should reflect the Quoter’s best available offering to meet the identified DHS needs.” Id.[7]
DHS received 18 quotations in response to the solicitation. Red River Contracting Officer’s Statement (COS) at 3; MIS COS at 3. On November 30, 2016, DHS announced BPA awards to Knight Point and three other vendors, Four Points Technology, LLC, Govplace, and InfoReliance. Id. Following protests of these awards before our Office, DHS announced that it would take corrective action by conducting a new evaluation and making a new source selection determination. Id.
On February 13, 2017, DHS announced awards to three vendors: Four Points, Govplace, and InfoReliance. Id. at 4. Knight Point did not receive a BPA award in the reevaluation due to the agency’s conclusion that the majority of the cloud services Knight Point quoted were not on its GSA schedule contract. See Knight Point Sys., LLC, B-414183.3, B-414183.5, May 31, 2017, 2017 CPD ¶ 179 at 4.
In two decisions, our Office sustained protests filed by Red River and Knight Point to the BPA awards. In the Knight Point decision, our Office found that DHS had failed to properly evaluate whether the services proposed by Knight Point fell within the scope of its GSA schedule contract. Knight Point Sys., LLC, supra, at 7. Instead, our Office found that the agency had merely examined whether the cloud services offered in Knight Point’s quotation were listed by brand name on Knight Point’s schedule. Id. In light of this finding, we recommended that DHS conduct and document a new technical evaluation and prepare a new source selection decision. Id. at 9.
In the Red River decision, our Office sustained Red River’s protest on the basis that one of the awardees, Four Points, failed to comply with the solicitation requirement to use on-demand pricing, thereby resulting in the agency failing to evaluate price quotations equally. Red River Computer Co., Inc., B-414183.4 et al., June 2, 2017, 2017 CPD ¶ 157 at 11. In light of this finding, we recommended, among other actions, that DHS perform a price evaluation consistent with the requirements of the solicitation, and then rely on that evaluation as part of its source selection determination. Id. at 13.
In response, the agency conducted a reevaluation of the technical and price quotations for 16 of the vendors.[8] Red River COS at 4. As relevant here, the agency reevaluated the quotations as follows:
Breadth of IaaS Cloud Services |
Cloud Service Solutions Experience |
Customer Service Approach |
Past Performance |
Average Discounted Monthly Price |
|
Govplace |
Exceptional |
Exceptional |
Exceptional |
Very Good |
$227.00 |
InfoReliance |
Exceptional |
Exceptional |
Exceptional |
Very Good |
$487.24 |
Knight Point |
Exceptional |
Exceptional |
Exceptional |
Very Good |
$489.32 |
MIS |
Very Good |
Satisfactory |
Satisfactory |
Very Good |
$498.26 |
Red River |
Exceptional |
Very Good |
Satisfactory |
Very Good |
$509.34 |
AR, Tab 12, Best Value Tradeoff Presentation, at 17.[9]
On September 12, 2017, DHS issued letters of award to Govplace, InfoReliance, and Knight Point. Red River COS at 4; MIS COS at 4. These protests followed.
DISCUSSION
The protesters challenge the technical evaluation of Knight Point’s quotation and contend that the agency improperly credited Knight Point with proposing cloud system offerings that did not meet the solicitation requirements and which were not within the scope of Knight Point’s GSA schedule contract. MIS further argues that the agency engaged in unequal discussions by conducting discussions with some of the vendors, but not with MIS. Red River, in turn, asserts that DHS treated vendors unequally by assigning its quotation a weakness under the customer service approach factor, but not assigning a similar weakness to Knight Point’s quotation. In addition, Red River challenges the agency’s price evaluation, contending that Knight Point’s price quotation was materially non-compliant. Both protesters contend that DHS’s best-value tradeoff determination was flawed as a result of such errors.[10]
For the reasons discussed below, we sustain Red River’s protest in part and deny the remainder of the protest grounds.
Technical Evaluation
Both MIS and Red River argue that the agency failed to properly evaluate whether the unique cloud systems offered by Knight Point in its quotation were included on Knight Point’s GSA schedule. In this regard, while the RFQ permitted vendors to enter into subcontracting agreements to provide the cloud systems being solicited, it also prohibited the prime contractor from contracting to offer services for which it does not hold a schedule contract. RFQ at 54. MIS asserts, however, that DHS failed to specifically compare the services being quoted by Knight Point to the line items included on its schedule, and instead “simply paid lip service to such a comparison by referencing the threadbare descriptions of the service offerings of Knight Point’s subcontractors.” MIS Comments at 7. MIS further contends that DHS was prevented from conducting a reasonable comparison of each quoted cloud system offering by the failure of Knight Point’s quotation to include a breakdown of specifications for each cloud system offering. Both protesters assert that had DHS reasonably analyzed this issue, it would have concluded that Knight Point quoted cloud systems that were not within the scope of services provided under its GSA schedule. In support of this point, Red River notes that many of the specific features of the cloud system offerings included in Knight Point’s quotation, such as [DELETED], were not provided on Knight Point’s schedule. For the reasons discussed below, we disagree with the arguments raised by the protesters and instead find that the agency reasonably determined that the services quoted by Knight Point were within the scope of its GSA schedule contract.
An agency may not use schedule contracting procedures to purchase items that are not listed on a vendor’s GSA schedule. Tri-Starr Mgmt. Servs., Inc., B-408827.2, B-408827.4, Jan. 15, 2015, 2015 CPD ¶ 43 at 8. When a concern arises that a vendor is offering services outside the scope of its schedule contract, the relevant inquiry is whether the services offered are actually included on the vendor’s contract, as reasonably interpreted. American Sec. Programs, Inc., B-402069, B-402069.2, Jan. 15, 2010, 2010 CPD ¶ 2 at 3. In this regard, our Office will consider whether the function being sought under a particular solicitation is the same as the function covered under a vendor’s schedule contract. Tarheel Specialties, Inc., B-298197, B-298197.2, July 17, 2006, 2006 CPD ¶ 140 at 9.
Knight Point’s GSA schedule contract does not list, by brand name, the [DELETED] cloud systems offered by Knight Point’s subcontractors. See AR, Tab 18c, Knight Point Quotation, Vol. III, Tab B, at 49-54. Rather, as Knight Point explained in its quotation, it adopts a [DELETED] approach, which [DELETED]. AR, Tab 18b, Knight Point Quotation, Vol. II, Tab C, at 1. In other words, Knight Point’s schedule contract includes [DELETED]. AR, Tab 18a, Knight Point Quotation, Vol. I, Sec. 2.3, at 2. As a result of this portfolio of solutions, [DELETED]. AR, Tab 18c, Knight Point Quotation, Vol. III, Tab B, at 49. Knight Point asserts that this flexible approach enables it to include all [DELETED] FedRAMP authorized cloud systems provided by its subcontractors while obviating the need to make constant updates to its GSA schedule contract. AR, Tab 18a, Knight Point Quotation, Vol. I, Sec. 2.3, at 2.
The agency’s reevaluation of Knight Point’s quotation credited this explanation, quoting it in support of DHS’s conclusion that the [DELETED] “service offerings are available thru the [Knight Point] GSA schedule contract GS-35F-0646S, as described in their Quote.” AR, Tab 21, Tech. Evaluation Team Consensus Report (TET Report) of Knight Point, at 2. DHS further noted that because the CLINs listed on Knight Point’s schedule are not specific to the cloud service provider, “all cloud service providers identified above can be delivered through the use of the [Knight Point] common CLIN structure as described in their quotation.” Id. at 2-3.
To assess the reasonableness of this determination, we first examine the function sought by the solicitation. In this regard, the RFQ states that the purpose of the acquisition “is to provide DHS components with the ability to acquire commercial, commodity-based [IaaS] cloud services.” RFQ at 6. Cloud services were defined as having the essential characteristic of on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured services to meet DHS cloud computing needs. Id. at 8. The IaaS solutions sought would support on-demand provisioning, access and control of a shared pool of configurable fundamental computing and storage resources.[11] Id. As these definitions suggest, the commercial, commodity-based IaaS function being solicited was to provide DHS with flexible access to infrastructure in order to execute certain essential computing functions.
In light of this function, we find reasonable the agency’s conclusion that Knight Point’s [DELETED] approach provided the commercial, commodity-based IaaS function requested by the solicitation. In this regard, Knight Point’s schedule provides generic product names and descriptions of cloud computer services such as: bandwidth to customer; data transfer; public IP; LAN to LAN IPSEC Tunnel; Gb storage; a la carte CPU and a la carte RAM; bundled compute resources; installation services, etc. See AR, Tab 18c, Knight Point Quotation, Vol. III, at 49-51. These generic cloud computing descriptions enable Knight Point to [DELETED] in order to match the agency’s solicited requirements. For instance, the agency sought as part of the cloud services scenario, “Virtual Machines--Windows: 2vCPU, 2GB vRam, 2 vNIC adapters.” RFQ at 56. In response to this request, Knight Point was able to quote [DELETED] from its schedule that met these precise specifications. See AR, Tab 18b, Knight Point Quotation, Vol. II, Tab C-3. While the protesters assert that the agency failed to match the individual, value-added features encompassed by each quoted IaaS offering, we do not find such an analysis to be required where, as here, the core function of the cloud services being quoted falls within the scope of the line items offered on Knight Point’s schedule.
Red River additionally argues that DHS improperly credited Knight Point, under the breadth of IaaS cloud service solutions offered factor, for cloud system offerings that Knight Point was not authorized to resell. The solicitation contemplated that this evaluation factor would consider the “number of IaaS FedRAMP authorized Cloud Systems the Quoter is authorized to sell/resell to the Government at the time quotes are due.” RFQ at 65. Red River contends that DHS improperly credited Knight Point with providing [DELETED] different cloud system offerings despite the fact that Knight Point lacks an established relationship with the cloud service providers for those [DELETED] offerings. Red River additionally points out that Knight Point is not an authorized reseller for such cloud system offerings and instead proposed to subcontract with companies that have relationships with the applicable cloud service providers in order to include such offerings in Knight Point’s quotation.
Where a protester and agency disagree over the meaning of solicitation language, we will resolve the matter by reading the solicitation as a whole and in a manner that reasonably gives effect to all its provisions. Solec Corp., B-299266, Mar. 5, 2007, 2007 CPD ¶ 42 at 2. We will not read a provision restrictively where it is not clear from the solicitation that such a restrictive interpretation was intended by the agency. XTec, Inc., B-299744.2, B-299744.3, Aug. 6, 2007, 2007 CPD ¶ 148 at 11.
Here, we do not agree with the restrictive interpretation of the solicitation language advocated by Red River. In this regard, we note that the solicitation broadly permitted vendors to utilize prime contractor/subcontractor arrangements to fulfill solicitation requirements. See RFQ at 54. The RFQ also provided that such subcontractors “may fulfill requirements under the Prime Contractor’s GSA Contract number and pricing table.” Id. The solicitation cautioned, however, that the prime contractor “may not delegate responsibility for performance to subcontractors” and “cannot contract to offer services for which it does not hold a Schedule contract.” Id. Reading the solicitation as a whole, therefore, we find the agency’s interpretation reasonable, i.e., that the solicitation permitted prime contractors to offer cloud systems through authorized subcontractors. We note, as discussed above, that the cloud system offerings quoted by Knight Point fell within the scope of its GSA schedule. Accordingly, we find it reasonable for DHS to have concluded that Knight Point would be able to provide the cloud system offerings included in its quotation.
Red River also asserts that Knight Point is not authorized to resell the [DELETED] cloud system offerings in question under its GSA schedule contract because it does not have a letter of supply from the original equipment manufacturer as required by GSA Schedule program requirements. In this regard, the GSA Schedule 70 solicitation provides:
If you are not the manufacturer of the product(s) you are offering, an acceptable Letter of Commitment/Supply must be provided. See Clause I-FSS-644 Dealers and Suppliers in the Basic Solicitation and the letter requirements. Failure to provide acceptable Letters of Commitment/Supply may result in rejection of the offer as non-responsive. See Letter of Supply template for required language.
AR, Tab 30, GSA Schedule 70 Solicitation, at ii. Red River argues that Knight Point does not have letters of supply from the cloud service providers that manufacture the cloud systems included in Knight Point’s quotation. The protester asserts that, as a result, Knight Point may not resell the [DELETED] cloud system offerings via its GSA schedule.
In our view, this argument concerns a matter of contract administration that is beyond the scope of our bid protest jurisdiction. See Bid Protest Regulations, 4 C.F.R. § 21.5(a); see also Boehringer Ingelheim Pharm., Inc., B-294944.3, B-295430, Feb. 2, 2005, 2005 CPD ¶ 32 at 2 n.3. In this regard, any requirement to possess a letter of supply was not an express requirement found in the BPA RFQ, nor were vendors asked to submit such letters in their quotations.[12] Instead, the quoted language is found in the GSA Schedule 70 solicitation, which was issued by the GSA, not DHS. Accordingly, the issue of whether Knight Point is in compliance with that requirement relates to whether it is in compliance with its underlying GSA schedule contract and therefore is a matter of contract administration.[13]
MIS also challenges the agency’s technical evaluation of Knight Point’s quotation, arguing that DHS failed to find that the cloud system offerings quoted by Knight Point were FedRAMP-authorized as required by the RFQ. In this regard, the RFQ provided that “[s]ervices provided must be authorized by [FedRAMP] as demonstrated by FedRAMP [P-ATO or ATO].” RFQ at 6.[14] MIS argues that there is no indication in either Knight Point’s quotation or in its schedule contract that its quoted cloud system offerings met this requirement. MIS further asserts that there is no indication in the evaluation record that DHS independently verified whether Knight Point’s cloud system offerings met this requirement.
Based on our review of the evaluation record, we do not agree. While Knight Point’s quotation did not specifically reference which cloud system offerings had received an ATO or P-ATO, the solicitation did not require vendors to specifically include this information. Instead, the solicitation required vendors to complete a table of their cloud system offerings, and to list each cloud system “exactly as identified” on the FedRAMP website. RFQ at 51. Knight Point complied with this requirement, listing its [DELETED] cloud system offerings in the “exactly as identified” column of the appropriate table. AR, Tab 18A, Knight Point Quotation, Vol. I, at Table A-1.
The record evidences that the agency appropriately considered this issue. While the evaluation record does not indicate affirmatively whether such offerings had received an ATO or P-ATO (or were part of a cloud service provider-supplied package), the record fully supports the conclusion that the agency examined the FedRAMP authorization status of Knight Point’s cloud system offerings as contemplated by the RFQ. For instance, in reviewing Knight Point’s quotation, the technical evaluation team concluded that “Team [Knight Point] offers an exceptionally diverse number of FedRAMP services, products, and tools . . .” AR, Tab 21, TET Report of Knight Point, at 3. The corrective action decision memorandum similarly noted that Knight Point’s “IaaS FedRAMP authorized offerings provided [DELETED] IaaS FedRAMP authorized offerings.” AR, Tab 13, Corrective Action Decision Official Memorandum (CADOM), at 7. In addition to such assessments, the agency also reviewed the FedRAMP impact levels applicable to Knight Point’s cloud system offerings, noting, for instance, that “[a]ll Team KPS offerings have FedRAMP Moderate authorization.” AR, Tab 21, TET Report of Knight Point, at 3.
While MIS argues that the agency failed to document its analysis of the specific ATO or P-ATO status of each Knight Point cloud system offering, we note that an agency is not required to document how it rated or disposed of every component in a vendor’s quotation. See Hernandez Eng’g, Inc.; ASR Int’l Corp., B-286336 et al., Jan. 2, 2001, 2001 CPD ¶ 89 at 9. While DHS was required to document its evaluation in sufficient detail to permit a meaningful review of the evaluation, see KMS Fusion, Inc., B-242529, May 8, 1991, 91-1 CPD ¶ 447 at 7, we think that it did so here by documenting its determination that Knight Point’s cloud system offerings were FedRAMP-authorized. While MIS asserts that more was required, we note that MIS has not pointed to any Knight Point cloud system offering that it contends did not have a relevant ATO or P-ATO.
Unequal Treatment
Red River argues that DHS engaged in unequal treatment. Specifically, the protester alleges that DHS improperly assessed a weakness in Red River’s customer service approach due to a lack of clarity regarding whether the vendor would provide direct access to the cloud service provider for ordering, configuring, and provisioning IaaS resources,[15] but ignored a similar ambiguity in Knight Point’s quotation.
In conducting procurements, agencies may not generally engage in conduct that amounts to unfair or disparate treatment of competing vendors. Arc Aspicio, LLC et al., B-412612 et al., Apr. 11, 2016, 2016 CPD ¶ 117 at 13. Where a protester alleges unequal treatment in a technical evaluation, it must show that the differences in ratings do not stem from differences between the vendors’ quotations. See Camber Corp., B-413505, Nov. 10, 2016, 2016 CPD ¶ 350 at 8.
Based on our review of the record, we are not persuaded that the agency treated the two vendors unequally. Instead, we find that the differences in treatment stem from differences in the vendors’ quotations. In this regard, we note that Knight Point’s quotation was clearer than Red River’s quotation in addressing the requirement for the agency to have direct access to the cloud service provider for ordering, configuring, and provisioning IaaS resources. For instance, Knight Point’s quotation stated, as part of the description of its ordering process, that “DHS personnel are able to self-provision resources.” AR, Tab 18a, Knight Point Quotation, Vol. I, at § 2.3.2. The quotation also stated that “[a]ll services provided by Team [Knight Point] are geared toward allowing customers to self-serve [DELETED].” Id. Additionally, while Knight Point’s quotation described how [DELETED] customers could [DELETED] for provisioning, it also stated that [DELETED]. Id.
In contrast, Red River’s quotation was less clear on whether the vendor would provide direct access to the cloud service provider for ordering, configuring, and provisioning IaaS resources. Indeed, Red River’s quotation did not expressly provide this specific access, even as it noted in several places that Red River would provide provisioning services itself. For instance, Red River’s quotation stated that the Red River team would [DELETED] and would [DELETED]. AR, Tab 7a, Red River Technical Quotation, at 25. Red River’s quotation also provided a chart that detailed the use of Red River’s [DELETED] for ordering and noted that “Red River team to provision service and setup reports, alerts.” Id. at 24. Accordingly, we do not conclude that DHS treated Red River’s quotation unequally for assigning a weakness based on the lack of clarity on this issue.
Unequal Discussions
MIS asserts that DHS engaged in unequal discussions when it sent what the agency termed a letter of clarification to four of the vendors, but did not formally open discussions with any of the vendors including MIS. The protester contends that these letters actually constituted discussions because they permitted the four vendors to provide information that was missing from their quotations and that was needed for such quotations to be deemed technically acceptable.
In this regard, the letters stated that:
In accordance with the solicitation, Section 4, (Instruction To Quoters, Volume II -Business & Price Quote, Tab A: BPA Cloud Pricing Model) the following issue was identified with your quote: The quoter did not address the statement that “The Quoter is responsible for verifying that the Original Equipment Manufacturer (OEM) Cloud Service Provider for the Quoter’s cloud computing services solution is in agreement with the terms conditions of the BPA.” Please address the above statement.
AR, Tab 25, Clarification Letters, at 1-3. The letters further advised that they were “written strictly for clarification purposes” and that vendors would not be permitted to submit a revised quotation in response to the letter. Id.
There is no requirement in Federal Acquisition Regulation (FAR) subpart 8.4 that an agency seek clarifications or otherwise conduct discussions with vendors. USGC Inc., B-400184.2 et al., Dec. 24, 2008, 2009 CPD ¶ 9 at 3. However, exchanges that do occur with vendors in a FAR subpart 8.4 procurement, like all other aspects of such a procurement, must be fair and equitable; our Office has looked to the standards in FAR part 15 for guidance in making this determination. Arrington Dixon & Assocs., Inc., B-409981, B-409981.2, Oct. 3, 2014, 2014 CPD ¶ 284 at 9. In this regard, clarifications are “limited exchanges” that agencies may use to allow vendors to clarify certain aspects of their proposals or quotations or to resolve minor or clerical mistakes. See FAR § 15.306(a)(1), (2); PricewaterhouseCoopers Public Sector, LLP, B-413316.2, B-413316.3, Dec. 27, 2016, 2017 CPD ¶ 12 at 13. Discussions, by contrast, occur when an agency communicates with a vendor for the purpose of obtaining information essential to determining the acceptability of a quotation, or provides the vendor with an opportunity to revise or modify its quotation in some material respect. PricewaterhouseCoopers Public Sector, LLP, supra, at 13; see FAR § 15.306(d). The agency’s characterization of a communication as clarifications or discussions is not controlling; it is the actions of the parties that determine whether discussions have been held. Kardex Remstar, LLC, B-409030, Jan. 17, 2014, 2014 CPD ¶ 1 at 4.
Here, we conclude that the letters at issue do not constitute discussions, because the requested information was not necessary for determining the technical acceptability of the quotations at issue. In this regard, we note that the solicitation language quoted by the letters does not clearly establish a requirement that the vendor affirm, within its quotation, the OEM cloud service provider’s agreement with the BPA terms and conditions.[16] This is in sharp contrast to other solicitation provisions, where the RFQ expressly spells out that the vendor must include certain information within its quotation. For instance, in the sentence preceding the one at issue, the solicitation states “[t]he Quoter shall include the Quotation Cover/Transmittal Letter, signed copy of the Standard Form (SF) 18 ‘Request for Quotation: signed copies of the SF30, if applicable, and disclosures and other certifications, i.e., [Homeland Security Acquisition Regulation (HSAR)] 3052.209-70 and HSAR 3052.209-73.” RFQ at 53.
Nor is there any indication within the contemporaneous record that the agency considered vendors to be technically unacceptable when they did not provide the agency with a written affirmation of the OEM’s agreement. In this regard, we note that the agency’s business evaluation memorandum flagged 11 vendors as having not addressed the Tab A OEM requirement. See AR, Tab 11, Corrective Action Business Price Evaluation, at 11-14. Yet the agency did not find any of these vendors to be technically unacceptable on this basis, despite only sending letters to 4 of the 11 vendors.
It therefore does not appear that vendors were required to include, within their quotations, a written affirmation of the OEM’s agreement to the BPA terms and conditions in order to be considered technically acceptable. In light of this fact, we conclude that the letters sent to the four vendors were clarifications since they did not request information that was required for technical acceptability, and since the letters did not provide vendors with an opportunity to revise their quotations.
Price Evaluation
Red River additionally argues that the agency’s price evaluation was flawed because Knight Point provided pricing that was not compliant with solicitation requirements. Specifically, Red River asserts that Knight Point’s cloud scenario pricing was calculated by using additional task order-level discounts, instead of simply using BPA-level discounts to calculate such pricing, as required by the solicitation.
A quotation that fails to conform to material terms and conditions of a solicitation should be considered unacceptable and may not form the basis for an award. Technology & Telecomms. Consultants, Inc., B-413301, B-413301.2, Sept. 28, 2016, 2016 CPD ¶ 276 at 12. Where an irregularity in a quotation results in benefits to the vendor that were not extended to all of the vendors by the solicitation, and is prejudicial to other vendors, the quotation is unacceptable. Capitol Supply, Inc., B-309999.3, Jan. 22, 2008, 2008 CPD ¶ 35 at 6; see also Tri-State Gov't Servs., Inc., B-277315.2, Oct. 15, 1997, 97-2 CPD ¶ 143 at 4.
At issue here, the solicitation required vendors to complete a pricing model table for a cloud service scenario by “inputting the fixed unit prices, discounts, and extended prices offered at the BPA level for a scenario of Cloud Service Items 0001 through 0005 for the five (5) ordering periods.” RFQ at 55. The solicitation further provided that:
Discounts submitted in the pricing model for purposes of evaluation must correspond to the discounts submitted for the BPA. Quoters are advised that DHS ordering components will seek additional discounts or price reductions for task orders placed under the BPA.
Id.
The RFQ thus contemplated that, although DHS was not ordering the items requested by the cloud service scenario, the pricing submitted would be used for evaluation purposes. Id. at 67. The RFQ further noted that the agency did not intend to calculate or evaluate vendors’ aggregate pricing. Id. Without such aggregate pricing, the cloud scenario pricing became the primary means by which DHS evaluated and compared vendors’ pricing. See, e.g., AR, Tab 13, CADOM, at 7-10 (detailing DHS’s tradeoff analysis).
In its price quotation, Knight Point provided two BPA-level discounts that would apply to all pricing submitted under the BPA, with the specific discount used depending on which SIN the cloud service item fell under. See AR, Tab 18b, Knight Point Quotation, Vol. II, at Tab C-1. Knight Point also stated that it was prepared to offer additional discounts on CLINs at the task order level to ensure that it provided the greatest possible value to the government. Id. Knight Point provided further information on what these task order-level discounts might entail by providing a table of “average additional task order level discounts on schedule line items” for each cloud service line item used in its pricing model. Id.[17]
In completing its pricing model, Knight Point used proposed discounts that were created by summing its BPA-level discounts and various additional task order-level discounts. While the agency argues that this methodology was consistent with the solicitation instructions, we do not agree. The RFQ, here, required vendors to provide prices and discounts in the cloud pricing model “at the BPA level,” expressly noting that the discounts used in the model “must correspond to the discounts submitted for the BPA.” RFQ at 55. The RFQ noted that once DHS issued task order solicitations, the agency would then “seek additional discounts or price reductions for task orders placed under the BPA.” Id.
The RFQ therefore contemplated that vendors would use BPA-level discounts in completing the pricing model. Knight Point, however, did not use its BPA-level discounts to determine its pricing, instead creating task order level discounts that purportedly reflected what Knight Point would have quoted had the pricing model CLINs been issued as a task order solicitation. Such discounts were not binding on Knight Point, as it would be under no obligation to use the same arbitrary “average task order discounts” even if the agency were to issue a task order solicitation for the exact same line item. Nor were these discounts consistent with Knight Point’s overall BPA discounts. Accordingly, we find that Knight Point’s cloud service scenario discounts and pricing were not compliant with the solicitation requirements.
Moreover, we note that, by ignoring the solicitation requirement to use BPA-level discounts, Knight Point realized a tremendous price advantage over vendors that followed the solicitation’s instructions and used their BPA-level discounts to determine relevant pricing. By providing such discounts, Knight Point’s total proposed discount rose from approximately [DELETED] percent to [DELETED] percent, which represented a drop in its average discounted monthly price of more than [DELETED] percent. See AR, Tab 18b, Knight Point Quotation, Vol. II, at Tab C-1. This led to a price competition in which Knight Point was not competing on an equal basis with the other vendors.
Prejudice
As noted above, we conclude that the agency’s price evaluation of Knight Point’s quotation was unreasonable. Our Office, however, will not sustain a protest unless the protester demonstrates a reasonable possibility that it was prejudiced by the agency’s actions; that is, unless the protester demonstrates that, but for the agency’s actions, it would have had a substantial chance of receiving the award. McDonald-Bradley, B-270126, Feb. 8, 1996, 96-1 CPD ¶ 54 at 3.
Here, we conclude that there is a reasonable possibility Red River was prejudiced by the above error. In this regard, had the agency conducted a proper price evaluation, it would not have been able to evaluate Knight Point’s quotation on an equal basis to the other vendors and would have needed to either eliminate Knight Point’s quotation from the competition or to accept revised pricing quotations. Either avenue would have created a substantial chance that Red River would have been able to receive an award. In this regard, we note that of the vendors that did not receive an award, Red River’s quotation received the highest technical ratings. See AR, Tab 13, CADOM, at 4. In such circumstances, we resolve any doubts regarding prejudice in favor of a protester since a reasonable possibility of prejudice is a sufficient basis for sustaining a protest. See Kellogg, Brown & Root Servs., Inc.--Recon., B-309752.8, Dec. 20, 2007, 2008 CPD ¶ 84 at 5. Accordingly, we conclude that Red River has established the requisite competitive prejudice to prevail in a bid protest.
RECOMMENDATION
We recommend that the agency perform a price evaluation consistent with the requirements of the solicitation, and then rely on that evaluation as part of its source selection determination. Alternately, the agency may choose to amend the solicitation requirements and/or seek revised quotations from vendors. If, upon reevaluation of quotations, the quotations of vendors other than the current awardees are determined to offer the best value to the government, DHS should terminate the existing BPAs for the convenience of the government and establish BPAs with the selected vendors. We also recommend that Red River be reimbursed the costs of filing and pursuing this protest, including reasonable attorneys’ fees. 4 C.F.R. § 21.8(d)(1). The protester’s certified claim for costs detailing the time expended and the costs incurred must be submitted to the agency within 60 days after receipt of this decision. 4 C.F.R. § 21.8(f).
The protests are sustained in part and denied in part.
Thomas H. Armstrong
General Counsel
[1] These vendors are: (1) Knight Point Systems, LLC, of Reston, Virginia; (2) Govplace Inc., of Reston, Virginia; and (3) InfoReliance Corporation, of Fairfax, Virginia.
[2] Unless otherwise noted, citations to the RFQ refer to the version of the solicitation issued on August 19, 2016, provided in tab 4 of both sets of agency reports (AR) provided in response to these protests.
[3] Infrastructure-as-a-Service provides an agency the capability to provision processing, storage, networks, and other fundamental computing resources and to run its own software, including operating systems and applications. Cloud Computing: Agencies Need to Incorporate Key Practices to Ensure Effective Performance, GAO‑16‑325 at 4‑5 (April 2016). The agency does not manage or control the underlying infrastructure, but controls and configures operating systems, storage, deployed applications, and possibly selected networking components, such as host firewalls. Id. at 5.
[4] The solicitation defined cloud service providers as “private industry suppliers or resellers providing cloud offerings and solutions to government and commercial customers.” RFQ at 5.
[5] FedRAMP is a government-wide program providing a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. SRA Int’l, Inc., B-409939, Sept. 2, 2014, 2014 CPD ¶ 264 at 2 n.1. All federal agencies must meet FedRAMP requirements when using cloud services and the cloud service providers must implement the FedRAMP security requirements in their cloud environment. Cloud Computing: Agencies Need to Incorporate Key Practices to Ensure Effective Performance, supra, at 7.
[6] As a general matter, cloud systems with a FedRAMP P-ATO have undergone a rigorous technical review by the FedRAMP program management office (PMO), been assessed by a FedRAMP accredited third party assessment organization (3PAO), and received a P-ATO from the DHS, Department of Defense, and GSA chief information officers. FedRAMP Package Validation Process, FedRAMP, available at https://www.fedramp.gov/resources/documents-2016/ (last visited Dec. 21, 2017). Cloud systems with an agency authorization have worked directly with a customer agency to achieve a FedRAMP-compliant authority to operate (ATO) that has been verified by the FedRAMP PMO. Id. Cloud systems that are part of a cloud service provider supplied package have submitted to the FedRAMP PMO a completed security assessment package that has been assessed by a FedRAMP accredited 3PAO. Id.
[7] For the evaluation of the remainder of vendors’ price quotations, the RFQ anticipated that DHS would “evaluate the individual areas in each vendor’s price quotation to make a determination of price reasonableness,” but also warned that the agency did not intend to evaluate aggregate pricing for the vendors’ solutions, i.e., by determining an overall bottom line price for the entire 5-year BPA ordering period. Id. at 64.
[8] The agency stated that 2 of the 18 quotations received were not “provided for technical and past performance evaluation.” AR, Tab 9, Corrective Action Tech. Evaluation Report, at 1 n.1. In this regard, one of the quotations was missing any pricing information, and the vendor that submitted the second quotation notified the agency that its quotation “was not a formal bid.” Id.
[9] Subsequent to the submission of separate agency reports, our Office consolidated Red River’s and MIS’s protests. The two agency reports contain many of the same documents, albeit with different tab numbers. Unless otherwise indicated, citations made herein cite to documents using the tab numbers provided under Red River’s protests, docketed as B-414183.8, .9, .10, and .12.
[10] While we do not address every argument raised by Red River and MIS in their protests, we have reviewed each issue and, with the exception of Red River’s below-discussed challenge to the agency’s price evaluation, do not find any basis to sustain the protest. For example, MIS raised various challenges to DHS’s evaluation of its technical quotation. We dismissed these arguments as untimely because MIS was previously advised of the agency’s evaluation findings but failed to protest them within 10 calendar days of when it knew, or should have known, its basis for protest. See 4 C.F.R. § 21.2(a)(2). Specifically, after an earlier award decision, DHS provided MIS with an explanation of its evaluation findings which was nearly identical to the explanation provided to MIS after the current award decision. Despite receiving this explanation, however, MIS did not raise its challenge to these conclusions until the instant protest, which was filed more than seven months later. The fact that an agency makes a new source selection decision or reevaluates vendors’ quotations does not provide a basis for reviving otherwise untimely protest allegations where, as here, the basis of the otherwise untimely protest allegations concern aspects of the agency’s evaluation that were not subsequently affected by the agency’s corrective action. Synergy Solutions, Inc., B-413974.3, June 15, 2017, 2017 CPD ¶ 332 at 7; Savvee Consulting, Inc., B-408416.3, Mar. 5, 2014, 2014 CPD ¶ 92 at 6.
[11] These definitions conform to the definition of IaaS provided by the National Institute of Standards and Technology (NIST) in its publication “NIST Definition of Cloud Computing,” a document that was specifically referenced in the solicitation. See RFQ at 7. In the NIST document, IaaS was defined as the “capability provided to the consumer . . . to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls).” NIST, U.S. Department of Commerce, SP800-145, “NIST Definition of Cloud Computing,” at 3, Sept. 2011, available at http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-14… (last visited on Dec. 21, 2017).
[12] We further note that it is not clear that the letter of supply requirement, which applies when the vendor is “not the manufacturer of the product” being offered, is applicable here as the cloud system offerings are better described as services rather than products. Cf. Small Business Government Contracting and National Defense Authorization Act of 2013 Amendments, 81 Fed. Reg. 34243, 34255 (May 31, 2016) (describing the Small Business Administration’s view that cloud based solutions are services that are being provided to the government rather than supplies that the government is purchasing).
[13] Additionally, while DHS may reject a quotation that is inconsistent with the terms of the vendor’s underlying GSA contract, here we do not conclude that the agency was on notice of such an inconsistency, particularly in light of the fact that letters of supply were not required to be submitted in response to the RFQ.
[14] RFQ Amendment 6 later clarified that the agency would also consider a cloud service provider-supplied package to be FedRAMP-authorized.
[15] This was one part of a significant weakness assessed by DHS due to a lack of clarity in Red River’s quotation in describing what services were on-demand vs. by request only, centralized vs. decentralized, automated vs. manual, and what the division of control would be between Red River and the government. See AR, Tab 14, TET Report of Red River, at 6.
[16] The section of the solicitation where the verification requirement appears further supports the conclusion that the RFQ language was not intended to create a requirement to include an affirmative certification within the quotation. In this regard, the language in question is located within the RFQ section discussing Tab A of the price quotation. See RFQ at 53. The RFQ, however, also provided a list of documents to be included within Tab A, including a cover/transmittal letter and various completed standard forms and regulatory disclosures. Not included in this list was any document that would logically encompass a certification regarding the OEM cloud service provider’s agreement to the BPA terms and conditions.
[17] We note that such “average task order level discounts” were not true weighted averages of the discounts provided in Knight Point’s cloud services scenario. In this regard, Knight Point calculated the “average task order level discount” for each pricing model line item by summing the task order discounts for each component included in that line item and then dividing the sum by the total number of components without consideration of the differences in the components’ pricing.