Atlantic Systems Group, Inc.
Highlights
Atlantic Systems Group, Inc. (ASG), of Rockledge, Florida, protests the issuance of an order to IntePros Federal, Inc., of Washington, D.C., under request for quotations (RFQ) No. EDEICM16Q0003, issued by the Department of Education (DOE) for Cybersecurity Risk Management Framework (CRMF) services. ASG asserts that the agency unreasonably evaluated its proposal.
We deny the protest.
DOCUMENT FOR PUBLIC RELEASE
The decision issued on the date below was subject to a GAO Protective Order. This redacted version has been approved for public release.
Decision
Matter of: Atlantic Systems Group, Inc.
File: B-413901; B-413901.2
Date: January 9, 2017
James M. White, Esq., Marshall & White, PLLC, for the protester.
Michael Hall, Inteprosfed, for the intervenor.
Sara Falk, Esq., and Jose Otero, Esq., Department of Education, for the agency.
Mary G. Curcio, Esq., and Laura Eyester, Esq., Office of the General Counsel, GAO, participated in the preparation of the decision.
DIGEST
1. Protest challenging agency’s evaluation of proposals under technical approach and past performance factors is denied where evaluation is reasonable and in accordance with the solicitation.
2. Protest that agency was required to consider proposed subcontractor’s past performance is denied where solicitation is conducted under Federal Acquisition Regulation part 8, and where the solicitation only requested past performance information for the “offerors.”
DECISION
Atlantic Systems Group, Inc. (ASG), of Rockledge, Florida, protests the issuance of an order to IntePros Federal, Inc., of Washington, D.C., under request for quotations (RFQ) No. EDEICM16Q0003, issued by the Department of Education (DOE) for Cybersecurity Risk Management Framework (CRMF) services. ASG asserts that the agency unreasonably evaluated its proposal.
We deny the protest.
BACKGROUND
On March 23, 2016, the agency issued the solicitation pursuant to Federal Acquisition Regulation (FAR) § 8.405-2, Ordering Procedures for Services Requiring a Statement of Work. RFQ at 1; Memorandum of Law (MOL) at 2. The procurement was set-aside for service-disabled veteran-owned small business concerns holding General Service Administration Federal Supply Schedule (FSS) Contract 70, General Purpose Commercial Information Technology Equipment, Software, and Services, Special Identification Number 132 51, Information Technology Professional Services. The solicitation provided for the issuance of an order on a best-value tradeoff basis, considering, in descending order of importance, the following factors: technical approach, resource plan, management plan, corporate experience, past performance, and price.[1] RFQ at 51.
The agency issued the RFQ for technical, engineering, management, operation, logistical, and administrative support for its CRMF. RFQ at 58. The CRMF is the basis for the development of the agency’s cybersecurity risk management program, and is a major feature of the initiative to attain secure information technology systems. Id. at 57. DOE’s CRMF is in its nascent stage and must be fully defined, continuously improved and implemented across the agency. Id. There are six steps to the agency’s CRMF process, each of which is further elaborated as a task in the performance work statement (PWS): categorize information system; select security controls; implement security controls; assess security controls; authorize information system; and monitor security controls. Id. at 57-58. The services to be performed by the contractor would include independent security control assessments; planning and implementation support for the CRMF governance forums; and coordination with the education security operations center to develop, publish, and maintain system security status and risk information for the monitoring of security controls. Id. at 59.
Nine vendors, including the protester and the awardee, responded to the solicitation. Contracting Officer Statement of Facts (COSF) at 13. Following an initial evaluation, negotiations, and the submission and evaluation of revised proposals, the agency rated ASG and Intepros as follows:
|
|
|
Technical Approach |
Satisfactory |
Superior |
Resource Plan |
Satisfactory |
Satisfactory |
Management Plan |
Satisfactory |
Satisfactory |
Corporate Experience |
Does not Possess |
Does Not Possess |
Past Performance |
Neutral |
Neutral |
Price |
$9,077,099.92 |
$9.874,048.56 |
AR, Tab U, Award Memorandum, at 5. The agency performed a best-value tradeoff, which discussed the strengths and weaknesses of the offerors, and selected IntePros for award. Id. at 9-12. With respect to the awardee and ASG, the agency stated that there is a significant difference in quality in the awardee’s technical approach as compared to ASG’s. Id. at 11. The agency identified four areas of strength and no weaknesses for the awardee. Id. The agency identified several strengths for ASG, but noted that ASG had a weakness in that it focused primarily on [DELETED] in its technical approach, and did not provide detail on [DELETED]. Id. The agency concluded the awardee’s technical approach provided several distinct discriminators that provide a benefit beyond those of ASG and given that the awardee’s strengths provide such significant additional value, the price premium is warranted. Id. at 12. On September 28, the agency provided an in-depth explanation of the basis for award to ASG and this protest followed.[2]
DISCUSSION
The protester argues that the agency unreasonably evaluated proposals under the technical approach and past performance factors, and therefore conducted an unreasonable best-value tradeoff.[3] The agency contends that its evaluation and award decision were reasonable. We have reviewed all of ASG’s protest allegations and find none provide a basis to sustain the protest. We discuss several significant issues below.
Where, as here, an agency conducts a competition under the FSS provisions of FAR subpart 8.4, we will review the record to ensure that the agency’s evaluation is reasonable and consistent with the terms of the solicitation. J. Squared Inc., dba University Loft Co., B-407302, Dec. 17, 2012, 2013 CPD ¶ 9 at 4-5. In reviewing a protest challenging an agency’s technical evaluation, our Office will not reevaluate the quotations; rather, we will examine the record to determine whether the agency’s evaluation conclusions were reasonable and consistent with the terms of the solicitation and applicable procurement laws and regulations. Maybank Indus., LLC, B-403327, B-403327.2, Oct. 21, 2010, 2010 CPD ¶ 249 at 5.
Technical Approach Evaluation
Under the technical approach factor, the solicitation instructed vendors to elaborate in sufficient detail as to how the tasks set forth in the PWS would be accomplished. RFQ at 49. Further, the solicitation advised offerors that the agency would evaluate whether the proposed technical approach provides a comprehensive and quality solution to achieving the outlined objectives in a timely manner. Id. at 51.
As relevant to this issue, one task of the solicitation required offerors to implement security controls, and another task required offerors to assess security controls. Id. at 79, 81. In describing these services, the solicitation informed offerors that the contractor will be required to, among other things, perform independent security control assessments, interviews, examinations, testing, and risk assessments for DOE’s information systems. Id. at 58. According to the solicitation, these interviews could be held with information system support staff, physical security personnel, management staff, application system support service providers, infrastructure support staff, application/system owners and users, business process managers, and security support personnel. Id.
As noted above, ASG was rated satisfactory under the technical approach factor and was evaluated with one strength and one weakness. The agency assigned the weakness because ASG’s proposed technical approach focused primarily on [DELETED] and did not provide details [DELETED]. AR, Tab U, Award Memorandum, at 11. The evaluators found that in its proposal, ASG stated that it would [DELETED], but did not provide any detail on what that entailed. AR at 10, 11. The agency believed that this weakness negated the value provided by any of ASG’s strengths and increased the risk associated with ASG’s approach. AR, Tab U, Award Memorandum, at 11.
ASG asserts that the evaluation is unreasonable because it offered to [DELETED], which it defined in its proposal as including [DELETED]. ASG further asserts that the solicitation did not require offerors to provide a detailed description of the processes, such as [DELETED], that the offeror would utilize. In ASG’s view, it was unreasonable for the agency to expect offerors to submit a detailed description because the agency has preexisting operating procedures that govern the implementation and assessment of security control, which offerors were directed to utilize when performing the tasks. ASG specifically points to National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53A, which was referenced in the agency’s security assessment plan template and provided to all offerors.
We find that the agency’s evaluation of ASG’s proposal was reasonable. The agency does not disagree that ASG indicated in its proposal that it would assess security controls. Rather, the agency’s concern is that the technical proposal focused on [DELETED] and lacked details as to [DELETED]. We disagree with ASG that there was no need for it to provide details with regard to the [DELETED], and the other processes it would use to assess security controls because the solicitation had preexisting, operating procedures governing the implementation and assessment of security controls that offerors were required to utilize. To the contrary, under the technical approach factor, the solicitation specifically advised offerors to elaborate in sufficient detail as to how the tasks set forth in the PWS would be accomplished. RFP at 49. This would include details as to the offeror’s technical approach relating to implementation and assessment of security controls, especially where the solicitation informed offerors that the contractor will be required to perform independent security control assessments, interviews, examinations, testing, and risk assessments for DOE’s information systems. Id. at 58, 79, 81. Thus, ASG should have been aware that a detailed explanation of what it intended to do to accomplish the work was required.
Further, as the agency points out, and ASG does not dispute, NIST SP 800-53A is a starting point in the process of defining procedures for assessing the security and privacy controls in information systems and organizations. Evaluation Chair Declaration, Nov. 23, 2016, at 6. Offerors were therefore required to elaborate on how they would use these procedures in performing the contract.[4] For example, as noted in the RFQ, the offeror might interview information system support staff, physical security personnel, management staff, application system support service providers, infrastructure support staff, or application/system owners and users. Id. ASG, however, did not define [DELETED]. Id. at 7. Moreover, [DELETED] are only one of the techniques that ASG failed to elaborate on. Id. Under these circumstances, we have no basis to question the agency’s evaluation. This protest issue is denied.
Corporate Experience Evaluation/Past Performance Evaluation
With respect to corporate experience, offerors were required to include evidence of experience and capabilities “of the organization” with similar projects or contracts, in terms of the nature and objectives of the project or contract; types of activities performed; studies conducted; and major reports produced. RFQ at 50. With respect to past performance, the solicitation stated that “[o]fferors are instructed to identify” a minimum of three and maximum of five contracts performed in the past three years that were similar in size, scope, and complexity to the current requirements. Id. at 50-51. Offerors were to describe the contracts in the proposal, and to provide a past performance questionnaire to a reference for the purpose of “evaluating the offeror’s past performance”. Id. at 51. The reference was to complete the questionnaire and submit it directly to the agency. Id.
ASG identified two contracts under the corporate experience factor it performed (for contracts performed for the Joint Chiefs of Staff and the Department of Agriculture) and two performed by its subcontractor. AR, Tab J, ASG Initial Quotation, at 55-58. For past performance, ASG identified the same two contracts for itself and one of the same two experience contracts for its subcontractor. Id. at 86-95.
In reviewing ASG’s experience and past performance, the agency did not consider the contracts performed by the subcontractor. Rather, since the solicitation asked for experience and past performance information for the organization/offeror, the agency only considered the information provided for the entities in whose name the offers were submitted. AR, Tab N, Initial Past Performance Evaluation, at 3; see also Tab T, Consensus Technical Evaluation, at 7; Tab U, Award Memorandum, at 8; COSF at 27.
With respect to the contracts ASG performed, one of its references, the Department of Agriculture, did not submit the past performance questionnaire. AR, Tab K, ASG Past Performance Evaluation Forms; COSF at 17; Evaluation Chair Declaration, Nov. 2, 2016, at 4. However, the agency considered whether the contract was relevant for purposes of the experience factor and determined it was not since the contract was a limited term engagement focused primarily on providing support services. AR, Tab T, Consensus Technical Evaluation, at 7; Evaluation Chair Declaration, Nov. 2, 20. Therefore, the Department of Agriculture contract was viewed as not comparable in scope and complexity.
With respect to the Joint Chiefs of Staff contract, the agency found that it was comparable in size, but was focused primarily on infrastructure and network defense activities. AR, Tab T, Consensus Technical Evaluation, at 7; Evaluation Chair Declaration, Nov. 2, 2016, at 4. The agency therefore did not consider that this contract was the same in scope or complexity as the current requirement. Based on this review, the agency assigned ASG a rating of “does not possess” for corporate experience and neutral for past performance. Id.
The protester disagrees with these ratings. ASG first asserts that the agency improperly failed to consider the experience/past performance of its proposed subcontractor, as the solicitation did not prohibit the agency from doing so. ASG cites to our decision in Singleton Enterprises, B-298576, Oct. 30, 2006, 2006 CPD ¶ 157 for support. ASG also asserts that the solicitation was ambiguous on this point.
We disagree. In Singleton, the agency issued its solicitation under FAR part 15. Similar to ASG here, the protester in that decision complained that the agency failed to consider the past performance of its proposed subcontractor. The agency responded that the solicitation requested the past performance of the offeror, and the agency intended that to mean the prime contractor only. We stated that FAR § 15.305(a)(2)(iii) provides that contracting agencies should consider the past performance of subcontractors. Singleton Enterprises, supra, at 4. In addition, we acknowledged that decisions of our Office have stated that in the absence of a provision indicating that the agency will not consider a subcontractor’s past performance, the agency has discretion to do so. Id. Therefore, we concluded that the protester reasonably interpreted the solicitation as indicating that the agency would consider the past performance of proposed subcontractors. Id. at 5. We also concluded that the agency reasonably interpreted the term “offeror” to mean only the entity submitting the proposal, and therefore, the solicitation contained a latent ambiguity. Id. We sustained the protest and recommended that the agency amend the solicitation to clarify its intent. Id. at 6.
Here, in contrast, the solicitation was issued pursuant to FAR part 8 and requested corporate experience of the organization and past performance information for the offeror, without mentioning subcontractors.[5] RFQ at 50. FAR part 8 does not suggest that in evaluating an offeror’s past performance an agency should also consider the past performance of its proposed subcontractors. Accordingly, we do not find that the solicitation here is ambiguous, and it was reasonable for the agency to consider the experience and past performance of the offeror (i.e., the entity that submitted the offer) and not its subcontractors.
ASG next disputes the agency’s conclusion that ASG’s contract with the Joint Chiefs of Staff focused primarily on infrastructure and network defense activities and is therefore not relevant to the solicitation. In this regard, ASG asserts that in performing the contract for the Joint Chiefs, it performed vulnerability assessments, vulnerability management/mitigation, security controls identification and assessments, security controls monitoring, program management support, policy support and governance, and advisory services. Protest at 29-31. According to ASG, it mentioned these services in its proposal in describing this contract. ASG notes that it also described the work it performed for the Joint Chiefs by the tasks required under the PWS.[6] Id. Finally, the protester asserts that the agency improperly analyzed whether ASG’s past performance specifically aligned with the PWS instead of generally determining whether ASG performed similar services.
We find that the evaluation here was reasonable. In so far as the protester asserts that the agency was not justified in looking at the specific details of ASG’s past performance as compared to the requirements of the solicitation, the solicitation defined relevant past performance as similar to the size, scope and complexity of the requirements set forth in the PWS. RFP at 50, 51. Accordingly, it was reasonable for the agency to evaluate whether ASG had experience and past performance with the tasks listed in the PWS. Moreover, we find that the agency reasonably concluded that the past performance of ASG on the Joint Chiefs contract project was not similar in scope or complexity to the solicitation. For example, in its proposal with respect to vulnerability management ASG provides:
The [vulnerability management] Team is responsible for conducting bi-weekly enterprise vulnerability assessments of [Joint Staff] networks and enclaves (7,500 to 10,000 assets per network) and assessment scans as needed in support of US Army Information Technology Agency’s (ITA) connection approval process (CAP). ASG is responsible for employing a variety of vulnerability assessment tools to assess web applications (dynamic and static analysis) (e.g. HP Fortify), databases (e.g. AppDetective), and OS/network (e.g. Retina, ACAS, NMAP). ASG employs the Vulnerability Management System (VMS) to upload scan results, providing reports to USCYBERCOM as well as analyzing vulnerabilities and developing metrics that illustrate trends in vulnerability mitigation efforts, outstanding vulnerabilities, identify security issues and other anomalies of interest to better enhance the security posture of JS networks. ASG tracks [] documentation based upon system owner inputs for JS Certification Authority (CA) and Designated Accrediting Authority (DAA) approval.
AR, Tab J, ASG Initial Quotation, at 90-91. As the agency notes, however, vulnerability assessments are only one aspect of vulnerability management; there are four other tasks in the RFQ that are not addressed here. Evaluation Chair Declaration, Nov. 2, at 3. In addition, vulnerability scans, as discussed in ASG’s past performance proposal, are only one method for vulnerability assessments (offerors are also required to use other methods such as interviewing, examining and testing). Id. Further, ASG does not address whether it conducted security control assessments here; instead, the past performance proposal only states that it has verified and validated security control assessments and supporting artifacts. AR, Tab J, ASG Initial Quotation, at 90-91.
Similarly, with respect to its past performance for monitor security controls, in its proposal, the protester provides:
Team protects, monitors, analyzes, detects, and responds as the Tier 3 [] component for the Joint Staff in accordance with Joint Staff and Army IT Agency Memorandum of Agreement. ASG also performs in-depth technical analysis in support of mission assurance and vulnerability assessments of mission systems. ASG is responsible for analysis of security network incidents, cyber intelligence material, vulnerability reports, malware reports, and other security relevant sources for purposes of defining and providing early warning of cyber threats. Such activities include developing processes for cyber threat assessments to support cyber risk assessments and performing as primary subject matter professional for the gathering, evaluating, authoring and presentation of various assessments/analysis of intelligence as it may pertain to cyberspace operations, and performing malware analysis using [] and industry vetted tools (e.g. OllyDB and IDAPro).
AR, Tab J, ASG Initial Quotation, at 90. The agency has stated that here, the protester discusses security operations such as incident response, operations, and day-to-day monitoring, which the RFQ did not address. Evaluation Chair Declaration, Nov. 2, at 2. Rather, the RFQ addresses designing and supporting the overarching governance framework, RFQ at 65, which the agency believes the protester’s past performance proposal did not address. Evaluation Chair Declaration, Nov. 2, at 2. Under these circumstances we have no basis to question the agency’s evaluation. This protest issue is denied.
The protest is denied.
Susan A. Poling
General Counsel
[1] Technical approach, resource plan, and management plan were each assigned a rating of superior, satisfactory, marginal, or unsatisfactory. Agency Report (AR), Tab G, Source Selection Plan, at 7. Corporate experience was evaluated as possesses or does not possess. Id. Past performance was assigned a rating of neutral, superior, satisfactory, or unsatisfactory. Id. at 8.
[2] As this procurement is not conducted under FAR part 15, debriefings were not required.
[3] ASG submitted a supplemental protest in which it alleged that the agency omitted identified strengths and added a new weakness to the final consensus evaluation, and noted strengths in IntePros’ quotation without noting strengths in ASG’s quotation where ASG offered a similar approach. ASG’s supplemental protest was dismissed because ASG failed to timely submit its comments in response to the agency report. See 4 C.F.R. § 21.3(i).
[4] One of the negotiation questions posed to ASG stated: “The proposed technical approach references the performance of [DELETED] but makes no references to [DELETED]. Please clarify what the offeror will use to guide security control assessment/testing activities and make any necessary revisions.” AR, Tab P, Negotiation Questions, at 9. ASG revised its proposal to include references to [DELETED], but the agency found the proposal lacked detail regarding [DELETED]. AR, Tab T, Consensus Technical Evaluation, at 2.
[5] Other parts of the solicitation also reference offeror, and distinguish the offeror from its subcontractors: failure to identify key personnel may result “in the Offeror being considered non-responsive”; resumes shall be provided for all individuals who are not currently employed “by the offeror or an offeror’s subcontractor”; failure to provide letters of commitment may result in the “Offeror being considered non-responsive.” RFQ at 50.
[6] In its protest, ASG also asserted that the Department of Agriculture contract was relevant in terms of past performance and experience. In its comments on the agency report, ASG did not respond to the agency’s assertion that the contract was not relevant because it focused primarily on program support services and was not comparable in scope or complexity. Consequently, we find that ASG abandoned this protest ground. See 22nd Century Tech., Inc., B-412547 et al., Mar. 18, 2016, 2016 CPD ¶ 93 at 10.