Skip to main content

Panasonic I-PRO Sensing Solutions Corporation of America

B-419260 Jan 12, 2021
Jump To:
Skip to Highlights

Highlights

Panasonic i-PRO Sensing Solutions Corporation of America (Panasonic), of Rolling Meadows, Illinois, protests the award of contract No. 70B03C20C00000167, on a sole-source basis, to Axon Enterprise, Inc. (Axon), of Scottsdale, Arizona, by the Department of Homeland Security, U.S. Customs and Border Protection (CBP), for an incident-driven video recording system. Panasonic challenges the basis of the sole-source award and contends that it offered a solution that could meet the agency's needs.

We deny the protest.
View Decision

DOCUMENT FOR PUBLIC RELEASE
The decision issued on the date below was subject to a GAO Protective Order. This redacted version has been approved for public release.

Decision

Matter of:  Panasonic I-PRO Sensing Solutions Corporation of America

File:  B-419260

Date:  January 12, 2021

Francis E. Purcell Jr., Esq., Thompson Hine LLP, for the protester.
Craig A. Holman, Esq., and Amanda J. Sherwood, Esq., Arnold & Porter Kaye Scholer LLP, for Axon Enterprise, Inc., the intervenor.
Ross D. Boone, Esq., Department of Homeland Security, for the agency.
Lois Hanshaw, Esq., and Evan C. Williams, Esq., Office of the General Counsel, GAO, participated in the preparation of the decision.

DIGEST

Sole-source award for an incident-driven video recording system is unobjectionable where the agency reasonably determined that the protester and its solution are not capable of meeting the agency’s needs.

DECISION
 

Panasonic i-PRO Sensing Solutions Corporation of America (Panasonic), of Rolling Meadows, Illinois, protests the award of contract No. 70B03C20C00000167, on a sole-source basis, to Axon Enterprise, Inc. (Axon), of Scottsdale, Arizona, by the Department of Homeland Security, U.S. Customs and Border Protection (CBP), for an incident-driven video recording system.  Panasonic challenges the basis of the sole-source award and contends that it offered a solution that could meet the agency’s needs.

We deny the protest.

BACKGROUND

CBP’s mission involves active patrolling, monitoring, and screening of those entering the United States.  Agency Report (AR), Tab 30, Justification and Approval (J&A) at 1. CBP states that it must conduct these activities and other interactions with the public in a transparent and accountable manner.  Id.  The agency further explains that this requirement ensures that non-surveillance, agent-activated recordings of interactions between CBP agents and the public are conducted in a straightforward and transparent manner.  Id.

The agency states that it received a mandate from Congress to expand the use of body‑worn cameras (BWCs) and develop a comprehensive plan and implementation schedule for camera technology.Id. (citing Department of Homeland Security Appropriations Bill, 2017, H. Rept. 114-668 (2016)).  To implement Congress’s mandate that CBP deploy BWC technology prior to the end of fiscal year 2021, CBP intends to purchase 4,300 BWCs, 700 docking stations, and 4,000 video management system (VMS) software and cloud storage licenses (to be purchased annually) over the course of multiple base and option years through fiscal year 2025.  AR, Tab 30, J&A at 1. 

On July 22, 2020, the agency finalized a J&A to support its decision to award a sole-source contract to Axon for the incident-driven video recording system.  Id.; Tab 31, J&A Signature Page at 1  The J&A concluded that a sole-source award to Axon was justified pursuant to 41 U.S.C. § 3304(a)(1) and Federal Acquisition Regulation (FAR) 6.302-1, which states that only one source can satisfy the agency’s needs.  AR, Tab 30, J&A at 2.  CBP estimates the value of this procurement to be approximately $15.7 million.  Id. at 1. 

The J&A explained the agency’s basis for concluding that only Axon could meet the agency’s requirements.  AR, Tab 30, J&A at 2.  Specifically, the J&A stated that only Axon demonstrated the necessary security and data management authorizations that would support immediate deployment of the required technology. Id.  In this regard, the J&A identified Federal Risk and Authorization Management Program (FedRAMP) authorization as a requirement for all government cloud systems.[1]  Id.  The J&A explains that Axon is uniquely qualified to perform the requirement because it is the only BWC vendor listed in the FedRAMP marketplace that has achieved FedRAMP moderate risk impact level authorization and Federal Information Processing Standard (FIPS) 140-2 compliance.[2]  Id.  During the agency’s acquisition planning, Axon was able to provide documentation proving both its video management application and cloud storage solution are FedRAMP authorized.  Id. at 3.  The J&A notes the CBP would endeavor to monitor the marketplace and FedRAMP authorization status for other potential incident-driven video recording systems that could meet CBP’s needs.  Id. at 4. 

In addition to security and data management authorizations, the J&A cites the need to use a single vendor as another fact supporting the use of other than full and open competition.  Id. at 3.  CBP concluded that the use of a single vendor would not only ensure the seamless accessing of information, but also prevent the compatibility and performance risks found to arise when CBP moved between one vendor’s VMS and another’s cloud storage platform.  Id.  In this regard, the agency explains that Axon offers an all-in-one solution including camera, docking station, video management on premises, cloud-based application, and cloud storage.  Id.

Additionally, the J&A outlines the market research the agency conducted beginning in 2014.  Id. at 2.  The agency’s market outreach and assessment included a feasibility study in 2015, a request for information (RFI) and an industry day in 2016, a 6-month field evaluation in 2018, a second RFI conducted in October 2019, and in-person vendor meetings held in February 2020.  Id.; AR, Tab 27, Market Research Report at 7. 

Pertinent to this protest, on October 16, 2019, the agency issued its second RFI to obtain information and recommendations for the requirement and invited firms to show their capability to provide incident-driven recording systems.  AR, Tab 9, October 2019 RFI at 1, 9.  The RFI advised that offerings should meet a desired minimum threshold for the operational requirements identified by CBP.  Id. at 1.  In this regard, the RFI included a table identifying the operational features that CBP was seeking and the minimum thresholds, attributes, and attribute description associated with each operational feature.  Id. at 2.  The table identified 10 operational features and 42 associated attributes required to support incident-driven video recording systems.[3]  Id. at 3-8. 

As relevant here, the operational feature of information security identified nine attributes including FedRAMP.  Id.  The attribute, attribute description, and minimum desired threshold for FedRAMP authorization are identified below.

Operational Feature

Attribute

Attribute Description

Minimum Threshold Desired






Information Security






FedRAMP

CBP and DHS require that all cloud products and services meet the standardized approach under FedRAMP.


FedRAMP moderate risk impact level certification for cloud storage platform.

 

Id. at 3.

Thirteen firms responded to the October 2019 RFI.  AR, Tab 27, Market Research Report at 20.  The protester’s RFI response included a claimed capability narrative for FedRAMP that indicated that its cloud-hosted storage solution was built to meet FedRAMP requirements and was undergoing FedRAMP assessment and audit.  AR, Tab 12, Panasonic RFI Response at 5. 

Between November 2019 and January 2020, the agency emailed follow-up questions to the respondents of the October 2019 RFI and received responses from several vendors, including Panasonic.  In December and November 2019, the agency inquired about vendors’ security policies and protocols critical to CBP.  AR, Tab 14, Post-RFI Planning Emails at 1; Tab 16, Email between Agency and Panasonic at 1, 3.  In January 2020, the agency requested information regarding storage offerings and procedures.  AR, Tab 18, Emails between Agency and Panasonic at 1-3.  In February 2020, at Panasonic’s request, CBP met with Panasonic to discuss Panasonic’s qualifications and capabilities.  AR, Tab 20, Emails between Panasonic and Agency at 3; Tab 22, Panasonic Vendor Meeting Notes at 2.  In that meeting, Panasonic indicated that its evidence management system was neither FedRAMP approved, nor in the process of being approved,[4] and that CBP’s data would be stored on the FedRAMP approved [DELETED].[5]  AR, Tab 22, Panasonic Vendor Meeting Notes at 2. 

In April 2020, the agency issued its Market Research Report.  In that report, the agency concluded that mandatory minimum federal security requirements, such as FedRAMP, limited the number of vendors capable of providing BWC (body worn camera) technology to law enforcement agencies.  AR, Tab 27, Market Research Report at 41.  On this point, the agency explained that the selected vendor and its cloud video management application must be authorized at a FedRAMP moderate risk impact level to ensure the security of the entire system, i.e., to ensure the sharing, retention, tagging, retrieval, and redaction of footage captured by BWCs is not compromised.  Id. at 8.  CBP further asserted that FedRAMP authorization was required prior to selecting and procuring a solution in order to achieve full security compliance and approval from security authorities at CBP.  Id. at 9. 

The agency also explained that because FedRAMP authorization takes several years to complete, and the requirement cannot be waived, the agency required a vendor that has already been FedRAMP authorized in order to prevent delay.  Id.  In this regard, the agency notes that if it were to select a vendor that lacked FedRAMP authorization, and FedRAMP authorization was subsequently denied, the implementation of the BWC technology could be delayed by several years.  Id.

In its Market Research Report, the agency also determined that Panasonic’s proprietary solutions were not FedRAMP authorized and, of the 13 firms that responded to the October 2019 RFI, only Axon provided proprietary solutions that were FedRAMP authorized.  Id. at 27-28, 41.  In this respect, CBP explains that the government makes a company’s FedRAMP authorization status publicly available through the FedRAMP marketplace dashboard.  Id. at 9.  The agency noted that as of the date of the Market Research Report, i.e., April 20, 2020, only Axon offered a viable FedRAMP authorized solution for incident-driven recording systems.  Id. at 31.

On September 25, CBP posted notice of the sole-source award on beta.sam.gov.  On October 5, Panasonic timely protested to our Office.

DISCUSSION

Panasonic contends that the agency erred in concluding that only Axon could perform the requirement and raises various challenges to the agency’s conclusion.  For example, Panasonic asserts that the agency’s second RFI failed to inform firms that FedRAMP authorization was required at the time of RFI submission, and further contends that its solution can meet the agency’s requirement.  Protest at 19-22.  Additionally, Panasonic challenges the agency’s decision to require a single vendor solution.  Protest at 16-19.  While we do not address every issue raised, we have considered all of the protester’s arguments and conclude that none furnishes a basis on which to sustain the protest. 

When using noncompetitive procedures pursuant to 41 U.S.C. § 3304(a)(2), as here, agencies are required to execute a written J&A with sufficient facts and rationale to support the use of the cited authority.  41 U.S.C. §§ 3304(e)(1)(A), (f); FAR 6.302-1, 6.303, 6.304; eFedBudget Corp., B-298627, Nov. 15, 2006, 2006 CPD ¶ 159 at 7.  Our review of an agency’s decision to conduct a noncompetitive procurement focuses on the adequacy of the rationale and conclusions set forth in the J&A; where the J&A sets forth a reasonable justification for the agency’s actions, we will not object to the award.  See Bravura Info. Tech. Sys., Inc., B-418755, Aug. 18, 2020, 2020 CPD ¶ 277 at 3; Space Vector Corp., B-253295, B-253295.2, Nov. 8, 1993, 93-2 CPD ¶ 273 at 6.

The protester argues that the agency cannot justify a sole-source contract because Panasonic can meet the agency’s needs.  Protest at 20-21.  In this regard, Panasonic alleges that its cloud-hosted service is capable of achieving FedRAMP authorization surpassing the moderate authorization level specified in the RFI and therefore can meet federal government security policies.  Id. at 20-21.

In response, the agency states that OMB requires that cloud service providers comply with FedRAMP security authorization requirements.  Memorandum of Law (MOL) at 20.  Stated differently, FedRAMP authorization is a mandatory minimum requirement of the procurement that was communicated to offerors in the October 2019 RFI.  Id. at 23.  The agency explains that although Panasonic’s 2019 RFI response did not demonstrate that it had achieved FedRAMP authorization, its response was nevertheless considered during the agency’s acquisition planning, as evidenced by several follow-up email exchanges, and a February 2020 vendor meeting discussing FedRAMP authorization.  Id. at 21, 23.  Additionally, the agency notes that at the direction of CBP’s competition advocate, the agency continued to consider whether companies could attain FedRAMP authorization at some point between the 2019 RFI and contract award.  Id.  Prior to concluding its market research and issuing the J&A, the agency explains that it considered Panasonic’s ability to meet the FedRAMP authorization requirement, and found that the protester had not met this requirement.  Id.  Thus, the agency maintains that it reasonably determined that Panasonic’s solution could not meet the agency’s minimum needs.

The agency further contends that even now, after the filing of the protest, that Panasonic cannot meet the fundamental security requirements of the contract, and thus, the sole-source contract to Axon is appropriate.  Id. at 8.  The agency asserts that because Panasonic cannot meet the FedRAMP requirements, it is not an interested party to challenge the agency’s decision to award the contract to Axon on a sole-source basis.  Id. at 16-17.

Panasonic acknowledges that neither it, nor its solution, currently meet the FedRAMP certification requirement.  Protester’s Resp. to GAO Req. for Additional Briefing at 1.  Moreover, the protester specifically states that its protest “does not challenge the Agency’s application of FedRAMP certification to [this] procurement or the right of the Agency to include possession of FedRAMP moderate authorization as a procurement requirement.”  Id. at 2. 

Based on the record before us, Panasonic has not demonstrated that the firm or its solution is capable of meeting the agency’s needs.  The J&A indicates that the agency is procuring an incident-driven video recording system, comprised of BWCs, docking stations, VMS, and cloud storage licenses.  AR, Tab 30, J&A at 1.  The J&A clearly establishes that FedRAMP authorization is a mandatory minimum requirement for all federal agencies procuring cloud systems, and therefore is required here.  Id. at 2.  The protester acknowledges that Panasonic and its solution cannot demonstrate a current FedRAMP authorization.[6]  Protester’s Reponses to GAO Request for Additional Briefing at 1.  Thus, the protester has not shown that it can meet the agency’s needs.  In addition, the protester has not effectively challenged Axon’s ability to satisfy the agency’s requirements as it relates to FedRAMP authorization.[7]  As a result, the protester’s assertions provide no basis to question the agency’s decision to award a sole-source contract to Axon on the basis that Axon is the only source that can satisfy the agency’s needs.  Consequently, we deny this protest ground.

Since the protester concedes that neither Panasonic, nor its solution, has attained FedRAMP authorization, we need not address the protester’s remaining arguments.  That is, because the agency reasonably determined that Panasonic cannot meet the requirements to perform the contract, it is not an interested party to challenge other aspects of the agency’s sole-source determination.  Research Analysis & Maintenance, Inc., B-296206, B-296206.2, July 12, 2005, 2005 CPD ¶ 182 at 11 n.5.  Under the bid protest provisions of the Competition in Contracting Act of 1984, 31 U.S.C. §§ 3551-3556, only an “interested party” may protest a federal procurement.  That is, a protester must be an actual or prospective offeror whose direct economic interest would be affected by the award of a contract or the failure to award a contract.  4 C.F.R. § 21.0(a).  A protester is not an interested party where it would not be in line for contract

award were its protest to be sustained.  Bluehorse Corp., B-414643.2, Aug. 11, 2017, 2017 CPD ¶ 259 at 3. Accordingly, we dismiss the protester’s remaining arguments.

The protest is denied.

Thomas H. Armstrong
General Counsel

 

[1] A 2011 Office of Management and Budget (OMB) Memorandum (Memo) explains that FedRAMP improves the government’s data security by making available standardized security requirements, uniform security assessments, authorization packages, standardized contract language for acquisitions, and a repository of authorization packages to leverage across the government.  AR, Tab 8, OMB Memo, Security Authorization of Information Systems in Cloud Computing Environments, (Dec. 8, 2011).  This memo establishes federal policy for the protection of federal information in cloud services and requires each executive department or agency to use FedRAMP when procuring cloud services.  Id. at 2. 

[2] The FedRAMP marketplace is an online repository that identifies the companies that have achieved FedRAMP authorization.  See https://marketplace.fedramp.gov/#/
products?sort=productName (last visited on Dec. 28, 2020).  FIPS 140-2 compliance allows for single sign-on using personal identity verification to prevent unauthorized access and allow for easy authorized access.  AR, Tab 27, Market Research Memo at 8-9.

[3] The other operational features were cloud storage; data management; audio; video resolution; video offloading; mounting; start/stop recording; support; and camera unit.  AR, Tab 9, October 2019 RFI at 3-8.

[4] Panasonic indicated that the decision to begin the approval process was under consideration.  AR, Tab 22, Panasonic Vendor Meeting Notes at 2.

[5] [DELETED] is one of [DELETED] offered by [DELETED].  See https://marketplace.fedramp.gov/#/products?sort=productName (last visited on Dec. 28, 2020.

[6] The protester contends that the agency failed to inform vendors that FedRAMP authorization was required at the time of the October 2019 RFI submission and then improperly used current possession of FedRAMP authorization as a limiting factor in its decision to make a sole-source award.  Protest at 20.  We note at the outset that the agency identified FedRAMP authorization as a minimum threshold requirement in the RFI.  AR, Tab 9, October 2019 RFI at 3.  In our view, the RFI informed offerors that FedRAMP authorization would be a consideration in the award decision.  Nevertheless, nothing in the record shows that the agency decided not to consider Panasonic’s solution prior to the issuance of the Market Research Memo in April 2020.  Rather, the record shows that the agency considered the protester’s October 2019 RFI response and continued to engage with the protester through follow-up emails in December 2019 and January 2020, and with a February 2020 vendor meeting.  AR, Tab 14, Post-RFI Planning Emails at 1; Tab 16, Email between Agency and Panasonic at 1, 3; Tab 18, Emails between Agency and Panasonic at 1-3; Tab 20, Emails between Panasonic and Agency at 3; Tab 22, Panasonic Vendor Meeting Notes at 2.  Therefore, this argument provides no basis to sustain the protest.

[7] In its comments, the protester alleges for the first time that Axon’s solution is not FedRAMP authorized because it is listed as a dependent product under the Microsoft Azure Government FedRAMP page.  Comments at 16.  This argument is untimely because the protester had all the facts necessary to raise this ground in its initial protest.  In this respect, the publically available FedRAMP pages for Axon and Microsoft show that the companies’ solutions were approved on April 2, 2019, and February 29, 2020, respectively.  See https://marketplace.fedramp.gov/#/products?sort=productName (last visited on Dec. 28, 2020).  Because the protester failed to raise this issue in its initial protest, this argument is dismissed as untimely.  4 C.F.R. § 21.2(a)(2); RIVA Sols., Inc., B-417858.2, B-417858.10, Oct. 29, 2020, 2020 CPD ¶ 358 at 8 n.8 (protest issues must be filed within 10 days after the basis is known or should have been known; piecemeal presentation of protest grounds, raised for the first time in comments, are untimely).  In any event, since the FedRAMP marketplace clearly lists Axon as a company that received FedRAMP authorization, we find the protester’s argument unpersuasive.  

Downloads

GAO Contacts

Kenneth E. Patton
Managing Associate General Counsel
Office of the General Counsel

Edward (Ed) Goldstein
Managing Associate General Counsel
Office of the General Counsel

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Public Inquiries