Martek Global Services, Inc.--Costs

DOCUMENT FOR PUBLIC RELEASE
The decision issued on the date below was subject to a GAO Protective Order. This redacted version has been approved for public release.

Decision

Matter of: Martek Global Services, Inc.‑‑Costs

File: B-420865.3

Date: March 9, 2023

DIGEST

Request for reimbursement of protest costs following an agency’s corrective action is denied where the protest was not clearly meritorious.

Martek Global Services, Inc. (Martek), a small business of Bethesda, Maryland, requests that our Office recommend it be reimbursed the costs of filing and pursuing its protest challenging the agency’s evaluation of its quotation responding to request for quotations (RFQ) No. 36C10B22Q0246. The RFQ was issued by the Department of Veterans Affairs (VA), for a project management information system (PMIS).

We deny the request.

Background

On May 10, 2022, the VA issued the RFQ as a small business set‑aside under the procedures of Federal Acquisition Regulation subpart 8.4, Federal Supply Schedules, to small business vendors holding multiple award schedule No. 54151S, information technology professional services. AR, Tab 7, RFQ amend. 0001 at 1, 99.[1] The RFQ explained that the VA required a commercially available off‑the‑shelf, software as a service (SaaS) brand name TRIRIGA[2] or equal solution to replace an incumbent PMIS. Id. at 19. The RFQ required any proposed solution to be Federal Risk and Authorization Management Program (FedRAMP) “approved” at a moderate impact level.[3] Id. Award was to be made to the vendor offering the lowest‑priced, technically acceptable quotation. Id. at 22, 98.

The agency received multiple quotations by the submission due date, including quotations from Martek and the eventual awardee, Blue Water Thinking.[4] Contracting Officer’s Statement (COS) ¶¶ 3, 7‑8. Martek’s quotation described its proposed solution as consisting of a “[PMIS Application]” which would be “[d]elivered as a scoped application on the [Hosting Service] platform[,]” and stated that this solution was FedRAMP authorized.[5] AR, Tab 9, Technical Quotation at 1, 3. The agency found Martek’s quotation to be technically unacceptable, assessing it with a deficiency for failing to demonstrate the ability to meet the agency’s minimum requirements as described in the solicitation. AR, Tab 10, Technical Evaluation Report at 2.

On June 24, the agency issued the task order to Blue Water Thinking, and notified Martek of the award decision. AR, Tab 12, Award Notice at 1. On June 28, the agency provided Martek with a written brief explanation of the award decision which detailed the agency’s evaluation of the firm’s quotation. COS ¶ 10; AR, Tab 13, Brief Explanation at Slide 8.

On July 6, Martek filed an agency‑level protest challenging the basis for the agency’s conclusion that its quotation was technically unacceptable. AR, Tab 14, Agency‑Level Protest & Decision at 1-11. The VA denied Martek’s agency‑level protest. Id. at 162‑163. In its decision, the agency explained that it found Martek’s proposed solution deficient because the solution was not FedRAMP authorized, as required. Id. at 162. The agency stated that while Martek’s proposed hosting environment (the Hosting Service) was FedRAMP authorized, Martek’s proposed solution included the PMIS Application which had not been FedRAMP authorized to run within the Hosting Service. Id. For this reason, the agency concluded that Martek’s proposed solution was technically unacceptable. Id.

On September 19, Martek timely filed the underlying protest with our Office. Martek challenged the VA’s conclusion that its proposed solution was technically unacceptable, arguing that the assessed deficiency was inconsistent with the terms of the solicitation. Protest at 7‑9. Martek contended that by asking for a FedRAMP authorized “solution,” the RFQ did not require that each component of the solution have its own independent FedRAMP authorization; rather, so long as the solution as a whole met the applicable FedRAMP requirements, such a solution was technically acceptable under the terms of the solicitation. Id. Crucially, Martek urged that its proposed solution fit within this interpretation because the Hosting Service was FedRAMP authorized at the appropriate level and the PMIS Application operated within the Hosting Service. Id.

On October 19, the agency filed its report in response to the protest. See (Memorandum of Law) MOL at 1. The agency explained that VA policy mandates FedRAMP authorization for all cloud service offerings (CSOs) used by the VA, and that the RFQ reflected this mandate. MOL at 2‑4 (citing RFQ at 19, 22‑23, 46,100); see also AR, Tab 18, VA Handbook 6517. The VA asserted that FedRAMP authorization does not flow from a FedRAMP authorized hosting environment to a hosted product, as argued by Martek. MOL at 5. The agency defended its evaluation by arguing that Martek’s inclusion of the PMIS Application in its solution rendered the solution technically unacceptable because the PMIS Application is properly categorized as a SaaS CSO, the PMIS Application does not have FedRAMP authorization, and FedRAMP authorization is required for all CSOs used by the VA, as reflected in the RFQ. Id. at 2‑10.

On October 28, Martek filed comments on the agency report. Martek agreed with the VA that FedRAMP authorization applies to CSOs, but asserted that the PMIS Application is not a CSO. Comments at 1. Martek argued that evaluating the PMIS Application for its own independent FedRAMP authorization was improper and contrary to the terms of the RFQ because such a product is not subject to FedRAMP. Id. Martek urged that the only piece of its solution subject to FedRAMP authorization was the Hosting Service, and that the Hosting Service possessed the appropriate FedRAMP authorization. Id.

As additional context, Martek proffered that FedRAMP applies to the CSOs of cloud service providers (CSPs), i.e., companies that provide CSOs. Id. at 5‑6. Martek claimed that the PMIS Application’s vendor does not provide cloud computing products or services and therefore the vendor is not a CSP. Id. Martek identified the PMIS Application’s vendor as an independent software vendor rather than a CSP, and the PMIS Application as a software application rather than a CSO. Id. at 6‑8.

At this juncture, the focus of the parties’ protest filings transitioned from considering whether the RFQ required every component of a solution to be FedRAMP authorized, to considering whether the VA had a reasonable basis to categorize the PMIS Application as a SaaS CSO subject to its own FedRAMP authorization. Based on the record at that point, we determined that further development of this issue was necessary. We thus requested supplemental briefing to clarify the nature of the PMIS Application and whether it was subject to FedRAMP authorization. See GAO Req. for Supp. Briefing.

In response to this request, the VA maintained its position that the PMIS Application was properly categorized as a SaaS CSO, and as such, was required to be FedRAMP authorized in order to meet the RFQ’s requirements. See Agency Supp. Briefing at 1‑2. As part of its response, the VA filed a document published by the National Institute of Standards and Technology (NIST) which provided a definition of cloud computing. Id. at 3‑4; Agency Supp. Briefing, exh. A, NIST Publication. Using the NIST document for support, the VA insisted that the PMIS Application’s essential characteristics fit within the NIST definition of a SaaS, cloud computing service model, and therefore, as a CSO, the PMIS Application needed its own FedRAMP authorization in order for the agency to find Martek’s solution technically acceptable. Agency Supp. Briefing at 3‑4.

Martek maintained its position to the contrary; that the PMIS Application is a software application but is not a SaaS or otherwise a CSO. Martek Supp. Briefing at 2‑3. Martek insisted that software applications such as the PMIS Application are not subject to FedRAMP authorization because FedRAMP authorization applies only to CSOs provided by CSPs, and not to non-CSO applications. Id. at 2‑9. To be clear, Martek conceded that the PMIS Application would be subject to “some of the FedRAMP security controls[,]” but maintained that an actual FedRAMP authorization was not available to the PMIS Application. Id. at 8. In explaining this position, Martek filed as additional support certain articles published by FedRAMP recognized third party assessment organizations (3PAOs).[6] Martek Supp. Briefing, exh. 1, Coalfire Article; Martek Supp. Briefing, exh. 2, A‑LIGN Article. Martek contended that these articles provided support for the proposition that it was possible for a solution such as the one proposed by Martek to be FedRAMP compliant without the PMIS Application having its own FedRAMP authorization.

After considering the supplemental briefing, our Office determined that the record still remained insufficiently developed to reach a conclusion as to whether the VA had a reasonable basis for finding Martek’s quotation technically unacceptable. In its comments and supplemental filing, Martek had plausibly shown that there may have existed a scenario where its proposed solution could in fact meet the requirements of the solicitation. However, based on the record to date, we were unable to verify the protester’s position. We were also unable to find clear support in the record showing how the agency reached the conclusion that the PMIS Application was a SaaS CSO, or how it concluded that the proper way to evaluate Martek’s solution was to assess the PMIS Application for FedRAMP authorization. Moreover, in the supplemental briefing both parties had introduced into the record additional documentation addressing the technical aspects of FedRAMP authorization that they each relied on to support their respective positions.

To obtain more information and further develop the record on this issue, on November 30, our Office conducted a hearing at which the technical evaluation chairperson and the contracting officer testified regarding the agency’s evaluation and conclusions about Martek’s proposed solution. The hearing testimony indicated that in evaluating Martek’s quotation, the agency made certain conclusions that were undocumented or unsupported in the contemporaneous evaluation record.

For example, the hearing testimony indicated that the VA found Martek’s proposed solution deficient because the PMIS Application was not listed on the FedRAMP Marketplace website, and considered this to be a sufficient approach to determine whether Martek’s proposed solution met the requirements of the solicitation. Hearing Transcript at 26, 73, 123, 133‑134, 158. This analysis was not documented or otherwise reflected in the contemporaneous record. See AR, Tab 10, Technical Evaluation Report at 1‑3.

On December 12, our Office conducted outcome prediction alternative dispute resolution (ADR).[7] During the ADR session, the assigned GAO attorney advised the parties that he took no position on the issue of whether the PMIS Application was reasonably categorized as a SaaS CSO or whether the agency’s assessment of that product for FedRAMP authorization was proper. The GAO attorney informed the parties that GAO would likely sustain the protest because the protester reasonably called into question the agency’s evaluation conclusions regarding the assessed deficiency, and the contemporaneous record did not adequately demonstrate how the agency reached its evaluation conclusions.

Later on December 12, the VA filed a notice of corrective action which pledged to reevaluate Martek’s quotation and to make a new award decision if appropriate. Notice of Corrective Action at 1. Based on the agency’s proposed corrective action, our Office dismissed the protest as academic. Martek Global Servs. Inc., B‑420865.2, Dec. 15, 2022 (unpublished decision).

Discussion

Martek requests that our Office recommend that it be reimbursed the reasonable costs of filing and pursuing its protest because the VA unduly delayed taking corrective action in the face of a clearly meritorious protest. Req. for Costs at 1. According to Martek, had the VA “conducted a reasonable inquiry in response to Martek’s initial protest, it would have . . . understood that its entire protest defense was inconsistent with the evaluators’ conduct and entirely absent from the contemporaneous record.” Id. at 3. Martek further contends that our Office routinely recommends costs where an agency takes corrective action after both a hearing and outcome prediction ADR, and that we should follow that trend here. Id. at 4-5 (citing Wisconsin Physicians Serv. Ins. Corp.--Costs, B-401068.12, Mar. 22, 2013, 2013 CPD ¶ 81; KGL Food Servs., WLL; Intermarkets Glob.--Costs, B‑400660.7, B‑400660.8, June 20, 2011, 2011 CPD ¶ 131; and DevTech Sys., Inc.--Costs, B‑284860.4, Aug. 23, 2002, 2002 CPD ¶ 150).

The VA asks our Office to deny Martek’s request, arguing that the protest was neither clearly meritorious nor did the agency unduly delay in taking corrective action. Resp. to Req. for Costs at 1‑2. The VA argues that under “any objective analysis, the Agency certainly established a defensible legal position, and this [matter] was not, as the protester suggests, a clear case.” Id. at 5. As explained below, we deny the request.

When a procuring agency takes corrective action in response to a protest, our Office may recommend reimbursement of protest costs. 4 C.F.R. § 21.8(e). We will recommend reimbursement of costs if we determine that the agency unduly delayed taking corrective action in the face of a clearly meritorious protest, thereby causing the protester to expend unnecessary time and resources to make further use of the protest process in order to obtain relief. Bowhead Mission Sols., LLC--Costs, B‑419385.7, July 14, 2022, 2022 CPD ¶ 183 at 4 (granting request); Tom & Jerry, Inc.--Costs, B‑417474.2, Nov. 20, 2019, 2019 CPD ¶ 405 at 4‑5 (denying request).

As a prerequisite to our recommending the reimbursement of costs where a protest has been settled by corrective action, the protest must have been clearly meritorious, i.e., not a close question. Science Applications Int’l Corp.--Costs, B‑410760.5, Nov. 24, 2015, 2015 CPD ¶ 370 at 3. A protest is clearly meritorious where a reasonable agency inquiry into the protester’s allegations would have revealed facts showing the absence of a defensible legal position. Bowhead Mission Sols., LLC--Costs, supra at 4, 7 (protest viewed as clearly meritorious); Apex Transit Sols., LLC--Costs, B‑418631.4, Feb. 8, 2021, 2021 CPD ¶ 102 at 5‑6 (protest not viewed as clearly meritorious); Tom & Jerry, Inc.--Costs, supra at 5‑6 (protest not viewed as clearly meritorious).

Our Office has previously determined that the willingness of a GAO attorney to conduct outcome prediction ADR is generally an indication that a protest is viewed as clearly meritorious. See e.g., Glen Mar Constr., Inc.--Costs, B‑410603.4, Apr. 5, 2016, 2016 CPD ¶ 107 at 8. However, we have also explained “the offer of ADR does not automatically translate to the conclusion that the protester should be awarded costs.” Tom & Jerry, Inc.--Costs, supra at 6. In this regard, we have maintained that the determination of whether to recommend reimbursement of costs rests on the unique factual and legal posture of each individual protest. Id.; see also Glen Mar Constr., Inc.‑‑Costs, supra.

In its initial pleadings, Martek argued that the VA unreasonably assessed a deficiency to its quotation due to the PMIS Application’s lack of FedRAMP authorization because: the terms of the RFQ did not require each component of a proposed SaaS solution to carry FedRAMP authorization, the Hosting Service in Martek’s solution satisfied the RFQ’s FedRAMP requirement, and all applicable cybersecurity requirements were met because the PMIS Application would run within the FedRAMP authorized Hosting Environment. Protest at 7‑9. In response, the agency argued that due to the specific nature of the PMIS Application, the application was subject to FedRAMP authorization standing alone because the PMIS Application product was a CSO, and FedRAMP authorization would not flow from the Hosting Service to the PMIS Application as suggested by Martek. See generally MOL at 2-10. At this point in the protest, our Office could not determine which party’s position was correct from the record and pleadings and therefore required further record development in the form of another round of briefing followed by a hearing and post-hearing briefing.

Accordingly, we find that reimbursement is not appropriate in this matter. Even if we were to find that the agency’s corrective action was not prompt, we conclude that the protest was not clearly meritorious. In this regard, we find that the VA had a defensible legal position in response to the issue raised in Martek’s protest which proved to be a close call. The extensive record development required to assess this matter supports a conclusion that the protest, as raised on September 19, was not clearly meritorious. See e.g., Tom & Jerry, Inc.--Costs, supra at 5‑6 (protest was not viewed as clearly meritorious where extra record development was required to assess the merits of the protest); Northrop Grumman Sys. Corp.--Costs, B‑412278.6, Feb. 7, 2017, 2017 CPD ¶ 68 at 4 (the scheduling of a hearing to further develop the record indicated that the issue presented was viewed as a close question); Distributed Sols., Inc.--Costs, B‑403566.2, Feb. 14, 2011, 2011 CPD ¶ 41 at 3‑4 (where development of the record included supplemental briefing and the consideration of a hearing, the protest was not viewed as clearly meritorious). As we do not view Martek’s protest as having been clearly meritorious, the standard for issuing a recommendation for costs is not met.

The request for costs is denied.

Edda Emmanuelli Perez
General Counsel