TITLE: B-299131.1; B-299131.2, Operational Research Consultants, Inc., February 16, 2007
BNUMBER: B-299131.1; B-299131.2
DATE: February 16, 2007
*********************************************************************************
B-299131.1; B-299131.2, Operational Research Consultants, Inc., February 16, 2007
DOCUMENT FOR PUBLIC RELEASE
The decision issued on the date below was subject to a GAO Protective
Order. This redacted version has been approved for public release.
Decision
Matter of: Operational Research Consultants, Inc.
File: B-299131.1; B-299131.2
Date: February 16, 2007
John S. Pachter, Esq., Jonathan D. Shaffer, Esq., Mary Pat Gregory, Esq.,
and Stephanie D. Capps, Esq., Smith Pachter McWhorter, PLC, for the
protester.
Daniel S. Koch, Esq., and Hillary E. Clark, Esq., Paley Rothman Goldstein
Rosenberg Eig & Cooper, for Enspier Technologies, Inc., an intervenor.
John E. Cornell, Esq., General Services Administration, for the agency.
Jonathan L. Kang, Esq., and Glenn G. Wolcott, Esq., Office of the General
Counsel, GAO, participated in the preparation of the decision.
DIGEST
1. Protest that award was tainted by organizational conflicts of interest
is denied where the record does not support allegations that the awardee
participated in the drafting of the statement of work or had access to
non-public information that would have provided a competitive advantage.
2. Protest challenging agency's evaluation of vendor's technical and price
quotations is denied where the record supports the reasonableness of the
agency's evaluations, and does not support the protester's allegations
regarding inadequate discussions.
DECISION
Operational Research Consultants, Inc. (ORC) protests the award of a task
order to Enspier Technologies, Inc. under request for quotations (RFQ) No.
TQ-PLB-06-0001, issued by the General Services Administration (GSA) for
operations and maintenance services for the Federal Public Key
Infrastructure Architecture (FPKIA). The protester argues that the award
to Enspier was tainted by organizational conflicts of interest (OCIs), and
challenges the agency's evaluation of vendors' price and technical
quotations, the adequacy of discussions, and the reasonableness of the
agency's source selection decision.
We deny the protest.
BACKGROUND
Generally, a public key infrastructure (PKI) is a system that allows
parties to exchange information electronically and verify the identity of
the sender and recipient and determine whether the contents of the
information have been altered. A PKI relies on cryptography methods to
establish a framework whereby parties use codes called "keys"; each party
keeps a secret "private key" and publishes a "public key" that any other
party can access. A sender uses the intended recipient's public key to
encrypt the message, and the sender's own private key to encrypt his
signature. The recipient uses his private key to de-encrypt the message
that was encrypted with his own public key and can verify that it was not
altered; the recipient can also use the public key of the sender to verify
the identity of that sender.
The E-Government Act of 2002 requires GSA to establish a "framework to
allow efficient interoperability among Executive agencies when using
electronic signatures, including processing digital signatures." Pub. L.
107-347 sect. 203. Use of digital signatures authenticated through a PKI
framework allows government agencies to have confidence in electronic
messages by verifying the identity of the sender and the integrity of the
message. GSA established the E-Authentication Initiative to implement the
E-Government Act and provide a structure for differing levels of security
for digital signatures. The E-Authentication Initiative contains four
levels of "assurance" regarding the ability to validate the identity of
the individual presenting a digital signature. The two lower levels of
assurance allow individuals to validate their identity through
"credentials" such as passwords or personal identification numbers,
whereas the two higher levels of assurance require more sophisticated
PKI-based credentials.
The FPKIA governs the requirements for the two higher-level PKI
assurances, and administers the systems used to validate messages and
digital signatures using PKI credentials. The Federal Public Key
Infrastructure Policy Authority (FPKIPA) is responsible for oversight of
the FPKIA and its constituent certification authorities (CAs), which are
the entities responsible for establishing PKI rules for authentication and
the authentication of messages and digital signatures.
Enspier currently holds a contract with GSA to support the
E-Authentication Program Management Office (PMO) by providing secretarial
support for the PMO, and design and operations services for the two lower,
non-PKI-based levels of assurances.[1] Agency Report (AR) at 5. Enspier
also holds a contract with the National Institutes of Health (NIH), to
provide secretarial services for the FPKIAPA. Id.
The solicitation sought quotations for services required to relocate the
government's prototype FPKIA from a government facility to a contractor
location, redesign the FPKIA, and then provide maintenance and support for
the redesigned system. The solicitation anticipated the award of a
fixed-price task order with cost-reimbursement elements. The agency
conducted the procurement under the streamlined acquisition procedures of
Federal Acquisition Regulation (FAR) part 12.6 and relied upon the "GSA
E-Buy" website to publicize the RFQ through a combined
synopsis/solicitation.[2]
The solicitation advised prospective vendors that quotations would be
evaluated on the basis of the following factors: key personnel, technical
approach, organizational experience, and price. The three non-price
evaluation factors were of equal weight and, when combined, were of equal
weight to price for purposes of award. RFQ at 8. The statement of work
(SOW) identified 11 subtasks required for performance of the task order:
(1) relocate the prototype FPKIA to the contractor location; (2) support
the FPKIA lab; (3) support the six FPKIA CAs; (4) re-design the FPKIA; (5)
security management; (6) redesign the FPKIA lab; (7) directory support;
(8) path discovery and validation support; (9) related assistance; (10)
weekly status reports; (11) FPKIA monthly reports and FPKIA statistical
reports.
After receiving initial quotations from vendors, the agency conducted
discussions and received revised quotations. Following discussions, the
agency concluded that ORC's revision had not adequately addressed all of
the agency's concerns. AR, Exh. 14, Final Technical Evaluation, at 2. The
agency identified three "significant weaknesses" in ORC's quotation under
the key personnel evaluation factor:
[A]lthough [ORC] offers a [project manager] experienced in PKI system
engineering . . . [i]t does not cite any information about the bid
individual['s] abilities to organize and manage resources to perform the
work required within defined scope, time, and cost constraints.
The bid auditors appear to have skill sets (i.e., SAS 70, Web Trust, and
quality assessments) that are only tangential to the requirements. These
skills are appropriate for third-party auditors, but not for daily
operations. . . .
[T]he Officer and Administrator roles require a high percentage of
dedicated time and the likelihood of [the proposed personnel] being able
to carry out the responsibilities for their trusted roles effectively,
in addition to the full-time Project Manager and Program Manager roles,
is doubtful.
Id. at 2-3.
The agency identified five "significant weaknesses" in ORC's quotation
under the technical approach factor:
[ORC] responses to subtasks 2 and 8 show they do not have a clear
understanding of the requirement. This work is based on testing products
against a particular test suite with the intent to qualify them.
However, [ORC] bids to test hardware and software module updates rather
than products.
Subtask 4 cites their capability, rather than ability, to create and
maintain an ISMS [information security management system]. Additionally,
they go to great lengths explaining the importance of having an ISMS
instead of describing their technical approach.
The related assistance in Subtask 9 is considered a basic part of
operations and management and shows no insight to the advancement of
Federal PKI or its processes.
[S]ubtasks 10 and 11 offer web-based approaches for reports, but state
that the web-based interfaces must be customized for this project. They
do not state that this would be done at no cost to the government, and
that is a concern.
In Subtask 3, ORC cites having a similar operating environment to the
FPKIA. This assertion demonstrates a lack of understanding of how
policies can be implemented in various ways. It is true that ORC has a
policy that maps to one of the FPKIA policies, but this is not a direct
correlation to how operations are set up.
Id. at 3.
The agency also identified a "significant weakness" regarding ORC's
organizational experience, stating that "ORC does not have ISMS experience
as an organization to meet the requirements in Subtask 5." Id.
As relevant here, the agency's final evaluation of vendor's quotations was
as follows:
+------------------------------------------------------------------------+
| | ORC | Enspier |
|----------------------------+---------------------+---------------------|
|Key Personnel | 50.7 / Marginal | 78.1 / Satisfactory |
|----------------------------+---------------------+---------------------|
|Technical Approach | 80.1 / Very Good | 79.7 / Satisfactory |
|----------------------------+---------------------+---------------------|
|Organizational Experience | 75.0 / Satisfactory | 95.0 / Outstanding |
|----------------------------+---------------------+---------------------|
|Total Technical Score | 68.6 / Marginal | 84.3 / Very Good |
|----------------------------+---------------------+---------------------|
|Price | [deleted] | $5,993,639 |
+------------------------------------------------------------------------+
AR, Exh. 6, Post-Negotiation Memorandum, at 5.[3]
In its source selection determination, the agency noted that ORC's
proposed price of [deleted] was approximately [deleted] lower than
Enspier's proposed price of $5,993,639. Id. at 8. However, the agency
noted that "when ORC's price proposal is compared to the historical cost
of running the PKI (the IGE [independent government estimate] is
$6,110,472), it appears that ORC is seriously underbidding this job," and
concluded that Enspier's higher-rated technical quotation was worth the
price premium. Id. In selecting Enspier's quotation for award, the agency
noted that "[t]he Enspier team advisory council model is unique and brings
to the Federal PKI Operational Authority a broad range of benefits
including access to world-class expertise in PKI operational engineering,"
and "[t]he expertise available in this council will minimize false starts
for both operational and policy initiatives, which also lower overall
operational and maintenance costs." Id. at 9.
Following its debriefing by the agency, ORC filed this protest.
DISCUSSION
Organizational Conflicts of Interest
ORC first argues that the award to Enspier was tainted by OCIs arising
from the awardee's performance of the GSA and NIH contracts, which involve
authentication-related services. Specifically, the protester alleges that
Enspier participated in the drafting of the SOW, and that Enspier had
access to non-public information as the result of its performance of the
GSA and NIH contracts.
The FAR generally requires contracting officers to avoid, neutralize or
mitigate potential significant conflicts of interest so as to prevent
unfair competitive advantage or the existence of conflicting roles that
might impair a contractor's objectivity. FAR sections 9.504, 9.505; Snell
Enters., Inc., B-290113, B-290113.2, June 10, 2002, 2002 CPD para. 115 at
3. The situations in which OCIs arise, as addressed in FAR subpart 9.5 and
the decisions of our Office, can be broadly categorized into three groups:
biased ground rules, unequal access to non-public information, and
impaired objectivity. Contracting officers must exercise "common sense,
good judgment, and sound discretion" in assessing whether a potential
conflict exists and in developing appropriate ways to resolve it; the
primary responsibility for determining whether a conflict is likely to
arise, and the resulting appropriate action, rests with the contracting
agency. FAR sect. 9.505; Science Applications Int'l Corp., B-293601.5,
Sept. 21, 2004, 2004 CPD para. 201 at 4. Once an agency has given
meaningful consideration to potential conflicts of interest, our Office
will not sustain a protest challenging a determination in this area unless
the determination is unreasonable or unsupported by the record. Science
Applications Int'l Corp., supra.
As relevant to the protester's allegations, a biased ground rules OCI
arises where a firm, as part of its performance of a government contract,
has in some sense set the ground rules for the competition for another
government contract by, for example, writing the SOW or the
specifications. In these cases, the primary concern is that the firm could
skew the competition, whether intentionally or not, in favor of itself.
FAR sections 9.505-1, 9.505-2. An unequal access to nonpublic information
OCI arises where, as part of its performance of a government contract, a
firm has access to information that may provide the firm an unfair
competitive advantage in a later competition for a government contract.
FAR sect. 9.505-4.
With regard to the protester's claim of a biased ground rules OCI, the
protester alleges that, as the contractor for the GSA and NIH contracts
discussed above, Enspier may have had a role in drafting the SOW. The
agency states that Mitretek Systems, the incumbent contractor for the
FPKIA services that are the subject of this procurement, was the entity
that assisted the government in developing the SOW, and that Enspier
played no role in drafting or developing the SOW.[4] AR, at 6; Contracting
Officer's Statement at 1. The protester fails to identify any information
in the record that demonstrates that Enspier played a role in developing
or drafting the SOW, and thus does not rebut the agency's specific
statement that Enspier had no such involvement with the SOW. In this
regard, substantial facts and hard evidence are necessary to establish a
conflict; mere inference or suspicion of an actual or apparent conflict is
not enough. Snell Enters., Inc., supra, at 4.
With regard to the protester's claim of an unequal access to information
OCI, the protester alleges that Enspier may have had access to non-public
information that provided the awardee an unfair competitive advantage in
the competition. Specifically, the protester contends that the positions
held by Enspier under the GSA and NIH contracts suggest that that firm may
have had access to non-public information. Although the agency report
contained the SOWs for Enspier's contracts, and the record further
describes the activities of Enspier under those contracts, the protester
is unable to identify any specific examples of non-public information that
would have provided an unfair competitive advantage to the awardee in the
competition. Furthermore, as discussed above, the activities performed by
Enspier under the NIH contract in support of the FPKIA were generally
secretarial in nature, and the work for GSA under the E-Authentication
contract pertained to the performance of validation work that relied on
publicly-available FPKIA documentation for the two lower-tier levels of
authentication, not the two higher-level levels that are the subject of
this RFQ.
The protester argues that certain publicly-available documents which were
either prepared by Enspier or refer to Enspier suggest that that firm may
have had access to non-public information. For example, the protester
argues that a publicly-available document titled "Technical Approach for
the Authentication Service Component," AR, Exh. 32, supports ORC's protest
to the extent that an Enspier employee is listed as the "author" of the
electronic file. The agency explains, however, that this document is
merely a recitation of public information regarding PMO polices. Further,
even assuming that an Enspier employee was the drafter of this document,
the protester does not identify any non-public information that might have
been used in its creation, nor does the protester suggest how any such
information could have given Enspier an unfair competitive advantage in
the competition. In sum, the protester has not provided support for its
assertion that the award to Enspier was tainted by an OCI.[5]
Key Personnel Evaluation
As discussed above, the agency identified three weaknesses in ORC's
quotation under the key personnel evaluation factor, which the agency
rated as "marginal." The protester challenges the agency's evaluation of
all three weaknesses.
The evaluation of technical proposals is a matter within the agency's
discretion, since the agency is responsible for defining its needs and the
best method for accommodating them. U.S. Textiles, Inc., B-289685.3, Dec.
19, 2002, 2002 CPD para. 218 at 2. In reviewing a protest against an
agency's evaluation of proposals, our Office will examine the record to
determine whether the agency's judgment was reasonable and consistent with
the stated evaluation criteria and applicable procurement statutes and
regulations. See Shumaker Trucking & Excavating Contractors, Inc.,
B-290732, Sept. 25, 2002, 2002 CPD para. 169 at 3. A protester's mere
disagreement with the agency's judgment in its determination of the
relative merit of competing proposals does not establish that the
evaluation was unreasonable. C. Lawrence Constr. Co., Inc., B-287066, Mar.
30, 2001, 2001 CPD para. 70 at 4.
As an initial matter, the protester argues that the RFQ only identified
two "key roles," a systems administrator and a security officer, and
therefore the agency was precluded from evaluating other proposed
personnel. On this basis, the protester argues that the agency's criticism
of the qualifications of ORC's proposed project and program managers and
auditors was unreasonable. We disagree with the protester's interpretation
of the RFQ. Although the RFQ did not explain to vendors how the "key
personnel" evaluation would be conducted, we do not believe that the use
of the term "key role" (a term which is not defined) with regard to two
positions reasonably indicated that they would be the only positions that
would be evaluated under the key personnel evaluation factor. In any
event, the agency specifically requested that ORC clarify the identity and
qualifications of its proposed project manager and auditors during
discussions, which clearly placed ORC on notice that the agency considered
those positions subject to evaluation. See AR, Exh. 3, at 2-3, 7.
As discussed above with regard to the evaluation of ORC's project manager,
the agency concluded that although the proposed individual had PKI
engineering expertise, the information provided did not demonstrate the
ability "to organize and manage resources to perform the work required
within defined scope, time and cost constraints." AR, Exh. 14, at 2-3. The
protester argues that the resume provided for its proposed project manager
demonstrates such experience. The agency notes that although the ORC's
project manager lists experience regarding leadership of various technical
projects, including PKI projects, there is not a clear description of any
management activities, that is, guidance of a team through a specific
project with regard to "scope, time and cost constraints." Id. Based on
our review of the entire record, the agency's evaluation was reasonable
with regard to the agency's understanding of the type of experience
required for "project management," and the agency reasonably concluded
that ORC's proposed project manager did not demonstrate that experience.
Next, the protester challenges the agency's determination that ORC's
proposed auditors did not provide skills that were relevant to the SOW.
The RFQ stated that vendors must provide auditors who have experience with
"[p]erforming or overseeing internal compliance audits to ensure that the
FPKI architecture is operating in accordance with this [certification
policy]." SOW at 15, sect. 7.2. In its evaluation, the agency noted that
ORC's proposed auditors demonstrated skills that are "appropriate for
third-party auditors, but not for daily operations." AR, Exh. 14, at 2.
The parties disagree over the agency's use of the terms "internal" and
"external" auditing skills; the protester contends that the distinction
between the skill sets described by the agency are "arbitrary" and also
that its proposed auditors demonstrated skills relevant to both. We
believe, however, that the agency's terminology reasonably distinguishes
between "internal" auditors who possess subject matter expertise relevant
to the internal technical operations of a particular PKI system, such as
the FPKIA, and "external" auditors who possess the more general knowledge
and skills required to understand whether a PKI system meets another
party's certification standards. See Decl. of Agency Program Manager, at
2. In this regard, the agency's evaluation of ORC's proposed auditors was
reasonable, in that ORC's quotation did not describe the skills of its
proposed auditors in a manner that was relevant to the SOW.
Next, the protester challenges the agency's criticism of ORC's proposed
approach of using [deleted] individuals to perform more than one task
under the SOW. Specifically, ORC proposed one individual for [deleted]
positions: [deleted]; and another individual for [deleted] positions:
[deleted]. ORC contends that this approach allowed for "streamlining roles
and eliminating unnecessary personnel." Protester's Comments on the Agency
Report, Dec. 26, 2006, at 13.
As the agency notes, the RFQ identified the project manager, ISSO and
ISMSA positions as "full-time roles," and further stated that the "trusted
roles," which included the primary and backup security officer positions,
are part-time positions that require 24-hour per day coverage and need to
be staffed with "at least two (2) complete teams to maintain adequate
coverage." SOW at 13, para. 7.1. Because ORC proposed single individuals
for positions that the RFQ clearly described as either full-time positions
or part-time positions requiring multiple personnel to cover, we find no
basis to question the agency's criticism of ORC's proposed approach of
assigning one individual to perform [deleted] different positions. ORC's
disagreement with the agency's assessments provides no basis to challenge
the reasonableness of the agency's evaluation.
Finally, the protester alleges that Enspier's quotation was
non-responsive, because the quotation did not discuss whether Enspier has
a top secret facility clearance. In its report on the protest, the agency
responded that a vendor's compliance with facility security clearance
requirements was a matter of contract administration.[6] AR, at 7. ORC did
not address this issue in its comments on the agency report or in its
supplemental protest, and thus did not meaningfully address the agency's
response to this matter; accordingly, we find no basis to question the
agency's evaluation of Enspier's quotation with regard to a facility
clearance.[7]
Technical approach
Next, as discussed above, the agency identified five significant
weaknesses in ORC's quotation under the technical approach evaluation
factor, which the agency evaluated as "very good." The protester
challenges the agency's evaluation of each weakness.
First, the agency determined that ORC's quotation did not address the
requirement in SOW subtask 8 to assist the FPKIA in testing products
against National Institute of Standards and Technology requirements for
path discovery and validation support. The agency determined during the
initial technical evaluation that ORC had not adequately described its
technical approach, noting that the quotation merely "mimics the RFP and
does not address this requirement." AR, Exh. 12, Technical Evaluation, at
11. The agency asked the protester during discussions to further address
ORC's approach to path discovery validation and support. AR, Exh. 3, ORC
Discussions Reponses, at 14. ORC responded that its approach was to
provide unit testing, integration testing, and O&M testing of "[hardware]
and [software] module updates and changes." Id. The agency concluded that
ORC's quotation focused on updates to hardware and software modules,
rather than the products themselves, and that this approach showed a lack
of understanding of the requirement.
The protester argues that the agency unreasonably read its discussions
response too narrowly, and that the references to "updates" should have
been interpreted to apply to all potential hardware and software product
requirements. However, the agency explains that it perceived a difference
between validating upgrades to existing software and equipment, as
proposed by ORC, and the more general SOW requirement for testing of
products. AR, Exh. 14, Final Technical Evaluation, at 3. Although the
protester argues that it did not intend to convey such a distinction in
its post-discussions revision, we conclude that the agency reasonably
identified this distinction based on the plain text of ORC's revision.
Next, the agency determined that ORC did not address the subtask 5
requirement to create and maintain an ISMS and provide training to FPKIA
staff regarding ISMS requirements. The agency asked ORC during discussions
to describe "What is the ISMS approach to advise and train FPKIA
personnel?" and "What is the technical approach to construct and maintain
the ISMS in accordance with ISO:270001." AR, Exh. 3, ORC Discussions
Responses, at 12. The agency concluded that ORC's responses to these
questions was inadequate, because the response largely described ORC's
understanding of the importance of an ISMS, rather than its approach to
actually performing the requirements. The protester argues that its
quotation fully addressed the ISMS requirements.[8] Here, the agency's
evaluation was reasonable. In this regard, ORC's response to the agency's
discussion question is devoted primarily to ORC's recognition of the
reasons for implementing an ISMS. Although the protester argues that it
did provide adequate detail regarding its approach, we have no basis to
question the agency's assessment that ORC's discussion response only
minimally described its approach to actually maintaining an ISMS or
training FPKIA staff, and that the response addressed these requirements
in only a very general manner.
Next, the agency determined that ORC's quotation did not meet the SOW
requirements with regard to subtask 9, which required vendors to provide
"related assistance to the government in support of the FPKIA." The agency
asked ORC during discussions to describe "some of the related assistance .
. . that you believe will enhance the FPKIA or streamline its processes."
AR, Exh. 3, ORC Final Discussions Response, at 14. The agency concluded
that ORC's response to this question did not discuss any features that
were different from the baseline requirements, but rather merely
referenced existing services needed for the operations. The protester
contends that its response did address the related assistance requirement
and the agency's discussion question. However, aside from repeating the
text of its discussion response, the protester does not explain why it
believes that its response addressed the agency's concern. See Protester's
Comments on the Agency Report, Dec. 27, 2006, at 16-17. On this record, we
believe the protester has failed to meaningfully challenge the agency's
evaluation.
Next, the agency determined that ORC's approach to meeting the subtask 10
and 11 requirements for weekly and monthly reports was a concern because
ORC offered web-based approaches for its reports, but did not state that
this approach would be performed at no cost to the government. The
protester notes that the agency's concern appears to be price-related,
i.e. that the agency might incur additional costs because the reports were
not included in ORC's fixed price. ORC thus argues that this concern was
not reasonable because the task order would be fixed price, and its
quotation did not indicate that the services would be provided on an
other-than fixed price basis.
Without addressing this issue, the agency report argues that the
protester's response to discussions, for the first time, identified its
approach to providing information to the agency as relying on "email,
phone and web tracking." AR, Exh. 3, ORC Discussions Response at 15. The
agency argues that this approach was non-responsive to the RFQ, which
required deliverables, such as the reports, in the Microsoft Word format.
SOW sect. 6. The protester argues that the agency cannot now argue that
its approach is non-responsive, as the agency had a duty to raise such
concerns during discussions. However, the non-responsive details, i.e. the
web-based approach, were first introduced in response to discussions.
Compare AR, Exh. 2, ORC Quotation, at 14-15 (quotation regarding subtasks
10 and 11 do not discuss web-based approach); with Exh. 3, ORC Discussions
Responses, at 15 (describing web-based approach). Thus, the protester was
not entitled to further discussions on this matter. Cube-All Star Servs.
Joint Venture, B-291903, Apr. 30, 2003, 2003 CPD para. 145 at 10-11
(agencies have no duty to reopen discussions in response to new
deficiencies first introduced in post-discussions proposal revision).
Moreover, the protester does not dispute the agency's characterization of
its approach as non-responsive. On this basis, we believe that the
protester cannot demonstrate any prejudice with regard to the agency's
evaluation of its quotation here. McDonald-Bradley, B-270126, Feb. 8,
1996, 96-1 CPD para. 54 at 3; see Statistica, Inc. v. Christopher, 102
F.3d 1577, 1681 (Fed. Cir. 1996).
Finally, the agency concluded that ORC's quotation did not demonstrate an
adequate understanding of the SOW regarding subtask 3, which required
support of the six CAs. During discussions, the agency asked ORC whether
it intended to incorporate the FPKIA operations into its own operations,
rather than following the prescribed assumption of responsibilities set
forth in the SOW. In its response, ORC stated that it would follow the SOW
requirements, and that "ORC's response illustrates that it is already
intimately and extensively familiar and is currently operating a similar
environment since ORC's CPS and Systems Security Plan have been audited
and approved compliant with the same Federal Policies as required by this
solicitation." AR, Exh. 3, ORC Discussions Responses, at 11.
The agency was concerned that ORC's response indicated a lack of
understanding of the SOW requirements because the agency disagreed with
the ORC's claim that the firm was "currently operating in a similar
environment" to the FPKIA. AR, Exh. 14, Final Technical Evaluation, at 3.
The agency argues that the fact that a party's PKI polices are compatible
with another party's PKI policies demonstrates that the two policies are
compatible for purposes of authentication; it does not demonstrate that
the one party is familiar with the underlying technical operating
environment for the other party. AR at 11-12.
ORC argues that its quotation and discussion responses indicated that it
was "intimately and extensively familiar" with the FPKIA polices and
operating environment, and that this response was sufficient to address
the agency's concern. The protester, however, does not meaningfully rebut
the agency's analysis regarding the implications of its claim to be
"currently operating in a similar environment." In this regard, we believe
that the agency's concern was reasonable, and that the protester provides
no basis to challenge the reasonableness of the agency's evaluation.
Organizational Experience
The protester next argues that the agency unreasonably determined that ORC
did not have sufficient ISMS experience to meet the requirements of
subtask 5, which requires operation of the FPKIA in accordance with the
Federal Information Security Management Act (FISMA), and advice and
training for government personnel to maintain the ISMS in accordance with
ISO:27001. During discussions, the agency requested that ORC address an
apparent lack of relevant experience, asking: "What ISMS experience do you
have using the ISO:27001 standards to train individuals and achieve
authorization?" AR, Exh. 3, ORC Discussions Responses, at 17. ORC
responded that "[t]o date, ORC has not directly applied ISO:27001
standards to train individuals and achieve authorization." Id. ORC further
explained, however, that it has experience regarding the FISMA, and that
it has "adopted many of the ISO 27001 requirements" in support of certain
sales contracts. Id. Although the protester argues that its description of
its experience with FISMA should have given the agency confidence in ORC's
ability to meet the solicitation requirements, we believe that, on this
record, the agency's evaluation was reasonable based on ORC's lack of
ISO:27001 training experience.
Price Evaluation and Discussions
The protester next challenges the agency's determination that ORC's
proposed price was unrealistically low. The agency stated in the source
selection determination that, "when ORC's price proposal is compared to
the historical cost of running the PKI (the IGE estimate is $6,110,472),
it appears that ORC is seriously underbidding this job." AR, Exh. 6,
Post-Negotiation Memorandum, at 8. The agency weighed this consideration
in its tradeoff comparison between ORC's lower-priced, lower
technically-rated quotation and Enspier's higher-priced, higher
technically-rated quotation.
The protester contends that the agency's analysis regarding the IGE failed
to consider ORC's unique approach to the SOW, which included a
"streamlined and more cost-effective approach." As discussed above,
however, the agency clearly considered, for example, ORC's approach to
dual-hatting various positions, and concluded that this approach was a
flawed approach to staffing. We believe that the agency understood ORC's
proposed approach, and reasonably determined that, to the extent that
ORC's quotation achieved a lower price through proposing single
individuals for more than one full-time position, such an approach
represented a risk to performance.
The protester also argues that the agency did not conduct meaningful
discussions regarding the agency's price concerns. The contracting officer
states that, during discussions, he specifically advised ORC that its
proposed price was too low. AR, Exh. 33, Contracting Officer's Statement,
at 1. The protester contends that such a statement was not made or
conveyed during discussions, and submitted declarations from two ORC
personnel who attended discussions, both of which state that the agency
did not inform ORC that its proposed price was too low. Protester's
Comments on the Agency Report, Attachs. 4, 5.
The record here supports the contracting officer's version of events, in
that the discussions summary notes among other price concerns: "There is a
concern regarding the pricing of Security Management." AR, Exh. 3, ORC
Discussions Responses, at 20. Additionally, the agency's source selection
decision specifically mentions details regarding discussions, wherein the
agency advised ORC regarding price concerns:
The discussions included a concern that the offering might be too low to
sustain the required effort necessary to maintain this contract. It was
stipulated at the discussion table that the Government's concern in the
pricing centered around the Security Management requirements and that
ORC's price may not reflect a true understanding of the requirements.
ORC significantly underbid this particular area.
AR, Exh. 6, Post-Negotiation Memorandum, at 7.
The agency also noted that "ORC was advised that their prices were too low
in discussions, to which they replied by lowering their prices by another
$100k." Id. at 8.
Although the agency and protester have directly contradictory
recollections of the substance of the discussions, we believe that the
agency's account is reasonably supported by the record, and that the
discussions with the protester were meaningful.
Source Selection Decision
Finally, ORC challenges the agency's determination to select Enspier for
award, despite that vendor's higher proposed price. Where, as here, the
solicitation allows for a price/technical tradeoff, the agency retains
discretion to select a higher-priced, higher technically rated proposal if
doing so is reasonably found to be in the government's best interest and
is consistent with the solicitation's stated evaluation scheme. 4-D
Neuroimaging, B-286155.2, B-286155.3, Oct. 10, 2001, 2001 CPD para. 183 at
10.
As discussed above, the agency concluded that Enspier's higher-technically
rated quotation was worth the approximately [deleted] price premium as
compared to ORC's lower-technically rated quotation. We believe that the
agency's source selection decision reasonably identified strengths that
justified Enspier's technical ratings and the price premium. Based on the
record, the agency's selection of Enspier's quotation for award was
reasonable.
The protest is denied.[9]
Gary L. Kepplinger
General Counsel
------------------------
[1] ORC also has a contract to provide credential certificates services to
the E-Authentication Program Management Office. AR, at 5.
[2] The solicitation is referenced in the record alternatively as an RFQ
and a request for proposals (RFP). Because the solicitation required
prospective contractors to identify the Federal Supply Schedule contract
under which the agency could place orders for the services required under
the solicitation, we refer to the solicitation as an RFQ and use
terminology appropriate to that type of solicitation.
[3] Vendors' quotations were assigned a numerical score for each
evaluation factor. A score of 90-100 was considered "outstanding," 80-89
"very good," 70-79 "satisfactory," 50-69 "marginal," and 0-49
"unsatisfactory."
[4] Mitretek did not submit a quotation for this competition.
[5] The contracting officer explains that he considered Enspier's
contracts and its duties under those contracts vis-`a-vis the drafting of
the SOW, and concluded that there were no OCI concerns raised. Contracting
Officer's Statement at 1. Although the contracting officer's statement did
not specifically address a similar analysis regarding the protester's
allegations of an unequal access to information OCI, as discussed above,
the protester was unable to identify any information that would give rise
to an OCI under either of the theories identified in the protest.
[6] As the intervenor notes, the solicitation did not require vendors to
address whether they have a top secret facility clearance at the time
quotations were submitted; rather security clearance requirements are
identified only with regard to individual personnel clearances. See SOW,
at 13, 15. The protester does not identify any solicitation provision
regarding facility clearances and, as discussed below, did not address any
such requirements in its comments on the agency report.
[7] Subsequently, the protester alleged for the first time in its comments
on the agency's report responding to its supplemental protest that
Enspier's quotation failed to meet the solicitation's requirements for
personnel security clearances. Protester's Supplemental Comments on the
Agency Report, Jan. 16, 2007, at 6. The initial protest issue regarding
top secret facility clearances is separate and distinct from the
protester's subsequent allegation regarding personnel security clearances.
Because the protester did not raise this distinct issue within 10 days of
when it received the awardee's quotation as part of the agency's report,
we dismiss this subsequent protest allegation as untimely raised. Bid
Protest Regulations, 4 C.F.R. sect. 21.2(a)(2) (2006); Maden Techs., B-
298543.2, Oct. 30, 2006, 2006 CPD para. 167, at 10-11.
[8] The protester also contends that the agency's discussions regarding
its ISMS personnel indicated that the agency had no concerns regarding the
adequacy of its ISMS approach. See Protester's Comments on the Agency
Report, at 15-16. The protester, however, incorrectly views the agency's
discussions, regarding key personnel, AR, Exh. 3, ORC Final Quotation
Revision, at 2, as the only area where the agency's ISMS concerns were
mentioned. As discussed above, the agency addressed specific ISMS concerns
regarding ORC's proposed technical approach during discussions.
[9] In pursuing this protest, ORC has raised various collateral issues. We
have reviewed all of the protester's arguments, and conclude that none
provides a basis for sustaining the protest.