TITLE: B-299131.1; B-299131.2, Operational Research Consultants, Inc., February 16, 2007
BNUMBER: B-299131.1; B-299131.2
DATE: February 16, 2007
*********************************************************************************
B-299131.1; B-299131.2, Operational Research Consultants, Inc., February 16, 2007

   DOCUMENT FOR PUBLIC RELEASE
   The decision issued on the date below was subject to a GAO Protective
   Order. This redacted version has been approved for public release.

   Decision

   Matter of: Operational Research Consultants, Inc.

   File: B-299131.1; B-299131.2

   Date: February 16, 2007

   John S. Pachter, Esq., Jonathan D. Shaffer, Esq., Mary Pat Gregory, Esq.,
   and Stephanie D. Capps, Esq., Smith Pachter McWhorter, PLC, for the
   protester.

   Daniel S. Koch, Esq., and Hillary E. Clark, Esq., Paley Rothman Goldstein
   Rosenberg Eig & Cooper, for Enspier Technologies, Inc., an intervenor.

   John E. Cornell, Esq., General Services Administration, for the agency.

   Jonathan L. Kang, Esq., and Glenn G. Wolcott, Esq., Office of the General
   Counsel, GAO, participated in the preparation of the decision.

   DIGEST

   1. Protest that award was tainted by organizational conflicts of interest
   is denied where the record does not support allegations that the awardee
   participated in the drafting of the statement of work or had access to
   non-public information that would have provided a competitive advantage.

   2. Protest challenging agency's evaluation of vendor's technical and price
   quotations is denied where the record supports the reasonableness of the
   agency's evaluations, and does not support the protester's allegations
   regarding inadequate discussions.

   DECISION

   Operational Research Consultants, Inc. (ORC) protests the award of a task
   order to Enspier Technologies, Inc. under request for quotations (RFQ) No.
   TQ-PLB-06-0001, issued by the General Services Administration (GSA) for
   operations and maintenance services for the Federal Public Key
   Infrastructure Architecture (FPKIA). The protester argues that the award
   to Enspier was tainted by organizational conflicts of interest (OCIs), and
   challenges the agency's evaluation of vendors' price and technical
   quotations, the adequacy of discussions, and the reasonableness of the
   agency's source selection decision.

   We deny the protest.

   BACKGROUND

   Generally, a public key infrastructure (PKI) is a system that allows
   parties to exchange information electronically and verify the identity of
   the sender and recipient and determine whether the contents of the
   information have been altered. A PKI relies on cryptography methods to
   establish a framework whereby parties use codes called "keys"; each party
   keeps a secret "private key" and publishes a "public key" that any other
   party can access. A sender uses the intended recipient's public key to
   encrypt the message, and the sender's own private key to encrypt his
   signature. The recipient uses his private key to de-encrypt the message
   that was encrypted with his own public key and can verify that it was not
   altered; the recipient can also use the public key of the sender to verify
   the identity of that sender.

   The E-Government Act of 2002 requires GSA to establish a "framework to
   allow efficient interoperability among Executive agencies when using
   electronic signatures, including processing digital signatures." Pub. L.
   107-347 sect. 203. Use of digital signatures authenticated through a PKI
   framework allows government agencies to have confidence in electronic
   messages by verifying the identity of the sender and the integrity of the
   message. GSA established the E-Authentication Initiative to implement the
   E-Government Act and provide a structure for differing levels of security
   for digital signatures. The E-Authentication Initiative contains four
   levels of "assurance" regarding the ability to validate the identity of
   the individual presenting a digital signature. The two lower levels of
   assurance allow individuals to validate their identity through
   "credentials" such as passwords or personal identification numbers,
   whereas the two higher levels of assurance require more sophisticated
   PKI-based credentials.

   The FPKIA governs the requirements for the two higher-level PKI
   assurances, and administers the systems used to validate messages and
   digital signatures using PKI credentials. The Federal Public Key
   Infrastructure Policy Authority (FPKIPA) is responsible for oversight of
   the FPKIA and its constituent certification authorities (CAs), which are
   the entities responsible for establishing PKI rules for authentication and
   the authentication of messages and digital signatures.

   Enspier currently holds a contract with GSA to support the
   E-Authentication Program Management Office (PMO) by providing secretarial
   support for the PMO, and design and operations services for the two lower,
   non-PKI-based levels of assurances.[1] Agency Report (AR) at 5. Enspier
   also holds a contract with the National Institutes of Health (NIH), to
   provide secretarial services for the FPKIAPA. Id.

   The solicitation sought quotations for services required to relocate the
   government's prototype FPKIA from a government facility to a contractor
   location, redesign the FPKIA, and then provide maintenance and support for
   the redesigned system. The solicitation anticipated the award of a
   fixed-price task order with cost-reimbursement elements. The agency
   conducted the procurement under the streamlined acquisition procedures of
   Federal Acquisition Regulation (FAR) part 12.6 and relied upon the "GSA
   E-Buy" website to publicize the RFQ through a combined
   synopsis/solicitation.[2]

   The solicitation advised prospective vendors that quotations would be
   evaluated on the basis of the following factors: key personnel, technical
   approach, organizational experience, and price. The three non-price
   evaluation factors were of equal weight and, when combined, were of equal
   weight to price for purposes of award. RFQ at 8. The statement of work
   (SOW) identified 11 subtasks required for performance of the task order:
   (1) relocate the prototype FPKIA to the contractor location; (2) support
   the FPKIA lab; (3) support the six FPKIA CAs; (4) re-design the FPKIA; (5)
   security management; (6) redesign the FPKIA lab; (7) directory support;
   (8) path discovery and validation support; (9) related assistance; (10)
   weekly status reports; (11) FPKIA monthly reports and FPKIA statistical
   reports.

   After receiving initial quotations from vendors, the agency conducted
   discussions and received revised quotations. Following discussions, the
   agency concluded that ORC's revision had not adequately addressed all of
   the agency's concerns. AR, Exh. 14, Final Technical Evaluation, at 2. The
   agency identified three "significant weaknesses" in ORC's quotation under
   the key personnel evaluation factor:

     [A]lthough [ORC] offers a [project manager] experienced in PKI system
     engineering . . . [i]t does not cite any information about the bid
     individual['s] abilities to organize and manage resources to perform the
     work required within defined scope, time, and cost constraints.

     The bid auditors appear to have skill sets (i.e., SAS 70, Web Trust, and
     quality assessments) that are only tangential to the requirements. These
     skills are appropriate for third-party auditors, but not for daily
     operations. . . .

     [T]he Officer and Administrator roles require a high percentage of
     dedicated time and the likelihood of [the proposed personnel] being able
     to carry out the responsibilities for their trusted roles effectively,
     in addition to the full-time Project Manager and Program Manager roles,
     is doubtful.

   Id. at 2-3.

   The agency identified five "significant weaknesses" in ORC's quotation
   under the technical approach factor:

     [ORC] responses to subtasks 2 and 8 show they do not have a clear
     understanding of the requirement. This work is based on testing products
     against a particular test suite with the intent to qualify them.
     However, [ORC] bids to test hardware and software module updates rather
     than products.

     Subtask 4 cites their capability, rather than ability, to create and
     maintain an ISMS [information security management system]. Additionally,
     they go to great lengths explaining the importance of having an ISMS
     instead of describing their technical approach.

     The related assistance in Subtask 9 is considered a basic part of
     operations and management and shows no insight to the advancement of
     Federal PKI or its processes.

     [S]ubtasks 10 and 11 offer web-based approaches for reports, but state
     that the web-based interfaces must be customized for this project. They
     do not state that this would be done at no cost to the government, and
     that is a concern.

     In Subtask 3, ORC cites having a similar operating environment to the
     FPKIA. This assertion demonstrates a lack of understanding of how
     policies can be implemented in various ways. It is true that ORC has a
     policy that maps to one of the FPKIA policies, but this is not a direct
     correlation to how operations are set up.

   Id. at 3.

   The agency also identified a "significant weakness" regarding ORC's
   organizational experience, stating that "ORC does not have ISMS experience
   as an organization to meet the requirements in Subtask 5." Id.

   As relevant here, the agency's final evaluation of vendor's quotations was
   as follows:

   +------------------------------------------------------------------------+
   |                            |         ORC         |       Enspier       |
   |----------------------------+---------------------+---------------------|
   |Key Personnel               |   50.7 / Marginal   | 78.1 / Satisfactory |
   |----------------------------+---------------------+---------------------|
   |Technical Approach          |  80.1 / Very Good   | 79.7 / Satisfactory |
   |----------------------------+---------------------+---------------------|
   |Organizational Experience   | 75.0 / Satisfactory | 95.0 / Outstanding  |
   |----------------------------+---------------------+---------------------|
   |Total Technical Score       |   68.6 / Marginal   |  84.3 / Very Good   |
   |----------------------------+---------------------+---------------------|
   |Price                       |      [deleted]      |     $5,993,639      |
   +------------------------------------------------------------------------+

   AR, Exh. 6, Post-Negotiation Memorandum, at 5.[3]

   In its source selection determination, the agency noted that ORC's
   proposed price of [deleted] was approximately [deleted] lower than
   Enspier's proposed price of $5,993,639. Id. at 8. However, the agency
   noted that "when ORC's price proposal is compared to the historical cost
   of running the PKI (the IGE [independent government estimate] is
   $6,110,472), it appears that ORC is seriously underbidding this job," and
   concluded that Enspier's higher-rated technical quotation was worth the
   price premium. Id. In selecting Enspier's quotation for award, the agency
   noted that "[t]he Enspier team advisory council model is unique and brings
   to the Federal PKI Operational Authority a broad range of benefits
   including access to world-class expertise in PKI operational engineering,"
   and "[t]he expertise available in this council will minimize false starts
   for both operational and policy initiatives, which also lower overall
   operational and maintenance costs." Id. at 9.

   Following its debriefing by the agency, ORC filed this protest.

   DISCUSSION

   Organizational Conflicts of Interest

   ORC first argues that the award to Enspier was tainted by OCIs arising
   from the awardee's performance of the GSA and NIH contracts, which involve
   authentication-related services. Specifically, the protester alleges that
   Enspier participated in the drafting of the SOW, and that Enspier had
   access to non-public information as the result of its performance of the
   GSA and NIH contracts.

   The FAR generally requires contracting officers to avoid, neutralize or
   mitigate potential significant conflicts of interest so as to prevent
   unfair competitive advantage or the existence of conflicting roles that
   might impair a contractor's objectivity. FAR sections 9.504, 9.505; Snell
   Enters., Inc., B-290113, B-290113.2, June 10, 2002, 2002 CPD para. 115 at
   3. The situations in which OCIs arise, as addressed in FAR subpart 9.5 and
   the decisions of our Office, can be broadly categorized into three groups:
   biased ground rules, unequal access to non-public information, and
   impaired objectivity. Contracting officers must exercise "common sense,
   good judgment, and sound discretion" in assessing whether a potential
   conflict exists and in developing appropriate ways to resolve it; the
   primary responsibility for determining whether a conflict is likely to
   arise, and the resulting appropriate action, rests with the contracting
   agency. FAR sect. 9.505; Science Applications Int'l Corp., B-293601.5,
   Sept. 21, 2004, 2004 CPD para. 201 at 4. Once an agency has given
   meaningful consideration to potential conflicts of interest, our Office
   will not sustain a protest challenging a determination in this area unless
   the determination is unreasonable or unsupported by the record. Science
   Applications Int'l Corp., supra.

   As relevant to the protester's allegations, a biased ground rules OCI
   arises where a firm, as part of its performance of a government contract,
   has in some sense set the ground rules for the competition for another
   government contract by, for example, writing the SOW or the
   specifications. In these cases, the primary concern is that the firm could
   skew the competition, whether intentionally or not, in favor of itself.
   FAR sections 9.505-1, 9.505-2. An unequal access to nonpublic information
   OCI arises where, as part of its performance of a government contract, a
   firm has access to information that may provide the firm an unfair
   competitive advantage in a later competition for a government contract.
   FAR sect. 9.505-4.

   With regard to the protester's claim of a biased ground rules OCI, the
   protester alleges that, as the contractor for the GSA and NIH contracts
   discussed above, Enspier may have had a role in drafting the SOW. The
   agency states that Mitretek Systems, the incumbent contractor for the
   FPKIA services that are the subject of this procurement, was the entity
   that assisted the government in developing the SOW, and that Enspier
   played no role in drafting or developing the SOW.[4] AR, at 6; Contracting
   Officer's Statement at 1. The protester fails to identify any information
   in the record that demonstrates that Enspier played a role in developing
   or drafting the SOW, and thus does not rebut the agency's specific
   statement that Enspier had no such involvement with the SOW. In this
   regard, substantial facts and hard evidence are necessary to establish a
   conflict; mere inference or suspicion of an actual or apparent conflict is
   not enough. Snell Enters., Inc., supra, at 4.

   With regard to the protester's claim of an unequal access to information
   OCI, the protester alleges that Enspier may have had access to non-public
   information that provided the awardee an unfair competitive advantage in
   the competition. Specifically, the protester contends that the positions
   held by Enspier under the GSA and NIH contracts suggest that that firm may
   have had access to non-public information. Although the agency report
   contained the SOWs for Enspier's contracts, and the record further
   describes the activities of Enspier under those contracts, the protester
   is unable to identify any specific examples of non-public information that
   would have provided an unfair competitive advantage to the awardee in the
   competition. Furthermore, as discussed above, the activities performed by
   Enspier under the NIH contract in support of the FPKIA were generally
   secretarial in nature, and the work for GSA under the E-Authentication
   contract pertained to the performance of validation work that relied on
   publicly-available FPKIA documentation for the two lower-tier levels of
   authentication, not the two higher-level levels that are the subject of
   this RFQ.

   The protester argues that certain publicly-available documents which were
   either prepared by Enspier or refer to Enspier suggest that that firm may
   have had access to non-public information. For example, the protester
   argues that a publicly-available document titled "Technical Approach for
   the Authentication Service Component," AR, Exh. 32, supports ORC's protest
   to the extent that an Enspier employee is listed as the "author" of the
   electronic file. The agency explains, however, that this document is
   merely a recitation of public information regarding PMO polices. Further,
   even assuming that an Enspier employee was the drafter of this document,
   the protester does not identify any non-public information that might have
   been used in its creation, nor does the protester suggest how any such
   information could have given Enspier an unfair competitive advantage in
   the competition. In sum, the protester has not provided support for its
   assertion that the award to Enspier was tainted by an OCI.[5]

   Key Personnel Evaluation

   As discussed above, the agency identified three weaknesses in ORC's
   quotation under the key personnel evaluation factor, which the agency
   rated as "marginal." The protester challenges the agency's evaluation of
   all three weaknesses.

   The evaluation of technical proposals is a matter within the agency's
   discretion, since the agency is responsible for defining its needs and the
   best method for accommodating them. U.S. Textiles, Inc., B-289685.3, Dec.
   19, 2002, 2002 CPD para. 218 at 2. In reviewing a protest against an
   agency's evaluation of proposals, our Office will examine the record to
   determine whether the agency's judgment was reasonable and consistent with
   the stated evaluation criteria and applicable procurement statutes and
   regulations. See Shumaker Trucking & Excavating Contractors, Inc.,
   B-290732, Sept. 25, 2002, 2002 CPD para. 169 at 3. A protester's mere
   disagreement with the agency's judgment in its determination of the
   relative merit of competing proposals does not establish that the
   evaluation was unreasonable. C. Lawrence Constr. Co., Inc., B-287066, Mar.
   30, 2001, 2001 CPD para. 70 at 4.

   As an initial matter, the protester argues that the RFQ only identified
   two "key roles," a systems administrator and a security officer, and
   therefore the agency was precluded from evaluating other proposed
   personnel. On this basis, the protester argues that the agency's criticism
   of the qualifications of ORC's proposed project and program managers and
   auditors was unreasonable. We disagree with the protester's interpretation
   of the RFQ. Although the RFQ did not explain to vendors how the "key
   personnel" evaluation would be conducted, we do not believe that the use
   of the term "key role" (a term which is not defined) with regard to two
   positions reasonably indicated that they would be the only positions that
   would be evaluated under the key personnel evaluation factor. In any
   event, the agency specifically requested that ORC clarify the identity and
   qualifications of its proposed project manager and auditors during
   discussions, which clearly placed ORC on notice that the agency considered
   those positions subject to evaluation. See AR, Exh. 3, at 2-3, 7.

   As discussed above with regard to the evaluation of ORC's project manager,
   the agency concluded that although the proposed individual had PKI
   engineering expertise, the information provided did not demonstrate the
   ability "to organize and manage resources to perform the work required
   within defined scope, time and cost constraints." AR, Exh. 14, at 2-3. The
   protester argues that the resume provided for its proposed project manager
   demonstrates such experience. The agency notes that although the ORC's
   project manager lists experience regarding leadership of various technical
   projects, including PKI projects, there is not a clear description of any
   management activities, that is, guidance of a team through a specific
   project with regard to "scope, time and cost constraints." Id. Based on
   our review of the entire record, the agency's evaluation was reasonable
   with regard to the agency's understanding of the type of experience
   required for "project management," and the agency reasonably concluded
   that ORC's proposed project manager did not demonstrate that experience.

   Next, the protester challenges the agency's determination that ORC's
   proposed auditors did not provide skills that were relevant to the SOW.
   The RFQ stated that vendors must provide auditors who have experience with
   "[p]erforming or overseeing internal compliance audits to ensure that the
   FPKI architecture is operating in accordance with this [certification
   policy]." SOW at 15, sect. 7.2. In its evaluation, the agency noted that
   ORC's proposed auditors demonstrated skills that are "appropriate for
   third-party auditors, but not for daily operations." AR, Exh. 14, at 2.

   The parties disagree over the agency's use of the terms "internal" and
   "external" auditing skills; the protester contends that the distinction
   between the skill sets described by the agency are "arbitrary" and also
   that its proposed auditors demonstrated skills relevant to both. We
   believe, however, that the agency's terminology reasonably distinguishes
   between "internal" auditors who possess subject matter expertise relevant
   to the internal technical operations of a particular PKI system, such as
   the FPKIA, and "external" auditors who possess the more general knowledge
   and skills required to understand whether a PKI system meets another
   party's certification standards. See Decl. of Agency Program Manager, at
   2. In this regard, the agency's evaluation of ORC's proposed auditors was
   reasonable, in that ORC's quotation did not describe the skills of its
   proposed auditors in a manner that was relevant to the SOW.

   Next, the protester challenges the agency's criticism of ORC's proposed
   approach of using [deleted] individuals to perform more than one task
   under the SOW. Specifically, ORC proposed one individual for [deleted]
   positions: [deleted]; and another individual for [deleted] positions:
   [deleted]. ORC contends that this approach allowed for "streamlining roles
   and eliminating unnecessary personnel." Protester's Comments on the Agency
   Report, Dec. 26, 2006, at 13.

   As the agency notes, the RFQ identified the project manager, ISSO and
   ISMSA positions as "full-time roles," and further stated that the "trusted
   roles," which included the primary and backup security officer positions,
   are part-time positions that require 24-hour per day coverage and need to
   be staffed with "at least two (2) complete teams to maintain adequate
   coverage." SOW at 13, para. 7.1. Because ORC proposed single individuals
   for positions that the RFQ clearly described as either full-time positions
   or part-time positions requiring multiple personnel to cover, we find no
   basis to question the agency's criticism of ORC's proposed approach of
   assigning one individual to perform [deleted] different positions. ORC's
   disagreement with the agency's assessments provides no basis to challenge
   the reasonableness of the agency's evaluation.

   Finally, the protester alleges that Enspier's quotation was
   non-responsive, because the quotation did not discuss whether Enspier has
   a top secret facility clearance. In its report on the protest, the agency
   responded that a vendor's compliance with facility security clearance
   requirements was a matter of contract administration.[6] AR, at 7. ORC did
   not address this issue in its comments on the agency report or in its
   supplemental protest, and thus did not meaningfully address the agency's
   response to this matter; accordingly, we find no basis to question the
   agency's evaluation of Enspier's quotation with regard to a facility
   clearance.[7]

   Technical approach

   Next, as discussed above, the agency identified five significant
   weaknesses in ORC's quotation under the technical approach evaluation
   factor, which the agency evaluated as "very good." The protester
   challenges the agency's evaluation of each weakness.

   First, the agency determined that ORC's quotation did not address the
   requirement in SOW subtask 8 to assist the FPKIA in testing products
   against National Institute of Standards and Technology requirements for
   path discovery and validation support. The agency determined during the
   initial technical evaluation that ORC had not adequately described its
   technical approach, noting that the quotation merely "mimics the RFP and
   does not address this requirement." AR, Exh. 12, Technical Evaluation, at
   11. The agency asked the protester during discussions to further address
   ORC's approach to path discovery validation and support. AR, Exh. 3, ORC
   Discussions Reponses, at 14. ORC responded that its approach was to
   provide unit testing, integration testing, and O&M testing of "[hardware]
   and [software] module updates and changes." Id. The agency concluded that
   ORC's quotation focused on updates to hardware and software modules,
   rather than the products themselves, and that this approach showed a lack
   of understanding of the requirement.

   The protester argues that the agency unreasonably read its discussions
   response too narrowly, and that the references to "updates" should have
   been interpreted to apply to all potential hardware and software product
   requirements. However, the agency explains that it perceived a difference
   between validating upgrades to existing software and equipment, as
   proposed by ORC, and the more general SOW requirement for testing of
   products. AR, Exh. 14, Final Technical Evaluation, at 3. Although the
   protester argues that it did not intend to convey such a distinction in
   its post-discussions revision, we conclude that the agency reasonably
   identified this distinction based on the plain text of ORC's revision.

   Next, the agency determined that ORC did not address the subtask 5
   requirement to create and maintain an ISMS and provide training to FPKIA
   staff regarding ISMS requirements. The agency asked ORC during discussions
   to describe "What is the ISMS approach to advise and train FPKIA
   personnel?" and "What is the technical approach to construct and maintain
   the ISMS in accordance with ISO:270001." AR, Exh. 3, ORC Discussions
   Responses, at 12. The agency concluded that ORC's responses to these
   questions was inadequate, because the response largely described ORC's
   understanding of the importance of an ISMS, rather than its approach to
   actually performing the requirements. The protester argues that its
   quotation fully addressed the ISMS requirements.[8] Here, the agency's
   evaluation was reasonable. In this regard, ORC's response to the agency's
   discussion question is devoted primarily to ORC's recognition of the
   reasons for implementing an ISMS. Although the protester argues that it
   did provide adequate detail regarding its approach, we have no basis to
   question the agency's assessment that ORC's discussion response only
   minimally described its approach to actually maintaining an ISMS or
   training FPKIA staff, and that the response addressed these requirements
   in only a very general manner.

   Next, the agency determined that ORC's quotation did not meet the SOW
   requirements with regard to subtask 9, which required vendors to provide
   "related assistance to the government in support of the FPKIA." The agency
   asked ORC during discussions to describe "some of the related assistance .
   . . that you believe will enhance the FPKIA or streamline its processes."
   AR, Exh. 3, ORC Final Discussions Response, at 14. The agency concluded
   that ORC's response to this question did not discuss any features that
   were different from the baseline requirements, but rather merely
   referenced existing services needed for the operations. The protester
   contends that its response did address the related assistance requirement
   and the agency's discussion question. However, aside from repeating the
   text of its discussion response, the protester does not explain why it
   believes that its response addressed the agency's concern. See Protester's
   Comments on the Agency Report, Dec. 27, 2006, at 16-17. On this record, we
   believe the protester has failed to meaningfully challenge the agency's
   evaluation.

   Next, the agency determined that ORC's approach to meeting the subtask 10
   and 11 requirements for weekly and monthly reports was a concern because
   ORC offered web-based approaches for its reports, but did not state that
   this approach would be performed at no cost to the government. The
   protester notes that the agency's concern appears to be price-related,
   i.e. that the agency might incur additional costs because the reports were
   not included in ORC's fixed price. ORC thus argues that this concern was
   not reasonable because the task order would be fixed price, and its
   quotation did not indicate that the services would be provided on an
   other-than fixed price basis.

   Without addressing this issue, the agency report argues that the
   protester's response to discussions, for the first time, identified its
   approach to providing information to the agency as relying on "email,
   phone and web tracking." AR, Exh. 3, ORC Discussions Response at 15. The
   agency argues that this approach was non-responsive to the RFQ, which
   required deliverables, such as the reports, in the Microsoft Word format.
   SOW sect. 6. The protester argues that the agency cannot now argue that
   its approach is non-responsive, as the agency had a duty to raise such
   concerns during discussions. However, the non-responsive details, i.e. the
   web-based approach, were first introduced in response to discussions.
   Compare AR, Exh. 2, ORC Quotation, at 14-15 (quotation regarding subtasks
   10 and 11 do not discuss web-based approach); with Exh. 3, ORC Discussions
   Responses, at 15 (describing web-based approach). Thus, the protester was
   not entitled to further discussions on this matter. Cube-All Star Servs.
   Joint Venture, B-291903, Apr. 30, 2003, 2003 CPD para. 145 at 10-11
   (agencies have no duty to reopen discussions in response to new
   deficiencies first introduced in post-discussions proposal revision).
   Moreover, the protester does not dispute the agency's characterization of
   its approach as non-responsive. On this basis, we believe that the
   protester cannot demonstrate any prejudice with regard to the agency's
   evaluation of its quotation here. McDonald-Bradley, B-270126, Feb. 8,
   1996, 96-1 CPD para. 54 at 3; see Statistica, Inc. v. Christopher, 102
   F.3d 1577, 1681 (Fed. Cir. 1996).

   Finally, the agency concluded that ORC's quotation did not demonstrate an
   adequate understanding of the SOW regarding subtask 3, which required
   support of the six CAs. During discussions, the agency asked ORC whether
   it intended to incorporate the FPKIA operations into its own operations,
   rather than following the prescribed assumption of responsibilities set
   forth in the SOW. In its response, ORC stated that it would follow the SOW
   requirements, and that "ORC's response illustrates that it is already
   intimately and extensively familiar and is currently operating a similar
   environment since ORC's CPS and Systems Security Plan have been audited
   and approved compliant with the same Federal Policies as required by this
   solicitation." AR, Exh. 3, ORC Discussions Responses, at 11.

   The agency was concerned that ORC's response indicated a lack of
   understanding of the SOW requirements because the agency disagreed with
   the ORC's claim that the firm was "currently operating in a similar
   environment" to the FPKIA. AR, Exh. 14, Final Technical Evaluation, at 3.
   The agency argues that the fact that a party's PKI polices are compatible
   with another party's PKI policies demonstrates that the two policies are
   compatible for purposes of authentication; it does not demonstrate that
   the one party is familiar with the underlying technical operating
   environment for the other party. AR at 11-12.

   ORC argues that its quotation and discussion responses indicated that it
   was "intimately and extensively familiar" with the FPKIA polices and
   operating environment, and that this response was sufficient to address
   the agency's concern. The protester, however, does not meaningfully rebut
   the agency's analysis regarding the implications of its claim to be
   "currently operating in a similar environment." In this regard, we believe
   that the agency's concern was reasonable, and that the protester provides
   no basis to challenge the reasonableness of the agency's evaluation.

   Organizational Experience

   The protester next argues that the agency unreasonably determined that ORC
   did not have sufficient ISMS experience to meet the requirements of
   subtask 5, which requires operation of the FPKIA in accordance with the
   Federal Information Security Management Act (FISMA), and advice and
   training for government personnel to maintain the ISMS in accordance with
   ISO:27001. During discussions, the agency requested that ORC address an
   apparent lack of relevant experience, asking: "What ISMS experience do you
   have using the ISO:27001 standards to train individuals and achieve
   authorization?" AR, Exh. 3, ORC Discussions Responses, at 17. ORC
   responded that "[t]o date, ORC has not directly applied ISO:27001
   standards to train individuals and achieve authorization." Id. ORC further
   explained, however, that it has experience regarding the FISMA, and that
   it has "adopted many of the ISO 27001 requirements" in support of certain
   sales contracts. Id. Although the protester argues that its description of
   its experience with FISMA should have given the agency confidence in ORC's
   ability to meet the solicitation requirements, we believe that, on this
   record, the agency's evaluation was reasonable based on ORC's lack of
   ISO:27001 training experience.

   Price Evaluation and Discussions

   The protester next challenges the agency's determination that ORC's
   proposed price was unrealistically low. The agency stated in the source
   selection determination that, "when ORC's price proposal is compared to
   the historical cost of running the PKI (the IGE estimate is $6,110,472),
   it appears that ORC is seriously underbidding this job." AR, Exh. 6,
   Post-Negotiation Memorandum, at 8. The agency weighed this consideration
   in its tradeoff comparison between ORC's lower-priced, lower
   technically-rated quotation and Enspier's higher-priced, higher
   technically-rated quotation.

   The protester contends that the agency's analysis regarding the IGE failed
   to consider ORC's unique approach to the SOW, which included a
   "streamlined and more cost-effective approach." As discussed above,
   however, the agency clearly considered, for example, ORC's approach to
   dual-hatting various positions, and concluded that this approach was a
   flawed approach to staffing. We believe that the agency understood ORC's
   proposed approach, and reasonably determined that, to the extent that
   ORC's quotation achieved a lower price through proposing single
   individuals for more than one full-time position, such an approach
   represented a risk to performance.

   The protester also argues that the agency did not conduct meaningful
   discussions regarding the agency's price concerns. The contracting officer
   states that, during discussions, he specifically advised ORC that its
   proposed price was too low. AR, Exh. 33, Contracting Officer's Statement,
   at 1. The protester contends that such a statement was not made or
   conveyed during discussions, and submitted declarations from two ORC
   personnel who attended discussions, both of which state that the agency
   did not inform ORC that its proposed price was too low. Protester's
   Comments on the Agency Report, Attachs. 4, 5.

   The record here supports the contracting officer's version of events, in
   that the discussions summary notes among other price concerns: "There is a
   concern regarding the pricing of Security Management." AR, Exh. 3, ORC
   Discussions Responses, at 20. Additionally, the agency's source selection
   decision specifically mentions details regarding discussions, wherein the
   agency advised ORC regarding price concerns:

     The discussions included a concern that the offering might be too low to
     sustain the required effort necessary to maintain this contract. It was
     stipulated at the discussion table that the Government's concern in the
     pricing centered around the Security Management requirements and that
     ORC's price may not reflect a true understanding of the requirements.
     ORC significantly underbid this particular area.

   AR, Exh. 6, Post-Negotiation Memorandum, at 7.

   The agency also noted that "ORC was advised that their prices were too low
   in discussions, to which they replied by lowering their prices by another
   $100k." Id. at 8.

   Although the agency and protester have directly contradictory
   recollections of the substance of the discussions, we believe that the
   agency's account is reasonably supported by the record, and that the
   discussions with the protester were meaningful.

   Source Selection Decision

   Finally, ORC challenges the agency's determination to select Enspier for
   award, despite that vendor's higher proposed price. Where, as here, the
   solicitation allows for a price/technical tradeoff, the agency retains
   discretion to select a higher-priced, higher technically rated proposal if
   doing so is reasonably found to be in the government's best interest and
   is consistent with the solicitation's stated evaluation scheme. 4-D
   Neuroimaging, B-286155.2, B-286155.3, Oct. 10, 2001, 2001 CPD para. 183 at
   10.

   As discussed above, the agency concluded that Enspier's higher-technically
   rated quotation was worth the approximately [deleted] price premium as
   compared to ORC's lower-technically rated quotation. We believe that the
   agency's source selection decision reasonably identified strengths that
   justified Enspier's technical ratings and the price premium. Based on the
   record, the agency's selection of Enspier's quotation for award was
   reasonable.

   The protest is denied.[9]

   Gary L. Kepplinger
   General Counsel

   ------------------------

   [1] ORC also has a contract to provide credential certificates services to
   the E-Authentication Program Management Office. AR, at 5.

   [2] The solicitation is referenced in the record alternatively as an RFQ
   and a request for proposals (RFP). Because the solicitation required
   prospective contractors to identify the Federal Supply Schedule contract
   under which the agency could place orders for the services required under
   the solicitation, we refer to the solicitation as an RFQ and use
   terminology appropriate to that type of solicitation.

   [3] Vendors' quotations were assigned a numerical score for each
   evaluation factor. A score of 90-100 was considered "outstanding," 80-89
   "very good," 70-79 "satisfactory," 50-69 "marginal," and 0-49
   "unsatisfactory."

   [4] Mitretek did not submit a quotation for this competition.

   [5] The contracting officer explains that he considered Enspier's
   contracts and its duties under those contracts vis-`a-vis the drafting of
   the SOW, and concluded that there were no OCI concerns raised. Contracting
   Officer's Statement at 1. Although the contracting officer's statement did
   not specifically address a similar analysis regarding the protester's
   allegations of an unequal access to information OCI, as discussed above,
   the protester was unable to identify any information that would give rise
   to an OCI under either of the theories identified in the protest.

   [6] As the intervenor notes, the solicitation did not require vendors to
   address whether they have a top secret facility clearance at the time
   quotations were submitted; rather security clearance requirements are
   identified only with regard to individual personnel clearances. See SOW,
   at 13, 15. The protester does not identify any solicitation provision
   regarding facility clearances and, as discussed below, did not address any
   such requirements in its comments on the agency report.

   [7] Subsequently, the protester alleged for the first time in its comments
   on the agency's report responding to its supplemental protest that
   Enspier's quotation failed to meet the solicitation's requirements for
   personnel security clearances. Protester's Supplemental Comments on the
   Agency Report, Jan. 16, 2007, at 6. The initial protest issue regarding
   top secret facility clearances is separate and distinct from the
   protester's subsequent allegation regarding personnel security clearances.
   Because the protester did not raise this distinct issue within 10 days of
   when it received the awardee's quotation as part of the agency's report,
   we dismiss this subsequent protest allegation as untimely raised. Bid
   Protest Regulations, 4 C.F.R. sect. 21.2(a)(2) (2006); Maden Techs., B-
   298543.2, Oct. 30, 2006, 2006 CPD para. 167, at 10-11.

   [8] The protester also contends that the agency's discussions regarding
   its ISMS personnel indicated that the agency had no concerns regarding the
   adequacy of its ISMS approach. See Protester's Comments on the Agency
   Report, at 15-16. The protester, however, incorrectly views the agency's
   discussions, regarding key personnel, AR, Exh. 3, ORC Final Quotation
   Revision, at 2, as the only area where the agency's ISMS concerns were
   mentioned. As discussed above, the agency addressed specific ISMS concerns
   regarding ORC's proposed technical approach during discussions.

   [9] In pursuing this protest, ORC has raised various collateral issues. We
   have reviewed all of the protester's arguments, and conclude that none
   provides a basis for sustaining the protest.