TITLE: B-310611, Merlin International, Inc., January 2, 2008
BNUMBER: B-310611
DATE: January 2, 2008

   DOCUMENT FOR PUBLIC RELEASE

   The decision issued on the date below was subject to a GAO Protective
   Order. This redacted version has been approved for public release.

   Decision

   Matter of: Merlin International, Inc.

   File: B-310611

   Date: January 2, 2008

   Richard B. Oliver, Esq., McKenna Long & Aldridge, for the protester.

   Allison V. Feierabend, Esq., and Joseph P. Hornyak, Esq., Holland & Knight,
   for MTM Technologies, Inc., an intervenor.

   Capt. Joshua Drewitz, Department of the Army, for the agency.

   Mary G. Curcio, Esq., and John M. Melody, Esq., Office of the General
   Counsel, GAO, participated in the preparation of the decision.

   DIGEST

   Protest that successful vendor's encryption software does not meet
   agency's requirement for compatibility with specified operating systems is
   denied where vendor's blanket purchase agreement included required vendor
   certification of compatibility, which satisfied requirement.

   DECISION

   Merlin International, Inc. protests the Department of the Army's issuance
   of a purchase order to MTM Technologies, Inc. under Federal Supply
   Schedule (FSS) blanket purchase agreement (BPA) No. FA8771-07-A-0301, for
   encryption software. Merlin alleges that MTM's software does not meet the
   agency's requirements, and that the agency improperly failed to permit
   Merlin to compete for the requirement, instead issuing the purchase order
   to MTM on a sole-source basis.

   We deny the protest.

   The Army reports that the Office of Management and the Budget has directed
   all federal agencies to encrypt personal identifiable information and
   agency sensitive but unclassified information on all mobile devices.
   Agency Report (AR) at 2. Here, pursuant to this directive, the Army sought
   to procure commercial-off-the-shelf data at rest encryption (DAR) software
   through the issuance of multiple purchase orders against the Department of
   Defense (DOD) Enterprise Software Initiative/General Services
   Administration (GSA) Smart Buy DAR FSS BPA. The Army determined that, in
   addition to being listed on the Smart Buy BPA, the software must meet six
   requirements. Justification and Approval, Sept. 28, 2007, at 4-5. As
   relevant here, the software was required to be listed on the Army's
   Information Assurance Approved Product List (IAAPL) and to have a Federal
   Information Processing Standards (FIPS) 140-2 validation certificate for
   the MAC OS X, WIN Mobile 5.0, and WIN Mobile 6.0 operating systems, or, if
   the certificate is not available, a vendor statement that its product will
   operate with these operating systems without modification. Id. at 4-5.

   From July through September 2007, the agency reviewed vendors' BPAs for
   encryption software products, and determined that MTM was the only current
   BPA holder with a product that met all of its requirements. Contracting
   Officer's Statement at 1. The Army issued the purchase order to MTM on
   September 30.

   Merlin asserts that the issuance of the purchase order was improper
   because MTM's encryption software does not meet several of the Army's
   requirements. This argument is without merit. The agency's requirement was
   for FIPS 140-2 certification for the operating system or, if the
   certification was unavailable, a vendor statement attesting that its
   product operates with the identified operating systems without
   modification. MTM's BPA includes this vendor statement: "Although not
   tested and validated within them, this product or module is also installed
   without any modifications in the following operating systems . . . and
   thus the cryptography will operate correctly with MAC OS X . . . ."
   (underline in original). Certification of FIPS Validation, MTM's BPA, at
   589. This vendor statement expressly satisfies the agency's requirement.

   Merlin asserts that MTM's software is not compatible with the MAC OS X
   operating system. In this regard, it cites a statement in MTM's BPA that
   "[MTM's software does not] currently provide support for the Mac OS X.
   Support can be easily added . . . ." The parties dispute the meaning of
   the reference in this statement to "support." Merlin asserts that the
   reference indicated that MTM's product does not operate with the MAC OS X
   system, contrary to the agency's requirement. The Army and MTM, on the
   other hand, state that the language referred only to help desk support,
   and had nothing to do with compatibility with MAC OS X. Agency Statement,
   Dec. 14, 2007; MTM Statement, Dec. 14, 2007. We find that the BPA language
   is not clear, but that the agency's and MTM's explanation of the language
   is the more plausible one. The BPA does not explicitly state that the
   software is not compatible with, does not operate with, or even does not
   support MAC OS X. Rather, it states that the software does not "currently
   provide support," and that "Support can be easily added," which language,
   we think, is more consistent with the agency's and MTM's explanation that
   the BPA was speaking to the possibility of adding functionality--such as
   help desk support, as the agency and MTM suggest--in the future. This
   interpretation is all the more plausible in light of MTM's vendor
   statement, discussed above, which unequivocally states that the quoted
   product will operate with MAC OS X. Since MTM supplied the required
   certification, and there was no clear indication that MTM intended to take
   exception to the requirement with regard to MAC OS X, the Army reasonably
   concluded that the MTM product met the requirement.

   Merlin also argues that the MTM software should not be considered
   compatible with the Windows Mobile versions 5.0 and 6.0 operating systems,
   because MTM's handheld product was successfully "hacked" during validation
   testing at Southern Methodist University (SMU).

   This argument is without merit. First, Merlin does not identify the
   handheld product to which it is referring, or explain how it relates to
   the validation testing of MTM's encryption software. Moreover, the Army
   reports that SMU is not an authorized federal laboratory for testing
   products for inclusion on the IAAPL, and that it did not request testing
   at SMU. In any case, the Army only required that the product be FIPS 140-2
   certified, or that the vendor statement be provided. As the agency points
   out, MTM's vendor certification letter expressly states that its products
   will operate correctly, without modification, in the Windows Mobile 5.0
   and 6.0 operating systems. Since MTM included the required vendor
   statement in its BPA, AR at 8, we think the agency reasonably determined
   that MTM met the requirement for compatibility with the Windows Mobile 5.0
   and 6.0 operating systems.

   Merlin maintains that the Army did not reasonably justify its decision to
   purchase the encryption software from MTM on a sole-source basis. Merlin
   is not an interested party to challenge this determination. Under the bid
   protest provisions of the Competition in Contracting Act of 1984, 31
   U.S.C. sections 3551-56 (2000 and Supp. IV 2004), only an interested party
   may protest a federal procurement. That is, a protester must be an actual
   or prospective supplier whose direct economic interest would be affected
   by the award of a contract or the failure to award a contract. Bid Protest
   Regulations, 4 C.F.R. sect. 21.0(a) (2007). Here, while Merlin states that
   it will have an acceptable product on the BPA in the future, it does not
   dispute that it did not have a product on the BPA that met all of the
   agency's requirements at the time of the sole-source determination. This
   being the case, Merlin would not have been eligible to receive the
   purchase order if the agency had not issued it to MTM on a sole-source
   basis. Thus, Merlin is not an interested party to challenge the Army's
   determination to proceed on a sole-source basis. Sales Resources
   Consultants, Inc., B-284943, B-284943.2, June 9, 2000, 2000 CPD para. 102
   at 5.[1]

   The protest is denied.

   Gary L. Kepplinger
   General Counsel

   ------------------------

   [1]On November 7, in response to a dismissal request from the Army, Merlin
   argued for the first time that the agency should have issued the purchase
   order for a limited amount of time so that Merlin would have an
   opportunity to become qualified to meet its needs. A protest based on
   other than a solicitation impropriety must be filed within 10 days after
   the protester knows or should know the basis of protest. 4 C.F.R. sect.
   21.2(a)(2). New, independent grounds of protest that supplement a timely
   protest must independently satisfy the timeliness requirements under our
   Regulations. Advanced Seal Tech., Inc., B-242362, Apr. 9, 1991, 91-1 CPD
   para. 363 at 3. Since Merlin should have been aware of this basis of
   protest when it filed its protest on October 10, but did not raise the
   issue until November 7, it is untimely.