Operational Research Consultants, Inc.

B-299131.1,B-299131.2: Feb 16, 2007

Additional Materials:

Contact:

Ralph O. White
(202) 512-8278
WhiteRO@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Operational Research Consultants, Inc. (ORC) protests the award of a task order to Enspier Technologies, Inc. under request for quotations (RFQ) No. TQ-PLB-06-0001, issued by the General Services Administration (GSA) for operations and maintenance services for the Federal Public Key Infrastructure Architecture (FPKIA). The protester argues that the award to Enspier was tainted by organizational conflicts of interest (OCIs), and challenges the agency's evaluation of vendors' price and technical quotations, the adequacy of discussions, and the reasonableness of the agency's source selection decision.

We deny the protest.

B-299131.1; B-299131.2, Operational Research Consultants, Inc., February 16, 2007

DOCUMENT FOR PUBLIC RELEASE
The decision issued on the date below was subject to a GAO Protective Order. This redacted version has been approved for public release.

Decision

Matter of: Operational Research Consultants, Inc.

File: B-299131.1; B-299131.2

Date: February 16, 2007

John S. Pachter, Esq., Jonathan D. Shaffer, Esq., Mary Pat Gregory, Esq., and Stephanie D. Capps, Esq., Smith Pachter McWhorter, PLC, for the protester.

Daniel S. Koch, Esq., and Hillary E. Clark, Esq., Paley Rothman Goldstein Rosenberg Eig & Cooper, for Enspier Technologies, Inc., an intervenor.

John E. Cornell, Esq., General Services Administration, for the agency.

Jonathan L. Kang, Esq., and Glenn G. Wolcott, Esq., Office of the General Counsel, GAO, participated in the preparation of the decision.

DIGEST

1. Protest that award was tainted by organizational conflicts of interest is denied where the record does not support allegations that the awardee participated in the drafting of the statement of work or had access to non-public information that would have provided a competitive advantage.

2. Protest challenging agency's evaluation of vendor's technical and price quotations is denied where the record supports the reasonableness of the agency's evaluations, and does not support the protester's allegations regarding inadequate discussions.

DECISION

Operational Research Consultants, Inc. (ORC) protests the award of a task order to Enspier Technologies, Inc. under request for quotations (RFQ) No. TQ-PLB-06-0001, issued by the General Services Administration (GSA) for operations and maintenance services for the Federal Public Key Infrastructure Architecture (FPKIA). The protester argues that the award to Enspier was tainted by organizational conflicts of interest (OCIs), and challenges the agency's evaluation of vendors' price and technical quotations, the adequacy of discussions, and the reasonableness of the agency's source selection decision.

We deny the protest.

BACKGROUND

Generally, a public key infrastructure (PKI) is a system that allows parties to exchange information electronically and verify the identity of the sender and recipient and determine whether the contents of the information have been altered. A PKI relies on cryptography methods to establish a framework whereby parties use codes called –keys—; each party keeps a secret –private key— and publishes a –public key— that any other party can access. A sender uses the intended recipient's public key to encrypt the message, and the sender's own private key to encrypt his signature. The recipient uses his private key to de-encrypt the message that was encrypted with his own public key and can verify that it was not altered; the recipient can also use the public key of the sender to verify the identity of that sender.

The E-Government Act of 2002 requires GSA to establish a –framework to allow efficient interoperability among Executive agencies when using electronic signatures, including processing digital signatures.— Pub. L. 107-347 sect. 203. Use of digital signatures authenticated through a PKI framework allows government agencies to have confidence in electronic messages by verifying the identity of the sender and the integrity of the message. GSA established the E-Authentication Initiative to implement the E-Government Act and provide a structure for differing levels of security for digital signatures. The E-Authentication Initiative contains four levels of –assurance— regarding the ability to validate the identity of the individual presenting a digital signature. The two lower levels of assurance allow individuals to validate their identity through –credentials— such as passwords or personal identification numbers, whereas the two higher levels of assurance require more sophisticated PKI-based credentials.

The FPKIA governs the requirements for the two higher-level PKI assurances, and administers the systems used to validate messages and digital signatures using PKI credentials. The Federal Public Key Infrastructure Policy Authority (FPKIPA) is responsible for oversight of the FPKIA and its constituent certification authorities (CAs), which are the entities responsible for establishing PKI rules for authentication and the authentication of messages and digital signatures.

Enspier currently holds a contract with GSA to support the E-Authentication Program Management Office (PMO) by providing secretarial support for the PMO, and design and operations services for the two lower, non-PKI-based levels of assurances.[1] Agency Report (AR) at 5. Enspier also holds a contract with the National Institutes of Health (NIH), to provide secretarial services for the FPKIAPA. Id.

The solicitation sought quotations for services required to relocate the government's prototype FPKIA from a government facility to a contractor location, redesign the FPKIA, and then provide maintenance and support for the redesigned system. The solicitation anticipated the award of a fixed-price task order with cost-reimbursement elements. The agency conducted the procurement under the streamlined acquisition procedures of Federal Acquisition Regulation (FAR) part 12.6 and relied upon the –GSA E-Buy— website to publicize the RFQ through a combined synopsis/solicitation.[2]

The solicitation advised prospective vendors that quotations would be evaluated on the basis of the following factors: key personnel, technical approach, organizational experience, and price. The three non-price evaluation factors were of equal weight and, when combined, were of equal weight to price for purposes of award. RFQ at 8. The statement of work (SOW) identified 11 subtasks required for performance of the task order: (1) relocate the prototype FPKIA to the contractor location; (2) support the FPKIA lab; (3) support the six FPKIA CAs; (4) re-design the FPKIA; (5) security management; (6) redesign the FPKIA lab; (7) directory support; (8) path discovery and validation support; (9) related assistance; (10) weekly status reports; (11) FPKIA monthly reports and FPKIA statistical reports.

After receiving initial quotations from vendors, the agency conducted discussions and received revised quotations. Following discussions, the agency concluded that ORC's revision had not adequately addressed all of the agency's concerns. AR, Exh. 14, Final Technical Evaluation, at 2. The agency identified three –significant weaknesses— in ORC's quotation under the key personnel evaluation factor:

[A]lthough [ORC] offers a [project manager] experienced in PKI system engineering . . . [i]t does not cite any information about the bid individual['s] abilities to organize and manage resources to perform the work required within defined scope, time, and cost constraints.
The bid auditors appear to have skill sets (i.e., SAS 70, Web Trust, and quality assessments) that are only tangential to the requirements. These skills are appropriate for third-party auditors, but not for daily operations. . . .
[T]he Officer and Administrator roles require a high percentage of dedicated time and the likelihood of [the proposed personnel] being able to carry out the responsibilities for their trusted roles effectively, in addition to the full-time Project Manager and Program Manager roles, is doubtful.

Id. at 2-3.

The agency identified five –significant weaknesses— in ORC's quotation under the technical approach factor:

[ORC] responses to subtasks 2 and 8 show they do not have a clear understanding of the requirement. This work is based on testing products against a particular test suite with the intent to qualify them. However, [ORC] bids to test hardware and software module updates rather than products.
Subtask 4 cites their capability, rather than ability, to create and maintain an ISMS [information security management system]. Additionally, they go to great lengths explaining the importance of having an ISMS instead of describing their technical approach.
The related assistance in Subtask 9 is considered a basic part of operations and management and shows no insight to the advancement of Federal PKI or its processes.
[S]ubtasks 10 and 11 offer web-based approaches for reports, but state that the web-based interfaces must be customized for this project. They do not state that this would be done at no cost to the government, and that is a concern.
In Subtask 3, ORC cites having a similar operating environment to the FPKIA. This assertion demonstrates a lack of understanding of how policies can be implemented in various ways. It is true that ORC has a policy that maps to one of the FPKIA policies, but this is not a direct correlation to how operations are set up.

Id. at 3.

The agency also identified a –significant weakness— regarding ORC's organizational experience, stating that –ORC does not have ISMS experience as an organization to meet the requirements in Subtask 5.— Id.

As relevant here, the agency's final evaluation of vendor's quotations was as follows:

ORC

Enspier

Key Personnel

50.7 / Marginal

78.1 / Satisfactory

Technical Approach

80.1 / Very Good

79.7 / Satisfactory

Organizational Experience

75.0 / Satisfactory

95.0 / Outstanding

Total Technical Score

68.6 / Marginal

84.3 / Very Good

Price

[deleted]

$5,993,639

AR, Exh. 6, Post-Negotiation Memorandum, at 5.[3]

In its source selection determination, the agency noted that ORC's proposed price of [deleted] was approximately [deleted] lower than Enspier's proposed price of $5,993,639. Id. at 8. However, the agency noted that –when ORC's price proposal is compared to the historical cost of running the PKI (the IGE [independent government estimate] is $6,110,472), it appears that ORC is seriously underbidding this job,— and concluded that Enspier's higher-rated technical quotation was worth the price premium. Id.In selecting Enspier's quotation for award, the agency noted that –[t]he Enspier team advisory council model is unique and brings to the Federal PKI Operational Authority a broad range of benefits including access to world-class expertise in PKI operational engineering,— and –[t]he expertise available in this council will minimize false starts for both operational and policy initiatives, which also lower overall operational and maintenance costs.— Id. at 9.

Following its debriefing by the agency, ORC filed this protest.

DISCUSSION

Organizational Conflicts of Interest

ORC first argues that the award to Enspier was tainted by OCIs arising from the awardee's performance of the GSA and NIH contracts, which involve authentication-related services. Specifically, the protester alleges that Enspier participated in the drafting of the SOW, and that Enspier had access to non-public information as the result of its performance of the GSA and NIH contracts.

The FAR generally requires contracting officers to avoid, neutralize or mitigate potential significant conflicts of interest so as to prevent unfair competitive advantage or the existence of conflicting roles that might impair a contractor's objectivity. FAR sections 9.504, 9.505; Snell Enters., Inc., B-290113, B-290113.2, June 10, 2002, 2002 CPD para. 115 at 3. The situations in which OCIs arise, as addressed in FAR subpart 9.5 and the decisions of our Office, can be broadly categorized into three groups: biased ground rules, unequal access to non-public information, and impaired objectivity. Contracting officers must exercise –common sense, good judgment, and sound discretion— in assessing whether a potential conflict exists and in developing appropriate ways to resolve it; the primary responsibility for determining whether a conflict is likely to arise, and the resulting appropriate action, rests with the contracting agency. FAR sect. 9.505; Science Applications Int'l Corp., B-293601.5, Sept. 21, 2004, 2004 CPD para. 201 at 4. Once an agency has given meaningful consideration to potential conflicts of interest, our Office will not sustain a protest challenging a determination in this area unless the determination is unreasonable or unsupported by the record. Science Applications Int'l Corp., supra.

As relevant to the protester's allegations, a biased ground rules OCI arises where a firm, as part of its performance of a government contract, has in some sense set the ground rules for the competition for another government contract by, for example, writing the SOW or the specifications. In these cases, the primary concern is that the firm could skew the competition, whether intentionally or not, in favor of itself. FAR sections 9.505-1, 9.505-2. An unequal access to nonpublic information OCI arises where, as part of its performance of a government contract, a firm has access to information that may provide the firm an unfair competitive advantage in a later competition for a government contract. FAR sect. 9.505-4.

With regard to the protester's claim of a biased ground rules OCI, the protester alleges that, as the contractor for the GSA and NIH contracts discussed above, Enspier may have had a role in drafting the SOW. The agency states that Mitretek Systems, the incumbent contractor for the FPKIA services that are the subject of this procurement, was the entity that assisted the government in developing the SOW, and that Enspier played no role in drafting or developing the SOW.[4] AR, at 6; Contracting Officer's Statement at 1. The protester fails to identify any information in the record that demonstrates that Enspier played a role in developing or drafting the SOW, and thus does not rebut the agency's specific statement that Enspier had no such involvement with the SOW. In this regard, substantial facts and hard evidence are necessary to establish a conflict; mere inference or suspicion of an actual or apparent conflict is not enough. Snell Enters., Inc., supra, at 4.

With regard to the protester's claim of an unequal access to information OCI, the protester alleges that Enspier may have had access to non-public information that provided the awardee an unfair competitive advantage in the competition. Specifically, the protester contends that the positions held by Enspier under the GSA and NIH contracts suggest that that firm may have had access to non-public information. Although the agency report contained the SOWs for Enspier's contracts, and the record further describes the activities of Enspier under those contracts, the protester is unable to identify any specific examples of non-public information that would have provided an unfair competitive advantage to the awardee in the competition. Furthermore, as discussed above, the activities performed by Enspier under the NIH contract in support of the FPKIA were generally secretarial in nature, and the work for GSA under the E-Authentication contract pertained to the performance of validation work that relied on publicly-available FPKIA documentation for the two lower-tier levels of authentication, not the two higher-level levels that are the subject of this RFQ.

The protester argues that certain publicly-available documents which were either prepared by Enspier or refer to Enspier suggest that that firm may have had access to non-public information. For example, the protester argues that a publicly-available document titled –Technical Approach for the Authentication Service Component,— AR, Exh. 32, supports ORC's protest to the extent that an Enspier employee is listed as the –author— of the electronic file. The agency explains, however, that this document is merely a recitation of public information regarding PMO polices. Further, even assuming that an Enspier employee was the drafter of this document, the protester does not identify any non-public information that might have been used in its creation, nor does the protester suggest how any such information could have given Enspier an unfair competitive advantage in the competition. In sum, the protester has not provided support for its assertion that the award to Enspier was tainted by an OCI.[5]

Key Personnel Evaluation

As discussed above, the agency identified three weaknesses in ORC's quotation under the key personnel evaluation factor, which the agency rated as –marginal.— The protester challenges the agency's evaluation of all three weaknesses.

The evaluation of technical proposals is a matter within the agency's discretion, since the agency is responsible for defining its needs and the best method for accommodating them. U.S. Textiles, Inc., B-289685.3, Dec. 19, 2002, 2002 CPD para. 218 at 2. In reviewing a protest against an agency's evaluation of proposals, our Office will examine the record to determine whether the agency's judgment was reasonable and consistent with the stated evaluation criteria and applicable procurement statutes and regulations. See Shumaker Trucking & Excavating Contractors, Inc., B'290732, Sept. 25, 2002, 2002 CPD para. 169 at 3. A protester's mere disagreement with the agency's judgment in its determination of the relative merit of competing proposals does not establish that the evaluation was unreasonable. C. Lawrence Constr. Co., Inc., B-287066, Mar. 30, 2001, 2001 CPD para. 70 at 4.

As an initial matter, the protester argues that the RFQ only identified two –key roles,— a systems administrator and a security officer, and therefore the agency was precluded from evaluating other proposed personnel. On this basis, the protester argues that the agency's criticism of the qualifications of ORC's proposed project and program managers and auditors was unreasonable. We disagree with the protester's interpretation of the RFQ. Although the RFQ did not explain to vendors how the –key personnel— evaluation would be conducted, we do not believe that the use of the term –key role— (a term which is not defined) with regard to two positions reasonably indicated that they would be the only positions that would be evaluated under the key personnel evaluation factor. In any event, the agency specifically requested that ORC clarify the identity and qualifications of its proposed project manager and auditors during discussions, which clearly placed ORC on notice that the agency considered those positions subject to evaluation. See AR, Exh. 3, at 2-3, 7.

As discussed above with regard to the evaluation of ORC's project manager, the agency concluded that although the proposed individual had PKI engineering expertise, the information provided did not demonstrate the ability –to organize and manage resources to perform the work required within defined scope, time and cost constraints.— AR, Exh. 14, at 2-3. The protester argues that the resume provided for its proposed project manager demonstrates such experience. The agency notes that although the ORC's project manager lists experience regarding leadership of various technical projects, including PKI projects, there is not a clear description of any management activities, that is, guidance of a team through a specific project with regard to –scope, time and cost constraints.— Id.Based on our review of the entire record, the agency's evaluation was reasonable with regard to the agency's understanding of the type of experience required for –project management,— and the agency reasonably concluded that ORC's proposed project manager did not demonstrate that experience.

Next, the protester challenges the agency's determination that ORC's proposed auditors did not provide skills that were relevant to the SOW. The RFQ stated that vendors must provide auditors who have experience with –[p]erforming or overseeing internal compliance audits to ensure that the FPKI architecture is operating in accordance with this [certification policy].— SOW at 15, sect. 7.2. In its evaluation, the agency noted that ORC's proposed auditors demonstrated skills that are –appropriate for third-party auditors, but not for daily operations.— AR, Exh. 14, at 2.

The parties disagree over the agency's use of the terms –internal— and –external— auditing skills; the protester contends that the distinction between the skill sets described by the agency are –arbitrary— and also that its proposed auditors demonstrated skills relevant to both. We believe, however, that the agency's terminology reasonably distinguishes between –internal— auditors who possess subject matter expertise relevant to the internal technical operations of a particular PKI system, such as the FPKIA, and –external— auditors who possess the more general knowledge and skills required to understand whether a PKI system meets another party's certification standards. See Decl. of Agency Program Manager, at 2. In this regard, the agency's evaluation of ORC's proposed auditors was reasonable, in that ORC's quotation did not describe the skills of its proposed auditors in a manner that was relevant to the SOW.

Next, the protester challenges the agency's criticism of ORC's proposed approach of using [deleted] individuals to perform more than one task under the SOW. Specifically, ORC proposed one individual for [deleted] positions: [deleted]; and another individual for [deleted] positions: [deleted]. ORC contends that this approach allowed for –streamlining roles and eliminating unnecessary personnel.— Protester's Comments on the Agency Report, Dec. 26, 2006, at 13.

As the agency notes, the RFQ identified the project manager, ISSO and ISMSA positions as –full-time roles,— and further stated that the –trusted roles,— which included the primary and backup security officer positions, are part-time positions that require 24-hour per day coverage and need to be staffed with –at least two (2) complete teams to maintain adequate coverage.— SOW at 13, para. 7.1. Because ORC proposed single individuals for positions that the RFQ clearly described as either full-time positions or part-time positions requiring multiple personnel to cover, we find no basis to question the agency's criticism of ORC's proposed approach of assigning one individual to perform [deleted] different positions. ORC's disagreement with the agency's assessments provides no basis to challenge the reasonableness of the agency's evaluation.

Finally, the protester alleges that Enspier's quotation was non-responsive, because the quotation did not discuss whether Enspier has a top secret facility clearance. In its report on the protest, the agency responded that a vendor's compliance with facility security clearance requirements was a matter of contract administration.[6] AR, at 7. ORC did not address this issue in its comments on the agency report or in its supplemental protest, and thus did not meaningfully address the agency's response to this matter; accordingly, we find no basis to question the agency's evaluation of Enspier's quotation with regard to a facility clearance.[7]

Technical approach

Next, as discussed above, the agency identified five significant weaknesses in ORC's quotation under the technical approach evaluation factor, which the agency evaluated as –very good.— The protester challenges the agency's evaluation of each weakness.

First, the agency determined that ORC's quotation did not address the requirement in SOW subtask 8 to assist the FPKIA in testing products against National Institute of Standards and Technology requirements for path discovery and validation support. The agency determined during the initial technical evaluation that ORC had not adequately described its technical approach, noting that the quotation merely –mimics the RFP and does not address this requirement.— AR, Exh. 12, Technical Evaluation, at 11. The agency asked the protester during discussions to further address ORC's approach to path discovery validation and support. AR, Exh. 3, ORC Discussions Reponses, at 14. ORC responded that its approach was to provide unit testing, integration testing, and O&M testing of –[hardware] and [software] module updates and changes.— Id.The agency concluded that ORC's quotation focused on updates to hardware and software modules, rather than the products themselves, and that this approach showed a lack of understanding of the requirement.

The protester argues that the agency unreasonably read its discussions response too narrowly, and that the references to –updates— should have been interpreted to apply to all potential hardware and software product requirements. However, the agency explains that it perceived a difference between validating upgrades to existing software and equipment, as proposed by ORC, and the more general SOW requirement for testing of products. AR, Exh. 14, Final Technical Evaluation, at 3. Although the protester argues that it did not intend to convey such a distinction in its post-discussions revision, we conclude that the agency reasonably identified this distinction based on the plain text of ORC's revision.

Next, the agency determined that ORC did not address the subtask 5 requirement to create and maintain an ISMS and provide training to FPKIA staff regarding ISMS requirements. The agency asked ORC during discussions to describe –What is the ISMS approach to advise and train FPKIA personnel?— and –What is the technical approach to construct and maintain the ISMS in accordance with ISO:270001.— AR, Exh. 3, ORC Discussions Responses, at 12. The agency concluded that ORC's responses to these questions was inadequate, because the response largely described ORC's understanding of the importance of an ISMS, rather than its approach to actually performing the requirements. The protester argues that its quotation fully addressed the ISMS requirements.[8] Here, the agency's evaluation was reasonable. In this regard, ORC's response to the agency's discussion question is devoted primarily to ORC's recognition of the reasons for implementing an ISMS. Although the protester argues that it did provide adequate detail regarding its approach, we have no basis to question the agency's assessment that ORC's discussion response only minimally described its approach to actually maintaining an ISMS or training FPKIA staff, and that the response addressed these requirements in only a very general manner.

Next, the agency determined that ORC's quotation did not meet the SOW requirements with regard to subtask 9, which required vendors to provide –related assistance to the government in support of the FPKIA.— The agency asked ORC during discussions to describe –some of the related assistance . . . that you believe will enhance the FPKIA or streamline its processes.— AR, Exh. 3, ORC Final Discussions Response, at 14. The agency concluded that ORC's response to this question did not discuss any features that were different from the baseline requirements, but rather merely referenced existing services needed for the operations. The protester contends that its response did address the related assistance requirement and the agency's discussion question. However, aside from repeating the text of its discussion response, the protester does not explain why it believes that its response addressed the agency's concern. See Protester's Comments on the Agency Report, Dec. 27, 2006, at 16-17. On this record, we believe the protester has failed to meaningfully challenge the agency's evaluation.

Next, the agency determined that ORC's approach to meeting the subtask 10 and 11 requirements for weekly and monthly reports was a concern because ORC offered web-based approaches for its reports, but did not state that this approach would be performed at no cost to the government. The protester notes that the agency's concern appears to be price-related, i.e. that the agency might incur additional costs because the reports were not included in ORC's fixed price. ORC thus argues that this concern was not reasonable because the task order would be fixed price, and its quotation did not indicate that the services would be provided on an other-than fixed price basis.

Without addressing this issue, the agency report argues that the protester's response to discussions, for the first time, identified its approach to providing information to the agency as relying on –email, phone and web tracking.— AR, Exh. 3, ORC Discussions Response at 15. The agency argues that this approach was non-responsive to the RFQ, which required deliverables, such as the reports, in the Microsoft Word format. SOW sect. 6. The protester argues that the agency cannot now argue that its approach is non-responsive, as the agency had a duty to raise such concerns during discussions. However, the non-responsive details, i.e. the web-based approach, were first introduced in response to discussions. Compare AR, Exh. 2, ORC Quotation, at 14-15 (quotation regarding subtasks 10 and 11 do not discuss web-based approach); with Exh. 3, ORC Discussions Responses, at 15 (describing web-based approach). Thus, the protester was not entitled to further discussions on this matter. Cube-All Star Servs. Joint Venture, B-291903, Apr. 30, 2003, 2003 CPD para. 145 at 10-11 (agencies have no duty to reopen discussions in response to new deficiencies first introduced in post-discussions proposal revision). Moreover, the protester does not dispute the agency's characterization of its approach as non-responsive. On this basis, we believe that the protester cannot demonstrate any prejudice with regard to the agency's evaluation of its quotation here. McDonald-Bradley, B-270126, Feb. 8, 1996, 96-1 CPD para. 54 at 3; see Statistica, Inc. v. Christopher, 102 F.3d 1577, 1681 (Fed. Cir. 1996).

Finally, the agency concluded that ORC's quotation did not demonstrate an adequate understanding of the SOW regarding subtask 3, which required support of the six CAs. During discussions, the agency asked ORC whether it intended to incorporate the FPKIA operations into its own operations, rather than following the prescribed assumption of responsibilities set forth in the SOW. In its response, ORC stated that it would follow the SOW requirements, and that –ORC's response illustrates that it is already intimately and extensively familiar and is currently operating a similar environment since ORC's CPS and Systems Security Plan have been audited and approved compliant with the same Federal Policies as required by this solicitation.— AR, Exh. 3, ORC Discussions Responses, at 11.

The agency was concerned that ORC's response indicated a lack of understanding of the SOW requirements because the agency disagreed with the ORC's claim that the firm was –currently operating in a similar environment— to the FPKIA. AR, Exh. 14, Final Technical Evaluation, at 3. The agency argues that the fact that a party's PKI polices are compatible with another party's PKI policies demonstrates that the two policies are compatible for purposes of authentication; it does not demonstrate that the one party is familiar with the underlying technical operating environment for the other party. AR at 11-12.

ORC argues that its quotation and discussion responses indicated that it was –intimately and extensively familiar— with the FPKIA polices and operating environment, and that this response was sufficient to address the agency's concern. The protester, however, does not meaningfully rebut the agency's analysis regarding the implications of its claim to be –currently operating in a similar environment.— In this regard, we believe that the agency's concern was reasonable, and that the protester provides no basis to challenge the reasonableness of the agency's evaluation.

Organizational Experience

The protester next argues that the agency unreasonably determined that ORC did not have sufficient ISMS experience to meet the requirements of subtask 5, which requires operation of the FPKIA in accordance with the Federal Information Security Management Act (FISMA), and advice and training for government personnel to maintain the ISMS in accordance with ISO:27001. During discussions, the agency requested that ORC address an apparent lack of relevant experience, asking: –What ISMS experience do you have using the ISO:27001 standards to train individuals and achieve authorization?— AR, Exh. 3, ORC Discussions Responses, at 17. ORC responded that –[t]o date, ORC has not directly applied ISO:27001 standards to train individuals and achieve authorization.— Id.ORC further explained, however, that it has experience regarding the FISMA, and that it has –adopted many of the ISO 27001 requirements— in support of certain sales contracts. Id.Although the protester argues that its description of its experience with FISMA should have given the agency confidence in ORC's ability to meet the solicitation requirements, we believe that, on this record, the agency's evaluation was reasonable based on ORC's lack of ISO:27001 training experience.

Price Evaluation and Discussions

The protester next challenges the agency's determination that ORC's proposed price was unrealistically low. The agency stated in the source selection determination that, –when ORC's price proposal is compared to the historical cost of running the PKI (the IGE estimate is $6,110,472), it appears that ORC is seriously underbidding this job.— AR, Exh. 6, Post-Negotiation Memorandum, at 8. The agency weighed this consideration in its tradeoff comparison between ORC's lower-priced, lower technically-rated quotation and Enspier's higher-priced, higher technically-rated quotation.

The protester contends that the agency's analysis regarding the IGE failed to consider ORC's unique approach to the SOW, which included a –streamlined and more cost-effective approach.— As discussed above, however, the agency clearly considered, for example, ORC's approach to dual-hatting various positions, and concluded that this approach was a flawed approach to staffing. We believe that the agency understood ORC's proposed approach, and reasonably determined that, to the extent that ORC's quotation achieved a lower price through proposing single individuals for more than one full-time position, such an approach represented a risk to performance.

The protester also argues that the agency did not conduct meaningful discussions regarding the agency's price concerns. The contracting officer states that, during discussions, he specifically advised ORC that its proposed price was too low. AR, Exh. 33, Contracting Officer's Statement, at 1. The protester contends that such a statement was not made or conveyed during discussions, and submitted declarations from two ORC personnel who attended discussions, both of which state that the agency did not inform ORC that its proposed price was too low. Protester's Comments on the Agency Report, Attachs. 4, 5.

The record here supports the contracting officer's version of events, in that the discussions summary notes among other price concerns: –There is a concern regarding the pricing of Security Management.— AR, Exh. 3, ORC Discussions Responses, at 20. Additionally, the agency's source selection decision specifically mentions details regarding discussions, wherein the agency advised ORC regarding price concerns:

The discussions included a concern that the offering might be too low to sustain the required effort necessary to maintain this contract. It was stipulated at the discussion table that the Government's concern in the pricing centered around the Security Management requirements and that ORC's price may not reflect a true understanding of the requirements. ORC significantly underbid this particular area.

AR, Exh. 6, Post-Negotiation Memorandum, at 7.

The agency also noted that –ORC was advised that their prices were too low in discussions, to which they replied by lowering their prices by another $100k.— Id. at 8.

Although the agency and protester have directly contradictory recollections of the substance of the discussions, we believe that the agency's account is reasonably supported by the record, and that the discussions with the protester were meaningful.

Source Selection Decision

Finally, ORC challenges the agency's determination to select Enspier for award, despite that vendor's higher proposed price. Where, as here, the solicitation allows for a price/technical tradeoff, the agency retains discretion to select a higher-priced, higher technically rated proposal if doing so is reasonably found to be in the government's best interest and is consistent with the solicitation's stated evaluation scheme. 4-D Neuroimaging, B-286155.2, B-286155.3, Oct. 10, 2001, 2001 CPD para. 183 at 10.

As discussed above, the agency concluded that Enspier's higher-technically rated quotation was worth the approximately [deleted] price premium as compared to ORC's lower-technically rated quotation. We believe that the agency's source selection decision reasonably identified strengths that justified Enspier's technical ratings and the price premium. Based on the record, the agency's selection of Enspier's quotation for award was reasonable.

The protest is denied.[9]

Gary L. Kepplinger
General Counsel



[1] ORC also has a contract to provide credential certificates services to the E-Authentication Program Management Office. AR, at 5.

[2] The solicitation is referenced in the record alternatively as an RFQ and a request for proposals (RFP). Because the solicitation required prospective contractors to identify the Federal Supply Schedule contract under which the agency could place orders for the services required under the solicitation, we refer to the solicitation as an RFQ and use terminology appropriate to that type of solicitation.

[3] Vendors' quotations were assigned a numerical score for each evaluation factor. A score of 90-100 was considered –outstanding,— 80-89 –very good,— 70-79 –satisfactory,— 50-69 –marginal,— and 0-49 –unsatisfactory.—

[4] Mitretek did not submit a quotation for this competition.

[5] The contracting officer explains that he considered Enspier's contracts and its duties under those contracts vis- -vis the drafting of the SOW, and concluded that there were no OCI concerns raised. Contracting Officer's Statement at 1. Although the contracting officer's statement did not specifically address a similar analysis regarding the protester's allegations of an unequal access to information OCI, as discussed above, the protester was unable to identify any information that would give rise to an OCI under either of the theories identified in the protest.

[6] As the intervenor notes, the solicitation did not require vendors to address whether they have a top secret facility clearance at the time quotations were submitted; rather security clearance requirements are identified only with regard to individual personnel clearances. See SOW, at 13, 15. The protester does not identify any solicitation provision regarding facility clearances and, as discussed below, did not address any such requirements in its comments on the agency report.

[7] Subsequently, the protester alleged for the first time in its comments on the agency's report responding to its supplemental protest that Enspier's quotation failed to meet the solicitation's requirements for personnel security clearances. Protester's Supplemental Comments on the Agency Report, Jan. 16, 2007, at 6. The initial protest issue regarding top secret facility clearances is separate and distinct from the protester's subsequent allegation regarding personnel security clearances. Because the protester did not raise this distinct issue within 10 days of when it received the awardee's quotation as part of the agency's report, we dismiss this subsequent protest allegation as untimely raised. Bid Protest Regulations, 4 C.F.R. sect. 21.2(a)(2) (2006); Maden Techs., B- 298543.2, Oct. 30, 2006, 2006 CPD para. 167, at 10-11.

[8] The protester also contends that the agency's discussions regarding its ISMS personnel indicated that the agency had no concerns regarding the adequacy of its ISMS approach. See Protester's Comments on the Agency Report, at 15-16. The protester, however, incorrectly views the agency's discussions, regarding key personnel, AR, Exh. 3, ORC Final Quotation Revision, at 2, as the only area where the agency's ISMS concerns were mentioned. As discussed above, the agency addressed specific ISMS concerns regarding ORC's proposed technical approach during discussions.

[9] In pursuing this protest, ORC has raised various collateral issues. We have reviewed all of the protester's arguments, and conclude that none provides a basis for sustaining the protest.