SRA International, Inc.
B-409939: Sep 2, 2014
- Full Report:
SRA International, Inc., of Fairfax, Virginia, protests the establishment of a blanket purchase agreement (BPA) with InfoReliance Corporation, also of Fairfax, Virginia, under request for quotations (RFQ) No. 14-233-SOL-00020, issued by the Department of Health and Human Services (HHS) for services to support the agency's transition to a cloud-based email solution. The protester argues that the agency unreasonably concluded that its quotation failed to demonstrate compliance with two of the solicitation's qualification criteria.
We deny the protest.
DOCUMENT FOR PUBLIC RELEASE
The decision issued on the date below was subject to a GAO Protective Order. This redacted version has been approved for public release.
Matter of: SRA International, Inc.
Date: September 2, 2014
Agency reasonably excluded protester’s quotation from consideration for establishment of a blanket purchase agreement where protester failed to furnish documentation establishing compliance with phase I qualifying criterion pertaining to Federal Risk and Authorization Management Program (FedRAMP) authorization to operate.
SRA International, Inc., of Fairfax, Virginia, protests the establishment of a blanket purchase agreement (BPA) with InfoReliance Corporation, also of Fairfax, Virginia, under request for quotations (RFQ) No. 14-233-SOL-00020, issued by the Department of Health and Human Services (HHS) for services to support the agency’s transition to a cloud-based email solution. The protester argues that the agency unreasonably concluded that its quotation failed to demonstrate compliance with two of the solicitation’s qualification criteria.
We deny the protest.
The RFQ, which was issued pursuant to the procedures of Federal Acquisition Regulation (FAR) Part 8.4, contemplated the establishment of a single BPA against the successful vendor’s Federal Supply Schedule 70 contract. The anticipated period of performance is five years (a 1-year base period, plus four 1-year options).
The solicitation provided for a 2-phase evaluation process. Under phase I, vendors’ compliance with each of six qualifying criteria was to be evaluated, with a failure to meet any of the six resulting in exclusion of the quotation from further consideration. Under phase II, the agency was to select the quotation that represented the best value to the government. Of relevance to this protest, two of the phase I criteria were (1) compliance with Federal Risk and Authorization Management Program (FedRAMP) requirements, and (2) compliance with the requirements of section 508 of the Rehabilitation Act of 1973.
With regard to the requirement for FedRAMP compliance, the solicitation provided as follows under section 188.8.131.52, Security Requirements:
The Quoter shall achieve Authority to Operate (ATO) in meeting FedRAMP requirements through the FedRAMP Joint Authorization Board (JAB) or through an agency authorization official. If this ATO has not been achieved and/or does not meet FedRAMP compliance by the time of quote submitted, the following shall be provided:
a. Official documentation that confirms FedRAMP initiation has taken place through the FedRAMP Program Management Office or an authorizing Agency.
b. A current [ATO] issued from another federal agency that supports a Federal Information Processing Standard (FIPS) 199 security categorization of MODERATE.
RFQ at 102.
The RFQ’s submission instructions under section 10.3.3 Criteria 3: FedRAMP reiterated the above FedRAMP compliance requirements. Section 10.3.3 instructed vendors to “provide documentation confirming” that they had achieved ATO through the JAB or an agency authorization official, or, if a compliant ATO had not been achieved by the time quotes were submitted, to provide the evidence identified above with their quotes. RFQ at 151-152.
Under the RFQ section detailing the evaluation factors for award--specifically the phase I, qualifying criteria--the solicitation advised that the agency would evaluate compliance with the above stated ATO requirement. Section 184.108.40.206, entitled “Criteria 3: FedRAMP” included a restatement of the ATO requirement previously identified under sections 220.127.116.11 and 10.3.3, and warned that a vendor would “be given a ‘fail’ for failing to demonstrate it has achieved ATO or if the ATO has not been achieved and insufficient documentation is provided to demonstrate either (a) or (b) above.” Id. at 169.
With regard to the requirement for compliance with section 508, which pertains to electronic and information technology (EIT) accessibility, the solicitation instructed vendors that their quotations must demonstrate compliance with the established EIT standards. The RFQ further advised that to facilitate the government’s evaluation of whether offered EIT services and products met the applicable standards, vendors were required to prepare an HHS Section 508 Product Assessment Template and provide a binding statement of conformance. In connection with the latter, the solicitation provided that if a vendor claimed on its template that its products or services met section 508 accessibility standards and it was later determined by the government that they did not, “remediation of the products and services to the level of conformance specified in the vendor’s Product Assessment Template will be the responsibility of the Contractor and at its expense.” Id. at 161. The solicitation provided that to be evaluated as acceptable under the section 508 compliance criterion, vendors had to “complete the HHS 508 Evaluation Template, demonstrate compliance with the established EIT accessibility standards, and must include a binding statement of conformance to the established EIT accessibility standards.” Id. at 169-170.
Several vendors, including the protester, submitted quotations prior to the April 10, 2014 due date. A technical evaluation panel (TEP) evaluated the quotations against the six qualifying criteria. The TEP found that SRA failed to meet the RFQ’s FedRAMP requirements in that the protester “did not provide evidence of an ATO by way of the JAB or another agency authorizing official as required.” Phase I Evaluation Results, Apr. 21, 2014, at 5. The TEP also found that the protester had failed to provide the required section 508 binding statement of conformance. Id. at 9.
After completing its phase I evaluation, the agency conducted the phase II evaluation. On May 27, the agency established a BPA with InfoReliance and notified the other vendors of their non-selection. On June 6, HHS furnished the protester with a brief explanation of the basis for the award decision, as required by FAR § 8.405-3(b). SRA protested to our Office on June 13.
The protester argues the agency’s evaluation of its quotation was unreasonable. SRA contends in this connection that its quotation demonstrated compliance with both the FedRAMP and section 508 requirements.
Where an agency conducts a formal competition under the FSS program for the establishment of a BPA, we will review the agency’s actions to ensure that the evaluation was reasonable and consistent with the solicitation and applicable procurement statutes and regulations. OfficeMax, Inc., B-299340.2, July 19, 2007, 2007 CPD ¶ 158 at 5.
With regard to the FedRAMP requirement, SRA maintains that it reasonably understood the solicitation to provide for a rating of “pass” if a vendor that had not achieved ATO in meeting FedRAMP requirements through the FedRAMP JAB or through an agency authorization official provided either (a) official documentation confirming that FedRAMP initiation had taken place through the FedRAMP Program Management Office, or (b) a current ATO issued from another federal agency supporting a FIPS 199 security categorization of moderate. In this regard, SRA maintains that the listing of the two elements, with neither the word “and” nor the word “or” between them, made it unclear whether the agency intended for vendors to comply with both elements. However, according to SRA, the use of “or” in the subsequent provision warning that a vendor would receive a fail rating if “insufficient documentation is provided to demonstrate either (a) or (b) above” clarified that the provisions were to be read in the disjunctive.
SRA contends that it satisfied the former of the two elements by submitting a statement [deleted]. SRA Quotation, Vol I, App. C. In the alternative, the protester contends that even to the extent compliance with both requirements was required, it met the second by stating in its quotation that [deleted]. Id.
In response, the agency argues that the RFQ clearly required that if a vendor had not already achieved ATO in meeting FedRAMP requirements, it had to provide information demonstrating that it met both prongs (a) and (b). That is, according to the agency, “the plain language of the solicitation clearly indicates that insufficient documentation of ‘either’ element (a) or (b) results in a ‘fail’ rating.” Agency Memorandum of Law at 3. HHS also disagrees with the protester’s alternative argument that, in any event, it satisfied element (b) by stating in its quotation that [deleted]. The agency contends that the solicitation clearly required a copy of the ATO itself to satisfy element (b).
Where a dispute exists as to the meaning of a particular solicitation provision, our Office will resolve the matter by reading the solicitation as a whole and in a manner that gives effect to all its provisions; to be reasonable, an interpretation of a solicitation must be consistent with such a reading. ArmorWorks Enter. LLC, B‑405450, Oct. 28, 2011, 2011 CPD ¶ 242 at 3.
Here, the only reasonable interpretation of the solicitation language pertaining to the FedRAMP evaluation criteria set forth in section 18.104.22.168 is that if a vendor had not achieved an ATO meeting FedRAMP requirements by the time of quotation submission, it was required to provide both (a) documentation confirming FedRAMP initiation, and (b) a current ATO issued by another federal agency supporting a FIPS 199 security categorization of moderate. In this regard, sections 22.214.171.124 and 10.3.3 both separately identified the ATO requirements, and listed elements (a) and (b) without any indication that they could be provided in the alternative. Such a listing was not ambiguous, as the protester maintains, and could only be reasonably understood as a requirement for both items. Reading these two sections in conjunction with section 126.96.36.199, which set forth the ATO requirements in an identical manner, the instruction to provide “the following” items could only have meant that both items (a) and (b) were to be provided. Furthermore, the logical corollary of the statement advising that a vendor would receive a rating of fail for failing to demonstrate either (a) or (b) is that the vendor must demonstrate both (a) and (b) to receive a rating of pass.
We also agree with the agency that the only reasonable interpretation of the solicitation language requiring the submission of a current ATO from another agency supporting a FIPS 199 security categorization of moderate is that a copy of the ATO itself needed to be provided. In this connection, where an RFQ requires the submission of particular documentation to achieve an acceptable rating under a particular evaluation factor, and the vendor fails to furnish the required documentation, it runs the risk that its quotation will be rejected as unacceptable. See JRS Management, B-405361 et al., Oct. 3, 2011, 2011 CPD ¶ 201 at 3. Accordingly, the agency reasonably rejected the protester’s general statement [deleted], which was unsupported by any documentation.
Because we find that the agency properly rejected the protester’s quotation as unacceptable for failing to demonstrate compliance with the RFQ’s FedRAMP requirements, we need not address the issue of its compliance with the requirements of section 508.
The protest is denied.
Susan A. Poling
 FedRAMP is a government-wide program providing a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. See http://cloud.cio.gov/fedramp.
 The other four phase I criteria (which are not at issue in this protest) were compliance with mandatory Email as a Service (EaaS) features and functions, EaaS in-use service confirmation, data center location, and team commitment. RFQ at 168-169.