Network Security Technologies, Inc.

B-290741.2: Nov 13, 2002

Additional Materials:


Ralph O. White
(202) 512-8278

Kenneth E. Patton
(202) 512-8205


Office of Public Affairs
(202) 512-4800

Network Security Technologies, Inc. (NETSEC) protests the award of a contract to VA Security Team, LLC (VAST) under request for proposals (RFP) No. 101-21-02, issued by the Department of Veterans Affairs (VA) as a 100-percent small business set-aside for a central incident response capability (CIRC) for computer security. NETSEC principally challenges the evaluation of VAST's past performance.

We deny the protest.

B-290741.2, Network Security Technologies, Inc., November 13, 2002


Matter of: Network Security Technologies, Inc.

File: B-290741.2

Date: November 13, 2002

Robert Kalchthaler and John H. Kitchings, Jr., Esq., for the protester.
John M. Linton, VA Security Team, LLC, an intervenor.
Phillipa L. Anderson, Esq., and Dennis Foley, Esq., Department of Veterans Affairs, for the agency.
Paul E. Jordan, Esq., and John M. Melody, Esq., Office of the General Counsel, GAO, participated in the preparation of the decision.


1. GAO finds convincing evidence that protester sought to obtain for purposes of drafting its comments on the agency's report--and did obtain from its attorney, who was admitted to GAO protective order--information to which it was fully aware it was not entitled because the information was covered by protective order; while deciding this case on the merits, GAO provides notice that, in a future case, it may impose the sanction of dismissal to protect the integrity of GAO's bid protest process, where, as here, protester has abused that process.

2. Protest challenging awardee's past performance evaluation is denied where agency properly considered the past performance record of the various member firms of the joint venture proposed to perform the contract.


Network Security Technologies, Inc. (NETSEC) protests the award of a contract to VA Security Team, LLC (VAST) under request for proposals (RFP) No. 101-21-02, issued by the Department of Veterans Affairs (VA) as a 100-percent small business set-aside for a central incident response capability (CIRC) for computer security. NETSEC principally challenges the evaluation of VAST's past performance.

We deny the protest.


There are two aspects to the background of this procurement that are relevant to our decision--information regarding the solicitation and award process, which goes to the merits of NETSEC's arguments, and facts regarding NETSEC's and its counsel's actions in pursuing the protest.

The Procurement

The RFP sought proposals to create and operate a CIRC for the VA to ensure that computer security incidents are detected, reported, and corrected as quickly as possible, and with minimal impact on the availability and integrity of veterans services. In addition, the CIRC is to provide assurance that cyber security controls are in place to protect automated information systems from financial fraud, waste, and abuse. The RFP contemplated the award of a fixed-price, performance-based contract for a base year, with up to 9 option years.

The evaluation factors, in descending order of importance, were: management plan, past performance, and cost/price. Overall, technical factors were more important than price. Proposals were to be evaluated using a color code system including blue (exceptional), green (acceptable), yellow (marginal), white (neutral), and red (unacceptable). Award was to be made on a best value basis. The RFP provided that small businesses could form joint ventures, so long as at least 51 percent of the work was performed by the small businesses.

Sixteen offerors submitted proposals, five of which, including NETSEC's and VAST's, were included in the competitive range. The offerors made oral presentations and engaged in discussions with the agency before submitting final proposal revisions. The final evaluations for VAST and NETSEC (the only proposals relevant here) were as follows:


Past Performance





Light Blue

Yellow ($9.2 million)




Dark Blue

Blue ($6.5 million)


In reaching its evaluation conclusions, the agency noted that NETSEC's proposal contained more weaknesses than strengths. For example, in the area of proposed proprietary tools, the agency found that the proposal lacked information on necessary customization, and provided a limited commitment of NETSEC's key personnel (90 days). Agency Report (AR), exh. 8, at 14. In contrast, the agency found that the VAST team had extensive experience in computer security; that its key personnel were likewise well'experienced and fully committed to perform for the base year; and that it had demonstrated the use of various tools. Id. at 15-16. With regard to price, NETSEC proposed the highest cost per hour of any of the vendors in the competitive range, and VAST proposed the lowest cost per hour. Because VAST's proposal had the highest technical rating and the lowest proposed price of all offerors, the agency determined that it represented the best value and awarded it the contract. After receiving notice of the award and a debriefing, NETSEC filed this protest challenging the evaluation and award decision.

NETSEC's Actions

The protest was originally filed on behalf of NETSEC in the name of Mr. Robert Kalchthaler, NETSEC's senior vice president. During the course of the development of the protest record, Mr. John Kitchings, NETSEC's contract administrator, acted as the protester's representative. Because NETSEC had filed its protest pro se, our Office did not issue a protective order in the matter, and NETSEC's copy of the agency report therefore did not include various source selection documents or VAST's proposal. See Bid Protest Regulations, 4 C.F.R. 21.4(a) and (b) (2002). Instead, the agency submitted these source selection sensitive and proprietary documents to our Office for in camera review. 4 C.F.R. 21.4(b). In the midst of the 10-day comment period following receipt of the agency report, NETSEC objected to this procedure and requested that we issue a protective order so that an attorney for NETSEC could review the withheld documents; we promptly did as NETSEC requested. While Mr. Kitchings is an attorney, he did not submit an application for admission to the protective order. NETSEC also elected not to have an attorney from the firm that usually represents the company submit an application for admission to the protective order. Instead, Mr. Kitchings retained an attorney who (according to Mr. Kitchings) was a recent graduate of law school and had been a member of the bar for about 45 days. Video Transcript (VT) at 11:44.[1] After submitting an application, NETSEC's retained counsel was admitted to the protective order 3 days before the comments were due. [2] He subsequently received, among other documents, a copy of VAST's past performance proposal. On the day comments were due, our Office received comments not from retained counsel, but instead comments prepared by Mr. Kitchings and signed by Mr. Kalchthaler. The comments were not marked as protected.

While NETSEC's protest had made no references to the contents of VAST's proposal, NETSEC's comments included what appeared to be several direct references to the content of VAST's protected proposal as support for the firm's protest arguments. For example, it stated how the proposals are titled on the cover page. The comments then stated that [t]hroughout the VAST, LLC. proposal, a particular name for the awardee is used quite frequently as being analogous to VAST, LLC. (NETSEC Comments at 2); and that [a] close examination of the VAST, LLC. proposal, under the caption of past performance, will show a very polished evasion tactic on the issue of VAST, LLC's past performance. . . . For example, after naming the sham transaction d/b/a as VAST, LLC., the proposal smoothly reverted to the performance evaluations of the alleged limited liability company entities . . . . NETSEC Comments at 7.

On September 17, within 24 hours of receipt of the comments, Mr. John Linton, VAST's representative, advised our Office by telephone that he believed there had been a violation of the protective order, as evidenced by the fact that NETSEC's comments appeared to include several references to VAST's proprietary proposal.[3] On that same date, 4 days after he had been admitted to the protective order, the retained counsel submitted a Notice of Withdrawal as NETSEC's counsel. Thereafter, we requested that VAST put its allegations in writing, and that NETSEC's (former) counsel and the firm's representatives (Messrs. Kitchings and Kalchthaler) submit statements in sworn, notarized form at a minimum, covering the basis/origin of information for each reference in NETSEC's comments to VAST's proposal and the agency's evaluation of that proposal (e.g., pp. 2, 4, 5, 7-9, and 12). Fax from GAO, Sept. 19, 2002. Subsequently, we requested that VAST respond to NETSEC's statements.

In response to our request, Mr. Kitchings initially declined to provide any explanation, invoking his privileged rights not to divulge any information, discussions, and/or relationships concerning [retained counsel]. NETSEC Letter, Sept. 23, 2002. After our Office notified the parties that the protest was subject to dismissal due to the alleged violation, Mr. Kitchings submitted a statement. In this statement, Mr. Kitchings denies knowledge of any alleged violations of the GAO Protective Order or any allegations of divulging any proposal information to anyone at NETSEC. Affidavit of Mr. John Kitchings, Sept. 24, 2002, 6. However, other than stating generally that the references to VAST's proposal were based on publicly available information obtained during his own investigation of several named trade journals, Mr. Kitchings' statement did not explain the origin of NETSEC's comments' specific references to the content of VAST's protected proposal.[4]

In response to our request, NETSEC's former counsel provided a statement denying that he revealed any of [the] information protected within the order. Affidavit of NETSEC's Former Counsel, Sept. 25, 2002, 12.

On November 7, 2002, at 10:00 a.m., our Office convened a hearing regarding the apparent inclusion of protected information in NETSEC's comments. Messrs. Kitchings and Kalchthaler attended, as did Mr. Linton and representatives from the VA. Although NETSEC's former counsel was invited to participate and had agreed to attend at a time that he specified, Mr. Kitchings informed our Office at the beginning of the hearing that the company's former counsel could not attend due to a previously scheduled deposition and the short notice of the hearing (the notice was faxed to the parties on November 1). In a letter received in our Office by fax at 11:54 a.m., nearly 2 hours after the hearing convened, the company's former counsel confirmed this explanation and advised us that, because he no longer represented NETSEC, he could not attend the hearing gratis.


Protective Order Violation

The terms of our protective order limit disclosure of certain material and information submitted in the . . . protest, so that no party obtaining access to protected material under this order will gain a competitive advantage as a result of the disclosure. Protective Order, Sept. 9, 2002. The order applies to all material that is identified by any party as protected, unless [our Office] specifically provides otherwise, and strictly limits access to protected material only to those persons authorized under the order. Id. 1-3. The protective order also provides that [e]ach individual covered under [the order] shall take all precautions necessary to prevent disclosure of protected material[; including but not limited] . . . to physically and electronically securing, safeguarding, and restricting access to the protected material in one's possession and [t]he confidentiality of protected material shall be maintained in perpetuity. Id. 6. Any violation of the terms of a protective order may result in the imposition of such sanctions as GAO deems appropriate. Id. 8; 4 C.F.R. 21.4(d).

We find that the record establishes a violation of the protective order here. We note that, while the evidence in the record is to a large extent circumstantial in nature, it strongly supports our finding of a violation. The starting point in our analysis is the several references in NETSEC's comments to the particular wording used in VAST's protected proposal. In this regard, we reject as not credible Mr. Kitchings' assertion in his written statement that publicly available information was the origin of the references, and his hearing testimony, in response to our specific questions regarding the origin of the references, that he merely speculated and concluded that the VAST proposal contained this information based on the knowledge he gained from his investigation into VAST. VT at 11:47, 49, 51, 54-56, 58, 12:01, 03, 07. As indicated above, the references to VAST's proposal were pointed and unqualified, containing no speculative language whatsoever.[5] In particular, we find it implausible that the final reference quoted above was the result of speculation ([a] close examination of the VAST, LLC. proposal, under the caption of past performance, will show a very polished evasion tactic on the issue of VAST, LLC's past performance. . . . For example, after naming the sham transaction d/b/a as VAST, LLC., the proposal smoothly reverted to the performance evaluations of the alleged limited liability company entities . . . .). This language does not merely refer to information as being in the proposal; it essentially walks the reader through the referenced portion of the proposal, identifying the caption under which the information appears, the substantive content of that portion of the proposal, and even the order in which information is presented. The other references--to the cover page of the proposal and to the use of a certain name for the awardee throughout the proposal--while less detailed, are no less pointed and specific; they purport to speak directly to the appearance of the proposal. While Mr. Kitchings' investigation may have revealed information about VAST and how it does business, the protester has pointed to no evidence that the manner in which VAST identified itself in its proposal was publicly available.[6] We conclude that Mr. Kitchings' explanation is implausible, and that the referenced information therefore came from review of VAST's proposal.[7]

Given this conclusion, it of course follows that NETSEC necessarily obtained the information from some source. There is no evidence in the record that VAST's proposal information was made available to NETSEC through the VA or VAST itself, and there is no reason to believe that this is the case. Neither Mr. Kitchings nor Mr. Kalchthaler has suggested that anyone at NETSEC obtained the VAST proposal information from VA or VAST employees, and neither testified that NETSEC obtained the information from any other source. VT at 11:47-48, 51, 12:50. Thus, while there is no direct evidence that retained counsel disclosed or failed to adequately safeguard the contents of VAST's past performance proposal, he remains as the only logical source of the information. The actions of Mr. Kitchings and the company's former counsel discussed above fully support this logical conclusion. To briefly recap, NETSEC's protest filing did not make any reference to information in VAST's proposal. NETSEC retained its counsel (after initially seeking protective order admission for Mr. Kitchings' spouse) only after learning that NETSEC's copy of the agency report did not include proprietary and source selection sensitive information concerning the VAST proposal. On September 16, NETSEC filed its comments containing the specific VAST proposal references. The next day, September 17, the same day that Mr. Linton advised our Office that NETSEC's comments appeared to evidence a violation of the protective order, the retained counsel advised us that he was withdrawing as NETSEC's counsel. In response to our initial request, Messrs. Kitchings and Kalchthaler declined to provide an explanation of the VAST proposal references, citing attorney-client privilege.[8]

We are compelled by the facts to conclude that NETSEC's former counsel either disclosed protected information or did not adequately safeguard it from disclosure, in violation of our protective order. We would have preferred to hear that individual's testimony in response to our direct questioning before reaching our conclusion here; as noted above, however, he declined to appear at the hearing after initially indicating that he would attend. Based on his failure to appear, we draw an unfavorable inference against his position. 4 C.F.R. 21.7(f).

NETSEC seems to believe that there could be no protective order violation because NETSEC does not consider VAST's different name designations to be proprietary, confidential, source-selection, or other information the release of which could result in a competitive advantage to one or more firms. Testimony of Mr. Kalchthaler, VT at 13:00-01; see 4 C.F.R. 21.4(a). This argument reflects a misunderstanding of the provisions of protective orders issued by our Office. Although an individual admitted to a protective order may believe that certain information marked as protected cannot properly be protected because it is publicly available through other sources, that individual may not unilaterally disclose the information to individuals not admitted under the protective order. As clearly stated in the protective order, it applies to all material that is identified by any party as protected, unless GAO specifically provides otherwise. Protective Order, 1. If a party were permitted to determine on its own that information marked as protected can nevertheless be released to persons not admitted to the protective order, the protections afforded by the protective order would become meaningless.

Abuse of Process

This case involves more than a protective order violation; our Regulations provide for the imposition of sanctions in the case of a violation, and we will consider appropriate sanctions against NETSEC's former counsel as a separate matter. Beyond the violation, we find that the record shows Mr. Kitchings actively sought, and obtained from the company's retained counsel, protected information, which he then used in pursuing NETSEC's protest. Again, the evidence in this regard is largely circumstantial. However, as discussed above, the circumstances strongly support our conclusion. Mr. Kitchings, who is himself an attorney, was aware that he was not permitted to view or possess the VAST proposal information released to retained counsel under the terms of our protective order. Mr. Kitchings nevertheless was able to obtain the VAST proposal information through retained counsel, as a result of either retained counsel's disclosure of the information, or his failure adequately to safeguard it.

The protective order process is essential to the proper functioning of the bid protest process as a whole. While the protective order applies primarily to those admitted under it (usually counsel to the private parties), where, as here, a protester's purposeful actions subvert that process, we believe it is appropriate to consider dismissing the protest to protect the integrity of our bid protest process. Fortunately, our experience is that the individuals concerned, both attorneys and non-attorneys, respect the process, and that we believe that the abuse apparent in this case is unprecedented. Nonetheless, we view our authority to impose dismissal or other sanctions as inherent, as do other fora. See Roadway Express Inc. v. Piper, 447 U.S. 752, 764 (1980); Reid v. Prentice-Hall, 261 F.2d 700, 701 (6th Cir.1958) ([e]very litigant has the duty to comply with reasonable orders of the court, and if such compliance is not forthcoming, the court has the power to apply the penalty of dismissal); see also General Services Administration Board of Contract Appeals Rules of Procedure, Rule 1.18(b)(6) (48 C.F.R. 6101.18(b)(6) (2002)) (When a party or its representative or attorney . . . engages in misconduct affecting the Board, its process, or its proceedings, the Board may . . . impos[e] . . . appropriate sanctions . . . includ [ing] . . . [d]ismissing the case or any part thereof). Notwithstanding the seriousness of this matter, however, we are refraining from dismissing the protest, and instead hereby provide notice that we may avail ourselves of this sanction in a future case where a protester abuses our process. We thus proceed to the merits of NETSEC's protest.


NETSEC challenges the agency's evaluation and award decision on numerous grounds. In reviewing a protest against a procuring agency's proposal evaluation, our role is limited to ensuring that the evaluation was reasonable and consistent with the terms of the solicitation and applicable statutes and regulations. National Toxicology Labs., Inc., B'281074.2, Jan. 11, 1999, 99-1 CPD 5 at 3. We have reviewed all of NETSEC's arguments and find that none has merit. We discuss its central arguments below.

Past Performance

NETSEC primarily challenges VAST's superior rating under the past performance factor. The protester asserts that, because VAST is a newly formed firm, it does not possess any experience or past performance of its own, and that VAST's team members also lack relevant direct experience or past performance.

Federal Acquisition Regulation 15.305(a)(2)(iii) directs agencies to take into account past performance information regarding predecessor companies, key personnel, and major subcontractors when such information is relevant to an acquisition. Thus, the agency properly may consider the relevant experience and past performance history of the individual joint venture partners in evaluating the past performance of a joint venture, so long as doing so is not expressly prohibited by the RFP. MVM, Inc., B'290726 et al., Sept. 23, 2002, 2002 CPD 167 at 4; Dynamic Isolation Sys., Inc., B'247047, Apr. 28, 1992, 92-1 CPD 399 at 7 n.7.

We find nothing objectionable in the agency's evaluation of VAST's experience and past performance. The RFP not only did not prohibit considering the experience and past performance of individual joint venture partners and key employees in the evaluation, but specifically encouraged offerors to provide such information. Specifically, the RFP provided that performance information shall include key personnel who have relevant experience and, predecessor companies who will perform major or critical elements of this [RFP]. RFP at 71. It also provided that [r]elated experience may be used in place of corporate experience for those companies who formed a Joint Venture for the sole purpose of performance under this solicitation and have no corporate experience. RFP at 65.

NETSEC's assertion that the members of the VAST joint venture lack individual experience is without merit. VAST's past performance proposal includes a detailed submission explaining the team members' and proposed personnel's relevant performance history and experience, and how that experience is relevant to the specific tasks of this contract. Based on this information, the evaluation summary states as follows:

The joint venture includes: SecureInfo Corp. - global leader in cyber security solutions, specialized protection of critical information resources against universal threats and vulnerabilities; . . .ADTECH Systems-extensive CIRC operations experience, comprehensive support to the Air Force Computer Emergency Response Team (AFCERT) for incident handling; AEM Corp. - leader in providing software development services in support of Information Assurance (IA) efforts, specializing in integrating the best commercial tools into a unified security environment; DSD Laboratory - detailed forensics analysis of security incidents, comprehensive training curriculum for computer security; SEIDCON, Inc. - deployment support for IT security products, host and network Intrusion Detection System (IDS), firewalls and virus scanning products, specializes in systems security engineering [from] conception through accreditation, in-depth experience in all facets of security test and evaluation; TEAMBI Solutions, Inc. - expertise in best practices for healthcare systems information security, extensive experience in information security and information management policy, procedures and program implementation, extensive VA experience providing VA ITSCAP security engineering support services. COMPAQ, Signal, and SAIC were added, bringing the experience and knowledge of the VA environment to the joint venture team. COMPAQ has maintained VHA's VistA systems for the past 20 years.
AR, exh. 8, at 15-16. In our view, the record reflects a proposed joint venture team with significant experience and relevant past performance. This being the case, we find no basis to object to the agency's evaluation of VAST's proposal under the past performance factor as blue/exceptional. We note that NETSEC has provided no rebuttal to the agency's evaluation; its mere disagreement with the agency's judgment does not establish that the evaluation was unreasonable. UNICCO Gov't Servs., Inc., B-277658, Nov. 7, 1997, 97-2 CPD 134 at 7.

Legal Status

NETSEC asserts that VAST is not entitled to the award because it does not possess a legal existence in its home state, Texas, and also that, as a non'existent firm, VAST cannot rely on the past performance of its team members.[9] NETSEC concedes that VAST's managing partner registered the VA Security Team, LLC, but maintains that the award is improper because the registration was not made until after the proposal was submitted and, in any event, because that firm is not the same entity as VAST.

These assertions are also without merit. Although a contracting officer may determine that the absence of an appropriate business license renders an offeror nonresponsible, compliance with state or local requirements is generally a matter between the contractor and the issuing authority, and will not be a bar to contract award unless the solicitation so provides. Calian Tech. (US) Ltd., B'284814, May 22, 2000, 2000 CPD 85 at 10. Here, there was no requirement in the RFP that offerors be registered in their home state prior to submitting an offer.

With regard to the use of different designations for the awardee--VA Security Team, LLC, Veterans Affairs Security Team (VAST), LLC, or VAST--the name of an offeror need not be exactly the same in all of the offer documents, although the offer documents or other information available must show that differently-identified offering entities are in fact the same legal entity. See S3 LTD, B-288195 et al.,
Sept. 10, 2001, 2001, 2001 CPD 164 at 11; Trandes Corp., B'271662, Aug. 2, 1996,
96-2 CPD 57 at 2. Here, we find it is plain from the proposal that VAST is simply an acronym for the registered entity and that the three designations identify the same entity; the different designations are clearly synonymous and present no ambiguity whatsoever as to the identity of the offeror. NETSEC's arguments to the contrary are make weight at best.

The protest is denied.

Anthony H. Gamboa
General Counsel


[9] e.g.