Decision

Matter of:  Opus Group, LLC

File:  B-413104.40

Date:  October 11, 2019

DIGEST

Protest challenging agency’s exclusion from the competition for failing to comply with the solicitation’s requirements to submit certain financial documents is denied where the record shows that the protester’s teaming member submitted documents that were encrypted and did not provide the passwords required to decrypt them.

Opus Group, LLC, of McLean, Virginia, protests the decision by the Department of Health and Human Services, National Institutes of Health (NIH), to find its proposal unacceptable in the competition conducted under request for proposals (RFP) No. NIHJT2016015, for information technology (IT) solutions and services.  Opus argues that NIH unreasonably found its teaming members failed to provide decryption passwords for documents that were required to be submitted by the solicitation.

We deny the protest.

BACKGROUND

The RFP was issued on March 14, 2016, for the award of additional indefinite‑delivery, indefinite-quantity (IDIQ) contracts for NIH’s existing Chief Information Officer-Solutions and Partners 3, small business governmentwide acquisition contract (GWAC), for IT solutions and services.  Agency Report (AR), Tab 2, RFP at B-1, M-2; Contracting Officer’s Statement (COS) at 1.  The RFP provided that NIH would establish contractor groups for award including, as relevant here, the section 8(a) contractor group.[1]  See RFP at M-2, M-3.  The RFP contemplated the issuance of fixed-price, time‑and- materials, or cost‑reimbursement task orders during the period of performance, which would correspond with the current GWAC contracts, and would end in 2022.  Id. at B‑1, F‑1, G-6-G-8, L-6.  The maximum order amount established for the contract was $20 billion with a guaranteed minimum of $250 per awardee.  Id. at B-2.

Proposals were to be evaluated in two phases.  Id. at M-1.  During phase 1, proposals would be evaluated under four go/no-go requirements:  compliant proposal; verification of an adequate accounting system; IT services for biomedical research, health sciences, and healthcare; and domain-specific capability in a health-related mission.  Id. at M-1, M-3-M-4.  A proposal found unacceptable for any of these four requirements would be ineligible for further consideration for award.  Id. at M-4.  Proposals found acceptable under phase 1 would proceed to be evaluated under phase 2, using a best-value tradeoff methodology, considering price and the following three evaluation factors:  technical capability and understanding; management approach; and past performance.  The technical capability and management approach factors were of equal importance, and both factors, individually, were more important than past performance.  Price was the least important of all evaluation factors.  Id. at M-1.

The agency received 552 proposals--of which 167 were for the 8(a) contractor group-- including a proposal from Opus.  COS at 2; Protest at 1.  NIH found Opus’ proposal unacceptable at phase 1 under the compliant proposal requirement.  Opus’ proposal included encrypted financial statements for two of its teaming members but did not provide decryption passwords that would allow NIH to review the files, thus rendering the proposal ineligible for further consideration.[2]  Protest, attach. 7, Debriefing, at 1.

NIH notified Opus that it was not selected for award, and after receiving a request for a debriefing, provided one to Opus on July 5, 2019.  This protest timely followed.

DISCUSSION

Opus argues that NIH unreasonably found its proposal unacceptable because its teaming partners had, in fact, submitted the decryption password for the required documents as reflected in the “evidence” submitted with Opus’ protest.  Protest at 2.  Opus also argues that the contracting officer was required under the FAR to bring to Opus’ attention “a suspected mistake and provide an opportunity to correct.”  Id. at 3. 

The agency states that it did not receive the passwords--which it confirmed again after Opus’ exclusion--and the “evidence” submitted by Opus in its protest did not demonstrate that its teaming partners timely submitted passwords to NIH.  Memorandum of Law (MOL) at 5-8.  NIH also argues that while it had the discretion to request additional information, it had no obligation to request Opus provide the missing passwords.  Id. at 8-9.

Clearly stated RFP requirements are considered material to the needs of the government, and a proposal that fails to conform to such material terms is unacceptable and may not form the basis for award.  AttainX, Inc.; FreeAlliance.com, LLC, B‑413104.5, B-413104.6, Nov. 10, 2016, 2016 CPD ¶ 330 at 5.  It is an offeror’s responsibility to submit a well-written proposal, with adequately detailed information that clearly demonstrates compliance with the solicitation requirements and allows a meaningful review by the procuring agency.  See, e.g., International Med. Corps, B‑403688, Dec. 6, 2010, 2010 CPD ¶ 292 at 8.  An offeror runs the risk that a procuring agency will evaluate its proposal unfavorably where it fails to do so.  Recon Optical,Inc., B-310436, B-310436.2, Dec. 27, 2007, 2008 CPD ¶ 10 at 6.  On this record, Opus’ arguments provide no basis to sustain the protest.

The solicitation advised that during the first phase of proposal evaluation, the agency would evaluate proposals under four go/no-go requirements.  RFP at M-1, M-3-M-4.  Under the “compliant proposal” requirement, the solicitation stated that “[i]f the proposal does not contain the required documents, the Government may deem the proposal to be ‘Unacceptable’ and ineligible for further consideration for award.”  Id. at M-3.

The RFP instructed offerors to provide a copy of the most recent annual financial report or, if not a public corporation, the most recent asset and liability statement for the prime contractor and all CTA members.  Id. at L-13.  If the CTA members did not want to share their proprietary financial information with the prime, the solicitation permitted offerors to submit this information from the CTA members as encrypted files.  The CTA members were instructed to send an email to the Electronic Procurement Information Center (EPIC) help desk (webmaster@acqcenter.com) with the decryption password.  Id. at L-13.  The solicitation also stated that in order to be considered timely, “[a]ll information, including the email from the CTA member” was required to be submitted by the proposal due date.  Id.  The submitted information would be reviewed as part of the agency’s responsibility determination of apparent successful offerors, which the solicitation stated would be evaluated on a pass/fail basis.  RFP at L‑13, L‑23, M-11.Opus’ proposal stated that it was submitting its most recent asset and liability statement as a separate file, and that each teaming member was also providing their most recent asset and liability statements as separate encrypted files, with the decryption passwords to be provided directly by each teaming member, as instructed by the solicitation.  AR, Tab 4, Protester’s Proposal, Other, L.4.2. Section 7, Other Administrative Data.  The only password NIH received as part of Opus’ proposal, however, was from teaming member C.  See generally AR, Tab 4, Protester’s Proposal, Other. 

The agency found Opus’ proposal to be unacceptable (i.e., “no-go”) under the compliant proposal requirements of phase 1.  AR, Tab 14, Go/No-Go Compliance Review, at 140.  NIH’s assessment found that while Opus’ proposal included two encrypted documents for its teaming member A, purporting to be teaming member A’s most recent annual financial report or asset and liability report, the submitted files were encrypted and no decryption password was provided to allow NIH to review the files.[3]  Id.  As a result, NIH determined that because the proposal did not contain documents required by the RFP, Opus’ proposal was unacceptable under section M.2(a)(1) of the RFP and was eliminated from the competition.[4]  Id.

We agree with the agency that the record here does not show that NIH received the decryption password for Opus’ teaming members prior to evaluation.  Here, the “evidence” provided by Opus does not demonstrate that its team members timely sent emails to the EPIC help desk with the decryption passwords.  In support of its argument that teaming member B timely submitted its password, Opus provided a printed copy of an email with a decryption password that was sent on May 16, 2016 from teaming member B to three individuals, one of which was simply identified as “webmaster.”  This email, however, does not reveal the actual email addresses of the named recipients nor does it provide any other information related to the name “webmaster” on the email’s “to” line.  Protest, attach. 8, Teaming Member B.  For teaming member A, Opus alleges, without support, that:

[Teaming member A] has not retained a record of the password submission, but abundant evidence shows that this password was also timely submitted.  This is evident from their statement to that effect and the explanation that the email is difficult to track down due to the fact that the event occurred over three (3) years ago and they have since changed offices and changed their email systems.

Protest at 2.[5]  Opus also points to the emails between it and its CTA members, demonstrating their awareness of the RFP’s requirement as evidence of submission, again which does not demonstrate that the passwords were timely submitted.[6]  Id.  Here, NIH asserts that after providing the debriefing, Opus sent several emails to the agency, alleging that teaming members A and B had, indeed, sent the required passwords with Opus’ proposal.  In response, NIH initiated an investigation with EPIC’s Acqcenter help desk.  MOL at 6-7; COS at 4; AR, Tab 7, EPIC Email re Question About Decryption Passwords.  NIH explains that, in response to its inquiry, the EPIC help desk conducted multiple searches of its email records, yet was unable to find any emails from either teaming members A or B that contained any passwords related to the RFP.  Id.

While Opus disputes the adequacy of the agency’s search attempts, those arguments, without sufficient evidence to support Opus’ contention that the passwords had been sent to the proper email address, do not provide us a basis to sustain the protest.  See generally Comments.  As we have consistently explained, it is an offeror’s responsibility to submit a well-written proposal, with adequately detailed information that clearly demonstrates compliance with solicitation requirements and allows meaningful review by the agency.  Offerors run the risk that a procuring agency will evaluate their proposal unfavorably where they fail to do so.  See, e.g., International Med. Corps, supra.

Because the necessary passwords were not provided for NIH to review the required financial statements, we find reasonable NIH’s conclusion that Opus’ proposal did not contain the required documents and therefore failed to meet the compliant proposal criterion of phase 1.[7]  As a result, we find that the agency reasonably rejected Opus’ proposal.  See RFP at M-3-M-4; AttainX, Inc.; FreeAlliance.com, LLC, supra; Chags Health Info. Tech., LLC, supra at 8.

The protest is denied.

Thomas H. Armstrong
General Counsel