Decypher Technologies, Ltd.

B-415716.15: Jan 9, 2019

Additional Materials:

Contact:

Ralph O. White
(202) 512-8278
WhiteRO@gao.gov

Kenneth E. Patton
(202) 512-8205
PattonK@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Decypher Technologies, Ltd., a small business of San Antonio, Texas, protests the exclusion of its proposal from the competition by the Department of the Air Force under request for proposals (RFP) No. FA8771-17-R-1000 for information technology (IT) services.

We deny the protest.

DOCUMENT FOR PUBLIC RELEASE
The decision issued on the date below was subject to a GAO Protective Order. This redacted version has been approved for public release.

Decision 

Matter of:  Decypher Technologies, Ltd.

File:  B-415716.15

Date:  January 9, 2019

Kristin E. Zachman, Esq., Johnathan M. Bailey, Esq., Bailey & Bailey, PC, for the protester.
Lieutenant Colonel Ryan J. Lambrecht, Alexis J. Bernstein, Esq., Department of the Air Force, for the agency.
Katherine I. Riback, Esq., and Amy B. Pereira, Esq., Office of the General Counsel, GAO, participated in the preparation of the decision.

DIGEST

Protest challenging the agency’s evaluation of protester’s proposal under the technical experience evaluation factor is denied where the record shows that the evaluation was reasonable and consistent with the solicitation, and any errors in the agency’s evaluation did not prejudice the protester.

DECISION

Decypher Technologies, Ltd., a small business of San Antonio, Texas, protests the exclusion of its proposal from the competition by the Department of the Air Force under request for proposals (RFP) No. FA8771-17-R-1000 for information technology (IT) services.

We deny the protest.

BACKGROUND

On September 28, 2017, the Air Force issued the Small Business Enterprise Application Solutions (SBEAS) RFP, which was set aside for small businesses, pursuant to the procedures of Federal Acquisition Regulation (FAR) part 15.  Agency Report (AR), Tab 5, RFP at 162.[1]  The solicitation contemplated the award of 40 indefinite-delivery, indefinite-quantity (IDIQ) contracts with a 5-year base and 5-year option ordering period.  Id. at 138-139, 162.  The scope of the SBEAS RFP included a “comprehensive suite of IT services and IT solutions to support IT systems and software development in a variety of environments and infrastructures.”  Id. at 130.  Additional IT services in the solicitation included, but were not limited to, “documentation, operations, deployment, cybersecurity, configuration management, training, commercial off-the-shelf (COTS) product management and utilization, technology refresh, data and information services, information display services and business analysis for IT programs.”  Id.

Proposals were to be evaluated based on two factors, technical experience and past performance.[2]  Id. at 164.  The technical experience factor was comprised of ten technical elements and various sub-elements (each with a designated point value), and one non‑technical experience element.[3]  Id. at 165-172.  The past performance factor was comprised of the following three subfactors in descending order of importance:  life‑cycle software services, cybersecurity, and information technology business analysis.  Id. at 164.  Award was to be made on a past performance tradeoff basis among technically acceptable offerors, using the three past performance subfactors.  Id. at 162. 

Section L of the solicitation instructed offerors that “[t]he proposal shall be clear, specific, and shall include sufficient detail for effective evaluation and for substantiating the validity of stated claims.”  Id. at 142.  Offerors were instructed to not simply rephrase or restate requirements, but to “provide [a] convincing rationale to address how the [o]fferor’s proposal meets these requirements.”  Id.  The RFP also instructed offerors to assume that the agency has no knowledge of the offeror’s facilities and experience, and would “base its evaluation of the information presented in the [o]fferor’s proposal.”  Id.

The solicitation provided that offerors should submit their proposals in four volumes:  capability maturity model integration (CMMI) documentation, technical experience, past performance, and contract documentation.  Id. at 145.  As relevant to this protest, the technical volume was to contain a table of contents, a cross-reference matrix,[4] a glossary of terms, a self-scoring worksheet, and technical narratives. [5]  Id. at 149.  The RFP instructed offerors to describe in the technical narrative section of their proposals, experience that supports the technical element points claimed in the self-scoring worksheet.  Id.

Regarding the definition of terms in the technical element criteria, the solicitation stated the following:

Offerors shall utilize the Definition of Terms provided in Section J, Attachment 7 of this solicitation, the Risk Management Framework (RMF) and DoD [Department of Defense] Information Assurance Certification and Accreditation Process (DIACAP) standards to help form a better understanding of the Government’s use and definition of specific technical terms.

Id. at 150.  Of relevance to this protest, the RFP included the following definition in Section J:

15. Cybersecurity

*  *  *  *  *

15.3  Availability

Ensuring timely and reliable access to and use of information.

Id. at 206.  The solicitation stated that the agency intended to evaluate proposals and make awards without discussions to the offerors deemed responsible, and whose proposals conformed to the solicitation’s requirements and were judged, based on the evaluation factors, to represent the best value to the government.[6]  Id. at 163. 

Section M of the solicitation set up a tiered evaluation process.  Id. at 163-164.  The first step of the evaluation was a CMMI appraisal, which required offerors to be certified at level 2 in CMMI.[7]  Id.  If an offeror passed the CMMI appraisal as level 2 certified, the agency would then evaluate an offeror’s technical experience using the self‑scoring worksheet and technical narratives provided by the offeror.  Id. at 164.  The solicitation provided that technical experience would receive an adjectival rating of acceptable or unacceptable.  Id. at 164-165.  A proposal would be considered acceptable when it attained 4,200 points per the self-scoring worksheet, and was “verified per the technical narratives.”  Id. at 165.  Section M further provided that the agency would “utilize the technical narratives provided by each offeror in conjunction with the self‑scoring worksheet used by each offeror to claim points in the 10 technical elements and in the one non-technical experience element.”  Id. at 164.

In the event that technical experience was evaluated as acceptable, the agency would then evaluate the offeror’s past performance.  Id. at 164.  The agency would review the accompanying past performance narratives and evaluate each offeror’s past performance references for recency, relevancy, and quality.[8]  Id. at 172.

Decypher timely submitted its proposal in response to the solicitation.  On August 21, the agency notified Decypher that its proposal was considered unacceptable and had been eliminated from further consideration because its proposal received a score of 3,750 points under the technical experience factor.  AR, Tab 10, Decypher Notice of Ejection from Competition (Aug. 21, 2018) at 1. 

Following a debriefing, Decypher filed an agency-level protest on September 10, contesting the exclusion of its proposal from the competition, which was denied by the agency on September 21.  AR, Tab 13, Decypher Agency-Level Protest (Sept. 10, 2018); Tab 14, Agency Response of Decypher’s Agency-Level Protest (Sept. 21, 2018).  On October 1, Decypher filed this protest with our Office.

DISCUSSION

Decypher protests the exclusion of its proposal from the competition, alleging that the agency failed to properly evaluate its proposal under the technical experience factor.  Specifically, the protester contends that the agency’s evaluation of its proposal was improper with regard to the risk management sub-element of the cybersecurity element.  Decypher contests the agency’s determination that its proposal failed to demonstrate the prevention of the loss of data availability as required under this sub-element.  The protester further contends that the agency erred in its technical evaluation of Decypher’s proposal regarding this sub-element by reviewing only the specifically identified portion of its technical narrative, rather than the entire narrative.[9]   

Our Office will examine an agency’s evaluation of an offeror’s technical experience only to ensure that it was reasonable and consistent with the stated evaluation criteria and applicable statutes and regulations.  See Shumaker Trucking & Excavating Contractors, Inc., B-290732, Sept. 25, 2002, 2002 CPD ¶ 169 at 3.  A protester’s disagreement with a procuring agency’s judgment, without more, is insufficient to establish that the agency acted unreasonably.  WingGate Travel, Inc., B-412921, July 1, 2016, 2016 CPD ¶ 179 at 4-5.  In addition, it is an offeror’s responsibility to submit an adequately written proposal with adequately detailed information which clearly demonstrates compliance with the solicitation requirements and allows a meaningful review by the procuring agency.  See International Med. Corps, B-403688, Dec. 6, 2010, 2010 CPD ¶ 292 at 8.  An offeror’s technical evaluation is dependent on the information furnished, and an offeror that fails to submit an adequately written proposal runs the risk of having its proposal downgraded.  LOGMET, B-400535, Oct. 30, 2008, 2008 CPD ¶ 199 at 3. 

The cybersecurity element was comprised of the following two sub-elements:  vulnerabilities and threats, and risk management.  RFP at 167.  Decypher protests the agency’s evaluation of its proposal under the risk management sub-element of this element.  In order to receive the 500 points available under this sub-element, an offeror was required to show the following:

Demonstrate knowledge and experience in incorporating risk management principles and information security requirements to prevent the loss of data Confidentiality, Integrity, and Availability using the following three (3) preventative technical controls; Authentication, Authorization, and Accountability.

Id. at 186.  The solicitation provided that the agency would not accept points claimed by the offeror if it did not address “all 3 risk management principles (Confidentiality, Integrity and Availability).”  Id. at 167.  The agency found that Decypher’s proposal did “not demonstrate that the offeror prevented the loss of availability.”  AR, Tab 9, Decypher Technical Evaluation at 8. 

The protester argues that the agency’s evaluation did not utilize the definition of availability in the solicitation and failed to take into account the solicitation instructions to offerors requiring the use of other documents to understand the government’s use of specific technical terms, such as availability. [10]  For example, the protester argues that the agency took an overly restrictive view of availability not reflected in the solicitation, and therefore failed to consider that paragraph 2.3.2.2 of its proposal demonstrates availability due to its demonstration of [DELETED] contained in Committee on National Security Systems Instructions 1253 and National Institute of Standards and Technology Special Publications 800-53.  Protest at 17-18; Comments at 13-17.  According to the protester, each of these documents is referenced in and required by the DIACAP and these documents include information, such as which security controls are associated with availability.  The protester seeks to align the language in its proposal to these documents to show that its proposal demonstrated experience in preventing the loss of data availability.   

We find that the agency reasonably determined that the protester failed to demonstrate that its technical narrative, paragraph 2.3.2.2, demonstrated experience in the prevention of the loss of data availability.  While the protester now seeks to explain how, other documents referenced in the RFP that concern security controls should have led the agency to determine that it met the required criteria, much of this information was not included in its proposal.  As noted above, offerors are responsible for submitting well-written proposals with adequately-detailed information that allows for a meaningful review by the procuring agency.  Government Telecomms., Inc., B‑299542.2, June 21, 2007, 2007 CPD ¶ 136 at 5.  In our view, rather than explaining how the information included in its proposal demonstrated experience in preventing the loss of data availability, Decypher now seeks to rely on linking to other documents referenced in the solicitation as a substitute for a well-written proposal.  We further find that this section of Decypher’s technical narrative describes specific features and then states that these features “facilitated confidentiality, integrity and availability for the [DELETED],” without providing any explanation as to how these features achieved this outcome.  AR, Tab 6, Decypher’s Proposal Vol. II, Technical Experience at 46.  We therefore find no reason to question the agency’s evaluation in this regard.

Decypher next argues that the agency erred in its evaluation of the risk management sub-element by only evaluating paragraph 2.3.2.2 of its proposal and not evaluating its technical narrative in its entirety.[11]  Decypher contends that information provided in paragraph 2.3.2.1 of its proposal further demonstrates experience in preventing the loss of data availability. The protester argues that the solicitation does not state that the agency, in determining whether the points were validly claimed by the offeror, will only evaluate the specific portions of the technical narrative cited to in the self-scoring worksheet.  Protest at 14.  In support of this, the protester cites section M.3.1.1 of the RFP which states that “[t]he Government will use the technical narratives to verify the points claimed on the Self-Scoring Worksheet.”  RFP at 165. 

The protester contends that its interpretation of the solicitation was reinforced by the questions and answers (Q&As), where the following exchange occurred: 

Q. 189:  For Clarification, If the Offeror fails to completely demonstrate the required experience to verify the points claimed in a section on Technical Narrative 1 but also includes additional justification in Technical Narrative 3 for the same section, Will the government read and include that additional information in their decision of points claimed?

A. 189:  All narratives will be considered to verify points claimed on the Self-Scoring Worksheet.

GAO Protest at 11 citing AR, Tab 4, Final RFP Q&As at 13.

The agency disagrees with the protester’s interpretation of the solicitation and argues that only the specific paragraphs from the technical narratives that were cited in an offeror’s self-scoring worksheet would be evaluated.  COS at 13.  The agency maintains that the solicitation was “specifically crafted to enable the [a]gency to go directly to the place in the proposal that the offeror referenced.”  Id. at 12.  In addition to the solicitation language that the protester cites, the agency also cites to section M.3.1, which states that the agency will “utilize the technical narratives provided by each offeror in conjunction with the self-scoring worksheet used by each offeror to claim points.”  Id. at 10 citing RFP at 164 (emphasis omitted), as well as language stating that “[a]n offeror’s proposal has met the requirements of the solicitation and is considered Acceptable, when the required minimum of 4,200 is obtained per the Self-Scoring Worksheet and verified per the technical narratives.”  RFP at 165.  

The agency contends that the protester’s argument that the entire technical narrative cited by the offeror should be evaluated and used to verify points for a sub-element would render meaningless the solicitation’s instructions regarding the self-scoring worksheet.  These instructions required offerors to “enter the technical narrative [number], page [number] and paragraph [number] of the technical narrative(s) that supports each technical element claimed.”  Id. at 184.  In the agency’s view, if Decypher wanted to have paragraphs other than paragraph 2.3.2.1 of its technical narrative evaluated under the risk management sub-element, it should have listed those paragraphs in the correct place on its self-scoring worksheet.

Where a dispute exists as to a solicitation’s requirements, we begin by examining the plain language of the solicitation.  Harper Constr. Co., Inc., B-415042, B-415042.2, Nov. 7, 2017, 2018 CPD ¶ 47 at 4; Point Blank Enters., Inc., B-411839, B-411839.2, Nov. 4, 2015, 2015 CPD ¶ 345 at 3.  We resolve questions of solicitation interpretation by reading the solicitation as a whole and in a manner that gives effect to all provisions; to be reasonable, and therefore valid, an interpretation must be consistent with such a reading.  Desbuild Inc., B-413613.2, Jan. 13, 2017, 2017 CPD ¶ 23 at 5.  If the solicitation language is unambiguous, our inquiry ceases.  Id.  An ambiguity, however, exists where two or more reasonable interpretations of the solicitation are possible.  Colt Def., LLC, B-406696, July 24, 2012, 2012 CPD ¶ 302 at 8.  If the ambiguity is an obvious, gross, or glaring error in the solicitation (e.g., where solicitation provisions appear inconsistent on their face), then it is a patent ambiguity; a latent ambiguity is more subtle.  A-P-T Research, Inc., B-414825, B-414825.2, Sept. 27, 2017, 2017 CPD ¶ 337 at 12; Harper Constr. Co., Inc., supra.  Here, as detailed below, we conclude that the disputed terms of the solicitation were latently ambiguous because the provisions appear to be susceptible to two reasonable interpretations.

We first find that the agency’s interpretation of the solicitation is not unreasonable.  The agency’s interpretation ties together the part of section M quoted above that technical narratives will be used to verify the points claimed on the self-scoring worksheet (RFP at 164-165), with the instructions to the self‑scoring worksheet instructing offerors to “enter the technical narrative [number], page [number], and paragraph [number] of the technical narrative(s) that supports each technical element claimed.”  Id. at 184.  We find that the agency’s interpretation is consistent with the solicitation when read as a whole and gives effect to each of its provisions.  See Arch Sys., LLC; KEN Consulting, Inc., B‑415262, B‑415262.2, Dec. 12, 2017, 2017 CPD ¶ 379 at 6.

We also find that Decypher’s alternate interpretation of the solicitation--which is based on, and not contradicted by, the express language of the solicitation--is reasonable.  In this regard the solicitation, in section M, does not state that the agency will only evaluate the specific cited paragraphs of the technical narrative cited in its self‑scoring worksheet, rather, the solicitation in section M states that the agency will “utilize the technical narratives provided by each offeror in conjunction with the self-scoring worksheet used by the offeror to claim points. . . .” RFP at 164.  Section M further states that the “Government will use the technical narratives to verify the points claimed on the Self-Scoring Worksheet.”  RFP at 165.  

We conclude that the RFP here did not contain any inconsistency in its language that was obvious, gross, or glaring, such that the ambiguity was patent on the face of the solicitation.  We therefore find the ambiguity in the RFP was latent with regard to what portions of the technical narratives listed in the offerors’ self-scoring worksheets would be evaluated.  While the Air Force may have intended that only those portions of the technical narratives specifically cited in an offeror’s self-scoring worksheet for a particular element would be evaluated, the specific language in section M and the accompanying Q&A did not specifically state this and was latently ambiguous.  Millennium Corp., Inc., B-416485.2, Oct. 1, 2018, 2018 CPD ¶ 329 at 6.

However, while we find that there was a latent ambiguity in the solicitation, Decypher cannot demonstrate that it was competitively prejudiced by the agency’s evaluation.  Competitive prejudice is an essential element of a viable protest; where a protester fails to demonstrate that, but for the agency’s actions, it would have had a substantial chance of receiving the award, these is no basis for finding prejudice, and our Office will not sustain the protest, even it deficiencies in the procurement are found.  DynCorp Int’l LLC, B-411465, B-411465.2, Aug. 4, 2015, 2015 CPD ¶ 228 at 12-14. 

Here, Decypher contends that the agency also should have considered the information in paragraph 2.3.2.1 of its proposal, a portion of the technical narrative not specifically cited under the risk management sub-element in Decypher’s self-scoring worksheet.  According to Decypher, this information shows demonstrated experience in prevention of the loss of data availability.  The protester argues that 2.3.2.1 includes paragraphs discussing continuity of operations and backups, malicious code protection, and patches, and that each of these paragraphs respectively, demonstrates that it had experience in the prevention of loss of data availability.  AR, Tab 13, Agency-Level Protest at 14-15; GAO Protest at 15-16. 

The agency states that, even if it had evaluated this section of the technical narrative, it would have found that Decypher did not demonstrate the prevention of the loss of data availability.  COS at 17.  The agency examined the three paragraphs in 2.3.2.1 that discuss the continuity of operations and backups, malicious code protection, and patches, in turn.

Regarding the section of the technical narrative that discussed continuity of operations and backups, the agency notes that while Decypher in its proposal states that it developed continuity of operations “[DELETED],” its proposal failed to demonstrate those [DELETED] procedures.  COS at 17 citing AR, Tab 6, Decypher’s Proposal Vol. II, Technical Experience at 44.  The agency states that this section gave “only conclusory statements and partial information about how Decypher had experience ensuring system Availability.”  Id.

Concerning the sections of Decypher’s technical narrative that discuss installing anti‑malware software and patches, the agency notes that these features were mentioned as ensuring the prevention of the loss of data availability, but that Decypher failed to demonstrate how these features ensured the “timely and reliable access to and use of information.”  Memorandum of Law at 23; COS at 17.  For example, the agency notes that while installing anti-malware protects a system from infiltration and infection by detecting malware, removing it, and cleaning up damage to the systems caused by the malware, that statement alone does not demonstrate how anti-malware prevents the loss of data availability.  Id.  The agency points out as well that while Decypher states in its protest that anti-malware or patches ensure availability of data by preventing data from being “held hostage by ransomware or even destroyed” (GAO Protest at 15), this statement was not included in Decypher’s proposal.  COS at 18. 

Thus, even accepting the protester’s assertion that the agency should have evaluated paragraph 2.3.2.1 of the technical narrative for its demonstration of the prevention of the loss of data availability, we find that the agency reasonably concluded that even if it had evaluated this section of technical narrative 2, that this portion of Decypher’s technical narrative did not demonstrate the prevention of the loss of data availability.  We agree with the agency that although paragraph 2.3.2.1 discussed the continuity of operations and backups, malicious code protection, and patches, Decypher failed to articulate how these features contributed to the prevention of the loss of data availability.  While the protester provided additional explanation in pursuing this protest, this information does not compensate for the lack of explanation in Decypher’s proposal.  Thus, we find no basis to sustain this protest ground.

The protest is denied.

Thomas H. Armstrong
General Counsel



[1] Citations to the RFP are to the conformed copy provided by the agency.  AR, Tab 5, RFP.

[2] The solicitation stated that pursuant to “10 U.S.C. § 2305(a)(3)(C), as amended by Section 825 of the National Defense Authorization Act (NDAA) for Fiscal Year 2017, the Government will not evaluate cost or price for the IDIQ contract.  Cost or price to the Government will be considered in conjunction with the issuance of a task or delivery order under any contract awarded hereunder.”  RFP at 162.

[3] The technical experience factor was comprised of the following technical elements:  life-cycle software services; cybersecurity; IT business analysis; programming languages/frameworks; tools/software development methodologies; platforms/environments; database components; mobile/internet of things; server operating systems; and COTS/GOTS (government-off-the-shelf)/FOSS (free and open source software) software, as well as the non‑technical experience element of government facility clearance level.  Id. at 165-171. 

[4] The RFP’s instructions directed offerors to complete a cross-reference matrix, which was attached to the solicitation.  Id. at 146, 179-183.  The offeror’s cross‑reference matrix was required to demonstrate “traceability” between the offeror’s contract references.  An offeror’s cross-reference matrix was required to show “which contract references [were] used to satisfy each technical element and each past performance sub-factor.”  Id. at 146.

[5] The solicitation allowed offerors to provide up to six contract references, each of which was to have its own technical narrative, to demonstrate its technical experience.  RFP  at 149.  Technical narratives were to be submitted in numerical order.  Id.  At issue in this protest is Decypher’s technical narrative 2.

[6] The agency’s estimated value for all of the SBEAS contract awards is a maximum of $13.4 billion.  Contracting Officer’s Statement (COS) at 3. 

[7] CMMI is a process level improvement training and appraisal program that is administered by the CMMI Institute. 

[8] The RFP provided that each offeror must receive a confidence rating of “[s]atisfactory or higher” for each past performance subfactor in order to be eligible for award.  Id. at 164. 

[9] Decypher’s protest raised numerous allegations.  While our decision here does not specifically discuss each and every argument, we have considered all of the protester’s assertions and find that none furnish a basis for sustaining the protest.

[10] The protester argued in its protest that its description of access management in this section of its technical narrative demonstrated that its proposal fulfilled the solicitation’s cybersecurity definition of “availability,” as required by the evaluation criteria because the solicitation’s definition of “access management” states that it “contributes to achieving the appropriate confidentiality, availability, and integrity of the command’s data.”  AR, Tab 13, Agency-Level Protest at 6; GAO Protest at 17.  Although the agency addressed this issue in its agency report, COS at 20, Decypher did not address this issue in its comments on the agency report.  Thus we find that the protester abandoned this issue.  IntelliDyne, LLC, B‑409107 et al., Jan. 16, 2014, 2014 CPD ¶ 34 at 3 n.3

[11] The agency states that it did not evaluate paragraph 2.3.2.1 of Decypher’s proposal against the RFP’s sub-element 2b evaluation criteria.  COS at 16. 

Apr 17, 2019

Apr 16, 2019

Apr 15, 2019

Apr 12, 2019

Looking for more? Browse all our products here