Dfuse Technologies, Inc.

B-415716.19: Mar 4, 2019

Additional Materials:

Contact:

Ralph O. White
(202) 512-8278
WhiteRO@gao.gov

Kenneth E. Patton
(202) 512-8205
PattonK@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Dfuse Technologies, Ltd., a small business of Ashburn, Virginia, protests the exclusion of its proposal from the competition by the Department of the Air Force under request for proposals (RFP) No. FA8771-17-R-1000 for information technology (IT) services.

We deny the protest in part and dismiss it in part.

Decision

Matter of:  Dfuse Technologies, Inc.

File:  B-415716.19

Date:  March 4, 2019

Sandeep Suri, Dfuse Technologies, Inc., for the protester.
Alexis J. Bernstein, Esq., Lieutenant Colonel Kevin P. Stiens, and Rachell J. Reilly, Esq., Department of the Air Force, for the agency.
Katherine I. Riback, Esq., and Amy B. Pereira, Esq., Office of the General Counsel, GAO, participated in the preparation of the decision.

DIGEST

Protest challenging the agency’s evaluation of protester’s technical proposal is denied where the record shows that the evaluation was reasonable and consistent with the solicitation.

DECISION

Dfuse Technologies, Ltd., a small business of Ashburn, Virginia, protests the exclusion of its proposal from the competition by the Department of the Air Force under request for proposals (RFP) No. FA8771-17-R-1000 for information technology (IT) services.[1]

We deny the protest in part and dismiss it in part.

BACKGROUND

On September 28, 2017, the Air Force issued the Small Business Enterprise Application Solutions (SBEAS) RFP, which was set aside for small businesses, pursuant to the procedures of Federal Acquisition Regulation (FAR) part 15.  Agency Report (AR), Tab 5, RFP at 162.[2]  The solicitation contemplated the award of 40 indefinite-delivery, indefinite-quantity (IDIQ) contracts with a 5-year base and 5-year option ordering period.  Id. at 138-139, 162.  The scope of the SBEAS RFP included a “comprehensive suite of IT services and IT solutions to support IT systems and software development in a variety of environments and infrastructures.”  Id. at 130.  Additional IT services in the solicitation included, but were not limited to, “documentation, operations, deployment, cybersecurity, configuration management, training, commercial off-the-shelf (COTS) product management and utilization, technology refresh, data and information services, information display services and business analysis for IT programs.”  Id.

Proposals were to be evaluated based on two factors, technical experience and past performance.[3]  Id. at 164.  The technical experience factor was comprised of ten technical elements and various sub-elements (each with a designated point value), and one non‑technical experience element.[4]  Id. at 165-171.  The past performance factor was comprised of the following three subfactors in descending order of importance:  life‑cycle software services, cybersecurity, and information technology business analysis.  Id. at 164.  Award was to be made on a past performance tradeoff basis among technically acceptable offerors, using the three past performance subfactors.  Id. at 162. 

Section L of the solicitation instructed offerors that “[t]he proposal shall be clear, specific, and shall include sufficient detail for effective evaluation and for substantiating the validity of stated claims.”  Id. at 142.  Offerors were instructed to not simply rephrase or restate requirements, but to “provide [a] convincing rationale [addressing] how the [o]fferor’s proposal meets these requirements.”  Id.  The RFP also instructed offerors to assume that the agency has no knowledge of the offeror’s facilities and experience, and would “base its evaluation on the information presented in the [o]fferor’s proposal.”  Id.

The solicitation provided that offerors should submit their proposals in four volumes:  capability maturity model integration (CMMI) documentation, technical experience, past performance, and contract documentation.  Id. at 145.  As relevant to this protest, the technical volume was to contain a table of contents, a cross-reference matrix,[5] a glossary of terms, a self-scoring worksheet, and technical narratives. [6]  Id. at 149.  The RFP instructed offerors to describe, in their technical narratives, experience that supports the technical element points claimed in the self-scoring worksheet.  Id.

The solicitation stated that the agency intended to evaluate proposals and make awards without discussions to the offerors deemed responsible, and whose proposals conformed to the solicitation’s requirements and were judged, based on the evaluation factors, to represent the best value to the government.[7]  Id. at 163. 

Section M of the solicitation established a tiered evaluation process.  Id. at 163-164.  The first step of the evaluation was a CMMI appraisal, which required offerors to be certified at level 2 in CMMI.[8]  Id.  If an offeror passed the CMMI appraisal as level 2 certified, the agency would then evaluate an offeror’s technical experience using the self‑scoring worksheet and technical narratives provided by the offeror.  Id. at 164.  The solicitation provided that technical experience would receive an adjectival rating of acceptable or unacceptable.  Id. at 164-165.  A proposal would be considered acceptable when it attained 4,200 points per the self-scoring worksheet, and was “verified per the technical narratives.”  Id. at 165. 

In the event that technical experience was evaluated as acceptable, the agency would then evaluate the offeror’s past performance.  Id. at 164.  The agency would review the accompanying past performance narratives and evaluate each offeror’s past performance references for recency, relevancy, and quality.[9]  Id. at 172.

Dfuse timely submitted its proposal in response to the solicitation.  On August 21, the agency notified Dfuse that its proposal was considered unacceptable and had been eliminated from further consideration because its proposal did not receive the minimum required 4,200 points under the technical experience factor.  AR, Tab 3, Dfuse GAO Protest (Dec. 14, 2018) at 2. 

On August 31, Dfuse filed a protest with our Office arguing that the agency’s technical evaluation was unreasonable.  In response, the agency notified our Office of its intent to take corrective action, and, on September 18, GAO dismissed Dfuse’s protest as academic.  Dfuse Techs., Inc., B-415716.14, Sept. 18, 2018 (unpublished decision).  The agency reevaluated Dfuse’s proposal, and on November 29, the agency again notified Dfuse that its proposal was considered unacceptable and been eliminated from further consideration because its proposal received a score of 2,000 points under the technical experience factor.  AR, Tab 8, Dfuse Notice of Removal from Competition (Nov. 29, 2018).  On December 14, following its debriefing, Dfuse filed this protest with our Office.  AR, Tab 9, Dfuse Debriefing Slides (Dec. 4, 2018).

DISCUSSION


Dfuse protests the agency’s exclusion of its proposal from the competition, alleging that the agency failed to properly evaluate its proposal under the technical experience factor.  Specifically, the protester argues that the agency deducted points under 12 sub‑elements under five separate elements, without providing a clear rationale, and that this was “arbitrary, unreasonable and unfair,” as well as “an abuse of the [a]gency’s ‘discretion.’”  Comments at 5.  Because the RFP provided that an offeror must score a minimum of 4,200 points to be rated technically acceptable, for the reasons discussed below we need only address the agency’s evaluation of Dfuse’s proposal with regard to the developing/implementation sub-element of the life‑cycle software services element, and the agency’s evaluation of Dfuse’s proposal with regard to the risk management sub-element of the cybersecurity element.

Our Office will examine an agency’s evaluation of an offeror’s technical experience only to ensure that it was reasonable and consistent with the stated evaluation criteria and applicable statutes and regulations.  See Shumaker Trucking & Excavating Contractors, Inc., B-290732, Sept. 25, 2002, 2002 CPD ¶ 169 at 3.  A protester’s disagreement with a procuring agency’s judgment, without more, is insufficient to establish that the agency acted unreasonably.  WingGate Travel, Inc., B-412921, July 1, 2016, 2016 CPD ¶ 179 at 4-5.  In addition, it is an offeror’s responsibility to submit an adequately written proposal with adequately detailed information which clearly demonstrates compliance with the solicitation requirements and allows a meaningful review by the procuring agency.  See International Med. Corps, B-403688, Dec. 6, 2010, 2010 CPD ¶ 292 at 8.  An offeror’s technical evaluation is dependent on the information furnished, and an offeror that fails to submit an adequately written proposal runs the risk of having its proposal downgraded.  LOGMET, B-400535, Oct. 30, 2008, 2008 CPD ¶ 199 at 3. 

Developing/Implementation Sub-element of the Life Cycle Software Services Element

The life-cycle software services element was comprised of five sub-elements:  developing/implementation; re-engineering; data or system migration; modernization; and COTS/GOTS/FOSS enterprise resource planning software systems.  RFP at 165‑166.  Dfuse protests the agency’s evaluation of its proposal under the developing/implementation sub-element of this element.  Protest at 3-4.  In order to receive the 500 points available under this sub‑element, an offeror was required to demonstrate experience in the design, build, test and implementation of an information system in each of the following four areas:

  • The process of implementing software solutions to one or more sets of problems.
  • The process by which source code is converted into a stand-alone form that can be run on a computer or to the form itself.  One of the most important steps of a software build is the compilation process, where source code files are converted into executable code.
  • Obtaining, verifying, or providing data for any of the following:  the performance, operational capability, and suitability of systems, subsystems, components, or equipment items; or vulnerability and lethality of systems, subsystems, components, or equipment items.
  • Planning; coordinating; scheduling; deploying/installing (or providing all needed technical assistance to deploy/install) and transitioning a technical solution (e.g., information system) into the operational environment.

RFP at 165‑166,185.  

The agency’s evaluation of Dfuse’s proposal found that the pertinent technical narrative did not provide any information to establish that what its senior data management personnel worked on, referred to in the technical narrative as the “data warehouse,” was an information system, as the term is defined in the solicitation.[10]  COS at 13 . 

The agency also concluded that Dfuse’s proposal did not demonstrate design, build, test, or implementation experience as required by the solicitation.  Id. at 11‑18.  In this regard, the agency concluded that while the protester’s proposal did use terms such as “design,” “develop,” “testing,” and “implemented,” the proposal lacked detail and failed to demonstrate, in the pertinent technical narrative, the offeror’s experience performing those particular functions.  Id. at 11.  For example, the agency argues that Dfuse’s proposal does not address the process of how it implemented a software solution to one or more sets of problems, as the proposal “simply does not identify a problem, a software solution, nor an implementation process.”  Id. at 14.

The protester argues that “data warehouse” is an information system, as that term is defined in the RFP, by virtue of the fact that its senior data management personnel “performed data analysis, ETL [extract, transform and load] design, development, testing and maintenance.”  Comments at 2.  Dfuse also responds that the fact that it executed certain functions thereby demonstrated its experience in the “process of implementing software solutions to one or more sets of problems.”  Id. citing RFP at 166. 

We find that the agency reasonably determined that Dfuse’s proposal failed to identify the system in which it was required to demonstrate experience in design, build, test, and implementation, as an information system, as required by the solicitation.  RFP at 165.  Dfuse in its proposal referred to the system in which it worked in its applicable technical narrative, as a “data warehouse.”  The protester in its comments refers to a “[d]atawarehouse system,” rather than “data warehouse,” which is the phrase that is in the applicable technical narrative in Dfuse’s technical proposal.  Comments at 2.  It was Dfuse’s responsibility to prepare a well-written proposal.  Dfuse cannot now, in its comments, re-characterize its proposal in a manner not consistent with its initial proposal.  We find no basis to question the agency’s evaluation in this regard. 

Based on our review of the record, we also find that the agency reasonably determined that Dfuse’s technical narrative lacked necessary detail.  The agency found that Dfuse’s proposal included the recitation of certain actions that it performed in its technical narrative, but did not demonstrate “[t]he process of implementing software solutions to one or more sets of problems.”  RFP at 166.  While Dfuse’s proposal provides general statements and concludes that it has the required experience, its proposal does not provide sufficient information demonstrating its experience in the process of implementing software solutions to one or more sets of problems.  As a result, we find that Dfuse’s argument that it provided adequate detail, amounts to disagreement with the agency’s evaluation, which, without more, is insufficient to establish that the agency’s evaluation under this sub-element was unreasonable.  Trofholz Techs., Inc., B-404101, Jan. 5, 2011, 2011 CPD ¶ 144 at 3-4.

As stated above, in order to receive the 500 points available under the developing/implementation sub-element, offerors were required to demonstrate experience in all four areas of this sub-element.  Because we find reasonable the agency’s determination that the protester failed to demonstrate experience in the process of implementing software solutions to one or more sets of problems, we need not address the protester’s arguments with regard to the other areas of this sub‑element.  This protest ground is denied. 

Risk Management Sub-element of the Cybersecurity Element

Defuse also challenges the agency’s evaluation of its proposal under the risk management sub-element of the cybersecurity element.[11]  Protest at 6.  In order to receive the 500 hundred points available under this sub-element an offeror was required to:

Demonstrate knowledge and experience in incorporating risk management principles and information security requirements to prevent the loss of data Confidentiality, Integrity, and Availability using the following three (3) preventative technical controls; Authentication, Authorization, and Accountability.

RFP at 186.  The solicitation provided that the agency would not accept points claimed by the offeror if it did not address “all 3 risk management principles (Confidentiality, Integrity and Availability),” as well as “all 3 preventative technical controls (Authentication, Authorization and Accountability).”  Id. at 167.

In its protest, Dfuse argues that its proposal clearly demonstrates Dfuse’s experience incorporating the required risk management principles and the preventative controls to prevent the loss of data.  Protest at 6.  Dfuse further contends that the agency’s debriefing charts did not provide a “specific reason” as to why it determined that its proposal failed to demonstrate the required experience.  Id.  The agency report included a detailed response to Dfuse’s protest allegations under this sub-element.  For example, the agency stated that the protester used the solicitation’s definitions of risk management principles in its protest (Protest at 6), to claim experience that was not shown in Dfuse’s proposal narrative on its referenced project.  COS at 32-33. 

Rather than rebutting or responding to the agency report by, for example, identifying where to find the information the agency was seeking in its designated technical narrative, Dfuse provided the following statement regarding the agency’s evaluation of this sub‑element:

In the Agency Report, the USAF [United States Air Force] does not provide a specific reason as to why it believes that Dfuse’s proposal does not demonstrate the offeror’s experience incorporating all risk management principles and all information security requirements to prevent the loss of data.  The Agency merely states its judgment without providing the reason for arriving at the judgment.  Clearly, Dfuse must be awarded 500 points under this element [Sub-Element 2b].

Comments at 3 (emphasis in original).

As we have previously found, in responding to an agency report, protesters are required to provide a substantive response to the arguments advanced by the agency.  enrGies, Inc., B-408609.9, May 21, 2014, 2014 CPD ¶ 158 at 4.  Where a protester merely references earlier arguments advanced in an initial protest without providing a substantive response to the agency’s position, our Office will dismiss the referenced allegations as abandoned.  Id.  Here, Dfuse has not provided a substantive or meaningful response to the agency’s arguments on the merits regarding the evaluation of the risk management sub-element and its various parts.  We therefore dismiss this protest ground as abandoned.[12]  See 4 C.F.R. § 21.3(i)(3). 

Given our conclusion that the agency’s evaluation of these two sub-elements is reasonable, we need not address the other ten alleged evaluation errors because, even if it were to prevail on all of its additional allegations, its proposal would remain technically unacceptable. [13]  As stated above, a proposal needs to achieve a score of at least 4,200 points to receive a technical score of acceptable, and Dfuse’s technical proposal received a score of 2,000 points.  Even if our Office agreed with Dfuse that the other ten evaluation errors were in fact incorrect, this would only afford Dfuse an additional 2,050 points, for a total technical score of 4,050, which is 150 points below the score necessary for an acceptable score.

The protest is denied.

Thomas H. Armstrong
General Counsel



[1] Our Office did not issue a protective order in connection with this protest.  Accordingly, our discussion of some aspects of the evaluation is necessarily general in nature.

[2] Citations to the RFP are to the conformed copy provided by the agency.  AR, Tab 4, RFP.

[3] The solicitation stated that pursuant to “10 U.S.C. § 2305(a)(3)(C), as amended by Section 825 of the National Defense Authorization Act (NDAA) for Fiscal Year 2017, the Government will not evaluate cost or price for the IDIQ contract.  Cost or price to the Government will be considered in conjunction with the issuance of a task or delivery order under any contract awarded hereunder.”  RFP at 162.

[4] The technical experience factor was comprised of the following technical elements:  life-cycle software services; cybersecurity; IT business analysis; programming languages/frameworks; tools/software development methodologies; platforms/environments; database components; mobile/internet of things; server operating systems; and COTS/GOTS (government-off-the-shelf)/FOSS (free and open source software) software, as well as the non‑technical experience element of government facility clearance level.  Id. at 165-171. 

[5] The RFP’s instructions directed offerors to complete a cross-reference matrix, which was attached to the solicitation.  Id. at 146, 179-183.  The offeror’s cross‑reference matrix was required to demonstrate “traceability” between the offeror’s contract references.  An offeror’s cross-reference matrix was required to show “which contract references [were] used to satisfy each technical element and each past performance sub-factor.”  Id. at 146.

[6] The solicitation allowed offerors to provide up to six contract references, each of which was to have its own technical narrative, to demonstrate its technical experience.  RFP at 149.  Technical narratives were to be submitted in numerical order.  Id.

[7] The agency’s estimated value for all of the SBEAS contract awards is a maximum of $13.4 billion.  Contracting Officer’s Statement (COS) at 3. 

[8] CMMI is a process level improvement training and appraisal program that is administered by the CMMI Institute. 

[9] The RFP provided that each offeror must receive a confidence rating of “[s]atisfactory or higher” for each past performance subfactor in order to be eligible for award.  Id. at 164. 

[10] The solicitation in the Definition of Terms section defined information system (IS) as follows:

A discrete set information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.  IS can include as constituent components, a range of diverse computing platforms from high-end supercomputers to personal digital assistants and cellular telephones.  IS can also include very specialized systems and devices (e.g., telecommunications systems, industrial/process control systems, testing and calibration devices, weapons systems, command and control systems, and environmental control systems.)

RFP at 214.

[11] The cybersecurity element was comprised of two sub-elements:  vulnerabilities and threats, and risk management.  RFP at 167. 

[12] In any event, based on our review of the record, we find the agency evaluation of this sub-element to be reasonable.  For example the agency reasonably determined that Dfuse’s proposal described Dfuse’s knowledge of the risk management framework, but did not demonstrate what it did to incorporate all three preventative technical controls (authentication, authorization, and accountability) and did not demonstrate Dfuse’s experience with all three risk management principles (confidentiality, integrity and availability).  COS at 33.

[13]  Dfuse did not claim points for sub-elements 4c, 5b, 6c, 6d, 7b, 8a, nor 8c.  AR, Tab 6, Dfuse Vol. II Self-Scoring Worksheet at 4-5; Memorandum of Law (MOL) at 6 n.1.

May 17, 2019

May 16, 2019

May 15, 2019

  • AeroSage, LLC
    We deny the protest in part and dismiss the protest in part.
    B-417289.2

May 14, 2019

Looking for more? Browse all our products here