B-415716.20: Apr 5, 2019
- Full Report:
InfoPoint LLC, a small business of Livonia, Michigan, protests the exclusion of its proposal from the competition by the Department of the Air Force under request for proposals (RFP) No. FA8771-17-R-1000 for information technology (IT) services.
We deny the protest.
DOCUMENT FOR PUBLIC RELEASE
The decision issued on the date below was subject to a GAO Protective Order. This redacted version has been approved for public release.
Matter of: InfoPoint LLC
Date: April 5, 2019
Protest challenging the agency’s evaluation of protester’s proposal under the technical experience evaluation factor is denied where the record shows that the evaluation was reasonable and consistent with the solicitation.
InfoPoint LLC, a small business of Livonia, Michigan, protests the exclusion of its proposal from the competition by the Department of the Air Force under request for proposals (RFP) No. FA8771-17-R-1000 for information technology (IT) services.
We deny the protest.
On September 28, 2017, the Air Force issued the Small Business Enterprise Application Solutions (SBEAS) RFP, which was set aside for small businesses, pursuant to the procedures of Federal Acquisition Regulation part 15. Agency Report (AR), Tab 5, RFP at 162. The solicitation contemplated the award of 40 indefinite-delivery, indefinite-quantity (IDIQ) contracts with a 5-year base and 5-year option ordering period. Id. at 138-139, 162. The scope of the SBEAS RFP included a “comprehensive suite of IT services and IT solutions to support IT systems and software development in a variety of environments and infrastructures.” Id. at 130. Additional IT services in the solicitation included, but were not limited to, “documentation, operations, deployment, cybersecurity, configuration management, training, commercial off-the-shelf (COTS) product management and utilization, technology refresh, data and information services, information display services and business analysis for IT programs.” Id.
Proposals were to be evaluated based on two factors, technical experience and past performance. Id. at 164. The technical experience factor was comprised of ten technical elements and various sub-elements (each with a designated point value), and one non‑technical experience element. Id. at 165-171. The past performance factor was comprised of the following three subfactors in descending order of importance: life‑cycle software services, cybersecurity, and information technology business analysis. Id. at 164. Award was to be made on a past performance tradeoff basis among technically acceptable offerors, using the three past performance subfactors. Id. at 162.
Section L of the solicitation instructed offerors that “[t]he proposal shall be clear, specific, and shall include sufficient detail for effective evaluation and for substantiating the validity of stated claims.” Id. at 142. Offerors were instructed to not simply rephrase or restate requirements, but to “provide [a] convincing rationale address[ing] how the [o]fferor’s proposal meets these requirements.” Id. The RFP also instructed offerors to assume that the agency has no knowledge of the offeror’s facilities and experience, and would “base its evaluation on the information presented in the [o]fferor’s proposal.” Id.
The solicitation provided that offerors should submit their proposals in four volumes: capability maturity model integration (CMMI) documentation, technical experience, past performance, and contract documentation. Id. at 145. As relevant to this protest, the technical volume was to contain a table of contents, a cross-reference matrix, a glossary of terms, a self-scoring worksheet, and technical narratives.  Id. at 149. The RFP instructed offerors to describe, in their technical narratives, experience that supports the technical element points claimed in the self-scoring worksheet. Id.
The solicitation stated that the agency intended to evaluate proposals and make awards without discussions to the offerors deemed responsible, and whose proposals conformed to the solicitation’s requirements and were judged, based on the evaluation factors, to represent the best value to the government. Id. at 163.
Section M of the solicitation established a tiered evaluation process. Id. at 163-164. The first step of the evaluation was a CMMI appraisal, which required offerors to be certified at level 2 in CMMI. Id. If an offeror passed the CMMI appraisal as level 2 certified, the agency would then evaluate an offeror’s technical experience using the self‑scoring worksheet and technical narratives provided by the offeror. Id. at 164. The solicitation provided that technical experience would receive an adjectival rating of acceptable or unacceptable. Id. at 164-165. A proposal would be considered acceptable when it attained 4,200 points per the self-scoring worksheet, and was “verified per the technical narratives.” Id. at 165.
In the event that technical experience was evaluated as acceptable, the agency would then evaluate the offeror’s past performance. Id. at 164. The agency would review the accompanying past performance narratives and evaluate each offeror’s past performance references for recency, relevancy, and quality. Id. at 172.
InfoPoint timely submitted its proposal in response to the solicitation. On December 18, the agency notified InfoPoint that its proposal was considered technically unacceptable and had been eliminated from further consideration because its proposal, which received a score of 3,850 points, did not receive the minimum required 4,200 points under the technical experience factor. AR, Tab 8, Agency Notification Memorandum to InfoPoint (Dec. 18, 2018).On December 28, InfoPoint filed this protest with our Office.
InfoPoint protests the agency’s exclusion of its proposal from the competition, alleging that the agency failed to properly evaluate its proposal under the technical experience factor. Specifically, the protester argues that the agency unreasonably deducted points under four sub-elements under two separate elements, and that the agency’s evaluation ignored portions of its proposal that supported its experience. Protest at 2. Because the RFP provided that an offeror must score a minimum of 4,200 points to be rated technically acceptable, for the reasons discussed below we need only address the agency’s evaluation of InfoPoint’s proposal with regard to the risk management sub‑element of the cybersecurity element, and the mainframe, mid-tier/client-server, or web services sub‑element of the platforms/environments element.
Our Office will examine an agency’s evaluation of an offeror’s technical experience only to ensure that it was reasonable and consistent with the stated evaluation criteria and applicable statutes and regulations. See Shumaker Trucking & Excavating Contractors, Inc., B-290732, Sept. 25, 2002, 2002 CPD ¶ 169 at 3. A protester’s disagreement with a procuring agency’s judgment, without more, is insufficient to establish that the agency acted unreasonably. WingGate Travel, Inc., B-412921, July 1, 2016, 2016 CPD ¶ 179 at 4-5. In addition, it is an offeror’s responsibility to submit an adequately written proposal with adequately detailed information which clearly demonstrates compliance with the solicitation requirements and allows a meaningful review by the procuring agency. See International Med. Corps, B-403688, Dec. 6, 2010, 2010 CPD ¶ 292 at 8. An offeror’s technical evaluation is dependent on the information furnished, and an offeror that fails to submit an adequately written proposal runs the risk of having its proposal downgraded. LOGMET, B-400535, Oct. 30, 2008, 2008 CPD ¶ 199 at 3.
Risk Management Sub-element of the Cybersecurity Element
InfoPoint challenges the agency’s evaluation of its proposal under the risk management sub-element of the cybersecurity element. Protest at 5. In order to receive the 500 points available under this sub-element the offeror was required to:
[D]escribe its knowledge and experience in incorporating risk management principles and information security requirements to prevent the loss of data Confidentiality, Integrity, and Availability using the following three (3) preventative technical controls; Authentication, Authorization, and Accountability (Nonrepudiation) (SOO [Statement of Objectives] Section 3.1.10).
RFP at 151. The solicitation provided that the agency would evaluate offerors’ “demonstrated knowledge and experience” with the requirements stated above and it would not accept points claimed by the offeror if the offeror did not address “all 3 risk management principles (Confidentiality, Integrity and Availability),” as well as “all 3 preventative technical controls (Authentication, Authorization and Accountability).” Id. at 167.
InfoPoint argues that the agency unreasonably determined that its proposal failed to demonstrate its experience incorporating confidentiality, integrity, availability, authentication, authorization or accountability, as the terms are defined in the solicitation. The protester states that its proposal “adequately, and in great detail, reflect[ed] ‘demonstrated knowledge and experience in incorporating risk management principles and information security requirements.’” Comments at 5. InfoPoint maintains that its proposal included two technical narratives (TNs), 2 and 4, that involved “high‑profile and national security focused” programs which demonstrated InfoPoint’s prime contractor experience providing cybersecurity solutions. Protest at 6. The protester further explains that both TNs “utilized the [r]isk [m]anagement [f]ramework” to protect and prevent loss of data for their information systems. Id.
The agency contends that InfoPoint’s proposal did not demonstrate its experience incorporating risk management principles and information security requirements to prevent the loss of data confidentiality, integrity and availability. AR, Tab 7, Technical Evaluation at 7. The agency argues that this sub-element required offerors to “demonstrate knowledge and experience in incorporating risk management principles and information security requirements,” which required more than demonstrating knowledge or understanding of the cybersecurity principles and requirements. COS/MOL at 13 citing RFP at 167. The agency further explains that this sub-element required an offeror to detail its real‑world experience in authentication, authorization, and accountability controls to prevent the loss of data confidentiality, integrity, and availability. RFP at 167, COS/MOL at 13. The agency concluded that InfoPoint’s technical narratives “lacked specific examples showing where it implemented--not just managed--cybersecurity measures and it failed to state how these security measures prevented the loss of data.” Id. at 12. In this regard, the agency explains that while both of InfoPoint’s TNs demonstrated its knowledge of the cybersecurity principles and preventative controls, that neither of its TNs demonstrated how InfoPoint implemented a technical control or how its experience prevented the loss of data confidentiality, integrity and availability, as required by the RFP. COS/MOL at 13.
For example, TN 2’s discussion of confidentiality, integrity, and availability included the following:
Based on our RMF [risk management framework] experience, we developed, published, and maintained procedures for monitoring controls across the enterprise. These procedures [DELETED] to the maximum extent possible, thus reducing costs. We continually sought opportunities for [DELETED].
AR, Tab 4, InfoPoint’s Proposal Vol. II, Technical Experience at 18. The agency maintains that, while InfoPoint’s experience developing procedures and supporting solutions demonstrates its knowledge of the concepts, it does not demonstrate InfoPoint’s experience in incorporating all three risk management principles, confidentiality, integrity and availability, as the terms are defined in the solicitation. AR, Tab 7, Technical Evaluation at 7.
The agency similarly concluded that TN 4 lacked sufficient detail and failed to demonstrate InfoPoint’s experience in incorporating risk management principles and information security requirements. TN 4 described InfoPoint’s experience assisting the Air Force National Capital Region to implement policies and an information assurance program for RMF by providing a “[DELETED]” that provides technical assessment services. AR, Tab 4, InfoPoint’s Proposal Vol. II, Technical Experience at 23, 24. The agency contends that this TN included “general statements about [its] overall responsibilities,” but did not demonstrate InfoPoint’s experience incorporating the technical controls to prevent the loss of data confidentiality, integrity, or availability. AR, Tab 7, Technical Evaluation at 8. The agency argues that while InfoPoint states in this technical narrative that it “demonstrate[d] Defense-in-Depth through system patching, system hardening, and continuous system monitoring,” that simply stating “system patching, system hardening, and continuous system monitoring,” without providing further context, does not show InfoPoint’s experience with the evaluation criteria for risk management. COS/MOL at 15 citing AR, Tab 4, InfoPoint’s Proposal Vol. II, Technical Experience at 24.
Finally, InfoPoint’s protest included tables, not provided to the agency as part of its proposal, to crosswalk the relevant portions of its TNs to the required risk management principles and RMF controls. Protest at 11-14. The agency maintains that this information is simply an attempt “to supplement” its proposal with information it did not provide as part of its proposal. COS/MOL at 17. In this regard, the agency explains that InfoPoint’s proposal did not “reference a single RMF control, let alone what controls were required” for the programs referenced in TNs 2 and 4. Id. The agency further contends that the tables provided excerpts from InfoPoint’s technical narratives with no context, and failed to show how InfoPoint’s proposal satisfied the evaluation criteria for this sub-element.
Based on our review of the record, we find reasonable the agency’s evaluation of this sub-element. The agency reasonably determined that the protester’s proposal lacked specific information demonstrating InfoPoint’s experience with all three risk management principles (confidentiality, integrity and availability), as well as how it incorporated all three preventative technical controls (authentication, authorization, and accountability). While the protester now, with the tables provided as part of its protest, seeks to explain how its technical narratives met the requirements of the solicitation, we find that much of this information was not included in its proposal. As noted above, offerors are responsible for submitting well-written proposals with adequately-detailed information that allows for a meaningful review by the procuring agency. Government Telecomms., Inc., B-299542.2, June 21, 2007, 2007 CPD ¶ 136 at 5. The additional information provided by InfoPoint in its protest does not compensate for the lack of explanation in InfoPoint’s proposal. We find no basis to question the agency’s evaluation in this regard.
Mainframe, Mid-tier/Client-Server, or Web Services Sub‑element of the Platforms/Environments Element
InfoPoint next challenges the agency’s evaluation of its proposal under the mainframe, mid-tier/client-server, or web services sub-element of the platform/environments element. In order to receive the 100 points available under this sub-element, an offeror was required to demonstrate that it had “[i]mplemented an IS [information system] into any of the following: mainframe, mid-tier/client server, web services.” RFP at 169.
The RFP defined implementation as follows:
Planning; coordinating; scheduling; deploying/installing (or providing all needed technical assistance to deploy/install) and transitioning a technical solution (e.g. information system) into the operational environment. Implementation services also include performing data conversion before loading data into the system and training appropriate personnel on the operation and use of the technical solution.
RFP at 213.
InfoPoint argues that the agency’s finding that its proposal did not demonstrate its experience implementing an IS into a mainframe, mid-tier/client-server, or web service was unreasonable. The protester maintains that it demonstrated its experience in implementing an IS into a mid‑tier/client server in TN 3 of its proposal. Protest at 16‑17; Comments at 7. InfoPoint contends that it provided detail throughout its cited technical narratives describing its experience in all of the stages of implementation as defined above. Id. InfoPoint maintains that while all of the information may not have been included in the section of its technical narrative regarding this particular sub‑element, this information was nonetheless found within this technical narrative, when viewed as a whole. Id. The protester argues that the agency improperly ignored information in its proposal simply because it did not appear within a particular subsection of the technical narrative. Protest at 16. InfoPoint also maintains that it did not reiterate all 5-steps of implementation as laid out in the RFP, under each sub‑element due to the 20-page limitation for the technical experience volume. Comments at 7.
The agency responds that the RFP required offerors to identify an information system that was either a mainframe, mid‑tier/client‑server or one that used web services, and explain the process of making it operational in the real‑world. The agency contends that TN 3 lacked the detail required to establish implementation as required in the RFP. The agency provides that it considered the totality of InfoPoint’s narrative in evaluating this sub-element, but did not find that InfoPoint demonstrated its experience implementing an IS as required by the RFP. COS/MOL at 28. The agency states that InfoPoint’s narrative, which involved a contract for the maintenance and enhancement of the Defense Security Assistance Management System (DSAMS), a mid-tier/client-server application supporting the Defense Security Cooperative Agency (DSCA), provided only a “broad overview” of implementation regarding a mid-tier server. Id. at 29.
For example, the agency notes that while InfoPoint described its work in this technical narrative as involving a three‑tiered client/server system comprised of a [DELETED], the technical narrative did not show a “complete mid-tier/client-server solution.” Id. citing AR, Tab 4, InfoPoint’s Proposal Vol. II, Technical Experience at 21. Rather, InfoPoint’s proposal only addressed the implementation of two components of the three-tier architecture ([DELETED]). COS/MOL at 29-30. The agency argues that because InfoPoint’s proposal failed to address the third component (i.e. [DELETED]), its explanation of implementation is incomplete. Id. The agency states that rather than providing information on how InfoPoint planned, scheduled, deployed, or installed the software (i.e. [DELETED]) onto a government workstation, the protester’s proposal stated that “DSAMS users access the system through a [DELETED].” COS/MOL at 30 citing AR, Tab 4, InfoPoint’s Proposal Vol. II, Technical Experience at 21. The agency states that by omitting this information InfoPoint failed to demonstrate its experience implementing the IS into the client-server architecture and the agency was therefore unable to verify the 100 points that InfoPoint claimed for this sub-element.
In sum, we find reasonable the agency’s categorization of InfoPoint’s response under this sub‑element as a “broad overview”. In this regard, we find that the agency reasonably concluded that the protester’s proposal did not demonstrate InfoPoint’s experience implementing an IS into a mid‑tier/client-server because InfoPoint’s proposal failed to include adequate detail, such as addressing the third component of its three‑tier architecture. As a result, this protest ground is denied.
Given our conclusion that the agency’s evaluation of these two sub-elements is reasonable, we need not address the other two alleged evaluation errors. Even if InfoPoint was to prevail on all of its additional allegations, its proposal would remain technically unacceptable. As stated above, to be considered technically acceptable, a proposal must achieve a score of at least 4,200 points, and InfoPoint’s technical proposal received a score of 3,850 points. Even if our Office agreed with InfoPoint that the other two evaluation findings were in fact incorrect, this would only afford InfoPoint an additional 300 points, leading to a technical score of 4,150, which is 50 points below the minimum acceptable score.
The protest is denied.
Thomas H. Armstrong
 Citations to the RFP are to the conformed copy provided by the agency. AR, Tab 3, RFP.
 The solicitation stated that pursuant to “10 U.S.C. § 2305(a)(3)(C), as amended by Section 825 of the National Defense Authorization Act (NDAA) for Fiscal Year 2017, the Government will not evaluate cost or price for the IDIQ contract. Cost or price to the Government will be considered in conjunction with the issuance of a task or delivery order under any contract awarded hereunder.” RFP at 162.
 The technical experience factor was comprised of the following technical elements: life-cycle software services; cybersecurity; IT business analysis; programming languages/frameworks; tools/software development methodologies; platforms/environments; database components; mobile/internet of things; server operating systems; and COTS/GOTS (government-off-the-shelf)/FOSS (free and open source software) software, as well as the non‑technical experience element of government facility clearance level. Id. at 165-171.
 The RFP’s instructions directed offerors to complete a cross-reference matrix, which was attached to the solicitation. Id. at 146, 179-183. The offeror’s cross‑reference matrix was required to demonstrate “traceability” between the offeror’s contract references. An offeror’s cross-reference matrix was required to show “which contract references [were] used to satisfy each technical element and each past performance sub-factor.” Id. at 146.
 The solicitation allowed offerors to provide up to six contract references, each of which was to have its own technical narrative, to demonstrate its technical experience. RFP at 149. Technical narratives were to be submitted in numerical order. Id.
 The agency’s estimated value for all of the SBEAS contract awards is a maximum of $13.4 billion. Combined Contracting Officer’s Statement and Memorandum of Law (COS/MOL) at 3.
 CMMI is a process level improvement training and appraisal program that is administered by the CMMI Institute.
 The RFP provided that each offeror must receive a confidence rating of “[s]atisfactory or higher” for each past performance subfactor in order to be eligible for award. Id. at 164.
 InfoPoint’s protest raised numerous allegations. While our decision here does not specifically address every argument, we have considered all of the protester’s assertions and find none furnish a basis for sustaining the protest.
 The cybersecurity element was comprised of the following two sub-elements: vulnerabilities and threats, and risk management. RFP at 151.
 This element was comprised of four sub-elements: mainframe, mid-tier/client-server, or web services; customer’s facility; commercial, non‑commercial, or hybrid cloud; and Defense Information Systems Agency [DISA] Enterprise Computing Center [DECC] or Department of Defense [DOD] Computing Facility. RFP 169-170.
 InfoPoint for the first time in its comments, cites to specific information throughout TN 3 that it contends demonstrates its experience in the various stages of implementation, which it argues the agency failed to consider in its evaluation. Under our Bid Protest Regulations, protests based on other than solicitation improprieties must be filed within 10 days of when the protester knew or should have known their basis. 4 C.F.R. § 21.2(a)(2). Our regulations do not contemplate the piecemeal presentation or development of protest issues; where a protester raises a broad ground of protest in its initial submission but fails to provide details within its knowledge until later, so that a further response from the agency would be needed to adequately review the matter, these later issues will not be considered. 22nd Century Technologies, Inc., B-413210, B‑413210.2, Sept. 2, 2016, 2016 CPD ¶ 306 at 7. Although InfoPoint’s initial protest generally asserts that the agency unreasonably evaluated its proposal by not evaluating the technical narrative as a whole, the protester failed to provide information regarding the specific information it believed demonstrated its experience in implementation until it filed its comments. Accordingly, these protest grounds are dismissed as untimely.
 According to the agency, [DELETED]. COS/MOL at 29 n.7. The agency states that an example of a [DELETED] would be installing software on a user’s computer. Id.
 InfoPoint also contends that the RFP only required offerors to “discuss their experience with implementation,” with regard to one type of environment, and maintains that the agency applied an unstated evaluation criteria by requiring offerors to demonstrate a 5-step discussion of “planning,” “coordinating,” “scheduling,” “deployment/installation,” and “transition” activities of a technical solution in a particular operating environment in order to receive the 100 points for this sub-element. Protest at 15; Comments at 6. However, as explained in detail above, the RFP expressly defined implementation as including “[p]lanning; coordinating; scheduling; deploying/installing (or providing all needed technical assistance to deploy/install) and transitioning a technical solution (e.g. information system) into the operational environment.” RFP at 213. In light of the solicitation’s precise definition of implementation, we cannot conclude that the evaluation was unreasonable. Biswas Information Technology Solutions, Inc., B-414760.3, B-414760.4, Oct. 5, 2018, 2018 CPD ¶ 332 at 10 n.4.
 To the extent that InfoPoint attributes the lack of specificity in its proposal to the solicitation’s page limitations, this alleged apparent solicitation impropriety should have been protested before the closing time for receipt of proposals under our Bid Protest Regulations. 4 C.F.R. ¶ 21.2(a)(1). We further note that InfoPoint’s proposal utilized 16 of the 20 pages allotted for its technical experience volume. AR, Tab 4, InfoPoint’s Proposal Vol. II, Technical Experience.