OSC-NDF, LLC

DOCUMENT FOR PUBLIC RELEASE
The decision issued on the date below was subject to a GAO Protective Order. This redacted version has been approved for public release.

Decision

Matter of: OSC-NDF, LLC

File: B-415716.21

Date: April 10, 2019

Stuart W. Turner, Esq., and Michael Samuels, Esq., Arnold & Porter Kaye Scholer, LLP, for the protester.
Alexis J. Bernstein, Esq., Jason R. Smith, Esq., and Frank D. Hollifield, Esq., Department of the Air Force, for the agency.
Katherine I. Riback, Esq., and Amy B. Pereira, Esq., Office of the General Counsel, GAO, participated in the preparation of the decision.

DIGEST

Protest challenging the agency's evaluation of protester's proposal under the past performance evaluation factor is denied where the record shows that the evaluation was reasonable and consistent with the solicitation.

DECISION

OSC-NDF, LLC, a small business of Atlanta, Georgia, protests the exclusion of its proposal from the competition by the Department of the Air Force under request for proposals (RFP) No. FA8771-17-R-1000 for information technology (IT) services.

We deny the protest.

BACKGROUND

The RFP, known as the Small Business Enterprise Application Solutions (SBEAS) solicitation, set aside for small businesses, was issued on September 28, 2017, pursuant to the procedures of Federal Acquisition Regulation (FAR) part 15, and contemplated the award of 40 multiple-award, indefinite-delivery, indefinite-quantity (IDIQ) contracts. Agency Report (AR), Tab 7, RFP at 162.¹ The scope of the SBEAS RFP, as stated in the statement of objectives (SOO), included a "comprehensive suite of IT services and IT solutions to support IT systems and software development in a variety of environments and infrastructures." Id. at 130. Additional IT services in the solicitation included, but were not limited to, "documentation, operations, deployment, cybersecurity, configuration management, training, commercial off-the-shelf (COTS) product management and utilization, technology refresh, data and information services, information display services and business analysis for IT programs." Id. Proposals were to be evaluated based on technical experience and past performance factors. Id. at 142. The past performance factor was comprised of the following three subfactors in descending order of importance: life-cycle software services, cybersecurity, and information technology business analysis.²Id. at 164. Award was to be made on a past performance tradeoff basis among technically acceptable offerors, using the three past performance subfactors. Id. at 162.

Section L of the solicitation instructed offerors that "[t]he proposal shall be clear, specific, and shall include sufficient detail for effective evaluation and for substantiating the validity of stated claims." Id. at 142. Offerors were instructed to not simply rephrase or restate requirements, but to "provide [a] convincing rationale to address how the [o]fferor's proposal meets these requirements." Id. The RFP also instructed offerors to assume that the agency has no knowledge of the offeror's facilities and experience, and would "base its evaluation of the information presented in the [o]fferor's proposal." Id. The solicitation provided that offerors should submit their proposals in four volumes: capability maturity model integration (CMMI) documentation, technical experience, past performance, and contract documentation. Id. at 145.

The RFP's instructions also directed offerors to complete a cross-reference matrix, which was attached to the solicitation. Id. at 146, 179-183. The offeror's cross-reference matrix was required to demonstrate "traceability" between the offeror's contract references. An offeror's cross-reference matrix was required to show "which contract references [were] used to satisfy each technical element and each past performance sub-factor." Id. at 146.

As relevant to this protest, the past performance volume was to include the cross-reference matrix, described above, past performance narratives (PPNs) for each of up to six contract references, and contractor performance assessment reports (CPARs) or past performance questionnaires (PPQs).³ Id. at 155-156. The past performance narratives were to describe how the offeror's past performance supported the three past performance subfactors. Id. at 156-158.

The solicitation stated that the agency intended to evaluate proposals and make awards without discussions to the offerors deemed responsible, and whose proposals conformed to the solicitation's requirements and were judged, based on the evaluation factors, to represent the best value to the government.⁴ Id. at 163.

Section M of the solicitation set up a tiered evaluation process. Id. at 163-164. The first step of the evaluation was a CMMI appraisal, which required offerors to be certified at level 2 in CMMI.⁵ Id. If an offeror passed the CMMI appraisal as level 2 certified, the agency would then evaluate an offeror's technical experience (factor 1) using the self-scoring worksheet and technical narratives provided by the offeror.⁶ Id. at 164.

In the event that technical experience was evaluated as acceptable, then the agency would evaluate the offeror's past performance for recency, relevancy and quality. Id. at 172. The agency would first review the accompanying PPNs for recency.⁷ Next, the agency would use the PPNs to evaluate relevancy. Id. Each past performance subfactor would receive a relevancy rating of very relevant, relevant, somewhat relevant or not relevant depending on whether the offeror demonstrated past performance regarding certain SOO sections identified for each past performance subfactor. Id. at 176.

The agency would then assess "all past performance information collected" and assign a performance quality rating of acceptable or unacceptable for each subfactor. Id. at 173. The solicitation provided that in making this quality assessment the agency would review the PPQs and/or CPARs it received, "as well as other relevant CPARs available to the Government." Id. at 173.

These ratings would then be rolled up into a performance confidence assessment rating for each subfactor of substantial confidence, satisfactory confidence, neutral confidence, limited confidence, or no confidence. Id. at 177. The RFP provided that each offeror must receive a confidence rating of "[s]atisfactory or higher" for each past performance subfactor in order to be eligible for award.⁸ Id. at 164. The solicitation stated that to receive a satisfactory confidence rating at the subfactor level, an offeror's past performance must be recent, relevant and of acceptable quality. Id. at 178.

OSC-NDF timely submitted its proposal in response to the solicitation. On December 21, the agency notified OSC-NDF that its proposal received an acceptable rating under the technical experience factor. AR, Tab 12, OSC-NDF Notification Memorandum at 1. Regarding past performance, the agency's notification to OSC-NDF indicated that the firm received performance confidence assessment ratings of substantial confidence under the cybersecurity subfactor and limited confidence under the life-cycle software services and information technology business analysis subfactors. Id. at 2. The agency noted that the solicitation provided that the "Government will not award to any offeror that receives a Past Performance Confidence Rating below Satisfactory for any of the Past Performance subfactors." Id. citing RFP at 226. Because OSC-NDF received performance confidence assessment ratings below satisfactory, as defined by the RFP, for two of the past performance subfactors, the agency determined that OSC-NDF was ineligible for award. Id. Following a written debriefing on December 21, OSC-NDF filed this protest with our Office on December 31.

DISCUSSION

OSC-NDF challenges the agency's exclusion of its proposal from the competition, alleging that the agency failed to properly evaluate its proposal under two of the past performance subfactors. Specifically, the protester contends that the agency "ignored the plain text of OSC-NDF's proposal and imposed requirements not found in the [s]olicitation." Protest at 2. OSC-NDF contests the agency's evaluation of eight of the fourteen sub-elements of the life-cycle subfactor, and the service desk, field and technical support (SOO section 3.2.3) requirement of the information technology business analysis subfactor.⁹Id. at 10-34. While OSC-NDF protests the agency's evaluation of its proposal under two of the past performance subfactors, the RFP provided that a rating below satisfactory in any one of the past performance subfactors would render OSC-NDF's proposal ineligible for award. Therefore, for the reasons discussed below, we need only address the agency's evaluation of OSC-NDF's proposal with regard to the information technology business analysis subfactor.

The information technology business analysis subfactor instructed offerors to describe their past performance in two areas: IT business analysis and functional business area expertise; and service desk, field and technical support (SOO section 3.2.3). RFP at 159. As part of addressing the area of service desk, field and technical support, offerors were required to demonstrate past performance in each of the following five elements: access management, event management, incident management, problem management, and request fulfillment. Id. at 175.

In order to receive a rating of very relevant under this subfactor, offerors were required to demonstrate past performance in at least two functional business areas of expertise and in all five elements of service desk field and technical support listed in SOO section 3.2.3. Id. at 175. To receive a rating of relevant, offerors were required to demonstrate past performance with one functional business area of expertise and all five of the service desk field and technical support elements listed in SOO section 3.2.3; to receive a rating of somewhat relevant, offerors were required to demonstrate past performance in one functional business area of expertise or all five of the service desk field and technical support elements listed in SOO section 3.2.3; a rating of not relevant was for offerors who failed to demonstrate past performance in at least one functional business area of expertise or all five of the service desk field and technical support elements listed in SOO section 3.2.3. Id.

As stated above, an offeror's past performance was evaluated for recency, relevance and quality. Id. at 177. The RFP provided that in order to receive a rating of satisfactory confidence under this subfactor, an offeror's past performance must be evaluated as recent and relevant with acceptable quality.¹⁰ Id. at 178.

The agency evaluated OSC-NDF's past performance narratives and determined that its proposal failed to demonstrate past performance for the following elements: access management, incident management, and request management, as defined in the RFP's definition of terms. The agency assigned OSC-NDF's proposal a relevancy rating of somewhat relevant, and a performance confidence assessment rating of limited confidence. AR, Tab 11, Agency Evaluation of OSC-NDF's Proposal, at 22.

Our Office will examine an agency's evaluation of an offeror's past performance only to ensure that it was reasonable and consistent with the stated evaluation criteria and applicable statutes and regulations. Kiewit Infrastructure West Co., B-415421, B-415421.2, Dec. 28, 2017, 2018 CPD ¶ 55 at 8. A protester's disagreement with a procuring agency's judgment, without more, is insufficient to establish that the agency acted unreasonably. WingGate Travel, Inc., B-412921, July 1, 2016, 2016 CPD ¶ 179 at 4-5. Moreover, it is an offeror's responsibility to submit an adequately written proposal; this includes adequate information relating to the offeror's past performance. Wolf Creek Federal Servs., Inc., B-409187 et al., Feb. 6, 2014, 2014 CPD ¶ 61 at 8. An offeror failing to submit an adequately written proposal runs the risk that its proposal will be evaluated unfavorably. Id.

OSC-NDF challenges the agency's determination that its proposal did not demonstrate access management with regard to the service desk field and technical support elements listed in SOO section 3.2.3. Specifically, OSC-NDF contests the agency's conclusion that its relevant past performance in PPN 4, which involved the U.S. Army Civil Affairs and Psychological Operations Command (USACAPOC), did not demonstrate access management. Protest at 30. According to OSC-NDF, its proposal demonstrated past performance providing access management because PPN 4 reflected that the firm "established access control software, monitored that function and required all users to maintain a valid account," and granted access to user accounts where the access level had been validated through the customer. Id. at 30-31.

The RFP defined access management as follows:

The process of granting authorized users the right to use a service while preventing access to non-authorized users. The process provides the ability to control and track who has access to data and services ("who" may be another system, service, or process, as well as an individual). It contributes to achieving the appropriate confidentiality, availability, and integrity of the command's data and includes levels of access to the service catalog for requesting services, access to data, and access to facilities.

RFP at 215.

In support of its contention, OSC-NDF also cites to the following language in PPN 4:

Access Management. Our service desk provides full lifecycle access management and application software and/or hardware support to callers; including addressing more complex hardware and operating system software problems [DELETED] to [DELETED] which are handled by our [DELETED]. All users require an account to access the system and must have a [DELETED] access request Navy on file to be granted an account. The access level granted to an account is validated through the customer.

AR, Tab 8, OSC-NDF's Proposal, Vol. III, Past Performance at 31. The protester contends that it only "granted" access to user accounts where the "access level" had been "validated through the customer." Protest at 30-31. According to OSC-NDF, the solicitation did not require "any additional detail" beyond what it provided. Id. at 31.

The agency states that OSC-NDF, in its protest, mischaracterizes its proposal when it states that OSC-NDF "established access control software, monitored that function and required all users to maintain a valid account." COS/MOL at 40 citing Protest at 30-31. Rather, the agency notes that OSC-NDF's proposal provides in its PPN 4 that it "transformed the USACAPOC service desk from a poorly documented, disjointed implementation," that was lacking a ticketing system, and that it created an IT infrastructure library service operations lifecycle process that demonstrated certain competencies, including access management. COS/MOL at 40 citing AR, Tab 8, OSC-NDF's Proposal, Vol. III, Past Performance at 31. The agency found that OSC-NDF's PPN 4 in fact "reflects [that] OSC-NDF provided service desk support to callers," rather than creating and monitoring access control software.¹¹ COS/MOL at 40.

The agency also argues that OSC-NDF's proposal did not demonstrate OSC-NDF performing access management for USACAPOC as defined in the RFP, by using a "process of granting authorized users the right to use a service while preventing access to non-authorized users." COS/MOL at 40 citing RFP at 215. The agency provides that while OSC-NDF's proposal states that it has an access process, its proposal did not demonstrate the offeror using the process.¹² AR, Tab 11, Agency Evaluation of OSC-NDF's Proposal, at 20.

Based on our review of the record, the agency reasonably evaluated OSC-NDF's proposal under the access management element of the service desk, field and technical support requirement. The agency reasonably concluded that OSC-NDF failed to provide the information required in sufficient detail so that the agency could determine that it had provided all aspects of IT service desk access management, as defined in the solicitation. Specifically, the agency found that while OSC-NDF's proposal discussed that it has an access process, it failed to demonstrate its use of that process. We note that the solicitation specifically required that offerors demonstrate access management in "sufficient detail" that would allow the agency to substantiate the validity of the stated claims. RFP at 142.

As stated above, an offeror is responsible for affirmatively demonstrating the merits of its proposal and risks rejection of its proposal if it fails to do so. Intelligent Decisions, Inc., et al., B-409686 et al., July 15, 2014, 2014 CPD ¶ 213 at 8. The agency reviewed OSC-NDF's proposal and found that it lacked detail that the solicitation required. While OSC-NDF contests the agency's evaluation in this regard, we find its arguments amount to disagreement with the agency evaluation which, by itself, is not sufficient to establish that the evaluation was unreasonable. This protest ground is denied.

OSC-NDF also challenges the reasonableness of the agency's evaluation of its proposal under the information technology business analysis subfactor with regard to incident management and request management, as defined in the RFP. The RFP provided that to be rated relevant under this subfactor, an offeror was required to demonstrate past performance in one functional business area of expertise and all five elements of service desk, field and technical support described in SOO section 3.2.3. Because we find reasonable the agency's determination that OSC-NDF failed to demonstrate past performance in access management, we need not address its challenges to the agency's evaluation of its proposal with regard to incident management or request management. Even if the protester were to prevail in these two areas, according to the terms of the solicitation, it could not receive a rating of relevant under this subfactor, which is required to receive a satisfactory confidence rating.

Given our conclusion that the agency reasonably evaluated OSC-NDF's proposal under the information technology business analysis subfactor as providing limited confidence and given that a performance confidence assessment rating lower than satisfactory confidence in any subfactor rendered the proposal ineligible for award, we need not address OSC-NDF's allegations regarding the lifecycle software services subfactor. Even if OSC-NDF were to prevail on the grounds related to the life-cycle software services subfactor, it would not be eligible for award.

The protest is denied.

Thomas H. Armstrong
General Counsel