Strategic Services and Solutions, JV
B-415716.38: Dec 4, 2019
Strategic Services and Solutions, JV (Space-S3), a service-disabled veteran-owned small business joint venture (JV) of Bellevue, Nebraska, protests the decision by the Department of the Air Force to exclude its proposal from competition under request for proposals (RFP) No. FA8771-17-R-1000 for information technology (IT) services. The protester maintains that the agency unreasonably excluded its proposal from competition.
We deny the protest.
DOCUMENT FOR PUBLIC RELEASE
The decision issued on the date below was subject to a GAO Protective Order. This redacted version has been approved for public release.
Matter of: Strategic Services and Solutions, JV
Date: December 4, 2019
Protest challenging the agency’s evaluation of protester’s proposal under the past performance evaluation factor is denied where the record shows that the evaluation was reasonable and consistent with the solicitation.
On September 28, 2019, the agency issued the RFP, known as the Small Business Enterprise Application Solutions (SBEAS) solicitation, as a set-aside for small businesses, pursuant to the procedures of Federal Acquisition Regulation part 15. The solicitation contemplated the award of 40 multiple-award, indefinite‑delivery, indefinite‑quantity (IDIQ) contracts. AR, Tab 5, RFP at 162. The scope of the SBEAS RFP included a “comprehensive suite of IT services and IT solutions to support IT systems and software development in a variety of environments and infrastructures.” Id. at 130. Additional IT services in the solicitation included, but were not limited to, “documentation, operations, deployment, cybersecurity, configuration management, training, commercial off-the-shelf (COTS) product management and utilization, technology refresh, data and information services, information display services and business analysis for IT programs.” Id.
Proposals were to be evaluated based on technical experience and past performance factors. Id. at 142. The past performance factor was comprised of the following three subfactors in descending order of importance: life-cycle software services, cybersecurity, and information technology business analysis. Id. at 164. Award was to be made on a past performance tradeoff basis among technically acceptable offerors, using the three past performance subfactors. Id. at 162.
Section L of the solicitation instructed offerors that “[t]he proposal shall be clear, specific, and shall include sufficient detail for effective evaluation and for substantiating the validity of stated claims.” Id. at 142. Offerors were instructed to not simply rephrase or restate requirements, but to “provide [a] convincing rationale to address how the [o]fferor’s proposal meets these requirements.” Id. The solicitation provided that offerors should submit their proposals in four volumes: capability maturity model integration (CMMI) documentation, technical experience, past performance, and contract documentation. Id. at 145.
As relevant to this protest, the past performance volume was to include a cross‑reference matrix, past performance narratives (PPNs) for each of up to six contract references, and contractor performance assessment reports or past performance questionnaires. Id. at 155-156. The past performance narratives were to describe how the offeror’s past performance supported the three past performance subfactors. Id. at 156-158.
Section M of the solicitation set up a tiered evaluation process. Id. at 163-164. The first step of the evaluation was a CMMI appraisal, which required offerors to be certified at level 2 in CMMI. Id. If an offeror passed the CMMI appraisal as level 2 certified, the agency would then evaluate an offeror’s technical experience (factor 1) using a self‑scoring worksheet and technical narratives provided by the offeror. Id. at 164.
In the event that technical experience was evaluated as acceptable, then the agency would evaluate the offeror’s past performance. Id. at 164. The agency would review the past performance volume and evaluate each offeror’s past performance references for recency, relevancy, and quality. Id. at 172. Recent contracts were those contracts that were ongoing or completed within 3 years of the issuance of the solicitation. Id. With regard to relevance, the RFP stated that:
[T]he Government will evaluate all recent PPNs to determine the relevancy of the Offeror’s past performance contract reference as it relates to each sub-factor’s criteria set forth below. The Government’s relevancy assessment of the PPNs will utilize the applicable SOO [Statement of Objectives] sections identified below and the Definition of Terms (Section J, Attachment 7).
Id. Each past performance subfactor would receive a relevancy rating of very relevant, relevant, somewhat relevant, or not relevant, depending on whether the offeror demonstrated past performance regarding certain SOO sections identified for each past performance subfactor. RFP at 176. The agency would then assign a past performance quality rating of acceptable or unacceptable. Id. at 176-177. The solicitation further stated that these subfactor ratings would be rolled up into a performance confidence assessment rating for each subfactor of substantial confidence, satisfactory confidence, neutral confidence, limited confidence, or no confidence. Id. at 177. The RFP provided that each offeror must receive a confidence rating of “[s]atisfactory or higher” for each past performance subfactor in order to be eligible for award. Id. at 164.
Space-S3 timely submitted its proposal in response to the solicitation. On August 13, 2019, the agency notified Space-S3 that its proposal was ineligible for award. AR, Tab 10, Space-S3 Notification Memorandum at 2. While Space-S3 received an acceptable rating under the technical experience factor, it was not eligible for award based on the agency’s evaluation of its past performance. Under the past performance factor, the firm received performance confidence assessment ratings of satisfactory for the life‑cycle software services subfactor, neutral for the cybersecurity subfactor, and limited for the information technology business analysis subfactor. Id. at 2. In accordance with the solicitation, the neutral rating under the cybersecurity subfactor and limited rating under the information technology business analysis subfactor rendered Space-S3’s proposal ineligible for award. Id. On August 26, Space-S3 filed this protest with our Office.
Space-S3 challenges the agency’s evaluation of its proposal under the past performance factor. The protester contends that the agency’s assignment of relevancy ratings under both the cybersecurity and information technology business analysis subfactors was unreasonable. Protest at 4-17. While we do not address each of Space‑S3’s arguments, we have considered them all and find that none provide a basis for sustaining Space-S3’s protest.
Under the cybersecurity subfactor, the solicitation instructed offerors to demonstrate past performance as it relates to certain requirements identified in the SOO, (SOO Sections 18.104.22.168, 22.214.171.124, and 126.96.36.199), including the offeror’s solutions that supported risk management framework (RMF) cybersecurity objectives of confidentiality, integrity and availability. RFP at 158. The solicitation also instructed offerors to demonstrate past performance as it relates to certain requirements, identified in the SOO, (SOO Sections 188.8.131.52, 184.108.40.206, and 220.127.116.11), including offerors’ methods used to implement the basic information security concepts for identity assurance, including authentication, authorization, and accountability. Id.
The agency would then evaluate the offeror’s past performance relating to requirements identified in the SOO by evaluating the offeror’s solutions that supported the cybersecurity objectives of confidentiality, integrity and availability (SOO Sections 18.104.22.168, 22.214.171.124, and 126.96.36.199), and the methods used to implement the basic information security concepts for identity assurance (authentication, authorization, and accountability (nonrepudiation)) (SOO Sections 188.8.131.52, 184.108.40.206, and 220.127.116.11). Id. at 175.
The agency reviewed the PPNs that Space-S3 cited in its cross‑reference matrix as exhibiting confidentiality, integrity, and availability, and those that it referenced as exhibiting authentication, authorization, and accountability. The agency concluded that these PPNs failed to demonstrate past performance in confidentiality, integrity, and authentication. AR, Tab 9, Space-S3 Evaluation, at 40‑44. The agency assigned Space-S3’s proposal a relevancy rating of not relevant because it demonstrated past performance for only three of the six cybersecurity objectives and concepts listed in the SOO along with a confidence assessment rating of neutral confidence. Id. at 47.
Our Office will examine an agency’s evaluation of an offeror’s past performance only to ensure that it was reasonable and consistent with the stated evaluation criteria and applicable statutes and regulations. Kiewit Infrastructure West Co., B-415421, B‑415421.2, Dec. 28, 2017, 2018 CPD ¶ 55 at 8. A protester’s disagreement with a procuring agency’s judgment, without more, is insufficient to establish that the agency acted unreasonably. WingGate Travel, Inc., B-412921, July 1, 2016, 2016 CPD ¶ 179 at 4-5. Moreover, it is an offeror’s responsibility to submit an adequately written proposal; this includes providing adequate information relating to the offeror’s past performance. Intelligent Decisions, Inc. et al., B-409686 et al., July 15, 2014, 2014 CPD ¶ 213 at 8. An offeror failing to submit an adequately written proposal runs the risk that its proposal will be evaluated unfavorably. Id.
Space-S3 challenges the agency’s determination that its proposal did not demonstrate confidentiality, integrity and authentication with regard to cybersecurity, and argues that its proposal provided all of the required information that would demonstrate these concepts. The protester quotes PPN 4 in its entirety, and argues that this PPN demonstrates that it provided solutions which supported the objectives of confidentiality and integrity, “to the same extent and with the same level of detail,” as it described availability, which the agency determined that Space-S3 had described adequately. Protest at 5. Similarly, Space-S3 argues that this PPN demonstrates methods used to implement authentication with the same level of detail as it used to show authorization and accountability, both of which the agency determined were provided in its proposal. Id. at 9. The protester claims that a “more careful and consistent evaluation [of Space‑S3’s] PPN descriptions of experience” with confidentiality, integrity and authentication would have shown that its proposal adequately met these objectives and concepts. As a result, Space-S3 argues that the agency should have given it a higher relevancy rating and confidence assessment.  Id. at 9.
The agency responds that Space-S3’s argument emphasizes the extent of detail and length of its explanation regarding confidentiality and integrity, but fails to point to specific language in PPN 4 that explains how its proposal fulfills the requirement to describe how the offeror’s past performance provides a solution for confidentiality, and integrity. COS at 13-14. The agency also contends that Space-S3’s proposal failed to demonstrate past performance with methods used to implement the security concept of authentication. The agency provides that Space-S3 again fails to identify specific language in its narrative or explain how the content of its proposal demonstrates its past performance with authentication. Rather, the agency contends, Space-S3 simply states that it described authentication in the same level of detail that it used to describe the authorization and accountability concepts that the agency determined that Space-S3 demonstrated in its proposal. Id. at 17, 19.
We find reasonable the agency’s conclusion that Space-S3’s proposal failed to include adequate information to demonstrate its past performance in confidentiality, integrity, and authentication. While the protester focuses on the level of detail provided for each of the six components of cybersecurity, it fails to provide any argument or analysis as to why the language in the narrative met the requirements of the solicitation. It further fails to explain any error in the agency’s findings that it had not shown solutions that it implemented to support confidentiality, integrity or methods used to implement authentication. Offerors were responsible for providing proposals that were “clear, specific, and [ ] include[d] sufficient detail for effective evaluation and for substantiating the validity of [the] stated claims.” RFP at 142. We find that Space-S3’s argument that it provided adequate detail regarding these concepts, amounts to disagreement with the evaluation and is insufficient to establish that the agency’s evaluation was unreasonable.  Ben-Mar Enters., Inc., B-295781, Apr. 7, 2005, 2005 CPD ¶ 68 at 7. Accordingly, we deny this protest ground.
Because the RFP expressly provided that a rating below satisfactory in any one of the past performance subfactors would render a proposal ineligible for award, we need not address Space-S3’s challenges to the agency’s evaluation under the information technology business analysis subfactor. In this regard, because we find reasonable the agency’s evaluation under the cybersecurity subfactor, even if Space-S3 were to prevail on its challenges under the information technology business analysis subfactor, its proposal would remain ineligible for award.
The protest is denied.
Thomas H. Armstrong
 Space-S3 is a JV comprised of Software Engineering Services; Defense Acquisition Inc.; SIM&S; INADEV; People, Technology & Processes; and MILVETS. Agency Report (AR), Tab 6, Space-S3 Proposal, Vol. III, Past Performance at 1.
 Citations to the RFP are to the conformed copy provided by the agency. AR, Tab 5, RFP.
 The solicitation stated that pursuant to “10 U.S.C. § 2305(a)(3)(C), as amended by Section 825 of the National Defense Authorization Act (NDAA) for Fiscal Year 2017, the Government will not evaluate cost or price for the IDIQ contract. Cost or price to the Government will be considered in conjunction with the issuance of a task or delivery order under any contract awarded hereunder.” RFP at 162.
 The agency’s estimated value for the SBEAS contract is a maximum of $13.4 billion over the possible ten year ordering period of the contract. Contracting Officer’s Statement (COS) at 3.
 The cross‑reference matrix was required to demonstrate “traceability” between the contract references. An offeror’s cross-reference matrix was required to show “which contract references [were] used to satisfy each technical element and each past performance sub-factor.” Id. at 146.
 CMMI is a process level improvement training and appraisal program that is administered by the CMMI Institute.
 The solicitation provided that the technical experience factor would receive an adjectival rating of acceptable or unacceptable. RFP at 164.
 As a general matter, a neutral rating is not considered to be lower than a satisfactory rating. However, according to the solicitation here, a past performance confidence rating of neutral is considered lower than satisfactory. RFP at 164.
 To receive a rating of very relevant under the cybersecurity subfactor offerors must have demonstrated past performance in all six of the cybersecurity objectives and concepts listed in the applicable SOO sections. RFP at 176. To receive a rating of relevant the offeror must have demonstrated past performance with five of the six cybersecurity objectives in the SOO; to receive a somewhat relevant rating offerors must have demonstrated past performance in four of the six cybersecurity objectives; a not relevant rating was for offerors who failed to demonstrate past performance in at least four of the six cybersecurity objectives. Id.
 Space-S3’s PPN 4 involved a contract performed by MILVETS at the Department of Agriculture and involved Small Business Alliance Security Support. AR, Tab 8, Space‑S3 Cross-Reference Matrix at 5; AR, Tab 6, Space-S3 Proposal, Vol. III, Past Performance, at 18.
 Space-S3’s cross reference matrix listed PPNs 3, 4, and 5 as exhibiting confidentiality, integrity and authentication. AR, Tab 8, Space-S3 Cross-Reference Matrix at 5. However Space-S3 in its protest only challenged the assessment of PPN 4 with regard to confidentiality, integrity and authentication. Protest at 5-9. Therefore we discuss below only the agency’s evaluation of Space-S3’s proposal of its PPN 4 with regard to confidentiality, integrity and authentication.
 The agency further notes that Space-S3’s proposal demonstrated past performance in availability based on information found in another of its PPNs, not PPN 4. COS at 14; AR, Tab 9, Space-S3 Evaluation at 43.
 Space-S3 also argues in its comments that the relevance ratings for the cybersecurity subfactor were ambiguous (Comments at 7), and that the solicitation instructions--which instructed offerors to demonstrate past performance as it relates to the offeror’s solutions used to support RMF cybersecurity objectives of confidentiality, integrity and availability--should have asked offerors to also demonstrate their experience maintaining proven systems. Comments at 10. These arguments are untimely. Apparent solicitation improprieties must have been protested before the closing time for receipt of proposals under our Bid Protest Regulations. 4 C.F.R. § 21.2(a)(1).