Avosys Technology, Inc.

B-415716.6: Jul 30, 2018

Additional Materials:

Contact:

Ralph O. White
(202) 512-8278
WhiteRO@gao.gov

Kenneth E. Patton
(202) 512-8205
PattonK@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Avosys Technology, Inc., a small business of San Antonio, Texas, protests the decision by the Department of the Air Force to exclude its proposal from competition under request for proposals (RFP) No. FA8771-17-R-1000 for information technology (IT) services. The protester maintains that the agency unreasonably excluded its proposal from competition.

We deny the protest.

DOCUMENT FOR PUBLIC RELEASE
The decision issued on the date below was subject to a GAO Protective Order. This redacted version has been approved for public release.

Decision

Matter of:  Avosys Technology, Inc.

File:  B-415716.6

Date:  July 30, 2018

Johnathan M. Bailey, Esq., and Kristin E. Zachman, Esq., Bailey & Bailey, PC, for the protester.
Alexis J. Bernstein, Esq., Michael G. McCormack, Esq., and Rachell J. Reilly, Esq., Department of the Air Force, for the agency.
Katherine I. Riback, Esq., and Amy B. Pereira, Esq., Office of the General Counsel, GAO, participated in the preparation of the decision.

DIGEST

Protest challenging the agency’s evaluation of protester’s proposal under the past performance evaluation factor is denied where the record shows that the evaluation was reasonable and consistent with the solicitation.

DECISION

Avosys Technology, Inc., a small business of San Antonio, Texas, protests the decision by the Department of the Air Force to exclude its proposal from competition under request for proposals (RFP) No. FA8771-17-R-1000 for information technology (IT) services.  The protester maintains that the agency unreasonably excluded its proposal from competition.

We deny the protest.

BACKGROUND

The RFP, known as the Small Business Enterprise Application Solutions (SBEAS) solicitation, set aside for small businesses, was issued on September 28, 2017, pursuant to the procedures of Federal Acquisition Regulation (FAR) part 15, and contemplated the award of 40 multiple-award, indefinite‑delivery, indefinite-quantity (IDIQ) contracts.  Agency Report (AR), Tab 8, RFP at 162.[1]  The scope of the SBEAS RFP, as stated in the statement of objectives (SOO), included a “comprehensive suite of IT services and IT solutions to support IT systems and software development in a variety of environments and infrastructures.”  Id. at 130.  Additional IT services in the solicitation included, but were not limited to, “documentation, operations, deployment, cybersecurity, configuration management, training, commercial off-the-shelf (COTS) product management and utilization, technology refresh, data and information services, information display services and business analysis for IT programs.”  Id.  Proposals were to be evaluated based on the technical experience and past performance factors.  Id.  The past performance factor was comprised of the following three subfactors in descending order of importance:  life-cycle software services, cybersecurity, and information technology business analysis. [2]  Id. at 164.  Award was to be made on a past performance tradeoff basis among technically acceptable offerors, using the three past performance subfactors.  Id. at 162. 

Section L of the solicitation instructed offerors that “[t]he proposal shall be clear, specific, and shall include sufficient detail for effective evaluation and for substantiating the validity of stated claims.”  Id. at 142.  Offerors were instructed to not simply rephrase or restate requirements, but to “provide [a] convincing rationale to address how the [o]fferor’s proposal meets these requirements.”  Id.  The solicitation provided that offerors should submit their proposals in four volumes:  capability maturity model integration (CMMI) documentation, technical experience, past performance, and contract documentation.  Id. at 145. 

The RFP’s instructions also directed offerors to complete a cross-reference matrix, which was attached to the solicitation.  Id. at 146 and 179-183.  The offeror’s cross‑reference matrix was required to demonstrate “traceability” between the offeror’s contract references.  An offeror’s cross-reference matrix was required to show “which contract references [were] used to satisfy each technical element and each past performance sub-factor.”  Id. at 146.

As relevant to this protest, the past performance volume was to include the cross‑reference matrix, described above, past performance narratives (PPNs) for each of up to six contract references, and contractor performance assessment reports or past performance questionnaires (PPQs).[3]  Id. at 155-156.  The past performance narratives were to describe how the offeror’s past performance supported the three past performance subfactors.  Id. at 156-158. 

The solicitation stated that the agency intended to evaluate proposals and make awards without discussions to the offerors deemed responsible, and whose proposals conformed to the solicitation’s requirements and were judged, based on the evaluation factors, to represent the best value to the government.[4]  Id. at 163. 

Section M of the solicitation set up a tiered evaluation process.  Id. at 163-164.  The first step of the evaluation was a CMMI appraisal, which required offerors to be certified at level 2 in CMMI.[5]  Id.  If an offeror passed the CMMI appraisal as level 2 certified, the agency would then evaluate an offeror’s technical experience (factor 1) using the self‑scoring worksheet and technical narratives provided by the offeror.[6]  Id. at 164. 

In the event that technical experience was evaluated as acceptable, then the agency would evaluate the offeror’s past performance.  Id. at 164.  The agency would review the accompanying past performance narratives (PPNs) and evaluate each offeror’s past performance references for recency, relevancy, and quality.  Id. at 172.  As relevant to this protest, the RFP stated that:

[T]he Government will evaluate all recent PPNs to determine the relevancy of the Offeror’s past performance contract reference as it relates to each sub-factor’s criteria set forth below.  The Government’s relevancy assessment of the PPNs will utilize the applicable SOO sections identified below and the Definition of Terms (Section J, Attachment 7).

RFP at 172.  Each past performance subfactor would receive a relevancy rating of very relevant, relevant, somewhat relevant or not relevant depending on whether the offeror demonstrated past performance regarding certain SOO sections identified for each past performance subfactor.[7]  RFP at 176.  The agency would then assign a past performance quality rating of acceptable or unacceptable.  Id. at 176-177.  The solicitation further stated that these subfactor ratings would be rolled up into a performance confidence assessment rating for each subfactor of substantial confidence, satisfactory confidence, neutral confidence, limited confidence, or no confidence.  Id. at 177.  The RFP provided that each offeror must receive a confidence rating of “satisfactory or higher” for each past performance subfactor in order to be eligible for award.[8]  Id. at 164. 

Avosys timely submitted its proposal in response to the solicitation.  On April 6, 2018, the agency notified Avosys that its proposal received an acceptable rating under the technical experience factor.  AR, Tab 15, Avosys Notification Memorandum at 1.  Regarding past performance, the agency’s notification to Avosys indicated that the firm received performance confidence assessment ratings of limited confidence for the life‑cycle software services subfactor and the cybersecurity subfactor, and neutral for the information technology business analysis subfactor.  Id. at 2.  The agency noted that the solicitation provided that the “the Government will not award to any offeror that receives a Past Performance Confidence Rating below Satisfactory for any of the Past Performance sub-factors.”  Id. (citing Section M § 2.5).  Because Avosys received performance confidence assessment ratings below satisfactory, as defined in the RFP, for each of the past performance subfactors, the agency determined and notified Avosys that it was ineligible for award.  Id.  On April 23, Avosys filed this protest with our Office. 

DISCUSSION

Avosys protests the agency’s exclusion of its proposal from the competition, alleging that the agency failed to properly evaluate its proposal under the past performance factor.  Specifically, the protester contends that the agency “failed to evaluate its proposal consistent with the evaluation scheme[ ], failed to evaluate referenced narrative[s] for specific sub‑elements, and failed to reasonably evaluate Avosys’ past performance narratives.”  Protest at 19.  Avosys contests the agency’s evaluation of six of the fourteen sub‑elements of the life cycle subfactor, two of the six requirements of the cyber security subfactor, and one of the two requirements of the information technology business analysis subfactor.  Id. at 21-66.  While we do not address all of Avosys’ arguments, we have considered them and find that none provide a basis for sustaining Avosys’ protest. 

While Avosys protested the agency’s evaluation of its proposal regarding each of the past performance subfactors, the RFP provided that a rating below satisfactory in any one of the past performance sub‑factors would render Avosys’ proposal ineligible for award.  Therefore, for the reasons discussed below, we need only address the agency’s evaluation of Avosys’ proposal with regard to the cybersecurity subfactor.

Cybersecurity Subfactor

As relevant to this protest, as part of subfactor 2, cybersecurity, the solicitation instructed offerors to demonstrate past performance as it relates to certain requirements identified in the SOO, (SOO Sections 3.1.10.1, 3.1.10.2, and 3.1.10.3), including the offeror’s solutions that were used to support risk management framework (RMF) cybersecurity objectives of confidentiality, integrity and availability.  RFP at 158.  The agency would then evaluate the offeror’s past performance relating to requirements identified in the SOO, including evaluating the “[o]fferor’s solutions that supported Risk Management Framework (RMF) Cybersecurity Objectives (Confidentiality, Integrity, and Availability) (SOO Sections 3.1.10.1, 3.1.10.2, and 3.1.10.3)”  Id. at 175 (emphasis added).

The RFP defined confidentiality as “[p]reserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information,” and defined integrity as “[g]uarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.”  Id. at 205-206. 

The agency reviewed the sections of Avosys’ PPNs that the firm cited in its cross‑reference matrix as exhibiting confidentiality and integrity, and determined that the PPNs cited in Avosys’ proposal did not demonstrate past performance providing solutions that supported RMF cybersecurity confidentiality for preventing an unauthorized person to access the data/system, or provide solutions which supported the RMF Cybersecurity for integrity.  AR, Tab 14, Avosys Technical Evaluation at 30-31.  The agency then assigned Avosys’ proposal a relevancy rating of somewhat relevant because it had demonstrated past performance for four of the six cybersecurity objectives and concepts listed in the SOO, along with a confidence assessment rating of limited confidence.  Id. at 33.

Our Office will examine an agency’s evaluation of an offeror’s past performance only to ensure that it was reasonable and consistent with the stated evaluation criteria and applicable statutes and regulations.  Kiewit Infrastructure West Co., B-415421, B‑415421.2, Dec. 28, 2017, 2018 CPD ¶ 55 at 7.  A protester’s disagreement with a procuring agency’s judgment, without more, is insufficient to establish that the agency acted unreasonably.  WingGate Travel, Inc., B-412921, July 1, 2016, 2016 CPD ¶ 179 at 4-5.  Moreover, it is an offeror’s responsibility to submit an adequately written proposal; this includes adequate information relating the offeror’s past performance.  Intelligent Decisions, Inc., et al., B-409686 et al., July 15, 2014, 2014 CPD ¶ 213 at 8.  An offeror failing to submit an adequately written proposal runs the risk that its proposal will be evaluated unfavorably.  Id.

Avosys challenges the agency’s determination that its proposal did not demonstrate confidentiality and integrity with regard to cybersecurity, and argues that its proposal provided all of the required information.  The protester claims that the “language and industry jargon” used in its proposal, “collectively” validated claims regarding its past performance in sufficient detail.[9]  Comments at 30-31. 

Confidentiality

The agency reviewed the sections of Avosys’ PPNs that the firm cited in its cross‑reference matrix (AR, Tab 9, Avosys Proposal Vol. I CMMI and Vol. II Technical Experience at 13), as exhibiting confidentiality, and determined that Avosys’ proposal did not demonstrate the offeror’s past performance providing solutions for confidentiality as that term is defined in the solicitation.  COS/MOL at 43; AR, Tab 14, Avosys Technical Evaluation at 30. 

For example, Avosys’ PPN #1 stated the following:

Through the design phase, coding concepts were established to insure secure processes were implemented with every coding functional path exploitation or threat vulnerability mitigated.

*        *        *        *        *

[DELETED]

AR, Tab 10, Avosys Proposal, Vol. III, Past Performance at 14 (emphasis in original).

The protester contends that as a whole its PPN #1 demonstrated how Avosys provided and implemented those confidential solutions.  Protest at 46.  Avosys further argues that its PPN #4 demonstrated that it implemented confidentiality solutions through coding, methodologies and achievement of confidentiality to protect and access Health Insurance Portability and Accountability Act (HIPPA) compliant data.  Id. at 48.  Avosys contends that the terminology that it used in this PPN provided sufficient detail, and that while it may not have provided the individual steps and decisions, it provided the solution and how the solution was achieved.  Comments at 33. 

The agency responds that while it determined that Avosys did list in PPN #1, and in the other three PPNs that Avosys cited, certain solutions to implement the support of confidentiality, and provided brief descriptions for ensuring confidentiality, the agency determined that the sections cited in Avosys’ PPNs did not demonstrate past performance implementing these solutions that would show that Avosys had past performance supporting confidentiality.  AR, Tab 14, Avosys Technical Evaluation at 30.  The agency states that Avosys’ statement in PPN #1 that “coding concepts were established” and “solutions were selected during the design process to implement,” failed to demonstrate exactly what those coding concepts were, or what solutions were implemented, and, thus, were determined to not meet the evaluation criteria requirements.  COS/MOL at 42 (citing AR, Tab 10, Avosys Proposal, Vol. III, Past Performance at 14). 

Regarding PPN #4, the agency determined that Avosy’ statement in this PPN that [DELETED] did not demonstrate past performance in, nor did it provide specific and clear details to support Avosys’ past performance with regard to confidentiality.  COS/MOL at 45 (citing AR, Tab 10, Avosys Proposal, Vol. III, Past Performance at 27).  The agency further states that as the proposal is written, the users with “records view only access” still have permission to view the data/ information; and that adding administrative permission for the government department managers within the application does not preserve authorized restrictions on information access and disclosure to include means of protection of the information.  COS/MOL at 45. 

Based on our review of the record, the agency reasonably evaluated Avosys’ proposal under the confidentiality portion of the cybersecurity subfactor because the firm failed to include adequate detail concerning coding concepts and solutions that it implemented to ensure confidentiality.  Offerors were responsible for providing proposals that were “clear, specific, and [ ] include[d] sufficient detail for effective evaluation and for substantiating the validity of [the stated claims.”  RFP at 142.  We find that Avosys’ argument that it provided adequate detail, amounts simply to disagreement with the evaluation and is insufficient to establish that the agency’s evaluation was unreasonable.  Ben-Mar Enters., Inc., B‑295781, Apr. 7, 2005, 2005 CPD ¶ 68 at 7. 

Integrity

Avosys alleges that the agency unreasonably concluded that its proposal failed to demonstrate integrity concerning cybersecurity, as that term is defined in the solicitation.  According to Avosys, its PPNs provided details of specific technical steps that were implemented to achieve integrity, along with specific coding for guarding against data modification.  Protest at 49.  For example, the protester specifically noted that in its PPN #1 Avosys designed the security to achieve authorization to operate (ATO), when it stated that [DELETED].  Id. at 50 (citing AR, Tab 10, Avosys Proposal, Vol. III, Past Performance at 6). 

The agency reviewed the sections of Avosys’ PPNs that the firm cited in its cross‑reference matrix (AR, Tab 9, Avosys Proposal Vol. I CMMI and Vol. II Technical Experience at 13), and determined that Avosys’ proposal did not demonstrate the offeror’s past performance providing solutions for integrity.  COS/MOL at 46; AR, Tab 14, Avosys Technical Evaluation at 31.  For example, the agency noted that while Avosys stated in PPN #1 that various integrity solutions such as [DELETED] the agency determined that the proposal failed to demonstrate the offeror’s past performance providing those solutions to guard against unauthorized modification or damage to data.  AR, Tab 14, Avosys Technical Evaluation at 31 citing Tab 10, Avosys Proposal, Vol. III, Past Performance at 14.  The agency determined as well regarding this PPN that the proposal was not specific as to whether the offeror or another developer implemented these solutions.  AR, Tab 14, Avosys Technical Evaluation at 31. 

Overall, the agency determined that this PPN was “not clear and specific,” and that it failed to provide “sufficient detail for effective evaluation and for substantiating the validity of stated claims,” as required by the solicitation.  Id. (citing RFP at 142).  For example, regarding ATO, the agency determined that the statement in PPN #1 quoted above failed to demonstrate past performance incorporating solutions for integrity because an ATO is possible even if portions of the coding mechanism or software functionality are not fully effective or functional.  COS/MOL at 50 (citing AR, Tab 10, Avosys Proposal, Vol. III, Past Performance at 14).  The agency also concluded that while security control is an “important process step” in mapping to an applicable RMF, security control alone does not demonstrate the solutions used for the “applicable RMF security controls” to achieve integrity.  Id. at 47-48. 

As stated above, an offeror is responsible for demonstrating affirmatively the merits of its proposal and risks rejection of its proposal if it fails to do so.  Intelligent Decisions, Inc., et al., supra.  The solicitation specifically required that offerors demonstrate integrity with regard to cybersecurity with “sufficient detail” that would allow the agency to substantiate the validity of the stated claims.  RFP at 142.  The agency reviewed the sections that Avosys cited in its cross-reference matrix as demonstrating integrity and determined that these sections lacked the detail that the solicitation required.  While Avosys contests the agency’s evaluation in this regard, we find its arguments amount to disagreement with agency’s evaluation which, by itself, is not sufficient to establish that the evaluation was unreasonable.  We therefore find reasonable the agency’s assessment that Avosys’ cited PPNs failed to demonstrate integrity.

Given our conclusion that the agency reasonably evaluated Avosys’ proposal under the cybersecurity subfactor as providing limited confidence, and given that a performance confidence assessment rating lower than satisfactory in any subfactor rendered the proposal ineligible for award, we find that the agency reasonably concluded that the Avosys proposal was ineligible for award.  As a result, Avosys is not an interested party to pursue its remaining challenges regarding the evaluation of its proposal.  Bid Protest Regulations, 4 C.F.R. § 21.0(a)(1).

The protest is denied.

Thomas H. Armstrong
General Counsel



[1] Citations to the RFP are to the conformed copy provided by the agency.  AR, Tab 8, RFP.

[2] The solicitation stated that pursuant to “10 U.S.C. § 2305(a)(3)(C), as amended by Section 825 of the National Defense Authorization Act (NDAA) for Fiscal Year 2017, the Government will not evaluate cost or price for the IDIQ contract.  Cost or price to the Government will be considered in conjunction with the issuance of a task or delivery order under any contract awarded hereunder.”  RFP at 162.

[3] Offerors were permitted to include past performance references that were not also used in the technical experience volume, but all references provided as part of the technical experience volume were required to also be used as past performance references.

[4] The agency’s estimated value for the SBEAS contract is a maximum of $13.4 billion over the possible ten year ordering period of the contract.  Combined Contracting Officer’s Statement and Memorandum of Law (COS/MOL) at 4. 

[5] CMMI is a process level improvement training and appraisal program that is administered by the CMMI Institute. 

[6] The solicitation provided that the technical experience factor would receive an adjectival rating of acceptable or unacceptable.  RFP at 164. 

[7] For example, to receive a rating of very relevant under the cybersecurity subfactor offerors must have demonstrated past performance in all six of the cybersecurity objectives and concepts listed in SOO sections 3.1.10.1, 3.1.10.2, 3.1.10.3, 3.1.10.4, 3.1.10.5 and 3.1.10.6.  RFP at 176.  To receive a rating of relevant the offeror must have demonstrated past performance with five of the six above-stated cybersecurity objectives in the above-listed SOO sections; to receive a somewhat relevant rating offerors must have demonstrate past performance in four of the six above-stated cybersecurity objectives listed above; a not relevant rating was for offerors who failed to demonstrate past performance in at least four of the six above-stated cybersecurity objectives.  Id.

[8] As a general matter, a neutral rating is not considered to be lower than a satisfactory rating.  However, according to the solicitation here, a past performance confidence rating of neutral is considered lower than satisfactory.  RFP at 164. 

[9] Avosys also argues that the agency improperly failed to examine certain portions of its PPN #1 beyond that cited in its cross-reference matrix.  Comments at 31.  We need not address this argument because to the extent that the protester cites additional portions of the PPN, it has failed to show how this information would alter the agency’s evaluation.

Dec 14, 2018

Dec 13, 2018

Dec 12, 2018

Looking for more? Browse all our products here