American Justice Solutions, Inc., dba CorrectiveSolutions

B-417171.2: Aug 16, 2019

Additional Materials:

Contact:

Ralph O. White
(202) 512-8278
WhiteRO@gao.gov

Kenneth E. Patton
(202) 512-8205
PattonK@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

American Justice Solutions, Inc., doing business as CorrectiveSolutions, of Mission Viejo, California, a small business, protests the award of a contract to Track Group, Inc., of Naperville, Illinois, also a small business, under request for quotations (RFQ) No. 959P0019R0002, issued by the Court Services and Offender Supervision Agency, Pretrial Services Agency for the District of Columbia (PSA), for commercial services to monitor defendants electronically. American argues that PSA conducted an unfair competition due to the disclosure of information about its quotation in an earlier procurement for the same services, misevaluated its quotation as unacceptable, and applied the evaluation criteria unequally in finding Track's quotation acceptable while rejecting American's.

We dismiss the protest in part and deny it in part.

Decision

Matter of:  American Justice Solutions, Inc., dba CorrectiveSolutions

File:  B-417171.2

Date:  August 16, 2019

Thomas Jonsson, Esq., for the protester.
Shaun Callahan, Esq., for Track Group, Inc., the intervenor.
Linette Lander, Esq., Court Services and Offender Supervision Agency, Pretrial Services Agency for the District of Columbia, for the agency.
Paul N. Wengert, Esq., and Tania Calhoun, Esq., Office of the General Counsel, GAO, participated in the preparation of the decision.

DIGEST

1.  Protest that competition was unfair because agency had earlier released protester’s pricing information during debriefings in another procurement is dismissed as untimely where protester knew of both the release of its pricing and the alleged similarity of the new solicitation before it submitted its quotation, but filed its protest after the closing time for submission of quotations. 

2.  Protest that agency misevaluated protester’s quotation as unacceptable, and applied evaluation criteria unequally in finding awardee’s quotation acceptable, is denied where evaluation was reasonable and consistent with evaluation criteria in solicitation, and where differences in protester’s and awardee’s quotations justified the differences in the evaluation of both quotations.

DECISION

American Justice Solutions, Inc., doing business as CorrectiveSolutions, of Mission Viejo, California, a small business, protests the award of a contract to Track Group, Inc., of Naperville, Illinois, also a small business, under request for quotations (RFQ) No. 959P0019R0002, issued by the Court Services and Offender Supervision Agency, Pretrial Services Agency for the District of Columbia (PSA), for commercial services to monitor defendants electronically.  American argues that PSA conducted an unfair competition due to the disclosure of information about its quotation in an earlier procurement for the same services, misevaluated its quotation as unacceptable, and applied the evaluation criteria unequally in finding Track’s quotation acceptable while rejecting American’s. 

We dismiss the protest in part and deny it in part. 

BACKGROUND

The RFQ, issued on November 9, 2018, sought quotations to provide electronic and global positioning system-based electronic monitoring of approximately 475 defendants monthly[1] for a base year and four option years.  The RFQ included a performance work statement (PWS) that described the agency’s requirement, which principally involved attaching rugged tamperproof electronic monitoring/global positioning system devices to defendants’ ankles as directed by PSA and the D.C. Superior Court, monitoring each defendant’s location around the clock, providing data and alerts about the location of each defendant, and removing the devices at PSA direction.  See generally, RFQ at 7‑10.  Among other things, the RFQ required the contractor to exchange data about defendants and their locations via a secure web interface with PSA’s client management system (CMS), known as the Pretrial Real-time Information System Manager (PRISM), through that system’s electronic monitoring module.  Id. at 11. 

Section 12.1 of the PWS stated that the vendor was required to comply with all laws and policies regarding the protection of the system and its information, and specifically identified several standards as being minimum requirements, including the Federal Information Security Modernization Act of 2014 (FISMA), and National Institute of Standards and Technology (NIST) standards in the “Special Publication 800 series,” following which the PWS listed publication Nos. SP 800‑37 and SP 800‑53A.  Id. at 16. 

Under section 12.2.2 of the PWS, the RFQ directed each offeror to submit answers to ten questions regarding its information security program, and noted that the agency would review the questionnaire responses “to assess whether or not the proposed system, end-to-end, could pass an information security assessment and be authorized within 120 days.”  Id. at 17.  The questions included whether the firm had a formal information security program in place, whether the program was FISMA compliant, whether the program was based on NIST SP 800‑37 revision 2 and SP 800‑53 revision 4, and whether the offeror’s CMS was Federal Risk and Authorization Management Program (FedRAMP) certified.  Id.  Under the management approach and technical capabilities factor, the RFQ identified five evaluation criteria, two of which were that the vendor have “a current and mature information security program in place,” and that the “information security program follows the NIST framework or similar, but equivalent framework that meets the requirements identified” in the PWS.  Id. at 54. 

Quotations were to be evaluated under six factors:  management approach and technical capabilities, personnel qualifications, organizational experience, vendor product demonstrations, past performance, and price.  Id. at 54-55.  The RFQ also stated that “technical and past performance, when combined, are more important than price.”  Id. at 56.  The RFQ directed vendors to submit prices as a daily fixed-price per defendant.  Id. at 51.  The PSA would assess “price reasonableness,” which the RFQ described as including a determination of whether the vendor’s “costs [we]re realistic for the work,” whether they “reflect[ed] a clear understanding” of the requirements, and whether they were “inclusive of all services requested.”  Id. at 56.

PSA received timely quotations from four vendors, including Track and American.[2]  AR, Tab R, Final Technical Evaluation Summary Memorandum, at 1.  On April 4, 2019, the contracting officer emailed a letter to both American and Track, seeking “additional information/clarification.”  AR, Tab H, Letter from Contracting Officer to American (Apr. 4, 2019) at 1-2; see also AR, Tab M, Redacted Track Quotation Documents, at 127 (cover letter for supplemental questionnaire response from Track’s Regional Sales Manager to Contracting Officer (Apr. 9, 2019) at 1).  The letter repeated and extended the 10 questions in the information security requirements questionnaire, and posed three additional questions about the firm’s information security approach.  Id. at 127-131.  American’s quotation, as thus supplemented, described its approach as relying on a subcontractor, Satellite Tracking of People, LLC (STOP), to provide equipment, a monitoring system, and data storage.  AR, Tab I, American Supplemental Questionnaire Response, at 1.  

When PSA evaluated American’s quotation as supplemented by the additional questionnaire responses, the evaluators concluded that the firm’s approach to information security, in particular, had weaknesses and deficiencies.  Under the management approach and technical capabilities factor, the evaluators assessed a weakness that American did not manufacture the equipment or software it proposed, and thus might be unable to anticipate or address problems with them.  Protest exh. E, Debriefing Letter from Contracting Officer to American (May 23, 2019), at 1. In addition, the evaluators assessed a deficiency to American because the description of its approach to information security in its questionnaire responses showed that American itself did not have a security program; rather, only its subcontractor had an information security program in place.  Id.  The evaluation explained that PSA had concluded that it would not be able to establish a chain of trust with American to exchange the required information about defendants, as FISMA required the agency to do.  Id. at 2.  The agency recognized that American had emphasized that its subcontractor has a robust information security approach, but that the subcontractor’s program applied only to the subcontractor, and not to the handling of information by American. 

The final evaluations of Track’s and American’s quotations were as follows:

Factor

Track

American

Management Approach & Technical Capabilities

Acceptable

Unacceptable

Personnel Qualifications

Acceptable

Acceptable

Organizational Experience

Acceptable

Acceptable

Vendor Product Demonstrations

Acceptable

Acceptable

Past Performance

Very Good

Satisfactory

Evaluated Price

$4.2 million

Not Evaluated


Id. at 5; AR, Tab O, Best-Value Determination (“Fully Redacted” version[3]), at 1-2. 

In a source selection decision dated May 1, the contracting officer determined that Track’s price was reasonable based on competition and that further evaluation of price was “not warranted.”  Id. at 18.  Following the award to Track, American requested and received a debriefing.  In the debriefing, PSA stated that price was the deciding factor in determining overall best value among vendors with ratings of acceptable and very good past performance.[4]  Protest exh. E, Debriefing Letter from Contracting Officer to American (May 23, 2019), at 5.

PROTEST

American argues that the competition was unfair, and that PSA misevaluated its quotation and unequally evaluated the programs of Track and American under the RFQ’s information security requirements.  Protest at 1; Protester’s Comments at 3-4.  As discussed below, based on our review of the record, we conclude that the protester’s arguments lack merit. 

Unfair Competition under RFQ  

American argues that it was unfairly disadvantaged because PSA released the firm’s adjectival ratings and unit prices under an earlier solicitation for the same services.  That information was released during the debriefing process in connection with the award of the contract to American in August 2018.  Shortly after those debriefings, the then-incumbent[5] contractor, Sentinel Offender Services, filed a protest with our Office.  PSA took corrective action by canceling that solicitation and the award to American, and subsequently issued the instant RFQ.  Protest at 3; Protest exh. D, Debriefing Letter from Contracting Officer to Sentinel (Aug. 21, 2018), at 3-5.  American argues that even if the debriefings properly included information about its successful quotation, the disclosure of its unit prices placed it at a competitive disadvantage here.  The firm contends that the scope of the previous requirement and the scope of this RFQ are similar, and thus the release of its pricing under the previous solicitation made this competition unfair.  Protester’s Comments at 2. 

We dismiss this argument as untimely.  The record shows that on October 2, 2018, in an email sent to American responding to a Freedom of Information Act request, PSA stated that, as the successful offeror in the earlier procurement, American’s unit prices had been released to the unsuccessful offerors, including Sentinel, “during the post award notice and debriefing process.”  Protest exh. G, FOIA Final Response Letter (Oct. 2, 2018) at 1.  American’s complaint now is that the RFQ was improper because it meant that American had to compete for essentially the same requirement against firms to whom PSA had released American’s ratings and unit prices. 

To the extent that American claims that the RFQ here was unfair to the firm, we conclude that American knew, or should have known, that issue no later than November 9, 2018, when PSA released the RFQ.  Having already been informed that its pricing under the first contract award had been released to its competitors during the debriefing, upon release of the RFQ, American knew all the facts to which it now objects. 

Our Bid Protest Regulations contain strict rules for the timely submission of protests.  These rules reflect the dual requirements of giving parties a fair opportunity to present their cases and resolving protests expeditiously without unduly disrupting or delaying the procurement process.  Verizon Wireless, B‑406854, B‑406854.2, Sept. 17, 2012, 2012 CPD ¶ 260 at 3-4.  Our timeliness rules specifically require that a protest based upon alleged improprieties in a solicitation that are apparent prior to the closing time for receipt of initial proposals be filed before that time.  4 C.F.R. § 21.2(a)(1); see AmaTerra Envtl. Inc., B-408290.2, Oct. 23, 2013, 2013 CPD ¶ 242 at 3.  American’s protest was filed on June 3, 2019, after the December 11, 2018, amended closing time for submission of proposals.  RFQ amend. 2 at 1.  Therefore, we express no view on the agency’s release of unit pricing from the earlier solicitation or the alleged similarity of that solicitation to this RFQ, but dismiss those aspects of the protest as untimely. 

Evaluation of Management Approach and Technical Capabilities Factor

American next argues that its quotation was misevaluated under the management approach and technical capabilities factor.  American contends that its quotation provided the same approach as the firm had used in the previous solicitation, which PSA had rated favorably, whereas under this RFQ, PSA evaluated the approach as unacceptable.  Protest at 3‑5.  American contends that since its quotation explained that the RFQ security standards were met by its subcontractor, PSA’s application of the standards to American as the prime contractor was “absurd and not a requirement of the solicitation.”  Protester’s Comments at 3. 

PSA contends that, fundamentally, compliance with information security standards is an obligation of the contractor, and therefore the RFQ properly provided for the agency to assess the contractor’s approach to such compliance.  AR Legal Memorandum at 6.  PSA argues that its evaluation was reasonable and that the unacceptable rating was based on American’s failure to provide acceptable responses to the information security questionnaire and the agency’s follow-up questions.  Id. at 6-8.  In particular, the agency emphasizes that neither American’s quotation, nor American’s responses to additional questions, showed that the firm had an acceptable approach to meeting the RFQ information security requirements.  Id. at 6.  Although American argues that it identified the information security program used by its subcontractor, which American’s approach expressly relied upon, the agency concluded that the subcontractor’s security program did not make American’s approach acceptable.  Protest at 3.  PSA emphasizes that the information security program was not limited to computer systems, but also required, American itself to securely handle information.  AR Legal Memorandum at 7.  Further, as the prime contractor, American would have a role in responding to security incidents and contingency planning.  Id.  In short, PSA viewed American’s questionnaire responses--in both the initial quotation and in response to the April 4 request--as deficient because they did not show that American accepted the responsibility for, or had an acceptable approach to meeting, the RFQ’s information security standards.  Id. at 6-7. 

A contracting agency’s evaluation of quotations is a matter within the agency’s discretion.  Technatomy Corp., B-411583, Sept. 4, 2015, 2015 CPD ¶ 282 at 4.  In reviewing an agency’s evaluation, our Office will examine the evaluation to ensure that it was reasonable and consistent with the solicitation’s stated evaluation criteria and with procurement statutes and regulations.  Id. at 4–5.  It is the contracting agency’s role to define both its underlying needs and the best method of accommodating those needs, and the agency may reject as unacceptable a quotation that does not meet the requirements.  IJC Corp., B-415388, Dec. 19, 2017, 2017 CPD ¶ 388 at 2-3.  

Our review of the record supports the reasonableness of PSA’s evaluation.  PSA properly assessed whether American itself would comply with the information security requirements in the RFQ because performance of the contract required its personnel to use sensitive information about defendants.  We see no basis for American’s claim that the RFQ allowed a vendor to delegate compliance entirely to its subcontractor. 

Our review of the record shows that the evaluation recognized that the information security questionnaire responses in American’s quotation addressed only the status of its subcontractor’s information security program, and provided no indication that American itself would comply with those standards.  See AR Tab J, American Quotation, at 61-63.  The quotation describes the information security requirements as entirely a matter of its subcontractor’s equipment and systems.  AR, Tab J, American Quotation, at 61 (“STOP has a formal information security program . . .”); id. at 63 (“STOP maintains a POA&M [plan of actions and milestones] document,” and “STOP maintains the SSP [systems security plan]”).  Compliance with the NIST standards was likewise described only in connection with STOP’s information security program.  Id. at 62.  At the same time, the quotation’s description stated that American itself would “provide local staff to service PSA,” and described its staff as being able to enroll defendants in the system, including entering defendants’ personal information and setting inclusion/exclusion zones.  Id. at 14, 22.  Even though American’s personnel would handle sensitive information, the quotation provided no indication that American had an information security plan to ensure compliance with PSA’s standards.  PSA’s evaluation of American’s quotation as deficient and unacceptable on that basis under the management approach and technical capabilities factor was thus reasonable. 

Unequal Evaluation Treatment

American argues that the evaluation nevertheless reflects disparate treatment because Track’s quotation showed that it did not have a fully documented security program in place, Track’s system was only partially FedRAMP compliant, and Track provided no written documentation of its information security systems.  Protester’s Comments at 3-4.  American contends that PSA unfairly ignored Track’s acknowledged noncompliance with the information security requirements, while rejecting American’s quotation for failing to comply with the same standards.  Id. 

PSA argues that the evaluation did not treat the two quotations unequally.  The agency notes that the information security questionnaire was expressly intended to allow the agency to assess whether the contractor’s system, end-to-end, could pass an information security assessment and be authorized within 120 days.  AR Legal Memorandum at 7.  PSA contends that the evaluation properly distinguished between Track’s acknowledgement that the information security requirements applied to Track itself, and thus identified areas where its information security program would need to be brought into timely compliance, which contrasted with American’s erroneous claim that FISMA and NIST standards applied only to its subcontractor.  Supplemental AR Legal Memorandum at 1-3.  PSA argues that Track’s approach to compliance was acceptable under the terms of the RFQ, whereas American’s reflected an erroneous understanding of the requirement and was properly deemed deficient and unacceptable.  Id. 

Where a protester alleges unequal treatment in a technical evaluation, it must show that the differences in ratings did not stem from differences between the offerors' proposals.  Performance Sys., LLC; Integrity Mgmt. Consulting, Inc., B-416374, et al., Aug. 13, 2018, 2018 CPD ¶ 283 at 10.  Our review of the record does not support American’s claim that the evaluation reflects unequal treatment of it and Track.  Instead, the record shows that Track’s quotation recognized the areas where its information security approach would need to come into compliance with the standards specified in the RFQ within 120 days, while American’s quotation incorrectly assumed that compliance was entirely a matter for its subcontractor to address, and provided no indication that American would become compliant within 120 days.  In short, the record does not support American’s claim of unequal treatment in the evaluation of the quotations.  Accordingly, we deny American’s challenges to the evaluation of the quotations. 

We deny the protest in part and dismiss it in part.[6] 

Thomas H. Armstrong
General Counsel



[1] The RFQ also described the scope of work as including the storage and retrieval of electronic and location data for approximately 7,200 defendants annually.  RFQ at 8. 

[2] The record shows that a fifth quotation was deemed to be late and was not evaluated on that basis.  Agency Report (AR), Tab O, Best Value Determination (“Fully Redacted” version), at 1.  Except where necessary, we omit discussion of the other vendors here.  

[3] Where the protester included certain relevant information in the public version of its protest but PSA redacted the corresponding information from the public exhibits submitted with the agency report, we have included the information here based on the release of the information either before the protest was filed, or in the public version of American’s protest. 

[4] Notwithstanding the implication of this statement, PSA has not challenged American’s claim to be an interested party as the vendor next in line for award after Track.  The record in this matter does not indicate whether either of the other vendors received acceptable adjectival ratings and a very good past performance rating (or better), which could presumably place one or both of them in line for award ahead of American. 

[5] Sentinel’s contract ended on June 30, 2019.  AR Legal Memorandum at 1. 

[6] American also alleges that PSA evaluated quotations “on a system that will not be used,” broadly claims that Track has not complied with the PWS requirement to obtain FedRAMP certification after award, and argues that Track’s compliance with the requirement “should be something that must be independently verified.”  Protest at 1; Protester’s Supplemental Comments at 2.  American provided no factual support for these allegations beyond noting that Track lacked a FedRAMP certification at the time it submitted its quotation, and failed to meaningfully challenge the agency’s rebuttal in the AR and supplemental AR.  Further, questions of Track’s performance are matters of contract administration that exceed our Office’s protest function.  Accordingly, we also dismiss each of these allegations.  4 C.F.R. §§ 21.1(c)(4),  21.5(a).  

Nov 19, 2019

Nov 18, 2019

Nov 15, 2019

Nov 14, 2019

Nov 13, 2019

Nov 7, 2019

Looking for more? Browse all our products here