
Appian Corporation

B-417837.2 Mar 09, 2020

Highlights

Appian Corporation, of McLean, Virginia, protests the terms of request for quotations (RFQ) No. FY18-ECM 5000017835, issued by the Department of the Treasury, Internal Revenue Service (IRS), for a multifaceted Enterprise Case Management (ECM) solution. Appian contends that the IRS's decision to relax the RFQ's cybersecurity requirements is unjustified and unreasonable, and its decision to convert database software license costs to government furnished equipment (GFE) was improper.

We dismiss the protest.

DOCUMENT FOR PUBLIC RELEASE
The decision issued on the date below was subject to a GAO Protective Order. This redacted version has been approved for public release.

Decision

Matter of:  Appian Corporation

File:  B-417837.2

Date:  March 9, 2020

Daniel R. Forman, Esq., and James G. Peyster, Esq., Crowell & Moring LLP, for the protester.
J. Hunter Bennett, Esq., Jason A. Carey, Esq., and Andrew R. Guy, Esq., Covington & Burling, LLP, for immixTechnology, Inc., the intervenor.
Richard L. Hatfield, Esq., Holly H. Styles, Esq., and Gregory J. Matherne, Esq., Department of the Treasury, for the agency.
Raymond Richards, Esq., Mary G. Curcio, Esq., and Laura Eyester, Esq., Office of the General Counsel, GAO, participated in the preparation of the decision.

DIGEST

Protest that agency improperly relaxed certain cybersecurity requirements in revising a solicitation is dismissed.  GAO will not entertain a protest that the agency should utilize more restrictive specifications.

DECISION

Appian Corporation, of McLean, Virginia, protests the terms of request for quotations (RFQ) No. FY18-ECM 5000017835, issued by the Department of the Treasury, Internal Revenue Service (IRS), for a multifaceted Enterprise Case Management (ECM) solution.  Appian contends that the IRS’s decision to relax the RFQ’s cybersecurity requirements is unjustified and unreasonable, and its decision to convert database software license costs to government furnished equipment (GFE) was improper.

We dismiss the protest.

BACKGROUND

The IRS issued the RFQ on May 24, 2018, to vendors holding a contract under General Services Administration Federal Supply Schedule 70, pursuant to the procedures of Federal Acquisition Regulation subpart 8.4.  Agency Report (AR), Tab D.1, RFQ, at 1.  The estimated value of the procurement is between $40 million and $125 million.  Id. at 4.

The RFQ sought quotations to provide a multifaceted ECM solution to replace existing case management legacy systems.  Id. at 1, 6.  The solution was to consist of commercially available off-the-shelf software and services, capable of operating fully in a cloud environment and fully on-premise.  Id. at 7.  The RFQ noted that, while the IRS intended to use an IRS or Treasury cloud option for hosting the solution, it would be interested in Federal Risk and Authorization Management Program (FedRAMP) certified cloud hosting options. Id. 

The RFQ provided for a two‑phase award and evaluation process.  Id. at 99.  The evaluation criteria for the first phase included the following factors:  (1) strategy and approach; (2) technical capabilities of the products; (3) similar experience; (4) past performance; (5) management capabilities; and (6) price.  Id. at 101.  The agency evaluated several mandatory minimum requirements (MMRs) under the technical capabilities of the products factor on a pass/fail basis.  Id. at 100, 103. 

As relevant here, MMR-4 required that the solution adhere to the various regulatory, legal, statutory, and security-related policies and guidance “at the time of quote submission.”  RFQ at 8.  This includes “Federal Cloud Strategy and Standards, including the [FedRAMP] for cloud components” and “Federal Information Security Management Act (FISMA).”  Id.  During phase I, the agency was asked whether all software components were required to have FedRAMP authorization and FISMA certification at the time quotations were submitted.  AR, Tab D.14, Question and Answers (Q&A), at Q.92, Q.93.  The agency responded yes to both questions.  Id. 

Eight vendors responded to the solicitation.  Contracting Officer’s Statement (COS) at 1.  Two of the vendors, immixTechnology and Appian, were rated excellent under each non-price factor.  Id. at 6.  Appian offered to perform for $47,127,800, and immixTechnology for $79,749,010.  Id.  The agency established blanket purchase agreements with immixTechnology and Appian, and both received task orders to participate in phase II. 

During phase II, the solutions proposed by vendors were subjected to an ECM physical assessment and analysis (EPAA) to ensure that the solution met the selected requirements of the ECM program.  RFQ at 99, 110, 111.  The agency evaluated the quotations under phase II using the following evaluation criteria:  (1) results of the EPAA; (2) strategy and approach (rating established in phase I); (3) technical capabilities of the products (rating established in phase I); and (4) price (established in phase I).  Id. at 111.  The agency utilized the evaluation results from both phase I and phase II to make a best-value tradeoff to determine which vendor would be issued additional task orders for products.  Id. at 99.

After completion of the phase II evaluation, the agency rated immixTechnology’s solution as good under the results of the EPAA factor, while Appian’s was found technically unacceptable.  COS at 6.  The agency issued the task order to immixTechnology.  Appian filed a protest with our Office, asserting that the IRS used unstated evaluation criteria to find its proposal technically unacceptable.  Id.  In response, the IRS notified our Office that it would take corrective action by reassessing its requirements.  The agency would then either issue a new solicitation, or reevaluate the quotations in accordance with the terms of the solicitation as issued, allow vendors to submit revised quotations, and make a new award determination.  As a result, GAO dismissed the protest as academic.  Appian Corp., B-417837, Sept. 17, 2019 (unpublished decision).

The agency undertook a comprehensive review of its requirements to determine if any changes to the RFQ were required.  COS at 7.  Based on this review, the agency revised the answers that it had provided in response to questions it received from vendors regarding the cybersecurity requirements of MMR-4 during phase I of the procurement.  Id.  With respect to FedRAMP, the agency revised its response to state that the requirement for FedRAMP certification at the time of quotation submission applied to the cloud solution only.  AR, Tab E.4, Revised Q&A, at Q.92.  With respect to FISMA certification, the agency’s amended response to the question provided that software components were required to achieve and maintain compliance with FISMA, but not to have FISMA certification at the time quotations were submitted.  Id. at Q.93.  The agency also deleted a requirement for vendors to provide database management software licenses; the agency amended the solicitation to indicate that these would be provided as GFE.  AR, Tab F.3, Pricing Worksheet, Assumptions Tab. 

Responses to the amended solicitation were due on December 9, 2019.  AR, Tab I, Request for Revised Quotations, at 2.  On December 9, before the time that quotations were due, Appian filed a protest with our Office.   

DISCUSSION

Appian challenges the agency’s decision to amend the requirements for FedRAMP and FISMA certifications, and to provide database licenses as GFE.  Protest at 16-20.  The agency asserts that it amended the FedRAMP and FISMA requirements to more accurately reflect the agency’s needs.  COS at 7.  The agency explains it is unnecessary for all software components to be FedRAMP certified at the time of quotation submission because they will be deployed in the FedRAMP certified cloud environment at the agency.  Id.  The agency explains that FISMA certification is not required at the time of quotation submission because the certification must take place within the environment that the ECM solution is implemented.  Id. at 8.  Since the agency is providing the ECM infrastructure, FISMA certification will have to take place after the solution is implemented in that infrastructure.  Id.  The agency also states that it amended the solicitation to address GFE because the IRS has licenses available for multiple database technologies to support any ECM solution proposed.  Id. at 9.  We have reviewed all of Appian’s arguments and find that none provide a basis to sustain the protest.  We discuss several arguments below.[1] 

First, Appian argues that by deleting the requirement for all software components to be FedRAMP and FISMA certified at the time quotations were submitted, the IRS unreasonably and unjustifiably relaxed the solicitation’s cybersecurity requirements.  Protest at 16.  Appian asserts that the solicitation indicates that the IRS may shift cloud hosting responsibilities to vendors sometime in the future.  Protester Comments at 3-4.  According to Appian, requiring all software components to be FedRAMP certified at the time of quotation submission will ensure that if the agency shifts cloud hosting responsibilities to the vendor, the software being used can be integrated into a FedRAMP approved platform.  Protest at 16.   

With respect to FISMA, Appian argues that if FISMA certification is addressed in the quotations, it will ensure that all software will be FISMA certified before the software is incorporated into the quotation, instead of relying on promises of later compliance.  Protest at 16.  In any case, argues Appian, if the software is certified at the time quotations are submitted it will demonstrate that the proposed software has a proven track record of successful performance while FISMA certified.  Id. 

In Appian’s view, the agency changed these requirements because immixTechnology could not meet them.  Protest at 1-2, 17.  Appian notes in this regard that if its protest is sustained, it will be the only vendor that meets the solicitation’s mandatory cybersecurity requirements.[2]   Id. at 3.  Appian’s protest, in essence, is an allegation that, based on its view of what the government needs, the solicitation should be more restrictive of competition. 

Our Office will not consider this basis of protest.  The role of our Office in reviewing bid protests is to ensure that the statutory requirements for full and open competition are met, not to protect any interest a protester may have in more restrictive specifications.  Platinum Services, Inc.; WIT Assocs., Inc., B-409288.3 et al., Aug. 21, 2014, 2014 CPD ¶ 261 at 5; Loral Fairchild Corp.--Recon., B-242957.3, Dec. 9, 1991, 91-2 CPD ¶ 524  at 3 (our Office “will not review a protest that an agency should have drafted additional, more restrictive specifications in order to meet the protester's perception of the agency's minimum needs”).  Accordingly, we dismiss this basis of protest.  

Second, Appian also asserts that the agency unreasonably converted database software license costs to GFE, thereby ignoring the actual cost of the procurement to the government.  Protest at 18-19.  As issued, the solicitation required vendors to provide all licenses to meet the full enterprise case management solution proposed by the vendor.  AR, Tab D.9, Pricing Workbook, at 1.  As noted, the agency amended the solicitation to provide that database management software licenses required to support the proposed ECM solution would be provided as GFE.  AR, Tab F.3, Pricing Worksheet, Assumptions Tab. 

According to Appian, these database related license costs will have a major impact on the cost to the government of the competing solutions.  Protest at 19.  Appian asserts that it can provide the license free of charge as part of the package of products and software it is offering, while immixTechnology must procure the database services through a license with a database vendor.  Id.  According to Appian, if the agency provides the licenses as GFE, immixTechnology’s price will drop substantially, but the cost to the government will not because the government does not currently have the licenses and will have to procure them for immixTechnology.  Id. at 19-20. 

In response, the agency explains that it has licenses available for multiple database technologies suitable to support any ECM solution proposed, and will not need to procure and pay for licenses for the eventual awardee.  COS at 9.  In its comments on the agency report, Appian asserts that it is immaterial that the government has the available licenses, effectively abandoning its protest that the agency would improperly provide the licenses as GFE.  Protester Comments at 10.  Appian now asserts that the relevant inquiry is whether the IRS will have to pay for contractors to store immixTechnology’s data, a cost that will not be incurred with an award to Appian.  Id.  at 10-11 (asserting that while the agency may have access to the databases through the licenses, “it will have to pay for additional storage”).   

The agency has explained that database licenses and database storage costs are two different things.  Agency Response, Jan. 15, 2020, at 2-3 (database licenses will be used for a database management system to organize and make available data; database storage may be implemented using a wide range of digital media).  Since the protester did not protest that the agency would have to incur storage costs until after the closing time for the receipt of quotations, the protest is untimely.  4 C.F.R. § 21.2(a)(1).[3]

The protest is dismissed.

Thomas H. Armstrong
General Counsel



[1] In taking corrective action, the agency only requested Appian and immixTechnology, the vendors that participated in phase II, to respond to the revised solicitation.  We note that as revised, the solicitation changed the terms that vendors who responded to phase I addressed.  We are not deciding whether the agency’s action was appropriate here, since there is no timely protest challenging the action. 

[2] In its comments on the agency report Appian also argues that the solicitation still requires FISMA compliance by the time quotations are submitted.  Protester Comments at 8.  Appian did not raise this argument in its protest, but only argued that the requirement had been removed from the solicitation.  To the extent Appian is now arguing that the solicitation is ambiguous, its protest is untimely since it was submitted after the December 9 closing date for receipt of quotations.  4 C.F.R. § 21.1(a)(1).

[3] Appian asserts that it argued that the ECM solution being procured by the IRS will require database storage services for the ECM data.  Protester Comments at 10.  According to Appian, its protest challenged the IRS’s corrective action decision to amend the RFQ to convert the costs of database storage to GFE.  Id.  While in its protest Appian does reference the requirement for database storage services, the protester specifically states that vendors were required to include costs associated with managing a database and obtaining database software licenses, and that “the IRS has inexplicably decided to treat just these specific [] database licenses as GFE.”  Protest  at 19.  Appian further asserts that there is no dispute that the “Government will be paying for these licenses.”  Id.  The protest however makes no reference to the government paying for database storage, which, as the agency explains, and Appian does not dispute, is separate from licenses.   






