22nd Century Technologies, Inc.

B-418029,B-418029.2,B-418029.3: Dec 26, 2019

Additional Materials:

Contact:

Ralph O. White
(202) 512-8278
WhiteRO@gao.gov

Kenneth E. Patton
(202) 512-8205
PattonK@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

22nd Century Technologies, Inc., of McLean, Virginia, protests the establishment of a blanket purchase agreement (BPA) with Deloitte Consulting, LLP, of Arlington, Virginia under request for quotations (RFQ) No. 1605DC-19-Q-00006, issued by the Department of Labor (DOL), for enterprise-wide support services. 22nd Century argues that the agency's evaluation was unreasonable, the agency treated vendors disparately, and the best-value tradeoff was flawed.

We deny the protest.

DOCUMENT FOR PUBLIC RELEASE
The decision issued on the date below was subject to a GAO Protective Order. This redacted version has been approved for public release.

Decision

Matter of:  22nd Century Technologies, Inc.

File:  B-418029; B-418029.2; B-418029.3

Date:  December 26, 2019

Elizabeth N. Jochum, Esq., Todd M. Garland, Esq., and Nora K. Brent, Esq., Smith Pachter McWhorter PLC, for the protester.
Keith R. Szeliga, Esq., Katie A. Calogero, Esq., and Adam A. Bartolanzo, Esq., Sheppard, Mullin, Richter, and Hampton LLP, for Deloitte Consulting, LLP, the intervenor.
Jose Otero, Esq., and Virginia Ackerman, Esq., Department of Labor, for the agency.
Young H. Cho, Esq., and Laura Eyester, Esq., Office of the General Counsel, GAO, participated in the preparation of the decision.

DIGEST

Protest challenging agency’s evaluation and selection of higher-rated, higher-priced quotation is denied where the record shows that the agency’s evaluation and selection were reasonable and consistent with the solicitation. 

DECISION

22nd Century Technologies, Inc., of McLean, Virginia, protests the establishment of a blanket purchase agreement (BPA) with Deloitte Consulting, LLP, of Arlington, Virginia under request for quotations (RFQ) No. 1605DC-19-Q-00006, issued by the Department of Labor (DOL), for enterprise-wide support services.  22nd Century argues that the agency’s evaluation was unreasonable, the agency treated vendors disparately, and the best-value tradeoff was flawed.

We deny the protest.

BACKGROUND

The RFQ was issued on January 1, 2019 to establish a BPA against the Federal Supply Schedule (FSS) using Federal Acquisition Regulation (FAR) subpart 8.4 procedures for enterprise-wide support for DOL’s cybersecurity and information assurance and program integration support services for department-wide information technology (IT) initiatives.[1]  Agency Report (AR), Tab 5, RFQ at 9.[2]  The RFQ stated that the agency would establish a BPA with one 12-month base period and four 12-month option periods using a best-value tradeoff considering the following factors:  technical, past performance, and price.  Id. at 9, 100.  The technical factor included the following five equally weighted subfactors:  understanding of the requirement, key personnel, corporate experience, start-up/phase-out plan, and quality control plan.  Id. at 100-102.  The RFQ stated that the technical factor was significantly more important than the past performance factor, and that the non-price factors, when combined, were significantly more important than price.  Id. at 100.  The RFQ also stated that the agency would evaluate vendors’ price quotations for reasonableness and completeness, and that vendors’ total proposed price would be utilized in the tradeoff.  Id. at 102. 

The agency received five quotations, including quotations from 22nd Century and Deloitte, which were evaluated as follows:

 

22nd Century

Deloitte

Technical 

Acceptable

Good

Understanding of the Requirement

Acceptable

Good

Key Personnel

Acceptable

Good

Corporate Experience

Acceptable

Good

Start-Up/Phase-Out Plan

Acceptable

Acceptable

Quality Control Plan

Acceptable

Good

Past Performance

Good/Low Risk

Good/Low Risk

Total Proposed Price

$111,994,220

$137,366,343



AR, Tab 14, Award Decision Document (ADD), at 2, 3. 

The contracting officer, who served as the selection official, reviewed the technical evaluation panel’s (TEP) consensus evaluation under the technical factor, performed a price analysis and a past performance evaluation, and conducted a comparative assessment between the vendors.  The contracting officer identified discriminators between the quotations; found that Deloitte’s quotation was superior to 22nd Century’s quotation under the understanding of the requirements, key personnel, corporate experience and quality control plan subfactors; and concluded that Deloitte’s technical superiority was worth the price premium over 22nd Century’s quotation.  Id. at 25‑28.  22nd Century was notified of Deloitte’s selection on September 20, 2019.  After receiving a brief explanation of the basis of award, this protest followed. 

DISCUSSION

22nd Century challenges the agency’s evaluation of its and Deloitte’s quotation essentially under every factor and subfactor, and the best-value tradeoff decision. Although we do not specifically address all of 22nd Century’s arguments, we have fully considered all of them and find that they afford no basis on which to sustain the protest.[3] 

Technical Factor--Understanding of the Requirement Subfactor

Under the technical factor, understanding of the requirement subfactor, vendors were required to demonstrate their understanding of the work to be performed pursuant to the Performance Work Statement’s (PWS) five task areas and their respective subtasks.[4]  RFQ at 23-37, 96, 101.  22nd Century was assessed one strength and six weaknesses, and assigned an acceptable rating under this subfactor.  AR, Tab 10, TEP Consensus Evaluation Report (TEP Report), at 4-6.  Deloitte was assessed five strengths and no weaknesses and assigned a good rating.  Id. at 9-10.  

The contracting officer performed a comparative assessment between the two quotations.  AR, Tab 14, ADD, at 25.  The contracting officer identified several weaknesses in 22nd Century’s quotation, including:  (1) failing to highlight or address enterprise architecture or EGov capabilities in its quotation; and (2) failing to describe a process to support the agency’s major information systems authority to operate (ATO) management.  Id. at 25-26.  The contracting officer identified Deloitte’s strength for its superior knowledge of identity control and access management (ICAM) to be a discriminator.  Id. at 25.  As a result, the contracting officer found Deloitte’s quotation to be more advantageous than 22nd Century’s quotation under this subfactor, and worth the additional cost.  Id. at 26.

22nd Century challenges five of the six weaknesses assessed to its quotation.  22nd Century also challenges the strength and discriminator assessed to Deloitte’s quotation for its knowledge of ICAM.  Protest at 8-13;[5] Comments and Supp. Protest at 7-8, 21‑26; Protester’s Supp. Comments, Nov. 21, 2019, at 2-5. 

Where, as here, an agency issues an RFQ to FSS vendors under FAR subpart 8.4 and conducts a competition for the issuance of an order or establishment of a BPA, we will review the record to ensure that the agency’s evaluation was reasonable and consistent with the terms of the solicitation and applicable procurement laws and regulations.  AllWorld Language Consultants, Inc., B-414244, B‑414244.2, Apr. 3, 2017, 2017 CPD ¶ 111 at 2; Digital Solutions, Inc., B-402067, Jan. 12, 2010, 2010 CPD ¶ 26 at 3-4.  A protester’s disagreement with the agency’s judgment, without more, does not establish that an evaluation was unreasonable.  DEI Consulting, B-401258, July 13, 2009, 2009 CPD ¶ 151 at 3.  Further, it is a vendor’s responsibility to submit a well-written quotation, with adequately detailed information which clearly demonstrates compliance with the solicitation requirements; the vendor runs the risk that the agency will unfavorably evaluate its proposal where it fails to do so.  The Concourse Grp., LLC, B-411962.5, Jan. 6, 2017, 2017 CPD ¶ 36 at 7.

Based on our review, we find that the agency’s evaluation with respect to four of the weaknesses was reasonable.  We also find that the agency’s evaluation was not reasonable with regard to one of the weaknesses assessed to 22nd Century.  However, we conclude that this error did not prejudice the protester, and we therefore find no basis to sustain the protest.  We address several representative examples below.

Failure to Address Enterprise Architecture or EGov Capability

22nd Century first argues that the agency unreasonably assessed a weakness for failing to “highlight or address Enterprise Architecture (EA) or EGov capability” and cites to sections of its quotation that addressed its enterprise architect approach.  Protest at 9‑10; Comments and Supp. Protest at 23.  The agency responds that 22nd Century’s quotation did not adequately address its plan for the integration of security objectives identified in the RFQ.  Memorandum of Law (MOL) at 27-28.  The agency also contends that 22nd Century’s assertions that its quotation addressed its enterprise architect approach pertained to a completely different subtask area, and did not adequately address the solicitation requirement.  Id.  

Under the DIA program management support task, information assurance administration subtask, the contractor was to provide recommendations on how to integrate security objectives into other aspects of the DOL organization, including enterprise architecture, EGov, CPIC, and specific technological initiatives; and how to include and expand upon the activities of other organizations to the benefit of DOL.  RFQ at 24.  22nd Century’s quotation stated that it would utilize its knowledge, initiative and experience to provide recommendations, guidance, and goals to improve the organization.  AR, Tab 6, 22nd Century Tech. Quotation, at 2-3.  22nd Century’s quotation further stated that it was familiar with the CPIC control process for IT.  Id. at 3.  In assessing a weakness, the agency found that 22nd Century did not address enterprise architecture or EGov capability, and only addressed its CPIC experience, and therefore did not demonstrate its understanding of the specific requirements and comprehension of the tasks outlined in the PWS.  AR, Tab 10, TEP Report, at 5. 

Based on our review of the record, we find reasonable the agency’s conclusion.  The agency reasonably concluded that the quotation did not sufficiently address enterprise architecture or EGov, and agencies are not required to infer information from an inadequately detailed proposal, or to supply information that the protester elected not to provide.  See Engility Corp., B-413120.3 et al., Feb. 14 2017, 2017 CPD ¶ 70 at 16.  Accordingly, this protest ground is denied.   

Failure to Address ATO Management Process

22nd Century next argues that the agency unreasonably assessed a weakness for failing to address the RFQ’s requirement to perform an in-depth analysis and prepare recommendations to support the ATO management task.  Protest at 11-13; Comments and Supp. Protest at 25-26.  The agency responds that while 22nd Century’s quotation claimed that it had a successful and proven approach, it provided little information that specifically addressed DOL’s ATO requirements or the process used.  MOL at 30‑31.

The RFQ described in detail the requirements under the enterprise security authorization management support task, ATO management subtask, including a requirement to:

Perform an in-depth analysis of current processes to determine the adequacy and shall prepare recommendations describing the technical approach, organizational resources, and management controls to be employed to meet the cost, performance and schedule requirements for the task; ensuring conformance with federal policies and guidelines.

RFQ at 30-32.  22nd Century’s quotation stated that it had a “successful and proven approach” that followed the National Institute of Standards (NIST) Special Publication (SP) 800-37 Risk Management Framework that could be tailored to support DOL processes and procedures.  AR, Tab 6, 22nd Century Tech. Quotation, at 19.  In assessing a weakness, the agency found that 22nd Century’s quotation did not describe processes that show how it would manage and support DOL major information system ATOs.  AR, Tab 10, TEP Report, at 5-6.

22nd Century’s arguments provide no basis to sustain the protest.  The record supports the agency’s conclusion that 22nd Century’s quotation did not provide a methodology that specifically addressed how it would manage and support DOL’s major information system ATOs.  While 22nd Century contends otherwise, the record shows that 22nd Century’s quotation provided a general approach without details.  AR, Tab 6, 22nd Century Tech. Quotation, at 18-19.  Accordingly, we find it reasonable for the agency to have assessed a weakness.  See Great Lakes Towing Co. d/b/a Great Lakes Shipyard, B-408210, June 26, 2013, 2013 CPD ¶ 151 at 7-8 (where a proposal omits, inadequately addresses, or fails to clearly convey required information, the offeror runs the risk of an adverse agency evaluation).

Outdated NIST Guidance

22nd Century also argues that the agency unreasonably assessed a weakness because the quotation’s executive summary referenced NIST SP “800-53a (rev.3),” rather than the most recent NIST guidance, which was revision 4.  The protester argues that its executive summary only described the work previously performed by its subcontract and its quotation elsewhere indicated its understanding that the relevant tasks were to be performed using the most recent NIST guidance.  Protest at 9; Comments and Supp. Protest at 22.  The agency responds that the quotation showed that 22nd Century’s subcontractor had been advising DOL using outdated guidance, which was an “obvious concern.”  MOL at 26-27; 2nd Supp. MOL at 4-5. 

Under the enterprise security authorization management support task, centralized information systems security officer (ISSO) services subtask, the contractor was to develop and maintain all security documentation for systems under its purview in accordance with the latest NIST SP 800-37 revision.  RFQ at 32.  The executive summary of 22nd Century’s quotation included a table highlighting 22nd Century’s and its subcontractors “strengths,” including a statement that “[f]or the DOL, over the last three years we have been providing cybersecurity assessments managing the NIST SP 800-53a (rev. 3) control assessments.”  AR, Tab 6, 22nd Century Tech. Quotation, at v.  22nd Century’s quotation, however, also indicated its familiarity with “various compliance program updates” including “the upcoming NIST SP 800-53 Rev 5 due sometime in 2019.”  Id. at 18. The agency, however, assessed the following weakness: 

The Executive Summary references 800-53a (rev.3).  This is old guidance and has been superseded by rev. 4 and soon rev. 5.  As well, it is not in alignment with the most recent versions as identified in the RFQ on page 32 (“the latest NIST SP 800-53 Revision”). 

AR, Tab 10, TEP Report, at 5.

On this record, we agree with the protester that the weakness is not supported by the record.  The RFQ stated that the agency would evaluate quotations to ensure vendors demonstrated their understanding of the work described in the PWS and the extent to which potential risks were identified and mitigated.  RFQ at 101.  As discussed above, 22nd Century’s quotation demonstrated its understanding that ISSO services were to be performed in accordance with the most recent NIST SP 800-53a revision and that a revision was forthcoming.  It was therefore not reasonable for the agency to assess a weakness based on 22nd Century’s executive summary description of the work its subcontractor had previously performed, which the agency now contends had been performed using outdated guidance. 

While we agree that the assessment of this weakness was unreasonable, we do not find it provides a basis to sustain the protest.  Competitive prejudice is an essential element of a viable protest, and we will sustain a protest only where the protester demonstrates that, but for the agency’s improper actions, it would have had a substantial chance of receiving the award.  DRS ICAS, LLC, B-401852.4, B-401852.5, Sept. 8, 2010, 2010 CPD ¶ 261 at 21-22.  Here, the record shows that 22nd Century was assessed five other weaknesses, one of which 22nd Century did not challenge.  Further, while the contracting officer identified several weaknesses as discriminators between Deloitte’s quotation and 22nd Century’s quotation under this subfactor, this weakness was not one of them. 

Evaluation of Deloitte’s Quotation

22nd Century argues that the agency unreasonably and unequally assessed and identified as a discriminator Deloitte’s strength for its superior knowledge of ICAM.  Comments and Supp. Protest at 7-8; Protester’s Supp. Comments, Nov. 21, 2019, at 2‑5; Protester’s Supp. Comments, Dec. 3, 2019, at 10-12.  The agency explains that it reasonably found Deloitte’s ICAM experience to be a strength and discriminator and the differing evaluation results were based on the differences in the quotations.  Supp. MOL at 2-3; 2nd Supp. MOL at 8-9.

In conducting procurements, agencies may not generally engage in conduct that amounts to unfair or disparate treatment of competing vendors.  Arc Aspicio, LLC et al., B-412612 et al., Apr. 11, 2016, 2016 CPD ¶ 117 at 13.  It is a fundamental principle of federal procurement law that a contracting agency must treat all vendors equally and evaluate their quotations evenhandedly against the solicitation’s requirements and evaluation criteria.  See Sumaria Sys., Inc.; COLSA Corp., B-412961, B-412961.2, June 21, 2016, 2016 CPD ¶ 188 at 10.  Where a protester alleges unequal treatment in a technical evaluation, it must show that the differences in ratings did not stem from differences between the proposals or quotations.  Camber Corp., B-413505, Nov. 10, 2016, 2016 CPD ¶ 350 at 8.

Under the DIA program management support task, ICAM subtask, the RFQ required the contractor provide support to the DOL ICAM solution project framework, which was in direct support of the agency’s identity access management (IAM) program.  RFQ at 27.  The specific duties included providing an in-depth analysis of the adequacy of DOL’s IAM efforts--to include conformance with the most current version of federal policies and guidelines--and recommendations on implementation.  Id.  The solicitation also required the contractor to actively participate on the IAM integrated project team (IPT) and associated advisory and working groups and lead DOL’s technical workgroups.  Id.

Deloitte’s quotation explained that it supported some of the largest IAM programs in the federal government to include those that are defining the future of ICAM, and would draw upon its experience to support the ICAM subtask.  See AR, Tab 16, Deloitte Tech. Quotation, at 8-9.[6]  Deloitte’s quotation also highlighted that its leadership helped shape identity management for the federal government, and identified its experience leading “the Federal CIO [Chief Information Officer] Council ICAM Policy and Standards Tiger Team advising on updates for authentication policy and standards.”  Id. at 8.  As a result, the TEP assessed Deloitte a strength, finding that Deloitte demonstrated its knowledge and experience and would assist the agency to stay current in the ICAM field.  AR, Tab 10, TEP Report, at 10.  In the contracting officer’s comparative assessment, the contracting officer identified this strength as a discriminator.  AR, Tab 14, ADD, at 25.

In comparison, 22nd Century’s quotation stated that it had supported system development life cycle processes and that its subject matter experts (SMEs) would use that knowledge and expertise to support DOL’s ICAM solution.  AR, Tab 6, 22nd Century Tech. Quotation, at 8.  22nd Century also stated that it recognized the importance of participating in various IPTs, associated advisory and working groups, and that its SMEs would support all such efforts.  Id. at 9. 

Based on this record, we do not find that the agency’s assessment of a strength to be unreasonable or unequal.  While 22nd Century’s quotation described its understanding of the requirements and explained that it has supported processes and has SMEs, Deloitte’s quotation detailed its experience in the ICAM field in leading a team, which it would utilize to perform the tasks under this requirement.  Accordingly, this protest ground is denied.  See Camber Corp., supra.

Key Personnel Subfactor

22nd Century argues that the agency treated vendors unequally by assessing strengths to Deloitte’s quotation, but not 22nd Century’s, for exceeding certification requirements and for mapping its quotation with the RFQ requirements.  Comments and Supp. Protest at 10, 14; Protester’s Supp. Comments, Nov. 21, 2019, at 8-11; Protester’s Supp. Comments, Dec. 3, 2019, at 8-10.[7]  The agency responds that Deloitte’s quotation demonstrated that several key personnel possessed multiple relevant certifications and 22nd Century’s quotation did not.  Supp. MOL at 6-8.  Similarly, Deloitte’s quotation mapped its key personnel to most of the PWS task areas while 22nd Century’s quotation did not.  2nd Supp. MOL at 6-7. 

The RFQ identified five key personnel positions and described education and certification requirements for each position.  RFQ at 37-39.  With the exception of the lead project/program manager, the RFQ required that key personnel possess Certified Information Systems Security Professional and Information Technology Infrastructure Library (ITIL) 4 Foundation certifications, and identified the Project Management Institute Project Management Professional (PMP) certification as a “highly recommended” certification.  Id.  The RFQ instructed vendors to provide resumes for key personnel and a matrix that included the background/experience mapped to the appropriate PWS task area supporting the proposed labor category, which the agency would evaluate.  Id. at 96, 101.

22nd Century was assessed one strength and one weakness, and assigned an acceptable rating under the key personnel subfactor.  AR, Tab 10, TEP Report, at 6. Deloitte was assessed six strengths and assigned a good rating under the key personnel subfactor.  Id. at 10.  Of the six strengths, three were assessed because its proposed project manager, senior security architect, and senior security engineer exceeded the certification requirements for their respective positions.  Id.  Deloitte was  also assessed two strengths for having mapped the skills of its key personnel to the requirements of the RFQ that:  (1) provided insight into how Deloitte planned to support the required task areas, and (2) documented that Deloitte was proposing a “team of professionals who will enhance DOL’s security posture.”  Id. at 11.  Finally, Deloitte was assessed a strength for proposing leads that exceeded the certification requirements for their positions but also exceeded the experience in the field of IT security specific for the tasks set forth by the agency.  Id. 

The contracting officer identified as a discriminator the fact that Deloitte proposed key personnel that exceeded the certification requirements for their positions, and mapped the skills of the key personnel to the RFQ requirements.  AR, Tab 14, ADD, at 26.  The contracting officer recognized that 22nd Century was also assessed a strength because its proposed project manager exceeded the certification requirements.  Id.  However, the contracting officer noted that 22nd Century’s quotation did not address whether its lead incident responder possessed the required ITIL certification.  Id.  

Based on our review of the record, we do not find that the agency treated 22nd Century unequally.  For example, 22nd Century argues that Deloitte was unequally assessed a strength because its proposed senior security architect possessed the highly recommended PMP certification but 22nd Century’s proposed senior security architect also had the same certification.  Protest at 10.  However, the TEP assessed a strength to Deloitte’s senior security architect not only for having the required certification and the highly recommended PMP certification but also having an additional [DELETED] certification.  AR, Tab 10, TEP Report, at 10.  In assessing the strength, the agency found that having the PMP and the [DELETED] could provide additional value and insight.  Id.  22nd Century does not argue, nor does its quotation demonstrate, that its proposed senior security architect possessed the [DELETED] certification.  Compare AR, Tab 6, 22nd Century’s Tech. Quotation, at 81 with AR, Tab 16, Deloitte’s Tech. Quotation, at A-5.[8] 

Similarly, the record shows that Deloitte’s quotation mapped its key personnel to each PWS task and subtask area.  AR, Tab 16, Deloitte’s Tech. Quotation, at 39; see also id. at A‑1-A-20 (resumes describing experience in each task area).  By contrast, 22nd Century’s quotation mapped its key personnel to only two out of five task areas of the PWS.  AR, Tab 6, 22nd Century Tech. Quotation, at 40.  For example, 22nd Century’s proposed project manager and senior security architect were mapped to the DI Assurance program management support task, and within those task areas, specifically the project management support and security engineering and architecture subtasks.  Id.  The remaining three key personnel were mapped to the Enterprise Security Operations Center support task, and three specific subtasks within that task.  Id.  On this record, we have no basis to find that the agency treated the vendors unequally.  Camber Corp., supra.

Corporate Experience Subfactor

22nd Century argues that the agency treated 22nd Century and Deloitte unequally under the corporate experience subfactor by identifying Deloitte’s Federal Risk and Authorization Management Program (FedRAMP) and third party assessment organization (3PAO) experience as a strength and overemphasized this experience in the selection decision when 22nd Century had similar experience.[9]  Comments and Supp. Protest at 15-17; Protester’s Supp. Comments, Nov. 21, 2019, at 11-15.  22nd Century also argues that the agency unreasonably credited Deloitte’s lack of experience with DOL more than it credited 22nd Century’s DOL experience.  Comments and Supp. Protest at 17-18; Protester’s Supp. Comments, Nov. 21, 2019, at 13-14. 

The agency explains that Deloitte’s quotation described and documented in greater detail the nature and level of its experience as compared to 22nd Century’s quotation.  Supp. MOL at 9.  The agency also explains that it did not overemphasize Deloitte’s FedRAMP experience in its evaluation because the experience was related to a specific PWS task area.  Id. at 12-13.  Finally, the agency explains that the contracting officer’s comparative assessment found Deloitte’s experience with FedRAMP and 3PAO--and not its lack of experience with DOL--to be more advantageous than 22nd Century’s experience with DOL.  Supp. MOL at 9-13; 2nd Supp. MOL at 10-12.

An agency’s evaluation of experience and past performance is, by its nature, subjective, and that evaluation, including the agency’s assessments with regard to relevance, scope, and significance, are matters of discretion which we will not disturb absent a clear demonstration that the assessments are unreasonable or inconsistent with the solicitation criteria.  Jefferson Consulting Grp., LLC, B-417555, B-417555.2, Aug. 16, 2019, 2019 CPD ¶ 293 at 6 (citing Glenn Def. Marine-Asia PTE, Ltd., B-402687.6, B‑402687.7, Oct. 13, 2011, 2012 CPD ¶ 3 at 7; SIMMEC Training Sols., B-406819, Aug. 20, 2012, 2012 CPD ¶ 238 at 4). 

The RFQ stated that under the corporate experience subfactor, the agency would evaluate the similarity in nature, scope, complexity, and difficulty to the orders contemplated under the solicitation.  RFQ at 101.  22nd Century was assessed one strength and assigned an adequate rating, while Deloitte was assessed three strengths and assigned a good rating.  AR, Tab 10, TEP Report, at 6, 11-12.  Specifically, 22nd Century’s quotation was assessed a strength under this subfactor based on its experience at DOL, which the TEP found would benefit the agency because of 22nd Century’s knowledge of the agency’s policies and procedures.  AR, Tab 10, TEP Report, at 7.  Deloitte was assessed three strengths, which included:  (1) its experience and knowledge of [DELETED]  and [DELETED], and experience providing a variety of training techniques, which the TEP found would benefit the agency in delivery of security awareness trainings; and (2) its experience as a FedRAMP accredited 3PAO organization, which the agency found validates the contractor’s expertise in FedRAMP knowledge, since 3PAO accreditation means the company has been selected by the government’s JAB to audit FedRAMP certified cloud service providers.  Id. at 11-12. 

In the comparative assessment, the contracting officer identified Deloitte’s experience with FedRAMP and as a 3PAO as a discriminator because Deloitte exceeded the experience necessary to perform the solicitation’s requirements and can provide additional value and insight.  AR, Tab 14, ADD, at 26.  The contracting officer also identified Deloitte’s use of tools ([DELETED]  and [DELETED]) that the agency was currently using as an advantage that would “ensure continuity of services . . . with minimum disruption and additional savings on training personnel.”  Id.  With regard to 22nd Century, the contracting officer recognized its experience working with the department as a strength because of its institutional knowledge.  Id. at 27.  The contracting officer, however, found that Deloitte “bring[s] new ideas and insight on how to approach DOL requirements . . . . [and was] worth the additional cost.”  Id.   

Based on the record presented, we find nothing unreasonable or unequal with regard to the agency’s evaluation under the corporate experience subfactor.  First, the enterprise security authorization management support task, ATO management subtask, provided a detailed description of the work to be performed, including providing expert knowledge and resources to assist federal staff in meeting FedRAMP requirements.  RFQ at 31.  Deloitte’s quotation highlighted, as part of the depth of its corporate experience in cybersecurity, that it was a FedRAMP accredited 3PAO.  AR, Tab 16, Deloitte Tech. Quotation, at 42.  22nd Century’s quotation stated that it provided subject matter expertise in FedRAMP and the cloud service accreditation process to include the review and analysis of 3PAO reports, provisional ATO packages, and agency ATO packages.  AR, Tab 6, 22nd Century Tech. Quotation, at 43, 44.  Here, 22nd Century has not shown how its expertise in FedRAMP and review of 3PAO reports is equal to Deloitte’s FedRAMP experience and 3PAO accreditation.  The protester also has not shown that the differences in ratings did not stem from differences between the quotations.  See Camber Corp., supra.

Additionally, we have routinely found that an agency may reasonably consider more relevant or specialized experience as a discriminator between proposals.  See, e.g., Environmental Chem. Corp., B-416166.3 et al., June 12, 2019, 2019 CPD ¶ 217 at 11 (citations omitted).  Here, the agency’s evaluation found that Deloitte’s experience as a 3PAO “validates the contractor’s expertise in FedRAMP knowledge.”  AR, Tab 10, TEP Report, at 12.  As the agency explained, this 3PAO experience provides “additional value and insight” for the ATO management requirement, which requires expert knowledge and resources to assist federal staff in meeting FedRAMP requirements.  Id.; AR, Tab 14, ADD, at 26.  The contracting officer also found that while 22nd Century’s corporate experience was a strength because of its institutional knowledge, Deloitte’s strength in its corporate experience--which could provide additional insight into how to approach the agency’s requirement--was a discriminator.  AR, Tab 14, ADD, at 26-27. 

Further, as discussed above, the record does not show that the contracting officer “credited” Deloitte with the lack of DOL experience.  Rather, the record shows that the contracting officer acknowledged the strength of 22nd Century’s corporate experience stemming from its experience with the agency.  AR, Tab 14, ADD, at 26-27.  The agency, however, found that Deloitte’s corporate experience--especially as a 3PAO that exceeded the requirements of the solicitation--would be beneficial to the agency as it could provide different ideas and insight as to how to approach the agency’s requirement.  Id.  22nd Century’s disagreement with the contracting officer’s determination that Deloitte’s quotation was more advantageous to 22nd Century’s quotation in this regard provides no basis to sustain the protest. 

Exception to Terms of the Solicitation

22nd Century argues that Deloitte’s price quotation took an exception to material terms of the solicitation, and, as a result, should have been eliminated from the competition.  Specifically, the protester contends that Deloitte’s price quotation contains statements reflecting its intent not to be bound by the ceiling rates proposed in its quotation and imposed other conditions affecting established deliverables schedules.  Comments and Supp. Protest at 4-6.  The agency responds that the statements relied on by 22nd Century describe assumptions made by Deloitte in its price quotation, but contends that those assumptions did not take exception to the material terms of the solicitation.  Supp. MOL at 20-21.

Clearly stated solicitation requirements are considered material to the needs of the government, and a proposal that fails to conform to the material terms and conditions of the solicitation is considered unacceptable and may not form the basis for award.  Akira Techs., Inc.; Team ASSIST, B-412017 et al., Dec. 7, 2015, 2015 CPD ¶ 383 at 5.  Material terms of a solicitation are those which affect the price, quantity, quality, or delivery of the goods or services being provided.  Arrington Dixon & Assocs., Inc., B‑409981, B-409981.2, Oct. 3, 2014, 2014 CPD ¶ 284 at 11.

The RFQ contemplated the establishment a BPA under which fixed-price and labor-hour type orders would be issued.  RFQ at 1.  For the price factor, vendors were instructed to complete a workbook that reflected the agency’s estimate of labor categories and labor hours necessary to perform each PWS task area for the base and option periods.  Id. at 1, 99, 102; RFQ, attach. 6, Pricing Worksheet.  The RFQ did not require vendors to utilize the agency-provided labor categories or hours.  Id.  The RFQ, however, required the fixed-priced labor rates proposed by the vendors to be utilized as ceiling labor rates for orders placed under the BPA.  RFQ at 1. 

Deloitte’s price quotation proposed fixed-price labor rates that Deloitte represented would be “used as ceiling rates for pricing all labor proposed under future fixed priced orders under the BPA.”  AR, Tab 9A, Deloitte Price Quotation, at 16-17.  Deloitte’s price quotation also included an assumptions and clarifications section describing its assumptions utilized in pricing its quotation.  Id. at 22-23. 

With regard to the level of effort, Deloitte explained that for pricing purposes it utilized the labor categories and hours provided in the RFQ.  Id. at 22.  However, it also stated the following:

[Deloitte] understand[s] that upon BPA award, task orders will be diverse, which will require us to propose varying levels of effort across labor categories.  For individual task orders, Deloitte assumes that additional scoping and sizing information will be provided prior to developing estimated levels of effort and pricing.

Id.  Deloitte’s quotation also stated that it assumed information requested from the government and/or third parties would be provided within a certain time frame and be accurate, but if not, “may lead to a change order if it results in a project schedule delay.”  Id. 

The record does not support 22nd Century’s contention that Deloitte’s assumption--that the agency would provide additional information that would be utilized to develop an estimate and price for an order--reflected Deloitte’s lack of commitment to be bound by the ceiling labor rates.  Deloitte’s quotation clearly stated that the labor rates proposed in its quotation would be utilized as ceiling rates for future orders to be placed under the BPA.

Similarly, we do not agree with 22nd Century that Deloitte modified the requirement that it meet established schedules for contract deliverables when it stated that a change order could result from delays in the availability and accuracy of information.  Deloitte’s quotation only stated that delays in the project schedule stemming from unavailability or inaccuracy of information provided to Deloitte, during the performance of a yet-to-be issued order, may result in a change order.  These statements do not indicate that Deloitte does not intend to commit to the RFQ’s terms.  Accordingly, we do not find that Deloitte took exception to material terms of the solicitation in its price quotation, and, we deny these protest grounds.  See BillSmart Sols., LLC, B-413272.4, B-413272.5, Oct. 23, 2017, 2017 CPD ¶ 325 at 12. 

Evaluation of Deloitte’s Price Quotation

22nd Century argues that the agency failed to perform and document an adequate price reasonableness evaluation which would have determined that Deloitte’s price--which was $25 million and 22.8 percent higher than 22nd Century’s--was unreasonable.  Protest at 16; Comments and Supp. Protest at 28-32.  The agency responds that it concluded and documented that Deloitte’s price was reasonable based on a comparison of the vendors’ proposed prices to each other, and to the independent government cost estimate (IGCE).  Contracting Officer’s Statement (COS) at 16-17; MOL at 36-37; Supp. MOL at 18-20. 

A price reasonableness determination is a matter of administrative discretion involving the exercise of business judgment by the contracting officer that our Office will only question where it is shown to be unreasonable.  See TCG, Inc., B-417610, B-417610.2, Sept. 3, 2019, 2019 CPD ¶ 312 at 7; InfoZen, Inc., B-411530, B‑411530.2, Aug. 12, 2015, 2015 CPD ¶ 270 at 5.  The manner and depth of an agency’s price analysis is a matter within the sound exercise of the agency’s discretion, and we will not disturb such an analysis unless it lacks a reasonable basis.  See Gentex Corp.—W. Operations, B‑291793 et al., Mar  25, 2003, 2003 CPD ¶ 66 at 27-28.  

The RFQ stated that in evaluating price reasonableness and completeness, quotations would be evaluated using one or more of the techniques defined in FAR § 15.404.  RFQ at 103.  These techniques include, among other methods, a comparison of the proposed prices received in response to the solicitation (with adequate price competition normally establishing a fair and reasonable price), and comparison of prices to an independent government estimate.  FAR § 15.404-1(b)(2).

Here, the agency evaluated the reasonableness of Deloitte’s pricing by comparing vendors’ total proposed prices to each other and the IGCE.  See generally AR, Tab 13, Price Analysis, at 2-8.  In the pricing analysis, the contracting officer found that Deloitte’s price was higher than the total proposed prices of three other vendors, including 22nd Century, but was lower than the other remaining vendor and 28 percent lower than the IGCE.  Id. at 2, 4.  Similarly, of the five quotations received, 22nd Century’s total proposed price was 42 percent lower than the IGCE and was lower than two vendors, including Deloitte, but higher than two other vendors.  See id.  The contracting officer also compared the labor rates between 22nd Century and Deloitte for the base and option years and did not find these labor rates to be unreasonable.  Id. at 5-7.  As a result, the contracting officer concluded that Deloitte and 22nd Century’s total proposed prices were reasonable.  Id. at 8.  We find this conclusion to be reasonable, within the agency’s sound discretion, and well-documented. 

In reaching these conclusions, we find 22nd Century’s reliance on our decisions in Cognosante, LLC, B-417111 et al., Feb. 21, 2019, 2019 CPD ¶ 93 at 5, and Technatomy Corp., B‑414672.5, Oct. 10, 2018, 2018 CPD ¶ 353 at 14, to be misplaced.  In those decisions, we sustained the protests because the records did not demonstrate that the agencies performed any assessment or comparison of the proposed prices but instead showed reliance solely on adequate price competition, i.e., the receipt of multiple responses to the solicitation, to determine that the awardees’ prices were reasonable.  To the extent 22nd Century believes the agency should have conducted a more in-depth analysis of the price quotations, as discussed above, the depth of an agency’s price analysis is a matter within the sound exercise of the agency’s discretion; we find no legal requirement here for the agency to have done a more in-depth analysis than was undertaken here.  See Indtai Inc., B-298432.3, Jan. 17, 2007, 2007 CPD ¶ 13 at 4.  Accordingly, this protest ground is denied. 

Best-Value Tradeoff

Finally, 22nd Century argues that the agency’s best-value tradeoff decision was flawed because the agency failed to meaningfully consider Deloitte’s price and the decision was inadequately documented.  Protest at 17-19; Comments and Supp. Protest at 32‑33.

Where, as here, a procurement conducted pursuant to FAR subpart 8.4 provides for the establishment of a BPA on a best-value tradeoff basis, it is the function of the selection authority to perform a price/technical tradeoff, that is, to determine whether one quotation’s technical superiority is worth its higher price.  SRA Int’l, Inc.; NTT DATA Servs. Fed. Gov’t, Inc., B-413220.4 et al., May 19, 2017, 2017 CPD ¶ 173 at 15.  An agency may properly select a more highly rated quotation over one offering a lower price where it has reasonably determined that the technical superiority outweighs the price difference.  Id.  The agency’s decision is governed only by the test of rationality and consistency with the solicitation’s stated evaluation scheme.  Id.

Here, the record shows that the contracting officer performed a comparative assessment between the vendors under each factor and subfactor, identified discriminators between the quotations, and ultimately concluded that Deloitte demonstrated technical superiority over 22nd Century under the technical factor.  Specifically, under the understanding of the requirement, key personnel, corporate experience, and quality control plan subfactors, the agency identified attributes of both vendors that represented discriminators.  AR, Tab 14, ADD, at 25-28. The contracting officer also concluded that the collective technical superiority based on the discriminators identified under each subfactor was worth the price premium associated with Deloitte’s quotation.  Id. at 27. Given that the record shows that the agency’s selection decision had a reasonable basis, and was properly documented, and given that 22nd Century has not prevailed on its substantive challenges to the agency’s evaluation, we see no basis to disturb the selection decision here. 

The protest is denied.

Thomas H. Armstrong
General Counsel



[1] These initiatives include, but are not limited to, enterprise architecture, e-government (EGov) achievement, and IT capital planning and investment control (CPIC).  RFQ at 8. 

[2] The solicitation was amended four times.  Citations to the solicitation are to the final version as amended.

[3] For example, 22nd Century challenges the agency’s assignment of adjectival ratings for several subfactors.  See, e.g., Protest at 13-14; Comments and Supp. Protest at 8-9, 14-15, 19-20, 26.  It is well-established that adjectival ratings are only guides for intelligent decision making in the procurement process.  Protection Strategies, Inc., B‑414648.2, B-414648.3, Nov. 20, 2017, 2017 CPD ¶ 365 at 17. The essence of an agency’s evaluation is reflected in the evaluation record itself, not in the adjectival ratings or adjectival characterizations of proposal features as strengths or weaknesses.  See Systems Eng’g Partners, LLC, B-412329, B-412329.2, Jan. 20, 2016, 2016 CPD ¶ 31 at 7.  We find 22nd Century’s argument to be without merit as the record shows that the contracting officer looked behind the adjectival ratings to the substance of the evaluation, performed a comparative assessment of the quotations, and identified discriminators in the selection decision.  See L-3 Commc’ns, L-3 Link Simulations & Training, B-410644.2, Jan. 20, 2016, 2016 CPD ¶ 44 at 7 (denying protest where agency properly considered relative merits of two proposals).

[4] The task areas are:  Division of Information Assurance (DIA) program management support; enterprise policy and governance; enterprise security authorization management support; enterprise security operations center support; and information assurance transition plan.  RFQ at 23-37. 

[5] After filing its initial protest on September 25, 2019, 22nd Century filed a supplemental protest on September 30 alleging additional protest grounds and consolidating the initial grounds of protest.  For the purpose of consistency, all citations in this decision to the “Protest” will refer to the protester’s September 30 filing.

[6] Deloitte’s technical quotation was provided to the protester and our Office after DOL submitted its agency report.  Electronic Protest Docketing System (EPDS) docket entry 32.  While the agency did not assign this document an agency report document number, for the purpose of consistency with the agency report documents that were produced, this decision refers to this document as Tab 16. 

[7] For the first time in its comments, 22nd Century argues that it should have been assessed additional strengths because its key personnel exceeded the solicitation’s educational and experience requirements.  Comments and Supp. Protest at 11-14.  While the protester asserts this argument is timely because the agency assessed Deloitte a strength, in part, for exceeding the experience requirements in the RFQ, we disagree.  Under our Bid Protest Regulations, protests based on other than solicitation improprieties must be filed within 10 days of when the protester knew or should have known their basis.  4 C.F.R. § 21.2(a)(2).  Because the protester had knowledge of the proposal strengths identified by the agency on September 20, 2019, and did not challenge the failure of the agency to assess additional strengths until it submitted its comments on the agency report on November 4, 2019, these additional assertions are untimely and will not be considered further.  4 C.F.R. § 21.2(a)(2).

[8] Similarly, Deloitte’s senior security engineer was assessed a strength for having, in addition to the required certifications and highly recommended PMP certification, a [DELETED] and [DELETED] certification.  AR, Tab 10, TEP Report, at 11.  A review of 22nd Century’s quotation does not show that its proposed senior security engineer possessed the same certifications.  See AR, Tab 6, 22nd Century Tech. Quotation, at 85.

[9] FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.  Supp. MOL at 12-13 (quoting fedramp.gov/faqs/).  There are two types of FedRAMP authorizations:  a provisional authority to operate through the Joint Authorization Board (JAB) and an agency authority to operate.  Id.  3PAOs perform the initial and periodic assessments of cloud systems to ensure they meet FedRAMP security requirements as part of a cloud service provider’s FedRAMP authorization for both JAB and agency authorizations.  See https://www.fedramp.gov/assessors/ (last visited Dec. 19, 2019). 

Jan 17, 2020

Jan 16, 2020

Jan 15, 2020

Jan 13, 2020

Jan 10, 2020

Jan 9, 2020

Looking for more? Browse all our products here