Open SAN Consulting, LLC
B-418875.3: Oct 6, 2020
Open SAN Consulting, LLC (OSC), an 8(a) women-owned small business of Atlanta, Georgia, protests the rejection of its quotation under request for quotations (RFQ) No. 140D0420Q0189, issued by the Department of the Interior (DOI), on behalf of the Department of Health and Human Services (HHS), for cybersecurity support services in support of HHS's Office of the Chief Information Officer. The protester argues that the agency improperly determined that its quotation was unacceptable.
We deny the protest.
DOCUMENT FOR PUBLIC RELEASE
The decision issued on the date below was subject to a GAO Protective Order. This redacted version has been approved for public release.
Matter of: Open SAN Consulting, LLC
Date: October 6, 2020
Protest that the agency improperly rejected quotation in an acquisition conducted under Federal Acquisition Regulation subpart 8.4 is denied where the record shows that the evaluation was reasonable and consistent with the terms of the solicitation.
On March 26, 2020, DOI issued the RFQ as a small business set-aside and sought quotations from vendors holding Federal Supply Schedule (FSS) contracts under General Services Administration Information Technology Schedule 70. Agency Report (AR), Tab 2, RFQ at 1. The solicitation, issued under the FSS procedures of Federal Acquisition Regulation (FAR) subpart 8.4, contemplated the issuance of a time-and-materials task order for cybersecurity support services to be performed over a 1-year base period and four 1-year option periods. Id. at 1-2. Award would be made on a best-value tradeoff basis, considering four evaluation factors, listed in descending order of importance: (1) technical approach; (2) management approach and key personnel; (3) past performance; and (4) price. Id. at 11-12.
To be considered for award, each vendor was required to complete a minimum requirements worksheet (MRW) in which the agency identified eight minimum requirements for technical acceptability. RFQ, attach. 2, MRW at 1. In this regard, vendors were required to certify whether their quotation met the minimum requirements, and identify the section where information meeting the requirement could be found. Id. As relevant here, one of the requirements was that a firm demonstrate “experience providing privacy [subject matter expert (SME)] review of Privacy Impact Assessments [(PIAs)] and other privacy-related Assessment and Authorization (A&A) documentation to assess privacy risks and compliance with federal and agency requirements.” Id. at 2.
The RFQ advised that the government would evaluate a vendor’s answers to the MRW on a pass/fail basis. RFQ at 5. Quotations that did not meet the minimum requirements would be found technically unacceptable and rejected from further consideration. Id. at 11; RFQ, attach. 2, MRW at 1. Quotations determined to meet the minimum requirements would be considered preliminarily technically acceptable and the remainder of the vendor’s technical quotation would be evaluated. RFQ at 5. The RFQ also advised that the government reserved the right to validate the information in the MRW in any way it deemed necessary. Id.
Nineteen vendors, including OSC, submitted quotations by the May 4 closing date. Memorandum of Law (MOL) at 1. OSC identified sections 2.1.3 and 2.1.4 as the portions of its quotation that met the requirement to demonstrate experience providing privacy SME review of PIAs and other privacy-related documentation to assess privacy risks and compliance with federal and agency requirements. AR, Tab 3, OSC MRW at 2.
After evaluating the vendors’ MRWs, OSC and six other vendors were found technically unacceptable for failing to adequately demonstrate certain minimum requirements. MOL at 7. With regard to OSC, the agency found OSC’s response to the requirement to demonstrate experience providing privacy SME review of PIAs and other privacy-related A&A documentation to be lacking. AR, Tab 6, MRW Evaluation at 1. Specifically, the agency concluded that OSC’s quotation showed experience only in completing PIAs, rather than a privacy SME’s review of PIAs or privacy compliance documentation. Id. As relevant here, the agency stated that section 2.1.3 failed to identify privacy or privacy compliance documentation. Id. Additionally, the agency explained that the quotation mentioned authorizations to operate (ATOs) documentation, which includes PIAs, but did not reference any privacy documents or controls despite providing examples of security documentation. Id. With regard to section 2.1.4, the agency concluded that OSC’s reference to providing privacy subject matter expertise to assist stakeholders with the review and completion of “privacy reared deliverables” did not explicitly name PIAs or relevant privacy compliance documentation. Id. As a result, OSC’s quotation was found technically unacceptable and not further evaluated.
On June 22, the agency notified OSC that another vendor was selected for award. On June 29, the agency provided OSC a brief explanation of award. On July 2, OSC timely protested to our Office.
OSC challenges the agency’s evaluation of its MRW. The protester contends that the agency’s conclusions with regard to sections 2.1.3 and 2.1.4 of the protester’s quotation were flawed. As explained below, we find no basis to sustain the protest.
Where, as here, an agency issues an RFQ to FSS contractors under FAR subpart 8.4 and conducts a competition, we will review the record to ensure that the agency’s evaluation is reasonable and consistent with the terms of the solicitation and applicable procurement laws and regulations. DEI Consulting, B-401258, July 13, 2009, 2009 CPD ¶ 151 at 2. It is a vendor’s burden to submit an adequately-written quotation, and the vendor’s disagreement with an unfavorable rating of a poorly-written quotation, without more, does not establish that the evaluation was unreasonable. DigitalSpec, LLC, B-412344, Jan. 20, 2016, 2016 CPD ¶ 72 at 5.
The protester contends that sections 2.1.3 and 2.1.4 of its quotation demonstrated the experience required by the MRW. First, while acknowledging that section 2.1.3 of its quotation did not specifically reference PIAs, the protester contends that this section met the requirement to show experience providing SME review of PIAs and privacy compliance documentation by referencing ATOs, which include PIAs. Protest at 13.
In response, the agency explains that the quotation’s reference to ATOs, which it acknowledges includes PIAs, was too general to meet the specific minimum requirement. MOL at 5. Additionally, the agency asserts that this section failed to reference either specific PIAs and privacy-related A&A documents, or OSC’s experience providing review of privacy documents by privacy SMEs. Contracting Officer’s Statement at 6.
OSC asserts in reply that the agency should have found the references to ATOs sufficient to meet the requirement because the agency acknowledged that ATOs include PIAs. Comments at 11. Additionally, OSC contends that the agency erred in finding review of ATOs by “seasoned experts” to be insufficient. Id.
Here, we find the agency’s evaluation unobjectionable. The RFQ essentially required vendors to demonstrate experience providing privacy SME review of PIAs. RFQ, attach. 2, MRW at 2. The record shows that in section 2.1.3, the protester’s quotation referenced ATOs, and development of ATOs, rather than PIAs as the solicitation required. AR, Tab 4, OSC Quotation at 16. Additionally, the section’s reference to using “seasoned personnel who are experts at [Information System Security Officer and security control assessment] services” also fails to meet the solicitation requirements. Id. This reference neither explains how these “seasoned personnel” are or should be understood as being privacy SMEs, nor shows that these personnel reviewed PIAs. Id. In this regard, the protester failed to provide the specific information required by the solicitation. On this record, we find no basis to sustain the protest.
Next, OSC contends that section 2.1.4 of the firm’s quotation explicitly named PIAs by referencing development of standard operating procedures (SOP) for the completion of PIAs for the Centers for Medicare and Medicaid Services (CMS) and by stating that “Team [OSC] has provided privacy subject matter expertise to assist CMS stakeholders with the review and completion of privacy reared deliverables.” Protest at 12 (citing AR, Tab 4, OSC Quotation at 24). In addition, the protester contends that the agency should have understood that these two references were connected despite them appearing two sentences apart. Id.
In response, the agency contends that developing SOPs for the completion of PIAs, and an SME’s review of “privacy reared deliverables,” is different from a privacy SME’s review of PIAs. MOL at 5. The agency explains that during the evaluation, the contracting officer specifically inquired whether the term “privacy reared deliverables” could be interpreted to mean PIAs and was advised by the technical team that the term was too general to include PIAs. Id. In this contemporaneous conversation, the technical representative also explained to the contracting officer the difference between an SME’s review of PIAs and the development or preparation of PIAs in general. AR, Tab 9, Email from Technical Representative to Contracting Officer, May 15, 2020. In this regard, the technical representative stated that review of PIAs by privacy SMEs is especially important because SMEs are trained to interpret the legal and privacy-specific risks that can arise in compliance documentation, including documentation that has been approved for data processing. Id. The technical representative also noted that the content provided in PIAs by the technical system owners or information security professionals usually relates only to information about the system, such as who has access and the information included in the system. Id.
In response, OSC argues that it is unreasonable to conclude that the company that drafts a PIA lacks the capacity to ensure that PIAs are compliant. Comments at 7. The protester also continues to assert that its quotation identified experience providing SME review of privacy documentation. Id. at 9-10.
Our review of section 2.1.4 of OSC’s quotation shows that the quotation identified the OSC team as having experience developing an SOP on completing PIAs. AR, Tab 4, OSC Quotation at 24. In our view, this reference neither identifies experience performed by a privacy SME, nor shows that a PIA itself was reviewed. As the agency explains, in the contemporaneous record and in response to the protest, development of a PIA is distinguishable from an SME’s review of PIAs because an SME has the background necessary to discover legal and privacy-specific risks in documents that may have been approved for implementation.
Additionally, where OSC’s quotation does identify experience performed by a privacy SME, the quotation makes reference only to “privacy reared deliverables.” AR, Tab 4, OSC Quotation at 24-25. In this regard, the quotation provides no definition for this term and offers no explanation for how the term should be understood to reference PIAs. Given the lack of definition or explanation, we fail to see how the agency should have understood that the reference to “privacy reared deliverables” encompassed the reference to an SOP on completing PIAs, even assuming the agency considered these two references as connected. Moreover, even if the agency had read these references in conjunction, the completion of an SOP on PIAs would not have been sufficient to meet the minimum requirement given that completion of a PIA is distinguishable from an SME’s review of a PIA. On these facts, we do not find that the agency’s evaluation of sections 2.1.3 and 2.1.4 of OSC’s quotation was improper. Accordingly, we find no basis to question the agency’s conclusion that the quotation was unacceptable for failing to comply with the solicitation requirements.
We deny the protest.
Thomas H. Armstrong
 The RFQ also sought to award task orders for advanced cybersecurity support services and security information and event management. RFQ at 1. Neither service is at issue in this protest.
In its evaluation, the agency also described the significance of having documents reviewed by privacy SMEs. AR, Tab 6, MRW Evaluation at 1. The agency asserted that the content provided in PIAs is usually carried out by technical systems owners or information security professionals who can offer information only about the system. Id. Conversely, SME reviewers of PIAs are trained to interpret information in the PIA for compliance and to identify the legal and privacy-specific risks. Id. In this regard, the agency explained that reviews by individuals with privacy expertise are important because privacy risks can arise from even “approved” data processing. Id.
 An authorization to operate--sometimes called authority to operate--is the official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the nation based on the implementation of an agreed-upon set of security controls. DATA Act: OMB and Treasury Have Issued Additional Guidance and Have Improved Pilot Design but Implementation Challenges Remain, GAO-17-156 at 28 n.37 (2016) (citing the definition for ATO set forth in National Institute of Standards and Technology Special Publication 800-37).
 OSC also raises other collateral arguments. Although not addressed in this decision, we have considered the protester’s various arguments and conclude that none provide a basis to sustain the protest. For example, in its protest, OSC asserts that the agency disparately evaluated the awardee’s and OSC’s quotations based only on OSC’s contention the agency “baselessly” concluded that OSC failed to meet a minimum requirement. Protest at 14. The protester offers only this bare assertion to support its allegation. This argument fails to provide a sufficient factual basis to challenge the agency’s evaluation. Accordingly, we did not require the agency to respond to this protest ground, and we dismiss this argument here. 4 C.F.R. § 21.5(f); Electronic Protest Docketing System No. 14.
 Our citations are to the pages in the Adobe pdf version of the document provided by the agency.
 We find no merit to the protester’s contention that a paragraph in section 2.1.4 of the firm’s quotation, entitled Privacy Impact Assessments, met the minimum requirement by explicitly naming PIAs and relevant privacy compliance documentation. Protest at 13. The record shows that this section primarily discusses what PIAs are and what PIAs do. AR, Tab 4, OSC Quotation at 24-25. Additionally, rather than demonstrating a privacy SME’s experience reviewing PIAs, this section shows that OSC “is experienced in completing PIAs . . . and has assisted stakeholders in completing PIAs.” Id. at 25. Because this paragraph does not demonstrate OSC’s experience providing review of PIAs by privacy SMEs, we find no basis to challenge the agency’s evaluation of this section.
 We also find no basis to sustain the protester’s allegation that the agency disparately evaluated OSC’s and another vendor’s quotation, where the agency advanced the other vendor’s quotation for further review, but ultimately did not select this other quotation for award. Comments at 2, 17-18. The record shows that in reviewing this vendor’s quotation, the agency’s concern was “more about the drafting and developing of privacy compliance documentation (PIAs) and not reviewing as a SME.” AR, Tab 6, MRW Evaluation at 1. In our view, this language does not show that the agency allowed this vendor to remain in the competition despite having concerns about a privacy SME’s review of PIAs. Instead, the agency was concerned about the drafting and developing of PIAs, which was not the focus of the MRW.