Discover Technologies LLC

B-412773,B-412773.2: May 27, 2016

Contact:

Ralph O. White
(202) 512-8278
WhiteRO@gao.gov

Kenneth E. Patton
(202) 512-8205
PattonK@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

DOCUMENT FOR PUBLIC RELEASE
The decision issued on the date below was subject to a GAO Protective Order. This redacted version has been approved for public release.

Decision

Matter of:  Discover Technologies LLC

File:  B-412773; B-412773.2

Date:  May 27, 2016

Robert J. Symon, Esq., Elizabeth A. Ferrell, Esq., and Aron C. Beezley, Esq., Bradley Arant Boult Cummings LLP, for the protester.
Shlomo D. Katz, Esq., and Andrew Crawford, Esq., Brown Rudnick LLP, for Information Innovators Inc., an intervenor.
Christopher M. Johnson, Esq., and Jonathan A. Baker, Esq., Department of Health and Human Services, for the agency.
Matthew T. Crosby, Esq., and Christina Sklarew, Esq., Office of the General Counsel, GAO, participated in the preparation of the decision.

DIGEST

1.  Solicitation provisions requiring the “contractor” to comply with federal information security laws and standards did not require vendors to demonstrate compliance before the source selection decision; such compliance is a performance requirement to be satisfied during contract performance.

2.  Protest challenging agency’s evaluation of awardee’s technical quotation is denied where the record shows the evaluation was reasonable and consistent with the terms of the solicitation and applicable statutes and regulations.

DECISION

Discover Technologies LLC, of Reston, Virginia, protests the establishment of a blanket purchase agreement (BPA) with Information Innovators Inc. (Triple-i), of Rockville, Maryland, by the Department of Health and Human Services (HHS), Food and Drug Administration (FDA), under request for quotations (RFQ) No. 1014249 for website content management system support services.  Discover alleges that the agency unreasonably evaluated Triple-i’s quotation with regard to information security.

We deny the protest.

BACKGROUND

On July 31, 2015, and pursuant to the procedures set forth in Federal Acquisition Regulation (FAR) subpart 8.4, the agency issued the solicitation to vendors holding contracts under General Services Administration (GSA) Federal Supply Schedule (FSS) 70, General Purpose Commercial Information Technology Equipment, Software, and Services.  Contract Specialist’s Statement at 2.  The solicitation contemplated the establishment of a fixed hourly rate BPA with a base ordering period of one year, and four one-year options.  RFQ at 24.[1]

The solicitation included a statement of work (SOW) outlining the services to be furnished under the BPA.  RFQ at 6-18.  The solicitation also included an SOW for an initial task order to be issued under the BPA, referred to as “Call One.”  Agency Report (AR), Tab 6, Call One SOW.  In addition, the solicitation included a hypothetical “technical scenario” that vendors were to address in their quotations.  RFQ at 43-44.

The solicitation provided that the BPA would be established based on the quotation representing the best value to the government, considering price and the following three factors, listed in descending order of importance:  technical understanding and approach, management approach, and relevant experience.  RFQ at 48.  The solicitation stated that the nonprice factors, when combined, were significantly more important than price.  Id. at 48.

The technical understanding and approach factor included two subfactors:  Call One understanding and approach; and technical understanding and approach to technical scenarios.  RFQ at 48.  The management approach factor also included two subfactors:  management approach to BPA and Call One; and key personnel.  Id.  The solicitation provided evaluation criteria for each of the factors and subfactors.  Id. at 49-51.

As relevant here, the solicitation stated that “[t]he Contractor shall be familiar and comply with applicable federal information technology and information management laws, regulations, policies, and standards.”  RFQ at 19.  Following this statement, the solicitation listed “[c]urrent standards and guidelines that must be considered in the performance of this BPA.”  Id.  The list included the Federal Information Security Management Act of 2002 (FISMA).  Id. at 20.  As described in the solicitation, FISMA requires “each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, Contractor, or other source.”[2]  RFQ at 20.

Triple-i is the incumbent contractor for the web content management system support services being solicited here.  AR, Tab 1a, Triple-i Quotation, Technical Vol., pt. 1, at 4-5.  In its performance as the incumbent, Triple-i employed the services of a web hosting vendor known as Rackspace.  Id. at 7-8.

The agency received a number of quotations by the solicitation’s closing date, including quotations from Discover and Triple-i.  AR, Tab 9, Recommendation for Award, at 2.  Several quotations were eliminated from the competition after being deemed noncompliant with the solicitation.  Id.  A project advisory group (PAG) evaluated the remaining quotations and assigned adjectival ratings under each of the nonprice factors and subfactors.  See id. at 5.  The PAG also assigned risk ratings and overall nonprice ratings to the quotations.  See id.  The table below shows the ratings assigned to Discover’s and Triple-i’s quotations, as well as the firms’ total evaluated prices.

                                                                   DISCOVER              TRIPLE-I
Factor 1--Technical Understanding and Approach                     Satisfactory          Highly Satisfactory
  Subfactor 1--Call One Understanding and Approach                 Satisfactory          Highly Satisfactory
  Subfactor 2--Technical Understanding and Approach to
    Technical Scenarios                                            Highly Satisfactory   Highly Satisfactory
Factor 2--Management Approach                                      Satisfactory          Satisfactory
  Subfactor 1--Management Approach to BPA and Call One             Satisfactory          Satisfactory
  Subfactor 2--Key Personnel                                       Not Satisfactory      Highly Satisfactory
Factor 3--Relevant Experience                                      Satisfactory          Satisfactory
Risk                                                               Low                   Very Low
Overall Rating                                                     Satisfactory          Highly Satisfactory
Total Evaluated Price                                              $29,563,701.61        $28,756,932.78

Id. at 3, 5.

Based on the PAG’s evaluation, the contract specialist prepared a report and source selection recommendation for the contracting officer.  AR, Tab 9, Recommendation for Award.  The report summarized the PAG’s findings and provided a best-value tradeoff analysis.  Id. at 7-26.  In comparing the quotations of Discover and Triple-i, the contract specialist found that Triple-i’s quotation was “more beneficial” to the government than Discover’s because it was both lower in price and higher rated technically.  Id. at 24.  After comparing the other quotations and discussing the merits of a number of specific features of Triple-i’s technical approach, the contract specialist concluded that Triple-i’s quotation offered the best value to the government and recommended that the BPA be established with Triple-i.  Id. at 23-26.  The contracting officer approved the contract specialist’s recommendation.  Id. at 27.  The agency then established the BPA with Triple-i.  Discover subsequently filed a protest with our Office.

DISCUSSION

Discover alleges that the agency’s selection of Triple-i for the BPA was improper because, according to Discover, the vendor that Triple-i intends to use for web hosting (Rackspace) provides services that, as Discover characterizes it, “are not compliant with FISMA.”  Protest at 6 (emphasis in original).  As discussed above, the solicitation provided that the “contractor” must comply with a number of federal information technology laws and standards, including FISMA.  RFQ at 19-20.  Discover offers several communications in which sales representatives for Triple-i’s web hosting vendor state that the vendor’s services are not “FISMA certified” or “FISMA compliant.”  Protest at 7.  Based on these e-mails, Discover argues that the agency should have evaluated Triple-i’s quotation as “Not Satisfactory” or “noncompliant with the terms of the RFQ.”  Id. at 5, 8.

In response, the agency states that in the context of the requirement here, it is not up to a contractor to designate itself as FISMA compliant or noncompliant.  See Mem. of Law at 3.  Rather, the agency states, under the applicable guidance and policy documents that implement FISMA, it is the responsibility of the agency having purview over a given information system to make a determination as to whether the various components of the system--including any components provided by a contractor--collectively present an acceptable level of risk to the agency and the nation.  See id. at 2.  An affirmative determination is known as an “authorization to operate,” and the agency official who makes the determination is known as the “authorizing official.”[3]  See id.  By making this determination, as well as taking various steps that lead to the determination, the information system is deemed FISMA-compliant.  See Mem. of Law at 3.

The agency further states that the information system connected with this procurement is known as the Office of the Commissioner, FDA Internet, or “OC Internet,” and that FDA’s chief information officer (CIO) is the “authorizing official” for this system.  See Mem. of Law at 3; AR, Tab 4a, FDA CIO Decl., ¶ 1.  When the solicitation was issued, the agency explains, an authorization to operate was in place for the OC Internet, but that authorization was set to expire on August 31, 2015.  AR, Tab 4a, FDA CIO Decl., ¶ 2.  Therefore, FDA’s risk and compliance staff prepared a security assessment report on the system for the FDA CIO’s review.  Id. (referencing AR, Tabs 3a - 3f, Security Assessment Rep. and Accompanying Documents).

According to the agency, since Triple-i and its web hosting vendor provided components of the OC Internet system under the incumbent contract, the security assessment report addressed those components.  See AR, Tab 4a, FDA CIO Decl., ¶ 2; AR, Tab 3a, Security Assessment Rep., at 5.  With regard to the web hosting vendor, the vendor’s security controls were validated through a third-party audit, with an audit period of October 1, 2013 through September 30, 2014.  AR, Tab 3a, Security Assessment Rep., at 5.  In addition, FDA’s information security staff reviewed documentation of the vendor’s environment to further validate the security controls.  See AR, Tab 12, FDA CIO Supp. Decl., ¶ 2.  Based on this information, as well as the recommendation of FDA’s risk and compliance staff, on August 14, 2015, the FDA CIO granted a new, three-year authorization to operate for the OC Internet.  Id. ¶¶ 2-3; AR, Tab 2, Security Authorization Decision Mem., at 1.  Through this process, the agency views the web hosting services that Triple-i’s vendor currently provides within the system to be “FISMA-compliant.”  See Mem. of Law at 3.

Turning to Discover’s allegation that Triple-i’s quotation should have been found “Not Satisfactory” or “noncompliant” based on the web hosting vendor’s alleged noncompliance with FISMA, the agency responds that there was no basis for such a finding because the solicitation did not contemplate the consideration of whether a vendor’s approach was compliant with FISMA prior to performance.  Supp. Mem. of Law at 2-3.  In this regard, the agency points out that nothing in the solicitation required vendors to demonstrate or provide proof that their systems qualified as FISMA compliant at the time that quotations were submitted.  Id.  Rather, the agency continues, vendors were to describe their approach for maintaining security--consistent with the applicable federal standards and guidance--during performance of the requirement.  Supp. Mem. of Law at 2-3.  The agency also points out that, consistent with this framework, the solicitation’s provisions regarding FISMA, and other information security guidance and standards, refer to the “contractor,” rather than the “vendor,” “quoter,” or other term connoting an entity’s pre-source-selection status.  See id. at 3 (citing RFQ at 19-20, 35).

For the reasons discussed below, we agree with the agency that the terms of the solicitation here provide no basis to find that the agency should have assessed Triple-i’s quotation as “Not Satisfactory” or “noncompliant” with the solicitation.  At the outset, however, we observe that where, as here, an agency issues an RFQ to GSA FSS contractors under FAR subpart 8.4 and conducts a competition, we will review the record to ensure that the agency’s evaluation is reasonable and consistent with the terms of the solicitation and applicable procurement laws and regulations.  See Digital Solutions, Inc., B-402067, Jan. 12, 2010, 2010 CPD ¶ 26 at 3-4; DEI Consulting, B-401258, July 13, 2009, 2009 CPD ¶ 151 at 2.  A protester’s disagreement with the agency’s judgment, without more, does not establish that an evaluation was unreasonable.  See DEI Consulting, supra.

Here, although the solicitation’s evaluation criteria included consideration of a vendor’s approach to ensuring security, the criteria did not require a showing of current compliance with FISMA or other information security standards.[4]  See RFQ at 49-50.  Further, the solicitation provisions that reference FISMA and the other information security standards refer to the “contractor’s” performance after the BPA has been established.  Id. at 12, 19-20, 35.  Requirements such as this, which impose obligations on the “contractor,” are performance requirements that need not be met before the source selection decision; therefore, whether Triple-i ultimately performs in a way that meets the requirement is a matter of contract administration, which our Office will not review.  See 4 C.F.R. § 21.5(a) (2016); HS Support, B‑409937, Sept. 18, 2014, 2014 CPD ¶ 276 at 3; Freedom Sci., Inc., B‑401173.3, May 4, 2010, 2010 CPD ¶ 111 at 3.  In sum, the record reflects that there was no basis for the agency to have evaluated Triple-i’s quotation as not satisfactory or noncompliant, as Discover alleges should have been done.  We therefore deny this basis of protest.

Next, Discover argues that the agency’s evaluation of Triple-i’s quotation under factor 1, technical understanding and approach, was unreasonable with regard to information security.  Supp. Protest at 2-3; Comments at 3-4; Supp. Comments at 1‑2.  As shown above, Triple-i’s quotation was assigned a rating of highly satisfactory under factor 1.  AR, Tab 9, Recommendation for Award, at 5.  Discover’s primary contentions in this area are that the only aspect of information security that Triple-i’s quotation addressed was documentation and that the agency failed to evaluate Triple-i’s quotation with regard to information security.  Comments at 3-4; Supp. Comments at 1‑2.  We see no merit in Discover’s contentions.

The only reference to security in the solicitation’s evaluation criteria was under factor 1, subfactor 2, technical understanding and approach to technical scenario, where it was stated that the agency would evaluate the extent to which a vendor’s quotation presented, among other things, a “feasible method of . . . ensuring security.”  RFQ at 49.  Triple-i’s quotation included an 8-page section that addressed subfactor 2, and within that section was a subsection that discussed specific aspects of Triple-i’s approach to security.  AR, Tab 1a, Triple-i Quotation, Technical Vol., pt. 1, at 18-22; AR, Tab 1b, Triple-i Quotation, Technical Vol., pt. 2, at 1-2.  In its technical evaluation report, the PAG documented a finding under factor 1, subfactor 2, that Triple-i’s quotation “demonstrated the ability to handle site availability and security.”  AR, Tab 7, Technical Evaluation Rep., at 19.

In addition to the discussion of security under factor 1, subfactor 2, other specific information regarding Triple-i’s approach to security appears throughout the firm’s quotation, including a detailed discussion of how the firm intends to assist the agency in maintaining FISMA compliance.  See AR, Tab 1a, Triple-i Quotation, Technical Vol., pt. 1, at 10-15.  The agency’s evaluation of Triple-i’s quotation reflects consideration of this information as well.  For example, under factor 1, subfactor 1, Call One understanding and approach, the PAG documented findings that specific aspects of Triple-i’s approach to security met or exceeded the solicitation’s requirements.  AR, Tab 7, Technical Evaluation Rep., at 16-17.  In sum, the record reflects that the agency’s evaluation of Triple-i’s approach to information security was reasonable and consistent with the terms of the solicitation.  Discover’s arguments to the contrary reflect no more than disagreement with the evaluation conclusions and do not provide a basis to sustain the protest.

Discover raises various other arguments as to why Triple-i’s quotation purportedly should have been downgraded based on issues related to FISMA compliance.  We have considered all of Discover’s arguments, and we conclude, based on the record, that none has merit.[5]  For example, Discover alleges that the agency unreasonably evaluated Triple-i’s quotation with regard to information security under factor 2, subfactor 1, management approach to BPA and Call One.  Protest at 6; Supp. Protest at 2-3.  The solicitation’s evaluation criteria for factor 2, subfactor 1, do not include security, although, as Discover points out, the criteria do include the feasibility and effectiveness of the vendor’s approach to risk management.  RFQ at 49‑50.  Triple-i’s quotation addressed risk management under factor 2, subfactor 1, and the PAG documented its finding that the quotation met the solicitation requirements in this area.  See AR, Tab 1b, Triple-i Quotation, Technical Vol., pt. 2, at 3-8; AR, Tab 7, Technical Evaluation Rep., at 25.  Accordingly, we see no merit in this ground of protest.

Finally, Discover challenges the above-discussed authorization to operate that the FDA CIO granted for the OC Internet.  In this regard, Discover argues that there are flaws with the security assessment report underlying the authorization.  Supp. Protest at 1-2; Comments at 2.  As discussed above, the solicitation did not contemplate the consideration of whether a vendor, prior to the source selection decision, was authorized to operate within the OC Internet or was otherwise “FISMA-compliant.”  Further, we see nothing in the contemporaneous record--and Discover has offered nothing--to show that the FDA CIO’s authorization to operate was considered in the source selection decision.  See AR, Tab 13, PAG Chair Supp. Decl., ¶¶ 2-3 (describing how the PAG was aware that the authorization to operate had been granted but, consistent with the solicitation’s evaluation criteria, this was not a consideration in the evaluation of quotations).  Under these circumstances, we see no basis to further consider Discover’s allegations regarding the authorization to operate.

The protest is denied.

Susan A. Poling
General Counsel



[1] Because the record was supplied to our Office in an electronic format, citations refer to the electronic page numbers, rather than to any numbers that appear on the face of the pages.

[2] FISMA was enacted as Title III of the E-Government Act of 2002, Pub. L. No. 107-347, 116 Stat. 2899, 2946 (Dec. 17, 2002).

[3] The agency points to National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37 as the basis for these procedures.  Mem. of Law at 2 (citing NIST, SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems:  A Security Life Cycle Approach (2010)).  Appendix F of this publication addresses “security authorization” and sets forth the authorization-to-operate process described by the agency.

[4] The solicitation’s evaluation criteria did not reference FISMA or any information security standards.  See RFQ at 49-50.

[5] We note also that Discover in its initial protest alleged that the agency should have disqualified Triple-i from the competition based on a purported “biased ground rules” type of organizational conflict of interest.  Protest at 8-9.  After the agency responded to this allegation in its report, Discover withdrew this basis of protest.  Comments at 1 n.1.