Chags Health Information Technology, LLC

DOCUMENT FOR PUBLIC RELEASE
The decision issued on the date below was subject to a GAO Protective Order. This redacted version has been approved for public release.

Decision

Matter of: Chags Health Information Technology, LLC

File: B-413104.30; B-413104.37

Date: April 11, 2019

David B. Dixon, Esq., Meghan D. Doherty, Esq., Toghrul Shukurlu, Esq., and Robert C. Starling, Esq., Pillsbury Winthrop Shaw Pittman LLP, for the protester.
Christine F. Simpson, Esq., Department of Health and Human Services, for the agency.
Jonathan L. Kang, Esq., and Laura Eyester, Esq., Office of the General Counsel, GAO, participated in the preparation of the decision.

DIGEST

Protest that the agency unreasonably found a protester's proposal unacceptable based on the failure to submit a password prior to the proposal due date to decrypt a required document in the proposal is sustained where the encrypted document related solely to responsibility and where the agency had both the document and the password in its possession prior to evaluating the protester's proposal.

DECISION

Chags Health Information Technology, LLC (C-HIT), an economically disadvantaged woman-owned and 8(a) small business, of Columbia, Maryland, protests the decision by the Department of Health and Human Services, National Institutes of Health (NIH), to find its proposal unacceptable in the competition conducted under request for proposals (RFP) No. NIHJT2016015, which was issued for information technology solutions and services. The protester argues that the agency unreasonably found the protester failed to timely provide the password to decrypt a required document submitted in its proposal.

We sustain the protest.

BACKGROUND

NIH administers a governmentwide multiple-award indefinite-delivery, indefinite-quantity contract for information technology supplies and contracts, known as the Chief Information Officer-Solutions and Partners (CIO-SP3) Small Business contract. Agency Report (AR), Tab 2, Conformed RFP, at 1, 19.¹ The agency issued the solicitation on March 14, 2016, seeking proposals for the award of additional CIO-SP3 contracts as part of a "ramp-on" to expand the pool of vendors eligible to compete for task orders. Memorandum of Law (MOL) at 2. The solutions and services to be provided under the contracts "include, but are not limited to, health and biomedical-related [information technology (IT)] services to meet scientific, health, administrative, operational, managerial, and information management requirements." RFP at 8.

The solicitation was set aside for small businesses, and stated that awards would be made in groups based on the status of the offerors: Historically Underutilized Business Zone small businesses, service-disabled veteran-owned small businesses, participants in the Small Business Administration's 8(a) program, and small businesses. Id. at 143. The initial CIO-SP3 contracts for the 8(a) group were awarded on June 30, 2012, and have a 10-year period of performance; the contracts awarded under the RFP here for the 8(a) group will have a period of performance ending on June 29, 2022. Id. at 8, 34; Agency Response to GAO Question, Mar. 8, 2019, at 1. The total amount that may be awarded under the CIO-SP3 contracts is $20 billion. RFP at 9.

The RFP advised that proposals would be evaluated in two phases. In phase 1, the agency was to evaluate proposals based on the following go/no-go criteria: (1) compliant proposal; (2) verification of an adequate accounting system; (3) IT services for biomedical research, health sciences, and healthcare; and (4) domain-specific capability in a health related mission. Id. at 143-44. As relevant here, the compliant proposal criterion provided that "[i]f the proposal does not contain the required documents, the Government may deem the proposal to be 'Unacceptable' and ineligible for further consideration." Id. at 143. The RFP stated that, for the phase 1 evaluation, proposals that failed to meet any of the go/no-go criteria would be ineligible for award. Id. at 144. In phase 2, the agency was to evaluate proposals that passed the phase 1 criteria, using the following four factors: (1) technical capability and understanding (including 10 task areas); management approach (including four subfactors); past performance; and price. Id. at 144-145, 150. For purposes of award in the phase 2 evaluation, factors 1 and 2 were of equal importance and "more important" than factor 3, and factors 1, 2, and 3 were "[i]ndividually . . . significantly more important" than factor 4, price. Id. at 141.

The RFP permitted offerors to submit proposals using contract team arrangements (CTAs) pursuant to Federal Acquisition Regulation (FAR) § 9.601. RFP at 131. According to FAR § 9.601(1), the CTA could include "[t]wo or more companies [that] form a partnership or joint venture to act as a potential prime contractor." According to FAR § 9.601(2), the CTA could be a "potential prime contractor agree[ing] with one or more other companies to have them act as its subcontractors under a specified Government contract or acquisition program."

In addition, as relevant here, the RFP required offerors to provide "Other Administrative Data." RFP at 140. One of the requirements was to provide "[a] copy of the organization's (and any proposed CTA member's) most recent annual report, or if organized as a non-public corporation, the organization's most recent asset and liability report." Id. In this regard, the solicitation explained that an offeror would be "subject to a responsibility evaluation" and must "demonstrate that it has the necessary financial capacity, working capital, and other resources to perform the contract without the assistance from any outside source." Id. The RFP further advised that the agency's responsibility determination would consider "[t]he Offeror's financial statements and other pertinent financial data. . . ." Id. at 151. CTA members could provide the required financial statements as follows: "[I]f the CTA members do not want to share [their] proprietary financial information with the prime, the offeror may submit such information from the CTA members as encrypted files and instruct their CTA members to send an email to the [Electronic Procurement Information Center (EPIC)] help desk"² containing the decryption password. Id. at 130.

NIH received proposals from 552 offerors, including C-HIT, by the closing date of May 16, 2016. Contracting Officer's Statement (COS) at 1. C-HIT was part of a CTA which included [DELETED]. Protest at 10; AR, Tab 3, C-HIT Proposal, Cover Letter, at 1. C-HIT's proposal included an encrypted copy of [DELETED]'s financial statement. AR, Tab 3, [DELETED] Audit Report 2015-2014--FINAL1. [DELETED] states that it submitted an email containing the password for the encrypted financial statement to the EPIC help desk on May 11, prior to the proposal due date. Protest, Exh. A, Decl. of [DELETED] President, Jan. 7, 2019, at 1.

On July 5, 2017, the contracting officer contacted C-HIT and advised that NIH was evaluating its proposal. AR, Tab 5, Email from Contracting Officer to C-HIT, July 5, 2017, at 1. The agency requested that the protester confirm that the protester's proposal was submitted as a CTA in accordance with FAR § 9.601(1). Id. The agency also made the following request regarding the password for [DELETED]'s encrypted financial statement:

In addition, if proposing as a FAR 9.601(1) CTA, please clarify where in your proposal can be found the decryption passwords for the most recent annual financial report or asset and liability report for [DELETED], your proposed CTA members as required by paragraph L.4.2.a of the solicitation.

We request that you provide this clarification by responding to this email by 4:00 PM EST on July 11, 2017. Please note that this is not a request for revisions, and no new documents will be accepted or evaluated.

Id.

On July 7, a [DELETED] vice president responded to the contracting officer's email, forwarding an email that the individual represented had been sent to the EPIC help desk on May 11, 2016. Id., Email from [DELETED] Vice President to Contracting Officer, July 7, 2017, 9:25 a.m., at 29-31. The forwarded email contained the password to decrypt the [DELETED] financial statement. Id. at 30.

Also on July 7, C-HIT responded to the contracting officer and confirmed that the protester had submitted its proposal as a CTA pursuant to FAR § 9.601(1). Id., Email from C-HIT to Contracting Officer, July 7, 2017, 2:00 p.m., at 3.³ With regard to the password, C-HIT advised that "[o]n May 11th 2016, [a representative of] [DELETED] sent an email" to the EPIC help desk with the password. Id. The protester also noted that [DELETED] had forwarded the May 11, 2016, email earlier in the day: "FYI: Today at 9:25am, the same original email threads (with password details), which was sent on May 11th 2016, was once again directly forwarded to you, by [DELETED] vice president []." Id.

In the evening of July 7, the [DELETED] vice president sent the contracting officer another email, requesting that the agency acknowledge receipt of [DELETED]'s 2:00 p.m. email forwarding the password. Id., Email from [DELETED] Vice President to Contracting Officer, July 7, 2017, 10:19 p.m., at 2. On July 10, the contracting officer confirmed receipt, stating that: "Yes, I have received the email sent on July 7th at 2pm. Receipt confirmed." Id., Email from Contracting Officer, July 10, 2017, at 2.

On August 10, NIH found C-HIT's proposal unacceptable under the phase 1 evaluation because the protester did not provide a password to decrypt the financial statement prior to the proposal due date. AR, Tab 4.a, 8(a) Phase 1 Evaluation Report, at 47. The agency stated that "[a]lthough there is a document that appears to be a financial report for [DELETED], a proposed CTA member, entitled '[DELETED] Audit Report 2015-2014--Final' it is encrypted and no encryption code was provided." Id. The agency further noted the following: "Via email of July 7, 2017 in response to a request for clarification, the offeror stated that their proposed CTA member sent the encrypted password to the proposal portal on May 11, 2016. However, there is no evidence of this password being received." Id. The agency concluded, in effect, that the failure to provide the password to the [DELETED] financial statement by the proposal due date meant that the proposal did not contain the required financial statement. Id. The agency therefore found the protester's proposal unacceptable under the phase 1 go/no-go criterion and excluded it from the competition. Id. C-HIT was provided a debriefing on January 2, 2019, and this protest followed.

DISCUSSION

C-HIT argues that NIH unreasonably found its proposal unacceptable. The protester raises two primary arguments: (1) the agency erroneously concluded that the protester did not provide the password to decrypt the encrypted financial statement prior to the proposal due date; and (2) even if the agency reasonably found that the protester failed to provide the password by the proposal due date, the agency unreasonably failed to consider the password because the financial statement it decrypted related to responsibility, rather than technical acceptability.⁴ For the reasons discussed below, we agree with the protester's second argument and sustain the protest; we therefore need not resolve the protester's first argument.

The parties agree that C-HIT submitted its proposal prior to the proposal due date, and that the proposal included an encrypted version of [DELETED]'s financial statement. Protest at 7; MOL at 3-4; COS at 1; see also AR, Tab 3, [DELETED] Audit Report 2015-2014--FINAL1. The parties do not agree, however, whether [DELETED] sent an email containing the password to decrypt the financial statement to the EPIC help desk prior to the proposal due date.⁵ See Protest at 7-9; MOL at 4; COS at 1. Despite the parties' disagreement as to whether [DELETED] sent and the agency received an email on May 11, 2016, the parties agree that [DELETED] provided the password to the contracting officer on July 7, 2017. See id.

C-HIT notes that the solicitation stated that the financial report would be considered as part of the agency's responsibility determination. See RFP at 151. The protester contends, therefore, the agency should have considered the password and the financial report even though it was received after the proposal due date. We agree with the protester.

The FAR provides that a contract may not be awarded unless the contracting officer makes an affirmative determination of responsibility. FAR § 9.103(b). In most cases, responsibility is determined based on the standards set forth in FAR § 9.104-1. For example, the contracting officer must consider, among other factors, whether the firm in line for award has "adequate financial resources to perform the contract, or the ability to obtain them." FAR § 9.104-1(a). As our Office has explained, determinations of responsibility involve subjective business judgments that are within the broad discretion of the contracting agency. ExecuTech Strategic Consulting, LLC; TRI-COR Indus., Inc., B-410893 et al., Mar. 9, 2015, 2015 CPD ¶ 103 at 11.

Our Office has also stated that responsibility and technical acceptability are distinct matters. Acquest Dev. LLC, B-287439, June 6, 2001, 2001 CPD ¶ 101 at 3-5 (agency not required to reject proposal as technically unacceptable for failure to provide information relating to legal control of proposed site at time of initial offer since it related to firm's responsibility); ExecuTech Strategic Consulting, LLC; TRI-COR Indus., Inc., supra (failure of awardee to include responsibility information in proposal was not a basis for finding proposal technically unacceptable); see also Integrated Protection Sys., Inc., B-254457, B-254457.2, Jan 19, 1994, 94-1 CPD ¶ 24 at 2-3 (concerning bid responsiveness); LORS Med. Corp., B-259829, B-259829.2, Apr. 25, 1995, 95-1 CPD ¶ 222 at 4 (concerning bid responsiveness). Responsibility may be satisfied at any time prior to award, as opposed to technical acceptability, which must be satisfied based on a common proposal deadline. Pond Sec. Grp. Italia, JV, B-400149.3, Dec. 22, 2008, 2008 CPD ¶ 233 at 4 (responsibility may be satisfied any time prior to award); Raytheon Tech. Servs. Co. LLC, B-404655.4 et al., Oct. 11, 2011, 2011 CPD ¶ 236 at 6 (agencies must evaluate proposals based on a common cutoff date for final proposal revisions to ensure that all offerors are being treated fairly and on an equal basis).

In addition, an agency may reasonably evaluate an offeror's responsibility based on the information in its possession, and the agency generally need not request additional information prior to finding an offeror nonresponsible based on its failure to provide information necessary to demonstrate responsibility. See Pond Sec. Grp. Italia, JV, supra, at 4. Agencies may, however, request and receive information about an offeror's responsibility without conducting discussions that trigger the obligation to conduct non-responsibility discussions with other offerors. Coast Int'l Sec., Inc., B-411756, B-411756.2, Oct. 19, 2015, 2015 CPD ¶ 340 at 13.

We conclude here that the financial statement related to responsibility and was therefore a matter that could be satisfied any time prior to award. We also conclude that the agency reasonably viewed the failure to provide a password to decrypt the [DELETED] financial statement as tantamount to a failure to provide the underlying document, itself. NIH, therefore, did not have an obligation to request additional information from C-HIT regarding the [DELETED] financial statement. See Pond Sec. Grp. Italia, JV, supra, at 4. We also find, however, that since the financial statement related to responsibility, the agency was permitted to request and consider the password that decrypted it, even though that password was not received prior to the proposal due date.⁶ See Pond Sec. Grp. Italia, JV, supra, at 4; Acquest Dev. LLC, supra, at 5; A.I.A. Costruzioni S.P.A., B-289870, Apr. 24, 2002, 2002 CPD ¶ 71 at 2-3; Integrated Protection Sys., Inc., supra, at 2-3; LORS Med. Corp., supra, at 4. The question posed here, therefore, is whether NIH, upon receipt of the password for the financial statement, reasonably refused to consider that information because it was not received by the closing date established in the solicitation. We conclude that the agency's actions were not reasonable.

Our Office has primarily addressed the issue of responsibility information submitted after a solicitation's closing date in the context of protests where a disappointed offeror or bidder challenges the award to a firm that was found responsible based on late-submitted information. E.g., Pond Sec. Grp. Italia, JV, supra, at 4; Acquest Dev. LLC, supra, at 5-6; A.I.A. Costruzioni S.P.A., supra, at 3; Gardner Zemke Co., B-238334, Apr. 5, 1990, 90-1 CPD ¶ 372 at 4-5; Integrated Protection Sys., Inc., supra, at 2-3; LORS Med. Corp., supra, at 4. In these decisions, we have explained that agencies may reasonably find offerors or bidders responsible based on information pertaining to responsibility, even where that information is submitted after the time for receipt of proposals or bids. Our Office has further explained that, even where a solicitation states that documents related to responsibility must be submitted by a deadline, an agency is not required to reject a proposal or bid as unacceptable or nonresponsive based on a failure to satisfy a responsibility criterion by the deadline. Pond Sec. Grp. Italia, JV, supra, at 4; Acquest Dev. LLC, supra, at 5-6; A.I.A. Costruzioni S.P.A., supra, at 2-3; Integrated Products, supra, 2-3; ExecuTech Strategic Consulting, LLC; TRI-COR Indus., Inc., supra, at 11-12. We therefore conclude that NIH unreasonably refused to consider the password based on a solicitation provision that mandated that responsibility information be provided by the proposal due date.⁷ See id.; see also Fort Apache Timber Co., B-237377, Feb. 22, 1990, 90-1 CPD ¶ 199 at 4 (agency improperly refused to accept information relating to responsibility provided by bidder after bid opening deadline, but prior to time for price auction and award).

NIH contends that it reasonably relied upon the RFP's phase 1 evaluation criteria in finding that C-HIT's proposal was incomplete. In support of its position, the agency argues that the facts here are similar to those in AttainX, Inc., where our Office denied a protest concerning the same solicitation based on NIH's finding that the protester's proposal was incomplete because it failed to provide information that pertained to responsibility. AttainX, Inc.; FreeAlliance.com, LLC, B-413104.5, B-413104.6, Nov. 10, 2016, 2016 CPD ¶ 330 at 5. In AttainX, Inc., the agency rejected the protester's proposal as unacceptable under the phase 1 criteria because it did not provide required documentation from a third-party certified public accountant. Id. at 3-4. There, we concluded that the agency acted reasonably because the protester did not provide the required information prior to the agency's evaluation and rejection of its proposal. Id. at 5. Here, in contrast, the record shows that the agency had all of the required information in its possession prior to the time it completed its evaluation. If the agency had never received the decrypted password prior to evaluation, the agency could have rejected the C-HIT proposal because it did not contain the required documents and therefore failed to meet the compliant proposal criterion of phase 1. See RFP at 143; AttainX, Inc.; FreeAlliance.com, LLC, supra, at 5.

NIH also argues that it was not required to consider the password provided by [DELETED] in its July 2017 email responding to the contracting officer because the RFP stated that the password was to be submitted via email to the EPIC help desk. Supp. MOL at 16. The record shows, however, that the contracting officer sent an email to C-HIT requesting clarification, received an email from [DELETED] with the password, and specifically acknowledged that he had received the email with the password. AR, Tab 5, Email from Contracting Officer to C-HIT, July 5, 2017, at 1; Email from [DELETED] Vice President to Contracting Officer, July 7, 2017, 9:25 a.m., at 29-31; Email from Contracting Officer, July 10, 2017, at 2. Under these circumstances, we conclude that the contracting officer--the individual charged by the FAR with making responsibility determinations--could not ignore the password in his possession on the grounds that the RFP required the password to be provided via email to the EPIC help desk.

In sum, we conclude: (1) the [DELETED] financial statement concerned responsibility, and thus the password that unlocked this document was information that pertained to responsibility; (2) NIH was not obligated to provide C-HIT an opportunity to provide the missing password; (3) NIH nonetheless received the password prior to the time it conducted the phase 1 evaluation; and (4) NIH unreasonably refused to consider the information it had in its possession at the time it made the phase 1 evaluation, i.e., the [DELETED] financial statement and the password to decrypt that document.⁸ We therefore conclude that the agency unreasonably rejected C-HIT's proposal as unacceptable.

CONCLUSION AND RECOMMENDATION

We conclude that NIH unreasonably refused to consider the password provided by [DELETED] to decrypt its financial statement. We recommend that the agency use the password to decrypt the document and evaluate the protester's proposal. We also recommend that the agency reimburse the protester's reasonable costs associated with filing and pursuing its challenges to the evaluation of the awardee's technical proposal and the tradeoff decision, including attorneys' fees. 4 C.F.R. § 21.8(d). The protester's certified claims for costs, detailing the time expended and costs incurred, must be submitted to the agency within 60 days after the receipt of this decision. Id. § 21.8(f).

The protest is sustained.

Thomas H. Armstrong
General Counsel