NCI Information Systems, Inc. (NCI), of Reston, Virginia, protests the issuance of a task order to General Dynamics Information Technology Services (GDIT), under task order proposal request (TOPR) No. 319155, issued by the Department of the Army, Army Materiel Command, for information technology (IT) support services. The protester contends that the agency's evaluation of NCI's proposal was unreasonable and inconsistent with the terms of the solicitation.
DOCUMENT FOR PUBLIC RELEASE
The decision issued on the date below was subject to a GAO Protective Order. This redacted version has been approved for public release.
Matter of: NCI Information Systems, Inc.
Date: November 4, 2020
Daniel P. Graham, Esq., Elizabeth Krabill McIntyre, Esq., and Ryan D. Stalnaker, Esq., Vinson & Elkins LLP, for the protester.
Carla J. Weiss, Esq., Noah B. Bleicher, Esq., and Matthew L. Haws, Esq., Jenner & Block, LLP, for General Dynamics Information Technology, Inc., the intervenor.
Gwendolyn T.D. Franks, Esq., and Jonathan A. Hardage, Esq., Department of the Army, for the agency.
Michael P. Grogan, Esq., and Edward Goldstein, Esq., Office of the General Counsel, GAO, participated in the preparation of the decision.
Protest that agency unreasonably evaluated protester’s proposal based on unstated evaluation criteria is denied where the record reflects that the agency’s evaluation was reasonable and consistent with the terms of the solicitation.
NCI Information Systems, Inc. (NCI), of Reston, Virginia, protests the issuance of a task order to General Dynamics Information Technology Services (GDIT), under task order proposal request (TOPR) No. 319155, issued by the Department of the Army, Army Materiel Command, for information technology (IT) support services. The protester contends that the agency’s evaluation of NCI’s proposal was unreasonable and inconsistent with the terms of the solicitation.
We deny the protest.
On April 6, 2020, the agency issued the TOPR under the Army Computer Hardware Enterprise Software and Solutions (CHESS) Information Technology Enterprise Solutions - 3 Services (ITES-3S) multiple-award indefinite-delivery, indefinite-quantity (IDIQ) contract, pursuant to the procedures of Federal Acquisition Regulation (FAR) subpart 16.5. Contracting Officer’s Statement and Memorandum of Law (COS/MOL) at 5; Agency Report (AR), Tab 8, TOPR at 1. The TOPR contemplated the issuance of a single fixed-price task order with cost-reimbursable contract line items, with a 6-month base period of performance, two 1-year option periods, and an optional 6‑month extension under FAR clause 52.217‑8, for Global Enterprise Fabric (GEF) IT support services. TOPR at 1. This requirement covers all of U.S. Army Network Enterprise Technology Command’s (NETCOM) managed networks, including non-classified and classified networks. AR, Tab 35, amend. 10, attach. I, Performance Work Statement (PWS) § C.1.0. As described in the PWS, the services required to support the task order included capability management, project integration, process development, information assurance, cybersecurity, configuration management, hardware/software support, as well as various support functions. Id. at § C.2.
The solicitation provided for award on a best-value tradeoff basis, considering two evaluation factors: technical/management and price. TOPR at 5. The technical/management factor had three subfactors: technical approach; staffing approach; and management and quality control approach. Id. at 6-7. For the purpose of the best-value tradeoff, offerors were advised that the technical/management factor was more important than price, and that the technical/management subfactors were of equal importance. Id. at 5. The agency used an adjectival rating scheme with the following rating combinations for the technical/management factor: outstanding; good; acceptable; marginal; and unacceptable. Id. at 6-7. The subfactors were not separately rated. AR, Tab 3, Joint Decl. of Tech./Mgmt. Eval. Team at 3. The TOPR advised that “[t]o receive consideration for award, a rating of no less than ‘Acceptable’ must be achieved for the Technical/Management Factor.” TOPR at 5. Though not immediately relevant to the protest, the agency would also conduct a price analysis to determine if proposed prices were fair and reasonable. Id. at 7.
The solicitation required offerors to provide a “written narrative that is the Offeror’s proposed solution to the requirement[s] contained in the [PWS]” that would “demonstrate an understanding of the tasks required. . . .” Id. at 3. For the technical approach subfactor, offerors were to provide a “technical solution that fulfills, and demonstrates, an understanding of the Government’s requirements” and “outline the offeror’s overall approach to perform and manage the tasks and requirements set forth in each specific PWS section.” Id. at 3. The agency would then evaluate whether the offeror demonstrated an understanding of the requirements of the PWS, the feasibility of the proposed approach, and if the PWS requirements had been completely satisfied. Id. at 6.
Under the staffing approach subfactor, offerors were to “demonstrate a thorough knowledge and understanding of how to fulfill and staff the Government’s requirement” and provide “sufficient information to describe the offeror’s procedures, processes, and controls” so as to achieve “full capability of performance.” Id. at 3. An offeror’s staffing approach would be evaluated to determine its “understanding of the requirement and capability to provide technical personnel with the skills and practical experience, to perform the requirements of the PWS, to include the ability/capability of the personnel to support the designated position and the ability to designate personnel for assignment to the specific functional areas.” Id. at 6-7. Lastly, under the management and quality control subfactor, offerors were to “describe the site management methodology to accomplish the technical requirements” of the PWS; the agency would evaluate the “proposed methodology for planning, organizing, directing, and controlling its staff” in performing the PWS. Id. at 3, 7.
The agency received multiple proposals by the June 18 submission deadline, to include proposals from NCI and GDIT. COS/MOL at 8. Following an evaluation by the technical support panel, the task order selection authority (who was also the contracting officer) conducted a comparative assessment of proposals and concluded that GDIT represented the best overall value to the Army. Id.; AR, Tab 51, Task Order Decision Document (TODD) at 1-2. GDIT received an overall technical/management rating of good, with an evaluated price of $53,243,604, whereas NCI received an overall technical/management rating of marginal, at an evaluated price of $48,478,882. Id. at 2.
As relevant to this protest, the agency evaluated NCI’s technical/management approach as marginal because the firm “did not propose an adequate approach or [demonstrate an] understanding of the requirement.” Id. The Army noted that NCI’s approach was based on using its intelligent automation tool, EMPOWER, but this tool was “not on the approved enterprise tools list” and could not be used on the Army network. Id. The selection authority went on to conclude that NCI’s proposal did not meet other mandatory requirements for using EMPOWER on the Army network, and that because the proposal lacked “any alternative approach. . . the risk of unsuccessful contract performance is appreciably increased.” Id. The agency assigned NCI’s proposal significant weaknesses under both the technical approach and staffing approach subfactors, and a weakness under the management and quality control approach subfactor. Id. at 2-5. Given that NCI’s technical/management rating was marginal, consistent with the terms of the solicitation (which required at least an acceptable rating for consideration for award), NCI’s proposal was deemed not eligible for award.
On July 24, the agency issued the task order to GDIT. Following a debriefing, NCI timely filed this protest on August 3.
NCI principally challenges its marginal rating under the technical/management factor, stemming from two significant weaknesses assigned by the Army, one under the technical approach subfactor, and the second under the staffing approach subfactor. Protest at 6-17. The protester argues that the agency’s evaluation findings were predicated on unstated evaluation criteria, and that its proposal was therefore improperly excluded from consideration for award. Id. Although we do not specifically address all of NCI’s arguments, we have considered them all and conclude that none affords a basis on which to sustain the protest.
Technical Approach Subfactor
As part of its technical solution, NCI proposed to use EMPOWER, an artificial intelligence platform, to “deploy intelligent automation and machine learning tools.” AR, Tab 46, NCI’s Proposal, vol. II, Technical, at 3. According to the protester’s proposal, EMPOWER would allow for efficiencies in performance and enhance productivity across a number of task areas. See e.g., id. at 9-10, 23. The agency, however, concluded that NCI’s use of EMPOWER increased the risk of unsuccessful performance. AR, Tab 51, TODD at 4. Specifically, the agency identified risks associated with using EMPOWER on the Department of Defense (DOD) Information Network-Army (DODIN-A) GEF platform. The agency found that: EMPOWER is not on the approved enterprise tools list, which prevents its use on the Army network; NCI’s proposal did not demonstrate that EMPOWER has, as an application that would reside on the Army’s network, an approved authority to operate (ATO) on that network; and NCI’s proposal did not discuss data or licensing rights concerning EMPOWER. Id. at 3‑4. Because NCI’s proposal did not demonstrate how it would address these matters when deploying EMPOWER, and did not acknowledge or otherwise address the existence of these issues, the agency concluded that NCI’s proposal warranted a significant weakness under this subfactor. Id.
NCI challenges the assigned significant weakness under this subfactor, arguing that the Army’s concerns were not related to evaluation criteria set forth in the solicitation. Protest at 6‑14; Comments at 2-7. According to NCI, the solicitation did not require the protester to demonstrate that EMPOWER was on an approved list or to address its status in relation to an ATO, nor did the TOPR require offerors to demonstrate a plan for obtaining an ATO. Id. While acknowledging that the solicitation placed certain limitations on the use of non-governmental systems or devices, NCI argues that such restrictions, by their terms, did not apply to EMPOWER. Comments at 2-5; Supp. Comments at 2-3.
In response, the agency contends that its concerns about the EMPOWER platform were proper bases for consideration because the solicitation required firms to comply with certain Army IT processes and security requirements. COS/MOL at 19-27. If an offeror intended to use a software tool or application on the Army network as part of its technical solution, the offeror would have to comply with various governing regulations concerning operations on the Army’s network. Id. Specifically, the agency points to PWS sections C.8.7.3 and C.11.0 as establishing a requirement that a tool, such as EMPOWER, be on the DOD Approved Products List (APL) and/or that such a tool must have an ATO. Id. at 20. Given these provisions in the PWS, the Army argues that NCI was on notice that the agency could consider whether NCI’s proposal addressed how EMPOWER met, or would otherwise meet, these requirements. Because NCI’s proposal failed to address these issues, the agency argues that its concerns leading to the significant weakness were reasonable and provided valid bases for downgrading NCI’s proposal under the terms of the solicitation. Id. at 26-27.
As stated above, the task order competition was conducted pursuant to FAR subpart 16.5. The evaluation of proposals in a task order competition is primarily a matter within the contracting agency’s discretion, because the agency is responsible for defining its needs and the best method of accommodating them. Engility Corp., B-413120.3 et al., Feb. 14, 2017, 2017 CPD ¶ 70 at 15. In reviewing protests of an award in a task order competition, we do not reevaluate proposals, but examine the record to determine whether the evaluation and source selection decision are reasonable and consistent with the solicitation’s evaluation criteria and applicable procurement laws and regulations. DynCorp Int’l LLC, B-411465, B-411465.2, Aug. 4, 2015, 2015 CPD ¶ 228 at 7.
On this record, we cannot conclude that the agency’s judgments were unreasonable or inconsistent with the TOPR. First, concerning the protester’s allegation that the TOPR did not require EMPOWER to be on the APL, we note that the solicitation required offerors to comply with the requirements in Army Regulation (AR) 25-2, which concerns Army cybersecurity. See PWS § C.11.0 (listing publications, to include AR 25-2, and providing that they “form a part of this contract” and that compliance was “Mandatory”); PWS § C.8.7.3 (“The Contractor shall comply with AR 25-1 and AR 25-2.”). This regulation explicitly states that for products on the Army’s network, “only those listed on the [APL] are approved for purchase.” AR, Tab 57, AR 25-2, para. 4-12(c)(1). The same regulation also provides that “contractor-owned and  operated information systems, will meet all security requirements for government-owned hardware and software when managing, storing, or processing [Army or DOD data].” Id. at para. 4-25. A plain reading of these sections indicates that a tool, like EMPOWER, would need to be on the APL in order to operate on the Army’s network.
The protester argues that the restrictions in AR 25-2 are inapplicable to EMPOWER. Comments at 4; Supp. Comments at 4. NCI notes that the APL requirements in AR 25‑2 apply to IT products “approved for purchase.” See Tab 57, AR 25-2, para. 4‑12(c)(1)(a). Because NCI is only granting the Army restricted rights in EMPOWER per the terms of its proposal, the protester posits that the agency is not actually purchasing the EMPOWER tool, and thus, it does not need to be on the APL for use on the network. Comments at 4; Supp. Comments at 4. This interpretation is unreasonable given that the agency would, according to the protester, be at the very least acquiring restricted rights in EMPOWER if NCI was selected for award. See AR, Tab 45, NCI’s Transmittal Letter, vol. I, at 1. The protester fails to explain why an acquisition of limited rights would not constitute a purchase under this regulation, nor does the protester point to any other language in Army Regulation 25-2 that would support such a narrow interpretation. Accordingly, we find the agency’s determinations unobjectionable, in this regard.
We find similarly unpersuasive NCI’s arguments challenging the agency’s finding that EMPOWER required an ATO before it could be placed on the Army’s network. As noted above, the TOPR levied restrictions and limitations on the use of IT products on the Army’s network. See PWS §§ C.8.7.3 and C.11.0. As relevant to this argument, section C.8.7.3 of the PWS specifically provided as follows:
The Contractor shall not install or connect non-Government-owned computing systems or devices to Government networks without the [Contracting Officer’s Representative’s] coordinating and obtaining proper authorization from the appropriate Information Systems Security Manager (ISSM), ensuring that all software has a Government Certificate of Networthiness or has been authorized under the Risk Management Framework (RMF) Assess Only process.
PWS § C.8.7.3.
This section of the PWS goes on to provide a non-exhaustive list of examples of “non-Government-owned computing systems or devices,” such as thumb drives, hard drives, laptops, or any device that can store data. Id. NCI contends that these requirements, to include having an ATO, do not apply to EMPOWER because the tool is not a “non-Government-owned computing system or device” as that phrase is understood in section C.8.7.3 of the PWS. Comments at 3-4; Supp. Comments at 2-3.
We cannot conclude that the protester’s interpretation is a reasonable one. The protester bases its contention that section C.8.7.3 is inapplicable on the fact that EMPOWER, a software platform, is too dissimilar to the non-exhaustive list of non-government-owned computing systems or devices provided. Comments at 3; Supp. Comments at 3. However, NCI’s reading ignores the context of the provision. The immediately preceding sentence makes clear that the agency’s concern includes placing unapproved software on the network. See PWS § C.8.7.3. (proper authorization required to “ensur[e] that all software has a Government Certificate of Networthiness or has been authorized under the Risk Management Framework (RMF) Assess Only process.”). Moreover, as explained in the declaration from the technical management team, “[i]t is standard business and Army practice to include stand-alone software in the definition of ‘non-Government-owned computer system or device’ because the same information security and cybersecurity requirements apply to both software contained within hardware and standalone software.” AR, Tab 59, Second Joint Decl. of Tech./Mgmt. Eval. Team, at 2-3. This seems especially true where, as here, the software will reside on the Army’s network. We find the agency’s interpretation to be reasonable.
In summary, the TOPR explained that the agency would evaluate offerors’ proposals based on their demonstrated understanding of operational requirements, and their technical approach. TOPR at 6. When evaluating NCI’s proposal, the agency concluded that the use of EMPOWER increased risk of unsuccessful performance because the proposal did not address the APL or ATO requirements. The agency then reasonably ascribed a significant weakness to NCI’s proposal because it “demonstrate[d] a lack of understanding of the operational requirements and constraints.” AR, Tab 51, TODD at 4. We find nothing improper with the agency’s assignment of a significant weakness under the technical approach subfactor.
The agency assigned NCI’s proposal a second significant weakness under the staffing approach subfactor, which also relates to NCI’s proposed use of the EMPOWER software application. AR, Tab 51, TODD at 4. The agency specifically noted that NCI’s reliance on EMPOWER was “to make staffing more affordable and [to] [DELETED].” Id. However, the Army found that NCI failed to provide “sufficient technical details on the tool to demonstrate that this approach will meet the minimum staffing and support needs of the task order” and that “without additional detail[,] their staffing approach cannot work on the current GEF network.” Id. The agency also found that NCI’s proposal demonstrated “a lack of understanding” of the agency’s requirements when the proposal discussed executing tier III tasks, yet the task order only contemplates performance of tier I and II tasks. Id.
In challenging the agency’s findings, NCI marshals several arguments. First, the protester contends that this significant weakness is derivative of the significant weakness assigned under the technical approach factor, because both are based on the Army’s assessment that EMPOWER cannot operate on the Army’s network. Protest at 14-15; Comments at 7. Additionally, the protester argues that the agency’s conclusions were unreasonable because the agency ignored the fact that staff reductions would only occur in the option years, but that NCI committed to maintaining its base year staffing if such staff reductions were not feasible through the use of EMPOWER. Protest at 15; Comments at 8-9; Supp. Comments at 5-6. Finally, the protester maintains its proposal properly addressed performance of only tier I and II tasks. Comments at 9-10.
We find the agency’s evaluation reasonable and consistent with the terms of the TOPR. First, the assigned significant weakness under the staffing approach subfactor is different from the one the agency assigned under the technical approach subfactor. While both relate to EMPOWER, the evaluation under the staffing approach subfactor raises concerns about the lack of data to support the staffing efficiencies NCI derives from its use of EMPOWER and the risks of not having sufficient staff if such efficiencies prove illusory, whereas the concerns under the technical approach factor stem from the risks associated with NCI’s failure to address how it will implement the EMPOWER tool within the Army IT security framework. See TODD at 3-4. Additionally, while there certainly could be overlap with the agency’s concerns in this regard--that is, if NCI is unable to deploy the EMPOWER tool due to IT security restrictions, it will not be in a position to achieve its purported EMPOWER staffing efficiencies, thereby creating a risk of successful performance--the concerns and associated weaknesses are, by their nature, different.
Second, contrary to the protester’s assertion, the agency’s criticism was not solely limited to NCI’s staffing in the option years, but instead, applied to the protester’s staffing as a whole. See id. at 4. This conclusion is supported by the underlying evaluation record, and is further confirmed by the declarations of the technical management team. See id.; AR, Tab 3, Joint Decl. of Tech./Mgmt. Eval. Team, at 5-6; AR, Tab 59, Second Joint Decl. of Tech./Mgmt. Eval. Team, at 5 (“We assessed NCI a significant weakness related to its overall staffing levels in the evaluation. [ ] As we explained in our previous declaration, this significant weakness encompassed problems with NCI’s staffing in the base year, as well as in the option periods.”).
As the technical management team explains, based on its consideration of historical staffing levels for mission performance and how NCI would be utilizing EMPOWER, the agency had concerns with the firm’s staffing approach. AR, Tab 3, Joint Decl. of Tech./Mgmt. Eval. Team, at 5-6. The Army understood that NCI would seek to “[DELETED].” Id. at 5. However, because the protester did not address how EMPOWER could be used on the Army’s network, NCI’s “staffing plan did not provide sufficient personnel to accomplish both the low and high complexity tasks necessary in support of the GEF mission.” Id. Accordingly, the team believed that NCI’s proposed staffing was “insufficient to accomplish the tasks in the base period” and option periods. Id. Thus, even assuming, for the sake of argument, that NCI’s proposal did properly identify that it would not reduce staffing in the option years if its EMPOWER efficiencies were not realized, such staffing would remain insufficient in the absence of a secondary plan if EMPOWER could not be used.
Finally, concerning tier III support, the record demonstrates that the agency reasonably construed multiple references in NCI’s proposal to tier III support, which, as previously stated, was not a requirement of the TORP, as reflecting a lack of understanding of the TOPR’s requirements. An offeror’s disagreement with an agency’s evaluation judgments, without more, does not demonstrate that those judgments are unreasonable. Science Applications Int’l Corp., B-413112, B-413112.2, Aug. 17, 2016, 2016 CPD ¶ 240 at 6. Accordingly, we find the agency’s assignment of a significant weakness under this subfactor to be reasonable.
The protest is denied.
Thomas H. Armstrong
 The awarded value of the task order at issue exceeds $25 million. Accordingly, this procurement is within our jurisdiction to hear protests related to the issuance of task orders under multiple-award indefinite-delivery, indefinite-quantity contracts established under the authority of Title 10 of the United States Code. 10 U.S.C. § 2304c(e).
 An authority to operate--sometimes called authorization to operate--is the official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the nation based on the implementation of an agreed-upon set of security controls. DATA ACT: OMB and Treasury Have Issued Additional Guidance and Have Improved Pilot Design but Implementation Challenges Remain, GAO-17-156 at 28 n.37 (2016) (citing the definition for ATO set forth in National Institute of Standards and Technology Special Publication 800-37).
 According to Army Regulation (AR) 25-2, Army Cybersecurity (which was incorporated as a mandatory requirement for offerors in sections C.8.7.3 and C.11.0 of the PWS), the DOD Unified Capabilities Approved Products List (APL) is the authoritative list of products that have completed interoperability and cybersecurity certification. AR, Tab 57, AR 25-2, para. 4-12(c)(1).
 The agency explains that obtaining an ATO is part of the RMF process. COS/MOL at 20 n.6; see AR, Tab 57, AR 25-2, para. 2-27; para. 4-3(d).
 NCI advances an alternative argument that “to the extent that PWS C.8.7.3 could reasonably be construed to apply to EMPOWER, the provision was latently ambiguous.” Comments at 4 n.1; see also Supp. Comments at 3. An ambiguity exists when two or more reasonable interpretations of the terms or specifications of the solicitation are possible. See Ashe Facility Servs. Inc., B-292218.3, B-292218.4, Mar. 31, 2004, 2004 CPD ¶ 80 at 10. Because, as we will discuss, NCI’s interpretation is not a reasonable reading of the solicitation, we conclude that no such ambiguity exists.
 The technical team goes on to provide numerous examples throughout AR 25-2 where similar restrictions apply to both hardware and software. See AR, Tab 59, Second Joint Decl. of Tech./Mgmt. Eval. Team, at 3.
 Though not in its proposal, in response to the protest, NCI now contends that it would “follow accepted software delivery principles, such as by download from the Government’s approved software repository” to place EMPOWER on the GEF platform. Comments at 3. This contention is inconsistent with NCI’s claims, throughout the pendency of this protest, that its software does not need to be on an approved list to be utilized on the network. See Protest at 7-8.
 NCI also argues that because it properly addressed data rights in a separate volume of its proposal, the third basis for the significant weakness under the technical approach subfactor was unwarranted. Protest at 12-14; Comments at 6-7. In a declaration, the technical management team explains that it identified concerns about data rights for EMPOWER to “ensure the Contracting Officer was aware” of such concerns, but that its “primary concern under the Technical Approach subfactor was the viability of the EMPOWER tool itself.” AR, Tab 3, Joint Decl. of Tech./Mgmt. Eval. Team at 4-5.
While the underlying evaluation record does provide, in the discussion of NCI’s significant weakness, that there “is no indication in the proposal about the data or licensing rights held currently or after contract expiration on the application,” the record supports the technical team’s contention that its main concern was the viability of EMPOWER, and that the significant weakness would stand without the data rights issues. TODD at 4-5; see AR, Tab 3, Joint Decl. of Tech/Mgmt. Eval. Team at 4-5 (“It was our assessment at the time, as it is now, that the proposed reliance on the EMPOWER tool itself is a Significant Weakness that appreciably increases the risk of unsuccessful contract performance, even absent our concerns about the data and licensing rights.”).
 Tier I support provides basic help-desk and service-desk support, while tier II support provides more in-depth technical support to assess and resolve problems that could not be resolved by tier I support. COS/MOL at 16 n.4. When neither tier I nor II can resolve an issue, tier III support provides significantly higher levels of expert support. Id. Tier III support falls outside the scope of this task order. Id.; AR Tab 3, Joint Decl. of Tech./Mgmt. Eval. Team at 6.
 NCI contends that the declarations from the agency are post hoc explanations that should be entitled to no weight. Comments at 11; Supp. Comments at 5-6. In reviewing an agency’s evaluation, we do not limit our review to contemporaneous evidence, but consider all of the information provided, including the parties’ arguments and explanations. Science Applications Int’l Corp., Inc., B-408270, B-408270.2, Aug. 5, 2013, 2013 CPD ¶ 189 at 8 n.12. Although we generally give little weight to reevaluations and judgments prepared in the heat of the adversarial process that are inconsistent with the contemporaneous record, see Boeing Sikorsky Aircraft Support, B-277263.2, B-277263.3, Sept. 29, 1997, 97-2 CPD ¶ 91 at 15, post-protest explanations that provide a detailed rationale for contemporaneous conclusions and simply fill in previously unrecorded details will generally be considered in our review of the rationality of selection decisions, so long as those explanations are credible and consistent with the contemporaneous record. Remington Arms Co., Inc., B-297374, B‑297374.2, Jan. 12, 2006, 2006 CPD ¶ 32 at 12. Here, the evaluators’ explanations are credible and consistent with the contemporaneous record.