Comprehensive Health Services, LLC (Comprehensive), of Reston, Virginia, protests the exclusion of its proposal from the competitive range of the competition conducted under request for proposals (RFP) No. 70RDAD20R00000012, which was issued by the Department of Homeland Security (DHS), for COVID-19 test kits and related services. Comprehensive argues that the agency's evaluation relied on an unstated evaluation criterion.
DOCUMENT FOR PUBLIC RELEASE
The decision issued on the date below was subject to a GAO Protective Order. This redacted version has been approved for public release.
Matter of: Comprehensive Health Services, LLC
Date: February 16, 2021
Elizabeth N. Jochum, Esq., Zachary D. Prince, Esq., and Nora K. Brent, Esq., Smith Pachter McWhorter PLC, for the protester.
Matthew D. McKenzie, Esq., and Brian C. Habib, Esq., Department of Homeland Security, for the agency.
Jonathan L. Kang, Esq., and Laura Eyester, Esq., Office of the General Counsel, GAO, participated in the preparation of the decision.
Challenge to the assignment of a weakness to the protester’s proposal, and exclusion from the competitive range, is denied where the agency’s evaluation was reasonable and consistent with the terms of the solicitation.
Comprehensive Health Services, LLC (Comprehensive), of Reston, Virginia, protests the exclusion of its proposal from the competitive range of the competition conducted under request for proposals (RFP) No. 70RDAD20R00000012, which was issued by the Department of Homeland Security (DHS), for COVID-19 test kits and related services. Comprehensive argues that the agency’s evaluation relied on an unstated evaluation criterion.
We deny the protest.
DHS issued the solicitation on June 22, 2020, seeking proposals to provide COVID-19 testing kits and related services. Agency Report (AR), Tab 14, RFP amend. 7 at 1, 4-5. The agency requires “in-vitro diagnostics for the detection and/or diagnosis of the virus that causes COVID-19” for individuals including DHS personnel, DHS contractors, persons within DHS custody, and persons being repatriated. Id. at 5. The statement of work (SOW) identified three functional categories under which services will be provided: (1) managed testing services, (2) molecular diagnostic test kits and testing services; and (3) antigen testing kits and testing services. Id. at 7-10. Offerors could submit proposals for any or all of the functional categories. Id. at 7. The RFP anticipated the award of multiple indefinite-delivery, indefinite quantity (IDIQ) contracts with base periods of 1 year and four 1-year options. Id. at 13, 84. Orders under the IDIQ contracts will be issued on a fixed-price or time-and-materials basis. Id. at 4. The maximum cumulative ceiling value of all contracts is $2 billion. Id. at 16.
The RFP provided for a two-phase evaluation; proposals were required to address both phases. Id. at 84. Phase one instructed offerors to provide adequate documentation demonstrating that the following two requirements were met: (1) a Food and Drug Administration approval or Emergency Use Authorization for the test kits; and (2) a letter of supply or other documentation substantiating the offeror’s relationship as an authorized reseller of its proposed manufacturer’s test kit. Id. Proposals that met the phase one requirements would be evaluated in phase two. Id.
The phase two evaluation required offerors to complete a capability questionnaire, which contained 20 questions, plus an additional four questions for firms proposing for functional category 1, managed testing services. Id.; AR, Tab 3a, RFP attach. A, Capability Questionnaire at 1-4. The RFP stated that the agency would review the questionnaire responses as follows:
The Government will evaluate the offeror’s capability by considering the questionnaire responses from the offeror to determine: (1) the extent to which the offeror demonstrates a thorough understanding of the background, Does your offering create or store dascope, objectives, and work requirements of the SOW; (2) the extent to which the offeror supports how each functional category will be fully performed; and (3) the reasonableness and usability of the solutions the offeror provides in their responses.
RFP at 84-85.
For purposes of award, the RFP stated the agency intended to “award multiple IDIQ contracts to the responsible offerors submitting an overall proposal that is determined to be amongst the highest technically rated offers with fair and reasonable prices.” Id. at 84. The agency further explained that “[t]he Government will not conduct tradeoffs.” Id.
DHS received proposals from 118 offerors, including Comprehensive, by the closing date of August 12. AR, Tab 29, Competitive Range Determination at 3. Comprehensive’s proposal addressed functional categories 1 and 2, managed testing services, and molecular diagnostic test kits and testing services. AR, Tab 25, Comprehensive Proposal Vol. I at 2. As relevant here, the agency found that Comprehensive’s proposal did not meet the phase one evaluation criteria because it did not “provide a Letter of Supply demonstrating that they are an authorized reseller of the proposed kits.” AR, Tab 18, Notice of Exclusion at 2.
Comprehensive filed a protest with our Office on September 23, arguing that a letter of supply was not required where offerors did not propose to purchase and resell test kits. Protest (B‑419183) at 4. On October 6, the agency advised that it would take corrective action in response to the protest by reevaluating proposals to determine whether they complied with the letter of supply requirements. Comprehensive Health Servs., LLC, B‑419183, Oct. 7, 2020, at 1 (unpublished decision). Based on the agency’s proposed corrective action, we concluded that the protest was rendered academic, and dismissed it on October 7. Id. at 1-2.
DHS included Comprehensive’s proposal in the phase two evaluation and reviewed its capability questionnaire. Contracting Officer’s Statement (COS) at 4. As discussed below, the agency’s technical evaluation team (TET) identified a weakness in Comprehensive’s proposal based on its response to question 17 concerning anonymized data. AR, Tab 28, Revised TET Report at 17. The TET concluded that Comprehensive’s questionnaire responses merited a rating of some confidence. Id. at 18.
Based on the results of the phase two evaluation, the agency established a competitive range for the purpose of conducting discussions with the offerors that submitted the most highly-rated proposals. AR, Tab 29, Competitive Range Determination at 1. The contracting officer cited the findings of the TET and assigned Comprehensive’s proposal a rating of some confidence. Id. at 35-37. Based on this rating, the contracting officer concluded that Comprehensive’s proposal was not one of the most highly rated, and excluded it from the competitive range. Id. at 37.
The agency provided Comprehensive a pre-award debriefing, which concluded on November 6. AR, Tab 24, Debriefing at 4. This protest followed.
Comprehensive primarily argues that DHS unreasonably assigned its proposal a weakness in the phase two evaluation based on an unstated evaluation criterion concerning anonymization of patient data. For the reasons discussed below, we find no basis to sustain the protest.
The evaluation of an offeror’s proposal is a matter within the agency’s discretion. National Gov’t Servs., Inc., B‑401063.2 et al., Jan. 30, 2012, 2012 CPD ¶ 59 at 5. In reviewing protests challenging an agency’s evaluation of proposals, our Office does not reevaluate proposals or substitute our judgment for that of the agency, but rather examines the record to determine whether the agency’s judgment was reasonable and in accord with the stated evaluation criteria and applicable procurement laws and regulations. 22nd Century Techs., Inc., B‑413210, B‑413210.2, Sept. 2, 2016, 2016 CPD ¶ 306 at 8. An offeror’s disagreement with the agency’s evaluation judgment, without more, is insufficient to establish that the agency acted unreasonably. See Vectrus Sys. Corp., B‑412581.3 et al., Dec. 21, 2016, 2017 CPD ¶ 10 at 3.
Agencies must evaluate proposals based solely on the factors identified in the solicitation, and must adequately document the bases for their evaluation conclusions. Sterling Med. Corp., B‑412407, B‑412407.2, Feb. 3, 2016, 2016 CPD ¶ 73 at 11; Intercon Assocs., Inc., B‑298282, B‑298282.2, Aug. 10, 2006, 2006 CPD ¶ 121 at 5. While agencies properly may apply evaluation considerations that are not expressly outlined in the RFP if those considerations are reasonably and logically encompassed within the stated evaluation criteria, there must be a clear nexus between the stated and unstated criteria. Raytheon Co., B‑404998, July 25, 2011, 2011 CPD ¶ 232 at 15‑16. Where a dispute exists as to a solicitation’s requirements, we begin by examining the plain language of the solicitation. Bluehorse Corp., B‑414809, Aug. 18, 2017, 2017 CPD ¶ 262 at 5. When a protester and agency disagree over the meaning of solicitation language, we will resolve the matter by reading the solicitation as a whole and in a manner that gives effect to all of its provisions; to be reasonable, and therefore valid, an interpretation must be consistent with the solicitation when read as a whole and in a reasonable manner. Constructure-Trison JV, LLC, B‑416741.2, Nov. 21, 2018, 2018 CPD ¶ 397 at 3.
The RFP’s phase two evaluation criteria required offerors to submit responses to questions in the capability questionnaire. RFP at 84; AR, Tab 3a, RFP attach. A, Capability Questionnaire at 1-4. As relevant here, question No. 17 stated as follows:
Question 17: Does your offering create or store data? Can the data be anonymized or is [personally identifiable information (PII)] required? Can your solution support receiving anonymized testing subject data and how? How do you handle the collection of PII and how do you process notifications of test results? By what mechanism are the test results available electronically  (i.e., computer to computer transfer)[?]
AR, Tab 3a, RFP attach. A, Capability Questionnaire at 4.
The TET found that the protester’s questionnaire responses merited a “some confidence” rating based on two “[n]oteworthy observations.” AR, Tab 28, Revised TET Report at 17. First, the TET found that the protester’s response to question 3 concerning its approach to establishing on-site locations was a benefit because it “provides DHS with the capability to quickly respond to COVID-19 situations that will enable DHS’s return to workplace efforts.” Id. at 17, 18. Second, the TET found that the protester’s response to question 17 created a risk to the agency because it did not address anonymized data, as follows:
The offeror does not provide information in their response that addresses anonymizing data in response to the stated question. Although the offeror provides information regarding collecting and storing data, there is no information regarding anonymization of the data. This adds to the risk that if there were a data breach, the Government would be required to expend resources to resolve the situation.
AR, Tab 28, Revised TET Report at 18, 19.
The competitive range determination cited the two observations noted in the TET report. AR, Tab 29, Competitive Range Determination at 35-37. In addition, the competitive range determination found that the protester’s response to question 2, concerning the ability to “scale-up staffing,” provides a benefit because “it reduces the risk that sites will be setup and staffed in required timeframes, thus, ensuring the Government meets mission requirements.” Id. at 36-37. The contracting officer concluded that Comprehensive’s proposal merited a rating of some confidence and should not be included in the competitive range for the following reasons:
Comprehensive Health has noteworthy observations relating to set up time and staffing which are identified as benefits and a risk with respect to its system’s ability to anonymize data. While benefits are identified for Comprehensive Health’s response, they are offset by a risk and are not of an overall nature to merit a rating higher than some confidence, therefore, Comprehensive Health is not in the competitive range.
Id. at 37.
Comprehensive’s debriefing explained that the weakness assigned to its proposal concerned “anonymizing data.” AR, Tab 24, Debriefing at 4. The debriefing quoted the weakness as cited in the TET report, and also quoted the contracting officer’s conclusion in the competitive range determination regarding the protester’s “ability to anonymize data.” Id.
Comprehensive does not dispute that its response to question 17 did not specifically address anonymized data. See Protest at 6. Rather, the protester states that it responded to the question in a “holistic manner” and that it addressed its processes for electronically collecting, capturing, and storing testing subject data and sharing results. Protest at 6. The protester also explains that it addressed question 17 by stating its system is capable of securely transmitting data, confidentially communicating test results to DHS employees and ensuring secure and HIPAA-compliant records management. Id. The protester argues, however, that neither the SOW nor any other part of the RFP referred to the “ability to anonymize data,” which was the term used in the competitive range determination. Protest at 4; AR, Tab 29, Competitive Range Determination at 37. In this regard, the protester distinguishes between the ability to accept anonymized data, and the ability to render non-anonymized data (including PII) into an anonymous form. Protest at 4-6; Comments at 2-4. For these reasons, the protester argues that the phase two questionnaire did not require offerors to address the ability to anonymize data, and that the weakness assigned to its proposal was therefore unreasonable.
DHS agrees that the SOW will not require the contractors to anonymize data, that is, render the data into a form that does not contain PII. Memorandum of Law (MOL) at 31-32; COS at 5, 8. Instead, the agency states, as discussed above, that the SOW will require the contractors to accept data in the form provided by the agency, including anonymized data. Id. The agency further states that the evaluation of Comprehensive’s proposal found that it did not demonstrate the ability to receive and handle anonymized data. Id.
Comprehensive does not specifically dispute the agency’s interpretation that the SOW will require contractors to accept anonymized data. See Comments at 2-6. Instead, the protester argues that the agency’s evaluation improperly applied an unstated evaluation criterion that contractors will be required to anonymize the data, that is, take non-anonymized PII and render it in an anonymized form. Id. Comprehensive contends that the agency’s response to the protest is an improper post-hoc explanation that is not consistent with the contemporaneous record. Comments at 3-4. The protester argues that the response should not be given any weight in our review, and that the contemporaneous record shows that the agency relied on the unstated criterion of the ability to anonymize data. Id.
Our Office generally accords lesser weight to post-hoc arguments or analyses made in response to protest allegations because we are concerned that new judgments made in the heat of an adversarial process may not represent the fair and considered judgment of the agency. Boeing Sikorsky Aircraft Support, B‑277263.2, B‑277263.3, Sept. 29, 1997, 97‑2 CPD ¶ 91 at 15. In contrast, we will consider agencies’ explanations that provide a detailed rationale for contemporaneous conclusions and fill in previously unrecorded details, so long as the explanations are credible and consistent with the contemporaneous record. Native Energy & Tech., Inc., B‑416783 et al., Dec. 13, 2018, 2019 CPD ¶ 89 at 4.
Here, we conclude that the record supports the agency’s representations regarding its contemporaneous understanding of the RFP and its evaluation of the protester’s proposal. First, we find that the record supports the agency’s explanation that the SOW will require contractors to accept data in an anonymized format. Question 17 asked offerors to address the following: “Does your offering create or store data? Can the data be anonymized or is PII required? Can your solution support receiving anonymized testing subject data and how?” AR, Tab 3a, RFP attach. A, Capability Questionnaire at 4. The phrase “can the data be anonymized” could be understood to ask: (1) can the data be rendered anonymized, (2) or can the data at issue exist in an anonymous form? The agency argues that the latter interpretation was intended, and that the question did not require offerors to address the ability to render data anonymous.
In response to the protest, a member of the TET provided a declaration explaining that he “developed the [SOW] requirements related to submitting and receiving data associated with COVID-19 testing.” AR, Tab 31, Decl. of TET Evaluator at 1. The TET evaluator states that “in some instances, [the government] would choose not to provide, or be prohibited from providing, vendors with personally identifiable information (PII) or other demographic data of certain tested individuals or populations.” Id. For this reason, question 17 was intended to “gauge a vendor’s capability to receive and handle anonymized data from the Government,” and that “[a]ssessing this ability was to ensure that the vendors’ solution would not reject anonymized data upon submission.” Id. at 2. The TET evaluator further states that “DHS was not concerned with whether vendors could anonymize test subject data after receiving a test subject’s personally identifiable information from the Government.” Id. We conclude that the record supports the agency’s interpretation that question 17 referred to the ability to receive anonymized testing data.
Next, we find that the TET evaluation was consistent with the interpretation that the SOW will not require contractors to render data anonymous. In this regard, the TET evaluation stated that the protester “did not provide information  that addresses anonymizing data in response to the stated question,” and that “there is no information regarding anonymization of the data.” AR, Tab 28, Revised TET Report at 18, 19. Here again, the phrases “anonymizing data” and “anonymization of the data” can be understood to mean: (1) the ability to make data anonymous, or (2) the data that makes PII anonymous.
The TET evaluator states that “the risk the Government assigned to [Comprehensive’s] proposal applied broadly to [Comprehensive’s] failure to address any aspect of its solution’s ability to receive, accept, or otherwise process anonymized test result data.” AR, Tab 31, Decl. of TET Evaluator at 2-3. The TET evaluator explains that “[i]n using the phrases ‘anonymizing data’ and ‘anonymization of the data,’ I was broadly referring to [Comprehensive’s] failure to address in any way its solution’s ability to receive, accept, or otherwise process anonymized data.” Id. at 3. In light of our conclusion that question 17 is reasonably understood to refer to the ability to receive anonymized testing data, we conclude that the TET’s evaluation also referred to whether the protester’s proposal addressed the ability to receive anonymized testing data.
Finally, we find that the contracting officer reasonably explains that she understood the RFP and the TET’s evaluation to refer to the ability to accept anonymized data. As discussed above, the competitive range determination restated the findings of the TET concerning the assignment of a weakness to the protester’s proposal based on the failure to address anonymized data. AR, Tab 29, Competitive Range Determination at 36. The determination, however, also stated that the weakness was assigned based on a “risk with respect to its system’s ability to anonymize data.” Id. at 37.
The contracting officer states that the summary of the reference in the competitive range determination to Comprehensive’s “ability to anonymize data” was a misstatement:
In characterizing the risk that the TET assigned to [Comprehensive] as relating to [Comprehensive’s] “system’s ability to anonymize data,” I inaccurately summarized the TET’s assessment. I worked with [the TET Evaluator] in the requirements development phase and in the evaluation and I agree with his statement that a vendor’s ability to anonymize data, or, a vendor’s need to anonymize personally identifiable information that was not already anonymized by the Government, was not contemplated as part of this requirement and not required in the solicitation.
COS at 5.
The contracting officer further states that she “did not fully appreciate that the phrase ‘ability to anonymize data’ could be interpreted as referring to a capability for successful offerors to anonymize the data themselves, as opposed to receiving, accepting, and otherwise processing data anonymized by the government.” Id. Rather than indicating the ability to render non-anonymous data into an anonymous form, the contracting officer explains that she “intended only to summarize offerors’ benefits and risks as documented by the TET,” and that her summary “inadvertently ascribed a narrow meaning to the TET’s” findings. Id.
We find the record supports the contracting officer’s explanation. As discussed above, the record supports the agency’s interpretation that the SOW will require contractors to accept all data, including anonymized data. The record also supports the agency’s explanation that the TET evaluation assessed a weakness to Comprehensive’s proposal based on the failure to respond to question 17 regarding whether the protester can accept anonymized data. In light of this record, we find that the contracting officer reasonably explains that her summary of the risk as assessed by the TET unintentionally changed the meaning of the risk, and that she did not intend to alter the TET’s finding.
In sum, we conclude that DHS’s evaluation of Comprehensive’s proposal did not rely on an unstated evaluation criterion. The phase two questionnaire expressly advised offerors that they were required to address anonymized data, and the record supports the agency’s explanation that the evaluation was based on the protester’s failure to
address its ability to receive and handle anonymized data. On this record, we find no basis to sustain the protest.
The protest is denied.
Thomas H. Armstrong
 Citations to the RFP are to the conformed copy in RFP amendment 7, unless otherwise noted. Citations to documents in the agency report are to Adobe PDF document pages.
 The agency assigned phase two capability questionnaires one of the following ratings: high confidence, some confidence, or low confidence. AR, Tab 32, Technical Evaluation Plan at 7.
 Comprehensive also raises other collateral arguments. Although we do not address every argument, we have reviewed them all and find no basis to sustain the protest.
 The TET report included identical findings for Comprehensive’s questionnaire responses for functional categories 1 and 2. AR, Tab 28, Revised TET Report at 17‑19.
 HIPAA is the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, Aug. 21, 1996.
 Comprehensive’s initial protest noted that the RFP initially contained the following requirement: “The contractor shall be able to accept anonymized patient data to enroll individuals to be tested into a testing queue from Government systems.” AR, Tab 3, Initial RFP at 10 (emphasis added). The agency revised this requirement in RFP amendment 7, as follows: “The contractor shall be able to accept all patient data necessary to enroll individuals to be tested into a testing queue from Government systems and report the results once testing is completed.” RFP at 10 (emphasis added). The protester noted that the initial version of the RFP required offerors to demonstrate the ability to accept anonymized data. Protest at 3. The protester argued, however, that the amended RFP removed the requirement to accept anonymized data. Id. at 4. DHS’s response to the protest argued that the revised RFP provision did not state that the requirement to accept anonymized data was removed, and instead broadened the requirement to mandate acceptance of “all patient data.” MOL at 28‑29. The protester’s comments on the agency report did not specifically respond to the agency’s argument and, in a single sentence, only repeats its argument that the amendment changed the requirement to accept anonymized patient data. Comments at 2. We agree that the agency reasonably interpreted the SOW to require contractors to accept all necessary patient data, including anonymized data.
 The TET evaluator explains that under some circumstances DHS could be prohibited from disclosing personally identifiable information to the contractor conducting the testing, “in which case the [contractor’s] solution would be required to accept anonymized test subject data.” AR, Tab 31, Decl. of TET Evaluator at 2 (citing SOW Sections 2.0, 6.8.1, 6.8.2; and RFP Section 7.9). Further, the TET evaluator explains that the SOW informed offerors that test result reports would be required to include a “patient’s name or anonymized identifier” and therefore the RFP did not establish or allude to separate and distinct requirements for contractors to anonymize data that was not already anonymized by DHS. Id.
 According to the TET evaluator, the “validation rules for names often are constrained to letters, while anonymized names may be comprised of alphanumeric characters [and if the contractor’s] system imposed such validation rules for names, the [contractor] would need to make modifications to their systems.” AR, Tab 31, Decl. of TET Evaluator at 2. Further, the ability to receive and accept anonymized test result data “significantly reduces the security risk if data were to be lost in a breach.” Id.
 The protester’s argument, in essence, agrees with the agency’s interpretation to the extent that the protester contends that neither the SOW nor question 17 required offerors to address the ability to render data anonymous. See Comments at 2-4.