Panasonic I-PRO Sensing Solutions Corporation of America

Decision

Matter of:  Panasonic I-PRO Sensing Solutions Corporation of America

File:  B-419260

Date:  January 12, 2021

DIGEST

Sole-source award for an incident-driven video recording system is unobjectionable where the agency reasonably determined that the protester and its solution are not capable of meeting the agency’s needs.

Panasonic i-PRO Sensing Solutions Corporation of America (Panasonic), of Rolling Meadows, Illinois, protests the award of contract No. 70B03C20C00000167, on a sole-source basis, to Axon Enterprise, Inc. (Axon), of Scottsdale, Arizona, by the Department of Homeland Security, U.S. Customs and Border Protection (CBP), for an incident-driven video recording system.  Panasonic challenges the basis of the sole-source award and contends that it offered a solution that could meet the agency’s needs.

We deny the protest.

BACKGROUND

CBP’s mission involves active patrolling, monitoring, and screening of those entering the United States.  Agency Report (AR), Tab 30, Justification and Approval (J&A) at 1. CBP states that it must conduct these activities and other interactions with the public in a transparent and accountable manner.  Id.  The agency further explains that this requirement ensures that non-surveillance, agent-activated recordings of interactions between CBP agents and the public are conducted in a straightforward and transparent manner.  Id.

The agency states that it received a mandate from Congress to expand the use of body‑worn cameras (BWCs) and develop a comprehensive plan and implementation schedule for camera technology.Id. (citing Department of Homeland Security Appropriations Bill, 2017, H. Rept. 114-668 (2016)).  To implement Congress’s mandate that CBP deploy BWC technology prior to the end of fiscal year 2021, CBP intends to purchase 4,300 BWCs, 700 docking stations, and 4,000 video management system (VMS) software and cloud storage licenses (to be purchased annually) over the course of multiple base and option years through fiscal year 2025.  AR, Tab 30, J&A at 1. 

On July 22, 2020, the agency finalized a J&A to support its decision to award a sole-source contract to Axon for the incident-driven video recording system.  Id.; Tab 31, J&A Signature Page at 1  The J&A concluded that a sole-source award to Axon was justified pursuant to 41 U.S.C. § 3304(a)(1) and Federal Acquisition Regulation (FAR) 6.302-1, which states that only one source can satisfy the agency’s needs.  AR, Tab 30, J&A at 2.  CBP estimates the value of this procurement to be approximately $15.7 million.  Id. at 1. 

The J&A explained the agency’s basis for concluding that only Axon could meet the agency’s requirements.  AR, Tab 30, J&A at 2.  Specifically, the J&A stated that only Axon demonstrated the necessary security and data management authorizations that would support immediate deployment of the required technology. Id.  In this regard, the J&A identified Federal Risk and Authorization Management Program (FedRAMP) authorization as a requirement for all government cloud systems.[1]  Id.  The J&A explains that Axon is uniquely qualified to perform the requirement because it is the only BWC vendor listed in the FedRAMP marketplace that has achieved FedRAMP moderate risk impact level authorization and Federal Information Processing Standard (FIPS) 140-2 compliance.[2]  Id.  During the agency’s acquisition planning, Axon was able to provide documentation proving both its video management application and cloud storage solution are FedRAMP authorized.  Id. at 3.  The J&A notes the CBP would endeavor to monitor the marketplace and FedRAMP authorization status for other potential incident-driven video recording systems that could meet CBP’s needs.  Id. at 4. 

In addition to security and data management authorizations, the J&A cites the need to use a single vendor as another fact supporting the use of other than full and open competition.  Id. at 3.  CBP concluded that the use of a single vendor would not only ensure the seamless accessing of information, but also prevent the compatibility and performance risks found to arise when CBP moved between one vendor’s VMS and another’s cloud storage platform.  Id.  In this regard, the agency explains that Axon offers an all-in-one solution including camera, docking station, video management on premises, cloud-based application, and cloud storage.  Id.

Additionally, the J&A outlines the market research the agency conducted beginning in 2014.  Id. at 2.  The agency’s market outreach and assessment included a feasibility study in 2015, a request for information (RFI) and an industry day in 2016, a 6-month field evaluation in 2018, a second RFI conducted in October 2019, and in-person vendor meetings held in February 2020.  Id.; AR, Tab 27, Market Research Report at 7. 

Pertinent to this protest, on October 16, 2019, the agency issued its second RFI to obtain information and recommendations for the requirement and invited firms to show their capability to provide incident-driven recording systems.  AR, Tab 9, October 2019 RFI at 1, 9.  The RFI advised that offerings should meet a desired minimum threshold for the operational requirements identified by CBP.  Id. at 1.  In this regard, the RFI included a table identifying the operational features that CBP was seeking and the minimum thresholds, attributes, and attribute description associated with each operational feature.  Id. at 2.  The table identified 10 operational features and 42 associated attributes required to support incident-driven video recording systems.[3]  Id. at 3-8. 

As relevant here, the operational feature of information security identified nine attributes including FedRAMP.  Id.  The attribute, attribute description, and minimum desired threshold for FedRAMP authorization are identified below.

Id. at 3.

Thirteen firms responded to the October 2019 RFI.  AR, Tab 27, Market Research Report at 20.  The protester’s RFI response included a claimed capability narrative for FedRAMP that indicated that its cloud-hosted storage solution was built to meet FedRAMP requirements and was undergoing FedRAMP assessment and audit.  AR, Tab 12, Panasonic RFI Response at 5. 

Between November 2019 and January 2020, the agency emailed follow-up questions to the respondents of the October 2019 RFI and received responses from several vendors, including Panasonic.  In December and November 2019, the agency inquired about vendors’ security policies and protocols critical to CBP.  AR, Tab 14, Post-RFI Planning Emails at 1; Tab 16, Email between Agency and Panasonic at 1, 3.  In January 2020, the agency requested information regarding storage offerings and procedures.  AR, Tab 18, Emails between Agency and Panasonic at 1-3.  In February 2020, at Panasonic’s request, CBP met with Panasonic to discuss Panasonic’s qualifications and capabilities.  AR, Tab 20, Emails between Panasonic and Agency at 3; Tab 22, Panasonic Vendor Meeting Notes at 2.  In that meeting, Panasonic indicated that its evidence management system was neither FedRAMP approved, nor in the process of being approved,[4] and that CBP’s data would be stored on the FedRAMP approved [DELETED].[5]  AR, Tab 22, Panasonic Vendor Meeting Notes at 2. 

In April 2020, the agency issued its Market Research Report.  In that report, the agency concluded that mandatory minimum federal security requirements, such as FedRAMP, limited the number of vendors capable of providing BWC (body worn camera) technology to law enforcement agencies.  AR, Tab 27, Market Research Report at 41.  On this point, the agency explained that the selected vendor and its cloud video management application must be authorized at a FedRAMP moderate risk impact level to ensure the security of the entire system, i.e., to ensure the sharing, retention, tagging, retrieval, and redaction of footage captured by BWCs is not compromised.  Id. at 8.  CBP further asserted that FedRAMP authorization was required prior to selecting and procuring a solution in order to achieve full security compliance and approval from security authorities at CBP.  Id. at 9. 

The agency also explained that because FedRAMP authorization takes several years to complete, and the requirement cannot be waived, the agency required a vendor that has already been FedRAMP authorized in order to prevent delay.  Id.  In this regard, the agency notes that if it were to select a vendor that lacked FedRAMP authorization, and FedRAMP authorization was subsequently denied, the implementation of the BWC technology could be delayed by several years.  Id.

In its Market Research Report, the agency also determined that Panasonic’s proprietary solutions were not FedRAMP authorized and, of the 13 firms that responded to the October 2019 RFI, only Axon provided proprietary solutions that were FedRAMP authorized.  Id. at 27-28, 41.  In this respect, CBP explains that the government makes a company’s FedRAMP authorization status publicly available through the FedRAMP marketplace dashboard.  Id. at 9.  The agency noted that as of the date of the Market Research Report, i.e., April 20, 2020, only Axon offered a viable FedRAMP authorized solution for incident-driven recording systems.  Id. at 31.

On September 25, CBP posted notice of the sole-source award on beta.sam.gov.  On October 5, Panasonic timely protested to our Office.

DISCUSSION

Panasonic contends that the agency erred in concluding that only Axon could perform the requirement and raises various challenges to the agency’s conclusion.  For example, Panasonic asserts that the agency’s second RFI failed to inform firms that FedRAMP authorization was required at the time of RFI submission, and further contends that its solution can meet the agency’s requirement.  Protest at 19-22.  Additionally, Panasonic challenges the agency’s decision to require a single vendor solution.  Protest at 16-19.  While we do not address every issue raised, we have considered all of the protester’s arguments and conclude that none furnishes a basis on which to sustain the protest. 

When using noncompetitive procedures pursuant to 41 U.S.C. § 3304(a)(2), as here, agencies are required to execute a written J&A with sufficient facts and rationale to support the use of the cited authority.  41 U.S.C. §§ 3304(e)(1)(A), (f); FAR 6.302-1, 6.303, 6.304; eFedBudget Corp., B-298627, Nov. 15, 2006, 2006 CPD ¶ 159 at 7.  Our review of an agency’s decision to conduct a noncompetitive procurement focuses on the adequacy of the rationale and conclusions set forth in the J&A; where the J&A sets forth a reasonable justification for the agency’s actions, we will not object to the award.  See Bravura Info. Tech. Sys., Inc., B-418755, Aug. 18, 2020, 2020 CPD ¶ 277 at 3; Space Vector Corp., B-253295, B-253295.2, Nov. 8, 1993, 93-2 CPD ¶ 273 at 6.

The protester argues that the agency cannot justify a sole-source contract because Panasonic can meet the agency’s needs.  Protest at 20-21.  In this regard, Panasonic alleges that its cloud-hosted service is capable of achieving FedRAMP authorization surpassing the moderate authorization level specified in the RFI and therefore can meet federal government security policies.  Id. at 20-21.

In response, the agency states that OMB requires that cloud service providers comply with FedRAMP security authorization requirements.  Memorandum of Law (MOL) at 20.  Stated differently, FedRAMP authorization is a mandatory minimum requirement of the procurement that was communicated to offerors in the October 2019 RFI.  Id. at 23.  The agency explains that although Panasonic’s 2019 RFI response did not demonstrate that it had achieved FedRAMP authorization, its response was nevertheless considered during the agency’s acquisition planning, as evidenced by several follow-up email exchanges, and a February 2020 vendor meeting discussing FedRAMP authorization.  Id. at 21, 23.  Additionally, the agency notes that at the direction of CBP’s competition advocate, the agency continued to consider whether companies could attain FedRAMP authorization at some point between the 2019 RFI and contract award.  Id.  Prior to concluding its market research and issuing the J&A, the agency explains that it considered Panasonic’s ability to meet the FedRAMP authorization requirement, and found that the protester had not met this requirement.  Id.  Thus, the agency maintains that it reasonably determined that Panasonic’s solution could not meet the agency’s minimum needs.

The agency further contends that even now, after the filing of the protest, that Panasonic cannot meet the fundamental security requirements of the contract, and thus, the sole-source contract to Axon is appropriate.  Id. at 8.  The agency asserts that because Panasonic cannot meet the FedRAMP requirements, it is not an interested party to challenge the agency’s decision to award the contract to Axon on a sole-source basis.  Id. at 16-17.

Panasonic acknowledges that neither it, nor its solution, currently meet the FedRAMP certification requirement.  Protester’s Resp. to GAO Req. for Additional Briefing at 1.  Moreover, the protester specifically states that its protest “does not challenge the Agency’s application of FedRAMP certification to [this] procurement or the right of the Agency to include possession of FedRAMP moderate authorization as a procurement requirement.”  Id. at 2. 

Based on the record before us, Panasonic has not demonstrated that the firm or its solution is capable of meeting the agency’s needs.  The J&A indicates that the agency is procuring an incident-driven video recording system, comprised of BWCs, docking stations, VMS, and cloud storage licenses.  AR, Tab 30, J&A at 1.  The J&A clearly establishes that FedRAMP authorization is a mandatory minimum requirement for all federal agencies procuring cloud systems, and therefore is required here.  Id. at 2.  The protester acknowledges that Panasonic and its solution cannot demonstrate a current FedRAMP authorization.[6]  Protester’s Reponses to GAO Request for Additional Briefing at 1.  Thus, the protester has not shown that it can meet the agency’s needs.  In addition, the protester has not effectively challenged Axon’s ability to satisfy the agency’s requirements as it relates to FedRAMP authorization.[7]  As a result, the protester’s assertions provide no basis to question the agency’s decision to award a sole-source contract to Axon on the basis that Axon is the only source that can satisfy the agency’s needs.  Consequently, we deny this protest ground.

Since the protester concedes that neither Panasonic, nor its solution, has attained FedRAMP authorization, we need not address the protester’s remaining arguments.  That is, because the agency reasonably determined that Panasonic cannot meet the requirements to perform the contract, it is not an interested party to challenge other aspects of the agency’s sole-source determination.  Research Analysis & Maintenance, Inc., B-296206, B-296206.2, July 12, 2005, 2005 CPD ¶ 182 at 11 n.5.  Under the bid protest provisions of the Competition in Contracting Act of 1984, 31 U.S.C. §§ 3551-3556, only an “interested party” may protest a federal procurement.  That is, a protester must be an actual or prospective offeror whose direct economic interest would be affected by the award of a contract or the failure to award a contract.  4 C.F.R. § 21.0(a).  A protester is not an interested party where it would not be in line for contract

award were its protest to be sustained.  Bluehorse Corp., B-414643.2, Aug. 11, 2017, 2017 CPD ¶ 259 at 3. Accordingly, we dismiss the protester’s remaining arguments.

The protest is denied.

Thomas H. Armstrong
General Counsel