Skip to main content

CSIOS Corporation

B-419779,B-419779.2 Jul 27, 2021
Jump To:
Skip to Highlights

Highlights

CSIOS Corporation, of Rockville, Maryland, protests the issuance of task order No. W912HZ-21-F-0082 to Bowhead Total Enterprise Solutions, LLC (BTES), of Springfield, Virginia, pursuant to indefinite-delivery, indefinite-quantity (IDIQ) contract No. W912HZ-20-D-0001. The Department of the Army, U.S. Army Corps of Engineers awarded the contract in May 2020 to BTES for various scientific and technical services for the agency's Engineering Research and Development Center. The protester asserts that the activities being performed under the task order are beyond the scope of the IDIQ contract.

We deny the protest.
View Decision

DOCUMENT FOR PUBLIC RELEASE
The decision issued on the date below was subject to a GAO Protective Order. The entire decision has been approved for public release.

Decision

Matter of:  CSIOS Corporation

File:  B-419779; B-419779.2

Date:  July 27, 2021

Edward J. Tolchin, Esq., Offit Kurman Attorneys-at-Law, for the protester.
Robert K. Tompkins, Esq., Hillary J. Freund, Esq., and Kelsey M. Hayes, Esq., Holland & Knight, LLP, for Bowhead Total Enterprise Solutions, LLC, the intervenor.
Walker D. Moller, Esq., Department of the Army, for the agency.
April Y. Shields, Esq., and Christina Sklarew, Esq., Office of the General Counsel, GAO, participated in the preparation of the decision.

DIGEST

Protest asserting that task order requirements are beyond the scope of the underlying indefinite-delivery, indefinite-quantity contract is denied where the protester has not shown that the task order is materially different from what could reasonably be expected under the original contract.

DECISION

CSIOS Corporation, of Rockville, Maryland, protests the issuance of task order No. W912HZ-21-F-0082 to Bowhead Total Enterprise Solutions, LLC (BTES), of Springfield, Virginia, pursuant to indefinite-delivery, indefinite-quantity (IDIQ) contract No. W912HZ-20-D-0001.  The Department of the Army, U.S. Army Corps of Engineers awarded the contract in May 2020 to BTES for various scientific and technical services for the agency’s Engineering Research and Development Center.  The protester asserts that the activities being performed under the task order are beyond the scope of the IDIQ contract.

We deny the protest.

BACKGROUND

The protest concerns the agency’s award of an IDIQ contract and subsequent issuance of a task order to BTES for various scientific and technical services for the agency’s Engineering Research and Development Center, which manages the Department of Defense’s High Performance Computing Modernization Program (HPCMP).[1]  Agency Report (AR), Tab 4, Contract No. W912HZ-20-D-0001 (“BTES Contract”), at 174;[2] AR, Tab 9, Task Order No. W912HZ-21-F-0082 (“BTES Task Order”), at 584.  The HPCMP is responsible for maintaining continuous defensive cybersecurity operations to defend the agency’s Defense Research and Engineering Network (DREN) from cyberattacks.  The agency explains DREN, and the significance of the HPCMP, as follows:

The work performed on DREN involves unclassified, secret, and top-secret missions, many of which are vital for national security.  For obvious reasons, the DREN is an attractive hacking target for adversarial nation states and other hostile entities.  It is therefore critical, and mandated by various statutes and regulations, that certain cybersecurity functions be continuously maintained (24/7/365) on the DREN.  In order for the DREN to maintain its certifications to operate, there can be no lapse in cybersecurity services.  The Agency procures many of these services.

MOL at 2.

On May 22, 2020, the agency awarded IDIQ contract No. W912HZ-20-D-0001[3] on a direct sole-source basis to BTES, an Alaska Native Corporation under the Small Business Administration’s (SBA) Section 8(a) program,[4] in accordance with Federal Acquisition Regulation section 19.811-1.  The contract is under North American Industry Classification System code 541512, computer systems design services.  The contract has a 5-year ordering period and a maximum value of $20,000,000.  BTES Contract at 174.  The contract includes a performance work statement (PWS), which includes requirements such as “systems engineering services,” as well as various labor categories and completion of specific agency training requirements.  BTES Contract at 180-182, 206-208.

Under the BTES IDIQ contract, the agency has issued two task orders to BTES, both for HPCMP systems engineering services, with cybersecurity components.  The agency issued the first task order on September 27, 2020; performance concluded on March 31, 2021.  AR, Tab 8, Task Order No. W912HZ-20-F-0231 at 515.  The agency issued the second task order (No. W912HZ-21-F-0082) on March 31, in the amount of $2,610,053 for a 6-month period of performance.  BTES Task Order at 584.

On April 26, CSIOS filed a protest with our Office, asserting that the requirements being performed by BTES should be subject to a separate competition.

DISCUSSION

CSIOS argues that the activities being performed under the task order--specifically, as they relate to cybersecurity--fall outside of the scope of BTES’s contract.  Protest at 4; Comments and Supp. Protest at 4-14.  In response, the agency argues that the BTES contract “made clear in a variety of ways--through the PWS, labor categories, and certification requirements--that cybersecurity services were envisioned,” and that “[a]ny potential offeror was on clear notice that the contract contained cybersecurity components.”  MOL at 14.  We have reviewed all of the parties’ arguments and, as discussed below, find no basis to sustain the protest.[5]

In determining whether a task or delivery order is outside the scope of the underlying contract, and thus falls within the Competition in Contracting Act’s competition requirement, 31 U.S.C. §§ 3551-3557, our Office examines whether the order is materially different from the original contract, as reasonably interpreted.  Evidence of a material difference is found by reviewing the circumstances attending the original procurement; any changes in the type of work, performance period, and costs between the contract as awarded and the order as issued; and whether the original solicitation effectively advised offerors of the potential for the type of orders issued.  Nuance Commc’ns, Inc., B-418106, Jan. 8, 2020, 2020 CPD ¶ 23 at 5.  In other words, the inquiry is whether the order is one which potential offerors should have reasonably anticipated.  Symetrics Indus., Inc., B‑289606, Apr. 8, 2002, 2002 CPD ¶ 65 at 5.  In this context, where there is a logical connection between a broad scope of work in an IDIQ contract and the services procured under a subsequent task order, potential offerors are on notice that such logically-connected services are within the scope of the IDIQ.  See, e.g., Morris Corp., B-400336, Oct. 15, 2008, 2008 CPD ¶ 204 at 5-6.

In our view, the record is consistent with the agency’s position, and CSIOS has not established that the requirements of the BTES task order are outside the scope of the underlying IDIQ contract.

First, the record shows the BTES contract is more broadly worded compared to the BTES task order, which the agency explains as follows:  “Because of the rapidly changing [information technology (IT)] arena, the agency elected to use a more comprehensive scope in order to account for the ‘rapidly evolving IT requirements and enable the agency to quickly react to and fulfill future needs whose exact specifics were unknown at that time.’”  MOL at 15; Contracting Officer’s Statement (COS) at 3.  For example, the BTES contract contains “systems engineering” requirements, which is a term that, “[i]n the IT arena, professionals would know . . . encompasses a variety of IT functions, including cybersecurity,” according to an agency HPCMP employee.  AR, Tab 13, Decl. of Agency HPCMP Employee, at 3; see BTES Contract at 180.  The BTES task order includes more specific tasks in areas including “cybersecurity systems engineering,” “project operations,” “protect services,” and “external threat analysis.”  BTES Task Order at 593‑602.  The agency argues, and the protester has identified no basis to question, that cybersecurity services in the BTES task order are “logically connected” to the BTES contract’s PWS.  MOL at 15; see Nuance Commc’ns, Inc., supra at 5 (IDIQ statements of work need not include specific references to every type of task).

Second, the record shows that the labor categories in the BTES contract and the BTES task order are identical.  BTES Contract at 206-208; AR, Tab 12, BTES Cost Proposal for Task Order at 673-675.  Moreover, the record is consistent with the agency’s view that the labor categories “repeatedly emphasized that cybersecurity capabilities would be required.”  MOL at 16.  For example, the “information systems security manager” position is described as responsible for maintaining “data needed to meet system cybersecurity reporting,” supporting IT “security goals,” and evaluating “the effectiveness of the enterprise’s cybersecurity safeguards.”  BTES Contract at 208.

Third, the record shows that the BTES contract includes various cybersecurity training and certification requirements.  Specifically, the contract’s PWS states that “[a]ll contractor employees working [information assurance]/IT functions must comply with [Department of Defense] and Army training requirements” listed therein.  BTES Contract at 182.  The contracting officer explains that, “[i]n order to be eligible to perform cybersecurity-related work, federal employees and contractors must satisfy the training requirements outlined in these authorities.”  COS at 4.  The agency explains that these training requirements were included “[b]ecause cybersecurity work was contemplated by the PWS and labor categories.”  MOL at 17.

Finally, as the agency points out, the BTES task order, issued in the amount of $2,610,053 for a 6-month period of performance, “represents a fraction of the IDIQ’s dollar ceiling and will be completed almost three years before the contract’s expiration.”  MOL at 18.  In this regard, the agency argues that the BTES task order cannot be characterized as “a material change in either the performance period or cost of the base contract.”  Id.

In all, the agency sums up its position that, “[c]onsidering the contract’s broadly worded PWS, its labor categories that repeatedly emphasized cybersecurity components, its cybersecurity training and certification requirements, and the other circumstances surrounding this procurement, any reasonably competent IT contractor would immediately recognize that cybersecurity functions were an integral component of the procurement.”  MOL at 18.

Indeed, CSIOS acknowledges that BTES’s contract and task order include “technology services,” and that “cybersecurity is relevant to this business work.”  Comments and Supp. Protest at 10.  Nonetheless, CSIOS argues that the BTES task order is out-of-scope because, in the protester’s view, the agency should be required to use a separate procurement vehicle to fulfill these cybersecurity requirements.  Protest at 3; Comments and Supp. Protest at 4-14.

As a preliminary matter, in order to view the protester’s complaints in their proper context, we provide the following additional background.  In this regard, “[d]uring the same timeframe” as the award of BTES’s contract, the agency identified the General Services Administration’s (GSA) multiple award schedule (MAS) as “a potential vehicle to satisfy some of its specialized cybersecurity requirements.”  COS at 5.  Specifically, the agency was exploring the potential use of GSA MAS schedule 70 (information technology), special item number (SIN) for highly adaptive cybersecurity support, for certain cybersecurity services for the HPCMP.  Id.

On May 29, 2020, GSA, on behalf of the Corps, issued a request for quotations under GSA MAS schedule 70, SIN for “highly adaptive cybersecurity support,” with the title of “HPCMP cybersecurity service provider services.”  On September 3, GSA issued a task order to CSIOS with a total potential value of $58,277,716 over a performance period of a base year, four option years, and a 6-month extension option.  AR, Tab 3, GSA Task Order No. 47QFSA20F0096/ ID04200051 at 111-113.  A disappointed vendor[6] filed a protest with our Office, challenging the evaluation and award decision, and GSA proposed to take corrective action, to include reevaluating quotations and making a new award decision.  We dismissed that protest as academic.  BreakPoint Labs, LLC, B‑419121 et al., Oct. 19, 2020 (unpublished decision).

On April 15, 2021, GSA terminated CSIOS’s task order.  The contracting officer for the Army explains that “the [highly adaptive cybersecurity support] MAS simply was not a suitable procurement option to fulfill the HPCMP’s highly specialized cybersecurity needs,” as “there were irreconcilable and material differences between the Agency’s proposed labor categories and the [highly adaptive cybersecurity support] SIN labor categories.”  COS at 5-6; MOL at 9.  The contracting officer also explains that, at the same time, she considered the agency’s cybersecurity needs and, “upon consultation with leadership and technical experts,” concluded that it was in the agency’s “best interest to utilize the SBA’s 8(a) program to fulfill the cybersecurity services that are the subject of this protest”--that is, the contract that the agency had awarded to BTES, months before.  COS at 6.

After GSA terminated CSIOS’s task order, CSIOS filed this protest with our Office.  As support for its allegation that the BTES task order is out-of-scope, CSIOS presents an extensive comparison between the requirements of the BTES contract and task order and the requirements of the since-terminated CSIOS task order.  Protest at 3; Comments and Supp. Protest at 4‑14.  In other words, as the agency characterizes the protester’s position, “CSIOS contends that because the [BTES contract’s] requirements did not match the [CSIOS] order’s requirements, the protested work is somehow outside the scope of the [BTES contract].”  Supp. MOL at 9.

In our view, CSIOS’s arguments reflect a fundamental misunderstanding.  As noted above, in determining whether a task or delivery order is outside the scope of the underlying contract, and thus falls within the Competition in Contracting Act’s competition requirement, our Office examines whether the order is materially different from the original contract, as reasonably interpreted.  The agency argues, and we agree, that, “[f]or the purposes of determining scope, [the p]rotester does not specify why the [CSIOS] order requirements are relevant to whether the disputed requirements [in BTES’s task order] are within [the] scope of the base IDIQ” contract awarded to BTES.  Supp. MOL at 9.  We note that, in general, each procurement stands alone, and actions taken in a different procurement are not relevant to our consideration of the agency’s actions in this procurement.  See, e.g., Genesis Design and Dev., Inc., B‑414254, Feb. 28, 2017, 2017 CPD ¶ 79 at 3 n.2.

CSIOS points out the contracting officer’s statement that during the course of GSA’s corrective action that culminated in the termination of the CSIOS task order, she considered it to be in the agency’s “best interest” to use the BTES contract under which task orders with cybersecurity components had already been, and could subsequently continue to be, issued.  Supp. Comments at 1-2; COS at 6.  Even so, we do not think CSIOS’s complaints establish a basis to sustain its protest.

The agency points out, for example, that it awarded the underlying IDIQ contract to BTES months before the GSA issued the since-terminated task order to CSIOS.  Supp. MOL at 3.  Moreover, the agency asserts that the requirements of the BTES task order “differ meaningfully from the types of work contemplated by” the since-terminated CSIOS task order--that is, while the CSIOS order was for “a highly specialized and more comprehensive set of cybersecurity services,” the BTES order is for “a baseline set of services, necessary for the [a]gency to maintain certifications related to its national security initiatives.”  Id. at 6.  In this regard, we agree with the agency’s position that, under these circumstances, “[i]t is irrelevant that the [a]gency previously procured materially different cybersecurity services under a separate procurement vehicle.”  Id. at 12.

Finally, while CSIOS continues to argue that the GSA MAS is “the only contract vehicle for these types of services” and “[o]nly the [highly adaptive cybersecurity support] SIN satisfies these [agency] requirements,” Supp. Comments at 2, 4, the protester has not established anything unreasonable or improper here.  The agency asserts that it “is not required--by statute, regulation, policy, or otherwise--to fulfill its cybersecurity needs under the [highly adaptive cybersecurity support] SIN.”  MOL at 9; Supp. MOL at 3.  The agency also explains that it is “currently performing acquisition planning to contract for its more specialized cybersecurity requirements that were contemplated by the GSA task order.”  Supp. MOL at 4.  We note that a contracting agency has the primary responsibility for determining its needs and the best method of accommodating them, and that this principle applies to the contracting format used to purchase the items (or services) which the agency has determined necessary.  See, e.g., General Electrodynamics Corp., B‑298698, B‑298698.2, Nov. 27, 2006, 2006 CPD ¶ 180 at 3; Voith Hydro, Inc., B‑401244.2, B‑401771, Nov. 13, 2009, 2009 CPD ¶ 239 at 4.  The protester’s disagreement with the agency’s actions here does not establish a basis to sustain its protest.

The protest is denied.

Thomas H. Armstrong
General Counsel

 

[1] In its initial protest, CSIOS also raises allegations concerning various other procurement actions, including a separate IDIQ contract (No. W912HZ-16-D-0004, which was awarded in 2016 to a separate entity, Bowhead Business and Technology Solutions).  The agency explains that there are no active cybersecurity functions being performed under that IDIQ contract and, in any event, the period of performance for that contract expired on May 31, 2021.  Memorandum of Law (MOL) at 1 n.1.  We do not address them further in light of the agency’s explanation, and because the protester’s subsequent filings focus on the contract and task order discussed in detail in this decision.

[2] Citations to the record are to the Bates-numbered pages provided by the agency.

[3] On April 24, the agency issued solicitation No. W912HZ-20-R-0017, in which it announced its intention to award the contract at issue here.  BTES Contract at 174.  While the existence of the contract is public knowledge, as evidenced by publicly available documents included in the record and the protester’s references to the contract in its initial protest filing, the protester asserts that the contract itself is “unavailable publicly.”  Supp. Comments at 2.

[4] Section 8(a) of the Small Business Act, 15 U.S.C. § 637(a), authorizes the SBA to enter into contracts with government agencies and to arrange for performance through subcontracts with socially and economically disadvantaged small business concerns.  See 13 C.F.R. § 124.501(a) (SBA may enter into all types of awards, including contracts and orders).  This program is commonly referred to as the 8(a) program.

[5] In a supplemental protest filed after receipt of the agency report, CSIOS challenges, for the first time, the use of the SBA’s Section 8(a) program for these requirements, including “[t]he failure to offer this work to the SBA, and to instead expand the [BTES] contract to include it.”  Comments and Supp. Protest at 4 n.2; Supp. Comments at 2 (explaining that “[t]he issue is whether moving the [work] in March was properly accomplished”).  The gravamen of this allegation is the same as CSIOS’s initial protest, which is that out-of-scope activities are being performed under the BTES task order.

As the agency and the intervenor point out, publicly available information states that the BTES contract was awarded as an 8(a) sole-source contract, along with the subsequently issued task orders.  AR, Tab 25, Federal Procurement Data System (FPDS) Notice of Contract No. W912HZ-20-D-0001, at 859-861; see also AR, Tab 18, FPDS Notification for Task Order No. W912HZ-20-F-0231, at 797-799.  The agency and the intervenor argue that CSIOS knew or should have known, at the very latest, that the work was being conducted under the 8(a) program when it filed its initial protest.  Supp. MOL at 7‑9; Intervenor’s Supp. Comments at 2-3.

Given this publicly available information, and the protester’s references to this contract in its initial protest filing, we find unavailing the protester’s belated assertions that it “could not even know about the existence of the secret” contract or about the agency’s “offers of work to SBA.”  Supp. Comments at 5.  Since our Bid Protest Regulations do not contemplate the unwarranted piecemeal presentation or development of protest issues, this supplemental protest ground is not timely filed and is dismissed.  4 C.F.R. § 21.2(a)(2); see, e.g., Suntek Sys., Inc., B‑412265, Dec. 22, 2015, 2016 CPD ¶ 6 at 3‑5 (protest is untimely because the protester filed its protest more than 10 days after it knew, or should have known, of SBA’s acceptance of the requirement into the 8(a) program); Quanterion Sols., Inc., B-419438, Dec. 28, 2020, 2020 CPD ¶ 415 at 3-5 (same).

[6] CSIOS points out that the vendor, BreakPoint Labs, LLC, is a subcontractor to BTES.  Protest at 3.

Downloads

GAO Contacts

Office of Public Affairs