Meridian Knowledge Solutions, LLC

DOCUMENT FOR PUBLIC RELEASE
The decision issued on the date below was subject to a GAO Protective Order. This version has been approved for public release.

Decision

Matter of: Meridian Knowledge Solutions, LLC

File: B-420150.4; B-420150.5; B-420150.6

Date: August 25, 2022

DIGEST

1. Protest alleging that agency’s decision to cancel a solicitation was a pretext for making an impermissible sole source award is denied where the agency’s explanation for the decision was reasonable.

2. Protest challenging agency’s decision to enter into an inter-agency agreement is denied where the agreement was authorized by statute.

Meridian Knowledge Solutions, LLC, of Reston, Virginia, protests the cancellation of request for quotations (RFQ) No. 70RTAC20Q00000081 by the Department of Homeland Security (DHS) for information technology support services. The protester alleges that the agency’s decision to cancel the solicitation and procure its requirements through an inter-agency agreement (IAA) with the Office of Personnel Management (OPM) is unreasonable and contrary to law.

We deny the protest.

BACKGROUND

On September 24, 2020, DHS issued an RFQ pursuant to the procedures of Federal Acquisition Regulation (FAR) subpart 8.4 to establish blanket purchase agreements (BPAs) against the General Services Administration Information Technology Federal Supply Schedule (FSS). The RFQ sought information technology services supporting the agency’s learning management software (LMS) system. Agency Report (AR), Tab 3, RFQ at 2. Among other things, DHS sought an LMS system that would permit the agency to analyze training needs and gaps for its staff, to develop training and development plans for individual learners, and monitor the completion of those plans. RFQ, attach. 2, Statement of Work at 6.

The solicitation contemplated the establishment of more than one BPA with an ordering period of “up to ten years from award to consist of a one year base and nine, one year option periods.” RFQ at 1. The RFQ contemplated a two-phase evaluation. Id. at 75‑77. In the first phase, the agency would evaluate written responses and then provide an advisory notification to vendors recommending whether they should proceed to the second phase. Id. In the second phase of the evaluation, the vendors would conduct a technical demonstration and oral presentation, which the agency would evaluate in combination with price. Id. Of note, the solicitation asked vendors to provide examples of their experience with the Federal Risk and Authorization Management Program[1] (FedRAMP), and expressed a preference for FedRAMP moderate or higher experience. RFQ at 76, 83. However, the solicitation explained that vendors need not be FedRAMP authorized at time of award. See AR, Tab 4, RFQ Amendment 0004 at 30.

Following its final evaluation the agency established BPAs with three vendors: Envisage Technologies, LLC; The Educe Group, Inc.; and IBM Corporation. Meridian Knowledge Solutions, LLC, B‑420150 et al., Dec. 13, 2021, 2021 CPD ¶ 388 at 2; B‑420150, AR, Tab 32, Award Decision Document at 23. However, two of the awardees, Envisage and Educe, submitted quotations based on FSS contracts that would expire in 2022 and 2030, respectively. See Id. at 23. On August 31, 2021, the agency issued BPAs with varying periods of performance tailored to the time remaining on each awardee’s respective FSS contract. Id. Specifically, the agency issued a BPA to Envisage with a period of performance extending to October of 2022, a BPA to Educe with a period of performance extending to August of 2030, and a BPA to IBM for the full 10-year period of performance. Id.

Meridian filed a protest with our Office challenging, among other things, the agency’s decision to issue BPAs of varying lengths. B-420150 et al., Protest at 14-15. On December 13, we sustained Meridian’s protest because we concluded that issuing BPAs with varying periods of performance shorter than ten years was inconsistent with material terms of the RFQ. Meridian Knowledge Solutions, LLC, supra. We recommended that the agency either reevaluate quotations consistent with the terms of the solicitation, or, in the alternative, revise the solicitation to better reflect the agency’s needs. Id. at 11. On February 11, 2022, DHS indicated that it intended to take corrective action in response to our recommendation by terminating the BPAs and canceling the original solicitation. AR, Tab 5, Response to Sustain Recommendation at 1. The agency explained that it would reassess its needs and prepare either an amended solicitation or an entirely new solicitation. Id.

Following that notice, DHS reconsidered its requirements and concluded, in response to a series of cybersecurity incidents and related policy initiatives, that it needed to procure an LMS that met additional security requirements.[2] Memorandum of Law (MOL) at 4-7. Specifically, the agency concluded that it needed an LMS solution authorized by the FedRAMP Joint Authorization Board at the FedRAMP moderate level or higher. Id. Following additional market research, the agency conducted an analysis of alternatives and concluded that the best method for procuring the revised requirement would be an interagency agreement with OPM, which facilitates assisted acquisitions through a program called USALearning. AR, Tab 26, Analysis of Alternatives at 2-3.

OPM explains that the purpose of the USALearning program “is to leverage simplified acquisition processes and allow agencies to expeditiously acquire a myriad of support services via Intra/Interagency Agreements under the authority of the Revolving Fund (5 USC 1304(e)).” Services for Agencies – USALearning Overview, available at https://www.opm.gov/services-for-agencies/center-for-leadership-develop… usalearning/ (last visited August 19, 2022). Such services explicitly include “[c]ustomized learning management systems (LMS)” and “[l]earning content management systems (LCMS) and associated services.” Id. OPM’s USALearning program delivers services to other agencies through a single award indefinite-delivery, indefinite-quantity (IDIQ) contract in which the contractor acts as an integrator of training solutions. AR, Tab 26, Analysis of Alternatives at 2-3. Of note, the analysis of alternatives explains that OPM represented to DHS that all enterprise solutions required by DHS were within the scope of the USALearning IDIQ contract. Id. On May 17, the agency notified Meridian that it intended to procure its LMS requirements through an IAA with OPM. AR, Tab 27, Letter to Meridian of May 17, 2022.

This protest primarily challenging DHS’s cancellation of the original solicitation and decision to acquire the agency’s requirements via an IAA with OPM followed on May 24, 2022. We note that Meridian has filed two additional, separate protests challenging the procurement actions undertaken by OPM to implement the proposed IAA with DHS.

First, OPM is currently in the process of soliciting a new USALearning IDIQ contract. On June 7, Meridian protested the terms of the OPM solicitation, and our Office dismissed that protest as academic after OPM represented that it would conduct additional market research and either amend the solicitation or cancel and resolicit its requirements. Meridian Knowledge Solutions, LLC, B‑420808, B‑420808.2, July 28, 2022 (unpublished decision).

Second, on July 25, 2022, Meridian filed a separate protest alleging that OPM is improperly attempting to use the existing USALearning contract to acquire LMS services for DHS. Among other challenges, that protest alleges that OPM’s proposed procurement actions exceed the scope of the existing USALearning IDIQ contract and amount to an impermissible sole-source procurement. B-420906, Protest at 9-13. The propriety of OPM’s procurement actions, however, will be resolved in connection with that separate protest.

DISCUSSION

The protester advances numerous arguments falling into two overarching categories that we will address herein: (1) challenges to DHS’s decision to cancel the prior solicitation; and (2) challenges to DHS’s and OPM’s authority to enter into an IAA.[3] See Protest at 9-17; Comments and 1st Supp. Protest at 2-9. For the reasons that follow, we find that DHS has articulated a reasonable basis for cancelling the original solicitation because its requirements have changed, and OPM is authorized to provide the services at issue to DHS. Therefore, we find no basis on which to sustain the protest.[4]

Cancellation of the Solicitation

The protester alleges DHS’s cancellation of the RFQ was unreasonable because the agency has not identified a reasonable basis for the cancellation. Specifically, Meridian contends that the agency’s conclusion that it now requires a FedRAMP moderate solution at the time of proposal submission is unreasonable, inadequately documented, and unsupported by the record. Protest at 9‑10; Comments and 1st Supp. Protest at 11-17. In the alternative, the protester contends that the agency could have met its needs for a FedRAMP moderate solution through the existing solicitation. Comments and 1st Supp. Protest at 4-8. Finally, the protester alleges that the agency’s cancellation of the prior RFQ is, in effect, a pretext to avoid competing the requirement, exclude Meridian from the competition, and to procure LMS licenses from a specific preferred vendor. Id. at 6-8; Supp. Comments and Second Supp. Protest at 5-11.

An agency has broad authority to decide whether to cancel a solicitation, and to do so, need only establish a reasonable basis. VSE Corp., B-290452.2, Apr. 11, 2005, 2005 CPD ¶ 111 at 6. A reasonable basis to cancel exists when, for example, an agency determines that a solicitation does not accurately reflect its needs. MedVet Dev. LLC, B-406530, June 18, 2012, 2012 CPD ¶ 196 at 3. For example, cancellation of a procurement is reasonable when the agency determines that it no longer has a requirement for the item solicited, or when the agency discovers an existing contract for its requirement would be more advantageous to the government than continuing with the procurement. Lasmer Indus., Inc., B-400866.2 et al., Mar. 30, 2009, 2009 CPD ¶ 77 at 4.

However, where, as here, a protester has alleged that the agency’s rationale for cancellation is but a pretext--that the agency’s actual motivation is to avoid awarding a contract on a competitive basis or to avoid resolving a protest--we will examine the reasonableness of the agency’s actions in canceling the acquisition. Inalab Consulting, Inc.; Solutions by Design II, LLC, B-413044 et al., Aug. 4, 2016, 2016 CPD ¶ 195 at 7. Even if it can be shown that pretext may have supplied at least part of the motivation to cancel the procurement, the reasonableness standard applicable to cancellation of a solicitation remains unchanged. See Lasmer Indus., Inc., supra at 4.

Here, the agency has explained that a series of recent cybersecurity incidents, such as the SolarWinds and Microsoft Exchange breaches, caused the agency to reconsider its cybersecurity needs. MOL at 5. Additionally, the agency noted that a recent Executive Order encouraged agencies to make “bold changes and significant investments” to improve cybersecurity, and to take specific actions concerning the development of security principles for incorporating FedRAMP requirements into agency IT modernization efforts. MOL at 5 (citing Executive Order 14028, Improving the Nation’s Cybersecurity (May 12, 2021)).

Accordingly, the agency determined to seek an LMS solution that was already approved at the FedRAMP moderate level, for two reasons: 1) a FedRAMP moderate solution would provide a meaningful security benefit; and 2) using an offering that was already authorized at the FedRAMP moderate level would save significant time and resources because the security package developed to receive FedRAMP authorization can be reused by the agency in issuing its own authority to operate for the system. AR, Tab 8, Statement of DHS Chief Information Security Officer at 2-3; see also MOL at 11 (explaining that requirement for FedRAMP certification at time of proposal submission was necessitated by delays in procurement process preventing vendors from having adequate time to subsequently secure FedRAMP approval prior to replacing Meridian’s expiring incumbent BPA by September 26, 2022). The agency then identified OPM’s USALearning IDIQ contract as an existing contract vehicle that it believed could provide LMS solutions already authorized at the FedRAMP moderate level, and decided to cancel the existing RFQ in favor of an IAA with OPM. AR, Tab 26, Analysis of Alternatives at 2-3.

The protester contends the agency’s actions were nonetheless inappropriate for several reasons. First, the protester argues that the cybersecurity incidents and Executive Order cited by the agency predate the establishment of BPAs under the prior RFQ, and so cannot rationally form the basis for the agency’s change in requirements. Comments and Supp. Protest at 7-8. Second, the protester argues that the agency could meet its needs by establishing BPAs under the existing RFQ, because one of the vendors competing under the existing RFQ offered a FedRAMP moderate authorized LMS solution. Id. Finally the protester argues that the agency’s decision to cancel is, in effect, a pretext to avoid competition, exclude it from the competition, and make award to a preferred vendor. Id.; Supp. Comments and Second Supp. Protest at 4-11

Concerning the protester’s first argument, we do not agree that the timing of the incidents and Executive Order establish that the agency’s change in requirements was unreasonable. While the events in question may predate the establishment of BPAs under the prior RFQ, they post-date the issuance of the RFQ. See MOL at 5 (noting that the RFQ was issued in September of 2020, while the attacks came to the agency’s attention in December of 2020 and March of 2021, and the Executive Order was issued in May of 2021). Moreover the process of remediating and analyzing these serious incidents has been complex, involving ongoing coordination between many federal agencies and private parties over a period of years. See MOL at 5; Cybersecurity: Federal Response to SolarWinds and Microsoft Exchange Incidents, GAO-22-104746 at 1, 29-30 (Jan. 2022) (noting that, as of January of 2022, there were still response actions to be completed concerning the SolarWinds event).

Even if, however, we were to credit the protester’s arguments that DHS should have more swiftly recognized its need for enhanced cybersecurity, such an argument is irrelevant to our analysis of whether DHS has articulated a reasonable basis to cancel the solicitation; the solicitation did not accurately reflect the agency’s actual requirements. Indeed, an agency may properly cancel a solicitation no matter when the information supporting the cancellation first surfaces or should have been known, even if discovered during the course of a protest. T.W. Recycling, B-413256, Sept. 16, 2016, 2016 CPD ¶ 261 at 4; SEI Group, Inc., B‑299108, Feb. 6, 2007, 2007 CPD ¶ 35 at 3. In short, sometimes wisdom comes late, and the fact that the agency realized its needs had changed later than the protester might have preferred gives us no basis to question an otherwise reasonable change in the agency’s requirements in order to ensure adequate cybersecurity for government systems.

Similarly, the protester’s argument that the existing RFQ could meet the agency’s needs is without merit. Specifically, the protester contends that one of the original vendors that received a BPA under the RFQ offers a FedRAMP moderate authorized solution and is still eligible for award. Comments and First Supp. Protest at 6-8. The protester notes that the RFQ contemplated the establishment of more than one BPA, and therefore the agency could have met its needs for a FedRAMP moderate authorized system through a BPA with that other vendor, but then could also have established a second BPA with the protester or another vendor. Id. This argument is unpersuasive.

The agency has not articulated it’s changed requirement to be for a mix of FedRAMP moderate and other less secure LMS solutions, but rather solely for FedRAMP moderate LMS solutions. Therefore, even assuming as true the protester’s contention that it would be appropriate to re-establish a BPA with another vendor, the protester has not alleged that it could provide a FedRAMP moderate authorized LMS solution that would meet the agency’s requirements. Therefore, it is unclear how the existing RFQ could meet the agency’s needs in the way the protester suggests.[5]

The protester also argues that the agency’s cancellation of the RFQ was a pretext to avoid competing the requirement, exclude Meridian from the competition, and make award for a specific preferred vendor’s product. Comments and First Supp. Protest at 6-8; Supp. Comments and Second Supp. Protest at 5-11. While the parties vigorously contest these points, we need not resolve the question of whether pretext formed part of the basis for the agency’s decision to cancel the RFQ. Even if we accepted the protester’s allegations as true that the agency’s decision to cancel the solicitation was, in part, pretextual, our decisions have consistently concluded, that an agency may nevertheless still cancel a solicitation if it has established a reasonable basis for doing so. See Lasmer Indus., Inc., supra at 4.

That is to say, if an agency’s cancellation decision is reasonably supported by a change in the agency’s requirements or the identification of a more advantageous existing contract, the fact that the decision to cancel may also have been motivated by another inappropriate interest provides no basis to sustain a protest of the cancellation. Id.; see also Dr. Robert J. Telepak, B-247681, June 29, 1992, 92-2 CPD ¶ 4 at 4 (concluding that personal animus may have supplied at least part of the motivation for a solicitation’s cancellation, but that the cancellation was nonetheless proper because the agency’s needs had also changed). Here, we have concluded above that the agency’s decision to cancel the solicitation was reasonably related to the agency’s changed cybersecurity requirements. Accordingly, even reading the evidence in the light most favorable to the protester, we see no basis to sustain the protest here.[6]

Authority for IAA and the Economy Act

The protester alleges, in various ways, that DHS’s IAA with OPM is inappropriate or otherwise represents an inappropriate sole-source procurement. Protest at 10-13; Comments and Supp. Protest at 18-20; Supp. Comments and 2nd Supp. Protest at 7‑11. Among other arguments, the protester alleges that the statutory authority cited by the agency in support of the contemplated IAA, 5 U.S.C. § 1304, does not permit IAAs such as this one. Id. Further, the protester contends that, absent specific statutory authority, DHS can only enter into an IAA via the Economy Act and its implementing regulations, which impose specific requirements not met by DHS in this case. Id. (citing 31 U.S.C. § 1535 and FAR 17.502-2)

As a general matter, the Competition in Contracting Act, by its terms, does not require full and open competition in the case of procurement procedures “otherwise expressly authorized by statute,” and for that reason our Office has, in some cases, declined to review the propriety of IAAs. 41 U.S.C. § 3301(a); see, e.g., Ecosearch, Inc., B-232403, Sept. 2, 1988, 88-2 CPD ¶ 212 at 1 (concluding that we do not, in general, consider complaints about the propriety of IAAs). However, we have reviewed IAAs in various circumstances, such as where the performance of the agreement would involve exceeding the scope of an awarded contract, or where the statutes authorizing such agreements impose specific requirements for their use. See, e.g., Floro & Assocs., B‑285451.3, B-285451.4, Oct. 25, 2000, 2000 CPD ¶ 172 at 6-7 (concluding that an IAA otherwise authorized by law was improper where the services would be provided under an IDIQ contract, but exceeded the scope of that contract). Relevant to this protest, we have, in some cases, considered the propriety of IAAs authorized by the Economy Act, because the Economy Act imposes several specific pre-conditions for its use. See, e.g., Liebert Corp., B‑232234.5, Apr. 29, 1991, 91-1 CPD ¶ 413 (analyzing whether an agency’s use of the Economy Act for an IAA was appropriate based on the requirements of the Economy Act and related regulations).

In this case, however, DHS and OPM are not relying on the Economy Act, but rather on 5 U.S.C. § 1304(e). This provision makes a revolving fund available to OPM for:

[F]inancing investigations, training, and such other functions as the Office is authorized or required to perform on a reimbursable basis, including personnel management services performed at the request of individual agencies (which would otherwise be the responsibility of such agencies), or at the request of nonappropriated fund instrumentalities, and for the cost of audits, investigations, and oversight activities, conducted by the Inspector General of the Office, of the fund and the activities financed by the fund.

5 U.S.C. § 1304(e)(1).

The protester contends that this provision merely authorizes OPM to perform certain investigatory and oversight functions on behalf of other agencies, but does not permit OPM to procure LMS services for other agencies, such as the ones to be provided under the proposed IAA. Comments and Supp. Protest at 18-20; Supp. Comments and 2nd Supp. Protest at 7-11. Further, the protester alleges that the legislative history of the provision supports the protester’s argument that the provision is limited to various investigatory or oversight functions. Supp. Comments & 2nd Supp. Protest at 9‑10 n.6. Specifically, the protester argues the revolving fund provision was enacted in 2014 to permit the OPM Inspector General to use revolving funds for audits, investigations, and oversight activities, and the statute’s language should be read in light of that history. Id.

In this regard, the protester misconceives both the plain language of the statute and its legislative history. First, and most significantly, the statute is not in any way limited to investigatory functions. Specifically, the statute makes the revolving fund available to OPM for “investigations,” but also for “training,” as well as other personnel management services performed on a reimbursable basis at the request of other agencies. 5 U.S.C. § 1304(e)(1). The LMS services that DHS seeks to procure are unquestionably training services, and, given the significant role of training in human capital management, they are also arguably related to DHS’s management of its personnel. In our view, the statute unambiguously permits OPM to perform the kinds of activities contemplated by the IAA in this case, and this authority underpins OPM’s USALearning program, through which OPM provides training and related integration services to numerous agencies throughout the federal government.

Second, even assuming for the sake of argument that the plain language were unclear, the protester misconceives the legislative history of the provision. The protester claims that the provision was added in 2014 to permit OPM’s Inspector General to use the fund for investigation and oversight activities, but this is only a relatively recent revision to a longstanding provision that has developed over the course of approximately 70 years. See Supp. Comments and 2nd Supp. Protest at 9-10 n.6 (citing OPM IG Act, Pub. L. No. 113-80 § 2 (Feb. 12, 2014)).

The provision was first enacted in 1952 to permit OPM’s predecessor agency, the Civil Service Commission (CSC), to perform investigations for other agencies on a reimbursable basis. Third Supplemental Appropriations Act, 1952, ch. 369, § 701, 66 Stat. 101, 107 (1952) (originally codified at 5 U.S.C. § 657). However, in 1969, the provision was significantly amended to specifically permit the CSC to use the fund to provide, among other things, training courses for other agencies. Act of Dec. 30, 1969, Pub. L. No. 91-189 § 1 (1969) (codified at 5 U.S.C. 1304(e)); see also Office of Personnel Management Revolving Fund, B-206531-O.M., Sept. 12, 1986, at 1-3 (tracing development of the provision from 1952 through 1986). In 1978, following the reorganization of the CSC and the establishment of OPM, the statute was revised to transfer those authorities to OPM. Civil Service Reform Act of 1978, Pub. L. No. 95-454 § 906(a)(2). Although 5 U.S.C. § 1304(e)(1) has been further amended and expanded on several occasions, the statute has permitted OPM to use its revolving fund to provide training to other agencies for over 50 years. Accordingly, we see no basis to conclude that the legislative history of the provision provides any basis to conclude that 5 U.S.C. § 1304(e) does not authorize the IAA contemplated in this case.

In short, the contemplated IAA provides that OPM, through its USALearning IDIQ contract, will provide training and related services to DHS, and this use is consistent with OPM’s statutory authority under 5 U.S.C. § 1304(e). Accordingly, we need not reach the protester’s Economy Act arguments because the agencies do not intend to rely on the Economy Act to authorize the IAA.

The protest is denied.

Edda Emmanuelli Perez
General Counsel