B&M Consulting Group, Inc.

DOCUMENT FOR PUBLIC RELEASE
The decision issued on the date below was subject to a GAO Protective Order. This redacted version has been approved for public release.

Decision

Matter of: B&M Consulting Group, Inc.

File: B-420450.2

Date: June 29, 2022

DIGEST

Protest that the agency unreasonably evaluated the protester’s quotation as technically unacceptable is denied where the record shows the evaluation was reasonable in light of the protester’s failure to submit an adequately written quotation.

B&M Consulting Group, Inc., a small business of Rockville, Maryland, protests the issuance of a task order to Iron Vine Security, LLC, a small business of Washington, D.C., under request for quotations (RFQ) No. 2031JW22Q00022, issued by the Department of Treasury, Office of the Comptroller of the Currency (OCC), for cybersecurity support services. B&M, the incumbent contractor, contends that the agency unreasonably evaluated its quotation as technically unacceptable and conducted a flawed best-value tradeoff analysis.

We deny the protest.

BACKGROUND

The RFQ was issued on October 6, 2021, pursuant to Federal Acquisition Regulation (FAR) part 12 and subpart 8.4, to vendors holding General Services Administration multiple award schedule Information Technology-IT Services, Special Item Number (SIN) 5451HACS, Highly Adaptive Cybersecurity Services contracts, to obtain comprehensive cybersecurity support services. Agency Report (AR), Exh. B, RFQ, amend. 1 at 51.[1] The services were to assist with the agency’s Cybersecurity Assurance & Compliance program, which provides agency-level oversight to ensure compliance with the Risk Management Framework (RMF), audit liaison, and execution of assessment and authorization steps of the RMF. Id. at 5. The contractor was to provide a wide range of technical, administrative, and managerial support to the program to ensure the effectiveness of OCC’s cybersecurity protocols and compliance with various privacy laws. Id. The RFQ contemplated the issuance of a fixed-price task order to be performed over a 1-year base period, four 1-year option periods, and one 6-month option period. Id. at 2-4, 55.

Award was to be made to the quotation offering the best value to the government as determined by a tradeoff considering the following factors, listed in descending order of importance: technical/management approach; key personnel resumes; past performance; and price. Id. at 55. As relevant here, under the key personnel resumes factor, the resumes would be evaluated to determine if the individuals met or exceeded the minimum qualifications set forth in the RFQ’s statement of work. Id. As relevant here, and among other things, the tier 2 Enterprise Governance, Risk, and Compliance System (eGRC) specialist was required to have at least 2 years of experience with ITILv3 service management processes in the last 3 years, id. at 23, and the project manager was required to have at least 8 years of experience in program and project management supporting information security or cybersecurity projects for the federal government. Id. at 22.

The agency received eight quotations by the submission due date, including those from B&M and Iron Vine. AR, Exh. H, Award Determination at 2. The agency made award to Iron Vine on December 28 and notified B&M on January 6, 2022. Id. B&M filed a protest with our Office the same day. The agency subsequently advised our Office of its intent to take corrective action, which included reevaluating quotations, and as a result, we dismissed the protest as academic on February 10. B&M Consulting Group, Inc., B‑420450.1, Feb. 10, 2022 (unpublished decision). The agency reevaluated the quotations of B&M and Iron Vine quotations, with the following results:

AR, Exh. H, Award Determination at 4.

The source selection authority (SSA) assigned B&M’s quotation a rating of low under the key personnel resumes factor because the agency found that two of the firm’s key personnel--the tier 2 eGRC specialist and the project manager--failed to meet the solicitation’s minimum requirements. AR, Exh. G, SSA Evaluation at 4. The SSA noted that the specialist’s resume did not include any indication that he had the requisite 2 years’ experience with ITILv3 service management processes within the last three years, and the project manager’s resume did not clearly state whether the individual had the requisite 8 years’ experience in project management supporting information security or cybersecurity projects for the federal government. Id. at 4-7. As a result, the SSA concluded that B&M’s quotation was technically unacceptable and ineligible for award. Id. at 8. All quotations except Iron Vine’s were found technically unacceptable, and the agency reaffirmed award to Iron Vine on March 17. This protest followed.

DISCUSSION

B&M argues that the agency unreasonably evaluated its technical quotation as unacceptable under the key personnel resumes factor because it provided resumes that met the solicitation’s requirements.[2] Where an agency issues a solicitation to Federal Supply Schedule (FSS) contractors under FAR subpart 8.4 and conducts a competition, we will review the record to ensure that the evaluation was reasonable and consistent with the terms of the solicitation. Kearney & Company, PC, B-420331, B-420331.2, Feb. 4, 2022, 2022 CPD ¶ 56 at 5. In reviewing a protest challenging an agency’s technical evaluation, our Office will not reevaluate quotations. Id. Rather, we will examine the record to determine whether the agency’s evaluation was reasonable and consistent with the terms of the solicitation and applicable procurement statutes and regulations. Id.

As described above, the SSA concluded that B&M’s proposed tier 2 eGRC specialist and its project manager did not meet the minimum solicitation requirements for these key personnel positions. With respect to the requirement for a tier 2 eGRC specialist, the solicitation required that the contractor provide this support to assist with the process of moving OCC from its current governance processes and tools to the ServiceNow Governance, Risk, and Compliance tool suite, and maintain and manage the suite. RFQ at 11-12. One requirement for this position was “[a]t least 2 years of experience with ITILv3 Service Management processes in the last three years.” Id. at 23.

After reviewing the resume of B&M’s tier 2 eGRC specialist, the SSA determined that, while B&M’s quotation provided a table listing all the requirements for this position and affirming that each was met, the specialist’s resume said nothing about having ITILv3 service management processes experience. AR, Exh. F, B&M’s Technical Quotation at 28-30; AR, Exh. G, SSA Evaluation at 7-8. On this basis, the SSA concluded that the specialist’s resume did not meet the requirement. AR, Exh. G, SSA Evaluation at 7-8. The protester argues that the specialist’s resume provides experience with ServiceNow ITSM, which necessarily includes experience with ITILv3 Service Management processes. Comments at 6.

B&M’s quotation, however, makes no mention of this experience, and our review of the record confirms that the specialist’s resume does not list any experience with ITILv3 service management processes. AR, Exh. F, B&M’s Technical Quotation at 28-30. We note that the solicitation explicitly stated that ITILv3 service management processes experience was required to be part of a vendor’s quotation. AR, Exh. B, RFQ, amend. 1 at 23. As it is a vendor’s burden in a competitive FSS procurement to submit a quotation that is adequately written and establishes the merits of its quotation, Kearney, supra at 10, we conclude that the agency reasonably determined that the specialist’s resume failed to meet the solicitation’s requirements here.

Regarding the project manager position, the solicitation required that the individual have at least 8 years of experience in “program and project management supporting information security or cybersecurity projects for the federal government.” RFQ at 22. The SSA reviewed the resume of B&M’s proposed project manager and noted that the description of each listed position contained paragraphs describing both project management and non-project management tasks, some relating to information security or cybersecurity, without consistently delineating which tasks were performed for federal agencies or for how long. AR, Exh. G, SSA Evaluation at 4-6; AR, Exh. F, B&M’s Technical Quotation at 20-22. As a result, the SSA concluded that it was impossible to determine that the project manager had at least 8 years of experience performing qualified work. Id.

The protester argues that the project manager’s resume clearly demonstrates experience that exceeds the requirements of the solicitation and references two positions that, with the years of experience combined, exceed 8 years. Comments at 5. The protester first points to the project manager’s current position as a project manager for B&M which she has held for 5 years, since 2017. AR, Exh. F, B&M’s Technical Quotation at 21-22. The protester then points to a position the project manager held as a project manager with a corporation for 6 years between 1997 and 2003. Id.

With respect to the manager’s current position as the Cybersecurity Program Manager for B&M, the resume provides several long paragraphs listing a wide-range of project management and non-project management tasks, some of which are related to information security or cybersecurity. AR, Exh. G., SSA Evaluation, at 3-4; Exh. F, B&M’s Technical Quotation at 21. Here, the SSA noted that the resume lists several agencies with this position, but does not consistently explain which tasks were performed for which agencies, i.e., whether they were the project management or non-project management tasks, or if work was performed for only the federal agencies or other entities as well, or specific timeframes. Id.; AR, Exh. G, SSA Evaluation at 5. The SSA also noted that in a few instances where the resume mentions work performed for an agency, the resume references non-project management tasks. Id. The protester did not rebut the agency’s specific arguments about the ambiguity of the resume; rather, the protester generally reiterated its position that the individual’s experience in the current position and all the experience provided in the resume exceeds the requirement. Comments at 5.

With respect to the position held between 1997 and 2003, the resume states that the manager “Managed a 13-person [Independent Verification and Validation] team for a Federal Agency,” and then goes on to list various project management tasks. AR, Exh. F, B&M’s Technical Quotation at 22. The SSA noted that while this position demonstrated qualifying work, it was not clear whether this work was performed for a federal agency during the manager’s entire tenure or if the manager worked for other entities as well. Id.; AR, Exh. G, SSA Evaluation at 6. Again, the protester did not address the SSA’s concern over the lack of clarity, and asserted only that dates regarding when work was performed was not required or relevant. Comments at 5. While the project manager’s resume demonstrates some qualifying work and there was no requirement to provide specific dates regarding when work was performed, vendor’s were required to demonstrate 8 years of relevant experience and the protester has not shown that the SSA’s concerns over the ambiguity in the resume was unreasonable.

Moreover, the project manager’s resume lists the individual’s previous position as the Principal Consultant for a specific corporation from 2005 to 2017. AR, Exh. F, B&M’s Technical Quotation at 21-22. The SSA noted that the only relevant experience amid the three paragraphs describing this position was one sentence mentioning work performed for the Federal Reserve Bank, but it was not stated how long this work was performed. AR, Exh. G, SSA Evaluation at 5-6; AR, Exh. F, B&M’s Technical Quotation at 22. The resume makes one other fragmented reference to work performed for a federal agency: “Managed a project to develop templates, standard operating procedures, project management plans, and presentations for a Federal cybersecurity office.” AR, Exh. F, B&M’s Technical Quotation at 21. The SSA noted that while this work was related to cybersecurity, it “is more in line with a technical writer role than a project manager.” AR, Exh. G, SSA Evaluation at 5. The resume did not state whether the bulk of the remaining experience was performed for these agencies or for other entities.

The lack of clarity in the resume with respect to the timeframes and tasks performed makes it impossible to determine that the requirements were met, and as we have stated, it is a vendor’s responsibility to submit an adequately written quotation that demonstrates compliance with the solicitation’s requirements. Kearney, supra. Therefore, we conclude, the agency reasonably determined that B&M’s quotation did not meet the solicitation’s requirements.

Lastly, B&M argues that the flaws it asserted were present in the agency’s evaluation necessarily render the agency’s best-value determination flawed. As we have denied or otherwise dismissed B&M’s challenges to the agency’s evaluation, this derivative challenge to the best-value determination does not afford a basis to sustain the protest. DCR Services & Construction, Inc., B-420179.2, B-420179.3, April 28, 2022, 2022 CPD ¶ 109 at 8 n.6.

The protest is denied.

Edda Emmanuelli Perez
General Counsel