SimVentions, Inc.

DOCUMENT FOR PUBLIC RELEASE
The decision issued on the date below was subject to a GAO Protective Order. The entire decision has been approved for public release.

Decision

Matter of: SimVentions, Inc.

File: B-420967; B-420967.2

Date: November 21, 2022

DIGEST

1. Protest is denied where agency’s assessment of multiple weaknesses, deficiencies, and associated risks provided a reasonable basis, consistent with the terms of the solicitation, for the agency’s determination that protester’s proposal was technically unacceptable and, therefore, ineligible for award.

2. Protester’s speculation regarding the content of the awardee’s proposal, and the agency’s evaluation thereof, fails to comply with requirement that protest grounds be factually and legally sufficient.

SimVentions, Inc., of Fredericksburg, Virginia, protests the Department of the Navy’s issuance of a task order to Peraton, Inc., pursuant to request for proposals (RFP) No. N0017822R3004, to provide cybersecurity engineering support services for Naval Surface Warfare Center activities in Virginia. SimVentions challenges various aspects of the agency’s source selection process, including the agency’s determination that SimVentions’ proposal was technically unacceptable.[1]

We deny the protest in part and dismiss it in part.

BACKGROUND

On January 6, 2022, pursuant to Federal Acquisition Regulation (FAR) subpart 16.5, the agency issued the solicitation to all contractors holding Department of the Navy, Seaport Next Generation indefinite-delivery, indefinite-quantity (IDIQ) contracts. Agency Report (AR), exh. 1, RFP at 84, 101.[2] The solicitation sought proposals to provide cybersecurity engineering support services for Naval Surface Warfare Center activities in Dahlgren and Dam Neck, Virginia; those activities are responsible for performing “research, development, Test & Evaluation (T&E), analysis, systems engineering, integration, and certification of complex naval warfare systems.” Id. at 11.

SimVentions characterizes itself as the “incumbent contractor” for these services, Protest at 2; however, the agency describes SimVentions’ prior task order as “significantly smaller” than the task order at issue here,[3] noting that multiple portions of this solicitation’s statement of work (SOW) reflect new requirements. Protest, exh. B, Written Debriefing at 24. In this context, the RFP stated:

With the growing number of breaches of tactical and non-tactical computer systems, there is an increasing need to focus on the engineering aspects of CS [cyber security]. CS continues to be approached as compliance-based and this has not addressed significant shortcomings and vulnerabilities in the security of naval warfare systems and other service warfare systems. CS requirements must be included during the design, development, and sustainment phases of systems acquisition to ensure they are secure and Cyber-resilient throughout their Life-cycle. Additionally, previously designed, and fielded systems must be evaluated on an engineering basis to determine potential changes to their design or supportability approaches.

RFP at 11.

The RFP contemplated award of a single cost-reimbursement task order, and provided for a best-value tradeoff based on the following evaluation factors: (1) technical understanding/capability/approach;[4] (2) management approach/capability/transition plan; (3) workforce; (4) past performance; and (5) total evaluated cost.[5] With regard to the evaluation factors’ relative importance, the solicitation stated that: factor 1 (technical) was slightly more important than factor 2 (management), which was slightly more important than factor 3 (workforce), which was slightly more important than factor 4 (past performance); factor 5 (cost) was not weighted; and, combined, the non-cost factors were significantly more important than cost. Id. at 103.

With regard to preparing technical proposals, the solicitation directed offerors as follows:

The Technical Volume should be specific and complete. Legibility, clarity, and coherence are very important. Your responses will be evaluated against the Technical Subfactors defined in Section M, Evaluation Factors for award. Using the instructions provided below, provide as specifically as possible the actual methodology you would use for accomplishing/satisfying these Subfactors. . . . Do not merely reiterate the objectives or reformulate the requirements specified in the solicitation.

Id. at 88.

On or before the February 22, 2022 solicitation closing date, proposals were submitted by three contractors, including Peraton and SimVentions.[6] Subsequently, Peraton’s and SimVentions’ proposals were evaluated as follows:

Protest, exh. E, SSDD at 145; Protest, exh. F, SSDD Addendum at 154.

In evaluating SimVentions’ proposal as technically unacceptable, the agency assessed 18 weaknesses and two deficiencies. Overall, the agency concluded that SimVentions’ technical proposal was “vague in many areas and appeared to indicate a lack of comprehension or understanding of the required effort,” adding that “[m]any of the responses . . . were a restatement of the Statement of Work requirements from the solicitation.” Protest, exh. E, SSDD at 146. More specifically, the agency concluded that SimVentions’ proposal was deficient under the technical scenarios subfactor.[8] Among other things, the agency noted that SimVentions’ response to one of the two scenarios “did not address the requirements for Cybersecurity Testing and Evaluation which consists of six phases”; was “scarce” in addressing CYBERSAFE practices;[9] and failed to adequately address “what role, if any, [CYBERSAFE practices] would play in the development of the Program Protection Plan [also referred to as “Criticality Analysis”].”[10] AR, exh. 3, SSEB Report at 15-16; see AR, exh. 7, CYBERSAFE Certification Standard at 15.

In addition to the deficiencies, the agency assessed 18 weaknesses in SimVentions’ proposal under the technical evaluation factor. Most of these weaknesses were based on SimVentions’ “lack of details in the technical approach and restatement of the [solicitation’s] requirements.” AR, exh. 3, SSEB Report at 6-14. For example, the Navy evaluated SimVentions’ proposal as reflecting weaknesses with regard to the solicitation requirement that offerors adequately address their approach to and understanding of: standing up servers for CS compliance tools; developing a strategic cybersecurity framework; conducting technical or automated assessments; describing steps to achieve safety recertification for systems; conducting day-to-day operation and maintenance support for cybersecurity laboratories; demonstrating a process for developing, supporting and evaluating prototypes; outlining a strategy for implementing lessons learned; demonstrating an understanding of the VRAM [vulnerability remediation asset manager] process; and demonstrating an understanding of the ship’s external communication requirements/connections. Id. In documenting its assessments, the agency noted that each of the evaluated weaknesses created increased performance risk.[11] Id. Overall, in assigning a rating of unacceptable to SimVentions’ proposal under the technical evaluation factor, the agency concluded that “[the] Risk of unsuccessful performance is unacceptable”; accordingly, based on the evaluated weaknesses, deficiencies, and accompanying risk assessments, SimVentions’ proposal was excluded from further consideration. AR, exh. 3, SSEB Report at 6; Protest, exh. E, SSDD at 146.

By letter dated August 1, SimVentions was notified that it had not been selected for award. This protest followed.[12]

DISCUSSION

SimVentions challenges various aspects of the agency’s source selection process, including assertions that the agency: unreasonably evaluated SimVentions’ proposal as technically unacceptable; failed to properly evaluate the awardee’s proposal; and improperly evaluated SimVentions’ proposal under other evaluation factors. As discussed below, we deny SimVentions’ assertion that the agency unreasonably evaluated SimVentions’ proposal as technically unacceptable and dismiss SimVentions’ remaining allegations.

Evaluation of SimVentions’ Proposal as Technically Unacceptable

First, SimVentions challenges the agency’s determination that SimVentions’ proposal was technically unacceptable, asserting that the agency’s evaluation was “irrational” and “applied unstated evaluation criteria.” Protest at 16-22. Among other things, SimVentions complains about what it describes as the agency’s “picayune” assessments which “overstate” performance risk, see Protester’s Comments at 3; asserts that each evaluated deficiency did not constitute a “material failure” to meet the RFP requirements and, therefore, each deficiency should have been classified as a “minor omission or lack of clarity warranting the assignment of, at most, a Weakness or Significant Weakness,” id. at 3-4; Protest at 16-22; and asserts that the agency’s assessment of all 18 weaknesses in SimVentions’ technical proposal was improper.[13] Protest at 22-36.

Overall, SimVentions requests that our Office determine that SimVentions’ proposed schedules were adequate; complains that other aspects of its proposal “more generally” demonstrated SimVentions understanding of the solicitation requirements; and maintains that, because the Navy “simply disagrees” with SimVentions regarding the proposal flaws, the Navy’s evaluation was unreasonable. Protest at 16-36; Protester’s Comments at 3-7.

The agency first responds that its evaluation of SimVentions’ technical proposal was reasonable and consistent with the terms of the solicitation. In this regard, the agency notes that the solicitation expressly advised offerors that their proposals must be “specific and complete”; directed them to discuss “as specifically as possible the actual methodology” they intended to use, adding that “clarity and coherence are very important”; and warned them not to “merely reiterate” the solicitation requirements. See RFP at 88. The agency further points out that the RFP defined a rating of unacceptable as “contains one or more deficiencies, and/or risk of unsuccessful performance is unacceptable”; defined risk as “the potential for . . . disruption of schedule, increased cost or degradation of performance, the need for increased Government oversight, and . . . unsuccessful contract performance”; defined a deficiency as a “material failure” to meet a solicitation requirement “or a combination of significant weaknesses . . . that increases the risk of unsuccessful performance to an unacceptable level”; and notes that the solicitation specifically warned offerors that an unacceptable rating in any factor or subfactor “will result in the entire proposal being deemed unacceptable.” Id. at 102.

More specifically, with regard to the scenario for which SimVentions’ proposal was found deficient, the agency notes that the solicitation: stated that “NSWCDD-DNA [Naval Surface Warfare Center Dahlgren Division-Dam Neck Activity] has been identified as the Cybersecurity Lead for all Combat Systems on a new ship class”; required that “[a] comprehensive Cybersecurity schedule must be developed to ensure all required Cybersecurity activities are performed”; advised offerors that “Cybersecurity activities include, but are not limited to Risk Management Framework activities, Cybersecurity Test and Evaluation, CYBERSAFE, and Program Protection Plan development;” and directed offerors to identify “any major interdependencies.” Id. at 90.

In this context, the agency maintains that it properly evaluated SimVentions’ response regarding this scenario to be deficient because SimVentions’ proposed schedule did not meaningfully address the testing and evaluation requirement, and provided inadequate information regarding CYBERSAFE practices, including a failure to discuss the role CYBERSAFE practices would play in development of the Program Protection Plan.[14] The agency also discusses and defends the agency’s assessment of the 18 weaknesses in SimVentions’ technical proposal. Memorandum of Law at 16-21; see AR, exh. 3, SSEB Report at 6-14.

Finally, the agency notes that the solicitation specifically provided for a rating of unacceptable on the basis of risk and, based on the agency’s assessment of risk associated with its proper identification of 18 weaknesses and two deficiencies under the technical evaluation factor, SimVentions’ proposal was reasonably evaluated as unacceptable.

The evaluation of technical proposals is a matter within the discretion of the contracting agency, since the agency is responsible for defining its needs and the best method for accommodating them. Cherokee Nation Tech. Solutions, LLC, B-411140, May 22, 2015, 2015 CPD ¶ 170 at 5. In reviewing an agency’s evaluation, we will not reevaluate technical proposals but, rather, will examine the agency’s evaluation to ensure that it was reasonable and consistent with the solicitation’s stated evaluation criteria and with procurement statutes and regulations; a protester’s disagreement with an agency’s judgment, without more, is insufficient to establish that an agency acted unreasonably. Id. at 5-6. Further, it is an offeror’s responsibility to submit a well-written proposal, with adequately detailed information which clearly demonstrates its compliance with the solicitation requirements and allows a meaningful review by the procuring agency. See, e.g., Innovative Pathways, LLC, B-416100.2, June 13, 2018, 2018 CPD ¶ 212 at 5; Hallmark Capital Grp., LLC, B-408661.3 et al., Mar. 31, 2014, 2014 CPD ¶ 115 at 9. Finally, although agencies are required to identify all major evaluation factors in an RFP, they need not specifically identify each and every element an agency considers during an evaluation; rather, an agency may properly take into account matters that are logically encompassed by or related to the stated evaluation criteria. E.g. Trailboss Enterprise, Inc., B-419209, Dec. 23, 2020, 2020 CPD ¶ 414 at 6; Portage, Inc., B-410702, B‑410702.4, Jan. 26, 2015, 2015 CPD ¶ 66 at 5-6.

Here, based on our review of the record, we find no basis to question the agency’s evaluation of SimVentions’ proposal as technically unacceptable. First, as noted above, the solicitation clearly advised offerors that the agency expected proposals that differed from the prior task order and expressed a particular need for an increased focus on cybersecurity issues. Among other things, the solicitation noted: the “growing number of breaches” to the agency’s computer systems; the “need to focus on the engineering aspects of [cyber security]”; and the prior “compliance-based” approach that “ha[d] not addressed significant shortcomings and vulnerabilities in the security of naval warfare systems and other service warfare systems.” RFP at 11. The solicitation further notified offerors that cyber security requirements “must be included during the design, development, and sustainment phases of systems acquisition to ensure they are secure and Cyber-resilient throughout their Life-cycle,” and added that “previously designed, and fielded system must be evaluated on an engineering basis to determine potential changes to their design or supportability approaches.” Id. Finally, in this context, the solicitation required offerors to submit a “comprehensive Cybersecurity schedule” for each RFP scenario; directed that the proposed schedule must “ensure all required Cybersecurity activities are performed” and “major interdependencies” identified; noted that required activities “include, but are not limited to, Risk Management Framework activities, Cybersecurity Test and Evaluation, CYBERSAFE, and Program Protection Plan development;” and warned that the agency would assess the “validity and thoroughness” of each offeror’s response. Id. at 89-90, 104.

Based on our review of the agency’s comprehensive evaluation of SimVentions’ proposal under the technical factor, we do not question the reasonableness of the agency’s determination that SimVentions’ proposal was technically unacceptable. Specifically, as discussed above, the agency identified two deficiencies in SimVentions’ proposal under the technical factor, concluding that the proposal failed to adequately address the solicitation requirements for testing and evaluation, and failed to adequately address its proposed CYBERSAFE practices, including a failure to adequately discuss the relationship between the CYBERSAFE program and the Program Protection Plan/Criticality Analysis. AR, exh. 3, SSEB Report at 15-16; see AR, exh. 7, CYBERSAFE Certification Standard at 15.

Additionally, the agency assessed and documented multiple weaknesses in SimVentions’ technical proposal, noting that the proposal was “vague in many areas and appeared to indicate a lack of comprehension or understanding of the required effort,” adding that “[m]any of the responses . . . were a restatement of the Statement of Work requirements from the solicitation.” Finally, the agency performed risk assessments with regard to each evaluated weakness and deficiency, concluding that the risk associated with SimVentions’ technical proposal was unacceptable. While SimVentions complains that the agency’s assessments were “picayune,” “overstate[d]” performance risk, or merely reflected SimVentions’ “clerical errors” (acknowledging that the proposal included “a few incorrect policy and guidance document references”), see Protester Comments at 3; Protest at 18-19, our review of the evaluation record leads us to conclude that the agency’s assessment of deficiencies, weaknesses, and associated risk was reasonable and consistent with the terms of the solicitation. SimVentions’ assertion that the agency improperly evaluated SimVentions’ proposal as technically unacceptable is denied.

Other Allegations

SimVentions also asserts that the agency improperly evaluated the awardee’s proposal, speculating that Peraton’s proposed staffing and its proposed costs were unrealistic or otherwise failed to comply with the solicitation requirements. Protest at 39-40, 43-50. SimVentions asserts that “as the incumbent contractor . . . SimVentions is uniquely positioned to understand the requirements as well as the cost associated with fulfilling the Navy’s needs.” Id. at 2.

Our Bid Protest Regulations require protesters to present protest grounds that are factually and legally sufficient. 4 C.F.R. § 21.1(c)(4) and (f); see also System Dynamics Int’l, Inc.--Recon., B-253957.4, Apr. 12, 1994, 94-1 CPD ¶ 251 at 4. More specifically, where a protester’s allegations are based on unsupported allegations or speculation, we will summarily dismiss a protest without requiring the agency to submit a report. Id. In this regard, our bid protest procedures do not permit a protester to embark on a fishing expedition for protest grounds merely because it is dissatisfied with the agency’s source selection decision. See, e.g., Alascom, Inc. – Second Recon., B‑250407.4, May 26, 1993, 93-1 CPD ¶ 411 at 4.

Here, SimVentions’ allegations regarding the content of the awardee’s proposal and the agency’s evaluation thereof are based on the fact that Peraton’s total evaluated cost was lower than SimVentions’ proposed cost--along with SimVentions’ perception that, as the “incumbent contractor,” it was “uniquely positioned” to understand the solicitation requirements and associated costs. SimVentions’ speculation and assumptions regarding the content of Peraton’s proposal and the agency’s evaluation thereof are insufficient to form a basis for protest. 4 C.F.R. § 21.1(c)(4) and (f); System Dynamics Int’l, Inc.--Recon., supra. Accordingly, those allegations are dismissed.[15]

The protest is denied in part and dismissed in part.

Edda Emmanuelli Perez
General Counsel