InnoVet Technologies, LLC

Decision

Matter of: InnoVet Technologies, LLC

File: B-423306.20

Date: June 16, 2026

Darrell Hernandez for the protester.
Jennifer L. Howard, Esq., and Stephen T. O'Neal, Esq., National Aeronautics and Space Administration, for the agency.
Jacob M. Talcott, Esq., and Heather Weiner, Esq., Office of the General Counsel, GAO, participated in the preparation of the decision.

DIGEST

Protest is denied where agency reasonably eliminated protester's proposal from award consideration because the proposal failed to include information required by solicitation.

DECISION

InnoVet Technologies, LLC, a small business of Frederick, Maryland, protests the elimination of its proposal from the competition under request for proposals (RFP) No. 80TECH24R0001, issued by the National Aeronautics and Space Administration (NASA), for information technology (IT) products, cloud solutions, cybersecurity, and related services. The protester contends that the agency unreasonably eliminated its proposal from the competition.

We deny the protest.

BACKGROUND

NASA issued the solicitation on May 23, 2024, in accordance with Federal Acquisition Regulation (FAR) part 15, seeking to award the sixth generation of the solutions for enterprise-wide procurement (SEWP VI) government-wide acquisition contract vehicle for IT products and services.[1] The solicitation will result in multiple government-wide indefinite‑delivery, indefinite‑quantity contracts under which fixed-price, time-and-materials, labor‑hour, fixed-price award fee, fixed-price incentive fee, and fixed-price economic price adjustment task orders can be issued. RFP at 40. The solicitation contemplates awarding contracts to all qualifying offerors for an ordering period of 10 years. Id. at 40, 117. The maximum ordering value is $20 billion. Id. at 44.

The solicitation advised that contracts will be awarded for three categories;[2] each category is self-contained with its own separate fulfillment requirements, proposal submission requirements, and evaluation criteria. Id. at 25-39. This protest concerns category B, enterprise-wide ITC/AV service solutions, and category C, ITC/AV mission‑based services. Protest at 8. The due date for receipt of category B and C proposals was February 24, 2025. COS at 2.

NASA is conducting this procurement in three phases. RFP at 117. Upon the completion of each phase of the evaluation, the agency will notify the offeror whether its proposal was selected to proceed to the next phase of the competition or eliminated from the competition. Id. at 118. Offerors were required to submit their proposals in the following three volumes: offer volume, past performance volume, and mission suitability volume. Id. at 96. As relevant here, the mission suitability volume, which was evaluated during phase three, consisted of the mission suitability factor and included two subfactors--the technical approach subfactor and the management approach subfactor.[3] Id. at 114-115.

Pertinent to this protest, for the management approach subfactor, offerors were to provide a narrative describing their corporate processes and resources regarding the corporate risks associated with cybersecurity supply chain risk management (C-SCRM) and IT security of contractor acquired property; “ie., ancillary products required for performance and fulfillment of task orders including appropriate security controls based on the most current Government and Industry standards such as CNSSI 1253, NIST SP 800-53, NIST SP 800-161, NIST SP 800-171.” Id. at 115. In the narrative, offerors also were to provide information related to how the offeror is participating in SCRM and/or IT security activities, or at a minimum provide details regarding how the offeror is kept abreast of and is addressing key SCRM and/or IT security practices. Id. Additionally, the solicitation specified that offerors shall either fill out a C‑SCRM attestation form, attached as exhibit 5 to the RFP, or provide a copy of a valid active open trusted technology provider standard (O-TTPS) certification to attest to meeting the ISO 20243 standard. Id.

As relevant here, the solicitation provided that the agency would evaluate the management approach subfactor of the mission suitability factor to assess the offeror's understanding and demonstration of their ability to successfully perform the management requirements as specified in the RFP. Id. at 123. The RFP provided that the agency would evaluate proposals under the mission suitability factor and subfactors on a pass/fail basis, with proposals receiving a rating of either satisfactory confidence or no confidence. Id. The solicitation specified that an offeror must receive an overall confidence rating of satisfactory under the mission suitability factor to receive an award, RFP at 117, and explained that “[r]eceiving a ‘[n]o [c]onfidence' rating in either [m]ission [s]uitability subfactors ([t]echnical [a]pproach or [m]anagement [a]pproach) . . . will result in a ‘[n]o [c]onfidence' rating” and that the offeror “must receive a rating of ‘[s]atisfactory [c]onfidence' in both subfactors to have an overall [m]ission [s]uitability [r]ating of ‘[s]atisfactory [c]onfidence.'” Id. at 123. The RFP also provided that “[o]fferors must respond to all factors, sub-factors, and points of the [m]ission [s]uitability [v]olume” and that a “non-response by an [o]fferor to any part of this [s]ection will result in the [o]fferor being no longer eligible for award.” RFP at 114. In addition, the solicitation provided that any proposal that deviated from, or took exception to, any of the instructions of the solicitation would be eliminated from the competition. Id. at 117.

InnoVet timely submitted two proposals, one for category B and one for category C. COS at 6. In evaluating both of InnoVet's proposals, the agency noted that the submissions did not include a narrative description of their corporate processes and resources regarding corporate risks associated with SCRM and/or IT security of contractor acquired property. AR, Tab 21, Category B Down‑Select Notice at 1‑2; AR, Tab 22, Category C Down-Select Notice at 1‑2. The agency also noted that InnoVet's proposals did not explain how it would address key SCRM and/or IT security practices. AR, Tab 21, Category B Down‑Select Notice at 1‑2; AR, Tab 22, Category C Down‑Select Notice at 1‑2. The agency explained that, given this lack of required information, it assigned InnoVet's two proposals ratings of no confidence. AR, Tab 21, Category B Down‑Select Notice at 1‑2; AR, Tab 22, Category C Down-Select Notice at 1‑2. Because the solicitation required proposals to receive a rating of satisfactory confidence to be eligible for award, RFP at 117, the agency eliminated InnoVet's proposals from the competition. AR, Tab 21, Category B Down‑Select Notice at 2; AR, Tab 22, Category C Down-Select Notice at 2.

The agency informed InnoVet of the elimination of its proposals from categories B and C on March 20, 2026, and stated that the notice constituted the agency's written debriefing in accordance with FAR part 15. AR, Tab 21, Category B Down‑Select Notice at 1; AR, Tab 22, Category C Down-Select Notice at 1. This protest followed.

DISCUSSION

InnoVet argues that the agency unreasonably eliminated its proposals from the competition due to its failure to provide a narrative under the management approach subfactor that described, among other things, its corporate processes and resources regarding risks associated with SCRM and/or IT security of contractor acquired property. Protest at 3. According to InnoVet, even though it did not provide a narrative to describe these processes under the management approach subfactor, other areas of its proposals, such as its C-SCRM attestation form and technical approach narrative, sufficiently demonstrated InnoVet's understanding of these processes, and therefore, satisfied the requirement that it describe its corporate processes and resources regarding corporate risks associated with SCRM and/or IT security of contractor acquired property. Protest at 3. For reasons discussed below, we find no merit to the protester's arguments and deny the protest.[4]

In reviewing a protest challenging an agency's evaluation, our Office will not reevaluate proposals or substitute our judgment for that of the agency, as the evaluation of proposals is a matter within the agency's discretion. See SDS Int'l, Inc., B-291183.4, B‑291183.5, Apr. 28, 2003, at 5‑6. Rather, we will review the record to determine whether the agency' s evaluation was reasonable and consistent with the stated evaluation criteria and applicable procurement statutes and regulations. MVM, Inc., B‑407779, B‑407779.2, Feb. 21, 2013, at 6. In a negotiated procurement, a proposal that fails to conform to the material terms and conditions of the solicitation is considered unacceptable and may not form the basis for award. Wolverine Servs. LLC, B‑409906.3, B-409906.5, Oct. 14, 2014, at 3-4. An offeror bears the burden of submitting an adequately written proposal that contains all the information required under a solicitation. Business Integra, Inc., B-407273.22, Feb. 27, 2014, at 3. Where a proposal omits, inadequately addresses, or fails to clearly convey required information, the offeror runs the risk of an adverse agency evaluation. Distributed Sols., Inc., B‑416394, Aug. 13, 2018, at 4. A protester's disagreement with the agency's judgment, without more, is insufficient to establish that an evaluation was unreasonable. MVM, Inc., supra at 5-6.

InnoVet argues that the agency unreasonably eliminated its proposals for failing to provide a description of its corporate processes and resources with respect to SCRM and IT security. Protest at 2‑3. In lieu of providing this description as required by the solicitation, InnoVet argues that a “reasonable evaluator” should have considered its C‑SCRM attestation form as a sufficient demonstration of its SCRM capabilities “even absent a separately labeled narrative section” because, on the form, InnoVet answered “yes” to “every security control question, certifying compliance with access controls, network segmentation, vulnerability scanning, malicious code protection, and media sanitization,” which in InnoVet's view, is “precisely the corporate processes and resources contemplated by [the RFP].” Id. at 3. InnoVet also argues that in addressing the technical approach subfactor, its proposals “contained multiple pages of substantive cybersecurity and supply chain security content . . . that directly addresses the SCRM and IT [s]ecurity concepts.” Id.

The agency responds that neither the C-SCRM attestation form nor the technical approach narrative sufficiently addressed the requirements. Memorandum of Law (MOL) at 8. Concerning the C‑SCRM attestation form, the agency asserts that this form did not discuss, nor does InnoVet allege that it discussed, IT security of contractor acquired property, how the offeror would participate in SCRM and IT security activities, or how the offeror would be kept abreast of key SCRM and IT practices, as required by the management approach subfactor. Id. at 10; COS at 8. The agency also contends that the technical approach narrative similarly failed to satisfy the requirements of the management approach subfactor. MOL at 8; COS at 7. Specifically, the agency points out that the technical approach narrative addressed how InnoVet would support NASA's cybersecurity requirements but did not address how InnoVet manages its own corporate cybersecurity risks and processes as required for the management approach narrative. MOL at 8; COS at 7.

Based on our review of the record, we have no basis to object to the agency's evaluation. The solicitation required offerors to include a narrative describing their corporate processes and resources regarding the corporate risks associated with SCRM and the security of contractor acquired property, as well as providing information related to how the offeror is participating in SCRM and/or IT security activities. RFP at 115. The solicitation also provided that any proposal that deviated from, or took exception to, any of the instructions of the solicitation would be eliminated from the competition. Id. at 117; see also id. at 114 (“O]fferors must respond to all factors, sub-factors, and points of the [m]ission [s]uitability [v]olume. A “non-response by an [o]fferor to any part of this [s]ection will result in the [o]fferor being no longer eligible for award.”).

There is no dispute that InnoVet's proposals failed to provide a narrative description under the management approach subfactor describing its corporate processes and resources regarding corporate risks associated with SCRM or IT security of contractor acquired property, or how InnoVet would address key SCRM and/or IT security practices. See Protest at 4 (acknowledging that InnoVet's proposals failed to provide a “separately labeled narrative section” under the management approach subfactor). While InnoVet points to other areas of its proposal--i.e., the C‑SCRM attestation form and the narrative text for the technical approach subfactor--as sufficiently addressing the requirements for the management approach subfactor, as noted above, the agency explains that neither adequately satisfies the RFP's requirements. COS at 7. In this regard, as the agency notes, the RFP required that the management approach subfactor narrative describe the offeror's own corporate processes with respect to SCRM and IT security, RFP at 115, but such a description was not required for either the technical approach subfactor narrative or the C-SCRM attestation form, and InnoVet has not demonstrated or even asserted that such information is included in these aspects of InnoVet's proposal. See COS at 8 (explaining that the C-SCRM attestation form “requested offerors to demonstrate via a Yes/No response, their adherence to a set of cybersecurity guidelines,” but that InnoVet's responses on this form “do not address: ‘corporate risks associated with SCRM and/or IT Security of contractor acquired property;' nor ‘how the Offeror is kept abreast of and is addressing key SCRM and/or IT Security practices.'”); id. (explaining that the discussion provided in response to the technical approach subfactor concerns “how the offeror will provide NASA with cybersecurity services” and is not equivalent to addressing “how the offeror's corporate processes and resources support the management related corporate cybersecurity risks,” which is what was required to be addressed under the management approach subfactor).

As referenced above, an offeror bears the burden of submitting an adequately written proposal that contains all the information required under a solicitation. Business Integra, Inc., supra. Here, InnoVet failed to include a narrative description under the management approach subfactor of its proposals describing InnoVet's corporate processes and resources regarding corporate risks associated with SCRM or IT security of contractor acquired property, or how InnoVet would address key SCRM and/or IT security practices, and the protester has not demonstrated that this information was otherwise included in other parts of its proposals. Accordingly, we find nothing unreasonable regarding the agency's assessment of ratings of no confidence to InnoVet's proposals under the management approach subfactor, and elimination of InnoVet's proposals from the competition.

The protest is denied.

Edda Emmanuelli Perez
General Counsel