security

Koniag Technology Solutions, LLC | U.S. GAO – Government Accountability Office


DOCUMENT FOR PUBLIC RELEASE
The decision issued on the date below was subject to a GAO Protective Order. This redacted version has been approved for public release.

Decision

Matter of: Koniag Technology Solutions, LLC

File: B-421758; B-421758.2

Date: October 3, 2023

Devon E. Hewitt, Esq., Potomac Law Group, PLLC, for the protester.
Andrew J. Smith, Esq., Jill B. Wiley, Esq., Nhu T. Tran, Esq., and Natalie W. McKiernan, Esq., Department of the Army, for the agency.
Christine Milne, Esq., Todd C. Culliton, Esq., and Scott H. Riback, Esq., Office of the General Counsel, GAO, participated in the preparation of the decision.

DIGEST

Protest challenging agency’s evaluation of protester’s proposal and its elimination from the competitive range is denied where the record shows that the agency’s actions were reasonable and consistent with the terms of the solicitation and applicable statutes and regulations.

Koniag Management Solutions, LLC (KMS), a small business of Chantilly, Virginia, protests its exclusion from the competitive range under request for proposals (RFP) No. W9124923R0002, issued by the Department of the Army for information technology (IT) support services. KMS asserts that the agency unreasonably evaluated its proposal and improperly eliminated it from the competitive range.

We deny the protest.

BACKGROUND

The RFP is for a wide range of IT support services, including cyber security services, for the Army Mission and Installation Contracting Command’s Cyber Center of Excellence (CCoE) at Fort Gordon in Richmond County, Georgia. RFP at 1, 28, 65.[1] The CCoE provides training, education, and development for warfare professionals. RFP at 28.

The solicitation contemplates the award of a fixed-price contract to be performed over a 1-month phase-in period, an 11-month base period, four 1-year option periods, and an additional 6-month option period. RFP at 65-66. Award is to be made on a best-value tradeoff basis considering the following evaluation factors: staffing and management approach; technical approach; past performance; and price.[2] Id. at 75-76. The staffing and management approach factor was deemed significantly more important than the technical approach and past performance factors, which were deemed equal in importance. Id. at 76. When combined, the non-price factors were deemed significantly more important than price. Id.

As relevant here, the instructions for preparing the technical approach volume directed offerors to provide a narrative of their proposed methodology for performing three task areas: cyber virtual training area; information technical project management; and cyber security services. RFP at 70. In their proposed methodology narrative, offerors were required to demonstrate a clear understanding of the three task areas, and the capability to perform them successfully. Id.

The evaluation criteria for the technical approach factor provided that each offeror’s technical approach would be evaluated to determine if the proposal demonstrated a clear understanding of the nature and scope of the required work, and the capability to perform the requirements specified in the three task areas. RFP at 77. One of the three task areas included all cyber security services detailed in performance work statement paragraph 5.3 and its sub paragraphs. Id. at 77. Among other things, the cyber security services requirements included a requirement relating to a virtual technology called “OpenStack.”[3] Id. at 49. The agency added OpenStack to the solicitation in amendment 0005 and highlighted OpenStack in yellow to draw offerors’ attention to it. AR, Tab 8, RFP, amend. 0005 at 30, 32. The solicitation also advised that an offeror could be deemed ineligible for award if its proposal failed to comply with the material requirements of the solicitation. RFP at 76.

[DELETED] offerors, including KMS, submitted proposals in response to the solicitation. The agency assigned KMS’s proposal the following ratings: outstanding under the staffing and management approach factor; unacceptable under the technical approach factor; and substantial confidence under the past performance factor. AR, Exh. 17, Source Selection Evaluation Board Consensus Report at 12. The evaluators determined that KMS’s proposal failed to address the implementation or support of the OpenStack infrastructure, as outlined in the solicitation. Id. at 10-11. On that basis, the evaluators assigned the KMS proposal a deficiency, which formed the underlying basis for the assignment of the unacceptable rating. Id.

The source selection authority (SSA) considered the results of the technical evaluation, and then established a competitive range. In considering KMS’s proposal, the SSA noted KMS’s high ratings under the staffing and management approach, and past performance factors, and also noted that KMS’s total evaluated price of $71,337,135, was determined to be fair and reasonable. AR, Exh. 18, Competitive Range Determination at 10. However, the SSA also noted that KMS’s failure to address the implementation or support of OpenStack demonstrated an inadequate understanding of the requirements under the technical approach factor, which resulted in there being an unacceptable performance risk associated with its proposal. Id. at 10-11. In addition, the SSA determined that KMS’s proposal would require significant revisions to be eligible for award, and concluded that permitting such revisions would be inefficient. Id. For these reasons, the agency excluded KMS’s proposal from the competitive range. Id. at 16.

Readers Also Like:  Report: Cloud Security Isn't On Par With Cloud Migrations - TechDecisions

By letter dated June 7, 2023, the agency advised KMS that its proposal had been excluded from the competitive range. After requesting and receiving a debriefing, KMS filed the instant protest.

DISCUSSION

KMS raises multiple challenges to the evaluation of its proposal under the technical approach factor, and also challenges the agency’s decision to eliminate its proposal from the competitive range. We have reviewed all of KMS’s allegations, and find that none provides us with a basis to sustain the protest.[4] We note at the outset that, in reviewing a protest challenging an agency’s evaluation of proposals, our Office does not reevaluate proposals, or substitute our judgment for that of the agency, as the evaluation of proposals is a matter within the agency’s discretion. 22nd Century Technologies, Inc., B‑413210, B-413210.2, Sep. 2, 2016, 2016 CPD ¶ 306 at 8. Rather, we review the record only to determine whether the agency’s evaluation was reasonable and consistent with the terms of the solicitation and applicable procurement statutes and regulations. Id.

KMS asserts that the agency unreasonably evaluated its proposal as technically unacceptable for failing to provide an approach to managing and administering OpenStack. KMS contends that the RFP did not require offerors to address OpenStack specifically but, rather, only required offerors to address how they would manage and administer virtual technologies generally.

We find no merit to this aspect of KMS’s protest. The RFP provided, in relevant part, that “[t]he Contractor shall provide Cyber Security expertise, including . . . management, and administration of IT systems including virtualized infrastructures and systems (ex. VMWare and Virtual Technologies and OpenStack).” RFP at 49. The RFP also advised that both VMWare and OpenStack are technologies currently forming part of the agency’s existing multi-OS environment supporting its cyber security services function. Id. at 47.

KMS’s technical approach proposal included a chart detailing its cyber security support services. AR, Exh. 13, KMS Proposal, Vol. II, Technical Approach at 12-13. This chart makes only a single, passing reference to “OpenStack,” providing as follows: “Administration of virtualized infrastructures and systems (ex. VMWare and Virtual Technologies and OpenStack).” Id. The chart goes on to provide some additional detail, as follows:

[DELETED]

Id. KMS’s proposal makes no other mention of OpenStack.

We have no basis to object to the agency’s evaluation. As noted, the RFP required offerors to address all of the solicitation’s requirements and specifically directed offerors to address all cyber security requirements, including those associated with OpenStack. RFP at 49. Both the instructions to offerors–as well as the technical approach evaluation factor–specifically advised that offerors were required to provide a narrative of their proposed methodology for meeting all solicitation requirements that adequately addressed all cyber security requirements, and that their proposals would be evaluated to determine whether such a narrative was provided. Id. at 70, 77. Thus, evaluating offerors’ plans for managing and administering OpenStack was reasonably encompassed by the terms of the solicitation. See Burchick Construction Company, Inc., B-417310.3, Jan. 27, 2020, 2020 CPD ¶ 60 at 7.

As noted above, a review of KMS’s proposal confirms that the firm did not include any narrative description of its approach to managing and administering OpenStack, providing instead only a brief explanation regarding its approach to managing VMWare. We therefore conclude that the Army reasonably evaluated KMS’s proposal because it simply failed to describe in any way how it would manage and administer OpenStack.

KMS suggests that offerors were not required to address OpenStack specifically. KMS asserts that OpenStack was only identified as an example of virtual technologies. In support of its position, KMS notes that the RFP included the terms “ex.” and “Virtual Technologies,” RFP at 49, which KMS claims denotes that the agency was making only a generic reference to virtual technologies, and that OpenStack is listed only as an example of such technologies.

Readers Also Like:  Boeing, Lockheed Martin, and RTX Showcase Innovations at the ... - BlackEngineer.com

We disagree because we do not find the protester’s interpretation to be reasonable. To reiterate, the RFP instructed offerors to demonstrate a clear understanding of the agency’s cyber security services function, and how they could capably assist in the administration of the cyber security program. RFP at 70. Further, the RFP advised that both VMWare and OpenStack are technologies currently forming part of the agency’s existing multi-OS environment and supporting its cyber security services function. Id. at 47. Thus, even though KMS may narrowly focus on a specific PWS provision that refers to both VMWare and OpenStack as examples of virtualized technologies, we agree with the agency that the solicitation, when read as a whole, required offerors to address both systems. Considering the terms “ex.” and “virtual technologies” as indicating that OpenStack was merely an illustrative example that did not need to be addressed is inconsistent with the other terms of the solicitation, which explained that OpenStack was one of the agency’s virtual technologies and offerors needed to address it.

Furthermore, by addressing only a single virtual technology–in this case, KMS’s treatment of VMWare only–a firm would not demonstrate that it could capably assist in managing the agency’s entire existing cyber security services function.[5] See COS at 7-8 (explaining that offerors were required to explain how they would manage all of the current virtualized technology systems); see also Point Blank Enterprises, Inc., B‑415021, Oct. 16, 2017, 2017 CPD ¶ 319 at 3 (stating that where a protester and agency disagree over the meaning of solicitation language, we will resolve the matter by reading the solicitation as a whole and in a manner that gives effect to all of its provisions; to be reasonable, and therefore valid, an interpretation must be consistent with the solicitation when read as a whole and in a reasonable manner.)

In this regard, the agency points out that, while VMWare and OpenStack both provide virtualized technology environments, they have different functionalities and are not identical. AR, Exh. 26, Technical Evaluator Declaration at 2. The agency explains that the knowledge and skills needed to maintain, diagnose, or address issues regarding OpenStack are vastly different from those needed for VMWare. Id. (“These two virtualized infrastructure environments necessarily require different skills and competencies to successfully maintain, diagnose, and address the various issues that can arise during training.”).

The agency also explains that OpenStack requires specialized expertise and particular familiarity with that system’s functionality. AR, Exh. 26, Technical Evaluator Declaration at 2 (“OpenStack Administrators must be competent in researching, down to the lowest level, to diagnose the issue and then work [potentially] with other OpenStack developers to release patches or updates (as required) to resolve those issues. The knowledge and capability to maintain, diagnose, and address OpenStack issues differs from that of other virtualized infrastructure environments, specifically VMWare.”). Thus, we are not persuaded that the RFP only required offerors to address either system by way of example only, because, as the agency articulates, technical approaches to these systems would not be the same and would require separate explanations in order to demonstrate sufficient capability.

Moreover, even if we agreed that the protester’s interpretation was reasonable, this would present what amounts to a patent ambiguity. An ambiguity exists where two or more reasonable interpretations of the terms of the solicitation are possible. Point Blank Enters., Inc., supra. A patent ambiguity exists where the solicitation contains an obvious, gross, or glaring error, while a latent ambiguity is more subtle. Id.

Here, we consider any ambiguity to be patent because the RFP’s references to VMWare and OpenStack as examples only would be inconsistent with the RFP’s other provisions that specifically refer to those systems as part of the agency’s current operating environment, as well as the specific requirement in the instructions to offerors to provide a narrative description of how the offeror would provide the agency’s cyber security services requirements.

Because we conclude any ambiguity in the RFP to be patent, any challenge to these RFP provisions would be untimely at this juncture. Under our Bid Protest Regulations, a patent ambiguity must be protested prior to the time set for receipt of initial proposals, when it is most practicable to take effective action against such defects. Id.; 4 C.F.R. § 21.2(a)(1). Since KMS’s protest was not filed until after proposals had been submitted, any challenge to the terms of the RFP is untimely now. Point Blank Enterprises, Inc., supra. (explaining that where a solicitation term appears inconsistent on its face with remaining solicitation terms, it is a patent ambiguity that must be protested before the due date for proposal submissions).

Next, we address KMS’s argument that the agency unreasonably determined that its failure to address OpenStack constituted a deficiency. According to KMS, the agency should have assigned its proposal a weakness or significant weakness, at most, for its failure to address OpenStack because its proposal provides an approach to managing and administering virtual technologies in general. This argument is without merit.

Readers Also Like:  This top password manager apparently has a major security flaw ... - TechRadar

KMS has not provided any basis–beyond its disagreement–for our Office to object to the agency’s determination that its failure to address the OpenStack requirement constituted a deficiency. In contrast, the agency explains that OpenStack is a unique open source platform, and that OpenStack is the only system that can facilitate its training curriculum. Specifically, the agency explains as follows:

The Cyber Center of Excellence (CCOE) sub-organization, U.S. Army Cyber School, relies on OpenStack, vice other virtualized infrastructure software capabilities, to support critical training objectives to Cyber soldiers and civilians. Students require a scalable, customizable, and flexible environment that can be deployed on any hardware system, regardless of vendor, type, or brand. OpenStack is the only platform that facilitates this flexibility and creates a dynamic training environment that can be easily torn down and rebuilt in under 24 hours. This capability is critical to student learning objectives in the program of instruction. . . . [DELETED]. Essentially, OpenStack is the only program that is unlimited in its application on any hardware, any brand, or any vendor with extreme flexibility in mobile deployment.

AR, Exh. 26, Technical Evaluator Declaration at 1. In light of the agency’s explanation regarding the criticality of OpenStack to the agency’s overall requirement, we conclude that the agency appropriately determined that KMS’s proposal merited a deficiency rather than merely a weakness or significant weakness.

As a final matter, KMS asserts that the agency unreasonably excluded its proposal from the competitive range because its proposal requires only minor revisions to be eligible for award. The agency responds that KMS’s proposal requires significant revisions in order to address OpenStack and comply with the solicitation’s page limitations since its proposal makes no mention of OpenStack. The agency maintains that any revision to the KMS technical proposal would amount to a complete rewrite of that portion of its proposal.

The determination of whether a proposal should be included in the competitive range is a matter primarily within the contracting agency’s discretion. ARCIS International-UNISECUR S.R.L.-RANGERS S.R.L. JV, B-419481, Mar. 1, 2021, 2021 CPD ¶ 86 at 10. Our Office will not disturb such a determination unless it is shown to be unreasonable or in violation of procurement laws and regulations. Id. Generally, proposals that are to be considered in the competitive range are those which are technically acceptable or reasonably susceptible of being made acceptable through discussions–that is, proposals which have a reasonable chance of being selected for award. Id. Contracting agencies are not required to retain a proposal in the competitive range where the proposal is not among the most highly rated, or where the agency otherwise reasonably concludes that the proposal has no realistic prospect of award. FAR 15.306(c)(1); Henry Schein, Inc., B-405319, Oct. 18. 2011, 2011 CPD ¶ 264 at 7.

We have no basis to object to the agency’s decision to eliminate KMS’s proposal from the competitive range. First, our review confirms that KMS’s proposal was not among the most highly rated. The record shows that [DELETED] other offerors were evaluated as having “outstanding” ratings under both the staffing and management approach, and technical approach factors. AR, Exh. 18, Competitive Range Determination at 4. In contrast, as discussed, the agency reasonably found the KMS proposal technically unacceptable. Second, as the agency explains, KMS’s failure to discuss OpenStack in its proposal would require essentially a complete rewrite of the firm’s technical proposal in light of the solicitation’s page limitation. Under the circumstances, we conclude that the agency reasonably eliminated the KMS proposal from the competitive range.[6]

The protest is denied.

Edda Emmanuelli Perez
General Counsel





READ SOURCE

This website uses cookies. By continuing to use this site, you accept our use of cookies.