On February 24, 2020, the GAO denied the bid protest of 22nd Century Technologies, Inc., which challenged the issuance of a task order to KCI-Acuity, LLC by the Department of State (DOS) on the grounds that DOS unreasonably evaluated the vendors’ quotations under the management and technical, price, and similar experience and past performance factors. DOS issued a solicitation on July 26, 2019 seeking quotations to provide IT support for the agency’s Bureau of Information Resource Management (IRM). The solicitation advised that quotations would be evaluated based on four factors:
- Management and technical approach
- Similar experience and past performance
- Staffing plan and key personnel
For purposes of award, the three non-cost/price factors were listed in descending order of importance, and when combined, were “significantly more important” than cost/price. DOS received quotations from 22nd Century and KCI-Acuity. In its evaluations of their respective quotations, the DOS gave KCI-Acuity higher marks for all three of the non-cost/price factors, while 22nd Century’s price was $43 million lower than KCI-Acuity’s. The contracting officer concluded that KCI-Acuity’s quotation merited selection for award at a cost/price premium of $43.8 million, due both to its higher marks in the non-price factors as well as its finding that “22nd Century’s quotation presented high risk that cannot be easily mitigated without substantial Government effort…”
22nd Century raised three challenges in its protest:
- The agency unreasonably assigned the protester’s quotation a marginal rating under the management and technical approach factor
- The agency improperly assigned risk to the protester’s price quotation based on the awardee’s failure to follow the solicitation instructions
- The agency unreasonably evaluated the awardee’s quotation under the relevant experience and past performance factor, based on the agency’s failure to consider the awardee’s performance record as a joint venture.
In rejecting the first argument, the GAO concluded that it was reasonable for DOS to assign a major weakness to 22nd Century’s quotation, which described an approach that was not consistent with the SOW’s requirement to assume a hostile environment. DOS had asked each offeror to describe an IT security approach that assumed a hostile environment, that is, one “where adversaries already have achieved a security breach.” 22nd Century described an approach for a “safe” environment, which is one focused on preventing breaches, but not on mitigating or remedying those that have already occurred.
Additionally, the GAO determined that DOS was reasonable to assign 22nd Century’s quotation a major weakness for failing to adequately address the SOW’s cloud security requirements. The SOW required that the offeror “implement and maintain administrative, technical, and physical safeguards and controls for multiple cloud computing models…includ[ing] Microsoft Office 360 (including SharePoint Online, Dynamics Online, PowerBI, OneDrive, PowerApps, Forms, and Flow), Amazon Web Services, and Microsoft Azure.” 22nd Century’s quotation merited a significant weakness because it merely restated these requirements without explaining how it would perform those requirements.
As to the second argument, the GAO concluded that DOS reasonably assigned risk to 22nd Century’s price quotation because the labor rates it included did not comply with the requirements of the SOW. The SOW required that each offeror “propose locality specific prices for each place of performance specified in the RFQ.” DOS found that 22nd Century’s proposed labor rates did not comply with these instructions because its rates corresponded to Richmond, rather than Washington. These labor rates were significantly lower than the independent government cost estimate (IGCE) labor rates per position; DOS concluded thus that the “cost-price proposal is not accurate and represents a risk.”
Finally, the GAO found no basis to support 22nd Century’s third argument, that DOS failed to properly evaluate the past performance of KCI-Acuity (a joint venture) by relying solely on the records of the individual joint venture partners, but not also the joint venture. DOS relied on SBA regulations under which the agency was not required to “reject or negatively evaluate vendors who proposed as SBA-approved joint ventures,” but relied on the experience and past performance of the individual joint venture partners. The rationale behind this SBA regulation was that, until its promulgation, newly formed joint ventures faced extreme challenges in demonstrating past performance. 22nd Century’s argument that KCI-Acuity was required to submit three past performance contract profiles for the joint venture found no basis or merit in SBA’s regulations.