CACI, INC.-FEDERAL v. THE UNITED STATES, Defendant, GENERAL DYNAMICS MISSION SYSTEMS, INC., and SIERRA NEVADA CORPORATION, Defendant-Intervenors.
No. 21-1823 C
In the United States Court of Federal Claims
Filed Under Seal: December 22, 2021
Reissued: January 13, 2022*
SOMERS, Judge.
Pursuant to the protective order entered in this case, this opinion was filed initially under seal. The parties provided proposed redactions of confidential or proprietary information. In addition, the Court made minor typographical and stylistic corrections.
Daniel Falknor, Trial Attorney, Commercial Litigation Branch, Civil Division, Department of Justice, with whom were Reginald T. Blades, Jr., Assistant Director, Martin F. Hockey, Jr., Acting Director, and Brian M. Boynton, Acting Assistant Attorney General, all of Washington, D.C., for Defendant, and Major Michael R. Tregle, Jr., Trial Attorney, U.S. Army Legal Services Agency, of Fort Belvoir, VA, of counsel.
Shaun C. Kennedy, with whom were Chris R. Hogle, Thomas A. Morales, Hannah E. Armentrout, and Ryan K. Lundquist, Holland & Hart LLP, all of Denver, CO, for Defendant-Intervenor Sierra Nevada Corp.
Noah Benjamin Bleicher, with whom were Jeri K. Somers, Carla J. Weiss, and Scott E. Whitman, Jenner & Block LLP, all of Washington, D.C., for Defendant-Intervenor General Dynamics Mission Systems, Inc.
OPINION AND ORDER
SOMERS, Judge.
On September 8, 2021, Plaintiff CACI, Inc.-Federal (“CACI”) filed a complaint in this Court challenging the United States Army’s award of a contract in August 2021 to Defendant-Intervenors General Dynamics Mission Systems, Inc. (“GDMS”) and Sierra Nevada Corporation (“Sierra Nevada” or “SNC”) for the design and manufacture of the Next Generation Load Device Medium (“NGLD-M” or “device”). ECF No. 1 (“Compl.”).1 Plaintiff asserts that the Army misevaluated its proposal and applied unstated evaluation criteria in assigning its proposal three deficiencies and two weaknesses. Id. at 2.
Plaintiff filed a motion for judgment on the administrative record, ECF No. 42 (“CACI MJAR”), on October 18, 2021, to which the government and Defendant-Intervenors filed cross-motions. See ECF Nos. 48 (“USA MJAR”), 49 (“SNC MJAR”), 50 (“GDMS MJAR”). Additionally, Sierra Nevada and the government filed motions to dismiss, asserting that CACI lacked standing because of an organizational conflict of interest (“OCI”) that made CACI ineligible for award even if it was successful on the merits of its protest. See ECF No. 43 (“SNC Mot. to Dismiss”); USA MJAR at 18-25. For the reasons that follow, the Court finds that Plaintiff has not met its burden to establish standing to bring this bid protest. Moreover, in the alternative, even if CACI had standing, it has failed to demonstrate that the three deficiencies it received were the result of actions by the Army that were arbitrary, capricious, an abuse of discretion, or otherwise contrary to law.
BACKGROUND AND PROCEDURAL HISTORY
On November 16, 2020, the Army issued Request for Proposal No. W15P7T-21-R-0001 for the design, development, and production of the NGLD-M. AR Tab 14. The NGLD-M will be used by the Army on the battlefield to encrypt and decrypt sensitive information. The device will need to be certified and approved by the National Security Agency (“NSA“) before the Army‘s implementation. Id. The solicitation was amended and reissued on December 3, 2020, and then again on January 11, 2021. AR Tab 15-16. The solicitation provided that the Army could award up to two contracts but “reserve[d] the right to make a single award or no award at all.” AR 1515. It required offerors to address various technical aspects of the NGLD-M. Specifically, offers were required to:
include all data and information requested by the [Solicitation] and shall be submitted in accordance with (IAW) these instructions. The Offeror shall address the requirements outlined in the Engineering Development Performance Work Statement (PWS), Program Management Statement of Work (SOW), Contract Data Requirements Lists (CDRLs), NGLD-M System Requirements Document (SRD), Technical Security Requirements Document (TSRD), and the Information Assurance Security Requirements Directive (IASRD).
AR 1499.
The solicitation notified offerors that failing to address these factors could result in their proposal being eliminated from further consideration. Id. Offerors’ proposals were evaluated on four factors: Technical; Cost; Past Performance; and Small Business Participation. AR 1514. Technical and cost ratings were weighed “approximately equal in importance” to each other, but both categories were “significantly more important” than the rating for past performance. Id. Small Business Participation was rated on an “acceptable/unacceptable basis.” Id.
The solicitation also detailed that the technical evaluation would be rated on four sub-factors: (1) Hardware and Application Programming Interface (“API”) Integration/Description Approach; (2) User Application Software (“UAS”) Approach/Key Management Interface Implementation; (3) Management; and (4) Production. Id. The solicitation informed offerors that the Army would rate the technical evaluation as follows:
Strength: is an aspect of an offeror‘s proposal that has merit or exceeds specific performance or capability requirements in a way that will be advantageous to the Government during contract performance.
Weakness: means a flaw in the proposal that increases the risk of unsuccessful contract performance. A significant weakness in the proposal is a flaw that appreciably increases the risk of unsuccessful contract performance.
Significant Weakness: means a flaw in the proposal that appreciably increases the risk of unsuccessful contract performance.
Deficiency: is a material failure of a proposal to meet a Government requirement or a combination of significant weaknesses in a proposal that increases the risk of unsuccessful contract performance to an unacceptable level.
AR 1519-20.
Based on the above ratings, the Army would then score the proposals on a combined technical evaluation from “Outstanding” to “Unacceptable” as set forth in the following table:
TABLE M1. COMBINED TECHNICAL/RISK RATINGS

| Color | Rating | Description |
|---|---|---|
| BLUE | Outstanding | Proposal indicates an exceptional approach and understanding of the requirements and contains multiple strengths, and risk of unsuccessful performance is low. |
| PURPLE | Good | Proposal indicates a thorough approach and understanding of the requirements and contains at least one strength, and risk of unsuccessful performance is low to moderate. |
| GREEN | Acceptable | Proposal indicates an adequate approach and understanding of the requirements, and risk of unsuccessful performance is no worse than moderate. |
| YELLOW | Marginal | Proposal has not demonstrated an adequate approach and understanding of the requirements, and/or risk of unsuccessful performance is high. |
| RED | Unacceptable | Proposal does not meet requirements of the solicitation, and thus, contains one or more deficiencies, and/or risk of unsuccessful performance is unacceptable. Proposal is unawardable. |
AR 1520.
The Army evaluated the offerors in two phases: an initial phase and, in accordance with
Through letters dated June 7, 2021, the Army notified SNC, GDMS, and Plaintiff that their proposals were within the competitive range and invited them to submit revised and final
Plaintiff, on the other hand, was again given an “Unacceptable” technical rating based on the Army identifying three deficiencies in its technical evaluation of Plaintiff‘s proposal. AR 5062-64, 5066-67. The Army determined that, in attempting to correct the deficiency related to the authentication requirements identified in the initial evaluation phase, Plaintiff created three new deficiencies. Id. The Army gave Plaintiff two deficiencies related to its USB port based on finding that its design would be incapable of simultaneously performing two required functions. AR 5066-67. Plaintiff‘s proposal received a third deficiency for failing to specify the external dimensional measurements of its device, and, therefore, the Army determined it was “unclear if the proposed design meets the NGLD-M length and weight requirements.” AR 5063. In addition, Plaintiff‘s proposal received two weaknesses on its technical approach. AR 5064-65, 5067.
On August 9, 2021, the Army‘s Source Selection Advisory Council (“SSAC“) recommended that both SNC and GDMS be awarded contracts for the NGLD-M, as their proposals represented the best value to the government. AR 7123. The report also concluded that Plaintiff‘s proposal failed to meet the requirements of the solicitation and summarized the three deficiencies. AR 7122-23. As the solicitation makes clear, even one deficiency renders a proposal “Unacceptable” under the technical factor and automatically unawardable. AR 1520 (“Red/Unacceptable-Proposal does not meet requirements of the solicitation, and thus, contains one or more deficiencies, and/or risk of unsuccessful performance is unacceptable. Proposal is unawardable.“); see also AR 7122. The SSAC report summarized the offerors’ scores in the following chart:
| Offeror | Technical | Past Performance | Small Business Participation | FPR Price | Total Evaluated Price |
|---|---|---|---|---|---|
| [SNC] | Outstanding | Substantial Confidence | Acceptable | [redacted] | $544,267,922 |
| [GDMS] | Outstanding | Substantial Confidence | Acceptable | [redacted] | $229,952,952 |
| [CACI] | Unacceptable | Substantial Confidence | Acceptable | [redacted] | Undetermined |
AR 7120.
On August 10, 2021, the Army awarded SNC and GDMS contracts on the NGLD-M solicitation. AR Tabs 52, 55. The Army notified Plaintiff on August 11, 2021, that it was “not selected for award” and that the “decision was driven by the unacceptable rating.” AR 7137-38. The notification also highlighted the ratings of the three offerors’ proposals and included a summary of Plaintiff‘s deficiencies and weaknesses. Id. The Army, pursuant to
CACI filed this post-award bid protest on September 8, 2021. The complaint alleges, inter alia, that the Army unreasonably assigned three deficiencies to Plaintiff‘s technical proposal. See Compl. at 32-38. Plaintiff argues that but for these errors, it would have been awarded the NGLD-M contract over SNC because of CACI‘s lower price proposal. CACI asks the Court to enjoin performance on the contract and require the Army to re-evaluate the proposals. Id. at 50.
Defendant-Intervenor SNC and the government filed motions to dismiss Plaintiff‘s complaint under Rule 12(b)(1) of the Rules of the Court of Federal Claims (“RCFC“), arguing that CACI has not established that it has standing to protest the award because it is not an “interested party.” See SNC Mot. to Dismiss; USA MJAR at 18-25. Based on prior task orders CACI performed for the Army, SNC and the government argue that CACI has an unmitigable, biased ground rules OCI disallowing it from being awarded the contract at issue regardless of the errors that CACI alleges the Army made in its technical evaluation, and, therefore, Plaintiff cannot clear the “prejudice” threshold to establish standing. SNC Mot. to Dismiss at 8-18.
On December 7, 2021, the Court held oral argument on the pending motions, and the matter is now ripe for consideration.
DISCUSSION
A. Legal Standard
The Tucker Act, as amended by the Administrative Dispute Resolution Act, provides the Court of Federal Claims with “jurisdiction to render judgment on an action by an interested party objecting to . . . the award of a contract or any alleged violation of statute or regulation in connection with a procurement . . . .”
On the first ground, “the courts have recognized that contracting officers are entitled to exercise discretion upon a broad range of issues confronting them in the procurement process.” Id. (citations and internal quotations omitted). Thus, the Court must “determine whether the contracting agency provided a coherent and reasonable explanation of its exercise of discretion, and the disappointed bidder bears a heavy burden of showing that the award decision had no rational basis.” Id. at 1332-33 (citations and internal quotations omitted). On the second ground, “the disappointed bidder must show a clear and prejudicial violation of applicable statutes or regulations.” Id. at 1333 (citation and internal quotation omitted).
However, before the Court can proceed to the merits of a bid protest, a protestor must establish that it has standing. Castle v. United States, 301 F.3d 1328, 1337 (Fed. Cir. 2002) (“Standing is a threshold jurisdictional issue, which . . . may be decided without addressing the merits of a determination.“); see also Lujan v. Defenders of Wildlife, 504 U.S. 555, 561 (1992) (“The party invoking federal jurisdiction bears the burden of establishing [the] elements [of standing].“). As standing is a jurisdictional issue, it may be raised in a motion to dismiss under
B. Plaintiff Has Not Established That It Has Standing
“It is well-established that the plaintiff bears the burden of establishing the court‘s jurisdiction by a preponderance of the evidence.” Brandt v. United States, 710 F.3d 1369, 1373 (Fed. Cir. 2013). In bid protests, “[o]nly an ‘interested party’ has standing to challenge a contract award.” Digitalis Educ. Sols., Inc. v. United States, 664 F.3d 1380, 1384 (Fed. Cir. 2012) (citing Rex Serv. Corp. v. United States, 448 F.3d 1305, 1307 (Fed. Cir. 2006);
In order to establish that it had a direct economic interest in the NGLD-M procurement, Plaintiff must demonstrate prejudice. See Myers Investigative & Sec. Servs., Inc. v. United States, 275 F.3d 1366, 1370 (Fed. Cir. 2002) (“[P]rejudice (or injury) is a necessary element of
Plaintiff has failed, however, to carry its burden to demonstrate that it would be eligible for award if the Court agreed with its arguments on the merits. A contract may not be awarded to an “apparent successful offeror” if “a conflict of interest is determined to exist that cannot be avoided or mitigated.”
FAR subpart 9.5 describes three categories of OCIs: biased ground rules, unequal access to information, and impaired objectivity. The government and SNC assert that CACI has a biased ground rules OCI with regard to the NGLD-M solicitation. They further argue that because a biased ground rules OCI cannot be avoided or mitigated, Plaintiff would not have been eligible for the award of a contract pursuant to the solicitation regardless of the merits of its protest and, therefore, lacks standing. See generally SNC Mot. to Dismiss; USA MJAR at 18-25; see also
“The biased ground rules category of OCIs focuses on the concerns that a company may, by participating in the process of setting procurement ground rules, have special knowledge of the agency‘s future requirements that may skew the competition in its favor.” Turner Const. Co. v. United States, 645 F.3d 1377, 1382 (Fed. Cir. 2011). Because of the “highly influential and responsible position” of contractors that performed systems engineering and technical direction,
[a] contractor that provides systems engineering and technical direction for a system but does not have overall contractual responsibility for its development, its integration, assembly, and checkout, or its production shall not – (1) be awarded a contract to supply the system or any of its major components or (2) be a subcontractor or consultant to a supplier of the system or any of its major components.
The Army required all offerors to identify any potential OCIs related to the procurement. AR 1500. In response, Plaintiff disclosed that it had performed two Systems Engineering and Technical Assistance (“SETA“) contracts related to the NGLD-M procurement.2 AR 2244-45. First, it disclosed that CACI was a contractor on a task order that resulted in the Capability Production Document (“CPD“) from which the technical and operational requirements for the NGLD-M were derived. See AR 1198 (“The SRD identifies requirements to develop the NGLD-M and its interfaces. The requirements in this document are derived from the Capability Production Document (CPD) for NGLD family of systems Version (v) 1.05, dated 22 April 2013.“). As part of this task order, a CACI employee “supported the development” of the CPD and that employee was listed as a “Secondary Point of Contact” on the cover page of the CPD. AR 2244; ECF No. 55-1. Plaintiff also disclosed that two other employees assisted in developing the CPD as part of CACI‘s CPD task order. AR 2244. Second, Plaintiff disclosed that a “small portion of CACI‘s work” on a separate 2014 SETA task order “provided support to the NGLD-M program.” AR 2244-45. In short, as part of its proposal, CACI admits it did SETA work related to the NGLD-M by working on the development of the CPD and on the 2014 task order.
Indeed, as SNC correctly observes, “[t]he specifications in the CPD in fact pervade all of the technical and operational requirement[s] for the NGLD-M set forth in the Solicitation.” SNC Mot. to Dismiss at 11. And, moreover, “the Solicitation indicates the Army utilized the CPD developed through CACI‘s SETA task orders to create the technical and operational requirements for the NGLD-M.” Id. at 12. Specifically, the CPD was used to develop the SRD, which outlines the technical requirements in the NGLD-M solicitation. See generally AR 1270-1343. In fact, the NGLD-M SRD Requirements Traceability Matrix contains a column sourcing each SRD requirement to the CPD. Id. It would appear, therefore, that at the very least there is prima facie evidence that CACI‘s prior work on the task order that resulted in the CPD created a biased ground rules OCI that would disqualify CACI from being awarded a contract pursuant to the solicitation.
The government attempts to buttress this prima facie evidence with a November 5, 2021, declaration from the Contracting Officer (“CO“) declaring that “a biased ground rules OCI exists” and that “there is no question that the CPD would be part of the RFP for the NGLD-M program when it was developed; that was the entire purpose of the CPD development and
Normally, the Court would need to assess how much weight, if any, to give this declaration because of the alleged procedural issues with its promulgation and alleged problems with the reasoning contained therein. See Sys. Plus, Inc. v. United States, 69 Fed. Cl. 757, 763-69 (2006). However, in this case, Plaintiff has completely failed to offer any evidence whatsoever that it did not have a biased ground rules OCI (much less evidence sufficient to overcome the prima facie evidence of a biased ground rules OCI that is apparent on the face of its proposal and in the sourcing of the technical requirements contained in solicitation and related documents). Rather than offer any evidence that the apparent OCI was not in fact an OCI (and, therefore, attempt to meet its burden to establish standing), Plaintiff instead focused its response to the motions to dismiss on alleged procedural deficiencies with, perceived terminology issues in, and the timing of, the CO‘s declaration. Plaintiff‘s burden, however, was not to demonstrate that the government and SNC had not established that an OCI exists; its burden was to prove by a preponderance of the evidence that it has standing. See Reynolds, 846 F.2d at 748 (holding that a plaintiff “bears the burden of establishing subject matter jurisdiction by a preponderance of the evidence“).
This is a burden Plaintiff made no attempt to meet. Plaintiff failed to provide this Court with a single piece of evidence to show it did not have an OCI.3 See Moyer v. United States, 190 F.3d 1314, 1318 (Fed. Cir. 1999) (“Fact-finding is proper when considering a motion to dismiss where the jurisdictional facts in the complaint . . . are challenged.“). There are myriad ways through which CACI could have come forward with some evidence to attempt to establish that it did not have a biased ground rules OCI and thus standing to bring the instant protest. For instance, assuming that a biased ground rules OCI does not in fact exist, CACI could have simply introduced an affidavit from its former employee who was the secondary point of contact on the CPD task order explaining whether she or anyone else from CACI took part in systems engineering and technical direction as part of that task order. Such a declaration may have been sufficient to establish standing. But CACI instead chose to attack the CO‘s declaration. If it was
Unfortunately for CACI, it bears this jurisdictional burden, not the government. And because the obligation to establish standing is not a mere pleading requirement “but rather an indispensable part of the plaintiff‘s case, each element must be supported in the same way as any other matter on which the plaintiff bears the burden of proof, i.e., with the manner and degree of evidence required at the successive stages of the litigation.” Lujan, 504 U.S. at 561. Although judges of this Court have at times indicated that at the standing stage only a “limited review” is conducted, CACI failed to provide the Court with anything to review other than arguments as to why the CO‘s declaration is “faulty.” But none of these arguments as to why the CO‘s declaration is “faulty” demonstrate that CACI did not provide systems engineering and technical direction for the NGLD-M, past services that make it ineligible for award of the contract at issue.
Plaintiff argues at length that “[t]he Agency‘s post-hoc, faulty OCI determination does not deprive the Court of subject matter jurisdiction.” ECF No. 55 at 5 (“CACI Reply“). Plaintiff‘s argument, however, misses the point. It is not the “Agency‘s post-hoc, faulty OCI determination” that is depriving the Court of jurisdiction. It is Plaintiff‘s failure to offer any evidence to show that it did not have an OCI, and thus was eligible for award, that deprives the Court of jurisdiction. If the CO‘s declaration was the lynchpin of the standing inquiry, attacking it with the reasoning used in Systems Plus, Inc. v. United States may have aided Plaintiff.4 But, as is explained above, the CO‘s declaration is not what is depriving the Court of jurisdiction. Moreover, in Systems Plus, unlike the instant case, the plaintiff offered evidence in the form of a declaration and a memorandum from a fact witness that significantly undermined, if not disproved, the alleged OCI. 69 Fed. Cl. at 768.
In sum, once the OCI issue was raised, it was Plaintiff‘s burden to affirmatively demonstrate that there was no OCI and that it was thus eligible for award. Because Plaintiff has not shown that it was eligible for award, it has no economic interest in the outcome of the Army‘s NGLD-M solicitation. That is to say, even if the Court assumed all the factual allegations Plaintiff makes on the merits of its protest are true and that Plaintiff was prejudiced by the alleged procurement process errors, Plaintiff has not shown that it was eligible for award. Without an economic interest in the outcome, Plaintiff does not have standing to challenge the government‘s award of the contracts to SNC and GDMS.
C. Even if Plaintiff Had Standing, the Government and Defendant-Intervenors Would Nonetheless Be Entitled to Judgment on the Administrative Record
Even had Plaintiff been able to demonstrate that it had standing, its protest would have nonetheless failed on the merits. The Administrative Record demonstrates the reasonableness of
1. The Army Technical Evaluation Team Reasonably Assigned Two Deficiencies to CACI‘s Design Methodology
The parties first cross-move for judgment on the administrative record with regard to the technical evaluation team‘s (“TET“) assignment of two deficiencies to Plaintiff‘s design—specifically, the detrimental effect that its chosen two-factor authentication (“2FA“) solution would have on the device‘s ability to meet other design requirements. Plaintiff alleges the agency erred in assigning the two deficiencies; the government and Defendant-Intervenors assert that the Army acted rationally in assigning both. The Court finds the agency‘s actions entirely reasonable based on the record before the Court.
To review, “[i]t is well established that the evaluation of proposals for their technical quality generally requires the special expertise of procurement officials.” KSC Boss All., LLC v. United States, 142 Fed. Cl. 368, 380 (2019). Thus, as in the instant case, “challenges concerning ‘the minutiae of the procurement process in such matters as technical ratings . . . involve discretionary determinations of procurement officials that a court will not second guess.‘” Enhanced Veterans Sols., Inc. v. United States, 131 Fed. Cl. 565, 584 (2017) (quoting E.W. Bliss Co. v. United States, 77 F.3d 445, 449 (Fed. Cir. 1996)). The Court must merely “determine whether the contracting agency provided a coherent and reasonable explanation of its exercise of discretion, . . . and the disappointed bidder bears a heavy burden of showing that the award decision had no rational basis.” Impresa, 238 F.3d at 1332-33 (citations and quotes omitted).
Proceeding to the record, the Court looks first to what the Army‘s solicitation required. Under a plain reading, the solicitation compels 2FA as a threshold requirement. See AR 1272 (NGLD-M_SRD_0025 providing that “[t]he NGLD-M shall enforce two-factor authentication when started in Medium Assurance mode.“); AR 1273 (NGLD-M_SRD_0033 providing that “[t]he NGLD-M shall enforce two-factor authentication when started in High Assurance mode.“); AR 1275 (NGLD-M_SRD_055 providing that “[t]he NGLD-M shall support two factor authentication.“). Given this requirement, the Court next looks to what the Army‘s evaluators ultimately found. The clearest reflection is the TET‘s evaluation of Plaintiff‘s proposal, in which the team assigned two deficiencies to Plaintiff.5 The first deficiency is set forth in full as follows:
DEFICIENCY: The offeror’s proposal is flawed as the design methodology to meet the two-factor authentication requirements (NGLD-M_SRD_0025 (Medium Assurance) and NGLDM_SRD_0033 (High Assurance)) does not allow the system to meet the USB data receiving (Req IDs: NGLD-M_SRD_: 0575; 0577; 0578; 0581; 0583; 0585; 0587) and Software/Firmware update via USB interface (NGLD-M_SRD_0573) requirements while meeting RMF and IASRD requirements. The proposal does not discuss how the exchanges in the NGLD-M System Requirements Document Table 5 “NGLD-M Receiving Data Types and Interfaces” for the USB port are met when the design approach requires the continuous use of the only USB-C interface on the device to maintain a two factor authenticated session. The proposal’s approach to meeting the two-factor authentication requirements is an external USB-C dongle and [redacted text]. The proposed design has single USB-C port which is required to support both two-factor authentication dongle and USB data receiving requirements which physically does not allow the device to maintain a two-factor authenticated sessions [sic] and perform USB Receiving requirements. On Volume 2, page 14 the Offeror proposes to resolve this conflict through the following statement “The external USB-C [Two-Factor Authentication] 2FA device is required to be attached during login authentication in both MA or HA modes and required to be inserted in response to periodic reauthentication.” According to IASRD TOK-2 “The authentication period for a token shall conclude when the token is removed from the host/terminal interface. Under agreed upon conditions, the token may be required to be removed from the equipment after authentication of the user is completed.” The proposal does not discuss or mention any “agreed upon conditions” with the National Security Agency when an authenticated session can be maintained after removal of the token. The proposed design does not meet the NGLD-M requirements without violating IASRD TOK-2 as well as adherence to Risk Management Framework security policies regarding authentication sessions to meet receiving data requirements across the USB. The proposal does not covey an understanding of requirements nor convey a feasible approach to meeting the requirements.
AR 5066.6 In almost identical fashion, the second deficiency follows in full:
DEFICIENCY: The offeror’s proposal is flawed as the design methodology to meet the two-factor authentication requirements (NGLD-M_SRD_0025 (Medium Assurance) and NGLDM_SRD_0033 (High Assurance)) does not allow the system to meet the USB distributing (Req IDs: NGLD-M_SRD_: 0576; 0579; 0580; 0582; 0584; 0586; 0588) while meeting RMF and IASRD requirements. The proposal does not discuss how the exchanges in the NGLD-M System Requirements Document Table 7 “NGLD-M Distribution Data Types and Interfaces” for the USB port are met when the design approach requires the continuous use of the only USB-C interface on the device to maintain a two factor authenticated session. The proposal’s approach to meeting the two-factor authentication requirements is an external USB-C dongle and [redacted text]. The proposed design has single USB-C port which is required to support both two-factor authentication dongle and USB data distributing requirements which physically does not allow the device to maintain a two-factor authenticated sessions and perform USB Receiving requirements. On Volume 2, page 14 the Offeror proposes to resolve this conflict through the following statement “The external USB-C [Two-Factor Authentication] 2FA device is required to be attached during login authentication in both MA or HA modes and required to be inserted in response to periodic reauthentication.” According to IASRD TOK-2 “The authentication period for a token shall conclude when the token is removed from the host/terminal interface. Under agreed upon conditions, the token may be required to be removed from the equipment after authentication of the user is completed.” The proposal does not discuss or mention any “agreed upon conditions” with the National Security Agency when an authenticated session can be maintained after removal of the token. The proposed design does not meet the NGLD-M requirements without violating IASRD TOK-2 as well as adherence to Risk Management Framework security policies regarding authentication sessions to meet distributing data requirements across the USB. The proposal does not covey an understanding of requirements nor convey a feasible approach to meeting the requirements.
AR 5066-67. In sum, Plaintiff‘s proposed 2FA solution would commandeer “the only USB-C interface on the device,” rendering the port unavailable (and thus the device unable) to simultaneously perform other key tasks—distributing and receiving data7—that require an available USB port. Id.
a. The Army did not apply unstated evaluation criteria
Plaintiff paints myriad objections to the TET‘s evaluation, none of which stick to the canvas. It first contends that the Army
evaluated CACI‘s approach to two-factor (“2-FA“) authentication, despite the RFP expressly instructing offerors that they did not need to address, nor would they be evaluated, against certain RFP sections (which RFP sections included the offerors’ approach to 2-FA), so long as they proposed to use the Government User Application Software (“UAS“), which CACI indisputably proposed to do.
CACI MJAR at 1; see also id. at 18 (“First, the Army should never have evaluated CACI‘s proposed solution for 2-FA.“). This line of argument quickly breaks under pressure.
To begin with, it appears that Plaintiff manufactured—or at the very least, misstated—a quote from the solicitation in defense of its assertion that the Army should never have “evaluated” its 2FA approach. In its motion for judgment on the administrative record, Plaintiff purports to quote the solicitation: “[i]n particular, the RFP states that ‘[u]se of the Government UAS relieves the Offeror from providing any additional information for . . . Device User
L24.4 Sub-Factor 1.2. UAS Approach/KMI Implementation
Use of the Government UAS relieves the Offeror from providing any additional information for this sub-factor, apart from a statement that the Offeror will utilize the Government UAS. If the Offeror is choosing to develop and deliver their own UAS solution, the Offeror shall describe the proposed NGLD-M UAS design from perspectives aligned with the below Elements. This description shall be at a level of detail that provides the Government confidence that the Offeror has a design that will allow this UAS to satisfy the SRD requirements, incorporates KMI capabilities and management design requirements, takes non-functional requirements into consideration, and ensures fulfilment of all security requirements.
AR 1505 (emphasis added). There is nothing in this paragraph referencing “Device User Management SRD 3.2.2,” and certainly nothing referencing it within the single sentence that Plaintiff appears to quote. To be fair, Plaintiff also cites to AR 1518, where the term does indeed appear but only after the conclusion of the full paragraph referencing “[u]se of the Government UAS. . . .” AR 1518. More importantly, however, these segments of the solicitation speak at most to an offeror needing not provide “any additional information” for a particular sub-factor. AR 1505 (emphasis added). There is nothing in either of Plaintiff‘s cited segments of the solicitation supporting the entirely different proposition that offerors “did not need to address, nor would they be evaluated” on whether their proposals satisfy the Army‘s baseline requirements for 2FA. CACI MJAR at 1 (emphasis added).
Moreover, as the government correctly points out, Plaintiff‘s initial proposal resulted in a deficiency for failure to “define a two-factor authentication approach for Medium Assurance (“MA“) mode (NGLD-M_SRD_0025),” AR 6910, yet Plaintiff did not take issue at that time with the Army—to borrow a phrase—having “evaluated [its] approach to [2FA] authentication.” In fact, in response to the initial deficiency, Plaintiff revised its proposal to directly address the solicitation‘s 2FA requirements. See AR 5435-36 (Plaintiff‘s “Technical Change Cover Sheet,” preceding its revised proposal, explaining “[t]he MCL meets NGLD-M requirements for the submission of login credentials including a two-factor authentication (2FA) token (NGLD-M_SRD_0055, NGLD-M_SRD_0025 and NGLD-M_SRD_0033) as part of Authentication, Authorization, Accounting (AAA) state per SRD section 3.1 during user login” and ”
Nevertheless, even accepting Plaintiff‘s contention—that use of the government‘s UAS precluded the Army‘s evaluation of Plaintiff‘s 2FA approach—there is simply nothing in the
b. Plaintiff‘s 2FA solution necessitates continuous use of the only USB port
Plaintiff next objects to the Army‘s conclusion that its particular “design approach requires the continuous use of the only USB-C interface on the device to maintain a two factor authenticated session.” AR 5066. Recall, the Army evaluators observed that:
[Plaintiff‘s] proposal‘s approach to meeting the two-factor authentication requirements is an external USB-C dongle and [redacted]. The proposed design has single USB-C port which is required to support both two-factor authentication dongle and USB data receiving requirements which physically does not allow the device to maintain a two-factor authenticated sessions and perform USB Receiving requirements. On Volume 2, page 14 the Offeror proposes to resolve this conflict through the following statement “The external USB-C [Two-Factor Authentication] 2FA device is required to be attached during login authentication in both MA or HA modes and required to be inserted in response to periodic reauthentication.” According to IASRD TOK-2 “The authentication period for a token shall conclude when the token is removed from the host/terminal interface. Under agreed upon conditions, the token may be required to be removed from the equipment after authentication of the user is completed.” The proposal does not discuss or mention any “agreed upon conditions” with the National Security Agency when an authenticated session can be maintained after removal of the token. The proposed design does not meet the NGLD-M requirements without violating IASRD TOK-2 as well as adherence to Risk Management Framework security policies regarding authentication sessions to meet receiving data requirements across the USB.
AR 5066; see also id. (“data distributing” deficiency). Plaintiff argues that the solicitation only requires 2FA in Medium and High Assurance (“HA“) modes “when started,” citing NGLD-M_SRD_0025 and NGLD-M_SRD_0033, and that “[a] requirement for 2-FA to be continuous is not included in the RFP or any other requirements.” CACI MJAR at 20 (emphasis added).
The Court reads the government‘s argument as the better of the two.11 Per the relevant section of the IASRD:
The authentication period for a token shall conclude when the token is removed from the host/terminal interface. Under agreed upon conditions, the token may be required to be removed from the equipment after authentication of the user is completed.
AR 7983. While the solicitation may not expressly require that authentication be “continuous,” the IASRD—clearly incorporated into the solicitation—effectively creates a default or presumption that a token, if used for 2FA, remain inserted in the device for purposes of authentication absent agreed upon conditions. Plaintiff did not provide the Army with any such conditions; instead, it argues it did not need to address conditions for removal. CACI MJAR at 23. But, if Plaintiff is correct, where would that leave the evaluators? The Court, instead, accepts the government‘s invitation to “read the 2FA requirements in the SRD and the IASRD together.” USA MJAR at 34. Although the solicitation “uses the term ‘when started’ in certain places, the cited portions of the SRD are silent on removal. The IASRD fills the gap and requires continuous 2FA by stating that the token can only ‘be removed from the equipment after authentication of the user is completed’ upon agreed upon conditions.” Id. at 34-35 (citations omitted). Thus, absent such agreed upon conditions, or any evidence thereof, Plaintiff‘s 2FA
c. Plaintiff‘s proposed design only includes a single USB port
The Court moves to what can safely be considered Plaintiff‘s central argument and objection: that “the Army inexplicably found that CACI‘s proposed design only included a single USB port, when, in fact, CACI‘s proposal clearly indicated that its proposed design included both a USB-C and a USB-2.0 port.” CACI MJAR at 1; see also id. at 14 (“[T]he evaluators mistakenly concluded that CACI‘s proposed MCL device design had just a single USB port.“). In reviewing the record, however, there is nothing “inexplicable” at all about the Army evaluators’ conclusion that Plaintiff‘s design includes a single USB port. In fact, Plaintiff‘s own proposal says so.
First, section 1.1.1.1.6 of Plaintiff‘s proposal—notably titled “Physical External Interface“—includes a segment titled “USB” that, to any reasonable reader, sets forth the design‘s USB capabilities and functionalities:
USB [SRD ID 569, 570, 588]: The MCL incorporates a ruggedized IP68-rated USB-C connector and corresponding dust cover. The COTS USB-C connector supports two operating modes where mode selection is based on attached devices. These modes support either high speed USB 3.0 + USB 2.0 or Display Port + USB 2.0 interfaces through the single USB-C connector and fully supports USB On-The-Go (OTG) operation (SRD ID 569, USB 3.0 exceeds SRD threshold requiring USB 2.0). . . . The USB-C interface supports the power rating required (supports 3A to 5A, battery requires 2.03A) to operate the device while charging the battery (SRD ID 574, Meets Objective). The MCL USB-C solution supports future innovation using the USB-C connector, which has become the standard interface for handheld and portable devices, including smartphones and laptops. USB-C is the next generation USB interface that is fully backward capable and future-proof.
AR 5478-79 (emphasis in original). The Court draws special attention to the proposal‘s choice of wording. Plaintiff‘s design “incorporates a ruggedized IP68-rated USB-C connector . . . .” Id. (emphasis added). “The COTS USB-C connector supports two operating modes . . . .” Id. (emphasis added). Most tellingly, “[t]hese modes support either high speed USB 3.0 + USB 2.0 or Display Port + USB 2.0 interfaces through the single USB-C connector . . . .” Id. (emphasis added). To read this section of the proposal as indicating anything more than a single accessible USB port would be, frankly, “inexplicable” and unreasonable. Indeed, there is no mention whatsoever of a second USB port in the section labeled “USB.” See AR 5478-79.
Plaintiff attempts to overcome this fact by first arguing that the Army unreasonably relied on Plaintiff‘s “prototype,” which was shown during an optional demonstration and on which the Army allegedly should not have relied in assigning deficiencies to Plaintiff‘s proposal. According to Plaintiff,
On February 4, 2021, prior to the Army‘s assessment of the related Deficiencies, [Plaintiff] provided the optional demonstration of its prototype product to designated Army evaluators. As indicated in its Technical Proposal, [Plaintiff] had already prototyped [redacted]% of the SRD‘s hardware requirements prior to its proposal submission. The prototype device that [Plaintiff] demonstrated already included a visible external USB-C port. The printed circuit board in the CACI prototype also included a second built-in USB port, consistent with Figure 5, MCL Block Diagram in [Plaintiff‘s] Technical Proposal. Because [Plaintiff] had [redacted] this second port, this second USB port was not visible to the Army‘s evaluators during the product demonstration. It appears that the Army‘s evaluators relied in significant part on their external view of the CACI prototype product, rather than [Plaintiff‘s] unambiguous proposal responses . . . to conclude erroneously that [Plaintiff‘s] MCL device design included only a single USB port.
CACI MJAR at 15 (citations omitted). Plaintiff further argues that “[s]uch an evaluation contradicts the RFP instruction that ‘Offeror demonstrations may only positively impact the risk rating based on the demonstrated ability to meet the NGLD-M requirements.‘” Id. at 15-16 (citing AR 1487). Even accepting as true Plaintiff‘s contention that a demonstration may not negatively impact an offeror‘s evaluation, nothing in Plaintiff‘s cited segment of the solicitation provides that the prototype itself, if presented as the offeror‘s revised proposal, may not negatively impact an offeror‘s risk rating. And from all appearances, the same or similar prototype shown during the demonstration is what Plaintiff presented to the Army in its final, revised proposal.
For example, Figure 4 of Plaintiff‘s revised proposal demonstrates the “MCL Physical Design Elements” and declares that “[o]ur functional prototype is ready for Government UAS/API development and integration on Day 1 of award.” AR 5473 (emphasis added). Figure 4 unambiguously shows a single USB-C port on the self-identified “prototype,” as follows:
Plaintiff attempts to rescue itself by pointing to section 1.1.2.1 of its proposal, wherein it states that the design “incorporates an additional USB 2.0 interface to support the future addition of devices like
First, the proposal‘s mention of “an additional USB 2.0 interface” appears not in the “USB” or “Physical External Interface” sections of the proposal, but rather pages later, buried within a section concerning “Operating System.” AR 5485. Any reasonable evaluator—or any reasonable reader for that matter—when searching the proposal for indications of a second (or third, or so on) USB port would rationally turn to the sub-section titled “USB” under the section “Physical External Interface.” Agencies must indeed review the whole proposal, but they are not compelled to comb the record for information that an offeror does not otherwise adequately present through a well-written proposal. KSC Boss All., LLC, 142 Fed. Cl. at 382 (“An offeror has the responsibility to submit a well-written proposal with adequately detailed information that allows for a meaningful review by the procuring agency.” (quoting Structural Assocs., Inc./Comfort Sys. USA (Syracuse) Joint Venture v. United States, 89 Fed. Cl. 735, 744 (2009))).12
Third, context suggests that Plaintiff knew exactly what it meant when it proposed a “single USB-C connector.” AR 5478. In presenting the “MCL Platform Architecture,” Plaintiff‘s final proposal states that “[i]n addition to
Fourth, context further suggests that even if Plaintiff contemplated a second USB port, it was only in terms of a future addition to the device—not something that would be available to the user on Day 1. For example, Plaintiff asserts that Figure 5, the “MCL Block Diagram,” shows a “USB-2 Expansion Port and a USB-C Port,” thus its design “clearly includes two COTS-item USB ports . . . .” CACI MJAR at 16 (citing AR 5474). If both were physical ports available on Day 1, however, there would presumably be no need to label one port an “expansion” but not the other. Moreover, the proposal‘s reference to “an additional USB 2.0 interface” mentions only the ”future addition of devices
In short, the Court finds nothing unreasonable about the Army‘s technical evaluation of Plaintiff‘s proposal.14 The solicitation plainly required 2FA. If 2FA was to be accomplished via a token, as Plaintiff‘s design proposes, the authentication period would end upon removal of the token, absent agreed upon conditions. Plaintiff provided no such conditions or evidence thereof. An additional USB port was therefore needed for the NGLD-M to simultaneously perform other critical functions. Plaintiff‘s design proposal—under any reasonable or rational reading—incorporates a single USB port, which, as was reasonably determined by the Army, cannot carry out necessary functions simultaneously. Accordingly, the Army evaluators were neither arbitrary nor capricious in assigning two deficiencies to Plaintiff‘s design methodology.
2. The Army Reasonably Assigned a Deficiency for CACI‘s Failure to Provide Size and Weight Information for its 2FA Solution
CACI also asserts that the Army acted unreasonably in assigning it a deficiency related to the Size, Weight, and Power (“SWAP“) requirements of this procurement. See CACI MJAR at 24-29. As is explained below, the Court finds that not only were the Army evaluators reasonable in assigning CACI a deficiency for failing to satisfy the SWAP requirements, but that they were entirely correct in doing so.
As a threshold matter, the Court briefly reviews the unambiguous SWAP requirements for this procurement. The Army required that the NGLD-M weigh less than eight pounds and be no greater than 7.75” long, 4.5” wide, and 2.5” deep. AR 1260. These dimensions not only provide parameters for the device itself, but for “operational hardware used to perform NGLD-M functions.” Id. Operational hardware encompasses the “primary device, batteries and accessories required to operate the NGLD-M.” Id. Only “[s]tandalone cables that provide a means of interfacing with systems, devices or power sources that are outside of the NGLD-M system context are exempt from the SWAP requirements.” Id.
Regarding the deficiency assigned for failure to provide updated SWAP information, CACI argues that the Army erroneously assigned that deficiency because the YubiKey is an external device and thus is not included in the SWAP requirements. See CACI MJAR at 25-26. CACI analogizes the YubiKey to a cellphone or RSA token, both of which are external devices, and asserts that because neither of those would be considered operational hardware, neither should the YubiKey.15 See CACI Reply at 25-26. Further, CACI argues that because the device would have a limited use outside of MA and HA mode, the YubiKey is not operational hardware because the YubiKey is only needed to achieve 2FA. See CACI MJAR at 26-28.
It is apparent to the Court that the Army evaluators reasonably determined that the SWAP dimensions in CACI‘s revised proposal did not include the YubiKey. In fact, CACI‘s updated proposal does not indicate any changes between its initial and final proposals in the sections pertaining to SWAP.16 Compare AR 1565 with AR 5474 (changes denoted in blue text). CACI also concedes as much. CACI MJAR at 28. What CACI contests, however, is the determination that the YubiKey is operational hardware. See generally CACI MJAR 25-28.
According to the Army, knowing the size and weight of all operational hardware in an offeror‘s proposal is important because: 1) the NGLD-M could, and is expected to be, utilized on the battlefield; and 2) it needs certain external operational hardware to function. See AR 1348; 1207-10 (describing the various triggers and requirements to enter different modes). Most important to the SWAP deficiency, the device requires 2FA to enter MA and HA modes, AR 1272-73, which CACI ultimately chose to accomplish via an external USB dongle. See AR 5661. The solicitation makes clear that without successful 2FA, the device is useless outside of turning on, being in alarm mode, or zeroizing. See AR 1207-10. The key question, then, is whether the YubiKey is operational hardware necessary to “operate the NGLD-M“?
In answering this question, it is important to focus on what the NGLD-M is: a device to decrypt and encrypt information, namely commands and orders on the battlefield. See AR 1348. That information is only accessible if users are able, through 2FA, to verify that they are who
Additionally, the Court is not persuaded by CACI‘s argument that the Army evaluators “just Google” the YubiKey‘s measurements to give them the confidence that the SWAP requirements would be met—if only it were that easy. In fact, the Court notes that CACI never specifies exactly which YubiKey product it plans to use. See CACI MJAR at 28-29 (“CACI specifically identified the brand and model of the COTS device that it proposed to achieve 2-FA-the YubiKey
Attempting to land one last punch, CACI argues that its interpretation of the YubiKey as not operational hardware is equally reasonable as the Army‘s determination that it is, which
In sum, the Army must be given enough information to draw a reasonable conclusion that CACI‘s proposed device would meet the solicitation‘s SWAP requirements. CACI failed to include a critical piece of such information in bidding for this contract. Therefore, the Army did not act unreasonably when it assigned CACI a deficiency for failing to meet the SWAP requirements.
CONCLUSION
For the reasons set forth above, Plaintiff failed to establish that it has standing to bring the instant protest. As stated in the Court‘s December 21, 2021, order, ECF No. 61, Plaintiff‘s complaint is dismissed for lack of subject matter jurisdiction, and the Clerk shall enter judgment accordingly.
The parties shall confer to determine agreed-to proposed redactions to this opinion. On or before January 10, 2022, the parties shall file a joint status report indicating their agreement on proposed redactions, attaching a copy of those pages of the Court‘s opinion that contain proposed redactions, with all proposed redactions clearly indicated.
IT IS SO ORDERED.
s/ Zachary N. Somers
ZACHARY N. SOMERS
Judge
