Case Information
In the United States Court of Federal Claims No. 24-1204
Filed: February 18, 2025 [*]
FOR PUBLICATION INTELLIBRIDGE, LLC, et al.,
Plaintiffs,
.
v.
UNITED STATES,
Defendant. Hamish Hume , Boies Schiller & Flexner LLP, Washington, DC, with Samuel C. Kaplan and Gina A. Rossman , of counsel, for the plaintiffs.
Ashley Akers , Civil Division, U.S. Department of Justice, Washington, D.C., for the defendant.
MEMORANDUM OPINION
HERTLING , Judge
In this pre-award bid protest, IntelliBridge, LLC (“IntelliBridge”) and its subsidiary, RevaComm, Inc. (“RevaComm,” and together, “IntelliBridge” or “the plaintiff”), challenge the issuance by the Centers for Medicare and Medicaid Services (“CMS”) of Request for Quotation No. 75FCMC24Q0011 (“RFQ”) for the CMS Hybrid Cloud Product Engineering & Operations (“PEO contract”). IntelliBridge alleges that, in issuing the RFQ, CMS violated 41 U.S.C. § 3307 (“section 3307”), a statute requiring agencies to conduct market research and to give a preference to commercial products and services in procuring goods and services. The plaintiff alleges that CMS violated the law by: (1) “seeking to develop new technology when it is eminently practicable to meet its requirements through existing nondevelopmental technology”; (2) failing to conduct “the type of market research that would reasonably be expected before shelving successful existing technology”; and (3) failing to use the results of its market research to satisfy the requirements of section 3307. (ECF 1 at 5.)
IntelliBridge provides “cloud, cyber, intelligence and next-generation digital solutions to defense and national security customers.” (ECF 1 at 6.) In 2021, RevaComm developed the CMS Continuous Authorization and Verification Engine (“batCAVE”), a software product that provides platform-as-a-service (“PaaS”) functions to support the “development and onboarding of apps” by CMS application (“app”) developers. (ECF 1 at 14-15.) The batCAVE platform automates the process by which app developers can secure legally required authorizations to operate (“ATOs”) and “obtain [these] verifications on an ongoing basis.” (ECF 27 at 2.) Under a CMS contract, IntelliBridge developed the batCAVE platform and, since September 2021, has licensed it to CMS. (ECF 27 at 8.) In spring 2024, however, CMS discontinued the use of the batCAVE platform because the platform had not been “widely adopted.” (AR 1271.)
As part of a revised technology-acquisition strategy, CMS decided to combine three existing contracts into a solicitation for what evolved into the PEO contract. The batCAVE contract was not one of the contracts combined into the PEO contract. Instead, the RFQ explains that CMS needed “agile and scalable infrastructure hosting environments,” including an “extensible platform with a Platform as a Service (PaaS) and Engineering Support Services operating model for CMS product development teams.” (AR 589.) The RFQ also requires that the awardee “develop and operate a modular product vending solution that enables customers to receive, both at initial onboarding and during normal operations, hosting service products and services.” (AR 1245.) The RFQ provided that the awardee’s solution “should be fully automated and incorporated into customer support workflows and triggered at appropriated times during the customer journey.” .
In August 2024, IntelliBridge filed this protest challenging the RFQ. IntelliBridge asserts that the PEO solicitation violates section 3307 by seeking a developmental solution to meet the agency’s requirements. [1] IntelliBridge further asserts that the RFQ, in seeking a developmental solution, would require the awardee to develop a product replicating the functionality of the batCAVE platform, an existing, nondevelopmental product. IntelliBridge claims that CMS violated section 3307 by launching the effort without “appropriate market research into the practicability of using batCAVE to meet its requirements.” (ECF 34 at 6.)
The defendant argues in its cross-motion for judgment on the administrative record that CMS fulfilled its obligations under section 3307 in its conduct of market research and issuance of the RFQ for commercial services, and that the procurement is not a developmental effort. The defendant argues that CMS is, in fact, procuring commercial cloud-computing services. The defendant also argues that language in the RFQ incorporates the requirements of section 3307, thereby subjecting the awardee to the statute’s market-research requirements and satisfying the agency’s statutory obligation.
The plaintiff’s problem is that CMS is not seeking to acquire what IntelliBridge is looking to sell. CMS is seeking to acquire an array of cloud-computing services and is acquiring those services from vendors with currently available commercial services. IntelliBridge’s batCAVE platform offers a narrower functionality than what CMS is seeking. CMS is therefore complying with its legal obligations, and its market research was appropriate to the procurement. Accordingly, IntelliBridge’s motion for judgment on the administrative record is denied, and the defendant’s cross-motion for judgment on the administrative record is granted.
I. FACTUAL BACKGROUND
CMS, a component of the Department of Health and Human Services, provides healthcare coverage for beneficiaries enrolled in Medicare, Medicaid, the Children’s Health Insurance Program, and for individuals enrolled in a qualified health plan through the health- insurance marketplace created by the Affordable Care Act. (AR 15.)
The Infrastructure and User Services Group (“IUSG”) of CMS’s Office of Information Technology (“OIT”) “supports the CMS cloud infrastructure by provisioning, maintaining and supporting applications serving CMS’s beneficiaries.” (AR 17.) The IUSG also “provides end- to-end application hosting services for over 300 CMS business workloads.” (AR 16.) The IUSG’s role includes providing “all aspects of data center operations; physical infrastructure operations; compute and storage services; network administration; virtualization operations; application infrastructure operations; and application middleware operations.” ( .)
In 2011, the federal government instituted the Federal Cloud Computing Strategy, which was “intended to accelerate the pace at which the government will realize the value of cloud computing by requiring agencies to evaluate safe, secure cloud computing options before making any new investments.” [2]
Since the publication of the Federal Cloud Computing Strategy, “CMS has undertaken several cloud initiatives” to establish “a Cloud First policy” and “leverage shared infrastructure and economies of scale, as well as to decrease implementation times.” (AR 15.) As a result, “[h]ow the CMS enclave and its shared services were designed and delivered to CMS [Application Delivery Organizations (“ADOs”)] has greatly evolved over time.” (AR 1058.) ADOs migrate and deploy applications and systems to the CMS cloud environments. (AR 22.)
The OIT/IUSG has “developed a strategic vision for CMS to become the leading agency in leveraging modern cloud technology.” (AR 16.) The goal of CMS’s cloud initiatives is to deliver “Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) from one or more cloud service providers” and Common Engineering Services to facilitate the use of these services by ADOs. (AR 1162.) One of these cloud service providers to CMS has been IntelliBridge, through its batCAVE platform.
A. batCAVE
The Federal Information Security Management Act of 2002 (“FISMA”), 44 U.S.C. § 3541, requires federal agencies to issue ATOs to any software application that seeks to use the agency’s information-technology systems. To compete for federal contracts, RevaComm developed a PaaS to allow application developers to meet FISMA’s cybersecurity requirements and obtain the necessary ATOs. (ECF 27-1 at 2.) RevaComm’s platform also supports ongoing verification for app development. ( .)
In September 2021, CMS awarded RevaComm a Small Business Innovation Research (“SBIR”) Indefinite Delivery, Indefinite Quantity (“IDIQ”) contract. [3] (AR 1879.) Under that contract, RevaComm was, among other things, to develop a PaaS “to support more rapid development of secure and usable systems.” (AR 1890.)
RevaComm used this contract to develop a PaaS that became the batCAVE platform. (AR 299.) The batCAVE platform, or the “Continuous Authorization and Verification Engine,” is a PaaS “developed to assist in the development, security, and operation (“DevSecOps”) of software apps that are onboarded onto the CMS system, including by automating much of the process for ensuring software apps meet the [g]overnment’s stringent cybersecurity requirements.” [4] (AR 1890; ECF 27-1 at 2.) The batCAVE platform also includes “a curriculum to facilitate onboarding onto CMS’s information systems.” (ECF 27-1 at 3.)
The batCAVE platform “enables Continuous Authority to Operate (cATO) capabilities which allow . . . [ADOs] to continuously release software solutions to end-users” by “provid[ing] an automated pipeline that reduces costs” and “reduces compliance control burdens through continuous authorization.” (AR 299.) The batCAVE platform allows ADOs to “focus on their applications' business operations” and “achieve a CMS ATO within months compared to their previous standard of more than a year.” ( Id .) According to Mr. Kimura, the batCAVE platform “accelerates the ATO process by offering a built-in suite of tools, resources, and security control mapping that automate about 75% of the cybersecurity and compliance processes needed to obtain an ATO.” (ECF 27-1 at 4-5.) By deploying apps to batCAVE, app developers can “avoid highly time-consuming and resource-intensive manual documentation, assessment, testing, and evidence production that otherwise would be required.” ( Id .)
The batCAVE platform also helps to facilitate faster deployment times and technology standardization using “templates for Infrastructure as Code (IaC) components that can be used to onboard similar apps with other app developers.” ( Id. at 10.) Along with these templates, the batCAVE support team provides “documentation to execute these best practices.” ( Id .)
Finally, [t]he batCAVE platform provides CMS with “continuous security monitoring tools that ensure that every app update complies with CMS’s cybersecurity requirements.” ( Id. at 5.) These tools “ensure that every app update (from the major to the minor) complies with CMS’s cybersecurity requirements,” and can “obviate the need for ATO recertification” because, “by virtue of their deployment on batCAVE, apps are continuously in compliance.” ( Id .)
In September 2022, CMS issued a task order to IntelliBridge under the SBIR IDIQ contract to deploy the batCAVE platform to provide onboarding services for app developers and to integrate developer apps with CMS systems. (AR 1759.) In 2023, CMS exercised an option to extend through September 29, 2024, the use of the batCAVE platform for these purposes. (AR 1547.) In spring 2024, however, CMS decided to discontinue using the batCAVE platform because, according to internal CMS emails, CMS app developers had not widely adopted it. (AR 1271.) CMS also determined that it could migrate ADOs from the batCAVE infrastructure to an alternative existing infrastructure. (AR 1286-89.)
B. CMS Acquisition Strategy
Separately, in November 2022, CMS began to develop an acquisition strategy for Infrastructure and End User Services. (AR 11.001.) The scope of the acquisition strategy included “providing for day-to-day operations and maintenance activities of CMS’[s] enterprise- wide infrastructure, including managing the mainframe, backing up CMS’[s] mission critical applications, and providing support to 6,500 CMS employees.” ( .)
On April 11, 2024, as part of this acquisition strategy, CMS decided to proceed with the acquisition of the PEO contract and produced a draft Statement of Objectives (“SOO”) for that acquisition. (AR 12.) The project requirements outlined in the draft SOO noted that the awardee:
shall acquire, design, build, operate, maintain, refine, modernize, and evolve all cloud services, agile software and network infrastructure, and products and services required to deliver consumable CMS cloud infrastructure services for CMS customers as envisioned in this SOO. Additionally, the contractor will support Application Development Organizations (ADOs) and their system / business owners in the migration and deployment of applications and systems to the CMS cloud environments.
(AR 22.)
The draft SOO also noted that the “[c]ontractor will work with CMS and the other contractor teams . . . as one team (integrated partners) to collaborate and jointly realize OIT’s product vision.” ( .) The batCAVE platform was listed in the SOO as one of the contracts that “directly support the CMS Cloud and Hybrid Cloud Program.” (AR 20-21.) The SOO described the batCAVE contract as “support[ing] software and systems development for [the] batCAVE platform and supporting products, including platform instrumentation, continuous integration and deployment pipelines, and continuous authorization support.” (AR 21.)
C. CMS Market Research
To conduct market research before issuing the RFQ, CMS issued on April 22, 2024, a Request for Information (“RFI”) (AR 48-51), to which the draft SOO was attached. (AR 12-47.) The RFI was posted to the General Services Administration (“GSA”) e-buy website under two categories, Information Technology Professional Services and Cloud Computing and Cloud Related Information Technology. (AR 587, 590.)
The RFI described CMS’s new contract as “support[ing] the [OIT and IUSG] vision which includes the following but is not limited to acquiring, designing, building, operating, maintaining, refining, modernizing, and evolving all current and future cloud services.” (AR 49.) CMS also provided the following description of the OIT cloud infrastructure for which the eventual awardee would be expected to provide support:
CMS/OIT manages two large physical data centers, Equinix East (Ashburn Data Center) and Equinix West (Kent Data Center), and several cloud enclaves (AWS commercial, AWS GovCloud, and MAG). The CPEO contractor will primarily provide support for the cloud enclaves. CMS is the largest non-DoD federal consumer of the cloud. The current OIT Cloud Infrastructure hosts over 120 FISMA systems consisting of over several hundred workloads spanning both AWS and MAG. Most of the applications are hosted in AWS, with a handful in MAG. The contractor is expected to support an ever-increasing number of FISMA applications/systems throughout the life of this contract. The OIT Cloud Infrastructure has a total of over 13,500 instances across 1550 plus [Virtual Private Clouds] (these figures will grow as customers onboard).
(AR 49.) [5]
Respondents to the RFI were asked to address the items: 1. Describe your organization’s experience in managing large-scale infrastructure services inclusive of on-premises and cloud-based infrastructure.
2. Describe your organization’s approach for delivery of infrastructure and shared services to a large federal organization with varying levels of DevSecOps maturity and experience.
3. Describe your organization’s approach for staffing a large-scale infrastructure services program that includes basic infrastructure services (e.g., compute, storage, network) as well as more complex, modern shared services (e.g., DevSecOps pipeline, security vulnerability management, CI/CD services, etc.).
4. Describe your organization’s experience and/or approach to supporting 24x7 operations while still providing core product development and engineering services in a scrum-based delivery model.
5. Describe your organization’s experience and approach for managing multiple GSS ATO boundaries under a singular governance umbrella.
6. Describe your firm’s ability to staff this requirement or ability to staff up to meet the requirement. What is the expected timeline to identify and obtain the necessary skill sets? What resources are currently available to meet the draft requirement?
(AR 50.)
Responses to the RFI were due May 6, 2024. (AR 48.) IntelliBridge, along with 47 other vendors, responded to the RFI by the closing date. (AR 591.) In its response, IntelliBridge described its batCAVE platform as “a secure PaaS which can be deployed on-premises or in the cloud” and which can “assist application teams utilizing these data centers and hybrid cloud environments to modernize and deploy their applications to a cloud-native state.” (AR 295.)
IntelliBridge also claimed that it had “significant experience providing the services listed in the Statement of Objectives (SOO), including cloud services.” (AR 294.) In addition, IntelliBridge informed CMS that it was able to “actively demonstrate[ ]” its cloud service experience through RevaComm’s “work on the Continuous Authorization and Verification Engine (batCAVE) program for CMS.” ( .) IntelliBridge noted, however, that the batCAVE platform was “still in the early stages” with “approximately nine applications in production.” (AR 299.) The implementation status for the batCAVE ATO was listed as “Completed,” but the cATO function was described as “in progress.” (AR 299.)
Based on these responses, CMS prepared a Market Research Report (“MRR”) for the PEO Contract. The MRR was issued on June 6, 2024. (AR 587.) The MRR explained that “[t]he objective of th[e] effort is to obtain, design , build, operate, maintain, refine, modernize, and evolve all cloud services, agile software, and network infrastructure, and products and services required to deliver consumable CMS cloud infrastructure services for CMS customers.” (AR 589.) (Emphasis added.)
Moreover, in the MRR, CMS described OIT/IUSG’s needs as including at least the following elements:
1. Private, cloud-based web and data services for CMS organizations
2. Rapid creation and modification of processing environments 3. Automated cloud and platform management services 4. Cloud-based web and data services in a scalable, secure, highly available, and cost-effective manner
5. An extensible platform with a Platform as a Service (PaaS) and Engineering Support Services operating model for CMS product development teams
6. Product implementation services, enabling DevOps methods and processes with a focus on self-service and automation, to provide for simplified implementation and operations with increased operational reliability. Help ADOs focus on delivering business value quickly and continuously using native cloud services which provide an abstraction layer over physical and virtual hardware, network and security devices or tools.”
( Id .)
The MRR noted that “[t]he services required under this effort were originally covered under multiple separate task orders as CMS actively migrated from physical data centers to virtual data centers and the cloud environment.” (AR 588.) The task orders being grouped under the PEO contract include “the CMS Onboarding, Migration, Engineering and Training (COMET), Cloud Security Operations & Maintenance (SecOps) and the Cloud Assistance and Rapid Engineering (CARE) contracts.” (AR 590.) These preexisting contracts were procured under a GSA Multiple Award Schedule contract for commercial products and services. All three of these existing contracts being subsumed within the PEO contract had previously been set aside for small businesses. ( Id .)
The MRR concluded that there is “a large interest in this requirement and several opportunities for subcontractor involvement.” (AR 588.) CMS observed that several respondents to the RFI “appeared to have some understanding of the PEO requirements but were not necessarily equipped to manage the contract without assistance.” ( Id .) CMS determined that only four of the respondents “demonstrated the capability of providing support and understanding of the requirements based on the response to all questions.” (AR 592.) In addition, a fifth vendor was deemed “borderline capable” but “would require support.” ( .)
IntelliBridge was not one of the five respondents deemed capable or borderline capable. CMS rated Intellibridge’s responses to the RFI as “low” and determined that IntelliBridge was “not capable.” (AR 586.) Additionally, IntelliBridge was listed as an “other than small business.” ( .)
The MRR concluded that “based on the information received, [CMS] will be able to obtain three or more acceptable quotes” from small businesses and, accordingly, “set [the contract] aside for small businesses.” (AR 589.) Because CMS determined to set the contract aside for a small business, CMS did not evaluate each element of IntelliBridge’s response to the RFI, because it is not a small business.
CMS also determined that “[b]ased on market research, [the PEO contract] could be considered an acquisition of commercial items in the form of professional services delivered on an hourly basis using labor categories specified in a price list.” (AR 595.)
On July 1, 2024, CMS published a streamlined acquisition plan detailing its solicitation requirements, procurement history, performance requirements, risks, and procurement requirements. (AR 606.) The acquisition plan noted that the acquisition was set aside for small businesses and that it would be a FAR part 37 performance-based acquisition. (AR 618, 629.) According to CMS’s acquisition plan, the solicitation would include the SOO, which would form the basis for the performance work statement (“PWS”) from each offeror. Under this format, each offeror would propose its own solutions to address the needs of the agency. (AR 629.) [6]
On July 11, 2024, CMS issued the RFQ under FAR 8.405 for GSA Multiple Award Schedule contract holders for commercial cloud services as a “100% set aside for small business participants.” (AR 1209.)
D. RFQ and SOO
The RFQ is for the acquisition of “CMS Hybrid Cloud Product Engineering and Operations (PEO).” The RFQ described the acquisition as one for “commercial, severable services.” (AR 1209.) The RFQ and its accompanying SOO were both amended four times. In the SOO amended on July 11, 2024, CMS added language requiring that the awardee:
develop and operate a modular product vending solution that enables customers to receive, both at initial onboarding and during normal operations, hosting service products and services. This solution should define the initial set of products to be vended at initial onboarding into the hosting service to allow the customer to quickly build and deploy their applications and it should support post go- live vending of add-on products used by customers on an as needed basis. Initial vending should include base VPC deployments, security scanning products, gold image products, logging products, baseline DevSecOps products, backup/restore products, and authentication products, at a minimum. Post go-live products to be automatically vended should include performance testing products, APM and advanced monitoring products, and disaster recovery, at a minimum. This solution should be fully automated and incorporated into customer support workflows and triggered at appropriated times during the customer journey.
(AR 1174.) (Emphasis added.)
The RFQ and SOO were revised for the last time on August 6, 2024. Most of the changes made by various amendments were minor edits or corrections of clerical errors. The final version of the RFQ asked offerors to detail their corporate experience in several relevant focus areas. These included: (1) “[p]roviding Enterprise Cloud Operations that satisfy and support multiple lines of businesses”; (2) “[p]roviding, managing, and scheduling a robust and complex large-scale change management system/process”; (3) “[p]roviding incident response strategy, processes, and staffing” to meet the needs of the CMS cloud service offerings; (4) “[p]roviding complex Enterprise hybrid cloud security operations, compliance, and governance”; (5) “[p]roviding design and operation services for enterprise products and tools” that can be utilized by CMS customers “across different potential platforms”; and (6) “[p]roviding strategy and implementation of broad data collection to identify service quality, utilization, and prioritize development priorities.” (AR 1216.)
The final version of the SOO retains the language detailing that the awardee would “support [ADOs] . . . in the migration and deployment of applications and systems to the CMS cloud environments.” (AR 22, 1245.) The final amendment to the SOO also added a new section addressing section 3307.
This new section of the SOO notes that the awardee would be required to comply with section 3307 by preferring commercial products and services “when procuring or making recommendations to CMS for the procurement of products or services” under the PEO contract. (AR 1269.) The section specifies that the awardee must “[p]erform market research considering the[ ] requirements” of section 3307 and provide “an analysis of alternatives and make a recommendation or determination as to whether or not such items or services are suitable for re- use in performance of the contract.” (AR 1269-70.) To comply with this requirement, the awardee must “describe requirements in terms of functions to be performed, . . . consider non- developmental or off-the-shelf solutions, . . . make a recommendation as to whether or not such items or services are suitable for re-use in performance of the contract, . . . and document these activities.” ( .)
The final SOO also includes specific requirements regarding app developers and the ATOs necessary for their integration into the CMS cloud. According to the final version of the SOO, the awardee would be required to provide “ADOs with a secure, automated, maintainable cloud architecture” that would allow for the facilitation and simple deployment of application ATOs. (AR 1238.) Additionally, the awardee should provide “upskill application teams and business owner[s] to be better practitioners of the cloud and increase comfort with cloud migrations.” ( Id .) Finally, the awardee should “[p]rovide the ADOs with the flexibility of full DevSecOps IaaS and PaaS family product offerings, migration services and/or assessment and planning, rearchitecture [sic] engineering assistance, and/or a managed service product offering.” ( Id .) To accomplish these tasks, “the PEO Contractor must, at times, closely coordinate and collaborate with the [ADOs] . . . as well as potentially other CMS hosting contractors.” (AR 1240.)
In addition, the SOO requires the awardee “to support any new applications that onboard to one of CMS’ cloud offerings” and to help “enable the CMS cloud and IUSG to maintain and deliver key operational and support services that support applications deployed into the CMS cloud.” (AR 1237.) According to the final SOO, the solicitation is intended to “create, implement, maintain, and operate plans for research, development, services, cloud infrastructure, and applications to meet the requirements for technologies identified” within the following areas: (1) Hybrid Cloud Engineering and Operations; (2) Enterprise Products and Tools Administration and Support; and (3) Enterprise Security Operations. (AR 1231, 1242.) The SOO provides detailed expectations for offerors in each of these three areas.
a. Hybrid Cloud Engineering and Operations
For the awardee to fulfill CMS’s requirements for Hybrid Cloud Engineering and Operations, the SOO requires the awardee to “assist CMS in managing and operating CMS cloud infrastructure hosting services by providing cloud operations support necessary for enhancing, onboarding, optimizing, maximizing cost efficiencies, and maintaining cloud computing capabilities at CMS.” (AR 1242.) This work includes operations-management services for CMS cloud service providers (“CSPs”). The awardee must “maintain and operate multiple environments such as Sandbox, Dev, Test, Staging, Implementation, non-Production and Production in various CSP provided enclaves.” (AR 1243.) Moreover, the awardee will work with CSPs “to perform these services as core offerings to ADOs to operate in cloud.” ( Id .) The awardee will also provide support and coordination as needed to interface with various tools and existing contractors in areas such as: Domain Name System (“DNS”), Active Directory, Simple Mail Transfer Protocol (“SMTP”), and Patching. ( .)
The contractor will need, among other things, to be able to support the following objectives in its technology “stack”: (1) back up and maintain key services; (2) support and administer customer issues related to Windows and Linux on CMS Cloud infrastructure; (3) provide cloud support and management to support improvements in system uptime, performance, visibility, and security operations; (4) support CMS’s requirements for alerting, change management, and incident management for all the tools and cloud services administered and maintained; (5) be responsible for the disaster recovery for the tools and services maintained and administered under this contract; (6) facilitate the creation of a set of APIs that power every CMS cloud service and which can be exposed to approved internal ADOs and third parties; (7) work with contracting partners to build automation in all areas of the customer journey; (8) analyze the current cloud security and recommend, develop, assess, test, implement, and maintain upgrades that provide greater security to the CMS cloud; (9) and develop and operate a modular product vending solution that enables customers to receive, both at initial onboarding and during normal operations, hosting service products and services. (AR 1243-45.)
b. Enterprise Products and Tools Administration and Support According to the SOO, the contractor is responsible for the administration and support of critical enterprise products and tools that are already hosted in the CMS cloud. These include: Atlassian Tools, Github, and the cloud governance tool Kion. [7] (AR 1246-47.) The contractor will be required to, among other things, oversee and support the configuration, maintenance, administration, integration, API configuration, monitoring, future upgrades, and enhancements to these products and tools. (AR 1247.)
c. Enterprise Security Operations Enterprise security is also a component of the SOO. The contractor will be required to deliver “all required services necessary to ensure the continuous security of the CMS Cloud, Hybrid Cloud, and Enterprise [General Support Systems].” ( .) The contractor will be “responsible for ensuring the CMS Cloud and Hybrid Cloud program has policies and procedures in place and is responsible for implementation of controls or plans that fulfill the CMS Information Security Policy requirements.” (AR 1249.) A few of the required tasks include taking over operations of the 24/7/365 CMS security-operations center, monitoring and acting upon security events and incidents, integrating with the CMS enterprise-security- operations center, conducting vulnerability and compliance scanning, and administering, supporting, and configuring continuous monitoring functionality. (AR 1248-49.)
The contractor will work closely with the CMS Hosting Coordinator team to triage requests from ADOs seeking to onboard to the CMS cloud. The contractor will be required to support ADOs in the migration and deployment of apps and systems to OIT cloud environments.
To achieve these goals, the contractor is required under the SOO to maintain ATOs for the services and tools administered and maintained under this contract. The contractor shall also “develop and maintain Application/Infrastructure security documentation in support of achieving and maintaining an Authority to Operate (ATO) at General Support System (GSS) level” and “comply with CMS ATO process for all CMS Cloud Offerings, Hybrid Cloud Offerings, and Enterprise Hosting Offering[s].” (AR 1248.)
Furthermore, the contractor “shall support CMS’s requirements for monitoring and alerting for all the tools and services administered and maintained under this contract” as well as “proactively prepare for and actively participate in interviews, examinations, testing, and reviews from the auditing community.” (AR 1252-53.) To protect CMS and app-developer data, the contractor is instructed to “[d]esign, build, operate and maintain security features as part of a DevSecOps framework in connection with the services delivered by the CMS Cloud program for consumption by ADOs and CMS Cloud product teams.” (AR 1250.)
Continuous monitoring functionality and incident management are also aspects required of the contractor under the SOO. The contractor is required to “[d]evelop, implement, and administer a CMS-approved continuous monitoring plan including supplying feeds required by the Department of Homeland Security (DHS) for Continuous Diagnostics and Mitigation (CDM).” (AR 1253.) In addition, “[t]he [c]ontractor shall support CMS’s requirements for alerting and incident management for all of the tools and services administered and maintained under this contract.” (AR 1255.)
II. PROCEDURAL HISTORY
The plaintiff filed its complaint on August 8, 2024. [8] (ECF 1.) The plaintiff moved for judgment on the administrative record and to supplement the administrative record on October 8, 2024. (ECF 27.) On November 11, 2024, the defendant moved to dismiss and cross-moved for judgment on the administrative record. (ECF 28.) The plaintiff responded on November 26, 2024 (ECF 34), and the defendant replied on December 18, 2024. (ECF 37.) On January 13, 2025, a portion of the plaintiff’s motion to supplement the administrative record with the plaintiff’s Contractor Performance Assessment Reporting System reviews was denied, and a portion was deferred until oral argument. (ECF 41.) Oral argument, postponed due to inclement weather, was held on January 16, 2025. At oral argument, as noted in footnote 4, the remainder of the plaintiff’s motion to supplement the administrative record was granted, and the Kimura declarations were included in the record for a limited purpose. (ECF 44.)
III. JURISDICTION
The Court of Federal Claims has jurisdiction over “an action by an interested party objecting to a solicitation by a Federal agency for bids or proposals for a proposed contract or to a proposed award or the award of a contract or any alleged violation of statute or regulation in connection with a procurement or a proposed procurement.” 28 U.S.C. § 1491(b)(1). Actions brought under this provision are typically called bid protests.
The plaintiff has alleged that CMS failed to comply with the “market research requirements, acquisition planning requirements, and procurement requirements” laid out in section 3307 before issuing the PEO contract solicitation. (ECF 27 at 21.) Accordingly, the plaintiff’s claims fall within the bid-protest jurisdiction of the court.
IV. STANDING
For a plaintiff to have statutory standing in a bid protest, it “must be an ‘interested party,’ 28 U.S.C. § 1491(b)(1), that is, a party with a substantial chance of securing the award.” CACI, Inc.-Fed. v. United States , 67 F.4th 1145, 1152 (Fed. Cir. 2023). To qualify as an interested party, an offeror must allege facts, that, if true, “establish that it (1) is an actual or prospective bidder, and (2) possesses the requisite direct economic interest.” Rex Serv. Corp. v. United States , 448 F.3d 1305, 1307 (Fed. Cir. 2006).
An offeror in a pre-award protest may establish a direct economic interest by demonstrating the solicitation or bidding process caused it to suffer a “non-trivial competitive injury.” Weeks Marine v. United States , 575 F.3d 1352, 1361-62 (Fed. Cir. 2009). This standard applies when a “prospective bidder” challenges a solicitation’s terms “prior to actually submitting a bid.” Orion Tech. Inc. v. United States , 704 F.3d 1344, 1348 (Fed. Cir. 2013). Although the plaintiff submitted a response to the RFI, it has not submitted an offer to the RFQ, for which, as a non-small business, it is not qualified.
The parties do not dispute that IntelliBridge has standing to pursue this protest as a prospective offeror for the PEO contract. IntelliBridge has established that it is a prospective offeror because it has been a contractor providing PaaS services for CMS since 2021 and was prepared “to submit a proposal in response to the RFQ.” (ECF 27 at 22.) IntelliBridge also responded to the RFI. (AR 591.) If CMS were found to have violated section 3307 by failing to conduct appropriate market research into commercially available products to meet that statute’s requirements, the plaintiff, as a prospective provider of an existing, nondevelopmental solution, could have their economic interest directly affected. As provider of the batCAVE platform formerly used by CMS, the plaintiff would have a non-trivial chance of having CMS reacquire that platform to perform the RFQ, if the batCAVE platform meets the RFQ’s requirements. In their complaint, the plaintiff alleges that they “can meet the entire requirements of the RFQ.” (ECF 1 at 8.) For determining standing, that allegation is assumed to be true. Accordingly, the plaintiff has adequately alleged that it is an interested party and has standing.
V. STANDARD OF REVIEW
On a motion for judgment on the administrative record pursuant to Rule 52.1 of the Rules of the United States Court of Federal Claims (“RCFC”), the court’s review is limited to the administrative record, with findings of fact made as if the case was a trial on a paper record. See Bannum, Inc. v. United States , 404 F.3d 1346, 1353-56 (Fed. Cir. 2005). The court must determine whether a party has met its burden of proof based solely on the evidence in the administrative record. Id. at 1355-56. Genuine issues of material fact will not foreclose judgment on the administrative record. Id.; see also Palantir USG, Inc., v. United States, 904 F.3d 980, 989 (Fed. Cir. 2018).
Bid protests require a two-step analysis. Bannum , 404 F.3d at 1351. First, the court must determine whether the government’s conduct is “arbitrary and capricious” or “not in accordance with law” under 5 U.S.C. § 706. Id. (citing 5 U.S.C. § 706; 28 U.S.C. § 1491(b)(4)). To find that an agency acted arbitrarily and capriciously, a court must “determine whether ‘(1) the procurement official’s decision lacked a rational basis; or (2) the procurement procedure involved a violation of regulation or procedure.’” Weeks Marine, 575 F.3d at 1358 (quoting PGBA, LLC v. United States , 389 F.3d 1219, 1225 n.4 (Fed. Cir. 2004)).
The arbitrary and capricious standard requires a court to give considerable deference to the agency. See Safeguard Base Operations, LLC v. United States , 989 F.3d 1326, 1343 (Fed. Cir. 2021). A reviewing court may not substitute its judgment for that of the agency; instead, a court evaluates the basis for the agency’s decision to determine if it is reasonable, supported by the record before the agency, and consistent with the law. See Motor Vehicle Mfrs. Ass’n of U.S., Inc. v. State Farm Mut. Auto. Ins. Co. , 463 U.S. 29, 43 (1983).
Second, the court must “determine, as a factual matter, if the bid protester was prejudiced by that conduct.” Bannum, 404 F.3d at 1351. “[T]he second step is always required before setting aside a bid award, regardless of whether the error identified at the first step was arbitrary and capricious action or, instead, a violation of law.” Sys. Stud. & Simulation, Inc. v. United States , 22 F.4th 994, 997 (Fed. Cir. 2021). In the context of a pre-award protest, as Judge Roumel explained, to prevail on its claim, a “protestor must demonstrate ‘a greater-than- insignificant chance’ that correcting the agency’s errors [in the procurement process] could lead to a different result for the protestor.” SH Synergy, LLC v. United States , 165 Fed. Cl. 745, 758 (2023) (quoting Am. Relocation Connections, L.L.C. v. United States , 789 F. App’x 221, 228 (Fed. Cir. 2019)).
VI. DISCUSSION
Section 3307 requires that during the procurement process federal agencies, “to the maximum extent practicable,” define the products or services they are seeking in a manner that allows for the procurement of “commercial services or commercial products or, to the extent that commercial products . . . are not available, nondevelopmental items” to fulfill the agency’s requirements. 41 U.S.C. § 3307(b).
IntelliBridge argues that the RFQ reflects an effort by CMS to circumvent section 3307 and acquire a developmental product that would replicate the functionality of the batCAVE platform, rather than acquiring that existing platform. As a result, the plaintiff argues, the RFQ violates section 3307 by failing to conduct “appropriate market research into the practicability of using batCAVE to meet its requirements” and instead seeking a developmental solution. (ECF 34 at 6.)
CMS responds that it is procuring existing commercial services rather than seeking a developmental solution. As a result, its market research focusing on those commercial services was appropriate. (ECF 28 at 25.) The agency claims that the PEO contract complies with section 3307 by properly defining the agency’s needs and allowing it to determine the availability of commercially available products or services to meet those needs. CMS argues further that the PEO contract is not an attempt to replicate the batCAVE platform but rather an effort to procure “commercial cloud product engineering and operations services.” ( Id at 27.) Thus, CMS argues, its market research was designed for that purpose and made clear that the services the agency is seeking to procure are “for the support of a commercial product and are otherwise available to the general public under similar terms and conditions.” ( . at 26.)
Citing section 3307’s definition of “commercial services,” the plaintiff retorts that the RFQ does not seek a commercial service, because the definition of that term in the statute “does not include services designed to develop new functionality or to replicate the functionality of an existing, fully-developed product.” (ECF 34 at 13.) IntelliBridge claims that the batCAVE platform could, among other things, fulfill the SOO’s requirement to “develop and operate a modular product vending solution.” (ECF 27 at 34.)
According to CMS, however, IntelliBridge “misunderstand[s] that the RFQ calls for development.” (ECF 37 at 12.) Moreover, it argues that whether it is seeking a developmental solution is irrelevant because section 3307 requires the agency to consider nondevelopmental items, like the batCAVE platform, only when commercial products or services are not available. Here, CMS argues the service it is seeking, cloud computing and cloud-related information technology (“IT”) professional services, are available. Therefore, it has no need to procure a developmental solution and fulfilled its obligations under section 3307 when it conducted its market research. According to CMS, its conduct of market research and issuance of the RFQ for commercial services were appropriate to its needs and complied with section 3307.
In addition, even if the plaintiff were correct, the defendant argues that the incorporation into the SOO of the obligation that the awardee must comply with section 3307 subjects the awardee to the same market-research obligations as the agency and thereby complies with the statute. This obligation will require the awardee, prior to using a developmental solution, to conduct market research into whether a commercial or nondevelopmental product, such as the batCAVE platform, is appropriate for use in the awardee’s effort.
IntelliBridge and CMS present starkly divergent views regarding the nature of the RFQ. The parties dispute what product or services CMS is seeking to procure. IntelliBridge’s argument rests on the claim that CMS is not procuring a commercial service but instead seeks to recreate the batCAVE platform’s functionality through a developmental solution. CMS, on the other hand, describes the PEO contract as one for cloud and IT professional services.
Resolution of the cross-motions for judgment on the administrative record initially requires factual findings, based on the administrative record, on the scope of procurement at issue. See Bannum, 404 F.3d at 1355-56; see also Palantir , 904 F.3d at 989.
A. Findings of Fact
The first step towards deciding this protest is to determine whether CMS is procuring a commercial service or if instead it is seeking a developmental solution to replicate the batCAVE platform’s functionality.
It is appropriate to focus on the batCAVE platform when considering whether the solicitation is seeking a developmental solution or commercial services. Intellibridge’s ability to perform the contract is, according to its submission to CMS, directly related to the functionality of the batCAVE platform. The plaintiff cites its “significant experience providing the services listed in the [SOO], including cloud services” and claims that its “expertise is actively demonstrated through . . . [its] work on the [batCAVE] program for CMS.” (AR 294.)
For the plaintiff to prevail, CMS must first be seeking to procure a product that performs the same or similar functionality as the batCAVE platform; then, CMS must be found to have decided that, rather than procure the existing batCAVE platform itself, it would instead replicate that functionality through a developmental solution. On this record, however, IntelliBridge has failed to meet its burden to demonstrate that, as a factual matter, CMS is seeking to procure a product that replicates the functionality of the batCAVE platform. Instead, CMS is seeking a broad set of cloud computing and IT-management services, and based on the RFQ responses, it will be able to acquire those services through a commercially available, nondevelopmental solution.
1. batCAVE Platform According to Mr. Kimura’s initial declaration, the batCAVE platform is a PaaS and curriculum “developed to assist in the development, security, and operation (‘DevSecOps’) of software apps that are onboarded onto the CMS system, including by automating much of the process for ensuring software apps meet the [g]overnment’s stringent cybersecurity requirements.” (ECF 27-1 at 2-3.) IntelliBridge’s response to the RFI elaborates further, explaining that the batCAVE platform “can be deployed on-premises or in the cloud” to “assist application teams utilizing [ ] data centers and hybrid cloud environments to modernize and deploy their applications to a cloud-native state.” (AR 295.)
Mr. Kimura explains that the batCAVE platform also “accelerates the ATO process” allowing app developers to “avoid highly time-consuming and resource-intensive manual documentation, assessment, testing, and evidence production that otherwise would be required.” (ECF 27-1 at 4-5.) The batCAVE platform accelerates the ATO process by using “templates for Infrastructure as Code (IaC) components that can be used to onboard similar apps with other app developers.” ( Id. at 10.) Along with these templates, the batCAVE support team provides “documentation to execute these best practices.” ( .)
The batCAVE platform can also “ensure that every app update complies with CMS’s cybersecurity requirements.” ( Id. at 5.) Additionally, the batCAVE platform’s continuous monitoring can “obviate the need for ATO recertification” because, “by virtue of their deployment on batCAVE, apps are continuously in compliance.” ( Id .)
IntelliBridge’s RFI response describes the batCAVE platform’s cATO capabilities as “allow[ing] . . . [ADOs] to continuously release software solutions to end-users” by “provid[ing] an automated pipeline that reduces costs” and “reduces compliance control burdens through continuous authorization.” (AR 299.) The batCAVE platform allows ADOs to “focus on their applications’ business operations” and “achieve a CMS ATO within months compared to their previous standard of more than a year.” ( Id .)
IntelliBridge acknowledged in its RFI response that batCAVE was “still in the early stages” with “approximately nine applications in production.” ( Id .) Although IntelliBridge noted the implementation status for the batCAVE ATO as “completed,” it noted that its cATO remains “in progress.” ( Id .)
2. CMS Solicitation According to the initial draft of the SOO, CMS is seeking an awardee to “provid[e] for day-to-day operations and maintenance activities of CMS’[s] enterprise-wide infrastructure, including managing the mainframe, backing up CMS’[s] mission critical applications, and providing support to 6,500 CMS employees.” (AR 11.001.) The SOO specifies that the awardee “shall acquire, design, build, operate, maintain, refine, modernize, and evolve all cloud services, agile software and network infrastructure, and products and services required to deliver consumable CMS cloud infrastructure services for CMS customers.” (AR 22.)
Although the description of the agency’s goals in the RFI, the MRR, and the SOO reflects that CMS is partly seeking a solution with functionality like that of the batCAVE platform, these similarities are only a minor part of the solicitation. For example, the SOO notes that the contractor will “support [ADOs] and their system/business owners in the migration and deployment of applications and systems to the CMS cloud environments.” ( .) CMS also noted in the MRR that it required “agile and scalable infrastructure hosting environments,” including an “extensible platform with a Platform as a Service (PaaS) and Engineering Support Services operating model for CMS product development teams.” (AR 589.) This language mirrors language from IntelliBridge’s RFI response, in which one aspect of the functionality of the batCAVE platform noted is to “assist application teams utilizing [ ] data centers and hybrid cloud environments to modernize and deploy their applications to a cloud-native state.” (AR 295.)
As with the draft SOO and the MRR, there are also portions of the RFI and the final SOO that appear to seek services that parallel the batCAVE platform’s functionality. The RFI mentioned support for app developers and app management as a goal of the procurement, specifically noting that “[t]he contractor is expected to support an ever-increasing number of FISMA applications/systems throughout the life of this contract.” (AR 49.) According to the final SOO, the contractor would be required to provide “ADOs with a secure, automated, maintainable cloud architecture” that would allow for the facilitation and simple deployment of application ATOs. (AR 1238.) This language also closely reflects the description of the batCAVE platform from Mr. Kimura’s declaration.
The final SOO also requires the awardee “to support any new applications that onboard to one of CMS’ cloud offerings” and to help “enable the CMS cloud and IUSG to maintain and deliver key operational and support services that support applications deployed into the CMS cloud.” (AR 1237.) Additionally, CMS required that the awardee “develop and operate a modular product vending solution that enables customers to receive, both at initial onboarding and during normal operations, hosting service products and services.” (AR 1174.) This “modular product vending solution” would “allow the customer to quickly build and deploy their applications.” ( .)
These similarities between the services sought by the RFQ and the functionality of the batCAVE platform, however, make up only a modest and relatively insignificant portion of the RFQ and the related SOO, MRR, and RFI when viewed as a whole. Portions of the draft SOO are extremely broad and explicitly note that the scope of the solicitation includes all cloud services, network infrastructure, and CMS cloud products and services. (AR 22.) This broad language supports the agency’s claim that the contract is for wholistic IT-management services and not just the DevSecOps service provided by the batCAVE plartform. The RFI mirrors the broad language of the draft SOO, describing the goal of CMS’s new contract as “support[ing] the Office of Information Technology (OIT) and Infrastructure and User Services Group (IUSG) vision which includes . . . acquiring, designing, building, operating, maintaining, refining, modernizing, and evolving all current and future cloud services.” (AR 49-50.) This language again appears to seek services that go beyond the functionality and capabilities of the batCAVE platform regarding ADO migration and the deployment of apps.
Specifically, while batCAVE does provide ADO support, the draft SOO required that the contractor work as a facilitator beyond the ADO level, to include supporting CMS contractors like IntelliBridge itself. For instance, although the draft SOO mentions batCAVE as a contract that can “directly support the CMS Cloud and Hybrid Cloud Program,” it notes that batCAVE is just one of the various “teams” that the “[c]ontractor will work with . . . to collaborate and jointly realize OIT’s product vision.” (AR 20-22.) This discussion of the batCAVE platform in the draft SOO reflects that CMS understands that the batCAVE platform on its own does not have the functionality to perform the entire PEO contract. Instead, the express reference to the batCAVE platform in the draft SOO demonstrates that, from the outset of the procurement process, CMS has understood the batCAVE platform to be one part of a larger OIT cloud project for which the RFQ seeks support services.
Likewise, the RFI’s language is more comprehensive than the description of the functionality of the batCAVE platform. As initially conceived, the contractor is expected to “provide support for the cloud enclaves” which “host[ ] over 120 FISMA systems consisting of over several hundred workloads spanning both AWS and MAG.” (AR 49.) The batCAVE platform on the other hand is, according to Intellibridge’s own response to the RFI, “still in the early stages” with only “approximately nine applications in production.” (AR 299.)
According to the final SOO, the RFQ is intended to “create, implement, maintain, and operate plans for research, development, services, cloud infrastructure, and applications to meet the requirements for technologies identified” within the following areas: (1) Hybrid Cloud Engineering and Operations; (2) Enterprise Products and Tools Administration and Support; and (3) Enterprise Security Operations. (AR 1231, 1242.) A review of each of these specific areas sheds light on whether CMS is seeking an expansive set of cloud and IT services or a narrower service more closely replicating the batCAVE platform’s functionality.
i. Hybrid Cloud Engineering and Operations The batCAVE platform does not provide any of the services required under the hybrid cloud engineering and operations portion of the SOO. To fulfill CMS’s requirements, the awardee will need to “assist CMS in managing and operating CMS cloud infrastructure hosting services by providing cloud operations support necessary for enhancing, onboarding, optimizing, maximizing cost efficiencies, and maintaining cloud computing capabilities at CMS.” (AR 1242.) These provisions of the SOO would require IntelliBridge to provide operations- management services for CMS CSPs. Nothing in the administrative record or the Kimura declarations mentions that the batCAVE platform can provide such management and operations services to CMS CSPs.
Additionally, the awardee must “maintain and operate multiple environments such as Sandbox, Dev, Test, Staging, Implementation, non-Production and Production in various CSP provided enclaves.” (AR 1243.) The awardee must also work with CSPs “to perform these services as core offerings to ADOs.” ( .) While batCAVE does provide ATO services to ADOs, neither the administrative record nor the relevant portion of the Kimura declarations mentions that the batCAVE platform works within these multiple environments and provides all of them as offerings to ADOs. The record also reflects no evidence of the ability of the batCAVE platform to provide support and coordination as needed to interface with various tools and existing contractors in areas such as: DNS, Active Directory, SMTP, and Patching.
ii. Enterprise Products and Tools Administration The final SOO also requires that the contractor be responsible for the administration and support of critical enterprise products and tools that are already hosted in the CMS cloud. As with the hybrid cloud engineering and operations portion of the RFQ, the record is devoid of any reference to the capacity of the batCAVE platform to administer and support Atlassian Tools, Github, or Kion. Under the final SOO, the contractor will be required to oversee and support the configuration, maintenance, administration, integration, API configuration, monitoring, future upgrades, and enhancements to these products and tools. (AR 1247.)
BatCAVE is a platform that facilitates and “accelerates the ATO process.” (ECF 27-1 at 4-5.) Nothing supplied to CMS by the plaintiff, nothing otherwise in the administrative record, and nothing in the Kimura declarations provides any evidence to support a claim that the batCAVE platform can administer and support other platforms and tools that are beyond the scope of the ATO process.
iii. Enterprise Security Operations Aspects of the batCAVE platform’s functionality do fit squarely under the enterprise- security operations portion of the three areas of support enumerated by the SOO. Nonetheless, even the work sought by CMS within this category is broader in scope than what the record reflects the batCAVE platform can provide.
The final SOO requires the contractor to deliver “ all required services necessary to ensure the continuous security of the CMS Cloud, Hybrid Cloud, and Enterprise [General Support Systems].” (AR 1247.) (Emphasis added.) To fulfill the contract, the awardee will be taking over operations of the full-time, 24 hours a day/7 days a week/365 days a year (366 in a leap year) IT-security-operations center run by CMS. The awardee will monitor and respond to security events and incidents, integrating with the CMS enterprise-security-operations center, conducting vulnerability and compliance scanning, and administering, supporting, and configuring continuous monitoring functionality. (AR 1248-49.) These requirements anticipate complete and total management of CMS cloud security by the contractor. The wide array of functions sought under the RFQ requires the awardee to coordinate and operate across the entire CMS IT system.
While the record reflects that the batCAVE platform performs some of the required tasks, there is no evidence in the record or in the Kimura declarations that the batCAVE platform can perform the full scope of work required under the RFQ. For example, the contractor will be required to support ADOs in the migration and deployment of apps and systems to OIT cloud environments. To perform that task, the contractor will need to maintain ATOs for the services and tools administered and “develop and maintain Application/Infrastructure security documentation in support of achieving and maintaining [ATOs].” (AR 1248.) The batCAVE platform performs these functions. (ECF 27-1 at 3-5.).
These responsibilities, however, comprise only a small portion of the PEO contract requirements. Moreover, the contract largely requires the maintenance, administration, support, and facilitation across platforms and service providers. For instance, to protect CMS and app- developer data, the contractor is instructed to “[d]esign, build, operate and maintain security features as part of a DevSecOps framework in connection with the services delivered by the CMS Cloud program for consumption by ADOs and CMS Cloud product teams.” (AR 1250.) The batCAVE platform, however, is more narrowly focused on app developers and their ATO’s.
In addition, continuous-monitoring functionality and incident management are also aspects required of the contractor under the SOO. Although the batCAVE platform can and does provide continuous monitoring for ATOs, the continuous monitoring envisioned by the PEO contract is more comprehensive, covering the entirety of the CMS cloud environment. Under the SOO, the contractor is required to “[d]evelop, implement, and administer a CMS-approved continuous monitoring plan including supplying feeds required by the Department of Homeland Security (DHS) for Continuous Diagnostics and Mitigation (CDM).” (AR 1253.) In addition, “[t]he [c]ontractor shall support CMS’s requirements for alerting and incident management for all of the tools and services administered and maintained under this contract.” (AR 1255.) As with the other required elements of the PEO contract, the record contains no evidence that the batCAVE platform can perform the full range of responsibilities CMS is seeking under the RFQ.
3. Conclusion A comparison between the elements of the RFQ and the functionality of the batCAVE platform reveals that the RFQ, when read in its entirety, is not seeking to replicate the batCAVE platform’s functionality. Instead, CMS is seeking a much broader IT- and cloud-management- services contract. Application onboarding and ATO compliance is only a small part of the broader set of requirements of the PEO contract. The contract instead envisions a managerial role across CMS components and contractors that the batCAVE platform does not provide. IntelliBridge’s conception of the PEO contract is misaligned with the reality that CMS is seeking to award a contract that can wholistically meet the full scope of the agency’s cloud-computing needs. It is true that the RFQ does on its face anticipate the need for some developmental solutions, but these products or services are a small subset of the overall procurement. The batCAVE platform is unable to provide most of these services and any overlap is too limited to conclude that the RFQ seeks merely a developmental solution to replicate the batCAVE platform. Thus, CMS is seeking to procure commercial services, not a developmental solution as the plaintiff asserts.
B. CMS’s Market Research Satisfied Section 3307 The crux of the plaintiff’s argument is that CMS has violated section 3307 by failing to: a) “conduct appropriate market research”; b) “make necessary determinations as to the availability of commercial and non-developmental items to meet its requirements”; and c) procure “commercial and non-developmental items to the maximum extent practicable.” (ECF 27 at 6.)
Analysis of the record discloses, however, that through its RFQ CMS is seeking existing commercial services that are broader than the functionality of the plaintiff’s product. Accordingly, CMS’s market research, focused on commercial cloud- and IT-management services, was appropriately targeted to the services it seeks to acquire. That market research revealed that existing providers of commercial services were available to meet the agency’s requirements. CMS then properly documented its conclusions in the MRR.
Under the Federal Acquisition Streamlining Act (“FASA”), Congress has created an express mandatory preference for the use of commercial products and services when agencies procure supplies or services. Executive agencies are required to “ensure that, to the maximum extent practicable,” agency requirements “with respect to a procurement of supplies or services” are “defined so that commercial services or commercial products or, to the extent that commercial products suitable to meet the executive agency’s needs are not available, nondevelopmental items other than commercial products may be procured to fulfill those requirements.” 41 U.S.C. § 3307(b)(2).
“FASA achieves its preference for commercial items in part through preliminary market research.” Palantir , 904 F.3d at 984. To determine the availability of commercial items, an agency “shall conduct market research appropriate to the circumstances (A) before developing new specifications for a procurement by that executive agency; and (B) before soliciting bids or proposals for a contract in excess of the simplified acquisition threshold.” Section 3307(d)(1). This market research must then be used “to determine whether commercial services or commercial products . . . are available that” meet the agency’s requirements, could be modified to do so, or could do so if the requirements “were modified to a reasonable extent.” Section 3307(d)(2). The agency is then required to “document the results of market research in a manner appropriate to the size and complexity of the acquisition.” Section 3307(d)(4).
In November 2022, CMS developed an acquisition strategy for infrastructure and end- user services to “provid[e] for day-to-day operations and maintenance activities of CMS’[s] enterprise-wide infrastructure.” (AR 11.001.) Based on this strategy, CMS developed the draft SOO. (AR 12.) At this stage of the procurement, CMS was required to “conduct market research appropriate to the circumstances (A) before developing new specifications for a procurement by that executive agency; and (B) before soliciting bids or proposals for a contract in excess of the simplified acquisition threshold.” Section 3307(d)(1).
CMS complied with these requirements. On April 22, 2024, CMS issued the RFI and posted it to the GSA e-buy website under two categories: Information Technology Professional Services and Cloud Computing and Cloud Related Information Technology. (AR 587, 590.) These categories align with the services that, based on the record, CMS seeks to acquire.
IntelliBridge, along with 47 other vendors, responded to the RFI. (AR 591.) According to section 3307, CMS then had to “determine whether commercial services or commercial products . . . are available that” meet its requirements, could be modified to do so, or could do so if the requirements “were modified to a reasonable extent.” Section 3307(d)(2). Finally, CMS had to “document the results of market research in a manner appropriate to the size and complexity of the acquisition.” Section 3307(d)(4).
CMS has complied fully with the obligations imposed by section 3307. Based on the RFI responses, CMS undertook market research focused on the services it seeks to acquire. Upon completion of its market research, CMS issued the MRR on June 6, 2024. (AR 587.) The MRR determined that the PEO contract’s objective would be “to obtain, design, build, operate, maintain, refine, modernize, and evolve all cloud services, agile software, and network infrastructure, and products and services required to deliver consumable CMS cloud infrastructure services for CMS customers.” (AR 589.) CMS concluded that “[b]ased on market research, [the PEO contract] could be considered an acquisition of commercial items in the form of professional services delivered on an hourly basis using labor categories specified in a price list.” (AR 595.) CMS also determined that “based on the information received, [CMS] will be able to obtain three or more acceptable quotes” from small businesses. (AR 589.) As a result of its market research, CMS “set [the contract] aside for small businesses.” ( .) On July 1, 2024, CMS published a streamlined acquisition plan. (AR 606.) Nothing more was required of CMS.
CMS seeks to procure cloud-computing and cloud-related IT services rather than a developmental solution meant to replicate the functionality of the batCAVE platform. Its market research, focused on the goal of the procurement, complies with section 3307. Because it is not seeking a developmental solution to replicate the functionality of the batCAVE platform, CMS was under no obligation to conduct market research beyond the scope of the procurement. [9]
C. Prejudice Even if the agency had not complied with section 3307, based on the record, the plaintiff cannot show that it has suffered any prejudice from CMS’s process or the RFQ. The record shows, as noted, that the batCAVE platform is unable to satisfy all of CMS’s requirements.
To prevail in a bid protest, a plaintiff must “show a significant, prejudicial error in the procurement process.” Alfa Laval Separation, Inc. v. United States , 175 F.3d 1365, 1367 (Fed. Cir. 1999)). Establishing prejudice requires a protestor to demonstrate that it had or would have a “substantial chance” at receiving a contract award. Info. Tech. & Applications Corp. v. United States , 316 F.3d 1312, 1319 (Fed. Cir. 2003) (quoting Alfa Laval , 175 F.3d at 1367).
IntelliBridge is unable to compete for the PEO contract in its current form. Therefore, even if CMS had committed an error in the procurement to this point, IntelliBridge cannot show that it has been harmed by that error. IntelliBridge cannot show prejudice because the batCAVE platform cannot meet all the requirements CMS is seeking to procure. At best, IntelliBridge could compete for a subcontract once the RFQ is awarded; it cannot compete for the RFQ award itself, as it does not meet the requirements.
Indeed, IntelliBridge acknowledged that the batCAVE platform is unable to perform all the functions sought by CMS. In its motion for judgment on the administrative record, IntelliBridge argued that “if CMS issued an RFQ that allowed IntelliBridge to bid its nondevelopmetal item to meet CMS’s needs, then IntelliBridge would have at least a substantial [chance] of winning that contract.” (ECF 27 at 24.) Implicit in this assertion is an acknowledgement that IntelliBridge is unable to provide all the services CMS is seeking through the RFQ. Instead, the plaintiff would only be competitive for a hypothetical RFQ tailored specifically to the functionality of the batCAVE platform. CMS has chosen not to break up the contract in the manner IntelliBridge would prefer, but it is for the agency to determine to scope of the contract. Because IntelliBridge cannot obtain the PEO contract because its platform fails to meet all the requirements of the RFQ, Intellibridge cannot show prejudice.
CMS’s decision to require the awardee to comply with section 3307 also precludes the plaintiff from being able to demonstrate prejudice, to the extent that the RFQ does require developmental solutions to meet aspects of the procurement. See 41 USC § 3307(c) (requiring the head of each executive agency to “require that prime contractors and subcontractors . . . incorporate commercial services or commercial products or nondevelopmental items other than commercial products as components of items supplied to the executive agency”). As noted, CMS’s final version of the SOO requires the awardee to comply with section 3307 by preferencing existing commercial products and services “when procuring or making recommendations to CMS for the procurement of products or services.” (AR 1269.) If the PEO contract will require the awardee to replicate the batCAVE platform’s functionality, then this obligation to comply with section 3307 will require the awardee to conduct appropriate market research before undertaking any developmental solution. At that point, the batCAVE platform may be found to be a commercially available alternative to development, and the statute would operate to require the procurement of that platform. That stage of the implementation of the PEO contract is in the future, and no dispute exists about it now.
VII. CONCLUSION
CMS is not seeking to acquire a developmental solution that would replicate the functionality of the batCAVE platform. Instead, CMS seeks to acquire cloud computing and IT- management services. CMS complied with section 3307 and appropriately conducted its market research on the services it seeks to procure. Even if CMS had failed to comply with section 3307, the plaintiff is unable to show prejudice, as the batCAVE platform cannot meet the requirements set out by the RFQ. Moreover, the requirement that the awardee comply with section 3307 prevents the plaintiff from being harmed at this stage of the procurement.
Accordingly, the plaintiff’s motion for judgment on the administrative record is denied, and the defendant’s cross-motion for judgment on the administrative record is granted. A separate order directing the entry of judgment will be filed concurrently with this opinion.
s/ Richard A. Hertling Richard A. Hertling Judge
[*] Pursuant to the protective order in this case, this opinion was under seal on February 10, 2025, and the parties were directed to propose redactions of confidential or proprietary information. The parties have reported that no redactions are necessary. Accordingly, the opinion is released in full.
[1] Section 3307 requires federal agencies to “ensure that, to the maximum extent practicable,” agency requirements “with respect to a procurement of supplies or services” are “defined so that commercial services or commercial products or, to the extent that commercial products suitable to meet the executive agency’s needs are not available, nondevelopmental items other than commercial products may be procured to fulfill those requirements.” 41 U.S.C. § 3307(b).
[2] Vivek Kundra, The White House, Federal Cloud Computing Strategy (Feb. 8, 2011), https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/egov_docs/federal-cloud- computing-strategy.pdf
[3] See 15 U.S.C. § 638 for the statutory authorization for the SBIR program.
[4] ECF 27-1 is a declaration from Brett Kimura, senior vice president and general manager of RevaComm. Mr. Kimura submitted a second declaration at ECF 34-1. The plaintiffs moved to supplement the administrative record with the Kimura declarations. That motion was granted at oral argument and memorialized in an order filed on January 16, 2025. (ECF 44.) The Kimura declarations were added to the record for their description of the batCAVE platform and its technological capacity. The Kimura declarations also contained speculation on the rationale for the procurement and CMS’s motives in terminating its use of the batCAVE platform and its refusal to acquire it under the RFQ. The declarations have not been considered for those aspects unrelated to the technological capabilities of the batCAVE platform. The result here would be the same, even if the Kimura declarations were not considered.
[5] Although they are undefined in the record, AWS and MAG are understood to mean Amazon Web Services and Microsoft Azure for Government, respectively.
[6] In a procurement under FAR part 37, offerors may use the SOO to develop the performance work statement, but “the SOO does not become part of the contract.” FAR 37.602(a)-(c).
[7] Atlassian provides development and collaboration software that uses cloud platforms to provide collaboration, automation, insights, and extensibility to organizations. A TLASSIAN , https://www.atlassian.com (last visited Feb. 3, 2025). Github is a web-based platform that allows developers to store, manage, and share code. G ITHUB , I NC ., https://github.com (last visited Feb. 3, 2025). Kion is a software product that streamlines cloud operations by automating identity, compliance, and financial management across multiple cloud infrastructures, such as AWS, Microsoft Azure, and Google Cloud. K ION , https://kion.io (last visited Feb. 3, 2025).
[8] In the complaint, IntelliBridge initially challenged CMS’s sole-source solicitation to develop a scheduling app that mirrored Signal, a scheduling app already provided by IntelliBridge, in addition to the claims related to the batCAVE platform. (ECF 1.) The defendant moved to dismiss that portion of the complaint. In response to the motion to dismiss, the plaintiffs withdrew the challenge regarding the Signal scheduling app. (ECF 34 at 9.) As a result, the motion to dismiss is moot, and any issues raised in the complaint regarding the Signal app are not addressed.
[9] The plaintiff has not argued that CMS illegally bundled the various elements of the procurement to evade its obligations under section 3307 or any other provision of law.