GAO decides one of first protests based on FedRAMP compliance

The Government Accountability Office settled one of the first bid protests that involved whether or not a vendor met the cloud cybersecurity requirements.

SRA International protested the Department of Health and Human Services award to InfoReliance for a blanket purchase agreement for cloud email. SRA claimed HHS’ evaluation of its bid was unreasonable and the factors were unclear.

GAO, however, denied SRA’s protest, letting the HHS contract to InfoReliance move forward.

HHS awarded InfoReliance a BPA under Schedule 70 of the General Services Administration’s schedule contract program in June. InfoReliance and SRA were among the six bidders going through a two-step evaluation process.


The first step required the vendor to provide evidence that it met the Federal Risk and Authorization Management Program (FedRAMP) requirements and the Section 508 accessibility requirements for technology.

HHS determined SRA didn’t meet the FedRAMP requirements because it didn’t have an authority to operate (ATO) from the Joint Authorization Board or from an agency.

SRA claimed HHS’ evaluation factors were unclear because of how they listed the FedRAMP and Section 508 requirements.

“SRA maintains that listing of the two elements, with neither the word ‘and’ nor the word ‘or’ between them, made it unclear whether the agency intended for vendors to comply with both elements,” GAO wrote in its Sept. 2 decision that was just released Sept. 23. “However, according to SRA, the use of ‘or’ in the subsequent provision warning that a vendor would receive a fail rating if ‘insufficient documentation is provided to demonstrate either (a) or (b) above’ clarified that the provisions were to be read in the disjunctive.”

GAO disagreed with SRA’s claims.

“[T]he only reasonable interpretation of the solicitation language pertaining to the FedRAMP evaluation criteria set forth in section 11.3.1.3 is that if a vendor had not achieved an ATO meeting FedRAMP requirements by the time of quotation submission, it was required to provide both (a) documentation confirming FedRAMP initiation, and (b) a current ATO issued by another federal agency supporting a FIPS 199 security categorization of moderate,” GAO lawyers wrote. “In this regard, sections 2.4.7.1 and 10.3.3 both separately identified the ATO requirements, and listed elements (a) and (b) without any indication that they could be provided in the alternative. Such a listing was not ambiguous, as the protester maintains, and could only be reasonably understood as a requirement for both items.”

GAO said HHS properly rejected SRA’s bid for failing to demonstrate compliance with FedRAMP.

HHS’ decision to disqualify SRA from the competition marks one of the first public rebuffs of a company that didn’t, at the time of the solicitation, meet the cloud security mandate.

The Office of Management and Budget mandated starting June 5 that all cloud services must be FedRAMP approved or at least in the process of getting an authority to operate.

Frank Baitman, the HHS chief information officer, said in August 2013 that the contract would be as much about email as it would be about collaboration services.

HHS has been working on this email-in-the-cloud contract for the better part of three years.


Copyright © 2019 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.