The Government Accountability Office settled one of the first bid protests involving whether a vendor met cloud cybersecurity requirements.
SRA International protested the Department of Health and Human Services’ award to InfoReliance of a blanket purchase agreement for cloud email. SRA claimed HHS’ evaluation of its bid was unreasonable and the evaluation factors were unclear.
HHS awarded InfoReliance a BPA under Schedule 70 of the General Services Administration’s schedule contract program in June. InfoReliance and SRA were among the six bidders going through a two-step evaluation process.
The first step required the vendor to provide evidence that it met the requirements of the Federal Risk and Authorization Management Program (FedRAMP) and the Section 508 requirements for technology.
HHS determined SRA didn’t meet the FedRAMP requirements because it didn’t have an authority to operate (ATO) from the Joint Authorization Board or from an agency.
SRA claimed HHS’ evaluation factors were unclear because of how they listed the FedRAMP and Section 508 requirements.
“SRA maintains that listing of the two elements, with neither the word ‘and’ nor the word ‘or’ between them, made it unclear whether the agency intended for vendors to comply with both elements,” GAO wrote in its Sept. 2 decision that was just released Sept. 23. “However, according to SRA, the use of ‘or’ in the subsequent provision warning that a vendor would receive a fail rating if ‘insufficient documentation is provided to demonstrate either (a) or (b) above’ clarified that the provisions were to be read in the disjunctive.”
GAO disagreed with SRA’s claims.
“[T]he only reasonable interpretation of the solicitation language pertaining to the FedRAMP evaluation criteria set forth in section 184.108.40.206 is that if a vendor had not achieved an ATO meeting FedRAMP requirements by the time of quotation submission, it was required to provide both (a) documentation confirming FedRAMP initiation, and (b) a current ATO issued by another federal agency supporting a FIPS 199 security categorization of moderate,” GAO lawyers wrote. “In this regard, sections 220.127.116.11 and 10.3.3 both separately identified the ATO requirements, and listed elements (a) and (b) without any indication that they could be provided in the alternative. Such a listing was not ambiguous, as the protester maintains, and could only be reasonably understood as a requirement for both items.”
GAO said HHS properly rejected SRA’s bid for failing to demonstrate compliance with FedRAMP.