Missing Password Doesn’t Sink CIO-SP3 Proposal

A Maryland contractor nearly lost a contract with a $20 billion ceiling because of a password-protected, encrypted document.

After much back and forth, and for somewhat obscure reasons, GAO said that it was unreasonable for the agency to ask for the password and then not use it.

Chags Health Information Technology, LLC, of Columbia, Maryland, protested the decision of the Department of Health and Human Services, National Institutes of Health, to eliminate its proposal from the competition because NIH did not have the password to one document included with the proposal.

Chags had sought a Chief Information Officer-Solutions and Partners (CIO-SP3) ramp-on contract. CIO-SP3 is a massive indefinite-delivery indefinite-quantity contract for health and biomedical IT services. The goal of the ramp-on was to expand the pool of eligible vendors.

This particular ramp-on was for 8(a) concerns and included a period of performance ending June 29, 2022. Businesses with the contract could be eligible for up to $20 billion in awards. NIH issued the solicitation on March 14, 2016, and got more than 500 offers by the closing date two months later.

Chags submitted a proposal as part of a contractor team arrangement, or CTA. The solicitation had instructed that CTAs must provide financial statements from each CTA member so that the agency could make a responsibility determination for each member. It provided that if team members did not wish to share their financial information with the prime (in this case Chags), they could encrypt the document and send the password in an email to the Electronic Procurement Information Center help desk.

Chags' proposal included an encrypted copy of its teaming partner’s financial statement. Its partner also provided a sworn statement that it provided the password to the help desk days prior to the proposal due date. The agency claimed that it never received the email.

On July 5, 2017, the contracting officer told Chags that it was evaluating the proposal and asked Chags to clarify where “in your proposal can be found the decryption passwords.” The vice president of the teaming partner—the identity of which was redacted from the decision—forwarded the email containing the passwords that it said was sent to the help desk.

The agency found the proposal unacceptable because it said the password was not provided by the proposal due date.

Chags argued two things. First, that the password had been provided as instructed. Second, that the agency should have used the password as part of its responsibility determination because undoubtedly the password had been provided prior to the agency making the determination.

GAO said that because it agreed with the second argument, it did not need to determine whether the password had been received or not.

GAO has often said that responsibility determinations and technical acceptability are different. It said: “Responsibility may be satisfied at any time prior to award, as opposed to technical acceptability, which must be satisfied based on a common proposal deadline.”

Because the agency asked for clarification and got it, it was unreasonable not to consider the information at its fingertips:

the agency had all of the required information in its possession prior to the time it completed its evaluation. If the agency had never received the decrypted password prior to evaluation, the agency could have rejected the [Chags] proposal because it did not contain the required documents . . . .

Under these circumstances, we conclude that the contracting officer—the individual charged by the FAR with making responsibility determinations—could not ignore the password in his possession[.]

GAO sustained the protest and recommended that the agency use the password to determine the CTA partner’s responsibility. In other words, one missing password was not enough to keep Chags from potentially receiving a contract worth up to $20 billion.

GAO issues many decisions about what proposal information an agency received and when the agency received it. Normally, GAO denies the protest and sides with the agency, although the Court of Federal Claims is willing to put a little more pressure on agencies to clarify missing information. If there is any doubt, contractors would do well to confirm receipt with the agency and keep records of what was sent.
