Details published on denial of protest over $164M DHA Cybersecurity Risk Management Operations Support (RMOPS) task


  1. “Protest that the agency unreasonably evaluated protester’s proposal is denied where the record shows that the evaluation was consistent with the solicitation’s evaluation criteria.
  2. Protest that the agency should have referred a nonresponsibility determination to the Small Business Administration under certificate of competency procedures is denied where the agency did not effectively evaluate the protester as nonresponsible but rather simply identified aspects of the protester’s proposal as weak under the evaluation criteria.
  3. Protest challenging the cost realism evaluation is denied where the record shows that agency reasonably determined that protester’s estimated costs were unrealistically low.”


“On April 3, 2019, the Navy issued the RFP to procure cybersecurity risk management operations support services for the Defense Health Agency, Information Services Division.  Combined Contracting Officer’s Statement and Memorandum of Law (COS/MOL) at 2; AR, Tab 2, RFP at 8.  The RFP was issued against the Navy’s SeaPort Next-Generation (NX-G) multiple-award, indefinite-delivery, indefinite‑quantity (IDIQ) contract.  COS/MOL at 3.  The RFP contemplated the award of a performance based cost-plus-fixed-fee, level-of-effort, and cost-reimbursement task order to be performed over a 1‑year base period and three 1-year option periods.  AR, Tab 2, RFP at 4-7, 86.

Award would be made on a best-value tradeoff basis, considering cost and non-cost factors.  AR, Tab 2, RFP at 96.  Non-cost factors included gate criteria, technical capability, and management plan.  Id.  The gate criteria assessed, on a pass or fail basis, whether each offeror had at least one year experience collecting and reporting required information.  Id. at 90, 96.  Proposals receiving a passing score for the gate criteria factor were evaluated under the technical capability and management plan factors.  Id. at 96-97.  The tradeoff decision would consider the technical capability, management plan, and cost factors; in making the tradeoff decision, the RFP specified that the non-cost factors were significantly more important than the cost factor, and that the technical capability factor was more important than the management plan factor.

The technical capability factor (i.e., factor B) required the agency to assess each offeror’s corporate experience in an enterprise‑level environment under four subfactors.  AR, Tab 2, RFP at 97-98.  Subfactor B1 required offerors to demonstrate experience developing, maintaining, and updating risk posture assessments; providing oversight and compliance reporting for the Cybersecurity Vulnerability Management program; and providing risk mitigation strategies relative to the assessments (greater than 50,000 server and workstation assets).  Id. at 98.  Under subfactor B2, the agency would evaluate each offeror’s experience developing risk management framework (RMF) documentation.  Id.  Under subfactor B3, the agency would evaluate each offeror’s experience maintaining and enhancing security postures using a variety of software applications.  Id.  Under subfactor B4, the agency would evaluate each offeror’s experience analyzing and detecting cyber security events.  Id.  The RFP specified that subfactors B1 and B2 were of equal importance, and were significantly more important than subfactors B3 and B4.  Id. at 98…”


“BEAT raises various challenges to the Navy’s evaluation and source selection decision.  We have reviewed all of them and find no basis to sustain the protest.  We discuss BEAT’s principal allegations below, but note at the outset that, in reviewing protests challenging an agency’s evaluation of proposals, our Office does not reevaluate proposals or substitute our judgment for that of the agency; rather, we review the record to determine whether the agency’s evaluation was reasonable and consistent with the solicitation’s evaluation criteria, as well as applicable statutes and regulations.  AT&T Corp., B‑414886 et al., Oct. 5, 2017, 2017 CPD ¶ 330 at 6.

Evaluation of BEAT’s Technical Proposal

BEAT challenges the agency’s evaluation of its proposal under subfactor B1 of the technical capability factor.  Protester’s Comments and Supp. Protest at 3.  BEAT argues that the assignment of a marginal rating was unreasonable because, contrary to the evaluation, its proposal demonstrated experience providing risk posture assessments.  Id. at 3-8.  The Navy responds that BEAT’s proposal lacked details substantiating its experience or relating its experience to the solicitation requirements.  COS/MOL at 25‑34…”


“Business Enabled Acquisition & Technology, LLC (BEAT), of San Antonio, Texas, protests the award of a task order contract to Sentar, LLC, of Baltimore, Maryland, under request for proposals (RFP) No. N6523619R3507, issued by the Department of the Navy, Naval Information Warfare Center Atlantic (NIWC), for cybersecurity risk management operations support.  BEAT alleges that the Navy unreasonably evaluated its proposal, failed to refer a nonresponsibility determination to the Small Business Administration (SBA) under certificate of competency procedures, and improperly adjusted its proposed costs.

We deny the protest.”

Read the full 9-page decision here.
