ACE-FEDERAL REPORTERS, INC v. USA, No. 1:2020cv00636 - Document 54 (Fed. Cl. 2020)
Court Description: REPORTED OPINION AND ORDER. Unsealed version of 51: opinion and order. Signed by Judge Ryan T. Holte. (tjw) Service on parties made.
Download PDF
<![CDATA[
In the United States Court of Federal Claims No. 20-636 (Filed: 22 September 2020*) *************************************** ACE-FEDERAL REPORTERS, INC., * * Plaintiff, * * v. * * THE UNITED STATES, * * Defendant, * * and * * HERITAGE REPORTING CORPORATION, * * Defendant-Intervenor. * * *************************************** Bid protest; International Trade Commission (“ITC”); Cryptographic Module Validation Program (“CMVP”); supplementation of the administrative record Michael D. McGill, of Arnold & Porter Kaye Scholer, LLP, with whom was Thomas A. Pettit, of Washington, DC, for plaintiff. Eric E. Laufgraben, Senior Trial Counsel, Commercial Litigation Branch, Civil Division, Department of Justice, with whom were Ethan P. Davis, Acting Assistant Attorney General, Robert E. Kirschman, Jr., Director, and Douglas K. Mickle, Assistant Director, all of Washington, DC for defendant. Gina K. Grippando, Assistant General Counsel, U.S. International Trade Commission, of counsel. John E. McCarthy Jr., of Crowell & Moring LLP, with whom were Mark A. Ries, Evan D. Wolff, and Christopher D. Garcia, all of Washington, DC, for defendant-intervenor. OPINION AND ORDER HOLTE, Judge. * This order was originally filed under seal on 4 September 2020 pursuant to the protective order in this case. The Court provided parties the opportunity to review this opinion for any proprietary, confidential, or other protected information and submit proposed redactions no later than 18 September 2020. The parties jointly proposed redactions on 18 September 2020. The Court accepts the parties’ proposed redactions and reissues the order, with redacted language replaced as follows: “[XXXXX].” Plaintiff, Ace-Federal Reporters, Inc. (“plaintiff,” “Ace-Federal,” or “Ace”) brings this bid protest challenging the U.S. International Trade Commission’s (“ITC”) award of a contract for court reporting services to defendant-intervenor Heritage Reporting Corporation (“defendantintervenor,” “Heritage,” or “HRC”) under Solicitation No. 34300019Q007. Pending before the Court are plaintiff’s motion for judgment on the administrative record and motion to supplement the administrative record, as well as the government’s and defendant-intervenor’s respective cross-motions for judgment on the administrative record. For the following reasons, the Court DENIES plaintiff’s motion to supplement the administrative record, DENIES plaintiff’s motion for judgment on the administrative record, and GRANTS the government’s and defendantintervenor’s respective cross-motions for judgment on the administrative record. I. Background A. The Solicitation On 6 June 2019, the ITC issued Request for Quotation (“RFQ” or “Solicitation”) No. 34300019Q0017 “to acquire court reporting services” to “support the Commission’s legal proceedings.” Admin. R. at 8, ECF No. 19 (“AR”). The RFQ contemplated “award of a Time and Materials contract, with an established ceiling.” Id. The RFQ specified: “This is a no-cost contract for the Government. The winner bidder will receive compensation through sales of services and reports to the public. The Government will not be paying for routine court reporting services.” Id. (emphasis omitted). Additionally, this procurement “is a 100% Small Business Set Aside, under [North American Industry Classification System (“NAICS”)] Code 561492, Court Reporting and Stenotype Services” with a $15 million size standard. Id. The RFQ required the contractor to “furnish all personnel, equipment, materials, incidentals[,] and other resources necessary to satisfy the Commission’s requirements for Court Reporting Services, and any other services the Contractor renders under this Contract, within the scope of the [Statement of Work (“SOW”)].” Id. at 9. The SOW provided, “[t]he Contractor shall provide the Commission with court reporting services for Commission-held proceedings when the Presiding Official or the Contracting Officer’s Representative (“COR”)” provides the contractor advance notice, as outlined in the SOW. Id. at 9–10. The SOW also provided for depositions, real-time court reporting, authentication of transcripts, production and delivery of transcripts to the Commission, and sales to the parties and members of the public, among other requirements. See AR at 10–22. Most relevant to this protest, the SOW provided: The Contractor shall produce all paper-copy transcripts on white paper measuring 8-1/2 inches by 11 inches. Each full page of such transcript shall contain no less than 25 lines of typewriting, 10 letters to the inch, double spaces between lines, with a binding margin of 1-1/2 inches at the left side and a margin of 3/8 of an inch on the right side. On each page, the lines shall fill as nearly as practicable the spaces between the margins. Id. at 19. Also relevant to this protest, under the heading of “Digital Security,” the RFQ stated: -2- Encryption utilizing Federal Information Processing Standards Publication (FIPS PUB) 140-3, Security Requirements for Cryptographic Modules (as updated), is applicable to the services provided under this contract, as follows. The Contractor shall employ encryption utilizing FIPS 140-3 validated cryptographic modules operated in the FIPS-approved mode . . . . Id. at 22. Offerors would be evaluated under three factors: (1) Technical; (2) Past Performance; and (3) Price. Id. at 27–28. The Technical factor comprised the following three subfactors: (a) Use of Technology; (b) Management Plan; and (c) Technical Approach. Id. at 28–29. Most relevant to this protest, under the Use of Technology subfactor, the RFQ stated: “The offeror shall propose cryptographic modules and shall state the National Institute of Standards and Technology (NIST) Cryptographic Module Validation Program (CMVP) certificate number(s) of the cryptographic modules that are being proposed.” Id. at 28 (emphasis omitted). For evaluation of the Past Performance factor, the RFQ explained: The offeror shall submit a minimum of three (3) past experience/past performance references of similar work and scope. Evaluation will be based on the relevancy and quality of recent efforts accomplished by the offeror. Other information that may be obtained, including how well the offeror cooperated with the client, the quality and timeliness of work delivered, and if costs were properly controlled (if applicable) will also be evaluated. Past performance information will also be accessed by the Government from available online databases, including sources such as the Past Performance Information Retrieval System (PPIRS); Federal Awardee Performance and Integrity Information System (FAPIIS); as well as any other source for past performance information available to the Contracting Officer. AR at 29. Concerning award and best value analysis, the RFQ provided: Contract award shall be made to the responsible offeror whose quotation, in conforming to this Request for Quotation, provides the best value to the Government. Since it is in the best interest of the Government to consider award to other than the lowest priced offeror, or other than the highest technically rated offeror, the Government will use a tradeoff source selection approach to determine the proposal that represents the best value to the Government. Technical is the most important Factor. Past Performance is not as important as Technical, but more important than Price. Price is the least important Factor. Technical and Past Performance, when combined, [are] more important than Price. Id. at 29–30. The three subfactors under the Technical Factor are “equally weighted in the development of the overall Technical Factor rating.” Id. at 30. For the Use of Technology -3- subfactor, the ITC would “evaluate the offeror’s ability to meet the Federal Information Processing Standards Publication (FIPS PUB) 140-3, Security Requirements for Cryptographic Modules.” Id. (emphasis omitted). In evaluating the proposals, the ITC would assign a strength, weakness, or deficiency to the proposals. Id. at 32. A strength is “[a] proposal attribute that increases the likelihood of successful Task Order performance, or provides an approach directly related to the requirement that exceeds the minimum expectation.” Id. A weakness “means a flaw in the quotation that increases the risk of unsuccessful Task Order performance.” AR at 32. A deficiency “is a material failure of a quotation to meet a Government requirement or a combination of significant weaknesses in a quotation that increases the risk of unsuccessful Order performance to an unacceptable level.” Id. The ITC additionally used the following adjectival ratings to evaluate proposals: Outstanding, Good, Acceptable, Marginal, and Unacceptable. An Outstanding rating means the “[p]roposal indicates an exceptional approach and understanding of the requirements and contains multiple strengths.” Id. A Good rating means the “[p]roposal indicates a thorough approach and understanding of the requirements and contains at least one strength.” Id. An Acceptable rating means the “[p]roposal indicates an adequate approach and understanding of the requirements.” Id. A Marginal rating means the “[p]roposal has not demonstrated an adequate approach and understanding of the requirements.” Id. Lastly, an Unacceptable rating means the “[p]roposal does not meet the requirements of the solicitation and, thus, contains one or more deficiencies and is unawardable.” AR at 32. On 25 June 2019, the ITC issued Amendment 001 to the Solicitation, which answered questions offerors asked about the terms. See id. at 61, 67. Question 9 stated: Encryption utilizing FIPS 140-3 is applicable to the services provided in this RFQ. Our understanding is the effective date of FIPS 140-3 is September 22, 2019 and testing begins September 22, 2020. Will FIPS 140-2 be acceptable until implementation of FIPS 140-[3]? Id. at 63. The ITC answered it “will evaluate cryptographic solutions using the relevant standard. The current NIST CMVP evaluates 140-2. 140-2 is acceptable.” Id. B. Plaintiff’s Proposal On 8 July 2019, plaintiff submitted its proposal in response to the Solicitation. Id. at 75. Of relevance here, responding to the requirements under the Technical factor, plaintiff noted it “will not have any difficulty meeting the current FIPS 140-2 security requirements.” Id. at 79. “To prepare for FIPS 140-3 implementation,” plaintiff stated it “is working closely with [its] vendors who provide cryptographic modules to ensure that they will offer software upgrades to meet FIPS 140-3 requirements once testing begins” in September 2020. AR at 79. Addressing FIPS 140-2 compliance for real-time court reporting, plaintiff proposed a wireless WIFI option that is FIPS 140-2 compliant [XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX] Plaintiff specified: [XXXXXXXXX -4- XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX] Plaintiff similarly provided the CMVP Certificate numbers for other equipment in the proposal. See id. at 81, nn.3–4. Plaintiff’s proposal also highlighted its past performance: “As the incumbent contractor to the ITC for the past 5 ½ years, there can be no better indicator of our ability to meet—and exceed—the ITC’s performance requirements nor no contract more relevant.” Id. at 89. Plaintiff emphasized the importance of relevant experience due to the “demanding . . . technical requirements” of this contract. Id. For example, “[o]ther than certain government intelligence agencies, to our knowledge no other reporting contract has the FIPS 140-2/140-3 digital security encryption mandate,” which plaintiff would be able to meet. AR at 89. Five evaluators—the Federal Energy Regulatory Commission’s Office of Administrative Law Judges, the ITC, two law firms, and the District of Columbia Bar—submitted past performance questionnaires attesting to plaintiff’s performance. See id. at 103–08. Most of the evaluations rated plaintiff’s performance “Exceptional,” except the ITC’s evaluation rated plaintiff as “Very Good.” See id. C. Defendant-Intervenor’s Proposal Defendant-intervenor submitted a timely proposal on 8 July 2019. See id. at 109. Most relevant here, for the technology used in real-time court reporting, defendant-intervenor stated, “[a] Cisco 881W router is used running in FIPS 140-2 compliant mode.” Id. at 113. CMVP Certificate No. 1700, which corresponds to the Cisco 881W router, indicates the router has a “historical” validation. Id. at 2899. The NIST website states, “[t]he referenced cryptographic module should not be included by Federal Agencies in new procurements. Agencies may make a risk determination on whether to continue using this module based on their own assessment of where and how it is used.” AR at 2899. Defendant-intervenor also explained how its technology operates real-time court reporting, which defendant-intervenor characterized as FIPS 140-2 compliant, and it provided the CMVP Certificate numbers for all proposed equipment and modules. Id. at 113–14. Defendant-intervenor also provided links to the NIST website confirming the FIPS 140-2 compliance of its hardware and software configurations. Id. at 115. Four evaluators—the Supreme Court of the United States, the Occupational Safety Health Review Commission (“OSHRC”), the ITC, and the Environmental Protection Agency— submitted past performance questionnaires for defendant-intervenor. See id. at 150–53. Almost all ratings were “Exceptional,” with only a few “Very Good” ratings. Id. D. Proposal Evaluation -5- The Technical Evaluation Team (“TET”), which comprised four members, each evaluated the proposals according to an Individual TET worksheet.1 See id. at 164–72. Under the first factor, Technical, the TET rated plaintiff’s proposal “overall Good.” AR at 185. Plaintiff’s proposal had “two noted strengths . . . and no weaknesses or deficiencies.” Id. The first strength fell under “Factor 1b (Management Plan),” and the TET noted plaintiff’s “proposed management plan thoroughly addresses its ability to staff the project and builds in redundancies thereby reducing risk to the government.” Id. Plaintiff’s second strength fell under “Factor 1c (Technical Approach),” for which the TET observed plaintiff’s “technical approach shows a comprehensive grasp of the requirements and provides detailed examples of its ability to perform and deliver the court reporting services.” Id. Next, the TET rated plaintiff “Outstanding” in the second factor, Past Performance. Id. at 186. Plaintiff had “numerous strengths,” including mostly Exceptional ratings in each category, “with notes of quality and expertise in work.” Id. There were no weaknesses or deficiencies for past performance. Id. Plaintiff’s total evaluated price was $4,257,602. AR at 187. The TET similarly rated defendant-intervenor as “overall Good” under the Technical Factor, noting defendant-intervenor had one strength and no weaknesses or deficiencies. Id. at 189–90. Defendant-intervenor had one technical strength because its “proposed use of technology highlights their proposed hardware/software elements and also technology related business processes. It shows a thorough grasp of the technical requirements and reduces risk to the federal government by providing a detailed and auditable technical implementation.” Id. at 190. The TET also assigned defendant-intervenor an “Outstanding” rating under the second factor. Id. The TET listed two strengths of defendant-intervenor’s past performance, which were exceptional ratings in every category on questionnaires submitted by the Supreme Court and OSHRC and defendant-intervenor’s real-time court reporting experience with the Supreme Court. Id. at 191. Defendant-intervenor’s total evaluated price was $3,885,500. Id. at 192. The CO’s best value determination observed plaintiff and defendant-intervenor were assigned identical adjectival ratings for the Technical and Past Performance factors. AR at 193. The CO explained, “[b]ased on the identical ratings, the Price Factor became the deciding Factor for award, with Heritage offering 9% ($372,102.00) less than Ace.” Id. Further, “[w]hile Ace received 2 Strengths in the Technical Factor, which was the most important Factor, versus Heritage’s 1 Strength, there was no material difference in their Technical quotations and did not amount to a higher Adjectival rating, or discussion of their Technical Factor rating.” Id. (emphasis omitted). The CO therefore reasoned, “the 1 extra Strength that Ace received did not amount to any perceived benefit of 1 [offeror] over the other,” and “[t]he higher Price offered by Ace was not . . . perceived to offer a better value to the Government.” Id. The CO consequently “determined that award of a Contract to Heritage Reporting Corporation, a Washington, DC women owned small business, is in the best interest of the Government.” Id. On 29 July 2019, the CO informed plaintiff by email it was not a successful offeror on the subject solicitation. Id. at 195. On 31 July 2019, the CO notified defendant-intervenor by email the government awarded it the contract. AR at 197. Three offerors submitted quotations, but the record only contains documentation related to plaintiff’s and defendant-intervenor’s proposals. See AR at 182. 1 -6- E. First Government Accountability Office (“GAO”) Protest and Corrective Action On 12 August 2019, plaintiff filed a GAO protest of the ITC’s award of the contract to defendant-intervenor. Id. at 310. Plaintiff asserted the following grounds: (1) defendantintervenor did not comply with the solicitation’s pricing requirements; and (2) the ITC’s decision to award the contract to defendant-intervenor was unreasonable and inconsistent with the solicitation. See Id. at 325–35. On 26 September 2019, plaintiff filed a supplemental protest, asserting the following additional grounds: (1) “the ITC’s evaluation of Heritage’s proposal and its best value decision failed to account for Heritage’s inability to comply with the transcript formatting requirements and the impact on Heritage’s pricing;” (2) “Heritage’s proposal was technically unacceptable because Heritage proposed equipment that did not comply with the RFQ’s encryption requirements;” and (3) “Heritage’s proposal was technically unacceptable because it showed Heritage would not comply with FAR 52.219-14.” Id. at 919–24. On 5 November 2019, GAO conducted alternative dispute resolution (“ADR”) of the protest. Id. at 1731. The next day, 6 November 2019, the ITC notified GAO “[i]n response to the outcome prediction ADR session on November 5, 2019, [the ITC] intends to take corrective action and will file the necessary notice by close of business on November 8, 2019.” Id. at 1732. On 8 November 2019, ITC submitted a memorandum to GAO detailing ITC’s intended corrective action and requested “GAO dismiss the subject protest as academic.” AR at 1733–34. The memorandum listed the following actions the ITC would take as part of its corrective action: 1. The USITC will re-evaluate both offerors’ proposals under RFQ Factor 1: Technical, a. Use of Technology, specifically considering the offerors’ proposed use of encryption technology; 2. The USITC will assign relative weight to that factor accordingly and will then conduct a trade-off analysis to determine which offeror represents the best value to the government. The trade-off analysis will be based on the proposals’ relative strengths and weaknesses, as well as price, in accordance with the Federal Acquisition Regulations (FAR), statute, Comptroller General decisions, and other case-law precedent; and 3. The USITC will document the re-evaluation and subsequent source-selection decision. Id. at 1735–36. On 12 November 2019, “to preserve its rights,” plaintiff submitted its objections to the proposed corrective action to GAO. Id. at 1737. Plaintiff asserted the following objections: (1) “the corrective action is too narrow;” (2) “the ITC’s new cost-technical tradeoff and best-value decision will be based on the same misleading and inaccurate price delta between Ace-Federal’s and Heritage’s proposals;” and (3) “the ITC’s notice is ambiguous in stating that the agency will ‘assign relative weight to that factor accordingly.’” Id. at 1737–38. Plaintiff also objected to the ITC’s request for GAO to dismiss the protest as academic. Id. at 1740. -7- On 15 November 2019, GAO issued its decision dismissing plaintiff’s protest. AR at 1742–43. GAO noted the ITC “informed our Office that it intends to take corrective action by reevaluating vendors’ quotations under the portion of the technical factor relating to the solicitation’s encryption requirements and making a new source selection decision.” Id. at 1742. GAO also stated the ITC’s “notice of corrective action describes how the agency’s action renders the protest academic,” but plaintiff’s objection to the corrective action “fails to adequately explain how the protest is not rendered academic by the proposed corrective action.” Id. at 1742–43. GAO concluded “[t]he agency’s corrective action renders the protest academic” and consequently dismissed the protest. Id. at 1743. As part of the corrective action, the ITC’s Chief Information Security Officer (“CISO”) evaluated the offerors’ FIPS 140-2 compliance. Id. at 2309–10. The CISO first clarified: Offers were evaluated by reviewing the Cryptographic Module Validation Program (CMVP) certificate number(s) in each proposal to confirm FIPS 140-2 compliance. A FIPS 140 certification can have three states (“active,” “historical,” or “revoked”). For the purposes of the evaluation certification, values of “active” or “historical” are considered complaint; values of “revoked” or no valid certification are considered non-compliant. Id. at 2309. The CISO also cited NIST guidance concerning validation certificate status: If a validation certificate is marked as historical, Federal Agencies should not include these in new procurement. This does not mean that the overall FIPS-140 certificates for these modules have been revoked[;] rather it indicates that the certificates and the documentation posted with them are more than 5 years old and have not been updated to reflect latest guidance and/or transitions, and may not accurately reflect how the module can be used in FIPS mode. Agencies may make a risk determination on whether to continue using the modules on this list based on their own assessment of where and how the module is used. AR at 2309 (emphasis and internal quotation marks omitted). The CISO applied this guidance in his evaluation and explained: [W]e distinguished between procurements of hardware . . . and procurements of services . . . . The Commission’s interpretation of NIST’s guidance is that procurements for new hardware/software should generally avoid equipment with FIPS140 certificates marked as “historical” in new procurements. However, NIST’s guidance provides that agencies may make a risk determination on whether to continue using this module based on their own assessment of where and how it is used. The evaluation team does not interpret this language as directed at procurement of services. Given the complexity of service provider systems and the fact that those service provider systems are expected to evolve over time and replace equipment as needed, “historical” designations are considered compliant for the purposes of this evaluation. -8- Id. at 2310. The CISO also found support for this distinction between procurements of goods rather than services in FIPS 140-3. Id. In a section titled “Implementation,” the regulation provides “‘[a]gencies should develop plans for the acquisition of products that are complaint with FIPS 140-3; however, agencies may purchase any of the products on the CMVP validated modules list.’” Id. (emphasis in original) (quoting FIPS 140-3, Security Requirements for Cryptographic Modules, NIST Computer Security Resource Center, https://csrc.nist.gov/publications/detail/fips/140/3/final (Mar. 22, 2019)). Lastly, the CISO reasoned, “because FIPS 140 certificates were evaluated as a Boolean (i.e., compliant or noncompliant) no additional weight/emphasis was given for sub-values of ‘active’ or ‘historical.’” Id. Therefore, because both plaintiff and defendant-intervenor proposed equipment with only “active” or “historical” certificates, the CISO found both offerors were “100% Compliant” with FIPS 140-2. Id. The CO’s reevaluation of the proposals was substantively identical to the initial evaluation. The government assigned Plaintiff a “Good” rating under the Technical factor and “Outstanding” rating under the Past Performance factor, both with the same stated strengths. AR at 1747–49. Likewise, the government assigned defendant-intervenor a “Good” rating under the Technical factor and an “Outstanding” rating under the Past Performance factor, both with the same strengths. Id. at 1752–53. The CO provided the same reasoning as the initial best value determination and concluded award of the contract to defendant-intervenor provided the best value to the government. Id. at 1755. On 8 January 2020, the CO informed plaintiff and defendant-intervenor of the award decision following the corrective action. Id. at 1756–57. F. Second GAO Protest On 16 January 2020, plaintiff filed a second protest with GAO. Id. at 1762. Plaintiff asserted the following grounds: (1) “The ITC’s award to Heritage was improper because Heritage’s proposal was technically unacceptable on account of its noncompliant router;” (2) “The ITC’s evaluation of Heritage’s proposal and its best-value decision blatantly ignored the fact that Heritage cannot comply with the solicitation’s mandatory transcript formatting requirements and consequently charges more per page than Ace-Federal;” (3) “The ITC’s bestvalue decision was unreasonable because it failed to account for Heritage’s poor past performance and Ace-Federal’s superior past performance;” and (4) “Heritage’s proposal is unacceptable because Heritage has no intention of complying with FAR 52.219-14, Limitations on Subcontracting.” Id. at 1779, 1784, 1787, 1790. On 28 February 2020, plaintiff filed a supplemental protest arguing “[t]he ITC unreasonably assigned Heritage’s proposal a strength for its ‘digital security’ after concluding that the solicitation’s digital security requirements are inapplicable.” AR at 2892. On 23 April 2020, GAO issued its decision denying plaintiff’s protest. See id. at 3655– 56. First, GAO determined the ITC’s evaluation under the Use of Technology subfactor was reasonable and consistent with the RFQ because the ITC reasonably interpreted NIST guidance as discretionary and the RFQ did not require the ITC to consider an active CMVP validation as a strength over a historical CMVP validation. Id. at 3662–63. Second, GAO stated defendantintervenor’s compliance with transcript formatting requirements is a matter of contract -9- administration not properly raised in a bid protest, and plaintiff did not “demonstrate[] that there was significant countervailing evidence reasonably known to the agency evaluators that should have created any . . . doubt” that defendant-intervenor would comply with the requirements. Id. at 3663–64. Next, GAO found the ITC’s “evaluation of the awardee’s past performance was reasonable and consistent with the terms of the RFQ” because defendant-intervenor’s references provided excellent ratings of its performance and it “received higher past performance ratings than [plaintiff] for its previous work with [the ITC].” Id. at 3666. Additionally, to the extent the ITC knew of defendant-intervenor’s purported historic noncompliance with transcript formatting requirements, GAO found “no basis in the record . . . to conclude that the evaluators were aware, or should have been aware, of complaints regarding Heritage’s formatting of transcripts.” Id. at 3667. Lastly, the record did not support plaintiff’s contention defendant-intervenor would not comply with the subcontracting limitations codified in FAR 52.219-14. AR at 3668. G. Procedural History Before This Court On 22 May 2020, plaintiff filed its complaint in this protest. See Compl., ECF No. 1. On 26 May 2020, defendant-intervenor filed a motion to intervene, which the Court granted the same day. See Mot. by Heritage Reporting Corp. to Intervene as Def., ECF No. 8; Order, ECF No. 9. Pursuant to the Court’s 26 May 2020 order, on 28 May 2020, the parties filed a joint status report with a proposed schedule. See Order, ECF No. 9; Status Report, ECF No. 10. The Court held an initial status conference on 29 May 2020. See Order, ECF No. 9. Also on 29 May 2020, defendant-intervenor filed a motion for protective order, which the Court granted on 2 June 2020, along with setting the briefing schedule. See Intervenor-Def.’s Mot. for Protective Order, ECF No. 11; Order, ECF No. 12. On 5 June 2020, the government filed the administrative record. See AR. On 22 June 2020, plaintiff filed a motion to supplement the administrative record and its motion for judgment on the administrative record. See Pl.’s Mot. to Suppl. Admin. R., ECF No. 24 (“Mot. to Suppl. AR”); Pl.’s Mot. for J. on Admin. R., ECF No. 25 (“Pl.’s MJAR”). On 10 July 2020, the government and defendant-intervenor filed their respective cross-motions for judgment on the administrative record, responses to plaintiff’s motion for judgment on the administrative record, and responses to plaintiff’s motion to supplement the administrative record. See Def.’s Cross-Mot. for J. on Admin. R., & Combined Resp. to Pl.’s Mots. for J. on Admin. R. & Suppl. Admin. R., ECF No. 30 (“Def.’s Cross-MJAR & Resp.”); Def.-Intervenor Heritage Reporting Corp.’s Resp. to Pl.’s Ace-Federal Reporters, Inc.’s Mot. for J. on Admin. R. & Cross-Mot. for J. on Admin. R., ECF No. 31 (“Def.-Intervenor’s Cross-MJAR”); Intervenor-Def.’s Opp’n to Pl.’s Mot. to Suppl. Admin. R., ECF No. 32 (“Def.-Intervenor’s Resp. to Mot. to Suppl. AR”). On 20 July 2020, plaintiff filed its responses to the government’s and defendant-intervenor’s respective cross-motions and replies to the government’s and defendant-intervenor’s respective responses to plaintiff’s motion for judgment on the administrative record. See Pl.’s Combined Resps. to Def.’s and Def.-Intervenor’s Cross-Mots. for J. on Admin. R. & Replies to Def.’s and Def.-Intervenor’s Resps. to Pl.’s Mot. for J. on Admin. R., ECF No. 35 (“Pl.’s Resp. & Reply”). On 30 July 2020, the government and defendant-intervenor filed their respective replies in support of their cross-motions for judgment on the administrative record. See Def.-Intervenor Heritage Reporting Corp.’s Reply in Supp. of Cross-Mot. for J. on Admin. R., ECF No. 37 (“Def.-Intervenor’s Reply”); Def.’s Reply in Supp. of Cross-Mot. for J. on Admin. R., ECF No. - 10 - 38 (“Def.’s Reply”). The Court held oral argument on the parties’ cross-motions for judgment on the administrative record and plaintiff’s motion to supplement the administrative record on 18 August 2020. See Order, ECF No. 20. II. Legal Standards A. Bid Protest Jurisdiction & APA Standard of Review The Tucker Act provides this Court jurisdiction to “render judgment on an action by an interested party objecting to a solicitation by a Federal agency for bids or proposals for a proposed contract or to a proposed award or the award of a contract or any alleged violation of statute or regulation in connection with a procurement or a proposed procurement.” 28 U.S.C. § 1491(b)(1). In rendering such judgment, this Court “review[s] the agency’s decision pursuant to the standards set forth in section 706 of title 5.” Id. § 1491(b)(4). “Among the various [Administrative Procedure Act] standards of review in section 706, the proper standard to be applied in bid protest cases is provided by 5 U.S.C. §706(2)(A): a reviewing court shall set aside the agency action if it is ‘arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law.’” Banknote Corp. of Am., Inc. v. United States, 365 F.3d 1345, 1350–51 (Fed. Cir. 2004) (citing Advanced Data Concepts, Inc. v. United States, 216 F.3d 1054, 1057–58 (Fed. Cir. 2000)). Under this standard, “a court is not to substitute its judgment for that of the agency.” Motor Vehicle Mfrs. Ass’n of U.S., Inc. v. State Farm Mut. Auto Ins. Co., 463 U.S. 29, 43 (1983). “Courts have found an agency’s decision to be arbitrary and capricious when the agency ‘entirely failed to consider an important aspect of the problem, offered an explanation for its decision that runs counter to the evidence before the agency, or [the decision] is so implausible that it could not be ascribed to a difference in view or the product of agency expertise.’” Ala. Aircraft Indus., Inc.-Birmingham v. United States, 586 F.3d 1372, 1375 (Fed. Cir. 2009) (quoting Motor Vehicle Mfrs. Ass’n of U.S., Inc., 463 U.S. at 43). “The arbitrary and capricious standard applicable here is highly deferential” and “requires a reviewing court to sustain an agency action evincing rational reasoning and consideration of relevant factors.” Advanced Data Concepts, 216 F.3d at 1058 (citing Bowman Transp., Inc. v. Arkansas-Best Freight Sys., Inc., 419 U.S. 281, 285 (1974)). B. Supplementation of the Administrative Record Appendix C of the Rules of the Court of Federal Claims (“RCFC”), which establishes this Court’s bid protests procedures, lists twenty-one examples of the possible “relevant core documents” which should be produced in the administrative record. RCFC App’x C ¶ 22. The Court may order the production of additional documents as part of the administrative record. Id. ¶ 24. “It is well settled that the ‘primary focus’ of the court’s review of agency decision making ‘should be the materials that were before the agency when it made its final decision.” Joint Venture of Comint Sys. Corp. v. United States, 100 Fed. Cl. 159, 166 (2011) (quoting Cubic Applications, Inc. v. United States, 37 Fed. Cl. 345, 349–50 (1997)). “[T]o perform an effective review pursuant to the [Administrative Procedure Act (‘APA’)], the court must have a record containing the information upon which the agency relied when it made its decision as well as any - 11 - documentation revealing the agency’s decision-making process.” Vanguard Recovery Assistance v. United States, 99 Fed. Cl. 81, 92 (2011) (citing Citizens to Preserve Overton Park, Inc. v. Volpe, 401 U.S. 402, 420 (1971)). The Federal Circuit has recognized “the parties’ ability to supplement the administrative record is limited.” Axiom Res. Mgmt., Inc. v. United States, 564 F.3d 1374, 1379 (Fed. Cir. 2009). “The purpose of limiting review to the record actually before the agency is to guard against courts using new evidence to ‘convert the “arbitrary and capricious” standard into effectively de novo review.’” Id. at 1380 (quoting Murakami v. United States, 46 Fed. Cl. 731, 735 (2000), aff’d, 398 F.3d 1342 (Fed. Cir. 2005)). “Thus, supplementation of the record should be limited to cases in which ‘the omission of extra-record evidence precludes effective judicial review.’” Id. (quoting Murakami, 46 Fed. Cl. at 735). “In applying this ‘effective judicial review’ test, this court has consistently understood the test as enabling supplementation when necessary, not when merely convenient.” State of N.C. Bus. Enters. Program v. United States, 110 Fed. Cl. 354, 361 (2013) (emphasis added). Another judge of this Court provided the following summary of examples when information may be necessary for effective judicial review: Such information might include tacit knowledge possessed by offeror and agency personnel of a highly technical and complex nature, requiring explication via affidavits or expert testimony. Upon a proper showing, discovery might be allowed seeking information intentionally left out of the record, such as evidence of bias or bad faith. And the record may be supplemented with relevant information, contained in the procurement files or generally known in an industry or discipline, which was inappropriately ignored by an agency. These categories all concern information that is necessary for effective judicial review, because they reflect what was or should have been considered by the agency. East West, Inc. v. United States, 100 Fed. Cl. 53, 57 (2011). Following the Axiom Resource decision, other judges of this Court began to distinguish parties’ efforts to complete the administrative record from requests to supplement the administrative record. For example, in Joint Venture of Comint Systems Corp. v. United States, after examining Axiom Resource, this Court explained, “[a]dmission of new evidence into an agency-assembled record is a separate and distinct issue from completing the record through incorporation of materials generated or considered by the agency itself during the procurement process.” Joint Venture of Comint Sys. Corp., 100 Fed. Cl. at 167 (citing NEQ, LLC v. United States, 86 Fed. Cl. 592, 593 (2009)). Additionally, in Linc Government Services, LLC v. United States, the Court expounded: “A procuring agency’s initial submission to the court may omit information that is properly part of the administrative record because it served as a basis for the agency’s award decision. In such instances, subsequent admission of the omitted information is appropriate not to supplement the record, but to complete it.” Linc Gov’t Servs., LLC v. United States, 95 Fed. Cl. 155, 158 (2010) (internal citations omitted) (emphasis added). C. Judgment on the Administrative Record in a Bid Protest - 12 - Rule 52.1(c) of the Rules of the Court of Federal Claims “provides for judgment on the administrative record.” Huntsville Times Co. v. United States, 98 Fed. Cl. 100, 104 (2011). Rule 52.1(c) was “designed to provide for trial on a paper record, allowing fact-finding by the trial court.” Bannum, Inc. v. United States, 404 F.3d 1346, 1356 (Fed. Cir. 2005). This Court may set aside a contract award if: “(1) the procurement official’s decision lacked a rational basis; or (2) the procurement procedure involved a violation of regulation or procedure.” Impresa Construzioni Geom. Domenico Garufi v. United States, 238 F.3d 1324, 1332 (Fed. Cir. 2001). “When a challenge is brought on the second ground, the disappointed bidder must show ‘a clear and prejudicial violation of applicable statutes or regulations.’” Id. at 1333 (quoting Kentron Haw., Ltd. v. Warner, 480 F.2d 1166, 1169 (D.C. Cir. 1973)). “[D]e minimis errors do not require the overturning of an award.” Grumman Data Sys. Corp. v. Dalton, 88 F.3d 990, 1000 (Fed. Cir. 1996). “De minimis errors are those that are so insignificant when considered against the solicitation as a whole that they can safely be ignored and the main purposes of the contemplated contract will not be affected if they are.” Id. (internal quotation marks omitted) (quoting Andersen Consulting v. United States, 959 F.2d 929, 935 (Fed. Cir. 1992)). A bid protest plaintiff must establish alleged “errors in the procurement process significantly prejudiced [it]” by showing “there was a ‘substantial chance’ it would have received the contract award but for the errors.” Bannum, Inc., 404 F.3d at 1353. D. Permanent Injunction When deciding whether a permanent injunction is warranted, a court considers: (1) whether, as it must, the plaintiff has succeeded on the merits of the case; (2) whether the plaintiff will suffer irreparable harm if the court withholds injunctive relief; (3) whether the balance of hardships to the respective parties favors the grant of injunctive relief; and (4) whether it is in the public interest to grant injunctive relief. PGBA, LLC v. United States, 389 F.3d 1219, 1228–29 (Fed. Cir. 2004). III. Supplementation of the Administrative Record Since supplementation of the administrative record permeates the arguments on the merits, the Court first considers whether supplementation is appropriate in this case. See State of N.C. Bus. Enters. Program, 110 Fed. Cl. at 361 (“Before proceeding to the merits, the court considers the propriety of supplementing the administrative record.”); Holloway & Co. v. United States, 87 Fed. Cl. 381, 391–92 (2009) (analyzing supplementation of the administrative record before reaching the merits). A. The Parties’ Arguments Plaintiff moved to supplement the administrative record with: (1) [CMVP] Certificate No. 950 and accompanying NIST validation notes associated with Heritage’s proposed Cisco 881W router; (2) “all transcripts that defendant-intervenor . . . produced while performing prior - 13 - court reporting services contracts with [the ITC]:” and (3) “Heritage’s prior contracts with the ITC for court reporting services.” Mot. to Suppl. AR at 3. Plaintiff argues supplementation with CMVP Certificate No. 950 and its corresponding validation notes is necessary because “[a] central issue to this protest is whether the ITC should have declared Heritage’s proposal technically acceptable not only because Heritage’s router no longer holds an Active FIPS 140-2 validation but also due to the reasons that the router no longer holds such a validation.” Id. at 12. Thus, “if the agency had considered the fact that the Cisco 881W router uses RNG algorithm X9.31 and the reasons surrounding NIST’s disallowance of that algorithm—as shown in CMVP Certificate No. 950 and the associated NIST validation notes—it could not have rationally concluded that Heritage’s proposal complied with the terms of the solicitation and applicable law.” Id. Next, plaintiff argues defendant-intervenor’s previous transcripts and ITC contract are “central to Ace-Federal’s protest grounds challenging the ITC’s evaluation of Heritage’s proposal under the Past Performance and Price factors and the agency’s conclusion that Heritage’s proposal presented a better value than Ace-Federal’s.” Id. at 4–5. As to the past performance evaluation, plaintiff contends the ITC “had at least constructive knowledge” of defendant-intervenor’s alleged past noncompliance with transcript formatting requirements “because Heritage’s contracts required it to deliver a copy of each transcript to the agency.” Id. at 7. Plaintiff therefore contends without supplementation with the transcripts and previous contract, it is “impossible for the Court to know whether those transcripts violated the terms of Heritage’s contracts or to assess whether the agency was required to review those transcripts to determine whether they complied with the contract requirements.” Id. at 9. The government opposes plaintiff’s motion to supplement the administrative record, arguing “the Commission did not consider [the requested materials], nothing in the RFQ required the Commission to consider [the requested materials], and they are unnecessary for the Court to adjudicate this case.” Def.’s Cross-MJAR at 48. Concerning the CMVP certificate and validation notes, the government asserts, “[e]ven if Ace believes that the router ‘should have been unacceptable[]’ because of the algorithm transition, the existing record already reflects the information that Ace seeks to add because the Cisco 881W certificate and the cited Special Publication both note the algorithm transition.” Id. at 48–49. Regarding the transcripts, the government argues “their only utility is to undermine the actual close-at-hand information the Commission collected and considered—namely, the Past Performance Questionnaire completed by Commission staff, which confirmed that Heritage complied with its contract’s technical requirements.” Id. The government therefore contends plaintiff “fails to show what these particular documents demonstrate that is not already in the existing record.” Id. at 49. Defendant-intervenor also opposes plaintiff’s motion to supplement the administrative record, arguing plaintiff “hopes to use this supplemental documentation to argue that . . . the agency was required to look beyond the ‘historical’ . . . NIST [CMVP] rating assigned to the Heritage proposed router, the Cisco 881W, and to perform an independent algorithmic analysis of one of the seven FIPS algorithms used by that device, an analysis that was neither contemplated by the solicitation nor conducted by the Agency.” Def.-Intervenor’s Resp. to Mot. to Suppl. AR at 6. Defendant-intervenor thus maintains, based on the solicitation, the ITC “was entitled to rely on the NIST CMVP router certificate,” not “delv[ing] into the underlying algorithm determinations,” and “if that argument is correct, the current record is sufficient for the Court to review the USITC’s evaluation.” Id. at 8. Next, defendant-intervenor characterizes - 14 - plaintiff’s motion as asking “the Court to supplement the record with about a million pages of material, which was not before the Agency during its evaluation, for the purpose of asking this Court to conduct a de novo review in the manner Plaintiff would have desired.” Id. at 2 (internal footnote omitted). To the extent plaintiff seeks supplementation with the 2019 contract and transcripts produced thereunder, “the 2019 contract was awarded after the USITC conducted the past performance and price evaluations that are being challenged in this protest,” rendering them irrelevant to this protest. Id. at 3. Defendant-intervenor also notes “a copy [of] the 2019 contract is already a part of the record.” Id. (citing AR Tab 15). Defendant-intervenor argues “the ITC did consider Heritage’s performance as part of the past performance evaluation” by considering “past performance questionnaire responses from four of Heritage’s reference contracts,” including the ITC. Id. Therefore, defendant-intervenor maintains “Plaintiff wants this Court to reconsider not the past performance evaluation in this procurement, but the underlying evaluation of Heritage’s performance on the Pre-2014 Contract that expired by its own terms more than six years ago,” which “is exactly the type of de novo review that the Federal Circuit cautioned against in Axiom.” Def.-Intervenor’s Resp. to Mot. to Suppl. AR at 4. B. Analysis 1. CMVP Certificate No. 950 and Validation Notes Plaintiff seeks to supplement the administrative record in this case with the addition of CMVP Certificate No. 950 and its validation notes. See Mot. to Suppl. AR at 9–12. CMVP Certificate No. 950 corresponds to one of seven algorithms the Cisco 881W router uses. See id. at 10–11. Under the heading “Algorithm Capabilities” on Certificate No. 950, the following language is noted as follows with strikethrough: “RNG ANSI X9.31: Core Algorithm: TDES2Key.” Id. at 11. The validation notes accompanying Certificate No. 950 confirm the RNG algorithm capabilities are crossed out on Certificate No. 950 because it is no longer approved. Id. at 12. Plaintiff argues: “if the agency had considered the fact that the Cisco 881W router uses RNG algorithm X9.31 and the reasons surrounding NIST’s disallowance of that algorithm—as shown in CMVP certificate No. 950 and the associated NIST validation notes—it could not have rationally concluded that Heritage’s proposal complied with the terms of the solicitation and applicable law.”2 Id. Plaintiff clarified during oral argument that “this is an alternative argument.” Tr. at 29:10–11, ECF No. 50. Plaintiff’s primary argument is FIPS 140-2 prohibits federal agencies from procuring services using cryptographic modules with a historical CMVP validation. See id. at 29:11–25. Assuming the agency had discretion to procure such services, or an exception applied, plaintiff argues the ITC would be required to make a risk assessment considering the reason why the module had a historical validation. See id. at 30:1–31:22. Plaintiff confirmed its case is “not dependent on this supplementation,” but CMVP Certificate 2 Plaintiff clarified during oral argument if the ITC considered Certificate No. 950 and its validation notes, then the standard for completion of the record would apply rather than supplementation. See Tr. at 23:3–24:1. Plaintiff explained, however, “it’s unclear from the record if the agency actually looked at them,” but “if they didn’t look at them, . . . it would be a supplementation issue.” Id. at 23:23–24:1. Plaintiff assumes for the purposes of its motion the agency did not consider Certificate No. 950 and its validation notes, invoking the supplementation standard under Axiom. Id. at 24:1–3. Plaintiff does not point to—and the Court cannot locate—any evidence in the record Certificate No. 950 and its validation notes were before the ITC. - 15 - No. 950 and its validation notes are “further evidence that if the agency had reasonably assessed the information available through the CMVP with respect to this proposed router, there would have been additional information that would have called into question its acceptability.” Id. at 24:12–18. Plaintiff presents an either-or proposition: either the ITC may not procure services proposing use of historically validated hardware, or if the ITC may procure such services, it must engage in a technical analysis of the reason why the hardware holds a historical validation. The Solicitation stated the ITC would “evaluate the offeror’s ability to meet the [FIPS 140-2], Security Requirements for Cryptographic Modules.” AR at 30. In both the initial evaluation and the subsequent CISO evaluation of FIPS 140-2 compliance, the agency adhered to this evaluation scheme. The CO noted “Heritage’s proposed use of technology highlights their proposed hardware/software elements and . . . shows a thorough grasp of the technical requirements and reduces risk to the federal government by providing a detailed and auditable technical implementation.” Id. at 190. When reviewing plaintiff’s and defendant-intervenor’s FIPS 140-2 compliance after the first GAO protest, the CISO explained “[o]ffers were evaluated by reviewing the [CMVP] certificate number(s) in each proposal to confirm FIPS 140-2 compliance.” Id. at 2309. Additionally, “[f]or the purposes of the evaluation certification, values of ‘active’ or ‘historical’ are considered compliant.” Id. Based on the Solicitation’s evaluation scheme, it was appropriate for the ITC to consider the router CMVP certificate numbers cited in each proposal when considering FIPS 140-2 compliance. The details in Certificate No. 950, however, extend beyond the scope of the Solicitation because the Solicitation did not require the agency to do a full technical analysis of the algorithm risk or consider “the reasons surrounding NIST’s disallowance of that algorithm.” Mot. to Suppl. AR at 12; see also East West, Inc., 100 Fed. Cl. at 57 (“These categories all concern information that is necessary for effective judicial review, because they reflect what was or should have been considered by the agency.”). Were the Court to consider these details, which are beyond the scope of the Solicitation and not something the agency considered during evaluation, the Court would be conducting a de novo technical evaluation of the proposals, which is beyond the Court’s bid protest jurisdiction. See Axiom Resource Mgmt., 564 F.3d at 1380 (“The purpose of limiting review to the record actually before the agency is to guard against courts using new evidence to ‘convert the “arbitrary and capricious” standard into effectively de novo review.’”) (quoting Murakami, 46 Fed. Cl. at 735). For the reasons discussed in greater detail in Sections IV.B and IV.C, ITC reasonably concluded hardware with historical validation was compliant for this procurement. Furthermore, nothing required ITC to consider the reasons why the Cisco router holds a historical status, including “the reasons surrounding NIST’s disallowance of [the RNG] algorithm,” as depicted by the strikethrough algorithm details on Certificate No. 950. Mot. to Suppl. AR at 12. Thus, the Court finds plaintiff’s either-or proposition incorrect. Moreover, Certificate No. 1700, which corresponds to the Cisco 881W router and is already part of the record, indicates the reason for its historical status is “RNG SP800-131A Revision 1 Transition,” referencing the same disallowance reason as listed on Certificate No. 950. AR at 2899. This Court “has consistently understood the [effective judicial review] test as enabling supplementation when necessary, not when merely convenient.” State of N.C. Bus. Inters. Program, 110 Fed. Cl. at 361 (emphasis added). Therefore, even under plaintiff’s - 16 - alternative argument the agency should have considered Certificate No. 950 and its validation notes to consider “the reasons surrounding NIST’s disallowance of [the RNG] algorithm,” the reasons are on Certificate No. 1700, which is in the record and sufficient for effective judicial review. Mot. To Suppl. AR at 12. For these reasons and the reasons set forth in further detail below, the Court finds supplementation of the administrative record with these materials is inappropriate and unnecessary for effective judicial review. 2. Transcripts and Contracts Plaintiff also seeks supplementation of the administrative record with defendantintervenor’s previous ITC court reporting contracts and all transcripts produced thereunder. See Mot. to Suppl. AR at 4–9. The proposed supplementation would demonstrate defendantintervenor’s alleged historical noncompliance with transcript formatting requirements under previous contracts, which plaintiff contends the agency should have considered when evaluating defendant-intervenor’s past performance. See id. at 6–8. Plaintiff argues these materials should be part of the administrative record because it is “impossible for the Court to know whether those transcripts violated the terms of Heritage’s contracts or to assess whether the agency was required to review those transcripts to determine whether they complied with the contract requirements . . . .” Id. at 9. The Solicitation provided offerors’ past performance would be based on past performance questionnaires and required offerors to “submit a minimum of three (3) past experience/past performance references of similar work and scope.” AR at 29. The Solicitation further indicated “[t]he Government may also use past performance information obtained from the Past Performance Information Retrieval System (PPIRS), Federal Awardee Performance and Integrity Information System (FAPIIS), and any other past performance information available to the Contracting Officer, such as but not limited to performance history under USITC.” Id. at 31. The ITC based its past performance evaluation of both plaintiff and defendant-intervenor on the questionnaires their respective references submitted, including the ITC. Id. For both offerors, the ITC submitted past performance questionnaires specifying both parties complied with all technical requirements of the contract. Id. at 104, 152. The Solicitation required the ITC to consider the past performance questionnaires but did not require the ITC to reexamine the offerors’ past work product for compliance with an expired contract. To the extent plaintiff seeks to impute to the ITC constructive knowledge of alleged noncompliance with the requirements of defendant-intervenor’s ITC contract ending in 2014, the issue is irrelevant to this case. Nothing on the face of the past performance questionnaires from defendant-intervenor’s references, including the ITC’s reference, raised any question whether defendant-intervenor had “Exceptional” references. See, e.g., AR at 150. Nothing required the ITC to then search for negative information to rebut the “Exceptional” references. See id.; see also East West, Inc., 100 Fed. Cl. at 57 (“These categories all concern information that is necessary for effective judicial review, because they reflect what was or should have been considered by the agency.”). Supplementing the record with defendant-intervenor’s previous contracts and transcripts would invite the Court to consider a matter of management of an expired contract, thereby confusing the issues in this case and placing the Court in a position to conduct a de novo review of the ITC’s past performance evaluation. See Axiom Resource Mgmt., 564 F.3d at 1380 (“The purpose of limiting review to the record actually before the agency is to guard against courts using new evidence to ‘convert the “arbitrary and capricious” standard into - 17 - effectively de novo review.’”) (quoting Murakami, 46 Fed. Cl. at 735). For these reasons and the reasons set forth in further detail below, the Court finds supplementation of the administrative record with these materials is inappropriate and unnecessary for effective judicial review.3 IV. Judgment on the Administrative Record Related to the ITC’s Technical Evaluation A. The Parties’ Arguments Regarding the ITC’s Technical Evaluation Plaintiff argues “[t]he ITC failed to comply with NIST’s requirements” of only procuring services with active FIPS 140-2 certificates by “accept[ing] Heritage’s proposal despite Heritage’s plan to use the Cisco 881W router,” which has a historical certificate. Pl.’s MJAR at 16. Plaintiff thus also contends the ITC arbitrarily and capriciously found defendant-intervenor’s proposal technically acceptable and assigned its proposal a strength for defendant-intervenor’s digital security approach. Id. at 31, 40. The government argues plaintiff fails to demonstrate the ITC’s technical evaluation lacks a rational basis because the ITC reasonably determined historical certificates were FIPS 140-2 compliant. Def.’s Cross-MJAR at 22–24. According to the government, neither the RFQ nor FIPS 140-2 differentiates between active and historical validation certificates. Id. at 25–27. The government also contends the ITC was reasonable in determining defendant-intervenor’s approach to digital security was a “strength” and its overall technical rating was “good.” Id. at 34–35. Defendant-intervenor argues the ITC rationally evaluated the proposals under the technical factor because nothing prohibited the ITC from procuring services using equipment with historical validation certificates and the ITC reasonably determined NIST guidance prohibiting historically validated hardware did not apply to service procurements like this one. Def.-Intervenor’s Cross-MJAR at 22–31. Additionally, “[t]o the extent the RFQ had any ambiguity” concerning active and historical certificates, “that ambiguity was patent,” and plaintiff waived the argument by failing to raise it prior to award. Id. at 31. B. Whether NIST Website Guidance Prohibited the ITC from Procuring Services Using Historically Validated Hardware The Solicitation’s SOW, under the heading “Digital Security,” provided: “[e]ncryption utilizing [FIPS 140-2] . . . is applicable to the services provided under this contract.” AR at 22. Offerors were therefore required to “employ encryption utilizing [FIPS 140-2] validated cryptographic modules operated in the FIPS-approved mode.” Id. The Solicitation instructed offerors to “propose cryptographic modules and . . . state the National Institute of Standards and Technology (NIST) Cryptographic Module Validation Program (CMVP) certificate number(s) of the cryptographic modules that are being proposed.” Id. at 28. The Solicitation stated the ITC would “evaluate the offeror’s ability to meet the [FIPS 140-2] Security Requirements for Cryptographic Modules.” Id. at 30. FIPS 140-2 provides, “[c]ryptographic modules that are To the extent defendant-intervenor’s past transcripts are relevant to this case, the administrative record already contains hundreds of pages of its transcripts. See, e.g., AR at 981–1546. 3 - 18 - validated under the CMVP will be considered as conforming to this standard.” Nat’l Inst. for Standards & Tech., FIPS 140-2 Security Requirements for Cryptographic Modules, at iv (2001), https://csrc.nist.gov/publications/detail/fips/140/2/final. Plaintiff argues “[t]he ITC failed to comply with NIST’s requirements” as set forth in FIPS 140-2 because defendant-intervenor proposed use of a router holding a historical, rather than active, CMVP validation. Pl.’s MJAR at 16. Plaintiff cites various pages of the CMVP website providing digital security guidance to federal agencies to support its contention federal agencies are prohibited from procuring services using equipment holding any status other than active. See id. at 17, 22. For example, plaintiff highlights guidance declaring “[i]f a validation certificate is marked as historical, Federal Agencies should not include these [cryptographic modules] in new procurement[s].” Id. at 22 (emphasis omitted). A full review of FIPS 140-2, however, reveals no distinction between active and historical validations. During oral argument, the Court asked plaintiff if any law or regulation contains the same provision plaintiff quoted from the CMVP website. Tr. at 72:2–4. Plaintiff responded, “the agency is bound to use the NIST website,” and it is required to “implement FIPS 140-2 validated modules,” which is “one that CMVP has validated.” Id. at 72:6, 11–12. The Department of Commerce, through NIST, promulgated FIPS 140-2 following the APA’s notice-and-comment rulemaking procedures. See Announcing Approval of Federal Information Processing Standard (FIPS) 140-2, Security Requirements for Cryptographic Modules, 66 Fed. Reg. 34,154-02 (June 27, 2001) (explaining NIST’s issuance of FIPS 140-2 as a binding regulation after a notice-and-comment period). FIPS 140-2 is thus a legislative rule with the force and effect of law. Perez v. Mortg. Bankers Ass’n, 575 U.S. 92, 96 (2015) (quoting Chrysler Corp. v. Brown, 441 U.S. 281, 302–03 (1979) (internal quotation marks omitted) (“Rules issued through the notice-and-comment process are often referred to as ‘legislative rules’ because they have the ‘force and effect of law.’”)). The same notice-and-comment requirement does not apply “to interpretative rules, general statements of policy, or rules of agency organization, procedure, or practice.” 5 U.S.C. § 553(b)(3)(A). The Supreme Court has observed “opinion letters—like . . . policy statements, agency manuals, and enforcement guidelines . . . lack the force of law.” Christensen v. Harris Cty., 529 U.S. 576, 587 (2000); see also Butterbaugh v. Dep’t of Justice, 336 F.3d 1332, 1340 (Fed. Cir. 2003) (quoting Christensen, 529 U.S. at 587) (finding agency policy guidance, like “‘policy statements, agency manuals, and enforcement guidelines,’ . . . lack the force of law . . . .”); Hamlet v. United States, 63 F.3d 1097, 1103 (Fed. Cir. 1995) (“Obviously, not every piece of paper released by an agency can be considered a regulation entitled to the force and effect of law.”). While there is disagreement over the definition of interpretive rules, “it suffices to say that the critical feature of interpretive rules is that they are ‘issued by an agency to advise the public of the agency’s construction of the statutes and rules which it administers.’” Perez, 575 U.S. at 97 (quoting Shalala v. Guernsey Mem’l Hosp., 514 U.S. 87, 99 (1995)). Regarding the website interpretation, interpretive rules “do not have the force and effect of law and are not accorded that weight in the adjudicatory process.” Shalala, 514 U.S. at 99. Thus, the CMVP website does not have the force and effect of law because it is an “interpretative rule[], general statement[] of policy, or rule[] of agency organization, procedure, or practice.” 5 U.S.C. § 553(b)(3)(A). - 19 - Plaintiff argues NIST, through the CMVP website, forbids historical certifications from inclusion in procurements like the one in this case. Pl.’s Resp. & Reply at 12. Plaintiff asks the Court to give Skidmore deference to what it perceives to be unambiguous language from CMVP website guidance as NIST’s interpretation of its own legislative rule. Pl.’s Resp. & Reply at 13. Plaintiff raised this argument in a short conclusory paragraph in its reply and response brief and in a conclusory manner at oral argument. Id.; Tr. at 79:24–80:3. Skidmore describes the standard courts use to determine how much weight to give agency constructions of statutes and regulations: “[t]he weight of such a judgment in a particular case will depend upon the thoroughness evident in its consideration, the validity of its reasoning, its consistency with earlier and later pronouncements, and all those factors which give it power to persuade, if lacking power to control.’” Skidmore v. Swift & Co., 323 U.S. 134, 140 (1944). Plaintiff notes another judge on this court held “[u]nder Skidmore, courts may give deference to an agency’s interpretation of its governing laws even when the agency does not use its rulemaking authority.” Nippon Paper Indus. USA Co. v. United States, 129 Fed. Cl. 76, 79 (2016) (citing Skidmore, 323 U.S. at 139–40). The weight of Skidmore deference a court may choose to apply ranges from “great respect . . . to near indifference . . . .” United States v. Mead Corp., 533 U.S. 218, 228 (2001). Even if the Court assumes Skidmore deference applies to an agency website, plaintiff did not explain why the CMVP website has persuasive power to make it worthy of something closer to “great respect” as opposed to “near indifference.” See Skidmore, 323 U.S. at 140; Mead Corp., 533 U.S. 218. Plaintiff instead asserted, “[g]iven the authority vested in NIST, the NIST and CMVP guidance are compelling evidence of the intent behind FIPS 140-2 and binding standards in their own right.” Pl.’s Resp. & Reply at 13. Defendants dispute whether the CMVP website forbids historical certifications. According to defendant-intervenor, regardless of whether the Court treats the website with deference, neither the website nor any other “regulation . . . says that an agency cannot use a cryptographic module with a historical rating. . . . [T]he burden is on the protestor to demonstrate that and he hasn’t done so.” Tr. at 83:18–21. The government similarly emphasized the CMVP website does not state what plaintiff alleges: “the Court can consider [the website], it can consider what the agency did, but . . . the question is whether or not that guidance says . . . that a historical certificate is not FIPS 140-2 validated. It doesn’t say that. And that’s what [plaintiff] needs it to say, and it doesn’t say that.” Id. at 84:11–17. Deference is appropriate when “policies are made in pursuance of official duty, based upon more specialized experience and broader investigations and information than is likely to come to a judge in a particular case.” Skidmore, 323 U.S. at 139. NIST is empowered to set federal government information systems standards. See 15 U.S.C. § 278g-3(a). Also, through the CMVP, NIST “validates cryptographic modules to [FIPS] 140-2 and other cryptography based standards.” Nat’l Inst. for Standards & Tech., FIPS 140-2, at iii. While NIST’s congressionally prescribed expertise suggests its website interpretation of its legislative rules is worthy of consideration, the CMVP website presents no information as to its authorship or definitiveness. See Tr. at 72:21–75:10 (responding to questioning by the Court, plaintiff’s counsel was unable to clarify the authoritativeness of website details beyond describing it as - 20 - “subregulatory”). Further, NIST did not present plaintiff’s preferred interpretation—or any other interpretation—to the Court because NIST is not party to this case. See Hydro Res., Inc. v. United States Env’t Prot. Agency, 608 F.3d 1131, 1146 n.10 (10th Cir. 2010) (en banc) (highlighting the importance of affected parties’ participation in the adversarial process when considering whether to apply Skidmore deference). Plaintiff requests the Court give deference to NIST through the CMVP website, yet the meaning of the website plaintiff proposes to the Court includes plaintiff’s own interpretation of the CMVP website. Granting deference to a plaintiff’s interpretation of a nonlitigating agency’s website would require the Court to speculate what NIST’s position would be on the weight and meaning of the website, as well as straining the adversarial process. See id. (noting a court relies on the adversarial process “to test the issues for [its] decision and from concern for the affected parties to whom [it] traditionally extend[s] notice and an opportunity to be heard on issues that affect them”). Plaintiff also claims the ITC seeks Skidmore deference for its own interpretation of NIST’s regulations. Tr. at 81:17–22 (“[T]he Federal Circuit expressly said that it gives no deference to agency interpretations of other agency regulations. And that’s what the ITC is doing here. They’re saying we [the ITC] have the authority to interpret what a validation is.”). Federal Circuit precedent clarifies: “only the interpretation of the agency that promulgated the regulation matters.” Allegheny Teledyne Inc. v. United States, 316 F.3d 1366, 1378 (Fed. Cir. 2003).4 Contrary to plaintiff’s claim, however, the ITC does not ask for deference to its construction of the CMVP website; rather, the ITC asks the Court to review its actions under an arbitrary and capricious standard of review pursuant to the APA. Def.’s Cross-MJAR at 19 (“This Court reviews bid protests using the standard of review set forth in the Administrative Procedure Act (APA) and considers whether the agency action was arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law.”) The ITC’s matter-of-fact statement of the standard of review is not a request the Court grant Skidmore deference to any construction of relevant statutes or regulations. While Skidmore directs courts to consider “all those factors which give [an agency interpretation of a statute or regulation] power to persuade,” the ITC asks for arbitrary and capricious review of its compliance with NIST’s regulations. Skidmore, 323 U.S. at 140. This case presents an APA question related to arbitrary and capricious review, not an abstract deference question. See Kisor v. Wilkie, 139 S. Ct. 2400, 2432 (2019) (Gorsuch, J., concurring in the judgment) (noting a court discussing the “rules governing judicial review of federal agency action” does not, or at least should not, be “writing on a blank slate or exercising Judges on this court have carved a narrow exception to Allegheny’s prohibition on one agency’s interpretation of another agency’s regulations. See, e.g., Colon v. United States, 132 Fed. Cl. 655, 661–62 (2017) (“Where an agency interprets regulations promulgated by a different agency, such an interpretation is also afforded deference when the interpreting agency is authorized to adopt or implement the regulations at issue.”); see also Bortone v. United States, 110 Fed. Cl. 668, 676 (2013) (internal citations omitted) (“While deference is generally only afforded to an agency’s interpretation of its own rules and regulations, courts will give deference to an agency’s interpretation of regulations drafted by another agency where, as here, the interpreting agency adopts and administers the subject regulations.”); Murphy v. United States, 130 Fed. Cl. 554, 562 (2017) (“Courts afford deference to an agency’s interpretation of regulations drafted by another agency, when the non-drafting agency is authorized to adopt or implement the subject regulations.”). Regardless of whether this carve out is consistent with Allegheny, the ITC’s interpretation of the CMVP website does not fall under the exception because the ITC does not “adopt or implement” NIST’s regulations. See Colon, 132 Fed. Cl. at 661–62. 4 - 21 - some common-law-making power. [It is] supposed to be applying the Administrative Procedure Act.”). In bid protests, the Court follows 5 U.S.C. §706(2)(A): “a reviewing court shall set aside the agency action if it is ‘arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law.’” Banknote Corp. of Am., Inc., 365 F.3d at 1350–51 (quoting Advanced Data Concepts, Inc., 216 F.3d at 1057–58). Under this standard, “a court is not to substitute its judgment for that of the agency.” Motor Vehicle Mfrs. Ass’n of U.S., Inc., 463 U.S. at 43; see also Advanced Data Concepts, 216 F.3d at 1058 (citing Bowman Transp., Inc., 419 U.S. at 285) (holding the court must “sustain an agency action evincing rational reasoning and consideration of relevant factors”); Ala. Aircraft Indus., Inc.-Birmingham, 586 F.3d at 1375 (quoting Motor Vehicle Mfrs. Ass’n of U.S., Inc., 463 U.S. at 43) (agency action fails the APA standard of review when it has “‘entirely failed to consider an important aspect of the problem, offered an explanation for its decision that runs counter to the evidence before the agency, or [the decision] is so implausible that it could not be ascribed to a difference in view or the product of agency expertise.’”). The CMVP website states the following: If a validation certificate is marked as revoked, the module validation is no longer valid and may not be referenced to demonstrate compliance to . . . FIPS 140-2. If a validation certificate is marked as historical, Federal Agencies should not include these in new procurement[s]. This does not mean that the overall FIPS140 certificates for these modules have been revoked[;] rather[,] it indicates that the certificates and the documentation posted with them are either more than 5 years old, or were moved to the historical list because of an algorithm transition. In these cases, the certificates have not been updated to reflect latest guidance and/or transitions, and may not accurately reflect how the module can be used in FIPS mode. . . . Agencies may make a risk determination on whether to continue using the modules on the historical list based on their own assessment of where and how the module is used. Cryptographic Module Validation Program, NIST Computer Security Resource Center, https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules (last updated Aug. 12, 2020) (emphasis added). Notably, this guidance indicates historical status does not mean the validation has been revoked. Additionally, the guidance acknowledges historical modules “can be used in FIPS mode.” Id. It also recognizes there are instances when an agency may use historical modules: when the agency “make[s] a risk determination.” Id. Accordingly, the website’s guidance is either ambiguous or it affirmatively allowed the agency to assess the risk of using historically validated hardware in a service procurement. Any Skidmore deference the Court could grant to the CMVP website, as plaintiff requests, would produce a result either neutral (if the website is ambiguous) or supporting the ITC’s interpretation (if the website allowed the agency to assess the risk). During oral argument, plaintiff asserted, “the solicitation expressly incorporates the CMVP.” Tr. at 80:9–10. To the extent plaintiff contends the Solicitation incorporated the entire program, including its website, the Federal Circuit has stated “the language used in a contract to - 22 - incorporate extrinsic material by reference must explicitly, or at least precisely, identify the written material being incorporated and must clearly communicate the purpose of the reference is to incorporate the referenced material into the contract (rather than merely to acknowledge the referenced material is relevant to the contract, e.g., as background law or negotiating history).” Northrop Grumman Info. Tech., Inc. v. United States, 535 F.3d 1339, 1345 (Fed. Cir. 2008); see also St. Christopher Assocs., L.P. v. United States, 511 F.3d 1376, 1384 (Fed. Cir. 2008) (“This court has been reluctant to find that statutory or regulatory provisions are incorporated into a contract with the government unless the contract explicitly provides for their incorporation.”). The Solicitation, however, merely stated: “[t]he offeror shall propose cryptographic modules and shall state the [NIST CMVP] certificate number(s) of the cryptographic modules that are being proposed.” AR at 28. The Solicitation’s reference to the CMVP does not explicitly incorporate any guidance from the website. Rather, the Solicitation’s mention of CMVP provides instruction for the offeror in compiling its proposal. When considering the “prohibition” in its entire context, the Court finds the CISO’s interpretation of the “prohibition” reasonable: it permitted the ITC to assess whether historically validated hardware could be used for the purposes of this procurement. The Solicitation mentions the CMVP website, and the ITC based its decision on a reasonable interpretation of the CMVP website. These facts indicate the ITC did not “entirely fail[] to consider an important aspect of the problem, [or] offer[] an explanation for its decision that runs counter to the evidence before the agency,” but instead engaged the problem using the evidence before it. Ala. Aircraft Indus., Inc.-Birmingham, 586 F.3d at 1375 (discussing the APA “arbitrary and capricious” standard for reviewing an agency’s procurement decision). The ITC’s interpretation of the CMVP website is not “so implausible that it could not be ascribed to a difference in view or the product of agency expertise.” Id. As a result, the ITC did not arbitrarily or capriciously interpret the CMVP website to allow historically validated hardware for this procurement. See Emery Worldwide Airlines, Inc. v. United States, 264 F.3d 1071, 1085 (2001) (quoting 5 U.S.C. § 706(2)(A)) (“[A] reviewing court must set aside agency actions that are ‘arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law.’ . . . [T]he agency’s action must be upheld as long as a rational basis is articulated and relevant factors are considered.”). C. Whether ITC’s Determination Defendant-Intervenor’s Proposal was Technically Acceptable is Arbitrary and Capricious Plaintiff further argues it was arbitrary and capricious for the ITC to find defendantintervenor’s proposal technically acceptable in light of its proposed router. Pl.’s MJAR at 31. In challenging the ITC’s acceptance of defendant-intervenor’s proposal, plaintiff argues the ITC’s distinction between procurements for goods and services is irrational because “[t]here is no authority to support a finding that FIPS 140-2 or the specific procurement restriction at issue do not apply to service procurements.” Id. at 33. To the contrary, the CISO found support in FIPS 140-3, the most recent NIST cryptography standards promulgated through notice-and-comment rulemaking, for this distinction. AR at 2309 (“The USITC will evaluate the offeror’s ability to meet the Federal Information Processing Standards Publication (FIPS PUB) 140-3, Security Requirements for Cryptographic Modules.”). The CISO looked to the 140-3 requirement because the SOW’s FIPS 140 requirement was forward-looking at version 140-3 despite FIPS 140-2 being the current and applicable version of FIPS 140 at the time the ITC released the - 23 - solicitation and parties submitted offers. Id. The CISO explained FIPS 140-3 provides support for the ITC’s interpretation because it notes “‘[a]gencies should develop plans for the acquisition of products that are compliant with FIPS 140-3; however, agencies may purchase any of the products on the CMVP validated modules list.’” Id. at 2310 (quoting FIPS 140-3, Security Requirements for Cryptographic Modules, NIST Computer Security Resource Center, https://csrc.nist.gov/publications/detail/fips/140/3/final (Mar. 22, 2019)). Additionally, the CISO noted “[a] search of the CMVP list for modules on the active validation list yields results for products that are either hardware, software, firmware, or hybrids.” Id. The CISO therefore concluded FIPS standards applied to procurements of products, rather than services, because the active validation list exclusively discussed products. The Court finds the CISO’s explanation of the distinction between products and services to “evinc[e] rational reasoning.” See Advanced Data Concepts, 216 F.3d at 1058 (citing Bowman Transp., Inc., 419 U.S. at 285). Plaintiff’s disagreement with the interpretation does not render the CISO’s evaluation arbitrary and capricious. “‘If the court finds a reasonable basis for the agency’s action, the court should stay its hand even though it might, as an original proposition, have reached a different conclusion as to the proper administration and application of the procurement regulations.’” Honeywell, Inc. v. United States, 870 F.2d 644, 648 (Fed. Cir. 1989) (quoting M. Steinthal & Co. v. Seamans, 455 F.2d 1289, 1301 (D.C. Cir. 1971)). Plaintiff also argues to the extent an agency opts to procure services using equipment with historical status, the agency must first conduct a risk assessment. Pl.’s MJAR at 17–18. Even assuming the NIST website guidance requires a risk assessment before procuring equipment with historical status, the ITC read the language as applying only to products, not services. The ITC’s CISO quoted the same website guidance in the FIPS 140 evaluation conducted pursuant to the ITC’s corrective action and explained the ITC’s interpretation of the guidance: “procurements for new hardware/software should generally avoid equipment with FIPS140 certificates marked as ‘historical’ in new procurements.” AR at 2310. Further, addressing whether “agencies may make a risk determination on whether to continue using this module based on their own assessment of where and how it is used,” the CISO explained the ITC “does not interpret this language as directed at procurement of services.” Id. The ITC based its interpretation on “the complexity of service provider systems and the fact that those service provider systems are expected to evolve over time and replace equipment as needed.” Id. Therefore, “‘historical’ designations [were] considered compliant for the purposes of this evaluation.” Id. Based on the ITC’s interpretation of the guidance, the agency found no risk of procuring services using historical modules and thus did not conduct a risk assessment in the sense plaintiff maintains NIST’s regulations required. The bid protest standard of review “recognizes the possibility of a zone of acceptable results in a particular case and requires only that the final decision reached by an agency be the result of a process which ‘consider[s] the relevant factors’ and is ‘within the bounds of reasoned decisionmaking.’” Wit Assocs., Inc. v. United States, 62 Fed. Cl. 657, 660 (2004) (quoting Baltimore Gas & Elec. Co. v. Nat. Res. Def. Council, Inc., 462 U.S. 87, 105 (1983)). Although plaintiff interprets the same language differently, the Court finds the CISO evaluation evinces rational reasoning supported by a reasonable explanation of the agency’s interpretation based on the relevant factors. See Honeywell, Inc., 870 F.2d at 648 (quoting M. Steinthal & Co. v. Seamans, 455 F.2d 1289, 1301 (D.C. Cir. 1971)) (“‘If the court - 24 - finds a reasonable basis for the agency’s action, the court should stay its hand even though it might, as an original proposition, have reached a different conclusion as to the proper administration and application of the procurement regulations.’”). D. Whether it was Arbitrary and Capricious for the ITC to Assign DefendantIntervenor’s Technical Proposal a Strength Plaintiff argues the ITC also erred by assigning defendant-intervenor’s proposal a strength for digital security. Pl.’s MJAR at 40. Plaintiff asserts the agency could only have found a strength by failing to consider “the Cisco 881W router was highly risky because its security depends on the X9.31 algorithm that NIST has disallowed due to security vulnerabilities.” Id. Plaintiff contends the ITC should have looked beyond the router’s CMVP certificates to determine why each router holds its current status. Id. Since contracting officers are “entitled to ‘broad discretion . . . to determine whether a proposal is technically acceptable, plaintiff has an unusually heavy burden of proof in showing that the determination . . . was arbitrary and capricious.’” Westech Int’l, Inc. v. United States, 79 Fed. Cl. 272, 286 (2007) (internal citation omitted) (quoting Cont’l Bus. Enters. v. United States, 452 F.2d 1016, 1021 (Ct. Cl. 1971)). Defendant-intervenor’s proposal thoroughly highlighted its technology’s FIPS 140-2 compliance. For example, its proposal stated, “[a] Cisco 881W router is used running in FIPS 140-2 compliant mode with tamper resistant labels.” AR at 113; see also id. (“[Defendantintervenor] will employ encryption technologies utilizing FIPS 140-2 validated cryptography, with our equipment and software configured in FIPS-approved mode . . . . As FIPS 140-3 validated cryptographic modules become available from commercial vendors, [defendantintervenor] will test and implement these modules in the equipment, software[,] and processes dedicated to the USITC contract.”). The CO did not need to look at every algorithm to conclude defendant-intervenor’s proposal “shows a thorough grasp of the technical requirements and reduces risk to the federal government by providing a detailed and auditable technical implementation.” Id. at 190. Nothing in the Solicitation required the ITC to look beyond the CMVP certificates for the routers and investigate the CMVP validations for the algorithms each router uses. The Solicitation stated the ITC would “evaluate the offeror’s ability to meet” FIPS 140-2 standards and “evaluate the offeror’s access to and use of current technology as it relates to court reporting.” AR at 30. The ITC’s consideration of the reasons behind a single algorithm’s disallowance would therefore be beyond the scope of the Solicitation’s requirements. Further, plaintiff’s argument regarding the algorithm invites the Court to conduct a de novo technical evaluation, which goes beyond the scope of the Court’s APA standard of review. Motor Vehicle Mfrs. Ass’n of U.S., Inc., 463 U.S. at 43 (“The scope of review under the ‘arbitrary and capricious’ standard is narrow and a court is not to substitute its judgment for that of the agency.”). “The purpose of limiting review to the record actually before the agency is to guard against courts using new evidence to convert the arbitrary and capricious standard into effectively de novo review.” Axiom Res. Mgmt., Inc., 564 F.3d at 1381 (internal quotation marks omitted). Plaintiff asks the Court to investigate the details of whether the CO looked beyond the CMVP certificates for the routers and inquire into the CMVP validations for each router’s algorithms. Requiring the CO to analyze the underlying algorithms would improperly expand judicial review beyond “the record actually before the agency” and “convert the arbitrary and - 25 - capricious standard into effectively de novo review.” AgustaWestland North America, Inc. v. United States, 880 F.3d 1326, 1331 (2018) (internal quotation marks omitted). For these reasons the Court finds defendant’s technical evaluation reasonable. V. Judgment on the Administrative Record Related to the ITC’s Past Performance Evaluation A. The Parties’ Arguments Regarding the ITC’s Past Performance Evaluation Plaintiff argues the ITC’s evaluation of defendant-intervenor’s proposal was flawed because it did not consider defendant-intervenor’s purported historical noncompliance with transcript formatting requirements and its Contractor Performance Assessment Reports (“CPARs”). Pl.’s MJAR at 42–43. The government asserts plaintiff waived its arguments concerning ITC’s past performance evaluation because it failed to challenge the scope of the ITC’s proposed corrective action, which would only reevaluate the proposals under the use of technology subfactor. Def.’s Cross-MJAR & Resp. at 36. Further, the government argues plaintiff fails to show the ITC’s past performance evaluation lacked a rational basis because the ITC reasonably determined defendant-intervenor’s past performance warranted an “Outstanding” rating, and nothing required the ITC to consider CPARs in evaluating past performance. Id. at 40–41. Responding to plaintiff’s transcript formatting arguments, the government maintains plaintiff “has no standing as a third party to challenge [defendant-intervenor’s] capacity to fulfill contract requirements under the guise of a bid protest,” and such arguments “would require the Commission to assume future non-compliance when no evidence of prior non-compliance was before the evaluators.” Id. at 47. Defendant-intervenor also contends plaintiff waived its past performance arguments by failing to raise them as a challenge to the ITC’s proposed corrective action during the first GAO protest. Id. at 32–33. Even if plaintiff did not waive its past performance arguments, defendant-intervenor nonetheless maintains those arguments are unavailing because ITC’s past performance evaluation was rational. Id. at 33. Defendantintervenor further asserts plaintiff’s transcript formatting arguments are “untimely,” “factually baseless,” and a “matter[] of contract administration.” Id. at 44–45. B. Whether Plaintiff Waived its Past Performance Arguments As a threshold matter, both the government and defendant-intervenor argue plaintiff waived its past performance arguments by failing to protest the agency’s corrective action. “[A] party who has the opportunity to object to the terms of a government solicitation containing a patent error and fails to do so prior to the close of the bidding process waives its ability to raise the same objection afterwards in a § 1491(b) action in the Court of Federal Claims.” Blue & Gold Fleet, L.P. v. United States, 492 F.3d 1308, 1315 (Fed. Cir. 2007). “The same policy underlying Blue & Gold supports its extension to all pre-award situations.” COMINT Sys. Corp. v. United States, 700 F.3d 1377, 1382 (Fed. Cir. 2012). While the Federal Circuit has not applied its Blue & Gold waiver rule to corrective action, this Court has extended the waiver rule to situations in which a protestor did not protest an agency’s proposed corrective action. For example, in XPO Logistics Worldwide Government Services, LLC v. United States, this Court held the plaintiff waived its arguments regarding discussions after it was informed the agency would not hold discussions during its corrective action and did not protest the corrective action. - 26 - 134 Fed. Cl. 783, 799 (2017), aff’d, 713 Fed. App’x 1008 (Fed. Cir. 2018). Similarly, in Anham FZCO v. United States, this Court held the plaintiff waived arguments concerning the awardee’s legal issues because it knew the agency would not consider those issues during its corrective action and failed to challenge the scope of the corrective action. 144 Fed. Cl. 697, 719 (2019). In Technatomy Corp. v. United States, however, this Court declined to extend the waiver rule to arguments the plaintiff could have raised in protesting the agency’s corrective action but did not raise until after the corrective action. 144 Fed. Cl. 388, 391–92 (2019). There, this Court explained the circumstances in which the waiver rule should apply “involve bid protests brought by an initial awardee challenging a decision to undertake corrective action, as such parties are injured by having to win the same award twice, and the decision is neither interlocutory nor without legal consequences.” Id. at 391 (internal citations omitted) (first citing NVE, Inc. v. United States, 121 Fed. Cl. 169, 178–79 (2015), and then citing Sys. Application & Techs., Inc. v. United States, 691 F.3d 1374, 1382, 1384 (Fed. Cir. 2012)). The Court next reasoned, “[i]n contrast, the initially unsuccessful offeror which obtains corrective action as a result of bringing a GAO protest cannot usually be said to have been injured by this remedy, particularly when the GAO recommended the course of action—as that office will only do so when it has been convinced that the protester’s substantial chance of winning the award would thereby be restored.” Id. Applying Technatomy’s principles to its facts, the Court found the plaintiff could not have raised its technical evaluation arguments in a subsequent protest challenging the corrective action, which the GAO recommended, because “the decision which injured plaintiff— the source selection decision—was no longer in force, and none of the technical evaluation decisions which plaintiff challenges were the sort which necessarily disqualified plaintiff.” Id. Therefore, “plaintiff had neither standing nor a ripe claim to pursue once the corrective action was announced. To find otherwise would open the floodgates to bid protests challenging evaluation minutiae brought by parties who had not yet even been excluded from a competitive range.” Id. at 391–92. Moreover, this Court found the plaintiff “preserved these protest grounds by raising them before the GAO in the first place.” Id. at 392. It was “not disputed that plaintiff’s protest grounds concerning the technical evaluations of proposals were previously included in the GAO protest, and a timely, formal objection is all that is necessary to preserve grounds that are subject to Blue & Gold waiver.” Id. Similarly, in Vanguard Recovery Assistance v. United States, another judge of this Court rejected similar arguments and found the plaintiff did not waive arguments it raised at GAO, which were not subject to the agency’s corrective action, and later raised in the subsequent protest before this Court. 99 Fed. Cl. 81, 90–92 (2011). There, this Court similarly noted evaluation arguments raised in a protest challenging the corrective action “would be met with a persuasive ripeness objection.” Id. at 91. Like the plaintiff in Technatomy, here plaintiff raised the same substantive past performance arguments before GAO. See AR at 332. Additionally, although the ITC did not propose to reevaluate past performance during its corrective action, plaintiff promptly objected to the scope of the corrective action and requested GAO not dismiss its first protest. Specifically, plaintiff asserted “the corrective action is too narrow” because, among other reasons, “the ITC will not address . . . its failure to consider [defendant-intervenor’s] noncompliance with the RFQ’s transcript formatting requirements.” Id. at 1737. Plaintiff also - 27 - argued to GAO ambiguities in the notice of corrective action “make it difficult to assess which, if any, of [plaintiff’s] protest grounds it will address or potentially address and hence render academic.” Id. at 1740. Moreover, similar to Technatomy, here, the ITC stated its corrective action would reevaluate its best value determination and produce a new source selection decision. See id. at 1735–36. Therefore, with the original source selection decision no longer in effect, plaintiff likely would not have had standing to raise past performance arguments regarding the source selection decision in a protest challenging the scope of the corrective action. See Technatomy, 144 Fed. Cl. at 391 (“Because of that corrective action, the decision which injured plaintiff—the source selection decision—was no longer in force . . . .”). Consistent with other judges of this Court, the Court declines to extend a Blue & Gold waiver rule to this case and finds plaintiff did not waive its past performance arguments. C. Whether the ITC’s Past Performance Evaluation was Arbitrary and Capricious Plaintiff argues the ITC should have considered defendant-intervenor’s alleged historical noncompliance with transcript formatting requirements in its evaluation of defendantintervenor’s past performance.5 Pl.’s MJAR at 43. In so arguing, plaintiff invokes the “too close at hand” doctrine. Id. Plaintiff relies on this Court’s decision in Seattle Security Services, Inc. v. United States, 45 Fed. Cl. 560 (2000) for the proposition “an agency may not disregard an offeror’s past performance on a contract for the same work that is being solicited.” Id. The government argues the ITC considered all relevant “close-at-hand” information and “did not ignore either (1) information about [defendant-intervenor’s] performance personally known to the Evaluation Team[,] or (2) information relating to [defendant-intervenor’s] contracts with the Commission.” Def.’s Cross-MJAR at 44. Additionally, the government contends “in advancing its wide-margin allegations, [plaintiff] raises a question about future contract administration, which is governed by the Contract Disputes Act, and beyond the scope of the Court’s bid-protest jurisdiction.” Id. at 46. Likewise, defendant-intervenor argues the ITC reasonably relied on defendant-intervenor’s past performance questionnaires, which reported defendant-intervenor complied with all technical requirements for each reference contract, and “the page formatting requirement[s] under the present solicitation are irrelevant to [defendant-intervenor’s] performance under the Pre-2014 Contract.” Def.-Intervenor’s Cross-MJAR at 40. Seattle Security Services concerned a General Services Administration procurement for armed security guards for federal offices and courthouses in Washington and Oregon. 45 Fed. Cl. at 562. The solicitation instructed offerors to provide three contract references from relevant past contracts performed within the last five years, and the CO would contact some or all of the offerors’ references. Id. at 563. The plaintiff previously held separate contracts for Washington and Oregon and listed the CO for each contract as a reference. See id. at 564. The CO for the procurement at issue “did not evaluate the same number of references for each offeror and did not always employ the evaluation form” the CO created to evaluate past performance. Id. To 5 Defendant-intervenor notes in its briefing the record shows plaintiff may have failed to comply with formatting requirements on a transcript it produced of an ITC hearing on 3 October 2019. AR at 2417–18 (Declaration of Ian Quillman, CO at the ITC). See Def.-Intervenor’s Cross-MJAR at 38, (quoting AR at 2417) (“Mr. Quillman stated that during his review of Ace’s performance under its 2019 bridge contract, he reviewed a transcript that Ace completed and found Ace’s margins were not compliant, considering them to be ‘large variances.’”). - 28 - evaluate the plaintiff’s past performance, the CO contacted the Washington contract CO and the reference for another smaller contract. Id. The plaintiff challenged the CO’s past performance evaluation and argued the CO “failed to evaluate properly its performance as the incumbent on the Washington and Oregon contracts, which were being combined” for the procurement, and by inconsistently using the evaluation form. Id. at 566. This Court agreed the CO’s failure to consider the plaintiff’s past performance on both the Washington and Oregon contracts prejudiced plaintiff. Seattle Sec. Servs., Inc., 45 Fed. Cl. at 567. This Court therefore concluded “the CO acted unreasonably in failing to combine the Washington and Oregon contracts for purposes of evaluating plaintiff’s past performance” because “[t]his information was simply too relevant and close at hand to ignore.” Id. at 569. Here, the ITC submitted a past performance questionnaire testifying to defendantintervenor’s performance under its pre-2014 contract providing court reporting services to the ITC, and it considered this questionnaire in evaluating defendant-intervenor’s past performance. AR at 152. The ITC indicated on the questionnaire defendant-intervenor complied with all technical requirements of the contract. Id. Defendant-intervenor’s three other references responded the same, with each reference assessing either “Very Good” or “Exceptional” ratings in every category. Id. at 150–51, 153. Unlike the CO in Seattle Security Services, here, the CO took all past performance questionnaires into account in evaluating past performance. The record does not show evaluators ignored any other information they personally knew or possessed. This Court’s decision in Seattle Security Services is therefore distinguishable from the instant case. Nothing on the questionnaires would have caused the CO to question the accuracy or dependability of the ratings. Moreover, defendant-intervenor’s past transcript formatting does not bear on this contract; compliance with contract requirements is a matter of contract administration not appropriately raised in a bid protest. See MSC Indus. Direct Co. v. United States, 140 Fed. Cl. 632, 652 (2018) (“[A protestor] cannot, as a third party, challenge the capacity of an awardee to fulfill the requirements of the award.”). The CO for this procurement echoed this principle in a declaration submitted to the GAO, which stated: “As the CO, my duties include contract administration. I consider the order form and transcript-formatting requirements in the original contract and the bridge contract to be performance requirements subject to contract administration . . . .” AR at 1898. Even if the past transcript formatting were relevant, there is no evidence in the record showing the evaluators had any personal knowledge of defendantintervenor’s transcript formatting. The ITC’s evaluation of defendant-intervenor’s past performance consisted of a review of four completed past performance questionnaires reflecting defendant-intervenor’s performance and a review of a chart reflecting a summary of CPARs ratings for defendant-intervenor’s past contracts, all of which were rated “Exceptional,” “Very Good,” or “Satisfactory.” Id. at 150–53, 192. From this, the Evaluation Team assigned an “Outstanding” rating to defendant-intervenor’s past performance factor. Id. at 193. Plaintiff argues the ITC “fail[ed] to reasonably consider [defendant-intervenor’s] CPARs” in two respects: first, the information contained in the summary CPARs chart does not support an assignment of an “Outstanding” rating under the past performance factor because the majority of defendant-intervenor’s ratings were merely “Satisfactory;” and second, the ITC did not actually review and consider the CPARs, but instead - 29 - relied on an assessment chart without looking at the underlying reports. Pl.’s MJAR at 49–50. Plaintiff concludes had the ITC given meaningful weight to defendant-intervenor’s CPARs, defendant-intervenor “would have received a lower past performance rating.” Id. at 52. Plaintiff’s argument concerns the assignment of an “Outstanding” rating based on the ratings contained in the summary CPARs chart regarding “minutiae of the procurement process, which involve discretionary determinations of procurement officials that a court will not second guess.” E.W. Bliss Co. v. United States, 77 F.3d 445, 449 (Fed. Cir. 1996). “The Court gives the ‘greatest deference possible’ to a procurement official’s evaluation of a proposal’s technical excellence or quality.” Seaborn Health Care, Inc. v. United States, 101 Fed. Cl. 42, 48 (2011) (quoting Fort Carson Support Servs. v. United States, 71 Fed. Cl. 571, 598 (2006)). Plaintiff fails to identify any objective requirement in FAR Section 42.1502 stating the ITC must review and consider defendant-intervenor’s full CPARs report, as opposed to reviewing and summarizing CPARs ratings. Section 42.1502 sets forth a general policy requiring agencies to input information about a contractor’s performance in CPARs, but it does not universally require agencies to extract CPARs reports as part of a past performance evaluation. See FAR § 42.1502(a). Instead, plaintiff relies on a GAO decision finding an agency unreasonably “relied exclusively upon the assessment chart generated by CPARS listing rating percentages.” JMark Servs., Inc., B-417331.2, 2019 CPD ¶ 277, 2019 WL 3493829, at *8 (Comp. Gen. July 22, 2019); Pl.’s MJAR at 50. Applied to this case, JMark shows the ITC conducted a rational past performance evaluation. The solicitation in JMark required past performance evaluations be a “primary consideration in [the] selection process,” but the Air Force disregarded the questionnaires in favor of a rating derived from CPARs summary charts. JMark Services, Inc., 2019 WL 3493829, at *10. The CPARs charts in the JMark solicitation did not provide information by which the Air Force could determine whether the ratings pertained to relevant experience, meaning the Air Force’s entire evaluation scheme was inconsistent with the solicitation requirements. Id. at *9–10. Here, the ITC’s past performance evaluation also included questionnaires attached to the RFQ. AR at 191–92. Additionally, the RFQ neither required nor prohibited ITC’s review of a CPARs summary chart. There is no basis for plaintiff’s assertion the ITC acted without a rational basis in considering the CPARs chart. See Honeywell, Inc., 870 F.2d at 648 (quoting M. Steinthal & Co. v. Seamans, 455 F.2d at 1301) (“‘If the court finds a reasonable basis for the agency’s action, the court should stay its hand even though it might, as an original proposition, have reached a different conclusion as to the proper administration and application of the procurement regulations.’”). Plaintiff’s assertions thus concern the “minutiae of the procurement process[,] . . . which involve[s] discretionary determinations of procurement officials that a court will not second guess.” E.W. Bliss Co., 77 F.3d at 449. For these reasons the Court finds defendant’s past performance evaluation reasonable. VI. Judgment on the Administrative Record Related to the ITC’s Best Value Determination Plaintiff asserts the ITC conducted a flawed best value tradeoff based on its alleged errors in evaluating the offerors under the technical and past performance factors. Pl.’s MJAR at 52. - 30 - The government argues plaintiff also waived its arguments regarding ITC’s best value determination because plaintiff failed to protest the scope of the ITC’s corrective action, which did not include reevaluating its best value tradeoff. Def.’s Cross-MJAR at 35–39. Finally, defendant-intervenor argues plaintiff’s “challenge to the best-value determination is entirely derivative of its meritless technical, past performance, and price evaluation arguments, which the Court should reject . . . .” Def.-Intervenor’s Cross-MJAR at 47. Plaintiff objected to the scope of the corrective action, arguing “the ITC’s new costtechnical tradeoff and best value decision will be based on [the] same misleading and inaccurate price delta between [plaintiff’s] and [defendant-intervenor’s] proposals.” AR at 1738. Similar to the above analysis regarding waiver of the past-performance evaluation, plaintiff preserved its best value determination arguments by raising them in the first GAO protest. See id. at 334. Plaintiff argues, based on its contention the ITC evaluation of the technical and past performance factors was arbitrary and capricious, the alleged errors tainted the ITC’s best value trade off analysis, rendering the best value determination arbitrary and capricious as well. Pl.’s MJAR at 53. Plaintiff’s arguments regarding the best value trade off depend on the Court finding error with either the technical evaluation or the past performance evaluation. See Pl’s MJAR at 53–55 (arguing the ITC’s best-value decision was unreasonable because of flaws in its technical evaluation and past performance evaluation). Since the Court finds the ITC’s evaluation of the technical and past performance factors was rational, the ITC’s best value determination accordingly did not err. “It is well-established that contracting officers have a great deal of discretion in making contract award decisions, particularly when, as here, the contract is to be awarded to the bidder or bidders that will provide the agency with the best value.” Banknote Corp. of Am., Inc., 365 F.3d at 1355. For these reasons and the reasons discussed in Sections IV and V, the Court finds defendant’s best value determination reasonable. VII. Injunctive Relief In its motion for judgment on the administrative record, plaintiff requested a permanent injunction. See Pl.’s MJAR at 56–58. The Court considers the following factors when determining whether to issue a permanent injunction: “(1) whether . . . the plaintiff has succeeded on the merits of the case; (2) whether the plaintiff will suffer irreparable harm if the court withholds injunctive relief; (3) whether the balance of hardships to the respective parties favors the grant of injunctive relief; and (4) whether it is in the public interest to grant injunctive relief.” PGBA, LLC, 389 F.3d at 1228–29. Turning first to factor one, plaintiff is not entitled to injunctive relief because plaintiff does not prevail on the merits. The Court therefore does not reach the remaining prongs of the test for a permanent injunction. Info. Tech. & Applications Corp. v. United States, 51 Fed. Cl. 340, 357 n.32 (2001), aff’d, 316 F.3d 1312 (Fed. Cir. 2003) (“Absent success on the merits, the other factors are irrelevant.”). VIII. Conclusion For the foregoing reasons, the Court DENIES plaintiff’s motion to supplement the administrative record, DENIES plaintiff’s motion for judgment on the administrative record, and GRANTS the government’s and defendant-intervenor’s respective cross-motions for judgment on the administrative record. The Clerk is directed to enter judgment accordingly. - 31 - IT IS SO ORDERED. s/ Ryan T. Holte RYAN T. HOLTE Judge - 32 -
]]>
Some case metadata and case summaries were written with the help of AI, which can produce inaccuracies. You
should read the full case before relying on it for legal research purposes.
This site is protected by reCAPTCHA and the Google
Privacy Policy and
Terms of Service apply.
