B-310611, Merlin International, Inc., January 2, 2008
DOCUMENT FOR PUBLIC RELEASE
The decision issued on the date below was subject to a GAO Protective Order. This redacted version has been approved for public release.
Decision
Matter of: Merlin International, Inc.
Richard B. Oliver, Esq., McKenna Long & Aldridge, for the protester.
Allison V. Feierabend, Esq., and Joseph P. Hornyak, Esq. Holland & Knight, for MTM Technologies, Inc., an intervenor.
Capt. Joshua Drewitz, Department of the Army, for the agency.
Mary G. Curcio, Esq., and John M. Melody, Esq., Office of the General Counsel, GAO, participated in the preparation of the decision.
DIGEST
Protest that successful vendor’s encryption software does not meet agency’s requirement for compatibility with specified operating systems is denied where vendor’s blanket purchase agreement included required vendor certification of compatibility, which satisfied requirement.
DECISION
Merlin International, Inc. protests the Department of the Army’s issuance of a purchase order to MTM Technologies, Inc. under Federal Supply Schedule (FSS) blanket purchase agreement (BPA) No. FA8771-07-A-0301, for encryption software. Merlin alleges that MTM’s software does not meet the agency’s requirements, and that the agency improperly failed to permit Merlin to compete for the requirement, instead issuing the purchase order to MTM on a sole-source basis.
The Army reports
that the Office of Management and the Budget has directed all federal agencies
to encrypt personal identifiable information and agency sensitive but
unclassified information on all mobile devices.
Agency Report (AR) at 2. Here,
pursuant to this directive, the Army sought to procure commercial-off-the-shelf
data at rest encryption (DAR) software through the issuance of multiple
purchase orders against the Department of Defense (DOD) Enterprise Software
Initiative/General Services Administration (GSA) Smart Buy DAR FSS BPA. The Army determined that, in addition to
being listed on the Smart Buy BPA, the software must meet six
requirements. Justification and
Approval,
From July through
September 2007, the agency reviewed vendors’ BPAs for encryption software
products, and determined that MTM was the only current BPA holder with a
product that met all of its requirements.
Contracting Officer’s Statement at 1.
The Army issued the purchase order to MTM on September 30.
Merlin asserts
that the issuance of the purchase order was improper because MTM’s encryption
software does not meet several of the Army’s requirements. This argument is without merit. The agency’s requirement was for FIPS 140-2
certification for the operating system or, if the certification was
unavailable, a vendor statement attesting that its product operates with the
identified operating systems without modification. MTM’s BPA includes this vendor
statement: “Although not tested and
validated within them, this product or module is also installed without any
modifications in the following operating systems . . . and thus the
cryptography will operate correctly with MAC OS X . . . .” (underline in
original). Certification of FIPS
Validation, MTM’s BPA, at 589. This
vendor statement expressly satisfies the agency’s requirement.
Merlin asserts
that MTM’s software is not compatible with the MAC OS X operating system. In this regard, it cites a statement in MTM’s
BPA that “[MTM’s software does not] currently provide support for the Mac OS X. Support can be easily added . . . .” The parties dispute the meaning of the
reference in this statement to “support.”
Merlin asserts that the reference indicated that MTM’s product does not
operate with the MAC OS X system, contrary to the agency’s requirement. The Army and MTM, on the other hand, state
that the language referred only to help desk support, and had nothing to do
with compatibility with MAC OS X. Agency
Statement,
Merlin also argues
that the MTM software should not be considered compatible with the Windows
Mobile versions 5.0 and 6.0 operating systems, because MTM’s handheld product
was successfully “hacked” during validation testing at Southern Methodist
University (SMU).
This argument is
without merit. First, Merlin does not
identify the handheld product to which it is referring, or explain how it
relates to the validation testing of MTM’s encryption software. Moreover, the Army reports that SMU is not an
authorized federal laboratory for testing products for inclusion on the IAPPL,
and that it did not request testing at SMU.
In any case, the Army only required that the product be FIPS 140-2
certified, or that the vendor statement be provided. As the agency points out, MTM’s vendor
certification letter expressly states that its products will operate correctly,
without modification, in the Windows Mobile 5.0 and 6.0 operating systems. Since MTM included the required vendor
statement in its
Merlin maintains that the Army did not reasonably justify its decision
to purchase the encryption software from MTM on a sole-source basis. Merlin is not an interested party to
challenge this determination. Under the
bid protest provisions of the Competition in Contracting Act of 1984, 31 U.S.C.
sections 3551-56 (2000 and Supp. IV 2004), only an interested party may protest a
federal procurement. That is, a
protester must be an actual or prospective supplier whose direct economic
interest would be affected by the award of a contract or the failure to award a
contract. Bid Protest Regulations,
4 C.F.R. sect. 21.0(a) (2007). Here,
while Merlin states that it will have an acceptable product on the BPA in the
future, it does not dispute that it did not have a product on the BPA that met
all of the agency’s requirements at the time of the sole-source
determination. This being the case,
Merlin would not have been eligible to receive the purchase order if the agency
had not issued it to MTM on a sole-source basis. Thus, Merlin is not an interested party to
challenge the Army’s determination to proceed on a sole-source basis. Sales Resources Consultants, Inc., B‑284943,
B-284943.2,
The protest is denied.
Gary L. Kepplinger
General Counsel
[1]On
November 7, in response to a dismissal request from the Army, Merlin argued for
the first time that the agency should have issued the purchase order for a
limited amount of time so that Merlin would have an opportunity to become
qualified to meet its needs. A protest
based on other than a solicitation impropriety must be filed within 10 days
after the protester knows or should know the basis of protest. 4 C.F.R. sect. 21.2(a)(2). New, independent grounds of protest that
supplement a timely protest must independently satisfy the timeliness
requirements under our Regulations. Advanced
Seal Tech., Inc., B-242362,