GAO decision shows how subjective 'best practices' are


Slalom’s loss to IBM in a $305.6 million competition and subsequent protest defeat is a lesson in why bidders need to seek clarity before they turn in their proposals.

One bidder’s best practice sometimes is an evaluator’s damning weakness.

That seems to be the message from a Government Accountability Office decision that went against Slalom Inc. and in favor of IBM involving a $305.6 million contract. The decision was made in August but released publicly Sept. 13.

IBM won the Falcon contract with the U.S. Citizenship and Immigration Services agency to support software development through a two-phase competition that included oral presentations.

Bidders were given a problem statement and 12 days later conducted an in-person demonstration. They had to build the solution using specific technical tools and platforms.

After a 40-minute presentation and 20 minutes of agency questions, the bidders were given instructions to enhance their solution. They had five hours to implement those instructions and an hour to demonstrate the enhanced solution.

The solicitation said that bidders would be evaluated “on the extent to which the process is consistent with best practices and the approaches planned for Falcon in accordance” with the performance work statement, GAO wrote in its decision.

It seems that the best practice part is where Slalom ran into trouble. USCIS gave Slalom a lower confidence rating because evaluators believed the company didn’t follow the solicitation.

For example, Slalom didn’t use a particular database that housed the test data in a private sub-network. Slalom argued that it didn’t use that approach and instead secured the data a different way that it felt was less complicated.

But DHS said that approach wasn’t a best practice. DHS said Slalom's approach would give “anyone on the internet access while securing in a private subnet is a best practice because it prevents outside access,” GAO wrote, quoting DHS.

Slalom also didn’t use an image scanning tool, which caused the company to miss vulnerabilities in the system.

“Consequently, the record shows that the agency had a reasonable basis to conclude Slalom’s failure to follow these practices compromised the security of the system during the technical demonstration,” GAO wrote.

Slalom argued that DHS used unstated evaluation criteria because the solicitation didn’t say that the database had to be secured. But the solicitation did say that bidders needed to demonstrate best practices including for security, GAO wrote.

As attorney Lucas Hanback wrote on LinkedIn: Slalom’s argument that it used an alternate approach to securing the database raises the question of how to define a best practice.

Hanback, a lawyer with Rogers Joseph O’Donnell, also offered a piece of advice for companies when a solicitation doesn’t clearly define a best practice: ask the agency, using the Q&A process to get a clarification.

A second approach is to file a pre-award protest to force the agency to develop a clearer standard of best practice.

“And, if none of these options were available or successful, it could have better explained why the security measures implemented in its proposal were best practices, preferably with reference to some external and objective standard,” Hanback wrote.

Waiting to make the best practice argument until after the evaluation and award is too late, as Slalom has learned.