In the United States Court of Federal Claims
No. 20-636
(Filed: 22 September 2020*)
***************************************
ACE-FEDERAL REPORTERS, INC., *
*
Plaintiff, *
*
v. * Bid protest; International Trade Commission
* (“ITC”); Cryptographic Module Validation
THE UNITED STATES, * Program (“CMVP”); supplementation of the
* administrative record
Defendant, *
*
and *
*
HERITAGE REPORTING CORPORATION, *
*
Defendant-Intervenor. *
*
***************************************
Michael D. McGill, of Arnold & Porter Kaye Scholer, LLP, with whom was Thomas A.
Pettit, of Washington, DC, for plaintiff.
Eric E. Laufgraben, Senior Trial Counsel, Commercial Litigation Branch, Civil Division,
Department of Justice, with whom were Ethan P. Davis, Acting Assistant Attorney General,
Robert E. Kirschman, Jr., Director, and Douglas K. Mickle, Assistant Director, all of
Washington, DC for defendant. Gina K. Grippando, Assistant General Counsel, U.S.
International Trade Commission, of counsel.
John E. McCarthy Jr., of Crowell & Moring LLP, with whom were Mark A. Ries, Evan
D. Wolff, and Christopher D. Garcia, all of Washington, DC, for defendant-intervenor.
OPINION AND ORDER
HOLTE, Judge.
*
This order was originally filed under seal on 4 September 2020 pursuant to the protective order in this case. The
Court provided parties the opportunity to review this opinion for any proprietary, confidential, or other protected
information and submit proposed redactions no later than 18 September 2020. The parties jointly proposed
redactions on 18 September 2020. The Court accepts the parties’ proposed redactions and reissues the order, with
redacted language replaced as follows: “[XXXXX].”
Plaintiff, Ace-Federal Reporters, Inc. (“plaintiff,” “Ace-Federal,” or “Ace”) brings this
bid protest challenging the U.S. International Trade Commission’s (“ITC”) award of a contract
for court reporting services to defendant-intervenor Heritage Reporting Corporation (“defendant-
intervenor,” “Heritage,” or “HRC”) under Solicitation No. 34300019Q007. Pending before the
Court are plaintiff’s motion for judgment on the administrative record and motion to supplement
the administrative record, as well as the government’s and defendant-intervenor’s respective
cross-motions for judgment on the administrative record. For the following reasons, the Court
DENIES plaintiff’s motion to supplement the administrative record, DENIES plaintiff’s motion
for judgment on the administrative record, and GRANTS the government’s and defendant-
intervenor’s respective cross-motions for judgment on the administrative record.
I. Background
A. The Solicitation
On 6 June 2019, the ITC issued Request for Quotation (“RFQ” or “Solicitation”) No.
34300019Q0017 “to acquire court reporting services” to “support the Commission’s legal
proceedings.” Admin. R. at 8, ECF No. 19 (“AR”). The RFQ contemplated “award of a Time
and Materials contract, with an established ceiling.” Id. The RFQ specified: “This is a no-cost
contract for the Government. The winner bidder will receive compensation through sales of
services and reports to the public. The Government will not be paying for routine court reporting
services.” Id. (emphasis omitted). Additionally, this procurement “is a 100% Small Business
Set Aside, under [North American Industry Classification System (“NAICS”)] Code 561492,
Court Reporting and Stenotype Services” with a $15 million size standard. Id.
The RFQ required the contractor to “furnish all personnel, equipment, materials,
incidentals[,] and other resources necessary to satisfy the Commission’s requirements for Court
Reporting Services, and any other services the Contractor renders under this Contract, within the
scope of the [Statement of Work (“SOW”)].” Id. at 9. The SOW provided, “[t]he Contractor
shall provide the Commission with court reporting services for Commission-held proceedings
when the Presiding Official or the Contracting Officer’s Representative (“COR”)” provides the
contractor advance notice, as outlined in the SOW. Id. at 9–10. The SOW also provided for
depositions, real-time court reporting, authentication of transcripts, production and delivery of
transcripts to the Commission, and sales to the parties and members of the public, among other
requirements. See AR at 10–22. Most relevant to this protest, the SOW provided:
The Contractor shall produce all paper-copy transcripts on white paper measuring
8-1/2 inches by 11 inches. Each full page of such transcript shall contain no less
than 25 lines of typewriting, 10 letters to the inch, double spaces between lines,
with a binding margin of 1-1/2 inches at the left side and a margin of 3/8 of an inch
on the right side. On each page, the lines shall fill as nearly as practicable the spaces
between the margins.
Id. at 19. Also relevant to this protest, under the heading of “Digital Security,” the RFQ stated:
-2-
Encryption utilizing Federal Information Processing Standards Publication (FIPS
PUB) 140-3, Security Requirements for Cryptographic Modules (as updated), is
applicable to the services provided under this contract, as follows. The Contractor
shall employ encryption utilizing FIPS 140-3 validated cryptographic modules
operated in the FIPS-approved mode . . . .
Id. at 22.
Offerors would be evaluated under three factors: (1) Technical; (2) Past Performance;
and (3) Price. Id. at 27–28. The Technical factor comprised the following three subfactors: (a)
Use of Technology; (b) Management Plan; and (c) Technical Approach. Id. at 28–29. Most
relevant to this protest, under the Use of Technology subfactor, the RFQ stated: “The offeror
shall propose cryptographic modules and shall state the National Institute of Standards and
Technology (NIST) Cryptographic Module Validation Program (CMVP) certificate number(s) of
the cryptographic modules that are being proposed.” Id. at 28 (emphasis omitted). For
evaluation of the Past Performance factor, the RFQ explained:
The offeror shall submit a minimum of three (3) past experience/past performance
references of similar work and scope. Evaluation will be based on the relevancy
and quality of recent efforts accomplished by the offeror. Other information that
may be obtained, including how well the offeror cooperated with the client, the
quality and timeliness of work delivered, and if costs were properly controlled (if
applicable) will also be evaluated.
Past performance information will also be accessed by the Government from
available online databases, including sources such as the Past Performance
Information Retrieval System (PPIRS); Federal Awardee Performance and
Integrity Information System (FAPIIS); as well as any other source for past
performance information available to the Contracting Officer.
AR at 29.
Concerning award and best value analysis, the RFQ provided:
Contract award shall be made to the responsible offeror whose quotation, in
conforming to this Request for Quotation, provides the best value to the
Government. Since it is in the best interest of the Government to consider award
to other than the lowest priced offeror, or other than the highest technically rated
offeror, the Government will use a tradeoff source selection approach to determine
the proposal that represents the best value to the Government. Technical is the most
important Factor. Past Performance is not as important as Technical, but more
important than Price. Price is the least important Factor. Technical and Past
Performance, when combined, [are] more important than Price.
Id. at 29–30. The three subfactors under the Technical Factor are “equally weighted in the
development of the overall Technical Factor rating.” Id. at 30. For the Use of Technology
-3-
subfactor, the ITC would “evaluate the offeror’s ability to meet the Federal Information
Processing Standards Publication (FIPS PUB) 140-3, Security Requirements for Cryptographic
Modules.” Id. (emphasis omitted).
In evaluating the proposals, the ITC would assign a strength, weakness, or deficiency to
the proposals. Id. at 32. A strength is “[a] proposal attribute that increases the likelihood of
successful Task Order performance, or provides an approach directly related to the requirement
that exceeds the minimum expectation.” Id. A weakness “means a flaw in the quotation that
increases the risk of unsuccessful Task Order performance.” AR at 32. A deficiency “is a
material failure of a quotation to meet a Government requirement or a combination of significant
weaknesses in a quotation that increases the risk of unsuccessful Order performance to an
unacceptable level.” Id.
The ITC additionally used the following adjectival ratings to evaluate proposals:
Outstanding, Good, Acceptable, Marginal, and Unacceptable. An Outstanding rating means the
“[p]roposal indicates an exceptional approach and understanding of the requirements and
contains multiple strengths.” Id. A Good rating means the “[p]roposal indicates a thorough
approach and understanding of the requirements and contains at least one strength.” Id. An
Acceptable rating means the “[p]roposal indicates an adequate approach and understanding of
the requirements.” Id. A Marginal rating means the “[p]roposal has not demonstrated an
adequate approach and understanding of the requirements.” Id. Lastly, an Unacceptable rating
means the “[p]roposal does not meet the requirements of the solicitation and, thus, contains one
or more deficiencies and is unawardable.” AR at 32.
On 25 June 2019, the ITC issued Amendment 001 to the Solicitation, which answered
questions offerors asked about the terms. See id. at 61, 67. Question 9 stated:
Encryption utilizing FIPS 140-3 is applicable to the services provided in this RFQ.
Our understanding is the effective date of FIPS 140-3 is September 22, 2019 and
testing begins September 22, 2020. Will FIPS 140-2 be acceptable until
implementation of FIPS 140-[3]?
Id. at 63. The ITC answered it “will evaluate cryptographic solutions using the relevant
standard. The current NIST CMVP evaluates 140-2. 140-2 is acceptable.” Id.
B. Plaintiff’s Proposal
On 8 July 2019, plaintiff submitted its proposal in response to the Solicitation. Id. at 75.
Of relevance here, responding to the requirements under the Technical factor, plaintiff noted it
“will not have any difficulty meeting the current FIPS 140-2 security requirements.” Id. at 79.
“To prepare for FIPS 140-3 implementation,” plaintiff stated it “is working closely with [its]
vendors who provide cryptographic modules to ensure that they will offer software upgrades to
meet FIPS 140-3 requirements once testing begins” in September 2020. AR at 79. Addressing
FIPS 140-2 compliance for real-time court reporting, plaintiff proposed a wireless WIFI option
that is FIPS 140-2 compliant [XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX] Plaintiff specified: [XXXXXXXXX
-4-
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX] Plaintiff similarly provided the
CMVP Certificate numbers for other equipment in the proposal. See id. at 81, nn.3–4.
Plaintiff’s proposal also highlighted its past performance: “As the incumbent contractor
to the ITC for the past 5 ½ years, there can be no better indicator of our ability to meet—and
exceed—the ITC’s performance requirements nor no contract more relevant.” Id. at 89. Plaintiff
emphasized the importance of relevant experience due to the “demanding . . . technical
requirements” of this contract. Id. For example, “[o]ther than certain government intelligence
agencies, to our knowledge no other reporting contract has the FIPS 140-2/140-3 digital security
encryption mandate,” which plaintiff would be able to meet. AR at 89.
Five evaluators—the Federal Energy Regulatory Commission’s Office of Administrative
Law Judges, the ITC, two law firms, and the District of Columbia Bar—submitted past
performance questionnaires attesting to plaintiff’s performance. See id. at 103–08. Most of the
evaluations rated plaintiff’s performance “Exceptional,” except the ITC’s evaluation rated
plaintiff as “Very Good.” See id.
C. Defendant-Intervenor’s Proposal
Defendant-intervenor submitted a timely proposal on 8 July 2019. See id. at 109. Most
relevant here, for the technology used in real-time court reporting, defendant-intervenor stated,
“[a] Cisco 881W router is used running in FIPS 140-2 compliant mode.” Id. at 113. CMVP
Certificate No. 1700, which corresponds to the Cisco 881W router, indicates the router has a
“historical” validation. Id. at 2899. The NIST website states, “[t]he referenced cryptographic
module should not be included by Federal Agencies in new procurements. Agencies may make a
risk determination on whether to continue using this module based on their own assessment of
where and how it is used.” AR at 2899.
Defendant-intervenor also explained how its technology operates real-time court
reporting, which defendant-intervenor characterized as FIPS 140-2 compliant, and it provided
the CMVP Certificate numbers for all proposed equipment and modules. Id. at 113–14.
Defendant-intervenor also provided links to the NIST website confirming the FIPS 140-2
compliance of its hardware and software configurations. Id. at 115.
Four evaluators—the Supreme Court of the United States, the Occupational Safety Health
Review Commission (“OSHRC”), the ITC, and the Environmental Protection Agency—
submitted past performance questionnaires for defendant-intervenor. See id. at 150–53. Almost
all ratings were “Exceptional,” with only a few “Very Good” ratings. Id.
D. Proposal Evaluation
-5-
The Technical Evaluation Team (“TET”), which comprised four members, each
evaluated the proposals according to an Individual TET worksheet.1 See id. at 164–72. Under
the first factor, Technical, the TET rated plaintiff’s proposal “overall Good.” AR at 185.
Plaintiff’s proposal had “two noted strengths . . . and no weaknesses or deficiencies.” Id. The
first strength fell under “Factor 1b (Management Plan),” and the TET noted plaintiff’s “proposed
management plan thoroughly addresses its ability to staff the project and builds in redundancies
thereby reducing risk to the government.” Id. Plaintiff’s second strength fell under “Factor 1c
(Technical Approach),” for which the TET observed plaintiff’s “technical approach shows a
comprehensive grasp of the requirements and provides detailed examples of its ability to perform
and deliver the court reporting services.” Id. Next, the TET rated plaintiff “Outstanding” in the
second factor, Past Performance. Id. at 186. Plaintiff had “numerous strengths,” including
mostly Exceptional ratings in each category, “with notes of quality and expertise in work.” Id.
There were no weaknesses or deficiencies for past performance. Id. Plaintiff’s total evaluated
price was $4,257,602. AR at 187.
The TET similarly rated defendant-intervenor as “overall Good” under the Technical
Factor, noting defendant-intervenor had one strength and no weaknesses or deficiencies. Id. at
189–90. Defendant-intervenor had one technical strength because its “proposed use of
technology highlights their proposed hardware/software elements and also technology related
business processes. It shows a thorough grasp of the technical requirements and reduces risk to
the federal government by providing a detailed and auditable technical implementation.” Id. at
190. The TET also assigned defendant-intervenor an “Outstanding” rating under the second
factor. Id. The TET listed two strengths of defendant-intervenor’s past performance, which
were exceptional ratings in every category on questionnaires submitted by the Supreme Court
and OSHRC and defendant-intervenor’s real-time court reporting experience with the Supreme
Court. Id. at 191. Defendant-intervenor’s total evaluated price was $3,885,500. Id. at 192.
The CO’s best value determination observed plaintiff and defendant-intervenor were
assigned identical adjectival ratings for the Technical and Past Performance factors. AR at 193.
The CO explained, “[b]ased on the identical ratings, the Price Factor became the deciding Factor
for award, with Heritage offering 9% ($372,102.00) less than Ace.” Id. Further, “[w]hile Ace
received 2 Strengths in the Technical Factor, which was the most important Factor, versus
Heritage’s 1 Strength, there was no material difference in their Technical quotations and did not
amount to a higher Adjectival rating, or discussion of their Technical Factor rating.” Id.
(emphasis omitted). The CO therefore reasoned, “the 1 extra Strength that Ace received did not
amount to any perceived benefit of 1 [offeror] over the other,” and “[t]he higher Price offered by
Ace was not . . . perceived to offer a better value to the Government.” Id. The CO consequently
“determined that award of a Contract to Heritage Reporting Corporation, a Washington, DC
women owned small business, is in the best interest of the Government.” Id.
On 29 July 2019, the CO informed plaintiff by email it was not a successful offeror on
the subject solicitation. Id. at 195. On 31 July 2019, the CO notified defendant-intervenor by
email the government awarded it the contract. AR at 197.
1
Three offerors submitted quotations, but the record only contains documentation related to plaintiff’s and
defendant-intervenor’s proposals. See AR at 182.
-6-
E. First Government Accountability Office (“GAO”) Protest and Corrective Action
On 12 August 2019, plaintiff filed a GAO protest of the ITC’s award of the contract to
defendant-intervenor. Id. at 310. Plaintiff asserted the following grounds: (1) defendant-
intervenor did not comply with the solicitation’s pricing requirements; and (2) the ITC’s decision
to award the contract to defendant-intervenor was unreasonable and inconsistent with the
solicitation. See Id. at 325–35. On 26 September 2019, plaintiff filed a supplemental protest,
asserting the following additional grounds: (1) “the ITC’s evaluation of Heritage’s proposal and
its best value decision failed to account for Heritage’s inability to comply with the transcript
formatting requirements and the impact on Heritage’s pricing;” (2) “Heritage’s proposal was
technically unacceptable because Heritage proposed equipment that did not comply with the
RFQ’s encryption requirements;” and (3) “Heritage’s proposal was technically unacceptable
because it showed Heritage would not comply with FAR 52.219-14.” Id. at 919–24.
On 5 November 2019, GAO conducted alternative dispute resolution (“ADR”) of the
protest. Id. at 1731. The next day, 6 November 2019, the ITC notified GAO “[i]n response to
the outcome prediction ADR session on November 5, 2019, [the ITC] intends to take corrective
action and will file the necessary notice by close of business on November 8, 2019.” Id. at 1732.
On 8 November 2019, ITC submitted a memorandum to GAO detailing ITC’s intended
corrective action and requested “GAO dismiss the subject protest as academic.” AR at 1733–34.
The memorandum listed the following actions the ITC would take as part of its corrective action:
1. The USITC will re-evaluate both offerors’ proposals under RFQ Factor 1:
Technical, a. Use of Technology, specifically considering the offerors’ proposed
use of encryption technology;
2. The USITC will assign relative weight to that factor accordingly and will then
conduct a trade-off analysis to determine which offeror represents the best value to
the government. The trade-off analysis will be based on the proposals’ relative
strengths and weaknesses, as well as price, in accordance with the Federal
Acquisition Regulations (FAR), statute, Comptroller General decisions, and other
case-law precedent; and
3. The USITC will document the re-evaluation and subsequent source-selection
decision.
Id. at 1735–36.
On 12 November 2019, “to preserve its rights,” plaintiff submitted its objections to the
proposed corrective action to GAO. Id. at 1737. Plaintiff asserted the following objections: (1)
“the corrective action is too narrow;” (2) “the ITC’s new cost-technical tradeoff and best-value
decision will be based on the same misleading and inaccurate price delta between Ace-Federal’s
and Heritage’s proposals;” and (3) “the ITC’s notice is ambiguous in stating that the agency will
‘assign relative weight to that factor accordingly.’” Id. at 1737–38. Plaintiff also objected to the
ITC’s request for GAO to dismiss the protest as academic. Id. at 1740.
-7-
On 15 November 2019, GAO issued its decision dismissing plaintiff’s protest. AR at
1742–43. GAO noted the ITC “informed our Office that it intends to take corrective action by
reevaluating vendors’ quotations under the portion of the technical factor relating to the
solicitation’s encryption requirements and making a new source selection decision.” Id. at 1742.
GAO also stated the ITC’s “notice of corrective action describes how the agency’s action renders
the protest academic,” but plaintiff’s objection to the corrective action “fails to adequately
explain how the protest is not rendered academic by the proposed corrective action.” Id. at
1742–43. GAO concluded “[t]he agency’s corrective action renders the protest academic” and
consequently dismissed the protest. Id. at 1743.
As part of the corrective action, the ITC’s Chief Information Security Officer (“CISO”)
evaluated the offerors’ FIPS 140-2 compliance. Id. at 2309–10. The CISO first clarified:
Offers were evaluated by reviewing the Cryptographic Module Validation Program
(CMVP) certificate number(s) in each proposal to confirm FIPS 140-2 compliance.
A FIPS 140 certification can have three states (“active,” “historical,” or “revoked”).
For the purposes of the evaluation certification, values of “active” or “historical”
are considered complaint; values of “revoked” or no valid certification are
considered non-compliant.
Id. at 2309. The CISO also cited NIST guidance concerning validation certificate status:
If a validation certificate is marked as historical, Federal Agencies should not
include these in new procurement. This does not mean that the overall FIPS-140
certificates for these modules have been revoked[;] rather it indicates that the
certificates and the documentation posted with them are more than 5 years old and
have not been updated to reflect latest guidance and/or transitions, and may not
accurately reflect how the module can be used in FIPS mode. Agencies may make
a risk determination on whether to continue using the modules on this list based on
their own assessment of where and how the module is used.
AR at 2309 (emphasis and internal quotation marks omitted). The CISO applied this guidance in
his evaluation and explained:
[W]e distinguished between procurements of hardware . . . and procurements of
services . . . . The Commission’s interpretation of NIST’s guidance is that
procurements for new hardware/software should generally avoid equipment with
FIPS140 certificates marked as “historical” in new procurements. However,
NIST’s guidance provides that agencies may make a risk determination on whether
to continue using this module based on their own assessment of where and how it
is used. The evaluation team does not interpret this language as directed at
procurement of services. Given the complexity of service provider systems and the
fact that those service provider systems are expected to evolve over time and
replace equipment as needed, “historical” designations are considered compliant
for the purposes of this evaluation.
-8-
Id. at 2310. The CISO also found support for this distinction between procurements of goods
rather than services in FIPS 140-3. Id. In a section titled “Implementation,” the regulation
provides “‘[a]gencies should develop plans for the acquisition of products that are complaint
with FIPS 140-3; however, agencies may purchase any of the products on the CMVP validated
modules list.’” Id. (emphasis in original) (quoting FIPS 140-3, Security Requirements for
Cryptographic Modules, NIST Computer Security Resource Center,
https://csrc.nist.gov/publications/detail/fips/140/3/final (Mar. 22, 2019)). Lastly, the CISO
reasoned, “because FIPS 140 certificates were evaluated as a Boolean (i.e., compliant or non-
compliant) no additional weight/emphasis was given for sub-values of ‘active’ or ‘historical.’”
Id. Therefore, because both plaintiff and defendant-intervenor proposed equipment with only
“active” or “historical” certificates, the CISO found both offerors were “100% Compliant” with
FIPS 140-2. Id.
The CO’s reevaluation of the proposals was substantively identical to the initial
evaluation. The government assigned Plaintiff a “Good” rating under the Technical factor and
“Outstanding” rating under the Past Performance factor, both with the same stated strengths. AR
at 1747–49. Likewise, the government assigned defendant-intervenor a “Good” rating under the
Technical factor and an “Outstanding” rating under the Past Performance factor, both with the
same strengths. Id. at 1752–53. The CO provided the same reasoning as the initial best value
determination and concluded award of the contract to defendant-intervenor provided the best
value to the government. Id. at 1755. On 8 January 2020, the CO informed plaintiff and
defendant-intervenor of the award decision following the corrective action. Id. at 1756–57.
F. Second GAO Protest
On 16 January 2020, plaintiff filed a second protest with GAO. Id. at 1762. Plaintiff
asserted the following grounds: (1) “The ITC’s award to Heritage was improper because
Heritage’s proposal was technically unacceptable on account of its noncompliant router;” (2)
“The ITC’s evaluation of Heritage’s proposal and its best-value decision blatantly ignored the
fact that Heritage cannot comply with the solicitation’s mandatory transcript formatting
requirements and consequently charges more per page than Ace-Federal;” (3) “The ITC’s best-
value decision was unreasonable because it failed to account for Heritage’s poor past
performance and Ace-Federal’s superior past performance;” and (4) “Heritage’s proposal is
unacceptable because Heritage has no intention of complying with FAR 52.219-14, Limitations
on Subcontracting.” Id. at 1779, 1784, 1787, 1790. On 28 February 2020, plaintiff filed a
supplemental protest arguing “[t]he ITC unreasonably assigned Heritage’s proposal a strength
for its ‘digital security’ after concluding that the solicitation’s digital security requirements are
inapplicable.” AR at 2892.
On 23 April 2020, GAO issued its decision denying plaintiff’s protest. See id. at 3655–
56. First, GAO determined the ITC’s evaluation under the Use of Technology subfactor was
reasonable and consistent with the RFQ because the ITC reasonably interpreted NIST guidance
as discretionary and the RFQ did not require the ITC to consider an active CMVP validation as a
strength over a historical CMVP validation. Id. at 3662–63. Second, GAO stated defendant-
intervenor’s compliance with transcript formatting requirements is a matter of contract
-9-
administration not properly raised in a bid protest, and plaintiff did not “demonstrate[] that there
was significant countervailing evidence reasonably known to the agency evaluators that should
have created any . . . doubt” that defendant-intervenor would comply with the requirements. Id.
at 3663–64. Next, GAO found the ITC’s “evaluation of the awardee’s past performance was
reasonable and consistent with the terms of the RFQ” because defendant-intervenor’s references
provided excellent ratings of its performance and it “received higher past performance ratings
than [plaintiff] for its previous work with [the ITC].” Id. at 3666. Additionally, to the extent the
ITC knew of defendant-intervenor’s purported historic noncompliance with transcript formatting
requirements, GAO found “no basis in the record . . . to conclude that the evaluators were aware,
or should have been aware, of complaints regarding Heritage’s formatting of transcripts.” Id. at
3667. Lastly, the record did not support plaintiff’s contention defendant-intervenor would not
comply with the subcontracting limitations codified in FAR 52.219-14. AR at 3668.
G. Procedural History Before This Court
On 22 May 2020, plaintiff filed its complaint in this protest. See Compl., ECF No. 1. On
26 May 2020, defendant-intervenor filed a motion to intervene, which the Court granted the
same day. See Mot. by Heritage Reporting Corp. to Intervene as Def., ECF No. 8; Order, ECF
No. 9. Pursuant to the Court’s 26 May 2020 order, on 28 May 2020, the parties filed a joint
status report with a proposed schedule. See Order, ECF No. 9; Status Report, ECF No. 10. The
Court held an initial status conference on 29 May 2020. See Order, ECF No. 9. Also on 29 May
2020, defendant-intervenor filed a motion for protective order, which the Court granted on
2 June 2020, along with setting the briefing schedule. See Intervenor-Def.’s Mot. for Protective
Order, ECF No. 11; Order, ECF No. 12.
On 5 June 2020, the government filed the administrative record. See AR. On 22 June
2020, plaintiff filed a motion to supplement the administrative record and its motion for
judgment on the administrative record. See Pl.’s Mot. to Suppl. Admin. R., ECF No. 24 (“Mot.
to Suppl. AR”); Pl.’s Mot. for J. on Admin. R., ECF No. 25 (“Pl.’s MJAR”). On 10 July 2020,
the government and defendant-intervenor filed their respective cross-motions for judgment on
the administrative record, responses to plaintiff’s motion for judgment on the administrative
record, and responses to plaintiff’s motion to supplement the administrative record. See Def.’s
Cross-Mot. for J. on Admin. R., & Combined Resp. to Pl.’s Mots. for J. on Admin. R. & Suppl.
Admin. R., ECF No. 30 (“Def.’s Cross-MJAR & Resp.”); Def.-Intervenor Heritage Reporting
Corp.’s Resp. to Pl.’s Ace-Federal Reporters, Inc.’s Mot. for J. on Admin. R. & Cross-Mot. for J.
on Admin. R., ECF No. 31 (“Def.-Intervenor’s Cross-MJAR”); Intervenor-Def.’s Opp’n to Pl.’s
Mot. to Suppl. Admin. R., ECF No. 32 (“Def.-Intervenor’s Resp. to Mot. to Suppl. AR”). On
20 July 2020, plaintiff filed its responses to the government’s and defendant-intervenor’s
respective cross-motions and replies to the government’s and defendant-intervenor’s respective
responses to plaintiff’s motion for judgment on the administrative record. See Pl.’s Combined
Resps. to Def.’s and Def.-Intervenor’s Cross-Mots. for J. on Admin. R. & Replies to Def.’s and
Def.-Intervenor’s Resps. to Pl.’s Mot. for J. on Admin. R., ECF No. 35 (“Pl.’s Resp. & Reply”).
On 30 July 2020, the government and defendant-intervenor filed their respective replies in
support of their cross-motions for judgment on the administrative record. See Def.-Intervenor
Heritage Reporting Corp.’s Reply in Supp. of Cross-Mot. for J. on Admin. R., ECF No. 37
(“Def.-Intervenor’s Reply”); Def.’s Reply in Supp. of Cross-Mot. for J. on Admin. R., ECF No.
- 10 -
38 (“Def.’s Reply”). The Court held oral argument on the parties’ cross-motions for judgment
on the administrative record and plaintiff’s motion to supplement the administrative record on
18 August 2020. See Order, ECF No. 20.
II. Legal Standards
A. Bid Protest Jurisdiction & APA Standard of Review
The Tucker Act provides this Court jurisdiction to “render judgment on an action by an
interested party objecting to a solicitation by a Federal agency for bids or proposals for a
proposed contract or to a proposed award or the award of a contract or any alleged violation of
statute or regulation in connection with a procurement or a proposed procurement.” 28 U.S.C.
§ 1491(b)(1). In rendering such judgment, this Court “review[s] the agency’s decision pursuant
to the standards set forth in section 706 of title 5.” Id. § 1491(b)(4). “Among the various
[Administrative Procedure Act] standards of review in section 706, the proper standard to be
applied in bid protest cases is provided by 5 U.S.C. §706(2)(A): a reviewing court shall set aside
the agency action if it is ‘arbitrary, capricious, an abuse of discretion, or otherwise not in
accordance with law.’” Banknote Corp. of Am., Inc. v. United States, 365 F.3d 1345, 1350–51
(Fed. Cir. 2004) (citing Advanced Data Concepts, Inc. v. United States, 216 F.3d 1054, 1057–58
(Fed. Cir. 2000)). Under this standard, “a court is not to substitute its judgment for that of the
agency.” Motor Vehicle Mfrs. Ass’n of U.S., Inc. v. State Farm Mut. Auto Ins. Co., 463 U.S. 29,
43 (1983). “Courts have found an agency’s decision to be arbitrary and capricious when the
agency ‘entirely failed to consider an important aspect of the problem, offered an explanation for
its decision that runs counter to the evidence before the agency, or [the decision] is so
implausible that it could not be ascribed to a difference in view or the product of agency
expertise.’” Ala. Aircraft Indus., Inc.-Birmingham v. United States, 586 F.3d 1372, 1375 (Fed.
Cir. 2009) (quoting Motor Vehicle Mfrs. Ass’n of U.S., Inc., 463 U.S. at 43). “The arbitrary and
capricious standard applicable here is highly deferential” and “requires a reviewing court to
sustain an agency action evincing rational reasoning and consideration of relevant factors.”
Advanced Data Concepts, 216 F.3d at 1058 (citing Bowman Transp., Inc. v. Arkansas-Best
Freight Sys., Inc., 419 U.S. 281, 285 (1974)).
B. Supplementation of the Administrative Record
Appendix C of the Rules of the Court of Federal Claims (“RCFC”), which establishes
this Court’s bid protests procedures, lists twenty-one examples of the possible “relevant core
documents” which should be produced in the administrative record. RCFC App’x C ¶ 22. The
Court may order the production of additional documents as part of the administrative record. Id.
¶ 24.
“It is well settled that the ‘primary focus’ of the court’s review of agency decision
making ‘should be the materials that were before the agency when it made its final decision.”
Joint Venture of Comint Sys. Corp. v. United States, 100 Fed. Cl. 159, 166 (2011) (quoting Cubic
Applications, Inc. v. United States, 37 Fed. Cl. 345, 349–50 (1997)). “[T]o perform an effective
review pursuant to the [Administrative Procedure Act (‘APA’)], the court must have a record
containing the information upon which the agency relied when it made its decision as well as any
- 11 -
documentation revealing the agency’s decision-making process.” Vanguard Recovery Assistance
v. United States, 99 Fed. Cl. 81, 92 (2011) (citing Citizens to Preserve Overton Park, Inc. v.
Volpe, 401 U.S. 402, 420 (1971)). The Federal Circuit has recognized “the parties’ ability to
supplement the administrative record is limited.” Axiom Res. Mgmt., Inc. v. United States, 564
F.3d 1374, 1379 (Fed. Cir. 2009). “The purpose of limiting review to the record actually before
the agency is to guard against courts using new evidence to ‘convert the “arbitrary and
capricious” standard into effectively de novo review.’” Id. at 1380 (quoting Murakami v. United
States, 46 Fed. Cl. 731, 735 (2000), aff’d, 398 F.3d 1342 (Fed. Cir. 2005)). “Thus,
supplementation of the record should be limited to cases in which ‘the omission of extra-record
evidence precludes effective judicial review.’” Id. (quoting Murakami, 46 Fed. Cl. at 735).
“In applying this ‘effective judicial review’ test, this court has consistently understood
the test as enabling supplementation when necessary, not when merely convenient.” State of
N.C. Bus. Enters. Program v. United States, 110 Fed. Cl. 354, 361 (2013) (emphasis added).
Another judge of this Court provided the following summary of examples when information may
be necessary for effective judicial review:
Such information might include tacit knowledge possessed by offeror and agency
personnel of a highly technical and complex nature, requiring explication via
affidavits or expert testimony. Upon a proper showing, discovery might be allowed
seeking information intentionally left out of the record, such as evidence of bias or
bad faith. And the record may be supplemented with relevant information,
contained in the procurement files or generally known in an industry or discipline,
which was inappropriately ignored by an agency. These categories all concern
information that is necessary for effective judicial review, because they reflect what
was or should have been considered by the agency.
East West, Inc. v. United States, 100 Fed. Cl. 53, 57 (2011).
Following the Axiom Resource decision, other judges of this Court began to distinguish
parties’ efforts to complete the administrative record from requests to supplement the
administrative record. For example, in Joint Venture of Comint Systems Corp. v. United States,
after examining Axiom Resource, this Court explained, “[a]dmission of new evidence into an
agency-assembled record is a separate and distinct issue from completing the record through
incorporation of materials generated or considered by the agency itself during the procurement
process.” Joint Venture of Comint Sys. Corp., 100 Fed. Cl. at 167 (citing NEQ, LLC v. United
States, 86 Fed. Cl. 592, 593 (2009)). Additionally, in Linc Government Services, LLC v. United
States, the Court expounded: “A procuring agency’s initial submission to the court may omit
information that is properly part of the administrative record because it served as a basis for the
agency’s award decision. In such instances, subsequent admission of the omitted information is
appropriate not to supplement the record, but to complete it.” Linc Gov’t Servs., LLC v. United
States, 95 Fed. Cl. 155, 158 (2010) (internal citations omitted) (emphasis added).
C. Judgment on the Administrative Record in a Bid Protest
- 12 -
Rule 52.1(c) of the Rules of the Court of Federal Claims “provides for judgment on the
administrative record.” Huntsville Times Co. v. United States, 98 Fed. Cl. 100, 104 (2011). Rule
52.1(c) was “designed to provide for trial on a paper record, allowing fact-finding by the trial
court.” Bannum, Inc. v. United States, 404 F.3d 1346, 1356 (Fed. Cir. 2005).
This Court may set aside a contract award if: “(1) the procurement official’s decision
lacked a rational basis; or (2) the procurement procedure involved a violation of regulation or
procedure.” Impresa Construzioni Geom. Domenico Garufi v. United States, 238 F.3d 1324,
1332 (Fed. Cir. 2001). “When a challenge is brought on the second ground, the disappointed
bidder must show ‘a clear and prejudicial violation of applicable statutes or regulations.’” Id. at
1333 (quoting Kentron Haw., Ltd. v. Warner, 480 F.2d 1166, 1169 (D.C. Cir. 1973)). “[D]e
minimis errors do not require the overturning of an award.” Grumman Data Sys. Corp. v.
Dalton, 88 F.3d 990, 1000 (Fed. Cir. 1996). “De minimis errors are those that are so
insignificant when considered against the solicitation as a whole that they can safely be ignored
and the main purposes of the contemplated contract will not be affected if they are.” Id. (internal
quotation marks omitted) (quoting Andersen Consulting v. United States, 959 F.2d 929, 935
(Fed. Cir. 1992)). A bid protest plaintiff must establish alleged “errors in the procurement
process significantly prejudiced [it]” by showing “there was a ‘substantial chance’ it would have
received the contract award but for the errors.” Bannum, Inc., 404 F.3d at 1353.
D. Permanent Injunction
When deciding whether a permanent injunction is warranted,
a court considers: (1) whether, as it must, the plaintiff has succeeded on the merits
of the case; (2) whether the plaintiff will suffer irreparable harm if the court
withholds injunctive relief; (3) whether the balance of hardships to the respective
parties favors the grant of injunctive relief; and (4) whether it is in the public interest
to grant injunctive relief.
PGBA, LLC v. United States, 389 F.3d 1219, 1228–29 (Fed. Cir. 2004).
III. Supplementation of the Administrative Record
Since supplementation of the administrative record permeates the arguments on the
merits, the Court first considers whether supplementation is appropriate in this case. See State of
N.C. Bus. Enters. Program, 110 Fed. Cl. at 361 (“Before proceeding to the merits, the court
considers the propriety of supplementing the administrative record.”); Holloway & Co. v. United
States, 87 Fed. Cl. 381, 391–92 (2009) (analyzing supplementation of the administrative record
before reaching the merits).
A. The Parties’ Arguments
Plaintiff moved to supplement the administrative record with: (1) [CMVP] Certificate
No. 950 and accompanying NIST validation notes associated with Heritage’s proposed Cisco
881W router; (2) “all transcripts that defendant-intervenor . . . produced while performing prior
- 13 -
court reporting services contracts with [the ITC]:” and (3) “Heritage’s prior contracts with the
ITC for court reporting services.” Mot. to Suppl. AR at 3. Plaintiff argues supplementation with
CMVP Certificate No. 950 and its corresponding validation notes is necessary because “[a]
central issue to this protest is whether the ITC should have declared Heritage’s proposal
technically acceptable not only because Heritage’s router no longer holds an Active FIPS 140-2
validation but also due to the reasons that the router no longer holds such a validation.” Id. at 12.
Thus, “if the agency had considered the fact that the Cisco 881W router uses RNG algorithm
X9.31 and the reasons surrounding NIST’s disallowance of that algorithm—as shown in CMVP
Certificate No. 950 and the associated NIST validation notes—it could not have rationally
concluded that Heritage’s proposal complied with the terms of the solicitation and applicable
law.” Id. Next, plaintiff argues defendant-intervenor’s previous transcripts and ITC contract are
“central to Ace-Federal’s protest grounds challenging the ITC’s evaluation of Heritage’s
proposal under the Past Performance and Price factors and the agency’s conclusion that
Heritage’s proposal presented a better value than Ace-Federal’s.” Id. at 4–5. As to the past
performance evaluation, plaintiff contends the ITC “had at least constructive knowledge” of
defendant-intervenor’s alleged past noncompliance with transcript formatting requirements
“because Heritage’s contracts required it to deliver a copy of each transcript to the agency.”
Id. at 7. Plaintiff therefore contends without supplementation with the transcripts and previous
contract, it is “impossible for the Court to know whether those transcripts violated the terms of
Heritage’s contracts or to assess whether the agency was required to review those transcripts to
determine whether they complied with the contract requirements.” Id. at 9.
The government opposes plaintiff’s motion to supplement the administrative record,
arguing “the Commission did not consider [the requested materials], nothing in the RFQ required
the Commission to consider [the requested materials], and they are unnecessary for the Court to
adjudicate this case.” Def.’s Cross-MJAR at 48. Concerning the CMVP certificate and
validation notes, the government asserts, “[e]ven if Ace believes that the router ‘should have
been unacceptable[]’ because of the algorithm transition, the existing record already reflects the
information that Ace seeks to add because the Cisco 881W certificate and the cited Special
Publication both note the algorithm transition.” Id. at 48–49. Regarding the transcripts, the
government argues “their only utility is to undermine the actual close-at-hand information the
Commission collected and considered—namely, the Past Performance Questionnaire completed
by Commission staff, which confirmed that Heritage complied with its contract’s technical
requirements.” Id. The government therefore contends plaintiff “fails to show what these
particular documents demonstrate that is not already in the existing record.” Id. at 49.
Defendant-intervenor also opposes plaintiff’s motion to supplement the administrative
record, arguing plaintiff “hopes to use this supplemental documentation to argue that . . . the
agency was required to look beyond the ‘historical’ . . . NIST [CMVP] rating assigned to the
Heritage proposed router, the Cisco 881W, and to perform an independent algorithmic analysis
of one of the seven FIPS algorithms used by that device, an analysis that was neither
contemplated by the solicitation nor conducted by the Agency.” Def.-Intervenor’s Resp. to Mot.
to Suppl. AR at 6. Defendant-intervenor thus maintains, based on the solicitation, the ITC “was
entitled to rely on the NIST CMVP router certificate,” not “delv[ing] into the underlying
algorithm determinations,” and “if that argument is correct, the current record is sufficient for the
Court to review the USITC’s evaluation.” Id. at 8. Next, defendant-intervenor characterizes
- 14 -
plaintiff’s motion as asking “the Court to supplement the record with about a million pages of
material, which was not before the Agency during its evaluation, for the purpose of asking this
Court to conduct a de novo review in the manner Plaintiff would have desired.” Id. at 2 (internal
footnote omitted). To the extent plaintiff seeks supplementation with the 2019 contract and
transcripts produced thereunder, “the 2019 contract was awarded after the USITC conducted the
past performance and price evaluations that are being challenged in this protest,” rendering them
irrelevant to this protest. Id. at 3. Defendant-intervenor also notes “a copy [of] the 2019 contract
is already a part of the record.” Id. (citing AR Tab 15). Defendant-intervenor argues “the ITC
did consider Heritage’s performance as part of the past performance evaluation” by considering
“past performance questionnaire responses from four of Heritage’s reference contracts,”
including the ITC. Id. Therefore, defendant-intervenor maintains “Plaintiff wants this Court to
reconsider not the past performance evaluation in this procurement, but the underlying
evaluation of Heritage’s performance on the Pre-2014 Contract that expired by its own terms
more than six years ago,” which “is exactly the type of de novo review that the Federal Circuit
cautioned against in Axiom.” Def.-Intervenor’s Resp. to Mot. to Suppl. AR at 4.
B. Analysis
1. CMVP Certificate No. 950 and Validation Notes
Plaintiff seeks to supplement the administrative record in this case with the addition of
CMVP Certificate No. 950 and its validation notes. See Mot. to Suppl. AR at 9–12. CMVP
Certificate No. 950 corresponds to one of seven algorithms the Cisco 881W router uses. See id.
at 10–11. Under the heading “Algorithm Capabilities” on Certificate No. 950, the following
language is noted as follows with strikethrough: “RNG ANSI X9.31: Core Algorithm: TDES-
2Key.” Id. at 11. The validation notes accompanying Certificate No. 950 confirm the RNG
algorithm capabilities are crossed out on Certificate No. 950 because it is no longer approved.
Id. at 12.
Plaintiff argues: “if the agency had considered the fact that the Cisco 881W router uses
RNG algorithm X9.31 and the reasons surrounding NIST’s disallowance of that algorithm—as
shown in CMVP certificate No. 950 and the associated NIST validation notes—it could not have
rationally concluded that Heritage’s proposal complied with the terms of the solicitation and
applicable law.”2 Id. Plaintiff clarified during oral argument that “this is an alternative
argument.” Tr. at 29:10–11, ECF No. 50. Plaintiff’s primary argument is FIPS 140-2 prohibits
federal agencies from procuring services using cryptographic modules with a historical CMVP
validation. See id. at 29:11–25. Assuming the agency had discretion to procure such services, or
an exception applied, plaintiff argues the ITC would be required to make a risk assessment
considering the reason why the module had a historical validation. See id. at 30:1–31:22.
Plaintiff confirmed its case is “not dependent on this supplementation,” but CMVP Certificate
2
Plaintiff clarified during oral argument if the ITC considered Certificate No. 950 and its validation notes, then the
standard for completion of the record would apply rather than supplementation. See Tr. at 23:3–24:1. Plaintiff
explained, however, “it’s unclear from the record if the agency actually looked at them,” but “if they didn’t look at
them, . . . it would be a supplementation issue.” Id. at 23:23–24:1. Plaintiff assumes for the purposes of its motion
the agency did not consider Certificate No. 950 and its validation notes, invoking the supplementation standard
under Axiom. Id. at 24:1–3. Plaintiff does not point to—and the Court cannot locate—any evidence in the record
Certificate No. 950 and its validation notes were before the ITC.
- 15 -
No. 950 and its validation notes are “further evidence that if the agency had reasonably assessed
the information available through the CMVP with respect to this proposed router, there would
have been additional information that would have called into question its acceptability.” Id. at
24:12–18. Plaintiff presents an either-or proposition: either the ITC may not procure services
proposing use of historically validated hardware, or if the ITC may procure such services, it must
engage in a technical analysis of the reason why the hardware holds a historical validation.
The Solicitation stated the ITC would “evaluate the offeror’s ability to meet the [FIPS
140-2], Security Requirements for Cryptographic Modules.” AR at 30. In both the initial
evaluation and the subsequent CISO evaluation of FIPS 140-2 compliance, the agency adhered to
this evaluation scheme. The CO noted “Heritage’s proposed use of technology highlights their
proposed hardware/software elements and . . . shows a thorough grasp of the technical
requirements and reduces risk to the federal government by providing a detailed and auditable
technical implementation.” Id. at 190. When reviewing plaintiff’s and defendant-intervenor’s
FIPS 140-2 compliance after the first GAO protest, the CISO explained “[o]ffers were evaluated
by reviewing the [CMVP] certificate number(s) in each proposal to confirm FIPS 140-2
compliance.” Id. at 2309. Additionally, “[f]or the purposes of the evaluation certification,
values of ‘active’ or ‘historical’ are considered compliant.” Id.
Based on the Solicitation’s evaluation scheme, it was appropriate for the ITC to consider
the router CMVP certificate numbers cited in each proposal when considering FIPS 140-2
compliance. The details in Certificate No. 950, however, extend beyond the scope of the
Solicitation because the Solicitation did not require the agency to do a full technical analysis of
the algorithm risk or consider “the reasons surrounding NIST’s disallowance of that algorithm.”
Mot. to Suppl. AR at 12; see also East West, Inc., 100 Fed. Cl. at 57 (“These categories all
concern information that is necessary for effective judicial review, because they reflect what was
or should have been considered by the agency.”). Were the Court to consider these details,
which are beyond the scope of the Solicitation and not something the agency considered during
evaluation, the Court would be conducting a de novo technical evaluation of the proposals, which
is beyond the Court’s bid protest jurisdiction. See Axiom Resource Mgmt., 564 F.3d at 1380
(“The purpose of limiting review to the record actually before the agency is to guard against
courts using new evidence to ‘convert the “arbitrary and capricious” standard into effectively de
novo review.’”) (quoting Murakami, 46 Fed. Cl. at 735). For the reasons discussed in greater
detail in Sections IV.B and IV.C, ITC reasonably concluded hardware with historical validation
was compliant for this procurement. Furthermore, nothing required ITC to consider the reasons
why the Cisco router holds a historical status, including “the reasons surrounding NIST’s
disallowance of [the RNG] algorithm,” as depicted by the strikethrough algorithm details on
Certificate No. 950. Mot. to Suppl. AR at 12. Thus, the Court finds plaintiff’s either-or
proposition incorrect.
Moreover, Certificate No. 1700, which corresponds to the Cisco 881W router and is
already part of the record, indicates the reason for its historical status is “RNG SP800-131A
Revision 1 Transition,” referencing the same disallowance reason as listed on Certificate No.
950. AR at 2899. This Court “has consistently understood the [effective judicial review] test as
enabling supplementation when necessary, not when merely convenient.” State of N.C. Bus.
Inters. Program, 110 Fed. Cl. at 361 (emphasis added). Therefore, even under plaintiff’s
- 16 -
alternative argument the agency should have considered Certificate No. 950 and its validation
notes to consider “the reasons surrounding NIST’s disallowance of [the RNG] algorithm,” the
reasons are on Certificate No. 1700, which is in the record and sufficient for effective judicial
review. Mot. To Suppl. AR at 12. For these reasons and the reasons set forth in further detail
below, the Court finds supplementation of the administrative record with these materials is
inappropriate and unnecessary for effective judicial review.
2. Transcripts and Contracts
Plaintiff also seeks supplementation of the administrative record with defendant-
intervenor’s previous ITC court reporting contracts and all transcripts produced thereunder. See
Mot. to Suppl. AR at 4–9. The proposed supplementation would demonstrate defendant-
intervenor’s alleged historical noncompliance with transcript formatting requirements under
previous contracts, which plaintiff contends the agency should have considered when evaluating
defendant-intervenor’s past performance. See id. at 6–8. Plaintiff argues these materials should
be part of the administrative record because it is “impossible for the Court to know whether those
transcripts violated the terms of Heritage’s contracts or to assess whether the agency was
required to review those transcripts to determine whether they complied with the contract
requirements . . . .” Id. at 9. The Solicitation provided offerors’ past performance would be
based on past performance questionnaires and required offerors to “submit a minimum of three
(3) past experience/past performance references of similar work and scope.” AR at 29. The
Solicitation further indicated “[t]he Government may also use past performance information
obtained from the Past Performance Information Retrieval System (PPIRS), Federal Awardee
Performance and Integrity Information System (FAPIIS), and any other past performance
information available to the Contracting Officer, such as but not limited to performance history
under USITC.” Id. at 31. The ITC based its past performance evaluation of both plaintiff and
defendant-intervenor on the questionnaires their respective references submitted, including the
ITC. Id. For both offerors, the ITC submitted past performance questionnaires specifying both
parties complied with all technical requirements of the contract. Id. at 104, 152.
The Solicitation required the ITC to consider the past performance questionnaires but did
not require the ITC to reexamine the offerors’ past work product for compliance with an expired
contract. To the extent plaintiff seeks to impute to the ITC constructive knowledge of alleged
noncompliance with the requirements of defendant-intervenor’s ITC contract ending in 2014, the
issue is irrelevant to this case. Nothing on the face of the past performance questionnaires from
defendant-intervenor’s references, including the ITC’s reference, raised any question whether
defendant-intervenor had “Exceptional” references. See, e.g., AR at 150. Nothing required the
ITC to then search for negative information to rebut the “Exceptional” references. See id.; see
also East West, Inc., 100 Fed. Cl. at 57 (“These categories all concern information that is
necessary for effective judicial review, because they reflect what was or should have been
considered by the agency.”). Supplementing the record with defendant-intervenor’s previous
contracts and transcripts would invite the Court to consider a matter of management of an
expired contract, thereby confusing the issues in this case and placing the Court in a position to
conduct a de novo review of the ITC’s past performance evaluation. See Axiom Resource Mgmt.,
564 F.3d at 1380 (“The purpose of limiting review to the record actually before the agency is to
guard against courts using new evidence to ‘convert the “arbitrary and capricious” standard into
- 17 -
effectively de novo review.’”) (quoting Murakami, 46 Fed. Cl. at 735). For these reasons and the
reasons set forth in further detail below, the Court finds supplementation of the administrative
record with these materials is inappropriate and unnecessary for effective judicial review.3
IV. Judgment on the Administrative Record Related to the ITC’s Technical Evaluation
A. The Parties’ Arguments Regarding the ITC’s Technical Evaluation
Plaintiff argues “[t]he ITC failed to comply with NIST’s requirements” of only procuring
services with active FIPS 140-2 certificates by “accept[ing] Heritage’s proposal despite
Heritage’s plan to use the Cisco 881W router,” which has a historical certificate. Pl.’s MJAR at
16. Plaintiff thus also contends the ITC arbitrarily and capriciously found defendant-intervenor’s
proposal technically acceptable and assigned its proposal a strength for defendant-intervenor’s
digital security approach. Id. at 31, 40.
The government argues plaintiff fails to demonstrate the ITC’s technical evaluation lacks
a rational basis because the ITC reasonably determined historical certificates were FIPS 140-2
compliant. Def.’s Cross-MJAR at 22–24. According to the government, neither the RFQ nor
FIPS 140-2 differentiates between active and historical validation certificates. Id. at 25–27. The
government also contends the ITC was reasonable in determining defendant-intervenor’s
approach to digital security was a “strength” and its overall technical rating was “good.” Id. at
34–35.
Defendant-intervenor argues the ITC rationally evaluated the proposals under the
technical factor because nothing prohibited the ITC from procuring services using equipment
with historical validation certificates and the ITC reasonably determined NIST guidance
prohibiting historically validated hardware did not apply to service procurements like this one.
Def.-Intervenor’s Cross-MJAR at 22–31. Additionally, “[t]o the extent the RFQ had any
ambiguity” concerning active and historical certificates, “that ambiguity was patent,” and
plaintiff waived the argument by failing to raise it prior to award. Id. at 31.
B. Whether NIST Website Guidance Prohibited the ITC from Procuring Services
Using Historically Validated Hardware
The Solicitation’s SOW, under the heading “Digital Security,” provided: “[e]ncryption
utilizing [FIPS 140-2] . . . is applicable to the services provided under this contract.” AR at 22.
Offerors were therefore required to “employ encryption utilizing [FIPS 140-2] validated
cryptographic modules operated in the FIPS-approved mode.” Id. The Solicitation instructed
offerors to “propose cryptographic modules and . . . state the National Institute of Standards and
Technology (NIST) Cryptographic Module Validation Program (CMVP) certificate number(s) of
the cryptographic modules that are being proposed.” Id. at 28. The Solicitation stated the ITC
would “evaluate the offeror’s ability to meet the [FIPS 140-2] Security Requirements for
Cryptographic Modules.” Id. at 30. FIPS 140-2 provides, “[c]ryptographic modules that are
3
To the extent defendant-intervenor’s past transcripts are relevant to this case, the administrative record already
contains hundreds of pages of its transcripts. See, e.g., AR at 981–1546.
- 18 -
validated under the CMVP will be considered as conforming to this standard.” Nat’l Inst. for
Standards & Tech., FIPS 140-2 Security Requirements for Cryptographic Modules, at iv (2001),
https://csrc.nist.gov/publications/detail/fips/140/2/final.
Plaintiff argues “[t]he ITC failed to comply with NIST’s requirements” as set forth in
FIPS 140-2 because defendant-intervenor proposed use of a router holding a historical, rather
than active, CMVP validation. Pl.’s MJAR at 16. Plaintiff cites various pages of the CMVP
website providing digital security guidance to federal agencies to support its contention federal
agencies are prohibited from procuring services using equipment holding any status other than
active. See id. at 17, 22. For example, plaintiff highlights guidance declaring “[i]f a validation
certificate is marked as historical, Federal Agencies should not include these [cryptographic
modules] in new procurement[s].” Id. at 22 (emphasis omitted). A full review of FIPS 140-2,
however, reveals no distinction between active and historical validations. During oral argument,
the Court asked plaintiff if any law or regulation contains the same provision plaintiff quoted
from the CMVP website. Tr. at 72:2–4. Plaintiff responded, “the agency is bound to use the
NIST website,” and it is required to “implement FIPS 140-2 validated modules,” which is “one
that CMVP has validated.” Id. at 72:6, 11–12.
The Department of Commerce, through NIST, promulgated FIPS 140-2 following the
APA’s notice-and-comment rulemaking procedures. See Announcing Approval of Federal
Information Processing Standard (FIPS) 140-2, Security Requirements for Cryptographic
Modules, 66 Fed. Reg. 34,154-02 (June 27, 2001) (explaining NIST’s issuance of FIPS 140-2 as
a binding regulation after a notice-and-comment period). FIPS 140-2 is thus a legislative rule
with the force and effect of law. Perez v. Mortg. Bankers Ass’n, 575 U.S. 92, 96 (2015) (quoting
Chrysler Corp. v. Brown, 441 U.S. 281, 302–03 (1979) (internal quotation marks omitted)
(“Rules issued through the notice-and-comment process are often referred to as ‘legislative rules’
because they have the ‘force and effect of law.’”)). The same notice-and-comment requirement
does not apply “to interpretative rules, general statements of policy, or rules of agency
organization, procedure, or practice.” 5 U.S.C. § 553(b)(3)(A). The Supreme Court has
observed “opinion letters—like . . . policy statements, agency manuals, and enforcement
guidelines . . . lack the force of law.” Christensen v. Harris Cty., 529 U.S. 576, 587 (2000); see
also Butterbaugh v. Dep’t of Justice, 336 F.3d 1332, 1340 (Fed. Cir. 2003) (quoting Christensen,
529 U.S. at 587) (finding agency policy guidance, like “‘policy statements, agency manuals, and
enforcement guidelines,’ . . . lack the force of law . . . .”); Hamlet v. United States, 63 F.3d 1097,
1103 (Fed. Cir. 1995) (“Obviously, not every piece of paper released by an agency can be
considered a regulation entitled to the force and effect of law.”).
While there is disagreement over the definition of interpretive rules, “it suffices to say
that the critical feature of interpretive rules is that they are ‘issued by an agency to advise the
public of the agency’s construction of the statutes and rules which it administers.’” Perez, 575
U.S. at 97 (quoting Shalala v. Guernsey Mem’l Hosp., 514 U.S. 87, 99 (1995)). Regarding the
website interpretation, interpretive rules “do not have the force and effect of law and are not
accorded that weight in the adjudicatory process.” Shalala, 514 U.S. at 99. Thus, the CMVP
website does not have the force and effect of law because it is an “interpretative rule[], general
statement[] of policy, or rule[] of agency organization, procedure, or practice.” 5 U.S.C. §
553(b)(3)(A).
- 19 -
Plaintiff argues NIST, through the CMVP website, forbids historical certifications from
inclusion in procurements like the one in this case. Pl.’s Resp. & Reply at 12. Plaintiff asks the
Court to give Skidmore deference to what it perceives to be unambiguous language from CMVP
website guidance as NIST’s interpretation of its own legislative rule. Pl.’s Resp. & Reply at 13.
Plaintiff raised this argument in a short conclusory paragraph in its reply and response brief and
in a conclusory manner at oral argument. Id.; Tr. at 79:24–80:3. Skidmore describes the
standard courts use to determine how much weight to give agency constructions of statutes and
regulations: “[t]he weight of such a judgment in a particular case will depend upon the
thoroughness evident in its consideration, the validity of its reasoning, its consistency with
earlier and later pronouncements, and all those factors which give it power to persuade, if
lacking power to control.’” Skidmore v. Swift & Co., 323 U.S. 134, 140 (1944). Plaintiff notes
another judge on this court held “[u]nder Skidmore, courts may give deference to an agency’s
interpretation of its governing laws even when the agency does not use its rulemaking authority.”
Nippon Paper Indus. USA Co. v. United States, 129 Fed. Cl. 76, 79 (2016) (citing Skidmore, 323
U.S. at 139–40).
The weight of Skidmore deference a court may choose to apply ranges from “great
respect . . . to near indifference . . . .” United States v. Mead Corp., 533 U.S. 218, 228 (2001).
Even if the Court assumes Skidmore deference applies to an agency website, plaintiff did not
explain why the CMVP website has persuasive power to make it worthy of something closer to
“great respect” as opposed to “near indifference.” See Skidmore, 323 U.S. at 140; Mead Corp.,
533 U.S. 218. Plaintiff instead asserted, “[g]iven the authority vested in NIST, the NIST and
CMVP guidance are compelling evidence of the intent behind FIPS 140-2 and binding standards
in their own right.” Pl.’s Resp. & Reply at 13.
Defendants dispute whether the CMVP website forbids historical certifications.
According to defendant-intervenor, regardless of whether the Court treats the website with
deference, neither the website nor any other “regulation . . . says that an agency cannot use a
cryptographic module with a historical rating. . . . [T]he burden is on the protestor to
demonstrate that and he hasn’t done so.” Tr. at 83:18–21. The government similarly
emphasized the CMVP website does not state what plaintiff alleges: “the Court can consider
[the website], it can consider what the agency did, but . . . the question is whether or not that
guidance says . . . that a historical certificate is not FIPS 140-2 validated. It doesn’t say that.
And that’s what [plaintiff] needs it to say, and it doesn’t say that.” Id. at 84:11–17.
Deference is appropriate when “policies are made in pursuance of official duty, based
upon more specialized experience and broader investigations and information than is likely to
come to a judge in a particular case.” Skidmore, 323 U.S. at 139. NIST is empowered to set
federal government information systems standards. See 15 U.S.C. § 278g-3(a). Also, through
the CMVP, NIST “validates cryptographic modules to [FIPS] 140-2 and other cryptography
based standards.” Nat’l Inst. for Standards & Tech., FIPS 140-2, at iii. While NIST’s
congressionally prescribed expertise suggests its website interpretation of its legislative rules is
worthy of consideration, the CMVP website presents no information as to its authorship or
definitiveness. See Tr. at 72:21–75:10 (responding to questioning by the Court, plaintiff’s
counsel was unable to clarify the authoritativeness of website details beyond describing it as
- 20 -
“subregulatory”). Further, NIST did not present plaintiff’s preferred interpretation—or any other
interpretation—to the Court because NIST is not party to this case. See Hydro Res., Inc. v.
United States Env’t Prot. Agency, 608 F.3d 1131, 1146 n.10 (10th Cir. 2010) (en banc)
(highlighting the importance of affected parties’ participation in the adversarial process when
considering whether to apply Skidmore deference). Plaintiff requests the Court give deference to
NIST through the CMVP website, yet the meaning of the website plaintiff proposes to the Court
includes plaintiff’s own interpretation of the CMVP website. Granting deference to a plaintiff’s
interpretation of a nonlitigating agency’s website would require the Court to speculate what
NIST’s position would be on the weight and meaning of the website, as well as straining the
adversarial process. See id. (noting a court relies on the adversarial process “to test the issues for
[its] decision and from concern for the affected parties to whom [it] traditionally extend[s] notice
and an opportunity to be heard on issues that affect them”).
Plaintiff also claims the ITC seeks Skidmore deference for its own interpretation of
NIST’s regulations. Tr. at 81:17–22 (“[T]he Federal Circuit expressly said that it gives no
deference to agency interpretations of other agency regulations. And that’s what the ITC is
doing here. They’re saying we [the ITC] have the authority to interpret what a validation is.”).
Federal Circuit precedent clarifies: “only the interpretation of the agency that promulgated the
regulation matters.” Allegheny Teledyne Inc. v. United States, 316 F.3d 1366, 1378 (Fed. Cir.
2003).4 Contrary to plaintiff’s claim, however, the ITC does not ask for deference to its
construction of the CMVP website; rather, the ITC asks the Court to review its actions under an
arbitrary and capricious standard of review pursuant to the APA. Def.’s Cross-MJAR at 19
(“This Court reviews bid protests using the standard of review set forth in the Administrative
Procedure Act (APA) and considers whether the agency action was arbitrary, capricious, an
abuse of discretion, or otherwise not in accordance with law.”) The ITC’s matter-of-fact
statement of the standard of review is not a request the Court grant Skidmore deference to any
construction of relevant statutes or regulations. While Skidmore directs courts to consider “all
those factors which give [an agency interpretation of a statute or regulation] power to persuade,”
the ITC asks for arbitrary and capricious review of its compliance with NIST’s regulations.
Skidmore, 323 U.S. at 140.
This case presents an APA question related to arbitrary and capricious review, not an
abstract deference question. See Kisor v. Wilkie, 139 S. Ct. 2400, 2432 (2019) (Gorsuch, J.,
concurring in the judgment) (noting a court discussing the “rules governing judicial review of
federal agency action” does not, or at least should not, be “writing on a blank slate or exercising
4
Judges on this court have carved a narrow exception to Allegheny’s prohibition on one agency’s interpretation of
another agency’s regulations. See, e.g., Colon v. United States, 132 Fed. Cl. 655, 661–62 (2017) (“Where an agency
interprets regulations promulgated by a different agency, such an interpretation is also afforded deference when the
interpreting agency is authorized to adopt or implement the regulations at issue.”); see also Bortone v. United States,
110 Fed. Cl. 668, 676 (2013) (internal citations omitted) (“While deference is generally only afforded to an agency’s
interpretation of its own rules and regulations, courts will give deference to an agency’s interpretation of regulations
drafted by another agency where, as here, the interpreting agency adopts and administers the subject regulations.”);
Murphy v. United States, 130 Fed. Cl. 554, 562 (2017) (“Courts afford deference to an agency’s interpretation of
regulations drafted by another agency, when the non-drafting agency is authorized to adopt or implement the subject
regulations.”). Regardless of whether this carve out is consistent with Allegheny, the ITC’s interpretation of the
CMVP website does not fall under the exception because the ITC does not “adopt or implement” NIST’s
regulations. See Colon, 132 Fed. Cl. at 661–62.
- 21 -
some common-law-making power. [It is] supposed to be applying the Administrative Procedure
Act.”). In bid protests, the Court follows 5 U.S.C. §706(2)(A): “a reviewing court shall set aside
the agency action if it is ‘arbitrary, capricious, an abuse of discretion, or otherwise not in
accordance with law.’” Banknote Corp. of Am., Inc., 365 F.3d at 1350–51 (quoting Advanced
Data Concepts, Inc., 216 F.3d at 1057–58). Under this standard, “a court is not to substitute its
judgment for that of the agency.” Motor Vehicle Mfrs. Ass’n of U.S., Inc., 463 U.S. at 43; see
also Advanced Data Concepts, 216 F.3d at 1058 (citing Bowman Transp., Inc., 419 U.S. at 285)
(holding the court must “sustain an agency action evincing rational reasoning and consideration
of relevant factors”); Ala. Aircraft Indus., Inc.-Birmingham, 586 F.3d at 1375 (quoting Motor
Vehicle Mfrs. Ass’n of U.S., Inc., 463 U.S. at 43) (agency action fails the APA standard of review
when it has “‘entirely failed to consider an important aspect of the problem, offered an
explanation for its decision that runs counter to the evidence before the agency, or [the decision]
is so implausible that it could not be ascribed to a difference in view or the product of agency
expertise.’”).
The CMVP website states the following:
If a validation certificate is marked as revoked, the module validation is no longer
valid and may not be referenced to demonstrate compliance to . . . FIPS 140-2.
If a validation certificate is marked as historical, Federal Agencies should not
include these in new procurement[s]. This does not mean that the overall FIPS-
140 certificates for these modules have been revoked[;] rather[,] it indicates that the
certificates and the documentation posted with them are either more than 5 years
old, or were moved to the historical list because of an algorithm transition. In these
cases, the certificates have not been updated to reflect latest guidance and/or
transitions, and may not accurately reflect how the module can be used in FIPS
mode. . . . Agencies may make a risk determination on whether to continue using
the modules on the historical list based on their own assessment of where and how
the module is used.
Cryptographic Module Validation Program, NIST Computer Security Resource Center,
https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules (last
updated Aug. 12, 2020) (emphasis added). Notably, this guidance indicates historical status does
not mean the validation has been revoked. Additionally, the guidance acknowledges historical
modules “can be used in FIPS mode.” Id. It also recognizes there are instances when an agency
may use historical modules: when the agency “make[s] a risk determination.” Id. Accordingly,
the website’s guidance is either ambiguous or it affirmatively allowed the agency to assess the
risk of using historically validated hardware in a service procurement. Any Skidmore deference
the Court could grant to the CMVP website, as plaintiff requests, would produce a result either
neutral (if the website is ambiguous) or supporting the ITC’s interpretation (if the website
allowed the agency to assess the risk).
During oral argument, plaintiff asserted, “the solicitation expressly incorporates the
CMVP.” Tr. at 80:9–10. To the extent plaintiff contends the Solicitation incorporated the entire
program, including its website, the Federal Circuit has stated “the language used in a contract to
- 22 -
incorporate extrinsic material by reference must explicitly, or at least precisely, identify the
written material being incorporated and must clearly communicate the purpose of the reference is
to incorporate the referenced material into the contract (rather than merely to acknowledge the
referenced material is relevant to the contract, e.g., as background law or negotiating history).”
Northrop Grumman Info. Tech., Inc. v. United States, 535 F.3d 1339, 1345 (Fed. Cir. 2008); see
also St. Christopher Assocs., L.P. v. United States, 511 F.3d 1376, 1384 (Fed. Cir. 2008) (“This
court has been reluctant to find that statutory or regulatory provisions are incorporated into a
contract with the government unless the contract explicitly provides for their incorporation.”).
The Solicitation, however, merely stated: “[t]he offeror shall propose cryptographic modules
and shall state the [NIST CMVP] certificate number(s) of the cryptographic modules that are
being proposed.” AR at 28. The Solicitation’s reference to the CMVP does not explicitly
incorporate any guidance from the website. Rather, the Solicitation’s mention of CMVP
provides instruction for the offeror in compiling its proposal.
When considering the “prohibition” in its entire context, the Court finds the CISO’s
interpretation of the “prohibition” reasonable: it permitted the ITC to assess whether historically
validated hardware could be used for the purposes of this procurement. The Solicitation
mentions the CMVP website, and the ITC based its decision on a reasonable interpretation of the
CMVP website. These facts indicate the ITC did not “entirely fail[] to consider an important
aspect of the problem, [or] offer[] an explanation for its decision that runs counter to the
evidence before the agency,” but instead engaged the problem using the evidence before it. Ala.
Aircraft Indus., Inc.-Birmingham, 586 F.3d at 1375 (discussing the APA “arbitrary and
capricious” standard for reviewing an agency’s procurement decision). The ITC’s interpretation
of the CMVP website is not “so implausible that it could not be ascribed to a difference in view
or the product of agency expertise.” Id. As a result, the ITC did not arbitrarily or capriciously
interpret the CMVP website to allow historically validated hardware for this procurement. See
Emery Worldwide Airlines, Inc. v. United States, 264 F.3d 1071, 1085 (2001) (quoting 5 U.S.C.
§ 706(2)(A)) (“[A] reviewing court must set aside agency actions that are ‘arbitrary, capricious,
an abuse of discretion, or otherwise not in accordance with law.’ . . . [T]he agency’s action must
be upheld as long as a rational basis is articulated and relevant factors are considered.”).
C. Whether ITC’s Determination Defendant-Intervenor’s Proposal was Technically
Acceptable is Arbitrary and Capricious
Plaintiff further argues it was arbitrary and capricious for the ITC to find defendant-
intervenor’s proposal technically acceptable in light of its proposed router. Pl.’s MJAR at 31. In
challenging the ITC’s acceptance of defendant-intervenor’s proposal, plaintiff argues the ITC’s
distinction between procurements for goods and services is irrational because “[t]here is no
authority to support a finding that FIPS 140-2 or the specific procurement restriction at issue do
not apply to service procurements.” Id. at 33. To the contrary, the CISO found support in FIPS
140-3, the most recent NIST cryptography standards promulgated through notice-and-comment
rulemaking, for this distinction. AR at 2309 (“The USITC will evaluate the offeror’s ability to
meet the Federal Information Processing Standards Publication (FIPS PUB) 140-3, Security
Requirements for Cryptographic Modules.”). The CISO looked to the 140-3 requirement
because the SOW’s FIPS 140 requirement was forward-looking at version 140-3 despite FIPS
140-2 being the current and applicable version of FIPS 140 at the time the ITC released the
- 23 -
solicitation and parties submitted offers. Id. The CISO explained FIPS 140-3 provides support
for the ITC’s interpretation because it notes “‘[a]gencies should develop plans for the acquisition
of products that are compliant with FIPS 140-3; however, agencies may purchase any of the
products on the CMVP validated modules list.’” Id. at 2310 (quoting FIPS 140-3, Security
Requirements for Cryptographic Modules, NIST Computer Security Resource Center,
https://csrc.nist.gov/publications/detail/fips/140/3/final (Mar. 22, 2019)). Additionally, the CISO
noted “[a] search of the CMVP list for modules on the active validation list yields results for
products that are either hardware, software, firmware, or hybrids.” Id. The CISO therefore
concluded FIPS standards applied to procurements of products, rather than services, because the
active validation list exclusively discussed products. The Court finds the CISO’s explanation of
the distinction between products and services to “evinc[e] rational reasoning.” See Advanced
Data Concepts, 216 F.3d at 1058 (citing Bowman Transp., Inc., 419 U.S. at 285). Plaintiff’s
disagreement with the interpretation does not render the CISO’s evaluation arbitrary and
capricious. “‘If the court finds a reasonable basis for the agency’s action, the court should stay
its hand even though it might, as an original proposition, have reached a different conclusion as
to the proper administration and application of the procurement regulations.’” Honeywell, Inc. v.
United States, 870 F.2d 644, 648 (Fed. Cir. 1989) (quoting M. Steinthal & Co. v. Seamans, 455
F.2d 1289, 1301 (D.C. Cir. 1971)).
Plaintiff also argues to the extent an agency opts to procure services using equipment
with historical status, the agency must first conduct a risk assessment. Pl.’s MJAR at 17–18.
Even assuming the NIST website guidance requires a risk assessment before procuring
equipment with historical status, the ITC read the language as applying only to products, not
services. The ITC’s CISO quoted the same website guidance in the FIPS 140 evaluation
conducted pursuant to the ITC’s corrective action and explained the ITC’s interpretation of the
guidance: “procurements for new hardware/software should generally avoid equipment with
FIPS140 certificates marked as ‘historical’ in new procurements.” AR at 2310. Further,
addressing whether “agencies may make a risk determination on whether to continue using this
module based on their own assessment of where and how it is used,” the CISO explained the ITC
“does not interpret this language as directed at procurement of services.” Id. The ITC based its
interpretation on “the complexity of service provider systems and the fact that those service
provider systems are expected to evolve over time and replace equipment as needed.” Id.
Therefore, “‘historical’ designations [were] considered compliant for the purposes of this
evaluation.” Id.
Based on the ITC’s interpretation of the guidance, the agency found no risk of procuring
services using historical modules and thus did not conduct a risk assessment in the sense plaintiff
maintains NIST’s regulations required. The bid protest standard of review “recognizes the
possibility of a zone of acceptable results in a particular case and requires only that the final
decision reached by an agency be the result of a process which ‘consider[s] the relevant factors’
and is ‘within the bounds of reasoned decisionmaking.’” Wit Assocs., Inc. v. United States, 62
Fed. Cl. 657, 660 (2004) (quoting Baltimore Gas & Elec. Co. v. Nat. Res. Def. Council, Inc., 462
U.S. 87, 105 (1983)). Although plaintiff interprets the same language differently, the Court finds
the CISO evaluation evinces rational reasoning supported by a reasonable explanation of the
agency’s interpretation based on the relevant factors. See Honeywell, Inc., 870 F.2d at 648
(quoting M. Steinthal & Co. v. Seamans, 455 F.2d 1289, 1301 (D.C. Cir. 1971)) (“‘If the court
- 24 -
finds a reasonable basis for the agency’s action, the court should stay its hand even though it
might, as an original proposition, have reached a different conclusion as to the proper
administration and application of the procurement regulations.’”).
D. Whether it was Arbitrary and Capricious for the ITC to Assign Defendant-
Intervenor’s Technical Proposal a Strength
Plaintiff argues the ITC also erred by assigning defendant-intervenor’s proposal a
strength for digital security. Pl.’s MJAR at 40. Plaintiff asserts the agency could only have
found a strength by failing to consider “the Cisco 881W router was highly risky because its
security depends on the X9.31 algorithm that NIST has disallowed due to security
vulnerabilities.” Id. Plaintiff contends the ITC should have looked beyond the router’s CMVP
certificates to determine why each router holds its current status. Id. Since contracting officers
are “entitled to ‘broad discretion . . . to determine whether a proposal is technically acceptable,
plaintiff has an unusually heavy burden of proof in showing that the determination . . . was
arbitrary and capricious.’” Westech Int’l, Inc. v. United States, 79 Fed. Cl. 272, 286 (2007)
(internal citation omitted) (quoting Cont’l Bus. Enters. v. United States, 452 F.2d 1016, 1021 (Ct.
Cl. 1971)). Defendant-intervenor’s proposal thoroughly highlighted its technology’s FIPS 140-2
compliance. For example, its proposal stated, “[a] Cisco 881W router is used running in FIPS
140-2 compliant mode with tamper resistant labels.” AR at 113; see also id. (“[Defendant-
intervenor] will employ encryption technologies utilizing FIPS 140-2 validated cryptography,
with our equipment and software configured in FIPS-approved mode . . . . As FIPS 140-3
validated cryptographic modules become available from commercial vendors, [defendant-
intervenor] will test and implement these modules in the equipment, software[,] and processes
dedicated to the USITC contract.”). The CO did not need to look at every algorithm to conclude
defendant-intervenor’s proposal “shows a thorough grasp of the technical requirements and
reduces risk to the federal government by providing a detailed and auditable technical
implementation.” Id. at 190.
Nothing in the Solicitation required the ITC to look beyond the CMVP certificates for the
routers and investigate the CMVP validations for the algorithms each router uses. The
Solicitation stated the ITC would “evaluate the offeror’s ability to meet” FIPS 140-2 standards
and “evaluate the offeror’s access to and use of current technology as it relates to court
reporting.” AR at 30. The ITC’s consideration of the reasons behind a single algorithm’s
disallowance would therefore be beyond the scope of the Solicitation’s requirements. Further,
plaintiff’s argument regarding the algorithm invites the Court to conduct a de novo technical
evaluation, which goes beyond the scope of the Court’s APA standard of review. Motor Vehicle
Mfrs. Ass’n of U.S., Inc., 463 U.S. at 43 (“The scope of review under the ‘arbitrary and
capricious’ standard is narrow and a court is not to substitute its judgment for that of the
agency.”). “The purpose of limiting review to the record actually before the agency is to guard
against courts using new evidence to convert the arbitrary and capricious standard into
effectively de novo review.” Axiom Res. Mgmt., Inc., 564 F.3d at 1381 (internal quotation marks
omitted). Plaintiff asks the Court to investigate the details of whether the CO looked beyond the
CMVP certificates for the routers and inquire into the CMVP validations for each router’s
algorithms. Requiring the CO to analyze the underlying algorithms would improperly expand
judicial review beyond “the record actually before the agency” and “convert the arbitrary and
- 25 -
capricious standard into effectively de novo review.” AgustaWestland North America, Inc. v.
United States, 880 F.3d 1326, 1331 (2018) (internal quotation marks omitted). For these reasons
the Court finds defendant’s technical evaluation reasonable.
V. Judgment on the Administrative Record Related to the ITC’s Past Performance
Evaluation
A. The Parties’ Arguments Regarding the ITC’s Past Performance Evaluation
Plaintiff argues the ITC’s evaluation of defendant-intervenor’s proposal was flawed
because it did not consider defendant-intervenor’s purported historical noncompliance with
transcript formatting requirements and its Contractor Performance Assessment Reports
(“CPARs”). Pl.’s MJAR at 42–43. The government asserts plaintiff waived its arguments
concerning ITC’s past performance evaluation because it failed to challenge the scope of the
ITC’s proposed corrective action, which would only reevaluate the proposals under the use of
technology subfactor. Def.’s Cross-MJAR & Resp. at 36. Further, the government argues
plaintiff fails to show the ITC’s past performance evaluation lacked a rational basis because the
ITC reasonably determined defendant-intervenor’s past performance warranted an “Outstanding”
rating, and nothing required the ITC to consider CPARs in evaluating past performance. Id. at
40–41. Responding to plaintiff’s transcript formatting arguments, the government maintains
plaintiff “has no standing as a third party to challenge [defendant-intervenor’s] capacity to fulfill
contract requirements under the guise of a bid protest,” and such arguments “would require the
Commission to assume future non-compliance when no evidence of prior non-compliance was
before the evaluators.” Id. at 47. Defendant-intervenor also contends plaintiff waived its past
performance arguments by failing to raise them as a challenge to the ITC’s proposed corrective
action during the first GAO protest. Id. at 32–33. Even if plaintiff did not waive its past
performance arguments, defendant-intervenor nonetheless maintains those arguments are
unavailing because ITC’s past performance evaluation was rational. Id. at 33. Defendant-
intervenor further asserts plaintiff’s transcript formatting arguments are “untimely,” “factually
baseless,” and a “matter[] of contract administration.” Id. at 44–45.
B. Whether Plaintiff Waived its Past Performance Arguments
As a threshold matter, both the government and defendant-intervenor argue plaintiff
waived its past performance arguments by failing to protest the agency’s corrective action. “[A]
party who has the opportunity to object to the terms of a government solicitation containing a
patent error and fails to do so prior to the close of the bidding process waives its ability to raise
the same objection afterwards in a § 1491(b) action in the Court of Federal Claims.” Blue &
Gold Fleet, L.P. v. United States, 492 F.3d 1308, 1315 (Fed. Cir. 2007). “The same policy
underlying Blue & Gold supports its extension to all pre-award situations.” COMINT Sys. Corp.
v. United States, 700 F.3d 1377, 1382 (Fed. Cir. 2012). While the Federal Circuit has not
applied its Blue & Gold waiver rule to corrective action, this Court has extended the waiver rule
to situations in which a protestor did not protest an agency’s proposed corrective action. For
example, in XPO Logistics Worldwide Government Services, LLC v. United States, this Court
held the plaintiff waived its arguments regarding discussions after it was informed the agency
would not hold discussions during its corrective action and did not protest the corrective action.
- 26 -
134 Fed. Cl. 783, 799 (2017), aff’d, 713 Fed. App’x 1008 (Fed. Cir. 2018). Similarly, in Anham
FZCO v. United States, this Court held the plaintiff waived arguments concerning the awardee’s
legal issues because it knew the agency would not consider those issues during its corrective
action and failed to challenge the scope of the corrective action. 144 Fed. Cl. 697, 719 (2019).
In Technatomy Corp. v. United States, however, this Court declined to extend the waiver
rule to arguments the plaintiff could have raised in protesting the agency’s corrective action but
did not raise until after the corrective action. 144 Fed. Cl. 388, 391–92 (2019). There, this Court
explained the circumstances in which the waiver rule should apply “involve bid protests brought
by an initial awardee challenging a decision to undertake corrective action, as such parties are
injured by having to win the same award twice, and the decision is neither interlocutory nor
without legal consequences.” Id. at 391 (internal citations omitted) (first citing NVE, Inc. v.
United States, 121 Fed. Cl. 169, 178–79 (2015), and then citing Sys. Application & Techs., Inc. v.
United States, 691 F.3d 1374, 1382, 1384 (Fed. Cir. 2012)). The Court next reasoned, “[i]n
contrast, the initially unsuccessful offeror which obtains corrective action as a result of bringing
a GAO protest cannot usually be said to have been injured by this remedy, particularly when the
GAO recommended the course of action—as that office will only do so when it has been
convinced that the protester’s substantial chance of winning the award would thereby be
restored.” Id. Applying Technatomy’s principles to its facts, the Court found the plaintiff could
not have raised its technical evaluation arguments in a subsequent protest challenging the
corrective action, which the GAO recommended, because “the decision which injured plaintiff—
the source selection decision—was no longer in force, and none of the technical evaluation
decisions which plaintiff challenges were the sort which necessarily disqualified plaintiff.” Id.
Therefore, “plaintiff had neither standing nor a ripe claim to pursue once the corrective action
was announced. To find otherwise would open the floodgates to bid protests challenging
evaluation minutiae brought by parties who had not yet even been excluded from a competitive
range.” Id. at 391–92. Moreover, this Court found the plaintiff “preserved these protest grounds
by raising them before the GAO in the first place.” Id. at 392. It was “not disputed that
plaintiff’s protest grounds concerning the technical evaluations of proposals were previously
included in the GAO protest, and a timely, formal objection is all that is necessary to preserve
grounds that are subject to Blue & Gold waiver.” Id.
Similarly, in Vanguard Recovery Assistance v. United States, another judge of this Court
rejected similar arguments and found the plaintiff did not waive arguments it raised at GAO,
which were not subject to the agency’s corrective action, and later raised in the subsequent
protest before this Court. 99 Fed. Cl. 81, 90–92 (2011). There, this Court similarly noted
evaluation arguments raised in a protest challenging the corrective action “would be met with a
persuasive ripeness objection.” Id. at 91.
Like the plaintiff in Technatomy, here plaintiff raised the same substantive past
performance arguments before GAO. See AR at 332. Additionally, although the ITC did not
propose to reevaluate past performance during its corrective action, plaintiff promptly objected
to the scope of the corrective action and requested GAO not dismiss its first protest.
Specifically, plaintiff asserted “the corrective action is too narrow” because, among other
reasons, “the ITC will not address . . . its failure to consider [defendant-intervenor’s]
noncompliance with the RFQ’s transcript formatting requirements.” Id. at 1737. Plaintiff also
- 27 -
argued to GAO ambiguities in the notice of corrective action “make it difficult to assess which, if
any, of [plaintiff’s] protest grounds it will address or potentially address and hence render
academic.” Id. at 1740. Moreover, similar to Technatomy, here, the ITC stated its corrective
action would reevaluate its best value determination and produce a new source selection
decision. See id. at 1735–36. Therefore, with the original source selection decision no longer in
effect, plaintiff likely would not have had standing to raise past performance arguments
regarding the source selection decision in a protest challenging the scope of the corrective action.
See Technatomy, 144 Fed. Cl. at 391 (“Because of that corrective action, the decision which
injured plaintiff—the source selection decision—was no longer in force . . . .”). Consistent with
other judges of this Court, the Court declines to extend a Blue & Gold waiver rule to this case
and finds plaintiff did not waive its past performance arguments.
C. Whether the ITC’s Past Performance Evaluation was Arbitrary and Capricious
Plaintiff argues the ITC should have considered defendant-intervenor’s alleged historical
noncompliance with transcript formatting requirements in its evaluation of defendant-
intervenor’s past performance.5 Pl.’s MJAR at 43. In so arguing, plaintiff invokes the “too close
at hand” doctrine. Id. Plaintiff relies on this Court’s decision in Seattle Security Services, Inc. v.
United States, 45 Fed. Cl. 560 (2000) for the proposition “an agency may not disregard an
offeror’s past performance on a contract for the same work that is being solicited.” Id. The
government argues the ITC considered all relevant “close-at-hand” information and “did not
ignore either (1) information about [defendant-intervenor’s] performance personally known to
the Evaluation Team[,] or (2) information relating to [defendant-intervenor’s] contracts with the
Commission.” Def.’s Cross-MJAR at 44. Additionally, the government contends “in advancing
its wide-margin allegations, [plaintiff] raises a question about future contract administration,
which is governed by the Contract Disputes Act, and beyond the scope of the Court’s bid-protest
jurisdiction.” Id. at 46. Likewise, defendant-intervenor argues the ITC reasonably relied on
defendant-intervenor’s past performance questionnaires, which reported defendant-intervenor
complied with all technical requirements for each reference contract, and “the page formatting
requirement[s] under the present solicitation are irrelevant to [defendant-intervenor’s]
performance under the Pre-2014 Contract.” Def.-Intervenor’s Cross-MJAR at 40.
Seattle Security Services concerned a General Services Administration procurement for
armed security guards for federal offices and courthouses in Washington and Oregon. 45 Fed.
Cl. at 562. The solicitation instructed offerors to provide three contract references from relevant
past contracts performed within the last five years, and the CO would contact some or all of the
offerors’ references. Id. at 563. The plaintiff previously held separate contracts for Washington
and Oregon and listed the CO for each contract as a reference. See id. at 564. The CO for the
procurement at issue “did not evaluate the same number of references for each offeror and did
not always employ the evaluation form” the CO created to evaluate past performance. Id. To
5
Defendant-intervenor notes in its briefing the record shows plaintiff may have failed to comply with formatting
requirements on a transcript it produced of an ITC hearing on 3 October 2019. AR at 2417–18 (Declaration of Ian
Quillman, CO at the ITC). See Def.-Intervenor’s Cross-MJAR at 38, (quoting AR at 2417) (“Mr. Quillman stated
that during his review of Ace’s performance under its 2019 bridge contract, he reviewed a transcript that Ace
completed and found Ace’s margins were not compliant, considering them to be ‘large variances.’”).
- 28 -
evaluate the plaintiff’s past performance, the CO contacted the Washington contract CO and the
reference for another smaller contract. Id. The plaintiff challenged the CO’s past performance
evaluation and argued the CO “failed to evaluate properly its performance as the incumbent on
the Washington and Oregon contracts, which were being combined” for the procurement, and by
inconsistently using the evaluation form. Id. at 566. This Court agreed the CO’s failure to
consider the plaintiff’s past performance on both the Washington and Oregon contracts
prejudiced plaintiff. Seattle Sec. Servs., Inc., 45 Fed. Cl. at 567. This Court therefore concluded
“the CO acted unreasonably in failing to combine the Washington and Oregon contracts for
purposes of evaluating plaintiff’s past performance” because “[t]his information was simply too
relevant and close at hand to ignore.” Id. at 569.
Here, the ITC submitted a past performance questionnaire testifying to defendant-
intervenor’s performance under its pre-2014 contract providing court reporting services to the
ITC, and it considered this questionnaire in evaluating defendant-intervenor’s past performance.
AR at 152. The ITC indicated on the questionnaire defendant-intervenor complied with all
technical requirements of the contract. Id. Defendant-intervenor’s three other references
responded the same, with each reference assessing either “Very Good” or “Exceptional” ratings
in every category. Id. at 150–51, 153. Unlike the CO in Seattle Security Services, here, the CO
took all past performance questionnaires into account in evaluating past performance. The
record does not show evaluators ignored any other information they personally knew or
possessed. This Court’s decision in Seattle Security Services is therefore distinguishable from
the instant case. Nothing on the questionnaires would have caused the CO to question the
accuracy or dependability of the ratings.
Moreover, defendant-intervenor’s past transcript formatting does not bear on this
contract; compliance with contract requirements is a matter of contract administration not
appropriately raised in a bid protest. See MSC Indus. Direct Co. v. United States, 140 Fed. Cl.
632, 652 (2018) (“[A protestor] cannot, as a third party, challenge the capacity of an awardee to
fulfill the requirements of the award.”). The CO for this procurement echoed this principle in a
declaration submitted to the GAO, which stated: “As the CO, my duties include contract
administration. I consider the order form and transcript-formatting requirements in the original
contract and the bridge contract to be performance requirements subject to contract
administration . . . .” AR at 1898. Even if the past transcript formatting were relevant, there is
no evidence in the record showing the evaluators had any personal knowledge of defendant-
intervenor’s transcript formatting.
The ITC’s evaluation of defendant-intervenor’s past performance consisted of a review of
four completed past performance questionnaires reflecting defendant-intervenor’s performance
and a review of a chart reflecting a summary of CPARs ratings for defendant-intervenor’s past
contracts, all of which were rated “Exceptional,” “Very Good,” or “Satisfactory.” Id. at 150–53,
192. From this, the Evaluation Team assigned an “Outstanding” rating to defendant-intervenor’s
past performance factor. Id. at 193. Plaintiff argues the ITC “fail[ed] to reasonably consider
[defendant-intervenor’s] CPARs” in two respects: first, the information contained in the
summary CPARs chart does not support an assignment of an “Outstanding” rating under the past
performance factor because the majority of defendant-intervenor’s ratings were merely
“Satisfactory;” and second, the ITC did not actually review and consider the CPARs, but instead
- 29 -
relied on an assessment chart without looking at the underlying reports. Pl.’s MJAR at 49–50.
Plaintiff concludes had the ITC given meaningful weight to defendant-intervenor’s CPARs,
defendant-intervenor “would have received a lower past performance rating.” Id. at 52.
Plaintiff’s argument concerns the assignment of an “Outstanding” rating based on the
ratings contained in the summary CPARs chart regarding “minutiae of the procurement process,
which involve discretionary determinations of procurement officials that a court will not second
guess.” E.W. Bliss Co. v. United States, 77 F.3d 445, 449 (Fed. Cir. 1996). “The Court gives the
‘greatest deference possible’ to a procurement official’s evaluation of a proposal’s technical
excellence or quality.” Seaborn Health Care, Inc. v. United States, 101 Fed. Cl. 42, 48 (2011)
(quoting Fort Carson Support Servs. v. United States, 71 Fed. Cl. 571, 598 (2006)).
Plaintiff fails to identify any objective requirement in FAR Section 42.1502 stating the
ITC must review and consider defendant-intervenor’s full CPARs report, as opposed to
reviewing and summarizing CPARs ratings. Section 42.1502 sets forth a general policy
requiring agencies to input information about a contractor’s performance in CPARs, but it does
not universally require agencies to extract CPARs reports as part of a past performance
evaluation. See FAR § 42.1502(a). Instead, plaintiff relies on a GAO decision finding an agency
unreasonably “relied exclusively upon the assessment chart generated by CPARS listing rating
percentages.” JMark Servs., Inc., B-417331.2, 2019 CPD ¶ 277, 2019 WL 3493829, at *8
(Comp. Gen. July 22, 2019); Pl.’s MJAR at 50.
Applied to this case, JMark shows the ITC conducted a rational past performance
evaluation. The solicitation in JMark required past performance evaluations be a “primary
consideration in [the] selection process,” but the Air Force disregarded the questionnaires in
favor of a rating derived from CPARs summary charts. JMark Services, Inc., 2019 WL
3493829, at *10. The CPARs charts in the JMark solicitation did not provide information by
which the Air Force could determine whether the ratings pertained to relevant experience,
meaning the Air Force’s entire evaluation scheme was inconsistent with the solicitation
requirements. Id. at *9–10. Here, the ITC’s past performance evaluation also included
questionnaires attached to the RFQ. AR at 191–92. Additionally, the RFQ neither required nor
prohibited ITC’s review of a CPARs summary chart. There is no basis for plaintiff’s assertion
the ITC acted without a rational basis in considering the CPARs chart. See Honeywell, Inc., 870
F.2d at 648 (quoting M. Steinthal & Co. v. Seamans, 455 F.2d at 1301) (“‘If the court finds a
reasonable basis for the agency’s action, the court should stay its hand even though it might, as
an original proposition, have reached a different conclusion as to the proper administration and
application of the procurement regulations.’”). Plaintiff’s assertions thus concern the “minutiae
of the procurement process[,] . . . which involve[s] discretionary determinations of procurement
officials that a court will not second guess.” E.W. Bliss Co., 77 F.3d at 449. For these reasons
the Court finds defendant’s past performance evaluation reasonable.
VI. Judgment on the Administrative Record Related to the ITC’s Best Value
Determination
Plaintiff asserts the ITC conducted a flawed best value tradeoff based on its alleged errors
in evaluating the offerors under the technical and past performance factors. Pl.’s MJAR at 52.
- 30 -
The government argues plaintiff also waived its arguments regarding ITC’s best value
determination because plaintiff failed to protest the scope of the ITC’s corrective action, which
did not include reevaluating its best value tradeoff. Def.’s Cross-MJAR at 35–39. Finally,
defendant-intervenor argues plaintiff’s “challenge to the best-value determination is entirely
derivative of its meritless technical, past performance, and price evaluation arguments, which the
Court should reject . . . .” Def.-Intervenor’s Cross-MJAR at 47.
Plaintiff objected to the scope of the corrective action, arguing “the ITC’s new cost-
technical tradeoff and best value decision will be based on [the] same misleading and inaccurate
price delta between [plaintiff’s] and [defendant-intervenor’s] proposals.” AR at 1738. Similar to
the above analysis regarding waiver of the past-performance evaluation, plaintiff preserved its
best value determination arguments by raising them in the first GAO protest. See id. at 334.
Plaintiff argues, based on its contention the ITC evaluation of the technical and past performance
factors was arbitrary and capricious, the alleged errors tainted the ITC’s best value trade off
analysis, rendering the best value determination arbitrary and capricious as well. Pl.’s MJAR at
53. Plaintiff’s arguments regarding the best value trade off depend on the Court finding error
with either the technical evaluation or the past performance evaluation. See Pl’s MJAR at 53–55
(arguing the ITC’s best-value decision was unreasonable because of flaws in its technical
evaluation and past performance evaluation). Since the Court finds the ITC’s evaluation of the
technical and past performance factors was rational, the ITC’s best value determination
accordingly did not err. “It is well-established that contracting officers have a great deal of
discretion in making contract award decisions, particularly when, as here, the contract is to be
awarded to the bidder or bidders that will provide the agency with the best value.” Banknote
Corp. of Am., Inc., 365 F.3d at 1355. For these reasons and the reasons discussed in Sections IV
and V, the Court finds defendant’s best value determination reasonable.
VII. Injunctive Relief
In its motion for judgment on the administrative record, plaintiff requested a permanent
injunction. See Pl.’s MJAR at 56–58. The Court considers the following factors when
determining whether to issue a permanent injunction: “(1) whether . . . the plaintiff has
succeeded on the merits of the case; (2) whether the plaintiff will suffer irreparable harm if the
court withholds injunctive relief; (3) whether the balance of hardships to the respective parties
favors the grant of injunctive relief; and (4) whether it is in the public interest to grant injunctive
relief.” PGBA, LLC, 389 F.3d at 1228–29. Turning first to factor one, plaintiff is not entitled to
injunctive relief because plaintiff does not prevail on the merits. The Court therefore does not
reach the remaining prongs of the test for a permanent injunction. Info. Tech. & Applications
Corp. v. United States, 51 Fed. Cl. 340, 357 n.32 (2001), aff’d, 316 F.3d 1312 (Fed. Cir. 2003)
(“Absent success on the merits, the other factors are irrelevant.”).
VIII. Conclusion
For the foregoing reasons, the Court DENIES plaintiff’s motion to supplement the
administrative record, DENIES plaintiff’s motion for judgment on the administrative record, and
GRANTS the government’s and defendant-intervenor’s respective cross-motions for judgment
on the administrative record. The Clerk is directed to enter judgment accordingly.
- 31 -
IT IS SO ORDERED.
s/ Ryan T. Holte
RYAN T. HOLTE
Judge
- 32 -