In a decision issued on April 20, 2007, but published today because of a protective order, the GAO denied a protest by Olympus Building Services, Inc., B-296741.14; B-296741.15 against the award of a contract to Rowe Contracting Services, Inc., issued by the Defense Intelligence Agency (DIA) for janitorial services at the DIA Analysis Center. Olympus challenged the proposal evaluation and best value determination.

Among other things, Olympus asserted that Rowe’s proposal should not have been rated excellent under the technical factors because it did not include a required security awareness plan.  In this regard, in evaluating Rowe’s initial proposal, the Technical Evaluation Board (TEB) noted that Rowe had not provided a security awareness plan; the agency pointed this out to Rowe as a weakness during discussions.  In response, in its final proposal revision (FPR), Rowe provided a security awareness plan comprised of a short statement explaining, among other things, that Rowe was familiar with current Defense Security Services and DIA Regulations and security manuals, and stating that Rowe would comply with all DIA security policies. The FPR also included copies of several documents, including an Annual Security Awareness Briefing, a Refresher Security Briefing, and a Security Awareness Bulletin (self inspection handbook for contractors). The TEB determined that this information was sufficient to respond to its original concern.  Olympus argued that the information should not have been deemed sufficient because it did not include a narrative explaining how each of the included documents would be utilized during performance.

The GAO concluded that the RFP did not require that the security awareness plan be presented in any particular format or include any particular information; thus, the fact that the plan could have included additional information did not require the agency to find it deficient.  “The plan Rowe presented included information addressing security awareness and, given the absence from the RFP of detailed informational requirements, we think the agency reasonably could determine that this information was sufficient to address its concerns. Olympus’s disagreement with the agency’s conclusion is not sufficient to establish that the evaluation is unreasonable.”

While the outcome of the protest might have been the same for other reasons, we find it to be somewhat inconsistent, based on prior GAO decisions, for the GAO to take the position that instead of providing a security awareness plan, it was sufficient for Rowe to simply furnish a “short statement” explaining that it was familiar with DIA security policies.  A “plan” is usually required to enable a TEB to be certain that an offeror has thought out the implementation of agency policy.  The GAO has frequently found that the mere recitation of compliance with an RFP requirement is not sufficient to demonstrate compliance.  The fact that the TEB was willing to accept a “short statement” instead of a security awareness plan should not have endorsed by the GAO.