Agency Unreasonably Declined to Consider Responsibility Information Submitted After Deadline for Proposals; GAO B-413104.30, Chags Health Information Technology LLC

Protest challenging the agency’s rejection of a proposal as noncompliant with the solicitation requirements is sustained, where the agency unreasonably declined to consider responsibility information that was submitted after the deadline for proposals. The protester failed to provide a password to decrypt certain financial documents in its proposal but later provided this password after the deadline for proposals but before the agency’s evaluation. GAO held that the agency was not required to request the password, but was obligated to use it once it was received, as the agency had not yet completed its evaluation of the protester’s proposal and because the information went to the protester’s responsibility.

Chags Health Information Technology LLC protested the National Institutes of Health’s rejection of its proposal for one of multiple IDIQ contracts for IT solutions.

C-HIT submitted a timely proposal, which included an encrypted version of a financial statement for one of its teaming partners. The solicitation required the submission of either an annual report or an offeror’s most recent asset and liabilities report. During phase one of the evaluation, the agency would verify merely that the information had been submitted. Later in the evaluation, this financial information would be used to determine an offeror’s responsibility. Team members who did not wish to share their financial information with their prime contractor were allowed to provide an encrypted version of their statements, but were required to send a decryption password to the agency via email.

When the agency evaluated C-HIT’s proposal, it inquired about the encrypted document and was informed that the password had been emailed to the address indicated in the solicitation. However, the agency concluded it had not received the password prior to the deadline for proposals and rejected the proposal as noncompliant.

The protester argued that the password had been sent. Further, when the agency inquired about the encrypted document, the teaming partner sent the password again. The agency argued it reasonably declined to consider the password, as it arrived after the deadline for proposals. The protester argued that because the document would not be considered until the agency made a responsibility determination, that the agency should have considered the proposal compliant, because it did include the required statement, albeit in encrypted format.

GAO agreed with the protester, finding that the financial statement related to responsibility and was therefore a matter that could be satisfied any time prior to award. On the one hand, GAO found the agency reasonably concluded that the failure to provide a password to decrypt the documents was tantamount to a failure to provide the document at all, and therefore it was not obligated to request additional information from C-HIT about the financial statement. However, GAO also held that since the financial statement related to responsibility, the agency was permitted to request and consider the password that decrypted it, even if it was received after the deadline.

GAO held that the agency’s refusal to consider the password was unreasonable. GAO noted that it has regularly found that agencies may consider responsibility information submitted after the deadline for proposals. Even where a solicitation states that documents related to responsibility must be submitted by a deadline, an agency is not required to reject a proposal or bid as unacceptable or nonresponsive based on a failure to satisfy a responsibility criterion by the deadline.

NIH argued that it reasonably relied on the terms of the solicitation, which established compliance with the solicitation instructions as a pass/fail criterion. Further, NIH noted that in AttainX, a protest of the same procurement, GAO found that the agency reasonably rejected a proposal for failing to provide information that pertained to responsibility. In response, GAO explained that in AttainX, the protester did not provide the required information prior to the agency’s evaluation and rejection of its proposal. In contrast, in this case the agency had all the required information in its possession prior to the time it completed its evaluation. If the agency had never received the decrypted password prior to the evaluation, the agency could have rejected the C-HIT proposal because it did not contain the required documents and therefore failed to meet the compliant proposal criterion of phase 1.

NIH also argued that it was not required to consider the password, because the solicitation required that any passwords be sent to a specific help desk address. However, GAO noted the CO received an email from the teaming partner and specifically acknowledged its receipt. GAO concluded the CO—the individual charged by the FAR with making responsibility determinations—could not ignore the password in his possession on the grounds that the RFP required the password to be provided via email to the EPIC help desk.

In short, while NIH was not obligated to request the password, GAO concluded the agency was required to use it once it was received. Accordingly, GAO sustained the protest.

Chags Health Information Technology LLC is represented by David B. Dixon, Meghan D. Doherty, Toghrul Shukurlu, and Robert C. Starling of Pillsbury Winthrop Shaw Pittman LLP. The government is represented by Christine F. Simpson, Department of Health and Human Services. GAO attorneys Jonathan L. Kang and Laura Eyester participated in the preparation of the decision.