GOOGLE, INC. et al v. USA
Filing
100
Second MOTION for Judgment on the Administrative Record Based On The Refiled And Updated Administrative Record, filed by GOOGLE, INC., ONIX NETWORKING CORPORATION.Response due by 7/28/2011.(Nucci, Katherine)
<![CDATA[
IN THE UNITED STATES COURT OF FEDERAL CLAIMS
Bid Protest
)
)
)
)
)
)
GOOGLE, INC.,
and
ONIX NETWORKING CORPORATION,
Plaintiffs,
v.
THE UNITED STATES,
Defendant,
and
SOFTCHOICE CORPORATION,
Defendant-Intervenor.
)
)
)
)
)
)
)
)
)
)
)
)
)
)
)
)
AGREED-TO PUBLIC VERSION
No. 10-743 C
(Judge Braden)
Plaintiffs' Restated Motion For Judgment
On The Refiled And Updated Administrative Record
Timothy Sullivan
1909 K Street, N.W., 6th Floor
Washington, D.C. 20006
(202) 585-6930 (tel.)
(202) 508-1028 (fax)
Attorney of Record for Plaintiffs Google, Inc.
and Onix Networking Corporation
Of Counsel:
Katherine S. Nucci
Scott F. Lane
Kathleen E. Kraft
Thompson Coburn LLP
Dated: May 27, 2011
TABLE OF CONTENTS
Page
I. STATEMENT OF FACTS
5
II. THE COURT HAS JURISDICTION AND PLAINTIFFS HAVE STANDING
8
III. DEFENDANT'S ACTIONS VIOLATED STATUTORY AND REGULATORY
REQUIREMENTS
10
Standard Of Review On A Motion For Judgment Upon The Administrative
Record
Defendant's Pre-Selection Of The Microsoft BPOS-Federal Solution Violated
CICA And FAR Subpart 6.3, And Was Not Rationally Based
IV. THE COURT SHOULD PERMANENTLY ENJOIN THE DOl FROM
PROCEEDING WITH ITS PROCUREMENT OF BPOS-FEDERAL
Plaintiffs Will Suffer Irreparable Harm If Injunctive Relief Is Not Granted
The Balancing Of Harm Favors Injunctive Relief
The Public Interest Favors Issuance Of An Injunction
V. CONCLUSION
11
19
20
20
21
22
-15348390.1
10
TABLE OF AUTHORITIES
Cases
Advanced Data Concepts, Inc.
Aero Corp.
v.
Dept.
v.
of the Navy,
United States, 216 F.3d 1054 (Fed.Cir. 2000)
540 F.Supp. 180 (D.D.C. 1982)
Ala. Aircraft Indus. Inc.-Birmingham
(Fed.Cir. 2009)
Amoco Prod. Co.
v. Viii.
Cardinal Maint. Serv., Inc.
v.
v.
11, 18
United States, 365 F.3d 1345 (Fed.Cir. 2004)
United States, 63 Fed.C1. 98 (2004)
v.
United States, 39 Fed.C1. 780 (1997)
CHE Consulting, Inc.
v.
United States, 552 F.3d 1351 (Fed.Cir. 2008)
Distributed Solutions, Inc.
Googie, Inc. et al.
v.
United States, 95 Fed.C1. 661 (2011)
Hunt Building Co., Ltd.
v.
United States, 61 Fed.C1. 243 (2004)
Information Sciences Corp.
Mission Critical Solutions
OTIAm., Inc.
v.
United States, 539 F.3d 1340 (Fed. Cir. 2008)
v.
v.
v.
United States, 80 Fed.C1. 759 (2008)
United States, 91 Fed.C1. 389 (2010)
United States, 68 Fed.C1. 646 (2005)
PGBA, LLC v. United States, 60 Fed.C1. 196, affd, 389 F.3d 1219 (Fed.Cir. 2004)
Prineviile Sawmill Co., Inc.
Redland Genstar, Inc.
v.
v.
United States, 859 F.2d 905 (Fed.Cir. 1988)
United States, 39 Fed.CI. 220 (1997)
Rex Serv. Corp. v. United States, 448 F.3d 1305 (Fed.Cir. 2006)
Savantage Financial Services, Inc.
5348390.1
v.
18
United States, 586 F.3d 1372
of Gambell, Alaska, 480 U.S. 531 (1987)
Banknote Corp. ofAm., Inc.
CCL, Inc.
v.
12
United States, 81 Fed.C1. 300 (2008)
19
10
20
9
12
8, 9
passim
21
20
22
20
19, 20
10
10, 11
9
8, 18
Weeks Marine, Inc. v. United States, 575 F.3d 1352 (Fed.Cir. 2009)
9
Statutes And Regulations
10 U.S.C.
§
2304(a)(1)(A)
10 U.S.C. § 2305(a)(1)(B)(ii)
28 U.S.C.
§
1491(b)(1)
12
12
8
28
u.s.c.
1491(b)(2)
41
u.s.c.
§
253(a)(1)(A)
12
41
u.s.c.
§
253(a)(2)(B)
12
41
u.s.c.
§
403(2)
48 C.F.R. (FAR) Subpart 6.3
19
8
passim
IN THE UNITED STATES COURT OF FEDERAL CLAIMS
Bid Protest
)
)
)
)
GOOGLE, INC.,
and
AGREED-TO PUBLIC VERSION
)
)
)
)
)
)
ONIX NETWORKING CORPORATION,
Plaintiffs,
)
)
v.
No. 10-743 C
(Judge Braden)
)
THE UNITED STATES,
)
)
Defendant,
)
)
)
and
)
SOFTCHOICE CORPORATION,
)
)
)
)
Defendant-Intervenor.
Plaintiffs' Restated Motion For Judgment
On The Refiled And Updated Administrative Record
Plaintiffs Google, Inc. ("Google") and Onix Networking Corporation ("Onix") hereby
submit their Restated Motion for Judgment on the Administrative Record, which was updated
and refiled by Defendant on May 12, 2011 pursuant to the Court's Order, dated May 11, 2011,
and as a result of the Court's decision in Google, Inc. et al.
v.
United States, 95 Fed.Cl. 661
(2011) ("Google I"). In Google I, the Court preliminarily enjoined the Department of the
Interior ("DOT" or "Defendant") from proceeding with DOT's procurement of agency-wide
messaging and collaboration services based on Microsoft Corporation's Business Productivity
-15348390.1
Online Suite-Federal ("BPOS-Federal") cloud computing solution pursuant to Request for
Quotation No. 503786 (the "RFQ") or any related procurement, solicitation, task order, or
activity, and the Court remanded the procurement to the DOT "for additional investigation or
explanation" regarding the agency's processes for procuring a unified messaging solution. Id. at
680.
In Google I, the Court aptly summarized Plaintiffs' protest as follows:
The gravamen of the October 29, 2010 Complaint and December
30, 2010 Amended Complaint is that the process by which Interior
restricted competition exclusively to the Microsoft BPOS-Federal
and the Microsoft Desktop and Service Software for messaging
and collaboration solutions violated the Competition in
Contracting Act, 41 U.S.C. § 253(a) and the FAR, and therefore
was arbitrary, capricious, an abuse of discretion and contrary to
law, in violation of the Administrative Procedure ACt 5 U.S.C.
§ 706(2)(A).
Id. at 672-73. The Court proceeded to closely examine the facts, recounting the extensive
collaboration between DOT and Microsoft that began in early-to-mid 2009 to migrate all of
DOT's messaging requirements on a sole-source basis to Microsoft's as yet-to-be-built BPOS-
Federal cloud solution, that led to DOT' s issuance of two July 15, 2010 standardization decisions
upon which the August 30, 2010 RFQ and accompanying "Limited Source Justification" were
based. Id. at 663-71. Holding that the two standardization decisions, contained in the
Administrative Record (both original and as refiled) ("AR") at Tabs 15 and 16, were
"quintessential non-competitive procedure[sJ,' that must be justified by the econtracting
officer," Id. at 676, the Court ruled that the standardization decisions violated the Competition
in Contracting Act ("CICA") and the FAR. Id. at 679. As explained by the Court, it did not
appear that the appropriate DOT official had approved the decisions, there was no Secretarial
Order endorsing the project as required by the May 4, 2010 "Unified Messaging System Project
2
Plan" (AR Tab 47, p. 1587), and the decisions did not comply with FAR 6.302-1(a), 6.303-1,
6.303-2, and 6.304. Id. at 676-78.
Little has changed since Google Iwas issued on January 4, 2011. Despite the Court's
conclusions and remand instructions, and as explained in Plaintiffs' Response to Defendant's
Motion to Terminate the Stay of Proceedings, Dissolve the Court's Preliminary Injunction, and
Issue a Schedule to Resume Briefing on the Merits of the Case ("Plaintiffs' Response to
Defendant's Motion to Dissolve"), Defendant has done nothing to explain away or cure the
deficiencies identified by the Court in Google I.' Instead, the Defendant sought to divert the
Court's attention from the "gravamen" of this protest to the flak and publicity over the FISMA
certification2 issue, which as we shall reiterate herein is a red herring in the context of the merits
of this case. Indeed, the facts show that long before the issue arose regarding whether the
Google Apps for Government security-enhanced version of the Google Apps Premier system is
encompassed within the FISMA authorization issued by the GSA on July 22, 2010 (AR Tab 92,
- a commercial BPOS system
subsequently modified for government purposes as BPOS-Federal - and negotiated terms and
pp. 2041-59), the DOT selected the Microsoft messaging solution
commitments with Microsoft that preceded the standardization decisions by many months.
Moreover, the refiled AR establishes that even after this protest action was initiated in October
As detailed in Plaintiffs' Response to Defendant's Motion to Dissolve, pp. 3-7, it remains
questionable that Ms. Suh, DOT's Assistant Secretary for Policy, Management and Budget, was
authorized to approve the standardization decisions. Moreover, while Defendant's "side by side
analysis" chart in its Notice of Filing the Administrative Record, dated May 12, 2011, cites to
four documents (Entry # 16 (citing AR Tabs 15, 55, 58 and 75)) as purporting to be the
"Secretarial order endorsing the Unified Messaging Project," clearly none of these documents
constitutes the requisite Secretarial Order. Finally, the standardization decisions remain
unchanged and, thus, still do not comply with FAR Subpart 6.3 requirements.
2
FISMA is the Federal Information Security Management Act of 2002. See generally AR Tab
14KK, "GAO Report on Information Security: Federal Guidance Needed to Address Control
Issues with Implementing Cloud Computing," describing FISMA and other requirements related
to securing federal information systems and data.
3
2010, there was continuing confusion among DOl and Microsoft officials about what BPOSFederal cloud solution was being built for DOT (for all customers or DOT's own implementation)
and regarding its configuration, and DOT was frustrated with delays in completion or submission
of the FTSMA certification and accreditation ("C&A") package for BPOS-Federal and with the
"overall appearance of sloppy execution by Microsoft." AR Tab 65, p. 1778.
Confusion, uncertainty and frustration. This is what can happen where, as here, agencies
flaunt the requirements of CTCA and ignore the safeguards established at FAR Subpart 6.3 for
justifying a sole-source procurement. The DOT has consistently claimed that its actions leading
up to and culminating in the July 15, 2010 standardization decisions3 were necessitated by (a) the
need for enhanced security in its cloud-based messaging solution (i.e., data storage and
computing infrastructures that are physically and logically dedicated to DOT or to federal
government customers only (AR Tab 11)), (b) only Microsoft's alleged ability to satisfy those
security needs, and (c) Google's refusal to provide a system either dedicated to DOl alone or
Defendant and Defendant-Tntervenor contend, of course, that the standardization decisions are
nothing more than internal policy documents beyond the scrutiny of the Court - and that the
August 30, 2010 "Limited Source Justification" and RFQ are the only procurement documents
subject to the Court's review because they, unlike the standardization decisions, will result in a
contract award and obligation of appropriated funds. See Defendant's Reply to Plaintiffs'
Response to Defendant's Motion to Dissolve, p. 7, and Reply of Softchoice Corporation in
Support of its Motion to Terminate the Stay of Proceedings, Dissolve the Court's Preliminary
Tnjunction, and Dismiss the Action ("Sofichoice Reply"), pp. 3-5. This argument lacks
credibility for several reasons. First, the Court recognized in Google I that the"Limited Source
Justification" and RFQ were nothing more than the means by which the DOT would implement
its decision to procure the Microsoft cloud-based system. Google, 95 Fed.Cl. at 676 and 679.
Second, the record indicates there will be a contractual agreement (if one doesn't exist already)
between DOT and Microsoft resulting from the standardization decisions. AR Tab 32, p. 1051;
Tab 33, p. 1106. Perhaps most telling, DOT's Mr. Corrington obviously considered the
standardization decisions as equivalent to a contractual commitment, and not just a "policy
decision." Tab 65, p. 1778.1 ("this might be a good time to reference the standardization memo
as it demonstrates that we have made a commitment to BPOS."). Finally, the fundamental flaw
in Defendant's and Defendant-Tntervenor's position is that, if the Court were to adopt their
reasoning, agencies then would have free rein to avoid the mandates of CTCA and FAR Subpart
6.3 merely by calling any document that identifies a need and specifies a product or vendor to
satisfy that need a "standardization decision."
-
4
restricted to federal government agencies.4 The DOT' s claims are not substantiated by any
comparative analyses of the security controls in Google's and Microsoft's cloud offerings or by
relative empirical data establishing that Google's community cloud (consisting of federal, state
and local governments) is any less secure than Microsoft's community cloud (consisting of
federal governments only). Instead, the DOI' s alleged "minimum" need - developed nearly a
year after DOT selected the "Microsoft Dedicated Hosted Exchange service to deliver a single
mail system to all DOT users" (AR Tab 33, p. 1098)
e-
- is based on (a) commercial reports that
principally assess generic and irrelevant cloud models, i.e., public versus private clouds instead
of the government community cloud options available in the marketplace, (b) DOT's risk
assessment based on those largely irrelevant reports, (c) a superficial and inaccurate "market
research" report by contractor
,
and (d) the post hoc arguments of
counsel regarding the alleged lesser security concerns of state and local governments.
As set forth herein and based on the record as a whole, Plaintiffs respectfully request that
the Court permanently enjoin the DOT from proceeding with its illegal and ill-conceived solesource procurement of the Microsoft BPOS-Federal messaging solution.
I.
STATEMENT OF FACTS
The Court's decision in Google I detailed the relevant facts as of January 4, 2011 when
the decision was issued. See Google, 95 Fed.Cl. at 663-72. Those facts are supplemented herein
to reflect documents and information contained in the updated and refiled AR.
In response to the Court's query during the May 4, 2011 conference call with the parties,
Google's product offering has not changed since the initiation of this bid protest action. The
Google Apps for Government system is available to federal, state and local government
customers, and each customer's data is logically separated from other customer data and located
in U.S. data centers. See also AR Tab 5, pp. 50-58 (Google's June 17, 2010 letter to DOT
describing how its cloud solution satisfies DOT's requirements as outlined in DOI's May 27,
2010 letter (AR Tab 4)).
5
Although the Court observed that the then-existing AR was "far from complete" and
identified examples of documentation that the Court believed should be in the AR, Id. at 679-80,
the refiled AR contains only a few additional documents responsive to the Court's expressed
concerns. These include a generic Microsoft handout and product materials (AR Tab 87, pp.
2000-16, and Tab 100, pp. 2221-80) provided with a July 19, 2010 e-mail to DOT's Mr. Andrew
Jackson, Mr. Jackson's notes (handwritten and retyped) only from meetings with Microsoft held
on September 22, 2009 and August 30, 2010 (AR Tab 65, pp. 177 l-77), documents purporting
to establish that DOT's modification to the Dell Marketing LLP schedule contract to implement
the BPOS-Federal "proof of concept" project was within the scope of the original Dell contract
(AR Tab 102), and other insignificant documents. Two e-mails added to the record, however,
provide further confirmation of the deal that was cut between DOT and Microsoft before any
thought was given to the mandates of the CICA and the FAR.
On February 17, 2010, the day before DOT officials met with Google, Mr. Jackson and
Mr. Corrington exchanged e-mails regarding Mr. Jackson's conversation with Microsoft's Teresa
Carlson, Vice President
- Federal Government.
According to Mr. Jackson, "[b]ottom line is that
she [Ms. Carlson] committed that our pricing won't change and that they will back off of the
hard sell." AR Tab 65, p. 1778.2. Thus, well before Mr. Corrington penned his June 29, 2010
No documentation was provided in relation to numerous other meetings referenced in the AR
that apparently occurred at least monthly between and among Mr. Jackson, Mr. Corrington and
various Microsoft executives and marketing personnel. E.g., AR Tab 32, pp. 1088-89
(referencing a meeting in July 2009); pp. 1083 and 1086 (referencing a meeting on October 7,
2009); p. 1077 (referencing a meeting on November 10, 2009); pp. 1071-1074 (referencing a
meeting on November 17, 2009); pp. 1068-1070 (referencing a meeting around December 2,
2009); pp. 1060-106 1 (referencing a meeting on December 22, 2009); pp. 1050-105 1 and 1057
(referencing a meeting on January 7, 2010 at Microsoft); p. 1050 (confirming high-level
executive meetings on February 4, 2010 (Defendant has asserted that no documents reflect what
happened at this particular set of meetings)); p. 1044 (referencing a meeting on February 23,
2010); pp. 1041-1044 (referencing a meeting around April 1, 2010); pp. 1036 (referencing a
meeting around May 7, 2010); p. 1016 (referencing a call and future meetings in late July 2010).
6
risk assessment (AR Tab 11),
concluded its market research (AR Tab 12), or Ms. Suh
signed the standardization decisions (AR Tabs 15 and 16), the DOT and Microsoft had already
agreed on the pricing for migrating DOT's e-mail systems to the BPOS-Federal cloud solution.
Evidence of exactly what that pricing arrangement was (or is) has never been produced by
Defendant.
In addition, on July 19, 2010, Mr. Corrington provided Mr. Jackson with "talking points"
for a conversation to be held with Ms. Carlson, including DOT's commitment to and need for
Microsoft to design and build a system to support 80,000 users (and not just the 6,000 users for
the "proof of concept" project) "despite the lack of a signed contract." Mr. Corrington's e-mail
stated that Mr. Jackson might want to reference the standardization decision
days earlier
- to demonstrate "that we have made a commitment to BPOS."
- signed just four
AR Tab 65, p.
1778.1.
The plans and commitments between DOT and Microsoft referenced in these additional
documents are encapsulated in numerous other documents contained in the record and referenced
by the Court in Google I, most notably in DOT's September 28, 2009 Project Plan (AR Tab 33),
its May 4, 2010 updated Project Plan (AR Tab 47), its July 13, 2010 Acquisition Plan (AR Tabs
18
and 98), and its July 15, 2010 BPOS-Federal standardization decision (AR Tab 15). See also
Google, 95 Fed.Cl. at 664-65 (describing Microsoft/DOT communications); AR Tab 32 (e-mail
correspondence between Microsoft and DOT). Taken together, these documents and other
materials in the AR prove beyond cavil that the DOT's sole-source selection of the Microsoft
cloud-based system was made in 2009 without the benefit of any competition or an authorized,
compliant justification pursuant to FAR Subpart 6.3 to use other than full and open competition.
The DOT made this monumental decision well beforethe BPOS-Federal solution was even
7
launched, designed or built by Microsoft, and based on the factually-incorrect premise that "the
BPOS-Federal offering is the only standardized hosted e-mail service offering that meets Federal
government security requirements including FISMA certification." AR Tab 47, p. 1586.
II.
THE COURT HAS JURISDICTION AND PLAINTIFFS HAVE STANDING
In Google I, the Court determined that it has jurisdiction to adjudicate this protest action,
and nothing relevant to this conclusion has changed. Google, 95 Fed.Cl. at 672-73. The U.S.
Court of Federal Claims has jurisdiction "to render judgment on an action by an interested party
objecting to ... any alleged violation of statute or regulation in connection with a procurement or
a proposed procurement." 28 U.S.C.
§
1491(b)(1) (the "Tucker Act"). The U.S. Court of
Appeals for the Federal Circuit has defined the phrase "procurement or proposed procurement"
as including "all stages of the process of acquiring property or services, beginning with the
process for determining a need for property or services and ending with contract completion and
closeout." Distributed Solutions, Inc.
v.
United States, 539 F.3d 1340, 1345-46 (Fed. Cir.
2008).6 Here, as the Court held in Google I, Plaintiffs have alleged violations of statutes and
regulations in connection with a proposed procurement, namely, the DOT's unwavering decision
made initially in 2009 to restrict competition exclusively to a Microsoft cloud solution
6
-
Softehoice's argument that the statutory definition of "procurement" is only applicable for
determining jurisdiction under the Tucker Act, but not for purposes of determining whether the
same agency action (constituting a "procurement" for jurisdictional purposes) violates CICA' s
requirements is nonsensical. Softchoice Reply, pp. 7-10. There exists no legal or logical reason
for the Court to assume jurisdiction because DOl's standardization decisions constitute a
procurement as defined at 41 U.S.C. § 403(2) (recodified in CICA at 41 U.S.C. § 111), but then
to decline examination of that same action's compliance with the competition requirements of
CICA and the FAR because of the applicability of some different definition of procurement.
Indeed, the court in Savantage Financial Services, Inc. v. United States, 81 Fed.Cl. 300 (2008),
assumed jurisdiction of Savantage's bid protest on the basis that the challenged brand name
justification constituted a procurement and, even though the justification did not result in a
contract award or obligate funds to purchase goods or services (which was to be accomplished
through a procurement restricted to contractors with EAGLE IDIQ contracts), the court held that
the brand name justification violated CICA and FAR Subpart 6.3 requirements. Id. at 306-08.
8
subsequently identified as the BPOS-Federal system -- and the Microsoft Desktop and Service
Software for messaging and collaboration solutions.
Furthermore, in order to have standing under 28 U.S.C.
§
149 1(b), a plaintiff must also
establish that it is an "interested party." This requires a plaintiff to show that "(1) it was an
actual or prospective bidder or offeror, and (2) it had a direct economic interest in the
procurement or proposed procurement." Distrib. Solutions, 539 F.3d at 1344; see Rex Serv.
Corp.
v.
United States, 448 F.3d 1305, 1307 (Fed.Cir. 2006) (explaining that the definition of
"interested party" under the Tucker Act is the same as its definition under CICA). "Where a
claim is made that an agency violated the CICA by failing to comply with the procedures set
forth, 'it is sufficient for standing purposes if the plaintiff shows that it likely would have
competed for the contract had the government publicly invited bids or requested proposals."
Google, 95 Fed.Cl. at 673 (quoting CCL, Inc.
v.
United States, 39 Fed.Cl. 780, 790 (1997)).
As previously noted by the Court, Google was engaged in an active campaign to have its
products considered for this procurement, and would have received substantial revenue from any
such procurement. Google, 95 Fed.Cl. at 673. Similarly, Onix, as a licensed vendor of Google's
products, woUld have also had a direct economic interest at stake. Id. The DOT's improper
selection of Microsoft products, however, deprived each Plaintiff of the opportunity to compete,
and this is sufficient economic harm to demonstrate prejudice for purposes of standing. Id. at
674 (citing Weeks Marine, Inc.
v.
United States, 575 F.3d 1352, 1363 (Fed.Cir. 2009) ("[W]e
conclude that in a pre-award protest such as the one before us, [a] prospective bidder or offeror
must establish 'a non-trivial competitive injury which can be addressed by judicial relief to meet
the standing requirement of § 1491 (b)( 1).")).
9
III.
DEFENDANT'S ACTIONS VIOLATED STATUTORY AND REGULATORY
REQUIREMENTS
Standard Of Review On A Motion For Judgment Upon The Administrative
A.
Record
The Tucker Act, as amended by the Administrative Dispute Resolution Act, Pub. L. No.
104-320,
§ 12, 110
Stat. 3870, 3874 (Oct. 19, 1996, authorizes the U.S. Court of Federal Claims
to review agency decisions under the standards of the Administrative Procedure Act,
§
5
U.S.C.
706 (the "APA"). In a bid protest action, the relevant APA standard is whether the agency
decision was "arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with
law." Banknote Corp. ofAm., Inc.
(quoting
5
U.S.C.
§
v.
United States, 365 F.3d 1345, 1350 (Fed.Cir. 2004)
706(2)(A)). As the Court previously explained:
[T]he court's primary responsibility is to determine whether the
agency violated a federal statute or regulation in the procurement
process and whether any such violation is prejudicial. If no
prejudicial violation of law or regulation is found, the court next is
required to determine whether the agency decision evidences a
rational basis. Last, the court is required to ascertain whether the
agency otherwise acted in an arbitrary and capricious manner with
respect to the procurement at issue.
Google, 95 Fed.Cl. at 675 (internal citations and quotations omitted) (emphasis in original).
When applying these standards, the Court may not substitute its judgment for that of the
agency, but is required to "perform an informed review of even technical decisions in order to
meaningfully exercise its jurisdiction." Redland Genstar, Inc.
231 (1997) (citing Prineville Sawmill Co., Inc.
v.
v.
United States, 39 Fed.Cl. 220,
United States, 859 F.2d 905, 910-11 (Fed.Cir.
1988). In doing so, the Court "must ensure that the agency has examined a satisfactory
explanation for its action including a rational connection between the facts found and the choice
made." Redland Genstar, 39 Fed.Cl. at 231 (citations and quotation marks omitted). And even
where the agency may be entitled to some "presumption of regularity," that presumption does
-
10-
not shield the agency's actions from a "thorough, probing, in-depth review." Id. Agency
decisions will be set aside where the agency "entirely failed to consider an important aspect of
the problem, offered an explanation for its decision that runs counter to the evidence before the
agency, or is so implausible that it could not be ascribed to a difference in view or the product of
agency expertise." Ala. Aircraft Indus. Inc. -Birmingham
v.
United States, 586 F.3 d 1372, 1375
(Fed.Cir. 2009).
B.
Defendant's Pre-Selection Of The Microsoft BPOS-Federal Solution Violated
CICA And FAR Subpart 6.3, And Was Not Rationally Based
The relevant facts recited in Google I prompted the Court to hold that "Google has made
aprimafacie showing that Interior violated the Competition in Contracting Act and relevant
FAR provisions and that such violation was prejudicial to Google' s interests." Google, 95
Fed.Cl. at 679. The Court remanded the case to the DOT to correct its illegal and prejudicial
actions. Id. at 680. Despite the Court's directive, and as pointed out in Plaintiffs' Response to
Defendant's Motion to Dissolve, the DOI did nothing to remedy the improprieties in its
procurement processes; instead, the Defendant informed the Court that the reasoning in Google I
was flawed and produced an additional 429 pages of materials (now made part of the refiled AR)
that have little or no bearing on the merits of this case. Consequently, Plaintiffs respectfully
submit that the DOT's procurement processes still violate CICA and FAR Subpart 6.3
requirements, thereby warranting the issuance of a permanent injunction.
Plaintiffs acknowledge, however, that the Court's decision in Google I "made no
judgment as to whether Interior's,basis for this procurement was rational or whether the
procurement was conducted in a manner that was arbitrary and capricious." Id. at 680. In that
regard, Plaintiffs contend that the record, as described at length in Plaintiffs' December 3, 2010
Motion for Judgment on the Administrative Record, Reply to Defendant's and Defendant-
-11-
Intervenor's Oppositions to Plaintiffs' Motion for Preliminary Injunction, and Response to
Defendant-Intervenor' s Motion to Dismiss ("Plaintiffs' MJAR"), does in fact establish that
DOT's bases for procuring the BPOS-Federal solution on a sole-source basis were irrational and
that DOT's pre-selection of the Microsoft product, as well as its subsequent procurement-related
actions focused on implementing that decision, were arbitrary and capricious. This Restated
Motion is intended to highlight the reasons that declaratory and permanent injunctive relief in
this case is both warranted and necessary to fulfill CICA's mandate.
Competition has long been the cornerstone of federal procurement policy. CICA imposes
a duty on procuring agencies to solicit proposals "in a maimer designed to achieve full and open
competition for the procurement." 10 U.S.C.
2304(a)(1)(A); 41 U.S.C.
§
§
253(a)(1)(A). Under
CICA, solicitation provisions that restrict competition are authorized only to the extent necessary
to satisfy the needs of the agency. 10 U.S.C. § 2305(a)(1)(B)(ii); 41 U.S.C. § 253(a)(2)(B).
Where an agency's procurement decision is challenged as being unduly restrictive of competition
in violation of CICA, this Court has held that such a challenge "invokes 'highly deferential'
rational basis review." CHE Consulting, Inc.
2008) (citing Advanced Data Concepts, Inc.
v.
v.
United States, 552 F.3d 1351, 1354 (Fed.Cir.
United States, 216 F.3d 1054, 1058 (Fed.Cir.
2000) ("This standard requires a reviewing court to sustain an agency action evincing rational
reasoning and consideration of relevant factors.")). Here, DOT's post hoc reasoning, primarily
described in its June 29, 2010 risk assessment (AR Tab 11), in formulating the restrictive
requirements for its cloud computing environment lacked a rational basis and was purposefully
tailored to support the conclusion that only the pre-selected Microsoft solution will satisfy those
requirements.
Citing several commercial reports addressing the risks and attributes associated with
generic cloud computing models, a
and other materials, the
DOT' s risk assessment compared private versus public clouds and concluded that the security
risks were too great with the public cloud model. As discussed in Plaintiffs' MJAR, pp. 37-38
(addressing types of computing clouds) and pp. 39-42 (addressing DOl's risk assessment), the
DOT did not assess the benefits and risks associated with a public cloud versus a community
cloud, and more specifically DOT did not consider the different risks, if any, that may result from
hosting its data in a community cloud consisting of only federal government customers and one
consisting of federal, state and local government customers. The only rationale provided by the
DOl for rejecting a community cloud, such as Google's, that includes state and local
governments was that such non-federal governments "do not have the same security
requirements as Federal agencies, nor would they face the same potential impacts from security
issues that the DOI would face." AR Tab 21, p. 784. There was no explanation or
substantiation, rational or otherwise, for this conclusory statement.
There is no question that the security of the selected cloud computing model should be
critically important to DOI and any other customer of a cloud provider. And there is no question
that DOT gathered many commercial reports and other materials addressing various topics related
to the general concept of cloud computing. DOl also contracted with
to conduct market research and provide acquisition support services "to foster the
successful competition and award of a DOT-wide hosted Microsoft Exchange infrastructure."
AR Tab 36, pp. 1173 and 1176. As described in Plaintiffs' MJAR, pp. 34-35,
research
The DOT relied on the
in preparing its June 29 risk
assessment; however, as pointed out by the Court in Google, 95 Fed.Cl. at 668, fn. 15, a March
17, 2010
report (AR Tab 14EE, p. 662) questioned the usefulness of the
for such an assessment.
- 13 -
was perfunctory at best and it ruled out Google's public cloud, Google Apps, for failure to meet
"the DOT's external private cloud requirement." AR Tab 12, p. 171
8
Even though Google had
previously announced on September 15, 2009 that it was creating the Google Apps for
Government community cloud,
brief report did not consider, or even mention, the
community cloud dedicated to government customers, presumably because
was focused
solely on private cloud models. Moreover, like DOT's May 4, 2010 version of the Project Plan,
report erroneously concluded that Microsoft's BPOS-Federal cloud met all of DOT's
technical and security requirements, including FISMA. AR Tab 12, p. 171.
None of the reports and other materials upon which DOT purportedly relied, however,
substantiates DOT's conclusion that (a) only a private cloud would meet DOl's enhanced security
requirements or subsequently (b) a federal-government-only community cloud, and not a
community cloud dedicated to federal, state and local governments, could satisfy DOI's
minimum security needs. On the contrary, as detailed in Plaintiffs' MJAR at pp. 46-49, the
security of a cloud model is not defined solely by its classification as a private, community,
hybrid or public cloud. In other words, a private cloud is not per se more secure than a
community or public cloud. As the U.S. Government Accountability Office's May 2010 report
entitled "Information Security: Federal Guidance Needed to Address Control Issues with
Implementing Cloud Computing," states: "Private clouds may have a lower threat exposure than
public clouds, but evaluating this risk requires an examination of the specific security controls in
place for the cloud's implementation." AR Tab 14KK, p. 696 (emphasis added). As noted by
report was issued (on the same day as the DOT's risk
Of course, by the time
assessment), DOl' s requirement was no longer limited to a private external cloud, as evidenced
by the risk assessment and the BPOS-Federal standardization decision. The August 30 RFQ,
however, continued to erroneously state that DOT was procuring "an external private cloud
deployment model," while at the same time stating that an infrastructure dedicated to "DOl and
other Federal government customers only" would meet DOT's requirements. AR Tab 24, pp. 800
8
and 803. Again, confusion abounds.
- 14 -
the Court, other materials in the AR caution against investing in a private cloud without a
complete and thorough investigation of the alternatives. Google, 95 Fed.Cl. at 668, fn.16.
Despite Google's several offers to provide its FISMA C&A package to DOl for review, DOT
never examined the specific security controls in place for the Google Apps Premier cloud
system, or the enhanced security controls being added for the Google Apps for Government
version. Instead, DOT concluded that Google's system will not satisfy DOl's security needs
because it is not a private cloud or federal-government-only cloud and its data storage and
computing infrastructure will not physically
- in addition to logically -_ separate DOT's data from
other customer data.
DOT's conclusion was arbitrary and capricious, and irrational, not only for the reasons
noted above, but also because DOl gave little or no credence to GSA's July 22, 2010 FISMA
security authorization for the "Google Apps Premier Edition (Google Apps Cloud) information
system and its constituent components." AR Tab 92, pp. 204 1-59. As alluded to earlier,
Defendant has made this FISMA certification a bone of contention in this case, and the Court
determined in its April 15, 2011 Order, at p. 4, that "whether or not Google Apps Premier and/or
Google Apps for Government are FISMA certified is central to resolve the issues presented in
this case." At the Court's direction, GSA's David McClure submitted a declaration to the Court
on April 22, 2011 addressing this issue. As explained by Mr. McClure, GSA is serving as the
lead agency for the Federal Cloud Computing Initiative, and GSA's Office of the Chief
Information Officer ("OCIO") provides determinations of FISMA compliance for particular
technology products or services that may be relied upon by (but are not binding on) other federal
agencies. AR Tab 103, pp. 2309-10. There is no question that the Google Apps Premier cloud is
FISMA-certified and other agencies wishing to use the Google Apps cloud may rely on GSA's
certification and authorization, and it is important to understand that Google Apps for
Government is not a separate information system from Google Apps Premier Edition. As
verified by Mr. McClure, the GSA's OCIO has been reviewing Google's updated C&A package
to include enhancements and additional security controls to the Google Apps for Government
"subset" of Google Apps Premier. The GSA's public statement has characterized the change
(i.e., additional enhancements and security controls that re-brand the Google Apps Premier
system as the Google Apps for Government system using the same infrastructure) as
"noteworthy enough to be reviewed, but is not significant enough to require a new FISMA
certification." Id. at 2314. While GSA' s "review focuses on the change itself and (if applicable)
how the change interacts with the package as a whole," the original certification remains valid.
Id. It is Google's understanding that the GSA's review has been completed and the updated
certification letter for the Google Apps system, which addresses the enhancements that constitute
Google Apps for Government, has been signed and recommends that the Authorizing Official,
Ms. Casey Coleman, sign the updated security authorization letter.9 Google has not yet been
provided with either letter by GSA officials.
While Plaintiffs contend that GSA's FISMA certification of the Google Apps cloud
system is significant, and clearly relevant to assessing the rationality of DOI's restrictive
requirements as set forth in the risk assessment and BPOS-Federal standardization decision, it is
not entirely clear that such certification(s) are "central" to the resolution of this case. While the
RFQ does state that "at all times" the contractor and Microsoft shall comply with FISMA by
'
See AR Tab 92, pp. 2041-59 evidencing the differences between the GSA certification letter
and the authorization letter. Because of continuous changes and improvements that are made by
any provider to its information technology systems, updating security certifications and
authorizations for such services and systems is not only a common practice, but is also an
expected process under FISMA, the purpose of which is to certify information systems and not
software products.
- 16 -
completing and maintaining a C&A for the BPOS-Federal service10, as noted in the Court's April
5, 2011 Order, other provisions in the RFQ state that the successful contractor, together with
Microsoft and with the support of DOT, will be responsible for the C&A application and process
provided for in FISMA and "shall ensure that Microsoft shall complete the C&A process on or
before providing Service Ready Notice." AR Tab 24,.Sections 10.5.1 through 10.5.4, pp. 81618.
If the Court should interpret the RFQ as requiring that any cloud-based messaging system be
FISMA-certified as a prerequisite to DOT's award of a contract pursuant to the RFQ, then
permanent injunctive relief is clearly warranted since Microsoft's BPOS-Federal --even as of
today -- has not received FISMA authorization from either DOI or GSA."
As the foregoing and Plaintiffs' MJAR establish, the record does not support DOT's
restrictive requirements for a DOT private cloud or a federal-government-only community cloud.
DOT's sole-source selection
of Microsoft's BPOS-Federal cloud solution, as reflected in the risk
assessment and BPOS-Federal standardization decision, therefore was not rationally based.
Moreover, DOl's conduct of this procurement based on its sole-source selection of the Microsoft
product was arbitrary and capricious. First, the standardization decisions violated CICA's
mandate for full and open competition and the FAR Subpart 6.3 provisions for justifying a non'°
Although it is Google's understanding that Microsoft's C&A package for its BPOS-Standard
and/or BPOS-Dedicated cloud system was submitted to GSA in 2010, the GSA has yet to issue a
FISMA authorization letter to Microsoft. The fact that the U.S. Department of Agriculture
recently issued a FISMA authorization to Microsoft, as mentioned by Softchoice's counsel
during the May 4, 2011 conference call among the Court and the parties, does not affect the
issues in this case. As admitted by Softchoice' s counsel, such authorization is non-transferable
and, unlike a GSA FISMA authorization, DOl may not rely on the USDA authorization for
purposes of using BPOS-Federal. May 4, 2011 Hearing Transcript at p. 20.
'
In addition, as pointed out at pp. 49-53 in Plaintiffs' MJAR, DOT's selection of the BPOSFederal private or community cloud and it remains unclear to this day what Microsoft has been
building for DOl - was irrational because components of the BPOS-Federal solution do not
satisfy DOT's requirements as set forth in its risk assessment. See also AR Tab 65, p. 1778
(explaining that the BPO S-Federal C&A package was delayed because there was confusion on
Microsoft's part whether it was building a BPOS-Federal community cloud "for all customers"
or a private cloud for DOl ("whether DOl gets their own implementation")).
-
-
17-
competitive procurement. Savantage Financial Services, 81 Fed.Cl. at 308-09. Second, the
evidence establishes that Google provides a competing community cloud that satisfies all of
DOT's legitimate needs, complies with FISMA requirements, and meets the security concerns of
numerous government and commercial customers. Even if DOT may perceive the BPOS-Federal
system, which according to Defendant has yet to be built (Defendant's Cross-Motion for
Judgment on the Administrative Record, p. 39), to be more secure and therefore technically
superior to Google' s cloud solution, that unsubstantiated determination is not acceptable as a
justification for a sole-source procurement. Id. at 308 (citing Aero Corp.
v.
Dept.
of the Navy,
540 F.Supp. 180, 208-09 (D.D.C. 1982) (holding that "the technical and administrative
superiority of a given firm over all other possible sources has never been accepted as a
justification for sole-source procurement from that firm[;]" rather, "[tjhe place where.
differences (in technical merit) appropriately should be considered is in evaluating proposals in
connection with a negotiated procurement.")).'2 Finally, and most significantly, DOT's selection
of the Microsoft solution was arbitrary and capricious because the record establishes that long
before DOT developed its restrictive requirements it had already chosen the "Microsoft Dedicated
Hosted Exchange service" based on nothing more than conversations with
representatives in early 2009, the fact that DOT had "previously established Microsoft Exchange
as the agency standard," and"
." Plaintiffs' MJAR, pp. 3-4 (citing AR Tabs
14 and 33). All subsequent actions by DOT focused on making that 2009 decision a reality,
12
Indeed, in its June 17, 2010 letter to DOT, Google recommended that DOl conduct a
competitive procurement similar to that then being conducted by GSA in which the solicitation's
Statement of Objectives required the contractor to "provide security controls that are confirmed
to meet the security standards for Moderate Impact systems as described in NIST SP 800-53 with
an accepted Certification and Accreditation (C&A)." AR Tab 5, p. 51. Google's and
Microsoft's cloud solutions were among the offered cloud services in response to GSA's
solicitation, and Google's system was ultimately selected by GSA. Plaintiffs' MJAR, p. 12 n.4.
- 18 -
while DOT officials simultaneously either rebuffed Google's "active campaign to be afforded the
opportunity to have the Google Apps Service considered for the procurement, if and when
Interior issued a RFP," Google, 95 Fed.Cl. at 673, or misled Google officials into believing there
would be a competitive procurement for the selection of a cloud-based messaging solution.
For these reasons and as demonstrated by the record and Plaintiffs' previous filings,
Plaintiffs contend that Defendant's basis for this procurement lacked a rational basis and the
procurement was conducted in a maimer that was arbitrary and capricious.
IV.
THE COURT SHOULD PERMANENTLY ENJOIN THE DO! FROM
PROCEEDING WITH ITS PROCUREMENT OF BPOS-FEDERAL
The Tucker Act authorizes the U.S. Court of Federal Claims to award "any relief that the
court considers proper, including declaratory and injunctive relief." 28 U.S.C. 149 1(b)(2). In
deciding whether a permanent injunction is warranted, the court considers: "(1) whether. . .the
plaintiff has succeeded on the merits of the case; (2) whether the plaintiff will suffer irreparable
harm if the court withholds injunctive relief (3) whether the balance of hardships to the
respective parties favors the grant of injunctive relief; and (4) whether it is in the public interest
to grant injunctive relief." PGBA, LLC v. United States, 389 F.3d 1219, 1228-29 (Fed.Cir. 2004)
(citing Amoco Prod. Co.
v. Viii.
of Gambeli, Alaska, 480 U.S. 531, 546 n.
12 (1987) ("The
standard for a preliminary injunction is essentially the same as for a permanent injunction with
the exception that the plaintiff must show a likelihood of success on the merits rather than actual
success.")). The Defendant's procurement actions have violated statutory and regulatory
requirements, and as described below, the factors for permanent injunctive relief are satisfied in
this case.
Plaintiffs Will Suffer Irreparable Harm If Injunctive Relief Is Not Granted
When assessing irreparable harm, "the relevant inquiry is whether the plaintiff has an
adequate remedy in the absence of an injunction." OTIAm., Inc.
v.
United States, 68 Fed.CI.
646, 659 (2005) (quoting PGBA, LLCv. United States, 60 Fed.C1. 196, 221, affd, 389 F.3d 1219
(2004). In the context of a bid protest action, the U.S. Court of Federal Claims has consistently
held that a protester suffers irreparable harm if it is deprived of the opportunity to compete fairly
for a contract. See, e.g., Information Sciences Corp.
(2008); Cardinal Maint. Serv., Inc.
v.
v.
United States, 80 Fed.Cl. 759, 798
United States, 63 Fed.Cl. 98, 110 (2004) ("It is well-settled
that a party suffers irreparable injury when it loses the opportunity to compete on a level playing
field with other bidders... Irreparable injury includes, but is not limited to, lost profits which
would flow from the contract."). The RFQ here contemplates an award with a five-year term,
worth as much as $59.3 million. AR Tab 24, p. 811. If the Court does
grant injunctive relief,
the Defendant will proceed with the implementation of this RFQ, despite the unlawful
procedures and restrictions upon which it was based, and Plaintiffs will lose the opportunity to
compete on a fair and lawful basis, as well as the revenues and profits that might follow. See
Google, 95 Fed.Cl. at 679.
The Balancing Of Harm Favors Injunctive Relief
The next factor considers the relative harm to the Government and to the intervening
defendant should the Court enter an injunction. PGBA, 60 Fed.Cl. at 22 1-222. Here, the alleged
harms to the DOl and Softchoice amount to nothing more than de minimus inconvenience.
Injunctive relief may indeed delay the DOl's procurement while it retraces its steps and
coordinates a transparent competition in accordance with the law. But these delays are the
consequence of DOT's own actions, and the resulting harm is outweighed by the harm to the
Plaintiffs and the public. See Google, 95 Fed.C1. at 679-680. Similarly, even though Softchoice
- 20 -
and Microsoft may have to rewrite their messaging proposals and compete against Plaintiffs and
others in response to a competitive procurement, this does not compare to the above-referenced
harm to Plaintiffs. See Hunt Building Co., Ltd.
v.
United States, 61 Fed.Cl. 243, 280 (2004) (The
awardee "will still be able to compete, this time on equal footing ... whereas absent injunctive
relief, [the protester] will have been unfairly denied a meaningful opportunity to compete. On
balance, injunctive relief is warranted to remedy the unfair process here.").
Defendant has previously argued that the balance of harms weighs against Plaintiffs
because, notwithstanding the issuance of an injunction against the procurement at issue,
Plaintiffs still will have no chance of competing on any subsequent procurement since DOl's
requirements will not be relaxed. Def. MJAR, p. 47. But Plaintiffs have specifically challenged
the rationality of DOl's alleged minimum need for a cloud hosted on a physically isolated server
dedicated to DOI alone or to federal government customers only, and the procedures and
circumstances underlying the selection of that alleged minimum need. If the Court upholds any
of Plaintiffs' challenges, then DOT's restrictive requirements must be removed, or at least
rationally reconsidered, and the subsequent procurement should be open to competition from
Google, its resellers and other Microsoft competitors.
C.
The Public Interest Favors Issuance Of An Injunction
The public interest lies in preserving the integrity of the competitive process. See Hunt
Building, 61 Fed.Cl. at 280 ("the public interest is served by ensuring that the Government
procurement process is fair"). A permanent injunction will serve that interest by ensuring that
the DOl' s acquisition of a secure cloud-based messaging system is conducted through a fair and
transparent procurement process. On the other hand, allowing the DOl to proceed with its
unlawful RFQ would undermine the integrity of the competitive process and encourage other
agencies to also circumvent the restraints that are imposed by the CICA and the FAR by, as here,
labeling a sole-source selection of a product or service as a "standardization decision." The
Court must not validate such a message. Accordingly, it is in the public interest to grant
permanent injunctive relief in this case. See Mission Critical Solutions
v.
United States, 91
Fed.Cl. 389, 410-412 (2010) ("There exists strong public interest in ensuring that government
procurement contracts are awarded in accordance with law.").
V.
CONCLUSION
All Google has ever sought was an opportunity to compete for the DOl's unified, cloud-
based messaging requirements, as it has been able to do successfully in response to several other
government agency procurements. The record in this case, however, establishes that the DOl
identified Microsoft as its preferred and sole cloud provider in 2009 and crafted an acquisition
strategy to achieve that result. Without any regard to the applicable procurement laws and
regulations, the DOT charged full speed ahead, and collaborated with Microsoft on a pilot project
to begin implementation of its "first in federal" messaging system. When Google again reached
out to the DOT in May 2010 after numerous attempts to remind the DOT of Google's keen
interest in a competitive procurement and the DOT' s obligations under the CTCA and the FAR,
the DOT prepared a risk assessment and standardization decision designed to back up the solesource procurement that DOl initiated a year earlier. Even those post hoc documents fail to
include any meaningful comparison of Google's community cloud to Microsoft's community
cloud, and the logical gaps and inconsistencies in those documents further demonstrate the
irrationality of DOT's conclusion that Microsoft's BPOS-Federal is the sole messaging solution
that can satisfy DOT's alleged minimum needs.
This Court has the authority to afford Plaintiffs and others a fair opportunity to compete
for this significant procurement. Indeed, the competitive mandate of CICA and the facts in this
- 22 -
case strongly favor, and Plaintiffs believe dictate, such a result. Accordingly, Plaintiffs
respectfully request that the Court grant Plaintiffs' motion for declaratory and permanent
injunctive relief.
Respectfully submitted,
_/sI Timothy Sullivan
Timothy Sullivan
6th
1909 K Street, N.W.,
Floor
Washington, DC 20006
(202) 585-6930 (tel.)
(202) 508-1028 (fax)
Attorney of Record for Plaintiffs Google,
Inc. and Onix Networking Corporation
Of Counsel:
Katherine S. Nucci
Scott F. Lane
Kathleen E. Krafi
Thompson Coburn LLP
Dated: May 27, 2011
CERTIFICATE OF SERVICE
I hereby certify that on this 27 day
of May, 2011, a copy of the foregoing "Plaintiffs'
Restated Motion for Judgment on the Refiled and Updated Administrative Record" was filed
electronically.
I
understand that notice of this filing will be sent to all parties by operation of the
Court's electronic filing system. Parties may access this filing through the Court's system.
s/ Timothy Sullivan
]]>
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?
