Agency Said Awardee Fully Mitigated OCI; GAO Says: “Nope!”

Most organizational conflict of interest (OCI) sustains arise where the record shows that an agency failed to analyze the potential for a conflict.  But GAO’s decision in A Square Group, LLC, is a rarer type of OCI sustain: the agency considered the purported OCI and documented its conclusion that the OCI had been mitigated.  However, GAO found that the agency’s conclusions were unreasonable, and the OCI risk remained.

The procurement sought a contractor to perform “operational analytics” (OA) services—including data analysis, reporting, root cause analysis, and surveillance functions—related to Center for Medicare and Medicaid Services (CMS) operations under the Patient Protection and Affordable Care Act.  The eventual awardee, Cogent People, Inc., proposed to perform the contract aided by its subcontractor (the identity of which was redacted in GAO’s decision).  That subcontractor, however, currently holds a contract to support the operation of the Federally Facilitated Exchange (FFE)—a health insurance exchange, the public-facing component of which is known as “Healthcare.gov.”

In evaluating quotes, CMS identified a potential OCI related to the subcontractor’s separate FFE contract.  Specifically, CMS noted that the procurement at issue requires the successful contractor to reconcile and validate FFE enrollment and payment data.  CMS asked Cogent to address the apparent OCI.  In response, Cogent stated that it would firewall the subcontractor’s personnel from reviewing or validating payment data that was generated by the subcontractor’s personnel under the FFE contract, and Cogent would provide strict oversight of the data validation process to ensure it was free from any conflict of interest.  After reviewing this response, CMS documented its conclusion that Cogent had adequately addressed the OCI concern.  In addition to the firewall, the Contracting Officer noted that Cogent’s proposed business analyst lead responsible for the validation of payment data was a Cogent employee. 

In reviewing CMS’ documented analysis of the OCI, GAO found that the agency’s conclusions were unreasonable.  As an initial matter, GAO quoted the OCI memorandum’s explanation of the work required under the OA contract:

The OA contractor performs validation of enrollment and payment data using logic developed independently. This independent validation provides CMS confidence that the enrollment data supporting the monthly payment processing are correct.  It is imperative that these determinations remain independent so that we prevent as best as possible any flaw in these calculations occurring in both sets of calculations.

A Square Group, LLC, B-421792.2, B-421792.3 (emphasis added).

In attempting to resolve the conflict, Cogent’s mitigation plan stated that the subcontractor would be firewalled from reviewing or validating payment data, but failed to provide any mitigation with respect to validating enrollment data or FFE data generally.  In this regard, GAO noted that Cogent had proposed to have two business analyst leads: a lead responsible for validation of payment data (a Cogent employee) and a lead responsible for validation of enrollment data (a subcontractor employee).  While Cogent’s mitigation plan appeared to address the OCI with respect to payment data, it did not address the OCI with respect to enrollment data—enrollment data was not included in the firewall and, in fact, Cogent’s proposed business analyst lead for enrollment data was an employee of the subcontractor at issue. 

CMS attempted to defend its analysis by claiming that the terms “payments data” and “enrollment data” are often used interchangeably; however, GAO found that the solicitation—and even Cogent’s own quote—refuted that position.  The SOW did not treat the terms as equivalent or interchangeable; rather, it specifically distinguished between payment data and enrollment data.  Similarly, Cogent’s quote treated the two terms differently, even going so far as to name different business analyst leads for enrollment data and payment data.  As a result, GAO sustained the OCI protest, finding that the agency had failed to reasonably analyze the impaired objectivity OCI and Cogent’s mitigation plan.

Moreover, GAO found that CMS failed to consider the impact that Cogent’s limited mitigation plan would have on its technical approach.  As GAO noted, “[a]gencies are required to consider the effect that a firm’s OCI mitigation measures have on its technical approach, and whether such OCI mitigation measures either directly contradict a firm’s proposed technical approach, or otherwise call into question the agency’s original evaluation conclusions concerning the merit of a firm’s proposed approach.”  Here, Cogent proposed to mitigate the OCI by firewalling the subcontractor’s personnel from validating payment data.  However, Cogent’s technical approach provided that several of the subcontractor’s personnel were responsible for supporting the payment validation tasks.  GAO identified four subcontractor employees proposed to support payment validation, noting that each of these employees was proposed to provide several hundred labor hours in support of the payment validation tasks in each period of performance.  And, even though Cogent was given three opportunities to submit revised quotations after it had submitted its mitigation plan promising a firewall, none of the revised quotations reflected the firewall or altered the technical approach to address the conflict.  As a result, GAO sustained this aspect of the protest as well, finding that the agency failed to analyze the impact of Cogent’s mitigation plan on its technical approach.

As a result of the sustained protests, GAO recommended that the agency conduct a new OCI evaluation that reassesses the potential for conflicts arising from the subcontractor’s obligations under the FFE contract and its proposed scope of work under the OA task order.