Junk Mail

One of my very first posts in GovContrActually was an article entitled "Emails to Nowhere". It involved a very sad situation where the government maintained a system called Secure Access File Exchange (SAFE)[1] that automatically and incorrectly populated an email address. As one might expect, a vendor used SAFE, got the wrong email address, sent a proposal, and the government never got it. The vendor protested, and GAO denied the protest.

Here's what I wrote then:

So, one moral of the story here might be to pay close attention to the submission instructions and have a healthy skepticism for government (auto-populated) data.

An uninitiated reader might think that another moral of the story is to for the government to maybe not create a system that involves something called SAFE, give people you ostensibly want to work with to the tune of $37 million the wrong email address, and then be like "new phone, who dis" because you gave them the typo in the first place. Hahahaha. Sorry, uninitiated reader; this is government contracting! Of course that's not the moral of this story.

In hindsight, though, I missed a more obvious point, which is that the existence of SAFE was actually kind of irrelevant. There's a more straightforward way for the government to inadvertently drive proposal managers to despair. And today, y'all, I present that case.

In 2022, the National Geospatial-Intelligence Agency (NGA) issued a solicitation for audit management and support services. After initial proposals were submitted and after exchanges between the NGA and vendors, the NGA allowed for re-submission of final quotation revisions (FQR) via email to the contracting officer.

One of the vendors—Guidehouse—submitted 8 emails to the NGA including 5 volumes. Four of those emails included volumes I, II, V, and VI, and had no issues. One of those emails "included passwords to access quotation volume V."[2] One of those emails, with volume IV, bounced back because "the email could not be delivered because the email attachments exceeded the size limit." And the last two emails included volume IV, a tracked-changes version and a clean version.

This is really no way to live, but this is how government does its work to award hundreds of billions of dollars each year. I digress...

At this point, I should also note that volume IV was very important for Guidehouse. During exchanges, Guidehouse learned that its proposal was on track to a "fail" rating because it did not meet the solicitation's small business participation plan requirements. So, without an update to volume IV, Guidehouse would not win the contract.

Unfortunately for Guidehouse, however, the NGA never received the last two emails. At this point, everyone agrees what happened:

NGA investigated whether the contracting officer and the contract specialist received emails transmitting volume IV of Guidehouse’s FQR on June 20. NGA explains that it employs a two-step cybersecurity check for recipients with an @nga.mil email address. The NGA email security gateway first scans the email and then the advanced malware-defense appliance scans the email for malicious content or code. As a result, NGA’s security controls will either drop, block, quarantine, or deliver email to the NGA server based on the scan results. Only emails that pass both scans will be passed through to NGA’s email server.

Ok, NGA's got junk filters. Go on...

NGA’s investigation revealed that two emails from Guidehouse were received by the NGA email security gateway, assigned a [DELETED] indicator, and passed to the advanced malware-defense appliance. NGA determined, however, that neither email was received into the NGA’s email server and neither email was delivered to the recipients’ email inboxes because of their [DELETED] status. NGA was unable to learn the final disposition of the emails, i.e. whether they were dropped, blocked, or quarantined, because [DELETED].

Oh no! Those emails never got to the contracting officer because the NGA's junk filters automatically deleted it!

Now, unlike many situations I've seen before, there's really no question that — but for the junk filter — Guidehouse's submission would have been timely. But the one volume that didn't get through the junk filter? It was Volume IV! The one document that they really needed to get through!

So, Guidehouse lost. And then they protested. And then they lost again.

Now, when I originally sat down to draft this post, I wanted to say something smart about jurisprudence. After all, one of the great philosophical debates about the law is how strictly and literally judicial bodies should apply the law when it leads to inequitable results.

But I have nothing smart to say about jurisprudence at this moment; the GAO denied the protest and you just have to sit with the sad trombone vibes.

Here's what GAO said:

Contrary to Guidehouse’s position, delivery to NGA’s email security gateway does not constitute delivery to the email address designated in the solicitation, and, therefore, we find that the agency reasonably concluded that Guidehouse was ineligible for award because the FQRs were not received.

End of story.

Is it fair? That's really the wrong question. This is govcon; them's the breaks.

Are there any lessons to be learned from this? Now, that's a better question! And, yes. Yes, I think there is. Here's a nugget from the GAO:

NGA maintains, however, that the contract specialist never received emails from Guidehouse with FQRs for volume IV, SBPP, and therefore, the contract specialist did not send Guidehouse an email confirming the agency’s receipt of volume IV as the contract specialist had done with the other volumes.

The key phrase here is "the contract specialist did not send Guidehouse an email confirming the agency’s receipt." If you are submitting a proposal to the government, ask for receipts and make sure you've got 'em.

I know this may sound obvious. But I really never want to write another post about lost emails again.

So, please, dear reader: get those proposals in on time, and get those receipts. Because, as we now know, you are only ever one junk-filter away from a very sad outcome.

[1] I wrote then that the name SAFE instilled terror. After re-reading the article, I am sorry to say that the trauma of working with government technology systems with abbreviations like SAFE has not worn off. I dunno, maybe I need a content warning on these posts.

[2] SERIOUSLY?! WHAT THE ACTUAL... THEY SENT AN EMAIL WITH PASSWORDS TO OPEN THE OTHER VOLUME? I dunno, y'all. I guess op sec exists on a spectrum?

Subscribe to GovContrActually

Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.