Where to begin?
Last week, I announced that I would be writing about the GAO's decision in C3.ai. When I sat down to start writing, I figured I would write primarily about the government-facilitated cottage industry that is value-added resellers. I thought I might write broadly about GWACs and strategic sourcing and set-aside pools. I thought I might write about the strangeness of setting evaluation criteria for SaaS that is not primarily based on price.
But, no. Maybe one day I will write about those things. Today, however, we will stay focused on a more narrowly funny thing.
Our story begins in 2010 with the creation of a product called DCIPHER... and then in picks up dramatically at the beginning of the COVID-19 pandemic in 2020 with a product called HHS Protect... and then continues with another product in 2020 called Tiberius... which all appear to be sort of the same thing?
CDC awarded an estimated $19 Million between 2010 and 2021 via contracts to develop, operate, and maintain the DCIPHER solution that today is a configuration of commercial software called the Palantir Foundry. A recent award in 2021 enabled CDC to migrate the DCIPHER solution from a CDC on-premises solution to the Palantir Foundry cloud software as a service platform.
HHS Protect was created in March 2020 by HHS in collaboration with CDC as a data integration, analytics, and situational awareness platform for the whole of Government response to COVID-19—inclusive of information regarding cases, deaths, hospitalizations, diagnostics, and resource planning. HHS has since served as the common operating picture where most COVID-19 data (approximately 1 petabyte of data managed across a few thousand users) is generated from and shared to partners, the White House, and the public. The current HHS Protect Contract (NNG15SD31B / 75D30122F 13684) was transferred from HHS to CDC in 2022.
Tiberius was created in the summer of 2020 and was tasked with managing the production, delivery, and administration of COVID-19 vaccines to the American public. Since then, it has expanded to include information regarding therapeutics and at-home test kits (over 500 terabytes of data managed across a few thousand users).
You see, over the course of 12+ years, HHS had built 3 different systems with 3 different fun and clever names, and each of them sort of related to data things. Under the hood, though, they were all Palantir. Compounding the situation, all 3 of these systems were all contracted through a single "value added reseller" called i3 Federal LLC, and HHS even had a separate contract with Palantir.
So, HHS decided to combine these contracts together and bid the opportunity as a task order under the NASA SEWP GWAC as an SDVOSB set-aside. And because these contracts all used Palantir, the government wrote up a brand-name justification for Palantir. All very standard, federal contracting 101 type stuff.
Enter C3.ai. It, like Palantir, is an enterprise data platform. And it basically argues that anything it can do anything Palantir can do. So, C3.ai protested the SEWP award and argued that CDC should not have required a SDVOSB to use Palantir:
C3.ai asserts that CDC’s brand-name justification in support of its decision to limit the SaaS solution license to Palantir Foundry products is improper. The protester argues that, “under the Federal Acquisition Regulation, ‘brand-name specifications shall not be used unless market research indicates other companies’ similar products, or products lacking the particular feature, do not meet, or cannot be modified to meet, the agency’s needs.’” C3.ai contends that if the CDC had conducted the required market research, the agency would have found that the protester—and not Palantir alone—can provide a full solution for the agency’s requirements.
This sort of argument is tough sledding. After all, Palantir famously made a similar argument in 2016... and lost.
But, here, GAO never reached the question of whether CDC was justified in using Palantir because GAO concluded that C3.ai was not "an interested party" in the award decision.
Now, I'll be honest. That conclusion at first surprised me! After all, the regulations define an interested party as "an actual or prospective bidder or offeror whose direct economic interest would be affected by the award of a contract or the failure to award a contract." C3.ai sure seems like a prospective offerer, with a direct economic interest, by the award (or failure to award).
So, how did GAO reach the conclusion that C3.ai was not an interested party?
Well, apparently there's this rule? "A protester is not an interested party where it does not possess the IDIQ contract under which the protested order will be or has been issued". And because C3.ai is not on SEWP, game over. Finito. Donesies.
The agency exercised reasonable discretion in selecting the NASA SEWP as the contract vehicle. Because the protester does not hold a NASA SEWP contract, C3.ai would not be eligible for award even if its challenge to the brand-name justification was sustained. The protester is thus not an interested party to bring that challenge.
That's it. That's the rule. If an agency uses a contract vehicle that you're not on, you don't get to complain that the agency screwed up in how they used that vehicle. I guess I've sort of always known this, and it has a certain logic to it, but it was still pretty surprising to see this specific application.
The GAO did note that, theoretically, C3.ai had a path to protest, which was to have its value-added reseller—Carahsoft, which does hold a SEWP contract—file on C3.ai's behalf and argue that Carahsoft should have been able to use C3.ai. But Carahsoft didn't, and C3.ai lost.
So we're left with the question of should CDC have done market research that might reveal other products that could do what Palantir could do? Maybe? We'll never really know, though, because the market research that the CDC did do was demonstrate that at least two SDVOSBs could sell the CDC some Palantir on SEWP. End of story.
Them's the breaks!
 I really might one day write about those things. And they're honestly hilarious! Like, here's a fact that I chuckled about all weekend but couldn't figure out a way to spin the fact into a whole post: the small business that received the award in question has received over $755.6 million in federal awards! According to one commercial data source that I checked, the company has six employees. Hahahaha! Value-added resellers are such a funny cottage industry.
 The language comes from a "Determination and Findings for Consolidation" published on SAM.gov on September 2, 2022.
 I'm sorry, I just had to. The abbreviations here are: the National Aeronautics and Space Administration (NASA) Solution for Enterprise-Wide Procurement (SEWP) Government-Wide Acquisition Contract (GWAC). Despite the ridiculous abbreviations, SEWP is very commonly used as a contract vehicle for agencies to buy tech. An SDVOSB is a Service-Disabled Veteran-Owned Small Business.
 The precedent that the GAO relies upon (Latvian Connection) is, ummm, pretty wild. Here's one sentence from that opinion that basically says everything you need to know: "In addition to the instant protest, our records show that, thus far this fiscal year, Latvian Connection has filed 150 protests with our Office." Stunning. The GAO also footnoted that sentence with this jawdropper: "Our records show that Latvian Connection has filed an additional 296 protests in prior fiscal years; almost all of these protests were filed in the last five years. In addition, the firm has filed 9 requests that it be reimbursed its protest costs (all were dismissed as legally insufficient), and 40 requests for reconsideration (4 pending, 3 dismissed as untimely, and 33 dismissed as legally insufficient)." Latvian Connection was a protesting machine! You do not want to be in the same sentence as Latvian Connection.
 I sorta wondered why Carahsoft didn't protest on C3.ai's behalf until I saw this. Ok, sure. This all makes sense.