Helping individuals, companies, and organizations understand key legal and practical considerations for promoting compliance and making better business decisions in these types of federal, state, and local government contracting matters

When an agency announces its intent to take corrective action in response to a protest, it’s easy for the protester to feel that it has “won”—and to some extent it has. At the very least, its protest has prompted the agency to regroup and remedy one or more perceived problems with the subject procurement. Despite that, the agency’s notice of corrective action does not mean that the protester can sit back and rest on its laurels, or simply hope that the agency’s corrective action will fix the procurement problems identified in its protest. As reiterated in the recent Government Accountability Office (GAO) decision in CPS Professional Services, LLC d/b/a CATHEXIS, B-417928.2 (February 5, 2020), a “successful” protester must carefully—and immediately—analyze the agency’s intended corrective action and challenge any shortcomings it finds. Simply waiting to see what comes from the corrective action is not a viable option.

The underlying protest involved the issuance by the Department of Veterans Affairs (VA) of a task order for program and program management support services. The protester, CATHEXIS, challenged the agency’s award decision to Enterprise Resource Performance, Inc. (ERPi), arguing that, among other things, the VA had failed to evaluate the basis of estimate (BOE) CATHEXIS submitted as part of its proposal in accordance with the agency’s commitment to such an evaluation. CATHEXIS sought to have the Agency “terminate the award to ERPi and (1) award a task order to CATHEXIS as the best value offeror; (2) reevaluate the proposals in accordance with the stated criteria and make a new award determination; or (3) accept proposal revisions, conduct new evaluations correcting the errors described above, perform a new best value analysis, and award a new task order in accordance with the evaluation criteria set forth in the [solicitation].”

In response, the VA sought dismissal of the protest based on its notice of intent to take corrective action. The GAO then dismissed the protest as academic.

On its face, however, the agency’s announced corrective action did not give CATHEXIS everything it sought. More particularly, the VA’s intended corrective action entailed only a re-evaluation of proposals and a new best value determination based on that re-evaluation. It did not provide for the submission or evaluation of revised proposals, the third aspect of the relief CATHEXIS sought in its protest.

Despite this, CATHEXIS decided not to immediately protest the inadequate scope of the announced corrective action. Instead, it waited to do so until after the VA had completed that corrective action (without providing offerors the opportunity to submit revised proposals)—and only then argued that the corrective action did not address the prior errors in the procurement because it did not allow for the submission of revised proposals. The GAO explained that “CATHEXIS nevertheless hoped the corrective action would allow for revised proposals, in order to implement further revisions beyond those contained in its basis of estimate.”

As the GAO pointed out, however, just as protests based on alleged solicitation improprieties that are apparent prior to the deadline for submitting proposals must be filed before that deadline, protests challenging the agency’s announced ground rules for performing corrective action and recompetition also must be filed prior to the deadline for submitting revised proposals. More importantly, the GAO went on to note that, “[w]here, as here, no further submissions are anticipated, such challenges must be raised within 10 days of when the scope of the agency’s corrective action was known or should have been known.” In this regard, the GAO rejected outright CATHEXIS’ assertion that it “had no reason to believe the VA’s proposed corrective action would fail to address the primary aspect of its [protest] until after the VA issued an award to ERPi without requesting proposal revisions.” According to the GAO, CATHEXIS knew that the VA did not intend to request revised proposals as soon as it received the notice of corrective action, so it should have protested that scope within 10 days. Because CATHEXIS failed to do so, its protest was dismissed as untimely.

There certainly can be—and often are—corrective action circumstances that give rise to much more complicated questions about what the protester knows or should know about the agency’s intent and how the corrective action will actually play out. But this decision underscores the importance of taking time, as soon as the notice of corrective action is received, to review what the agency says about its intended corrective action and to analyze whether and to what extent that plan addresses the protest grounds to which it purportedly responds. If you feel that the stated corrective action is inadequate, protest within 10 days. Whatever you do, don’t sit back and hope everything will work out fine, then try to protest if it doesn’t.

At the end of December, China acknowledged the existence of the coronavirus. We don’t know how long it has been around or how many people have actually contracted the virus. We do know the virus has spread at an alarming rate and that people with the virus can now be found in 25 countries around the globe.

This burgeoning health crisis is becoming a supply chain problem. China, a major manufacturing hub for materials, products and components being used around the globe, has been significantly impacted.

Facing the alarmingly fast spread of the virus, China took a number of steps – delaying the return to work of millions following the lunar new year celebration, blockading entire cities where the virus is found to be most prevalent, and transporting those with the virus to isolation camps.

In addition, travel, transportation and shipping services to and from China have been cancelled or restricted. Certain airlines have stopped flying to locations in China. Countries are instituting screening and isolation protocols to prevent those persons with symptoms from entering their countries and further spreading the virus.

The Wall Street Journal reports that as of Monday there are “40,787 confirmed cases . . . according to Johns Hopkins Center for Systems Science and Engineering data . . . an increase of 102% from the 20,198 confirmed cases a week earlier.” Though that rate is lower than the 352% growth rate reported last week, these illnesses, city closures, travel bans, and transportation restrictions have impacted the global supply chain. Workers have been unable to get to their factories to produce materials, products and components. Supplies have been delayed or prevented from transport to their destinations. This has impacted sales, the manufacturing of additional products, and the delivery of services elsewhere. Given the expanding reach of the virus, further impacts to the global supply chain are likely.

What Can A Government Contractor Do Now?

Because of the global nature of the supply chain, these problems are likely to impact the public sector supply chain.

Government contractors must comply with the schedule and performance requirements in their contracts. They may be required to deliver in accordance with an established bill of materials or to use only qualified products. Even where they are delivering commercial or other items or services, they may experience problems or delays in obtaining needed materials, products or components. Contractors should start working now to identify the potential risks and impacts of this global problem.

Consider reviewing your contract terms to determine your rights and requirements under your contracts:

  • Are you required to notify your higher tier prime or subcontractor of any risks or delays?
  • Can you substitute products or components if items are delayed or unavailable?
  • Do you have any rated orders under the Defense Production Act (DPA)? If so, you have an obligation to deliver what is required under the set schedule. You also may have a duty to notify the Government or your higher tier contractor if there are performance and schedule risks.

Consider whether your contract provides terms that may allow you to obtain contractual relief:

  • Does the force majeure clause apply to your situation?
  • Are these problems or delays excusable?
  • Are the increased costs of performance recoverable?
  • Is your schedule impacted and can you obtain relief?

These issues may also be applicable to your own supply chain members and further impact your performance.

Consider developing a plan to identify and address these concerns. Being proactive and strategic now may help you to avoid problems down the road.

If you would like to know more about how you might address these and other supply chain risks, contact Susan Warshaw Ebner or your Stinson counsel.

Discussions with an agency prior to submitting a final proposal can lead to a more well-informed submission by an offeror; however, such is not always the case. The Government Accountability Office (GAO) decision in Quality Control International, LLC (QCI), B-417984 (December 20, 2019) provides guidance as to how offerors should rely on information supplied by the agency in crafting their best, most competitive bid.

QCI protested the General Services Administration (GSA), Public Buildings Service’s award of a contract for maintenance services—including mechanical maintenance, custodial services, grounds maintenance, and pest control services—at multiple GSA facilities in Montana. The underlying request for proposals (RFP), a small business set-aside, was governed by the procedures of FAR parts 12 and 15. The RFP anticipated the award of a fixed price contract, with an indefinite delivery component, and a base period of one year, as well as four option years.

The solicitation stated that proposals would be evaluated based on four non-price factors—staffing plan, management plan, experience, and past performance—and price, where the non-price factors combined were considered approximately equal to price. Of relevance to QCI’s protest, price was to be evaluated based on multiple metrics: low price, price reasonableness, price realism, and balance. Award would be made to the offeror whose proposal provided the best value to the Government.

GSA received proposals from various offerors prior to the closing date, and from these established a competitive range, which included QCI and Phoenix Management Inc. (Phoenix). After evaluating QCI’s initial proposal, GSA conducted its first round of discussions and informed QCI that QCI’s proposal was both unreasonably high in some respects—in particular as pertained to QCI’s markup rates, i.e., general and administrative (G&A), overhead, and profit rates—and unrealistically low in others, including the overall proposed price. GSA directed QCI to revise its proposal to address these price reasonableness and price realism concerns.

In response, QCI submitted a revised proposal, increasing its proposed price. However, GSA remained concerned that QCI’s markup rates were too high. The agency informed QCI of this continued concern in a second round of discussions. Following the second round of discussions, the agency informed offerors that they should submit their most competitive offers in their final revised proposals (FRPs). In its FRP, QCI decreased its proposed price such that the price was lower than that in its revised proposal, though still higher than that in its initial proposal.

In the end, the contract was awarded to Phoenix, which offered a lower price and fared slightly better in non-price factors as compared to QCI. Following a written debriefing from GSA, QCI filed this protest with the GAO.

QCI challenged the agency’s conduct during the pre-FRP discussions, asserting that the agency misled QCI, coerced QCI into raising its prices, and caused QCI competitive harm when GSA ultimately awarded the contract to a lower-priced offeror. GSA argued that it in good faith provided QCI with accurate information about its concerns, and, moreover, that the agency never required QCI to raise its price.

GAO sided with the agency. An agency cannot consciously, i.e., in bad faith, mislead or coerce offerors into raising their prices. However, an agency is free to accurately and in good faith indicate its concerns to offerors and provide offerors with an opportunity to revise their proposals or otherwise address the concerns. According to the GAO, the latter is what occurred here: GSA discussed concerns of price reasonableness, i.e., that aspects of QCI’s price were too high, and price realism, i.e., that other aspects of QCI’s price were too low, and required QCI to address these concerns but not to take any particular action. QCI responded to these concerns by choosing to raise (in its revised proposal) and then lower (in its FRP) the proposed price.

The important lesson here is that offerors should take the time to digest information provided by the agency, address this information in a meaningful way, and know that any change they choose to make in response to the information is a business decision that may result in their losing out on the award. Information that is not adequately addressed by offerors may indeed cause offerors competitive harm, but such harm will not be actionable where the information provided by the agency is accurate and provided in good faith.

Earlier this month, the National Security Agency (NSA) discovered a serious security flaw in Microsoft Windows 10 cryptographic functionality, CVE-2020-0601. That security flaw could render trust certificates used to authenticate sources in communications and files vulnerable to spoofing or attack. As the NSA Cybersecurity Advisory notes, “[e]xploitation of the vulnerability allows attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities.” To address this critical vulnerability, the NSA recommends installation of the Microsoft patch on Windows 10 and Windows Server 2016/2019 systems.

Government contractors and their supply chains are being impacted by this discovery. The potential impacts to contractors throughout the supply chain raise the inevitable questions about how cybersecurity requirements are to be handled under Government contracts and subcontracts, whether government-directed changes are to be compensated, and whether contractors are at risk if they don’t promptly address the security issue and/or specific Government direction.

Who pays for the impact of installing the patch? What if the contractor (or a supplier somewhere) delays in installing the patch and something happens? Will there be contractor liability if a cyber incident occurs?

For example, the current DFARS cybersecurity rule, DFARS 252.204-7012, calls for contractors, and their subcontractors and similar agreement holders, to maintain “adequate security” to protect unclassified information systems that are owned, or operated by or for, a contractor and that process, store, or transmit covered defense information (CDI). CDI includes controlled unclassified information that requires safeguarding (CUI). The DFARS also requires, at a minimum, compliance with the National Institute of Standards and Technology (NIST) SP 800-171’s 110 security controls, including the 110th control, which is to have a System Security Plan (SSP) and Program and Milestones (POAM) to implement the other 109 security controls. The NIST provides for flexibility in how the contractor applies these required security controls. For example, NIST SP 800-171 at 3.11 Risk Assessment provides for compliance with basic security requirements:

Basic Security Requirements

3.11.1 Periodically assess the risk to organizational operations …, organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.

Derived Security Requirements

3.11.2 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.

3.11.3 Remediate vulnerabilities in accordance with risk assessments.

However, where the Government agency directs the Government contract holder to take specific actions that are not requirements under the contract in order to address a Government-identified security flaw – such as directing the contractor to install a particular patch to address the identified flaw, requiring that the contractor do so within a specified period of time, directing their subcontractors and supply chain entities to install that patch, and requiring the contractor to report to the Government agency within a specified time on the implementation efforts – these Government-directed activities may increase the Government contract’s scope (including method of performance), schedule, or costs and therefore give rise to a potentially compensable contractual change. See, e.g., FAR Part 43 Contract Modifications.

If you receive direction from the Government to take specific actions in response to a cybersecurity threat, you may have no choice but to comply with that direction. However, as a contractor it would be wise to consider whether such direction will give rise to increased costs and impacts and, if so, to take steps to promptly notify the Government of these impacts and seek to negotiate a compensable change to your contract. At a minimum, putting the Government on notice should help you preserve your right to bring a claim for any increased costs and impacts arising from that Government direction.

In these types of situations, you should take steps to document … document … document! Consider establishing a separate charge number to record and track your increased work, schedule changes, and costs related to this Government-directed change so that you have the evidence needed to support any request for equitable adjustment or claim.

Be aware of your contract requirements and any impacts that such direction may have on your contract schedule, cost, scope or method of performance. These may be impacts that entitle you to compensation.

If you have questions about this article, or other government contracting questions, contact Susan Warshaw Ebner or your Stinson counsel.

Susan Warshaw Ebner covered recent developments in the issuance of a final Federal Cybersecurity Maturity Model Certification (CMMC) standard and the establishment of a related program that will require certification of defense contractors and their supply chains using third party independent auditors.