
Given how much emphasis federal procurement law properly places on fairness, it can be easy to assume that government buyers must do everything necessary to ensure a fair procurement. But that’s not always the case. For example, as the recent Government Accountability Office (GAO) decision in Yulista Tactical Services LLC, B-417317.3; B-417317.5; B-417317.6 (January 15, 2020) reminds us, purchasing agencies need only take reasonable steps to obtain complete past performance information about an offeror. If its reasonable efforts are not successful, the agency can still proceed with the procurement and make a valid award decision based on the information it has.

In Yulista, the U.S. Army awarded a contract to Tyonek Global Services, LLC (Tyonek) for aviation support services at the Redstone Test Center. The request for proposals (RFP) contemplated the award of a cost-plus fixed-fee level-of-effort contract on a best-value tradeoff basis considering five evaluation factors: technical; past performance; experience; transition plan; and cost/price. Only proposals rated acceptable or higher in every non-cost/price factor were eligible for award.

The agency received multiple timely proposals, including those from Tyonek and Yulista. After initial proposal evaluations, discussions with offerors, and evaluations of final proposal revisions, the contracting officer (CO), acting as the source selection authority, concluded that Tyonek’s proposal offered the best value to the government based on its evaluation of submissions under the RFP’s stated evaluation factors and found that the advantages in Tyonek’s proposal identified under the agency’s technical subfactors evaluation warranted the price premium, as compared to lower-priced offerors like Yulista.

After being informed of the award to Tyonek and receiving a debriefing, Yulista protested, arguing, among other things, that the agency’s past performance evaluation improperly failed to consider poor performance by Tyonek’s major subcontractor on an identified prior contract.

With respect to the past performance factor, the RFP required offerors to provide information regarding recent and relevant contracts. Tyonek’s proposal disclosed shortcomings in performance of a prior contract by a company it was proposing to use as its major subcontractor, but Yulista argued that the Army did not consider any information about the subcontractor’s problematic performance as part of its past performance evaluation. The agency explained, however, that its attempts to obtain a past performance questionnaire (PPQ) for the subject contract from the CO were not successful. Thus, the Army argued, it did not have the information from the government customer necessary to determine whether Tyonek’s subcontractor would successfully perform the requirement and for that reason did not consider the contract in its past performance evaluation.

The GAO sided with the agency, finding no basis to question the agency’s conclusion not to evaluate the contract in question. It also reiterated that “[t]here is no legal requirement that all past performance, or even all past performance references listed in an offeror’s proposal, be included in a valid review of past performance.” Instead, according to the GAO, what matters is “whether the evaluation is conducted fairly, reasonably, and in accordance with the stated evaluation criteria, and whether it is based upon relevant information sufficient to reach a reasonable conclusion.” Furthermore, “[a]n agency is only required to make a reasonable effort to contact an offeror’s references, and, where that effort proves unsuccessful, it is unobjectionable for the agency to evaluate an offeror’s past performance based on fewer than the maximum possible number of references the agency could have received.”

Here, the record showed that Tyonek sent a PPQ to the CO for the problematic contract, but the CO did not return the PPQ. The agency also reviewed Contractor Performance Assessment Reporting System (CPARS) reports and did not find any CPARS rating for this contract. Nor did it find any CPARS reports for Tyonek or any negative CPARS reports for Tyonek’s major subcontractor. Given all this, the GAO held that “it was not unreasonable for the agency to conclude that it could not determine whether the major subcontractor would successfully perform the requirement without qualitative performance information.”

Furthermore, the Army rated Tyonek’s past performance “acceptable” based on past performance information provided about Tyonek under another contract—and Yulista did not challenge the agency’s evaluation of that contract. Thus, the GAO held the protester did not demonstrate that the agency’s past performance evaluation was unreasonable.

The primary takeaway here is simple: don’t make your protest dependent on past performance information that the agency may not have obtained despite its reasonable efforts. This decision also provides another important reminder for offerors: if you want to ensure that the evaluating agency learns about your positive past performance, you need to take affirmative steps to help make that happen (e.g., give the CO a heads-up that the PPQ is coming and follow up to confirm it is submitted).

On January 16, 2020, the National Institute of Standards and Technology (NIST) issued its NIST Privacy Framework Version 1.0 (Privacy Framework). The Privacy Framework follows the same type of structure as the NIST Framework for Improving Critical Infrastructure Cybersecurity, which was first issued in February 2014 (NIST Cybersecurity Framework).

Specifically, NIST identifies the Privacy Framework as a flexible tool that entities may use to assess their privacy activities and requirements, and develop an implementation plan. NIST states that the Privacy Framework “is designed to be agnostic to any particular technology, sector, law, or jurisdiction, and to encourage cross-organization collaboration between different parts of an organization’s workforce, including executives, legal, and cybersecurity.”

The Privacy Framework includes three sections: the Core, Profiles, and Implementation Tiers. The Core facilitates consideration of the entity’s various privacy protection activities and outcomes. Profiles identify the entity’s current privacy needs and activities. Implementation Tiers address the decision-making processes and resources needed to manage the entity’s privacy requirements and risks.

Like the NIST Cybersecurity Framework, the Privacy Framework calls for a risk-based approach to addressing the protection of privacy information. And, as in cybersecurity, achieving privacy protection is likely to require significant thought and care. The devil is in the details and we will need to see how useful the Privacy Framework is.

The Privacy Framework could be viewed as a detailed tool to implement a Privacy by Design framework. In the rush to comply with the General Data Protection Regulation (GDPR), many companies adopted fairly simple Privacy by Design policies. This was a welcome change, as many companies had the practice of considering privacy only at the later stages of development, causing compliance concerns and wasted resources. However, the Privacy Framework represents a new level of Privacy by Design, enabling companies to actively engage in a process for the identification, profiling, and implementation of privacy requirements. While the new California Consumer Privacy Act (CCPA) does not mandate Privacy by Design, the approach is useful in achieving compliance and adopting FTC recommendations. Even a company not subject to the CCPA can benefit from the Privacy Framework, as the inventory and mapping functions in the Core will provide a head start on compliance with new state privacy laws that will undoubtedly arise in the near future.

Indeed, privacy protection is important whether you are a strictly commercial business or engaged in government-funded activities, such as grants, agreements, or formal government contracts. There are a number of ways in which you may be required to address privacy protection matters when accepting government funding or engaging in government activities or contracts. For example, in the federal space, the government is required to comply with the Privacy Act of 1974, 5 U.S.C. §552a. This Act requires the protection of systems of records and information about individuals. Activities that you engage in, or funding that you receive, may trigger requirements such as these. Federal grant and agreement rules provide for protection of Personally Identifiable Information (PII), which includes “information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.” Public information (non-PII) may become PII subject to affirmative protection obligations where “additional information, in any medium and from any source” is combined with other information and can be used to identify an individual. 2 C.F.R. § 200.79. In the contracting space, FAR Part 24 governs requirements for privacy protections. Specific requirements may be included in a government grant, agreement, or government contract procurement where the agreement holder, recipient, contractor, or its subcontractors may be afforded access to PII, or where they may develop, deliver, or connect to government systems that handle or have access to data that is PII or could become PII. These federal PII requirements may be tricky to navigate. Compliance concerns may be compounded where other federal or state laws and regulations apply, or where the activities extend beyond United States borders to other countries.

We would note that the NIST Cybersecurity Framework was the initial step in governmental efforts to address emerging cybersecurity threats and risks. As we have noted in our blogs on the topic, the DOD is engaged in establishing a Cybersecurity Maturity Model Certification (CMMC) standard and program to provide for neutral third party certification of contractors and their supply chains. So too the Privacy Framework may be an initial shot across the bow to prompt greater efforts to ensure the protection of private information through a flexible and voluntary process. Whether this initial shot will lead to legislation, regulation, and the kind of cybersecurity requirements we are seeing now at DOD, remains to be seen. However, there is no question that there is a need to protect privacy data and that increasing cybersecurity risks point out a need for greater efforts to be taken to protect this and other types of data. Indeed, not only federal actions, but state actions are being undertaken to improve the protection of this data.

NIST advises that the Privacy Framework will evolve over time and that NIST will retain oversight. It seeks comments on the Privacy Framework.

Stay tuned for developments in this space.

The Office of Federal Contract Compliance Programs (“OFCCP”) is seeking to codify its current procedures for analyzing statistical evidence of discrimination and communicating with contractors after finding potential violations of the laws it enforces. The proposed regulations provide greater clarity to the contractor community about OFCCP’s process both during and after audits.

What do the proposed regulations say?

Under the proposed regulations, OFCCP defines two new terms in 41 C.F.R. § 60-1.3: statistical evidence, and nonstatistical evidence. Statistical evidence means “hypothesis testing, controlling for the major, measurable parameters and variables used by employers.” The proposed regulations list several factors as examples of what OFCCP believes are “variables used by employers,” including test scores, geographic variables, years of experience, years of service, performance evaluations, and quality of performance. Nonstatistical evidence is essentially any nonstatistical indicia of discrimination, such as biased statements, cohort analyses, and “testimony about the extent of discretion or subjectivity involved in making employment decisions.”

OFCCP’s proposed regulations require different levels of evidence for OFCCP to pursue discrimination claims, depending on whether nonstatistical evidence of discrimination exists. If a finding of discrimination is based solely on statistical evidence, OFCCP would require that the statistical evidence be significant at a 99 percent confidence level (roughly equivalent to at least three standard deviations). If the audit finds nonstatistical evidence of discrimination in addition to statistical evidence, OFCCP would only require a 95 percent confidence level (approximately two standard deviations) to move forward.

The changes proposed to 41 C.F.R. § 60-1.33 confirm that if OFCCP makes preliminary findings of discrimination in an audit, it will follow a specific process. First, OFCCP will issue a predetermination notice (“PDN”). The contractor would have 15 days to respond to the PDN, with potential extensions of time “for good cause.” Second, and only if discrimination allegations are not resolved at the PDN stage (or the contractor does not respond within the required timeframe), OFCCP will issue a Notice of Violation (“NOV”). After these two steps, if OFCCP believes there is a “material violation of the equal opportunity clause,” OFCCP can pursue a Conciliation Agreement. This process may be expedited with the contractor’s agreement, and may be abbreviated if the violations at issue are technical, rather than indicia of discrimination.

What would these changes mean?

OFCCP has touted its commitment to increased transparency during the Trump Administration, and the regulations do provide greater clarity both on OFCCP’s process following an audit and OFCCP’s own standards for pursuing claims.

OFCCP’s confirmation of the threshold for pursuing cases based on statistical evidence—if actually followed—should be welcomed by the contractor community. The proposed regulations not only set specific standards for the level of statistical evidence required, but they confirm by way of definition that statistical evidence requires “controlling for the major, measurable parameters and variables used by employers.” There will still be disputes about whether a factor is “major” or “measurable,” or actually “used” by an employer, but again, if followed, this codified process would be an improvement on the seemingly random or inexplicable statistical analyses some contractors have faced in audits and litigation against OFCCP. The statistical thresholds of two to three standard deviations for pursuing discrimination cases are not new (and are in fact well defined in case law), but would now be formalized in the regulations.

Contractors should also appreciate the proposed regulations’ commitment to a post-audit process. The current text of 41 C.F.R. § 60-1.33 only concerns Conciliation Agreements, and use of PDNs had historically been discretionary to OFCCP. The changes—at least theoretically—give contractors more of a guarantee of notice and opportunity to dispute OFCCP’s findings, better explain their position, and potentially resolve issues.

Contractors can submit comments on the proposed regulations until January 29, 2020: https://www.federalregister.gov/documents/2019/12/30/2019-27258/nondiscrimination-obligations-of-federal-contractors-and-subcontractors-procedures-to-resolve.

The Department of Commerce (Commerce) recently issued a proposed regulation to better secure the United States’ information and communications technology and services (ICTS) supply chain. The ICTS supply chain supports how government, industry and the public communicate and conduct their business. The ICTS supply chain encompasses the generation, storage and transmission of data for critical infrastructure and national security – including energy, transportation, telecommunications, banking, manufacturing, agriculture, and more.

The proposed rule seeks to address concerns about the design, development, manufacture, supply, and control of ICTS by “foreign adversaries,” which is defined to include “any foreign government or foreign non-government person determined … to have engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of United States persons” as identified in Executive Order 13783.

Under the proposed rule, a process would be established to review “any acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology or services” (“transaction”) that “(1) … is conducted by any person subject to the jurisdiction of the United States or involves property subject to the jurisdiction of the United States; (2) … involves any property in which any foreign country or a national thereof has an interest (including through an interest in a contract for the provision of the technology or service); and (3) … was initiated, pending, or completed after May 15, 2019, regardless of when any contract applicable to the transaction was entered into, dated or signed, or when any license, permit, or authorization applicable to such transaction was granted. Transactions involving certain ongoing activities, including but not limited to managed services, software updates, or repairs, would constitute transactions that ‘will be completed’ on or after May 15, 2019 even if a contract was entered into prior to May 15, 2019.” Proposed Section 7.1.

Where such a transaction is identified, the proposed rule would provide for an “initial threat assessment” by the Office of the Director of National Intelligence and a “vulnerability assessment” by the Department of Homeland Security. This and other information would be developed and used by Commerce to assess the transaction to determine whether it poses an undue risk of, inter alia, sabotage or subversion of ICTS, “catastrophic effects on the security or resiliency of United States critical infrastructure or the digital economy,” or an “unacceptable risk to the national security” or “the safety of United States persons.” Parties to the transaction would be notified of Commerce’s preliminary determination and would be provided an opportunity to respond, including providing proposed mitigation. They also would be required to retain all records relating to the transaction once they have notice of the review.

Under the proposed rule, Commerce could approve the transaction, subject it to a requirement for mitigation, prohibit it, or even seek to have it unwound. Commerce also could employ the proposed rule to establish a “class of transactions” that could be prohibited because they pose such “undue or unacceptable risks.”

Stay tuned for developments in this space.

Putting your best foot, or best personnel, forward seems like “Winning the Contract Award 101.” But a refresher course never hurts. Recently, the Government Accountability Office (GAO) decision in Deloitte Consulting, LLC (Deloitte), B-416882.4 (January 6, 2020), provided a reminder about the content of a quotation where the solicitation requires submission of a crosswalk, resume, and detailed work history for key personnel.

Deloitte protested the award of a contract and subsequent issuance of a task order by the Department of Health and Human Services, Food and Drug Administration (FDA) for information technology services for the agency’s integrated budget, acquisition, and planning system. The FDA issued the underlying request for quotations (RFQ), pursuant to FAR subpart 8.4, to vendors holding Federal Supply Schedule contracts under General Services Administration Information Technology Schedule 70.

The solicitation anticipated the award of a single blanket purchase agreement (BPA) with an estimated value of $112 million for a base performance period of 12 months, as well as four 1-year option periods. The award would be made according to three evaluation factors—technical approach, relevant experience, and price—on a best value basis. The technical approach factor included three sub-factors. Of note was the following sub-factor: “technical approach to Center for Drug Evaluation and Research (CDER) child application development, modernization, and enhancement (DME) [Statement of Work].” This sub-factor required bidders to provide resumes for key personnel, including an enterprise solutions architect. The enterprise solutions architect, in turn, was required to possess certain qualifications, including “[a]t least 10 years [of] experience in Oracle Enterprise [P]erformance [(EPM)] or OBIEE Oracle [Applications Development Framework (ADF)] or Custom [user interface (UI) (Java, Angular [JavaScript (JS)], Visual Studio, .Net) Applications.”

Ultimately, the FDA received bids from Deloitte and Guidehouse LLP, and Deloitte was initially awarded the BPA. However, after two protests, the agency decided to take corrective action in the form of reopening the procurement. Further, the FDA amended the RFQ and updated the instructions related to key personnel, adding the following: “provide a crosswalk from the experience and skills of the proposed key personnel to the skills, qualifications and minimum years of experience . . . listed in the [RFQ’s] position descriptions . . . . Note from which positions . . . the proposed key personnel obtained the aforementioned skills, qualifications, and minimum years of experience.”

The FDA held an exchange with Deloitte in which it informed Deloitte that its enterprise solutions architect did not meet the minimum qualification of 10 years’ experience in Oracle EPM, OBIEE Framework, or custom UI applications. Deloitte subsequently submitted a revised quotation proposing a different enterprise solutions architect.

However, in reviewing Deloitte’s revised quotation, the technical evaluation team still assessed a weakness related to Deloitte’s enterprise solutions architect. In spite of Deloitte’s statement that its candidate had 25 years of experience, the technical evaluation team found that this individual possessed only 8 years of experience with Oracle EPM and OBIEE. According to the technical evaluation team, with which the contracting officer agreed, this weakness increased the risk that Deloitte would be unable to perform, and the contracting officer deemed this a technically unacceptable solution with an overall rating of unsatisfactory.

The contract was awarded to Guidehouse, and, after receiving a brief explanation from the agency, Deloitte filed a protest with the GAO arguing that the FDA was unreasonable in its evaluation and failed to properly account for its proposed enterprise solutions architect’s experience, as described in his resume and crosswalk.

According to Deloitte, the proposed enterprise architect’s resume clearly stated that he had over 20 years of experience using technologies that were later acquired by Oracle and rebranded as the software relevant to the solicitation, which the agency failed to credit to the candidate. The FDA countered by arguing that it had actually credited the candidate for the experience in these technologies but it still concluded that the experience did not amount to the requisite minimum 10 years, such that the proposal was technically unacceptable since this was a material requirement.

GAO agreed with the agency, finding that the agency’s evaluation was reasonable and consistent with the solicitation’s terms. While the enterprise solution architect’s resume did state “20+ years of . . . experience [in relevant technologies],” the evaluation team and contracting officer determined that some of the dates listed in the detailed work history overlapped, as the proposed enterprise solutions architect had worked for multiple employers simultaneously. After eliminating duplicative periods of time, the contracting officer determined that the proposed enterprise solutions architect had only 8.25 years of relevant experience. Deloitte’s argument that the candidate satisfied the requirement as the resume indicated 21 years of experience as well as work on 16 Oracle EPM/OBIEE projects was unavailing, particularly as it was unsupported by the detailed work history.

After all, it remains unclear whether the general statements that Deloitte provided about its proposed enterprise solutions architect’s experience could be substantiated and actually met the solicitation’s requirements. Regardless of the statements in the resume, nothing in the crosswalk or detailed work history substantiated the candidate’s touted experience. This decision serves as a reminder that clarity and consistency in your proposal are vital in order to meet a solicitation’s requirements and win awards.