Helping individuals, companies, and organizations understand key legal and practical considerations for promoting compliance and making better business decisions in these types of federal, state, and local government contracting matters

On October 2, 2019, DoD, GSA and NASA issued a proposed rule amending the FAR to implement Section 811 of the National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2018. The amendment increases the threshold for requesting certified cost or pricing data from $750,000 to $2 million for contracts entered into after June 30, 2018.

Truth in negotiations, 10 U.S.C. 2306a, and Required cost or pricing data and certification, 41 U.S.C. 3502, require that the Government obtain certified cost or pricing data for certain contract actions listed at FAR 15.403-4(a)(1), such as negotiated contracts, certain subcontracts and certain contract modifications. Section 811 amends 10 U.S.C. 2306a and 41 U.S.C. 3502 to increase the certified cost or pricing threshold to $2 million. The threshold remains $750,000 for changes and modifications to a prime contract entered into before July 1, 2018, with one exception. Upon request from a contractor that was required to submit certified cost or pricing data in connection with a prime contract—including for modifications of sealed bid contracts—entered into before July 1, 2018, the contracting officer must modify the contract, without requiring consideration, to reflect the $2 million threshold.

The proposed changes are not applicable to contracts at or below the simplified acquisition threshold or to contracts for the acquisition of commercial items.

Interested parties should submit written comments in response to FAR Case 2018-005 on or before December 2, 2019 to be considered in the formation of the final rule. Submission procedures are detailed in the proposed rule.

Given the broad discretion afforded to agencies when they decide to take corrective action in response to a protest, it sometimes seems like challenges to a corrective action are destined to fail. The Government Accountability Office (GAO) decision in MCR Federal, LLC, B-416654.2; B-416654.3 (December 18, 2018), serves as a reminder that failure is not a foregone conclusion, at least where the procurement is under Federal Acquisition Regulation (FAR) subpart 16.5. In that context, such efforts can succeed if the corrective action’s implementation does not allow the original protester a fair opportunity to compete.

MCR Federal involved a Fair Opportunity Proposal Request (FOPR) issued by the Air Force under FAR subpart 16.5, to offerors holding indefinite-delivery, indefinite-quantity (IDIQ) contracts under the General Services Administration’s One Acquisition Solution for Integrated Services. The FOPR, which sought acquisition, financial, and administrative support services for the Space and Missile Systems Center, provided that award would be made on a best-value tradeoff basis, considering personnel management, technical expertise, and cost/price. The technical expertise factor was significantly more important than the cost/price factor, which was more important than the personnel management factor. Of relevance here, the most important aspect of the technical expertise evaluation factor was the offeror’s approach and understanding of the Performance Work Statement (PWS), which was to be evaluated by analyzing the proposed contractor staffing matrix, including their proposed labor and skill mix, key personnel, experience level, education, certification, technical experience, and expertise.

After “interchanges” (discussions) with the awardee (Tecolote Research, Inc.) and protester (MCR Federal, LLC), the Air Force found that both proposals received acceptable ratings for the personnel management factor because they clearly met the factor’s minimum requirements. On the technical expertise factor, the agency assigned Tecolote’s proposal an outstanding rating, noting that the firm proposed staff with more experience than MCR’s personnel, as well as more expertise in an NSS launch environment. In contrast, the agency assigned MCR’s proposal only an acceptable rating, finding that its staffing was “less representative of high-level, strategic thinking” due to the firm’s personnel having lower average years of experience than Tecolote’s personnel, as well as apparent inexperience in the NSS launch environment. The Air Force described the difference in experience levels between the personnel proposed by Tecolote and MCR as “akin to the difference between a mid-level, field grade military officer experienced with tactical-level operations compared to the value of a military senior officer with broader, seasoned experience who is adept at operating all the way up to the level of strategic thinking.” As a result, the agency concluded that Tecolote’s proposal represented the best value to the agency because Tecolote’s proposal was significantly technically superior and worth the price premium of $26,352,564.

After requesting and receiving a debriefing, MCR filed a protest alleging that (i) the agency’s evaluative preference for personnel with higher levels of experience was improper because it was not reasonably based in the terms of the solicitation; and (ii) the agency held misleading discussions because the interchange notices issued did not fairly alert MCR that the relative lack of experience of the firm’s proposed workforce would be such an important discriminator.

In response to the protest, the Air Force advised that it would take corrective action. The agency announced it would conduct discussions (interchanges) and allow the parties to submit a final proposal revision (FPR), then make a new best value award decision after an evaluation of the FPRs. That protest was dismissed as academic by the GAO.

The agency then issued two new notices to MCR, the first making clear that the agency had concluded that only 5 of MCR’s proposed 58.5 full-time equivalents (FTEs) provided the desired level of experience in a relevant NSS launch environment and asking MCR to “revise or confirm that [its] staffing matrix aligns” with the PWS objectives. The second notice described the agency’s concern that a number of the 58.5 proposed FTEs were contingent hires, which the agency felt “present[ed] a risk in that MCR may not be able to fill personnel requirements by the end of the 30-day window.” Then the Air Force dropped a bomb: It stated that FPRs must be filed in two days, on September 12, 2018.

In addition to filing this protest challenging the response deadline, MCR simultaneously responded to the notices by informing the Air Force that, given the short timeframe to respond, MCR would stand by its previous submission. MCR also pointed out that if it were given more time, it could propose candidates with more experience and increase the portion of proposed staff with demonstrated experience in an NSS Launch environment. In response, the agency announced that it would take “voluntary corrective action” and extend the response deadline to September 18th at 5:00 p.m.

When MCR objected to the proposed corrective action on the grounds that offerors should be given at least 30 days to submit a new FPR, the Air Force argued that, despite the significant issues with MCR’s proposal identified in its interchange, MCR had ample time to prepare its FPR because the FOPR put MCR on notice of the importance of the technical expertise factor (which included staffing) by making that factor significantly more important than price. It also argued that MCR had at least 18 days to respond since it received the agency’s notice of corrective action on August 30th. The GAO disagreed, finding that MCR could not be imputed knowledge of the serious impact of the agency’s staffing preferences until the September 10 interchange notice.

In addition, though GAO generally leaves what constitutes a sufficient amount of time for proposal preparation to the contracting officer’s discretion, the enormity of what the interchange required of MCR rendered the agency’s short time frame unreasonable. GAO noted that, in order to be responsive to the agency’s experience concerns, and to remain competitive in the procurement, MCR could not simply confirm its staffing proposal. Instead, it would have had to (i) successfully recruit and negotiate employment agreements in roughly a week’s time with a substantial number of highly-skilled personnel that have senior-level experience in an NSS launch environment; and (ii) propose non-contingent-hire personnel, which would affect the firm’s pricing, or alternatively require substantial revisions to its transition plan. Based on this, GAO found that “the amount of time provided by the agency to respond does not appear to have been calculated to actually allow MCR to submit a proposal responsive to these concerns.” In other words, the time provided to address the agency’s concerns did not allow MCR the “fair opportunity” to improve its proposal, or to maximize the agency’s ability to obtain the best value, required by FAR § 16.505(b).

The moral of the story? Even when you’re facing timing issues left to the contracting officer’s discretion, you may still be able to challenge unreasonably short timeframes that prevent you from addressing issues pointed out in agency discussions.

In the face of increasing concern over the security of Navy and Marine Corps (Navy) programs, the Navy Marine Corps Acquisition Regulation Supplement (NMCARS) was updated on September 6, 2019 to incorporate significant additional cybersecurity compliance, monitoring and reporting requirements, as well as identify potential penalties for contractor noncompliance with cybersecurity requirements or delivery of nonconforming supplies or services. The updated NMCARS is effective immediately. The new provisions and requirements are an interim step by the Navy pending the Department of Defense’s (DoD’s) issuance of the Cybersecurity Maturity Model Certification program (CMMC). As previously reported, the CMMC is intended to establish a uniform cybersecurity standard and third party certification program for companies that would compete and perform DoD contracts.

The NMCARS establishes cybersecurity compliance as a “material requirement”

Under the revised NMCARS 5204.73 for Safeguarding Covered Defense Information and Cyber Incident Reporting, the Navy expressly states that compliance with DFARS 252.204-7012 is considered a “material requirement.” The NMCARS is intended to supplement the DFARS in procurements, contracts, task and delivery orders where the Navy determines that the cyber risk to a critical program and/or technology warrants its inclusion.

The NMCARS establishes certain minimum cybersecurity, reporting, disclosure, and monitoring requirements for “covered” procurements, contracts and orders

The NMCARS provides that the Navy can incorporate the new Annex 16 into the Statements of Work (SOWs) for covered procurements, contracts and task orders. Annex 16 supplements the cybersecurity controls and requirements mandated by DFARS 252.204-7012. Specifically, Annex 16 requires that contractors “shall fully implement the CUI Security Requirements … and associated Relevant Security Controls… in NIST Special Publication 800-171 (Rev.1)” or establish System Security Plans (SSPs) and Programs and Milestones (POAMs) that vary from NIST 800-171 “only in accordance with DFARS clause 252.227-7012(b)(2).” Annex 16 specifically provides that it will require that the contractor’s implementation plans include a number of the NIST 800-171 cybersecurity controls notwithstanding the fact that the DFARS clause would permit contractors to submit SSPs and POAMs that vary from the requirements. Thus, for example, covered contractors’ cybersecurity must address requirements for multi-factor authentication, restrictions on unnecessary sharing or flow of covered defense information (CDI) based on the “need-to-know,” monitoring and control of remote access sessions, cryptographic or other controls, protection of CUI at rest, and encryption of CUI on mobile devices.

Under Annex 16, the contractor must provide its SSP and POAM to the Navy for review within 30 days of contract award.  If the Navy determines that the contractor’s SSP and/or POAM is inadequate to implement the requirements of the DFARS clause, it will notify the contractor of each deficiency. The contractor will only have 30 days to correct such identified deficiency unless the Navy agrees to a longer period.  The Contracting Officer must be notified immediately of any failure or anticipated failure to comply with the approved POAM. The Navy retains the right to engage in follow on reviews of the SSPs at the contractor’s facilities until the Navy determines that the contractor has corrected all deficiencies. The Navy has the right to conduct additional reviews at least every three years to determine contractor compliance.

In the event of a cyber-incident, the contractor is expressly required to deliver to the Government “all data used in performance of the contract that the Contractor determines is impacted by the incident and begin assessment of the potential warfighter/program impact.”  The new Annex 16 requires engagement with the Naval Criminal Investigative Service (NCIS) on multiple levels – through NCIS outreach efforts, recommendations for hardening covered systems, and NCIS or industry monitoring of systems and other requirements in the event the Government’s review of a contractor’s reported cyber-incident results in a determination that additional measures are required to monitor the contractor’s network.

The NMCARS would impose penalties for failure to comply with the material requirements of the DFARS clause and NMCARS

The Navy wants contractors to provide more than good cyber hygiene.  The new requirements under the NMCARS expressly identify a number of potential penalties that the Navy may impose where it finds that a contractor has failed to comply with its requirements:  The Navy has the right under the NMCARS to reduce or suspend progress payments where it determines that a contractor has not complied with requirements or has delivered nonconforming supplies or services. If the Contracting Officer decides to accept supplies or services that do not comply with material requirements, he or she may modify the contract to provide for an equitable price reduction or other consideration.  The NMCARS establishes that 5% of the contract value could be considered a “reasonable” amount for a reduction, but where there is increased risk in accepting the nonconforming supply or service, then a greater amount may be appropriate.  Correction of the nonconformance also could be required.

Some Thoughts to Consider

The NMCARS is a potentially big stick to use on contractors to enforce compliance with cybersecurity requirements. Where these provisions are identified in a procurement, or where the Agency seeks to include them in existing contracts and orders, contractors should be considering the potential impacts of these requirements on their schedule, costs and performance. Sound contracting principles support factoring these increased costs and requirements into bids, proposals, and modifications that would add them in to existing contracts.  Contractors that are unsure of their compliance with all terms and conditions of the DFARS need to take steps to determine and document their level of compliance and to fully disclose the status of their compliance and plans for compliance to the Government to avoid the risks of alleged noncompliance.

The requirements that the Government be permitted access to and monitoring of contractor’s systems, as well as delivery of “all data” impacted by a cyber-incident, are fraught with peril. Access, ongoing monitoring, and data delivery may extend beyond what the contractor intended to deliver under the contract – it may result in a requirement to provide access and to disclose the contractor’s or its subcontractor’s crown jewels used in performing the contract, or even data and systems that were not originally intended to be used in the performance of the contract.  Contractors need to think about the best way to protect their crown jewels and systems, and those of their subcontractors or similar agreement holders.  Consider establishing appropriate agreements and provisions to prevent the Government or its designated personnel from engaging in unauthorized use or disclosure of the data and access they may obtain under the NMCARS. Contractors also need to consider their underlying agreements with subcontractors and suppliers to assure all parties’ compliance and cooperation with these requirements.

Last, DOD has issued a draft of its CMMC and indicated that a final version will be issued in January.  It is unclear how the CMMC, once implemented, will impact the DFARS 252.204-7012, NIST SP 800-171, and the NMCARS.   It is clear that contractors and their supply chains need to be reading procurement documentation closely to see what it requires in order to determine how best to respond.

Comments Due September 25, 2019

Earlier this year, Assistant Secretary of Defense for Acquisition & Logistics Kevin Fahey announced that the Department of Defense (“DoD”) was working with Carnegie Mellon University and Johns Hopkins Applied Physics Laboratory to develop a new cybersecurity standard and certification framework for defense contractors, the Cybersecurity Maturity Model Certification (“CMMC”). The CMMC is designed for use in validating government contractors’ compliance with cybersecurity controls and requirements under DFARS 252.204-7012 (the “cyber clause”).

As previously reported, the cyber clause called for contractor systems that would use, develop, store or transit in Covered Defense Information (“CDI”) to comply with the 110 security controls set out in National Institute of Standards Special Publication 800-171 (“NIST SP 800-171”). The DoD has now rolled out a request for comment on its initial draft version of CMMC. The request for comment package includes the draft CMMC Rev 0.4 Release, a formal request for comment, and a matrix to be used by commenters for submission of their public comments.

The CMMC vision is to build upon the 110 NIST SP 800-171 security controls and other security controls to develop a “unified standard” for cybersecurity in DoD acquisitions. The CMMC includes 18 different domains, each containing 9 standards based on cybersecurity best practices: Access Control, Identification and Authentication, Recovery, Asset Management, Incident Response, Risk Assessment, Awareness and Training, Maintenance, Security Assessment, Audit and Accountability, Media Protection, Situational Awareness, Configuration Management, Personnel Security, System and Communications Protection, Cybersecurity Governance, Physical Protection and System and Information Integrity.

The CMMC provides for the establishment of five levels of cybersecurity maturity, to be determined based on the system requirements, practices and processes. The five levels range from the lowest level, Level 1, which provides for a “basic” level of cyber hygiene, through to Level 5, which provides for an advanced/progressive level of cyber hygiene. Level 3, which is identified as “good cyber hygiene,” identifies the full panoply of controls in NIST SP 800-171, plus additional controls. It is anticipated that a limited number of contractors would be required to hold a certification at the Level 4 or 5.

As articulated in listening sessions, the DoD intends to have third party auditors conduct the CMMC certification audits of government contractors and inform the DoD of risks. These third party auditors are to be free from bias and not engaged in the performance of activities to assist contractors in the development of their cyber compliance.

DoD has established a schedule for comment and roll out of the final version of CMMC:

  • Comments on CMMC Rev 0.4 by September 25, 2019
  • Issuance of CMMC Rev 1.0 in January 2020
  • Issuance of CMMC requirements in Requests for Information starting in June 2020
  • Issuance of CMMC requirements in Requests for Proposals starting in Fall 2020

Once in place, the DoD intends to use the CMMC to establish required levels of cybersecurity maturity as foundational “go-no go” basis for determining eligibility to compete and be awarded contracts.

The DoD is seeking input on the technical requirements set out in the draft CMMC and asking for answers to certain specific questions:

  • What do you recommend removing or de-prioritizing to simplify the model and why?
  • Which elements provide high value to your organization?
  • Which practices would you move or cross-reference between levels or domains?
  • In preparation for the pending easy-to-use assessment guidance, what recommendations might you have to clarify practices and processes?

The current draft CMMC contains many technical requirements, including some that have not previously been included in the cyber rule. It also does not address how these requirements will be implemented. Because of the key role that CMMC will play in future procurements, government contractors at all tiers should review the draft CMMC and assess whether and to what extent it poses challenges in implementation or use.

In its recent decision in Criterion Systems, Inc. v. U.S., the U.S. Court of Federal Claims (COFC) denied protester’s pre-award protest challenging the Agency’s rejection of its late submission of a revised quote in response to a solicitation amendment and request for revised quotations. In this case, the solicitation provided that “[f]ailure to follow procedures or provide any of the documents or information may be considered a material omission and may adversely affect a Vendor’s evaluation or result in elimination of the Vendor from the competition.” It also provided that “LATE QUOTES WILL NOT BE ACCEPTED.” Emphasis and color font in the original. Criterion timely submitted its initial proposal and was in the competition. The Agency issued subsequent amendments to the solicitation and sought submission of the competitors’ revised quotes through a government portal, FedConnect, “no later than 5:00pm ET on November 21, 2018.” Each amendment and the request for revised quotes stated that “LATE QUOTES WILL NOT BE ACCEPTED.” Emphasis and color font in the original.

Criterion “created” its revised quote on the designated electronic portal at 2:36:54 PM on November 21, 2018, but it did not “submit” it until 5:01:30 PM ET, 90 seconds after the deadline for quote submission. When asked for an explanation by the Agency, Criterion indicated it may have had “latency” issues and that this was its first time submitting documents using the portal.  Criterion did not provide any evidence to justify or further explain its late submission. The Agency rejected Criterion’s quote as untimely. In contrast, when another bidder submitted its revised quote without required pricing pages, the Agency engaged in communications with that bidder.

Criterion brought its protest alleging that the Agency’s actions in rejecting its quote were arbitrary and capricious and the Agency engaged in disparate treatment of the bids submitted by Criterion and the other offeror.

In rejecting Criterion’s protest of the rejection of its revised quote, the Court held that protester failed to establish that there was a “significant error” in the procurement process. Here the terms of the solicitation made clear that timing was critical for acceptance of the initial and revised quotations: “Ninety seconds late may appear to be a minimal infraction, but deadlines are set for a reason, and an agency’s strict adherence to a deadline places all bidders on an equal footing and avoids the sorts of issues Criterion is seeking to raise here. Further, Criterion’s failure to submit a timely bid was entirely within its own control. [See Conscoop-Consorzia Fra Coop. Di Prod. e Lavoro v. United States, 62 Fed. Cl. 219, 237 (2004).] The Agency’s refusal to deviate from the express RFQ terms is not arbitrary, capricious, or contrary to law.”

The Court also rejected Criterion’s claim of disparate treatment holding that such protest grounds can only be made when there are discussions and an award.  Since the Agency had not made an award as of the time of the protest, the Court held that this protest ground was premature. The Court stated that “A claim is not ripe for judicial review when it is contingent upon future events that may or may not occur.”

Criterion makes clear that all those who compete in procurements must comply with the express terms of the solicitation. This is an essential truth in government procurement. A bidder’s or offeror’s failure to comply with such terms can result in its loss of the opportunity to be considered for award.

These days many procurements are conducted with the requirement to submit bids or proposals through portals or by electronic means. Submissions may also require access to government facilities, which can raise problems. As a contractor seeking to compete and win a procurement, it is important that you understand how to deliver your submissions. Become familiar ahead of time with the procedure you will need to use. And, when you file, always check to ensure that your submission has gone through and been accepted. Sometimes it takes a bit more time to get submissions through a portal, so be sure to leave extra time to do so.

If you do encounter a problem – you may still not be out of the procurement if you take appropriate steps. The lesson from Criterion: timing is everything.

If you have questions about this case, or a government contract matter, contact Susan Warshaw Ebner or your Stinson counsel. Problems in a procurement may have solutions; ask your counsel if you have questions.