Helping individuals, companies, and organizations understand key legal and practical considerations for promoting compliance and making better business decisions in these types of federal, state, and local government contracting matters MORE

It’s not unusual for defeated protesters to feel as though the explanation for their defeat short changes their arguments. Indeed, this might be the case for every defeated protester (or intervenor, or agency). The Government Accountability Office (GAO) decision in Analytical Solutions by Kline, LLC (ASK), B-417161.3 (July 11, 2019), published on GAO’s website on December 11, 2019, provides a glimpse into what GAO looks for when considering requests for reconsideration.

In its underlying protest, ASK protested the terms of the Social Security Administration (SSA) request for proposals (RFP) for information technology support services. As background, the solicitation’s terms provided that SSA would evaluate proposals under four phases: (1) SSA accessibility requirements and required quality certification, (2) relevant experience requirements, (3) detailed corporate experience, and (4) past performance. Phases 1 and 2 were to be evaluated using a pass/fail method. Under phase 1, offerors were required to include either a capability maturity model/capability maturity model integration (CMM/CMMi) certification or an international organization for standardization (ISO) certification. Further, offerors, under phases 2 through 4, were limited to providing only three references relating to their experience even though a number of requirements were bundled together in the procurement.

In its initial protest, ASK argued that the solicitation unduly restricted competition in requiring CMMi certification and references demonstrating relevant experience, as well as by limiting the number of past performance references. Further, after reviewing the agency report, ASK filed a supplemental protest, arguing that the agency improperly bundled dissimilar requirements, which was also unduly restrictive. For various reasons, ASK’s protest was denied in part and dismissed in part in GAO’s March 12, 2019 decision.

GAO’s Bid Protest Regulations state that a successful request for reconsideration requires that the requesting party, who could be the protester, intervenor, or agency involved in the protest, “show that GAO’s prior decision contains errors of either fact or law, or . . . present information not previously considered that warrants reversal or modification of the decision.” 4 C.F.R. 21.14 (a), (c).

In its request for reconsideration, ASK argued that GAO’s decision included three errors of law and failed to consider information that warranted reconsideration.

First, ASK argued that GAO erroneously dismissed its protest as it related to the unduly restrictive certification requirement, maintaining that it had also included a challenge to the alternative ISO certification. According to ASK, it protested the purpose of the certification requirement generally, and merely used the CMMi certification as an example. GAO was unconvinced and did not find support for ASK’s contention that its protest encompassed the ISO certification as well as the CMMi certification finding that: ASK had a section under its “Basis of Protest” entitled “CMMI / CERTIFICATION,” did not discuss any specific concerns with the ISO certification, and only mentioned ISO certifications in its restatement of potential offerors’ questions.

Second, ASK argued that GAO erroneously dismissed its supplemental protest pertaining to improper bundling as untimely, claiming that it had raised the bundling issue in its initial protest and not merely in the supplemental protest filed after the agency submitted its report. Here too, ASK indicated that it had included references to “bundling” in its initial protest. However, GAO noted that ASK’s initial protest referenced bundling only as it related to allowing three references for the wide range of work under the solicitation. GAO found that the bundling requirement identified in ASK’s supplemental protest was fundamentally different – that later bundling assertion related to improper consolidation of requirements that were previously separately solicited, not the three reference limitation.

Third, and finally, ASK argued that GAO erroneously failed to address ASK’s challenge to the “vague and poorly defined pass/fail methodology for phase 1 and phase 2.” Here, GAO relied on its well-established maxim: just because something is not discussed in the GAO decision does not mean that GAO did not consider it in making its decision. GAO maintained that it considered all of the issues raised by ASK and that not addressing each in turn in its initial decision was not indicative of lack of due consideration, but rather furthered the interests of “inexpensive and expeditious resolution of protests.”

A request for reconsideration may be a last resort for protesters taking exception to an agency’s procurement action. The ASK decision makes clear that a protest of the terms of a solicitation must clearly state the bases for objection/concern. It also makes clear that initial protest grounds must be set forth clearly and unambiguously. Vague statements or mere references to a term without tying it to the assertion of a specific protest ground will not establish a cognizable protest ground. Further, in seeking reconsideration, specificity is critical. The requester must cite to specific facts in the original protest to support an assertion that GAO missed or failed to address something.

Last month we reported on the Department of Defense’s (DoD’s) issuance of Version 0.6 of its draft Cybersecurity Maturity Model Certification (CMMC) standard. That draft included DoD updates and revisions to CMMC’s domains, capabilities and practices for Levels 1 through 3. It deferred revisions to those parts of CMMC covering Levels 4 and 5. On December 6, 2019, DoD issued Version 0.7 of the draft CMMC standard, covering all domains, capabilities and practices for Levels 1 through 5. With this version of the draft CMMC, we are approaching what is expected to be the issuance of the final CMMC Version 1.0 in January 2020.

The revised CMMC Version 0.7 modifies some of the processes and practices in Levels 1 through 3, and includes a reduced number of requirements under Levels 4 and 5. Level 1 still addresses basic cyber hygiene, and it addresses Federal Contract Information (FCI) handling, applying the designation of the data to be protected and the rules in Federal Acquisition Regulation (FAR) 52.204-21 that are to apply. This rule applies to all contractors at all levels, and draft Version 0.7 identifies it as a “foundation for the higher levels of the model and [something that] must be completed by all certified organizations.” It is a performance requirement. Other levels starting with Level 2 address process maturity. While Level 2 still addresses data that is FCI, it, like Level 1, will be a foundation for achieving Level 3. Level 3 addresses compliance with NIST SP 800-171 and DFARS 252.204-7012 requirements. This level includes “the basic ability to protect and sustain an organization’s assets and CUI [Controlled Unclassified Information]”. Levels 4 and 5 will apply to more sensitive data and require the contractor to be able to demonstrate compliance with requirements for a substantial and proactive cybersecurity program.

Notably, Levels 4 and 5 presently do not require compliance with all 33 additional controls that were proposed in the draft NIST SP 800-171B. 15 of these controls are identified as excluded.

DoD continues to indicate that it expects to issue CMMC in final version in January 2020, and that it is working on establishment of the third party certifier organization and certifiers to certify contractors compliance with the CMMC levels. DoD FAQs now state that, once released, the CMMC Version 1.0 will be used for training the certifiers and that CMMC requirements will be included in Requests for Information starting in June 2020. Our understanding is that CMMC requirements are still expected to begin roll out in Requests for Proposals in the Fall. Recent clarification to the release indicates that “Contractors will be required to meet the certification level at time of award. The Prime contractors must flow down the appropriate CMMC requirement to sub-contractors. Unless a higher level is specified, all contractors and sub-contractors must meet at a minimum CMMC Level 1.”

For contractors and subcontractors at all tiers – the above puts you on notice that you need to be working on your compliance now. Given the foibles of procurements, as well as the timing and limited number of certifiers that will likely be in place in the first year, you should be working your way through the steps to being compliant so that there will be time to go through the third party certification process before award. Even though CMMC has not been finalized, there can be little doubt that the requirements of FAR 52.204-21 are a minimum for any procurement – they continue to be referenced in all versions of the CMMC, and DFARS 252.204-7012 will be a required set of standards even if the standards change at the higher levels – they too continue to be referenced in the CMMC. Having a system that addresses the requirements will take time to put in place.

On December 12, 2019, the Department of Justice (DOJ) announced that a former civilian employee of the U.S. Army is being prosecuted by the DOJ’s Criminal Division’s Fraud Section. The former employee, Ephraim Garcia, worked in the Army’s Directorate of Public Works, where his job duties related to the solicitation, award and management of government contracts for certain projects at Camp Arifjan, an Army base in Kuwait.

The charges against Mr. Garcia stem from his alleged part in steering Army work to a certain subcontractor in a way that lined his pockets. Allegedly, around September of 2015, Mr. Garcia offered to pay an employee of a prime contractor to award contracts to a particular subcontractor, Gulf Link Venture Company (Gulf Link). That subcontractor would in turn artificially inflate the price of its bids such that Mr. Garcia, the subcontractor, and the prime contractor’s employee could split the proceeds.

Mr. Garcia is being charged with one count of offering a bribe, one count of receiving illegal gratuities and one count of offering kickbacks related to his actions and the over $170,000 in wire transfers to him or members of his immediate family from Gulf Link’s owner and other individuals associated with Gulf Link, as well as from another subcontractor that was bidding on work under the prime contract.

On December 10, 2019, Mr. Garcia was arrested in the Philippines, where he had been living for the past few years. Three charges are being brought against the former Army employee: offering a bribe, receiving illegal gratuities, and offering kickbacks.


We are excited to welcome Partner Habib Ilahi to our Washington, DC office—and Stinson’s Government Contracts and Investigations Group. A former Healthcare Prosecutor in the Department of Justice, Civil Division, Fraud Section, Habib assists clients on government contracting matters and special investigations, as well as healthcare litigation.

It’s not always clear where the applicability of one law or rule should stop and the applicability of another should begin. Recently, the Government Accountability Office (GAO) decision in Becton, Dickinson and Company, B-417854 (November 15, 2019) helped clarify the interplay between the Buy American Act (BAA) and the Trade Agreements Act (TAA) when it comes to small business set-aside procurements.

Becton, Dickinson and Company (BD) protested the request for quotations (RFQ) issued by the Department of Veteran Affairs (VA) to establish blanket purchase agreements (BPAs) to provide patient exam room instruments and supplies for VA health centers nationwide under the VA’s Medical Surgical/Prime Vendor 2.0 Program. The solicitation anticipated a total set-aside award establishing multiple BPAs with a performance period less than or equal to five years.

Of note, the solicitation stated that the VA would evaluate offers using a tiered evaluation approach. The tiers were (1) service-disabled veteran-owned small business (SDVOSB) concerns; (2) veteran-owned small business (VOSB) concerns; (3) small business concerns, with historically under-utilized business (HUB) zone small business concerns and 8(a) participants having priority; and (4) large business concerns.

A tiered evaluation requires the contracting officer to evaluate quotations from the first tier first, here, SBVOSBs. If no quotations are received from SDVOSBs or if none could result in an award, the contracting officer must amend the solicitation to remove the SDVOSB set-aside and evaluate quotations from the next tier, here, VOSBs. The contracting officer proceeds in this way until an award can be made to the offeror whose quotation represents the best value to the Government. Ultimately, this means that the contracting officer will not consider quotations from lower tiers where an offeror from a higher tier can receive the award. Tiered evaluations make sense for the VA to the extent that, if an SDVOSB or VOSB concern cannot be selected, the VA does not have to resolicit the requirement.

The tiered evaluation method results in some clauses of a solicitation applying to certain offerors, e.g. small business concerns, and other clauses of a solicitation applying to other offerors, e.g. large business concerns. In this VA procurement, the RFQ incorporated FAR clause 52.225-1, Buy American—Supplies, and the related Buy American Certificate, as applicable to small business concerns, and FAR clause 52.225-5, Trade Agreements, and the related Trade Agreements Certificate, as applicable to large business concerns. Both the BAA and TAA are concerned with the source of end products supplied to the Government. However, they apply different tests for determining whether an end product will be considered a manufactured domestic end product. Unless the end product qualifies as a domestic end product that has been manufactured in the United States or a qualifying country under the applicable test, there are restrictions on when and to what extent the manufactured end product may be procured.

For the BAA, a manufactured domestic end product is “[a]n … end product … produced in the United States … if [t]he cost of its components mined, produced, or manufactured in the United States exceeds 50 percent of the cost of all its components …or …[t]he end product is a [commercial off-the-shelf] item.” For the TAA, the test is whether the manufactured end product is “an article that is mined, produced, or manufactured in the United States or that is substantially transformed in the United States or a qualifying country into a new and different article of commerce with a name, character, or use distinct from that of the article or articles from which it was transformed.” To determine whether and to what extent a proffered manufactured product complies with the BAA or TAA and can be acquired, the solicitation contained a Buy American Certificate and the Trade Agreements Certificate for the competitors to certify whether they offered a domestic or qualifying country end product.

Further, the VA obtained a nonmanufacturer rule waiver from the Small Business Administration, where the waiver allows nonmanufacturer small businesses to supply products from businesses of any size regardless of the place the goods were manufactured.

Six days before the deadline for submitting quotations, BD filed a protest with GAO. BD protested the terms of the solicitation alleging that the RFQ improperly advantaged small business by applying different standards to small and large business competitors. BD argued that the TAA should be applied to both large and small businesses and the nonmanufacturer exception should not be applied only to the small business because to have different standards would prevent a level playing field for the competition.

GAO disagreed with the protester’s various arguments holding that the agency could apply different standards to small and large business competitors in accordance with the express terms of the BAA and TAA. GAO recognized that the nonmanufacturer rule waiver properly allows small businesses to source foreign end products, and that the FAR expressly states “that the BAA applies to small business set-asides and that the TAA does not apply to acquisitions set aside for small businesses.” Furthermore, the BAA accounts for foreign-sourced supplies, including those acquired pursuant to the nonmanufacturer rule waiver, by adding a premium to the evaluation of foreign end products if there is an offer that includes an analogous domestic end product that would otherwise be higher-priced. Thus, GAO found that BD’s protest failed to “allege facts that, if uncontradicted, establish the likelihood that the VA violated applicable procurement laws or regulations.”

This decision highlights that there are a number of twists and turns in how the BAA and TAA may be applied. And, while different laws may apply to different classes of competitors and result in different standards, that does not mean that the GAO will find that they violate competition in contracting rules. Rather, where there is reasonable support for an agency’s actions under applicable laws and regulations, GAO, at least, will not disturb the procurement. Whether such distinction is fundamentally fair or promotes an appropriate socio-economic goal may be a question to raise elsewhere.