Contractor Representations Regarding Cybersecurity Compliance/Capabilities: An Increasingly Fertile Ground for Bid Protests
The importance of accuracy in contractor proposal representations regarding cybersecurity compliance/capabilities, and the increasing number of bid protests based on alleged proposal inaccuracies regarding the same, is demonstrated in Connected Global Solutions, LLC v. United States (Fed. Cl. Apr. 21, 2022).
In Connected Global Solutions, the Department of Defense, U.S. Transportation Command (TRANSCOM) issued a request for proposal (the RFP) seeking moving services to accommodate military members when changing duty stations. The RFP contemplated a contract worth up to $20 billion over a decade if all options were exercised. The RFP included an IT services evaluation factor that required contractors to provide and maintain an accessible, secure, web-based, and mobile-device-compatible IT system able to manage the moving and relocation services.
American Roll-on Roll-off Carrier Group, Inc. (ARC) filed a bid protest with the Government Accountability Office (GAO) alleging, inter alia, that awardee HomeSafe Alliance, LLC’s proposal contained a “material misrepresentation about the impact level to which a key component of its approach to meeting the Secure Access requirement has been authorized.” Am. Roll-On Roll-Off Carrier Grp., Inc. (Comp. Gen. Mar. 3, 2022). More specifically, ARC alleged that while HomeSafe’s proposal represented that it would utilize web-based IT services that were rated FedRAMP level “high,” the actual rating of the proposed services was “medium.” GAO rejected ARC’s argument, finding that information provided by the awardee, and publicly available information from the proposed web-based IT vendor, supported HomeSafe’s representation that it could ensure the web-based services proposed would be FedRAMP “high” compliant.
ARC subsequently filed a complaint with the U.S. Court of Federal Claims (COFC), again alleging that HomeSafe misrepresented its FedRAMP compliance as “high,” and requested leave to conduct limited discovery focused on the basis for the representations in HomeSafe’s proposal regarding FedRAMP status. The COFC noted that when material misrepresentation in the bidding process is alleged, courts do not examine the subjective mindset of the awarding agency, but “‘instead look to whether or not the statement itself constitutes misrepresentation[.]’” Therefore, the court noted it would not consider information that was before the agency, but instead must consider the conduct of and information available to the awardee. As a result, the court ordered HomeSafe to respond to two interrogatories (and a request for admission) surrounding its representations regarding FedRAMP “high” compliance in its proposal. The COFC reasoned that the two interrogatories were “pertinent” and the administrative record might not have all the required information for the court to properly review the misrepresentation allegations.
While accusations of proposal misrepresentations are not new, allegations of misrepresentations regarding a contractor’s cybersecurity compliance and capabilities represent a fertile ground for bid protests. As cybersecurity requirements applicable to federal procurements increase in number and complexity, bid protests challenging an offeror’s representations regarding compliance with the same may well also increase.
Connected Global Solutions also underscores the importance of documenting and maintaining evidence of the bases for material proposal representations regarding contractor cybersecurity compliance/capabilities. Contractors should consider carefully checking the accuracy of proposal information and utilizing internal controls for proposal review and submission. Even with such protocols in place, bid protests surrounding contractor cybersecurity compliance/capabilities can still occur, and can lead to costly consequences.