Government Accountability Office Tackles Cybersecurity
In two recent decisions, GAO denied protest grounds challenging the ability of contract awardees to satisfy government requirements related to cybersecurity. This posting analyzes those decisions and their implications for contractors.
Discover Technologies LLC, B-412773 (May 27, 2016)
In Discover Technologies LLC, GAO denied a protest challenging the awardee’s ability to comply with the Federal Information Security Modernization Act (“FISMA”). The solicitation, issued by the Food and Drug Administration (“FDA”) under FAR Subpart 8.4 for GSA Schedule 70 vendors, stated “[t]he Contractor shall be familiar and comply with applicable federal information technology and information management laws, regulations, policies, and standards.” It listed FISMA, among other federal information technology regulations and standards, as a law with which the contractor was required to comply.
The protester alleged, inter alia, that the vendor to be used by the awardee for web hosting did not have services that were compliant with FISMA. In denying this protest ground, GAO focused on the fact that the solicitation specifically stated the “contractor” was required to comply with information security laws (and not the “offeror” or “vendor”). This supported a finding that the awardee could demonstrate compliance after award, and need not be compliant at the time it submitted a bid. GAO further found that the language of the solicitation indicated that vendors would be evaluated based on their approach to maintaining security throughout performance (consistent with federal information technology laws and standards), but did not require vendors to demonstrate compliance in their bids with federal information security laws and standards, including FISMA.
GAO thus determined that compliance with the agency’s cybersecurity requirements, as set forth in the solicitation, was a matter of contract administration not properly before GAO. See 4 C.F.R. 21.5(a) (“The administration of an existing contract is within the discretion of the agency” and is one of several “protest bases that shall be dismissed”).
It remains to be seen whether GAO will issue more decisions finding that compliance with information security laws is a matter of contract administration, particularly for civilian agency procurements, where cybersecurity requirements may not be as well-defined as in DoD procurements. Contractors should read the wording in their solicitations carefully, both in assessing potential protest grounds and in ensuring that they are submitting responsive proposals, to determine whether the solicitation requires compliance with cybersecurity regulations at the time of proposal submission or at a later date (contractors also might consider addressing these issues in Q&A with the agency prior to proposal submittal).
Booz Allen Hamilton, Inc., B-412744 (June 6, 2016)
In Booz Allen Hamilton, Inc., GAO denied a protest challenging the Navy’s evaluation under a task order procurement for cybersecurity support. Among the protester’s challenges was an allegation that the awardee should have received a lower technical score based on its lack of experience in certain areas related to cybersecurity.
GAO first rejected the protester’s argument that the awardee should have been downgraded based on the fact that the awardee did not have a Navy-specific qualified validator certification (a certification that qualifies a company to validate that components and systems meet certain information security requirements). GAO found that such certification was not a requirement of the solicitation and noted that the Navy still is finalizing a new certification process for validators. In accordance with the solicitation, the awardee demonstrated its “experience maintaining qualified validator status in compliance with Department of Defense Cybersecurity/IA Certification and Accreditation Directives and Process,” which was all that was required.
GAO similarly denied the protester’s additional allegations that the awardee should have received a lower score based on increased risk to the government due to the awardee’s alleged “‘inability to protect against cybersecurity risks.’” GAO found that the Navy properly addressed the awardee’s experience in the evaluation by assessing the awardee a weakness for its lack of experience, but not a “significant weakness.” Thus, GAO held that the Navy’s evaluation of the capabilities of the offerors in the area of cybersecurity was rational and it upheld the award.
Again, contractors seeking to challenge awards based on awardees’ experience or compliance with cybersecurity regulations would benefit from a close reading of the requirements contained in the applicable solicitation. A challenge to an agency’s evaluation of proposals, particularly where offerors’ capabilities in the area of cybersecurity are examined by the agency during the evaluation, is unlikely to succeed, given GAO’s practice of deferring to agency discretion in this area. The most viable challenges will be those asserting that an awardee did not agree to meet mandatory solicitation requirements. One example would be an awardee taking exception to a solicitation requirement stating that offerors must demonstrate compliance with existing cybersecurity regulations, NIST publications or industry standards (e.g., NIST SP 800-171 or ISO 27001), or industry best practices (e.g., PCI-DSS), at the time proposals are submitted. However, at present, these regulations and standards are relatively untested, and such challenges still may pose an uphill battle for protesters.