When your proposal submission deadline is looming, you might be tempted to save time by not reading parts of the RFP, like provisions incorporated by reference. That’s always a bad idea, as we can see from a recent protest decision of the Government Accountability Office (GAO).
The United States Secret Service issued an RFP for administration of the agency’s child care subsidy program (CCSP). One of the three best-value evaluation factors was protection of personally identifiable information (PII). The RFP’s statement of work described numerous requirements for safeguarding PII.
One requirement was that the winning contractor had to follow DHS security requirements, including that the contractor “expeditiously notify” the agency of any PII security breaches. Although the text of the RFP did not get more specific, an agency-specific provision that the RFP incorporated by reference gave some helpful details of the agency’s notification requirements: Homeland Security Acquisition Regulation (HSAR) Special Clause-Safeguarding of Sensitive Information required contractors to notify the contracting officer immediately of any security breach and to notify DHS security within one hour of discovering a security breach.
One offeror, First Financial Associates, Inc. (FFA), submitted a proposal that had two problems. First, FFA’s proposal did not describe how quickly FFA would notify DHS; it described only FFA’s internal breach notification process. In addition, that internal process gave FFA’s employees as much as 12 hours after discovery of a PII security breach to notify FFA’s Chief Information Officer.
The agency evaluation found this to be a weakness because 12 hours was too long to notify the agency of a PII security incident and the statement of work required breaches to be reported “expeditiously.”
After FFA lost the solicitation, it protested to GAO. But GAO found the agency’s evaluation of a weakness in PII notification to be reasonable and denied the protest.
The unacceptability of a 12-hour delay in notification would have been more obvious to FFA if the HSAR Special Clause had been set forth in the RFP in full text instead of simply being incorporated by reference. However, it’s reasonable for an agency to assume that offerors read the entire RFP, especially when it involves sensitive information like PII.
First Financial Associates, Inc., B-415713, B-415713.2 (Feb. 16, 2018).
Berenzweig Leonard is teaming up with Red Team Consulting for a monthly newsletter featuring upcoming contracts, key protest decisions, legal updates, events, and more. This post was published in the March 2018 Monthly Insights newsletter.