As expected, the new government cyber requirements have become weapons for protests. It’s important for government contractors to see how GAO will handle these issues.
In a recent GAO protest, a NOAA RFQ required that an offeror provide documentation showing its awareness of, and capability to meet, the agency’s security requirements. According to the RFQ, the contractor had to meet the Department of Commerce IT Security Program Policy (ITSPP) and Commerce Information Technology Requirements (CITRs). Offerors also had to show they met other IT security requirements, including a requirement that an offeror consider IT security controls throughout the lifecycle of the BPA as outlined in National Institute of Standards and Technology (NIST) Special Publication 800-64, and guarantee strict confidentiality of the information/data provided by the government during performance of the call order.
The protester, Jardon and Howard Technologies, Inc. (JHT), argued that the awardee, Consolidated Safety Services, Inc. (CSS), did not adequately respond to the IT security requirements. For example, CSS’s quotation never mentioned the words “IT Security,” and also failed to specifically mention other IT security requirements, such as the Department of Commerce ITSPP or the CITRs.
The agency, however, was not looking for this level of detail. The agency considered simply whether the vendors referenced security considerations in their quotations; failure to do so would have been a deficiency for any offeror. Because CSS, among other things, provided a quality assurance plan that included NOAA Security Standards, CSS met the RFQ’s requirements. According to GAO, “the RFQ required only that vendors indicate their management capacity to provide the required mission based services described in the SOW.” Because CSS’s quote did that, the agency fairly evaluated CSS’s quote.
This decision shows that potential protesters should carefully consider, before protesting, the precise level of detail that an agency requires in its solicitation. Given GAO’s deference to agency discretion in this area, a protest will be unsuccessful if it argues that the awardee needed to show a level of IT security detail that the RFQ did not require.
The decision also shows that offerors can use robust IT security plans to gain maximum evaluation benefit. GAO acknowledged that offerors whose IT security plans exceeded the minimum SOW requirements could merit “a strength or significant strength.”
Berenzweig Leonard is teaming up with Red Team Consulting for a monthly newsletter featuring upcoming contracts, key protest decisions, events, and more. This post was published in the June Monthly Insights newsletter.