Highly Anticipated Report on Bid Protests is Finally Here!

RAND Corporation recently issued its much-anticipated report on the prevalence and impact of bid protests. The report, which was issued at the direction of Congress, contains a plethora of important—and interesting—findings, including:

  • Despite a “steady increase” in bid protests filed between fiscal years 2008 and 2016, “[t]he share of contracts protested remains very small—less than 0.3 percent.”
  • A “concern” shared by federal contractors “was the quality of post-award debriefings.” According to the report, “[t]he worst debriefings were characterized as skimpy, adversarial, or evasive and failed to provide reasonable responses to relevant questions.”
  • “[S]mall protest rates per contract imply that bid protests are exceedingly uncommon for DoD procurements.”
  • “Task-order protests have a slightly higher effectiveness rate than other types of protests.”
  • “The stability of the bid protest effectiveness rate over time—despite the increase in protest numbers—suggests that firms are not likely to protest without merit.”
  • “Cases in which legal counsel is required (i.e., a protective order was issued by GAO) have higher effectiveness and sustained rates.”

A complete copy of the report is available here. If you have any questions about any of the topics discussed in the report, please do not hesitate to contact Aron Beezley.

All Small Mentor-Protégé Program Year-End Report: Fast Figures Small and Large Businesses Need to Know

The Small Business Administration (SBA) started accepting applications for the new All Small Mentor-Protégé Program (ASMPP) in October 2016, but SBA has seen a surge in applications in 2017.

Under the ASMPP, any small business—including Historically Underutilized Business Zone (or HUBZone) small businesses, 8(a) small businesses, veteran-owned and service-disabled veteran-owned small businesses (VOSBs/SDVOSBs), woman-owned and economically disadvantaged woman-owned small businesses (WOSBs/EDWOSBs)—may enter into an agreement with a large business under which the large business will provide mentorship and assistance. In return, the large and small businesses are permitted to joint venture to perform federal small business set-aside contracts.

Previously, we provided a mid-year report on fast figures about the ASMPP that both large and small businesses need to know. Here is our year-end update to those figures:

356 SBA reports that, as of Dec. 1, 2017, it has approved 356 different ASMPP agreements.
1,116 As of Dec. 1, 2017, there have been more than 1,116 views of the new SCORE-SBA ASMPP Webinar.
16 SBA reports that, as of Dec. 8, 2017, 16 8(a) Mentor-Protégé Program participants transferred to the new ASMPP.
64 SBA reports that at least 64 of the 356 SBA-approved ASMPP agreements were approved under the protégé’s secondary—rather than primary—North American Industry Classification System (or NAICS) code.
72 SBA reports that, as of Dec. 8, 2017, 72 ASMPP applications were declined by SBA.
112 SBA reports that at least 112 of the ASMPP participants are 8(a) firms.
110 SBA reports that at least 110 of the ASMPP participants are SDVOSBs.
47 SBA reports that at least 47 of the ASMPP participants are HUBZone companies.
54 SBA reports that at least 54 of the ASMPP participants are EDWOSBs.
65 SBA reports that 65 of the ASMPP participants are small businesses without any other set-aside status.
42 SBA reports that ASMPP participants are based or incorporated in 42 different U.S. states/territories/districts.

If you have any questions about the ASMPP or any related issues, please feel free to contact Aron Beezley or Frederic Smith.

Final Countdown to DFARS Cybersecurity Compliance

Most federal defense contractors are aware that December 31, 2017, is the deadline for them to comply with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. However, many defense contractors (understandably) remain perplexed about not only the details of the requirements, but the basics. This article provides answers to some of the most basic, yet commonly asked, questions regarding the new requirements.

In a nutshell, what is required by December 31, 2017?

The Department of Defense amended the Defense Federal Acquisition Regulation Supplement (DFARS) in 2016 to provide for the safeguarding of Controlled Unclassified Information when transiting through or residing on a contractor’s internal network or information system. DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, requires contractors to implement NIST SP 800-171 to safeguard “covered defense information” that is stored on or processed in their internal network or information system. Additionally, DFARS Clause 252.204-7012 requires contractors to report, within 72 hours of discovery, any cyber incidents that may have affected “covered contractor information systems.” DFARS Clause 252.204-7008, Compliance with Safeguarding Covered Defense Information Controls, states that, by submitting an offer, “the Offeror represents that it will implement the security requirements specified by [NIST SP 800-171] . . . not later than December 31, 2017.”

What if my company cannot fully comply by December 31, 2017?

A December 2016 update to NIST SP 800-171 (Revision 1) provides some relief to covered contractors who cannot fully comply with the requirements by December 31, 2017. Revision 1, which provides guidance on the use of System Security Plans (or SSPs) and Plans of Action and Milestones (or POAMs), states in relevant part:

Nonfederal organizations should describe in a system security plan, how the specified security requirements are met or how organizations plan to meet the requirements. The plan describes the system boundary; the operational environment; how the security requirements are implemented; and the relationships with or connections to other systems. Nonfederal organizations should develop plans of action that describe how any unimplemented security requirements will be met and how any planned mitigations will be implemented.

Then, in September 2017, the Director of Defense Pricing/Defense Procurement and Acquisition Policy issued a memorandum addressing implementation of DFARS Clause 252.204-7012. This memorandum provides additional guidance on SSPs and POAMs as follows:

To document implementation of the NIST SP 800-171 security requirements by the December 31, 2017, implementation deadline, companies should have a system security plan in place, in addition to any associated plans of action to describe how and when any unimplemented security requirements will be met, how any planned mitigations will be implemented, and how and when they will correct deficiencies and reduce or eliminate vulnerabilities in the systems. Organizations can document the system security plan and plans of action as separate or combined documents in any chosen format.

The memorandum further states that a “solicitation may require or allow elements of the system security plan which demonstrates/documents implementation of NIST SP 800-171, to be included with the contractor’s technical proposal, and may subsequently be incorporated (usually by reference) as part of the contract[.]” However, the memorandum reiterates that “DFARS Clause 252.204-7012 requires the contractor that is performing a contract awarded prior to October 1, 2017, to notify the DoD [Chief Information Officer] of any requirements of NIST SP 800-171 that are not implemented at the time of contract award.”

Must my subcontractors comply?

Yes. Covered defense contractors must include DFARS Clause 252.204-7012 in subcontracts, or “similar contractual instruments,” for “operationally critical support” or for which performance will involve “covered defense information.” Among other things, covered contractors must also require subcontractors to “[p]rovide the incident report number, automatically assigned by DoD, to the prime Contractor (or next higher-tier subcontractor) as soon as practicable, when reporting a cyber incident to DoD” as required in DFARS Clause 252.204-7012. Moreover, given that most covered prime contractors will be required, either explicitly or implicitly, to certify compliance with the requirements, prime contractors would be wise to require subcontractors to certify their own compliance to the prime contractor.

What are some of the consequences for non-compliance?

Potential consequences for noncompliance with DFARS Clause 252.204-7012 and NIST SP 800-171 include, but certainly are not limited to, losing a contract award; being subjected to a bid protest; being found to have breached an awarded contract; being terminated for default; and/or negative past performance reviews. Potential consequences for falsely certifying compliance may include, but are not limited to, False Claims Act liability; liability under the various false statement statutes; default termination; negative past performance reviews; suspension; and/or debarment.

Wait, I have more questions!

If you have any questions about any of the foregoing requirements or any related issues, please do not hesitate to contact Aron C. Beezley, the head of Bradley’s Government Contracts Cybersecurity team.