Last month, I blogged about DoD’s draft guidance on how it will evaluate cybersecurity compliance in the award of contracts. The blog is available here. Based on this draft guidance indicating DoD may use cybersecurity compliance as pass/fail or best value criteria in evaluations, I concluded that bid protests would not be too far behind once DoD finalizes and implements the guidance.
The public comment period on DoD’s draft guidance recently closed, so we may still be a little way away from the final implementation of the guidance and widespread use of cybersecurity compliance evaluation factors in DoD procurements. However, that does not mean that DoD is not using cybersecurity compliance as a competitive discriminator even today or that DoD is the only federal agency doing so. In fact, a recent protest decision from the U.S. Government Accountability Office (“GAO”) shows that cybersecurity compliance is already being used in contract evaluations outside DoD.
In Jardon and Howard Technologies, Inc., B-415330.3; B-415330.4 (May 24, 2018), a disappointed offeror claimed that the awardee should have been rated lower due to its alleged failure to respond adequately to the IT security requirements in the RFQ. Although this was not a DoD procurement, the RFQ contained multiple unique IT security requirements, including agency-specific requirements from the Department of Commerce and consideration of IT security controls as outlined in NIST SP 800-64. The protester alleged that the awardee’s proposal did not adequately address all of these IT security requirements. GAO rejected this challenge because it found that the agency had reasonably evaluated the awardee’s proposal to meet the IT security requirements. The bar for the agency was pretty low, as it simply evaluated whether the offeror had referenced the security considerations in its quotation. If the quotation referenced the applicable security considerations, the agency concluded that the quotation demonstrated a sufficient awareness, capability, and understanding of the agency’s requirements. GAO concluded that the RFQ did not require the level of detail the protester asserted necessary in the quotation to address the IT security requirements.
While the RFQ may not have required significant detail from vendors, the awardee did include information in its quotation to indicate it had taken prudent steps to recognize and comply with the applicable IT security requirements. For example, the quotation indicated the awardee had a “Corporate Security Plan” that defined its security procedures, responsibilities, and systems. The plan also addressed training of employees in the security requirements. To me, this shows that, even though the bar may have been fairly low in this procurement to demonstrate cybersecurity compliance, the fact that the awardee had a good security plan went a long way to make the agency comfortable with its understanding of the applicable security requirements. Indeed, the Jardon and Howard case may have turned out very differently for the awardee if it had not had a good system security plan in place.
So, my main takeaway from this case is the importance of having an adequate system security plan for your business. Having a good plan makes sense for business reasons, to protect your information and avoid liability. It is especially important if you operate in the federal market, where an increasing number of procurements are subject to cybersecurity requirements. We’re regularly helping clients assess the cybersecurity requirements applicable to them and implement an adequate plan. This does not necessarily need to be an extensive undertaking, and it will help you get ahead of the curve on cybersecurity compliance. As seen in the Jardon and Howard case, having a good security plan can make a big difference in winning (or losing) federal contracts.
About the Author: Jon Williams is a partner with PilieroMazza and a member of the Government Contracts Group. He may be reached at [email protected].