Government contracts cybersecurity developments in 2022 demonstrate the need for enhanced monitoring in 2023
Global Government Contracting: Insight SeriesAs we begin 2023, it is helpful to look back at cybersecurity developments from 2022 and consider their impact on government contractors in the new year.
The second half of the year saw a number of cybersecurity-related developments that affect federal government contractors.
This alert focuses on a statement by a Department of Defense (DoD) official that DoD agencies will begin to include cybersecurity controls as an evaluation criterion in competitive procurements, as well as a number of bid protest decisions involving cybersecurity-related protest grounds. The juxtaposition of these developments demonstrates the ever-increasing need for contractors to remain vigilant in their review of their cybersecurity infrastructure, policies, contract requirements, and certifications.
Consideration of compliance with NIST SP 800-171 as an evaluation factor
During a September 2022 cybersecurity conference, Stacy Bostjanick (DoD’s Chief Defense Industrial Base Cybersecurity, Deputy Chief Information Officer for Cybersecurity) stated that DoD contracting officers were being instructed to consider including compliance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-1711 as an evaluation criterion in upcoming procurements. Ms. Bostjanick suggested that the office of the DoD Chief Information Security Officer had provided contracting officers with sample solicitation language addressing evaluation of NIST SP 800-171 compliance.
Additionally, Ms. Bostjanick indicated that contracting officers will be taking a more aggressive approach to evaluating an officer’s compliance with NIST SP 800-171. She said that non-compliance “could have implications for you moving forward and your position on a competitive procurement.”
Thus, although the DoD’s Cybersecurity Maturity Model Certification is still in the process of being finalized, agencies may begin considering offerors’ compliance with NIST SP 800-171 as an evaluation criterion in competitive procurements in the near future.
Bid protests involving issues relating to cybersecurity
The second half of 2022 saw an increase in the number of cybersecurity-related issues in bid protests before both the U.S. Government Accountability Office (GAO) and the US Court of Federal Claims, including the following decisions.
- GAO concluded that an agency reasonably rated an offeror’s proposal as technically unacceptable when, in response to a solicitation that expressed a need for an increased focus on cybersecurity, the protestor failed to adequately address how it would meet solicitation requirements for cybersecurity testing and evaluation.2
- The GAO found that an agency reasonably evaluated an offeror as being ineligible for award when the offeror’s proposal did not adequately demonstrate that its solution would be hosted within an approved Federal Risk and Authorization Management Program (FedRAMP) moderate environment as required by the solicitation.3
- The Court of Federal Claims similarly denied a protest alleging that an agency erred in evaluating the FedRAMP authorization of its proposed solution when the protestor could not demonstrate that its proposed solution met the solicitation’s FedRAMP authorization requirements at the time of proposal submission, as required by the solicitation.4
- The GAO addressed FedRAMP authorization issues in a protest challenging a sole-source award. The GAO determined that the protestor was not an interested party for purposes of challenging the award because the sole-source justification articulated a need for a solution with a FedRAMP moderate authorization, but the protestor’s solution lacked such authorization.5 Thus, the protestor was not an interested party because, even if the contract was competed on a full-and-open basis, the protestor would be ineligible for award.
- The GAO concluded that an agency reasonably canceled a solicitation when the agency had experienced a change in its cybersecurity requirements.6 The agency in that protest cancelled its solicitation relating to a learning management software system because it decided that, contrary to the terms of the original solicitation, it needed a solution that was authorized at the FedRAMP moderate level or higher. In reaching that conclusion, the agency explained that recent high-profile cybersecurity incidents and Executive Order 14028 (“Improving the Nation’s Cybersecurity”), which encouraged agencies to make “bold changes and significant investments” to improve cybersecurity, had led to the agency reconsidering its cybersecurity needs.
- The Court of Federal Claims’ issued a decision in the American Roll-On Roll-Off Carrier Group litigation.7 As we have previously written, in March 2022, the GAO denied a protest that alleged that an awardee had misrepresented its cybersecurity compliance by representing its FedRAMP authorization level as “high” when it should have been represented as “medium.” After the GAO denied its protest, the protestor filed a protest in the Court of Federal Claims, which included a protest ground addressing the FedRAMP authorization misrepresentation claim that the GAO had denied. The Court of Federal Claims rejected the FedRAMP misrepresentation ground, finding that the protestor could not demonstrate that it was prejudiced by the alleged misrepresentation. The Court of Federal Claims explained that, although the awardee’s claim of having a high FedRAMP authorization was “suspect,” the security requirement in the solicitation was not a material term of the solicitation, and the agency did not rely on the FedRAMP authorization representation when making its award decision.
Going forward
Although the government is increasing its focus on cybersecurity compliance, at least one recent survey of 300 contractors suggests that a majority of companies do not satisfy the applicable cybersecurity requirements in their contracts. Moreover, as illustrated by the recent bid protest decisions discussed above, the trend toward using cybersecurity as an evaluation factor will result in greater scrutiny of contractors’ cybersecurity infrastructures and authorizations by both the government and competitors.
All of this is occurring at a time when, even outside the government contracts context, authorities are focused on how companies respond to data breaches – including bringing criminal charges against high-ranking company officials. These issues highlight the importance of government contractors thoroughly reviewing their cybersecurity infrastructure, policies, contract requirements, and representations.
We will continue to monitor developments in this area. If you have any questions, please contact the authors or your DLA Piper relationship attorney.
1NIST SP 800-171 provides a list of 110 controls for protecting controlled unclassified information (“CUI”). Pursuant to Defense Federal Acquisition Regulation Supplement (“DFARS”) 252.204-7012, covered contractor information systems are subject to the requirements in NIST SP 800-171.
2SimVentions, Inc., B-420967 et al., 2022 WL 17359342 (Comp. Gen. Nov. 21, 2022).
3Computerized Facility Integration LLC, B-420865, 2022 WL 4598690 (Comp. Gen. Sept. 28, 2022). Conversely, an agency took corrective action in response to an argument that it engaged in disparate treatment by excluding a protestor’s solution from a list of approved licenses based on a lack of FedRAMP authorization while also including another offeror’s solution on the approved list notwithstanding that the other offeror also lacked FedRAMP authorization. See Meridian Knowledge Sols., LLC, B-420808.3, 2022 WL 17819516 (Comp. Gen. Dec. 5, 2022).
4LS3, Inc. v. United States, No. 22-1274, 2022 WL 17369640 (Fed. Cl. Oct. 7, 2022).
5Meridian Knowledge Sols., LLC, B-420906, 2022 WL 16900276 (Comp. Gen. Nov. 2, 2022).
6Meridian Knowledge Sols., LLC, B-420150.4 et al., 2022 WL 4011312 (Comp. Gen. Aug. 25, 2022).
7See Connected Glob. Sols., LLC v. United States, No. 22-292C, 2022 WL 16954007 (Fed. Cl. Oct. 28, 2022).