No one will argue against the need to improve cybersecurity. We should limit the vulnerability of critical infrastructure and preserve the confidentiality of military technology, private company trade secrets, and individual medical records.
But there is a significant cost to upgrade IT systems in order to achieve this goal. The federal government will pay more to contractors who can meet heightened cybersecurity standards. If cybersecurity standards are too restrictive, qualified contractors will be driven away from federal contracting. At a minimum, new cybersecurity standards will mean more grounds for bid protests, which are the focus of this post.
First, the background
Executive Order No. 13636 (Feb. 12, 2013) [pdf] called for agencies to publish guidance on mitigating cybersecurity threats in federal procurement. In November 2013, DOD and GSA released a joint report recommending that compliance with an established cybersecurity protocol be a precondition to the award of information and communication technology (“ICT”) contracts. See Improving Cybersecurity and Resilience through Acquisition, Final Report of the Department of Defense and General Services Administration (Nov. 2013) [pdf].
The National Institute of Standards and Technology (“NIST”) released its voluntary framework for improving cybersecurity for critical infrastructure in February 2014. See Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0 (Feb. 12, 2014) [pdf]. The NIST Framework is a tool for organizations seeking to measure and improve their cybersecurity programs against an ideal. The Framework encourages organizations to improve their cybersecurity programs “when such a change would reduce cybersecurity risk and be cost effective.” Compliance is not yet mandatory, but legislation incentivizing or requiring compliance should be expected.
These are by no means the first cybersecurity standards for federal contractors, but they would broaden and increase existing requirements. As they are implemented, cybersecurity requirements will certainly lead to an increase in pre- and post-award bid protests for ICT contracts. We see them principally in three areas.
1. Cybersecurity requirements unduly restrict competition
The November 2013 Joint Report by DOD and GSA recommends that agencies adopt baseline cybersecurity requirements as a precondition to award. It recognizes that the use of baseline cybersecurity requirements will impact acquisition rules—particularly the socioeconomic preferences programs such as small business set-asides. In the short term, heightened cybersecurity requirements will restrict competition by decreasing the number of contractors qualified to compete for ICT contracts.
In light of this impact, the joint GSA and DOD report recommends that new cybersecurity requirements be imposed only in the “types of procurements that present risks great enough to justify the negative impact on competition or price differences between trusted and un-trusted sources.”
There is certainly room for debate about whether a particular procurement is of a type for which it would be appropriate to limit the pool of available contractors. We are likely to see protests challenging agency decisions to impose heightened cybersecurity measures on particular contracts.
The decision in Technosource Info. Sys., LLC; True Tandem, LLC, B-405296, B-405296.2 (Oct. 11, 2011), illustrates the issue. GSA issued an RFQ to establish a blanket purchase agreement of GSA Schedule 70 contract holders for cloud computing services. The RFQ incorporated all IT security standards, policies, reporting requirements, laws, and regulations applicable to the protection of government-wide security, including NIST guidelines on multi-tenancy cloud computing. The protester filed a pre-award protest arguing that the specifications were unduly restrictive of competition. GAO denied the protest, finding that the agency had demonstrated the vulnerabilities inherent in multi-tenancy cloud computing and that the increased standards presented “a meaningful benefit inherent to the government community cloud set forth in the RFQ.” This won’t always be the result, especially if agencies continue to expand cybersecurity standards to areas where vulnerabilities may not be so obvious.
2. Compliant contractors improperly excluded from competition
Assuming that cybersecurity requirements are reasonably imposed, agencies will be forced to determine whether an offeror meets them. Disappointed bidders may point to ambiguities in the cybersecurity requirements or misapplication of the requirements with respect to a contractor’s stated qualifications. GAO sustained such a protest in Intercon Assoc., Inc., B-298282, B-298282.2 (Aug. 10, 2006). In Intercon, GSA issued an RFP for an automated electronic forms system software package. GSA rejected Intercon’s proposal on the grounds that it did not meet e-authentication requirements because the software required the use of internal digital certificates to verify the identity of users and Intercon’s product used external digital certificates. In its protest, Intercon argued that the solicitation did not specify whether digital certificates had to be issued and managed externally or internally. GAO sustained the protest, not only because Intercon’s approach was not specifically prohibited, but because the agency had failed to determine whether the awardee’s use of digital certificates was different from the protester’s.
3. Agency evaluations not in accordance with stated criteria
Agencies have broad discretion to determine their needs and to determine the criteria by which they will select contractors. But incorporating heightened cybersecurity standards into the source selection process will present new grounds for offerors claiming that agencies have not acted in accordance with the stated evaluation scheme or applied unstated evaluation criteria. A disappointed bidder could also protest an agency’s undue emphasis on the cybersecurity element in a price-technical tradeoff or the agency’s failure to document its consideration of the awardee’s or the protester’s cybersecurity program.
This list of potential areas of bid protest grounds is by no means exhaustive. Indeed, the new agency recommendations and voluntary guidance may raise more questions than they answer. One thing is certain—contractors looking at the new cybersecurity recommendations can expect that they will be implemented and that they will have a material effect on the federal procurement process.