No one will argue against the need to improve cybersecurity. We should limit the vulnerability of critical infrastructure and preserve the confidentiality of military technology, private company trade secrets, and individual medical records.

But there is a significant cost to upgrade IT systems in order to achieve this goal. The federal government will pay more to contractors who can meet heightened cybersecurity standards. If cybersecurity standards are too restrictive, qualified contractors will be driven away from federal contracting. At a minimum, new cybersecurity standards will mean more grounds for bid protests, which are the focus of this post.

First, the background

Executive Order No. 13636 (Feb. 12, 2013) [pdf] called for agencies to publish guidance on mitigating cybersecurity threats in federal procurement. In November 2013, DOD and GSA released a joint report recommending that compliance with an established cybersecurity protocol be a precondition to the award of information and communication technology (“ICT”) contracts. See Improving Cybersecurity and Resilience through Acquisition, Final Report of the Department of Defense and General Services Administration (Nov. 2013) [pdf].

The National Institute of Standards and Technology (“NIST”) released its voluntary framework for improving cybersecurity for critical infrastructure in February 2014. See Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0 (Feb. 12, 2014) [pdf]. The NIST Framework is a tool for organizations seeking to measure and improve their cybersecurity programs against an ideal. The Framework encourages organizations to improve their cybersecurity programs “when such a change would reduce cybersecurity risk and be cost effective.” Compliance is not yet mandatory, but legislation incentivizing or requiring compliance should be expected.

These are by no means the first cybersecurity standards for federal contractors, but they would broaden and increase existing requirements. As they are implemented, cybersecurity requirements will certainly lead to an increase in pre- and post-award bid protests for ICT contracts. We see them principally in three areas.

The GAO’s decision in BC Peabody Constr. Serv., Inc., B-408023 (May 10, 2013) [pdf] illustrates the importance of establishing prejudice in a bid protest. The protester alleged that it proposed the same subcontractor (Bauer Foundation Corporation) as the awardee proposed on a dike rehabilitation project. Both offerors relied on Bauer for the “cut-off wall,” a critical element of the project. Both proposals showed that Bauer had the required experience for the cut-off wall.

Despite their use of the same subcontractor, the Corps of Engineers nevertheless assigned the awardee and the protester different scores for the cut-off wall element of their proposals. The Corps rated the awardee’s proposal acceptable for both the demonstrated experience and past performance subfactors, but it rated the protester’s proposal unacceptable. The GAO agreed the Corps’s action was procurement error. “Where multiple proposals propose the same contractor, once the agency becomes aware of that subcontractor’s experience . . . it cannot reasonably assign one proposal a higher score than another based on that experience.” GAO nevertheless denied the protest.