Blank Rome LLP, Author at Government Contracts Navigator

60-Second Sustains: Deloitte Consulting LLP and Softrams LLC

Elizabeth N. Jochum ●

Deloitte Consulting LLP
B-422094; B-422094.2

During the evaluation of the awardee’s quotation, the Department of Homeland Security identified a potential Organizational Conflict of Interest (“OCI”) with one of the awardee’s proposed teaming partners.
The Agency engaged in discussions with the awardee, in which the awardee informed the Agency that the teaming partner with the potential OCI would be immediately removed from the team and would not participate in the program upon award.
Deloitte argued that the agency failed to consider the impact of the teammate’s removal on the awardee’s proposed approach to performance.
The Agency provided declarations asserting that the agency had considered the elimination of the teaming partner and its impact on performance, but the Government Accountability Office (“GAO”) found that those declarations were unsupported by the contemporaneous record and gave them little weight.
GAO sustained the protester’s argument that the Agency’s evaluation was unreasonable because it failed to consider the elimination of the teaming partner.

Deloitte Consulting LLP; Softrams, LLC
B-421801.2,B-421801.3,B-421801.4,B-421801.5,B-421801.6

DISPARATE TREATMENT

Both protesters alleged numerous instances where the Library of Congress engaged in disparate treatment by assessing strengths for elements of the awardees’ proposals that were substantially indistinguishable from the protesters’ proposal features that did not receive strengths.
In most cases, the Agency argued that the strengths in question stemmed from differences between the proposals or that the protesters’ proposal features were, in fact, captured in the evaluation. However, in a few instances, the Agency instead argued that the disparate treatment was insignificant or did not prejudice the protesters.
GAO found these instances amounted to a concession by the Agency that there had been disparate treatment and sustained these protests, since the competition was extremely close and any change in competitive standing could have impacted source selection.

The Department of Defense Clarifies FedRAMP Equivalency Standard

Michael Joseph Montalbano ●

As many Department of Defense (“DoD”) contractors know, if they want to store, process, or transmit covered defense information (“CDI”) with a cloud service provider (“CSP”), then the CSP must meet the security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (“FedRAMP”) Moderate baseline. This begs the question, what is equivalence to the FedRAMP Moderate baseline? Earlier this month, the DoD issued a much-needed memorandum that helps answer this question.

My Company Just Got a Notice of Proposed Debarment. Now What?

Dominique L. Casimir ●

Receiving a Notice of Proposed Debarment from a federal agency Suspending and Debarring Official (“SDO”) is an alarming moment for any government contractor. It means the government believes there is a basis to question whether the entity is “presently responsible.” Debarment is sometimes referred to colloquially as the “death penalty” for government contractors because of its many, potentially devastating effects. A debarred entity is ineligible to receive new government contracts from any executive agency, not just the agency that imposes the debarment. Additionally, any existing federal contracts cannot be augmented or extended and may even be terminated.

Debarment can also seriously disrupt numerous areas of an entity’s business, including prime-sub relationships, teaming arrangements, and the normal function of the supply chain, because companies involved in government contracts ordinarily avoid partnering with debarred entities, and even entities proposed for debarment. Moreover, there are significant reputational impacts associated with debarment and these can affect everything from workplace morale to customer goodwill and even commercial relationships. And finally, debarment casts a long shadow, because even after the debarment ends, an entity will almost certainly be required to disclose the prior debarment as it pursues future government work.

For these reasons, it is critical to respond effectively to a Notice of Proposed Debarment. This blog post offers suggestions to federal contractors who have been proposed for debarment and are wondering what to do next.

60-Second Sustains: American Material Handling, Inc.

Elizabeth N. Jochum ●

American Material Handling, Inc.
B-422171

The Agency, the International Boundary and Water Commission, was buying a brand name or equal wheel loader on a lowest price, technically acceptable basis.
The RFQ stated that the proposed loader had to “meet the salient features or specifications of the [brand name product] or exceed the specifications attached,” and included a two-page specification sheet.
After receiving quotations, the contracting officer added salient characteristics—not expressly included in the solicitation—to the technical evaluation form to be considered during evaluations.
The Agency evaluated the two quotes received and found the protester not technically acceptable based on the salient characteristics added after submission of quotes.
GAO sustained the protest of the evaluation, noting that, in a “brand name or equal” acquisition, the agency has an obligation to inform vendors of the characteristics that are essential to the government’s needs; a product offered as an “equal” one need not meet unstated features of the brand name product.
Here, GAO found the agency “appeared to be deciding what characteristics it considered to be salient for the first time during its evaluation of quotations.”

Understanding the Basics of CMMC Level 3

Michael Joseph Montalbano ●

In this series on the Department of Defense’s (“DoD”) proposed Cybersecurity Maturity Model Certification (“CMMC”) rule, we have discussed the rule’s implementation timeline and the basics of CMMC Level 1 and CMMC Level 2. In this post, we discuss the most demanding CMMC level – CMMC Level 3.

What contracts will be subject to CMMC Level 3?

Unlike with CMMC Levels 1 and 2, DoD has not announced specific criteria for when CMMC Level 3 will apply. DoD has only stated that CMMC Level 3 will apply to contracts “supporting its most critical programs and technologies.” We know that CMMC Level 2 will apply to contracts where the contractor will receive Controlled Unclassified Information (“CUI”), so we can probably assume that CMMC Level 3 will, at a minimum, apply to contracts with the most sensitive CUI. DoD estimates that less than 1% of defense contractors will obtain a CMMC Level 3 verification once the rule has gone into full effect, which suggests that relatively few contracts will require CMMC Level 3 certification.

What are the requirements of CMMC Level 3?

There are three steps the contractor must satisfy to obtain a CMMC Level 3 certification. First, the contractor must obtain a CMMC Level 2 certification. This means that a Certified Third-Party Assessor Organization (“C3PAO”) will need to assess any contractor information system that stores, processes, or transmits CUI for compliance with the NIST SP 800-171 rev. 2 security requirements. Note that because the proposed CMMC rule requires a CMMC Level 2 certification—a third party assessment—a CMMC Level 2 self-assessment will not suffice.

Understanding the Basics of CMMC Level 2

Michael Joseph Montalbano ●

In this series on the Department of Defense’s (“DoD”) proposed Cybersecurity Maturity Model Certification (“CMMC”) rule, we have discussed the rule’s implementation timeline and the basics of CMMC Level 1. In this post, we discuss the basics of CMMC Level 2.

What contracts will be subject to CMMC Level 2?

CMMC Level 2 will apply to all DoD contracts where the contractor will receive Controlled Unclassified Information (“CUI”), except contracts that are purely for commercially available off-the-shelf (“COTS”) items. CUI is information that requires safeguarding or dissemination controls pursuant to applicable laws, regulations, and government-wide policies. The Government currently recognizes 20 categories of CUI, all of which are listed on the National Archives website. Those CUI categories include information related to defense, export-controlled information, intelligence, and procurements. While not as prevalent as Federal Contract Information, CUI is still often used in the performance of DoD contracts and DoD estimates that approximately 36 percent of defense contractors will obtain a CMMC Level 2 verification once the rule has gone into full effect.

60-Second Sustains: SierTek-Peerless JV LLC

Elizabeth N. Jochum ●

SierTek-Peerless JV LLC
B-422085, B-422085.2

The protester alleged that the Transportation Security Administration had not properly evaluated the awardee’s proposal under the prior experience factor.
The RFP required the agency to consider the size of offerors’ prior experience examples compared to the anticipated contract.
The Agency assigned the awardee a High Confidence rating under this factor, stating that they had demonstrated prior experience that was relevant in terms of both size and scope.
But the Government Accountability Office (“GAO”) found that the evaluation record failed to demonstrate that the Agency evaluated whether the size of the awardee’s prior experience examples were similar to the anticipated contract.
The evaluation report contained “little, if any discussion of any indicia of the size” of one of projects and conclusory statements that the other projects were similar in size, without any discussion of why and despite differing values and staffing numbers.
GAO found that the agency’s evaluation focused almost entirely on scope, rather than size, of the prior experience examples.
Since prior experience was the most important evaluation factor, GAO stated the protester was possibly prejudiced by the error and recommended the Agency reevaluate proposals.

Understanding the Basics of CMMC Level 1

Michael Joseph Montalbano ●

In this series, we have provided an overview of the Department of Defense’s (“DoD”) proposed Cybersecurity Maturity Model Certification (“CMMC”) rule and its implementation timeline. Now, we delve deeper into the three CMMC security levels, starting with CMMC Level 1.

What contracts will be subject to CMMC Level 1?

CMMC Level 1 will apply to all DoD contracts where the contractor will receive Federal Contract Information (“FCI”), except contracts that are purely for commercially available off-the-shelf (“COTS”) items. FCI is information not intended for public release that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government. Types of documents that could contain FCI include contracts, modifications, statements of work, technical drawings, and government communications to the contractor. Given the broad definition of FCI, contractors can expect that nearly all non-COTS, DoD contracts will involve FCI and will therefore be subject to CMMC Level 1.

New U.S. Russia Sanctions Target Financial Support of Military-Industrial Base and Expand Ban of Seafood Imports

Anthony Rapa, George T. Boggs, Alan G. Kashdan, and Matthew J. Thomas ●

The Biden Administration recently issued the latest round of U.S. sanctions against Russia, focusing on (1) secondary sanctions applicable to foreign financial institutions (“FFIs”) that engage in certain transactions in support of Russia’s military-industrial base, and (2) the importation into the United States of certain Russian-origin seafood processed in third countries. The U.S. sanctions, issued December 22, 2023, follow the European Union’s twelfth package of sanctions against Russia, imposed on December 18, 2023.

As a result of the new sanctions, it will be important for FFIs to conduct export controls-related due diligence for any transaction with potential Russia exposure and for U.S. seafood importers to engage in supply chain tracing to ensure that imported products are not prohibited.

To effectuate the sanctions, President Biden issued a new executive order (“EO”) amending EO 14024 (providing for the imposition of sanctions against certain categories of Russia-related persons) and EO 14068 (prohibiting certain Russia-related imports, exports, and new investment). Furthermore, the U.S. Department of the Treasury, Office of Foreign Assets Control (“OFAC”) issued a determination (the “Critical Items Determination”) identifying categories of goods triggering secondary sanctions risks for FFIs and a determination (the “Seafood Determination”) identifying categories of seafood processed in third countries that are prohibited for import.

To read the full client alert, please visit our website.

The Department of Defense Issues Proposed Timeline for CMMC Implementation

Michael Joseph Montalbano ●

On December 26, 2023, the Department of Defense (“DoD”) issued the long-awaited proposed rule for the Cybersecurity Maturity Model Certification (“CMMC”) program. In our previous post, we discussed how the CMMC program comprises three levels with increasing cybersecurity requirements. Contractors will be required to either conduct a self-assessment or undergo a third-party assessment (the latter referred to as a certification assessment) to demonstrate compliance with their applicable CMMC Level.

DoD included in the proposed rule an estimated timeline for the rollout of the CMMC program. Specifically, DoD intends to implement the CMMC program in four phases over two and a half years:

Phase 1 begins on the effective date of DoD’s final CMMC rule (i.e., when DFARS 252.204–7021 is officially revised). During Phase 1, CMMC Level 1 or Level 2 self-assessments become a condition for contract award. This means that contractors must self-assess their compliance with the cybersecurity requirements of CMMC Level 1 or 2 (whichever level is applicable to the contract) to be eligible for award. DoD may also include third-party CMMC Level 2 assessment requirements in certain contracts at its discretion.

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this: