I have put this together as a review of the paper posted by Bob Metzger’s law firm, New DOD Cyber Rules Create Fertile Bid Protest Grounds, By Lucas Hanback and Jeffery Chiow. Primarily the translation focuses on considerations for the Department of Defense in absorbing this very well thought out commentary on how the new DoD rules might generate bid protests, and also some straightforward thoughts on how to mitigate that. The original thread and comments that generated this posting are here.
Upfront key takeaways:
There are substantive issues in here, not just trying to avoid doing Cyber
Training of KO’s (Government Contracting Officers, abbreviated by some as KO because the only real CO is a Commanding Officer) is key. They are already (in my direct experience) misapplying the rules in some cases. Please be as determined to train the DoD workforce as to get the contractors moving.
KO’s and PM’s understanding CUI, marking CUI, and understanding how and what information they want protected in their programs is critical. That lack of knowledge (currently) lays fertile grounds for protests, AND it also undermines the real rewards from CMMC that the department is looking for.
Now let’s review the summary. I am sure the legal minded reviewers will be shocked and appalled at my license and all the details I left out. Sorry. Trying to translate it from what you said, into what it means and what we can do about it. Please comment wherever you think my read was incorrect.
1) Challenge on whether the CUI rules should apply. Contracting Officers are already misapplying these rules. I received a contract mod with the 7021 clause in it for example. Sigghh. The Air Force memo to all KO’s says add the new rules to all contracts and glosses over that CUI needs to be involved. Point is that a lot of times KO’s don’t understand their own rules and pushing back on them from the contractors' position is a losing proposition. This could lead to protests. KO’s need to understand what CUI is and how it should be applied to contracts as do PM’s/COTR’s (Contracting Officer Technical Representative). So far, they don’t in general. “But, protests may be useful in forcing the agency to clarify the extent to which the clause is expected to apply — e.g., is there any controlled unclassified information in contract performance?”
2) Requiring a Medium or High DIBCAC Assessment. This is something the department should advise KO’s not to do. Why? Because you cannot get a Medium or High Assessment. That could be made a requirement and used to eliminate other qualified offerors, and it would be a foul to do so. DIBCAC is backed up, slow, and a contractor has no way of asking for or obtaining such an assessment. If done it needs to be thought about long and hard.
3) Matching CMMC Assessor availability, to CMMC pre-award requirements. Just something to consider out of this is the need to ensure that as you shift from the provisional year to holding the accountability line for CMMC at award there needs to be enough assessor capacity in the system. If you do it too soon, and the qualified C3PAO’s are back up 12 months with what they are already doing, that could cause a problem.
Post Award Protests
1) Unstated Evaluation Criteria. If KO’s don’t say in the RFP that they are going to use self assessment scores for an award decision, and then do, that could be a problem. Although my impression is that your intent is NOT to do this, I am very much concerned that this will happen. This also discourages honest self assessment reporting. If you state the score requirement in the RFP, the most likely response is for everyone to just raise their score to the needed level anyway, so probably not a useful approach. I would argue that honest inputs are more important to the Department currently. Announcing also opens another protest avenue (see para with ref )
2) Incumbent advantage. Under CMMC you are going to focus available assessor capacity on incumbents with requirements. The inability of competitors to obtain a CMMC cert due to low capacity might unfairly disadvantage a “good” competitor. Someone who has done everything right but could not obtain an assessment because the CMMC eco-system is not robust enough yet. Again something for you to consider as you orchestrate the transition to CMMC enforcement.
There are things the Department needs to do that are highlighted in this paper. Avoiding grounds for protests is good motivation but the more smoothly this runs, the better industry and the government can focus on the real issues of securing our vital information.