Welcome to Jenner & Block’s Government Contracts Legal Round‑Up, a biweekly update on important government contracts developments. This update offers brief summaries of key developments for government contracts legal, compliance, contracting, and business executives. Please contact any of the professionals at the bottom of the update for further information on any of these topics.
CMMC 2.0 and the Future of Cybersecurity Certification
- The Department of Defense issued a significant proposed rule implementing CMMC 2.0; comments are due by February 26, 2024.
- In 2019, DoD first announced the CMMC program to move away from “self-attestation” of compliance with cybersecurity requirements applicable to the safeguarding of sensitive, unclassified information.
- Following an initial 2020 version implemented in an interim rule (CMMC 1.0), DoD announced a streamlined CMMC 2.0 in November 2021. Industry submitted 750 comments.
- Just before the end of 2023, DoD issued a proposed rule implementing CMMC 2.0, with requirements set to take effect over a three-year period.
Summary of Rule
- The rule does not displace existing cybersecurity requirements for contractors, including in FAR 52.204-21 and DFARS 252.204-7012. Those clauses, when applicable, will continue to require contractors to meet certain cybersecurity requirements. The rule instead creates a certification regime whereby prime contractors and subcontractors may be subject to assessment by certified, independent third-party organizations and required to pass those assessments as a condition of contract award. In other words, self-assessment of cybersecurity compliance will no longer be sufficient for thousands of contractors doing business with DoD.
- DoD Program Managers will select which of the three CMMC Levels are appropriate for inclusion in each solicitation: Level 1 aligns to the basic 15 security requirements in FAR 52.204-21; Level 2 aligns to the 110 requirements from NIST SP 800-171 rev 2; and Level 3 is defined as the additional requirements from NIST SP 800-172 intended to protect against advanced persistent threats.
- While third-party assessments and certifications are a paradigm shift, the rule notes that contractors are already required to implement the primary substantive requirements (the -7012 clause requires compliance with NIST SP 800-171, and FAR 52.204-21 mandates implementation of 15 security requirements) and to perform at a minimum a self-assessment documenting compliance, which is submitted to DoD via the Supplier Performance Risk System (SPRS) (DFARS 252.204-7019 and -7020).
- Notably, the rule does not mandate third-party assessments and certifications to achieve all three “Levels.” Level 1 can be achieved through an annual self-assessment with results entered in SPRS, and a limited number of solicitations will also designate Level 2 as satisfied through a self-assessment. However, the majority of Level 2 certifications will only be achieved through a third-party assessor issuing a certification, and all Level 3 certifications will require a third-party assessor (specifically, DCMA DIBCAC).
Risks and Why It Matters
- Compliance is a prerequisite for doing business with DoD. The rule is clear that DoD does not “provide mitigations for assessment delays” that might prevent a contractor from obtaining the requisite certification prior to award of a contract. Prime contractors and subcontractors will need to be prepared to obtain certification for their systems well in advance of a competition. Even with a phased approach to implementation, it remains to be seen whether the CMMC ecosystem will provide adequate capacity to timely certify the many thousands of interested organizations within the Defense Industrial Base.
- Ensuring that subcontractors who receive CUI obtain Level 2 certifications may present compliance challenges for prime contractors; however, the specific CMMC Level required for a subcontractor will depend on the type of unclassified information that the subcontractor receives. Thus, a subcontractor that only receives Federal Contract Information will only be required to achieve Level 1 certification.
- This rule may widen enforcement and False Claims Act risk for contractors. For assessments at all three levels, a “senior official” from the prime contractor and any applicable subcontractor must annually affirm, and enter into SPRS, continuing compliance with the specified security requirements. Further, the DoD CMMC Program Management Office is responsible for investigating indications that a CMMC assessment is questionable, with consequences including revocation of CMMC certifications.
- Significant industry interest and comments are expected; the previous rule triggered 750 comments from industry.
Bid Protest Updates
B.H. Aircraft Company, Inc. v. United States, No. 2022-1766 Fed. Cir. (January 2, 2024)
- In a short per curiam opinion, the Federal Circuit affirmed the Court of Federal Claims’ rejection of a protester’s allegations of improper bundling but avoided addressing thorny issues of standing.
- B.H. Aircraft requested that the Navy unbundle the replacement of an aircraft part from the repair of that part; the Navy refused, finding that not only was there not improper bundling, but B.H. Aircraft was not a qualified bidder for the replacement work in any event. B.H. Aircraft protested to the Court of Federal Claims.
- The Court of Federal Claims decision contained a complex discussion of the protester’s standing, framed as an issue of subject matter jurisdiction that had to be addressed before the merits. Ultimately B.H. Aircraft’s complaint was dismissed for lack of standing on the ground that B.H. Aircraft was not a qualified bidder. Alternatively, the Court of Federal Claims concluded that the protester failed to state a claim upon which relief could be granted because B.H. Aircraft had not established a violation of the bundling regulation.
- In affirming the decision, the Federal Circuit panel explained that, because the “interested party” requirement is no longer treated as a jurisdictional rule, it is no longer necessary to grapple with standing before rejecting a protester’s claim on the merits. The Federal Circuit thus did not reach the issue of bidder qualifications, but instead affirmed that the Court of Federal Claims correctly concluded that B.H. Aircraft’s complaint failed to state a claim on which relief could be granted.
B.H. Aircraft is a helpful demonstration of the practical impact of the new framework for dealing with interested party issues.
ConsortiEX, Inc., B-422078 (December 22, 2023)
- GAO dismissed a protest challenging the award of a contract where the protester alleged that the PWS contained latent ambiguities regarding the level of effort necessary to perform the contract.
- The protester presumably felt compelled to raise this objection given the significant price disparity between the awardee’s price ($1 million) and the protester’s price ($33.8 million).
- GAO stated that as a threshold matter for an ambiguity to exist, there must be “two or more reasonable interpretations of the terms or specifications.”
- GAO distinguished between an ambiguity susceptible to two or more “reasonable interpretations” and generally “vague” solicitation language that is not susceptible to a “reasonable alternative interpretation.”
- Here, because the protester could not establish that the PWS was anything other than vague (i.e., it was not susceptible to reasonable alternative interpretations), any protest challenging the vague solicitation terms was due prior to the deadline for proposal submission and thus untimely when filed post-award.
This decision highlights a protest tactic used where vastly different approaches suggest that offerors had different understandings of the solicitation. But for this allegation to be viable, the protester must identify an actual solicitation ambiguity—language susceptible to two or more reasonable interpretations. A poorly written or vague solicitation will not suffice to lay the foundation for a cognizable protest ground.
Small Business Update
Federal Performance Management Solutions, LLC v. United States (January 3, 2024)
- The Court of Federal Claims denied FPMS’s protest arguing that it was arbitrary for the Small Business Administration (SBA) to deem the company large for violating rules related to joint ventures.
- FPMS (a joint venture) entered into its first contract in 2018 under an SBA rule that allowed a JV to enter into three contracts in two years (the 3-in-2 Rule). In 2020, SBA changed its rules to permit JVs to enter into an unlimited number of contracts within a two-year period (the Two-Year Rule).
- In 2022, FPMS was awarded a new contract set aside for small businesses, but following a size protest, was deemed large because more than two years had passed since FPMS won its first contract. Following a loss at the SBA Office of Hearings and Appeals, FPMS appealed to the court. The court agreed that FPMS was large and thus ineligible for award. Contrary to the appellant’s arguments, switching from the 3-in-2 Rule to the Two-Year Rule did not impact the two-year limitation on JVs, and enforcing the Two-Year Rule in 2022 did not impermissibly apply the regulation retroactively. Moreover, amending the rules did not require the two-year clock to start anew.
This recent decision from the Court of Federal Claims reminds companies that under SBA rules, a mentor-protégé joint venture (JV) can only exist for two years, after which time a new JV must be created.