Organizational conflicts of interest (or “OCI”) generally exist when one party has access to nonpublic information as part of its performance on a government contract.

OCI — or even the appearance of OCI — can be a landmine for Federal contractors.  Unresolved OCI can lead to exclusion from a contract competition, contract termination, and even suspension / debarment.

OCI Basics

OCI can arise in many different shapes and sizes.  Sometimes, a mitigation plan is sufficient to wall off the conflict.  Other times, the conflict is so pervasive that it undermines the integrity of the Federal procurement process – resulting in a lost contract (or worse).

It is imperative that contractors diligently investigate any actual or apparent OCI and prepare a comprehensive and compelling plan to address the conflict.  OCI that can be neutralized or mitigated generally does not require disqualification.  But the existence of actual OCI that cannot be adequately mitigated will likely lead the loss of contracting opportunities.

In light of the many forms that OCI can take and the serious consequences associated with a violation, it was surprising to see GAO dismiss a recent protest involving self-evident OCI concerns.

GAO Refuses to Consider “Private” OCI

The protest at issue concerns a U.S. Army task order for intelligence support services.  After the award, the unsuccessful incumbent filed a bid protest at the GAO alleging that the Army failed to investigate OCI in the form of unequal access to proposal materials.

Specifically, the protester alleged that a high-level employee for the awardee previously served as a consultant for the protester.  In that role, the consultant had access to the protester’s confidential information and trade secrets.

The protester argued that the relationship created an unmitigated conflict of interest.

GAO, however, found no OCI and denied the protest.

According to GAO, OCI and the unfair access to information must arise within the context of a government contract.  Here, the underlying relationship did not involve the government.  It was a disclosure that took place between two sophisticated parties on a private transaction.

Because of the private nature of the alleged OCI, GAO would not even consider the protest allegation.  Stated differently, without the involvement of the government, there is no OCI.

OCI Strategies Moving Forward

So where does this decision Federal contractors?

It certainly should not lull contractors into believing that OCI does not matter.  It matters quite a bit.  Without appropriate diligence and a plan for identifying and neutralizing OCI, a contractor could find itself in an OCI case where the GAO takes great interest in exploring alleged unfair or unequal access to information.

Instead, the primary takeaway here should be for contractors to think seriously about how they disclose confidential and proprietary information in private settings.  If it is necessary to disclose that kind of information to an outside consultant, take care to limit or redact the data to the extent possible.

Contractors should also explore installing language in third-party agreements to limit disclosure and future competition.

Nick Solosky is a Partner in Fox Rothschild’s Government Contracts Practice Group.  You can reach Nick directly at NSolosky@FoxRothschild.com or 202-696-1460.

Last week, DOD announced the release of CMMC Version 1.0. CMMC Version 1.0 is a comprehensive certification process featuring 171 cybersecurity best practices to ensure that contractors secure their information systems. The question on everyone’s mind is who is going to pay for the certification and all of the work necessary to comply.

DOD has been less than clear on how contractors are expected to pay for CMMC certification. But what is clear is that the costs associated with obtaining CMMC certification will be significant. It is unclear whether contractors can seek reimbursement for these costs. They may be able to claim costs as an allowable indirect cost. We suspect that the cost of certification itself will be covered, but that the greater costs associated with becoming compliant will not be covered as a reimbursable direct cost. In response to comments regarding DFARS 252.204-7012 in 2013, DOD stated that costs related to complying with DFARS 252.204-7012 are likely allowable and chargeable to indirect cost pools. (See page 69274). Since complying with CMMC level 3 is the equivalent to complying with DFARS 252.204-7012, it should follow that, at a minimum, the cost of Level 3 certification should be an allowable cost.

More recently, has claimed that costs associated with CMMC “will not be prohibitive,” but it seems that DOD has yet to work out all the kinks on what exactly that means. For one, not all contractors will need to meet the same level certification. DOD has emphasized that prime contractors will be expected to achieve a higher level of certification than smaller subcontractors. This will cut down on costs for subcontractors. SBA may also assist small businesses with the cost of certification, but has not given any specifics on how they intend to do so.

In a press conference following the release of CMMC, DOD officials stated they are working with large DOD prime contractors to address costs. It’s too early to tell whether these conversations result in solutions on keeping costs down. In the meantime, it appears that contractors will bear the large majority of costs associated with achieving CMMC certification.

On January 30, 2020 the Department of Defense released the Cybersecurity Maturity Model Certification (CMMC). The Department of Defense (DOD) Office of the Undersecretary of Defense for Acquisition and Sustainment developed the CMMC in response to concerns that contractors were not adequately protecting sensitive federal information, known as Controlled Unclassified Information (CUI). Although DOD has been regulating cybersecurity through DFARS 252.204-7012 since 2013, the CMMC is intended to give contractors more specific guidelines.

CMMC Version 1 consists of 5 maturity levels, composed of 17 security domains (i.e. security controls). Each level requires a contractor to implement more security than the one before it.  For example, Level 1, Basic Cyber Hygiene is equivalent to basic cybersecurity requirements found in FAR 52.204-21 and requires contractors to implement only 4 security controls. Level 3, Good Cyber Hygiene, equates to the current DFARS cybersecurity requirements, and Level 5, Advanced/Progressive, contains all 17 security controls.

Not only does CMMC give detailed guidance on securing information systems, it also recognizes that cybersecurity requirements must be tailored to the needs of the federal government, and the resources of a contractor. Beginning in June, RFPs will specify the CMMC level a contractor needs to meet to be awarded the contract. While most RFPs will require Level 3 certification, some will require Level 4 or 5 certification. By contrast, small business subcontractors will not have to meet the same requirements to perform under the contract. CMMC tailors the certification levels so that subcontractors may only be required to meet Level 1 or 2 certification, provided that they do not possess any CUI.

Going forward, CMMC will be DOD’s primary mechanism for regulating information systems security. It’s important for DOD contractors to become familiar with CMMC and begin implementing its cybersecurity best practices. However, contractors should be aware that CMMC does not negate their already existing cybersecurity regulations. For example, CMMC does not reference the 72-hour reporting requirement found in DFARS 252.204-7012. Further, it does not define CUI or Controlled Defense Information (CDI). Similarly, CMMC often references NIST SP 800-171’s requirements, the original guide in complying with DFARS 252.204-7012, but doesn’t explain them. CMMC closes the gaps in the existing regulatory framework, but does not replace it.

Responding to agency Requests for Proposals (RFP) is an exercise in playing follow-the-leader.  Contractors should take care to :

  • Read the RFP
  • Understand the information requested by the agency; and
  • Provide that information in a clear and concise manner.

The common thread for RFPs across all procurement types is to deliver the exact information requested by the agency – and in exact format requested.

Proposal content forms a common basis for bid protests.  Here is the typical scenario:  The contractor argues that the agency overlooked key information in its proposal.  The agency, on the other hand, contends that the contractor did not provide the information (or did not provide it in the manner requested).

The “Key” Experience or Key Personnel Factor (common in many Federal RFPs) offers a great discussion point.  You know that your team meets the RFP requirements – but does that fact shine through in your company’s proposal?

Take a recent Food and Drug Administration solicitation for IT services.  The RFP required bidders to include an Enterprise Solutions Architect as a “Key Person.”  In addition to the title, the bidder needed to show that the Architect has 10 years of experience working with certain software platforms.

In a protest at the GAO, a bidder argued that the agency incorrectly rejected its proposal as technically unacceptable because it did not include an Architect with the required qualifications/experience.  The bidder maintained that its Architect had over 20 years of relevant experience – more than double the RFP requirement.

The agency responded that it reviewed the bidder’s proposal – but was unable to conclude that the Architect had the required experience.  The RFP asked bidders to provide a “crosswalk” between the Architect’s experience and the RFP requirements.

Rather than provide such a crosswalk, the agency stated that the protester’s proposal provided only the Architect’s work history with overlapping dates.  When the agency sought to compute the total years of experience, it eliminated periods of overlap.  As a result, the agency found only 8.25 years – short of the RFP requirement.

On review, GAO found the agency’s evaluation was reasonable.

The GAO’s decision has nothing to do with the proposed Architect’s actual experience.  Instead, the key is how the bidder conveyed that experience in its proposal.  Because the proposal did not track the RFP requirements, GAO found there was no reason to overrule the agency’s award decision.

The takeaway for contractors is one of form and substance – both matter for proposals.  In order to prevail on a protest, contractors need to show that they used the proper form before the GAO or COFC will consider the substance.

Nick Solosky is a Partner in Fox Rothschild’s Government Contracts Practice Group.  You can reach Nick directly at NSolosky@FoxRothschild.com or 202-696-1460.

Best Value and Lowest Price Technically Acceptable (LPTA) procurements trigger very different bidding obligations for contractors.

As I’ve detailed in this space before, Best Value procurements place limited importance on price.  While cost is (always) a factor, a bidder can overcome a higher price by demonstrating its technical expertise and ability to add value for the agency.  LPTA procurements, on the other hand, place an absolute premium on the ability to perform the work for the lowest possible price.

Decisions from the Government Accountability Office (GAO) and Court of Federal Claims (COFC) tell us that Federal agencies must consider evaluation factors in a manner that is consistent with the framework established in the RFP.  But history and common sense also tell us that Best Value protests can be difficult to win due to the discretion afforded to the agency.

It appears that courts are now more willing to place limits on that discretion.

The Challenge of Best Value Protests

Best Value RFPs instruct the agency to focus on technical merit and  limit price considerations.  Easier said than done.

Best value procurements tend to pull agency selection officials in many directions.  Though price may not be the RFP’s priority, those evaluating proposals and awarding the contract may feel differently for any number of practical reasons (either consciously or otherwise).

The practice of “Technical Leveling” highlights the danger inherent in Best Value Tradeoff evaluations.

A selection official interested in a low price can artificially level the playing field by grading all proposals as equal on technical factors.  IIf the procurement official does not identify any proposal as offering significantly greater technical value to the agency, he or she has the discretion to turn to price as a tiebreaker.

Combating Technical Leveling in Procurement Award Decisions

While defining Technical Leveling is easy, proving it is another matter.

A protester challenging a Best Value award on this basis generally must show two things:  (1) that the agency erroneously failed to consider the technical superiority of its proposal and (2) prejudice as a result of that failure in terms of the ultimate award decision.  That can be a heavy burden if the agency makes an effort to document the purported equality among all proposals.

Happily, it appears that courts are showing increased interest in digging into these type of evaluations.

The COFC recently granted a Best Value Tradeoff protest when the agency first awarded the contract to the lowest-priced (and lowest rated) proposal.  The Court found that the agency went to great lengths to smooth over differences between proposals and create a false impression of equality.  The agency’s Technical Leveling of proposals therefore improperly converted a Best Value procurement into an LPTA.

The Court’s decision also highlights the agency’s improper reliance on the fact that all of the offerors were “capable” of successfully performing the work.  Consideration of whether an offer is “adequate” is a hallmark of LPTA procurements – not Best Value Tradeoff decisions.

Price Still Matters

While we can champion this decision as a win for true Best Value offers, it is also essential to recognize the lingering importance of price in all government procurements.

The COFC’s decision hinges – at least in part – on the relatively small (6%) difference between the lowest- and highest-rated offers.  Had this gap been larger, it would have bolstered the agency’s original award decision.

A higher-priced offeror must always be ready to carry the burden of showing that technical superiority outweighs the proposal’s costs.

Contract Disputes Act (CDA) claims offer Government Contractors the opportunity to recover costs incurred due to Government-caused changes or delays.  While the initial focus often rests on proving liability, a recent Court of Federal Claims (COFC) decision highlights the danger of failing to prove entitlement to damages.

In other words, claims can present the danger of winning the battle . . . only to lose the war.

The Federal Protective Service (FPS) awarded a contract for administrative support services personnel.  The contract included a Department of Labor Wage Determination setting forth the wage and vacation requirements for the solicited employees.  Per the terms of the contract, each tendered employee was required to log 1,888 “productive hours” per year.

The issue at the heart of the contractor’s claim was FPS’ demand for more hours (2,000 per employee) and more personnel (FPS required the contractor to secure replacement personnel during employee absences).

The COFC granted the contractor’s motion for summary judgment, finding that the agency’s enhanced demands constituted a constructive change to the contract.  But, despite prevailing on the issue of liability, the Court awarded no damages.

While the contractor almost certainly incurred additional costs associated with the contract change, it failed to offer proof of those costs to the Court’s satisfaction.  Specifically, the COFC decision highlights the absence of evidence like payroll records that would detail the additional costs incurred as damages.

So, while still a victory, the contractor walked away with nothing to show for its “technically” successful claim.

The takeaway here is simple and should be applied in every instance.  In the event of a claim – or even a suspected claim – the contractor should make a conscious effort to track and document all additional costs incurred in real time.

In addition to avoiding the very unfortunate outcome seen in this COFC decision, tracking costs from the outset has many additional benefits (and zero downside).  For example, understanding these costs will help the contractor assess the merits of a claim prior to submission.  A detailed understanding of actual damages could also be helpful in terms of early dispute resolution with the agency (thus avoiding the claims process entirely).

Nick Solosky is a Partner in Fox Rothschild’s Government Contracts & Construction Practice Group.  You can reach Nick directly at NSolosky@FoxRothschild.com or 202-696-1460.

The Small Business Administration (SBA) just rolled out a series of significant changes to the Historically Underutilized Business Zone (HUBZone) Program.  The Final Rule is found here and is now in effect (and has been since December 26, 2019).

The aim of the HUBZone Program is to encourage small business participation in specific geographic areas identified by the Government.  In order to take advantage of the Program’s set-aside contracting opportunities, a business must not only be located in the underutilized area, but must also employ residents of the community (specifically, in order to qualify as a HUBZone, 35% of employees must live in a HUBZone designated area).

These requirements – and the employee residency requirement, in particular – previously made establishing and maintaining HUBZone compliance a challenge.  In fact, running a HUBZone often felt like trying to hit a moving target.

The Final Rule aims to encourage greater use of the HUBZone Program and remove some of the uncertainty outlined above.  Many of the changes are also meant to maximize the benefit to the residents of underutilized communities.

Increased Certainty Regarding Eligibility and Compliance (But Also New Challenges)

As noted above, a major criticism of the former HUBZone Program was the moving target for compliance.  By tying compliance expressly to employee residency, HUBZone owners literally faced a daily question regarding the Program’s 35%  requirement.

The Final Rule tackles some of the uncertainty regarding residency issues by grandfathering the status of employees that establish significant roots in the community:

An employee who resided in a HUBZone for at least six months at the time of certification or recertification, and continues to reside in a HUBZone for at least six months thereafter, may continue to be considered a HUBZone resident so long as the individual is employed by the firm, even if he/she moves to a non-HUBZone area, or if the area of his/her residence loses HUBZone geographical eligibility.

The Final Rule now places a greater burden on HUBZone firms in terms of establishing residency.  The requirement for 180 days of residency prior to certification/re-certification is geared towards eliminating the practice of employees moving in and out of HUBZone areas on a contract-by-contract basis.

While the burden is greater, the Rule also eliminates the uncertainty of losing a long-time employee simply because they decide to move.  In fact, according to SBA, this update is designed to reward businesses for creating an environment where successful employees may work to achieve upward mobility.

Additionally, SBA will now update HUBZone maps (which designate specific HUBZone areas in which businesses/employees must reside) every five (5) years.  This is a significant uptick from the prior practice of updating the maps annually.  Again, stability is the key.  SBA wants to encourage businesses and employees alike to have confidence when choosing to reside in a HUBZone.

Improved Set-Aside Contracting Provisions

SBA’s Final Rule also aims to simplify and improve the contracting experience for HUBZone firms.  The updates to the Program include the following:

If a firm is a certified HUBZone small business at the time of its initial offer for a contract, it generally will be considered a HUBZone small business throughout the life of that contract.  HUBZone status will no longer be determined as of the time of award.

To go along with this change, SBA also implemented a 20% “floor” for the residency requirement during contract performance.  A firm falling below 20% would be automatically considered as failing to make good faith efforts to meet the 35% requirement and subject to decertification.

The new 20% floor provides clarity for HUBZone firms and removes the anxiety over an unexpected employee departure immediately jeopardizing compliance.

The SBA is also implementing annual certifications for HUBZone firms (rather than the current contract-by-contract system):

Once certified as a HUBZone small business, a firm will be eligible for all HUBZone contracts for which the firm qualifies as small, for one year from the date of its initial certification (and subsequently, for one year after each annual recertification), unless the firm acquires, is acquired by, or merges with another firm during that period.

***

Anticipating increased participation in the HUBZone Program, SBA also saw fit to expand the protest process.  Now, HUBZone firms and joint ventures receiving set-aside awards are subject to protests from other interested parties (i.e., other HUBZone businesses that missed out on the award).

As with any set of new rules, we are sure to find areas of ambiguity as we dig deeper into the Final Rule.  Existing and prospective HUBZone firms alike should expect new challenges and increased opportunities moving forward.

SBA

The Small Business Administration (SBA) announced December 5 that it is changing the measuring period for calculating average annual gross receipts (revenue) of small businesses to determine small business size from three years to five years.

The SBA uses Size Standards to determine whether a business qualifies as “small” for procurements set aside by the federal government for small businesses.  For example, procurements set aside for contractors with NAICS Code 236220 (“Commercial and Institutional Building Construction”) has a $39.5 million Size Standard. Therefore, businesses with annual revenue below $39.5 million qualify as small for that particular procurement. Small business size for procurements is generally measured based on the annual revenue of the business (or in some circumstances, based on the business’ number of employees).

Size standards based on annual revenue are currently calculated based on an entity’s average annual revenue over the past three tax years (along with the average annual revenue of the business’ affiliates over the same period). 13 C.F.R. § 121.104 (“The average annual receipts size of a business concern with affiliates is calculated by adding the average annual receipts of the business concern with the average annual receipts of each affiliate”). This calculation of annual revenue provides flexibility for entities to maintain their small business status for a procurement even though their revenue for one or more of the past three years may have actually exceeded a procurement’s designated Size Standard. As long as an entity’s three-year average annual revenue falls below the applicable Size Standard ($39.5 million in the example above) the entity is considered small.

On December 5, 2019, the SBA announced that it was modifying its rule to calculate average annual revenue to increase the measuring period from three years to five years. For most small businesses, this change is good news as it will enable the business to remain small for a longer period of time assuming the business’ revenue increases incrementally each year. This five-year change will become effective for procurements issued on or after January 6, 2020.

For detailed coverage of multiple issues related to SBA small business concepts and procedures, consult my free  “Federal Contractors’Guide to Small Business Administration Set-Aside Contracts, Size Standards, Size Protests, and Affiliation” eBook, which can be accessed here.

Doug Hibshman is a partner in Fox Rothschild LLP’s Federal Government Contracts & Procurement; Construction; Litigation; Privacy & Data Security; Mergers & Acquisitions; White-Collar Compliance & Defense; Health Law; and Architecture, Engineering & Design Professional Firms practice groups. He routinely assists clients with understanding and applying the Small Business Administration (SBA) regulations, filing and defending against SBA size protests, mitigating possible affiliation issues, and ensuring compliance with SBA regulations. 

Mary Mikhaeel, a law clerk at Fox Rothschild, contributed to this post.

For the first time since 2014, the Small Business Administration (SBA) adjusted size standards for small businesses to keep pace with inflation.  Initially posted by the SBA for public comment back in June, the interim rule went into effect on August 19, 2019.

According to SBA, the change “restores small business eligibility in real terms to businesses that have grown above the existing size standard due to inflation-led revenue growth rather than due to increased business activity.”

For those readers in the construction industry, the revision increases the applicable size standard to $39.5 million (from $36.5 million) for institutional, commercial, and institutional building contractors.  For most specialty trade contractors, the increase raises the size standard to $16.5 million (from $15.0 million).

Access to the full list of standards for all industries is available at this link.

So what happens now?

The SBA projects that the upward adjustment will make an additional 89,730 firms eligible for small business status.  In theory, that could lead to an increase in the number of size protests as formerly large businesses now seek set-aside work.  The SBA’s pending Runway Extension Act (which changes the applicable size review period from three years to five years) will only add to the lack of clarity.

Newly eligible small businesses should focus on compliance first.  For example, updating the business’ System for Award Management (SAM) profile and completing the representations and certifications (which opens the door for set-aside procurement opportunities).   Contractors should also update their status in the SBA’s Dynamic Small Business Search engine.

Recall that submitting a proposal for a set-aside procurement when the contractor knows – or should know – that it does not qualify due to its size (including all affiliates) may cause the business to be liable for civil or criminal penalties, including liability under the Civil False Claims Act. That is on top of the obvious disadvantage of losing eligibility for set-aside work.

Familiarity with size protests and maintaining compliance with SBA standards has to be of the utmost importance for small businesses.

It is common practice for contractors to provide the government with their confidential and propriety information – whether it comes in the form of a response to a solicitation, invitation for bid, or other materials provided during the course of contract performance.

Since you provided the information on a public contract, does that mean the information is now available to anyone (including your competitors) through a simple Freedom of Information Act (FOIA) request?  A recent decision from the U.S. Supreme Court says that the answer is No.

Federal agencies are required to disclose any information requested under FOIA — unless it falls under one of nine exemptionsExemption No. 4 protects trade secrets and/or a contractor’s commercial or financial information that is confidential or privileged.

The Supreme Court considered whether commercial or financial information that is customarily and actually treated as private by its owner – but nevertheless provided to the government during contract performance – remains “confidential” under FOIA Exemption No. 4 (and is therefore shielded from disclosure).  The Court held that the exemption applies, even where the contractor provided the information on a public contract.  Critically, the Court also held that the contractor is not required to show that disclosure of its confidential information would also cause substantial harm to its competitive position – the confidential nature of the information is sufficient.

This ruling provides contractors who are trying to protect their confidential and proprietary information with significant leverage against FOIA requests from competitors.

However – while the decision is favorable for contractors – it should only be relied on as a last line of defense.  Even with the recent ruling, a contractor can still take additional precautionary measures to prevent their information from disclosure to third parties under FOIA.  Simple steps like the following can go a long way:

·       Disclose confidential or proprietary information only when necessary/required by the government

·       Limit the internal availability of the information to only critical employees, and

·       Label all sensitive information as confidential and proprietary.

Contractors failing to follow these protocols run the risk of the agency determining the information is not confidential – thus opening the door to FOIA requests (and placing the contractor’s information outside of the protections of the Supreme Court decision discussed above).