GAO Denies Protest on Grounds Cybersecurity Compliance Irrelevant Pre-Performance
Discover Technologies LLC protested the award of an HHS and FDA BPA for website management support services to the incumbent contractor Triple-i. Discover contended that the agency unreasonably evaluated Triple-i’s proposal because, at the time of proposal submission and evaluation, Triple-i’s proposed web hosting vendor was not compliant with the Federal Information Security Management Act of 2002 (FISMA). FISMA requires agencies to establish information security programs to protect agency information systems and assets that are “provided or managed by another agency, Contractor, or other source.” 44 U.S.C. § 3544. The agency evaluated the submitted proposals and determined that Triple-i offered the best value as the low-cost, highly-rated offeror. After award, the FDA granted Triple-i’s vendor authorization to operate once its security controls had been assessed by the agency and validated by a third-party audit. Discover protested, arguing that Triple-i’s proposal was unreasonably evaluated and that the agency should have designated the proposal as “Not Satisfactory” or “non-compliant” because the proposed vendor was not FISMA compliant.
GAO denied the protest, reasoning that the solicitation did not require FISMA compliance prior to performance. Rather, because the solicitation specifically stated that the “contractor” must comply with all federal information technology standards, it was not necessary for offerors to demonstrate compliance prior to performance. In other words, while the evaluation criteria included consideration of a security approach, the criteria did not require a showing of current compliance with security standards.
In the aftermath of GAO’s decision, contractors should be mindful of solicitation language in determining whether cybersecurity compliance may give rise to protest grounds, although, at the least, compliance will become an issue for contract administration post-award.