Alert

GAO Denies Protest on Grounds Cybersecurity Compliance Irrelevant Pre-Performance

June 6, 2016

Discover Technologies LLC protested the award of an HHS and FDA BPA for website management support services to the incumbent contractor Triple-i.  Discover contended that the agency unreasonably evaluated Triple-i’s proposal because at the time of proposal submission and evaluation, Triple-i’s proposed web hosting vendor was not compliant with the Federal Information Security Management Act of 2002 (FISMA).  FISMA requires agencies to establish information security programs to protect agency information systems and assets that are “provided or managed by another agency, Contractor, or other source.”  44 U.S.C. § 3544.  The agency evaluated the submitted proposals, and determined that Triple-i offered the best value as the low-cost, highly-rated offeror.  After award, the FDA granted Triple-i’s vendor authorization to operate after its security controls were assessed by the agency and validated by a third-party audit.  Discover protested, and argued that Triple-i’s proposal was unreasonably evaluated and the agency should have designated the proposal as “Not Satisfactory” or “non-compliant” because the proposed vendor was not FISMA compliant.

GAO denied the protest, reasoning that the solicitation did not require FISMA compliance prior to performance.  Rather, because the solicitation specifically stated that the “contractor” must comply with all federal information technology standards, it was not necessary for offerors to demonstrate compliance prior to performance.  In other words, while the evaluation criteria included consideration of a security approach, the criteria did not require a showing of current compliance with security standards.

In the aftermath of GAO’s decision, contractors should be mindful of solicitation language in determining whether cybersecurity compliance may give rise to protest grounds, although, at the least, compliance will become an issue for contract administration post-award.
