By Christian Curran and Michael G. Gruden, CIPP/G

In Matter of: First Fin. Assocs., Inc., B-415713, Feb. 16, 2018, the Government Accountability Office (GAO) denied a protest filed by First Financial Associates, Inc. (FFA) against an award by the Department of Homeland Security, U.S. Secret Service (DHS/USSS) to FEEA Childcare Services, Inc. (FEEA) for the administration of a childcare subsidy program. FFA alleged that its proposal was not evaluated consistently with the RFP's evaluation criteria concerning the protection of personally identifiable information (PII) and the associated incident reporting requirements.

Specifically, among other grounds, FFA took issue with the timeliness requirement for reporting a data breach. Because the contract would require access to PII, the RFP's statement of work specified requirements for safeguarding such data, including the use of DHS/USSS incident reporting procedures that required "expeditious notification" to agency officials. The solicitation also incorporated Homeland Security Acquisition Regulation (HSAR) Special Clause – Safeguarding of Sensitive Information (March 2015), which requires contractors to report all known or suspected sensitive information incidents to DHS headquarters or a component security operations center within one hour of discovery and to immediately notify the contracting officer of the incident.

In evaluating FFA's proposal against the timeliness requirements for reporting set forth in the RFP, the agency determined that the 12-hour response time proposed by FFA was too long to be considered "expeditious," and FFA's proposal was assigned a marginal rating under the PII protection subfactor based on that weakness. FFA argued that the agency's evaluation was unreasonable because the RFP only required offerors to submit a PII incident response plan consistent with the solicitation's evaluation provisions, not with the statement of work. The agency countered that the RFP, read in its entirety, required offerors to submit procedures describing an expeditious plan for notifying the agency of a PII data breach, consistent with the statement of work.

GAO agreed with the agency and found that the agency had evaluated FFA's technical proposal consistently with the solicitation's PII provisions. GAO noted that the RFP expressly stated that an offeror would be evaluated on the procedures "that demonstrates the protection of applicant, recipient PII and its notification process if a breach or leak [of] information ha[d] occurred." GAO also pointed out that the response time proposed by FFA was inconsistent with the HSAR Special Clause – Safeguarding of Sensitive Information, which set forth specific procedures for dealing with PII, including the one-hour reporting window. Finally, GAO found that because the RFP called for a best-value tradeoff, it was reasonable for the agency to distinguish FFA's proposal from others on this basis.

This decision highlights the government's increased enforcement of privacy and cybersecurity standards in federal procurement. As demonstrated by the agency's position and GAO's decision, agencies have wide discretion in implementing procedures to safeguard sensitive information. More procurements are incorporating detailed incident reporting requirements, such as the one-hour reporting window at issue in the FFA case, and agencies are now applying these requirements not only during contract administration once work is performed, but also as a differentiator in making award decisions. Contractors would be wise to note the government's cybersecurity priorities and to ensure that adequate safeguards, including incident response timelines that meet the solicitation's reporting clauses, are implemented internally and featured prominently in their proposals for procurements involving the handling of sensitive data.