In Matter of: First Fin. Assocs., Inc., B-415713, Feb. 16, 2018, the Government Accountability Office (GAO) denied a protest filed by First Financial Associates, Inc. (FFA) against an award by the Department of Homeland Security, U.S. Secret Service (DHS/USSS) to FEEA Childcare Services, Inc. (FEEA) for the administration of a childcare subsidy program. FFA alleged that its proposal was not evaluated consistently with the RFP’s evaluation criteria regarding the protection of personally identifiable information (PII) and the associated incident reporting requirements.

Specifically, among other grounds, FFA took issue with the timeliness requirement for reporting a data breach. Because the contract would require access to PII, the RFP’s statement of work specified requirements for safeguarding such data, including the use of DHS/USSS incident reporting procedures that required “expeditious notification” to agency officials. The solicitation also incorporated Homeland Security Acquisition Regulation (HSAR) Special Clause – Safeguarding of Sensitive Information (March 2015), which requires contractors to report all known or suspected sensitive information incidents to DHS headquarters or a component security operations center within one hour of discovery and to immediately notify the contracting officer of the incident.

In evaluating FFA’s proposal based on the timeliness requirements for reporting set forth in the RFP, the agency determined that the 12-hour response time proposed by FFA was too long to be considered “expeditious,” and FFA’s proposal was assigned a marginal rating under the PII protection subfactor based on that weakness. FFA argued that the agency’s evaluation was unreasonable and that the RFP only required offerors to submit a PII incident response plan consistent with the solicitation’s evaluation provisions, not the statement of work. But the agency countered that the RFP in its entirety required offerors to submit procedures that described an expeditious plan for notifying the agency of a PII data breach, consistent with the statement of work.

GAO agreed with the agency and found that the agency evaluated FFA’s technical proposal consistent with the solicitation’s PII provisions. GAO noted that the RFP expressly stated that an offeror would be evaluated on the procedures “that demonstrates the protection of applicant, recipient PII and its notification process if a breach or leak [of] information ha[d] occurred.” GAO also pointed out that the response time proposed by FFA was inconsistent with the HSAR Special Clause – Safeguarding of Sensitive Information, which set forth specific procedures for dealing with PII. Finally, GAO found that because the RFP evaluation called for a best-value tradeoff, it was reasonable for the agency to distinguish FFA’s proposal on this basis.

This decision highlights the government’s increased enforcement of privacy and cybersecurity standards in federal procurement. As demonstrated by the agency’s position and GAO’s decision, agencies are gaining increasingly wide discretion in implementing procedures to safeguard sensitive information. More procurements are incorporating detailed reporting requirements, such as those at issue in the FFA case, and agencies are now using these requirements not only in the administration context when work is performed, but also as a differentiator in making award decisions. Contractors would be wise to note the government’s cybersecurity priorities and ensure adequate cybersecurity safeguards are implemented internally and featured prominently in their proposals for procurements involving the handling of sensitive data.

Christian Curran

Christian N. Curran is a partner in Crowell & Moring’s Washington, D.C. office, where he practices in the Government Contracts Group. His practice focuses on government contracts litigation and counseling, including bid protests, government investigations, and compliance with federal and state procurement laws and regulations.

Christian has broad experience in the government contracts arena, including bid protest litigation at both the Government Accountability Office and the Court of Federal Claims, contract claims before the Armed Services Board of Contract Appeals, prime-sub disputes, internal investigations, mandatory disclosures, transactional due diligence, Defense Contract Audit Agency audits, and compliance assessments. He also has experience in both traditional litigation and alternative dispute resolution forums, including international arbitration and mediation, and administrative proceedings before various government agencies.

Michael G. Gruden, CIPP/G

Michael G. Gruden is a counsel in Crowell & Moring’s Washington, D.C. office, where he is a member of the firm’s Government Contracts and Privacy and Cybersecurity groups. He possesses real-world experience in the areas of federal procurement and data security, having worked as a Contracting Officer at both the U.S. Department of Defense (DoD) and the U.S. Department of Homeland Security (DHS) in the Information Technology, Research & Development, and Security sectors for nearly 15 years. Michael is a Certified Information Privacy Professional with a U.S. government concentration (CIPP/G). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework. Michael serves as vice-chair for the ABA Science & Technology Section’s Homeland Security Committee.

Michael’s legal practice covers a wide range of counseling and litigation engagements at the intersection of government contracts and cybersecurity. His government contracts endeavors include supply chain security counseling, contract disputes with federal entities, suspension and debarment proceedings, mandatory disclosures to the government, prime-subcontractor disputes, and False Claims Act investigations. His privacy and cybersecurity practice includes cybersecurity compliance reviews, risk assessments, data breaches, incident response, and regulatory investigations.