Interview transcript

Terry Gerton You’ve got an interesting story about a protest this morning from a company who actually won the bid. Tell us about that.

Zach Prince Sure. So this involved a Department of Homeland Security procurement from ICE for detention services for folks detained for immigration law violations. So the protester here is a company, Active Deployment Systems. They’re a Texas-based company that markets itself as specializing in rapidly deploying and operating temporary facilities — so, exactly what ICE is looking for for this procurement. So ICE said that they were going to be issuing five or more IDIQ contracts, and then task orders would be competed for particular tasks. Each of the offerers would bid on only those types of tasks that they want to be considered for going forward. ADS, Active Deployment Systems — they received an award, but they were one of 42 offerers that received the award. And you get the sense reading the protest that they don’t like the fact they’re competing now with fewer, slightly fewer than they were competing with for the IDIQ award, but not many. So it’s still gonna be big, big competitions going forward. Maybe they’re trying to level or eliminate some of those competitors.

Terry Gerton So this was an IDIQ contract, right? Does this what does this tell us about the structure of these? Was ADS’s expectation reasonable in terms of the number of winners that they would have?

Zach Prince No, and in fact this is happening pretty commonly where agencies have these very large IDIQ awards that they might issue 50, 100+ individual IDIQs that, it does narrow the playing field a little bit going forward, but what it really does for the agency is speed along the competition for that next stage when they actually have the identifiable requirements that they’re going to have bids on.

Terry Gerton And you can kind of understand ADS’s perspective. I guess the fewer the competitors on — or the fewer the awardees — on the actual contract, the more likelihood they have of winning those orders and the higher their revenue might be. So their projections might have been off a little.

Zach Prince Yeah, that’s right. And you know, I think the better arguments that they had here, and maybe their real concern was about the price structure of this IDIQ. But the problem was that they raised these challenges while also submitting a bid for a contract they received, right. So to tell you a little bit more about that, for each of the objectives that you could bid on for this IDIQ, there was a set pricing volume that contained the government’s independent government estimate for what prices should be to be fair and reasonable. Among those estimates was a hard cap, essentially a hard cap on prices per bed per detainee. ADS argue that this harms them if they’re stuck with this because it might put them in a losing position going forward for the actual task orders.

Terry Gerton So the court kind of said that, well, the time to challenge that is not after you’ve won, but before you’ve won, right?

Zach Prince Yeah, that’s right. And they did try, to give ADS credit. They challenged this at the agency level and an agency level protest. But agency level protests don’t actually stop anything. They just tell the agency, hey, we think this is unworkable. You’re hoping the agency looks at it and says, Oh, yeah, you’re right. But here they didn’t. So, you know, ADS took a contract based on this price structure that they think isn’t proper. And as the court noted, they don’t have to bid on any task orders. So if they really think that this is a losing proposition for them, first of all, they shouldn’t have bid on the contract. And the same thing is true for the 50 something other offerors. But now they don’t have to take losing contracts. They can do the analysis on a task order basis and say, we don’t want to be part of this. Whether it’s good business for the agency, well, maybe not, but I think the agency was moving quickly and just wants to get this thing done for urgent needs to be fulfilled.

Terry Gerton I’m speaking with Zach Prince. He’s a partner at Haynes Boone. So we talked a little bit about ICE’s strategy and you’re seeing this more often in these IDIQs, where agencies will bring on a lot of winners and then use this as a means to simplify later competition.

Zach Prince Yeah, we are seeing quite a lot of this. And I think there are a couple reasons for it. One is perhaps strategically, from a protest perspective, that this — if you just issue contracts essentially to everyone who submitted a reasonably responsive offer, then you’re limiting the IDIQ level protests, which generally can be heard at various forums, Court of Federal Claims, GAO. Maybe then you could have protests of the task order competitions, but those are limited only to GAO and only when they’re above certain dollar values. So the protest possibility becomes much more limited. You also can only have protests for whoever bid on the initial IDIQ or from whoever bid on the initial IDIQ. So it might be a management of protest strategy. It might just be because if you can get a framework in place from the agency that has the pricing mechanisms and the ordering mechanisms, it makes it a lot faster to buy what you need later on.

Terry Gerton So do you take any lessons from this particular protest resolution on how the court views these kind of arguments?

Zach Prince Yeah, I think in general, even if you haven’t waived an argument because you didn’t bring it up before, which it usually is the case. That is, if you submit a proposal and you have arguments that the solicitation was ambiguous or otherwise flawed, you can’t then complain later. That’s not always the case if you’ve launched agency level protests like ADS did here or there’s some other exception. But you really can’t have your cake and eat it too in this regard. And contractors are in a tough position, because you don’t want to be kicked out of competition for choosing not to bid. You don’t want to annoy the customer by protesting, perhaps unnecessarily, in advance. But if you don’t have clarity on terms or you’re gonna have to accept terms you don’t like, the protest mechanism is what’s there for you.

Terry Gerton Then should contractors change the way they approach these large IDIQs? Is there a different competition strategy that they should be employing to be more competitive going forward?

Zach Prince I don’t think there really is, unfortunately. I think — I have this conversation with clients all the time where there is a very ambiguous RFP, RFQ. I don’t know what it means. The agency won’t respond to questions and it makes a significant difference for the business on how they put their proposal together. But if they don’t bid, then they’re totally out of the game. If they bid making assumptions that prove to be unwarranted because the agency thinks it means something else, they might take a loss. So they could protest and annoy the customer and potentially delay the procurement. They can’t always protest because the protest rights are not so sweeping. And it also costs a lot of money. Or they just proceed and hope for the best.

Terry Gerton Or as the court told ADS, don’t take an order.

Zach Prince Yeah, that’s right. And I think ADS is likely going to take orders. I mean that was what they told the court. They want to keep this contract.

Terry Gerton This is an interesting case, Zach. Thanks for sharing it with us today.

Zach Prince Sure. Thanks for having me, Terry.

The post A protest from a winner? A recent case shows why timing matters when challenging solicitation terms first appeared on Federal News Network.

Interview transcript:

Jared Serbu: Dan, we now have a final rule, actually multiple final rules, telling us where the Defense Department is headed with CMMC. It’s been a long time coming. As we sit here in the fall of 2025, I mean, generally, how would you assess the level of clarity that folks have about how this is going to play out once we start really moving into the implementation stage here?

Dan Ramish: Well, Jared, I would say there are some questions about how the rollout will take place and the final rule included in Title 48 actually created some new questions. So one of the big questions, there are two central pieces of the CMMC program, really. One of them is that over time, these verification requirements will be implemented and that’ll include for most contractors that have contracts involving CUI, a certified third-party assessment, but the other piece of CMMC is that contractors are actually going to have to have a passing score that they are implementing cybersecurity requirements whereas currently, they only need to do an assessment and report the summary scores of that assessment without reference to having a particular passing score, having implemented a certain number of the security requirements. So this is going to be a big deal starting November 10th. Some contracts will require contractors to have a certain level of cybersecurity implementation with regard to the 110 cybersecurity requirements in this data 171. The question is which contracts will have the CMMC clause and which won’t. And it’s going to matter so much because again it’s going to be an issue of eligibility for award. So you could lose out on a contract if you don’t have sufficient cybersecurity compliance. And the uncertainty here stems from the fact that there is language in the Title 32 rule and the Title 48 rule that is different. So the Title 32 rule suggests that DoD, as of Phase 1, which begins on November 10th, 2025, intended to include the CMMC statuses in clauses in all contracts and solicitations. Whereas the Title 48 rule, that came out in September, says that during the first three years the CMMC requirement will be included in only certain contracts. So it’s unclear which contracts will or won’t have it, or whether all contracts will have the CMMC clause or not.

Jared Serbu: But I think part of the take-home message there is you as a potential bidder or potential offer on any of these contracts have no control over what DoD ends up doing on any particular contract and whether the clauses are going to be included or not. So that probably means it’s time to be ready no matter what.

Dan Ramish: That’s right. Contractors shouldn’t be rolling the dice and potentially losing out on an important contract opportunity that may include the CMMC clause.

Jared Serbu: And so what do we know about, as you just did a great job of taking us through, there’s a lot of murkiness about which contracts are going to include this or not. But what do we know about sort of the process DoD is going to use to decide whether those clauses are going end up going into those contracts, at least during this first phase where they’re leaving themselves quite a bit of discretion?

Dan Ramish: So the Title 48 rule basically says that it’ll be up to the requiring activity to make the determination of CMMC that the CMMC program office will direct the component program offices as to inclusion of the requirement. The other issue, besides whether the clause will be in the contract at all, is whether self-assessment will be included or whether some contracts may include certification assessment for CMMC Level 2 and there’s discretion in that as well. There is a little bit more guidance as to that piece of it, when the decision might be made to include a certification assessment requirement. DoD’s frequently asked questions says that PMs should only make use of the discretion to include C3PAO assessment during Phase 1. When informed by adequate market research, there’s reason to believe there are enough qualified offerors, including their subcontractors, to provide adequate competition. So if there are enough contractors that have a certification assessment for a particular requirement, then there’s a greater chance that DoD might decide to include a certification assessment and you could lose out even if you have self-assessed and are compliant, either conditionally or fully compliant.

Jared Serbu: Yeah and one of the things that comes to mind here is it may be an incentive against over-classification in some cases here, of course, a problem that has been existent in the government for a long time. If you run into a situation now where whether you’re designating things as CUI or not could determine whether or not you need to have CMMC in a contract, that could be a fairly powerful force on the government side to at least make you take a second look at the requirements in your contract and say, ‘Hey, is this really CUI or not?’

Dan Ramish: Yes. Well, and the backdrop to that is that a significant portion of the defense industrial base isn’t at the full passing score as yet for CMMC Level 2. And there have been a number of studies, one of them fairly recently from a company called CyberSheath, that suggested that the median SPRS score based on 300 survey respondents was 60, whereas the full compliance score is 110. So a lot of contractors have work to do and DoD requiring activities, of course, want to get their products and services from the contractors. And so on the one hand, the cybersecurity concerns are real, the national security implications of cybersecurity are real. But on the other hand, the Department of Defense needs to get their stuff. And so this has always been the tension all along. And I hope that you’re right that as the stakes increase with the CMMC clause that the government will take a more serious look at what really needs to be marked as CUI and be more discerning in that. But part of the challenge is that there isn’t at this stage a standardized method for indicating, identifying what CUI will be involved in the given contract. That’s something that’s addressed in the FAR CUI proposed rule. But that is kind of on hold with the whole Revolutionary FAR Overhaul that’s taking place. So there’s still going to be some challenge and some need for informal communication between prime contractors and the government or between subcontractors and prime contractors to figure out even what is going to be CUI under a contract.

Jared Serbu: Yeah, I want to make sure I’ve got my head around that last piece. So you as a vendor, when you see an RFP, you may not necessarily know just based on those solicitation documents whether or not there’s going to be CUI involved in performance of the work. And you may not know at the outset whether or at what level you need to be compliant with CMMC. Is that the upshot of all that?

Dan Ramish: Well, so there will be a designation of what CMMC level is required. The clause will designate which CMMCs level is required, but just because CMMC Level 2 is designated for a given solicitation or contract, doesn’t mean that all information that is provided by the government or that’s generated in performance is going to be controlled on classified information and it’s important to know what specific information is subject to handling and dissemination controls because contractors need to take appropriate precautions and they may have CUI on some information systems and not on others. And so ensuring that they are properly directing the flow of materials that are actually CUI is critical for compliance with the cybersecurity requirements. And so if they don’t have that information, if that’s not clearly indicated in the contract because there is no standardized form for that to happen, as yet, that creates a challenge.

Jared Serbu: Yeah, and you mentioned earlier that this is not the time to roll the dice anymore. But are there some areas or windows where, depending on the type of work you do, you can get away with completely avoiding CMMC altogether? Are there places where contractors really can still play and not worry about anything that we’ve been talking about the last 10 minutes?

Dan Ramish: So this is a big point of debate because, so CMMC Level 1 is actually going to apply to the largest portion of the Defense Industrial Base. And CMMC Level 1 corresponds to the basic safeguarding requirements that are currently in the FAR and those requirements are intended to be less onerous, but they are government-unique requirements. And to get out of even CMMC Level 1, there are really two ways around it. One of them is, there is an exception for COTS items. So if a contract is solely for a COT, commercially available off the shelf, that’s one exception. There’s going to maybe be greater need to drill down on what specifically is COTS. Of course, we live in an age where if you’re buying something off the shelf, there may be different options, and if the same options are available to the government as are available in the commercial marketplace, does that still make it COTS? There are questions like that where there could be gray areas. The other piece is federal contract information. If there’s no federal contract information, then CMMC Level 1 isn’t going to be required, assuming there also is CUI. Federal contract information is just non-public government information that’s involved in the contract. And the way that is interpreted by the government is going to important because, of course, a lot of the information that is involved in contract performance is going to be accessible through the Freedom of Information Act. But the Department of Defense declined to say that anything that’s foible is not FCI. So it may be challenging to demonstrate that you don’t have any non-public federal information. There are going to be some exceptions if the government makes the information publicly available like on a public website or certain financial payment information isn’t going to be FCI. But short of that, I think it will be interesting to see whether there are questions about getting out of CMMC altogether based on the lack of FCI.

The post New CMMC rules take effect Monday, with contractors facing uncertainties first appeared on Federal News Network.