As the fourth quarter of 2024 ends, our Government Contracts Editorial Team pored over the numerous GC developments it has tracked over the last three months to identify those it deems most significant to government contracting professionals and advisors.
Rule Establishes DoD’s Cybersecurity Maturity Model Certification Program
A final rule codifies Department of Defense (DoD) regulations to establish the Cybersecurity Maturity Model Certification (CMMC) Program to verify that contractors have implemented the security measures required to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The mechanisms discussed in this rule allow DoD to confirm a contractor or subcontractor has implemented the security requirements for a specified CMMC level and maintains that status—including level and assessment type—across the performance contract period.
Currently, contracts involving the transfer of FCI to a non-government organization follow the requirements specified in the clause at FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems. To comply with DFARS 252.204-7012, contractors must develop a system security plan (SSP) detailing the policies and procedures their organization has in place to comply with NIST SP 800-171. Essentially, an SSP describes the cybersecurity plan the contractor has in place to protect CUI. The SSP serves as a foundational document for the required NIST SP 800-171 self-assessment. To comply with DFARS 252.204-7019 and DFARS 252.204-7020, a contractor must submit self-assessment scores. If a contractor’s Supplier Performance Risk System (SPRS) score indicates a security gap exists, the contractor must create a plan of action that identifies security tasks that still need to be accomplished. The SSP must address each NIST SP 800-171 security requirement and explain how the requirement is implemented. This can be through policy, technology, or a combination of both.
In addition to the supplementary information contained in the rule, DoD has created a series of guidance documents to assist organizations in better understanding the CMMC Program and the assessment process and scope for each CMMC level. These guidance documents are available on DoD’s CMMC website at https://dodcio.defense.gov/CMMC/Documentation/ and on the DoD Open Government website at https://open.defense.gov/Regulatory-Program/Guidance-Documents/.
Source: GOVERNMENT CONTRACTS REPORTS No. 2772
FAR Rule Updates SAM Registration Requirements
The interim rule associated with FAR Case 2023-018 amends the FAR to clarify System for Award Management preaward registration requirements. This particular change was pivotal to recent bid protest decisions by the Court of Federal Claims and Government Accountability Office. While the nature of the procurements and associated remedies varied, the decisions uniformly highlighted FAR 52.204-7(b)(1) as requiring an offeror to be registered at the point of offer submission and maintain that registration through contract award. The application of FAR 52.204-7(b)(1) in recent bid protest decisions represented a barrier to entry and a significant disruption to the industrial base and the government agencies it supports, which warranted immediate action. The change clarifies that the offeror must be registered at the time of offer submission and at the time of contract award, but would not be required to be registered at every moment in between those two points. The rule is expected to mitigate the risk of more litigation and mission delay.
Source: GOVERNMENT CONTRACTS REPORTS No. 2776
GAO Releases FY 2024 Bid Protest Report
The Government Accountability Office has released its Bid Protest Annual Report to Congress for Fiscal Year 2024. According to the report, GAO received 1,803 cases in the 2024 fiscal year, consisting of 1,740 protests, 33 cost claims, and 30 requests for reconsideration. GAO closed 1,706 cases in FY 2024, with 346 of them being attributable to GAO’s jurisdiction over task order protests.
Of the protests resolved on the merits, GAO sustained 16 percent of them, down from 33 percent in FY 2023. The most prevalent reasons for sustaining protests during FY 2024 were unreasonable technical evaluations, flawed selection decisions, and unreasonable cost or price evaluations. The FY 2024 “effectiveness rate” was 52 percent. Further, GAO used alternative dispute resolution in 76 cases, and the percentage of those cases resolved without a formal GAO decision—or “success rate”—was 92 percent. A significant number of GAO protests do not reach a decision on the merits because agencies voluntarily take corrective action in response to the protest rather than defend the protest on the merits.