Government Contracts Quarterly Update – February 2016 - Government Contracts, Procurement & PPP

The Government Contracts Quarterly Update is published by BakerHostetler's Government Contracts Practice team to inform our clients and friends of the latest developments in federal government contracting. In This Issue:

Supreme Court to Tackle Circuit Split Regarding Implied Certification
An Analysis of Fiscal Year 2015 GAO Bid Protest Statistics
GAO Sustains Protest Over Out-of-Scope Modification to Delivery Order
Organizational Conflicts of Interest Remain Important Concept for Contractors to Consider
Conflicts of Interest Lead to Successful Post-Award Protests
Cybersecurity Updates
Contractor's Appeal Received Five Minutes After Deadline, Dismissed as Untimely
Fiscal Year 2016 Omnibus Spending Bill
BARDA Funding for FY 2016
Government Contracting Updates in the 2016 NDAA
Seen and Heard
Legislative and Regulatory Roundup

Supreme Court to Tackle Circuit Split Regarding Implied Certification

On December 4, 2015, the Supreme Court of the United States granted certiorari in the case of Universal Health Services, Inc. v. Escobar, 780 F.3d 504 (1st Cir. 2015), cert. granted in part, 136 S. Ct. 582 (2015). By doing so, the Supreme Court agreed to address the long-standing circuit split regarding the viability of the implied certification theory in False Claims Act ("FCA") litigation. Under this theory, which has been recognized by most circuits (First, Second, Third, Fourth, Sixth, Ninth, Tenth, Eleventh, and D.C. Circuits), each invoice that a contractor submits is considered to impliedly certify the contractor's compliance with certain contractual and regulatory requirements.

The Fifth and Seventh Circuits have both declined to adopt the theory of implied certification, with the Seventh Circuit recently holding it would be unreasonable to extend FCA liability for noncompliance with the numerous federal statutes and regulations that are incorporated by reference into many government contracts. Oral arguments before the Supreme Court are expected in March or April of 2016, with a decision to likely follow in the summer of 2016. Contractors obviously may be hoping the Supreme Court will agree with the Fifth and Seventh Circuits, but the future of the implied certification theory will be especially murky until the court issues a decision. In the meantime, contractors—and especially their compliance personnel—must remain vigilant and maintain compliance with all federal requirements.

An Analysis of Fiscal Year 2015 GAO Bid Protest Statistics

Every year, the U.S. Government Accountability Office ("GAO") submits an annual report to Congress summarizing, among other things, overall bid protest filings for the previous fiscal year. The report for Fiscal Year ("FY") 2015 confirms trends we have previously observed. Most importantly, in 2015, as in previous years, over 40 percent of protesters received some form of relief, either through a sustained protest or through voluntary corrective action.

The GAO received 2,496 protests in 2015 and closed out 2,647 cases (this includes protests, cost claims, and requests for reconsideration). Protest filings have slowly but steadily increased since 2011, when 2,286 protests were filed.

Of the 2,647 cases closed in 2015, only 587, or 22.2 percent, reached a decision on the merits. The low number of merits decisions indicates that many protests are resolved early, through dismissal, voluntary corrective action, alternative dispute resolution, or withdrawal.

The most prevalent grounds for sustaining protests in FY 2015 were unreasonable cost or price evaluation, unreasonable past performance evaluation, unreasonable technical evaluation, failure to follow evaluation criteria, and inadequate documentation of the record. Although denials have continued to outweigh sustains at an increasing rate—the 12 percent sustain rate for these protests is the lowest figure of the past five years—the overall percentage of protests resulting in some form of relief, such as voluntary corrective action, ticked up to 45 percent. This is slightly higher than the previous four years and confirms a five-year trend in which protesters have consistently enjoyed an effectiveness rate of over 40 percent.

GAO Sustains Protest Over Out-of-Scope Modification to Delivery Order

In a recent victory for Google reseller Onix Networking Corporation, the GAO found that a government agency impermissibly used an existing delivery order to procure cloud-based email services from En Pointe Gov, Inc., a Microsoft reseller. En Pointe's delivery order, which it received through an agency schedule contract in 2013, called for renewal of software licensing agreements and related services for the agency's existing suite of Microsoft products. The agency subsequently modified the order by adding requirements for one of Microsoft's cloud-based email services. Onix protested the modification, arguing that the request for cloud-based email services fell outside the scope of the original delivery order and amounted to an improper sole-source modification. In its protest, Onix seized on the fact that prior to modifying the order, the agency had conducted a pilot program for both Microsoft's and Google's cloud-based email services, and concluded that Google's services were slightly preferred. The agency then issued a Request for Information to vendors with blanket purchase agreements for cloud-based email services. The agency received responses directly from Microsoft, as well as from Onix. After evaluating these responses, the agency concluded that only Microsoft's cloud-based email service met its needs, and subsequently modified En Pointe's delivery order to incorporate the agency's requirements for a cloud-based email service.

The GAO sustained Onix's protest, concluding that the original competition for En Pointe's delivery order did not contemplate the acquisition of a cloud-based email system. Moreover, the GAO observed that because the original competition was limited strictly to resellers of Microsoft products, later requirements which could potentially be met by non-Microsoft products would by definition fall outside the scope of the original delivery order. The Onix decision, which is noted as Onix Networking Corp., B-411841 (Nov. 9, 2015), stands as a stark reminder of the GAO's distaste for agency attempts to bypass competition requirements through de facto sole-source awards. Contractors should pay close attention to solicitations that seek name-brand products and services from their competitors or that include unnecessary specifications that only their competitors can provide. Contractors should also pay close attention to contract modifications on their competitors' contracts. When reviewing modifications, contractors should look to the original solicitation and imagine whether potential offerors could have reasonably anticipated the additional goods or services. If not, the modification is likely an improper, out-of-scope, sole-source modification.

Organizational Conflicts of Interest Remain Important Concept for Contractors to Consider

Before pursuing a new project, and even during contract performance, federal contractors should evaluate the potential for organizational conflicts of interest ("OCIs"). An OCI typically arises when a contractor is unable to render impartial assistance or advice to the Government, lacks objectivity in performing the contract work, or has an unfair competitive advantage. The Federal Acquisition Regulation ("FAR") describes three types of OCIs, termed as "unequal access to information," "biased ground rule," and "impaired objectivity" OCIs. An unequal access to information OCI presents itself when a contractor has access to nonpublic information not generally available to other competitors that gives the contractor a competitive advantage in procurement. Biased ground rule OCIs arise when a contractor, as part of its performance of a government contract, sets the ground rules for another government contract, which could skew the competition in favor of the contractor or its affiliates. Impaired objectivity OCIs occur when a contractor's work under a contract requires the contractor to evaluate proposals, products, services, or past performance of itself or a competitor, which could impair the contractor's objectivity in its evaluation in question.

Under the FAR, a contracting officer must identify and evaluate potential OCIs as early in the acquisition process as possible, and avoid, neutralize, or mitigate significant potential conflicts before the contract award. Even in the absence of an actual OCI, contracting officers are still obligated to take ameliorative steps when a potential contractor carries even the appearance of a conflict. Accordingly, OCIs play a major role in the contract formation stages of procurements, and OCIs are often the source of successful bid protests when they are not properly addressed by the relevant agency. Further, contractors often have a continuing obligation under executed contracts to notify the Government when OCIs are created through the contractor's work under other contracts.

Conflicts of Interest Lead to Successful Post-Award Protests

The GAO recently sustained two conflict of interest protests.

On November 6, 2015, the GAO sustained a protest from an unsuccessful bidder who argued that the agency's program manager—a potentially disgruntled former employee—should have been recused from the procurement based on the program manager's conflict of interest. The GAO found that even though the Contracting Officer was aware of the program manager's conflict of interest prior to issuing the solicitation, the Contracting Officer failed to address the conflict. The GAO recommended that the agency terminate the award, cancel the solicitation, and reimburse the protester for the costs of bringing its protest. That decision is noted as Satellite Tracking of People, LLC, B-411845.2 et al. (Nov. 6, 2015).

On November 9, 2015, the GAO sustained a second conflict of interest protest. In DRS Technical Services, Inc., B411573.2 et al. (Nov. 9, 2015), the GAO held that although the agency had adequately evaluated potential impaired objectivity conflicts for some aspects of the Performance Work Statement, it failed to adequately consider others. The GAO recommended that the agency terminate the award, conduct a more complete organizational conflict of interest evaluation, and reimburse the protester for the costs of bringing its protest.

These decisions are notable as rare instances in which protesters have received favorable merits decisions in conflict of interest cases before the GAO.

Cybersecurity Updates

In keeping with what appears to be a trend that shows no signs of letting up, there have been a number of proposed and interim changes to cybersecurity rules this past quarter. The proposals that may directly or indirectly impact federal contractors and subcontractors include:

DoD Cybersecurity Clause Class Deviation – In our last edition of the quarterly we covered the Department of Defense's ("DoD's") August 2015 interim rule that expanded the requirements for contractors and subcontractors to report cyber incidents under DFARS 252.204-7008 and 252.204-7012. On October 8, 2015, the DoD issued a class deviation that replaced DFARS 252.204-7008 and 252.204-7012 with revised clauses that give covered contractors up to nine months (measured from the date of contract award or modification incorporating the new clause(s)) to satisfy the requirement for "multifactor authentication for local and network access" found in Section 3.5.3 of National Institute of Standards and Technology ("NIST") Special Publication ("SP") 800-171, "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations." Under the revised clause, contractors are required to notify the Government if they need more time to satisfy the NIST SP 800-171 requirements. The deviation does not otherwise alter the requirements of DFARS 252.204-7008 and 252.204-2012.

DoD subsequently published a related interim rule on December 30, 2015, that further modified DFARS 252.204-7008, -7009, and -7012. Significantly, the interim rule further extends the deadline for contractors to comply with the security requirements specified in NIST SP 800-171 until December 31, 2017. Contractors are required to notify DoD within 30 days of contract award if they are not in compliance with any NIST SP 800-171 security requirements at the time of contract award. The notifications will be used by DoD to monitor progress across the defense industrial base, identify implementation trends, and identify issues that may require clarification or adjustment. The notifications will help DoD assess the overall risk to DoD-covered defense information (as defined in DFARS 204.7301) on unclassified contractor systems.

The interim rule also: 1) modifies the subcontract flowdown requirements in DFARS 252.204-7009 and 252.204-7012 to require, when applicable, inclusion of the clause without alteration, except to identify the parties; 2) limits the flowdown requirement for DFARS 252.204-7012 to subcontractors whose efforts will involve covered defense information or that will provide operationally critical support; and 3) removes the requirement in DFARS 252.204-7012 for DoD Chief Intelligence Officer acceptance of "alternative but equally effective security measures" prior to award. The interim rule was effective upon release on December 30, 2015, with comments due by February 29, 2016.
White House Cybersecurity Plan for Civilian Agencies and Contractors – On October 30, 2015, the White House issued a Cybersecurity Strategy and Implementation Plan ("CSIP") that directs federal civilian agencies to undertake a series of specific actions to identify and address cybersecurity gaps and priorities, articulated through five broad objectives: 1) prioritization and protection of high-value information and assets; 2) timely detection of and response to cyber incidents; 3) rapid recovery from incidents and adoption of lessons learned; 4) recruitment of highly qualified cybersecurity talent; and 5) efficient and effective acquisition and deployment of existing and emerging technology. While the CSIP applies directly to federal civilian agencies, the resulting actions likely will result in new cybersecurity requirements for contractors, as well as opportunities for contractors to help implement new technologies. The CSIP specifically directs the General Services Administration ("GSA"), in coordination with the Office of Management and Budget, to research contract vehicle options and develop a capability to deploy incident response services that can quickly be leveraged by federal agencies, with a finalized acquisition process in place by April 30, 2016.
FedRAMP Opens Comment Period for High Baseline Draft – On December 21, 2015, the GSA released an updated draft of the Federal Risk and Authorization Management Program's ("FedRAMP's") "high baseline" cloud security standards. In accordance with FIPS 199, the draft sets a baseline at the High/High/High level for confidentiality, integrity, and availability and is mapped to the security controls from the NIST SP 800-53, Rev. 4 catalog of security controls. The open comment period for the draft began on December 18, 2015, and ended on January 8, 2016. Under NIST SP 800-53, Rev. 4, all Cloud Service Providers ("CSPs") had to transition to the FedRAMP Revision 4 requirements by the end of the 2015 calendar year. Starting in 2016, the FedRAMP program office—including the Joint Authorization Board and Authorities to Operate ("ATOs") submitted through agencies—will only accept documentation proving a CSP's ability to meet NIST SP 800-53 Rev. 4 standards.

Meanwhile, the federal government has been a strong critic of its own response to cyber threats:

OPM Chastised Over Post-Breach Cybersecurity Contract – On October 30, 2015, the U.S. Office of Personnel Management ("OPM") Office of the Inspector General ("OIG") released a memorandum publicly stating that OPM's Office of Procurement Operations ("OPO") violated the FAR and the agency's own contracting requirements when it awarded an anti-identity theft and credit-monitoring contract in the wake of a high-profile hack last summer. After performing a special review of the procurement, the OPM OIG issued a subsequent report on December 2, 2015, that found OPO's procurement and award violated numerous FAR provisions, including the use of an incomplete statement of work, inadequate market research, incomplete acquisition planning, a blanket purchase agreement call order that exceeded the limitations of FAR Subpart 13.5, and incomplete and unreliable documentation of the procurement. Related to the OPM breach, the Chinese government claimed in September 2015 that it had arrested a handful of hackers it says were connected to the breach. The breach involved information about more than 22 million current and former federal employees and contractors.
GAO Says Federal Agencies Still Haven't Followed Cyber Advice – On November 17, 2015, the GAO issued a report alleging that federal agencies still have not implemented nearly half of the GAO's recommended information security practices—despite several recent high-profile breaches. According to the report, federal agencies have yet to implement some 42 percent of the GAO's recommendations from the past six years. According to the report, among the 24 agencies covered by the Chief Financial Officers Act, cybersecurity was a significant deficiency or material weakness for 19 of them. In addition, most of those 24 agencies had weaknesses in limiting, preventing, and detecting inappropriate access to computer resources. The report concluded that until agencies take action, their information will be at an increased risk of cyber-attacks.

Contractor's Appeal Received Five Minutes After Deadline, Dismissed as Untimely

The Civilian Board of Contract Appeals recently held that a contractor's appeal, which was received five minutes late, was untimely and must be dismissed for lack of jurisdiction. Estes Brothers Construction, Inc., submitted a claim for extra compensation on a Federal Highway Administration contract. The Contracting Officer denied the claim. The Board's rules specify that email filings received after 4:30 pm will be deemed filed on the next working day. Estes did not email its notice of appeal, however, until 4:35 pm on the day of the deadline. The Board dismissed the appeal for lack of jurisdiction. Although Estes could still file its appeal in the Court of Federal Claims, ideally a contractor's choice of fora is a strategic decision. The Board's decision is yet another reminder that contractors must be wary of procedural rules and deadlines. Late is late.

Fiscal Year 2016 Omnibus Spending Bill

On December 18, 2015, President Obama signed the Consolidated Appropriations Act, 2016, also known as the omnibus spending bill. Passage of the bill averted a government shutdown and funded the federal government through the end of FY 2016. The bill provides $1.067 trillion in base-level discretionary funding. This includes $548 billion for defense spending and $518 billion for nondefense spending. The bill also provides for an additional $73.7 billion in funding for Overseas Contingency Operations. Relevant to government contractors, the bill provides for increased discretionary funding for military construction projects and the Department of Veterans Affairs.

BARDA Funding for FY 2016

The Consolidated Appropriations Act granted the Biomedical Advanced Research and Development Authority ("BARDA") $511.7 million for FY 2016. Project BioShield, a program administered by BARDA but funded separately, received $510 million. This year's appropriations continue the recent year-on-year trend of improved annual appropriations for BARDA. The $510 million appropriation for Project BioShield nearly doubled that provided in FY 2015. And BARDA's FY 2016 appropriations come on top of previously appropriated emergency funding for Ebola Response made available through FY 2019. In its FY 2016 budget request and justification, BARDA indicated that it would expend a significant amount of its funding on efforts to combat antibiotic-resistant bacteria.

Government Contracting Updates in the 2016 NDAA

On November 25, 2015, President Obama signed the National Defense Authorization Act for Fiscal Year 2016 ("2016 NDAA"), following a prolonged conflict with Congress that saw the president veto an earlier version of the bill in October. In conjunction with the consolidated appropriations bill signed into law on December 18, 2015 (see "Fiscal Year 2016 Omnibus Spending Bill"), the 2016 NDAA sets funding levels and budget priorities for the DoD for FY 2016.

In addition to this budget authorization, the 2016 NDAA also provides for significant modifications to DoD's acquisition policies and procedures, aimed at expanding DoD's sources of supply by engaging potential contractors that do not ordinarily cater to the DoD, including commercial item suppliers, small business concerns, and nontraditional defense contractors. Among the greatest benefits to commercial item suppliers is a provision directing the Secretary of Defense to centralize the procedures for making commercial item determinations in DoD acquisitions, to make these determinations publicly available, and to give greater weight to prior determinations regarding the cost reasonableness and acceptability of commercial items. Small businesses benefit from an extension of the DoD Mentor-Protégé Program through FY 2018. The extension includes expanded reporting and data collection requirements that will ostensibly aid the DoD in improving the program in future years.

The 2016 NDAA also permanently codified the DoD's Other Transaction Authority ("OTA") for prototype projects with nontraditional defense contractors—which had been set to expire in 2018—and expanded the types of contracts which may be awarded thereunder. Under DoD's OTA, the DoD is permitted to enter into transactions outside the scope of ordinary contracts, grants, and cooperative agreements for prototype projects with nontraditional defense contractors aimed at improving mission effectiveness, so long as the other parties to the transaction assume at least one-third of the total cost of the project. The 2016 NDAA also authorizes DoD to award follow-on production contracts to contractors that successfully develop prototypes under these transactions if the participants were selected through competitive procedures.

Government Contracting Updates in the 2016 NDAA

Seen and Heard

Partner Kelley Doran and Counsel Barron Avery spoke on the panel "Government Contracts and Organizational Conflicts of Interest: Conflicts in an Increasingly Conflicted World" at the Geospatial & Remote Sensing Law Workshop, hosted by the United States Geospatial Intelligence Foundation at the General Dynamics Information Technology facility in Springfield, Virginia, on November 18, 2015. Partner Bill Bergmann also participated in the workshop by moderating the panel "Government Contracts and Intellectual Property: Playing a Critical Role in Geospatial Contracting."

Partner Kelley Doran traveled to San Francisco, California, on January 12, 2016, to attend Life Science Nation's Redefining Early Stage Investments (RESI) Conference at the Marines' Memorial Club & Hotel.

Members of BakerHostetler's government contracts team attended the West Government Contracts Year-in-Review Conference, held at the Omni Shoreham Hotel in Washington, DC from February 16 to 19, 2016.

Legislative and Regulatory Roundup

We have been tracking legislative and regulatory actions relevant to government contractors in order to keep you better informed about new developments that are likely to impact procurement policies and rules.

Legislative Updates

Regulatory Updates

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.