The streak eventually had to end. The National Institutes of Health Information Technology Acquisition and Assessment Center (NITAAC) had won 22 straight protests of its CIO-SP4 acquisition. But like all great runs, there finally was something it couldn’t overcome.
GAO on Nov. 23 ended that streak when it sustained part of Computer World Services Corp.’s protest of the CIO-SP4 solicitation.
CWS claimed it was unreasonable, and unequal treatment of bidders, that large businesses participating in a mentor-protégé program with a small business could submit only two examples of past performance, while other joint ventures or teaming arrangements could submit three.
GAO agreed with CWS after NITAAC could not sufficiently defend its position.
“Agencies can shape their solicitation criteria any way they want, but they need to be able to explain it, and they weren’t able to come up with one here,” said Michelle Litteken, a counsel at Morris, Manning and Martin, who represented CWS before GAO. “They didn’t explain why they were treating a joint venture with a large mentor differently from other partnerships.”
NITAAC is using a scoring sheet approach where bidders receive points for meeting certain gate criteria. Based on the current solicitation, large businesses submitting proposals as part of a mentor-protégé joint venture couldn’t earn as many points as other bidders, creating what CWS saw as unequal treatment.
Litteken said that by not imposing the same limitations on all teams, NITAAC is making it more difficult for these mentor-protégé teams to win a spot.
“You can treat people differently if you have a reason for doing it. You can have different point categories if a bidder is large or an emerging large or a small business. But there has to be a justification, and even GAO hints at that in its decision that there could be a reasonable way for the agency to explain what they are doing, what they did, but NITAAC didn’t do it so GAO sustained the protest,” she said. “If agency lawyers had come up with a better explanation we may have lost, but they weren’t able to.”
Reviewing GAO’s decision
NITAAC acting director Brian Goodger said in a statement to Federal News Network that the office is reviewing the GAO decision.
“NITAAC is working with our Office of General Counsel in reviewing the recommendations by GAO to consider next steps. Our government customers can rest assured that the NITAAC suite of IT contracting vehicles will continue to provide best in class IT services both now and well into the next calendar year, if needed,” Goodger said.
NITAAC had successfully defended its approach to CIO-SP4 against the almost two dozen other protests. Of the 22 other protests, three have been denied by GAO, 12 have been dismissed and five were withdrawn. The CWS protest was considered three separate filings, two of which GAO did deny.
Despite the protest wins, NITAAC has come under pressure from industry associations and companies for its approach. Multiple amendments and changes to the solicitation and the extension of due dates left many in industry frustrated and confused.
Some in industry continue to believe CIO-SP4 will buckle under all the problems and pressure in 2022. Right now, it’s hard to know what the future of CIO-SP4 looks like, but if past is prologue, NITAAC seems to be on the right track given its track record of wins.
NITAAC is expected to make the first set of awards by the end of February.
“We fully expect and intend CIO-SP4 will be awarded in a timely manner. If there is a delay in the award date of CIO-SP4, please know CIO-SP3 and CIO-SP3 Small Business may be extended up to a year and NITAAC will ensure there is no gap in contractual coverage between CIO-SP3 and CIO-SP4,” NITAAC wrote on its website on Nov. 4.
CISA, GSA team up on cyber acquisitions
The Cybersecurity and Infrastructure Security Agency is, once again, teaming up with the General Services Administration to bring more cybersecurity services to civilian agencies.
CISA, a component of the Homeland Security Department, has through GSA released two interesting requests for information over the last few weeks.
The most recent one, for protective email services, would build on the DHS effort from more than four years ago when it mandated the use of Domain-based Message Authentication, Reporting and Conformance (DMARC) standards.
GSA, on behalf of CISA, issued a request for information seeking industry feedback on three possible approaches to protective email services and on the initial set of general and core capabilities of those services. It also asked vendors to describe their current approach and its risks, and to make recommendations.
CISA wrote in the RFI that its goals for the protective email service are to:
Normalize and provide baseline security and visibility for federal civilian agency email.
Detect and protect federal enterprise from malicious email content as part of the CISA mission to manage FCEB risk.
Detect and prevent the federal enterprise email from being used as a vector for malicious threat actors against itself and non-federal entities.
Provide appropriate visibility into agency email traffic to enable CISA Global Operators to conduct cyber hunt and incident response.
Be able to leverage CISA’s and federal civilian agency entity data holdings in cyber hunt, prevention, mitigation and incident response activities.
Responses to the RFI are due Dec. 20.
The second RFI, from Oct. 14, is for endpoint detection and response (EDR) capabilities. This is part of CISA’s requirements under the May cyber executive order from President Joe Biden.
“CISA is executing an approach where major investments in validated EDR tools can be expanded at agencies. In this model, CISA would, in full collaboration with agencies and their security operations staff, identify and validate specific EDR tools that are functionally capable and compatible with CISA’s mission to unify the federal civilian executive branch (FCEB) enterprise in enabling coordinated threat detection and response,” the RFI stated. “This approach is inclusive of evaluating the existing investments agencies have made in their EDR tooling (and security processes), and soliciting from agencies true technology needs (i.e., gaps in functionality and/or coverage).”
Knowing that agencies already have some of the necessary tools, CISA plans to work with agency security operations centers (SOCs) to fill any existing gaps in EDR platforms.
Responses to this RFI were due Nov. 15.
Both of these RFIs signal the continued growth of services that CISA will either provide or manage on behalf of agencies. The big question that remains is whether adding more tools and capabilities is what’s needed, or, as Alan Paller used to beat the drum for, whether CISA and agencies should focus more on people and soft skills, because in the end the tools can’t stop people from doing dumb things. Maybe the next RFI will be for cyber workforce training instead of more tools, to help address this constant shortcoming of all organizations.