Gordon Rees Scully Mansukhani presents the latest insights from our Government Contracts practice group, offering a comprehensive overview of recent significant decisions, regulatory changes, and essential updates for businesses contracting with federal and state governments. Our team compiled the most pertinent legal developments to keep you informed in the dynamic landscape of government procurements.
For further information, please reach out to Patrick Burns or Meredith Thielbahr and be sure to tune into The Essential GovCon Brief podcast for an in-depth discussion of the issues highlighted here.
Agency Regulations:
CMMC 2.0: DoD Issues Final Cybersecurity Rule—Key Changes for Contractors
Overview: The Department of Defense (“DoD”) issued the final rule for its Cybersecurity Maturity Model Certification (“CMMC”) Program, which sets rigorous, standardized cybersecurity requirements for federal contractors to protect Controlled Unclassified Information (“CUI”) and Federal Contract Information (“FCI”).
Key Aspects of the Final Rule:
- Tiered Model: CMMC defines three levels of cybersecurity standards, each corresponding to the sensitivity of the information handled. Contractors must implement the appropriate level based on the type of information they process.
- Assessment Requirements: The program mandates assessments to verify that contractors have implemented the required cybersecurity practices. Depending on the CMMC level, assessments may be self-conducted or performed by third-party assessors.
- Phased Implementation: CMMC will be introduced in four phases over three years. Contractors handling FCI and CUI will need to achieve the specified CMMC level as a condition for contract awards.
Summary of the Three CMMC Levels:
- Level 1 (Foundational): Focuses on basic cybersecurity practices to protect FCI. This level requires the implementation of 15 safeguarding requirements as specified in Federal Acquisition Regulation (“FAR”) clause 52.204-21. Assessments at this level are typically self-conducted.
- Level 2 (Advanced): Designed to protect CUI, this level includes the 110 security requirements outlined in National Institute of Standards and Technology (“NIST”) Special Publication 800-171. Assessments may be self-conducted or performed by a Certified Third-Party Assessment Organization (“C3PAO”), depending on the specific contract requirements.
- Level 3 (Expert): Intended for contractors handling the most sensitive CUI, this level requires compliance with a subset of NIST SP 800-172 enhanced security requirements. Assessments at this level are conducted exclusively by the DoD.
Phased Implementation of CMMC:
The DoD will implement CMMC through a structured, four-phase rollout over three years, aiming for a smooth transition for contractors.
- Phase 1: Begins on the effective date of the CMMC revision to Defense Federal Acquisition Regulation Supplement (“DFARS”) 252.204-7021 (estimated early to mid-2025). Select contracts, primarily high-priority programs, will include CMMC requirements.
- Phase 2: Commences six months after Phase 1. The inclusion of CMMC requirements expands to a broader range of contracts, increasing the number of contractors required to certify.
- Phase 3: Starts 12 months after Phase 2. CMMC requirements become more widespread, encompassing a significant portion of DoD contracts involving FCI and CUI.
- Phase 4: Initiates 12 months after Phase 3. At this stage, CMMC requirements apply to all DoD contracts, ensuring comprehensive implementation across the defense industrial base.
Notable Changes from CMMC 1.0:
- Streamlined Levels: The updated framework consolidates the previous five levels into three, simplifying the certification process.
- Flexible Assessment Options: For certain levels, particularly Level 1 and some Level 2 contracts, contractors can perform self-assessments, reducing the need for third-party evaluations.
- Enhanced Clarity on Subcontractor Requirements: The final rule provides detailed guidance on how CMMC requirements flow down to subcontractors, ensuring consistent cybersecurity practices throughout the supply chain.
Action Items for Contractors:
- Review the Final Rule: Familiarize yourself with the finalized CMMC requirements to understand the specific obligations for your organization.
- Assess Current Cybersecurity Practices: Evaluate your existing cybersecurity measures against the CMMC standards to identify areas needing improvement.
- Plan for Certification: Develop a timeline and allocate resources to achieve the necessary CMMC level before it becomes a prerequisite for contract awards.
Effective Date: December 16, 2024.
Proposed Changes to Nonavailable Articles Under Buy American Act
Overview: The DoD, General Services Administration (“GSA”), and the National Aeronautics and Space Administration (“NASA”) proposed changes to the FAR list of nonavailable articles, under the Buy American Act, to encourage domestic sourcing. The Buy American Act (41 U.S.C. §§ 8301-8305) requires federal agencies to procure goods produced in the United States. However, certain articles are designated as "nonavailable" when they cannot be mined, produced, or manufactured domestically in sufficient and reasonably available commercial quantities or of satisfactory quality. This designation allows agencies to procure these items from foreign sources without violating the statute.
Key Changes: The proposed rule removes 70 articles from the nonavailability list, including commonly imported materials such as mica, olive oil, and platinum, as well as items deemed obsolete or with limited demand. The rule also mandates that individual waivers be publicly posted on MadeinAmerica.gov, providing contractors with greater visibility into potential U.S. production opportunities. Furthermore, a new oversight mechanism will evaluate requests to add items to the nonavailability list.
Impact: The rule encourages agencies to conduct more thorough market research before assuming nonavailability, fostering a broader and more competitive domestic supplier base. Increased transparency in the waiver process is expected to help new and existing domestic suppliers identify potential federal contract opportunities. Over time, the shift from broad regulatory waivers to case-specific waivers could strengthen U.S. supply chains, diversify the contractor base, and reduce reliance on foreign-made items.
Comment Submission Deadline: December 23, 2024.
SBA Proposes Rule to Boost Small Business Participation in Multiple-Award Contracts
Overview: The Small Business Administration (“SBA”) proposed a rule to increase small business participation in multiple-award contracts by expanding the application of the "Rule of Two." This rule mandates setting aside contracts for small businesses when there are at least two competitive small-business offerors. The proposed rule aims to increase the share of government contracts awarded to small businesses.
Key Changes: Under the proposed rule, agencies must apply the Rule of Two for orders under multiple-award contracts whenever feasible, except in specific cases, such as Federal Supply Schedule orders or when an agency-specific exception applies. Contracting officers must document any decision not to set aside an order for small businesses and consult with small business specialists. Additionally, agencies are encouraged to reserve at least 30% of multiple-award contract slots for small businesses to promote ongoing small business engagement.
Impact: The rule is expected to create more contracting opportunities for small businesses, including disadvantaged small businesses, by applying the Rule of Two more broadly and transparently. This change should enhance competition, boost diversity in the federal contracting landscape, and help the government meet its goal of awarding 15% of contract spending to small, disadvantaged businesses by FY 2025. The documentation requirements also strengthen oversight, ensuring that small businesses are prioritized when agencies make procurement decisions.
Comment Submission Deadline: Comments must be received by December 24, 2024.
Recent Cases/Decisions:
GAO Sustains Protest Due to Small Business Subcontracting Goal Evaluation Inconsistencies
Background: In this protest, the Army’s solicitation required offerors to satisfy a small business subcontracting goal, mandating that a minimum of two percent of the task order’s value be subcontracted to small businesses. Proposals were expected to clearly reflect this commitment in all sections, including technical and cost proposals. APLS, the awardee, initially indicated it would meet this requirement in its small business participation plan but simultaneously proposed to self-perform all task order work, excluding subcontractor involvement. Upon discovering this contradiction, the Army attempted to address it with a simple “yes or no” clarification request to APLS rather than requiring a full proposal revision.
Key Issues:
The Government Accountability Office (“GAO”) sustained the protest, finding the Army’s approach unreasonable for the following reasons:
- Unresolved Inconsistency: GAO held that the Army’s simple clarification request was inadequate to resolve the material inconsistency in APLS’s proposal. Since APLS’s technical and cost sections both indicated self-performance without subcontracting costs, the proposal conflicted with the small business participation goal. A full proposal revision, rather than a simple clarification, was required.
- Improper Risk Adjustment: GAO found that the Army’s use of a risk-adjusted price—adding costs to account for hypothetical subcontracting—was an inappropriate method to compensate for APLS’s failure to include the required subcontracting costs in its proposal. This approach effectively allowed the Army to alter the proposal instead of requiring APLS to submit a compliant proposal.
- Mandatory Small Business Requirement: GAO emphasized that the solicitation’s small business participation requirement was material. Thus, a proposal that did not clearly commit to this requirement could not be considered technically acceptable without proper discussions and a revised proposal addressing the inconsistency.
Citation: KBR Services, LLC; Vectrus Systems Corporation, B-422697.2; B-422697.5; B-422697.9; B-422697.12 (Oct. 4, 2024)
VA’s Misapplication of "All Documentation Requested" Clause Leads to Sustained Protest
Background: The Department of Veterans Affairs (“VA”) issued a solicitation that sought home oxygen services. Proposals were to be evaluated based on experience and price. The protester, Hometown Veterans Medical, LLC, submitted its proposal with all required materials relevant to these factors. However, the VA rejected Hometown’s proposal (and three others) due to the lack of information concerning FAR provisions 52.209-7 (responsibility information) and 52.204-24 (covered telecommunications equipment or services). The agency claimed that a vague solicitation clause referencing the submission of “all documentation requested” obligated offerors to include information covered by these FAR provisions.
Key Issue - Misuse of “All Documentation Requested”: The core of the dispute revolved around the vague phrase “all documentation requested,” which did not explicitly list which documents needed to be attached to the proposal beyond those associated with the primary evaluation factors (experience and price). The VA interpreted this clause as a blanket requirement, rejecting proposals if any unspecified documents were absent.
GAO's Recommendations: GAO sustained the protest, emphasizing that, unless explicitly required by the solicitation, agencies cannot exclude proposals for missing documentation that is readily accessible via the System for Award Management ("SAM"), such as the FAR provisions in question. GAO recommended that the VA could have used SAM.gov to verify these details instead of applying a rigid interpretation of “all documentation requested” that disregarded accessible information.
Citation: Hometown Veterans Medical, LLC, B-422751; B-422751.2 (Oct. 11, 2024).
GRSM Government Contracts Practice Group
GRSM’s government contracts team has considerable experience defending and enforcing the rights of our contractor clients in disputes against government entities and private businesses. In addition to litigating claims in state and federal courts, we routinely handle matters before administrative tribunals, such as the Government Accountability Office, the Small Business Administration, and Boards of Contract Appeals.
Our team of attorneys is located throughout the United States, which allows the firm to represent contractors, regardless of size, and in a wide variety of industries, including defense, information technology, construction, and aerospace, among others. Please contact the authors with any questions. GRSM would like to acknowledge the significant contributions to this update by Quyen Dang.