What to Expect in Government Contracts This Year
In this episode of Wiley’s Government Contracts Podcast, host Craig Smith is joined by Government Contracts Partner Gary Ward to discuss Gary’s projections of trends we may see in protests, cybersecurity, and more.
Transcript
Craig Smith
Good morning, good afternoon, good evening, wherever you are. We’re back here with the Wiley Rein Government Contracts podcast. My name is Craig Smith, Partner in the practice. here with me today is Gary Ward. Gary is a partner in our group. He’s been here I think at this point a decade now. Gary is really one of our rising stars. So much so that Law360 said officially in 2022, he’s one of the Government Contracts Rising Stars. Gary focus over the years, while broad, I’ve known him to work on Cost Matters, he’s one of our “cost cowboys.” And protests, I think you’re up over 100 that you’ve litigated to resolution at this point?
Gary Ward
Yea, that’s about it.
Craig Smith
A remarkable total. And even to the point where you’ve spent some time developing software to try and study trends at GAO and how protests ebb and flow.
Gary Ward
Yep, that’s right.
Craig Smith
So, we’re going to get into a little bit of that today, as here we are in January 2023 looking at the year ahead. And Gary’s here today to talk about “well, what do you see ahead?” Let’s start with those protests, Gary. I mean, that is one of your specialties. So, talk to us. Protest work, there’s always a lot of it. The government’s always buying stuff is what I tell people whenever there’s a change of administration. But you see reports in the media that maybe protests are down a little bit in numbers. I know you look at a more subtle level. But now, instead of looking backwards at what GAO has been doing, what do you see looking ahead?
Gary Ward
Yea, this year is going to be an interesting one for the protest stat nerds. Because it’s really the first year that how you count protests might make a difference in how you view the system. Six years ago, before Rand did the study that the government had commissioned to kind of look at the protest process, we wrote an article discussing some of the different ways you can count protests. GAO in its annual report, they count the “B” numbers. That’s what they assigned to the initial protest file when you file it. And then when you file a supplemental protest, they’ll assign another B number. So, it counts both initial protests and supplemental protests. You can use the same data that GAO publishes on its Docket, though, and just count either the initial protests, so you can exclude the supplemental protests, or you can count just the protests of a single procurement, using the solicitation number or another part of the docket identifier. To be honest, since then, it’s been really more of an academic issue. It’s affected the final number that you see. So, if we look at one number, we’ll see a lower number than GAO reports. But, that number’s hard to use for anything because how do you evaluate “are there too many protests?” If you’re on one side it’s “yes, there’s too many protests.” If you’re on the other side, “no, it’s about right,” or “there could be more.” The year over year trend, that’s probably a little bit more informative. But that’s been the same, regardless of which metric you use. This year, we’re on track for that to change a little bit because of one particular procurement out there. The CIO-SP4 procurement, which is a large GWAC (government wide acquisition contract) awarded by NIH. So far, this fiscal year, 132 different companies have protested that single procurement. Depending on how you count GAO’s numbers, that’s about 10% of it’s annual caseload. So, at the end of the year, GAO’s report if it’s counting all of those as separate protests might show an increase this year. But, on the other hand, we have got to look at the number of procurements that are protested. So, how you count these 132 protests - are they one procurement protested or are they 132 different protests - it really affects the way that you view the system. And we’re about a quarter of the way into the fiscal year. Looking at the data. If you look at the procurement’s protested, we’re almost identical to last year. Which shows that we’re starting to stabilize at that new lower level that GAO has been trending towards in the last five or six years. But then, if we look at the number of B-number filings, or the initial protests, like what we’re going to see in GAO’s annual report, you’re going to see a spike that might actually take us three or so years back in that downward trend. And again, this is just right now. The agency took corrective action in response to those protests, which means there could be another wave of 132 more protests, or somewhere around that, depending on how the procurement shakes out.
Craig Smith
It’s a remarkable number of protests. And I think about not just a spike in numbers but then down the line, there could be impacts on the calculations people do on the efficacy of protests. If you get 132 corrective actions for a single procurement, that’s quite different than 132 corrective actions in 132 procurements. But I’m curious, thinking about both just counts and then outcomes, have seen anything like this?
Gary Ward
So, if we’re talking about number of protests of one procurement, we haven’t seen anything like this as far back as we track this, which goes back to FY16. We have seen multiple protests of these large GWAC contracts, but totally different universe of numbers. So, the largest one that we’ve seen so far was in FY16. The Air Force awarded the Small Business Enterprise Application Solutions. 22 companies protested that procurement that year. More recently, in FY19 actually the predecessor to CIO-SP4 was CIO-SP3, and 15 companies protested that one. Really, to see a blip like this in the stats we have to go back to FY16, I believe, when Latvian Connections had filed somewhere around 150 protests all on its own, which eventually led to GAO suspending them from filing protests.
Craig Smith
Well, I think unlike that, we’ll have to see if the way that SP4 plays out has any influence on not just the numbers but then what type of policy making decisions do agencies, or even Congress, try to make on that. And you’ve just raised a really important point which is “let’s try to pull out what might be a little different about this year versus last year.” Speaking of things that remain constant, we’re always talking about cybersecurity. You can’t have any conversation about being a federal contractor without it. I know, I guess at this point it was what, three and a half years ago that you spoke about the cybersecurity maturity model. And it was what, out in San Diego?
Gary Ward
Yep.
Craig Smith
I attended that conference and then went to the hospital, so I remember it well.
Gary Ward
A rare in-person conference out there.
Craig Smith
It does feel like that. So, now that we’re here. We’re in 2023. I know there have been a wealth of changes. While everyone knows cyber, where do you see things heading this year?
Gary Ward
Like you said, cybersecurity is going to be another key focus for contractors this year. But the one thing I’m hopeful, the focus will finally shift away from the phrase “CMMC,” the DOD Cybersecurity Maturity Model Certification. Yes, don’t get me wrong here, CMMC is important and yes, we’re probably going to see a Federal Registry Notice rolling out the details this year. But really, the current CMMC 2.0 program, that’s what we’re on right now, is not the same program as the CMMC 1.0. The one we all remember Kitty Harrington going and hosting all these webinars and talking about how this is going to totally change the game and scaring a lot of industry with this really overwhelming program. The new 2.0, DOD kept the name CMMC, but it is completely different. 2.0 is more about independently assessing contractors against the requirements that exist today, based on the standard DFARS regulation and the NIST 80171 guidance. Let’s shift away from CMMC, we’re going to see a lot of other activity in cybersecurity areas. And some of this stems from executive orders.
Craig Smith
So, we can look beyond CMMC?
Gary Ward
Absolutely. We should be looking beyond CMMC. And like I said, I’m hopeful that the focus can begin looking at cybersecurity the big picture, and not get distracted in the label of CMMC and not get distracted by the label of CMMC or some of the past issues on that program. And things that are out there in this area, a lot of it comes from the Biden executive order outlining a pretty ambitious agenda across a host of different areas. Section Four of that is what we’ve seen a lot recently, with the secure software development framework. OMB has issued its guidance on that, and now it’s up to the FAR Council to implement standard terms and conditions that can go into contracts. We’re going to start seeing that when solicitations hit the street. On a very very positive note, we’re hoping to see some standardization from the Federal government in this area. We’ve talked about DOD so far because they’re the ones who have standardized cybersecurity to a much, much, greater extent than the rest of the Federal government has. If you’re dealing with a lot of civilian agency contracts, you really have to look at every single contract to have a sense of what are your cybersecurity obligations, what are your reporting obligations. Section Two of that executive order, the Biden cybersecurity executive order, that required some standardization of a lot of these things. And we’re expecting to see that rolled out into the FAR. Hopefully it’s coming this year, because that will be a relief to many that have to track their obligations.
Craig Smith
So, there’s that perpetual push-pull and cybers a good example. Standardization can simplify, but it also maybe lacks some of the nuance that you need for what do different contractors and different parts of the community really need to protect the government and supply chain.
Gary Ward
Yea, there’s always going to be some degree of tailoring and that’s necessary. But right now, it’s not really tailoring it’s more ad hoc. And you have variations, not just between large agencies, but even within certain agencies. Because some agencies are handling these cyber requirements more the way they handle technical requirements. And they have the requirements team working on that, rather than a standard agency-wide policy of “here’s what we’re going to require in each contract.” There needs to be a balance of “Well, here’s our standard. And here’s how we tailor that to meet our unique requirements, that may or may not be different, actually.” Shifting beyond that executive order, we’re going to go way back in time, well not that far back in time, to one of President Obama’s executive orders on controlled unclassified information. And that one, believe it or not, has not had a FAR rule issued on it. And that rule on controlled unclassified information may finally give us more guidance on designating, safeguarding, and marking controlled unclassified information. Which really is an important topic for any of these cybersecurity areas, because in order to protect the information. you first got to understand what needs to be protected to what level. And it’s been a challenging area to know what’s controlled unclassified information and what requires certain levels of protection.
Craig Smith
It also strikes me as an area where you’re not going to get a lot of cases to help you out. You’re really dependent on guidance and rulemaking along those lines.
Gary Ward
Definitely not going to get a lot of litigation on whether something was properly marked or needed to be marked. And all this talk about different cybersecurity requirements, we’re actually seeing something pretty rare from the FAR Council. You might have a better sense of how rare this is. We’re potentially getting a new part to the FAR to deal with cybersecurity requirements. On their open cases report they’ve listed a case – I believe it’s Part 40 – is going to be the place where these cybersecurity requirements eventually end up living.
Craig Smith
It’s a blue moon event, you’re absolutely right.
Gary Ward
And then, of course, outside of the FAR and regulatory environment, we’re going to see some statutory changes. The NDAA, for example, codified the FedRAMP program, so we’re going to see some changes related to that.
Craig Smith
We talked about how we’re not going to see a lot of litigation or cases to help us expand on what the government’s giving us through regulations, guidance, or even statute. But also, at the same time, there’s plenty of litigation going on. And not just protest litigation, there’s all sorts of claims and disputes. And that’s one other area you think we’ll want to pay attention to this year?
Gary Ward
Yea, absolutely. Craig, you and I are always paying attention to litigation, this is
Craig Smith
It’s what we do!
Gary Ward
This is exactly what we do. And when we’re not litigating, we’re advising on what others have litigated in the past. The litigation though, I think we’re still going to continue to see a lot of cases dealing with what you normally see in a lot of this litigation involving cost accounting issues. And, fortunately, the ground rules of the Contract Disputes Act. This month the Federal Circuit issued a decision in a cost accounting case between Raytheon and DCMA, that really shows what’s at stake in these types of cost accounting cases. I’ll save the details for a separate discussion when we want to dive into that. But it’s still a good example of why we have so many cost accounting disputes. The question in that case is, they’re really foundation to how contractors count their costs that they ultimately pass along to the government. But in that Raytheon decision, it took about 15 years from when Raytheon first started incurring those costs under its polices, for the Federal Circuit to ultimately weigh in and issue a decision on how Raytheon SHOULD have tracked those costs under those policies.
Craig Smith
It’s got to be frustrating for anyone trying to make decisions with that kind of lag. Of course, at least they got a decision on the merits, whatever one thinks of it. But there’s another scenario where you could go all the way through to, even to the Federal Circuit, and find out you almost have to go back to the beginning. And that’s something you and I – well at least I’ve had some gray hairs develop over it, you still haven’t for some reason.
Gary Ward
Well, yea, you’re hitting the other main topic, which is the Contracts Dispute ground rules. We’ve had the CDA since 1978? So, what’s that, almost 45 years? Yet, there are still open questions about foundational jurisdictional issues like, “What is a claim?” And “What is a final decision on a claim?” You and I have talked about this one before: I love Judge Clark’s line referring to “secret final decisions.”
Craig Smith
That’s the URS Federal Services Case from 2020 at the Armed Services Board?
Gary Ward
Exactly. And it really kind of reminds us how we feel about some of these areas. This is truly a common law approach to “you need a list of a dozen final decisions by the government before, and decisions on it, and then you’ve got to analogize whatever contract action you just got to that list of final decisions to figure out whether that’s an appealable final claim. And you’re on the clock, you have 90 days to get to the board, or whether it’s not, and you have to submit your own claim.” 45 years later there’s still a lot of uncertainty about when contractors are on the clock. And that decision is a great one from, a great line from Judge Clark, about recognizing the difficulty of it. But it is the ASBCA and it’s not the Federal Circuit, so we don’t necessarily know. We’d hope they share the same view and there’s good reason for that but, like you said, there’s a lot of uncertainty. This is an area that you want to make sure that the forum has jurisdiction over your dispute.
Craig Smith
And it’s the Lockheed case that I think we’re expecting a Federal Circuit decision this year on whether a definitization of a yuca ended up being a government claim?
Gary Ward,
Yea, the Lockheed case is one of those cases out there pending. Listening to the oral argument though, the judges spent a lot of time questioning whether the dispute about whether this is a claim was mooted by Lockheed eventually filing its own claim. So, they may use that as a way of not wading into this mess at this point. But we expect that they’re going to have other opportunities, and this is still going to continue to be a very litigious area. The Board’s Annual Report – like GAO the Armed Services Board issue their own annual report – the last four years or so they’ve been identifying the number of each type of motion that’s pending. In the last two years there have been over 100 motions to dismiss for lack of jurisdiction pending. That’s a little over 10% of the Board’s docket. And that’s actually an increase over the last two years, the only years that have reported that. So, we’re actually going backwards with some of the uncertainty about whether you have jurisdiction under the CEA.