The legal side of procurement with Alexander Canizares

Alexander Canizares joined me on the Acquisition Talk podcast to discuss the legal side of the acquisition system. He is a senior counsel at Perkins-Coie, a lecturer at George Washington Law School, and a former trial attorney at the Department of Justice. Alex provides insights on a number of topics, including:

Whether an OTA contract can be protested
The Cybersecurity Maturity Model Certification (CMMC)
What’s new in pricing policy for sole source contracts
Whether VC funding disqualifies businesses from SBA loans
The Procurement Collusion Task Force

Throughout the episode, Alex relates a fundamental tension in procurement law that I would describe as the tension between the desire to move with commercial speed and the fact that government is not just a big firm. For example, the CMMC addresses a real problem for national security but has a number of unknowns in terms of compliance issues. Bid protests help create fair procurement processes but can upset agency timelines and create risk aversion. Cost or pricing data requirements prevent abusive sole-source pricing but may deter competition from commercial firms.

One of the highlights was the discussion on whether an Other Transaction Authority (OTA) contract can be protested or not. Alex explains how the Court of Federal Claims rejected SpaceX’s bid protest of an OTA because they are not considered procurement contracts under the Tucker Act — they are outside the Federal Acquisition Regulation. The caveat is that a protest can be raised over whether the contract was able to use an OTA in the first place. For example, Oracle successfully protested an OTA follow-on production award because the agency did not specify in the original prototyping solicitation that follow-on production was available, citing the DoD OTA Guide.

Podcast annotations

I’ll let Alex provide an introduction to the Cybersecurity Maturity Model Certification:

Stepping back, CMMC is a framework for assessing cyber security protection among the defense industrial base… There is some indication that commercial off-the-shelf contractors may be exempt, and that’s just based on what I’ve seen on the FAQs on the DoD website. But the expectation is this: it will be a huge program, it’s going to be costly, it’s going to have a lot of compliance obligations, and it raises a lot of questions — some of which the DoD has answered and some it hasn’t. But the original idea was to move really fast to get this out, and I think even before Covid-19 they were going to have to do as Ellen Lord said, crawl, walk, run.

One of the interesting features of CMMC is that while government is responsible for the standards themselves — having released v1.0 early in Feb. 2020 — there will be a non-profit Accreditation Body (CMMC AB) which will certify third-party auditors who will eventually assess all 300,000 defense suppliers on whether they met the cyber security criteria at certain levels. This actually presents a number of questions because a third-party will basically decide whether or not a contractor is qualified to bid on a government contract. Here is Alex:

This accreditation body is a non-governmental organization, and the idea is that they’re going to manage this whole accreditation process. It will be carried out on the ground by these auditors — these third party organizations. Those organizations themselves are not government entities. The accreditation body is now rolling out a training program to get these auditors trained. One of the questions I think is really fascinating is you’ve got these non-governmental actors who are doing doing the certification level work and determining these really consequential determinations. If you’re a government contractor, if you don’t get certified to the level you need, that could be a calamitous impact.

Having third-party entities do this presents an unusual, risky scenario. As a government contracts lawyer, I think about the Contract Disputes Act or a bid protest — those statutes and those ways for providing a meaningful judicial review we’re accustom to. If you’re familiar with submitting a certified claim to a contracting officer as a way of bringing a dispute to an agency, that sort of framework doesn’t readily apply here because you’re basically dealing with non-governmental entities and arguably its not really a procurement. Certification decisions are being done through a different context. That’s one aspect…

Similar to how OTA contracts are not procurement contracts and therefore (usually) not subject to bid protests, CMM Certifications are not procurements either. The CMMC AB will be responsible for dispute resolutions, but that process doesn’t seem to be fully laid out.

One area of trouble I see in such disputes is the subjectivity of many CMMC standards. Many involve requiring documentation and procedures, and reasonable people may easily disagree on whether they were met. It’s not clear to me whether the incentives are aligned for auditors to be risk averse (holding out certifications until a high bar is passed) or risk taking (more willing to provide certifications). Here are a couple more considerations:

Subcontractor Flow Down. Supposedly, only a few dozen contractors will require CMMC level 4 or 5, the highest standards. Most will require level 3. However, let’s say a government releases a major development contract for a weapon system. The prime contractor may be required to have a level 4 or 5 certification, but their numerous subs down the supplier tiers will not necessarily need that level. Who will make the determinations for each subcontractor and according to what process?

One unknown of mine is whether digital engineering environments can be “containerized” through interface specifications (thus, only the prime has the whole picture and the subs only what they need) or whether participation in digital engineering implies the same CMMC level requirements.

Allowable Costs. Another issue is the cost of becoming CMM Certified. A traditional defense prime would have no problem spending money to get compliant, and then getting that reimbursed by the government as an allowable cost. It isn’t clear whether that will be through overhead rates or as a line item in a contract. But since they already have government accounting systems with clearly segmented commercial work, the cost of CMMC can be readily reimbursed through existing contracts.

For commercial firms, it isn’t as straight forward. First, if the firm doesn’t have any government work, then it will have to invest upfront on security accreditation (many months most likely) and then face the prospect of losing the award and never getting reimbursed. Second, even if the nontraditional won the contract, without a government compliant accounting system it won’t be clear exactly what costs were attributed to CMMC or whether that work supported commercial activities. It’s all much more clean-cut when the contractor only does business with the government, which is why contractors often carve out government-unique business units.

Covid-19 Impacts

We covered a lot more ground than CMMC in this episode — so listen to the whole thing! — but I’d like to conclude on the same note Alex did:

I think the real area for people to think about is what’s the long term impact of the Covid-19 crisis going to be on government acquisition and industry. We’ve touched on a couple things in our conversation, but how do you attract innovation to government procurement. We’re at a real point where we want to make sure we’re creating those opportunities.

I agree that the Covid-19 crisis will be an event of tremendous long term impact. I think the jury is still out on which way it sways. In some ways, Covid-19 may be something of a boon to industry’s perceptions of government procurement. It demonstrated how government can be a reliable source of cash flow in times of crisis. It also came with a surge in emergency procurement procedures and an expansion in OTAs.

In the longer term, it may have some downsides. For example, procurement scandals later discovered may put a damper on rapid contracting or the use of OTAs. Another thing Alex alerted me to was the challenges small businesses faced getting loans through the Small Business Administration, including certificates of need and disqualification under some circumstances for having venture capital funding. This may result in the exit of startups the DoD has been cultivating for the last five years. Ultimately, I think there are numerous forces pushing in the direction of more regulation independent of Covid-19, and with hindsight some may blame Covid-19 even it it was just coincidental.