Many small businesses learn the hard way that a “bid protest” and a “size protest” differ in much more than name only. Whereas generally a “bid protest” challenges agency action taken in connection with a procurement and can be timely brought at the Government Accountability Office (“GAO”) or in the U.S. Court of Federal Claims (“COFC”) after award, a “size protest” challenges an offeror’s eligibility as “small” for a small business set-aside and must be filed with the U.S. Small Business Administration (“SBA”) within 5 days of contract award; otherwise, a disappointed offeror will forfeit its right to challenge the awardee’s size. While this consequential distinction may seem clear in a vacuum, a recent decision by the U.S. Court of Appeals for the Federal Circuit (“Federal Circuit”) demonstrates that distinguishing between a “bid protest” and a “size protest” may not always be so easy. Instead, the Federal Circuit’s decision leaves open the possibility that even when a timely size protest was not filed with the SBA, a disappointed offeror still may be able to challenge the contracting officer’s failure to refer an awardee of a small business set-aside to the SBA for a size status determination by filing a bid protest at the COFC.


Continue Reading “What’s In A Name?”: Federal Circuit Holds Claims Court Blurred Distinction Between ‘Size Protests’ And ‘Bid Protests’ In Dismissal For Failure To Exhaust Administrative Remedies

As called for in the May 12, 2021 Cybersecurity Executive Order (“EO”) released by the Biden Administration (discussed here), NIST met its deadline to release a definition of “critical software” within 45 days of the date of the Order.  The determination of what constitutes “critical software” is a key step in the process set forth in the Order for securing the software supply chain, which will culminate sometime next year in new Federal Acquisition Regulations for contractors that supply software.

Continue Reading Right on Time – NIST Releases Definition of “Critical Software” Per Biden’s Cybersecurity Executive Order

Ignore our prior prediction—the U.S. Court of Federal Claims definitely is NOT remanding the protest by Medline Industries, Inc. (“Medline Protest’) to the agencies for corrective action.  In a surprisingly scathing opinion issued June 22, 2021 by Judge David A. Tapp, the court made one thing very clear—the Department of Veterans Affairs’ (“VA”) transfer of its Medical Surgical Prime Vendor (“MSPV 2.0”) requirements to the Defense Logistics Agency (“DLA”) is dead on arrival.  After issuing a brief order on June 17 denying remand to the agencies for corrective action, the court detailed its reasoning in an opinion issued in a parallel protest filed by Owens & Minor Distribution, Inc. challenging (slightly) different aspects of the shifting MSPV 2.0 procurement (“O&M Protest”).  The government had moved for remand in both protests, and because the Medline Protest and O&M Protest involved the same parties and many common operative facts, the court issued a single opinion denying remand in both—and telegraphing that the outlook for the government in both cases is grim.  Piling on, the court took a few shots at the government for its litigation conduct and (more generally) its lack of acquisition planning.

Continue Reading Duck Hunt – The VA Cannot Escape The Medline Protest, And Takes A Few Shots In The Process

In February 2021, President Biden issued Executive Order 14017, “Executive Order on America’s Supply Chains” (discussed here), requiring (among other things) a report within 100-days requiring key government agencies to assess vulnerabilities and consider potential improvements to supply chains in four critical industries – (i) semiconductor manufacturing; (ii) high capacity batteries; (iii) rare earth elements; and (iv) pharmaceuticals.

Continue Reading At a Glance: White House 100-Day Supply Chain Report

In Van Buren v. United States, No. 19-783 (U.S. June 3, 2021), the United States Supreme Court issued an opinion drastically limiting the application of the Computer Fraud and Abuse Act (CFAA) (18 U.S.C. § 1030 et seq.), holding that the “exceeds authorized access” clause of the Act applies only to those who obtain information from particular areas in the computer—such as files, folders, or databases—to which the individual is not authorized to access under any circumstances. However, the Supreme Court excluded application of the clause to individuals who misuse their access to obtain information otherwise available to them for an unauthorized purpose.
Continue Reading Supreme Court Resolves Circuit Split Over CFAA

The U.S. Department of Veterans Affairs (“VA”) Medical Surgical Prime Vendor (“MSPV”) 2.0 Program (discussed previously here and here) has yet to make it off the ground, but in March 2021 the VA announced plans to eliminate the program by September 2023 and instead purchase from the Defense Logistics Agency’s (“DLA”) separate MSPV catalog. The VA and DLA MSPV programs are how the VA and DLA (separately) purchase most of their medical, surgical, and laboratory equipment for care centers across the country (and abroad, in the case of DLA). The VA and DLA have been exploring the possibility of consolidation since at least January 2019, but many vendors relied on the VA’s representations that it would not make any decisions on potential consolidation until at least 2025. So when the VA informed stakeholders of its new September 2023 target, Medline Industries, Inc. (“Medline”), one of the prime vendor awardees under the VA’s MSPV 2.0 Program, responded by filing a bid protest at the U.S. Court of Federal Claims. On May 28, 2021, the VA and DLA decided to take corrective action, asking the Court for six months to re-evaluate the issues raised by the protest. It seems that the government did not have all of its ducks in a row prior to announcing the targeted transition.
Continue Reading Ducks (Not) in a Row – VA Agrees to Take Corrective Action in Transitioning MSPV 2.0 Requirements to DLA

The National Institute of Standards and Technology (“NIST”) is seeking comments on its draft NIST SP 800-161 Rev. 1, “Cyber Supply Chain Risk Management Practices for Systems and Organizations,” published on April 29, 2021. The public comment period currently is open and concludes on June 14, 2021. NIST anticipates releasing a second draft in September 2021, with a final version anticipated to be released by April 2022.
Continue Reading Seeking HoNIST Opinions – NIST Invites Comments on Major Revision to Cyber Supply Chain Risk Management Practices for Systems and Organizations (SP 800-161) and Provides Further Software Supply Chain Guidance

On May 12, 2021, the Biden Administration issued its much anticipated “Executive Order on Improving the Nation’s Cybersecurity.” Below are provisions we believe will be of most interest to contractors, as well as any company that provides information technology (“IT”) and operational technology (“OT”) services, cloud computing, software, or internet of things (“IoT”) technology, as the new regulations and standards called for in the Order are likely to have an impact beyond government contractors.
Continue Reading Biden’s Cybersecurity Executive Order

The Biden Administration has taken (at least temporarily) the teeth out of a Trump-era Executive Order that directed the government to “Buy American” for essential drugs and medical devices. President
Continue Reading “Buy American” Update: Essential Medicines May Continue to Come From Abroad (For Now)

On February 24, 2021, President Biden signed Executive Order 14017, “Executive Order on America’s Supply Chains,” requiring a review of global supply chains that support key U.S. industries in an attempt to improve supply chain security for the U.S. government and U.S. companies. The new Executive Order appears to be an initial step focused on information gathering. Comprehensive reforms and supply chain strategies are likely to follow once the White House has collected key information.
Continue Reading Finding the Weak Links – President Biden Executive Order Demands Review of Critical U.S. Supply Chains