Since Nov. 30, 2020, all U.S. Department of Defense solicitations, except those for commercial off-the-shelf items, have included Defense Federal Acquisition Regulation Supplement clause 252.204-7019 to require assessment of contractor compliance with cybersecurity requirements.
Additionally, certain solicitations, other than those for commercial off-the-shelf items, have included DFARS clause 252.204-7021 to phase in the implementation of Cybersecurity Maturity Model Certification, or CMMC, requirements.
These clauses were published together on Sept. 29, 2020, as part of an interim rule intended to assess contractor implementation of cybersecurity requirements. There are many questions about what the new interim rule means for contractors, but very little attention has been paid to how the new interim rule may create protest issues during the solicitation period for contracts.
As we near the end of the U.S. Government Accountability Office’s 100-day statutory deadline to resolve protests that may implicate these provisions, reported decisions may soon appear analyzing challenges under the new clauses. As implementation continues, additional protest issues will certainly arise.
This article is intended to highlight some of the more likely issues expected to arise, and to provide some initial analysis and considerations related to these challenges.