Start preparing now to earn points on GSA’s Polaris contract opportunity
The General Services Administration (GSA) recently released a draft request for proposals (RFP) for the Polaris IDIQ procurement, which spans a wide variety of IT services. This up-to-10-year Indefinite Delivery/Indefinite Quantity (IDIQ) contract (five years base, with a five-year option period) is a significant opportunity for a variety of small businesses. GSA plans to issue three pools of awards, including ones specifically for HUBZone and Women-Owned small businesses. This is the unofficial replacement for Alliance Small Business 2, which failed to proceed after a number of sustained protests.
The services covered in this intended multiple IDIQ award effort include cloud services, cybersecurity, data management, information and communications technology, IT operations and maintenance, software development, and system design. There is an emphasis on contractors who are experienced using innovative solutions within emerging technologies such as advanced and quantum computing, artificial intelligence (AI), automation technology, distributed ledger technology, edge computing, and immersive technology.
The draft RFP indicates that GSA will take a self-scoring sheet approach to evaluating proposals, and it includes a very high-level draft version of the sheet. It will likely take several months for this RFP to be finalized, so potential offerors have ample time to prepare for areas in which they may be able to earn points.
In what areas should you expect to earn points?
The biggest point-earning opportunities will likely relate to experience and past performance. The applicable projects can be for pretty much any customer, both federal and commercial, but there will likely be more points for projects with multiple federal clients. The more complex the project, the higher the likelihood that you will receive more points. If the experience was within a cost-plus contract instead of fixed-price, there will likely be more points for that as well. There will likely be additional points for a wider variety and separate instances of recent projects within each performance area, and even more points if emerging technology was used in these projects.
The other significant area that might be a bit more controllable for prospective contractors right now is within Volume 4 – Systems, Certifications, and Clearances. This area will include point-earning opportunities for evidence of superior corporate governance and operations. It includes points for CMMI-SVC or CMMI-DEV Level II or above certifications. ISO 9001:2015, ISO 20000-1:2018, and/or ISO 27001:2013 certification can also garner prospective offerors points. Finally, having a “secret” or above facility clearance will likely earn contractors additional points.
However, as of the current version, a couple of point-earning opportunities in Volume 4 are contingent on what the government has done on behalf of the contractor (i.e., not so controllable under the draft RFP language). To get point credit for having an accounting system capable of operating under a federal cost-reimbursable contract or a purchasing system compliant with the criteria under DFARS 252.244-7001, the system must be approved by a federal government official. Unlike other recent GWAC IDIQs, this RFP currently does not allow any independent CPA firm/third-party approvals. One could see this approach as inhibiting competition, and hopefully the next draft will change the rules around earning points for these systems.
What about CMMC and other RFP requirements?
The draft RFP for Polaris dedicates a whole section to “IT Security Considerations” (Section H.5) that does not name any specific requirements. Instead, it instructs offerors to pay close attention to the latest Cybersecurity Maturity Model Certification (CMMC) and supply chain risk management (SCRM) requirements. It acknowledges that civilian agencies have not yet adopted CMMC but suggests that it may be included as a requirement for future task orders under this IDIQ. It also includes instructive exemplar items for contractors to monitor with regard to cybersecurity and SCRM.
That said, an interested offeror must submit a cybersecurity and SCRM risk self-assessment of seven pages or fewer. The government will grade this self-assessment as either acceptable or unacceptable. If deemed unacceptable, the offeror will be eliminated.
This draft RFP also includes a specific requirement to submit a Professional Employee Compensation Plan in compliance with FAR 52.222-46. It appears that GSA included this requirement to help prevent unreasonable underbidding related to labor costs on future task orders. If the government assesses that a submitted plan is insufficient, an offeror is likely to be eliminated.
Here is what we think any potentially interested contractors should be doing right now:
- Understand the RFP technical areas, and identify all the applicable past performances that will likely maximize point-earning potential (i.e., find the ones that involve emerging technology).
- Consider a teaming arrangement if you think that will bolster your competitiveness.
- Assign team members now who will be responsible for the proposal.
- Don’t wait until the final RFP comes out to start writing and developing a win strategy.
- Gather and submit comments on the draft RFP that will help make you more competitive and stand out from your competitors. (See our recent Lunch and Learn slides on proposal best practices.) Comments are due Jan. 29.
- Establish a timeline and plan for any achievable Volume 4 point-earning opportunities.
- If you do not already have one, develop a Professional Employee Compensation Plan.
- Start working on your cybersecurity and supply chain risk management self-assessment, and figure out a path to ensuring that it demonstrates a robust understanding of and commitment to minimizing these risks.