Skip to main content
Case Law

A Missing Cybersecurity Narrative Ended a SEWP VI Bid: The InnoVet Protest

In InnoVet Technologies, LLC (GAO, June 16, 2026), NASA eliminated a small business from the SEWP VI competition — a 10-year GWAC that ultimately produced 2,115 awards — not because its security was weak, but because its proposals omitted a required narrative describing the offeror's own cybersecurity supply chain risk management. GAO denied the protest. The lesson for contractors: on many federal procurements, the cybersecurity write-up is a pass/fail gate for award eligibility, and a checklist attestation is not a substitute for the narrative the solicitation asks for.

Brandon Hancock, J.D., CMMC-RPPublished July 6, 2026Updated July 6, 20265 min read

A small business just lost its place in one of the government's largest IT contract vehicles over cybersecurity — but not because its security was judged weak. It lost because a required section of its proposal was simply not there.

On June 16, 2026, the Government Accountability Office (GAO) denied a bid protest that belongs on the reading list of anyone who writes — or signs off on — the cybersecurity sections of a federal proposal. In InnoVet Technologies, LLC, B-423306.20, GAO upheld the National Aeronautics and Space Administration's (NASA) decision to eliminate a small business from the competition for the Solutions for Enterprise-Wide Procurement (SEWP VI) governmentwide acquisition contract because its proposals left out one required narrative: a description of the company's own cybersecurity supply chain risk management (C-SCRM) practices.

NASA announced the SEWP VI award results on June 22, 2026: 2,115 awards to roughly 1,490 companies across three categories — 364 in Category A (IT Solutions), 692 in Category B (Enterprise-Wide IT Service Solutions), and 1,059 in Category C (IT Mission-Based Services) — for a 10-year ordering period running November 1, 2026 through October 31, 2036. Each awarded contract carries an individual ceiling of $20 billion; industry and trade-press reporting place the vehicle's aggregate program value at up to $60 billion. InnoVet's proposals were eliminated before that finish line.

There was no finding that InnoVet's security program was deficient. The proposals were eliminated because a required section was missing. On a vehicle where each awarded contract carries a $20 billion ceiling — within a program reported at up to $60 billion in the aggregate — that omission was the difference between competing and being cut.

What the Solicitation Required

NASA evaluated SEWP VI proposals in phases, and the cybersecurity content lived in the mission suitability volume's management approach subfactor. Under that subfactor, offerors had to provide a narrative describing their corporate processes and resources for the risks associated with C-SCRM and the IT security of contractor-acquired property — expressly referencing recognized standards such as CNSSI 1253, NIST SP 800-53, NIST SP 800-161, and NIST SP 800-171. Offerors also had to explain how they participate in, and stay current on, supply chain and IT-security practices, and either complete a C-SCRM attestation form or provide a valid O-TTPS (ISO 20243) certification.

Two features of the evaluation scheme did the work here. First, the management approach subfactor was scored on a pass/fail basis — "satisfactory confidence" or "no confidence" — and a rating of no confidence in that single subfactor made the entire proposal ineligible for award. Second, the solicitation warned that a non-response to any part of the mission suitability volume, or any deviation from its instructions, would remove the offeror from the competition. Cybersecurity was not a scored nicety that a strong price or past performance could offset. It was a gate.

Where the Proposal Fell Short

InnoVet submitted proposals for two SEWP VI categories but did not include the management approach narrative describing its own corporate C-SCRM and IT-security processes. NASA assigned both proposals a rating of no confidence and eliminated them from the competition.

On protest, InnoVet argued the omission should have been excused. It pointed to its C-SCRM attestation form — where it had answered "yes" to every security-control question — and to cybersecurity content in its technical approach narrative, contending that a reasonable evaluator would have treated those as satisfying the requirement even without a separately labeled narrative section.

What GAO Held

GAO denied the protest, and its reasoning is worth stating plainly, because it is not new law — it is the settled standard applied to a cybersecurity fact pattern.

GAO does not reevaluate proposals; it reviews whether the agency's evaluation was reasonable and consistent with the stated criteria. And an offeror bears the burden of submitting an adequately written proposal that contains the information the solicitation requires. Where a proposal omits or inadequately addresses required information, the offeror runs the risk of an adverse evaluation.

On the substance, GAO found the two substitutes InnoVet offered were not equivalents. The C-SCRM attestation form was a yes/no confirmation of adherence to a control set — it did not describe the corporate risks tied to C-SCRM and the IT security of contractor-acquired property, nor how the company stays current on those practices. The technical approach narrative addressed how InnoVet would deliver cybersecurity services to NASA — not how InnoVet manages its own corporate cybersecurity risks, which is what the management approach subfactor asked for. GAO also rejected, as impermissibly speculative, InnoVet's argument that NASA's corrective action on other SEWP VI protests should carry over to its own proposals.

Why This Reaches Beyond One Procurement

The practical lesson is not "have good cybersecurity." It is that agencies increasingly evaluate cybersecurity as a discrete — sometimes pass/fail — element of award eligibility, and that what you write is the representation that gets evaluated, not what you could have proven if someone had asked.

Two of the most common ways contractors lose these points appear side by side in this decision. The first is answering the wrong question: describing how you will secure the agency's environment when the solicitation asked how you secure your own. The second is assuming that information supplied elsewhere in the proposal will be read across into the section that required it. Evaluators are not obligated to hunt for a required narrative inside an attestation form or a different subfactor.

This is the same discipline that runs through the rest of the compliance picture — from DFARS 252.204-7012 safeguarding obligations to your SPRS self-assessment score: a cybersecurity representation is only as strong as the specific, responsive record behind it.

A Checklist for the C-SCRM / Management-Approach Narrative

Before submission, confirm that the narrative section itself — not another volume — does each of the following:

  • Answers the question asked. Describe your own corporate C-SCRM and IT-security processes and resources, not how you would serve the agency.
  • Names the standards the solicitation names. Map your description to the referenced frameworks (for example, CNSSI 1253, NIST SP 800-53, NIST SP 800-161, and NIST SP 800-171) as applicable.
  • Covers contractor-acquired property. Address IT security for the ancillary products you would acquire to perform, if the solicitation calls for it.
  • Shows how you stay current. Explain your participation in supply chain and IT-security activities and how you keep the program up to date.
  • Completes every required attachment. Submit the attestation form or the alternative certification exactly as specified — and treat it as an addition to the narrative, not a replacement for it.
  • Stands on its own. Do not rely on the evaluator to import content from another subfactor or volume; put the required information where the instructions require it.
  • Leaves no part blank. Treat any "non-response" warning as literal — a single missing sub-element can end the evaluation.

Key Takeaways

  • In InnoVet Technologies, LLC, B-423306.20 (June 16, 2026), GAO denied a protest and upheld NASA's elimination of a small business from the SEWP VI competition — a 10-year GWAC that ultimately produced 2,115 awards, each carrying an individual $20 billion ceiling — because its proposals omitted a required narrative describing the offeror's own cybersecurity supply chain risk management.
  • The cybersecurity subfactor was scored pass/fail; a "no confidence" rating on that factor alone made the proposal ineligible for award — cybersecurity was an eligibility gate, not a scored preference.
  • A yes/no attestation form and a narrative about serving the agency did not substitute for the required description of the offeror's own corporate processes; the offeror bears the burden of putting responsive information where the solicitation requires it.
Share
BH

Brandon Hancock

J.D. · CMMC Registered Practitioner (RP)

Brandon is the founder and principal advisor of GovConCyber. His advisory approach is shaped by roughly six years as a U.S. Army human intelligence collector, where information accuracy, source protection, classification discipline, need-to-know access, and controlled reporting were daily requirements. He brings that information-discipline mindset to GovConCyber's work helping government contractors understand and comply with federal cybersecurity obligations.

Was this post helpful?