                  ARMED SERVICES BOARD OF CONTRACT APPEALS

Appeal of--                                   )
                                              )
IBM Corporation                               )       ASBCA No. 60332
                                              )
Under Contract No. W91QUZ-04-D-0003           )

APPEARANCES FOR THE APPELLANT:                       David W. Burgett, Esq.
                                                     Brendan M. Lill, Esq.
                                                     Nicole D. Picard, Esq.
                                                      Hogan Lovells US LLP
                                                      Washington, DC

APPEARANCES FOR THE GOVERNMENT:                      Raymond M. Saunders, Esq.
                                                      Army Chief Trial Attorney
                                                     Frank A. March, Esq.
                                                      Trial Attorney

            OPINION BY ADMINISTRATIVE JUDGE WOODROW ON
      APPELLANT'S MOTIONS FOR SUMMARY JUDGMENT AND DISMISSAL

       In 2003, the United States Army Contracting Command Agency (Army or
government) awarded Indefinite-Delivery/Indefinite-Quantity (IDIQ) Contract
No. W91QUZ-04-D-0003 to IBM Corporation (appellant or IBM) for worldwide information
technology (IT) services. In 2003, the Army issued Task Order 0002 (TO 2) for IT support at
the National Defense University at Fort McNair in Washington, DC. This appeal arises out of
a contracting officer's final decision (COFD) asserting a government claim for $5,903,353 in
alleged overcharges by IBM under TO 2, based on IBM's alleged failure to perform the
requirements of TO 2.

       Appellant's brief contains three distinct motions: ( 1) a partial motion to dismiss for
lack of jurisdiction; (2) a motion for summary judgment on the basis that the government's
claim is time-barred by the six-year statute of limitation set forth in the Contract Disputes Act
(CDA), 41 U.S.C. §§ 7101-7109; and (3) a motion to dismiss the government's complaint
with prejudice for failure to state a claim upon which relief can be granted.

       We address each of appellant's motions separately.
              STATEMENT OF FACTS (SOF) FOR PURPOSES OF THE MOTIONS

       1. On 22 October 2003, the Army Contracting Command Agency-ITEC4 (Army or
government) awarded IDIQ Contract No. W91QUZ-04-D-0003 (the contract) to IBM for IT
services worldwide. With options, the contract period was from 22 October 2003 until
21 October 2010. (R4, tab 1 at 1)

       2. On 30 June 2005, the Army awarded TO 2 to IBM for IT support at the National
Defense University (NDU) (R4, tab 12 at 2). The task order included a base period of
performance of 1 July 2005 through 1 July 2006, as well as two 12-month option periods,
1 July 2006 to 30 June 2007 and 1 July 2007 to 30 June 2008 (id. at 1, 5-17). The period of
performance was extended to 2 September 2008 by Modification No. 27 (R4, tab 19).

       3. TO 2's Performance Work Statement (PWS) provides: "The Contractor shall
operate and maintain baseline services and infrastructure in accordance with Appendix C"
(R4, tab 12 at 22). Appendix C consists of a table entitled "Operate and Maintain Baseline
Services and Infrastructure." Below is an excerpt of the portion of the table relevant to the
present motions.




Establish     I) Create, maintain     I) Ensure security    I) Monthly certified   0.5%of total monthly
and           and update required     documentation         review of security     price shall be
administer    NDU IA policy and       complies with         documentation          deducted for
IT security   procedures mandated     Federal                                      documented
program       by DOD regulations      legislation ...                              deficiencies noted in
              and federal laws                                                     Monthly reviews for
              2) Review audit logs    2) Respond to         2) Review network      identified monitor
              and monitor network     security breaches     security reports and   activities and not
              security tools          within 4 hours of     logs                   corrected within 30
                                      notification                                 days.
              3) Establish and        3) Ensure that        3) Review patch
              monitor University      systems have latest   documentation
              software patch          security patches      reports and logs
              program                 installed within 24
                                      hours of approved
                                      release;
              4) Analyze network      4) Provide monthly    4) Review IA related
              and web activity data   network metric        help tickets
              to identify possible    reports to include
              problem trends and      but limited to:
              propose proactive       network, server and
              solutions               services downtime;

                                                     2
             5) Create and oversee     5) Provide IA         5) Survey users to
             a security training and   training to faculty,  ensure training [has]
             awareness program         staff and students at been met
                                       least once a year;
             6) Establish and          6) Ensure COOP        6) Review test plans,
             maintain for critical     plans are current     procedures and test
             NDU systems and           and tested annually   results
             continue to operate
             (COOP) plan,
             procedures and
             resources for ongoing
             operations under
             emergency situations
             7) Provide                7) Test new           7) Review NDU
             information assurance     technologies,         projects for IA
             and security analysis     security tools and    compliance and
             on proposals related      procedures prior to   documentation
             to new technologies       implementation
             and new operational
             policies within the
             university
Establish    Create, maintain and      Ensure program        Provide monthly         0.5% of total
and          update network            documentation and     network operational     monthly price shall
administer   security policies,        resource              security activity       be deducted for
a network    procedures and            assignment            reports to the NDU      documented
operations   operational guidance      necessary to          Chief Information       deficiencies noted in
security     mandated by federal       achieve and           Security Officer        monthly reviews for
program      and DOD regulations       maintain DOD and                              identified monitored
                                       federal compliance                            activities that are not
                                                                                     corrected within 30
                                                                                     days of notification
                                                                                     or by mandated
                                                                                     DOD and federal
                                                                                     implementation
                                                                                     deadlines.



(R4, tab 12 at 33-34)

      Staffing under the Contract

       4. IBM had been providing IT support services to NDU under performance-based
contracts for several years prior to 2005 (app. mot., Statement of Undisputed Material Facts
(ASUMF), 1; gov't resp., Statement of Genuine Issues of Material Facts (GSGIMF), 1),
when it was awarded TO 2 (ASUMF, 2).



                                                      3
      5. NDU staff had the opportunity to directly observe IBM's day-to-day performance
under TO 2. IBM employees worked side-by-side and in the same location as NDU
employees. (ASUMF , 5)

        6. IBM provided the government with a staffing plan at the contract's inception
(ASUMF, 15; GSGIMF, 15). There are factual disputes concerning the content of the staffing
plan, including whether certain personnel relevant to the government's claim were included in
the staffing plan (R4, tab 8 at 18-20, 40-47; ASUMF, 15; GSGIMF, 15).

        7. Of the 22 employees at issue in the government's claim, 4 had supported NDU
prior to TO 2, under IBM's former contracts (ASUMF, 16; GSGIMF, 16).

        8. Before making personnel changes during performance, IBM consulted with NDU
officials about proposed personnel changes (ASUMF , 20). IBM provided to the government
resumes of new candidates for review and also gave the government an opportunity to meet
new candidates for contract positions during task order performance (ASUMF , 21; see, e.g.,
R4, tabs 36, 38).

       Network Intrusions and Subsequent Government Investigations

       9. The government identified a total of six malicious network intrusions during the
period from January 2006 until June 2009. The six intrusions occurred on or about January
2006, November 2007, 4 November 2008, 14 May 2009, 17 June 2009, and 23 June 2009.
The first network intrusion occurred in January 2006, but was not detected until November
or December 2006 (ASUMF, 24; GSGIMF, 24; app. reply br., ex. A, 24). Two of the
six network intrusions occurred during TO 2's period of performance, from 2005 to
September 2008 (ASUMF, 23; GSGIMF, 23).

       10. The six attacks resulted in the exfiltration of unclassified but sensitive DoD
information, including personally identifiable information ofNDU students and faculty,
expense and budget reports, and documents related to U.S. military technology and technical
tradecraft. The attacks degraded NDU's network and compromised the DoD Non-Classified
Internet Protocol Router Network (NIPRNET). (R4, tab 31 at 15-25)

      Government's Demand Letter and Contracting Officer's Final Decision

       11. By letter dated 8 March 2013, the contracting officer (CO) issued a demand for
payment of $8,998,187 allegedly owed as a result of IBM's failure to perform and deliver
services as required under TO 2. The letter stated, in part:

                    There were six (6) major network intrusions requiring IBM
             to execute network security IT services in the systems that IBM
             was to support under this Task Order. These intrusions

                                             4
               compromised the DoD computers assigned to the National
               Defense University (NDU), Fort McNair, Washington D.C., and
               commenced approximately January 2006

                       IBM failed to plan, develop, manage, and execute
               substantial network security IT services and related enterprise
               architecture management in accordance with the subject Task
               Order. Furthermore investigation revealed that IBM personnel
               did not have the appropriate subject matter expertise, and were not
               qualified to execute the IT security related tasks to properly plan,
               test and conduct specific tasks of IT security, as required in the
               subject Task Order. In addition, IBM failed to develop, test, and
               execute a proper network security incident response plan.

(R4, tab 22)

       12. On 21 March 2013, IBM responded by letter, through counsel, denying liability
(R4, tab 23).

       13. On 23 May 2013, the Contracting Officer (CO) responded to IBM by letter and
provided it copies of the Government Audit Net Security Reports. The CO also proposed a
meeting for 12 June 2013 to discuss the findings of the government's audits. (R4, tab 25)
The exhibits summarized the results of government investigations, during the period from
12 December 2006 through 9 January 2009:

               - Exhibit #1: "National Security Agency Blue Team Assessment,"
               dated 15 December 2006;
               - Exhibit #2: "DISA NIPRNET Compliance Review," dated 18
               May 2007;
               - Exhibit #3: "Army Research Lab NDU Norfolk Campus
               DIACAP Status Report," dated 14 December 2007;
               - Exhibit #4: "NDU IA Issues," dated 15 January 2008;
               - Exhibit #5: "NDU DIACAP Out brief," dated 21 March 2008;
               - Exhibit #6: "DISA Information Assurance Readiness Review
               (IARR)," dated 5 December 2008;
               - Exhibit #7: "DISA Information Assurance Readiness Review
               Final Report," dated 9 January 2009

(R4, tab 24) The record does not contain full copies of these investigations, only summaries
of the findings.

       14. On 12 June 2013, the CO made a presentation concerning the government's
investigations into IBM's performance of TO 2 (R4, tab 31). IBM was present at the

                                               5
meeting where the CO delivered the presentation (id. at 2). The presentation slides
identified a series of network security assessments by the government, apparently
referencing the exhibits attached to the CO's 23 May 2013 letter (R4, tab 25).

     15. The 12 June 2013 presentation also included a breakdown of the claimed total
damages to the government resulting from IBM's alleged deficient performance.


 1)   DISA Network Assessments
      11-15 December 2006                  $137,874
      14-18 May 2007                       $114,741
      1-5 December 2008                    $113,965
      15-19 December 2008                  $105,331

 2)   NDU Personal ldentifving Info
      Protection Coveraee
      01 February2009-31 January20IO       $44,492

 3)   Arml'.: Research Lab {ARL} IA
      Consultation & CNDSP
      01 Dec 2006- 30 Sept 2007            $221,325
      1 Oct 2007 - 30 Sept 2008            $265,590
      1 Oct 2008 - 30 Jun 2009             $351,600

 4)   Labor Mischarging and Labor
      Deficiencies (21 Individuals)
      2005 - 2008 Contract Period          $4,037,019
                                           Sub Total:        $5.277.973


 5)   Total Contract Invoices PAID {JulI    $16,426,4 7c
      2005-Seo 2008)
      PWS Aooendix C deficiency Areas                    ~
      Penalty for each deficiency Area               0.00~
      (0.5%)
                                                             Sub Total:   $657.059

 6)   DIACAP Training Class (20 persons)          $19,04<
                                                             Sub Total    $19,049
                                                             Grand Total: $5.954.081

(R4, tab 31 at 53)



                                              6
       16. On 13 June 2013, the Defense Contract Audit Agency (DCAA) completed a
formal labor billing analysis identifying 22 individuals that purportedly billed at different
labor category rates than those applicable to the actual tasks performed, and some who did not
perform the minimum required elements of the task order (R4, tabs 26-27). This analysis was
the basis of the claimed $4,037,019 in damages for "Labor Mischarging and Labor
Deficiencies (21 Individuals)" set forth in the CO's 12 June 2003 presentation.

         17. On 2 August 2013, IBM responded by letter, providing a detailed response to each
of the government's allegations and denying liability (R4, tab 28). IBM contended, in part,
that it did not warrant freedom from unauthorized access and is not contractually liable for
security breaches (id. at 6). IBM further contended that its performance was subject to
oversight by NDU's chief information officer and that NDU failed to implement many of
IBM's recommendations for improving network security (id. at 3-4).

       18. By letter dated 24 August 2015, the CO issued a COFD asserting a government
claim for $5,903,353. The COFD stated that six major network intrusions had compromised
the DoD computers assigned to the NDU, beginning in January 2006. Based on internal
investigations, the COFD claimed:

             ( 1) [T]hat IBM failed to plan, develop, manage, and execute
             substantial network security IT services and related enterprise
             architecture management in accordance with the subject Task
             Order, (2) IBM failed to adhere to material requirements of the
             Task Order by failing to ensure that NDU's network was properly
             secured, managed, and maintained, and as a result of failing to meet
             material requirements and (3) IBM failed to apply or to execute
             necessary security safeguards, as requ_ired by the subject Task
             Order.

(R4, tab 29 at 1-2)

       19. With respect to the internal investigations, the COFD stated that:

              The Defense Criminal Investigative Services (DCIS), Cyber
              Crimes Division conducted an investigation; in conjunction with
              examining Government network security audit reports, while
              consulting with Government Subject Matter Experts who
              specifically examined the network security posture ofNDU and
              IBM's performance, it was determined that IBM was responsible
              for network security violations, labor mischarging and personnel
              security violations during IBM's contract performance.

(R4, tab 29 at 2)

                                              7
        20. The COFD further claimed that IBM personnel did not have the appropriate
subject matter expertise and were not qualified to execute the IT security-related tasks
required in the subject task order. The COFD also alleged that IBM failed to develop,
test, and execute a proper network security incident response plan, and that IBM failed to
execute their Quality Control Plan, which IBM stated would be used to identify the
process for achieving all performance objectives of the PWS. The COFD concluded that
IBM failed to perform all TO 2 requirements, as well as submitted invoices, and was
paid, for work not performed. (R4, tab 29 at 1-2)

       21. Appellant timely filed a notice of appeal from the 24 August 2015 COFD.
The notice of appeal included a request that the government be required to file the
complaint. The Board docketed the appeal as ASBCA No. 60332. On 22 February 2016,
the government filed its complaint.

        22. Paragraph 15 of the government's complaint states: "The task order PWS
§ 6.4.3 required: 'The Contractor shall operate and maintain baseline services and
infrastructure in accordance with Appendix C (Operate and Maintain Baseline Services
and Infrastructure)."' Subparagraph (a) of paragraph 15 further provides: "The tasks at
Appendix C contained eight specific areas related to network security." The complaint
then lists eight tasks appearing in the Required Service column of Appendix C that
correlate to two desired functions. The associated desired functions are "Establish and
administer IT security program" and "Establish and administer a network operations
security program." (Compl. ,-r 15; see also SOF ,-r 3) Subparagraph (b) of paragraph 15
provides: "Each of the eight areas contained performance standards and acceptable
quality levels ('AQLs')." It then lists the eight items appearing in the "Performance
Standard and AQL" column of Appendix C associated with the same two desired
functions. (Id.)

          PARTIAL MOTION TO DISMISS FOR LACK OF JURISDICTION

       Appellant contends that we lack jurisdiction to entertain the government's
allegations in its complaint that IBM failed to meet the "acceptable quality levels"
(AQLs) set forth in the contract for network security, because those allegations were not
within the COFD. 1 Appellant moves to strike the allegations relating to the network
security AQLs from the government's complaint. (App. mot. at 19)

        We conclude that allegations in the complaint relating to AQL deficiencies relate
to the same set of "operative facts" set forth in the COFD and, therefore, fall within the



1
    In the contract's statement of work, performance standards are expressed as acceptable
        quality levels or AQLs (R4, tab 1 at 112).
                                                  8
scope of the COFD. We deny appellant's partial motion to dismiss and/or to strike these
allegations from the government's complaint.

                                       DISCUSSION

       The scope of the Board's jurisdiction is determined by the contents of the claims
submitted to the CO who issues a decision on said claims which are timely appealed to the
Board. Thus the claim, and not the complaint, determines the scope of our jurisdiction.
American General Trading & Contracting, WLL, ASBCA No. 56758, 12-1 BCA, 34,905
at 171,639; see also US. Coating Specialties & Supplies, LLC, ASBCA No. 58245, 15-1
BCA, 35,957 at 175,706 (citing Optimum Services, Inc., ASBCA No. 57575, 13
BCA, 35,412 at 173,726) ("The Board lacks jurisdiction over claims raised for the first
time on appeal."). In Placeway Construction Corporation v. United States, 920 F.2d 903,
907 (Fed. Cir. 1990), the Federal Circuit explained that in determining whether an issue
constitutes a new or separate claim, "the court must assess whether or not the claims are
based on a common or related set of operative facts." In determining a claim's scope, we
are not limited to the claim document but may examine the totality of the circumstances.
Sauer Incorporated, ASBCA No. 60366, 16-1 BCA, 36,565 at 178,101.

        Appellant asserts that the government's allegation that IBM's performance failed
to meet the network security AQLs specified in the task order, set forth in paragraph 15,
subparagraph (b) of complaint, was not asserted in a government claim or in the COFD
and is, therefore, not properly before the Board (app. mot. at 19). 2 At paragraph 15 of the
government's complaint, the government identifies eight tasks, and their associated
AQLs, as concerning network security; these are the tasks associated with the "Establish
and administer IT security Program" and "Establish and administer a network operations
security program" functions in Appendix C (SOF ,, 22, 18). For the purposes of this
motion, we will refer to these desired functions, collectively, as the network security
functions. 3

       The government argues that the COFD's reference to IBM's failure to complete
tasks corresponding to three desired functions, which includes the network security


2   Appellant also argues that the Board lacks jurisdiction over the government's complaint to
      the extent that it seeks relief on the basis of the follow-on task order contract performed
      by IBM from 3 September 2008 to 2 September 2009 (app. mot. at 25). The government
      has acknowledged and agreed that the follow-on task order is not a part of the
      government claim before the Board in this appeal and states that the government has
      lodged no claim against appellant under the follow-on task order contract (gov't resp. at
      25).
3
    We will refer to the tasks associated with the network security functions as the network
       security tasks; we will refer to the AQLs associated with the network security
       functions as network security AQLs.
                                                9
functions, "are sufficient references to the AQLs to maintain the Board's jurisdiction
regarding any issue alleging that IBM failed to meet network security AQLs" (gov't resp.
at 21 ). It further contends that appellant was aware, at the time the COFD was issued,
that a portion of the claimed damages was attributable to AQL deficiencies (id. at 22).

       A comparison of the language of the COFD and the complaint demonstrates that
they are based on the same operative facts. The COFD states that "IBM failed to plan,
develop, manage, and execute substantial network security IT services" (SOF 1 18). It
also references the contractor's responsibility to perform network security tasks in
accordance with TO 2 and alleges that IBM did not properly perform these tasks (see id.).
The language of the complaint is more specific. Paragraph 15 of the complaint recites
specific portions of the contract's performance work statement and enumerates eight
specific tasks relating to network security at the NDU (compl. 115.a.; SOF 113, 22). It
further enumerates the AQLs associated with each of the eight tasks (compl. 115.b.).
Finally, it describes the contractual penalty for failing to meet the AQLs - a deduction of
0.5% of the total monthly price for each documented deficiency that is not corrected
within 30 days (compl. 115.c.).

        Appellant cites this penalty clause as the alleged factual distinction between the
claim in the COFD and the allegations in the complaint. According to appellant, the
0.5% penalty was not part of the government's claim (app. mot. at 20). Appellant's
argument elevates form over substance. While the language of the complaint is more
specific, the COFD expressly references the contractor's responsibility to perform
network security tasks in accordance with TO 2 and alleges that IBM did not properly
perform these tasks (see SOF 11 18, 19). TO 2 provides that monthly invoices are to be
deducted by 0.5% for AQL deficiencies (see SOF 13). The COFD's reference to IBM's
failure to perform the "network security tasks" set forth in TO 2 encompasses the specific
tasks and associated AQLs alleged in the complaint and set forth in the TO. Although the
allegations in the complaint are more detailed and specific, they are based on the same
operative facts as the COFD. See DSP, Inc., ASBCA No. 32869, 87-1 BCA 119,452 at
98,290 (fact that one claim included a specific item of damage that did not appear in the
other claim was not sufficient to treat claims as being separate and discrete). Indeed, in
order to adjudicate whether IBM failed to perform network security tasks as claimed in
the COFD, or whether it failed to meet the AQLs for specific network security tasks as
alleged in the complaint, the Board must review the same evidence concerning IBM's
performance of network security tasks. See Lael Al Sahab & Co., ASBCA Nos. 58344,
59009, 15-1BCA135,809 at 175,130 (quoting Placeway Constr., 920 F.2d at 907)
(holding that if the Board "will have to review the same or related evidence to make its
decision, then only one claim exists").

      Moreover, there is evidence that the 0.5% deduction accounts for a portion of the
government's claimed damages in the COFD. Prior to issuing the COFD, the CO
conducted a presentation regarding the government's claim against IBM, at which IBM

                                              10
was present (SOF ,r 14). The presentation divided into parts the government's claim,
stating that approximately $657,059 of the government's $5,903,353 claim is attributable
to a 0.5% penalty against all invoices paid between July 2005 and September 2008 for
Appendix C deficiencies (SOF ,r 15). Appellant offers no rebuttal to this evidence in
support of its contention that the AQL deficiencies were not included in the government's
claim (see generally app. reply hr.). The 0.5% contractual penalty, which appellant
contends applies only to AQL deficiencies, appears to always have been a part of the
government's claimed damages. The complaint's direct reference to network security
AQLs merely provides details about the government claim, where the language of the
COFD includes the broad assertion that IBM is liable for failure to provide network
security services in accordance with TO 2.

        Even if the Board concluded that the COFD did not state a claim on the basis of
AQL deficiencies, the allegations in the complaint only would assert a new legal theory
 for recovery. The complaint seeks the same relief. The operative facts for these
allegations in the complaint are the same as those underlying the claim as stated in the
COFD. Both the claim and the complaint require examining the facts regarding how
IBM performed the network security functions under TO 2. The assertion of a differing
legal theory for recovery, when based on the same operative facts, does not defeat our
jurisdiction. Scott Timber Co. v. United States, 333 F.3d 1358, 1365 (Fed. Cir. 2003).

       Appellant's partial motion to dismiss and/or to strike from the complaint all
allegations that IBM failed to meet the network security AQLs is denied.

                       MOTION FOR SUMMARY JUDGMENT

        We tum next to appellant's motion for summary judgment. The basis for
appellant's motion is that the government's claim is time-barred by the six-year statute of
limitation set forth in the CDA, 41 U.S.C. §§ 7101-7109. We find the current record to
be inadequate to sustain a finding that the government's claim is time-barred and deny
summary judgment in appellant's favor.

                                      DISCUSSION

I.     Summary Judgment Standard

        Summary judgment is appropriate when, drawing all inferences in the non-movant's
favor, the movant establishes that there is no genuine dispute as to any material fact and the
movant is entitled to judgment as a matter of law. Mingus Constructors, Inc. v. United
States, 812 F.2d 1387, 1390-91 (Fed. Cir. 1987). It is appellant's burden as movant to
show by undisputed material facts that the government's claim is time-barred under the



                                               11
CDA. See Supreme Foodservice GmbH, ASBCA No. 57884 et al., 16-1 BCA 1 36,426 at
177,582.

II.    Six-Year Statute of Limitations Under the CDA

        The CDA requires a contract claim to be "submitted within 6 years after the
accrual of the claim." 41 U.S.C. § 7103(a)(4)(A). A claim accrues under the CDA when
"all events, that fix the alleged liability ... and permit assertion of the claim, were known or
should have been known." Some injury must have occurred; however "monetary
damages need not have been incurred." FAR 33.201. The events fixing liability should
have been known when they occurred unless they can be reasonably found to have been
either concealed or "inherently unknowable" at that time. Raytheon Missile Systems,
ASBCA No. 58011, 13 BCA 135,241 at 173,017.

       Appellant alleges that there is no genuine dispute over certain facts which
establish that "the claims asserted in the complaint accrued more than six years before the
Government asserted them" (app. mot. at 1). Appellant divides the government claim
into two claims with different accruals, arguing that the government is asserting
entitlement to costs on the basis of two legal theories: (1) a claim for costs for breach of
contract due to deficient performance under the task order, and (2) a claim for labor
mischarging (app. mot. at 6). We first address the date on which the government filed its
claims, and then address the dates on which those claims allegedly accrued.

              A.      Date of the Government's Claims

        At the outset, we note that appellant has failed to establish, or even propose, as an
undisputed material fact a date on which the government submitted its claims (see
generally, ASUMF). However, appellant's brief argues that the government did not issue
its claims until, at the earliest, 8 March 2013, when it issued a demand for payment letter
(app. reply br. at 1-2). Appellant also argues that the government's claims accrued more
than six years before 8 March 2013. We understand this to mean that, for purposes of its
motion, appellant accepts that the government filed its claims on 8 March 2013. The
government, for its part, also refers to the 8 March 2013 demand letter as a claim,
referring to the letter as "demanding the sum certain of $8,998,187.87" (gov't opp'n at
2, 15), and arguing that the CO's 8 March 2013 demand letter was within the six-year
statute of limitations (id. at 4 ). In the alternative, the government argues that the COFD
on 25 August 2015 was within the six-year statute of limitations, on the grounds that the
claim accrued no earlier than 4 April 2012, when DCIS reported its findings to the CO
( comp I. 1 7).

       We conclude that the government first asserted its claim on 8 March 2013, when it
issued a demand letter for the sum certain amount of $8,998,187 (SOF 111). The
government's demand letter satisfies the definition of"claim" set forth in FAR 2.101,

                                                12
because it contains a "written demand or written assertion by one of the contracting
parties seeking, as a matter of right, the payment of money in a sum certain."
FAR 2.101; Eaton Contract Services, Inc., ASBCA No. 52888 et al., 02-2 BCA ,r 32,023
at 158,267 (total overall demand for payment of a specific dollar amount meets the
FAR's requirement that a monetary claim be for a sum certain). The 8 March 2013
demand letter is distinct from a "voucher, invoice, or other routine request for payment
that is not in dispute when submitted," because IBM unequivocally denied liability for
the payment demand on 21 March 2013, when its counsel responded to the CO's letter
(SOF ,r 12). The parties continued to dispute both liability and quantum during their
subsequent discussions, which culminated in the COFD, dated 25 August 2015.
(SOF ,r 17; compl. ,r 19).

              B.         The Dates of Alleged Accrual

        A claim accrues "when all events, that fix the alleged liability of either the
Government or the contractor and permit assertion of the claim, were known or should
have been known." FAR 33.201. The "knew or should have known test" includes a
reasonableness component regarding "what facts were reasonably knowable to the
claimant. Summary judgment is not normally appropriate where reasonableness and
subjective knowledge are facts at issue." Kellogg Brown & Root Services, Inc., ASBCA
Nos. 58518, 59005, 16-1 BCA ,r 36,408 at 177,528 (quoting Raytheon Company,
ASBCA No. 58840, 15-1 BCA ,r 36,000 at 175,868). To determine when the alleged
liability was fixed, we begin by examining the legal basis of a particular claim. Gray
Personnel, Inc., ASBCA No. 54652, 06-2 BCA ,r 33,378 at 165,475.

                    i.         Deficient Performance Claim

      Appellant asserts that the government's deficient performance claim accrued at the
time of the first network intrusion in January 2006, or, at the latest, by December 2006,
when the government discovered the first network intrusion (app. mot. at 7-8). The
government argues that it could not have known of its claim against IBM until it
completed an investigation of the network intrusion (gov't opp'n at 14).

        IBM has failed to demonstrate by undisputed facts that the government knew or
should have known at the time of the discovery of the first network intrusion that the
government was aware of the facts concerning IBM's performance of TO 2 requirements.
The government's claim is based, in part, on the contention that the network intrusions
were caused by IBM's failure to perform network security IT services and enterprise
architecture management in accordance with TO 2 (SOF ,r 15). IBM has established only
the time of the first network intrusion, the time of discovery of the first network intrusion,
and that IBM staff worked in the same location as NDU employees (see SOF ,r,r 10, 14).
This is not sufficient for the Board to conclude that, at the time of the discovery of the
network intrusion, the government knew or reasonably should have known of its claim

                                                13
against IBM, especially in light of the government's assertion that multiple investigations
were necessary to reveal the alleged deficiencies in IBM's performance that serve as the
basis for the government's claim (gov't opp'n at 2-3).

       The Board also rejects appellant's characterization of the government's brief as
conceding that the government had knowledge in December 2006 of findings of the
investigation that are the basis for the government's claim (see app. reply br. at 8).
Appellant refers to language in the government's brief that provides: "these items [the
alleged acts and omissions giving rise to the government's claim] were noted after a
Defense Information Systems Agency ('DISA') Incident Response & Recovery Team
(IRRT) visit on 30 November 2006 to 15 December 2006" (gov't resp. at 18). The
government's brief concedes the timing ofDISA's visit, but not the timing of when DISA
could report its findings. Moreover, a separate part of the government's brief asserts that
the government's claim was based on the findings of the Defense Criminal Investigative
Service investigation, which was not completed until 4 April 2012 (gov't opp'n at 2-3,
13).

        In addition, the record is incomplete regarding the scope, nature, and details of the
government's internal investigations. Although the record contains slides from the
government's 12 June 2003 presentation with some information about the dates of its
internal investigations (SOF ,r 14), as well as copies of a series of government audit net
security reports (SOF ,r 13), the summary nature of these reports do not provide sufficient
detail to determine the relationship between the government's audit findings and the
network intrusions. Moreover, as IBM itself pointed out in its response to the
government's initial claim, there are significant disputes of material fact regarding whose
responsibility it was to implement various network security measures designed to prevent
network intrusions (SOF ,r 17). In order to draw conclusions about the timing and scope
of the government's knowledge of the network intrusions, and IBM's alleged failure to
prevent the intrusions, we would need significantly more information about the
government's investigations.

       The multiple investigations, and the lack of detailed information about those
investigations in the record, raise a genuine issue of material fact regarding when the
government should reasonably have known of its deficient performance claim against
IBM. As such, summary judgment is not appropriate with respect to the deficient
performance claim.

                   ii.      Labor Mischarging Claim

      Appellant separately asserts that the government's labor mischarging claim is
time-barred (app. mot. at 9-11). The only date proposed and established by appellant as
undisputed that relates to the labor mischarging claim is September 2008, the month
when TO 2 performance was completed (SOF ,r 9). Appellant contends that the latest the

                                               14
government claim could have accrued is September 2008, "the latest month for which the
Government asserts that NDU was overcharged" (app. mot. at 10). Appellant further
alleges that the first time the government asserted a claim for labor mischarging was in
the 24 March 2015 COFD. Appellant does not argue that the 8 March 2013 demand
letter is not a claim; it only argues that the 8 March 2013 letter does not include a claim
for labor mischarging. Accordingly, appellant contends that the labor mischarging claim
is time-barred because the latest the claim could have accrued was at the end of IBM's
performance of TO 2 in September 2008, more than six years prior to the 24 March 2015
COFD. (Id.)

       The government has stated that the primary concern of the government's labor
mischarging claim is that "IBM mischarged the government for personnel who did not
meet the contractually specified qualifications" (gov't resp. at 20; compl. , 15) The
8 March 2013 letter states: "Furthermore investigation revealed that IBM personnel did
not have the appropriate subject matter expertise, and were not qualified to execute the IT
security related tasks to properly plan, test and conduct specific tasks of IT security, as
required in the subject Task Order" (SOF, 11). In light of this language, we see no basis
to determine that the 8 March 2013 letter does not encompass the government's labor
mischarging claim. Accordingly, the Board need not assess if the claim could have
accrued any later than September 2008 because the 8 March 2013 demand letter was
issued within six years of the end of the task order performance.

        Appellant's alternative arguments alleging earlier accrual of the government's
labor mischarging claim are not supported by undisputed facts. Appellant argues that all
but 4 employees that serve as the basis for the labor mischarging claim were engaged on
the task order before March 2007, and, therefore, it is entitled to summary judgment with
respect to those 18 employees on the basis that the government would have received their
resumes at the time the employees were hired (app. mot. at 10). We disagree. While
appellant established undisputed facts concerning general routines for hiring new
personnel during performance of the task order (see SOF, 13), appellant failed to
establish or even propose the dates when the 18 individuals were hired under TO 2.
Accordingly, appellant has failed to establish as an undisputed fact the timing of the 18
individuals' employment. Appellant also argues that all charges for invoices submitted
prior to March 2007 should be dismissed under summary judgment and asserts that any
aspect of the government's claim relating to background investigations also is
time-barred (app. mot. at 11-12). Appellant failed to establish facts regarding the date of
specific invoices for which it seeks summary judgment. Nor did it establish any facts
concerning how background investigations were conducted under the task order.

       Thus, we conclude that the current record is inadequate to sustain a finding that
the government's claim is time-barred and deny appellant's motion for summary
judgment as to the labor mischarging claim.


                                              15
III.   Partial Summary Judgment as to A QLs

        Appellant also contends that it is entitled to summary judgment on the portion of
the government's claim that alleges IBM failed to meet the network security AQLs (app.
mot. at 21 ). Appellant contends that an AQL violation occurs only if a relevant
deficiency is noted in monthly metric reports, and there is no dispute that none were
reported (app. mot. at 21; see also ASUMF, 12; GSGIMF, 12). However, the
government has disputed the veracity of the information contained in the monthly metric
reports (see gov't opp'n at 2-3,, 3). IBM prepared monthly metric reports as a
deliverable under the contract (R4, tab 12 at 23; GSGIMF, 10). The government
contends that its investigation revealed that security patches were missing, documentation
was lacking, and that information systems were not in compliance with DoD
configuration standards at the time when IBM was reporting no deficiencies and policy
compliance in its reports. It also asserts that the reports were not properly signed,
certified, or accredited. (Gov't opp'n at 2-3,, 3)

        As the government factually has challenged the documents upon which appellant
relies to establish that there were no AQL deficiencies, it has established a material fact
in dispute. Appellant's argument that the audit reports are not relevant to the question of
AQL deficiencies is unpersuasive. Appellant asserts that only the information in the
monthly reports is relevant to the question of whether there were AQL deficiencies,
because there is no contractual right to recover 0.5% of invoice payments based upon
audit findings. (App. reply at 17) In this instance, the government does not use the audit
report as an independent basis for a claim, but rather as evidence to dispute the factual
information contained in IBM's monthly reports. This is sufficient to create a genuine
issue of material fact that precludes our granting summary judgment in appellant's favor.

             MOTION TO DISMISS FOR FAILURE TO STATE A CLAIM

        Finally, appellant also has moved to dismiss the government's complaint for
failure to state a claim upon which relief can be granted, alleging that the complaint is
insufficient to state a claim for labor mischarging. Specifically, appellant contends that
the complaint's allegations do not identify any contractual provision specifying that
particular tasks may be performed by a person in a specific labor category.

       The complaint contains two allegations concerning labor mischarging. First, the
government alleges that "[IBM billed] 22 individuals ... at different labor category rates
than those applicable to the actual tasks performed." Second, the government alleges that
some of those 22 individuals "did not perform the minimum required elements of the task
order." The complaint also references DCAA's analysis of 22 specific employees, which
found examples of unqualified personnel and defective performance. (Compl., 18)



                                               16
              A.     Standard of Review

        Dismissal for failure to state a claim upon which relief can be granted is appropriate
 where the facts asserted in the complaint do not entitle the claimant to a legal remedy.
Lindsay v. United States, 295 F.3d 1252, 1257 (Fed. Cir. 2002). The Board will grant a
motion to dismiss for failure to state a claim when the complaint fails to allege facts
plausibly suggesting (not merely consistent with) a showing of entitlement to relief. Cary
v. United States, 552 F.3d 1373, 1376 (Fed. Cir. 2009) (citing Bell Atlantic Corp. v.
 Twombly, 550 U.S. 544, 557 (2007)). In deciding a motion to dismiss for failure to state a
claim, "the court must accept well-pleaded factual allegatfons as true and must draw all
reasonable inferences in favor of the claimant." Kellogg Brown & Root Services, Inc. v.
 United States, 728 F.3d 1348, 1365 (Fed. Cir. 2013). In this review, "[w]e decide only
whether the claimant is entitled to offer evidence in support of its claims, not whether the
claimant will ultimately prevail." Matcon Diamond, Inc., ASBCA No. 59637, 15-1
BCA ,r 36,144 at 176,407. The scope of our review is limited to considering the
sufficiency of allegations set forth in the complaint, "matters incorporated by reference or
integral to the claim, items subject to judicial notice, [and] matters of public record." A &D
Auto Sales, Inc. v. United States, 748 F.3d 1142, 1147 (Fed. Cir. 2014) (citing 5B CHARLES
ALAN WRIGHT & ARTHUR R. MILLER, FEDERAL PRACTICE AND PROCEDURE § 1357 (3d ed.
2004)). For purposes of assessing whether an appeal before us states a claim upon which
relief can be granted, the primary document setting forth the claim is not the complaint, per
se, but is either the contractor's claim or the government's claim, the letter asserted in a
COFD as required by the Contract Disputes Act, 41 U.S.C. § 7103(a)(3). Lockheed Martin
Integrated Systems, Inc., ASBCA Nos. 59508, 59509, 17-1 BCA ,r 36,597 at 178,281.

              B.     The Parties' Contentions

       Appellant contends that the government has failed to state a claim for breach of
contract, because the complaint's allegations do not identify any contractual provision
specifying that particular tasks may only be performed by a person in a specific labor
category. According to appellant, the contract required merely that IBM bill based on
labor rates defined by each worker's labor category, not by the actual tasks performed
(app. reply at 15-16). Appellant relies on pre-award discussions concerning IBM's
proposed staffing approach to demonstrate that the government was aware that IBM
personnel assigned to the task order would not be limited to supporting only certain tasks
or sub-areas (app. mot. at 18).

       In response, the government insists that the primary concern in its complaint is that
IBM mischarged the government for personnel who did not meet the contractually-specified
qualifications, not that contractor personnel worked on tasks outside their assigned labor
categories. According to the government, it does not matter what task an employee is
performing if the government is consistently paying the contractor for a more costly labor
category. The government also notes that the complaint references the DCAA's

                                               17
investigation into labor mischarging, including DCAA's analysis of 22 specific employees,
and that the allegations in the complaint are sufficient to state a claim labor mischarging
based on unqualified personnel (gov't resp. at 20).

              C.      The Government has Stated a Claim for which Relief May
                      be Granted

       Appellant's contention that the complaint is deficient, because it does not identify
a contractual provision requiring particular tasks to be performed by a person in a specific
labor category, fails to account for the complaint's allegations that individuals failed to
meet contractual specifications. We read the labor mischarging allegations in the
complaint more broadly; as alleging both that appellant overcharged for tasks performed
by certain individuals, and that certain individuals did not perform the minimum required
elements of the task order.

        Our understanding of the complaint's allegations is reinforced by the specific
factual allegations set forth in the COFD. See Lockheed Martin Integrated Systems, 17-1
BCA ,r 36,597 at 178,281 (holding that Board will examine complaint and COFD in
analyzing a motion for dismiss for failure to state a claim). Although the complaint could
have been more specific in terms of identifying alleged violations of contractual terms,
the COFD alleges that IBM employees violated the task order by failing to perform
"tangible work in the area of quality assurance, network security and enterprise
architecture as prescribed in the PWS" (R4, tab 29 at 2). Moreover, with respect to
employee qualifications, the COFD alleges that IBM personnel "did not have the
appropriate subject matter expertise, and were not qualified to execute the IT security
related tasks to properly plan, test and conduct specific tasks of IT security, as required in
the subject Task Order" (SOF ,r 18). Taken together, the allegations in the complaint and
the COFD are sufficient to state a claim for labor mischarging.

                                        CONCLUSION

       For these reasons, each of appellant's motions is denied.

       Dated: 8 March 2018




                                                     Administrative Judge
                                                     Armed Services Board
                                                     of Contract Appeals
(Signatures continued)


                                                18
 I concur                                          I concur




 RICHARD SHACKLEFORD                               OWEN C. WILSON
 Administrative Judge                              Administrative Judge
 Acting Chairman                                   Vice Chairman
 Armed Services Board                              Armed Services Board
 of Contract Appeals                               of Contract Appeals


       I certify that the foregoing is a true copy of the Opinion and Decision of the Armed
Services Board of Contract Appeals in ASBCA No. 60332, Appeal of IBM Corporation,
rendered in conformance with the Board's Charter.

      Dated:



                                                   JEFFREY D. GARDIN
                                                   Recorder, Armed Services
                                                   Board of Contract Appeals




                                              19
