Fraud Liability for Government Contractors with Lax Cybersecurity
The Department of Justice announced on October 6, 2021 the creation of a new Civil Cyber-Fraud Initiative to pursue penalties against government contractors who do not properly comply with the cybersecurity standards required by their contracts. This new risk, under the False Claims Act (FCA), means that CISOs should consult with their lawyers before starting cybersecurity compliance audits.
The National Institute of Standards and Technology’s (NIST) Special Publication (SP) 800-171 Rev. 2 outlines the information security framework federal contractors must adopt to protect networks when working on government contracts. To show compliance with the NIST framework, a contractor need only document an internal review of its cybersecurity policies and procedures and find them compliant. However, under the newly promulgated Cybersecurity Maturity Model Certification (CMMC), federal contractors will be required to have an independent third party certify their compliance with the cybersecurity practices required under their contracts. The CMMC does not raise the bar far above the standards set by NIST SP 800-171. However, contractors who claim compliance with the NIST framework may now face liability under the FCA if the third-party CMMC auditor documents the contractor’s non-compliance with the framework.
The FCA was originally passed during the Civil War to combat fraud by government contractors, but a recent case in the Ninth Circuit shows the courts’ willingness to extend the Act’s application to contractors’ cybersecurity obligations. In United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., the District Court for the Eastern District of California held that a whistleblower who reported a contractor for insufficient cybersecurity practices could move forward with his and the government’s case under the FCA. Prior to this case, courts had been somewhat unwilling to find that a lapse in cybersecurity protocols was sufficiently “material” to support an FCA action. The FCA defines “material” as something that “has a natural tendency to influence, or be capable of influencing, the payment or receipt of money or property.” The analysis looks to the behavior of the government agency that awards the contract.
The court in Markus held that the defendant’s misrepresentations about its compliance with NIST standards were material because the court found that the government may not have awarded the contract if it had known the full extent of the contractor’s noncompliance. The Markus case is set for trial in February 2022. Although the Markus case is pending trial, the court’s willingness to allow the case to proceed will serve as important precedent to support any other FCA cases the government brings forward against contractors with what are alleged to be poor cybersecurity practices.
Experienced cybersecurity counsel can help structure investigations so they are privileged, and can act as advocates in prioritizing remediation strategies and advising on the law. After a serious data incident, for example, contractors may want to conduct a gap analysis against the NIST SP 800-171 standard. Experienced cybersecurity counsel are positioned to be advocates if that compliance gap is questioned by contracting officers or the Department of Justice. As contractors await the finalization of the CMMC framework, cybersecurity counsel can also help them navigate the current regulatory gray areas and ensure they are compliant and competitive in the bidding process from day one.