As predicted, a recent decision from the Federal District Court for the Eastern District of California is the first sign of a new, and potentially enormous wave, of Civil False Claims Act, 31 U.S.C. §§ 3729-33 (“FCA”) actions based on allegations of non-compliance with Federal procurement cybersecurity requirements. On May 8, 2019, that court issued a decision related to allegations of non-compliance with the Department of Defense’s (“DOD”) complex cybersecurity requirements in the DOD FAR Supplement (“DFARS”), 48 C.F.R. § 252.204-7012. See United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., No. 2:15-cv-2245 WBS AC, 2019 WL 2024595 (E.D. Cal. May 8, 2019); C. Hamrick et al., “A Guide to Understanding Federal Contracting Cybersecurity Rules,” Thomson Reuters’ Briefing Papers, Oct. 2017, at 2 (“Government contracting cybersecurity rules could generate the next wave of allegations under the [FCA]”).
DFARS 252.204-7012
The predicate for these FCA allegations, DFARS 252.204-7012, is relatively new. However, the applicability of the clause is broad, and the requirements are complicated and onerous.
In October 2016, DOD issued the final rule implementing DFARS 252.204-7012, and that rule constituted a sea change for defense contractors. DOD specified that the clause is required in all solicitations and contracts, including those for commercial items, except for solicitations and contracts solely for commercially available off-the-shelf, or “COTS,” items. The clause requires “adequate security” on all “covered contractor systems,” a term that means “an unclassified information system that is owned, or operated by or for, a contractor that processes, stores, or transmits covered defense information.” The definition of “covered defense information,” or “CDI,” includes (but is not limited to) information described in the National Archives’ “Controlled Unclassified Information Registry,” or “CUI Registry.” And for “covered contractor information systems” that are not part of a technology service or system operated on behalf of the Government, “adequate security” means that the covered contractor information system is subject to National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171, which includes 110 security requirements. The clause includes other significant requirements.
The October 2016 final DFARS rule was the culmination of a process the DOD began with the publication of a proposed rule in 2011, a final rule in 2013, and two interim rules in August and December 2015. The first interim rule in 2015 introduced the requirement to comply with the security controls in NIST SP 800-171. The second interim rule in 2015 granted contractors additional time (until December 31, 2017) to comply with those requirements, which was an acknowledgement of the burdens associated with compliance.
The Aerojet Decision – Background
As noted above, Aerojet is the first reported FCA decision involving allegations of non-compliance with DFARS 252.204-7012. In that case, the relator, Brian Markus, brought an FCA action against Aerojet Rocketdyne Holdings, Inc. (“ARH”), and its wholly-owned subsidiary Aerojet Rocketdyne, Inc. (“AR”); ARH uses AR to perform its contractual obligations. The court based its background facts on the relator’s Second Amended Complaint. Mr. Markus worked for the defendants as the senior director of Cyber Security, Compliance, and Controls, from June 2014 to September 2015. His allegations included that defendants fraudulently entered into Government contracts despite knowing that they did not meet the minimum standards required to be awarded a Government contract. The court’s decision focused on AR’s contracts with DOD and NASA, citing the 2013 final rule and the two interim rules in 2015 implementing DFARS 252.204-7012, and also citing a NASA cybersecurity regulation at 48 C.F.R. § 1852.204-76 (part of the NASA FAR Supplement) that includes security controls where a contractor stores sensitive but unclassified Government information. The defendants terminated the relator’s employment in September 2015, and the relator filed his initial complaint in October 2015. The United States declined to intervene in the case.
The Aerojet Decision – Materiality and Cybersecurity Requirements
The relator’s FCA claims included allegations based on 31 U.S.C. § 3729(a)(1)(A), which imposes liability on anyone who “knowingly presents, or causes to be presented, a false or fraudulent claim for payment or approval,” and § 3729(a)(1)(B), which imposes liability on anyone who “knowingly makes, uses, or causes to be made or used, a false record or statement material to a false or fraudulent claim.” The court explained that outside the context where a claim is literally false or fraudulent, the Ninth Circuit recognizes two doctrines that attach FCA liability to allegedly false or fraudulent claims: false certification (which can either involve an express false certification or implied false certification) and promissory fraud, also known as fraud in the inducement. Under either doctrine, the elements of liability include (1) a false statement or fraudulent course of conduct, (2) made with scienter, (3) that was material, causing (4) the Government to pay out money or forfeit moneys due. The defendants moved to dismiss the Second Amended Complaint in part for a failure to state a claim upon which relief can be granted, and only the materiality requirement was at issue based on that motion.
The court rejected the defendants’ arguments that the relator had insufficiently pled facts as to materiality, including the argument that it was impossible to demonstrate materiality because AR disclosed to its Government customers that it was not compliant with DOD and NASA cybersecurity regulations. The court explained that the relator had sufficiently alleged that defendants did not fully disclose the extent of AR’s noncompliance with the regulations. For example, the relator alleged that AR misrepresented in a letter to the Government the extent to which it had equipment required by the regulations, instituted required security controls, and possessed necessary firewalls.
The court also rejected the argument that AR’s noncompliance did not go to the central purpose of any of the contracts, as the contracts pertain to missile defense and rocket engine technology, not cybersecurity. The court explained that the relator alleged that all of AR’s contracts with DOD and NASA incorporated each agency’s acquisition regulations; that the regulations require the contractor to undertake cybersecurity specific measures before the contractor can handle certain technical information; and compliance with the requirements could have affected AR’s ability to handle technical information pertaining to missile defense and rocket engine technology. Therefore, misrepresentations as to compliance with these cybersecurity requirements could have influenced the extent to which AR could have performed work specified by the contract.
Further, the court rejected the argument that the Government’s response to the defense industry’s non-compliance with the regulations as a whole weighs against a finding of materiality. Specifically, defendants argued that DOD never expected full compliance because it constantly amended the regulations and promulgated guidance that attempted to ease the burdens on industry. The court disagreed, explaining that even if the Government never expected full compliance, the relator properly pled that the extent to which a company was technically compliant still matters to the Government’s decision to enter into a contract.
Conclusion
The Aerojet decision is likely to be the first of many more decisions involving FCA allegations focused on non-compliance with cybersecurity procurement regulations. As noted previously, the DFARS clause at 252.204-7012 applies to all DOD contracts except those for COTS items, and is complex and onerous. And several agencies beyond DOD and NASA have their own cybersecurity regulations governing procurement contracts. Moreover, the Government is working on a FAR rule covering CUI, which likely will mandate compliance with the 110 security controls in NIST SP 800-171. Cybersecurity regulations imposed on contractors are growing, and this growth presents the Government and relators with more ammunition to use in FCA lawsuits. To date, DOD has not taken an aggressive approach to auditing and enforcing DFARS 252.204-7012. However, regardless of how agencies may administer cybersecurity procurement requirements in procurement contracts, relators appear poised to initiate a new wave of FCA actions based on these requirements. As with all contract requirements, Government contractors need to be familiar with this expanding set of requirements and take reasonable steps to ensure compliance.
Opinions and conclusions in this post are solely those of the author unless otherwise indicated. The information contained in this blog is general in nature and is not offered and cannot be considered as legal advice for any particular situation. The author has provided the links referenced above for information purposes only and by doing so, does not adopt or incorporate the contents. Any federal tax advice provided in this communication is not intended or written by the author to be used, and cannot be used by the recipient, for the purpose of avoiding penalties which may be imposed on the recipient by the IRS. Please contact the author if you would like to receive written advice in a format which complies with IRS rules and may be relied upon to avoid penalties.
[View source.]
