The Department of Justice (DOJ) recently announced a new “Cyber-Fraud Initiative” aimed at “developing actionable recommendations to enhance and expand [DOJ’s] efforts against cyber threats.” The initiative will be part of DOJ’s Commercial Litigation Branch, Fraud Section, and will use the False Claims Act (FCA) as a tool to combat “cybersecurity related fraud” among federal contractors and grant recipients. In light of DOJ’s efforts, government contractors and entities receiving federal funding should implement measures to reduce the risk of being sued by the government for failing to meet their regulatory and contractual cybersecurity obligations. Below are PilieroMazza’s key takeaways for government contractors, with details on how DOJ’s Cyber-Fraud Initiative could impact your business.
Cybersecurity and the FCA
Use of the FCA to address cybersecurity fraud is not new. Indeed, PilieroMazza discussed it previously here, and DOJ is already pursuing contractors for fraud relating to their non-compliance with the National Institute for Standards and Technology (NIST) Special Publication (SP) 800-171 controls. Additionally, contractors are required to make certain cybersecurity-related representations for federal contracts, such as the representations regarding their use of certain Chinese telecom products and services at Federal Acquisition Regulation (FAR) 52.204-24 and -26.
Further, a majority of federal contracts include the clause at FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, which means contractors must comply with the basic cybersecurity requirements therein. Department of Defense (DOD) contractors are often also directly required to implement all the NIST SP 800-171 safeguards via inclusion of Defense Federal Acquisition Regulation Supplement 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, in their contracts. And with DOD’s NIST SP 800-171 self-assessment requirements plus the upcoming Cybersecurity Maturity Model Certification (CMMC) self-assessments, there are many opportunities for contractors to make various representations or certifications to the Government regarding their cybersecurity posture.
Because “knowing” misrepresentations may form the basis for FCA liability, it is critical that contractors ensure the accuracy of their representations to the Government. Importantly, “knowingly” making a false claim is not confined to intentionally misleading the Government. Indeed, the FCA’s definition of “knowing” includes actual knowledge, deliberate indifference, or reckless disregard for the truth or falsity of the representation. As we also discussed previously here, it may be difficult for the Government to prove that a contractor’s misrepresentation of its compliance with cybersecurity requirements was made with actual knowledge. As many of our readers are aware, cybersecurity requirements like the NIST SP 800-171 standards can be complex and are often open to a wide variety of interpretations and implementation methods. For instance, there is no one way to implement each of the NIST SP 800-171 controls. This can make it difficult to assess whether a contractor was knowingly non-compliant with those standards, especially in cases where there is no “smoking gun” and the allegations of non-compliance come down to a disagreement between the company and a whistleblower.
That said, it is much easier for DOJ to prove reckless disregard. For instance, as noted above, many contractors are required to comply with the basic cybersecurity safeguards in FAR 52.204-21. If a contractor represents that it is in compliance with all contractual requirements without giving due consideration to whether the cybersecurity safeguards are met, this could give DOJ an easy argument that the contractor had its proverbial head in the sand and should have at least tried to comply. Likewise, if a DOD contractor performs a CMMC self-assessment in slipshod fashion and then attests that it fulfills the applicable CMMC requirements, this too would be easy FCA fodder for DOJ.
So, what can contractors do to head off a cybersecurity-related FCA investigation before it arises? There are a variety of ways contractors can accomplish this goal, and PilieroMazza has helped many contractors do so. Key takeaways to help avert an FCA claim related to cybersecurity include:
- Read your contracts carefully: Be aware of what specific cybersecurity requirements apply to your contracts. Awareness and understanding of the cybersecurity requirements that apply to you is the first step in compliance. Where requirements are unclear, engaging counsel to understand your obligations prior to certifying compliance can help show that you did not act with reckless disregard as to the company’s compliance.
- Mere awareness is not enough: Once you understand the requirements that apply to you, begin critically examining your systems. For instance, have you instituted basic security measures like anti-malware software and requiring unique usernames and passwords to access company systems?
- Set up internal controls and reporting: Can your employees report cybersecurity-related problems to management, and will the company act on it? DOJ’s announcement specifically highlights FCA protections against retaliation for whistleblowers and encourages people to report cyber-related fraud to the DOJ. To reduce the risk of whistleblowers going straight to DOJ, contractors should be sure to have a method for reporting cybersecurity issues internally—and should remedy reported problems promptly.
- Include reporting obligations in your cyber incident response plan: Many DOD contracts already contain cyber incident reporting requirements, and some civilian contracts are beginning to contain similar requirements. So, in the event you discover a cyber incident, you will need to thoroughly investigate and determine whether (and when) you will need to make a report.