Government To Standardize Cybersecurity Requirements and Use of the False Claims Act as a Primary Enforcement Tool

Clark Hill PLC

Keeping track of current Federal Cybersecurity Requirements can be challenging. Not long ago, compliance was largely a matter of self-certification. Cybersecurity requirements were often affirmed in principle but neglected in practice. In the past, the affected federal payment and purchasing organizations were often awash with their own priorities and would therefore accept contractors’ self-certifications uncritically. The “tick box” was checked, nothing to see here, move on. That was then, but events have intervened and reordered priorities.

Cybersecurity compliance is now treated with heightened seriousness, attention, and notably more vigorous enforcement. New tools are being proposed, and old tools are being applied with new purpose. Among the new tools are two proposed Rules and one Interim Rule that will apply to federal contractors. The first proposal (FAR Case 2021-017) applies a standardized approach. The second (FAR Case 2021-019) applies stringent reporting requirements where cybersecurity is challenged. The Interim Rule requires exclusion and removal orders issued by the Federal Acquisition Security Council (FASC). So far, the FASC has not issued any orders.

Whatever final form these measures take, any entity that receives payments under federal programs should take heed. Using history as a guide, the compliance and reporting requirements applied to federal contractors will soon become standard across every agency and program, affecting any federal payee. No organization will escape these requirements. Moreover, the Justice Department already vigorously enforces cybersecurity compliance violations, as the 2022 numbers (see below) illustrate. Its Cyber Fraud Initiative has used and is using the False Claims Act (FCA) as a standard means of enforcing compliance. The new proposals and Interim Rule will serve to enhance DOJ’s already muscular approach to compliance enforcement.

For example, settlements and judgments under the False Claims Act exceeded $2.2 billion in the fiscal year ending Sept. 30, 2022. According to Justice Department figures, there were some 351 FCA settlements and judgments in 2022. That was the second-highest number of settlements and judgments in any single year, considering cases brought both by the Government and by Qui Tam relators (a growing source of new FCA claims), as in the Aerojet Rocketdyne case, mentioned below. Among those were major settlements such as those of Aerojet Rocketdyne ($9 million), NextGen Healthcare ($31 million), and BioTek reMEDys and its chief executive officer, Chaitanya Gadde ($20 million). One may fairly expect an increase in DOJ’s use of the FCA as an enforcement mechanism, especially after strengthened cybersecurity requirements are implemented. In fact, the DOJ has been quite plain about this.

While detailing the broad sweep of DOJ’s enforcement in 2022, Principal Deputy Assistant Attorney General Boynton promised vigorous enforcement saying, “Protecting taxpayer dollars by preventing fraud and abuse is a critical priority for the Department of Justice. The large number of settlements and judgments this past year demonstrates that the False Claims Act remains one of the most important tools for ensuring that public funds are spent properly and advance the public interest.”

The case of Comprehensive Health Services, LLC (CHS), included in the DOJ Press Release, will be only the tip of the cybersecurity spear once the proposals and Interim Rule are finalized and fully implemented as the government-wide standard. Enforcement of this standard approach by the DOJ using the FCA as an enforcement tool will be the “thermobaric bomb” of legal enforcement mechanisms.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Clark Hill PLC | Attorney Advertising
