Last week signaled a potential rude awakening for government contractors subject to cybersecurity requirements. A California U.S. district court ruled that allegations against Aerojet Rocketdyne could progress following a former employee’s complaint that the company terminated his employment after he disclosed cybersecurity failures to the company’s board of directors and refused to sign documents indicating that the company was compliant. Among the employee’s chief allegations is a charge that the company violated the False Claims Act by falsely representing its level of compliance with applicable cybersecurity standards so it could appear eligible for certain federal government contract awards.
The regulations at issue in the case require a contractor to implement specific controls covering various areas of cybersecurity. Since Aerojet contracted with NASA and DOD, the relevant regulations in the case are two contract clauses found in the DOD and NASA federal acquisition regulations (DFARS and NASA FARS, respectively). Both clauses implement the standards for cybersecurity controls found in National Institute of Standards and Technology Special Publication 800-171 (“NIST SP 800-171”), which concerns the protection of controlled unclassified information (“CUI”) in non-federal IT systems. CUI covers a broad range of information types, from personally identifying information to engineering data to computer software. The common thread running through all CUI is that, while it is unclassified, it is still sensitive and should not be made public.
The NIST 800-171 standards are designed to provide a minimum threshold of protection for CUI against unauthorized access and disclosure. Thus, the DFARS and NASA FARS apply these standards unyieldingly. The NASA FARS allows no deviation from the 800-171 standards. The DFARS allows deviation, but only where the deviation is an alternative method that achieves the same end result the 800-171 standards lay out. Neither regulation allows for waiver of the 800-171 standards, because of the importance of maintaining a uniform level of security.
Unfortunately for Aerojet, the complaint in the case alleges that the company complied with less than 30% of the standards. The complaint goes on to allege that an Aerojet officer prevented the former employee from revealing Aerojet’s cybersecurity vulnerabilities to the Board. When his efforts to approach the Board failed, he instead went to the Government, and the present legal proceedings commenced.
This case is a good reminder of the importance of clear internal reporting policies and of having mechanisms in place to monitor compliance with cybersecurity requirements. When an employee, particularly an expert, raises red flags, a company should conduct a thorough investigation. Limited reporting policies (or a lack thereof) may stymie opportunities to address employee concerns before an employee looks outside the company for solutions. A thorough investigation from an employee’s first indication that something is wrong can save companies a great deal of time, money, and face.