March 3, 2022

Last Updated on January 17, 2024

All federal contractors and grant recipients need to be aware of the new Civil Cyber-Fraud Initiative from the US Department of Justice (DoJ). Under this new ruling, if you fail to comply with cybersecurity requirements defined in applicable Federal Acquisition Regulation (FAR) clauses in your contract, you could now wind up in court facing “very hefty fines” under the False Claims Act (FCA) in addition to losing revenue.

This step-up in contract enforcement isn’t unexpected, given the DoJ’s recent FCA actions for cybersecurity lapses, many of which involved whistleblowing—which this initiative incentivizes. While healthcare is a far bigger target within the $2.2 billion recovered under the FCA in 2020, the DoJ has certainly demonstrated its willingness to pursue multi-million-dollar penalties for cyber offenses, even against tech heavyweights like Cisco.

Scope of the initiative

The Civil Cyber-Fraud Initiative’s goal is to hold feet to fire when businesses put US government information or systems at risk by:

  1. Knowingly providing deficient cybersecurity products or services
  2. Knowingly misrepresenting their cybersecurity practices or protocols, and/or
  3. Knowingly violating obligations to monitor and report cybersecurity incidents and breaches

In the words of Deputy Attorney General Lisa Monaco, “… we will use our civil enforcement tools to pursue [government contractors] when they fail to follow required cybersecurity standards—because we know that puts us all at risk.”

 

Since its inception during the US Civil War, the FCA (aka “The Lincoln Law”) has been the primary litigation weapon in the government’s anti-fraud arsenal. By pointing this weapon straight at cyber compliance, the government is drawing a line in the sand by making the cybersecurity clauses in federal contracts “material” to payment. The obvious intent is to harden its vendors’ security defenses to counter devastating attacks by nation state and organized cybercrime adversaries.

Contract clauses of concern

If you haven’t already done so, now would be a good time to scrutinize your federal contracts. Clauses that could fuel an FCA action—particularly on compliance with CMMC or NIST 800-171—include:

  • FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, which requires you to have “basic” security controls like user authentication and up-to-date malware protection.
  • DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, which mandates compliance with NIST 800-171 and also includes cyber incident reporting guidelines.
  • DFARS 252.204-7019, Notice of NST SP 800-171 DoD Assessment Requirements, which requires you to keep a current (3 years old max) NIST 800-171 DoD self-assessment for all covered information systems in the Supplier Performance Risk System (SPRS) database.
  • DFARS 252.204-7020, NIST SP 800-171 DoD Assessment Requirements, which requires contractors compelled to comply with NIST 800-171 per DFARS 7012 to give the DoD access to their facilities, systems and people for the purpose of conducting a NIST 800-171 assessment.
  • DFARS 252.204-7021, Contractor Compliance with the CMMC Level Requirement, which —as CMMC phases in—requires DIB companies to have a current CMMC certificate at the level your contract specifies, and to maintain that certificate for the duration of the contract. Should your security posture lapse during your contract, you would be in violation of the FCA and potentially vulnerable to (in particular) a whistleblower-initiated suit.

FCA impacts on CMMC compliance

As you probably gathered already, a CMMC compliance requirement could greatly increase your company’s exposure to the FCA, depending on factors like your current compliance posture with NIST 800-171 and your mandated CMMC level.

Because DFARS 7021 obliges you to continuously maintain CMMC compliance, federal contractors in the defense supply chain or another sector requiring CMMC (e.g., General Services Administration STARS III contracts) will need to keep a close watch on your security controls. You’ll also need to stay up to speed on any changes to the CMMC framework and other applicable regulations over time, so that you can adjust your program. At CMMC Level 3, for example, each of the 130 controls could be a “point of failure” in your environment, subject to increasingly aggressive FCA litigation.

If you think it’s premature for the DoD to start wielding the FCA against contractors for CMMC, keep in mind what CMMC point person Katie Arrington has pointed out more than once: The CMMC requirements are really about certifying the self-attested claims that DIB companies have already made against the DFARS clauses in their current and prior contracts. If CMMC is a significant lift for your business, you may already have violated the FCA, depending on your self-report score in the SPRS database.

And don’t forget about the overarching cybersecurity executive order from May 2021, which presaged “bold changes and significant investments” to protect federal data. In the glare of a national spotlight, it doesn’t take a psychic to read these tea leaves: if you want to do business with the US government going forward, cyber compliance per the letter of your contract(s) needs to be among your top business priorities.

What’s Next?

Concerned about your ability to govern your cybersecurity program and prove you’re secure and in compliance? This recent podcast has you covered: EP#59 – John Verry – Governing Cybersecurity: A Process for Becoming Provably Secure & Compliant

Want to dig deeper into the “murkier” aspects of CMMC compliance? Then don’t miss this informative podcast with CMMC insider Corbin Evans: EP#36 – Corbin Evans – CMMC Compliance: The Nuances You Should Know