Government Contractors Need to Understand Their False Claims Risk When It Comes to Cybersecurity
C3's Policy Analyst Collin Overby discusses cybersecurity and the Fed's use of the False Claims Act

Recent actions, both by the government and by internal whistleblowers, highlight the importance of meeting the cybersecurity requirements in DoD contracts. Defense industry contractors that fail to meet those requirements, or that falsely represent their compliance, risk punitive actions that can be extremely costly.
In 2021, Deputy Attorney General Lisa O. Monaco announced that the United States Government had launched a new Department of Justice mission known as the Civil Cyber-Fraud Initiative.[1] Deputy Attorney General Monaco underscored that government contractors receiving federal funds will be required to abide by federally mandated cybersecurity standards.[2] The initiative signals increased enforcement of the False Claims Act (FCA) and is led by the Commercial Litigation Branch of the Fraud Section in the Department of Justice (DOJ) Civil Division. Its goal is to “enhance and expand” the DOJ’s law enforcement presence in cyberspace to help combat national threats.[3]
Specifically, the Civil Cyber-Fraud Initiative uses the False Claims Act to combat fraud and, concurrently, not only to protect but also to reward whistleblowers in successful actions where the federal government is found to have been a victim.[4] The use of the FCA against alleged fraudulent actors, including government contractors and grant recipients, is aimed at entities or individuals that knowingly fail to adequately protect federal information or systems, or that knowingly use deficient cybersecurity “products or services.”[5] Such acts indicate that the defendant knowingly misrepresented its level of cyber hygiene to the government. Additionally, the FCA reaches entities that neglect their duty to report certain required cybersecurity incidents or data breaches within the contractually agreed upon and regulated time limit.[6]
The False Claims Act
The FCA is a federal statute that prescribes criminal as well as civil penalties for fraudulently billing the federal government, overstating the amount of a delivered product, or misrepresenting an obligation to the federal government.[7] Within the scope of the Civil Cyber-Fraud Initiative, the form of the infraction that will most often pertain to Defense Industrial Base (DIB) contractors and subcontractors is the misrepresentation of an obligation, e.g., a false attestation of the requisite cyber hygiene via an SPRS score. As referenced above, the FCA protects whistleblowers; it also permits private parties to bring legal claims on behalf of the federal government. Such private party actions are known as qui tam, or popular, actions.[8] If the suit is successful, the private representative of the government, known as the relator, may receive up to 30% of the government’s award.[9] However, if the government intervenes and supplants the relator as plaintiff in the case, the relator then typically receives between 15% and 25% of the government’s award, depending on the specifics of the action.[10] The government is also sometimes awarded treble (3X) the amount of damages found in its favor at the disposition of the case.[11]
For the sake of brevity, the False Claims provision at 31 United States Code (U.S.C.) § 3729(a)(1) defines the important element of “knowingly” in an infraction by an entity or its agent(s).[12] When the FCA is used in the context of the Civil Cyber-Fraud Initiative, the source of liability is most likely to be found in subpart (B) of that section: “…(B) knowingly makes, uses, or causes to be made or used, a false record or statement material to a false or fraudulent claim…”[13] To unpack two important terms, knowingly and material, the statute continues: “For the purposes of this section…(1) the terms ‘knowing’ and ‘knowingly’…(A) mean that a person, with respect to information…(i) has actual knowledge of the information; (ii) acts in deliberate ignorance of the truth or falsity of the information; or (iii) acts in reckless disregard of the truth or falsity of the information; and (B) require no proof of specific intent to defraud.”[14]
It is particularly notable that at trial, or in any other finding of fact, specific intent to harm the federal government or its agency is not required to adjudicate such infractions. They “require no proof of specific intent to defraud,” as is the case with other actions in which the defendant is accused of recklessness or negligence and the claim requires only general intent; this is reflected in the FCA’s definition of knowingly.[15] [16] As applied by the Civil Cyber-Fraud Initiative, the element of knowingly appears to be satisfied when the defendant has actual knowledge that the cyber compliance status communicated to the government is inaccurate, intentionally ignores deficiencies in the cyber compliance it has reported against government requirements, or is recklessly irresponsible with respect to its duty to attest to the minimum level of cyber hygiene required to protect certain government information.
The FCA defines an allegation as “material” when it, “(4) …means having a natural tendency to influence, or be capable of influencing, the payment or receipt of money or property.”[17] In a hypothetical case, this could be a contractor submitting a falsified SPRS score, which allows the contractor to bid on a contract at a lower price because it has not invested in the resources needed to achieve and maintain the requisite cyber hygiene that protects government data.[18] That lower bid could be material if the government were to rely on the score’s accuracy and award the contract on the basis of the misrepresentation.
The DFARS 7012 & NIST SP 800-171
Under DFARS 252.204-7019, on or after November 30, 2020, contracting officers are required, before awarding a contract or task order, or exercising an option period or period of performance, with an offeror or contractor that is required to implement NIST SP 800-171 in accordance with the clause at DFARS 252.204-7012, to verify that the contractor has a certain level of score based upon a current NIST SP 800-171 DoD Assessment.[19] This current score (i.e., not more than 3 years old), posted in the Supplier Performance Risk System (SPRS), applies to each covered contractor information system that is relevant to an offer, contract, task order, or delivery order.[20] When a contractor enters a fraudulent score into SPRS, that is likely the beginning of an actionable FCA infraction. The problem is compounded by Controlled Unclassified Information (CUI) requirements that flow down to subcontractors, who are now required to achieve the same ‘high water mark’ of cyber hygiene as the prime contractor. Until recently the federal government assumed that contractors would truthfully self-attest to their level of cyber hygiene when uploading an SPRS score.
Consequential Cases
As of the date of this piece, prosecution under the Cyber-Fraud Initiative has not resulted in a criminal conviction via the False Claims Act; hence the inclusion of ‘Civil’ in its current name. However, the first landmark case in this area, which predated the Civil Cyber-Fraud Initiative, United States ex rel. , Inc. (381 F. Supp. 3d 1240 (E.D. Cal. 2019)), has been resolved in the government’s favor. A former Senior Director of Cybersecurity and Compliance at Aerojet Rocketdyne, Brian Markus, alleged that the government contractor (which specializes in missile defense) fraudulently concealed its noncompliance with cyber regulations. The claim pertained to the actions necessary to satisfy government cybersecurity data protection standards, and to the nonreporting of incidents and intrusions that the government requires.[21] Because the court found that the contractor had not disclosed the extent of its noncompliance to the government, and deemed this material to the awarding of the contract, the case was ultimately resolved with Aerojet Rocketdyne settling with the government for $9 million.[22] [23]
A current case working its way through the federal court system in Pennsylvania concerns State University (the University) and its compliance with DFARS 7012 and NIST SP 800-171. Until recently the case was under seal in a qui tam action brought by a relator who alleges that the University did not provide “adequate security” when handling Covered Defense Information, a form of CUI.[24] On September 29, 2023, the US federal government decided not to participate in the action.[25] However, the relator, a former Interim Chief Information Officer at the University’s Applied Research Laboratory, offered 20 documents that are allegedly falsified NIST SP 800-171 self-attestations, as well as evidence that the University migrated part of its sensitive data to a commercial cloud service that did not meet the government’s FedRAMP data protection standards.[26]
At present, there has been neither an adverse finding against the University nor a settlement. However, the progression of this case should put academic institutions on notice, as Aerojet Rocketdyne should have done for DIB contractors, that the federal government, via its , is taking the requirements drawn from DFARS 7012 and NIST SP 800-171 seriously. It is not yet clear that the initiative has operated to initiate law enforcement investigative authority on its own; it has relied primarily on referrals from contractor insiders, and on relator inside information, before the DOJ determines whether to participate in each case. Those seeking federal contracts or grants would do well to ensure that they are compliant with the ‘high water mark’ set by the 110 controls in the NIST SP 800-171 framework, which are required pursuant to the federal regulation DFARS 7012.
Contractors and Subcontractors Seeking Legal and Compliant Status
Contractors avoid the specter of litigation brought from within or outside their organization by maintaining cyber hygiene that meets their contractual requirements. Within the DIB, contractors and subcontractors should seriously consider working with experienced compliance professionals to ensure that the company is lawfully compliant with the requirements of DFARS 7012 and NIST SP 800-171. They should also consider choosing an External Service Provider (ESP) that is knowledgeable and experienced in meeting cyber requirements. By partnering with an ESP, DIB companies are also better positioned to respond dynamically to changes in laws and regulations, as well as to changes in the policies of government officials and agencies.
[1] United States Department of Justice, Office of Public Affairs, Deputy Attorney General Lisa O. Monaco Announces New Civil Cyber-Fraud Initiative (2021).
[2] See id.
[3] Id.
[4] Id.
[5] Id.
[6] Id.
[7] Wex, US Law, LII / Legal Information Institute (cornell.edu), False Claims Act (2022).
[8] Wex, US Law, LII / Legal Information Institute (cornell.edu), qui tam (2022).
[9] Wex, US Law, LII / Legal Information Institute (cornell.edu), False Claims Act (2022).
[10] Ibid.
[11] Double or Treble Damages Under the False Claims Act? (bricker.com), http://www.bricker.com/insights-resources/publications/double -or-treble-damages-under-the-false-claims-act (last visited Sept. 20, 2023).
[12] 31 U.S. Code § 3729 – False claims (Legal Information Institute (cornell.edu)).
[13] See id.
[14] Id.
[15] Id. at 14.
[16] Her Lawyer, General Intent vs Specific Intent: What’s The Difference? Her Lawyer (July 5, 2022), https://www.herlawyer.com/general-intent-vs-specific-intent.
[17] 31 U.S. Code § 3729 – False claims (Legal Information Institute (cornell.edu)).
[18] See id.
[19] Office of the Under Secretary of Defense, Memorandum For Commander, United States Cyber Command et al., Interim Defense Acquisition Regulation Supplement Rule, 2019-D041, Assessing Contractor Implementation of Cybersecurity Requirements (2020), https://www.acq.mil/dpap/policy/policyvaullt/ USA002524-20-DPC.pdf (osd.mil).
[20] See id.
[21] The National Law Review, Aerojet Rocketdyne Case False Claims Act for Cybersecurity Fraud, The National Law Review (May 6, 2022), https://www.nationalreview.com/article/aerojet-rocketdyne-cybersecurity-trial-and-settlement.
[22] See id.
[23] United States Department of Justice, Office of Public Affairs, Aerojet Rocketdyne Agrees to Pay $9 Million to Resolve False Claims Act Allegations of Cybersecurity Violations in Federal Government Contracts (2023).
[24] Townsend L. Bourne, Recent Cyber-Related False Claims Act Activity Signals Contractors and Universities Should Examine Their Cybersecurity Practices and Brace for an Uptick in Enforcement (2023).
[25] Townsend Bourne, Nikole Snyder, DOJ Declines to Intervene in Penn State FCA Case, The National Law Review (Oct. 9, 2023), https://www.natlawreview.com/article/update-doj-declines-intervene-penn-state-cyber-related-fca-case#:~:text=One of those cases is a qui tam,United States “is not intervening at this time.”
[26] Townsend L. Bourne, Recent Cyber-Related False Claims Act Activity Signals Contractors and Universities Should Examine Their Cybersecurity Practices and Brace for an Uptick in Enforcement (2023).