Federal contractors will be fined if they fail to adhere to required cybersecurity standards, according to a Department of Justice (DOJ) announcement in October. The False Claims Act will allow the DOJ to pursue civil action if contractors don’t report cyber incidents to the U.S. government. Given the focus on cybersecurity in recent months, this may not be a surprise – but it is now a compliance mandate.

False Claims Act and the Civil Cyber-Fraud Initiative

Under the False Claims Act, which can apply broadly to many industries, any federally funded contractor that knowingly submits false information can be liable for per-claim fines plus damages and a penalty that’s tied to inflation. In the fiscal year that ended on September 30, 2020, the government obtained more than $2.2 billion in settlements and judgments from civil cases. The False Claims Act has allowed the federal government to combat contractor fraud since 1863.[1] Now, it’s the mechanism for enforcing the Civil Cyber-Fraud Initiative.

Introduced in early October 2021, the Civil Cyber-Fraud Initiative takes fraud cases a step further. It applies to government contractors and grant recipients that are “knowingly:

  • Providing deficient cybersecurity products or services,
  • Misrepresenting their cybersecurity practices or protocols, or
  • Violating obligations to monitor and report cybersecurity incidents and breaches.”

That means that contractors will be liable not only for incomplete or faulty cybersecurity processes, but also for failure to report an incident. Whistleblowers are expected to be a source of many reported violations.

Statutory penalties are adjusted for inflation and are currently about $23,000 per false claim. Violations that result in proven loss to the government also expose the contractor to treble damages, up to three times the government’s losses.

The mandate isn’t exactly new; in May 2021, the Biden Administration required pipeline companies to report significant cybersecurity incidents. This announcement, coupled with the President’s cybersecurity executive order, emphasized the Administration’s attention to cybersecurity initiatives as well as provided a blueprint for initial compliance.

More recently, July’s Cyber Incident Notification Act of 2021 proposed requiring federal contractors, agencies, and critical infrastructure operators to report cyber incidents. These are in addition to existing reporting requirements going back to 2017 under the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012. Essentially, assessing compromised information and reporting incidents within 72 hours of discovery is already part of the defense contract.

The bottom line? Especially now with DOJ enforcement, federal contractors should expect to commit substantial resources to cybersecurity.

Alignment With Other Cybersecurity Standards

It’s clear that while basic cybersecurity standards are required, more substantive compliance programs are necessary in a changing risk landscape. This is even more applicable for contractors and subcontractors that are part of a federal supply chain.

Specific standards weren’t referenced, but two good places to start are the National Institute of Standards and Technology (NIST) and the Cybersecurity Maturity Model Certification (CMMC). Both of these frameworks call for a level of cybersecurity that many contractors are only just starting to become familiar with.

Soon, all organizations doing business with the Department of Defense (DOD) will be required to conform to CMMC Level 1, at a minimum. Level 1 CMMC Readiness involves 17 cybersecurity practices; Levels 1 through 3 represent the 110 security requirements specified in NIST SP 800-171 rev1.

But those are cybersecurity regulations. The Civil Cyber-Fraud Initiative is now law. And while complying with both the cybersecurity regulations and the new law encompasses some of the same activities, ensuring there are processes in place to adhere to the DOJ’s new law requires contractors to take another look at their cybersecurity infrastructure and reporting mechanisms.

Cybersecurity Preparedness for Contractors

One of the first things contractors should do is determine which rules and regulations apply to them. Talk to advisors because this list is longer and more complicated than before.

Specific to the new DOJ initiative, much of what the federal government decides is a known violation starts with the contract. Contractors should go back to the standards and carefully review the contracts to understand what they’re on the hook for and how the standards might be interpreted.

Contractors should also be mindful of what they represent in writing and otherwise. If a contractor purports to have a robust cyber incident detection and response system in place, but does not, that claim now becomes a liability for which the contractor could be heavily penalized.

Timely reporting of cyber incidents will also depend on the specific contract; in general, use the DFARS guideline of 72 hours until and unless other guidance is released, but also check the contract terms.

Now is also a good time to assess the entire supply chain and certify that any products, services, or suppliers are not banned by the U.S. government.

Ensure that employees are well-trained in incident response and document retention guidelines in the event of a breach. A contractor can do all the right things, but if it does not report incidents properly, it’s a potential violation.

Plan to allocate a substantial amount of the budget to cybersecurity preparedness in 2022. Make sure information technology officers have the resources they need to oversee an incident response plan. Also, know that information security on its own cannot be responsible for a robust cybersecurity defense program, nor can certification to CMMC standards be self-assessed. It will be necessary to work with outside advisors on at least some of these programs.

PBMares is a C3PAO candidate company, meaning we will be able to perform CMMC audits once they’re available. We also have a breadth of expertise in cybersecurity mitigation and stand ready to assist government contractors and subs in interpreting and applying the latest Civil Cyber-Fraud Initiative compliance requirements.

[1] https://www.justice.gov/civil/false-claims-act