The initiative also expressly aims to secure FCA recoveries to reimburse the government and taxpayers for losses incurred “when companies fail to satisfy their cybersecurity obligations.” Government contractors and grantees should expect increased scrutiny of their compliance with cybersecurity requirements and a corresponding increase in FCA complaints based on alleged failures to meet those obligations. In rolling out this initiative, DOJ has emphasized that civil enforcement will not wait for a cybersecurity breach – cases can be brought for failure to comply with contractual or regulatory requirements even in the absence of such a breach.
Increased focus on contractors and grantees
The initiative is expressly intended to encourage contractors to harden their defenses against computer intrusions, hacks, and cyber-attacks following recent, well-publicized incidents that have highlighted a national security vulnerability. At the same time, several recent, headline-grabbing FCA claims against government contractors have been based on an alleged failure to comply with contract and regulatory cybersecurity requirements or on alleged misrepresentation of such compliance. DOJ settled its first such case in 2019.2 It and other similar cases have put government contractors on notice that the threat of FCA litigation for non-compliance with cybersecurity measures is real.3
Although government contractors have long been prime targets for FCA whistleblowers, this new DOJ initiative further elevates this risk.4 The emphasis by DOJ on these issues suggests that it may be more prone to intervene in whistleblower cases based on cybersecurity compliance, and this fact may incentivize more whistleblowers to come forward. It will also cause some would-be whistleblowers – who are most often employees and insiders – to examine more closely their companies’ cybersecurity obligations and practices. Finally, the initiative will draw government scrutiny not just from DOJ, but also from inspectors general at numerous government agencies who could in turn refer cases to DOJ.
The cybersecurity obligations that could give rise to a claim
Government contractors and grantees are frequent targets for cyberattacks due to their need to store sensitive technical data and other high-value national security information as part of their work. In recognition of this fact, the federal government has imposed a framework of cybersecurity requirements that typically require government contractors and grantees to make substantial investments in data security infrastructure that meet specific standards.
Although FCA claims relating to cybersecurity obligations could take many forms, two recently modified regulatory requirements are noteworthy.
First, in addition to the safeguarding and cyber incident reporting requirements in Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, the Department of Defense (DoD) now requires contractors (through DFARS 252.204- 7020) to complete a pre-award assessment of their compliance with cybersecurity controls identified in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.5 This self-assessment is referred to as a “Basic Assessment.” It results in a numerical score and must also identify a date by which the contractor will be fully compliant with NIST SP 800-171. Should the validity of a contractor’s self-assessment be later questioned, a whistleblower could claim that false or reckless representations made in the self-assessment caused false claims to be made.
Significantly, a Basic Assessment may be followed by a government-led assessment – either a “Medium Assessment” or a “High Assessment” – after award. This could lead to disagreements about the degree to which the contractor is compliant with NIST SP 800- 171, and such disagreements could give rise to FCA suits.
Second, through the Cybersecurity Maturity Model Certification (CMMC) program, DoD anticipates the use of self-attestation, third-party certification, and government-led assessments for cybersecurity compliance. When such certification begins, it is possible that third-party certifiers or DoD may uncover inconsistencies between their own assessment of the contractor’s security controls and the contractor’s earlier Basic Assessment. Whistleblowers could point to such inconsistencies to allege a contractor caused false claims to be made by misrepresenting its security controls in order to win the contract.
The above DFARS clauses apply only to Controlled Unclassified Information (CUI) within the DoD supply chain. However, numerous government contracts contain contract-specific cybersecurity requirements, and noncompliance with these requirements could also give rise to FCA claims. Furthermore, the Federal Acquisition Regulation (FAR) clause 52.204-21 requires all contractors and subcontractors to apply specified safeguarding requirements when processing, storing, or transmitting Federal Contract Information (FCI) in or from covered contractor information systems.
Finally, we expect additional government-wide cybersecurity standards and reporting requirements to be issued pursuant to EO 14028, which will increase the avenues for potential FCA claims. In addition, if proposals for new legislation and/or regulations that would strengthen cyber incident reporting obligations are implemented, the government will have new avenues for learning of cyber incidents.
Subcontractors should also take note
The FCA imposes liability not only on a prime contractor or direct grant recipient, but it applies to any entity, including subcontractors, whose conduct causes a false claim to be presented to the United States for payment or approval. Although prime contractors or grant recipients typically submit claims for payment directly to the government on behalf of their subcontractors, a subcontractor that causes a prime contractor or recipient to present a false claim for payment can be held liable for FCA damages and penalties.6
What’s next?
The Supreme Court has noted that the FCA is not a “vehicle for punishing garden-variety breaches of contract or regulatory violations.”7 What remains to be seen is the extent to which suits that allege a failure to comply with fast-developing cybersecurity requirements will meet the rigorous “materiality” requirements outlined by the Supreme Court.8 The government’s intent to bolster security of its supply chain is clear, but federal contracts incorporate dozens of regulatory requirements, and strict compliance with any single one may not be material to the contracting agency’s decision to pay for goods or services in every case.
Separately, it will be important to watch the cases that arise in this area to see whether the government will seek, and whether the courts will award, damages based upon the full value of the contract or grant, or whether the more traditional “benefit-of-the-bargain” measure of damages will be imposed based upon the difference in value between what the government paid for, and what it received. In some cases you can expect DOJ to contend that the larger measure of damages is appropriate, because the government would never have been induced to award a contract to a company that misrepresented its ability to comply with rigorous cybersecurity requirements.
Despite questions about the strength of future FCA claims based on alleged non-compliance with cybersecurity requirements, companies that contract with the government or receive grants should carefully track fast-evolving cybersecurity rules and regulations and prioritize related compliance efforts.
References
1. See Deputy Attorney General Lisa O. Monaco Announces New Civil Cyber-Fraud Initiative, U.S. Dep’t of Justice (Oct. 6, 2021), available at https:// www.justice.gov/opa/pr/deputy-attorney-general-lisa-o-monaco-announces-new-civil-cyber-fraud-initiative.
2. Joseph Marks, Cisco to Pay $8.6 Million Fine for Selling Government Hackable Surveillance Technology, Wash. Post (July 31, 2019), available at https://www.washingtonpost.com/politics/2019/07/31/cisco-pay-million-fine-selling-government-hackable-surveillance-technology/.
3. See, e.g., United States ex rel. Adams v. Dell Computer Corp., 496 F. Supp. 3d 91 (D.D.C. 2020); United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., 381 F. Supp. 3d 1240 (E.D. Cal. 2019).
4. See John Hewitt Jones, DOJ expects whistleblowers to play ‘significant role’ in False Claims Act cases against contractors, FEDScoop (Oct. 13, 2021), available at https://www.fedscoop.com/doj-expects-whistleblowers-to-play-significant-role-in-false-claims-act-cases-against-contractors/.
5. Ron Ross, Victoria Pillitteri, Kelley Dempsey, Mark Riddle, & Gary Guissanie, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, NIST SP 800-171 Rev. 2, (Feb. 2020), available at https://csrc.nist.gov/publications/ detail/sp/800-171/rev-2/final.
6. See 31 U.S.C. § 3729(a)(1); United States v. Bornstein, 423 U.S. 303, 309 (1976) (“It is settled that the Act . . . gives the United States a cause of action against a subcontractor who causes a prime contractor to submit a false claim to the Government.”).
7. Universal Health Servs., Inc. v. United States ex rel. Escobar, 579 U.S. 176, 194 (2016).
8. Id. at 194-95, 195 n.6.