DOJ: ‘False Claims Act + Cybersecurity’ Is Here To Stay

Amid ongoing policy shifts in Washington, the federal government’s interest in pursuing civil cyber-fraud cases appears to be here to stay.  In October 2021, the Department of Justice (DOJ) initiated its Civil Cyber-Fraud Initiative focused on using the False Claims Act (FCA) “to combat new and emerging cyber threats to the security of sensitive information and critical systems,” and DOJ’s efforts to pursue civil cyber-fraud continue under the Trump administration.  For example, on March 26th, the DOJ announced an FCA settlement with a Massachusetts company focused on the company’s cybersecurity program and representations made in connection with its Department of Defense contracts as well as FedRAMP[1] and DFARS[2] requirements.

The company agreed to pay $4.6 million to settle the government’s claims, and the relator who filed the qui tam complaint that gave rise to the investigation will receive about $850,000 of the settlement amount.  The company also must pay $198,000 for attorney’s fees and expenses, as required by the FCA.

The settlement agreement revealed additional details regarding the cybersecurity issues underlying this matter.  As is customary in a settlement agreement with the Boston U.S. Attorney’s Office, the company “admit[ted], acknowledge[d], and accept[ed] responsibility” for four principal violations, each of which provides a valuable lesson to any company subject to the FCA:

  1. Failure to implement NIST Special Publication 800-171 cybersecurity controls. The company admitted that it “had not fully implemented all cybersecurity controls in NIST SP 800-171,” including controls that could prevent “significant exploitation of the network or exfiltration of controlled defense information.”  SP 800-171 sets forth controls for protecting controlled unclassified information in nonfederal systems and organizations.  “Controlled unclassified information” is “information that, while not meeting the threshold for classification as national security or atomic energy information, requires some level of protection from unauthorized access and release.”  Built alongside SP 800-53, which many look to as a gold standard for cybersecurity maturity, SP 800-171 is intended for use by private sector organizations handling sensitive government information, and compliance is, at least in some cases (e.g., defense contracts), required by applicable law.
  2. Misrepresentation of the company’s security control implementation.  The company failed to comply with a DFARS supplement that requires contractors to provide the DOD with their summary level scores related to compliance with NIST SP 800-171.  These scores “reflect[] the net effect of security requirements not yet implemented”; the maximum score, if every NIST SP 800-171 requirement is implemented, is 110.  The company admitted to submitting a self-assessed score of 104 and waiting nearly a year to correct it to reflect a consultant-determined score of -142.  The facts admitted by the company are noteworthy.  According to the settlement agreement, the company retained a third-party consultant to perform a gap analysis of its implementation of NIST SP 800-171 controls, and the consultant provided a summary score of -142.  Only 22% of the controls were implemented, with 78% not implemented or only partially implemented, and the consultant simultaneously proposed plans of action and milestones to remediate the gaps identified.  Even so, the real concern seemed to be that the company did not then update its reported score to reflect the results of the analysis in a timely way.  The government complains of payment requests submitted to DoD during this period in violation of DFARS.
  3. Failure to have a consolidated written plan for its covered information systems. The company admitted to lacking written plans required by FedRAMP for its covered information systems that describe the system boundaries, environments, security requirements, and connections to other systems.
  4. Use of a potentially noncompliant cloud vendor.  DFARS requires cloud vendors that handle controlled unclassified information on behalf of a contractor to meet FedRAMP Moderate baseline security standards and other requirements.  The company admitted that its cloud email hosting provider was not contractually required to meet DFARS or FedRAMP requirements and that the company did not ensure it did.

    Unfortunately, this mistake can be common: technology companies often offer FedRAMP-compliant products alongside similar commercial offerings, and companies sometimes do not realize that the FedRAMP-compliant version is required.

The reported resolution of this matter offers many takeaways that organizations should consider immediately, including a handful outlined here:

First, maintain a cybersecurity culture where employees are heard and identified risk is evaluated.  The relator was the company’s Head of Security and Facility Security Officer, who previously worked at other defense contractors and served in the armed forces.  Individuals who have served in such roles typically are invested in the success of their employer’s cybersecurity program.  The complaint alleges that he became aware of cybersecurity gaps and vulnerabilities at the company “within weeks of arriving” in January 2021 and that he repeatedly raised issues with senior leadership throughout 2021 and 2022 before filing his qui tam complaint in January 2023.  If true, the company would have had opportunities to listen and course-correct.  Instead, the relator claims that on at least one occasion a member of senior leadership disregarded concerns by saying “‘everybody does it’ with respect to noncompliance” with the DOD security requirements.

Relatedly, there is no reference to the relator’s reporting structure, including whether the relator reported to the board. Governance of a security function and security risk is critical because cybersecurity risk is potentially material at many companies these days.

Second, engaging in a third-party gap analysis is important, but creating a record of gaps with no remediation plan is problematic.  Measuring cybersecurity compliance with legal obligations is a core legal function, not just a cybersecurity function.  Companies need to be mindful of their objectives when engaging third parties for any type of cyber assessment or validation assessment (from gap assessments to pen testing, etc.).  One primary objective is to comply with applicable legal requirements, whether those originate from (i) statutes and regulations, (ii) contract, or (iii) the courts, as well as industry standards (like NIST) incorporated into any of (i)-(iii) by explicit requirement.

Third, building an environment to appropriately qualify and quantify cybersecurity risk is critical.  The complaint paints a picture of institutional noncompliance and disregard for contractual obligations as “business decisions,” flowing from the top of the company.  According to the complaint, the self-assessed score of 104, rather than the maximum score of 110, was reported by the COO and CEO “to avoid scrutiny from DOD.”  The CEO allegedly “observed that [the company] ‘never would have gotten off the ground’ if it had followed every DFARS provision and every DoD regulation” and allegedly viewed “noncompliance” with the NIST SP 800-171 requirements as “simply ‘a business risk,’” similar to his “disregard[ing of] many rental code requirements” for the “multiple residential rental units” he owned in the area.

Importantly, there is no reference to whether the relator’s complaints were assessed by anyone other than the DFARS consultant. A company’s legal counsel should be involved in cybersecurity assessments for a variety of reasons, including to ensure any risk identified is appropriately quantified and qualified and then mitigated as needed to comply with legal obligations; a cyber risk assessment cannot be handled by cybersecurity or IT functions alone.

Fourth, cybersecurity legal requirements are changing and expanding, and organizations need to address current and future obligations as well as the changing regulatory enforcement landscape.  Several government agencies, such as DOD and the Internal Revenue Service, require compliance with significant NIST control frameworks.  (The IRS uses a variation on NIST SP 800-53.)  Other agencies require compliance with the security controls set out in FAR 52.204-21, which contains “[r]equirements and procedures for basic safeguarding of covered contractor information systems,” such as authentication and identity verification controls.  If more federal agencies join the DOD and require compliance with NIST SP 800-171 for controlled unclassified data, then it may become a commercial expectation that organizations handling the commercial equivalent (likely, information under a data classification system that is more sensitive than nonpublic information but not the most sensitive data) should also comply when handling that type of information for their customers.  In cybersecurity, government regulates, and the private sector follows.

Fifth, organizations should be mindful of third-party vendors, third-party systems, and their third-party contracts and also understand data use-cases.  The company admitted to not requiring its cloud email provider to comply with FedRAMP rules.  That does not mean that the cloud email provider did not comply; the cloud email provider likely complied, or the government presumably would have called that out.  This fact indicates government interest in practical compliance and corporate oversight of vendors.  Similarly, it illustrates that a company must understand how it uses its systems and its data.  Here, the company had trouble because it used its cloud-based email to exchange controlled unclassified data.  Had the company kept that data out of email, then it may not have violated this DFARS provision.  Public information about the settlement does not indicate how pervasive the company’s use of its cloud-based email with controlled unclassified data was, but here, as elsewhere, corporate policies matter.  A good policy can show good faith and provide arguments for lower sanctions because the organization itself wanted to comply, and the issues may be human error, rather than something that can be blamed on the organization as a whole.

Managing cybersecurity risk continues to require significant attention and is crucial for any company to avoid investigations and litigation. 

[1]  FedRAMP stands for the government’s Federal Risk and Authorization Management Program.

[2]  DFARS stands for the Defense Federal Acquisition Regulation Supplement. 

Authors

Scott T. Lashway

Member / Co-Chair, Privacy & Cybersecurity Practice

Scott T. Lashway is a globally recognized privacy and cybersecurity disputes attorney who serves as Co-Chair of Mintz’s Privacy & Cybersecurity Practice. He guides clients through high-stakes incident response and breach investigations, complex and bet-the-company litigation, government investigations, and enforcement actions and provides strategic counsel on privacy, cybersecurity, data governance, and AI issues. Scott primarily represents clients in the health care, financial services, technology, artificial intelligence, and media and adtech sectors.

Karen S. Lovitch

Chair, Health Law Practice & Chair, Health Care Enforcement Defense Practice

Karen advises industry clients on regulatory, transactional, operational, and enforcement matters. She has deep experience handling FCA investigations and qui tam litigation for laboratories and diagnostics companies.

Matthew MK Stein

Special Counsel

Matthew MK Stein is a Special Counsel at Mintz who advises organizations and individuals on data privacy, data governance, and cybersecurity issues. He leverages experience in private practice and as in-house counsel at a global financial institution to litigate, lead investigations, and provide strategic guidance. He represents clients in various industries, including technology, artificial intelligence, financial services, blockchain, and the adtech and martech sectors.