LawFlash

DOJ Signals Continued Enforcement of Cybersecurity Obligations for Government Contractors

October 05, 2023

The US Department of Justice (DOJ) announced a recent $4 million settlement of False Claims Act (FCA) allegations regarding a contractor’s failure to meet certain cybersecurity requirements, noting that its Civil Cyber-Fraud Initiative will continue to pursue knowing cybersecurity-related violations. However, it emphasized that contractors who cooperate with the government and make proactive disclosures will receive credit in settlement negotiations.

As government contractors face increasing cybersecurity obligations, attendant FCA risks are also on the rise. Over the last decade, government contractors have seen their cybersecurity obligations steadily increase. Federal contractors who access or use certain government information are frequently subject to Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS) clauses that impose significant cyber responsibilities—many of which are ill-defined and change over the course of performance.

Frequently encountered cybersecurity clauses require contractors to meet rigorous and costly compliance obligations, as reflected in FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems), DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting), and DFARS 252.204-7021 (Cybersecurity Maturity Model Certification Requirement).

Despite the costs of compliance, “knowingly” failing to meet cybersecurity obligations included in government contracts carries significant FCA risk. The FCA defines “knowingly” to include acting with deliberate ignorance or with reckless disregard. On October 6, 2021, the DOJ announced the launch of its Civil Cyber-Fraud Initiative, which united its government procurement and cybersecurity enforcement efforts to pursue civil enforcement against government contractors who fail to satisfy required cybersecurity standards.

Additionally, the DOJ has indicated that criminal enforcement in the cyber space will increase significantly; this trend is likely to impact contractors and implicate a range of additional issues.

AVOIDING FCA RISK THROUGH COMPLIANCE

The best way to avoid FCA cybersecurity risk is to work proactively to ensure compliance with applicable cyber requirements. Prospective contractors and subcontractors should always review solicitations before submitting bids to determine the included cybersecurity obligations. Once a prospective contractor identifies attendant cybersecurity obligations, it is important to assess whether the company meets those standards or can achieve compliance before certifying such compliance and receiving the contract award.

Some cybersecurity requirements are met by implementing changes to cybersecurity technical infrastructure, while others are met by implementing policies, procedures, and trainings to ensure that all employees and officers take necessary steps to protect sensitive data. Achieving full compliance with cybersecurity standards can take time, so it is important to begin working toward compliance as soon as a prospective contractor determines that submitting a bid—and receiving a contract award—will trigger obligations.

MITIGATING NONCOMPLIANCE WITH CYBERSECURITY REQUIREMENTS

Government contractors that are not compliant with the cybersecurity requirements included in their contracts can mitigate the consequences of that noncompliance. The DOJ has noted in past press releases that the department gives credit to contractors who voluntarily self-disclose false claims, take remedial actions, and cooperate with government investigations of alleged noncompliance. The DOJ reiterated that policy in its recent settlement press release, and noted that the contractor with whom it settled received settlement credit for

  • providing a written self-disclosure;
  • initiating an independent investigation and compliance review;
  • providing the government multiple detailed supplemental disclosures;
  • cooperating with the government’s investigation; and
  • taking prompt and substantial remedial measures.

Each of those steps reflects best practices for government contractors that have identified compliance failures, and the DOJ’s commitment to crediting contractors for their cooperation underscores the importance of making proactive disclosures, taking strong remedial measures, and fully cooperating with any agency investigation.

TAKEAWAYS

Government contractors are subject to a slew of cybersecurity requirements, and ensuring compliance can be challenging. While the best way to mitigate FCA and other enforcement risk is to proactively assess and address applicable compliance obligations, government contractors and subcontractors that have identified potential failures to meet those obligations retain options to remediate their noncompliance and reduce their exposure to FCA and other civil and criminal enforcement.

The DOJ’s recent announcement reaffirms that government contractors that are not fully compliant with cybersecurity requirements can mitigate potential FCA consequences by cooperating with government investigations and making voluntary disclosures when appropriate.
