On July 8, 2022, the U.S. Department of Justice (DOJ) announced a $9,000,000 settlement with federal government contractor Aerojet Rocketdyne Inc. (Aerojet) for alleged violations of the False Claims Act (FCA) in a case pending in the Eastern District of California. This settlement results from alleged false statements by Aerojet related to compliance with Department of Defense (DoD) cybersecurity requirements described in DoD Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 and National Aeronautics and Space Administration (NASA) Federal Acquisition Regulation Supplement (NFARS) clause 1852.204-76. This settlement further underscores the DOJ’s commitment to FCA enforcement actions involving cybersecurity considerations under its Civil Cyber-Fraud Initiative, announced in October 2021. To that end, this settlement serves as a clear reminder to contractors that DOJ and the plaintiffs’ qui tam bar are taking the Cyber-Fraud Initiative seriously, and suggests that a close understanding of, and adherence to, federal agency contractual cybersecurity requirements have become important mandates for the government contracting community broadly and the defense industrial base in particular.

Specifically, in the Aerojet case, a relator, the former Senior Director of Cybersecurity, Compliance and Controls at Aerojet, filed a whistleblower suit in October 2015 under the qui tam or whistleblower provisions of the FCA, alleging that Aerojet had misled both the DoD and NASA about its cybersecurity compliance posture. Under the FCA, individuals may file suit against those who knowingly misrepresent themselves to the government by submitting false claims, records, or statements. See 31 U.S.C. §§ 3729(a)(1)(A) and (B). Here, the relator alleged that Aerojet failed to comply with the DFARS and NFARS clauses noted above, which require the protection of controlled unclassified information (CUI) and other sensitive information, and that it knowingly made false statements to the contracting agencies concerning the nature and effectiveness of its compliance efforts. The relator further alleged that his employment was terminated after he attempted to call attention to Aerojet’s failures.

In May 2019, a U.S. District Judge in the Eastern District of California denied Aerojet’s motion to dismiss the case, holding that Aerojet’s compliance with these cybersecurity clauses could be deemed material to the government’s decision to award Aerojet government contracts and pay invoices thereunder. This decision was the first of its kind, preceding the settlement in the Comprehensive Health Services case on which we reported in March 2022, and setting potential precedent for an FCA theory of liability based on allegations of a breach of contractual cybersecurity requirements. While DOJ announced this settlement in an April 27, 2022 court filing, the details remained sealed until last week. Out of the government’s $9 million settlement payment from Aerojet, the relator will receive a $2.61 million share. The settlement agreement also notes that, notwithstanding the settlement, Aerojet continues to deny having engaged in any unlawful action.

In furtherance of its Civil Cyber-Fraud Initiative, about which we first reported in October 2021, DOJ remains eager to announce victories in its efforts to bolster cybersecurity and combat cyber fraud. Federal government contractors should anticipate similar DOJ FCA enforcement suits surrounding cyber-related misrepresentations and violations. Contractors should also appreciate that this settlement and the associated $2.61 million relator’s share serve as encouragement to whistleblowers to file qui tam actions under the FCA for cyber-related contractual violations. The problem in cases like this is not necessarily failing to fully comply with the cybersecurity rules. Instead, it is making false or reckless assertions about the state of your compliance efforts, i.e., telling the contracting agency you are compliant when in reality you are not, or agreeing to incorporate certain requirements into a contract (e.g., DFARS 252.204-7012) when you are neither meeting those requirements nor taking proactive actions to do so. Indeed, this settlement demonstrates that proactive compliance efforts, such as engaging with experts early to understand the specific requirements and methods to ensure compliance, can be critical to avoiding later enforcement or whistleblower actions.

This is an area that is also subject to recent increased regulatory scrutiny, as evidenced by DoD’s progress on the Cybersecurity Maturity Model Certification (or CMMC) Program 2.0, which we understand DoD is seeking to implement in RFPs as soon as within the next 12 months. Additionally, the Federal Acquisition Regulation Council continues to consider a draft rule entitled “Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems,” which, if implemented, would standardize cybersecurity requirements within federal civilian agencies that currently do not have an equivalent clause to DFARS 252.204-7012.

Against this backdrop, federal government contractors must not only continue to bolster their cybersecurity compliance efforts, but also make sure that representations and statements to federal agencies concerning the company’s cybersecurity infrastructure and initiatives are accurate and complete.

Please contact the authors if you have any questions about compliance with federal contract cybersecurity requirements or the implications of the DOJ’s Cyber-Fraud Initiative in the FCA enforcement arena.