On October 6, 2021, the Department of Justice (DOJ) announced a new Civil Fraud Cyber Initiative to “combine the department’s expertise in civil fraud enforcement, government procurement and cybersecurity to combat new and emerging cyber threats to the security of sensitive information and critical systems.”
As noted in a May 20, 2021, McGuireWoods alert, President Biden issued Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity,” on May 12, 2021, mandating that the federal government significantly improve cybersecurity within its networks and modernize federal cyber defenses, with important implications for federal contractors. The EO acknowledged that the United States “faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy” and called for the Administration to review and implement changes to its information technology and operational technology contract requirements and language to improve cybersecurity. This move followed a series of sweeping cyberattacks on federal contractors and federal government networks over the past year, including a recent incident that resulted in gasoline shortages across the U.S. East Coast and another that involved breaches of the networks of several federal agencies.
The DOJ initiative builds upon the earlier EO and provides that the Department will use its power under the False Claims Act (FCA), including through support for qui tam whistleblowers, to increase enforcement of cybersecurity-related fraud by federal contractors and grant recipients. While some contractors previously believed it to be “less risky to hide a breach than to bring it forward and to report it,” according to Deputy Attorney General Lisa O. Monaco, the federal government has now committed to ensuring that government contractors who receive federal funds follow increased cybersecurity standards. The initiative commits to increasing enforcement against contractors in the following areas: (1) provision of deficient cybersecurity products or services; (2) misrepresentations regarding cybersecurity practices or protocols; and (3) violations of obligations to monitor and report cybersecurity incidents and breaches.
The DOJ’s initiative comes in response to the EO’s establishment of a carrot-and-stick treatment for contractors, removing contractual barriers and tightening contractual requirements related to reporting information about threats, incidents, and risks. The related May 12, 2021, White House fact sheet explained that “requiring providers to share breach information that could impact Government networks is necessary to enable more effective defenses of Federal departments, and to improve the Nation’s cybersecurity as a whole.” While increasing enforcement scrutiny, the initiative aims to provide federal contractors with clarity on best practices and legal obligations related to cybersecurity compliance, monitoring, and reporting.
Of most importance to contractors, DOJ has stated that the goals for the initiative specifically include:
- building broad resiliency against cybersecurity intrusions across the government, the public sector, and key industry partners;
- holding contractors and grantees to their commitments to protect government information and infrastructure;
- supporting government experts’ efforts to timely identify, create and publicize patches for vulnerabilities in commonly used information technology products and services;
- ensuring that companies that follow the rules and invest in meeting cybersecurity requirements are not at a competitive disadvantage;
- reimbursing the government and taxpayers for losses incurred when companies fail to satisfy their cybersecurity obligations; and
- improving overall cybersecurity practices that will benefit the government, private users, and the American public.
In light of the DOJ’s promise to use the FCA to improve cybersecurity, federal contractors should refamiliarize themselves with the Supreme Court’s 2016 holding in Universal Health Services, Inc. v. United States ex rel. Escobar, “that the implied certification theory can be a basis for liability, at least where two conditions are satisfied: first, the claim does not merely request payment, but also makes specific representations about the goods or services provided; and second, the defendant’s failure to disclose noncompliance with material statutory, regulatory, or contractual requirements makes those representations misleading half-truths.” Contractors should also monitor the EO’s call for a series of changes to federal contract security language to consider participating in public comment opportunities for proposed rules. To that end, we expect contracting agencies to begin closer review and enforcement of the cybersecurity and related breach reporting requirements under, among other clauses, FAR 52.204-21, DFARS 252.204-7012, DFARS 252.204-7020, and the Cybersecurity Maturity Model Certification (CMMC) process (see, e.g., DFARS 252.204-7021), to include referral to DOJ for FCA enforcement where a material noncompliance is identified.