The Department of Justice (DOJ) is bringing one of its trustiest tools to the project of improving the nation's cybersecurity. The DOJ announced last week the launch of its Civil Cyber-Fraud Initiative which will use the False Claims Act to enforce cybersecurity requirements in federal government contracts. The False Claims Act, first enacted during the Civil War to combat fraud by government contractors, awards treble damages and levies additional penalties against a party that knowingly makes a false claim to the government.
In remarks made the day of the announcement, Deputy Attorney General Lisa Monaco warned of "very hefty fines" for companies that are entrusted with federal government work but fail to meet cybersecurity requirements. "For too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it," said Deputy Attorney General Monaco.
According to the DOJ, the Civil Cyber-Fraud Initiative will hold accountable those who put federal information and systems at risk by knowingly providing deficient cybersecurity products or services, misrepresenting their cybersecurity practices or protocols, or violating obligations to monitor and report cybersecurity incidents and breaches.
Federal contractors should promptly:
- Identify and assess their compliance with cybersecurity-related obligations in federal contracts. Companies must understand everything they have committed to under federal contracts and determine the extent to which they are in compliance. Note that federal contracts regularly incorporate standards from the National Institute of Standards and Technology (NIST), such as Special Publications 800-53 (Security and Privacy Controls for Information Systems and Organizations) and 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations).
- Evaluate and strengthen controls for reporting cybersecurity incidents and certifying compliance with cybersecurity requirements. Contractors must have strong controls in place for identifying and reporting cybersecurity incidents and compliance issues. Company employees responsible for certifying compliance with federal contracts must have access to all the information they need to ensure that certifications are complete and accurate.
Federal contractors are required to certify their compliance with myriad regulations and contractual requirements at numerous points in the relationship, such as when they sign or renew a contract and when they submit invoices for payment. This parade of certifications provides DOJ with many opportunities to assert that federal contractors knowingly misrepresented their compliance with cybersecurity rules in violation of the False Claims Act. The DOJ makes frequent use of the False Claims Act and reports having recovered more than $2.2 billion in fiscal year 2020 in settlements and judgments under the law.
To complicate matters further, the False Claims Act allows private citizens to file qui tam suits on behalf of the government and to receive a portion of the government's recovery. The False Claims Act serves as a major whistleblower statute and frequently is used by current and former employees of federal contractors alleging that their companies falsely represented their compliance with federal requirements.
Individuals already have brought several high-profile cases under the False Claims Act, alleging cybersecurity misrepresentations. For example, in 2019, Cisco Systems settled for $8.6 million a False Claims Act suit brought by the employee of a Cisco partner company alleging the company failed to address security vulnerabilities in video surveillance systems used by the federal government. The False Claims Act prohibits retaliation against employees, contractors, or agents who exercise their rights under that law.
Enforcement of incident and breach notification requirements is likely to be a top priority for the new initiative. To be clear, contractors would not be liable under the False Claims Act simply for missing a notification deadline (although that may be a breach of contract). Rather, False Claims Act liability could arise where a contractor missed a notification deadline and then knowingly misrepresented that fact in a certification to the government. The financial consequences for such a misrepresentation could be very significant—up to three times the amount the government paid to the contractor in reliance on the misrepresentation, plus penalties.
The timelines within which federal government contractors must report security incidents vary by agency and other circumstances but are becoming increasingly short. President Biden's May 2021 Executive Order on Improving the Nation's Cybersecurity, which we discussed in a prior blog post, directs agencies to require notification "not to exceed 3 days after initial detection" for the most serious incidents.
Competing bills in Congress—including ones from the Senate Homeland Security Committee, the Senate Intelligence Committee, and the House Homeland Security Committee—would require some federal contractors, critical infrastructure operators, and potentially others to report incidents within 24 to 72 hours of detection. The Department of Defense requires notification within 72 hours under Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012. Cloud service providers operating under the Federal Risk and Authorization Management Program (FedRAMP) have only one hour to notify federal agencies under the FedRAMP Incident Communications Procedures.