Blog

06.15.19

Recent developments in a case before the U.S. District Court for the Eastern District of California put a spotlight on the importance of cybersecurity compliance for government contractors. The district court denied in part a motion to dismiss filed by defendants Aerojet Rocketdyne Holdings, Inc. and Aerojet Rocketdyne, Inc. (collectively, "Aerojet"), holding that the relator "plausibly pled that defendants' alleged failure to fully disclose its noncompliance [with cybersecurity requirements] was material to the government's decision to enter into and pay on the relevant contracts." [1]

Cybersecurity Noncompliance Allegations Against Aerojet

The relator alleges that Aerojet (1) committed promissory fraud (fraud in the inducement) and (2) submitted false or fraudulent claims in violation of the False Claims Act ("FCA") by failing to disclose the full extent of its noncompliance with cybersecurity requirements when it obtained contracts with NASA and the Department of Defense ("DoD"), and by continuing to misrepresent its compliance to government officials thereafter.

Partial Disclosure Is Not Sufficient To Relieve Liability

Aerojet argued that it had disclosed its noncompliance to NASA and DoD, so the materiality standard could not be satisfied. The district court rejected this argument, finding that the relator "properly allege[d] with sufficient particularity that defendants did not fully disclose the extent of AR's noncompliance with relevant regulations," and that a partial disclosure would not relieve the defendants of liability. DoD was indeed aware that Aerojet was not fully compliant with cybersecurity regulations when it awarded the contract. However, DoD awarded the contract based in part on a disclosure statement from Aerojet, from which a DoD representative concluded that it would be a "relatively simple matter for the contractor to become compliant". The relator alleges that this statement contained material nondisclosures, namely that Aerojet misrepresented the extent to which it had the equipment, security controls, and firewalls the regulations require. Accepting these allegations as true, the court reasoned that the government might not have awarded the contract had it known the full extent of the noncompliance, since "how close [Aerojet] was to full compliance was a factor in the government's decision to enter into some contracts".

Cybersecurity Compliance May Be Relevant to "Central Purpose of the Contract"

Aerojet also argued that the cybersecurity requirements were not material because they did not go to the central purpose of its contracts, which concerned missile defense and rocket engine technology rather than cybersecurity. The court found this argument "unavailing at this stage of the proceedings": because DoD and NASA acquisition regulations require contractors to implement specific cybersecurity measures before they may handle certain technical information, misrepresentations about cybersecurity compliance could have affected Aerojet's ability to perform the work the contracts called for.

Government Behavior After A False Claim Is Not Dispositive

Aerojet presented two further arguments that the materiality requirement was not met, each intended to show that the government itself did not treat the issue as material: (1) the government declined to intervene in the case, and both NASA and DoD continue to contract with Aerojet; and (2) DoD's successive amendments to its acquisition regulations lowered the bar on cybersecurity requirements for contractors. Both arguments failed as well. Courts have repeatedly held that the government's behavior after a defendant presents a false claim is not dispositive, and Aerojet did not show that DoD had paid a company it knew to be noncompliant to the same extent that Aerojet was.

Federal Cybersecurity Requirements for Contractors

Aerojet held contracts with both DoD and the National Aeronautics and Space Administration ("NASA"), and each agency imposes security requirements governing how contractors must protect sensitive but unclassified electronic information.

NASA Requirements

As of January 2011, all NASA contractors and subcontractors have been required to "protect the confidentiality, integrity, and availability of NASA Electronic Information and IT resources and protect NASA Electronic Information from unauthorized disclosure," with no allowance for measures other than those specified.[2] A host of additional requirements, regulations, policies and guidelines are attached to individual NASA contracts, and the NASA Office of the CIO has a Cybersecurity & Privacy Division that develops and manages NASA's cybersecurity policies and requirements.

DoD Requirements

DoD first issued a final rule imposing cybersecurity requirements on contractors handling unclassified controlled technical information in 2013. That rule and its subsequent revisions define adequate security as "protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information." Technical information includes, among other things, research and engineering data, engineering drawings, studies and analyses, and computer software executable code and source code.[3]

Contractors were required to implement the security requirements specified by the National Institute of Standards and Technology ("NIST") in Special Publication 800-171 by the end of 2017. For contracts awarded before October 2017, "alternative, but equally effective, security measure[s]" were permissible, provided the contractor notified the DoD CIO of any variance between its alternative measures and the NIST requirements.[4]

What Comes Next?

The Aerojet Case Will Proceed

The relator is Aerojet's former Senior Director of Cybersecurity. His lawsuit also alleges that he was wrongfully terminated after refusing to certify that Aerojet was compliant with DoD cybersecurity regulations. Those employment-related claims have been referred to arbitration.

Although a third claim, for conspiracy under the FCA, was dismissed, the promissory fraud and implied certification claims survived and will proceed. At summary judgment, the court may for the first time provide guidance on which cybersecurity requirements are material under the FCA. The court declined the defendants' request to stay the entire proceeding pending resolution of the employment claims, agreeing with the relator that the issues in the FCA claims differ and that a stay would unnecessarily delay resolution of a case that has already been pending for more than three years.

Cybersecurity Standards Continue to Develop

Since June 2016, the Federal Acquisition Regulation ("FAR"), which is issued jointly by DoD, the General Services Administration ("GSA") and NASA and governs procurement across the executive branch, has included a basic safeguarding clause for contractor information systems. The rule covers the processing, storage, and transmission of federal contract information and is intended to be "just one step in a series of coordinated regulatory actions being taken or planned to strengthen protections of information systems."[5] It requires covered contractors to implement a set of basic safeguarding controls drawn from the NIST standard for protecting controlled unclassified information.[6]

The relator's initial complaint in the Aerojet case was filed in October 2015, before this FAR rule took effect. The DoD regulations at issue, however, refer to the same NIST standard and cover a considerably broader scope of information that must be protected.

If you are aware of fraud against the government, whether in cybersecurity or another sector, you may be eligible to blow the whistle in a False Claims Act lawsuit and may be entitled to a portion of the recovery. To find out more, contact Goldberg Kohn for a confidential consultation.

[1] United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., No. 2:15-cv-2245 WBS AC (E.D. Cal. May 8, 2019).

[2] See 48 C.F.R. § 1852.204-76, Security requirements for unclassified information technology resources.

[3] See 48 C.F.R. § 252.204-7012, Safeguarding covered defense information and cyber incident reporting.

[4] Current standards and guidelines can be found in NIST Special Publication 800-171, Revision 1.

[5] See 81 Fed. Reg. 30439, Federal Acquisition Regulation; Basic Safeguarding of Contractor Information Systems.

[6] See NIST SP 800-171, Revision 1.