According to statistics published by the Cybersecurity and Infrastructure Security Agency (CISA), 47 percent of American adults have had their personal information exposed by cyber criminals, and an estimated 600,000 Facebook accounts are hacked every day. Cybercrime has greatly affected individual citizens, and it is no surprise that cybercriminals have targeted the government as well. In 2023, the United States Federal Government allocated nearly $11 billion of the $90 billion information technology (IT) budget for cybersecurity, and there were an estimated 30,819 cyberattacks against Federal Government agencies in 2020.
Government contractors have also been targeted by cyber-attacks, and the United States has required its contractors to implement increasingly demanding cybersecurity protections as a condition of payment in their contracts. To specifically address cybersecurity fraud, the Department of Justice introduced the Civil Cyber-Fraud Initiative in 2021, which is intended to “combat new and emerging cyber threats to the security of sensitive information and critical systems.” The Civil Cyber-Fraud Initiative will partner with qui tam whistleblowers to utilize the False Claims Act to ensure contractors abide by cybersecurity requirements and that bad actors are prevented from accessing sensitive government information.
Violation of cybersecurity requirements and other cybersecurity failures may give rise to False Claims Act liability, under which government contractors with insufficient cybersecurity practices must pay treble damages. Whistleblowers who expose contractors who falsely profess compliance with these requirements or fail to report cybersecurity incidents can recover 15 to 30 percent of money recovered by the government in a False Claims Act suit.
There are two generally applicable cybersecurity obligations for government contractors:
- Federal Acquisition Regulations (FAR) 52.204-21;
- National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.
For contractors with the Department of Defense, there are two additional cybersecurity standards:
- Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012; and
- Cybersecurity Maturity Model Certification (CMMC) 2.0.
Failure to comply with these cybersecurity obligations may give rise to a False Claims Act claim. For a whistleblower to know whether a violation has occurred, they must first understand what each of these requirements entails.
A. Federal Acquisition Regulations 52.204-21
FAR 52.204-21 is a requirement generally applicable to all government contractors, and the requirements of the regulation are extended to subcontractors. There are fifteen "safeguards," or measures and controls prescribed to protect government information, with which contractors must comply. These include requirements such as restricting system access to authorized users, controlling interactions with external information systems like private email or cloud storage, destroying and sanitizing information before disposal or reuse, and limiting physical access to information systems.
A full list of these requirements can be found here.
B. National Institute of Standards and Technology SP 800-171
NIST SP 800-171 has 110 security requirements, which are organized into fourteen groups, including access control, audit and accountability, and incident response. While no agency is responsible for adjudicating compliance with NIST requirements, contractors are required to self-assess their own compliance and report their score to the contracting agency. Each agency that utilizes NIST requirements establishes its own reporting mechanism. For example, the Department of Defense uses a Plan of Actions and Milestones (POA&M) and a System Security Plan (SSP), which outline timelines for and evidence of compliance, respectively.
The full text of NIST SP 800-171 can be found here.
C. Defense Federal Acquisition Regulation Supplement 252.204-7012
DFARS supplements the original FAR requirements pursuant to increased security concerns surrounding defense information. DFARS requires contractors and subcontractors to, among other things:
- "Adequately" safeguard sensitive defense information that resides on the contractor's internal information system, where "adequately" is defined as complying with NIST SP 800-171 requirements;
- Report malicious cyber incidents and submit malicious software to the Department of Defense Cyber Crime Center; and
- Submit damage assessment information to evaluate the origin and extent of cyberattacks.
The full text of DFARS 252.204-7012 can be found here.
D. Cybersecurity Maturity Model Certification 2.0
The CMMC 2.0 program is designed to protect the transfer of information between the Department of Defense and its contractors and subcontractors. To achieve this goal, CMMC 2.0 relies on a tiered model that requires contractors to meet progressively advanced security requirements, depending on the sensitivity of information within their possession. In addition, the Department of Defense may verify contractors' compliance with these security requirements. Compliance with CMMC 2.0 requirements is a condition for payment from a Department of Defense contract.
More information on CMMC 2.0 can be found here.
While this list represents several key cybersecurity requirements, note that there are other cybersecurity requirements that the government expects its contractors to respect. For example, cybersecurity requirements for contractors are contained in the Federal Information Security Modernization Act of 2014 (FISMA), the full text of which can be found here.
In addition, individual contracts may contain contractor-specific requirements, the violation of which may also be grounds to bring a False Claims Act case.
Recent Cybersecurity False Claims Act Cases
A. Verizon Wireless allegedly violated FAR requirements
On September 5, 2023, the Department of Justice announced a $4 million settlement, resolving allegations that Verizon's Managed Trusted Internet Protocol Service (MTIPS) failed to satisfy the generally applicable FAR requirements. MTIPS provided federal agencies with supposedly secure connections over public internet and other external networks. However, from 2017 to 2021, these connections lacked three requirements the Federal Acquisition Council deemed critical: the Domain Name System security extension (DNSSEC), full packet capture, and miscellaneous encryption features.
DNSSEC is a security service which prevents server responses from being manipulated by cybercriminals. Full packet capture is the process of recording all traffic coming onto the server and leaving the server and is important to monitor both the introduction of malware into the information system and to prevent the external distribution of sensitive materials. Finally, the suit alleged that MTIPS failed to meet encryption requirements laid out in the Federal Information Processing Standards 140-2.
Verizon brought the False Claims Act suit against itself, and the Department of Justice settled the allegations before the suit was unsealed. The Department of Justice acknowledged that Verizon "took a number of significant steps" in addressing the shortfalls of its MTIPS program.
B. Penn State University allegedly violated DFARS and NIST SP 800-171 requirements
The Eastern District of Pennsylvania recently unsealed a False Claims Act suit, Decker v. Pennsylvania State University, 22-CV-03895. This suit is a qui tam action brought by Matthew Decker, chief information officer of Penn State University's (PSU) Applied Research Laboratory (ARL), and it alleges that PSU failed to adequately protect contract defense information by falsifying compliance with required cybersecurity controls.
The ARL, which was founded in 1945 at the request of the United States Navy, performs a variety of scientific experimentation, prototyping, and proofing on behalf of clients in defense, intelligence, and homeland security. As a result, the ARL is subject to both Department of Defense-specific and generally applicable cybersecurity standards.
In this suit, the whistleblower alleges that the ARL failed to meet its obligations laid out in DFARS 252.204-7012. As discussed above, this regulation supplement requires defense contractors to self-audit their information systems against the 110 controls listed in NIST SP 800-171 and to report a score to the government. The whistleblower alleges that PSU and the ARL falsified at least 20 documents in order to falsely self-report compliance since January 2018.
On September 29, 2023, the Department of Justice declined to intervene in this case. As a result, Mr. Decker's attorneys will continue to litigate the case without the help of the government.
As the government institutes increasingly demanding cybersecurity standards, contractors will be increasingly tempted to cut corners and save costs by falsifying compliance with the government's requirements. Potential whistleblowers should remain vigilant by encouraging government contractors to truthfully comply with cybersecurity obligations, or to bring False Claims Act suits to enforce compliance with these requirements. The whistleblower attorneys of Goldberg Kohn stand ready to assist in investigating and litigating False Claims Act cases to enforce cybersecurity compliance by government contractors.
WHAT SHOULD YOU DO IF YOU ENCOUNTER CYBERSECURITY NONCOMPLIANCE?
Under the False Claims Act, employees or other persons with knowledge who become aware of conduct that violates statutory and/or contractual cybersecurity standards and is connected to false claims on the government can file a qui tam lawsuit on behalf of the government to address these practices. Whistleblowers who sue on behalf of the government may receive between 15 and 30 percent of the money recovered by the government if the suit is successful.
The whistleblower attorneys at Goldberg Kohn can help.
If you are aware of false claims being made on the government, call Goldberg Kohn at 312-284-3258 or contact us online. We are always willing to provide you with a free, confidential consultation to discuss a potential case.