New Civil Cyber-Fraud Initiative Uses False Claims Act to Enforce Cybersecurity Requirements


By Moshe Broder, David Bitkower, Brandon D. Fox, Shoba Pillay, and David B. Robbins of Jenner & Block

The Department of Justice (DOJ) recently announced a new Civil Cyber-Fraud Initiative that will use the False Claims Act (FCA) to enforce the cybersecurity requirements in government contracts. The initiative will be led by the Fraud Section of the DOJ Civil Division’s Commercial Litigation Branch. DOJ intends to draw on the experience and resources of its civil fraud enforcement, procurement, and cybersecurity-focused attorneys to make the initiative successful.

In remarks coinciding with the launch of this initiative, Deputy Attorney General Lisa Monaco emphasized that the DOJ will seek to impose “very hefty fines” on contractors or grant recipients who fail to comply with their obligations under cybersecurity standards. For example, while contractors are required to “rapidly report” (defined as reporting within 72 hours) “cyber incidents” to the Department of Defense under Defense Federal Acquisition Regulation Supplement 252.204-7012, Monaco suggested that contractors are falling short in meeting those reporting requirements. In particular, she stated that “[f]or too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it. Well, that changes today.”

Although enforcement practices and other details of this initiative remain to be seen, DOJ described the focus of the enforcement efforts as seeking to “hold accountable entities or individuals that put U.S. information or systems at risk.” The DOJ said it would target those: (1) providing deficient cybersecurity products or services, (2) misrepresenting their cybersecurity practices or protocols, or (3) violating obligations to monitor and report cybersecurity incidents and breaches. The DOJ also noted the applicability of the FCA’s whistleblower protection provision, highlighting the risk to contractors from qui tam suits alleging noncompliance with cybersecurity requirements. This announcement comes during a surge in FCA and other procurement fraud investigations.

The DOJ initiative also comes at a time when government contractor cybersecurity compliance and enforcement remains a high priority due to increasing cyber threats, including ransomware and other sophisticated attacks. Through standard government contract clauses implemented by an Interim Rule issued in September 2020 [1], many Department of Defense (DoD) contractors are required to perform a “Basic Assessment” of their implementation of the National Institute of Standards and Technology (NIST) controls for protecting Controlled Unclassified Information (CUI) [2]. Performing a Basic Assessment (and submitting the resulting score to the Supplier Performance Risk System) can be a condition for contract award, exercise of an option period, and/or extension of a contract’s period of performance.

The same Interim Rule introduced another standard government contract clause [3] that is intended to incorporate Cybersecurity Maturity Model Certification (CMMC) requirements into contracts. CMMC represents a paradigm shift from permitting self-attestation of compliance with contractual cybersecurity requirements to requiring third-party certification as a condition of contract award.

CMMC requirements have not yet been rolled out in solicitations and contracts, and media reports indicate that the CMMC program is undergoing a programmatic review with a range of possible changes under consideration. Nonetheless, taken together, the CMMC program reflects DoD’s push toward requiring widespread compliance with minimum cybersecurity standards, while DOJ’s Civil Cyber-Fraud Initiative signals increasing enforcement resources directed at government contractors that knowingly misrepresent their cybersecurity practices or fail to monitor and report cyber incidents.

The new Initiative has the potential to carry significant risk for government contractors. First and foremost, understanding the scope of a cyber attack and determining whether reporting obligations have been triggered within the 72-hour rapid reporting period can be challenging and may require close coordination with forensic investigators and counsel. Second, DOJ has announced that the fact of reporting (and presumably its completeness and timeliness) will be subject to FCA enforcement. More than ever, government contractors should ensure they understand their contractual cybersecurity requirements and the representations they are making about their compliance with those requirements. Contractors should also consider conducting tabletop exercises that game out how to respond to a cyber attack, and should ensure their internal policies, including those governing timely reporting under federal regulations, are up to date.

End Notes

[1] DFARS 252.204-7019 and DFARS 252.204-7020. See 85 Fed. Reg. 61505 (Sept. 29, 2020).

[2] NIST Special Publication (“SP”) 800-171.

[3] DFARS 252.204-7021.


Moshe Broder is an Associate in the Government Contracts Practice of Jenner & Block. He represents government contractors and subcontractors on a broad range of legal issues, including bid protests, disputes between prime contractors and subcontractors, and contract claims and disputes. Broder regularly prosecutes and defends bid protests before the US Government Accountability Office and the US Court of Federal Claims and litigates commercial disputes in state and federal courts. He can be reached at [email protected] or 202.637.6334.

David Bitkower is a Co-chair of the Investigations, Compliance and Defense Practice and the Data Privacy and Cybersecurity Practice at Jenner & Block, where he leads prominent white-collar cases and counsels clients with respect to cutting-edge cybersecurity matters. Bitkower previously served as the Principal Deputy Assistant Attorney General at the DOJ Criminal Division and also as the Chief of the National Security and Cybercrime Section at the U.S. Attorney’s Office for the Eastern District of New York. He can be reached at [email protected] or 202.639.6048.

Brandon D. Fox serves as Managing Partner of the Los Angeles office and Co-chair of the Investigations, Compliance, and Defense Practice of Jenner & Block. Fox formerly led the Criminal Division and the Public Corruption Section of the U.S. Attorney’s Office in Los Angeles. He has tried dozens of cases, including 20 as first chair. He can be reached at [email protected] or 213.239.5101.

Shoba Pillay is a Partner in Jenner & Block’s Investigations, Compliance and Defense Practice, Data Privacy and Cybersecurity Practice and the National Security, Sanctions, and Export Controls Practice. She has significant investigations, trial, and appellate experience in complex fraud, cybercrime, and national security matters. She can be reached at [email protected] or 312.923.2605.

David B. Robbins is a Partner in Jenner & Block’s Washington, DC, office and is Co-chair of the firm’s Government Contracts Group. He has extensive experience with False Claims Act litigation and investigations, including in the surety industry related to the construction of government buildings. Robbins ran the U.S. Air Force’s global Procurement Fraud Remedies Office and served, among other roles, as Deputy General Counsel (Contractor Responsibility). Robbins is also the principal author and editor of the American Bar Association peer-reviewed book entitled The Procurement Fraud Guidebook: The System, Stakeholders, and Response Strategies. Robbins serves on the NASBP Attorney Advisory Council. He can be reached at [email protected] or 202.639.6040.