Enable breadcrumbs token at /includes/pageheader.html.twig

DOJ Steps Up Cybersecurity Enforcement on Contractors

Companies should take note of possible actions under the False Claims Act.

The Department of Justice aims to hold government contractors and federal grant recipients accountable for weak cybersecurity. Credit: Shutterstock/Christopher E. Zimmer

The U.S. Department of Justice, or DOJ, is wielding the proverbial stick to improve cybersecurity across the federal government. Under the Civil Cyber-Fraud Initiative rolled out in October, the DOJ is increasing its actions against federal contractors and grant recipients that neglect to adhere to cybersecurity standards when providing technology solutions or services to the government. The department is relying on fraud provisions under the False Claims Act to pursue this cybersecurity-related legal action.

“The False Claims Act is the government’s primary civil tool to redress false claims for federal funds and property involving government programs and operations,” explained Deputy Attorney General Lisa Monaco in a statement last month. “The initiative will hold accountable entities or individuals that put U.S. information or systems at risk.”

Under the initiative, the department is drawing on its “expertise in civil fraud enforcement, government procurement and cybersecurity to combat new and emerging cyber threats to the security of sensitive information and critical systems,” the deputy attorney general indicated. The DOJ will work closely with other federal agencies, subject matter experts and law enforcement partners to pursue actions related to the initiative, the department said.

The DOJ’s action aims to even the playing field for companies that “follow the rules and invest in meeting cybersecurity requirements,” the department stated. The initiative also endeavors to reimburse the government and taxpayers for federal losses due to companies not meeting their cybersecurity obligations.

“For too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it,” Deputy Attorney General Monaco said. “We will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards—because we know that puts all of us at risk. This is a tool that we have to ensure that taxpayer dollars are used appropriately and guard the public trust.”

The DOJ Civil Division’s Commercial Litigation Branch, Fraud Section, is leading the initiative.

The department, as a policy, does not comment on how many actions it has already started pursuing. The False Claims Act was originally passed in 1863 to combat fraud perpetrated by defense contractors during the Civil War.

Maria Horton, cybersecurity expert and FedRAMP program manager for Herndon, Virginia-based EmeSec Inc., a subsidiary of DecisionPoint Corp., reminds contractors that under the act, the DOJ can pursue three types of allegations against federal contractors or grant recipients:

Knowingly providing deficient cybersecurity products or services;
Knowingly misrepresenting their cybersecurity practices or protocols; or
Knowingly violating obligations to monitor and report cybersecurity incidents and breaches.

“The False Claims Act has teeth which can impact corporations based on actions, inactions and misrepresentations,” Horton warned. “The DOJ also made it clear that False Claim Act penalties can be applied in conjunction with other penalties such as HIPAA [Health Insurance Portability and Accountability Act], Securities and Exchange Commission, or other Federal Trade Commission (FTC) Section 5 rules for unfair or deceptive commerce practices.”

She notes that the broad authorities of Section 5 of the FTC Act have already been used to penalize commercial corporations for “misrepresentations” in regards to cybersecurity. “The misrepresentations are ‘deceptive’ practices and unfair advantages used by companies,” she indicated.

Horton suggests that defense contractors pay attention to two specific action areas:

At the corporate level, focus on what is being presented to the government, including any contractually binding language related to cybersecurity performance and promises.
At the performance level, where monitoring and self-reporting on data leaks or breaches are related to the specific contracts.

“I expect to see ongoing contractual modifications, interest in cybersecurity proof points such as policies, and methods related to reporting breaches as requirements for new contracts,” she stipulated. “Violations and penalties could cost a company more than they earn on any given contract.”

Steve Shirley, executive director of the National Defense Information Sharing and Analysis Center (ND-ISAC), agrees that the act is a forceful instrument for the department. “The False Claims Act is a powerful tool for the Department of Justice and, of course, it isn’t new to defense contractors,” he noted. “What is new is DOJ’s October 6 announcement emphasizing its use in a ‘Civil Cyber-Fraud Initiative’ to enforce cybersecurity compliance.”

He anticipates that companies within the defense industrial base (DIB) may have “multiple” concerns about how this emphasis may potentially affect them.

“An exhaustive treatment no doubt requires a treatise in contract law cross-fertilized with cybersecurity issues,” he stated. “But for starters my DIB cybersecurity colleagues may have at least two initial worry points. The first arises from the nature of the DIB itself. Of the 16 critical infrastructure sectors permanently designated by the Department of Homeland Security (DHS) only the DIB as a sector is literally defined by the complex volume of the Defense Department’s acquisition and contracting guidelines. As all DIB companies know, but perhaps less apparent to DOJ, that complex volume comprises an eye-watering array of cybersecurity standards, policies, guidelines and requirements developed by various military departments, commands, agencies and DoD organizations; plus existing federal guidelines incorporated by reference by DoD entities; and inserted in contract language.”

This complex web of federal policies, requirements and contracting language are not harmonized or aligned or, worse, may sometimes even conflict, Shirley specified.

“Within ND-ISAC’s technical working groups, I see extraordinary focus by member company subject matter experts to parse the precise intention and meaning of various cybersecurity requirements and associated technical controls developed by DoD organizations,” he explained. “This is with the earnest objective of complying with DoD contractual requirements and oversight (e.g. the assessments conducted by the Defense Contract Management Agency’s DIB Cybersecurity Assessment Center and evolving DoD Cyber Maturity Model Certification provisions). Not surprisingly, even among technical experts there can be an honest divergence of opinion about configuring various technical controls or if/how to implement a valid and acceptable compensatory control that may achieve the effect DoD desires.”

Deputy Attorney General Monaco also highlighted the False Claims Act’s “unique whistleblower provision” that enables private citizens—such as employees of contractors—to assist the government in identifying and pursing fraudulent conduct, by filing so-called qui tam lawsuits on behalf of the government. The whistleblowers who bring successful qui tam actions may receive a share of the government’s recovery and are reportedly protected from retaliation, the DOJ said.

For Shirley, this potential payout to employees could be significant.

“In plain speak this means a source or ‘whistleblower’ can be granted between 15 percent and 25 percent of a successful DOJ civil recovery based on their disclosure,” he stated. “While there’s an obvious constructive government purpose for this feature, the potential for monetary reward may also give rise to specious allegations that might claim a complex technical decision is a fraud with the intent to knowingly misrepresent cybersecurity practices or protocols.”

Lastly, he urged the DOJ to increase its recognition of the complexities federal contractors face due to the intricate web of federal cybersecurity provisions.

“If the DOJ announcement underscores the expectation that DIB companies will exercise due diligence in complying with cybersecurity requirements, it also invites the reasonable corresponding expectation that DOJ will exercise due diligence in understanding the challenges of complying with complex intersecting cybersecurity requirements in the DoD contracting terrain, but also in carefully testing allegations of noncompliance,” Shirley advised.