Takeaway: The DOJ’s Civil Cyber-Fraud Initiative and qui tam actions under the False Claims Act represent significant enforcement mechanisms for cybersecurity contractor compliance.
On the eve of 2022, the United States began imposing new, punitive cybersecurity measures aimed at making the internet a safer platform for businesses to share and use data. As a direct result, cybersecurity contractors working in the defense industrial base are being targeted by the Department of Justice, resulting in a rapid increase in settlements under the False Claims Act.
Just a few weeks ago, the Department of Defense issued a memorandum reminding contracting officers of their remedies against contractors that fail to implement NIST 800-171 cybersecurity controls. NIST 800-171 is a self-administered cybersecurity requirement for all DoD contractors. The DoD memorandum urges contracting officers to use the remedies available to them, including withholding progress payments, foregoing remaining contract options, and potentially terminating the contract in part or in whole.
The following cases serve as cautionary tales to cybersecurity contractors:
If a cybersecurity contractor knowingly fails to comply with material cybersecurity requirements, the contractor could be exposed to liability via qui tam actions under the False Claims Act.
The recent Aerojet Rocketdyne settlement is instructive. Aerojet’s Senior Director for Cybersecurity filed the Aerojet action in April as a whistleblower under the False Claims Act. The action alleged that Aerojet fraudulently induced the government to contract with the aerospace company by not fully disclosing its non-compliance with DoD cybersecurity requirements. The action sought $19 billion in damages.
The evidence showed that Aerojet had communicated with the government about its non-compliance when it sought a waiver of certain requirements. The presiding court, however, found “a genuine dispute of material fact as to the sufficiency of the disclosures” and thus denied Aerojet’s motion for summary judgment. The court found, upon a deeper investigation, that Aerojet failed to disclose pertinent information about cyber audits conducted by external firms, as well as past security breaches. Additionally, the court found that more information was needed to determine whether the government deemed these requirements material to contract award.
Ultimately, Aerojet settled the case for $9 million – $2.61 million of which was paid to the whistleblower – and the government received the entire economic value of the contract.
In March 2022, prior to the Aerojet case, the Department of Justice’s Civil Cyber-Fraud Initiative produced its first cyber-related settlement. Comprehensive Health Services LLC, a medical services contractor, paid $930,000 to settle allegations that it violated the False Claims Act by failing to store confidential medical records on an electronic health record system. Upon resolution of the case, the Principal Deputy Assistant Attorney General stated that the settlement “demonstrates the department’s commitment to use its civil enforcement tools to pursue government contractors that fail to follow required cybersecurity standards.”
Moving forward, contractors must be aware of these reinvigorated enforcement efforts. How contractors choose to demonstrate cybersecurity compliance in their proposals will be key to withstanding government scrutiny.