Cyber Security Rules and Guidance
For the most part, the cyber security regulations a contractor must follow depend on the contracting government agency. All federal contractors, however, must abide by the Federal Acquisition Regulations (FARs). Department of Defense contractors must follow additional regulations. For instance, they must implement Defense Acquisition Regulation (DFAR) 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) and NIST SP 800-171 (Protecting Controlled Unclassified Information [CUI] in Nonfederal Systems and Organizations). Similarly, subcontractors in the Defense Industrial Base must certify their compliance with DoD cybersecurity standards to be eligible to work on DoD projects. On October 3, 2023, the government proposed additional DFARs standardizing cybersecurity requirements for handling CUI and regulating cyber threat and incident reporting. Final versions of the proposed rules are expected to take effect in 2024.
Companies that maintain the protected health information (PHI) of government beneficiaries are subject to additional regulations. For example, they must abide by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the CMS Information Systems Security & Privacy Policy.
Companies that fail to comply with these rules may be liable for claims under the federal False Claims Act.
What is the Civil Cyber-Fraud Initiative?
Cyber fraud poses a risk to businesses, national security, and taxpayers. On October 6, 2021, the Department of Justice introduced the Civil Cyber-Fraud Initiative (Initiative) to combat cyber fraud. The Initiative emphasizes civil enforcement to hold government contractors accountable for failing to meet cybersecurity standards or failing to report cybersecurity incidents and breaches. This ensures that sensitive government information is protected and that taxpayer dollars are used appropriately.
The Initiative empowers whistleblowers to file lawsuits against entities or individuals endangering U.S. information by providing deficient cybersecurity products or services, misrepresenting cybersecurity practices, or violating monitoring and reporting obligations. In addition, the Initiative offers a powerful incentive for whistleblowers. Whistleblowers may receive up to 30% of the government’s financial recovery in successful cyber security fraud lawsuits. Reporting cyber fraud aids the government in addressing leaked sensitive material, recovering misappropriated funds, and informing businesses of breaches.
The False Claims Act is a Strong Tool Against Cyber Security Failures
Brian M. Boynton, Assistant Attorney General, U.S. Department of Justice, provided some insight into how the federal False Claims Act is a strong tool in the fight against cyber crime.
The False Claims Act can be used to address failures to meet cybersecurity standards when providing products or services to the government. These standards are usually specified in contracts. Violating them can harm the government.
Settlements Under the Civil Cyber Fraud Initiative
The first settlement under the Initiative was announced in March 2022. In that case, Comprehensive Health Services LLC agreed to pay $930,000 to settle claims it breached security protocols.
In July 2022, Aerojet Rocketdyne, Inc. paid $9 million to settle a case alleging it falsely certified its cyber security controls in order to win contracts.
In March 2023, the government settled with Jelly Bean Communications Design LLC for $300,000. The case involved cyber security failures related to the protection of PHI in the Florida Medicaid system.
In September 2023, Verizon agreed to pay $4 million to settle a False Claims Act case. Verizon received credit for self-reporting its failure to provide adequate security controls in federal contracts.
You can read more about the early takeaways from the Initiative in our prior blog post.
We Help Whistleblowers Report Cybersecurity Failures