A Sea Change in Handling of Government Contractor Cyber Incident Reporting?
In the wake of increasing cybersecurity threats and incidents, the U.S. Department of Defense (DoD) amended its Federal Acquisition Regulation Supplement (DFARS) in 2015 to issue the 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting clause (DFARS clause). The DFARS clause, which is included in all DoD solicitations and contracts, including those for acquisitions of commercial items, requires that the contractor must “provide adequate security on all covered contractor information systems.” Covered contractor information systems are those that are “owned, or operated by or for, a contractor and that processes, stores, or transmits covered defense information.” The DFARS clause also requires that a contractor discovering a cyber incident that “affects a covered contractor information system or the covered defense information residing therein, or affects the contractor’s ability to perform the requirements of the contract that are designated as operationally critical support and identified in the contract,” must conduct a review and “rapidly report” the cyber incident to the DoD Cyber Crime Center (DC3). A “cyber incident” is defined as “actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.” The current version of the clause goes on to define “compromise,” “covered defense information,” and more. Thus, a reportable event only arises when a number of elements are present. There still remain questions about the timing and scope of reporting under the clause. Recognizing this, even when there are not mandatory reporting requirements, DoD has established a voluntary public-private Defense Industrial Base (DIB) Cybersecurity program that allows for the sharing of information on cyber threats and more.
In the wake of the Solar Winds cyber incident and Colonial Pipeline ransomware cyber attack, among others, the Biden Administration earlier this year issued Executive Order 14028 on Improving the Nation’s Cybersecurity. It requires that Executive agencies recommend and develop guidance on best practices and new regulations and that the new regulations be issued for notice and comment. The recommendations and activities to address these Executive Order requirements have not been fully transparent, and, while two FAR cases have been opened for the rulemaking promised under this Executive Order, FAR Cases 2021-017 and 2021-019, no proposed rule or opportunity for comment on any proposed standardization of cyber requirements, information sharing, or incident reporting, has yet been provided contractors or the public. This effort is still in process.
Congress also has been focused on addressing and improving cybersecurity of the government and its supply chain following these cyber incidents. In the Senate, bipartisan legislation, such as the Cyber Incident Notification Act of 2021, which would require “federal agencies, government contractors, and critical infrastructure owners and operators to report cyber intrusions within 24 hours of their discovery,” has been proposed.
With this backdrop and without waiting for passage of legislation or issuance of specific guidance or rules, or promised rulemaking by the Executive Branch, on October 6, 2021, Deputy Attorney General (DAG) Lisa Monaco of the U.S. Department of Justice (DOJ) announced that DOJ is launching the Civil Cyber Fraud Initiative. Under that Initiative, DOJ intends to use the authority of the False Claims Act, 31 U.S.C. §§ 3729 et seq., (FCA) to investigate, prosecute and fine government contractors that “fail to follow required cybersecurity standards.” Actions that DOJ expects to address include the situation in which a government contractor “hides” and does not come forward to report “a breach.” This Initiative raises concerns about government overreach and lack of definition. Precisely what actions will be considered “hiding” and what event will be defined to be a prosecutable “breach” will need to be identified. The current DFARS clause does not use these terms in its provisions.
The FCA prohibits the submission of false or fraudulent claims to the government, or using false statements in the submission of those claims. The FCA allows for per claim penalties that range from $11,665 to $23,331 plus up to three times the amount of damages that the government sustains.
A key aspect of the FCA is its whistleblower or “qui tam” provisions, which allow for whistleblowers who first report suspected violations to obtain a percentage of the government’s recovery from a successful resolution of the matter. The FCA is a civil enforcement statute that does not require specific intent to defraud, such as in most criminal fraud statutes.
This lowered intent requirement, along with the potential for incredibly hefty fines and treble damages, are part of the reason that it has become the federal government’s main tool to combat fraud involving government funds and property in a multitude of government operations and functions. In 2020, the DOJ recovered over $2.2 billion from FCA cases.
The reach of the FCA is broad and liability can extend to employees, affiliates, and business partners of companies that do business with the federal government. Indeed, in light of the trillions of dollars that Congress appropriated for COVID relief, a bipartisan group of senators, led by Sen. Chuck Grassley (R-Iowa), introduced amendments in late July 2021 to augment the FCA by clarifying certain provisions and expanding the reach of other provisions.
Notwithstanding DAG Monaco’s announcement, the DOJ’s interest in using the FCA to police and enforce cybersecurity standards is not new. In late December 2020, Deputy Assistant Attorney General Michael D. Granston laid out one of the key upcoming FCA enforcement areas for DOJ in 2021, “[w]here [cybersecurity] protections are a material requirement of payment or participation under a government program or contract, the knowing failure to include such protections could give rise to False Claims Act liability.” More than a year earlier, DOJ announced the first FCA settlement based on cybersecurity noncompliance. In July 2019, Cisco Systems Inc. agreed to pay $8.6 million to settle an FCA whistleblower suit alleging that Cisco did not meet federal cybersecurity standards when it sold to government agencies video surveillance products with known vulnerabilities that hackers could exploit.
Given that there are open and continuing action items to determine what is required when on cyber incident reporting, and what contractors should do to address these situations, we will have to wait to see whether DOJ’s Civil Cyber Fraud Initiative will actually result in an increase in FCA enforcement actions or cyber incident reporting. When the government instituted FAR Mandatory Disclosure requirements covering fraud and FCA violations in 2008, the entire government contracting industry was told that the new disclosure requirements would open the floodgates to reporting violations, which would in turn strengthen the integrity of the U.S. government contracting apparatus, root out fraud, and lead to the recovery of monies. While contractors certainly have taken reporting and disclosure seriously, it is unclear whether there has been the expected exponential uptick in reporting. That may be because the threat of criminal or civil FCA investigation and prosecution, or whistleblower action, makes it necessary for contractors to carefully consider what they are required to report and when. In this case, the time, costs and risks associated with the new cyber fraud initiative actually may result in chilling companies that might otherwise come forward to disclose concerns.
There is no question that cyber threats to the government and its supply chain are increasing. There also is no question that this Administration is intent on turning up the heat in addressing cybersecurity and other matters. But, there also is no question that the majority of government contractors are concerned about the problem as well and looking to the government to work with them and to provide insight and assistance so that they can better understand the threats out there and best practices for addressing them.
We are watching out for the promised rulemaking and will keep a close eye on developments in DOJ’s new program. If you have questions about this advisory or other government contracts and investigations matters, contact the authors, Susan Warshaw Ebner and Habib Ilahi.