False Claims Act Meets Cybersecurity: DOJ's New Civil Cyber-Fraud Unit
Earlier this week, the U.S. Department of Justice (DOJ) announced the launch of its new Civil Cyber-Fraud Initiative — an effort designed to harness the department's knowledge in civil fraud enforcement, government procurement and cybersecurity to combat emerging (and escalating) cyber threats. The initiative comes on the heels of the DOJ's comprehensive, 120-day review into its cybersecurity strategy for defending and deterring cyber threats. According to the announcement, the initiative's aim is to "hold accountable" those entities and individuals that put sensitive U.S. information at risk by failing to comply with federal cybersecurity requirements.
The DOJ's tool of choice? The civil False Claims Act (FCA). The FCA imposes liability on any person (or entity) who knowingly presents, or causes to be presented, a false or fraudulent claim to the government. As applied to cybersecurity, the initiative will use the FCA to prosecute those who:
- knowingly provide deficient cybersecurity products or services
- knowingly misrepresent their cybersecurity practices or protocols, or
- knowingly violate obligations to monitor and report cybersecurity incidents and breaches
For purposes of the FCA, the "knowing" and "knowingly" standard means that a person 1) has actual knowledge of the information; 2) acts in deliberate ignorance of the truth or falsity of the information; or 3) acts in reckless disregard of the truth or falsity of the information. 31 U.S.C. § 3729(b). Importantly, no proof of specific intent to defraud is required.
The DOJ's announcement is part of the federal government's larger effort to improve the nation's cybersecurity. Other efforts include President Joe Biden's Executive Order on Improving the Nation's Cybersecurity, issued in May 2021, in which President Biden declared "bold changes and significant investments" were needed in order to defend and protect information systems that process, store or transmit sensitive federal information – whether cloud-based, on-premises or hybrid. (See Holland & Knight's previous blog post, "Cybersecurity for All: President Biden Issues Sweeping Cybersecurity Executive Order," May 13, 2021). The president issued the Executive Order in response to a wave of recent cyberattacks, such as those against SolarWinds. The U.S. Department of Defense (DoD) is also in the process of reviewing its Cybersecurity Maturity Model Certification (CMMC) program that would require all DoD contractors and subcontractors not selling commercial off-the-shelf (COTS) products to obtain a third-party cybersecurity certification. As it is now, certain DoD contractors are required to comply with cybersecurity self-certification requirements.
However, FCA cybersecurity actions aren't (that) new. There has been an uptick in cybersecurity-based FCA actions in recent years, predominantly qui tam actions filed by former employees that "blew the whistle" on their company's deficient cybersecurity standards and practices.
Takeaways and Considerations
For contractors, now is a good time to review your organization's cybersecurity practices and ensure they are in compliance with federal regulations. Take a close look at your federal prime and subcontracts — any of the following could potentially serve as a basis for an FCA enforcement action:
- FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems: Requires contractors to employ certain "basic" security controls, such as limiting access, authenticating users and identifying system flaws in a "timely manner.
- DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting: Requires contractor information systems to comply with the cybersecurity requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. The clause also requires reporting of "cyber incidents" within 72 hours and other mitigation measures.
- DFARS 252.204-7020, NIST SP 800-171 DoD Assessment Requirements: Applies to covered contractor information systems that are required to comply with NIST SP 800-171, in accordance with the -7012 clause. This clause requires contractors to provide access to their facilities, systems and personnel necessary for the government to conduct a NIST SP 800-171 DoD Assessment, as described in NIST SP 800–171 DoD Assessment Methodology (latest version, version 1.2.1 (June 24, 2020)).
- DFARS 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements: Requires offerors, as a prerequisite for award, to perform and hold a current (i.e., not more than three years old) NIST SP 800-171 DoD Assessment for each covered contractor information system that is relevant to the offer, contract, task or delivery order. This can initially be accomplished by entering NIST SP 800-171 compliance information within the DoD-operated Supplier Performance Risk System (SPRS) database.
- DFARS 252.204-7021 Contractor Compliance with the CMMC Level Requirement: Requires contractors to have a current CMMC certificate at the CMMC level required by the contract, and to maintain that certificate for the duration of the contract. CMMC only builds upon DFARS 252.204-7012 and having the security measures required by DFARS -7012 (i.e., NIST SP 800-171 requirements) in place is the first step toward CMMC certification.
These clauses are aimed at ensuring contractors implement robust cybersecurity measures to protect sensitive federal information residing in their information systems. Where these protections are a material requirement of payment under a government contract, the knowing failure to implement such protections or report vulnerabilities could give rise to liability under the FCA.
Although DOJ's Civil Division is launching the initiative, it does not preclude parallel government enforcement actions, including criminal prosecutions, where potential criminal liability is found. It is not uncommon for the DOJ to initiate criminal proceedings based off the same factual allegations underlying qui tam complaints and DOJ civil fraud investigations, especially as the FCA shares elements in common to criminal statutes where there is criminal intent. For example, 18 U.S.C. § 287, criminalizes making false, fictitious or fraudulent claims upon the United States or conspiring to do so. As a result, this Civil Cyber-Fraud Initiative could lead to increased coordination between the criminal and civil divisions in the cyber arena.
For more information on the DOJ's Civil Cyber-Fraud Initiative, the FCA or any of the issues raised above, contact the authors.