The US Department of Justice (DOJ) recently took a significant step toward an enforcement regime that carries real risk for government contractors that lack proper cybersecurity policies and procedures.
On October 6, 2021, the DOJ announced a new Civil Cyber-Fraud Initiative, which will use the False Claims Act (FCA) to enforce government contract cybersecurity requirements and pursue cybersecurity-related fraud by government contractors.
The DOJ has indicated that this program will hold accountable entities or individuals that put US information or systems at risk by knowingly 1) providing deficient cybersecurity products or services to the government, 2) misrepresenting their cybersecurity practices or protocols, or 3) violating obligations to monitor and report cybersecurity incidents and breaches.
This new initiative should serve as a wake-up call to government contractors that have been slow to adopt strong cybersecurity practices and policies. It also signals to qui tam whistleblowers that they can expect the government's support when reporting their employers' cybersecurity failures.
This announcement follows several highly publicized cyber incidents, including the December 2020 SolarWinds compromise and the May 2021 ransomware attack on Colonial Pipeline Co. For the most part, the DOJ has avoided bringing enforcement actions against contractors that are victims of cyberattacks, but this announcement suggests that could change. The distinction to keep in mind is that the initiative targets knowing misrepresentation and failures to report, not victimhood itself: a breach becomes an FCA exposure when the contractor's representations about its security practices were false or its incident reporting obligations were not met.
This governmental focus on cybersecurity readiness is in line with the Cybersecurity Maturity Model Certification (CMMC) initiative, which will make specific cybersecurity requirements a condition of future government contracts. While CMMC has been undergoing a programmatic review under the Biden administration, scrutiny of contractors' and subcontractors' cybersecurity procedures and policies will only grow in the coming months and years.
Now is the time for government contractors to gain a comprehensive understanding of their cyber incident reporting procedures, including a written incident response plan that specifies who must be notified, and by when, in the event of a cyber incident. For defense contractors handling covered defense information, DFARS clause 252.204-7012 requires that cyber incidents be reported to the Department of Defense within 72 hours of discovery, so the plan should name the responsible people and the reporting channel in advance rather than during an incident. Contractors also should ensure that their employees fully understand their obligations regarding controlled unclassified information (CUI) and covered defense information (CDI). Contractors need to prioritize cybersecurity compliance and have in place the security controls, processes, procedures, and policies required by their regulatory and contractual obligations, including CMMC, NIST (notably SP 800-171), and FedRAMP requirements.
The CMMC team is happy to offer a free initial consultation for government contractors that want to learn more about these cybersecurity requirements and how to start preparing for CMMC assessments. Contact us to learn more. You can also visit our webpage or BRG’s profile on the CMMC Marketplace.