This announcement was closely followed by the reveal of CMMC 2.0, a large-scale modification of the Department of Defense’s proposed cybersecurity requirements. Defense contractors especially should pay attention to the Civil Cyber-Fraud Initiative. CMMC 2.0 now allows many contractors to self-attest their cybersecurity compliance without a formal third-party assessment. But with the Civil Cyber-Fraud Initiative, the government now has the tools to hold you accountable to that self-assessment.
Cybersecurity is still front-of-mind for the federal government. All government contractors, DoD contractors or otherwise, must be aware of the Civil Cyber-Fraud Initiative.
What is the Civil Cyber-Fraud Initiative?
In May 2021, the Biden Administration issued an “Executive Order on Improving the Nation’s Cybersecurity.” This executive order asks government agencies to use the full scope of their authority and resources to strengthen America’s cybersecurity. In pursuit of this goal, the Department of Justice has determined a basis for using the False Claims Act to combat cybersecurity negligence. This is the Civil Cyber-Fraud Initiative.
What is the False Claims Act?
The False Claims Act dates back to the Civil War. It allows the federal government to recover losses from contractors who make “false claims” to receive government funds or property.
This initiative will crack down on federal contractors who knowingly neglect cybersecurity requirements. Under the False Claims Act, the government can claim up to three times its losses, and this penalty applies to every false claim made. Currently, these fines could be as high as $23,607 per claim.
Expected Benefits of the Civil Cyber-Fraud Initiative
Through this initiative, the DoJ intends to improve the nation’s cybersecurity and reduce breaches. By creating a real penalty for false claims and noncompliance, the DoJ is making it harder for contractors to evade their cybersecurity responsibilities.
The DoJ also hopes to “level the playing field” by creating a fair environment for contractors who invest in cybersecurity. Cybersecurity compliance takes time and money. Without consequences for false cybersecurity claims, the contractors who “play by the rules” face a disadvantage: their competitors win the same contracts for far less by simply presenting a false picture to the government. The DoJ intends to prevent such situations going forward.
The DoJ also hopes this initiative will help government experts create needed security patches.
Who The Initiative Targets
According to the DoJ, the Civil Cyber-Fraud Initiative will target contractors who “put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.”
Accordingly, the DoJ has identified three primary targets for its initiative:
1. Contractors who knowingly fail to comply with cybersecurity standards (when these standards are a condition for payment)
This applies when contractors must meet certain cybersecurity standards to receive their contract, yet knowingly fail to meet those standards.
Consider the example of CMMC. To receive contracting work with the Department of Defense, you must comply with CMMC to protect the government information you handle. If you knowingly fail to practice these requirements, and thus endanger government information, you could be targeted by the Civil Cyber-Fraud Initiative.
2. Contractors who knowingly misrepresent their cybersecurity controls or practices
These contractors aren’t just failing to meet requirements; they are actively lying about their cybersecurity posture.
Again, CMMC provides a clear example. Under CMMC 2.0, many contractors will self-attest their compliance score to the federal government, with company leadership affirming that score. If you submit a score of 100, but your true score is -12, then the Civil Cyber-Fraud Initiative could be levelled against your company.
3. Contractors who knowingly fail to meet requirements for reporting breaches (or suspected breaches)
This will depend on your contract requirements. All federal contractors must report breaches in a timely manner, but the exact timing depends on your specific situation. Make sure to know when and how to report incidents. If you fail to report a breach in the allotted time, the government could seek damages through the Civil Cyber-Fraud Initiative.
As part of the False Claims Act, this initiative also protects whistleblowers. It actually incentivizes whistleblowing by offering whistleblowers a portion of the money recouped from the false claims they expose.
What Does This Mean For You?
This initiative targets contractors who knowingly make false claims about their cybersecurity. Ideally, if you’re fulfilling your obligations, this initiative shouldn’t affect you.
But cybersecurity is a complicated pursuit. It requires a level of specialized expertise that many companies don’t have on hand. For standards like NIST SP 800-171, it can be difficult to figure out exactly what’s required and how it applies to your company.
If you neglect to bring in the right expertise, and thus misunderstand and misapply your cybersecurity requirements, you could face action through the Civil Cyber-Fraud Initiative. Even if you can prove you made such mistakes unknowingly, the process itself costs valuable time and resources.
The biggest takeaway: Don’t go it alone. Have experts by your side to make sure that you’re applying the correct cybersecurity for your business. Small consulting costs now could save you a major payout in the future.
Know your cybersecurity requirements. Make sure you can recognize and report security incidents. And don’t go it alone.
How Core Can Help
At Core Business Solutions, we provide support for companies seeking cybersecurity standards such as ISO 27001, NIST, and CMMC 2.0. Our experts help you apply cybersecurity requirements to your specific business, so you can be confident in your security posture.
Our CORE Compliance Platform offers subscribers helpful tools for document control, training, and NIST self-assessment. For CMMC 2.0, subscribers receive technical solutions to meet the required practices, including solutions for CUI storage, secure email, and more.
We also offer assistance for non-cyber standards to help you earn points and win government contracts. Learn more here.
Contact us today to talk to a consultant and learn how to achieve stress-free cybersecurity compliance.