DOJ Civil Cyber-Fraud Initiative
In October of 2021, the Department of Justice revealed the Civil Cyber-Fraud Initiative. This initiative uses the False Claims Act to hold government contractors accountable for cybersecurity. If your company receives funds or resources from the federal government, you can’t ignore the Civil Cyber-Fraud Initiative.
This announcement was closely followed by the reveal of CMMC 2.0, a large-scale modification of the Department of Defense’s proposed cybersecurity requirements. Defense contractors in particular need to pay attention to the Civil Cyber-Fraud Initiative.
Unlike the original CMMC, CMMC 2.0 allows many contractors to self-attest their cybersecurity compliance without a formal third-party assessment. However, with the Civil Cyber-Fraud Initiative, the government has the tools to hold you accountable for that self-assessment.
What is the Civil Cyber-Fraud Initiative?
In May 2021, the Biden Administration issued an “Executive Order on Improving the Nation’s Cybersecurity.” This executive order asks government agencies to use the full scope of their authority and resources to strengthen America’s cybersecurity. In pursuit of this goal, the Department of Justice has determined a basis for using the False Claims Act to combat cybersecurity negligence. This is the Civil Cyber-Fraud Initiative.
This initiative will crack down on federal contractors who knowingly neglect cybersecurity requirements. Under the False Claims Act, the government can claim up to three times its losses, and this penalty applies to every false claim made.
What are the False Claims Penalties in 2023?
The False Claims penalties adjust for inflation every year. As of January 30, 2023, the penalties for making a false claim to the US Government range from between $13,508 and $27,018 per violation.
Both the date of violation and the date the court assesses the penalties are factors in determining the amount of the penalties.
What is the False Claims Act?
The False Claims Act dates back to the Civil War. It allows the federal government to recover losses from contractors who make “false claims” to receive government funds or property.
The False Claims Act in Action
The Penn State Cybersecurity Incident
On September 1, 2023, a significant legal case came to light when the U.S. District Court for the Eastern District of Pennsylvania unsealed a qui tam False Claims Act (FCA) lawsuit, initially filed on October 5, 2022.
The lawsuit alleged that Penn State University failed to uphold the necessary security standards for Covered Defense Information (CDI) as mandated by the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 clause. According to this clause, “adequate security” entails the implementation of all 110 controls specified in the National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171).
Federal regulations further mandate that Department of Defense (DoD) contractors perform a self-assessment to verify compliance with these 110 controls. Contractors are then required to report their compliance score, measured out of 110, in the DoD’s Supplier Performance Risk System (SPRS).
The lawsuit brought forth serious allegations against Penn State University. It claimed that the university not only failed to meet the stipulated DFARS compliance but also falsified a minimum of 20 documents related to its NIST SP 800-171 self-assessment and other self-attestations. Despite never achieving DFARS compliance, the university allegedly engaged in deceptive practices, falsely asserting its compliance since January 1, 2018.
Moreover, the lawsuit highlighted a concerning incident where sensitive information faced potential jeopardy. This occurred when Penn State University chose to migrate a portion of its data to a commercial cloud-storage service, a move that allegedly put this sensitive data at risk.
The Need for Rigorous Cybersecurity Protocols
This Penn State legal action underscores the importance of stringent adherence to cybersecurity regulations, especially when it comes to defense contracts. It highlights the severe consequences faced by institutions that neglect their obligations, not only in terms of legal ramifications but also the potential compromise of sensitive data. As the case unfolds, it serves as a stark reminder of the need for transparency, honesty, and rigorous cybersecurity protocols, especially in handling information as sensitive as Covered Defense Information.
Expected Benefits of the Civil Cyber-Fraud Initiative
Through this initiative, the DOJ intends to improve the nation’s cybersecurity and reduce breaches. By creating a real penalty for false claims and noncompliance, the DOJ is making it harder for contractors to evade their cybersecurity responsibilities.
The DOJ also hopes to “level the playing field” by creating a fair environment for contractors who invest in cybersecurity. Cybersecurity compliance takes time and money. Without consequences for false cybersecurity claims, the contractors who “play by the rules” face a disadvantage; Their competitors win the same contracts for far less by simply presenting a false picture to the government. The DOJ intends to prevent such situations going forward.
The DOJ also hopes this initiative will help government experts create needed security patches.
Who The Initiative Targets
According to the DOJ, the Civil Cyber-Fraud Initiative will target contractors who “put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.”
Under this, the DOJ has identified three primary targets for their initiative:
1. Contractors who knowingly fail to comply with cybersecurity standards (when these standards are a condition for payment)
This applies when contractors must meet certain cybersecurity standards to receive their contract, yet knowingly fail to meet those standards.
Consider the example of CMMC. To receive contracting work with the Department of Defense, you must comply with CMMC to protect the government information you handle. If you knowingly fail to practice these requirements, and thus endanger government information, you could be targeted by the Civil Cyber-Fraud Initiative.
2. Contractors who knowingly misrepresent their cybersecurity controls or practices
These contractors aren’t just failing to meet requirements; They are actively lying about their cybersecurity posture.
Again, CMMC provides a clear example. Under CMMC 2.0, many contractors will self-attest their compliance score to the federal government, with company leadership affirming that score. If you submit a score of 100, but your true score is -12, then the Civil Cyber-Fraud Initiative could be leveled against your company.
3. Contractors who knowingly fail to meet requirements for reporting breaches (or suspected breaches)
This will depend on your contract requirements. All federal contractors must report breaches promptly, but the exact timing depends on your specific situation. Make sure to know when and how to report incidents. If you fail to report a breach in the allotted time, the government could seek damages through the Civil Cyber-Fraud Initiative.
As part of the False Claims Act, this initiative also protects whistleblowers. It incentivizes whistleblowing by offering whistleblowers a portion of the money recouped from the false claims they expose.
What Does This Mean For You?
This initiative targets contractors who knowingly make false claims about their cybersecurity. Ideally, if you’re fulfilling your obligations, this initiative shouldn’t affect you.
But cybersecurity is a complicated pursuit. It requires a level of specialized expertise that many companies don’t have on hand. For standards like NIST SP 800-171, it can be difficult to figure out exactly what’s required and how it applies to your company.
If you neglect to bring in the right expertise, and thus misunderstand and misapply your cybersecurity requirements, you could face action through the Civil Cyber-Fraud Initiative. Even if you can prove you made such mistakes unknowingly, the process itself costs valuable time and resources.
The biggest takeaway: Don’t go it alone. Have experts by your side to make sure that you’re applying the correct cybersecurity for your business. Small consulting costs now could save you a major payout in the future.
Know your cybersecurity requirements. Make sure you can recognize and report security incidents. And don’t go it alone.
How Core Business Solutions Can Help
At Core Business Solutions, we provide support for companies seeking cybersecurity standards such as ISO 27001, NIST, and CMMC 2.0. Our experts help you apply cybersecurity requirements to your specific business, so you can be confident in your security posture.
Our CORE Compliance Platform offers subscribers helpful tools for document control, training, and NIST self-assessment. For CMMC 2.0, subscribers receive technical solutions to meet the required practices, including solutions for CUI storage, secure email, and more.