In 2015, Brian Markus, a former senior director of cybersecurity and compliance at Aerojet Rocketdyne, filed a qui tam lawsuit under the False Claims Act alleging that the company had knowingly entered into government contracts while misrepresenting its compliance with the cybersecurity requirements those contracts imposed.
Markus alleged that Aerojet Rocketdyne had engaged in a number of deceptive practices, including:
Overstating the scope and effectiveness of its cybersecurity services
Failing to implement and maintain adequate cybersecurity controls
Failing to report cybersecurity incidents to the government
On April 27, 2022, Aerojet Rocketdyne agreed to pay $9 million to settle the relator's False Claims Act complaint (United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc.). It was the second major FCA settlement connected to the Justice Department's Civil Cyber-Fraud Initiative, which "aims to hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches."
The Markus case is significant because it is the first FCA case in which a whistleblower's cybersecurity-fraud allegations against a defense contractor produced a settlement. It also sets a precedent for future whistleblowers seeking to hold defense contractors accountable for cybersecurity violations.
What is the False Claims Act (FCA)?
The FCA is a United States federal law that imposes liability on persons and companies (typically federal contractors) who defraud government programs. It is the federal government's primary litigation tool for combating fraud against the government. The law includes a qui tam provision that allows people who are not affiliated with the government, called "relators" under the law, to file actions on its behalf. This is informally called "whistleblowing," especially when the relator is employed by the organization accused in the suit. As of 2019, over 71% of all FCA actions were initiated by whistleblowers; qui tam is not the only route, however, since the government can also bring an FCA action directly.
Why would someone file a claim against their own company?
While not the only reason, persons who file actions under the Act stand to receive a portion (15–30%, depending on certain factors) of any recovered damages.
What does this mean for my organization? Why should I pay attention to this?
This case has set a precedent for the Department of Justice (DOJ) to pursue government contractors who make false claims related to cybersecurity. Previously, claims brought under the FCA typically involved healthcare, defense procurement or other government spending programs; FCA actions account for the majority of the largest pharmaceutical settlements on record. On Oct. 6, 2021, DOJ announced its Civil Cyber-Fraud Initiative. The initiative uses the FCA to hold contractors and grantees accountable for knowingly furnishing deficient cybersecurity products or services, misrepresenting their cybersecurity practices, or knowingly violating obligations to report cybersecurity incidents.
The Department of Defense has also taken notice, finalizing the current form of DFARS 252.204-7012 in 2016, about a year after Markus filed his complaint against Aerojet Rocketdyne. The clause requires contractors to implement the security requirements of NIST SP 800-171, which include documenting their implementation in a system security plan (SSP) and maintaining a plan of action and milestones (POA&M) for any requirements not yet met.
That was followed by DFARS 252.204-7019, under which contractors must post the score of their current NIST SP 800-171 DoD Assessment (against the requirements imposed by DFARS 252.204-7012) in the Supplier Performance Risk System (SPRS), putting contractors on record regarding the state of their organization's cybersecurity.
The proposed CMMC rule (DFARS 252.204-7021) takes this further, requiring not only the score but an annual affirmation of continued compliance signed by an officer or senior leader of the company.
What are the current requirements for the Defense Industrial Base?
Many defense contractors are either unaware of their existing cybersecurity compliance requirements or are not equipped to achieve full compliance when it comes to safeguarding Controlled Unclassified Information (CUI). Two clauses from the Defense Federal Acquisition Regulation Supplement (DFARS) are worth emphasizing to understand the basic requirements:
DFARS 252.204-7012
The DFARS clause that requires contractors to implement and maintain adequate cybersecurity controls to protect CUI. The clause applies to all contracts that involve the handling of CUI, regardless of contract value.
The clause mainly requires contractors to:
Document the implementation of the 110 NIST SP 800-171 security controls in a System Security Plan (SSP)
Conduct an assessment against the 110 NIST SP 800-171 security controls according to the DoD Assessment Methodology (a self-assessment or a third-party assessment); DFARS 252.204-7019/7020 require that the resulting score be no more than three years old
For any security controls not met, document in a plan of action and milestones (POA&M) how you plan to meet them and track the status of the implementation
Report cyber incidents to the government within 72 hours of discovery, preserve images of affected systems and relevant monitoring data for at least 90 days, and provide the government access to that evidence on request for its investigation
Use a cloud service provider that meets the FedRAMP Moderate baseline or equivalent if you are processing, transmitting or storing CUI in the public cloud (e.g. Microsoft, Salesforce, Amazon, Google)
DFARS 252.204-7019
DFARS 252.204-7019, entitled Notice of NIST SP 800-171 DoD Assessment Requirements, was released along with clauses 7020 and 7021 in the DoD's DFARS interim rule for CMMC, effective November 30, 2020. The 7019 clause requires contractors to complete two main tasks:
1. Conduct a self-assessment of NIST SP 800-171 compliance according to DoD Assessment Methodology, and
2. Report their NIST SP 800-171 self-assessment scores to the DoD via its Supplier Performance Risk System (SPRS).
SPRS scores must be submitted by the time of contract award and not be more than three years old.
Recommendations for the Defense Industrial Base
The Markus case provides several important lessons for defense contractors. First, the case demonstrates that the government is serious about enforcing cybersecurity requirements. The settlement in the case sends a message to defense contractors that they will be held accountable for cybersecurity fraud.
Second, the case underscores the importance of DFARS 252.204-7012, finalized in its current form about a year after Markus filed his complaint against Aerojet Rocketdyne. The clause is a critical tool for the government to ensure that defense contractors are implementing adequate cybersecurity controls to protect CUI.
Finally, the NIST SP 800-171 reporting requirement in DFARS 252.204-7019 should be heeded as a warning to defense contractors that simply paying lip service to their CUI safeguarding responsibilities will no longer pass muster. A self-reported SPRS score is an affirmative statement to the government, so the requirement gives the DoD a new basis for pursuing contractors under the False Claims Act where it is discovered that they have overstated or misrepresented their cybersecurity preparedness.
Based on the lessons learned from the Markus case, here are some recommendations for defense contractors to avoid FCA exposure:
Comply with DFARS 252.204-7012. You don't need a perfect, or even a good, score to be compliant at this time, but you do need the basics. Do you have an SSP? Are you using FedRAMP Moderate or equivalent public cloud providers for CUI? Have you assessed yourself, or had a third party assess you, against NIST SP 800-171 in the last three years? Do you have a POA&M, and are you making progress on remediating your assessment shortfalls? By complying with the current requirements now, you will be more ready when CMMC arrives and you are assessed by an independent third party.
Report an accurate score to SPRS. DFARS 252.204-7019 requires that you have a score reported at the time of contract award; it is not required any sooner, so don't let primes pressure you into posting before you are ready. If you want to be extra cautious, have a third party perform your assessment so you know the score is unbiased. Don't set yourself up for a claim under the FCA.
Work with a qualified provider to assist in your journey to compliance. A qualified external consultant can help you identify and address any gaps you may have. Start now; this truly is a journey that takes time. Our authorized C3PAO advisory team has assisted more than a hundred DoD contractors with assessing their current state of compliance with NIST SP 800-171 and CMMC. Based on our team's experience, the journey averages between 6 and 18 months.
How can Ariento help?
Ariento has over 30 years of experience in US Federal Government cybersecurity and compliance. We divide our government compliance business into two arms so that DIB companies of all sizes can leverage our expertise. As an authorized CMMC 3rd Party Assessor Organization (C3PAO), we’ve been through a successful NIST 800-171 and CMMC Level 2 assessment conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). We know what it takes for the journey to have a successful result.
For mid to large contractors, our team of assessors provides best-in-class readiness and advisory services as well as assessments as a part of the CMMC Pilot Joint Surveillance Voluntary Assessment Program. You can schedule time to speak with our assessor team here.
For cloud-native capable SMB contractors, we operate managed services that address the NIST SP 800-171/CMMC Level 2 security controls you are required to implement in a cost effective way. For more information, click here to speak with our Managed Services Sales Team.