Government Contracts & Defense Industries Client Alert – Making Sense of the DOJ Cyber-Fraud Initiative and What it Means For Defense Contractor Compliance | Kaufman & Canoles
The Department of Justice recently announced the launch of a Civil Cyber-Fraud Initiative, which has direct implications for government contractors and serves as a warning that slack cybersecurity practices will be a target of Government enforcement action. It is important for companies to understand their cybersecurity requirements and implement appropriate compliance measures to reduce the risk of DOJ action.
What is the DOJ’s Civil Cyber-Fraud Initiative?
On October 6, 2021, the Department of Justice announced that the Cyber-Fraud Initiative will be led by the Fraud Section of the Civil Division’s Commercial Litigation Branch and primarily utilize the False Claims Act to pursue cybersecurity-related fraud by government contractors and grant recipients. The aim is to hold entities and individuals accountable that put U.S. information or systems at risk by knowingly violating obligations to monitor or report cybersecurity incidents and breaches, misrepresent their cybersecurity practices, or provide deficient cybersecurity products or services.
On the surface, this Initiative doesn’t sound like anything new; the DOJ intends to use an already-existing statute (the FCA) to enforce unchanged contractual obligations for defense contractors by relying on longstanding whistleblower reporting mechanisms. So what’s the intended message?
Here, context is everything. The DOJ Cyber-Fraud Initiative coincides with the Biden Administration’s May 2021 Executive Order aimed at strengthening the Government’s cybersecurity protections. Related are the announced modifications to the Cybersecurity Maturity Model Certification (CMMC) which continues to guide contractor compliance as it pertains to the protection of online information.
How Does CMMC 2.0 Change Things?
The initial CMMC was implemented in January 2020 and intended to measure the cybersecurity competency of federal contractors. Under the first iteration, a five-level model measured a contractor’s security protocols in order to determine the capability for adequately protecting Covered Defense Information (CDI) and Controlled Unclassified Information (CUI). The goal, through real-time scoring, was to ensure contractor compliance with the cybersecurity requirements under Defense Federal Acquisition Regulation Supplement 252.204-7012. Criticized by the Defense Industrial Base for lack of clarity regarding the tiered maturity standards and the heavy (and sometimes prohibitive) cost on contractors, the Department of Defense (DoD) announced in March 2021 that CMMC would undergo assessment.
On November 4, 2021, the DoD announced the release of CMMC 2.0 which is intended to streamline contractor requirements and reduce costs, particularly for small businesses. CMMC 2.0 still implements the DFARS 252.204-7012 obligations but in some cases may look similar to the NIST SP 800-171 self-assessments that contractors have previously been required to perform, except now with a three-level structure. Details remain to be seen, but the following information should be instructive to defense contractors trying to familiarize themselves with the process.
- Foundational/Level 1: For companies with Federal Contract Information (FCI) only. This is expected to be similar to prior CMMC Level 1 and requires an annual self-assessment of the practices outlined by FAR 52.204-21. While still in the rulemaking process, Level 1 is anticipated to require compliance affirmation by an individual within the company. Level 1 Self-Assessment Scope here: Scope_Level1_V2.0_FINAL_20211203.pdf (osd.mil)
- Advanced/Level 2: For defense contractors with CUI. Level 2 is expected to be similar to prior CMMC Level 3. This will likely require a third-party or self-assessment and will be the minimum certification level needed for contractors that intend to process, store, or transmit CUI. Companies will be responsible for certification or obtaining an assessment prior to contract award. Level 2 Assessment Scope here: Scope_Level2_V2.0_FINAL_20211203.pdf (osd.mil)
- Expert/Level 3: For the highest priority programs with CUI, and similar to requirements under previous CMMC Level 5. Assessments are expected to be performed by Government officials rather than third-party reviewers and are intended to confirm robust security abilities able to defend against the most advanced, persistent online threats.
CMMC 2.0 eliminates “maturity processes” and removes universal third-party assessments across all levels. Although self-assessments are anticipated to be the primary certification mechanism for lower-level compliance, company executives should carefully review any individual liability created by any compliance affirmation requirements. Higher scrutiny through Government assessments is anticipated to be a requirement for Level 3. With these changes, defense contractors can expect new information about the role and future of the Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB) as it adjusts its training materials in response to the new three-level CMMC 2.0 structure.
CMMC 2.0 will not be effective until the rulemaking process is complete, which could take up to 24 months. Once CMMC 2.0 is implemented, the requisite level will be specified by DoD as part of the solicitation or Requests for Information (RFI) process. Any subcontractors handling the same type of FCI or CUI as the prime contractor will be expected to have the necessary CMMC compliance level number; however, in situations where only select information flows to a subcontractor, a lower level may be applicable.
What is the GAO’s Concern with CMMC 2.0?
What’s CMMC 2.0 Got to do with the DOJ Cyber-Fraud Initiative?
If CMMC 1.0 was cumbersome and costly for defense contractors, CMMC 2.0 removed some of the confusing assessment restrictions. The modification entirely removes government and third-party assessments for Level 1 and some Level 2 contracts in favor of self-assessments. The tradeoff for the greater freedom provided by self-assessments is the increased risk in the event of non-compliance, which is where the DOJ Cyber-Fraud Initiative should have defense contractors ready to increase rather than cut back compliance vigilance.
Defense contractors would be wise to recognize that although CMMC 2.0 appears to loosen some of the assessment oversight, significant compliance risks remain. By announcing the DOJ Cyber-Fraud Initiative to hold defense contractors accountable under the False Claims Act for cybersecurity violations, the Government signals its intent to aggressively pursue violators for failing to report breaches, misrepresenting online security capabilities, or skirting monitoring obligations. With large civil penalties available for each violation and a treble damages provision, the FCA provides the Government with a heavy stick as it seeks to enforce cybersecurity compliance.
Days following the announcement of the DOJ Initiative, Brian Boynton, Acting Assistant Attorney General for the DOJ Civil Division, delivered remarks at the National Cybersecurity Summit highlighting policy issues behind the Initiative that may help defense contractors anticipate how enforcement efforts will play out. Most obviously, the Government intends to pursue cases where federal agencies have been victimized. Additionally, the Government has made clear that as part of every contract where FCI and CUI is involved, it is contracting for the security of this sensitive information and the obligation for compliance falls to the contractor. Where a contractor misrepresents its cybersecurity practices or knowingly fails to abide by its obligations, the Government does not get what it bargained for and the FCA will be the tool by which the Government seeks relief.
Assistant Attorney General Boykin further described “prime candidates” to be targeted as including those that engage in the following misconduct:
- Knowing failures to comply with cybersecurity standards required under a contract;
- Knowing misrepresentation of security controls and practices in order to secure a contract; or
- Knowing failures to timely report suspected breaches or cyber-fraud incidents.
How Should Contractors Respond to the Cyber-Fraud Initiative?
Practical steps for defense contractors to protect themselves in the face of increased DOJ investigations and civil action can include:
- Actively audit their company’s cybersecurity abilities and exercise extreme caution not to inflate or mischaracterize established practices as part of the contracting process.
- Familiarize the company with relevant cybersecurity standards and implement them into established company practices and compliance program procedures.
- Implement detailed processes for identifying and reporting cyber breaches and other security incidents.
- Train company employees regarding the processes and make reporting mechanisms and expectations clear.
- Document ongoing compliance efforts, audits, and oversight with diligence and care.
Outside of the evolving compliance requirements under CMMC 2.0 and the enhanced threat of DOJ enforcement, a cyberattack can cripple a company by shutting down operations and exposing sensitive information. The stakes for implementing and following effective compliance programs have never been higher for defense contractors.