Cybersecurity Fraud and the False Claims Act

Inadequate cybersecurity controls are a growing threat to national security and taxpayer money. As a result, the U.S. government strictly regulates how contractors protect sensitive data.

When government contractors—including cloud computing providers, software vendors, defense contractors, and healthcare companies—fail to follow these cybersecurity rules or lie about their actual security posture, they may violate the federal False Claims Act.

Cybersecurity obligations are all the more critical today. Federal departments and agencies are increasingly reliant upon cloud computing and artificial intelligence companies to store and process large swaths of sensitive government data.

  1. The Standards: What Rules Must Federal Contractors Now Follow?

The specific cybersecurity mandates that may apply to a given contractor (or subcontractor) vary based on the type of service being provided. Further, federal entities may contract for more than the regulatory minimum (particularly for workloads involving highly sensitive data).

Nevertheless, there exist various regulatory sources that broadly govern the cybersecurity obligations of federal contractors and, depending on the context, subcontractors.

  • The Federal Acquisition Regulations (FAR) generally govern all federal contractors.
  • The Federal Risk and Authorization Management Program (FedRAMP) created a general framework for companies providing cloud services to federal departments and agencies. FedRAMP standards exist on a gradient depending on the nature of the information at issue (so-called Low, Moderate, and High baselines).
  • The Defense Federal Acquisition Regulation Supplement (DFARS) standards generally apply to companies contracting with the Department of Defense (DoD). Under the DFARS standards, contractors generally must comply with certain baseline standards depending on the nature of their service, information systems, and the underlying information that they may handle, such as:
    • NIST SP 800-171, a technical standard for protecting “Controlled Unclassified Information” (CUI) on non-federal networks,
    • DoD’s Security Requirements Guide (“SRG”), which incorporates standards set out in NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations, and governs cloud services. DoD’s cloud standards are often referred to as FedRAMP+ as they include more extensive requirements than the FedRAMP baseline standards.
  • Cybersecurity Maturity Model Certification (“CMMC”) is a new certification program by the DoD which requires that DoD contractors obtain and maintain a designated certification at one of three levels depending on the nature of the contract at hand.
    • Level 1: Uses the control framework of FAR 52.204-21
    • Level 2: Adds the control framework of NIST SP 800-171
    • Level 3: Adds the control framework of NIST SP 800-172.
  • Healthcare Providers: Companies handling government health data (PHI) must comply with the Health Insurance Portability and Accountability Act (HIPAA), CMS Information Systems Security & Privacy Policy (IS2P2) and Acceptable Risk Safeguards (ARS).

In sum, if a company accepts government money, they accept the responsibility to secure their systems according to relevant contractual and regulatory technical standards.

  2. The Civil Cyber-Fraud Initiative

In 2021, the Department of Justice (DOJ) launched the Civil Cyber-Fraud Initiative. The goal of the initiative is simple: hold contractors accountable when they put sensitive federal information at risk.

The initiative focuses on civil enforcement against companies that:

  1. Provide deficient cybersecurity products or services
  2. Misrepresent their cybersecurity practices (lying to win a contract)
  3. Violate obligations to monitor and report cyber incidents.

  3. How Cybersecurity Failures Violate the False Claims Act

The False Claims Act (FCA) is the government’s primary tool for fighting fraud. In the context of technology and cybersecurity, an FCA violation typically falls into one of three categories:

         A. Failing to Meet Required Standards

Government contracts often legally require specific cybersecurity controls (e.g., multifactor authentication, encryption, prompt vulnerability remediation, and air-gapping). If a contractor delivers products or services that do not meet these promised standards, they are billing the government for a service they did not provide.

         B. Misrepresenting the Nature of Your Cybersecurity Controls (i.e., Lying to Win Business)

When bidding for contracts, companies often must “certify” that they are compliant with security frameworks like the operative NIST controls. If a company claims to be compliant but, in actuality, lacks the necessary security controls, they may be committing fraud to win the contract.

         C. Failing to Report Breaches

Government contracts often require prompt reporting if a hack or data breach occurs. Concealing a breach prevents the government from mitigating the damage. Hiding a data breach could be considered a violation of the False Claims Act.

  4. The Role of the Whistleblower

The government cannot monitor every contractor’s internal network. Increasingly the government is reliant on private cloud service providers to provide the very infrastructure to store and process its governmental data in the first instance. This makes compliance with cybersecurity requirements all the more critical because the government does not own the underlying assets that must be secured. Yet this also makes ferreting out non-compliance difficult, as oversight of the networks at hand (e.g., cloud networks) lies first and foremost within the jurisdiction of a private company.

The government is accordingly heavily dependent on insiders—e.g., software engineers, IT administrators, and compliance officers at private companies—to bring cybersecurity violations to light.

The False Claims Act empowers private individuals, called relators, to file lawsuits on behalf of the government to expose fraud upon federal payors. The law has two key pillars.

  • Financial Incentive: Whistleblowers are eligible to receive an award of up to 30% of the funds recovered on behalf of the federal government.
  • Protection: The law offers anti-retaliation protections for those who file an FCA suit or otherwise oppose the conduct violating the FCA.

By reporting cybersecurity fraud, whistleblowers help recover wasted tax dollars and protect sensitive government data from foreign and domestic threats.

Do You Suspect Cybersecurity Fraud?

If you know of a government contractor or subcontractor that has violated federal cybersecurity requirements, we can help.

Our team includes attorneys and former prosecutors highly experienced in bringing and litigating False Claims Act cases on behalf of whistleblowers. We can discuss your concerns in a confidential setting and advise you on how to proceed safely and appropriately.
