Supply Chain Council of European Union | Scceu.org

CMMC 2.0 Simplifies Requirements But Raises Risks For Government Contractors

Highlights

  • For the third time in five years, the U.S. Department of
    Defense (DOD) announced new, comprehensive cybersecurity standards
    for government contractors and subcontractors to ensure the
    protection of sensitive unclassified information.

  • The Cybersecurity Maturity Model Certification (CMMC) 2.0
    improves upon its earlier version by reducing the model to three
    cybersecurity levels, removing bespoke CMMC requirements and
    permitting self-assessment affirmations for Level 1 and part of a
    bifurcated Level 2.

  • Self-assessment affirmations create substantial risks of
    future U.S. Department of Justice (DOJ) investigations under the
    False Claims Act (FCA) and of qui tam suits, and this alert
    explains steps that can be taken to reduce such risks.

With the announcement of a revamped Cybersecurity
Maturity Model Certification (known as CMMC 2.0),1 for the third time
in five years, the U.S. Department of Defense (DOD) announced new,
comprehensive cybersecurity standards for government contractors
and subcontractors to ensure the protection of sensitive
unclassified information, that is, Federal Contract Information
(FCI) and Controlled Unclassified Information (CUI). By referring
to the new cybersecurity standard as CMMC 2.0, the DOD implicitly
recognizes the likelihood of future versions at an unknown cost to
the Defense Industrial Base (DIB).

Nevertheless, version 2.0, which was released after a
seven-month review by the Biden Administration, reflects the
DOD’s assessment of the DIB’s concerns and its effort to
streamline and improve upon the earlier version after criticisms
aimed at its cost and complexity. Specifically, CMMC 2.0 collapses
CMMC 1.0’s five tiers into three simplified tiers that are based
on the cybersecurity framework implemented and are devoid of
additional CMMC-unique practices and processes. CMMC 2.0 also will
allow “annual self-assessment with an annual affirmation by DIB
company leadership” for Level 1 and part of the new bifurcated
Level 2 (formerly Level 3). Otherwise, an independent third-party
assessment or government-led assessment will be required.2

Independently of CMMC 2.0, contractors that handle CUI must also
comply with Defense Federal Acquisition Regulation Supplement
(DFARS) 252.204-7019 and 252.204-7020. Collectively, these clauses
require contractors to post the results of their National
Institute of Standards and Technology (NIST) Special Publication
(SP) 800-171 assessment, including a summary score, in DOD’s
Supplier Performance Risk System (SPRS). DOD will identify medium-
and high-risk contracts and perform its own assessments of the
contractor’s compliance with NIST SP 800-171, checking whether
actual compliance matches what the contractor entered into SPRS.
Contractors should also be mindful of whether these disclosures are
consistent with their prior acceptance of contracts containing
DFARS 252.204-7012, which required full implementation of NIST
SP 800-171.

The return of self-assessment, which was the bedrock of the
first DOD cybersecurity standards set out in DFARS 252.204-7012 and
whose failure led to the development of CMMC 1.0, creates
substantial risks for DIB companies and their leadership. The U.S.
Department of Justice (DOJ) recently announced a new Civil
Cyber-Fraud Initiative that emphasizes the use of the False Claims
Act (FCA), 31 U.S.C. § 3729 et seq., to bring civil actions
against government contractors that knowingly misrepresent
their cybersecurity practices and protocols.3 The FCA allows the
government to recover treble damages and permits qui tam
suits,4 which allow whistleblowers to receive a portion of the
monies recovered by the government. In addition, other regulatory
agencies have brought enforcement actions for alleged false
certifications of compliance with agency-required cybersecurity
standards.5 Thus, the risk of a DOJ investigation or a qui tam
suit connected with a DIB company’s self-assessment affirmation is
very real, and the timing of the DOJ announcement, coupled with the
self-certification options in CMMC 2.0, should not be seen as a
coincidence. Nevertheless, companies can reduce such risks with
appropriate cybersecurity policies and a culture of compliance.

Evolution of DOD’s Cybersecurity Regulations

In October 2016, the DOD issued comprehensive cybersecurity
regulations through DFARS. See 48 CFR §§ 204.7302,
204.7304, and 252.204-7012. The 2016 cybersecurity regulations
required contractors and subcontractors to provide “adequate
security” over their information systems and implement
cybersecurity protocols and procedures that, at a minimum, complied
with NIST SP 800-171 for “Protecting Controlled Unclassified
Information in Nonfederal Information Systems and
Organizations.”6 These regulations, however, only
required contractors to self-assess that they were in compliance
with NIST SP 800-171.

The initial cybersecurity framework did not succeed, in part,
due to the self-assessment requirement. In July 2019, the DOD
Inspector General (IG) issued a report finding that government
contractors did not consistently implement NIST SP 800-171 as
required and DOD agencies and contracting officers did not develop
and implement processes to verify contractors’ compliance.7 The IG
report “recommended that DOD take steps to assess a
contractor’s ability to protect this [CUI] information.”8

In response, in September 2020, the DOD issued an interim rule for
its second comprehensive cybersecurity regulations, which
established CMMC 1.0.9 CMMC 1.0 classified contractors into five
tiers. Level 1 required compliance with the basic safeguarding
requirements of Federal Acquisition Regulation (FAR) clause
52.204-21. Level 2 required compliance with 65 security
requirements within NIST SP 800-171, along with additional CMMC
practices and processes. Level 3 through Level 5 required
complete compliance with NIST SP 800-171 and varying additional
CMMC practices and processes. CMMC level assessments would be
conducted by CMMC Third Party Assessment Organizations (C3PAOs),
which would be accredited by an independent CMMC Accreditation
Body (AB). All DOD solicitations and contracts would identify the
CMMC level required for that solicitation or contract, though it
was unclear how the requirement would be enforced down the supply
chain.

DIB companies expressed concerns with this lack of clarity and
the additional bespoke CMMC requirements. Besides these issues,
concerns were raised about the cost to small businesses, just as
DOD has been contending with an ever-shrinking pool of contractors
willing to do business with it. That was, in part, because a
third-party assessment was required at all levels. CMMC 2.0
attempts to address these various concerns with the following
changes to version 1.0:

  • Level 1 remains the same and still requires basic safeguarding
    requirements consistent with FAR 52.204-21. Instead of a
    third-party assessment, Level 1 will require a company leader to
    certify compliance with requirements on an annual basis.

  • Level 2 has been eliminated.

  • Level 3 (now known as Level 2) maintains full NIST SP 800-171
    compliance but eliminates the bespoke CMMC requirements. Further,
    some contractors will be able to self-certify instead of utilizing
    a third-party assessment, although it is unclear where that dividing
    line will be drawn.

  • Level 4 has been eliminated.

  • Level 5 (now known as Level 3) will require full compliance
    with NIST SP 800-171 and at least partial compliance with NIST SP
    800-172 for “Enhanced Security Requirements for Protecting
    Unclassified Information.” DOD is still determining which NIST
    SP 800-172 requirements will apply. Contractors seeking a
    certification at this level will first need to be certified by
    a third-party assessor under Level 2 and then seek a government
    assessment under this level (presumably for the additional NIST SP
    800-172 requirements).

Even though the implementation of CMMC 2.0 is anywhere from nine
months to two years away, DOD is seeking ways to incentivize
adoption. For instance, DOD may utilize cybersecurity compliance as an
evaluation factor in procurements.10

Risk of Costly and Time-Consuming Investigations and Litigation

Viewing cybersecurity risks as both a national security risk and
an investment risk, government regulators have increased
enforcement actions against U.S. companies for deficient
cybersecurity standards. This past year, the U.S. Securities and
Exchange Commission (SEC) announced its first-ever enforcement
action against a public company for deficient disclosure controls
concerning cybersecurity risks.11 The New York Department of
Financial Services (NYDFS) has brought enforcement actions against
regulated institutions for alleged failure to comply with its
recently enacted NYDFS Cybersecurity Regulations, including an
action against insurance companies based, in part, on the alleged
false certification of their compliance with the NYDFS
Cybersecurity Regulations.12

These actions preceded the DOJ’s announcement on Oct. 6,
2021, of the new Civil Cyber-Fraud Initiative.13 (See Holland
& Knight’s previous blog post, “False Claims Act Meets
Cybersecurity: DOJ New Civil Cyber-Fraud Unit,” Oct. 8, 2021.)
Therein, Deputy Attorney General Lisa Monaco stated that the DOJ
“will use our civil enforcement tools to pursue companies, those
who are government contractors who receive federal funds, when they
fail to follow required cybersecurity standards.”14 Particularly
relevant to CMMC 2.0’s self-assessment affirmations, the Civil
Cyber-Fraud Initiative will use the FCA to prosecute entities and
individuals who knowingly provide deficient cybersecurity products
or services and/or knowingly misrepresent their cybersecurity
practices or protocols.15

The FCA “was originally aimed principally at stopping the
massive frauds perpetrated by large contractors during the Civil
War.”16 The act was enacted in 1863
“following a series of sensational congressional
investigations” where “[t]estimony before…Congress
painted a sordid picture of how the United States had been billed
for nonexistent or worthless goods, charged exorbitant prices for
goods delivered, and generally robbed in purchasing the necessities
of war.”17

Today, the FCA lists seven types of conduct that create civil
liability. Predominantly, the FCA provides that any person
(i.e., an entity or individual) who knowingly submits, or
causes another to submit, a false or fraudulent claim to the
government, or knowingly makes a false record or statement to get a
false claim paid by the government, is liable for three times the
government’s damages plus a civil penalty that, adjusted for
inflation, is currently not less than $11,181 and not more than
$22,363 per claim.18 The FCA also permits whistleblowers to file
qui tam suits against any person who allegedly violates the FCA. If
the qui tam suit is successful, the whistleblower may receive a
portion of the government’s recovery. As such, FCA and qui tam
suits have become quite lucrative for the government and the
whistleblower. For instance, in fiscal year (FY) 2020, the DOJ
recovered over $2.2 billion from FCA cases and paid out $309
million to whistleblowers.

Under the FCA, a person acts knowingly when the person 1) has
actual knowledge of the information,19 2) acts in
deliberate ignorance of the truth or falsity of the information or
3) acts in reckless disregard of the truth or falsity of the
information.20 Moreover, the person need not
have any specific intent to defraud the government.21
Thus, as it relates to the CMMC 2.0’s self-assessment
affirmations, if the affirmation is incorrect, the DIB company
could be liable under the FCA even though its leadership did not
intend to defraud the government and did not have actual knowledge
that its affirmation was incorrect. Instead, a DIB company could be
found to be “in reckless disregard of the truth” by
failing to conduct a sufficient investigation of its cybersecurity
practices and procedures prior to its affirmation,22 which would
subject the company to treble damages and civil monetary
penalties.

Additionally, although the 2016 cybersecurity regulations have
required DIB companies to report cyber incidents to the DOD within
72 hours, Congress has been debating the inclusion of a
cyber-reporting bill as part of the National Defense Authorization
Act (NDAA) for FY 2022, which would require critical infrastructure
owners and operators as well as federal contractors, not just DOD
contractors and subcontractors, to report cyber incidents to the
Cybersecurity and Infrastructure Security Agency (CISA) and,
potentially, to provide that information to the FBI.23 If
cyber incident reports are to be provided to the DOJ, they may
fuel the Civil Cyber-Fraud Initiative. Even if such reporting is
not required, each cyber incident presents the possibility of an
employee or former employee filing a qui tam suit alleging
that the self-assessment assertions were false and violated the
FCA. Thus, although the self-certification options create
significant flexibility and cost savings within the CMMC 2.0
framework, they also create substantial litigation and
investigation risks.

The threat of cybersecurity-based FCA action against DIB
companies is not simply theoretical. As illustrated by Briggs
v. Quantitech and similar cases,24 “[t]here has been an uptick in
cybersecurity-based FCA actions in recent years, predominantly
qui tam actions filed by former employees that ‘blew the
whistle’ on their company’s deficient cybersecurity standards and
practices.”25

Key Takeaways

For DIB companies that will provide annual self-assessment
affirmations within the CMMC 2.0 framework, steps can be taken to
reduce the risk of future DOJ investigations and qui tam
suits.

  • First, DIB companies should implement and maintain written
    cybersecurity policies that are consistent with the basic
    safeguarding requirements of the FAR clause 52.204-21 and, if
    applicable, DFARS 252.204-7012. Because these policies will provide
    significant defenses against allegations of falsity and knowledge
    in any FCA litigation, they should be written in coordination with
    counsel and reviewed by multifunctional teams.

  • Second, Deputy Attorney General Lisa Monaco recently emphasized
    that the DOJ will evaluate a company’s history of compliance
    issues in future enforcement actions.26 Thus, DIB
    companies should develop and foster a culture of compliance
    throughout their organizations, including employee training,
    internal disclosure controls and/or board oversight of
    leadership’s management.

  • Finally, contractors should consider a CMMC certification to
    give themselves a competitive advantage and minimize the risk of
    other DIB companies not wanting to do business with them because of
    the cybersecurity risks they pose. This will help address concerns
    about the constantly evolving nature of cyberattacks and
    cybersecurity risks.

Footnotes

1 Federal Register, “Cybersecurity Maturity Model Certification
(CMMC) 2.0 Updates and Way Forward.”

2 Prior to obtaining a government-led Level 3 assessment,
contractors will need to first obtain a Level 2 certification led
by a third-party assessor approved by the Accreditation Body.

3 U.S. Department of Justice (DOJ), “Deputy Attorney General Lisa
O. Monaco Announces New Civil Cyber-Fraud Initiative” (Oct. 6,
2021).

4 Qui tam lawsuits are civil lawsuits filed by a private party on
behalf of the government. The private party, called a relator,
essentially steps into the role of the government for such action.
The False Claims Act (FCA) permits such qui tam lawsuits. 31 U.S.C.
§ 3730(b).

5 See, e.g., NYDFS, “DFS Superintendent Lacewell Announces
Cybersecurity Settlement with First Unum and Paul Revere Life
Insurance Companies” (May 13, 2021).

6 These regulations also require contractors to, among other
things, disclose security breaches within 72 hours and cooperate
with U.S. Department of Defense (DOD) regulations.

7 DOD Inspector General, No. DODIG-2019-105, “Audit of Protection
of DOD Controlled Unclassified Information on Contractor-Owned
Networks and Systems” (July 25, 2019).

8 Fed. Reg. vol. 85, no. 189, at 61508 (Sept. 29, 2020).

9 Id.

10 See “Pentagon considers incentives to get companies to CMMC 2.0
early,” Nov. 26, 2021.

11 Law360, “Managing Risk After SEC’s Cyber Enforcement Action”
(June 28, 2021).

12 NYDFS, “DFS Superintendent Lacewell Announces Cybersecurity
Settlement with First Unum and Paul Revere Life Insurance
Companies” (May 13, 2021).

13 “Deputy Attorney General Lisa O. Monaco Announces New Civil
Cyber-Fraud Initiative” (Oct. 6, 2021).

14 “Deputy Attorney General Lisa O. Monaco Announces New Civil
Cyber-Fraud Initiative” (Oct. 6, 2021).

15 Id.

16 United States v. Bornstein, 423 U.S. 303, 309 (1976).

17 United States v. McNinch, 356 U.S. 595, 599 (1958).

18 31 U.S.C. § 3729(a)(1); 28 CFR § 85.5.

19 Where actual knowledge exists, the DOJ may bring criminal
prosecution for the submission of false claims pursuant to 18
U.S.C. §§ 286 and 287. See, e.g., United States v. Slocum, 708
F.2d 587, 596 (11th Cir. 1983) (listing the elements for the
criminal false claims provision).

20 31 U.S.C. § 3729(b)(1)(A).

21 31 U.S.C. § 3729(b)(1)(B).

22 See U.S. ex rel. Ervin & Assoc., Inc. v. Hamilton Sec. Group,
370 F. Supp. 2d 18, 40-43 (D.D.C. 2005); United States v. Krizek,
111 F.3d 934, 942 (D.C. Cir. 1997); S. Rep. 99-345, at 20 (“the
constructive knowledge definition attempts to reach what has become
known as the ostrich type situation where an individual has
‘buried his head in the sand’ and failed to make simple inquiries
which would alert him that false claims are being submitted. While
the Committee intends that at least some inquiry be made, the
inquiry need only be ‘reasonable and prudent under the
circumstances[]’ . . . .”).

23 H.R.4350 – National Defense Authorization Act for Fiscal Year
2022; but see The Hill, “Language Requiring Companies to Report
Cyberattacks Left Out of Defense Bill” (Dec. 7, 2021).

24 Briggs v. Quantitech, No. 2:19-cv-1690, 2021 WL 461694 (N.D.
Ala. Feb. 9, 2021). A former employee brought a False Claims Act
suit claiming that defendants concealed cybersecurity
vulnerabilities to misrepresent contractual performance. The court
dismissed the lawsuit for failure to state a claim.

25 Holland & Knight Government Contracts Blog, “False Claims Act
Meets Cybersecurity: DOJ New Civil Cyber-Fraud Unit” (Oct. 8,
2021).

26 DOJ, “Deputy Attorney General Lisa O. Monaco Gives Keynote
Address at ABA’s 36th National Institute on White Collar Crime”
(Oct. 28, 2021).

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
