
False Claims Act Statistics, News & Analysis

Broad New DoD Cybersecurity Rule Could Put Defense Contractors at Risk for FCA Allegations

In late October, the Department of Defense (DoD) published the Network Penetration Reporting and Contracting for Cloud Services Final Rule (the Rule). The Rule amended Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, a clause that must be incorporated in all solicitations and contracts, except commercial-items contracts. See 81 FR 72986 (October 21, 2016). While ostensibly designed to require cybersecurity protections for unclassified defense-related information and to establish reporting requirements for cyber incidents, the Rule also imposes considerable compliance hurdles for contractors and could create FCA pitfalls.

The New DFARS Cybersecurity Clause

The Rule requires contractors to provide “adequate security” on all unclassified systems owned or operated by or for a contractor that process, store, or transmit covered defense information. “Covered defense information” is defined broadly to include “unclassified controlled technical information,” as well as the 102 categories and subcategories described in the Controlled Unclassified Information (CUI) Registry, which includes non-defense and non-technical information. Contractors also have an ongoing obligation to identify and protect any covered defense information that is collected, developed, received, transmitted, used, or stored in support of performance of the contract, which means contractors must identify covered defense information even where the DoD has not marked or identified it as such.

What “adequate security” means varies depending on whether or not the system is operated on behalf of the government and whether the system provides cloud computing services. Non-cloud services are subject to the detailed requirements in NIST SP 800-171, and cloud services are subject either to DFARS 252.239-7010 (if the system is operated on behalf of the government) or the FedRAMP Moderate baseline requirements (if not). These standards represent a baseline, but do not supplant other regulatory or contractual requirements. Contractors also must apply additional, unspecified security measures if they “reasonably determine[]” such measures necessary. Contractors must implement NIST SP 800-171 by December 31, 2017, although they may request variances. It is unclear whether this deadline also applies to the implementation of cloud service requirements.

The Rule also imposes time-sensitive reporting requirements. For instance, for contracts awarded prior to October 1, 2017, contractors must notify the DoD CIO within 30 days of a contract’s award of any NIST SP 800-171 security requirements not implemented at the time of award. Although less clear, the Rule also suggests this deadline applies to cloud service requirements under FedRAMP but not to those under DFARS 252.239-7010. Contractors also must report cybersecurity incidents within 72 hours of discovery. Each incident report must include the elements required by the DoD’s Defense Industrial Base (DIB) Cybersecurity Program, and every contractor or subcontractor must have or acquire a DoD-approved medium assurance certificate to report cyber incidents.

Finally, the DoD noted that the Rule “does not require ‘certification’ of any kind” regarding compliance because “[b]y signing the contract, the contractor agrees to comply with the contract’s terms.”

FCA Liability Could Become the New Cybersecurity Risk

Escobar established that even absent an express false certification, FCA liability can accrue through implied certification. However, implied certification only applies in cases where the omitted fact or violation of the contract was so essential to what was expressly stated on the bill that its omission or the violation rendered the bill a half truth, and where the omission or violation was actually material to the government’s decision to pay.

Even under that difficult standard, it is possible the government and relators will argue that the Rule’s reporting requirements create FCA liability under theories of implied certification or fraudulent inducement. For instance, if a contractor fails to report non-compliance with certain NIST SP 800-171 requirements within thirty days of contract award, the government or a relator might assert that failure to report was material to the government’s decision to execute the awarded contract and pay bills under that contract.

A contractor, its subcontractor, or a cloud service provider also might fail during contract performance to comply with some NIST SP 800-171 or FedRAMP requirement, or fail to meet its ongoing obligation to identify data the government might consider sensitive. A plaintiff might argue that the contractor’s bills impliedly certified full compliance. Likewise, a contractor might—at the end of a brief and surely hectic 72-hour investigation—submit an incomplete or late cyber incident report (or no report at all), and the plaintiff might contend that subsequent billings impliedly certified that the contractor timely complied with the Rule’s cyber incident reporting requirements.

We are aware of no defense contractors subjected to FCA litigation based on non-compliance with previous DoD cybersecurity requirements. But with the new Rule’s staggering breadth and depth of coverage, and the increasing prevalence of private and state-sponsored cyber-attacks against large corporations, it may only be a matter of time before a relator or the government gives FCA cybersecurity liability a shot. Of course, any such attempt would have long odds given the high bar set for materiality and implied certification under Escobar, not to mention the challenge the government or a relator would have in proving the government’s actual damages from deficient compliance and reporting. We will continue to monitor developments in these cybersecurity regulations and case law.



David R. Johnson, Partner
