Federal Cybersecurity Regulations Pose New FCA Risk to Defense Contractors
Defense contractors who falsely claim that they are compliant with federal cybersecurity acquisition regulations may face liability under the False Claims Act (“FCA”) in light of a recent decision from the Eastern District of California. The case, United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc.,1 demonstrates the substantial liability risk that defense contractors face as they struggle to meet the government’s cybersecurity standards.
At this point, this case has only survived the motion to dismiss stage. Yet, this case is the first reported instance of an FCA claim based upon noncompliance with federal acquisition cybersecurity requirements, marking new liability risks for defense contractors.
The Relator, who was the defendants’ former director of Cyber Security, Compliance, and Controls, sued Aerojet Rocketdyne Holdings and its wholly owned subsidiary, alleging that the contractors falsely certified compliance with the Department of Defense (“DoD”) cybersecurity requirements. Although DoD updated the regulations throughout the life of the defendants’ contracts, the defendants had to ensure that they could provide, at minimum, “adequate security”2 that prevented the unauthorized disclosure of “unclassified controlled technical information.”3 These regulations required the contractors to meet and certify compliance with the cybersecurity standards promulgated by the National Institute of Standards and Technology (“NIST”), and required the contractors to rapidly report cyber incidents to the DoD.4
In Markus, the Relator alleged that the defendants entered into multiple prime contracts and subcontracts subject to the DoD cybersecurity requirements despite knowing that they did not satisfy these cybersecurity requirements. When the defendants did disclose noncompliance to the government, those disclosures did not fully explain the extent of the defendants’ noncompliance. According to the Relator, the defendants submitted documents to the federal government affirming compliance with the majority of NIST-required security controls when, in fact, the defendants were mostly non-compliant. For example, the Relator alleged that the defendants claimed partial compliance with NIST Spec. Pub. 800-171 for equipment or software they had not yet installed, and that the defendants claimed full compliance with these standards for firewalls they had deployed at only one of their facilities. The Relator further alleged that the government awarded contracts to the defendants based upon the false representations of compliance with the NIST standards. When the defendants learned that their systems were breached, they allegedly failed to disclose the full extent of their systems’ noncompliance. In addition to allegedly making these misrepresentations to the government, the defendants allegedly submitted false information to prime contractors in order to win subcontract awards, according to the complaint.
In rejecting the defendants’ motion to dismiss, the Court ruled that the Relator had alleged sufficient facts that, if assumed to be true, state a plausible claim under the FCA. Specifically, the court reasoned that:
- a partial disclosure of noncompliance to the government does not defeat the materiality element, as a disclosure that omits key details qualifies as a false statement under the FCA;5
- evidence that the government continued to enter into new contracts after learning of the alleged noncompliance is not dispositive of materiality at the motion to dismiss stage;
- the government’s decision not to intervene does not establish immateriality;
- it is irrelevant for the motion to dismiss that the contracts’ central purpose was not to provide cybersecurity; and
- the government’s relaxation of some requirements in light of industry-wide compliance challenges does not defeat materiality at the motion to dismiss stage because the complaint pled that compliance with the cybersecurity requirements was material to the government.
The court also reasoned that the defendants’ alleged noncompliance was material because it could have impacted their ability to perform their contracts. The Court noted that defendants were required to handle unclassified controlled technical information in order to deliver aerospace systems under their contracts, and were therefore required to comply with DoD cybersecurity requirements governing the handling of that information, including NIST SP 800-53 and NIST SP 800-171. The Court ruled that the Relator adequately alleged that false statements about compliance with these requirements may have limited the defendants’ ability to perform on their contracts by preventing them from handling necessary information. Although the Relator’s claims survived this motion to dismiss, it remains to be seen whether the Relator’s evidence will establish materiality at summary judgment or trial.
Markus nevertheless reminds contractors to examine their FCA liability risk in light of all material terms and conditions of their contracts, including the changing cybersecurity requirements contained in extrinsic documents that are incorporated by reference through FAR and FAR Supplement clauses, which themselves are typically incorporated by reference. Moreover, the case reminds contractors to ensure that all information provided to the Federal Government about cybersecurity is accurate. Given the highly technical and evolving nature of cybersecurity, ensuring compliance requires close coordination among a contractor’s information security, legal, compliance, and contracts functions.
V&E will track this case and provide key updates as the case develops.
Visit our website to learn more about V&E’s Government Contracts practice. For more information, please contact Vinson & Elkins lawyers Daniel Graham or Peter Thomas.
1 See 2:15-cv-02245-WBS-AC (E.D. Cal. May 8, 2019).
2 “Adequate security” means protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of, information. 48 C.F.R. 252.204-7012.
3 The current regulations refer to this information as “covered defense information,” and it is information that the government has determined requires safeguarding or dissemination controls.
4 48 C.F.R. 252.204-7012. 48 C.F.R. 252.204-7012(b)(2)(i), 7012(c).
5 See, e.g., Universal Health Servs. v. United States ex rel. Escobar, 136 S. Ct. 1989, 2000 (2016).