For the first time, a district court has held that a contractor's failure to comply with a US government contract's cybersecurity requirements can expose a company to False Claims Act liability – a significant and harrowing finding for government contractors.
In United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., et. al, the United States District Court for the Eastern District of California denied, in part, a motion to dismiss an action alleging that the company violated the False Claims Act when it entered into, and invoiced under, US government contracts despite failing to fully satisfy (or otherwise disclose the scope of its gaps with) its contracts' requisite cybersecurity controls.
Specifically, the relator, Aerojet's former Senior Director of Cybersecurity, Compliance, and Controls, alleged that the company did not satisfy all of the security controls delineated in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, as applicable to the company's contracts through DFARS 252.204-7012 and the NASA FAR Supplement, and did not otherwise disclose the full extent of its noncompliance.
In reaching its decision, the court concluded that the nondisclosures could be "material," as required to establish liability under the False Claims Act, because the government might not have awarded the contracts if it had known the extent of the noncompliance. The court further rejected Aerojet's claim that it was sufficient to notify the government of some, but not all, of its areas of noncompliance. Finally, the court rejected Aerojet's argument that cybersecurity requirements are not "material" to the contract because they do not go to the central purpose of the contract.
The court explained that Aerojet's failure to comply with the applicable security controls could have influenced Aerojet’s ability to perform the contract requirements and the alleged failure to accurately disclose the extent of the defendants' noncompliance could be sufficient to establish materiality. Citing the Supreme Court's seminal decision in Escobar, the court noted that "[w]hile it may be true that [Aerojet] disclosed some of its noncompliance . . ., a partial disclosure would not relieve defendants of liability where defendants failed to 'disclose noncompliance with material statutory, regulatory, or contractual requirements.'"
The decision highlights the expansion of False Claims Act risk for contractors in an area that already presents unique challenges, and underscores the importance of cybersecurity compliance. Key takeaways from the decision include:
1. Know your contracts' requirements. Before entering into a contract, government contractors should scrutinize and document contract and subcontract cybersecurity requirements and assess the company's ability to comply with those requirements. In conducting this analysis, pay close attention to any agency- and contract-specific cybersecurity requirements, as these may contain requirements in addition to those set forth in the standard FAR and DFARS clauses.
2. Document, document, document. Sound and adequate documentation practices are critical. This includes documenting operational assessments, steps taken to comply with cybersecurity controls and requirements, and analyses regarding whether the company possesses information that requires protection. In addition, it is important to document any correspondence with the government regarding exceptions, waivers, or applicability of cybersecurity requirements.
3. Cybersecurity compliance is a team sport. Cybersecurity compliance requires a multi-disciplinary team with clearly defined roles and responsibilities. At a minimum, this team should include personnel from IT, Legal, Contracts, and Program Operations. You should also evaluate whether there are other parts of your organization that would benefit from a basic understanding of the requirements and the potential consequences for noncompliance. For example, your company's Business Development and Human Resources personnel may apply this information when evaluating new contract opportunities or recruiting and managing IT or Contracts personnel. In addition, senior management should assess how best to keep the board of directors apprised of cybersecurity compliance issues.
4. Periodic assessments are a must. A one-time assessment of your company's cybersecurity compliance is insufficient. This is a rapidly changing area, and periodic assessments are critical to ensuring compliance. When conducting these assessments, it is important to follow-up on findings and to stay current with the applicable requirements and standards, recognizing that they are fluid. For example, NIST SP 800-171, which lists the controls that must be implemented under the DFARS clause, has already been amended twice since its release in 2015, and another amendment is anticipated in the coming months.
5. Be precise and transparent. When documenting and engaging with the government (and higher-tiered contractors), a contractor should ensure that it is accurately representing its state of compliance with each security control and cybersecurity requirement. Representations should be reviewed carefully for each contract and/or program.
6. Silence does not necessarily equal acquiescence. Ultimately, the company is accountable for its compliance; a contracting officer's tacit acceptance of a contractor's representations regarding cybersecurity compliance does not mean that the government is agnostic the requirements. In instances where a contracting officer is not proactively engaging on cybersecurity issues, others in the government, including program personnel who are creating and transmitting sensitive information, may have a different view, and could equally raise concerns regarding a company's compliance.
In sum, in the wake of the Aerojet decision, critically evaluating and carefully documenting cybersecurity compliance is more important than ever. Cybersecurity compliance programs are most effective when they promote sustained awareness, transparency, accountability, collaboration, and practical business practices.
See the court's decision here. To learn more, please contact either of the authors.