As the recent SolarWinds Orion attack makes clear, cybersecurity will be a focus in the coming years for governmental and non-governmental entities alike.  In the federal contracting community, it has long been predicted that the government’s increased cybersecurity requirements will eventually lead to a corresponding increase in False Claims Act (FCA) litigation involving cybersecurity compliance.  This prediction may soon be proven true, as a December 2020 speech from Deputy Assistant Attorney General Michael Granston specifically identified “cybersecurity related fraud” as an “area where we could see enhanced False Claims Act activity.”  This post discusses recent efforts to use the FCA to enforce cybersecurity compliance — and, based on those efforts, what government contractors may expect to see in the future.

In recent years, the government and qui tam plaintiffs have begun using the FCA to pursue alleged noncompliance with cybersecurity regulations, and some of these efforts have gained traction.  For instance, in May 2019, a federal district court in California declined to dismiss a case alleging that a government contractor had falsely asserted its compliance with cybersecurity standards when entering into Department of Defense contracts.  And in July 2019, the Department of Justice announced that another contractor had agreed to pay more than $8 million in connection with resolving a qui tam suit alleging failure to meet federal cybersecurity standards, marking the first settlement based on FCA allegations related to cybersecurity noncompliance.

More recently, however, at least one court rejected the attempt to build an FCA case out of alleged deviations from cybersecurity regulations.  In October 2020, a federal district court in the District of Columbia dismissed a qui tam suit alleging that a contractor had failed to disclose a security vulnerability in the computer systems that it sold to the United States.  United States ex rel. Adams v. Dell Computer Corp., 15-cv-608 (D.D.C. Oct. 8, 2020).  The court’s dismissal was based on its conclusion that the whistleblower had failed to show that the noncompliance was “material.”  As the court noted, “the technology policies referenced . . . do not require defect-free products,” and any applicable security policy could have instead been addressed by “providing the necessary assistance to eliminate or reduce vulnerabilities as they appear.”

Going forward, we expect the FCA’s strict materiality requirement will continue to present a significant hurdle for plaintiffs in future cases alleging noncompliance with increasingly detailed cybersecurity regulations.  As Mr. Granston’s recent speech portends, however, the federal government and qui tam plaintiffs are poised to bring suits under the FCA predicated on allegations of cybersecurity noncompliance.  While these allegations could take myriad forms, there are two regulatory developments in particular that may provide ammunition to enterprising whistleblowers – and pose FCA risk for unwary contractors.

First, under the NIST 800-171 DoD Assessment Methodology, DoD is now requiring that contractors complete a pre-award self-assessment (formally known as a “Basic Assessment”) of their compliance with the 110 security controls found in NIST 800-171.  That Basic Assessment results in a numerical score that is provided to the government and a date by which the contractor represents it will be in full compliance with all NIST 800-171 controls.  Following award, the DoD may decide to complete its own Medium Assessment (via a paper review) or High Assessment (via an in-person review) of a contractor’s compliance with the NIST 800-171 security requirements.

This assessment process could give rise to disagreements between the contractor and the government over the extent to which the contractor is complying with the NIST 800-171 security controls.  In particular, a large discrepancy between the Basic Assessment’s numerical score and the Medium or High Assessment’s numerical score could lead to allegations that the contractor failed to accurately represent its cybersecurity requirements, thereby raising the specter of FCA risk.

Second, defense contractors will soon be asked to obtain and provide a Cybersecurity Maturity Model Certification (CMMC) from an accredited CMMC Third Party Assessment Organization.  As part of this certification process, contractors will be expected to show their ability to meet the NIST 800-171 security requirements as well as several additional security controls.  Allegations of inconsistencies between the self-assessment of compliance with 800-171 and the third party CMMC assessment may also draw the attention of would-be qui tam plaintiffs.

However, it may prove difficult for the government or qui tam plaintiffs to establish FCA liability based on allegations of cybersecurity noncompliance.  First, and as noted above, FCA liability can only be imposed where the requirement is “material,” meaning that the noncompliance would have a “natural tendency to influence, or be capable of influencing” the government’s decision to pay the contractor.  However, federal contracts often contain cybersecurity requirements among a list of dozens — if not hundreds — of other regulatory obligations.  In many cases it is unlikely that the government’s decision to pay a contractor would depend on strict compliance with a particular cybersecurity control or set of controls, in which case noncompliance with that control would not be “material.”

Second, FCA liability requires a showing that a noncompliance was “knowing,” meaning that the contractor actually knew they were not in compliance with a requirement, acted with deliberate ignorance, or acted with reckless disregard.  However, many of the cybersecurity requirements are new, and drafted broadly, allowing reasonable differences in technical interpretation. There is substantial case law establishing that a contractor cannot be held liable under the FCA for a reasonable, good-faith reading of unclear regulatory requirements.

Thus, even if the predictions about an uptick in FCA cybersecurity cases come true, there are good reasons for thinking that many such matters will face significant headwinds.  Although all cases are different, the standard defenses in such matters will be fully available, including both substantive defenses like those outlined above, and procedural defenses such as the statute’s Public Disclosure bar.  Nonetheless, the likelihood of an increase in FCA cases underscores the importance of ensuring careful attention to cybersecurity compliance and associated representations.

Michael Wagner

Mike Wagner helps government contractors navigate high-stakes enforcement matters and complex regulatory regimes.

Combining deep regulatory knowledge with extensive investigations experience, Mr. Wagner works closely with contractors across a range of industries to achieve the efficient resolution of regulatory enforcement actions and government investigations, including False Claims Act cases. He has particular expertise representing individuals and companies in suspension and debarment proceedings, and he has successfully resolved numerous such matters at both the agency and district court level. He also routinely conducts internal investigations of potential compliance issues and advises clients on voluntary and mandatory disclosures to federal agencies.

In his contract disputes and advisory work, Mr. Wagner helps government contractors resolve complex issues arising at all stages of the public procurement process. As lead counsel, he has successfully litigated disputes at the Armed Services Board of Contract Appeals, and he regularly assists contractors in preparing and pursuing contract claims. In his counseling practice, Mr. Wagner advises clients on best practices for managing a host of compliance obligations, including domestic sourcing requirements under the Buy American Act and Trade Agreements Act, safeguarding and reporting requirements under cybersecurity regulations, and pricing obligations under the GSA Schedules program. And he routinely assists contractors in navigating issues and disputes that arise during negotiations over teaming agreements and subcontracts.

Peter B. Hutt II

Peter Hutt represents government contractors in a range of complex investigation, litigation, and compliance matters, including False Claims Act and fraud investigations and litigation, compliance with accounting, cost, and pricing requirements, and contract claims and disputes.

Peter has litigated more than 25 qui tam matters brought under the False Claims Act, including matters alleging cost mischarging, CAS violations, quality assurance deficiencies, substandard products, defective pricing, Iraqi procurement fraud, health care fraud, and inadequate subcontractor oversight. He has testified before Congress concerning proposed amendments to the False Claims Act.

Peter has also conducted numerous internal investigations and frequently advises clients on whether to make disclosures of potential wrongdoing.

Peter also represents clients in a wide range of accounting, cost, and pricing matters, as well as other contract and grant matters. He is experienced in addressing issues concerning pensions and post-retirement benefits, contract formation, TINA and defective pricing, claims and terminations, contract financing, price reduction clauses, subcontracting and supply chain compliance, specialty metals compliance, and small business and DBE compliance. He has litigated significant cost, accounting, and contract breach matters in the Court of Federal Claims and the Armed Services Board of Contract Appeals.

Peter is recognized for his work both in government contracts and in False Claims Act disputes by Chambers USA, which notes that he is “whip-sharp, wicked smart and will advocate to the hilt for his clients.” Chambers also notes that “Peter brings a lot of thoughtfulness and creativity to cases. He is extremely clear in his communications and very responsive.”

Susan B. Cassidy

Ms. Cassidy represents clients in the defense, intelligence, and information technologies sectors.  She works with clients to navigate the complex rules and regulations that govern federal procurement and her practice includes both counseling and litigation components.  Ms. Cassidy conducts internal investigations for government contractors and represents her clients before the Defense Contract Audit Agency (DCAA), Inspectors General (IG), and the Department of Justice with regard to those investigations.  From 2008 to 2012, Ms. Cassidy served as in-house counsel at Northrop Grumman Corporation, one of the world’s largest defense contractors, supporting both defense and intelligence programs. Previously, Ms. Cassidy held an in-house position with Motorola Inc., leading a team of lawyers supporting sales of commercial communications products and services to US government defense and civilian agencies. Prior to going in-house, Ms. Cassidy was a litigation and government contracts partner in an international law firm headquartered in Washington, DC.

Andrew Guy

Andrew Guy is an associate in the firm’s Washington, DC office. He is a member of the Government Contracts practice group.