Cybersecurity issues are not going away anytime soon, and the risk of noncompliance for contractors is ratcheting up. In a recent ruling in a Civil False Claims Act (FCA) qui tam case, Judge Shubb of the Eastern District of California determined that the whistleblower’s allegations, namely that a company’s statements regarding the status of its compliance with a Department of Defense (DoD) cybersecurity clause were half-truths, met the FCA’s “materiality” standard for purposes of surviving a motion to dismiss. Judge Shubb found the alleged statements to be “material” representations even though the contracts were for missile defense and rocket technology, not cybersecurity. In issuing this ruling, the Court held that these facts met the “materiality” threshold for denial of the motion because, considering the facts in the light most favorable to the qui tam relator, the Government might not have awarded the contracts if it had known the true state of the contractor’s compliance with the cybersecurity provisions. Significantly, the Court did not find that the Government’s continued contracting with the contractor after learning of the allegations in the complaint was dispositive of whether the alleged misrepresentations were material. It held that the test of materiality is whether the misrepresentations were material at the time the Government entered into the relevant contracts. Nor did the Court find the Government’s decision not to intervene in the case to be instructive, holding that there could be many reasons apart from the merits of the case for the Government’s lack of intervention.
Further, the Court was unpersuaded by the fact that the Government has continued to change the cybersecurity requirements since issuance of the initial clause in order “to ease the burdens on the industry,” since this did not address whether the contractor’s technical compliance with the initial clause mattered to the Government for this particular set of contracts. See U.S.A. ex rel. Brian Markus v. Aerojet Rocketdyne Holdings and Aerojet Rocketdyne, Inc., E.D. Cal. Docket No. 2:15-cv-2245 WBS AC, ___ F. Supp. 3d ___, 2019 WL 2024595.
Under the Civil False Claims Act, liability may attach where a person or entity “knowingly presents, or causes to be presented, a false or fraudulent claim for payment or approval” or “knowingly makes, uses, or causes to be made or used, a false record or statement material to a false or fraudulent claim.” 31 U.S.C. §§ 3729(a)(1)(A) and (B). The Supreme Court’s decision in Universal Health Servs., Inc. v. U.S. ex rel. Escobar (Escobar) interpreted these provisions to reach implied certifications: where a person or entity submits a claim for payment, approval, or action and fails to disclose noncompliance with material statutory, regulatory, or contractual requirements, the specific representations made in the claim become misleading half-truths.
The cybersecurity clauses at issue include Department of Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, Safeguarding of Unclassified Controlled Technical Information (November 2013), which requires, inter alia, that “The Contractor shall provide adequate security to safeguard unclassified controlled technical information from compromise.” DFARS 252.204-7012(b). The cybersecurity standards were revised in subsequent iterations of the clause, and in 2015 the clause was renamed “Safeguarding Covered Defense Information and Cyber Incident Reporting.” The earlier version of the clause called for compliance with specified National Institute of Standards and Technology (NIST) Special Publication 800-53 (NIST SP 800-53) security controls, or an alternative control or protective measure. As currently revised, DFARS 252.204-7012 requires that the covered information systems of DoD contractors, and of their subcontractors and holders of similar contractual instruments, comply with the version of NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, in effect at the time the solicitation is issued, or as authorized by the Contracting Officer. The current standard requires that covered contractors safeguard all types of Covered Defense Information (CDI), including Unclassified Controlled Technical Information (CTI) and other Controlled Unclassified Information (CUI). Covered DoD contractors include those that provide supplies or services in the performance of DoD contracts and that receive, use, create, transmit, or store CDI, except for contractors providing only commercial off-the-shelf (COTS) items. The clause also reaches contractors providing “operationally critical support.”
The case also identifies the National Aeronautics and Space Administration (NASA) cyber provision, 48 C.F.R. § 1852.204-76, as listing relevant security requirements for contractor handling of sensitive but unclassified information. The current version of that NASA provision states that the contractor “shall protect the confidentiality, integrity, and availability of NASA Electronic Information and IT resources and protect NASA Electronic Information from unauthorized disclosure.” In addition, the provision states that the “contractor shall afford Government access to the Contractor’s and subcontractors’ facilities, installations, operations, documentation, databases, and personnel used in performance of the contract … to carry out a program of IT inspection (to include vulnerability testing), investigation and audit to safeguard against threats and hazards to the integrity, availability, and confidentiality of NASA Electronic Information or to the function of IT systems operated on behalf of NASA, and to preserve evidence of computer crime.”
Given the evolving state of current cyber provisions, the decision should concern contractors at all tiers of the Government contract supply chain. DoD has in fact revised its cyber provision on multiple occasions, and has stated that a company will be considered compliant with the clause where it has a documented System Security Plan (SSP) and Plan of Action and Milestones (POA&M) for implementing NIST SP 800-171’s 110 security requirements, and is taking steps to implement that plan. Moreover, while the current NASA provision requires the contractor to protect covered information and resources, it also provides that NASA will inspect, test, investigate, and audit the contractor and its subcontractors to safeguard against threats and hazards.