Department of Defense contractors have struggled to meet the DFARS 252.204-7012 (“DFARS-7012”) regulation, particularly with compliance with the NIST SP 800-171 (“NIST-171”) security controls it references.
Now an employee has brought suit against his employer under the False Claims Act (FCA) for falsely claiming compliance with DFARS-7012/NIST-171, and the case has survived the employer’s motion to dismiss. No judgement has been entered against the company yet, and the court could still rule in the company’s favor. Other DoD contractors should nonetheless take note of the details of the case so far.
The DFARS-7012 clause was added to the vast majority of DoD contracts, and contractors with this clause in their contracts have been required to comply with it since Dec 31, 2017. The clause, however, references a set of 110 (mostly cyber) security controls in the NIST-171 standard, and compliance with those controls was not assigned a calendar date; contractors are required to implement them “as quickly as practical.” Some companies have chosen to document intended compliance dates years in the future in a Plan of Action and Milestones (POA&M) document. Additionally, the controls are written loosely enough to allow multiple paths to compliance, and the judgement of whether a company is compliant is made by the company itself through a “self-assessment.”
You can likely see the problem here. Some companies asked their CSO, ISO, or IT Director to claim compliance based on very dubious interpretations of the controls, sometimes pressuring them to sign documents attesting to it. That is where the FCA comes into play.
Recently, a federal court refused to dismiss a relator’s implied certification FCA case in which he alleged that his employer “misrepresented … to the government the extent to which it had equipment required by the regulations, instituted required security controls, and possessed necessary firewalls” in violation of DoD’s cybersecurity regulations. United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., No. 2:15-cv-2245, 2019 WL 2024595, *3 (E.D. Cal. May 8, 2019).
The FCA allows an individual, called a Relator, to bring a lawsuit in the name of the US Government against any person or company who violates the Act. Penalties can be up to THREE times the actual damages suffered by the Government, plus a civil penalty of between $5K and $10K PER VIOLATION (the statutory base figures, which are adjusted upward for inflation). PLUS, the Relator (possibly your own employee) RECEIVES between 15% and 30% of ANY PROCEEDS, plus attorney’s fees and court costs.
Here is a bit more detail on the case:
In Markus, the Relator was the senior director of Cyber Security, Compliance and Controls for the defendants. In Sept. 2015, he was terminated after he refused to sign documents stating that his employer complied with the DoD’s new cybersecurity requirements. A month later, he filed a lawsuit alleging violations of the FCA and retaliation relating to his termination. The lawsuit remained under seal while the Government investigated the FCA claim. Three years later, after the Government declined to intervene, the case was unsealed.
The risk of exposure is compounded by the FCA’s lengthy statute of limitations: either six years from when the fraud is committed or three years after the Government knows or should have known the material facts, whichever is later, provided the action is filed within ten years of the alleged fraud. So if the Government discovers the fraud, it has up to six years to file suit. BUT if a Relator “discovers” the fraud on the day it occurs, the Relator could have as many as ten years to bring suit. Ten years. Ten years after dismissing that disgruntled IT employee whom management pressured into interpreting compliance somewhat incorrectly, a lawsuit could arrive at the company’s doorstep.
If you want help, or the confidence that a third-party compliance assessment can provide, feel free to contact us at Sentar. We have helped over 100 companies meet their DFARS-7012 and NIST-171 compliance obligations. Let us do the heavy lifting for you.