Contractors Racking Up Big Fines for Cybersecurity Violations
- Ken Larson

“NATIONAL DEFENSE MAGAZINE” By Tyler R. Bridegan, Luke Cass and Joshua A. Mullen
“With increased focus on contractors’ cybersecurity practices, the four most recent settlements provide valuable guidance for federal contractors looking to avoid government scrutiny.”
_______________________________________________________________________________
“Over the past year, the new administration has strongly signaled that it has every intention of continuing to scrutinize federal contractors’ cybersecurity practices and to continue the fight against new and emerging cyber threats to the security of sensitive government information and critical systems.
On the rulemaking front, the Pentagon recently amended the Defense Federal Acquisition Regulation Supplement to incorporate the standards of the Cybersecurity Maturity Model Certification program. The final rule took effect on Nov. 10 but has a phased implementation over the next few years and mandates that contractors achieve a specific CMMC level before contract award.
The final rule also introduces a framework for assessing contractor compliance with cybersecurity requirements, including self-assessments and third-party assessments. After contract award, contractors must maintain their CMMC status throughout the contract’s duration and provide affirmations of continuous compliance.
On the enforcement front, the government’s Civil Cyber-Fraud Initiative has continued to ramp up its cybersecurity enforcement efforts over the past year. Since the initiative was first launched in 2021, the Justice Department has announced approximately 15 settlements against federal contractors. However, in a clear sign that cybersecurity enforcement is continuing to heat up, six of these settlements have come since June.
While the specific allegations vary, each settlement revolved around contractors’ cybersecurity representations or contractual requirements, with the Justice Department alleging that the contractors either failed to comply with their contractual cybersecurity requirements or misrepresented their cybersecurity practices.
With this increased focus on contractors’ cybersecurity practices, the four most recent settlements provide valuable guidance for federal contractors looking to avoid government scrutiny.
The first of these four settlements was announced in July and resulted in the federal contractor Hill ASC Inc. agreeing to pay the United States a minimum of $14.75 million.
In this case, the company provided certain info-tech services to the General Services Administration. According to the allegations, Hill had not passed the technical evaluations required by GSA for a contractor to offer certain highly adaptive cybersecurity services to government customers. Nevertheless, the contractor submitted claims charging the government for such cybersecurity services, which the Justice Department alleged violated the False Claims Act.
The second settlement was announced later in July and resulted in Illumina agreeing to pay $9.8 million, albeit with the company denying the allegations. According to the Justice Department, Illumina violated the False Claims Act by selling federal agencies certain genomic sequencing systems that contained cybersecurity vulnerabilities.
That same day, a third settlement, which was with Aero Turbine Inc. and Gallant Capital Partners LLC, resulted in a $1.75 million settlement, which resolved the Justice Department’s allegations that Aero Turbine violated the False Claims Act by knowingly failing to comply with the cybersecurity requirements of its contract with the Air Force.
Pursuant to the contract, Aero Turbine was required to implement the security requirements outlined by National Institute of Standards and Technology Special Publication 800-171, but failed to fully do so. Additionally, the companies allegedly failed to control the flow of and limit unauthorized access to sensitive defense information by providing an unauthorized Egypt-based software company and its personnel with files containing sensitive defense information.
The fourth settlement was announced in September and resolved a government lawsuit against the Georgia Tech Research Corp. As part of the settlement, it agreed to pay $875,000 to resolve allegations resulting from a whistleblower complaint that it failed to meet the cybersecurity requirements in its Defense Department contracts.
Specifically, the Justice Department alleged that until December 2021, the contractor failed to install, update or run anti-virus or anti-malware tools on desktops, laptops, servers and networks while conducting sensitive cyber defense research. It was further alleged that the contractor did not have a system security plan setting out cybersecurity controls, as required by the government contracts.
Lastly, the Justice Department alleged that the contractor submitted a false summary level cybersecurity assessment score of 98 to the Defense Department, with the score being premised on a “fictitious” environment that did not apply to any system being used to process, store or transmit sensitive defense information.
With these recent enforcement actions, the Justice Department is investigating a wide array of cybersecurity practices, including federal contractors’ cybersecurity practices during product development and deployment and contractors’ statements regarding assessment scores and underlying representations. It also appears to be taking whistleblower complaints seriously, regardless of whether a contractor experienced a cyber breach.
To avoid scrutiny, federal contractors would be well advised to review and understand their cybersecurity contractual obligations; develop processes to work with the appropriate internal teams — information security, information technology — to ensure that contractual obligations have been appropriately implemented; and develop processes to monitor compliance with the contractual obligations on an ongoing basis.”
Tyler R. Bridegan and Joshua A. Mullen are partners at Womble Bond Dickinson. Luke Cass is a Chambers-ranked partner at the firm. Partner Christopher L. Lockwood also contributed to this article.