RGCI - DOJ settles Cybersecurity Related False Claims Act for $9M

The Department of Justice (DOJ) has settled one of the first lawsuits alleging cybersecurity fraud under the False Claims Act, brought against the defense contractor Aerojet Rocketdyne. How did it begin? Aerojet Rocketdyne hired an employee as its Senior Director for Cyber Security, Compliance and Controls. The employee asserted that, between 2013 and 2015, Aerojet misrepresented its compliance with the cyber requirements of DFARS 252.204-7012 in communications with government officials while pursuing DoD and NASA contracts. The employee later refused to sign documents stating that Aerojet was compliant with the cybersecurity requirements, reported the issue to the company's ethics hotline and filed an internal report. The employee was terminated and then filed a qui tam suit alleging cybersecurity fraud under the False Claims Act.

The original lawsuit sought more than $19 billion in damages, calculated as three times the sum of every invoice paid under the allegedly fraudulently obtained contracts. Aerojet settled the case for $9 million shortly before a jury trial was to begin. The terminated employee is expected to receive approximately $2.6 million of that settlement. A payout of this size will encourage more employees to report suspected cybersecurity fraud.

Importance of Accurate Reporting of Compliance with NIST SP 800-171 Requirements

We continue to stress the importance of accurately reporting the status of your implementation of the NIST SP 800-171 security requirements under DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. The clause required contractors to implement NIST SP 800-171 no later than December 31, 2017, or to obtain DoD CIO approval of alternative but equally effective security measures. Taken together, the DFARS cybersecurity requirements include:

  • creating and maintaining a system security plan (SSP),
  • completing a basic (self) assessment against the NIST SP 800-171 requirements,
  • maintaining a plan of action and milestones (POA&M) to close any gaps,
  • uploading the assessment score to the Supplier Performance Risk System (SPRS), as required by DFARS 252.204-7019, and
  • reporting cyber incidents to DoD within the required timeframe.

Safeguarding covered defense information is important. DFARS 252.204-7012 requires "adequate security," defined as protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of, information. The clause defines a "compromise" as disclosure of information to unauthorized persons, or a violation of the security policy of a system, in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object, or the copying of information to unauthorized media, may have occurred. A compromise of this kind is a reportable cyber incident under the clause.

DOJ is Encouraging Employees to Report Alleged Cybersecurity Fraud

The Department of Justice launched its Civil Cyber-Fraud Initiative in October 2021. The initiative uses the False Claims Act (FCA) to pursue cybersecurity-related fraud, in part by encouraging employees to report government contractors and subcontractors that knowingly fail to comply with cybersecurity requirements. An employee (referred to as the relator) can file a qui tam suit to assist the government in pursuing fraud against the government. If the case is successful, the relator can receive a share of between 15 and 30 percent of the amount the government collects.

So, What Happened?

It all came down to material nondisclosures to the government about Aerojet's cybersecurity compliance. The relator claimed that Aerojet failed to report its status on all of the required controls, made misstatements about its partial compliance with protection measures, and cherry-picked which data it chose to report. Because the government is taking cybersecurity seriously, contractors need to ensure that the information they report in their SPRS self-assessment, and to the government about the status of security controls still in progress, is accurate. The government also expects contractors to work proactively toward implementing the NIST SP 800-171 security controls. Although the settlement means we cannot see exactly where the lines will be drawn, it was probably a good outcome, at least for Aerojet. No defense contractor wants to be the first to go to trial on a cybersecurity false claims case, especially with more than $19 billion at stake.

Time to Verify Your Compliance With NIST SP 800-171

The Aerojet case should be a wake-up call for management to revisit the accuracy of your basic self-assessment and plan of action, and to confirm that you are completing milestones on schedule to eliminate weaknesses in your systems, sooner rather than later. The accuracy of your reported cybersecurity information is critical, and the assessment should be corrected and re-submitted if inaccuracies are found in the current one. Companies may be short-staffed in the Information Technology department or may have no IT department at all. Hiring staff or bringing in consultants is costly, but at this point it is a necessary cost.

An additional risk is that the basic self-assessment does not require management certification before it is uploaded to SPRS, so it can be completed by an employee at any level; in smaller companies that may be someone with little IT experience. CMMC 2.0 will add an executive certification requirement, which we cover in our blog article, One More Required Company Executive Certification Under CMMC 2.0.

Contractors are exposed not only to potential false claims liability; noncompliance with cybersecurity requirements can also lead to contract claims and terminations for default. We discussed this topic in our blog article, Contractors Beware: Don't Get Caught with a Material Breach of Contract Terms. Coordinate with your contracts team to ensure they accurately communicate the status of your assessment to the government before contract award.

If your company lacks the IT resources to complete the milestones in your plan of action on time, consider assistance from third parties. While DoD has not stated what an adequate score is, the government does expect the contractor's reported assessment score and compliance status to be accurate.

Redstone GCI, together with our trusted and established industry-leading partners, can assist with numerous cybersecurity compliance requirements, including but not limited to penetration testing, incident response, security assessments and POA&M development for your information technology infrastructure. With our partners we can deliver a complete solution covering cybersecurity policy and flow-down requirements in all areas, including purchasing policy requirements.

Written by Lynne Nalley, CPA

Lynne Nalley, CPA, is a Director with Redstone Government Consulting, Inc., providing government contract consulting services to our clients primarily related to Commercial Item Determinations and support, Cost Accounting Standards, DFARS Business System Audits, Proposals, and Incurred Cost. Prior to joining Redstone Government Consulting, Lynne served in several capacities with DCAA and DCMA for over 35 years.

Professional Experience: Lynne began her career with DCAA in the Honeywell Resident Office, Clearwater, FL in 1984. Her experience included various positions involving the conduct or review of forward pricing proposal and rate audits, financial capability audits, progress payments, accounting and estimating systems, cost accounting standards, claims and disclosure statement reviews. She is an expert in FAR, DFARS and CAS and has testified as an expert witness. Lynne assisted in drafting the commercial item guidance for DCAA Headquarters. As a Regional Technical Specialist, she provided guidance to 20 field offices on highly complex or technical issues relating to forward pricing, financial capability and progress payments. As an Assistant for Quality, she reviewed audit reports for compliance with policy and GAGAS and gave NASBA-certified presentations to staff on topics including billing reviews, CAS, unallowable costs and progress payments. To broaden her government contracting experience, Lynne accepted a position with DCMA in 2015 as part of the newly organized DCMA Cadre of Experts in the Commercial Item Group, performing reviews of prime contractors' assertions and commercial item determinations as well as price analyses. Lynne was a project lead and later a lead analyst, engaging with the buying commands on requests and reviewing price analyses performed by a team of five analysts. She also assisted the DCMA CPSR team on commercial items and co-instructed the Commercial Item Training presented to DCMA.

Education: Bachelor of Science in Accounting, University of Central Florida.

Certifications: State of Florida Certified Public Accountant; State of Alabama Certified Public Accountant; Defense Acquisition Workforce Improvement Act (DAWIA) Level III, Auditing; DAWIA Level III, Contracting.

About Redstone GCI

Redstone GCI is a consulting firm focused on fulfilling the needs of government contractors in all areas of compliance. With a singular mission to help contractors through the multiple layers of “red tape,” we allow contractors to focus on what they do best – support their mission with the U.S. Government. We are home to a group of consultants made up of GovCon industry professionals, CPAs, attorneys, and retired government audit and acquisition professionals.

Our focus on and knowledge of the audit and compliance functions administered by DCAA and DCMA will always be at the heart of what we do. Over the past decade, however, we have strategically grown to support other areas of the government contractor back office with the same level of focus and expertise. We have added expertise in contracts management, subcontract administration, proposal pricing, various software systems, HR and employment law, property administration, manufacturing, data analytics and reporting, grants, M&A, and many other areas. When we see a trend in the needs of contractors, we act to ensure we can provide the best expertise in the market to meet those needs.

One thing our clients can be certain of is that with the Redstone GCI Team in your corner, there is no problem too big and no issue too technical for our team to tackle.

Topics: DFARS Business Systems, Contractor Purchasing System Review (CPSR), Cybersecurity