The Department of Justice (DOJ) has settled one of the first lawsuits alleging cybersecurity fraud under the False Claims Act, brought against Aerojet Rocketdyne, a defense contractor. So how did it begin? Aerojet Rocketdyne hired an employee as its Senior Director for Cyber Security, Compliance and Controls. The employee asserted that Aerojet misrepresented its compliance with the cybersecurity requirements of DFARS 252.204-7012 in communications with government officials while obtaining DoD and NASA contracts between 2013 and 2015. The employee later refused to sign documents stating that Aerojet was compliant with the cybersecurity requirements, reported the matter to the company's ethics hotline, and filed an internal company report. The employee was terminated and filed a qui tam suit alleging cybersecurity fraud under the False Claims Act.
While the original lawsuit sought damages of more than $19 billion, calculated as three times the sum of every invoice paid under the allegedly fraudulently obtained contracts, Aerojet settled the case for $9 million before the start of the jury trial. The terminated employee is expected to receive about $2.6 million from the settlement. A payout of this size will tempt many more employees to report alleged cybersecurity fraud.
Importance of Accurate Reporting of Compliance with NIST SP 800-171 Requirements
We continue to stress the importance of accurately reporting implementation of the NIST SP 800-171 security requirements invoked by DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. The clause required contractors to implement the NIST SP 800-171 requirements no later than December 31, 2017, or to submit alternative but equally effective security measures to the DoD CIO for approval. Together with the companion assessment clauses (DFARS 252.204-7019 and 7020), the requirements include:
- creating a system security plan (SSP),
- completing a basic (self) assessment against the NIST SP 800-171 requirements,
- maintaining a plan of action and milestones (POA&M) to close any gaps,
- uploading the assessment score to the Supplier Performance Risk System (SPRS), and
- reporting cyber incidents to DoD within the required time.
Safeguarding covered defense information is important. DFARS 252.204-7012 defines adequate security as protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of, information. It separately defines a compromise as the disclosure of information to unauthorized persons, or a violation of the security policy of a system, in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object, or the copying of information to unauthorized media, may have occurred. Both definitions matter: the first sets the bar the contractor is attesting to, and the second triggers the incident reporting obligation.
DOJ is Encouraging Employees to Report Alleged Cybersecurity Fraud
The Department of Justice launched its Civil Cyber-Fraud Initiative in October 2021. The initiative uses the False Claims Act (FCA) to pursue cybersecurity-related fraud by encouraging employees to report government contractors and subcontractors that knowingly fail to comply with cybersecurity requirements. An employee (referred to as a relator) can file a qui tam suit on behalf of the government. If the case is successful, the relator receives a share of the amount recovered: under the FCA, 15 to 25 percent if the government intervenes in the case and 25 to 30 percent if it does not.
So, What Happened?
It all came down to material nondisclosures to the government about Aerojet's cybersecurity compliance. The relator claimed that Aerojet failed to report its status on all required controls, misstated its partial compliance with protection measures, and cherry-picked which data it chose to report. Because the government is taking cybersecurity seriously, contractors need to ensure that the information they report in their SPRS self-assessment, and to the government about the status of their in-process security controls, is accurate. The government also expects contractors to work proactively toward implementing the NIST SP 800-171 security controls. Settling the case means we cannot see where the courts would have drawn the lines, but the settlement was probably a good outcome, at least for Aerojet. It is doubtful that any defense contractor wants to be the first to go to court on a cybersecurity false claims issue, especially with more than $19 billion at stake.
Time to Verify Your Compliance With NIST SP 800-171
The Aerojet case should be a wake-up call for management to revisit the accuracy of the basic self-assessment and the plan of action, and to confirm that the company is completing its milestones on time so that the gaps in the system are closed sooner rather than later. The accuracy of the reported cybersecurity information is critical, and the assessment should be updated as soon as inaccuracies are found in the current submission. Companies may be short-staffed in the Information Technology department or may have no IT department at all. Bringing on staff or bringing in consultants is costly, but at this point it is a necessary cost.
An additional risk is that the basic self-assessment does not require management certification before it is uploaded to SPRS, so it can be completed by an employee at any level, and in smaller companies even by an employee with little IT experience. CMMC 2.0 will add a certification requirement, which we cover in our blog article, One More Required Company Executive Certification Under CMMC 2.0.
Contractors face not only potential false claims exposure but also contract claims and terminations for default as a result of noncompliance with cybersecurity requirements. We discussed this topic in our blog article, Contractors Beware: Don't Get Caught with a Material Breach of Contract Terms. Coordinate with your contracts team to ensure that it accurately communicates the status of the assessment to the government before contract award.
If your company does not have the IT resources to complete the milestones in its plan of action on time, consider assistance from third parties. While DoD has not said what score it considers adequate, the government expects accurate information from the contractor about the assessment score and the status of compliance with each requirement.
Redstone GCI, together with our trusted, industry-leading partners, can assist with a wide range of cybersecurity compliance requirements, including penetration testing, incident response, security assessments, and POA&M development for your information technology infrastructure. Redstone GCI and our partners can provide a complete solution covering cybersecurity policy and flow-down requirements across all aspects of the business, including purchasing policy requirements.