A recent DoD memorandum should serve as a warning to contractors that they need to focus on cybersecurity compliance now or risk serious consequences.
On July 5, 2022, the district court in United States ex rel. Brian Markus v. Aerojet Rocketdyne Holdings, Inc. et al., No. 2:15-cv-02245 (E.D. Cal.) approved the parties’ settlement agreement, bringing this seven-year-long whistleblower suit to an end. The case involved allegations that the contractor falsely certified to the government its level of compliance with, among other things, the requirements of DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting). As relevant here, DFARS 252.204-7012 requires defense contractors to have a cybersecurity plan that addresses compliance with the 110 cybersecurity controls developed by the National Institute of Standards and Technology.
The whistleblower who brought the suit, under the qui tam provisions of the False Claims Act (FCA), was the contractor’s former senior director of cybersecurity compliance. In the complaint, the whistleblower alleged that external auditors were able to compromise the contractor’s network. Within four hours, the auditors were allegedly able to obtain all user accounts and passwords, access attorney-client privileged documents, and remotely view and listen to security camera footage at the contractor’s facility. At the same time, the contractor allegedly certified that it was in compliance with the applicable cybersecurity requirements. The U.S. Department of Justice (DOJ) submitted a “statement of interest” in October 2021 responding to the FCA-related legal issues that the contractor had raised in a motion for summary judgment.
After the suit survived several attempts to dismiss it, the whistleblower agreed to settle shortly after the April 2022 trial had commenced. In the settlement agreement, the contractor expressly denied any violation of the FCA but agreed to pay the United States a total of $9 million. The FCA provides that the whistleblower can receive up to 30 percent of the settlement amount.
Since this case was filed, DoD and DOJ have taken steps to emphasize the importance of cybersecurity maturity within the government’s supply chain. (We have previously reported on these efforts in July 2022, November 2021, October 2021 and October 2020.) Although the government’s cybersecurity standards continue to evolve, the settlement should serve as a wake-up call for contractors to take their cybersecurity obligations seriously today and to be transparent about their level of compliance with cybersecurity requirements. This is especially true now that DoD has issued DFARS 252.204-7020 (NIST SP 800-171 DoD Assessment Requirements), an interim rule that went into effect in November 2020 and requires most defense contractors to self-assess their level of cybersecurity compliance and post the results of that assessment to the Supplier Performance Risk System, a government database.