Takeaways

The Civil Cyber-Fraud Initiative will utilize the False Claims Act (FCA) to combat cybersecurity threats.
Recipients of government contracts and grants that fail to follow required cybersecurity standards will be subject to penalties.
Government contractors must ensure that they have sufficient systems in place to prevent cyberattacks and safeguard data in accordance with their contractual obligations.

On October 6, 2021, the Department of Justice (DOJ) announced the launch of a new initiative to combat the growing threat of cyberattacks. The Civil Cyber-Fraud Initiative (Initiative), led by the Civil Division’s Commercial Litigation Branch (Civil Division), aims to combat cybersecurity threats by imposing penalties on government contract and grant recipients who fail to follow required cybersecurity standards.

The Initiative aims to hold accountable those who put federal agency information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.

Other goals of the Initiative include:

  • Building broad resiliency against cybersecurity intrusions across the government, the public sector and key industry partners.
  • Holding contractors and grantees to their commitments to protect government information and infrastructure.
  • Supporting government experts’ efforts to timely identify, create and publicize patches for vulnerabilities in commonly used information technology products and services.
  • Ensuring that companies that follow the rules and invest in meeting cybersecurity requirements are not at a competitive disadvantage.
  • Reimbursing the government and the taxpayers for losses incurred when companies fail to satisfy their cybersecurity obligations.
  • Improving overall cybersecurity practices that will benefit the government, private users and the American public.

DOJ officials foreshadowed the Initiative in February, when Acting Assistant Attorney General Brian Boynton noted at a Qui Tam Conference that cybersecurity was one of six priorities of the Civil Division. This move also follows a recent trend of enforcement actions against violators of the cybersecurity regulations and requirements that accompany government contracts and grants, where FCA provisions incentivize private parties to report violations by allowing those whistleblowers to share in any recovery.

To better protect federal agencies and guard against the threat of cyberattacks, the Initiative will “extract very hefty fines” and “protect whistleblowers who bring those violations and those failures forward.”

DOJ’s announcement leaves open many important questions for government contractors and agencies alike. For example, it is unclear how DOJ will define “deficient” cybersecurity products and services and what criteria it will use to trigger an investigation into whether a given product or service is somehow “deficient.” Similarly, it is unclear what standard DOJ will use to define “misrepresentations” or “knowing violations” of obligations to monitor and report events. Different contracting agencies may set different expectations for those terms. It is also unclear how this Initiative will be harmonized with President Biden’s May 12, 2021 Executive Order directing the establishment of zero trust architectures (ZTA) across government. By its very nature, ZTA presumes some level of attacker penetration into information systems, so DOJ may have to coordinate with other federal agencies to ensure that prosecution priorities do not interfere with cybersecurity strategies. Finally, DOJ’s announcement does not address how the Initiative will apply to subcontractors and vendors, or whether prime contractors will face liability if their supply chains fail to meet cybersecurity obligations.

The Initiative comes at a time when government contractors are preparing to comply with other cybersecurity initiatives, including the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) program. The Initiative raises the stakes for failing to comply with cybersecurity obligations. Thus, government contractors and other companies that receive government funding must ensure, now more than ever, that they have sufficient systems in place to comply with the cybersecurity obligations under their government contracts, including safeguarding data and reporting cybersecurity incidents.

These and any accompanying materials are not legal advice, are not a complete summary of the subject matter, and are subject to the terms of use found at: https://www.pillsburylaw.com/en/terms-of-use.html. We recommend that you obtain separate legal advice.